3Com SUPERSTACK 3CR16110-95 Скачать руководство пользователя страница 186 | Manualshive

Страница: 186 / 214

3Com SUPERSTACK 3CR16110-95 Скачать руководство пользователя страница 186

186

C

HAPTER

14: N

ETWORKING

C

ONCEPTS

■

Linking two or more Private Networks Together

VPN is the perfect way to connect branch offices and business
partners to the primary business. Using VPN over the Internet, instead
of leased site-site lines, offers significant cost savings and improved
performance.

■

Using the IRE VPN Client for Secure Remote Management

Using the included IRE VPN client for Windows, a secure, encrypted
tunnel may be created that allows the administrator to remotely
manage the Firewall over the Internet.

■

Accessing Machines Using Private Addressing behind NAT

When NAT (Network Address Translation) is enabled, remote users are
not able to access hosts on the LAN unless the host is designated a
Public LAN Server for that specific protocol. Since the VPN Tunnel
terminates inside the LAN, remote users will be able to access all
computers that use private IP addresses on the LAN.

Basic VPN Terms and

Concepts

The following explains the most common terms and expressions used in
VPN

■

VPN Tunnel

Tunnelling is the encapsulation of point-point transmission inside IP
packets. A VPN Tunnel is a term that is used to describe a connection
between two or more private nodes or LANs over a public network,
typically the Internet. Encryption is often used to maintain the
confidentiality of private data when travelling over the Internet.

■

Encryption

Encryption is a mathematical operation that transforms data from
“clear text” (something that a human or a program can interpret) to
“cipher text” (something that cannot be interpreted). Usually the
mathematical operation requires that an alphanumeric “key” be
supplied along with the clear text. The key and clear text are
processed by the encryption operation which leads to the data
scrambling that makes encryption secure. Decryption is the opposite
of encryption: it is the mathematical operation that transforms cipher
text to clear text. Decryption also requires a key.

■

Key

A key is an alphanumeric string that is used by the encryption
operation to transform clear text into cipher text. Keys used in VPN

DUA1611-0AAA02.book Page 186 Thursday, August 2, 2001 4:01 PM

«
...
184
185
186
187
188
...
»

Содержание SUPERSTACK 3CR16110-95

Страница 1: ...Part No DUA1611 0AAA02 Published August 2001 SuperStack 3 Firewall User Guide SuperStack 3 Firewall 3CR16110 95 SuperStack 3 Firewall Web Site Filter 3C16111 DUA1611 0AAA02 book Page 1 Thursday Augus...

Страница 2: ...ny licensed program or documentation contained in or delivered to you in conjunction with this User Guide Unless otherwise indicated 3Com registered trademarks are registered in the United States and...

Страница 3: ...Web URL Filtering 23 High Availability 24 Logs and Alerts 24 User Remote Access from the Internet 24 Automatic IP Address Sharing and Configuration 24 Introduction to Virtual Private Networking VPN 25...

Страница 4: ...provided by a DHCP Server 44 Configuring LAN Settings 44 Automatic LAN Settings 44 Entering information about your LAN 45 Configuring the DHCP Server 45 Confirming Firewall Settings 46 II CONFIGURING...

Страница 5: ...site is blocked 72 Updating the Web Filter 73 Checking the Web Filter Status 73 Downloading an Updated Filter List 74 Setting Actions if no Filter List is Loaded 74 Blocking Websites by using Keyword...

Страница 6: ...estoring Rules to Defaults 106 Updating User Privileges 106 Establishing an Authenticated Session 108 Setting Management Method 109 Selecting Remote Management 110 Using the Firewall with the NBX 100...

Страница 7: ...E VPN Client Software 139 Configuring the IRE VPN Client 139 10 CONFIGURING HIGH AVAILABILITY Getting Started 141 Network Configuration for High Availability Pair 142 Configuring High Availability 142...

Страница 8: ...s the Internet 169 Firewall Does Not Save Changes 169 Duplicate IP Address Errors Are Occurring 169 Machines on the WAN Are Not Reachable 170 Troubleshooting the Firewall VPN Client 170 The IKE Negoti...

Страница 9: ...Known Port Numbers 184 Registered Port Numbers 184 Private Port Numbers 184 Virtual Private Network Services 184 Introduction to Virtual Private Networks 185 VPN Applications 185 Basic VPN Terms and C...

Страница 10: ...ld Wide Web Site 201 3Com Knowledgebase Web Services 201 3Com FTP Site 202 Support from Your Network Supplier 202 Support from 3Com 202 Returning Products for Repair 204 INDEX REGULATORY NOTICES DUA16...

Страница 11: ...ave to web sites Sites can be blocked on a site wide or individual basis and by the features a web site uses or content it provides This guide is intended for use by the person responsible for install...

Страница 12: ...tion about installing and setting up the Web Site Filter Chapter 11 Troubleshooting common Firewall problems Chapter 12 Information about Denial of Service and other attacks Chapter 13 An introduction...

Страница 13: ...reen displays This typeface represents information as it appears on the screen Commands The word command means that you must enter the command exactly as shown and then press Return or Enter Commands...

Страница 14: ...based application which you use to set up the Firewall to protect your network from attack and to control access to the Internet for LAN users NAT Network Address Translation NAT refers to the proces...

Страница 15: ...o as GMT or World Time VPN stands for Virtual Private Network and is a method of networking that uses data encryption and the public internet to provide secure communications between sites without inc...

Страница 16: ...l support questions For information about contacting Technical Support see Appendix A Registration To register your Firewall point your web browser to http www 3com com ssfirewall click on Hardware Re...

Страница 17: ...I GETTING STARTED Chapter 1 Introduction Chapter 2 Installing the Hardware Chapter 3 Quick Setup for the Firewall DUA1611 0AAA02 book Page 17 Thursday August 2 2001 4 01 PM...

Страница 18: ...18 DUA1611 0AAA02 book Page 18 Thursday August 2 2001 4 01 PM...

Страница 19: ...LAN to be securely connected to the Internet You can use the Firewall to Prevent theft destruction and modification of data Filter incoming data for unsafe or objectionable content Log events which m...

Страница 20: ...1 3Com Network Supervisor display Network Supervisor automatically discovers up to 1500 network devices and shows devices and connections on a graphical display Network managers can view network acti...

Страница 21: ...the Firewall you must follow the steps below before Network Supervisor will detect your Firewall 1 Access the Web interface from a Web browser connected to the LAN port of the Firewall 2 Click on the...

Страница 22: ...ers LAN DMZ WAN STOP DoS Attacks Blocked Web Access Allowed Unauthorised External Access Blocked Authorised External Access using VPN Encrypted STOP STOP STOP Internet Access Filtered optional LAN Nor...

Страница 23: ...you want to restrict access Alternatively you can restrict access to the Internet to certain trusted URLs See Setting up Trusted and Forbidden Domains on page 165 for more information Web site techno...

Страница 24: ...of Internet bandwidth You can also set up the Firewall to send an alert message through e mail when a high priority concern such as a hacker attack is detected See Log Alert Settings on page 177 for...

Страница 25: ...rading partners legal and financial advisors as well as remote workers and branch offices This real time requirement often leads to the creation of an extranet where branch offices and partners are co...

Страница 26: ...ating device at the other end of the tunnel must be using the same level and type of encryption See Configuring Virtual Private Network Services on page 123 for more details DUA1611 0AAA02 book Page 2...

Страница 27: ...s relatives la s curit qui se trouvent dans l Appendice A de ce guide VORSICHT Bevor Sie den Firewall hinzuf gen lesen Sie die Sicherheitsanweisungen die in Anhang A in diesem Handbuch aufgef hrt sind...

Страница 28: ...nd sources of electrical noise such as radio transmitters and broadband amplifiers Water or moisture cannot enter the case of the unit Air flow around the unit and through the vents in the side of the...

Страница 29: ...k the feet to the marked areas at each corner of the underside of the unit if you intend to place the unit directly on top of the desk Firewall Front Panel Figure 4 shows the front panel of the Firewa...

Страница 30: ...each have a Status LED that indicates the following Green indicates that the link between port and the next network device is operational at 100 Mbps Yellow indicates that the link between the port an...

Страница 31: ...se this connector to attach a Redundant Power System to the Firewall 11 Reset Switch recessed Use to reset the Firewall CAUTION Holding the Reset Switch when you power on the Firewall will erase the o...

Страница 32: ...l to the same physical network For example never connect the LAN and DMZ ports into the same device as this bypasses all firewall functions S LAN DMZ WAN N R F S S L B W C W N R Key S L B S C F W N eb...

Страница 33: ...he Normal position 3 Connect the Ethernet port labeled DMZ to the public servers If you are installing the Firewall DMZ and want to protect the public servers such as Web and FTP servers use the DMZ p...

Страница 34: ...wall See the following chapters for more information Chapter 3 for a quick setup guide for the Firewall Chapters 4 to 8 for full information about all the configuration options Chapter 11 for informat...

Страница 35: ...se the Installation Wizard to configure the Firewall you can activate the Installation Wizard manually To start the Installation Wizard manually click on the Tools menu followed by the Configuration t...

Страница 36: ...have finished using the Installation Wizard 2 Change the IP address to a value within the Firewall s default subnet This will be a value between 192 168 1 1 and 192 168 1 254 but not 192 168 1 254 as...

Страница 37: ...rewall manually click the Cancel button You will then be returned to the Web interface See Configuring the Firewall starting on page 49 to configure the Firewall using the Web interface Setting the Pa...

Страница 38: ...click the Next button to continue The Time Zone you choose will affect the time recorded in the logs Figure 9 Set Time Zone screen This completes the Basic setup of the Firewall The Firewall will now...

Страница 39: ...e 40 Automatic WAN Settings The Installation Wizard checks for the presence of a DHCP Server or a PPPoE server on the WAN port Depending on the server found the Firewall configures itself appropriatel...

Страница 40: ...tion Wizard s automatic detection then 1 Disconnect the power cord from the Firewall 2 Wait at least 5 seconds 3 Reconnect the power cord 4 Point your browser at the Firewall 5 Follow the instructions...

Страница 41: ...lation Wizard Using an IP Address provided by a PPPoE Server One IP address is provided by the PPPoE server This is taken by the WAN port Network Address Translation NAT will be enabled Using a Static...

Страница 42: ...first is unavailable or is unable to answer your query 4 Click the Next button to proceed to the final part of the configuration See Configuring LAN Settings on page 44 Using Multiple Static IP Addres...

Страница 43: ...by your ISP 3 WAN Gateway Router Address Enter the IP address of your route or internet access device This must be in the same address range as the WAN IP Address 4 DNS Server Address Enter the IP ad...

Страница 44: ...ynamic IP address DHCP option and click the Next button If a DHCP server is detected the Firewall will obtain its IP address automatically and will enable NAT for all devices connected to the LAN port...

Страница 45: ...you are not using NAT this screen will not appear as these settings will be the same as the WAN settings Figure 16 Configuring LAN Settings Choose an IP address for the LAN port of your Firewall and...

Страница 46: ...ate The addresses you set must be contained entirely within your LAN subnet and must be currently unused Click the Next button to continue The Firewall will now review its settings See Confirming Fire...

Страница 47: ...iguration of the Firewall click the Back button If you want to configure the Firewall manually Click the Cancel button to lose the changes made by the Installation Wizard or Click the Next Button cont...

Страница 48: ...plete the configuration of the Firewall using the Installation Wizard The Firewall will take under a minute to restart during which time the Power Self test LED will flash When the Power Self test LED...

Страница 49: ...etting up Web Filtering Chapter 6 Using the Firewall Diagnostic Tools Chapter 7 Setting a Policy Chapter 8 Advanced Settings Chapter 9 Configuring Virtual Private Network Services Chapter 10 Configuri...

Страница 50: ...50 DUA1611 0AAA02 book Page 50 Thursday August 2 2001 4 01 PM...

Страница 51: ...for another role Chapter 5 Setting up Web Filtering describes the functions available in the Filter menu of the Web interface These functions allow you to control the access your users have to informa...

Страница 52: ...available in the VPN menu of the Web interface These functions enable you encrypt and authenticate external access to your Firewall Chapter 10 Configuring High Availability describes the functions ava...

Страница 53: ...nistrator Password From the General screen select Set Password A window similar to that in Figure 22 displays If you are setting the password for the first time the default password is password Change...

Страница 54: ...x at the top of the screen If you cannot find your time zone in the list you should set this to the one with the same offset from GMT as is used at your location Use NTP Network Time Protocol to set t...

Страница 55: ...Universal Time Co ordinated UTC time UTC is the standard time common to all places in the world It is also commonly referred to as Greenwich Mean Time or World Time Many ISPs require firewall logs to...

Страница 56: ...Choose NAT Enabled if you want to use a single IP address for accessing the Internet or if you do not have an IP address allocated by your ISP for each machine that requires access to the Internet NA...

Страница 57: ...h PPPoE Client if your Internet connection for the Firewall WAN IP Address is to be obtained from a remote PPPoE server Specifying the LAN Settings For the LAN settings specify Firewall LAN IP Address...

Страница 58: ...ter the value specified by your ISP WAN DMZ Subnet Mask This value is automatically set to the LAN Subnet Mask for the Firewall unless PPPoE is selected For PPPoE enter the value specified by your ISP...

Страница 59: ...prevents users from reaching servers intended for public access such as a Web or e mail server which are crucial for effective Internet use In order to allow such services the Firewall comes with a sp...

Страница 60: ...dress Obtain these IP addresses from your ISP Usually the ISP can also supply information on setting up public Internet servers Click the Update button to save your changes To delete an address or ran...

Страница 61: ...manual addressing is used on the LAN computers Lease Time This is the amount of time that the IP address is leased or given to the client machine before the DHCP server attempts to renew that address...

Страница 62: ...CP client you can select the Set DNS Servers by Internet Firewalls DHCP Client to have these fields set automatically Dynamic Ranges When a client makes a request for an IP address the Firewall s DHCP...

Страница 63: ...requesting client type an IP address and the Ethernet MAC address of the client machine in the appropriate boxes and click Update Delete Static To remove a static address select it from the scrolling...

Страница 64: ...Service DNS is an internet service which allows users to enter an easily remembered host name such as www 3Com com instead of numerical IP addresses to access Internet resources The Firewall has a DN...

Страница 65: ...e Firewall s DNS Name Lookup tool to find the IP address of a host Ping The Ping tool bounces a packet off a machine on the Internet back to the sender This test shows if the Firewall is able to conta...

Страница 66: ...name such as www 3Com com 3 Click Refresh to display the packet trace information 4 Click Stop to terminate the packet trace and Reset to clear the results Technical Support Report The Tech Support R...

Страница 67: ...e appropriate tab This following sections are covered in this chapter Changing the Filter Settings Filtering Web Sites using a Custom List Updating the Web Filter Blocking Websites by using Keywords F...

Страница 68: ...heck the checkbox corresponding to that category ActiveX ActiveX is a programming language that is used to embed small programs in Web pages It is generally considered an insecure protocol to allow in...

Страница 69: ...selected the Firewall logs and blocks access to all sites on the Web Site Filter custom and keyword lists Log Only When selected the Firewall logs and then allows access to all sites on the Web Site F...

Страница 70: ...he Web Site Filter Custom Sites and Keywords Consent and Restrict Web Features such as ActiveX Java cookies and Web Proxy are not affected Always Block When selected Internet Filtering is always activ...

Страница 71: ...allows www 3Com com my support 3com com shop 3com com and so forth Up to 256 entries are supported in the Trusted Domains list Click Update to send the update to the Firewall Forbidden Domains To blo...

Страница 72: ...n a site is blocked When a user attempts to access a site that is blocked by the Web Site Filter a message is displayed on their screen The default message is Web Site Blocked by 3Com SuperStack 3 Fir...

Страница 73: ...difficult to add and maintain the numerical addresses of every server in the pool Many sites included in the Web Site Filter regularly change the IP address of the server to try to bypass the Web Site...

Страница 74: ...le in the event of the Filter List expiring or a download failing See Setting up Trusted and Forbidden Domains on page 71 for more information Allow traffic to all websites Select this option to provi...

Страница 75: ...se caution when enabling this feature For example blocking the word breast may stop access to sites on breast cancer as well as objectionable or pornographic sites To enable this function check the En...

Страница 76: ...sroom or library time limits are often imposed You can set up the Firewall to remind users when their time has expired by displaying the page defined in the Consent page URL box Type the time limit in...

Страница 77: ...for filtered access and the link for unfiltered access are case sensitive Enter the URL of the page you have created in the When entering these addresses you should not enter http before the address C...

Страница 78: ...tFilter html If you have changed the IP address or the Firewall use the IP Address of the Firewall instead of 192 168 1 254 Click the Update button to save your changes The link for filtered access is...

Страница 79: ...he Firewall Configuration File Upgrading the Firewall Firmware Logs and Alerts The Firewall maintains an event log which contains events that may be security concerns You can view this log with a brow...

Страница 80: ...t in Figure 34 displays Figure 34 View Log Window The log is usually displayed as a list in a table but may appear differently depending on the browser used You may have to adjust the browser s font s...

Страница 81: ...r Newsgroup blocked The LAN IP and Ethernet addresses of a machine that attempted to connect to the blocked site or newsgroup is displayed In most cases the name of the site which was blocked will als...

Страница 82: ...the source of the attack Varying conditions on the Internet can produce conditions which may cause the appearance of an attack even when no one is deliberately attacking one of the machines on the LAN...

Страница 83: ...page 92 for more information If there is a new software release an e mail notification is sent to this address Send Alerts To Alerts are events such as an attack which may warrant immediate attention...

Страница 84: ...rver field Click the Update button on the right of the browser window and restart the Firewall for changes to take effect E mail Log Now Immediately sends the log to the address in the Send Log To box...

Страница 85: ...ctivity such as administrator logins automatic loading of Web Site Filters activation and restarting the Firewall are generated This is enabled by default System Errors When enabled log messages showi...

Страница 86: ...g messages showing Ethernet broadcasts ARP resolution problems ICMP redirection problems and NAT resolution problems are generated This category is intended for experienced network administrators This...

Страница 87: ...ccessed Web sites Top 25 users of bandwidth by IP address Top 25 services that consume the most bandwidth Click Log and then select the Reports tab A window similar to that in Figure 36 displays Figur...

Страница 88: ...e Web Site Hits report to ensure that the majority of Web access is to sites considered applicable to the primary business function If leisure sports or other similar sites are on this list it may sig...

Страница 89: ...Firewall To restart the Firewall 1 Click Tools and select the Restart tab A window similar that in Figure 37 displays Figure 37 Restart Window 2 Click Restart SuperStack 3 Firewall 3 Click Yes to con...

Страница 90: ...to save and restore the configuration settings of the Firewall Click Tools and then select the Configuration tab A window similar to that in Figure 38 displays Figure 38 Configuration Window Use the...

Страница 91: ...sing Export You may need to set File type to to be able to see the exp file you exported 3 Once you have selected the file click Import 4 Once the file transfer has completed the status at the bottom...

Страница 92: ...g Factory Default Settings Click Restore to clear all configuration information and restore the Firewall to its factory state Clicking Restore will not change the Firewall s LAN IP Address LAN Subnet...

Страница 93: ...re the Firewall to send an e mail notification to the address in the Send log to box Click Tools and then select the Upgrade tab A window similar to that in Figure 41 displays To be notified automatic...

Страница 94: ...ile you have downloaded from the 3Com FTP site to a local hard drive or server on the LAN 4 Click Upload to begin the upload Make sure that your Web browser supports HTTP uploads When uploading the fi...

Страница 95: ...ay it may result in the Firewall not responding to attempts to log in If your Firewall does not respond see Chapter 12 Troubleshooting Guide 5 Restart the Firewall for the changes to take effect DUA16...

Страница 96: ...96 CHAPTER 6 USING THE FIREWALL DIAGNOSTIC TOOLS DUA1611 0AAA02 book Page 96 Thursday August 2 2001 4 01 PM...

Страница 97: ...n the appropriate tab This following sections are covered in this chapter Changing Policy Services Adding and Deleting Services Editing Policy Rules Updating User Privileges Setting Management Method...

Страница 98: ...ers of that type on the Internet The default value is enabled When the Warning Icon is displayed to the right of the check box there is a Custom Rule in the Rules tab section that modifies the behavio...

Страница 99: ...otocol type 0 0 0 0 in the box Changing NetBIOS Broadcast Settings Systems running Microsoft Windows Networking communicate with one another through NetBIOS broadcast packets By default the Firewall b...

Страница 100: ...Point to point Tunneling Protocol PPTP and IPSec are forms of VPN that allows data to pass through the Firewall without termination In some cases passing large amounts of data through the Firewall can...

Страница 101: ...icates the IP port number which defines the service either TCP Port UDP Port or ICMP Type The second number indicates the IP protocol type 6 for TCP 17 for UDP or 1 for ICMP There may be more than one...

Страница 102: ...If you create multiple entries with the same name they are grouped together as a single service and may not function as expected Disabling Screen Logs You can disable the log of events which is usuall...

Страница 103: ...he Internet Use extreme caution when creating or deleting Network Access Rules Network Access Rules do not disable protection from Denial of Service attacks such as SYN Flood Ping of Death or LAND How...

Страница 104: ...dress range Action The Action for a rule can be set to either Allow or Deny traffic across the Firewall For security reasons common protocols are often denied and more specific rules created to descri...

Страница 105: ...you want to edit Clicking on the icon will bring up the Edit Rule window where you can make the changes you need In the Edit Rule window To save your changes click Update To leave the Edit Rule window...

Страница 106: ...s The Firewall provides an authentication mechanism which gives authorized users access to the LAN from remote locations on the Internet as well as a means to bypass the Internet filtering and blockin...

Страница 107: ...names of friends family pets places and so on Good passwords can be created by Making up nonsense words such as dwizdell Including non alphanumeric ASCII characters in words such as so n c Passwords...

Страница 108: ...pting To establish an Authenticated Session you point your Web browser at the Firewall s LAN IP Address This process is identical to the administrator login A dialog box is displayed asking you for th...

Страница 109: ...wser on the LAN network When operating in this mode no Security Association information is needed Remotely from the WAN interface allows you to manage your Firewall from a remote host When operating i...

Страница 110: ...n the Authentication Key field An example of a valid authentication key is 1234567890ABCDEF1234567890ABCDEF 3 Click the Update button and then restart the Firewall for the change to take effect Using...

Страница 111: ...if it can fulfill the requests by returning a locally stored copy of the requested information If not the proxy Completes the request to the server Returns the requested information to the user Saves...

Страница 112: ...the network The Web Cache can be placed either on the WAN or the DMZ side of the Firewall The installation is the same as for a Proxy Server See below 1 Click Advanced and then select the Proxy Relay...

Страница 113: ...Wizard or by selecting Device View System Caching Set Caching Mode from the Web interface c In the Port Number field enter the number 8080 this is the default value d Do not configure Web Site Blocki...

Страница 114: ...rs in the Student Computer Lab Similarly an organization s accounting research or other sensitive resources may be protected against unauthorized access by other users on the same network By default p...

Страница 115: ...he network Devices connected to the WAN port do not have firewall or Web Site Filter protection It is advised that you use another Firewall to protect these computers 3 Connect the power cord to the b...

Страница 116: ...number of machines with restricted access rather than the larger number of machines on the corporate network Using the exclusive method you specify the IP addresses of the machines connected to the F...

Страница 117: ...to 192 168 23 100 type the starting address in the From Address box and the ending address in the To Address box To specify an individual address type it in the From Address box only You can specify u...

Страница 118: ...r To configure static routes click Advanced and then select the Static Routes tab A window similar to that in Figure 54 displays Figure 54 Static Routes Window R 1 R 2 F S S D e s i g n N e t w o r k...

Страница 119: ...nal addresses to internal addresses hidden by NAT Machines with an internal address may be accessed at the corresponding external valid IP address To create this relationship between internal and exte...

Страница 120: ...6 for details Figure 55 One to One NAT Window Table 4 Address Correspondence in One to One NAT LAN Address Corresponding WAN Address Accessed Through 192 168 1 1 209 19 28 16 Inaccessible Firewall WAN...

Страница 121: ...ge Begin box This address is assigned by the ISP Range Length Type the number of IP addresses for the range The range length may not exceed the number of valid IP address You can add up to 64 ranges T...

Страница 122: ...122 CHAPTER 8 ADVANCED SETTINGS DUA1611 0AAA02 book Page 122 Thursday August 2 2001 4 01 PM...

Страница 123: ...tab This following sections are covered in this chapter Editing VPN Summary Information Configuring a VPN Security Association Configuring the Firewall to use a RADIUS Server Using the Firewall with C...

Страница 124: ...Firewall CAUTION The Unique Firewall Identifier must be different for each Firewall within your network as VPN connections may refer to Firewalls by name Enable VPN To enable VPN connections check the...

Страница 125: ...Security Associations SAs that have been created in the VPN Configure window The Name listed in the summary table links to the corresponding VPN configuration A Renegotiate button will appear next to...

Страница 126: ...ick the Update button to save your changes To delete a SA click the drop down box labelled Security Associations and select the SA you want to delete Click the Delete button to delete the SA The Group...

Страница 127: ...tting up a SA for VPN clients which do not have a fixed IP address Security Policy The options in the Security policy area of the screen relate to the current Security Association being created modifi...

Страница 128: ...when the keys are renegotiated a low value short time will increase security but may cause inconvenience The default value for the SA Life time secs field is 28800 seconds 8 hours Enter the number 28...

Страница 129: ...d when Manual Keying is employed These fields do not appear when using IKE as your IPSec Keying Mode Encryption Method The Firewall supports seven encryption methods for establishing a VPN tunnel Thes...

Страница 130: ...Fast Encrypt ESP ARCFour uses 56 bit ARCFour to provide an encrypted VPN tunnel ARCFour is widely considered to be a secure encryption method Medium Medium Manual Key IKE Encrypt for Check Point ESP D...

Страница 131: ...n the value stated above it will be rejected by the Firewall If it is longer than stated then the number will be truncated and the stated number of digits used The Encryption Key is only used when Man...

Страница 132: ...ing a Network Range To edit a network range click of the icon of the pencil and paper next to the range you want to edit Change the range to the desired value and click the Update button Configuring t...

Страница 133: ...ribed below If you have a backup or secondary RADIUS server on your network then repeat the process for the Secondary Server fields Name or IP Address Enter the DNS name or IP address of your RADIUS s...

Страница 134: ...large network from internal threats Thus it is possible to have firewalls as portals and use Virtual Private Networks VPNs between the enterprise network and remote offices A VPN provides a secure enc...

Страница 135: ...Press the OK button when finished 3 For easier management you should create a group and place all objects that are protected by the remote Firewall in that group a Press the New button and select the...

Страница 136: ...on Key and SPI Key number must match the settings on the remote Firewall for the VPN to work 6 Now you must create a rule to allow the Check Point Firewall to exchange IPSEC packets with the remote Fi...

Страница 137: ...heckbox 2 Enter a valid destination address range referring to the LAN behind Check Point Specify the Check Point s external address as the IPSec Gateway address 3 Select the Encryption Method Encrypt...

Страница 138: ...US Server on page 132 4 If you do not have a RADIUS server or do not wish to use your RADIUS server to authenticate users ensure that the Require XAUTH RADIUS checkbox is not ticked 5 Set the SA Life...

Страница 139: ...figuring the IRE VPN Client 1 Copy the previously saved export file created in Setting up the GroupVPN Security Association to a floppy disk or to the hard drive of the client machine 2 Start the Safe...

Страница 140: ...he Security Policy Editor saving changes when prompted 6 Delete the export file from the hard drive if it was previously copied there The client is now set up to access your network safely across the...

Страница 141: ...walls together as a pair Although only one Firewall will function at a time the second will automatically take over from the first in the event of a failure Before attempting to configure two Firewall...

Страница 142: ...Do not mix the LAN DMZ and WAN networks when connecting the Firewalls together as this will compromise the security of your network All Firewall ports being used must be connected together with a hub...

Страница 143: ...ewall s serial number and network settings The bottom half of the window is used to configure High Availability 1 To enable High Availability check the Enable High Availability box 2 Enter the Serial...

Страница 144: ...artbeats respectively the backup Firewall will take over from the primary Firewall after 10 seconds in the event of a failure in the primary Firewall 6 Click the Update button Once the Firewall has be...

Страница 145: ...ton on the left side of the browser window and then click the Status tab at the top of the window Both the firmware version and the Firewall serial number are displayed at the top of the window In the...

Страница 146: ...elow High Availability Status Window One method to determine which Firewall is active is to check the High Availability status page for the High Availability pair To view the High Availability status...

Страница 147: ...mary Firewall to send e mail alerts you will receive an alert e mail when there is a change in the status of the High Availability pair For example when the backup Firewall takes over from the primary...

Страница 148: ...may be accomplished by disconnecting the active Firewall s LAN port by shutting off power on the currently active unit or by restarting it from the Web interface In all of these cases heartbeats from...

Страница 149: ...ION If the Preempt Mode checkbox has been checked for the primary Firewall the primary unit will take over operation from the backup unit after the restart is complete DUA1611 0AAA02 book Page 149 Thu...

Страница 150: ...150 CHAPTER 10 CONFIGURING HIGH AVAILABILITY DUA1611 0AAA02 book Page 150 Thursday August 2 2001 4 01 PM...

Страница 151: ...III ADMINISTRATION AND TROUBLESHOOTING Chapter 11 Administration and Advanced Operations Chapter 12 Troubleshooting Guide DUA1611 0AAA02 book Page 151 Thursday August 2 2001 4 01 PM...

Страница 152: ...152 DUA1611 0AAA02 book Page 152 Thursday August 2 2001 4 01 PM...

Страница 153: ...ided so Internet access can be tailored to the needs of the organization Just like the Custom List and filtering by Keywords see Chapter 8 access to these sites can be enabled or disabled The 3Com Web...

Страница 154: ...ote The Partial Nudity and Full Nudity categories do not include sites containing nudity or partial nudity of a non prurient nature For example web sites for publications such as National Geographic o...

Страница 155: ...mely aggressive and combative behavior or advocacy of unlawful political measures Topics include groups that advocate violence as a means to achieve their goals Includes How to information on weapons...

Страница 156: ...ental are not in this category For further details refer to http www cyberpatrol com Activating the Web Site Filter When you register the Firewall you will be given 30 days free subscription to the We...

Страница 157: ...List which computers on the Internet will be affected The more specific the better For example if traffic is being allowed from the Internet to the LAN it is better to allow only certain machines on t...

Страница 158: ...are IP address restrictions on the source of the traffic such as keeping competitors off the company s Web site type the starting and ending IP addresses of the range in the Addr Range Begin and Addr...

Страница 159: ...access to NNTP servers on the Internet 1 For the Action choose Deny 2 From the Service list choose NNTP If the service is not listed in the menu add it in the Add Service window 3 Select LAN from the...

Страница 160: ...ss of the ISP s network in the Source Addr Range Begin box and the network s ending IP address in the Source Addr Range End box 5 Select WAN from the Destination Ethernet list 6 Since the intent is to...

Страница 161: ...servers and routers and can also be used to read any file on the system if set up incorrectly X Windows 6000 This can leak information from X window displays including all keystrokes DNS Domain Names...

Страница 162: ...set your Firewall to factory default settings and can access the Web interface of the Firewall successfully 3Com recommends that you use the Restore Factory Defaults command described on page 187 Howe...

Страница 163: ...ps flashing and the Alert LED is illuminated continuously indicating that the unit has been reset and the firmware erased Reloading the Firmware Even when the firmware has been erased you can use a ba...

Страница 164: ...assword is password Once you have logged into the Web interface you may upload your saved settings file as described in Configuration on page 185 Note that the administrator password is not uploaded a...

Страница 165: ...gement station from the local Ethernet network 2 Attach the Firewall directly to the management station To do this connect a cable from the Ethernet port on the management station to the LAN Port of t...

Страница 166: ...166 CHAPTER 11 ADMINISTRATION AND ADVANCED OPERATIONS DUA1611 0AAA02 book Page 166 Thursday August 2 2001 4 01 PM...

Страница 167: ...Technical Support First try the following Make sure that all equipment is switched on Switch off the Firewall wait approximately 5 seconds and then switch it back on Wait for the Power LED to stop fl...

Страница 168: ...ernative position Ethernet Connection is Not Functioning If the Ethernet connection does not work try the following Check the physical connections to make sure they are secure Try replacing the cable...

Страница 169: ...ternet router connected to the WAN port they are not accessible to users on the LAN To see if the problem is outside the Firewall disconnect the Firewall and try to access the Internet Try restarting...

Страница 170: ...MP OAK AG SA KE NON ID VID New connection message not received Retransmitting This means the VPN client cannot contact the Firewall either because the VPN client is misconfigured or the Internet Servi...

Страница 171: ...remote users from changing the VPN client policy Click No to permit remote user configuration Then name the security policy database file spd and save it to a local folder or to a floppy disk Import...

Страница 172: ...using PPPoE without a Firewall is that the ISP requires the customer to have a PPPoE account for each computer attempting to access the Internet The Firewall is able to manage PPPoE connections elimi...

Страница 173: ...IV FIREWALL AND NETWORKING CONCEPTS Chapter 13 Types of Attack and Firewall Defences Chapter 14 Networking Concepts DUA1611 0AAA02 book Page 173 Thursday August 2 2001 4 01 PM...

Страница 174: ...174 DUA1611 0AAA02 book Page 174 Thursday August 2 2001 4 01 PM...

Страница 175: ...t its vulnerabilities to crash any server at will Denial of Service attacks work by exploiting weaknesses in TCP IP exploiting weaknesses in your servers or by generating large amounts of traffic brut...

Страница 176: ...accept any more connections and will be unresponsive Firewall Response The connection request will be completed by the Firewall and the connection monitored to check if data is sent If no data is sen...

Страница 177: ...Firewall will drop any spoofed packets log the event and alert the administrator Trojan Horse Attacks Trojan Horse attacks rely on a piece of software installed within your network prior to the attack...

Страница 178: ...178 CHAPTER 13 TYPES OF ATTACK AND FIREWALL DEFENCES DUA1611 0AAA02 book Page 178 Thursday August 2 2001 4 01 PM...

Страница 179: ...Transmission Control Protocol In TCP IP TCP works with IP to ensure the integrity of the data traveling over the network TCP IP is the protocol of the Internet IP Addressing To become part of an IP ne...

Страница 180: ...P addresses provide for varying levels of interchanges or subnetworks and extensions or device numbers The classes are based on estimated network size Class A used for very large networks with hundred...

Страница 181: ...bnet mask of 255 255 255 0 results in a sub network number of 123 45 67 0 and a device number of 89 The IP address numbers that are valid to use are those assigned by InterNIC this prevents someone se...

Страница 182: ...N which have not been assigned to you by your Internet Service Provider it is a good idea to use addresses in a special range allocated for this purpose The following three blocks of IP address space...

Страница 183: ...provides a dynamic leased address to a DHCP client This means that the client will be able to use the provided IP address for a certain period of time The DHCP server will not give this address to a d...

Страница 184: ...nge for the assigned ports managed by the IANA has been expanded to the range 0 1023 Registered Port Numbers The Registered Ports are not controlled by the IANA and on most systems can be used by ordi...

Страница 185: ...ssor The data is delivered via the Web and decrypted at the intended destination The SuperStack 3 Firewall VPN implementation uses the IPSec VPN standard This guarantees compliance with other VPN prod...

Страница 186: ...mmon terms and expressions used in VPN VPN Tunnel Tunnelling is the encapsulation of point point transmission inside IP packets A VPN Tunnel is a term that is used to describe a connection between two...

Страница 187: ...by trusted organizations Once a key has been generated the user must register his or her public key with a central administration called a Certifying Authority CA Organizations such as RSA Data Securi...

Страница 188: ...nications with secure Web Sites using the SSL protocol Many banks use a 40 bit key ARC4 for online banking while others use a 128 bit key 3Com s implementation of ARCFour uses a 56 bit key ARCFour is...

Страница 189: ...will not be accepted by the Firewall when entered as an SPI an error message will be displayed at the bottom of the Web browser window when the Update button is pressed Security Association SA A Secur...

Страница 190: ...190 CHAPTER 14 NETWORKING CONCEPTS DUA1611 0AAA02 book Page 190 Thursday August 2 2001 4 01 PM...

Страница 191: ...ix A Safety Information Appendix B Technical Specifications and Standards Appendix C Cable Specifications Appendix D Technical Support Index Regulatory Notices DUA1611 0AAA02 book Page 191 Thursday Au...

Страница 192: ...192 DUA1611 0AAA02 book Page 192 Thursday August 2 2001 4 01 PM...

Страница 193: ...safety information carefully before you install or remove the unit WARNING Exceptional care must be taken during installation and removal of the unit WARNING To ensure compliance with international s...

Страница 194: ...rer eigenen Sicherheit befolgen m ssen Alle Anweisungen sind sorgf ltig zu befolgen VORSICHT Sie m ssen die folgenden Sicherheitsinformationen sorgf ltig durchlesen bevor Sie das Ger t installieren od...

Страница 195: ...d rfen an diese Datensteckdosen angeschlossen werden Consignes Importantes de S curit AVERTISSEMENT Les avertissements pr sentent des consignes que vous devez respecter pour garantir votre s curit per...

Страница 196: ...ution des probl mes dans ce guide contacter votre fournisseur AVERTISSEMENT D branchez l adaptateur lectrique avant de retirer cet appareil AVERTISSEMENT Points d acc s RJ 45 Ceux ci sont prot g s par...

Страница 197: ...ding or 19in rack mounting using the mounting kit supplied Capacity Maximum Number of Simultaneous IP Connections 30 000 Maximum Number of Security Associations 1 000 Maximum Number of VPN Tunnels 1 9...

Страница 198: ...n Safety UL1950 EN 60950 CSA 22 2 950 IEC 950 EMC EN55022 Class A EN 50082 1 FCC Part 15 Part Class A ICES 003 Class A VCCI Class A EN 55024 CNS 13438 Class A Environmental EN 60068 IEC 68 Power Inlet...

Страница 199: ...used for Ethernet and Fast Ethernet Figure 66 Connecting the Firewall to a hub or switch using a straight through cable Figure 67 Connecting the Firewall to a Network Interface Card using a straight t...

Страница 200: ...pose Figure 68 Connecting the firewall to a hub or switch using a crossover cable Figure 69 Connecting the firewall to a network interface card using a crossover cable TxD TxD RxD RxD 1 2 3 6 Pins 4 5...

Страница 201: ...n World Wide Web site enter this URL into your Internet browser http www 3com com This service provides access to online support information such as technical documentation and software as well as sup...

Страница 202: ...maintenance application training and support services When you contact your network supplier for assistance have the following information ready Product model name part number and serial number A list...

Страница 203: ...1 463 00798 611 2230 or 02 3455 6455 00798 611 2230 0080 611 261 001 800 611 2000 Europe Middle East and Africa From anywhere in these regions call 44 0 1442 435529 phone 44 0 1442 432524 fax Europe a...

Страница 204: ...a Ecuador Mexico Paraguay Peru Uruguay Venezuela 0810 222 3266 511 241 1691 0800 133266 or 55 11 5643 2700 525 201 0004 562 240 6200 525 201 0004 525 201 0004 525 201 0004 525 201 0004 511 241 1691 52...

Страница 205: ...r Repair 205 U S A and Canada 1 800 NET 3Com 1 800 638 3266 Enterprise Customers 1 800 876 3266 1 408 326 7120 not toll free Country Telephone Number Fax Number DUA1611 0AAA02 book Page 205 Thursday A...

Страница 206: ...206 APPENDIX D TECHNICAL SUPPORT DUA1611 0AAA02 book Page 206 Thursday August 2 2001 4 01 PM...

Страница 207: ...24 automatic LAN settings 44 automatic WAN settings 39 B bandwidth usage by IP address 88 by service 88 blocking categories 69 81 broadband modems 25 C cable specifications 199 Categories tab 67 cloc...

Страница 208: ...positioning 28 purpose 19 quick setup 35 uses 19 firewall security 21 Firewall moving 35 firmware e mail notification 93 loading 93 lost 162 reloading 163 uploading 93 forbidden domains 71 front pane...

Страница 209: ...ual WAN settings 40 maximum idle time 76 web usage option 76 MIBs 202 moving your Firewall 35 N NAT 14 119 overview 24 network addressing mode 56 network access rules 23 103 creating 157 examples 159...

Страница 210: ...features 68 returning products for repair 204 routes adding 119 specifying static 117 rubber feet 29 rules creating 103 S safety information 193 sample network diagram 32 saving configuration 90 scree...

Страница 211: ...uploading firmware 93 URL 201 registration 16 URLs forbidden 23 trusted 23 user inactivity timer 107 privileges 23 106 remote access 24 settings authentication 106 users advanced 23 deleting 108 Inte...

Страница 212: ...212 INDEX DUA1611 0AAA02 book Page 212 Thursday August 2 2001 4 01 PM...

Страница 213: ...eceiver Plug the equipment into a different outlet so that equipment and receiver are on different branch circuits If necessary the user should consult the dealer or an experienced radio television te...

Страница 214: ...DUA1611 0AAA02 book Page 214 Thursday August 2 2001 4 01 PM...

Отзывы:

Нет отзывов