
LANCOM 3850 UMTS

 Chapter 7: Security settings


7.3 The security settings wizard

Access to the configuration of a device allows more than reading out critical
information (e.g. WEP key, Internet password): the entire settings of the
security functions (e.g. firewall) can also be altered. Unauthorized
configuration access therefore endangers not only a single device, but the
entire network.

Your LANCOM protects configuration access with a password. This protection
is activated during the basic configuration, when you enter a password.

The device locks access to its configuration for a specified period of time after
a certain number of failed log-in attempts. Both the number of failed attempts
and the duration of the lock can be set as needed. By default, access is locked
for a period of five minutes after the fifth failed log-in attempt. 
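
The lock behaviour described above can be modelled to see how much online password guessing the settings still permit. This is an added example, not LANCOM code: the class and function names are hypothetical, and it assumes a single device-wide failure counter that resets on a successful log-in and whenever the lock engages.

```python
from dataclasses import dataclass


@dataclass
class ConfigLock:
    """Login lock for configuration access, as described in the manual.

    Assumptions (not stated in the manual): one device-wide failure counter,
    reset by a successful log-in and whenever the lock engages.
    """
    max_failures: int = 5       # manual default: lock after the fifth failure
    lock_seconds: int = 5 * 60  # manual default: lock lasts five minutes
    failures: int = 0
    locked_until: int = 0

    def attempt(self, now: int, password_ok: bool) -> str:
        """Process one log-in attempt at time `now` (seconds)."""
        if now < self.locked_until:
            return "locked"  # rejected without evaluating the password
        if password_ok:
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked_until = now + self.lock_seconds
            self.failures = 0
        return "failed"


def evaluated_guesses(max_failures: int, lock_seconds: int,
                      window_seconds: int = 24 * 3600) -> int:
    """Count wrong passwords the device actually evaluates when one is
    submitted every second for `window_seconds` (constructed worst case)."""
    lock = ConfigLock(max_failures=max_failures, lock_seconds=lock_seconds)
    return sum(lock.attempt(t, False) == "failed" for t in range(window_seconds))


if __name__ == "__main__":
    print("default (5 tries, 5 min):", evaluated_guesses(5, 300), "guesses/day")
    # Constructed stricter setting for comparison.
    print("stricter (3 tries, 15 min):", evaluated_guesses(3, 900), "guesses/day")
    # Side effect of a device-wide lock: the administrator is locked out too.
    lock = ConfigLock()
    for t in range(5):
        lock.attempt(t, False)
    print("admin log-in during lock:", lock.attempt(60, True))
```

Under these assumptions the default settings still let 1425 wrong passwords per day be evaluated, so the lock complements a strong configuration password rather than replacing it.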

Besides these general settings, you can also check the security settings of the
wireless network with the security wizard, provided your device has a WLAN
interface.

7.3.1 Wizard for LANconfig

Mark your LANCOM Router in the selection window. From the command bar,
select Extras > Setup Wizard.

In the selection menu, select the setup wizard Control Security Settings
and confirm your choice with Next.

In the following windows, enter your password and select the allowed
protocols for configuration access from local and remote networks.

In the next step, the parameters of the configuration lock, such as the number
of failed log-in attempts and the duration of the lock, can be adjusted.
