Multitech RouteFinder RF650VPN Скачать руководство пользователя страница 189 | Manualshive

Страница: 189 / 240

Multitech RouteFinder RF650VPN Скачать руководство пользователя страница 189

Chapter 5 – PC Board Components, Upgrades, and Add-ons

Multi-Tech RouteFinder RF650VPN User Guide

189

Monitoring

Here you need to keep track of your system in terms of 'normal' usage so you can tell:

·

If your RouteFinder is working.

·

If your RouteFinder has been compromised.

·

What kinds of attacks are being perpetrated.

·

If your RouteFinder is providing the services your users need, or if upgrades or add-ons are needed.

To be proactive in solving these issues, keep track of usage reports and logs (refer to the sections on
System|User authentication, Network|Accounting, Definitions|Users, and Packet filter|LiveLog in
Chapter 3 of this manual). For information on RouteFinder upgrades and add-ons refer the preceeding
section called Software Upgrades and Add-ons.

Updating

This involves keeping both yourself and your RouteFinder abreast of new bugs, new attacks and new
patches, new tools and resources, etc. Much of the RouteFinder updating effort can be done
automatically (refer to the System|Up2Date Service section in Chapter 3 of this manual). Administrators
can keep themselves current with mailing lists, news groups, security forums, etc. (refer to the section on
Pre-Installation Planning in Chapter 1 of this manual for additional sources of information).
The SANS Institute and the National Infrastructure Protection Center (NIPC) produces a document
summarizing the Twenty Most Critical Internet Security Vulnerabilities. Thousands of organizations use
the list to prioritize their efforts so they could close the most dangerous holes first. It is segmented it into
three categories: General Vulnerabilities, Windows Vulnerabilities, and Unix Vulnerabilities. The
SANS/FBI Top Twenty list is valuable because the majority of successful attacks on computer systems
via the Internet can be traced to exploitation of security flaws on this list. While manually checking a
system for each of the listed vulnerabilities is possible, a more practical way to find UNIX and Windows
vulnerabilities is to use an automated scanner.

Bob Todd, the author of the free Internet scanner SARA, created a version of SARA that finds and reports
on the status of the SANS/FBI Top Twenty list. SARA’s Top Twenty Vulnerability scanner is available
from the Center for Internet Security (

www.cisecurity.org

). To request a copy, email

[email protected]

with the subject "Top Twenty Scanner." Several commercial vulnerability scanners

may also be used to scan for these vulnerabilities, and the SANS Institute maintains a list of all scanners
that provide a focused Top Twenty scanning function at

www.sans.org

.

«
...
187
188
189
190
191
...
»

Содержание RouteFinder RF650VPN

Страница 1: ...RF650VPN Internet Security Appliance User Guide...

Страница 2: ...al released for RouteFinder software version 1 92 B 12 04 01 Manual revised for RouteFinder software version 2 00 Refer to Appendix C for a description of changes C 02 25 02 Updated with changes to Ap...

Страница 3: ...Introduction 34 System 35 Definitions Networks and Services 63 Network Network Settings 74 Proxies Application Gateways 111 VPN Virtual Private Networks 121 Help The Online Help Functions 158 Chapter...

Страница 4: ...plication Examples and How to Use Remote Syslog 195 Appendix B Cable Diagrams 203 Appendix C The WebAdmin Menu System 206 Appendix D User Authentication Methods 211 Appendix E Regulatory Information 2...

Страница 5: ...ultiVOIPs and public servers such as email and web to be safely connected And its full featured router hardware allows the entire network to share an Internet link by connecting to an existing cable m...

Страница 6: ...ther 10 Mbps or 100 Mbps the LINK LED is on if the WAN Ethernet link is invalid the LINK LED is off ACT The ACT Activity LED indicates either transmit or receive activity on the WAN Ethernet port When...

Страница 7: ...el components are described in detail in the Cabling Procedure section in Chapter 2 of this manual Ship Kit Contents The RF650VPN is shipped with the following one RF650VPN one or two power cords two...

Страница 8: ...net access for up to 255 LAN users with one IP address Internet access control tools provide client and site filtering Traffic monitoring and reporting IP address mapping port forwarding and DMZ port...

Страница 9: ...tification Contact the SANS at http www sans org newlook home htm Linux FreeS WAN is an implementation of IPSEC and IKE for Linux Several companies are co operating in the S WAN Secure Wide Area Netwo...

Страница 10: ...been developed and work has begun on defining and mapping the GASSP Broad Functional Principles Go to http web mit edu security www gassp1 html The Center for Internet Security The Center founded in...

Страница 11: ...y policy must also address who is allowed high speed remote access and any extra requirements associated with that privilege e g all remote access via DSL requires that a firewall be installed You wil...

Страница 12: ...nd from 1995 to 2001 the world wide increase in domains names has been almost exponential The systems in the global network communicate via the Internet Protocol Family IP including TCP UDP or ICMP Th...

Страница 13: ...cations running on the machine In more complex network layer firewall implementations the packet filtering process includes the interpretation of the packet payload The status of every current connect...

Страница 14: ...ogging and analysis of the protocol s usage Examples of existing proxies are The SMTP proxy responsible for email distribution and virus checking The HTTP proxy supporting Java JavaScript ActiveX Filt...

Страница 15: ...nternet Each of these methods has advantages and disadvantages as there is a conflict between the resulting costs and the security requirements Virtual Private Networking VPN establishs secure i e enc...

Страница 16: ...nts Note Please print this document and use it to fill in your specific RouteFinder and network information e g the IP address used e mail lists etc Enter the configuration information e g the Default...

Страница 17: ...ppropriate field of the Address Table below Please print this document and use it to fill in your specific RF650VPN and network information e g the IP address used e mail lists etc and keep for future...

Страница 18: ...s for battery replacement Caution The Phone and Ethernet ports are not designed to be connected to a Public Telecommunication Network Safety Recommendations for Rack Installations Ensure proper instal...

Страница 19: ...LAN Port RF650VPN Back Panel Connections 1 Using an RJ 45 cable connect the DMZ RJ 45 jack to the DMZ optional e g a Voice over IP gateway like MultiVOIPs or a public server such as e mail or web 2 U...

Страница 20: ...workstation to the RF650VPN s LAN port via Ethernet 2 Set the workstation IP address to 192 168 2 x subnet 3 Connect to the Internet at the RF650VPN WAN port 4 Make an Internet PUBLIC IP address so it...

Страница 21: ...o the Password entry and type the default Password of admin all lower case Click Login The User and Password entries are case sensitive both must be all lower case and can be up to 12 characters each...

Страница 22: ...n status light next to a function indicates that the function is enabled to disable the function click the Disable button next to the green status light A red status light next to a function indicates...

Страница 23: ...Guide 23 1 At the Welcome to WebAdmin screen click on System Settings The following screen displays a Add your own email address for alerts and notification b Remove the default email address c Optio...

Страница 24: ...on the LAN port the Private LAN on eth0 For example Name LAN IP address 192 168 2 0 Subnet mask 255 255 255 0 3 Click on Network Interfaces The Local Host screen displays Required changes a Change the...

Страница 25: ...order for you to configure the RouteFinder again You also need to reconfigure step 2 so your new IP network is defined e Click Save on the Network card eth0 settings Required changes f Change the IP...

Страница 26: ...will enable NAT between the LAN port and the WAN port 5 Click on Packet Filter Rules a Add the rule Any Any Any Allow This allows any service from any server to any client Note you will want to change...

Страница 27: ...en using PPTP tunneling 1 Check the following on the Microsoft web site for PPTP updates and patches http support microsoft com support kb articles Q285 1 89 ASP and http support microsoft com support...

Страница 28: ...k on VPN PPTP Roadwarrior VPN The PPTP Remote Access screen displays a Enable PPTP Status b Enable Debug c Select an Encryption Strength and click Save d Click on Definitions Networks e In the Command...

Страница 29: ...part of the main IP network of the LAN port private LAN You can assign up to 128 addresses g Click on Definitions Users h The User definition screen displays Define a new user check Remote access PPT...

Страница 30: ...N configuration is shown below a LAN to LAN configuration is shown at the end of this section The IPSec VPN Gateway Client to LAN configuration aka IPSec roadwarrior configuration is shown below IPSec...

Страница 31: ...dd network screen displays Define all the Networks and Hosts for the VPN connection 2 Click on VPN IPSEC Configurations The Edit rule screen displays a Enable VPN Status b Enable IKE Debugging c At Ne...

Страница 32: ...of the WAN port Local subnet should be the private IP Network on the LAN port f Select the Remote IP and Remote subnet The Remote IP should be the Public IP address of the WAN port on the remote site...

Страница 33: ...H and SCP clients can be downloaded from http www chiark greenend org uk sgtatham PuTTY http winscp vse cz eng http www ssh com products ssh 1 The login name for SSH loginuser default login name and d...

Страница 34: ...ed Secure Shell ssh access The aim of the administrator should be to let as little as possible and as much as necessary through the RouteFinder for both incoming as well as outgoing connections Note F...

Страница 35: ...ser Guide 35 System The System menu contains all of the functional configuration sub menus for the RouteFinder Settings Licensing Up2Date Service Backup User Authentication WebAdmin Site Certificate S...

Страница 36: ...3 RouteFinder Software Operation Multi Tech RouteFinder RF650VPN User Guide 36 Settings From System Settings you can define Notifications SSH WebAdmin HTTPS WebAdmin password Automatic Disconnect Syst...

Страница 37: ...try Remote Syslog In the Remote Syslog window select the desired Remote Syslog host from the drop down box and click Save Remote Syslog lets you pass on all log messages of the firewall to another sys...

Страница 38: ...akes about one minute During this time it seems as if the connection is frozen or can t be established After that the connection returns to normal without any further delay The networks that are to be...

Страница 39: ...TP provides full flexibility of cryptographic algorithms modes and parameters The Allowed Networks dropdown list lets you select the networks from which access to WebAdmin is allowed You can Add new s...

Страница 40: ...n session without leaving WebAdmin via Exit the last session stays active until the end of the time out and no new administrator can log in If using ssh you can manually remove the active session if y...

Страница 41: ...time period as a straight line at the height of the old value All the values for Accounting in this time period are 0 Backward time adjustment summer to wintertime The time based reports already conta...

Страница 42: ...support Each RF650VPN ships with a unique individual License Key It is a 35 digit code that is provided on the RouteFinder s System CD Enter the license key for your RouteFinder and click Add When yo...

Страница 43: ...is mistaking a 0 zero for an o the letter O Another error is entering upper case letters or symbols The License Key number is tied to and tracked with your RouteFinder s serial number Whenever you re...

Страница 44: ...Up2Date service your RouteFinder can be continually updated with new virus patterns system patches and security features The Up2Dates are signed and encrypted and are read in via an encrypted connecti...

Страница 45: ...virus detection patterns for the firewall s virus scanner Click the Start button in the bottom table to start the Pattern Up2Date process To ensure that patterns stay up to date at all times this pro...

Страница 46: ...time interval after which the RouteFinder checks for new Up2Dates at the specified Up2Date server The selectable time intervals are Every hour Every night and Every week 3 Save the time interval by cl...

Страница 47: ...en read in the backup the comment is displayed 3 Click the Start button to create the backup file The backup file that contains your configuration is now created on theRouteFinder The message Backup h...

Страница 48: ...n compatible backup a brief summary of the backup content is displayed 5 Verify the backup information 6 Import the backup file into the active system by clicking the Start button The backup is then i...

Страница 49: ...ile sent to the indicated e mail address is typically from 3 10 Kb in size To delete an unneeded e mail address highlight it click Delete then click Save Generate E mail Backup File 1 Open the Backup...

Страница 50: ...ed not be created on the RouteFinder again User authentication is also used with the PPTP VPN function More information about PPTP Roadwarrior VPN is in the VPN directory later in this chapter At the...

Страница 51: ...erver for user authentication Radius also manages technical information needed for the communication of the router with the equipment of the caller This includes for example the protocols used IP addr...

Страница 52: ...ers Now assign all those users that are to be able to use the appropriate service to this group 3 Activate the user flag Allow dial in access to the network of every user in these groups This setting...

Страница 53: ...ster 11 If User Authentication is still disabled red light activate it by clicking the Enable button At Authentication types choose Radius from this select menu 12 Confirm your entries by clicking the...

Страница 54: ...DNS names The RouteFinder only supports names consisting of alphanumeric and minus and full stop characters Special characters such as _ are not permitted PDC IP Enter the IP address of the primary do...

Страница 55: ...your browser Create a Site Certificate for WebAdmin 1 Open the WebAdmin site certificate menu in the System directory 2 Enter your organization s data into the select menu entry fields Country code U...

Страница 56: ...curity Alert window install import the CA certificate into your browser by clicking the Yes button at the bottom of the screen 3 If your browser asks you what to do with the file tell it to open it im...

Страница 57: ...n the certificate and click OK The Save As screen displays 6 Enter the filename and location to save the certificate file and click Save The Download complete screen displays 7 Check the Close this di...

Страница 58: ...Tech RouteFinder RF650VPN User Guide 58 Install a Certificate into the Trusted Root Certification Authorities Store 1 At the Certificate Information window click Install Certificate 2 At the Welcome...

Страница 59: ...he certificate automatically placed or you can Browse to a particular location If you elect to place all certificates into a selected location follow the on screen prompts for Select Certificate Store...

Страница 60: ...the Certificate Information window click OK The certificate is successfully installed Note Due to system time differences and world timezone offsets it may be that the generated certificate is report...

Страница 61: ...ge Do you really want to shut down is displayed If you do not want to shut down the RouteFinder click the Cancel button to return to the System Shut down menu If you want to shut down the RouteFinder...

Страница 62: ...really want to shut down is displayed Click the OK button to confirm that you want to restart the RouteFinder WebAdmin software The complete restart can take 4 to 5 minutes When the restart process is...

Страница 63: ...efinitions names instead of having to deal with IP addresses ports and network masks Being able to group networks and services is an additional step saver All settings that are then made in the networ...

Страница 64: ...not be deleted or edited Add Network 1 Open the Network menu in the Definitions directory 2 Enter a straightforward name into the Name entry field This name is later used to set packet filter rules et...

Страница 65: ...creen is displayed You can then edit an existing entry s Name IP address or Subnet mask Delete Network You can remove a network from the list by clicking the del Command the message Do you really want...

Страница 66: ...be added or deleted together Note Every change in Network Groups is effective immediately Define Group Networks 1 Open the Network Groups menu in the Definitions directory 2 Assign a straightforward...

Страница 67: ...to edit from the Name select menu 3 Click the Show button All the networks that are in the selected network group are displayed in the Selected Networks menu The Available Networks window lists all t...

Страница 68: ...Any ICMP AH and ESP UDP uses ports between 0 and 65535 and is a protocol that doesn t use the ACK Bit UDP is well suited for streaming media and works faster than TCP especially when sending small am...

Страница 69: ...e g 80 a list of port numbers separated by commas e g 25 80 110 or a port range e g 1024 64000 separated by a colon 5 Set the D Port Server destination port number The entry options are a single port...

Страница 70: ...erations such as creating a higher level service group or to set packet filter rules 3 Confirm your entries by clicking Add The Edit Group menu is displayed All available services are contained in the...

Страница 71: ...elected Service group The Available Services window lists all the services defined for your RouteFinder Remove Service 1 Open the Service Groups menu in the Definitions directory 2 In Show Group selec...

Страница 72: ...should be able to use proxy services This setting is equivalent to adding the user to the allowed user list in the proxy configuration pages Available proxies are HTTP and SOCKS Add User 1 Open the Us...

Страница 73: ...Chapter 3 RouteFinder Software Operation Multi Tech RouteFinder RF650VPN User Guide 73 Delete user By clicking the Delete button you delete the user from the Users table...

Страница 74: ...SNAT the destination and source address of the IP packets are converted With Masquerading you can hide private networks from the outside world behind one official IP address The Portscan detection me...

Страница 75: ...or the RouteFinder The first network card eth0 is always the interface to the internal network LAN and is called the trusted network The second network card eth1 is the interface to the external netwo...

Страница 76: ...der IP address is entered as the default gateway in the protected networks Interfaces Menu During initial installation the RouteFinder automatically recognises the installed network cards and adds the...

Страница 77: ...has an Interface Route You can use this function to half bridge a network into another LAN segment NOTE All packet filtering rules still apply when Proxy ARP is enabled This is not a full bridging fun...

Страница 78: ...er to re establish access When you make a change that effects other WebAdmin functions and configurations an information screen displays If the automatic changes are acceptable continue editing If the...

Страница 79: ...rd for all the networks known to it This means that the RouteFinder will accept and forward packets on the Proxy ARP interface for all other directly connected networks This function is necessary in s...

Страница 80: ...sk in the appropriate entry fields 3 Confirm your entry by clicking the Save button Proxy ARP on This Interface If you select the Proxy ARP on this Interface checkbox for a network card the RouteFinde...

Страница 81: ...e It is recommended that you set your computer with a static IP if you want to use DMZ Proxy ARP on this Interface If you checked the Proxy ARP on this Interface checkbox for a network card the RouteF...

Страница 82: ...face Hardware Interface select eth0 for the internal LAN eth1 for the external WAN or eth2 for the DMZ IP Address enter the network IP address for the network named Netmask enter the Netmask to be use...

Страница 83: ...ed to which interface Choose a predefined network or network card from the pull down list When you edit and or delete existing routing entries the interface adapts accordingly Static Routing Use this...

Страница 84: ...his network Using the menus select which network is routed onto which interface Define Interface Routing 1 Open the Routing menu in the Network directory 2 Select one of the already defined networks a...

Страница 85: ...n the Routing menu in the Network directory 2 Select an already defined network from the select menu in Static IP route 3 Enter the external IP address into the entry field on the right 4 Confirm your...

Страница 86: ...g table The columns Destination Gateway and Iface interface are especially relevant Destination is the address of the target system or network Gateway is the address of the router Iface Interface indi...

Страница 87: ...server with the IP address 192 168 0 20 accessible to clients outside your LAN These clients cannot contact its address directly as the IP address is not routed in the Internet It is however possible...

Страница 88: ...t mask 255 255 255 255 3 In Post DNAT destination select a host to which the IP packets are to be diverted Only one host can be defined as the Post DNAT destination If you are using a port range as th...

Страница 89: ...ranges are also possible From the Source drop down list you can select Any default DNS FTP FTP CONTROL HBCI HTTP HTTPS IDENT NEWS POP 3 SMTP SNMP SSH Telnet netbios dgm netbios ns or netbios ssn Dest...

Страница 90: ...included in the translation The translation only takes place if the packet is sent via the indicated network interface The address of this interface is used as the new source of the data packets This...

Страница 91: ...Computer A with the address XY is inside a masked network within the RouteFinder It starts an HTTP request into the Internet Computer A and all computers in this network use the only official IP addre...

Страница 92: ...ith the Enable button next to Status The default setting is enabled green traffic light 3 From the Action for portscanner traffic select menu choose the action to be carried out against the discovered...

Страница 93: ...ion Normal network activities such as Traceroute or an FTP data traffic with many small files can be interpreted as a portscan by PSD For this reason it is recommendable to exclude certain source and...

Страница 94: ...the connection to a remote host The program Ping sends an ICMP echo packet to a different computer When the computer receives the ICMP echo packet its TCP IP Stack must send an ICMP reply packet back...

Страница 95: ...100 pings 3 Enter the IP address or the name into the Host entry field e g port 25 for SMTP 4 To activate the Name Resolution function check the corresponding check box 5 Start the test connection by...

Страница 96: ...ear to indicate a time out After a fixed number of time outs the attempt is aborted This can have various reasons e g a packet filter doesn t allow traceroute Should no name be locatable despite activ...

Страница 97: ...ress and port 80 HTTP service Note For the Name Resolution function to operate the DNS proxy function in the Proxies DNS menu must be enabled Start TCP Connect 1 Open the Tools menu in the Network dir...

Страница 98: ...face to the DMZ is entered in the accounting but one particular computer in the DMZ is not to be accounted As this one computer might only be used for internal purposes it does not make sense to inclu...

Страница 99: ...g Rules All data traffic is filtered by the packet filter according to a set of rules that you define in Packet Filter Rules This set of rules is a central tool of your IT security Generally speaking...

Страница 100: ...ng from four drop down lists All services networks and groups previously created in Definitions are presented for selection In Edit rule use the Save button to create the appropriate rule as a new lin...

Страница 101: ...groups The selection Any applies to all IP addresses regardless of whether they are officially assigned addresses or so called private addresses according to RFC1918 The initial To Server select optio...

Страница 102: ...rule set the rules are sorted accordingly E g if you want to sort the table according to sender networks click From Client To go back to the order of Matching click Nr Broadcast on the whole Internet...

Страница 103: ...If the ICMP settings are disabled separate IPs and networks can be allowed to send ICMP packets through the RouteFinder by using appropriate packet filter rules ICMP Forwarding At Packet Filter ICMP...

Страница 104: ...or passed through to the local network and all connected DMZs Note To be able to use the tools Traceroute and Ping the function ICMP on firewall must be enabled After a successful start up of the Rout...

Страница 105: ...ilter violations in real time The Filter LiveLog reports the packet filter and NAT rules The Packet filter violation Log shows the packets that have not successfully passed the rule set of the packet...

Страница 106: ...see the result of the filter rule set in real time All the system generated filter rules are also shown here For the Current packet filter rules display fields the rules are currently valid and are ta...

Страница 107: ...et filter rules i e you must scroll past the former to view the later If an application such as online banking is not working after implementing the RouteFinder you can see if any packets were filtere...

Страница 108: ...e log with the latest violation information To re start the violation log again click start LiveLog The RouteFinder logging function is extremely important to your organization s security The logs pro...

Страница 109: ...wledge PSH Push the current packet RST Reset the current connection SYN Session request FIN Request to close a session By selecting open Packetfilter violation LiveLog you can view violations in real...

Страница 110: ...accept rule as well as the Statefull Inspection rule that accepts all ESTABLISHED and RELATED connections TTT_ACCEPT In this Chain you find the rules defined in WebAdmin which have an interface ip eit...

Страница 111: ...ls it usually offers more sophisticated features for logging and real time analysis of transferred content In the Proxies directory select a proxy entry and configure the settings At startup all proxi...

Страница 112: ...an active Proxy you need matching browser settings TCP IP address of your RouteFinder and port 8080 otherwise the Proxy must be run in transparent mode Requests to HTTPS TCP IP port 443 are forwarded...

Страница 113: ...a configured browser the proxy can only be run in transparent mode Transparent mode The HTTP requests to port 80 are transferred from the internal network and diverted through the proxy For the browse...

Страница 114: ...the menu Edit Settings Extended Proxies 2 At manual proxies configuration click the View button 3 At No proxy for enter the IP address of your RouteFinder 4 Click the OK button to save the entries In...

Страница 115: ...filter enabled you can still save cookies by using JavaScript by configuring your browser settings as follows Netscape EDIT PREFERENCES ADVANCED MSIE EXTRAS SECURITY ADJUST SETTINGS COOKIES SCRIPTING...

Страница 116: ...ithout further notice Configure SMTP Proxy 1 Open the SMTP menu in the Proxies directory 2 Clicking the Enable button next to Status to switch on enable the SMTP proxy 3 Configure the SMTP proxy using...

Страница 117: ...any time Note if you assign Any then everybody connected to the Internet can use your SMTP proxy for SPAM purposes SMTP routes here you determine the MTA Mail Transfer Agent to which each incoming do...

Страница 118: ...of the external name server into the entry field Confirm every IP address by clicking the Add button The name servers are entered into a window below and can be deleted again any time DNS administrato...

Страница 119: ...lly does not need to be configured Note All changes in Proxies becomes effective immediately without additional notice Note If SOCKS5 clients that do not resolve DNS names themselves are being used th...

Страница 120: ...0 the standard SOCKS port must be entered in the client application s configuration You can add multiple interfaces to listen on for more advanced configurations Finally select if you would like to us...

Страница 121: ...and data encryption according to an open standard IPSec VPN secured connections only allow authenticated stations to communicate with each other No one else can read or change the information of these...

Страница 122: ...exchange A VPN server is a economical and secure way to transfer information and can replace expensive dedicated lines between companies or branches Example You are a member of an IT team at company...

Страница 123: ...n indicates that the function is enabled to disable the function click the Disable button next to the greenstatus light A red status light next to a function indicates that the function is disabled to...

Страница 124: ...supported by both sides of the connection Authentication method secret Secret means that a symmetric key exists Both the Sender and Recipient must own the same for all other secrets key to establish...

Страница 125: ...LAN 3 Confirm the name by clicking the Add button Additional entry fields and selection options display in the New connection window 4 Using the entry and select menus configure the new VPN connectio...

Страница 126: ...irewall that is to be accessed from the local site or from which you want to be able access the local site 5 Save the entries by clicking the Save button After you have created a VPN tunnel at Packet...

Страница 127: ...nection ESP the ESP Encapsulating Security Payload method enter an option for ESP typically IPSEC encryption mode Settings here are for encryption using triple DES and authentication using MD5 The sel...

Страница 128: ...ible that due to the time out mechanism WebAdmin will close even though generation of the RSA key is still underway This is because the generation of the RSA key is taking too long or the time out per...

Страница 129: ...t use the old RSA key will become inoperable We recommend using RSA keys with a minimum length of 1536 Bits To generate a new RSA key at VPN IPSec RSA key Generate RSA key perform the following steps...

Страница 130: ...Key XXX Bits The transmission state of the private part of your RSA key to the VPN counterpart is displayed here When you configure a new VPN connection if you use an IPSec Connection with the authori...

Страница 131: ...Export RSA key With this function you can export your RSA key and download it onto your local administration pc Make sure that no one receives unauthorized access to the RSA keys To export an RSA key...

Страница 132: ...Tu Krbc71H4oIFd xqKJnt U8x25M0Wbxr0gQngECdZPWHj6KeSVtMtslzXMkxDecdawo CadPtPiH Iln23GKUOt3GoDVMob fob9wBYbwdHOxPAYtN QBxNPEU9PGMxQdYp8io72cy0duJNCXkEVvpvYvVzkmp0x VYOWYkfjiPsdhnz5FCitEh6XsCe0ctByoLjKA...

Страница 133: ...ng RSA key at VPN IPSec RSA key perform the following steps 1 Under Import RSA key to the right of Option to import an RSA key click Browse The Windows Choose file screen is displayed to let you selec...

Страница 134: ...ou can view important processes or error messages VPN logs By clicking the VPN LiveLog button you open a new window in which you can view VPN activities in real time VPN Routing This window shows all...

Страница 135: ...own pool in Definitions Networks and set it to be used as the PPTP pool here Alternatively you can assign a special IP to each user when you define their account see Definitions Users This IP does NO...

Страница 136: ...twork as the PPTP IP pool The users of the PPTP service are defined in Definitions Users where you can also assign IP addresses to certain users These IP addresses do not need to be part of the used p...

Страница 137: ...soft Windows 98 and Windows ME MS Windows 2000 only has a standard 40 bit encryption strength setting For a 128 bit encryption strength you also need the High Encryption Pack or Service Pack 2 SP2 can...

Страница 138: ...ame for the PPTP connection into the entry field of the Complete Wizard window Then click the Next button 13 By right clicking the new symbol in the Start Settings Network and DUN connections window y...

Страница 139: ...plays external NIC IP packet byte counts Selfmonitor provides e mail notification of system level issues Portscans disables and logs attempted portscans The data in the Reporting logs could be useful...

Страница 140: ...ry to cover up the issue e g missing log files or deleted entries 3 Most mysteries Unknowns don t mean anything Most of the time the issue turns out to be a client user error or a glitch in reporting...

Страница 141: ...teFinder displays a System uptime window which documents the availability of your RouteFinder the time elapsed between the last boot and the current time This menu shows the date when your system was...

Страница 142: ...of the graph or by clicking on the respective graphic you open additional graphs with the daily weekly monthly and yearly usage statistics on CPU RAM and SWAP utilization By clicking Back in the top r...

Страница 143: ...M The more RouteFinder processes that are in execution the less RAM is available SWAP utilization This function reflects the actual usage of the swap file on the RouteFinder s hard disk drive The used...

Страница 144: ...played with the average weekly monthly or yearly values By clicking the Back button you go back to the original overview In the Internal Network traffic window the day s data traffic utilization is sh...

Страница 145: ...ce routes are inserted by the system and cannot be edited Further manual entries can be made in the Network Routing menu described earlier in this chapter The Network connections table shows all the c...

Страница 146: ...n Foreign Address the destination IP address and port for example 192 168 2 40 1034 State the status of the connection The set of possible states reported are for example LISTEN ESTABLISHED TIME_WAIT...

Страница 147: ...the average daily weekly monthly and yearly values By clicking the Back button you go back to the original overview For this reporting the HTTP proxy function must be enabled otherwise the diagrams on...

Страница 148: ...uide 148 The HTTP memory hits diagram shows the percentage of cache hits occurring while the requested object was still in RAM as opposed to being loaded from disk Note For this reporting the HTTP pro...

Страница 149: ...oxy The Reporting SMTP proxy menu displays the RouteFinder s SMTP proxy e mail usage and status in two windows called SMTP Logs and SMTP Status SMTP Logs shows a real time log of the e mail traffic vi...

Страница 150: ...ch RouteFinder RF650VPN User Guide 150 A sample SMTP LiveLog screen is shown below When SMTP LiveLog is inactive click start LiveLog to begin real time logging SMTP activity When SMTP LiveLog is activ...

Страница 151: ...utgoing e mails Messages in queue Shows the total number of e mail messages in the RouteFinder s SMTP proxy queue Messages in queue but not yet pre processed Shows the number of received and queued me...

Страница 152: ...e Select All checkbox or select an individual entry select a function from the dropdown list e g delete selected entry and click Go The selected function is performed on the selected e mail s By click...

Страница 153: ...rk cards and sums up their sizes Each day s total is calculated once a day Additionally the number of bytes of data is calculated for each month The displayed traffic will match what your ISP charges...

Страница 154: ...e information Selfmonitoring controls the function performance and security of the system parameters and takes regulating measures when it detects divergences that go beyond a certain tolerance The sy...

Страница 155: ...Chapter 3 RouteFinder Software Operation Multi Tech RouteFinder RF650VPN User Guide 155...

Страница 156: ...onitoring LiveLog active click stop LiveLog at the bottom of the Selfmonitoring display to halt the real time Selfmonitoring log With the Selfmonitoring LiveLog inactive click start LiveLog at the bot...

Страница 157: ...porting Portscans by clicking the open Portscan LiveLog button A Portscan Detection PSD LiveLog window is displayed If a portscan is detected and blocked the administrator is notified by e mail The e...

Страница 158: ...you can perform a full text search The search is not case sensitive The search results are displayed in the order of appearance of the term you searched for You can limit the number of search results...

Страница 159: ...Help Index all WebAdmin menus are listed alphabetically The indicated path states where the particular function is to be found in WebAdmin By clicking the desired term Online Help is started and the...

Страница 160: ...on bar Exit Exit RouteFinder If you close the browser in the middle of a WebAdmin session via Exit the last session stays active until the end of the time out and no new administrator can log in The t...

Страница 161: ...teFinder can connect individual telecommuters to the office network by creating a separate secure tunnel for each connection or it can connect entire remote office networks together as a LAN to LAN co...

Страница 162: ...content Q10 Is Virtual Server support provided on my RouteFinder A10 Yes in addition to providing shared Internet access the RouteFinder can support a web ftp or other Internet servers Once configured...

Страница 163: ...n IP alias on your NIC and make a script in etc rc d rc2 d to have it run at each boot put it at S99 to be sure Just don t use ifconfig to do that as it is deprecated in 2 4 kernels The command to add...

Страница 164: ...terfaces in Network Interfaces Here you define your Network Interface settings as well as your default gateway for example Internal 192 168 100 1 255 255 255 255 External 194 162 134 10 255 255 255 12...

Страница 165: ...s Since government encryption policy is influenced by the agencies responsible for gathering domestic and international intelligence e g the FBI and NSA the government tries to balance the conflicting...

Страница 166: ...8 1 10 255 255 255 255 ASL_Extern 1 2 3 4 255 255 255 255 Go to Definitions Services and define entries for the control connection and the passive mode port range that the RouteFinder will use FTP_ALT...

Страница 167: ...anonymous ftp from ftp ftp nec com pub socks NEC s SOCKS V5 Reference Implementation of SOCKS V5 socks5 is available at ftp ftp nec com pub socks cgi bin download pl Both packages include clients for...

Страница 168: ...nts describing Version 4 SOCKS V4 protocol and extension to SOCKS V4 protocol There are three RFCs for SOCKS V5 related protocols RFC1928 Describes SOCKS Version 5 protocol also known as Authenticated...

Страница 169: ...problems Check the Lost Sent columns for an indication of the router experiencing problems A particular router sustaining a high loss percentage rate is a reasonable indicator that there s a problem...

Страница 170: ...cket filter violation LiveLog a window opens with the rule violations listed in order of occurrence see Chapter 3 of this manual Note Packets dropped by the Drop setting in Packet Filter Rules do not...

Страница 171: ...reen is re displayed Action Enter the correct User and Password in the proper format The User and Password are case sensitive Try turning off your keyboard s Caps Lock key When the User and Password a...

Страница 172: ...thentication method but you did not type in a Secret in the Secret field Action Enter one or more valid characters in the Secret entry field then click Save Valid characters include alpha numeric dash...

Страница 173: ...ing administration Services are definitions for data traffic via networks e g the Internet A service definition consists of a name the protocol and the source port S Port and destination port D Port T...

Страница 174: ...ontext sensitive Helps for additional information Message Remark Error Header error_header 11 Message ERROR Error Header error_header 12 Message ERROR Loop detected Error Header error_header 13 Messag...

Страница 175: ...seconds or more Message Error Error Header error_header 21 Message Message Error Header error_header 22 Message Restart Error Header error_header 23 Message Wrong IP address Error Header error_header...

Страница 176: ...Chapter 4 Troubleshooting Multi Tech RouteFinder RF650VPN User Guide 176 Action Enter an IP address that is valid for the IP address Menu Entry field...

Страница 177: ...a Network Name at Definitions Networks that has previously been entered Recovery Enter a unique previously unentered Name in the entry field Message Password was changed successfully Error Header err...

Страница 178: ...ail At least one valid existing e mail address must be entered Recovery Enter an existing valid email address e g admin yourhost com and click Save Message System restarts Error Header error_message 3...

Страница 179: ...Message Please type in a TCP port i e 25 for SMTP Error Header error_message 39 Meaning You entered an inconsistent TCP port number in an entry field For example At Network Tools TCP connect you did n...

Страница 180: ...IP IP necessary for COUNT VPN connections Error Header error_message 50 Message Connection with name NAME already exists Please choose another one Error Header error_message 51 Message The parameter N...

Страница 181: ...ormation program and protocol The function of this server is to deliver machine readable name address information describing networks gateways hosts and eventually domains within the Internet environm...

Страница 182: ...information keyboard and monitor connection information PC board component descriptions on going maintenance information e g RouteFinder housekeeping monitoring and updating and a hard disk drive reco...

Страница 183: ...RF650VPNs had a 128MB PC100 Non ECC DIMM VGA CRT connector this connector allows attachment of a monitor for configuration and reporting purposes CN4 Floppy drive connector The floppy drive connector...

Страница 184: ...nplug the fan power plug from the FAN1 connector on the pc board 3 Gently press down on the top of the metal fan retaining strip and unlatch it from the plastic retaining tab Fan1 is mounted directly...

Страница 185: ...d Disk drive ribbon cable Keyboard Connection KB1 is a keyed 6 pin MiniDIN PS 2 interface on the RF650VPN pc board used for connecting a keyboard Perform the following steps to attach a keyboard to th...

Страница 186: ...ll receive renewal notices from Multi Tech prior to the end of your subscription The latest virus pattern updates can then be downloaded from the Multi Tech server The RF650VPN s auto update feature l...

Страница 187: ...Scanner subscription expiration date The license key number is a 35 digit alphanumeric entry the letters must all be in lower case If you enter your license key number incorrectly the message Error Li...

Страница 188: ...et could be the private half of a public key private key pair or it could be a key used along with a symmetric algorithm In both authentication methods each side sends the other an unpredictable value...

Страница 189: ...hapter 1 of this manual for additional sources of information The SANS Institute and the National Infrastructure Protection Center NIPC produces a document summarizing the Twenty Most Critical Interne...

Страница 190: ...en neglected altered abused used for a purpose other than the one for which they were manufactured repaired by Customer or any party without MTS s written authorization or used in any manner inconsist...

Страница 191: ...e ID may be required by the ISP for administration purposes or connection identification Also note the status of your RouteFinder including LED indicators screen messages diagnostic test results probl...

Страница 192: ...Send your RouteFinder to this address MULTI TECH SYSTEMS INC 2205 WOODALE DRIVE MOUNDS VIEW MINNESOTA 55112 ATTN SERVICE OR REPAIRS You should also check with the supplier of your RouteFinder on the...

Страница 193: ...s required products may be shipped freight prepaid to our Mounds View Minnesota factory Recommended international shipment methods are via Federal Express UPS or DHL courier services or by airmail par...

Страница 194: ...10989 Phone 800 826 0279 Fax 914 267 2420 Email info thesupplynet com Internet http www thesupplynet com SupplyNet On line Ordering Instructions 1 Browse to http www thesupplynet com In the Browse by...

Страница 195: ...xamples can be found on the Multi Tech Web site for the RF650VPN as separate Reference Guides A Remote Syslog How To is also provided at the end of this appendix State of the Art Firewall Security The...

Страница 196: ...ed office network from the Internet The RouteFinder s DMZ port permits connecting of Voice over IP gateways like MultiVOIPs and public servers such as email and web to be safely connected Using a DMZ...

Страница 197: ...ies SMTP menu you configure the SMTP proxy including the optional e mail virus scanner The SMTP proxy acts as an email relay it accepts e mail for your internet domains and passes them on to your inte...

Страница 198: ...Appendix A Application Examples and How to Use Remote Syslog Multi Tech RouteFinder RF650VPN User Guide 198 RouteFinder VPN and MultiVOIP Example...

Страница 199: ...yslog server accepts messages from your RouteFinder 5 Restart your syslogd with the r option for example The RouteFinder sends on syslog standard port 514 UDP The syslog facility depends on the proces...

Страница 200: ...14 You should allow only incoming packets from your syslog client s Some logfile examples are provided below Syslog Sample 1 sample syslog ng conf file all syslog messages of karl2 will be written to...

Страница 201: ...l syslog messages of karl2 and the expression kernel will be written to var log karls2_kern options sync 0 time_reopen 10 log_fifo_size 1000 long_hostnames off use_dns no use_fqdn no create_dirs no ke...

Страница 202: ...mped to var log karl2_stuff options sync 0 time_reopen 10 log_fifo_size 1000 long_hostnames off use_dns no use_fqdn no create_dirs no keep_hostname yes source s_sys unix stream dev log internal udp ip...

Страница 203: ...ppendix illustrates and describes the RF650VPN cables Power Cords The RF650VPN IEC 320 Power Cord with US plug is shown below IEC 320 Power Cord with US Plug IEC 320 Power Cord with Euro Plug and the...

Страница 204: ...04 CD ROM Drive Adapter The RF650VPN is shipped with a 44 pin m to 40 pin f adapter that connects the Hard Disk Drive CD ROM Drive cable to a CD ROM Drive for use when performing the Hard Disk Drive R...

Страница 205: ...adapter pin out is shown below P1 is the 44 pin male header P2 is the 40 pin female box header P1 _ P2 P1 P2 1 1 21 21 2 2 22 22 3 3 23 23 4 4 24 24 5 5 25 25 6 6 26 26 7 7 27 27 8 8 28 28 9 9 29 29...

Страница 206: ...ion of network groups for easier handling Services Definition of network services for the firewall configuration Service Groups Definition of service groups for easier handling Users Definition of loc...

Страница 207: ...ge of the HTTP proxy web SMTP Proxy Displays the usage and status of the SMTP proxy e mail SMTP Virus E mails Lets you view delete or forward virus infected e mail Accounting Displays accounting infor...

Страница 208: ...the format shown below With your browser running when you insert the System CD in your computer s CD ROM drive the RouteFinder Install screen displays If you insert the System CD without your browser...

Страница 209: ...anual provides all of the Quick Start Guide information plus features and specifications full installation and operation procedures troubleshooting FAQs error messages and recovery upgrade procedures...

Страница 210: ...Initial SW release for RouteFinder WebAdmin Manual released at Rev A on 9 5 01 Software version 2 00 RouteFinder WebAdmin SW updated for production The tradename tagline changed to Internet Security A...

Страница 211: ...s User Authentication against a RADIUS server an NT SAM User Base users defined in WebAdmin local RouteFinder User Authentication RADIUS User Authentication With this method ASL will forward User Info...

Страница 212: ...e running any other type of Network with a centralized user base In this case you can use RADIUS user authentication however it is up to you to find a suitable RADIUS server for your network type You...

Страница 213: ...ier matches string where string is the proxy identifier currently socks or http Windows Groups matches yourgroup where yourgroup is one of the new user groups you created in step 3 Note you can add gr...

Страница 214: ...this unit not expressly approved by the party responsible for compliance could void the user s authority to operate the equipment Industry Canada This Class A digital apparatus meets all requirements...

Страница 215: ...ses harm to the phone network the phone company will notify you in advance that temporary discontinuance of service may be required But if advance notice isn t practical the phone company will notify...

Страница 216: ...t or equipment malfunctions may give the telecommunications company cause to request the user to disconnect the equipment Users should ensure for their own protection that the electrical ground connec...

Страница 217: ...license agreement is licensed to you under the terms of that license agreement By installing copying downloading accessing or otherwise using the SOFTWARE PRODUCT you agree to be bound by the terms of...

Страница 218: ...t with steps taken to protect its own proprietary information to prevent the unauthorized copying or use by third parties of the software or any of the other materials provided under this Agreement An...

Страница 219: ...the software program s delivered with this Agreement GRANT OF LICENSE MTS grants Customer the right to use one copy of the software on a single product the Licensed System You may not network the sof...

Страница 220: ...government of Afghanistan Cuba Iran Iraq Libya Montenegro North Korea Pakistan Serbia Sudan Syria nor any other country to which the United States has prohibited export I will not download or by any o...

Страница 221: ...ies of the Software may be made to replace worn or deteriorated copies for archival or back up purposes Licensee agrees to implement sufficient security measures to protect Multi Tech Systems Inc s pr...

Страница 222: ...hor s protection and ours we want to make certain that everyone understands that there is no warranty for this free software If the software is modified by someone else and passed on we want its recip...

Страница 223: ...m rights or contest your rights to work written entirely by you rather the intent is to exercise the right to control the distribution of derivative or collective works based on the Program In additio...

Страница 224: ...ld be to refrain entirely from distribution of the Program If any portion of this section is held invalid or unenforceable under any particular circumstance the balance of the section is intended to a...

Страница 225: ...LITY AND FITNESS FOR A PARTICULAR PURPOSE THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU SHOULD THE PROGRAM PROVE DEFECTIVE YOU ASSUME THE COST OF ALL NECESSARY SERVICING...

Страница 226: ...3DES encryption throughput of 15M bps e g 3DES can be configured in WebAdmin from VPN IPSEC Configurations The RouteFinder uses 3DES as an encryption algorithm and not simple DES Data Encryption Stan...

Страница 227: ...eared Style sheets let Web designers more quickly create consistent pages and more consistent web sites Browsers began supporting the first CSS Specification Cascading Style Sheets Level 1 CSS1 in ver...

Страница 228: ...r exchanges between this source and destination computer and the transporting network CefaultRoute A routing table entry which is used to direct packets addressed to networks not explicitly listed in...

Страница 229: ...umbers Additionally there is a name server for every top level domain which lists all the subordinate name servers of that domain Thus the Domain Name System represents a distributed hierarchical data...

Страница 230: ...inger utility was in IETF RFC742 dated December 1977 A popular slogan promoting the phone book s yellow pages was Let your fingers do the walking The utility was christened Finger since the utility wa...

Страница 231: ...example that an IP datagram cannot reach an intended destination cannot connect to the requested service or that the network has dropped a datagram due to old age ICMP also provides information back...

Страница 232: ...ding process of the Linux kernel There are other programs that can also do this such as grub Most distributions versions of Linux use LILO You can set up lilo to require a password to start to load th...

Страница 233: ...ped by Microsoft that is considered more secure than SSL2 Note that some web sites may not support the PCT protocol PING Packet InterNet Groper A program used to test reachability of destinations by s...

Страница 234: ...standardised sentence of commands and answers with whose help a client and a server can communicate Well known protocols and the services they provide are for example HTTP www FTP ftp and NNTP news Pr...

Страница 235: ...tocol a TCP based host information program and protocol The function of this server is to deliver machine readable name address information describing networks gateways hosts and eventually domains wi...

Страница 236: ...ccess information types and required encryption levels firewall hardware and software management processes and procedures non standard access guidelines and a policy for adding new equipment to the ne...

Страница 237: ...Microsoft Windows program PuTTY is recommended as an SSH client Access via SSH is encrypted and therefore impossible for strangers to tap into Stateful Inspection A method of security that requires a...

Страница 238: ...Datagram Protocol A datagram oriented unreliable communications protocol widely used on the Internet It is a layer over the IP protocol UDP is defined in IETF RFC 768 UNC Universal Naming Convention...

Страница 239: ...y configure 113 non transparent mode 112 transparent mode 112 I ICMP on firewall 103 ICMP 102 ICMP Forwarding active inactive 102 ICMP on Firewall active inactive 103 ICMP forwarding 102 Index 157 Int...

Страница 240: ...8 Select Language 40 Selfmonitor edit e mail addresses 154 Selfmonitor 153 Service delete 69 edit 69 Service 68 Service Groups add service 71 define 70 edit 71 remove service 71 Service Groups 70 Sett...

Отзывы:

Нет отзывов