manualshive.com logo in svg

Multitech RouteFinder RF850, Руководство пользователя

Поделиться
Скачать
Multitech RouteFinder RF850 Скачать руководство пользователя страница 145

Chapter 8 – Frequently Asked Questions (FAQs) 

Multi-Tech Systems, Inc. RouteFinder RF850/860 User Guide (PN S000400E) 

145 

 
 

Q15.  I want to use DNAT with multiple original IPs, but my external NIC has just one IP.  

How can I do this? 

A15.

   Make sure that the request reaches the RouteFinder, and then use DNAT to redirect the request to the Web 

servers. There are two ways to do this: 
1.   Bind an alias to the external interface, so that it answers ARP requests for this address and the packets are 

sent to the MAC address of this NIC. You can do this in 

Network Setup > Interface

 (refer to Chapter 3). 

2.   Tell your router to send those packets directly to the RouteFinder's interface by adding a static routing entry 

to the RouteFinder.  

 

Q16.   My FTP clients want to use FXP transfers on my Server. How can I do that?  
A16. 

  For a fully functional FTP server (able to do FXP), the RouteFinder's "stateful inspection" function is not 

enough. Due to security concerns, the RouteFinder will only allow data connections from and to the same client 
IP as the control connection.  
The example below shows how to make a "glftpd" server work behind a RouteFinder, which does both packet 
filtering and DNAT. The general principle applies to all other FTP servers too, so you can use it even if you use 
another server daemon. 

 

Let‘s assume that you have 

glftpd

 set up in your LAN on address 192.168.1.10 with control port 23456. Your 

external, official IP on the RouteFinder is 1.2.3.4. 

 Go 

to 

Networks & Services > Networks

 and define the host entries for FTP server and external RouteFinder 

interface: 

 

FTP_Server 192.168.1.10 255.255.255.255 

ASL_Extern 1.2.3.4      255.255.255.255 

Go to Networks & Services > Services and define entries for the control connection and the passive mode port 
range that the RouteFinder will use.  

FTP_ALTControl TCP 1024:65535 23456 
PASV_Range  TCP 1024:65535 3000:4000 

Note that we selected the ports from 3000-4000 to be our passive connection range in this example. You 
should select a range matching your setup, do not make it too small, and make sure you do not need any ports 
in this range for other services. 
Go to Packet Filters > Packet Filter Rules and add the following rules: 

Any   FTP_ALTControl   FTP_Server    Allow 

This rule allows connections of clients to the FTP server. 

FTP_Server  Any   Any   Allow 

This rule allows the FTP server to make outgoing connections to clients, thus enabling the PORT command. 

Any  PASV_Range  FTP_Server  Allow 

This rule allows connections from clients to the passive port range of the FTP server (needed to make passive 
mode work). 
Add the DNAT rules. Go to Network Setup > DNAT and add the following definitions: 

ASL_extern  FTP_ALTControl   FTP_Server  FTP_ALTControl 
ASL_extern  PASV_Range       FTP_Server  PASV_Range 

The RouteFinder setup is done. However, the FTP server does not know that it is placed behind a DNAT 
firewall, and thus will give out his 192.168.1.10 address when replying to a PASV command. In addition, we 
must tell it only to use the ports in our PASV_Range for passive connections. 
Nearly all FTP servers have configuration options to set the IP and port range used for passive mode. In this 
case with 

glftpd

, these are the options: 

pasv_addr 1.2.3.4 1 
pasv_ports 3000 4000 

See 

glftpd.docs

 for more info on those configuration options, or check the docs of your particular FTP server if 

you use another daemon. 
 

Q17.  Do I need to add routes for my connected networks? 
A17.

   No, you never have to add routes for networks in which your RouteFinder is a member. These so-called 

"Interface Routes" are automatically added by the RouteFinder itself. 

 

Q18.  I have DNAT set up but I cannot connect to the translated services. What is wrong? 
A18.

  You may need to set packet filter rules to allow the traffic. When using DNAT, you must allow the traffic 

according to the characteristics BEFORE the translation.  
For example: 
If you translate 

1.2.3.4:80

 into 

192.168.1.10:80

, you must allow 

Any->1.2.3.4 port 80 TCP 

(http).  

When using SNAT, you must allow the traffic according to the characteristics after the translation. For example: 
If you translate 

SRC 192.168.10.1

 into 

SRC 1.2.10.1

, you must allow 

1.2.10.1 -> any -> any

(Note that these are examples only!) 

Содержание RouteFinder RF850

Страница 1: ...RouteFinder Internet Security Appliance RF850 RF860 User Guide...

Страница 2: ...y statement Added an RJ 45 Ethernet cable to the Ship Kit list Added an FAQ about the Ethernet ports supporting 10 100 Mbps half duplex and full duplex lines E 04 14 08 Changes for software version 3...

Страница 3: ...teFinder 16 Establish TCP IP Communication 16 Set a Fixed IP Address 16 Obtain a Dynamic IP Address 16 Open a Web Browser 18 Login 18 Web Management Software Opens 19 Navigating Through the Software S...

Страница 4: ...works Services Service Groups 65 Proxy 66 General Information About Proxies 66 Proxy HTTP Proxy 67 Proxy HTTP Proxy Custom Filters 71 Proxy SMTP Proxy 72 Proxy SMTP Proxy SMTP SPAM Filtering 75 Proxy...

Страница 5: ...135 Statistics Logs View Logs 135 Statistics Logs HTTP Access 136 Statistics Logs DHCP 137 Statistics Logs SMTP Virus Quarantines 137 Statistics Logs POP3 Virus Quarantines 137 Statistics Logs SMTP SP...

Страница 6: ...ix G Multi Tech Systems Inc Warranty Repairs and Replacement Policies 167 Appendix H Regulatory Compliance 169 Appendix I License Agreements 171 GNU GENERAL PUBLIC LICENSE 173 URL Content Filtering En...

Страница 7: ...r the Multi Tech Systems Inc Web site RouteFinder Features See the RouteFinder Data Sheet for detailed descriptions of the following features Supports IPSec and PPTP VPN tunneling Utilizes Triple Data...

Страница 8: ...only No 26 AWG or larger telecommunications line cord Never install telephone jacks in a wet location unless the jack is specifically designed for wet locations Safety Recommendations for Rack Install...

Страница 9: ...mation from the RouteFinder s Web Management software at Administration License Key This screen shows the entered License Key number and indicates whether it is a valid License Key number The License...

Страница 10: ...distance call to the corporate remote access server Branch Office VPN The LAN to LAN VPN application sends network traffic over the branch office Internet connection instead of relying on dedicated l...

Страница 11: ...es Intrusion Port Scan Detection Yes Yes H 323 Pass Through Yes Yes VPN Features Remote User Client to LAN Yes Yes Branch Office LAN to LAN Yes Yes 3DES AES Encryption Yes Yes Encryption Throughput 5M...

Страница 12: ...12Vdc 3 5A 42 Watts 12Vdc 3 5A Physical Description Dimensions 12 w 1 75 h 8 d 30 4cm 4 45cm 20 3cm Weight 4 4 lbs 2 0 kg Dimensions 12 w 1 75 h 8 d 30 4cm 4 45cm 20 3cm Weight 4 6 lbs 2 1 kg Operatin...

Страница 13: ...begin the installation process you should plan your network and decide which computer is to have access to which services This simplifies configuration and saves you a lot of time that you would other...

Страница 14: ...s receiving or transmitting data LAN Blinks when it is receiving or transmitting data 100MB WAN1 WAN2 DMZ Lights when a successful 100Base T Internet connection is established LAN Lights when a succes...

Страница 15: ...wser This may take two or three minutes Optional Connections 1 Using an RJ 45 Ethernet cable connect the WAN2 DMZ jack to a network or DMZ device For example a Voice over IP gateway 2 Using a DB 9 cab...

Страница 16: ...ddress To set a Fixed IP Address check Specify an IP address instead of Obtain an IP address automatically Then click OK 1 Enter the workstation IP address as 192 168 2 x Note that the x in the addres...

Страница 17: ...s dialog box displays Select Internet Protocol TCP IP Click the Properties button 5 Once you click the Properties button the following screen displays To have your DHCP client obtain a dynamic IP addr...

Страница 18: ...tional on screen prompts Login The Login screen displays after you type the default Gateway address Type the default User name admin all lower case Tab to the Password field and type the default passw...

Страница 19: ...g the software you may find the following information about navigating the screens and the structuring of the menus helpful Navigating Through the Software Screens Menu Bar Sub Menu Other Options Scre...

Страница 20: ...Local Users Radius SAM Version Information Restart Shutdown Networks Services Network Groups Service Groups HTTP Proxy Custom Filters SMTP Proxy SMTP SPAM Filtering POP3 Proxy POP3 SPAM Filtering Adv...

Страница 21: ...tial Configuration Step Set Up Your Time Zone Click Administration on the Menu Bar The System Setup screen displays Set the following Set System Time by selecting your Time Zone Set the current Day Mo...

Страница 22: ...orkstation s and the Internet as shown in the example below Important Note An initial configuration must be completed for each type of RouteFinder functions firewall configuration LAN to LAN configura...

Страница 23: ...t Example 204 26 122 1 6 Place a checkmark in the Packet Filter Rule LAN ANY ANY ACCEPT box to enable the rule 7 Change Password Settings as appropriate for your network It is highly recommended that...

Страница 24: ...d one in the remote branch office and requires additional parameters beyond the Wizard Setup to be entered Side A Side B RouteFinder Setup Side A Networks Services Networks Setup 1 Log in to your Rout...

Страница 25: ...orks and select the network to be allowed 4 In this example select Remote WAN 5 If you are not restricting the type of Service select Any 6 If you are not restricting any Network Click on To Host Netw...

Страница 26: ...Example Test Tunnel 2 Secret Enter a Secret password which has to match on both ends of the tunnel For this example enter test 3 Select Encryption Select 3DES 4 Local WAN IP Select WAN 5 Local LAN Sel...

Страница 27: ...a new network name for the Remote LAN by entering a Name IP Address and Subnet Mask For this example enter the following Name Remote LAN IP Address 192 168 2 0 Subnet Mask 255 255 255 0 4 Click Add t...

Страница 28: ...Networks and select the network to be allowed In this example select Remote LAN 4 If you are not restricting the type of service select Any 5 If you are not restricting what network Click on To Host...

Страница 29: ...Example Test Tunnel 2 Secret Enter the Secret password which has to match on both ends of the tunnel For this example enter test 3 Select Encryption Select 3DES 4 Local WAN IP Select WAN 5 Local LAN...

Страница 30: ...the fields for entering the network information 3 Create a new network name for the RF850 LAN by entering the Name IP Address and Subnet Mask For this example enter the following Name RF850 LAN IP Ad...

Страница 31: ...network to be allowed In this example select RF850 LAN 4 If you are not restricting the type of service select Any 5 If you are not restricting what network Click on To Host Network select Any Notes...

Страница 32: ...test 3 Select Encryption Select 3DES 4 Local WAN IP Select WAN 5 Local LAN Select LAN 6 Remote Gateway IP Select RF850 WAN 7 Remote LAN Select RF850 LAN 8 UID Click the Enable button must be enabled...

Страница 33: ...r network information 3 Create a new network name for the RF850 WAN by entering the Name IP Address and Subnet Mask For this example enter the following Name RF850 WAN IP Address 65 126 90 250 Subnet...

Страница 34: ...network to be allowed In this example select RF850 WAN 4 If you are not restricting the type of service select Any 5 If you are not restricting what network Click on To Host Network select Any Notes I...

Страница 35: ...test 3 Select Encryption Select 3DES 4 Local WAN IP Select WAN 5 Local LAN Select LAN 6 Remote Gateway IP Select RF850 WAN 7 Remote LAN Select RF850 LAN 8 UID Click the Enable button must be enabled...

Страница 36: ...terface screen Set default gateway at 204 26 122 1 Enter a host name example RF860 Site A com Enter Network Cards Cards 1 3 are defaulted Card 1 LAN eth0 192 168 2 1 255 255 255 0 Card 2 WAN eth1 204...

Страница 37: ...860 Site A com Enter Network Cards Cards 1 3 are defaulted Card 1 LAN eth0 192 168 2 1 255 255 255 0 Card 2 WAN eth1 204 26 122 103 255 255 255 0 Card 3 DMZ eth2 192 168 3 1 3 Packet Filters Packet Fi...

Страница 38: ...e unaware that their Internet requests are being transferred through an HTTP proxy Setting Up HTTP Proxy and URL Filtering 1 Click Proxy from the Menu bar The HTTP Proxy screen displays Notes About th...

Страница 39: ...ber is located on the bottom of the RouteFinder chassis and on the front of the Quick Start Guide 3 Changing Status for the LAN On the HTTP Proxy HTTP screen see previous page check the Add button acr...

Страница 40: ...the filter through one of the categories you had chosen or a category preset by the URL software For instance if you selected the Finance and Investment category to be filtered try to access www etrad...

Страница 41: ...a lot of time that you would otherwise need for corrections and adjustments Menu Bar The Menu bar provides the organization of this chapter Menu Bar Logout Important Note About Logout Logout Closes t...

Страница 42: ...teFinder general system based parameters A Note About This Screen When Logging Status is not checked the section of the screen Configure Logging does not display Email Notification Email Address Enter...

Страница 43: ...WANLinks Status The mail settings are saved in the server configuration The first email ID in the list should be the Administrator s ID so that when the first ID is added or deleted the session is te...

Страница 44: ...future retain their validity for the Accounting function The accounting files are continued when the setback time is reached again Therefore it is recommended that the time should only be set once dur...

Страница 45: ...you are still able to access Administration Administrative Access from your active IP address after the deleting procedure If this is no longer possible the process is not carried out This check is ca...

Страница 46: ...ssage if you try to delete access to a network that would cause you to lock yourself out Any has been set as the default for ease of installation ANY allows administrative access from everywhere once...

Страница 47: ...erminated The browser settings have to be changed for the new port number before starting the next session By default port 443 is configured for HTTPS sessions The value of the port number should lie...

Страница 48: ...same address that you will use to open the Administration Access interface It can be one of the RouteFinder IP addresses Example If you access Administration Access with https 192 168 10 1 the Host Ad...

Страница 49: ...t The license key number is a 20 digit alphanumeric entry the letters must all be in upper case If you enter your license key number incorrectly the message Error License is invalid is displayed Check...

Страница 50: ...s DNS attacks bad packets overflows chat accesses Web attacks will be detected and then the administrator is informed Apart from the above the other user defined rules for intrusion detection can be c...

Страница 51: ...assigned addresses or private addresses These Networks or groups must be predefined in the Networks menu Destination IP Address This selection allows you to choose the network to which the informatio...

Страница 52: ...valid names PING Ping is an acronym for Packet Internet Groper The PING utility is used as a diagnostic tool to determine if a communication path exists between two devices on the network The utility...

Страница 53: ...d Should the data packets path momentarily not be traceable stars appear to indicate a time out After a fixed number of time outs the attempt is aborted This can have various reasons e g a packet filt...

Страница 54: ...onnection by clicking the Start button A Sample TCP Connect Log DDNS Force Update To update the IP Address of the domain names in the DDNS server for WANInterfaces click the Update button Important No...

Страница 55: ...select a new amount of time 3 Each Event offers the following time choices minutely every minute twomins every two minutes threemins every three minutes fivemins every five minutes sevenmins every se...

Страница 56: ...he authentication person based i e user based and not IP based thus making a person based Accounting in the HTTP proxy access protocol possible Prerequisite Before you can use Local Authentication you...

Страница 57: ...become possible Note In order to use any of these authentication methods you must activate user authentication and the type of authentication for the services Mark the option Local SAM RADIUS in the...

Страница 58: ...ckup domain controller enter the PDC name again BDC IP Enter the IP address of the backup domain controller into this field If you do not have a backup domain controller enter the PDC IP address again...

Страница 59: ...to the RouteFinder and issue these commands login as root use password admin the default password Then type the following etc multicong scripts bkupmain importbkp default Press Enter Administration S...

Страница 60: ...if it is not used for any route or by any other module If a network is being used by a routing section that network cannot be edited Similarly if a host address is edited and changed to a network add...

Страница 61: ...es can be made in the dot notation style e g 255 255 255 0 for a class C network Networks Services Networks Entries on the Network Services Networks Screen Display on Other Screens Networks added on t...

Страница 62: ...resent in the service or service group list Using a space in the name is not allowed After you have entered the name click the Add button Protocol Select from the following protocols TCP UDP TCP UDP I...

Страница 63: ...e saved using the Save button Notes About Protocols 1 TCP UDP allow both protocols to be active at the same time 2 The ICMP protocol is necessary to test network connections and RouteFinder functional...

Страница 64: ...ction displays When the View Edit button is clicked the Edit Support section of the screen displays Add Network Group Enter a unique name for the Network Group This name is used later if you want to p...

Страница 65: ...ce Group This name is required for later operations such as creating a higher level service group or to set packet filter rules Click Add All names will be added to Select Group drop down list box fro...

Страница 66: ...y Using Microsoft Internet Explorer 1 Open the menu Extras Internet options 2 Choose the register card Connections 3 Open the menu LAN Settings Extended 4 Under Exceptions enter the IP address of your...

Страница 67: ...Save button can be seen More parts of the HTTP Proxy screen display after clicking Status and Save Also the URL Categorization section and the Authentication section display After clicking and saving...

Страница 68: ...as shown below Network Setup Load Balancing will display one of two screens to display depending on whether it is enabled or disabled See the two screens below On these screens you can change the stat...

Страница 69: ...gorization by checking the URL Filter box Click the URL Categories allowed filtered Edit button The URL Categories screen displays as shown here URL Categories allowed filtered On this screen you can...

Страница 70: ...e User Authentication by checking the User Authentication box and clicking Save Authentication Types 1 Select the desired Authentication Type Local RADIUS SAM 2 Click the Save button Available Users 1...

Страница 71: ...les Access Rules enable you to define custom rules Because of these custom rules networks or network groups can be allowed or denied access to certain URLs URLs can be added or deleted from this list...

Страница 72: ...n system This can be accomplished via a Microsoft Exchange Server for example Emails are transparently scanned for known viruses and other harmful content The SMTP proxy also acts as a gateway for out...

Страница 73: ...ed so that email to any domain is forwarded to the default gateway Example 192 168 1 10 Domain and Host The fully qualified Domain Name and Host of the SMTP Proxy must be entered here Queue Cleanup Cl...

Страница 74: ...to the above listed domains Confirm every selected network by clicking the Add button Note If you assign Any then everybody connected to the Internet can use your SMTP proxy for SPAM purposes SMTP Rou...

Страница 75: ...User Guide PN S000400E 75 Proxy SMTP Proxy SMTP SPAM Filtering Proxy SMTP Proxy SMTP SPAM Filtering On this screen the SPAM filtering parameters can be set so that all incoming and outgoing emails se...

Страница 76: ...ore the domain name testuser routefinder yourdomain com If you want to block all email from the domain routefinder yourdomain com then add it as routefinder yourdomain com If you want to block all ema...

Страница 77: ...so double extensions such as tar gz cannot be used If you want to search for the expression as is in the email then add it just as it is If you want to use the entry as a regular expression then enclo...

Страница 78: ...to Bypass POP3 Virus Spam Filtering KBytes Select the mail size that will bypass filtering Note The next two fields display only if you have purchased the Virus Protection package POP3 Virus Protecti...

Страница 79: ...ection Check the box to enable POP3 SPAM Protection Subject of SPAM Mails Enter a word that you would like to add to the subject line of any email identified by the virus scanner as SPAM The word SPAM...

Страница 80: ...ed Networks If the user tries to retrieve email from the network entered in the list then that connection of retrieving emails is rejected Check for NULL Sender If this option is enabled email with an...

Страница 81: ...al proxy supported by many client applications SOCKS5 is an IETF Internet Engineering Task Force approved standard proxy protocol for TCP IP based networking applications The basic purpose of the prot...

Страница 82: ...Sam If you choose the Local method you can choose whether or not local users may use the SOCKS proxy If you disable User Authentication then client applications must be configured with empty user name...

Страница 83: ...ion from the drop down list box and then click the Add button Your choice will display in the box under the selection list It you want to change or delete an interface highlight the name and click the...

Страница 84: ...P Address Resolution Protocol resolutions ARP clash Some operating systems e g Microsoft Windows cannot cope with this That is why one network interface should be used per physical segment About the I...

Страница 85: ...er 6 RouteFinder Software Multi Tech Systems Inc RouteFinder RF850 860 User Guide PN S000400E 85 Network Setup Interface Network Setup Interface Network Setup Interfaces Screen with Load Balancing Dis...

Страница 86: ...TP clients are to be assigned a WINS server address enter the address here Network Cards Interface Name Each column allows you to identify the interfaces for the LAN WAN and DMZ networks these are ava...

Страница 87: ...this section you can configure the Speed and Duplexity of the NICs By default the RouteFinder automatically detects the Speed and Duplexity of the NICs If you want to change these values click on the...

Страница 88: ...OM2 Initialization String Enter the set of commands you want sent to the modem at startup The initialization string sets speed error correction compression various timeout values and how to display re...

Страница 89: ...e 1 Type AT T19 0 nn where nn is the country region code in hexadecimal notation Click Enter OK displays 2 Then save the changes by issuing the following command AT F W Click Enter 3 To verify that th...

Страница 90: ...rtant If DHCP client is enabled the PPPoE cannot be used The internet connection can be either PPPoE or DHCP client at any given time PPPoE when Load Balancing is Disabled PPPoE when Load Balancing is...

Страница 91: ...CP client cannot be enabled The interface to the internet can be either through PPPoE or DHCP client at any time If DHCP client is enabled and if the IP address has been assigned then the following va...

Страница 92: ...mail ID you have specified while registering with the Dynamic DNS server Password Enter the password you had specified while registering with the Dynamic DNS server Dynamic DNS Server Enter the server...

Страница 93: ...ond router is to be responsible for this network Add Routes Interface Route Select an already defined network and a network card The entries are confirmed by clicking the Add button Also existing entr...

Страница 94: ...lect one of the networks already defined in the Networks menu Select a network from each box from and to networks The options are Any LAN WANInterface WAN DMZ Interface and DMZ when Load Balancing is...

Страница 95: ...ket Filter Rules with the original source address Packet filter rules are covered later in this chapter Note To create simple connections from private networks to the Internet you should use the Netwo...

Страница 96: ...g Service e g FTP FTP CONTROL to be redirected Post DNAT Destination Select a network host to which the IP packets are to be diverted Only one host can be defined as the Post DNAT destination Importan...

Страница 97: ...Load Balancing the following message displays Enabling Load Balancing will delete the spooling rules between WAN and DMZ Load Balancing Over Multiple Links Enable Load Balancing Check the box and clic...

Страница 98: ...dary DNS server to be used by the local peer through the specific interface Then click the Save button This field can be left blank Note A secondary DNS Address cannot be configured without a primary...

Страница 99: ...irtual IP Address on the LAN that forms the Cluster IP and a Configuration Synchronization module The configuration of High Availability is highly critical to its functionality and a slight misconfigu...

Страница 100: ...is text box enter the IP address to be used for accessing various RouteFinder services on the LAN Important Notes This IP must belong to the LAN network and should not belong to any host on the networ...

Страница 101: ...would like to disable it uncheck the DHCP Server on LAN checkbox If you change the check mark click the Save button to activate the change Add Click the Add Subnet button which will open the table for...

Страница 102: ...interface to the DMZ is entered in the Accounting while one particular computer in the DMZ is not to be accounted If this one computer is only to be used for internal purposes it does not make sense t...

Страница 103: ...you use the Update Service your RouteFinder can be continually updated with new virus protection patterns system patches security features and new features Update resolves dependencies between modules...

Страница 104: ...lay Time Interval for Automatic Update of Virus Patterns Your RouteFinder can be continually updated with new virus patterns with optional email virus scan subscription system patches and security fea...

Страница 105: ...as to use as evidence if and when you discover a successful attack letting you compare the before and after states of the RouteFinder You may want to store all alerts and notifications Passwords are s...

Страница 106: ...for this file to verify that this is the file you want Once you are sure of the file you want click the Import button Download Backup Click the Download button to backup files saved in the firewall to...

Страница 107: ...name of TEST the repository name should always be in capital letters 2 Let the path to the repository be usr local cvs 3 Create a repository in the server using the command cvs d usr local TEST init...

Страница 108: ...ned is carried out You can Accept Drop Reject Log the packets When packets are rejected an entry in the appropriate log file occurs All rules are entered according to the principle From Client Service...

Страница 109: ...ters e g ports Example SMTP ANY To Select the network to which the data packets are sent for the rule to match Network groups can also be selected These network clients or groups must be pre defined i...

Страница 110: ...ICMP Forwarding Check the ICMP Forward checkbox to enable the forwarding of ICMP packets through the RouteFinder into the local network and all connected DMZs In this way you select whether an ICMP p...

Страница 111: ...packet passthrough PPTP NAT support Click Save This includes two features 1 Server behind the firewall and client on the Internet DNAT of PPTP packets 2 Clients behind the firewall and server on the I...

Страница 112: ...make a change Drop Fragmented Packets Dropped Fragmented Packets Enables disables dropping of IP fragmented packets Log Dropped Fragmented Packets Check the Log Dropped Fragmented Packets checkbox to...

Страница 113: ...utbound access requests from private LAN and service DMZ network clients that use a service on a public WAN network server host All Access Requests Traversing Firewall Violating Security Policy Check...

Страница 114: ...the basis of priority When a packet enters an interface depending on the bandwidth available the packets are either dropped or sent In other words it is based on best effort mechanism IP does not pro...

Страница 115: ...or which the classification rule is set Class Select the priority to be given to the rule Interface Select the interface through which the packet goes Add Button Click the Add button to add this rule...

Страница 116: ...tion according to an open standard IPSec The IPSec protocol suite based on cryptographic technologies provides security services at the IP network layer It secures network traffic providing guaranteed...

Страница 117: ...the compression checkbox to enable IPCOMP the compression algorithm Perfect Forward Secrecy PFS Check the PFS checkbox to enable PFS a concept in which the newly generated keys are unrelated to the ol...

Страница 118: ...e tunnel again comes up on the other link i e WAN 2 Failover is possible only when the remote gateway is an FQDN Fully Qualified Domain Name Local LAN Local security gateway for which the security ser...

Страница 119: ...ion 1 ESP using 3DES for encryption and MD5 for authentication 2 ESP using 3DES for encryption and SHA1 for authentication 3 ESP using 3DES for encryption and AH MD5 for authentication 4 ESP using 3DE...

Страница 120: ...face to initiate the IPSec tunnel Left Security Gateway Options are LAN WAN and DMZ Local LAN This is the local security gateway for which the security services are to be provided If the RouteFinder a...

Страница 121: ...elf signed Certificate of Authority CA by entering the information necessary to identify your Certificate Import a selected Certificate of Authority Add a predefined Certificate of Authority Certifica...

Страница 122: ...n enabling IPSec Bridging you will be given options to select the pairs of tunnels for which bridging is to be setup See example above Bridge Endpoint Setup Configure a tunnel and two networks by sele...

Страница 123: ...ne banking is not working after implementing the RouteFinder you can see if any packets were filtered out and which rule was responsible for filtering them PPTP Settings PPTP Status Check the Status c...

Страница 124: ...n Type Select the type of authentication to be used Options are Local or RADIUS Click the Save button User Name and Password Enter the name in lowercase and password in lowercase of the PPTP user Clic...

Страница 125: ...tion System Setup in the Web Management software which allows several entries the screen allows only one ID Host Name Enter the Host Name of your firewall Example format FIREWALL mydomain com LAN Sett...

Страница 126: ...Modem Settings Use this checkbox to enable disable the modem PPP dial backup feature If enabled enter the User Name Password Serial Port Baud Rate Dial Number and Initialization Strings for the backu...

Страница 127: ...tine displays virus quarantined email SMTP Spam Quarantine using a Message Expression filter and an Attachment filter SPAM emails will not be relayed and will be quarantined in the SPAM area They can...

Страница 128: ...SWAP Statistics Shows the actual usage of the swap space on the system When using the HTTP proxy is in use frequent activity of the swap file is normal displays as a graph The log files are updated e...

Страница 129: ...you find here for example 192 168 2 43 443 you know that there is an active HTTPS session Foreign Address The destination IP address and port for example 192 168 2 40 1034 State Status of the connect...

Страница 130: ...LISTENING The socket is listening for a connection request Such sockets are only included in the output if you specify listening I or all a option CONNECTING The socket is about to establish a connect...

Страница 131: ...affic This example shows the daily graph for LAN traffic Statistics Logs SMTP Proxy The SMTP Proxy screen displays the RouteFinder s SMTP proxy email usage and status in two windows called SMTP Logs a...

Страница 132: ...on for all the IPSec tunnels that are currently enabled Statistics Logs Self Monitor The Self Monitoring function ensures the integrity of the RouteFinder system and informs the administrator of impor...

Страница 133: ...ts of a successful attack You will probably want to keep log information in a location separate from the RouteFinder to keep an intruder from destroying the log data upon compromising the RouteFinder...

Страница 134: ...ith Action as LOG the packets matching the corresponding source address and service will be logged Show Logs Select the packets to be displayed by checking the box next to the packet category Check Au...

Страница 135: ...ion Live Log button to display the User Defined Intrusion Detection rules entered on the Administration Intrusion Detection screen Portscan Live Log Click the Portscan Live Log button to display detec...

Страница 136: ...nding button Generate HTTP Reject Reports 1 Click the Generate button to generate the current day s HTTP Reject report 2 Select a file from the remote client server by browsing to the file name and th...

Страница 137: ...e emails will be saved in the virus quarantine area These emails can be viewed by the administrator who can then take action as to whether or not to delete or forward the emails to the email ID Statis...

Страница 138: ...N DMZ and LAN when Load Balancing is disabled When Load Balancing is enabled Bandwidth Utilization displays for WANLINK1 WANLINK2 and LAN The graphs display daily weekly monthly and yearly bandwidth u...

Страница 139: ...US servers are available for almost every operating system The RouteFinder s implementation of the RADIUS method allows you to configure access rights on both a per proxy and a per user basis NT SAM S...

Страница 140: ...entifier field based on these values your RADIUS server should just decide to grant or deny access Setting Up a Microsoft IAS RADIUS Server This section explains how to set up a Microsoft IAS Internet...

Страница 141: ...ication requests Setting Up NT 2000 SAM SMB Authentication To setup Windows NT 2000 SAM Authentication you will need an NT 2000 machine on your network that holds the user accounts This can be a domai...

Страница 142: ...uteFinder A4 Yes in addition to providing shared Internet access the RouteFinder can support a Web FTP or other Internet servers Once configured the RouteFinder only accepts unsolicited IP packets add...

Страница 143: ...eth0 0 though you should avoid characters like or _ ifconfig seems to get lost if you use these 2 Tell the RouteFinder to send those IP packets directly to the external interface by adding a static ro...

Страница 144: ...areas Cuba Iran Iraq Libya North Korea Serbia except Kosovo Sudan and Syria For the latest information on United States cryptography export and import laws contact the Bureau of Export Administration...

Страница 145: ...atching your setup do not make it too small and make sure you do not need any ports in this range for other services Go to Packet Filters Packet Filter Rules and add the following rules Any FTP_ALTCon...

Страница 146: ...forward packets Single homed firewalls have one network interface card You would use a single homed firewall with a choke router that filters packets not originating from the SOCKS server Q22 Is there...

Страница 147: ...ems A particular router sustaining a high loss percentage rate is a reasonable indicator that there s a problem with that specific router Type PATHPING at the command prompt to view the syntax for Pat...

Страница 148: ...filter rules system generated filter rules and filter violations The Filter LiveLog supervises the packet filter and NAT rules The Packet Filter log shows the packets that have not successfully passed...

Страница 149: ...the first packet of a session Subsequent packets are not logged Inbound Access Request Each access request from the external network to the box for any services hosted by the box or hosted by an inte...

Страница 150: ...to LO1 G of Baseline module version 4 0 ICSA Labs Figure 12 shows a snapshot of Startup History User Defined Log User defined logging is classified as User logs Administrators can log packets using th...

Страница 151: ...ce name 12 OUT Outgoing network interface name 13 MAC Destination MAC address 14 SRC Source IP addresses 15 DST Destination IP address 16 LEN Header Length in bytes 17 TOS Type of service 18 TTL Time...

Страница 152: ...stination address listed in the SYSLOG is the DNATTED ip address In this case it is 192 168 1 76 Slno 2 corresponds to a PASV Data connection Src 204 26 122 9 destined to 202 54 39 103 which in turn i...

Страница 153: ...a capture of FTP service Slno 2 in the above snapshot corresponds to the control connection Remarks in the second half of the snapshot is a continuation of the capture Remarks Outbound Src 192 168 1...

Страница 154: ...21 o Outbound Outbound Log o SRC 192 168 1 212 DST 195 220 108 108 SPORT 32823 DPORT 21 This corresponds to the CONTROL connection information for this data connection IV Access Requests through Firew...

Страница 155: ...Admin Port Access Log Figure 11 Snapshot of Admin Port Access Log VIII Startup History Log Figure 12 Snapshot of Startup History IX User Log Figure 13 Snapshot of User Log X Fragmented Dropped Log Fig...

Страница 156: ...ateway were configured properly Before You Start 1 Configuration Backup Backup your current RouteFinder configuration file and note the software version you are currently running 2 Record License Key...

Страница 157: ...file name is the same as Step 2 case sensitive See the ISO Notes at the beginning of this chapter Do you want an unattended install y n y Do you want to modify the current interface configuration y n...

Страница 158: ...ional Enter the protocol to be used ftp http tftp ftp For FTP enter the URL IP address or domain name ftp 192 168 2 2 Enter the ISO path and filename RouteFinder3xx iso Make sure the file name is the...

Страница 159: ...outeFinder will boot into the regular software 3 If ALT TAB works you will see a prompt At the prompt type in RFNetInstall case sensitive 4 Rescue Kernel terminates after the install process You can a...

Страница 160: ...N 48 N N N 49 62 N N N 63 N N N 64 N N N 65 78 N N N 79 N N N 80 N N N 81 94 N N N 95 N N N 96 N N N 97 110 N N N 111 N N N 112 N N N 113 126 N N N 127 N N N 128 N N N 129 142 N N N 143 N N N 144 N N...

Страница 161: ...N N 95 N N N 96 N N N 97 98 N N N 99 N N N 100 N N N 101 102 N N N 103 N N N 104 N N N 105 106 N N N 107 N N N 108 N N N 109 110 N N N 111 N N N 112 N N N 113 114 N N N 115 N N N 116 N N N 117 118 N N...

Страница 162: ...be upgraded to a total of 2GB The RF860 is shipped with 1GB and can be upgraded to a total of 2GB 1 Remove the RouteFinder top cover using the procedure earlier in this chapter 2 Pull back on the bei...

Страница 163: ...1 Year Content Filter Upgrade Email Anti Virus Code The RouteFinder is shipped with Email Anti Virus code within the core software Order model RFAVUPG to obtain the software key that enables this Ema...

Страница 164: ...vides excellent data protection but it s fairly slow A convenient method is to use a temporary key AKA a session key for most transactions and then destroy the session key when the transaction is comp...

Страница 165: ...uld close the most dangerous holes first It is segmented into three categories General Vulnerabilities Windows Vulnerabilities and Unix Vulnerabilities The SANS FBI Top Twenty list is valuable because...

Страница 166: ...ottage NY 10989 Phone 800 826 0279 Fax 914 267 2420 Email info thesupplynet com Internet http www thesupplynet com SupplyNet Online Ordering Instructions 1 Browse to http www thesupplynet com In the B...

Страница 167: ...ar overnight replacement service agreements are available for selected products Please call MTS customer service at 888 288 5470 or visit our web site at PARTNERS Programs overnight_replacement for de...

Страница 168: ...your questions regarding technical matters product configuration verification that the product is defective etc to our International Technical Support department at 763 717 5863 When calling the U S...

Страница 169: ...ny 2 As indicated below the suitable jack Universal Service Order Code connecting arrangement for this equipment is shown If applicable the facility interface codes FIC and service order codes SOC are...

Страница 170: ...requirements The Department does not guarantee the equipment will operate to the user s satisfaction Before installing this equipment users should ensure that it is permissible to be connected to the...

Страница 171: ...n any form to any person other than Customer and his employees and or agents without prior written consent from MTS Customer acknowledges that the techniques algorithms and processes contained in the...

Страница 172: ...agrees not to provide or otherwise make available any portion of this software in any form to any third party without the prior express written approval of Multi Tech Systems Inc Licensee is hereby i...

Страница 173: ...icensee is addressed as you Activities other than copying distribution and modification are not covered by this License they are outside its scope The act of running the Program is not restricted and...

Страница 174: ...e only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program If any portion of this section is held invalid or unenforceable under any particular...

Страница 175: ...he Product on all copies you make No title to the Product or any part or copy is transferred to you B YOU MAY 1 use and display that part of the Product provided on a hardware box on a single stand al...

Страница 176: ...DAMAGES OR THEY ARE FORESEEABLE OR FOR CLAIMS BY A THIRD PARTY OUR MAXIMUM AGGREGATE LIABILITY AND THAT OF OUR SUPPLIERS AGENTS OFFICERS AND DIRECTORS TO YOU SHALL NOT EXCEED THE AMOUNT PAID BY YOU F...

Страница 177: ...intend to make such information available for any reason including without limitation costs you shall be permitted to take such steps to achieve interoperability provided that you may only reverse en...

Страница 178: ...supply or purported supply of failure to supply or delay in supplying the Software or the Documentation which might but for this paragraph v have effect between the Kaspersky Lab and your or would ot...

Страница 179: ...the costs of recovery from municipal collection points reuse and recycling of specified percentages per the WEEE requirements Instructions for Disposal of WEEE by Users in the European Union The symbo...

Страница 180: ...lection is 3 des md5 96 AES Advanced Encryption Standard The U S government standard for data encryption Rijndael was chosen as the U S government encryption standard to protect sensitive data and to...

Страница 181: ...and decrypt messages between parties and 3 provide a digital signature from the trusted organization that issued the certificate as well as when the certificate expires Certificate Authority The issue...

Страница 182: ...5535 In theory no service should be assigned to these ports DHCP Dynamic Host Configuration Protocol An IETF standard for dynamically allocating and managing a pool of IP addresses allowing a smaller...

Страница 183: ...main difference between the ESP authentication method and the AH authentication method is that ESP does not protect any IP header fields unless those fields are encapsulated by ESP tunnel mode ESP is...

Страница 184: ...uters on a network Individual users communicate by using application programs such as electronic mail Telnet and FTP HTTPS aka S HTTP Secure HyperText Transfer Protocol a secure way of transferring in...

Страница 185: ...uthentication and storage of keys Key Pair Full key information in a public key cryptosystem consists of the public key and private key L2TP Layer Two Tunneling Protocol A security protocol that facil...

Страница 186: ...protocol PING Packet InterNet Groper A program to test reachability of destinations by sending an ICMP echo request and waiting for a reply The term is also used as a verb Ping host X to see if it is...

Страница 187: ...ol process the received information at the application level and then transfer them Proxy ARP The technique in which one machine usually a router answers ARP requests intended for another machine By f...

Страница 188: ...e defined in IETF RFC 1812 RSA A public key encryption and digital signature algorithm It was invented by Ron Rivest Adi Shamir and Leonard Adleman The RSA algorithm was patented by RSA Security but t...

Страница 189: ...ctions from private networks to the Internet you should use the Masquerading function instead of SNAT The use of private IP addresses in combination with Network Address Translation NAT in the form of...

Страница 190: ...sites may not support the TLS protocol Trace Route A program available on many systems that traces the path a packet takes to a destination It is mostly used to debug routing problems between hosts A...

Страница 191: ...6 Broadcast on whole Internet 109 Bypass URL Filtering 70 C Cabling 15 CD ROM Adding 162 Certificate of Authority Generation 121 Change Status for LAN 39 Change the country region code 89 Change the r...

Страница 192: ...y Caution 8 Load Balancing 97 Local Authentication 56 Local RouteFinder User Authentication 139 Local Users 56 Login 18 Logo on logon page 47 Logout 41 M MAC address based filtering 112 Main 19 Mainte...

Страница 193: ...r Using SMTP Proxy 72 S Safe password 18 Safety 8 SAM 58 SAM Prerequisite 58 Save Settings 41 Select encryption method 117 Self Monitor 132 Serivces 62 Service Groups 65 Services entered display on ot...

Страница 194: ...iversal Resource Locator URL 38 Update Service 103 Updating 165 Uptime Logs 128 URL categories 69 URL Categories Allowed Filtered 40 URL Categorization Key 49 URL Categorization License Key 9 URL Lice...

Отзывы:

Нет отзывов

Бренды по названию

Популярные бренды

Загрузить еще бренды