Reference Manual LANCOM LCOS 3.
© 2004 LANCOM Systems GmbH, Wuerselen (Germany) While the information in this manual has been compiled with great care, it may not be deemed an assurance of product characteristics. LANCOM shall be liable only to the degree specified in the terms of sale and delivery. The reproduction and distribution of the documentation and software supplied with this product and the use of its contents is subject to written authorization from LANCOM.
LANCOM Reference Manual LCOS 3.50

Chapter 1: Preface

User’s manual and reference manual

The documentation of your device consists of two parts: the user’s manual and the reference manual. The hardware of the LANCOM devices is documented in the respective user’s manuals.

Our online services (www.lancom.de, info@lancom.de) are available to you around the clock should you have any queries regarding the topics discussed in this manual or require any further support. In addition, support from LANCOM Systems is also available to you. Telephone numbers and contact information for LANCOM Systems support can be found on a separate insert, or at the LANCOM Systems website.

Note symbols: Very important instructions.
Chapter 2: System design

The LANCOM operating system LCOS is a collection of different software modules, and the LANCOM devices themselves have different interfaces to the WAN and LAN. Depending on the particular application, data packets flow through different modules on their way from one interface to another. The following block diagram illustrates in abstract the general arrangement of LANCOM interfaces and LCOS modules.

LANCOM wireless access points and LANCOM routers with wireless modules additionally offer one or, depending on the model, two wireless interfaces for connecting wireless LANs. On some models a DMZ interface provides a ’demilitarized zone’ (DMZ), which is also physically separated from the other LAN interfaces within the LAN bridge.
Chapter 3: Configuration and management

3.1 Configuration tools and approaches

LANCOM devices are flexible and support a variety of tools (i.e. software) and approaches (in the form of communication options) for their configuration.

Monitoring and diagnosis functions of the device and software
Backup and restoration of entire configurations
Installation of new firmware in the device

3.2 Configuration software

Situations in which the device is configured vary—as do the personal requirements and preferences of the person doing the configuration. LANCOM routers therefore feature a broad selection of configuration software:

LANconfig – nearly all parameters of the LANCOM can be set quickly and with ease using this menu-based application.
Once LANconfig has finished its search, it displays a list of all the devices it has found, together with their names, possibly a description, the IP address and the status.

Management of multiple devices

LANconfig supports remote management of multiple devices. Simply select the desired devices, and LANconfig performs all actions for all selected devices, one after the other. The only requirement: the devices must be of the same type. To make management easier, the devices can be grouped together.
Secure with HTTPS

WEBconfig offers encrypted transmission of the configuration data for secure (remote) management via HTTPS. For maximum security, make sure you have installed the latest version of your Internet browser. For Windows 2000, LANCOM Systems recommends using the “High Encryption Pack” or at least Internet Explorer 5.5 with Service Pack 2 or above.

The syntax of the TFTP call depends on the operating system. With Windows 2000 and Windows NT the syntax is:

tftp -i [get|put] source [target]

Many TFTP clients default to ASCII mode. Therefore, for the transfer of binary data (e.g. firmware), binary transfer must usually be selected explicitly.
You can also reserve a special calling number for remote configuration. Then the support technician can always access the router, even if it is no longer accessible due to incorrect settings.

3.3.2 This is what you need for ISDN remote configuration

A LANCOM with an ISDN connection
A computer with a PPP client, e.g. Windows Dial-Up Network
A program for inband configuration, e.g.

2. Open a Telnet session to the LANCOM. Use the following IP address for this purpose: '172.17.17.18', if you have not defined an IP address for the PPP client. The LANCOM automatically uses this address if no other address has been defined. The PC making the call will respond to the IP '172.17.17.17'. If you have defined an address, use the IP address of the PC raised by one.

1. Switch to the 'Security' tab in the 'Management' configuration section.
2. In the 'Configuration access' area, enter a number at your location that is not used for other purposes. Alternatively, enter the following command:

set /setup/config-module/Farconfig 123456

Always provide additional protection for the settings of the device by setting a password.
time under Windows operating systems—of all of the LANCOM routers in the network. Many of the internal messages generated by the devices are converted to plain text, thereby helping you to troubleshoot. You can also use LANmonitor to monitor the traffic on the router's various interfaces and collect important information on the settings you can use to optimize data traffic.

monitor. If the configuration of the device is protected by a password, enter the password too.
2. LANmonitor automatically creates a new entry in the device list and initially displays the status of the transfer channels. Start your web browser and enter any web page you like. LANmonitor now shows a connection being established on one channel and the name of the remote site being called.

specify whether LANmonitor should create a log file daily, monthly, or on an ongoing basis.

3.5 Trace information—for advanced users

Trace outputs may be used to monitor the internal processes in the router during or after configuration. One such trace can be used to display the individual steps involved in negotiating PPP.
3.5.3 Overview of the keys

This code ... in combination with the trace causes the following:

?          displays a help text
+          switches on a trace output
-          switches off a trace output
#          switches between different trace outputs (toggle)
no code    displays the current status of the trace

Overview of the parameters

The available traces depend on the particular model and can be listed by entering trace with no arguments on the command line.
Chapter 3: Configuration and management LANCOM Reference Manual LCOS 3.50 Convenient series configuration Configuration and management However, even when you are faced with the task of configuring several LANCOM of the same type, you will come to appreciate the function for saving and restoring configurations. In this case you can save a great deal of work by first importing identical parameters as a basic configuration and then only making individual settings to the separate devices.
LANCOM Reference Manual LCOS 3.50 The device no longer responds after loading the new firmware. If an error occurs during the upload, the device automatically reactivates the previous firmware version and reboots the device. 'Login': To avoid problems with faulty uploads there is the second option with which the firmware is uploaded and also immediately booted. In contrast to the first option, the device will wait for five minutes until it has successfully logged on.
LANCOM Reference Manual LCOS 3.50 Chapter 3: Configuration and management LANconfig then tells you the version number and the date of the firmware in the description and offers to upload the file. The firmware you already have installed will be replaced by the selected release by clicking Open. Configuration and management You also have to decide whether the firmware should be permanently activated immediately after loading or set a testing period during which you will activate the firmware yourself.
Status      Contains all read-only statistics of the individual SW modules
Setup       Contains all configurable parameters of all SW modules of the device
Firmware    Contains all firmware-management relevant actions and tables
Other       Contains dialling, boot, reset and upload actions

3.8.1 Command line reference

Navigating the command line can be accomplished with DOS and UNIX style commands as follows:

Command     Description
cd          Change the current directory.
set [] ?    Show which values are allowed for a configuration item. If is empty, this is displayed for each item in the current directory.
show        Shows internal data. Run show ? for a list of available items, e.g.
Time-controlled rules will not necessarily be executed at precisely zero seconds of real time, but at some indeterminate point of time in the minute in question.
Chapter 4: Management

N:N mapping

Network Address Translation (NAT) can be used for several different purposes:

to make better use of the increasingly scarce IPv4 addresses
to couple networks with the same (private) address ranges
to produce unique addresses for network management

In the first application the so-called N:1 NAT, also known as IP masquerading (’The hiding place—IP masquerading (NAT, PAT)’ →page 74), is used.

the defined translation range. An “inbound” address mapping, whereby the source address is translated (instead of the destination address), needs to be realized by an appropriate “outbound” address translation on the remote side.

With the help of N:N mapping, all addresses of the LAN can be translated to a new address range for coupling with the other network. The network of company A, for example, is translated to 192.168.1.x and the network of company B to 192.168.2.x. Under these new addresses the two LANs are now reachable for the respective other network. A station from the network of company A now addresses server 1 of company B under the address 192.168.2.1.
[Figure: remote monitoring scenario. Customer A, headquarters: 10.1.x.x, 255.255.0.0, with office 1 (10.1.2.x, 255.255.255.0) and office 2 (10.1.3.x, 255.255.255.0). Customer B, headquarters: 10.1.x.x, 255.255.0.0, with office 1 (10.1.2.x, 255.255.255.0, gateway e.g. 10.1.2.1) and office 2 (10.1.3.x, 255.255.255.0). Customer C: 172.16.10.x, with a hot spot e.g. 172.16.10.11. The gateways are connected over the Internet by VPN tunnels.]

The networks of client A and B use different address ranges in the respective head office and the connected branches. A standard network coupling via VPN is therefore possible between these networks. Traps from the networks report to the service provider whether e. g.

with the actually identical address range look like two different networks for the gateway of the service provider. The administrator selects the address ranges 192.168.2.x and 192.168.3.x for clients C and D, so that the addresses of these networks differ from the service provider's own network. In order to enable the provider's gateway to monitor the networks of clients C and D, the administrator sets up an address translation to 192.168.1.

The address range for translation must be at least as large as the source address range. Please note that the N:N mapping functions are only effective when the firewall has been activated (’Firewall/QoS enabled’ →page 121)! By setting up address translation in the NAT table, the networks and workstations at first only become visible under another address in the higher-level network compound.
ped” original addresses. The entries of the remote network use the “mapped” addresses of the remote side, valid on the VPN connection.

[Figure: block diagram of the data path. Target address; WAN interfaces (e.g. Ethernet, e.g. ADSL); LAN; Firewall / IDS / DoS; IP router; LAN bridge; IP masquerading; VPN module.]

WEBconfig, Telnet

Under WEBconfig and Telnet you find the NAT table for configuration of N:N mapping at the following positions of the menu tree:

Configuration tool   Run
WEBconfig            Expert configuration / Setup / IP router / NAT table
Terminal/Telnet      Setup / IP router module / NAT table

When starting a new entry under WEBconfig, the NAT table appears as follows:
Chapter 5: Diagnosis

5.1 LANmonitor—know what's happening

LANmonitor is a monitoring tool with which you can view, at any time under Windows operating systems, the most important status information of all the LANCOM routers in the network. Many of the internal messages generated by the devices are converted to plain text, thereby helping you to troubleshoot.

Monitor Internet connection

To demonstrate the functions of LANmonitor, we will first show you the types of information LANmonitor provides about connections being established to your Internet provider.

1. To start LANmonitor, go to Start → Programs → LANCOM → LANmonitor. Use Device → New to set up a new device and, in the following window, enter the IP address of the router that you would like to monitor.

Under the general information you can watch the transmission rates at which data is currently being exchanged with the Internet.
3. To break the connection manually, click on the active channel with the right mouse button. You may be required to enter a configuration password.
4. If you would like a log of the LANmonitor output in file form, select Device → Properties and go to the 'Logging' tab.
Chapter 6: Security

You certainly would not like any outsider to have easy access to, or be able to modify, the data on your computer. Therefore this chapter covers an important topic: security.

Note: If a password has not been set, the Power LED flashes until the device has been configured correctly.

Tips for proper use of passwords

Keep a password as secret as possible. Never write down a password. The following, for example, are popular but completely unsuitable: notebooks, wallets and text files on computers. It sounds trivial, but it can't be repeated often enough: don't tell anyone your password.

ard Security Settings. In a terminal or Telnet session you set or change the password with the command passwd.

Configuration tool   Run
LANconfig            Management → Security → Configuration password
WEBconfig            Security settings
Terminal/Telnet      passwd

Protecting the SNMP access

At the same time you should also protect the SNMP read access with a password. For SNMP the general configuration password is used.
1. Change to the 'Security' tab in the 'Management' configuration area.
2. Within 'Configuration access', enter as call number a number of your connection that is not used for other purposes.

rately. Configuration access can generally be permitted or forbidden, restricted to read-only access or, if your model is equipped with VPN, permitted only over VPN.

By default, this table contains no entries. Thus the device can be accessed over TCP/IP from computers with arbitrary IP addresses. With the first entry of an IP address (together with the associated net mask) the filter is activated, and only the IP addresses contained in this entry are then entitled to use the internal functions. Further entries extend the number of entitled addresses.
You have a choice of the following:

all: Calls are accepted from any remote station.
by number: Only calls from those remote stations whose Calling Line Identification number (CLIP) is entered in the number list are accepted.
by approved number: Only calls from those remote stations whose Calling Line Identification number (CLIP) is entered in the name list and whose number is approved by the Central Office.

Checking the number

When a call is placed over an ISDN line, the caller's number is normally sent over the D channel before a connection is even made (CLI – Calling Line Identifier). Access to your own network is granted if the call number appears in the number list, or the caller is called back if the callback option is activated.

An especially effective callback method is the fast-callback procedure (patent pending). This speeds up the callback procedure considerably. The procedure only works if it is supported by both stations. All current LANCOM routers are capable of fast callback. Additional information on callback can be found in section ’Callback functions’ →page 98.

When a call is placed over an ISDN line, the caller's number is normally sent over the D channel before a connection is even made (CLI – Calling Line Identifier). Access to your own network is granted if the call number appears in the number list, or the caller is called back if the callback option is activated (this callback via the D channel is not supported by the Windows Dial-Up Network).

will be permitted to use the internal functions. The circle of authorized users can be expanded by entering further entries. The filter entries can describe both individual computers and whole networks. The access list can be found in LANconfig in the 'TCP/IP' configuration section on the 'General' tab.
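As an added illustration (not from the manual), the following Python models the access-list rule just described: an empty table leaves the device open to every address, the first entry activates the filter, and entries may name a single computer or a whole network. The entries and client addresses are constructed sample values.

```python
import ipaddress
from typing import List, Tuple

# Constructed access list in the page's form: (IP address, net mask) pairs.
# A mask of 255.255.255.255 describes one computer, a shorter mask a network.
ACCESS_LIST: List[Tuple[str, str]] = [
    ("192.168.10.5", "255.255.255.255"),   # one administrator workstation
    ("192.168.20.0", "255.255.255.0"),     # a whole management network
]


def access_allowed(client_ip: str, access_list: List[Tuple[str, str]]) -> bool:
    """Decide whether client_ip may use the device's internal functions.

    An empty table means the filter is not active and every address is
    entitled; once there is at least one entry, only addresses matching some
    entry (client AND mask == entry AND mask) are entitled.
    """
    if not access_list:
        return True  # no entries: the filter is switched off, everybody passes
    client = int(ipaddress.IPv4Address(client_ip))
    for entry_ip, entry_mask in access_list:
        mask = int(ipaddress.IPv4Address(entry_mask))
        if client & mask == int(ipaddress.IPv4Address(entry_ip)) & mask:
            return True
    return False


def filter_state(access_list: List[Tuple[str, str]]) -> str:
    """What a configuration review should report for this table."""
    return "open to all addresses" if not access_list else "restricted"
```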
Chapter 7: Routing and WAN connections

This chapter describes the most important protocols and configuration entries used for WAN connections. It also shows ways to optimize WAN connections.

7.1 General information on WAN connections

WAN connections are used for the following applications:

Internet access
LAN to LAN coupling
Remote access

A simplified example will clarify this process. Here we assume that the IP address of the computer being searched for is known on the Internet.

[Figure: a data packet with IP target address travels from the Internet user's PC over DSL/ISDN/ADSL into the Internet and on to the LANCOM, which consults its IP routing table.]

4. Transmission of data packets: As soon as the connection is established, the router can send the data packet to the Internet.

7.2 IP routing

An IP router works between networks which use TCP/IP as the network protocol. It only allows data transmissions to destination addresses entered in the routing table.

Configuration of the routing table

Configuration tool   Run
LANconfig            IP router → Routing → Routing table
WEBconfig            Expert Configuration → Setup → IP-router-module → IP-routing-table
Terminal/Telnet      cd /setup/IP-router/IP-routing-table

IP address      IP netmask      Router         Distance   Masquerading
192.168.120.0   255.255.255.0   MAIN           2          Off
192.168.125.0   255.255.255.0   NODE1          3          Off
192.168.130.0   255.255.255.0   191.168.140.

In that way, routes which are forbidden on the Internet (private address spaces, e.g. '10.0.0.0'), for example, are excluded from transmission. If an IP address is entered as the router name, this is a locally available router which is responsible for transferring the relevant data packets.

Distance: Number of routers between your own and the destination router.
How can you assist the workstation computer now? By default, the router sends the computer a response with the address of the router which knows the route to the destination network (this response is known as an ICMP redirect). The workstation computer then accepts this address and sends the data packet straight to the other router.

Although the entries in the static routing table are set manually, this information changes according to the connection status of the router and so do the RIP packets transmitted. If the router has established a connection to a remote station, it propagates all the networks which can be reached via this route in the RIPs with the distance '1'.

column shows which router has revealed this route. This leaves the 'Time'. The dynamic table thus shows how old the relevant route is. The value in this column acts as a multiplier for the intervals at which the RIP packets arrive. A '1', therefore, stands for 30 seconds, a '5' for about 2.5 minutes and so on. New information arriving about a route is, of course, designated as directly reachable and is given the time setting '1'.

packets and look on them as normal broadcast or multicast packets. Connections are continually established by the RIPs if this router holds the default route to a remote router. This can be prevented by entering the RIP port in the filter tables.

Scaling with IP RIP

If you use several routers in a local network with IP RIP, you can represent the routers outwardly as one large router. This procedure is also known as “scaling”.
'address': The network mask is derived from the lowest-order bit that is set in the IP address entered. This and all higher-order bits within the network mask are set. Thus, for example, the address 127.128.128.64 yields the IP network mask 255.255.255.192.
'class + address': The network mask is formed from the IP address class and a part attached after the address procedure. Thus, the above-mentioned address and the network mask 255.

assume a certain order that differs from the protocol standard. In this case the SYN/ACK speedup can be deactivated:
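The 'address' procedure is easy to reproduce; the Python below is an added example, not part of the manual. Its 'class + address' function encodes one reading of the truncated description (the classful mask combined with the address-derived mask by bitwise OR), which is an assumption, and it goes beyond the page's single example by deriving masks for arbitrary addresses.

```python
import ipaddress

# Classful masks for the 'class' part (first octet < 128: A, < 192: B, < 224: C).
CLASS_MASKS = {"A": 0xFF000000, "B": 0xFFFF0000, "C": 0xFFFFFF00}


def _to_int(address: str) -> int:
    return int(ipaddress.IPv4Address(address))


def _to_str(mask: int) -> str:
    return str(ipaddress.IPv4Address(mask))


def address_class(address: str) -> str:
    """Classify an IPv4 address by its first octet."""
    first_octet = _to_int(address) >> 24
    if first_octet < 128:
        return "A"
    if first_octet < 192:
        return "B"
    if first_octet < 224:
        return "C"
    raise ValueError(f"{address}: class D/E addresses have no classful mask")


def mask_by_address(address: str) -> str:
    """'address' procedure: the lowest set bit of the address and every
    higher-order bit form the mask, e.g. 127.128.128.64 -> 255.255.255.192."""
    value = _to_int(address)
    if value == 0:
        raise ValueError("0.0.0.0 has no set bit to derive a mask from")
    lowest_set_bit = (value & -value).bit_length() - 1   # index of the lowest 1 bit
    return _to_str((0xFFFFFFFF << lowest_set_bit) & 0xFFFFFFFF)


def mask_by_class(address: str) -> str:
    """Classful mask only."""
    return _to_str(CLASS_MASKS[address_class(address)])


def mask_by_class_and_address(address: str) -> str:
    """'class + address', read here (assumption: the manual's text is cut off)
    as the classful mask extended by the bits the address procedure sets."""
    combined = CLASS_MASKS[address_class(address)] | _to_int(mask_by_address(address))
    return _to_str(combined)


def prefix_length(mask: str) -> int:
    """Number of set bits, for comparing a derived mask with CIDR notation."""
    return bin(_to_int(mask)).count("1")
```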
any number. It also enters this new port in the table and forwards the packet with the new information.

[Figure: the PC 10.0.0.100 sends a packet with source 10.0.0.100 and target 80.123.123.123; the router forwards it to the Internet with source 80.146.74.146, port 3456, target 80.123.123.123, and records source IP 10.0.0.100 / port 3456 in its table.]

The response to this new packet is now sent to the IP address of the router with the new sender port number.

Which protocols can be transmitted using IP masquerading?

IP masquerading works for all IP protocols that are based on TCP, UDP or ICMP and communicate exclusively through ports. One example of this type of uncomplicated protocol is the one the World Wide Web is based on: HTTP. Individual IP protocols do use TCP or UDP, but do not communicate exclusively through ports.

On the local side, the router supports two different networks: the Intranet and the DMZ (’de-militarized zone’). The DMZ marks a distinct, separate local network, usually for servers, that must be accessible from the Internet.

[Figure: Intranet (LAN) with LAN IP 10.0.0.1; public IP 80.146.74.146; DMZ IP 192.168.2.]

7.3.2 Inverse masquerading

This masking operates in both directions: the local network behind the IP address of the router is masked if a computer from the LAN sends a packet to the Internet (simple masquerading). If, on the other hand, a computer from the Internet sends a packet to, for example, an FTP server on the LAN (’exposed host’), from the point of view of this computer the router appears to be the FTP server.

Configuration of the inverse masquerading

Configuration tool   Run
LANconfig            IP router → Masq. → Service list
WEBconfig            Expert Configuration → Setup → IP-router-module → Masquerading → Service-table
Terminal/Telnet      /setup/IP-router-module/masquerading/service-table
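To make the masquerading table and the service table concrete, here is an added Python model (not LCOS code) that replays the page's example: 10.0.0.100 contacts 80.123.123.123 through the router's public address 80.146.74.146 with new sender port 3456, the reply is de-masqueraded, an unsolicited packet is dropped, and a service-table entry exposes an FTP server. The FTP server 10.0.0.5 and the outside address 203.0.113.9 are constructed values.

```python
import itertools
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ROUTER_PUBLIC_IP = "80.146.74.146"   # the router's public IP from the page's figure


@dataclass(frozen=True)
class Packet:
    proto: str               # "TCP", "UDP", or a protocol without ports, e.g. "GRE"
    src_ip: str
    src_port: Optional[int]  # None for protocols that do not use ports
    dst_ip: str
    dst_port: Optional[int]


class Masquerader:
    """N:1 NAT (IP masquerading) plus the service table for inverse masquerading."""

    def __init__(self, public_ip: str, service_table=None, first_port: int = 3456):
        self.public_ip = public_ip
        # masquerading table: (proto, port on the public side) -> (LAN IP, LAN port)
        self.table: Dict[Tuple[str, int], Tuple[str, int]] = {}
        self._by_lan: Dict[Tuple[str, str, int], int] = {}
        # service table: (proto, public port) -> exposed LAN host
        self.service_table = dict(service_table or {})
        self._ports = itertools.count(first_port)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """LAN -> Internet: hide the sender behind the public IP and a new port."""
        if pkt.src_port is None:
            return None   # no ports to multiplex on: cannot be masqueraded
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if key not in self._by_lan:
            public_port = next(self._ports)
            self._by_lan[key] = public_port
            self.table[(pkt.proto, public_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(pkt.proto, self.public_ip, self._by_lan[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> LAN: replies go back via the table, unsolicited packets only
        reach a host that the service table exposes, anything else is dropped."""
        if pkt.dst_port is None or pkt.dst_ip != self.public_ip:
            return None
        if (pkt.proto, pkt.dst_port) in self.table:
            lan_ip, lan_port = self.table[(pkt.proto, pkt.dst_port)]
            return Packet(pkt.proto, pkt.src_ip, pkt.src_port, lan_ip, lan_port)
        exposed = self.service_table.get((pkt.proto, pkt.dst_port))
        if exposed is not None:   # inverse masquerading: the router "is" the server
            return Packet(pkt.proto, pkt.src_ip, pkt.src_port, exposed, pkt.dst_port)
        return None


def demo() -> dict:
    """Replay the page's example plus the inverse-masquerading and no-port cases."""
    nat = Masquerader(ROUTER_PUBLIC_IP, service_table={("TCP", 21): "10.0.0.5"})
    out = nat.outbound(Packet("TCP", "10.0.0.100", 1025, "80.123.123.123", 80))
    reply = nat.inbound(Packet("TCP", "80.123.123.123", 80, ROUTER_PUBLIC_IP, out.src_port))
    stray = nat.inbound(Packet("TCP", "203.0.113.9", 40000, ROUTER_PUBLIC_IP, 4444))
    ftp = nat.inbound(Packet("TCP", "203.0.113.9", 40001, ROUTER_PUBLIC_IP, 21))
    gre = nat.outbound(Packet("GRE", "10.0.0.100", None, "80.123.123.123", None))
    return {"out": out, "reply": reply, "stray": stray, "ftp": ftp, "gre": gre}
```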
Example: You are assigned the IP network address 123.45.67.0 with the netmask 255.255.255.248 by your provider. Then you can assign the IP addresses as follows:

DMZ IP address   Meaning/use
123.45.67.0      network address
123.45.67.1      LANCOM as a gateway for the Intranet
123.45.67.2      Device in the LAN which is to receive unmasked access to the Internet, e.g. web server connected at the DMZ port
123.45.67.

In the first application the so-called N:1 NAT, also known as IP masquerading (’The hiding place—IP masquerading (NAT, PAT)’ →page 74), is used. All addresses (“N”) of the local network are mapped to only one (“1”) public address. The unambiguous assignment of data streams to the respective internal PCs is generally achieved by means of the ports of the TCP and UDP protocols.
Chapter 7: Routing and WAN connections LANCOM Reference Manual LCOS 3.50 Network coupling An often appearing scenario is the coupling of two company networks which internally use the same address range (e. g. 10.0.0.x). This is often the case, when one company should get access to one (or more) server(s) of the other one: Network of firm A: 10.0.0.x N:N mapping to 192.168.2.x Network of firm B: 10.0.0.x N:N mapping to 192.168.1.x Gateway Gateway VPN tunnel Routing and WAN connections Target: 192.
Remote monitoring and remote control of networks

Remote maintenance and control of networks are becoming ever more important because of the possibilities opened up by VPN. With the nearly ubiquitous broadband Internet connections, the administrator of such management scenarios is no longer dependent on differing data communication technologies or expensive leased lines.

[Figure: Customer B, office 1: 10.1.2.x, 255.255.255.]
client C operates a network with several public WLAN base stations as hot spots, and client D has an additional router for ISDN dial-up access in his LAN. The networks of clients A and B use different address ranges in the respective head office and the connected branches. A standard network coupling via VPN is therefore possible between these networks.
head office. At the same time, all subnetworks located "behind" the head office are also given the required new IP addresses. In this example, the administrator of the service provider selects 10.2.x.x as the central address translation for the network of client B, so that the two networks, which actually use the same address range, look like two different networks to the gateway of the service provider.
of the mapping address. In an assignment of 10.0.0.0/255.255.255.0 to 192.168.1.0, a server in the LAN with the IP address 10.0.0.99 is therefore given the mapping address 192.168.1.99: the host part (.99) is kept, only the network part is exchanged. The address range used for the translation must be at least as large as the source address range. Note that the N:N mapping functions are only effective when the firewall has been activated.
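The translation rule just described (keep the host part, exchange the network part, and require a mapping range at least as large as the source range), as an added example in Python; this is not LCOS code and does not reproduce the LANCOM NAT table format. The address blocks, the two-gateway scenario from the network coupling example and the "mapping table" class are constructed for the demonstration.

```python
import ipaddress

# Added example, not LCOS code: a model of one LANCOM-style N:N mapping entry.
# The translation keeps the host part of an address and exchanges only the
# network part, so 10.0.0.99 in 10.0.0.0/255.255.255.0 -> 192.168.1.0 becomes
# 192.168.1.99. Address blocks and the mapping table below are constructed.


def make_nn_mapping(source_net, mapping_net):
    """Return (forward, reverse) translators for one N:N mapping entry.

    source_net  - the real network, e.g. "10.0.0.0/255.255.255.0"
    mapping_net - the block the network is shown as on the VPN side; without a
                  mask it gets the mask of the source network (as in the manual)
    """
    src = ipaddress.ip_network(source_net, strict=True)
    if "/" not in mapping_net:
        mapping_net = "%s/%d" % (mapping_net, src.prefixlen)
    dst = ipaddress.ip_network(mapping_net, strict=True)
    # The translation range must be at least as large as the source range,
    # otherwise some hosts would have no unique mapping address.
    if dst.prefixlen > src.prefixlen:
        raise ValueError("mapping range %s is smaller than source range %s" % (dst, src))
    host_mask = int(src.hostmask)
    net_mask = int(src.netmask)
    dst_net = int(dst.network_address)

    def forward(addr):
        """Real LAN address -> mapped address, or None if the entry does not apply."""
        a = ipaddress.ip_address(addr)
        if a not in src:
            return None
        return str(ipaddress.ip_address(dst_net | (int(a) & host_mask)))

    def reverse(addr):
        """Mapped address -> real LAN address, or None if the entry does not apply."""
        a = ipaddress.ip_address(addr)
        if (int(a) & net_mask) != dst_net:
            return None
        return str(ipaddress.ip_address(int(src.network_address) | (int(a) & host_mask)))

    return forward, reverse


def mapping_range_ok(source_net, mapping_net):
    """True if the mapping range is large enough for the source range."""
    try:
        make_nn_mapping(source_net, mapping_net)
        return True
    except ValueError:
        return False


class NNMappingTable:
    """Ordered list of mapping entries, as one gateway would hold them."""

    def __init__(self, entries):
        self.entries = [make_nn_mapping(s, m) for s, m in entries]

    def outbound(self, addr):
        """Source address rewriting for packets leaving towards the VPN."""
        for forward, _ in self.entries:
            mapped = forward(addr)
            if mapped is not None:
                return mapped
        return str(ipaddress.ip_address(addr))   # no entry: address passes unchanged

    def inbound(self, addr):
        """Destination address rewriting for packets arriving from the VPN."""
        for _, reverse in self.entries:
            real = reverse(addr)
            if real is not None:
                return real
        return str(ipaddress.ip_address(addr))


def coupled_networks_example():
    """Firm A and firm B both use 10.0.0.x; each gateway maps its own LAN.

    A host in A reaches B's server under B's mapped address: A's gateway
    rewrites the source, B's gateway rewrites the destination back.
    """
    gateway_a = NNMappingTable([("10.0.0.0/255.255.255.0", "192.168.2.0")])
    gateway_b = NNMappingTable([("10.0.0.0/255.255.255.0", "192.168.1.0")])
    src_on_vpn = gateway_a.outbound("10.0.0.5")       # 192.168.2.5
    dst_in_b = gateway_b.inbound("192.168.1.10")      # 10.0.0.10
    reply_dst = gateway_a.inbound(src_on_vpn)         # back to 10.0.0.5
    return src_on_vpn, dst_in_b, reply_dst
```

The check in make_nn_mapping is the practical reason for the "at least as large" requirement: with a smaller mapping block the host bits would be truncated and two LAN hosts would collide on one mapped address.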
use the "mapped" addresses of the remote side, which are valid on the VPN connection.

[Figure: block diagram of the LANCOM data path with target address, source address, N:N mapping, ISDN; Configuration & management: WEBconfig, Telnet, Filter; Encryption: 802.]
When you create a new entry under WEBconfig, the NAT table appears as follows:

7.5 Configuration of remote stations

The name list(s) hold all information that applies individually to a single remote station. Parameters for the lower protocol levels (below IP or IPX) are defined in the communication layer table. The configuration of the authentication (protocol, user name, password) is not covered in this section.
7.5.2 Layer list

A layer defines a collection of protocol settings to be used when connecting to specific remote stations. The list of communication layers can be found under:

Configuration tool | List
LANconfig | Communication > General > Communication layers
WEBconfig | Expert Configuration > Setup > WAN-module > Layer-list
Terminal/Telnet | cd /setup/WAN module/ set layer-list [...
Layer-3 / Layer-2 | Meaning

The following options are available for the switching layer or network layer (Layer-3):
'Transparent': No additional header is inserted.
'PPP': The connection is established according to the PPP protocol (in synchronous mode, i.e. bit-oriented). The configuration data are taken from the PPP table.
'AsyncPPP': Like 'PPP', but the asynchronous mode is used, i.e. PPP operates character-oriented.
'...
of routers from different manufacturers, since this protocol is supported by practically all of them. Because of the growing importance of this protocol family, and because PPP is not tied to any specific operating mode of the routers, the PPP-related functions of the devices are introduced here in a separate section.

7.6.
The phases of PPP negotiation

Establishing a connection with PPP always begins with a negotiation of the parameters to be used for the connection. This negotiation runs in four phases, which should be understood for the purposes of configuration and troubleshooting.

Establish phase: Once a connection has been made at the data communication level, negotiation of the connection parameters begins through the LCP.
to begin output of the PPP protocol frames exchanged during a terminal session. If this terminal session has been logged to a file, you can perform a detailed analysis after the connection has been terminated.

7.6.2 Everything o.k.? Checking the line with LCP

The devices involved in establishing a connection through PPP negotiate a common behaviour for the data transfer.
telecomputer), the LANCOM assigns it an IP address for the duration of the connection, enabling communication to take place. This type of address assignment is carried out during PPP negotiation and is used only for connections via the WAN. Within a local network, by contrast, addresses are (normally) assigned via DHCP.
Windows users can view the assigned addresses via LANmonitor. In addition to the name of the remote station, the current IP address as well as the addresses of the DNS and NBNS servers are shown there. Options such as channel bundling and the duration of the connection are also displayed.

7.6.
In this column of the PPP list... | ...enter the following values:
Time | Time between two checks of the connection with LCP (see the following section), specified in multiples of 10 seconds (i.e. 2 for 20 seconds). The same value is also used as the interval between two re-verifications of the connection with CHAP, where it is counted in minutes. The time must be set to '0' for remote sites running a Windows operating system.
Retr.
holding time of 0 seconds in that case. However, connections interrupted by the remote site are not automatically re-established with this setting. With a holding time of 9,999 seconds the connection is always re-established after any disconnection; in addition, the connection is re-established after a reboot of the device ('auto reconnect').

7.8 Callback functions

The LANCOM supports automatic callback via its ISDN port.
No callback: For this setting, the callback entry must be set to 'off' when configuring via WEBconfig or the console.

Callback number specified by caller: For this setting the callback entry must be set to 'Call back the remote site after name verification' (or must have the value 'Name' in WEBconfig or the console). No telephone number may be specified in the name list.
The callback party selects 'Call back the remote site (fast procedure)' in the name list and enters the calling number ('LANCOM' when configuring via WEBconfig, terminal program or Telnet). For fast callback using the LANCOM method, the number list for answering calls must be kept up to date at both ends.

7.8.
With this entry ... | ... you set up the callback in this manner:
'Name' | Before a callback occurs, a protocol negotiation is always carried out, even when the remote station was found in the number list (e.g. for Windows computers dialling the device directly). Only minor charges result here.
'LANCOM' | When the remote station is found in the number list, a quick callback is carried out, i.e.
Two methods of channel bundling

Static channel bundling: If a connection is established with static channel bundling, the LANCOM tries to establish the second B channel immediately after setting up the first B channel.
Depending on the type of application, the B1 hold time should be increased to a level at which the connection is not dropped prematurely just because no packets are transmitted for a short time. Experience has shown that values between 60 and 180 seconds are a good starting point, which can be adapted as required during operation. The B2 holding time determines whether static or dynamic channel bundling is used (see above).
8 Firewall

For most companies and many private users, working without the Internet is no longer conceivable. E-mail and the web are indispensable for communication and information retrieval. But every connection from the workstations of your own local network to the Internet also represents a potential danger: unauthorized users can try to read your data via this Internet connection, to modify it, or to manipulate your PCs.
Destroy data on the workstations of the LAN.
Paralyse workstations of the LAN or the connection to the Internet.

In this section we restrict ourselves to attacks on local networks (LANs), i.e. on the workstations and servers in such LANs.

8.1.2 The ways of the perpetrators

To pursue their objectives, the perpetrators first need a way to access your PCs and data.
protocol, the search for open ports is also called "port scanning". The attacker uses a program to send requests for particular services, either broadly across the Internet or only to certain networks, and unprotected workstations answer accordingly. A third possibility is to latch onto an existing data connection and use it as a free rider.
that a defenceless workstation exposed on the Internet will, perhaps even by accident, become the victim of attacks.

8.2 What is a Firewall?

The term "Firewall" is interpreted very differently. Here we define what "Firewall" means within the scope of this reference manual: A Firewall is a combination of components that monitors, at a central place, the data exchange between two networks.
which are used for creating the rules and which are checked during operation of the Firewall, different types of Firewalls are distinguished. Above all, the "central" position is very important: only when the entire data traffic between "inside" and "outside" passes through the Firewall can it fulfil its task reliably under all circumstances. Any alternative path can reduce or even nullify the security of the Firewall.
Packet filters

One speaks of a packet-filter-based Firewall when the router only checks the details in the header of the data packets and decides on the basis of this information whether a packet may pass or not.
it is expecting the connection. The server then establishes a connection from its port 20 to the port requested by the client.

[Figure: client (source port 4321) to server (destination port 21); server (source port 20) to client (destination port 4322)]

To allow this process, the administrator of a packet filter must open all ports for incoming connections, because he does not know in advance on which port the client will request the FTP data connection.
packets that do not belong to one of the sessions tracked in the connection state table are automatically discarded.

Stateful Inspection: direction-dependent checking

In contrast to classical port filter Firewalls, the filter sets of a Stateful Inspection Firewall are direction-dependent. Connections can only be established from their source to their destination; the opposite direction would require an explicit filter entry as well.
table, because the connection to the LAN was initiated from the client. The server can therefore send the requested data to the client.

Source IP | Dest. IP | Src. port | Dst. port
10.0.0.1 | 80.190.240.17 | 4321 | 21
80.190.240.17 | 10.0.0.1 | 20 | 4322

[Figure: outgoing connection (permitted); incoming connection (unauthorized); incoming connection with destination port 4322 and source port 20; Firewall IP: 80.146.204.]
only the one with the correct delivery note is allowed through. Likewise, a second courier demanding access to the employee is rejected, too.

Application Gateway

By checking content at the application level, Application Gateways extend the address checking of the packet filters and the connection monitoring of Stateful Packet Inspection.
Application Gateways: there is never a direct connection, e.g. between a client in the local network and a server on the Internet. The LAN workstations only see the proxy, and so do the workstations on the Internet. This physical separation of LAN and WAN makes it quite difficult for attackers to intrude into the protected network.
8.3.1 How the LANCOM Firewall inspects data packets

Out of the entire data stream running through the IP router of the LANCOM, the Firewall filters only those data packets for which a special treatment has been defined.
The Firewall only checks routed data packets!

[Figure: block diagram of the LANCOM data path: ISDN, WLAN-1, WLAN-2, DMZ, IPX router, LANCAPI, Firewall, IPX over PPTP/VPN, Filter, Encryption: 802.]
The LANCOM Firewall uses several lists for checking data packets, which are generated automatically from the Firewall rules, from the resulting Firewall actions, or from active data connections:
Host block list
Port block list
Connection list
Filter list

When a data packet is to be routed via the IP router, the Firewall uses the lists as follows:
1. The first check is whether the packet comes from a workstation that is in the host block list.
list is carried out. If the action accepts the packet, an entry is made in the connection list; the same applies to any further actions.
a dynamic one; new entries can be added continuously by the appropriate Firewall actions. Entries disappear automatically once their timeout expires. For each established connection an entry is made in the connection list, provided the checked packet has been accepted by the filter list. The connection list records from which source to which destination, over which protocol and on which port a connection is currently allowed.
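The list order described above (host block list, port block list, connection list, filter list), together with the stateful handling of the active-FTP data connection from the packet-filter discussion earlier, as an added example in Python; this is not LCOS code. It assumes a simplified rule format (source and destination network, protocol, destination ports, action with optional "Deny host" and "Close port" timeouts), keys the port block list by destination address, protocol and port, and uses a simulated clock for the timeouts; the addresses, rules and packets are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Added example, not LCOS code: a model of the order in which the text says the
# Firewall consults its lists (host block list, port block list, connection
# list, filter list) and of direction-dependent Stateful Inspection, including
# the active-FTP data connection from server port 20 discussed earlier. Rules,
# addresses and packets are constructed for the demonstration.


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "TCP"
    payload: str = ""


@dataclass
class Rule:
    src: str                  # permitted source network (CIDR)
    dst: str                  # permitted destination network (CIDR)
    proto: str
    dports: range             # permitted destination ports
    action: str               # "accept" or "reject"
    deny_host_secs: int = 0   # on reject: lock the sender out ("Deny host")
    close_port_secs: int = 0  # on reject: close the destination port ("Close port")

    def matches(self, p):
        return (p.proto == self.proto and p.dport in self.dports
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst))


class StatefulFirewall:
    def __init__(self, rules):
        self.rules = rules
        self.now = 0              # simulated clock, seconds
        self.host_block = {}      # sender address -> expiry
        self.port_block = {}      # (address, proto, port) -> expiry
        self.connections = {}     # (src, sport, dst, dport, proto) -> state
        self.expected = set()     # data connections announced on FTP control sessions

    def tick(self, seconds):
        self.now += seconds

    def _blocked(self, table, key):
        expiry = table.get(key)
        if expiry is None:
            return False
        if expiry <= self.now:    # entries disappear after their timeout
            del table[key]
            return False
        return True

    def process(self, p):
        fwd = (p.src, p.sport, p.dst, p.dport, p.proto)
        rev = (p.dst, p.dport, p.src, p.sport, p.proto)
        # 1. host block list: everything from a locked-out sender is dropped
        if self._blocked(self.host_block, p.src):
            return "drop:host-blocked"
        # 2. port block list: a closed destination port is dropped
        if self._blocked(self.port_block, (p.dst, p.proto, p.dport)):
            return "drop:port-blocked"
        # 3. connection list: packets of a tracked session pass in both directions
        if fwd in self.connections or rev in self.connections:
            self._track_ftp(p, fwd if fwd in self.connections else rev)
            return "accept:established"
        if fwd in self.expected:  # data channel announced by an FTP PORT command
            self.expected.discard(fwd)
            self.connections[fwd] = "open"
            return "accept:ftp-data"
        # 4. filter list: the first matching rule decides; accept opens a session,
        #    no matching rule means reject
        for rule in self.rules:
            if not rule.matches(p):
                continue
            if rule.action == "accept":
                self.connections[fwd] = "open"
                self._track_ftp(p, fwd)
                return "accept:new"
            if rule.deny_host_secs:
                self.host_block[p.src] = self.now + rule.deny_host_secs
            if rule.close_port_secs:
                self.port_block[(p.dst, p.proto, p.dport)] = self.now + rule.close_port_secs
            return "reject:rule"
        return "reject:default"

    def _track_ftp(self, p, session):
        # Active FTP: the client announces its data port with "PORT h1,h2,h3,h4,p1,p2"
        # on the control connection; the server then connects from port 20 to it.
        client, server, server_port = session[0], session[2], session[3]
        if server_port != 21 or p.src != client or not p.payload.startswith("PORT "):
            return
        fields = p.payload[5:].strip().split(",")
        if len(fields) != 6 or not all(f.isdigit() for f in fields):
            return
        nums = [int(f) for f in fields]
        data_port = nums[4] * 256 + nums[5]
        self.expected.add((server, 20, ".".join(map(str, nums[:4])), data_port, "TCP"))
```

Because the host block list is consulted before the connection list, a "Deny host" action triggered by one stray packet from a server also drops the legitimate replies on an already established session with that server until the block expires; that is the trade-off to keep in mind when attaching "Deny host" to a broad reject rule.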
However, if the server wants to send larger sets of data (e.g.
ICMP connections

For ICMP two cases must be distinguished: ICMP request/reply connections, as used for instance by "ping", and ICMP error messages, which can be received in response to any IP packet. ICMP request/reply connections can be clearly assigned by means of the identifier used by the initiator, i.e.
Note that the N:N mapping functions ('N:N mapping' →page 80) are only active when the Firewall has been switched on!

Default VPN rules

Apart from some VPN-specific information, a VPN rule consists, among other things, of the definition of the source and destination networks.
Route: Fragmented packets are passed on without any further checking by the Firewall, as far as the valid filter settings permit.
Re-assemble: Fragmented packets are buffered and re-assembled into complete IP packets. The re-assembled packets are then checked and treated according to the valid filter settings.

Session recovery

The Firewall enters all currently permitted connections into the connection list.
route" are also suppressed, so that the LANCOM cannot be found either by "ping" or by "trace route". Possible settings are:
Off: ICMP answers are not blocked.
Always: ICMP answers are always blocked.
WAN only: ICMP answers are blocked on all WAN connections.
Default route only: ICMP answers are blocked on the default route (usually the Internet).
the required port is opened for a short time (20 seconds), solely for the authentication inquiry. This behaviour of the Firewall in TCP Stealth mode can be suppressed specifically with the parameter "Always mask authentication port, too". Activating the option "Mask authentication port" can lead to considerable delays in the dispatch and receipt of e.g.
Create VPN rule: Is this Firewall rule also used to create a VPN rule? (→page 127)

Priority

When building the filter list from the Firewall rules, the LANCOM sorts the entries automatically. The "degree of detail" is taken into account: all specific rules are considered first, the general ones (e.g. Deny All) afterwards.
either a rule applies to the packet for which 'observe further rules' is not activated, or the list of Firewall rules has been worked through completely without a further rule applying to the packet. To realize the scenario described above, it is necessary to install for each subnetwork a Firewall rule that rejects additional packets of the protocols FTP and HTTP from a data rate of 512 kbps upwards.
action sets. If the same trigger is used for several action sets, the sequence of the action sets can be adjusted. In the section 'How the LANCOM Firewall inspects data packets' →page 115 we have already described that the lists for checking data packets are ultimately created from the Firewall rules.
The entire local network (LAN)
Certain remote stations (described by the name in the name list)
Certain stations in the LAN (described by the host name)
Certain MAC addresses
Ranges of IP addresses
Complete IP networks

You can only work with host names if your LANCOM is able to resolve the names into IP addresses.
Limit / Trigger

The limit or trigger describes a quantified threshold that must be exceeded on the defined connection before the filter action is executed for a data packet. A limit is composed of the following parameters:
Unit (kbit, kbyte or packets)
Amount, i.e. data rate or number.
SNMP/LANmonitor: Sends an SNMP trap, which can be evaluated e.g. by LANmonitor.
Each of these three notification measures automatically leads to an entry in the Firewall event table.
Disconnect: Cuts the connection over which the filtered packet was received. The physical connection is cut off in this case (e.g.
Firewall. The specific parameters for the different alerting types, such as the relevant e-mail account, can be set in the following places:

Configuration tool | Run
LANconfig | Log & Trace > SMTP Account / SNMP / SYSLOG
WEBconfig | Expert Configuration > Setup > SMTP / SNMP Module / SYSLOG Module
Terminal/Telnet | /Setup/SMTP resp. SNMP Module or SYSLOG Module

An example: Let us assume a filter named 'BLOCKHTTP', which blocks all access to an HTTP server 192.168.
FROM: LANCOM_Firewall@MyCompany.com
TO: Administrator@MyCompany.com
SUBJECT: packet filtered
Date: 9/24/2002 15:06:46

The packet below
Src: 10.0.0.37:4353 {ntserver} (TCP) {cs2}
Dst: 192.168.200.10:80

45 00 00 2c ed 50 40 00 80 06 7a a3 0a 00 00 25 | E..,.P@. ..z....%
c0 a8 c8 0a 11 01 00 50 00 77 5e d4 00 00 00 00 | .......P .w^.....
60 02 20 00 74 b2 00 00 02 04 05 b4             | `. .t... ....
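The dump in the notification is the raw IPv4 header followed by the TCP header of the filtered packet. The following added example (Python, not LCOS code) decodes that "hex bytes | ASCII" layout into the header fields and checks the IP header checksum, so an administrator can confirm what the Src/Dst line summarizes. ALERT_DUMP is the dump from the notification above; the field layout is the standard IPv4/TCP header and nothing LANCOM-specific is assumed.

```python
import ipaddress
import struct

# Added example, not LCOS code: decode the packet dump carried by the Firewall's
# e-mail notification (the "hex bytes | ASCII" layout shown above) and verify
# the IP header checksum. ALERT_DUMP is the dump from the notification above;
# the field names are the standard IPv4/TCP header fields.

ALERT_DUMP = """\
45 00 00 2c ed 50 40 00 80 06 7a a3 0a 00 00 25 | E..,.P@. ..z....%
c0 a8 c8 0a 11 01 00 50 00 77 5e d4 00 00 00 00 | .......P .w^.....
60 02 20 00 74 b2 00 00 02 04 05 b4 | `. .t... ....
"""

TCP_FLAG_NAMES = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")


def parse_dump(text):
    """Hex column left of '|' -> bytes; the ASCII column is ignored."""
    raw = bytearray()
    for line in text.splitlines():
        hex_part = line.split("|", 1)[0]
        raw.extend(int(tok, 16) for tok in hex_part.split())
    return bytes(raw)


def ip_checksum(header):
    """RFC 791 one's-complement sum over a header whose checksum field is zero."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_tcp_options(opts):
    """Decode TCP options; only MSS is interpreted, others are kept as hex."""
    out = {}
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:            # end of option list
            break
        if kind == 1:            # NOP padding
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            out["malformed"] = opts[i:].hex()
            break
        length = opts[i + 1]
        body = opts[i + 2:i + length]
        if kind == 2 and len(body) == 2:
            out["mss"] = struct.unpack("!H", body)[0]
        else:
            out["kind_%d" % kind] = body.hex()
        i += length
    return out


def decode_packet(raw):
    """Return the header fields of an IPv4 packet (with TCP fields if present)."""
    if len(raw) < 20:
        raise ValueError("truncated IP header")
    ver_ihl, _tos, total_len, ident, frag, ttl, proto, stored_csum = struct.unpack(
        "!BBHHHBBH", raw[:12])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(raw) < ihl:
        raise ValueError("not a complete IPv4 header")
    zeroed = raw[:10] + b"\x00\x00" + raw[12:ihl]
    info = {
        "total_length": total_len,
        "id": ident,
        "dont_fragment": bool(frag & 0x4000),
        "ttl": ttl,
        "protocol": proto,
        "src": str(ipaddress.ip_address(raw[12:16])),
        "dst": str(ipaddress.ip_address(raw[16:20])),
        "ip_checksum_ok": ip_checksum(zeroed) == stored_csum,
    }
    if proto == 6 and len(raw) >= ihl + 20:
        sport, dport, seq, ack, off_flags, window = struct.unpack(
            "!HHIIHH", raw[ihl:ihl + 16])
        data_off = (off_flags >> 12) * 4
        info.update({
            "sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": window,
            "flags": [n for i, n in enumerate(TCP_FLAG_NAMES) if off_flags & (1 << i)],
            "options": parse_tcp_options(raw[ihl + 20:ihl + data_off]),
        })
    return info
```

Calling decode_packet(parse_dump(ALERT_DUMP)) shows the filtered packet to be a TCP SYN from 10.0.0.37:4353 to 192.168.200.10:80 with a valid header checksum, i.e. a genuine connection attempt to the blocked HTTP server rather than a garbled packet.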
SNMP: Generic trap = enterpriseSpecific (6)
SNMP: Specific trap = 26 (0x1A)
SNMP: Time stamp = 1442 (0x5A2)

1. System descriptor
SNMP: OID = 1.3.6.1.2.1.1.1.0
SNMP: String Value = LANCOM Business 6021 2.80.0001 / 23.09.2002 8699.000.036 (device string)

2. System-Name
SNMP: OID = 1.3.6.1.2.1.1.5.0
SNMP: String Value = LANCOM Business 6021

3. Time stamp
SNMP: OID = 1.3.6.1.4.1.2356.400.1.6021.1.10.26.1.2.1
This contradiction shows the dilemma of the responsible administrators, who have developed different strategies to solve this problem.

Allow All

The Allow All strategy favours unhindered communication of the employees over security. Any communication is allowed at first; the LAN remains open to attackers.
[Figure: local network; DMZ with FTP server and web server]

Some LANCOM models support this structure with a separate LAN interface used only for the DMZ. If you follow the path of the data through the LANCOM, the function of the Firewall in shielding the LAN against the DMZ becomes visible.
A direct data exchange between LAN and DMZ via the LAN bridge is not possible if a dedicated DMZ port is used. The path from LAN to DMZ and vice versa therefore only leads through the router, and thus only through the Firewall. This shields the LAN against requests from the DMZ, just as it shields the LAN against requests from the Internet.
If you operate a web server in your LAN to which access from outside has been permitted for this service (see 'The hiding place—IP masquerading (NAT, PAT)' →page 74), stations on the Internet can establish connections to this server from outside. In this case the inverse masquerading has priority over the Firewall, as long as no explicit "Deny All" rule has been set.
For a network coupling you additionally permit the communication between the networks involved:

Rule | Source | Destination | Action | Service
ALLOW_LAN1_TO_LAN2 | LAN1 | LAN2 | transmit | ANY
ALLOW_LAN2_TO_LAN1 | LAN2 | LAN1 | transmit | ANY

If you operate e.g.
8.3.8 Configuration of Firewall rules

Firewall wizard

The fastest way to configure the Firewall is the Firewall wizard in LANconfig:
LANconfig

The filters can be set up very conveniently with LANconfig.
The option 'Observe further rules ...' can be used to create complex functions, e.g. ensuring certain bandwidths with QoS ('Connection' →page 128). The option 'This rule is used to create VPN rules' allows the information about source and destination networks of this rule to be used for defining VPN networks as well ('Default VPN rules' →page 122).
Stations: Here the stations, as sender or addressee of the packets, are specified for which the filter rule shall match.
Services: Here the IP protocols, source and destination ports are specified for which the filter rule shall apply. For example, it can be specified here that only access to web pages and e-mail is permitted.
WEBconfig, Telnet

Under WEBconfig or Telnet the Firewall rules are configured in the following menus and lists:

Configuration tool | Run
WEBconfig | Expert Configuration / Setup / IP Router Module / Firewall: Rule Table, Object Table, Actions Table
Terminal/Telnet | Setup / IP Router Module / Firewall / Rule Table, Object Table, Actions Table

LCOS uses a special syntax for the description of the Firewall rules.
action table for Firewall actions (→page 147). It can also contain direct descriptions in the appropriate LCOS syntax (e.g. %P6 for TCP).

When entering rule parameters directly in LCOS syntax, the same guidelines apply as described in the following sections for protocols, source and destination, as well as for Firewall actions.

Object table

The object table defines elements and objects that are used in the rule table of the Firewall.
Stations and services can be described in the object table according to the following rules:

Description | Object ID | Examples and notes
Local network | %L |
Remote stations | %H | Name must be in the DSL/ISDN/PPTP or VPN name list
Host name | %D | Note the advice for host names (→page 129)
MAC address | %E | 00:A0:57:01:02:03
IP address | %A | %A10.0.0.1, 10.0.0.2; %A0 (all addresses)
Netmask | %M | %M255.255.255.0
Protocol (TCP/UDP/ICMP etc.
Conditions

Condition | Description | Object ID
Connect filter | The filter is active when no physical connection to the packet destination exists. | @c
DiffServ filter | The filter is active when the packet contains the indicated Differentiated Services Code Point (DSCP) ('Evaluating ToS and DiffServ fields' →page 183). | @d (plus DSCP)
Internet filter | The filter is active when the packet is received or will be transmitted via the default route. |
Limit | Description | Object ID
Packet (rel) | Number of packets per second, minute or hour on the connection after which the action is executed. | %lcps %lcpm %lcph
Global data (abs) | Absolute number of kilobytes received from the destination station or sent to it, after which the action is executed. | %lgd
Global data (rel) | Number of kilobytes per second, minute or hour received from the destination station or sent to it, after which the action is executed. |
Further measures

Measure | Description | Object ID
Syslog | Gives a detailed notification via SYSLOG. | %s
Mail | Sends an e-mail to the administrator. | %m
SNMP | Sends an SNMP trap. | %n
Close port | Closes the destination port for a given time. | %p
Deny host | Locks out the sender address for a given time. | %h
Disconnect | Disconnects the connection to the remote site from which the packet was received or sent. |
and at the same time send an e-mail to the administrator, then the description of the object for the action reads as follows:

Like the address and service objects of the object table, action objects can be given a name and can be combined recursively as desired, whereby the maximum recursion depth is limited to 16. In addition, they can be entered directly into the action field of the rule table.
last five events that were triggered either by a Firewall rule, the DoS or the IDS system with the 'SNMP/LANmonitor' option activated. A new window with the complete logging table opens via the context menu (right mouse button) of the Firewall Event Log (→page 152).
If you call up the logging table via LANmonitor, it looks as follows:

If you call up the logging table via WEBconfig, it looks as follows:

The table contains the following values:

Element | Element meaning
Idx.
Element | Element meaning
Src-p | Source port of the filtered packet (only with port-related protocols)
Dst-p | Destination port of the filtered packet (only with port-related protocols)
Filter-Rule | Name of the rule that raised the entry.
Limit | Bit field describing the exceeded limit that caused the packet to be filtered.
At Telnet level, the content of the filter list can be displayed with the command show filter:

Under WEBconfig the filter list has the following structure:

The individual fields in the filter list have the following meaning:

Entry | Description
Idx. | Current index
Prot | Protocol to be filtered, e.g. 6 for TCP or 17 for UDP.
Entry | Description
Src address | Source IP address, or 0.0.0.0 if the filter applies to all packets.
Source mask | Source network mask, which together with the source IP address determines the source network, or 0.0.0.0 if the filter applies to packets from all networks.
Q start | Start of the source port range of the packets to be filtered.
Q end | End of the source port range of the packets to be filtered.
Element | Element meaning
Src addr. | Source address of the connection
Dst addr. | Destination address of the connection
Protocol | Protocol used (TCP/UDP etc.), given as a decimal number.
Src port | Source port of the connection. The port is only shown for port-related protocols (TCP/UDP) or protocols that have a comparable field (ICMP/GRE).
Meaning of the flags of the connection list

Flag | Flag meaning
00000001 | TCP: SYN sent
00000002 | TCP: SYN/ACK received
00000004 | TCP: waiting for ACK of the server
00000008 | all: open connection
00000010 | TCP: FIN received
00000020 | TCP: FIN sent
00000040 | TCP: RST sent or received
00000080 | TCP: session will be re-established
00000100 | FTP: passive FTP connection will be established
00000400 | H.323: belonging to T.
Sorting is done according to address, protocol and port. The table contains the following elements:

Element | Element meaning
Address | Address of the station to which the blocking applies.
Protocol | Protocol used (TCP/UDP etc.), given as a decimal number.
Port | Port to be closed at the station. If the respective protocol is not port-related, the entire protocol is closed for this station.
8.4 Protection against break-in attempts: Intrusion Detection

A Firewall has the task of examining the data traffic across the borders between networks and rejecting those packets that are not permitted to pass. Besides attempts to access a computer in the protected network directly, there are also attacks against the Firewall itself, and attempts to outwit the Firewall with falsified data packets.
LANconfig

Configuration of the IDS

The parameters of the Intrusion Detection System are set in LANconfig in the configuration area 'Firewall/QoS' on the 'IDS' tab:

Apart from the maximum number of port inquiries, the fragment action and the possible logging mechanisms, the following reactions are also possible:
The connection is cut off.
The sender address is blocked for an adjustable period of time.
8.5 Protection against "Denial of Service" attacks

Attacks from the Internet can be break-in attempts, but also attacks aiming to block the accessibility and functionality of individual services. Therefore a LANCOM is equipped with appropriate protective mechanisms, which recognize well-known hacker attacks and keep the device operational.

8.5.
during the attack and, moreover, the owner of the falsified address cannot receive normal data any more during the attack. If the falsified sender address is the broadcast address of the second network, all workstations in this network are blocked as well. In this case the DoS recognition of the LANCOM blocks passing packets that are addressed to the local broadcast address.
... a further Denial of Service attack can result if the victim's memory is exhausted.
Teardrop
The Teardrop attack works with overlapping fragments. After the first fragment a second one is sent that lies completely within the first, i.e. the end of the second fragment is located before the end of the first.
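The following is an added example and not code from the LANCOM manual: a small detector for the overlapping-fragment pattern of the Teardrop attack described above. Fragments are modelled as (datagram ID, byte offset, byte length), with the offset already converted from the 8-byte units of the IP header; the fragment streams are constructed, not captured traffic. It distinguishes the Teardrop case (a later fragment lying entirely inside an earlier one) from a partial overlap, which a reassembly engine would also want to reject.

```python
# Added example (not from the LANCOM manual): detector for overlapping IP
# fragments of the Teardrop type. Fragments: (datagram_id, offset_bytes,
# length_bytes). Sample streams below are constructed.
from collections import defaultdict


def classify_overlap(new, old):
    """Classify how byte range `new` intersects the earlier range `old`."""
    (s, e), (ps, pe) = new, old
    if s == ps and e == pe:
        return "duplicate"
    if s >= ps and e <= pe:
        return "contained"   # Teardrop: the later fragment lies inside the earlier one
    return "partial"


def find_overlaps(fragments):
    """Return (datagram_id, kind, new_range, old_range) for every fragment whose
    byte range intersects a fragment of the same datagram seen before it.
    Ranges are half-open [start, end)."""
    seen = defaultdict(list)          # datagram_id -> ranges accepted so far
    findings = []
    for dg_id, offset, length in fragments:
        new = (offset, offset + length)
        for old in seen[dg_id]:
            # [a, b) and [c, d) intersect iff a < d and c < b
            if new[0] < old[1] and old[0] < new[1]:
                findings.append((dg_id, classify_overlap(new, old), new, old))
                break
        seen[dg_id].append(new)
    return findings


def is_teardrop(fragments):
    """True if any fragment of a datagram is fully contained in an earlier one."""
    return any(kind == "contained" for _, kind, _, _ in find_overlaps(fragments))


# Constructed fragment streams (not captured traffic):
NORMAL = [(1, 0, 1480), (1, 1480, 1480), (1, 2960, 500)]
TEARDROP = [(2, 0, 1480), (2, 100, 800)]      # second fragment ends before the first does
PARTIAL = [(3, 0, 1480), (3, 1400, 1480)]     # overlaps only the tail of the first

if __name__ == "__main__":
    for name, frags in (("normal", NORMAL), ("teardrop", TEARDROP), ("partial", PARTIAL)):
        print(name, find_overlaps(frags), "TEARDROP" if is_teardrop(frags) else "ok")
```

A real implementation would key the table on (source, destination, protocol, identification) rather than a bare datagram ID and expire entries, but the overlap test itself is the whole of the detection.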
8.5.2 Configuration of DoS blocking
Configuration with LANconfig
The parameters against DoS attacks are set in LANconfig in the configuration area 'Firewall/QoS' on the 'DoS' tab.
The connection is cut off.
The sender address is blocked for an adjustable period of time.
The destination port of the scan is blocked for an adjustable period of time.
Configuration with WEBconfig or Telnet
With WEBconfig or Telnet the suppression of responses is configured here:
WEBconfig: Expert Configuration / Setup / IP Router Module / Firewall
Terminal/Telnet: Setup / IP Router Module / Firewall
9 Quality of Service
This chapter is dedicated to quality: under the generic term Quality of Service (QoS) those LCOS functions are summarised that are concerned with guaranteeing certain levels of service availability.
... the desired data transfer, certain data packets must be treated preferentially. For this, a LANCOM must first recognise which data packets should be preferred at all. There are two ways to signal to the LANCOM that data packets need preferential treatment:
The application, e.g. the software of certain IP telephones, is itself able to mark the data packets appropriately.
What is DiffServ?
DiffServ stands for "Differentiated Services" and is a more recent model for signalling the priority of data packets. DiffServ is based on the well-known Type-of-Service (ToS) field and uses the same byte within the IP header. ToS uses the first three bits to describe the precedence values 0 to 7, and four further bits (the ToS bits) to optimise the data stream (e.g.
9.2.1 Guaranteed minimum bandwidths
With these you give priority to business-critical applications, e.g. Voice-over-IP (VoIP) PBX systems, or to certain user groups.
Fully dynamic bandwidth management when sending
In the sending direction, bandwidth management takes place dynamically. This means, for example, that a guaranteed minimum bandwidth is only reserved as long as the corresponding data transfer actually exists.
9.2.2 Limited maximum bandwidths
With these you limit, for example, the total or the per-connection maximum bandwidth for server access. An example: you operate both a web server and a local network on a shared Internet connection. To prevent your productive network (LAN) from being paralysed by many Internet accesses to your web server, all server accesses are limited to half of the available bandwidth.
As long as the interval for the minimum bandwidth is not exceeded (i.e. up to the end of the current second), all packets in this queue are treated without further special priority. All packets of this queue, of the "secured queue" and of the "standard queue" then share the available bandwidth. When sending, packets are taken from the queues in exactly the order in which they were placed into them.
... how many data packets it is still able to receive, and thus slows down the data stream already within the router. As a result, the queues fill up automatically.
(Figure: queues in front of the WAN interface; interface rates such as n x 64 kbps, 128 kbps, 54 Mbps and 100 Mbps towards the Internet.)
The situation is different if an Ethernet interface provides the connection to the WAN.
... a standard DSL connection, the DSL interface is therefore set in the LANCOM to the corresponding upstream rate (e.g. 128 kbps). Data rates quoted by providers are mostly net rates. The gross data rate available on the interface is slightly higher than the net data rate guaranteed by the provider.
Standard receive queue
All packets that do not need special treatment because of an active QoS rule on the receiving side end up here. Packets in this queue are passed on or acknowledged directly, without regard to maximum bandwidths.
A resulting delay has no adverse effect on the TCP-secured FTP transfer. Two different methods exist to influence the packet length:
Provided that the data connection already exists when the VoIP connection is started, the senders adjust their packet lengths very quickly to the permitted value.
... office via a VPN connection over which no Internet traffic is running at the same time.
9.5 QoS parameters for Voice over IP applications
An important task when configuring VoIP systems is to guarantee sufficient voice quality.
Accordingly, a VoIP connection should be configured so that the criteria for good speech quality are met: packet loss up to 10%, delay up to 150 ms and jitter up to 10 ms. Jitter can be removed at the receiving station by an appropriate buffer. In this jitter buffer the packets are stored temporarily and passed on to the addressee at a constant rate.
In detail, the delay is determined especially by the codec used, the resulting packet size and the available bandwidth:
(Figure: the delay components processing, serialization, propagation and jitter buffer add up against the 150 ms budget; for comparison, satellite quality.)
The processing time is determined by the codec used. With a sampling time of 20 ms, a new packet is generated exactly every 20 ms. Times for compression can mostly be neglected.
... the IPsec header must be added (RTP and IPsec headers can be larger, depending on the configuration).
Codec | Net data rate | Sampling | Packets per sec. | Payload | IP packet | IPsec packet | Bandwidth
G.723.1 | 6.3 kbit/s | 30 ms | 33.3 | 24 byte | 64 byte | 84 byte | 22.3 kbps
G.711 | 64 kbit/s | 20 ms | 50 | 160 byte | 200 byte | 276 byte | 110.
The transfer time of the packets to the interface (serialization) assumes a PMTU of 512 bytes on a 128 kbps connection. For slower interfaces or other codecs it may therefore be necessary to adjust the jitter buffer and/or the PMTU value. Please note that these bandwidths are required in the sending and in the receiving direction, and for just one single connection.
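As an added example (not code from the manual), the following recomputes the bandwidth table of this section from payload size and sampling interval, and the one-way delay from the four components named above (packetisation, serialization, propagation, jitter buffer) against the 150 ms limit. It assumes minimal IPv4 + UDP + RTP headers of 20 + 8 + 12 = 40 bytes; the IPsec packet size is taken as an input from the table, because ESP overhead depends on cipher, padding and tunnel mode. The propagation and jitter-buffer values in the demonstration are assumed figures.

```python
# Added example (not from the LANCOM manual): VoIP bandwidth and delay budget.
# Assumption: 40-byte IPv4+UDP+RTP headers; IPsec packet size given explicitly.

RTP_IP_HEADERS = 20 + 8 + 12   # IPv4 + UDP + RTP (bytes)


def voip_bandwidth(payload_bytes, sample_ms, ipsec_packet_bytes):
    """Per-direction figures for one call: packets/s, net codec rate, IP packet
    size and the bandwidth of the IPsec-encapsulated stream in kbit/s."""
    pps = 1000.0 / sample_ms
    net_kbps = payload_bytes * 8 * pps / 1000
    ip_packet = payload_bytes + RTP_IP_HEADERS
    bandwidth_kbps = ipsec_packet_bytes * 8 * pps / 1000
    return {
        "pps": round(pps, 1),
        "net_kbps": round(net_kbps, 1),
        "ip_packet": ip_packet,
        "ipsec_packet": ipsec_packet_bytes,
        "bandwidth_kbps": round(bandwidth_kbps, 1),
    }


def serialization_ms(pmtu_bytes, link_bps):
    """Time a packet of pmtu_bytes occupies a link of link_bps, in ms: the wait a
    voice packet can suffer behind one large data packet already being sent."""
    return pmtu_bytes * 8 * 1000.0 / link_bps


def delay_budget(sample_ms, pmtu_bytes, link_bps, propagation_ms, jitter_buffer_ms, limit_ms=150):
    """One-way delay from the four components of this section versus the limit.
    Processing is approximated by the packetisation (sampling) time."""
    ser = serialization_ms(pmtu_bytes, link_bps)
    total = sample_ms + ser + propagation_ms + jitter_buffer_ms
    return {"serialization_ms": round(ser, 1), "total_ms": round(total, 1),
            "within_limit": total <= limit_ms}


# The two codec rows of the table: (payload, sampling interval, IPsec packet size)
G723_1 = voip_bandwidth(24, 30, 84)
G711 = voip_bandwidth(160, 20, 276)

if __name__ == "__main__":
    print("G.723.1", G723_1)
    print("G.711  ", G711)
    # 512-byte PMTU on a 128 kbps upstream; 30 ms propagation and 40 ms jitter buffer are assumed
    print("PMTU 512:", delay_budget(20, 512, 128_000, 30, 40))
    print("PMTU 256:", delay_budget(20, 256, 128_000, 30, 40))
```

The G.723.1 row computes to 22.4 kbps, a rounding difference from the 22.3 kbps printed in the table; the G.711 row computes to 110.4 kbps. Halving the PMTU from 512 to 256 bytes halves the serialization component (32 ms to 16 ms on 128 kbps), which is exactly what the PMTU reduction action of the QoS rules later in this chapter buys.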
... tion, the physical data transfer via the respective interface always counts as the direction!
9.7 QoS configuration
9.7.1 Evaluating ToS and DiffServ fields
Configuration with LANconfig
For configuration with LANconfig, select the configuration area 'IP router'. On the 'General' tab, set whether the 'Type of service field' or alternatively the 'DiffServ field' is to be evaluated for the prioritisation of data packets.
DiffServ: The ToS/DiffServ field is interpreted as a DiffServ field and evaluated as follows:
DSCP code point | Kind of transmission
CSx (including CS0 = BE) | normal transmission
AFxx | secured transmission
EF | preferred transmission
DiffServ in firewall rules
The code points from the DiffServ field can be evaluated by firewall rules for further control of QoS parameters such as minimum bandwidth or PMTU reduction.
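The following added example (not code from the manual) decodes the same IP header byte in both readings described above, the classic ToS reading (3-bit precedence plus four ToS bits) and the DiffServ reading (6-bit DSCP plus 2 ECN bits), and maps the DSCP to the three transmission classes of the table. The sample bytes are constructed; treating code points outside the CS/AF/EF pools as "normal" is an assumption, not something the manual states.

```python
# Added example (not from the LANCOM manual): ToS vs. DiffServ decoding of the
# same byte, and the manual's CS/AF/EF -> normal/secured/preferred mapping.


def decode_tos(byte):
    """Classic ToS reading: 3-bit precedence (0-7) and the 4 ToS bits
    (minimise delay, maximise throughput, maximise reliability, minimise cost)."""
    precedence = (byte >> 5) & 0x7
    tos_bits = (byte >> 1) & 0xF
    return precedence, tos_bits


def decode_diffserv(byte):
    """DiffServ reading: 6-bit DSCP in the upper bits, 2 ECN bits in the lower."""
    return byte >> 2, byte & 0x3


def dscp_name(dscp):
    """Symbolic name: EF, CS0..CS7 (CS0 = BE) or AFxy; anything else numerically."""
    if dscp == 46:
        return "EF"
    if dscp % 8 == 0:
        return f"CS{dscp // 8}"
    af_class, drop = dscp >> 3, (dscp & 0x7) >> 1     # AFxy: class x, drop precedence y
    if 1 <= af_class <= 4 and 1 <= drop <= 3 and dscp & 1 == 0:
        return f"AF{af_class}{drop}"
    return f"DSCP{dscp}"


def transmission_class(byte):
    """The manual's evaluation: CSx normal, AFxx secured, EF preferred."""
    name = dscp_name(decode_diffserv(byte)[0])
    if name == "EF":
        return "preferred"
    if name.startswith("AF"):
        return "secured"
    return "normal"      # CSx; unknown code points default here (assumption)


if __name__ == "__main__":
    # constructed sample bytes: BE, EF, AF41, AF11, a non-standard code point
    for b in (0x00, 0xB8, 0x88, 0x28, 0x2E):
        prec, tos = decode_tos(b)
        dscp, ecn = decode_diffserv(b)
        print(f"0x{b:02x}: precedence={prec} tos_bits={tos:04b} "
              f"dscp={dscp} ({dscp_name(dscp)}) ecn={ecn} -> {transmission_class(b)}")
```

Note that the precedence bits and the top three DSCP bits are the same bits, which is why an EF marking (0xB8) also reads as precedence 5 for a device that only understands ToS.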
Configuration with WEBconfig or Telnet
For configuration with WEBconfig or Telnet, the parameters are entered at the following places in a new firewall rule:
WEBconfig: Setup / IP router module / Firewall / Rule list
Telnet: Setup / IP router module / Firewall / Rule list
The firewall rule is extended by the condition "@d" and the DSCP (Differentiated Services Code Point).
The guaranteed bandwidth is defined on the 'QoS' tab. The option 'Action only for default route' limits the rule to those packets that are sent or received via the default route. The option 'Action only for VPN route' limits the rule to those packets that are sent or received via a VPN tunnel. The option 'Per connection' resp.
A maximum bandwidth is simply defined by a limit rule that discards, by means of a "Drop" action, all packets exceeding the defined bandwidth. Examples:
%Qcds32: minimum bandwidth of 32 kbps for each connection
%Lgds256 %d: maximum bandwidth of 256 kbps for all connections (globally)
Further information about defining firewall rules can be found in the chapter 'Firewall' → page 104.
... (e.g. Voice over IP), this extra overhead is quite noticeable.
Sending and receiving direction
Configuration with LANconfig
The interpretation of the data transfer direction can be set in LANconfig when defining the QoS rule.
Configuration with WEBconfig or Telnet
For configuration with WEBconfig or Telnet, the interpretation of the data transfer direction is specified at the following places in a new firewall rule by the parameters "R" for receive, "T" for transmit (send) and "W" for reference to the WAN interface:
WEBconfig: Setup/IP router mod
Packets of particular protocols are not reduced selectively; instead, all packets on that interface are reduced globally.
The following example shows a setting for Voice over IP telephony:
Rule | Source | Destination | Action | Protocol
VOIP | IP addresses of the IP telephones in the LAN, all ports | IP addresses of the IP telephones in the LAN, all ports | %Qcds32 %Prt256 | UDP
This rule sets the minimum bandwidth for sending and receiving to 32 kbps and forces and reduces the PMTU for sending and receiving to packets of 256 bytes.
10 Virtual LANs (VLANs)
10.1 What is a Virtual LAN?
The increasing availability of inexpensive layer 2 switches makes it possible to set up LANs much larger than in the past. Until now, smaller parts of a network were combined with hubs, and these individual segments (collision domains) were joined into larger units via routers.
Data traffic of certain logical units should be transmitted with a specific priority compared to other network users. An example to clarify: within a LAN, a switch is connected to a hub that connects four stations of the marketing department to the network. One server and two stations of the accounting department are connected directly to the switch.
Tagging is realised by an additional field within the MAC frame. This field carries two important pieces of information for the virtual LAN:
VLAN ID: A unique number identifies the virtual LAN. This ID defines which logical (virtual) LAN a data packet belongs to. With this 12-bit value up to 4094 different VLANs can be defined (VLAN IDs "0" and "4095" are reserved or inadmissible).
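As an added example (not code from the manual or from LCOS), the following builds and parses the IEEE 802.1Q tag described above. The 4-byte tag sits between the source MAC address and the EtherType: the tag protocol identifier 0x8100, then a 16-bit tag control field holding 3 priority bits, 1 drop-eligible bit and the 12-bit VLAN ID. VLAN ID 4095 is rejected as reserved; VLAN ID 0 is treated as a "priority tag" (a priority without VLAN membership), which is how 802.1Q defines it. MAC addresses and payloads are constructed.

```python
# Added example (not from the LANCOM manual): building and parsing 802.1Q tags.
import struct

TPID_8021Q = 0x8100


def _mac(s):
    return bytes.fromhex(s.replace(":", ""))


def build_frame(dst, src, ethertype, payload, vlan_id=None, priority=0):
    """Ethernet frame, optionally tagged with 802.1Q (VLAN ID and priority)."""
    hdr = _mac(dst) + _mac(src)
    if vlan_id is None:
        hdr += struct.pack("!H", ethertype)
    else:
        if not 0 <= vlan_id <= 4094 or not 0 <= priority <= 7:
            raise ValueError("VLAN ID must be 0..4094 and priority 0..7")
        tci = (priority << 13) | vlan_id          # PCP (3) | DEI (1, left 0) | VID (12)
        hdr += struct.pack("!HHH", TPID_8021Q, tci, ethertype)
    return hdr + payload


def parse_frame(frame):
    """Return dst, src, vlan_id (None if untagged or priority-tagged), priority,
    ethertype and payload. Rejects the reserved VLAN ID 4095."""
    if len(frame) < 14:
        raise ValueError("frame too short")
    dst, src = frame[:6].hex(":"), frame[6:12].hex(":")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return {"dst": dst, "src": src, "vlan_id": None, "priority": None,
                "ethertype": ethertype, "payload": frame[14:]}
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    vid, priority = tci & 0x0FFF, tci >> 13
    if vid == 4095:
        raise ValueError("VLAN ID 4095 is reserved")
    # VID 0 is a priority tag: the frame carries a priority but belongs to no VLAN
    return {"dst": dst, "src": src, "vlan_id": vid or None, "priority": priority,
            "ethertype": inner_type, "payload": frame[18:]}


# Constructed example: marketing workstation -> sales workstation, tagged VLAN 3
MARKETING = build_frame("02:00:00:00:00:02", "02:00:00:00:00:01", 0x0800,
                        b"\x45" + b"\x00" * 19, vlan_id=3, priority=5)
UNTAGGED_ARP = build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:01", 0x0806, b"\x00" * 28)

if __name__ == "__main__":
    print(parse_frame(MARKETING))
    print(parse_frame(UNTAGGED_ARP))
```

A port that is configured to drop untagged frames, as the port table later in this chapter allows, would simply check `vlan_id is None` on the parsed frame before forwarding.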
... rules for generating and processing VLAN tags are assigned to the individual interfaces. Coming back to the first example:
(Figure: data packet without VLAN tag; data packet without VLAN tag; WLAN sales; data packet with VLAN ID=3.)
A workstation from marketing sends a data packet to a workstation of the sales department. The marketing hub simply passes the packet on to the switch. The switch receives the packet at its port no.
Management and user traffic on a LAN
Several hot spots are installed on a university campus so that students equipped with notebooks and WLAN cards have access to the Internet and to the library server. The hot spots are connected to the university LAN. Via this LAN the administrators also access the base stations to carry out various management tasks via SNMP.
But this task is very burdensome to realise by hardware changes, or not possible at all, because e.g. only a single central cabling exists in the office building.
(Figure: Company A accounts department, Company A sales, Company A administration and Company B share the cabling, separated by VLAN IDs 3, 5 and 11.)
Virtual LANs make it possible to perform this task in a very elegant way.
10.3 Configuration of VLANs
VLAN functions are presently only supported by LANCOM Wireless devices. The configuration of LANCOM Wireless devices for VLANs involves two important tasks:
Defining virtual LANs and assigning each a name, a VLAN ID and the affected interfaces.
Defining for the interfaces how to proceed with data packets with or without VLAN tags.
Example of a network table:
Name | VLAN ID | Port list
Default | 1 | LAN-1, WLAN-1, WLAN-2
Sales | 2 | LAN-1, WLAN-1
Marketing | 3 | LAN-1, WLAN-2
The port table
The port table configures the individual ports of the device for use by the VLAN. The table has an entry for each port of the device with the following values:
Port: Name of the port, not editable.
11 Wireless LAN – WLAN
11.1 What is a Wireless LAN?
The following sections give a general description of the LCOS operating system functions in wireless networks. The precise functions supported by your device are described in its manual. In this chapter we briefly present the technology of wireless networks. In addition, we give an overview of the various applications, functions and capabilities of your base station.
IEEE 802.11a: 54 Mbps
IEEE 802.11a describes the operation of wireless LANs in the 5 GHz frequency band (5.15 GHz to 5.75 GHz) with a maximum transfer rate of up to 54 Mbps. The actual throughput, however, depends on the distance and the quality of the connection. With increasing distance and diminishing connection quality, the transmission rate drops to 48 Mbps, then to 36 Mbps etc., down to a minimum of 6 Mbps.
... transmission. If exactly this range is used by another transmitter, interference in the transmission would be the result. With the DSSS method the transmitter uses a wider spread of the available frequencies and thus becomes less sensitive to narrow-band interference. This method is also used in the military to make interception more difficult.
IEEE 802.11g: 54 Mbps
The IEEE 802.
Your LANCOM base station supports, depending on the model, the standards IEEE 802.11g (backward-compatible with IEEE 802.11b) and/or IEEE 802.11a. The integrated wireless card of your base station can only operate in one frequency band at a time, i.e. either 2.4 GHz or 5 GHz. Simultaneous operation of IEEE 802.11g and IEEE 802.11a is therefore not possible. Since IEEE 802.11g is backward-compatible with IEEE 802.
Connecting the wireless LAN to an existing LAN
Extending the coverage of a wireless LAN
In addition, the use of a base station enables central administration of the wireless LAN.
Connection to an existing LAN
An infrastructure network is ideally suited as an extension to existing wired LANs.
(Figure: a mobile station leaves radio cell A and changes into radio cell B; the base stations of both cells are connected via the LAN.)
In the example above, the roaming function of the mobile station allows it to access the workstation in radio cell A even after changing into radio cell B. After the radio cell change, the base station in radio cell B forwards the data of the mobile station via the LAN to the base station in radio cell A.
... it is also possible to specifically control the access of workstations in the LAN to the IP routing function of the device.
(Figure: WLAN and LAN behind the firewall of the base station, which connects to the Internet over the WAN via a DSL modem or any other broadband connection.)
VPN pass-through
VPN technology (VPN = Virtual Private Network) is used more and more frequently to protect sensitive data.
By using narrow-beam antennas (e.g. AirLancer Extender), larger distances can also be bridged securely. A further increase in range can be achieved with additional base stations that operate in relay mode between two LAN segments. Up to seven remote network segments can be coupled into one network by wireless bridges in the so-called P2MP (point-to-multipoint) operating mode.
... base station. Client mode also makes it possible to integrate devices such as PCs or printers that have only an Ethernet interface into a wireless LAN.
(Figure: base stations in client mode connected to base stations in standard mode.)
Multiple radio cells with Multi-SSID
Conventionally, a wireless network card supports exactly one radio cell.
In some applications, however, it may be desirable to divide the clients of a radio cell into different groups, each of which is treated differently by the access point. It may be necessary, for example, to operate a public wireless network without any encryption alongside a protected, WPA- or WEP-encrypted wireless network that excludes unauthorised parties.
On the way from the original WEP of the 802.11 standard to 802.11i, a whole series of concepts has arisen that has tended to increase confusion and insecurity among users. This section explains the concepts and the processes used, in the chronological order of their development.
... case, so-called asymmetric encryption methods such as RSA can be used, i.e. a different key is used to decrypt the data than the one used to encrypt it. Such methods are, however, much slower than symmetric encryption methods, which leads to a two-phase solution: one side possesses an asymmetric key pair and transmits the encryption key to the other side, generally as part of a certificate.
... data packet; a double application of the XOR operation with the same values cancels out.
... combination of two plaintext packets. If one already knows the contents of one of the two packets, the plaintext of the other is easily determined. WEP therefore does not use the key entered by the user directly as the RC4 key, but combines it with a so-called Initialization Vector (IV) to arrive at the actual RC4 key.
... usually weaker than 40 or 104 bits (the current IEEE standards, for instance, assume that a typical password has a strength of about 2.5 bits per character). The IEEE standard specifies that up to four different WEP keys can exist in one WLAN. The sender encodes the number of the WEP key used in the encrypted packet along with the IV, so that the receiver can use the appropriate key.
... for certain values of the RC4 key, conclusions may be drawn about the first values of the pseudo-random sequence it generates, and thus about the bytes with which the beginning of the packet is encrypted. This property of RC4 can be avoided relatively easily, for instance by discarding the first bytes of the pseudo-random byte sequence and using only the "later" bytes for encryption; this is often done nowadays when RC4 is used.
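The following added example (not code from the manual) makes the three points of the preceding paragraphs concrete: the per-packet RC4 key in WEP is the 24-bit IV followed by the shared key; two packets encrypted under the same IV share the keystream, so XORing the ciphertexts yields the XOR of the plaintexts and a known plaintext reveals the other; and the mitigation of discarding the first keystream bytes ("RC4-drop"). Key, IV and packets are constructed; the predictable LLC/SNAP header at the start of every 802.11 data frame is what makes the known-plaintext part realistic. The RC4 implementation is included so the block runs without any library.

```python
# Added example (not from the LANCOM manual): RC4 as used by WEP, IV reuse,
# and the "drop the first keystream bytes" mitigation.


def rc4_keystream(key, length, drop=0):
    """Return `length` RC4 keystream bytes for `key`, skipping the first `drop`."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for n in range(drop + length):             # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        if n >= drop:
            out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4_crypt(key, data, drop=0):
    """XOR with the keystream; encryption and decryption are the same operation."""
    return bytes(d ^ k for d, k in zip(data, rc4_keystream(key, len(data), drop)))


def wep_crypt(wep_key, iv, data):
    """WEP: the per-packet RC4 key is the 24-bit IV followed by the shared key."""
    if len(iv) != 3 or len(wep_key) not in (5, 13):
        raise ValueError("IV must be 3 bytes, WEP key 5 (WEP64) or 13 (WEP128) bytes")
    return rc4_crypt(iv + wep_key, data)


def recover_second_plaintext(c1, c2, known_p1):
    """Same IV => same keystream K: c1 ^ c2 = p1 ^ p2, hence p2 = c1 ^ c2 ^ p1."""
    return bytes(a ^ b ^ p for a, b, p in zip(c1, c2, known_p1))


WEP_KEY = b"\x0b\x1a\x2c\x3d\x4e"                   # constructed 40-bit key
IV = b"\x00\x00\x01"                                # constructed IV, reused by both packets
P1 = b"\xaa\xaa\x03\x00\x00\x00\x08\x00\x45\x00"    # LLC/SNAP + start of an IP header
P2 = b"\xaa\xaa\x03\x00\x00\x00\x08\x06\x00\x01"    # LLC/SNAP + start of an ARP packet
C1 = wep_crypt(WEP_KEY, IV, P1)
C2 = wep_crypt(WEP_KEY, IV, P2)

if __name__ == "__main__":
    print("RC4 test vector:", rc4_crypt(b"Key", b"Plaintext").hex())
    print("recovered P2 == P2:", recover_second_plaintext(C1, C2, P1) == P2)
    print("first 8 keystream bytes:     ", rc4_keystream(b"Key", 8).hex())
    print("after dropping 256 bytes:    ", rc4_keystream(b"Key", 8, drop=256).hex())
```

With a 24-bit IV there are only 16.7 million keystreams per shared key, so IV reuse on a busy network is a matter of hours even without the weak-key attack; the drop mitigation only helps against the weak-key statistics, not against keystream reuse.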
... which could automatically crack an arbitrary WLAN connection within a few hours. With this, WEP was essentially worthless.
... the possibility of installing a valid WEP key for the next session is more or less a by-product. Figure 2 shows the basic process of a session secured by EAP.
(Figure 2: client, access point and RADIUS server; WLAN registration followed by the EAP/802.1X exchange.)
The access point is thus a sort of middleman between client and server. It does not have to check the contents of these packets; it only has to ensure that no other data traffic to or from the client can occur. This approach has two advantages:
The implementation effort in the access point is low.
Further advantages of this procedure include its simple implementation in the access point, with little extension to existing hardware. The disadvantage of the procedure is its complexity. Maintaining the central RADIUS server and the certificates stored there is generally only feasible in large installations with a separate IT department; it is less suitable for use in the home or in smaller companies.
A simplified procedure for deriving the Master Secret mentioned in the last section, which can be performed without a RADIUS server.
Negotiation of the encryption method between access point and client.
TKIP
TKIP stands for Temporal Key Integrity Protocol.
... a new component (green), however: besides the CRC, the unencrypted packet also has a so-called Michael MIC attached. This is a hash algorithm developed especially for WLAN, designed so that it can be computed on older WLAN hardware with reasonable overhead.
... the decryption part of TKIP checks this sequence and discards packets that contain an already-used IV, which prevents replay attacks. As a further detail, TKIP also mixes the MAC address of the sender into the first phase. This ensures that the use of identical IVs by different senders cannot lead to identical RC4 keys and thus again to attack possibilities.
The key handshake breaks down into two phases: first the pairwise key handshake, then the group key handshake (Figure 4).
(Figure 4, pairwise key handshake between access point and client: 1 (Send ANonce), 2 (Send SNonce), 3 (Install Pairwise Key), 4 (Pairwise Key Installed); group key handshake: 1 (Install Group Key), 2 (Group Key Installed).)
As you can see, the handshake consists of pairs of packets, each consisting of a 'query' from the access point and a 'confirmation' from the client.
The client still cannot be 'approved', however, because the access point must still transmit a further key: the group key, which it uses to transmit broadcast and multicast packets to all stations simultaneously. This key is determined unilaterally by the access point and is simply transmitted to the station, which confirms receipt.
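The following added example (not code from the manual or from LCOS) shows the key material behind the pairwise key handshake of Figure 4 and the simplified Master Secret derivation without a RADIUS server mentioned above, as standardised in IEEE 802.11i for WPA/WPA2-PSK: the PMK is PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes); the PTK is PRF(PMK, "Pairwise key expansion", sorted MAC addresses || sorted nonces); and messages 2 to 4 carry a MIC over the message keyed with the first 16 PTK bytes (KCK). The MIC here is HMAC-SHA1 truncated to 16 bytes, the AES/CCMP key-descriptor variant; WPA/TKIP uses HMAC-MD5 for the same purpose. The group key delivery is not simulated (the real protocol wraps the GTK with the KEK). MAC addresses, SSID and passphrases are constructed; the "password"/"IEEE" vector is the published 802.11i test vector.

```python
# Added example (not from the LANCOM manual): WPA-PSK key derivation and the
# four-way handshake with MIC checks on both sides. Constructed inputs.
import hashlib
import hmac
import os


def pmk_from_passphrase(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key, label, data, nbytes):
    """802.11i PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def derive_ptk(pmk, aa, spa, anonce, snonce):
    """48-byte PTK for CCMP: KCK (16) | KEK (16) | TK (16). Sorting makes the
    result independent of which side is the AP."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)


def mic(kck, body):
    """EAPOL-Key MIC, CCMP descriptor variant: HMAC-SHA1 truncated to 16 bytes."""
    return hmac.new(kck, body, hashlib.sha1).digest()[:16]


def four_way_handshake(pmk_ap, pmk_client, aa, spa):
    """Simulate both sides. Returns (ok, reason, tk); tk is only returned on success."""
    anonce = os.urandom(32)                                    # msg 1: AP -> client, ANonce
    snonce = os.urandom(32)
    ptk_c = derive_ptk(pmk_client, aa, spa, anonce, snonce)   # client can derive the PTK now
    msg2 = b"\x02" + snonce
    mic2 = mic(ptk_c[:16], msg2)                               # msg 2: client -> AP, SNonce + MIC
    ptk_a = derive_ptk(pmk_ap, aa, spa, anonce, snonce)
    if not hmac.compare_digest(mic(ptk_a[:16], msg2), mic2):
        return False, "msg2 MIC failed: client has a different PMK", None
    msg3 = b"\x03" + anonce + b"install"
    mic3 = mic(ptk_a[:16], msg3)                               # msg 3: AP -> client, install pairwise key
    if not hmac.compare_digest(mic(ptk_c[:16], msg3), mic3):
        return False, "msg3 MIC failed", None
    msg4 = b"\x04"                                             # msg 4: client -> AP, confirmation
    if not hmac.compare_digest(mic(ptk_a[:16], msg4), mic(ptk_c[:16], msg4)):
        return False, "msg4 MIC failed", None
    return True, "pairwise key installed", ptk_a[32:48]


SSID = "lancom-demo"                        # constructed
AA = bytes.fromhex("020000000001")          # access point MAC (constructed)
SPA = bytes.fromhex("020000000002")         # client MAC (constructed)
PMK = pmk_from_passphrase("correct horse battery staple", SSID)

if __name__ == "__main__":
    print("802.11i test vector PMK:", pmk_from_passphrase("password", "IEEE").hex())
    print(four_way_handshake(PMK, PMK, AA, SPA)[:2])
    print(four_way_handshake(PMK, pmk_from_passphrase("wrong passphrase", SSID), AA, SPA)[:2])
```

Everything an eavesdropper sees (both MAC addresses, both nonces, the MIC of message 2) is exactly the input to this derivation; only the PMK is missing, which is why a captured handshake suffices for an offline dictionary attack on the passphrase.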
... point to show whether encryption should be used or not. This became insufficient the moment WEP was used with key lengths other than 40 bits: the user had to take care that not only the same value but also the same key length was configured. WPA provides a mechanism with which client and access point can agree on the encryption and authentication procedures to be used.
11.2.6 AES and 802.11i
In mid-2004 the long-awaited 802.11i standard was approved by the IEEE. It is intended to put the entire security concept of the WLAN on a new basis, and errors as serious as those encountered during the introduction of WEP are not expected to recur with 802.11i. As mentioned in the last section, WPA has already implemented a whole series of concepts from 802.
Similar to TKIP, CCM uses a 48-bit Initialization Vector in each packet, so that an IV repetition is impossible in practice. As in TKIP, the receiver notes the last IV used and discards packets whose IV is equal to or less than this comparison value.
Pre-authentication and PMK caching
For this reason, the so-called PMK caching was introduced as a first measure. The PMK, of course, serves as the basis for key negotiation in an 802.
... steps like WPA, the IEEE committee has now presented the new WLAN security standard 802.11i. The TKIP procedure used by WPA is based on the older RC4 algorithm, the foundation of WEP. AES is the first important and conclusive step towards a truly secure encryption system. 802.11i/AES has consigned the practical and theoretical security loopholes of the previous methods to history.
... example, is not a particularly secure SSID. ('Network settings' → page 251)
If you know exactly which wireless network cards are permitted to access your WLAN, you can enter the MAC addresses of these cards into the access control list, thus excluding all other cards from communicating with the access point. This restricts access to the WLAN to those clients with listed MAC addresses. Note that MAC addresses are transmitted unencrypted and can easily be forged, so the access control list only complements encryption and does not replace it.
... apply to all of the logical wireless networks supported by this card. These parameters include, for example, the transmitting power of the antenna and the operating mode of the WLAN card (access point or client). Other parameters relate solely to the logical wireless network supported by a physical interface. These include, for example, the SSID or the activation of encryption, either 802.
Configuration with LANconfig
For configuration with LANconfig you will find the general WLAN access settings under the configuration area 'WLAN Security' on the 'General' tab.
Check that the setting 'filter out data from the listed stations, transfer all other' is activated. New stations that are to participate in your wireless network are added with the 'Stations' button.
Configuration with LANconfig
For configuration with LANconfig you will find the protocol filter under the configuration area 'WLAN Security' on the 'Protocols' tab. Make an entry in the protocol list for each protocol that requires special handling. Enter the following values:
A name of your choice for the filter entry
Protocol number (the EtherType, in hexadecimal), e.g. '0800' for IP. If no protocol is entered, the filter applies to all packets.
Subprotocol (the IP protocol number), e.g. '6' for TCP.
Redirect address when the 'Redirect' action is selected
Example:
Name | Protocol | Subtype | Start port | End port | Interface list | Action | Redirect IP address
ARP | 0806 | 0 | 0 | 0 | WLAN-1-2 | Let through | 0.0.0.0
DHCP | 0800 | 17 | 67 | 68 | WLAN-1-2 | Let through | 0.0.0.0
TELNET | 0800 | 6 | 23 | 23 | WLAN-1-2 | Redirect | 192.168.11.5
ICMP | 0800 | 1 | 0 | 0 | WLAN-1-2 | Let through | 0.0.0.0
HTTP | 0800 | 6 | 80 | 80 | WLAN-1-2 | Redirect | 192.168.11.
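As an added example (not code from the manual or from LCOS), the following evaluates a protocol filter table like the one above against already-decoded packets, so that the wildcard semantics of the columns can be checked. The assumptions, which the manual does not spell out, are: rules are tried in table order and the first match wins; a Subtype or port value of 0 means "any"; the port range is matched against the destination port; and a packet that matches no rule is let through. Only the four complete rows of the table are transcribed (the HTTP redirect address is cut off in the source); the packets are constructed.

```python
# Added example (not from the LANCOM manual): first-match evaluation of a WLAN
# protocol filter table. Assumptions: 0 = any, destination port is matched,
# unmatched packets are let through.

LET_THROUGH, REDIRECT = "Let through", "Redirect"

# The manual's example table, transcribed (EtherType in hex, IP protocol number)
RULES = [
    dict(name="ARP",    proto=0x0806, sub=0,  ports=(0, 0),   ifaces={"WLAN-1-2"}, action=LET_THROUGH, redirect="0.0.0.0"),
    dict(name="DHCP",   proto=0x0800, sub=17, ports=(67, 68), ifaces={"WLAN-1-2"}, action=LET_THROUGH, redirect="0.0.0.0"),
    dict(name="TELNET", proto=0x0800, sub=6,  ports=(23, 23), ifaces={"WLAN-1-2"}, action=REDIRECT,    redirect="192.168.11.5"),
    dict(name="ICMP",   proto=0x0800, sub=1,  ports=(0, 0),   ifaces={"WLAN-1-2"}, action=LET_THROUGH, redirect="0.0.0.0"),
]


def rule_matches(rule, pkt):
    """pkt: dict with iface, ethertype, ip_proto (None for non-IP) and
    dst_port (None if the protocol has no ports)."""
    if pkt["iface"] not in rule["ifaces"]:
        return False
    if rule["proto"] is not None and pkt["ethertype"] != rule["proto"]:
        return False                      # proto=None would mean "all packets"
    if rule["sub"] and pkt.get("ip_proto") != rule["sub"]:
        return False                      # sub=0 means any subprotocol
    lo, hi = rule["ports"]
    if lo or hi:                          # (0, 0) means any port
        port = pkt.get("dst_port")
        if port is None or not lo <= port <= hi:
            return False
    return True


def apply_filter(rules, pkt, default=LET_THROUGH):
    """Return (rule name, action, redirect target); the target is set only for a redirect."""
    for rule in rules:
        if rule_matches(rule, pkt):
            target = rule["redirect"] if rule["action"] == REDIRECT else None
            return rule["name"], rule["action"], target
    return None, default, None


# Constructed packets, all seen on interface WLAN-1-2 unless stated otherwise
TELNET_PKT = dict(iface="WLAN-1-2", ethertype=0x0800, ip_proto=6, dst_port=23)
DHCP_PKT = dict(iface="WLAN-1-2", ethertype=0x0800, ip_proto=17, dst_port=67)
SSH_PKT = dict(iface="WLAN-1-2", ethertype=0x0800, ip_proto=6, dst_port=22)
ARP_PKT = dict(iface="WLAN-1-2", ethertype=0x0806, ip_proto=None, dst_port=None)
PING_PKT = dict(iface="WLAN-1-2", ethertype=0x0800, ip_proto=1, dst_port=None)
LAN_TELNET = dict(iface="LAN-1", ethertype=0x0800, ip_proto=6, dst_port=23)

if __name__ == "__main__":
    for name, pkt in [("telnet", TELNET_PKT), ("dhcp", DHCP_PKT), ("ssh", SSH_PKT),
                      ("arp", ARP_PKT), ("ping", PING_PKT), ("lan telnet", LAN_TELNET)]:
        print(f"{name:11s} -> {apply_filter(RULES, pkt)}")
```

Because the ARP and ICMP rows carry port 0, they match regardless of ports, whereas the DHCP row only matches UDP packets to ports 67 and 68; a DHCP reply to port 67 from a client on the LAN-1 interface is not covered by this table at all, since every row lists only WLAN-1-2.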
... incorporated in the 802.11 standard for the encryption of data in wireless transmission. This method uses keys of 40 (WEP64), 104 (WEP128) or 128 bits (WEP152) in length. A number of security loopholes in WEP have come to light over time, so the newer 802.11i/WPA methods should be used wherever possible. Further information about the 802.11i and WPA standards is available under 'Developments in WLAN security' → page 213.
Key 1/passphrase
In line with the encryption method activated, you can enter a WEP key for the respective logical WLAN interface, or a passphrase when using WPA-PSK: The passphrase, i.e. the 'password' for the WPA-PSK method, is entered as a string of at least 8 and up to 63 ASCII characters. Please be aware that the security of this encryption method depends on the confidential treatment of this passphrase, and also on its length and randomness: a recorded key handshake allows an offline dictionary attack on short or guessable passphrases.
Configuration with LANconfig
For configuration with LANconfig you will find the private WEP settings under the configuration area 'WLAN Security' on the '802.11i/WEP' tab.
... keys: a private key for each logical WLAN interface and three common group WEP keys for each physical WLAN interface. If 802.1x/EAP is in use and 'dynamic key generation and transmission' is activated, the group keys from 802.1x/EAP are used and are consequently no longer available for WEP encryption.
Rules for entering WEP keys
WEP keys can be entered as ASCII characters or in hexadecimal form. The hexadecimal form begins with the characters '0x'.
Configuration with LANconfig
For configuration with LANconfig, the country settings can be found in the configuration area 'Management' on the 'Wireless LAN' tab in the 'General' group. This group includes two further parameters in addition to the country setting: Mobile stations in the wireless network that are in standby do not reliably answer the ARP requests of other network stations.
... the list of physical WLAN interfaces by clicking the 'Physical WLAN settings' button.
WLAN card operation
LANCOM Wireless devices can be operated in two basic modes: As an access point, the device forms the link between the WLAN clients and the wired LAN. In client mode the device seeks another access point and attempts to register with a wireless network.
Turbo mode
Using two neighbouring, vacant channels for wireless transmission can increase the transfer speed up to 108 Mbps. Set this option for the 2.4 GHz band in the drop-down list '2.4 GHz mode', and for the 5 GHz band in the corresponding list '5 GHz mode' below.
... the greatest possible range and, in particular, the highest possible data transfer rates.
Access point density
The more access points there are in a given area, the more the reception areas of the antennas overlap. The setting 'Access point density' can be used to reduce the receive sensitivity of the antenna.
Maximum distance
Large distances between transmitter and receiver give rise to increasing delays for the data packets.
Chapter 11: Wireless LAN – WLAN LANCOM Reference Manual LCOS 3.50 Point-to-point 'Off': The access point only communicates with mobile clients Point-to-point 'On': The access point can communicate with other access points and with mobile clients Point-to-point 'Exclusive': The access point only communicates with other access points The input fields are for the MAC addresses of the WLAN cards for the pointto-point connections (up to 7).
Chapter 11: Wireless LAN – WLAN LANCOM Reference Manual LCOS 3.50 Create IBBS If the station can establish an IBBS (Independent Basic Service Set), meaning an adhoc network, then the station can connect to other WLAN clients. For the connection of devices with a client station, this is mostly unwanted or not required. Keep client connection alive This option ensures that the client station keeps the connection to the access point alive even when the connected devices do not send any data packets.
Chapter 11: Wireless LAN – WLAN LANCOM Reference Manual LCOS 3.50 LAN' tab. Open the list of logical WLAN interfaces by clicking on the button Logical WLAN settings and select the required logical interface. Set the SSID Define an unambiguous SSID (network name) for each of the logical wireless networks on the 'Network' tab for the logical interfaces. Only network cards that have the same SSID can register with this wireless network.
The RTS threshold prevents the occurrence of the "hidden station" phenomenon.

Figure: RTS threshold – network coverage of access points ①, ② and ③

Here, the three access points ①, ② and ③ are positioned such that no direct wireless connection between the two outer devices is possible. If ① sends a packet to ②, ③ is not aware of this, as it is outside of ①'s coverage area.

11.4.5 Additional WLAN functions
Apart from the different encryption methods 802.11i/AES, WPA/TKIP or WEP and the closed network, a variety of other functions exist for securing the operation of a wireless network. The Redirect function provides convenient control over the connection of WLAN clients in changing environments.

IEEE 802.1x/EAP
The international industry standard IEEE 802.1x and the Extensible Authentication Protocol (EAP) enable access points to carry out reliable and secure access checks. The access data can be managed centrally on a RADIUS server and called up by the access point on demand. This technology also enables the secure transmission and the regular automatic changing of WEP keys. In this way, IEEE 802.

11.5 IPSec over WLAN
Only with the LANCOM VPN Option. Not available with all LANCOM devices.
With the help of the IPSec-over-WLAN technology, in addition to the security measures described already, a wireless network for the exchange of especially sensitive data can be optimally secured. To this end, the LANCOM Wireless access point is upgraded to a VPN gateway with the LANCOM VPN Option. In addition to the encryption per 802.
transmitter and receiver. The areas where the waves amplify or cancel each other out are known as Fresnel zones.

Figure: Fresnel zones 1, 2 and 3 between transmitter and receiver; distance d, radius R

The radius (R) of Fresnel zone 1 is calculated with the following formula, assuming that the signal wavelength (λ) and the distance between transmitter and receiver (d) are known:

R = 0.5 * √(λ * d)

The wavelength in the 2.4-GHz band is approx. 0.

To ensure that Fresnel zone 1 remains unobstructed, the height of the antennae must exceed that of the highest obstruction by this radius.

connections, and even the air, and amplifying elements such as the external antennae.

Figure: Power over the path – output power of the radio module; loss through cable, plugs and lightning protection; amplification with antenna gain; free-space loss; amplification with antenna gain; loss through cable, plugs and lightning protection; input signal at the radio module

① The calculation of the power over the path begins at the transmitter's radio module.

The data transmission rate is set according to the reception power. A WLAN module has an input sensitivity equivalent to a power level of, for example, -80 dBm. If the received power falls below this level, a lower data rate can be switched in, which corresponds to an improved sensitivity at a lower power level.

⑦ The receiving end also has amplifying and attenuating elements. If the same antenna is used as at the transmitter, the antenna gain is 18 dB and the loss from cable (again 4 m), lightning protection and plug connectors is 5 dB. The radio signal thus arrives at the receiver's radio module with the following power: -97 dBm + 18 dBi - 5 dB = -84 dBm.
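The Fresnel-zone formula and the power-over-the-path calculation above, carried through in code as an added example that is not code from the manual; the free-space loss formula, the speed-of-light constant and the rate/sensitivity table are assumptions added here, the -97 dBm, 18 dBi and 5 dB figures are the manual's.

```python
"""Fresnel-zone radius and link budget for a WLAN point-to-point link.

Added example, not code from the LANCOM manual. It carries the manual's formula
R = 0.5 * sqrt(lambda * d) and its receiver-side calculation
(-97 dBm + 18 dBi - 5 dB = -84 dBm) through in code. The free-space loss formula
and the rate/sensitivity table are assumptions added here, not taken from the page.
"""
import math

SPEED_OF_LIGHT_M_S = 299_792_458.0

# Constructed rate/sensitivity table (Mbps, dBm). Only its shape follows the page,
# which gives -80 dBm as an example sensitivity; real module values differ.
SENSITIVITY_TABLE = [(54, -68), (36, -73), (24, -77), (11, -82), (1, -90)]


def wavelength_m(frequency_hz: float) -> float:
    """Carrier wavelength; 2.4 GHz gives about 0.125 m."""
    return SPEED_OF_LIGHT_M_S / frequency_hz


def fresnel_radius_m(wavelength: float, distance_m: float) -> float:
    """Radius R of Fresnel zone 1 at mid-path: R = 0.5 * sqrt(lambda * d)."""
    if wavelength <= 0 or distance_m <= 0:
        raise ValueError("wavelength and distance must be positive")
    return 0.5 * math.sqrt(wavelength * distance_m)


def required_antenna_height_m(highest_obstacle_m, wavelength, distance_m) -> float:
    """The antennae must exceed the highest obstruction by the Fresnel radius."""
    return highest_obstacle_m + fresnel_radius_m(wavelength, distance_m)


def free_space_loss_db(distance_m: float, frequency_hz: float) -> float:
    """Free-space path loss: 20*log10(d_km) + 20*log10(f_MHz) + 32.44 (standard formula, assumed here)."""
    return 20 * math.log10(distance_m / 1000.0) + 20 * math.log10(frequency_hz / 1e6) + 32.44


def receiver_input_dbm(arriving_dbm, antenna_gain_dbi, cable_plug_lightning_loss_db) -> float:
    """Power at the receiver's radio module: arriving signal + antenna gain - losses."""
    return arriving_dbm + antenna_gain_dbi - cable_plug_lightning_loss_db


def link_budget(tx_power_dbm, tx_loss_db, tx_gain_dbi, distance_m, frequency_hz,
                rx_gain_dbi, rx_loss_db) -> dict:
    """Carry the power over the whole path, stage by stage, in dB terms."""
    radiated = tx_power_dbm - tx_loss_db + tx_gain_dbi          # leaves the transmit antenna
    fspl = free_space_loss_db(distance_m, frequency_hz)
    arriving = radiated - fspl                                   # reaches the receive antenna
    at_module = receiver_input_dbm(arriving, rx_gain_dbi, rx_loss_db)
    return {"radiated_dbm": radiated, "free_space_loss_db": fspl,
            "arriving_dbm": arriving, "rx_module_dbm": at_module}


def fastest_rate_mbps(rx_module_dbm, table=SENSITIVITY_TABLE):
    """Highest data rate whose sensitivity the received power still meets, or None."""
    usable = [rate for rate, sensitivity in table if rx_module_dbm >= sensitivity]
    return max(usable) if usable else None


if __name__ == "__main__":
    lam = wavelength_m(2.4e9)
    print(f"Fresnel zone 1 radius over 1 km at 2.4 GHz: {fresnel_radius_m(lam, 1000):.2f} m")
    print(f"Receiver module input from the manual's figures: {receiver_input_dbm(-97, 18, 5):.0f} dBm")
    # Constructed transmitter figures: 15 dBm module output, 5 dB losses, 18 dBi antenna.
    budget = link_budget(15, 5, 18, 1000, 2.4e9, 18, 5)
    print(budget, "->", fastest_rate_mbps(budget["rx_module_dbm"]), "Mbps")
```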
(P2mP, connection from an access point to the registered clients, e.g. notebooks). The last column in the table shows the transmission power reduction to be set so that the upper limits of 30 dBm (802.11a) or 20 dBm (802.11b/g) are not exceeded. The specifications for 802.11a apply only to Germany, the Netherlands, Luxembourg and Great Britain. In Belgium, Austria and Switzerland, only the 802.

Assumed cable loss: 9 dB

Maximum distance [km]
Mbps    P2P     P2mP
1.0     2.82    1.58
2.0     2.51    1.41
5.5     2.24    1.26
6.0     2.24    1.26
9.0     2.24    1.26
11.0    2.00    1.12
12.0    1.78    1.00
18.0    1.41    0.79
24.0    1.00    0.56
36.0    0.71    0.40
48.0    0.35    0.20
54.0    0.18    0.10

AirLancer Extender O-70 (802.11b/g) Antenna gain: 8.

Maximum distance [km]
Mbps    P2P     P2mP
36.0    0.32    0.27
48.0    0.16    0.13
54.0    0.08    0.07

11.5.4 Transmission power reduction
Every country has regulations concerning the permissible output power from WLAN antennae, often with differences according to the WLAN standard or divided according to indoor or outdoor use. The output power from external antennae may not exceed these maximum power levels.
12 Office communications with LANCAPI
LANCAPI from LANCOM is a special version of the popular CAPI interface. CAPI (Common ISDN Application Programming Interface) establishes the connection between ISDN adapters and communications programs. For their part, these programs provide the computers with office communications functions such as a fax machine or answering machine.
③ Activate the LANCAPI server for outgoing and incoming calls, or allow only outgoing calls. ④ In the latter case, the LANCAPI will not respond to incoming calls, for example to receive faxes. Permitting outgoing calls only is useful if you do not have a specific call number available for the LANCAPI.

⑧ Switch to the 'Availability' tab. Here you can determine how the LANCOM should respond if a connection is to be established via the LANCAPI (incoming or outgoing) when both B channels are already busy (priority control). The meaning of the options offered here: The connection via LANCAPI cannot be performed.

If necessary, the system is restarted and LANCAPI is then ready to accept all jobs from the office communications software. After successful installation, an icon for LANCAPI will be available in the toolbar. A double-click on this icon opens a status window that displays current information on the LANCAPI at any time. The LANCAPI client starts automatically and shows its status in the Windows task bar.

It is also possible to set the interval at which the client checks whether the found or listed servers are still active.

12.3 How to use the LANCAPI
Two options are available for the use of the LANCAPI: You may use software which interacts directly with a CAPI (in this case, the LANCAPI) port.

Installation
The CAPI Faxmodem can be installed from the CD setup. Always install the CAPI Faxmodem together with the current version of LANCAPI. After restarting, the CAPI Faxmodem will be available, e.g. in Windows 98 under Start > Settings > Control Panel > Modems.
13 Server services for the LAN
A LANCOM offers a number of services for the PCs in the LAN. These are central functions that can be used by workstation computers. They are in particular: 13.

period of validity for the parameters assigned
The DHCP server takes the IP addresses either from a freely defined address pool or determines them automatically from its own IP address (or intranet address). In DHCP mode, a completely unconfigured device can even automatically assign IP addresses to itself and to the computers in the network.

13.1.3 How are the addresses assigned?
IP address assignment
Before the DHCP server can assign IP addresses to the computers in the network, it first needs to know which addresses are available for assignment. Three options exist for determining the available selection of addresses: The IP address can be taken from the address pool selected (start address pool to end address pool).

Otherwise, the network mask from the TCP/IP module is used. The order is the same as during the assignment of the addresses.

Broadcast address assignment
Normally, an address derived from the valid IP addresses and the network mask is used for broadcast packets in the local network. In special cases, however (e.g.

it requested. The DHCP module provides two settings for influencing the period of validity:

Maximum lease time in minutes
Here you can enter the maximum period of validity that the DHCP server assigns a host. If a host requests a validity that exceeds this maximum, it nevertheless receives no more than the maximum. The default setting is 6000 minutes (approx. 4 days).

Checking of IP addresses in the LAN
Configuration tool   Run/Table
WEBconfig            Expert Configuration > Setup / DHCP-module > Table-DHCP
Terminal/Telnet      setup/DHCP-module/table-DHCP
The DHCP table provides a list of the IP addresses in the LAN. This table contains the assigned or used IP address, the MAC address, the validity, the name of the computer (if available) and the type of address assignment.

part specifies the domain. Specifying the domain is optional within a local network. These names could thus be 'www.domain.com' or 'ftp.domain.com', for example. If there is no DNS server in the local network, all locally unknown names will be searched for using the default route. By using a DNS server, it is possible to go immediately to the correct remote station for all names with known IP addresses.

Finally, the DNS server checks whether the request is to be forwarded to another DNS server via a WAN interface (special DNS forwarding via the DNS destination table).

Initially the router checks whether a DNS server has been entered in its own settings. If it is successful there, it obtains the desired information from this server. Up to two higher-level DNS servers can be specified.
② Enter the domain in which the DNS server is located. The DNS server uses this domain to determine whether the requested name is located in the LAN. Entering the domain is optional.
WEBconfig        … > Domain
Terminal/Telnet  set domain yourdomain.com
③ Specify whether information from the DHCP server and the NetBIOS module should be used.

that are accessible via the router. With the following commands you add stations to the Host names table:
LANconfig        TCP/IP > DNS > Host names > Add
WEBconfig        … > DNS-table > Add
Terminal/Telnet  cd setup/DNS-module/DNStable
                 set mail.yourdomain.com 10.0.0.99
For example, if you would like to access the mail server at your headquarters (name: mail.yourdomain.com, IP: 10.0.0.

The DNS server may either be specified by the remote site name (for automatic setting via PPP), or by an explicit IP address of the corresponding name server.

URL blocking
① Finally, one can restrict access to certain names or domains with the filter list. To block the domain (in this case the web server) 'www.offlimits.

To block only the access of a certain computer (e.g. with IP 10.0.0.123) to COM domains, enter the following values. In console mode the command is:
set 002 *.com 10.0.0.123 255.255.255.255
The hit list in the DNS statistics contains the 64 most frequently requested names and provides a good basis for setting up the filter list.
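The filter-list matching and the hit list described above, modelled in Python as an added example that is not LANCOM code; it assumes an entry blocks a request when the name matches the wildcard pattern and the requesting client lies inside the entry's IP/netmask range, and that '0.0.0.0 0.0.0.0' stands for all stations (the constructed entry 001 and the query log are not from the manual).

```python
"""DNS filter list matching and the DNS hit list.

Added example, not LANCOM code. It models the filter-list entries the manual
shows on the console ("set 002 *.com 10.0.0.123 255.255.255.255") and the hit
list of most frequently requested names. Assumptions: a name is blocked when it
matches the wildcard pattern and the requesting client lies inside the entry's
IP/netmask range; '0.0.0.0 0.0.0.0' is taken to mean "all stations".
"""
from collections import Counter
from dataclasses import dataclass
from fnmatch import fnmatchcase
import ipaddress


@dataclass(frozen=True)
class FilterEntry:
    index: str        # e.g. "002"
    pattern: str      # e.g. "*.com"
    address: str      # e.g. "10.0.0.123"
    netmask: str      # e.g. "255.255.255.255"

    def covers_client(self, client_ip: str) -> bool:
        """True if the requesting station lies in this entry's address range."""
        network = ipaddress.ip_network(f"{self.address}/{self.netmask}", strict=False)
        return ipaddress.ip_address(client_ip) in network

    def matches_name(self, name: str) -> bool:
        """DNS names are case-insensitive; a trailing dot marks an absolute name."""
        return fnmatchcase(name.lower().rstrip("."), self.pattern.lower())


def parse_set_command(line: str) -> FilterEntry:
    """Parse a console line of the form 'set <index> <pattern> <ip> <netmask>'."""
    parts = line.split()
    if len(parts) != 5 or parts[0] != "set":
        raise ValueError(f"not a filter-list set command: {line!r}")
    ipaddress.ip_network(f"{parts[3]}/{parts[4]}", strict=False)  # validates ip and mask
    return FilterEntry(index=parts[1], pattern=parts[2], address=parts[3], netmask=parts[4])


def blocking_entry(entries, client_ip: str, name: str):
    """Return the first entry that blocks this client's request, or None."""
    for entry in entries:
        if entry.covers_client(client_ip) and entry.matches_name(name):
            return entry
    return None


def hit_list(query_log, top: int = 64):
    """Most frequently requested names, as in the DNS statistics hit list."""
    counts = Counter(name.lower().rstrip(".") for _client, name in query_log)
    return counts.most_common(top)


# Constructed filter list: entry 001 blocks one web server for all stations
# (0.0.0.0 / 0.0.0.0 assumed to mean "everyone"); entry 002 is the manual's
# example that blocks all COM domains for one computer only.
FILTER_LIST = [
    parse_set_command("set 001 www.blocked.example 0.0.0.0 0.0.0.0"),
    parse_set_command("set 002 *.com 10.0.0.123 255.255.255.255"),
]

# Constructed query log: (client IP, requested name).
QUERY_LOG = [
    ("10.0.0.123", "shop.example.com"),
    ("10.0.0.5", "shop.example.com"),
    ("10.0.0.5", "www.blocked.example"),
    ("10.0.0.123", "mail.yourdomain.com"),
    ("10.0.0.77", "intranet.yourdomain.com"),
    ("10.0.0.5", "shop.example.com"),
]


if __name__ == "__main__":
    for client, name in QUERY_LOG:
        hit = blocking_entry(FILTER_LIST, client, name)
        print(f"{client:<12} {name:<28} {'blocked by ' + hit.index if hit else 'allowed'}")
    print("hit list:", hit_list(QUERY_LOG, top=3))
```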
The current WAN IP address of a LANCOM can be retrieved under the following address: http://…/config/1/6/8/3/

Figure: Picking the current IP address out of a LANCOM

13.3 Call charge management
To reduce these costs, the software provides various options: The available online minutes can be restricted to a specific period. For ISDN connections, a limit on time or charges can be set for a particular period.

mum of 830 charge units may be used in six days. The router will not permit the establishment of any further connections once this limit has been reached. The best way to use the router's call charge monitoring function is if you have "call charge information enabled during the connection" to the ISDN network (i.e. AOCD). If necessary, subscribe to this facility from your telecommunications carrier.

13.3.3 Settings in the charge module
Configuration tool   Run/table
LANconfig            Management > Costs
WEBconfig            Expert Configuration > Setup > Charges-module
Terminal/Telnet      cd /setup/charges-module
In the charges module, the online time can be monitored and used to control call establishment.

Day(s)/Period
The duration of the monitoring period in days can be specified here.

13.4.1 Setting up the SYSLOG module
Configuration tool   Run/Table
LANconfig            Management > Log & Trace
WEBconfig            Expert Configuration > Setup > SYSLOG-module
Terminal/Telnet      cd /setup/SYSLOG-module

13.4.2 Example configuration with LANconfig
Create SYSLOG client
① Start LANconfig. Under 'Management', select the 'Log & Trace' tab. ② Turn the module on and click SYSLOG clients. ③ In the next window click Add....

shows the alignment between the internal sources of the LANCOM and the SYSLOG facilities.

Source    Meaning                                              Facility
System    system messages (boot processes, timer system etc.

Priority      Meaning                                                                    SYSLOG priority
Warning       Error messages that do not affect normal operation of the device.          WARNING
Information   All messages that are purely informative in character (e.g. accounting).   NOTICE, INFORM
Debug         Transfer of all debug messages. Debug messages generate a high data volume and interfere with the normal operation of the device.
14 Virtual Private Networks—VPN
What does VPN offer?
A VPN (Virtual Private Network) can be used to set up cost-effective connections over public IP networks, for example via the Internet. While this may sound unspectacular at first, in practice it has profound effects. To illustrate this, let's first look at a typical corporate network without VPN technology.

The central LAN has a connection to the Internet so that its users can access the Web, and send and receive e-mail. All connections to the outside world are based on dedicated lines, i.e. switched or leased lines. Dedicated lines are very reliable and secure. On the other hand, they involve high costs. In general, the costs for dedicated lines depend on the distance.

The subsidiary also has its own connection to the Internet. The RAS PCs connect to the headquarters LAN via the Internet. The Internet is available virtually everywhere and typically has low access costs. Significant savings can thus be achieved in relation to switched or dedicated connections, especially over long distances.

Routing at the IP level with VPN
IP connections must be established between routers with public IP addresses in order to link networks via the Internet. These routers provide the connections between multiple subnetworks. When a computer sends a packet to a private IP address in a remote network segment, the local router forwards the packet to the router of the remote network segment via the Internet.

the Internet. With the proper technology, third parties can monitor and even record data traffic. As the packets are encrypted by VPN, the actual content of the packets is inaccessible. Experts compare this state to a tunnel: it is open at either end, but perfectly shielded in between. Secure connections within public IP networks are thus also referred to as "tunnels".

following example illustrates a typical application that is often used in practice.

When VPN clients dial in with the appropriate client software, extended functions in the IKE handshake of LANCOM VPN allow the use of different Preshared Keys (PSKs). Other conventional VPN client connections can use only a single common PSK, a situation that is a compromise in terms of security.
In practice, LAN-LAN couplings are frequently used between company headquarters and subsidiaries, or for connections to partner companies.

Figure: LAN – Internet – LAN

A VPN-enabled router (VPN gateway) is located at either end of the tunnel. The configuration of both VPN gateways must be matched to one another. The connections are transparent for the remaining devices in the local networks, i.e. they appear to have a direct connection.

software then sets up a tunnel to the VPN gateway of the LAN using this Internet connection.

Figure: LAN of the headquarters, a remote computer with VPN client and a laptop with VPN client, connected via the Internet

The VPN gateway of the LAN must support the establishment of VPN tunnels with the VPN client software of the remote PC. 14.

of the Internet and a private one by which the computer can be reached within the local network.

Static and dynamic IP addresses
Public IP addresses must be applied for and managed, which involves costs. There is also only a limited number of public IP addresses. For this reason, not every Internet user has his or her own fixed (static) IP address. The alternative to static IP addresses are the so-called dynamic IP addresses.

static – dynamic
dynamic – dynamic

Dynamic – static
If a user on computer B in LAN 2 wishes to connect to computer A in LAN 1, then gateway 2 receives a request and tries to establish a VPN tunnel to gateway 1. Gateway 1 has a static IP address and can be directly contacted over the Internet.

Static – dynamic
If, on the other hand, computer A in LAN 1 requires a connection to computer B in LAN 2, for example when headquarters carries out remote maintenance at the external locations, then gateway 1 receives the request and attempts to establish a VPN tunnel to gateway 2. Gateway 2 only has a dynamic IP address and cannot be directly contacted over the Internet.

translation via dynamic DNS services, a solution often used with flat-rate connections. The connection setup described requires an ISDN connection at both VPN gateways, but usually no charges arise for this procedure.

Dynamic – dynamic
With LANCOM Dynamic VPN, VPN tunnels can also be set up between two gateways that both only have dynamic IP addresses.

The LLC element is not available in 1TR6, the German national ISDN. The procedure described above will therefore not work with 1TR6.

As a subaddress via the D-channel
If it is not possible to send the address via the LLC element, gateway 1 will attempt to send the address as a so-called subaddress.

address for the DNS name translation. This can be set up very conveniently with a Wizard under LANconfig (see also 'Dynamic DNS' on page 284). For reasons of security and availability, LANCOM recommends the use of Dynamic VPN in preference to dynamic DNS-based VPN solutions. Dynamic VPN is based on direct connections via the ISDN network and ensures a higher degree of availability than dynamic DNS services on the Internet.
individual computers (RAS) or the connection of structured networks will be covered subsequently.

VPN tunnel: Connections between VPN gateways
Virtual Private Networks (VPNs) are used to interconnect local networks over the Internet. This involves the routing of the private LAN IP addresses via an Internet connection between two gateways with public IP addresses.

14.5.2 Set up VPN connections with the Setup Wizard
If possible, make use of the Setup Wizard within LANconfig to set up VPN connections between local networks. The Wizard guides you through the configuration and makes all the necessary settings for you. Carry out the configuration on both routers, one after the other.

14.5.3 Inspect VPN rules
VPN rules represent a combination of various pieces of information; they are not directly defined in a LANCOM device but are compiled from a variety of sources. This is why it is not possible to inspect the VPN rules with LANconfig or any other configuration tool. Information about the current VPN rules in the device can be retrieved with the Telnet console.

Definition of the tunnel endpoints
Definition of the security-related parameters (IKE and IPSec)
Definition of the VPN network relationships, i.e. the IP address ranges to be connected. Should the IP ranges overlap at both ends of the connection, please refer to the section 'N:N mapping' on page 80.

Prepare VPN network relationships
The firewall integrated into LANCOM routers is a powerful instrument for defining source and target address ranges between which data transfer (and limitations to it) can be enabled or prohibited. These functions are also used for setting up the network relationships for the VPN rules. In the simplest case, the firewall can generate the VPN rules automatically. The local intranet serves as the source network, i.e.

When only a portion of the local intranet is to be available to the remote network, the automatic method is unsuited, as the IP address range that is open to the VPN connection would be too large.

Figure: IP: 10.1.0.1 to 10.1.0.50, net mask: 255.255.0.0; IP: 10.2.0.2 to 10.2.0.99, net mask: 255.255.0.

The firewall rules for generating VPN rules are active even when the actual firewall function in the LANCOM device is not required and is switched off! Make sure that the firewall action is set to "Transfer". Sources and targets for the connection can be entered as individual stations, certain IP address ranges, or whole IP networks.
14.5.6 Configuration with LANconfig
This section demonstrates how LANconfig can be used to configure a LAN-LAN coupling with additional subnets. VPN gateway 1 is configured first; the configuration of gateway 2 with the help of WEBconfig is demonstrated afterwards.

Figure: 10.2.0.0/16, LAN router 2: 10.1.0.2, 10.1.0.0/16, Gateway 1: gw1.dyndns.org; 10.5.0.0/16, LAN router 5: 10.4.0.5, 10.4.0.0/16, Gateway 2: gw2.dyndns.

gateway", enter the public address of the remote station: either the fixed IP address or the name for translation by DNS. ④ When using LANCOM Dynamic VPN: Change to the "Communication" configuration area. Using the "Protocols" tab, make a new entry in the PPP list.

accessible in the remote and in the local LAN. In each case, define the router as the remote VPN gateway and switch IP masquerading off. For "VPN gateway 1", the following entries are necessary so that the remote network sections can be reached.

IP address   Net mask       Router          IP masquerading
10.4.0.0     255.255.0.0    VPN gateway 2   No
10.5.0.0     255.255.0.

As a rule, it is recommended that you keep the rules used for making network relationships separate from those firewall rules that affect, for example, the services used in communications. ⑦ On the "Actions" tab for these firewall rules, set the "Packet Action" to "Transmit".

The only difference is that the source and the destination networks are swapped.

14.5.7 Configuration with WEBconfig
① Under Configuration > VPN > IKE-Param. > IKE key, set a new IKE key for the connection. ② Under Configuration > VPN > General > Connection parameters, define a new "VPN layer" for the connection parameters. Select the IKE key created earlier for this.

③ Under Configuration > VPN > Connection list, generate a new entry with the name of the remote gateway set as "Name". For the "Remote gateway", enter the public address of the remote station: either the fixed IP address or the name for translation by DNS. Be sure to activate "IP routing" and, if required, "NetBIOS over IP" (→ page 310).

accessible in the remote and in the local LAN. In each case, define the router as the remote VPN gateway and switch IP masquerading off. For "VPN gateway 2", the following entries are necessary so that the remote network sections can be reached.

IP address   Net mask       Router          IP masquerading
10.1.0.0     255.255.0.0    VPN gateway 1   No
10.2.0.0     255.255.0.0    VPN gateway 1   No
10.3.0.0     255.255.0.

"VPN-GW1-REMOTE"). Enter each subnet in the form "%A10.1.0.0 %M255.255.0.0". ⑦ Under Configuration > Firewall/QoS > Rules table, define a new firewall rule named "VPN-GW1-OUT". Set the objects to "VPN-GW1-LOCAL" and "VPN-GW1-REMOTE", the protocol to "ANY" and the action to "ACCEPT". Activate the option "VPN rule" so that the IP networks described in this rule will be used in establishing VPN network relationships.
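The network relationships that the "VPN-GW1-OUT" rule generates from its two objects, the mirrored rule for the other gateway, and the overlap check that decides whether N:N mapping is needed (see "Prepare VPN network relationships" above), as an added example that is not LANCOM code; the dict layout for a rule and the function names are assumptions, the subnets are those of the manual's LAN-LAN coupling.

```python
"""Build and check the VPN network relationships a firewall rule generates.

Added example, not LANCOM code. It parses the subnet notation the manual uses
for firewall objects ("%A10.1.0.0 %M255.255.0.0"), combines the local and
remote objects of a rule with action ACCEPT and the 'VPN rule' option into
source/destination relationships, mirrors the rule for the opposite gateway
(source and destination swapped) and flags overlapping ranges, which the
manual says require N:N mapping. The dict layout of a rule is assumed here.
"""
import ipaddress
import re

SUBNET_RE = re.compile(r"^%A(?P<addr>[\d.]+)\s+%M(?P<mask>[\d.]+)$")


def parse_subnet(entry: str) -> ipaddress.IPv4Network:
    """'%A10.1.0.0 %M255.255.0.0' -> IPv4Network('10.1.0.0/16')."""
    match = SUBNET_RE.match(entry.strip())
    if not match:
        raise ValueError(f"unsupported object entry: {entry!r}")
    return ipaddress.IPv4Network(f"{match['addr']}/{match['mask']}", strict=False)


def parse_object(entries) -> list:
    """A firewall object is a list of subnet entries, one per line in WEBconfig."""
    return [parse_subnet(entry) for entry in entries]


def network_relationships(rule: dict) -> list:
    """Source/destination pairs the rule contributes to the VPN rules.

    Only rules with action ACCEPT and the 'VPN rule' option set take part,
    as the manual describes for 'VPN-GW1-OUT'.
    """
    if rule["action"] != "ACCEPT" or not rule["vpn_rule"]:
        return []
    return [(src, dst) for src in rule["source"] for dst in rule["destination"]]


def mirrored_rule(rule: dict, name: str) -> dict:
    """The rule for the opposite gateway: source and destination swapped."""
    return {**rule, "name": name, "source": rule["destination"],
            "destination": rule["source"]}


def overlapping_relationships(relationships) -> list:
    """Pairs whose local and remote ranges overlap (these need N:N mapping)."""
    return [(src, dst) for src, dst in relationships if src.overlaps(dst)]


def covered_addresses(networks) -> int:
    """How many addresses an object exposes to the tunnel (the 'too large' check)."""
    return sum(net.num_addresses for net in networks)


# Constructed from the manual's LAN-LAN coupling: three local subnets behind
# gateway 1 and two remote subnets behind gateway 2.
VPN_GW1_LOCAL = parse_object([
    "%A10.1.0.0 %M255.255.0.0",
    "%A10.2.0.0 %M255.255.0.0",
    "%A10.3.0.0 %M255.255.0.0",
])
VPN_GW1_REMOTE = parse_object([
    "%A10.4.0.0 %M255.255.0.0",
    "%A10.5.0.0 %M255.255.0.0",
])
VPN_GW1_OUT = {
    "name": "VPN-GW1-OUT",
    "source": VPN_GW1_LOCAL,
    "destination": VPN_GW1_REMOTE,
    "protocol": "ANY",
    "action": "ACCEPT",
    "vpn_rule": True,
}


if __name__ == "__main__":
    for src, dst in network_relationships(VPN_GW1_OUT):
        print(f"{VPN_GW1_OUT['name']}: {src} -> {dst}")
    gw2_rule = mirrored_rule(VPN_GW1_OUT, "VPN-GW2-OUT")
    print(gw2_rule["name"], "first relationship:", network_relationships(gw2_rule)[0])
    print("addresses exposed by the local object:", covered_addresses(VPN_GW1_LOCAL))
    print("overlaps needing N:N mapping:",
          overlapping_relationships(network_relationships(VPN_GW1_OUT)))
```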
LANCOM Reference Manual LCOS 3.50 Chapter 14: Virtual Private Networks—VPN only difference is that the source and the destination networks are swapped. 14.5.8 Diagnosis of VPN connections If the VPN connections fail to work after the configuration of the parameters, the following diagnostic methods can be applied: The command show vpn spd on the Telnet console calls the “Security Policy Definitions”.
Chapter 14: Virtual Private Networks—VPN 14.6.1 LANCOM Reference Manual LCOS 3.50 Static/static Headquarters Branch_office LAN 10.10.2.x LAN 10.10.1.x Internet VPN tunnel Static IP address Public IP Private IP 193.10.10.1 10.10.1.1 Static IP address ISDN Public IP Private IP 193.10.10.2 10.10.2.1 A VPN tunnel via the Internet serves as the connection between the LANCOM Headquarters and branch office. Both gateways have static IP addresses. Thus, both can initiate the connection.
Chapter 14: Virtual Private Networks—VPN LANCOM Reference Manual LCOS 3.50 Headquarters has a fixed, static address. When the connection is set up, Branch office transmits its actual IP address to Headquarters. This is accomplished by a special ICMP packet (alternatively UDP, port 87).
Chapter 14: Virtual Private Networks—VPN LANCOM Reference Manual LCOS 3.50 Alternatively, this application can be solved with the help of dynamic DNS. In this constellation, the headquarters with its static IP address connects to the branch office with the help of a dynamic DNS name which is assigned to the current dynamic IP address. More information is available under ’Dynamic IP addresses and DynDNS’ →page 305.
LANCOM Reference Manual LCOS 3.50 Chapter 14: Virtual Private Networks—VPN The entries for the ISDN connection are needed for the transmission of the actual dynamic IP address solely. The Internet access wizard configures the connection to the Internet. Alternatively, this application can be solved with the help of dynamic DNS. Instead of a static IP address, a dynamic DNS name helps to find the dynamic IP address that is currently in use.
Chapter 14: Virtual Private Networks—VPN IPSec—The basis for LANCOM VPN The original IP protocol does not contain any provisions for security. Security problems are compounded by the fact that IP packets do not go directly to a specific recipient, but are sent scattershot to all computers on a given network segment. Anyone can help themselves and read the packets. This leaves the door open to the misuse of data. IP has been developed further for this reason. A secure version is now available: IPSec.
14.7.2 Alternatives to IPSec

IPSec is an open standard. It is not tied to any individual manufacturer and is developed by the IETF with input from the interested public. The IETF is a non-profit organization that is open to everyone. The broad acceptance of IPSec is the result of this open structure, which unites a variety of technical approaches. Nevertheless, there are other approaches to realizing VPNs.
These layer-2 tunnelling protocols only support end-to-end (point-to-point) connections; they are therefore not suitable for coupling entire networks. Security mechanisms at higher layers, on the other hand, do not require the slightest change to network devices or access software. And unlike protocols at the lower network layers, they remain effective once the data has arrived in the computer, because the data itself is protected rather than only its transport.
An SA is identified by three values:

- Security Parameter Index (SPI): an ID that distinguishes multiple logical connections to the same target device using the same security protocol.
- Target IP address.
- Security protocol used: designates the security protocol used for the connection, AH or ESP (further information on these protocols follows in the next sections).

An SA applies to only one communication direction of the connection (simplex); a connection that carries data in both directions therefore needs two SAs, one per direction.
In transport mode, the IP header of the original packet is left unchanged; the ESP header, the encrypted data and both trailers are inserted after it. The IP header therefore still carries the original, unencrypted IP addresses of the two end points. Transport mode can thus only be used between two end points, for example for the remote configuration of a router.
The result is a nominal key length of 168 bits, with an effective key length of 112 bits (a meet-in-the-middle attack on the three DES stages reduces the effective strength). Triple-DES combines the thoroughly analysed DES algorithm with a sufficiently long key and is therefore considered secure; it is, however, slower than other ciphers.

Blowfish

This symmetric cipher was developed by the renowned cryptographer Bruce Schneier.
The AH process in the sender

The sender generates the authentication data in three steps:

1. A checksum is calculated for the complete packet using a hash algorithm.
2. This checksum is sent through the hash algorithm once again, together with a key known to both sender and recipient.
3. The result is the required authentication data, which is inserted in the AH header.
packet. Comparing the result with the ICV received in the packet establishes the integrity and authenticity of the packet.

[Figure: IP header | AH header | Data. (1) checksum (hash code); (2) authentication data, ICV, as recomputed by the recipient; (3) authentication data, ICV, as received in the AH header; (4) identical?]

Determining the checksum for the integrity check

AH adds a checksum to each packet before it is sent in order to guarantee the integrity of the transferred packets.
Generation of the authentication data

In the second step, AH generates a new hash code from the checksum and a key; this is the final authentication data. IPSec offers a variety of standards for this step as well. LANCOM VPN supports HMAC (Hash-based Message Authentication Code). MD5 and SHA-1 are available as hash functions; the HMAC variants are accordingly known as HMAC-MD5-96 and HMAC-SHA-1-96, where "96" indicates that the HMAC output is truncated to 96 bits before it is placed in the AH header. Where both are offered, SHA-1 is the better choice today.
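The sender steps, the receiver comparison and the SA lookup by (target address, protocol, SPI) described above, carried through as an added example in Python. This is not LANCOM code: it assumes HMAC-SHA-1-96, a constructed SA database with a placeholder key, transport mode (the original IP header is kept and the AH header inserted after it), and the addresses from the figures in this chapter. The mutable IPv4 fields that routers change in transit (TOS, flags and fragment offset, TTL, header checksum) are zeroed before the HMAC is computed, which is why a packet that has crossed a router still verifies while a packet whose data was altered does not.

```python
"""AH in transport mode with HMAC-SHA-1-96: sender-side ICV generation and
receiver-side SA lookup plus verification. Added example, not LANCOM code."""
import hmac
import ipaddress
import struct

AH_PROTO = 51   # IP protocol number of AH
ICV_LEN = 12    # HMAC-MD5-96 / HMAC-SHA-1-96 truncate the HMAC to 96 bits


def ip_checksum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000, ttl,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def zero_mutable(ip_hdr: bytes) -> bytes:
    """Fields a router may change on the way (TOS, flags/fragment offset, TTL,
    header checksum) count as zero when the ICV is computed."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def ah_icv(sa: dict, ip_hdr: bytes, ah_fixed: bytes, payload: bytes) -> bytes:
    """Authentication data: HMAC with the SA's key over the whole packet, with the
    mutable fields and the ICV field itself set to zero, truncated to 96 bits."""
    msg = zero_mutable(ip_hdr) + ah_fixed + b"\x00" * ICV_LEN + payload
    return hmac.new(sa["key"], msg, sa["hash"]).digest()[:ICV_LEN]


def ah_protect(sa: dict, spi: int, seq: int, src: str, dst: str,
               next_header: int, payload: bytes) -> bytes:
    """Sender: keep the original IP header, insert the AH header, append the data."""
    payload_len_words = (12 + ICV_LEN) // 4 - 2        # AH 'Payload Len' field
    ah_fixed = struct.pack("!BBHII", next_header, payload_len_words, 0, spi, seq)
    ip_hdr = build_ipv4(src, dst, AH_PROTO, len(ah_fixed) + ICV_LEN + len(payload))
    return ip_hdr + ah_fixed + ah_icv(sa, ip_hdr, ah_fixed, payload) + payload


def ah_verify(sadb: dict, packet: bytes):
    """Receiver: select the SA by (target address, protocol, SPI), recompute the ICV
    and compare it with the one received. Returns (ok, next_header, payload)."""
    ihl = (packet[0] & 0x0F) * 4
    ip_hdr, rest = packet[:ihl], packet[ihl:]
    proto, dst = ip_hdr[9], str(ipaddress.IPv4Address(ip_hdr[16:20]))
    if proto != AH_PROTO or len(rest) < 12:
        return False, None, None
    next_header, plen_words, _, spi, _seq = struct.unpack("!BBHII", rest[:12])
    ah_total = (plen_words + 2) * 4
    received_icv, payload = rest[12:ah_total], rest[ah_total:]
    sa = sadb.get((dst, proto, spi))
    if sa is None:
        return False, None, None
    if not hmac.compare_digest(received_icv, ah_icv(sa, ip_hdr, rest[:12], payload)):
        return False, None, None
    return True, next_header, payload


def forward_hop(packet: bytes) -> bytes:
    """What an intermediate router does: decrement TTL and fix the header checksum."""
    p = bytearray(packet)
    ihl = (p[0] & 0x0F) * 4
    p[8] -= 1
    p[10:12] = b"\x00\x00"
    p[10:12] = struct.pack("!H", ip_checksum(bytes(p[:ihl])))
    return bytes(p)


# Constructed inbound SA at the headquarters (10.10.1.1); the key is a placeholder.
SPI = 0x1000ABCD
SA_IN = {"hash": "sha1", "key": b"constructed-demo-key-not-for-production"}
SADB = {("10.10.1.1", AH_PROTO, SPI): SA_IN}
PAYLOAD = b"\x08\x00\x00\x00\x00\x01\x00\x01ping"   # constructed ICMP-echo-like data


def demo():
    pkt = ah_protect(SA_IN, SPI, 1, "10.10.2.1", "10.10.1.1", 1, PAYLOAD)
    direct = ah_verify(SADB, pkt)[0]
    after_hop = ah_verify(SADB, forward_hop(pkt))[0]     # TTL changed, ICV still valid
    tampered = ah_verify(SADB, pkt[:-4] + b"pong")[0]    # data changed, ICV fails
    return direct, after_hop, tampered


if __name__ == "__main__":
    print(demo())
```

demo() returns (True, True, False): the packet verifies as sent and after a router hop, and fails once its data has been altered. A packet whose (target address, protocol, SPI) matches no SA is rejected before any hash is computed, and the ICV comparison is constant-time so that a forger learns nothing from timing.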
4. In two further messages, the devices exchange their public Diffie-Hellman values.
5. Both ends combine the values they received (by the Diffie-Hellman method) with the Shared Secret to generate a common secret key, which is then used to encrypt the subsequent communication. Diffie-Hellman itself does not encrypt anything; it only lets both sides arrive at the same key without that key ever being transmitted. Both sides additionally prove to each other that they know the Shared Secret by exchanging hash values computed with it, so a third party who has observed the Diffie-Hellman exchange but does not know the Shared Secret cannot pass the authentication.
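Steps 4 and 5 above, as an added, runnable example that is not LANCOM code: two in-process peers perform the Diffie-Hellman exchange and the pre-shared-key authentication of IKE phase 1. The key derivation (SKEYID and its three derived keys) and the HASH_I/HASH_R values follow RFC 2409 sections 5 and 5.4; the group is the 1024-bit MODP "group 2" from section 6.2 of the same RFC, with a Miller-Rabin self-check so that the constant is verified before anything depends on it. The peer identities use the public addresses from the figures in this chapter; the SA proposal bytes, cookies and nonces are constructed placeholders, and HMAC-SHA-1 is assumed as the negotiated prf.

```python
"""IKEv1 phase 1 with pre-shared-key (PSK) authentication between two in-process
peers. Added example, not LANCOM code; formulas follow RFC 2409 sections 5 and 5.4."""
import hashlib
import hmac
import ipaddress
import os
import random
from typing import NamedTuple

# RFC 2409 section 6.2, "Second Oakley Group": 1024-bit MODP prime, generator 2.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381
FFFFFFFF FFFFFFFF""".split()), 16)
G = 2
DH_LEN = 128  # group-2 values are 1024 bits = 128 bytes on the wire


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin, used to sanity-check the group constant before relying on it."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def prf(key: bytes, data: bytes) -> bytes:
    """The negotiated IKE prf; HMAC-SHA-1 is assumed here."""
    return hmac.new(key, data, hashlib.sha1).digest()


def dh_private() -> int:
    return int.from_bytes(os.urandom(DH_LEN), "big") % (P - 2) + 1


def dh_bytes(v: int) -> bytes:
    return v.to_bytes(DH_LEN, "big")


class Keys(NamedTuple):
    skeyid: bytes    # from the Shared Secret and both nonces; proves PSK knowledge
    skeyid_d: bytes  # seed for the phase-2 (IPSec SA) keys
    skeyid_a: bytes  # integrity key for later IKE messages
    skeyid_e: bytes  # encryption key for messages 5 and 6 and later IKE traffic


def derive_keys(psk, ni, nr, gxy, cky_i, cky_r) -> Keys:
    skeyid = prf(psk, ni + nr)                     # RFC 2409 5.4, pre-shared-key case
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")
    return Keys(skeyid, skeyid_d, skeyid_a, skeyid_e)


def hash_i(k: Keys, gxi, gxr, cky_i, cky_r, sai_b, idii_b) -> bytes:
    return prf(k.skeyid, gxi + gxr + cky_i + cky_r + sai_b + idii_b)


def hash_r(k: Keys, gxi, gxr, cky_i, cky_r, sai_b, idir_b) -> bytes:
    return prf(k.skeyid, gxr + gxi + cky_r + cky_i + sai_b + idir_b)


def id_ipv4(addr: str) -> bytes:
    """ID payload body: ID_IPV4_ADDR (1), protocol and port 0, then the address."""
    return bytes([1, 0, 0, 0]) + ipaddress.IPv4Address(addr).packed


class Result(NamedTuple):
    initiator_accepts: bool   # HASH_R from the responder verified
    responder_accepts: bool   # HASH_I from the initiator verified
    same_session_key: bool    # SKEYID_e identical on both sides
    same_dh_secret: bool      # g^xy identical on both sides


def phase1(psk_i: bytes, psk_r: bytes) -> Result:
    """Messages 3-6 between the branch office (initiator, 193.10.10.2) and the
    headquarters (responder, 193.10.10.1); messages 1-2 (proposal) are taken as done."""
    sai_b = b"\x00\x00\x00\x01"                    # constructed stand-in for the SA payload
    cky_i, cky_r = os.urandom(8), os.urandom(8)    # ISAKMP cookies from messages 1-2
    x_i, x_r = dh_private(), dh_private()
    gxi, gxr = dh_bytes(pow(G, x_i, P)), dh_bytes(pow(G, x_r, P))
    ni, nr = os.urandom(16), os.urandom(16)
    # messages 3-4: public values and nonces cross the wire; g^xy never does
    gxy_i = dh_bytes(pow(int.from_bytes(gxr, "big"), x_i, P))
    gxy_r = dh_bytes(pow(int.from_bytes(gxi, "big"), x_r, P))
    k_i = derive_keys(psk_i, ni, nr, gxy_i, cky_i, cky_r)
    k_r = derive_keys(psk_r, ni, nr, gxy_r, cky_i, cky_r)
    id_i, id_r = id_ipv4("193.10.10.2"), id_ipv4("193.10.10.1")
    # message 5: IDii and HASH_I (sent under SKEYID_e); responder recomputes with its PSK
    sent_i = hash_i(k_i, gxi, gxr, cky_i, cky_r, sai_b, id_i)
    resp_ok = hmac.compare_digest(sent_i, hash_i(k_r, gxi, gxr, cky_i, cky_r, sai_b, id_i))
    # message 6: IDir and HASH_R; the initiator checks it the same way
    sent_r = hash_r(k_r, gxi, gxr, cky_i, cky_r, sai_b, id_r)
    init_ok = hmac.compare_digest(sent_r, hash_r(k_i, gxi, gxr, cky_i, cky_r, sai_b, id_r))
    return Result(init_ok, resp_ok, k_i.skeyid_e == k_r.skeyid_e, gxy_i == gxy_r)
```

With the same Shared Secret on both sides, phase1() returns all four flags True. With different secrets the two Diffie-Hellman results still agree (the key exchange on its own has no idea whom it talked to) while both HASH checks fail and the session keys differ; that is exactly the protection the Shared Secret adds, and it is why the secret must be long and random, since an attacker who records the exchange can test candidate secrets against the hash values offline.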
Chapter 15: Appendix

15 Appendix: Overview of functions for LANCOM models and LCOS versions

LCOS version in which each function became available, for the models 800, 1000, 1100, I-10, 821, 1511, 1521, 1611, 1621, 1711, 3050, 3550, 4000, 4100, 6000, 6001, 6021 and 7011:

Stateful Inspection                    2.80
Intrusion Detection, DoS Protection    2.80
Extended IP QoS                        3.30
N:N-Mapping
VLAN