Specifications
34
8.5 10/100 Ethernet switch
The home office is wired with 4 Ethernet drops fed by the whole-house 10/100 hub. This turned out to be
inadequate, so the router's built-in 4-port Ethernet switch is very handy. Since a simple hub feeds the house,
the router has to have a switch, because two hubs cannot be cascaded at 100 Mbps. One port on the switch is
configured as the uplink port; it connects to the 16-port hub. The file server and office desktop connect
to the switch to take advantage of switched bandwidth. Everything else goes through the hub. This increased
the number of SOHO ports to 6, eliminating the need to pull more wire.
8.6 Virtual Private Network
Companies are using VPNs to extend the corporate network to telecommuters and business partners. In our
situation a Checkpoint firewall/VPN is used to provide secure remote access to the corporate network.
There are many ways to configure a VPN. It can be set up to tunnel everything from the remote site to the
corporate LAN; this is typically used to connect remote offices. We wanted to give employees secure
access to the corporate network without forcing all remote traffic through the VPN, which is called
split-tunnel mode. In addition, some users, such as yours truly, run home networks behind a NAT router,
which adds a level of complexity to the setup.
The preferred VPN is IPsec, as defined by the Internet Engineering Task Force (IETF). IPsec has two
security protocols: Authentication Header (AH) and Encapsulating Security Payload (ESP). AH's integrity
check covers the IP header, including the source address, so it cannot be used with NAT because the NAT
router rewrites the client's address. Mutual authentication is performed using Internet Key Exchange (IKE).
Getting this to work required updating the firmware in the SOHO router and installing newer VPN software
at the office and on the client. Now that the VPN is up and running it works without a hitch. The only minor
inconvenience is on machines configured for dialup networking: when the VPN is activated it also pops up
the dialer, even when the machine is connected to a LAN.
Depending on the type of VPN you use, the router may have to support IPsec pass-through. IPsec has a
problem similar to FTP's: even though the request originated from the local user, the server determines
which port to use for the actual session. The NAT router needs to be able to learn the association or the
session will fail. This requires the router to function as an Application Level Gateway (ALG); it has to
understand IPsec, just as it needs to understand FTP.
Split-tunnel VPN creates a security concern. The client is able to access the Internet and the corporate
network at the same time, so an attacker can relay traffic directly into the corporate LAN from a
compromised client. As a minimum each client should be running the latest antivirus software, and user
training should stress safe computing practices.
For more information refer to RFC 2709, Security Model with Tunnel-mode IPsec for NAT Domains.
VPN installation tips:
Verify the VPN software is compatible with NAT.
Verify the broadband router firmware is compatible with your VPN software.
Verify your ISP does not block VPN traffic because it is considered business use.
Make sure your IT department has configured the VPN to be NAT friendly.
If both the home network and the work network use private IP addresses, make sure no conflicts exist. The same IP address range cannot be used in both locations.
If your ISP assigns dynamic IP addresses, the network administrator cannot bind the remote VPN client to a specific IP address.
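The private-address conflict check from the tips above, as an added example that is not part of the original article: given the home LAN subnet(s) and the corporate subnets reached through the split tunnel, it reports overlapping ranges, flags any range that is not RFC 1918 private space, and picks a non-conflicting home subnet from a candidate list. The sample subnets are constructed values, not the author's actual addressing.

```python
import ipaddress
from itertools import product

# Constructed sample values for illustration (not taken from the article).
HOME_NETS = ["192.168.1.0/24"]
CORP_NETS = ["10.0.0.0/8", "192.168.0.0/16"]


def parse_nets(cidrs):
    """Parse CIDR strings into network objects; strict=False tolerates host bits being set."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def find_conflicts(home_cidrs, corp_cidrs):
    """Return (home, corp) pairs whose address ranges overlap.

    Any overlap means a host at home and a host on the corporate side could share an
    address, so the split-tunnel client cannot route to both of them unambiguously.
    """
    home = parse_nets(home_cidrs)
    corp = parse_nets(corp_cidrs)
    return [(str(h), str(c)) for h, c in product(home, corp) if h.overlaps(c)]


def non_private(cidrs):
    """Return the ranges that are not private space; the checklist assumes both sides are private."""
    return [str(n) for n in parse_nets(cidrs) if not n.is_private]


def suggest_home_net(corp_cidrs, candidates=None):
    """Return the first candidate home subnet that overlaps no corporate subnet, or None."""
    if candidates is None:
        # Hypothetical candidate list; a real one would come from the home router's options.
        candidates = ["192.168.1.0/24", "192.168.77.0/24", "172.16.50.0/24", "10.99.99.0/24"]
    corp = parse_nets(corp_cidrs)
    for cand in parse_nets(candidates):
        if not any(cand.overlaps(c) for c in corp):
            return str(cand)
    return None


if __name__ == "__main__":
    print("conflicts:", find_conflicts(HOME_NETS, CORP_NETS))
    print("non-private:", non_private(HOME_NETS + CORP_NETS))
    print("suggested home subnet:", suggest_home_net(CORP_NETS))
```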