RouteFinder ® Internet Security Appliance RF850 RF860 User Guide
Copyright and Technical Support User Guide RouteFinder RF850/860 Document Number: S000400E, Revision E This publication may not be reproduced, in whole or in part, without prior expressed written permission from Multi-Tech Systems, Inc. All rights reserved. Copyright © 2006-2009 by Multi-Tech Systems, Inc. Multi-Tech Systems, Inc.
Table of Contents
Chapter 1 – Product Description and Specifications ... 7
  Product Description ... 7
  RouteFinder Documentation ... 7
  RouteFinder Features ...
Administration > SSH ... 44
Administration > SNTP Client ... 45
Administration > Administrative Access ... 46
Administration > Change Root Password ...
Packet Filters ... 108
  Packet Filters > Packet Filter Rules ... 108
  Packet Filters > ICMP ... 110
  Packet Filters > Advanced ...
Appendix F – Ordering Accessories ... 166
  SupplyNet Online Ordering Instructions ... 166
Appendix G – Regulatory Compliance ... 167
Appendix H – License Agreements ...
Chapter 1 – Product Description and Specifications
Product Description
The RouteFinder® all-in-one security appliance is designed to maximize network security without compromising network performance. It offers a Stateful Packet Inspection firewall for the ultimate in firewall security.
Safety Warnings
Lithium Battery Caution
Danger of explosion if battery is incorrectly replaced. A lithium battery on the RouteFinder PC board provides backup power for the time-keeping capability. The battery has an estimated life expectancy of ten years. When it starts to weaken, the date and time may be incorrect. If the battery fails, send the board back to Multi-Tech for battery replacement.
Ship Kit Contents
The RouteFinder is shipped with the following:
• One Multi-Tech Systems, Inc. RouteFinder
• One external power supply with AC power cord
• RJ-45 Ethernet cable
• One printed Quick Start Guide
• Two rack mounting brackets and four mounting screws
• One RouteFinder documentation CD which contains documentation, license agreements, Adobe Acrobat Reader, and license keys.
Typical Applications
Remote User VPN. The client-to-LAN VPN application replaces traditional dial-in remote access by allowing a remote user to connect to the corporate LAN through a secure tunnel over the Internet. The advantage is that a remote user can make a local call to an Internet Service Provider, without sacrificing the company’s security, as opposed to a long distance call to the corporate remote access server.
Branch Office VPN.
Specifications
Appliance Features: Ethernet Ports; Number of Network Users; RAM; Rackmount or Standalone
Firewall Features: Stateful Packet Inspection; Anti-Virus Option; Spam Filtering; Application Proxies; Port and IP Filtering; Denial of Service Protection (DoS); Network Address Translation (NAT); Virtual Server; Intrusion/Port Scan Detection; H.
Power & Physical Description
RF850
  Power - Voltage & Frequency: 100-240V AC, 50-60 Hz
  Power Consumption: 42 Watts; +12Vdc @ 3.5A
  Physical Description: Dimensions: 12" w × 1.75" h × 8" d (30.4cm × 4.45cm × 20.3cm); Weight: 4.4 lbs. (2.0 kg)
  Operating Environment: Temperature Range: 32° to 120° F (0-50°C); Humidity: 25-85% noncondensing
  Approvals: FCC Part 68; FCC Part 15 (Class A); CE Mark; UL60950
RF860
  Power - Voltage & Frequency: 100-240V AC, 50-60 Hz
  Power Consumption: 42 Watts; +12Vdc @ 3.
Chapter 2 – Installation and Setup
System Administrator Planning
The system administrator must complete these setup requirements before installing the RouteFinder software:
• Set the correct configuration of the Default Gateway
• Install an HTTPS-capable browser (e.g.
Front Panel LEDs
LED columns: 10MB, ACT, 100MB, Disk ACT, Status, Power
10MB – WAN1, WAN2/DMZ: Lights when a successful 10Base-T Internet connection is established. LAN: Lights when a successful 10Base-T Ethernet connection is established.
ACT – WAN1, WAN2/DMZ: Blinks when it is receiving or transmitting data. LAN: Blinks when it is receiving or transmitting data.
100MB – WAN1, WAN2/DMZ: Lights when a successful 100Base-T Internet connection is established.
Cabling Procedure
Make the proper connections as illustrated in this drawing of the RouteFinder back panel.
Basic Connections
1. Using an RJ-45 Ethernet cable, connect the LAN jack to a PC, internal network switch, or hub. Note: Use a cross-over Ethernet cable if connecting to a single device.
2. Using an RJ-45 Ethernet cable, connect the WAN 1 jack to a cable modem or DSL modem connected to an Internet Service Provider.
3.
Setting up a Workstation and Starting the RouteFinder
This section of the Quick Start covers the steps for setting up TCP/IP communication on the PC(s) connected to the RouteFinder, starting up the RouteFinder, and opening the RouteFinder Web Management program.
Establish TCP/IP Communication
The RouteFinders have built-in DHCP server functionality, so you can set the PC to obtain a dynamic IP address. The following directions are for Windows 2000+/XP operating systems.
4. The Local Area Connection Properties dialog box displays.
• Select Internet Protocol [TCP/IP].
• Click the Properties button.
5. Once you click the Properties button, the following screen displays. To have your DHCP client obtain a dynamic IP address, click the button for Obtain an IP address automatically.
6. Close out of the Control Panel.
7. Repeat these steps for each PC on your network.
Open a Web Browser
Note: Be sure that the RouteFinder is cabled and that the power is connected. See the cabling drawings at the beginning of this chapter.
Bring up a Web browser on the workstation.
1. Type the default Gateway address: https://192.168.2.1
2. Press Enter
IMPORTANT: Be sure to type https (http will not work).
Note: Make sure your PC’s IP address is in the same network as the router’s IP address.
Web Management Software Opens
The Web Management software Home screen displays. This software is factory-installed on your RouteFinder. (This is a view of the top part of the Home screen.) A description of the Web Management software continues in Chapter 4. Before using the software, you may find the following information about navigating the screens and the structuring of the menus helpful.
Screen Buttons
Home – The main screen.
Wizard Setup – Change passwords and quickly set up your RouteFinder with the basic configuration that will set it up as a firewall.
Help – Describes what to do on each screen.
Logout – Logout and return to the login screen.
Chapter 3 – Configuration Using Web Management Software
Initial Configuration Step
Set Up Your Time Zone
• Click Administration on the Menu Bar. The System Setup screen displays.
Second Configuration Step – Using the Wizard Setup
Using the Wizard Setup is a quick way to enter the basic configuration parameters to allow communication between the LAN’s workstation(s) and the Internet as shown in the example below.
Important Note: An initial configuration must be completed for each type of RouteFinder function: firewall configuration, LAN-to-LAN configuration, and LAN-to-Remote Client configuration.
The Wizard Setup Screen – Configuration Example
Click on the Wizard Setup button located under the Menu Bar. The Wizard Setup screen displays. The screen establishes the firewall setup and can be used to enter initial data for other setups.
1. Enter your Administrator Email Address (can be anything). Example: admin@yourdomain.com
2. Enter your Hostname for the RouteFinder (can be anything). Example: RouteFinder.domainname.com
3.
Chapter 4 – Configuration Examples
These examples show how to configure the RouteFinder using the entire Web Management software program. The Wizard Setup utility provides a basic firewall connection, while the Web Management software allows you to configure VPN features, management features, and other options (see the menu outline in Chapter 2).
Example 1 – Setup Two RouteFinders
The example can be used for a LAN-to-LAN (branch office) setup.
Example 1, Side A
Packet Filters > Packet Filter Rules
1. Go to the Packet Filters > Packet Filter Rules screen to set the VPN client tunnel rights. The Packet Filter rights established on this screen give the client access across the tunnel to your host network.
2. In the System Defined Rules section, uncheck the Status box, if a check mark is present when setting up User Defined Rules.
3.
VPN Setup (Continued)
The Add IKE Connection screen displays. All settings can be left at the default unless otherwise indicated:
1. Connection Name: Enter in the name of the VPN tunnel you want to create. Example: Test-Tunnel
2. Secret: Enter a Secret password (which has to match on both ends of the tunnel). For this example, enter test.
3. Select Encryption: Select 3DES.
4. Local WAN IP: Select WAN.
5. Local LAN: Select LAN.
6.
Example 1, Side B
RouteFinder Setup – Side B
Networks & Services > Network
1. Log in to your RouteFinder software and go to Networks & Services > Network Configuration screen.
2. Click the Add button to open the fields for entering your network information.
3. Create a new network name for the Remote LAN by entering a Name, IP Address, and Subnet Mask. For this example, enter the following: Name: Remote-LAN; IP Address: 192.168.2.0; Subnet Mask: 255.255.255.
Packet Filters > Packet Filter Rules
1. Go to the Packet Filters > Packet Filter Rules screen to set the VPN client tunnel rights. The Packet Filter rights established on this screen give the client access across the tunnel to your host network.
2. In the System Defined Rules section, uncheck the Status box, if a check mark is present when adding User Defined Packet Filters Rules.
3.
VPN Setup (Continued)
The Add an IKE Connection screen displays. All settings can be left at the default unless otherwise indicated:
1. Connection Name: Enter in the name of the VPN tunnel you want to create. Example: TestTunnel.
2. Secret: Enter the Secret password (which has to match on both ends of the tunnel). For this example, enter test.
3. Select Encryption: Select 3DES.
4. Local WAN IP: Select WAN
5. Local LAN: Select LAN
6.
Example 2 – Set Up Two RouteFinders Behind a NAT Device
Example 2, Side A
RouteFinder Setup – Side A
Networks & Services > Networks
1. Login to your RouteFinder and go to the Networks & Services > Network Configuration screen.
2. Click the Add button to open the fields for entering the network information.
3. Create a new network name for the RF850-LAN by entering the Name, IP Address, and Subnet Mask.
Packet Filters > Packet Filter Rules
1. Go to the Packet Filters > Packet Filters Rules screen to set the VPN client tunnel rights. The Packet Filter rights established on this screen give the client access across the tunnel to your host network.
2. In the System Defined Rules section, uncheck the Status box, if a check mark is present.
3.
VPN Setup (Continued)
The Add IKE Connection screen displays. All settings can be left at the default unless otherwise indicated:
1. Connection Name: Enter a name for the VPN tunnel you want to create. For this example, enter Behind-NAT.
2. Secret: Enter the Secret password (which has to match on both ends of the tunnel). For this example, enter test.
3. Select Encryption: Select 3DES.
4. Local WAN IP: Select WAN.
5. Local LAN: Select LAN.
6.
Example 2, Side B
RouteFinder Setup – Side B
Network & Services > Network
1. Log into your RouteFinder and go to the Networks & Services > Network Configuration screen.
2. Click the Add button to open the fields for entering your network information.
3. Create a new network name for the RF850-WAN by entering the Name, IP Address, and Subnet Mask. For this example, enter the following: Name: RF850-WAN; IP Address: 65.126.90.250; Subnet Mask: 255.
Packet Filters > Packet Filter Rules
1. Go to the Packet Filters > Packet Filter Rules screen to set the VPN client tunnel rights. The Packet Filter rights established on this screen give the client access across the tunnel to your host network.
2. In the System Defined Rules section, uncheck the Status box, if a check mark is present.
3.
VPN Setup (Continued)
The Add IKE Connection screen displays. All settings can be left at the default unless otherwise indicated:
1. Connection Name: Enter the name of the VPN tunnel you want to create. For this example, enter Behind-NAT.
2. Secret: Enter the Secret password (which has to match on both ends of the tunnel). For this example, enter test.
3. Select Encryption: Select 3DES.
4. Local WAN IP: Select WAN.
5. Local LAN: Select LAN.
6.
Example 3 – Remote Client-to-LAN Configuration Using DNAT and Aliasing
Use this procedure to configure the RouteFinder with DNAT and Aliasing. This configuration allows a Windows Remote Client to Telnet through the RouteFinder to several Windows Operating Systems located on the LAN.
Remote Client-to-LAN Configuration Using DNAT and Aliasing Through the RouteFinder
1. Networks & Services > Network screen. Enter: LAN Network, 192.168.2.0, 255.255.255.
Example 4 – Client-to-LAN Configuration Using PPTP Tunneling
Use this procedure to configure the RouteFinder as a PPTP server for VPN Remote Client Access. This is also known as the PPTP Roadwarrior configuration. Note: IPX and Netbeui are not supported when using PPTP tunneling.
Remote Client-to-LAN Configuration Using PPTP Tunneling Through the RouteFinder
1. Networks & Services > Network screen. Enter: LAN Network, 192.168.2.0, 255.255.255.
Chapter 5 – URL Categorization
The Universal Resource Locator (URL) Categorization License Key allows you to set up a URL database that limits clients’ access to places on the Internet by blocking sites you do not want accessed. In other words, you can deny users access to various categories of Web sites you select.
Important Settings
• The RouteFinder must be connected to the Internet for the URL License to be activated.
2. On the HTTP Proxy > HTTP screen (see previous page), check the Status box and click Save. Important Note: Status must be checked before you can enter and activate your URL Categorization License Key.
Note About URL License Key: The URL License number must be entered on the Administration > License Key screen before the URL Categorization section of this screen displays.
5. URL Categories (Allowed/Filtered)
Click Edit for URL Categories (Allowed/Filtered). The following URL Categories screen displays. This screen allows you to choose the Web sites that you want blocked/filtered from users. Use the Filter and Allow buttons to move a URL Category from the URL Categories Allowed list to the URL Categories Filtered list, or back to the allowed list.
Chapter 6 – RouteFinder Software
This chapter describes each screen and its function in the RouteFinder software. The aim of the administrator in setting the options in the software should be to let as little as possible and as much as necessary through the RouteFinder, for both incoming as well as outgoing connections. Note: If you have not done so already, plan your network and decide which computers are to have access to various services.
Administration
Administration > System Setup
In Administration, you can set the RouteFinder general system-based parameters.
A Note About This Screen: When Logging Status is not checked, the Configure Logging section of the screen does not display.
Email Notification
Email Address: Enter the Email Address of the administrator who will receive the email notifications. Click Save. You can delete the entry and change it at any time, if desired.
Configure Email Notifications
Select the types of notifications that you want sent. Click the Add button. The name will then appear in the Send Email Notification For box. You can remove a type by clicking the Delete button. The name will then move back to the Don't Send Email Notification For box.
1. Export Backup (the backup file will be attached)
2. File Intrusion Detection (File Integrity Checks and Network Intrusions)
3.
System Time
Select the system time, time zone, and current date. Note: We do not recommend changing from summertime to wintertime and back. We suggest entering Greenwich Mean Time (GMT), regardless of your global position, especially if you operate Virtual Private Networks across different time zones.
Administration > SSH
Status and SSH Port
Initially, this screen displays with Status as the only prompt. Once Status is checked and you click Save, SSH is enabled and the other options display. The TCP port number for the SSH session is specified in the SSH Port Number field; the default is Port 22. SSH requires name resolution for the access protocol; otherwise, a time-out occurs with the SSH registration. This time-out takes about one minute.
Administration > Administrative Access
The networks and hosts that are allowed to have administrative access are selected on this screen. This is a good way to regulate access to the configuration tools.
Administrative Access - Available Networks/Hosts and Allowed Networks/Hosts
Select the networks/hosts that will be allowed administrative access.
Change Password
You should change the password immediately after initial installation and configuration, and also change it regularly thereafter. To change the password, enter the existing password in the Old Password field, enter the new password into the New Password field, and confirm your new password by re-entering it into the Confirmation entry field.
Administration > Site Certificate
Public keys are used as the encryption algorithm for security systems. For the validity of public keys, certificates are issued by a Certificate Authority that certifies the person or the entity is authenticated and that the present public key belongs to that same person or entity. On this screen, enter server certificate information, which the firewall needs to authenticate itself to your browser.
Administration > License Key
The system license key, virus scanner license key, and the URL Categorization engine license key can be configured from this screen.
Notes:
• Each RouteFinder ships with a unique individual system license key. It is a 20-digit code that is provided on the RouteFinder CD.
• The AntiVirus key can be purchased from Multi-Tech Sales Support.
License: Click the Open button for the desired license key.
Administration > Intrusion Detection
The Intrusion Detection mechanism notifies the administrator if there has been any tampering with the files on the server.
Network Options Available When Load Balancing is Enabled:
Intrusion Detection
Enable File Integrity Check: Check the box to enable File Integrity Checking.
Time Interval: Select how often you would like the system to conduct this check.
User-Defined Network Intrusion Detection Rules
Src IP Address: This selection allows you to choose the network from which the information packet must be sent for the rule to match. Network groups can also be selected. The ANY option matches all IP addresses; it does not matter whether they are officially assigned addresses or private addresses. These Networks or groups must be predefined in the Networks menu.
Administration > Tools
There are four tools that can help you test the network connections and RouteFinder functionality. Ping, Trace Route, TCP Connect, and DDNS Force Update test the network connections on the IP level. TCP Connect also tests TCP services for availability.
• For these tools to function, the ICMP on firewall function in Packet Filter > ICMP must be enabled.
PING continued
Start: After clicking the Start button, a new browser window opens with the PING statistics accumulating. Close the PING Statistics Window. A sample PING log is shown below.
Trace Route
Trace Route is a tool for finding errors in the network routing. It lists each router’s addresses on the way to remote systems. If the path for the data packets is temporarily unavailable, the interruption is indicated by asterisks (*).
TCP Connect continued
Start: Start the test connection by clicking the Start button.
A Sample TCP Connect Log
DDNS Force Update
To update the IP Address of the domain names in the DDNS server for WAN Interfaces, click the Update button. Important Note: Forcing the DDNS to update more than 5 times without a change in the IP address will result in the IP address being blocked at the DDNS server.
Administration > System Scheduler
The System Scheduler is a module built into the RouteFinder that schedules the tracking or checking of the events listed on the screen.
SMTP Proxy Scheduler for Controlling High Disk Usage
This defines the schedule period for an event to happen. It shows the Event Name, the Scheduled Period, and an option to change the schedule period.
1.
Administration > User Authentication > Local Users
In this part of the software enter local users and define their access to various proxies. External user databases can also be accessed (e.g., RADIUS servers, Windows NT servers, or Windows 2000 servers). User Authentication is useful if a user database already exists on such a server, in which case the user need not be created on the RouteFinder again.
Administration > User Authentication > RADIUS & SAM
RADIUS (Remote Authentication Dial-In User Service) is a protocol with which equipment such as an ISDN router can access information from a central server for user authentication. It also manages technical information needed for the communication of the router with the equipment of the caller.
SAM Prerequisite
In order to be able to use this authentication method, your network requires a Microsoft Windows NT or 2000 computer that contains the user information. This can be a Primary Domain Controller (PDC) or an independent server. This server has a NETBIOS name (the NT/2000 server name) and an IP address. Under the Administration menu, open User Authentication > RADIUS & SAM.
Administration > Version Information
This screen displays the number of the RouteFinder's current software and patches applied (if any).
Administration > Restart
1. Click the Restart button to shut down and restart the RouteFinder. The message Are you sure you want to restart the system? is displayed.
2.
Networks & Services
Networks & Services > Networks
A network always consists of a Name, an IP address, and a Subnet Mask address. Once you add a network, the information displays at the bottom of the screen.
Important Notes:
• The first four networks on this screen are default entries and cannot be changed.
• LAN and WAN interfaces will change if changes are made to LAN/WAN IP addresses in Network Setup.
After a successful definition, the new network is entered into the network table. This network will now be referenced in other menus under this name. You can edit and delete networks by clicking Edit or Delete in the Options column for the network you want to change. The Edit Network screen (for the network Publications, in this example) is displayed. The name of the network cannot be changed, but the IP Address and Subnet Mask can be edited.
Networks & Services > Services
On this screen you can set the RouteFinder protocol services. Protocols make ongoing administration easier and enable the configuration of user-defined services. These services are used in many of the other configuration settings on the system. A service protocol setting consists of Name, Protocol, S-Port/Client (source port), and D-Port/Server (destination port).
Editing and Deleting User-Added Services
There are options for editing or deleting the user-added services. However, there are some standard services which cannot be edited or deleted. If the service is used by the Packet Filter rules, SNAT, or DNAT, it cannot be deleted. To edit any user-defined service, click the Edit button to get the fields corresponding to the service entry.
Networks & Services > Network Groups
On this screen you can combine various networks into groups. The networks added in the screen Network & Services > Networks can be placed into groups.
Rules and Suggestions for Establishing a Network Group
• A network that is already a part of a group cannot be added to any other group.
• It is suggested that you start a group name with a G- or Group-.
Networks & Services > Service Groups
On this screen you can combine multiple Services (see Services section) into groups, called Service Groups. Service Groups are treated like single services.
Rules and Suggestions for Establishing Service Groups
• A service that is already a part of a group cannot be added to any other group.
• A service can also be deleted from a group.
• Every change made to Service Groups is effective immediately.
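The Networks, Services, Network Groups and Service Groups defined in the sections above are the building blocks that packet filter rules (Chapter 4, Packet Filters > Packet Filter Rules) and the intrusion detection Src IP Address selector refer to by name. The following added example models those objects and shows how a rule list built from them evaluates traffic: a group matches when any member matches, ANY matches every address, and an object already in one group is refused by a second. This is illustrative code written for this page, not RouteFinder software; the port-specification notation ("1024:65535", ANY), the first-match semantics with a default deny, the packet representation and all addresses and names are constructed assumptions.

```python
import ipaddress

ANY = "ANY"  # the manual's ANY option: matches every address


class Network:
    """A network as the manual defines it: Name, IP address, Subnet Mask."""

    def __init__(self, name, address, mask):
        self.name = name
        self.net = ipaddress.ip_network(f"{address}/{mask}", strict=False)

    def matches(self, ip):
        return ipaddress.ip_address(ip) in self.net


class Service:
    """A service: Name, Protocol, S-Port/Client, D-Port/Server.
    Assumed port notation: a single port ("23"), a range ("1024:65535") or ANY."""

    def __init__(self, name, protocol, s_port, d_port):
        self.name, self.protocol = name, protocol.lower()
        self.s_port, self.d_port = s_port, d_port

    @staticmethod
    def _port_ok(spec, port):
        if spec == ANY:
            return True
        lo, _, hi = spec.partition(":")
        return int(lo) <= port <= int(hi or lo)

    def matches(self, protocol, s_port, d_port):
        return (protocol.lower() == self.protocol
                and self._port_ok(self.s_port, s_port)
                and self._port_ok(self.d_port, d_port))


class Group:
    """A network group or service group; treated like a single object and
    matching when any member matches."""

    def __init__(self, name):
        self.name, self.members = name, []

    def matches(self, *args):
        return any(m.matches(*args) for m in self.members)


class GroupRegistry:
    """Enforces the manual's rule that a network or service already in one
    group cannot be added to any other group."""

    def __init__(self):
        self.owner = {}

    def add(self, group, member):
        current = self.owner.get(member.name)
        if current is not None and current != group.name:
            raise ValueError(f"{member.name} already belongs to {current}")
        self.owner[member.name] = group.name
        group.members.append(member)


class Rule:
    def __init__(self, src, service, dst, action):
        self.src, self.service, self.dst, self.action = src, service, dst, action


def _net_matches(selector, ip):
    return selector == ANY or selector.matches(ip)


def evaluate(rules, packet, default="deny"):
    """First matching rule wins; unmatched traffic falls to the default action."""
    for r in rules:
        if (_net_matches(r.src, packet["src"]) and _net_matches(r.dst, packet["dst"])
                and r.service.matches(packet["proto"], packet["sport"], packet["dport"])):
            return r.action
    return default


def build_example():
    """Constructed objects, echoing the LAN / Remote-LAN naming used in Chapter 4."""
    lan = Network("LAN", "192.168.2.0", "255.255.255.0")
    remote = Network("Remote-LAN", "192.168.3.0", "255.255.255.0")
    http = Service("HTTP", "tcp", "1024:65535", "80")
    https = Service("HTTPS", "tcp", "1024:65535", "443")
    registry = GroupRegistry()
    web, branches = Group("G-Web"), Group("G-Branches")
    registry.add(web, http)
    registry.add(web, https)
    registry.add(branches, remote)
    rules = [
        Rule(lan, web, ANY, "accept"),         # LAN clients may browse anywhere
        Rule(branches, https, lan, "accept"),  # branch office reaches the LAN over HTTPS only
    ]
    return registry, rules, remote


def demo():
    registry, rules, remote = build_example()
    pkt = lambda src, dst, dport: {"src": src, "dst": dst, "proto": "tcp", "sport": 40000, "dport": dport}
    results = {
        "lan_to_internet_https": evaluate(rules, pkt("192.168.2.10", "203.0.113.5", 443)),
        "branch_to_lan_https": evaluate(rules, pkt("192.168.3.7", "192.168.2.20", 443)),
        "internet_to_lan_telnet": evaluate(rules, pkt("198.51.100.9", "192.168.2.20", 23)),
    }
    try:
        registry.add(Group("G-Other"), remote)  # second group for the same network
        results["double_membership"] = "allowed"
    except ValueError:
        results["double_membership"] = "rejected"
    return results
```

Because groups are evaluated as a whole, adding a service to G-Web changes every rule that references the group at once, which is why the manual notes that changes to Service Groups take effect immediately and why a group name prefix such as G- helps keep that blast radius visible in the rule list.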
Proxy
While the packet filter filters the data traffic on a network level, the use of a Proxy (also called an Application Gateway) increases the security of the RouteFinder on the application level, as there is no direct connection between client and server. Every proxy can offer further security for its application protocols.
Proxy > HTTP Proxy
The HTTP Proxy is a function built into the RouteFinder to redirect HTTP requests from LAN and DMZ clients to the Internet. The HTTP proxy acts as a caching server for Web clients, supporting FTP, Gopher, and HTTP meta objects. Unlike traditional caching software, the HTTP proxy keeps metadata, especially hot objects, cached in RAM; it also caches DNS lookups.
Banner Filter: If this is enabled, the Web page banners will be filtered out before the page is forwarded to the Web client.
Java Script Filter: If this is enabled, then all the Java Script components in the Web pages will be filtered out before the page is forwarded to the Web client.
Cookie Filter: When this is enabled, then cookies in the Web pages will be filtered out before the page is forwarded to the Web client.
Proxy > HTTP Proxy > URL Categorization
Go to the main Proxy > HTTP Proxy screen (see previous page) and check the following boxes:
• Enable URL Categorization by checking the URL Filter box.
• Click the URL Categories (allowed/filtered) Edit button. The URL Categories screen displays as shown here.
URL Categories (allowed/filtered): On this screen you can change URL categories from Allowed to Filtered and vice versa.
Networks / Hosts to Bypass URL Filtering
Go to the main Proxy > HTTP Proxy screen and do the following:
• Click the Edit button for Networks / Hosts to bypass URL Filtering. The Networks / Hosts to bypass URL Filtering screen displays. On this screen, use the Add button to move a network/host name into the Bypass URL Filtering box. To remove a network/host from the bypass filter, select the name and click the Delete button.
Proxy > HTTP Proxy > Custom Filters
The URL Categories in the HTTP Proxy page allow URLs to be filtered or forwarded by the firewall. On this screen, you can configure Custom Filters. Custom filters take precedence over URL categories. You can use custom filters to build groups of filters or lists that can be filtered by networks.
Chapter 6 – RouteFinder Software Proxy > SMTP Proxy Proxy > SMTP Proxy On this screen (the full screen displays once the Status box is checked), you can configure the SMTP proxy and the Virus Protection function. The SMTP proxy acts as an email relay. It accepts email for your Internet domains and passes them on to your internal email distribution system. This can be accomplished via a Microsoft Exchange Server, for example. Emails are transparently scanned for known viruses and other harmful content.
Proxy > SMTP Proxy

SMTP Proxy Status
To enable SMTP, check the Status box and click the Save button. When enabled, the SMTP Proxy starts functioning and listens on port 25. When Status is checked, the screen expands to display the following fields.

Accepted Incoming Domains
All the domains for which the SMTP Proxy can accept emails must be listed here. The domain for which emails are accepted must be registered with the DNS server.
Proxy > SMTP Proxy

Example of SMTP Proxy
An entry Company.com covers all further sub-domains; for example, subsidiary1.Company.com and subsidiary2.Company.com. The RouteFinder must be the MX (Mail Exchanger) for Company.com. Incoming emails to non-registered domains are rejected (except for senders listed in Mail relay for, below). Confirm every registered domain by clicking the Add button.
Proxy > SMTP Proxy > SMTP SPAM Filtering

On this screen the SPAM filtering parameters can be set so that all incoming and outgoing emails sent to the internal mail server(s) will go through the SPAM filtering process.

Multi-Tech Systems, Inc.
Proxy > SMTP Proxy > SMTP SPAM Filtering

RBL Check
Real Time Black List (RBL): Check this box to block emails from the IP addresses listed in RBL sites. If emails are to be blocked, the IP address or URL of an RBL server must be entered. If you check RBL, then you will be provided with the Authentic List. Here you can configure IP addresses for which the RBL check can be bypassed.

RBL Server URL
Enter the IP address of the sites to be blocked. Then click Save.
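The following Python sketch, added here as an illustration and not part of the RouteFinder firmware or this manual, shows what an RBL check does with a connecting client's address and how the Authentic List bypass sits in front of it. The zone name rbl.example.net, the listed addresses, and the in-memory resolver are constructed for the example.

```python
"""RBL (DNS blocklist) check with an Authentic List bypass.

Added example for this section; it is not the RouteFinder's code.
A DNSBL is queried by reversing the octets of the connecting client's
IPv4 address and appending the RBL zone; an A record in 127.0.0.0/8
means "listed".  The resolver below is a constructed in-memory table so
the example runs offline; the zone name rbl.example.net and the listed
addresses are assumptions.
"""
import ipaddress
from typing import Callable, Iterable, Optional

# Constructed stand-in for DNS: query name -> A record (None = NXDOMAIN).
_FAKE_DNS = {
    "4.3.2.1.rbl.example.net": "127.0.0.2",     # 1.2.3.4 is listed
    "10.0.0.203.rbl.example.net": "127.0.0.2",  # 203.0.0.10 is listed
}


def fake_resolver(qname: str) -> Optional[str]:
    """Return the A record for qname from the constructed table."""
    return _FAKE_DNS.get(qname)


def rbl_query_name(client_ip: str, rbl_zone: str) -> str:
    """Build the DNSBL query name: reversed octets, then the zone."""
    ip = ipaddress.IPv4Address(client_ip)  # raises ValueError on bad input
    reversed_octets = ".".join(reversed(str(ip).split(".")))
    return f"{reversed_octets}.{rbl_zone}"


def rbl_decision(
    client_ip: str,
    rbl_zone: str,
    authentic_list: Iterable[str],
    resolve: Callable[[str], Optional[str]] = fake_resolver,
) -> str:
    """Return 'bypass', 'reject' or 'accept' for a connecting SMTP client.

    authentic_list holds addresses or CIDR networks whose RBL check is
    skipped (the manual's Authentic List).  The bypass is evaluated
    before the DNS lookup, so trusted peers never depend on the RBL
    being reachable.
    """
    ip = ipaddress.IPv4Address(client_ip)
    for entry in authentic_list:
        if ip in ipaddress.IPv4Network(entry, strict=False):
            return "bypass"
    answer = resolve(rbl_query_name(client_ip, rbl_zone))
    if answer is None:
        return "accept"
    # Only a 127.0.0.0/8 answer counts as a listing.  A dead or hijacked
    # zone that wildcards every name to a public address would otherwise
    # reject all mail; this check makes that failure fail open instead.
    if ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8"):
        return "reject"
    return "accept"
```

The order matters operationally: a peer on the Authentic List is never subject to RBL availability, and an answer outside 127.0.0.0/8 is treated as "not listed" rather than as a block, so a decommissioned RBL zone does not silently stop all inbound mail.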
Proxy > SMTP Proxy > SMTP SPAM Filtering

2. Asterisk (*): Stop all email from or to this domain.
   Example: All email from or to the domain abc.com will be stopped.
   *@abc.com
3. Set ([…]): Stop all email from a set such as @abc[0-9]*.com.
   Example: All email from or to the domains that include numbers in the first part of their names, such as 0, 234, or 789023, will be stopped.
   0.com
   234.com
   789023.com
4.
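Added example (Python, not the appliance's own matcher): the pattern forms described above, the asterisk and the bracketed set, translated into a matcher, together with the "@domain" form that the Recipient White List description on the POP3 SPAM Filtering page uses. The manual does not state how the RouteFinder itself tokenises a pattern, so the translation and the sample addresses are this example's assumptions.

```python
"""Address-pattern matching for the SMTP/POP3 SPAM lists.

Added example; not the RouteFinder's own matcher.  It implements the two
pattern forms the manual shows ('*' for any run of characters and a
bracketed set such as [0-9]) plus the '@domain' form from the whitelist
description.  How the appliance itself tokenises patterns is an
assumption; the sample addresses are constructed.
"""
import re
from typing import Iterable, Tuple


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a list entry into a regex: '*' -> '.*', a bracketed set
    is kept as a character class, everything else is literal (so the '.'
    in 'abc.com' matches only a dot)."""
    parts = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "*":
            parts.append(".*")
        elif ch == "[":
            end = pattern.find("]", i)
            if end == -1:
                raise ValueError(f"unterminated set in pattern {pattern!r}")
            parts.append(pattern[i:end + 1])
            i = end
        else:
            parts.append(re.escape(ch))
        i += 1
    return re.compile("".join(parts), re.IGNORECASE)


def split_address(address: str) -> Tuple[str, str]:
    """Return (local part, domain); reject input without '@' and both halves."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    return local, domain


def address_matches(pattern: str, address: str) -> bool:
    """A pattern starting with '@' is compared against the domain only
    (the manual's '@cde.com' means every address in that domain);
    any other pattern must match the whole address."""
    _, domain = split_address(address)
    regex = pattern_to_regex(pattern)
    subject = "@" + domain if pattern.startswith("@") else address
    return regex.fullmatch(subject) is not None


def is_blocked(black_list: Iterable[str], recipient_white_list: Iterable[str],
               sender: str, recipient: str) -> bool:
    """Whitelisted recipients are not checked at all (as the manual states
    for the Recipient White List); otherwise a black-list hit on either
    the sender or the recipient blocks the message."""
    if any(address_matches(p, recipient) for p in recipient_white_list):
        return False
    return any(address_matches(p, sender) or address_matches(p, recipient)
               for p in black_list)
```

Because every character outside `*` and `[...]` is escaped, the dot in `abc.com` cannot accidentally match `abcxcom`; matching is case-insensitive since mail domains are.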
Proxy > POP3 Proxy

In order to use this function, you must have a valid Antivirus Scanner license key installed. To install one, go to the Administration > License > Virus Scanner page. Use this screen to configure POP3 virus filtering-related settings. All outgoing email will go through this POP3 virus filtering process.

Note About This Screen: Initially, only the POP3 Virus Protection prompt and the Remote POP3 Virus Quarantine Status prompt display.
Proxy > POP3 Proxy > POP3 SPAM Filtering

The administrator can configure POP3 SPAM filtering and related settings on this screen. All outgoing email retrieved from the internal mail server(s) will go through this POP3 virus filtering.

POP3 SPAM Protection
Check the box to enable POP3 SPAM Protection.
Proxy > POP3 Proxy > POP3 SPAM Filtering

Recipient White List
Enter the recipient email IDs that will not be checked for SPAM. For example, if all the emails from the specific domain cde.com are not to be checked for SPAM, then the entry should be @cde.com. Once you enter the ID and click the Add button, the ID displays in a list below the entry field. You may enter more than one email ID, and each ID can be deleted.
Proxy > POP3 Proxy > Advanced Configuration

Proxy > POP3 Advanced Configuration
POP3 Advanced Configuration allows you to specify the networks to scan for POP3 traffic for Virus and Spam Filtering.

POP3 Virus / Spam Filtering
Select one of the incoming networks from the first drop-down list box. Then select ANY from the second drop-down list box. Confirm by clicking the Add button.
Proxy > SOCKS Proxy

SOCKS Proxy Status
To enable SOCKS, check the Status box. Click the Save button.

External Interface
The SOCKS Proxy uses an external interface to send outgoing requests. This is the external interface to the Internet. Select the interface that you want to use. The options are LAN, WAN, and DMZ when Load Balancing is disabled. The options are LAN, WANLINK1, and WANLINK2 when Load Balancing is enabled.
Proxy > DNS Proxy

DNS Proxy is a module used to redirect DNS requests to name servers. This module supports a caching-only name server which stores DNS entries for a specified time. When the same name is queried again, the values are taken from the cache and the response is sent by the module itself. This shortens the waiting time significantly, especially over a slow connection.
Network Setup

The Network Setup menus consist of the Interface, PPP, PPPoE, DHCP Client, Dynamic DNS, Routes, Masquerading, SNAT, and DNAT screens. With the help of DNAT and SNAT, the destination and source addresses of IP packets are converted. With Masquerading you can hide private networks from the outside world behind one official IP address.
Network Setup > Interface

Network Setup > Interfaces Screen (with Load Balancing Disabled)
Network Setup > Interface

Network Setup > Interfaces fields when Load Balancing is Enabled.

Default Gateway
A Default Gateway must be defined for the RouteFinder. A default address was set during installation. If you want to change it, enter the address in the text field using the dotted decimal format. Then click the Save button.
Network Setup > Interface

Secondary DNS Address
Enter the Secondary DNS Address, the address of the secondary DNS server to be used by the local peer through the specific interface. Then click Save. This field can be left blank. Note that a secondary DNS server cannot be configured without a primary.

Proxy ARP on Interface
Check this box to enable Proxy ARP on the interface.
Network Setup > PPP

The PPP link is used as a backup link to the WAN interface. If the PPPoE or static link goes down, the backup link will automatically come up and the system will again be connected to the ISP. On this screen you can set up PPP dial-up backup for your WAN interface.

PPP Settings
Enable PPP Dial Backup for WAN
To enable PPP Dial Backup for WAN, check the corresponding checkbox.
Network Setup > PPP

Change Your Country/Region Code
You will need to use a terminal (or run a data communications program on your computer) to communicate with the modem and issue the commands. Use the following syntax, substituting the appropriate country/region code:
1. Type AT%T19,0,nn, where nn is the country/region code in hexadecimal notation. Press Enter. OK displays.
2. Then save the changes by issuing the following command: AT&F&W. Press Enter.
3.
Network Setup > PPPoE

PPPoE (Point-to-Point Protocol over Ethernet) is a specification for connecting multiple computer users on an Ethernet local area network to a remote site through DSL or cable modems or similar devices. PPPoE can be used to let an office or building full of users share a common Digital Subscriber Line (DSL), cable modem, or wireless connection to the Internet.
Network Setup > DHCP Client

On this screen you can enable the DHCP Client (Dynamic Host Configuration Protocol). DHCP is a TCP/IP protocol that enables PCs and workstations to get temporary or permanent IP addresses out of a pool from centrally administered servers. This screen will provide user messages such as the one shown in red. Later, it will display the Current DHCP Client Status.
Network Setup > Dynamic DNS (DDNS)

Dynamic DNS allows a user to connect his PC to the Internet with a dynamic IP address and still use applications that require a static IP address.

Dynamic DNS Settings
Dynamic DNS Client
Check the box to enable the Dynamic DNS Client for this machine.
Note: If you have Load Balancing enabled, there will be two DDNS Clients: Dynamic DNS Client on WANLINK1 and Dynamic DNS Client on WANLINK2.
Network Setup > Routes

Routing information is used by every computer connected to a network to identify whether it is sending a data packet directly to the Firewall or passing it on to another network. There are two types of routes used by the firewall: interface routes, which describe routing entries for directly connected networks, and static routes, which describe routes that are to be reached through a secondary router.
Network Setup > Masquerading

Masquerading is a process which allows a whole network to hide behind one or several addresses, preventing the identification of your network topology from the outside. Masquerading lets you enter only one source network. All services are automatically included in the translation. The translation takes place only if the packet is sent via the indicated network interface.
Network Setup > SNAT

The SNAT (Source Network Address Translation) process allows attaching private networks to public networks. SNAT is used when you want a LAN using a private IP network to be connected to the Internet via a firewall. Since the private IP addresses are not routed on the Internet, you have to apply SNAT on the firewall's external interface. The firewall's internal interface serves as the default gateway for the LAN.
Network Setup > DNAT

DNAT (Destination Network Address Translation) describes the target addresses of the IP packets for DNAT rerouting. Use DNAT if you want to operate a private network behind your RouteFinder firewall and make network services that run only inside this private network available to the Internet. Note that for DNAT support, the TCP and/or UDP settings must be enabled (see Networks & Services > Services > Protocol).
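The three translations described in the Masquerading, SNAT, and DNAT sections can be pictured with a small connection-tracking model. This is an added Python illustration, not the RouteFinder's NAT code; the addresses are constructed from RFC 1918 and RFC 5737 ranges and the rule shape is the example's own.

```python
"""Model of Masquerading/SNAT and DNAT as the manual describes them.

Added example; it is not the RouteFinder's NAT implementation.  Outbound
packets from the private LAN get their source rewritten to the external
address (masquerading; SNAT lets a different public address be chosen),
inbound packets for a published service get their destination rewritten
(DNAT), and a connection-tracking table reverses each mapping on the
reply path.  All addresses are constructed from RFC 1918 / RFC 5737
ranges; the rule format is this example's own.
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class NatFirewall:
    def __init__(self, external_ip: str, internal_net: str,
                 dnat_rules: Dict[Tuple[str, int, str], Endpoint],
                 snat_ip: Optional[str] = None) -> None:
        self.external_ip = external_ip
        self.internal_net = ipaddress.ip_network(internal_net)
        # (public ip, public port, proto) -> (internal ip, internal port)
        self.dnat_rules = dnat_rules
        # Masquerading hides the LAN behind the interface address;
        # SNAT is the same rewrite with an explicitly chosen address.
        self.snat_ip = snat_ip or external_ip
        self._next_port = 40000
        # reply 5-tuple -> (address, port) to restore on that packet
        self.snat_replies: Dict[tuple, Endpoint] = {}
        self.dnat_replies: Dict[tuple, Endpoint] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> WAN.  Un-DNAT replies from a published server first;
        otherwise masquerade anything sourced from the private network."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        if key in self.dnat_replies:
            pub_ip, pub_port = self.dnat_replies[key]
            return replace(pkt, src=pub_ip, sport=pub_port)
        if ipaddress.ip_address(pkt.src) not in self.internal_net:
            return pkt
        nat_port = self._next_port
        self._next_port += 1
        out = replace(pkt, src=self.snat_ip, sport=nat_port)
        # The reply arrives with src/dst swapped relative to 'out'.
        self.snat_replies[(out.dst, out.dport, out.src, out.sport, out.proto)] = (pkt.src, pkt.sport)
        return out

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """WAN -> LAN.  Returns the translated packet, or None when the
        packet is neither a tracked reply nor aimed at a DNAT rule, which
        is how the private network stays hidden."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        if key in self.snat_replies:
            orig_ip, orig_port = self.snat_replies[key]
            return replace(pkt, dst=orig_ip, dport=orig_port)
        target = self.dnat_rules.get((pkt.dst, pkt.dport, pkt.proto))
        if target is None:
            return None
        int_ip, int_port = target
        # The server's reply will come from (int_ip, int_port) to the client.
        self.dnat_replies[(int_ip, int_port, pkt.src, pkt.sport, pkt.proto)] = (pkt.dst, pkt.dport)
        return replace(pkt, dst=int_ip, dport=int_port)
```

The point the model makes is that an unsolicited packet to a port without a DNAT rule returns `None`: nothing behind the firewall is reachable unless either an internal host initiated the flow or an administrator published the service.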
Network Setup > Load Balancing

Load Balancing distributes LAN-to-LAN traffic over two or more WAN links. This allows the amount of traffic on each line to be based on a specified weighted value so that communication can be made faster and more reliable.
Important Note: If you check Enable Load Balancing, the following message displays: Enabling Load Balancing will delete the spooling rules between WAN and DMZ.
Network Setup > Load Balancing

Subnet Mask
Enter the Subnet Mask of WANLINK1 and WANLINK2.

Important Notes about IP Address and Subnet Mask
• If the address/mask is assigned by PPPoE, a DHCP server, or through a backup link on the Internet, the address/mask cannot be edited. Similarly, if the gateway address and the DNS addresses are assigned by a PPPoE server or a DHCP server, the values cannot be edited.
Network Setup > High Availability

The High Availability module allows you to configure two RouteFinders to form a cluster to provide high availability and reliability. The two RouteFinders act in an active-standby configuration. They are set up as Master and Slave. Master provides all the services, and Slave stands by waiting to take over if Master fails. Slave then takes over all the resources and starts to serve.
Network Setup > High Availability

High Availability Configuration
Host Name and IP Address of Master / Slave
If Master was selected above, this section of the screen will request you to enter the Slave full host name or FQDN and the IP Address of the peer (in this case the Master RouteFinder).
DHCP Server

DHCP Server > Subnet Settings
DHCP (Dynamic Host Configuration Protocol) is a protocol which allows individual devices on an IP network to get their own network configuration information (IP address, subnet mask, broadcast address, etc.) from a DHCP server. The overall purpose of DHCP is to make it easier to administer a large network.
Tracking

Tracking > Accounting
The Accounting function records all packets through network interfaces. It also keeps track of the traffic from / to other IP addresses configured and sums up their byte sizes. The traffic sum for each day and the current month is calculated. This is the amount that your ISP (Internet Service Provider) will charge you for if your payment plan is based on the amount of data you transfer.
Tracking > Update Services

The purpose of this screen is to update services by downloading system upgrades from the specified update server. If you use the Update Service, your RouteFinder can be continually updated with new virus protection patterns, system patches, security features, and new features. Update resolves dependencies between modules during the update procedure.
Tracking > Update Services

System Update Server
Server Name and Directory: Enter the name or IP address of the server you want to specify as the system update server and enter the path on this server. Click the Save button.

Virus Update Server
Server Name and Directory: Enter the name or IP address of the server you want to specify as the virus database update server and enter the path on this server.
Tracking > Backup

The Backup function lets you save the RouteFinder settings on a local hard disk. With a backup file, you can set a recently installed RouteFinder to the identical configuration level as an existing RouteFinder. This is useful in case there is a problem with your new settings. Also, a new RouteFinder can be installed and the backup read in minutes. This means a replacement system can be running in a very short time.
Tracking > Backup

Import Backup from Remote Client
When a backup is taken, the backup file is sent to the administrator through email. This function is used for restoring the configuration files from a remote client. After clicking the Import button, a list of all the backup files maintained on the remote client's PC displays. Select the file you want to import and click the Get Comments button to read the comments for this file to verify that this is the file you want.
Tracking > Version Control

These settings are the configuration management system settings. All configuration files can be saved in a repository on a CVS server. There are fields for setting the IP address of the CVS server, user name, password, and the repository path. The corresponding user account and the directory structure should be created on the CVS server.

CVS Settings
User Name
Enter the name of the user for whom the account will be created.
Packet Filters

Packet Filters > Packet Filter Rules
The Packet Filter is a key element of the RouteFinder. Packet filters are used to set firewall rules which define what type of data traffic is allowed across the RouteFinder's firewall. There are certain System Defined Rules that exist by default. You can specify whether particular packets are to be forwarded through the RouteFinder system or filtered.
Packet Filters > Packet Filter Rules

System Defined Rules
These rules define a set of common application services that are allowed outbound access through the RouteFinder's WAN interface. The software defines a default Service Group called default_outbound. Services under default_outbound are FTP, TELNET, SMTP, DNS, HTTP, POP3, IMAP, and HTTPS.

Add User Defined Packet Filter Rules
Packet filter rules are created by choosing from four drop-down lists.
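An added Python illustration (not the RouteFinder's rule engine) of how a list of such rules is evaluated top to bottom. It uses the default_outbound services named above with their well-known ports; the network names, the assumption that the four lists are Source, Service, Destination and Action, the behaviour of a LOG rule (record and continue) and the implicit final drop are this example's, not the manual's.

```python
"""First-match packet filter rule evaluation.

Added example; it is not the RouteFinder's rule engine.  A rule is built
from four choices (source network, service, destination network,
action); the service table and the default_outbound group use the
well-known ports for the services the manual lists.  The network names,
the LOG-then-continue behaviour and the implicit final drop are
assumptions of this example.
"""
import ipaddress
from typing import Dict, List, NamedTuple, Tuple


class Service(NamedTuple):
    proto: str
    port: int


class Packet(NamedTuple):
    src: str
    dst: str
    proto: str
    dport: int


class Rule(NamedTuple):
    source: str
    service: str
    destination: str
    action: str  # ACCEPT, DROP or LOG


SERVICES: Dict[str, List[Service]] = {
    "FTP": [Service("tcp", 21)], "TELNET": [Service("tcp", 23)],
    "SMTP": [Service("tcp", 25)], "DNS": [Service("udp", 53), Service("tcp", 53)],
    "HTTP": [Service("tcp", 80)], "POP3": [Service("tcp", 110)],
    "IMAP": [Service("tcp", 143)], "HTTPS": [Service("tcp", 443)],
}
SERVICE_GROUPS = {
    "default_outbound": ["FTP", "TELNET", "SMTP", "DNS", "HTTP", "POP3", "IMAP", "HTTPS"],
}
# Constructed network definitions (what Networks & Services > Networks would hold).
NETWORKS = {
    "Any": "0.0.0.0/0",
    "LAN": "192.168.100.0/24",
    "DMZ_web": "10.10.10.5/32",
}
# Constructed rule set: log then accept web traffic to the DMZ host,
# allow the LAN the default_outbound services, drop everything else.
SAMPLE_RULES = [
    Rule("Any", "HTTP", "DMZ_web", "LOG"),
    Rule("Any", "HTTP", "DMZ_web", "ACCEPT"),
    Rule("LAN", "default_outbound", "Any", "ACCEPT"),
]


def expand_service(name: str) -> List[Service]:
    """A service group flattens to the services it contains."""
    if name in SERVICE_GROUPS:
        return [s for member in SERVICE_GROUPS[name] for s in SERVICES[member]]
    return SERVICES[name]


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    src_ok = ipaddress.ip_address(pkt.src) in ipaddress.ip_network(NETWORKS[rule.source])
    dst_ok = ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(NETWORKS[rule.destination])
    svc_ok = Service(pkt.proto, pkt.dport) in expand_service(rule.service)
    return src_ok and dst_ok and svc_ok


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, List[str]]:
    """Walk the rules top to bottom.  ACCEPT/DROP end evaluation; LOG
    records a line and continues, so a LOG rule is placed just above the
    ACCEPT or DROP it should account for.  No match -> DROP."""
    log: List[str] = []
    for rule in rules:
        if not rule_matches(rule, pkt):
            continue
        if rule.action == "LOG":
            log.append(f"LOG {pkt.proto} {pkt.src} -> {pkt.dst}:{pkt.dport} "
                       f"(rule {rule.source}/{rule.service}/{rule.destination})")
            continue
        return rule.action, log
    return "DROP", log
```

Note that a LAN host reaching a destination on a port outside default_outbound (RDP on 3389, say) falls through every rule and is dropped without a log line; if such drops should be visible, a final `Rule("Any", ..., "Any", "LOG")` covering the service has to be added explicitly.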
Packet Filters > ICMP

ICMP (Internet Control Message Protocol) is necessary to test network connections and to test the functionality of your firewall. It is also used for diagnostic purposes. ICMP-forwarding and ICMP-on-firewall always apply to all IP addresses ("Any"). When these are enabled, all IPs can ping the firewall (ICMP-on-firewall) or the network behind it (ICMP-forwarding).
Packet Filters > Advanced

On this screen you can configure the advanced packet filter settings.

H.323 Packets Passthrough
Check this box to enable the forwarding of H.323 packets across the firewall. Click Save.

PPTP Packets Passthrough
Check this box to enable PPTP packet passthrough (PPTP NAT support). Click Save. This includes two features:
1. Server behind the firewall and client on the Internet. DNAT of PPTP packets.
2.
Packet Filters > Advanced

Allow Strict TCP Connection Passthrough
TCP Strict
By default, packets with invalid flag combinations or TCP sequence numbers passing via the RouteFinder will be dropped. Check the TCP Strict box and click the Save button to allow these packets to pass through instead of being dropped. To maintain the Strict TCP connection default, do not check this box.
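What "invalid flag combinations or TCP sequence numbers" means in practice is shown by the added Python check below; it is an illustration, not the RouteFinder's connection tracker. The header bytes are constructed, and the sequence-window test is deliberately simplified.

```python
"""Checks behind a strict-TCP setting: flag combinations and sequence window.

Added example, not the RouteFinder's connection tracker.  invalid_flag_reason
names the combinations that no legitimate TCP stack emits; seq_in_window
is a deliberately simplified window test with 32-bit wrap-around.  The
header bytes produced by build_header are constructed for the example.
"""
import struct
from typing import Optional, Tuple

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
SEQ_SPACE = 1 << 32


def build_header(flags: int, seq: int, ack: int = 0,
                 sport: int = 40000, dport: int = 80) -> bytes:
    """Minimal 20-byte TCP header (checksum left zero) as test input."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)


def tcp_flags(header: bytes) -> int:
    """The flag byte is at offset 13; the CWR/ECE bits are masked off."""
    return header[13] & 0x3F


def tcp_seq(header: bytes) -> int:
    return struct.unpack("!I", header[4:8])[0]


def invalid_flag_reason(flags: int) -> Optional[str]:
    """Return why a flag combination is invalid, or None if it is sane."""
    if flags == 0:
        return "no flags set (null scan)"
    if flags & SYN and flags & FIN:
        return "SYN and FIN set together"
    if flags & SYN and flags & RST:
        return "SYN and RST set together"
    if flags & FIN and not flags & ACK:
        return "FIN without ACK (covers the FIN/PSH/URG 'xmas' combination)"
    if flags & (PSH | URG) and not flags & (ACK | SYN):
        return "PSH/URG without ACK"
    return None


def seq_in_window(seq: int, expected: int, window: int) -> bool:
    """True if seq lies within 'window' of the expected sequence number in
    either direction, modulo 2**32 (retransmissions sit slightly behind,
    new data slightly ahead).  A real tracker uses both ends' windows."""
    ahead = (seq - expected) % SEQ_SPACE
    behind = (expected - seq) % SEQ_SPACE
    return ahead < window or behind <= window


def strict_verdict(header: bytes, expected_seq: Optional[int],
                   window: int = 65535) -> Tuple[str, Optional[str]]:
    """'pass' or 'drop' plus the reason the strict check would give.
    expected_seq is None for a connection the tracker has not seen yet;
    only a bare SYN is acceptable there."""
    flags = tcp_flags(header)
    reason = invalid_flag_reason(flags)
    if reason:
        return "drop", reason
    if expected_seq is None:
        if flags & SYN and not flags & ACK:
            return "pass", None
        return "drop", "non-SYN packet for an untracked connection"
    if not seq_in_window(tcp_seq(header), expected_seq, window):
        return "drop", "sequence number outside the tracked window"
    return "pass", None
```

Leaving TCP Strict at its default keeps exactly these packets out of the internal network; unchecking it is only sensible when a known application behind the firewall needs an out-of-window segment to pass, and the log on the Packet Filter screen should then be watched for the combinations above.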
Packet Filters > Enable/Disable Log

On this screen you can enable/disable RouteFinder firewall logging. Prerequisite: Enable Logging on the Administration > System Setup > System Logging screen.
Packet Filters > QoS

QoS (Quality of Service) addresses the issue of providing guaranteed service on the basis of priority. When a packet enters an interface, depending on the bandwidth available, the packet is either dropped or sent. In other words, it is based on a "best effort" mechanism. IP does not provide a facility to either drop or send packets based on priority; it treats every packet the same.
Packet Filters > QoS

QoS on Firewall
QoS Status
Check the Status box to enable Quality of Service on the three interfaces: LAN, WAN, and DMZ. Then click the Save button. Clicking Save causes the entire screen to display.

Show QoS Log
Show QoS Firewall Rules in Popup Window: Click the Show button to view the QoS IP table rules.

Uplink Bandwidth
The bandwidth available to be shaped is configured here by entering the value in Kbits. Click Save.
VPN (Virtual Private Networks)

VPN > IPSec
Introduction to Virtual Private Networks
A Virtual Private Network (VPN) is useful in situations where information is sent and received via the Internet and it is important that no third party can read or change that information. Such a connection is secured via VPN software that is installed at both ends of the connection.
VPN > IPSec > Add IKE Connection

Add an IKE Connection
The IKE protocol automatically negotiates protocols and encryption algorithms, and it automates the exchange of keys.

Add IKE Connection
Connection Name
Enter a text name that will identify the connection for you.

Compression
Check the compression checkbox to enable IPCOMP, the compression algorithm.
VPN > IPSec > IKE

IKE Life Time
The duration for which the ISAKMP SA should last, from successful negotiation to expiration. The default value is 3600 seconds and the maximum is 28800 seconds.

Key Life
The duration for which the IPSec SA should last, from successful negotiation to expiration. The default value is 28800 seconds and the maximum is 86400 seconds.

Number of Retries
Specify the number of retries for the IPSec tunnel. Enter zero for unlimited retries.
VPN > IPSec > Manual

Add a Manual Connection
Add Manual Connection
Connection Name
Enter a text name that will identify the connection for you.

Compression
Check the compression checkbox to enable IPCOMP, the compression algorithm.

Authentication Method
Decides the encryption and authentication algorithms to be used for the respective security services. Options are:
Authentication only:
1. AH using MD5 – 128 bit key
2. AH using SHA1 – 160 bit key
Encryption only:
1.
VPN > IPSec > Manual

ESP Encryption Key (Espenckey) - The VPN firewall box uses 3DES as its encryption algorithm. 3DES uses a 192 bit hexadecimal number as its encryption key.
ESP Authentication Key (Espauthkey) - The VPN firewall could use either MD5 or SHA1 for ESP authentication:
MD5 - 128 bit key example: 0x0123456789012345678901234567890ab.
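Before pasting manual keys into this screen it is worth checking them against the lengths given here. The Python check below is an added example, not the RouteFinder's own validation; the sample keys are constructed, and the 3DES subkey test reflects the fact that a repeated 64-bit subkey reduces 3DES to single DES.

```python
"""Sanity checks for manually keyed IPSec SAs before they are entered.

Added example, not the RouteFinder's validation.  It checks a hex key
against the lengths this page states (3DES 192 bits, MD5 128 bits,
SHA1 160 bits) and, for 3DES, that the three 64-bit subkeys differ:
with K1 == K2 (or K2 == K3) two of the three DES operations cancel and
the 'triple' DES collapses to single DES.  Sample keys are constructed.
"""
import string
from typing import Tuple

KEY_BITS = {"3DES": 192, "MD5": 128, "SHA1": 160}


def validate_manual_key(algorithm: str, key: str) -> Tuple[bool, str]:
    """Return (ok, reason).  key may carry the 0x prefix the manual shows."""
    algo = algorithm.upper()
    if algo not in KEY_BITS:
        return False, f"unknown algorithm {algorithm!r}"
    hexdigits = key[2:] if key.lower().startswith("0x") else key
    if not hexdigits or any(c not in string.hexdigits for c in hexdigits):
        return False, "key is not valid hexadecimal"
    expected_digits = KEY_BITS[algo] // 4
    if len(hexdigits) != expected_digits:
        return False, (f"{algo} needs {KEY_BITS[algo]} bits = {expected_digits} "
                       f"hex digits, got {len(hexdigits)}")
    raw = bytes.fromhex(hexdigits)
    if raw == bytes(len(raw)):
        return False, "key is all zeros"
    if algo == "3DES":
        k1, k2, k3 = raw[:8], raw[8:16], raw[16:]
        if k1 == k2 or k2 == k3:
            return False, "3DES subkeys repeat; effective strength is single DES"
    return True, "ok"
```

A 128-bit key is exactly 32 hex digits and a 192-bit key exactly 48; the function reports the digit count it found so a copy-and-paste slip (one digit too many or too few) is caught before the tunnel silently fails to authenticate.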
VPN > X.509 Certificates

X.509 is an International Telecommunication Union (ITU-T) and ISO certificate format standard. The last release of this standard was X.509 Version 3 in the year 1996. An X.509 certificate is a confirmation of identity that binds an entity's unique name to its public key through the use of a digital signature. It also contains the unique name of the certificate user.
VPN > IPSec Bridging

IPSec Bridging
Check the box to enable IPSec Bridging. If IPSec Bridging is enabled, this machine acts as a hub. Upon enabling IPSec Bridging, you will be given options to select the pairs of tunnels for which bridging is to be set up. See the example above.

Bridge Endpoint Setup
Configure a tunnel and two networks by selecting the From network, the To network, and the Through tunnel.
VPN > PPTP

PPTP is a tunneling protocol meant for tunneling IP/non-IP packets through the Internet. It lets you grant single specified hosts access to your network via an encrypted tunnel. PPTP is considerably easier to set up than IPSec because, if Microsoft Windows is being used, it does not require additional software on the client computer as IPSec does. Also, PPTP is part of the Microsoft Windows program.
VPN > PPTP

User Authentication
Authentication Type
Select the type of authentication to be used. Options are Local or RADIUS. Click the Save button.

User Name and Password
Enter the name (in lowercase) and password (in lowercase) of the PPTP user. Click the Add button.

Allowed Users
The names of the users entered above display in this text box. If you wish to delete a name, click the Delete button.
Wizard Setup

Wizard Setup – Screen Description
Using the Wizard Setup screen is a quick way to configure your RouteFinder. The screen contains the basic configuration input fields for setting up the RouteFinder as a firewall. If you want to configure your RouteFinder to meet your company's specific needs beyond what is covered in the Wizard, use the Web Management software.

General Settings
Administrator Mail Address
Enter the administrator's mail ID.
Wizard Setup

Packet Filter Rule
If this setting is enabled by checking the checkbox, all packets coming from the LAN will be forwarded by the firewall. If disabled, none of the packets will go through.

Modem Settings
Use this checkbox to enable/disable the modem PPP dial backup feature. If enabled, enter the User Name, Password, Serial Port, Baud Rate, Dial Number, and Initialization Strings for the backup port.
Statistics & Logs

Various log files maintained by the RouteFinder can be viewed and/or downloaded to the browser. This function provides current system information, status, and usage information. The information is valuable for troubleshooting and for monitoring the RouteFinder's operational status and overall performance.
Statistics & Logs > Uptime

Uptime tells you how long the system has been running. The first line displays the date and time the system was started. The second line displays the total time elapsed since the system was started in days, hours, minutes, and seconds.
Statistics & Logs > Networks

Network Connections
Click the Network Connections button to display the status of all current (active) network connections to or from your RouteFinder. It also shows you all of the established TCP sessions and all of the TCP and UDP ports on which the RouteFinder is listening for incoming connections. (Connections through the RouteFinder are not shown.)

TCP and UDP Connections Example
Proto: Protocol - TCP or UDP (RAW sockets are not supported).
Statistics & Logs > Networks

State: This field contains one of the following keywords:
FREE – The socket is not allocated.
LISTENING – The socket is listening for a connection request. Such sockets are only included in the output if you specify the --listening (-l) or --all (-a) option.
CONNECTING – The socket is about to establish a connection.
CONNECTED – The socket is connected.
DISCONNECTING – The socket is disconnecting.
Statistics & Logs > Interfaces

The information displayed under each option shows the network traffic on each interface (LAN, WAN, DMZ) delineated by days, weeks, months, and years. Interfaces must be added on the Tracking > Accounting screen.

Network Traffic Overview - LAN – WAN – DMZ
Click the LAN Traffic button for a graphical overview of network traffic on the LAN interface.
Statistics & Logs > Accounting

This report gives the details of the amount of data transferred in bytes through the system on every interface (LAN, WAN, DMZ). The Accounting function records all the IP packets on the external network cards and sums up their sizes. Each day's total is calculated once a day. Additionally, the number of bytes of data is calculated for each month.
Statistics & Logs > IPSec

IPSec Live Log
Click the IPSec Live Log button to display information about initialization, encryption/decryption messages, route manipulation, IPSec/IKE interaction, and IKE processing messages.

IPSec Live Connections
Click the IPSec Live Connections button to display real-time VPN statistics about active VPN routes and connections.
Statistics & Logs > Packet Filter

This report shows the RouteFinder firewall logs for various types of packets. The type and number of packets to be displayed can be configured. You can also select the refresh rate of the log display. In the Packet Filter > Packet Filter Rules page, if there is any user-defined filter with Action as LOG, the packets matching the corresponding source address and service will be logged.
Statistics & Logs > Port Scans

The Port Scans screen displays the information gathered by the Network Intrusion Detection module, which guarantees the integrity of the system by watching and logging stealth port scans and suspicious packets. The system administrator will receive emails every hour if such packets are received.
Statistics & Logs > HTTP Access

HTTP Access reports provide a clear picture of "where" your users are going on the Internet.

Generate HTTP Access Reports
From this screen you can generate and view HTTP Access and Reject Reports. When you click the Generate the HTTP Access Reports button, the following screen displays. A similar screen for reject reports displays when you click the corresponding button.

Generate HTTP Reject Reports
1.
Statistics & Logs > DHCP

This live log gives information about the DHCP leases that have been provided so far. Click the DHCP Live Log button to view this log.
Statistics & Logs > QoS

This screen displays the bandwidth utilization of WAN, DMZ, and LAN when Load Balancing is disabled. When Load Balancing is enabled, Bandwidth Utilization displays for WANLINK1, WANLINK2, and LAN. The graphs display daily, weekly, monthly, and yearly bandwidth utilization.

Statistics & Logs > DDNS Log
This screen provides information about the updating of the domain name or IP Address.
Chapter 7 – User Authentication Methods

While you can restrict access of your internal clients to proxy services at the IP level by using packet filter rules, you will run into problems when you use a dynamic IP configuration protocol like DHCP or BOOTP internally. That's where Proxy User Authentication steps in.
Scenario 3: "Microsoft-style Windows Network - not all valid users able to use proxy services"
You are running a Windows Domain controller or a standalone server on your network holding User Accounts. Typically, this is also the case if you are running MS Exchange on your network, but not all of your users should be able to use proxy services. You should use RADIUS user authentication with Microsoft's IAS (Internet Authentication Server).
Choose Grant Remote Access Permission in the next screen. Edit the profile on the next screen. Select the Authentication Tab. Check Unencrypted Authentication (PAP).
10. Click OK and Finish. Remember you need one policy for each proxy service.
11. Configure the RADIUS authentication method on the RouteFinder (use the IP of the IAS server and the shared secret). Use the RADIUS authentication method settings in User Authentication > RADIUS & SAM.
12.
Chapter 8 – Frequently Asked Questions (FAQs)

Q1. Where is the RouteFinder installed on the network?
A1. In a typical environment, the RouteFinder is installed between the internal network and an external network. Refer to Chapters 1 and 2 of this manual for more information.

Q2. If DMZ is used, does the exposed user share the public IP with the Router?
A2. Yes.

Q3.
A3.
Q6. Is it possible to have multiple IPs assigned to the external interface, and then have multiple internal Web servers?
A6. Yes, that is possible. You have to be sure that the requests reach the RouteFinder, and then you can use DNAT to redirect them to the Web servers. You don't need to bind those IP addresses to the external interface, as long as they are routed to the RouteFinder. The problem is that the IP packets have to reach the interface.
Q8. How do I set up RouteFinder Masquerading?
A8. Configure Masquerading in WebAdmin:
1. Define Interfaces in Network Setup > Interface. Here you define your Network Interface settings as well as your default gate	way, for example:
   LAN Internal: 192.168.100.1/255.255.255.255
   WAN External: 194.162.134.10/255.255.255.128
   Gateway: 194.162.134.1/255.255.255.128
2. Define Network definitions in Networks & Services > Networks.
Q15. I want to use DNAT with multiple original IPs, but my external NIC has just one IP. How can I do this?
A15. Make sure that the request reaches the RouteFinder, and then use DNAT to redirect the request to the Web servers. There are two ways to do this:
1. Bind an alias to the external interface, so that it answers ARP requests for this address and the packets are sent to the MAC address of this NIC.
Q19. Does SOCKS handle UDP?
A19. SOCKS V5 does; SOCKS V4 does not. NEC's SOCKS V5 Reference Implementation includes a socksified archie client program that is a UDP application.
Q20. How does SOCKS interact with DNS?
A20. For SOCKS version 4.2 and earlier, SOCKS V4 clients MUST resolve local and Internet host IP addresses. Configure DNS so that the SOCKS clients' resolver can resolve the addresses. Multiple DNS servers require special arrangements.
Chapter 9 – Troubleshooting
Before you call Technical Support, check the following:
1. Review the RouteFinder FAQs in the previous chapter.
2. Verify that the pre-installation requirements are met. Refer to Chapter 2 of this manual.
3. Verify that the Administration PC requirements are met (correct Default Gateway configuration, an HTTPS-compatible browser, JavaScript and Cascading Style Sheets enabled, and proxies disabled in the browser).
4.
9. Observe the RouteFinder front panel LEDs. Verify that the LAN, WAN, and/or DMZ LEDs indicate proper RouteFinder operation in terms of Ethernet LINK integrity, transmit/receive activity (ACT LED), and speed (100 MB/10 MB). Refer to the front panel LEDs description in Chapter 1 of this manual.
10.
Appendix A – Disposition of Events for the RouteFinder v3.xx
For ICSA Certification Based on The Modular Firewall Certification Criteria Baseline module - version 4.0
Revision History
Date          Revision   Remarks/Changes
16-Aug-2004   R1         Baseline document
I. Abstract
Disposition of Events
The LVPN RouteFinder 3.2x provides logging capabilities for various types of access requests to the product. The logging is classified as follows:
• Inbound Access Requests (LO1.
Access Requests through Firewall Violating Security Policy
An access request that traverses the firewall (is routed through it) but has to be dropped because of a security restriction is logged as Through Firewall Dropped. Access requests logged as Access Request through Firewall Violating Security Policy correspond to LO1.C of Baseline module - version 4.0, ICSA Labs. Figure 7 shows a snapshot of Through Firewall Dropped.
9. kernel: mtrfThFWcon – Denotes connection-tracked packets through the firewall.
10. kernel: mtrfFragDrop – Denotes dropped fragmented packets.
The following fields are present in the log message for the packet logged:
11. IN – Incoming network interface name
12. OUT – Outgoing network interface name
13. MAC – Destination MAC address
14. SRC – Source IP address
15. DST – Destination IP address
16. LEN – Header Length (in bytes)
17. TOS – Type of service
18.
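To make the fields above concrete, here is a small Python parser, added as an illustration and not code from the RouteFinder, for the two log layouts this appendix shows: a kernel line carrying a log prefix such as mtrfThFWcon or mtrfFragDrop followed by KEY=VALUE fields, and the bracketed "Outbound [SRC=...:DST=...:SPORT=...:DPORT=...]" summary quoted in the Figure 6 remarks. The sample lines are constructed; the PROTO, SPT and DPT fields that follow TOS in them are standard netfilter LOG fields assumed here, since the manual's field list is cut off after TOS, and the function and class names are the example's own.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Prefixes named in Appendix A (items 9 and 10). Any other prefix is kept
# verbatim and reported as "unlisted" rather than guessed at.
KNOWN_PREFIXES = {
    "mtrfThFWcon": "connection-tracked packet through the firewall",
    "mtrfFragDrop": "dropped fragmented packet",
}

# "... kernel: <prefix> KEY=VALUE KEY=VALUE ..."
KERNEL_RE = re.compile(r"kernel:\s+(?P<prefix>\S+)\s+(?P<fields>.*)$")
# "Outbound [SRC=a:DST=b:SPORT=c:DPORT=d]" as in the Figure 6 remarks
OUTBOUND_RE = re.compile(r"\bOutbound\s+\[(?P<fields>[^\]]*)\]")
KV_RE = re.compile(r"([A-Z]+)=(\S*)")                # value may be empty, e.g. "OUT="
BRACKET_KV_RE = re.compile(r"([A-Z]+)=([^:\]\s]*)")  # ':' separates fields here


@dataclass
class LogEntry:
    kind: str                      # "kernel" or "outbound"
    prefix: str                    # e.g. mtrfFragDrop, or "Outbound"
    meaning: str
    fields: Dict[str, str] = field(default_factory=dict)
    flags: List[str] = field(default_factory=list)   # bare tokens such as DF


def parse_line(line: str) -> Optional[LogEntry]:
    """Return a LogEntry for a recognised packet-log line, None otherwise."""
    m = KERNEL_RE.search(line)
    if m:
        body = m.group("fields")
        prefix = m.group("prefix")
        fields = dict(KV_RE.findall(body))
        flags = [tok for tok in body.split() if "=" not in tok]
        return LogEntry("kernel", prefix, KNOWN_PREFIXES.get(prefix, "unlisted prefix"),
                        fields, flags)
    m = OUTBOUND_RE.search(line)
    if m:
        return LogEntry("outbound", "Outbound", "outbound log",
                        dict(BRACKET_KV_RE.findall(m.group("fields"))))
    return None


def summarize(lines: List[str]) -> Dict[str, int]:
    """Count entries per log prefix; lines that are not packet logs are ignored."""
    counts: Counter = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry:
            counts[entry.prefix] += 1
    return dict(counts)


# Constructed sample lines in the layout this appendix describes (not real captures).
SAMPLE_LOG = [
    "Jan 10 12:00:01 routefinder kernel: mtrfThFWcon IN=eth1 OUT=eth0 "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.212 "
    "DST=195.220.108.108 LEN=60 TOS=0x00 DF PROTO=TCP SPT=32823 DPT=21",
    "Jan 10 12:00:02 routefinder kernel: mtrfFragDrop IN=eth0 OUT= "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=204.26.122.9 "
    "DST=204.54.39.103 LEN=1500 TOS=0x00 PROTO=UDP",
    "Jan 10 12:00:03 routefinder Outbound "
    "[SRC=192.168.1.212:DST=195.220.108.108:SPORT=32823:DPORT=21]",
    "Jan 10 12:00:04 routefinder sshd[412]: Accepted password for admin",  # not a packet log
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(parse_line(line))
    print(summarize(SAMPLE_LOG))
```

Feeding an exported log through summarize() gives a quick per-prefix count, so a sudden rise in mtrfFragDrop entries or in dropped through-firewall traffic stands out without reading every line.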
Figure 2 – Snapshot of Inbound Access Log
Description of Figure 2: The access request originating from source 204.26.122.9 to destination 204.54.39.103 is accepted by the candidate firewall and classified as Inbound Accepted.
Inbound Access (DNAT with Connection Tracking)
Figure 3 – Inbound Access (DNAT with Connection Tracking)
Description of Figure 3: The access request originating from source 204.26.122.9 to destination 204.54.39.
III. Outbound Access Log
Figure 4 – Outbound Access
Figure 5 – Snapshot of Outbound Access Log
Figure 6 – Snapshot of Outbound Access Log (with Connection Tracking)
Description of Figure 6: The FTP access request originates from source 192.168.1.212 [SlNo 2] to destination 195.220.108.108. The figure illustrates a capture of the FTP service.
• SlNo 4 corresponds to the PASV data connection originating from 192.168.1.212 and destined to 195.220.108.108.
Remarks: "Outbound [SRC=192.168.1.212:DST=195.220.108.108:SPORT=32823:DPORT=21]"
  o Outbound – Outbound Log
  o [SRC=192.168.1.212:DST=195.220.108.108:SPORT=32823:DPORT=21] – This is the CONTROL connection information for this data connection.
IV. Access Requests through Firewall Dropped
Figure 7 – Snapshot of Through Firewall Dropped Log
V.
VII. Admin Port Access Log
Figure 11 – Snapshot of Admin Port Access Log
VIII. Startup History Log
Figure 12 – Snapshot of Startup History
IX. User Log
Figure 13 – Snapshot of User Log
X. Fragmented Dropped Log
Figure 14 – Snapshot of Fragmented Dropped Log
XI. ICMP Information
Figure 15 – Snapshot of Log with ICMP Information
Appendix B – The RouteFinder Rescue Kernel
What Is a Rescue Kernel?
The Rescue Kernel is a software program that allows you to reinstall the RouteFinder software without connecting the CD-ROM drive and using the RouteFinder software CD. With the Rescue Kernel you can configure the WAN IP and default gateway, and you can perform everything remotely without having to be onsite.
Three Methods for Performing the Software Reinstallation Using Rescue Kernel
Method 1 – This method uses no external server.
Method 2 – This method uses an external FTP server.
Method 3 – This method can be used if Methods 1 and 2 fail.
Method 1 – How to Perform the Install Using No External Server
Assumptions: Your RouteFinder still has SSH access and you are still able to copy files onto the RouteFinder box.
Method 2 – How to Perform the Install Using an External FTP Server
Assumptions: Your workstation is on IP address 192.168.2.2. The LAN port of the RouteFinder is on IP address 192.168.2.1.
1. Connect a workstation via Ethernet to the LAN port of the RouteFinder box.
2. Create an FTP server on the workstation and copy the RouteFinder ISO image file onto the FTP server root directory. Set up the FTP server with anonymous access.
Method 3 – How to Perform the Install If the Other Methods Fail or If the File Systems Are Corrupted
Use this method if Methods 1 and 2 have failed or if the file systems are totally corrupted and the RouteFinder can boot only with the Rescue Kernel.
1. Set up an external FTP server. Refer to the steps above in Method 2.
2. Connect a monitor and keyboard to the RouteFinder box.
Appendix C – Table of Commonly Supported Subnet Addresses
This table lists commonly supported subnets, organized by address, for the masks 255.255.255.128 (/25), 255.255.255.192 (/26), 255.255.255.224 (/27), 255.255.255.240 (/28) and 255.255.255.248 (/29). N.N.N stands for the first three octets of the network.

255.255.255.128 /25
Network Number   Hosts Available    Broadcast Address
N.N.N.0          N.N.N.1-126        N.N.N.127
N.N.N.128        N.N.N.129-254      N.N.N.255

255.255.255.192 /26
Network Number   Hosts Available    Broadcast Address
N.N.N.0          N.N.N.1-62
N.N.N.64         N.N.N.65-126
N.N.N.128        N.N.N.129-190
N.N.N.192        N.N.N.
255.255.255.248 /29 (continued)
Network Number   Hosts Available    Broadcast Address
N.N.N.192        N.N.N.193-198      N.N.N.199
N.N.N.200        N.N.N.201-206      N.N.N.207
N.N.N.208        N.N.N.209-214      N.N.N.215
N.N.N.216        N.N.N.217-222      N.N.N.223
N.N.N.224        N.N.N.225-230      N.N.N.231
N.N.N.232        N.N.N.233-238      N.N.N.239
N.N.N.240        N.N.N.241-246      N.N.N.247
N.N.N.248        N.N.N.249-254      N.N.N.255

255.255.255.252 /30
Network Number: N.N.N.0 N.N.N.4 N.N.N.8 N.N.N.12 N.N.N.16 N.N.N.20 N.N.N.24 N.N.N.28 N.N.N.32 N.N.N.36 N.N.N.40 N.N.N.44 N.N.N.48 N.N.N.52 N.N.N.56 N.N.N.60 N.N.N.
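Because the extracted table is incomplete, here is a Python script, added as an example and not part of the manual, that regenerates the Appendix C rows for any mask from /25 to /30 and also computes the broadcast address for a concrete network and mask, which is the same calculation the glossary's Broadcast entry illustrates with 212.6.145.0 and 255.255.255.240. Nothing here is RouteFinder-specific; N.N.N stands for the first three octets exactly as in the table, and the function names are the example's own.

```python
import ipaddress
from typing import List, Tuple

Row = Tuple[str, str, str]   # (network number, hosts available, broadcast address)


def mask_to_prefix(mask: str) -> int:
    """Convert a dotted mask such as 255.255.255.240 to its prefix length (/28).
    A non-contiguous mask (for instance one with a mistyped octet) is rejected."""
    octets = [int(o) for o in mask.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad mask {mask!r}")
    bits = "".join(f"{o:08b}" for o in octets)
    if "01" in bits:                       # a one must never follow a zero
        raise ValueError(f"non-contiguous mask {mask!r}")
    return bits.count("1")


def subnet_rows(prefix_len: int, base: str = "N.N.N") -> List[Row]:
    """All subnets of the given length inside one /24, laid out like Appendix C:
    network number, usable host range, broadcast address."""
    if not 25 <= prefix_len <= 30:
        raise ValueError("table covers /25 through /30 only")
    size = 2 ** (32 - prefix_len)          # addresses per subnet: 128 down to 4
    rows = []
    for net in range(0, 256, size):
        bcast = net + size - 1
        rows.append((f"{base}.{net}", f"{base}.{net + 1}-{bcast - 1}", f"{base}.{bcast}"))
    return rows


def format_table(prefix_len: int) -> str:
    """Render one mask's rows as an aligned text table."""
    mask = ipaddress.ip_network(f"0.0.0.0/{prefix_len}").netmask
    lines = [f"{mask} /{prefix_len}",
             f"{'Network Number':<16}{'Hosts Available':<20}Broadcast Address"]
    for net, hosts, bcast in subnet_rows(prefix_len):
        lines.append(f"{net:<16}{hosts:<20}{bcast}")
    return "\n".join(lines)


def broadcast_for(ip: str, mask: str) -> str:
    """Broadcast address of the subnet containing ip, for a dotted mask."""
    net = ipaddress.ip_network(f"{ip}/{mask_to_prefix(mask)}", strict=False)
    return str(net.broadcast_address)


if __name__ == "__main__":
    for plen in range(25, 31):
        print(format_table(plen), end="\n\n")
    print(broadcast_for("212.6.145.0", "255.255.255.240"))   # the glossary example
```

mask_to_prefix() deliberately refuses masks whose bits are not a contiguous run of ones, which catches the common typo of an octet such as 225 where 255 was meant before it reaches a firewall rule or interface definition.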
Appendix D – Hardware Upgrades & Add-ons and Software Add-ons
Hardware Upgrades and Add-ons
This section provides the information needed to perform RouteFinder field upgrades.
Caution: Use industry-standard grounding supplies and procedures so that you do not damage the PC board or upgrade components.
Top Cover Removal
As the first step for all upgrade procedures, use this procedure to remove the RouteFinder top cover.
1.
Rack Mounting
The RouteFinder is shipped with four rubber feet for desktop applications, two rack mounting brackets, and four mounting screws.
Note: Rack mount screws are provided to attach the brackets to the RouteFinder. It is up to you to provide the bracket-to-rack mounting screws that match your rack's thread size.
Appendix E – RouteFinder Maintenance
This section covers issues related to routinely maintaining the RouteFinder:
• Housekeeping
• Monitoring
• Updating
Housekeeping
Housekeeping includes the ongoing list of tasks that you need to perform to keep your environment safe and clean. The three main housekeeping tasks that you will need to revisit periodically are:
• System backups – This includes regular backups of RouteFinder configurations and reporting logs.
Updating
This involves keeping both yourself and your RouteFinder abreast of new bugs, new attacks, new patches, and new tools and resources. Much of the RouteFinder updating effort can be done automatically (refer to the Tracking > Update Service section in Chapter 3). Administrators can keep themselves current with mailing lists, newsgroups, security forums, and similar sources.
Appendix F – Ordering Accessories
SupplyNet, Inc. supplies replacement transformers, cables, and connectors for select Multi-Tech products. You can place an order with SupplyNet via mail, phone, fax, or the Internet at:
Mail: SupplyNet, Inc., 614 Corporate Way, Valley Cottage, NY 10989
Phone: 800 826-0279
Fax: 914 267-2420
Email: info@thesupplynet.com
Internet: http://www.thesupplynet.com
SupplyNet Online Ordering Instructions
1. Browse to http://www.thesupplynet.
Appendix G – Regulatory Compliance
EMC, Safety, and R&TTE Directive Compliance
The CE mark is affixed to this product to confirm compliance with the following European Community Directives: Council Directive 89/336/EEC of 3 May 1989 on the approximation of the laws of Member States relating to electromagnetic compatibility.
Industry Canada for the Modem Operation
This Class A digital apparatus meets all requirements of the Canadian Interference-Causing Equipment Regulations.
Cet appareil numerique de la classe A respecte toutes les exigences du Reglement sur le materiel brouilleur du Canada.
Appendix H – License Agreements
Multi-Tech Systems, Inc. End User License Agreement (EULA)
IMPORTANT - READ BEFORE OPENING THE SOFTWARE PACKAGE
This is a basic multi-user software license granted by Multi-Tech Systems, Inc., a Minnesota corporation, with its mailing address at 2205 Woodale Drive, Mounds View, MN 55112. This is a legal agreement between you (either an individual or a single entity) and Multi-Tech Systems, Inc.
I will not download or otherwise export or re-export the Programs, directly or indirectly, to persons on the above mentioned lists. I will not use the Programs for, and will not allow the Programs to be used for, any purposes prohibited by United States law, including, without limitation, for the development, design, manufacture or production of nuclear, chemical, or biological weapons of mass destruction.
GNU GENERAL PUBLIC LICENSE
Version 2, June 1991
Copyright (C) 1989, 1991 Free Software Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.
Preamble
The licenses for most software are designed to take away your freedom to share and change it.
b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,
c) Accompany it with the information you received as to the offer to distribute corresponding source code.
Kaspersky Standard End User License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE FOLLOWING LEGAL AGREEMENT ("AGREEMENT"), FOR THE LICENSE OF SPECIFIED SOFTWARE ("SOFTWARE") PRODUCED BY KASPERSKY LAB. ("KASPERSKY LAB"). IF YOU HAVE PURCHASED THIS SOFTWARE VIA INTERNET BY CLICKING THE ACCEPT BUTTON, YOU (EITHER AN INDIVIDUAL OR A SINGLE ENTITY) CONSENT TO BE BOUND BY AND BECOME A PARTY TO THIS AGREEMENT.
(iii) By completion of the Support Services Subscription Form you consent to the terms of the Kaspersky Lab Privacy Policy which is attached to this Agreement, and you explicitly consent to the transfer of data to other countries outside your own as set out in the Privacy Policy.
Appendix I – Waste Electrical and Electronic Equipment Directive (WEEE)
Waste Electrical and Electronic Equipment (WEEE) Directive
The WEEE directive places an obligation on manufacturers, distributors and retailers to take back electronic products at the end of their useful life.
Glossary
* (Asterisk character) – The 'wildcard' character, used to signify "all within this group or function" (e.g., use * to specify all domain names). A special symbol that stands for one or more characters. Many operating systems and applications support wildcards for identifying files and directories, which lets you select multiple files with a single specification. For example, in DOS and Windows, the asterisk (*) is a wildcard that stands for any combination of letters.
Authentication Header (AH) – A provision of IPSec that adds a digital signature to an IP packet. The digital signature is created through a key-controlled "hashing" of each packet, providing user authentication and system integrity.
Broadcast – The address that a computer refers to if it wants to address all the computers of a network. Example: for a network with the IP address 212.6.145.0 and a net mask of 255.255.255.240, the broadcast address would be 212.6.145.15.
Cryptography – The art and science of using mathematics to secure information and create a high degree of trust in the networking realm. See also public key, secret key.
CSR (Certificate Signing Request) – The form used to obtain a certificate from a CA. A CSR is a formatted request for certification; the request form is available on the web site of all certificate authorities. Another way to generate a CSR is to use a utility such as Microsoft IIS or OpenSSL.
DNS (Domain Name System) (also Domain Name Service) – The system that lets more user-friendly names, or aliases, be used instead of computer-friendly IP addresses. Name servers take care of the conversion between numbers and names. Every institution connected to the Internet must operate at least two independent name servers that can give information about its names and numbers. Additionally, there is a name server for every top-level domain that lists all the subordinate name servers of that domain.
Firewall – A device that serves to shield and thus protect a (partial) network (e.g., RouteFinder) from another network (e.g., the Internet). The entire network traffic runs via the firewall, where it can be controlled and regulated. Technically, this can be achieved in different ways. The use of special hardware firewalls is rare. More frequent is the use of routers with firewall options, using firewall software on a dedicated computer.
IP Address – A 32-bit number that identifies the devices using the IP protocol. An IP address can be unicast, broadcast, or multicast. See RFC 791 for more information. Every host has a unique IP address, comparable to a telephone number. An IP address consists of four decimal numbers between 1 and 254, separated by dots (e.g., a possible IP address is 212.6.145.0). At least one name of the form xxx belongs to every IP address (e.g. xxx).
MPPE (Microsoft Point-to-Point Encryption) – An encryption technology developed by Microsoft to encrypt point-to-point links. The PPP connections can be over a VPN tunnel or over a dial-up line. MPPE is a feature of Microsoft's MPPC scheme for compressing PPP packets. The MPPC algorithm was designed to optimize bandwidth utilization in supporting multiple simultaneous connections.
Port Scanning – Attempting to find "listening" UDP or TCP ports on an IP device, and then obtaining information about the device. Port scanning itself is not harmful, but it can be used by hackers to allow intrusion by brute-force password guessing.
PPP (Point-to-Point Protocol) – An IETF standard which provides a method for transporting multi-protocol datagrams over point-to-point links.
QMAIL – A security-oriented Unix mailer daemon developed by Dan Bernstein.
RADIUS – RADIUS stands for Remote Authentication Dial-In User Service. RADIUS is a protocol with which the router can obtain information for the user authentication from a central server.
RFC (Request For Comments) – A document of the Internet Society under standardization. See also IETF.
RFC 921 – A policy statement on the implementation of the Domain Style Naming System on the Internet.
Security Policy – Enterprises should have a carefully planned set of statements in place regarding network protection. A good corporate Internet security policy should define acceptable use, acceptable means of remote access, information types and required encryption levels, firewall hardware and software management processes and procedures, non-standard access guidelines, and a policy for adding new equipment to the network.
Static Route – A directive in a node that tells it to use a certain router or gateway to reach a given IP subnet. The simplest and most common example is the default router/gateway entry entered onto any IP-connected node (i.e., a static route telling the node to go to the Internet router for all subnets outside of the local subnet).
Subnet Mask – The subnet mask or the net mask indicates into which groups the addresses are divided.
Index
A
About Interfaces, 84
About Network Cards, 87
Accessories, 166
Accounting, 102
Accounting device, 102
Accounting Logs, 132
Action on infected emails
GNU General Public License, 171
H
H.323 packets, 111
Hardware Logs, 128
Hardware Upgrades & Add-ons, 162
High Availability, 99
History of Calls, 133
Housekeeping
  Accounts management
Packet Filter Rules, 108
Packet Filters > Advanced, 111
Packet Filters > Enable/Disable Logging, 113
Packet Filters > ICMP, 110
Packet Filters > Packet Filter Rules, 108
Password Changing, 46, 47
Perfect Forward Secrecy, 117
PING
Subnet Settings, 101
Supported Subnet Addresses, 160
Switch off Proxy
  MS Explorer, 66
  Netscape, 66
System license key, 49
System License Key, 9
System Logging