User guide
Chapter 8 – Frequently Asked Questions (FAQs)
Multi-Tech Systems, Inc. RouteFinder RF850/860 User Guide (PN S000400E)
Q8. How do I set up RouteFinder Masquerading?
A8. Configure Masquerading in WebAdmin:
1. Define Interfaces in Network Setup > Interface. Here you define your Network Interface settings as
well as your default gateway, for example:
LAN Internal: 192.168.100.1/255.255.255.255
WAN External: 194.162.134.10/255.255.255.128
Gateway: 194.162.134.1/255.255.255.128
2. Define Network definitions in Networks & Services > Networks. Here you define your host and
network definitions, which you will use for further configuration like Masquerading or Packet Filter
Rules later on (e.g., Internal-Network 192.168.100.0 255.255.255.0 / Peters-Laptop 192.168.100.12
255.255.255.255).
3. Define Masquerading in Network Setup > Masquerading. Here you define which network should be
masqueraded on which network interface (e.g., Internal-Network > External).
4. Define Packet filter Rules and Proxy Settings. Now you have set your Security Policy in terms of what
is allowed and what is not allowed. The RouteFinder uses stateful inspection, so you only have to
define which services are allowed; the way back is opened automatically (e.g., Internal-Network -
FTP - Any - Accept | Peters-Laptop - Telnet - Any - Accept). If you want to use the Proxies you
can configure them in Proxy.
Q9. Can I do DNAT with Port ranges?
A9. Yes. Mapping DNAT port ranges is supported, with the limitation that you can only map the same range (so, for
example, you can map ports 500-600 to 500-600 but not 500-600 to 300-400).
Q10. Does NAT take place before or after routing and filtering take place?
A10. In short, DNAT is done before the packets pass the packet filter, and SNAT and Masquerading are done after
that. The RouteFinder uses a 2.4 kernel and iptables (the internal logic in the netfilter code).
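The ordering in A10 determines which addresses a packet filter rule has to name: the filter sees the destination after DNAT and the source before masquerading. The following simplified model is an added example, not RouteFinder code; the addresses come from the A8 example, while the DNAT mapping, the filter rules and the sample packets are constructed for illustration.

```python
# Added example: models the A10 order (DNAT -> packet filter -> SNAT/masquerading).
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

EXTERNAL_IP = ip_address("194.162.134.10")      # WAN External (A8)
INTERNAL_NET = ip_network("192.168.100.0/24")   # Internal-Network (A8)
LAPTOP = ip_address("192.168.100.12")           # Peters-Laptop (A8)

@dataclass(frozen=True)
class Packet:
    src: object
    dst: object
    dport: int

def dnat(pkt):
    """Step 1, before filtering: hypothetical same-range mapping 500-600 -> 500-600 (A9)."""
    if pkt.dst == EXTERNAL_IP and 500 <= pkt.dport <= 600:
        return replace(pkt, dst=LAPTOP)   # port unchanged: only identical ranges map
    return pkt

def packet_filter(pkt, rules):
    """Step 2: first matching (src_net, dst_net, port_range) rule accepts; default is drop."""
    for src_net, dst_net, (lo, hi) in rules:
        if pkt.src in src_net and pkt.dst in dst_net and lo <= pkt.dport <= hi:
            return True
    return False

def masquerade(pkt):
    """Step 3, after filtering: Internal-Network > External."""
    if pkt.src in INTERNAL_NET and pkt.dst not in INTERNAL_NET:
        return replace(pkt, src=EXTERNAL_IP)
    return pkt

def traverse(pkt, rules):
    """Return the packet as it leaves the box, or None if the filter dropped it."""
    pkt = dnat(pkt)
    if not packet_filter(pkt, rules):
        return None
    return masquerade(pkt)

ANY = ip_network("0.0.0.0/0")
# Rule naming the public address never matches: DNAT has already rewritten dst.
RULES_PUBLIC_DST = [(ANY, ip_network("194.162.134.10/32"), (500, 600))]
# Rule naming the translated (internal) destination matches.
RULES_INTERNAL_DST = [(ANY, ip_network("192.168.100.12/32"), (500, 600))]
# Outbound rule names the original internal source; masquerading runs afterwards.
RULES_OUTBOUND = [(INTERNAL_NET, ANY, (21, 21))]
INBOUND = Packet(ip_address("203.0.113.7"), EXTERNAL_IP, 550)    # constructed sample
OUTBOUND = Packet(LAPTOP, ip_address("198.51.100.20"), 21)       # constructed sample
```

With these inputs, `traverse(INBOUND, RULES_PUBLIC_DST)` is dropped while `traverse(INBOUND, RULES_INTERNAL_DST)` reaches Peters-Laptop, and `traverse(OUTBOUND, RULES_OUTBOUND)` leaves with the external address as its source.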
Q11. What are the current Certificate export laws?
A11. New US encryption export regulations took effect on January 14th, 2000. At the time of this publication, CAs
may export certificates to any non-government entity and to any commercial government-owned entity (except
those that produce munitions), in any country except Afghanistan (Taliban-controlled areas), Cuba, Iran, Iraq,
Libya, North Korea, Serbia (except Kosovo), Sudan and Syria.
For the latest information on United States cryptography export and import laws, contact the Bureau of Export
Administration (BXA) (http://www.bxa.doc.gov/).
Q12. Why is the export of cryptography controlled?
A12. Cryptography is export-controlled for several reasons. Strong cryptography can be used for criminal purposes
or even as a weapon of war. In wartime, the ability to intercept and decipher enemy communications is crucial.
Therefore, cryptographic technologies are subject to export controls. U.S. government agencies consider strong
encryption to be systems that use key sizes over 512 bits or symmetric algorithms (such as triple-DES) with key
sizes over 56 bits. Since government encryption policy is influenced by the agencies responsible for gathering
domestic and international intelligence (e.g., the FBI and NSA), the government tries to balance the conflicting
requirements of making strong cryptography available for commercial purposes while still making it possible for
those agencies to break the codes, if need be.
Q13. Can digital signature applications be exported from the U.S.?
A13. Digital signature applications are one of the nine special categories of cryptography that automatically fall under
the more relaxed Commerce regulations; digital signature implementations using RSA key sizes in excess of
512 bits were exportable even before the year 2000. However, there were some restrictions in developing a
digital signature application using a reversible algorithm (that is, the signing operation is sort of the reverse
operation for encryption), such as RSA. In this case, the application should sign a hash of the message, not the
message itself. Otherwise, the message had to be transmitted with the signature appended. If the message was
not transmitted with the signature, the NSA considered this quasi-encryption and the State controls would
apply.
Q14. Can DES be exported from the U.S. to other countries?
A14. For years, the government rarely approved the export of DES for use outside of the financial sector or by
foreign subsidiaries of U.S. companies. Several years ago, export policy was changed to allow the unrestricted
export of DES to companies that demonstrate plans to implement key recovery systems in a few years. Today,
Triple-DES is exportable under the regulations described above.