RS-3000 Office UTM Gateway User's Manual

Copyright
The contents of this publication may not be reproduced in any part or as a whole, stored, transcribed in an information retrieval system, translated into any language, or transmitted in any form or by any means, mechanical, magnetic, electronic, optical, photocopying, manual, or otherwise, without prior written permission.

Trademarks
All product, company and brand names are trademarks or registered trademarks of their respective companies. They are used for identification purposes only.
Table of Contents (excerpt)
Chapter 1 Introduction 3
1.1 Functions and Features 3
1.2 Front Panel 5
1.3 Packing List
11.1 URL 75
11.2 Script 77
11.3 Download 79
11.4 Upload
Chapter 1 Introduction
Congratulations on your purchase of this outstanding RS-3000 Office UTM Gateway. This product is specifically designed for offices with higher security requirements. It provides advanced security protection for internal clients and servers against threats such as viruses, spam and hacker attacks. It can also manage users' access rights for IM and P2P, to keep precious bandwidth from being exhausted.

IPSec and PPTP VPN
A VPN (Virtual Private Network) secures data transfer over an encrypted, private channel. IPSec provides a high level of data encryption, and PPTP provides easy configuration.
VPN Trunk
The VPN trunk function allows the user to create two VPN tunnels simultaneously, and offers a VPN fail-over feature.
IM / P2P Blocking
Currently the access rights for IM and P2P can be managed separately.
Chapter 2 Network Settings and Software Installation
To use this product correctly, you have to properly configure the network settings of your computers and install the attached setup program on your MS Windows platform (Windows 95/98/NT/2000/XP).
2.1 Make Correct Network Settings of Your Computer
The default IP address of this product is 192.168.1.1, and the default subnet mask is 255.255.255.0.
2.2 Example of Configuring the RS-3000 Web UI
STEP 1:
1. Connect the Admin's PC to the LAN port of the Security Gateway.
2. Open an Internet web browser and type the default IP address of the Security Gateway, 192.168.1.1, in the address bar.
3. A pop-up screen will appear and prompt for a username and password. Enter the default login username (admin) and password (airlive) of the Administrator.
Figure 2-2 WAN interface setting page
STEP 3: Click on the Policy tab from the main function menu, and then click on Outgoing from the sub-function list.
STEP 4: Click on the New Entry button.
STEP 5: When the New Entry option appears, enter the following configuration:
Source Address: select Inside_Any
Destination Address: select Outside_Any
Service: select ANY
Action: select Permit ALL
Click on OK to apply the changes.
Figure 2-3 Policy setting page
STEP 6: The configuration is successful when the screen below is displayed. Make sure that all the computers connected to the LAN port have their Default Gateway IP Address set to the Security Gateway's LAN IP Address (i.e. 192.168.1.1). At this point, all the computers on the LAN should gain access to the Internet immediately.
Chapter 3 Administration
"System" is the management of settings such as the privileges of packets that pass through the RS-3000 and monitoring controls. The System Administrators can manage, monitor, and configure RS-3000 settings. All configurations are "read-only" for all users other than the System Administrator; those users are not able to change any setting of the RS-3000.
3.1 Admin
Administrator Name: The username of the Administrator and Sub Administrators for the RS-3000.
Adding a new Sub Administrator
STEP 1. In the Admin WebUI, click the New Sub Admin button to create a new Sub Administrator.
STEP 2. In the Add New Sub Administrator WebUI (Figure 3-1), enter the following settings:
Sub Admin Name: sub_admin
Password: 12345
Confirm Password: 12345
STEP 3. Click OK to add the user or click Cancel to cancel it.
3.2 Permitted IP
Add Permitted IPs
STEP 1. Add the following settings in Permitted IPs of Administration: (Figure 3-3)
Name: Enter master
IP Address: Enter 163.173.56.11
Netmask: Enter 255.255.255.
3.3 Logout
STEP 1. Click Logout in System to protect the system while the Administrator is away. (Figure 3-5)
Figure 3-5 Confirm Logout WebUI
STEP 2. Click OK and the logout message will appear in the WebUI.
3.4 Software Update
STEP 1. Select Software Update in System, and follow the steps below:
Read the current version number from Version Number and obtain the latest version from the Internet. Save the latest version on the PC that manages the RS-3000.
Click Browse and choose the latest software version file.
Click OK and the system will update automatically. (Figure 3-7)
Figure 3-7 Software Update
It takes 3 minutes to update the software. The system will reboot after the update.
Chapter 4 Configure
The Configure section covers the basic settings of the RS-3000. In this chapter the definitions are Setting, Date/Time, Multiple Subnet, Route Table, DHCP, Dynamic DNS, Hosts Table, SNMP and Language settings.
4.1 Setting
AirLive RS-3000 Configuration: The Administrator can import or export the system settings. Click OK to import the file into the RS-3000 or click Cancel to cancel importing. You can also restore the default values here.
SIP protocol pass-through: Select to enable the RS-3000's SIP protocol pass-through function. Depending on the type of SIP device you have, the SIP protocol may also pass through the RS-3000 without enabling this function.
Administration Packet Logging: After enabling this function, the RS-3000 will record packets whose source or destination IP address is the RS-3000 itself, and record them in the Traffic Log for the System Manager to inquire about.
System Settings - Exporting
STEP 1. In the System Setting WebUI, click on the button next to Export System Settings to Client.
STEP 2. When the File Download pop-up window appears, choose the destination where to save the exported file and click on Save. The setting values of the RS-3000 will be copied to the appointed location instantly.
System Settings - Importing
STEP 1. In the System Setting WebUI, click on the Browse button next to Import System Settings from Client. When the Choose File pop-up window appears, select the file that contains the saved RS-3000 Settings, then click OK.
Restoring Factory Default Settings
STEP 1. Select Reset Factory Settings in the RS-3000 Configuration WebUI.
STEP 2. Click OK at the bottom-right of the page to restore the factory settings.
Enabling E-mail Alert Notification
STEP 1. Select Enable E-mail Alert Notification under E-Mail Settings.
STEP 2. Device Name: Enter the Device Name or use the default value.
STEP 3. Sender Address: Enter the Sender Address. (Required by some ISPs.)
STEP 4. SMTP Server IP: Enter the SMTP server's IP address.
STEP 5. E-Mail Address 1: Enter the e-mail address of the first user to be notified.
STEP 6. E-Mail Address 2: Enter the e-mail address of the second user to be notified.
Reboot RS-3000
STEP 1. Reboot RS-3000: Click the Reboot button next to Reboot RS-3000 Appliance.
STEP 2. A confirmation pop-up page will appear.
STEP 3. Follow the confirmation pop-up page; click OK to restart the RS-3000.
4.2 Date/Time
Synchronize system clock: Synchronizes the RS-3000 with the system clock. The Administrator can configure the RS-3000's date and time either by syncing to an Internet Network Time Server (NTP) or by syncing to your computer's clock.
STEP 1. Select Enable synchronize with an Internet time Server (Figure 4-7)
STEP 2. Click the down arrow to select the offset time from GMT.
4.3 Multiple Subnet
Connect to the Internet through Multiple Subnet NAT or Routing Mode, using the IP address set on the LAN user's network card.
Alias IP of Interface / Netmask: The Multiple Subnet range
WAN Interface IP: The IP address that the Multiple Subnet corresponds to on the WAN.
Forwarding Mode: Displays the mode that the Multiple Subnet uses (NAT mode or Routing Mode).
Preparation
RS-3000 WAN1 (60.250.158.66) connects to the ISP Router (60.250.158.254), and the subnet provided by the ISP is 162.
Adding Multiple Subnet
Add the following settings in Multiple Subnet of the System function:
Click on New Entry
Alias IP of LAN Interface: Enter 162.172.50.1
Netmask: Enter 255.255.255.0
WAN1: Choose Routing in Forwarding Mode, and press Assist to select Interface IP 60.250.158.66.
WAN2: Enter Interface IP 211.22.22.
NAT Mode: It allows the Internal Network to set multiple subnet addresses and connect with the Internet through different WAN IP Addresses. For example: the leased line of a company is assigned several real IP Addresses, 168.85.88.0/24, and the company is divided into Service, Sales, Procurement, and Accounting departments; the company can distinguish each department by a different subnet for convenient management. The settings are as follows:
1. R&D department subnet: 192.168.1.1/24 (LAN) 168.85.
4.4 Route Table
STEP 1. Enter the following settings in Route Table of the System function:
【Destination IP】: Enter 192.168.10.1
【Netmask】: Enter 255.255.255.0
【Gateway】: Enter 192.168.1.252
【Interface】: Select LAN
Click OK (Figure 4-9)
Figure 4-9 Add New Static Route1
STEP 2. Enter the following settings in Route Table of the System function:
【Destination IP】: Enter 192.168.20.1
【Netmask】: Enter 255.255.255.0
【Gateway】: Enter 192.168.1.
Figure 4-11 Add New Static Route3
STEP 4. Adding successful. At this time the computers on 192.168.10.1/24, 192.168.20.1/24 and 192.168.1.1/24 can connect with each other and connect to the Internet by NAT.
4.5 DHCP
Subnet: The domain name of the LAN
NetMask: The LAN Netmask
Gateway: The default Gateway IP address of the LAN
Broadcast IP: The Broadcast IP of the LAN
STEP 1. Select DHCP in System and enter the following settings:
Domain Name: Enter the Domain Name
DNS Server 1: Enter the distributed IP address of DNS Server 1.
DNS Server 2: Enter the distributed IP address of DNS Server 2.
WINS Server 1: Enter the distributed IP address of WINS Server 1.
Figure 4-12 DHCP WebUI
When Automatically Get DNS is selected, the DNS Server is locked to the LAN Interface IP.
4.6 Dynamic DNS
STEP 1. Select Dynamic DNS in the System function (Figure 4-13). Click the New Entry button.
Service providers: Select the service provider.
Automatically fill in the WAN 1/2 IP: Check to automatically fill in the WAN 1/2 IP.
User Name: Enter the registered user name.
Password: Enter the password.
Domain name: Enter your host domain name.
Click OK to add the Dynamic DNS entry.
4.7 Host Table
Host Name: It can be set by the System Manager to allow internal users to access the information provided by the host of the domain.
Virtual IP Address: The virtual IP address corresponding to the Host. It must be a LAN or DMZ IP address.
STEP 1. Select Host Table in the Settings function and click on New Entry.
Host Name: The domain name of the server
Virtual IP Address: The virtual IP address corresponding to the Host.
Click OK to add the Host Table entry.
4.8 SNMP
STEP 1. Select SNMP in the Settings function, click Enable SNMP Agent and type in the following information:
Device Name: The default setting is "Office UTM Gateway", and the user can change it.
Device Location: The default setting is "Taipei, Taiwan", and the user can change it.
Community: The default setting is "public", and the user can change it.
Contact Person: The default setting is "root@public", and the user can change it.
STEP 2. Select SNMP in the Settings function, click Enable SNMP Trap Alert Notification and type in the following information:
SNMP Trap Receiver Address: Enter the IP address of the SNMP Trap Receiver.
SNMP Trap Port: Enter the port number.
Click OK. The SNMP Trap setting is done. The administrator can then receive alert messages on a PC with SNMP management software installed, via the RS-3000 SNMP Trap function.
Chapter 5 Interface
In this section, the Administrator can set up the IP addresses for the office network. The Administrator may configure the IP addresses of the LAN network, the WAN 1/2 network, and the DMZ network. The Netmask and gateway IP addresses are also configured in this section.
Define the required fields of Interface
LAN: Using the LAN Interface, the Administrator can set up the LAN network of the RS-3000.
Connect Mode: Displays the current connection mode:
PPPoE (ADSL user)
Dynamic IP Address (Cable Modem User)
Static IP Address
PPTP (European User Only)
Saturated Connections: Set the number of sessions for saturation; whenever the session number reaches it, the RS-3000 switches to the next agent on the list.
Priority: Set the priority of the WAN for Internet Access.
Connection Test: This function identifies the WAN port's connection status.
5.1 LAN
Modify LAN Interface Settings
STEP 1. Select LAN in Interface and enter the following settings:
Enter the new IP Address and Netmask
Select Ping and HTTP
Click OK (Figure 5-1)
Figure 5-1 Setting LAN Interface WebUI
The default LAN IP Address is 192.168.1.1. After the Administrator sets the new LAN IP Address on the computer, he/she has to restart the System to make the new IP address effective.
5.2 WAN
Setting WAN Interface Address
STEP 1. Select WAN in Interface and click Modify in WAN1 Interface. The setting of the WAN2 Interface is almost the same as WAN1. The difference is that WAN2 has a Disable option. The System Administrator can close the WAN2 Interface with this option.
STEP 2. Set the Connection Service (ICMP or DNS method):
ICMP: Enter an Alive Indicator Site IP (can be selected from Assist) (Figure 5-3)
DNS: Enter two different DNS Server IP Addresses and Domain Names (can be selected from Assist) (Figure 5-4)
Set the time in seconds between sending alive packets.
Figure 5-3 ICMP Connection
Figure 5-4 DNS Service
The connection test is used by the RS-3000 to detect whether the WAN can connect or not.
STEP 3. Select the connection method:
PPPoE (ADSL User) (Figure 5-5):
1. Select PPPoE
2. Enter User Name as the account
3. Enter Password as the password
4. Select Dynamic or Fixed in IP Address provided by ISP. If you select Fixed, please enter the IP Address, Netmask, and Default Gateway.
5. Enter Max. Downstream Bandwidth and Max. Upstream Bandwidth. (According to the bandwidth the user applied for)
6. Select Ping and HTTP
7.
Dynamic IP Address (Cable Modem User) (Figure 5-7):
1. Select Dynamic IP Address (Cable Modem User)
2. Click Renew on the right side of IP Address to obtain an IP automatically.
3. If the MAC Address is required by the ISP, click on Clone MAC Address to obtain the MAC address automatically.
4. Hostname: Enter the hostname provided by the ISP.
5. Domain Name: Enter the domain name provided by the ISP.
6. User Name and Password: the IP distribution method according to the Authentication way of the DHCP+ protocol
7.
Static IP Address (Figure 5-9):
1. Select Static IP Address
2. Enter the IP Address, Netmask, and Default Gateway provided by the ISP
3. Enter DNS Server1 and DNS Server2. In WAN2, a Static IP Address connection does not need DNS Server settings.
4. Enter Max. Downstream Bandwidth and Max. Upstream Bandwidth (According to the bandwidth the user applied for)
5. Select Ping and HTTP
6.
PPTP (European User Only) (Figure 5-11):
1. Select PPTP (European User Only)
2. Enter User Name as the account.
3. Enter Password as the password.
4. If the MAC Address is required by the ISP, click on Clone MAC Address to obtain the MAC address automatically.
5. Select Obtain an IP address automatically or Use the following IP address provided by ISP.
6. Hostname: Enter the hostname provided by the ISP.
7. Domain Name: Enter the domain name provided by the ISP.
8.
Figure 5-11 PPTP Connection
Figure 5-12 Complete PPTP Connection Setting
Chapter 6 Address
The RS-3000 allows the Administrator to set Interface addresses of the LAN network, LAN network group, WAN network, WAN network group, DMZ and DMZ group. An IP address in the Address Table can be the address of a computer or a sub network. The Administrator can assign an easily recognized name to an IP address. Based on the network it belongs to, an IP address can be a LAN IP address, WAN IP address or DMZ IP address.
Define the required fields of Address
Name: The System Administrator sets up an easily recognized name for the IP Address.
IP Address: It can be a PC's IP Address or several IP Addresses of a Subnet. The different network areas can be: Internal IP Address, External IP Address, and DMZ IP Address.
Netmask: When it corresponds to a specific IP, it should be set as 255.255.255.255. When it corresponds to several IPs of a specific Domain. Take 192.168.100.
6.1 LAN
Under DHCP, assign a specific IP to static users and restrict them to accessing the FTP service only, through policy
STEP 1. Select LAN in Address and enter the following settings:
Click the New Entry button (Figure 6-1)
Name: Enter Jacky
IP Address: Enter 192.168.3.2
Netmask: Enter 255.255.255.
STEP 2. Add the following setting in Outgoing Policy: (Figure 6-3)
Figure 6-3 Add a Policy of Restricting the Specific IP to Access to Internet
STEP 3. Complete assigning the specific IP to static users in Outgoing Policy and restrict them to accessing the FTP service only through policy: (Figure 6-4)
Figure 6-4 Complete the Policy of Restricting the Specific IP to Access to Internet
When the System Administrator sets up the Address Book, he/she can choose the way of clicking on to make the RS-3000 to fi
6.2 LAN Group
Set up a policy that only allows some users to connect with a specific IP (External Specific IP)
STEP 1. Set up several LAN network Addresses.
Figure 6-7 Complete Adding LAN Address Group
The setting mode of WAN Group and DMZ Group of Address is the same as LAN Group.
STEP 4. Apply STEP 1~3 in Policy (Figure 6-10, 6-11)
Figure 6-10 To Exercise Address Setting in Policy
Figure 6-11 Complete the Policy Setting
The Address function only takes effect when used together with Policy.
Chapter 7 Service
TCP and UDP protocols support a variety of services, and each service consists of a TCP port or UDP port number, such as TELNET (23), SMTP (21), SMTP (25), POP3 (110), etc. The RS-3000 includes two kinds of services: Pre-defined Service and Custom Service. The common-use services like TCP and UDP are defined in the Pre-defined Service and cannot be modified or removed.
7.1 Pre-defined
Define the required fields of Service
Pre-defined WebUI's Chart and Illustration:
Any Service
TCP Service, for example: AFPoverTCP, AOL, BGP, FTP, FINGER, HTTP, HTTPS, IMAP, SMTP, POP3, GOPHER, InterLocator, IRC, L2TP, LDAP, NetMeeting, NNTP, PPTP, Real-Media, RLOGIN, SSH, TCP-ANY, TELNET, VDO-Live, WAIS, WINFRAME, X-WINDOWS, MSN, etc.
UDP Service, for example: IKE, DNS, NFS, NTP, PC-Anywhere, RIP, SNMP, SYSLOG, TALK, TFTP, UDP-ANY, UUCP, etc.
7.2 Custom
Allow an external user to communicate with an internal user by VoIP through policy.
Figure 7-3 Add User Define Service
Figure 7-4 Complete the Setting of User Define Service of VoIP
Under general circumstances, the client port number range is 0-65535. Changing the client range in Custom is not suggested. If the port numbers entered in the two fields are different, then every port in the range between the two numbers is enabled (for example: 15328:15333).
STEP 3. Apply the Service in Virtual Server. (Figure 7-5)
Figure 7-5 Compare Service to Virtual Server
STEP 4. Apply the Virtual Server in Incoming Policy.
STEP 2. In LAN Group of the Address function, set up an Address Group that can include the service of access to the Internet. (Figure 7-10)
Figure 7-10 Setting Address Book Group
STEP 3. Apply the Service Group in Outgoing Policy.
Chapter 8 Schedule
In this chapter, the RS-3000 lets the Administrator configure a schedule for a policy to take effect, so that the policies are used only at the designated times. The Administrator can then set the start time and stop time of a policy or VPN connection in Policy or VPN. By using the Schedule function, the Administrator can save a lot of management time and make the network system most effective.
To configure the valid time periods for LAN users to access the Internet in a day
STEP 1. Enter the following in Schedule:
Click New Entry (Figure 8-1)
Enter the Schedule Name
Set up the working time of the Schedule for each day
Click OK (Figure 8-2)
Figure 8-1 Setting Schedule WebUI
Figure 8-2 Complete the Setting of Schedule
STEP 2. Apply the Schedule in Outgoing Policy (Figure 8-3)
Figure 8-3 Complete the Setting of Comparing Schedule with Policy
The Schedule must be applied in a Policy to take effect.
Chapter 9 QoS
By configuring QoS, you can control the OutBound and InBound Upstream/Downstream Bandwidth. The administrator can configure the bandwidth according to the WAN bandwidth.
Downstream Bandwidth: To configure the Guaranteed Bandwidth and Maximum Bandwidth.
Upstream Bandwidth: To configure the Guaranteed Bandwidth and Maximum Bandwidth.
QoS Priority: To configure the priority of distributing Upstream/Downstream and unused bandwidth.
Define the required fields of QoS
WAN: Displays WAN1 and WAN2
Downstream Bandwidth: To configure the Guaranteed Bandwidth and Maximum Bandwidth according to the bandwidth range you applied for from the ISP
Upstream Bandwidth: To configure the Guaranteed Bandwidth and Maximum Bandwidth according to the bandwidth range you applied for from the ISP
Priority: To configure the priority of distributing Upstream/Downstream and unused bandwidth.
Guaranteed Bandwidth: The basic bandwidth of QoS.
Setting a policy that can restrict the user's downstream and upstream bandwidth
STEP 1. Enter the following settings in QoS:
Click New Entry (Figure 9-3)
Name: The name of the QoS you want to configure.
STEP 2. Use the QoS set in STEP 1 in Outgoing Policy. (Figure 9-5, 9-6)
Figure 9-5 Setting the QoS in Policy
Figure 9-6 Complete Policy Setting
When the administrator sets QoS, the bandwidth range that can be set is bounded by the value the System Administrator set in WAN of Interface. So when the System Administrator sets the downstream and upstream bandwidth in WAN of Interface, he/she must set it precisely.
Chapter 10 Authentication
By configuring Authentication, you can control the user's connection authority. The user has to pass authentication to access the Internet. The RS-3000 authenticates LAN users by account and password to identify their privileges.
Define the required fields of Authentication
Authentication Management: Provides the Administrator the port number and valid time to set up RS-3000 authentication.
Add the following setting in this function: (Figure 10-1)
Figure 10-1 Authentication Setting WebUI
When the user connects to the external network through Authentication, the following page will be displayed: (Figure 10-2)
Figure 10-2 Authentication Login WebUI
It will connect to the appointed website after passing Authentication: (Figure 10-3)
Figure 10-3 Connecting to the Appointed Website After Authentication
If a user wants to authenticate proactively, he/she can enter the LAN IP with the Authentication port number, and the Authentication WebUI will be displayed.
Authentication-User
Name: The user account for Authentication you want to set.
Password: The password for the Authentication account.
Configure specific users to connect with the external network only when they pass the authentication of the policy. (Adopt the built-in Auth User and Auth Group, RADIUS, or POP3 function)
STEP 1. Set up several Auth Users in Authentication. (Figure 10-4)
Figure 10-4 Setting Several Auth Users WebUI
To use Authentication, the DNS Server of the user's network card must be the same as the LAN Interface Address of the RS-3000.
STEP 2. Add Auth User Group Setting in the Authentication function and enter the following settings:
Click New Entry
Name: Enter Product_dept
Select the Auth Users you want and Add them to Selected Auth User
Click OK
Complete the setting of Auth User Group (Figure 10-5)
Figure 10-5 Setting Auth Group WebUI
STEP 3. The user can also choose to authenticate users with a RADIUS server. Just enter the Server IP, Port number and password, and enable the function.
Enable POP3 Server Authentication
Enter POP3 Server IP
Enter POP3 Server Port
Complete the setting of POP3 Server (Figure 10-7)
Figure 10-7 Setting POP3 WebUI
STEP 5. Add a policy in Outgoing Policy and input the Address and Authentication of STEP 2 (Figure 10-8, 10-9)
Figure 10-8 Auth-User Policy Setting
Figure 10-9 Complete the Policy Setting of Auth-User
STEP 6. When the user is going to access the Internet through a browser, the authentication UI will appear in the browser. After entering the correct user name and password, click OK to access the Internet. (Figure 10-10)
Figure 10-10 Access to Internet through Authentication WebUI
STEP 7. If the user no longer needs to access the Internet and wants to log out, he/she can click LOGOUT Auth-User to log out of the system.
Chapter 11 Content Blocking
Content Filtering includes URL, Script, Download and Upload.
【URL Blocking】: The administrator can set up to "Allow" or "Restrict" entering specific websites by complete domain name, key words, and meta-characters (~ and *).
【Script Blocking】: To restrict the access authority of Popup, ActiveX, Java, or Cookie.
【Download Blocking】: To restrict the authority to download files with specific extensions, audio, and some common video directly by the HTTP protocol.
Define the required fields of Content Blocking
URL String: The domain name that is restricted from being entered, or that is the only one allowed to be entered.
11.1 URL
Restrict the Internal Users so that they can only access some specific websites
※URL Blocking symbols: ~ means open up (allow only); * is a meta-character (wildcard).
Restrict (block) a specific website: Type the complete domain name or key word of the website you want to restrict in URL String. For example: www.kcg.gov.tw or gov.
Restrict access to a specific website only:
1. Type the symbol "~" in front of the complete domain name or key word; this means only the specific website may be accessed. For example: ~www.kcg.gov.tw or ~gov.
STEP 2. Add an Outgoing Policy and use it in the Content Blocking function: (Figure 11-2)
Figure 11-2 URL Blocking Policy Setting
STEP 3. Complete the policy permitting the internal users to access only some specific websites in the Outgoing Policy function: (Figure 11-3)
Figure 11-3 Complete Policy Settings
Afterwards, under the above policy, the users can only browse websites that include "yahoo" and "google" in their domain names.
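The URL String notation above (plain entry blocks, "~" prefix allows only, "*" as wildcard) is compact enough that a reader may want to see the matching rules spelled out in code. The following is an added example written for this edition, not AirLive's firmware code; the RS-3000 does not expose its matcher. Everything in it is an assumption about how such an entry list is evaluated: a keyword matches anywhere in the host name, a block entry always wins over an allow entry, and once any "~" entry exists only hosts matching one of them are permitted (which reproduces the "yahoo"/"google" outcome described in STEP 3). The sample URLs and entries are constructed.

```python
import re

# Constructed URL String entries in the manual's notation: a plain entry blocks
# every host whose name contains it, a "~" prefix allows only matching hosts,
# and "*" is the wildcard meta-character.
EXAMPLE_ENTRIES = ["~yahoo", "~*.google.com"]


def _entry_to_regex(body: str):
    """Turn one entry body into a regex. Everything except "*" is taken
    literally, so a bare keyword such as "gov" matches anywhere in the host."""
    parts = [re.escape(part) for part in body.split("*")]
    return re.compile(".*".join(parts))


def parse_url_strings(entries):
    """Split URL String entries into (allow_patterns, block_patterns)."""
    allow, block = [], []
    for raw in entries:
        entry = raw.strip().lower()
        if not entry:
            continue
        if entry.startswith("~"):
            allow.append(_entry_to_regex(entry[1:]))
        else:
            block.append(_entry_to_regex(entry))
    return allow, block


def host_of(url: str) -> str:
    """Extract the host name from a URL, with or without a scheme or port."""
    match = re.match(r"^(?:[a-z][a-z0-9+.-]*://)?([^/:?#]+)", url.strip().lower())
    return match.group(1) if match else ""


def is_permitted(url: str, entries) -> bool:
    """Decide whether a request to `url` passes URL Blocking.

    Assumed precedence (not stated in the manual): a block entry always wins;
    if any "~" allow entries exist, only hosts matching one of them pass;
    otherwise everything that is not blocked passes.
    """
    allow, block = parse_url_strings(entries)
    host = host_of(url)
    if not host:
        return False  # unparsable request: treat as not permitted
    if any(pattern.search(host) for pattern in block):
        return False
    if allow:
        return any(pattern.search(host) for pattern in allow)
    return True


if __name__ == "__main__":
    for url in ["http://tw.yahoo.com/", "https://mail.google.com/mail",
                "http://www.example.com/"]:
        verdict = "permitted" if is_permitted(url, EXAMPLE_ENTRIES) else "blocked"
        print(f"{url} -> {verdict}")
```

The matcher works on the host name only; a keyword that appears only in the path is not considered, which is how the manual describes URL String (domain name or key word of the website). The wildcard entry `~*.google.com` admits `mail.google.com` but not a bare `google.com`, because the literal dot before `google` is required.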
STEP 2. Add a new Outgoing Policy and use it in the Content Blocking function: (Figure 11-5)
Figure 11-5 New Policy of Script Blocking Setting
STEP 3. Complete the policy restricting the internal users from accessing Script files of websites in Outgoing Policy: (Figure 11-6)
Figure 11-6 Complete Script Blocking Policy Setting
Under this policy, the users may not use the specific functions (like Java, cookies, etc.) when browsing websites. It can, for example, prevent users from browsing stock exchange websites.
11.3 Download
Restrict the Internal Users from downloading video, audio and files with specific extensions directly by the HTTP or FTP protocol
STEP 1. Enter the following settings in Download of the Content Blocking function:
Select All Types Blocking
Click OK
Complete the setting of Download Blocking.
STEP 3. Complete the Outgoing Policy restricting the internal users from downloading video, audio, and files with specific extensions directly by the HTTP protocol: (Figure 11-9)
Figure 11-9 Complete Download Blocking Policy Setting
11.4 Upload
Restrict the Internal Users from uploading files with specific extensions directly by the HTTP or FTP protocol
STEP 1. Enter the following settings in Upload of the Content Blocking function:
Select All Types Blocking
Click OK
Complete the setting of Upload Blocking.
STEP 3. Complete the Outgoing Policy restricting the internal users from uploading files with specific extensions directly by the HTTP protocol: (Figure 11-12)
Figure 11-12 Complete Upload Blocking Policy Setting
Chapter 12 Application Blocking
RS-3000 Application Blocking lets the system block the connections of applications such as IM, P2P, Video/Audio Applications, Webmail, Game Applications, Tunnel Applications, and Remote Control Applications.
【Application Signature Definition】: The system will automatically check for new signatures every hour, or the user can click the "Update NOW" button to check for new signatures.
【Peer-to-Peer Application】: Restrict the authority to send files over connections using eDonkey, Bit Torrent, WinMX, Foxy, KuGoo, AppleJuice, AudioGalaxy, DirectConnect, iMesh, MUTE, Thunder5, GoGoBox, QQDownload, Ares, Shareaza, BearShare, Morpheus, Limewire, and KaZaa. (Figure 12-4)
Figure 12-4 Peer-to-Peer Application WebUI
【Video / Audio Application】: Restrict the authority to watch video or listen to audio from the Internet using PPLive, PPStream, UUSee, QQLive, ezPeer, and qvodplayer.
【Tunnel Application】: Restrict the authority to access the Internet via tunnel applications such as VNN Client, Ultra-Surf, Tor, and Hamachi. (Figure 12-8)
Figure 12-8 Tunnel Application WebUI
【Remote Control Application】: Restrict the authority to access remote control applications such as TeamViewer, VNC, and Remote Desktop. (Figure 12-9)
Figure 12-9 Tunnel Application WebUI
Configuration Example
GroupA users are not allowed to use MSN, Yahoo, and Skype.
STEP 3. Policy Object, Application Blocking Setting: Create the first Application Blocking rule for GroupA to block MSN, Yahoo and Skype. (Figure 12-11)
Figure 12-11 Create first Application Groups
STEP 4. Policy Object, Application Blocking Setting: Create the second Application Blocking rule for GroupB, so that users in GroupB can access MSN but cannot send files using MSN.
STEP 6. Policy, Outgoing: Create three Outgoing Policy rules and assign each group its Application Blocking setting. (Figure 12-14)
Figure 12-14 Create Policy rules with groups and enable Application Blocking
P2P transfers occupy a large amount of bandwidth and may affect other users. Since P2P applications can change their service ports freely, restricting P2P transfers by Service is ineffective. Therefore, the system manager must use Application Blocking to restrict users' P2P transfers efficiently.
Chapter 13 Virtual Server
The real IP addresses provided by the ISP are often not enough for all the users when the system manager applies for a network connection from the ISP. Generally speaking, in order to allocate enough IP addresses for all computers, an enterprise assigns each computer a private IP address, and converts it into a real IP address through the RS-3000's NAT (Network Address Translation) function.
Define the required fields of Virtual Server
WAN IP: WAN IP Address (Real IP Address)
Map to Virtual IP: Map the WAN Real IP Address to the LAN Private IP Address
Virtual Server Real IP: The WAN IP address mapped by the Virtual Server.
Service name (Port Number): The service name provided by the Virtual Server.
External Service Port: The WAN Service Port provided by the virtual server.
13.1 Mapped IP
Make a single server that provides several services such as FTP, Web, and Mail provide service by policy
STEP 1. Set up a server that provides several services in the LAN, and set its network card's IP to 192.168.1.100. DNS is an External DNS Server.
STEP 2. Enter the following setting in LAN of the Address function: (Figure 13-1)
Figure 13-1 Mapped IP Settings of Server in Address
STEP 3. Enter the following data in Mapped IP of the Virtual Server function:
Click New Entry
WAN IP: Enter 61.11.
STEP 4. In the Service function, group the services (DNS, FTP, HTTP, POP3, SMTP, etc.) provided and used by the server, and add a new service group for the server to send mail at the same time. (Figure 13-3)
Figure 13-3 Service Setting
STEP 5. Add a policy that includes the settings of STEP 3 and 4 in Incoming Policy. (Figure 13-4)
Figure 13-4 Complete the Incoming Policy
STEP 6. Add a policy that includes STEP 2 and 4 in Outgoing Policy. This lets the server send e-mail to external mail servers through the mail service.
13.2 Virtual Server 1/2/3/4 Make several servers that provide a single service, to provide service through policy by Virtual Server (Take Web service for example) STEP 1﹒Setting several servers that provide Web service in LAN network, which IP Address is 192.168.1.101, 192.168.1.102, 192.168.1.103, and 192.168.1.
Figure13-7 Virtual Server Configuration WebUI STEP 3﹒Add a new policy in Incoming Policy, which includes the virtual server, set by STEP2. (Figure13-8) Figure13-8 Complete Virtual Server Policy Setting In this example, the external users must change its port number to 8080 before entering the Website that set by the Web server. STEP 4﹒Complete the setting of providing a single service by virtual server.
The external user use VoIP to connect with VoIP of LAN (VoIP Port: TCP 1720, TCP 15328-15333, UDP 15328-15333) STEP 1﹒Set up VoIP in LAN network, and its IP is 192.168.1.100 STEP 2﹒Enter the following setting in LAN of Address function: (Figure13-9) Figure13-9 Setting LAN Address WebUI STEP 3﹒Add new VoIP service group in Custom of Service function.
Figure13-12 Virtual Server Configuration WebUI When the custom service only has one port number, then the external network port of Virtual Server is changeable; On the contrary, if the custom service has more than one port network number, then the external network port of Virtual Server cannot be changed.
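The following Python model, added here as an illustration and not part of the RS-3000 firmware or of this manual, shows how a Mapped IP entry (every port of one WAN address to one LAN host) and a Virtual Server entry (one service, one or more LAN hosts) resolve an inbound packet, and enforces the rule above that the external port may only be changed for a single-port service. The class and field names, the round-robin choice among several real servers, and the precedence of Virtual Server over Mapped IP for the same WAN address are assumptions made for the example; the addresses used are constructed.

```python
# Added example: a model of the RS-3000 Mapped IP / Virtual Server lookup.
# It is not the appliance's code; names, the round-robin dispatch among several
# real servers and the Virtual-Server-before-Mapped-IP precedence are assumptions.
from dataclasses import dataclass
from itertools import cycle
from typing import Optional, Tuple


@dataclass(frozen=True)
class Service:
    """A Service entry: a name and the (protocol, port) pairs it covers."""
    name: str
    ports: Tuple[Tuple[str, int], ...]


HTTP = Service("HTTP", (("tcp", 80),))
# The VoIP group from this chapter: TCP 1720, TCP 15328-15333, UDP 15328-15333
VOIP = Service("VoIP", (("tcp", 1720),)
               + tuple(("tcp", p) for p in range(15328, 15334))
               + tuple(("udp", p) for p in range(15328, 15334)))


class VirtualServerTable:
    def __init__(self):
        self._mapped = {}      # WAN IP -> LAN IP, every port (Mapped IP)
        self._vservers = []    # (WAN IP, Service, external port, server iterator)

    def add_mapped_ip(self, wan_ip: str, lan_ip: str) -> None:
        self._mapped[wan_ip] = lan_ip

    def add_virtual_server(self, wan_ip: str, service: Service,
                           lan_ips, external_port: Optional[int] = None) -> None:
        # The manual's rule: the external port may only be changed when the
        # service has exactly one port; multi-port services keep their own ports.
        if external_port is not None and len(service.ports) != 1:
            raise ValueError(f"{service.name}: external port is fixed for a multi-port service")
        self._vservers.append((wan_ip, service, external_port, cycle(list(lan_ips))))

    def resolve(self, dst_ip: str, proto: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """Translate an inbound (WAN IP, protocol, port) to (LAN IP, port).

        Returns None when nothing is published there, i.e. the packet is
        dropped rather than forwarded to any internal host."""
        for wan_ip, service, ext_port, servers in self._vservers:
            if wan_ip != dst_ip:
                continue
            for sproto, sport in service.ports:
                public_port = ext_port if ext_port is not None else sport
                if (sproto, public_port) == (proto, dst_port):
                    return next(servers), sport      # next real server, internal port
        if dst_ip in self._mapped:
            return self._mapped[dst_ip], dst_port    # 1:1 NAT keeps the port
        return None
```

Note that a Mapped IP entry forwards every port to the internal host; the Service selected in the Incoming Policy is therefore the only thing that limits what is exposed, which is why the Policy chapter advises against selecting ANY there.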
Let several servers that each provide several of the same services offer them through policy by Virtual Server (POP3, SMTP and DNS as a group are used as the example). STEP 1. Set up several servers in the LAN that provide these services, with network card IPs 192.168.1.101, 192.168.1.102, 192.168.1.103 and 192.168.1.104, and DNS pointing to the external DNS server.
STEP 3. Group the servers' services under Custom of the Service function, and add a Service Group the servers will use to send e-mail. (Figure13-17) Figure13-17 Add New Service Group STEP 4. Enter the following under Server1 of the Virtual Server function: Click the button next to Virtual Server Real IP ("click here to configure") in Server1 Virtual Server Real IP: Enter 211.22.22.
STEP 5. Add a new Incoming Policy that includes the virtual server set in STEP 4: (Figure13-20) Figure13-20 Complete Incoming Policy Setting STEP 6. Add a new Outgoing Policy that includes the settings of STEP 2 and 3, so the servers can send e-mail to external mail servers through the mail service. (Figure13-21) Figure13-21 Complete Outgoing Policy Setting STEP 7. The setting for providing several services through Virtual Server is complete.
Chapter 14 VPN
The RS-3000 uses VPN to set up a secure, private network service and combines it with remote authentication to integrate the enterprise's remote networks and PCs. It gives the enterprise and its remote users an encrypted channel with good efficiency for transferring data, which spares the manager many problems. 【IPSec Autokey】: the system manager can create a VPN connection using Autokey IKE.
14.1 IPSec Autokey
Define the required fields of VPN:
Preshared Key: an IKE VPN must be defined with a Preshared Key of up to 128 bytes. Both gateways must hold the same key, and it should be long and random, since anyone who obtains it can authenticate as a peer.
ISAKMP (Internet Security Association and Key Management Protocol): an extensible protocol-encoding scheme that complies with the Internet Key Exchange (IKE) framework for establishing Security Associations (SAs).
It is a fast and convenient connection mode that authenticates the traffic but, because nothing is encrypted, gives no privacy: anyone on the path can read the payload. The NULL algorithm provides no other security service and exists only as a substitute for ESP encryption where confidentiality is not required. SHA-1 (Secure Hash Algorithm 1): a message-digest hash algorithm that takes a message shorter than 2^64 bits and produces a 160-bit digest. MD5: a common message-digest algorithm, developed by Ron Rivest, that produces a 128-bit digest from an input of arbitrary length. Of the two, MD5 is the weaker; choose SHA1 when both peers support it.
Define the required fields of IPSec Function
The VPN connection status is displayed by icon (Chart / Meaning): Not applied; Disconnected; Connecting.
Name: the name that identifies the IPSec Autokey definition. The name must be unique and cannot be repeated.
Gateway IP: the WAN interface IP address of the remote gateway.
IPSec Algorithm: displays the algorithms in use.
Configure: click Modify to change the IPSec parameters; click Remove to delete the setting.
14.2 PPTP Server
Define the required fields of PPTP Server Function
PPTP Server: select Enable or Disable.
Client IP Range: the range of IP addresses assigned to PPTP client connections.
The VPN connection status is displayed by icon (Chart / Meaning): Not applied; Disconnected; Connecting.
User Name: displays the PPTP client's user name when it is connected to the PPTP Server.
Client IP: displays the PPTP client's IP address when it is connected to the PPTP Server.
14.3 PPTP Client
Define the required fields of PPTP Client Function
The VPN connection status is displayed by icon (Chart / Meaning): Not applied; Disconnected; Connecting.
User Name: displays the PPTP client's user name when connected to the PPTP Server.
Server IP or Domain Name: displays the PPTP Server's IP address or domain name when connected to the PPTP Server.
Encryption: displays whether encryption is enabled for transmission between the PPTP client and the PPTP Server. PPTP is a legacy protocol whose authentication and encryption are considered weak by current standards; prefer IPSec when both ends support it, and always enable Encryption when PPTP must be used.
14.4 Trunk
Define the required fields of Trunk (Tunnel) Function
The VPN connection status is displayed by icon (Chart / Meaning): Not applied; Disconnected; Connecting.
Name: the name that identifies the VPN tunnel definition. The name must be unique and cannot be repeated.
Source Subnet: displays the source subnet.
Destination Subnet: displays the destination subnet.
Tunnel: displays the VPN (IPSec Autokey, PPTP Server, PPTP Client) settings the tunnel uses.
Setting up an IPSec VPN connection between two RS-3000s Preparation Company A WAN IP: 61.11.11.11, LAN IP: 192.168.10.X Company B WAN IP: 211.22.22.22, LAN IP: 192.168.20.X This example uses two RS-3000s as the platform. Suppose Company A's host 192.168.10.100 creates a VPN connection to Company B's host 192.168.20.100 to download a shared file. The default gateway of Company A is the LAN IP of its RS-3000, 192.168.10.1.
Figure14-8 IPSec Authentication Method Setting STEP 5. Select ISAKMP Algorithm in the Encapsulation list and choose the algorithms used to set up the connection: ENC Algorithm (3DES/DES/AES), AUTH Algorithm (MD5/SHA1) and Group (GROUP1, 2, 5). Both sides must choose the same ENC Algorithm, AUTH Algorithm and Group, otherwise the IKE proposals do not match and the tunnel will not come up. Here we select 3DES for ENC Algorithm, MD5 for AUTH Algorithm and GROUP1 for Group, as in the figure; where both peers support them, AES, SHA1 and GROUP5 are the stronger choices (DES, MD5 and GROUP1 are weak by current standards).
Figure14-12 Complete Company A IPSec Autokey Setting STEP 9. Enter the following settings under Trunk of the VPN function: (Figure14-13) Enter a specific Tunnel Name. From Source: Select LAN. From Source Subnet / Mask: Enter 192.168.10.0 / 255.255.255.0. To Destination: Select To Destination Subnet / Mask. To Destination Subnet / Mask: Enter 192.168.20.0 / 255.255.255.0. IPSec / PPTP Setting: Select VPN_A. Enter 192.168.20.
Figure14-14 Complete New Entry Tunnel Setting STEP 10. Enter the following setting in Outgoing Policy: (Figure14-15) Trunk: Select IPSec_VPN_Tunnel. Click OK.
STEP 11﹒Enter the following setting in Incoming Policy: (Figure14-17) Trunk: Select IPSec_VPN_Tunnel. Click OK.
The default gateway of Company B is the LAN IP of its RS-3000, 192.168.20.1. Follow the steps below: STEP 1. Browse to the LAN IP of Company B's RS-3000, 192.168.20.1, and select IPSec Autokey under VPN. Click New Entry. (Figure14-19) Figure14-19 IPSec Autokey Web UI STEP 2. In the IPSec Autokey list, fill in Name with VPN_B. (Figure14-20) Figure14-20 IPSec Autokey Name Setting STEP 3. Select Remote Gateway - Fixed IP or Domain Name in the To Destination list and enter the IP address.
Figure14-23 IPSec Encapsulation Setting STEP 6. In the IPSec Algorithm list you can choose Data Encryption + Authentication or Authentication Only: ENC Algorithm: 3DES/DES/AES/NULL AUTH Algorithm: MD5/SHA1 Here we select 3DES for ENC Algorithm and MD5 for AUTH Algorithm to define the encapsulation used for data transmission; they must match the values chosen on Company A's RS-3000. (Figure14-24) Figure14-24 IPSec Algorithm Setting STEP 7.
STEP 8. The IPSec Autokey setting is complete. (Figure14-26) Figure14-26 Complete Company B IPSec Autokey Setting STEP 9. Enter the following settings under Trunk of the VPN function: (Figure14-27) Enter a specific Tunnel Name. From Source: Select LAN. From Source Subnet / Mask: Enter 192.168.20.0 / 255.255.255.0. To Destination: Select To Destination Subnet / Mask. To Destination Subnet / Mask: Enter 192.168.10.0 / 255.255.255.0. IPSec / PPTP Setting: Select VPN_B. Enter 192.168.10.
Figure14-28 Complete New Entry Tunnel Setting STEP 10. Enter the following setting in Outgoing Policy: (Figure14-29) Trunk: Select IPSec_VPN_Tunnel. Click OK.
STEP 11. Enter the following setting in Incoming Policy: (Figure14-31) Trunk: Select IPSec_VPN_Tunnel. Click OK. (Figure14-32) Figure14-31 Setting the VPN Tunnel Incoming Policy Figure14-32 Complete the VPN Tunnel Incoming Policy Setting STEP 12. The IPSec VPN connection is complete.
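The most common reason a site-to-site tunnel set up as above fails to come up is that the two sides' entries do not mirror each other. The following Python check, added here as an example and not part of the RS-3000 or this manual, takes the Company A and Company B settings from the procedure and reports the mismatches that would stop IKE or the trunk from working (gateway addresses, preshared key, algorithms, subnets), and separately warns about algorithm choices that connect but are weak. The field names, the preshared key value and the 16-character key-length threshold are assumptions for the example.

```python
# Added example: consistency check for a site-to-site IPSec Autokey pair.
# Not the appliance's code; field names and the sample key are assumptions.
from dataclasses import dataclass
import ipaddress

WEAK = {"enc": {"DES", "NULL"}, "auth": {"MD5"}, "group": {"GROUP1"}}


@dataclass(frozen=True)
class AutokeySite:
    name: str
    wan_ip: str            # this RS-3000's WAN address
    remote_gateway: str    # peer's WAN address ("To Destination")
    preshared_key: str
    enc: str               # 3DES / DES / AES / NULL
    auth: str              # MD5 / SHA1
    group: str             # GROUP1 / GROUP2 / GROUP5
    local_subnet: str      # Trunk "From Source Subnet / Mask"
    remote_subnet: str     # Trunk "To Destination Subnet / Mask"


# The two sites from the procedure above; the key is an assumed sample value.
COMPANY_A = AutokeySite("VPN_A", "61.11.11.11", "211.22.22.22", "Ex@mpleKey-2024-long",
                        "3DES", "MD5", "GROUP1", "192.168.10.0/24", "192.168.20.0/24")
COMPANY_B = AutokeySite("VPN_B", "211.22.22.22", "61.11.11.11", "Ex@mpleKey-2024-long",
                        "3DES", "MD5", "GROUP1", "192.168.20.0/24", "192.168.10.0/24")


def check_pair(a: AutokeySite, b: AutokeySite):
    """Return (errors, warnings). Errors stop the tunnel from working at all;
    warnings flag settings that connect but are cryptographically weak."""
    errors, warnings = [], []
    if a.remote_gateway != b.wan_ip or b.remote_gateway != a.wan_ip:
        errors.append("remote gateway addresses do not point at each other")
    if a.preshared_key != b.preshared_key:
        errors.append("preshared keys differ")
    for attr in ("enc", "auth", "group"):           # IKE proposal must match
        if getattr(a, attr) != getattr(b, attr):
            errors.append(f"{attr} mismatch: {getattr(a, attr)} vs {getattr(b, attr)}")
    la, ra = ipaddress.ip_network(a.local_subnet), ipaddress.ip_network(a.remote_subnet)
    lb, rb = ipaddress.ip_network(b.local_subnet), ipaddress.ip_network(b.remote_subnet)
    if la != rb or lb != ra:                        # trunk entries must be mirrored
        errors.append("trunk subnets are not mirrored between the two sites")
    if la.overlaps(lb):
        errors.append("the two LAN subnets overlap; routing through the tunnel is ambiguous")
    if len(a.preshared_key) < 16:                   # threshold is an assumption
        warnings.append("preshared key shorter than 16 characters")
    for attr, weak in WEAK.items():
        if getattr(a, attr) in weak:
            warnings.append(f"weak {attr}: {getattr(a, attr)}")
    return errors, warnings


if __name__ == "__main__":
    errs, warns = check_pair(COMPANY_A, COMPANY_B)
    print("errors:", errs)
    print("warnings:", warns)
```

Run against the manual's own example the check reports no errors but two warnings (MD5 and GROUP1), which is the point of the note in STEP 5 above.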
Setting up a PPTP VPN connection between two RS-3000s Preparation Company A WAN IP: 61.11.11.11 LAN IP: 192.168.10.X Company B WAN IP: 211.22.22.22 LAN IP: 192.168.20.X This example uses two RS-3000s as the platform. Suppose Company B's host 192.168.20.100 is going to establish a VPN connection to Company A's host 192.168.10.100 to download resources.
The default gateway of Company A is the LAN IP of its RS-3000, 192.168.10.1. Follow the steps below: STEP 1. Open PPTP Server under the VPN function on Company A's RS-3000. Select Modify and enable PPTP Server: Client IP Range: keep the original setting, e.g. 192.44.75.1-254 (whichever range is used, it must not overlap the LAN subnets of either company, or traffic through the tunnel cannot be routed). Enter DNS Server or WINS Server IPs if necessary. Idle Time: Enter 0.
STEP 2. Add the following in PPTP Server of the VPN function on Company A's RS-3000: Select New Entry. (Figure14-34) User Name: Enter PPTP_Connection. Password: Enter 123456789 (an example value only; in production use a long random password, since the PPTP server is reachable from the WAN). Client IP assigned by: Select IP Range. Click OK.
STEP 3. Enter the following settings under Trunk of the VPN function: (Figure14-36) Enter a specific Tunnel Name. From Source: Select LAN. From Source Subnet / Mask: Enter 192.168.10.0 / 255.255.255.0. To Destination: Select To Destination Subnet / Mask. To Destination Subnet / Mask: Enter 192.168.20.0 / 255.255.255.0. IPSec / PPTP Setting: Select PPTP_Server_PPTP_Connection. Select Show remote Network Neighborhood. Click OK.
STEP 4. Enter the following setting in Outgoing Policy: (Figure14-38) Trunk: Select PPTP_VPN_Tunnel. Click OK.
STEP 5. Enter the following setting in Incoming Policy: (Figure14-40) Trunk: Select PPTP_VPN_Tunnel. Click OK.
The default gateway of Company B is the LAN IP of its RS-3000, 192.168.20.1. Follow the steps below: STEP 1. Add the following in PPTP Client of the VPN function on Company B's RS-3000: Click the New Entry button. (Figure14-42) User Name: Enter PPTP_Connection. Password: Enter 123456789. Server IP or Domain Name: Enter 61.11.11.11. Select Encryption. Click OK.
STEP 2. Enter the following settings under Trunk (Tunnel) of the VPN function: (Figure14-44) Enter a specific Tunnel Name. From Source: Select LAN. From Source Subnet / Mask: Enter 192.168.20.0 / 255.255.255.0. To Destination: Select To Destination Subnet / Mask. To Destination Subnet / Mask: Enter 192.168.10.0 / 255.255.255.0. IPSec / PPTP Setting: Select PPTP_Client_PPTP_Connection. Select Show remote Network Neighborhood. Click OK.
STEP 3. Enter the following setting in Outgoing Policy: (Figure14-46) Trunk: Select PPTP_VPN_Tunnel. Click OK.
STEP 4. Enter the following setting in Incoming Policy: (Figure14-48) Trunk: Select PPTP_VPN_Tunnel. Click OK. (Figure14-49) Figure14-48 Setting the VPN Tunnel Incoming Policy Figure14-49 Complete the VPN Tunnel Incoming Policy Setting STEP 5. The PPTP VPN connection is complete.
Chapter 15 Policy
Every packet that passes through the RS-3000 is checked against the Policy list. When a packet matches a policy, it is handled according to that policy's settings and is not checked against any later policy. A packet that matches no policy is dropped, so the default behaviour is deny.
Define the required fields of Policy
Source and Destination: Source IP and Destination IP are defined from the RS-3000's point of view: the side that initiates the connection is the source and the side that accepts it is the destination.
Service: the service item controlled by the Policy. The user can choose a default value or a custom service that the system manager defined in the Service function.
Option: displays whether each function of the Policy is enabled.
QoS: sets the Guaranteed Bandwidth and Maximum Bandwidth of the Policy (the bandwidth is shared by all users who match the Policy).
MAX. Bandwidth Per Source IP: the maximum bandwidth a single source IP is permitted by the policy; once that IP reaches the limit, further connections from it cannot be established.
MAX. Concurrent Sessions Per IP: the maximum number of concurrent sessions a single IP is permitted by the policy.
Set up the policy that can monitor the internal users.
Figure15-3 Traffic Log Monitor WebUI
STEP 4. Under Policy Statistics of the Statistics function, display the traffic records of connections that reached the Internet through this Policy.
Forbid the users to access to specific network.
Figure15-8 IM / P2P Blocking Setting URL Blocking restricts internal users to specific Web sites. Script Blocking prevents internal users from receiving script content from Web sites (Java, cookies, etc.). Download Blocking prevents internal users from downloading video, audio and files with specific extensions directly over HTTP.
STEP 2. Enter the following under WAN and WAN Group of the Address function: (Figure15-9, 15-10) Figure15-9 Setting the WAN IP that is going to be blocked Figure15-10 WAN Address Group The administrator can group custom addresses in Address, which is more convenient when setting policy rules.
STEP 3. Enter the following setting in Outgoing Policy: Click New Entry Destination Address: Select the WAN_Group set in STEP 2 (blocking by IP) Action, WAN Port: Select Deny Select to enable Content Blocking Select to enable IM/P2P Blocking Click OK (Figure15-11) Figure15-11 Setting Blocking Policy STEP 4. The setting that forbids users from accessing the specific network is complete.
Only allow users who pass Authentication to access the Internet during a particular time STEP 1. Enter the following in the Schedule function: (Figure15-13) Figure15-13 Add New Schedule STEP 2. Enter the following in Auth User and Auth User Group of the Authentication function: (Figure15-14) Figure15-14 Setting Auth User Group The administrator can use the group function for Authentication and Service, which is more convenient when setting policy.
STEP 3. Enter the following setting in Outgoing Policy: Click New Entry Authentication User: Select laboratory Schedule: Select Working_Time Click OK (Figure15-15) Figure15-15 Setting a Policy of Authentication and Schedule STEP 4. The policy rule that allows only authenticated users to access the Internet during the scheduled time is complete. Outside Working_Time, or for a user who is not in the laboratory group, this rule does not match and the traffic falls through to the default deny unless a later policy permits it.
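The following Python model, added here as an illustration and not part of the RS-3000 or this manual, shows the policy semantics described in this chapter: policies are evaluated top to bottom, the first match decides, a packet matching nothing is dropped, and a permitting policy still refuses a new connection once a source IP has reached MAX. Concurrent Sessions Per IP. The example engine it builds carries the authentication-plus-schedule rule from the procedure above together with a deny rule in front of it; the field names, the "laboratory" membership and the sample dates are assumptions made for the example.

```python
# Added example: first-match policy evaluation with default deny, modelled on
# the Policy chapter. Not the appliance's code; field names are assumptions.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, time
from typing import FrozenSet, Optional, Tuple
import ipaddress


@dataclass(frozen=True)
class Schedule:
    days: FrozenSet[int]   # weekday numbers, Monday = 0
    start: time
    end: time

    def active(self, when: datetime) -> bool:
        return when.weekday() in self.days and self.start <= when.time() < self.end


@dataclass(frozen=True)
class Policy:
    name: str
    action: str                                           # "permit" or "deny"
    src: str = "0.0.0.0/0"                                # Source Address (network)
    dst: str = "0.0.0.0/0"                                # Destination Address (network)
    service: Optional[FrozenSet[Tuple[str, int]]] = None  # {(proto, port)}; None = ANY
    schedule: Optional[Schedule] = None
    auth_group: Optional[FrozenSet[str]] = None           # Authentication User group; None = no auth
    max_sessions_per_ip: Optional[int] = None             # MAX. Concurrent Sessions Per IP

    def matches(self, src_ip, dst_ip, proto, port, when, user) -> bool:
        if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(self.dst):
            return False
        if self.service is not None and (proto, port) not in self.service:
            return False
        if self.schedule is not None and not self.schedule.active(when):
            return False
        if self.auth_group is not None and user not in self.auth_group:
            return False
        return True


class PolicyEngine:
    def __init__(self, policies):
        self.policies = list(policies)        # evaluated top to bottom
        self.sessions = defaultdict(int)      # (policy name, src ip) -> open sessions

    def evaluate(self, src_ip, dst_ip, proto, port, when, user=None):
        """Return (action, reason). The first matching policy decides and later
        policies are not consulted; a packet matching nothing is dropped."""
        for p in self.policies:
            if not p.matches(src_ip, dst_ip, proto, port, when, user):
                continue
            if p.action == "permit":
                key = (p.name, src_ip)
                if p.max_sessions_per_ip is not None and self.sessions[key] >= p.max_sessions_per_ip:
                    # The policy permits, but this IP already holds its quota, so
                    # the surplus connection cannot be established.
                    return "deny", f"{p.name} (per-IP session limit)"
                self.sessions[key] += 1
            return p.action, p.name
        return "deny", "default"

    def close(self, policy_name, src_ip):
        """Release one session when a permitted connection ends."""
        key = (policy_name, src_ip)
        self.sessions[key] = max(0, self.sessions[key] - 1)


# Constructed sample data: the Working_Time schedule and the laboratory group.
WORKING_TIME = Schedule(frozenset(range(5)), time(9, 0), time(18, 0))
MONDAY_10 = datetime(2024, 1, 8, 10, 0)      # a Monday
SATURDAY_10 = datetime(2024, 1, 6, 10, 0)    # a Saturday


def build_example_engine() -> PolicyEngine:
    return PolicyEngine([
        Policy("block_ftp", "deny", service=frozenset({("tcp", 21)})),
        Policy("lab_internet", "permit", src="192.168.1.0/24",
               service=frozenset({("tcp", 80), ("tcp", 443)}), schedule=WORKING_TIME,
               auth_group=frozenset({"alice"}), max_sessions_per_ip=2),
    ])
```

Because the deny rule for FTP sits first, an authenticated laboratory user is still refused FTP during Working_Time; moving it below the permit rule would silently change that, which is why rule order matters as much as rule content.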
Let an external user control an internal PC through remote-control software (pcAnywhere is used as the example) STEP 1. Set up the internal PC that the external user will control, with IP address 192.168.1.2. STEP 2. Enter the following setting in Virtual Server1 of the Virtual Server function: (Figure15-17) Figure15-17 Setting Virtual Server Because this publishes a remote-control service on the WAN, restrict the policy's Source Address to the external operator's known address rather than leaving it as Any, and use a strong pcAnywhere password. STEP 3. Enter the following in Incoming Policy: Click New Entry Destination Address: Select Virtual Server1 (61.11.11.
Figure15-19 Complete Policy Setting
Set up an FTP Server under DMZ NAT Mode and restrict its download bandwidth and MAX. Concurrent Sessions. STEP 1. Set up an FTP Server in the DMZ with IP 192.168.3.2 (the DMZ interface address is 192.168.3.1/24). STEP 2. Enter the following setting in Virtual Server1 of the Virtual Server function: (Figure15-20) Figure15-20 Setting up Virtual Server Corresponding to the FTP Server When using Incoming or WAN to DMZ policies, it is strongly recommended not to select ANY for Service: select only the service the server actually provides, so that the policy does not expose every port on the server.
STEP 4﹒Enter the following in WAN to DMZ Policy: Click New Entry Destination Address: Select Virtual Server1 (61.11.11.12) Service: Select FTP (21) QoS: Select FTP_QoS MAX.
Set up a Mail Server so that internal and external users can send and receive e-mail under DMZ Transparent Mode STEP 1. Set up a Mail Server in the DMZ with its network card's IP address set to 61.11.11.12 and DNS pointing to the external DNS server.
STEP 4. Enter the following setting in WAN to DMZ Policy: Click New Entry Destination Address: Select Mail_Server Service: Select E-mail Click OK (Figure15-26) Figure15-26 Setting a Policy to access Mail Service by WAN to DMZ STEP 5. The policy for accessing the mail service from WAN to DMZ is complete.
STEP 6. Add the following setting in LAN to DMZ Policy: Click New Entry Destination Address: Select Mail_Server Service: Select E-mail Click OK (Figure15-28) Figure15-28 Setting a Policy to access Mail Service by LAN to DMZ STEP 7. The policy for accessing the mail service from LAN to DMZ is complete (Figure15-29) Figure15-29 Complete the Policy to access Mail Service by LAN to DMZ
STEP 8. Add the following setting in DMZ to WAN Policy: Click New Entry Source Address: Select Mail_Server Service: Select E-mail Click OK (Figure15-30) Figure15-30 Setting the Policy of Mail Service by DMZ to WAN STEP 9. The policy for the mail service from DMZ to WAN is complete.
Chapter 16 Mail Security
The Mail Security Configure function defines how the RS-3000 handles mail. In this chapter it is divided into Setting and Mail Relay. Mail sent to the internal Mail Server is first scanned by the RS-3000's Anti-Spam and Anti-Virus functions and is then handled according to the settings made in the Mail Relay function.
When unscanned mail is received, a tag is added in front of the e-mail subject.
To set up the RS-3000 as the Gateway (Mail Server in the DMZ, Transparent Mode) Preparation WAN Port IP: 61.11.11.11 Mail Server IP: 61.11.11.12 Map the DNS domain name obtained from the ISP (broadband.com.tw) to the DNS server IP, with the MX record set to the Mail Server IP. When an external sender sends mail to a recipient account in broadband.com.
To set up the RS-3000 between the original Gateway and the Mail Server (Mail Server in the DMZ, Transparent Mode) Preparation The original Gateway's LAN subnet: 172.16.1.0/16 WAN Port IP: 61.11.11.11 RS-3000's WAN Port IP: 172.16.1.12 Mail Server IP: 172.16.1.13 Map the DNS domain name (broadband.com.tw) to the DNS server IP, with the MX record set to the Mail Server IP. When a LAN (172.16.1.0/16) user uses a sender account in broadband.com.
The Headquarters sets up the RS-3000 as the Gateway (Mail Server in the DMZ, Transparent Mode) so that the branch company's employees can send mail via the Headquarters' Mail Server Preparation WAN Port IP of the RS-3000: 61.11.11.11 Mail Server IP: 61.11.11.12 WAN Port IP of the branch company's firewall: 211.22.22.22 Map the DNS domain name (broadband.com.
Chapter 17 Anti-Spam
The RS-3000 can filter the e-mail sent to the enterprise's mail server, so that accounts that communicate with the outside do not receive mass advertising or spam, and so the load on the mail server is reduced. It also spares users from having to pick out the messages they need from a mass of useless mail, and from deleting a needed mail by mistake while clearing spam.
Action of Spam Mail: mail classified as spam can be handled by Delete mail, Deliver to the recipient, or Forward to another mail account. After completing the relevant settings in the Mail Relay function of Configure, add the following settings in this function:
1. The Mail Server is placed in Internal (LAN or DMZ)
2. The threshold score: Enter 5
3. Add the message to the subject line: Enter ---spam---
4. Select Add score tag to the subject line
5. Select Deliver to the recipient
6.
When spam mail is received, the score tag and the message are added in front of the e-mail subject.
When ham mail is received, only the score tag is added in front of the e-mail subject (Figure17-3) Figure17-3 The subject of a mail that was classified as spam, WebUI
17.2 Rule
Define the required fields of Rule
Rule Name: the name of the custom spam-determination rule.
Comment: explains the purpose of the custom rule.
Combination: And: a mail must satisfy all of the rule's items to be classified as spam or ham. Or: a mail need satisfy only one of the rule's items to be classified as spam or ham.
Classification: when set to Spam, mail that matches the rule is classified as spam.
When Item is set to Header or Body, the available conditions are: Contains, Does Not Contain, Is Equal To, Is Not Equal To, Starts With, Ends With, Exist and Does Not Exist. When Item is set to Size, the available conditions are: More Than, Is Equal To, Is Not Equal To and Less Than. Pattern: enter the value the Item and Condition are compared against. For example, select the From item with the Contains condition and enter josh as the pattern.
17.3 Whitelist
Define the required fields of Whitelist
Whitelist: mail from (or to) a listed address is delivered to the recipient without restriction.
Direction: 【From】: judge by the sending address of the mail 【To】: judge by the receiving address of the mail
17.4 Blacklist
Define the required fields of Blacklist
Blacklist: mail from (or to) a listed address is not delivered to the recipient.
17.5 Training
Define the required fields of Training
Training Database: the System Manager can import or export the training database here.
Spam Mail for Training: the System Manager can import spam mails that the RS-3000 failed to classify as spam; after learning from the file, its spam detection rate improves.
Ham Mail for Training: the System Manager can import legitimate mails that the RS-3000 wrongly classified as spam, so that similar mail is delivered in future.
Advanced note: a mail server is the medium through which all e-mail on the Internet is sent and received. An e-mail address has the form account@server.name: the part before the @ is the account, the part after it is the name of the mail host. When you send e-mail to josh@yahoo.com.tw, your sending software first queries the DNS server for the domain's MX record and the mail host name and its mapped IP address.
The flow of delivering e-mail: the three key elements of sending e-mail are MUA, MTA and MDA. MUA (Mail User Agent): a client PC does not exchange mail with the network on its own; the user sends and receives mail through an MUA, the mail client supplied with or installed on the operating system. For example, Outlook Express in Windows is an MUA.
The delivery procedure, described from the sending side and the receiving side: if the user wants to send mail, the steps are as follows. Use the MUA to send mail to the MTA: the user enters the following settings when writing e-mail in the MUA: 1. The sender's e-mail address and mail server (the MTA that accepts the mail from the sender) 2.
2. Receiving e-mail: the MUA connects to the user's mailbox on the MTA by POP (Post Office Protocol) to read or download the mail in the mailbox. The common POP protocol today is POP3 (Post Office Protocol version 3), on port number 110. Generally an MTA that provides both sending and receiving needs at least two protocols, SMTP and POP3, and as long as your MUA and MTA both support SMTP and POP3 they can talk to each other.
To detect whether mail from an external mail server is spam STEP 1. Permit a PC in the LAN Address to receive mail from an external mail server. Its network card is set to 192.168.139.12 and DNS points to the external DNS server. STEP 2. Under LAN of the Address function, add the following settings: (Figure17-4) Figure17-4 Mapped IP of Internal User's PC in Address Book STEP 3. Add the following setting under Group of the Service function.
STEP 5. Add the following setting in Setting of the Anti-Spam function: (Figure17-7) Figure17-7 Action of Spam Mail and Spam Setting
The Anti-Spam function is enabled by default, so the System Manager needs no additional setting for the RS-3000 to filter spam in mail sent to the internal mail server or received from an external mail server. (Figure17-8) Figure17-8 Default Value of Spam Setting To filter only the mail that internal users receive from external servers: 1.
STEP 6. When internal users receive mail from an external mail account (js1720@ms21.pchome.com.tw), the RS-3000 filters the mail as it passes and records it in the chart under Spam Mail of the Anti-Spam function (choose External to see the chart for external mail accounts). (Figure17-9) Figure17-9 Report Function Chart Complete the relevant settings in the Mail Relay function of Configure to be able to display scanned mail sent to the internal Mail Server as well.
Use the RS-3000 as the Gateway and filter mail with the Whitelist and Blacklist (Mail Server in the DMZ, Transparent Mode). STEP 1. Set up a mail server in the DMZ with its network card IP set to 61.11.11.12, DNS pointing to the external DNS server, and host name broadband.com.
STEP 5. Enter the following setting in DMZ to WAN Policy: (Figure17-13) Figure17-13 DMZ to WAN Policy Setting STEP 6. Enter the following setting in the Mail Relay function of Setting: (Figure17-14) Figure17-14 Mail Relay Setting of External Mail to Internal Mail Server The Mail Relay function lets mail sent to the DMZ's mail server be relayed by the RS-3000 to the mapped mail server.
STEP 7. Enter the following setting in the Setting function of Anti-Spam: (Figure17-15) Figure17-15 Spam Setting and Action of Spam Mail When Delete mail is selected in Action of Spam Mail, the other actions (Deliver to the recipient, Forward to) cannot be selected, so mail the RS-3000 classifies as spam is deleted immediately; the relevant chart can still be checked in the Spam Mail function. The Action of Spam Mail set here is also applied to mail that the Blacklist classifies as spam.
STEP 8. Enter the following setting in Whitelist of the Anti-Spam function: Click New Entry Whitelist: Enter share2k01@yahoo.com.tw Direction: Select From Enable Auto-Training Click OK (Figure17-16) Click New Entry again Whitelist: Enter josh@broadband.com.
Figure17-18 Complete Whitelist Setting When Auto-Training is enabled, mail that matches the Whitelist setting is automatically trained as Ham Mail according to the time setting in the Training function.
STEP 9. Enter the following setting in Blacklist of the Anti-Spam function: Click New Entry Blacklist: Enter *yahoo* Direction: Select From Enable Auto-Training Click OK (Figure17-19) Complete the setting (Figure17-20) Figure17-19 Add Blacklist Setting Figure17-20 Complete Blacklist Setting When Auto-Training is enabled, mail that matches the Blacklist setting is automatically trained as Spam Mail according to the time setting in the Training function.
STEP 10. When an external Yahoo mail account sends mail to the recipient accounts josh@broadband.com.tw and steve@broadband.com.tw on the broadband.com.tw mail server behind the RS-3000: if the sender account is share2k01@yahoo.com.tw, both recipient accounts receive the mail. If it comes from another Yahoo sender account (share2k003@yahoo.com.tw), then only josh@broadband.com.
Place the RS-3000 between the original Gateway and the Mail Server and set up Rules to filter mail (Mail Server in the DMZ, Transparent Mode). The LAN subnet of the enterprise's original Gateway: 172.16.1.0/16 The WAN IP of the RS-3000: 172.16.1.12 STEP 1. Set up a Mail Server in the DMZ with its network card IP set to 172.16.1.13, DNS pointing to the external DNS server, and host name broadband.com.
STEP 4. Enter the following setting in WAN to DMZ Policy: (Figure17-24) Figure17-24 WAN to DMZ Policy Setting STEP 5. Enter the following setting in DMZ to WAN Policy: (Figure17-25) Figure17-25 DMZ to WAN Policy Setting STEP 6. Add the following setting in Mail Relay of Configure: (Figure17-26) Figure17-26 Mail Relay Setting of External Mail to Internal Mail Server
STEP 7. Enter the following setting in Rule of the Anti-Spam function: Click New Entry Rule Name: Enter HamMail Comments: Enter Ham Mail Combination: Select Or Classification: Select Ham (Non-Spam) Enable Auto-Training In the first Item field: Select From; Condition: Select Contains; Pattern: share2k01 Click Next Row In the second Item field: Select To; Condition: Select Contains; Pattern: josh (Figure17-27) Press OK (Figure17-28) Figure17-27 The First Rule Item Setting F
STEP 8. Enter the following setting in Rule of the Anti-Spam function: Click New Entry Rule Name: Enter SpamMail Comments: Enter Spam Mail Combination: Select And Classification: Select Spam Action: Select Deliver to the recipient Enable Auto-Training Item: Select From; Condition: Select Contains; Pattern: yahoo (Figure17-29) Press OK (Figure17-30) Figure17-29 The Second Rule Setting Figure17-30 Complete the Second Rule Setting In Rule Setting, when the Classification select
Rule takes precedence over Whitelist and Blacklist, and within Rule an earlier rule takes precedence over a later one. So when the RS-3000 filters spam it applies Rule first, then Whitelist, and Blacklist last. Select one of the mails in Outlook Express, right-click it, select Properties, and select Details in the window that opens.
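The precedence just stated is easy to get wrong when several entries match the same mail, so the following Python model, added here as an example and not part of the RS-3000 or this manual, implements the Rule items and conditions from 17.2, the Whitelist and Blacklist with From/To direction and * wildcards from 17.3 and 17.4, and the evaluation order Rule (earlier rule wins), then Whitelist, then Blacklist, then the threshold score; it also reproduces the subject tagging from 17.1 (message plus score tag for spam, score tag only for ham). The message fields, case-insensitive matching, the score value (assumed to be supplied by the content filter) and the exact layout of the subject tag are assumptions; the sample mails are constructed from the addresses used in STEP 7 to STEP 10 above.

```python
# Added example: Rule / Whitelist / Blacklist evaluation in the precedence the
# manual states (Rule first, earlier rule wins; then Whitelist; then Blacklist;
# finally the score threshold). Not the appliance's code; the message fields,
# case-insensitive matching and the subject-tag layout are assumptions.
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import List, Tuple


@dataclass
class Mail:
    sender: str
    recipient: str
    subject: str
    body: str
    size: int        # bytes
    score: float     # score assigned by the content filter (assumed given)

    def field(self, item: str) -> str:
        header = f"From: {self.sender}\nTo: {self.recipient}\nSubject: {self.subject}"
        return {"From": self.sender, "To": self.recipient, "Subject": self.subject,
                "Body": self.body, "Header": header}[item]


def condition_holds(value, condition: str, pattern: str) -> bool:
    """Apply one Condition from the Rule page to a field value."""
    if isinstance(value, int):                      # Size item
        n = int(pattern)
        return {"More Than": value > n, "Less Than": value < n,
                "Is Equal To": value == n, "Is Not Equal To": value != n}[condition]
    v, p = value.lower(), pattern.lower()
    return {"Contains": p in v, "Does Not Contain": p not in v,
            "Is Equal To": v == p, "Is Not Equal To": v != p,
            "Starts With": v.startswith(p), "Ends With": v.endswith(p),
            "Exist": bool(v), "Does Not Exist": not v}[condition]


@dataclass
class Rule:
    name: str
    combination: str                      # "And" (all items) or "Or" (any item)
    classification: str                   # "Spam" or "Ham"
    items: List[Tuple[str, str, str]]     # (Item, Condition, Pattern)

    def matches(self, mail: Mail) -> bool:
        results = [condition_holds(mail.size if item == "Size" else mail.field(item), cond, pat)
                   for item, cond, pat in self.items]
        return all(results) if self.combination == "And" else any(results)


def classify(mail: Mail, rules, whitelist, blacklist, threshold: float = 5.0):
    """whitelist/blacklist entries are (Direction, pattern) with * and ? wildcards,
    e.g. ("From", "*yahoo*"). Returns (verdict, reason)."""
    for rule in rules:                              # first matching rule wins
        if rule.matches(mail):
            return rule.classification.lower(), f"rule {rule.name}"
    for direction, pattern in whitelist:
        if fnmatch(mail.field(direction).lower(), pattern.lower()):
            return "ham", f"whitelist {pattern}"
    for direction, pattern in blacklist:
        if fnmatch(mail.field(direction).lower(), pattern.lower()):
            return "spam", f"blacklist {pattern}"
    return ("spam" if mail.score >= threshold else "ham"), "score"


def tag_subject(mail: Mail, verdict: str, message: str = "---spam---") -> str:
    """Spam gets the message and the score tag; ham gets the score tag only."""
    tag = f"[{mail.score:.1f}]"
    return f"{message} {tag} {mail.subject}" if verdict == "spam" else f"{tag} {mail.subject}"
```

With the two rules from STEP 7 and STEP 8, a mail from share2k003@yahoo.com.tw to josh is ham even though the SpamMail rule also matches it, because the HamMail rule is listed first; the same mail to steve is spam.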
Use Training function of the RS-3000 to make the mail be determined as Spam mail or Ham mail after Training. (Take Outlook Express for example) To make the spam mail that had not detected as spam mail be considered as spam mail after training. STEP 1﹒Create a new folder SpamMail in Outlook Express: Press the right key of the mouse and select New Folder. (Figure17-32) In Create Folder WebUI and enter the Folder’s Name as SpamMail, and then click on OK.
Figure17-33 Create Folder WebUI 181
STEP 2﹒In Inbox-Outlook Express, move spam mail to SpamMail Folder: In Inbox, select all of the spam mails that do not judge correctly and press the right key of the mouse and move to the folder.
Figure17-35 Select Folder for Spam Mail to move to 183
STEP 3﹒Compress the SpamMail Folder in Outlook Express to shorten the data and upload to RS-3000 for training: Select SpamMail Folder (Figure17-36) Select Compact function in selection of the folder (Figure17-37) Figure17-36 Select SpamMail Folder 184
Figure17-37 Compact SpamMail Folder 185
STEP 4﹒To copy the route of SpamMail File in Outlook Express to convenient to upload the training to RS-3000: Press the right key of the mouse in SpamMail file and select Properties function. (Figure17-38) Copy the file address in SpamMail Properties WebUI.
Figure17-39 Copy the File Address that SpamMail File Store 187
STEP 5﹒Paste the route of copied from SpamMail file to the Spam Mail for Training field in Training function of Anti-Spam. And press OK to deliver this file to RS-3000 instantly and to learn the uploaded mail file as spam mail in the appointed time. (Figure17-40) Figure17-40 Paste the File Address that SpamMail File Save to make RS-3000 to be Trained The training file that uploads to RS-3000 can be any data file and not restricted in its sub-name, but the file must be ACS11 form.
STEP 6. Remove all mails from the SpamMail folder in Outlook Express so that new mails can be compacted and uploaded to the RS-3000 for training directly next time: select all mails in the SpamMail folder, right-click, and select Delete (Figure 17-41). Make sure that all mails in the SpamMail folder have been deleted completely.
Figure 17-42 Confirm that All Mail in the SpamMail Folder has been Deleted
To have mail that was judged as spam be received by the recipient after training:
STEP 1. Add a new HamMail folder in Outlook Express: right-click Local Folders and select New Folder (Figure 17-43). Enter HamMail as the folder name in the Create Folder dialog and click OK.
Figure 17-44 Create Folder dialog
STEP 2. In the Outlook Express Inbox, move the wrongly flagged spam mail to the HamMail folder: in the Inbox, select the spam mail that the recipients actually need, right-click it, and choose Move to Folder (Figure 17-45). Select the HamMail folder in the Move dialog and click OK.
Figure 17-46 Select the Folder to Move Needed Spam Mail to
STEP 3. Compact the HamMail folder in Outlook Express to reduce the data size, then upload it to the RS-3000 for training: select the HamMail folder (Figure 17-47) and choose the Compact function from the folder menu (Figure 17-48).
Figure 17-47 Select HamMail Folder
Figure 17-48 Compact HamMail Folder
STEP 4. Copy the path of the HamMail folder in Outlook Express so that it can be uploaded to the RS-3000 for training: right-click the HamMail folder and select Properties (Figure 17-49). Copy the file path shown in the HamMail Properties dialog.
Figure 17-50 Copy the File Path where the HamMail File is Stored
STEP 5. Paste the copied path of the HamMail file into the Ham Mail for Training field of the Training function in Anti-Spam, then click OK. The file is transferred to the RS-3000 immediately, and the uploaded mail file is learned as ham at the scheduled time.
STEP 6. Remove all mails from the HamMail folder in Outlook Express so that new mails can be compacted and uploaded to the RS-3000 for training directly next time: select all mails in the HamMail folder, right-click, and select Delete (Figure 17-52). Make sure that all mails in the HamMail folder have been deleted completely.
Chapter 18 Anti-Virus
The RS-3000 can scan mail sent to the internal mail server and prevent enterprise e-mail accounts from receiving mail that contains a virus; such mail could otherwise infect internal PCs and cause the loss of important enterprise data.
Action of Infected Mail: mail detected as containing a virus can be handled by Delete mail, Deliver to the recipient, or Forward to another mail account.
After completing the relevant settings in the Mail Relay function of Configure, add the following settings in this function:
1. Virus Scanner: select Clam.
2. The Mail Server is placed in Internal (LAN or DMZ).
3. Add the message to the subject line: ---virus---
4. Select Remove virus mail and the attached file.
5. Select Deliver to the recipient.
6. Add the message ---virus--- to the subject line of infected mail (Figure 18-2).
Figure 18-2 The Subject of Infected Mail WebUI
When Disable is selected in Virus Scanner, virus detection for e-mail is stopped.
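The settings above (tag the subject with ---virus---, remove the attached file, then Delete, Deliver to the recipient or Forward) describe a small decision for each infected message, and the procedure later in this chapter adds a fourth choice, Deliver a notification mail instead of the original virus mail. The following is an added example, written for this manual and not RS-3000 code, that applies those actions to a message with the Python standard email package; the sample message, the addresses and the admin address are constructed, and the scanner's verdict is assumed to have already been made.

```python
"""Added example: applying the Action of Infected Mail settings to a message.
Illustrative Python using the standard email package, not RS-3000 code."""
from email import message_from_bytes, policy
from email.message import EmailMessage

SUBJECT_TAG = "---virus---"   # the text configured in "Add the message to the subject line"


def build_sample_message() -> bytes:
    """Constructed sample mail: a text body plus one attachment of harmless bytes."""
    m = EmailMessage()
    m["From"] = "sender@example.test"           # constructed address
    m["To"] = "josh@broadband.com.tw"           # recipient account used in this chapter
    m["Subject"] = "Quarterly report"
    m.set_content("Please see the attached file.")
    m.add_attachment(b"placeholder bytes, not real content", maintype="application",
                     subtype="octet-stream", filename="attachment.bin")
    return m.as_bytes()


def strip_attachments(msg):
    """Return (copy of msg keeping only its text body, names of removed attachments)."""
    removed = [part.get_filename() for part in msg.iter_attachments()]
    body = msg.get_body(preferencelist=("plain", "html"))
    out = EmailMessage()
    for name in ("From", "To", "Date", "Message-ID"):
        if msg[name]:
            out[name] = msg[name]
    out["Subject"] = msg["Subject"] or ""
    if body is not None:
        out.set_content(body.get_content(), subtype=body.get_content_subtype())
    else:
        out.set_content("")
    return out, removed


def tag_subject(msg, tag=SUBJECT_TAG):
    """Prefix the subject with the configured tag (once)."""
    subject = msg["Subject"] or ""
    if not subject.startswith(tag):
        del msg["Subject"]
        msg["Subject"] = f"{tag} {subject}".strip()
    return msg


def apply_infected_mail_action(raw: bytes, action: str, forward_to=None,
                               remove_attachment=True, admin="admin@example.test"):
    """action: 'delete', 'deliver', 'forward' or 'notify'.

    Returns the message to send on (with its new recipient already set), or
    None when the message is dropped. 'notify' builds a fresh notification
    instead of passing on any part of the original (admin is a constructed address)."""
    msg = message_from_bytes(raw, policy=policy.default)
    if action == "delete":
        return None
    if action == "notify":
        note = EmailMessage()
        note["From"] = admin
        note["To"] = msg["To"]
        note["Subject"] = f"{SUBJECT_TAG} {msg['Subject'] or ''}".strip()
        note.set_content(f"A message from {msg['From']} was blocked because a virus was detected.")
        return note
    removed = []
    if remove_attachment:
        msg, removed = strip_attachments(msg)
    tag_subject(msg)
    if action == "forward":
        if not forward_to:
            raise ValueError("forward requires a forward_to address")
        del msg["To"]
        msg["To"] = forward_to
    elif action != "deliver":
        raise ValueError(f"unknown action {action!r}")
    msg["X-Removed-Attachments"] = ", ".join(removed) if removed else "none"
    return msg


if __name__ == "__main__":
    raw = build_sample_message()
    delivered = apply_infected_mail_action(raw, "deliver")
    print(delivered["Subject"], "|", delivered["X-Removed-Attachments"])
```

Delete and the other actions are mutually exclusive here for the same reason the WebUI greys them out: once the message is dropped there is nothing left to tag, deliver or forward.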
Define the required fields of Virus Mail:
Top Total Virus: shows a chart of the virus mail received by each recipient and sent by each sender. In the Top Total Virus report, you can choose to display scanned mail sent to the Internal Mail Server or received from the External Mail Server. In Top Total Virus, the mail can be sorted by Recipient or Sender, by Total Virus, or by Scanned Mail.
To detect whether mail received from an external mail server contains a virus:
STEP 1. In LAN Address, permit a PC to receive mail from the external mail server. Its network card is set to 192.168.139.12, and its DNS setting is the DNS server.
STEP 2. In LAN of the Address function, add the following settings (Figure 18-3).
Figure 18-3 Mapped IP of Internal User's PC in Address Book
STEP 3. Add the following setting in Group of Service.
STEP 5. Add the following settings in Setting of the Anti-Virus function (Figure 18-6):
Virus Scanner: select Clam
The Mail Server is placed in External (WAN)
Add the message to the subject line: ---virus---
Select Deliver a notification mail instead of the original virus mail
Figure 18-6 Action of Infected Mail and Anti-Virus Settings
The Anti-Virus function is enabled by default.
STEP 6. When internal users receive mail from the external mail account (js1720@ms21.pchome.com.tw), the RS-3000 scans the mail at the same time, and the chart appears under Virus Mail in the Anti-Virus function (choose External to see the chart for that mail account) (Figure 18-7).
Figure 18-7 Report Function Chart
Set up the relevant settings in the Mail Relay function of Configure so that scanned mail sent to the Internal Mail Server can be displayed as well.
To detect whether mail sent to the Internal Mail Server contains a virus (Mail Server in the LAN, NAT mode):
WAN IP of RS-3000: 61.11.11.12
LAN subnet of RS-3000: 192.168.2.0/24
STEP 1. Set up a mail server in the LAN and set its network card IP to 192.168.2.12. The DNS setting is the external DNS server, and the master name is broadband.com.
STEP 5. Enter the following setting in Incoming Policy (Figure 18-11).
Figure 18-11 Incoming Policy Setting
STEP 6. Enter the following setting in Outgoing Policy (Figure 18-12).
Figure 18-12 Outgoing Policy Setting
STEP 7. Enter the following setting in the Mail Relay function of Configure (Figure 18-13).
Figure 18-13 Mail Relay Setting of External Mail to Internal Mail Server
The Mail Relay function lets mail sent to the LAN mail server be relayed by the RS-3000 to its mapped mail server.
STEP 8. Add the following settings in Setting of the Anti-Virus function (Figure 18-14):
Virus Scanner: select Clam
The Mail Server is placed in Internal (LAN or DMZ)
Add the message to the subject line: ---virus---
Action of Infected Mail: select Deliver to the recipient
Figure 18-14 Infected Mail Definition and Action of Infected Mail
When Delete mail is selected in Action of Infected Mail, the other actions (Deliver to the recipient, Forward to) cannot be selected.
STEP 9. An external Yahoo mail account sends mail to the recipient account josh@broadband.com.tw on the broadband.com.tw mail server behind the RS-3000. Mail from the sender account share2k01@yahoo.com.tw includes a virus in its attached file; mail from the other Yahoo sender account, share2k003@yahoo.com.tw, has a safe attached file with no virus. After the RS-3000 has scanned the mails above, it displays the following chart in the Virus Mail function of Anti-Virus.
Chapter 19 IDP
The RS-3000 can detect anomalous traffic and notify the MIS engineer to handle the situation, in order to prevent suspicious programs from invading the destination PC. In other words, the RS-3000 provides instant network security protection by detecting internal or external attacks, enhancing the stability of the enterprise network.
19.1 Setting
The RS-3000 can update signature definitions every 30 minutes, or the MIS engineer can choose to update manually.
Set default action of all signatures: Internet attack risks are classified as High, Medium and Low. The MIS engineer can select the action (Pass or Drop) and Log for the default signatures.
In IDP Configure Setting, add the following settings:
1. Select Enable Anti-Virus.
2. High Risk: select Drop and Log.
3. Medium Risk: select Drop and Log.
4. Low Risk: select Pass and Log.
5. Click OK (Figure 19-1).
6. Select Enable IDP in Policy.
19.2 Signature
The RS-3000 provides three kinds of matching rules, Anomaly, Pre-defined and Custom, for different attack types. Anomaly signatures detect and prevent anomalous traffic and packets via signature updates. Pre-defined signatures likewise detect and prevent intrusions via signature updates. Neither the anomaly nor the pre-defined signatures can be deleted or modified.
Pre-defined: the pre-defined signatures contain 5 general classifications, including Backdoor, DDoS, DoS, Exploit, NetBIOS and Spyware. Each type also includes its attack signatures, and the user can enable specific signature defenses as required (Figure 19-3). The user can modify the signature action (pass or drop) and the log setting in each type. The RS-3000 displays each attack signature's attributes: Name, Risk, Action and Log.
To detect anomalous traffic and packets with the custom and pre-defined settings, in order to detect and prevent intrusion:
STEP 3. In Signature Custom, add the following setting: click New Entry (Figure 19-6).
Name: enter Software_Crack_Website
Protocol: select TCP
Source Port: enter 0:65535
Destination Port: enter 80:80
Risk: select High
Action: select Drop and Log
Content: enter cracks
Click OK to complete the setting.
STEP 4. In Policy Outgoing, add the new policy and enable IDP (Figures 19-8, 19-9).
Figure 19-8 The IDP setting in Policy
Figure 19-9 Complete the IDP setting in Policy
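To make concrete what the custom signature in STEP 3 and the default actions in 19.1 mean for a packet, here is an added example, written for this manual and not RS-3000 firmware, that models a custom signature as the WebUI fields (protocol, source and destination port ranges, risk, content, action, log) and evaluates constructed packets against it. The matcher, the packet layout and the host name example.test are assumptions; the per-risk defaults are the ones configured in 19.1.

```python
"""Added example: a minimal model of how an IDP custom signature such as the
one in STEP 3 is evaluated. Illustrative Python, not RS-3000 firmware."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Default action and log flag per risk level, as configured in 19.1 Setting.
DEFAULT_ACTIONS = {
    "High": ("Drop", True),
    "Medium": ("Drop", True),
    "Low": ("Pass", True),
}


def parse_port_range(spec: str) -> Tuple[int, int]:
    """Parse 'low:high' as entered in the WebUI, e.g. '0:65535' or '80:80'."""
    low, high = (int(x) for x in spec.split(":"))
    if not 0 <= low <= high <= 65535:
        raise ValueError(f"bad port range {spec!r}")
    return low, high


@dataclass
class CustomSignature:
    name: str
    protocol: str                  # 'TCP' or 'UDP'
    src_ports: str                 # 'low:high'
    dst_ports: str                 # 'low:high'
    risk: str                      # 'High', 'Medium' or 'Low'
    content: bytes                 # byte string searched for in the payload
    action: Optional[str] = None   # None -> default action for the risk level
    log: Optional[bool] = None     # None -> default log flag for the risk level

    def matches(self, pkt: dict) -> bool:
        if pkt["proto"] != self.protocol:
            return False
        s_lo, s_hi = parse_port_range(self.src_ports)
        d_lo, d_hi = parse_port_range(self.dst_ports)
        if not (s_lo <= pkt["sport"] <= s_hi and d_lo <= pkt["dport"] <= d_hi):
            return False
        return self.content in pkt["payload"]

    def verdict(self) -> Tuple[str, bool]:
        default_action, default_log = DEFAULT_ACTIONS[self.risk]
        return (self.action or default_action,
                default_log if self.log is None else self.log)


def evaluate(pkt: dict, signatures) -> Tuple[str, bool, Optional[str]]:
    """Return (action, log, signature name) for the first matching signature;
    a packet that matches nothing is passed without logging."""
    for sig in signatures:
        if sig.matches(pkt):
            action, log = sig.verdict()
            return action, log, sig.name
    return "Pass", False, None


# The signature entered in STEP 3 of this section.
SOFTWARE_CRACK_WEBSITE = CustomSignature(
    name="Software_Crack_Website", protocol="TCP",
    src_ports="0:65535", dst_ports="80:80",
    risk="High", content=b"cracks", action="Drop", log=True)

# Constructed sample packets (not captured traffic); the host name is assumed.
SAMPLE_PACKETS = [
    {"proto": "TCP", "sport": 51234, "dport": 80,
     "payload": b"GET /downloads/cracks/ HTTP/1.1\r\nHost: example.test\r\n"},
    {"proto": "TCP", "sport": 51235, "dport": 443, "payload": b"cracks"},   # wrong port
    {"proto": "UDP", "sport": 51236, "dport": 80, "payload": b"cracks"},    # wrong protocol
    {"proto": "TCP", "sport": 51237, "dport": 80,
     "payload": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"},     # no content match
]


def run_samples():
    return [evaluate(p, [SOFTWARE_CRACK_WEBSITE]) for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    for pkt, (action, log, name) in zip(SAMPLE_PACKETS, run_samples()):
        print(pkt["proto"], pkt["dport"], "->", action, "log" if log else "", name or "")
```

Only the first packet matches all four conditions (TCP, any source port, destination port 80, payload containing cracks) and is dropped and logged; the other three fall through to Pass, which is why a signature's port and protocol fields matter as much as its content string.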
19.3 IDP Report
The RS-3000 can display the IDP records as statistics and as a log, so the enterprise can easily know the status of the whole network.
STEP 1. In IDP Report Log, the IDP status of the RS-3000 is shown.
Figure 19-9 The IDP log
The icons in the Log are described as follows:
1. Action: Pass, Drop
2.
Chapter 20 Anomaly Flow IP
When the RS-3000 detects attacks from hackers or from internal PCs that are sending large DDoS attacks, Anomaly Flow IP starts blocking those packets to keep the whole network running.
To raise an RS-3000 alarm and prevent a computer that has been compromised from sending DDoS packets into the LAN:
STEP 2. Select the Anomaly Flow IP setting and enter the following:
Enter The threshold sessions of anomaly flow (per Source IP) (the default value is 100 Sessions/Sec)
Select Enable Anomaly Flow IP Blocking and enter the Blocking Time (the default is 600 seconds)
Select Enable E-Mail Alert Notification
Select Enable NetBIOS Alert Notification
IP Address of Administrator: enter 192.168.1.
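The two numbers in STEP 2, a session threshold per source IP per second and a blocking time, define a simple rate limiter. The following added example, written for this manual and not RS-3000 firmware, implements that logic as a sliding one-second window per source IP and replays a constructed burst through it with the defaults (100 sessions/sec, 600 seconds); the two host addresses are constructed.

```python
"""Added example: a sliding-window model of the Anomaly Flow IP settings
(threshold sessions per source IP per second, blocking time). Illustrative
Python, not RS-3000 firmware; the session events are constructed."""
from collections import defaultdict, deque


class AnomalyFlowIP:
    def __init__(self, threshold=100, window=1.0, blocking_time=600.0):
        self.threshold = threshold          # sessions per source IP per window
        self.window = window                # seconds; the manual's rate is per second
        self.blocking_time = blocking_time  # seconds a source stays blocked
        self.recent = defaultdict(deque)    # src_ip -> timestamps inside the window
        self.blocked_until = {}             # src_ip -> time the block expires
        self.alerts = []                    # (src_ip, time) for E-Mail/NetBIOS alerting

    def new_session(self, src_ip: str, now: float) -> str:
        """Record one new session from src_ip at time now; return 'allowed' or 'blocked'."""
        expiry = self.blocked_until.get(src_ip)
        if expiry is not None:
            if now < expiry:
                return "blocked"            # still inside the blocking time
            del self.blocked_until[src_ip]  # block expired; count afresh
        stamps = self.recent[src_ip]
        stamps.append(now)
        while stamps and now - stamps[0] >= self.window:
            stamps.popleft()                # forget sessions older than the window
        if len(stamps) > self.threshold:
            self.blocked_until[src_ip] = now + self.blocking_time
            self.alerts.append((src_ip, now))
            stamps.clear()
            return "blocked"
        return "allowed"


def simulate():
    """Constructed scenario: one host opens 150 sessions in 0.75 s, another 5 in 0.5 s."""
    det = AnomalyFlowIP(threshold=100, blocking_time=600)
    counts = {"allowed": 0, "blocked": 0}
    t0 = 1000.0
    for i in range(150):
        counts[det.new_session("192.168.1.50", t0 + i / 200)] += 1
    quiet = [det.new_session("192.168.1.60", t0 + i / 10) for i in range(5)]
    during_block = det.new_session("192.168.1.50", t0 + 300)   # 300 s later: still blocked
    after_block = det.new_session("192.168.1.50", t0 + 1000)   # 1000 s later: block expired
    return counts, det.alerts, quiet, during_block, after_block


if __name__ == "__main__":
    counts, alerts, quiet, during_block, after_block = simulate()
    print(counts, alerts, quiet, during_block, after_block)
```

The bursting host gets its first 100 sessions through, is blocked on the 101st (which is when the alert would be sent), stays blocked for the remaining 49 and for the whole 600-second blocking time, and is admitted again once that time has passed; the quiet host is never affected.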
Chapter 21 Log
The Log records all connections that pass through the RS-3000's control policies. The information is classified as Traffic Log, Event Log, and Connection Log. The Traffic Log's parameters are set up when policies are created. Traffic logs record the details of packets for each control policy, such as the start and stop time of a connection, its duration, the source address, the destination address, and the services requested.
To see which protocols and ports users use to access the Internet or intranet through the RS-3000:
STEP 1. Add a new policy in DMZ to WAN of Policy and select Enable Logging (Figure 21-1).
Figure 21-1 Logging Policy Setting
STEP 2. Complete the Logging Setting in the DMZ to WAN Policy (Figure 21-2).
Figure 21-2 Complete the Logging Setting of DMZ to WAN
STEP 3. Click Traffic Log. The records of packets that passed this policy are shown.
STEP 4. Click a specific IP in Source IP or Destination IP in Figure 20-3; a WebUI showing the Protocol and Port of that IP pops up.
STEP 5. Click Download Logs. The RS-3000 opens the recorded log as a Notepad file, and the user can choose where to save it on the PC.
To record the detailed management events of the Administrator (such as the Interface and event description of the RS-3000):
STEP 1. Click Event Log in LOG. The management event records of the administrator are shown (Figure 21-6).
Figure 21-6 Event Log WebUI
STEP 2. Click Download Logs. The RS-3000 opens the recorded log as a Notepad file, and the user can choose where to save it on the PC.
To see the event description of WAN connections:
STEP 1. Click Connection in LOG. The WAN connection records of the RS-3000 are shown.
STEP 2. Click Download Logs. The RS-3000 opens the recorded log as a Notepad file, and the user can choose where to save it on the PC (Figure 21-9).
Figure 21-9 Download Connection Log Records WebUI
If the content of the Notepad file is not in order, open the file with WordPad, MS Word or Excel instead; the logs are then displayed in good order.
To save or receive the records sent by the RS-3000:
STEP 1. Enter Setting in System, select Enable E-mail Alert Notification and complete the settings (Figure 21-10).
Figure 21-10 E-mail Setting WebUI
STEP 2. Enter Log Backup in Log, select Enable Log Mail Support and click OK (Figure 21-11).
Figure 21-11 Log Mail Configuration WebUI
After Log Mail Support is enabled, each time the log reaches 300 Kbytes the accumulated log records are sent out immediately.
STEP 3. Enter Log Backup in Log and enter the following in Syslog Settings:
Select Enable Syslog Messages
Enter the IP address of the host that will receive the Syslog in Syslog Host IP Address
Enter the receiving port in Syslog Host Port
Click OK to complete the setting (Figure 21-12)
Figure 21-12 Syslog Messages Setting WebUI
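The Syslog Host IP Address and Syslog Host Port in STEP 3 are simply a UDP listener on the collecting machine. As an added example, not RS-3000 code, here is a minimal receiver that binds that address and port, splits each datagram into facility, severity, timestamp, host and message in the usual RFC 3164 layout, and flags records at warning severity or worse. The sample lines are constructed in generic syslog form to exercise the parser; they are not the RS-3000's actual log format, which the manual does not show.

```python
"""Added example: a minimal receiver for Syslog messages sent to the Syslog
Host IP Address / Port configured in STEP 3. Illustrative Python, not RS-3000
code; the sample lines are constructed and not the RS-3000's real format."""
import re
import socket
import threading

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
              6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp"}
FACILITIES.update({16 + i: f"local{i}" for i in range(8)})

# <PRI>Mmm dd hh:mm:ss HOSTNAME MESSAGE   (RFC 3164 layout)
_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")


def parse_syslog(line: str) -> dict:
    """Split one syslog line into facility, severity, timestamp, host and message."""
    m = _RFC3164.match(line.rstrip("\r\n"))
    if m is None:
        raise ValueError(f"not an RFC 3164 line: {line!r}")
    pri = int(m["pri"])
    if pri > 191:                          # highest valid PRI: facility 23, severity 7
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)    # PRI = facility * 8 + severity
    return {"facility": FACILITIES.get(facility, str(facility)),
            "severity": SEVERITIES[severity],
            "timestamp": m["ts"], "host": m["host"], "message": m["msg"]}


def needs_attention(record: dict, worst_ok: str = "warning") -> bool:
    """True for warning (4) and anything more urgent; a lower index is more severe."""
    return SEVERITIES.index(record["severity"]) <= SEVERITIES.index(worst_ok)


def receive_on(sock: socket.socket, count: int) -> list:
    """Collect count datagrams from an already-bound UDP socket and parse them."""
    records = []
    while len(records) < count:
        data, _ = sock.recvfrom(65535)
        records.append(parse_syslog(data.decode("utf-8", "replace")))
    return records


def receive(host: str, port: int, count: int, timeout: float = 5.0) -> list:
    """Bind the Syslog Host IP Address / Port from STEP 3 and collect count records."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((host, port))
        sock.settimeout(timeout)
        return receive_on(sock, count)


SAMPLE_LINES = [  # constructed; generic RFC 3164 form, not the RS-3000's real log format
    "<134>Jan 12 10:15:02 RS-3000 traffic: policy=DMZ-to-WAN src=192.168.2.12 dst=203.0.113.5 service=HTTP",
    "<132>Jan 12 10:15:07 RS-3000 anomaly-flow: src=192.168.1.50 sessions=150/s blocked=600s",
    "<38>Jan 12 10:16:40 RS-3000 event: administrator login from 192.168.1.20",
]


def demo_loopback() -> list:
    """Send the sample lines over UDP to a local receiver and return what it parsed."""
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    server.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    server.settimeout(5.0)
    port = server.getsockname()[1]
    result = []
    worker = threading.Thread(target=lambda: result.extend(receive_on(server, len(SAMPLE_LINES))))
    worker.start()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as client:
        for line in SAMPLE_LINES:
            client.sendto(line.encode(), ("127.0.0.1", port))
    worker.join()
    server.close()
    return result


if __name__ == "__main__":
    for rec in demo_loopback():
        flag = "ALERT" if needs_attention(rec) else "     "
        print(flag, rec["facility"], rec["severity"], rec["host"], rec["message"])
```

Because syslog over UDP is unauthenticated and unencrypted, a collector that accepts datagrams from any source will happily ingest forged lines; restrict the listener to the RS-3000's address (for example with a host firewall rule) and keep the collector on the management network.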
Chapter 22 Accounting Report
The Administrator can use the Accounting Report to query LAN IP users and WAN IP users, and to gather statistics on Downstream/Upstream, First packet/Last packet/Duration and Service for all user IPs that pass through the RS-3000.
Define the required fields of Accounting Report:
Accounting Report Setting: the Accounting Report function records the traffic information between the intranet and external PCs passing through the RS-3000.
Inbound Accounting Report: the downstream/upstream statistics for all kinds of communication services; the Inbound Accounting Report is shown when an Internet user connects to a LAN service server via the RS-3000.
Source IP: the IP address used by WAN users who pass through the RS-3000
Destination IP: the IP address used by the LAN service server behind the RS-3000
Service: the communication service listed in the menu when WAN users connect to the LAN service server through the RS-3000
Outbound
STEP 1. Enable the items for the Outbound Accounting Report in Setting of the Accounting Report function (Figure 22-1).
Figure 22-1 Accounting Report Setting
STEP 2. Enter Outbound in Accounting Report and select Source IP to query the statistics of Send/Receive packets, Downstream/Upstream, and First packet/Last packet/Duration for the LAN or DMZ user IPs that pass through the RS-3000 (Figure 22-2).
TOP: select the data you want to review; 10 results are presented per page.
Reset Counter: click the Reset Counter button to refresh the Accounting Report.
Figure 22-2 Outbound Source IP Statistics Report
STEP 3. Enter Outbound in Accounting Report and select Destination IP to query the statistics of Send/Receive packets, Downstream/Upstream, and First packet/Last packet/Duration for the WAN servers reached through the RS-3000 (Figure 22-3).
TOP: select the data you want to view; 10 results are presented per page.
Figure 22-3 Outbound Destination IP Statistics Report
STEP 4. Enter Outbound in Accounting Report and select Top Services to query the statistics page of Send/Receive packets, Downstream/Upstream, First packet/Last packet/Duration and the service for the WAN servers reached through the RS-3000 (Figure 22-4).
TOP: select the data you want to view; 10 results are presented per page.
(chart icon): draws the Protocol Distribution chart from the downstream/upstream report of the selected TOP entries.
Figure 22-4 Outbound Services Statistics Report
Figure 22-5 The pie chart of the Accounting Report, broken down by Service
Press the return icon to go back to the List Table of the Accounting Report window.
The Accounting Report function consumes a lot of hardware resources, so users must take care to select only the necessary items, in order to avoid slowing down overall performance.
Inbound
STEP 1. Enable the items for the Inbound Accounting Report in Setting of the Accounting Report function (Figure 22-6).
Figure 22-6 Accounting Report Setting
STEP 2. Enter Inbound in Accounting Report and select Top Users to query the statistics of Send/Receive packets, Downstream/Upstream, and First packet/Last packet/Duration for the WAN users that pass through the RS-3000 (Figure 22-7).
TOP: select the data you want to view; 10 results are presented per page.
Figure 22-7 Inbound Top Users Statistics Report
STEP 3. Enter Inbound in Accounting Report and select Top Sites to query the statistics page of Send/Receive packets, Downstream/Upstream, and First packet/Last packet/Duration for the WAN users that pass through the RS-3000 (Figure 22-8).
TOP: select the data you want to view; 10 results are presented per page.
Destination IP: displays the report sorted by Destination IP, the IP address used by the LAN service server that WAN users reach through the RS-3000.
STEP 4. Enter Inbound in Accounting Report and select Top Services to query the statistics page of Send/Receive packets, Downstream/Upstream, First packet/Last packet/Duration and the service for the WAN servers reached through the RS-3000 (Figure 22-9).
TOP: select the data you want to view; 10 results are presented per page.
(chart icon): draws the Protocol Distribution chart from the downstream/upstream report of the selected TOP entries.
Figure 22-10 The pie chart of the Inbound Accounting Report, broken down by Service
The Accounting Report function consumes a lot of hardware resources, so users must take care to select only the necessary items, in order to avoid slowing down overall performance.
Chapter 23 Statistics
WAN Statistics: the statistics of Downstream/Upstream packets and Downstream/Upstream traffic that pass the WAN Interface.
Policy Statistics: the statistics of Downstream/Upstream packets and Downstream/Upstream traffic that pass a Policy.
In this chapter, the Administrator can query the RS-3000 for statistics on packets and data that pass across the RS-3000.
WAN Statistics
STEP 1. Enter WAN in the Statistics function; all statistics of Downstream/Upstream packets and Downstream/Upstream traffic that pass the WAN Interface are displayed (Figure 23-1).
Figure 23-1 WAN Statistics function
Time: view the statistics by minute, hour, day, week, month, or year.
WAN Statistics is an additional function of the WAN Interface. When a WAN Interface is enabled, WAN Statistics is enabled too.
STEP 3. Statistics Chart (Figure 23-2)
Y-Coordinate: Network Traffic (Kbytes/Sec)
X-Coordinate: Time (Hour/Minute)
Figure 23-2 WAN Statistics Chart
Policy Statistics
STEP 1. If Statistics was selected in a Policy, the RS-3000 starts recording the chart of that policy in Policy Statistics (Figure 23-3).
Figure 23-3 Policy Statistics Function
To use the Policy Statistics function, the System Manager must first enable Statistics in the Policy.
STEP 3. Statistics Chart (Figure 23-4)
Y-Coordinate: Network Traffic (Kbytes/Sec)
X-Coordinate: Time (Hour/Minute/Day)
Figure 23-4 Policy Statistics Chart
Chapter 24 Diagnostic
The user can check the RS-3000's WAN connection status using the Ping or Traceroute tool.
24.1 Ping
STEP 1. In the Diagnostic Ping function, the user can configure the RS-3000 to ping a specific IP address and confirm the RS-3000's WAN connection status.
If VPN is selected as the Interface, the RS-3000 LAN IP address must be entered, and the LAN IP address of the remote VPN site is entered in Destination IP / Domain name.
24.2 Traceroute
STEP 1. In the Diagnostic Traceroute function, the user can configure the RS-3000 to trace the route to a specific IP address or domain name and confirm the RS-3000's WAN connection status.
Chapter 25 Wake on Lan
The Wake on Lan (WOL) function powers on a computer remotely. The computer's network card must also support WOL; when it receives the wake-up packets, the computer boots up automatically. Normally broadcast packets are not allowed to pass across the Internet, but the user can log in to the RS-3000 remotely and use the Wake on Lan function to boot up a LAN computer.
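The wake-up packet the chapter refers to is the standard WOL "magic packet": six bytes of 0xFF followed by the target's MAC address repeated sixteen times, sent as a UDP broadcast on the LAN (ports 7 and 9 are the usual choices). This added example, not RS-3000 code, builds and sends such a packet and, for the monitoring side, recognises one and reports which MAC it would wake; the MAC address shown is a constructed sample, and the sending routine assumes the host is on the same broadcast domain as the target, which is exactly the constraint that makes the RS-3000 relay necessary from outside.

```python
"""Added example: building and recognising the Wake on Lan magic packet.
Illustrative Python, not RS-3000 code; the MAC address is a constructed sample."""
import re
import socket


def parse_mac(mac: str) -> bytes:
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or 001122334455."""
    digits = re.sub(r"[:\-.]", "", mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"invalid MAC address: {mac!r}")
    return bytes.fromhex(digits)


def build_magic_packet(mac: str) -> bytes:
    """6 bytes of 0xFF followed by the target MAC repeated 16 times (102 bytes)."""
    return b"\xff" * 6 + parse_mac(mac) * 16


def magic_packet_target(data: bytes):
    """Return the MAC a datagram would wake, or None if it is not a magic packet.

    Useful on a monitoring host to see which machines are being woken; the
    check tolerates a leading preamble and a trailing password field."""
    idx = data.find(b"\xff" * 6)
    if idx < 0 or len(data) < idx + 6 + 16 * 6:
        return None
    body = data[idx + 6: idx + 6 + 96]
    mac = body[:6]
    if body != mac * 16:
        return None
    return ":".join(f"{b:02x}" for b in mac)


def send_magic_packet(mac: str, broadcast: str = "255.255.255.255", port: int = 9) -> int:
    """Send the packet as a UDP broadcast on the local LAN; returns bytes sent.

    Broadcasts do not cross routers, so this only works from inside the LAN."""
    pkt = build_magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return s.sendto(pkt, (broadcast, port))


SAMPLE_MAC = "00:11:22:33:44:55"   # constructed, not a real host


if __name__ == "__main__":
    pkt = build_magic_packet(SAMPLE_MAC)
    print(len(pkt), "bytes, wakes", magic_packet_target(pkt))
```

Because a magic packet carries no authentication, any host on the LAN can wake any other; that is why exposing the function only through the RS-3000's authenticated login, rather than forwarding broadcasts from the WAN, is the right design.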
Chapter 26 Status
Users can see the connection status in Status, for example LAN IP, WAN IP, Subnet Netmask, Default Gateway, DNS Server connection and its IP, etc.
Interface: displays the current status of all Interfaces of the RS-3000
Authentication: the authentication information of the RS-3000
ARP Table: records all ARP entries for hosts connected to the RS-3000
DHCP Clients: displays the table of DHCP clients connected to the RS-3000
Interface
STEP 1. Enter Interface in the Status function; the settings for each Interface are listed (Figure 26-1):
Forwarding Mode: the connection mode of the Interface
WAN Connection: displays the connection status of the WAN
Max. Downstream / Upstream Kbps: displays the maximum Downstream/Upstream bandwidth of that WAN (set from Interface)
Downstream Alloca.: the distribution percentage of Downstream according to WAN traffic
Upstream Alloca.
Authentication
STEP 1. Enter Authentication in the Status function; the login status records are displayed (Figure 26-2):
IP Address: the IP of the authenticated user
Auth-User Name: the account the authenticated user logged in with
Login Time: the login time of the user (Year/Month/Day Hour/Minute/Second)
Figure 26-2 Authentication Status WebUI
ARP Table
STEP 1. Enter ARP Table in the Status function; a table of the IP Address, MAC Address and Interface of each host connected to the RS-3000 is displayed (Figure 26-3):
Anti-ARP virus software: rewrites the LAN ARP table back to its default
IP Address: the IP address of the host
MAC Address: the identification number of the network card
Interface: the Interface the computer is connected to
Figure 26-3 ARP Table WebUI
DHCP Clients
STEP 1. In DHCP Clients of the Status function, the table of DHCP clients connected to the RS-3000 is displayed (Figure 26-4):
IP Address: the dynamic IP provided by the DHCP Server
MAC Address: the MAC address corresponding to the dynamic IP
Leased Time: the validity period of the dynamic IP (Start/End) (Year/Month/Day/Hour/Minute/Second)
Figure 26-4 DHCP Clients WebUI
Chapter 27 Specification
Hardware
CPU: Intel IXP 425, 533MHz
DRAM: 128 MB
Flash ROM: 16MB (Flash)
Console port: RS232 Serial Port ○
LAN port (Switch Hub): 1 (10/100), Shielded RJ-45 Ethernet UTP port ○, Modify the MAC address ○
WAN port: 2 (10/100), Shielded RJ-45 Ethernet UTP port ○, Support xDSL/Cable/Leased Line Service ○, Modify the MAC address ○
DMZ port: 1 (10/100), Shielded RJ-45 Ethernet UTP port ○, Modify the MAC address ○
Dimensions W x D x H (cm): 44x23.7x4.
Mail Relay (Max entry): 50
Internal Mail Server ○
Allowed External IP ○
Inbound Scanning for Internal Mail Server (LAN & DMZ) ○
Inbound Scanning for External Mail Server ○
Score Tag ○
Spam Fingerprint ○
Bayesian Filtering ○
Check sender address in RBL ○
Check sender account ○
Spam signature ○
Action of Spam Mail: Delete spam mail ○, Deliver to the recipient ○, Forward mail ○
Anti-Spam Setting (Max entry): 100
Global Rule
Whitelist
Blacklist
Auto-Training ○
Export & Import White
Deliver the original virus mail ○
Forward mail ○
HTTP ○
FTP ○
Security Function Policy (Anti-Virus, P2P, IM, NetBIOS…) (IDP) ○
Auto Update IDP Definitions: 30 min ○
Anomaly
Total IDP Signatures Number (2006/01/18): 716
Custom (Max entry): 256
IDP Log ○
Enable Blaster Blocking ○
Blaster Alarm: E-Mail / NetBIOS Alert Notification ○/○ ○
Un-detected IP ○
Static ARP
Management: Web Based UI (Traditional Chinese, Simplified Chinese and English Web UI) ○
HTTP ○
From LAN & WAN (We
DDNS (Max entry): 16
Save configuration to files ○
Load configuration from files ○
Load Default (Factory Reset) ○
DHCP Client / Server (LAN) ○
Protocols Supported: DHCP Server assign dynamic IP: Up to 512
DHCP Server assign static IP (MAC+IP) ○
NTP (Network Time Protocol) ○
Wake on Lan ○
Bandwidth Manager Function: QoS Guaranteed Bandwidth ○
Priority-bandwidth utilization ○
QoS (Max entry): 100
Max.
China Telecom & CNC ○
Group (Max entry): 20
DMZ (Max entry): 100
External DMZ Group (Max entry): 20
Custom (Max entry): 20
Group (Max entry): 20
Service Book / Schedule (Max entry) / Virtual Server / Policy Control: 20
Mapped IP (Max entry): 16
Multiple Virtual Servers: 4
Virtual Server Service Name (Max entry): 16
Multi-Servers Load Balancing: 4
SPI (Stateful Packet Inspection) ○
MAC Address Filtering ○
Assign WAN Link by Source IP ○
Assign WAN Link by Destination IP ○
Assign WAN Link by Port ○
Upload Blocking: All Types Block ○, Extensions Block (exe,zip,rar,iso,bin,rpm,doc,xl?,ppt,pdf,tgz,gz,bat,com,dll,hta,scr,vb?,wps,pif,com,msi,reg,mp3,mpeg,mpg) ○
IM / P2P Blocking: Auto Update Definitions 30 min
P2P Blocking: eDonkey ○, BT ○, WinMX ○, Foxy ○, KuGoo ○, AppleJuice ○, AudioGalaxy ○, DirectConnect ○, iMesh ○, MUTE ○, Thunder5 ○, VNN Client ○
IM Blocking: MSN Messenger ○, Yahoo Messenger ○, ICQ ○, QQ ○, Skype VoIP ○, Google Talk ○, Gadu-Gadu ○
IM / P2P Rule ○
Drop I
VPN (Allow to Configure / Connection Tunnels):
IPSec (Max entry): 200 / 100
PPTP Server (Max entry): 32 / 32
PPTP Client (Max entry): 16 / 16
Stateful Packet Inspection ○
Supports Windows VPN Client ○
VPN Hub ○
VPN Trunk (Max entry): 50
Chapter 28 Network Glossary
The network glossary contains explanations of common terms used in networking products. Some of the information in this glossary might be outdated; please use it with caution.
RJ-45: Standard connectors for twisted-pair copper cable used in Ethernet networks. Although they look similar to standard RJ-11 telephone connectors, RJ-45 connectors can have up to eight wires, whereas telephone connectors have only four.
NAT: Network Address Translation. A network algorithm used by routers to enable several PCs to share a single IP address provided by the ISP. The IP that the router gets from the ISP side is called the Real IP; the IP assigned to a PC in the NAT environment is called a Private IP.
DHCP: Dynamic Host Configuration Protocol. A protocol that enables a server to dynamically assign IP addresses.
address can connect with the network.
TCP: A layer-4 protocol used along with IP to send data between computers over the Internet. While IP takes care of the actual delivery of the data, TCP keeps track of the packets that a message is divided into for efficient routing through the Internet.
UDP: User Datagram Protocol. A layer-4 network protocol for transmitting data that does not require acknowledgement from the recipient of the data.
supports two encryption modes: Transport and Tunnel. Transport mode encrypts only the payload of each packet but leaves the header untouched. The more secure Tunnel mode encrypts both the header and the payload. On the receiving side, an IPSec-compliant device decrypts each packet.
PPTP: Point-to-Point Tunneling Protocol. A VPN protocol developed by the PPTP Forum. With PPTP, users can dial in to their corporate network via the Internet.
encryption. The NULL algorithm does not provide any other security service; it is simply a way to substitute for ESP encryption.
SHA-1 (Secure Hash Algorithm-1): A message-digest hash algorithm that takes a message of less than 2^64 bits and produces a 160-bit digest.
MD5: MD5 is a common message-digest algorithm that produces a 128-bit message digest from an input of arbitrary length, developed by Ron Rivest.
Nimda: Nimda is a computer worm and also a file infector. It spread quickly, eclipsing the economic damage caused by past outbreaks such as Code Red. Multiple propagation vectors allowed Nimda to become the Internet's most widespread virus/worm within 22 minutes.
SYN Flood: A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system.
ICMP Flood: A smurf attack is one particular variant of a flooding DoS attack on the public Internet.
Tear Drop: Tear Drop attacks use packets that are fragmented into small packets with a negative length. Some systems treat the negative value as a very large number and copy an enormous amount of data into the system, causing damage such as a shutdown or a restart.
Detect Land Attack: Some systems may shut down when receiving packets with the same source and destination addresses, the same source port and destination port, and the SYN flag set in the TCP header.
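Both of the last two glossary entries describe a packet shape that a gateway can recognise without any signature database: a Land packet is one whose source and destination address and port are identical with SYN set, and a Tear Drop packet is one whose IP fragments overlap so that a naive reassembler's "bytes still to copy" (end of the previous fragment minus the start of the next) goes negative. The following is an added example, not RS-3000 code, that checks constructed packets for exactly those two conditions; the packet dictionaries, the use of byte offsets for fragments (real IP headers store them in 8-byte units) and the addresses are assumptions.

```python
"""Added example: checks for the two packet-shape anomalies described in the
glossary, Land and Tear Drop. Illustrative Python, not RS-3000 code; the
packets below are constructed."""


def is_land_packet(pkt: dict) -> bool:
    """Land: source and destination address and port identical, SYN set."""
    return (pkt["src_ip"] == pkt["dst_ip"]
            and pkt["sport"] == pkt["dport"]
            and "SYN" in pkt.get("flags", ()))


def overlapping_fragments(fragments) -> list:
    """Return the (offset, length) pairs of fragments that overlap an earlier one.

    A naive reassembler computes end_of_previous - offset_of_next as the amount
    still to copy; when the next fragment starts inside the previous one that
    value is negative, which is the Tear Drop condition. Offsets here are in
    bytes (assumption); real IP headers carry them in units of 8 bytes."""
    ordered = sorted(fragments, key=lambda f: f["offset"])
    overlaps, end = [], 0
    for frag in ordered:
        if frag["length"] <= 0:
            raise ValueError(f"fragment with non-positive length: {frag}")
        if frag["offset"] < end:
            overlaps.append((frag["offset"], frag["length"]))
        end = max(end, frag["offset"] + frag["length"])
    return overlaps


def classify(pkt: dict) -> list:
    """Names of the anomalies found in one packet, possibly empty."""
    findings = []
    if is_land_packet(pkt):
        findings.append("land")
    if overlapping_fragments(pkt.get("fragments", [])):
        findings.append("teardrop")
    return findings


# Constructed samples using documentation address ranges.
SAMPLE_PACKETS = {
    "normal": {"src_ip": "198.51.100.7", "dst_ip": "192.0.2.10",
               "sport": 40000, "dport": 80, "flags": {"SYN"},
               "fragments": [{"offset": 0, "length": 1480},
                             {"offset": 1480, "length": 520}]},
    "land": {"src_ip": "192.0.2.10", "dst_ip": "192.0.2.10",
             "sport": 139, "dport": 139, "flags": {"SYN"}},
    "teardrop": {"src_ip": "198.51.100.7", "dst_ip": "192.0.2.10",
                 "sport": 4000, "dport": 53, "flags": set(),
                 "fragments": [{"offset": 0, "length": 36},
                               {"offset": 24, "length": 12}]},
}


def classify_all() -> dict:
    return {name: classify(pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, findings in classify_all().items():
        print(f"{name:9s} {findings or 'clean'}")
```

The "normal" packet is fragmented too, but its second fragment begins exactly where the first ends, so no overlap is reported; only the fragment pair whose second piece starts inside the first triggers the Tear Drop finding.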