DUA1611-0AAA02.book Page 1 Thursday, August 2, 2001 4:01 PM
SuperStack® 3 Firewall User Guide
SuperStack 3 Firewall 3CR16110-95
SuperStack 3 Firewall Web Site Filter 3C16111
http://www.3com.com/
Part No.
3Com Corporation
5400 Bayfront Plaza
Santa Clara, California 95052-8145
Copyright © 2001, 3Com Technologies. All rights reserved. No part of this documentation may be reproduced in any form or by any means or used to make any derivative work (such as translation, transformation, or adaptation) without written permission from 3Com Technologies.
ABOUT THIS GUIDE

Introduction
This guide describes the following products:
■ SuperStack 3 Firewall 3CR16110-95
■ SuperStack 3 Firewall 3CR16110-97 upgraded to v6.x firmware
■ SuperStack 3 Firewall Web Site Filter 3C16111
This guide describes how to set up and maintain the SuperStack® 3 Firewall and how to install and use the SuperStack 3 Web Site Filter.
How to Use This Guide
Table 1 shows where to look for specific information in this guide.

Table 1 Where to find specific information
If you are looking for...                                                                  Turn to...
A description of the Firewall’s features and example applications.                         Chapter 1
A description of the Firewall’s front and back panel displays and connectors,              Chapter 2
and installation information.
A quick setup guide for the Firewall.

Conventions
Table 3 Text Conventions
Convention        Description
Screen displays   This typeface represents information as it appears on the screen.
Commands          The word “command” means that you must enter the command exactly as shown and then press Return or Enter. Commands appear in bold.

Terminology
a network number and a host number, or a network number, a subnet number, and a host number.
IP Spoof — A type of DoS attack. An IP spoof uses a fake IP address to bypass security settings which may bar access from the real IP address.
IRC — Internet Relay Chat. Provides a way of communicating in real time with people from all over the world.
ISP — Internet Service Provider.
RADIUS — Remote Authentication Dial-in User Service. RADIUS enables network administrators to effectively deploy and manage VPN Client-based remote users. The RADIUS server allows multiple users to share a single Group Security Association but requires an additional unique password for accounting and access.
SYN Flood — A type of DoS attack.

Feedback about this User Guide
■ Part Number DUA1611-0AAA02
■ Page 24
Do not use this e-mail address for technical support questions. For information about contacting Technical Support, see Appendix A.

Registration
To register your Firewall, point your web browser to http://www.3com.com/ssfirewall, click on Hardware Registration and follow the instructions.
1 INTRODUCTION

This chapter contains the following:
■ What is the SuperStack 3 Firewall?
■ Firewall and 3Com Network Supervisor
■ Firewall Features
■ Introduction to Virtual Private Networking (VPN)

What is the SuperStack 3 Firewall?
The SuperStack® 3 Firewall is a dedicated firewall appliance which is installed between a Private LAN and a Router.
The Demilitarized Zone (DMZ) port is used for public servers, such as Web or FTP servers. Machines attached to this port are visible from the WAN port, but are still protected from hacker attacks. Users on the secure LAN port can also access servers on the DMZ port.

Firewall and 3Com Network Supervisor
The Firewall is supplied with a copy of 3Com Network Supervisor.
3Com Network Supervisor offers the following support to Firewall users:
■ If your 3Com Network Supervisor management station is located on the LAN, it discovers the Firewall automatically and displays it on the topology map.
■ The topology map indicates that the Firewall is a 3Com Firewall and uses an appropriate icon to represent it.
■ Double-clicking on the Firewall icon launches the Web interface of the Firewall.

Firewall Features
Figure 2 Firewall Security Functions - Default Firewall Policy
DMZ Port - Connected to public servers e.g. Web, E-mail. Protected from DoS attacks but visible from outside your network.
LAN Port - Connected to your internal network e.g. network servers, workstations. Protected from DoS attacks and invisible from outside your network.
The Firewall will protect your network against the following Denial of Service attacks:
■ Ping of Death
■ Smurf Attack
■ SYN Flood
■ LAND Attack
■ IP Spoofing
■ Teardrop
To find more information on DoS and other attacks refer to Chapter 13, “Types of Attack and Firewall Defences”.
Advanced users can extend the security functions of the Firewall by adding network access rules and user privileges.
purchase a twelve month Web Site Filter (3C16111) subscription. Both the trial and the twelve month subscription are valid for an unlimited number of users.

High Availability
Given the mission critical nature of many Internet connections, each component involved in your connection must be highly reliable.
NAT automatically translates multiple IP addresses on the private LAN to one public address that is sent out to the Internet. It enables the Firewall to be used with broadband modems such as the OfficeConnect Cable Modem, and with low cost Internet accounts where only one IP address is provided by the ISP. See “Network Addressing Mode” on page 149 for more information.

Introduction to Virtual Private Networking (VPN)
terminating device at the other end of the tunnel must be using the same level and type of encryption. See “Configuring Virtual Private Network Services” on page 123 for more details.
2 INSTALLING THE HARDWARE

This chapter contains the following:
■ Before You Start
■ Positioning the Firewall
■ Firewall Front Panel
■ Firewall Rear Panel
■ Redundant Power System (RPS)
■ Attaching the Firewall to the Network

WARNING: Before installing the Firewall, you must read the safety information provided in Appendix A of this User Guide.
■ A SuperStack 3 Firewall CD.
■ Warranty Information.
■ Software License Agreement.

Positioning the Firewall
When installing the Firewall, make sure that:
■ It is out of direct sunlight and away from sources of heat.
■ Cabling is away from power lines, fluorescent lighting fixtures, and sources of electrical noise such as radio transmitters and broadband amplifiers.

Rack Mounting the Units
CAUTION: Disconnect all cables from the unit before continuing. Remove the self-adhesive pads from the underside of the unit, if already fitted.
1 Place the unit the right way up on a hard, flat surface with the front facing towards you.
2 Locate a mounting bracket over the mounting holes on one side of the unit (refer to Figure 3).

Firewall Front Panel
The Firewall front panel contains the following components:
1 LAN Port - Use a Category 5 cable with RJ-45 connectors. Connect this port to any workstation or network device that has a 10BASE-T or 100BASE-TX port.
2 DMZ Port - Use a Category 5 cable with RJ-45 connectors. Use this port to connect the Firewall to any workstation, server, or network device that has a 10BASE-T or 100BASE-TX port.
To diagnose faults see “Troubleshooting Guide” on page 167.
8 Power/Self Test LED - This LED shows green to indicate that the unit is switched on. This LED flashes for about 90 seconds while self-test is running, and also when restarting. If you have installed a 3Com RPS unit with the Firewall and the RPS has a fault, the Power LED will flash to warn you.
■ SuperStack 3 Advanced RPS (3C16071)
■ 60W RPS Power Module (3C16072)

Attaching the Firewall to the Network
Figure 6 illustrates one possible network configuration.
To attach the Firewall to your network:
1 Connect the Ethernet port labeled WAN on the front of the Firewall to the Ethernet port on the Internet access device. Refer to the documentation for the Internet access device to find out the configuration of its Ethernet port. If it has an MDIX (normal) configuration, then you can use a standard Category 5 cable.
The Firewall is now attached to the network. By default, no traffic that originates from the Internet is allowed onto the LAN, and all communications from the LAN to the Internet are allowed. That is, all inbound connections are blocked and all outbound connections are allowed. You can now configure the Firewall.
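As an added illustration of the default policy just described (example code, not 3Com's or the Firewall's own implementation), the Python model below applies the same rules to constructed packets: connections started from the LAN are allowed and remembered so their replies can return, unsolicited connections from the Internet to the LAN are dropped, DMZ servers stay reachable from the WAN, and a packet arriving on the WAN port with a private source address is dropped as an IP spoof. NAT is ignored, the LAN uses the Firewall's default 192.168.1.0/24, and the DMZ range, the sample addresses and the LAN-to-DMZ and DMZ-to-WAN rules are assumptions.

```python
"""Stateful model of the SuperStack 3 Firewall default policy described in the
guide: inbound connections blocked, outbound connections allowed, DMZ visible
from the WAN.  Added example, not 3Com code; NAT is ignored.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN, DMZ, WAN = "LAN", "DMZ", "WAN"   # the Firewall's three port names

# Address ranges the guide lists as private (never routed on the Internet).
PRIVATE_NETS = [ip_network("10.0.0.0/8"),
                ip_network("172.16.0.0/12"),
                ip_network("192.168.0.0/16")]

# (ingress port, destination zone) pairs allowed to *start* a connection.
# LAN->DMZ and DMZ->WAN are assumptions; everything else is blocked until a
# matching outbound flow exists.
INITIATION_ALLOWED = {(LAN, WAN), (LAN, DMZ), (WAN, DMZ), (DMZ, WAN)}


@dataclass(frozen=True)
class Packet:
    ingress: str   # port the packet arrived on: LAN, DMZ or WAN
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class DefaultPolicy:
    """Remembers flows it let out so that their replies can come back in."""

    def __init__(self, local_zones):
        # local_zones: {ip_network: zone} for the LAN and DMZ subnets.
        self.local_zones = local_zones
        self.flows = set()   # 5-tuples of connections allowed to start

    def zone_of(self, addr):
        a = ip_address(addr)
        for net, zone in self.local_zones.items():
            if a in net:
                return zone
        return WAN   # not locally attached, so it is out on the Internet

    def decide(self, pkt):
        """Return (verdict, reason) for one packet, updating flow state."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

        # IP spoof check: a private source address cannot legitimately
        # arrive on the WAN port.
        if pkt.ingress == WAN and any(ip_address(pkt.src) in n for n in PRIVATE_NETS):
            return "DROP", "IP spoof: private source address on WAN port"

        # Replies to a connection that was allowed to start are let through.
        if reverse in self.flows:
            return "ALLOW", "reply to established connection"

        if (pkt.ingress, self.zone_of(pkt.dst)) in INITIATION_ALLOWED:
            self.flows.add(key)
            return "ALLOW", "new connection permitted by default policy"

        return "DROP", "inbound connection blocked by default"


def run_demo():
    """Constructed traffic run through the policy; returns the verdicts in order."""
    fw = DefaultPolicy({ip_network("192.168.1.0/24"): LAN,        # guide's default LAN
                        ip_network("198.51.100.0/24"): DMZ})      # constructed DMZ range
    packets = [
        Packet(LAN, "192.168.1.10", 40000, "203.0.113.7", 80),    # LAN host browses the web
        Packet(WAN, "203.0.113.7", 80, "192.168.1.10", 40000),    # web server replies
        Packet(WAN, "203.0.113.7", 5555, "192.168.1.10", 22),     # unsolicited connection to LAN
        Packet(WAN, "203.0.113.7", 5556, "198.51.100.5", 80),     # Internet reaches DMZ web server
        Packet(WAN, "192.168.1.99", 4444, "192.168.1.10", 22),    # LAN address arriving on WAN port
    ]
    return [fw.decide(p)[0] for p in packets]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```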
3 QUICK SETUP FOR THE FIREWALL

This chapter contains the following:
■ Introduction
■ Setting up a Management Station
■ Configuring Basic Settings
■ Configuring WAN Settings
■ Configuring LAN Settings
■ Confirming Firewall Settings

Introduction
The first time the Firewall is started it runs an Installation Wizard.
The process followed by the Installation Wizard is described in the following sections:
■ Setting up a Management Station
■ Configuring Basic Settings
■ Configuring WAN Settings
■ Configuring LAN Settings
■ Confirming Firewall Settings
The Firewall has the following default settings:
■ IP address — 192.168.1.254
■ Subnet mask — 255.255.255.
Configuring Basic Settings
Figure 7 Installation Wizard Startup Screen
Click the Next button to start configuring your Firewall using the Installation Wizard. The Set Your Password screen will be displayed as shown in Figure 8 below. If you want to configure your Firewall manually, click the Cancel button. You will then be returned to the Web interface.
Figure 8 Set Password Screen
Click the Next button to continue.

Setting the Time Zone
Select the Time Zone appropriate to your location and click the Next button to continue. The Time Zone you choose will affect the time recorded in the logs.
Figure 9 Set Time Zone screen
This completes the Basic setup of the Firewall.
Installation Wizard will prompt you for the required settings.

Configuring WAN Settings
The Installation Wizard detects if the Firewall has been automatically allocated an address for its WAN port.
■ If the Firewall has been allocated an IP address then it will attempt to configure itself automatically. See “Automatic WAN Settings” below.
Manual WAN Settings
If the Installation Wizard is unable to detect an automatic address server on the WAN Port, or if the WAN port is not connected, it will display a dialog box informing you of this and offer the choice of:
■ Connecting your Firewall (if not already connected) and restarting the Installation Wizard.
■ Configuring your Firewall manually.
■ Using a Single Static IP Address — This address must be taken by the Firewall’s WAN port to allow devices connected to the LAN port to communicate with devices connected to the WAN port. Network Address Translation (NAT) will be enabled.
■ Using Multiple Static IP Addresses — One address will be taken by the Firewall’s WAN port.
To configure the WAN networking of your Firewall, enter the following:
1 In the Firewall WAN IP Address field enter the single address which has been allocated to your Firewall. Enter the subnet mask for the above IP address in the WAN/DMZ Subnet Mask field.
2 In the WAN Gateway (Router) Address field enter the address of your Internet access device.
Click the Next button to proceed to the Getting to the Internet screen shown in Figure 14 below.
Figure 14 Setting the Firewall WAN configuration
The Getting to the Internet screen contains the following fields:
1 Firewall WAN IP Address — Choose one of the addresses allocated by your ISP as the address of the Firewall’s WAN port.
Using an IP Address provided by a PPPoE Server
Select the Provided you with two or more IP addresses option and click the Next button. The Firewall’s ISP Settings (PPPoE) screen will be displayed as shown in Figure 15 below.
Configuring LAN Settings

Entering information about your LAN
■ If there is no DHCP server found on the network connected to the LAN port then the Firewall’s DHCP server is activated, allowing automatic address configuration on your LAN.
■ If there is a DHCP server found on the network connected to the LAN port then the Firewall deactivates its DHCP server.
Otherwise the Firewall’s DHCP Server screen will be displayed as shown in Figure 17 below.
Figure 17 Configuring the Firewall’s DHCP Server
If you want to use the Firewall as a DHCP server to automatically provide IP addresses for the computers on your LAN, click the enable DHCP server box and set the range of addresses you want it to allocate.
Confirming Firewall Settings
Figure 18 Firewall Configuration Summary
■ If you want to keep a hard copy of this page click the Print This Page button.
■ To accept the settings click the Next button.
■ To change the configuration of the Firewall click the Back button.
Figure 19 Congratulations Page
Click the Restart button to complete the configuration of the Firewall using the Installation Wizard. The Firewall will take under a minute to restart, during which time the Power/Self test LED will flash. When the Power/Self test LED stops flashing the Firewall is ready for use.
4 BASIC SETTINGS OF THE FIREWALL

Chapters 4 to 10 describe in detail each of the management operations available from the Firewall’s web interface. You can access these operations using a Web browser. Refer to Figure 20 below for menu structure details of the Web interface of the Firewall.
■ Chapter 7 — “Setting a Policy” describes the functions available in the Policy menu of the Web interface. These functions enable you to control the traffic across your Firewall.
■ Chapter 8 — “Advanced Settings” describes the functions available in the Advanced menu of the Web interface.

Examining the Unit Status
■ ROM Version
■ Firmware Version
■ Device Up-time in days, hours, minutes, and seconds
Problems appear in red text. For example, if the Internet router was not contacted, or the default password was not changed, this would be listed. Items listed in red require immediate, corrective action.
Setting the Inactivity Timeout
The Administrator Inactivity Timeout Setting allows you to extend or reduce the period of time before the administrator is automatically logged out of the Web interface. The Firewall is pre-configured to log out the administrator after 5 minutes of inactivity.

Setting the Time
From the General screen, select Set Time. A window similar to that in Figure 23 displays.
Automatically adjust clock for daylight savings changes
Check this box to enable the Firewall to adjust to Daylight Savings Time automatically, depending on the time zone you have chosen. This feature works with NTP on or off.
Display UTC (Universal Time) in logs instead of local time
Check this box to set the time on the Firewall to Universal Time Co-ordinated (UTC) time.
Changing the Basic Network Settings
Click the Settings Tab from the Network Menu to display the Network Settings window (see Figure 24 below).
When using IP addresses on a LAN which have not been assigned by an Internet Service Provider, it is a good idea to use addresses from a special address range allocated for this purpose. The following IP address ranges can be used for private IP networks and do not get routed on the Internet:
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.
Connect/Disconnect
Pressing the Connect button in the Network Addressing Mode section will initiate a PPPoE session. If all fields have been entered correctly, the Firewall will connect to the Internet. You can terminate a PPPoE session by pressing the Disconnect button.
Specifying the DNS Settings
In the Other Settings section, specify the DNS Servers. Up to three DNS servers can be specified, although not all have to be used. The Firewall uses these servers to look up the addresses of machines used to download the Web Site Filter and for the built-in DNS Lookup tool. Type the required values and click Update to save the changes.

Specifying DMZ Addresses
Click Network, and then select the DMZ Addresses tab. A window similar to that in Figure 25 displays.
Figure 25 DMZ Address Window
Type the addresses for the DMZ individually or as a range. Type an individual address in the From Address box. To enter a range of addresses, such as the IP addresses from 199.168.23.50 to 199.168.23.
Setting up the DHCP Server
The Firewall can allocate up to 255 static or dynamic IP addresses. 3Com recommends you use a dedicated DHCP server if more addresses are required. To set up the DHCP server on the Firewall click Network, and then select the DHCP Server tab. A window similar to that in Figure 26 displays.
Figure 26 DHCP Setup Window
Global Options
Enable DHCP Server
Click this check box to enable or disable the DHCP server.
Subnet Mask
Enter the Subnet mask for your network. This value will be given out by the DHCP server and will be used by client devices to determine the extent of your network.
Domain Name
Type the registered domain name for the network in the Domain Name box, for example: 3com.com. If you do not have a Domain Name leave this blank.
Delete Range
To remove a range of addresses from the dynamic pool, select it from the scrolling list of dynamic ranges, and click Delete Range.
Static Entries
Static addresses are used by client machines that support BootP or those which require a fixed IP address. For example, client machines running Web or FTP servers require static addresses.

Viewing the DHCP Server Status
To delete a binding, which frees the IP address in the DHCP server, select the binding from the list and then click Delete.

Using the Network Diagnostic Tools
The Firewall has several tools built in which can help you solve network problems. Click Network, and then select the Diagnostics tab.
Find Network Path
Use the Find Network Path tool to show on which port (LAN, WAN or DMZ, as appropriate) an IP host is located. This is helpful to determine if the Firewall is properly configured. For example, if the Firewall thinks that a machine known to be on the Internet is located on the LAN port, then there is a problem with the configuration of the network or intranet settings.
Packet Trace requires an IP address. Use the Firewall’s DNS Name Lookup tool to find the IP address of a host.
1 Enter the IP address of the remote host in the Trace on IP address box, and click Start.
2 Initiate an IP session with the remote host using an IP client, such as Web, FTP, or Telnet. Use the IP address in the Trace on IP address box, not a host name, such as www.3Com.com.
5 SETTING UP WEB FILTERING

This chapter describes the commands and options available in the Filter menu. The menu is broken up into five sections shown in the user interface as tabs. To access a command click on Filter on the left hand side of the screen and then on the appropriate tab.
Figure 29 Filter Settings Window
Content Filtering only applies to nodes on the LAN Port. Select the options in the Settings window, described below, to tailor the content filtering to meet the needs of your organization.

Restricting the Web Features Available
The following is a list of the web features that you can control using the Web Filter.
Cookies
Cookies are used by Web servers to track usage. Unfortunately, cookies can be programmed not only to identify the visitor to the site, but also to track that visitor's activities. Because they represent a potential loss of privacy, some administrators may choose to block cookies.
■ Drugs/Drug Culture
■ Militant/Extremist
■ Sex Education
■ Questionable/Illegal & Gambling
■ Alcohol & Tobacco
Visit http://www.cyberpatrol.com/cybernot to check the listing of a site or to submit a new site.

Specifying When Filtering Applies
Use the Time of Day setting to define time periods during which Internet filtering is enabled.
Filtering Web Sites using a Custom List
Figure 30 Custom List Window
You can add or remove web sites from the Custom List. For example, if a local radio station runs a contest on its Web site that is disrupting normal classroom Internet use, a school’s Technology Coordinator can easily add that site to the Forbidden Domains list.
Enable Filtering on Custom List
Use this to enable or disable the custom filtering without re-entering all site names. You do not have to re-enter names when the Web Site Filter is updated each week, as the custom list does not expire.
Updating the Web Filter
Since content on the Internet is constantly changing, make sure you update the Web Site Filter used by the Firewall on a regular basis. When you subscribe to the Web Site Filter, you can specify that it is updated automatically every week for one year.
Downloading an Updated Filter List
Download Now
Click this button to download and update the Web Site Filter immediately. This process may take a couple of minutes, depending on Internet traffic conditions, and requires a valid subscription to the Web Site Filter.
Automatic Download
Check this box to enable automatic, weekly updates to the Web Site Filter.
Blocking Websites by using Keywords
Click Filter and then select the Keywords tab. A window similar to that in Figure 32 displays.
Figure 32 Keywords Window
You can block Web URLs that contain specified keywords. This functions as a second line of defense against objectionable material. For example, if you specify the keyword XXX, the following URL: http://www.new-site.com/xxx.
agree to the terms outlined in an organization’s Acceptable Use Policy before you allow them to browse the Web any further. Click Filter, and then select the Consent tab. A window similar to that in Figure 33 displays.
Figure 33 Consent Window

Configuring User Consent Settings
Require Consent
Check this box to enable the consent features.
Consent page URL (Optional Filtering)
When users begin an Internet session on a computer that is not always filtered, they are shown a consent page and given the option to access the Internet with or without filtering. Create this page in HTML. It may contain the text from, or links to, your company’s Acceptable Use Policy (AUP).
create this page, and can add the text from the Acceptable Use Policy, and notification that violations of the AUP are blocked and logged.
Consent Page URL (Mandatory Filtering)
When users access a page that you include in the list of Mandatory Filtered IP Addresses, the user is shown a page to inform them that the page is Filtered.
6 USING THE FIREWALL DIAGNOSTIC TOOLS

This chapter describes the commands and options available in the Log menu and the Tools menu. Each menu is broken up into sections shown in the user interface as tabs. To access a command click on either Log or Tools on the left hand side of the screen and then on the appropriate tab.
Viewing the Log
information. Much of this information refers to the Internet traffic passing through the Firewall.
TCP, UDP, or ICMP packets dropped
These log messages describe all traffic blocked from the Internet to the LAN. The source and destination IP addresses of the packet are shown. If the packet was TCP or UDP, the port number, in parentheses, follows each address. If the packet was ICMP, the number in parentheses is the ICMP code.
When ActiveX or Java code is compressed into an archive it is not always possible to differentiate between the two. If either ActiveX or Java blocking is enabled, all code archives are blocked.
Cookie blocked
The IP addresses of the local machine and the remote server are shown.
Changing Log and Alert Settings

Sending the Log
Use the Sending the Log feature to inform your administrator of the performance of the Firewall and to make sure that the log file always has space for new entries.
Mail Server
To enable sending log or alert messages via e-mail, you must specify the numerical IP address or the name of your SMTP server.
every connection’s source and destination IP addresses, IP service, and number of bytes transferred. To support Syslog, you must have an external server running a Syslog daemon on UDP Port 514. Syslog is a standard feature of UNIX. Enter the Syslog server’s IP address in the Syslog Server box. To download the free 3Com Syslog Server visit: http://www.3com.
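As an added example (not 3Com code), the Python parser below reads syslog lines of the kind a Syslog server would receive from the Firewall, covering both the dropped-packet messages described under “TCP, UDP, or ICMP packets dropped” and the per-connection records (source, destination, service, bytes) described above; it totals blocked packets per source and bytes per service, and flags any source whose dropped packets touched several different destination ports. The guide does not show literal message text, so the message layouts and the sample lines are constructed to match its descriptions and are assumptions.

```python
"""Parse constructed SuperStack 3 Firewall syslog lines and summarise them.

Added example, not 3Com code.  The message layouts below are modelled on the
guide's descriptions (addresses followed by a port or ICMP code in parentheses;
connection records with service and byte count), not copied from the product.
"""
import re
from collections import Counter, defaultdict

# RFC 3164 style header: <PRI>Mmm dd hh:mm:ss host message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)
# Constructed layout for "TCP, UDP, or ICMP packets dropped" messages.
DROP_RE = re.compile(
    r"^(?P<proto>TCP|UDP|ICMP) packet dropped "
    r"(?P<src>[\d.]+)\((?P<sinfo>\d+)\) -> (?P<dst>[\d.]+)\((?P<dinfo>\d+)\)$"
)
# Constructed layout for the per-connection records sent to the Syslog server.
CONN_RE = re.compile(
    r"^Connection (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\) (?P<service>\S+) (?P<bytes>\d+) bytes$"
)

# Constructed sample log (not real Firewall output).
SAMPLE_LOG = [
    "<134>Aug  2 16:01:02 firewall TCP packet dropped 203.0.113.7(40001) -> 192.168.1.10(22)",
    "<134>Aug  2 16:01:02 firewall TCP packet dropped 203.0.113.7(40002) -> 192.168.1.10(23)",
    "<134>Aug  2 16:01:03 firewall TCP packet dropped 203.0.113.7(40003) -> 192.168.1.10(80)",
    "<134>Aug  2 16:01:05 firewall UDP packet dropped 198.51.100.9(53) -> 192.168.1.20(1434)",
    "<134>Aug  2 16:01:06 firewall ICMP packet dropped 198.51.100.9(0) -> 192.168.1.20(0)",
    "<134>Aug  2 16:01:10 firewall Connection 192.168.1.10(40000) -> 203.0.113.20(80) http 1532 bytes",
    "<134>Aug  2 16:01:11 firewall Connection 192.168.1.11(40010) -> 203.0.113.21(21) ftp 870000 bytes",
    "<134>Aug  2 16:01:12 firewall Connection 192.168.1.12(40011) -> 203.0.113.20(80) http 468 bytes",
    "this line is not syslog",
]


def parse_syslog(line):
    """Split a syslog line into facility, severity, timestamp, host and message."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    return {"facility": pri // 8, "severity": pri % 8,
            "timestamp": m["ts"], "host": m["host"], "msg": m["msg"]}


def parse_firewall_message(msg):
    """Classify the Firewall message part as a drop, a connection record, or other."""
    m = DROP_RE.match(msg)
    if m:
        rec = {"kind": "drop", "proto": m["proto"], "src": m["src"], "dst": m["dst"]}
        if m["proto"] == "ICMP":
            rec["icmp_code"] = int(m["dinfo"])   # number in parentheses is the ICMP code
        else:
            rec["sport"], rec["dport"] = int(m["sinfo"]), int(m["dinfo"])
        return rec
    m = CONN_RE.match(msg)
    if m:
        return {"kind": "connection", "src": m["src"], "dst": m["dst"],
                "sport": int(m["sport"]), "dport": int(m["dport"]),
                "service": m["service"], "bytes": int(m["bytes"])}
    return {"kind": "other", "text": msg}


def summarize(lines, scan_threshold=3):
    """Aggregate drops per source, bytes per service, and sources hitting many ports."""
    drops_by_src = Counter()
    ports_by_src = defaultdict(set)
    bytes_by_service = Counter()
    unparsed = 0
    for line in lines:
        hdr = parse_syslog(line)
        if hdr is None:
            unparsed += 1
            continue
        rec = parse_firewall_message(hdr["msg"])
        if rec["kind"] == "drop":
            drops_by_src[rec["src"]] += 1
            if "dport" in rec:
                ports_by_src[rec["src"]].add(rec["dport"])
        elif rec["kind"] == "connection":
            bytes_by_service[rec["service"]] += rec["bytes"]
    suspects = sorted(s for s, ports in ports_by_src.items() if len(ports) >= scan_threshold)
    return {"drops_by_src": dict(drops_by_src), "bytes_by_service": dict(bytes_by_service),
            "probable_scanners": suspects, "unparsed": unparsed}


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```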
When log overflows
In some cases, the log buffer may fill up, which can happen if there is a problem with the mail server and the log cannot be successfully e-mailed. By default the Firewall overwrites the log and discards its contents. As a security measure, you can choose to shut down the Firewall, which prevents any further traffic from traveling through without being logged.
Attacks
When enabled, log messages showing SYN Floods, Ping of Death, IP Spoofing, and attempts to manage the Firewall from the Internet are generated. This is enabled by default.
Dropped TCP
When enabled, log messages showing blocked incoming TCP connections are generated. This is enabled by default.
Dropped UDP
When enabled, log messages showing blocked incoming UDP packets are generated.
Blocked Web Sites
When enabled, all log entries that are categorized as a Blocked Web Site are generated as an alert message. This is disabled by default.
Click Update to save your changes.

Generating Reports
Reset Data
Click Reset Data to clear the report statistics and begin a new sample period. The sample period is also reset when data collection is stopped or started, and when the Firewall is restarted.
Current Sample Period
Displays the current sample period shown in the reports.
Viewing Report Data
Select the desired report from the Display Report popup menu.
services, such as HTTP, FTP, RealAudio and so forth, and the number of megabytes received from the service during the current sample period. Use the Bandwidth Usage by Service report to make sure the Internet services being used are appropriate for the organization.

Restarting the Firewall
When the Front Panel Power LED stops flashing you can refresh your browser. To reset the Firewall, clearing it of all settings, see “Resetting the Firewall” on page 162 for details.
Managing the Firewall Configuration File
The Configuration tool allows you to save and restore the configuration settings of the Firewall. Click Tools and then select the Configuration tab.
Importing the Settings File
Use this function to import a previously saved settings file back into the Firewall.
1 Click Import. A window similar to that in Figure 39 displays.
Figure 39 Import Window
2 Click Browse to find a file which was previously saved using Export. You may need to set File type to *.* to be able to see the .exp file you exported.
3 Once you have selected the file, click Import.
Exporting the Settings File
You can save the Firewall configuration settings to a file on a local system and then reload those settings.
1 Click Export. A window similar to that in Figure 40 displays.
Figure 40 Export Window
2 Choose the location to save the settings file. This should be saved as .exp. This defaults to 3com_firewall.exp. The process may take up to a minute.
Upgrading the Firewall Firmware
When upgrading the firmware, all settings will be reset to factory default. 3Com recommends that you export the Firewall’s configuration settings before uploading new firmware and then import them again after the upgrade has been completed. The Firewall checks to see if new firmware is available for download on a weekly basis.
Figure 42 Save Settings Window
2 Click Yes if you have saved the settings. A window similar to that in Figure 43 displays.
Figure 43 Firmware Upload Window
3 Click Browse... and select the firmware file you have downloaded from the 3Com FTP site to a local hard drive or server on the LAN.
4 Click Upload to begin the upload. Make sure that your Web browser supports HTTP uploads.
interrupted this way, it may result in the Firewall not responding to attempts to log in. If your Firewall does not respond, see Chapter 12, “Troubleshooting Guide”.
5 Restart the Firewall for the changes to take effect.
7 SETTING A POLICY
This chapter describes the commands and options available in the Policy menu. The menu is broken up into sections shown in the user interface as tabs. To access a command click on Policy on the left hand side of the screen and then on the appropriate tab.
Click Policy, and then select the Services tab. A window similar to that in Figure 44 displays.
Figure 44 Services Window
Amending Network Policy Rules
The Services window contains a table showing the defined Network Policy Rules. At the bottom of the table is the Default rule which affects all IP services. Any rules you create for a specific protocol override the Default rule with respect to that protocol.
Changing Policy Services
DMZ In Checkbox
If you are using the DMZ port on the Firewall, access to the protocol is not permitted from the Internet to the DMZ when this check box is cleared. When the service is selected, users on the Internet can access all hosts on the DMZ via that protocol. The default value is enabled.
HTTP protocol even if both NetBIOS Passthrough boxes are left unchecked.
Enabling Stealth Mode
By default, the Firewall responds to incoming connection requests as either blocked or open. If you check the box to enable Stealth Mode and click on the Update button, no response will be made to inbound requests, which makes your network invisible to potential attackers.
Adding and Deleting Services
If a protocol is not listed in the Services window, you can add the service. Click Policy, and then select the Add Service tab. A window similar to that in Figure 45 displays.
Figure 45 Add Service Window
The scroll list on the right side of the screen displays all IP protocols that are currently defined and that appear in the Services window.
The new service appears in the list box to the right, along with its numeric protocol description. Note that some well-known services add more than one entry to the list box.
Adding a Custom Service
To add a custom service:
1 From the Add a known service drop-down list, select Custom Service.
2 In the Name box, type a unique name, such as CC:mail or Microsoft SQL.
marked Name Service (DNS) [53,6] deletes just the TCP portion of the service.
Editing Policy Rules
Network Access Policy Rules evaluate network traffic’s source IP address, destination IP address, and IP protocol type to decide if the IP traffic is allowed to pass through the Firewall. Custom rules take precedence, and may override the Firewall’s default stateful packet inspection. Up to 100 policy rules may be entered.
Rules are arranged in order of precedence from the most specific to the most general. For example, if you block all FTP traffic in one rule and allow a machine with a specific IP address to use FTP in another rule, then the second rule will override the first and will be displayed above it.
would only be necessary if you wanted the server on the WAN to initiate connections with the PC on the LAN network port.
Destination
The Destination for a rule refers to the target of the connection made by the source. As with the Source, this can be set to a network port, a specific address or a range of addresses.
Time
The Time of a Rule shows the hours between which it operates.
Adding a New Rule
To add a new rule, click on the Add New Rule button and fill in the fields that you want to change. To keep a field general rather than use a specific value, leave the field at its default value. All fields can be left at their defaults apart from the Action field, which must have either Allow or Deny selected.
Updating User Privileges
Changing the Timeout for Privileged Users
To change the amount of time a privileged user can keep their connection open without using it, enter the time in minutes into the Timeout Privileged Users After box and click the Update button. The changes made in this dialog box apply to both Remote Access users and users that have been allowed to Bypass Filters.
Changing Passwords and Privileges
To change a user’s password or privileges:
1 Highlight the name in the scrollable box.
2 Make the changes.
3 Click Update User.
Deleting a User
To delete a user, highlight the name and click Remove User. To configure a user’s machine to support privileged users see “Establishing an Authenticated Session” below.
Setting Management Method
You can manage your Firewall locally, or remotely from a remote host such as a laptop. Click the button labeled Policy on the left side of the browser window and then click the tab labeled Management at the top of the window. A window similar to the following displays.
Selecting Remote Management
When remote management is selected, a Management SA is automatically generated. The Management SA uses Manual Keying to set up a VPN tunnel between the Firewall and the VPN client. The Management SA also defines Inbound and Outbound Security Parameter Indices (SPIs) which match the last eight digits of the Firewall’s serial number.
8 ADVANCED SETTINGS
This chapter describes the commands and options available in the Advanced menu. The menu is broken up into sections shown in the user interface as tabs. To access a command click on Filter on the left hand side of the screen and then on the appropriate tab.
The problem with installing a proxy server on the LAN is that each client must be configured to support the proxy, which adds to administration tasks. The alternative is to move the proxy to the WAN or DMZ, depending upon the level of protection desired, and enable Automatic Proxy Forwarding. The Firewall can automatically forward all Web proxy requests to the proxy server without client configuration.
Automatic Proxy/Web Cache Forwarding
Figure 50 Deploying the Firewall and Webcache together
(Figure: the SuperStack 3 Firewall, a Superstack 3 Webcache, a 10/100 Mbps Switch, a Router and Client PCs connected to the LAN infrastructure.)
1 Install the Webcache as described in the Superstack 3 Webcache User Guide (DUA1611-5AAA0x) taking into account any safety information.
c In the Proxy Web Server Port field, enter the number 8080.
d Click Update to save your changes.
3 No configuration is necessary on the client machines. The Firewall will intercept any HTTP requests for external URLs and will forward the traffic to the Webcache.
Specifying Intranet Settings
In some cases, it is desirable to prevent access to certain resources by unauthorized users on the LAN.
Figure 51 Connecting the Firewall to protect an internal part of the network
(Figure: F1 fronts the Unrestricted Area, optionally Firewalled from the external networks; R is the router; F2 fronts the Restricted Area, Firewalled from the rest of your network.)
Figure 52 Intranet Window
To enable intranet firewalling, it is necessary to identify which machines are protected against unauthorized access by specifying the IP addresses of these machines. You can do this in two ways:
■ Inclusively, by specifying which machines are members of the segment with restricted access.
■ Firewall’s WAN link is connected directly to the Internet router — Use this setting if the Firewall is protecting the entire network. This is the default setting. Click Update to save the configuration.
■ Specified address ranges are attached to the LAN link — Select this when it is easier to specify which devices are on the LAN.
Setting Static Routes
Figure 53 Isolating a network using a second router
(Figure: the Firewall F and switches S with two routers R; segment 1, Network Core, and segment 2, Network Design, the second isolated behind its own router.)
To configure static routes click Advanced and then select the Static Routes tab. A window similar to that in Figure 54 displays.
LAN
The IP Address and Subnet on the Firewall’s LAN port are shown at the top of the window. See “Specifying the LAN Settings” on page 57 to change these settings.
DMZ/WAN
The IP addresses of the DMZ, if appropriate, and WAN ports are shown. These differ from that of the LAN port if NAT is enabled. See “Specifying the WAN/DMZ Settings” on page 58 to change these settings.
Setting up One-to-One NAT
Table 4 Address Correspondence in One-to-One NAT
LAN Address   | Corresponding WAN Address          |
192.168.1.1   | 209.19.28.16                       | Inaccessible: Firewall WAN IP Address
192.168.1.2   | 209.19.28.17                       | 209.19.28.17
[...]         | [...]                              | [...]
192.168.1.16  | 209.19.28.31                       | 209.19.28.31
192.168.1.17  | No corresponding valid IP address  | Inaccessible except as Public LAN Server
[...]         | [...]                              | [...]
192.168.1.
Private Range Begin
Type the beginning IP address of the private address range being mapped in the Private Range Begin box. This is the IP address of the first machine being made accessible from the Internet. Do not include the Firewall WAN IP Address in any range.
Public Range Begin
Type the beginning IP address of the public address range being mapped in the Public Range Begin box.
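The address correspondence in Table 4 and the Private Range Begin / Public Range Begin settings above can be modelled to check a planned mapping before it is entered. The following is an added example, not 3Com code and not how the Firewall implements NAT internally; the range length, the lookup helpers and the constructed addresses (taken from Table 4) are assumptions made for the illustration.

```python
"""Model of One-to-One NAT address correspondence (added example, not 3Com
code).  The guide's rule that the Firewall WAN IP Address must never be
inside a mapped range is enforced up front, and hosts past the end of the
private range have no public address (the guide's "inaccessible except as
Public LAN Server" case)."""
from ipaddress import IPv4Address
from typing import List, Optional, Tuple


def build_nat_table(private_begin: str, public_begin: str, count: int,
                    firewall_wan_ip: str) -> List[Tuple[str, str]]:
    """Map `count` consecutive LAN addresses starting at private_begin onto
    the same number of consecutive public addresses starting at public_begin.
    `count` is an assumed parameter: the guide's window takes range begin and
    end, which is equivalent."""
    priv = IPv4Address(private_begin)
    pub = IPv4Address(public_begin)
    fw = IPv4Address(firewall_wan_ip)
    if count < 1:
        raise ValueError("range must contain at least one address")
    # The guide: do not include the Firewall WAN IP Address in any range.
    if pub <= fw < pub + count:
        raise ValueError(f"Firewall WAN IP {fw} lies inside the public range")
    return [(str(priv + i), str(pub + i)) for i in range(count)]


def wan_address_for(table: List[Tuple[str, str]], lan_ip: str) -> Optional[str]:
    """Outbound direction: the public address a LAN host appears as, or None
    if it has no one-to-one mapping."""
    return dict(table).get(lan_ip)


def lan_address_for(table: List[Tuple[str, str]], wan_ip: str) -> Optional[str]:
    """Inbound direction: the LAN host a public address is translated to."""
    reverse = {wan: lan for lan, wan in table}
    return reverse.get(wan_ip)


if __name__ == "__main__":
    # Constructed values matching Table 4: .2 to .16 map onto .17 to .31,
    # and .16 is the Firewall's own WAN address, kept out of the range.
    table = build_nat_table("192.168.1.2", "209.19.28.17", 15, "209.19.28.16")
    for lan, wan in table:
        print(f"{lan:<14} {wan}")
    print("192.168.1.17 ->", wan_address_for(table, "192.168.1.17"))
```

A planned range that starts at the Firewall's own WAN address (for example a public range beginning at 209.19.28.16) is rejected by `build_nat_table`, which is the check a practitioner most wants before committing the configuration.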
9 CONFIGURING VIRTUAL PRIVATE NETWORK SERVICES
This chapter describes the commands and options available in the VPN menu. The menu is broken up into sections shown in the user interface as tabs. To access a command click on VPN on the left hand side of the screen and then on the appropriate tab.
Figure 56 VPN Summary Window
Changing the Global IPSec Settings
The Firewall’s security uses the IPSec protocol to transmit encrypted data. The settings in the Current IPSec Settings section affect all traffic transmitted across the Firewall.
Unique Firewall Identifier
The Unique Firewall Identifier is used to identify the Firewall within a network.
Configuring a VPN Security Association
Check the Disable all Windows Networking (NetBIOS) Broadcasts check box to disable NetBIOS traffic. Click the Update button to save your changes.
Enable Fragmented Packet Handling
Check the Enable Fragmented Packet Handling box to allow the Firewall to reduce the packet size when communicating with other Firewalls.
Figure 57 VPN Configure Window
Adding/Modifying IPSec Security Associations
To add a new Security Association (SA), click the drop-down box labelled Security Associations and select the option labelled Add New SA. Set up the new SA using the options below. Click Update to save your changes.
SA Name
Enter a descriptive name for the Security Association in the SA Name field. This allows you to identify the link for which this Security Association was created. The SA Name field is not available when using GroupVPN.
Disable This SA
Check the Disable this SA box to temporarily disable a Security Association.
Leave the Disable all Windows Networking (NetBIOS) Broadcasts box unchecked for the Enable Windows Networking (NetBIOS) broadcast setting to have effect. See “Disable all Windows Networking (NetBIOS) Broadcasts” on page 124 for details.
The Incoming SPI and Outgoing SPI are only used when Manual Keying is employed. These fields do not appear when using IKE as your IPSec Keying Mode.
Encryption Method
The Firewall supports seven encryption methods for establishing a VPN tunnel. These are shown in Table 5 below.
Table 5 Firewall Encryption Methods
Method | Speed | Security | Supported by
Tunnel Only (ESP NULL) provides no encryption or authentication but can be used to access machines at private addresses behind NAT. Can also be used to allow unsupported protocols through the Firewall. | Very Fast | Low | Manual Key, IKE
Encrypt (ESP DES) uses 56 bit DES to provide an encrypted VPN tunnel. | Slow |
alphanumeric characters with a minimum length of 4 characters and a maximum of 128 characters. Precautions should be taken when delivering/exchanging this shared secret to ensure that a third party cannot compromise the security of a VPN tunnel. Enter your chosen shared secret in the Shared Secret field. This setting is not available if the IPSec Keying Mode is set to Manual Key.
This option does not appear for the GroupVPN SA. This SA does not restrict the IP address of the client. You do not need to configure the destination network if you are configuring a VPN tunnel to a single VPN device such as a Firewall. You only need to configure this range if you are connecting to a range of devices such as VPN clients.
Configuring the Firewall to use a RADIUS Server
does not respond within the specified number of retries, the VPN connection will be dropped. This field may range between 0 and 30. A value of 3 is recommended for a typical network.
RADIUS Server Timeout in Seconds
The RADIUS Server Timeout in Seconds field determines the length of time that will elapse before the Firewall attempts to contact the RADIUS server again after a failure.
Enter the shared secret or administrative password of your RADIUS server in the Shared Secret Field. Click the Update button to save your changes. When configured for a RADIUS server the Firewall will record both successful and failed User Logins using XAUTH/RADIUS.
Using the Firewall with Check Point Firewall-1
selected for Firewall VPN. If SecuRemote is used, FWZ must also be selected.
2 Create the Remote Object(s). These are the resources behind the remote Firewall (Workstations, Network or Group Objects). Refer to the following example:
a From the Manage menu select Network Objects.
b Press the New button and select Network.
f Select Gateway for the Type.
g Leave the Firewall-1 Installed box unchecked.
h Go to the Encryption Tab. Select the Other radio button and select the Group or Network the Firewall will be encrypting for.
i Select the encryption method Manual IPSEC.
j Press the OK button when finished.
5 Create the SPI key(s) needed to synchronize encryption algorithms.
9 Select the Manual IPSec and the Logging radio buttons.
10 Press the Edit button. Select the SPI Key for this VPN Tunnel.
11 Press the OK button when finished with the IPSec properties and press the OK button when finished with the Encryption properties.
12 From the Policy menu, select Install to activate the security policy.
Configuring the IRE VPN Client for use with the Firewall
Setting up the GroupVPN Security Association
1 Click on VPN on the left hand side of the screen and then on the Summary tab.
a Ensure that the Enable VPN checkbox is ticked.
b Click the Update button to save any changes you have made.
2 Click on the Configure tab.
a Select GroupVPN from the Security Association drop-down box.
Installing the IRE VPN Client Software
1 Insert the CD that came with the Firewall into your CD-ROM Drive.
2 Go to the VPN CLIENT directory on the CD.
3 Double-click setup.exe and follow the VPN client Setup program's step-by-step instructions. This product does not require any serial key for installation.
5 Close the Security Policy Editor, saving changes when prompted.
6 Delete the export file from the hard drive if it was previously copied there.
The client is now set up to access your network safely across the Internet.
10 CONFIGURING HIGH AVAILABILITY
This chapter describes the commands and options available in the High Availability menu. The menu is broken up into sections shown in the user interface as tabs. To access a command click on High Availability on the left hand side of the screen and then on the appropriate tab.
primary Firewall and the backup Firewall, then two addresses are required. High Availability does not allow the use of dynamic IP address assignment from your ISP.
■ Network Configuration for High Availability Pair
Each Firewall in the High Availability pair must have the same upgrades and subscriptions enabled.
■ Configuring High Availability on the Backup Firewall
Both steps must be completed before the two Firewalls will function as a High Availability pair.
Configuring High Availability on the Primary Firewall
Click the High Availability button on the left side of the Firewall browser window, and then click the Configure tab at the top of the window. A window similar to the following displays.
The primary and backup Firewalls use a “heartbeat” signal to communicate with one another. This heartbeat is sent between the Firewalls over the network segment connected to the LAN ports of the two Firewalls. The interruption of this heartbeat signal triggers the backup Firewall to take over operation from the active unit of the High Availability pair.
Making Configuration Changes
4 Log into the backup Firewall. Click the Tools button on the left side of the browser window, and then click the Configuration tab at the top of the window. Next, click the Import button.
5 Click the Browse button and select the file that was previously saved using the Export button. Once the file has been selected, click the Import button. Restart the Firewall for the settings to take effect.
Checking High Availability Status
If a failure of the primary Firewall occurs, the backup Firewall will assume the primary Firewall’s LAN and WAN IP Addresses. It is therefore not possible to determine which Firewall is active by logging into the LAN IP Address alone.
If the backup Firewall has taken over for the primary, for example in the event of a failure of the primary Firewall, the first line in the status window indicates that the backup Firewall is currently Active. Check the status of the backup Firewall by logging into the LAN IP Address of the backup Firewall.
Forcing Transitions
CAUTION: If the Preempt Mode checkbox has been checked for the primary Firewall, the primary unit will take over operation from the backup unit after the restart is complete.
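The heartbeat takeover described on the High Availability configuration page and the Preempt Mode behaviour in the caution above combine into a small state machine. The following model is an added example written for this guide, not 3Com code and not the Firewall's own implementation; the heartbeat interval, the number of missed beats that counts as an interruption, and the timeline in `simulate` are assumptions, since the guide does not state these values.

```python
"""Model of High Availability failover (added example, not 3Com code).
The backup takes over when the primary's heartbeat, sent over the LAN
segment, is interrupted.  When the primary comes back, the backup keeps
running unless Preempt Mode is set, in which case the primary takes
operation back.  Interval and miss limit are assumed values."""
from dataclasses import dataclass
from typing import List


@dataclass
class HaPair:
    heartbeat_interval: float = 1.0   # seconds between heartbeats (assumed)
    missed_limit: int = 3             # misses before failover (assumed)
    preempt: bool = False             # the Preempt Mode checkbox
    active: str = "primary"           # unit currently holding the LAN/WAN addresses
    last_heartbeat: float = 0.0

    def heartbeat_from_primary(self, now: float) -> str:
        """Record a heartbeat; with Preempt Mode the primary reclaims the
        active role as soon as it is heard again."""
        self.last_heartbeat = now
        if self.preempt and self.active == "backup":
            self.active = "primary"
        return self.active

    def check(self, now: float) -> str:
        """Run by the backup on each timer tick: declare the heartbeat
        interrupted once more than missed_limit intervals have passed."""
        silent_for = now - self.last_heartbeat
        if (self.active == "primary"
                and silent_for > self.heartbeat_interval * self.missed_limit):
            self.active = "backup"
        return self.active


def simulate(preempt: bool) -> List[str]:
    """Constructed timeline: the primary beats at t=0..5, is silent until
    t=12, then beats again.  Returns the active unit observed each second."""
    pair = HaPair(preempt=preempt)
    observed = []
    for t in range(16):
        primary_up = t <= 5 or t >= 12
        if primary_up:
            pair.heartbeat_from_primary(float(t))
        observed.append(pair.check(float(t)))
    return observed


if __name__ == "__main__":
    for mode in (False, True):
        print(f"preempt={mode}:", " ".join(s[0] for s in simulate(mode)))
```

Running it shows why the guide's caution matters: without Preempt Mode the backup stays active after the primary returns, so an administrator who restarts the primary must check the status window to learn which unit is serving; with Preempt Mode the roles flip back automatically on the first heartbeat.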
11 ADMINISTRATION AND ADVANCED OPERATIONS
This chapter provides some background on Firewall concepts and describes some administration functions not available through the menu structure.
In evaluating a site for inclusion in the list, the team considers the effect of the site on a typical twelve year old searching the Internet unaccompanied by a parent or educator. Any easily accessible pages with graphics, text or audio which fall within the definition of the categories below will be considered sufficient to place the source in the category.
Introducing the Web Site Filter
sexual orientation. Any picture or text that elevates one group over another. Also includes intolerant jokes or slurs.
■ Satanic/Cult: Satanic material is defined as: Pictures or text advocating devil worship, an affinity for evil, or wickedness.
■ Questionable/Illegal & Gambling: Pictures or text advocating materials or activities of a dubious nature which may be illegal in any or all jurisdictions, such as illegal business schemes, chain letters, copyright infringement, computer hacking, phreaking (using someone's phone lines without permission) and software piracy.
You must have already registered the Firewall before Activating the Web Site Filter.
Using Network Access Policy Rules
Network Access Policy Rules are the tools you use to control traffic between the LAN, DMZ and WAN ports of your Firewall. Use this list to help you create rules.
■ State the intent of the rule.
■ Does this rule conflict with any existing rules?
Once you have answered these questions, to add rules you type the information into the correct boxes in the Policy Rules window.
a Action
Select the Allow or Deny option button depending on the intent of the rule, as defined by item 2 in “Using Network Access Policy Rules” on page 157.
When evaluating rules, the Firewall uses the following criteria:
■ A rule defining a specific service is more specific than the default rule.
■ A defined Ethernet link, such as LAN, WAN, or DMZ, is more specific than * (all).
■ A single IP address is more specific than an IP address range.
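The precedence criteria above, together with the "most specific first" ordering and the FTP example on the Editing Policy Rules pages in Chapter 7, can be expressed as a small evaluator that shows which rule would decide a given packet. This is an added illustration, not 3Com code and not the Firewall's actual packet-inspection engine; the `Rule` fields mirror the boxes in the Policy Rules window, while the numeric specificity weights, the closed-policy fallback and the constructed rule set in `example_rules` are assumptions.

```python
"""Specificity-ordered evaluation of Network Access Policy rules (added
example, not 3Com code).  A rule naming a service outranks the Default
rule, a named link (LAN/WAN/DMZ) outranks '*', and a single address
outranks a range; the first matching rule in that order decides."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional, Tuple

MAX_RULES = 100  # the guide: up to 100 policy rules may be entered

AddrRange = Optional[Tuple[str, str]]  # (begin, end) or None for any address


@dataclass(frozen=True)
class Rule:
    action: str                 # "Allow" or "Deny"
    service: Optional[str]      # None = the Default rule (all IP services)
    src_link: str = "*"         # "LAN", "WAN", "DMZ" or "*"
    src_range: AddrRange = None
    dst_link: str = "*"
    dst_range: AddrRange = None


def _range_score(rng: AddrRange) -> int:
    if rng is None:
        return 0
    return 2 if rng[0] == rng[1] else 1   # a single host beats a range


def specificity(rule: Rule) -> int:
    """Assumed weights: each guide criterion adds to the score."""
    score = 1 if rule.service is not None else 0
    score += int(rule.src_link != "*") + int(rule.dst_link != "*")
    score += _range_score(rule.src_range) + _range_score(rule.dst_range)
    return score


def order_rules(rules: List[Rule]) -> List[Rule]:
    """Most specific first, as the Policy Rules window displays them."""
    if len(rules) > MAX_RULES:
        raise ValueError(f"at most {MAX_RULES} policy rules may be entered")
    return sorted(rules, key=specificity, reverse=True)


def _in_range(ip: str, rng: AddrRange) -> bool:
    if rng is None:
        return True
    return ip_address(rng[0]) <= ip_address(ip) <= ip_address(rng[1])


def matches(rule: Rule, pkt: dict) -> bool:
    return (rule.service in (None, pkt["service"])
            and rule.src_link in ("*", pkt["src_link"])
            and rule.dst_link in ("*", pkt["dst_link"])
            and _in_range(pkt["src_ip"], rule.src_range)
            and _in_range(pkt["dst_ip"], rule.dst_range))


def evaluate(rules: List[Rule], pkt: dict) -> str:
    """First match in precedence order decides.  A rule set with no
    Default rule denies (assumption: a closed policy)."""
    for rule in order_rules(rules):
        if matches(rule, pkt):
            return rule.action
    return "Deny"


def example_rules() -> List[Rule]:
    """Constructed rule set: the guide's FTP example plus a Default rule."""
    return [
        Rule("Allow", None),                                    # Default rule
        Rule("Deny", "FTP", src_link="LAN"),                    # block all LAN FTP
        Rule("Allow", "FTP", src_link="LAN",
             src_range=("192.168.1.50", "192.168.1.50")),       # one PC may use FTP
    ]


if __name__ == "__main__":
    rules = example_rules()
    for r in order_rules(rules):
        print(specificity(r), r)
    pkt = {"service": "FTP", "src_link": "LAN", "src_ip": "192.168.1.50",
           "dst_link": "WAN", "dst_ip": "198.51.100.10"}
    print(evaluate(rules, pkt))
```

The ordering printed by the block reproduces what the guide describes: the single-host Allow rule is displayed above the blanket Deny, and the Default rule sits at the bottom. A useful pre-change check, given the warning on page 161 that edited rules can weaken the Firewall, is to run a handful of representative packets through `evaluate` before and after a rule edit and compare the verdicts.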
4 Enter the blocked network’s starting IP address in the Source Addr. Range Begin box and the blocked network’s ending IP address in the Source Addr. Range End box.
5 Select * from the Destination Ethernet list.
6 Since the intent is to block access to all servers, enter * in the Destination Addr. Range Begin box.
7 Click Add Rule.
Restoring the default rules will delete all custom rules and Public LAN Servers. If an IKE VPN Security Association has been created, a service will need to be recreated to permit IKE negotiations.
Protocols/Services to Filter
Although the Firewall is shipped in a safe mode by default, the user can alter the Policy Rules and potentially cause the Firewall to be vulnerable to attacks.
Resetting the Firewall
To reset the Firewall:
1 Disconnect the power from the Firewall.
2 Using a blunt pointed object, fully press in the reset button on the back panel.
3 Whilst holding this button in, reconnect the power to the unit.
4 Continue holding the reset button in until the Alert LED starts flashing. This should be approximately 20 seconds.
5 When the Alert LED stops flashing, the reset is complete.
Make sure that you are using a browser that supports HTML uploads, otherwise you cannot upload the firmware.
2 In the box labeled Please select a firmware file, type in the full file and path name of the firmware image that you want to upload to the unit. Use the Browse button to locate the file if you are not sure of its location.
only provide limited protection the first time the administrator’s password is set. In principle, an individual inside the network could capture all network transmissions and then perform mathematical analyses to discover the new Administrator Password.
12 TROUBLESHOOTING GUIDE
This chapter contains the following:
■ Introduction
■ Potential Problems and Solutions
■ Troubleshooting the Firewall VPN Client
■ Frequently Asked Questions about PPPoE
Introduction
The Firewall has been designed to help you detect and solve possible problems with its installation and operation in your network.
Power LED Flashes Continuously
If the Power LED continues to flash after 120 seconds, please contact Technical Support (see Appendix A for information about contacting Technical Support).
Power and Alert LED Lit Continuously
Link LED is Off
Ethernet Connection is Not Functioning
Cannot Access the Web interface
Potential Problems and Solutions
■ Remember that passwords are case-sensitive; make sure the Caps Lock key is off.
■ Click Reload or Refresh in the Web browser and try again. For security reasons, the Firewall sends a slightly different Authentication page each time you log in to the Web interface.
LAN Users Cannot Access the Internet
Firewall Does Not Save Changes
Duplicate IP Address Errors Are Occurring
Machines on the WAN Are Not Reachable
Make sure the Intranet settings in the Advanced section are correct.
Troubleshooting the Firewall VPN Client
If the Firewall client is unable to negotiate with the Firewall, the Firewall VPN Client Log Viewer will display detailed error messages. To access the Log Viewer, right click on the icon in the Windows Task Bar and then select Log Viewer.
Restarting the Firewall with Active VPN Tunnel
If you restart the Firewall with a VPN Client active, you must deactivate and reactivate the IRE VPN Client. Restarting the Firewall kills all the current VPN tunnels on the Firewall side. In this case the IRE VPN Client assumes that the connection is still intact and sends encrypted packets that eventually get dropped.
Frequently Asked Questions about PPPoE
Why are ISPs using PPPoE in their broadband services?
The theory is that PPPoE makes it easier for the end user of broadband services to connect to the Internet by simulating a Dial-up connection. The ISP realizes significant advantages because much of the existing Dial-up infrastructure (billing, authentication, security, etc.
13 TYPES OF ATTACK AND FIREWALL DEFENCES
This chapter describes some of the attacks that hackers may use to infiltrate and attack your network. It also details the way in which the Firewall counters each attack.
The return address of the ping has been faked (spoofed) to appear to come from a machine on another network (the victim). The victim is then flooded with responses to the ping. Because many responses are generated for a single attack packet, the attacker is able to use many amplifiers against the same victim. The results of a smurf attack range from slowing of the network to the crashing of the victim devices.
Port Scanning
Port scanning is the testing of ports to see which are active and which are disabled. Although ports are scanned as part of normal traffic, the scanning of many ports in a short period of time is a common precursor to an attack.
Firewall Response: None. The Firewall allows port scanning but logs all port scans to aid diagnosis. Ports not in use are disabled by the Firewall.
14 NETWORKING CONCEPTS
This appendix contains the following:
■ Introduction to TCP/IP
■ Network Address Translation (NAT)
■ Dynamic Host Configuration Protocol (DHCP)
■ Port Numbers
■ Virtual Private Network Services
Introduction to TCP/IP
Protocols are rules that networking hardware and software follow to communicate with one another. The Firewall uses the TCP/IP protocol.
IP and TCP
IP stands for Internet Protocol.
(called dotted decimal notation), for example, 123.45.67.89. Because computers use a binary number system, each number in the set must be less than 255. There are three components that contribute to an IP address:
■ IP address itself
■ Subnet mask
■ Default gateway
The following sections discuss each of these components in detail.
Most large centralized companies have a network manager in charge of all IP address numbers. Other companies have a distributed administration scheme that allows the local network manager to set local IP addresses. In this case, the local manager gets a sub-network or “interchange” number from the company’s central network manager and then assigns local IP address numbers.
the network, use an IP address of 0.0.0.0 in fields that apply to a default gateway.
Network Address Translation (NAT)
Network Address Translation (NAT) is used to re-map all the addresses on a LAN to a single address on the Internet. This can be useful for three reasons:
■ You may have a pre-existing LAN, not connected to the Internet, which uses invalid Internet addresses.
■ Not all applications lend themselves easily to address translation by NAT devices, especially applications that carry IP addresses inside the payload.
■ NAT devices operate on the assumption that each session is independent. Applications such as H.323, which use one or more control and follow-on sessions, require the use of an Application Level Gateway (ALG).
Port Numbers
Well Known Port Numbers
The port numbers are divided into three ranges:
■ Well Known ports — those from 0 to 1023
■ Registered ports — those from 1024 to 49151
■ Dynamic or Private ports — those from 49152 to 65535
The Well Known Ports are controlled and assigned by the Internet Assigned Numbers Authority (IANA) http://www.iana.
Virtual Private Network Services
■ Introduction to Virtual Private Networks
Basic Terms and Concepts
Virtual Private Networks (VPN) provide an easy, affordable, and secure means for businesses to conduct operations and provide network connectivity to all offices and partners. Using 3Com’s intuitive Web interface, a secure connection may be established between two or more sites.
■ Linking two or more Private Networks Together
VPN is the perfect way to connect branch offices and business partners to the primary business. Using VPN over the Internet, instead of leased site-to-site lines, offers significant cost savings and improved performance.
communications can range in length, but are typically 16 or 32 characters. The longer the key, the more difficult it is to break the encryption. The reason for this is that most methods used to break encryption involve trying every possible combination of characters, similar to trying to open a safe when the combination is not known.
■ Asymmetric vs.
When DES is used for data communications, both sender and receiver must know the same secret key, which can be used to encrypt and decrypt the message, or to generate and verify a message authentication code. 3Com's implementation of DES uses a 56-bit key. 3Com's DES Key must be exactly 16 characters long and consists of hexadecimal characters.
The SPI must be unique, is from one to eight characters long, and consists of hexadecimal characters. Valid hexadecimal characters are 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, a, b, c, d, e, f. The range from “0” to “ff” inclusive is reserved by the Internet Engineering Task Force (IETF) and is not allowed for use as an SPI.
A SAFETY INFORMATION
WARNING: Please read the ‘Important Safety Information’ section before you start.
VORSICHT (German): Please read the ‘Important Safety Information’ section carefully before you switch on the unit.
AVERTISSEMENT (French): Please read the ‘Important Safety Instructions’ section carefully before starting up.
APPENDIX A: SAFETY INFORMATION
WARNING: There are no user-replaceable fuses or user-serviceable parts inside the unit. If you have a physical problem with the unit that cannot be solved with the problem-solving actions in this guide, contact your supplier.
WARNING: Disconnect the power adapter before moving the unit.
WARNING: RJ-45 Ports. These are shielded RJ-45 data sockets.
Important Safety Instructions (French section)
VORSICHT (German): There are no user-replaceable or user-serviceable parts inside the unit. If you have a problem with the Switch that cannot be solved by the troubleshooting procedures in this guide, contact your supplier.
VORSICHT (German): Unplug the power adapter cable before removing the unit.
VORSICHT (German): RJ-45 ports.
AVERTISSEMENT (French): The unit operates at a safety extra-low voltage that complies with standard IEC 950. These conditions are maintained only if the equipment to which it is connected also operates under the same conditions.
AVERTISSEMENT (French): There are no user-replaceable or user-serviceable parts inside the hub.
B TECHNICAL SPECIFICATIONS AND STANDARDS
This appendix lists the technical specifications for the SuperStack 3 Firewall. The Firewall has been designed and certified to the following standards:
Table 7 Technical Specifications of the Firewall
Physical
■ Width: 440 mm (17.3 in.)
■ Depth: 230 mm (9.0 in.)
■ Height: 44 mm (1.7 in.) or 1 U
■ Weight: 2.55 kg (5.6 lb)
■ Mounting: Free standing, or 19in.
Table 7 Technical Specifications of the Firewall (continued)
Functional: ISO/IEC 8802-3, IEEE 802.3, ICSA Firewall Certification
Safety: UL1950, EN 60950, CSA 22.
C CABLE SPECIFICATIONS
Cable Specifications
The Firewall supports the following cable types and maximum lengths:
■ Category 5 cable.
■ Maximum cable length of 100 m (327.86 ft).
Pinout Diagrams
Figure 66 and Figure 67 below show the pin connections when using a straight-through Category 5 cable. This is the standard cable used for Ethernet and Fast Ethernet.
Figure 68 and Figure 69 below show the pin connections when using a crossover Category 5 cable. It is not necessary to use a crossover cable with your Firewall, as the Normal/Uplink switch beside each port serves the same purpose.
D TECHNICAL SUPPORT
3Com provides easy access to technical support information through a variety of services. This appendix describes these services. Information contained in this appendix is correct at time of publication. For the most recent information, 3Com recommends that you access the 3Com Corporation World Wide Web site.
3Com FTP Site
Download drivers, patches, software, and MIBs across the Internet from the 3Com public FTP site. This service is available 24 hours a day, 7 days a week. To connect to the 3Com FTP site, enter the following information into your FTP client:
■ Hostname: ftp.3com.
Support from 3Com
■ A list of system hardware and software, including revision levels
■ Diagnostic error messages
■ Details about recent configuration changes, if applicable
Here is a list of worldwide technical telephone support numbers. These numbers are correct at the time of publication. Refer to the 3Com Web site for updated information.
Country / Telephone Number: P.R.
Returning Products for Repair
Before you send a product directly to 3Com for repair, you must first obtain an authorization number. Products sent to 3Com without authorization numbers will be returned to the sender unopened, at the sender’s expense.
Country / Telephone Number / Fax Number: U.S.A.
INDEX
Numbers
0.0.0.0 182
10 Mbps status LED 30
100 Mbps status LED 30
10BASE-T cable: DMZ connection 33; LAN connection 33
255.255.255.
REGULATORY NOTICES
FCC STATEMENT
This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment.