
Dynamic Host Configuration Protocol (DHCP)

183

Not all applications lend themselves easily to address translation by
NAT devices, especially applications that carry IP addresses inside
the payload.

NAT devices operate on the assumption that each session is
independent. Applications such as H.323, which use one or more
control sessions to set up follow-on sessions, require the use of an
Application Level Gateway (ALG). The ALG interprets and translates the
addresses carried in the payload, so that the NAT device is prepared
for the follow-on data sessions.

NAT increases the risk of mis-addressing. For example, the same local
address may be bound to different global addresses at different times,
and vice versa.

For more information on NAT, see

http://www.ietf.org/rfc/rfc2663.txt
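The following worked example is added here to illustrate the point above; it is not code from the 3Com guide or from any real NAT implementation. It models a NAT device that rewrites only the IP/port header of an outbound packet, and shows why an application that embeds its private address in the payload needs an ALG: without one, the private address leaks to the remote peer unchanged, while the ALG hook rewrites the embedded reference and pre-creates the binding for the follow-on session. The `MEDIA host:port` payload syntax, the global address 203.0.113.1, and the private host 192.168.1.20 are all constructed for the example (real H.323 signalling is binary ASN.1, not text).

```python
"""Toy NAT with an optional Application Level Gateway (ALG) hook.

Added illustration, not 3Com firmware code. Packets are plain dicts with
src_ip/src_port/dst_ip/dst_port/payload; the payload of the constructed
sample uses a hypothetical text syntax "MEDIA <ip>:<port>" that carries the
client's own private address, as H.323 control messages do.
"""
import ipaddress
import re

PRIVATE_NET = ipaddress.ip_network("192.168.0.0/16")   # the LAN behind the NAT
EMBEDDED_ADDR = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\b")

# Constructed sample: a control-session packet announcing a follow-on media port.
SAMPLE_PACKET = {
    "src_ip": "192.168.1.20", "src_port": 1720,
    "dst_ip": "203.0.113.5", "dst_port": 1720,
    "payload": "MEDIA 192.168.1.20:5004",
}


class Nat:
    def __init__(self, global_ip):
        self.global_ip = global_ip
        self.next_port = 40000                 # hypothetical global port range start
        self.bindings = {}                     # (local_ip, local_port) -> global_port

    def _bind(self, local_ip, local_port):
        """Return (creating if needed) the global port for a local endpoint."""
        key = (local_ip, local_port)
        if key not in self.bindings:
            self.bindings[key] = self.next_port
            self.next_port += 1
        return self.bindings[key]

    def translate(self, pkt, alg=False):
        """Rewrite the source of an outbound packet to the NAT's global address.

        With alg=False only the header is touched, so any private address in
        the payload reaches the remote peer unchanged. With alg=True the
        payload is scanned, private endpoints are rewritten to their global
        equivalents, and a binding is created so the follow-on session can be
        mapped back to the LAN host when it arrives.
        """
        out = dict(pkt)
        out["src_ip"] = self.global_ip
        out["src_port"] = self._bind(pkt["src_ip"], pkt["src_port"])
        if alg:
            def fix(match):
                ip, port = match.group(1), int(match.group(2))
                if ipaddress.ip_address(ip) in PRIVATE_NET:
                    return f"{self.global_ip}:{self._bind(ip, port)}"
                return match.group(0)           # leave public addresses alone
            out["payload"] = EMBEDDED_ADDR.sub(fix, pkt["payload"])
        return out


def leaked_private_addresses(pkt):
    """List private addresses still visible in the payload after translation."""
    return [ip for ip, _port in EMBEDDED_ADDR.findall(pkt["payload"])
            if ipaddress.ip_address(ip) in PRIVATE_NET]


if __name__ == "__main__":
    plain = Nat("203.0.113.1").translate(SAMPLE_PACKET)
    print("header-only NAT leaks:", leaked_private_addresses(plain))
    nat = Nat("203.0.113.1")
    fixed = nat.translate(SAMPLE_PACKET, alg=True)
    print("with ALG payload:", fixed["payload"], "bindings:", nat.bindings)
```

The header-only path reproduces the failure the guide describes: the remote peer is told to send media to 192.168.1.20:5004, which is unreachable from the Internet. The ALG path is what makes the follow-on session work, and it also shows why ALGs are a risk surface in their own right: the NAT must parse application payloads it would otherwise treat as opaque.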

Dynamic Host Configuration Protocol (DHCP)

Dynamic Host Configuration Protocol is a protocol that allows computers
on a network to get their TCP/IP settings from a centralized server. This
configuration information includes elements such as the IP address, subnet
mask, DNS server address, and so forth. Here's how it works:

A DHCP server provides a dynamic, “leased” address to a DHCP client.
This means that the client may use the provided IP address for a
certain period of time. The DHCP server will not give this address to a
different client during the lease period, which ensures that there are no
address conflicts. When the lease expires, the client may renew it.
If it does not renew the lease (for instance, because it has been switched
off), the server may give the dynamic address to a different client.
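To make the lease rules above concrete, here is a small lease-table model added for illustration; it is not code from the 3Com guide or from the Firewall's firmware. It enforces the two properties the paragraph states: an address is never handed to a second client while its lease is live, and an address whose lease has expired without renewal returns to the pool. The address range 192.168.1.10 to 192.168.1.11, the 3600-second lease time, and the client MAC labels are constructed inputs; the model identifies clients by MAC address and uses an abstract clock passed in by the caller so it runs deterministically offline.

```python
"""Minimal DHCP lease table (added illustration, not 3Com firmware code)."""
from dataclasses import dataclass
import ipaddress


@dataclass
class Lease:
    mac: str        # client hardware address, which identifies the client
    expires: float  # absolute clock value (seconds) at which the lease ends


class DhcpLeaseTable:
    def __init__(self, first_ip, last_ip, lease_time):
        start = int(ipaddress.IPv4Address(first_ip))
        end = int(ipaddress.IPv4Address(last_ip))
        self.pool = [str(ipaddress.IPv4Address(i)) for i in range(start, end + 1)]
        self.lease_time = lease_time
        self.leases = {}   # ip -> Lease

    def _reap(self, now):
        """Expired, unrenewed leases go back to the free pool."""
        for ip in [ip for ip, lease in self.leases.items() if lease.expires <= now]:
            del self.leases[ip]

    def request(self, mac, now):
        """Return an address for `mac`, or None if the pool is exhausted.

        A client that already holds a live lease gets the same address with
        the lease period restarted (renewal). Otherwise the first address that
        is not currently leased to anyone is handed out, so an address is never
        given to a second client while its lease is live.
        """
        self._reap(now)
        for ip, lease in self.leases.items():
            if lease.mac == mac:
                lease.expires = now + self.lease_time
                return ip
        for ip in self.pool:
            if ip not in self.leases:
                self.leases[ip] = Lease(mac, now + self.lease_time)
                return ip
        return None

    def holder(self, ip, now):
        """MAC address currently holding `ip`, or None if it is free."""
        self._reap(now)
        lease = self.leases.get(ip)
        return lease.mac if lease else None


if __name__ == "__main__":
    # Constructed scenario: two-address pool, one-hour leases.
    table = DhcpLeaseTable("192.168.1.10", "192.168.1.11", 3600)
    print("A:", table.request("aa:aa:aa:aa:aa:aa", now=0))      # .10
    print("B:", table.request("bb:bb:bb:bb:bb:bb", now=0))      # .11
    print("C:", table.request("cc:cc:cc:cc:cc:cc", now=100))    # None, pool full
    print("A renews:", table.request("aa:aa:aa:aa:aa:aa", now=3000))
    print("C after B expired:", table.request("cc:cc:cc:cc:cc:cc", now=3700))
```

The scenario in the `__main__` block walks through exactly the sequence the text describes: the third client is refused while both leases are live, the first client's renewal extends its lease, and once the second client fails to renew its address is reassigned. On a real server the free-address check would typically also probe for rogue use of the address (for example with an ICMP echo or ARP) before offering it, since the lease table alone cannot detect a host that configured that address manually.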

The Firewall contains both a DHCP server and a DHCP client. They are used
for different purposes. The DHCP server can be used to provide machines on
the LAN with configuration information. This can make it much easier to
administer these machines, since individual hosts do not need to be
configured one at a time. The Firewall's DHCP server also supports an
older protocol called “BootP”.

The DHCP client is used in conjunction with Network Address Translation.
The Firewall can use its DHCP client to automatically configure the
Firewall WAN IP Address, WAN subnet mask, and other parameters. This
can be useful for corporate Intranets, cable modem networks, or other
environments where dynamic addressing is desirable.

DUA1611-0AAA02.book  Page 183  Thursday, August 2, 2001  4:01 PM

Summary of Contents for SUPERSTACK 3CR16110-95

Page 1: ...Part No DUA1611 0AAA02 Published August 2001 SuperStack 3 Firewall User Guide SuperStack 3 Firewall 3CR16110 95 SuperStack 3 Firewall Web Site Filter 3C16111 DUA1611 0AAA02 book Page 1 Thursday Augus...

Page 2: ...ny licensed program or documentation contained in or delivered to you in conjunction with this User Guide Unless otherwise indicated 3Com registered trademarks are registered in the United States and...

Page 3: ...Web URL Filtering 23 High Availability 24 Logs and Alerts 24 User Remote Access from the Internet 24 Automatic IP Address Sharing and Configuration 24 Introduction to Virtual Private Networking VPN 25...

Page 4: ...provided by a DHCP Server 44 Configuring LAN Settings 44 Automatic LAN Settings 44 Entering information about your LAN 45 Configuring the DHCP Server 45 Confirming Firewall Settings 46 II CONFIGURING...

Page 5: ...site is blocked 72 Updating the Web Filter 73 Checking the Web Filter Status 73 Downloading an Updated Filter List 74 Setting Actions if no Filter List is Loaded 74 Blocking Websites by using Keyword...

Page 6: ...estoring Rules to Defaults 106 Updating User Privileges 106 Establishing an Authenticated Session 108 Setting Management Method 109 Selecting Remote Management 110 Using the Firewall with the NBX 100...

Page 7: ...E VPN Client Software 139 Configuring the IRE VPN Client 139 10 CONFIGURING HIGH AVAILABILITY Getting Started 141 Network Configuration for High Availability Pair 142 Configuring High Availability 142...

Page 8: ...s the Internet 169 Firewall Does Not Save Changes 169 Duplicate IP Address Errors Are Occurring 169 Machines on the WAN Are Not Reachable 170 Troubleshooting the Firewall VPN Client 170 The IKE Negoti...

Page 9: ...Known Port Numbers 184 Registered Port Numbers 184 Private Port Numbers 184 Virtual Private Network Services 184 Introduction to Virtual Private Networks 185 VPN Applications 185 Basic VPN Terms and C...

Page 10: ...ld Wide Web Site 201 3Com Knowledgebase Web Services 201 3Com FTP Site 202 Support from Your Network Supplier 202 Support from 3Com 202 Returning Products for Repair 204 INDEX REGULATORY NOTICES DUA16...

Page 11: ...ave to web sites Sites can be blocked on a site wide or individual basis and by the features a web site uses or content it provides This guide is intended for use by the person responsible for install...

Page 12: ...tion about installing and setting up the Web Site Filter Chapter 11 Troubleshooting common Firewall problems Chapter 12 Information about Denial of Service and other attacks Chapter 13 An introduction...

Page 13: ...reen displays This typeface represents information as it appears on the screen Commands The word command means that you must enter the command exactly as shown and then press Return or Enter Commands...

Page 14: ...based application which you use to set up the Firewall to protect your network from attack and to control access to the Internet for LAN users NAT Network Address Translation NAT refers to the proces...

Page 15: ...o as GMT or World Time VPN stands for Virtual Private Network and is a method of networking that uses data encryption and the public internet to provide secure communications between sites without inc...

Page 16: ...l support questions For information about contacting Technical Support see Appendix A Registration To register your Firewall point your web browser to http www 3com com ssfirewall click on Hardware Re...

Page 17: ...I GETTING STARTED Chapter 1 Introduction Chapter 2 Installing the Hardware Chapter 3 Quick Setup for the Firewall DUA1611 0AAA02 book Page 17 Thursday August 2 2001 4 01 PM...

Page 18: ...18 DUA1611 0AAA02 book Page 18 Thursday August 2 2001 4 01 PM...

Page 19: ...LAN to be securely connected to the Internet You can use the Firewall to Prevent theft destruction and modification of data Filter incoming data for unsafe or objectionable content Log events which m...

Page 20: ...1 3Com Network Supervisor display Network Supervisor automatically discovers up to 1500 network devices and shows devices and connections on a graphical display Network managers can view network acti...

Page 21: ...the Firewall you must follow the steps below before Network Supervisor will detect your Firewall 1 Access the Web interface from a Web browser connected to the LAN port of the Firewall 2 Click on the...

Page 22: ...ers LAN DMZ WAN STOP DoS Attacks Blocked Web Access Allowed Unauthorised External Access Blocked Authorised External Access using VPN Encrypted STOP STOP STOP Internet Access Filtered optional LAN Nor...

Page 23: ...you want to restrict access Alternatively you can restrict access to the Internet to certain trusted URLs See Setting up Trusted and Forbidden Domains on page 165 for more information Web site techno...

Page 24: ...of Internet bandwidth You can also set up the Firewall to send an alert message through e mail when a high priority concern such as a hacker attack is detected See Log Alert Settings on page 177 for...

Page 25: ...rading partners legal and financial advisors as well as remote workers and branch offices This real time requirement often leads to the creation of an extranet where branch offices and partners are co...

Page 26: ...ating device at the other end of the tunnel must be using the same level and type of encryption See Configuring Virtual Private Network Services on page 123 for more details DUA1611 0AAA02 book Page 2...

Page 27: ...s relatives la s curit qui se trouvent dans l Appendice A de ce guide VORSICHT Bevor Sie den Firewall hinzuf gen lesen Sie die Sicherheitsanweisungen die in Anhang A in diesem Handbuch aufgef hrt sind...

Page 28: ...nd sources of electrical noise such as radio transmitters and broadband amplifiers Water or moisture cannot enter the case of the unit Air flow around the unit and through the vents in the side of the...

Page 29: ...k the feet to the marked areas at each corner of the underside of the unit if you intend to place the unit directly on top of the desk Firewall Front Panel Figure 4 shows the front panel of the Firewa...

Page 30: ...each have a Status LED that indicates the following Green indicates that the link between port and the next network device is operational at 100 Mbps Yellow indicates that the link between the port an...

Page 31: ...se this connector to attach a Redundant Power System to the Firewall 11 Reset Switch recessed Use to reset the Firewall CAUTION Holding the Reset Switch when you power on the Firewall will erase the o...

Page 32: ...l to the same physical network For example never connect the LAN and DMZ ports into the same device as this bypasses all firewall functions S LAN DMZ WAN N R F S S L B W C W N R Key S L B S C F W N eb...

Page 33: ...he Normal position 3 Connect the Ethernet port labeled DMZ to the public servers If you are installing the Firewall DMZ and want to protect the public servers such as Web and FTP servers use the DMZ p...

Page 34: ...wall See the following chapters for more information Chapter 3 for a quick setup guide for the Firewall Chapters 4 to 8 for full information about all the configuration options Chapter 11 for informat...

Page 35: ...se the Installation Wizard to configure the Firewall you can activate the Installation Wizard manually To start the Installation Wizard manually click on the Tools menu followed by the Configuration t...

Page 36: ...have finished using the Installation Wizard 2 Change the IP address to a value within the Firewall s default subnet This will be a value between 192 168 1 1 and 192 168 1 254 but not 192 168 1 254 as...

Page 37: ...rewall manually click the Cancel button You will then be returned to the Web interface See Configuring the Firewall starting on page 49 to configure the Firewall using the Web interface Setting the Pa...

Page 38: ...click the Next button to continue The Time Zone you choose will affect the time recorded in the logs Figure 9 Set Time Zone screen This completes the Basic setup of the Firewall The Firewall will now...

Page 39: ...e 40 Automatic WAN Settings The Installation Wizard checks for the presence of a DHCP Server or a PPPoE server on the WAN port Depending on the server found the Firewall configures itself appropriatel...

Page 40: ...tion Wizard s automatic detection then 1 Disconnect the power cord from the Firewall 2 Wait at least 5 seconds 3 Reconnect the power cord 4 Point your browser at the Firewall 5 Follow the instructions...

Page 41: ...lation Wizard Using an IP Address provided by a PPPoE Server One IP address is provided by the PPPoE server This is taken by the WAN port Network Address Translation NAT will be enabled Using a Static...

Page 42: ...first is unavailable or is unable to answer your query 4 Click the Next button to proceed to the final part of the configuration See Configuring LAN Settings on page 44 Using Multiple Static IP Addres...

Page 43: ...by your ISP 3 WAN Gateway Router Address Enter the IP address of your route or internet access device This must be in the same address range as the WAN IP Address 4 DNS Server Address Enter the IP ad...

Page 44: ...ynamic IP address DHCP option and click the Next button If a DHCP server is detected the Firewall will obtain its IP address automatically and will enable NAT for all devices connected to the LAN port...

Page 45: ...you are not using NAT this screen will not appear as these settings will be the same as the WAN settings Figure 16 Configuring LAN Settings Choose an IP address for the LAN port of your Firewall and...

Page 46: ...ate The addresses you set must be contained entirely within your LAN subnet and must be currently unused Click the Next button to continue The Firewall will now review its settings See Confirming Fire...

Page 47: ...iguration of the Firewall click the Back button If you want to configure the Firewall manually Click the Cancel button to lose the changes made by the Installation Wizard or Click the Next Button cont...

Page 48: ...plete the configuration of the Firewall using the Installation Wizard The Firewall will take under a minute to restart during which time the Power Self test LED will flash When the Power Self test LED...

Page 49: ...etting up Web Filtering Chapter 6 Using the Firewall Diagnostic Tools Chapter 7 Setting a Policy Chapter 8 Advanced Settings Chapter 9 Configuring Virtual Private Network Services Chapter 10 Configuri...

Page 50: ...50 DUA1611 0AAA02 book Page 50 Thursday August 2 2001 4 01 PM...

Page 51: ...for another role Chapter 5 Setting up Web Filtering describes the functions available in the Filter menu of the Web interface These functions allow you to control the access your users have to informa...

Page 52: ...available in the VPN menu of the Web interface These functions enable you encrypt and authenticate external access to your Firewall Chapter 10 Configuring High Availability describes the functions ava...

Page 53: ...nistrator Password From the General screen select Set Password A window similar to that in Figure 22 displays If you are setting the password for the first time the default password is password Change...

Page 54: ...x at the top of the screen If you cannot find your time zone in the list you should set this to the one with the same offset from GMT as is used at your location Use NTP Network Time Protocol to set t...

Page 55: ...Universal Time Co ordinated UTC time UTC is the standard time common to all places in the world It is also commonly referred to as Greenwich Mean Time or World Time Many ISPs require firewall logs to...

Page 56: ...Choose NAT Enabled if you want to use a single IP address for accessing the Internet or if you do not have an IP address allocated by your ISP for each machine that requires access to the Internet NA...

Page 57: ...h PPPoE Client if your Internet connection for the Firewall WAN IP Address is to be obtained from a remote PPPoE server Specifying the LAN Settings For the LAN settings specify Firewall LAN IP Address...

Page 58: ...ter the value specified by your ISP WAN DMZ Subnet Mask This value is automatically set to the LAN Subnet Mask for the Firewall unless PPPoE is selected For PPPoE enter the value specified by your ISP...

Page 59: ...prevents users from reaching servers intended for public access such as a Web or e mail server which are crucial for effective Internet use In order to allow such services the Firewall comes with a sp...

Page 60: ...dress Obtain these IP addresses from your ISP Usually the ISP can also supply information on setting up public Internet servers Click the Update button to save your changes To delete an address or ran...

Page 61: ...manual addressing is used on the LAN computers Lease Time This is the amount of time that the IP address is leased or given to the client machine before the DHCP server attempts to renew that address...

Page 62: ...CP client you can select the Set DNS Servers by Internet Firewalls DHCP Client to have these fields set automatically Dynamic Ranges When a client makes a request for an IP address the Firewall s DHCP...

Page 63: ...requesting client type an IP address and the Ethernet MAC address of the client machine in the appropriate boxes and click Update Delete Static To remove a static address select it from the scrolling...

Page 64: ...Service DNS is an internet service which allows users to enter an easily remembered host name such as www 3Com com instead of numerical IP addresses to access Internet resources The Firewall has a DN...

Page 65: ...e Firewall s DNS Name Lookup tool to find the IP address of a host Ping The Ping tool bounces a packet off a machine on the Internet back to the sender This test shows if the Firewall is able to conta...

Page 66: ...name such as www 3Com com 3 Click Refresh to display the packet trace information 4 Click Stop to terminate the packet trace and Reset to clear the results Technical Support Report The Tech Support R...

Page 67: ...e appropriate tab This following sections are covered in this chapter Changing the Filter Settings Filtering Web Sites using a Custom List Updating the Web Filter Blocking Websites by using Keywords F...

Page 68: ...heck the checkbox corresponding to that category ActiveX ActiveX is a programming language that is used to embed small programs in Web pages It is generally considered an insecure protocol to allow in...

Page 69: ...selected the Firewall logs and blocks access to all sites on the Web Site Filter custom and keyword lists Log Only When selected the Firewall logs and then allows access to all sites on the Web Site F...

Page 70: ...he Web Site Filter Custom Sites and Keywords Consent and Restrict Web Features such as ActiveX Java cookies and Web Proxy are not affected Always Block When selected Internet Filtering is always activ...

Page 71: ...allows www 3Com com my support 3com com shop 3com com and so forth Up to 256 entries are supported in the Trusted Domains list Click Update to send the update to the Firewall Forbidden Domains To blo...

Page 72: ...n a site is blocked When a user attempts to access a site that is blocked by the Web Site Filter a message is displayed on their screen The default message is Web Site Blocked by 3Com SuperStack 3 Fir...

Page 73: ...difficult to add and maintain the numerical addresses of every server in the pool Many sites included in the Web Site Filter regularly change the IP address of the server to try to bypass the Web Site...

Page 74: ...le in the event of the Filter List expiring or a download failing See Setting up Trusted and Forbidden Domains on page 71 for more information Allow traffic to all websites Select this option to provi...

Page 75: ...se caution when enabling this feature For example blocking the word breast may stop access to sites on breast cancer as well as objectionable or pornographic sites To enable this function check the En...

Page 76: ...sroom or library time limits are often imposed You can set up the Firewall to remind users when their time has expired by displaying the page defined in the Consent page URL box Type the time limit in...

Page 77: ...for filtered access and the link for unfiltered access are case sensitive Enter the URL of the page you have created in the When entering these addresses you should not enter http before the address C...

Page 78: ...tFilter html If you have changed the IP address or the Firewall use the IP Address of the Firewall instead of 192 168 1 254 Click the Update button to save your changes The link for filtered access is...

Page 79: ...he Firewall Configuration File Upgrading the Firewall Firmware Logs and Alerts The Firewall maintains an event log which contains events that may be security concerns You can view this log with a brow...

Page 80: ...t in Figure 34 displays Figure 34 View Log Window The log is usually displayed as a list in a table but may appear differently depending on the browser used You may have to adjust the browser s font s...

Page 81: ...r Newsgroup blocked The LAN IP and Ethernet addresses of a machine that attempted to connect to the blocked site or newsgroup is displayed In most cases the name of the site which was blocked will als...

Page 82: ...the source of the attack Varying conditions on the Internet can produce conditions which may cause the appearance of an attack even when no one is deliberately attacking one of the machines on the LAN...

Page 83: ...page 92 for more information If there is a new software release an e mail notification is sent to this address Send Alerts To Alerts are events such as an attack which may warrant immediate attention...

Page 84: ...rver field Click the Update button on the right of the browser window and restart the Firewall for changes to take effect E mail Log Now Immediately sends the log to the address in the Send Log To box...

Page 85: ...ctivity such as administrator logins automatic loading of Web Site Filters activation and restarting the Firewall are generated This is enabled by default System Errors When enabled log messages showi...

Page 86: ...g messages showing Ethernet broadcasts ARP resolution problems ICMP redirection problems and NAT resolution problems are generated This category is intended for experienced network administrators This...

Page 87: ...ccessed Web sites Top 25 users of bandwidth by IP address Top 25 services that consume the most bandwidth Click Log and then select the Reports tab A window similar to that in Figure 36 displays Figur...

Page 88: ...e Web Site Hits report to ensure that the majority of Web access is to sites considered applicable to the primary business function If leisure sports or other similar sites are on this list it may sig...

Page 89: ...Firewall To restart the Firewall 1 Click Tools and select the Restart tab A window similar that in Figure 37 displays Figure 37 Restart Window 2 Click Restart SuperStack 3 Firewall 3 Click Yes to con...

Page 90: ...to save and restore the configuration settings of the Firewall Click Tools and then select the Configuration tab A window similar to that in Figure 38 displays Figure 38 Configuration Window Use the...

Page 91: ...sing Export You may need to set File type to to be able to see the exp file you exported 3 Once you have selected the file click Import 4 Once the file transfer has completed the status at the bottom...

Page 92: ...g Factory Default Settings Click Restore to clear all configuration information and restore the Firewall to its factory state Clicking Restore will not change the Firewall s LAN IP Address LAN Subnet...

Page 93: ...re the Firewall to send an e mail notification to the address in the Send log to box Click Tools and then select the Upgrade tab A window similar to that in Figure 41 displays To be notified automatic...

Page 94: ...ile you have downloaded from the 3Com FTP site to a local hard drive or server on the LAN 4 Click Upload to begin the upload Make sure that your Web browser supports HTTP uploads When uploading the fi...

Page 95: ...ay it may result in the Firewall not responding to attempts to log in If your Firewall does not respond see Chapter 12 Troubleshooting Guide 5 Restart the Firewall for the changes to take effect DUA16...

Page 96: ...96 CHAPTER 6 USING THE FIREWALL DIAGNOSTIC TOOLS DUA1611 0AAA02 book Page 96 Thursday August 2 2001 4 01 PM...

Page 97: ...n the appropriate tab This following sections are covered in this chapter Changing Policy Services Adding and Deleting Services Editing Policy Rules Updating User Privileges Setting Management Method...

Page 98: ...ers of that type on the Internet The default value is enabled When the Warning Icon is displayed to the right of the check box there is a Custom Rule in the Rules tab section that modifies the behavio...

Page 99: ...otocol type 0 0 0 0 in the box Changing NetBIOS Broadcast Settings Systems running Microsoft Windows Networking communicate with one another through NetBIOS broadcast packets By default the Firewall b...

Page 100: ...Point to point Tunneling Protocol PPTP and IPSec are forms of VPN that allows data to pass through the Firewall without termination In some cases passing large amounts of data through the Firewall can...

Page 101: ...icates the IP port number which defines the service either TCP Port UDP Port or ICMP Type The second number indicates the IP protocol type 6 for TCP 17 for UDP or 1 for ICMP There may be more than one...

Page 102: ...If you create multiple entries with the same name they are grouped together as a single service and may not function as expected Disabling Screen Logs You can disable the log of events which is usuall...

Page 103: ...he Internet Use extreme caution when creating or deleting Network Access Rules Network Access Rules do not disable protection from Denial of Service attacks such as SYN Flood Ping of Death or LAND How...

Page 104: ...dress range Action The Action for a rule can be set to either Allow or Deny traffic across the Firewall For security reasons common protocols are often denied and more specific rules created to descri...

Page 105: ...you want to edit Clicking on the icon will bring up the Edit Rule window where you can make the changes you need In the Edit Rule window To save your changes click Update To leave the Edit Rule window...

Page 106: ...s The Firewall provides an authentication mechanism which gives authorized users access to the LAN from remote locations on the Internet as well as a means to bypass the Internet filtering and blockin...

Page 107: ...names of friends family pets places and so on Good passwords can be created by Making up nonsense words such as dwizdell Including non alphanumeric ASCII characters in words such as so n c Passwords...

Page 108: ...pting To establish an Authenticated Session you point your Web browser at the Firewall s LAN IP Address This process is identical to the administrator login A dialog box is displayed asking you for th...

Page 109: ...wser on the LAN network When operating in this mode no Security Association information is needed Remotely from the WAN interface allows you to manage your Firewall from a remote host When operating i...

Page 110: ...n the Authentication Key field An example of a valid authentication key is 1234567890ABCDEF1234567890ABCDEF 3 Click the Update button and then restart the Firewall for the change to take effect Using...

Page 111: ...if it can fulfill the requests by returning a locally stored copy of the requested information If not the proxy Completes the request to the server Returns the requested information to the user Saves...

Page 112: ...the network The Web Cache can be placed either on the WAN or the DMZ side of the Firewall The installation is the same as for a Proxy Server See below 1 Click Advanced and then select the Proxy Relay...

Page 113: ...Wizard or by selecting Device View System Caching Set Caching Mode from the Web interface c In the Port Number field enter the number 8080 this is the default value d Do not configure Web Site Blocki...

Page 114: ...rs in the Student Computer Lab Similarly an organization s accounting research or other sensitive resources may be protected against unauthorized access by other users on the same network By default p...

Page 115: ...he network Devices connected to the WAN port do not have firewall or Web Site Filter protection It is advised that you use another Firewall to protect these computers 3 Connect the power cord to the b...

Page 116: ...number of machines with restricted access rather than the larger number of machines on the corporate network Using the exclusive method you specify the IP addresses of the machines connected to the F...

Page 117: ...to 192 168 23 100 type the starting address in the From Address box and the ending address in the To Address box To specify an individual address type it in the From Address box only You can specify u...

Page 118: ...r To configure static routes click Advanced and then select the Static Routes tab A window similar to that in Figure 54 displays Figure 54 Static Routes Window R 1 R 2 F S S D e s i g n N e t w o r k...

Page 119: ...nal addresses to internal addresses hidden by NAT Machines with an internal address may be accessed at the corresponding external valid IP address To create this relationship between internal and exte...

Page 120: ...6 for details Figure 55 One to One NAT Window Table 4 Address Correspondence in One to One NAT LAN Address Corresponding WAN Address Accessed Through 192 168 1 1 209 19 28 16 Inaccessible Firewall WAN...

Page 121: ...ge Begin box This address is assigned by the ISP Range Length Type the number of IP addresses for the range The range length may not exceed the number of valid IP address You can add up to 64 ranges T...

Page 122: ...122 CHAPTER 8 ADVANCED SETTINGS DUA1611 0AAA02 book Page 122 Thursday August 2 2001 4 01 PM...

Page 123: ...tab This following sections are covered in this chapter Editing VPN Summary Information Configuring a VPN Security Association Configuring the Firewall to use a RADIUS Server Using the Firewall with C...

Page 124: ...Firewall CAUTION The Unique Firewall Identifier must be different for each Firewall within your network as VPN connections may refer to Firewalls by name Enable VPN To enable VPN connections check the...

Page 125: ...Security Associations SAs that have been created in the VPN Configure window The Name listed in the summary table links to the corresponding VPN configuration A Renegotiate button will appear next to...

Page 126: ...ick the Update button to save your changes To delete a SA click the drop down box labelled Security Associations and select the SA you want to delete Click the Delete button to delete the SA The Group...

Page 127: ...tting up a SA for VPN clients which do not have a fixed IP address Security Policy The options in the Security policy area of the screen relate to the current Security Association being created modifi...

Page 128: ...when the keys are renegotiated a low value short time will increase security but may cause inconvenience The default value for the SA Life time secs field is 28800 seconds 8 hours Enter the number 28...

Page 129: ...d when Manual Keying is employed These fields do not appear when using IKE as your IPSec Keying Mode Encryption Method The Firewall supports seven encryption methods for establishing a VPN tunnel Thes...

Page 130: ...Fast Encrypt ESP ARCFour uses 56 bit ARCFour to provide an encrypted VPN tunnel ARCFour is widely considered to be a secure encryption method Medium Medium Manual Key IKE Encrypt for Check Point ESP D...

Page 131: ...n the value stated above it will be rejected by the Firewall If it is longer than stated then the number will be truncated and the stated number of digits used The Encryption Key is only used when Man...

Page 132: ...ing a Network Range To edit a network range click of the icon of the pencil and paper next to the range you want to edit Change the range to the desired value and click the Update button Configuring t...

Page 133: ...ribed below If you have a backup or secondary RADIUS server on your network then repeat the process for the Secondary Server fields Name or IP Address Enter the DNS name or IP address of your RADIUS s...

Page 134: ...large network from internal threats Thus it is possible to have firewalls as portals and use Virtual Private Networks VPNs between the enterprise network and remote offices A VPN provides a secure enc...

Page 135: ...Press the OK button when finished 3 For easier management you should create a group and place all objects that are protected by the remote Firewall in that group a Press the New button and select the...

Page 136: ...on Key and SPI Key number must match the settings on the remote Firewall for the VPN to work 6 Now you must create a rule to allow the Check Point Firewall to exchange IPSEC packets with the remote Fi...

Page 137: ...heckbox 2 Enter a valid destination address range referring to the LAN behind Check Point Specify the Check Point s external address as the IPSec Gateway address 3 Select the Encryption Method Encrypt...

Page 138: ...US Server on page 132 4 If you do not have a RADIUS server or do not wish to use your RADIUS server to authenticate users ensure that the Require XAUTH RADIUS checkbox is not ticked 5 Set the SA Life...

Page 139: ...figuring the IRE VPN Client 1 Copy the previously saved export file created in Setting up the GroupVPN Security Association to a floppy disk or to the hard drive of the client machine 2 Start the Safe...

Page 140: ...he Security Policy Editor, saving changes when prompted. 6. Delete the export file from the hard drive if it was previously copied there. The client is now set up to access your network safely across the...

Page 141: ...walls together as a pair. Although only one Firewall will function at a time, the second will automatically take over from the first in the event of a failure. Before attempting to configure two Firewall...

Page 142: ...Do not mix the LAN, DMZ and WAN networks when connecting the Firewalls together, as this will compromise the security of your network. All Firewall ports being used must be connected together with a hub...

Page 143: ...ewall's serial number and network settings. The bottom half of the window is used to configure High Availability. 1. To enable High Availability, check the Enable High Availability box. 2. Enter the Serial...

Page 144: ...artbeats respectively, the backup Firewall will take over from the primary Firewall after 10 seconds in the event of a failure in the primary Firewall. 6. Click the Update button. Once the Firewall has be...

Page 145: ...ton on the left side of the browser window and then click the Status tab at the top of the window. Both the firmware version and the Firewall serial number are displayed at the top of the window. In the...

Page 146: ...elow. High Availability Status Window: One method to determine which Firewall is active is to check the High Availability status page for the High Availability pair. To view the High Availability status...

Page 147: ...mary Firewall to send e-mail alerts, you will receive an alert e-mail when there is a change in the status of the High Availability pair, for example when the backup Firewall takes over from the primary...

Page 148: ...may be accomplished by disconnecting the active Firewall's LAN port, by shutting off power on the currently active unit, or by restarting it from the Web interface. In all of these cases, heartbeats from...

Page 149: ...ION: If the Preempt Mode checkbox has been checked for the primary Firewall, the primary unit will take over operation from the backup unit after the restart is complete. DUA1611 0AAA02 book Page 149 Thu...


Page 151: ...III ADMINISTRATION AND TROUBLESHOOTING. Chapter 11: Administration and Advanced Operations. Chapter 12: Troubleshooting Guide...


Page 153: ...ided so Internet access can be tailored to the needs of the organization. Just like the Custom List and filtering by Keywords (see Chapter 8), access to these sites can be enabled or disabled. The 3Com Web...

Page 154: ...ote: The Partial Nudity and Full Nudity categories do not include sites containing nudity or partial nudity of a non-prurient nature, for example web sites for publications such as National Geographic o...

Page 155: ...mely aggressive and combative behavior, or advocacy of unlawful political measures. Topics include groups that advocate violence as a means to achieve their goals. Includes how-to information on weapons...

Page 156: ...ental are not in this category. For further details refer to http://www.cyberpatrol.com. Activating the Web Site Filter: When you register the Firewall, you will be given 30 days free subscription to the We...

Page 157: ...List which computers on the Internet will be affected. The more specific the better. For example, if traffic is being allowed from the Internet to the LAN, it is better to allow only certain machines on t...

Page 158: ...are IP address restrictions on the source of the traffic, such as keeping competitors off the company's Web site, type the starting and ending IP addresses of the range in the Addr Range Begin and Addr...

Page 159: ...access to NNTP servers on the Internet. 1. For the Action, choose Deny. 2. From the Service list, choose NNTP. If the service is not listed in the menu, add it in the Add Service window. 3. Select LAN from the...

Page 160: ...ss of the ISP's network in the Source Addr Range Begin box and the network's ending IP address in the Source Addr Range End box. 5. Select WAN from the Destination Ethernet list. 6. Since the intent is to...

Page 161: ...servers and routers, and can also be used to read any file on the system if set up incorrectly. X Windows (6000): This can leak information from X window displays, including all keystrokes. DNS Domain Names...

Page 162: ...set your Firewall to factory default settings and can access the Web interface of the Firewall successfully, 3Com recommends that you use the Restore Factory Defaults command described on page 187. Howe...

Page 163: ...ps flashing and the Alert LED is illuminated continuously, indicating that the unit has been reset and the firmware erased. Reloading the Firmware: Even when the firmware has been erased, you can use a ba...

Page 164: ...assword is password. Once you have logged into the Web interface, you may upload your saved settings file as described in Configuration on page 185. Note that the administrator password is not uploaded a...

Page 165: ...gement station from the local Ethernet network. 2. Attach the Firewall directly to the management station. To do this, connect a cable from the Ethernet port on the management station to the LAN Port of t...


Page 167: ...Technical Support. First try the following: Make sure that all equipment is switched on. Switch off the Firewall, wait approximately 5 seconds, and then switch it back on. Wait for the Power LED to stop fl...

Page 168: ...ernative position. Ethernet Connection is Not Functioning: If the Ethernet connection does not work, try the following: Check the physical connections to make sure they are secure. Try replacing the cable...

Page 169: ...ternet router connected to the WAN port, they are not accessible to users on the LAN. To see if the problem is outside the Firewall, disconnect the Firewall and try to access the Internet. Try restarting...

Page 170: ...MP OAK AG SA KE NON ID VID New connection message not received Retransmitting: This means the VPN client cannot contact the Firewall, either because the VPN client is misconfigured or the Internet Servi...

Page 171: ...remote users from changing the VPN client policy. Click No to permit remote user configuration. Then name the security policy database file spd and save it to a local folder or to a floppy disk. Import...

Page 172: ...using PPPoE without a Firewall is that the ISP requires the customer to have a PPPoE account for each computer attempting to access the Internet. The Firewall is able to manage PPPoE connections, elimi...

Page 173: ...IV FIREWALL AND NETWORKING CONCEPTS. Chapter 13: Types of Attack and Firewall Defences. Chapter 14: Networking Concepts...


Page 175: ...t its vulnerabilities to crash any server at will. Denial of Service attacks work by exploiting weaknesses in TCP/IP, exploiting weaknesses in your servers, or by generating large amounts of traffic, brut...

Page 176: ...accept any more connections and will be unresponsive. Firewall Response: The connection request will be completed by the Firewall and the connection monitored to check if data is sent. If no data is sen...

Page 177: ...Firewall will drop any spoofed packets, log the event, and alert the administrator. Trojan Horse Attacks: Trojan Horse attacks rely on a piece of software installed within your network prior to the attack...


Page 179: ...Transmission Control Protocol. In TCP/IP, TCP works with IP to ensure the integrity of the data traveling over the network. TCP/IP is the protocol of the Internet. IP Addressing: To become part of an IP ne...

Page 180: ...P addresses provide for varying levels of interchanges, or subnetworks, and extensions, or device numbers. The classes are based on estimated network size. Class A: used for very large networks with hundred...

Page 181: ...bnet mask of 255.255.255.0 results in a sub-network number of 123.45.67.0 and a device number of 89. The IP address numbers that are valid to use are those assigned by InterNIC; this prevents someone se...

Page 182: ...N which have not been assigned to you by your Internet Service Provider, it is a good idea to use addresses in a special range allocated for this purpose. The following three blocks of IP address space...

Page 183: ...provides a dynamic, “leased” address to a DHCP client. This means that the client will be able to use the provided IP address for a certain period of time. The DHCP server will not give this address to a d...

Page 184: ...nge for the assigned ports managed by the IANA has been expanded to the range 0-1023. Registered Port Numbers: The Registered Ports are not controlled by the IANA and on most systems can be used by ordi...

Page 185: ...ssor. The data is delivered via the Web and decrypted at the intended destination. The SuperStack 3 Firewall VPN implementation uses the IPSec VPN standard. This guarantees compliance with other VPN prod...

Page 186: ...mmon terms and expressions used in VPN. VPN Tunnel: Tunnelling is the encapsulation of point-to-point transmission inside IP packets. A VPN Tunnel is a term that is used to describe a connection between two...

Page 187: ...by trusted organizations. Once a key has been generated, the user must register his or her public key with a central administration called a Certifying Authority (CA). Organizations such as RSA Data Securi...

Page 188: ...nications with secure Web Sites using the SSL protocol. Many banks use a 40-bit key ARC4 for online banking, while others use a 128-bit key. 3Com's implementation of ARCFour uses a 56-bit key. ARCFour is...

Page 189: ...will not be accepted by the Firewall when entered as an SPI; an error message will be displayed at the bottom of the Web browser window when the Update button is pressed. Security Association (SA): A Secur...


Page 191: ...ix A: Safety Information. Appendix B: Technical Specifications and Standards. Appendix C: Cable Specifications. Appendix D: Technical Support. Index. Regulatory Notices...


Page 193: ...safety information carefully before you install or remove the unit. WARNING: Exceptional care must be taken during installation and removal of the unit. WARNING: To ensure compliance with international s...

Page 194: ...rer eigenen Sicherheit befolgen müssen. All instructions must be followed carefully. VORSICHT: Sie müssen die folgenden Sicherheitsinformationen sorgfältig durchlesen, bevor Sie das Gerät installieren od...

Page 195: ...dürfen an diese Datensteckdosen angeschlossen werden. Important Safety Instructions. WARNING: Les avertissements présentent des consignes que vous devez respecter pour garantir votre sécurité per...

Page 196: ...ution des problèmes dans ce guide, contacter votre fournisseur. WARNING: Unplug the power adapter before removing this unit. WARNING: RJ-45 access points. Ceux-ci sont protégés par...

Page 197: ...ding or 19in rack mounting using the mounting kit supplied. Capacity: Maximum Number of Simultaneous IP Connections: 30,000. Maximum Number of Security Associations: 1,000. Maximum Number of VPN Tunnels: 1 9...

Page 198: ...n Safety: UL1950, EN 60950, CSA 22.2 950, IEC 950. EMC: EN55022 Class A, EN 50082-1, FCC Part 15 Class A, ICES-003 Class A, VCCI Class A, EN 55024, CNS 13438 Class A. Environmental: EN 60068 (IEC 68). Power Inlet...

Page 199: ...used for Ethernet and Fast Ethernet. Figure 66: Connecting the Firewall to a hub or switch using a straight-through cable. Figure 67: Connecting the Firewall to a Network Interface Card using a straight-t...

Page 200: ...pose. Figure 68: Connecting the firewall to a hub or switch using a crossover cable. Figure 69: Connecting the firewall to a network interface card using a crossover cable. [Pinout figure: TxD, RxD; pins 1, 2, 3, 6; pins 4, 5...]

Page 201: ...n World Wide Web site, enter this URL into your Internet browser: http://www.3com.com. This service provides access to online support information such as technical documentation and software, as well as sup...

Page 202: ...maintenance, application training and support services. When you contact your network supplier for assistance, have the following information ready: Product model name, part number and serial number. A list...



Page 207: ...24 automatic LAN settings 44 automatic WAN settings 39 B bandwidth usage by IP address 88 by service 88 blocking categories 69 81 broadband modems 25 C cable specifications 199 Categories tab 67 cloc...

Page 208: ...positioning 28 purpose 19 quick setup 35 uses 19 firewall security 21 Firewall moving 35 firmware e mail notification 93 loading 93 lost 162 reloading 163 uploading 93 forbidden domains 71 front pane...

Page 209: ...ual WAN settings 40 maximum idle time 76 web usage option 76 MIBs 202 moving your Firewall 35 N NAT 14 119 overview 24 network addressing mode 56 network access rules 23 103 creating 157 examples 159...

Page 210: ...features 68 returning products for repair 204 routes adding 119 specifying static 117 rubber feet 29 rules creating 103 S safety information 193 sample network diagram 32 saving configuration 90 scree...

Page 211: ...uploading firmware 93 URL 201 registration 16 URLs forbidden 23 trusted 23 user inactivity timer 107 privileges 23 106 remote access 24 settings authentication 106 users advanced 23 deleting 108 Inte...


Page 213: ...eceiver. Plug the equipment into a different outlet so that equipment and receiver are on different branch circuits. If necessary, the user should consult the dealer or an experienced radio/television te...
