Perle Systems 1700 manual Configure Firewall, Sample Firewall Application

Page 62

Applications

Configure Firewall

The P1705 & P1730 provide firewall security for restricting access between any two networks connected through the router. Firewalls are set up on a per-connection basis for the LAN and for each remote site. The direction of filtering is from the perspective of the router: incoming traffic flows from the network in question to the router, outgoing traffic flows from the router to the network. The direction of filtering may be set to incoming, outgoing, both or none. Once the direction of filtering for a connection has been set, holes may be created in the firewall to allow specified traffic through. Normally, the LAN firewall is used for restricting intranet traffic (connections within the corporate network) and remote site firewalls are used to limit access from less trusted sources, such as the Internet or dial-up ISDN links.

The following diagram shows a corporate head office network connected to the Internet with a router. There is also a branch office at a remote site connected with a leased link. The administrator at the corporate head office wishes to set up an IP firewall to allow everyone on the Internet to have access to the corporate FTP and Web servers and nothing else. The administrator also wishes to allow all of the TCP traffic from the branch office network to have access to the head office. Anyone in the corporation may have unrestricted access to the Internet.

Figure 2-13 Sample Firewall Application

[Diagram: the corporate head office network 195.100.1.0 (main FTP server 195.100.1.12, main Web server 195.100.1.20) and the branch office network 195.100.2.0 are joined through the router with firewall enabled; the same router also connects to the Internet (any other network, any IP address).]
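To make the direction-of-filtering model concrete, here is a small stateless simulation of the sample policy above. It is an added example, not Perle firmware or the P1705/P1730 configuration syntax. Assumptions not stated in the manual: the connections are named LAN, ISP and BRANCH; the 195.100.1.0 and 195.100.2.0 networks use /24 masks; the FTP server is reached on TCP port 21 and the Web server on TCP port 80; the Internet host addresses used in the checks are constructed from the 203.0.113.0/24 documentation range.

```python
"""Stateless model of a per-connection firewall with direction settings and
holes (added example; not the router's own implementation).
Assumptions: FTP on TCP/21, HTTP on TCP/80, /24 masks for the two corporate
networks, connection names LAN / ISP / BRANCH."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

INCOMING, OUTGOING, BOTH, NONE = "incoming", "outgoing", "both", "none"


@dataclass
class Hole:
    """A hole in a connection's firewall: traffic matching it is let through."""
    direction: str                   # INCOMING, OUTGOING or BOTH
    protocol: str                    # "tcp", "udp" or "any"
    src: ipaddress.IPv4Network       # source address + mask
    dst: ipaddress.IPv4Network       # destination address + mask
    dst_port: Optional[int] = None   # None = any destination port

    def matches(self, direction, protocol, src, dst, dst_port):
        return (self.direction in (direction, BOTH)
                and self.protocol in (protocol, "any")
                and src in self.src and dst in self.dst
                and (self.dst_port is None or self.dst_port == dst_port))


@dataclass
class ConnectionFirewall:
    """Firewall for one connection (the LAN or one remote site)."""
    name: str
    filtering: str                   # INCOMING, OUTGOING, BOTH or NONE
    holes: List[Hole] = field(default_factory=list)

    def allows(self, direction, protocol, src, dst, dst_port):
        # Direction is from the router's perspective: INCOMING is traffic from
        # this network into the router, OUTGOING is router -> this network.
        if self.filtering not in (direction, BOTH):
            return True                      # this direction is not filtered
        # Filtered direction: everything is blocked unless a hole matches.
        return any(h.matches(direction, protocol, src, dst, dst_port) for h in self.holes)


class Router:
    def __init__(self, connections):
        self.connections = {c.name: c for c in connections}

    def forward(self, ingress, egress, protocol, src, dst, dst_port=None) -> Tuple[bool, str]:
        """A packet arriving on `ingress` must pass that connection's incoming
        firewall, then the `egress` connection's outgoing firewall."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if not self.connections[ingress].allows(INCOMING, protocol, src, dst, dst_port):
            return False, f"dropped by incoming filter on {ingress}"
        if not self.connections[egress].allows(OUTGOING, protocol, src, dst, dst_port):
            return False, f"dropped by outgoing filter on {egress}"
        return True, "forwarded"


def net(s):
    return ipaddress.ip_network(s)


ANY = net("0.0.0.0/0")
HEAD_OFFICE, BRANCH = net("195.100.1.0/24"), net("195.100.2.0/24")   # /24 assumed

# The sample policy from the text, as direction settings plus holes.
sample_router = Router([
    # LAN: corporate users are unrestricted, so nothing is filtered here.
    ConnectionFirewall("LAN", NONE),
    # ISP remote site: filter what the Internet sends; only FTP and Web get in.
    ConnectionFirewall("ISP", INCOMING, [
        Hole(INCOMING, "tcp", ANY, net("195.100.1.12/32"), 21),   # main FTP server
        Hole(INCOMING, "tcp", ANY, net("195.100.1.20/32"), 80),   # main Web server
    ]),
    # Branch office: all TCP from 195.100.2.0 into the head office is allowed.
    ConnectionFirewall("BRANCH", INCOMING, [
        Hole(INCOMING, "tcp", BRANCH, HEAD_OFFICE),
    ]),
])

if __name__ == "__main__":
    # Constructed checks: 203.0.113.5 stands in for an arbitrary Internet host.
    for case in [("ISP", "LAN", "tcp", "203.0.113.5", "195.100.1.20", 80),
                 ("ISP", "LAN", "tcp", "203.0.113.5", "195.100.1.20", 23),
                 ("BRANCH", "LAN", "tcp", "195.100.2.7", "195.100.1.50", 445),
                 ("BRANCH", "LAN", "udp", "195.100.2.7", "195.100.1.50", 53),
                 ("LAN", "ISP", "tcp", "195.100.1.50", "203.0.113.5", 443)]:
        print(case, "->", sample_router.forward(*case))
```

Two design points worth noting. First, the model is stateless and encodes only the four requirements in the text; because the ISP connection filters the incoming direction with no hole for reply traffic, a stateless filter like this would also drop the Internet's replies to corporate-initiated sessions, which is exactly the kind of gap to check for when translating a written policy into per-direction rules. Second, the Web and FTP holes are pinned to single /32 destinations and single ports rather than the whole 195.100.1.0 network, so adding a new server to the LAN does not silently expose it.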

The following steps must be performed on the P1705 & P1730 to set up the firewall support as desired.
