WatchGuard Technologies WatchGuard SOHO and SOHO | tc manual Allowing incoming services


Allowing incoming services


By default, the security stance of the SOHO is to deny unsolicited incoming packets to computers on the private network protected by the SOHO firewall. You can, however, selectively open your network to certain types of Internet connectivity. For example, if you would like to set up a Web server behind the SOHO, you can add an incoming Web service.

It is important to remember that each service you add opens a small window into your private network and marginally reduces your security. This is the inherent trade-off between access and security.

Network address translation

All incoming connections through a SOHO automatically use a feature called dynamic network address translation (dynamic NAT). Without dynamic NAT, your internal, private addresses would not be passed along the Internet to their destination.

Furthermore, the SOHO protects your internal network by disguising private IP addresses. During an Internet connection, all traffic passed between computers includes their IP address information. However, due to the dynamic NAT feature, applications and servers on the Internet only see the public, external IP address of the SOHO itself and are never privy to the addresses in your private network address range when they exchange information with a computer behind your firewall.
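The default-deny stance, the address rewriting and the effect of adding an incoming Web service can be seen together in a small simulation. This is an added example, a simplified model and not WatchGuard code; the `NatFirewall` class, the public address `203.0.113.10`, the remote addresses and the port numbers are constructed for illustration, and only the private address 192.168.111.12 comes from this guide.

```python
# Added illustration: toy model of a NAT firewall's inbound decision.
# Every address except 192.168.111.12 is a constructed sample value.
from dataclasses import dataclass, field

PUBLIC_IP = "203.0.113.10"  # constructed stand-in for the external address

@dataclass
class NatFirewall:
    public_ip: str
    next_port: int = 40000
    sessions: dict = field(default_factory=dict)  # public port -> session tuple
    services: dict = field(default_factory=dict)  # public port -> private host

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite the private source to the public address; remember the mapping."""
        pub_port = self.next_port
        self.next_port += 1
        self.sessions[pub_port] = (src_ip, src_port, dst_ip, dst_port)
        return (self.public_ip, pub_port, dst_ip, dst_port)

    def allow_incoming(self, public_port, private_ip, private_port):
        """Open one window: forward a public port to a host on the private network."""
        self.services[public_port] = (private_ip, private_port)

    def inbound(self, src_ip, src_port, dst_port):
        """Return the private (ip, port) to deliver to, or None to drop the packet."""
        s = self.sessions.get(dst_port)
        if s and (s[2], s[3]) == (src_ip, src_port):
            return (s[0], s[1])            # reply to a connection started inside
        if dst_port in self.services:
            return self.services[dst_port]  # explicitly allowed incoming service
        return None                         # unsolicited packet: default deny

def demo():
    fw = NatFirewall(PUBLIC_IP)
    seen = fw.outbound("192.168.111.12", 51000, "198.51.100.7", 443)
    out = {
        "source_seen_by_server": seen[0],
        "reply": fw.inbound("198.51.100.7", 443, seen[1]),
        "web_before_rule": fw.inbound("198.51.100.99", 40123, 80),
    }
    fw.allow_incoming(80, "192.168.111.12", 80)  # add an incoming Web service
    out["web_after_rule"] = fw.inbound("198.51.100.99", 40123, 80)
    out["other_port"] = fw.inbound("198.51.100.99", 40123, 22)
    return out

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Only the port named in the added service starts accepting unsolicited traffic; every other inbound packet that does not belong to an existing session is still dropped.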

Imagine that you install a computer behind the SOHO with the private IP address 192.168.111.12. If this address were broadcast to the Internet, hackers could easily direct an attack on the computer itself. Instead, the SOHO converts the address automatically to the public, external address of the SOHO. When a hacker tries to

User Guide 2.3
