Manuals / Billion Electric Company / Computer Equipment / Network Card

Billion Electric Company 30 user manual There are three major functions of IPSec

Models: 30

1 209

Download 209 pages 59.73 Kb

Page 160

There are three major functions of IPSec:

data authentication, integrity, and confidentiality as data is transferred across IP networks. IPSec provides data security at the IP packet level, and protects against possible security risks by protecting data. IPSec is widely used to establish VPNs.

There are three major functions of IPSec:

-Confidentiality: Conceals data through encryption.

-Integrity: Ensures that contents did not change in transit.

-Authentication: Verifies that packets received are actually from the claimed sender.

E.2.1 IPSec Security Components

IPSec contains three major components:

-Authentication Header (AH): Provides authentication and integrity.

-Encapsulating Security Payload (ESP): Provides confidentiality, authentication, and integrity.

-Internet Key Exchange (IKE): Provides key management and Security Association (SA) management.

These components are discussed below.

E.2.1.1 Authentication Header (AH)

The Authentication Header (AH) is a protocol that provides authentication and integrity, protecting data from tampering. It provides authentication of either all or part of the contents of a datagram through the addition of a header that is calculated based on the values in the datagram.

The AH can also protect packets from unauthorized re-transmission with anti-replay functionality. The presence of the AH header allows us to verify the integrity of the message, but doesn't encrypt it. Thus, AH provides authentication but not privacy. ESP protects data confidentiality. Both AH and ESP can be used together for added protection.

A typical AH packet looks like this:

160

Image 160

Billion Electric Company 30 user manual There are three major functions of IPSec, E.2.1.1 Authentication Header AH

Contents

BiGuard Version Release 7.01 FW1.06piBusiness Security Gateway SMB User’s Manual Updated March 28 Copyright Information BiGuard 30 User’s ManualDisclaimer TrademarksSafety Warnings Table of Contents Chapter 1 Introduction 1.3 Package ContentsChapter 2 Router Applications 1.1 Overview 1.2 Product HighlightsChapter 4 Router Configuration 3.1 Overview 3.2 Before You Begin 3.3 Connecting Your Router3.4 Configuring PCs for TCP/IP Networking 3.5 Factory Default Settings4.4 Configuration 4.3 Quick Start4.4.2.1 ISP Settings 4.4.2.2 Bandwidth Settings 4.4.2.3 WAN IP AliasChapter 5 Troubleshooting 4.5 Save Configuration To Flash 4.6 Logout5.1 Basic Functionality 5.2 LAN InterfaceAppendix A Product Specifications Appendix B Customer Support 5.4 ISP Connection 5.5 Problems with Date and Time5.6 Restoring Factory Defaults E.1 What is a VPN?E.2 What is IPSec? E.2.1.1 Authentication Header AHE.2.1 IPSec Security Components E.2.2 IPSec ModesAppendix H Router Setup Examples What is Quality of Service?H.7 VPN Configuration H.12 PPTP Remote Access by Windows XP1.1 Overview Chapter 1 Introduction1.2 Product Highlights 1.3 Package Contents BiGuard 30 iBusiness Security Gateway SMBWAN1 WAN2 Power Status1.3.2 Rear Panel RESET WAN2 WAN1 LAN 1.3.4 Cabling 2.1 Overview 2.2 Bandwidth Management with QoSChapter 2 Router Applications 2.2.1 QoS Technology2.2.2 QoS Policies for Different Applications VoIP Normal PCs Restricted PClow network latencies to function properly. If bandwidth is being used by other applications such as an FTP server, users using VoIP will experience network lag and/or service interruptions during use. To avoid this scenario, this network has assigned VoIP with a guaranteed bandwidth and higher priority to ensure smooth communications. The FTP server, on the other hand, has been given a maximum bandwidth cap to make sure that regular service to both VoIP and normal Internet applications is uninterrupted policies for different PCs on the network. Policy based traffic shaping lets you better manage your bandwidth, providing reliable Internet and network service to your organization 2.2.6 Management by IP or MAC address 2.2.7 DiffServ DSCP Marking2.3 Outbound Traffic 2.2.8 DSCP Matching2.3.1 Outbound Fail Over 1st Connection ISP 2nd connection192.168.2.2 192.168.2.32.4 Inbound Traffic 2.4.1 Inbound Fail OverAfter Fail Over Before Fail Over2.4.2 Inbound Load Balancing 2.5 DNS Inbound Remote Access from InternetHTTP ISP ISP 2.5.1 DNS Inbound Fail OverAfter Fail Over Before Fail OverHeavy load on WAN Heavy load on WANDNS Request DNS Reply2.6 Virtual Private Networking In the example above, the client is making a DNS request. The request is sent to the DNS server of BiGuard 30 through WAN2 1. WAN2 will route this request to the embedded DNS server of BiGuard 30 2. BiGuard 30 will analyze the bandwidth of both WAN1 and WAN2 and decide which WAN IP to reply to the request 3. After the decision is made, BiGuard 30 will route the DNS reply to the user through WAN2 4. The user will receive the DNS reply with the IP address of WAN1 5. The browser will initiate an HTTP request to the WAN1 IP address 6. The HTTP request will be send to BiGuard 30’s URL Host Map 7. The Host Map will then redirect the HTTP request to the HTTP server 8. The HTTP server will reply 9. The URL Host Map will route the packet through WAN1 to the user 10. Finally, the client will receive an HTTP reply packet2.6.1 General VPN Setup BiGuard ClientAfter Fail Over Before Fail Over2.6.2 VPN Planning - Fail Over Before Fail Over BiGuard3.2 Before You Begin 3.1 OverviewChapter 3 Getting Started 3.3 Connecting Your Router 3.4 Configuring PCs for TCP/IP Networking 3.4.1 Overview3.4.2.1 Configuring 1. Select Start Settings Network Connections 3.4.2 Windows XP3. Select Internet Protocol TCP/IP and click Properties 5. Click OK to finish the configuration 3.4.2.2 Verifying Settings To verify your settings using a command prompt1. Click Start Programs Accessories Command Prompt 2. In the Command Prompt window, type ipconfig and then press ENTER1. Click Start Settings Network Connections To verify your settings using the Windows XP GUIAn IP address between 192.168.1.1 and A subnet mask of 3. Click the Support tab 3.4.3.1 Configuring 1. Select Start Settings Control Panel If you are using BiGuard 30’s default settings, your PC shouldHave an IP address between 192.168.1.1 and Have a subnet mask of Page 4. In the Local Area Connection window, click Properties 5. Select Internet Protocol TCP/IP and click PropertiesPage 3.4.3.2 Verifying Settings 7. Click OK to finish the configuration1. Click Start Programs Accessories Command Prompt If you are using BiGuard 30’s default settings, your PC should have 2. In the Command Prompt window, type ipconfig and then press ENTERAn IP address between 192.168.1.1 and A subnet mask of 3.4.4.1 Installing Components 3.4.4 Windows 98 / MeYou must have the following installed An Ethernet adapter TCP/IP protocol Client for Microsoft Networks If you need to install a new Ethernet adapter, follow these stepsa. Click Add b. Select Adapter, then Add If you need TCP/IP a. Click Add b. Select Protocol, then click Add c. Select Microsoft. Æ TCP/IP, then OK If you need Client for Microsoft Networks a. Click Addb. Select Client, then click Add 3.4.4.2 Configuring 1. Select Start Settings Control Panel3. Restart your PC to apply your changes Page Page 6. Click OK to apply the configuration 3.4.4.3 Verifying Settings To check the TCP/IP configuration, use the winipcfg.exe utility1. Select Start Run 2. Type winipcfg, and then click OK 3. From the drop-down box, select your Ethernet adapter3.5 Factory Default Settings A default gateway ofWeb Interface Username admin Password admin LAN Device IP Settings An IP address between 192.168.1.1 and A subnet mask ofIP address Subnet Mask 3.6 Information From Your ISPLAN Port WAN PortDHCP Static IP PPPoE PPTP Big Pond 3.6.2.1 Windows 1. Select Start Settings Control Panel2. Double-click the Network icon 4. Select Internet Protocol TCP/IP and click Properties Page server address automatically radio button 7. Click OK to save your changes3.7 Web Configuration Interface BiGuard 30 includes a Web Configuration Interface for easy administration via virtually any browser on your network. To access this interface, open your web browser, enter the IP address of your router, which by default is 192.168.1.254, and click Go. A user name and password window prompt will appear. Enter your user name and password the default user name and password are admin and admin to access the Web Configuration Interface4.1 Overview Chapter 4 Router Configuration4.2 Status 4.2.1 ARP Table4.2.2 Routing Table Sessions 4.2.5 IPSec Status 4.2.6 PPTP Status 4.2.7 Traffic Statistics4.2.8 System Log 4.2.9 IPSec Log4.3 Quick Start 4.3.1 DHCP4.3.2 Static IP 4.3.3 PPPoE4.3.4 PPTP 4.3.5 Big Pond4.4 Configuration RIP RIP v2 Broadcast and RIP v2 Multicast. Check to enable RIP Subnet Mask Enter the subnet mask 255.255.255.0 by defaultAddress Mapping 4.4.1.1 Ethernet 4.4.1.2 DHCP Server 4.4.1.3 LAN Address Mapping WAN IP AliasPlease click Create to create a LAN Address Mapping rule IP Alias 4.4.2.1 ISP Settings 4.4.2.1.1 DHCP 4.4.2.1.2 Static IP 4.4.2.1.3 PPPoE 4.4.2.1.4 PPTP Settings 4.4.2.1.5 Big Pond Settings 4.4.2.2 Bandwidth Settings 4.4.2.3 WAN IP Alias 4.4.3.1 General Settings 4.4.3 Dual WAN4.4.3.2 Outbound Load Balance 1. By session mechanism 2. By IP address hash mechanism Choose one by clicking the corresponding radio button4.4.3.3 Inbound Load Balance Admin. Mail Box The administrator’s email account.e.gadmin@abc.com Serial Number It is the version number that keeps in the SOA recordRefresh Interval The interval refreshes are done. Denoted in seconds Retry Interval The interval retries are done. Denoted in secondsTo add a host mapping URL to the list, click Create Domain Name The domain name of the local hostHost URL The URL to be mapped Private IP Address The IP address of the local host4.4.3.4 Protocol Binding Interface Choose which WAN port to use WAN1, WAN2 Source IP Range All Source IP Click it to specify all source IPsDestination IP Range All Destination IP Click it to specify all source IPs4.4.4.1 Time Zone 4.4.4.2 Remote Access Only the PC Please specify the IP Address that is allowed to access Allow Remote Access By4.4.4.3 Firmware Upgrade 4.4.4.4 Backup / Restore 4.4.4.6 Password 4.4.4.5 RestartClick Reset to reset to the default administration password admin 4.4.4.7 System Log Server4.4.4.8 E-mail Alert 4.4.5.1 Packet Filter When the entry is upper, the priority is higher Destination IP Select Any, Subnet, IP Range or Single Address Source IP Select Any, Subnet, IP Range or Single Address4.4.5.2 URL Filter URL Filtering You can choose to Enable or Disable this feature Domains Filtering Click the top checkbox to enable this feature. You can also choose to disable all web traffic except for trusted sites by clicking the bottom checkbox. To edit the list of filtered domains, click Details 4.4.5.3 LAN MAC Filter 4.4.5.4 Block WAN Request 4.4.5.5 Intrusion Detection 4.4.6.1 IPSec You can find two items under the VPN section IPSec and PPTP4.4.6.1.1 IPSec Wizard Connection Name A user-defined name for the connection Back Back to the Previous page Next Go to the next page Back Back to the Previous page Next Go to the next page Next Go to the next page Back Back to the Previous page Next Go to the next page Done Click Done to apply the ruleConfiguring a New VPN Connection 4.4.6.1.2 IPSec PolicyConnection Name A user-defined name for the connection interface if Auto is selected Any Local Address Will enable any local address on the network DPD Setting DPD, Dead Peer Detection Click Create to create a new PPTP VPN connection account Peer Encryption Mode Only Stateless or Allow Stateless and Stateful4.4.6.2 PPTP 4.4.7 QoS WAN1 Outbound Creating a New QoS Rule Bandwidth Type For IP Address4.4.8 Virtual Server For MAC Address4.4.8.1 DMZ 4.4.8.2 Port Forwarding Table 4.4.9 Advanced 4.4.9.1 Static Route 4.4.9.2 Dynamic DNS Wildcard Select this check box to enable the DYNDNS Wildcard Web Server Settings SNMP Access Control4.4.9.3 Device Management Device NameSNMP SNMP V1 and4.4.9.4 IGMP 4.4.9.5 VLAN Bridge 4.5 Save Configuration To Flash 4.6 LogoutChapter 5 Troubleshooting 5.1 Basic Functionality5.1.1 Router Won’t Turn On 5.1.2 LEDs Never Turn Off5.1.4 Forgot My Password 5.2.1 Can’t Access BiGuard 30 from the LAN5.2 LAN Interface 5.2.2 Can’t Ping Any PC on the LANCheck the corresponding LAN LEDs on your PC’s Ethernet device are on 4. Click OK under Internet Options to close the dialogue Disabling All Pop-ups Enabling Pop-up Blockers with ExceptionsIf you only want to allow pop-up windows with your BiGuard 5.2.3.1 Pop-up Windows4. Ensure that Scripting of Java applets is set to Enabled 5.2.3.3 Java Permissions5.3 WAN Interface 5.4 ISP Connection4. Click OK to close the dialogue If an IP address cannot be obtained 5.6 Restoring Factory Defaults 5.5 Problems with Date and TimeIf an IP address can be obtained, but your PC cannot load any web pages from the Internet Availability and Resilience Appendix A Product SpecificationsVirtual Private Network Content Filtering Quality of Service ControlNetwork Protocols and Features FirewallPhysical Specifications Power RequirementPhysical Interface Operating EnvironmentAppendix B Customer Support Contact BillionAppendix C FCC Interference Statement This device may not cause harmful interferenceD.1 Network Basics Appendix D Network, Routing, and Firewall BasicsD.1.1.1 Net mask D.1.1.3 Private IP Addresses D.1.1.2 Subnet Addressing10.0.0.0 172.16.0.0 192.168.0.0 from these ranges Routers can vary in performance and scale, the types of physical WAN connection they support, and the number of routing protocols supported. BiGuard 30 offers a convenient and powerful way for small-to-medium businesses to connect their networks D.2 Router BasicsD.3 Firewall Basics D.3.1.2 Denial of Service DoS AttackD.3.1.1 Stateful Packet Inspection With a LAN connected to the Internet through a router, there is a chance for hackers to access or disrupt your network. A simple NAT router provides a basic level of protection by shielding your network from the outside Internet. Still, there are ways for more dedicated hackers to either obtain information about your network or disrupt your network’s Internet access. Your BiGuard 30 provides an extra level of protection from such attacks with its built-in firewall E.1 What is a VPN? E.2 What is IPSec?Appendix E Virtual Private Networking VPNs are traditionally used three waysE.2.1.1 Authentication Header AH There are three major functions of IPSecE.2.1.2 Encapsulating Security Payload ESP ESP divides its fields into three components…E.2.1.3 Security Associations SA SA is identified by 3 parametersE.2.3 Tunnel Mode AH AH/ETC Dat AH/EESP Authentication Main Mode Aggressive ModeQuick Mode With PFS Quick Mode Without PFSF.1 IPSec Log Event Categories F.2 IPSec Log Event Tableencryption algorithm, hash algorithm, and authentication method encryption algorithm, hash algorithm, and authentication methodSending the third message of main mode. Done for authentication Received the third message of main mode. Done for authenticationSend Aggressive mode first Received Aggressive mode firstRejected IKE Messages IKE Negotiated Status MessagesReceived Delete SA payload Deleting ISAKMP State integer Main/Aggressive mode peer ID is identifier stringISAKMP SA Established IPsec SA Established G.2 What is Quality of Service? G.1 OverviewG.3 How Does QoS Work? Appendix G Bandwidth Management with QoSG.4 Who Needs QoS? G.4.1 Home UsersApplication Data Ratio %Priority ApplicationH.1 Outbound Fail Over Appendix H Router Setup ExamplesPage H.2 Outbound Load Balancing Step 2 Configure your WAN2 ISP settings and click Apply Step 6 Click Save Config to save all changes to flash memory H.3 Inbound Fail Over General Settings. Select the Fail Over radio buttonStep 2 Configure Fail Over options if necessary Step 4 From the same menu, set the WAN2 DDNS settings Step 5 Click Save Config to save all changes to flash memoryH.4 DNS Inbound Fail Over Before Fail OverAfter Fail Over 1st connectionEnable radio button and configure DNS Server 1 by clicking Edit Step 3 Input DNS Server 1 settings and click ApplyH.5 DNS Inbound Load Balancing Heavy load on WANHeavy load on WAN DNS RequestStep 3 Go to Configuration Dual WAN Inbound Load Balance Host URL Balance radio buttonStep 4 Next configure your HTTP mapping Mapping and configure your FTP mappingStep 5 Click Save Config to save all changes to flash memory H.6 Dynamic DNS Inbound Load Balancing Remote Access from Internetinbound and outbound bandwidth HTTPStep 2 Go to Configuration Dual WAN General Settings and enable Load Balance mode. You may then decide whether to enable Service Detection or not WAN1 Page H.7 VPN Configuration H.7.1 LAN to LANBranch Office Head OfficeLocal RemoteSingle client H.7.2 Host to LANHead Office H.8 IP Sec Fail Over Gateway to Gateway Before Fail OverAfter Fail Over ProposalPage Page H.9 VPN Concentrator BiGuardBranch A BiGuardand configure the and configure the Step 5 Click Save Config to save all changes to flash memory H.10 Protocol BindingBalancing radio button Step 2 Go to Configuration Dual WAN Protocol Binding and configure settings for WAN1 H.11 Intrusion Detection H.12 PPTP Remote Access by Windows XPInternet InternetStep2 Click Create to create a PPTP Account ApplyStep3 Click Apply, you can see the account is successfully created Step4 Click Save Config to save all changes to flash memory Step5 In Windows XP, go Start Settings Network ConnectionsStep6 In Network Tasks, Click Create a new connection, and press Next Step7 Select Connect to the network at my workplace and press NextStep8 Select Virtual Private Network connection and press Next Step9 Input the user-defined name for this connection and press NextStep10 Input PPTP Server Address and press Next Step11 Please press FinishStep12 Double click the connection, and input Username and Password that defined in BiGuard PPTP Account Settings H.13 PPTP Remote Access by BiGuard InternetInternet Branch OfficeStep2 Click Create to create a PPTP Account Step4 Click Save Config to save all changes to flash memoryStep3 Click Apply, you can see the account is successfully created Step6 Click Apply, and Save CONFIG