Manuals / Netopia / Computer Equipment / Network Router

Netopia 2200 Link Stateful Inspection, Stateful Inspection Firewall installation procedure, 140

Models: 2200

1 351

Download 351 pages 59.91 Kb

Page 140

Link: Stateful Inspection

All computer operating systems are vulnerable to attack from outside sources, typically at the operating system or Internet Protocol (IP) layers. Stateful Inspection ﬁrewalls intercept and analyze incoming data packets to determine whether they should be admitted to your private LAN, based on multiple criteria, or blocked. Stateful inspection improves security by tracking data packets over a period of time, examining incoming and outgoing packets. Out- going packets that request speciﬁc types of incoming packets are tracked; only those incoming packets constituting a proper response are allowed through the ﬁrewall.

Stateful inspection is a security feature that prevents unsolicited inbound access when NAT is disabled. You can conﬁgure UDP and TCP “no-activity” periods that will also apply to NAT time-outs if stateful inspection is enabled on the interface. Stateful Inspection param- eters are active on a WAN interface only if enabled on your Gateway. Stateful inspection can be enabled on a WAN interface whether NAT is enabled or not.

Stateful Inspection Firewall installation procedure

☛NOTE:

Installing Stateful Inspection Firewall is mandatory to comply with Required Services Security Policy - Residential Category module - Version 4.0 (speciﬁed by ICSA Labs)

For more information please go to the following URL: http://www.icsalabs.com/html/communities/ﬁrewalls/certiﬁcation/ criteria/Residential.pdf.

1.Access the router through the web interface from the private LAN.

DHCP server is enabled on the LAN by default.

2.The Gateway’s Stateful Inspection feature must be enabled in order to prevent TCP, UDP and ICMP packets destined for the router or the private hosts.

This can be done by navigating to Expert Mode -> Security -> Stateful Inspection.

140

Image 140

Netopia 2200 manual Link Stateful Inspection, Stateful Inspection Firewall installation procedure, 140

Contents

Netopia Software User Guide Copyright Table of Contents Expert Mode Security 146 Basic Troubleshooting Command Line Interface 221 Table of Contents Glossary Overview of Major Capabilities Index Introduction What’s NewAbout Netopia Documentation Intended AudienceCommand Line Interface Documentation ConventionsGeneral Internal Web InterfaceBold terminal type User-entered text face Organization Word About Example ScreensPage Basic Mode Setup Important Safety Instructions Power Supply InstallationBewahren Sie diese Anweisungen auf Wichtige SicherheitshinweiseAchtung Setting up the Netopia Gateway Microsoft WindowsThen go to Step Macintosh MacOS 8 or higher or Mac OS Proceed to Conﬁguring the Netopia Gateway on Conﬁguring the Netopia Gateway MiAVo Vdsl and Ethernet WAN models Quickstart Click the Connect to the Internet buttonPPPoE Quickstart Configuring the Netopia Gateway Netopia Gateway Status Indicator Lights Home Page Basic Mode DNS Link Manage My Account Link Status Details Link Enable Remote Management Link Expert Mode Link Update Firmware Link Factory Reset Accessing the Expert Web Interface Open the Web ConnectionPage Home Page Expert Mode Field Status and/or Description Home Page InformationSummary Information Dhcp Link Breadcrumb Trail ToolbarNavigating the Web Interface Restart Button RestartLink Alert Symbol Help Button HelpLink Quickstart ConﬁgureButton Conﬁgure Click Connect to the Internet Link LAN Configure Page Wireless supported models Privacy Configure Page Advanced Page About Closed System Mode Page Examples WPA Version AllowedMultiple SSIDs Wireless MAC Authorization Page Configure Use Radius Server Advanced Network Conﬁguration page appears Other WAN Options WAN IP InterfacesIP Gateway Available Encapsulation types Available Multiplexing typesSustained Cell Rate SCR Class Transmit Priority CommentsLink Advanced Link IP Static Routes IP Static Route Entry page appearsPage Link IP Static ARP Link PinholesTCP Tips for making Pinhole Entries Gateway Pinhole Conﬁguration Procedure. Use the following steps Page Configure Link IPMaps Ple static IPMaps Block Diagram Netopia Gateway WAN Interface LAN Interface192.168.1.1 192.168.1.2Link Default Server Internet Gateway NAT LAN STN #2Configure Page Link Differentiated Services Page QoS Setting TOS Bit Value Behavior Link DNS Link Dhcp ServerConfigure Link Radius Server Link Snmp Page Link Igmp Internet Group Management Protocol Page Configure Link UPnP 100Link LAN Management 101Link Advanced Ethernet Bridge 102Conﬁguring for Bridge Mode 103Enable Concurrent Bridging/Routing checkbox 104105 Link Vlan 106107 Vlan Port Conﬁguration screen appears Enable Multiple Wireless IDs on108 109 110 Link Syslog Parameters 111112 Administration Related Log Messages Log Event Messages113 System Log MessagesDSL Log Messages most common Access-related Log Messages114 115 Mented packet116 Link Internal ServersLink Software Hosting 117 List of Supported Games and Software118 FTPRename a UserPC 119Link Clear Options 120Link Time Zone 121122 SecurityButton Security Link Passwords 123124 Conﬁguring for a BreakWater Setting Link Firewall125 Use a Netopia Firewall126 Basic Firewall Background 127Tips for making your BreakWater Basic Firewall Selection BreakWater Setting ClearSailing SilentRunning LANdLocked 128129 Link IPSec 130SafeHarbour IPSec VPN 131132 Conﬁguring a SafeHarbour VPNIPSec Tunnel Details Parameter Setup Worksheet 133134 Parameter Descriptions on page 136 as required135 Make the Tunnel Details entriesField Description 136Parameter Descriptions 137 PAT Address138 Soft MBytes139 140 Stateful Inspection Firewall installation procedureLink Stateful Inspection Exposed Addresses 141142 143 Stateful Inspection Options 144Port Protocol Description LAN Private WAN Public Interface Open Ports in Default Stateful Inspection Installation145 Firewall Tutorial General ﬁrewall termsBasic IP packet components 146Basic protocol types 147Example TCP/UDP Ports TCP Port Service Firewall design rules148 Firewall Logic149 Implied rules150 Example ﬁlter setFilter basics 151What it means Example networkExample Example ﬁlters152 153 Link Packet Filter 154155 What’s a ﬁlter and what’s a ﬁlter set?How ﬁlter sets work Filter priority How individual ﬁlters work156 Parts of a ﬁlter 157ﬁltering rule Port number comparisons 158Port numbers Putting the parts together 159Other ﬁlter attributes 160 Filtering example #1161 162 Filtering example #2163 An approach to using ﬁltersDesign guidelines 164 Working with IP Filters and Filter SetsAdding a ﬁlter set Adding ﬁlters to a ﬁlter set 165166 Netopia Router167 168 Enter the Source Mask for the source IP address169 Viewing ﬁltersDeleting a ﬁlter set 170Modifying ﬁlters Deleting ﬁltersAssociating a Filter Set with an Interface 171172 173 Policy-based Routing using FiltersetsTOS ﬁeld matching 174 175 176 Using the Security Monitoring LogLink Security Log 177 178 Timestamp Background179 InstallButton Install Link Install Software 180181 Required FilesNetopia ﬁrmware Image File Click the Install Software button 182183 Verify the Netopia Firmware ReleaseLink Install Keys Use Netopia Software Feature KeysObtaining Software Feature Keys Procedure Install a New Feature Key File185 To check your installed features 186187 Link Install Certiﬁcate 188189 190 Basic Troubleshooting 191Status Indicator Lights 192Action Ethernet193 Ethernet 1, 2, 3Wireless 194195 DSL Sync196 197 Special patterns198 LAN 1, 2, 3199 DSL SyncFront View 200LED Function Summary Matrix 201202 EN Link UnlitActive LinkFactory Reset Switch 2033397GP 2247NWG3347W/3357W 2240NAdvanced Troubleshooting 205Home 206207 Status of Connection208 Expert ModeButton Troubleshoot Link System Status 209Link Ports Ethernet 210Link Ports DSL 211Link IP Interfaces 212Link DSL Circuit Conﬁguration 213Link System Log Entire 214Link Diagnostics 215Link Network Tools 216217 218 If Ping is not successful, possible causes are219 220 Command Line Interface 221Overview 222Keywords Command Verbs Status and/or Description223 Starting and Ending a CLI Session LoggingEnding a CLI Session 224Using the CLI Help Facility About Shell CommandsSaving Settings Shell Command ShortcutsShell Commands Common CommandsDiagnose Download serveraddress ﬁlename conﬁrmDownload -cert serveraddress ﬁlename conﬁrm 227Install serveraddress ﬁlename conﬁrm License keyLoglevel level 228229 NetstatNetstat -r Reset arp Reset atmReset crash Reset dhcp serverReset ipmap Reset logReset security-log Reset wan-users all ip-addressShow features Show conﬁgShow crash Show dhcp agentShow ip igmp Show ip interfacesShow ip ipsec Show ip ﬁrewallShow wireless all Show wireless clients MACaddressShow log Show memory allUpload serveraddress ﬁlename conﬁrm View conﬁgWho 235WAN Commands Navigating the Config Hierarchy About Config CommandsConfig Mode Prompt Netopia-3000/9437188 top quit 238Entering Commands in Config Mode Set ip ethernet a ipaddressSet ip ethernet a 239Guidelines Config Commands Displaying Current Gateway SettingsStep Mode a CLI Conﬁguration Technique 240Validating Your Conﬁguration 241Config Commands DSL CommandsSet atm vcc n qos sustained-cell-rate 1 ...n Set atm vcc n qos max-burst-size 1 ...nSet atm vcc n vpi 0 Set atm vcc n vci 0Bridging Settings Set atm vccn pppoe-sessions 1Set bridge sys-bridge on off Set bridge concurrent-bridging-routing on offSet bridge table-timeout 30 Dhcp SettingsSet bridge ethernet option on off Set bridge dsl vccn option on offSet dhcp start-address ipaddress Set dhcp end-address ipaddressSet dhcp lease-time lease-time Set dhcp server-address ipaddressDMT Settings Set dmt wiringMode auto tipring AA1Set dmt metallic-termination auto disabled alwayson Set dmt autoConﬁg off onDomain Name System Settings Set dns proxy-enableSet dns domain-name domain-name Set dns primary-address ipaddressIgmp Settings Set igmp snooping off onSet igmp robustness value Set igmp query-intvl valueIP Settings Set ip arp-timeout 60Set ip option on off Set ip dsl vccn address ipaddressSet ip dsl vccn restriction admin-disabled none Set ip dsl vccn netmask netmaskSet ip dsl vccn addr-mapping on off Set ip dsl vccn rip-send off v1 v2 v1-compat v2-MD5Set ip dsl vccn rip-receive Off v1 v2 v1-compat v2-MD5 Set ip ethernet a option on offSet ip ethernet a address ipaddress Set ip ethernet a broadcast broadcastaddressSet ip ethernet a restrictions none admin-disabled Set ip ethernet a netmask netmaskSet ip ethernet a rip-send Off v1 v2 v1-compat v2-MD5 253Set ip ethernet a rip-receive off v1 v2 v1-compat v2-MD5 Set ip gateway option on offSet ip gateway interface ip-address ppp-vccn Set ip ip-ppp vccn option on offSet ip ip-ppp vccn restriction admin-disabled none Set ip ip-ppp vccn address ipaddressSet ip ip-ppp vccn peer-address ipaddress Set ip ip-ppp vccn addr-mapping on off256 Set ip ip-ppp vccn rip-send off v1 v2 v1-compat v2-MD5Set ip ip-ppp vccn rip-receive off v1 v2 v1-compat v2-MD5 Set ip static-arp ip-addressipaddress Set ip igmp-forwarding off onSet ip ipsec-passthrough off on 257Set ip prioritize off on Set diffserv option off onSet diffserv lohi-ratio 60 100 percent 258259 260 Set ip sip-passthrough on offSet ip static-routes destination-networknetaddress Delete ip static-routes destination-network netaddress 261IPMaps Settings Network Address Translation NAT Default SettingsSet nat-default host-hardware-address MACaddress Network Address Translation NAT Pinhole SettingsSet pinhole name name Set pinhole name name protocol-select tcp udpPPPoE /PPPoA Settings Set ppp module vccn mru integer Set ppp module vccn magic-number on offSet ppp module vccn protocol-compression on off Set ppp module vccn lcp-echo-requests on offSet ppp module vccn restart-timer integer Set ppp module vccn conﬁgure-max integerSet ppp module vccn terminate-max integer Set ppp module vccn connection-type instant-on always-onSet ppp module vccn port-authentication username username Set ppp module vccn port-authentication password passwordEthernet Port Settings Command Line Interface Preference SettingsSet preference more lines 268Port Renumbering Settings Set servers web-http 1Set servers telnet-tcp 1 269Security Settings Set security ipsec option off on offSet security ipsec tunnels name 270Set security ipsec tunnels name 123 tun-enable on on off 271Set security ipsec tunnels name 123 IKE-mode DH-group 1 1 2 272Set security ipsec tunnels name 123 xauth enable off on Set security ipsec tunnels name 123 xauth password passwordSet security ipsec tunnels name 123 nat-enable on off Set security ipsec tunnels name 123 xauth username username274 Set security ipsec tunnels name 123 local-id idvalueSet security ipsec tunnels name 123 remote-id idvalue 275 Set security state-insp tcp-timeout 30 276277 Set security state-insp udp-timeout 30Set security state-insp xposed-addr exposed-address# n Packet Filtering Settings 278279 280 281 Snmp Settings System Settings Set snmp notify type v1-trap v2-trap informSet system name name 283Set system idle-timeout telnet 1...120 http 1 Set system username administrator name user nameSet system log-size 10240 Set system persistent-log off on285 Set system password admin userSleep Contact-email string@domainname location string 286 287 Set system zerotouch option on offSet system zerotouch redirect-url redirection-URL Syslog 289 Set security state-insp eth B option onWireless Settings supported models 291 Set wireless mode both-b-and-g b-only g-onlySet wireless multi-ssid option on off 292 293 Set wireless no-bridging off onSet wireless tx-power full medium fair low minimal 294 Set wireless network-id privacy pre-shared-key stringSet wireless network-id privacy default-keyid Example 256bit key 295Example 40bit key 02468ACE02 Set wireless mac-auth option on off Set radius radius-name servernamestringSet radius radius-secret sharedsecret Set radius alt-radius-name servernamestring297 Set radius radius-port portnumberSet vlan name string 298 To make the Vlan vlan1 routable add the port lan-uplink299 Set upnp option on offSet dslf-lanmgmt option off on 300 301 Vdsl Settings 302Vdsl Parameter Defaults 303304 Vdsl Parameters Accepted Values305 Parameter306 Etsi M2 CAB307 308 309 310 Glossary 311312 313 314 315 316 Ethernet crossover cable. See crossover cable317 318 319 320 321 322 323 324 325 326 Description 327328 Software and protocolsAgency approvals 329North America InternationalManufacturer’s Declaration of Conformance 330331 Declaration for Canadian usersImportant Safety Instructions Australian Safety InformationTelecommunication installation cautions 332CFR Part 68 Information 333Electrical Safety Advisory 334Overview of Major Capabilities 335Wide Area Network Termination PPPoE/PPPoA Point-to-Point Protocol over Ethernet/ATMInstant-On PPP 336Simpliﬁed Local Area Network Setup Dhcp Dynamic Host Conﬁguration Protocol ServerDNS Proxy 337Diagnostics ManagementEmbedded Web Server 338Remote Access Control Password Protection339 Network Address Translation NATNetopia Gateway 340Netopia Advanced Features for NAT 341Internal Servers PinholesCombination NAT Bypass Conﬁguration Default Server342 VPN IPSec Pass Through 343IP-Passthrough 344 VPN IPSec Tunnel TerminationStateful Inspection Firewall SSL Certiﬁcate SupportIndex 345346 NAT 255, 262 347NTP 348349 350