Chapter Security, Suggested security measures | Netopia R3100

Security 15-1

Chapter 15

Security

The Netopia R3100 provides a number of security features to help protect its conﬁguration screens and your local network from unauthorized access. Although these features are optional, it is strongly recommended that you use them.

This section covers the following topics:

■“Suggested security measures” on page 15-1, lists actions for blocking potential security holes.

■“User accounts,” beginning on page 15-2, shows you how to set up name/password combinations to protect the Netopia R3100’s conﬁguration screens.

■“Dial-in Console Access” on page 15-3

■“Telnet access” on page 15-4, shows you how to control access to the Netopia R3100 by those using the Telnet protocol.

■“About ﬁlters and ﬁlter sets,” beginning on page 15-4, and “Working with IP ﬁlters and ﬁlter sets,” beginning on page 15-12, have information on what ﬁlters are, how they work, how to customize them, and how to use them in sets. For information on IPX ﬁlters and ﬁlter sets, see “IPX ﬁlters,” beginning on page 15-22.

■“Firewall tutorial” on page 15-30

■“Token Security Authentication” on page 15-37

Suggested security measures

In addition to setting up user accounts, Telnet access, and ﬁlters (all of which are covered later in this chapter), there are other actions you can take to make the Netopia R3100 and your network more secure:

■Change the SNMP community strings (or passwords). The default community strings are universal and could easily be known to a potential intruder.

■Set the answer proﬁle so it must match incoming calls to a connection proﬁle.

■Use CallerID.

■Leave the “Enable Dial-in Console Access” option set to No.

■Where possible, insist on using PAP, CHAP, or secure authentication token card to authenticate connections to and from connection proﬁles.

■When using AURP, accept connections only from conﬁgured partners.

■In high risk areas, conﬁgure the Netopia R3100 through the serial console port to ensure that your communications cannot be intercepted.

Image 179

Netopia R3100 manual Chapter Security, Suggested security measures

Contents

Netopia R3100 Isdn Routers Part Number Contents Ii User’s Reference Guide Part II Advanced Configuration Iv User’s Reference Guide Aurp Vi User’s Reference Guide Part III Appendixes Viii User’s Reference Guide Contents User’s Reference Guide Conﬁguration options for your Netopia R3100 Isdn Router Small Ofﬁce connection to the Internet Small Ofﬁce connection to the Internet Direct Connection to a Corporate Ofﬁce Telecommuter Conﬁgured to accept incoming dial-up connections Conﬁgured for Idsl Part I Getting Started User’s Reference Guide Introduction Features and capabilitiesChapter Introduction Overview How to use this guide Making the Physical Connections Chapter Making the Physical ConnectionsFind a location What you need Identify the connectors and attach the cables Netopia R3100 Isdn Router Back Panel Ports Cable to your router on Services on Netopia R3100 LED front panel Netopia R3100 Isdn Router Status Lights Setting up your Router with the SmartStart Wizard Chapter Setting up your Router with the SmartStart Wizard Before running SmartStart SmartStart Wizard conﬁguration screens Setting up your Router with the SmartStart Wizard Easy option Easy or Advanced setup Setting up your Router with the SmartStart Wizard User’s Reference Guide Setting up your Router with the SmartStart Wizard User’s Reference Guide Advanced option Connection Proﬁle screen on Conﬁguration tab Dynamic conﬁguration recommended Static conﬁguration optional Add. Repeat this process for the secondary DNS TCP/IP Conﬁguring TCP/IP on Macintosh computers TCP/IP or MacTCP Dynamic conﬁguration using MacIP optional Setting up your Router with the SmartStart Wizard User’s Reference Guide Connecting Your Local Area Network Chapter Connecting Your Local Area Network Readying computers on your local network 10Base-T Connecting to an Ethernet network 10BASE-T Remote console Connecting to a LocalTalk network Wiring guidelines for PhoneNET cabling User’s Reference Guide SmartView Chapter SmartViewSmartView overview General Machine information Navigating SmartView Event history pages Connection Proﬁles Device Event History WAN Event History Standard Html web-based monitoring pages User’s Reference Guide Console-based Management Chapter Console-based ManagementAbout Console-based Management Connecting through a Telnet session Conﬁguring Telnet software Connecting a local terminal console cable to your router PC ANSI-BBS Navigating through the console screens User’s Reference Guide Easy Setup Chapter Easy SetupEasy Setup console screens How to access the Easy Setup console screens See Appendix A, Troubleshooting, for more suggestions Isdn Easy Setup Beginning Easy Setup PPP Cancel Idsl Easy Setup Previous Screen Easy Setup Proﬁle User’s Reference Guide Previous Screen Next Screen IP Easy Setup Easy Setup Security Conﬁguring Frame Relay Isdn Easy Setup Frame Relay screens WAN Conﬁguration Frame Relay screens Setup Isdn Line Configuration Frame Relay conﬁguration Easy Setup Frame Relay Dlci conﬁguration Displaying a Frame Relay Dlci conﬁguration table Changing a Frame Relay Dlci conﬁguration Adding a Frame Relay Dlci conﬁguration ADD Dlci NOW Cancel Deleting a Frame Relay Dlci conﬁguration Part II Advanced Configuration User’s Reference Guide WAN and System Conﬁguration Chapter WAN and System ConfigurationCreating a new Connection Proﬁle Add Connection Proﬁle screen appears IPX Profile Parameters Remote IPX Network BAP Telco Options Initiate Data Service 64 kb/sec Dial Default Proﬁle How the default proﬁle works Configuration Default Profile Customizing the Default Proﬁle IP parameters default proﬁle screen WAN and System Conﬁguration Auxiliary Port Conﬁguration IPX parameters default proﬁle screen System Conﬁguration screens System Conﬁguration features PAP Date and Time Network Protocols SetupFilter Sets Firewalls IP Address Serving MM/DD/YY Security Upgrade Feature SetConsole Conﬁguration Snmp Simple Network Management Protocol Logging Telephone setup Nov Specifying telephone connections Chapter Using SmartPhone for Telephone ServicesUsing SmartPhone for Telephone Services Inbound Directory Number Using SmartPhone for Telephone Services Preview Ring Deﬁning priority ringing Line provisioning Advanced calling features Conﬁguring supplementary services Call Accounting and Default Answer Proﬁle Chapter Call Accounting and Default Answer ProfileCost control feature -- call accounting Viewing call accounting statistics Call Accounting Statistics screen appears Scheduled connections Viewing scheduled connections Adding a scheduled connection Set Weekly Schedule Set Once-Only Schedule Deleting a scheduled connection Default Answer ProﬁleHow the Default Answer Proﬁle works Modifying a scheduled connection Customizing the default proﬁle Call Accounting and Default Answer Proﬁle Call acceptance scenarios IP Setup and Network Address Translation Chapter IP Setup and Network Address TranslationNetwork Address Translation features HOW NAT Works Using Network Address Translation ISP Network Address Translation guidelines Using multiple Connection ProﬁlesAssociating port numbers to nodes IP setup IP Setup and Network Address Translation Select Add Export. The Add Exported Service screen appears IP Setup IP subnets IP Setup and Network Address Translation Static routes Viewing static routes Adding a static route Deleting a static route Rules of static route installationModifying a static route Main System IP Address Menu Configuration Serving 163.176.56.90 Dhcp NetBIOS Options MacIP Kip Forwarding Options You have ﬁnished your IP Setup IPX Deﬁnitions Chapter IPX SetupIPX Features IPX Setup Routing Information Protocol RIP Service Advertising Protocol SAPIPX address Socket IPX Spooﬁng NetBIOSIPX setup Default Gateway Address IPX routing tables User’s Reference Guide AppleTalk Setup Chapter AppleTalk SetupInstalling AppleTalk AppleTalk protocol AppleTalk networks AppleTalk Setup Aurp MacIP Routers and seeding Conﬁguring AppleTalk EtherTalk Setup LocalTalk Setup Aurp Free Trade Zone Aurp setupViewing Aurp partners Modifying an Aurp partner Adding an Aurp partner Conﬁguring Aurp Options Deleting an Aurp partnerReceiving Aurp connections User’s Reference Guide Monitoring Tools Chapter Monitoring ToolsQuick View status overview General status Status lights Current status General Statistics Statistics & Logs Network Interface Event historiesPhysical Interface Request from our DN WAN Event History Device Event History Routing tables IP routing table AppleTalk routing table IPX routing tableIPX Sap Bindery table Served IP Addresses IP Address Lease Management screen appears Snmp System Information Community strings Snmp Setup screen Snmp traps Deleting IP trap receivers Setting the IP trap receiversViewing IP trap receivers Modifying IP trap receivers User’s Reference Guide Security Chapter SecuritySuggested security measures Protecting the conﬁguration screens User accountsProtecting the Security Options screen Dial-in Console Access What’s a ﬁlter and what’s a ﬁlter set? Enable SmartStart/SmartView/Web ServerTelnet access About ﬁlters and ﬁlter sets Filter priority How ﬁlter sets work Packet First filter Match? Yes Parts of a ﬁlter How individual ﬁlters workﬁlter’s actions ﬁltering rule Port number comparisons Port numbers Putting the parts together Other ﬁlter attributes Filtering example #1 UDP Filtering example #2 Design guidelines Disadvantages of ﬁlters An approach to using ﬁltersWorking with IP ﬁlters and ﬁlter sets Adding a ﬁlter set Input and output ﬁlters-source and destination Naming a new ﬁlter set Adding ﬁlters to a ﬁlter set Netopia R-series Router ADD this Filter NOW Cancel Deleting ﬁlters Viewing ﬁlter setsViewing ﬁlters Modifying ﬁlters Sample IP ﬁlter set Modifying ﬁlter setsDeleting a ﬁlter set TCP Icmp UDP Possible modiﬁcations Security IPX ﬁlters Adding a packet ﬁlter IPX packet ﬁltersViewing and modifying packet ﬁlters Adding a packet ﬁlter set IPX packet ﬁlter setsDeleting a packet ﬁlter Viewing and modifying packet ﬁlter sets ADD Filter SET NOW Cancel Viewing and modifying SAP ﬁlters IPX SAP ﬁltersDeleting a packet ﬁlter set Adding a SAP ﬁlter Adding a SAP ﬁlter set IPX SAP ﬁlter setsDeleting a SAP ﬁlter Viewing and modifying SAP ﬁlter sets Deleting a SAP ﬁlter set Basic Protocol Types Firewall tutorial General Firewall TermsBasic IP Packet Components Firewall Logic Firewall design rulesExample TCP/UDP Ports Implied Rules Binary RepresentationLogical ANDing Example IP Filter Set Screen Filter BasicsEstablished Connections Example Example FiltersExample Network Example Example Securing network environments Token Security AuthenticationUsing the SecurID token card Key Security Authentication Features of the Netopia R3100 Conﬁguring for security authentication Security authentication components Establishing a dial-on-demand DOD connection call Connecting using security authentication Current Connection Status Establishing a manual connection call User’s Reference Guide Utilities and Diagnostics Chapter Utilities and Diagnostics Start Ping Ping Utilities and Diagnostics Stop Ping Telnet client Telnet client screen appears Trace Route Secure Authentication Monitor Transferring conﬁguration and ﬁrmware ﬁles with Tftp Factory defaultsDisconnect Telnet Console Session Updating ﬁrmware Uploading conﬁguration ﬁles Downloading conﬁguration ﬁles Transferring conﬁguration and ﬁrmware ﬁles with Xmodem Do you want to send a saved configuration to your Netopia? Restarting the system Isdn Switch Loopback Test User’s Reference Guide If the loopback test fails Part III Appendixes User’s Reference Guide Troubleshooting A-1 Appendix a TroubleshootingConﬁguration problems Network problems SmartStart TroubleshootingConsole connection problems Before contacting Netopia Power outagesHow to get support Technical support FAX-Back Online product information Choosing an Isdn line Appendix B Setting Up Telco ServicesFinding an Isdn service provider Obtaining an Isdn line Isdn Ordering Codes Setup tipsPhysical Isdn line Circuit ID number U models only Switch protocol typeOutside North America only Directory and Spid numbers U models only Long-distance Isdn calls North American models only Testing the Isdn line Completing the Isdn worksheet Isdn Telco Worksheet for North America Isdn Telco Worksheet for Outside North America User’s Reference Guide North American Telco Provisioning for Isdn Appendix C North American Telco Provisioning for Isdn User’s Reference Guide Unique requirements Appendix D Setting Up Internet ServicesFinding an Internet service provider Setting Up Internet Services D-1 Endorsements Deciding on an ISP account Setting up a Netopia R3100 accountPricing and support ISP’s Point of presence Remote WAN IP address information to obtain Obtaining information from the ISPLocal LAN IP address information to obtain With Network Address Translation Remote WAN IP address information to obtain Understanding IP Addressing E-1 What is IP?Appendix E Understanding IP Addressing About IP addressing Subnets and subnet masks Subnet masks Example Using subnets on a Class C IP internetUnderstanding IP Addressing E-3 ISP Network Network conﬁguration Background Example Working with a Class C subnetDistributing IP addresses Understanding IP Addressing E-5 Technical note on subnet masking Dhcp Address Serving Netopia R3100 Dhcp Server CharacteristicsConﬁguration Understanding IP Addressing E-7 MacIP Serving Using address servingManually distributing IP addresses Tips and rules for distributing IP addresses Dhcp example Understanding IP Addressing E-9 Internet Nested IP subnets Understanding IP Addressing E-11 Packet header types Broadcasts Understanding Netopia NAT Behavior F-1 Appendix F Understanding Netopia NAT BehaviorNetwork Conﬁguration Background User’s Reference Guide Understanding Netopia NAT Behavior F-3 Router Netopia Router Netopia Understanding Netopia NAT Behavior F-5 Exported services Important notes Understanding Netopia NAT Behavior F-7 Summary Understanding Frame Relay G-1 Appendix G Understanding Frame RelayVirtual Circuits Excess Burst Size Be Committed Information Rate CIRCommitted Burst Size Bc Understanding Frame Relay G-3 AddressingLocal and Global DLCIs Local Management Interface LMI Frame Relay partial mesh support Encapsulation and FragmentationNetwork Protocol Addressing and Virtual Interfaces Understanding Frame Relay G-5 User’s Reference Guide Event Histories Appendix H Event HistoriesLeased line events Isdn events Isdn event cause codes Event Histories User’s Reference Guide Event Histories User’s Reference Guide Isdn Conﬁguration Guide Appendix Isdn Conﬁguration GuideDeﬁnitions About SPIDs Dynamic B-channel usage Example SPIDs Other incoming call restrictions User’s Reference Guide Binary Conversion Table J-1 Appendix J Binary Conversion Table Decimal Binary Further Reading K-1 Appendix K Further Reading User’s Reference Guide Further Reading K-3 User’s Reference Guide Pinouts for Auxiliary Port Modem Cable Appendix L Technical Specifications and Safety InformationTechnical Speciﬁcations and Safety Information L-1 DSR Environment Power requirementsTechnical Speciﬁcations and Safety Information L-3 Description International Agency approvalsRegulatory notices North America Technical Speciﬁcations and Safety Information L-5 Declaration for Canadian users Important safety instructionsAustralian Safety Information Battery Technical Speciﬁcations and Safety Information L-7Telecommunication installation cautions User’s Reference Guide Glossary Glossary User’s Reference Guide Glossary User’s Reference Guide Glossary Remapping See network number remapping Glossary User’s Reference Guide Index-1 Index Index-2 ISP Index-3 NAT Index-4 Spid Index-5 Index-6 Limited Warranty and Limitation of Remedies Limited Warranty and Limitation of Remedies User’s Reference Guide