Manuals / Netopia / Computer Equipment / Network Router

Netopia R3100 manual Chapter Security, Suggested security measures

Models: R3100

1 320

Download 320 pages 53.76 Kb

Page 179

Security 15-1

Chapter 15

Security

The Netopia R3100 provides a number of security features to help protect its conﬁguration screens and your local network from unauthorized access. Although these features are optional, it is strongly recommended that you use them.

This section covers the following topics:

■“Suggested security measures” on page 15-1, lists actions for blocking potential security holes.

■“User accounts,” beginning on page 15-2, shows you how to set up name/password combinations to protect the Netopia R3100’s conﬁguration screens.

■“Dial-in Console Access” on page 15-3

■“Telnet access” on page 15-4, shows you how to control access to the Netopia R3100 by those using the Telnet protocol.

■“About ﬁlters and ﬁlter sets,” beginning on page 15-4, and “Working with IP ﬁlters and ﬁlter sets,” beginning on page 15-12, have information on what ﬁlters are, how they work, how to customize them, and how to use them in sets. For information on IPX ﬁlters and ﬁlter sets, see “IPX ﬁlters,” beginning on page 15-22.

■“Firewall tutorial” on page 15-30

■“Token Security Authentication” on page 15-37

Suggested security measures

In addition to setting up user accounts, Telnet access, and ﬁlters (all of which are covered later in this chapter), there are other actions you can take to make the Netopia R3100 and your network more secure:

■Change the SNMP community strings (or passwords). The default community strings are universal and could easily be known to a potential intruder.

■Set the answer proﬁle so it must match incoming calls to a connection proﬁle.

■Use CallerID.

■Leave the “Enable Dial-in Console Access” option set to No.

■Where possible, insist on using PAP, CHAP, or secure authentication token card to authenticate connections to and from connection proﬁles.

■When using AURP, accept connections only from conﬁgured partners.

■In high risk areas, conﬁgure the Netopia R3100 through the serial console port to ensure that your communications cannot be intercepted.

Image 179

Netopia R3100 manual Chapter Security, Suggested security measures

Contents

Netopia R3100 Isdn Routers Part Number Contents Ii User’s Reference Guide Part II Advanced Configuration Iv User’s Reference Guide Aurp Vi User’s Reference Guide Part III Appendixes Viii User’s Reference Guide Contents User’s Reference Guide Conﬁguration options for your Netopia R3100 Isdn Router Small Ofﬁce connection to the Internet Small Ofﬁce connection to the Internet Direct Connection to a Corporate Ofﬁce Telecommuter Conﬁgured to accept incoming dial-up connections Conﬁgured for Idsl Part I Getting Started User’s Reference Guide Introduction Features and capabilitiesChapter Introduction OverviewHow to use this guide Making the Physical Connections Chapter Making the Physical ConnectionsFind a location What you needIdentify the connectors and attach the cables Netopia R3100 Isdn Router Back Panel Ports Cable to your router on Services on Netopia R3100 LED front panel Netopia R3100 Isdn Router Status LightsSetting up your Router with the SmartStart Wizard Chapter Setting up your Router with the SmartStart WizardBefore running SmartStart SmartStart Wizard conﬁguration screens Setting up your Router with the SmartStart WizardEasy option Easy or Advanced setupSetting up your Router with the SmartStart Wizard User’s Reference Guide Setting up your Router with the SmartStart Wizard User’s Reference Guide Advanced option Connection Proﬁle screen on Conﬁguration tab Dynamic conﬁguration recommendedStatic conﬁguration optional Add. Repeat this process for the secondary DNS TCP/IP Conﬁguring TCP/IP on Macintosh computersTCP/IP or MacTCP Dynamic conﬁguration using MacIP optional Setting up your Router with the SmartStart Wizard User’s Reference Guide Connecting Your Local Area Network Chapter Connecting Your Local Area NetworkReadying computers on your local network 10Base-T Connecting to an Ethernet network10BASE-T Remote console Connecting to a LocalTalk network Wiring guidelines for PhoneNET cabling User’s Reference Guide SmartView Chapter SmartViewSmartView overview General Machine information Navigating SmartViewEvent history pages Connection ProﬁlesDevice Event History WAN Event History Standard Html web-based monitoring pages User’s Reference Guide Console-based Management Chapter Console-based ManagementAbout Console-based Management Connecting through a Telnet session Conﬁguring Telnet software Connecting a local terminal console cable to your routerPC ANSI-BBS Navigating through the console screens User’s Reference Guide Easy Setup Chapter Easy SetupEasy Setup console screens How to access the Easy Setup console screensSee Appendix A, Troubleshooting, for more suggestions Isdn Easy Setup Beginning Easy SetupPPP Cancel Idsl Easy Setup Previous Screen Easy Setup ProﬁleUser’s Reference Guide Previous Screen Next Screen IP Easy SetupEasy Setup Security Conﬁguring Frame Relay Isdn Easy Setup Frame Relay screensWAN Conﬁguration Frame Relay screens Setup Isdn Line ConfigurationFrame Relay conﬁguration Easy Setup Frame Relay Dlci conﬁguration Displaying a Frame Relay Dlci conﬁguration table Changing a Frame Relay Dlci conﬁguration Adding a Frame Relay Dlci conﬁguration ADD Dlci NOW CancelDeleting a Frame Relay Dlci conﬁguration Part II Advanced Configuration User’s Reference Guide WAN and System Conﬁguration Chapter WAN and System ConfigurationCreating a new Connection Proﬁle Add Connection Proﬁle screen appears IPX Profile Parameters Remote IPX Network BAP Telco Options Initiate Data Service 64 kb/sec Dial Default Proﬁle How the default proﬁle works Configuration Default Profile Customizing the Default ProﬁleIP parameters default proﬁle screen WAN and System Conﬁguration Auxiliary Port Conﬁguration IPX parameters default proﬁle screenSystem Conﬁguration screens System Conﬁguration features PAP Date and Time Network Protocols SetupFilter Sets Firewalls IP Address ServingMM/DD/YY Security Upgrade Feature SetConsole Conﬁguration Snmp Simple Network Management ProtocolLogging Telephone setupNov Specifying telephone connections Chapter Using SmartPhone for Telephone ServicesUsing SmartPhone for Telephone Services Inbound Directory Number Using SmartPhone for Telephone Services Preview Ring Deﬁning priority ringingLine provisioning Advanced calling featuresConﬁguring supplementary services Call Accounting and Default Answer Proﬁle Chapter Call Accounting and Default Answer ProfileCost control feature -- call accounting Viewing call accounting statistics Call Accounting Statistics screen appears Scheduled connections Viewing scheduled connections Adding a scheduled connection Set Weekly Schedule Set Once-Only Schedule Deleting a scheduled connection Default Answer ProﬁleHow the Default Answer Proﬁle works Modifying a scheduled connectionCustomizing the default proﬁle Call Accounting and Default Answer Proﬁle Call acceptance scenarios IP Setup and Network Address Translation Chapter IP Setup and Network Address TranslationNetwork Address Translation features HOW NAT Works Using Network Address Translation ISP Network Address Translation guidelines Using multiple Connection ProﬁlesAssociating port numbers to nodes IP setup IP Setup and Network Address Translation Select Add Export. The Add Exported Service screen appears IP Setup IP subnets IP Setup and Network Address Translation Static routes Viewing static routes Adding a static route Deleting a static route Rules of static route installationModifying a static route Main System IP Address Menu Configuration Serving 163.176.56.90 Dhcp NetBIOS Options MacIP Kip Forwarding Options You have ﬁnished your IP Setup IPX Deﬁnitions Chapter IPX SetupIPX Features IPX SetupRouting Information Protocol RIP Service Advertising Protocol SAPIPX address SocketIPX Spooﬁng NetBIOSIPX setup Default Gateway Address IPX routing tables User’s Reference Guide AppleTalk Setup Chapter AppleTalk SetupInstalling AppleTalk AppleTalk protocol AppleTalk networksAppleTalk Setup Aurp MacIPRouters and seeding Conﬁguring AppleTalk EtherTalk Setup LocalTalk Setup Aurp Free Trade Zone Aurp setupViewing Aurp partners Modifying an Aurp partner Adding an Aurp partnerConﬁguring Aurp Options Deleting an Aurp partnerReceiving Aurp connections User’s Reference Guide Monitoring Tools Chapter Monitoring ToolsQuick View status overview General status Status lights Current statusGeneral Statistics Statistics & LogsNetwork Interface Event historiesPhysical Interface Request from our DN WAN Event HistoryDevice Event History Routing tablesIP routing table AppleTalk routing table IPX routing tableIPX Sap Bindery table Served IP Addresses IP Address Lease Management screen appears Snmp System InformationCommunity strings Snmp Setup screenSnmp traps Deleting IP trap receivers Setting the IP trap receiversViewing IP trap receivers Modifying IP trap receiversUser’s Reference Guide Security Chapter SecuritySuggested security measures Protecting the conﬁguration screens User accountsProtecting the Security Options screen Dial-in Console Access What’s a ﬁlter and what’s a ﬁlter set? Enable SmartStart/SmartView/Web ServerTelnet access About ﬁlters and ﬁlter setsFilter priority How ﬁlter sets workPacket First filter Match? Yes Parts of a ﬁlter How individual ﬁlters workﬁlter’s actions ﬁltering rulePort number comparisons Port numbersPutting the parts together Other ﬁlter attributesFiltering example #1 UDPFiltering example #2 Design guidelinesDisadvantages of ﬁlters An approach to using ﬁltersWorking with IP ﬁlters and ﬁlter sets Adding a ﬁlter set Input and output ﬁlters-source and destination Naming a new ﬁlter setAdding ﬁlters to a ﬁlter set Netopia R-series RouterADD this Filter NOW Cancel Deleting ﬁlters Viewing ﬁlter setsViewing ﬁlters Modifying ﬁltersSample IP ﬁlter set Modifying ﬁlter setsDeleting a ﬁlter set TCP Icmp UDP Possible modiﬁcations Security IPX ﬁlters Adding a packet ﬁlter IPX packet ﬁltersViewing and modifying packet ﬁlters Adding a packet ﬁlter set IPX packet ﬁlter setsDeleting a packet ﬁlter Viewing and modifying packet ﬁlter setsADD Filter SET NOW Cancel Viewing and modifying SAP ﬁlters IPX SAP ﬁltersDeleting a packet ﬁlter set Adding a SAP ﬁlter Adding a SAP ﬁlter set IPX SAP ﬁlter setsDeleting a SAP ﬁlter Viewing and modifying SAP ﬁlter setsDeleting a SAP ﬁlter set Basic Protocol Types Firewall tutorial General Firewall TermsBasic IP Packet Components Firewall Logic Firewall design rulesExample TCP/UDP Ports Implied Rules Binary RepresentationLogical ANDing Example IP Filter Set Screen Filter BasicsEstablished Connections Example Example FiltersExample Network Example Example Securing network environments Token Security AuthenticationUsing the SecurID token card Key Security Authentication Features of the Netopia R3100Conﬁguring for security authentication Security authentication componentsEstablishing a dial-on-demand DOD connection call Connecting using security authenticationCurrent Connection Status Establishing a manual connection call User’s Reference Guide Utilities and Diagnostics Chapter Utilities and DiagnosticsStart Ping PingUtilities and Diagnostics Stop Ping Telnet clientTelnet client screen appears Trace RouteSecure Authentication Monitor Transferring conﬁguration and ﬁrmware ﬁles with Tftp Factory defaultsDisconnect Telnet Console Session Updating ﬁrmware Uploading conﬁguration ﬁles Downloading conﬁguration ﬁlesTransferring conﬁguration and ﬁrmware ﬁles with Xmodem Do you want to send a saved configuration to your Netopia? Restarting the system Isdn Switch Loopback Test User’s Reference Guide If the loopback test fails Part III Appendixes User’s Reference Guide Troubleshooting A-1 Appendix a TroubleshootingConﬁguration problems Network problems SmartStart TroubleshootingConsole connection problems Before contacting Netopia Power outagesHow to get support Technical supportFAX-Back Online product informationChoosing an Isdn line Appendix B Setting Up Telco ServicesFinding an Isdn service provider Obtaining an Isdn lineIsdn Ordering Codes Setup tipsPhysical Isdn line Circuit ID number U models only Switch protocol typeOutside North America only Directory and Spid numbers U models onlyLong-distance Isdn calls North American models only Testing the Isdn lineCompleting the Isdn worksheet Isdn Telco Worksheet for North America Isdn Telco Worksheet for Outside North America User’s Reference Guide North American Telco Provisioning for Isdn Appendix C North American Telco Provisioning for IsdnUser’s Reference Guide Unique requirements Appendix D Setting Up Internet ServicesFinding an Internet service provider Setting Up Internet Services D-1Endorsements Deciding on an ISP account Setting up a Netopia R3100 accountPricing and support ISP’s Point of presenceRemote WAN IP address information to obtain Obtaining information from the ISPLocal LAN IP address information to obtain With Network Address TranslationRemote WAN IP address information to obtain Understanding IP Addressing E-1 What is IP?Appendix E Understanding IP Addressing About IP addressingSubnets and subnet masks Subnet masks Example Using subnets on a Class C IP internetUnderstanding IP Addressing E-3 ISP Network Network conﬁgurationBackground Example Working with a Class C subnetDistributing IP addresses Understanding IP Addressing E-5Technical note on subnet masking Dhcp Address Serving Netopia R3100 Dhcp Server CharacteristicsConﬁguration Understanding IP Addressing E-7MacIP Serving Using address servingManually distributing IP addresses Tips and rules for distributing IP addressesDhcp example Understanding IP Addressing E-9Internet Nested IP subnetsUnderstanding IP Addressing E-11 Packet header types BroadcastsUnderstanding Netopia NAT Behavior F-1 Appendix F Understanding Netopia NAT BehaviorNetwork Conﬁguration BackgroundUser’s Reference Guide Understanding Netopia NAT Behavior F-3 Router NetopiaRouter Netopia Understanding Netopia NAT Behavior F-5 Exported servicesImportant notes Understanding Netopia NAT Behavior F-7 Summary Understanding Frame Relay G-1 Appendix G Understanding Frame RelayVirtual Circuits Excess Burst Size Be Committed Information Rate CIRCommitted Burst Size Bc Understanding Frame Relay G-3 AddressingLocal and Global DLCIs Local Management Interface LMIFrame Relay partial mesh support Encapsulation and FragmentationNetwork Protocol Addressing and Virtual Interfaces Understanding Frame Relay G-5 User’s Reference Guide Event Histories Appendix H Event HistoriesLeased line events Isdn eventsIsdn event cause codes Event Histories User’s Reference Guide Event Histories User’s Reference Guide Isdn Conﬁguration Guide Appendix Isdn Conﬁguration GuideDeﬁnitions About SPIDsDynamic B-channel usage Example SPIDsOther incoming call restrictions User’s Reference Guide Binary Conversion Table J-1 Appendix J Binary Conversion TableDecimal Binary Further Reading K-1 Appendix K Further ReadingUser’s Reference Guide Further Reading K-3 User’s Reference Guide Pinouts for Auxiliary Port Modem Cable Appendix L Technical Specifications and Safety InformationTechnical Speciﬁcations and Safety Information L-1 DSR Environment Power requirementsTechnical Speciﬁcations and Safety Information L-3 DescriptionInternational Agency approvalsRegulatory notices North AmericaTechnical Speciﬁcations and Safety Information L-5 Declaration for Canadian users Important safety instructionsAustralian Safety Information Battery Technical Speciﬁcations and Safety Information L-7Telecommunication installation cautions User’s Reference Guide Glossary GlossaryUser’s Reference Guide Glossary User’s Reference Guide Glossary Remapping See network number remapping Glossary User’s Reference Guide Index-1 IndexIndex-2 ISP Index-3NAT Index-4Spid Index-5Index-6 Limited Warranty and Limitation of Remedies Limited Warranty and Limitation of RemediesUser’s Reference Guide