Manuals / Netopia / Computer Equipment / Network Router

Netopia R910 Firewall design rules, User’s Reference Guide, Example TCP/UDP Ports, Firewall Logic

Models: R910

1 209

Download 209 pages 33.84 Kb

Page 144

13-144 User’s Reference Guide

Example TCP/UDP Ports

TCP Port	Service	UDP Port	Service

20/21	FTP	161	SNMP

23	Telnet	69	TFTP

25	SMTP	387	AURP

80	WWW

144	News

Firewall design rules

There are two basic rules to ﬁrewall design:

■“What is not explicitly allowed is denied.”

and

■“What is not explicitly denied is allowed.”

The ﬁrst rule is far more secure, and is the best approach to ﬁrewall design. It is far easier (and more secure) to allow in or out only certain services and deny anything else. If the other rule is used, you would have to ﬁgure out everything that you want to disallow, now and in the future.

Firewall Logic

Firewall design is a test of logic, and ﬁlter rule ordering is critical. If a packet is passed through a series of ﬁlter rules and then the packet matches a rule, the appropriate action is taken. The packet will not pass through the remainder of the ﬁlter rules.

For example, if you had the following ﬁlter set...

Allow WWW access;

Allow FTP access;

Allow SMTP access;

Deny all other packets.

and a packet goes through these rules destined for FTP, the packet would pass through the ﬁrst rule (WWW), go through the second rule (FTP), and match this rule; the packet is allowed through.

If you had this ﬁlter set for example....

Allow WWW access;

Allow FTP access;

Deny FTP access;

Deny all other packets.

Image 144

Netopia R910 manual Firewall design rules, User’s Reference Guide, Example TCP/UDP Ports, Firewall Logic

Contents

Netopia R910 Ethernet Router for DSL and Cable Modems User’s Reference GuideCopyright Part NumberPrinted Copies Contents Features and capabilitiesHow to use this guide Chapter 2 - Setting Up Internet ServicesConnecting a console cable to your router Chapter 7 - Easy SetupEasy Setup console screens Accessing the Easy Setup console screensDHCP NetBIOS Options VPN Default Answer ProﬁleInstalling Dial-Up Networking Installing the VPN ClientThe SNMP Setup screen Telnet accessChapter 12 - Monitoring Tools 12-109Chapter 14 - Utilities and Diagnostics Factory defaultsAppendix A - Troubleshooting Conﬁguration problemsUsing address serving Exported servicesAppendix F - Technical Speciﬁcations and Safety Power requirementsFeatures and capabilities “Features and capabilities” on page “How to use this guide” on pageChapter Introduction OverviewHow to use this guide 1-10 User’s Reference GuideChapter Setting Up Internet Services Setting Up Internet ServicesDeciding on an ISP account DSL and cable modemsLocal LAN IP address information to obtain 2-12 User’s Reference GuideWith Network Address Translation Without Network Address Translation“Identify the connectors and attach the cables” on page Chapter Making the Physical ConnectionsFind a location Making the Physical ConnectionsIdentify the connectors and attach the cables What you need3-14 User’s Reference Guide Netopia R910 Ethernet Router back panel ports your router” on pageMaking the Physical Connections Netopia R910 Ethernet Router status lights 3-16 User’s Reference Guide8 9 10 12 13 14 15 16 Chapter Connecting to Your Local Area Network Connecting to Your Local Area Network“Connecting to an Ethernet network” on page Network ModelReadying computers on your local network 4-18 User’s Reference GuideAfter Connecting to Your Local Area Network Application software TCP/IP stack Ethernet/EtherTalk Driver Your PCConnecting to an Ethernet network 10Base-T4-20 User’s Reference Guide Connecting to Your Local Area Network The Netopia R910 in a 10Base-T networkThe Netopia R910 in a 10Base-T network with a hub 4-22 User’s Reference Guide Chapter Configuring TCP/IP Hardware and operating system requirementsConﬁguring TCP/IP “Hardware and operating system requirements” on pageConﬁguring TCP/IP on Windows 95 or 5-24 User’s Reference GuideDynamic conﬁguration recommended Static conﬁguration optional Conﬁguring TCP/IPConﬁguring TCP/IP on a Macintosh Computer 5-26 User’s Reference GuideDynamic conﬁguration recommended Conﬁguring TCP/IP Static conﬁguration optional1. Go to the Apple menu. Select Dynamic conﬁguration using MacIP optional 5-28 User’s Reference GuideConﬁguring TCP/IP 5-30 User’s Reference Guide “Connecting through a Telnet session” on page “Connecting a console cable to your router” on pageChapter Console-Based Management Console-Based ManagementConnecting through a Telnet session Upgrade feature set. See “Upgrade feature set” on page6-32 User’s Reference Guide Filter sets ﬁrewalls. See “About ﬁlters and ﬁlter sets” on pageConnecting a console cable to your router Conﬁguring Telnet softwareConsole-Based Management Navigating through the console screens 6-34 User’s Reference GuideChapter Easy Setup Easy Setup console screensAccessing the Easy Setup console screens Easy SetupSee Appendix A, “Troubleshooting,” for more suggestions 7-36 User’s Reference GuideQuick Easy Setup connection path If your ISP supports DHCPIf your ISP doesn’t support DHCP Easy SetupFor more Easy Setup options see “More Easy Setup options” on page 7-38 User’s Reference GuideMore Easy Setup options WAN Ethernet ConﬁgurationEasy Setup IP Easy Setup 7-40 User’s Reference GuideEasy Setup Security Conﬁguration Easy Setup7-42 User’s Reference Guide Easy Setup is now complete1. Select RESTART DEVICE. A prompt asks you to conﬁrm your choice Chapter WAN and System Configuration “System conﬁguration features” on pageWAN conﬁguration WAN and System ConﬁgurationSystem conﬁguration screens 8-44 User’s Reference GuideNavigating through the system conﬁguration screens WAN and System ConﬁgurationSystem conﬁguration features 8-46 User’s Reference GuideIP setup Filter sets ﬁrewallsIP address serving Date and timeUpgrade feature set Console conﬁgurationSNMP Simple Network Management Protocol SecurityLogging WAN and System ConﬁgurationInstalling the Syslog client 8-50 User’s Reference GuideChapter IP Setup and Network Address Translation Network Address Translation featuresIP Setup and Network Address Translation “Network Address Translation features” on page9-52 User’s Reference Guide HOW NAT WORKS With NAT ISP 163.167.132.1 Without NATor corporate intranet router 192.168.1.100 192.168.1.102 192.168.1.103 192.168.1.104 192.168.1.105Using Network Address Translation Note See “Associating port numbers with nodes” on pageIP Setup and Network Address Translation 9-54 User’s Reference Guide Associating port numbers with nodes Network Address Translation guidelineIP Setup and Network Address Translation 9-56 User’s Reference Guide IP setupIP Setup and Network Address Translation 9-58 User’s Reference Guide Select Add Export. The Add Exported Service screen appearsCANCEL Exports, Add Export, and Delete ExportIP Setup and Network Address Translation Select Service. A pop-up menu of services and ports appearsIP subnets 9-60 User’s Reference GuideIP Setup and Network Address Translation For exampleStatic routes 9-62 User’s Reference Guidepage Viewing static routes IP Setup and Network Address Translation9-64 User’s Reference Guide Adding a static routeRules of static route installation Modifying a static routeDeleting a static route IP Setup and Network Address Translation9-66 User’s Reference Guide Serve DHCP Clients Serve BootP Clients Serve Dynamic WAN ClientsIP address serving IP Setup and Network Address Translation Follow these steps to conﬁgure IP Address ServingIP Address Pools 9-68 User’s Reference GuideIP Setup and Network Address Translation Numerous factors inﬂuence the choice of served address. It is difﬁcult to specify the address that will be served to a particular client in all circumstances. However, when the address server has been conﬁgured, and the clients involved have no prior address serving interactions, the Netopia R910 will generally serve the ﬁrst unused address from the ﬁrst address pool with an available address. The Netopia R910 starts from the pool on the ﬁrst row and continues to the pool on the last row of this screenDHCP NetBIOS Options 9-70 User’s Reference GuideIP Setup and Network Address Translation 9-72 User’s Reference Guide Select Release BootP Leases and press ReturnYou have ﬁnished your IP setup “VPN Default Answer Proﬁle” on page “VPN QuickView” on page “Installing the VPN Client” on page “About ATMP Tunnels” on pageChapter Virtual Private Networks VPN Virtual Private Networks VPN10-74 User’s Reference Guide Transi t In t ern etwor k“About PPTP Tunnels” on page “About IPsec Tunnels” on page “About ATMP Tunnels” on pageSummary Virtual Private Networks VPNPPTP configuration About PPTP Tunnels10-76 User’s Reference Guide Note Proﬁles using PPTP do not offer a Telco Options screen Virtual Private Networks VPN10-78 User’s Reference Guide Encryption Support MS-CHAP V2 and strong encryptionVirtual Private Networks VPN Configuration About IPsec Tunnels10-80 User’s Reference Guide Virtual Private Networks VPN The Add Connection Proﬁle screen appears10-82 User’s Reference Guide IP Profile Parameters Virtual Private Networks VPNAdvanced IP Profile Options 10-84 User’s Reference GuideVPN Default Answer Profile Virtual Private Networks VPNInteroperation with other features VPN QuickView10-86 User’s Reference Guide Virtual Private Networks VPN Proﬁle Name Lists the name of the Connection Proﬁle being used, if anyInstalling Dial-Up Networking Dial-Up Networking for VPN10-88 User’s Reference Guide Creating a new Dial-Up Networking profile Virtual Private Networks VPNConfiguring a Dial-Up Networking profile 10-90 User’s Reference Guide4. Click the TCP/IP Settings button Virtual Private Networks VPNInstalling the VPN Client Windows 95 VPN installationWindows 98 VPN installation 10-92 User’s Reference GuideConnecting using Dial-Up Networking Virtual Private Networks VPNATMP configuration About ATMP Tunnels10-94 User’s Reference Guide Note Proﬁles using ATMP do not offer a Telco Options screen Virtual Private Networks VPN10-96 User’s Reference Guide Virtual Private Networks VPN Allowing VPNs through a Firewall 10-98 User’s Reference Guide“PPTP example” on page “ATMP example” on page PPTP example Virtual Private Networks VPNDisplay/Change Input Filter screen 10-100 User’s Reference Guide Virtual Private Networks VPN 0.0.0.00.0.0.0 0.0.0.0ATMP example 10-102 User’s Reference GuideVirtual Private Networks VPN 10-104 User’s Reference Guide 0.0.0.00.0.0.0 0.0.0.0Chapter PPP over Ethernet PPP over Ethernet11-106 User’s Reference Guide PPP Ethernet LAN Reconfiguration ConfigurationThe Netopia R910 offers the ability for PPP to reconﬁgure the router’s Ethernet LAN when establishing an unnumbered, non-NAT connection PPP over EthernetQuick View 11-108 User’s Reference GuideChapter Monitoring Tools Quick View status overviewMonitoring Tools “Quick View status overview” on page “Statistics & Logs” on pageGeneral status Status lights12-110 User’s Reference Guide Statistics & Logs General StatisticsMonitoring Tools Event histories 12-112 User’s Reference GuidePhysical Interface Network InterfaceWAN Event History Device Event HistoryMonitoring Tools Routing tables 12-114 User’s Reference GuideIP routing table Monitoring ToolsServed IP Addresses 12-116 User’s Reference GuideSystem Information Monitoring ToolsThe SNMP Setup screen SNMP12-118 User’s Reference Guide SNMP traps Community stringsMonitoring Tools Setting the IP trap receivers 12-120 User’s Reference GuideViewing IP trap receivers Modifying IP trap receiversDeleting IP trap receivers Monitoring Tools12-122 User’s Reference Guide “Telnet access” on page “About ﬁlters and ﬁlter sets” on page Chapter SecuritySuggested security measures User accounts13-124 User’s Reference Guide Protecting the Security Options screenProtecting the conﬁguration screens Telnet access SecurityAbout ﬁlters and ﬁlter sets What’s a ﬁlter and what’s a ﬁlter set?How ﬁlter sets work 13-126 User’s Reference GuideFilter priority Securitypacket first filter match? send to next filter yes pass or discard? discard delete passHow individual ﬁlters work 13-128 User’s Reference GuideA ﬁlter’s actions A ﬁltering ruleParts of a ﬁlter Port numbersPort number comparisons Security13-130 User’s Reference Guide Other ﬁlter attributesPutting the parts together Filtering example #1 SecurityDesign guidelines 13-132 User’s Reference GuideFiltering example #2 An approach to using ﬁlters Working with IP ﬁlters and ﬁlter setsDisadvantages of ﬁlters SecurityAdding a ﬁlter set 13-134 User’s Reference GuideNaming a new ﬁlter set Security13-136 User’s Reference Guide Input and output ﬁlters-source and destinationAdding ﬁlters to a ﬁlter set 1. To make the ﬁlter active in the ﬁlter set, select Enabled and toggle it to Yes. If Enabled is toggled to No, the ﬁlter can still exist in the ﬁlter set, but it will have no effect SecurityViewing ﬁlter sets 13-138 User’s Reference GuideViewing ﬁlters Modifying ﬁltersModifying ﬁlter sets Deleting a ﬁlter setA sample IP ﬁlter set Security13-140 User’s Reference Guide Possible modiﬁcations Security13-142 User’s Reference Guide Firewall tutorial General ﬁrewall terms Basic IP packet componentsBasic protocol types SecurityFirewall design rules 13-144 User’s Reference GuideExample TCP/UDP Ports Firewall LogicBinary representation Logical AND functionImplied rules SecurityFilter basics 13-146 User’s Reference GuideEstablished connections Example IP ﬁlter set screenExample ﬁlters Incoming Packet FilterNetopia Internet13-148 User’s Reference Guide ExampleExample Security ExampleExample 13-150 User’s Reference Guide RADIUS client configuration RADIUS Client SupportSecurity 13-152 User’s Reference Guide RADIUS Server Authentication PortRADIUS then Local Local then RADIUSbe unable to configure this device unless a Radius Server is SecurityAdvanced Security Options 13-154 User’s Reference Guide Chapter Utilities and Diagnostics Utilities and Diagnostics“Factory defaults” on page “Ping” on page “Trace Route” on page “Telnet client” on pagePing 14-156 User’s Reference GuideUtilities and Diagnostics Trace Route 14-158 User’s Reference GuideTelnet client Utilities and DiagnosticsFactory defaults Disconnect Telnet console sessionTransferring conﬁguration and ﬁrmware ﬁles with TFTP 14-160 User’s Reference GuideUpdating ﬁrmware Utilities and DiagnosticsGET WAN MODULE FIRMWARE FROM SERVER Config File Name GET CONFIG FROM SERVER SEND CONFIG TO SERVERDownloading conﬁguration ﬁles 14-162 User’s Reference GuideUploading conﬁguration ﬁles Transferring conﬁguration and ﬁrmware ﬁles with XMODEMUtilities and Diagnostics 14-164 User’s Reference Guide Updating ﬁrmwareUtilities and Diagnostics Downloading conﬁguration ﬁlesUploading conﬁguration ﬁles Restarting the system 14-166 User’s Reference GuideAppendix A Troubleshooting Conﬁguration problemsTroubleshooting A-167 “Conﬁguration problems” on page A-167Console connection problems Network problemsProblems communicating with remote IP hosts Local routing problemsHow to reset the router to factory defaults Power outagesReset Switch Slot Troubleshooting A-169How to reach us Technical supportA-170 User’s Reference Guide Before contacting NetopiaTroubleshooting A-171 Online product informationOnline Technical Support A-172 User’s Reference Guide What is IP? “What is IP?” on page B-173 “About IP addressing” on page B-173Appendix B Understanding IP Addressing About IP addressingSubnets and subnet masks B-174 User’s Reference GuideExample Using subnets on a Class C IP internet Understanding IP Addressing B-175Subnet masks B-176 User’s Reference Guide Network conﬁgurationCustomer Site A ISP NetworkExample Working with a Class C subnet Distributing IP addressesUnderstanding IP Addressing B-177 BackgroundTechnical note on subnet masking B-178 User’s Reference GuideNetopia R910 DHCP server characteristics ConﬁgurationUnderstanding IP Addressing B-179 DHCP address servingUsing address serving Manually distributing IP addressesTips and rules for distributing IP addresses B-180 User’s Reference GuideUnderstanding IP Addressing B-181 Nested IP subnets B-182 User’s Reference GuideA DHCP example Understanding IP Addressing B-183 InternetB-184 User’s Reference Guide Broadcasts Packet header typesUnderstanding IP Addressing B-185 B-186 User’s Reference Guide Appendix C Understanding Netopia NAT Behavior Network conﬁgurationBackground ISP NetworkC-188 User’s Reference Guide Understanding Netopia NAT Behavior C-189 Workstation AC-190 User’s Reference Guide WorkstationsExported services Understanding Netopia NAT Behavior C-191Important notes C-192 User’s Reference GuideUnderstanding Netopia NAT Behavior C-193 ConﬁgurationSummary C-194 User’s Reference GuideAppendix D Binary Conversion Table Binary Conversion Table D-195D-196 User’s Reference Guide DecimalBinary DecimalAppendix E Further Reading Further Reading E-197E-198 User’s Reference Guide Further Reading E-199 E-200 User’s Reference Guide Appendix F Technical Specifications and Safety Information Power requirementsTechnical Speciﬁcations and Safety Information F-201 DescriptionRegulatory notices F-202 User’s Reference GuideDeclaration for Canadian users Important safety instructions Technical Speciﬁcations and Safety Information F-203Telecommunication installation cautions BatteryF-204 User’s Reference Guide Index NumericsIndex-205 Index-206 Index-207 13-131 Index-208Index-209