Manuals / Netopia / Computer Equipment / Network Router

Netopia R910 manual Advanced Security Options

Models: R910

1 209

Download 209 pages 33.84 Kb

Page 153

Advanced Security Options

Security 13-153

hostname to be resolved using the Domain Name System (DNS) information conﬁgured in the router, or by using an IP address in dotted-quad notation. The RADIUS Server Addr/Name items are limited to 63 characters.

■In addition to specifying the server’s hostname or IP address, you must also specify a RADIUS Server Secret and an Alt RADIUS Server Secret (if conﬁgured) known to both the router and the RADIUS server. The secret is used to encrypt RADIUS transactions in transit. The RADIUS Server Secret items are limited to 31 characters.

The router’s RADIUS client implementation supports passwords longer than 16 characters and properly encrypts such passwords per RFC 2138. Not all RADIUS server implementations handle passwords longer than 16 characters.

■RADIUS Identiﬁer can be either an IP address or an arbitrary string to be used as the identiﬁer in the router’s outgoing Access-Request packets. The RADIUS identiﬁer is limited to 63 characters.

■RADIUS Server Authentication Port speciﬁes the UDP destination port to which the router’s RADIUS authentication requests will be sent. The default value is 1812, the ofﬁcial IANA assigned UDP port number for the RADIUS authentication service.

Note: Certain security-related conﬁguration changes cause the router to display a warning alert. Choosing either Local then RADIUS or RADIUS then Local from the Security Databases pop-up menu when there are no conﬁgured username/password pairs causes the router to present the following warning alert:

	Advanced Security Options
+---------------------------------------------------------------	+
+---------------------------------------------------------------	+

You have no local passwords defined. If you continue you will

be unable to configure this device unless a Radius Server is
available to authenticate you.

	CONTINUE	CANCEL

+---------------------------------------------------------------			+

Attempting to delete the last non-URG username/password pair from the local authentication database when the Security Databases pop-up menu is set to either “Local then RADIUS” or “RADIUS then Local” causes the router to present the following warning alert:

Image 153

Netopia R910 manual Advanced Security Options, be unable to configure this device unless a Radius Server is

Contents

User’s Reference Guide Netopia R910 Ethernet Router for DSL and Cable ModemsCopyright Part NumberPrinted Copies Features and capabilities ContentsHow to use this guide Chapter 2 - Setting Up Internet ServicesChapter 7 - Easy Setup Connecting a console cable to your routerEasy Setup console screens Accessing the Easy Setup console screensVPN Default Answer Proﬁle DHCP NetBIOS OptionsInstalling Dial-Up Networking Installing the VPN ClientTelnet access The SNMP Setup screenChapter 12 - Monitoring Tools 12-109Factory defaults Chapter 14 - Utilities and DiagnosticsAppendix A - Troubleshooting Conﬁguration problemsExported services Using address servingAppendix F - Technical Speciﬁcations and Safety Power requirements“Features and capabilities” on page “How to use this guide” on page Features and capabilitiesChapter Introduction Overview1-10 User’s Reference Guide How to use this guideSetting Up Internet Services Chapter Setting Up Internet ServicesDeciding on an ISP account DSL and cable modems2-12 User’s Reference Guide Local LAN IP address information to obtainWith Network Address Translation Without Network Address TranslationChapter Making the Physical Connections “Identify the connectors and attach the cables” on pageFind a location Making the Physical ConnectionsIdentify the connectors and attach the cables What you need3-14 User’s Reference Guide Netopia R910 Ethernet Router back panel ports your router” on pageMaking the Physical Connections Netopia R910 Ethernet Router status lights 3-16 User’s Reference Guide8 9 10 12 13 14 15 16 Connecting to Your Local Area Network Chapter Connecting to Your Local Area Network“Connecting to an Ethernet network” on page Network ModelReadying computers on your local network 4-18 User’s Reference GuideAfter Application software TCP/IP stack Ethernet/EtherTalk Driver Your PC Connecting to Your Local Area NetworkConnecting to an Ethernet network 10Base-T4-20 User’s Reference Guide Connecting to Your Local Area Network The Netopia R910 in a 10Base-T networkThe Netopia R910 in a 10Base-T network with a hub 4-22 User’s Reference Guide Hardware and operating system requirements Chapter Configuring TCP/IPConﬁguring TCP/IP “Hardware and operating system requirements” on pageConﬁguring TCP/IP on Windows 95 or 5-24 User’s Reference GuideDynamic conﬁguration recommended Conﬁguring TCP/IP Static conﬁguration optionalConﬁguring TCP/IP on a Macintosh Computer 5-26 User’s Reference GuideDynamic conﬁguration recommended Conﬁguring TCP/IP Static conﬁguration optional1. Go to the Apple menu. Select 5-28 User’s Reference Guide Dynamic conﬁguration using MacIP optionalConﬁguring TCP/IP 5-30 User’s Reference Guide “Connecting a console cable to your router” on page “Connecting through a Telnet session” on pageChapter Console-Based Management Console-Based ManagementUpgrade feature set. See “Upgrade feature set” on page Connecting through a Telnet session6-32 User’s Reference Guide Filter sets ﬁrewalls. See “About ﬁlters and ﬁlter sets” on pageConnecting a console cable to your router Conﬁguring Telnet softwareConsole-Based Management 6-34 User’s Reference Guide Navigating through the console screensEasy Setup console screens Chapter Easy SetupAccessing the Easy Setup console screens Easy Setup7-36 User’s Reference Guide See Appendix A, “Troubleshooting,” for more suggestionsIf your ISP supports DHCP Quick Easy Setup connection pathIf your ISP doesn’t support DHCP Easy Setup7-38 User’s Reference Guide For more Easy Setup options see “More Easy Setup options” on pageMore Easy Setup options WAN Ethernet ConﬁgurationEasy Setup 7-40 User’s Reference Guide IP Easy SetupEasy Setup Easy Setup Security Conﬁguration7-42 User’s Reference Guide Easy Setup is now complete1. Select RESTART DEVICE. A prompt asks you to conﬁrm your choice “System conﬁguration features” on page Chapter WAN and System ConfigurationWAN conﬁguration WAN and System Conﬁguration8-44 User’s Reference Guide System conﬁguration screensWAN and System Conﬁguration Navigating through the system conﬁguration screens8-46 User’s Reference Guide System conﬁguration featuresFilter sets ﬁrewalls IP setupIP address serving Date and timeConsole conﬁguration Upgrade feature setSNMP Simple Network Management Protocol SecurityWAN and System Conﬁguration Logging8-50 User’s Reference Guide Installing the Syslog clientNetwork Address Translation features Chapter IP Setup and Network Address TranslationIP Setup and Network Address Translation “Network Address Translation features” on pageHOW NAT WORKS With NAT ISP 163.167.132.1 Without NAT 9-52 User’s Reference Guideor corporate intranet router 192.168.1.100 192.168.1.102 192.168.1.103 192.168.1.104 192.168.1.105Using Network Address Translation Note See “Associating port numbers with nodes” on pageIP Setup and Network Address Translation 9-54 User’s Reference Guide Associating port numbers with nodes Network Address Translation guidelineIP Setup and Network Address Translation IP setup 9-56 User’s Reference GuideIP Setup and Network Address Translation Select Add Export. The Add Exported Service screen appears 9-58 User’s Reference GuideCANCEL Exports, Add Export, and Delete ExportSelect Service. A pop-up menu of services and ports appears IP Setup and Network Address Translation9-60 User’s Reference Guide IP subnetsFor example IP Setup and Network Address TranslationStatic routes 9-62 User’s Reference Guidepage IP Setup and Network Address Translation Viewing static routesAdding a static route 9-64 User’s Reference GuideModifying a static route Rules of static route installationDeleting a static route IP Setup and Network Address Translation9-66 User’s Reference Guide Serve DHCP Clients Serve BootP Clients Serve Dynamic WAN ClientsIP address serving Follow these steps to conﬁgure IP Address Serving IP Setup and Network Address Translation9-68 User’s Reference Guide IP Address PoolsNumerous factors inﬂuence the choice of served address. It is difﬁcult to specify the address that will be served to a particular client in all circumstances. However, when the address server has been conﬁgured, and the clients involved have no prior address serving interactions, the Netopia R910 will generally serve the ﬁrst unused address from the ﬁrst address pool with an available address. The Netopia R910 starts from the pool on the ﬁrst row and continues to the pool on the last row of this screen IP Setup and Network Address Translation9-70 User’s Reference Guide DHCP NetBIOS OptionsIP Setup and Network Address Translation 9-72 User’s Reference Guide Select Release BootP Leases and press ReturnYou have ﬁnished your IP setup “Installing the VPN Client” on page “About ATMP Tunnels” on page “VPN Default Answer Proﬁle” on page “VPN QuickView” on pageChapter Virtual Private Networks VPN Virtual Private Networks VPNTransi t In t ern etwor k 10-74 User’s Reference Guide“About ATMP Tunnels” on page “About PPTP Tunnels” on page “About IPsec Tunnels” on pageSummary Virtual Private Networks VPNPPTP configuration About PPTP Tunnels10-76 User’s Reference Guide Virtual Private Networks VPN Note Proﬁles using PPTP do not offer a Telco Options screen10-78 User’s Reference Guide Encryption Support MS-CHAP V2 and strong encryptionVirtual Private Networks VPN Configuration About IPsec Tunnels10-80 User’s Reference Guide The Add Connection Proﬁle screen appears Virtual Private Networks VPN10-82 User’s Reference Guide Virtual Private Networks VPN IP Profile Parameters10-84 User’s Reference Guide Advanced IP Profile OptionsVirtual Private Networks VPN VPN Default Answer ProfileInteroperation with other features VPN QuickView10-86 User’s Reference Guide Proﬁle Name Lists the name of the Connection Proﬁle being used, if any Virtual Private Networks VPNInstalling Dial-Up Networking Dial-Up Networking for VPN10-88 User’s Reference Guide Virtual Private Networks VPN Creating a new Dial-Up Networking profile10-90 User’s Reference Guide Configuring a Dial-Up Networking profileVirtual Private Networks VPN 4. Click the TCP/IP Settings buttonWindows 95 VPN installation Installing the VPN ClientWindows 98 VPN installation 10-92 User’s Reference GuideVirtual Private Networks VPN Connecting using Dial-Up NetworkingATMP configuration About ATMP Tunnels10-94 User’s Reference Guide Virtual Private Networks VPN Note Proﬁles using ATMP do not offer a Telco Options screen10-96 User’s Reference Guide Virtual Private Networks VPN Allowing VPNs through a Firewall 10-98 User’s Reference Guide“PPTP example” on page “ATMP example” on page PPTP example Virtual Private Networks VPNDisplay/Change Input Filter screen 10-100 User’s Reference Guide 0.0.0.0 Virtual Private Networks VPN0.0.0.0 0.0.0.010-102 User’s Reference Guide ATMP exampleVirtual Private Networks VPN 0.0.0.0 10-104 User’s Reference Guide0.0.0.0 0.0.0.0PPP over Ethernet Chapter PPP over Ethernet11-106 User’s Reference Guide Configuration PPP Ethernet LAN ReconfigurationThe Netopia R910 offers the ability for PPP to reconﬁgure the router’s Ethernet LAN when establishing an unnumbered, non-NAT connection PPP over Ethernet11-108 User’s Reference Guide Quick ViewQuick View status overview Chapter Monitoring ToolsMonitoring Tools “Quick View status overview” on page “Statistics & Logs” on pageGeneral status Status lights12-110 User’s Reference Guide Statistics & Logs General StatisticsMonitoring Tools 12-112 User’s Reference Guide Event historiesPhysical Interface Network InterfaceWAN Event History Device Event HistoryMonitoring Tools 12-114 User’s Reference Guide Routing tablesMonitoring Tools IP routing table12-116 User’s Reference Guide Served IP AddressesMonitoring Tools System InformationThe SNMP Setup screen SNMP12-118 User’s Reference Guide SNMP traps Community stringsMonitoring Tools 12-120 User’s Reference Guide Setting the IP trap receiversViewing IP trap receivers Modifying IP trap receiversMonitoring Tools Deleting IP trap receivers12-122 User’s Reference Guide Chapter Security “Telnet access” on page “About ﬁlters and ﬁlter sets” on pageSuggested security measures User accounts13-124 User’s Reference Guide Protecting the Security Options screenProtecting the conﬁguration screens Security Telnet accessWhat’s a ﬁlter and what’s a ﬁlter set? About ﬁlters and ﬁlter setsHow ﬁlter sets work 13-126 User’s Reference GuideSecurity Filter prioritypacket first filter match? send to next filter yes pass or discard? discard delete pass13-128 User’s Reference Guide How individual ﬁlters workA ﬁlter’s actions A ﬁltering rulePort numbers Parts of a ﬁlterPort number comparisons Security13-130 User’s Reference Guide Other ﬁlter attributesPutting the parts together Security Filtering example #1Design guidelines 13-132 User’s Reference GuideFiltering example #2 Working with IP ﬁlters and ﬁlter sets An approach to using ﬁltersDisadvantages of ﬁlters Security13-134 User’s Reference Guide Adding a ﬁlter setSecurity Naming a new ﬁlter set13-136 User’s Reference Guide Input and output ﬁlters-source and destinationAdding ﬁlters to a ﬁlter set Security 1. To make the ﬁlter active in the ﬁlter set, select Enabled and toggle it to Yes. If Enabled is toggled to No, the ﬁlter can still exist in the ﬁlter set, but it will have no effect13-138 User’s Reference Guide Viewing ﬁlter setsViewing ﬁlters Modifying ﬁltersDeleting a ﬁlter set Modifying ﬁlter setsA sample IP ﬁlter set Security13-140 User’s Reference Guide Security Possible modiﬁcations13-142 User’s Reference Guide Basic IP packet components Firewall tutorial General ﬁrewall termsBasic protocol types Security13-144 User’s Reference Guide Firewall design rulesExample TCP/UDP Ports Firewall LogicLogical AND function Binary representationImplied rules Security13-146 User’s Reference Guide Filter basicsEstablished connections Example IP ﬁlter set screenIncoming Packet Filter Example ﬁltersNetopia Internet13-148 User’s Reference Guide ExampleExample Security ExampleExample 13-150 User’s Reference Guide RADIUS client configuration RADIUS Client SupportSecurity RADIUS Server Authentication Port 13-152 User’s Reference GuideRADIUS then Local Local then RADIUSbe unable to configure this device unless a Radius Server is SecurityAdvanced Security Options 13-154 User’s Reference Guide Utilities and Diagnostics Chapter Utilities and Diagnostics“Factory defaults” on page “Ping” on page “Trace Route” on page “Telnet client” on page14-156 User’s Reference Guide PingUtilities and Diagnostics 14-158 User’s Reference Guide Trace RouteUtilities and Diagnostics Telnet clientDisconnect Telnet console session Factory defaultsTransferring conﬁguration and ﬁrmware ﬁles with TFTP 14-160 User’s Reference GuideUtilities and Diagnostics Updating ﬁrmwareGET WAN MODULE FIRMWARE FROM SERVER Config File Name GET CONFIG FROM SERVER SEND CONFIG TO SERVER14-162 User’s Reference Guide Downloading conﬁguration ﬁlesUploading conﬁguration ﬁles Transferring conﬁguration and ﬁrmware ﬁles with XMODEMUtilities and Diagnostics Updating ﬁrmware 14-164 User’s Reference GuideUtilities and Diagnostics Downloading conﬁguration ﬁlesUploading conﬁguration ﬁles 14-166 User’s Reference Guide Restarting the systemConﬁguration problems Appendix A TroubleshootingTroubleshooting A-167 “Conﬁguration problems” on page A-167Network problems Console connection problemsProblems communicating with remote IP hosts Local routing problemsPower outages How to reset the router to factory defaultsReset Switch Slot Troubleshooting A-169Technical support How to reach usA-170 User’s Reference Guide Before contacting NetopiaTroubleshooting A-171 Online product informationOnline Technical Support A-172 User’s Reference Guide “What is IP?” on page B-173 “About IP addressing” on page B-173 What is IP?Appendix B Understanding IP Addressing About IP addressingB-174 User’s Reference Guide Subnets and subnet masksExample Using subnets on a Class C IP internet Understanding IP Addressing B-175Subnet masks Network conﬁguration B-176 User’s Reference GuideCustomer Site A ISP NetworkDistributing IP addresses Example Working with a Class C subnetUnderstanding IP Addressing B-177 BackgroundB-178 User’s Reference Guide Technical note on subnet maskingConﬁguration Netopia R910 DHCP server characteristicsUnderstanding IP Addressing B-179 DHCP address servingManually distributing IP addresses Using address servingTips and rules for distributing IP addresses B-180 User’s Reference GuideUnderstanding IP Addressing B-181 Nested IP subnets B-182 User’s Reference GuideA DHCP example Internet Understanding IP Addressing B-183B-184 User’s Reference Guide Broadcasts Packet header typesUnderstanding IP Addressing B-185 B-186 User’s Reference Guide Network conﬁguration Appendix C Understanding Netopia NAT BehaviorBackground ISP NetworkC-188 User’s Reference Guide Workstation A Understanding Netopia NAT Behavior C-189Workstations C-190 User’s Reference GuideUnderstanding Netopia NAT Behavior C-191 Exported servicesC-192 User’s Reference Guide Important notesConﬁguration Understanding Netopia NAT Behavior C-193C-194 User’s Reference Guide SummaryBinary Conversion Table D-195 Appendix D Binary Conversion TableDecimal D-196 User’s Reference GuideBinary DecimalFurther Reading E-197 Appendix E Further ReadingE-198 User’s Reference Guide Further Reading E-199 E-200 User’s Reference Guide Power requirements Appendix F Technical Specifications and Safety InformationTechnical Speciﬁcations and Safety Information F-201 DescriptionRegulatory notices F-202 User’s Reference GuideDeclaration for Canadian users Technical Speciﬁcations and Safety Information F-203 Important safety instructionsTelecommunication installation cautions BatteryF-204 User’s Reference Guide Index NumericsIndex-205 Index-206 Index-207 Index-208 13-131Index-209