Perle Systems IOLINK-520 2.4.3 - Security

Applications

IOLINK-520 & IOLINK-PRO Installation & Applications Guide — 2.39

2.4.3 - Security

The IOLINK router provides a number of means of providing security on incoming and

outgoing traffic on a network. These methods include the IPsec protocol suite, access

password authentication, firewall limiting access to only designated device addresses, private

network address translation (NAT) and filtering for both incoming and outgoing traffic.

2.4.3.1 – IPSec Protocol Suite

The PPP IOLINK-520 & IOLINK-PRO support a number of features from the Internet

Protocol Security (IPSec) extensions that provide data encryption, authentication and

privacy. IPSec can be used to establish a secure Virtual Private Network (VPN) over a

public network. The connection through the unsecured public network between two routers

on a VPN is often referred to as a “tunnel”.

A VPN is set-up as a Security Association (SA) between the two routers (also known as

security gateways in this case) on either end of the desired secure connection. The SA

defines the security parameters that will be used between the two routers. Many of the

settings define “source” and “destination” parameters. These settings will be mirror images

on the partner routers; i.e. the “source” value for a parameter will become the “destination”

setting when configuring the partner router.

Each router on the VPN has a policy list which defines the SAs, the IPSec authentication

and encryption parameters, and the rules used to determine which packets are passed

through the interface. The IPSec policy is applied at the outbound interface of the router

and packets enter the tunnel at the outbound interface.

Figure 2 -12 Sample IPSec Application

The figure above illustrates an example if a VPN made up of two private address LANs joined

through the Internet by IPsec tunnels from router 1 to router 2 and router 2 to router 1. The routers

are set-up with numbered links, so that each routers Internet connection has a publicly known address

that is separate from the private LAN IP address for that router. Note that this example does not

LAN #1 LAN #2

Internet

Router 2

Internet IP

201.55.44.2

Router 1

Internet IP

199.22.33.1

192.168.10.1

through

192.168.10..255

10.10.10.1

through

10.10.10.127

Contents

Main Page Page Export Control Notice Federal Communications Commission (FCC) Canadian Emissions Standard ICES-003 For products marked with the CE Telecommunications label, the following declaration applies: ISDN Type Approval Labels Canadian ISDN Approval Using This Manual Installation Typical Applications & How to Configure Them Introduction to Filtering Menu Trees Page Page Page Page 1 Installation Unpack the IOLINK Router Select a Site Identify the Reset Switch Identify the Connectors IOLINK-PRO IOLINK-520 Connect to the Console Make the Link Connection(s) Power Up the Bridge/Router Managing the IOLINK-520 & IOLINK-PRO Using the Menus Conventions ! ! ! Login to Bridge/Router and Enter the Required Configuration Note: ! ! ! Mandatory Configuration Identify the Status LEDs POWER LAN LINK 1/LAN 2 LINK 2 Page 2 Typical Applications & How to Configure Them 2.1 - Bridging and Routing Should You Bridge or Route? 2.1.1 - Bridging 2.1.2 - IP Routing ! ! 2.1. 2 .1 - IP Addressing 2.1.2.2 Masks 2.1.2.3 - IP Subnets Page 2.1.2.3 - IP Default Gateway 2.1.2.4 - IP Static Route ! ! ! ! ! ! ! ! 2.1.3 - IPX Routing 2.1.3.1 - Novell Servers in Both Locations 2.1.3.2 - Novell Servers in One Location Only Page Page 2.1.4 - PPP Overview 2.1.4.1 - PPP Link Configuration 2.1.4.2 - Numbered Links ! ! ! 2.1.4.3 - Unnumbered Links Page 2.2 Basic WAN Configurations 2.2.1 - Basic ISDN Connections ! ! ! ! ! ! 2.2.1.1 - PPP ISDN Manual Call Quick Connections Page 2.2.2 - Basic Frame Relay Configuration ! 2.2.2.1 - Auto Learning the Frame Relay Configuration 2.2.2.2 - Manual Configuration - LMI Type ! ! 2.2.2.3 - Quick Start Frame Relay ! ! ! 2.2.3 - Basic Leased Line Configuration ! 2.2.3.1 - Quick Start PPP Leased Line Connections ! ! ! 2.3 - Configure Remote Site Profiles Page Page 2.3.2 - Configure Remote Site Profile for Frame Relay ! ! ! Page Page 2.3.3 - Configure Remote Site Profiles for Leased Line PPP ! ! Page 2.4 Advanced Features Page Page Applications 2.38 IOLINK-520 & IOLINK-PRO Installation & Applications Guide Figure 2 -11 NAPT Configuration 2.4.3 - Security 2.4.3.1 IPSec Protocol Suite Page Page Page Page Page Page 2.4.3.2 - Configure PPP Security ! ! Page 2.4.3.3 - Configure Firewall Page Page Page Page 3 Introduction to Filtering MAC Address Filtering Pattern Filtering Popular Filters Bridge IP & Related Traffic Novell IPX Frames NetBIOS &NetBEUI (Windows For Workgroups) IP Router NetBIOS over TCP Other interesting TCP Ports Page MAIN Menu Tree LAN IPX Set-Up LAN-NAT set-up Bridge-STP Set-Up LAN Set-Up IP Address Connect Connections Set-Up BACP Set-Up Schedule Usage Set-Up 4] 8] 5] 4] 5] 4] Edit Route Edit Service 2] IPX Routing Set-Up Static Routes Static Services IPSecurity Set-Up Policy Set-up 5] SNMP Set-Up 4] 5] 6] Page Page Octet Locations B.2 IOLINK-520 & IOLINK-PRO000 Installation & Applications Guide Octet Locations on a Bridged Novell Netware Frame ETHERNET Type Codes Page Page Appendix C Servicing Information Opening of the case and changing of modules is only to be performed by qualified service personnel. WARNING ! Opening the case Identifying the Internal Components To Clear a Lost Password Changing LAN or WAN Interfaces Selecting MDI or MDI-X LAN Interface Installing the ISDN Link Modules Processor settings for the ISDN Link Modules Changing the Termination Straps on the ISDN S/T Interface Connecting to the ISDN-U Link Module Performing a Software Upgrade Page Page Appendix D Interface Pinouts Pinout Information Link Clocking Information ATL-CSU/DSU Link Module Information Switches up down Console Pinouts D.4 IOLINK-520 & IOLINK-PRO00 Installation & Applications Guide V.24 & RS232C Link Pinouts Figure D-5 RS232 Link Pinouts V.11/X.21 Link Pinouts D.6 IOLINK-520 & IOLINK-PRO00 Installation & Applications Guide RS442 & RS530 Link Pinouts Figure D-7 RS530 Link Pinouts V.35 Link Pinouts D.8 IOLINK-520 & IOLINK-PRO00 Installation & Applications Guide RS232 Null-Modem Cable Configuration Figure D-9 RS232 Null-Modem Cable Interface Pinouts IOLINK-520 & IOLINK-PRO Installation & Applications Guide D.9 V.35 Null-Modem Cable Configuration Figure D 10 V-35 Null-Modem Cable D.10 IOLINK-520 & IOLINK-PRO00 Installation & Applications Guide RS530 Null-Modem Cable Configuration Figure D-11 RS530 Null-Modem Cable Interface Pinouts IOLINK-520 & IOLINK-PRO Installation & Applications Guide D.11 RS530 To RS449 Conversion Cable Figure D-12 RS530 to RS449 Conversion Cable V.11/X.21 Null-Modem Cable Configuration Index IOLINK-520 & IOLINK-PRO Installation & Applications Guide A B BACP, 2.50 Bandwidth on Demand, 2.52 Index IOLINK-520 & IOLINK-PRO Installation & Applications Guide N O P Lifetime Warranty Limited Lifetime Warranty Policy Limited Lifetime Warranty Schedules Part 1