Avaya Business Secure Router 252 Configuration - Basics Configuration manual
Contents
1. Filter default policy DROP: Access matched a default filter policy (denied LAN IP) and the Business Secure Router dropped the packet to block access.
   Filter default policy FORWARD: TCP access matched a default filter policy. Access was allowed and the router forwarded the packet.
   Filter default policy FORWARD: UDP access matched a default filter policy. Access was allowed and the router forwarded the packet.
   Filter default policy FORWARD: ICMP access matched a default filter policy. Access was allowed and the router forwarded the packet.
   Filter default policy FORWARD: Access matched a default filter policy. Access was allowed and the router forwarded the packet.
   Filter default policy FORWARD: Access matched a default filter policy (denied LAN IP). Access was allowed and the router forwarded the packet.
   Filter match DROP <set %d rule %d>: TCP access matched the listed filter rule and the Business Secure Router dropped the packet to block access.
   Filter match DROP <set %d rule %d>: UDP access matched the listed filter rule and the Business Secure Router dropped the packet to block access.
   Filter match DROP <set %d rule %d>: ICMP access matched the listed filter rule and the Business Secure Router dropped the packet to block access.
   Filter match DROP <set %d rule %d>: Access matched the listed filter rule and the Business Secure Router dropped the packet to block access.
   Filte
2. Address, followed by the subnet mask. The IP 0.0.0.0/0 means all.
   Destination Port: This field displays the port number of the destination. 0 means all ports.
   Source IP Address: This field displays the source IP address in dotted decimal notation, followed by the subnet mask. The IP 0.0.0.0/0 means all.
   Source Port: This field displays the port number of the source. 0 means all ports.
   Protocol ID: This field displays the protocol ID (service type number), for example 1 for ICMP, 6 for TCP or 17 for UDP. 0 means all protocols.
   Move: Type the number of a filter entry and the number for where you want to put it. Click Move to move the filter to the number that you typed. The ordering of your filters is important, as they are applied in order of their numbering. The filter entry numbers are not static names for the entries: a filter entry's number changes as you move the filter entry up or down in the list. Also, only the existing filter entries are counted; you cannot have any blank filter entries. For example, if you have only three filters and try to move number one to seven, it becomes filter three.
   Bandwidth Manager Class Configuration
   Configure a bandwidth management class in the Class Setup screen. You must use the Summary screen to enable bandwidth management on an interface before you can configure subclasses for that interface. To add a subclass, click BW MGMT and then the Class Setup tab. Click the Add Sub C
3. Label / Description
   Class Name: This field displays the name of the class the statistics page is showing.
   Budget (kbps): This field displays the amount of bandwidth allocated to the class.
   Tx Packets: This field displays the total number of packets transmitted.
   Tx Bytes: This field displays the total number of bytes transmitted.
   Dropped Packets: This field displays the total number of packets dropped.
   Dropped Bytes: This field displays the total number of bytes dropped.
   Bandwidth Statistics for the Past 8 Seconds (t-8 to t-1): This field displays the bandwidth statistics in b/s for the past one to eight seconds. For example, t-1 means one second ago.
   Update Period (Seconds): Enter the time interval in seconds to define how often the information is refreshed.
   Set Interval: Click Set Interval to apply the new update period you entered in the Update Period field above.
   Stop Update: Click Stop Update to stop the browser from refreshing bandwidth management statistics.
   Clear Counter: Click Clear Counter to clear all of the bandwidth management statistics.
   Nortel Business Secure Router 252 Configuration Basics 310 / Chapter 15 Bandwidth management
   Monitor
   To view bandwidth usage and allotments, click BW MGMT, then the Monitor tab. The screen appears as shown in Figure 102.
   Figure 102 Bandwidth manager monitor
4. UPnP pass through Firewall: UPnP packets can pass through the firewall.
   Table 126 Content Filtering Logs (Category / Log Message / Description)
   URLFOR / IP/Domain Name: The Business Secure Router allows access to this IP address or domain name and forwarded traffic addressed to the IP address or domain name.
   URLBLK / IP/Domain Name: The Business Secure Router blocked access to this IP address or domain name due to a forbidden keyword. All Web traffic is disabled except for trusted domains, untrusted domains or the cybernot list.
   JAVBLK / IP/Domain Name: The Business Secure Router blocked access to this IP address or domain name because of a forbidden service such as ActiveX, a Java applet, a cookie or a proxy.
   Table 127 Attack Logs (Log Message / Description)
   attack TCP: The firewall detected a TCP attack.
   attack UDP: The firewall detected a UDP attack.
   attack IGMP: The firewall detected an IGMP attack.
   NN47923-500 Appendix B Log Descriptions 433
   attack ESP: The firewall detected an ESP attack.
   attack GRE: The firewall detected a GRE attack.
   attack OSPF: The firewall detected an OSPF attack.
   attack ICMP (type %d, code %d): The firewall detected an ICMP attack; see the section about ICMP messag
5. Note: All of the recorded reports data is erased when you turn off the Business Secure Router.
   Viewing Web site hits
   In the Reports screen, select Web Site Hits from the Report Type drop-down list to have the Business Secure Router record and display which Web sites have been visited the most often and how many times they have been visited.
   Figure 152 Web site hits report example
   Table 102 describes the fields in Figure 152.
   Table 102 Web site hits report (Label / Description)
   Web Site: This column lists the domain names of the Web sites visited most often from computers on the LAN. The names are ranked by the number of visits to each Web site and listed in descending order, with the most visited Web site listed first. The Business Secure Router counts each page viewed in a Web site as another hit on the Web site.
   Hits: This column lists how many times each Web site has been visited. The count star
6. Table 56 describes the fields in Figure 73.
   Table 56 VPN Branch Office IP Policy Port Forwarding Server (Label / Description)
   Default Server: In addition to the servers for specified services, NAT supports a default server. A default server receives packets from ports that are not specified in this screen. If you do not assign a default server IP address, all packets received for ports not specified in this screen are discarded.
   #: Number of an individual port forwarding server entry.
   Active: Select this check box to activate the port forwarding server entry.
   Name: Enter a descriptive name for identifying purposes.
   Start Port: Type a port number in this field. To forward only one port, type the port number again in the End Port field. To forward a series of ports, type the start port number here and the end port number in the End Port field.
   End Port: Type a port number in this field. To forward only one port, type the port number in the Start Port field above and then type it again in this field. To forward a series of ports, type the last port number in a series that begins with the port number in the Start Port field above.
   Server IP Addre
7. Table 108 System Status (Label / Description)
   IP Address: This is the WAN port IP address.
   IP Subnet Mask: This is the WAN port subnet mask.
   Default Gateway: This is the IP address of the default gateway, if applicable.
   VPI/VCI: This is the Virtual Path Identifier and Virtual Channel Identifier that you entered in the first Wizard screen.
   LAN Information
   MAC Address: This is the MAC (Media Access Control) or Ethernet address unique to your Business Secure Router.
   IP Address: This is the LAN port IP address.
   IP Subnet Mask: This is the LAN port IP subnet mask.
   DHCP: This is the LAN port DHCP role: Server, Relay or None.
   DHCP Start IP: This is the first of the contiguous addresses in the IP address pool.
   DHCP Pool Size: This is the number of IP addresses in the IP address pool.
   Show Statistics: Click Show Statistics to see router performance statistics such as the number of packets sent and number of packets received for each port.
   System statistics
   Read-only information here includes port status and packet-specific statistics. Also provided are system up time and poll intervals. The Poll Interval(s) field is configurable.
   Figure 159 System Status: Show statistics
8. AT Command Initial String: Type the AT command string to initialize the WAN device. Consult the manual of your WAN device connected to your Dial Backup port for specific AT commands.
   Advanced Modem Setup: Click this button to display the Advanced Setup screen and edit the details of your dial backup setup.
   TCP/IP Options
   Priority (Metric): This field sets this route's priority among the three routes the Business Secure Router uses (normal, traffic redirect and dial backup). Type a number (1 to 15) to set the priority of the dial backup route for data transmission. The smaller the number, the higher the priority. If the three routes have the same metrics, the priority of the routes is as follows: WAN, Traffic Redirect, Dial Backup.
   Get IP Address Automatically from Remote Server: Select this check box if your ISP will automatically assign you an IP address (dynamic IP address).
   Table 21 Dial Backup Setup (continued)
   Use Fixed IP Address: Select this check box if your ISP assigned you a fixed IP address, and then enter the IP address in the following field.
   My WAN IP Address: Leave the field set to 0.0.0.0 (default) to have the ISP or other remote router dynamically (automatically) assign your WAN IP address if you do not know it. Type your WAN IP address here if you know it s
9. Note: Nortel recommends that you disable Telnet and FTP when you configure SSH for secure connections.
   Secure Telnet using SSH examples
   This section shows two examples using a command interface and a graphical interface SSH client program to remotely access the Business Secure Router. The configuration and connection steps are similar for most SSH client programs. For more information about SSH client programs, refer to your SSH client program user's guide.
   Example 1: Microsoft Windows
   This section describes how to access the Business Secure Router using the Secure Shell Client program.
   1 Launch the SSH client and specify the connection information (IP address, port number or device name) for the Business Secure Router. Configure the SSH client to accept connection using SSH version 1. A window appears prompting you to store the host key in your computer. Click Yes to continue.
   Figure 123 SSH Example 1: Store Host Key
   Host Identification: You are connecting to the host 192.168.1.1 for the first time. The host has provided you its identification, a host public key. The fingerprint of the host public key is yeyvac-bycor-kubyz-dipah-ravut-fyduz-kazuk-goler-cavom-hifat-sexox. You can save the host key to the local database by clicking Yes. You can continue without saving the host key by clicking No. You can also cancel the connec
10. Figure 160 DHCP Table
    Table 110 describes the fields in Figure 160.
    Table 110 DHCP Table (Label / Description)
    #: This is the index number of the host computer.
    IP Address: This field displays the IP address relative to the # field listed above.
    Host Name: This field displays the computer host name.
    MAC Address: This field shows the MAC address of the computer with the name in the Host Name field. Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example 00:A0:C5:00:00:02.
    Reserve: Select the check box to have the Business Secure Router always assign the displayed IP address to the corresponding MAC address and host name. After you click Apply, the MAC address and IP address also display in the LAN Static DHCP screen, where you can edit them.
    Refresh: Click Refresh to renew the screen.
    Diagnostic Screen
    From the Site Map screen, click Diagnostic to open the screen shown next.
    Figure 161 Diagnostic
11. Starting IP Address: When the Address Type field is configured to Single Address, enter a static IP address on the LAN behind your Business Secure Router. When the Address Type field is configured to Range Address, enter the beginning (static) IP address in a range of computers on your LAN behind your Business Secure Router. When the Address Type field is configured to Subnet Address, this is a static IP address on the LAN behind your Business Secure Router.
    Ending IP Address / Subnet Mask: When the Address Type field is configured to Single Address, this field is N/A. When the Address Type field is configured to Range Address, enter the end (static) IP address in a range of computers on the LAN behind your Business Secure Router. When the Address Type field is configured to Subnet Address, this is a subnet mask on the LAN behind your Business Secure Router.
    Table 55 VPN Branch Office IP Policy (Label / Description)
    Protocol: Enter a number to specify what type of traffic is allowed to go through the VPN tunnel that is built using this IP policy. For example, use 1 for ICMP, 6 for TCP, 17 for UDP; 0 is the default and signifies any protocol. For example, if you select 1 (ICMP), only ICMP packets can go through the tunnel. If you specify a protocol other than 1 (ICMP) or 0 (any protocol), you cannot use the control ping feature. If you set this field to 6
12. Apply: Click Apply to save your changes to the Business Secure Router.
    Reset: Click Reset to begin configuring this screen afresh.
    Chapter 10 Firewalls
    This chapter gives some background information on firewalls and introduces the Business Secure Router firewall.
    Firewall overview
    Originally, the term firewall referred to a construction technique designed to prevent the spread of fire from one room to another. The networking term firewall is a system or group of systems that enforces an access control policy between two networks. It can also be defined as a mechanism used to protect a trusted network from an untrusted network. Of course, firewalls cannot solve every security problem. A firewall is one of the mechanisms used to establish a network security perimeter in support of a network security policy. It must never be the only mechanism or method employed. For a firewall to guard effectively, you must design and deploy it appropriately. This requires integrating the firewall into a broad information security policy. In addition, specific policies must be implemented within the firewall itself.
    Types of firewalls
    There are three main types of firewalls:
    1 Packet Filtering firewalls
    2 Application-level firewalls
    3 Stateful Inspection firewalls
13. ESP / AH
    Encryption
    DES (default): Data Encryption Standard (DES) is a widely used method of data encryption using a secret key. DES applies a 56-bit key to each 64-bit block of data.
    3DES: Triple DES (3DES) is a variant of DES which iterates 3 times with 3 separate keys (3 x 56 = 168 bits), effectively doubling the strength of DES.
    AES: Advanced Encryption Standard is a newer method of data encryption that also uses a secret key. This implementation of AES applies a 128-bit key to 128-bit blocks of data during phase 1. You can configure the device to use a 128-bit, 192-bit or 256-bit key for phase 2. AES is faster than 3DES.
    NULL: Select NULL to set up a phase 2 tunnel without encryption.
    Authentication
    MD5 (default): MD5 (Message Digest 5) produces a 128-bit digest to authenticate packet data.
    SHA1: SHA1 (Secure Hash Algorithm) produces a 160-bit digest to authenticate packet data.
    Select MD5 for minimal security and SHA-1 for maximum security.
    Key management
    Your Business Secure Router uses IKE (ISAKMP) key management in order to set up a VPN.
    Encapsulation
    The two modes of operation for IP
14. SUA Server
    A SUA server set is a list of inside (behind NAT on the LAN) servers, for example web or FTP, that you can make visible to the outside world even though SUA makes your whole inside network appear as a single computer to the outside world. You can enter a single port number or a range of port numbers to be forwarded, and the local IP address of the desired server. The port number identifies a service; for example, web service is on port 80 and FTP on port 21. In some cases, such as for unknown services or where one server can support more than one service (for example both FTP and web service), it is better to specify a range of port numbers. You can allocate a server IP address that corresponds to a port or a range of ports.
    With many residential broadband ISP accounts, you cannot run any server processes (such as a Web or FTP server) from your location. Your ISP periodically checks for servers and can suspend your account if it discovers any active services at your location. If you are unsure, refer to your ISP.
    Default server IP address
    In addition to the servers for specified services, NAT supports a default server IP address. A default server receives packets from ports that are not specified in this screen.
    Note: If you do not assign a Default Server IP Address, the Business Secure Router discards all packets received for ports that are not specified here or in the remote management setup.
15. The Business Secure Router discards any packets received with the wrong sequence number.
    Inbound packet authentication failed: The authentication configuration settings are incorrect. Check them.
    Inbound packet decryption failed: The decryption configuration settings are incorrect. Check them.
    Rule %d idle time out, disconnect: If an SA has no packets transmitted for a period of time (configurable through the CI command), the Business Secure Router drops the connection.
    Table 134 shows RFC 2408 ISAKMP payload types that the log displays. Refer to RFC 2408 for detailed information about each type.
    Table 134 RFC 2408 ISAKMP Payload Types (Log Display / Payload Type)
    SA: Security Association
    PROP: Proposal
    TRANS: Transform
    KE: Key Exchange
    ID: Identification
    CER: Certificate
    CER_REQ: Certificate Request
    HASH: Hash
    SIG: Signature
    NONCE: Nonce
    NOTFY: Notification
    DEL: Delete
    VID: Vendor ID
    Table 135 PKI Logs (Log Message / Description)
    Enrollment successful: The SCEP online certificate enrollment succeeded. The Destination field records the certification authority server IP address and port.
    Enrollment failed: The SCEP online certificate enrollment failed. The Destination field records the certification authority server IP addr
17. Type: This field displays what kind of certificate this is. REQ represents a certification request and is not yet a valid certificate. Send a certification request to a certification authority, which then issues a certificate. Use the My Certificate Import screen to import the certificate and replace the request. SELF represents a self-signed certificate. *SELF represents the default self-signed certificate, which the Business Secure Router uses to sign imported trusted remote host certificates. CERT represents a certificate issued by a certification authority.
    Subject: This field displays identifying information about the owner of the certificate, such as CN (Common Name), OU (Organizational Unit or department), O (Organization or company) and C (Country). Nortel recommends that each certificate have unique subject information.
    Issuer: This field displays identifying information about the certification authority that issued the certificate, such as a common name, organizational unit or department, organization or company and country. With self-signed certificates, this is the same information as in the Subject field.
    Valid From: This field displays the date that the certificate becomes applicable. The text displays in red and includes a Not Yet Valid message if the certificate has not yet become applicable.
    Valid To: This field displays the date that the certificate expires. The text displays in red and
18. Figure 23 Static DHCP
    Table 15 describes the fields in Figure 23.
    Table 15 Static DHCP (Label / Description)
    #: This is the index number of the Static IP table entry (row).
    MAC Address: Type the MAC address (with colons) of a computer on your LAN.
    IP Address: This field specifies the size, or count, of the IP address pool.
    Apply: Click Apply to save your changes to the Business Secure Router.
    Reset: Click Reset to begin configuring this screen afresh.
    Configuring IP Alias
    With IP Alias you can partition a physical network into different logical networks over the same Ethernet interface. The Business Secure Router supports three logical LAN interfaces through its single physical Ethernet interface, with the Business Secure Router itself as the gateway for each LAN network.
    Note: Make sure that the subnets of the logical networks do not overlap.
    To change the IP Alias settings of your Business Secure Router, click LAN, then the IP Alias tab. The screen appears as shown in Figure 24.
    Figure 24 IP Alias
19. Table 71 describes the labels in Figure 90.
    Table 71 Trusted Remote Hosts (Label / Description)
    PKI Storage Space in Use: This bar displays the percentage of the PKI storage space that is currently in use. The bar turns from green to red when the maximum is approached. When the bar is red, consider deleting expired or unnecessary certificates before adding more certificates.
    Issuer (My Default Self-signed Certificate): This field displays identifying information about the default self-signed certificate on the Business Secure Router that the Business Secure Router uses to sign the trusted remote host certificates.
    #: This field displays the certificate index number. The certificates are listed in alphabetical order.
    Name: This field displays the name used to identify this certificate.
    Subject: This field displays identifying information about the owner of the certificate, such as CN (Common Name), OU (Organizational Unit or department), O (Organization or company) or C (Country). Nortel recommends that each certificate have unique subject information.
    Valid From: This field displays the date that the certificate becomes applicable. The t
20. Figure 102 Bandwidth manager monitor, screen values (Class / Budget (kbps) / Current Usage (kbps))
    Root Class: 100000 / 0
    WAN 1: 1000 / 0
    WAN 2: 1000 / 0
    Default Class: 98000 / 0
    Table 82 describes the labels in Figure 102.
    Table 82 Bandwidth manager monitor (Label / Description)
    Interface: Select an interface from the drop-down list to view the bandwidth usage of its bandwidth classes.
    Class: This field displays the name of the class.
    Budget (kbps): This field displays the amount of bandwidth allocated to the class.
    Current Usage (kbps): This field displays the amount of bandwidth that each class is using.
    Refresh: Click Refresh to update the page.
    Chapter 16 IEEE 802.1x
    IEEE 802.1x overview
    The IEEE 802.1x standard outlines enhanced security methods for both the authentication of users and encryption key management. Authentication can be done using the local user database internal to the Business Secure Router (authenticate up to 32 users) or an external RADIUS server for an unlimited number of users.
    RADIUS
    RADIUS is based on a client-server model that supports authentication and accounting, where users are the clients and the server is the RADIUS server. The RADIUS server handles the following tasks, among others:
    - Authentication: Determines the identity of the users.
    - Accounting: Keeps track of the client's network activity.
    RADIUS is a simple package exchange in which your Business S
21. Configuring Advanced Modem Setup
    Click the Edit button in the Dial Backup screen to display the Advanced Setup screen shown in Figure 32.
    Note: Consult the manual of your WAN device connected to your dial backup port for specific AT commands.
    Figure 32 Advanced Setup
    Table 22 describes the fields in Figure 32.
    Table 22 Advanced Setup (Label / Description / Example)
    Call Back Delay (sec): The number of seconds for the Business Secure Router to wait between dropping a callback request call and dialing the corresponding callback call.
    AT Command Strings
    Dial: Type the AT Command string to make a call. Example: atdt
    Drop: Type the AT Command string to drop a call. ~ represents a one-second wait; for example, ~ath can be used if your modem has a slow response time. Example: ath
    Answer: Type the AT Command string to answer a call. Example: ata
    Drop DTR When Hang Up: Select this check box to have the Business Secure Router drop the DTR (Data Terminal Ready) signal after the AT Command String
22. Phase 2
    A phase 2 exchange uses the IKE SA established in phase 1 to negotiate the SA for IPSec.
    Table 57 VPN Branch Office Advanced Rule Setup (Label / Description)
    Multiple Proposal: Select this check box to allow the Business Secure Router to use any of its phase 2 encryption and authentication algorithms when negotiating an IPSec SA. Clear this check box to have the Business Secure Router use only the phase 2 encryption and authentication algorithms when negotiating an IPSec SA.
    Active Protocol: Select ESP or AH from the drop-down list. The Business Secure Router's IPSec Protocol must be identical to the remote IPSec router's. The ESP (Encapsulation Security Payload) protocol (RFC 2406) provides encryption as well as the authentication offered by AH. If you select ESP here, you must select options from the Encryption Algorithm and Authentication Algorithm fields. The AH protocol (Authentication Header Protocol, RFC 2402) was designed for integrity, authentication, sequence integrity (replay resistance) and nonrepudiation, but not for confidentiality, for which the ESP was designed. If you select AH here, you must select options from the Authentication Algorithm field.
    Encryption Algorithm: Select DES, 3DES, AES or NULL from the drop-down list. When you use one of these encryption algorithms for data communicatio
23. #: The index number of the directory server. The servers are listed in alphabetical order.
    Name: This field displays the name used to identify this directory server.
    Address: This field displays the IP address or domain name of the directory server.
    Port: This field displays the port number that the directory server uses.
    Protocol: This field displays the protocol that the directory server uses.
    Modify: Click the details icon to open a screen where you can change the information about the directory server. Click the delete icon to remove the directory server entry. A window displays asking you to confirm that you want to delete the directory server. Note that subsequent certificates move up by one when you take this action. You cannot delete a certificate that is currently in use.
    Add: Click Add to open a screen where you can configure information about a directory server so that the Business Secure Router can access it.
    Add or edit a directory server
    Click CERTIFICATES, Directory Servers to open the Directory Servers screen. Click Add or the details icon to display the screen shown in Figure 96. Use this screen to configure information about a directory server that the Business Secure Router can access.
    Figure 96 Directory server add
24. Table 3 describes the fields in Figure 9.
    Table 3 Internet connection with PPPoA (Label / Description)
    User Name: Enter the logon name your ISP gave you.
    Password: Enter the password associated with the username above.
    IP Address: This option is available if you select Routing in the Mode field. A static IP address is a fixed IP that your ISP gives you. A dynamic IP address is not fixed; the ISP assigns you a different one each time you connect to the Internet. The Single User Account feature can be used with either a dynamic or static IP address. Click Obtain an IP Address Automatically if you have a dynamic IP address; otherwise, click Static IP Address and type your ISP-assigned IP address in the IP Address text box below.
    Connection: Select Connect on Demand if you do not want the connection up all the time, and specify an idle time-out (in seconds) in the Max Idle Timeout field. The default setting selects Connect on Demand with 0 as the idle time-out, which means the Internet session does not time out. Select Nailed-Up Connection if you want your connection
25. 2 The priority of the WAN port route must always be higher than the dial backup and traffic redirect route priorities (a higher priority is a lower metric value). If the WAN port route has a metric of 1, the traffic redirect route a metric of 2 and the dial backup route a metric of 3, then the WAN port route acts as the primary default route. If the WAN port route fails to connect to the Internet, the Business Secure Router tries the traffic redirect route next. In the same manner, the Business Secure Router uses the dial backup route if the traffic redirect route also fails. The dial backup or traffic redirect routes cannot take priority over the WAN routes.
Configuring Route: Click WAN to open the Route screen (Figure 25 WAN Route). Table 17 describes the fields in Figure 25.
Table 17 WAN Route
WAN, Traffic Redirect, Dial Backup: The default WAN connection priority is 1, as your broadband connection through the WAN port must always be your preferred method of accessing the WAN. The default priority of the routes is WAN, then Traffic Redirect and then Dial Backup (dial backup does not apply to all models). You have two choices for an auxiliary connection in the event that your regular WAN connection goes down. If Dial Backup is preferred to Traffic Redirect, then type 14 in the Dial Backup Priority (metric) field
26. Each time you reload this page, the Business Secure Router synchronizes the date with the time server.
Time and Date Setup, Manual: Select this radio button to enter the time and date manually. If you configure a new time and date, time zone and daylight saving at the same time, the new time and date you entered has priority and the Time Zone and Daylight Saving settings do not affect it.
New Time (hh:mm:ss): This field displays the last updated time from the time server or the last time configured manually. After you set Time and Date Setup to Manual, enter the new time in this field and then click Apply.
New Date (yyyy/mm/dd): This field displays the last updated date from the time server or the last date configured manually. After you set Time and Date Setup to Manual, enter the new date in this field and then click Apply.
Get from Time Server: Select this radio button to have the Business Secure Router get the time and date from the time server that you specified.
Time Protocol: Select the time service protocol that your time server sends when you turn on the Business Secure Router. Not all time servers support all protocols, so you need to check with your ISP or network administrator, or use trial and error to find a protocol that works. The main difference between the protocols is the format. Daytime (RFC 867) format is day, month, year and time zone of the server. Time (RFC 868) format displays a 4 byt
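The two reply formats named in the Time Protocol field, decoded into Unix time, as an added example that is not part of the manual and not the router's own code. It assumes HMAC-free, unauthenticated replies (which is what RFC 867 and RFC 868 are), a Daytime layout of the "day month year time zone" form the manual describes, and a constructed 300-second skew limit; the sample replies in the test are constructed, not captured from a real server.

```python
"""Added example (not from the manual): decode RFC 868 Time and RFC 867 Daytime
replies to Unix time and apply the only plausibility check that is possible,
since neither protocol authenticates the server."""
import re
import struct
from datetime import datetime, timezone

RFC868_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 to 1970-01-01 UTC

def parse_rfc868(reply: bytes) -> int:
    """RFC 868 Time: exactly 4 bytes, unsigned big-endian seconds since 1900."""
    if len(reply) != 4:
        raise ValueError(f"RFC 868 reply must be 4 bytes, got {len(reply)}")
    (since_1900,) = struct.unpack("!I", reply)
    if since_1900 < RFC868_EPOCH_OFFSET:
        raise ValueError("value precedes 1970; reject rather than set a bogus clock")
    return since_1900 - RFC868_EPOCH_OFFSET

_MONTHS = {m: i for i, m in enumerate(
    ("JAN", "FEB", "MAR", "APR", "MAY", "JUN", "JUL", "AUG", "SEP", "OCT", "NOV", "DEC"), 1)}
# Daytime has no fixed format (RFC 867); this accepts the router's
# "26 NOV 2021 10:26:35 GMT" style layout with a UTC/GMT zone only (assumption).
_DAYTIME = re.compile(
    r"^\s*(\d{1,2})\s+([A-Za-z]{3})\s+(\d{4})\s+(\d{2}):(\d{2}):(\d{2})\s+(UTC|GMT)\s*$")

def parse_daytime(reply: str) -> int:
    """RFC 867 Daytime: free-form ASCII; parse the day/month/year/time/zone layout."""
    m = _DAYTIME.match(reply)
    if not m:
        raise ValueError(f"unrecognised Daytime reply: {reply!r}")
    day, mon, year, hh, mm, ss, _zone = m.groups()
    if mon.upper() not in _MONTHS:
        raise ValueError(f"unknown month {mon!r}")
    dt = datetime(int(year), _MONTHS[mon.upper()], int(day),
                  int(hh), int(mm), int(ss), tzinfo=timezone.utc)
    return int(dt.timestamp())

def accept_time(server_unix: int, local_unix: int, max_skew: int = 300) -> bool:
    """A reply from either protocol can be spoofed on the path.  Refusing to step
    the clock by more than max_skew seconds stops a forged reply from, for
    example, pushing the clock outside a certificate's validity window.
    The 300-second limit is a constructed assumption, not a router setting."""
    return abs(server_unix - local_unix) <= max_skew
```

The epoch offset is the whole of RFC 868: subtract it and the 4-byte value is Unix time. The skew check is the practitioner addition; a device that applies whatever an unauthenticated server returns will follow a spoofed reply.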
27. Figure 141 Internet gateway icon (Network Connections window: the Internet Gateway entry, with Network Tasks such as Disable this network device, Rename this connection, View status of this connection and Change settings of this connection).
3 In the Internet Connection Properties window, click Settings to see the port mappings that were automatically created.
Figure 142 Internet connection properties (General tab: Connect to the Internet using Internet Connection; this connection allows you to connect to the Internet through a shared connection on another computer; Show icon in notification area when connected).
4 You can edit or delete the port mappings or click Add to manually add port mappings.
Figure 143 Internet connection properties advanced setup (Advanced Settings: Services, select the services running on your network that Internet users can access; the list shows TCP and UDP mappings to 192.168.1.x hosts; Service Settings: Description of service, Name or IP ad
28. Table (HTTPS and HTTP remote management)
Server Port (HTTPS): The HTTPS proxy server listens on port 443 by default. If you change the HTTPS proxy server port to a different number on the Business Secure Router, for example 8443, you must notify people who need to access the Business Secure Router WebGUI to use https://<Business Secure Router IP Address>:8443 as the URL.
Server Access (HTTPS): Select a Business Secure Router interface from Server Access on which incoming HTTPS access is allowed. You can allow only secure WebGUI access by setting the HTTP Server Access field to Disable and setting the HTTPS Server Access field to an interface. Keeping management off the WAN interface and on HTTPS only is the configuration to prefer; changing the port does not by itself protect the WebGUI.
Secure Client IP Address (HTTPS): A secure client is a trusted computer that is allowed to communicate with the Business Secure Router using this service. Select All to allow any computer to access the Business Secure Router using this service. Choose Selected to allow only the computer with the IP address that you specify to access the Business Secure Router using this service.
HTTP Server Port: You can change the server port number for a service if needed; however, you must use the same port number in order to use that service for remote management.
Server Access (HTTP): Select the interfaces (if any) through which a computer can access the Business Secure Router using this service.
Secure Client IP Address (HTTP): A secure client is a trusted computer that is allowed to communicate with the Business Secure Router u
29. Nortel Business Secure Router 252 Configuration Basics. BSR252 Business Secure Router. Document Number NN47923-500. Document Version 1.2. Date May 2007. NORTEL. Copyright Nortel 2005-2006. All rights reserved. The information in this document is subject to change without notice. The statements, configurations, technical data and recommendations in this document are believed to be accurate and reliable, but are presented without express or implied warranty. The information in this document is proprietary to Nortel. Trademarks: Nortel, the Nortel Logo, the Globemark, "This is the way", "This is Nortel" (Design mark) are trademarks of Nortel. Microsoft, MS, MS-DOS, Windows and Windows NT are registered trademarks of Microsoft Corporation. All other trademarks and registered trademarks are the property of their respective owners.
NN47923-500
Contents
Preface 29
Before you begin 29
Text conventions 29
Hard copy technical manuals 30
Getting Help from the Nortel Web site 31
Getting Help over the phone from a Nortel Solutions Center 31
Getting Help from a specialist by using an Express Routing Code
30. Server: With this type you can specify inside servers of different services behind the NAT to be accessible to the outside world.
Port numbers do not change for One-to-One and Many One-to-One NAT mapping types. Table 24 summarizes these types.
Table 24 NAT mapping type (Type: IP Mapping; SMT abbreviation)
One-to-One: ILA1 <-> IGA1; 1:1
Many-to-One (SUA/PAT): ILA1 -> IGA1, ILA2 -> IGA1; M:1
Many-to-Many Overload: ILA1 -> IGA1, ILA2 -> IGA2, ILA3 -> IGA1, ILA4 -> IGA2; M:M Ov
Many One-to-One: ILA1 <-> IGA1, ILA2 <-> IGA2, ILA3 <-> IGA3; M:1:1
Server: Server 1 IP -> IGA1, Server 2 IP -> IGA1, Server 3 IP -> IGA1; Server
Using NAT. Note: You must create a firewall rule in addition to setting up SUA/NAT to allow traffic from the WAN to be forwarded through the Business Secure Router.
SUA (Single User Account) versus NAT: SUA (Single User Account) is an implementation of a subset of NAT that supports two types of mapping, Many-to-One and Server. The Business Secure Router also supports Full Feature NAT to map multiple global IP addresses to multiple private LAN IP addresses of clients or servers using mapping types. Select either SUA Only or Full Feature in WAN IP.
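The mapping types in Table 24 applied to actual flows, as an added example that is not from the manual and not the router's NAT implementation. ILA/IGA addresses, the translated-port allocator starting at 1024, and round-robin choice of IGA in Many-to-Many Overload are constructed assumptions; what the model is faithful to is the table: the two 1:1 types keep the port, the PAT-style types rewrite it, and the Server type maps inbound service ports to inside hosts.

```python
"""Added example (not from the manual): a small NAT table implementing the
Table 24 mapping types, so the behavioural difference between them shows up
on real (constructed) flows."""
from itertools import count

class NatTable:
    TYPES = ("One-to-One", "Many-to-One", "Many-to-Many Overload", "Many One-to-One")

    def __init__(self, mapping_type, ilas, igas):
        if mapping_type not in self.TYPES:
            raise ValueError(mapping_type)
        if mapping_type in ("One-to-One", "Many One-to-One") and len(ilas) != len(igas):
            raise ValueError("1:1 types need exactly one IGA per ILA")
        if mapping_type == "Many-to-One" and len(igas) != 1:
            raise ValueError("Many-to-One maps every ILA to a single IGA")
        self.type, self.ilas, self.igas = mapping_type, list(ilas), list(igas)
        self.ports = count(1024)   # translated source ports for the PAT-style types (assumption)
        self.out = {}              # (ila, sport) -> (iga, gport)
        self.back = {}             # (iga, gport) -> (ila, sport)

    def outbound(self, ila, sport):
        """Translate a LAN->WAN packet's source; returns the (IGA, port) seen on the WAN."""
        if (ila, sport) in self.out:
            return self.out[(ila, sport)]
        if self.type in ("One-to-One", "Many One-to-One"):
            if ila not in self.ilas:
                raise LookupError(f"{ila} has no static mapping")
            iga, gport = self.igas[self.ilas.index(ila)], sport       # port unchanged
        elif self.type == "Many-to-One":
            iga, gport = self.igas[0], next(self.ports)               # SUA/PAT: port rewritten
        else:  # Many-to-Many Overload: spread sessions over the IGA pool, port rewritten
            iga, gport = self.igas[len(self.out) % len(self.igas)], next(self.ports)
        self.out[(ila, sport)] = (iga, gport)
        self.back[(iga, gport)] = (ila, sport)
        return iga, gport

    def inbound(self, iga, gport):
        """Reverse-translate a WAN->LAN packet.  None means no session and no static
        mapping, so the packet is dropped.  A matching firewall rule is still
        required for WAN-initiated traffic, as the manual's note says."""
        if (iga, gport) in self.back:
            return self.back[(iga, gport)]
        if self.type in ("One-to-One", "Many One-to-One") and iga in self.igas:
            return self.ilas[self.igas.index(iga)], gport
        return None

class ServerMap:
    """The Server type: inside servers for different services behind one IGA."""
    def __init__(self, iga):
        self.iga, self.rules = iga, {}

    def add(self, port, server_ip):
        self.rules[port] = server_ip

    def inbound(self, iga, dport):
        if iga != self.iga:
            return None
        return self.rules.get(dport)   # unlisted ports reach no inside host
```

Two practitioner points fall out of running it: with Many-to-One every inside host shares one IGA and is unreachable from the WAN unless it opened the session, whereas with the 1:1 types every port of the inside host is reachable at its IGA, so the firewall rules, not NAT, are what limit exposure there.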
31. Starting Address: Specify the first of the IP addresses in the IP address pool.
Subnet Mask: Specify a subnet mask to define the IP address pool.
Table 62 VPN Client Termination IP pool edit
Pool Size: Specify how many IP addresses the Business Secure Router is to give out from the pool created by the starting address and subnet mask. 256 is the maximum.
Apply: Click Apply to save your changes to the Business Secure Router.
Cancel: Click Cancel to return to the IP Pool Summary screen without saving your changes.
VPN Client Termination advanced: In the WebGUI, click VPN on the navigation panel and the Client Termination tab to open the VPN Client Termination screen. Then click the Advanced button to open the following screen. Use this screen to configure detailed settings for use with all of the Contivity VPN Client tunnels.
Figure 81 VPN Client Termination advanced (VPN, Client Termination, Advanced)
Table 63 describes the fields in Figure 81.
Table 63 VPN Client Termination advanced
NAT Traversal: Select Enabled in order to use NAT traversal when there is a NAT router between the Business Secure Router and the Contivity VPN clients. The Co
32. Advanced Router Configuration 75
Setting up the router when the system has a server 75
Connecting two sites to establish a virtual private network 75
Adding IP telephony to a multi site network 76
Configuring the router to act as a Nortel VPN Server (Client Termination) 77
Configuring the router to connect to a Nortel VPN Server (Client Emulation) 77
Allowing remote management of a LAN connected BCM50 78
Setting up the router for guest access 78
Preventing heavy data traffic from impacting telephone calls 79
Setting Up a Remote Office with a UNIStim IP Telephone 79
Inter-Operability With Third Party Routers 80
VPN Connections With Cisco Routers 80
Chapter 5 System screens 81
System overview 81
Private DNS Server 81
Configuring General Setup 82
Dynamic DNS 85
DynDNS wild
33. two authentication algorithms (MD5 and SHA1) and three key groups (DH1, DH2 and DH5) when you configure a VPN rule; see Configuring advanced Branch office setup on page 241. The ID type and content act as an extra level of identification for incoming SAs. Configure the ID type and content in the VPN Branch Office Rule Setup screen; see Figure 71 on page 222. The type of ID can be a domain name, an IP address or an e-mail address. The content is the IP address, domain name or e-mail address.
Table 50 Local ID type and content fields
IP: Type the IP address of your computer, or leave the field blank to have the Business Secure Router automatically use its own IP address.
DNS: Type a domain name (up to 31 characters) by which to identify this Business Secure Router.
E-mail: Type an e-mail address (up to 31 characters) by which to identify this Business Secure Router.
The domain name or e-mail address that you use in the Content field is used for identification purposes only and does not need to be a real domain name or e-mail address.
Table 51 Peer ID type and content fields
IP: Type the IP address of the computer with which you make the VPN connection, or leave the field blank to have the Business Secure Router automatically use the address in the Secure Gateway field.
DNS: Type a domain name (up to 31 c
34. 1000 Series and above. In particular, VPN Clients cannot be added to the LAN subnet; they must have addresses outside of the LAN subnet. VPN Clients can have dynamically assigned IP addresses or statically assigned addresses; however, the router does not support both modes at once. All addresses must be dynamically assigned, or they must all be statically assigned.
7 Establishing a Client Tunnel From One Business Secure Router to Another. When defining a Client Termination account for another Business Secure Router that will connect using Contivity Client Emulation, the following configuration is required:
- Encryption must be Triple DES with SHA1 integrity or Triple DES with MD5 integrity.
- IKE Encryption must be Triple DES with Diffie-Hellman Group 2.
- Perfect Forward Secrecy (PFS) must be enabled.
Note that 3DES, MD5 and 1024-bit Diffie-Hellman Group 2 are all considered weak by current standards; this combination is an interoperability requirement of the device, so treat such tunnels as legacy and prefer SHA1 over MD5 where the choice exists.
Security. 1 Exporting or Saving Self-Signed Certificate: To export or save a self-signed certificate, click the details icon (the icon that looks like a paper note), then click Export, or copy the PEM text to the clipboard and paste it into a file.
Routing. 1 RIP Version Advertisement Control: To change the version of generated RIP advertisements, the following CLI command needs to be used: ip rip mode <enif0|enif1> <in|out> <0|1|2|3>, where enif0 is the LAN side and enif1 is the WAN side; in affects recognition
35. Getting Help through a Nortel distributor or reseller 32
Chapter 1 Getting to know your Business Secure Router 33
Introducing the Business Secure Router 33
Features 34
Physical features 34
High speed Internet access 34
ADSL standards 34
Networking compatibility 35
Encapsulation 35
Autonegotiating 10/100 Mb/s Ethernet LAN 36
Autosensing 10/100 Mb/s Ethernet LAN 36
Time and date 36
Nonphysical features 36
IPSec VPN Capability 36
Nortel Contivity Client Termination 37
36. Figure 19 Password (SYSTEM, Password: Administrator Setting with Old Password, New Password, Retype to Confirm; Client User Setting with User Name, New Password, Retype to Confirm; Apply)
Table 10 describes the fields in Figure 19.
Table 10 Password
Administrator Setting: The administrator can access and configure all of the Business Secure Router's features.
Old Password: Type your existing system administrator password. PlsChgMe is the default password, so change it before the router is put into service.
New Password: Type your new system password (up to 31 characters). Note that as you type a password, the screen displays a * for each character you type.
Retype to Confirm: Retype your new system password for confirmation.
Client User Setting: The client user is the person who uses the Business Secure Router's Contivity Client VPN tunnel. The client user can do the following:
- Configure the WAN ISP and IP screens
- Configure the VPN Contivity Client settings, except the Advanced screen, exclusive use mode for client tunnel and MAC address allowed settings
- View the SA monitor
- Configure the VPN Global Setting screen
- View logs
- View the Maintenance Status screen
- Use the Maintenance F/W Upload and Restart screens
User Name: Type a username for the
37. Index (continued)
ADSL standards 34; AES 205; AH 204; AH Protocol 204; Alert 177; Allocated Budget 123; Allow Through IPSec Tunnel 247; Allow Trigger Dial 117; Always On 123; Answer 126; Application level Firewalls 154; Applications 41; AT Command Initial String 121; AT Command Strings 124, 126; AT Response Strings 126; ATDP 124; ATH 124; ATM loopback test 402; Attack Alert 190, 192; Attack Types 160; Authentication Type 121; Autonegotiating 10/100 Mb/s Ethernet LAN 36; Autosensing 10/100 Mb/s Ethernet LAN 36; Auxiliary 36
B: Backup 406; Bandwidth Class 300; Bandwidth Filter 300, 307; Bandwidth Management 299; Bandwidth Management Statistics 308; Bandwidth Manager Class Configuration 305; Bandwidth Manager Class Setup 303; Bandwidth Manager Monitor 310; Bandwidth Manager Summary 302; Blocking Time 191, 193; Branch Office 221; Branch Tunnel NAT Address Mapping Rule 232; Broadcast Dial Backup Route 123; Brute force Attack 159; Brute Force Password Guessing Protection 38; Budget 123; Bypass Triangle Route 177
C: Call Back Delay 126; Call Control 126; Call Scheduling 38, 387 (Maximum Number of Schedule Sets 387, 391; Precedence 387; Precedence Example 387); Called ID 126; Calling Line Identification 126; Central Network Management 39; CHAP 121; CLID 126; Client IKE Source Port Switching 257; Client Minimum Version 258; Client Termination 248, 255; Client Termination IP Po
38. Diffie-Hellman public key cryptography; see Perfect Forward Secrecy (PFS) on page 241. Select None (the default) to disable PFS.
- Choose Tunnel mode or Transport mode.
- Set the IPSec SA lifetime. In this field you can determine how long the IPSec SA will stay up before it times out. The Business Secure Router automatically renegotiates the IPSec SA if there is traffic when the IPSec SA lifetime period expires. The Business Secure Router also automatically renegotiates the IPSec SA if both IPSec routers have keep alive enabled, even if there is no traffic. If an IPSec SA times out, the IPSec router must renegotiate the SA the next time someone attempts to send traffic.
Negotiation Mode: The phase 1 Negotiation Mode you select determines how the Security Association (SA) is established for each connection through IKE negotiations. Main Mode ensures the highest level of security when the communicating parties are negotiating authentication (phase 1). It uses six messages in three round trips: SA negotiation, Diffie-Hellman exchange, and an exchange of nonces (a nonce is a random number). This mode features identity protection: your identity is not revealed in the negotiation. Aggressive Mode is quicker than Main Mode because it eliminates several steps when the communicating parties are negotiating authentication (phase 1). However, the trade-off is
39. Figure 41 Trigger Port (SUA/NAT, Trigger Port: a numbered list of rules, each with Name, Incoming Start Port and End Port, Trigger Start Port and End Port)
Table 29 describes the fields in Figure 41.
Table 29 Trigger Port
No: This is the rule index number (read only).
Name: Type a unique name (up to 15 characters) for identification purposes. All characters are permitted, including spaces.
Incoming: Incoming is a port or a range of ports that a server on the WAN uses when it sends out a particular service. The Business Secure Router forwards the traffic with this port or range of ports to the client computer on the LAN that requested the service.
Start Port: Type a port number or the starting port number in a range of port numbers.
End Port: Type a port number or the ending port number in a range of port numbers.
Trigger: The trigger port is a port or a range of ports that causes (or triggers) the Business Secure Router to record the IP address of the LAN computer that sent the traffic to a server on the WAN.
Start Port: Type a port number or the starting port number in a range of port numbers.
End Port: Type a port number or the ending port number in a range of port numbers.
Apply: Click Apply to save your changes to the
40. Importing a Trusted CA certificate 280
Trusted CA Certificate details 281
Trusted remote hosts 285
Verifying a certificate of a trusted remote host 287
Trusted remote host certificate fingerprints 287
Importing a certificate of a trusted remote host 289
Trusted remote host certificate details 290
Directory servers 294
Add or edit a directory server 295
Chapter 15 Bandwidth management 299
Bandwidth management overview 299
Bandwidth classes and filters 300
Proportional bandwidth allocation 300
Application based bandwidth management 300
Subnet based bandwidth management 300
Application and subnet based bandwidth management 301
Reserving bandwidth for nonbandwidth class traffic 301
Configuring summary 302
Configuring class setup 303
Bandwidth Manager Class Configuration 305
Bandwidth management statistics 308
Monitor
41. Nailed Up: Select this check box to turn on the nailed up feature for this SA. Turn on nailed up to have the Business Secure Router automatically reinitiate the SA after the SA lifetime times out, even if there is no traffic. The Business Secure Router also reinitiates the SA when it restarts.
NAT Traversal: Select this check box to enable NAT traversal. With NAT traversal you can set up a VPN connection when there are NAT routers between the two IPSec routers. The remote IPSec router must also have NAT traversal enabled. You can use NAT traversal with ESP protocol using Transport or Tunnel mode, but not with AH protocol. In order for an IPSec router behind a NAT router to receive an initiating IPSec packet, set the NAT router to forward UDP port 500 to the IPSec router behind the NAT router.
Name: Type a name to identify this VPN policy. You can use any character, including spaces, but the Business Secure Router drops trailing spaces.
Key Management: Your Business Secure Router uses IKE (ISAKMP) key management in order to set up a VPN.
Negotiation Mode: Select Main for identity protection. Select Aggressive to allow more incoming connections from dynamic IP addresses to use separate passwords. Multiple SAs connecting through an IPSec router must have the same negotiation mode.
Encapsulation Mode: Select Tunnel mode or Transport mode from the drop-down list. Tunnel is compatible with NAT; Transport is n
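The Main Mode versus Aggressive Mode trade-off that the Negotiation Mode descriptions above (and the phase 1 description in the preceding section) refer to, shown on the wire, as an added example that is not from the manual and not the router's IKE implementation. It is a simplified model of IKE phase 1 with pre-shared-key authentication: HMAC-SHA1 as the prf, DH group 2 (the 1024-bit MODP prime from RFC 2409), and HASH_I/HASH_R computed over the public DH values, nonces and ID only (the real hashes also cover the ISAKMP cookies and the SA payload). Peer identities, the PSK and the candidate word list in the test are constructed.

```python
"""Added example (not from the manual): IKE phase 1 with PSK authentication in
Main Mode and Aggressive Mode, and what a passive eavesdropper can do with
each.  Simplified model; see the lead-in for the assumptions."""
import hashlib
import hmac
import secrets

GROUP2_P = int(  # RFC 2409 section 6.2, 1024-bit MODP group 2
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
GENERATOR, KE_LEN = 2, 128

def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()

class Peer:
    def __init__(self, identity: bytes, psk: bytes):
        self.identity, self.psk = identity, psk
        self.x = secrets.randbelow(GROUP2_P - 2) + 1                  # private DH exponent
        self.gx = pow(GENERATOR, self.x, GROUP2_P).to_bytes(KE_LEN, "big")
        self.nonce = secrets.token_bytes(16)

    def dh_secret(self, peer_gx: bytes) -> bytes:
        """g^xy: the material that protects Main Mode messages 5 and 6."""
        return pow(int.from_bytes(peer_gx, "big"), self.x, GROUP2_P).to_bytes(KE_LEN, "big")

def auth_hash(psk, ni, nr, gx_own, gx_peer, identity):
    """PSK authentication: SKEYID = prf(PSK, Ni|Nr); HASH = prf(SKEYID, g^x_own|g^x_peer|ID).
    SKEYID does not depend on g^xy, which is why the offline guess below works."""
    return prf(prf(psk, ni + nr), gx_own + gx_peer + identity)

def phase1(init: Peer, resp: Peer, mode: str):
    """Run phase 1; return (authenticated, wire).  wire lists per message the
    payloads an eavesdropper sees; encrypted payloads appear only by name."""
    hash_i = auth_hash(init.psk, init.nonce, resp.nonce, init.gx, resp.gx, init.identity)
    hash_r = auth_hash(resp.psk, init.nonce, resp.nonce, resp.gx, init.gx, resp.identity)
    if mode == "main":          # six messages, three round trips; IDs travel encrypted
        wire = [("I->R", {"SA": b"proposal"}), ("R->I", {"SA": b"accepted"}),
                ("I->R", {"KEi": init.gx, "Ni": init.nonce}),
                ("R->I", {"KEr": resp.gx, "Nr": resp.nonce}),
                ("I->R", {"encrypted": b"IDi, HASH_I"}), ("R->I", {"encrypted": b"IDr, HASH_R"})]
    elif mode == "aggressive":  # three messages; IDs and HASH_R are sent before any key exists
        wire = [("I->R", {"SA": b"proposal", "KEi": init.gx, "Ni": init.nonce, "IDi": init.identity}),
                ("R->I", {"SA": b"accepted", "KEr": resp.gx, "Nr": resp.nonce,
                          "IDr": resp.identity, "HASH_R": hash_r}),
                ("I->R", {"HASH_I": hash_i})]
    else:
        raise ValueError(f"unknown mode {mode!r}")
    # Each side recomputes the peer's hash with its own PSK; a PSK mismatch fails phase 1.
    ok_r = hmac.compare_digest(hash_r, auth_hash(init.psk, init.nonce, resp.nonce, resp.gx, init.gx, resp.identity))
    ok_i = hmac.compare_digest(hash_i, auth_hash(resp.psk, init.nonce, resp.nonce, init.gx, resp.gx, init.identity))
    ok_dh = init.dh_secret(resp.gx) == resp.dh_secret(init.gx)
    return ok_r and ok_i and ok_dh, wire

def cleartext_identities(wire):
    """Identities visible to anyone on the path."""
    seen = {k: v for _, payloads in wire for k, v in payloads.items()}
    return {k: seen[k] for k in ("IDi", "IDr") if k in seen}

def offline_psk_guess(wire, candidates):
    """Passive attacker: if every input to HASH_R was in the clear, candidate PSKs
    can be tested against the capture offline, with no further packets sent.
    Returns the recovered PSK, or None when the capture does not expose the inputs."""
    seen = {k: v for _, payloads in wire for k, v in payloads.items()}
    if not all(k in seen for k in ("KEi", "Ni", "KEr", "Nr", "IDr", "HASH_R")):
        return None
    for guess in candidates:
        h = auth_hash(guess, seen["Ni"], seen["Nr"], seen["KEr"], seen["KEi"], seen["IDr"])
        if hmac.compare_digest(h, seen["HASH_R"]):
            return guess
    return None
```

With a Main Mode capture the identities and both hashes are encrypted under the DH-derived key, so the word list gets the attacker nothing; with an Aggressive Mode capture every input to HASH_R is in the clear and the PSK falls to a dictionary search. That is the concrete cost of choosing Aggressive for dynamic-address peers, and it is why the PSK on such rules has to be long and random rather than a password.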
42. Note: If you do not assign a Default Server IP Address, then all packets received for ports not specified in this screen are discarded.
Click SUA/NAT to open the SUA Server screen. Refer to Chapter 10 Firewalls on page 153 and Chapter 11 Firewall screens on page 169 for port numbers commonly used for particular services.
Figure 37 SUA/NAT setup (SUA/NAT, SUA Server: Default Server field and a numbered list of server entries, each with Active, Name, Start Port, End Port and Server IP Address)
Table 26 describes the fields in Figure 37.
Table 26 SUA/NAT setup
Default Server: In addition to the servers for specified services, NAT supports a default server. A default server receives packets from ports that are not specified in this screen. If you do not assign a default server IP address, then all packets received for ports not specified in this screen are discarded.
#: Number of an individual SUA server entry.
Active: Select this check box to enable the SUA server entry. Clear this check box to disallow forwarding of these ports to an inside server without having to delete the entry.
Name: Enter a name to identify this
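How the SUA Server table, the Default Server and the Trigger Port rules (from the Trigger Port section earlier and the SUA Server section here) together decide where an inbound WAN packet goes, as an added example that is not from the manual and not the router's code. The precedence between a matching server entry and a recorded trigger, and the rule that a later trigger hit replaces the recorded LAN host, are assumptions of this model; the LAN addresses and port ranges are constructed.

```python
"""Added example (not from the manual): inbound forwarding decision combining
SUA Server entries, the Default Server and Trigger Port learning."""

class InboundForwarder:
    def __init__(self, default_server=None):
        self.default_server = default_server   # None: unmatched ports are discarded
        self.servers = []                      # (name, active, start, end, lan_ip)
        self.triggers = []                     # (name, (tstart, tend), (istart, iend))
        self.learned = {}                      # (istart, iend) -> LAN IP that last hit the trigger

    def add_server(self, name, start_port, end_port, lan_ip, active=True):
        if not 1 <= start_port <= end_port <= 65535:
            raise ValueError("bad port range")
        self.servers.append((name, active, start_port, end_port, lan_ip))

    def add_trigger(self, name, trigger_range, incoming_range):
        if len(name) > 15:
            raise ValueError("trigger rule name is limited to 15 characters")
        self.triggers.append((name, trigger_range, incoming_range))

    def lan_to_wan(self, lan_ip, dst_port):
        """Every outbound packet is checked against the trigger ranges; a hit records
        the sender as the LAN host that later incoming traffic is forwarded to."""
        for _name, (ts, te), incoming in self.triggers:
            if ts <= dst_port <= te:
                self.learned[incoming] = lan_ip   # assumption: newest sender wins

    def wan_to_lan(self, dst_port):
        """Return the LAN IP an inbound packet is forwarded to, or None if it is
        discarded.  Active server entries are consulted first (assumption), then
        learned trigger ranges, then the default server.  A firewall rule that
        permits the WAN-to-LAN traffic is still required separately."""
        for _name, active, start, end, lan_ip in self.servers:
            if active and start <= dst_port <= end:
                return lan_ip
        for (start, end), lan_ip in self.learned.items():
            if start <= dst_port <= end:
                return lan_ip
        return self.default_server
```

The default server is the setting to watch: with it set, every port not listed is forwarded to that host, which turns a single LAN machine into the WAN-facing target for all unsolicited traffic. Leaving it unset gives the discard behaviour the note above describes.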
43. TCP) or 17 (UDP), you can use the Port field to specify the port number of the allowed traffic.
Port: This field is available when you set the Protocol field to 6 (TCP) or 17 (UDP). Use this field to specify the port number of the traffic that is allowed to go through the VPN tunnel that is built using this IP policy. The default is 0, and it signifies any port. Type a port number from 0 to 65535. Some of the most common IP ports are 21 (FTP), 53 (DNS), 23 (Telnet), 80 (HTTP), 25 (SMTP) and 110 (POP3). Do this if you want to allow only traffic of a particular port number to go through the VPN tunnel. For example, if you only wanted to allow FTP traffic to go through the VPN tunnel, specify 6 (TCP) in the Protocol field and 21 (FTP) in the Port field.
Remote: Remote IP addresses must be static and correspond to the remote IPSec router's configured local IP addresses. The remote fields do not apply when the Secure Gateway Address field is configured to 0.0.0.0; in this case only the remote IPSec router can initiate the VPN. Two active SAs cannot have the local and remote IP addresses both the same. You can configure multiple SAs between the same local and remote IP addresses as long as only one is active at any time. Two IP policies can have the same local or remote IP address, but not both.
Address Type: Use the drop-down menu to choose Single Address, Range Address or Subnet Address. Select Single Address for a single IP addr
44. To add or remove a component, select or clear the check box. If the check box is shaded, only part of the component will be installed. To see what is included in a component, click Details. (Windows Setup components dialog listing Address Book, Communications, Desktop Themes, Games and Multilanguage Support, with Details, OK, Cancel and Apply buttons.)
3 In the Communications window, select the Universal Plug and Play check box in the Components selection box.
4 Click OK to return to the Add/Remove Programs Properties window and click Next.
5 Restart the computer when prompted.
Figure 137 Communications (components dialog listing NetMeeting, Phone Dialer, Universal Plug and Play and Virtual Private Networking; to install a component, select the check box next to the component name, or clear the check box if you do not want to install it; a shaded box means that only part of the component will be installed; description: Universal Plug and Play enables seamle
45. Trusted CAs. Click CERTIFICATES, Trusted CAs to open the Trusted CAs screen shown in Figure 87. This screen displays a summary list of certificates of the certification authorities that you have set the Business Secure Router to accept as trusted. The Business Secure Router accepts any valid certificate signed by a certification authority on this list as being trustworthy; thus you do not need to import any certificate that is signed by one of these certification authorities. For the same reason, keep this list to the CAs you actually rely on: any certificate chaining to a listed CA is accepted, so an unnecessary or compromised CA here lets a third party present a certificate the router trusts.
Figure 87 Trusted CAs (CERTIFICATES, Trusted CAs: PKI Storage Space in Use bar; list of Trusted CA Certificates with their validity dates; Import and Refresh buttons)
Table 68 describes the labels in Figure 87.
Table 68 Trusted CAs
PKI Storage Space in Use: This bar displays the percentage of the PKI storage space that is currently in use. The bar turns from green to red when the maximum is approached. When the bar is red, consider deleting expired or unnecessary certificates before adding more certificates.
Index: This field displays the certificate index number. The certificates are listed in alphabetical
46. processing load on the Business Secure Router, but is less secure, since the Contivity VPN clients' unencrypted sessions make them vulnerable to attacks. Select Enabled Inverse to force traffic not going to the network subnets that you specify to be encrypted and sent through the VPN tunnel. Select Enabled Inverse locally connected to force traffic not going to directly connected networks or the network subnets that you specify to be encrypted and sent through the VPN tunnel.
Configure Network: Click this link to set up the list of networks to use as split or inverse split networks.
Table 85 Local User database edit
Split Tunnel Networks: This field applies when you select Enabled in the Split Tunneling field. Select the network for which you force traffic to be encrypted and go through the VPN tunnel.
Inverse Split Tunnel Network: This field applies when you select Enabled Inverse or Enabled Inverse locally connected in the Split Tunneling field. Select the network for which you do not force traffic to be encrypted and go through the VPN tunnel.
Apply: Click Apply to save the user account settings.
Cancel: Click Cancel to exit this screen without saving.
Current split networks: In the Local User Database Edit screen, click Configure Network to display the Current Spli
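The tunnel-or-direct decision for each Split Tunneling mode in Table 85, applied to a batch of destinations so the exposure of each mode is visible, as an added example that is not from the manual and not the router's or the Contivity client's code. The subnets and destinations are constructed; that Disabled means all client traffic goes through the tunnel is an assumption (the description of that value is not on this page), and the lint checks are the editor's additions.

```python
"""Added example (not from the manual): split tunneling decision per mode,
an exposure report over a set of destinations, and two configuration lints."""
import ipaddress

MODES = ("Disabled", "Enabled", "Enabled Inverse", "Enabled Inverse locally connected")

def via_tunnel(dst, mode, split_networks, local_networks=()):
    """True if traffic to dst must be encrypted and sent through the client tunnel."""
    ip = ipaddress.ip_address(dst)
    in_split = any(ip in net for net in split_networks)
    in_local = any(ip in net for net in local_networks)
    if mode == "Disabled":
        return True                        # assumption: no split, everything is tunnelled
    if mode == "Enabled":
        return in_split                    # only the listed networks are protected
    if mode == "Enabled Inverse":
        return not in_split                # everything except the listed networks
    if mode == "Enabled Inverse locally connected":
        return not (in_split or in_local)  # also exempt directly connected networks
    raise ValueError(f"unknown mode {mode!r}")

def exposure_report(destinations, mode, split_networks, local_networks=()):
    """Destinations a client in this mode reaches in the clear, outside the tunnel."""
    return sorted(d for d in destinations
                  if not via_tunnel(d, mode, split_networks, local_networks))

def lint_split_networks(mode, split_networks):
    """Two mistakes that silently weaken the policy: an inverse list containing
    0.0.0.0/0 exempts everything, and Enabled with an empty list tunnels nothing."""
    problems = []
    if mode.startswith("Enabled Inverse") and any(n.prefixlen == 0 for n in split_networks):
        problems.append("inverse split list contains 0.0.0.0/0: no traffic would be encrypted")
    if mode == "Enabled" and not split_networks:
        problems.append("split tunneling enabled with an empty network list: no traffic would be encrypted")
    return problems
```

Run over the same destinations, Enabled exposes everything outside the listed corporate prefix, which is the "less secure" case the table warns about, while the inverse modes expose only what is explicitly exempted. The lint is worth running whenever the network list is edited, because neither misconfiguration produces an error on the device.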
47. static IP addresses of a range of computers when the IP policy's Branch Tunnel NAT Address Mapping Rule Type field is configured to Many-to-One or Many One-to-One in the IP Policy screen.
Table 54 VPN Branch Office rule setup
Local IP Address: This field displays the IP address or range of IP addresses of the computers on your Business Secure Router's local network for which you have configured this IP policy. This field displays the IP policy's virtual IP address or range of addresses when you enable branch tunnel NAT address mapping in the IP Policy screen: a single static IP address when the IP policy's Branch Tunnel NAT Address Mapping Rule Type field is configured to One-to-One or Many-to-One in the IP Policy screen, or the beginning and ending static IP addresses of a range of computers when the policy's Branch Tunnel NAT Address Mapping Rule Type field is configured to Many One-to-One in the IP Policy screen. This field displays the policy's local IP address or range of addresses when you disable branch tunnel NAT address mapping in the IP Policy screen: a single static IP address when the IP policy's Local Address Type field is configured to Single Address in the IP Policy screen, or the beginning and ending static IP addresses of a range of computers
48. The network topology illustrated in Figure 29 avoids triangle route security issues when the backup gateway is connected to the LAN. Use IP alias to configure the LAN into two or three logical networks, with the Business Secure Router itself as the gateway for each LAN network. Put the protected LAN in one subnet (Subnet 1 in Figure 29) and the backup gateway in another subnet (Subnet 2). Configure a LAN-to-LAN Business Secure Router firewall rule that forwards packets from the protected LAN (Subnet 1) to the backup gateway (Subnet 2).
Figure 29 Traffic Redirect LAN Setup (Subnet 1, 192.168.1.0/24, the protected LAN; Subnet 2, 192.168.2.0/24, containing the backup gateway; the Business Secure Router is the gateway for both subnets and connects to the WAN)
Configuring Traffic Redirect: To change the traffic redirect settings, click WAN, then the Traffic Redirect tab. The screen appears as shown in Figure 30.
Figure 30 Traffic Redirect (WAN, Traffic Redirect tab: Active check box; Backup Gateway IP Address, shown as 0.0.0.0; Apply and Reset buttons)
Table 20 describes the fields in Figure 30.
Table 20 Traffic Redirect
Active: Select this check box to have the Business Secure Router use traffic redirect if the normal WAN connection goes down.
Backup Gateway IP Address: Type the IP address of your backup gateway in dotted decimal
49. Figure 147 Network Connections [screen image: the Windows Network Connections folder, showing Internet Gateway (Internet Connection) and LAN or High-Speed Internet (Local Area Connection, Enabled, Accton EN1207D-TX PCI Fast Ethernet adapter)]

4. An icon with the description for each UPnP-enabled device displays under Local Network.
5. Right-click the icon for your Business Secure Router and select Invoke. The WebGUI logon screen displays.

Figure 148 My Network Places Local network [screen image: My Network Places > Local Network, showing the Security Gateway icon and its context menu (Create Shortcut, Rename, Properties)]

Chapter 20 Logs Screens

This chapter contains information about configuring general log settings and viewing the Business Secure Router logs. Refer to Appendix B, Log Descriptions, on page 431 for example log me
54. Business Secure Router Web settings, click REMOTE MGMT to open the WWW screen.

Figure 111 WWW [screen image, REMOTE MANAGEMENT > WWW: HTTPS section with Server Certificate (auto_generated_self_signed_cert, See My Certificates), Authenticate Client Certificates check box (See Trusted CAs), Server Port 443, Server Access Disable, Secured Client IP Address All / Selected; HTTP section with Server Port 80, Server Access LAN, Secured Client IP Address All / Selected; Reset]

Table 89 describes the labels in Figure 111.

Table 89 WWW (Label / Description)

HTTPS Server Certificate: Select the Server Certificate that the Business Secure Router uses to identify itself. The Business Secure Router is the SSL server and must always authenticate itself to the SSL client (the computer that requests the HTTPS connection with the Business Secure Router).
Authenticate Client Certificates: Select Authenticate Client Certificates (optional) to require the SSL client to authenticate itself to the Business Secure Router by sending the Business Secure Router a certificate. To do that, the SSL client must have a CA-signed certificate from a CA that has been imported as a trusted CA on the Business Secure Router (see the appendix on importing certificates for details).
55. Figure 22 LAN IP [screen image: DHCP set to Server, with IP Pool Starting Address, Pool Size and DHCP Server Address fields; DNS Servers Assigned by DHCP Server: First, Second and Third DNS Server (From ISP); LAN TCP/IP: IP Address 192.168.1.1, IP Subnet Mask 255.255.255.0, RIP Direction None, RIP Version RIP-1, Multicast None; Windows Networking (NetBIOS over TCP/IP): Allow between LAN and WAN; Reset]

Table 14 describes the fields in Figure 22.

Table 14 LAN IP (Label / Description)

DHCP: With DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132), individual clients (workstations) can obtain TCP/IP configuration at startup from a server. Unless you are instructed by your ISP, leave this field set to Server. When configured as a server, the Business Secure Router provides TCP/IP configuration for the clients; fill in the IP Pool Starting Address and Pool Size fields. Select Relay to have the Business Secure Router forward DHCP requests to another DHCP server; when set to Relay, fill in the DHCP Server Address field. Select None to stop the Business Secure Router from acting as a DHCP server. When you select None, you must have another DHCP server on your LAN, or else the computers must be manually configured.
IP Pool Starting Address: This field specifies the first of the
56. Drop is sent out.

Table 22 Advanced Setup (Label / Description / Example)

AT Response Strings
CLID (example: NMBR): Type the keyword that precedes the CLID (Calling Line Identification) in the AT response string. This lets the Business Secure Router capture the CLID in the AT response string that comes from the WAN device. CLID is required for CLID authentication.
Called ID: Type the keyword preceding the dialed number.
Speed (example: CONNECT): Type the keyword preceding the connection speed.

Call Control
Dial Timeout (sec) (example: 60): Type a number of seconds for the Business Secure Router to try to set up an outgoing call before timing out (stopping).
Retry Count (example: 0): Type a number of times for the Business Secure Router to retry a busy or no-answer phone number before blacklisting the number.
Retry Interval (example: 10 sec): Type a number of seconds for the Business Secure Router to wait before trying another call after a call has failed. This applies before a phone number is blacklisted.
Drop Timeout (example: 20 sec): Type the number of seconds for the Business Secure Router to wait before dropping the DTR signal if it does not receive a positive disconnect confirmation.
Call Back Delay (example: 15): Type a number of seconds for the Business Secure
Apply: Click Apply to save your changes to the Business Secure Router.
Reset: Click Reset to begin configuring this screen afresh.
58. Figure 156 Call schedule edit [screen image, CALL SCHEDULE EDIT: Schedule Name, Active check box, How Often (Once), Start Date (year, month, day), Start Time (24 Hour Format, hour and min), Duration Time (24 Hour Format, hour and min), Action (Forced On), Apply, Cancel]

If a connection has already been established, your Business Secure Router will not drop it. After the connection is dropped manually or it times out, that remote node cannot be triggered again until the end of the Duration.

Table 107 Call schedule edit (Label / Description)

Schedule Name: Enter a name (up to 16 characters) for the call schedule set. You can use numbers, the letters A to Z (upper or lower case), the underscore (_) and symbols.
Active: Select this check box to turn on this call schedule set. Clear this check box to turn this call schedule set off.
Start Date: Set the date, in year-month-day format, when you want this call schedule set to take effect.
How Often: Select Once to use this schedule set only one time. Select Weekly to use this schedule every week. If you select Once, then enter the date the set will activate in year-month-day format. If you selected Weekly in the How Often field, then select the day or days of the week when the set will activate.
Start Time: Enter the start time, in hour-minute format, when you want the sched
60. IKE key exchange process fails if this limit is exceeded.

(Log Message / Description)

IKE Packet Retransmit: The Business Secure Router did not receive a response from the peer and retransmits the last packet sent.
Failed to send IKE Packet: The Business Secure Router cannot send IKE packets due to a network error.
Too many errors! Deleting SA: The Business Secure Router deletes an SA when too many errors occur.
Phase 1 ID type mismatch: The ID type of an incoming packet does not match the local's peer ID type.
Phase 1 ID content mismatch: The ID content of an incoming packet does not match the local's peer ID content.
No known phase 1 ID type found: The ID type of an incoming packet does not match any known ID type.
Peer ID: <IP address type> <IP address>: The IP address type or IP address of an incoming packet does not match the peer IP address type or IP address configured on the local router. The log displays the IP address type and IP address of the incoming packet.
vs. My Remote <IP address>: The IP address type or IP address of an incoming packet does not match the peer IP address type or IP address configured on the local router. The log displays the configured remote IP address type or IP address for this router that the incoming packet did not match.
vs. My Local <IP address>: The IP address type or IP address of an incoming packet does not match the peer IP address type o
61. IP address. This is equivalent to SUA (for example, PAT, port address translation), the Single User Account feature.
3. Many-to-Many Overload: Many-to-Many Overload mode maps multiple local IP addresses to shared global IP addresses.
4. Many-One-to-One: Many-One-to-One mode maps each local IP address to a unique global IP address.
5. Server: With this type, you can specify inside servers of different services behind the NAT to be accessible to the outside world.
Local Start IP: This is the starting Inside Local IP Address (ILA). Local IP addresses are N/A for Server port mapping.
Local End IP: This is the end Inside Local IP Address (ILA). If your rule is for all local IP addresses, then enter 0.0.0.0 as the Local Start IP address and 255.255.255.255 as the Local End IP address. This field is N/A for One-to-One and Server mapping types.
Global Start IP: This is the starting Inside Global IP Address (IGA). Enter 0.0.0.0 here if you have a dynamic IP address from your ISP.
Global End IP: This is the ending Inside Global IP Address (IGA). This field is N/A for One-to-One, Many-to-One and Server mapping types.
Apply: Click Apply to save your changes to the Business Secure Router.
Reset: Click Reset to begin configuring this screen afresh.

Trigger Port Forwarding

Som
62. LAN. It is sometimes necessary to allow NetBIOS packets to pass through VPN tunnels in order to allow local computers to find computers on the remote network and vice versa.
Allow Through IPSec Tunnel: Select this check box to send NetBIOS packets through the VPN connection.
Exclusive Use Mode for Client Tunnel: Select this check box to permit only the computer with the MAC address that you specify to set up a VPN connection to the remote IPSec router.
MAC Address Allowed: Enter the MAC address of the computer you want to allow to use the VPN tunnel.
Contivity Client Fail Over: The Contivity Client fail-over feature allows a Contivity client to establish a VPN connection to a backup IPSec router when the default remote IPSec router (specified in the Destination field) is not accessible. The VPN fail-over feature must also be set up in the remote IPSec router.
First Gateway, Second Gateway, Third Gateway: These read-only fields display the IP addresses of the backup IPSec routers. The Business Secure Router automatically gets this information from the default remote IPSec router. After the remote IPSec router is unreachable or fails to respond to IKE negotiation, the Business Secure Router tries to establish a VPN connection to a backup I
63. [figure label: Managed Device]

An SNMP-managed network consists of two main types of component: agents and a manager. An agent is a management software module that resides in a managed device (the Business Secure Router). An agent translates the local management information from the managed device into a form compatible with SNMP. The manager is the console through which network administrators perform network management functions. It executes applications that control and monitor managed devices.

The managed devices contain object variables (managed objects) that define each piece of information to be collected about a device. Examples of variables include number of packets received and node port status. A Management Information Base (MIB) is a collection of managed objects. SNMP allows a manager and agents to communicate for the purpose of accessing these objects.

SNMP itself is a simple request-and-response protocol based on the manager and agent model. The manager issues a request and the agent returns responses using the following protocol operations:
• Get: Allows the manager to retrieve an object variable from the agent.
• GetNext: Allows the manager to retrieve the next object variable from a table or list within an agent. In SNMPv1, when a manager wants to retrieve all elements of a table from an agent, it initiates a Get operation followed by a series
64. NAT sessions. A system restart will guarantee the change to take effect.

Figure 38 Address Mapping [screen image: table with Local Start IP, Local End IP, Global Start IP and Global End IP columns; Insert, Edit, Delete]

Table 27 describes the fields in Figure 38.

Table 27 Address Mapping (Label / Description)

Local Start IP: This refers to the Inside Local Address (ILA), that is, the starting local IP address. Local IP addresses are N/A for Server port mapping.
Local End IP: This is the end Inside Local Address (ILA). If the rule is for all local IP addresses, then 0.0.0.0 displays as the Local Start IP address and 255.255.255.255 as the Local End IP address. This field is N/A for One-to-One and Server mapping types.
Global Start IP: This refers to the Inside Global IP Address (IGA). 0.0.0.0 is for a dynamic IP address from your ISP with Many-to-One and Server mapping types.
Global End IP: This is the ending Inside Global Address (IGA), that is, the ending global IP address. This field is N/A for One-to-One, Many-to-One and Server mapping types.
Type:
1. One-to-One mode maps one local IP address to one global IP address. Note that port numbers do not change for the One-to-One NAT mapping type.
2. Many-to-One mode maps multiple local IP addresses to one global IP address. This is equivalent to SUA t
65. Phase 1 or Phase 2 negotiations do not match. Check all protocols and settings for these phases. For example, one party uses 3DES encryption but the other party uses DES encryption, so the connection fails.

Table 132 Sample IKE Key Exchange Logs (Log Message / Description)

Verifying Local ID failed / Verifying Remote ID failed: During IKE Phase 2 negotiation, both parties exchange policy details, including local and remote IP address ranges. If these ranges differ, the connection fails.
Local/remote IPs of incoming request conflict with rule <d>: If the security gateway is 0.0.0.0, the Business Secure Router uses the peer's Local Addr as its Remote Addr. If this IP range conflicts with a previously configured rule, the connection is not allowed.
Invalid IP <IP start> > <IP end>: The peer's Local IP Addr range is invalid.
Remote IP <IP start> <IP end> conflicts: If the security gateway is 0.0.0.0, the Business Secure Router uses the peer's Local Addr as its Remote Addr. If a peer's Local Addr range conflicts with other connections, the Business Secure Router does not accept VPN connection requests from this peer.
Active connection allowed exceeded: The Business Secure Router limits the number of simultaneous Phase 2 SA negotiations. The
66. [figure label: RIP Version]

Table 16 describes the fields in Figure 24.

Table 16 IP Alias (Label / Description)

IP Alias 1, 2: Select the check box to configure another LAN network for the Business Secure Router.
IP Address: Enter the IP address of your Business Secure Router in dotted decimal notation.
IP Subnet Mask: Your Business Secure Router automatically calculates the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use the subnet mask computed by the Business Secure Router.
RIP Direction: With RIP (Routing Information Protocol, RFC 1058 and RFC 1389), a router can exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets. Select the RIP direction from Both, In Only, Out Only or None. When set to Both or Out Only, the Business Secure Router broadcasts its routing table periodically. When set to Both or In Only, it incorporates the RIP information that it receives. When set to None, it does not send any RIP packets and ignores any RIP packets received.
RIP Version: The RIP Version field controls the format and the broadcasting method of the RIP packets that the Business Secure Router sends (it recognizes both formats when receiving). RIP-1 is universally supported, but RIP-2 carries more information. RIP-1 is probably adequate
67. [screen image, Replace Factory Default Certificate: Factory Default Certificate Name auto_generated_self_signed_cert; "The factory default certificate is common to Business Secure Router models. Click Replace to create a certificate using your Business Secure Router's MAC address that will be specific to this device."; Replace button. My Certificates list: auto_generated_self_signed_cert, type SELF, subject and issuer CN=Business Secure Router Factory Default Certificate, valid from Jan 1st 2000 GMT to Jan 1st 2030 GMT; Import, Create, Refresh]

SSH overview

Unlike Telnet or FTP, which transmit data in clear text, SSH (Secure Shell) is a secure communication protocol that combines authentication and data encryption to provide secure encrypted communication between two hosts over an unsecured network.

Figure 120 SSH Communication Example [figure: SSH Server and SSH Client]

How SSH works

Figure 121 summarizes how a secure connection is established between two remote hosts.

Figure 121 How SSH Works [figure]

1. Host Identification: The SSH client sends a connection request to the SSH server. The server identifies itself with a host key. The client encrypts a randomly generated session key with the host key and server key and sends the result
68. Secure Shell Remote Logon Program.

(Name / Protocol / Port / Description)

STRM WORKS: UDP 1558: Stream Works Protocol.
SYSLOG: UDP 514: Using syslog, you can send system logs to a UNIX server.
TACACS: UDP 49: Login Host Protocol used for Terminal Access Controller Access Control System.
TELNET: TCP 23: Telnet is the logon and terminal emulation protocol common on the Internet and in UNIX environments. It operates over TCP/IP networks. Its primary function is to allow users to log into remote host systems.
TFTP: UDP 69: Trivial File Transfer Protocol is an Internet file transfer protocol similar to FTP, but uses the UDP (User Datagram Protocol) rather than TCP (Transmission Control Protocol).
VDOLIVE: TCP 7000: Another videoconferencing solution.

Alerts are reports on events, such as attacks, that you want to know about right away. You can choose to generate an alert when an attack is detected in the Attack Alert screen (Figure 61; check the Generate alert when attack detected check box) or when a rule is matched in the Rule Edit screen (see Figure 53). Configure the Log Settings screen to have the Business Secure Router send an immediate e-mail message to you when an event generates an alert.

Configuring attack alert

Attack alerts are the first defense against DOS attacks. In the Attack Alert screen (Figure 61), you can choose to generate an alert whenev
69. This field displays the user's first name.

Table 84 Local User database (Label / Description)

Status: This field displays the status of IPSec user accounts. A dash appears for all other accounts. Valid displays if an IPSec user can use the account to log on. Expired displays if an IPSec user can no longer use the account to log on. This happens when you have enabled Password Management in the VPN Client Termination Advanced screen and the account password has exceeded the time that you configured as the Maximum Password Age.
Edit: Select a user account and click Edit to go to the screen where you can configure the account settings.
Delete: Select a user account and click Delete to remove the account.

Edit Local User Database

To change a local user database entry, click AUTH SERVER. In the Local User Database screen, select the radio button of an entry and click the Edit button to display the Local User Database Edit screen, as shown in Figure 106.

Figure 106 Local User database edit [screen image, User Edit: 802.1x and IPSec options, two 0.0.0.0 address fields, Enabled, Configure Network (None selected), Apply, Cancel]

Table 85 describes the labels in F
70. This field specifies the IP address or the domain name (up to 31 case-sensitive characters) of the remote IPSec router. You can use alphanumeric characters, the underscore, dash, period and the symbol in a domain name. No spaces are allowed.
User Name: Enter the username exactly as the IPSec router administrator gives it to you.
Password: Enter the password exactly as the IPSec router administrator gives it to you.
Advanced: Click Advanced to configure group authentication and on-demand client tunnel settings.
Apply: Click Apply to save your changes to the Business Secure Router.
Cancel: Click Cancel to return to the VPN Summary screen without saving your changes.

Configuring Advanced Setup

Select one of the VPN rules in the VPN Summary screen and click Edit to configure the rule. If the Branch Office screen is displayed, select Contivity Client from the Connection Type list box. Click Advanced to display the VPN Contivity Client Advanced Rule Setup screen, as shown in Figure 70.

Figure 70 VPN Contivity Client advanced rule setup [screen image, VPN Contivity Client Advanced: Group Authentication with Group ID and Group Password fields, On Demand Client Tunnel check box, Cancel]

Table 49 describes the fields in Figure 70.

Table 49 VPN Contivity Client advanced rule setup (Label / Description)

Group Authentication: Enable Group Authentication to have the Business Secure Router send a Group ID and G
71. This helps reduce delays and dropped packets at the next routing device. For example, you can set the WAN interface speed to 1 024 kb/s or less if the broadband device connected to the WAN port has an upstream speed of 1 024 kb/s.

Bandwidth classes and filters

Use bandwidth subclasses to allocate specific amounts of bandwidth capacity (bandwidth budgets). Configure a bandwidth filter to define a bandwidth subclass based on a specific application or subnet. Use the Class Setup tab (see Bandwidth Manager Class Configuration on page 305) to set up a bandwidth class name, bandwidth allotment and filter specifics. Each bandwidth subclass consists of a single filter you can define by editing the subclass. Unallocated bandwidth (bandwidth that is not controlled by a subclass you specify) is allocated to traffic not controlled by any subclass. View your configured bandwidth subclasses for a given interface in the Class Setup tab (see Configuring class setup on page 303 for details). The total of the configured bandwidth budgets cannot exceed the configured bandwidth budget for the interface, as specified in Configuring summary on page 302.

Proportional bandwidth allocation

With bandwidth management, you can define how much bandwidth each class gets; however, the actual bandwidth allotted to each class decreases or increases in
72. Transport mode.
IPSec Algorithm: This field displays the security protocols used for an SA. Both AH and ESP increase Business Secure Router processing requirements and communications latency (delay).
Refresh: Click Refresh to display the current active VPN connections. This button is available when you have active VPN connections.
Disconnect: Select a security association index number that you want to disconnect and then click Disconnect. This button is available when you have active VPN connections.
Next Page (if applicable): Click Next Page to view more items in the summary if you have a summary list that exceeds this page.

Global settings

In the WebGUI, click VPN on the navigation panel, then click the Global Setting tab.

Figure 77 VPN Global Setting [screen image: tabs VPN SA Monitor, Global Setting, Client Termination; Windows Networking (NetBIOS over TCP/IP): Allow Through IPSec Tunnel check box; Contivity Client Global Setting: Exclusive Use Mode for Client Tunnel, MAC Address Allowed 00:00:00:00:00:00; Contivity Client Fail Over: First Gateway 0.0.0.0, Second Gateway 0.0.0.0, Third Gateway 0.0.0.0; Apply, Reset]

Table 59 describes the fields in Figure 77.

Table 59 VPN Global Setting (Label / Description)

Windows Networking (NetBIOS over TCP/IP): NetBIOS (Network Basic Input/Output System) are TCP or UDP packets that enable a computer to connect to and communicate with a
73. Use Internet Explorer 6.0 and later or Netscape Navigator 7.0 and later versions. The recommended screen resolution is 1,024 by 768 pixels. In order to use the WebGUI you need to allow: web browser pop-up windows from your device (web pop-up blocking is enabled by default in Windows XP SP2, Service Pack 2); JavaScript (enabled by default); Java permissions (enabled by default). See Allowing Pop-up Windows, JavaScript and Java Permissions on page 416 if you want to make sure these functions are allowed in Internet Explorer. Accessing the Business Secure Router WebGUI: Make sure your Business Secure Router hardware is properly connected and prepare your computer and computer network to connect to the Business Secure Router. Refer to Nortel Business Secure Router 252 Fundamentals (NN47923-301). (Page 46, Chapter 2: Introducing the WebGUI.) 1. Launch your web browser. 2. Type 192.168.1.1 as the URL. 3. Type the username (nnadmin is the default) and the password (PlsChgMe is the default) and click Login. Click Reset to clear any information you have entered in the Username and Password fields. Figure 2: Login screen. 4. A screen asking you to change your password (highly recommended) appears and is shown in Figure 3. Type a new password, retype it to confirm, and click Apply, or click Ignore. (Chapter 2: Introducing the WebGUI, page 47.) Figu
74. WAN IP of the BSR222/252 router and the Cisco router are not in the same subnet. 2. Configure the connection to use DES Encryption and MD5 Authentication. (Page 81.) Chapter 5: System screens. This chapter provides information on the System screens. System overview: This section provides background information on features that you cannot configure in the Wizard. DNS overview: There are three places where you can configure DNS (Domain Name System) setup on the Business Secure Router. Use the System General screen to configure the Business Secure Router to use a DNS server to resolve domain names for Business Secure Router system features like VPN, DDNS and the time server. Use the LAN IP screen to configure the DNS server information that the Business Secure Router sends to the DHCP client devices on the LAN. Use the Remote Management DNS screen to configure the Business Secure Router to accept or discard DNS queries. Private DNS server: In cases where you want to use domain names to access Intranet servers on a remote private network that has a DNS server, you must identify that DNS server. You cannot use DNS servers on the LAN or from the ISP, because these DNS servers cannot resolve domain names to private IP addresses on the remote private network. (Page 82, Chapter 5: System screens.) Figure 16 depicts an example where three VPN tunnels are created
75. (List of figures, partly unreadable in this excerpt.) (title unreadable), 282. Trusted remote (title unreadable), 286. Remote host certificates, 288. (title unreadable), 288. Trusted remote host import, 289. Trusted remote host details, 291. Directory (title unreadable), 294. Directory Server add, 296. Subnet-based bandwidth management example, 301. Bandwidth Manager Summary, 302. Bandwidth Manager Class setup, 304. (Page 20, Figures.) Figure 100 to Figure 134, of which the following titles are readable: Bandwidth Manager Edit class, 306. Bandwidth management statistics, 309. Bandwidth manager monitor, 310. EAP Authentication, 313. (title unreadable), 314. Local User database
76. a VPN setup is processing intensive, the system is vulnerable to Denial of Service (DoS) attacks. Replay Detection: The IPSec receiver can detect and reject old or duplicate packets to protect against replay attacks. Enable replay detection by setting this field to YES. Phase 1: A phase 1 exchange establishes an IKE SA (Security Association). (Chapter 13: VPN, page 243.) Table 57: VPN Branch Office Advanced Rule Setup. Label / Description. Multiple Proposal: Select this check box to allow the Business Secure Router to use any of its phase 1 encryption and authentication algorithms when negotiating an IKE SA. Clear this check box to have the Business Secure Router use only the phase 1 encryption and authentication algorithms configured below when negotiating an IKE SA. Negotiation Mode: Select Main for identity protection. Select Aggressive to allow more incoming connections from dynamic IP addresses to use separate passwords. The Business Secure Router's negotiation mode must be identical to that on the remote IPSec router. Multiple SAs connecting through an IPSec router must have the same negotiation mode. Encryption Algorithm: Select DES, 3DES or AES from the drop-down list. When you use one of these encryption algorithms for data communications, both the sending device and the receiving device must use the same secret key, which can be used to encrypt and decrypt the message or to generate and verify
77. a message authentication code. The DES encryption algorithm uses a 56-bit key. Triple DES (3DES) is a variation on DES that uses a 168-bit key. As a result, 3DES is more secure than DES. It also requires more processing power, resulting in increased latency and decreased throughput. This implementation of AES uses a 128-bit key. AES is faster than 3DES. Authentication Algorithm: Select SHA1 or MD5 from the drop-down list. The Business Secure Router's authentication algorithm must be identical to the remote IPSec router's. MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate the source and integrity of packet data. The SHA1 algorithm is generally considered stronger than MD5 but is slower. Select SHA-1 for maximum security. SA Life Time: Define the length of time before an IKE SA automatically renegotiates in this field. It can range from 60 to 3,000,000 seconds (almost 35 days). A short SA life time increases security by forcing the two IPSec routers to update the encryption and authentication keys. However, every time the VPN tunnel renegotiates, all users accessing remote resources are temporarily disconnected. Key Group: You must choose a key group for phase 1 IKE setup. DH1 (default) refers to Diffie-Hellman Group 1, a 768-bit random number. DH2 refers to Diffie-Hellman Group 2, a 1,024-bit (1 Kb) random number. DH5 refers to Diffie-Hellman Group 5, a 1,536-bit random number.
78. a pre-shared key or an imported certificate. Enter the IP Address assigned to the router WAN port (this should be a static address or a dynamic DNS name) and the IP address of the remote router. Select the encryption and authentication algorithms. Add an IP policy by specifying the IP address ranges of the local and remote hosts that will use the tunnel. 2. Repeat these steps at the other end of the branch. Note: If VPN Client Termination is used on these sites, the client termination address range will need to be included in the tunnel policies in order for the VPN clients to see the other site. Adding IP telephony to a multi-site network. Scenario 1: A BCM50 in the primary site acting as the gateway for both sites. 1. Ensure that the DHCP Server in the BCM50 is disabled, that the BCM50 is connected to the router, and that both have booted. 2. Add the IP phones to the primary site as per the BCM50 installation guide. 3. Create a tunnel to the remote site as described above. 4. In the remote site, set the S1 and S2 addresses to the IP address of the BCM50, which is identified in the router DHCP table or in the BCM50. This is done with a CLI command: TELNET or SSH to the router (this needs TELNET or SSH enabled on that router), select menu 24, select menu 8, and enter the commands "ip dhcp enif0 server voipserver 1 <BCM50 IP Address> 7000 1" and "ip dhcp enif0 server voipserver 2 <BCM50 IP Address> 7000 1". 5. Add the IP phones to the remote s
79. address specified in this field. If this field is left blank, logs are not sent through e-mail. Send Alerts To: Alerts are sent to the e-mail address specified in this field. If this field is left blank, alerts are not sent through e-mail. Syslog Logging: Syslog logging sends a log to an external syslog server used to store logs. Active: Click Active to enable syslog logging. Syslog Server IP Address: Enter the server name or IP address of the syslog server that logs the selected categories of logs. Log Facility: Select a location from the drop-down list. In the log facility you can log the messages to different files in the syslog server. Refer to the documentation of your syslog program for more details. Send Log. Log Schedule: This drop-down menu is used to configure the frequency of log messages being sent as e-mail: Daily, Weekly, Hourly, When the Log is Full, or None. If you select Weekly or Daily, specify a time of day when the e-mail will be sent. If you select Weekly, you must also specify which day of the week the e-mail is to be sent. If you select When Log is Full, an alert is sent when the log fills up. If you select None, no log messages are sent. Day for Sending Log: Use the drop-down list to select which day of the week to send the logs. (Page 378, Chapter 20: Logs Screens.) Table 100: Log settings. Label / Descr
80. allows all requests. Destination: Type the IP address of the station to send your SNMP traps to. SNMP Service Port: You can change the server port number for a service if needed; however, you must use the same port number in order to use that service for remote management. Service Access: Select the interfaces (if any) through which a computer can access the Business Secure Router using this service. Secured Client IP Address: A secured client is a trusted computer that is allowed to communicate with the Business Secure Router using this service. Select All to allow any computer to access the Business Secure Router using this service. Choose Selected to allow just the computer with the IP address that you specify to access the Business Secure Router using this service. Apply: Click Apply to save your customized settings and exit this screen. Reset: Click Reset to begin configuring this screen afresh. Configuring DNS: Use DNS (Domain Name System) to map a domain name to its corresponding IP address and vice versa; for example, the IP address of www.nortel.com is 47.249.48.20. To change your Business Secure Router DNS settings, click REMOTE MANAGEMENT and then the DNS tab. The screen appears as shown in Figure 132. (Page 358, Chapter 18: Remote management screens.) Figure 132: DNS (REMOTE MANAGEMENT screen, tabs SNMP and DNS). DNS Service Port 3
81. an authentication protocol that runs on top of the IEEE 802.1x transport mechanism in order to support multiple types of user authentication. By using EAP to interact with an EAP-compatible RADIUS server, the Business Secure Router helps a user's computer and a RADIUS server perform authentication. The type of authentication you use depends on the RADIUS server or the AP. (Chapter 16: IEEE 802.1x, page 313.) Your Business Secure Router supports EAP-MD5 (Message Digest Algorithm 5) with the local user database. Figure 103 shows an overview of authentication when you specify a RADIUS server on your Business Secure Router. Figure 103: EAP Authentication (LAN). The steps below provide a general description of how IEEE 802.1x EAP authentication works. 1. The user sends a start message to the Business Secure Router. 2. The Business Secure Router sends a request identity message to the user for identity information. 3. The user replies with identity information, including username and password. 4. The RADIUS server checks the user information against its user profile database and determines whether or not to authenticate the user. Configuring 802.1X: To change the authentication settings, click 802.1X. The screen appears as shown in Figure 104. (Page 314, Chapter 16: IEEE 802.1x.) Figure 104: 802.1X (802.1X Setup; Authentication Type: No Authentication Require
82. an error or warning message. Table 132 shows sample log messages during IKE key exchange. Note: A PYLD_MALFORMED packet usually means that the two ends of the VPN tunnel are not using the same preshared key. (Appendix B: Log Descriptions, page 443.) Table 132: Sample IKE Key Exchange Logs. Log Message / Description. "Send <Symbol> Mode request to <IP>": The Business Secure Router started negotiation with the peer. "Recv <Symbol> Mode request from <IP>": The Business Secure Router received an IKE negotiation request from the peer. "Recv <Symbol>": IKE uses the ISAKMP protocol (refer to RFC 2408, ISAKMP) to transmit data. Each ISAKMP packet contains payloads of different types that show in the log (see Table 134). "Phase 1 IKE SA process done": Phase 1 negotiation finished. "Start Phase 2: Quick Mode": Phase 2 negotiation begins using Quick Mode. "IKE process, Negotiation is in ...": The Business Secure Router has begun negotiation with the peer for the connection, but the IKE key exchange has not completed. "Duplicate requests with the same cookie": The Business Secure Router received multiple requests from the same peer but is still processing the first IKE packet from that peer. "No proposal chosen": The parameters configured for
83. and leave the Traffic Redirect Priority (metric) at the default of 15. Apply: Click Apply to save your changes to the Business Secure Router. Reset: Click Reset to begin configuring this screen afresh. PPPoE encapsulation: The Business Secure Router supports PPPoE (Point-to-Point Protocol over Ethernet). PPPoE is an IETF Draft standard (RFC 2516) specifying how a personal computer (PC) interacts with a broadband modem (DSL, cable, wireless, etc.) connection. The PPPoE option is for a dial-up connection using PPPoE. For the service provider, PPPoE offers an access and authentication method that works with existing access control systems (for example, Radius). PPPoE provides a login and authentication method that the existing Microsoft Dial-Up Networking software can activate, and therefore requires no new learning or procedures for Windows users. One of the benefits of PPPoE is the ability to let you access one of multiple network services, a function known as dynamic service selection. This enables the service provider to easily create and offer new IP services for individuals. Operationally, PPPoE saves significant effort for both you and the ISP or carrier, as it requires no specific configuration of the broadband modem at the customer site. (Page 110, Chapter 7: WAN screens.) By implementing PPPoE directly on the Business Secure Router rather than individual com
84. and second WINS server IP addresses (Secondary WINS) to assign to the Contivity VPN clients. Client Minimum Version Requirement: Selects the lowest version of Contivity VPN client software that you require the clients to use. Action: Specifies what the Business Secure Router does when it detects a noncompliant version of Contivity VPN client software. Select None to allow the VPN tunnel without displaying any messages to tell the user where to download the required version of the Contivity VPN client software. Select Send Message to allow the VPN tunnel but display a message to tell the user where to download the required version of the Contivity VPN client software. Select Send Message and Force Logoff to disconnect the VPN tunnel and display a message to tell the user where to download the required version of the Contivity VPN client software. Message: Enter a message that tells where to download the required version of the Contivity VPN client software. Use from 1 to 255 ASCII characters. Display Banner: Select Enabled to have the Business Secure Router show the Contivity VPN client users a message across the top of the screen after they log on. Banner: Enter the message, such as the name of your company, that you want to show at the top of the Contivity VPN client users' screens after they log on. Use from 1 to 255 ASCII characters. Allow Password Storage on Client: Use this to let the Contiv
85. are detected in the last minute. Maximum Incomplete Low: This is the number of existing half-open sessions that causes the firewall to stop deleting half-open sessions. The Business Secure Router continues to delete half-open requests as necessary until the number of existing half-open sessions drops below this number. Maximum Incomplete High: This is the number of existing half-open sessions that causes the firewall to start deleting half-open sessions. When the number of existing half-open sessions rises above this number, the Business Secure Router deletes half-open sessions as required to accommodate new connection requests. Do not set Maximum Incomplete High lower than the current Maximum Incomplete Low number. The above values (say, 80 in the Maximum Incomplete Low field and 100 in this field) cause the Business Secure Router to start deleting half-open sessions when the number of existing half-open sessions rises above 100, and to stop deleting half-open sessions when the number of existing half-open sessions drops below 80. TCP Maximum Incomplete: This is the number of existing half-open TCP sessions with the same destination host IP address that causes the firewall to start dropping half-open sessions to that same destination host IP address. Enter a number between 1 and 256. As a general rule, choose a smaller number for a smaller network, a slower system or limited bandwidth. Blocking Period: When TCP
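To make the hysteresis between Maximum Incomplete Low and Maximum Incomplete High concrete, here is an added Python model of the three half-open thresholds described above. It is not code from the Business Secure Router or from Nortel: the class name `HalfOpenTracker`, the method names and the `simulate()` scenario are assumptions made for this example; Low = 80 and High = 100 are the page's own sample values, the per-destination TCP Maximum Incomplete of 10 is a constructed setting, and the SYN events are constructed, not captured traffic.

```python
"""Model of the firewall's half-open session thresholds.

Added example, not code from the Business Secure Router or Nortel.
Maximum Incomplete Low/High use the manual's sample values (80/100);
TCP Maximum Incomplete = 10 and the session events are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class HalfOpenTracker:
    max_incomplete_low: int = 80     # stop deleting once total drops below this
    max_incomplete_high: int = 100   # start deleting once total rises above this
    tcp_max_incomplete: int = 10     # per-destination-host limit, 1..256
    deleting: bool = False           # hysteresis state ("currently deleting")
    half_open: list = field(default_factory=list)   # (src, dst), oldest first
    dropped: list = field(default_factory=list)     # (src, dst, reason)

    def __post_init__(self):
        if not 1 <= self.tcp_max_incomplete <= 256:
            raise ValueError("TCP Maximum Incomplete must be between 1 and 256")
        if self.max_incomplete_high < self.max_incomplete_low:
            raise ValueError("Maximum Incomplete High must not be lower than Low")

    def half_open_to(self, dst):
        """Number of half-open sessions whose destination host is dst."""
        return sum(1 for _, d in self.half_open if d == dst)

    def new_syn(self, src, dst):
        """A new half-open session (SYN seen, handshake not completed).

        Returns True if the session is admitted, False if it is refused
        by the per-destination TCP Maximum Incomplete limit.
        """
        if self.half_open_to(dst) >= self.tcp_max_incomplete:
            self.dropped.append((src, dst, "tcp-max-incomplete"))
            return False
        self.half_open.append((src, dst))
        if len(self.half_open) > self.max_incomplete_high:
            self.deleting = True          # rose above High: start deleting
        if self.deleting:
            # Delete the oldest half-open session to make room for the new one.
            old_src, old_dst = self.half_open.pop(0)
            self.dropped.append((old_src, old_dst, "max-incomplete-high"))
        return True

    def session_done(self, src, dst):
        """Handshake completed or the half-open entry timed out."""
        self.half_open.remove((src, dst))
        if self.deleting and len(self.half_open) < self.max_incomplete_low:
            self.deleting = False         # fell below Low: stop deleting


def simulate():
    """Constructed scenario: a burst of 111 SYNs, then 30 completions."""
    t = HalfOpenTracker()
    for i in range(111):
        # distinct sources, spread over 20 destination hosts
        t.new_syn(f"198.51.100.{i % 250}", f"10.0.0.{i % 20}")
    after_flood = (len(t.half_open), len(t.dropped), t.deleting)
    for src, dst in list(t.half_open)[:30]:
        t.session_done(src, dst)
    after_drain = (len(t.half_open), t.deleting)

    # Per-destination limit: 11 sources each half-open to the same host.
    p = HalfOpenTracker(tcp_max_incomplete=10)
    admitted = [p.new_syn(f"203.0.113.{i}", "10.0.0.99") for i in range(11)]
    return {
        "after_flood": after_flood,                  # (100, 11, True)
        "after_drain": after_drain,                  # (70, False)
        "per_dest_admitted": admitted.count(True),   # 10
        "per_dest_reason": p.dropped[-1][2],         # "tcp-max-incomplete"
    }


if __name__ == "__main__":
    print(simulate())
```

The point of the two thresholds is that deletion does not flap: once the count passes High the tracker keeps deleting old half-open entries for every new request until completions or timeouts bring the count below Low, which is why the page warns against setting High below Low.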
86. automates the process of allowing an application to operate through NAT. UPnP network devices can automatically configure network addressing, announce their presence in the network to other UPnP devices and enable exchange of simple product and service descriptions. With NAT traversal, the device can do the following: dynamic port mapping; learning public IP addresses; assigning lease times to mappings. (Page 362, Chapter 19: UPnP.) Windows Messenger is an example of an application that supports NAT traversal and UPnP. Cautions with UPnP: The automated nature of NAT traversal applications in establishing their own services and opening firewall ports can present network security issues. Network information and configuration can also be obtained and modified by users in some network environments. All UPnP-enabled devices can communicate freely with each other without additional configuration. If this is not your intention, disable UPnP. UPnP implementation: The device has UPnP certification from the Universal Plug and Play Forum UPnP Implementers Corp (UIC). This UPnP implementation supports IGD 1.0 (Internet Gateway Device). At the time of writing, the UPnP implementation supports Windows Messenger 4.6 and 4.7, while Windows Messenger 5.0 and Xbox are still being tested. The Business Secure Router only sends UPnP multicasts to the LAN. Configuring UPnP: Clic
87. call scheduling (applicable for PPPoA or PPPoE encapsulation only), you can dictate when a remote node is to be called and for how long. Call scheduling introduction: Using the call scheduling feature, the Business Secure Router can manage a remote node and dictate when a remote node is to be called and for how long. This feature is similar to the scheduler in a video cassette recorder (you can specify a time period for the VCR to record). Apply schedule sets in the WAN IP screen or the WAN Dial Backup screen. Lower numbered sets take precedence over higher numbered sets, thereby avoiding scheduling conflicts. For example, if sets 1, 2, 3 and 4 are applied in the remote node, set 1 takes precedence over sets 2, 3 and 4, as the Business Secure Router by default applies the lowest numbered set first. Set 2 takes precedence over sets 3 and 4. You can design up to 12 schedule sets. You can apply up to four schedule sets for a remote node. Call schedule summary: Click CALL SCHEDULE to open the Call Schedule Summary screen. (Page 388, Chapter 21: Call scheduling screens.) Figure 155: Call schedule summary (CALL SCHEDULE screen). Table 106 describes the fields in Figure 155. Table 106: Call Schedule Summary. Label / Description. #: This is the call schedule set number. Name: Th
88. client user, up to 31 characters. New Password: Type a password for the client user, up to 31 characters. Note that as you type a password, the screen displays an asterisk (*) for each character you type. Retype to Confirm: Retype the client user password for confirmation. Apply: Click Apply to save your changes to the Business Secure Router. Reset: Click Reset to begin configuring this screen afresh. Predefined NTP time server list: The Business Secure Router uses the predefined list of NTP time servers listed in Table 11 if you do not specify a time server or if it cannot synchronize with the time server you specified. The Business Secure Router can use this predefined list of time servers regardless of the Time Protocol you select. (Page 90, Chapter 5: System screens.) When the Business Secure Router uses the predefined list of NTP time servers, it randomly selects one server and tries to synchronize with it. If the synchronization fails, then the Business Secure Router goes through the rest of the list in order from the first one tried until either it is successful or all the predefined NTP time servers have been tried. Table 11: Default Time Servers: a.ntp.alphazed.net, ntp1.cs.wisc.edu, ntp1.gbg.netnod.se, ntp2.cs.wisc.edu, tock.usno.navy.mil, ntp3.cs.wisc.edu, ntp.cs.strath.ac.uk, ntp1.sp.se, time1.stupi.se
89. (List of figures, partly unreadable in this excerpt.) Figure 11: Internet connection with ENET ENCAP, 62. Figure 12: Internet connection with PPPoE, 63. Figure 13: Wizard DONE, 66. Figure 14: Wizard LAN configuration, 67. Figure 15: Wizard screen (title partly unreadable), 69. Figure 16: Private DNS server example, 82. Figure 17: System general setup, 83. Figure 18: DDNS, 86. Figure 19: Password, 88. Figure 20: Time and Date, 91. Figure 21: (title unreadable), 94. Figure 22: (title unreadable), 100. Figure 23: Static DHCP, 104. Figure 24: (title unreadable), 105. Figure 25: WAN Route, 108. Figure 26: WAN, WAN ISP, 111. Figure 27: (title unreadable), 114. Figure 28: Traffic Redirect WAN Setup, 117. Figure 29: Traffic Redirect LAN Setup, 118. (Page 18, Figures.) Figure 30, Figure 31, Figure 32, Figure 33, Figure 34, Figure 35, Figure 36, Figur
90. contiguous addresses in the IP address pool. The default is 192.168.1.2. Pool Size: This field specifies the size, or count, of the IP address pool. The default is 126. DHCP Server Address: Type the IP address of the DHCP server in dotted decimal notation, like 192.168.1.5. DNS Servers Assigned by DHCP Server: The Business Secure Router passes a DNS (Domain Name System) server IP address, in the order you specify here, to the DHCP clients. The Business Secure Router only passes this information to the LAN DHCP clients when you select the DHCP Server check box. When you clear the DHCP Server check box, DHCP service is disabled and you must have another DHCP server on your LAN, or else the computers must have their DNS server addresses manually configured. (Page 102, Chapter 6: LAN screens.) Table 14: LAN IP. Label / Description. First DNS Server, Second DNS Server, Third DNS Server: Select From ISP if your ISP dynamically assigns DNS server information (and the Business Secure Router's WAN IP address). The field to the right displays the (read-only) DNS server IP address that the ISP assigns. Select User-Defined if you have the IP address of a DNS server. Enter the DNS server's IP address in the field to the right. Select DNS Relay to have the Business Secure Router act as a DNS proxy. The Business Secure Router's LAN IP address displays in
91. customized rules take precedence and override the Business Secure Router default rules. (Chapter 11: Firewall screens, page 171.) Rule logic overview. Note: Study these points carefully before configuring rules. Rule checklist: 1. State the intent of the rule. For example, "This restricts all IRC access from the LAN to the Internet" or "This allows a remote Lotus Notes server to synchronize over the Internet to an inside Notes server." 2. Is the intent of the rule to forward or block traffic? 3. What direction of traffic does the rule apply to? 4. What IP services are affected? 5. What computers on the LAN are affected, if any? 6. What computers on the Internet are affected? The more specific the better. For example, if traffic is allowed from the Internet to the LAN, it is better to allow only certain machines on the Internet to access the LAN. Security ramifications: Once the logic of the rule has been defined, it is critical to consider the security ramifications created by the rule. 1. Does this rule stop LAN users from accessing critical resources on the Internet? For example, if IRC is blocked, are there users that require this service? 2. Is it possible to modify the rule to be more specific? For example, if IRC is blocked for all users, a rule that blocks just certain users can be more effective. 3. Does a rule that allows Internet users access to resources on the LAN create a security
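The rule checklist and the security ramifications above can be turned into a mechanical pre-deployment review. The following Python helper is an added example, not the Business Secure Router's own code or any vendor tool: the function `review_rule()`, the rule dictionary fields (intent, action, direction, services, src, dst) and the three sample rules in `SAMPLE_RULES` are constructed for this example, using the page's own IRC and Lotus Notes scenarios.

```python
"""Checklist review for firewall rules, following the rule logic overview.

Added example, not the Business Secure Router's own code. It applies the
checklist questions (intent, forward or block, direction, IP services,
LAN and Internet hosts, specificity) to rule records and returns the
security ramifications a reviewer should look at. The rule fields and
the sample rules are constructed for this example.
"""
import ipaddress

ANY_HOST = ipaddress.ip_network("0.0.0.0/0")


def review_rule(rule):
    """Return the list of checklist findings for one rule dict.

    Expected keys (constructed for this example):
      intent     - free text stating what the rule is for
      action     - "forward" or "block"
      direction  - "WAN to LAN" or "LAN to WAN"
      services   - list such as ["tcp/6667"], or ["any"]
      src, dst   - CIDR strings; "0.0.0.0/0" means any host
    """
    findings = []
    if not rule.get("intent", "").strip():
        findings.append("no stated intent; say what the rule is for")
    if rule["action"] not in ("forward", "block"):
        findings.append("action must be forward or block")
    if rule["direction"] not in ("WAN to LAN", "LAN to WAN"):
        findings.append("direction must be WAN to LAN or LAN to WAN")
    src = ipaddress.ip_network(rule["src"])
    dst = ipaddress.ip_network(rule["dst"])
    any_service = "any" in rule["services"]

    if rule["direction"] == "WAN to LAN" and rule["action"] == "forward":
        # Allowing Internet hosts into the LAN: be as specific as possible.
        if src == ANY_HOST:
            findings.append("allows any Internet host into the LAN; "
                            "limit the source to specific machines")
        if dst.num_addresses > 1:
            findings.append("exposes more than one LAN host; "
                            "limit the destination to the server that needs it")
        if any_service:
            findings.append("allows every IP service; list the services affected")
    if rule["direction"] == "LAN to WAN" and rule["action"] == "block":
        # Blocking LAN users: check whether some users still need the service.
        if src.num_addresses > 1:
            findings.append("blocks the service for all LAN users; consider "
                            "blocking only the users who should not have it")
        if any_service:
            findings.append("blocks every service to the Internet; "
                            "confirm no critical resources are cut off")
    return findings


# Constructed sample rules modelled on the page's IRC and Lotus Notes examples.
SAMPLE_RULES = [
    {"name": "irc-block",
     "intent": "Restrict all IRC access from the LAN to the Internet",
     "action": "block", "direction": "LAN to WAN",
     "services": ["tcp/6667"], "src": "192.168.1.0/24", "dst": "0.0.0.0/0"},
    {"name": "notes-sync",
     "intent": "Allow the remote Lotus Notes server to sync with the inside server",
     "action": "forward", "direction": "WAN to LAN",
     "services": ["tcp/1352"], "src": "203.0.113.25/32", "dst": "192.168.1.20/32"},
    {"name": "open-inbound",
     "intent": "",
     "action": "forward", "direction": "WAN to LAN",
     "services": ["any"], "src": "0.0.0.0/0", "dst": "192.168.1.0/24"},
]


def review_all(rules=SAMPLE_RULES):
    """Map each rule name to its findings; an empty list means it passed."""
    return {r["name"]: review_rule(r) for r in rules}


if __name__ == "__main__":
    for name, findings in review_all().items():
        print(name, "->", findings or "ok")
```

The "notes-sync" rule passes because it names one Internet host, one LAN server and one service; "irc-block" is flagged only for the checklist's second question about whether some users still need the service; the intent-less "open-inbound" rule collects a finding for every checklist item it ignores.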
92. did not have a default route. "vulnerability ICMP type %d code %d": The firewall detected an ICMP vulnerability attack. "traceroute ICMP type %d code %d": The firewall detected an ICMP traceroute attack. For type and code details, see Table 130. Table 128: Access Logs. Log Message / Description. "Firewall default policy: TCP (set %d)": TCP access matched the default policy of the listed ACL set and the Business Secure Router blocked or forwarded it according to the configuration of the ACL set. "Firewall default policy: UDP (set %d)": UDP access matched the default policy of the listed ACL set and the Business Secure Router blocked or forwarded it according to the configuration of the ACL set. (Appendix B: Log Descriptions, page 435.) Table 128: Access Logs (continued). "Firewall default policy: ICMP (set %d, type %d, code %d)": ICMP access matched the default policy of the listed ACL set and the Business Secure Router blocked or forwarded it according to the configuration of the ACL set. "Firewall default policy: IGMP (set %d)": IGMP access matched the default policy of the listed ACL set and the Business Secure Router blocked or forwarded it according to the configuration of the ACL set. "Firewall default policy: ESP (set %d)": ESP access matched the default policy of the listed ACL set a
93. exchange public keys for use in authentication. A Certification Authority (CA) issues certificates and guarantees the identity of each certificate owner. There are commercial certification authorities like CyberTrust or VeriSign and government certification authorities. You can use the Business Secure Router to generate certification requests that contain identifying information and public keys and then send the certification requests to a certification authority. In public-key encryption and decryption, each host has two keys. One key is public and can be made openly available; the other key is private and must be kept secure. Public-key encryption in general works as follows. 1. Tim wants to send a private message to Jenny. 2. Tim generates a public key pair. What is encrypted with one key can only be decrypted using the other. 3. Tim keeps the private key and makes the public key openly available. 4. Tim uses his private key to encrypt the message and sends it to Jenny. 5. Jenny receives the message and uses Tim's public key to decrypt it. 6. Additionally, Jenny uses her own private key to encrypt a message and Tim uses Jenny's public key to decrypt the message. (Page 262, Chapter 14: Certificates.) The Business Secure Router uses certificates based on public-key cryptology to authenticate users attempting to establish a connection, not to encrypt the data that is sent after estab
94. for this VPN tunnel. You must have certificates already configured in the My Certificates screen. Click My Certificates to go to the My Certificates screen, where you can view the Business Secure Router's list of certificates. Local ID Type: Select IP to identify this Business Secure Router by its IP address. Select DNS to identify this Business Secure Router by a domain name. Select E-mail to identify this Business Secure Router by an e-mail address. Local Content: When you select IP in the Local ID Type field, type an IP address or leave the field blank to have the Business Secure Router automatically use its own IP address. When you select DNS in the Local ID Type field, type a domain name (up to 31 characters) by which to identify this Business Secure Router. When you select E-mail in the Local ID Type field, type an e-mail address (up to 31 characters) by which to identify this Business Secure Router. The IP address, domain name or e-mail address that you use in the Content field is used for identification purposes only and does not need to be a real domain name or e-mail address. Peer ID Type: Select IP to identify the remote IPSec router by its IP address. Select DNS to identify the remote IPSec router by a domain name. Select E-mail to identify the remote IPSec router by an e-mail address. (Page 228, Chapter 13: VPN.) Table 54: VPN Br
95. from Business Secure Router A: one to branch office 2, one to branch office 3 and another to headquarters (HQ). In order to access computers that use private domain names on the HQ network, the Business Secure Router at branch office 1 uses the Intranet DNS server in headquarters. Figure 16: Private DNS server example (figure labels: ISP DNS Servers 212.54.64.170 and 212.54.64.171; LAN; HQ; Remote; Intranet DNS 10.1.1.10; Private DNS 10.1.1.10; VPN Tunnel; 192.168.1.1; 10.1.1.1). Note: If you do not specify an Intranet DNS server on the remote network, then the VPN host must use IP addresses to access the computers on the remote private network. Configuring General Setup: Click SYSTEM to open the General screen. (Chapter 5: System screens, page 83.) Figure 17: System general setup (SYSTEM General screen: System Name; Domain Name; Administrator Inactivity Timer, 5 minutes, 0 means no timeout; System DNS Servers: First DNS Server, Second DNS Server, Third DNS Server, each From ISP, 0.0.0.0; Apply; Reset). Table 8 describes the fields in Figure 17. Table 8: System general setup. Label / Description. System Name: Choose a descriptive name for identification purposes. Nortel recommends that yo
96. from the LAN. Refer to Problems with the LAN interface on page 412 for instructions about checking your LAN connection. Refer to Problems with the WAN interface on page 413 for instructions about checking your WAN connection. See also Problems with the WebGUI on page 415. (Page 416, Appendix A: Troubleshooting.) Allowing Pop-up Windows, JavaScript and Java Permissions: In order to use the WebGUI you must allow: web browser pop-up windows from your device; JavaScript; Java permissions. Internet Explorer Pop-up Blockers. Note: Internet Explorer 6 screens are used here. Screens for other Internet Explorer versions vary. Disable pop-up blocking to log on to your device if necessary. Either disable pop-up blocking (enabled by default in Windows XP SP2, Service Pack 2) or enable pop-up blocking and create an exception for your device IP address. Allowing Pop-ups: 1. In Internet Explorer, select Tools, Pop-up Blocker and then select Turn Off Pop-up Blocker. Figure 171: Pop-up Blocker (Tools menu: Mail and News, Pop-up Blocker, Manage Add-ons, Synchronize, Windows Update, Windows Messenger, Internet Options). You can also check if pop-up blocking is disabled in the Pop-up Blocker section in the Privacy tab. (Appendix A: Troubleshooting, page 417.) 1. In Internet Explorer, select Tools, Inte
97. in this tab. Note: When there is outbound traffic but no inbound traffic, the SA times out automatically after two minutes. A tunnel with no outbound or inbound traffic is idle and does not time out until the SA lifetime period expires. See the section Keep Alive on page 212 about keep alive to have the Business Secure Router renegotiate an IPSec SA when the SA lifetime expires, even if there is no traffic. [Nortel Business Secure Router 252 Configuration Basics, page 246, Chapter 13 VPN] VPN Summary: Current IPSec Security Associations. Figure 76: VPN SA Monitor (SA Monitor screen with Global Setting and Client Termination sections, columns Name, Connection Type, Local IP Address, Remote IP Address, Encapsulation and IPSec Algorithm, and Refresh and Disconnect buttons). Table 58 describes the fields in Figure 76. Table 58: VPN SA Monitor. Label / Description. (first column): This is the security association index number. Name: This field displays the identification name for this VPN policy. Connection Type: This field displays whether this is a connection to another IPSec router or to a Contivity VPN client. Local IP Address: This field displays the IP address of the computer using the VPN IPSec feature of your Business Secure Router. Remote IP Address: This field displays the IP address (in a range) of computers on the remote network behind the remote IPSec router. Encapsulation: This field displays Tunnel or
98. is coming into the Business Secure Router LAN from the WAN. Outgoing refers to traffic that is going out from the Business Secure Router LAN to the WAN. Amount: This column lists how much traffic has been sent and received for each protocol or service port. The measurement unit shown (bytes, Kilobytes, Megabytes or Gigabytes) varies with the amount of traffic for the particular protocol or service port. The count starts over at 0 if a protocol or port passes the bytes count limit (see Table 105 on page 385). Viewing LAN IP address: In the Reports screen, select LAN IP Address from the Report Type drop-down list to have the Business Secure Router record and display the LAN IP addresses that the most traffic has been sent to and from, and how much traffic has been sent to and from those IP addresses. Note: Computers take turns using dynamically assigned LAN IP addresses. The Business Secure Router continues recording the bytes sent to or from a LAN IP address when it is assigned to a different computer. [Nortel Business Secure Router 252 Configuration Basics, page 384, Chapter 20 Logs Screens] Figure 154: LAN IP address report example (LOGS screen, Reports tab, with the Collect Statistics and Send Raw Traffic Statistics to Syslog Server for Analysis check boxes, Report Type set to LAN IP Address, Refresh and Flush buttons, and columns IP Address, Direction, Amount; the first row shown is 192.168.1.3, Outgoing, 52
99. is probably adequate for most networks unless you have an unusual network topology. Both RIP-2B and RIP-2M send the routing data in RIP-2 format, the difference being that RIP-2B uses subnet broadcasting while RIP-2M uses multicasting. Multicasting can reduce the load on non-router machines because they generally do not listen to the RIP multicast address and so do not receive the RIP packets. However, if one router uses multicasting, then all routers on your network must use multicasting also. [NN47923-500, Chapter 7 WAN screens, page 123] Table 21: Dial Backup Setup. Label / Description. RIP Direction: RIP (Routing Information Protocol) allows a router to exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets. Choose Both, In Only or Out Only. When set to Both or Out Only, the Business Secure Router broadcasts its routing table periodically. When set to Both or In Only, the Business Secure Router incorporates RIP information that it receives. Broadcast Dial Backup Route: Select this check box to forward the backup route broadcasts to the WAN. Enable Multicast: Select this check box to turn on IGMP (Internet Group Multicast Protocol). IGMP is a network layer protocol used to establish membership in a Multicast group; it is not used to carry user data. Multicast Version: Select IGMP-v1 or IGMP-v2. IGMP version 2 (RFC 2236) is an impr
100. is the data channel. RCMD, TCP 512: Remote Command Service. REAL_AUDIO, TCP 7070: A streaming audio service that enables real-time sound over the web. REXEC, TCP 514: Remote Execution Daemon. RLOGIN, TCP 513: Remote Logon. RTELNET, TCP 107: Remote Telnet. RTSP, TCP/UDP 554: The Real Time Streaming (media control) Protocol (RTSP) is a remote control for multimedia on the Internet. SFTP, TCP 115: Simple File Transfer Protocol. SMTP, TCP 25: Simple Mail Transfer Protocol is the message exchange standard for the Internet. SMTP enables you to move messages from one e-mail server to another. SNMP, TCP/UDP 161: Simple Network Management Program. SNMP-TRAPS, TCP/UDP 162: Traps for use with the SNMP (RFC 1215). SQL-NET, TCP 1521: Structured Query Language is an interface to access data on many different types of database systems, including mainframes, midrange systems, UNIX systems and network servers. [NN47923-500, Chapter 11 Firewall screens, page 189, Alerts] Table 40: Predefined services. Service / Description. SIP-V2, UDP 5060: The Session Initiation Protocol (SIP) is an application-layer control (signaling) protocol that handles the setting up, altering and tearing down of voice and multimedia sessions over the Internet. SIP is used in VoIP (Voice over IP), the sending of voice signals over the Internet Protocol. SSH, TCP/UDP 22
101. [title garbled] 134; Table 25 Services and port numbers 136; Table 26 SUA/NAT [title garbled] 138; Table 27 Address Mapping 140; Table 28 Address Mapping edit 142; Table 29 Trigger Port 146; [Nortel Business Secure Router 252 Configuration Basics, page 24, Tables] Table 30 IP Static Route Summary 149; Table 31 Edit IP Static Route 150; Table 32 Common IP Ports 157; Table 33 ICMP commands that trigger alerts 160; Table 34 Legal NetBIOS commands 160; Table 35 Legal SMTP commands 161; Table 36 Firewall rules summary First screen 176; Table 37 Creating and editing a firewall rule 179; Table 38 Adding or editing source and destination addresses 181; Table 39 Creating/Editing A Custom Port 182; Table 40 Predefine
102. keys; see Chapter 14 Certificates on page 261 for more information. HTTPS on the Business Secure Router is used so that you can securely access the Business Secure Router using the WebGUI. The SSL protocol specifies that the SSL server (the Business Secure Router) must always authenticate itself to the SSL client (the computer that requests the HTTPS connection with the Business Secure Router), whereas the SSL client only authenticates itself when the SSL server requires it to do so (select Authenticate Client Certificates in the REMOTE MGMT WWW screen). Authenticate Client Certificates is optional and, if selected, means the SSL client must send the Business Secure Router a certificate. You must apply for a certificate for the browser from a trusted CA on the Business Secure Router. Refer to Figure 110 about HTTPS implementation. 1. HTTPS connection requests from an SSL-aware Web browser go to port 443 (by default) on the Business Secure Router WS (Web server). 2. HTTP connection requests from a Web browser go to port 80 (by default) on the Business Secure Router WS (Web server). [Nortel Business Secure Router 252 Configuration Basics, page 332, Chapter 18 Remote management screens] Figure 110: HTTPS implementation (diagram showing HTTPS arriving at port 443 and HTTP at port 80 on the WS). Note: If you disable HTTP (Server Access Disable) in the REMOTE MGMT WWW screen, the Business Secure Router blocks all HTTP connection attempts. Configuring WWW: To change your
103. means that there can only be one certification authority in the certification path. CRL Distribution Points: This field displays how many directory servers with lists of revoked certificates the issuing certification authority of this certificate makes available. This field also displays the domain names or IP addresses of the servers. MD5 Fingerprint: This is the message digest of the certificate that the Business Secure Router calculated using the MD5 algorithm. You can use this value to verify with the certification authority (over the phone, for example) that this is actually a valid certificate. SHA1 Fingerprint: This is the message digest of the certificate that the Business Secure Router calculated using the SHA1 algorithm. You can use this value to verify with the certification authority (over the phone, for example) that this is actually a valid certificate. [NN47923-500, Chapter 14 Certificates, page 285] Table 70: Trusted CA details. Label / Description. Certificate in PEM (Base-64) Encoded Format: This read-only text box displays the certificate or certification request in Privacy Enhanced Mail (PEM) format. PEM uses 64 ASCII characters to convert the binary certificate into a printable form. You can copy and paste the certificate into an e-mail to send to friends or colleagues, or you can copy and paste the certificate into a text editor and save the file on a management computer for later dis
104. network topology inside the firewall. 4. Often many DoS attacks also employ a technique known as IP Spoofing as part of their attack. IP Spoofing can be used to break into systems, to hide the hacker's identity, or to magnify the effect of the DoS attack. IP Spoofing is a technique used to gain unauthorized access to computers by tricking a router or firewall into thinking that the communications are coming from within the trusted network. To engage in IP spoofing, a hacker must modify the packet headers so that it appears that the packets originate from a trusted host and are allowed through the router or firewall. The Business Secure Router blocks all IP Spoofing attempts. Stateful inspection: With stateful inspection, fields of the packets are compared to packets that are already known to be trusted. For example, if you access an outside service, the proxy server remembers things about your original request, like the port number and source and destination addresses. This remembering is called saving the state. When the outside system responds to your request, the firewall compares the received packets with the saved state to determine if they are allowed in. The Business Secure Router uses stateful packet inspection to protect the private LAN from hackers and vandals on the Internet. By default, the Business Secure Router stateful inspection allows all communications to the Internet that originate from the LAN, and blocks all traffic to the LAN th
105. of GetNext operations. Set: Allows the manager to set values for object variables within an agent. Trap: Used by the agent to inform the manager of some events. Supported MIBs: The Business Secure Router supports MIB II, which is defined in RFC 1213 and RFC 1215. The focus of the MIBs is to let administrators collect statistical data and monitor status and performance. SNMP Traps: The Business Secure Router sends traps to the SNMP manager when any one of the following events occurs. Table 93: SNMP traps. Trap / Trap Name / Description. 0, coldStart (defined in RFC 1215): A trap is sent after booting (power on). 1, warmStart (defined in RFC 1215): A trap is sent after booting (software reboot). 4, authenticationFailure (defined in RFC 1215): A trap is sent to the manager when receiving any SNMP get or set requirements with the wrong community (password). 6, whyReboot (defined in MIB): A trap is sent with the reason of restart before rebooting when the system is going to restart (warm start). 6a, For intentional reboot: A trap is sent with the message "System reboot by user" if reboot is done intentionally (for example, download new files, CI command "sys reboot"). 6b, For fatal error: A trap is sent with the message of the fatal code if the system reboots because of fatal errors. [Nortel Business Secure Router 252 Configuration Basics, page 356, Chapter 18 Remote management screens] REMOTE M
106. of received advertisements and out applies to generated advertisements. [NN47923-500, Chapter 4 User Notes, page 75] The number controls the operating mode: None (disabled), RIP-1 only, RIP-2 only, Both RIP-1 and RIP-2. Advanced Router Configuration: The following notes are intended to help with advanced router configuration. Setting up the router when the system has a server: 1. If you are using a Full Feature NAT configuration, first do the following: a. In SUA/NAT, Address Mapping, add a Server rule specifying the Public IP address of the server. 2. For both SUA Only and Full Feature NAT configurations, do the following: a. In SUA/NAT, SUA Server, add the server private IP address and port number(s) to the SUA/NAT Server table. b. In FIREWALL, add a WAN to LAN rule. c. If the service is not in the list of available services, add it as a Custom Port. d. Add the rule, selecting the service and entering the server IP address as the destination IP address. Connecting two sites to establish a virtual private network: The recommended method to do this is through a branch-to-branch IPSec tunnel. 1. In VPN, Summary, add a new tunnel by editing an unused rule. Create an Active Branch Office tunnel. a. Select Nailed Up if the tunnel should not be closed while not in use. [Nortel Business Secure Router 252 Configuration Basics, page 76, Chapter 4 User Notes] b. Enter the authentication information with either
107. of the certificate that the Business Secure Router calculated using the SHA1 algorithm. [NN47923-500, Chapter 14 Certificates, page 277] Table 67: My Certificate details. Label / Description. Certificate in PEM (Base-64) Encoded Format: This read-only text box displays the certificate or certification request in Privacy Enhanced Mail (PEM) format. PEM uses 64 ASCII characters to convert the binary certificate into a printable form. You can copy and paste a certification request into a certification authority Web page, an e-mail that you send to the certification authority, or a text editor, and save the file on a management computer for later manual enrollment. You can copy and paste a certificate into an e-mail to send to friends or colleagues, or you can copy and paste a certificate into a text editor and save the file on a management computer for later distribution (through floppy disk, for example). Export: Click this button and then Save in the File Download screen. The Save As screen displays; browse to the location that you want to use and click Save. Apply: Click Apply to save your changes to the Business Secure Router. You can only change the name, except in the case of a self-signed certificate, which you can also set to be the default self-signed certificate that signs the imported trusted remote host certificates. Cancel: Click Cancel to quit and return to the My Certificates screen.
108. or else the computer must be manually configured. DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132). IP pool setup: The Business Secure Router is preconfigured with a pool of IP addresses for the client machines. Wizard setup configuration, third screen: 1. Verify the settings in the following screen. To change the LAN information on the Business Secure Router, click Change LAN Configurations. Otherwise, click Save Settings to save the configuration and skip to Test your Internet connection on page 69. [Nortel Business Secure Router 252 Configuration Basics, page 66, Chapter 3 Wizard setup] Figure 13: Wizard Screen 3 (Wizard Setup screen showing ISP Parameters for Internet Access, WAN Information: Mode Routing, Encapsulation PPPoE, Multiplexing LLC, VPI/VCI 0/33, Service Name, User Name, Password, IP Address 0.0.0.0, Network Address Translation None, Connect on Demand with Max Idle Timeout 100 sec; LAN Information: IP Address 192.168.1.1, IP Mask 255.255.255.0, DHCP Server, Client IP Pool Starting Address 192.168.1.2, Size of Client IP Pool 126, DHCP Server Address 0.0.0.0; Change LAN Configuration and Save Settings buttons). 2. To change your Business Secure Router LAN settings, click Change LAN Configuration to display the following screen. Note: If you change the Business Secure Router LAN IP address, you must use the new IP address to access the WebGUI again. [NN47923-500, Chapter 3 Wizard setup, page 6
109. packets. When set to Both or Out Only, the Business Secure Router broadcasts its routing table periodically. When set to Both or In Only, it incorporates the RIP information that it receives; when set to None, it does not send any RIP packets and ignores any RIP packets received. RIP Version controls the format and the broadcasting method of the RIP packets that the Business Secure Router sends (it recognizes both formats when receiving). RIP-1 is universally supported, but RIP-2 carries more information. RIP-1 is probably adequate for most networks unless you have an unusual network topology. [NN47923-500, Chapter 6 LAN screens, page 99] Both RIP-2B and RIP-2M send routing data in RIP-2 format, the difference being that RIP-2B uses subnet broadcasting while RIP-2M uses multicasting. Multicasting can reduce the load on non-router machines, since they generally do not listen to the RIP multicast address and so do not receive the RIP packets. However, if one router uses multicasting, then all routers on your network must use multicasting also. By default, RIP Direction is set to Both and RIP Version to RIP-1. Multicast: Traditionally, IP packets are transmitted in one of two ways: Unicast (1 sender, 1 recipient) or Broadcast (1 sender, everybody on the network). Multicast delivers IP packets to a group of hosts on the network (not everybody and not just 1). IGMP (Internet Group Multicast Protocol) is a network layer protocol used to establish
110. private key pairs. Certificates provide a way to exchange public keys for use in authentication. SSH: The Business Secure Router uses the SSH (Secure Shell) secure communication protocol to provide secure encrypted communication between two hosts over an unsecured network. HTTPS: HyperText Transfer Protocol over Secure Socket Layer, or HTTP over SSL, is a web protocol that encrypts and decrypts web sessions. Use HTTPS for secure WebGUI access to the Business Secure Router. IEEE 802.1x for network security: The Business Secure Router supports the IEEE 802.1x standard for user authentication. With the local user profile in the Business Secure Router, you can configure up to 32 user profiles without a network authentication server. In addition, centralized user and accounting management is possible on an optional network authentication server. Firewall: The Business Secure Router has a stateful inspection firewall with DoS (Denial of Service) protection. By default, when the firewall is activated, all incoming traffic from the WAN (Wide Area Network) to the LAN is blocked unless it is initiated from the LAN. The Business Secure Router firewall supports TCP/UDP inspection, DoS detection and protection, real-time alerts, reports and logs. [Nortel Business Secure Router 252 Configuration Basics, page 38, Chapter 1 Getting to know your Business Secure Router] Brute-force password guessing protection: The Business Secure Router has a special
111. protection mechanism to discourage brute-force password guessing attacks on the Business Secure Router management interfaces. You can specify a wait time that must expire before you can enter a fourth password after entering three incorrect passwords. Content filtering: The Business Secure Router can block web features such as ActiveX controls, Java applets and cookies, as well as disable web proxies. The Business Secure Router can block specific URLs by using the keyword feature. The administrator can also define time periods and days during which content filtering is enabled. Packet filtering: The packet filtering mechanism blocks unwanted traffic from entering or leaving your network. Universal Plug and Play (UPnP): Using the standard TCP/IP protocol, the Business Secure Router and other UPnP-enabled devices can dynamically join a network, obtain an IP address and convey their capabilities to other devices on the network. Call scheduling: Configure call time periods to restrict and allow access for users on remote nodes. PPPoE: PPPoE facilitates the interaction of a host with an Internet modem to achieve access to high-speed data networks through a familiar dial-up networking user interface. [NN47923-500, Chapter 1 Getting to know your Business Secure Router, page 39] Dynamic DNS support: With Dynamic DNS (Domain Name System) support, you can have a static host name alias for a dynamic IP address, so the host is more easily a
112. rule 6 (if there is one) becomes rule 7. 3. Click Insert to display the firewall rule configuration screen. Figure 56: Firewall edit rule screen example (FIREWALL EDIT RULE screen: Packet Direction WAN to LAN, Active check box, Source Address and Destination Address lists (both Any) with SrcAdd/SrcEdit/SrcDelete and DestAdd/DestEdit/DestDelete buttons, Available Services and Selected Services lists (for example AIM/NEW_ICQ TCP 5190, BOOTP_CLIENT UDP 68, BOOTP_SERVER UDP 67), Custom Port Add/Edit/Delete buttons, Action for Matched Packets set to Forward, Log and Alert check boxes, Apply and Cancel). 4. Select WAN to LAN as the Packet Direction. 5. Select Any in the Destination Address box and then click DestEdit. [Nortel Business Secure Router 252 Configuration Basics, page 184, Chapter 11 Firewall screens] 6. Configure the Firewall Rule Edit IP screen as follows and click Apply. Figure 57: Firewall rule edit IP example (FIREWALL EDIT RULE EDIT IP screen: Address Type Range Address, Start IP Address x.0.0.10 and End IP Address x.0.0.15 (first octet illegible in the screenshot), Subnet Mask, Apply, Cancel). 7. In the firewall rule configuration screen, click Add under Custom Port to open the Edit Custom Port screen. Configure it as shown in Figure 58 and click Apply. Figure 58: Edit custom port example (FIREWALL EDIT RULE EDIT CUSTOM PORT screen: Service Name My Service, Service Type TCP/UDP, Port Configuration Type Single or Ra
113. screens to view online help. Note: The help icon does not appear in the MAIN MENU screen. [Nortel Business Secure Router 252 Configuration Basics, page 50, Chapter 2 Introducing the WebGUI] Figure 6: MAIN MENU Screen (NORTEL WebGUI with a Contact link; MAIN MENU links SYSTEM, LAN, WAN, SUA/NAT, STATIC ROUTE, FIREWALL, CONTENT FILTER, VPN, CERTIFICATES, BW MGMT, 802.1x, AUTH SERVER, REMOTE MGMT, UPnP, LOGS, CALL SCHEDULE; Status: Ready). Click WIZARD to configure your system for Internet access. Click MAINTENANCE to access a range of maintenance menus. Click any link under MAIN MENU to configure advanced settings. Click LOGOUT to exit the WebGUI. Click the Contact link to display the customer support contact information. Figure 7 is a sample of what displays. [NN47923-500, Chapter 2 Introducing the WebGUI, page 51] Figure 7: Contact Support (Contact NORTEL NETWORKS Technical Support Contact Numbers. USA and Canada Authorized Distributors: Nortel Networks Global Networks Technical Support (GNTS), Telephone 1-800-4NORTEL (1-800-466-7835). If you already have a PIN Code, you can enter Express Routing Code (ERC) 1964. If you do not yet have a PIN Code, or for general questions and first line support, you can enter ERC 3384. Presales Support (CSAN), Telephone 1-800-4NORTEL (1-800-466-7835); use Express Routing Code (ERC) 10634. EMEA (Europe, Middle East, Africa): Country, Call Center Phone Number
114. serial numbers. 23: Time interval is not continuous. 24: Time information not available. 25: Database method failed due to timeout. 26: Database method failed. 27: Path was not verified. 28: Maximum path length reached. [NN47923-500, Appendix B Log Descriptions, page 449] Table 137: IEEE 802.1X Logs. Log Message / Description. "Local User Database accepts user.": A user was authenticated by the local user database. "Local User Database reports user credential error.": A user was not authenticated by the local user database because of an incorrect user password. "Local User Database does not find user's credential.": A user was not authenticated by the local user database because the user is not listed in the local user database. "RADIUS accepts user.": A user was authenticated by the RADIUS Server. "RADIUS rejects user. Pls check RADIUS Server.": A user was not authenticated by the RADIUS Server. Check the RADIUS Server. "Local User Database does not support authentication method.": The local user database only supports the EAP-MD5 method. A user tried to use another authentication method and was not authenticated. "User logout because of Session timeout expired.": The router logged off a user whose session expired. (Fragment of a further row: "... authentication response from user".) "User logout because of user deassociat...": The router logged off a user who ended the
115. signed [label fragment: "... certificate that ... signs the ..."] ... the Business Secure Router. This check box is only available with self-signed certificates. If this check box is already selected, you cannot clear it in this screen; you must select this check box in the details screen of another self-signed certificate. This automatically clears the check box in the details screen of the certificate that was previously set to sign the imported trusted remote host certificates. Certification Path: Click the Refresh button to have this read-only text box display the hierarchy of certification authorities that validate the certificate and the certificate itself. If the issuing certification authority is one that you have imported as a trusted certification authority, it can be the only certification authority in the list (along with the certificate itself). If the certificate is a self-signed certificate, the certificate itself is the only one in the list. The Business Secure Router does not trust the certificate and displays "Not trusted" in this field if any certificate on the path has expired or been revoked. Refresh: Click Refresh to display the certification path. Certificate Information: These read-only fields display detailed information about the certificate. Type: This field displays general information about the certificate. CA-signed means that a Certification Authority signed the certificate. Self-signed means that the owner of the certificate sig
116. [title garbled] 377; [title garbled] 380; Web site hits report 381; Protocol/Port Report 383; LAN IP Address Report 384; Report Specifications 385; Call Schedule Summary 388; Call schedule GUI 390; System Status 396; System Status: Show Statistics 398; DHCP Table 400; [title garbled] 401; Firmware upload 403; Restore configuration 407; Troubleshooting the Start-Up of your Business Secure Router 411; Troubleshooting the LAN LED 412; Troubleshooting the LAN interface 412; Troubleshooting the WAN Interface 413; Troubleshooting Internet access 413; Troubleshooting Web Site Internet Access 414; Troubleshooting the password 414; Troubleshooting the WebGUI 415; Troubleshooting Remote Management 415; System Error Logs 431; System Maintena
117. that don't match firewall rules: Block / Forward. Log packets that don't match these rules. (Rule list columns: Source, Destination, Service, ...; controls: Insert New Rule Before Rule Number, Move Selected Rule (select an Index Number) To Rule Number, Edit Selected Rule, Delete Selected Rule, Apply, Reset.) Table 36 describes the fields in Figure 52. Table 36: Firewall rules summary, First screen. Label / Description. Enable Firewall: Select this check box to activate the firewall. The Business Secure Router performs access control and protects against Denial of Service (DoS) attacks when the firewall is activated. The firewall allows traffic to go through your VPN tunnels. [NN47923-500, Chapter 11 Firewall screens, page 177] Table 36: Firewall rules summary, First screen (continued). Label / Description. Bypass Triangle Route: Select this check box to have the Business Secure Router permit the use of asymmetrical route topology on the network (not reset the connection). Firewall Rules Storage Space in Use: This read-only bar shows how much of the Business Secure Router's memory for recording firewall rules is currently being used. The bar turns from green to red when the maximum is approached. You can typically configure up to ten rules per traffic direction. Packet Direction: Use the drop-down list to select a direction of travel of packets for which you want to display firewall rules. Block/Forw
118. the field to the right read-only. The Business Secure Router tells the DHCP clients on the LAN that the Business Secure Router itself is the DNS server. When a computer on the LAN sends a DNS query to the Business Secure Router, the Business Secure Router forwards the query to the Business Secure Router's system DNS server (configured in the SYSTEM General screen) and relays the response to the computer. You can only select DNS Relay for one of the three servers. Select None if you do not want to configure DNS servers. If you do not configure a DNS server, you must know the IP address of a machine in order to access it. LAN TCP/IP. IP Address: Type the IP address of your Business Secure Router in dotted decimal notation (192.168.1.1, factory default). IP Subnet Mask: The subnet mask specifies the network number portion of an IP address. Your Business Secure Router automatically calculates the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use the subnet mask computed by the Business Secure Router (255.255.255.0). RIP Direction: With RIP (Routing Information Protocol, RFC 1058 and RFC 1389), a router can exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets. Select the RIP direction from Both, In Only, Out Only, None. When set to Both or Out Only, the Business Secure Router broadcasts its routing table periodicall
119. the VPN Branch Office Rule Setup screen to identify this VPN policy. Active: This field displays whether the VPN rule is active or not. A Yes signifies that this VPN rule is active. No signifies that this VPN rule is not active. Private/Local/Remote Policy IP Address: These are the IP addresses of the computers that can use the VPN tunnel. Ranges of IP addresses are indicated by the starting and ending IP addresses separated by a dash. You configure these IP addresses in the VPN Branch Office IP Policy screen. This field is empty if you do not configure the VPN branch office rule to use an IP policy. Private IP addresses are IP addresses of computers on your Business Secure Router's local network for which you have configured the IP policy to use NAT for the VPN tunnel. Local IP addresses are the IP addresses of the computers on your Business Secure Router's local network that can use the VPN tunnel. Remote IP addresses are the IP addresses of the computers behind the remote IPSec router that can use the VPN tunnel. When 0.0.0.0 displays, only the remote IPSec router can initiate the VPN. The address 0.0.0.0 displays when the Secure Gateway Address field is configured to 0.0.0.0, or the IP policy's Remote Starting IP Address field is set to 0.0.0.0 in the IP Policy screen. Encap.: This field displays Tunnel or Transport mode. IPSec Algorithm: This field displays the security protocols used for an SA. Both AH and
120. the client is not behind a NAT router, it will be shown as inactive in the VPN Client Monitor. This may confuse some users. [NN47923-500, Chapter 4 User Notes, page 73] VPN Client Termination: 1. Change of User Account Does Not Drop Existing Connections: If a VPN Client user account is de-activated, deleted or changed and that user is currently connected, the connection is not automatically dropped. To drop the connection, the administrator needs to disconnect the user using the Disconnect function in the VPN SA Monitor GUI. This is consistent with other Nortel Contivity products. 2. User Name Restrictions: User names are limited to a maximum length of 63 characters. 3. VPN Client Account Password Restrictions: The password for a VPN Client user cannot contain the single or double quote characters. 4. IP Pool Address Overlap: When defining multiple VPN Client Termination IP pools, the router uses the IP Subnet mask, and not the pool size, to determine if the pools are overlapping. The subnet mask of each pool should be appropriate for the size of the VPN Client Termination IP pool. 5. VPN Client Termination Failure In Specific Addressing Situation: If the Client has an assigned IP address that is the same as the IP address assigned for the Client Tunnel, the connection will fail to be established. 6. VPN Client Termination Configuration Restrictions: This router has some restrictions when compared to larger Contivity Routers
they contain an IP address pair (source and destination); UDP also contains port pairs, and ICMP has type and code information. All of this data can be analyzed in order to build virtual connections in the cache. For instance, any UDP packet that originates on the LAN creates a cache entry in which its IP address and port pairs are stored. For a short period of time, UDP packets from the WAN that have matching IP and UDP information are allowed back in through the firewall.

A similar situation exists for ICMP, except that the Business Secure Router is even more restrictive. Specifically, only outgoing echoes allow incoming echo replies, outgoing address mask requests allow incoming address mask replies, and outgoing timestamp requests allow incoming timestamp replies. No other ICMP packets are allowed in through the firewall, because they are too dangerous and contain too little tracking information. For instance, ICMP redirect packets are never allowed in, since they can be used to reroute traffic through attacking machines.

Upper layer protocols

Some higher layer protocols, such as FTP and RealAudio, utilize multiple network connections simultaneously. In general terms they usually have a control connection, which is used for sending commands between endpoints, and then data connections, which are used for transmitting bulk information. Consider the FTP protocol. A user on the LAN opens a control connection to a server on the Internet and re
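The UDP and ICMP part of the cache described above, as an added illustration that is not the router's own code: a minimal virtual-connection table that admits a WAN packet only when it matches state created by a LAN-originated packet, maps each outgoing ICMP request type to the single reply type it permits, and always drops ICMP redirects. The LAN prefix, the timeouts and the packet sequence are constructed for the example; the manual only says replies are accepted "for a short period of time".

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# ICMP type numbers from RFC 792. The rule in the text: an outgoing request of the
# left-hand type permits only the matching reply type back in.
ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0
ICMP_TIMESTAMP_REQUEST, ICMP_TIMESTAMP_REPLY = 13, 14
ICMP_MASK_REQUEST, ICMP_MASK_REPLY = 17, 18
ICMP_REDIRECT = 5
REPLY_FOR_REQUEST = {
    ICMP_ECHO_REQUEST: ICMP_ECHO_REPLY,
    ICMP_TIMESTAMP_REQUEST: ICMP_TIMESTAMP_REPLY,
    ICMP_MASK_REQUEST: ICMP_MASK_REPLY,
}

# Assumed values; the manual gives no figures for the "short period of time".
UDP_TIMEOUT = 30.0
ICMP_TIMEOUT = 10.0


@dataclass(frozen=True)
class Packet:
    proto: str                      # "udp" or "icmp"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None
    icmp_id: Optional[int] = None   # identifier field of echo/timestamp/mask messages


class StatefulFilter:
    """Virtual-connection cache for the connectionless protocols described above."""

    def __init__(self, lan_prefix: str = "192.168.1.") -> None:
        self.lan_prefix = lan_prefix
        # (lan_ip, lan_port, wan_ip, wan_port) -> expiry time
        self.udp: Dict[Tuple[str, int, str, int], float] = {}
        # (lan_ip, wan_ip, permitted_reply_type, icmp_id) -> expiry time
        self.icmp: Dict[Tuple[str, str, int, int], float] = {}

    def _from_lan(self, ip: str) -> bool:
        return ip.startswith(self.lan_prefix)

    @staticmethod
    def _expire(table: dict, now: float) -> None:
        for key in [k for k, exp in table.items() if exp < now]:
            del table[key]

    def handle(self, pkt: Packet, now: float) -> bool:
        """Return True if the packet is forwarded, False if the firewall drops it."""
        self._expire(self.udp, now)
        self._expire(self.icmp, now)
        outbound = self._from_lan(pkt.src)

        if pkt.proto == "udp":
            if outbound:
                # Any LAN-originated UDP packet creates an entry keyed on both address/port pairs.
                self.udp[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = now + UDP_TIMEOUT
                return True
            # Inbound UDP must match an existing entry exactly, with the pairs swapped.
            return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.udp

        if pkt.proto == "icmp":
            if outbound:
                reply_type = REPLY_FOR_REQUEST.get(pkt.icmp_type)
                if reply_type is not None:
                    self.icmp[(pkt.src, pkt.dst, reply_type, pkt.icmp_id)] = now + ICMP_TIMEOUT
                return True
            if pkt.icmp_type == ICMP_REDIRECT:
                return False   # never admitted: it could reroute LAN traffic through an attacker
            # Only the reply type recorded for an earlier request from this LAN host gets in.
            return (pkt.dst, pkt.src, pkt.icmp_type, pkt.icmp_id) in self.icmp

        return False   # TCP is tracked separately and is outside this example


def demo() -> list:
    """Constructed packet sequence; returns the forward/drop decision for each packet."""
    fw = StatefulFilter()
    lan, dns, target = "192.168.1.10", "203.0.113.53", "198.51.100.7"
    return [
        fw.handle(Packet("udp", lan, dns, 40000, 53), 0.0),       # outbound DNS query: forwarded, entry created
        fw.handle(Packet("udp", dns, lan, 53, 40000), 1.0),       # matching reply: forwarded
        fw.handle(Packet("udp", dns, lan, 53, 40001), 1.0),       # wrong LAN port: dropped
        fw.handle(Packet("udp", dns, lan, 53, 40000), 100.0),     # same reply after the timeout: dropped
        fw.handle(Packet("icmp", lan, target, icmp_type=8, icmp_id=7), 0.0),    # outbound echo request
        fw.handle(Packet("icmp", target, lan, icmp_type=0, icmp_id=7), 1.0),    # echo reply: forwarded
        fw.handle(Packet("icmp", target, lan, icmp_type=14, icmp_id=7), 1.0),   # timestamp reply, no request: dropped
        fw.handle(Packet("icmp", target, lan, icmp_type=5), 1.0),               # redirect: always dropped
    ]
```

The ICMP table is keyed on the reply type rather than the request type so that a timestamp reply cannot ride on state created by an echo request; the UDP table is keyed on the full four-tuple so that a reply from the right server on the wrong port is still dropped.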
to the Business Secure Router. The ATM loopback test is useful for troubleshooting problems with the DSLAM and ATM network.

Upstream Noise Margin: Click this button to display the upstream noise margin.

Downstream Noise Margin: Click this button to display the downstream noise margin.

F/W Upload screen

Find firmware at www.nortel.com/index.html in a file that usually uses the system model name with a .bin extension. The upload process uses FTP (File Transfer Protocol) and can take up to two minutes. After a successful upload the system reboots.

Click MAINTENANCE and then the F/W UPLOAD tab. Follow the instructions to upload firmware to your Business Secure Router.

Note: Only upload firmware for your specific model. Because FTP carries the image in cleartext with no integrity protection of its own, obtain the file directly from the vendor site and perform the upload from a host on the trusted LAN rather than across the Internet.

Figure 162 Firmware upload (MAINTENANCE screen, F/W Upload tab). The screen text reads: To upgrade the internal router firmware, browse to the location of the binary (.bin) upgrade file and click Upload. Upgrade files can be downloaded from the website. If the upgrade file is a compressed (.zip) file, you must first extract the binary (.bin) file. In some cases you may need to reconfigure the router after upgrading.

Table 112 describes the fields in Figure 162.

Table 112 Firmware Upload

File Path: Type in the location of the file you want to upload in this field
to the server. The client automatically saves any new server public keys. In subsequent connections the server public key is checked against the saved version on the client computer.

2. Encryption Method: Once the identification is verified, both the client and server must agree on the type of encryption method to use.

3. Authentication and Data Transmission: After the identification is verified and data encryption is activated, a secure tunnel is established between the client and the server. The client then sends its authentication information (username and password) to the server to log on.

SSH implementation on the Business Secure Router

Your Business Secure Router supports SSH version 1.5 using RSA authentication and three encryption methods: DES, 3DES and Blowfish. The SSH server is implemented on the Business Secure Router for remote SMT management and file transfer on port 22. Only one SSH connection is allowed at a time.

Note: SSH protocol version 1 has known cryptographic weaknesses and recent OpenSSH releases no longer implement it, and DES is a 56-bit cipher. Treat this SSH service as a management channel for the trusted LAN: keep Service Access limited to the LAN and set a Secured Client IP Address in the remote management settings rather than exposing port 22 to the Internet.

Requirements for using SSH

You must install an SSH client program on a client computer (Windows or Linux operating system) that is used to connect to the Business Secure Router over SSH.

Configuring SSH

To change the Secure Shell settings, click REMOTE MGMT and then the SSH tab. The screen shown in Figure 122 appears.
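The host-identification step described above is trust on first use: the client saves the server key the first time and compares on every later connection. The following added example, which is not code from the manual or from any SSH client, shows the check that makes that step worthwhile, including the mismatch case the text does not spell out. The key blobs, the file format and the router address are constructed; the fingerprint presentation copies the one OpenSSH uses (SHA-256, base64 without padding).

```python
import base64
import hashlib
import hmac
import os
import tempfile


def fingerprint(pubkey_blob: bytes) -> str:
    """SHA-256 fingerprint of a raw public key blob, in the form OpenSSH prints."""
    digest = hashlib.sha256(pubkey_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


class KnownHosts:
    """Trust-on-first-use store: one 'host fingerprint' line per host (constructed format)."""

    def __init__(self, path: str) -> None:
        self.path = path
        self.entries = {}
        if os.path.exists(path):
            with open(path, "r", encoding="ascii") as fh:
                for line in fh:
                    host, fp = line.split()
                    self.entries[host] = fp

    def _save(self) -> None:
        with open(self.path, "w", encoding="ascii") as fh:
            for host, fp in sorted(self.entries.items()):
                fh.write(f"{host} {fp}\n")

    def check(self, host: str, pubkey_blob: bytes) -> str:
        """'new' on first contact (key saved), 'ok' if it matches the saved key, else 'mismatch'."""
        fp = fingerprint(pubkey_blob)
        known = self.entries.get(host)
        if known is None:
            self.entries[host] = fp
            self._save()
            return "new"
        # Constant-time compare. A mismatch must abort the connection; silently
        # overwriting the saved key would turn the check into no check at all.
        return "ok" if hmac.compare_digest(known, fp) else "mismatch"


def demo() -> tuple:
    """Three connections to the same router address, reloading the store from disk each time."""
    router_key = b"constructed-router-host-key-blob"       # stands in for the router's RSA key blob
    impostor_key = b"constructed-impostor-host-key-blob"   # a different key presented for the same host
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "known_hosts")
        first = KnownHosts(path).check("192.168.1.1", router_key)
        second = KnownHosts(path).check("192.168.1.1", router_key)
        third = KnownHosts(path).check("192.168.1.1", impostor_key)
    return first, second, third
```

The only protection on the first connection is the administrator comparing the presented fingerprint with one obtained out of band, for example from the console port; after that the store, not the network, is what decides whether the router is the router.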
use rsa-pkcs1-sha1 (the RSA public/private key encryption algorithm and the SHA-1 hash algorithm). Other certification authorities can use rsa-pkcs1-md5 (the RSA public/private key encryption algorithm and the MD5 hash algorithm). Note that MD5 signatures are broken and SHA-1 signatures are deprecated; prefer a CA that signs with a SHA-2 algorithm where the router accepts it.

Valid From: This field displays the date that the certificate becomes applicable. The text displays in red and includes a Not Yet Valid message if the certificate has not yet become applicable.

Valid To: This field displays the date that the certificate expires. The text displays in red and includes an Expiring or Expired message if the certificate is about to expire or has already expired.

Key Algorithm: This field displays the type of algorithm that was used to generate the certificate key pair (the Business Secure Router uses RSA encryption) and the length of the key set in bits, 1,024 bits for example. A 1,024-bit RSA key is below current minimum recommendations; generate 2,048-bit or longer keys where the router and the CA allow it.

Subject Alternative Name: This optional field displays the IP address (IP), domain name (DNS) or e-mail address (EMAIL) of the owner of the certificate.

Key Usage: This field displays the functions for which the certificate key can be used. For example, DigitalSignature means that the key can be used to create digital signatures and KeyEncipherment means that the key can be used to encrypt keys (such as session keys).

Basic Constraint: This field displays general information about the certificate. For example, Subject Type=CA means that this is a certification authority certificate and Path Length Constraint=1
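The fields above (validity dates, Subject Type=CA and Path Length Constraint) are exactly what a path check consumes. The added example below is not the router's code; it is a stand-alone check over certificates represented as plain dictionaries, with constructed names and dates, that reproduces the Not Yet Valid / Expiring / Expired markers and enforces the path length constraint the way RFC 5280 defines it: a CA certificate with Path Length Constraint=N may be followed by at most N intermediate CA certificates before the end entity.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


def validity_status(cert: Dict, now: datetime, warn_days: int = 30) -> str:
    """Mirrors the Valid From / Valid To markers on the certificate details screen."""
    if now < cert["not_before"]:
        return "Not Yet Valid"
    if now > cert["not_after"]:
        return "Expired"
    if now + timedelta(days=warn_days) > cert["not_after"]:
        return "Expiring"
    return "Valid"


def verify_path(chain: List[Dict], now: datetime, trusted_cas: set) -> Tuple[bool, str]:
    """chain[0] is the end entity, chain[-1] the root. Each cert is a dict of the fields
    shown on the details screen: subject, issuer, ca, path_len, revoked, not_before, not_after."""
    if chain[-1]["subject"] not in trusted_cas:
        return False, "Not trusted: root CA is not in the trusted CA list"
    for index, cert in enumerate(chain):
        status = validity_status(cert, now)
        if status in ("Not Yet Valid", "Expired"):
            return False, f"Not trusted: {cert['subject']} is {status}"
        if cert.get("revoked"):
            return False, f"Not trusted: {cert['subject']} is revoked"
        if index == 0:
            continue   # end entity: nothing below it to constrain
        if chain[index - 1]["issuer"] != cert["subject"]:
            return False, f"Not trusted: {chain[index - 1]['subject']} was not issued by {cert['subject']}"
        if not cert.get("ca"):
            return False, f"Not trusted: {cert['subject']} is not a CA (no Subject Type=CA)"
        # Path Length Constraint = N: at most N intermediate CA certificates may sit between
        # this certificate and the end entity (RFC 5280, section 4.2.1.9).
        intermediates_below = index - 1
        limit = cert.get("path_len")
        if limit is not None and intermediates_below > limit:
            return False, (f"Not trusted: {cert['subject']} allows {limit} intermediate(s) "
                           f"but {intermediates_below} follow it")
    return True, "Trusted"


def _cert(subject, issuer, ca=False, path_len=None, years=(2020, 2030), revoked=False):
    """Constructed certificate record; dates are year boundaries for readability."""
    return {"subject": subject, "issuer": issuer, "ca": ca, "path_len": path_len,
            "revoked": revoked, "not_before": datetime(years[0], 1, 1),
            "not_after": datetime(years[1], 1, 1)}


def demo() -> Dict[str, Tuple[bool, str]]:
    """Four constructed chains: a good one, one that is one CA too deep, an expired end
    entity, and a chain ending in a root that was never imported as trusted."""
    now = datetime(2025, 6, 1)
    root = _cert("Example Root CA", "Example Root CA", ca=True, path_len=1)
    sub = _cert("Example Issuing CA", "Example Root CA", ca=True, path_len=0)
    extra = _cert("Rogue Sub CA", "Example Issuing CA", ca=True, path_len=0)
    router = _cert("bsr252.example.net", "Example Issuing CA")
    router_via_rogue = _cert("bsr252.example.net", "Rogue Sub CA")
    expired = _cert("bsr252.example.net", "Example Issuing CA", years=(2020, 2024))
    other_root = _cert("Other Root", "Other Root", ca=True)
    trusted = {"Example Root CA"}
    return {
        "good": verify_path([router, sub, root], now, trusted),
        "too_deep": verify_path([router_via_rogue, extra, sub, root], now, trusted),
        "expired": verify_path([expired, sub, root], now, trusted),
        "untrusted_root": verify_path([router, sub, other_root], now, trusted),
    }
```

The "too_deep" case is the one worth noticing: the issuing CA carries Path Length Constraint=0, so a certificate it issued cannot itself act as a CA, and the check rejects the chain at that certificate rather than at the root.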
want the Business Secure Router to log. Use the sys logs load command to load the log setting buffer that allows you to configure which logs the Business Secure Router is to record. Use sys logs category followed by a log category and a parameter to decide what to record.

Table 138 Log categories and available settings

Log Category: Available Parameters
access: 0, 1, 2, 3
attack: 0, 1, 2, 3
error: 0, 1, 2, 3
ike: 0, 1, 2, 3
ipsec: 0, 1, 2, 3
javablocked: 0, 1, 2, 3
mten: 0, 1
upnp: 0, 1
urlblocked: 0, 1, 2, 3
urlforward: 0, 1

Use 0 to record no logs for a selected category, 1 to record only logs for a selected category, 2 to record only alerts for a selected category, and 3 to record both logs and alerts for a selected category. Use the sys logs save command to store the settings in the Business Secure Router; you must do this in order to record logs.

Displaying Logs

Use the sys logs display command to show all of the logs in the Business Secure Router log. Use the sys logs category display command to show the log settings for all of the log categories. Use sys logs display followed by a log category to show the logs in an individual Business Secure Router log category. Use the sys logs clear command to erase all of the Business Secur
when the IP policy's Local Address Type field is configured to Range Address in the IP Policy screen. This field displays a static IP address and a subnet mask when the IP policy's Local Address Type field is configured to Subnet Address in the IP Policy screen.

Table 54 VPN Branch Office rule setup (continued)

Remote IP Address: This field displays the IP addresses of computers on the remote network behind the remote IPSec router. It displays a single static IP address when the IP policy's Remote Address Type field is configured to Single Address in the IP Policy screen, the beginning and ending static IP addresses of a range of computers when the Remote Address Type field is configured to Range Address, and a static IP address and a subnet mask when the Remote Address Type field is configured to Subnet Address. This field displays ALL whenever the Secure Gateway Address field is set to 0.0.0.0, and also whenever the IP policy's Remote Starting IP Address field is set to 0.0.0.0 in the IP Policy screen. When ALL displays, only the remote IPSec router can initiate the VPN.

Add: Select Add to open a screen where you can configure an IP policy.

Edit: Select the radio
Table 70 describes the labels in Figure 89.

Table 70 Trusted CA details

Name: This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this key certificate. You can use any character except spaces.

Property (Check incoming certificates issued by this CA against a CRL): Select this check box to have the Business Secure Router check incoming certificates that are issued by this certification authority against a Certificate Revocation List (CRL). Clear this check box to have the Business Secure Router not check incoming certificates that are issued by this certification authority against a CRL. Leave the check enabled unless the CA publishes no CRL; without it, a certificate the CA has revoked is still accepted until it expires.

Certification Path: Click the Refresh button to have this read-only text box display the certificate of the end entity and a list of certification authority certificates that shows the hierarchy of certification authorities that validate the end entity certificate. If the issuing certification authority is one that you have imported as a trusted certification authority, it can be the only certification authority in the list, along with the certificate of the end entity. The Business Secure Router does not trust the end entity certificate, and displays Not trusted in this field, if any certificate on the path has expired or been revoked.

Refresh: Click Refre
header and responds. IPSec routers A and B build a VPN connection.

NAT Traversal configuration

Enable or disable NAT traversal in the VPN Branch Office Rule Setup screen (see Figure 71 on page 222). For NAT traversal to work you must:
- Use the ESP security protocol, in either transport or tunnel mode.
- Use the IKE keying mode.
- Enable NAT traversal on both IPSec endpoints.

In order for IPSec router A (see Figure 71 on page 222) to receive an initiating IPSec packet from IPSec router B, set the NAT router to forward UDP port 500 to IPSec router A. Once the peers detect the NAT, the IKE exchange moves to UDP port 4500 and ESP is carried inside UDP port 4500 (RFC 3948), so the NAT router must forward that port to IPSec router A as well.

Preshared key

A preshared key identifies a communicating party during a phase 1 IKE negotiation (see IKE phases on page 238 for more information). It is called preshared because you have to share it with the other party before you can communicate with them over a secure connection. For Contivity Client VPN connections, the Business Secure Router generates the preshared key from the username and password.

Configuring Contivity Client VPN Rule Setup

Select one of the VPN rules in the VPN Summary screen and click Edit to configure the rule. If the Branch Office screen is displayed, select Contivity Client from the Connection Type list box. The VPN Contivity Client Rule Setup screen is shown in Figure 69.

Figure 69 VPN Contivity Client rule setup (fields include Connection Type set to Contivity Client, Active, Keep Alive and Description)
Figure 67 Summary (the VPN Summary screen: the Contivity VPN Client Connect button, then one row per rule with its index number, name, Active state, Private, Local and Remote IP addresses, Encapsulation, IPSec Algorithm and Secure Gateway Address; the sample rules test8, test9 and test10 show Tunnel mode, ESP DES SHA1 and a Secure Gateway Address of 0.0.0.0)

Table 47 describes the fields in Figure 67.

Table 47 Summary

Contivity VPN Client: The Contivity VPN Client is a simple VPN rule that lets you define and store connection information for accessing your corporate network using the Business Secure Router. The Contivity VPN Client uses the IPSec protocol to establish a secure end-to-end connection. If you want to set the Contivity Client rule to active, you must set all other VPN rules to inactive. When this button displays Connect, click it to create a VPN connection to the remote Contivity switch. When this button displays Disconnect, click it to drop the Contivity VPN connection.

Index number: This is the VPN rule index number.

Name: This field displays the name you specified in
Chapter 17 Authentication server

The Business Secure Router can use either the local user database internal to the Business Secure Router or an external RADIUS server for an unlimited number of users.

Introduction to Local User database

By storing user profiles locally on the Business Secure Router, your Business Secure Router is able to authenticate users without interacting with a network RADIUS server. However, there is a limit on the number of users you can authenticate in this way.

Local User database

To see the local user list, click AUTH SERVER. The Local User Database screen appears as shown in Figure 105.

Figure 105 Local User database (columns: User ID, Status/Active, User type, Last Name, First Name and IPSec only, with a Delete button)

Table 84 describes the labels in Figure 105.

Table 84 Local User database

User ID: This field displays the logon name for the user account.
Active: This field displays Yes if the user account is enabled or No if it is disabled.
User type: This field displays whether the user account can be used for an IEEE 802.1X logon, an IPSec logon, or both.
Last Name: This field displays the user's last name.
First Name
Table 101 describes the fields in Figure 151.

Table 101 Reports

Collect Statistics: Select the check box and click Apply to have the Business Secure Router record report data.
Send Raw Traffic Statistics to Syslog Server for Analysis: Select the check box and click Apply to have the Business Secure Router send unprocessed traffic statistics to a syslog server for analysis. You must have the syslog server already configured in the Log Settings screen.
Apply: Click Apply to save your changes to the Business Secure Router.
Reset: Click Reset to begin configuring this screen afresh.
Report Type: Use the drop-down list to select the type of report to display. Web Site Hits displays the Web sites that have been visited most often from the LAN and how many times each has been visited. Protocol/Port displays the protocols or service ports that have been used the most and the amount of traffic for each. LAN IP Address displays the LAN IP addresses to and from which the most traffic has been sent and how much traffic has been sent to and from those addresses.
Refresh: Click Refresh to update the report display. The report also refreshes automatically when you close and reopen the screen.
Flush: Click Flush to discard the old report data and update the report display.
Table 104 describes the fields in Figure 154.

Table 104 LAN IP Address Report

IP Address: This column lists the LAN IP addresses to and from which the most traffic has been sent. The LAN IP addresses are listed in descending order, with the LAN IP address to and from which the most traffic was sent listed first.
Amount: This column displays how much traffic has gone to and from the listed LAN IP addresses. The measurement unit shown (bytes, Kilobytes, Megabytes or Gigabytes) varies with the amount of traffic sent to and from the LAN IP address. The count starts over at 0 if the total traffic sent to and from a LAN IP address passes the bytes count limit (see Table 105 on page 385).

Reports specifications

Table 105 lists detailed specifications on the reports feature.

Table 105 Report Specifications

Number of Web sites, protocols or ports, or IP addresses listed: 20
Hit count limit: Up to 2^32 (about four billion) hits can be counted per Web site. The count starts over at 0 if it passes that limit.
Bytes count limit: Bytes are counted per protocol or port and per LAN IP address. The count starts over at 0 when it passes the counter's maximum.

Chapter 21 Call scheduling screens

With
Chapter 3 Wizard setup

This chapter provides information on the Wizard screens in the WebGUI.

Wizard overview

The setup wizard in the WebGUI helps you configure your device to access the Internet. The second screen has three variations, depending on which encapsulation type you use. Refer to your ISP checklist in the Nortel Business Secure Router 252 Fundamentals (NN47923-301) to know what to enter in each field. Leave a field blank if you do not have the required information.

Encapsulation

Be sure to use the encapsulation method required by your ISP. The Business Secure Router supports the following methods:
When computers communicate on the Internet, they use the client/server model, where the server listens on a specific TCP/UDP port for information requests from remote client computers on the network. For example, a Web server typically listens on port 80. Note that while a computer can be intended for use over a single port, such as Web on port 80, other ports are also active and vulnerable to attack by hackers. Some of the most common IP ports are listed in Table 32.

Table 32 Common IP ports

21: FTP
23: Telnet
25: SMTP
53: DNS
80: HTTP
110: POP3

Types of DoS attacks

There are four types of DoS attacks:
- Those that exploit bugs in a TCP/IP implementation.
- Those that exploit weaknesses in the TCP/IP specification.
- Brute-force attacks that flood a network with useless data.
- IP Spoofing.

1. Ping of Death and Teardrop attacks exploit bugs in the TCP/IP implementations of various computer and host systems. Ping of Death uses a ping utility to create an IP packet that exceeds the maximum of 65,535 bytes allowed by the IP specification (the limit of its 16-bit total length field). The oversize packet is delivered as fragments whose offsets and lengths add up to more than that limit, and reassembling it can cause vulnerable systems to crash, hang or reboot. A Teardrop attack exploits weaknesses in the reassembly of IP packet fragments. As data is transmitted through a network, IP packets are often broken up into smaller chunks. Each fragment looks like the original IP packet except that it conta
Figure: computers on the LAN, such as 192.168.1.11 and 192.168.1.12, have Inside Local Addresses (ILA) that the Business Secure Router translates to Inside Global Addresses (IGA).

Port restricted cone NAT

The Business Secure Router uses port restricted cone NAT. Port restricted cone NAT maps all requests from the same private IP address and port to the same public IP address and port. A host on the Internet can only send a packet to the private IP address and port if the private IP address and port has previously sent a packet to the IP address and port of that host.

In Figure 34, B can send packets with source IP address e.f.g.h and port 20202 to A because A previously sent a packet to IP address e.f.g.h and port 20202. B cannot send packets with source IP address e.f.g.h and port 10101 to A because A has not sent a packet to IP address e.f.g.h and port 10101.

Figure 34 Port Restricted Cone NAT (A at private IP 10.0.0.3 behind the Business Secure Router, whose WAN IP is a.b.c.d with mapped port 30080; B at e.f.g.h with ports 20202 and 10101; a further host at m.n.o.p with port 10101)

NAT application

Figure 35 illustrates a possible NAT application where three inside LANs (logical LANs using IP Alias) behind the Business Secure Router can communicate with three distinct WAN networks. More examples follow at the end of this chapter.
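The behaviour described for Figure 34, as an added example that is not the router's implementation: a port restricted cone NAT table that allocates one public port per private (address, port), remembers every remote (address, port) that private socket has sent to, and admits an inbound packet only from one of those. The letter placeholders of the figure are replaced here with constructed documentation addresses (a.b.c.d as 203.0.113.1, e.f.g.h as 198.51.100.2, m.n.o.p as 192.0.2.3), and the starting public port 30080 is taken from the figure.

```python
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]


class PortRestrictedConeNAT:
    """Port restricted cone NAT: one public port per private (ip, port); inbound admitted
    only from a remote (ip, port) the private socket has already sent to."""

    def __init__(self, public_ip: str, first_port: int = 30080) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_map: Dict[Endpoint, int] = {}        # private (ip, port) -> public port
        self.in_map: Dict[int, Endpoint] = {}         # public port -> private (ip, port)
        self.peers: Dict[int, Set[Endpoint]] = {}     # public port -> remote (ip, port)s contacted

    def outbound(self, src: Endpoint, dst: Endpoint) -> Endpoint:
        """Translate a LAN-originated packet; returns the public source (ip, port)."""
        if src not in self.out_map:
            port = self.next_port
            self.next_port += 1
            self.out_map[src] = port
            self.in_map[port] = src
            self.peers[port] = set()
        public_port = self.out_map[src]
        self.peers[public_port].add(dst)           # this remote socket may now reply
        return self.public_ip, public_port

    def inbound(self, src: Endpoint, dst_port: int) -> Optional[Endpoint]:
        """Translate a WAN-originated packet; returns the private destination, or None if dropped."""
        private = self.in_map.get(dst_port)
        if private is None:
            return None                            # no mapping for this public port at all
        if src not in self.peers[dst_port]:
            return None                            # mapping exists, but this (ip, port) was never contacted
        return private


def demo() -> dict:
    """Replays Figure 34 with constructed addresses standing in for a.b.c.d, e.f.g.h and m.n.o.p."""
    nat = PortRestrictedConeNAT(public_ip="203.0.113.1")
    host_a = ("10.0.0.3", 5000)
    b_20202, b_10101 = ("198.51.100.2", 20202), ("198.51.100.2", 10101)
    other_10101 = ("192.0.2.3", 10101)
    mapped = nat.outbound(host_a, b_20202)                  # A contacts B on port 20202
    reused = nat.outbound(host_a, ("192.0.2.3", 80))        # same private socket, another peer
    return {
        "mapping": mapped,
        "same_mapping_reused": reused == mapped,
        "b_20202": nat.inbound(b_20202, mapped[1]),         # allowed: A already sent to this (ip, port)
        "b_10101": nat.inbound(b_10101, mapped[1]),         # dropped: same host, different port
        "other_10101": nat.inbound(other_10101, mapped[1]), # dropped: that host was contacted on port 80 only
        "unmapped": nat.inbound(b_20202, 40000),            # dropped: no mapping behind this public port
    }
```

The difference from a plain restricted cone NAT is the set of peers being keyed on (address, port) rather than address alone, which is exactly why B's reply from port 10101 is dropped even though B's address is known.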
Figure 14 Wizard LAN configuration (Wizard Setup: LAN IP Address 192.168.1.1, LAN Subnet Mask 255.255.255.0, DHCP set to Server, Client IP Pool Starting Address 192.168.1.2, Size of Client IP Pool 126, DHCP Server Address 0.0.0.0, and First, Second and Third DNS Server obtained from ISP)

Table 7 describes the fields in Figure 14.

Table 7 Wizard LAN configuration

LAN IP Address: Enter the IP address of your Business Secure Router in dotted decimal notation, for example 192.168.1.1 (factory default).
LAN Subnet Mask: Enter a subnet mask in dotted decimal notation.
DHCP: With DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132), individual clients (workstations) can obtain TCP/IP configuration at startup from a server. Unless you are instructed by your ISP, leave this field set to Server. When configured as a server, the Business Secure Router provides TCP/IP configuration for the clients; in that case fill in the IP Pool Starting Address and Pool Size fields. Select Relay to have the Business Secure Router forward DHCP requests to
SNMP

To change your Business Secure Router SNMP settings, click REMOTE MANAGEMENT and then the SNMP tab. The screen appears as shown in Figure 131.

Figure 131 SNMP (REMOTE MANAGEMENT screen, SNMP tab: SNMP Configuration with Get Community, Set Community, Trap Community, Destination, SNMP Service Port 161, Service Access and Secured Client IP Address; the defaults shown are PlsChgMe RO, PlsChgMe RW, public, a destination of 0.0.0.0 and Service Access set to LAN)

Table 94 describes the fields in Figure 131.

Table 94 SNMP

Get Community: Enter the Get Community, which is the password for the incoming Get and GetNext requests from the management station. The default is PlsChgMe RO.
Set Community: Enter the Set Community, which is the password for incoming Set requests from the management station. The default is PlsChgMe RW.

Note: Change all three community strings from their defaults before enabling the service. The community string is the only authentication these SNMP requests carry and it travels in cleartext, so also enter a Trusted Host and keep Service Access limited to the LAN; a Set Community in particular gives write access to the configuration.

Trusted Host: If you enter a trusted host, your Business Secure Router only responds to SNMP messages from this address. The default of 0.0.0.0 means your Business Secure Router responds to all SNMP messages it receives, regardless of source.
Trap Community: Type the trap community, which is the password sent with each trap to the SNMP manager. The default is public and
ENET ENCAP: The MAC Encapsulated Routing Link Protocol (ENET ENCAP) is only implemented with the IP network protocol. IP packets are routed between the Ethernet interface and the WAN interface and then formatted so that they can be understood in a bridged environment. For instance, the Business Secure Router encapsulates routed Ethernet frames into bridged ATM cells. ENET ENCAP requires that you specify a gateway IP address in the ENET ENCAP Gateway field in the second wizard screen. You can get this information from your ISP.

PPP over Ethernet

PPP over Ethernet (PPPoE) provides access control and billing functionality in a manner similar to dial-up services using PPP. The Business Secure Router bridges a PPP session over Ethernet (PPP over Ethernet, RFC 2516) from your computer to an ATM (Asynchronous Transfer Mode) PVC (Permanent Virtual Circuit), which connects to an ADSL Access Concentrator where the PPP session terminates. One PVC can support any number of PPP sessions from your LAN. For more information about PPPoE, see the PPPoE appendix in the Nortel Business Secure Router 252 Configuration Advanced guide.

PPPoA

A Point-to-Point Protocol over ATM Adaptation Layer 5 (PPPoA) connection functions like a dial-up Internet connection. The Business Secure Router encapsulates the PPP session based on RFC 1483 and sends it through an ATM PVC (Permanent Vir
145. Business Secure Router.
Reset: Click Reset to begin configuring this screen afresh.
Chapter 9 Static Route screens
This chapter shows you how to configure static routes for your Business Secure Router.
Static Route overview
Each remote node specifies only the network to which the gateway is directly connected, and the Business Secure Router has no knowledge of the networks beyond. For instance, the Business Secure Router knows about network N2 in Figure 42 through remote node Router 1. However, the Business Secure Router is unable to route a packet to network N3, because it does not know that there is a route through the same remote node Router 1, through gateway Router 2. The static routes are for you to tell the Business Secure Router about the networks beyond the remote nodes.
Figure 42 Example of Static Routing topology (diagram: the Business Secure Router on network N1, remote node R1 connecting to network N2, and gateway R2 connecting to network N3)
Configuring IP Static Route
Click STATIC ROUTE to open the Route Entry screen.
Note: The first static route entry is for the default WAN route. You cannot modify or delete this static default route.
Figure 43 Static Route screen (screen capture of STATIC ROUTE > IP Static Route; the first entry is the reserved default route)
146.
Figure 109 RADIUS (screen capture of AUTH SERVER > RADIUS: Authentication Server section with Active, Server IP Address, Port Number, Key and Retype to Confirm; Accounting Server section with the same fields; Apply and Reset buttons)
Table 88 describes the labels in Figure 109.
Table 88 RADIUS
Label: Description
Authentication Server
Active: Select the check box to enable user authentication through an external authentication server. Clear the check box to enable user authentication using the local user profile on the Business Secure Router.
Server IP Address: Enter the IP address of the external authentication server in dotted decimal notation.
Port Number: The default port of the RADIUS server for authentication is 1812. You need not change this value unless your network administrator instructs you to do so with additional information.
Key: Enter a password (up to 31 alphanumeric characters) as the key to be shared between the external authentication server and the Business Secure Router. Note that as you type a password, the screen displays an asterisk (*) for each character you type. The key is not sent over the network. This key must be the same on t
147. Cancel to return to the VPN Branch Office screen without saving your changes.
Port forwarding server
A NAT server set is a list of inside (behind NAT on the LAN) servers, for example web or FTP, that you can make visible to the devices using the VPN branch NAT tunnel from behind the remote IPSec router, even though NAT makes your inside network appear as a single machine. The servers must be using the VPN branch NAT tunnel from behind the Business Secure Router. You can enter a single port or a range of ports to be forwarded, and then the local IP address of the desired inside servers.
Configuring a port forwarding server
Select one of the IP Policies in the VPN Branch Office screen and click Edit to display the Branch Office IP Policy setup screen. For the Mapping Rule Type, select Many-to-One, enter the private and virtual IP addresses, and click the Port Forwarding Server button to display the screen shown in Figure 73.
Figure 73 VPN Branch Office IP Policy Port Forwarding Server (screen capture: a table of port forwarding entries with columns Name, Start Port and Server IP Address; the first row is the Default Server, with Server IP Address 0.0.0.0)
148. Table 55 VPN Branch Office IP Policy
Label: Description
Virtual Ending IP Address: When the Type field is configured to One-to-One or Many-to-One, this field is N/A. When the Type field is configured to Many One-to-One, enter the ending static IP address of the range of IP addresses that you want to use for the VPN tunnel.
Local: Local IP addresses must be static and correspond to the remote IPSec router's configured remote IP addresses. Two active SAs can have the same local or remote IP address, but not both. You can configure multiple SAs between the same local and remote IP addresses, as long as only one is active at a time. Two IP policies can have the same local or remote IP address, but not both. In order to have more than one active rule with the Secure Gateway Address field set to 0.0.0.0, the ranges of the local IP addresses cannot overlap between rules. If you configure an active rule with 0.0.0.0 in the Secure Gateway Address field and the full IP address range of the LAN as the local IP address, then you cannot configure any other active rules with the Secure Gateway Address field set to 0.0.0.0.
Address Type: Use the drop-down menu to choose Single Address, Range Address or Subnet Address. Select Single Address for a single IP address. Select Range Address for a specific range of IP addresses. Select Subnet Address to specify IP addresses on a network by their subnet mask.
149. Click Reset to begin configuring this screen afresh.
VPN Client Termination IP pool summary
In the WebGUI, click VPN on the navigation panel and the Client Termination tab to open the VPN Client Termination screen. Then click the Configure IP Address Pool link to open the screen in Figure 79. Use this screen to manage the list of ranges of IP addresses to assign to the Contivity VPN clients.
Figure 79 VPN Client Termination IP pool summary (screen capture: Return to VPN > Client Termination Page link; IP Pool Summary table with columns Name, Active, Starting Address and Subnet mask; Edit and Delete buttons)
Table 61 describes the fields in Figure 79.
Table 61 VPN Client Termination IP pool summary
Label: Description
Return to VPN > Client Termination Page: Click this link to return to the screen used to configure the general settings for use with all of the Contivity VPN Client tunnels.
#: These numbers are an incremental value. The position of the IP address pool in the list does not matter.
Name: This field displays the label that you configure for the IP address pool.
Active: This field displays whether or not the IP address pool is turned on.
Starting Address: This field displays the first IP address in the IP address pool.
Subnet mask: This field displays the subnet mask that you specified to define the IP address pool.
Pool size: Th
150. Diffie-Hellman Group 2 uses a 1,024-bit (1 Kb) random number. Diffie-Hellman Group 5 uses a 1,536-bit random number.
Assignment of Client IP: Select Use Static Addresses if the Contivity VPN clients are using static IP addresses. You must specify these in the remote user profiles.
Table 60 VPN Client Termination
Label: Description
IP Address Pool: Have the Business Secure Router assign IP addresses to the Contivity VPN clients from a pool of IP addresses that you define. Select the pool to use. Click Configure IP Address Pool to define the ranges of IP addresses that you can select from.
Enable Perfect Forward Secrecy: Perfect Forward Secrecy (PFS) is disabled by default in phase 2 IPSec SA setup. This allows faster IPSec setup, but is not so secure. Turn on PFS to use the Diffie-Hellman exchange to create a new key for each IPSec SA setup.
Rekey Timeout: Set the allowed lifetime for an individual key used for data encryption before negotiating a new key. A setting of 00:00:00 disables the rekey timeout.
Rekey Data Count: Set how much data can be transmitted through the VPN tunnel before negotiating a new key. A setting of 0 disables the rekey data count.
Advanced: Click Advanced to configure detailed VPN client tunnel termination settings.
Apply: Click Apply to save your changes to the Business Secure Router.
Reset
151. ESP increase Business Secure Router processing requirements and communications latency (delay).
Secure Gateway Address: This is the static WAN IP address or URL of the remote IPSec router. This field displays 0.0.0.0 when you configure the Secure Gateway Address field in the VPN Branch Office screen to 0.0.0.0.
Table 47 Summary
Label: Description
Edit: Click the radio button next to a VPN index number and then click Edit to edit a specific VPN policy.
Delete: Click the radio button next to a VPN policy number you want to delete and then click Delete. When a VPN policy is deleted, subsequent policies do not move up in the page list.
Keep Alive: When you initiate an IPSec tunnel with keep alive enabled, the Business Secure Router automatically renegotiates the tunnel when the IPSec SA lifetime period expires (see the Configuring advanced Branch office setup section on page 241 for more information about the IPSec SA lifetime). The keep alive option is available with the Contivity Client rule (see the VPN Contivity Client Rule Setup screen, Figure 69 on page 215). In effect, the IPSec tunnel becomes an always-on connection after you initiate it. Both IPSec routers must have a Business Secure Router compatible keep alive feature enabled in order for this feature to work. If the Business Secure Router has its maximum numbe
152.
Diffie-Hellman (DH) Key Groups 241
Perfect Forward Secrecy (PFS) 241
Configuring advanced Branch office setup 241
SA Monitor 245
VPN Client Termination 248
VPN Client Termination IP pool summary 252
VPN Client Termination IP pool edit 254
VPN Client Termination advanced 255
Chapter 14 Certificates 261
Certificates overview 261
Advantages of certificates 262
Self-signed certificates 262
Configuration summary 263
My Certificates 263
Certificate file formats 266
Creating a certificate 269
My Certificate details 273
153. IP Address Automatically if you have a dynamic IP address; otherwise, select Static IP Address and type your ISP-assigned IP address in the IP Address text box below.
Connection: Select Connect on Demand if you do not want the connection up all the time, and specify an idle time-out in seconds in the Max Idle Timeout field. The default setting selects Connection on Demand with 0 as the idle time-out, which means the Internet session does not time out. Select Nailed-Up Connection if you want your connection up all the time. The Business Secure Router tries to bring up the connection automatically if it is disconnected. The schedule rules in SMT menu 26 have priority over your Connection settings.
Network Address Translation: Select None, SUA Only or Full Feature from the drop-down list box. For more details, see Chapter 8, Network Address Translation (NAT) Screens, on page 129.
Back: Click Back to go back to the first wizard screen.
Next: Click Next to continue to the next wizard screen.
DHCP setup
Using Dynamic Host Configuration Protocol (DHCP), individual clients can obtain TCP/IP configuration from a server. You can configure the Business Secure Router as a DHCP server. When configured as a server, the Business Secure Router provides the TCP/IP configuration for the clients. If you turn DHCP service off, you must have another DHCP server on your LAN.
154. IP Alias.
1 Define a subnet for the corporate equipment.
Statically assign addresses to the corporate equipment that are within the IP Alias subnet.
4 Set up LAN IP to enable DHCP Server with an address range that will be used for guest equipment.
5 In the FIREWALL, set up a LAN-to-LAN rule to block traffic between the guest subnet (DHCP Pool) and the corporate subnet (IP Alias subnet).
Note: If branch tunnels are being used, the policies on these tunnels should exclude the guest subnet.
Preventing heavy data traffic from impacting telephone calls
To ensure voice quality during heavy data traffic, bandwidth needs to be reserved for voice traffic.
1 Determine your actual WAN upstream bandwidth by connecting to a web site such as http://myvoipspeed.visualware.com.
2 On BANDWIDTH MANAGEMENT > Summary, activate WAN bandwidth management and fill in your actual uplink speed in the WAN Speed field.
3 On BANDWIDTH MANAGEMENT > Class Setup, add a WAN subclass and reserve sufficient bandwidth, based on the number of telephones, for Protocol ID 17 (UDP traffic). The amount of bandwidth should be based on a reasonable peak number of simultaneous calls and the data rate needed by the IP telephony CODECs.
Setting Up a Remote Office with a UNIStim IP Telephone
For a remote office with a PC and a UNIStim IP telephone behind a Business Secure Router, Client Emulation is the recommended met
155. IPSEC ESP: Encapsulation Security Protocol tunneling protocol uses this service.
IRC (TCP/UDP 6667): This is another popular Internet chat program.
MSN Messenger (TCP 1863): Microsoft Networks messenger service uses this protocol.
MULTICAST (IGMP 0): Internet Group Multicast Protocol is used when sending packets to a specific group of hosts.
Table 40 Predefined services
Service: Description
NEW-ICQ (TCP 5190): An Internet chat program.
NEWS (TCP 144): A protocol for news groups.
NFS (UDP 2049): Network File System (NFS) is a client/server distributed file service that provides transparent file sharing for network environments.
NNTP (TCP 119): Network News Transport Protocol is the delivery mechanism for the USENET newsgroup service.
PING (ICMP 0): Packet INternet Groper is a protocol that sends out ICMP echo requests to test whether or not a remote host is reachable.
POP3 (TCP 110): Post Office Protocol version 3 lets a client computer receive e-mail from a POP3 server through a temporary connection (TCP/IP or other).
PPTP (TCP 1723): Point-to-Point Tunneling Protocol enables secure transfer of data over public networks. This is the control channel.
PPTP_TUNNEL (GRE 0): Point-to-Point Tunneling Protocol enables secure transfer of data over public networks. This
156. Maximum Incomplete is reached, you can choose to either allow or block the next session. If you select the Blocking Period check box, any new sessions are blocked for the length of time you specify in the next field (min), and all old incomplete sessions are cleared during this period. If you want strong security, it is better to block the traffic for a short time, as it gives the server some time to digest the loading.
min: Enter the length of Blocking Period in minutes.
Apply: Click Apply to save your changes to the Business Secure Router.
Reset: Click Reset to begin configuring this screen afresh.
Chapter 12 Content filtering
This chapter provides a brief overview of content filtering using the embedded WebGUI.
Introduction to content filtering
With Internet content filtering, you can create and enforce Internet access policies tailored to your needs. Content filtering is the ability to block certain web features or specific URL keywords, and is not to be confused with packet filtering through SMT menu 21.1. To access these functions from the Main Menu, click Content Filter to expand the Content Filter menus.
Restrict web features
The Business Secure Router can block web features such as ActiveX controls, Java applets and cookies, and disable web proxies.
Days and Times
With the Bu
157. Only or Full Feature from the drop-down list box. For more details, see Chapter 8, Network Address Translation (NAT) Screens, on page 129.
Back: Click Back to go back to the first wizard screen.
Next: Click Next to continue to the next wizard screen.
Figure 12 Internet connection with PPPoE (screen capture of the Wizard Setup ISP Parameters for Internet Access screen: Service Name, User Name, Password; IP Address (Obtain an IP Address Automatically, or Static IP Address); Connection (Connect on Demand with Max Idle Timeout, or Nailed-Up Connection); Network Address Translation)
Table 6 describes the fields in Figure 12.
Table 6 Internet connection with PPPoE
Label: Description
Service Name: Type the name of your PPPoE service here.
User Name: Enter the username exactly as your ISP assigned. If assigned a name in the form user@domain, where domain identifies a service name, then enter both components exactly as given.
Password: Enter the password associated with the username above.
IP Address: A static IP address is a fixed IP that your ISP gives you. A dynamic IP address is not fixed; the ISP assigns you a different one each time you connect to the Internet. The Single User Account feature can be used with either a dynamic or static IP address. Select Obtain an
158. PSec router.
Apply: Click Apply to save your changes to the Business Secure Router.
Reset: Click Reset to begin configuring this screen afresh.
Use these screens to configure the Business Secure Router for VPN connections from computers using Nortel Contivity VPN Client software. In the WebGUI, click VPN on the navigation panel and the Client Termination tab to open the screen illustrated in Figure 78. This screen sets the general settings for use with all of the Contivity VPN client tunnels.
Figure 78 VPN Client Termination (screen capture of VPN > Client Termination, with tabs Summary, SA Monitor, Global Setting and Client Termination. Fields: Enable Client Termination; Authentication (Local User Database with User Name and Password or Pre-Shared Key, or RADIUS Server with Group ID and Password); Group ID, Group Password, Retype to Confirm; Authentication Type (User Name and Password); Encryption options ESP 128-bit AES with SHA1 Integrity, ESP Triple DES with SHA1 Integrity, ESP Triple DES with MD5 Integrity, ESP 56-bit DES with SHA1 Integrity, ESP 56-bit DES with MD5 Integrity, AH Authentication Only HMAC-SHA1, AH Authentication Only HMAC-MD5; IKE Encryption and Diffie-Hellman Group options 56-bit DES with Group 1 (768-bit prime), Triple DES with Group 2 (1024-bit prime), 128-bit AES with Group 5 (1536-bit prime)); Assignment of Client IP: Use St
159.
Transport mode 206
Tunnel mode 207
IPSec and NAT 207
Secure Gateway Address 208
Dynamic Secure Gateway Address 209
Keep alive 212
Nailed Up 212
NAT Traversal 213
NAT Traversal configuration 214
Pre-Shared Key 214
Configuring Contivity Client VPN Rule Setup 214
Configuring Advanced Setup 216
ID Type and Content 218
ID type and content examples 219
My IP address 220
Configuring Branch Office VPN Rule Setup 221
Port forwarding server 236
Configuring a port forwarding server 236
Negotiation Mode
160. Sec VPNs are Transport mode and Tunnel mode.
Figure 65 Transport and Tunnel mode IPSec encapsulation (diagram: the original IP packet is IP Header | TCP Header | Data; the Transport mode protected packet is IP Header | IPSec Header | TCP Header | Data; the Tunnel mode protected packet is IP Header | IPSec Header | IP Header | TCP Header | Data)
Transport mode
Transport mode is used to protect upper layer protocols and only affects the data in the IP packet. In Transport mode, the IP packet contains the security protocol (AH or ESP) located after the original IP header and options, but before any upper layer protocols contained in the packet, such as TCP and UDP. With ESP, protection is applied only to the upper layer protocols contained in the packet. The IP header information and options are not used in the authentication process. Therefore, the originating IP address cannot be verified for integrity against the data. With the use of AH as the security protocol, protection is extended forward into the IP header to verify the integrity of the entire packet by use of portions of the original IP header in the hashing process.
Tunnel mode
Tunnel mode encapsulates the entire IP packet to transmit it securely. Tunnel mode is required for gateway services to provide access to internal systems. Tunnel mode is fundamentally an IP tunnel with authentication and encryption. This is the most common mode of operation. Tunnel mod
161.
Figure 167 Reset warning message (dialog text: "CONFIGURATION: Router back to factory defaults. The router will now reboot. As there will be no indication of when the process is complete, please wait for one minute before attempting to access the router again.")
You can also press the RESET button on the rear panel to reset the factory defaults of your Business Secure Router. The Business Secure Router LAN IP address changes back to 192.168.1.1 and the password reverts to PlsChgMe.
Backup configuration
With backup configuration, you can back up and save the current device configuration to a 104 KB file on your computer. After your device is configured and functioning properly, Nortel recommends that you back up your configuration file before making configuration changes. The backup configuration file is useful in case you need to return to your previous settings. Click Backup to save the current device configuration to your computer.
Restore configuration
With restore configuration, you can upload a new or previously saved configuration file from your computer to your Business Secure Router.
Table 113 Restore configuration
Label: Description
File Path: Type in the location of the file you want to upload in this field, or click Browse to find it.
Browse: Click Browse to find the file you want t
162. Service Access (LAN), Secured Client IP Address (All or Selected), Reset (remaining fields of the Figure 132 screen capture).
Table 95 describes the fields in Figure 132.
Table 95 DNS
Label: Description
Server Port: The DNS service port number is 53 and cannot be changed here.
Server Access: Select the interfaces (if any) through which a computer can send DNS queries to the Business Secure Router.
Secured Client IP Address: A secured client is a trusted computer that is allowed to send DNS queries to the Business Secure Router. Select All to allow any computer to send DNS queries to the Business Secure Router. Choose Selected to just allow the computer with the IP address that you specify to send DNS queries to the Business Secure Router.
Apply: Click Apply to save your customized settings and exit this screen.
Reset: Click Reset to begin configuring this screen afresh.
Configuring Security
To change your Business Secure Router security settings, click REMOTE MANAGEMENT and then the Security tab. The screen appears as shown in Figure 133.
If an outside user attempts to probe an unsupported port on your Business Secure Router, an ICMP response packet is automatically returned. This allows the outside user to know the Business Secure Router exists. The Business Secure Router series supports antiprobing, which prevents the ICMP response packet from being sent. This keeps outsiders from di
163. Sets to a remote node (screen capture of the Dial Backup screen: Enable Dial Backup; Basic Settings with Login Name, Password, Retype to Confirm, Authentication Type (CHAP/PAP), Primary Phone Number, Secondary Phone Number, Dial Backup Port Speed (115200), AT Command Initial String and Advanced Modem Setup; TCP/IP Options with Priority (Metric), Get IP Address Automatically from Remote Server or Use Fixed IP Address (My WAN IP Address, Remote Node IP Address, Remote IP Subnet Mask), Enable SUA, Enable RIP with RIP Version and RIP Direction, Dial Backup Route, Enable Multicast with Multicast Version; PPP Options with PPP Encapsulation and Enable Compression; Budget with Always On or Configure Budget (Allocated Budget, Period), Idle; Call Schedule with 1st to 4th Schedule Set; Apply and Reset buttons)
Chapter 22 Maintenance
This chapter displays system information such as firmware, port IP addresses and port traffic statistics.
Maintenance overview
The maintenance screens can help you view system information, upload new
164. Tools, Internet Options and then the Security tab. Click the Custom Level button. Scroll down to Microsoft VM. Under Java permissions, make sure that a safety level is selected.
5 Click OK to close the window.
Figure 177 Security Settings Java (screen capture of the Internet Explorer Security Settings dialog, scrolled to Microsoft VM > Java permissions, with the options Custom, Disable Java, High safety, Low safety and Medium safety, and the Reset custom settings control)
JAVA (Sun)
1 From Internet Explorer, click Tools, Internet Options and then the Advanced tab.
2 Make sure that Use Java 2 for applet under Java (Sun) is selected.
3 Click OK to close the window.
4 Close your existing browser session and open a new browser.
Figure 178 Java (Sun) (screen capture of the Internet Explorer Advanced tab, showing the Java (Sun) setting Use Java 2 for applet (requires restart) selected, and the Microsoft VM settings)
165. Windows screen in the Privacy & Security directory.
1 In Netscape, click Edit and then Preferences.
2 Click the Privacy & Security directory and then select Popup Windows.
3 Clear the Block unrequested popup windows check box.
Figure 181 Popup Windows (screen capture of the Netscape Preferences dialog, Privacy & Security > Popup Windows, with the Block unrequested popup windows check box, the Allowed Sites button, and the options for when a popup window has been blocked: Play a sound, Display an icon in the Navigator status bar. The dialog notes that blocking all popups may prevent important features of some web sites from working, such as login windows for banks and shopping sites, and that even if blocked, sites may use other methods to show popups.)
4 Click OK to save this setting.
Enable Pop-up Blockers with Exceptions
Alternatively, if you only want to allow pop-up windows from your device, follow these steps:
1 In Netscape, click Edit and then Preferences.
2 In the Privacy & Security directory, select Popup Windows.
3 Make sure the Block unrequested popup windows check
166.
Chapter 16 IEEE 802.1X 311
IEEE 802.1X overview 311
RADIUS 311
Types of RADIUS messages 311
EAP Authentication overview 312
Chapter 17 Authentication Server 317
Introduction to Local User database 317
Local User Database 317
Edit Local User Database 319
Current split networks 322
Current split networks edit 323
Configuring RADIUS 325
Chapter 18 Remote management screens 329
Remote management overview 329
Remote management limitations 329
Remote management and NAT 330
Introduction to HTTPS 331
167. able a computer to connect to and communicate with a LAN. For some dial-up services, such as PPPoE, NetBIOS packets cause unwanted calls.
Table 19 WAN IP
Label: Description
Allow from WAN to LAN: Select this check box to forward NetBIOS packets from the LAN to the WAN and from the WAN to the LAN. If your firewall is enabled with the default policy set to block WAN to LAN traffic, you must also create a WAN to LAN firewall rule that forwards NetBIOS traffic. Clear this check box to block all NetBIOS packets going from the LAN to the WAN and from the WAN to the LAN. This field does the same as the Allow between LAN and WAN field in the LAN IP screen. Enabling one automatically enables the other.
Allow Trigger Dial: Select this option to allow NetBIOS packets to initiate calls.
Apply: Click Apply to save your changes to the Business Secure Router.
Reset: Click Reset to begin configuring this screen afresh.
Traffic redirect
Traffic redirect forwards WAN traffic to a backup gateway when the Business Secure Router cannot connect to the Internet through its normal gateway. Connect the backup gateway on the WAN so that the Business Secure Router still provides firewall protection. This feature is not available on all models.
Figure 28 Traffic Redirect WAN Setup (diagram of the WAN with the backup gateway)
168. access is just the beginning. For more detailed information on the complete range of features for the Business Secure Router, see the rest of this guide. If you cannot access the Internet, open the WebGUI again to confirm that the Internet settings you configured in the Wizard Setup are correct.
Chapter 4 User Notes
General Notes
There are some router functions that, although performing as expected, might cause some confusion. These are summarized below.
General
1 Default Address Mapping Rules When First Enabling NAT Full Feature: When NAT Full Feature is first enabled, two address mapping rules are added to the address mapping table. This is done to facilitate programming and matches the default SUA rule. The rules can be deleted.
2 Response to Invalid User ID or Password: When the wrong user ID or password is entered into the router login screen, no error message is displayed. Instead, the login screen is simply displayed again.
3 First DHCP Address Reserved for BCM50: The first address of the DHCP Address Pool is reserved for a BCM50 in the subnet and will not be assigned to any other equipment. Once assigned to a BCM50, it is reserved for that BCM50 and will not be assigned to any other. If the BCM50 is changed, the following command must be used to enable the router to assign the first address to a differe
actory defaults, including the password. Press the rear panel RESET button for longer than three seconds to return the Business Secure Router to the factory defaults.
NN47923-500 Appendix A Troubleshooting 415
Problems with the WebGUI
Table 121 Troubleshooting the WebGUI
Problem: cannot access the WebGUI
Corrective Action: Make sure that there is not an SMT session running. Check that you have enabled Web service access. If you have configured a remote management secured client IP address, your computer's IP address must match it. For WAN access, you must configure remote management to allow server access from the WAN or all. You must also configure a firewall rule to allow access from the WAN. The IP addresses of your computer and the Business Secure Router must be on the same subnet for LAN access. If you changed the Business Secure Router LAN IP address, then enter the new one as the URL. Remove any filters in SMT menu 3.1 (LAN) or menu 11.1.4 (WAN) that block Web service.
Problems with Remote Management
Table 122 Troubleshooting Remote Management
Problem: cannot remotely manage the Business Secure Router from the LAN or the WAN
Corrective Action: Check your remote management and firewall configuration. Use the Business Secure Router WAN IP address when configuring from the WAN. Use the Business Secure Router LAN IP address when configuring
age display in the drop-down list. Select a category of logs to view; select All Logs to view logs from all of the log categories that you selected in the Log Settings page.
Time: This field displays the time the log was recorded. Refer to Configuring Time and Date on page 90 for information about configuring the time and date.
Message: This field states the reason for the log.
Source: This field lists the source IP address and the port number of the incoming packet.
Destination: This field lists the destination IP address and the port number of the incoming packet.
Note: This field displays additional information about the log entry.
Email Log Now: Click Email Log Now to send the log screen to the e-mail address specified in the Log Settings page (make sure that you have first filled in the Address Info fields in Log Settings).
NN47923-500 Chapter 20 Logs Screens 375
Table 99 View Log
Label / Description
Refresh: Click Refresh to renew the log screen.
Clear Log: Click Clear Log to delete all the logs.
Configuring Log settings
To change your Business Secure Router log settings, click Logs, then the Log Settings tab. The screen appears as shown in Figure 150. Use the Log Settings screen to configure where the Business Secure Router sends logs, the schedule for when the Business Secure Router is to send the logs, and which logs and immediate alerts the Business Secur
171. ailover Tuning 257 Features 34 Finger 136 Firewall 37 Access Methods 169 Address Type 181 Alerts 189 Connection Direction 172 Creating Editing Rules 178 Custom Ports 182 Enabling 169 Firewall Vs Filters 166 Guidelines For Enhancing Security 166 Introduction 155 LAN to WAN Rules 173 Policies 169 Rule Checklist 171 Rule Logic 171 Rule Security Ramifications 171 Services 186 Types 153 When To Use 167 Firmware Version 396 396 First DNS Server 84 FIP 5 135 130 329 994 FTP Restrictions 329 FTP Server 41 Full Feature 115 Full Network Management 40 G General Setup 82 Global 130 Global End IP 140 143 Global Start IP 140 142 Group Authentication 217 Group ID 217 250 Group Password 217 250 H Half Open Sessions 190 Hardware Setup 42 Host 88 Host Names 86 How SSH works 344 HTTP 136 154 156 157 HTTPS 37 331 HTTPS Example 334 IANA 58 ICMP Commands That Trigger Alerts 160 ICMP echo 159 ICMP Vulnerability 160 Idle Timeout 123 IEEE 802 1x 37 Nortel Business Secure Router 252 Configuration Basics 456 Index IGMP 99 116 123 IGMP V1 116 IGMP v1 123 IGMP V2 116 IGMP v2 123 Illegal Commands 160 Initial Contact Payload 258 Inside 130 Inside Global Address 130 Inside Local Address 130 Internet access 34 Internet Assigned Number Authority IANA 57 Internet Assigned Numbers Authority 58 Internet Control Message Protocol ICMP 159 Internet Group Multicast Protocol
an Expiring or Expired message if the certificate is about to expire or has already expired.
Key Algorithm: This field displays the type of algorithm that was used to generate the certificate's key pair (the Business Secure Router uses RSA encryption) and the length of the key set in bits (1,024 bits, for example).
Subject Alternative Name: This optional field displays the certificate owner's IP address (IP), domain name (DNS) or e-mail address (EMAIL).
Key Usage: This field displays for what functions the certificate key can be used. For example, DigitalSignature means that the key can be used to sign certificates and KeyEncipherment means that the key can be used to encrypt text.
Basic Constraint: This field displays general information about the certificate. For example, Subject Type=CA means that this is a certification authority certificate and Path Length Constraint=1 means that there can only be one certification authority in the certification path of the certificate.
MD5 Fingerprint: This is the message digest of the certificate that the Business Secure Router calculated using the MD5 algorithm. You cannot use this value to verify that this is the remote host's actual certificate, because the Business Secure Router has signed the certificate, thus causing this value to be different from that of the remote host's actual certificate. See Verifying a certificate of a trusted remote host on page 287 for how to verify a remote h
anch Office rule setup
Label / Description
Peer Content: When you select IP in the Peer ID Type field, type the IP address of the computer with which you make the VPN connection, or leave the field blank to have the Business Secure Router automatically use the address in the Secure Gateway Address field. When you select DNS in the Peer ID Type field, type a domain name (up to 31 characters) by which to identify the remote IPSec router. When you select E-mail in the Peer ID Type field, type an e-mail address (up to 31 characters) by which to identify the remote IPSec router. The domain name or e-mail address that you use in the Content field is used for identification purposes only and does not need to be a real domain name or e-mail address. The domain name also does not have to match the remote router's IP address or what you configure in the Secure Gateway Address field. Regardless of how you configure the ID Type and Content fields, two active SAs cannot have both the local and remote IP address ranges overlap between rules.
My IP Address: Enter the WAN IP address of your Business Secure Router. The VPN tunnel has to be rebuilt if this IP address changes. The following applies if this field is configured as 0.0.0.0 (the default): The Business Secure Router uses the current Business Secure Router WAN IP address (static or dynamic) to set up the VPN tunnel. If the WAN connection goes down, the Business Secure R
andwidth for SIP traffic and is useful, for example, when there is a VoIP (Voice over Internet Protocol) device on your LAN. If you select SIP, make sure you also turn on the SIP ALG. For more information about ALG, see ALG on page 94. Select All from the drop-down list if you do not want to use a predefined application for the bandwidth class. When you select All, you must configure at least one of the following fields (other than the Subnet Mask fields, which you only enter if you also enter a corresponding destination or source IP address).
Destination IP Address: Enter the destination IP address in dotted decimal notation.
Destination Subnet Mask: Enter the destination subnet mask. This field is N/A if you do not specify a Destination IP Address.
Destination Port: Enter the port number of the destination. See Predefined services on page 186 in Chapter 11 Firewall screens for a table of services and port numbers.
Nortel Business Secure Router 252 Configuration Basics 308 Chapter 15 Bandwidth management
Table 79 Bandwidth Manager Edit class
Label / Description
Source IP Address: Enter the source IP address.
Source Subnet Mask: Enter the source subnet mask. This field is N/A if you do not specify a Source IP Address.
Source Port: Enter the port number of the source. See Table 80 for some common services and port numbers.
Protocol ID: Enter the protocol ID s
another DHCP server. When set to Relay, fill in the DHCP Server Address field. Select None to stop the Business Secure Router from acting as a DHCP server. When you select None, you must have another DHCP server on your LAN, or else the computers must be manually configured.
Client IP Pool Starting Address: This field specifies the first of the contiguous addresses in the IP address pool.
Size of Client IP Pool: This field specifies the size, or count, of the IP address pool.
DHCP Server Address: Type the IP address of the DHCP server in dotted decimal notation, like 192.168.1.5.
First DNS Server / Second DNS Server / Third DNS Server: Select Obtained From ISP if your ISP dynamically assigns DNS server information (and the Business Secure Router's WAN IP address). The field to the right displays the (read-only) DNS server IP address that the ISP assigns. Select UserDefined if you have the IP address of a DNS server. Enter the DNS server's IP address in the field to the right. Select DNS Relay to have the Business Secure Router act as a DNS proxy. The Business Secure Router's LAN IP address displays in the field to the right (read-only). The Business Secure Router tells the DHCP clients on the LAN that the Business Secure Router itself is the DNS server. When a computer on the LAN sends a DNS query to the Business Secure Router, the Business Secure Router forwards the query to the Business Secure Router's system DNS server (conf
ant to be controlled by the specific rule can get the general rule applied to it instead. Any traffic that does not match the first firewall rule matches the default rule, and the Business Secure Router forwards the traffic.
Note: If an alternate gateway on the LAN has an IP address in the same subnet as the Business Secure Router's LAN IP address, return traffic does not go through the Business Secure Router. This is called an asymmetrical or triangle route and causes the Business Secure Router to reset the connection, as the connection has not been acknowledged.
Note: Allowing asymmetrical routes can let traffic from the WAN go directly to the LAN without passing through the Business Secure Router. A better solution is to use IP alias to put the Business Secure Router and the backup gateway on separate subnets. See Appendix B Triangle Route of Nortel Business Secure Router 252 Configuration Advanced (NN47923-501) for more about triangle route topology.
Nortel Business Secure Router 252 Configuration Basics 176 Chapter 11 Firewall screens
Figure 52 Enabling the firewall (FIREWALL screen: "The firewall protects against Denial of Service (DoS) attacks when it is enabled"; Enable Firewall check box; Bypass Triangle Route check box; Firewall Rules Storage Space in Use; Packet Direction: LAN to LAN / Business Secure Router; "Configured rules for this packet direction are displayed in the summary table below"; Action for packets
Chapter 19 UPnP 361
Universal Plug and Play overview 361
How do I know if I am using UPnP 361
NAT Traversal 361
Cautions with UPnP 362
UPnP implementation 362
Configuring UPnP 362
Displaying UPnP port mapping 364
Installing UPnP in Windows example 365
Installing UPnP in Windows Me 365
Installing UPnP in Windows XP 366
Using UPnP in Windows XP example 368
Auto-discover Your UPnP-enabled Network Device 368
WebGUI easy access 371
Chapter 20 Logs Screens 373
Configuring View Log 373
Configuring Log settings 375
Configuring reports 378
Viewing Web Site Hits
ard. Use the option buttons to select whether to Block (silently discard) or Forward (allow the passage of) packets that are traveling in the selected direction.
Log packets that don't match these rules: Select the check box to create a log when the above action is taken for packets that are traveling in the selected direction and do not match any of the rules below.
The following read-only fields summarize the rules you have created that apply to traffic traveling in the selected packet direction. The firewall rules that you configure (summarized below) take priority over the general firewall action settings above.
This is your firewall rule number. The ordering of your rules is important, as rules are applied in turn. The Move field allows you to reorder your rules.
Status: This field displays whether a firewall rule is turned on (Active) or not (Inactive). Rules that have not been configured display Empty.
Source Address: This drop-down list displays the source addresses or ranges of addresses to which this firewall rule applies. Note that a blank source or destination address is equivalent to Any.
Destination Address: This drop-down list displays the destination addresses or ranges of addresses to which this firewall rule applies. Note that a blank source or destination address is equivalent to Any.
Service Type: This drop-down list displays the services to which this firewall rule applies. Not
as adjusted its time based on information from the time server.
Time calibration failed: The router failed to get information from the time server.
DHCP client gets %s: A DHCP client got a new IP address from the DHCP server.
DHCP client IP expired: A DHCP client's IP address has expired.
DHCP server assigns %s: The DHCP server assigned an IP address to a client.
SMT Login Successfully: Someone has logged on to the router's SMT interface.
SMT Login Fail: Someone has failed to log on to the router's SMT interface.
WEB Login Successfully: Someone has logged on to the router's WebGUI interface.
WEB Login Fail: Someone has failed to log on to the router's WebGUI interface.
TELNET Login Successfully: Someone has logged on to the router through Telnet.
Nortel Business Secure Router 252 Configuration Basics 432 Appendix B Log Descriptions
Table 124 System Maintenance Logs
Log Message / Description
TELNET Login Fail: Someone has failed to log on to the router through Telnet.
FTP Login Successfully: Someone has logged on to the router through FTP.
FTP Login Fail: Someone has failed to log on to the router through FTP.
NAT Session Table is Full: The maximum number of SUA/NAT session table entries has been exceeded and the table is full.
Table 125 UPnP Logs
Log Message / Description
at originates from the Internet. In summary, stateful inspection:
Nortel Business Secure Router 252 Configuration Basics 162 Chapter 10 Firewalls
Allows all sessions originating from the LAN (local network) to the WAN (Internet).
Denies all sessions originating from the WAN to the LAN.
Figure 49 Stateful inspection (User A initiates a Telnet session from the LAN; return traffic for user A's Telnet session is allowed back in)
Figure 49 shows the Business Secure Router's default firewall rules in action and demonstrates how stateful inspection works. User A can initiate a Telnet session from within the LAN and responses to this request are allowed. However, other Telnet traffic initiated from the WAN is blocked.
Stateful inspection process
In the following example, the following sequence of events occurs when a TCP packet leaves the LAN network through the firewall's WAN interface. The TCP packet is the first in a session, and the packet's application layer protocol is configured for a firewall rule inspection.
1. The packet travels from the firewall's LAN to the WAN.
2. The packet is evaluated against the interface's existing outbound access list, and the packet is permitted (a denied packet is dropped at this point).
3. The packet is inspected by a firewall rule to determine and record information about the state of the packet's connection. This information is recorded in a new state table entry created for t
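The default stateful inspection behaviour described above (LAN-originated sessions allowed and their replies admitted, WAN-originated sessions denied), as an added Python model that is not part of the manual. The addresses, ports and the outbound access list are constructed sample data; the access list is assumed to be a simple set of destination ports that may not leave the LAN.

```python
"""Added example, not from the Nortel manual: a minimal model of stateful
inspection.  A LAN->WAN packet is checked against the outbound access list
(step 2), then recorded in a state table (step 3) so that its return traffic
is admitted; any other WAN->LAN packet is dropped.  All addresses, ports and
the access list are constructed sample data."""
from dataclasses import dataclass

LAN_TO_WAN = "LAN->WAN"
WAN_TO_LAN = "WAN->LAN"


@dataclass(frozen=True)
class Packet:
    direction: str  # LAN_TO_WAN or WAN_TO_LAN
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFirewall:
    """Default policy from the page: allow LAN-originated sessions, deny WAN-originated ones."""

    def __init__(self, outbound_denied_ports=()):
        # Assumption: the interface's outbound access list is modelled as a set of
        # destination ports that LAN hosts may not reach.
        self.outbound_denied_ports = set(outbound_denied_ports)
        # State table keyed by the outbound 5-tuple (proto, src, sport, dst, dport).
        self.state = set()
        self.log = []

    def inspect(self, pkt):
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.direction == LAN_TO_WAN:
            if pkt.dport in self.outbound_denied_ports:
                # Denied at step 2: dropped before any state is created.
                self.log.append(f"DROP outbound ACL {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
                return "DROP"
            # First packet of a session: record it so its replies can return.
            self.state.add(key)
            return "FORWARD"
        # WAN->LAN: admitted only if it is the exact reverse of a recorded LAN session.
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.state:
            return "FORWARD"
        self.log.append(f"DROP unsolicited {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
        return "DROP"


def run_figure_49_scenario():
    """Replays the Figure 49 scenario with constructed addresses; returns the verdicts."""
    fw = StatefulFirewall(outbound_denied_ports={445})
    user_a, server, wan_host = "192.168.1.33", "203.0.113.10", "198.51.100.5"
    packets = [
        # User A opens a Telnet session to a host on the Internet.
        Packet(LAN_TO_WAN, "tcp", user_a, 40001, server, 23),
        # The server's reply matches the recorded session and is admitted.
        Packet(WAN_TO_LAN, "tcp", server, 23, user_a, 40001),
        # Telnet initiated from the WAN towards the LAN: no state, so blocked.
        Packet(WAN_TO_LAN, "tcp", wan_host, 5555, user_a, 23),
        # Reply-looking packet from a different host: the 5-tuple does not match.
        Packet(WAN_TO_LAN, "tcp", wan_host, 23, user_a, 40001),
        # Outbound packet denied by the access list at step 2 ...
        Packet(LAN_TO_WAN, "tcp", user_a, 40002, server, 445),
        # ... so no state exists and a "reply" to it is also dropped.
        Packet(WAN_TO_LAN, "tcp", server, 445, user_a, 40002),
    ]
    return [fw.inspect(p) for p in packets]


if __name__ == "__main__":
    for verdict in run_figure_49_scenario():
        print(verdict)
```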
ate
Cancel: Click Cancel to quit configuring this screen and return to the Trusted Remote Hosts screen.
Directory servers
Click CERTIFICATES, Directory Servers to open the Directory Servers screen (Figure 95). This screen displays a summary list of directory servers (that contain lists of valid and revoked certificates) that have been saved into the Business Secure Router. If you decide to have the Business Secure Router check incoming certificates against the issuing certification authority's list of revoked certificates, the Business Secure Router first checks the servers listed in the CRL Distribution Points field of the incoming certificate. If the certificate does not list a server or the listed server is not available, the Business Secure Router checks the servers listed here.
Figure 95 Directory servers (CERTIFICATES, Directory Servers screen: PKI Storage Space in Use; Directory Services table with Name, Address, Port, Protocol and Modify columns)
NN47923-500 Chapter 14 Certificates 295
Table 74 describes the labels in Figure 95.
Table 74 Directory Servers
Label / Description
PKI Storage Space in Use: This bar displays the percentage of the PKI storage space that is currently in use. The bar turns from green to red when the maximum is approached. When the bar is red, consider deleting expired or unnecessary certificates before adding more certificates.
atic Addresses Configured in eWC AUTH SERVER >> Local User Database; IP Address Pool: None selected, Configure IP Address Pool; Enable Perfect Forward Secrecy; Rekey Timeout: 08:00:00 (Range 00:02:00 to 23:59:59); Rekey Data Count: Kbytes (minimum is 5 Kbytes and 0 means disable)
Nortel Business Secure Router 252 Configuration Basics 250 Chapter 13 VPN
Table 60 describes the fields in Figure 78.
Table 60 VPN Client Termination
Label / Description
Enable Client Termination: Turn on the client termination feature if you want the Business Secure Router to support VPN connections from computers using Contivity VPN Client software.
Local User Database: Select this option to have the Business Secure Router use its internal list of users to authenticate the Contivity VPN clients. Click Configure Local User Database to edit the list of users and their usernames and passwords.
User Name and Password / Pre-Shared Key: Select this option to have the Business Secure Router use the Contivity VPN clients' usernames and passwords as a preshared key to identify them during phase 1 IKE negotiations.
RADIUS Server: Select this option to have the Business Secure Router use an external RADIUS server to identify the Contivity VPN clients during phase 1 IKE negotiations. Click Configure RADIUS Server to specify the associated external RADIUS server.
Group ID: The Contivity VPN
ay IP Address: (in dotted decimal) notation. The Business Secure Router automatically forwards traffic to this IP address if the Business Secure Router's Internet connection terminates.
Apply: Click Apply to save your changes back to the Business Secure Router.
Reset: Click Reset to begin configuring this screen afresh.
Configuring Dial Backup
To change the dial backup settings, click WAN, then the Dial Backup tab. The screen appears as shown in Figure 31.
Nortel Business Secure Router 252 Configuration Basics 120 Chapter 7 WAN screens
Figure 31 Dial Backup Setup (WAN screen fields: Enable Dial Backup; Basic Settings: Login Name, Password, Retype to Confirm, Authentication Type (CHAP/PAP), Primary Phone Number, Secondary Phone Number (Optional), Dial Backup Port Speed (115200), AT Command Initial String, Advanced Modem Setup (Edit); TCP/IP Options: Priority (Metric) 1 Highest to 15 Lowest, Get IP Address Automatically from Remote Server, Use Fixed IP Address, My WAN IP Address, Remote Node IP Address, Remote IP Subnet Mask, Enable SUA, Enable RIP, RIP Version, RIP Direction (Both), Broadcast Dial Backup Route, Enable Multicast, Multicast Version (IGMP); PPP Options: PPP Encapsulation (Standard), Enable Compression, Always On, Configure Budget, Allocated Budget, Period, Idle Timeout; Call Schedule: 1st, 2nd, 3rd and 4th Schedule Set)
box is selected.
Nortel Business Secure Router 252 Configuration Basics 426 Appendix A Troubleshooting
4. Click the Allowed Sites button.
Figure 182 Popup Windows (Netscape Preferences screen)
5. Type the IP address of your device (the Web page that you do not want to have blocked) with the prefix http://. For example, http://192.168.1.1.
NN47923-500 Appendix A Troubleshooting 427
6. Click Add to move the IP address to the Site list.
Figure 183 Allowed Sites (Allowed Web Sites: Allow popups from the following web sites)
7. Click OK to return to the Popup Windows screen.
8. Click OK to save this setting.
Netscape Java Permissions and JavaScript
If pages of the WebGUI do not display properly in Netscape, check that JavaScript and Java permissions are enabled.
1. In Netscape, click Edit and then Preferences.
2. Click the Advanced directory.
3. In the Advanced screen, make sure the Enable Java check box is selected.
Nortel Business Secure Router 252 Configuratio
button next to an IP policy and then click Edit to edit that IP policy.
Delete: Select the radio button next to an IP policy that you want to remove and then click Delete.
Authentication Method: Select the Pre-Shared Key radio button to use a preshared secret key to identify the Business Secure Router. Select the Certificate radio button to identify the Business Secure Router by a certificate.
Pre-Shared Key: Type your preshared key in this field. A preshared key identifies a communicating party during a phase 1 IKE negotiation. It is called preshared because you must share it with another party before you can communicate with that party over a secure connection. Type from 8 to 32 case-sensitive ASCII characters or from 16 to 62 hexadecimal (0-9, A-F) characters. You must precede a hexadecimal key with a 0x (zero x), which is not counted as part of the 16 to 62 character range for the key. For example, in 0x0123456789ABCDEF, 0x denotes that the key is hexadecimal and 0123456789ABCDEF is the key itself. Both ends of the VPN tunnel must use the same preshared key. You see a PYLD_MALFORMED (payload malformed) log if the same preshared key is not used on both ends.
Retype to Confirm: Type your preshared key again in this field.
NN47923-500 Chapter 13 VPN 227
Table 54 VPN Branch Office rule setup
Label / Description
Certificate: Use the drop-down list to select the certificate to use
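The preshared key format rules above (8 to 32 case-sensitive ASCII characters, or 0x followed by 16 to 62 hexadecimal digits, with both ends required to match), as an added Python checker that is not part of the manual. It follows the page literally, so only the uppercase digits 0-9 and A-F are accepted in a hexadecimal key; whether the device also accepts lowercase is not stated on the page and is not assumed here.

```python
"""Added example, not from the Nortel manual: validates a preshared key against
the format rules quoted above and reports whether two tunnel ends agree."""

ASCII_MIN, ASCII_MAX = 8, 32      # case-sensitive ASCII key length
HEX_MIN, HEX_MAX = 16, 62         # hex digits after the 0x prefix
HEX_DIGITS = set("0123456789ABCDEF")  # the page lists 0-9 and A-F only


def validate_preshared_key(key):
    """Returns (is_valid, reason); reason explains the verdict in words."""
    if key.startswith("0x"):
        # 0x marks a hexadecimal key and is not counted towards its length.
        body = key[2:]
        if not HEX_DIGITS.issuperset(body):
            return False, "hexadecimal key contains characters outside 0-9, A-F"
        if not HEX_MIN <= len(body) <= HEX_MAX:
            return False, f"hexadecimal key must have {HEX_MIN} to {HEX_MAX} digits, got {len(body)}"
        return True, "hexadecimal key"
    # ASCII key: printable 7-bit characters only (assumption: space through '~').
    if not all(32 <= ord(c) <= 126 for c in key):
        return False, "ASCII key contains non-printable or non-ASCII characters"
    if not ASCII_MIN <= len(key) <= ASCII_MAX:
        return False, f"ASCII key must be {ASCII_MIN} to {ASCII_MAX} characters, got {len(key)}"
    return True, "ASCII key"


def check_tunnel_keys(local_key, remote_key):
    """Validates both ends and lists problems; an empty list means the keys are usable.

    The keys are compared exactly (case-sensitive), because a mismatch is what
    produces the PYLD_MALFORMED log the page describes.
    """
    problems = []
    for side, key in (("local", local_key), ("remote", remote_key)):
        ok, reason = validate_preshared_key(key)
        if not ok:
            problems.append(f"{side}: {reason}")
    if local_key != remote_key:
        problems.append("keys differ: expect a PYLD_MALFORMED log during phase 1")
    return problems


if __name__ == "__main__":
    # Constructed sample keys, not real credentials.
    for k in ("0x0123456789ABCDEF", "0x0123456789ABCDE", "Secret!1", "short"):
        print(k, validate_preshared_key(k))
    print(check_tunnel_keys("Secret!1", "secret!1"))
```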
NAT router between IPSec routers 213
VPN Contivity Client rule setup 215
VPN Contivity Client advanced rule setup 217
VPN Branch Office rule setup 222
VPN Branch Office IP Policy List 231
VPN Branch Office IP Policy Port Forwarding Server 237
Two phases to set up the IPSec SA 239
VPN Branch Office advanced rule setup 242
VPN Client Termination 249
VPN Client Termination IP pool summary 253
VPN Client Termination IP pool edit 254
VPN Client Termination advanced 256
Certificate configuration overview 263
My Certificates 264
My Certificate Import 268
My Certificate Create 270
My Certificate details 274
Trusted CAs 278
Trusted CA Import 280
Trusted CA details
Viewing Protocol/Port 382
Viewing LAN IP Address 383
NN47923-500 Contents 15
Chapter 21 Call scheduling screens 387
Call scheduling introduction 387
Call schedule summary 387
Call schedule edit 389
Applying Schedule Sets to a remote node 391
Chapter 22 Maintenance 395
Maintenance overview 395
Status screen 395
DHCP Table Screen 399
Diagnostic screen 400
F/W Upload screen 402
Configuration screen 405
Back to Factory Defaults 405
Backup configuration 406
Restore configuration 407
ccessible from various locations on the Internet. You must register for this service with a Dynamic DNS service provider.
IP Multicast
The Business Secure Router can use IP multicast to deliver IP packets to a specific group of hosts. IGMP (Internet Group Management Protocol) is the protocol used to support multicast groups. The Business Secure Router supports versions 1 and 2.
IP Alias
Using IP Alias, you can partition a physical network into logical networks over the same Ethernet interface. The Business Secure Router supports three logical LAN interfaces through its single physical Ethernet LAN interface, with the Business Secure Router itself as the gateway for each LAN network.
Central Network Management
With Central Network Management (CNM), an enterprise or service provider network administrator can manage your Business Secure Router. The enterprise or service provider network administrator can configure your Business Secure Router, perform firmware upgrades and do troubleshooting for you.
SNMP
SNMP (Simple Network Management Protocol) is a protocol used for exchanging management information between network devices. SNMP is a member of the TCP/IP protocol suite. Your Business Secure Router supports SNMP agent functionality, which means that a manager station can manage and monitor the Business Secure Router through the network. The Business Secure Router supports SNMP versions 1 and 2 (SNMPv1 and SNMPv2).
Nortel Business Se
ce
Enrollment Options: These radio buttons deal with how and when the certificate is to be generated.
Create a self-signed certificate: Select Create a self-signed certificate to have the Business Secure Router generate the certificate and act as the Certification Authority (CA) itself. This way you do not need to apply to a certification authority for certificates.
Nortel Business Secure Router 252 Configuration Basics 272 Chapter 14 Certificates
Table 66 My Certificate create
Label / Description
Create a certification request and save it locally for later manual enrollment: Select Create a certification request and save it locally for later manual enrollment to have the Business Secure Router generate and store a request for a certificate. Use the My Certificate Details screen to view the certification request and copy it to send to the certification authority. Copy the certification request from the My Certificate Details screen (see My Certificate details on page 273) and then send it to the certification authority.
Create a certification request and enroll for a certificate immediately online: Select Create a certification request and enroll for a certificate immediately online to have the Business Secure Router generate a request for a certificate and apply to a certification authority for a certificate. You must have the certification authority's certificate already i
clients send the group ID and group password to the Business Secure Router for initial authentication. After a successful initial authentication, the associated external RADIUS server uses the username and password from the Contivity VPN client to authenticate the Contivity VPN client. Enter a group ID of up to 31 ASCII characters.
Group Password / Retype to Confirm: Enter a group password of up to 31 ASCII characters. Enter it a second time to make sure you have entered it correctly.
Authentication Type: Select User Name and Password to have the external RADIUS server use the Contivity VPN clients' usernames and passwords to authenticate them during phase 1 IKE negotiations.
NN47923-500 Chapter 13 VPN 251
Table 60 VPN Client Termination
Label / Description
Encryption: Select the combinations of protocol and encryption and authentication algorithms that the Business Secure Router is to use for the phase 2 VPN connections (VPN tunnels) with Contivity VPN clients. The ESP (Encapsulation Security Payload) protocol (RFC 2406) uses encryption as well as the services offered by AH. The AH (Authentication Header) protocol (RFC 2402) was designed for integrity, authentication, sequence integrity (replay resistance) and nonrepudiation, but not for confidentiality, for which the ESP was designed. It does not use encryption. When you use one of the encryption algorithms for data communicati
configured using the Custom Ports function, which is discussed in Configuring custom ports on page 182.
Table 40 Predefined services
Service / Description
AIM/New ICQ (TCP 5190): AOL Internet Messenger service, used as a listening port by ICQ.
AUTH (TCP 113): Authentication protocol used by some servers.
BGP (TCP 179): Border Gateway Protocol.
BOOTP_CLIENT (UDP 68): DHCP Client.
BOOTP_SERVER (UDP 67): DHCP Server.
CU-SEEME (TCP/UDP 7648, 24032): A popular videoconferencing solution from White Pines Software.
DNS (UDP/TCP 53): Domain Name Server, a service that matches Web names (for example, www.nortel.com) to IP numbers.
FINGER (TCP 79): Finger is a UNIX or Internet related command that can be used to find out if a user is logged on.
FTP (TCP 20, 21): File Transfer Program is a program to enable fast transfer of files, including large files that cannot be sent by e-mail.
H.323 (TCP 1720): NetMeeting uses this protocol.
HTTP (TCP 80): Hyper Text Transfer Protocol is a client/server protocol for the World Wide Web.
HTTPS (TCP 443): HTTPS is a secured http session often used in e-commerce.
ICQ (UDP 4000): This is a popular Internet chat program.
IKE (UDP 500): The Internet Key Exchange algorithm is used for key distribution and management.
IPSEC_TUNNEL (AH 0): The IPSEC AH (Authentication Header) tunneling protocol uses this service.
IPSEC_TUNNEL (ESP 0): The
console port.
2. Make sure the communications program is configured correctly. Configure the communications software as follows:
VT100 terminal emulation. 9600 b/s is the default speed on leaving the factory; try other speeds in case the speed has been changed.
No parity, 8 data bits, 1 stop bit, data flow set to none.
Nortel Business Secure Router 252 Configuration Basics 412 Appendix A Troubleshooting
Problems with the LAN LED
Table 115 Troubleshooting the LAN LED
Problem: The LAN LEDs do not turn on.
Corrective Action: Check your Ethernet cable connections. Check for faulty Ethernet cables. Make sure the Ethernet card in your computer is working properly.
Problems with the LAN interface
Table 116 Troubleshooting the LAN interface
Problem: cannot access the Business Secure Router from the LAN
Corrective Action: Check your Ethernet cable type and connections. For LAN connection instructions, see Nortel Business Secure Router 252 Fundamentals (NN47923-301). Make sure the Ethernet adapter is installed in the computer and functioning properly.
Problem: cannot ping any computer on the LAN
Corrective Action: Check the 10M/100M LAN LEDs on the front panel. If they are all off, check the cables between your Business Secure Router and hub or the computer. Verify that the IP address and the subnet mask of the Business Secure Router and the computers are on th
ctions on getting started.
- Nortel Business Secure Router 252 Configuration Advanced (NN47923-501): This guide covers how to use the SMT menu to configure your Business Secure Router.
- WebGUI Online Help: Embedded WebGUI help is available to provide descriptions of individual screens and supplementary information.

Hard-copy technical manuals
You can print selected technical manuals and release notes free, directly from the Internet. Go to www.nortel.com/documentation. Find the product for which you need documentation. Then locate the specific category and model or version for your hardware or software product. Use Adobe Reader to open the manuals and release notes, search for the sections you need, and print them on most standard printers. Go to the Adobe Systems Web site at www.adobe.com to download a free copy of Adobe Reader.

NN47923-500 Preface 31

How to get Help
This section explains how to get help for Nortel products and services.

Getting Help from the Nortel Web site
The best way to get technical support for Nortel products is from the Nortel Technical Support Web site: www.nortel.com/support. This site provides quick access to software, documentation, bulletins, and tools to address issues with Nortel products. More specifically, the site enables you to:
- download software, documentation, and product bulletins
- search the Technical Support Web site and the Nortel Knowledge Base for answers to tech
Network Address Translation (NAT)
NAT (Network Address Translation, RFC 1631) translates multiple IP addresses used within one network to different IP addresses known within another network.

Traffic Redirect
Traffic Redirect forwards WAN traffic to a backup gateway when the Business Secure Router cannot connect to the Internet, thus acting as an auxiliary backup when your regular WAN connection fails.

Port Forwarding
Use this feature to forward incoming service requests to a server on your local network. You can enter a single port number or a range of port numbers to be forwarded, and the local IP address of the desired server.

DHCP (Dynamic Host Configuration Protocol)
With DHCP (Dynamic Host Configuration Protocol), individual client computers can obtain the TCP/IP configuration at start-up from a centralized DHCP server. The Business Secure Router has built-in DHCP server capability, enabled by default, which means it can assign IP addresses, an IP default gateway, and DNS servers to all systems that support the DHCP client. The Business Secure Router can also act as a surrogate DHCP server, where it relays IP address assignment from another DHCP server to the clients.

Full network management
The embedded web configurator is an all-platform web-based utility that you can use to easily manage and configure the Business S
Figure 104 (screen image; visible fields: Reauthentication Period (In Seconds), Idle Timeout (In Seconds), Authentication Databases, Reset)

Table 83 describes the labels in Figure 104.
Table 83 802.1X
Label: Description
Authentication Type: Select Authentication Required, No Access, or No Authentication Required from the drop-down list. Select Authentication Required to authenticate all users before they can access the network. Select No Authentication Required to allow all users to access your network without authentication. Select No Access to deny all users access to your wired network.
Reauthentication Period: Specifies the time interval between the RADIUS server authentication checks of users connected to the network. This field is active only when you select Authentication Required in the Authentication Type field.
Idle Timeout (Seconds): The Business Secure Router automatically disconnects a user after a period of inactivity. The user needs to enter the username and password again before access is allowed.
Authentication Databases: The authentication database contains user login information. The local user database is the built-in database on the Business Secure Router. The RADIUS is an external server. Use this drop-down list to select the first database the Business Secure Router will use to authenticate a user. Be
Figure 31 (screen image; visible values: PPP, Minutes, 100 Seconds, None, Reset)

Table 21 describes the fields in Figure 31.
Table 21 Dial Backup Setup
Label: Description
Enable Dial Backup: Select this check box to turn on dial backup.
Basic Settings
Login Name: Type the logon name assigned by your ISP.
Password: Type the password assigned by your ISP.
Retype to Confirm: Type your password again in this field.
Authentication Type: Use the drop-down list to select an authentication protocol for outgoing calls. Options are: CHAP/PAP (your Business Secure Router accepts either CHAP or PAP when requested by this remote node); CHAP (your Business Secure Router accepts CHAP only); PAP (your Business Secure Router accepts PAP only).
Primary/Secondary Phone Number: Type the first (primary) phone number from the ISP for this remote node. If the Primary Phone number is busy or does not answer, your Business Secure Router dials the Secondary Phone number if available. Some areas require dialing the pound sign (#) before the phone number for local calls. Include a # symbol at the beginning of the phone numbers as required.
Dial Backup Port Speed: Use the drop-down list to select the speed of the connection between the Dial Backup port and the external device. Available speeds are 9,600, 19,200, 38,400, 57,600, 115,200, or 230,400 b/s.
down list. The Business Secure Router's encapsulation mode must be identical to the remote IPSec router's. Tunnel is compatible with NAT; Transport is not.

Table 57 VPN Branch Office Advanced Rule Setup
Label: Description
Perfect Forward Secrecy (PFS): Perfect Forward Secrecy (PFS) is disabled (None) by default in phase 2 IPSec SA setup. This allows faster IPSec setup, but is not as secure. Choose from DH1, DH2, or DH5 to enable PFS. DH1 refers to Diffie-Hellman Group 1, a 768-bit random number. DH2 refers to Diffie-Hellman Group 2, a 1,024-bit (1 Kb) random number (more secure, yet slower). DH5 refers to Diffie-Hellman Group 5, a 1,536-bit random number.
Apply: Click Apply to temporarily save the settings and return to the VPN Branch Office Rule Setup screen. The advanced settings are saved to the Business Secure Router if you click Apply in the VPN Branch Office Rule Setup screen.
Cancel: Click Cancel to return to the VPN Branch Office screen without saving your changes.

SA Monitor
In the WebGUI, click VPN and the SA Monitor tab. Use this screen to display and manage all of the active VPN connections (IPSec sessions). A Security Association (SA) is the group of security settings related to a specific VPN tunnel. This screen displays active VPN connections. Use Refresh to display active VPN connections. This screen is read-only. Table 58 describes the fields
dress (for example 192.168.0.12) of the computer hosting this service on your network. (Screen image; visible values: 192.168.1.11; External Port number for this service: 143, TCP/UDP; Internal Port number for this service: 143.)
Note: When the UPnP-enabled device is disconnected from your computer, all port mappings are deleted automatically.

5 Select the Show icon in notification area when connected check box and click OK. An icon displays in the system tray.
Figure 145 Internet connection icon (screen image; visible text: Internet Connection is now connected. Click here for more information.)
6 Double-click the icon to display your current Internet connection status.
Figure 146 Internet connection status (screen image; visible fields: Internet Gateway: Connected; Duration 00:00:56; Speed 100.0 Mbps; Activity: Internet, Internet Gateway, My Computer; Received 5,943)

WebGUI easy access
With UPnP, you can access the WebGUI without first finding out its IP address. This is helpful if you do not know the IP address of your Business Secure Router. Follow the steps below to access the WebGUI.
1 Click Start and then Control Panel.
2 Double-click Network Connections.
3 Select My Network Places under Other Places.
Figure
dress of the same inside host when the packet is on the WAN side. Table 23 summarizes this information.

Table 23 NAT definitions
Term: Description
Inside: This refers to the host on the LAN.
Outside: This refers to the host on the WAN.
Local: This refers to the packet address (source or destination) as the packet travels on the LAN.
Global: This refers to the packet address (source or destination) as the packet travels on the WAN.
Note: NAT never changes the IP address (either local or global) of an outside host.

What NAT does
In the simplest form, NAT changes the source IP address in a packet received from a subscriber (the inside local address) to another (the inside global address) before forwarding the packet to the WAN side. When the response comes back, NAT translates the destination address (the inside global address) to the inside local address before forwarding it to the original inside host. Note that the IP address (either local or global) of an outside host is never changed. The global IP addresses for the inside hosts can be either static or dynamically assigned by the ISP. In addition, you can designate servers (for example, a web server and a Telnet server) on your local network and make them accessible to the outside world. If you do not define any servers for Many-to-One and Many-to-Many Overload mapping, NAT offe
e 72.

Table 55 VPN Branch Office IP Policy
Label: Description
Protocol: Enter a number to specify what type of traffic is allowed to go through the VPN tunnel that is built using this IP policy. For example, use 1 for ICMP, 6 for TCP, 17 for UDP. 0 is the default and signifies any protocol. For example, if you select 1 (ICMP), only ICMP packets can go through the tunnel. If you specify a protocol other than 1 (ICMP) or 0 (any protocol), you cannot use the control ping feature. If you set this field to 6 (TCP) or 17 (UDP), you can use the Port field to specify the port number of the allowed traffic.
Enable Control Ping: Select the check box and configure an IP address in the Control Ping IP Address field to have the Business Secure Router periodically test the VPN tunnel to the branch office. The Business Secure Router pings the IP address every minute. The Business Secure Router starts the IPSec connection idle timeout timer when it sends the ping packet. If there is no traffic from the remote IPSec router by the time the timeout period expires, the Business Secure Router disconnects the VPN tunnel.
Control Ping IP Address: If you select Enable Control Ping, enter the IP address of a computer at the branch office. The computer's IP address must be in this IP policy's remote range (see the Remote fields).
Branch Tunnel NAT
Address Mapping Rule
Port Forwarding Server: Click Port Forwarding Server to co
Figure 99 (screen image; visible rows: WAN1 FTP 0.0.0.0/0 to 0.0.0.0/0; WAN2 SIP 0.0.0.0/0 to 192.168.1.33; Move filter [ ] to filter [ ] (filter number))

Table 78 describes the labels in Figure 99.
Table 78 Bandwidth Manager Class Setup
Label: Description
Interface: Select an interface from the drop-down list for which you wish to set up classes.
Bandwidth Management: This field displays whether bandwidth management on the interface you selected in the field above is enabled (Active) or not (Inactive).
Add Sub-Class: Click Add Sub-Class to add a subclass.
Edit: Click Edit to go to a screen where you can configure the selected subclass. You cannot edit the root class.
Delete: Click Delete to remove the selected subclass. You cannot delete the root class.
Statistics: Click Statistics to display the status of the selected class.
#: This is the number of a filter entry. The ordering of your filters is important, as they are applied in turn. Use the Move button to reorder your filters.
Filter Name: This is the Class Name that you configured in the Edit Class screen.
Service: If you selected a predefined application (FTP, H.323, or SIP), it displays here.
Destination IP: This field displays the destination IP address in dotted decimal notation
e Router logs.

Log Command Example
This example shows how to set the Business Secure Router to record the access logs and alerts, and then view the results.
ras> sys logs load
ras> sys logs category access 3
ras> sys logs save
ras> sys logs display access
(Output: columns time, message, source, destination, and notes; six entries dated 11/11/2002 15:10, each with message Firewall default policy, source and destination addresses and ports, and notes ACCESS or BLOCK.)
e Router is to send. An alert is a type of log that warrants more serious attention, including system errors, attacks (access control), and attempted access to blocked Web sites or Web sites with restricted Web features such as cookies or ActiveX. Some categories (such as System Errors) consist of both logs and alerts. You can differentiate between logs and alerts by their color in the View Log screen. Alerts display in red and logs display in black.
Note: Alerts are e-mailed as soon as they happen. Logs can be e-mailed as soon as the log is full. Selecting many alert and log categories (especially Access Control) can result in many e-mails being sent.

Figure 150 Log settings (screen image; visible values: 0.0.0.0, Local 1, None, Sunday, 0)

Table 100 describes the fields in Figure 150.
Table 100 Log settings
Label: Description
Address Info
Mail Server: Enter the server name or the IP address of the mail server for the e-mail addresses specified below. If this field is left blank, logs and alert messages are not sent through e-mail.
Server Port: Enter the port number that the mail server uses.
Mail Subject: Type a title that you want to be in the subject line of the log e-mail message that the Business Secure Router sends.
Send Log To: Logs are sent to the e-mail
Figure 96 (screen image; visible fields: Directory Service Setting: Name; Access Protocol: LDAP; Server Address (Host Name or IP Address); Server Port: 389; Login Setting: Login, Password; Apply, Cancel)

Table 75 describes the labels in Figure 96.
Table 75 Directory server add
Label: Description
Directory Service Setting
Name: Type up to 31 ASCII characters (spaces are not permitted) to identify this directory server.
Access Protocol: Use the drop-down list to select the access protocol used by the directory server. LDAP (Lightweight Directory Access Protocol) is a protocol over TCP that specifies how clients access directories, certificates, and lists of revoked certificates.
Server Address: Type the IP address (in dotted decimal notation) or the domain name of the directory server.
Server Port: This field displays the default server port number of the protocol that you select in the Access Protocol field. You can change the server port number if needed; however, you must use the same server port number that the directory server uses. The default server port number for LDAP is 389.
Login Setting
Login: The Business Secure Router must authenticate itself in order to access the directory server. Type the logon name (up to 31 ASCII characters) from the entity maintaining the directory se
e integer giving the total number of seconds since 1970/1/1 at 0:0:0. The default, NTP (RFC 1305), is similar to Time (RFC 868).
Time Server Address: Enter the IP address or URL of your time server. Check with your ISP or network administrator if you are unsure of this information.
Synchronize Now: Click this button to have the Business Secure Router get the time and date from a time server (see the Time Server Address field). This also saves your changes, including the time server address.

Table 12 Time and Date
Label: Description
Time Zone Setup
Time Zone: Choose the time zone of your location. This will set the time difference between your time zone and Greenwich Mean Time (GMT).
Enable Daylight Saving: Daylight Saving Time is a period from late spring to early fall when many countries set their clocks ahead of normal local time by one hour to give more daytime light in the evening. Select this option if you use Daylight Saving Time.
Start Date: Configure the day and time when Daylight Saving Time starts if you select Enable Daylight Saving. The o'clock field uses the 24 hour format. Here are a couple of examples: Daylight Saving Time starts in most parts of the United States on the first Sunday of April. Each time zone in the United States starts using Daylight Saving Time at 2 a.m. local time. So in the United States, select Fi
e is required for Business Secure Router to Business Secure Router and host to Business Secure Router communications. Tunnel mode communications have two sets of IP headers:
- Outside header: The outside IP header contains the destination IP address of the Business Secure Router.
- Inside header: The inside IP header contains the destination IP address of the final system behind the Business Secure Router. The security protocol appears after the outer IP header and before the inside IP header.

IPSec and NAT
Read this section if you are running IPSec on a host computer behind the Business Secure Router. NAT is incompatible with the AH protocol in both Transport and Tunnel mode. An IPSec VPN using the AH protocol digitally signs the outbound packet, both data payload and headers, with a hash value appended to the packet. When using AH protocol, packet contents (the data payload) are not encrypted. A NAT device in between the IPSec endpoints rewrites either the source or destination address with one of its own choosing. The VPN device at the receiving end verifies the integrity of the incoming packet by computing its own hash value, and complains that the hash value appended to the received packet does not match. The VPN device at the receiving end does not know about the NAT in the middle, so it assumes that the data was maliciously altered.

IPSec using ESP
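The AH-versus-NAT failure described above, reproduced as an added example that is not from the manual: a constructed IPv4 packet, a constructed SA key, and HMAC-SHA256 truncated to 16 bytes standing in as the negotiated integrity check value (ICV). It shows that the AH ICV (which covers the IP header's immutable fields) breaks when NAT rewrites the source address, while an ESP ICV (which excludes the outer IP header) still verifies.

```python
"""Why NAT breaks AH but not the ESP integrity check (added illustration).

Constructed example, not the router's code: AH's ICV is computed over the
IP header (mutable fields zeroed, RFC 4302) plus the payload, so a NAT
rewrite of the source address invalidates it. ESP's ICV covers only the
ESP header and payload, so the same rewrite still verifies. The ESP
transport-mode checksum problem the manual mentions elsewhere is out of
scope here. HMAC-SHA256/16 bytes is an assumed stand-in for the real ICV.
"""
import hashlib
import hmac
import socket
import struct

ICV_LEN = 16                               # assumed truncated ICV length
KEY = b"constructed-shared-sa-key"         # constructed SA key, not real
IPV4_FMT = "!BBHHHBBH4s4s"                 # 20-byte IPv4 header, no options


def ipv4_header(src: str, dst: str, proto: int, total_len: int) -> bytes:
    """Build a minimal IPv4 header (checksum left at 0 for simplicity)."""
    return struct.pack(
        IPV4_FMT, 0x45, 0, total_len, 0x1234, 0x4000, 64, proto, 0,
        socket.inet_aton(src), socket.inet_aton(dst),
    )


def _zero_mutable(ip_hdr: bytes) -> bytes:
    """AH zeroes mutable fields before hashing: TOS, flags/fragment
    offset, TTL and header checksum. Source/destination addresses stay."""
    f = list(struct.unpack(IPV4_FMT, ip_hdr))
    f[1] = 0   # TOS / DSCP
    f[4] = 0   # flags + fragment offset
    f[5] = 0   # TTL
    f[7] = 0   # header checksum
    return struct.pack(IPV4_FMT, *f)


def ah_icv(ip_hdr: bytes, payload: bytes) -> bytes:
    """AH integrity value over immutable IP header fields + payload."""
    return hmac.new(KEY, _zero_mutable(ip_hdr) + payload,
                    hashlib.sha256).digest()[:ICV_LEN]


def esp_icv(esp_hdr_and_payload: bytes) -> bytes:
    """ESP integrity value over ESP header + payload; outer IP excluded."""
    return hmac.new(KEY, esp_hdr_and_payload,
                    hashlib.sha256).digest()[:ICV_LEN]


def nat_rewrite_src(ip_hdr: bytes, new_src: str) -> bytes:
    """What the NAT device does: swap the source address on the way out."""
    f = list(struct.unpack(IPV4_FMT, ip_hdr))
    f[8] = socket.inet_aton(new_src)
    return struct.pack(IPV4_FMT, *f)


def ah_survives_nat(inside_local: str, inside_global: str, peer: str) -> bool:
    """Host signs with AH, NAT rewrites src, remote peer verifies."""
    payload = b"constructed AH-protected payload"
    hdr = ipv4_header(inside_local, peer, 51, 20 + len(payload))  # 51 = AH
    icv_sent = ah_icv(hdr, payload)
    hdr_seen_by_peer = nat_rewrite_src(hdr, inside_global)
    return hmac.compare_digest(icv_sent, ah_icv(hdr_seen_by_peer, payload))


def esp_survives_nat(inside_local: str, inside_global: str, peer: str) -> bool:
    """Same flow with ESP: the ICV input never included the outer header."""
    esp_body = b"\x00\x00\x00\x01" + b"\x00\x00\x00\x07" + b"ciphertext bytes"
    hdr = ipv4_header(inside_local, peer, 50,
                      20 + len(esp_body) + ICV_LEN)                # 50 = ESP
    icv_sent = esp_icv(esp_body)
    nat_rewrite_src(hdr, inside_global)   # header changes, ICV input does not
    return hmac.compare_digest(icv_sent, esp_icv(esp_body))


if __name__ == "__main__":
    # Constructed addresses: inside local, inside global (NAT), remote peer.
    args = ("192.168.1.33", "203.0.113.5", "198.51.100.9")
    print("AH ICV verifies after NAT :", ah_survives_nat(*args))
    print("ESP ICV verifies after NAT:", esp_survives_nat(*args))
```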
e listed keywords.
Day to Block: Select check boxes for the days that you want the Business Secure Router to perform content filtering. Select the Everyday check box to have content filtering turned on all days of the week.

Table 42 Content filter
Label: Description
Time of Day to Block: Time of Day to Block allows the administrator to define during which time periods content filtering is enabled. Time of Day to Block restrictions only apply to the keywords (see above). Restrict web server data such as ActiveX, Java, Cookies, and Web Proxy are not affected. Enter the time period, in 24 hour format, during which content filtering will be enforced. Select the All Day check box to have content filtering always active on the days selected in Day to Block, with time of day limitations not enforced.
Apply: Click Apply to save your changes.
Reset: Click Reset to begin configuring this screen afresh.

Chapter 13 VPN
This chapter introduces the basics of IPSec VPNs and covers the VPN WebGUI. See Chapter 20, Logs Screens, on page 373 for information about viewing logs, and the appendices for IPSec log descriptions. A VPN (Virtual Private Network) provides secure communications between sites without the expense of leased site-to-site lines. A secure VPN is a c
e same subnet.

Problems with the WAN interface
Table 117 Troubleshooting the WAN Interface
Problem: Corrective Action
Cannot get WAN IP address from the ISP: For initial setup of the Business Secure Router, see Nortel Business Secure Router 252 Fundamentals (NN47923-301). The ISP provides the WAN IP address after authentication. Authentication can be through the username and password, the MAC address, or the host name. Use the following corrective actions to make sure the ISP can authenticate your connection. You need a username and password if you are using PPPoE or PPPoA encapsulation. Make sure that you have entered the correct service type, username, and password (the username and password are case sensitive). Use the WAN screens in the WebGUI. If your ISP requires host name authentication, configure your computer name as the system name of the Business Secure Router (use the System General screen to configure the system name).

Problems with Internet access
Table 118 Troubleshooting Internet access
Problem: Corrective Action
Cannot access the Internet: Check your cable connections. Refer to the Nortel Business Secure Router 252 Fundamentals (NN47923-301) guide for connection information. Verify your settings in the WAN screens.
Internet connection disconnects: Check the call scheduling rules. If you u
e services use a dedicated range of ports on the client side and a dedicated range of ports on the server side. With regular port forwarding, you set a forwarding port in NAT to forward a service (coming in from the server on the WAN) to the IP address of a computer on the client side (LAN). The problem is that port forwarding only forwards a service to a single LAN IP address. In order to use the same service on a different LAN computer, you have to manually replace the LAN computer's IP address in the forwarding port with another LAN computer's IP address. Trigger port forwarding solves this problem by allowing computers on the LAN to dynamically take turns using the service. The Business Secure Router records the IP address of a LAN computer that sends traffic to the WAN to request a service with a specific port number and protocol (a trigger port). When the WAN port on the Business Secure Router receives a response with a specific port number and protocol (incoming port), the Business Secure Router forwards the traffic to the LAN IP address of the computer that sent the request. After that connection closes, another computer on the LAN can use the service in the same manner. This way, you do not need to configure a new IP address each time you want a different LAN computer to use the application.

Trigger Port Forwarding example
Figure 40 illustrates an example of trigger port forwarding.
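The trigger/incoming-port mechanism described above, as an added simulation that is not the router's code: a trigger rule with constructed port numbers and LAN addresses, where the host that last hit the trigger port receives the WAN replies on the incoming port range until its connection closes, after which another LAN host can take its turn.

```python
"""Trigger port forwarding, simulated (added example, not router code).

Constructed rule: a LAN host that sends traffic to trigger port TCP 6112
becomes the forwarding target for WAN replies on incoming ports TCP
6113-6119 until that connection closes; then another LAN host can
trigger the same rule. Ports and addresses are constructed for the demo.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class TriggerRule:
    name: str
    trigger_proto: str
    trigger_port: int
    incoming_proto: str
    incoming_ports: Tuple[int, int]   # inclusive WAN-side port range

    def matches_trigger(self, proto: str, dport: int) -> bool:
        return proto == self.trigger_proto and dport == self.trigger_port

    def matches_incoming(self, proto: str, dport: int) -> bool:
        lo, hi = self.incoming_ports
        return proto == self.incoming_proto and lo <= dport <= hi


@dataclass
class TriggerPortNAT:
    rules: Tuple[TriggerRule, ...]
    # rule name -> LAN IP currently holding the rule (None when free)
    active: Dict[str, Optional[str]] = field(default_factory=dict)

    def outbound(self, lan_ip: str, proto: str, dport: int) -> Optional[str]:
        """LAN->WAN packet. On a free trigger port, record lan_ip as the
        host that gets the replies; return the rule name that was taken."""
        for rule in self.rules:
            if rule.matches_trigger(proto, dport):
                holder = self.active.get(rule.name)
                if holder is None:
                    self.active[rule.name] = lan_ip
                    return rule.name
                # Another host holds the rule until its connection closes.
                return rule.name if holder == lan_ip else None
        return None

    def inbound(self, proto: str, dport: int) -> Optional[str]:
        """WAN->LAN packet on an incoming port: forward to the recorded
        LAN host, or drop (None) if no LAN host has triggered the rule."""
        for rule in self.rules:
            if rule.matches_incoming(proto, dport):
                return self.active.get(rule.name)
        return None

    def close(self, lan_ip: str) -> None:
        """Connection closed: release every rule held by lan_ip."""
        for name, holder in self.active.items():
            if holder == lan_ip:
                self.active[name] = None


def take_turns_demo() -> Tuple[Optional[str], Optional[str],
                               Optional[str], Optional[str]]:
    """Two LAN hosts use one trigger rule in turn (constructed scenario).
    Returns where an incoming-port packet is forwarded at each stage."""
    nat = TriggerPortNAT(rules=(
        TriggerRule("game-voice", "TCP", 6112, "TCP", (6113, 6119)),
    ))
    before = nat.inbound("TCP", 6115)           # nobody triggered: dropped
    nat.outbound("192.168.1.33", "TCP", 6112)   # host A hits the trigger port
    nat.outbound("192.168.1.34", "TCP", 6112)   # host B tries while A holds it
    during = nat.inbound("TCP", 6115)           # forwarded to A
    nat.close("192.168.1.33")                   # A's connection closes
    nat.outbound("192.168.1.34", "TCP", 6112)   # now B takes the rule
    after = nat.inbound("TCP", 6119)            # forwarded to B
    unrelated = nat.inbound("TCP", 6120)        # outside incoming range: dropped
    return before, during, after, unrelated


if __name__ == "__main__":
    print(take_turns_demo())
```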
e that a blank service type is equivalent to Any. For more information, see Table 40 on page 187.
Action: This is the specified action for the selected rule, either Block or Forward. Note that Block means the firewall silently discards the packet.
Log: This field shows you if a log is created for packets that match the rule (Match), don't match the rule (Not Match), both (Both), or no log is created (None).
Alert: This field tells you whether this rule generates an alert (Yes) or not (No) when the rule is matched.

Table 36 Firewall rules summary: First screen
Label: Description
Insert: Type the index number for where you want to put a rule. For example, if you type 6, your new rule becomes number 6 and the previous rule 6 (if there is one) becomes rule 7. Click Insert to display the screen where you configure a firewall rule.
Move: Select the Index option button of a rule and type a number for where you want to put that rule. Click Move to move the rule to the number that you typed. The ordering of your rules is important, as they are applied in order of their numbering.
Rule to Rule Number: Click a rule's option button and type the number for where you want to put that rule.
Edit: Click Edit to create or edit a rule.
Delete: Click Delete to delete an existing firewall rule. Note that subsequent firewall ru
216. eatd 2n cie ra Mieke eek eta dde ede etd ee E eee der ER 85 Gopgonmy Deremie DNS res ua eda adicere n Rot cda ab ears a pde an e 85 Commun PSESWOIU asas dame ed dpi Cea ER aS ERU dap Su a 87 Predefined NTP time server list llle BIA 89 Config ring Timeand Dat 1 cus ccd edd ceed A OX E Cebu ee alga 90 cR n 94 GO ALES uuiaad cede dederehie ebay ced eae eeqede tegaeere dior egecs 94 NN47923 500 Contents 7 Chapter 6 LAN S6rOGlg lleuaanaseaiauksasak mac RnRaaaazd Rs E nae s Seen AR 97 LAB DIO daudpideyVATARTRRESISERRERDOPREIEQARERIRGAN S PeJERSZG MORES 97 DHUOP SEE s cL bea ax Seded dE RR d HUBER IPAE OCCUR A OPIRRE SCR Ter HEU ERE 97 PSO ape Pcr eA ee Re eee ee PT 97 DNS SONOS cacceheesnbere Chee bee deeleccbed bees bane XA dnb d 98 LANITORAP sins dudit Gees d os d SRL ES Ce TREE NEA ede d PARS edd E 98 Factory LAN delats caasa m Rc E cpa UE GUECEO RR GDUOERURCE E SORGROUR ges RRES 98 AIP SOUD CCCII 98 Dres ped cC M PDC PT 99 DORIOUPIEO P sensei do p been o da P e A CROCO Balac dab bees 100 Gunfiiunng Sai DAP 22 ci teievacte ER X EA RA RE REGE RXGGG Ed EX RR 103 COBIQUORE IP SIGS 1 ataca icio a Sca ks bac de eo doo p EOS bw Ded dabis 105 Chapter 7 WAN SCICGNS ci iced ie vied deeds is dtre SAO ds bce Dede ET ae 107 ls uev pr ead beaded Ree eR eT eee Se RR 107 TPT POG NERC 1 ic a oaks ew Rios Rae Nel Sd he ons os ded tuos 107 DOMIUNNG ROUGE 2k preadh eee adda dene eget pee sete Ree o nS
218. ect the check box to enable DYNDNS Wildcard.
Off Line: This option is available when CustomDNS is selected in the DDNS Type field. Check with your Dynamic DNS service provider to have traffic redirected to a URL that you can specify while you are off line.
IP Address Update Policy:
DDNS Server Auto Detect IP Address: Select this option only when there are one or more NAT routers between the Business Secure Router and the DDNS server. This feature has the DDNS server automatically detect and use the IP address of the NAT router that has a public IP address. Note: The DDNS server may not be able to detect the proper IP address if there is an HTTP proxy server between the Business Secure Router and the DDNS server.
Use Specified IP Address: Select this option to update the IP address of the host names to the IP address specified below. Use this option if you have a static IP address.
Use IP Address: Enter the IP address if you select the User Specify option.
Apply: Click Apply to save your changes to the Business Secure Router.
Reset: Click Reset to return to the previously saved settings.
Configuring Password
To change the password of your Business Secure Router (recommended), click SYSTEM, then the Password tab. The screen illustrated in Figure 19 appears. In this screen you can change the password of the Business Secure Router.
219. ect this option, the Business Secure Router does not send ICMP response packets to port requests for unused ports, thus leaving the unused ports and the Business Secure Router unseen. If the firewall blocks a packet from the WAN, the Business Secure Router sends a TCP reset packet. Use the sys firewall tcprst rst off command in the command interpreter if you want to stop the Business Secure Router from sending TCP reset packets.
Apply: Click Apply to save your customized settings and exit this screen.
Reset: Click Reset to begin configuring this screen afresh.
NN47923 500 361 Chapter 19 UPnP
This chapter introduces the Universal Plug and Play feature.
Universal Plug and Play overview
Universal Plug and Play (UPnP) is a distributed, open networking standard that uses TCP/IP for simple peer to peer network connectivity between devices. A UPnP device can dynamically join a network, obtain an IP address, convey its capabilities, and learn about other devices on the network. In turn, a device can leave a network smoothly and automatically when it is no longer in use.
How do I know if I am using UPnP?
UPnP hardware is identified as an icon in the Network Connections folder (Windows XP). Each UPnP compatible device installed on your network appears as a separate icon. By selecting the icon of a UPnP device, you can access the information and properties of that device.
NAT Traversal
UPnP NAT traversal
220. ecure Router. Most functions of the Business Secure Router are also software configurable through the SMT (System Management Terminal) interface. The SMT is a menu driven interface that you can access from a terminal emulator through the console port or over a Telnet connection.
Logging and tracing
The Business Secure Router supports the following logging and tracing functions to help with management:
- Built in message logging and packet tracing
- Unix syslog facility support
Upgrade Business Secure Router Firmware
The firmware of the Business Secure Router can be upgraded through the console port or the LAN.
Embedded FTP and TFTP Servers
The embedded FTP and TFTP servers enable fast firmware upgrades as well as configuration file backups and restoration.
Applications for the Business Secure Router
Secure broadband internet access and VPN
The Business Secure Router provides broadband Internet access through ADSL. The Business Secure Router also provides IP address sharing and a firewall protected local network with traffic management. The Business Secure Router VPN is an ideal, cost effective way to connect branch offices and business partners over the Internet without the need and expense of leased lines between sites. The LAN computers can share the VPN tunnels for secure connections to remote computers.
221. ecure Router acts as a message relay between the user and the network RADIUS server.
Types of RADIUS messages
The following types of RADIUS messages are exchanged between the Business Secure Router and the RADIUS server for user authentication:
- Access-Request: Sent by the Business Secure Router requesting authentication.
- Access-Reject: Sent by a RADIUS server rejecting access.
- Access-Accept: Sent by a RADIUS server allowing access.
- Access-Challenge: Sent by a RADIUS server requesting more information in order to allow access. The Business Secure Router sends a proper response from the user and then sends another Access-Request message.
The following types of RADIUS messages are exchanged between the Business Secure Router and the RADIUS server for user accounting:
- Accounting-Request: Sent by the Business Secure Router requesting accounting.
- Accounting-Response: Sent by the RADIUS server to indicate that it has started or stopped accounting.
In order to ensure network security, the Business Secure Router and the RADIUS server use a shared secret key, which is a password they both know. The key is not sent over the network. In addition to the shared key, password information exchanged is also encrypted to protect the network from unauthorized access.
EAP Authentication overview
EAP (Extensible Authentication Protocol) is
222. Port forwarding: Services and Port Numbers
The most often used port numbers are shown in Table 25. Refer to Assigned Numbers (RFC 1700) for further information about port numbers.
Table 25 Services and port numbers
Services | Port Number
ECHO | 7
FTP (File Transfer Protocol) | 21
SMTP (Simple Mail Transfer Protocol) | 25
DNS (Domain Name System) | 53
Finger | 79
HTTP (Hyper Text Transfer Protocol or WWW, Web) | 80
POP3 (Post Office Protocol) | 110
NNTP (Network News Transport Protocol) | 119
SNMP (Simple Network Management Protocol) | 161
SNMP trap | 162
PPTP (Point to Point Tunneling Protocol) | 1723
Configuring servers behind SUA (example)
For example, you want to assign ports 22 to 25 to one server, port 80 to another, and assign a default server IP address of 192.168.1.35, as shown in Figure 36.
Figure 36 Multiple servers behind NAT example (the NAT network appears as a single host on the Internet; figure labels: FTP/Telnet/SMTP server, Business Secure Router 192.168.1.1, computers 192.168.1.33 to 192.168.1.36, IP address assigned by ISP)
Configuring SUA Server
223. ed RSA1 key fingerprint is 21 6c 07 25 7e 4 75 80 ec af bd d4 3d 80 53 d1
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '192.168.1.1' (RSA1) to the list of known hosts.
    Administrator@192.168.1.1's password:
    sftp> put firmware.bin ras
    Uploading firmware.bin to /ras
    Read from remote host 192.168.1.1: Connection reset by peer
    Connection closed
You can configure your Business Secure Router for remote Telnet access as shown in Figure 127.
Figure 127 Telnet configuration on a TCP/IP network (a user on the Internet telnets into your LAN via the Contivity Business Secure Router; incoming traffic)
Configuring TELNET
Click REMOTE MANAGEMENT to open the TELNET screen.
Figure 128 Telnet (REMOTE MANAGEMENT screen, tabs HTTP, SSH, TELNET, FTP, SNMP, DNS; TELNET tab: Server Port 23; Server Access; Secured Client IP All / Selected; Reset)
Table 91 describes the fields in Figure 128.
Table 91 Telnet, Label / Description:
Server Port: You can change the server port number for a service if needed; however, you must use the same port number in order to use that service for remote management.
Server Access: Select the interfaces (if any) through which a computer can access the Business Secure Router using this service.
Secured Client IP: A secured client is a trusted computer that is al
225. ens
Remote management overview
Remote management allows you to determine which services and protocols can access which Business Secure Router interface (if any) from which computers.
Note: When you configure remote management to allow management from the WAN, you still need to configure a firewall rule to allow access.
You can manage your Business Secure Router from a remote location through:
- Internet (WAN only)
- LAN only
- ALL (LAN and WAN)
- Neither (Disable)
Note: If you choose WAN only or ALL (LAN & WAN), you still need to configure a firewall rule to allow access.
To disable remote management of a service, select Disable in the corresponding Server Access field.
Remote management limitations
Remote management over LAN or WAN does not work if:
1. A filter in SMT menu 3.1 (LAN) or in menu 11.1.4 (WAN) is applied to block a Telnet, FTP or Web service.
2. A service is disabled in one of the remote management screens.
3. The IP address in the Secured Client IP field does not match the client IP address. If it does not match, the Business Secure Router disconnects the session immediately.
4. An SMT console session is running.
5. Another remote management session of the same type (web, FTP or Telnet) is running.
You can only have one remote management session of the same type running at o
226. er an attack is detected. For DoS attacks, the Business Secure Router uses thresholds to determine when to drop sessions that do not become fully established. These thresholds apply globally to all sessions. You can use the default threshold values or you can change them to values more suitable to your security requirements.
Threshold values
Tune these parameters when something is not working and after you have checked the firewall counters. These default values work fine for normal small offices with ADSL bandwidth. Factors influencing choices for threshold values are:
- The maximum number of opened sessions
- The minimum capacity of server backlog in your LAN network
- The CPU power of servers in your LAN network
- Network bandwidth
- Type of traffic for certain servers
If your network is slower than average for any of these factors (especially if you have servers that are slow or handle many tasks and are often busy), then the default values must be reduced. You must make any changes to the threshold values before you continue configuring firewall rules.
Half open sessions
An unusually high number of half open sessions (either an absolute number or measured as the arrival rate) indicates that a Denial of Service attack is occurring. For TCP, half open means that the session has not reached the established state and the TCP three way handshake has not yet been completed (see Figure 46). For UDP, half open means that the firewal
227. er than three seconds to return the Business Secure Router to the factory defaults.
6. Reset Button on the Router: Press the RESET button for longer than three seconds to return the Business Secure Router to the factory defaults.
Uploading a configuration file through console port
1. Download the default configuration file from the Nortel FTP site, unzip it and save it in a folder.
2. Turn off the Business Secure Router, begin a terminal emulation software session and turn on the Business Secure Router again. When you see the message "Press Any key to enter Debug Mode within 3 seconds", press any key to enter debug mode.
3. Enter y at the prompt to go into debug mode.
4. Enter atlc after the Enter Debug Mode message displays.
5. Wait for the Starting XMODEM upload message before activating Xmodem upload on your terminal. Figure 5 is an example of an Xmodem configuration upload using HyperTerminal.
6. Click Transfer, then Send File to display the screen illustrated in Figure 5.
Figure 5 Example Xmodem Upload (HyperTerminal Send File dialog: Folder C:\Program Files; Filename C:\Product\config.rom; Protocol Xmodem; Close, Cancel)
7. After the firmware uploads successfully, enter atgo to restart the router.
Navigating the Business Secure Router WebGUI
Follow the instructions in the MAIN MENU screen or click the help icon located in the top right corner of most
228. er when it performs bandwidth management. You must enter a value in at least one of the following fields (other than the Subnet Mask fields, which are only available when you enter the destination or source IP address).
Service: This field simplifies bandwidth class configuration by allowing you to select a predefined application. When you select a predefined application, you do not need to configure the rest of the bandwidth filter fields (other than the Active check box).
FTP (File Transfer Program) is a program to enable fast transfer of files, including large files that are not possible by e mail. Select FTP from the drop down list to configure the bandwidth filter for FTP traffic. If you select FTP, make sure you also turn on the FTP ALG. For more information about ALG, see ALG on page 94.
H.323 is a protocol standard used for multimedia communications over networks, for example NetMeeting. Select H.323 from the drop down list to configure the bandwidth filter for H.323 traffic. If you select H.323, make sure you also turn on the H.323 ALG. For more information about ALG, see ALG on page 94.
SIP (Session Initiation Protocol) is a signaling protocol used in Internet telephony, instant messaging, events notification and conferencing. The Business Secure Router supports SIP traffic pass through. Select SIP from the drop down list to configure this bandwidth filter for SIP traffic. This option makes it easier to manage b
229. erence number and key to identify you when you send a certification request. Fill in both the Reference Number and the Key fields if your certification authority uses the CMP enrollment protocol. Just fill in the Key field if your certification authority uses the SCEP enrollment protocol.
Key: Type the key that the certification authority gave you.
Table 66 My Certificate Create, Label / Description:
Apply: Click Apply to begin certificate or certification request generation.
Cancel: Click Cancel to quit and return to the My Certificates screen.
After you click Apply in the My Certificate Create screen, you see a screen that tells you the Business Secure Router is generating the self signed certificate or certification request. After the Business Secure Router successfully enrolls a certificate or generates a certification request or a self signed certificate, you see a screen with a Return button that takes you back to the My Certificates screen.
If you configured the My Certificate Create screen to have the Business Secure Router enroll a certificate and the certificate enrollment is not successful, you see a screen with a Return button that takes you back to the My Certificate Create screen. Click Return and check your information in the My Certificate Create screen. Make sure that the certification authority information is correct and that your Internet connect
230. erface to configure your Business Secure Router. Not all features can be configured through all interfaces. The WebGUI parts of this guide contain background information on features configurable by the WebGUI and the SMT. For features not configurable by the WebGUI, only background information is provided.
Text conventions
This guide uses the following text conventions:
Enter means type one or more characters and press the enter key. Select or Choose means use one of the predefined choices.
The SMT menu titles and labels are written in Bold Times New Roman font. The choices of a menu are written in Bold Arial font.
A single keystroke is written in Arial font and enclosed in square brackets. For instance, [ENTER] means the Enter key, [ESC] means the escape key and [SPACE BAR] means the space bar. [UP] and [DOWN] are the up and down arrow keys.
Mouse action sequences are denoted using a comma. For example, "click the Apple icon, Control Panels and then Modem" means first click the Apple icon, then point your mouse pointer to Control Panels and then click Modem.
Related publications
For more information about using the Business Secure Router, refer to the following publications:
- Nortel Business Secure Router 252 Fundamentals (NN47923 301): This guide helps you get up and running right away. It contains connection information and instru
231. ervice type number, for example 1 for ICMP, 6 for TCP or 17 for UDP.
Apply: Click Apply to save your changes to the Business Secure Router.
Cancel: Click Cancel to exit this screen without saving.
Table 80 Services and port numbers
Services | Port Number
ECHO | 7
FTP (File Transfer Protocol) | 21
SMTP (Simple Mail Transfer Protocol) | 25
DNS (Domain Name System) | 53
Finger | 79
HTTP (Hyper Text Transfer Protocol or WWW, Web) | 80
POP3 (Post Office Protocol) | 110
NNTP (Network News Transport Protocol) | 119
SNMP (Simple Network Management Protocol) | 161
SNMP trap | 162
PPTP (Point to Point Tunneling Protocol) | 1723
Bandwidth management statistics
Use the Bandwidth Management Statistics screen to view network performance for the interface root class or a specific subclass. Select the root or subclass from the Class Setup screen and then click Statistics to see how it is performing.
Figure 101 Bandwidth management statistics (screen fields: Class Name Root Class; Budget 100000 kbps; Tx Packets; Tx Bytes; Dropped Packets; Dropped Bytes; Bandwidth Statistics for the Past 8 Seconds; Update Period (Seconds); Set Interval; Stop Update; Clear Counter)
Table 81 describes the labels in Figure 101.
Table 81 Bandwidth management statistics
232. es for type and code details.
land TCP: The firewall detected a TCP land attack.
land UDP: The firewall detected a UDP land attack.
land IGMP: The firewall detected an IGMP land attack.
land ESP: The firewall detected an ESP land attack.
land GRE: The firewall detected a GRE land attack.
land OSPF: The firewall detected an OSPF land attack.
land ICMP type %d code %d: The firewall detected an ICMP land attack; see the section about ICMP messages for type and code details.
ip spoofing WAN TCP: The firewall detected a TCP IP spoofing attack on the WAN port.
ip spoofing WAN UDP: The firewall detected a UDP IP spoofing attack on the WAN port.
ip spoofing WAN IGMP: The firewall detected an IGMP IP spoofing attack on the WAN port.
ip spoofing WAN ESP: The firewall detected an ESP IP spoofing attack on the WAN port.
ip spoofing WAN GRE: The firewall detected a GRE IP spoofing attack on the WAN port.
ip spoofing WAN OSPF: The firewall detected an OSPF IP spoofing attack on the WAN port.
ip spoofing WAN ICMP type %d code %d: The firewall detected an ICMP IP spoofing attack on the WAN port.
icmp echo ICMP type %d code %d: The firewall detected an ICMP echo attack.
syn flood TCP: The firewall detected a TCP syn flood attack.
ports scan TCP: The firewall detected a TCP port scan attack.
teardrop TCP: The firewall detected a TCP teardrop attack.
teardrop UDP: The firewall detected a UDP teardrop attack.
233. ess. Select Range Address for a specific range of IP addresses. Select Subnet Address to specify IP addresses on a network by their subnet mask.
Starting IP Address: When the Address Type field is configured to Single Address, enter a static IP address on the LAN behind your Business Secure Router. When the Address Type field is configured to Range Address, enter the beginning (static) IP address in a range of computers on your LAN behind your Business Secure Router. When the Address Type field is configured to Subnet Address, this is a static IP address on the LAN behind your Business Secure Router.
Table 55 VPN Branch Office IP Policy, Label / Description:
Ending IP Address / Subnet Mask: When the Address Type field is configured to Single Address, this field is N/A. When the Address Type field is configured to Range Address, enter the end (static) IP address in a range of computers on the LAN behind your Business Secure Router. When the Address Type field is configured to Subnet Address, this is a subnet mask on the LAN behind your Business Secure Router.
Port: By default, 0 signifies any port. Type a port number from 0 to 65,535. Some of the most common IP ports are: 21 (FTP), 53 (DNS), 23 (Telnet), 80 (HTTP), 25 (SMTP), 110 (POP3).
Apply: Click Apply to save your changes to the Business Secure Router.
Cancel: Click
234. ess Secure Router provides the TCP/IP configuration for the clients. If DHCP service is disabled, you must have another DHCP server on your LAN, or else the computer must be configured manually.
IP pool setup
The Business Secure Router is preconfigured with a pool of IP addresses for the DHCP clients (DHCP Pool). Do not assign static IP addresses from the DHCP pool to your LAN computers.
DNS servers
Use the LAN IP screen to configure the DNS server information that the Business Secure Router sends to the DHCP client devices on the LAN.
LAN TCP/IP
The Business Secure Router has built in DHCP server capability that assigns IP addresses and DNS servers to systems that support DHCP client capability.
Factory LAN defaults
The LAN parameters of the Business Secure Router are preset in the factory with the following values:
- IP address of 192.168.1.1 with subnet mask of 255.255.255.0 (24 bits)
- DHCP server enabled with 126 client IP addresses starting from 192.168.1.2
These parameters work for the majority of installations. If your ISP gives you explicit DNS server addresses, read the embedded WebGUI help regarding which fields need to be configured.
RIP setup
RIP (Routing Information Protocol, RFC 1058 and RFC 1389) allows a router to exchange routing information with other routers. RIP Direction controls the sending and receiving of RIP
235. ess and port.
Failed to resolve <SCEP CA server url>: The SCEP online certificate enrollment failed because the certification authority server address cannot be resolved.
Enrollment successful: The CMP online certificate enrollment succeeded. The Destination field records the certification authority server IP address and port.
Enrollment failed: The CMP online certificate enrollment failed. The Destination field records the certification authority server IP address and port.
Table 135 PKI Logs, Log Message / Description:
Failed to resolve <CMP CA server url>: The CMP online certificate enrollment failed because the certification authority server IP address cannot be resolved.
Rcvd ca cert <subject name>: The router received a certification authority certificate, with subject name as recorded, from the LDAP server whose IP address and port are recorded in the Source field.
Rcvd user cert <subject name>: The router received a user certificate, with subject name as recorded, from the LDAP server whose IP address and port are recorded in the Source field.
Rcvd CRL <size> <issuer name>: The router received a CRL (Certificate Revocation List), with size and issuer name as recorded, from the LDAP server whose IP address and port are recorded in the Source field.
Rcvd ARL <size>: The route
236. et contents as well as their source and destination addresses. Firewalls of this type employ an inspection module, applicable to all protocols, that understands that data in the packet is intended for other layers, from the network layer (IP headers) up to the application layer.
The firewall performs stateful inspection. It takes into account the state of the connections it handles, so that, for example, a legitimate incoming packet can be matched with the outbound request for that packet and allowed in. Conversely, an incoming packet masquerading as a response to a nonexistent outbound request can be blocked.
The firewall uses session filtering, or smart rules, that enhance the filtering process and control the network session rather than control individual packets in a session.
The firewall provides e mail service to notify you of routine reports and when alerts occur.
When to use the firewall
- To prevent DoS attacks and prevent hackers cracking your network.
- A range of source and destination IP addresses as well as port numbers can be specified within one firewall rule, making the firewall a better choice when complex rules are required.
- To selectively block or allow inbound or outbound traffic between inside hosts or networks and outside hosts or networks. Remember that filters cannot distinguish traffic originating from an inside host or an outside h
237. etailed information about interoperability between IGMP version 2 and version 1, see sections 4 and 5 of Internet Group Management Protocol (RFC 2236).
Windows Networking (NetBIOS over TCP/IP)
Allow between LAN and WAN: Select this check box to forward NetBIOS packets from the LAN to the WAN and from the WAN to the LAN. If your firewall is enabled with the default policy set to block WAN to LAN traffic, you also need to create a WAN to LAN firewall rule that forwards NetBIOS traffic. Clear this check box to block all NetBIOS packets going from the LAN to the WAN and from the WAN to the LAN. This field does the same as the Allow between WAN and LAN field in the WAN IP screen. Enabling one automatically enables the other.
Apply: Click Apply to save your changes to the Business Secure Router.
Reset: Click Reset to begin configuring this screen afresh.
Configuring Static DHCP
With Static DHCP you can assign IP addresses on the LAN to specific individual computers based on their MAC Addresses. Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example 00:A0:C5:00:00:02.
To change the static DHCP settings, click LAN, then the Static DHCP tab. The screen appears as shown in Figure 23.
238. ext displays in red and includes a Not Yet Valid message if the certificate has not yet become applicable.
Valid To: This field displays the date that the certificate expires. The text displays in red and includes an Expiring or Expired message if the certificate is about to expire or has already expired.
Modify: Click the details icon to open a screen with an in depth list of information about the certificate. Click the delete icon to remove the certificate. A window displays asking you to confirm that you want to delete the certificate. Note that subsequent certificates move up by one when you take this action. You cannot delete a certificate that is currently in use.
Import: Click Import to open a screen where you can save the certificate of a remote host (which you trust) from your computer to the Business Secure Router.
Refresh: Click this button to display the current validity status of the certificates.
Verifying a certificate of a trusted remote host
Certificates issued by certification authorities have the signature of the certification authority for you to check. Self signed certificates only have the signature of the host itself. This means that you must be very careful when deciding to import (and thereby trust) the self signed certificate of a remote host.
Trusted remote host certificate fingerprints
Certificate fingerprints are message digests calculated using the MD5 or SHA1 algorithms. The followin
239. ext wizard screen.
Figure 11 Internet connection with ENET ENCAP (Wizard Setup screen, ISP Parameters for Internet Access: IP Address, Obtain an IP Address Automatically / Static IP Address; IP Address 0.0.0.0; Subnet Mask 0.0.0.0; ENET ENCAP Gateway 0.0.0.0; Network Address Translation SUA Only; Back, Next)
Table 5 describes the fields in Figure 11.
Table 5 Internet connection with ENET ENCAP, Label / Description:
IP Address: A static IP address is a fixed IP that your ISP gives you. A dynamic IP address is not fixed; the ISP assigns you a different one each time you connect to the Internet. The Single User Account feature can be used with either a dynamic or static IP address. Select Obtain an IP Address Automatically if you have a dynamic IP address; otherwise, select Static IP Address and type your ISP assigned IP address in the IP Address text box below.
Subnet Mask: Enter a subnet mask in dotted decimal notation. If you are implementing subnetting, see the IP subnetting appendix in the Nortel Business Secure Router 252 Configuration Advanced guide.
Gateway (ENET ENCAP): You must specify a gateway IP address (supplied by your ISP) when you use ENET ENCAP in the Encapsulation field in the previous screen.
Network Address Translation: Select None, SUA
240. face.
Figure 98 Bandwidth Manager Summary (BANDWIDTH MANAGEMENT screen, tabs Summary, Class Setup, Monitor; Bandwidth Management Setup with Class / Active / Speed (kbps) rows for WAN and LAN, both 100000; Apply, Reset. Screen text: "BW Manager manages the bandwidth of traffic flowing out of router on the specific interface. BW Manager can be switched on/off independently for each interface.")
Table 77 describes the labels in Figure 98.
Table 77 Bandwidth Manager Summary, Label / Description:
WAN / LAN: These read only labels represent the physical interfaces. Select the check box next to an interface to enable bandwidth management on that interface. Bandwidth management applies to all traffic flowing out of the router through the interface, regardless of the traffic source. Traffic redirect or IP alias can cause LAN to LAN traffic to pass through the Business Secure Router and be managed by bandwidth management.
Active: Select a check box to enable bandwidth management on that interface.
Speed (kbps): Enter the amount of bandwidth for this interface that you want to allocate using bandwidth management. This appears as the bandwidth budget of the interface root class (see Configuring class setup on page 303). Nortel recommends that you set this speed to match what the device connected to the po
241. fic from UPnP-enabled firewall applications to bypass the firewall. Clear this check box to have the firewall block all UPnP application packets (for example, MSN packets).
- Apply: Click Apply to save your customized settings and exit this screen.
- Reset: Click Reset to begin configuring this screen afresh.
Nortel Business Secure Router 252 Configuration Basics, 364, Chapter 19 UPnP

Displaying UPnP port mapping
Click UPnP and then Ports to display the screen as shown in Figure 135. Use this screen to view the NAT port mapping rules that UPnP creates on the Business Secure Router.

Figure 135: UPnP Ports (UPnP: UPnP, Ports). Fields shown: Retain UPnP port forwarding; a table with the columns Remote Host, External Port, Protocol, Internal Port, Internal Client, Enabled, Description, Lease Duration; Apply, Refresh.

Table 98 describes the labels in Figure 135.

Table 98: UPnP Ports
- Retain UPnP port forwarding: Select this check box to have the Business Secure Router retain UPnP-created NAT rules even after restarting. If you use UPnP and you set a port on your computer to be fixed for a specific service (for example, FTP for file transfers), the Business Secure Router can keep a record when your computer uses UPnP to create a NAT forwarding rule for that service.
The following read-only table displays information about the UPnP-created NAT mapping rule entries in the NAT routing table. This i
242. firmware, manage configuration, and restart your Business Secure Router.

Status screen
Click MAINTENANCE to open the Status screen, where you can monitor your Business Secure Router. Note that these fields are READ-ONLY and only used for diagnostic purposes.
Nortel Business Secure Router 252 Configuration Basics, 396, Chapter 22 Maintenance

Figure 158: System Status (MAINTENANCE: Status, DHCP Table, Diagnostic, F/W Upload, Configuration, Restart). Values shown: System Name Nortel; Firmware Version VBSR252 2.6.0.0 001b2 06/27/2006; DSL FW Version STMI 2.6.4; Standard Multi-Mode. WAN Information: IP Address 0.0.0.0, IP Subnet Mask 0.0.0.0, Default Gateway 0.0.0.0, VPI/VCI 0/33. LAN Information: MAC Address 00:13:49:00:00:01, IP Address 192.168.1.1, IP Subnet Mask 255.255.255.0, DHCP Server, DHCP Start IP 192.168.1.2, DHCP Pool Size 126. Show Statistics.

Table 108 describes the fields in Figure 158.

Table 108: System Status
- System Name: This is the System Name you chose in the first Internet Access Wizard screen. It is for identification purposes.
- Nortel Firmware Version: The release of firmware currently on the Business Secure Router and the date the release was created.
- DSL FW Version: This is the DSL firmware version currently on the Business Secure Router.
- Standard: This is the ADSL standard that your Business Secure Router is using.
- WAN Information
243. for most networks unless you have an unusual network topology. Both RIP-2B and RIP-2M send the routing data in RIP-2 format; the difference is that RIP-2B uses subnet broadcasting while RIP-2M uses multicasting. Multicasting can reduce the load on non-router machines because they generally do not listen to the RIP multicast address and so do not receive the RIP packets. However, if one router uses multicasting, then all routers on your network must use multicasting also. By default, RIP direction is set to Both and the Version is set to RIP-1.
- Apply: Click Apply to save your changes to the Business Secure Router.
- Reset: Click Reset to begin configuring this screen afresh.
NN47923-500, 107

Chapter 7 WAN screens
This chapter describes how to configure WAN settings.

WAN overview
This section provides background information on features that you cannot configure in the Wizard.

TCP/IP Priority (metric)
The metric represents the cost of transmission. A router determines the best route for transmission by choosing a path with the lowest cost. RIP routing uses hop count as the measurement of cost, with a minimum of 1 for directly connected networks. The number must be between 1 and 15; a number greater than 15 means the link is down. The smaller the number, the lower the cost.
1. The metric sets the priority for the routes of the Business Secure Router to the Internet. Each route must have a unique metric
244. fore you specify the priority, make sure you have set up the corresponding database correctly first.
Select Local User Database Only to have the Business Secure Router just check the built-in user database on the Business Secure Router for usernames and passwords.
Select RADIUS Only to have the Business Secure Router just check the user database on the specified RADIUS server for a user's username and password.
Select Local first, then RADIUS to have the Business Secure Router first check the user database on the Business Secure Router for a user's username and password. If the username is not found, the Business Secure Router then checks the user database on the specified RADIUS server.
Select RADIUS first, then Local to have the Business Secure Router first check the user database on the specified RADIUS server for a user's username and password. If the Business Secure Router cannot reach the RADIUS server, the Business Secure Router then checks the local user database on the Business Secure Router. When the username is not found or the password does not match in the RADIUS server, the Business Secure Router does not check the local user database and the authentication fails.
- Apply: Click Apply to save your changes to the Business Secure Router.
- Reset: Click Reset to begin configuring this screen afresh.
Nortel Business Secure Router 252 Configuration Basics, 316, Chapter 16 IEEE 802.1x
NN47923-500, 3
245. g procedure describes how to use a certificate fingerprint to verify that you have the remote host's actual certificate.
1. Browse to where you have the remote host's certificate saved on your computer.
Nortel Business Secure Router 252 Configuration Basics, 288, Chapter 14 Certificates
2. Make sure that the certificate has a .cer or .crt file name extension.
Figure 91: Remote host certificates (two certificate files, London office.cer and LA office.crt, under Remote Host Certificates).
3. Double-click the certificate icon to open the Certificate window. Click the Details tab and scroll down to the Thumbprint Algorithm and Thumbprint fields.
Figure 92: Certificate details (Certificate window with General, Details and Certification Path tabs; values shown include Glenn, RSA 1024 Bits, Digital Signature, Certificate Signing, DNS Name=Glenn, Subject Type=CA, Path Length Constraint, the thumbprint algorithm sha1 and the thumbprint value).
Verify (over the phone, for example) that the remote host has the same information in the Thumbprint Algorithm and Thumbprint fields.
NN47923-500, Chapter 14 Certificates, 289

Importing a certificate of a trusted remote host
Click CERTIFICATES, Trusted Remote Hosts to open the Trusted Remote Hosts screen, and then click Import to open the Trusted Remote Host Import screen. Follow the instructions in this screen to save a trusted host certificate to the Business Secure Router (see Figure 93).
Note: The trus
246. ge is the trade-off for this extra security. This can be unnecessary for data that does not require such security, so PFS is disabled (None) by default in the Business Secure Router. Disabling PFS means new authentication and encryption keys are derived from the same root secret, which can have security implications in the long run but allows faster SA setup by bypassing the Diffie-Hellman key exchange.

Configuring advanced Branch office setup
Select one of the VPN rules in the VPN Summary screen and click Edit to configure the rule. The basic IKE rule setup screen displays. In the VPN Branch Office Rule Setup screen, click the Advanced button to display the VPN Branch Office Advanced Rule Setup screen.
Nortel Business Secure Router 252 Configuration Basics, 242, Chapter 13 VPN

Figure 75: VPN Branch Office advanced rule setup (VPN Branch Office Advanced). Fields shown: Enable Replay Detection (NO). Phase 1: Multiple Proposal, Negotiation Mode (Main), Encryption Algorithm (DES), Authentication Algorithm (MD5), SA Life Time (Seconds) 28800, Key Group (DH). Phase 2: Multiple Proposal, Active Protocol (ESP), Encryption Algorithm (DES), Authentication Algorithm (SHA1), SA Life Time (Seconds) 28800, Encapsulation (Tunnel), Perfect Forward Secrecy (PFS) (NONE). Apply, Cancel.

Table 57 describes the fields in Figure 75.

Table 57: VPN Branch Office Advanced Rule Setup
- Enable Replay Detection: As
247. (table of contents fragment)
Security ramifications (page 171)
Key fields for configuring rules (page 172)
Action (page 172)
Service (page 172)
Source address (page 172)
Destination address (page 172)
Connection direction examples (page 172)
LAN to WAN rules (page 173)
WAN to LAN rules (page 173)
Configuring firewall (page 174)
Configuring firewall rules (page 178)
Configuring source and destination addresses (page 181)
Configuring custom ports (page 182)
Example firewall rule (page 183)
Predefined services (page 186)
Logs (page 189)
Nortel Business Secure Router 252 Configuration Basics, 10, Contents
Configuring attack alert (page 190)
Threshold values (page 190)
Half open sessions
248. gnostic, F/W Upload, Configuration, Restart. Figure fields: General (TCP/IP Address, Ping), System (Reset System), DSL Line (Reset ADSL Line, Upstream Noise Margin, Downstream Noise Margin, ATM Status, ATM Loopback Test).

Table 111 describes the fields in Figure 161.

Table 111: Diagnostic
- General, TCP/IP Address: Type the IP address of a computer that you want to ping in order to test a connection.
Nortel Business Secure Router 252 Configuration Basics, 402, Chapter 22 Maintenance
- Ping: Click this button to ping the IP address that you entered.
- Reset System: Click this button to reboot the Business Secure Router. A warning dialog box is then displayed asking you if you're sure you want to reboot the system. Click OK to proceed.
- DSL Line, Reset ADSL Line: Click this button to reinitialize the ADSL line. The large text box above then displays the progress and results of this operation, for example: Start to reset ADSL; Loading ADSL modem F/W; Reset ADSL Line Successfully.
- ATM Status: Click this button to view ATM status.
- ATM Loopback Test: Click this button to start the ATM loopback test. Make sure you have configured at least one PVC with proper VPIs/VCIs before you begin this test. The Business Secure Router sends an OAM F5 packet to the DSLAM/ATM switch and then returns it (loops it back
249. guration Basics, 128, Chapter 7 WAN screens
NN47923-500, 129

Chapter 8 Network Address Translation (NAT) Screens
This chapter discusses how to configure NAT on the Business Secure Router.

NAT overview
NAT (Network Address Translation, RFC 1631) is the translation of the IP address of a host in a packet. For example, the source address of an outgoing packet, used within one network, is changed to a different IP address known within another network.

NAT definitions
Inside/outside denotes where a host is located relative to the Business Secure Router. For example, the computers of your subscribers are the inside hosts, while the Web servers on the Internet are the outside hosts.
Global/local denotes the IP address of a host in a packet as the packet traverses a router. For example, the local address refers to the IP address of a host when the packet is in the local network, while the global address refers to the IP address of the host when the same packet is traveling on the WAN side.
Nortel Business Secure Router 252 Configuration Basics, 130, Chapter 8 Network Address Translation (NAT) Screens
Note that inside/outside refers to the location of a host, while global/local refers to the IP address of a host used in a packet. Thus, an inside local address (ILA) is the IP address of an inside host in a packet when the packet is still in the local network, while an inside global address (IGA) is the IP ad
250. h (figure fields: Maximum Incomplete Low, Maximum Incomplete High, TCP Maximum Incomplete, Blocking Period (min); Reset).

Table 41 describes the fields in Figure 61.

Table 41: Attack alert
- Generate alert when attack detected: A detected attack automatically generates a log entry. Check this box to generate an alert as well as a log whenever an attack is detected.
- Denial of Service Thresholds
- One Minute Low: This is the rate of new half-open sessions that causes the firewall to stop deleting half-open sessions. The Business Secure Router continues to delete half-open sessions as necessary until the rate of new connection attempts drops below this number.
NN47923-500, Chapter 11 Firewall screens, 193
- One Minute High: This is the rate of new half-open sessions that causes the firewall to start deleting half-open sessions. When the rate of new connection attempts rises above this number, the Business Secure Router deletes half-open sessions as required to accommodate new connection attempts. The numbers (for example, 80 in the One Minute Low field and 100 in this field) cause the Business Secure Router to start deleting half-open sessions when more than 100 session establishment attempts are detected in the last minute, and to stop deleting half-open sessions when fewer than 80 session establishment attempts
251. h office rule, since the Business Secure Router uses a VPN tunnel when it relays DNS queries to the private DNS server. The rule must also have an IP policy that includes the LAN IP address of the Business Secure Router as a local IP address and the IP address of the DNS server as a remote IP address.
A Private DNS entry with the IP address set to 0.0.0.0 changes to None after you click Apply. A duplicate Private DNS entry changes to None after you click Apply.
NN47923-500, Chapter 5 System screens, 85

Dynamic DNS
With Dynamic DNS, you can update your current dynamic IP address with one or many dynamic DNS services so that anyone can contact you (as in NetMeeting or CU-SeeMe). You can also access your FTP server or Web site on your own computer using a domain name (for instance, myhost.dhs.org, where myhost is a name of your choice) that will never change, instead of using an IP address that changes each time you reconnect. Your friends or relatives can always call you even if they don't know your IP address.
First of all, you must register a dynamic DNS account with, for example, www.dyndns.org. This is for people with a dynamic IP from their ISP or DHCP server who still want a domain name. The Dynamic DNS service provider gives you a password or key.

DYNDNS wildcard
Enabling the wildcard feature for your host causes *.yourhost.dyndns.org to be aliased to the same IP address as yourhost.dyndns.org. This feature is useful if y
252. hapter 8 Network Address Translation (NAT) Screens, 133

Figure 35: NAT application with IP Alias (LAN1, the 192.168.1.x network, with the server in the Admin network at 192.168.1.1 mapped to IGA 1; LAN2, the 192.168.2.x network, with the server in the Sales network at 192.168.2.1 mapped to IGA 2; LAN3, the 192.168.3.x network, with the server in the R&D network at 192.168.3.1 mapped to IGA 3; Corporation A and Corporation B on the WAN side. WAN addresses to LAN addresses: IGA 1 to 192.168.1.1, IGA 2 to 192.168.2.1, IGA 3 to 192.168.3.1).

NAT mapping types
NAT supports five types of IP/port mapping. They are:
- One to One: In One to One mode, the Business Secure Router maps one local IP address to one global IP address.
- Many to One: In Many to One mode, the Business Secure Router maps multiple local IP addresses to one global IP address. This is equivalent to SUA (for example, PAT, port address translation), the Single User Account feature (the SUA Only option).
- Many to Many Overload: In Many to Many Overload mode, the Business Secure Router maps the multiple local IP addresses to shared global IP addresses.
- Many One to One: In Many One to One mode, the Business Secure Router maps each local IP address to a unique global IP address
253. haracters by which to identify the remote IPSec router.
- E-mail: Type an e-mail address (up to 31 characters) by which to identify the remote IPSec router.
The domain name or e-mail address that you use in the Content field is used for identification purposes only and does not need to be a real domain name or e-mail address. The domain name also does not have to match the IP address of the remote IPSec router or what you configure in the Secure Gateway Address field below.

ID type and content examples
Two IPSec routers must have matching ID type and content configuration in order to set up a VPN tunnel.
Nortel Business Secure Router 252 Configuration Basics, 220, Chapter 13 VPN
The two Business Secure Routers shown in Table 52 can complete negotiation and establish a VPN tunnel.

Table 52: Matching ID type and content configuration example
Business Secure Router A | Business Secure Router B
Local ID type: E-mail | Local ID type: IP
Local ID content: tom@yourcompany.com | Local ID content: 1.1.1.2
Peer ID type: IP | Peer ID type: E-mail
Peer ID content: 1.1.1.2 | Peer ID content: tom@yourcompany.com

The two Business Secure Routers shown in Table 53 cannot complete their negotiation because the Local ID type of Business Secure Router B is IP, but the Peer ID type in Business Secure Router A is set to E-mail. An ID mismatched message displays in the IPSEC LOG.
Table 53: Mis
254. hat is, PAT (port address translation), the Single User Account feature.
3. Many to Many Overload mode maps multiple local IP addresses to shared global IP addresses.
4. Many One to One mode maps each local IP address to unique global IP addresses.
5. Server permits you to specify inside servers of different services behind the NAT to be accessible to the outside world.
- Edit: Click Edit to go to the Address Mapping Rule screen.
- Delete: Click Delete to delete an address mapping rule.
- Insert: Click Insert to insert a new mapping rule before an existing one.

Configuring Address Mapping
To edit an Address Mapping rule, click the Edit button to display the screen shown in Figure 39.
Nortel Business Secure Router 252 Configuration Basics, 142, Chapter 8 Network Address Translation (NAT) Screens

Figure 39: Address Mapping edit (SUA/NAT: Address Mapping, Address Mapping Rule). Fields shown: Type (One to One), Local Start IP 0.0.0.0, Local End IP N/A, Global Start IP 0.0.0.0, Global End IP N/A; Apply, Reset.

Table 28 describes the fields in Figure 39.

Table 28: Address Mapping edit
- Type: Choose the port mapping type from one of the following:
  1. One to One: One to One mode maps one local IP address to one global IP address. Note that port numbers do not change for the One to One NAT mapping type.
  2. Many to One: Many to One mode maps multiple local IP addresses to one global
255. he external authentication server and Business Secure Router.
- Retype to Confirm: Enter the password again to make sure that you have entered it correctly.
- Accounting Server
- Active: Select the check box to enable user accounting through an external authentication server.
- Server IP Address: Enter the IP address of the external accounting server in dotted decimal notation.
- Port Number: The default port of the RADIUS server for accounting is 1813. You need not change this value unless your network administrator instructs you to do so with additional information.
- Key: Enter a password (up to 31 alphanumeric characters) as the key to be shared between the external accounting server and the Business Secure Router. Note that as you type a password, the screen displays an asterisk (*) for each character you type. The key is not sent over the network. This key must be the same on the external accounting server and Business Secure Router.
- Retype to Confirm: Enter the password again to make sure that you have entered it correctly.
- Apply: Click Apply to save your changes to the Business Secure Router.
- Reset: Click Reset to begin configuring this screen afresh.
Nortel Business Secure Router 252 Configuration Basics, 328, Chapter 17 Authentication server
NN47923-500, 329

Chapter 18 Remote management screens
This chapter provides information on the Remote Management scre
256. he new connection. If there is not a firewall rule for this packet and it is not an attack, the Action for packets that don't match firewall rules field determines the action for this packet.
NN47923-500, Chapter 10 Firewalls, 163
4. Based on the obtained state information, a firewall rule creates a temporary access list entry that is inserted at the beginning of the WAN interface's inbound extended access list. This temporary access list entry is designed to permit inbound packets of the same connection as the outbound packet just inspected.
5. The outbound packet is forwarded out through the interface.
6. Later, an inbound packet reaches the interface. This packet is part of the connection previously established with the outbound packet. The inbound packet is evaluated against the inbound access list and is permitted because of the temporary access list entry previously created.
7. The packet is inspected by a firewall rule, and the connection's state table entry is updated as necessary. You can modify the inbound extended access list temporary entries based on the updated state information in order to permit only packets that are valid for the current state of the connection.
8. Any additional inbound or outbound packets that belong to the connection are inspected to update the state table entry and to modify the temporary inbound access list entries as required, and are forwarded through the interface.
9. When the connection terminate
257. he power off.
Click MAINTENANCE and then Restart. Click Restart to have the Business Secure Router reboot. This does not affect the Business Secure Router's configuration.
NN47923-500, Chapter 22 Maintenance, 409

Figure 170: Restart screen (MAINTENANCE: System Restart). Screen text: Click Restart to have the device perform a software restart. The SYS or PWR LED blinks as the device restarts and then stays steady on if the restart is successful. Wait a minute before logging into the device again. Restart button.
Nortel Business Secure Router 252 Configuration Basics, 410, Chapter 22 Maintenance
NN47923-500, 411

Appendix A Troubleshooting
This chapter covers potential problems and the corresponding remedies.

Problems Starting Up the Business Secure Router
Table 114: Troubleshooting the Start-Up of your Business Secure Router
- Problem: None of the LEDs turn on when I turn on the Business Secure Router. Corrective Action: Make sure that the power adapter is connected to the Business Secure Router and plugged in to an appropriate power source. Check that the Business Secure Router and the power source are both turned on. Turn the Business Secure Router off and on. If the error persists, you likely have a hardware problem. In this case, contact your vendor.
- Problem: cannot access the Business Secure Router through the [cut off]. Corrective Action: 1. Make sure the Business Secure Router is connected to your computer's serial port.
258. hentication Header Protocol: The AH protocol (RFC 2402) was designed for integrity, authentication, sequence integrity (replay resistance) and nonrepudiation, but not for confidentiality, for which the ESP was designed. If you select AH here, you must select options from the Authentication Algorithm field.
- Encryption Algorithm: Select DES, 3DES, AES-128, AES-192, AES-256 or NULL from the drop-down list. When you use one of these encryption algorithms for data communications, both the sending device and the receiving device must use the same secret key, which can be used to encrypt and decrypt the message or to generate and verify a message authentication code. The DES encryption algorithm uses a 56-bit key. Triple DES (3DES) is a variation on DES that uses a 168-bit key. As a result, 3DES is more secure than DES. It also requires more processing power, resulting in increased latency and decreased throughput. You can select a 128-bit, 192-bit or 256-bit key with this implementation of AES. AES is faster than 3DES. Select NULL to set up a tunnel without encryption. When you select NULL, you do not enter an encryption key.
- Authentication Algorithm: Select SHA1 or MD5 from the drop-down list. MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. The SHA1 algorithm is generally considered stronger than MD5 but is slower. Select MD5 for minimal security and SHA-1 for
259. hod to connect to the main office.
1. At the main office Contivity Client Server, establish two user accounts, one for the telephone and one for the PC.
On the remote office Business Secure Router, do the following:
- Under WAN, WAN IP, ensure that Network Address Translation is set to SUA Only (default). Also ensure that the Gateway IP address is set (not 0.0.0.0).
- Under VPN, Summary, create an entry for the IP telephone client tunnel (Contivity Client, Active, Keep Alive). Fill in the IP address of the Contivity Client Server and the name and password of the telephone set user account.
Nortel Business Secure Router 252 Configuration Basics, 80, Chapter 4 User Notes
- Under VPN, Global Setting, enable Exclusive Mode and fill in the MAC address of the telephone set.
- Under Bandwidth Management, set up WAN bandwidth management to reserve 110 kbps of bandwidth for UDP traffic (protocol ID 17). See the preceding section titled Preventing heavy data traffic from impacting telephone calls.
Provision the IP set with the corporate call server address.
On the PC, install Contivity Client Software and configure it with the PC user account information.

Inter-Operability With Third-Party Routers
VPN Connections With Cisco Routers
When establishing a VPN Client tunnel or Branch Office Tunnel between the Business Secure Router and a Cisco router, the following configuration rules should be followed:
1. Ensure that the
260. ical Link Control)-based multiplexing
- Support OAM (Operational, Administration and Maintenance): VC Hunt, I.610 F4/F5 OAM

Networking compatibility
Your Business Secure Router is compatible with the major ADSL Digital Subscriber Line Access Multiplexer (DSLAM) providers, making configuration as simple as possible.

Multiplexing
The Business Secure Router supports VC-based and LLC-based multiplexing.

Encapsulation
The Business Secure Router supports PPPoA (RFC 2364, PPP over ATM Adaptation Layer 5), RFC 1483 encapsulation over ATM, MAC (Media Access Control) encapsulated routing (ENET encapsulation), as well as PPP over Ethernet (RFC 2516).

Four-Port switch
A combination of switch and router makes your Business Secure Router a cost-effective and viable network solution. You can connect up to four computers or phones to the Business Secure Router without the cost of a switch. Use a switch to add more than four computers or phones to your LAN.
Nortel Business Secure Router 252 Configuration Basics, 36, Chapter 1 Getting to know your Business Secure Router

Autonegotiating 10/100 Mb/s Ethernet LAN
The LAN interfaces automatically detect if they are on a 10 or a 100 Mb/s Ethernet.

Autosensing 10/100 Mb/s Ethernet LAN
The LAN interfaces automatically adjust to either a crossover or straight-through Ethernet cable.

Auxiliary port
The Business Secure Router uses the same port for console management and for an auxi
261. icate you import replaces the corresponding request in the My Certificates screen.
Note 3: You must remove any spaces from the certificate filename before you can import it.
Nortel Business Secure Router 252 Configuration Basics, 268, Chapter 14 Certificates

Figure 84: My Certificate Import (CERTIFICATES: MY CERTIFICATE IMPORT, Import). Screen text: Please specify the location of the certificate file to be imported. The certificate file must be in one of the following formats: Binary X.509; PEM (Base-64 encoded) X.509; Binary PKCS; PEM (Base-64 encoded) PKCS. For my certificate importation to be successful, a certification request corresponding to the imported certificate must already exist on BSR50e. After the importation, the certification request will automatically be deleted. File Path, Browse, Apply, Cancel.

Table 65 describes the labels in Figure 84.

Table 65: My Certificate Import
- File Path: Type in the location of the file you want to upload in this field, or click Browse to find it.
- Browse: Click Browse to find the certificate file you want to upload.
- Apply: Click Apply to save the certificate to the Business Secure Router.
- Cancel: Click Cancel to quit and return to the My Certificates screen.
NN47923-500, Chapter 14 Certificates, 269

Creating a certificate
Click CERTIFICATES, My Certificates and then Create to open the My Certificate C
262. ics, 144, Chapter 8 Network Address Translation (NAT) Screens

Figure 40: Trigger Port Forwarding process example
1. Jane A requests a file from the Real Audio server (port 7070).
2. Port 7070 is a trigger port and causes the Business Secure Router to record Jane's computer IP address. The Business Secure Router associates Jane's computer IP address with the incoming port range of 6970-7170.
3. The Real Audio server responds using a port number ranging between 6970-7170.
4. The Business Secure Router forwards the traffic to Jane's computer IP address.
5. Only Jane can connect to the Real Audio server until the connection is closed or times out. The Business Secure Router times out in three minutes with UDP (User Datagram Protocol) or two hours with TCP/IP (Transfer Control Protocol/Internet Protocol).

Two points to remember about Trigger Ports:
- Trigger events only happen on data that is coming from inside the Business Secure Router and going to the outside.
- If an application needs a continuous data stream, that port range is tied up so that another computer on the LAN cannot trigger it.
NN47923-500, Chapter 8 Network Address Translation (NAT) Screens, 145

Configuring Trigger Port Forwarding
To change trigger port settings of your Business Secure Router, click SUA/NAT and the Trigger Port tab. The screen appears as shown in Figure 41.
Note: Only one LAN computer can use a trigger port range at a time.
263. ification Path. Refresh.
Certificate Information shown in the figure: Type: CA-signed X.509 Certificate; Version: V3; Serial Number: 68735430130868711293154270205497531363; Subject: OU=SSL CA for Test, O=Chunghwa Telecom Co., Ltd., C=TW; Issuer: OU=eCA for Test, O=Chunghwa Telecom Co., Ltd., C=TW; Signature Algorithm: rsa-pkcs1-sha1; Valid From: 2001 Nov 26th, 10:26:35 GMT; Valid To: 2021 Nov 26th, 10:26:35 GMT; Key Algorithm: rsaEncryption (1024 bits); Key Usage: KeyCertSign, CRLSign; Basic Constraint: Subject Type=CA; CRL Distribution Points: 1 CRL Distribution Point, Full Name, URI http://10.144.133.196/crl/ca.crl; MD5 Fingerprint; SHA1 Fingerprint; Certificate in PEM (Base-64 Encoded) Format. Export, Apply, Cancel.
NN47923-50
264. (table of contents fragment)
IP assignment with PPPoA or PPPoE encapsulation (page 58)
IP assignment with RFC 1483 encapsulation (page 58)
IP assignment with ENET ENCAP encapsulation (page 58)
Nailed up connection (only with PPP) (page 59)
NAT (page 59)
Wizard setup configuration: second screen (page 59)
DHCP setup (page 65)
IP pool setup (page 65)
Wizard setup configuration: third screen (page 65)
Wizard setup configuration: connection tests (page 69)
Test your Internet connection (page 69)
Chapter 4 User Notes (page 71)
General Notes (page 71)
Nortel Business Secure Router 252 Configuration Basics, 6, Contents
General (page 71)
VPN Client (page 73)
265. ...igure 106.
Table 85 Local User database edit (Label: Description)
Active: Select this check box to turn on the user account. Clear this check box to turn off the user account.
User Type: Select 802.1X to set this user account to be used for an IEEE 802.1X logon. Select IPSec to set this user account to be used for an IPSec logon. Select 802.1X+IPSec to set this user account to be used for both IEEE 802.1X and IPSec logons.
User Name: Specify the user ID to be used as the logon name for the user account.
Password: Enter a password up to 31 characters long for this user account. Note that as you type a password, the screen displays a * for each character you type.
Retype to Confirm: Enter the password again to make sure that you have entered it correctly.
IPSec User Profile: The following fields display when you select IPSec or 802.1X+IPSec in the User Type field.
First Name: Enter the user's first name.
Last Name: Enter the user's last name.
Static IP Address: Enter the IP address of the remote user in dotted decimal notation.
Static Subnet Mask: Enter the subnet mask of the remote user.
Split Tunneling: Enable or disable split tunneling or inverse split tunneling. Select Disable to force all traffic to be encrypted and go through the VPN tunnel. Select Enabled to allow traffic not going through the VPN tunnel to go through the WAN interface without being encrypted. This reduces the
266. ...igure 122 SSH [screen capture: REMOTE MANAGEMENT, SSH tab. Fields: Server Certificate (auto_generated_self_signed_cert; link "See My Certificates"), Server Port (22), Server Access (Disable), Secured Client IP Address (All / Selected); Apply and Reset buttons.]
Table 90 describes the labels in Figure 122.
Table 90 SSH (Label: Description)
Server Host Key: Select the certificate whose corresponding private key is to be used to identify the Business Secure Router for SSH connections. You must have certificates already configured in the My Certificates screen. Click My Certificates and see Chapter 14, Certificates, on page 261 for details.
Server Port: You can change the server port number for a service if needed; however, you must use the same port number in order to use that service for remote management.
Server Access: Select the interfaces (if any) through which a computer can access the Business Secure Router using this service.
Secure Client IP Address: A secure client is a trusted computer that is allowed to communicate with the Business Secure Router using this service. Select All to allow any computer to access the Business Secure Router using this service. Choose Selected to allow only the computer with the IP address that you specify to access the Business Secure Router using this service.
Apply: Click Apply to save your customized settings and exit this screen.
Reset: Click Reset to begin configuring this screen afresh.
267. ...igured in the SYSTEM General screen, and relays the response back to the computer. You can only select DNS Relay for one of the three servers. Select None if you do not want to configure DNS servers. If you do not configure a DNS server, you must know the IP addresses of devices or web sites in order to access them.
Back: Click Back to go back to the previous screen.
Finish: Click Finish to save the settings and proceed to the next wizard screen.

Wizard setup configuration: connection tests
The Business Secure Router automatically tests the connection to the computers connected to the LAN ports. To test the connection from the Business Secure Router to the ISP and the connected LAN devices, click Start Diagnose. Otherwise, click Finish to go back to the site map screen.
Figure 15 Wizard Screen 4 [screen capture: Wizard Setup, ISP Parameters for Internet Access. "Your DSL Gateway is now configured. Your device is capable of testing your DSL service. The individual tests are listed below. Click Start Diagnose button if you want to test, otherwise click Finish button." LAN connections: Test your Ethernet Connection: PASS. WAN connections: Test ADSL synchronization: PASS; Test ADSL ATM OAM loopback test: PASS; Test PPP/PPPoE server connection: PASS; Ping default gateway: PASS. Finish button.]

Test your Internet connection
Launch your Web browser and navigate to www.nortel.com. Internet
268. ...in Tunnel mode encapsulates the entire original packet, including headers, in a new IP packet. The new IP packet's source address is the outbound address of the sending Business Secure Router, and its destination address is the inbound address of the VPN device at the receiving end. When using ESP protocol with authentication, the packet contents (in this case, the entire original packet) are encrypted. The encrypted contents, but not the new headers, are signed with a hash value appended to the packet. Tunnel mode ESP with authentication is compatible with NAT because integrity checks are performed over the combination of the original header plus original payload, which is unchanged by a NAT device. Transport mode ESP with authentication is not compatible with NAT, although NAT traversal provides a way to use Transport mode ESP when there is a NAT router between the IPSec endpoints (see NAT Traversal on page 213 for details).
Table 46 VPN and NAT
Security Protocol   Mode        NAT
AH                  Transport   N
AH                  Tunnel      N
ESP                 Transport   N
ESP                 Tunnel      Y

Secure Gateway Address
Secure Gateway Address is the WAN IP address or domain name of the remote secure gateway. You can specify this for a VPN rule in the VPN Branch Office Rule Setup screen (see Figure 71 on page 222). If the remote secure gateway has a static WAN IP address, enter it in the Secure Gateway Address field. You can alternatively enter the domain name of the re
269. ...ination host address rises above a threshold (TCP Maximum Incomplete), the Business Secure Router starts deleting half-open sessions according to one of the following methods:
• If the Blocking Period timeout is 0 (the default), the Business Secure Router deletes the oldest existing half-open session for the host for every new connection request to the host. This ensures that the number of half-open sessions to a given host never exceeds the threshold.
• If the Blocking Period timeout is greater than 0, the Business Secure Router blocks all new connection requests to the host, giving the server time to handle the present connections. The Business Secure Router continues to block all new connection requests until the Blocking Period expires.
The Business Secure Router also sends alerts whenever TCP Maximum Incomplete is exceeded. The global values specified for the threshold and timeout apply to all TCP connections.
Click the Attack Alert tab to bring up the screen shown in Figure 61.
Figure 61 Attack alert [screen capture: FIREWALL, Attack Alert tab. "The firewall is set by default to prevent attacks on your network. Any detected attacks will automatically generate a log entry. You can also choose to generate an alert whenever such an attack is detected." Check box: Generate alert when attack detected. Denial of Service Thresholds: One Minute Low, One Minute Hig
270. ...includes an Expiring or Expired message if the certificate is about to expire or has already expired.
Table 64 My Certificates (Label: Description)
Modify: Click the details icon to open a screen with an in-depth list of information about the certificate. Click the delete icon to remove the certificate. A window displays asking you to confirm that you want to delete the certificate. You cannot delete a certificate that one or more features are configured to use. Do the following to delete a certificate that shows *SELF in the Type field:
1 Make sure that no other features, such as HTTPS, VPN or SSH, are configured to use the *SELF certificate.
2 Click the details icon next to another self-signed certificate (see the description on the Create button if you need to create a self-signed certificate).
3 Select the "Default self-signed certificate which signs the imported remote host certificates" check box.
4 Click Apply to save the changes and return to the My Certificates screen.
5 The certificate that originally showed *SELF displays SELF, and you can delete it now. Note that subsequent certificates move up by one when you take this action.
Import: Click Import to open a screen where you can save the certificate that you have enrolled from a certification authority from your computer to the Business Secure Route
271. ...ins an offset field that says, for instance, "This fragment is carrying bytes 200 through 400 of the original (non-fragmented) IP packet." The Teardrop program creates a series of IP fragments with overlapping offset fields. After these fragments are reassembled at the destination, some systems crash, hang or reboot.
2 Weaknesses in the TCP/IP specification leave it open to SYN Flood and LAND attacks. These attacks are executed during the handshake that initiates a communication session between two applications.
Figure 46 Three-way handshake [diagram: Client and Server exchanging SYN, SYN/ACK and ACK]
Under normal circumstances, the application that initiates a session sends a SYN (synchronize) packet to the receiving server. The receiver sends back an ACK (acknowledgment) packet and its own SYN, and then the initiator responds with an ACK (acknowledgment). After this handshake, a connection is established.
SYN Attack floods a targeted system with a series of SYN packets. Each packet causes the targeted system to issue a SYN-ACK response. While the targeted system waits for the ACK that follows the SYN-ACK, it queues up all outstanding SYN-ACK responses on what is known as a backlog queue. SYN-ACKs are moved off the queue only when an ACK comes back or when an internal timer (which is set at relatively long intervals) terminates the three-way ha
272. [Garbled list of figures and sections; only the recoverable entries are kept:]
... 162
LAN ... 173
... 174
Enabling the firewall 176
Creating and editing a firewall rule 179
Adding or editing source and destination addresses 181
Creating or editing a custom port 182
Firewall edit rule screen example 183
Firewall rule edit IP example 184
Edit custom port example 184
MyService rule configuration example 185
My Service example rule summary 186
... 192
... 196
Encryption and decryption 201
IPSec architecture 203
Figures (page 19): Figure 65 through Figure 99 (titles garbled in extraction)
Transport and Tunnel mode IPSec encapsulation 206
IPSe
273. ...ion alive Interval: Specifies how long the VPN Contivity client waits between VPN connection checks.
Max Number of Retransmissions: Specifies the maximum number of retransmissions (0 to 255) of the keep-alive packets. This is how many times the VPN Contivity client can resend the keep-alive packet to the Business Secure Router to check the connection before attempting to use the first fail-over gateway.
Table 63 VPN Client Termination advanced (Label: Description)
Accept ISAKMP Initial Contact Payload: The Business Secure Router can accept the INITIAL-CONTACT status messages to inform it that the Contivity VPN client is establishing a first SA. The Business Secure Router then deletes the existing SAs because it assumes that the sending Contivity VPN client has restarted and no longer has access to any of the existing SAs.
Idle Timeout: Specifies how long the Contivity VPN client connection can go without traffic before the Business Secure Router terminates the session. The Business Secure Router does not time out idle connections when this field is set to 00:00:00.
Domain Name: Specifies the domain name that is used while the VPN tunnel is connected.
Primary DNS, Secondary DNS: Specifies the first and second DNS server IP addresses to assign to the Contivity VPN clients.
Primary WINS: Specifies the first
274. ...ion session.
User logout because of no authentication response: The router logged off a user from which there was no authentication response.
User logout because of idle timeout expired: The router logged off a user whose idle timeout period expired.
User logout because of user request: A user logged off.
Local User Database does not support authentication mothed: A user tried to use an authentication method that the local user database does not support (it only supports EAP-MD5).
No response from RADIUS. Pls check RADIUS Server.: There is no response message from the RADIUS server; check the RADIUS server.
Use Local User Database to authenticate user: The local user database operates as the authentication server.
Use RADIUS to authenticate user: The RADIUS server operates as the authentication server.
Table 137 IEEE 802.1X Logs (continued) (Log Message: Description)
No Server to authenticate user: There is no authentication server to authenticate a user.
Local User Database does not find user's credential: A user was not authenticated by the local user database because the user is not listed in the local user database.

Log Commands
Go to the command interpreter interface (the Command Interpreter Appendix explains how to access and use the commands).
Configuring what you
275. ...ion Protocol applications to go through the Business Secure Router. The Session Initiation Protocol (SIP) is an application-layer control (signaling) protocol that handles the setting up, altering and tearing down of voice and multimedia sessions over the Internet. SIP is used in VoIP (Voice over IP), the sending of voice signals over the Internet Protocol. To avoid retranslating the SIP device's IP address, do not use the SIP ALG with a SIP device that is using STUN (Simple Traversal of User Datagram Protocol (UDP) through NAT).
Apply: Click Apply to save your changes to the Business Secure Router.
Reset: Click Reset to begin configuring this screen afresh.

Chapter 6 LAN screens
This chapter describes how to configure LAN settings.
LAN overview
A Local Area Network (LAN) is a shared communication system to which many computers are attached. The LAN screens can help you configure a LAN DHCP server, manage IP addresses, configure RIP and multicast settings, and partition your physical network into logical networks.
DHCP setup
Using DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132), individual clients can obtain TCP/IP configuration at start-up from a server. You can configure the Business Secure Router as a DHCP server or disable it. When configured as a server, the Busin
276. ...ion is working properly if you want the Business Secure Router to enroll a certificate online.
My Certificate details
Click CERTIFICATES and then My Certificates to open the My Certificates screen (see Figure 83). Click the details icon to open the My Certificate Details screen. You can use this screen (see Figure 86) to view in-depth certificate information and change the name of the certificate. In the case of a self-signed certificate, you can set it to be the one that the Business Secure Router uses to sign the trusted remote host certificates that you import to the Business Secure Router.
Figure 86 My Certificate details [screen capture: CERTIFICATES, MY CERTIFICATE DETAILS. Name: auto_generated_self_signed_cert. Property: check box "Default self-signed certificate which signs the imported remote host certificates". Certification Path: CN=Business Secure Router Factory Default Certificate. Certificate Information: Type: Self-signed X.509 Certificate; Version: V3; Serial Number: 946684800; Subject: CN=Business Secure Router Factory Default Certificate; Issuer: CN=Business Secure Router Factory Default Certificate; Signature Algorithm: rsa-pkcs1-sha1; Valid From: 2000 Jan 1st 00:00:00 GMT; Valid To: 2030 Jan 1st 00:00:00 GMT; Key Algorithm: rsaEncryption (512 bits); Subject Alternative Name: EMAIL=factory auto gen cert; Key Usage: DigitalSignature, KeyEncipherment, KeyCertSig
277. ...iption
Time for Sending Log: Enter the time of the day in 24-hour format (for example, 23:00 equals 11:00 p.m.) to send the logs.
Log: Select the categories of the logs that you want to record. Logs include alerts.
Send Immediate Alert: Select the categories of alerts for which you want the Business Secure Router to instantly e-mail alerts to the e-mail address specified in the Send Alerts To field.
Log Consolidation Active: Some logs (such as the Attacks logs) can be so numerous that it becomes easy to ignore other important log messages. Select this check box to merge logs with identical messages into one log. You can use the sys log consolidate msglist command to see which log messages are consolidated.
Log Consolidation Period: Specify the time interval during which to merge logs with identical messages into one log.
Apply: Click Apply to save your customized settings and exit this screen.
Reset: Click Reset to begin configuring this screen afresh.

Configuring Reports
To change your Business Secure Router log reports, click Logs and then the Reports tab. The screen appears as shown in Figure 151. The Reports page displays which computers on the LAN send and receive the most traffic, what kinds of traffic are used the most, and which Web sites are visited the most often. Use the Reports screen to have the Business Secure Router record and display the following network usage details:
• Web site
278. ...is field displays how many IP addresses you set the Business Secure Router to give out from the pool created by the starting address and subnet mask.
Edit: Click the radio button next to an IP address pool entry and click Edit to open the screen where you can configure the entry.
Delete: Click the radio button next to an IP address pool entry and click Delete to remove it.

VPN Client Termination IP pool edit
In the WebGUI, click VPN on the navigation panel and the Client Termination tab to open the VPN Client Termination screen. Then click the Configure IP Address Pool link to open the VPN Client Termination IP Pool Summary screen. Click the radio button next to an IP address pool entry and click Edit to open the following screen, where you can configure the entry. Use this screen to configure a range of IP addresses to assign to the Contivity VPN clients.
Figure 80 VPN Client Termination IP pool edit [screen capture: IP Pool Edit. Fields: Active, IP Pool Name, Starting Address, Subnet Mask, Pool Size; Apply and Cancel buttons.]
Table 62 describes the fields in Figure 80.
Table 62 VPN Client Termination IP pool edit (Label: Description)
Active: Turn on the IP pool if you want the Business Secure Router to use it in assigning IP addresses to the Contivity VPN clients.
IP Pool Name: Specify a label for the IP address pool
279. ...is field displays the DNS host name or IP address of a client on the LAN. Multiple NAT clients can use a single port simultaneously if the internal client field is set to 255.255.255.255 for UDP mappings.
Enabled: This field displays whether or not this UPnP-created NAT mapping rule is turned on. The UPnP-enabled device that connected to the Business Secure Router and configured the UPnP-created NAT mapping rule on the Business Secure Router determines whether or not the rule is enabled.
Description: This field displays a text explanation of the NAT mapping rule.
Lease Duration: This field displays the time to live (in seconds) for a dynamic port mapping rule. It displays 0 if the port mapping is static.
Apply: Click Apply to save your changes to the Business Secure Router.
Refresh: Click Refresh to update the table.

Installing UPnP in Windows example
This section shows how to install UPnP in Windows Me and Windows XP.
Installing UPnP in Windows Me
Follow the steps below to install UPnP in Windows Me.
1 Click Start and Control Panel. Double-click Add/Remove Programs.
2 Click on the Windows Setup tab and select Communication in the Components selection box. Click Details.
Figure 136 Add/Remove programs: Windows setup [screen capture: Add/Remove Programs Properties dialog with the Install/Uninstall, Windows Setup and Startup Disk tabs.]
280. ...is field displays the name of the call schedule set.
Active: This field shows whether the call schedule set is turned on (Yes) or off (No).
Start Date: This is the date, in year-month-day format, that the call schedule set takes effect.
Duration Date: This is the date, in year-month-day format, that the call schedule set ends.
Table 106 Call Schedule Summary (continued) (Label: Description)
Start Time: This is the time, in hour:minute format, when the schedule set takes effect.
Duration Time: This is the maximum length of time, in hour:minute format, that the schedule set applies the action displayed in the Action field.
Action: Forced On means that the connection is maintained whether or not there is a demand call on the line, and persists for the time period specified in the Duration field. Forced Down means that the connection is blocked whether or not there is a demand call on the line. Enable Dial On Demand means that this schedule permits a demand call on the line. Disable Dial On Demand means that this schedule prevents a demand call on the line.
Edit: Click Edit to change a call schedule set.
Delete: Select a call schedule set's radio button and click Delete to remove that call schedule set.

Call scheduling edit
To configure a schedule set, click the Edit button to display the screen shown in
281. ...is mandatory. The certification authority can add fields (such as a serial number) to the subject information when it issues a certificate. Nortel recommends that each certificate have unique subject information.
Common Name: Select a radio button to identify the owner of the certificate by IP address, domain name or e-mail address. Type the IP address (in dotted decimal notation), domain name or e-mail address in the field provided. The domain name or e-mail address can be up to 31 ASCII characters. The domain name or e-mail address is for identification purposes only and can be any string.
Organizational Unit: Type up to 127 characters to identify the organizational unit or department to which the certificate owner belongs. You can use any character (including spaces), but the Business Secure Router drops trailing spaces.
Organization: Type up to 127 characters to identify the company or group to which the certificate owner belongs. You can use any character (including spaces), but the Business Secure Router drops trailing spaces.
Country: Type up to 127 characters to identify the nation where the certificate owner is located. You can use any character (including spaces), but the Business Secure Router drops trailing spaces.
Key Length: Select a number from the drop-down list to determine how many bits are used for the key (512 to 2,048). The longer the key, the more secure it is. A longer key also uses more PKI storage spa
282. ...is the Certification Authority that signed the certificate. X.509 means that this certificate was created and signed according to the ITU-T X.509 recommendation that defines the formats for public-key certificates.
Version: This field displays the X.509 version number.
Serial Number: This field displays the certificate identification number given by the device that created the certificate.
Subject: This field displays information that identifies the owner of the certificate, such as Common Name (CN), Organizational Unit (OU), Organization (O) or Country (C).
Issuer: This field displays identifying information about the default self-signed certificate on the Business Secure Router that the Business Secure Router uses to sign the trusted remote host certificates.
Signature Algorithm: This field displays the type of algorithm that the Business Secure Router used to sign the certificate, which is rsa-pkcs1-sha1 (the RSA public/private key encryption algorithm and the SHA1 hash algorithm).
Valid From: This field displays the date that the certificate becomes applicable. The text displays in red and includes a Not Yet Valid message if the certificate has not yet become applicable.
Table 73 Trusted remote host details (continued) (Label: Description)
Valid To: This field displays the date that the certificate expires. The text displays in red and includes
283. ...is to use the VPN tunnel. When the Type field is configured to Many-to-One or Many One-to-one, enter the beginning (static) IP address of the range of computers on your Business Secure Router's LAN that are to use the VPN tunnel.
Private Ending IP Address: When the Type field is configured to One-to-one, this field is N/A. When the Type field is configured to Many-to-One or Many One-to-one, enter the ending (static) IP address of the range of computers on your Business Secure Router's LAN that are to use the VPN tunnel.
Virtual Starting IP Address: Virtual addresses must be static and correspond to the remote IPSec router's configured remote IP addresses. The computers on the Business Secure Router's LAN and the remote network can function as if they were on the same subnet when the virtual IP address(es) is on the same subnet as the remote IP addresses. Two active SAs can have the same virtual or remote IP address, but not both. You can configure multiple SAs between the same virtual and remote IP addresses as long as only one is active at a time. When the Type field is configured to One-to-one or Many-to-One, enter the (static) IP address that you want to use for the VPN tunnel. When the Type field is configured to Many One-to-one, enter the beginning (static) IP address of the range of IP addresses that you want to use for the VPN tunnel.
284. ...ite configured for full DHCP client mode.
Scenario 2: A BCM50 in each site, each acting as the backup call server for the other site
1 At each site:
a Ensure that the DHCP Server in the BCM50 is disabled, that the BCM50 is connected to the router, and that both have booted.
b Add the IP phones to the site as per the BCM50 installation guide.
c At each router, change the S2 address to the IP address of the remote BCM50 using TELNET or SSH and the CLI command ip dhcp enif0 server voipserver 2 Remote BCM50 IP Address 7000.
1 Create a tunnel between the sites as described above. Create an H.323 trunk between the BCM50s as per the BCM50 User Guide.
Configuring the router to act as a Nortel VPN Server (Client Termination)
1 Under VPN, Client Termination:
a Enable Client Termination.
b Select the authentication type and the encryption algorithms supported.
c If the clients are assigned IP addresses from a pool, define the pool and enable it.
2 Assuming a Local User Database is used for authentication:
a Add the user name and password to the local user database as an IPSec user and activate it. If the hosts will be assigned a static IP address, enter the address that will be assigned to the user.
Configuring the router to connect to a Nortel VPN Server (Client Emulation)
1 Go to VPN Summary and select Edit.
2 Select a connection type of Contivity Client and fill in the web page wi
285. ...ity VPN clients save their logon passwords instead of always having to enter them manually.
Table 63 VPN Client Termination advanced (continued) (Label: Description)
Password Management: You can have the Business Secure Router use some password requirements to enhance security.
Alpha-Numeric Password Required: Use this to have the Business Secure Router require the Contivity VPN client passwords to have both numbers and letters.
Maximum Password Age: Enter the maximum number of days that a Contivity VPN client can use a password before it has to be changed. 0 means that a password never expires.
Minimum Password Length: Enter the minimum number of characters that can be used for a Contivity VPN client password.
Apply: Click Apply to save your changes to the Business Secure Router.
Reset: Click Reset to begin configuring this screen afresh.

Chapter 14 Certificates
This chapter gives background information about public-key certificates and explains how to use them.
Certificates overview
The Business Secure Router can use certificates (also called digital IDs) to authenticate users. Certificates are based on public/private key pairs. A certificate contains the identity and public key of the certificate owner. Certificates provide a way to
286. ...k UPnP to display the screen shown in Figure 134.
Figure 134 Configuring UPnP [screen capture: UPnP and Ports tabs. Device Name: Business Secure Router. Check boxes: Enable the Universal Plug and Play (UPnP) feature; Allow users to make configuration changes through UPnP; Allow UPnP to pass through Firewall. Note: For UPnP to function normally, the HTTP service must be available for LAN computers using UPnP. Reset button.]
Table 97 describes the fields in Figure 134.
Table 97 Configuring UPnP (Label: Description)
Device Name: This identifies the device in UPnP applications.
Enable the Universal Plug and Play (UPnP) feature: Select this check box to activate UPnP. Be aware that anyone can use a UPnP application to open the WebGUI's logon screen without entering the Business Secure Router's IP address (although you must still enter the password to access the WebGUI).
Allow users to make configuration changes through UPnP: Select this check box to allow UPnP-enabled applications to automatically configure the Business Secure Router so that they can communicate through the Business Secure Router. For example, by using NAT traversal, UPnP applications automatically reserve a NAT forwarding port in order to communicate with another UPnP-enabled device, eliminating the need to manually configure port forwarding for the UPnP-enabled application.
Allow UPnP to pass through Firewall: Select this check box to allow traf
287. ...l has detected no return traffic.
The Business Secure Router measures both the total number of existing half-open sessions and the rate of session establishment attempts. Both TCP and UDP half-open sessions are counted in the total number and rate measurements. Measurements are made once a minute.
After the number of existing half-open sessions rises above a threshold (max-incomplete high), the Business Secure Router starts deleting half-open sessions as required to accommodate new connection requests. The Business Secure Router continues to delete half-open requests as necessary until the number of existing half-open sessions drops below another threshold (max-incomplete low).
After the rate of new connection attempts rises above a threshold (one-minute high), the Business Secure Router starts deleting half-open sessions to accommodate new connection requests as required. The Business Secure Router continues to delete half-open sessions as necessary until the rate of new connection attempts drops below another threshold (one-minute low). The rate is the number of new attempts detected in the last one-minute sample period.

TCP maximum incomplete and blocking period
An unusually high number of half-open sessions with the same destination host address indicates that a Denial of Service attack is being launched against the host. Whenever the number of half-open sessions with the same dest
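The threshold logic described in the two firewall passages above (the global max-incomplete and one-minute high/low pairs measured once a minute, and the per-host TCP Maximum Incomplete check with its Blocking Period), simulated as an added example. This is not the router's firmware; the threshold values and host names are constructed for the demonstration.

```python
"""Simulation of the half-open session thresholds described above.
Added example for this page, not Nortel/Avaya code; all values are constructed."""
from collections import deque


class HalfOpenMonitor:
    """Tracks half-open sessions (SYN seen, no return traffic yet): a global
    count and rate check once a minute, plus a per-host TCP Maximum Incomplete
    check on every new connection attempt, as the manual describes."""

    def __init__(self, max_incomplete_high, max_incomplete_low,
                 one_minute_high, one_minute_low,
                 tcp_max_incomplete, blocking_period):
        self.max_incomplete_high = max_incomplete_high
        self.max_incomplete_low = max_incomplete_low
        self.one_minute_high = one_minute_high
        self.one_minute_low = one_minute_low
        self.tcp_max_incomplete = tcp_max_incomplete
        self.blocking_period = blocking_period  # minutes; 0 = delete-oldest mode
        self.sessions = deque()        # destination host of each half-open session, oldest first
        self.deleting_total = False    # set once the total rose above max-incomplete high
        self.deleting_rate = False     # set once the rate rose above one-minute high
        self.blocked_until = {}        # host -> minute at which its Blocking Period expires
        self.attempts_this_minute = 0
        self.alerts = []               # (minute, host) whenever TCP Maximum Incomplete is exceeded

    def half_open_for(self, host):
        return sum(1 for h in self.sessions if h == host)

    def new_attempt(self, host, minute):
        """Handle a new connection request to `host` at time `minute`.
        Returns 'blocked', 'accepted' or 'accepted_after_delete'."""
        if self.blocked_until.get(host, -1) > minute:
            return "blocked"  # still inside the host's Blocking Period
        if self.half_open_for(host) >= self.tcp_max_incomplete:
            self.alerts.append((minute, host))
            if self.blocking_period == 0:
                # Blocking Period 0: delete the oldest half-open session for this host
                self.sessions.remove(host)  # deque.remove() drops the first (oldest) match
            else:
                # Blocking Period > 0: refuse new requests to the host until it expires
                self.blocked_until[host] = minute + self.blocking_period
                return "blocked"
        deleted = False
        if (self.deleting_total or self.deleting_rate) and self.sessions:
            self.sessions.popleft()  # global thresholds exceeded: make room, oldest first
            deleted = True
        self.sessions.append(host)
        self.attempts_this_minute += 1
        return "accepted_after_delete" if deleted else "accepted"

    def complete(self, host):
        """Return traffic arrived: the oldest half-open session to `host` is now open."""
        self.sessions.remove(host)

    def end_of_minute(self):
        """Once-a-minute measurement; each high/low pair works as hysteresis."""
        total = len(self.sessions)
        rate = self.attempts_this_minute
        if total > self.max_incomplete_high:
            self.deleting_total = True
        elif total < self.max_incomplete_low:
            self.deleting_total = False
        if rate > self.one_minute_high:
            self.deleting_rate = True
        elif rate < self.one_minute_low:
            self.deleting_rate = False
        self.attempts_this_minute = 0
        return total, rate


def simulate_syn_flood():
    """Constructed scenario: one host receives more SYNs than TCP Maximum
    Incomplete (3) allows, once per Blocking Period mode."""
    m0 = HalfOpenMonitor(10, 3, 20, 5, tcp_max_incomplete=3, blocking_period=0)
    results0 = [m0.new_attempt("victim", minute=0) for _ in range(5)]
    m2 = HalfOpenMonitor(10, 3, 20, 5, tcp_max_incomplete=3, blocking_period=2)
    results2 = [m2.new_attempt("victim", minute=0) for _ in range(4)]
    during_block = m2.new_attempt("victim", minute=1)
    m2.complete("victim")  # one handshake finished while the block was in force
    after_block = m2.new_attempt("victim", minute=2)
    return {"mode0_results": results0,
            "mode0_half_open": m0.half_open_for("victim"),
            "mode0_alerts": len(m0.alerts),
            "mode2_results": results2,
            "mode2_during_block": during_block,
            "mode2_after_block": after_block}


def simulate_global_threshold():
    """Constructed scenario: six distinct hosts push the total above
    max-incomplete high (5); after the minute tick, each new request costs the
    oldest half-open session."""
    m = HalfOpenMonitor(5, 2, 50, 10, tcp_max_incomplete=3, blocking_period=0)
    for i in range(6):
        m.new_attempt(f"host{i}", minute=0)
    total, rate = m.end_of_minute()
    outcome = m.new_attempt("host6", minute=1)
    return total, rate, outcome, len(m.sessions), m.sessions[0]


if __name__ == "__main__":
    print(simulate_syn_flood())
    print(simulate_global_threshold())
```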
288. ...l to which you want to apply this firewall rule.
Table 37 Creating and editing a firewall rule (continued) (Label: Description)
Source Address: Click SrcAdd to add a new address, SrcEdit to edit an existing one, or SrcDelete to delete one. The source address can be a particular single IP, a range of IP addresses (for example, 192.168.1.10 to 192.169.1.50), a subnet, or any IP address. See the next section for more information about adding and editing source addresses.
Destination Address: Click DestAdd to add a new address, DestEdit to edit an existing one, or DestDelete to delete one. The destination address can be a particular single IP, a range of IP addresses (for example, 192.168.1.10 to 192.169.1.50), a subnet, or any IP address. See the section Configuring source and destination addresses on page 181 for information about adding and editing destination addresses.
Services Available / Selected Services: For more information on services available, see Table 40 on page 187. Highlight a service from the Available Services box on the left, then click >> to add it to the Selected Services box on the right. To remove a service, highlight it in the Selected Services box on the right, then click <<.
Custom Port Add: Click this button to bring up the screen that you use to configure a new custom ser
lass button to open the screen shown in Figure 100.

Figure 100 Bandwidth Manager: Edit class (screenshot of the BANDWIDTH MANAGEMENT EDIT CLASS screen, with the Class Configuration fields Class Name and Bandwidth Budget (Kbps), and the Filter Configuration fields Enable Bandwidth Filter, Service, Destination IP Address, Destination Subnet Mask, Destination Port, Source IP Address, Source Subnet Mask, Source Port and Protocol ID, plus Apply and Cancel)

Table 79 describes the labels in Figure 100.

Table 79 Bandwidth Manager: Edit class
Label: Description
Class Configuration
Class Name: Use the autogenerated name or enter a descriptive name of up to 20 alphanumeric characters, including spaces.
Bandwidth Budget: Specify the maximum bandwidth allowed for the class in kb/s. The recommended setting is between 20 kbps and 20 000 kbps for an individual class. The bandwidth you specify cannot cause the total allocated bandwidth of this and all other subclasses to exceed the bandwidth for the interface.
Filter Configuration
Enable Bandwidth Filter: Select Enable Bandwidth Filter to have the Business Secure Router use this bandwidth filt
le rule summary

Figure (Firewall rule summary): screenshot of the FIREWALL summary screen. It carries the note "The firewall protects against Denial of Service (DoS) attacks when it is enabled", the Enable Firewall and Bypass Triangle Route check boxes, the Firewall Rules Storage Space in Use gauge, the Packet Direction drop-down list (WAN to LAN, with the text "Configured rules for this packet direction are displayed in the summary table below"), the setting Action for packets that don't match firewall rules (Block or Forward), the Log packets that don't match these rules check box, the rule summary table (source address, destination address, service type, action, log and active columns), and the buttons Insert New Rule Before (Rule Number), Move Selected Rule (select an Index Number To Rule Number), Edit Selected Rule, Delete Selected Rule, Apply and Reset.

Predefined services

The Available Services list box in the Edit Rule screen (see Figure 53) displays all predefined services that the Business Secure Router already supports. Next to the name of the service, two fields appear in brackets. The first field indicates the IP protocol type (TCP, UDP or ICMP). The second field indicates the IP port number that defines the service. Note that there can be more than one IP protocol type. For example, look at the default configuration labeled DNS: (UDP/TCP:53) means UDP port 53 and TCP port 53. Custom services can also be
les move up by one when you take this action.
Apply: Click Apply to save your changes to the Business Secure Router.
Reset: Click Reset to begin configuring this screen afresh.

Configuring firewall rules

Follow these directions to create a new rule. In the Summary screen, type the index number for where you want to put the rule. For example, if you type 1, your new rule becomes number 1 and the previous rule 1 (if there is one) becomes rule 2. Click Insert to display the screen shown in Figure 53.

Figure 53 Creating and editing a firewall rule (screenshot of the FIREWALL EDIT RULE screen: Active check box, Packet Direction (LAN to WAN), Source Address and Destination Address lists (Any) with SrcAdd, SrcEdit, SrcDelete, DestAdd, DestEdit and DestDelete buttons, the Available Services and Selected Services boxes with predefined entries such as AIM/NEW-ICQ, BOOTP_CLIENT(UDP:68) and BOOTP_SERVER(UDP:67), Custom Port Add, Edit and Delete buttons, Action for Matched Packets (Forward), Log, and Apply and Cancel)

Table 37 describes the fields in Figure 53.

Table 37 Creating and editing a firewall rule
Label: Description
Active: Check the Active check box to have the Business Secure Router use this rule. Leave it unchecked if you do not want the Business Secure Router to use the rule after you apply it.
Packet Direction: Use the drop-down list to select the direction of packet trave
liary WAN backup: The AUX port can be used in reserve as a traditional dial-up connection when, or if ever, the broadband connection to the WAN port fails.

Time and date: Using the Business Secure Router, you can get the current time and date from an external server when you turn on your Business Secure Router. You can also set the time manually.

Reset button: The Business Secure Router reset button is built into the rear panel. Use this button to restart the Business Secure Router or to restore the factory defaults: the password to "setup", the IP address to 192.168.1.1, the subnet mask to 255.255.255.0, and the DHCP server enabled with a pool of 126 IP addresses starting at 192.168.1.2.

Nonphysical features

IPSec VPN capability: Establish Virtual Private Network (VPN) tunnels to connect home or office computers to your company network using data encryption and the Internet, thus providing secure communications without the expense of leased site-to-site lines. VPN is based on the IPSec standard and is fully interoperable with other IPSec-based VPN products.

Nortel Contivity Client Termination: The Business Secure Router supports VPN connections from computers using Nortel Contivity VPN Client 3.0, 5.01, 5.11, 6.01, 6.02 or 7.01 software.

Certificates: The Business Secure Router can use certificates (also called digital IDs) to authenticate users. Certificates are based on public
lishing a connection. The method used to secure the data that is sent through an established connection depends on the type of connection. For example, a VPN tunnel can use the triple DES encryption algorithm.

The certification authority uses its private key to sign certificates. Anyone can use the certification authority's public key to verify the certificates. A certification path is the hierarchy of certification authority certificates that validate a certificate. The Business Secure Router does not trust a certificate if any certificate on its path has expired or been revoked.

Certification authorities maintain directory servers with databases of valid and revoked certificates. A directory of certificates that have been revoked before their scheduled expiration is called a CRL (Certificate Revocation List). The Business Secure Router can check a peer's certificate against a list of revoked certificates on a directory server. The framework of servers, software, procedures and policies that handles keys is called PKI (public key infrastructure).

Advantages of certificates

Certificates offer the following benefits:
- The Business Secure Router only has to store the certificates of the certification authorities that you decide to trust, no matter how many devices you need to authenticate.
- Key distribution is simple and very secure because you can freely distribute public keys and you never need to transmit private keys.

Self-signed ce
ll of your VPN rules.

Security Association

A Security Association (SA) is a contract between two parties indicating which security parameters, such as keys and algorithms, they use.

Table 44 VPN Screens Overview
Screens: Description
Summary: This screen lists all of your VPN rules.
Contivity Client Rule Setup: Use these screens to configure simple VPN rules that have the Business Secure Router operate as a VPN client.
Branch Office Rule Setup: Use these screens to manually configure VPN rules that have the Business Secure Router operate as a VPN router.
SA Monitor: Use this screen to display and manage active VPN connections.
Global Setting: Use this screen to configure the IPSec timer settings.
Client Termination: Use these screens to use the Business Secure Router for encrypted connections from computers using Nortel Contivity VPN Client software.

Other terminology

Encryption: Encrypti
lowed to communicate with the Business Secure Router using this service. Select All to allow any computer to access the Business Secure Router using this service. Choose Selected to allow only the computer with the IP address that you specify to access the Business Secure Router using this service.
Apply: Click Apply to save your customized settings and exit this screen.
Reset: Click Reset to begin configuring this screen afresh.

Configuring FTP

You can upload and download the Business Secure Router firmware and configuration files using FTP. To use this feature, your computer must have an FTP client. Keep in mind that FTP carries the login password and the transferred configuration file in clear text, so limit Server Access to the LAN side and use the Secured Client IP Address setting to name the one management host that may connect. To change your Business Secure Router FTP settings, click REMOTE MANAGEMENT and then the FTP tab. The screen appears as shown in Figure 129.

Figure 129 FTP (screenshot of the REMOTE MANAGEMENT FTP screen: Server Port 21, Server Access (Disable), Secured Client IP Address (All or Selected), Apply and Reset)

Table 92 describes the fields in Figure 129.

Table 92 FTP
Label: Description
Server Port: You can change the server port number for a service if needed; however, you must use the same port number in order to use that service for remote management.
Server Access: Select the interfaces (if any) through which a computer can access the Business Secure Router using this service.
lowing formats:
- Binary X.509
- PEM (Base-64) encoded X.509
- Binary PKCS#7
- PEM (Base-64) encoded PKCS#7

(Figure 88 Trusted CA import: File Path field, Browse, Apply and Cancel buttons)

Table 69 describes the labels in Figure 88.

Table 69 Trusted CA import
Label: Description
File Path: Type in the location of the file you want to upload in this field, or click Browse to find it.
Browse: Click Browse to find the certificate file you want to upload.
Apply: Click Apply to save the certificate on the Business Secure Router.
Cancel: Click Cancel to quit and return to the Trusted CAs screen.

Trusted CA Certificate details

Click CERTIFICATES > Trusted CAs to open the Trusted CAs screen. Click the details icon to open the Trusted CA Details screen shown in Figure 89. Use this screen to view in-depth information about the certification authority certificate, change the certificate name, and set whether or not you want the Business Secure Router to check a certification authority's list of revoked certificates before trusting a certificate issued by that certification authority.

Figure 89 Trusted CA details (screenshot of the CERTIFICATES TRUSTED CA DETAILS screen: Name (CHT SubCa), Property: Check incoming certificates issued by this CA against a CRL, Cert
lready be configured (see Chapter 21 Call scheduling screens on page 387).

Table 21 Dial Backup Setup (continued)
Label: Description
Apply: Click Apply to save your changes to the Business Secure Router.
Reset: Click Reset to begin configuring this screen afresh.

Advanced Modem Setup

AT Command Strings: For regular telephone lines, the default Dial string tells the modem that the line uses tone dialing. ATDT is the command for a switch that requires tone dialing. If your switch requires pulse dialing, change the string to ATDP. For ISDN lines there are many more protocols and operational modes; consult the documentation of your TA. You need additional commands in both the Dial and Init strings.

DTR Signal: The majority of WAN devices default to hanging up the current call when the DTR (Data Terminal Ready) signal is dropped by the DTE. If the Drop DTR When Hang Up check box is selected, the Business Secure Router uses this hardware signal to force the WAN device to hang up, in addition to issuing the drop command ATH.

Response Strings: The response strings tell the Business Secure Router the tags (or labels) immediately preceding the various call parameters sent from the WAN device. The response strings have not been standardized; consult the documentation of your WAN device to find the correct tags.
matching ID Type and Content Configuration Example

Business Secure Router A                Business Secure Router B
Local ID type: IP                       Local ID type: IP
Local ID content: 1.1.1.10              Local ID content: 1.1.1.10
Peer ID type: E-mail                    Peer ID type: IP
Peer ID content: aa@yahoo.com           Peer ID content: N/A

My IP Address

My IP Address is the WAN IP address of the Business Secure Router. The Business Secure Router has to rebuild the VPN tunnel if My IP Address changes after setup. The following applies if this field is configured as 0.0.0.0:
- The Business Secure Router uses the current Business Secure Router WAN IP address (static or dynamic) to set up the VPN tunnel.
- If the WAN connection goes down, the Business Secure Router uses the dial backup IP address for the VPN tunnel when using dial backup, or the LAN IP address when using traffic redirect. See Chapter 7 WAN screens on page 107 for details about dial backup and traffic redirect.

Configuring Branch Office VPN Rule Setup

Select one of the VPN rules in the VPN Summary screen and click Edit to configure the rule. The VPN Branch Office Rule Setup screen is shown in Figure 71.

Figure 71 VPN Branch Office rule setup (screenshot of the VPN Branch Office screen: Connection Type (Branch Office), Active, Nailed-Up, Name, Key Ma
maximum security.
Advanced: Click Advanced to go to a screen where you can configure detailed IKE (Internet Key Exchange) negotiation phase 1 (Authentication) and phase 2 (Key Exchange) settings for the rule.
Apply: Click Apply to save your changes to the Business Secure Router.
Cancel: Click Cancel to return to the VPN Summary screen without saving your changes.

Configuring an IP Policy

Select one of the IP policies in the VPN Branch Office screen and click Add or Edit to configure the policy. The Branch Office IP Policy setup screen is shown in Figure 72.

Figure 72 VPN Branch Office IP Policy (screenshot of the VPN Branch Office IP Policy screen: Protocol, Enable Control Ping, Control Ping IP Address, Active, Branch Tunnel NAT with Address Mapping Rule, Port Forwarding Server Mapping Rule, Type (One-to-One), Private Starting and Ending IP Address and Virtual Starting and Ending IP Address, Local Address Type (Range) with Starting IP Address, Ending IP Address, Subnet Mask and Port, Remote Address Type with Starting IP Address, Ending IP Address, Subnet Mask and Port, and Apply and Cancel)

Table 55 describes the fields in Figur
membership in a Multicast group; it is not used to carry user data. IGMP version 2 (RFC 2236) is an improvement over version 1 (RFC 1112), but IGMP version 1 is still in wide use. If you want to read more detailed information about interoperability between IGMP version 2 and version 1, see sections 4 and 5 of Internet Group Management Protocol (RFC 2236).

The class D IP address is used to identify host groups and can be in the range 224.0.0.0 to 239.255.255.255. The address 224.0.0.0 is not assigned to any group and is used by IP multicast computers. The address 224.0.0.1 is used for query messages and is assigned to the permanent group of all IP hosts (including gateways). All hosts must join the 224.0.0.1 group in order to participate in IGMP. The address 224.0.0.2 is assigned to the multicast routers group.

The Business Secure Router supports both IGMP version 1 (IGMP-v1) and IGMP version 2 (IGMP-v2). At start-up, the Business Secure Router queries all directly connected networks to gather group membership. After that, the Business Secure Router periodically updates this information. IP multicasting can be enabled or disabled on the Business Secure Router LAN interface, WAN interface, or both, in the WebGUI (LAN, WAN). Select None to disable IP multicasting on these interfaces.

Configuring IP

Click LAN to open the IP screen.

Figure 22 LAN IP (screenshot of the LAN IP screen, beginning with the DHCP Setup section)
mote secure gateway if it has one, in the Secure Gateway Address field.

You can also enter the domain name of the remote secure gateway in the Secure Gateway Address field if the remote secure gateway has a dynamic WAN IP address and is using DDNS. The Business Secure Router has to rebuild the VPN tunnel each time the WAN IP address of the remote secure gateway changes; there can be a delay until the DDNS servers are updated with the new WAN IP address of the remote secure gateway.

Dynamic Secure Gateway Address

If the remote secure gateway has a dynamic WAN IP address and does not use DDNS, enter 0.0.0.0 as the address of the remote secure gateway. In this case, only the remote secure gateway can initiate SAs. This is useful for telecommuters initiating a VPN tunnel to the company network.

Summary screen

Figure 66 helps explain the main fields in the WebGUI.

Figure 66 IPSec summary fields (diagram: the Local Network with its Local IP Addresses, the Business Secure Router with My IP Address, the Remote VPN Switch with the Secure Gateway Address, and the Remote Network with its Remote IP Addresses)

Click VPN to open the Summary screen. This is a read-only menu of your IPSec rules (tunnels). Edit or create an IPSec rule by selecting an index number and then clicking Edit to configure the associated submenus. The firewall allows traffic to go through your VPN tunnels.
mpiler for virtual machine enabled (requires restart); Multimedia: Always show Internet Explorer (5.0 or later) Radio toolbar, Don't display online media content in the media bar, Enable Automatic Image Resizing; Restore Defaults, OK, Cancel and Apply buttons)

Netscape Pop-up Blockers

Note: Netscape 7.2 screens are used here. Screens for other Netscape versions vary.

Either disable the blocking of unrequested pop-up windows (enabled by default in Netscape) or allow pop-ups from Web sites by creating an exception for your device IP address.

Allowing Pop-ups

1. In Netscape, click Tools > Popup Manager and then select Allow Popups From This Site.

Figure 179 Allow Popups from this site (screenshot of the Netscape Tools menu: Search, Cookie Manager, Form Manager, Manage Popups, Password Manager, Download Manager, Web Development)

2. In the Netscape search toolbar you can enable and disable pop-up blockers for Web sites.

Figure 180 Netscape Search Toolbar (screenshot of the Netscape search toolbar with the Pop-Up Block button)

You can also check if pop-up blocking is disabled in the Popup
mported in the Trusted CAs screen. When you select this option, you must select the certification authority enrollment protocol and the certification authority certificate from the drop-down list and enter the certification authority server address or URL. You also need to fill in the Reference Number and Key if the certification authority requires it.
Enrollment Protocol: Select the certification authority enrollment protocol from the drop-down list. Simple Certificate Enrollment Protocol (SCEP) is a TCP-based enrollment protocol that was developed by VeriSign and Cisco. Certificate Management Protocol (CMP) is a TCP-based enrollment protocol that was developed by the Public Key Infrastructure X.509 working group of the Internet Engineering Task Force (IETF) and is specified in RFC 2510.
CA Server Address: Enter the IP address or URL of the certification authority server.
CA Certificate: Select the certification authority certificate from the CA Certificate drop-down list. You must have the certification authority certificate already imported in the Trusted CAs screen. Click Trusted CAs to go to the Trusted CAs screen, where you can view and manage the Business Secure Router's list of certificates of trusted certification authorities.
Request Authentication: When you select "Create a certification request and enroll for a certificate immediately online", the certification authority can require you to include a ref
4. Click OK to close the window.

Figure 184 Advanced Preferences (screenshot of the Netscape Preferences window, Advanced category: Helper Applications, Smart Browsing, Internet Search, Tabbed Browsing; Composer, Mail & Newsgroups, Instant Messenger, ICQ, Privacy & Security)

5. Click the Advanced directory and then select Scripts & Plug-ins.

6. Make sure the Navigator check box is selected in the Enable JavaScript section.

7. Click OK to close the window.

Figure 185 Scripts & Plug-ins Preferences (screenshot of the Scripts & Plug-ins page, listing what scripts may do: move or resize existing windows, raise or lower windows, hide the status bar, change status bar text, change images, disable or replace context menus)

Appendix B Log Descriptions

This appendix provides descriptions of example log messages.

Table 123 System Error Logs
Log Message: Description
%s exceeds the max number of session per host!: This attempt to create a SUA/NAT session exceeds the maximum number of SUA/NAT session table entries allowed to be created per host.

Table 124 System Maintenance Logs
Log Message: Description
Time calibration is successful: The router h
n. In this case, you can have either a static or a dynamic IP. For a static IP, you must fill in all the IP Address and ENET ENCAP Gateway fields as supplied by your ISP. For a dynamic IP, however, the Business Secure Router acts as a DHCP client on the WAN, so the IP Address and ENET ENCAP Gateway fields are not applicable (N/A), as the DHCP server assigns them to the Business Secure Router.

Private IP addresses

Every machine on the Internet must have a unique address. If your networks are isolated from the Internet (for example, only between your two branch offices), you can assign any IP addresses to the hosts without problems. However, the Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of IP addresses specifically for private networks:
- 10.0.0.0 to 10.255.255.255
- 172.16.0.0 to 172.31.255.255
- 192.168.0.0 to 192.168.255.255

You can obtain your IP address from the IANA, from an ISP, or it can be assigned from a private network. If you belong to a small organization and your Internet access is through an ISP, the ISP can provide you with the Internet addresses for your local networks. On the other hand, if you are part of a much larger organization, consult your network administrator for the appropriate IP addresses.

Note: Regardless of your particular situation, do not create an arbitrary IP address; always follow the guidelines above. For more inf
n Basic Constraint (Subject Type: CA, Path Length Constraint: 1), the MD5 Fingerprint and SHA1 Fingerprint of the certificate, the certificate in PEM (Base-64) encoded format, and the Export, Apply and Cancel buttons)

Table 67 describes the labels in Figure 86.

Table 67 My Certificate details (imported remote host certificates)
Label: Description
Name: This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this certificate. You can use any character (not including spaces).
Property (Default self-signed certificate): Select this check box to have the Business Secure Router use this default certificate to sign the trusted remote host certificates that you import to self
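The Trusted CA import screen accepts four file formats (binary or PEM, X.509 or PKCS#7), and the details screens show MD5 and SHA1 fingerprints of the certificate. The following is an added example written for this page, not code from the Nortel manual or the product: it tells the four formats apart by decoding the outer DER structure (an X.509 certificate is a SEQUENCE whose first element is the tbsCertificate SEQUENCE; a PKCS#7 file is a SEQUENCE that begins with the signedData OID 1.2.840.113549.1.7.2), checks that a PEM label agrees with the content it wraps, and computes the fingerprints the way such screens do, as the hash of the DER bytes printed as colon-separated hex. The sample inputs are constructed minimal DER objects, not real certificates.

```python
# Added example, not from the Nortel manual.  The DER parser is minimal: it
# reads only the outer structure needed to classify the file.  SAMPLE_* objects
# are constructed stand-ins, not real certificates.
import base64
import hashlib
import re

PKCS7_SIGNED_DATA_OID = bytes.fromhex("2a864886f70d010702")   # 1.2.840.113549.1.7.2


def der_tlv(data, pos=0):
    """Decode one DER tag/length/value at pos; returns (tag, value, next_pos)."""
    if pos + 2 > len(data):
        raise ValueError("truncated DER")
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: n length bytes follow
        n = length & 0x7F
        if n == 0 or pos + n > len(data):
            raise ValueError("bad DER length")
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    if pos + length > len(data):
        raise ValueError("truncated DER value")
    return tag, data[pos:pos + length], pos + length


def der_kind(data):
    """'X.509' if the outer SEQUENCE starts with a SEQUENCE (tbsCertificate),
    'PKCS#7' if it starts with the signedData OID; ValueError otherwise."""
    tag, body, end = der_tlv(data)
    if tag != 0x30 or end != len(data):
        raise ValueError("not a single DER SEQUENCE")
    inner_tag, inner_val, _ = der_tlv(body)
    if inner_tag == 0x30:
        return "X.509"
    if inner_tag == 0x06 and inner_val == PKCS7_SIGNED_DATA_OID:
        return "PKCS#7"
    raise ValueError("neither a certificate nor PKCS#7 signedData")


PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def detect_format(blob):
    """Returns (encoding, kind, der_bytes), e.g. ('PEM', 'X.509', b'...')."""
    m = PEM_RE.search(blob)
    if m:
        label = m.group(1).decode()
        der = base64.b64decode(b"".join(m.group(2).split()), validate=True)
        kind = der_kind(der)
        expected = {"CERTIFICATE": "X.509", "PKCS7": "PKCS#7"}.get(label)
        if expected != kind:
            raise ValueError("PEM label %s does not match content %s" % (label, kind))
        return "PEM", kind, der
    return "DER", der_kind(blob), blob


def fingerprints(der):
    """MD5 and SHA1 of the DER bytes, formatted like the details screen."""
    fmt = lambda digest: ":".join("%02x" % b for b in digest)
    return {"md5": fmt(hashlib.md5(der).digest()),
            "sha1": fmt(hashlib.sha1(der).digest())}


# --- constructed sample objects (not real certificates) ---------------------
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


# SEQUENCE { SEQUENCE { INTEGER 1 }, SEQUENCE { OID sha1WithRSA }, BIT STRING }
SAMPLE_X509_DER = _tlv(0x30,
                       _tlv(0x30, _tlv(0x02, b"\x01"))
                       + _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d010105")))
                       + _tlv(0x03, b"\x00" * 130))
# SEQUENCE { OID signedData, [0] { SEQUENCE {} } }
SAMPLE_PKCS7_DER = _tlv(0x30, _tlv(0x06, PKCS7_SIGNED_DATA_OID) + _tlv(0xA0, _tlv(0x30, b"")))


def to_pem(label, der):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)).encode()


if __name__ == "__main__":
    for blob in (SAMPLE_X509_DER, to_pem("PKCS7", SAMPLE_PKCS7_DER)):
        enc, kind, der = detect_format(blob)
        print(enc, kind, fingerprints(der)["sha1"])
```

When an import fails, comparing the fingerprint the router displays against one computed this way over the file you uploaded is the quickest check that the right bytes arrived; a label mismatch (a PKCS#7 bundle wrapped in CERTIFICATE armour, for instance) is caught before anything is trusted.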
n 1 and 15; a number greater than 15 means the link is down. The smaller the number, the lower the cost.
Private (PPPoE and PPPoA only): This parameter determines if the Business Secure Router includes the route to this remote node in its RIP broadcasts. If set to Yes, this route is kept private and not included in RIP broadcasts. If No, the route to this remote node is propagated to other hosts through RIP broadcasts.

Table 19 WAN IP (continued)
Label: Description
RIP Direction: With RIP (Routing Information Protocol), a router can exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets. Choose Both, None, In Only or Out Only. When set to Both or Out Only, the Business Secure Router broadcasts its routing table periodically. When set to Both or In Only, the Business Secure Router incorporates RIP information that it receives. When set to None, the Business Secure Router does not send any RIP packets and ignores any RIP packets received. By default, RIP Direction is set to Both. Accepting RIP on an Internet-facing WAN interface (Both or In Only) lets any host on that segment inject routes into the Business Secure Router, so None is the safer choice there unless your ISP actually runs RIP with you.
RIP Version: The RIP Version field controls the format and the broadcasting method of the RIP packets that the Business Secure Router sends (it recognizes both formats when receiving). Choose RIP-1, RIP-2B or RIP-2M. RIP-1 is universally supported, but RIP-2 carries more i
nagement, Negotiation Mode (Main), Encapsulation Mode (Tunnel), NAT Traversal, the Available IP Policy and Selected IP Policy lists with Add, Edit and Delete, Private IP Address, Local IP Address and Remote IP Address, Authentication Method (Pre-Shared Key with Retype to Confirm, or Certificate chosen from My Certificates), Local ID Type and Content, Peer ID Type and Content, My IP Address, Secure Gateway Address, ESP or AH with Encryption Algorithm (DES) and Authentication Algorithm (MD5 or SHA1), Advanced, Apply and Cancel)

Table 54 describes the fields in Figure 71.

Table 54 VPN Branch Office rule setup
Label: Description
Connection Type: Select Branch Office to manually configure a VPN rule. Select Contivity Client to use a simple VPN rule that lets you define and store connection information for accessing your corporate network using the Business Secure Router. You can only configure one Contivity Client rule. If you want to set the Contivity Client rule to active, you must set all other VPN rules to inactive.
Active: Select this check box to activate this VPN tunnel. This option determines whether a VPN rule is applied
names for VPN, DDNS and the time server.
First DNS Server / Second DNS Server / Third DNS Server: Select From ISP if your ISP dynamically assigns DNS server information (and the Business Secure Router WAN IP address). The field to the right displays the (read-only) DNS server IP address that the ISP assigns. If you chose From ISP but the Business Secure Router has a fixed WAN IP address, From ISP changes to None after you click Apply. If you chose From ISP for the second or third DNS server but the ISP does not provide a second or third IP address, From ISP changes to None after you click Apply.
Select User Defined if you have the IP address of a DNS server. The IP address can be public, or a private address on your local LAN. Enter the DNS server's IP address in the field to the right. A User Defined entry with the IP address set to 0.0.0.0 changes to None after you click Apply. A duplicate User Defined entry changes to None after you click Apply.
Select None if you do not want to configure DNS servers. If you do not configure a system DNS server, you must use IP addresses when configuring VPN, DDNS and the time server.
Select Private DNS if the DNS server has a private IP address and is located behind a VPN peer. Enter the DNS server's IP address in the field to the right. With a private DNS server, you must also configure the first DNS server entry in the LAN IP screen to use DNS Relay. You must also configure a VPN branc
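The entries above describe several silent rewrites that happen when you click Apply (From ISP on a fixed WAN address, a missing second or third ISP address, a 0.0.0.0 or duplicate User Defined address), and a misread of them is a common reason a router ends up with no working resolver for VPN, DDNS and the time server. The following is an added example written for this page, not code from the Nortel manual or the product: it applies the stated rules to the three entries and reports what the screen will show afterwards and which servers will actually be queried. Two assumptions are labelled in the code: when two User Defined entries carry the same address, the later one is the duplicate that becomes None, and Private DNS entries are passed through unchanged (the DNS Relay and VPN rule requirements are outside the snippet).

```python
# Added example, not from the Nortel manual: the post-Apply rules for the three
# system DNS server entries, as stated in the LAN/DNS description above.


def apply_dns_settings(entries, wan_ip_is_static, isp_dns):
    """entries: three (mode, ip) tuples in First/Second/Third order.
    isp_dns: the DNS addresses learned from the ISP, in order (may be short).
    Returns the three (mode, ip) tuples as they will read after Apply."""
    result, seen_user_defined = [], set()
    for position, (mode, ip) in enumerate(entries):
        if mode == "From ISP":
            if wan_ip_is_static or position >= len(isp_dns):
                result.append(("None", None))        # nothing for the ISP to assign
            else:
                result.append(("From ISP", isp_dns[position]))   # read-only value
        elif mode == "User Defined":
            if ip in (None, "", "0.0.0.0") or ip in seen_user_defined:
                result.append(("None", None))        # 0.0.0.0 or duplicate -> None
            else:
                seen_user_defined.add(ip)            # assumption: first copy wins
                result.append(("User Defined", ip))
        elif mode == "Private DNS":
            result.append(("Private DNS", ip))       # assumption: kept as entered
        else:
            result.append(("None", None))
    return result


def effective_servers(applied):
    """The addresses the router will actually query, in order."""
    return [ip for mode, ip in applied if mode != "None" and ip]


if __name__ == "__main__":
    # constructed scenario: dynamic WAN, ISP hands out a single resolver
    applied = apply_dns_settings(
        [("From ISP", None), ("From ISP", None), ("User Defined", "192.168.1.5")],
        wan_ip_is_static=False, isp_dns=["203.0.113.53"])
    print(applied, effective_servers(applied))
```

Run the function over a planned configuration before applying it: an empty list from effective_servers means that, as the text warns, VPN, DDNS and time server settings must then use IP addresses rather than names.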
nce Logs . . . 431
Content Filtering Logs . . . 432
Sample IKE Key Exchange Logs . . . 443
Sample IPSec Logs During Packet Transmission . . . 445
RFC 2408 ISAKMP Payload Types . . . 446
Table 135 . . . 446
Table 136 Certificate Path Verification Failure Reason Codes . . . 448
Table 137 IEEE 802.1X Logs . . . 449
Table 138 Log categories and available settings . . . 450

Preface

Before you begin

This guide assists you through the basic configuration of your Business Secure Router for its various applications.

Note: This guide explains how to use the WebGUI to configure your Business Secure Router. See Nortel Business Secure Router 252 Configuration Advanced (NN47923-501) for how to use the System Management Terminal (SMT) or the command interpreter int
nd ICMP.

TCP security

The Business Secure Router uses state information embedded in TCP packets. The first packet of any new connection has its SYN flag set and its ACK flag cleared; these are initiation packets. All packets that do not have this flag structure are called subsequent packets, since they represent data that occurs later in the TCP stream.

If an initiation packet originates on the WAN, someone is trying to make a connection from the Internet into the LAN. Except in a few special cases (see "Upper layer protocols" on page 165), these packets are dropped and logged.

If an initiation packet originates on the LAN, someone is trying to make a connection from the LAN to the Internet. Assuming that this is an acceptable part of the security policy (as is the case with the default policy), the connection is allowed. A cache entry is added, which includes connection information such as IP addresses, TCP ports and sequence numbers.

After the Business Secure Router receives any subsequent packet (from the Internet or from the LAN), its connection information is extracted and checked against the cache. A packet is only allowed to pass through if it corresponds to a valid connection, that is, if it is a response to a connection that originated on the LAN.

UDP/ICMP security

UDP and ICMP do not contain any connection information such as sequence numbers. However, at the very minimum,
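The TCP behaviour just described (initiation packets from the WAN dropped and logged, initiation packets from the LAN cached, every other packet checked against the cache) is what an ACK-scan or a bare inbound SYN runs into. The following is an added example written for this page, not code from the Nortel manual or the product: it implements that decision for TCP over a constructed packet trace. Two details the text leaves open are assumptions, labelled in the code: the peer's SYN-ACK must acknowledge the cached LAN sequence number before the entry counts as established, and an entry is removed when a FIN or RST is seen from either side. The special cases for upper-layer protocols are not modelled.

```python
# Added example, not from the Nortel manual: TCP state tracking as described in
# the "TCP security" text.  Packets are plain dicts constructed in run_sample().


class StatefulTcpFirewall:
    """LAN-originated connections are cached; WAN-originated SYNs are dropped."""

    def __init__(self):
        self.cache = {}   # (lan_ip, lan_port, wan_ip, wan_port) -> connection state
        self.log = []

    @staticmethod
    def is_initiation(pkt):
        """Initiation packet: SYN set and ACK clear."""
        return "SYN" in pkt["flags"] and "ACK" not in pkt["flags"]

    @staticmethod
    def _key(pkt):
        """Normalise to (LAN side, WAN side) whichever way the packet travels."""
        if pkt["iface"] == "LAN":
            return (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        return (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])

    def _drop(self, reason, pkt):
        self.log.append("DROP %s: %s:%d -> %s:%d" % (
            reason, pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]))
        return "DROP"

    def process(self, pkt):
        key = self._key(pkt)
        if self.is_initiation(pkt):
            if pkt["iface"] == "WAN":
                return self._drop("initiation from WAN", pkt)
            # LAN-originated: allowed by the default policy, remember the connection
            self.cache[key] = {"lan_seq": pkt["seq"], "established": False}
            return "FORWARD"
        entry = self.cache.get(key)
        if entry is None:
            return self._drop("no matching connection", pkt)
        if pkt["iface"] == "WAN" and not entry["established"]:
            # assumption: the peer's SYN-ACK must acknowledge the cached sequence number
            if pkt["ack"] != entry["lan_seq"] + 1:
                return self._drop("bad acknowledgement number", pkt)
            entry["established"] = True
        if pkt["flags"] & {"FIN", "RST"}:
            del self.cache[key]   # assumption: entry removed on FIN/RST from either side
        return "FORWARD"


def run_sample():
    """Constructed trace: one legitimate outbound HTTP session, one inbound
    SYN scan, one inbound ACK probe, then traffic after teardown."""
    fw = StatefulTcpFirewall()

    def pkt(iface, src, sport, dst, dport, flags, seq=0, ack=0):
        return {"iface": iface, "src": src, "sport": sport, "dst": dst,
                "dport": dport, "flags": set(flags), "seq": seq, "ack": ack}

    sample = [
        pkt("LAN", "192.168.1.33", 40001, "203.0.113.5", 80, ["SYN"], seq=1000),
        pkt("WAN", "203.0.113.5", 80, "192.168.1.33", 40001, ["SYN", "ACK"], seq=5000, ack=1001),
        pkt("LAN", "192.168.1.33", 40001, "203.0.113.5", 80, ["ACK"], seq=1001, ack=5001),
        pkt("WAN", "198.51.100.9", 1234, "192.168.1.33", 22, ["SYN"], seq=77),          # inbound scan
        pkt("WAN", "198.51.100.9", 1234, "192.168.1.33", 22, ["ACK"], seq=78, ack=1),   # ACK probe
        pkt("WAN", "203.0.113.5", 80, "192.168.1.33", 40001, ["FIN", "ACK"], seq=5001, ack=1001),
        pkt("LAN", "192.168.1.33", 40001, "203.0.113.5", 80, ["PSH", "ACK"], seq=1001, ack=5002),
    ]
    return [fw.process(p) for p in sample], fw.log


if __name__ == "__main__":
    verdicts, log = run_sample()
    print(verdicts)
    print("\n".join(log))
```

The log entries are the ones a practitioner looks for when a LAN client complains: a WAN packet dropped for "no matching connection" against a port the client did open usually means the cache entry expired or was torn down on one side before the other finished.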
nd the Business Secure Router blocked or forwarded it according to the configuration of the ACL set.
Firewall default policy: GRE (set:%d): GRE access matched the default policy of the listed ACL set and the Business Secure Router blocked or forwarded it according to the configuration of the ACL set.
Firewall default policy: OSPF (set:%d): OSPF access matched the default policy of the listed ACL set and the Business Secure Router blocked or forwarded it according to the configuration of the ACL set.
Firewall default policy: (set:%d): Access matched the default policy of the listed ACL set and the Business Secure Router blocked or forwarded it according to the configuration of the ACL set.
Firewall rule match: TCP (set:%d, rule:%d): TCP access matched the listed firewall rule and the Business Secure Router blocked or forwarded it according to the configuration of the rule.
Firewall rule match: UDP (set:%d, rule:%d): UDP access matched the listed firewall rule and the Business Secure Router blocked or forwarded it according to the configuration of the rule.
Firewall rule match: ICMP (set:%d, rule:%d, type:%d, code:%d): ICMP access matched the listed firewall r
ule and the Business Secure Router blocked or forwarded it according to the configuration of the rule.
Firewall rule match: IGMP (set:%d, rule:%d): IGMP access matched the listed firewall rule and the Business Secure Router blocked or forwarded it according to the configuration
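The Edit Rule and Summary screens (Figure 53 and Table 37 above) define rules by source address, destination address and a set of services, evaluate them in index order per packet direction, and fall back to the direction's default action, while the "Firewall rule match" and "Firewall default policy" messages listed here report which set and rule decided each packet. The following is an added example written for this page, not code from the Nortel manual or the product: it implements that ordered evaluation, including the insert-by-index behaviour ("if you type 1, your new rule becomes number 1 and the previous rule 1 becomes rule 2"), address specs in the four forms the screen allows (single IP, range, subnet, any), multi-protocol services such as DNS(UDP/TCP:53), and log lines in the shape of the messages above. Assumptions, marked in the code: the set number in the log is the 1-based position of the direction in DIRECTIONS, an insert index past the end appends, and the predefined SERVICES table is a three-entry stand-in for the product's list.

```python
# Added example, not from the Nortel manual: ordered firewall rule evaluation
# with per-direction default policy and log lines modelled on Appendix B.
import ipaddress

DIRECTIONS = ["LAN to WAN", "WAN to LAN"]   # assumption: set number = index + 1


def parse_address(spec):
    """'any', a single IP, a range 'a-b' or a subnet 'x/len' -> matcher(ip)."""
    spec = spec.strip()
    if spec.lower() == "any":
        return lambda ip: True
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return lambda ip: lo <= ipaddress.ip_address(ip) <= hi
    if "/" in spec:
        net = ipaddress.ip_network(spec, strict=False)
        return lambda ip: ipaddress.ip_address(ip) in net
    one = ipaddress.ip_address(spec)
    return lambda ip: ipaddress.ip_address(ip) == one


# stand-in for the predefined service list, in the manual's NAME(PROTO:PORT)
# style; a service may span more than one protocol (DNS is UDP 53 and TCP 53)
SERVICES = {
    "DNS(UDP/TCP:53)": {("UDP", 53), ("TCP", 53)},
    "HTTP(TCP:80)": {("TCP", 80)},
    "ANY": None,   # every protocol and port
}


class Rule:
    def __init__(self, src, dst, service, action, active=True, log=False):
        self.src, self.dst = parse_address(src), parse_address(dst)
        self.ports = SERVICES[service]
        self.action, self.active, self.log = action, active, log

    def matches(self, pkt):
        if not self.active or not self.src(pkt["src"]) or not self.dst(pkt["dst"]):
            return False
        return self.ports is None or (pkt["proto"], pkt.get("dport")) in self.ports


class Firewall:
    def __init__(self):
        self.rules = {d: [] for d in DIRECTIONS}
        # default policy: LAN-originated traffic out, nothing unsolicited in
        self.default = {"LAN to WAN": "Forward", "WAN to LAN": "Block"}
        self.log_default = {d: False for d in DIRECTIONS}

    def insert(self, direction, index, rule):
        """Insert before 1-based index; the old rule at that index and all later
        rules move down by one.  Assumption: an index past the end appends."""
        rules = self.rules[direction]
        rules.insert(min(max(index, 1), len(rules) + 1) - 1, rule)

    def delete(self, direction, index):
        """Remove the 1-based index; the rules after it move up by one."""
        del self.rules[direction][index - 1]

    def evaluate(self, direction, pkt):
        """First matching active rule wins; otherwise the direction's default."""
        set_no = DIRECTIONS.index(direction) + 1
        for n, rule in enumerate(self.rules[direction], start=1):
            if rule.matches(pkt):
                msg = None
                if rule.log:
                    msg = "Firewall rule match: %s (set:%d, rule:%d)" % (pkt["proto"], set_no, n)
                return rule.action, msg
        msg = None
        if self.log_default[direction]:
            msg = "Firewall default policy: %s (set:%d)" % (pkt["proto"], set_no)
        return self.default[direction], msg


if __name__ == "__main__":
    fw = Firewall()
    fw.log_default["WAN to LAN"] = True
    fw.insert("WAN to LAN", 1, Rule("any", "192.168.1.10", "DNS(UDP/TCP:53)", "Forward", log=True))
    fw.insert("WAN to LAN", 1, Rule("10.0.0.0/8", "any", "ANY", "Block", log=True))
    for p in ({"proto": "UDP", "src": "8.8.8.8", "dst": "192.168.1.10", "dport": 53},
              {"proto": "UDP", "src": "10.1.2.3", "dst": "192.168.1.10", "dport": 53},
              {"proto": "TCP", "src": "8.8.8.8", "dst": "192.168.1.10", "dport": 80}):
        print(fw.evaluate("WAN to LAN", p))
```

The second insert in the usage shows the ordering point the Summary screen makes: inserting a Block rule at index 1 pushes the DNS rule to index 2, and the log line for the same DNS packet now reports rule:2, so rule numbers in the log must be read against the current order, not the order in which rules were created.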
313. ndshake. Once the queue is full, the system ignores all incoming SYN requests, making the system unavailable for legitimate users.

Figure 47 SYN flood (diagram of a client sending SYN packets to a server, which answers each with SYN-ACK)

In a LAND attack, hackers flood SYN packets into the network with a spoofed source IP address of the targeted system. This makes it appear as if the host computer sent the packets to itself, making the system unavailable while the target system tries to respond to itself.

3. A brute-force attack, such as a Smurf attack, targets a feature in the IP specification known as directed or subnet broadcasting to quickly flood the target network with useless data. A Smurf hacker floods a router with Internet Control Message Protocol (ICMP) echo request packets (pings). Since the destination IP address of each packet is the broadcast address of the network, the router broadcasts the ICMP echo request packet to all hosts on the network. If there are numerous hosts, this creates a large amount of ICMP echo request and response traffic. If a hacker chooses to spoof the source IP address of the ICMP echo request packet, the resulting ICMP traffic not only clogs up the intermediary network but also congests the network of the spoofed source IP address, known as the victim network. This flood of broadcast traffic consumes all available bandwidth, making communications im
314. ne a virtual circuit.
VPI: The valid range for the VPI is 0 to 255. Enter the VPI assigned to you.
VCI: The valid range for the VCI is 32 to 65,535 (0 to 31 is reserved for local management of ATM traffic). Enter the VCI assigned to you.
Login Information (PPPoA and PPPoE encapsulation only)
Service Name (PPPoE only): Type the name of your PPPoE service here.
User Name: Enter the username exactly as your ISP assigned. If assigned a name in the form user@domain, where domain identifies a service name, enter both components exactly as given.
Password: Enter the password associated with the username above.
Retype to Confirm: Enter the password again to confirm.
Nailed-Up Connection: Select Nailed-Up Connection if you want your connection up all the time. The Business Secure Router tries to bring up the connection automatically if it is disconnected.
Idle Timeout: Specify an idle time out in the Idle Timeout field. The default setting is 0, which means the Internet session does not time out.

Table 18 WAN > WAN ISP (continued)
Label / Description
PPPoE Pass Through (PPPoE encapsulation only): This field is available when you select PPPoE encapsulation. In addition to the Business Secure Router built-in PPPoE client, you can enable PPPoE pass through to allow up to ten hosts on the LAN to use PPPoE client software on their computers to connect to
315. ne time.
• A web remote management session is running with a Telnet session. A web session is disconnected if you begin a Telnet session, and it does not begin if a Telnet session is already running.
• A firewall rule blocks access to the device.

Remote management and NAT
When NAT is enabled:
• Use the Business Secure Router WAN IP address when configuring from the WAN.
• Use the Business Secure Router LAN IP address when configuring from the LAN.

System timeout
There is a system timeout of 5 minutes (300 seconds) for either the console port or Telnet, web, or FTP connections. Your Business Secure Router automatically logs you off if you do nothing in this timeout period, except when it is continuously updating the status in menu 24.1 or when sys stdio was changed on the command line. Use the System screen to change the timeout period in the Administrator Inactivity Timer field.

Introduction to HTTPS
HTTPS (HyperText Transfer Protocol over Secure Socket Layer, or HTTP over SSL) is a web protocol that encrypts and decrypts Web pages. Secure Socket Layer (SSL) is an application-level protocol that enables secure transactions of data by ensuring confidentiality (an unauthorized party cannot read the transferred data), authentication (one party can identify the other party), and data integrity (you know if data has been changed). HTTPS relies upon certificates, public keys, and private
316. ned the certificate, not a certification authority. X.509 means that this certificate was created and signed according to the ITU-T X.509 recommendation that defines the formats for public-key certificates.
Version: This field displays the X.509 version number.
Serial Number: This field displays the identification number of the certificate, given by the certification authority or generated by the Business Secure Router.
Subject: This field displays information that identifies the owner of the certificate, such as Common Name (CN), Organizational Unit (OU), Organization (O), or Country (C).

(Nortel Business Secure Router 252 Configuration Basics, page 276, Chapter 14 Certificates)

Table 67 My Certificate details
Label / Description
Issuer: This field displays identifying information about the certification authority that issued the certificate, such as Common Name, Organizational Unit, Organization, or Country. With self-signed certificates, this is the same as the Subject Name field.
Signature Algorithm: This field displays the type of algorithm that was used to sign the certificate. The Business Secure Router uses rsa-pkcs1-sha1 (RSA public/private key encryption algorithm and the SHA1 hash algorithm). Some certification authorities can use rsa-pkcs1-md5 (RSA public/private key encryption algorithm and the MD5 hash algorithm).
Valid From: This field displays the date that the certifica
317. need to create custom rules to allow it.

Figure 51 WAN to LAN traffic (diagram: by default NO incoming connections (WAN to LAN) are allowed unless you create rules allowing certain WAN users/services access to your LAN)

Configuring firewall
Click FIREWALL to open the Summary screen. Enable or activate the firewall by selecting the Enable Firewall check box, as seen in Figure 52.

The Business Secure Router applies the firewall rules in order, starting from the first rule for the direction of travel of a packet. When the traffic matches a rule, the Business Secure Router takes the action in the rule and stops checking the firewall rules.

For example, you have one general rule that blocks all LAN-to-WAN IRC (Internet Relay Chat), and you have another rule that allows IRC traffic from your company president's LAN IP address to go to the WAN. In order for the president's IRC traffic to get through, the rule for the president's IP address must come before the rule that blocks all LAN-to-WAN IRC traffic. If the rule that blocks all LAN-to-WAN IRC traffic comes first, all LAN-to-WAN IRC traffic matches that rule, and the Business Secure Router drops the president's connection and does not check any other firewall rules.

If you list a general rule before a specific rule, traffic that you w
318. nfigure a list of inside (behind NAT on the LAN) servers, for example web or FTP. The Business Secure Router makes these servers visible to the devices using the VPN branch NAT tunnel from behind the remote IPSec router, even though NAT makes your inside network appear as a single machine. This option applies when the Type field is configured to Many-to-One.
Active: Enable this feature to have the Business Secure Router use a different virtual IP address for the VPN connection. When you enable branch tunnel NAT address mapping, you do not configure the local section.

Table 55 VPN Branch Office IP Policy
Label / Description
Type: Select one of the following port mapping types.
1. One-to-One: One-to-one mode maps one private IP address to one virtual IP address. Port numbers do not change with one-to-one NAT mapping.
2. Many-to-One: Many-to-One mode maps multiple private IP addresses to one virtual IP address. This is equivalent to SUA (for example, PAT, port address translation), the Business Secure Router's Single User Account feature.
3. Many One-to-one: Many One-to-one mode maps each private IP address to a unique virtual IP address. Port numbers do not change with many one-to-one NAT mapping.
Private Starting IP Address: When the Type field is configured to One-to-one, enter the static IP address of the computer on your Business Secure Router's LAN that
319. nformation. RIP-1 is probably adequate for most networks, unless you have an unusual network topology. Both RIP-2B and RIP-2M send the routing data in RIP-2 format; the difference is that RIP-2B uses subnet broadcasting while RIP-2M uses multicasting. Multicasting can reduce the load on non-router machines, since they generally do not listen to the RIP multicast address and so do not receive the RIP packets. However, if one router uses multicasting, then all routers on your network must use multicasting also. By default, the RIP Version field is set to RIP-1.
Multicast: Choose None (default), IGMP-V1, or IGMP-V2. IGMP (Internet Group Multicast Protocol) is a network-layer protocol used to establish membership in a multicast group; it is not used to carry user data. IGMP version 2 (RFC 2236) is an improvement over version 1 (RFC 1112), but IGMP version 1 is still in wide use. If you want to read more detailed information about interoperability between IGMP version 2 and version 1, see sections 4 and 5 of Internet Group Management Protocol (RFC 2236).
Call Schedule (PPPoE and PPPoA encapsulation): Apply call schedule sets for this remote node. Use the Call Schedule screens to configure call schedule sets (see Chapter 21, Call scheduling screens, on page 387).
Windows Networking (NetBIOS over TCP/IP)
Windows Networking (NetBIOS over TCP/IP): NetBIOS (Network Basic Input/Output System) packets are TCP or UDP packets that en
320. nge. Port Number: E 23. Apply / Cancel.
8. The firewall rule configuration screen displays. Use the arrows between Available Services and Selected Services to configure it as shown in Figure 59. Click Apply after you are done.
Note: Custom ports show up with an * before their names in the Services list box and the Rule Summary list box. Click Apply after you have created your custom port.

Figure 59 MyService rule configuration example (screenshot of FIREWALL > EDIT RULE: Packet Direction WAN to LAN, Active; Destination IP Address 10.0.0.10 to 10.0.0.15; Source IP Address Any; Selected Services: My Service (TCP/UDP 123) as a custom port; Action for Matched Packets: Forward; Log, Alert; Apply, Cancel)

After completing the configuration procedure for this Internet firewall rule, the Rule Summary screen will look like the one illustrated in Figure 60. Rule 1 allows a My Service connection from the WAN to IP addresses 10.0.0.10 through 10.0.0.15 on the LAN. Remember to click Apply after you finish configuring your rules to save your settings to the Business Secure Router.

Figure 60 My Service examp
321. nical issues, sign up for automatic notification of new software and documentation for Nortel equipment
• open and manage technical support cases

Getting Help over the phone from a Nortel Solutions Center
If you don't find the information you require on the Nortel Technical Support Web site and have a Nortel support contract, you can also get help over the phone from a Nortel Solutions Center. In North America, call 1-800-4NORTEL (1-800-466-7835). Outside North America, go to the following Web site to obtain the phone number for your region: www.nortel.com/callus

Getting Help from a specialist by using an Express Routing Code
To access some Nortel Technical Solutions Centers, you can use an Express Routing Code (ERC) to quickly route your call to a specialist in your Nortel product or service. To locate the ERC for your product or service, go to www.nortel.com/erc

Getting Help through a Nortel distributor or reseller
If you purchased a service contract for your Nortel product from a distributor or authorized reseller, contact the technical support staff for that distributor or reseller.

Chapter 1 Getting to know your Business Secure Router
This chapter introduces the main features and applications of the Business Secure Router.

Introducing the Business Secure Router
The Business Secure Router is an ideal
322. ns, both the sending device and the receiving device must use the same secret key, which can be used to encrypt and decrypt the message or to generate and verify a message authentication code. The DES encryption algorithm uses a 56-bit key. Triple DES (3DES) is a variation on DES that uses a 168-bit key. As a result, 3DES is more secure than DES. It also requires more processing power, resulting in increased latency and decreased throughput. You can select a 128-bit, 192-bit, or 256-bit key with this implementation of AES. AES is faster than 3DES. Select NULL to set up a tunnel without encryption. When you select NULL, you do not enter an encryption key.
Authentication Algorithm: Select SHA1 or MD5 from the drop-down list. MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. The SHA1 algorithm is generally considered stronger than MD5 but is slower. Select MD5 for minimal security and SHA1 for maximum security.
SA Life Time: Define the length of time before an IKE SA automatically renegotiates in this field. It can range from 60 to 3,000,000 seconds (almost 35 days). A short SA life time increases security by forcing the two IPSec routers to update the encryption and authentication keys. However, every time the VPN tunnel renegotiates, all users accessing remote resources are temporarily disconnected.
Encapsulation: Select Tunnel mode or Transport mode from the drop
323. nt BCM50: ip dhcp enif0 server m50mac clear

4. Login Requires Reboot
If the Administrator Timeout is set to 0 and an administration session is terminated without logging off, the router needs to be rebooted in order for the administrator to log in to the WebGUI again. Alternatively, the administrator can log in using a Telnet session if Telnet access has been enabled in the Remote Management menu.

5. Clicking Sound
The Business Secure Router will click once every two minutes until an ADSL line is connected.

Firewall
1. Address Range Validation
In the firewall rules, the router does not confirm, when given an address range, that the second address is higher than the first. If this type of address range is entered, the range is ignored.
2. Automatic Firewall Programming
Configurations to various areas of the router, such as remote management or adding a SUA Server, do not automatically add the appropriate rules to the Firewall to enable the traffic to pass through the router. These need to be added separately.
Note: Firewall rules do not apply to IPSec tunnels.

NAT
1. Deleting NAT Rule Does Not Drop an Existing Connection
If a NAT rule is deleted, the router must be rebooted to apply the change to existing service connections. This is already noted in the GUI.
2. NAT Traversal Status
If NAT Traversal is enabled but is not needed because
324. ntifiable information without your implicit consent. Restricts first-party cookies that use personally identifiable information without implicit consent.
Pop-up Blocker: Prevent most pop-up windows from appearing (Block pop-ups).

3. Type the IP address of your device (the Web page that you do not want to have blocked) with the prefix http://. For example, http://192.168.1.1
4. Click Add to move the IP address to the list of Allowed sites.

Figure 174 Pop-up Blocker settings (screenshot of the Pop-up Blocker Settings dialog: Exceptions; Address of Web site to allow: http://192.168.1.1, Add; Allowed sites; Notifications and Filter Level: Play a sound when a pop-up is blocked, Show Information Bar when a pop-up is blocked; Filter Level: Medium, Block most automatic pop-ups)

5. Click Close to return to the Internet Options screen.
6. Click Apply to save this setting.

Internet Explorer JavaScript
If pages of the WebGUI do not display properly in Internet Explorer, check that JavaScript and Java permissions are enabled.
1. In Internet Explorer, click Tools, Internet Options and then the Security tab.

Figure 175 Internet options
325. ntivity VPN clients must also have NAT traversal enabled. You also need to specify the UDP port that is used for the VPN traffic.
Disable Client IKE Source Port Switching: With client IKE source port switching, if the Business Secure Router detects that traffic is going through NAT, it asks the client to use a UDP port higher than the standard of 500, such as port 1023. Turn off client source port switching if the NAT router requires IKE to use port 500.
UDP Port: Specifies the UDP port to use for the VPN traffic. In order for a Contivity VPN client behind a NAT router to receive an initiating IPSec packet, set the NAT router to forward this UDP port to the Contivity VPN client behind the NAT router.
Fail Over: The fail over feature allows a Contivity VPN client to establish a VPN connection to a backup IPSec router when the Business Secure Router is not accessible. The VPN fail over feature must also be set up in the Contivity VPN clients.
First Gateway / Second Gateway / Third Gateway: Enter the IP addresses of the backup IPSec routers. When the Business Secure Router is unreachable or fails to respond to IKE negotiation, the Contivity VPN client tries to establish a VPN connection to a backup IPSec router.
Enable Failover Tuning: Enable the VPN fail over feature to have the Business Secure Router keep sending keep-alive packets to the Contivity VPN clients in order to check the connection and keep the connect
326. o upload. Remember that you must decompress compressed (ZIP) files before you can upload them.
Upload: Click Upload to begin the upload process.
Note: Do not turn off the device while configuration file upload is in progress. After you see a configuration upload successful screen, you must then wait one minute before logging on to the device again.

Figure 168 Configuration Upload Successful (screenshot: RESTORE CONFIGURATION. Restore Configuration Successful. The Router Is Rebooting Now. Please Wait.)

After the device finishes rebooting, the login screen displays. The device automatically restarts in this time, causing a temporary network disconnect. In some operating systems, you see the icon shown in Figure 169 on your desktop.

Figure 169 Network Temporarily Disconnected (screenshot: Local Area Connection, Network cable unplugged)

If you uploaded the default configuration file, you need to change the IP address of your computer to be in the same subnet as that of the default device IP address (192.168.1.1). See your Nortel Business Secure Router 252 Fundamentals (NN47923-301) guide for details about how to set up your computer IP address. If the upload was not successful, click Return to return to the Configuration screen.

Restart screen
With system restart you can reboot the Business Secure Router without turning t
327. odels. Click Replace to create a certificate using your Business Secure Router's MAC address that will be specific to this device.

Figure 83 My Certificates (screenshot: Replace button; a SELF certificate named auto_generated_self_signed_cert with subject CN=Business Secure Router Factory Default, issuer CN=Business Secure Router Factory Default, Valid From 2000 Jan 1st 00:00:00 GMT, Valid To 2030 Jan 1st 00:00:00 GMT; Import, Create, Refresh buttons)

Table 64 describes the labels in Figure 83.

Table 64 My Certificates
Label / Description
PKI Storage Space in Use: This bar displays the percentage of the PKI storage space that is currently in use. The bar turns from green to red when the maximum is being approached. When the bar is red, consider deleting expired or unnecessary certificates before adding more certificates.
Replace: This button displays when the Business Secure Router has the factory default certificate. The factory default certificate is common to all Business Secure Routers that use certificates. Nortel recommends that you use this button to replace the factory default certificate with one that uses your Business Secure Router's MAC address.
#: This field displays the certificate index number. The certificates are listed in alphabetical order.
Name: This field displays the name used to identify this certificate. Nortel recommends that you give each certificate a unique name.
328. of the rule.
Firewall rule match: ESP (set d, rule d): ESP access matched the listed firewall rule and the Business Secure Router blocked or forwarded it according to the configuration of the rule.
Firewall rule match: GRE (set d, rule d): GRE access matched the listed firewall rule and the Business Secure Router blocked or forwarded it according to the configuration of the rule.
Firewall rule match: OSPF (set d, rule d): OSPF access matched the listed firewall rule and the Business Secure Router blocked or forwarded it according to the configuration of the rule.

Table 128 Access Logs
Log Message / Description
Firewall rule match (set d, rule d): Access matched the listed firewall rule and the Business Secure Router blocked or forwarded it according to the configuration of the rule.
Firewall rule NOT match: TCP (set d, rule d): TCP access did not match the listed firewall rule and the Business Secure Router logged it.
Firewall rule NOT match: UDP (set d, rule d): UDP access did not match the listed firewall rule and the Business Secure Router logged it.
Firewall rule NOT match: ICMP (set d, rule d): ICMP access did not match the listed firewall rule and the Business Secure Route
329. ol 254; Configuration 399; Content Filtering 38, 195 (Days and Times 195; Restrict Web Features 195); Contivity Client 214; Contivity VPN Client 211; Contivity VPN Client Software 37, 248; conventions, text 29; Cookies 197; copyright 2; CPU utilization 398; Custom Port 180; Custom Ports, Creating/Editing 182

D
Data Terminal Ready 124; DDNS Type 86; Default 405; Default Policy Log 177; Default Server 138; Default Server IP Address 137; Denial of Service 155, 156, 190, 191; DES 205; Destination Address 172, 180; DHCP 65, 85, 97, 98, 399; DHCP (Dynamic Host Configuration Protocol) 40; DHCP Server 101; diagnostic 400; Dial 126; Dial Backup 119; Dial Backup Port Speed 121; Dial Timeout 126; DNS 81, 357; DNS Relay 68; DNS Server For VPN Host 81; DNS server 68; DNS Servers 98; Domain Name 83, 136; DoS (Basics 156; Types 157); DoS (Denial of Service) 37; downstream noise margin 402; Drop 126; Drop DTR When Hang Up 126; Drop Timeout 126; DTE 124; DTR 124; DTR Signal 124; Dynamic DNS 85; Dynamic DNS Service Provider 86; Dynamic DNS Support 39; Dynamic Host Configuration Protocol 97; dynamic IP address 60; DYNDNS Wildcard 85, 87

E
ECHO 136; Enable Wildcard 87; Encapsulating Security Payload 204; Encapsulation 53, 56 (ENET ENCAP 53; PPP over Ethernet 54; PPPoA 54; RFC 1483 54); encapsulation 35; encapsulation method 53; ENET ENCAP 53; ESP 204; ESP Protocol 204

F
Factory LAN Defaults 98; F
330. ombination of tunneling, encryption, authentication, access control, and auditing technologies or services used to transport traffic over the Internet or any insecure network that uses the TCP/IP protocol suite for communication. Use the screens documented in this chapter to configure rules for VPN connections and manage VPN connections.

IPSec
Internet Protocol Security (IPSec) is a standards-based VPN that offers flexible solutions for secure data communications across a public network like the Internet. IPSec is built around a number of standardized cryptographic techniques to provide confidentiality, data integrity, and authentication at the IP layer.

Business Secure Router VPN functions
You can use the Business Secure Router as either
• A Contivity Client for an encrypted connection to a single VPN router, or
• A VPN router that can have encrypted connections to multiple remote VPN routers. With this role it can also serve as a termination point for encrypted connections from computers using Nortel Contivity VPN Client 3.0, 5.01, 5.11, 6.01, 6.02, or 7.01 software.
See Table 1 on page 34 for details about the VPN specifications of the Business Secure Router.

VPN screens overview
Table 44 summarizes the main functions of the VPN screens.

Table 43 VPN Screens overview
Screens / Description
Summary: This screen lists a
331. on is a mathematical operation that transforms data from plaintext (readable) to ciphertext (scrambled text) using a key. The key and clear text are processed by the encryption operation, which leads to the data scrambling that makes encryption secure. Decryption is the opposite of encryption; it is a mathematical operation that transforms ciphertext to plaintext. Decryption also requires a key.

Figure 63 Encryption and decryption (diagram: Plaintext, with a Key, becomes Ciphertext through encryption; Ciphertext, with the Key, becomes Plaintext through decryption)

Data confidentiality: The IPSec sender can encrypt packets before transmitting them across a network.
Data integrity: The IPSec receiver can validate packets sent by the IPSec sender to ensure that the data is not altered during transmission.
Data origin authentication: The IPSec receiver can verify the source of IPSec packets. This service depends on the data integrity service.

VPN applications
The Business Secure Router supports the following VPN applications:
• Linking Two or More Private Networks Together. Connect branch offices and business partners over the Internet with significant cost savings and improved performance when compared to leased lines between sites.
• Accessing Network Resources When NAT Is Enabled. When NAT is enabled between the WAN and the LAN, remote users are not able to access hosts on the LAN unless the hos
332. onfiguration Basics 324 Chapter 17 Authentication server

Figure 108 Current split networks edit (screenshot: Network Name; IP Address 0.0.0.0; Netmask 0.0.0.0; Current Subsets for Network example: 132.168.1.0/24; Add, Delete, Clear, Apply, Cancel)

Table 87 describes the labels in Figure 108.

Table 87 Current split networks edit
Label / Description
Network Name: Enter a name to identify the split network.
IP Address: Enter the IP address for the split network in dotted decimal notation.
Netmask: Enter the netmask for the split network in dotted decimal notation.
Current Subnets for Network: This box displays the subnets that belong to this split network.
Add: Click Add to save your split network configuration.
Delete: Select a network subset and click Delete to remove it.
Clear: Click Clear to remove all of the configuration field and subnet settings.
Apply: Click Apply to save your changes to the Business Secure Router.
Cancel: Click Cancel to exit this screen without saving your changes.

Configuring RADIUS
Use RADIUS if you want to authenticate users using an external server. To set up RADIUS server settings, click AUTH SERVER, then the RADIUS tab. The screen appears as shown in Figure 109.
333. onfiguration Basics 42 Chapter 1 Getting to know your Business Secure Router

Figure 1 Secure Internet Access and VPN Application (diagram: Business Secure Router, LAN, Internet, Remote Network)

Hardware Setup
Refer to Nortel Business Secure Router 252 Fundamentals (NN47923-301) for hardware connection instructions.
Note: To keep the Business Secure Router operating at optimal internal temperature, keep the bottom, sides, and rear clear of obstructions and away from the exhaust of other equipment.
After installing your Business Secure Router, continue with the rest of this guide for configuration instructions.
Caution: Electrostatic Discharge can disrupt the router. Use appropriate handling precautions to avoid ESD. Avoid touching the connectors on the router, particularly when it is in use.
Note: Please use only No. 26 AWG (American Wire Gauge) or larger telecommunication line cord.

Chapter 2 Introducing the WebGUI
This chapter describes how to access the Business Secure Router WebGUI and provides an overview of its screens.

WebGUI overview
The WebGUI is an HTML-based management interface that a user can use for easy setup and management of the Business Secure Router through an Internet browser.
334. onfigure a custom port. This displays the screen illustrated in Figure 55.

Figure 55 Creating or editing a custom port (screenshot of FIREWALL > EDIT RULE > EDIT CUSTOM PORT: Service Name; Service Type TCP/UDP; Port Configuration Type: Single or Range; Port Number 0; Apply, Cancel)

Table 39 describes the fields in Figure 55.

Table 39 Creating/Editing A Custom Port
Label / Description
Service Name: Enter a unique name to identify the service (a service that is not predefined in the Business Secure Router).
Service Type: Choose the IP port (TCP, UDP, or Both) that defines your customized port from the drop-down list.
Port Configuration Type: Click Single to specify one port only, or Range to specify a span of ports that define your customized service.
Port Number: Enter a single port number or the range of port numbers that define your customized service.
Apply: Click Apply to save your changes to the Business Secure Router and exit this screen.
Cancel: Click Cancel to exit this screen without saving.

Example firewall rule
The following Internet firewall rule example allows a hypothetical My Service connection from the Internet.
1. Click the Firewall link and then the Summary tab.
2. In the Summary screen, type the index number for where you want to put the rule. For example, if you type 6, your new rule becomes number 6 and the previous
335. onnected to the LAN interface
• LAN to WAN

By default, the Business Secure Router stateful packet inspection blocks packets traveling in the following directions:
• WAN to LAN
• WAN to WAN/Business Secure Router
This prevents computers on the WAN from using the Business Secure Router as a gateway to communicate with other computers on the WAN, or to manage the Business Secure Router, or both.

You can define additional rules and sets or modify existing ones, but exercise extreme caution in doing so. Make sure you test your rules after you configure them.
Note: If you configure firewall rules without a good understanding of how they work, you can inadvertently introduce security risks to the firewall and to the protected network.

For example, you can create rules to:
• Block certain types of traffic, such as IRC (Internet Relay Chat), from the LAN to the Internet.
• Allow certain types of traffic, such as Lotus Notes database synchronization, from specific hosts on the Internet to specific hosts on the LAN.
• Allow everyone except your competitors to access a Web server.
• Restrict use of certain protocols, such as Telnet, to authorized users on the LAN.

These custom rules work by comparing the Source IP address, Destination IP address, and IP protocol type of network traffic to rules set by the administrator. Your
336. ons, both the sending device and the receiving device must use the same secret key, which can be used to encrypt and decrypt the message or to generate and verify a message authentication code. The DES encryption algorithm uses a 56-bit key. Triple DES is a variation on DES that uses a 168-bit key. Triple DES is more secure than DES. It also requires more processing power, resulting in increased latency and decreased throughput. You can select a 128-bit key implementation of AES. AES is faster than 3DES. SHA1 (Secure Hash Algorithm) and MD5 (Message Digest 5) are hash algorithms used to authenticate packet data. The SHA1 algorithm is generally considered stronger than MD5 but is slower.
IKE Encryption and Diffie-Hellman Group: Select the combinations of encryption algorithm and Diffie-Hellman key group that the Business Secure Router is to use for phase 1 IKE setup with Contivity VPN clients. The DES encryption algorithm uses a 56-bit key. Triple DES is a variation on DES that uses a 168-bit key. Triple DES is more secure than DES. It also requires more processing power, resulting in increased latency and decreased throughput. You can select a 128-bit key implementation of AES. AES is faster than 3DES. Diffie-Hellman (DH) is a public-key cryptography protocol that is used within IKE SA setup to establish session keys. The larger the Diffie-Hellman Group, the higher the security. Diffie-Hellman Group 1 uses a 768-bit random number
ons. On the Security tab of the Internet Options dialog (tabs: General, Security, Privacy, Content, Connections, Programs, Advanced), select a Web content zone to specify its security settings (Internet, Local intranet, Trusted sites, Restricted sites). The Internet zone contains all Web sites you have not placed in other zones. Move the slider to set the security level for this zone; Medium (safe browsing and still functional; prompts before downloading potentially unsafe content; unsigned ActiveX controls will not be downloaded; appropriate for most Internet sites) is the default. Click the Custom Level button. Scroll down to Scripting. Under Active scripting, make sure that Enable is selected (the default). Under Scripting of Java applets, make sure that Enable is selected (the default).
6. Click OK to close the window.
Figure 176 Security Settings, Java Scripting (Settings: Scripting; Active scripting: Disable / Enable / Prompt; Allow paste operations via script: Disable / Enable / Prompt; Scripting of Java applets: Disable / Enable / Prompt; Reset custom settings: Reset to Medium)

Internet Explorer Java Permissions
1. From Internet Explorer, click
or click Browse to find it.
Browse: Click Browse to find the .bin file you want to upload. Remember that you must decompress compressed (.zip) files before you can upload them.
Upload: Click Upload to begin the upload process. This process can take up to two minutes.
Note: Do not turn off the device while firmware upload is in progress. After you see the Firmware Upload in Process screen (Figure 163), wait two minutes before logging on to the device again.
Figure 163 Firmware Upload In Process: Firmware Upload In Progress. Warning: Do Not Turn Off the Device. Please wait for the device to finish restarting. This should take about two minutes. To access the device after a successful firmware upload you need to log in again. Check your new firmware version in the System Status screen.
The device automatically restarts in this time, causing a temporary network disconnect. In some operating systems you can see the icon shown in Figure 164 on your desktop.
Figure 164 Network Temporarily Disconnected: Local Area Connection, Network cable unplugged.
After two minutes, log on again and check your new firmware version in the System Status screen. If the upload was not successful, the screen shown in Figure 165 appears. Uploading the wrong firmware file or a corrupted firmware file can cause this er
or local services that are enabled, protect against misuse. Protect by configuring the services to communicate only with specific peers, and protect by configuring rules to block packets for the services at specific interfaces.
- Protect against IP spoofing by making sure the firewall is active.
- Keep the firewall in a secured (locked) room.

Packet filtering vs firewall
Below are some comparisons between the filtering and firewall functions of the Business Secure Router.

Packet filtering
The router filters packets as they pass through the router interface according to the filter rules you designed. Packet filtering is a powerful tool, yet it can be complex to configure and maintain, especially if you need a chain of rules to filter a service. Packet filtering only checks the header portion of an IP packet.

When to use filtering
1. To block or allow LAN packets by their MAC addresses.
2. To block or allow special IP packets that are neither TCP nor UDP nor ICMP packets.
3. To block or allow both inbound (WAN to LAN) and outbound (LAN to WAN) traffic between a specific inside host or network A and an outside host or network B. If the filter blocks the traffic from A to B, it also blocks the traffic from B to A. Filters cannot distinguish traffic originating from an inside host or an outside host by IP address.
4. To block or allow IP trace route.

Firewall
The firewall inspects pack
order.
Name: This field displays the name used to identify this certificate.
Subject: This field displays identifying information about the owner of the certificate, such as CN (Common Name), OU (Organizational Unit or department), O (Organization or company) or C (Country). Nortel recommends that each certificate have unique subject information.

Table 68 Trusted CAs (continued)
Issuer: This field displays identifying information about the certification authority that issued the certificate, such as a common name, organizational unit or department, organization or company, and country. With self-signed certificates this is the same information as in the Subject field.
Valid From: This field displays the date that the certificate becomes applicable. The text displays in red and includes a Not Yet Valid message if the certificate has not yet become applicable.
Valid To: This field displays the date that the certificate expires. The text displays in red and includes an Expiring or Expired message if the certificate is about to expire or has already expired.
CRL Issuer: This field displays Yes if the certification authority issues Certificate Revocation Lists for the certificates that it has issued and you have selected the Issues certificate revocation lists (CRL) check box in the certificate details screen to have the Business Secure Router check the CRL bef
ore trusting any certificates issued by the certification authority. Otherwise the field displays No.
Modify: Click the details icon to open a screen with an in-depth list of information about the certificate. Click the delete icon to remove the certificate; a window appears asking you to confirm that you want to delete the certificate. Note that subsequent certificates move up by one when you take this action. You cannot delete a certificate that is currently in use.
Import: Click Import to open a screen where you can save the certificate of a certification authority that you trust from your computer to the Business Secure Router.
Refresh: Click this button to display the current validity status of the certificates.

Importing a Trusted CA certificate
Click CERTIFICATES, Trusted CAs to open the Trusted CAs screen, and then click Import to open the Trusted CA Import screen shown in Figure 88. Follow the instructions in this screen to save a trusted certification authority certificate to the Business Secure Router.
Note: You must remove any spaces from the certificate filename before you can import the certificate.
Figure 88 Trusted CA import (CERTIFICATES, TRUSTED CA IMPORT): Import. Please specify the location of the certificate file to be imported. The certificate file must be in one of the fol
information about address assignment, refer to Address Allocation for Private Internets (RFC 1597, since obsoleted by RFC 1918) and Guidelines for Management of IP Address Space (RFC 1466).

Nailed-up connection (only with PPP)
A nailed-up connection is a dial-up line where the connection is always up regardless of traffic demand. The Business Secure Router does two things when you specify a nailed-up connection. First, idle timeout is disabled. Second, the Business Secure Router tries to bring up the connection when turned on and whenever the connection is down. A nailed-up connection can be expensive if you are billed by your Internet connection usage time. Do not specify a nailed-up connection unless your telephone company offers flat-rate service or you need a constant connection and the cost is of no concern.

NAT
Network Address Translation (NAT) is the translation of the IP address of a host in a packet (for example, the source address of an outgoing packet) used within one network to a different IP address known within another network.

Wizard setup configuration: second screen
The second wizard screen varies depending on which mode and encapsulation type you use. All screens shown use the routing mode. Configure the fields and click Next to continue.
Figure 9 Internet connection with PPPoA (Wizard Setup, ISP Parameters for Internet Access: User Name, Password
ort, Apply, Cancel)

Table 73 describes the labels in Figure 94.
Table 73 Trusted remote host details
Name: This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this key certificate. You can use any character, not including spaces.
Certification Path: Click the Refresh button to have this read-only text box display the end entity's own certificate and a list of certification authority certificates in the hierarchy of certification authorities that validate it, ending with the certification authority that issued the certificate. For a trusted host, the list consists of the certificate of the end entity and the default self-signed certificate that the Business Secure Router uses to sign remote host certificates. Because the Business Secure Router considers its own self-signed certificate to be a certification authority, the chain of certificates is complete and the Business Secure Router trusts the certificate.
Refresh: Click Refresh to display the certification path.
Certificate Information: These read-only fields display detailed information about the certificate.
Type: This field displays general information about the certificate. With trusted remote host certificates this field always displays CA-signed. The Business Secure Router
Table 127 Attack Logs (continued)
Log Message: Description
teardrop ICMP type %d code %d: The firewall detected an ICMP teardrop attack.
illegal command TCP: The firewall detected a TCP illegal command attack.
NetBIOS TCP: The firewall detected a TCP NetBIOS attack.
ip spoofing no routing entry TCP: The firewall detected a TCP IP spoofing attack while the Business Secure Router did not have a default route.
ip spoofing no routing entry UDP: The firewall detected a UDP IP spoofing attack while the Business Secure Router did not have a default route.
ip spoofing no routing entry IGMP: The firewall detected an IGMP IP spoofing attack while the Business Secure Router did not have a default route.
ip spoofing no routing entry ESP: The firewall detected an ESP IP spoofing attack while the Business Secure Router did not have a default route.
ip spoofing no routing entry GRE: The firewall detected a GRE IP spoofing attack while the Business Secure Router did not have a default route.
ip spoofing no routing entry OSPF: The firewall detected an OSPF IP spoofing attack while the Business Secure Router did not have a default route.
ip spoofing no routing entry ICMP type %d code %d: The firewall detected an ICMP IP spoofing attack while the Business Secure Router
host by IP address. The firewall performs better than filtering if you need to check many rules. Use the firewall if you need routine e-mail reports about your system or need to be alerted when attacks occur. The firewall can block any specific URL traffic that occurs in the future. The URL can be saved in an Access Control List (ACL) database.

Chapter 11 Firewall screens
This chapter shows you how to configure your Business Secure Router firewall.

Access methods
The WebGUI is by far the most comprehensive firewall configuration tool your Business Secure Router has to offer. For this reason, Nortel recommends that you configure your firewall using the WebGUI. With SMT screens you can activate the firewall. CLI commands provide limited configuration options and are only recommended for advanced users; refer to Nortel Business Secure Router 252 Configuration Advanced (NN47923-501) for firewall CLI commands.

Firewall policies overview
Firewall rules are grouped based on the direction of travel of the packets to which they apply:
- LAN to LAN/Business Secure Router
- WAN to LAN
- LAN to WAN
- WAN to WAN/Business Secure Router

By default, Business Secure Router stateful packet inspection allows packets traveling in the following directions:
- LAN to LAN/Business Secure Router. This allows computers on the LAN to manage the Business Secure Router and communicate between networks or subnets c
host's certificate.
SHA1 Fingerprint: This is the message digest of the certificate that the Business Secure Router calculated using the SHA1 algorithm. You cannot use this value to verify that this is the remote host's actual certificate, because the Business Secure Router has signed the certificate, which makes this value differ from that of the remote host's actual certificate. See Verifying a certificate of a trusted remote host on page 287 for how to verify a remote host's certificate.
Certificate in PEM (Base-64 Encoded) Format: This read-only text box displays the certificate or certification request in Privacy Enhanced Mail (PEM) format. PEM uses 64 ASCII characters to convert the binary certificate into a printable form. You can copy and paste the certificate into an e-mail to send to friends or colleagues, or you can copy and paste the certificate into a text editor and save the file on a management computer for later distribution (through floppy disk, for example).
Export: Click this button and then Save in the File Download screen. The Save As screen displays. Browse to the location that you want to use and click Save.

Table 73 Trusted remote host details (continued)
Apply: Click Apply to save your changes to the Business Secure Router. You can only change the name of the certific
ot

Table 54 VPN Branch Office rule setup (continued)
Available / Selected IP Policy: The Available IP Policy table displays network routes. Use the Add, Edit and Delete buttons to configure this list. Move the network routes that you want to use the VPN tunnel down into the Selected IP Policy table: select a network route's radio button in the Available IP Policy table, then click the down arrows to move it into the Selected IP Policy table. To remove a network route from the Selected IP Policy table, select its radio button in the Selected IP Policy table and click the up arrows. A network route that is already selected for a VPN tunnel does not display in the Available IP Policy table.
Private IP Address: This field displays the IP address or a range of IP addresses of the computers on your Business Secure Router's local network for which you have configured this VPN rule. For a range of addresses, the starting and ending IP addresses are displayed separated by a dash. This field applies when you configure the IP policy to use a branch tunnel NAT address mapping rule in the IP Policy screen. This field displays a single static IP address when the IP policy's Branch Tunnel NAT Address Mapping Rule Type field is configured to One-to-One in the IP Policy screen. This field displays the beginning and ending
you want to use, for example www.yourhost.dyndns.org, and still reach your host name.

Configuring Dynamic DNS
Note: If you have a private WAN IP address, you cannot use Dynamic DNS.
To change the DDNS settings, click SYSTEM, then the DDNS tab. The screen illustrated in Figure 18 appears.
Figure 18 DDNS (SYSTEM: Active; Service Provider: WWW.DynDNS.ORG; DDNS Type: Dynamic DNS; Host Name 1, Host Name 2, Host Name 3; Username; Password; Enable Wildcard; Off Line; IP Address Update Policy: DDNS Server Auto Detect IP Address / Use Specified IP Address / Use IP Address 0.0.0.0; Apply; Reset)
Table 9 describes the fields in Figure 18.
Table 9 DDNS
Active: Select this check box to use dynamic DNS.
Service Provider: Select the name of your Dynamic DNS service provider.
DDNS Type: Select the type of service that you are registered for from your Dynamic DNS service provider.
Host Names 1-3: Enter the host names in the three fields provided. You can specify up to two host names in each field, separated by a comma.
User: Enter your username (up to 31 characters).
Password: Enter the password associated with your username (up to 31 characters).
Enable Wildcard: Sel
you a fixed IP address. This is the default selection.
Use fixed IP address: Select this option if your ISP assigned a fixed IP address.
My WAN IP Address: Enter your WAN IP address in this field if you selected Use Fixed IP Address.
Network Address Translation: With Network Address Translation (NAT), the router translates an Internet protocol address used within one network (for example, a private IP address used in a local network) to a different IP address known within another network (for example, a public IP address used on the Internet). NAT is available when the device is in routing mode. Choose None to disable NAT. Choose SUA Only if you have a single public IP address; SUA (Single User Account) is a subset of NAT that supports two types of mapping, Many-to-One and Server. Choose Full Feature if you have multiple public IP addresses; Full Feature mapping types include One-to-One, Many-to-One (SUA/PAT), Many-to-Many Overload, Many One-to-One and Server. After you select Full Feature, you must configure at least one address mapping set.
Metric: This field sets this route's priority among the routes the Business Secure Router uses. The metric represents the cost of transmission. A router determines the best route for transmission by choosing the path with the lowest cost. RIP routing uses hop count as the measurement of cost, with a minimum of 1 for directly connected networks. The number must be betwee
source and destination addresses (FIREWALL, EDIT RULE, EDIT IP: Address Type: Any Address; Start IP Address; End IP Address; Subnet Mask)
Table 38 describes the fields in Figure 54.
Table 38 Adding or editing source and destination addresses
Address Type: Select an option from the drop-down list: Single Address, Range Address, Subnet Address or Any Address.
Start IP Address: Enter the single IP address or the starting IP address in a range here. Use a numerical IP address in dotted decimal notation, for example 192.168.1.10.
End IP Address: Enter the ending IP address in a range here. Use a numerical IP address in dotted decimal notation, for example 192.168.1.10.
Subnet Mask: Enter the subnet mask here, if applicable.
Apply: Click Apply to save your changes to the Business Secure Router and exit this screen.
Cancel: Click Cancel to exit this screen without saving.

Configuring custom ports
You can also configure customized ports for services not predefined by the Business Secure Router (see Predefined services on page 186 for a list of predefined services). For a comprehensive list of port numbers and services, visit the IANA (Internet Assigned Numbers Authority) Web site. Click the Add button under Custom Port while editing a firewall rule to c
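The rule model that the firewall chapter describes, as an added example that is not the router's own code: traffic is classified by direction (LAN to LAN/router, LAN to WAN, WAN to LAN, WAN to WAN/router), each direction has its own rule list and a documented default action, and a rule is matched on source address, destination address and IP protocol, with the four address types of the Edit IP Address screen (Single, Range, Subnet, Any). The first matching rule decides; otherwise the direction's default applies. The class, function and action names, and the IRC and Lotus Notes sample rules, are this example's own assumptions.

```python
"""Added example: first-match firewall rule evaluation per traffic direction,
with Single / Range / Subnet / Any address matching.  Not router code."""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

ALLOW, BLOCK = "FORWARD", "DROP"

# Default stateful-inspection policy per direction, as the manual documents it.
DEFAULT_ACTION = {
    "LAN->LAN": ALLOW, "LAN->WAN": ALLOW,
    "WAN->LAN": BLOCK, "WAN->WAN": BLOCK,
}


def address_set(kind, start=None, end=None, mask=None) -> Callable[[str], bool]:
    """Build a matcher for one of the four address types of the Edit IP Address screen."""
    if kind == "Any":
        return lambda ip: True
    if kind == "Single":
        target = ipaddress.ip_address(start)
        return lambda ip: ipaddress.ip_address(ip) == target
    if kind == "Range":
        lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
        return lambda ip: lo <= ipaddress.ip_address(ip) <= hi
    if kind == "Subnet":
        net = ipaddress.ip_network(f"{start}/{mask}", strict=False)
        return lambda ip: ipaddress.ip_address(ip) in net
    raise ValueError(f"unknown address type {kind!r}")


@dataclass
class Rule:
    src: Callable[[str], bool]
    dst: Callable[[str], bool]
    protocol: str                 # "TCP", "UDP", "ICMP" or "ANY"
    action: str                   # ALLOW or BLOCK
    dport: Optional[int] = None   # None means any destination port

    def matches(self, pkt) -> bool:
        return (self.src(pkt["src"]) and self.dst(pkt["dst"])
                and self.protocol in ("ANY", pkt["proto"])
                and (self.dport is None or self.dport == pkt.get("dport")))


@dataclass
class Firewall:
    rules: Dict[str, List[Rule]] = field(
        default_factory=lambda: {d: [] for d in DEFAULT_ACTION})

    def evaluate(self, pkt):
        """Return (action, reason).  Rules are tried in listed order; the first
        match wins, otherwise the direction's default policy applies."""
        direction = f"{pkt['in']}->{pkt['out']}"
        for n, rule in enumerate(self.rules[direction], start=1):
            if rule.matches(pkt):
                return rule.action, f"rule {n}"
        return DEFAULT_ACTION[direction], "default policy"


def demo_firewall() -> Firewall:
    """Two of the manual's example policies, expressed as rules (constructed sample)."""
    fw = Firewall()
    # Block IRC (TCP 6667) from the whole LAN subnet to the Internet.
    fw.rules["LAN->WAN"].append(Rule(
        address_set("Subnet", "192.168.1.0", mask="255.255.255.0"),
        address_set("Any"), "TCP", BLOCK, dport=6667))
    # Allow Lotus Notes (TCP 1352) from one Internet host to one LAN server.
    fw.rules["WAN->LAN"].append(Rule(
        address_set("Single", "203.0.113.10"),
        address_set("Single", "192.168.1.20"), "TCP", ALLOW, dport=1352))
    return fw


if __name__ == "__main__":
    fw = demo_firewall()
    pkt = {"in": "LAN", "out": "WAN", "src": "192.168.1.5",
           "dst": "198.51.100.1", "proto": "TCP", "dport": 6667}
    print(fw.evaluate(pkt))
```

Because ordering decides the outcome, a permissive rule placed before a restrictive one silently disables it; that is the failure the manual's warning about testing rules after configuring them is aimed at.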
ous VCs.
VPI and VCI: Be sure to use the correct Virtual Path Identifier (VPI) and Virtual Channel Identifier (VCI) numbers assigned to you. The valid range for the VPI is 0 to 255 and 32 to 65535 for the VCI; 0 to 31 is reserved for local management of ATM traffic.

Wizard setup configuration: first screen
In the Site Map screen, click Wizard Setup to display the first wizard screen.
Figure 8 Wizard Screen 1 (Wizard Setup, ISP Parameters for Internet Access: Mode: Routing; Encapsulation: ENET ENCAP; Multiplex: LLC; Virtual Circuit ID: VPI, VCI; Next)
Table 2 describes the fields in Figure 8.
Table 2 Wizard Screen 1
Mode: From the Mode drop-down list box, select Routing (default) if your ISP allows multiple computers to share an Internet account. Otherwise select Bridge.
Encapsulation: Select the encapsulation type your ISP uses from the Encapsulation drop-down list box. Choices vary depending on what you select in the Mode field. If you select Bridge in the Mode field, select either PPPoA or RFC 1483. If you select Routing in the Mode field, select PPPoA, RFC 1483, ENET ENCAP or PPPoE.
Multiplex: Select the multiplexing method used by your ISP from the Multiplex drop-down list box, either VC-based or LLC-based.
Virtual Circuit (VPI, Vir
router uses the dial backup IP address for the VPN tunnel when using dial backup, or the LAN IP address when using traffic redirect.
Secure Gateway Address: Type the WAN IP address or the domain name (up to 31 characters) of the IPSec router with which you are making the VPN connection. Set this field to 0.0.0.0 if the remote IPSec router has a dynamic WAN IP address (the Key Management field must be set to IKE). The remote address fields do not apply when the Secure Gateway Address field is configured to 0.0.0.0; in this case only the remote IPSec router can initiate the VPN. In order to have more than one active rule with the Secure Gateway Address field set to 0.0.0.0, the ranges of the local IP addresses cannot overlap between rules. If you configure an active rule with 0.0.0.0 in the Secure Gateway Address field and the full IP address range of the LAN as the local IP address, then you cannot configure any other active rules with the Secure Gateway Address field set to 0.0.0.0.

Table 54 VPN Branch Office rule setup (continued)
ESP: Select ESP if you want to use ESP (Encapsulating Security Payload). The ESP protocol (RFC 2406) provides encryption as well as the services offered by AH. If you select ESP here, you must select options from the Encryption Algorithm and Authentication Algorithm fields described next.
AH: Select AH if you want to use AH (Aut
improvement over version 1 (RFC 1112), but IGMP version 1 is still in wide use. For more information about interoperability between IGMP version 2 and version 1, see sections 4 and 5 of Internet Group Management Protocol (RFC 2236).
Budget
Always On: Select this check box to have the dial backup connection on all of the time.
Configure Budget: Select this check box to have the dial backup connection on during the time that you select.
Allocated Budget: Type the amount of time in minutes that the dial backup connection can be used during the time configured in the Period field. Set an amount that is less than the time period configured in the Period field.
Period: Type the time period in hours for how often the budget is reset. For example, to allow calls to this remote node for a maximum of 10 minutes every hour, set the Allocated Budget to 10 minutes and the Period to 1 hour.
Idle Timeout: Type the number of seconds of idle time (when there is no traffic from the Business Secure Router to the remote node) for the Business Secure Router to wait before it automatically disconnects the dial backup connection. This option applies only when the Business Secure Router initiates the call. The dial backup connection never times out if you set this field to 0; it is the same as selecting Always On.
Call Schedule Sets: Specify call schedule sets to use on the dial backup connection. The call schedule sets must a
packets traveling from the WAN to the LAN.
7 LAN to LAN/Business Secure Router: ACL set 7 for packets traveling from the LAN to the LAN or the Business Secure Router.
8 WAN to WAN/Business Secure Router: ACL set 8 for packets traveling from the WAN to the WAN or the Business Secure Router.

Table 130 ICMP Notes
Type / Code / Description
0 Echo reply
  0: Echo reply message
3 Destination unreachable
  0: Net unreachable
  1: Host unreachable
  2: Protocol unreachable
  3: Port unreachable
  4: A packet that needed fragmentation was dropped because the packet was set to Don't Fragment (DF)
  5: Source route failed
4 Source quench
  0: A gateway discards internet datagrams if it does not have the buffer space needed to queue the datagrams for output to the next network on the route to the destination network
5 Redirect
  0: Redirect datagrams for the network
  1: Redirect datagrams for the host
  2: Redirect datagrams for the type of service and network
  3: Redirect datagrams for the type of service and host
8 Echo
  0: Echo message
11 Time exceeded
  0: Time to live exceeded in transit
  1: Fragment reassembly time exceeded
12 Parameter problem
  0: Pointer indicates the error
13 Timestamp
  0: Timestamp request message
14 Timestamp reply
  0: Timestamp reply message
15 Informa
example.
2. Log on:
ssh -1 192.168.1.1
The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established.
RSA1 key fingerprint is 21:6c:07:25:7e:4:75:80:ec:af:bd:d4:3d:80:53:d1.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.1' (RSA1) to the list of known hosts.
Administrator@192.168.1.1's password:
3. The SMT main menu displays.
Compare the fingerprint shown at this prompt with one obtained out of band (for example, from the console port) before answering yes; answering yes to an unverified key pins whatever host answered, including an impostor. Note also that the -1 flag selects SSH protocol version 1, which has known weaknesses and is no longer supported by current OpenSSH clients; use protocol version 2 if the firmware supports it.

Secure FTP using SSH example
This section shows an example of file transfer using the OpenSSH client program. The configuration and connection steps are similar for other SSH client programs. For more information about using FTP, refer to your SSH client program user's guide.
1. Enter sftp -1 192.168.1.1. This command forces your computer to connect to the Business Secure Router for secure file transfer using SSH version 1. If this is the first time you are connecting to the Business Secure Router using SSH, a message displays prompting you to save the host information of the Business Secure Router. Type yes and press ENTER.
2. Enter the password to log on to the Business Secure Router.
3. Use the put command to upload a new firmware to the Business Secure Router.

Telnet
Figure 126 Secure FTP Firmware Upload Example
sftp -1 192.168.1.1
Connecting to 192.168.1.1...
The authenticity of host '192.168.1.1 (192.168.1.1)' can't be establish
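How the fingerprint in the transcript is produced, as an added example that is not part of the manual: the client hashes the host's public key blob and prints the digest, so the same computation over a copy of the key obtained out of band (for instance the router's public key file fetched over the console) gives the value to compare against at the prompt. The example uses the SSH-2 ssh-rsa wire encoding (length-prefixed strings and mpints); protocol version 1 keys, as in the transcript, use an older encoding that this example does not cover. The exponent and modulus below are made-up small numbers for illustration, not a real router key.

```python
"""Added example: build an ssh-rsa public key blob and compute the MD5
(colon-separated, as older clients print) and SHA256 (as modern OpenSSH
prints) host key fingerprints.  Not router code."""
import base64
import hashlib
import struct


def ssh_string(b: bytes) -> bytes:
    """SSH 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack("!I", len(b)) + b


def ssh_mpint(n: int) -> bytes:
    """SSH 'mpint': two's-complement big-endian integer; zero is the empty
    string, and a leading 0x00 is added when the top bit would be set."""
    if n == 0:
        return ssh_string(b"")
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)


def ssh_rsa_blob(e: int, n: int) -> bytes:
    """The blob that appears base64-encoded in known_hosts and authorized_keys."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


def fingerprint_md5(blob: bytes) -> str:
    """Legacy form: 16 colon-separated hex bytes of MD5 over the blob."""
    h = hashlib.md5(blob).hexdigest()
    return ":".join(h[i:i + 2] for i in range(0, 32, 2))


def fingerprint_sha256(blob: bytes) -> str:
    """Modern OpenSSH form: SHA256:<base64 digest without '=' padding>."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def known_hosts_line(host: str, blob: bytes) -> str:
    """The line an accepted key is stored as in ~/.ssh/known_hosts."""
    return f"{host} ssh-rsa {base64.b64encode(blob).decode()}"


if __name__ == "__main__":
    # Constructed sample key material; a real key has a 2048-bit or larger modulus.
    blob = ssh_rsa_blob(65537, 0xC0FFEE)
    print(fingerprint_md5(blob))
    print(fingerprint_sha256(blob))
    print(known_hosts_line("192.168.1.1", blob))
```

If the out-of-band value and the prompt disagree, answer no; once a key is accepted it is written to known_hosts and later mismatches are reported as a changed host key rather than as a first-time prompt.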
port forwarding rule.
Start Port / End Port: Enter a port number here. To forward only one port, enter it again in the End Port field. To specify a range of ports, enter the last port to be forwarded in the End Port field.
Server IP Address: Enter the inside IP address of the server here.
Apply: Click Apply to save your changes to the Business Secure Router.
Reset: Click Reset to clear your changes.

Configuring Address Mapping
Ordering your rules is important because the Business Secure Router applies the rules in the order that you specify. When a rule matches the current packet, the Business Secure Router takes the corresponding action and the remaining rules are ignored. If there are any empty rules before your newly configured rule, your configured rule is pushed up by that number of empty rules. For example, if you have already configured rules 1 to 6 in your current set and you configure rule number 9, in the set summary screen the new rule becomes rule 7, not 9. If you delete rule 4, rules 5 to 7 are pushed up by 1 rule, so old rules 5, 6 and 7 become new rules 4, 5 and 6.
To change the NAT address mapping settings, click SUA/NAT, then the Address Mapping tab. The screen appears as shown in Figure 38.
Figure 38 Address Mapping (SUA/NAT)
Note: Change may not take effect on existing
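The ordering and renumbering behaviour described above, as an added example that is not the router's code: rules live in numbered slots, a rule written past empty slots is pushed up into the first free position, deleting a rule pushes the rules after it up by one, and an outgoing packet is translated by the first rule whose local range contains its source address, with later rules ignored. The mapping type names are the manual's; the data layout, the ten-slot limit and the way addresses are spread over a Many-to-Many Overload pool are this example's assumptions.

```python
"""Added example: NAT address mapping set with first-match lookup and the
renumbering rules the manual describes.  Not router code."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Mapping:
    kind: str            # "One-to-One", "Many-to-One", "Many-to-Many Overload" or "Server"
    local_start: str
    local_end: str
    global_start: str
    global_end: str

    def covers(self, ip: str) -> bool:
        a = ipaddress.ip_address(ip)
        return ipaddress.ip_address(self.local_start) <= a <= ipaddress.ip_address(self.local_end)

    def translate(self, local_ip: str):
        """Global address used for an outgoing packet from local_ip."""
        gs = int(ipaddress.ip_address(self.global_start))
        ge = int(ipaddress.ip_address(self.global_end))
        offset = int(ipaddress.ip_address(local_ip)) - int(ipaddress.ip_address(self.local_start))
        if self.kind == "One-to-One":
            return str(ipaddress.ip_address(gs + offset))
        if self.kind == "Many-to-One":
            return self.global_start           # everyone shares one address (SUA/PAT)
        if self.kind == "Many-to-Many Overload":
            return str(ipaddress.ip_address(gs + offset % (ge - gs + 1)))  # assumed spread
        if self.kind == "Server":
            return None                         # inbound-only mapping
        raise ValueError(f"unknown mapping type {self.kind!r}")


class AddressMappingSet:
    SLOTS = 10   # assumed set size

    def __init__(self):
        self.slots = [None] * self.SLOTS   # index 0 is rule 1

    def configure(self, number: int, mapping: Mapping) -> int:
        """Write a rule at `number`, then close any empty slots before it.
        Returns the rule number it actually ends up with."""
        self.slots[number - 1] = mapping
        self._compact()
        return next(i + 1 for i, m in enumerate(self.slots) if m is mapping)

    def delete(self, number: int) -> None:
        """Remove a rule; rules after it move up by one."""
        self.slots[number - 1] = None
        self._compact()

    def _compact(self) -> None:
        live = [m for m in self.slots if m is not None]
        self.slots = live + [None] * (self.SLOTS - len(live))

    def numbered(self):
        return [(i + 1, m) for i, m in enumerate(self.slots) if m is not None]

    def lookup(self, local_ip: str):
        """First matching rule wins and the remaining rules are ignored.
        Returns (rule number, translated address) or (None, None)."""
        for n, m in self.numbered():
            if m.kind != "Server" and m.covers(local_ip):
                return n, m.translate(local_ip)
        return None, None


if __name__ == "__main__":
    s = AddressMappingSet()
    for i in range(1, 7):   # rules 1 to 6, as in the manual's example
        s.configure(i, Mapping("Many-to-One", f"10.0.{i}.0", f"10.0.{i}.255",
                               "203.0.113.1", "203.0.113.1"))
    print(s.configure(9, Mapping("One-to-One", "192.168.1.10", "192.168.1.12",
                                 "203.0.113.10", "203.0.113.12")))   # becomes rule 7
```

The practical consequence is that rule numbers are positions, not identities: a screen or script that refers to "rule 7" after a deletion is pointing at a different rule than before.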
possible.
Figure 48 Smurf attack: the attacker broadcasts ping packets with a spoofed source address to every host on the intermediary network; every host on the intermediary network responds by sending ping responses to every host on the victim network.
- ICMP vulnerability: ICMP is an error reporting protocol that works in concert with IP. The following ICMP types trigger an alert:
Table 33 ICMP commands that trigger alerts
5 REDIRECT
13 TIMESTAMP_REQUEST
14 TIMESTAMP_REPLY
17 ADDRESS_MASK_REQUEST
18 ADDRESS_MASK_REPLY
- Illegal commands (NetBIOS and SMTP): The only legal NetBIOS commands are shown in Table 34; all others are illegal.
Table 34 Legal NetBIOS commands
MESSAGE, REQUEST, POSITIVE, NEGATIVE, RETARGET, KEEPALIVE
All SMTP commands are illegal except for those displayed in Table 35.
Table 35 Legal SMTP commands
AUTH, DATA, EHLO, ETRN, EXPN, HELO, HELP, MAIL, NOOP, QUIT, RCPT, RSET, SAML, SEND, SOML, TURN, VRFY
- Traceroute: Traceroute is a utility used to determine the path a packet takes between two endpoints. Sometimes, when a packet filter firewall is configured incorrectly, an attacker can traceroute the firewall and gain knowledge of the
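The ICMP alert check above and the type/code table (Table 130) together, as an added example that is not the router's code: decode an ICMP header from raw bytes, reject a message whose checksum does not verify, name the type and code, and flag the five types the firewall alerts on. The sample messages are constructed inside the block with a valid RFC 1071 checksum; the function names are this example's own.

```python
"""Added example: decode an ICMP header, verify its checksum, name the
type/code and flag alert-triggering types.  Not router code."""
import struct

# Type/code names from the manual's Table 130 (ICMP Notes).
ICMP_NAMES = {
    (0, 0): "Echo reply",
    (3, 0): "Net unreachable", (3, 1): "Host unreachable",
    (3, 2): "Protocol unreachable", (3, 3): "Port unreachable",
    (3, 4): "Fragmentation needed and DF set", (3, 5): "Source route failed",
    (4, 0): "Source quench",
    (5, 0): "Redirect for network", (5, 1): "Redirect for host",
    (5, 2): "Redirect for type of service and network",
    (5, 3): "Redirect for type of service and host",
    (8, 0): "Echo",
    (11, 0): "Time to live exceeded in transit",
    (11, 1): "Fragment reassembly time exceeded",
    (12, 0): "Parameter problem, pointer indicates the error",
    (13, 0): "Timestamp request", (14, 0): "Timestamp reply",
    (17, 0): "Address mask request", (18, 0): "Address mask reply",
}
# Types that trigger an alert, from Table 33.
ALERT_TYPES = {5: "REDIRECT", 13: "TIMESTAMP_REQUEST", 14: "TIMESTAMP_REPLY",
               17: "ADDRESS_MASK_REQUEST", 18: "ADDRESS_MASK_REPLY"}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (zero-padded if odd)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest: bytes = b"\x00" * 4, payload: bytes = b"") -> bytes:
    """Construct a sample ICMP message with a correct checksum."""
    msg = struct.pack("!BBH", icmp_type, code, 0) + rest + payload
    return msg[:2] + struct.pack("!H", icmp_checksum(msg)) + msg[4:]


def decode_icmp(packet: bytes) -> dict:
    """Parse an ICMP message.  Raises ValueError on a short header or a bad
    checksum; a message that verifies over all its bytes sums to zero."""
    if len(packet) < 8:
        raise ValueError("ICMP header is 8 bytes minimum")
    icmp_type, code, _ = struct.unpack("!BBH", packet[:4])
    if icmp_checksum(packet) != 0:
        raise ValueError("bad ICMP checksum")
    return {
        "type": icmp_type,
        "code": code,
        "description": ICMP_NAMES.get((icmp_type, code), "unknown"),
        "alert": ALERT_TYPES.get(icmp_type),   # None when no alert is raised
    }


if __name__ == "__main__":
    # Constructed samples: an ordinary echo request and a host redirect.
    print(decode_icmp(build_icmp(8, 0)))
    print(decode_icmp(build_icmp(5, 1, rest=b"\xc0\xa8\x01\x01", payload=b"\x45\x00" * 4)))
```

Redirects and address-mask or timestamp requests are ordinary protocol messages, but on a perimeter they are mostly used for reconnaissance or for steering traffic through an attacker's host, which is why they are alert-worthy even though each one is well-formed.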
proportion to actual available bandwidth.
Application-based bandwidth management: You can create bandwidth classes based on individual applications, like FTP, H.323 and SIP.
Subnet-based bandwidth management: You can create bandwidth classes based on subnets. Figure 97 shows LAN subnets. You can configure one bandwidth class for subnet A and another for subnet B.
Figure 97 Subnet-based bandwidth management example (LAN subnets A: 192.168.1.1 192.168.1.24 and B: 192.168.2.1 192.168.2.24; WAN)
Application- and subnet-based bandwidth management: You can also create bandwidth classes based on a combination of a subnet and an application. Table 76 shows bandwidth allocations for application-specific traffic from separate LAN subnets.
Table 76 Application and Subnet-based Bandwidth Management Example
Traffic Type / From Subnet A / From Subnet B
FTP: 64 Kb/s / 64 Kb/s
H.323: 64 Kb/s / 64 Kb/s
SIP: 64 Kb/s / 64 Kb/s
Reserving bandwidth for non-bandwidth-class traffic: If you want to allow bandwidth for traffic that is not defined in a bandwidth filter, leave some of the bandwidth on the interface unbudgeted.

Configuring summary
Click BW MGMT to open the Summary screen. Enable bandwidth management on an interface and set the maximum allowed bandwidth for that inter
protocols are necessary to create a Security Association (SA), the foundation of an IPSec VPN. An SA is built from the authentication provided by the AH and ESP protocols. The primary function of key management is to establish and maintain the SA between systems. After the SA is established, the transport of data can commence.

AH (Authentication Header) protocol
The AH protocol (RFC 2402) was designed for integrity, authentication, sequence integrity (replay resistance) and nonrepudiation, but not for confidentiality, for which the ESP was designed. (Strictly, because AH uses a shared-key message authentication code, either peer could have produced a given packet, so it provides origin authentication between the two peers rather than nonrepudiation toward a third party.) In applications where confidentiality is not required or not sanctioned by government encryption restrictions, an AH can be employed to ensure integrity. This type of implementation does not protect the information from dissemination, but it can be used for verification of the integrity of the information and authentication of the originator.

ESP (Encapsulating Security Payload) protocol
The ESP protocol (RFC 2406) provides encryption as well as the services offered by AH. ESP's authenticating properties are limited compared to AH, because the IP header is excluded from the authentication process. However, ESP is sufficient if only the upper layer protocols need to be authenticated. An added feature of ESP is payload padding, which further protects communications by concealing the size of the packet being transmitted.
Table 45 AH and ESP
Table 92 FTP (continued)
Secured Client IP Address: A secured client is a trusted computer that is allowed to communicate with the Business Secure Router using this service. Select All to allow any computer to access the Business Secure Router using this service. Choose Selected to allow only the computer with the IP address that you specify to access the Business Secure Router using this service.
Apply: Click Apply to save your customized settings and exit this screen.
Reset: Click Reset to begin configuring this screen afresh.

Configuring SNMP
Simple Network Management Protocol (SNMP) is a protocol used for exchanging management information between network devices. SNMP is a member of the TCP/IP protocol suite. Your Business Secure Router supports SNMP agent functionality, which allows a manager station to manage and monitor the Business Secure Router through the network. The Business Secure Router supports SNMP version 1 (SNMPv1). Figure 130 illustrates an SNMP management operation. The default get and set communities are public. In SNMPv1 the community string is the only credential and it travels in clear text, so change both defaults before enabling the service, restrict the secured client address, and do not expose SNMP on the WAN.
Note: SNMP is only available if TCP/IP is configured.
Figure 130 SNMP Management Model (Manager; SNMP; Agent, Managed Device; Agent, Managed Device; Agent
362. computers), the computers on the LAN do not need PPPoE software installed, since the Business Secure Router does that part of the task. Furthermore, with NAT, all of the LAN computers will have access. Configuring WAN ISP: To configure the WAN ISP settings for your Business Secure Router, click WAN, then the WAN ISP tab. The screen differs depending on the encapsulation. Figure 26 WAN: WAN ISP. Table 18 describes the fields in Figure 26. Table 18 WAN: WAN ISP (Label / Description). Name: Enter the name of your Internet Service Provider, for example MyISP. This information is for identification purposes only. Mode: Select Routing (default) from the drop-down list box if your ISP allows multiple computers to share an Internet account. Otherwise select Bridge. Encapsulation: Select the method of encapsulation used by your ISP from the drop-down list box. Choices vary depending on the mode you select in the Mode field. If you select Bridge in the Mode field, select either PPPoA or RFC 1483. If you select Routing in the Mode field, select PPPoA, RFC 1483, ENET ENCAP or PPPoE. Multiplex: Select the method of multiplexing used by your ISP from the drop-down list. Choices are VC or LLC. Virtual Circuit ID: VPI (Virtual Path Identifier) and VCI (Virtual Channel Identifier) defi
363. requests a file. At this point, the remote server opens a data connection from the Internet. For FTP to work properly, this connection must be allowed to pass through, even though a connection from the Internet is normally rejected. In order to achieve the above scenario, the Business Secure Router inspects the application-level FTP data. Specifically, it searches for outgoing PORT commands, and when it sees these, it adds a cache entry for the anticipated data connection. This can be done safely, since the PORT command contains address and port information that can be used to uniquely identify the connection. Any protocol that operates in this way must be supported on a case-by-case basis. You can use the Custom Ports feature in the WebGUI to do this. Guidelines for enhancing security with your firewall: Change the default password through SMT or WebGUI. Think about access control before you connect your device to the network in any way. Access to the console port can give unauthorized individuals total control of the firewall, even with access control configured. Limit who can Telnet into your router. Do not enable any local service (such as SNMP or NTP) that you do not use. Any enabled service can present a potential security risk. A determined hacker can find creative ways to misuse the enabled services to access the firewall or the network. F
364. Create: Click Create to go to the screen where you can have the Business Secure Router generate a certificate or a certification request. Refresh: Click Refresh to display the current validity status of the certificates. Certificate file formats: The certification authority certificate that you want to import has to be in one of these file formats. • Binary X.509: This is an ITU-T recommendation that defines the formats for X.509 certificates. • PEM (Base-64) encoded X.509: This Privacy Enhanced Mail format uses 64 ASCII characters to convert a binary X.509 certificate into a printable form. • Binary PKCS #7: This is a standard that defines the general syntax for data (including digital signatures) that can be encrypted. The Business Secure Router currently allows the importation of a PKCS #7 file that contains a single certificate. • PEM (Base-64) encoded PKCS #7: This Privacy Enhanced Mail (PEM) format uses 64 ASCII characters to convert a binary PKCS #7 certificate into a printable form. Importing a certificate: Click CERTIFICATES, My Certificates and then Import to open the My Certificate Import screen. Follow the instructions on the screen shown in Figure 84 to save an existing certificate to the Business Secure Router. Note 1: You can only import a certificate that matches a corresponding certification request generated by the Business Secure Router. Note 2: The certif
365. or IP address configured on the local router. The log displays the configured local IP address type or IP address that the incoming packet did not match. Table 132 Sample IKE Key Exchange Logs (Log Message / Description). <Symbol>: The router sent a payload type of IKE packet. Error ID Info: The parameters configured for Phase 1 ID content do not match, or the parameters configured for the Phase 2 ID (IP address of single, range or subnet) do not match. Check all protocols and settings for these phases. Table 133 shows sample log messages during packet transmission. Table 133 Sample IPSec Logs During Packet Transmission (LOG MESSAGE / DESCRIPTION). WAN IP changed to <IP>: If the Business Secure Router WAN IP changes, all configured My IP Addr change to 0.0.0.0. If this field is configured as 0.0.0.0, the Business Secure Router uses the current Business Secure Router WAN IP address (static or dynamic) to set up the VPN tunnel. Cannot find IPSec SA: The Business Secure Router cannot find a phase 2 SA that corresponds with the SPI of an inbound packet (from the peer); the packet is dropped. Cannot find outbound SA for rule <%d>: The packet matches the rule index number <%d>, but Phase 1 or Phase 2 negotiation for outbound (from the VPN initiator) traffic is not finished yet. Discard REPLAY packet
366. Router logged it. (set %d, rule %d, type %d, code %d). Firewall rule NOT match: IGMP (set %d, rule %d): IGMP access did not match the listed firewall rule and the Business Secure Router logged it. Firewall rule NOT match: ESP (set %d, rule %d): ESP access did not match the listed firewall rule and the Business Secure Router logged it. Firewall rule NOT match: GRE (set %d, rule %d): GRE access did not match the listed firewall rule and the Business Secure Router logged it. Firewall rule NOT match: OSPF (set %d, rule %d): OSPF access did not match the listed firewall rule and the Business Secure Router logged it. Firewall rule NOT match (set %d, rule %d): Access did not match the listed firewall rule and the Business Secure Router logged it. Filter default policy DROP: TCP access matched a default filter policy and the Business Secure Router dropped the packet to block access. Filter default policy DROP: UDP access matched a default filter policy and the Business Secure Router dropped the packet to block access. Filter default policy DROP: ICMP access matched a default filter policy and the Business Secure Router dropped the packet to block access. Filter default policy DROP: Access matched a default filter policy and the Business Secure Router dropped the packet to block access. [Appendix B Log Descriptions, page 437] Table 128 Access Logs (Log Message / Description)
367. Filter match DROP <set %d/rule %d>: Access matched the listed filter rule (denied LAN IP) and the Business Secure Router dropped the packet to block access. Filter match FORWARD <set %d/rule %d>: TCP access matched the listed filter rule. Access was allowed and the router forwarded the packet. Filter match FORWARD <set %d/rule %d>: UDP access matched the listed filter rule. Access was allowed and the router forwarded the packet. Filter match FORWARD <set %d/rule %d>: ICMP access matched the listed filter rule. Access was allowed and the router forwarded the packet. Filter match FORWARD <set %d/rule %d>: Access matched the listed filter rule. Access was allowed and the router forwarded the packet. Filter match FORWARD <set %d/rule %d>: Access matched the listed filter rule (denied LAN IP). Access was allowed and the router forwarded the packet. set %d: With firewall messages, this is the number of the ACL policy set and denotes the packet's direction (see Table 129). With filter messages, this is the number of the filter set. rule %d: With firewall messages, the firewall rule number denotes the number of a firewall rule within an ACL policy set. With filter messages, this is the number of an individual filter rule. Router
368. number of simultaneous IPSec tunnels connected to it and they all have keep alive enabled, then no other tunnels can take a turn connecting to the Business Secure Router, because the Business Secure Router does not drop the tunnels that are already connected unless there is outbound traffic with no inbound traffic. Note: No matter whether or not keep alive is set, when there is outbound traffic with no inbound traffic, the Business Secure Router automatically drops the tunnel after two minutes. Nailed up: The nailed up feature is similar to the keep alive feature. When you initiate an IPSec tunnel with nailed up enabled, the Business Secure Router automatically renegotiates the tunnel when the IPSec SA lifetime period expires (see Configuring advanced Branch office setup on page 241 for more information about the IPSec SA lifetime). The nailed up option is available with the branch office rules. See the VPN Branch Office Rule Setup screen (Figure 71 on page 222). Unlike keep alive, any time the Business Secure Router restarts, it also automatically renegotiates any nailed up tunnels. In effect, the IPSec tunnel becomes an always-on connection after you initiate it. Also different from keep alive, the peer IPSec router does not have to have a Business Secure Router-compatible nailed up feature enabled in order for this feature to work. If the Business Secure Router has its maximum n
369. router received an ARL (Authority Revocation List) with size and issuer name as recorded, from the LDAP server whose address and port are recorded in the Source field. Failed to decode the received ca cert: The router received a corrupted certification authority certificate from the LDAP server whose address and port are recorded in the Source field. Failed to decode the received user cert: The router received a corrupted user certificate from the LDAP server whose address and port are recorded in the Source field. Failed to decode the received CRL: The router received a corrupted CRL (Certificate Revocation List) from the LDAP server whose address and port are recorded in the Source field. Failed to decode the received ARL: The router received a corrupted ARL (Authority Revocation List) from the LDAP server whose address and port are recorded in the Source field. Rcvd data size too large. Max size allowed: <max size>: The router received directory data that was too large (the size is listed) from the LDAP server whose address and port are recorded in the Source field. The maximum size of directory data that the router allows is also recorded. Cert trusted: <subject name>: The router has verified the path of the certificate with the listed subject name. Due to <reason codes>, cert not trusted: <subject name>: Due to the reasons listed, the certificate with the listed s
370. Figure 3 Change password screen. 5 Click Apply in the Replace Certificate screen to create a certificate using your Business Secure Router MAC address that is specific to this device. Figure 4 Replace certificate screen. The MAIN MENU screen appears. Note: The management session automatically times out when the time period set in the Administrator Inactivity Timer field expires (default five minutes). Simply log back on to the Business Secure Router if this happens to you. Restoring the factory default configuration settings: If you just want to restart the Business Secure Router, press the rear panel RESET button for one to three seconds. If you forget your password or cannot access the SMT menu, you will need to reload the factory default configuration file or use the RESET button on the back of the Business Secure Router to restore the factory default configuration. Uploading this configuration file replaces the current configuration file with the factory default configuration file. This means that you will lose all configurations that you had previously, and the speed of the console port will be reset to the default of 9600 bps with 8 data bits, no parity, one stop bit and flow control set to none. The password will be reset to PlsChgMe also. Procedure to use the reset button: Press the rear panel RESET button for long
371. Create screen: Use this screen to have the Business Secure Router create a self-signed certificate, enroll a certificate with a certification authority or generate a certification request. For more information, see Figure 85. Figure 85 My Certificate create (CERTIFICATES: MY CERTIFICATE CREATE). Certificate Name. Subject Information: Common Name (Host IP Address / Host Domain Name / E-Mail); Organizational Unit; Organization; Country. Key Length: 1024 bits. Enrollment Options: Create a self-signed certificate; Create a certification request and save it locally for later manual enrollment; Create a certification request and enroll for a certificate immediately online. Enrollment Protocol: Simple Certificate Enrollment Protocol (SCEP). CA Server Address. CA Certificate (See Trusted CAs). Request Authentication Key. Apply, Cancel. Table 66 describes the labels in Figure 85. Table 66 My Certificate create (Label / Description). Certificate Name: Type up to 31 ASCII characters (not including spaces) to identify this certificate. Subject Information: Use these fields to record information that identifies the owner of the certificate. You do not have to fill in every field, although the Common Name
372. remote host details (CERTIFICATES: TRUSTED REMOTE HOST DETAILS). Name: LA Office.crt. Certification Path: CN=Business Secure Router Factory Default Certificate; CN=Glenn. Certificate Information: Type: CA-signed X.509 Certificate; Version: V3; Serial Number: 105175496253; Subject: CN=Glenn; Issuer: CN=Business Secure Router Factory Default Certificate; Signature Algorithm: rsa-pkcs1-sha1; Valid From: 2003 Apr 30th, 02:09:22 GMT; Valid To: 2006 Apr 30th, 02:09:22 GMT; Key Algorithm: rsaEncryption (1024 bits); Subject Alternative Name: DNS:Glenn; Key Usage: DigitalSignature; Basic Constraint: Path Length Constraint 10; MD5 Fingerprint: 67:e0:c7:7c:ef:bf:99:b5:b3:53:a4:c8:e3:da:5e:58; SHA1 Fingerprint: 09:85:41:d2:70:99:47:d6:b8:71:79:d9:70:af:3a:bf:c3:9f:0f:23. Certificate in PEM (Base-64) Encoded Format.
373. security certificate was issued by a company you have not chosen to trust. View the certificate to determine whether you want to trust the certifying authority. The security certificate date is valid. The name on the security certificate does not match the name of the site. Do you want to proceed? Yes, View Certificate. Netscape Navigator warning messages: When you attempt to access the Business Secure Router HTTPS server, a Website Certified by an Unknown Authority screen (shown in Figure 113) appears, asking if you trust the server certificate. Click Examine Certificate if you want to verify that the certificate is from the Business Secure Router. If you select Accept this certificate temporarily for this session, then click OK to continue in Netscape. Select Accept this certificate permanently to import the Business Secure Router certificate into the SSL client. Figure 113 Security Certificate 1 (Netscape): Website Certified by an Unknown Authority. Figure 114 Security Certificate 2 (Netscape): Security Error: Domain Name Mismatch. You have attempted to establish a connection with 192.168.1.1. However, the security certificate presented belongs to Factory Default Certificate. It is possible, though unlikely
374. rmation 2; reinitialize the ADSL line 402; Remote Management and NAT 330; Remote Management Limitations 329; Reports 378; Reset 48; reset 402; Reset Button 36; Response Strings 124; Restore 407; Restrict Web Features 197; Retransmissions 257; Retry Count 126; Retry Interval 126; RFC 2516 54; RIP 98, 99, 122; RIP Direction 99, 116; RIP Version 98, 116, 122; RIP-1 98, 116, 122; RIP-2 98; RIP-2B 99, 116, 122; RIP-2M 99, 116, 122; Root Class 303; Routing Information Protocol 98; Rule Summary 185; Rules 169, 173 (Checklist 171; Creating Custom 169; Key Fields 172; LAN to WAN 173; Logic 171; Predefined Services 186; Source and Destination Addresses 181). S: SA Monitor 245; Saving the State 161; Schedule Sets (Duration 390); Second DNS Server 84; Secondary Phone Number 121; Secure FTP Using SSH Example 349; Secure Telnet Using SSH Example 347; Security Ramifications 171; Server 92, 133, 134, 141, 142; Server Auto-detect 87; Service 172; Service Type 177, 182; Services 136; setup a schedule 389; SHA1 205; Single User Account 122, 142; SMTP 136; Smurf 159, 160; SNMP 39, 136, 353 (Get 355; Manager 354; MIBs 355; Trap 355); SNMP (Simple Network Management Protocol) 39; Source & Destination Addresses 181; Source Address 172, 180; [Index, page 459] SSH 37, 343; SSH Implementation 345; Start Port 146; Stateful Inspection 37, 153, 154, 161, 162, 163 (Process 162); Static DHCP 103; static IP address 60; Static Route 147, 148; SUA 135, 136, 1
375. Internet Options, Privacy. 2 Clear the Block pop-ups check box in the Pop-up Blocker section of the screen. Figure 172 Internet Options (tabs: General, Security, Privacy, Content, Connections, Programs, Advanced). Settings: Move the slider to select a privacy setting for the Internet zone. Medium: Blocks third-party cookies that do not have a compact privacy policy; Blocks third-party cookies that use personally identifiable information without your implicit consent; Restricts first-party cookies that use personally identifiable information without implicit consent. Pop-up Blocker: Prevent most pop-up windows from appearing. 3 Click Apply to save this setting. Enabling Pop-up Blockers with Exceptions: Alternatively, if you only want to allow pop-up windows from your device, see the following steps. 1 In Internet Explorer, select Tools, Internet Options and then the Privacy tab. 2 Select Settings to open the Pop-up Blocker Settings screen. Figure 173 Internet options (tabs: General, Security, Privacy, Content, Connections, Programs, Advanced). Settings: Move the slider to select a privacy setting for the Internet zone. Medium: Blocks third-party cookies that do not have a compact privacy policy; Blocks third-party cookies that use personally ide
376. Introduction to the Business Secure Router firewall 155; Denial of Service 156; Basics 156; Types of DoS attacks 157; Stateful inspection 161; Stateful inspection process 162; Stateful inspection and the Business Secure Router 163; WEE SEIE attacks 164; UDP/ICMP security 165; Upper layer protocols 165; Guidelines for enhancing security with your firewall 166; Packet filtering vs firewall 166; Packet filtering 166; When to use filtering 167; Firewall 167; When to use the firewall 167; Chapter 11 Firewall screens 169; Access methods 169; Firewall policies overview 169; Rule logic 171; Rule checklist
377. error. Click Return to return to the F/W Upload screen. Figure 165 Firmware upload error: Firmware upload error. The uploaded file was not accepted by the router. Please return to the previous page and select a valid upgrade file. Click Help for more information. Return. Configuration screen: Click MAINTENANCE and then the Configuration tab. Information related to factory defaults, backup configuration and restoring configuration appears, as shown in Figure 166. Figure 166 Configuration (MAINTENANCE: Status, DHCP Table, Diagnostic, F/W Upload, Configuration, Restart). Backup Configuration: Click Backup to save the current configuration of your system to your computer. Backup. Restore Configuration: To restore a previously saved configuration file to your system, browse to the location of the configuration file and click Upload. File Path, Browse, Upload. Back to Factory Defaults: Click Reset to clear all user-entered configuration information and return to factory defaults. After resetting, the Password will be PlsChgMe, the LAN IP address will be 192.168.1.1 and DHCP will be reset to server. Reset. Back to Factory Defaults: Pressing the Reset button in this section clears all user-entered configuration information and returns the Business Secure Router to its factory defaults. The warning screen will appear (see Figure 167).
378. Group Password to the remote IPSec router for initial authentication. After a successful initial authentication, a RADIUS server associated with the remote IPSec router uses the User Name and Password to authenticate the Business Secure Router. You must also configure the Group ID and Group Password fields when you enable Group Authentication. When Group Authentication is not enabled, the remote IPSec router uses the User Name and Password to authenticate the Business Secure Router. Group ID: Enter the group ID exactly as the IPSec router administrator gives it to you. This field only applies when you enable Group Authentication. Group Password: Enter the group password exactly as the IPSec router administrator gives it to you. This field only applies when you enable Group Authentication. On Demand Client Tunnel: Select this check box to have any outgoing packets automatically trigger a VPN connection to the remote IPSec router. When On Demand Client Tunnel is not enabled, you need to go to the VPN Summary screen and click the Connect button to create a VPN connection to the remote IPSec router. Table 49 VPN Contivity Client advanced rule setup (Label / Description). Apply: Click Apply to temporarily save the settings and return to the VPN Contivity Client screen. The Group Authentication settings are saved to the Business Secure Ro
379. route. Active: This field allows you to activate or deactivate this static route. Destination IP Address: This parameter specifies the IP network address of the final destination. Routing is always based on network number. If you need to specify a route to a single host, use a subnet mask of 255.255.255.255 in the subnet mask field to force the network number to be identical to the host ID. IP Subnet Mask: Enter the IP subnet mask here. Gateway IP Address: Enter the IP address of the gateway. The gateway is a router or switch on the same network segment as the Business Secure Router LAN or WAN port. The gateway helps forward packets to their destinations. Table 31 Edit IP Static Route (Label / Description). Metric: Metric represents the cost of transmission for routing purposes. IP routing uses hop count as the measurement of cost, with a minimum of 1 for directly connected networks. Enter a number that approximates the cost for this link. The number need not be precise, but it must be between 1 and 15. In practice, 2 or 3 is usually a good number. Private: This parameter determines if the Business Secure Router includes this route to a remote node in its RIP broadcasts. Select this check box to keep this route private and not included in RIP broadcasts. Clear this check box to propagate this route to other hosts through RIP broadcasts.
380. offers the additional benefit of firewall protection. With no servers defined, your Business Secure Router filters out all incoming inquiries, thus preventing intruders from probing your network. For more information about IP address translation, refer to The IP Network Address Translator (NAT), RFC 1631. How NAT works: Each packet has two addresses, a source address and a destination address. For outgoing packets, the ILA (Inside Local Address) is the source address on the LAN and the IGA (Inside Global Address) is the source address on the WAN. For incoming packets, the ILA is the destination address on the LAN and the IGA is the destination address on the WAN. NAT maps private (local) IP addresses to globally unique ones required for communication with hosts on other networks. It replaces the original IP source address (and TCP or UDP source port numbers for Many-to-One and Many-to-Many Overload NAT mapping) in each packet and then forwards it to the Internet. The Business Secure Router keeps track of the original addresses and port numbers so incoming reply packets can have their original values restored, as illustrated in Figure 33. Figure 33 How NAT works. NAT Table (Inside Local IP Address / Inside Global IP Address): LAN 192.168.1.10 / IGA 1; 192.168.1.11 / IGA 2; 192.168.1.12 / IGA 3; 192.168.1.13 / IGA 4; WAN. Computer IP 192.168.1.13; Computer IP 192.1
381. First, Sunday, April and type 2 in the o'clock field. Daylight Saving Time starts in the European Union on the last Sunday of March. All of the time zones in the European Union start using Daylight Saving Time at the same moment (1 a.m. GMT or UTC). So in the European Union, select Last, Sunday, March. The time you type in the o'clock field depends on your time zone. In Germany, for instance, type 2 because Germany's time zone is one hour ahead of GMT or UTC (GMT+1). End Date: Configure the day and time when Daylight Saving Time ends if you select Enable Daylight Saving. The o'clock field uses the 24-hour format. Here are a couple of examples: Daylight Saving Time ends in the United States on the last Sunday of October. Each time zone in the United States stops using Daylight Saving Time at 2 a.m. local time. So in the United States, select Last, Sunday, October and type 2 in the o'clock field. Daylight Saving Time ends in the European Union on the last Sunday of October. All of the time zones in the European Union stop using Daylight Saving Time at the same moment (1 a.m. GMT or UTC). So in the European Union, select Last, Sunday, October. The time you type in the o'clock field depends on your time zone. In Germany, for instance, type 2 because Germany's time zone is one hour ahead of GMT or UTC (GMT+1). Apply: Click Apply to save your changes to the Business Secure Router. Reset: Click Reset to begin configuring thi
382. port can handle. For example, set the WAN interface speed to 1,000 kb/s or less if the broadband device connected to the WAN port has an upstream speed of 1,000 kb/s. Apply: Click Apply to save your changes to the Business Secure Router. Reset: Click Reset to begin configuring this screen afresh. Configuring class setup: The class setup screen displays the configured bandwidth classes by individual interface. Select an interface and click the buttons to perform the actions described next. Click the expand button to expand the class tree or click the collapse button to collapse the class tree. Each interface has a permanent root class. The bandwidth budget of the root class is equal to the speed you configured on the interface (see Configuring summary on page 302 to configure the speed of the interface). Configure subclass layers for the root class. To add or delete child classes on an interface, click BW MGMT, then the Class Setup tab. The screen appears as shown in Figure 99. Figure 99 Bandwidth Manager Class setup (BANDWIDTH MANAGEMENT: Summary, Class Setup). Class Setup: Interface WAN; Bandwidth Management Active; Root Class 100000 kbps; WAN 1 1000 kbps; WAN 2 1000 kbps. Add Sub-Class, Edit, Delete, Statistics. Filter List: Filter Service, Destination IP, Destination Port, Source IP, Source Port, Protocol, Nam
383. certificates. Until public key infrastructure becomes more mature, it is not available in some areas. You can have the Business Secure Router act as a certification authority and sign its own certificates. Configuration summary: This section summarizes how to manage certificates on the Business Secure Router. Figure 82 Certificate configuration overview (CERTIFICATES): Use the My Certificate screens to generate and export self-signed certificates or certification requests and import the CA-signed certificates. Use the Trusted CA screens to save CA certificates to the Business Secure Router. Use the Trusted Remote Hosts screens to import self-signed certificates. Use the Directory Servers screen to configure a list of addresses of directory servers that contain lists of valid and revoked certificates. My Certificates: Click CERTIFICATES, My Certificates to open a summary list of certificates and certification requests stored on the Business Secure Router. Certificates display in black and certification requests display in gray, as shown in Figure 83. Figure 83 My Certificates: PKI Storage Space in Use; Replace Factory Default Certificate; Factory Default Certificate Name: auto_generated_self_signed_cert. The factory default certificate is common to Business Secure Router m
384. server (usually a certification authority). Password: Type the password (up to 31 ASCII characters) from the entity maintaining the directory server (usually a certification authority). Apply: Click Apply to save your changes to the Business Secure Router. Cancel: Click Cancel to quit configuring this screen and return to the Directory Servers screen. 1 At the time of writing, LDAP is the only choice for directory server access protocol. Chapter 15 Bandwidth management: This chapter describes the functions and configuration of bandwidth management. Bandwidth management overview: With bandwidth management, you can allocate the outgoing capacity of an interface to specific types of traffic. It can also help you make sure that the Business Secure Router forwards certain types of traffic (especially real-time applications) with minimum delay. With the use of real-time applications such as Voice over IP (VoIP) increasing, the requirement for bandwidth allocation is also increasing. Bandwidth management addresses questions such as: • Who gets how much access to specific applications? • Which traffic must have guaranteed delivery? • How much bandwidth is allotted to guarantee delivery? With bandwidth management, you can configure the allowed output for an interface to match what the network can handle.
385. s. Total disk space required: 0.0 MB. Space available on disk: 260.9 MB. Next >. 5 In the Networking Services window, select the Universal Plug and Play check box. Figure 140 Windows XP networking services (Networking Services: To add or remove a component, click the check box. A shaded box means that only part of the component will be installed. To see what's included in a component, click Details. Subcomponents of Networking Services: RIP Listener 0.0 MB; Simple TCP/IP Services 0.0 MB; Universal Plug and Play 0.2 MB. Description: Allows your computer to discover and control Universal Plug and Play devices. Total disk space required: 0.0 MB. Space available on disk: 260.8 MB.) 6 Click OK to return to the Windows Optional Networking Component Wizard window and click Next. Using UPnP in Windows XP example: This section shows you how to use the UPnP feature in Windows XP. You must already have UPnP installed in Windows XP and UPnP activated on the device. Make sure the computer is connected to a LAN port of the device. Turn on your computer and the Business Secure Router. Autodiscover Your UPnP-enabled Network Device: 1 Click Start and Control Panel. Double-click Network Connections. An icon displays under Internet Gateway. 2 Right-click the icon and select Properties.
386. s or times out the connection s state table entry is deleted and the connection s temporary inbound access list entries are deleted Stateful inspection and the Business Secure Router Additional rules can be defined to extend or override the default rules For example a rule can be created that will block all traffic of a certain type such as IRC Internet Relay Chat from the LAN to the Internet, allow certain types of traffic from the Internet to specific hosts on the LAN, allow access to a Web server to everyone but competitors, or restrict use of certain protocols such as Telnet to authorized users on the LAN These custom rules work by evaluating the source IP address, destination IP address and IP protocol type of the network traffic and comparing these to rules set by the administrator Note The ability to define firewall rules is a very powerful tool Using custom rules it is possible to disable all firewall protection or block all access to the Internet Use extreme caution when creating or deleting firewall rules Test changes after creating them to make sure they work correctly Below is a brief technical description of how these connections are tracked Connections can either be defined by the upper protocols for instance TCP or by the Business Secure Router itself as with the virtual connections created for UDP a
387. s screen afresh ALG With Application Layer Gateway ALG an application can pass through NAT and the firewall You must also configure NAT and firewall rules depending upon the type of access you want to allow Note You must enable the FTP H.323 or SIP ALG in order to use bandwidth management on that application Configuring ALG To change the ALG settings of your Business Secure Router click SYSTEM and then ALG The screen appears as shown in Figure 21 Figure 21 ALG [SYSTEM > ALG screen: check boxes Enable FTP ALG, Enable H.323 ALG, Enable SIP ALG; Apply] Table 13 describes the labels in Figure 21 Table 13 ALG Label Description Enable FTP ALG Select this check box to allow FTP File Transfer Protocol to send and receive files through the Business Secure Router Enable H.323 ALG Select this check box to allow applications using H.323 to go through the Business Secure Router H.323 is an application layer control signaling protocol that handles the setting up altering and tearing down of voice and multimedia sessions over the Internet H.323 is used in VoIP Voice over IP the sending of voice signals over the Internet Protocol The H.323 ALG does not support H.323 Gatekeeper Enable SIP ALG Select this check box to allow SIP Session Initiat
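The ALG table above says what the FTP ALG permits but not what it has to do. Active-mode FTP embeds the client's private address and port in the PORT command, so the server's data connection would be addressed to an unroutable host unless the gateway rewrites the command and opens a matching temporary inbound entry (the "pinhole" that the stateful inspection chapter calls a temporary inbound access list entry). The following is an added example, not code from the manual or the router; the LAN client 192.168.1.10, the WAN address 203.0.113.5 and the WAN port range starting at 40000 are assumptions.

```python
import ipaddress
import re

# Added example (not the router's code): what an FTP ALG must do for active-mode
# transfers through NAT. Assumed addresses: LAN client 192.168.1.10 behind a
# router whose WAN address is 203.0.113.5.

PORT_RE = re.compile(
    rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$")


class FtpAlg:
    """Rewrites PORT commands leaving the LAN and opens matching inbound pinholes."""

    def __init__(self, wan_ip: str, first_wan_port: int = 40000):
        self.wan_ip = ipaddress.IPv4Address(wan_ip)
        self.next_port = first_wan_port
        # temporary inbound entries: WAN port -> (LAN client, LAN port)
        self.pinholes: dict[int, tuple[str, int]] = {}

    def rewrite_port(self, client_ip: str, line: bytes):
        """Return (line to send to the server, WAN port opened or None)."""
        m = PORT_RE.match(line)
        if m is None:
            return line, None                  # not a PORT command: pass through
        a, b, c, d, p_hi, p_lo = (int(x) for x in m.groups())
        if max(a, b, c, d, p_hi, p_lo) > 255:
            raise ValueError("malformed PORT argument")
        embedded = ipaddress.IPv4Address(f"{a}.{b}.{c}.{d}")
        if embedded != ipaddress.IPv4Address(client_ip):
            # The command names a host other than the sender: an FTP bounce
            # attempt. An ALG that honoured it would pinhole a third party.
            raise ValueError("PORT address does not match connection source")
        client_port = p_hi * 256 + p_lo
        wan_port = self.next_port
        self.next_port += 1
        self.pinholes[wan_port] = (str(embedded), client_port)
        octets = str(self.wan_ip).split(".")
        arg = ",".join(octets + [str(wan_port // 256), str(wan_port % 256)])
        return b"PORT " + arg.encode() + b"\r\n", wan_port

    def inbound(self, proto: str, dst_port: int):
        """Stateful check for the server's data connection: translate or refuse."""
        if proto != "tcp":
            return None
        return self.pinholes.get(dst_port)

    def close(self, wan_port: int) -> None:
        """Data transfer finished (or timed out): remove the temporary entry."""
        self.pinholes.pop(wan_port, None)


if __name__ == "__main__":
    alg = FtpAlg("203.0.113.5")
    print(alg.rewrite_port("192.168.1.10", b"PORT 192,168,1,10,4,1\r\n"))
    print(alg.inbound("tcp", 40000))
```

The address comparison is the security-relevant part: an ALG that trusts the address inside PORT turns the router into an FTP bounce relay, so the pinhole is only opened for the host that actually sent the command, and it is removed again when the transfer ends rather than left as a standing WAN-to-LAN hole.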
388. s the index number of the UPnP created NAT mapping rule entry Remote Host This field displays the source IP address on the WAN of inbound IP packets Because this is often a wildcard the field can be blank When the field is blank the Business Secure Router forwards all traffic sent to the External Port on the WAN interface to the Internal Client on the Internal Port When this field displays an external IP address the NAT rule has the Business Secure Router forward inbound packets to the Internal Client from that IP address only Table 98 UPnP Ports Label Description External Port This field displays the port number that the Business Secure Router listens on on the WAN port for connection requests destined for the Internal Port and Internal Client of the NAT rule The Business Secure Router forwards incoming packets from the WAN with this port number to the Internal Client on the Internal Port on the LAN If the field displays 0 the Business Secure Router ignores the Internal Port value and forwards requests on all external port numbers that are otherwise unmapped to the Internal Client Protocol This field displays the protocol of the NAT mapping rule TCP or UDP Internal Port This field displays the port number on the Internal Client to which the Business Secure Router forwards incoming connection requests Internal Client Th
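Two fields in Table 98 deserve a second look when auditing the UPnP Ports screen: a blank Remote Host means any WAN source may use the mapping, and an External Port of 0 forwards every otherwise unmapped port to the Internal Client, which is effectively a DMZ host created by whatever LAN application asked for it. The following is an added example, not the router's code; it resolves an inbound packet against a constructed mapping list the way the table describes and flags the mappings that expose more than one service. The addresses and the ADMIN_PORTS list are assumptions.

```python
from dataclasses import dataclass

# Added example (not the router's code): matching inbound WAN packets against
# UPnP-created mappings, including the blank Remote Host wildcard and the
# External Port 0 catch-all described in Table 98. Addresses are assumed.

ADMIN_PORTS = {22, 23, 445, 3389}   # assumed list of services worth flagging


@dataclass(frozen=True)
class Mapping:
    remote_host: str      # "" = any WAN source
    external_port: int    # 0 = every otherwise unmapped port
    protocol: str         # "TCP" or "UDP"
    internal_port: int
    internal_client: str


def resolve(mappings, src_ip, protocol, ext_port):
    """Return (internal client, internal port) for an inbound packet, or None."""
    candidates = [m for m in mappings
                  if m.protocol == protocol and m.external_port == ext_port
                  and m.remote_host in ("", src_ip)]
    # a mapping pinned to this remote host is more specific than a blank one
    candidates.sort(key=lambda m: m.remote_host == "")
    if candidates:
        m = candidates[0]
        return m.internal_client, m.internal_port
    for m in mappings:
        if (m.protocol == protocol and m.external_port == 0
                and m.remote_host in ("", src_ip)):
            return m.internal_client, ext_port   # port 0: Internal Port ignored
    return None


def exposure_report(mappings):
    """List mappings that expose more than a single service to any WAN host."""
    findings = []
    for m in mappings:
        if m.external_port == 0:
            findings.append(
                f"{m.internal_client}: all unmapped {m.protocol} ports forwarded")
        elif m.remote_host == "" and m.internal_port in ADMIN_PORTS:
            findings.append(
                f"{m.internal_client}: {m.protocol}/{m.internal_port} open to any WAN host")
    return findings


if __name__ == "__main__":
    table = [Mapping("", 5000, "TCP", 5000, "192.168.1.33"),
             Mapping("", 0, "UDP", 0, "192.168.1.36")]
    print(resolve(table, "203.0.113.9", "UDP", 8080))
    print(exposure_report(table))
```

A port-0 mapping is rarely something an administrator created on purpose; when it appears in the table, find the LAN application that requested it or disable UPnP on the device.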
389. s to HTTPS clients a Click REMOTE MGMT Write down the name of the certificate displayed in the Server Certificate field Click CERTIFICATES Find the certificate that was displayed in the Server Certificate field and check its Subject column CN stands for the common name of the certificate see Figure 118 on page 342 for an example Use this procedure to have the Business Secure Router use a certificate with a common name that matches the actual IP address of the Business Secure Router You cannot use this procedure if you need to access the WAN port and it uses a dynamically assigned IP address a Create a new certificate for the Business Secure Router that uses the IP address of the Business Secure Router port that you are trying to access as the common name of the certificate For example to use HTTPS to access a LAN port with IP address 192.168.1.1 create a certificate that uses 192.168.1.1 as the common name Go to the remote management WWW screen and select the newly created certificate in the Server Certificate field Click Apply Logon screen After you accept the certificate the Business Secure Router logon screen appears The lock displayed in the bottom right of the browser status bar denotes a secure connection Figure 115 Logon screen In
390. s visited the most often Number of times the most visited Web sites were visited The most used protocols or service ports The amount of traffic for the most used protocols or service ports The LAN IP addresses to and from which the most traffic has been sent How much traffic has been sent to and from the LAN IP addresses to and from which the most traffic has been sent Note The Web site hit count may not be 100% accurate because when an individual Web page loads it can contain references to other Web sites that also get counted as hits The Business Secure Router records Web site hits by counting the HTTP GET packets Many Web sites include HTTP GET references to other Web sites and the Business Secure Router counts these as hits too thus the Web hit count is not 100% accurate Figure 151 Reports [LOGS > Reports screen: Setup with Collect Statistics (checked), Send Raw Traffic Statistics to Syslog Server for Analysis, Apply, Reset; Statistics Report with Report Type Web Site Hits, Refresh, Flush; the example hit list shows advertising and content hosts such as ad.doubleclick.net, en.wikipedia.org, m2.2mdn.net, pagead2.googlesyndication.com, m3.doubleclick.net, www.google.com.tw, www.google.com and www.webopedia.com] Note Enabling the reporting function decreases the overall throughput by about 1 Mb/s
391. scovering your Business Secure Router when unsupported ports are probed Note In order to allow Ping on the WAN you must also configure a WAN to WAN Business Secure Router rule that allows PING ICMP 0 traffic Figure 133 Security [REMOTE MANAGEMENT > Security screen: ICMP Respond to Ping on LAN & WAN; Do not respond to requests for unauthorized services (checked); Apply, Reset] Table 96 describes the fields in Figure 133 Table 96 Security Label Description ICMP Internet Control Message Protocol is a message control and error reporting protocol between a host server and a gateway to the Internet ICMP uses Internet Protocol IP datagrams but the messages are processed by the TCP/IP software and are not directly apparent to the application user Respond to Ping The Business Secure Router does not respond to any incoming Ping requests when Disable is selected Select LAN to reply to incoming LAN Ping requests Select WAN to reply to incoming WAN Ping requests Otherwise select LAN & WAN to reply to both incoming LAN and WAN Ping requests Do not respond to requests for unauthorized services Select this option to prevent hackers from finding the Business Secure Router by probing for unused ports If you sel
392. se PPPoA or PPPoE encapsulation check the idle time out setting in the WAN screens Contact your ISP Appendix A Troubleshooting Problems accessing an Internet Web site Table 119 Troubleshooting Web Site Internet Access Problem Corrective Action Cannot connect to a Web site on the Internet Disable content filtering and clear your browser cache Try connecting to the Web site again If you can now connect to this site the content filter blocked the original access Check your content filter settings if this was not your intention If you cannot connect to the site even after you disable content filtering check your device connections and Internet access settings Your username and password can be case sensitive If device connections and Internet access settings are correct contact your ISP Problems with the password Table 120 Troubleshooting the password Problem Corrective Action Cannot access the Business Secure Router The administrator username is nnadmin The default password is PlsChgMe The Password and Username fields are case sensitive Make sure that you enter the correct password and username using the proper casing If you have changed the password and have now forgotten it you must reset the Business Secure Router to the default configuration file This restores all of the f
393. secure gateway for all data passing between the Internet and the Local Area Network LAN Your Business Secure Router integrates high speed 10/100 Megabits per second Mb/s autonegotiating LAN interfaces and a high speed Asymmetrical Digital Subscriber Line Plus ADSL2+ port into a single package The Business Secure Router is ideal for high speed Internet browsing and making LAN to LAN connections to remote networks By integrating Digital Subscriber Line DSL and Network Address Translation NAT the Business Secure Router provides easy installation and Internet access By integrating firewall and Virtual Private Network VPN capabilities the Business Secure Router is a complete security solution that protects your Intranet and efficiently manages data traffic on your network Using the embedded WebGUI you can easily set up and manage the Business Secure Router using an Internet browser Chapter 1 Getting to know your Business Secure Router Features This section lists the key features of the Business Secure Router Table 1 Feature specifications Feature Specification Number of static routes 12 Number of NAT sessions 4096 Number of SUA Single User Account servers 12 Number of address mapping rules 10 Maximum number of VPN IP Policies 60 Maximum number of VPN Tunnels Client and or Branch Office 10 Ma
394. sent blocked web site message Triangle route packet forwarded The firewall allowed a triangle route session to pass through Firewall sent TCP packet in response to DoS attack The firewall detected a DoS attack and sent TCP packets in response Firewall sent TCP reset packets The firewall sent out TCP reset packets Packet without a NAT table entry blocked The router blocked a packet that did not have a corresponding SUA NAT table entry Out of order TCP handshake packet blocked The router blocked a TCP handshake packet that came out of the proper order Drop unsupported out of order ICMP The Business Secure Router generates this log after it drops an ICMP packet due to one of the following two reasons 1 The Business Secure Router does not support the ICMP packet s protocol 2 The ICMP packet is an echo reply for which there was no corresponding echo request Router sent ICMP response packet type %d code %d The router sent an ICMP response packet This packet automatically bypasses the firewall For type and code details see Table 130 Table 129 ACL Setting Notes ACL Set Number Direction Description 1 LAN to WAN ACL set 1 for packets traveling from the LAN to the WAN 2 WAN to LAN ACL set 2 for
395. sh to display the certification path Certificate Information These read only fields display detailed information about the certificate Type This field displays general information about the certificate CA signed means that a Certification Authority signed the certificate Self signed means that the owner of the certificate signed the certificate not a certification authority X.509 means that this certificate was created and signed according to the ITU T X.509 recommendation that defines the formats for public key certificates Version This field displays the X.509 version number Serial Number This field displays the certificate identification number given by the certification authority Subject This field displays information that identifies the owner of the certificate such as Common Name CN Organizational Unit OU Organization O or Country C Issuer This field displays identifying information about the certification authority that issued the certificate such as Common Name Organizational Unit Organization or Country With self signed certificates this is the same information as in the Subject Name field Table 70 Trusted CA details Label Description Signature Algorithm This field displays the type of algorithm that was used to sign the certificate Some certification authorities
396. siness Secure Router you can also define time periods and days during which the Business Secure Router performs content filtering Configure Content Filtering Click Content Filter on the navigation panel to open the screen shown in Figure 62 Figure 62 Content filter [CONTENT FILTERING screen: Restrict Web Features with check boxes ActiveX, Java, Cookies, Web Proxy; Enable URL Keyword Blocking with Keyword field, Keyword List, Add, Delete, Clear All; Denied Access Message; Day to Block with Everyday, Sun, Mon, Tue, Wed, Thu, Fri, Sat; Time of Day to Block 24 Hour Format with All day, Start hour 0 min 0, End hour 0 min 0; Apply, Reset] Table 42 describes the fields in Figure 62 Table 42 Content filter Label Description Restrict Web Features Select the boxes to restrict a feature When you download a page containing a restricted feature that part of the web page appears blank or grayed out ActiveX A tool for building dynamic and active Web pages and distributed object applications When you visit an ActiveX Web site ActiveX controls are downloaded to your browser where they remain in case you visit the site again Java A programming language and development environment for building downloadable Web components or Internet and intranet business applica
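The screen above combines a keyword list with a day-of-week and time-of-day schedule, and the interaction is what usually surprises administrators: a keyword is only enforced while the schedule is active, and a Start time later than the End time is a window that crosses midnight. The following is an added example, not the router's code; it makes that decision for a URL at a given moment, assuming the keyword list and schedule shown in the block are the configured policy.

```python
from dataclasses import dataclass
from datetime import datetime, time
from urllib.parse import urlsplit

# Added example (not the router's code) of the decision the CONTENT FILTERING
# screen describes: keyword blocking applied only on the selected days and in
# the configured time window. Keywords and schedule are assumed values.


@dataclass
class ContentFilter:
    keywords: list
    days: set                  # {"Everyday"} or any of Mon Tue Wed Thu Fri Sat Sun
    all_day: bool = True
    start: time = time(0, 0)   # Start hour:min, used when all_day is False
    end: time = time(0, 0)     # End hour:min

    def active(self, now: datetime) -> bool:
        """Is the schedule in force at this moment?"""
        if "Everyday" not in self.days and now.strftime("%a") not in self.days:
            return False
        if self.all_day:
            return True
        t = now.time()
        if self.start <= self.end:
            return self.start <= t < self.end
        return t >= self.start or t < self.end   # window crosses midnight

    def decide(self, url: str, now: datetime):
        """Return ("allow", None) or ("block", matched keyword)."""
        if not self.active(now):
            return "allow", None
        parts = urlsplit(url.lower())
        # match host, path and query; the scheme and port are not user content
        haystack = (parts.hostname or "") + parts.path
        if parts.query:
            haystack += "?" + parts.query
        for kw in self.keywords:
            kw = kw.strip().lower()
            if kw and kw in haystack:      # plain substring match, as on the device
                return "block", kw
        return "allow", None


if __name__ == "__main__":
    office_hours = ContentFilter(["casino", "games"], {"Mon", "Tue", "Wed", "Thu", "Fri"},
                                 all_day=False, start=time(8, 0), end=time(18, 0))
    print(office_hours.decide("http://www.example-casino.com/lobby",
                              datetime(2006, 2, 22, 10, 0)))
```

Because the match is a plain substring test, short keywords over-block ("game" also catches "gamersunite") and trivial respellings evade it; keyword blocking on this class of device is a policy aid, not a security control.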
397. sing this service Select All to allow any computer to access the Business Secure Router using this service Choose Selected to just allow the computer with the IP address that you specify to access the Business Secure Router using this service Apply Click Apply to save your customized settings and exit this screen Reset Click Reset to begin configuring this screen afresh HTTPS example If you have not changed the default HTTPS port on the Business Secure Router enter https://Business Secure Router IP Address/ in your browser as the Web site address where Business Secure Router IP Address is the IP address or domain name of the Business Secure Router you wish to access Internet Explorer warning messages When you attempt to access the Business Secure Router HTTPS server a Windows dialog box appears asking if you trust the server certificate Click View Certificate if you want to verify that the certificate is from the Business Secure Router The Security Alert screen shown in Figure 112 appears in Internet Explorer Select Yes to proceed to the WebGUI logon screen if you select No then WebGUI access is blocked Figure 112 Security Alert dialog box Internet Explorer [Security Alert dialog: Information you exchange with this site cannot be viewed or changed by others However there is a problem with the site s security certificate The secu
398. ss Type your server IP address in this field Apply Click this button to save these settings and return to the VPN Branch Office IP Policy screen Reset Click this button to begin configuring this screen afresh Cancel Click this button to return to the VPN Branch Office IP Policy screen without saving your changes IKE phases There are two phases to every IKE Internet Key Exchange negotiation phase 1 Authentication and phase 2 Key Exchange A phase 1 exchange establishes an IKE SA and the second one uses that SA to negotiate SAs for IPSec Figure 74 Two phases to set up the IPSec SA [Phase 1 establishes the IKE SA; Phase 2 uses it to establish the IPSec SA] In Phase 1 you must choose a negotiation mode, authenticate the connection by entering a preshared key, choose an encryption algorithm, choose an authentication algorithm, choose a Diffie Hellman public key cryptography key group DH1 DH2 or DH5, and set the IKE SA lifetime In this field you can determine how long an IKE SA will stay up before it times out An IKE SA times out when the IKE SA lifetime period expires If an IKE SA times out when an IPSec SA is already established the IPSec SA stays connected In Phase 2 you must choose which protocol to use ESP or AH for the IPSec SA, choose an encryption algorithm, choose an authentication algorithm, and choose whether to enable Perfect Forward Secrecy PFS using
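What the two phases produce, and why the PFS choice in phase 2 matters, is easiest to see in the key derivation itself. The following is an added example, not code from the manual or the router, following the RFC 2409 derivation for pre-shared-key authentication in simplified form: HMAC-SHA-1 is used as the prf, DH group 2 (the screen's DH2) is the 1024-bit MODP group from RFC 2409 section 6.2, and the nonces, cookies, SPI and pre-shared key are constructed values so that a run is reproducible. Real IKE implementations additionally derive SKEYID_a and SKEYID_e and expand KEYMAT to the length the ciphers need; those steps are omitted here.

```python
import hashlib
import hmac
import secrets

# Added example (not the router's code): the key derivation behind the two IKE
# phases, after RFC 2409, with HMAC-SHA-1 as prf. Group 2 prime from RFC 2409 s.6.2.
P_DH2 = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
PROTO_ESP = 3          # IPSec protocol identifier for ESP (RFC 2407)


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()


def i2b(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8, "big")


def dh_public(x: int) -> int:
    return pow(G, x, P_DH2)


def dh_shared(x: int, peer_public: int) -> int:
    return pow(peer_public, x, P_DH2)


def phase1_skeyid_d(psk, ni, nr, cky_i, cky_r, x_self, peer_public):
    """Phase 1 with pre-shared key authentication:
    SKEYID   = prf(psk, Ni | Nr)
    SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0)   (seeds every phase 2 key)"""
    skeyid = prf(psk, ni + nr)
    return prf(skeyid, i2b(dh_shared(x_self, peer_public)) + cky_i + cky_r + b"\x00")


def phase2_keymat(skeyid_d, protocol, spi, ni2, nr2, qm_shared=None):
    """Quick Mode KEYMAT for one IPSec SA:
    no PFS:  prf(SKEYID_d, protocol | SPI | Ni | Nr)
    PFS:     prf(SKEYID_d, g(qm)^xy | protocol | SPI | Ni | Nr)"""
    prefix = i2b(qm_shared) if qm_shared is not None else b""
    return prf(skeyid_d, prefix + bytes([protocol]) + spi + ni2 + nr2)


def negotiate(psk, x_i, x_r, xq_i=None, xq_r=None):
    """Run both peers' computations; return (SKEYID_d, KEYMAT) they agree on.
    Pass quick-mode exponents xq_i/xq_r to enable PFS. Nonces, cookies and
    SPI are constructed constants so the run is reproducible."""
    ni, nr = b"\x01" * 16, b"\x02" * 16
    cky_i, cky_r = b"\x11" * 8, b"\x22" * 8
    spi = b"\x00\x00\x10\x01"
    d_i = phase1_skeyid_d(psk, ni, nr, cky_i, cky_r, x_i, dh_public(x_r))
    d_r = phase1_skeyid_d(psk, ni, nr, cky_i, cky_r, x_r, dh_public(x_i))
    assert d_i == d_r
    if xq_i is None:                      # PFS off: no new exponentiation
        k_i = phase2_keymat(d_i, PROTO_ESP, spi, ni, nr)
        k_r = phase2_keymat(d_r, PROTO_ESP, spi, ni, nr)
    else:                                 # PFS on: fresh DH inside Quick Mode
        k_i = phase2_keymat(d_i, PROTO_ESP, spi, ni, nr, dh_shared(xq_i, dh_public(xq_r)))
        k_r = phase2_keymat(d_r, PROTO_ESP, spi, ni, nr, dh_shared(xq_r, dh_public(xq_i)))
    assert k_i == k_r
    return d_i, k_i


if __name__ == "__main__":
    x_i, x_r = secrets.randbelow(P_DH2 - 2) + 1, secrets.randbelow(P_DH2 - 2) + 1
    print(negotiate(b"example-psk", x_i, x_r)[1].hex())
```

The practical point: without PFS every phase 2 key is a deterministic function of SKEYID_d plus values sent in the clear, so anyone who later recovers the phase 1 secret (the pre-shared key plus a recorded exchange) can recompute every IPSec key derived from it; with PFS each Quick Mode mixes in a fresh DH secret that the phase 1 material alone does not reveal.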
399. ss connectivity and communication between Windows and intelligent appliances Installing UPnP in Windows XP Follow the steps below to install UPnP in Windows XP 1 Click Start and Control Panel Double click Network Connections In the Network Connections window click Advanced in the main menu and select Optional Networking Components The Windows Optional Networking Components Wizard window appears Figure 138 Network connections [Network Connections window, Advanced menu: Operator Assisted Dialing, Dial up Preferences, Network Identification, Bridge Connections, Advanced Settings, Optional Networking Components; Network Tasks: Create a new connection] 4 Select Networking Services in the Components selection box and click Details Figure 139 Windows optional networking components wizard [Windows Optional Networking Components Wizard: Components list with Management and Monitoring Tools, Networking Services, Other Network File and Print Services; description: Contains a variety of specialized network related services and protocol
400. ssage explanations Configuring View Log With the WebGUI you can look at all of the Business Secure Router logs in one location Click LOGS to open the View Log screen Use the View Log screen to see the logs for the categories that you selected in the Log Settings screen see Configuring Log settings on page 375 Options include logs about system maintenance system errors access control allowed or blocked Web sites blocked Web features such as ActiveX controls Java and cookies attacks such as DoS and IPSec Log entries in red indicate system error logs The log wraps around and deletes the old entries after it fills Click a column heading to sort the entries A triangle indicates ascending or descending sort order Figure 149 View Log [LOGS > View Log screen: Display All Logs, Email Log Now, Refresh, Clear Log; columns # Time Message Source Destination Note; the example entries dated 02/21/2006 around 06:33 include Successful HTTP login 192.168.1.3 User: admin, Successful TELNET login 192.168.1.3 User: admin, TELNET login failed 192.168.1.3 User: admin and HTTP login failed 192.168.1.3 User: admin] Table 99 describes the fields in Figure 149 Table 99 View Log Label Description Display The categories that you select in the Log Settings p
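The View Log screen above and the firewall log messages described in Appendix B (for example "Out of order TCP handshake packet blocked") are the raw material for detection: a run of "TELNET login failed" entries from one source followed by a "Successful TELNET login" is worth an alert, and so is a WAN host repeatedly triggering handshake anomalies against the router itself. The following is an added example, not the router's code; it parses constructed log lines in the column layout of Figure 149 (pipe-separated here for convenience, which the device does not do) and reports those two patterns. The threshold, window and the sample entries are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Added example (not the router's code): detection over constructed View Log
# entries. Columns follow Figure 149 (#, Time, Message, Source, Destination,
# Note); the "|" separator and all addresses/times are assumptions.
LOG_LINES = """\
1|02/21/2006 06:33:01|TELNET login failed|192.168.1.3|192.168.1.1|User: admin
2|02/21/2006 06:33:09|TELNET login failed|192.168.1.3|192.168.1.1|User: admin
3|02/21/2006 06:33:20|TELNET login failed|192.168.1.3|192.168.1.1|User: admin
4|02/21/2006 06:33:37|Successful TELNET login|192.168.1.3|192.168.1.1|User: admin
5|02/21/2006 06:33:46|Successful HTTP login|192.168.1.3|192.168.1.1|User: admin
6|02/21/2006 06:40:02|Out of order TCP handshake packet blocked|203.0.113.77:4444|203.0.113.5:23|ACL set 4
7|02/21/2006 06:40:03|Out of order TCP handshake packet blocked|203.0.113.77:4445|203.0.113.5:23|ACL set 4
8|02/21/2006 07:10:00|HTTP login failed|192.168.1.9|192.168.1.1|User: admin
"""

LOGIN_RE = re.compile(r"^(?:Successful (?P<ok>\w+) login|(?P<fail>\w+) login failed)$")


def parse_line(line: str) -> dict:
    idx, ts, message, source, destination, note = line.split("|")
    return {"index": int(idx), "time": datetime.strptime(ts, "%m/%d/%Y %H:%M:%S"),
            "message": message, "source": source, "destination": destination,
            "note": note}


def analyze(text: str, threshold: int = 3, window_s: int = 60):
    """Return findings as tuples; order follows the log."""
    findings = []
    fails = defaultdict(deque)    # (source, service) -> times of recent failures
    flagged = set()
    handshake = defaultdict(int)  # WAN source -> out-of-order handshake count
    for rec in (parse_line(l) for l in text.splitlines() if l.strip()):
        m = LOGIN_RE.match(rec["message"])
        if m:
            key = (rec["source"], m.group("ok") or m.group("fail"))
            if m.group("fail"):
                q = fails[key]
                q.append(rec["time"])
                while (rec["time"] - q[0]).total_seconds() > window_s:
                    q.popleft()          # sliding window of failures
                if len(q) >= threshold and key not in flagged:
                    flagged.add(key)
                    findings.append(("brute_force", key[0], key[1], len(q)))
            elif fails[key]:
                # success following recent failures: possible guessed password
                findings.append(("success_after_failures", key[0], key[1]))
                fails[key].clear()
        elif rec["message"].startswith("Out of order TCP handshake"):
            handshake[rec["source"].split(":")[0]] += 1
    for src, n in handshake.items():
        findings.append(("handshake_anomaly", src, n))
    return findings


if __name__ == "__main__":
    for finding in analyze(LOG_LINES):
        print(finding)
```

On the device itself the log wraps when full, so the syslog forwarding described in the Log Settings screen is the only way to keep enough history for this kind of correlation.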
401. stream Speed 0 kbps Downstream Speed 0 kbps [WAN port statistics: node 1 ENET; LAN Port Statistics: 100M Full with packet counters 829 and 868; Poll Interval(s) 5, Set Interval, Stop] Table 109 describes the fields in Figure 159 Table 109 System Status Show Statistics Label Description System up Time This is the elapsed time the system has been up CPU Load This field specifies the percentage of CPU utilization LAN or WAN Port Statistics This is the WAN or LAN port Link Status This is the status of your WAN link Upstream Speed This is the upstream speed of your Business Secure Router Downstream Speed This is the downstream speed of your Business Secure Router Node Link This field displays the remote node index number and link type Link types are PPPoA ENET RFC 1483 and PPPoE Interface This field displays the type of port Table 109 System Status Show Statistics continued Label Description Status For the WAN port this displays the port speed and duplex setting if you are using Ethernet encapsulation and down line is down idle line ppp idle dial starting to trigger a call and drop dropping a call if you are using PPPoE encapsulation For a LAN port this shows the port speed and duplex setting TxPkts This field displays the number of packets transmitted on
402. t defined access rules They make access control decisions based on IP address and protocol They also inspect the session data to assure the integrity of the connection and to adapt to dynamic protocols These firewalls generally provide the best speed and transparency however they often lack the granular application level access control or caching that some proxies support For more information see Stateful inspection on page 161 Firewalls of one type or another have become an integral part of standard security solutions for enterprises Introduction to the Business Secure Router firewall The Business Secure Router firewall is a stateful inspection firewall designed to protect against Denial of Service attacks when activated in SMT menu 21.2 or in the WebGUI The Business Secure Router allows a private Local Area Network LAN to be securely connected to the Internet The Business Secure Router can be used to prevent theft destruction and modification of data as well as to log events which is important to the security of your network The Business Secure Router also has packet filtering capabilities The Business Secure Router is installed between the LAN and a broadband modem connecting to the Internet so that it can act as a secure gateway for all data passing between the Internet and the LAN The Business Secure Router has one ADSL WAN port and four Ethernet LAN por
403. t <ID><ID> Recv <HASH><SA><NONCE><ID><ID> Send <HASH> VPN Responder IPSec Log Figure 187 shows a typical log from the VPN connection peer Figure 187 Example VPN Responder IPSec Log [twelve entries, each dated Jan 08, followed by the prompt Clear IPSec Log (y/n): 001 Recv Main Mode request from 192.168.100.100; 002 Recv <SA>; 003 Send <SA>; 004 Recv <KE><NONCE>; 005 Send <KE><NONCE>; 006 Recv <ID><HASH>; 007 Send <ID><HASH>; 008 Phase 1 IKE SA process done; 009 Recv <HASH><SA><NONCE><ID><ID>; 010 Start Phase 2 Quick Mode; 011 Send <HASH><SA><NONCE><ID><ID>; 012 Recv <HASH>] This menu is useful for troubleshooting your Business Secure Router A log index number the date and time the log was created and a log message are displayed Note Double exclamation marks denote
404. t Networks screen as shown in Figure 107 This screen displays a list of networks that are configured for use with split and inverse split VPN tunnels Figure 107 Current split networks [Current Split Networks screen: Return to Local User Database > User Edit Page; Current Split Networks list; Add, Edit, Delete] Table 86 describes the labels in Figure 107 Table 86 Current split networks Label Description Return to Local User Database > User Edit Page Click this link to return to the screen where you configure a local user database entry Current Split Networks This is the list of names of split or inverse split networks Add Click Add to open another screen where you can specify split or inverse split networks Edit Select the name of a split or inverse split network and click Edit to open a screen where you can change the network settings Delete Select the name of a split or inverse split network and click Delete to remove the network entry Current split networks edit In the Local User Database Edit screen click Configure Network to display the Current Split Networks screen Click Add or select a network and click Edit in order to display the Current Networks Edit screen Use this screen shown in Figure 108 to configure a set of subnets to use with split or inverse split VPN tunnels
405. t is designated a public LAN server for that specific protocol Since the VPN tunnel terminates inside the LAN remote users can access all computers that use private IP addresses on the LAN Unsupported IP Applications A VPN tunnel can be created to add support for unsupported emerging IP applications IPSec architecture The overall IPSec architecture is shown as follows in Figure 64 Figure 64 IPSec architecture [IPSec algorithms: ESP protocol RFC 2406 with encryption algorithm DES, 3DES, AES or none; AH protocol RFC 2402 with authentication algorithm HMAC-MD5 RFC 2403 or HMAC-SHA-1 RFC 2404; IPSec key management: IKE or manual] The ESP Encapsulating Security Payload Protocol RFC 2406 and AH Authentication Header protocol RFC 2402 describe the packet formats and the default standards for packet structure including implementation algorithms The Encryption Algorithm describes the use of encryption techniques such as DES Data Encryption Standard AES Advanced Encryption Standard and Triple DES algorithms The Authentication Algorithms HMAC-MD5 RFC 2403 and HMAC-SHA-1 RFC 2404 provide an authentication mechanism for the AH and ESP protocols The ESP and AH
406. t on the LAN A management session through the LAN interface is an example of traffic destined for the Business Secure Router LAN interface itself You can also use LAN to LAN Business Secure Router rules with IP alias to control routing between two subnets on the LAN WAN to WAN Business Secure Router rules apply to packets coming in through the WAN interface that are destined for either the Business Secure Router WAN interface itself or a different subnet on the WAN A management session through the WAN interface is an example of traffic destined for the Business Secure Router WAN interface itself By default the Business Secure Router stops WAN computers from using the Business Secure Router as a gateway to communicate with other computers on the WAN You can configure one of these rules to allow a WAN computer to manage the Business Secure Router LAN to WAN rules The default rule for LAN to WAN traffic is that all users on the LAN are allowed unrestricted access to the WAN When you configure a LAN to WAN rule you in essence want to limit some or all users from accessing certain services on the WAN Figure 50 LAN to WAN traffic [diagram: by default all outgoing connections LAN to WAN are allowed] WAN to LAN rules The default rule for WAN to LAN traffic blocks all incoming connections WAN to LAN If you want to allow certain WAN users to have access to your LAN you
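The four rule directions above, the default action for each, and the connection tracking described under "Stateful inspection and the Business Secure Router" (state table entries created by allowed new connections, replies matched against them, entries removed on idle timeout, virtual connections for UDP) fit together into one decision procedure. The following is an added example, not the router's code, that implements that procedure over constructed packets: custom rules are evaluated in order within a direction before the direction's default applies, a TCP packet that belongs to no tracked connection must be a SYN, and a reply arriving after the idle timeout is treated as a new unsolicited connection. The LAN subnet, router addresses, timeouts and rules are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added example (not the router's code): stateful inspection with the four
# direction-based default rules. Addresses, timeouts and rules are assumed.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
ROUTER_IPS = {ipaddress.ip_address("192.168.1.1"),     # LAN interface
              ipaddress.ip_address("203.0.113.5")}     # WAN interface
IDLE_TIMEOUT = {"tcp": 3600, "udp": 60, "icmp": 30}    # seconds
DEFAULT_ACTION = {"LAN to WAN": "FORWARD", "LAN to LAN/Router": "FORWARD",
                  "WAN to LAN": "DROP", "WAN to WAN/Router": "DROP"}


@dataclass(frozen=True)
class Packet:
    ingress: str        # "LAN" or "WAN"
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN without ACK: start of a handshake


@dataclass
class Rule:
    src: str = "any"    # network in CIDR form or "any"
    dst: str = "any"
    proto: str = "any"
    dport: Optional[int] = None
    action: str = "DROP"

    def matches(self, pkt: Packet) -> bool:
        def in_net(addr, spec):
            return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)
        return (in_net(pkt.src, self.src) and in_net(pkt.dst, self.dst)
                and self.proto in ("any", pkt.proto)
                and self.dport in (None, pkt.dport))


def direction(pkt: Packet) -> str:
    dst = ipaddress.ip_address(pkt.dst)
    if pkt.ingress == "LAN":
        return "LAN to LAN/Router" if (dst in LAN_NET or dst in ROUTER_IPS) else "LAN to WAN"
    return "WAN to LAN" if dst in LAN_NET else "WAN to WAN/Router"


class StatefulFirewall:
    def __init__(self, rules=None):
        self.rules = rules or {}   # direction -> ordered list of Rule
        self.state = {}            # 5-tuple -> expiry time

    def _live(self, key, now) -> bool:
        exp = self.state.get(key)
        if exp is None:
            return False
        if exp < now:
            del self.state[key]    # idle timeout: the entry is deleted
            return False
        return True

    def process(self, pkt: Packet, now: float) -> str:
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        for k in (key, rev):
            if self._live(k, now):                  # part of a tracked connection
                self.state[k] = now + IDLE_TIMEOUT[pkt.proto]
                return "FORWARD"
        if pkt.proto == "tcp" and not pkt.syn:      # no handshake to belong to
            return "DROP"
        d = direction(pkt)
        action = DEFAULT_ACTION[d]
        for rule in self.rules.get(d, []):          # first matching custom rule wins
            if rule.matches(pkt):
                action = rule.action
                break
        if action == "FORWARD":
            self.state[key] = now + IDLE_TIMEOUT[pkt.proto]
        return action


if __name__ == "__main__":
    fw = StatefulFirewall({"LAN to WAN": [Rule(proto="tcp", dport=6667, action="DROP")]})
    print(fw.process(Packet("LAN", "tcp", "192.168.1.10", 50000, "198.51.100.7", 443, syn=True), 0))
    print(fw.process(Packet("WAN", "tcp", "198.51.100.7", 443, "192.168.1.10", 50000), 1))
```

Note how little a WAN-to-LAN allow rule needs to say: it permits the first packet, and the state table does the rest. That is also why such rules deserve the caution the manual gives them, since one over-broad entry admits whole sessions, not single packets.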
407. [illegible entry] 334 Internet Explorer warning messages 335 Netscape Navigator warning messages 335 Avoiding the browser warning messages 337 Logon screen 338 [illegible entry] 343 How SSH works 344 SSH implementation on the Business Secure Router 345 Requirements for Using SSH 345 [illegible entry] 345 Secure Telnet using SSH examples 347 Example 1 Microsoft Windows 347 Example 2 Linux 348 Secure FTP Using SSH example 349 [illegible entry] 350 Configuring TELNET 351 [illegible entry] 352 Configuring SNMP 353 Supported MIBs 355 [illegible entry] 355 REMOTE MANAGEMENT SNMP 356 [illegible entry]
408. tatic This is the address assigned to your local Business Secure Router not the remote router Remote IP Subnet Mask Leave this field set to 0 0 0 0 default to have the ISP or other remote router dynamically send its subnet mask if you do not know it Type the remote gateway s subnet mask here if you know it static Remote Node IP Address Leave this field set to 0 0 0 0 default to have the ISP or other remote router dynamically automatically send its IP address if you do not know it Type the remote gateway s IP address here if you know it static Enable SUA Using Network Address Translation NAT the router translates an Internet protocol address used within one network to a different IP address known within another network SUA Single User Account is a subset of NAT that supports two types of mapping Many to One and Server When you select this option the Business Secure Router uses Address Mapping Set 255 Clear this option to disable NAT Enable RIP Select this check box to turn on RIP Routing Information Protocol which allows a router to exchange routing information with other routers RIP Version The RIP Version field controls the format and the broadcasting method of the RIP packets that the Business Secure Router sends it recognizes both formats when receiving Choose RIP 1 RIP 2B or RIP 2M RIP 1 is universally supported but RIP 2 carries more information RIP 1
409. te becomes applicable The text displays in red and includes a Not Yet Valid message if the certificate has not yet become applicable Valid To This field displays the date that the certificate expires The text displays in red and includes an Expiring or Expired message if the certificate is about to expire or has already expired Key Algorithm This field displays the type of algorithm that was used to generate the key pair the Business Secure Router uses RSA and the length of the key set in bits 1,024 bits for example Subject Alternative Name This field displays the certificate owner s IP address IP domain name DNS or e mail address EMAIL Key Usage This field displays for what functions the key of the certificate can be used For example DigitalSignature means that the key can be used to create digital signatures and KeyEncipherment means that the key can be used to encrypt session keys Basic Constraint This field displays general information about the certificate For example Subject Type CA means that this is a certification authority certificate and Path Length Constraint 1 means that there can only be one certification authority in the certification path of the certificate MD5 Fingerprint This is the message digest of the certificate that the Business Secure Router calculated using the MD5 algorithm SHA1 Fingerprint This is the message digest
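The certificate detail fields above (Subject, Issuer, Valid From, Valid To, Subject Alternative Name, Key Usage, Basic Constraint) are exactly the inputs a browser consults before it shows the Security Alert dialog, and the remote management chapter's advice to issue a certificate whose common name equals the address you browse to is about satisfying one of those checks. The following is an added example, not the router's code, that performs those checks against a constructed record resembling the device-specific certificate of Figure 118. The "Expiring" threshold of 30 days, the dict layout and the CN-fallback behaviour are assumptions; modern browsers ignore the CN and require the address in the Subject Alternative Name.

```python
import ipaddress
from datetime import datetime, timedelta

# Added example (not the router's code): the checks a browser or operator
# performs against the fields of the certificate details screen. The
# certificate record is a constructed dict; EXPIRING_SOON is an assumption.

EXPIRING_SOON = timedelta(days=30)


def name_matches(cert: dict, target: str) -> bool:
    """Match an IP or DNS target against the SAN, falling back to the Subject CN
    (the fallback the router's CN-equals-IP-address procedure relies on)."""
    san = cert.get("san", {})
    cn = cert["subject"].get("CN", "")
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        if any(ipaddress.ip_address(a) == ip for a in san.get("IP", [])):
            return True
        return cn == str(ip)
    host = target.lower().rstrip(".")
    for pat in san.get("DNS") or [cn]:
        pat = pat.lower()
        if pat == host:
            return True
        # single-label wildcard only: *.example.com matches www.example.com,
        # not example.com and not a.b.example.com
        if pat.startswith("*.") and host.endswith(pat[1:]) and host.count(".") == pat.count("."):
            return True
    return False


def check_certificate(cert: dict, target: str, now: datetime):
    """Return the warnings the certificate raises for an access to target."""
    warnings = []
    if now < cert["valid_from"]:
        warnings.append("Not Yet Valid")
    if now > cert["valid_to"]:
        warnings.append("Expired")
    elif cert["valid_to"] - now <= EXPIRING_SOON:
        warnings.append("Expiring")
    if not name_matches(cert, target):
        warnings.append("Name mismatch")
    if cert["issuer"] == cert["subject"]:
        warnings.append("Self-signed")      # browser prompts unless imported as trusted
    if cert.get("basic_constraints", {}).get("CA"):
        warnings.append("CA certificate used as server certificate")
    if not {"DigitalSignature", "KeyEncipherment"} & set(cert.get("key_usage", [])):
        warnings.append("Key usage does not permit TLS server use")
    return warnings


# Constructed record resembling the device-specific certificate in Figure 118
DEVICE_CERT = {
    "subject": {"CN": "192.168.1.1"},
    "issuer": {"CN": "192.168.1.1"},
    "san": {"IP": ["192.168.1.1"]},
    "valid_from": datetime(2000, 1, 1),
    "valid_to": datetime(2030, 1, 1),
    "key_usage": ["DigitalSignature", "KeyEncipherment"],
    "basic_constraints": {"CA": False},
}

if __name__ == "__main__":
    print(check_certificate(DEVICE_CERT, "192.168.1.1", datetime(2006, 2, 21)))
    print(check_certificate(DEVICE_CERT, "203.0.113.5", datetime(2006, 2, 21)))
```

Two consequences follow for the device. The factory default certificate is common to every unit, so "Self-signed" is the least of its problems: anyone with another unit holds the same private key, which is why the Replace Certificate screen should be used and the device-specific certificate then imported into the administrators' browsers as trusted. And a certificate issued for the LAN address will always produce "Name mismatch" when management is done through the WAN address, which the manual notes cannot be fixed when that address is dynamic.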
410. ted remote host certificate must be a self-signed certificate, and you must remove any spaces from its file name before you can import it. Figure 93 Trusted remote host import: [screen image; CERTIFICATES > TRUSTED REMOTE HOST > IMPORT. Import: Please specify the location of the certificate file to be imported. The certificate file must be in one of the following formats: Binary X.509; PEM (Base-64 encoded) X.509; Binary PKCS#7; PEM (Base-64 encoded) PKCS#7. File Path, Browse, Apply, Cancel.] (Nortel Business Secure Router 252 Configuration Basics, 290, Chapter 14 Certificates; NN47923-500.) Table 72 describes the labels in Figure 93. Table 72 Trusted remote host import. Label / Description: File Path: Type in the location of the file you want to upload in this field, or click Browse to find it. Browse: Click Browse to find the certificate file you want to upload. Apply: Click Apply to save the certificate on the Business Secure Router. Cancel: Click Cancel to quit and return to the Trusted Remote Hosts screen. Trusted remote host certificate details: Click CERTIFICATES > Trusted Remote Hosts to open the Trusted Remote Hosts screen. Click the details icon to open the Trusted Remote Host Details screen. You can use this screen to view in-depth information about the trusted remote host certificate and change the certificate name. Figure 94 Trusted
411. ternet Explorer. Figure 116 Login screen (Netscape). Click Login to proceed. The screen shown in Figure 117 appears. The factory default certificate is a common default certificate for all Business Secure Router models. Figure 117 Replace certificate. Click Apply in the Replace Certificate screen to create a certificate, using your Business Secure Router MAC address, that is specific to this device. Click CERTIFICATES to open the My Certificates screen. You see information similar to that shown in Figure 118. Figure 118 Device-specific certificate: [screen image; CERTIFICATES > My Certificates, PKI Storage Space in Use; list entry auto_generated_self_signed_cert (SELF), subject and issuer CN Business..., valid 2000 to 2030 GMT; Import, Create, Refresh.] Click Ignore in the Replace Certificate screen to use the common Business Secure Router certificate. The My Certificates screen appears (Figure 119). Figure 119 Common Business Secure Router certificate: [screen image; PKI Storage Space in Use]
412. th the relevant data. 3 If Group authentication or On-Demand Client Tunnels are needed, click the Advanced button to configure this. Allowing remote management of a LAN-connected BCM50: 1 Create the appropriate NAT server rules to add the BCM50. Go to SUA/NAT > SUA Server and create two server rules for HTTPS and Element Manager access: one named BCM HTTPS with port number 443 and the IP address of the BCM50; one named BCM EM with the port number 5989 and the IP address of the BCM50. Note: In DHCP Server mode, the BCM50 IP address will be the lowest address in the pool. 2 Create the appropriate Firewall rules to add BCM50 access. Go to FIREWALL > Summary and create two WAN-to-LAN firewall rules: one rule allowing access from allowed remote computer IP addresses to the BCM50 IP address for service type HTTPS (TCP 443); one rule allowing access from allowed remote computer IP addresses to the BCM50 IP address for custom port TCP 5989. Setting up the router for guest access: The recommended approach to provide guest access is by creating an IP Alias and using static addressing for the corporate equipment to make it a member of the defined Alias subnet. Then use firewall rules to restrict access of the guest equipment. NOTE: if a BCM50 is used, it will also need to be assigned a static IP address. 1 Go to LAN > IP Alias and Enable
413. that someone may be trying to intercept your communication with this web site. If you suspect the certificate shown does not belong to 192.168.1.1, please cancel the connection and notify the site administrator. View Certificate. Avoiding the browser warning messages: The following section describes the main reasons that your browser displays warnings about the Business Secure Router HTTPS server certificate, and what you can do to avoid seeing the warnings. The issuing certificate authority of the Business Secure Router HTTPS server certificate is not a trusted certificate authority in the browser. The issuing certificate authority of the Business Secure Router's factory default certificate is the Business Secure Router itself, since the certificate is a self-signed certificate. For the browser to trust a self-signed certificate, import the self-signed certificate into your operating system as a trusted certificate. To have the browser trust the certificates issued by a certificate authority, import the certificate authority's certificate into your operating system as a trusted certificate. The actual IP address of the HTTPS server (the IP address of the Business Secure Router port that you are trying to access) does not match the common name specified in the Business Secure Router HTTPS server certificate that your browser received. To check the common name specified in the certificate that your Business Secure Router send
414. that faster speed limits its negotiating power, and it also does not provide identity protection. It is useful in remote access situations where the address of the initiator is not known by the responder and both parties want to use preshared key authentication. Preshared key: A preshared key identifies a communicating party during a phase 1 IKE negotiation. It is called preshared because you have to share it with another party before you can communicate with the party over a secure connection. Diffie-Hellman (DH) Key Groups: Diffie-Hellman (DH) is a public-key cryptography protocol that allows two parties to establish a shared secret over an unsecured communications channel. Diffie-Hellman is used within IKE SA setup to establish session keys. 768-bit (Group 1, DH1), 1,024-bit (Group 2, DH2) and 1,536-bit (Group 5, DH5) Diffie-Hellman groups are supported. Upon completion of the Diffie-Hellman exchange, the two peers have a shared secret, but the IKE SA is not authenticated. For authentication, use preshared keys. Perfect Forward Secrecy (PFS): Enabling PFS means that the key is transient. The key is thrown away and replaced by a brand new key using a new Diffie-Hellman exchange for each new IPSec SA setup. With PFS enabled, if one key is compromised, previous and subsequent keys are not compromised, because subsequent keys are not derived from previous keys. The time-consuming Diffie-Hellman exchan
415. the ISP using the Business Secure Router. Each host can have a separate account and a public WAN IP address. PPPoE pass-through is an alternative to NAT for applications where NAT is not appropriate. Disable PPPoE pass-through if you do not need to allow hosts on the LAN to use PPPoE client software on their computers to connect to the ISP. Subnet Mask (ENET ENCAP encapsulation only): Enter a subnet mask in dotted decimal notation. ENET ENCAP Gateway (ENET ENCAP encapsulation only): You must specify a gateway IP address (supplied by your ISP) when you select ENET ENCAP in the Encapsulation field. Apply: Click Apply to save the changes. Reset: Click Reset to begin configuring this screen afresh. Configuring WAN IP: To change the WAN IP settings of your Business Secure Router, click WAN, then the WAN IP tab. This screen varies according to the type of encapsulation you select. If your ISP did not assign you a fixed IP address, click Get automatically from ISP (Default); otherwise, click Use fixed IP Address and enter the IP address in the field My WAN IP Address. Figure 27 WAN IP. Table 19 describes the fields in Figure 27. Table 19 WAN IP. Label / Description: Get automatically from ISP: Select this option if your ISP did not assign y
416. this port. RxPkts: This field displays the number of packets received on this port. Errors: This field displays the number of error packets on this port. Tx B/s: This field displays the number of bytes transmitted in the last second. Rx B/s: This field displays the number of bytes received in the last second. Up Time: This field displays the elapsed time this port has been up. Collisions: This is the number of collisions on this port. Poll Interval(s): Type the time interval for the browser to refresh system statistics. Set Interval: Click this button to apply the new poll interval you entered in the Poll Interval field above. Stop: Click this button to halt the refreshing of the system statistics. DHCP Table screen: With DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132), individual clients can obtain TCP/IP configuration at start-up from a server. You can configure the Business Secure Router as a DHCP server or disable it. When configured as a server, the Business Secure Router provides the TCP/IP configuration for the clients. If set to None, DHCP service is disabled and you must have another DHCP server on your LAN, or else the computer must be configured manually. Click MAINTENANCE and then the DHCP Table tab. Read-only information here relates to your DHCP status. The DHCP table shows current DHCP Client information (including IP Address, Host Name and MAC Address) of all network clients using the DHCP server
417. tick.stdtime.gov.tw, tock.stdtime.gov.tw, time.stdtime.gov.tw. Configuring Time and Date: To change the time and date of your Business Secure Router, click SYSTEM and then Time and Date. The screen in Figure 20 appears. Use this screen to configure the time based on your local time zone. Figure 20 Time and Date: [screen image; SYSTEM > Time and Date. Current Time and Date: Current Time 00:02:32, Current Date 2000-01-01. Time and Date Setup: Manual (New Time hh:mm:ss, New Date yyyy-mm-dd); Get from Time Server (Time Protocol NTP (RFC 1305), Time Server Address (Optional: there is a predefined NTP time server list), Synchronize Now). Time Zone Setup: Time Zone (GMT) Greenwich Mean Time: Dublin, Edinburgh, Lisbon, London; Enable Daylight Saving, Start Date, End Date.] Table 12 describes the fields in Figure 20. Table 12 Time and Date. Label / Description: Current Time and Date: Current Time: This field displays the time on your Business Secure Router. Each time you reload this page, the Business Secure Router synchronizes the time with the time server. Current Date: This field displays the date on your Business Secure Router
418. tination 0.0.0.0; User Authentication: User Name, Password; Advanced; Apply; Cancel. Table 48 VPN Contivity Client rule setup. Label / Description: Connection Type: Select Branch Office to manually configure a VPN rule. This has the Business Secure Router operate as a VPN router. Select Contivity Client to use a simple VPN rule that lets you define and store connection information for accessing your corporate network through an IPSec router. This has the Business Secure Router operate as a VPN client. Active: Select this check box to turn on this rule. Clear this check box if you do not want to use this rule after you apply it. If you want to set the Contivity Client rule to active, you must set all other VPN rules to inactive. To set a Contivity Client rule to active, all of the other VPN rules must be disabled. Keep Alive: Select this check box to turn on the Keep Alive feature for this SA. Turn on Keep Alive to have the Business Secure Router automatically reinitiate the SA after the SA lifetime times out, even if there is no traffic. The remote IPSec router must also have keep alive enabled in order for this feature to work. Description: Enter a brief description about this rule for identification purposes. Table 48 VPN Contivity Client rule setup (continued). Label / Description: Destination
419. tion by clicking Cancel. [Dialog: Do you want to save the new host key to the local database? Yes / No / Cancel / Help.] Enter the password to log on to the Business Secure Router. The SMT main menu appears. Example 2: Linux. This section describes how to access the Business Secure Router using the OpenSSH client program that comes with most Linux distributions. 1 Test whether the SSH service is available on the Business Secure Router. Enter telnet 192.168.1.1 22 at a terminal prompt and press ENTER. The computer attempts to connect to port 22 on the Business Secure Router, using the default IP address of 192.168.1.1. A message displays indicating the SSH protocol version supported by the Business Secure Router. Figure 124 SSH Example 2: Test: $ telnet 192.168.1.1 22 / Trying 192.168.1.1... / Connected to 192.168.1.1. / Escape character is '^]'. / SSH-1.5-1.0.0. 2 Enter ssh -1 192.168.1.1. This command forces your computer to connect to the Business Secure Router using SSH version 1. If this is the first time you are connecting to the Business Secure Router using SSH, a message appears prompting you to save the host information of the Business Secure Router. Type yes and press ENTER. Enter the password to log on to the Business Secure Router. Figure 125 SSH Exam
420. tion request. 0: Information request message. 16 Information reply: 0: Information reply message. Table 131 Syslog. Log Message / Description: Mon dd hr:mm:ss hostname src="<srcIP:srcPort>" dst="<dstIP:dstPort>" msg="<msg>" note="<note>": This message is sent by the RAS when this syslog is generated. The messages and notes are defined in this appendix. VPN/IPSec Logs: To view the IPSec and IKE connection log, type 3 in menu 27 and press ENTER to display the IPSec log, as shown in Figure 186, which shows a typical log from the initiator of a VPN connection. Figure 186 Example VPN Initiator IPSec Log: [log listing, entries 001 to 012, all dated Jan 08; entries 001 to 003 at 02:22, 004 and 005 at 02:24, 006 to 012 at 02:26: 001 Send Main Mode request to <192.168.100.101>; 002 Send:<SA>; 003 Recv:<SA>; 004 Send:<KE><NONCE>; 005 Recv:<KE><NONCE>; 006 Send:<ID><HASH>; 007 Recv:<ID><HASH>; 008 Phase 1 IKE SA process done; 009 Start Phase 2: Quick Mode; 010 Send:<HASH><SA><NONCE... Prompt at the bottom of the screen: Clear IPSec Log (y/n)]
421. tions of all kinds. Cookies: Used by Web servers to track usage and provide service based on ID. Web Proxy: A server that acts as an intermediary between a user and the Internet to provide security, administrative control and caching service. When a proxy server is located on the WAN, it is possible for LAN users to circumvent content filtering by pointing to this proxy server. Enable URL Keyword Blocking: The Business Secure Router can block Web sites with URLs that contain certain keywords in the domain name or IP address. For example, if the keyword "bad" was enabled, all sites containing this keyword in the domain name or IP address will be blocked; for example, the URL http://www.website.com/bad.html is blocked. Select this check box to enable this feature. Keyword: Type a keyword in this field. You can use any character (up to 64 characters). Wildcards are not allowed. You can also enter a numerical IP address. Keyword List: This list displays the keywords already added. Add: Click Add after you have typed a keyword. Repeat this procedure to add other keywords. Up to 64 keywords are allowed. When you try to access a web page containing a keyword, you will receive a message telling you that the content filter is blocking this request. Delete: Highlight a keyword in the lower box and click Delete to remove it. The keyword disappears from the text box after you click Apply. Clear All: Click this button to remove all of th
422. tribution through floppy disk, for example. Export: Click this button and then Save in the File Download screen. The Save As screen displays; browse to the location that you want to use and click Save. Apply: Click Apply to save your changes to the Business Secure Router. You can only apply changes to the name, set the Business Secure Router to check the CRL issued by the certification authority before trusting a certificate issued, or both. Cancel: Click Cancel to quit and return to the Trusted CAs screen. Trusted remote hosts: Click CERTIFICATES > Trusted Remote Hosts to open the Trusted Remote Hosts screen (see Figure 90). This screen displays a list of the certificates of peers that you trust but which are not signed by one of the certification authorities on the Trusted CAs screen. You do not need to add any certificate that is signed by one of the certification authorities on the Trusted CAs screen, because the Business Secure Router automatically accepts any valid certificate signed by a trusted certification authority as being trustworthy. Figure 90 Trusted remote hosts: [screen image; CERTIFICATES tabs: My Certificates, Trusted CAs, Trusted Remote Hosts, Directory Servers; PKI Storage Space in Use; Trusted Remote Host Certificates list with Issuer column, showing My Default Self-signed Certificate, CN Business Secure Router Factory Default Certificate]
423. ts, which are used to physically separate the network into two areas. The WAN (Wide Area Network) port attaches to the broadband modem (cable or ADSL) connecting to the Internet. The LAN (Local Area Network) port attaches to a network of computers which needs security from the outside world. These computers have access to Internet services such as e-mail, FTP and the World Wide Web. However, inbound access is not allowed unless the remote host is authorized to use a specific service. Figure 45 Business Secure Router firewall application: [figure image]. Denial of Service: Denial of Service (DoS) attacks are aimed at devices and networks with a connection to the Internet. Their goal is not to steal information, but to disable a device or network so users no longer have access to network resources. The Business Secure Router is preconfigured to automatically detect and thwart currently known DoS attacks. Basics: Computers share information over the Internet using a common language called TCP/IP. TCP/IP, in turn, is a set of application protocols that perform specific functions. An extension number, called the TCP port or UDP port, identifies these protocols, such as HTTP (Web), FTP (File Transfer Protocol) and POP3 (E-mail). For example, Web traffic uses TCP port 80 by default.
424. ts over at 0 if a Web site passes the hit count limit. Viewing Protocol/Port: In the Reports screen, select Protocol/Port from the Report Type drop-down list to have the Business Secure Router record and display which protocols or service ports have been used the most, and the amount of traffic for the most used protocols or service ports. Figure 153 Protocol/Port report example: [screen image; LOGS (View Log, Log Settings, Reports). Setup: Collect Statistics, Send Raw Traffic Statistics to Syslog Server for Analysis, Apply, Reset. Statistics Report: Report Type Protocol/Port, Refresh, Flush. 1 HTTP (TCP:80) Incoming 2610 bytes; 2 HTTP (TCP:80) Outgoing 1217 bytes; 3 [illegible] Incoming 255 bytes; 4 [illegible] Outgoing 123 bytes.] Table 103 describes the fields in Figure 153. Table 103 Protocol/Port Report. Label / Description: Protocol/Port: This column lists the protocols or service ports for which the most traffic has gone through the Business Secure Router. The protocols or service ports are listed in descending order, with the most used protocol or service port listed first. Direction: This column lists the direction of travel of the traffic belonging to each protocol or service port listed. Incoming refers to traffic that
425. tual Circuit to the Internet Service Provider's (ISP) DSLAM (Digital Subscriber Line Access Multiplexer). For more information about PPPoA, refer to RFC 2364. For more information about PPP, refer to RFC 1661. RFC 1483: RFC 1483 describes two methods for Multiprotocol Encapsulation over ATM Adaptation Layer 5 (AAL5). Using the first method, you can multiplex multiple protocols over a single ATM virtual circuit (LLC-based multiplexing). The second method assumes that each protocol is carried over a separate ATM virtual circuit (VC-based multiplexing). For more detailed information, see RFC 1483. Multiplexing: There are two conventions to identify which protocols the virtual circuit (VC) carries. Be sure to use the multiplexing method required by your ISP. VC-based multiplexing: In this case, by prior mutual agreement, each protocol is assigned to a specific virtual circuit; for example, VC1 carries IP. VC-based multiplexing can be dominant in environments where dynamic creation of large numbers of ATM VCs is fast and economical. LLC-based multiplexing: In this case, one VC carries multiple protocols, with protocol-identifying information being contained in each packet header. Despite the extra bandwidth and processing overhead, this method can be advantageous if it is not practical to have a separate VC for each carried protocol; for example, if charging heavily depends on the number of simultane
426. tual Path Identifier) and VCI (Virtual Channel Identifier) define a virtual circuit. VPI: Enter the VPI assigned to you. This field can already be configured. VCI: Enter the VCI assigned to you. This field can already be configured. Next: Click this button to go to the next wizard screen. The next wizard screen you see depends on which encapsulation you chose above. IP address and subnet mask: Similar to the way houses on a street share a common street name, so too do computers on a LAN share one common network number. Where you obtain your network number depends on your particular situation. If the ISP or your network administrator assigns you a block of registered IP addresses, follow their instructions in selecting the IP addresses and the subnet mask. If the ISP did not explicitly give you an IP network number, you most likely have a single user account and the ISP assigns you a dynamic IP address when the connection is established. The Internet Assigned Number Authority (IANA) reserved this block of addresses specifically for private use; do not use any other number unless you are told otherwise. For example, you select 192.168.1.0 as the network number, which covers 254 individual addresses, from 192.168.1.1 to 192.168.1.254 (0 and 255 are reserved). In other words, the first three numbers specify the network number, while the last number identifies an individual computer on that net
427. [screen image residue]. Table 30 describes the fields in Figure 42. Table 30 IP Static Route summary. Label / Description: Number of an individual static route. Name: Name that describes or identifies this route. Active: This field shows whether this static route is active (Yes) or not (No). Destination: This parameter specifies the IP network address of the final destination. Routing is always based on network number. Gateway: This is the IP address of the gateway. The gateway is a router or switch on the same network segment as the Business Secure Router LAN or WAN port. The gateway helps forward packets to their destinations. Edit: Click a static route index number and then click Edit to set up a static route on the Business Secure Router. Configuring Route entry: Select a static route index number and click Edit. The screen is illustrated in Figure 44. Fill in the required information for each static route. Figure 44 Edit IP Static Route: [screen image; STATIC ROUTE > EDIT: Route Name, Active, Destination IP Address, IP Subnet Mask, Gateway IP Address, Metric, Private, Apply.] Table 31 describes the fields in Figure 44. Table 31 Edit IP Static Route. Label / Description: Route Name: Enter the name of the IP static route. Leave this field blank to delete this static
428. u enter your computer name in this field. This name can be up to 30 alphanumeric characters long. Spaces, dashes (-) and underscores (_) are accepted. Domain Name: Enter the domain name (if you know it) here. If you leave this field blank, the ISP assigns a domain name through DHCP. The domain name entered by you is given priority over the ISP-assigned domain name. Administrator Inactivity Timer: Type how many minutes a management session (either through the WebGUI or SMT) can be left idle before the session times out. The default is 5 minutes. After it times out, you have to log in with your password again. Very long idle timeouts can have security risks. A value of 0 means a management session never times out, no matter how long it has been left idle (not recommended). Apply: Click Apply to save your changes to the Business Secure Router. Reset: Click Reset to begin configuring this screen afresh. Table 8 System general setup (continued). Label / Description: System DNS Servers (if applicable): DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is extremely important, because without it you must know the IP address of a machine before you can access it. The Business Secure Router uses a system DNS server (in the order you specify here) to resolve domain
429. ubject name did not pass the path verification. The recorded reason codes are only approximate reasons for not trusting the certificate. See Table 136 for the corresponding descriptions of the codes. Table 136 Certificate Path Verification Failure Reason Codes. Code / Description: 1 Algorithm mismatch between the certificate and the search constraints. 2 Key usage mismatch between the certificate and the search constraints. 3 Certificate was not valid in the time interval. 4 Not used. 5 Certificate is not valid. 6 Certificate signature was not verified correctly. 7 Certificate was revoked by a CRL. 8 Certificate was not added to the cache. 9 Certificate decoding failed. 10 Certificate was not found (anywhere). 11 Certificate chain looped (did not find trusted root). 12 Certificate contains critical extension that was not handled. 13 Certificate issuer was not valid (CA-specific information missing). 14 Not used. 15 CRL is too old. 16 CRL is not valid. 17 CRL signature was not verified correctly. 18 CRL was not found (anywhere). 19 CRL was not added to the cache. 20 CRL decoding failed. 21 CRL is not currently valid, but in the future. 22 CRL contains duplicate
430. ule set to take effect (24-Hour Format). Duration Time: Enter the maximum length of time (in hour:minute format) that the schedule set is to apply the action configured in the Action field. The limit is 24 hours (24-Hour Format). Action: Select an action for the schedule set to take. Forced On means that the connection is maintained whether or not there is a demand call on the line, and persists for the time period specified in the Duration field. Forced Down means that the connection is blocked whether or not there is a demand call on the line. Enable Dial On Demand means that this schedule permits a demand call on the line. Disable Dial On Demand means that this schedule prevents a demand call on the line. Apply: Click Apply to save your changes to the Business Secure Router. Cancel: Click Cancel to exit this screen without saving. Applying Schedule Sets to a remote node: Once your schedule sets are configured, you must then apply them. Apply schedule sets in the WAN IP screen. You can apply schedule sets for the dial backup connection (refer to Configuring Dial Backup on page 119). Click WAN > Dial Backup to display the Dial Backup screen, as shown in Figure 157. Use the screen to apply up to four schedule sets. Figure 157 Applying Schedule
431. umber of simultaneous IPSec tunnels connected to it and they all have nailed up enabled, no other tunnels can take a turn connecting to the Business Secure Router, because the Business Secure Router does not drop the tunnels that are already connected (unless there is outbound traffic with no inbound traffic). Note: No matter whether or not nailed up is set, when there is outbound traffic with no inbound traffic, the Business Secure Router automatically drops the tunnel after two minutes. NAT Traversal: NAT traversal allows you to set up a VPN connection when there are NAT routers between the Business Secure Router and the remote IPSec router. Figure 68 NAT router between IPSec routers: [figure image; NAT Router]. Normally, you cannot set up a VPN connection with a NAT router between the two IPSec routers, because the NAT router changes the header of the IPSec packet. In the previous figure, IPSec router A sends an IPSec packet in an attempt to initiate a VPN. The NAT router changes the header of the IPSec packet so it does not match the header for which IPSec router B is checking. Therefore, IPSec router B does not respond and the VPN connection cannot be built. NAT traversal solves the problem by adding a UDP port 500 header to the IPSec packet. The NAT router forwards the IPSec packet with the UDP port 500 header unchanged. IPSec router B checks the UDP port 50
432. up all the time. The Business Secure Router tries to bring up the connection automatically if it is disconnected. The schedule rules in SMT menu 26 have priority over your Connection settings. Network Address Translation: This option is available if you select Routing in the Mode field. Select None, SUA Only or Full Feature from the drop-down list box. For more details, see Chapter 8, Network Address Translation (NAT) Screens, on page 129. Back: Click Back to go back to the first wizard screen. Next: Click Next to continue to the next wizard screen. Figure 10 Internet connection with RFC 1483: [screen image; Wizard Setup, ISP Parameters for Internet Access: IP Address 0.0.0.0, Network Address Translation SUA Only, Back, Next.] Table 4 describes the fields in Figure 10. Table 4 Internet connection with RFC 1483. Label / Description: IP Address: This field is available if you select Routing in the Mode field. Type your ISP-assigned IP address in this field. Table 4 Internet connection with RFC 1483 (continued). Network Address Translation: Select None, SUA Only or Full Feature from the drop-down list box. For more details, see Chapter 8, Network Address Translation (NAT) Screens, on page 129. Back: Click Back to go back to the first wizard screen. Next: Click Next to continue to the n
433. Packet filtering firewalls: Packet filtering firewalls restrict access based on the source or destination computer network address of a packet and the type of application. Application-level firewalls: Application-level firewalls restrict access by serving as proxies for external servers. Because they use programs written for specific Internet services, such as HTTP, FTP and Telnet, they can evaluate network packets for valid application-specific data. Application-level firewalls have a number of general advantages over the default mode of permitting application traffic directly to internal hosts: 1 Information hiding prevents the names of internal systems from being made known (through DNS) to outside systems, because the application gateway is the only host whose name must be made known to outside systems. 2 Robust authentication and logging preauthenticates application traffic before it reaches internal hosts and causes it to be logged more effectively than if it were logged with standard host logging. 3 Filtering rules at the packet filtering router can be less complex than if the router needed to filter application traffic and direct it to a number of specific systems. The router need only allow application traffic destined for the application gateway and reject the rest. Stateful Inspection firewalls: Stateful inspection firewalls restrict access by screening data packets agains
434. uter if you click Apply in the VPN Contivity Client screen.
Cancel: Click Cancel to return to the VPN Contivity Client Rule Setup screen without saving your changes.

Note: Click Apply in the VPN Contivity Client screen to save the Group Authentication settings.

ID Type and content
With aggressive negotiation mode (see Negotiation Mode on page 240 for more information), the Business Secure Router identifies incoming SAs by ID type and content, since this identifying information is not encrypted, so that it can distinguish between multiple rules for SAs that connect from remote IPSec routers that have dynamic WAN IP addresses. Telecommuters can use separate passwords to simultaneously connect to the Business Secure Router from IPSec routers with dynamic IP addresses.

Note: Regardless of the ID type and content configuration, you cannot save multiple active rules with overlapping local and remote IP addresses with the Business Secure Router.

With the main negotiation mode (see Negotiation Mode on page 240 for more information), the ID type and content are encrypted to provide identity protection. In this case the Business Secure Router can only distinguish between up to 12 different incoming SAs that connect from remote IPSec routers that have dynamic WAN IP addresses. The Business Secure Router can distinguish up to 12 incoming SAs because you can select between two encryption algorithms (DES and 3DES),
435. vice that is not in the predefined list of services.
Edit: Select a custom service (denoted by an *) from the Available Services list and click this button to edit the service.
Delete: Select a custom service (denoted by an *) from the Available Services list and click this button to remove the service.
Action for Matched Packets: Use the drop-down list to select whether to discard (Block) or allow the passage of (Forward) packets that match this rule.
Log: This field determines if a log is created for packets that match the rule (Match), don't match the rule (Not Match), both (Both), or no log is created (None). Go to the Log Settings page and select the Access Control logs category to have the Business Secure Router record these logs.
Alert: Check the Alert check box to determine that this rule generates an alert when the rule is matched.
Apply: Click Apply to save your changes to the Business Secure Router and exit this screen.
Cancel: Click Cancel to exit this screen without saving.

NN47923-500, Chapter 11 Firewall screens, 181

Configuring source and destination addresses
To add a new source or destination address, click SrcAdd or DestAdd from the previous screen. To edit an existing source or destination address, select it from the box and click SrcEdit or DestEdit from the previous screen. Either action displays the screen shown in Figure 54.

Figure 54 Adding or editing s
436. vulnerability. For example, if FTP ports (TCP 20, 21) are allowed from the Internet to the LAN, Internet users can connect to computers running FTP servers.
4. Does this rule conflict with any existing rules?

Once these questions have been answered, adding rules is simply a matter of plugging the information into the correct fields in the WebGUI screens.

Key fields for configuring rules
Action: Set the action to either Block or Forward.
Note: Block means the firewall silently discards the packet.
Service: Select the service from the Service scrolling list box. If the service is not listed, it is necessary to first define it. For more information on predefined services, see Predefined services on page 186.
Source address: What is the source address of the connection; is it on the LAN or WAN? Is it a single IP, a range of IPs, or a subnet?
Destination address: What is the destination address of the connection; is it on the LAN or WAN? Is it a single IP, a range of IPs, or a subnet?

Connection direction examples
This section describes examples for firewall rules for connections going from LAN to WAN and from WAN to LAN.

LAN to LAN
Business Secure Router rules apply to packets coming in through the LAN interface that are destined for either the Business Secure Router LAN interface itself or a different subne
437. work. After you select the network number, pick an IP address that is easy to remember, for instance 192.168.1.1, for your Business Secure Router. Make sure that no other device on your network is using that IP address.

The subnet mask specifies the network number portion of an IP address. Your Business Secure Router computes the subnet mask automatically based on the IP address that you entered. You do not need to change the subnet mask computed by the Business Secure Router unless you are instructed to do so.

IP address assignment
A static IP is a fixed IP that your ISP gives you. A dynamic IP is not fixed; the ISP assigns you a different one each time. The Single User Account feature can be enabled or disabled if you have either a dynamic or static IP. However, the encapsulation method assigned influences your choices for IP address and ENET ENCAP gateway.

IP assignment with PPPoA or PPPoE encapsulation
If you have a dynamic IP, the IP Address and ENET ENCAP Gateway fields are not applicable (N/A). If you have a static IP, then you only need to fill in the IP Address field and not the ENET ENCAP Gateway field.

IP assignment with RFC 1483 encapsulation
In this case the IP address assignment must be static, with the same requirements for the IP Address and ENET ENCAP Gateway fields as stated above.

IP assignment with ENET ENCAP encapsulatio
438. ximum number of concurrent VPN IPSec Connections: 60
Number of IP pools that can be used to assign IP addresses to remote users for VPN client termination: 3
Number of configurable split networks for VPN client termination: 16
Number of configurable inverse split networks for VPN client termination: 16
Number of configurable subnets per split network for VPN client termination: 64

Physical features

High speed Internet access
Your Business Secure Router supports ADSL2 (Asymmetrical Digital Subscriber Line) for high transmission speeds and long connection distances.

ADSL standards
- Multimode standard (ANSI (American National Standards Institute) T1.413, Issue 2; G.dmt (G.992.1) Discrete Multitone Modulation)
- EOC (Embedded Operations Channel) specified in ITU-T (Telecommunication Standardization Sector of the International Telecommunications Union) G.992.1
- ADSL2 (G.dmt.bis, G.992.3)
- ADSL2+ (G.992.5)
- Extended reach ADSL (ER ADSL)
- SRA (Seamless Rate Adaptation)
- Autonegotiating rate adaptation
- ADSL physical connection: ATM (Asynchronous Transfer Mode) AAL5 (Adaptation Layer type 5)
- Multiprotocol over AAL5 (Request For Comments (RFC) 2684/1483)
- Support Point-to-Point Protocol over ATM AAL5 (PPPoA) (RFC 2364)
- PPP over Ethernet support for DSL (Digital Subscriber Line) connection (RFC 2516)
- Support Virtual Circuit (VC) based and LLC (Log
439. y. When set to Both or In Only, it incorporates the RIP information that it receives; when set to None, it does not send any RIP packets and ignores any RIP packets received. None is the default.

Table 14 LAN IP
Label: Description
RIP Version: The RIP Version field controls the format and the broadcasting method of the RIP packets that the Business Secure Router sends; it recognizes both formats when receiving. RIP-1 is universally supported, but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you have an unusual network topology. Both RIP-2B and RIP-2M send the routing data in RIP-2 format, the difference being that RIP-2B uses subnet broadcasting while RIP-2M uses multicasting. Multicasting can reduce the load on non-router machines, since they generally do not listen to the RIP multicast address and so do not receive the RIP packets. However, if one router uses multicasting, then all routers on your network must use multicasting also. By default, RIP direction is set to Both and the Version set to RIP-1.
Multicast: Select IGMP-V1 or IGMP-V2 or None. IGMP (Internet Group Multicast Protocol) is a network layer protocol used to establish membership in a Multicast group; it is not used to carry user data. IGMP version 2 (RFC 2236) is an improvement over version 1 (RFC 1112), but IGMP version 1 is still in wide use. If you want to read more d