Netopia S9500 Security Appliance Firewall
Contents
1. B-110 Reference Guide

get hostname
Syntax: get hostname
Description: Show the name of the 9500 device.
Example: To show the name of the S9500 device:
ns> get hostname
See Also: set/unset hostname

get hsa
Syntax: get hsa
Description: Show high availability group information. The information shows which high availability group this S9500 participates in and whether it is currently a master or slave. A group id of 0 turns off the high availability function.
Example: To show the high availability group information:
ns> get hsa
See Also: set/unset hsa

get ike
Syntax: get ike conn entry | cookies | ring
Description: Show current connections, cookies, and preshared keys (ring) for IKE.
Example: To show all the current IKE connections:
ns> get ike conn entry
To show all IKE cookies:
ns> get ike cookies
To show all preshared keys in the IKE ring:
ns> get ike ring
See Also: set/unset ike, clear ike

Command Line Interface B-111

get interface
Syntax: get interface
Description: Show the network interface settings. The System IP is the IP address that is used to administrate the system through the Web management interface or Telnet protocol. The Web management interface port number is shown as well. The Admin IP address specifies either a single machine or a network of machines where the administrator can bring up the Web manageme
2. 6. Click OK. Up to six services per Virtual IP can be configured.

To remove an existing Virtual IP:
Note: The Virtual IP field is not editable or removable when there are existing policies using its definition.
1. From the Web browser, in the Web Administration Tools, click the Network Virtual IP button. The Virtual IP page appears with the Virtual IP 1, Virtual IP 2, IP Mapping, and Dynamic IP tabs.
2. Select either of the Virtual IP tabs and click the link at the top of the page. The Virtual IP Configuration page appears.
3. Select the IP address and click Clear, or enter 0.0.0.0 as the IP address.

Configuration and Monitoring 3-39

Mapped IP
Mapped IP is a direct one-to-one map of an IP address. The S9500 can support up to 1000 entries. Each entry represents only one IP address. The 9500 will route IP addresses to the DMZ subnet if the DMZ has been defined. All other IP addresses will be mapped to the Trusted IP network, or to the Trusted IP Gateway if defined.
Note: A policy must be defined allowing the mapped IP address to be accessed. No address book entry is required for Mapped IP. The Mapped IP address will automatically appear in the Policy Configuration Source selection pop-up window.

To enable Mapped IP:
1. From the Web browser, in the Web Administration Tools, click the Network Virtual IP button. The Virtual IP page appears with the Virtual IP 1, Virtual IP 2, IP Mapping, and Dynamic IP tabs. Select the IP Mapping tab.
3. See Also: clear arp, get arp

B-86 Reference Guide

auth
Syntax:
set auth secret <string>
set auth server ip <ip addr>
set auth timeout <number>
set auth type <auth type>
unset auth secret | server ip | timeout
unset auth type 0 | 1 | 2
Description: set auth is used to configure the method and parameters used by the 9500 for the user authentication method selected. The methods available are the 9500 built-in database or an external Radius server. The S9500 device configures the same secret string as the Radius server for protecting the messages sent between them.
Default: The S9500 built-in user database is used. User idle timeout is 10 minutes.
Example: To define the Radius shared secret to mysecret:
ns> set auth secret mysecret
To use the built-in user database of the S9500 device for user authentication:
ns> set auth type 0
See Also: clear auth, get auth

clock
Syntax: set clock <mm dd yy hh mm>
Description: Define the system time in the format of mm dd yy hh mm, which stands for month, day, year, hour, and minute. Specify the hour and minute in the 24-hour format.
Example: To define the system time as November 11, 2001 at 1:30 PM:
ns> set clock 11 03 2001 13 30

console
Command Line Interface B-87
Syntax:
set console dbuf | disable
set console page | timeout <number>
unset console dbuf
4. E-Mail Address 2: The e-mail address of the second user to be notified.
2. Click Apply to have your changes take effect.

Syslog Configuration
The S9500 generates syslog messages for system events such as security alerts and system events. Messages are sent to the syslog host over UDP. Syslog messages may be used by the syslog host to create e-mail alerts and log files, or the messages may be displayed on the console of a designated host using UNIX syslog conventions. Your Syslog server must be located on the Trusted side of the 9500.
1. From the Web browser, in the Web Administration Tools menu, click the System Admin button. The Administration page appears with the Admin and Sys Log tabs. Select the Sys Log tab.

Configuration and Monitoring 3-31

2. To enable syslog, select Enable Syslog Messages and enter the following information:
Field / Information
Syslog Host IP Address: The IP address of the Syslog host. The Syslog host must be located on the Trusted side of the S9500.
Syslog Host Port: The port number that the Syslog UDP packets will be sent on. The default is 514.
Security Facility: The level of security facility. The default is Local0.
Facility: The level of facility. The default is Local0.
Priority: The minimum priority level of a message to be sent. Only log messages with a priority level of the selected level or higher are sent. Select one of the following priority levels:
EMERGENCY: System unusable message
5. 2. Click New Entry in the lower left-hand corner of the screen. The IP Mapping Configuration page appears.
3. Enter the following information:
Field / Information
Untrusted IP Address: The IP address that is being configured.
Network NetMask: The subnet mask of the mapped address.
Map to IP Address: The IP address of the host to receive mapped traffic.
4. Click OK.

Dynamic IP
Dynamic IP allocates an IP address for those applications (e.g., Rlogin) for which it is necessary to use more than one IP address when the S9500 is in NAT mode. Configuring Dynamic IP creates an IP address pool that outgoing traffic can use for the IP source/destination. These configuration rules must be followed:
- IP addresses must be in the same subnet as the Untrusted interface and must be part of the IP addresses assigned by the Internet service provider (ISP).
- The S9500 can support up to 4 entries.
- Each entry can represent either a single IP address or a range of contiguous IP addresses, with no more than 255 in a range.
- An IP address configured for Dynamic IP use cannot be used for Virtual IP or Mapped IP.

To enable Dynamic IP:
1. From the Web browser, in the Web Administration Tools, click the Network Virtual IP button. The Virtual IP page appears with the Virtual IP 1, Virtual IP 2, IP Mapping, and Dynamic IP tabs. Select the Dynamic IP tab.
2. Click New Entry in the lower left-hand corner of the screen. Th
6. ALERT: Take immediate action
CRITICAL: Critical condition
ERROR: Error message
WARNING: Warning message
NOTICE: Normal but significant condition
INFO: Information message
DEBUG: Debug message
3. Click Apply to have your changes take effect.
The SYSLOG reports can also be customized through WebTrends for Firewalls and VPNs, an add-on for the Netopia S9500 Security Appliance. WebTrends manages, monitors, and reports on security issues and network traffic in real time. For more information, see the WebTrends CD included in your Netopia folio.

VPN Configuration
With a virtual private network (VPN) you can access the S9500 remotely. To support a VPN, the S9500 also must support encryption. So first you must set up an encryption policy, and then you must set up a policy for VPN.

3-32 Reference Guide

Encryption Policy Configuration
To set up an encryption policy you have to define its VPN tunnel, and both ends of the tunnel must be configured the same. From the Web browser, in the Web Administration Tools menu, click the Network VPN button. The VPN Lists page with the Autokey IKE and Manual Key tabs appears. The S9500 supports two types of key methods for VPNs: Autokey IKE and Manual Key. Select a tab to create encryption with Autokey IKE or Manual Key.

Create an Autokey IKE VPN
Internet Key Exchange (IKE) provides a standard method to automatically negotiate keys between two security gateways (i.e., the S9500
7. You will also need:
- A Windows 95, 98, or NT-based PC or a Macintosh with Ethernet connectivity for configuring the Netopia 9500. This may be built-in Ethernet or an add-on card, with TCP/IP installed.

Identify the connectors and attach the cables
Install the S9500 on a clean, dry, level surface. Identify the connectors and switches on the back panel and attach the cables.
Note: Check your router, hub, or computer documentation to determine if the device needs to be reconfigured or if the power supply needs to be switched off when you are connecting the new equipment to the LAN.
[Back panel figure: Power, 1 LAN, 2 Internet]
1. Connect one of the RJ-45 cables to the Trusted port and the LAN. Note: See Cabling Requirements below.
2. Connect the other RJ-45 cable to the Untrusted port and the Internet. Note: See Cabling Requirements below.
3. Connect the mini-DIN8 connector from the Power Adapter to the Power port and plug the other end into an electrical outlet.
4. Optionally, you can connect a cable to the DMZ port and other equipment such as a server or hub. Note: See Cabling Requirements below.
5. Turn on the equipment connected to the 9500, if necessary. If the cables are connected correctly, the Link LED for each connection will be lit.

Making the Physical Connections 2-9

6. Insert your Netopia CD and follow the instructions to install an Internet brow
8. Source Address
Destination Address: Outside Any (available in the pop-up window)
Service: ANY (available in the pop-up window)
Action: Permit (available in the pop-up window)
Leave the rest of the options at their default values. Click OK.
Note: A policy can be more selective by selecting individual services.
5. Repeat the process for WS 2. Enter the following information:
Field / Information
Source Address: WS 2 (available in the pop-up window)
Destination Address: Outside Any (available in the pop-up window)
Service: ANY (available in the pop-up window)
Action: Permit (available in the pop-up window)
Leave the rest of the options at their default values. Click OK.

Configuration Examples 4-57

Configure Virtual IP
The next step is to allow Internet traffic to reach the internal mail server by defining a Virtual IP address on the Untrusted side of the 9500. Virtual IP allows a hole to be opened in the firewall, allowing traffic to pass to the internal network. Extreme caution should be taken when defining a Virtual IP.
1. In the Web Administration Tools menu, click the Network Virtual IP button. The Virtual IP page appears.
2. Select the Virtual IP 1 tab and click the link to configure Virtual IP. The Virtual IP Configuration page appears.
3. Define the Virtual IP Address by entering 192.168.1.3.
4. Click OK and the Virtual IP page reappears.
5. Select New Services i
10. ns> get mip
See Also: set/unset mip

get policy
Syntax: get policy all | incoming | outgoing | todmz | fromdmz | id <number>
Description: Show policy configuration. If a specific policy id is provided, more detailed information about the policy is shown. Otherwise, the policy information is shown in the summary format. Policies can be listed for a specific interface by specifying the interface name with the get policy command. The all parameter lists policies for all interfaces.
Example: To show all policy configuration:
ns> get policy all
To show all incoming policy configuration:
ns> get policy incoming
To show detailed information for a policy with id number 5:
ns> get policy id 5
See Also: set/unset policy

Command Line Interface B-113

get route
Syntax: get route all | cache | ip <a.b.c.d>
Description: Show the route configuration: IP address, Netmask, Int, Gateway, Metric, Flag, Memory. get route with a specific IP address will display the route information as <ip addr> > <interface> <gateway> <hop count>. This can be used as a tool to find out if a packet with a particular IP address gets routed by the S9500 to the correct interface.
Example: To show all the route configuration:
ns> get route
To show the route information for a machine with IP address of 24.1.60.1:
ns> get route ip 24.1.60.1
See Also: set/unset route

get sa
11. unset vpn is used to delete a VPN definition. The name of the VPN definition can be up to 20 characters. The manual VPN definition's local SPI and remote SPI have to be a hex number greater than 3000. Auto VPN definitions use SPI values between 1000 and 2fff. The pre-shared key used by the auto VPN definition can be up to 128 bytes long, and it is defined by the set ike command.
Default: Key lifetime is 3600 seconds. The ESP authentication algorithm is NULL when not specified.
Example: To create a manual VPN definition with name judy, using DES for ESP encryption and MD5 for ESP authentication, with keys generated by the password judyvpn. The local and remote SPI are 00001111 and 00002222, and the gateway IP address is 170.45.33.2:
ns> set vpn judy manual 00001111 00002222 gateway 170.45.33.2 esp des password judyvpn auth md5 password judyvpn
To create an auto VPN definition with name mytest, using 3DES for ESP encryption and NULL for ESP authentication, with a key lifetime of 200 seconds. The gateway IP address is 170.45.33.2 and the preshared key used is mytestkey:
ns> set vpn mytest auto gateway 170.45.33.2 esp 3des second 200
ns> set ike preshared mytest 170.45.33.2 mytestkey
See Also: get vpn, set/unset ike

Command Line Interface B-101

Get commands
Get commands are used to show various system configuration parameters and data.

get address
Syntax: get address
12. The Log Details page appears.
3. Click Download to File in the lower left-hand corner of the screen to save the data for review and analysis. The data can be saved to your local C drive in .txt format. The file contents are tab-delimited.
4. Click Clear Log to clear the log after downloading the most recent data available.

Configuration Examples 4-45

Chapter 4: Configuration Examples
This chapter provides examples of four ways you can configure the 9500. Each example consists of step-by-step instructions on how to configure the unit, as well as guidelines on how the hosts should be configured. These examples assume you have already configured the S9500 for Transparent mode as shown in the Getting Started Guide included in your Netopia folio. The four examples presented here are:
- Example 1: Transparent Mode, on page 4-45. Best for simple firewall protection, this configuration expands on the Quick Configuration explained in the Getting Started Guide included in your Netopia folio.
- Example 3: 3-port Network Address Translation mode, on page 4-58. Best for new Internet connections where the site will host public servers (web, e-mail) that require different security policies. All 3 ports are used.
- Example 2: 2-port Network Address Translation Mode, on page 4-52. Best for new Internet connections where the ISP provides fewer IP addresses than existing or planned devices. Only 2 ports (Trusted, Untrusted) are u
13. appears. Select the Users tab.
2. Click New User in the lower left-hand corner of the screen. The User Configuration page appears.
3. Enter the following information:
Field / Information
User Name: The name to be validated. The name must be unique and is limited to 20 characters.
Type of User Name: Authentication User or VPN Dialup User.
User Group: A dialup user group.
Security Index Local: The local security index for this dialup user.
Security Index Remote: The remote security index for this dialup user.
ESP Encryption Algorithm: The encryption algorithm to be used:
- NULL
- DES-CBC
- 40-bit DES-CBC
Key: An encryption key for the algorithm specified. Each field of the key is 8 bytes long, represented in HEX. The key is 16 characters long, with two characters used to describe one byte in HEX. The value must be odd bit parity (the sum of the 8 bits must be odd). For DES only the left-most value needs to be defined. For 3DES all three values must be defined. The 9500 will automatically change your key value to ensure the requirement.
Generated Key by Password: A password to define the generation of the hex key. Note: The use of the password feature is a convenience and may lead to similar keys.

Configuration and Monitoring 3-37

ESP Authentication Algorithm: The algorithm to use for authentication:
- NULL
- MD5
- SHA-1
14. disable | page | timeout
Description: set console is used to define the console parameters. When debug is enabled on the 9500, all debugging messages will be displayed to the console, which may be too overwhelming. Using the dbuf parameter, those messages will be stored in a buffer where they can be later retrieved by the get dbuf command. The buffer size is 256K. Console access can be disabled with the disable parameter. The action needs two confirmations. Once the command is submitted, the configuration is saved and the current login session exits. The number of lines displayed at one time to the console is configurable by the page parameter. After a period of idle time the 9500 will automatically log out the administrator from console access. It is configurable by the timeout parameter. A value of 0 means the console will never time out.
Default: Displays 22 lines to the console. Timeout is 10 minutes.
Example: To redirect all debugging messages to the buffer:
ns> set console dbuf
To disable console access:
ns> set console disable
To define 20 lines per page displayed on the console:
ns> set console page 20
To define the console timeout value to 40 minutes:
ns> set console timeout 40
See Also: get console, clear dbuf, get dbuf

B-88 Reference Guide

dialup group
Syntax:
set dialup group <string> <string>
unset dialup group <string>
Des
15. A descriptive name that must be unique from other address book entries.
IP Address: 172.17.1.0
NetMask: 255.255.255.0
Comment: e.g., Chicago office network
Location: Untrusted
Click OK to save the entry.

Configuration Examples 4-67

Set Up VPN
Next, configure the S9500 for VPN.
1. In the Web Administration Tools menu, click the Network VPN button. The VPN Lists page appears. Select the Manual Key tab.
2. Click New VPN Entry in the lower left-hand corner of the screen. The Manual Key VPN Configuration page appears.
3. Enter the following information:
Field / Information
VPN Name: LACHI
Gateway IP: 201.186.1.251. This is the Untrusted IP address of the 9500 in Chicago.
Security Index Local: 16100
Security Index Remote: 17100
ESP Encryption Algorithm: 3DES-CBC
HEX Key: c2c4c70101010101 f8899b6e6d7c8f9e 4f5b68b094a4b6c7
Generated Key by Password: don't use
ESP Authentication Algorithm: MD5
HEX Key: c8cbcd0101010101 and a4b6439e8c9faeb1l2
Generated Key by Password: don't use
Click OK to save the entry.

Set Up Policy
To support VPN, the S9500 also must support encryption. So now you must set up an encryption policy and then a policy to permit Web access.
1. In the Web Administration Tools menu, click the Network Policy button. The Access Policies page appears.
2. Select the Outgoing tab and click New P
16. Configure the S9500 for NAT
1. From the Web browser, in the Web Administration Tool menu, click the System Configure button and select the Interface tab. The Interface page appears.
2. Enter the following information:
Field / Information
Web Management Interface System IP: 0.0.0.0
Web Management Interface Port: 80
Trusted Interface Inside IP: 172.16.1.251 (this IP will now be used to access the management IP)
Trusted Interface NetMask: 255.255.255.0
Trusted Interface Default Gateway: 0.0.0.0
Untrusted Interface Outside IP: 205.186.1.251
Untrusted Interface NetMask: 255.255.255.0
Untrusted Interface Default Gateway: 205.186.1.254
DMZ Interface: 0.0.0.0
3. Click Save and Reset. In the confirmation screen, click Yes.
4. In the system warning message box, click OK.
5. Reconfigure the administration workstation so it is on the same subnet as the Trusted interface of the S9500. You may have to restart the workstation. The Trusted interface IP is 172.16.1.251 and the subnet mask is 255.255.255.0, so the administration workstation IP must be in the range from 172.16.1.1 to 172.16.1.253. This example uses WS 1 as the administration workstation, so change its IP address to 172.16.1.1.
Note: You will have to reconfigure all other workstations to be in the same IP range and redefine all workstations to have the same default gateway as the S9500's Trusted IP. For more infor
17. Network Address Translation mode, see Network Address Translation mode below.
To access the Interface Configuration page, from the Web browser in the Web Administration Tools, click the System Configure button. The Configuration page appears with the General, Interface, Authen, URL Filtering, and Route Table tabs. Select the Interface tab.

Transparent mode
Transparent mode allows users to access the Internet while denying access from the Internet. This mode is the easiest to install, as it requires no changes to network addresses or topology. In Transparent mode the Trusted and Untrusted ports have IP addresses 0.0.0.0. See the Getting Started Guide included in your Netopia folio for configuration information on the Transparent mode.

Network Address Translation mode
The Network Address Translation (NAT) mode enables NAT on your local network. NAT provides anonymity to machines on the corporate LAN by connecting the entire network to the Internet using a few registered IP addresses. Also, if an IP address range has been arbitrarily selected on your LAN, it is possible that those IP addresses are invalid and consequently will not be able to access some Internet sites that have been assigned that same IP address range. For example, if the address range 199.2.23.1 through 199.2.23.255 is used on the LAN, a Web server on the Internet with the address of 199.2.23.20 will not be accessible. Therefore, if your LAN is using IP addresses that h
18. Trusted subnet mask: 255.255.255.0
- CHI network: 172.17.1.0
- CHI subnet mask: 255.255.255.0
Then log on to the S9500 Web management page.

Configure the S9500 for NAT
1. From the Web browser, in the Web Administration Tool menu, click the System Configure button and select the Interface tab. The Interface page appears.
2. Enter the following information:
Field / Information
Web Management Interface System IP
Web Management Interface Port
Trusted Interface Inside IP: 172.17.1.251 (this IP will now be used to access the management IP)
Trusted Interface NetMask: 255.255.255.0
Trusted Interface Default Gateway: 0.0.0.0
Untrusted Interface Outside IP: 201.186.1.251
Untrusted Interface NetMask: 255.255.255.0
Untrusted Interface Default Gateway: 201.186.1.254
DMZ Interface: 0.0.0.0

4-70 Reference Guide

3. Click Save and Reset. In the confirmation screen, click Yes.
4. In the system warning message box, click OK.
5. Reconfigure the administration workstation so it is on the same subnet as the Trusted interface of the S9500. You may have to restart the workstation. The Trusted interface IP is 172.17.1.251 and the subnet mask is 255.255.255.0, so the administration workstation IP must be in the range from 172.17.1.1 to 172.17.1.253. This example uses WS 1 as the administration workstation, so change its IP address to 172.17.1.1.
Note: You will have to reconfigure all other wo
19. address book entries.
IP Address: 172.16.10.4
NetMask: 255.255.255.255
Comment: e.g., WS 2
Location: Trusted
7. Click OK and the Address Book page reappears.
8. Repeat the process for the Mail Server. Click New Address. The Address Configuration page appears. Enter the following information:
Field / Information
Address Name: Mail Server. A descriptive name that must be unique from other address book entries.
IP Address: 172.16.10.2
NetMask: 255.255.255.255
Comment: e.g., Mail Server
Location: Trusted
9. Click OK.

Set Up Policy
Next you must set up a policy to permit outside access to the Web site. In this example you need to define policies to:
- Permit Internet access from WS 1 and WS 2
- Permit mail from and to the Internet

4-56 Reference Guide

1. In the Web Administration Tools menu, click the Network Policy button. The Access Policies page appears.
2. Remove the old policy permitting any inside-to-outside traffic. In the Configure column click Remove, and a confirmation message will appear. Select Yes.
3. To add a new policy, in the Access Policies page select the Outgoing tab and click New Policy in the lower left-hand corner of the screen. The Policy Configuration page appears.
4. Define a policy that permits Internet access from WS 1. Enter the following information:
Field / Information
Source Address: WS 1 (available in the pop-up window)
20. all | dmz | trust | untrust
Description: Show address book entries, flag, name, and comments. Each address book entry is shown with this information: id, address, subnet mask.
Example: To get all the entries in the address book:
ns> get address all
To get address book entries only for the DMZ interface:
ns> get address dmz
To get address book entries only for the Trusted interface:
ns> get address trust
To get address book entries only for the Untrusted interface:
ns> get address untrust
See Also: set/unset address

get admin
Syntax: get admin
Description: Show administrative parameters.
Example: To show all the administrative parameters of the S9500:
ns> get admin
See Also: set/unset admin

B-102 Reference Guide

get alarm
Syntax: get alarm all | event | traffic | policy <id>
Description: Show alarm entries.
Example: To show all alarm entries:
ns> get alarm all
To show event alarm entries:
ns> get alarm event
To show all traffic alarm entries:
ns> get alarm traffic
To show traffic alarm entries for a policy with id number 4:
ns> get alarm policy 4
See Also: set/unset alarm

get arp
Syntax: get arp net
Description: Show entries in the arp table. The output lists all the arp entries existing in the table. It shows the host's IP address, its MAC address, and the i
21. be defined. The S9500 will automatically change your key value to ensure the requirement.
Generated Key by Password: A password to define the generation of the hex key. Note: The use of the password feature is a convenience and may lead to similar keys.

3-34 Reference Guide

ESP Authentication Algorithm: The algorithm to use for authentication:
- NULL
- MD5
- SHA-1
HEX Key: A security key used as an encryption key for the algorithm specified. MD5 uses 16 bytes and SHA-1 uses 20 bytes. Each field of the key is 8 or 10 bytes long, represented in HEX. The key is 16 or 20 characters long, with two characters used to describe one byte in HEX. The value must be odd bit parity (the sum of the 8 bits must be odd). The 9500 will automatically change your key value to ensure the requirement.
Generated Key by Password: A password to define the generation of the hex key. Note: The use of the password feature is a convenience and may lead to similar keys.
Click OK to save the new entry.

VPN Policy Configuration
Once you have defined a VPN in an encryption policy, you must set up a policy for VPN.
1. From the Web browser, in the Web Administration Tools menu, click the Network Policy button. The Access Policies page with the Incoming, Outgoing, To DMZ, and From DMZ tabs appears. Select the Outgoing Policy tab and click New Policy in the lower left-hand corner of
22. before it can be enabled.
- config: Specify the logging mechanism for the configuration.
- webtrend: Specify the configuration parameters for the communication with the WebTrends for Firewalls server.
Example: set syslog enable
See Also: get syslog

B-98 Reference Guide

unset all
Syntax: unset all
Description: Undefine all system information.
Example: unset all
See Also: all other set/unset commands

url
Syntax:
set url config disable | enable
set url message <string>
set url msg type <number>
set url server <ip addr> <port> <timeout>
unset url
Description: set url is used to define the URL blocking configuration. URL blocking is provided via the WebSense product. This feature can be turned on and off by the config parameter. The origin of the message that is sent to the HTTP client can be specified by the message parameter: 0 from WebTrends and 1 from S9500.
Default: This feature is disabled. The S9500 message "S9500 and NetPartners WebSENSE have been set to block this site" is used. The communication port to WebTrends is 15868, with a timeout value of 10 seconds.
Example: To enable the URL blocking mechanism:
ns> set url config enable
To define the URL blocking denied message to "This site is blocked":
ns> set url message This site is blocked
To use the message from the WebSense server:
ns>
23. log traffic
To clear traffic entries for a policy with id 4 in the log table:
ns> clear log traffic policy 4
See Also: get log

B-122 Reference Guide

clear mac learn
Syntax: clear mac learn
Description: Clear entries in the MAC learning table.
Example:
ns> clear mac learn
See Also: get mac learn

clear session
Syntax: clear session all
Description: Clear entries in the session table.
Example: To clear all entries in the session table:
ns> clear session all
See Also: get session

clear vpn
Syntax: clear vpn ike cookie all | <a.b.c.d>
Description: Clear entries in the IKE cookie table.
Example: To clear all entries in the IKE cookie table:
ns> clear vpn ike cookie all
To clear entries for IP address 100.2.30.1 in the IKE cookies table:
ns> clear vpn ike cookie all 100.2.30.1
See Also: get vpn ike cookie

Command Line Interface B-123

Miscellaneous Commands

save
Syntax: save tftp <ip addr> <filename>
Description: save is used to save the running configuration to either the S9500's flash memory or to a file at a TFTP server which is connected to the Trusted interface.
- tftp: Allows saving the running configuration to a file at a TFTP server specified by the IP address.
- filename: A string with printable characters that contains no spaces.
Example: To save the running configuration to the flash memor
24. restart the workstation. The Trusted interface IP is 172.16.10.3 and the subnet mask is 255.255.255.0, so the administration workstation IP must be in the range from 172.16.10.1 to 172.16.10.253. This example uses WS 1 as the administration workstation, so change its IP address to 172.16.10.1.
Note: You will have to reconfigure all other workstations to be in the same IP range and redefine all workstations to have the same default gateway as the S9500's Trusted IP. For more information, see the discussion of NAT in Network Address Translation mode on page 3-24. Workstations on the DMZ port will have to use the DMZ.
7. Change WS 2's IP address to 172.16.10.4.
8. Change the Mail Server's IP address to 192.168.2.2.

Test the Configuration
To confirm the configuration is correct, use the Web browser to access an external web site (e.g., www.netopia.com). You should be able to locate the site and access the available web pages.

Set Up Address
The next step of this example is to define the workstations and servers that need to pass through the firewall.
1. Log on to the S9500 Web management page by entering the new Trusted interface IP address (http://172.16.10.3) into the Web browser. In the Web Administration Tools menu, click the Lists Address button. The Address Book page with Trusted and Untrusted tabs appears. Trusted addresses are individual IP addresses or subnets located behind the port labelled Trusted. These entrie
25. session port <number>. Syntax. Description: Show all entries in the session table. The output indicates whether the 9500 is running in NAT mode. It displays the Trusted and Untrusted IP addresses along with the number of active sessions and the maximum number of simultaneous sessions supported. The number is 4096. Example: To get all entries in the session table: ns> get session. To get all entries in the session table for an IP address: ns> get session ip 172.16.10.92. To get all entries in the session table for port 80: ns> get session port 80. To get all entries in the session table for protocol 5: ns> get session protocol 5. See Also: clear session. get syslog. Syntax: get syslog config | enable | port | traffic | webtrends. Description: Show the syslog configuration. Example: To show all syslog configuration: ns> get syslog. To show whether the syslog mechanism has been configured: ns> get syslog config. To show whether the syslog mechanism is enabled: ns> get syslog enable. To show the port that is used to communicate with the syslog server: ns> get syslog port. To show if sending the traffic log through syslog is enabled: ns> get syslog traffic. To show if communication with WebTrends is enabled: ns> get syslog webtrends. See Also: set/unset syslog. get system. Syntax: get system. Description: Show the general s
26. set url msg type 0. To specify communication with a WebSense server with IP address 209.44.150.6 at port 15868 and a timeout value of 10 seconds: ns> set url server 209.44.150.6 25868 10. See Also: get url. user. Syntax: set user <name> <password>; set user <name> dialup <local spi> <remote spi> esp null; set user <name> dialup <local spi> <remote spi> esp 3des | 40-bit des | des key <hex> | password <string> auth md5 | sha-1 key; set user timeout <number>; unset user <string>. Description: set user is used to create an entry in the user database; unset user is used to delete an existing user database entry. There are two types of entries: built-in user database and VPN dialup user. The built-in user database entries are used for authentication, while the VPN dialup user entries are used by the IPSec VPN tunnel definition. VPN dialup users having different IPSec parameters can be grouped together and specified by a single VPN policy. Example: To create a user definition for a user named Bill with password billp: ns> set user Bill billp. See Also: get user. vip. Syntax: set vip <a.b.c.d> port <number> <string> <a.b.c.d>; unset vip <string> port <number
27. the screen. The Policy Configuration page appears. Note: VPN policies are only defined for Outgoing traffic. VPN policies assume bi-directional traffic and assume that the destination address can originate VPN sessions. Enter the following information. Field / Information: Source Address: The address for the host or network generating the connection. Select an option from the drop-down list. Destination Address: The address for the server receiving the connection request. Select an option from the drop-down list. Service: The service for the type of connection to be established. Select an option from the drop-down list. Action: Encrypt. Logging: Enable to have the 9500 log all connections for this policy. VPN Tunnel: The VPN tunnel defined in the encryption policy. See Encryption Policy Configuration on page 3-32. Select an option from the drop-down list. Enable to have the S9500 count the total number of bytes for this policy and record the information in historical graphs. Alarm Threshold: The number of bytes per second, the number of bytes per minute, or both. A value of 0 indicates that the alarm has been disabled. Note: You can only enter integer values in the Alarm Threshold fields. Schedule: The schedule for enforcing this policy. None means the policy is always on. For scheduling information, se
28. unique and is limited to 20 characters. Comment: Any additional information, limited to 30 characters. Recurring: The frequency of the schedule, recurring or once. Recurring Start Date and Time / Stop Date and Time: When the schedule starts and ends in a weekly period. Both start and stop times must be entered to be configured. You can specify up to two time periods within the same day. Once: When the schedule starts and ends. Both start and stop times must be entered to be configured. Click OK to add the schedule. Modify an existing schedule: 1. In the Schedule page, in the Configure column, click Edit for the schedule that you want to modify. The Schedule Configuration page appears. 2. Enter the new schedule information in the fields. Click OK to save the new schedule information. Remove an existing schedule: In the Schedule page, in the Configure column, click Remove for the schedule that you want to delete. Note: Schedules referenced by a policy cannot be removed until the underlying policy is removed. Policy Configuration. Using the Address Book, Service Book and Schedules you have defined, you can now define policies that allow the denial, acceptance, encryption and authentication of incoming and outgoing connections to Trusted, Untrusted, To DMZ and From DMZ servers. All security entries on the S9500 are policies. The action of the policy can be a simple firewall rule such as permit or deny, which allows
29. use one key. Note: Currently the Netopia S9500 VPN Client software only supports Manual Key. Any VPNs defined for remote access must use Manual Keys. 1. Click New VPN Entry in the lower left-hand corner of the screen. The Manual Key VPN Configuration page appears. 2. Enter the following information. Field / Information: VPN Name: The name to identify this VPN tunnel definition. Choose a descriptive name to help you identify the VPN tunnel. The name must be unique and is limited to 20 characters. Gateway IP: The IP address of the remote LAN S9500's Untrusted interface. For information on remote client configuration, see VPN and Remote Client on page 3-36. Security Index (Local and Remote): A unique security index number that will distinguish a particular encrypted tunnel from the others being used at the same time. Only a HEX value greater than 3000 is accepted. The Local Security Index will serve as the other end's Remote Security Index and vice versa. ESP Algorithm: The algorithm to use for encryption: NULL, DES-CBC, 3DES-CBC, 40-bit DES-CBC. An encryption key for the algorithm specified. Each field of the key is 8 bytes long, represented in HEX. The key is 16 characters long, with two characters used to describe one byte in HEX. The value must be odd bit parity (the sum of the 8 bits must be odd). For DES only the left-most value needs to be defined. For 3DES all three values must
30. 0 characters long, with two characters used to describe one byte in HEX. The value must be odd bit parity (the sum of the 8 bits must be odd). The 9500 will automatically change your key value to ensure the requirement. Generated Key by Password: A password to define the generation of the hex key. Note: The use of the password feature is a convenience and may lead to similar keys. 5. If you enabled VPN Dialup User, skip this step. If you enabled Authentication User, enter the following information. Field / Information: Authentication Password: The password for the user. Confirm Password: The password for the user. Status: Enable or Disable authentication. 6. Click OK to save the addition. To modify an existing user entry: 1. From the User Lists page, in the Configure column, click Edit for the entry that you want to modify. The User Configuration page appears. 2. Enter the new information in the fields. 3. Click OK to save the changes. To remove an existing user configuration: 1. From the User Lists page, in the Configure column, click Remove for the entry that you want to delete. 2. A System Message window will ask for user confirmation to proceed with the deletion. Click OK. Monitoring the S9500. The S9500 helps you monitor your network traffic and connection activity to determine if there were any attempts to compromise the security of the network. You can
31. 3: ns> get config tftp 154.30.9.13 November to tftp 154.30.9.13 December. To retrieve a configuration file named myconfig at a TFTP server with IP address 154.30.9.13 and save it as a file named yourconfig at a TFTP server with IP address 209.125.10.2: ns> get config tftp 154.30.9.13 myconfig to tftp 209.125.10.2 yourconfig. To get the size of the configuration file in the flash memory: ns> get config size saved. To get the size of the configuration file named dec1019 from a TFTP server with IP address 100.23.44.1: ns> get config size tftp 100.23.44.1 dec1019. See Also: save. get console. Syntax: get console. Description: Show the console parameters. The console idle timeout value and the number of lines displayed per screen are shown. It also tells where debug messages are displayed. The information also lists the number of active connections to the 9500, either through the console or by Telnet. The duration of the connections is also displayed. If it is a Telnet connection, the client machine's IP address is shown whenever possible. Example: To show all the console parameters: ns> get console. See Also: set/unset console. get counter. Syntax: get counter all | flow | interface. Description: Display the total packet count for any firewall attacks or system/network related packets, or the total packet count for each interface or network related informatio
32. 5023. Netopia, Inc. Customer Service, 2470 Mariner Square Loop, Alameda, California 94501, USA. Netopia Bulletin Board Service: 1-510-865-1321. Online product information: Product information can be found on the Netopia World Wide Web server via http://www.netopia.com, or on the Internet via anonymous FTP to ftp.netopia.com/pub. FAX Back: This service provides technical notes which answer the most commonly asked questions and offer solutions for many common problems encountered with Netopia products. FAX Back: 1-510-814-5040. Appendix A: SNMP Support. You can use SNMP management software to administrate the Netopia S9500 Security Appliance. The S9500's SNMP agent currently supports all MIB-II groups except EGP (Exterior Gateway Protocol) and can be monitored by any SNMP-compatible manager. The 9500 agent will generate two traps: cold start and authentication failure. The cold start trap is generated once the S9500 becomes operational following power on. The authentication failure trap is triggered if the SNMP manager sends the incorrect community string. To configure the S9500 to communicate with the SNMP manager: 1. The SNMP manager must be on the Trusted interface side. SNMP requests from the Untrusted or DMZ port will not be processed. 2. From the Web browser, set the Administration IP address to the IP address of the SNMP manager. See the Getti
33. 55.255.0 NetMask. Untrusted Interface Default Gateway: 192.168.1.2. DMZ Interface: 0.0.0.0. Note: The 2-port NAT mode is automatically enabled if you enter a routable address on the Untrusted IP address and a private IP address on the Trusted IP address. Click Save and Reset. In the confirmation screen, click Yes. In the system warning message box, click OK. Exit the Web browser without clicking Yes. Reconfigure the administration workstation so it is on the same subnet as the Trusted interface of the S9500. You may have to restart the workstation. The Trusted interface IP is 172.16.10.3 and the subnet mask is 255.255.255.0, so the administration workstation IP must be in the range from 172.16.10.1 to 172.16.10.253. This example uses WS-1 as the administration workstation, so change its IP address to 172.16.10.1. Note: You will have to reconfigure all other workstations to be in the same IP range and redefine all workstations to have the same default gateway as the S9500's Trusted IP. For more information, see the discussion of NAT in Network Address Translation mode on page 3-24. 7. Change WS-2's IP address to 172.16.10.4. 8. Change the Mail Server's IP address to 172.16.10.2. Test the Configuration. To confirm the configuration is correct, use the Web browser to access an external web site, e.g. www.netopia.com. You should be able to locate the site and access the available web pages.
34. HEX Key: A security key used as an encryption key for the algorithm specified. MD5 uses 16 bytes and SHA-1 uses 20 bytes. Each field of the key is 8 or 10 bytes long, represented in HEX. The key is 16 or 20 characters long, with two characters used to describe one byte in HEX. The value must be odd bit parity (the sum of the 8 bits must be odd). The S9500 will automatically change your key value to ensure the requirement. Generated Key by Password: A password to define the generation of the hex key. Note: The use of the password feature is a convenience and may lead to similar keys. 4. Click OK to save the addition. IP Configuration. The S9500 can be configured to respond to many different IP addresses on the Untrusted Interface. Virtual IP functionality allows the S9500 to map different services to different IP addresses. Mapped IP functionality allows for one-to-one mapping of internal hosts to the Untrusted Interface. Dynamic IP functionality allows the S9500 to use additional IP addresses for Network Address Translation (NAT). Virtual IP. The S9500 can configure up to two Virtual IP addresses and up to six services for each Virtual IP. The two Virtual IP addresses can forward traffic to four different servers in the Trusted network. Note: Use this feature with caution. If an attacker gains access to one of the internal servers, then the whole network could be in jeopardy. The Virtual IP feature provides
35. C Transform; RFC 1851, The ESP Triple DES Transform. Agency approvals. North America Safety Approvals: United States UL 1950 Third Edition. EMI/RFI: FCC Part 15 Class A. Regulatory notices. Warning: This is a Class A product. In a domestic environment this product may cause radio interference, in which case the user may be required to take adequate measures. Adequate measures include increasing the physical distance between this product and other electrical devices. No User-Serviceable Parts Warning: The Netopia 9500 Security Appliance contains no user-serviceable parts and is housed in a tamper-proof enclosure. Therefore the chassis should never be opened under any circumstances. Circuit Breaker (15A) Warning: This product relies on the building's installation for short-circuit (over-current) protection. Ensure that a fuse or circuit breaker no larger than 120 VAC, 15A (U.S.) / 240 VAC, 10A (international) is used on the phase conductor (all current-carrying conductors). Index. A: Address Book configuration 14, 19; administrative configuration 29; alarms 20, 43; authentication configuration 26, 40, 41. B: built-in user database 26; configuration 40. C: cables 8, 9; capabilities 5; changing the login name and password 29; command line interface configuration 81; command line interface monitoring 81; configuration 14; Address Book 14, 19; administrative 29; authentication 26, 40, 41; command
36. Contents. Welcome to the Netopia 9500 Security Appliance Reference Guide. This guide is designed to be your single source for information about your Netopia S9500 Security Appliance. It is intended to be viewed online using the powerful features of the Adobe Acrobat Reader. The information display has been deliberately designed to present the maximum information in the minimum space on your screen. You can keep this document open while you perform any of the procedures described and find useful information about the procedure you are performing. This Table of Contents page you are viewing consists of hypertext links to the chapters and headings listed. If you are viewing this on-line, just click any link below to go to that heading. CONTENTS i. Chapter 1 Introduction 5; Overview 5; Features and capabilities 5; How to use this guide 6. Chapter 2 Making the Physical Connections 7; Find a location 7; What you need 7; Identify the connectors and attach the cables 8; Cabling requirements 9; Netopia 9500 Security Appliance Ports 9; Netopia S9500 Security Appliance Status Lights 10. Chapter 3 Configuration and Monitoring
37. K. Set up the Incoming Policy. Now define policies that permit Mail and POP3 to the DMZ from the outside. 1. In the Web Administration Tools menu, click the Network Policy button. Select the To DMZ tab and click New Policy in the lower left-hand corner of the screen. 2. To define the policy for mail, enter the following information. Field / Information: Source Address: Inside Any (available in the pop-up window). Destination Address: Mail Server (available in the pop-up window). Service: MAIL (available in the pop-up window). Action: Permit (available in the pop-up window). Leave the rest of the options at their default values. Click OK. 3. Repeat the process for POP3 and for DNS. Test the Configuration. To confirm the configuration is correct, use the Web browser at WS-1 to access an external web site, e.g. www.netopia.com. You should be able to locate the site and access the available web pages. You have completed Example 3. Example 4: Virtual Private Network (VPN) Tunnel. This configuration illustrates how to set up a Virtual Private Network (VPN) between two offices located in Los Angeles and Chicago. Both 9500 units are configured for Network Address Translation (NAT). The function of the S9500 is to perform encryption/decryption on each packet at either end of the tunnel. This operation ensures the security and the privacy of communication over the public network backbo
38. Mail Server to receive and send mail to the Internet. Permit a remote site to access the FTP Server. Use WS-1 as the administration workstation. This example assumes: the S9500 has been installed into the network; the S9500 was configured in Transparent mode. Your network should resemble this diagram (diagram labels: Workstation 1 192.168.1.2; Remote Site; Netopia S9500 Security Appliance; Workstation 2 192.168.1.3; E-mail Server 192.168.1.4; FTP Server 192.168.1.5). Verify Configuration of the S9500. To begin this example, first log on to the S9500 Web management page and verify that the 9500 is in Transparent mode by checking the interface settings. 1. From the Web browser, in the Web Administration Tool menu, click the System Configure button and select the Interface tab. The Interface page appears. 2. Only the Web Management Interface field should have an IP value. In Transparent mode all other interface IP addresses are 0.0.0.0. Set Up Addresses. The next step of this example is to define the workstations and servers that need to pass through the firewall. 1. To define these machines, set up their addresses. In the menu, click on the Lists Address button. The Address Book with Trusted and Untrusted tabs appears. Trusted addresses are individual IP addresses or subnets located behind the port labelled Trusted. These entries appear in green on your screen. Untrusted addresses are individual IP ad
39. Ports on page 2-9; Netopia S9500 Security Appliance Status Lights on page 2-10. Find a location. When choosing a location for the 9500, consider: available space and ease of installation; physical layout of the building and how to best use the physical space available in relation to connecting your S9500 to the LAN; available wiring and jacks; distance from the point of installation to the next device (length of cable or wall wiring); ease of access to the front of the unit for configuration and monitoring; ease of access to the back of the unit for checking and changing cables; cable length and network size limitations when expanding networks; air circulation. For small networks, install the Netopia 9500 near one of the LANs. For large networks, you can install the Netopia 9500 in a wiring closet or a central network administration site. What you need. Locate all items that you need for the installation. Included in your equipment package are: the Netopia 9500 Security Appliance; a power adapter and cord with a mini-DIN8 connector; two Ethernet cables (RJ-45) to connect to a hub, router or server; a dual DB-25 and mini-DIN8 to DB-25 console cable to connect the 9500 to either a PC or a Macintosh; the Netopia CD containing this documentation, an Internet browser, Adobe Acrobat Reader for Windows and Macintosh, ZTerm terminal emulator software and NCSA Telnet 2.6 for Macintosh.
40. Set Up Addresses. The next step of this example is to define the workstations and servers that need to pass through the firewall. 1. Log on to the S9500 Web management page by entering the new Trusted interface IP address (http://172.16.10.3) into the Web browser. In the Web Administration Tools menu, click the Lists Address button. The Address Book page with Trusted and Untrusted tabs appears. Trusted addresses are individual IP addresses or subnets located behind the port labelled Trusted. These entries appear in green on your screen. Untrusted addresses are individual IP addresses or subnets located behind the port labelled Untrusted. These entries appear in red on your screen. Click New Address in the lower left-hand corner of the screen. The Address Configuration page appears. Enter the following information. Field / Information: Address Name: WS-1 (a descriptive name that must be unique from other address book entries). IP Address: 172.16.10.1. NetMask: 255.255.255.255. Comment: e.g. Administration workstation. Location: Trusted. Click OK and the Address Book page reappears. Note: If you made a mistake, click Edit. 6. Repeat the process for WS-2. Click New Address. The Address Configuration page appears. Enter the following information. Field / Information: Address Name: WS-2 (a descriptive name that must be unique from other
41. Syntax: get sa all | id <number>. Description: Show the IPSec security association entries. Example: To show all the IPSec security association entries: ns> get sa all. To show a specific IPSec security association entry with id number 5: ns> get sa id 5. See Also: set/unset sa. get scheduler. Syntax: get scheduler all | id <number>. Description: Show the scheduler definition. Each schedule defined has been assigned an id number. Example: To show all the scheduler definitions: ns> get scheduler all. To show a specific scheduler definition with id number 0: ns> get scheduler id 0. See Also: set/unset scheduler. get service. Syntax: get service all | system defined <string> | user defined <string>. Description: Show one or all service entries. Example: To show all service definitions: ns> get service all. To show all system defined service definitions: ns> get service system defined. To show all user defined service definitions: ns> get service user. To show a specific system defined service called ftp: ns> get service system defined ftp. See Also: set/unset service. get session. Syntax: get session ip protocol <number> port <number>; get session ip port <number>; get session protocol <number> port <number>; get
42. This example uses the following information: Internet Router IP: 192.168.1.2 (assigned by the ISP, connected to the Untrusted port). Internet Router subnet mask: 255.255.255.0 (assigned by the ISP). S9500 Untrusted IP: 192.168.1.1 (must be on the same subnet as the Internet router). S9500 Untrusted subnet mask: 255.255.255.0 (must be on the same subnet as the Internet router). S9500 Trusted IP: 172.16.10.3 (all hosts must be on the same subnet). S9500 Trusted subnet mask: 255.255.255.0 (all hosts must be on the same subnet). External Mail Server legal Internet address: 192.168.1.3 (must be on the same subnet as the Internet router). Internal Mail Server NAT address: 172.16.10.2 (must be on the same subnet as the internal network). Then log on to the S9500 Web management page. Configure the S9500 for NAT. 1. From the Web browser, in the Web Administration Tool menu, click the System Configure button and select the Interface tab. The Interface page appears. Enter the following information. Field / Information: Web Management Interface System IP: 0.0.0.0. Web Management Interface Port: 80. Trusted Interface Inside IP: 172.16.10.3 (this IP will now be used to access the management IP). Trusted Interface NetMask: 255.255.255.0. Trusted Interface Default Gateway: 0.0.0.0. Untrusted Interface Outside IP: 192.168.1.1. Untrusted Interface NetMask: 255.2
43. ... 55; ... Virtual IP ...; Example 3: 3-port Network Address Translation mode 58; Configure the 9500 for NAT 59; Set Up Addresses 60; Set Up the Outgoing Policy 62; Set Up the Incoming Policy 63; Example 4: Virtual Private Network (VPN) Tunnel 64; Configure the 9500 for NAT 65; ... 66; ... 67; ... 67; Configure the Second Site 68; Secure Remote Administration via VPN Tunnel ...; Chapter 5 Troubleshooting 75; The S9500 does not power on 75; Cannot connect to the Internet 75; Link LED is ... 75; Cannot ping the S9500 76; Cannot ping unsecure hosts from secure hosts or ... 76; ... 76; Before contacting Netopia 76; How to get support 76; SNMP Support 79; Command Line Interface 81; Common features of the CLI 81; ... 81; Set and Unset Commands 81; Get Commands 101; Clear Commands 119; Miscellaneous Commands 123; Technical Spe
44. Z addresses are individual IP addresses or subnets located behind the port labeled DMZ. These entries appear in a rust color on your screen. Individual hosts will have only a single IP address defined and will be represented with a single computer icon. Networks will have an IP address along with a subnet mask and will be represented with multiple computer icons. Click a tab to view the addresses defined for the Trusted, Untrusted or DMZ port. Add an address or range of addresses: 1. In the Address Book page, click the tab for the port you want to add an address to. 2. Click New Address. The Address Configuration page appears. Enter the information into these fields. Field / Information: Address Name: The name that will appear in the configuration window. Choose a descriptive name to help you easily identify the address. The name must be unique and is limited to 20 characters. IP Address: The IP address of the computer. NetMask: The subnet mask of the computer. The subnet mask in combination with the IP address can specify a range of addresses. For example, for the IP address 201.2.3.4 a subnet mask of 255.255.255.0 specifies a range of addresses from 201.2.3.0 to 201.2.3.255. On the other hand, for an IP address 201.2.3.4 a subnet mask of 255.255.255.255 specifies just 201.2.3.4. Comment: Any additional information, limited to 30 characters. The location of the IP address relative to th
45. all hosts must be on the same subnet. S9500 DMZ IP: 192.168.2.1 (must be on a separate subnet from the Untrusted hosts). S9500 DMZ subnet mask: 255.255.255.0 (all DMZ hosts must be on the same subnet). Mail Server legal Internet address: 192.168.2.2 (must be on the same subnet as the Internet router). Then log on to the S9500 Web management page. Configure the S9500 for NAT. 1. From the Web browser, in the Web Administration Tool menu, click the System Configure button and select the Interface tab. The Interface page appears. Enter the following information. Field / Information: Web Management Interface System IP: 0.0.0.0. Web Management Interface Port: 80. Trusted Interface Inside IP: 172.16.10.3 (this IP will now be used to access the management IP). Trusted Interface NetMask: 255.255.255.0. Trusted Interface Default Gateway: 0.0.0.0. Untrusted Interface Outside IP: 192.168.1.1. Untrusted Interface NetMask: 255.255.255.0. Untrusted Interface Default Gateway: 192.168.1.2 (Internet Router IP address). DMZ Interface: 192.168.2.1. DMZ NetMask: 255.255.255.0. 3. Click Save and Reset. In the confirmation screen, click Yes. 4. In the system warning message box, click OK. 5. Exit the Web browser without clicking Yes. 6. Reconfigure the administration workstation so it is on the same subnet as the Trusted interface of the S9500. You may have to
46. an be viewed with a Web browser on the Internet. The usage data can also be downloaded and imported to a spreadsheet or database for statistical analysis, usage-based accounting and billing. Easy integration: The Netopia S9500 Security Appliance can be placed anywhere in a 10BaseT LAN. Native support for IP ensures that the Netopia 9500 Security Appliance interoperates transparently with the broadest range of Intranet devices and other network applications. NAT: The use of network address translation (NAT) translates multiple IP addresses on the Trusted LAN to one public address that is sent out to the Internet (Untrusted) interface. This adds a level of security, since the addresses of hosts connected to the Trusted LAN are never provided to the Untrusted Network. Also, NAT preserves the use of IP addresses if not enough are provided by the ISP. Web management: The Netopia S9500 Security Appliance uses Web technology that provides a Web server interface to the configuration and management system. Thus you may use a fast and easy utility to access, monitor and control your firewall configurations with standard Web browsers. You can also use the built-in Web server for remote configuration and management. SNMP and CLI management: The Netopia 9500 Security Appliance is also SNMP compatible and therefore can be managed by network administration software. Further, the Netopia 9500 Security Appliance allows script manipulation an
47. ave not been assigned by an ISP, it is a good idea to allocate a special IP address range for this purpose. The following IP address ranges are reserved for private IP networks and do not get routed on the Internet: 10.0.0.0 to 10.255.255.255; 172.16.0.0 to 172.31.255.255; 192.168.0.0 to 192.168.255.255. NAT supports ICMP, UDP and TCP based applications. To enable NAT: 1. From the Web browser, in the Web Administration Tools, click the System Configure button. The Configuration page appears. Click the Interface tab. The Interface page appears. 2. Enter the following information. Field / Information: Web Management Interface System IP: The IP address of the 9500 for central management. Port: The number of the port that will supply HTTP configuration requests to the S9500. The default is 80, but you can change this to any secret number between 1024 and 32767 to discourage unauthorized access and modifications to the configuration of your S9500. If you change the port number, you need to enter it in your browser with the IP address, for example http://172.168.10.157:port number. Trusted Interface Physical Address: The unique address of the Ethernet network interface for the Trusted port. The MAC value is reported for information purposes. The current status of the interface is also reported. This field is not modifiable. Trusted Inside IP: The IP address used
48. cifications and Safety Information 125; ... 125; Power requirements 125; Environment 125; ... 125; Agency approvals 126; Regulatory notices 126. Chapter 1 Introduction. Overview. Welcome to the Netopia S9500 Security Appliance, the complete security solution for connecting your Ethernet local area network (LAN) to the Internet. The Netopia 9500 Security Appliance is a LAN-based product providing firewall, Virtual Private Network (VPN) and traffic shaping services at line rates up to 10 Mbps. The Netopia 9500 Security Appliance is a compact desktop or rack-mountable platform providing a complete security solution for valuable data. This chapter covers the following topics: Features and capabilities on page 1-5; How to use this guide on page 1-6. Features and capabilities. The Netopia S9500 Security Appliance provides the following features: Firewall: The Netopia 9500 Security Appliance is a full-featured firewall that combines the technologies from packet filters, proxy servers and dynamic circuit-level packet filters. The firewall can screen TCP/IP packets and deny or grant access based on criteria such as IP address and TCP/IP protocol. You can manipulate these policies so that, for example, only data from certain addresses is allowed t
49. configuration 34
W
Web browser: configuration 11; icons 19; tools 11
WebSense 27
WebTrends 31
50. cription: set dialup group is used to create a group so that a few remote users can be grouped together. A policy for a dialup group applies to all members of the group.
Example
To define a dialup user group called telecommuters:
ns> set dialup group telecommuters
To add a remote VPN user named john home to the telecommuters group:
ns> set dialup group telecommuters john home
To delete a remote VPN user named amy home from the telecommuters group:
ns> set dialup group telecommuters amy home
To delete the telecommuters group:
ns> unset dialup group telecommuters
See Also: get dialup group
dip
Syntax:
unset dip <number>
Description: set dip is used to define a dynamic IP range. Dynamic IP allocates an IP address for those applications, such as rlogin and talk, that use more than one IP address when the 9500 is running in NAT mode.
See Also: get dip
ffilter
Syntax:
set ffilter dst ip <a.b.c.d> dst port <number>
set ffilter dst ip <a.b.c.d> ip proto <number> dst port <number>
set ffilter dst ip <a.b.c.d> ip proto <number> src port <number>
set ffilter dst ip <a.b.c.d> src port <number> dst port <number>
set ffilter dst port <number>
set ffilter ip proto <number> dst port <number>
set ffilter ip proto <number> src port <nu
51. d Configuration in the lower left-hand corner of the screen to start the download process and save the file to the administration workstation. Follow the Web browser instructions to save the file.
To upload the configuration into an S9500 device:
1. From the Web browser, in the Web Administration Tools, click the System Admin button. The Administration page appears with the Admin and Sys Log tabs. Select the Admin tab.
2. Click the Browse button next to the Configure Script Upload field in the middle of the page. Follow the Web browser instructions to locate the file and open it.
3. The 9500 will upload the file and reset automatically. If the administration IP is different, you will have to reconnect to the new IP address.
Interface Configuration
The S9500 has four interfaces: Web Management, Trusted, Untrusted and DMZ. Once those interfaces are configured, that configuration is reported in the Interface Configuration page, where you can also change the configuration.
The 9500 ships from the factory in Transparent mode with only the Trusted and Untrusted interfaces operational. The Web Management interface becomes operational when you configure the 9500 VPN Client software for central management; see the Netopia Remote Software IPSec Client Reference Guide included on the Netopia CD for more information. Both the Web Management interface and the DMZ interface become operational when you configure the S9500 for
52. d modem control via a command line interface (CLI).
How to use this guide
In addition to the simple documentation contained in the accompanying documentation folio, this guide is designed to be your single source for information about your Netopia S9500 Security Appliance. It is intended to be viewed on line using the powerful features of the Adobe Acrobat Reader. The information display has been deliberately designed to present the maximum information in the minimum space on your screen. You can keep this document open while you perform any of the procedures described and find useful information about the procedure you are performing.
You can also print out all of the manual or individual sections if you prefer to work from hard copy rather than on-line documentation. The pages are formatted to print on standard 8 1/2 by 11 inch paper. We recommend that you print on 3-hole punched paper so that you can put the pages in a binder for future reference. For your convenience, a printed copy is available from Netopia. Order part number TER9500 Doc.
Chapter 2 Making the Physical Connections
This chapter tells you how to make the physical connections to your Netopia 9500 Security Appliance. This chapter covers the following topics:
- Find a location on page 2-7
- What you need on page 2-7
- Identify the connectors and attach the cables on page 2-8
- Netopia S9500 Security Appliance
53. define network monitors and view the results for:
- Traffic
- Counters
- Alarm
- Log
Traffic Allocation
To view the policy traffic allocation:
1. From the Web browser, in the Web Administration Tools, click the Monitor Traffic button. The Traffic Table page with the Policy and Interface tabs appears. Select the Policy tab. All policies with traffic shaping turned on will be shown on this table. Each policy is identified by source address, destination address, service type, priority, direction and traffic setting. The Direction field indicates whether it is a policy from Trusted (T) to Untrusted (U), Trusted (T) to DMZ (D), Untrusted (U) to Virtual IP (V), or other combinations.
The Traffic Setting field shows the guaranteed rate in blue and the maximum rate in red. The ratio is proportional to the maximum rate specified in the policy. A service has bi-directional traffic: the top arrow specifies the amount of forward traffic (i.e. from source address to destination address) in kilobits per second (kbps), and the bottom arrow specifies the amount of backward traffic (i.e. from destination address to source address) in kilobits per second (kbps).
2. Click Update Now to get the current information.
To view the interface traffic:
1. From the Web browser, in the Web Administration Tools, click the Monitor Traffic button. The Traffic Table page with the Policy and Interface tabs appears. Select
54. des fewer IP addresses than existing or planned devices require. Only 2 ports are used, the Trusted and Untrusted ports; the DMZ port is not used. This configuration enables Network Address Translation (NAT) and allows users to access the Internet. This configuration would be required if you were adding a new Internet connection and did not plan to have public servers, or were replacing a 2-port security solution and did not want to reconfigure the network.
Note: For security reasons, if you need to have public servers (e.g. Web or mail), you should place them on the DMZ port with their own security policy. See Example 3, 3-port Network Address Translation mode, on page 4-58.
The goals of this example are to:
- Permit outgoing Internet access for Workstation WS 1 and WS 2
- Permit the internal mail server to be accessed through its Virtual IP address
- Use WS 1 as the administration workstation
This example assumes:
- The S9500 has been installed into the network
- The S9500 was configured in Transparent mode
Your network should resemble this diagram:
[Network diagram: Workstation 1 172.16.10.1; Router 192.168.1.2; Workstation 2 172.16.10.4; Netopia S9500 Security Appliance; E-mail Server 172.16.10.2]
To begin this example, first gather all the information you will need to configure Network Address Translation (NAT). Determine what address range will be used for the Untrusted and Trusted addresses.
55. ding to this policy will be controlled and shaped according to these parameters:
- Guaranteed Bandwidth: Guaranteed throughput in kilobits per second (kbps). Traffic below this threshold will be passed with highest priority without being subject to any traffic management shaping mechanism.
- Maximum Bandwidth: Secured bandwidth available to the type of connection being specified, in kilobits per second (kbps). Traffic beyond this threshold will be dropped. Note: Rates less than 10 kbps should not be used. Rates below this threshold will lead to dropped packets and excessive retries that defeat the purpose of traffic management.
- Traffic Priority: Traffic with higher priority will be passed first, and lower priority traffic will be passed only if there is no other higher priority traffic for a certain period of time. There are eight priority levels.
Click OK to add the policy.
View or modify a policy
1. From the Web browser, in the Web Administration Tools menu, click the Network Policy button. The Access Policies page appears.
2. Select the Incoming, Outgoing, From DMZ or To DMZ policy tab to view those policies.
3. In the Configure column, click Detail for the policy that you want to change. The Policy Configuration page appears.
4. Specify the new information for the policy. Click OK to save the changes.
Remove a policy
1. From the Web browser, in the Web Administration Tools menu, click the Network Policy b
56. documentation for full details. (WebSense Server IP)
- Communications Timeout: The time interval in seconds that the S9500 will wait for a response from the WebSense filter. If WebSense does not respond within the time interval, the 9500 will ultimately block the request.
- Current Server Status: The status of the WebSense server. This field is not modifiable.
- URL Block Return Message: The message the 9500 will return to the user after blocking the site. You can enter a custom message of up to 220 characters.
2. Click Apply to save the changes.
Note: WebSense requires that its service be stopped and restarted before any changes in options will take effect. Please refer to the WebSense documentation for WebSense configuration.
Route Table Configuration
The Route Table provides the 9500 with information to direct data to different subnets so the 9500 can support complex networks. Defined routes are required when multiple Internet connections are installed and if multiple subnets are used on the Trusted network.
From the Web browser, in the Web Administration Tools, click the System Configure button. The Configuration page appears with the General, Interface, Authen, URL Filtering and Route Table tabs. Select the Route Table tab. The Route Table tab in the Configuration page provides a read-only summary of static routes defined by the S9500 if any of the three interfac
57. dresses or subnets located behind the port labelled Untrusted. These entries appear in red on your screen.
2. Click New Address in the lower left-hand corner of the screen. The Address Configuration page appears.
3. Enter the following information:
- Address Name: WS 1 (a descriptive name that must be unique from other address book entries)
- IP Address: 192.168.1.2
- NetMask: 255.255.255.255
- Comment: e.g. Administration workstation
- Location: Trusted
4. Click OK and the Address Book page reappears. Note: If you made a mistake, click Edit.
5. Repeat the process for WS 2. Click New Address. The Address Configuration page appears. Enter the following information:
- Address Name: WS 2 (a descriptive name that must be unique from other address book entries)
- IP Address: 192.168.1.3
- NetMask: 255.255.255.255
- Comment: e.g. WS 2
- Location: Trusted
6. Click OK and the Address Book page reappears.
7. Repeat the process for the Mail Server. Click New Address. The Address Configuration page appears. Enter the following information:
- Address Name: Mail Server (a descriptive name that must be unique from other address book entries)
- IP Address: 192.168.1.4
8. Click OK and the Address Book page reappears.
9. Repeat the pr
58. e Schedule Book Setup on page 3-17.
Note: Policies will appear in green when they are not being enforced.
- Traffic Shaping: The specifications for controlling and shaping traffic. The traffic shaping parameters include:
- Guaranteed Bandwidth: Guaranteed throughput in kilobits per second (kbps). Traffic below this threshold will be passed with highest priority without being subject to any traffic management shaping mechanism.
- Maximum Bandwidth: Secured bandwidth available to the type of connection being specified, in kilobits per second (kbps). Traffic beyond this threshold will be dropped. Note: Rates less than 10 kbps should not be used. Rates below this threshold will lead to dropped packets and excessive retries that defeat the purpose of traffic management.
- Traffic Priority: Traffic with higher priority will be passed first, and lower priority traffic will be passed only if there is no other higher priority traffic for a certain period of time. There are eight priority levels.
4. Click OK to add the VPN policy.
VPN and Remote Client
VPNs can be configured to operate with Netopia S9500 VPN Client software. VPNs for remote users are configured on a per-user basis. To configure the S9500 for VPN and a remote user, create a policy:
1. From the Web browser, in the Web Administration Tools menu, click the Lists Users button. The User page with the Users and Dialup Group tabs
59. e 3-22
- Interface Configuration page 3-24
- Authentication Configuration page 3-26
- URL Filtering Configuration page 3-27
- Route Table Configuration page 3-28
- Administrative Configuration page 3-29
- Syslog Configuration page 3-30
- VPN Configuration page 3-31
- P Configuration page 3-37
- User Configuration page 3-40
Note: Most of the configurations outlined in this chapter take effect on a real-time basis as soon as you click the OK or Apply button. Some configurations require an equipment reboot; a dialog box will appear when rebooting is necessary.
Address Book Setup
Before you can set up any of the other S9500 firewall features, you need to define the Address Book. The Address Book contains the IP addresses of hosts that can have their traffic allowed, blocked, encrypted or user-authenticated.
Note: The IP address 0.0.0.0 is predefined for all inside and all outside traffic.
View the Address Book
1. From the Web browser, in the Web Administration Tools menu, click the Lists Address button. The Address Book page with Trusted, Untrusted and DMZ tabs appears.
2. Trusted addresses are individual IP addresses or subnets located behind the port labeled Trusted. These entries appear in green on your screen. Untrusted addresses are individual IP addresses or subnets located behind the port labeled Untrusted. These entries appear in red on your screen. DM
60. e Configure column, click Remove and a confirmation message will appear. Select Yes.
3. To add a new policy, in the Access Policies page select the Outgoing tab and click New Policy in the lower left-hand corner of the screen. The Policy Configuration page appears.
4. Define a policy that permits Internet access from WS 1. Enter the following information:
- Source Address: WS 1 (available in the pop-up window)
- Destination Address: Outside Any (available in the pop-up window)
- Service: ANY (available in the pop-up window)
- Action: Permit (available in the pop-up window)
Leave the rest of the options at their default values. Click OK.
Note: A policy can be made more selective by selecting individual services.
5. Repeat the process for WS 2. Enter the following information:
- Source Address: WS 2 (available in the pop-up window)
- Destination Address: Outside Any (available in the pop-up window)
- Service: ANY (available in the pop-up window)
- Action: Permit (available in the pop-up window)
Leave the rest of the options at their default values. Click OK.
6. Repeat the process for outgoing e-mail from the Mail Server. Enter the following information:
- Source Address: Mail Server (available in the pop-up window)
- Destination Address: Outside Any (available in the pop-up window)
- S
61. e IP Mapping Configuration page appears.
3. Enter the following information:
- (field name illegible in source): The first IP address, which will serve as the lowest value of the Dynamic IP address range.
- (field name illegible in source): The last IP address, which will serve as the highest value of the Dynamic IP address range.
4. Click OK.
User Configuration
The S9500's Users List can define users either for authentication or for VPN access. Authentication uses one of two methods to authenticate users: an internal database or an external Radius server.
Authentication allows you to verify a connection before establishing it. The client requesting the connection is required to provide a user name and password to prove his or her validity in accessing your network. The authentication mechanism requires that the user respond to a prompt for a user name and password. Authentication can be done via HTTP (web browser), FTP or Telnet. No client software is required, but users of Mail, Gopher and other services need to authenticate first via a Web browser, Telnet or FTP session.
For example, users want to use Gopher, but the access policy requires authentication. They first open a Web browser and attempt to make a connection to the site they are trying to reach. As soon as the S9500 sees the packet, it will ask the users for authentication. Once they enter a user name and password that matches an entry in the Users List, they will b
62. e NetMask field. The default address 0.0.0.0 allows administration from any address.
Note: If you are using the Web interface to administer the S9500 and enter an invalid IP address and click OK, the screen will revert back to the 0.0.0.0 default IP address.
2. Click Apply to have your changes take effect.
Administration through the Untrusted Port
You can configure the 9500 to allow administration of the device from both the Trusted and Untrusted sides, or just from the Trusted side. To maintain the highest level of security, you should allow only Trusted network access to the unit, restricting administrative access from the Untrusted port.
Note: It is not possible to administer the 9500 from the DMZ port.
1. In the Admin Administration page, to enable administration through the Untrusted port, select Enable Untrusted Side Logon. Unselecting this option allows administration through the Trusted port only.
2. Click Apply to have your changes take effect.
E-mail Alert Notification
The S9500 can alert you via e-mail whenever an alarm is triggered. For more information on the Alarm feature, see Alarms on page 3-43.
1. In the Admin Administration page, select Enable E-Mail Alert Notification and enter the following information:
- SMTP Server IP: The IP address of the SMTP mail server. SMTP server names are not supported at this time.
- E-Mail Address 1: The e-mail address of the first user to be notified
63. e S9500 port. This field automatically defaults to Trusted, Untrusted or DMZ, depending upon which tab you chose to add the address to originally on the Address Book page. (Location)
Click OK to add the address.
Modify an existing address entry
1. In the Address Book page, click a tab to choose the Trusted, Untrusted or DMZ port.
2. In the Configure column, click Edit for the address that you want to modify. The Address Configuration page appears. Enter the new address information in the fields.
Note: Remember that the address name must be unique. Further, once an address has been defined and referenced by a policy, you can change the address name but not its port type. To change its port type, you must first modify the underlying policy.
Click OK to save the new address information.
Remove an existing address entry
1. In the Address Book page, click a tab to choose the Trusted, Untrusted or DMZ port.
2. In the Configure column, click Remove for the address that you want to delete.
Note: Addresses referenced by a policy cannot be removed until they are removed from the underlying policy.
Service Book Setup
In addition to addresses, every policy has a service associated with it. Services are IP traffic for which protocol standards exist. Each service has a port number associated with it, on which the policy will accept a request for that service. Over 30 popular services, such as HTTP, SNMP and FTP, hav
64. e authenticated to pass through the S9500. That authentication lasts a default of 10 minutes when idle. Then the packet will be processed through the S9500. If you do not actually have an HTTP server at that IP, the Web browser will just spin. Either way, the user is now authenticated. Once authenticated, users can proceed to make any other connection, be it FTP, Telnet or whatever is allowed by the access policy.
When a packet comes to the 9500, it will check whether the user must authenticate in order to pass. It will then check its authentication cache table and see if this IP has already been authenticated and is currently enabled. If so, the S9500 will pass the packets without prompting. The user's IP will be removed from the authentication cache table after the idle timeout has been reached.
If you have selected the internal user database, follow the directions below. If you have selected an external server, see page 3-26.
To enter a new user in the internal user database:
1. From the Web browser, in the Web Administration Tools, click the Lists Users button. The User Lists page appears with the Users and Dialup Group tabs. Select the Users tab.
2. Click New User in the lower left-hand corner of the screen. The User Configuration page appears.
3. Enter the following information:
- User Name: The name to be validated. The name must be unique and is limited to 20 characters.
- Type of user name: Authent
65. e been predefined.
View the Service Book
1. From the Web browser, in the Web Administration Tools menu, click the Lists Service button. The Service Book page with Predefined and Custom tabs appears. The Predefined services are color-coded to represent Remote, Email, Info Seeking, Security and Other:
- Remote includes various remote connection utilities such as FTP, RLOGIN and Telnet
- Email includes services such as POP3 and Mail
- Info Seeking includes information search engines such as HTTP, gopher and DNS
- Security includes services such as SHTTP
- Other includes miscellaneous utilities such as ICMP, SNMP, TCP ANY and SYSLOG
The Custom services are those you define by adding new services. Select either tab to view the available services.
Add a service
1. In the Service Book page, select the Custom tab.
2. Click New Service in the lower left-hand corner of the screen and the Service Configuration page appears. Enter the information into these fields:
- Service Name: A name to define the new service. This name will be used in policies that include this service.
- Source Port: Range of internal port numbers valid for that service.
- Destination Port: Range of external port numbers that will receive the service request.
- Transport: The protocol used by the service: TCP, UDP, or Other for a predefined service's number.
The confirmatio
66. ecifying the firewall as the gateway for destination networks beyond the firewall. Contact the router's administrator to verify this configuration. Also, if your secure network uses addresses that are not registered and routable on the unsecure network, including private addresses as specified in RFC 1597, packets will not be routed back to the sender. In this case, use a Client with a registered address. The firewall's Network Address Translation (NAT) feature may be used for TCP and UDP traffic, but NAT will not translate addresses in ICMP packets like ping.
Technical Support
Netopia, Inc. is committed to providing its customers with reliable products and documentation, backed by excellent technical support on line and through our resellers and distributors.
Before contacting Netopia
Look in this guide for a solution to your problem. You may find a solution in this troubleshooting chapter or in other sections.
How to get support
If you contact your local reseller or distributor by telephone, please be ready to supply them with the information you used to configure the Netopia S9500 Security Appliance. Also, please be at the site of the problem and prepared to reproduce it and to try some troubleshooting steps.
You may also contact Netopia Technical Support directly by e-mail, telephone, fax or post.
- Internet: techs ports netopia com for technical support; info@netopia.com for general information
- Phone: 1-800-782-6449
- Fax: 1-510-814
67. ed webserver with IP address 184.2.50.9 and subnet mask 255.255.255.0 connected to the DMZ interface:
ns> set address dmz webserver 184.2.50.9 255.255.255.0
To define an address book entry for a desktop machine named odie with IP address 172.16.10.1 and subnet mask 255.255.255.192 connected to the trusted interface, with a comment of Mary's desktop:
ns> set address trust odie 172.16.10.1 255.255.255.192 Mary's desktop
To delete an address book entry for a partner site named my partner which is connected to the untrusted interface:
ns> unset address dmz my partner
See Also: get address
admin
Syntax:
set admin name password <string>
set admin mng ip <a.b.c.d> <A.B.C.D>
set admin sys ip <a.b.c.d>
set admin port <number>
set admin mail alert traffic log
set admin mail mail addr1 mail addr2 <string>
set admin mail server ip <address>
unset admin mng ip name port sys ip
unset admin mail alert mail addr1 mail addr2 server ip traffic log
Description: set admin is used to configure the administrative parameters for the S9500 device. The administrative user name is an alphanumeric string. The administrative interface port number can be changed to any number between 1024 and 32,000. The traffic log has a maximum size of 16 Kbytes. A copy of the log file is sent to the ema
68. ervice: Mail (available in the pop-up window)
- Action: Permit (available in the pop-up window)
Leave the rest of the options at their default values. Click the OK button.
7. Repeat the process for outgoing DNS from the Mail Server. Enter the following information:
- Source Address: Mail Server (available in the pop-up window)
- Destination Address: Outside Any (available in the pop-up window)
- Service: DNS (available in the pop-up window)
- Action: Permit (available in the pop-up window)
Leave the rest of the options at their default values. Click OK. The Access Policies page appears. The Outgoing tab now displays the four new policies.
Test the Configuration
To confirm that the outgoing policies work, from WS 1 use a Web browser to access an external Web site, e.g. www.netopia.com. You should be able to locate the site and access the available Web pages.
Set up the Incoming Policy
Now define a policy that permits incoming access, in this example for the Mail Server and the FTP Server.
1. In the Web Administration Tools menu, click the Network Policy button. The Access Policies page appears.
2. Select the Incoming tab and click New Policy in the lower left-hand corner of the screen. The Policy Configuration page appears.
3. To define a policy that permits mail to the Mail Server, enter the following information:
- Outside An
69. es have been defined. These static routes provide proper routing for packets passing through the S9500 unit. The route tables are automatically configured once the Trusted, Untrusted and DMZ interfaces are defined. If the Trusted interface will have more than one subnet, or if the Trusted and Untrusted network has more than one router, then it is necessary to define static routes.
Define static routes
1. From the Static Route Table Configuration page, click New Entry in the lower left-hand corner of the screen. The Route Table Configuration page appears.
2. Enter the following information:
- Network Address: The IP address of the internal server.
- Network NetMask: The subnet mask of the internal network.
- Gateway IP Address: The IP address of the router that will forward the traffic, on the same subnet.
- Interface: The interface the network is connected to, either the Trusted or the Untrusted.
- Metric: A predefined parameter that defines the priority of the route. All predefined metrics are given a value of 0 and any user-defined routes are given a value of 1. This value is not user-definable.
3. Click OK to add the new route table configuration.
Modify an existing route table
1. From the Static Route Table Configuration page, in the Configure column, click Edit for the entry that you want to modify. The Route Table Configuration page appear
70. et URL filtering and route tables. The Configuration page has these tabs:
- General
- Interface
- Authen
- URL Filtering
- Route Table
Admin
Admin allows you to set system administration options such as:
- username
- password
- e-mail alert
- sys log settings
The Admin page has these tabs:
- Admin
- Sys log
Network
The Network tools are Policy, VPN and Virtual IP.
Policy
Policy allows you to define policies to permit, deny, encrypt, authenticate and shape traffic. The Access Policies page has these tabs:
- Incoming
- Outgoing
- To DMZ
- From DMZ
VPN
VPN allows you to create a virtual private network. The VPN Lists page has these tabs:
- Autokey IKE
- Manual Key
Virtual IP
Virtual IP allows you to configure virtual IP addresses. This utility is available only in NAT mode. The Virtual IP page has these tabs:
- Virtual IP1
- Virtual IP2
- IP Mapping
- Dynamic IP
Lists
The Lists tools are Address, Service, Schedule and Users.
Address
Address allows you to define IP addresses, subnets and networks with user-defined names. The Address page has these tabs:
- Trusted
- Untrusted
- DMZ
Service
Service allows you to view and define the services available for use in a policy. The Service page has these tabs:
- Predefined
- Custom
Schedule
Schedule allows you to define schedules for use in a policy.
Users
Users allows you to define user names and passw
71. friday | saturday | sunday start <hh:mm> stop <hh:mm> start <hh:mm> stop <hh:mm>
unset scheduler <string> once recurrent
Description: set scheduler is used to create and modify scheduler definitions.
Example
To create a scheduler definition named mytime which runs from 1/1/1999 11:00 AM to 2/2/1999 7:00 PM:
ns> set scheduler mytime once start 1/1/1999 11:00 stop 2/2/1999 19:00
To create a scheduler definition named weekend which runs from 8:00 AM to 5:00 PM every Saturday and Sunday:
ns> set scheduler weekend recurrent saturday start 8:00 stop 17:00
ns> set scheduler weekend recurrent sunday start 8:00 stop 17:00
See Also: get scheduler
service
Syntax:
set service <name> clear
set service <name> protocol <number>
set service <name> protocol tcp src port <number> dst port <number>
set service <name> protocol udp src port <number> dst port <number>
unset service
Description: set service is used to add a user-defined service; unset service is used to delete a user-defined service. The first format is used to add the first entry of the service, while the second format is used to append up to 7 additional entries to the named service. The <string> is the name of the defined service. The src or dst keyword is used to define the source and destination port range, where the range is defined as <low number> <high number>.
See Also: get serv
72. ge 3-31.
- Logging: Select Enable to have the 9500 log all connections for this policy. You can view a log of connections to which this access policy was applied. For more information on logging, see Logs on page 3-44.
- Counting: Select Enable to have the 9500 count the total number of bytes for this policy and record the information in historical graphs. You can then view the graphs. For more details, see Counters on page 3-43.
- Alarm Threshold: Counting must be enabled to configure alarm thresholds. In the Alarm Threshold fields, enter the number of bytes per second, the number of bytes per minute, or both. Note: You can only enter integer values in the Alarm Threshold fields. A value of 0 indicates that the alarm has been disabled. If the value is greater than 0, the alarm is enabled and you can view a log of alarms. For more details, see Alarms on page 3-43.
- Schedule: If you would like this policy enforced at all times, select None from the drop-down list. If you would like this policy enforced only during certain times, select a schedule from the drop-down list. These are schedules you have already defined in the Schedule Book. For more information on schedules, see Schedule Book Setup on page 3-17. Note: Policies will appear in green when they are not being enforced.
- Traffic Shaping: If this function is enabled, all traffic correspon
73. >
Description: set vip is used to define a virtual IP definition; unset vip is used to delete a virtual IP definition. The service string after the port number can be any of the 6 services supported: HTTP, FTP, MAIL, POP3, Telnet or HTTPS.
Example
To create a virtual IP definition for an S9500 from Untrusted IP address 209.125.11.2 to Trusted IP address 10.1.1.2 for the FTP service running at port 21:
ns> set vip 209.125.11.2 port 21 FTP None 10.1.1.2
See Also: get vip
vpn
Syntax:
set vpn <string> manual <local spi> <remote spi> gateway <a.b.c.d> esp null auth md5 key <16 byte hex> password <string> sha 1 key <20 byte hex> password <string>
set vpn <string> manual <local spi> <remote spi> gateway <a.b.c.d> esp 40bit des key <64 bit hex> password <string> des key <64 bit hex> password <string> 3des key <192 bit hex> password <string> auth null md5 key <16 byte hex> password <string> sha 1 key <20 byte hex> password <string>
set vpn <string> auto gateway <a.b.c.d> esp null auth
set vpn <string> auto gateway <a.b.c.d> esp 40bit des des 3des auth md5 sha 1 kbyte second <number>
unset vpn <string>
Description: set vpn is used to create both manual and auto vpn definition
74. he S9500 in Los Angeles.
1. In the Web Administration Tools menu, click the System Admin button. The Administration page appears with the Admin and Sys Log tabs. Select the Admin tab.
2. To restrict administration to the remote client, enter the IP address and subnet mask of the client doing the remote administration (a 255.255.255.255 netmask limits management to that single host):
Field | Information
Management Client IP | 172.17.1.10
Netmask | 255.255.255.255
Enable Untrusted Side Logon | select to enable
3. Click Apply.
You have completed Example 4.

Chapter 5 Troubleshooting
This chapter is intended to help you troubleshoot problems you may encounter while setting up and using the Netopia S9500. It also includes information on how to contact Netopia Technical Support. This chapter covers the following topics:
- The S9500 does not power on, on page 5-75
- Cannot connect to the Internet, on page 5-75
- Link LED is off, on page 5-75
- Cannot ping the S9500, on page 5-76
- Cannot ping unsecure hosts from secure hosts or vice versa, on page 5-76
- Technical Support, on page 5-76

The S9500 does not power on
When you power on the S9500, verify that it has started successfully by confirming that the green power supply LED lights and the status light is blinking. The S9500 takes about 30 seconds to boot; wait until the status LED is blinking.

Cannot connect to the Internet
If you are n
75. hreshold

global
Syntax
set global config port listen report port port
set global enable
set global ip address
set global send network
set global send resource summary
unset global
Description
Define the S9500 Global configuration.
Example
ns> set global enable
See Also
get global

hostname
Syntax
set hostname
unset hostname
Description
set hostname is used to define the S9500's hostname, which appears on the console prompt.
Default: ns
Example
To change the S9500's hostname to acme:
ns> set hostname acme
To reset the S9500's hostname to the default value:
acme> unset hostname
See Also
get hostname

hsa
Syntax
set hsa group <number>
unset hsa
Description
set hsa is used to define the high system availability group id. S9500 devices with the same group id participate in the negotiation process to find the master for the group. A group id of 0 disables the high system availability feature.
Default: group id 0
Example
To set the high system availability group to 3:
ns> set hsa group 3
See Also
get hsa
Note: High availability is only available when the S9500 is running in NAT mode. When additional S9500 devices join an existing HA group, the master is whichever S9500 device has the lowest MAC address.

ike
76. ication User or VPN Dialup User.
4. If you enabled Authentication User, skip to step 5. If you enabled VPN Dialup User, enter the following information:
Field | Information
User Group | A dialup user group
Security Index Local | The local security index (SPI) for this dialup user
Security Index Remote | The remote security index (SPI) for this dialup user
ESP Encryption Algorithm | The encryption algorithm to be used: NULL, DES-CBC or 40bit DES-CBC
Key | An encryption key for the algorithm specified. Each field of the key is 8 bytes long, represented in hex, so a field is 16 characters with two characters per byte. Each byte must have odd parity (the sum of its 8 bits must be odd). For DES only the left-most field needs to be defined; for 3DES all three fields must be defined. The S9500 automatically adjusts your key value to satisfy the parity requirement.
Password | A password from which the hex key is generated.
Note: The password feature is a convenience and may lead to similar keys; entering a randomly generated hex key directly avoids this.
ESP Authentication Algorithm | The algorithm to use for authentication: NULL, MD5 or SHA-1
Key | A key for the authentication algorithm specified. MD5 uses 16 bytes and SHA-1 uses 20 bytes. Each field of the key is 8 or 10 bytes long, represented in hex. The key is 16 or 2
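The parity rule for the manual DES/3DES key fields above is easy to get wrong when keys are typed in by hand. The following Python is an added example, not part of the Netopia manual or the S9500 firmware: it joins the 16-hex-character fields from the form, checks each byte for odd parity, applies the same parity adjustment the manual says the S9500 performs, and adds two checks the manual does not mention (the well-known DES weak keys, and 3DES fields that repeat and so collapse to single DES). The sample keys are constructed for illustration.

```python
"""Check and normalize manual IPsec ESP keys for the DES / 3DES key fields.

Added example, not from the Netopia manual or the S9500 firmware. Implements the
manual's rule (every key byte has odd parity; DES uses one 8-byte field, 3DES three)
plus weak-key and repeated-field checks that the manual does not mention.
"""

DES_FIELD_BYTES = 8

# Well-known DES weak keys (not from the manual; added practitioner check).
DES_WEAK_KEYS = {
    bytes.fromhex("0101010101010101"),
    bytes.fromhex("FEFEFEFEFEFEFEFE"),
    bytes.fromhex("E0E0E0E0F1F1F1F1"),
    bytes.fromhex("1F1F1F1F0E0E0E0E"),
}


def has_odd_parity(byte: int) -> bool:
    """True if the number of set bits in the byte is odd (the DES parity rule)."""
    return bin(byte).count("1") % 2 == 1


def fix_des_parity(key: bytes) -> bytes:
    """Adjust the parity bit (LSB of each byte) so every byte has odd parity.

    This is the adjustment the manual says the S9500 applies automatically."""
    fixed = bytearray()
    for b in key:
        data_bits = b & 0xFE
        parity_bit = 0 if bin(data_bits).count("1") % 2 == 1 else 1
        fixed.append(data_bits | parity_bit)
    return bytes(fixed)


def parse_hex_fields(hex_fields, algorithm: str) -> bytes:
    """Join the 16-hex-character form fields into a key.

    algorithm is "des" (left-most field only) or "3des" (all three fields)."""
    needed = 1 if algorithm == "des" else 3
    fields = [f.strip().replace(" ", "") for f in hex_fields][:needed]
    if len(fields) != needed:
        raise ValueError(f"{algorithm} needs {needed} key field(s), got {len(fields)}")
    key = b""
    for f in fields:
        if len(f) != 2 * DES_FIELD_BYTES:
            raise ValueError(f"each field must be 16 hex characters, got {len(f)}")
        key += bytes.fromhex(f)
    return key


def check_des_key(key: bytes) -> list:
    """Return findings for a DES (8-byte) or 3DES (24-byte) key; an empty list means OK."""
    findings = []
    if len(key) not in (8, 24):
        return [f"unexpected key length {len(key)} bytes"]
    bad = [i for i, b in enumerate(key) if not has_odd_parity(b)]
    if bad:
        findings.append(f"bytes with even parity at offsets {bad} (device would rewrite them)")
    fields = [key[i:i + 8] for i in range(0, len(key), 8)]
    for n, f in enumerate(fields):
        if fix_des_parity(f) in DES_WEAK_KEYS:
            findings.append(f"field {n + 1} is a known DES weak key")
    if len(fields) == 3 and (fields[0] == fields[1] or fields[1] == fields[2]):
        findings.append("3DES fields repeat; effective strength collapses to single DES")
    return findings


if __name__ == "__main__":
    # Constructed sample: the classic DES test key, already odd-parity.
    good = parse_hex_fields(["133457799BBCDFF1"], "des")
    print(check_des_key(good))  # []
    # Constructed sample: an all-zero field; parity fixing turns it into the weak key 0101...
    zero = parse_hex_fields(["0000000000000000"], "des")
    print(fix_des_parity(zero).hex(), check_des_key(zero))
```

Run it against the key you intend to type into the form before saving; anything it reports about parity the device will silently change, and anything it reports about weak or repeated fields the device will accept as-is.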
77. ice

syn threshold
Syntax
set syn threshold <number>
unset syn threshold
Description
set syn threshold sets the SYN flood protection threshold. SYN attack firewall protection takes effect once the number of SYN requests to the same location exceeds the threshold within one second; the S9500 checks this threshold at one-second intervals. Once the number of SYN requests to that location falls below the threshold, the protection switches off, and it switches on again when the condition recurs. This parameter has no effect if SYN attack firewall protection is not enabled (see set firewall syn attack). The threshold value can be in the range 0 to 65535.
Default: 200 per second
Example
To set the SYN flood protection threshold to 1000 per second:
ns> set syn threshold 1000
To reset the SYN flood protection threshold to 200 per second:
ns> unset syn threshold
See Also
get syn threshold, get firewall, set/unset firewall

syslog
Syntax
set syslog config <a.b.c.d> auth/sec | local0-7 <facility> <level>
set syslog enable traffic
set syslog port <number>
set syslog webtrend enable | ip <a.b.c.d> | port <number>
unset syslog
Description
The syslog mechanism has to be configured
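The threshold semantics above (count SYNs to the same destination per one-second window, turn protection on when the count passes the threshold, off again when it falls back) are what you would reproduce when tuning the value from a capture. The following Python is an added example, not part of the Netopia manual or the S9500 firmware; it models that behaviour over a constructed flow-record format (time, source, destination, TCP flags) and reports the per-destination state changes. The 200-per-second default comes from the manual; the sample traffic is constructed.

```python
"""Per-destination SYN-rate check in one-second windows, modelling set syn threshold.

Added example, not from the Netopia manual or the S9500 firmware. The record format
and sample lines are constructed; a real deployment would feed it from a capture.
"""
from collections import defaultdict

DEFAULT_SYN_THRESHOLD = 200   # S9500 default: 200 SYNs per second to one destination


def parse_flow_line(line: str):
    """Parse a constructed record '<seconds> <src ip> <dst ip> <flags>'."""
    ts, src, dst, flags = line.split()
    return float(ts), src, dst, flags


def syn_protection_timeline(records, threshold=DEFAULT_SYN_THRESHOLD):
    """Count pure SYNs (flag string 'S', no ACK) per destination per whole second.

    Returns [(window_start, dst_ip, syn_count, protection_on)] sorted by window then
    address. protection_on is True when the count passes the threshold and False in any
    later window where it is at or below it, as the manual describes.
    """
    counts = defaultdict(lambda: defaultdict(int))
    for ts, _src, dst, flags in records:
        if flags == "S":
            counts[int(ts)][dst] += 1
    timeline = []
    for window in sorted(counts):
        for dst, n in sorted(counts[window].items()):
            timeline.append((window, dst, n, n > threshold))
    return timeline


def protection_transitions(timeline):
    """Reduce a timeline to (window, dst, 'on'|'off') events where the state changes."""
    state = {}
    events = []
    for window, dst, _n, on in timeline:
        if state.get(dst, False) != on:
            events.append((window, dst, "on" if on else "off"))
            state[dst] = on
    return events


# Constructed sample traffic: 250 SYNs to 10.1.1.2 in second 0 from many sources,
# 50 more in second 1, and one ordinary handshake to 10.1.1.3.
SAMPLE_LINES = (
    [f"{0.001 * i:.3f} 198.51.100.{i % 200 + 1} 10.1.1.2 S" for i in range(250)]
    + [f"{1 + 0.01 * i:.3f} 198.51.100.{i + 1} 10.1.1.2 S" for i in range(50)]
    + ["0.500 192.0.2.7 10.1.1.3 S", "0.501 192.0.2.7 10.1.1.3 A"]
)


def analyse_sample(threshold=DEFAULT_SYN_THRESHOLD):
    """Run the check over the constructed sample at the given threshold."""
    return syn_protection_timeline(map(parse_flow_line, SAMPLE_LINES), threshold)


if __name__ == "__main__":
    for entry in analyse_sample():
        print(entry)
    print(protection_transitions(analyse_sample()))
```

Feeding a day of real flow records through syn_protection_timeline at the candidate threshold shows how often the protection would toggle for each server, which is the number to look at before raising or lowering the default.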
78. il addresses specified whenever it is full or every 24 hours, whichever comes first.
Default: admin name and password are both netopia; mng ip is 0.0.0.0 with subnet mask 0.0.0.0; sysip is 209.125.148.254; admin port is 80; mail alert is off, with mail server ip 0.0.0.0 and empty mail addresses.
Note: These defaults leave the administrator account at netopia/netopia and, with mng ip 0.0.0.0/0.0.0.0, allow management from any address. Change the password and restrict mng ip to the management host or network before connecting the device to an untrusted network.
Synopsis
set admin name | password <string>
set admin mng ip <a.b.c.d> <A.B.C.D>
set admin sys ip <a.b.c.d>
set admin port <number>
set admin mail alert | traffic log
set admin mail mail addr1 | mail addr2 <string>
set admin mail server ip <address>
unset admin mng ip | name | port | sys ip
unset admin mail alert | mail addr1 | mail addr2 | server ip | traffic log
Example
To change the administrator user name to paul:
ns> set admin name paul
To change the administrator login password to build4 you:
ns> set admin password build4 you
To change the port number for the Web administrative interface to 8000:
ns> set admin port 8000
To enable mail alerts for administrative issues:
ns> set admin mail alert
To enable the mail traffic log for administrative issues:
ns> set admin mail traffic log
To configure john@abc.com as an email address to receive administrative alerts:
ns> set admin mail mail addr1 john@abc.com
To specify 209.12.34.100 as the mail server to receive administrative email alerts:
ns> set admi
79. istration Tools menu, click the Network Policy button. The Access Policies page appears.
2. Select the Outgoing tab and click New Policy in the lower left-hand corner of the screen. The Policy Configuration page appears.
3. Define a policy for encryption. Enter the following information:
Field | Information
Source Address | CHI_LAN (available in the pop-up window)
Destination Address | LA_LAN (available in the pop-up window)
Service | ANY (available in the pop-up window)
Action | Encrypt (available in the pop-up window)
VPN Tunnel | CHI_LA (available in the pop-up window)
Click OK.
Note: A policy can be more selective by selecting individual services.
4. Define a policy for Internet Web access. Enter the following information:
Field | Information
Source Address | Inside Any (available in the pop-up window)
Destination Address | Outside Any (available in the pop-up window)
Service | HTTP (available in the pop-up window)
Action | Permit (available in the pop-up window)
VPN Tunnel | None (the Action is Permit, not Encrypt)
Click OK.
Now a tunnel is set up between the Los Angeles and Chicago offices.

Secure Remote Administration via VPN Tunnel
After you have set up a VPN tunnel, you can securely administer a remote S9500 through that VPN tunnel. For this example, you can add a remote administration station in Chicago to access t
80. king yellow | Activity on Trusted port
Alarm is solid red | Alarm has occurred
Traffic Alert is blinking yellow | Traffic is heavy
VPN is solid green | VPN tunnel is established
Management is solid green | S9500 is managed via the console
Management is blinking green | S9500 is managed via the Web browser
Mode is solid green | Transparent mode is in effect
Mode is unlit | Network Address Translation mode is in effect
20 is solid green | CPU utilization is greater than 20%
40 is solid green | CPU utilization is greater than 40%
60 is solid yellow | CPU utilization is greater than 60%
80 is solid red | CPU utilization is greater than 80%

Chapter 3 Configuration and Monitoring
The Netopia S9500 Security Appliance can be configured and monitored from a Web browser, a command line interface, an SNMP management program, or the Netopia 9500 VPN Client software. This chapter guides you through configuring the S9500 using the Web Administration Tools in a Web browser. For information on using SNMP, see Appendix A, SNMP Support. For the commands of the command line interface, see Appendix B, Command Line Interface. For information on the Netopia 9500 VPN Client software, see the Netopia Remote Software IPSec Client Reference Guide included on the Netopia CD. This chapter covers the following topics:
81. lear entries in the ARP table.
Example
ns> clear arp
See Also
get arp

clear auth
Syntax
clear auth table
Description
Clear authentication information stored in memory.
Example
To clear all entries in the authentication table:
ns> clear auth table
See Also
get authentication, set/unset authentication

clear dbuf
Syntax
clear dbuf
Description
Clear the content of the debug buffer.
Example
ns> clear dbuf
See Also
get dbuf, set/unset console

clear file
Syntax
clear file <string>
Description
Delete the file named <string> from flash memory.
Example
To delete the file named myconfig from flash memory:
ns> clear file myconfig
See Also
get file

clear ike
Syntax
clear ike <a.b.c.d> | cookies all
Description
Clear entries related to IKE.
Example
To clear all existing IKE information for host 172.2.10.1:
ns> clear ike 172.2.10.1
To clear all existing IKE cookies:
ns> clear ike cookies all
See Also
set/unset ike, get ike

clear log
Syntax
clear log all | event | traffic [policy <id>]
Example
To clear all entries in the log table:
ns> clear log
To clear event entries in the log table:
ns> clear log event
To clear traffic entries for all policies in the log table:
ns> clear
82. line interface 81 dynamic IP 39 example 1 45 example 2 52 example 3 58 example 4 64 interface 24 IP 37 mapped IP 39 NAT mode 24 policy 18 policy encryption 35 policy VPN 34 Index 1 route table 28 Schedule Book 17 20 35 Service Book 16 19 SNMP 79 SYSLOG 30 system 22 download 23 upload 23 Transparent mode 24 URL filtering 27 user 26 40 virtual IP 37 57 VPN 20 31 42 64 Web browser 11 Web browser tools 11 connections port 8 9 counters 20 43 D dynamic IP configuration 39 E encryption policy configuration 35 F features 5 find a location 7 installation items 7 interface configuration 24 IP configuration 37 Index 2 L LEDs 10 login name and password 29 logs 20 44 mapped IP configuration 39 monitoring 42 alarms 43 command line interface 81 counters 43 logs 44 traffic 42 Network Address Translation mode 24 45 52 58 64 P policy configuration 18 port connections 8 9 ports 9 R Radius server 26 route table configuration 28 S Schedule Book configuration 17 20 35 Service Book configuration 16 19 SNMP configuration 79 software update 22 status lights 10 SYSLOG configuration 30 system configuration 22 download 23 upload 23 T traffic shaping 42 Transparent mode 24 45 U URL filtering configuration 27 user configuration 26 40 V virtual IP configuration 37 57 VPN 19 VPN client 33 36 73 VPN configuration 20 31 42 64 VPN policy
83. - Accessing the S9500 via a Web browser, on page 3-11
- Configuring the S9500, on page 3-14
- Monitoring the S9500, on page 3-42

Accessing the S9500 via a Web browser
To access the S9500 via a Web browser you must have:
- Netscape Communicator V4.0 or later, or Microsoft Internet Explorer V4.01 or later
- a TCP/IP network connection to the S9500
If you have not configured the administration IP of the S9500, see the Getting Started Guide included in your Netopia folio for the Quick Configuration information.
To start a network connection from your computer to the S9500:
1. In the URL field of your Web browser, enter the IP address of the S9500. The Enter Network Password dialog box appears.
2. Type in the user name and the password. Note that the user name and password are case sensitive.
3. Click OK. You are now logged on to the S9500, and the Netopia Web Administration page appears.
Note: Telnet and plain HTTP to the Web interface carry the administrator credentials unencrypted. For administration across an untrusted network, use a VPN tunnel as described under Secure Remote Administration via VPN Tunnel.

Web Administration Tools
The main menu of the Web interface consists of the Web Administration Tools. Laid out along the left-hand side of the page are four types of tools: System, Network, Lists and Monitor. Beneath each of these tools are buttons that offer the utilities listed below.

System
The System tools are Configure and Admin.
Configure
Configure allows you to:
- set device options regarding the firewall, user and authentication
- perform system updates
- define the IP address for each port
- s
84. mation, see the discussion of NAT in Network Address Translation mode on page 3-24.

Set Up Addresses
The next step of this example is to define the workstations and servers that need to pass through the firewall.
1. Log on to the S9500 Web management page by entering the new Trusted interface IP address, http://172.16.1.251, into the Web browser.
2. In the Web Administration Tools menu, click the Lists Address button. The Address Book page with Trusted and Untrusted tabs appears. Trusted addresses are individual IP addresses or subnets located behind the port labelled Trusted; these entries appear in green on your screen. Untrusted addresses are individual IP addresses or subnets located behind the port labelled Untrusted; these entries appear in red on your screen.
3. Click New Address in the lower left-hand corner of the screen. The Address Configuration page appears.
4. Enter the following information:
Field | Information
Address Name | LA_LAN (a descriptive name that must be unique among address book entries)
IP Address | 172.16.1.0
NetMask | 255.255.255.0
Comment | e.g. Los Angeles office network
Location | Trusted
Click OK to save the entry.
5. Repeat the procedure to add the Chicago office network address to the Untrusted side. In the Address Configuration page, enter the following information:
Field | Information
Address Name | CHI_LAN
85. mation about a defined dialup group. For each member it shows the name, SPI values, SA values, and the ESP encryption and authentication algorithms along with the keys used. Because this output includes the keys, treat any captured console session containing it as a secret.
Example
To show all dialup group configuration:
ns> get dialup group all
To show the dialup group configuration with id number 4:
ns> get dialup group id 4
See Also
set/unset dialup group

get dip
Syntax
get dip all | id <number>
Description
get dip shows the dynamic IP configuration.
Example
To show all dip configuration:
ns> get dip all
To show the dip configuration with id number 4:
ns> get dip id 4
See Also
set/unset dip

get file
Syntax
get file <string>
Description
Show information for files stored in flash memory: the device the file is stored on along with its file name. Currently the only device supported is the flash memory.
Example
To show information for the file named corpnet in flash memory:
ns> get file corpnet
See Also
clear file, save

get firewall
Syntax
get firewall
Description
Show the firewall attack protection settings.
Example
ns> get firewall
See Also
set/unset firewall

get global
Syntax
get global
Description
Show the global management settings.
Example
ns> get global
See Also
set/unset global
86. mber> dst port <number>
set ffilter src ip <a.b.c.d> dst ip <a.b.c.d> dst port <number>
set ffilter src ip <a.b.c.d> dst ip <a.b.c.d> ip proto <number> dst port <number>
set ffilter src ip <a.b.c.d> dst ip <a.b.c.d> ip proto <number> src port <number> dst port <number>
set ffilter src ip <a.b.c.d> dst ip <a.b.c.d> src port <number>
set ffilter src ip <a.b.c.d> dst ip <a.b.c.d> src port <number> dst port <number>
set ffilter src ip <a.b.c.d> dst port <number>
set ffilter src ip <a.b.c.d> ip proto <number> dst port <number>
set ffilter src ip <a.b.c.d> ip proto <number> src port <number> dst port <number>
set ffilter src ip <a.b.c.d> src port <number> dst port <number>
set ffilter src port <number> dst port <number>
unset ffilter
Description
set ffilter creates a filter for the debug flow output so that only traffic matching the given source address, destination address, IP protocol, source port and destination port is shown.
Example
To create a filter for all traffic from the host with IP address 172.16.10.1:
ns> set ffilter src ip 172.16.10.1
To create a filter for all SMTP traffic destined to the host with IP address 209.114.3.2:
ns> set ffilter dst ip 209.114.3.2 dst port 25
To erase all filter settings:
87. n. The count is cumulative from power-up.
Example
To display all counters:
ns> get counter all
To display counters for firewall attacks or system-related packets:
ns> get counter flow
To display counters for the interfaces and network-related information:
ns> get counter int

get dbuf
Syntax
get dbuf info | mem <number> | stream <number>
Description
get dbuf displays information about, and the content of, the debug buffer. The buffer content can be displayed as raw data with the mem parameter; formatted output can be retrieved with the stream parameter.
Example
To display information about the debug buffer:
ns> get dbuf info
To obtain a memory dump of the debug buffer at offset 20 from the beginning:
ns> get dbuf mem 20
To obtain a list of the messages in the debug buffer:
ns> get dbuf stream
See Also
clear dbuf, set console

get debug
Syntax
get debug
Description
Show the current debug level settings.
Example
ns> get debug
See Also
debug

get dialup group
Syntax
get dialup group all | id <number>
Description
get dialup group shows the dialup group configuration. all shows the id, name and total number of members of all defined dialup groups; id shows detailed infor
88. n in capital cost. Multiple domains and web servers can be mapped to the same physical server, reducing the cost of computer equipment as well as the associated administration tasks.
To configure a Virtual IP:
1. From the Web browser, in the Web Administration Tools, click the Network Virtual IP button. The Virtual IP page appears with the Virtual IP 1, Virtual IP 2, IP Mapping and Dynamic IP tabs. Select either of the Virtual IP tabs.
2. Click the link at the top of the page to configure that Virtual IP address. The Virtual IP Configuration page appears.
3. In the Virtual IP Address field, enter the legal IP address that will be mapped from the Untrusted interface to the Trusted or DMZ port, and click OK. The Virtual IP page reappears.
Note: Setting the IP address to 0.0.0.0 or clicking the Clear button on the configuration page clears the Virtual IP address.
4. Define the service to be mapped by clicking New Service in the lower left-hand corner of the Virtual IP page. The Virtual IP Service Configuration page appears.
5. Enter the following information:
Field | Information
Virtual Port | The port that the service should be mapped to. You can use standard port numbers or other port numbers; if non-standard port numbers are used, reconfiguration of the server may be required.
Service | The service that should be mapped to the port.
Server IP | The IP address of the server on the Trusted or DMZ network.
89. n kilobits per second (kbps).
Field | Information
DMZ Interface Physical Address | The unique (MAC) address of the Ethernet network interface for the DMZ port. The MAC value is reported for information purposes, together with the current status of the interface. This field is not modifiable.
DMZ IP | A valid IP address for the S9500's DMZ interface; hosts on the DMZ refer to the S9500 by this address, as Trusted hosts do by the Trusted port interface address.
DMZ Netmask | The subnet mask of the DMZ IP address.
DMZ Traffic Bandwidth | The actual line speed in kilobits per second (kbps).
Note: There is no Default Gateway IP address for the DMZ port because the S9500 supports a DMZ with only one subnet.
3. Click Save and Reset to have the new settings take effect and to restart your S9500.

Authentication Configuration
S9500 policies can require user authentication before network access is allowed. The S9500 supports a built-in user database or can be linked to a RADIUS server; the RADIUS server must be located on the Trusted network. You set up authentication on the Authentication (Authen) Configuration page: from the Web browser, in the Web Administration Tools, click the System Configure button. The Configuration page appears with the General, Interface, Authen, URL Filtering and Route Table tabs. Select the Authen tab.
User Idle Timeout | This setting determines how much user inactivity must elapse before the S9500 ends the user session. The
90. n mail server ip 209.12.34.100
To disable mail alerts for administrative issues:
ns> unset admin mail alert
See Also
get admin
Notes
The email server that receives the administrative email alert has to be identified by its IP address; the S9500 does not perform name resolution. There is no way to unset the admin password; please contact Netopia for information.

arp
Syntax
set arp <a.b.c.d> <mac address> <interface number>
unset arp <a.b.c.d>
Description
set arp creates an entry in the ARP table. The S9500 supports a maximum of 256 entries. The last parameter indicates which interface the ARP entry belongs to: 0 is the Trusted interface, 1 the Untrusted interface and 2 the DMZ interface. Each entry stays in the table for 960 seconds before it is deleted.
Example
To create an ARP entry for a machine with IP address 10.1.1.1 and MAC address 002090102345 connected to the Trusted interface:
ns> set arp 10.1.1.1 002090102345 0
To create an ARP entry for a machine with IP address 209.234.1.2 and MAC address 000010293847 connected to the Untrusted interface:
ns> set arp 209.234.1.2 000010293847 1
To create an ARP entry for a machine with IP address 192.1.9.23 and MAC address 00201034a98c connected to the DMZ interface:
ns> set arp 192.1.9.23 00201034a98c 2
91. n method (reverse communication or acknowledged): the Reverse/Ack flag. Click OK to save the addition.
Edit an existing service
Note: You can edit or delete existing Custom service entries, but you cannot edit or delete any Predefined service entries.
1. In the Service Book page, click the Custom tab.
2. In the Configure column, click Edit for the service that you want to modify. The Service Configuration page appears.
3. Enter the new service information in the fields. Click OK to save the new service information.
Remove an existing service
Note: You can edit or delete existing Custom service entries, but you cannot edit or delete any Predefined service entries.
1. In the Service Book page, click the Custom tab.
2. In the Configure column, click Remove for the service that you want to delete.

Schedule Book Setup
In addition to addresses and services, every policy has a schedule associated with it.
View the Schedule Book
From the Web browser, in the Web Administration Tools menu, click the Lists Schedule button. The Schedule Book page appears, displaying a table of defined schedules.
Add a schedule
In the Schedule Book page, click New Schedule. The Schedule Configuration page appears. Enter the information into these fields:
Field | Information
Schedule Name | The name that will appear in the configuration window. Choose a descriptive name to help you identify the schedule. The name must be
92. n the lower left-hand corner of the screen. The Virtual IP Service Configuration page appears.
6. To define the Virtual IP Service for mail, enter the following information:
Field | Information
Virtual Port | 25
Service | Mail (available in the pop-up window)
Server IP | 172.16.10.2
Click OK.
7. The defined service now appears in the table on the Virtual IP page.
Now define a policy that permits only incoming mail server access:
1. In the Web Administration Tools menu, click the Network Policy button. The Access Policies page appears.
2. Select the Incoming tab and click New Policy in the lower left-hand corner of the screen. The Policy Configuration page appears.
3. Enter the following information:
Field | Information
Source Address | Outside Any (available in the pop-up window)
Destination Address | VIP 192.168.1.3 (available in the pop-up window)
Service | Mail (available in the pop-up window)
Action | Permit (available in the pop-up window)
Leave the rest of the options at their default values. Click OK.
You have completed Example 2.

Example 3: 3-port Network Address Translation mode
This configuration is best for new Internet connections that will host public servers (e.g. Web, e-mail) requiring a different security policy. The third port (DMZ) will be used. This configuration enables NAT and allows all users to have access to the Inte
93. ne such as the Internet. The goals of this example are to:
- Secure the VPN tunnel for all services to the Chicago office network
- Permit outgoing Internet Web access for everybody in the office network
This example assumes:
- The S9500 has been installed into the network
- The S9500 was configured in Transparent mode
Your network should resemble this diagram:
[Diagram: the Chicago office with a Netopia S9500 Security Appliance at 201.186.1.251 and the Los Angeles office with a Netopia S9500 Security Appliance at 205.186.1.251, each in front of its LAN, connected across the Untrusted network; the LA LAN is 172.16.1.0]
To begin this example, configure the Los Angeles site. First gather all the information you will need to configure Network Address Translation (NAT). Determine what address range will be used for the Untrusted and Trusted addresses. This example uses the following information:
- Internet Router IP: 205.186.1.254 (assigned by the ISP; connected to the Untrusted port)
- Internet Router subnet mask: 255.255.255.0 (assigned by the ISP)
- S9500 Untrusted IP: 205.186.1.251 (must be on the same subnet as the Internet router)
- S9500 Untrusted subnet mask: 255.255.255.0 (must be on the same subnet as the Internet router)
- S9500 Trusted IP: 172.16.1.251 (all hosts must be on the same subnet)
- S9500 Trusted subnet mask: 255.255.255.0 (all hosts must be on the same subnet)
- LA network: 172.16.1.0
- LA subnet mask: 255.255.255.0
Then log on to the S9500 Web management page.
94. nformation in these fields:
Field | Information
Source Address | Choose an address from the drop-down list for the host or network generating the connection. These are addresses you have already defined in the Address Book; see Address Book Setup on page 3-14.
Destination Address | Choose an address from the drop-down list for the server receiving the connection request. These are addresses you have already defined in the Address Book; see Address Book Setup on page 3-14.
Service | Choose a service from the drop-down list for the type of connection to be established. Services define the type of traffic. Core Internet services are predefined in the Service Book, or you can define custom services; see Service Book Setup on page 3-16.
Action | Choose Permit, Deny, Encrypt or Authenticate from the drop-down list. The S9500 applies the selected action to traffic that matches the first three criteria: Source Address, Destination Address and Service.
VPN Tunnel | If the Action is not Encrypt, leave None (the default) in this field. If the Action is Encrypt, select the VPN tunnel that matches the source and destination. For more information on VPN tunnels, see VPN Configuration on pa
95. ng Policy
Next you must set up a policy that permits the inside workstations to access the Internet.
1. In the Web Administration Tools menu, click the Network Policy button. The Access Policies page appears.
2. Remove the old policy permitting any inside-to-outside traffic: in the Configure column, click Remove, and when the confirmation message appears, select Yes.
3. To add a new policy, in the Access Policies page select the Outgoing tab and click New Policy in the lower left-hand corner of the screen. The Policy Configuration page appears.
4. Define a policy that permits Internet access from WS 1. Enter the following information:
Field | Information
Source Address | WS 1 (available in the pop-up window)
Destination Address | Outside Any (available in the pop-up window)
Service | ANY (available in the pop-up window)
Action | Permit (available in the pop-up window)
Leave the rest of the options at their default values. Click OK.
Note: A policy can be more selective by selecting individual services.
5. Repeat the process for WS 2. Enter the following information:
Field | Information
Source Address | WS 2 (available in the pop-up window)
Destination Address | Outside Any (available in the pop-up window)
Service | ANY (available in the pop-up window)
Action | Permit (available in the pop-up window)
Leave the rest of the options at their default values. Click O
96. ng Started Guide included in your Netopia folio for information on changing the Administration IP.
3. Configure the System IP and Trusted interface if you haven't already. See the Getting Started Guide included in your Netopia folio for information on initial configuration.
4. Reset the S9500 so the agent can initialize its SNMP manager list. The SNMP manager on the administration workstation should now be able to communicate with the S9500.
Note: Ethernet interface information is reported as 1 = Trusted, 2 = Untrusted and 3 = DMZ.
Note: The current implementation allows only one SNMP manager (the administration workstation) to be defined. Requests from any other IP address are rejected, but no trap is generated. The community string is public by default and cannot be changed, so access control for SNMP rests entirely on the manager IP address restriction.
Note: The MIB-II system group variables sysContact, sysName, sysLocation and sysServices are read-write objects. All other variables are read-only.

Appendix B Command Line Interface
The Netopia S9500 Security Appliance can be managed via the console with typed commands. The Command Line Interface (CLI) serial settings are 9600 bps, 8 data bits, no parity, 1 stop bit and no flow control.
Common features of the CLI:
- Backspace, Delete and Control-H remove one character; Control-U removes an entire line.
- Control-F and Control-B traverse the command histo
97. ng this option would allow all traffic that is not denied by a policy. This could be useful for non-network protocols that may be required by other services.
- Filter IP Source Route Option: The IP header can carry a source route option, routing information that may specify a different source than the header source address. The source route option can allow an attacker to enter a network with a fake IP address and have the replies sent back to the real address. When this option is selected, the S9500 blocks all IP traffic that uses the source route option.

Synchronize System Clock
The S9500's system clock should be synchronized with real time so that the logs reflect the actual time of events. To set the system clock of the S9500, select the Synchronize system clock with this client option and click Apply.
Note: If you are managing the S9500 remotely across time zones, the time of the S9500 will be the same as that of the administration workstation.

Download and Upload System Configuration
The S9500 configuration can be downloaded and uploaded. The configuration contains all the device's general, admin, interface, policy, user-defined service and user database settings. This data can be used to configure other devices or, in case of failure, to configure a new device. Because the file contains the admin and user database settings, store it as you would any other credential material.
1. From the Web browser, in the Web Administration Tools, click the System Admin button. The Administration page appears with the Admin and Sys Log tabs. Select the Admin tab.
2. Click Downloa
98. ns> unset ffilter
See Also: get ffilter
firewall
Syntax:
set firewall default-deny | ip-spoofing | ping-of-death | src-route | syn-attack | tear-drop
unset firewall default-deny | ip-spoofing | ping-of-death | src-route | syn-attack | tear-drop
Description: set firewall is used to enable protection against various network attacks; unset firewall is used to disable protection against various network attacks.
Options:
- default-deny: deny all traffic not specifically allowed by a network policy. Disabled, this would allow all traffic that is not explicitly denied.
- ip-spoofing: spoofing attacks occur when unauthorized agents attempt to bypass the firewall security by imitating valid client IP addresses.
- ping-of-death: many ping implementations allow the user to specify a larger packet size if desired, which can trigger a range of adverse system reactions including crashing, freezing and rebooting.
- src-route: IP header information has an option to contain routing information that may specify a different route.
- syn-attack: attacks occur when the connecting host continuously sends TCP SYN requests without the corresponding ACK response.
- tear-drop: attacks occur when TCP packets overlap, rendering Windows 95 machines dead.
Default: All enabled.
Example: To enable the default-deny firewall protection: ns> set firewall default-deny. To disable the IP spoofing firewall protection: ns> unset firewall ip-spoofing.
See Also: get firewall, set syn-t
99. nt interface. User name is the login name used by the administrator to log on to the S9500 before performing any administrative work through the Web management interface or Telnet protocol. Each interface is shown with its MAC address, IP address and subnet mask. The status of the interface is also shown, along with the speed obtained through auto-sensing. The ping ability of each interface is displayed too. The Manage IP address indicates the IP address used for performing Web management from a specific interface. The gateways used by the Trusted and Untrusted interfaces are shown by their IP addresses and subnet masks.
Example: To show information for all network interfaces: ns> get interface
See Also: set/unset interface
get log
Syntax: get log all | policy <number>
Description: Show all entries in the log table.
Example: To show all entries in the log table: ns> get log all. To show the entries in the log table for policy id 3: ns> get log policy 3
See Also: clear log
get mac-learn
Syntax: get mac-learn
Description: Show all entries in the MAC learning table.
Example: To show all entries in the MAC learning table: ns> get mac-learn
See Also: clear mac-learn
get mip
Syntax: get mip cache
Description: Show all the mapped IP configuration.
Example: To show all mapped IP configuration
100. nterface where it connects to. The if field can be 0, 1 or 2, where 0 is the Trusted interface, 1 is the Untrusted interface and 2 is the DMZ interface. Each entry has an age timer of 960 seconds; when its age reaches 0, the entry is deleted from the ARP table.
Example: To show all the entries in the ARP table: ns> get arp
See Also: set/unset arp
get auth
Syntax: get auth all | queue | settings | table
Description: Show the user authentication settings. A successful authentication attempt causes an entry to be created in the 9500's authentication table. Each entry has a timeout value; once it reaches the timeout value the entry is gone, and any authenticated traffic initiated from the same machine will require authentication again. An authentication queue contains a list of authentication requests that are waiting to be processed; this parameter is valid only if the authentication type is the Radius server. An authentication table contains a list of entries that shows where the user initiates the authentication request, how much time is left before the entry gets deleted, and whether the attempt is successful. The S9500 supports a maximum of 4096 entries in this table; further attempts will be rejected and a retry is necessary. The S9500's user authentication settings contain different information depending on the kind of mechanism being used. When the built-in user database i
101. o pass through the firewall.
- VPN: A virtual private network (VPN) allows remote offices or employees access to your internal business LAN through means of encryption, allowing the use of the public Internet to look virtually like a private, secure network. The Netopia S9500's VPN conforms to the Internet Protocol Security (IPSec) standard, ensuring that it is interoperable with other IPSec devices.
- IKE key management: The Netopia S9500 Security Appliance uses the IKE key management protocol. The IPSec and IKE protocol suites together provide everything you need for secure communications (authentication, integrity and confidentiality) and make key exchange practical even in larger networks.
- Security: The Netopia 9500 Security Appliance with VPN supports DES and Triple DES encryption and MD5 and SHA-1 authentication, thus providing you with the highest level of security.
- Monitoring: The Netopia 9500 Security Appliance provides a comprehensive monitoring tool to identify network traffic inefficiencies and to monitor traffic flow in real time. The prioritization management utility allows not only the ranking of processes based on the type of function being performed by the user, but also the limiting of users to a certain percentage of the global bandwidth available.
- Event reporting: The Netopia 9500 Security Appliance performs real-time event logging and alerting with unmatched reporting capabilities. All graphs of the usage data c
102. ocess for the FTP Server. Click New Address. The Address Configuration page appears. Enter the following information:
Address Name: FTP Server (a descriptive name that must be unique from other address book entries)
IP Address: 192.168.1.5
NetMask: 255.255.255.255
Comment: e.g. FTP Server
Location: Trusted
10. Click OK and the Address Book page reappears. It now shows the 5 defined Trusted ports.
11. Repeat the process for the remote site. Click New Address. The Address Configuration page appears. Enter the following information:
Address Name: Remote Site (a descriptive name that must be unique from other address book entries)
IP Address: 209.45.8.201
NetMask: 255.255.255.255
Comment: e.g. Remote Site
Location: Untrusted
12. Click OK and the Untrusted Address Book page appears. It now shows the 1 defined Untrusted port.
Set Up the Outgoing Policy
Next you must set up a policy to permit outside access to the Web site. In this example you need to define policies to:
- Permit Internet access from WS 1 and WS 2
- Permit mail from and to the Internet
1. In the Web Administration Tools menu, click the Network Policy button. The Access Policies page appears.
2. Remove the policy permitting any inside traffic to any outside address that you created in the initial configuration. In th
103. olicy in the lower left-hand corner of the screen. The Policy Configuration page appears.
3. Define a policy for encryption. Enter the following information:
Source Address: LA_LAN (available in the pop-up window)
Destination Address: CHI_LAN (available in the pop-up window)
Service: ANY (available in the pop-up window)
Action: Encrypt (available in the pop-up window)
VPN Tunnel: LA CHI (available in the pop-up window)
Click OK.
Note: A policy can be more selective by selecting individual services.
4. Define a policy for Internet Web access. Enter the following information:
Source Address: Inside Any (available in the pop-up window)
Destination Address: Outside Any (available in the pop-up window)
Service: HTTP (available in the pop-up window)
Action: Permit (available in the pop-up window)
VPN Tunnel: LA CHI (available in the pop-up window)
Click OK.
Configure the Second Site
Now configure the Chicago site. Gather all the information needed to configure NAT. Determine what address range will be used for the Untrusted and Trusted addresses. This example uses the following IP addresses:
- Internet Router IP: 201.186.1.254
- Internet Router subnet mask: 255.255.255.0
- 9500 Untrusted IP: 201.186.1.251
- 9500 Untrusted subnet mask: 255.255.255.0
- S9500 Trusted IP: 172.17.1.251
- 9500
104. on the Trusted side. If the internal network consists of only one subnet, then the default gateway of all computers must be set up to point to the Trusted NAT Inside IP address. If the internal network consists of multiple subnets, then the default gateway of the internal router must be set up to point to the Trusted NAT Inside IP address.
Trusted Inside Netmask: The subnet mask of the inside IP addresses.
Trusted Default Gateway IP: The IP address of the default gateway for the Trusted interface, which is generally the IP address of the router. A Default Gateway IP of 0.0.0.0 indicates that the S9500 can transfer packets to only one subnet.
Trusted Traffic Bandwidth: The actual line speed in kilobits per second (kbps).
Untrusted Interface Physical Address: The unique address of the Ethernet network interface for the Untrusted port. The MAC value is reported for information purposes. The current status of the interface is also reported. This field is not modifiable.
Untrusted Outside IP: A valid IP address that will be used by Untrusted hosts to refer to the Trusted port interface.
Untrusted Outside Netmask: The subnet mask of the outside IP address.
Untrusted Default Gateway IP: The IP address of the default gateway for the Untrusted interface, which is generally the IP address of the internal router.
Untrusted Traffic: The actual line speed i
105. onnector port labelled Untrusted for your Internet connection.
Console port: A DB-25 serial port connector for local configuration and administration.
Trusted port: An RJ-45 connector port labelled Trusted for your LAN connection.
DMZ port: An RJ-45 connector port labelled DMZ for other connections.
Netopia S9500 Security Appliance Status Lights
The figure below represents the Netopia 9500 status light (LED) panel.
[Figure: Netopia S9500 Security Appliance front panel, with Untrusted, Trusted, DMZ and Utilization LEDs]
The following table summarizes the meaning of the various LED states and colors.
Power is solid green: Power is on.
Untrusted Link is solid green: Untrusted port is connected to an active device.
Untrusted Link is blinking red: Untrusted network has experienced a collision.
Untrusted Traffic is blinking yellow: Activity on Untrusted port.
DMZ Link is solid green: DMZ port is connected to an active device.
DMZ Link is blinking red: DMZ network has experienced a collision.
DMZ Traffic is blinking yellow: Activity on DMZ port.
Trusted Link is solid green: Trusted port is connected to an active device.
Trusted Link is blinking red: Trusted network has experienced a collision.
Trusted Traffic is blin
106. or a configuration from a specified location. It also provides a mechanism to retrieve a configuration file from one location and save it to another location.
- saved: Indicates the configuration is retrieved from the flash memory.
- tftp: Allows retrieval of a specific configuration file from a TFTP server connected to the 9500's Trusted interface.
- to: Allows saving the retrieved configuration file either to the flash memory or to a TFTP server.
- size: Shows the size of the configuration file.
Syntax:
get config saved to tftp <a.b.c.d> <string>
get config tftp <a.b.c.d> <string> to saved | tftp <a.b.c.d> <string>
get config to saved | tftp <a.b.c.d> <string>
get config size saved | tftp <a.b.c.d> <string>
Example: To show the running configuration: ns> get config. To show the configuration that has been saved in the flash memory: ns> get config saved. To show a configuration file named myconfig from a TFTP server with IP address 154.30.9.13: ns> get config tftp 154.30.9.13 myconfig. To retrieve a configuration file named myconfig from a TFTP server with IP address 154.30.9.13 and save it to the flash memory: ns> get config tftp 154.30.9.13 myconfig to saved. To retrieve a configuration file named November and save it as a file named December at a TFTP server with IP address 154.30.9.1
107. ords from an internal user database. The Users page has the Define Users tab.
Monitor
The Monitor tools are Traffic, Counters, Alarm and Log.
Traffic: Traffic allows you to view traffic information for each encrypt policy and bandwidth usage for each interface. The Traffic page has these tabs: Policy; Interface.
Counters: Counters allows you to view graphs of bandwidth usage for each policy, if you enabled counting in the policy. The graphs can be displayed by the last 60 seconds, minutes, hours, days or months.
Alarm: Alarm allows you to view information for each policy for which you set alarm thresholds.
Log: Log allows you to view log details for each policy for which you enabled logging, and to view system events. The Log page has these tabs: Traffic Log; Event Log.
Central Display
The Central Display is the area of the screen where the tools and utilities list information and provide options for you to configure. These displays generally link to their related screens through action buttons in the lower left-hand corner of the screen.
Help
At any time you can click the circled question mark in the upper right-hand corner of the screen to access on-line help.
Configuring the S9500
To configure the S9500, you can use these utilities:
- Address Book Setup (page 3-14)
- Service Book Setup (page 3-16)
- Schedule Book Setup (page 3-17)
- Policy Configuration (page 3-18)
- System Configuration pag
108. ot able to access the Internet, double-check that:
- The Link lights on the S9500, hosts, hubs and router are lit.
- The host IP and subnet mask are configured correctly for your configuration.
- The host gateway is defined in the host and points to the correct destination, i.e. the router if in Transparent mode, or the Trusted interface if in Network Address Translation mode.
- The host has a valid DNS entry.
- DNS service is available through the firewall.
Link LED is off
The link LED indicates the connection status between the S9500 and the network hub. If the link LED is off, there is a problem with the network connection. Verify the Ethernet cable is properly connected and the network hub is operational. Try plugging the Ethernet cable into a different location on the hub or into a different hub. If the link LED still does not light, there may be a problem with the Ethernet adapter. Contact your Netopia Customer Service representative.
Cannot ping the S9500
If you cannot ping the S9500 from the Trusted side, your network interface is not configured properly. See your computer documentation. If you cannot ping the S9500 from the Untrusted side, you may not have an Untrusted configuration enabled. The S9500 will not respond to ping requests unless an Untrusted configuration is enabled.
Cannot ping unsecure hosts from secure hosts or vice versa
Each router adjacent to the firewall must contain a static route sp
109. rkstations to be in the same IP range and redefine all workstations to have the same default gateway as the S9500's Trusted IP. For more information, see the discussion of NAT in Network Address Translation mode on page 3-24.
Set Up Addresses
The next step of this example is to define the workstations and servers that need to pass through the firewall.
1. Log on to the 9500 Web management page by entering the new Trusted interface IP address (http://172.17.1.251) into the Web browser.
2. In the Web Administration Tools menu, click the Lists Address button. The Address Book page with Trusted and Untrusted tabs appears. Trusted addresses are individual IP addresses or subnets located behind the port labelled Trusted; these entries appear in green on your screen. Untrusted addresses are individual IP addresses or subnets located behind the port labelled Untrusted; these entries appear in red on your screen.
3. Click New Address in the lower left-hand corner of the screen. The Address Configuration page appears.
4. Enter the following information:
Address Name: CHI_LAN (a descriptive name that must be unique from other address book entries)
IP Address: 172.17.1.0
NetMask: 255.255.255.0
Comment: e.g. Chicago office network
Location: Trusted
Click OK to save the entry.
5. Repeat the procedure to add the Los Angeles office network address
110. rnet and allows outside access to the DMZ hosts only. This configuration would be required if you were adding an Internet connection and security solution. The goals of this example are to:
- Permit outgoing Internet access for Workstation WS 1 and WS 2
- Permit the DMZ mail server to be accessed from the Internet by assigning it a routable IP address
- Use WS 1 as the administration workstation
This example assumes:
- The S9500 has been installed into the network
- The S9500 was configured in Transparent mode
Your network should resemble this diagram:
[Figure: Workstation 1 (172.16.10.1), Workstation 2 (172.16.10.4), Router (192.168.1.2), Netopia S9500 Security Appliance, E-mail Server (192.168.2.2)]
To begin this example, first gather all the information you will need to configure Network Address Translation (NAT). Determine what address range will be used for the Untrusted and Trusted addresses. This example uses the following information:
- Internet Router IP: 192.168.1.2 (assigned by the ISP; connected to the Untrusted port)
- Internet Router subnet mask: 255.255.255.0 (assigned by the ISP)
- 9500 Untrusted IP: 192.168.1.1 (must be on the same subnet as the Internet router)
- 9500 Untrusted subnet mask: 255.255.255.0 (must be on the same subnet as the Internet router)
- 9500 Trusted IP: 172.16.10.3 (all hosts must be on the same subnet)
- 9500 Trusted subnet mask: 255.255.255.0
111. ry buffer up to 16 lines forward and backward.
- Typing a question mark at any time during the command provides the next available keywords or input and a brief description of their usage.
- A parameter inside is an option and a parameter inside is required.
- <a.b.c.d> is an IP address.
- <A.B.C.D> is a subnet mask.
- The console times out in 10 minutes if no keyword activity is detected.
Commands
The CLI has four basic commands: Set, Unset, Get and Miscellaneous.
Set and Unset Commands
Set commands are used to define system parameters and are saved in non-volatile memory. All set commands have Unset counterparts that are used to remove the configured parameters or restore the default parameters.
address
Syntax:
set address trust | untrust | dmz <string> <a.b.c.d> <A.B.C.D> <string>
unset address trust | untrust | dmz <string>
Description: set address is used to define an address book entry. The first string is the name of the entry. The second string is the comment, which is optional. There are 4 system-defined address book entries:
- Inside Any: any hosts connected to the Trusted interface
- Outside Any: any hosts connected to the Untrusted interface
- DMZ Any: any hosts connected to the DMZ interface
- Dial-Up VPN: any dial-up hosts to the Untrusted interface
Example: To define an address book entry for a web server nam
112. s.
2. Enter the new information in the fields and click OK to save the changes.
Remove an existing route table entry
1. From the Static Route Table Configuration page, in the Configure column, click Remove for the entry that you want to delete.
2. A System Message window will ask for user confirmation to proceed with the deletion. Click OK.
Administrative Configuration
You can restrict user access to the administration of the S9500 with these options:
- Admin Login Name and Password
- Administration from One or Multiple Addresses
- Administration through the Untrusted Port
- E-Mail Alert Notification
From the Web browser in the Web Administration Tools, click the System Admin button. The Administration page appears with the Admin and Sys Log tabs. Select the Admin tab.
Modify the Admin Login Name and Password
1. In the Admin Administration page, change the login name by entering a new login name in the Admin Login Name field. You can then use the new user name with the old password. You can use only one user name per S9500 device.
2. Change the password by entering the current password in the Old Password field and then entering the new password in the New Password and Confirm New Password fields.
3. Click Apply to have your changes take effect.
Restrict Administration to One Address
1. In the Admin Administration page, enter the specific IP address in the Admin Client IP field and its subnet mask in th
113. s. Autokey IKE will allow new keys to be generated after a set amount of time has passed or a certain threshold of traffic has been exchanged.
1. Click New VPN Entry in the lower left-hand corner of the screen. The IKE VPN Configuration page appears.
2. Enter the following information:
VPN Name: The name to identify this VPN tunnel definition. Choose a descriptive name to help you identify the VPN tunnel. The name must be unique and is limited to 20 characters.
Gateway IP: The IP address of the remote LAN S9500's Untrusted interface or other IPSec device. Check the manufacturer's documentation for the IP address.
Preshared Key: The preshared key. The key may be up to 128 bytes long.
ESP Encryption Method: The algorithm to use for encryption: NULL (no encryption), 56-bit DES-CBC, 3DES-CBC, or 40-bit DES-CBC.
ESP Authentication Method: The algorithm to use for authentication: NULL, MD5, or SHA-1.
Key Life Time: The definition of how and at what threshold to rekey. New keys will be generated whenever the lifetime of the old key is exceeded. Select time (seconds) or size (bytes) to rekey on and define the threshold. Selection of small values could lead to frequent rekeying, which could affect performance. The default is 3600 seconds (one hour).
3. Click OK to save.
Create a Manual Key VPN
Manual Key VPNs only
114. s appear in green on your screen. Untrusted addresses are individual IP addresses or subnets located behind the port labelled Untrusted; these entries appear in red on your screen. Click New Address in the lower left-hand corner of the screen. The Address Configuration page appears.
4. Enter the following information:
Address Name: WS 1 (a descriptive name that must be unique from other address book entries)
IP Address: 172.16.10.1
NetMask: 255.255.255.255
Comment: e.g. Administration workstation
Location: Trusted
5. Click OK and the Address Book page reappears. Note: If you made a mistake, click Edit.
6. Repeat the process for WS 2. Click New Address. The Address Configuration page appears. Enter the following information:
Address Name: WS 2 (a descriptive name that must be unique from other address book entries)
IP Address: 172.16.10.4
NetMask: 255.255.255.255
Comment: e.g. WS 2
Location: Trusted
7. Click OK and the Address Book page reappears.
8. Repeat the process for the Mail Server. Click New Address. The Address Configuration page appears. Enter the following information:
Address Name: Mail Server (a descriptive name that must be unique from other address book entries)
IP Address: 192.168.2.2
9. Click OK
Set Up the Outgoi
115. s from that host could pass through the device without authentication, since the S9500 records the IP address only.
- As most Web browsers cache the user name and password, the browser will authenticate the user again with the S9500 and reinitiate the timeout value.
URL Filtering Configuration
The S9500 can block access to different sites based upon their URLs. The 9500 has a direct link to NetPartners' WebSense URL blocking software. WebSense is ranked as one of the top Internet access management tools. Additional information about WebSense can be found at http://www.websense.com. WebSense needs to be installed on a separate NT workstation or server.
To set up URL filtering, go to the URL Filtering Configuration page. From the Web browser in the Web Administration Tools, click the System Configure button. The Configuration page appears with the General, Interface, Authen, URL Filtering and Route Table tabs. Select the URL Filtering tab.
To configure URL filtering:
1. Select the Enable URL Filtering via WebSense Server option to enable this feature and enter the following information:
- The IP address of the computer running the WebSense server. The WebSense server must be located on the Trusted side of the S9500 device.
- WebSense Server Port: The default port for WebSense is 15868. If you have changed the default port on the WebSense server, you need to change it on the 9500 also. Please see your WebSense
116. s used, the settings contain only the timeout value for the authenticated entry. With the Radius server authentication mechanism, the settings also contain the Radius server IP address and shared secret. The authentication table shows entries for those machines from which user authentication attempts originated. Each entry is numbered and is listed along with the machine's IP address and the amount of time left before the entry gets deleted.
Example: To show the user authentication settings: ns> get auth all. To show the authentication queue: ns> get auth queue. To show the authentication settings: ns> get auth settings. To show the authentication table: ns> get auth table.
See Also: clear auth, set/unset auth
get clock
Syntax: get clock
Description: Show the system clock adjustment. The display includes the current date in calendar format as well as the number of seconds since 1/1/1970 GMT. It also calculates the uptime since the last power-up.
Example: To show the system clock adjustment: ns> get clock
get config
Syntax:
get config saved to tftp <a.b.c.d> <string>
get config tftp <a.b.c.d> <string> to saved | tftp <a.b.c.d> <string>
get config to saved | tftp <a.b.c.d> <string>
get config size saved | tftp <a.b.c.d> <string>
Description: Show either the running configuration
117. sed; the DMZ port is not used.
- Example 4: Virtual Private Network (VPN) Tunnel, on page 4-64. Best for established Internet connections seeking to access the 9500 remotely.
Examples 2, 3 and 4 use the Network Address Translation mode, which is explained in Network Address Translation mode on page 3-24.
Note: When using NAT, the IP address set for the Trusted Interface Inside IP (Trusted Interface) will be used as the default gateway for all hosts that need Internet access. Therefore, unless a separate router/gateway system is set up inside your internal network, all hosts must be located on the same subnet as the Trusted network in order to gain Internet access. Also, the DNS (Domain Name Server) must be defined on each host and should be supplied by the ISP if not run locally. No DNS entry is required for the S9500.
Example 1: Transparent Mode
This configuration expands on the basics of the Transparent mode as described in the Getting Started Guide included in your Netopia folio. Transparent mode uses 2 ports, the Trusted and Untrusted ports; the DMZ port is not used. This configuration allows internal users to access the Internet and receive email, and allows remote sites to access the FTP Server. This configuration would be useful for a simple network requiring firewall protection.
The goals of this example are to:
- Permit outgoing Internet access for Workstation WS 1 and WS 2
- Permit the internal
118. ser and the Adobe Acrobat Reader, if you don't already have them.
Note: If you are installing multiple S9500 devices, you should install and configure them one at a time; otherwise you will run into IP address conflicts.
Cabling Requirements
The Ethernet cables provided in your Netopia equipment package are straight-through cables. You can use straight-through cables to connect the ports of the S9500 to certain types of equipment; however, some ports with some equipment require a crossover cable. Refer to the tables below for the correct cable for your connection.
Use a Straight-Through cable to connect this Port to this Equipment:
- Untrusted port: Hub
- Trusted port: Workstation
- Trusted port: Hub with the uplink switch enabled
- DMZ port: Workstation
- DMZ port: Hub with the uplink switch enabled
Use a Crossover cable to connect this Port to this Equipment:
- Untrusted port: Workstation
- Trusted port: Hub without an uplink switch
- DMZ port: Hub without an uplink switch
Netopia S9500 Security Appliance Ports
The figure below displays the ports of the Netopia S9500 Security Appliance.
[Figure: Netopia S9500 Security Appliance back panel, showing the Power, Untrusted, Console and Trusted ports]
The following table describes all the Netopia S9500 Security Appliance ports:
Power port: A mini-DIN8 power adapter cable connection.
Untrusted port: An RJ-45 c
119. server, enter that address in this field.
Firewall Settings
The S9500 is capable of detecting access based on the following features:
- Detect SYN Attack: SYN attacks occur when the connecting host continuously sends TCP SYN requests without the corresponding ACK response. The 9500 prevents SYN packets without ACK responses when this option is selected.
- Detect Tear Drop Attack: Tear Drop attacks occur when TCP packets overlap, rendering Windows 95 machines dead. The 9500 intercepts these illegal connection requests, shielding valuable corporate computing resources on the internal network, when this option is selected.
- Detect IP Spoofing Attack: Spoofing attacks occur when unauthorized agents attempt to bypass the firewall security by imitating valid client IP addresses. The 9500 invalidates these false IP address connections when this option is selected.
- Detect Ping of Death Attack: The TCP/IP specification requires a specific packet size for datagrams being transmitted. Many ping implementations allow the user to specify a larger packet size if desired, which can trigger a range of adverse system reactions including crashing, freezing and rebooting. The 9500 can be programmed to detect and reject such oversized and irregular packet sizes when this option is selected.
- Default Packet Deny: The 9500 denies all traffic not specifically allowed by a defined policy when this option is selected. Disabli
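The source-route filter and the ping-of-death check above both come down to inspecting the IPv4 header. The example below is added here (it is not Netopia code and does not describe how the S9500 implements either check): it walks the options field for loose/strict source-route options and flags fragments whose reassembled size would exceed the 65535-byte datagram limit, using hand-built packets that are constructed for this example.

```python
"""Added example (not Netopia code): flag the IPv4 packets that the
S9500's "Filter IP Source Route Option" and "Detect Ping of Death Attack"
settings are meant to drop. All packets below are constructed by hand."""
import struct

LSRR, SSRR = 131, 137      # IPv4 option types: loose / strict source routing
MAX_DATAGRAM = 65535       # largest datagram the IPv4 specification allows


def parse_ipv4(pkt: bytes) -> dict:
    """Return the header fields a filter needs; raise on a malformed header."""
    if len(pkt) < 20:
        raise ValueError("short IPv4 header")
    ver_ihl, _tos, total_len, _ident, flags_frag = struct.unpack("!BBHHH", pkt[:8])
    ihl = (ver_ihl & 0x0F) * 4
    if (ver_ihl >> 4) != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    return {
        "ihl": ihl,
        "total_len": total_len,
        "more_frags": bool(flags_frag & 0x2000),
        "frag_offset": (flags_frag & 0x1FFF) * 8,   # offset is in 8-byte units
        "options": pkt[20:ihl],
        "proto": pkt[9],
    }


def option_types(options: bytes) -> list:
    """Walk the options field, honouring single-byte EOL (0) and NOP (1)."""
    types, i = [], 0
    while i < len(options):
        t = options[i]
        if t == 0:                     # End of Option List
            break
        if t == 1:                     # No Operation, no length byte
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("option without a length byte")
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("bad option length")
        types.append(t)
        i += length
    return types


def has_source_route(pkt: bytes) -> bool:
    """True if the packet carries an LSRR or SSRR option (or an unparsable options field)."""
    hdr = parse_ipv4(pkt)
    try:
        return any(t in (LSRR, SSRR) for t in option_types(hdr["options"]))
    except ValueError:
        return True    # a malformed options field is treated as suspicious, not ignored


def oversized_fragment(pkt: bytes) -> bool:
    """Ping-of-death check: the reassembled datagram would exceed 65535 bytes."""
    hdr = parse_ipv4(pkt)
    payload_len = hdr["total_len"] - hdr["ihl"]
    return hdr["frag_offset"] + payload_len > MAX_DATAGRAM


def build_ipv4(payload_len: int, options: bytes = b"", frag_offset: int = 0,
               more: bool = False, proto: int = 1) -> bytes:
    """Constructed test packet; the checksum stays zero since nothing is sent."""
    options += b"\x00" * (-len(options) % 4)        # pad options to 32-bit words
    ihl = (20 + len(options)) // 4
    flags_frag = (0x2000 if more else 0) | (frag_offset // 8)
    head = struct.pack("!BBHHHBBH4s4s",
                       (4 << 4) | ihl, 0, 20 + len(options) + payload_len,
                       0x1234, flags_frag, 64, proto, 0,
                       bytes([192, 168, 1, 2]), bytes([172, 16, 10, 1]))
    return head + options + b"\x00" * payload_len


# Constructed samples: a plain echo request, one with an LSRR option carrying a
# single hop, and the final fragment of a datagram that would reassemble past 64 KiB.
PLAIN = build_ipv4(56)
LSRR_PKT = build_ipv4(56, options=bytes([LSRR, 7, 4]) + bytes([10, 0, 0, 1]))
BIG_FRAG = build_ipv4(1460, frag_offset=65528, more=False)
```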
120. servers for each VIP defined: ns> get vip
See Also: set/unset vip
get vpn
Syntax:
get vpn all | manual | auto
get vpn name <string>
Description: Show all VPN definitions. All VPN definitions will be shown according to the kind of key management they use. The auto (IKE) VPN entries are shown by name, gateway, encryption algorithm, authentication algorithm and key lifetime. The manual VPN entries are shown by name, local SPI, remote SPI, and encryption/authentication algorithm.
Example: To show all VPN definitions: ns> get vpn. To show a VPN definition named mary home: ns> get vpn mary home. To show all auto IKE VPN definitions: ns> get vpn auto. To show all manual IKE VPN definitions: ns> get vpn manual.
See Also: set/unset vpn
Clear Commands
clear alarm
Syntax: clear alarm all | event | traffic policy <id>
Description: Clear entries in the alarm table.
Example: To clear all entries in the alarm table: ns> clear alarm all. To clear event entries in the alarm table: ns> clear alarm event. To clear traffic alarms for all policies in the alarm table: ns> clear alarm traffic. To clear traffic alarms for the policy with id 4 in the alarm table: ns> clear alarm traffic policy 4.
See Also: get alarm
clear arp
Syntax: clear arp
Description: C
121. set alarm thresholds for that policy. See Define a policy on page 3-19 for more information. You can also configure the 9500 to alert you via e-mail whenever an alarm is triggered. For more information, see E-mail Alert Notification on page 3-30.
To view and save information on an alarm:
1. From the Web browser in the Web Administration Tools, click the Monitor Alarm button. The Alarm page with Traffic Alarm and Event Alarm tabs appears. Select either tab to view those alarms.
2. Click Recent Alarm Time to view information about specific alarms. The Alarm Details page appears.
3. Click Download to File in the lower left-hand corner of the screen to save the data for review and analysis. The data can be saved to your local C drive in .txt format. The file contents are tab-delimited.
4. Click Clear Alarms to erase all the data.
5. Click Next or Previous to move to the corresponding page.
Logs
Two types of logs are maintained: one for system events and one for traffic policies. To have the S9500 keep logs, you must enable logs for that policy. See Define a policy on page 3-19 for more information.
To view and save information on a log:
1. From the Web browser in the Web Administration Tools, click the Monitor Log button. The Log Table page with Traffic Log and Event Log tabs appears. Select either tab to view that log.
2. In the Action column, click View Log Entries for that policy's log
...set ike negotiate <a.b.c.d> type as esp

Syntax
set ike preshared <string> <a.b.c.d> <string>
unset ike preshared <number>

Description
set ike is used to define the preshared key for a VPN auto IKE definition.

Example
To define an entry in the IKE preshared key ring for the VPN auto definition autotest with gateway 172.66.50.1 as myautokey: ns> set ike preshared autotest 172.66.50.1 myautokey
To delete the preshared key with id 1 in the IKE key ring: ns> unset ike preshared 1

See Also
clear ike, get ike

interface

Syntax
set interface dmz|trust|untrust bandwidth <number>
set interface dmz|trust|untrust ip <a.b.c.d> <A.B.C.D>
set interface dmz|trust|untrust ping
set interface trust|untrust gateway <a.b.c.d>
set interface trust|untrust mng
unset interface dmz|trust|untrust bandwidth
unset interface dmz|trust|untrust ip
unset interface dmz|trust|untrust ping
unset interface trust|untrust gateway
unset interface trust|untrust mng

Description
set interface is used to define the network interface settings. unset interface is used to restore the default settings for the network interfaces. The bandwidth specified is the maximum amount of guaranteed bandwidth available for all policies. The Trusted and Untrusted interfaces use the gatewa...
...subnet-to-subnet mapped IP configuration is defined, the subnet mask is applied to both the mapped IP subnet and the original IP subnet.

To define a one-to-one mapped IP configuration for a machine with IP address 172.16.10.92 to a valid external IP address 205.34.192.1: ns> set mip 205.34.192.1 172.16.10.92
To define a subnet-to-subnet mapped IP configuration for a subnet with IP addresses starting from 209.125.15.1 to an original subnet with IP addresses starting from 10.1.1.1, using a netmask of 255.255.255.252: ns> set mip 209.125.15.1 10.1.1.1 255.255.255.252
To modify the mapped IP configuration created above to an original subnet address starting from 10.1.1.65, using a netmask of 255.255.255.248: ns> set mip 209.125.15.1 10.1.1.65 255.255.255.248

See Also
get mip

policy

Syntax
set policy default permit all
set policy incoming|outgoing|fromdmz|todmz <string> <string> <string> auth|permit|deny|encrypt count log alarm <second threshold> <minute threshold> schedule <name> traffic gow <kbps> priority <number> mbw <kbps>
unset policy <number>

Description
Define a policy which will control traffic in one of four ways: authenticate, permit, deny or encrypt. Traffic from four directions can be specified. There are three strings provided to the command. The first string is the name of...
...t the General tab.

System Information
In the General Configuration page you can see which mode your S9500 is operating in. The two possible modes are Transparent and Network Address Translation.
- Transparent mode does not require any changes to routers or hosts at the time of installation, and the 9500 is invisible.
- Network Address Translation mode will hide all Trusted IP addresses, with all IP addresses appearing as one IP address. In this mode the status of the DMZ port also is reported.
You can also see the software version running on your S9500 and its serial number.

Software Update
The S9500's firmware (software) can be upgraded by using your Web browser to upload the latest release to your S9500 device. The latest firmware can be downloaded from the Netopia Web site. Once the upgrade is downloaded and saved to your administration workstation, return to the General Configuration page.
1. Click the Browse button next to the Software Update field.
2. Find the location of the new firmware on your computer's storage area and select the new firmware.
3. Click the Save and Reset button in the lower right-hand corner of the General Configuration page.
4. The S9500 will reboot, and then you can reconnect to it through the Web browser.

DNS IP Address
This field's default value of 0.0.0.0 implies that the DNS address is defined in each host. If all DNS requests passing through the 9500 should go to a specified address of the DNS...
...the Interface tab. This page shows the physical bandwidth, configured bandwidth, guaranteed bandwidth and the total utilization bandwidth for the S9500's Trusted, Untrusted and DMZ interfaces.
2. Click Update Now to get the current information.

Counters
You can view counters and save the information after you include the counters in a policy. See "Define a policy" on page 3-19 for information on including counters in a policy.

To view and save information on counters:
1. From the Web browser, in the Web Administration Tools, click the Monitor Counters button. The Counter Table page appears.
2. In the Details column, click View Count Details for the counter you want to view. The Counter Details page appears.
3. Click any line in the graph to view information at that interval. The X axis represents time and the Y axis represents the number of bytes. The X axis will be in seconds, minutes, hours, days or months, depending on which tab was selected. The color of the bar will normally appear in blue, but if an alarm threshold was set and exceeded, then the bar will be in red.
4. Click Update Now to refresh the screen based on the most recent data available.
5. Click Download to File in the lower left-hand corner of the screen to save the data for review and analysis. The data can be saved to your local C drive in a .txt format. The file contents are tab-delimited.

Alarms
To set alarms for a policy, you must enable counters and...
...the following advantages:
- Security. In a Network Address Translation (NAT) environment, host computers use non-routable IP addresses inside the firewall while maintaining full Internet connection and functionality. This feature gives network administrators flexibility to grow their networks without being constrained by the scarcity of legal IP addresses. In addition, NAT also provides better network security by hiding internal network topology and host information from the outside world. However, in order to maintain some Internet services (e.g. e-mail, POP3, ftp), a server with a legal IP address must be present to service the requests. Virtual IP allows you to map routable IP addresses to internal servers, therefore providing transparent connections for a NAT network to the Internet.
- Scalability. As Internet service demand increases, companies need to improve servers' performance in order to maintain the quality of their services. While upgrading the server to a larger, faster machine will generally relieve the short-term pressures, the disruption to services and the prohibitive cost of upgrading quickly make this solution undesirable. Virtual IP allows growth without disruption.
- High Availability. With Virtual IP, servers can be assigned to the same IP address and mirrored to provide high availability for network services. Individual servers can also be taken off line for maintenance without disruption.
- Reductio...
...the source address. The second string is the name of the destination address. The last string is the name of the service.

Default
No policy defined.

Example
To define a policy: ns> set policy outgoing Inside Any Outside Any HTTP permit log count alarm 10 100
To delete the policy with id 4: ns> unset policy 4

See Also
get policy

route

Syntax
set route <a.b.c.d> <A.B.C.D> interface trust|untrust|dmz gateway <ip addr> metric <number>
unset route <a.b.c.d> <A.B.C.D> gateway <a.b.c.d>

Description
Define a static route entry. The gateway (or next hop) IP address is optional; if absent, the interface default gateway IP address will be used. The metric is optional; if absent, its value is 1. The default interface for all packets with a network not specified is the S9500's Untrusted interface.

Default
One entry for each network interface defined.

Example
To define a static route for an internal subnet with IP address 172.16.15.0 and subnet mask 255.255.255.0 using an internal router with IP address 172.16.10.4: ns> set route 172.16.15.0 255.255.255.0 interface trust gateway 172.16.10.4 1

See Also
get route

scheduler

Syntax
set scheduler <string> once <start>
set scheduler <string> recurrent monday|tuesday|wednesday|thursday...
...to the Untrusted side. In the Address Configuration page, enter the following information:

Field: Information
Name: LA LAN Address (a descriptive name that must be unique from other address book entries)
IP Address: 172.16.1.0
NetMask: 255.255.255.0
Comment: e.g. Los Angeles office network
Location: Untrusted

Click OK to save the entry.

Set Up VPN
Next, configure the S9500 for VPN.
1. In the Web Administration Tools menu, click the Network VPN button. The VPN Lists page appears. Select the Manual Key tab.
2. Click New VPN Entry in the lower left-hand corner of the screen. The Manual Key VPN Configuration page appears.
3. Enter the following information:

Field: Information
VPN Name: CHI LA
Gateway IP: 205.186.1.251 (this is the Untrusted IP address of the S9500 in Los Angeles)
Security Index Local: 17100
Security Index Remote: 16100
ESP DES Algorithm: 3DES CBC
HEX Key: c2c4c70101010101 f8899b6e6d7c8f9e a65568b094a4b6c7
Generated Key by Password: don't use
ESP Authentication Algorithm: MD5
HEX Key: c8cbcd0101010101 and a4b6439e8c9faeb12
Generated Key by Password: don't use

Click OK to save the entry.

Set Up Policy
To support VPN, the S9500 also must support encryption. So now you must set up an encryption policy and then a policy to permit Web access.
1. In the Web Admin...
...utton. The Access Policies page appears. Select the Incoming, Outgoing, From DMZ or To DMZ policy tab. In the Configure column, click Remove for the policy that you want to delete. A System Message window will ask for user confirmation to proceed with the deletion. Click OK.

Arrange policies
All attempted access is checked against the policies beginning with the first policy listed on the Access Policies page and moving through the list. Action is taken on the first matching policy. Policies should be ordered from specific to general.
1. From the Web browser, in the Web Administration Tools menu, click the Network Policy button. The Access Policies page appears.
2. Select the Incoming, Outgoing, From DMZ or To DMZ policy tab.
3. Select a policy and click the up or down arrows to move the policy up or down.
Note: Scheduled policies will be green when they are not being enforced at that moment.

System Configuration
You can view information on your S9500 and configure some of its system settings in the General Configuration page. The information you can view includes the Operation Mode and the Software Version. The settings you can configure include the DNS IP address, firewall settings and clock synchronization. From the Web browser, in the Web Administration Tools, click the System Configure button. The Configuration page appears with the General, Interface, Authen, URL Filtering and Route Table tabs. Selec...
...value can be from 0 to 65,000 minutes. A value of 0 would determine that the S9500 never ends an idle session. The default is 10 and is highly recommended, since shorter time intervals may be bothersome to normal user usage and longer intervals may leave the network open to unwanted access. User Idle Timeout is the same no matter which database is used.

Authentication Method Settings
You can select the Built-in User Database or Radius Server to provide information for user authentication.

Built-in User Database
The 9500 built-in user database can be used if an external Radius Server is not available. The user database can support up to 1,500 entries, which are entered in the User Lists page. See "User Configuration" on page 3-40 for more information.

Radius Server
If authentication will be confirmed from a Radius server, the Radius server must be located on the Trusted network and you must enter the following information:

Field: Information
Server IP: The IP address of the Radius server.
Shared Secret: The shared secret must be the same as defined in the Radius setup. See your Radius documentation for details.

Authentication Notes
- If a policy is for a subnet of IP addresses (for example, inside any), each IP address will have to authenticate. If one of the hosts supports multiple user accounts (for example, a Unix host running Telnet), then once one user authenticates, all user...
Source Address: ...y (available in the pop-up window)
Destination Address: Mail Server (available in the pop-up window)
Service: Mail (available in the pop-up window)
Action: Permit (available in the pop-up window)
Leave the rest of the options at their default values. Click OK.
4. Repeat the process to allow the Remote Site access to the FTP Server. Enter the following information:

Field: Information
Source Address: Remote Site (available in the pop-up window)
Destination Address: FTP Server (available in the pop-up window)
Service: FTP (available in the pop-up window)
Action: Permit (available in the pop-up window)
Leave the rest of the options at their default values. Click OK. The Access Policies page appears. The Incoming tab now displays the two new policies.

Test the Configuration
To confirm that the incoming policies work, from the remote site try to access the FTP server. The remote site should be able to connect. Then, from WS 1, use an e-mail service to send e-mail to your site.

You have completed this example of expanding the basic configuration of the Transparent mode. For more information on configuration, see the Netopia S9500 Security Appliance Reference Guide included on your Netopia CD. You have completed Example 1.

Example 2: 2-port Network Address Translation Mode
This configuration is best for new Internet connections where the ISP provi...
...y: ns> save
To save the running configuration as a file named myconfig to a TFTP server with IP address 184.23.11.9: ns> save tftp 184.23.11.9 myconfig

See Also
get config

exit

Syntax
exit

Description
Exit the console; re-login is required after that.

Example
ns> exit

ping

Syntax
ping <a.b.c.d>

Description
Ping a remote host.

Example
To ping a host with IP address 209.192.11.2: ns> ping 209.192.11.2

reset

Syntax
reset

Description
Reset the system.

Example
ns> reset

Appendix C: Technical Specifications and Safety Information

Description
Dimensions: 24.0 cm (w) x 20.0 cm (d) x 5.3 cm (h); 9.4" (w) x 7.9" (d) x 2.1" (h)
Communications interfaces: The Netopia 9500 Security Appliance has three RJ-45 jacks for equipment connections and a DB-25 Console port.
Power requirements:
- 12 VDC input, 1 Amp
Environment:
Operating temperature: 10 to 40 °C
Storage temperature: 0 to 50 °C
Relative storage humidity: 5 to 90%, non-condensing
Software and protocols:
Standards Compliance: IEEE 802.3 Ethernet
IPsec Compliance:
- RFC 1825, Security Architecture for the Internet Protocol
- RFC 1826, IP Authentication Header
- RFC 1827, IP Encapsulating Security Payload
- RFC 1828, IP Authentication using Keyed MD5
- RFC 1829, The ESP DES-CB...
...y field to forward packets that don't belong to the network where the S9500 resides. Web management of the 9500 is available by default to the Trusted interface. Remote Web management is accessible to the Untrusted interface by using the mng parameter. However, Web management is not available through the DMZ interface. The ping ability to the S9500 Untrusted interface is disabled by default. Both the DMZ and the Trusted interfaces are pingable. The ping parameter enables the ping ability of an interface.

Default
Web management through the Trusted interface. Ping ability to both the Trusted and DMZ interfaces. IP addresses, subnet masks and gateways are 0.0.0.0.

Example
To define the bandwidth for the DMZ interface to 1000 kilobits per second: ns> set interface dmz bandwidth 1000
To enable Web management on the Untrusted network interface: ns> set interface untrust mng
To allow the Untrusted interface to be pingable: ns> set interface untrust ping

See Also
get interface, unset interface

mip

Syntax
set mip <a.b.c.d> host <a.b.c.d> netmask <A.B.C.D> modify <a.b.c.d> <A.B.C.D>
unset mip <a.b.c.d> netmask <A.B.C.D>

Description
set mip is used to define and modify mapped IP configuration. unset mip is used to delete mapped IP configuration. Mapping is allowed for a one-to-one or subnet-to-subnet relationship. When a...
...you to determine what traffic passes through the firewall based on IP session details. Policies can also protect the Trusted network from outsider attacks, such as the scanning of Trusted hosts, and monitor traffic attempting to cross your firewall. For example, you might want to restrict a particular subnet's access to the Internet. You can use policies to control packet flows based on criteria such as the IP source or destination address range, TCP ports, UDP responses, Internet Control Message Protocol (ICMP) responses and TCP responses. Further, policies can define connections that must be encrypted, thus forming a Virtual Private Network (VPN). You can define policies that specify what services should be permitted, denied, encrypted, authenticated, logged, counted or trigger an alarm. With policies enabled, you also can view counters, logs and alarms.

In the Web browser, the following icons are used to identify policies: Permit, Log, Deny, Count, Encrypt disabled, Alarm, Encrypt enabled, Traffic, Authenticate, Schedule.

Define a policy
1. From the Web browser, in the Web Administration Tools menu, click the Network Policy button. The Access Policies page with the Incoming, Outgoing, To DMZ and From DMZ tabs appears.
2. Click the tab for the port you want to create a policy for. Click New Policy in the lower left-hand corner. The Policy Configuration page appears. Enter the i...
...ystem information.

Example
To show the general system information: ns> get system

See Also
set/unset admin, set/unset interface

get tech support

Syntax
get tech support

Description
Show system information for technical support purposes.

Example
ns> tech Support

get url

Syntax
get url

Description
Show the URL blocking configuration. The S9500 monitors the status of the WebSense server once a minute. If the WebSense server doesn't respond, the situation is reported in the Web administration interface and all URL requests are blocked. All sessions waiting to be acknowledged by the WebSense server are listed in the order the requests are received. The waiting queue can have a maximum of 256 requests.

Example
ns> get url

See Also
set/unset url

get user

Syntax
get user all|id <number>

Description
Show user database info. Each user entry shows the ID assigned, the user name and whether the account is enabled (1) or disabled (0).

Example
To show all the entries in the user database: ns> get user all
To show a particular user entry with id 1: ns> get user id 1

See Also
set/unset user

get vip

Syntax
get vip all

Description
Show virtual IP info. The algorithm for load balancing is shown along with the status of the...