3COM 3CR858-91 User Manual


Firewall 51

Special Applications — Special Applications allows you to specify ports to be open for specific applications to work properly with the Network Address Translation (NAT) feature of the Router. See “Special Applications” on page 54.

Virtual Servers — This function enables you to route external (Internet) calls for services such as a web server, FTP server, or other applications through your Router to your internal network. See “Virtual Servers” on page 56.

Client IP Filters — You can configure the Router to restrict access to the Internet, e-mail or other network services at specific days and times. Restriction can be set for a single computer, a range of computers, or multiple computers. See “Client IP Filters” on page 57.

MAC Address Filtering — This is a powerful security feature that allows you to specify which computers are allowed on the network. See “MAC Address Filtering” on page 62.

DMZ (De-Militarized Zone) — If you have a client PC that cannot run an Internet application properly from behind the firewall, you can use DMZ to open the client up to unrestricted two-way Internet access. See “DMZ” on page 63.

CAUTION: DMZ reduces network security, and 3Com recommends you only use it on a temporary basis.

SPI

Stateful Packet Inspection (SPI) inspects, and if required blocks, packets at the application layer. SPI also maintains TCP and UDP session information, including timeouts and the number of active sessions, and provides the ability to detect and prevent certain types of network attacks such as DoS attacks.

Denial of Service (DoS) attacks are aimed at devices and networks with a connection to the Internet. The goal is not to steal information, but to disable a device or network so users no longer have access to network resources.

52 CHAPTER 5: ROUTER CONFIGURATION

To configure SPI information on your Router:

1 Select Firewall from the main menu, then select SPI from the sub-menu to display the SPI screen (Figure 32 and Figure 33):

Figure 32 SPI Screen - upper section

Figure 33 SPI Screen - lower section

Intrusion Detection Feature

The Intrusion Detection feature limits access for incoming traffic at the WAN ports.

2 Check the SPI and Anti-DoS firewall protection check box to enable SPI. When this feature is enabled, all incoming packets will be blocked except for those types that you allow in the Stateful Packet Inspection section.


3 If required, check the RIP defect check box. This feature stops unacknowledged packets from accumulating in the input queue.

Stateful Packet Inspection

4 The Stateful Packet Inspection section displays a list of traffic types. If you leave the check box for a traffic type blank, this traffic type is blocked. If you check the check box, the Router allows this type of incoming traffic, but only if the connection was initiated from the local LAN.

For example, if you check only the FTP Service check box, all incoming traffic is blocked except for FTP connections initiated from the local LAN.

Alert by E-mail

5 In the Your E-mail Address text box, enter the e-mail address to which you want alerts sent in the event of a hacker attack.

6 Enter your SMTP Server Address.

7 Enter your SMTP Server User Name.

8 Enter your SMTP Server Password.

Connection Policy

9 In the Fragmentation half-open wait text box, enter the length of time, in seconds, that you want an unassembled packet to remain active before the Router drops it. The default is 10 seconds.

10 In the TCP SYN wait text box, enter the length of time, in seconds, that you want the Router to wait for a TCP session to synchronize before it drops the session. The default is 30 seconds.

11 In the TCP FIN wait text box, enter the length of time, in seconds, that you want a TCP session to remain active after the Router detects a FIN packet. The default is 5 seconds.

12 In the TCP connection idle timeout text box, enter the length of time, in seconds, that you want a TCP session to remain active if there is no activity. The default is 3600 seconds (1 hour).

13 In the UDP session idle timeout text box, enter the length of time, in seconds, that you want a UDP session to remain active if there is no activity. The default is 30 seconds.

14 In the H.323 data channel idle timeout text box, enter the length of time, in seconds, that you want an H.323 session to remain active if there is no activity. The default is 180 seconds.


DoS Detect Criteria

15 In the Total incomplete TCP/UDP sessions HIGH text box, enter the number of unestablished sessions that will cause the software to start deleting half-open sessions. The default is 300.

16 In the Total incomplete TCP/UDP sessions LOW text box, enter the number of unestablished sessions that must be reached before the software stops deleting half-open sessions. The default is 250.

17 In the Incomplete TCP/UDP sessions (per min) HIGH text box, enter the maximum number of incomplete TCP/UDP sessions allowed per minute. The default is 250 sessions.

18 In the Incomplete TCP/UDP sessions (per min) LOW text box, enter the minimum number of incomplete TCP/UDP sessions allowed per minute. The default is 200 sessions.

19 In the Maximum incomplete TCP/UDP sessions number from the same host text box, enter the maximum number of incomplete sessions allowed from the same host. The default is 10 sessions.

20 In the Incomplete TCP/UDP sessions detect sensitive time period text box, enter the length of time that must elapse before an incomplete TCP/UDP session is detected as incomplete. The default is 300 msec.

21 In the Maximum half-open fragmentation packet number from the same host text box, enter the maximum number of half-open fragmentation packets allowed from the same host. The default is 30 packets.

22 In the Half-open fragmentation detect sensitive time period text box, enter the length of time that must elapse before a half-open fragmentation session is detected as half-open. The default is 10000 msec.

23 In the Flooding cracker block time text box, enter the length of time that must elapse between detection of a flood attack and blocking the attack. The default is 300 seconds.

24 Click Apply to save the settings.
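The following simulation shows how the Connection Policy timers (steps 9 to 13) and the DoS Detect Criteria watermarks (steps 15, 16 and 19) interact in a stateful session table. It is an added example, not 3Com firmware code: the table layout, the "oldest first" purge order and the per-host count being limited to TCP half-open entries are assumptions; the numeric defaults are the ones listed in the steps above.

```python
"""Simulation of the SPI connection-policy timers and DoS detect
watermarks.  Added example, not 3Com firmware: the session-table
layout and purge order are assumptions; the defaults are the manual's."""
from collections import OrderedDict

# Connection Policy defaults (seconds)
TCP_SYN_WAIT = 30
TCP_FIN_WAIT = 5
TCP_IDLE = 3600
UDP_IDLE = 30
# DoS Detect Criteria defaults
HALF_OPEN_HIGH = 300           # start purging half-open sessions here
HALF_OPEN_LOW = 250            # stop purging once the count is back here
PER_HOST_MAX_INCOMPLETE = 10   # incomplete sessions allowed per source host

STATE_TIMEOUT = {"SYN": TCP_SYN_WAIT, "FIN": TCP_FIN_WAIT,
                 "EST": TCP_IDLE, "UDP": UDP_IDLE}


class SessionTable:
    def __init__(self):
        # (proto, src, dst, dport) -> {"state", "last"}; insertion order
        # doubles as "oldest first" when purging (assumption)
        self.sessions = OrderedDict()
        self.dropped = 0

    def half_open(self):
        """Keys of TCP sessions that saw a SYN but no completing ACK."""
        return [k for k, s in self.sessions.items() if s["state"] == "SYN"]

    def _purge_half_open(self):
        """HIGH/LOW hysteresis: when the half-open count reaches HIGH,
        delete the oldest entries until only LOW remain."""
        half = self.half_open()
        if len(half) < HALF_OPEN_HIGH:
            return 0
        excess = len(half) - HALF_OPEN_LOW
        for key in half[:excess]:
            del self.sessions[key]
        return excess

    def expire(self, now):
        """Drop sessions whose state-specific timer has run out."""
        for key in list(self.sessions):
            s = self.sessions[key]
            if now - s["last"] > STATE_TIMEOUT[s["state"]]:
                del self.sessions[key]

    def packet(self, proto, src, dst, dport, flags, now):
        """Track one packet; return 'allow' or 'drop'."""
        self.expire(now)
        key = (proto, src, dst, dport)
        s = self.sessions.get(key)
        if proto == "udp":
            if s is None:
                s = self.sessions[key] = {"state": "UDP", "last": now}
            s["last"] = now
            return "allow"
        if s is None:
            if "SYN" not in flags:          # only a SYN may open a session
                self.dropped += 1
                return "drop"
            per_host = sum(1 for k, v in self.sessions.items()
                           if v["state"] == "SYN" and k[1] == src)
            if per_host >= PER_HOST_MAX_INCOMPLETE:
                self.dropped += 1
                return "drop"
            self.sessions[key] = {"state": "SYN", "last": now}
            self._purge_half_open()
            return "allow"
        s["last"] = now
        if "FIN" in flags:
            s["state"] = "FIN"              # FIN wait timer now applies
        elif "ACK" in flags and s["state"] == "SYN":
            s["state"] = "EST"              # handshake completed
        return "allow"


def syn_flood_demo():
    """Constructed: one host sends 12 SYNs to different ports at once."""
    t = SessionTable()
    results = [t.packet("tcp", "203.0.113.9", "192.0.2.1", 8000 + i, {"SYN"}, 0.0)
               for i in range(12)]
    return results.count("allow"), results.count("drop")


def watermark_demo():
    """Constructed: 300 distinct hosts each leave one SYN half-open."""
    t = SessionTable()
    for i in range(HALF_OPEN_HIGH):
        src = f"198.51.{i // 256}.{i % 256}"
        t.packet("tcp", src, "192.0.2.1", 443, {"SYN"}, i / 100)
    return len(t.half_open())


def syn_wait_demo():
    """Constructed: a SYN with no follow-up, then an ACK after the
    30 second SYN wait has elapsed."""
    t = SessionTable()
    t.packet("tcp", "10.0.0.5", "192.0.2.1", 80, {"SYN"}, 0.0)
    return t.packet("tcp", "10.0.0.5", "192.0.2.1", 80, {"ACK"}, 31.0)
```

The three demo functions show the three protections separately: the per-host limit refuses the 11th and 12th SYN from one source, the HIGH watermark trims the table back to LOW as soon as 300 half-open entries exist, and a late ACK finds no session because the SYN wait expired it.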

Special Applications

Special Applications let you choose specific ports, and for these ports to choose the specific applications that you want to work with the Network Address Translation (NAT) feature of the Router. You can either choose from a list of applications, or configure another application using information supplied by the application vendor.


To set up one of the listed Special Applications on your Router, do the following:

1 Select Firewall from the main menu, then select Special Applications from the sub-menu. The Special Applications screen displays (Figure 34).

Figure 34 Special Application Screen

2 Select an application from the Popular Applications drop-down list.

3 Select the row that you want to copy the settings to from the Copy To drop-down list, and click on Copy To. The settings will be transferred to the row you specified.

4 Click Apply to save the setting for that application.

If the application you want to configure is not listed, you will need to check with the application vendor to determine which ports need to be configured. You can then manually input this port information into the Router. To do this:

1 Specify the trigger port (the one used by the application when it is initialized) in the Trigger Port column, and specify whether the trigger is TCP or UDP in the Trigger Type column.

2 Specify the public ports used by the application in the Public Port column. These are the ports that will need to be opened up in the firewall for the application to work properly. Also specify whether these ports are TCP or UDP in the Public Type column.

3 If required, temporarily enable or disable an entry in the table by checking or unchecking the Enabled checkbox.


4 Click Apply to save the setting for this application.

Virtual Servers

This function will allow you to route external (Internet) calls for services such as a web server (port 80), FTP server (port 21), or other applications through your Router to your internal network. Since your internal computers are protected by a firewall, machines from the Internet cannot get to them because they cannot be 'seen'.

If you need to configure the Virtual Server function for a specific application, you will need to contact the application vendor to find out which port settings you need.

To manually enter Virtual Server settings, do the following:

1 Select Firewall from the main menu, then select Virtual Servers from the sub-menu. The Virtual Servers screen displays (Figure 35).

Figure 35 Virtual Server Screen

2 Click Add to configure a new Virtual Server entry, or click Edit in the Configure column to edit an existing entry. The Virtual Server - Add/Edit screen displays (Figure 36).

You can delete an existing entry by clicking on delete in the Configure column.


Figure 36 Virtual Server - Add/Edit Screen

3 Enter the IP address of the internal machine in the LAN IP Address text box.

4 Select a protocol type (TCP, UDP or both) from the Protocol Type drop-down list.

5 Enter the LAN Port which the traffic will be routed to in the LAN Port text box.

6 Enter the Public port that will be seen by clients on the Internet in the Public Port text box.

7 Check the Enable check box to activate this Virtual Server.

8 Click Apply to save this Virtual Server entry.
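The example below models the inbound decision the Router has to make once both the Special Applications table (trigger port, public ports) and the Virtual Servers table (public port to LAN IP and LAN port) are populated. It is added example code, not the router's own: the rule objects mirror the columns of the two screens, but the 60 second lifetime of a triggered opening and the rule that triggered ports open only back to the LAN host that fired the trigger are assumptions, and the application using TCP 6000 / UDP 7000-7009 is hypothetical.

```python
"""Inbound NAT decision combining Virtual Servers (static forwarding)
with Special Applications (port triggering).  Added example, not the
router's own code; trigger lifetime and per-host opening are assumed."""
from dataclasses import dataclass, field

TRIGGER_LIFETIME = 60.0   # seconds a triggered opening stays valid (assumed)


@dataclass
class VirtualServer:           # one row of the Virtual Server - Add/Edit screen
    lan_ip: str
    protocol: str              # "TCP", "UDP" or "both"
    lan_port: int
    public_port: int
    enabled: bool = True


@dataclass
class SpecialApplication:      # one row of the Special Applications table
    trigger_port: int
    trigger_type: str          # "TCP" or "UDP"
    public_ports: range        # public ports opened after the trigger fires
    public_type: str
    enabled: bool = True


@dataclass
class Nat:
    virtual_servers: list = field(default_factory=list)
    special_apps: list = field(default_factory=list)
    # (public_type, port) -> (lan host, expiry time) openings created by triggers
    triggered: dict = field(default_factory=dict)

    def outbound(self, lan_ip, proto, dport, now):
        """A LAN host initiating a connection on a trigger port opens the
        application's public ports, inbound, back to that host only."""
        for app in self.special_apps:
            if app.enabled and proto == app.trigger_type and dport == app.trigger_port:
                for port in app.public_ports:
                    self.triggered[(app.public_type, port)] = (lan_ip, now + TRIGGER_LIFETIME)

    def inbound(self, proto, public_port, now):
        """Return (lan_ip, lan_port) to forward to, or None to drop.
        Static Virtual Server rows win over triggered openings."""
        for vs in self.virtual_servers:
            if vs.enabled and vs.public_port == public_port and vs.protocol in (proto, "both"):
                return vs.lan_ip, vs.lan_port
        opening = self.triggered.get((proto, public_port))
        if opening is not None and opening[1] > now:
            return opening[0], public_port
        return None


def demo():
    """Constructed configuration: the manual's web (80) and FTP (21)
    examples as Virtual Servers, plus a hypothetical application whose
    outbound TCP 6000 trigger opens inbound UDP 7000-7009."""
    nat = Nat()
    nat.virtual_servers.append(VirtualServer("192.168.1.10", "TCP", 8080, 80))
    nat.virtual_servers.append(VirtualServer("192.168.1.11", "TCP", 21, 21))
    nat.special_apps.append(SpecialApplication(6000, "TCP", range(7000, 7010), "UDP"))
    results = {
        "web": nat.inbound("TCP", 80, 0.0),            # forwarded to 192.168.1.10:8080
        "ftp_udp": nat.inbound("UDP", 21, 0.0),        # rule is TCP only, so dropped
        "before_trigger": nat.inbound("UDP", 7005, 0.0),
    }
    nat.outbound("192.168.1.20", "TCP", 6000, 10.0)   # LAN host fires the trigger
    results["after_trigger"] = nat.inbound("UDP", 7005, 20.0)
    results["expired"] = nat.inbound("UDP", 7005, 10.0 + TRIGGER_LIFETIME + 1)
    return results
```

The contrast worth noticing is exposure: a Virtual Server row is a permanent hole for everyone on the Internet, whereas a Special Application opening exists only after an internal host asks for it and only for that host, which is why the manual steers applications that need temporary inbound ports towards the trigger table rather than a permanent forward.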

Client IP Filters

This sub-menu option displays three tabs along the top of the main screen: Access Control, URL Filter, and Schedule Rule. Each of these tabs displays a screen that enables you to configure a client IP filter function.

Access Control

Access Control allows you to define the types of traffic permitted or not permitted to and from the Internet.


To configure Access Control, do the following:

1 Select Firewall from the main menu, then select Client IP Filters from the sub-menu, and make sure the Access Control tab is selected. The Access Control screen displays (Figure 37).

Figure 37 Access Control Screen

2 At the Enable Filtering Function radio buttons, select Enable or Disable to enable or disable all Access Control rules.

3 Click Apply to save the settings.


To control access to specific Internet services:

1 Click on Add PC, or click Edit in the Configure column to edit an existing entry. The Access Control - Add PC screen displays (Figure 38).

Figure 38 Access Control - Add PC Screen

2 Enter a description for the filter you are defining in the Client PC Description field.

3 Enter the IP address or IP address range into the Client IP Address fields.

4 Select the services to be blocked. A list of popular services is given on this screen; to block a particular service, place a check in the appropriate Blocking checkbox.

If the service to be restricted is not listed on the screen, you can enter a custom range of ports at the bottom of the page, under User Defined Blocked Ports.

5 If you want the restriction to apply only at certain times, select the schedule rule to apply from the Schedule Rule drop-down list.

Schedule Rules are defined on the Schedule Rule screen (see “Schedule Rule” on page 60).

6 Click Apply to save the settings.
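To make the Add PC fields concrete, here is an evaluator for Access Control rules built from the same elements: a description, a client IP address or range, the popular services checked for blocking, the User Defined Blocked Ports range, and an optional Schedule Rule, with the Enable Filtering Function switch applied on top. This is added example code, not 3Com's implementation: the schedule representation (weekdays plus start and end hour), the service-to-port mapping and the rule in RULES are assumptions constructed for illustration.

```python
"""Evaluation of Access Control (Client IP Filter) rules.  Added example,
not 3Com code; the schedule representation and the service-to-port
mapping are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional
import ipaddress

# Assumed mapping of a few "popular services" to their well-known ports
SERVICES = {"WWW": ("TCP", 80), "FTP": ("TCP", 21),
            "E-mail sending": ("TCP", 25), "E-mail receiving": ("TCP", 110)}


@dataclass
class ScheduleRule:
    weekdays: set        # 0 = Monday ... 6 = Sunday
    start_hour: int      # inclusive
    end_hour: int        # exclusive

    def active(self, when):
        return when.weekday() in self.weekdays and self.start_hour <= when.hour < self.end_hour


@dataclass
class AccessRule:
    description: str
    first_ip: str
    last_ip: str                                   # equal to first_ip for a single PC
    blocked_services: set = field(default_factory=set)
    user_defined_ports: list = field(default_factory=list)   # (proto, low, high)
    schedule: Optional[ScheduleRule] = None        # None = restriction always applies

    def covers(self, client_ip):
        addr = ipaddress.ip_address(client_ip)
        return ipaddress.ip_address(self.first_ip) <= addr <= ipaddress.ip_address(self.last_ip)

    def blocks(self, client_ip, proto, port, when):
        if not self.covers(client_ip):
            return False
        if self.schedule is not None and not self.schedule.active(when):
            return False
        if any(SERVICES[name] == (proto, port) for name in self.blocked_services):
            return True
        return any(p == proto and low <= port <= high
                   for p, low, high in self.user_defined_ports)


def is_blocked(rules, filtering_enabled, client_ip, proto, port, when):
    """The Enable Filtering Function radio button switches every rule
    on or off; otherwise any matching rule blocks the traffic."""
    if not filtering_enabled:
        return False
    return any(rule.blocks(client_ip, proto, port, when) for rule in rules)


# Constructed rule: a range of PCs may not browse the web or use a
# hypothetical application's UDP ports during weekday office hours.
RULES = [AccessRule("Lab PCs", "192.168.1.100", "192.168.1.120",
                    blocked_services={"WWW"},
                    user_defined_ports=[("UDP", 27000, 27100)],
                    schedule=ScheduleRule({0, 1, 2, 3, 4}, 9, 17))]

MONDAY_10AM = datetime(2024, 1, 8, 10, 0)
SATURDAY_10AM = datetime(2024, 1, 6, 10, 0)
```

Two details are easy to get wrong when reasoning about such rules: a rule with no schedule applies all the time, and disabling the filtering function globally turns off every rule at once, so the rules remain in the table looking active while enforcing nothing.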

URL Filter

Select the URL Filter tab to specify the web sites or keywords that you want to filter on your network. The URL Filter screen displays (Figure 39).


Figure 39 URL Filter Screen

To configure URL Filtering, do the following:

1 Enter the URLs or keywords to be allowed or blocked in the URL/Keyword column.

2 Select either Denied or Allowed from the Mode drop-down list to deny or allow access to web sites containing these words.

For example, entering a keyword of “sex” would block access to any URL that contains the string “sex”. However, this would also filter the following URLs:

www.sussex.com

www.thisexample.com

Therefore, choose the words and phrases to be blocked or allowed carefully.

3 Click Apply to save the settings.

For URL Filtering to work, you will need to make sure that URL filtering is enabled for each client PC in the "Access Control" screen. To do this:

In the Access Control - Add PC screen (Figure 38), check the Blocking check box for Enable URL Filter to activate the URL filtering specified in the URL Filter table. See “Access Control” on page 57.
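The over-blocking described above (a keyword of “sex” also catching www.sussex.com and www.thisexample.com) comes from matching the keyword as a substring of the whole URL. The following added example, which is not router code, reproduces that substring behaviour and places a stricter alternative beside it that only matches whole hostname labels; the stricter variant is offered here for comparison and is not a feature of the 3Com screen. The filter table and sample URLs are constructed.

```python
"""Keyword matching as the URL Filter performs it (substring match on
the whole URL) next to a stricter whole-label match.  Added example,
not router code; the label-based variant is a suggested refinement."""
from urllib.parse import urlsplit

# Constructed filter table: the manual's example keyword plus one full host
FILTER_TABLE = [("sex", "Denied"), ("www.example.net", "Denied")]


def substring_decision(url, table=FILTER_TABLE):
    """Manual's behaviour: any URL containing the keyword string matches.
    Returns the Mode of the first matching row, or None for no match."""
    haystack = url.lower()
    for keyword, mode in table:
        if keyword.lower() in haystack:
            return mode
    return None


def label_decision(url, table=FILTER_TABLE):
    """Stricter variant: a keyword must equal a whole dot-separated label
    of the host (or the whole host), so 'sussex' no longer matches 'sex'."""
    host = urlsplit(url if "://" in url else "http://" + url).hostname or ""
    labels = host.split(".")
    for keyword, mode in table:
        k = keyword.lower()
        if k == host or k in labels:
            return mode
    return None


def compare(urls):
    """Side-by-side result for each URL: (substring mode, label mode)."""
    return {u: (substring_decision(u), label_decision(u)) for u in urls}


# The two collateral hits given in the manual, one URL that should be
# denied under both schemes, and a path under the full-host entry.
SAMPLE_URLS = ["www.sussex.com", "www.thisexample.com",
               "http://sex.example.org/index.html", "www.example.net/page"]
```

Running compare(SAMPLE_URLS) shows the substring matcher denying all four while the label matcher denies only the two that actually carry the keyword or host; the trade-off is that a label match will miss a keyword embedded in a longer label, which is exactly the breadth the manual's substring match was providing.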

Schedule Rule

You can configure the Router to restrict access to the Internet, e-mail or other network services at specific days and times. The schedule rules that