HiGuard SOHO User Manual

HiGuard Wireless Router
For SOHO
Manual
www.higuard.com
Please feel free to contact us if you have any questions.
E-mail: help@higuard.com
Powered by ShareTech
Index
Chapter 1: HiGuard
1-1 Features and Advantages
1-2 Protection
1-3 Identify Components
1-3-1 Front Panel
1-3-2 Back Panel
1-3-3 Hardware Specification
1-3-4 Environment
Chapter 2: Quick Installation
2-1 Before you begin
2-2 Hardware Installation
2-3 Set up your computer
2-3-1 Windows XP
2-3-2 Windows 7
Chapter 3: Connect to HiGuard
3-1 Config. wizard
3-2 Log-in HiGuard GUI
3-3 Firmware Upgrade
3-4 Restart Device
3-5 Signature Update
3-6 Admin Password
3-7 Web Access
3-8 Time Settings
3-9 Config. Manager
3-9-1 Export HiGuard Setting
3-9-2 Restore HiGuard Setting
3-9-3 Multiple Profile Management
3-9-4 Restore Factory Setting
3-9-5 Restore Factory Setting from Hardware
Chapter 4: Protection
4-1 Anti-Virus
4-1-1 Enable Anti-Virus
4-1-2 Signature
4-1-3 Anti-Virus Setting
4-2 Application Guard
4-3 URL Keyword Filter
4-4 URL Category Filter
4-5 Internet Authentication
4-6 QoS
Chapter 5: Security
5-1 Port Forwarding
5-2 UPnP
5-3 Access Control
5-4 Firewall Protection
5-4-1 Firewall Setup
Chapter 6: Network
6-1 Wide Area Network (WAN) Setting
6-1-1 DHCP (Dynamic IP)
6-1-2 Static IP (Static IP)
6-1-3 PPPoE (ADSL Dial-up)
6-2 Local Area Network (LAN) Setting
6-2-1 HiGuard Management IP
6-2-2 DHCP Server Setting
6-2-3 DNS Server Setting
6-3 Wireless
6-4 Dynamic DNS
6-5 IPv6
6-5-1 General Setup
6-6 VPN IPSec
Chapter 7: Log & Report
7-1 Setup
7-2 Anti-Virus
7-3 Application Guard
7-4 URL Keyword Filter
7-5 URL Category Filter
7-6 Access Control List
7-7 Firewall Protection
7-8 VPN IPSec
Chapter 1 HiGuard
The HiGuard Network Security Adaptor is a device that provides application-layer (OSI Layer 7) security protection to the equipment connected behind the Internet access device. Without consuming additional host CPU resources or requiring any installation on the host, HiGuard provides transparent security features such as anti-virus, instant messaging and peer-to-peer application control, and prevention of malicious drive-by download attacks. These security features are usually built into Unified Threat Management (UTM) network security equipment. Any network equipment or device with a standard 10/100 Mbps Fast Ethernet port can be connected to MiniGuard, or to a switching device under HiGuard gateway coverage, for protection.
1-1. Features and Advantages
The simplest and most cost effective security device HiGuard
No additional host-CPU resources consumption / No Installation needed
High throughput that provides rapid network Download and Access
Anti-Virus, IM / P2P, Anti-Malicious URL, URL Protocol filter
Friendly graphic user interface control, inspection report and management
Support PPPoE, DHCP, NAT
Suitable for Home, SOHO and SMB users
1-2. Protection
Anti-Virus
Packet-based Virus Scanning
Support HTTP / FTP / SMTP / POP3 / IMAP4 / TCP STREAM
Packet-Based Decoding for Base64 / UUencode / QP
Packet-Based Decompression for Zip / GZIP
Detect Viruses Across Multiple Packets
Application Guard
Detection for Well-Known Protocols
HTTP / FTP / SMTP / POP3
AOL / Jabber / MSN / QQ
eDonkey / Fasttrack / Thunder
Web Guard
Website Hijacking Prevention
Concise URL Malicious Website Database
Smaller Database Size
URL Path Only and URL Host+Path Support
URL Filter
High Speed Filtering
Category-Based Blacklist Function
Low Rates of Overblocking
World’s Best Site Coverage
1-3. Identify Components
The following sections describe the physical characteristics of the HiGuard.
1-3-1. Front Panel
The LEDs of the HiGuard indicate its operational status.
LED      Color    Condition   Status
POWER    Green    On          Power on
POWER    Green    Off         Power off
Wi-Fi    Green    On          WiFi enabled
Wi-Fi    Green    Blinking    Transmitting
Wi-Fi    Green    Off         WiFi not ready or failed
Wi-Fi    Orange   On          Firmware updating
Wi-Fi    Orange   Blinking    Resetting to default
WAN      Green    On          Physical link ok
WAN      Green    Blinking    Transmitting
WAN      Green    Off         Ethernet not ready or failed
LAN      Green    On          Physical link ok
LAN      Green    Blinking    Transmitting
LAN      Green    Off         Ethernet not ready or failed
1-3-2. Back Panel
Feature   Description
POWER     The receptacle where you plug in the power adapter.
WAN       Use this port to connect your modem to HiGuard.
LAN       Use these ports to connect your PC or notebook to HiGuard.
RESET     Press to reset HiGuard. Press for over five seconds to reset to default settings.
Wi-Fi     Enable/disable WiFi function.
1-3-3. Hardware Specification
Feature   Description
Network   10/100Mbps Fast Ethernet X 5 (LAN X 4, WAN X 1)
          IEEE 802.11b/g/n draft
Power     Switching Power Adapter
          Input: 100~240V; Output: 12V / 1A
          Power Connector: +5V DC-in Jack
1-3-4. Environment
Feature                 Description
Operating Temperature   0°C ~ 45°C ambient temperature
Storage Temperature     -30°C ~ 70°C ambient temperature
Operating Humidity      90% maximum (non-condensing)
Storage Humidity        90% maximum (non-condensing)
Chapter 2 Quick Installation
This chapter introduces the installation and network configuration of HiGuard.
2-1. Unboxing HiGuard
Please ensure you have all these components:
1. HiGuard Wireless Base Unit
2. RJ-45 Ethernet Cable
3. One Power Adapter
4. One User Manual and one CD
5. Quick Install Guide
6. Warranty Card
7. Two (2) detachable WiFi Antennas
Please contact your vendor immediately if you find anything missing.
2-2. Hardware Installation
Depending on your home network set-up, you can connect HiGuard to the Internet by referring to any of the following scenarios:
A. ADSL/Cable Modem
i. Connect the cable to the ADSL Router/Cable Modem and plug it into the BLUE socket (WAN port).
ii. Use the RJ-45 Ethernet cable provided with the HiGuard appliance to connect your computer to any of the YELLOW sockets (LAN).
iii. Switch on your ADSL Modem/Cable Modem and wait until the Internet LED on the ADSL modem turns green and remains steady.
iv. Switch on the HiGuard appliance. Wait until the Power LED and WAN LED turn green.
v. Switch on your computer now. HiGuard’s LAN LED will turn green and remain steady.
vi. Open your browser and start surfing the Internet. You have installed HiGuard successfully!
B. USB Modem
i. Plug a USB modem in the slot in the HiGuard appliance.
ii. Use the RJ-45 Ethernet cable provided with the HiGuard appliance to connect your computer to any of the YELLOW sockets (LAN), and switch on the HiGuard appliance. OR, switch on the HiGuard appliance. If you are connecting to the Internet over WiFi, start your laptop or any mobile device.
iii. Open the browser and start surfing the Internet. You have installed HiGuard successfully!
2-3. Set up your computer
To configure the network quickly, please read the section that applies to your system: Windows XP or Windows 7.
2-3-1. Windows XP
i. Click “Control Panel” in the “Start Menu”.
ii. Double-click “Network Connection” in the Control Panel.
iii. Right-click “Local Area Connection” and then choose “Properties”.
iv. Choose the “General” tab and select “Internet Protocol”. Then click the “Properties” button.
v. Choose “Obtain an IP address automatically” and click OK.
For your reference, the default gateway is 192.168.1.1. As long as there is no conflict, you may enter an IP address from 192.168.1.2 to 192.168.1.254.
2-3-2. Windows 7
i. Right-click the network icon in the bottom-right corner of Windows 7 and choose “Open Network and Share Center”. In the screen that pops up, choose “Change Interface.”
ii. Right-click the “Local Area Connection” icon and select “Status”.
Automatically obtain IP address has not been set
iii. Click “Properties” of the “Local Area Connection”. Select “Internet Protocol v4 (TCP/IPv4)” and then click “Properties”. Please refer to section 2-3-1 and set the IP address to be obtained automatically.
Automatically obtain IP address to complete the setup
iv. Click “Detail” of “Local Area Connection” to check that the IP address is set to be obtained automatically.
Chapter 3 Connect to HiGuard
HiGuard supports Internet Explorer 6, 7 and 8, and Firefox 3.x or above. To operate it correctly, please use a supported browser to log in.
A. Open a browser and enter “http://192.168.1.1” in the address field to log in to the HiGuard.
(Figure 3-1)
Figure 3-1. Enter IP Address
B. If you can see the following Admin Screen, HiGuard is successfully connected. Select a language at the bottom, enter “admin” as the default username and “admin” as the default password, and click the Login button.
(Figure 3-2)
Default Username: admin
Default Password: admin
Figure 3-2. Enter username and password
3-1. Configuration Wizard
The network configuration wizard starts at the first login to HiGuard and helps you set up the network step by step. If you cancel the wizard at the first login, you may restart it manually by clicking the icon next to the “Logout” icon.
1. Click “Network Config Wizard” at the upper right corner to begin the five steps.
2. Network Mode Setting: the picture shows the network mode: Router Mode. Click the “Next” button.
(Figure 3-3)
Figure 3-3. Router mode
3. Wide Area Networking (WAN) Setting: Set up WAN type. There are different parameters according to the WAN type.
i. Choose “DHCP” for IP address.
(Figure 3-4)
Figure 3-4. WAN Configuration DHCP
ii. Choose “Static” and key in IP address, Subnet Mask and Gateway.
(Figure 3-5)
Figure 3-5. WAN Configuration Static
iii. Or, choose “PPPoE” and key in the username, password and confirm password. If necessary, users can enter a static DNS server.
(Figure 3-6)
Figure 3-6. WAN Configuration PPPoE
4. Local Area Networking (LAN) Setting: Set up the LAN. The LAN IP of HiGuard and its DHCP server setting can be assigned here.
(Figure 3-7)
Figure 3-7. LAN Setting
5. Wireless LAN Setting: Set up the wireless network. Wireless can be enabled or disabled and the SSID name assigned here. No security mechanism is enabled by default. It is strongly recommended that you set up wireless security via “Network/Wireless” after this wizard.
(Figure 3-8)
Figure 3-8. Enable Wireless Configuration
6. Summary: This is the final check of the network configuration wizard. If the settings are not correct, click “Back” to adjust them. If they are correct, click “Done” to accept all the settings.
(Figure 3-9)
Figure 3-9. Done with the network configuration wizard.
When “Done” is clicked, all the network settings are saved and HiGuard reboots to make them effective. If other modifications need to be made, please log in after the new network settings are effective.
3-2. Log-in HiGuard GUI
HiGuard provides English, Traditional Chinese, Simplified Chinese and Japanese GUI languages. The default is English. You may switch language in the list box at the bottom right. The newly chosen language is remembered, so you will not need to choose it again next time. Please log in with the default user name and password.
(Figure 3-10)
Figure 3-10. HiGuard user interface login
If the user name and password are correct, it will show the following overview page.
(Figure 3-11)
Figure 3-11. HiGuard overview page
The HiGuard GUI can be divided into two areas: (Figure 3-12, Figure 3-13)
Figure 3-12. This is the menu bar of the HiGuard; you may check the details by clicking each item in the menu.
Figure 3-13. The right area shows the details for the item clicked in the left menu.
3-3. Firmware Upgrade
If a new version of HiGuard firmware is available, you may use the “System/Firmware Upgrade” function to upgrade the firmware.
(Figure 3-14)
Figure 3-14. System/ Firmware Upgrade
To upgrade firmware, first select the firmware file. Then select either “Keep Configuration” or “Reset Configuration”. If this is a major upgrade (from v1.1 to v1.2), you must select “Reset Configuration”. After checking everything, click the “Apply” button.
Tips: During the firmware upgrade, HiGuard validates the firmware file first. If the firmware is invalid, it is rejected.
During the firmware upgrade, the “WLAN/WPS” LED on the front panel is red and blinking (as in the following picture). Please do not power off at this moment; otherwise, the device may be damaged.
(Figure 3-15)
Figure 3-15. The status of the “WLAN/WPS” LED during the firmware upgrade
After the firmware upgrade is complete, HiGuard reboots automatically and you will be asked to log in again. After login, you may check the overview page to make sure the firmware version has changed.
Tip: To keep the HiGuard device in normal operation, please do not forcefully disconnect it from power, which may cause unnecessary damage.
3-4. Restart Device
To restart the HiGuard, click “System / Restart Device” on the left.
(Figure 3-16)
Figure 3-16. Restart Device menu
Then click “reboot” in the right area.
(Figure 3-17)
Figure 3-17. Restart Device
Please wait until the reboot completes.
After it completes, you will be asked to log in to HiGuard again.
3-5. Signature Update
When automatic updating is enabled, updates are downloaded and installed automatically. In addition, you can update the signatures manually.
(Figure 3-18)
Figure 3-18. Details of Signature Update
Select “Check Period” and click apply to save the setting. If you use an HTTP proxy, click “enable” and enter the related information in the fields. Click apply to save the changes.
(Figure 3-19)
Figure 3-19. Signature Update
3-6. Admin Password
The default password of HiGuard is “admin”. It is highly recommended that you change the default password. To change the password, click “Change Password” on the left.
(Figure 3-20)
Figure 3-20. Change Password
On the right, enter the old password, then enter the new password twice. Then click “Apply” to save the password.
(Figure 3-21)
Figure 3-21. Password configuration saved
Once saved, please log in again with the new password.
3-7. Web Access
By default, logging in to HiGuard via WAN is not allowed in router mode. To change that policy, click “System / Web Access” on the left and make the proper modifications.
(Figure 3-22)
Figure 3-22. System/ WebAccess
To allow WAN web access, check the “Enable WAN Web Access” check box. Then adjust the HTTPS or HTTP parameters or just use the default values. Finally, click “Apply” to save the parameters.
3-8. Time Settings
HiGuard enables the NTP (Network Time Protocol) service by default, so it synchronizes its time whenever Internet access is working. For example, as you can see in these NTP settings, it adjusts the time every 3600 seconds against the pre-defined NTP servers.
(Figure 3-23)
Figure 3-23. Time Setting
If these NTP servers are not reachable, you can still adjust the time manually: click the “Get” button to retrieve the time from the local computer, and then click “Apply” to accept the time.
(Figure 3-23)
Figure 3-23. Manual Time Setting
3-9. Config Manager
You can use the “Config Manager” to manage several configuration profiles, back up or restore the current profile, or reset to default.
(Figure 3-25)
Figure 3-25. Config Manager
3-9-1. Export HiGuard Setting
To export the current configuration profile, click “Config Manager” on the left and click the “Export” button under “Download config file”.
(Figure 3-26)
The browser will prompt for the path name.
Figure 3-26. Backup saved.
Once the saving completes, the configuration profile backup is done.
3-9-2. Restore HiGuard Setting from profile
To restore a configuration profile, click “Config Manager” on the left. Then click “Browse” to select the configuration profile file. Finally, click the “Upload” button.
(Figure 3-27)
Figure 3-27. Restore Config. Manager
A message box asks whether you want to replace the current configuration profile. Confirm and click “OK”; otherwise, choose “Cancel”.
(Figure 3-28)
Figure 3-28. Success to restore profile to current config
Tips: HiGuard checks uploaded files. A file that is not a configuration profile generated by HiGuard is rejected.
(Figure 3-29)
Figure 3-29. Examine configuration profile
After the configuration profile is restored, HiGuard needs a reboot to make the new configuration effective.
3-9-3. Multiple Profile Management
You may create several configuration profiles for fast switching among different environments.
1. This version of HiGuard allows you to create 3 profiles. Give each a meaningful name, for example “Bridge_Mode”.
(Figure 3-30)
Figure 3-30. Create Multiple Default Config
2. Enter the name and click “Create”. The current configuration is stored under that name.
(Figure 3-31)
Figure 3-31. Success to save configuration.
After creation, there are three different functions:
Restore: Restore the profile to the HiGuard, just like the section 3-5-4.
Export: Export the profile outside the HiGuard, just like the section 3-5-1.
Delete: Delete the configuration profile.
3-9-4. Restore Factory Settings
To restore the factory default settings, log in to the HiGuard GUI and take the following steps:
1. Click “Config Manager” on the left.
2. In the profile manager, click the “Restore” button of the “Default Profile.”
(Figure 3-32)
Figure 3-32. Config Manager
3. A message box asks whether the configuration should be replaced with the default profile. Confirm and click “OK”; otherwise, click “Cancel.”
(Figure 3-33)
Figure 3-33. Success to restore new config
4. After the reboot, the configuration profile is reset to default.
3-9-5. Restore Factory Settings from Hardware
This section introduces another method to restore the factory default settings without logging in to HiGuard. Sometimes you cannot log in to HiGuard, for example because the password is lost, but you still need to reset HiGuard to default. Please follow the steps below:
1. Power on the HiGuard.
2. On the back panel of HiGuard, use a pen to press into the “RESET” hole and hold it.
3. When the WLAN/WPS LED on the front panel starts blinking, remove the pen.
4. When the blinking stops, the factory default settings are restored.
Chapter 4 Protection
HiGuard SOHO is not only a wireless router but also an anti-virus and malicious-website-blocking gateway. You can easily build a secured network with HiGuard. Installation is quick and requires no complex operation. This chapter introduces all the security functions.
4-1. Anti-Virus
HiGuard can effectively stop computer viruses, even when they are inside a compressed file.
4-1-1. Enable Anti-Virus
Click “Anti Virus / Overview” on the left. Then check the “Enable Anti Virus” check box and click “Apply” to enable this function.
(Figure 4-1)
Figure 4-1. Enable Anti Virus
Tips: Some viruses are hidden inside compressed files. It is recommended that you also turn on “Enable Zip File Scan”, so that ZIP and GZ files are scanned for viruses.
When anti-virus is enabled, you may check “Packet Statistics” in the anti-virus overview page. It shows inspected packets, scanned files and infected files.
(Figure 4-2)
Figure 4-2. Packet Statistics
4-1-2. Signature
In “Anti-Virus / Signature”, all the virus signatures are listed.
(Figure 4-3)
Figure 4-3. Anti-Virus/ Signature
There are several virus categories, for example virus and spy. “Outbreak” means the virus spreads on a large scale once systems are infected.
If a packet passing through HiGuard is judged to be a virus, the file destroy mechanism is activated, provided the “Destroy File” action is set.
(Figure 4-4, Figure 4-5)
Figure 4-4. Before-Destroy
Figure 4-5. After-Destroy of the same file content. Every other byte of file content is modified to 'X'.
4-1-3. Anti-Virus Setting
Once the anti-virus function is enabled, it scans FTP/HTTP/POP3/SMTP/IMAP4/TCP Stream by default. You can adjust the settings here for each individual protocol.
The settings of the six protocols that HiGuard will scan.
(Figure 4-6)
Figure 4-6. Action Configuration
The settings of the virus categories that HiGuard will scan.
(Figure 4-7)
Figure 4-7. Action to Spy and Virus
The settings of the outbreak viruses that HiGuard will scan.
(Figure 4-8)
Figure 4-8. Action to Outbreak Virus
The settings of the severity levels that HiGuard will scan.
(Figure 4-9)
Figure 4-9. Action to Virus Severity
By default, the actions for all of them are “Log” and “Destroy Virus” when a virus is found.
The anti-virus system scans files of any type to prevent malware from interfering with the normal operation of a computer. If you want to ignore a file type, check the “Ignore” check box for that file type in the “Ignored File Type” tab.
(Figure 4-10)
Figure 4-10. Ignored File Type
4-2. Application Guard
Application Guard can manage instant messengers, peer-to-peer applications and social web sites. For example, if you want to block the use of SKYPE or MSN Messenger chat, Application Guard is useful. It can block specific applications at the gateway.
(Figure 4-11)
Figure 4-11. Application Guard
All applications are passed by default. To change that, check “Enable Application Guard” in “Application Guard / Overview”. Application Guard rules are edited in the “Application Guard / Configuration” section.
(Figure 4-12)
Figure 4-12. Application Guard / Configuration
Rule Setting
In “Application Guard / Configuration”, rules can be viewed by category or by specific application. In the following example, all “Instant Messager” applications in the signature file are blocked.
(Figure 4-13)
Figure 4-13. Specific Application Guard Configuration
If only a specific application should be blocked, go to the second level. In the following example, IM is chosen first, and all the IM applications are then shown in the second list box. Then choose MSN and click “Search”.
(Figure 4-14)
Figure 4-14. IM application guard Configuration
As you can see in the following example, all MSN related rules are shown, and you can block any of the five behaviors: Login, Message, Audio, Video and File Transfer.
(Figure 4-15)
Figure 4-15. Block all MSN behaviors
Schedule Setting
Assume a company allows MSN only for 12:00~13:00 every day. Two rules are needed to describe this situation. Please check the following example.
(Figure 4-16, 4-17)
Figure 4-16. Schedule setup
Figure 4-17. Schedule setup
After defining the schedule, assign “Scheduled Block” to all five MSN behaviors.
(Figure 4-18)
Figure 4-18. Application guard schedule setup
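Why the 12:00~13:00 case above needs two rules, as an added example that is not part of the original manual: block schedules are the complement of the allowed hours, and a single allowed window in the middle of the day leaves two blocked windows. The schedule representation (minutes since midnight, half-open windows) and all function names are assumptions for illustration, not HiGuard's internal format; the code also handles several or overlapping allowed windows.

```python
# Added example: derive "Scheduled Block" windows from the hours an application
# is allowed. Windows are half-open [start, end) in minutes since midnight.
# This representation is assumed for illustration; it is not HiGuard's format.

DAY = 24 * 60


def hhmm(text):
    """Convert 'HH:MM' to minutes since midnight ('24:00' means end of day)."""
    hours, minutes = (int(part) for part in text.split(":"))
    value = hours * 60 + minutes
    if minutes >= 60 or not 0 <= value <= DAY:
        raise ValueError(f"bad time: {text}")
    return value


def block_windows(allowed):
    """Return the block windows that complement the allowed windows over one day."""
    spans = sorted((hhmm(start), hhmm(end)) for start, end in allowed)
    blocks, cursor = [], 0
    for start, end in spans:
        if start >= end:
            raise ValueError("an allowed window must start before it ends")
        if start > cursor:                 # gap before this allowed window
            blocks.append((cursor, start))
        cursor = max(cursor, end)          # overlapping allowed windows merge
    if cursor < DAY:                       # remainder of the day after the last window
        blocks.append((cursor, DAY))
    return blocks


def is_blocked(now, blocks):
    """True if the time 'HH:MM' falls inside any block window."""
    minute = hhmm(now)
    return any(start <= minute < end for start, end in blocks)


def fmt(blocks):
    """Render block windows as 'HH:MM-HH:MM' strings for entry in a schedule form."""
    return [f"{s // 60:02d}:{s % 60:02d}-{e // 60:02d}:{e % 60:02d}" for s, e in blocks]


# The manual's case: MSN allowed only from 12:00 to 13:00.
MSN_BLOCKS = block_windows([("12:00", "13:00")])

if __name__ == "__main__":
    print(fmt(MSN_BLOCKS))
    for t in ("11:59", "12:00", "12:59", "13:00"):
        print(t, "blocked" if is_blocked(t, MSN_BLOCKS) else "allowed")
```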
MAC Whitelist
Sometimes there will be exceptions. For example, the CEO and the secretary may use Facebook but other people may not. In this case, add their MAC addresses to the “MAC Whitelist” so that Application Guard bypasses all rules for these MAC addresses.
(Figure 4-19, 4-20, 4-21)
Figure 4-19. MAC and IP Address List
Figure 4-20. Add Multiple to MAC Whitelist
Figure 4-21. MAC Whitelist added
4-3. URL Keyword Filter
Most malicious websites are injected with a small piece of code. When users browse the web, malware is downloaded secretly without the user knowing anything about it. In the following example, an “iframe” is downloaded when this HTML page and its siblings are retrieved.
(Figure 4-22)
Figure 4-22. Example of malicious websites
HiGuard keeps updating the Web Guard signatures. Once a URL matches a malicious website, HiGuard blocks that URL.
(Figure 4-23)
Figure 4-23. URL Keyword Filter Configuration
After “Enable Web Guard” in “Web Guard / Overview” is turned on, the statistics show the number of URLs inspected and the number of malicious URLs.
(Figure 4-24)
Figure 4-24. URL Inspected Statistics
If you do not want to block malicious web sites, you may enable the “Log only and not blocking” check box in the “Web Guard / Configuration” page.
(Figure 4-25)
Figure 4-25. Keyword Filter Log only setup
Tips: Unless it is for testing only, choosing “Log only and not blocking” is not recommended, so that all the necessary protection stays in place.
Besides malicious web sites, you may use user-defined keywords to block URLs. In “Web Guard / Keyword Filter”, you may enter the word “sex”. The URLs of adult web sites are expected to contain the word “sex”, so this is a simple method to block some adult web sites.
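A keyword can be vetted before it is enforced by running it over a sample of URLs, which is what the “Log only and not blocking” test mode above is for. The following added example (not part of the original manual, and not HiGuard's own matching code) assumes a case-insensitive substring match on host, path and query; the URLs are constructed samples under the reserved `.example` domain.

```python
# Added example: dry-run a URL keyword list against labelled sample URLs to see
# what would be blocked, what would be blocked by mistake, and what is missed.
# The matching rule (case-insensitive substring on host, path and query) is an
# assumption for illustration; the manual does not document HiGuard's matcher.
from urllib.parse import urlsplit


def matched_keyword(url, keywords):
    """Return the first keyword found in the URL's host, path or query, else None."""
    parts = urlsplit(url)
    fields = [(parts.hostname or "").lower(), parts.path.lower(), parts.query.lower()]
    for keyword in keywords:
        if any(keyword.lower() in field for field in fields):
            return keyword
    return None


def verdict(url, keywords, log_only=False):
    """'pass' if no keyword matches; otherwise 'log' in log-only mode, else 'block'."""
    if matched_keyword(url, keywords) is None:
        return "pass"
    return "log" if log_only else "block"


def dry_run(samples, keywords):
    """samples: (url, unwanted) pairs. Sort URLs into blocked / overblocked / missed."""
    report = {"blocked": [], "overblocked": [], "missed": []}
    for url, unwanted in samples:
        hit = matched_keyword(url, keywords) is not None
        if hit and unwanted:
            report["blocked"].append(url)        # keyword did its job
        elif hit:
            report["overblocked"].append(url)    # legitimate site caught by substring
        elif unwanted:
            report["missed"].append(url)         # unwanted site without the keyword
    return report


# Constructed sample data: (URL, should this site be blocked?)
SAMPLES = [
    ("http://adult-site.example/sex/gallery", True),
    ("http://www.essex-council.example/bins", False),
    ("http://news.example/middlesex/fair", False),
    ("http://video.example/adult/clips", True),
    ("http://shop.example/toys?q=lego", False),
]

if __name__ == "__main__":
    for kind, urls in dry_run(SAMPLES, ["sex"]).items():
        print(kind, urls)
```

The overblocked entries show why a short keyword should be tried in log-only mode first, and the missed entry shows why keyword filtering complements rather than replaces the category filter.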
4-4. URL Category Filter
HiGuard adopts an external web category database. You may block specific categories of URL.
For example, adult websites are blocked for children in the home market. Most companies do
not want to allow job websites for their employees.
(Figure 4-26)
Figure 4-26
Turn on “Enable URL Filter” in “URL Filter / Overview”, then choose the categories
you want to block in “URL Filter / Configuration”, for example the job websites.
(Figure 4-27)
Figure 4-27
When users try to access web sites in this category, the “This website is blocked”
warning message is shown.
(Figure 4-28)
Figure 4-28
It is possible to select “Log only and not blocking”. However, this is not
recommended.
(Figure 4-29)
Figure 4-29
After “Log only and not blocking” is chosen, employees will not notice any difference.
The administrator may check the status in “URL Filter / Overview” or in the log. (Please check section 5-4)
4-5. Internet Authentication
Internet Authentication serves as a gateway to filter out unauthorized users from accessing
the Internet. Configuring authentication provides an effective method of managing the
network’s use.
Click “Internet Authentication / Overview”, check the “Enable Internet Authentication” box,
and click the “apply” button.
(Figure 4-30)
Figure 4-30. Add a new Internet Authentication
4-5-1 Network Users
Enter the user’s account and password, and click “Add”. The setting is complete when
the user’s account is shown in the User List.
(Figure 4-31)
Figure 4-31. Add user account and password
All network users have to authenticate before logging in. There might be devices that IT
administrators want to exempt from authentication. They can add the IP address to the Whitelist,
and the device will be able to surf the Internet without authentication.
(Figure 4-32)
Figure 4-32. Success to set single device IP
Users are permitted to log in with their username and password.
(Figure 4-33)
Figure 4-33. Internet Authentication
When the username and password are confirmed, users can surf the Internet.
(Figure 4-34)
Figure 4-34. users can begin surfing on the internet
Device IP Whitelist
The Device IP Whitelist grants access to listed devices, such as the boss’s, which are then excluded from the normal rules.
(Figure 4-35)
Figure 4-35. Add Device IP to Whitelist
Device IP Whitelist setting is completed.
(Figure 4-36)
Figure 4-36. Success to add Device IP
4-6. QoS
By configuring QoS, the IT administrator can limit the upload and download speed and
apply the bandwidth configuration to each IP address. Configure a QoS profile. The IT
administrator is able to set up 5 different profiles.
(Figure 4-37)
Figure 4-37. QoS
If you want to control the bandwidth, click “QoS / User”. To add a device IP and
apply a QoS profile, key in the Device IP, Description and QoS. Click “Add” to confirm
the settings after completing the configuration.
(Figure 4-38, Figure 4-39)
Figure 4-38. Setup Single Device IP QoS
Figure 4-39. Success to save Single QoS
In addition, the administrator can click on detected IPs to create multiple devices from the network neighborhood.
(Figure 4-40)
Figure 4-40. Quickly add Device IP QoS
Chapter 5 Security
If users want to set up a web server or a similar service, the HiGuard firewall section
provides port forwarding, UPnP and Access Control List, which are useful for these services.
5-1. Port Forwarding
To allow Internet connections to reach internal servers, you must use the port
forwarding feature. For example, we want to set up an HTTP server, whose default TCP port is
80.
(Figure 5-1)
Figure 5-1. Port Forwarding Configuration
First set up a web server running on 192.168.1.13. Then add a new port forwarding
rule for this service.
(Figure 5-2)
Figure 5-2. Add WEB_SITE service
Tips:
1. If you want to set up a port forwarding rule which includes the port 80, please make sure
you do not need “WAN Web Access” or your WAN web access does not use port 80.
2. The newly added port forwarding rules will be listed in “Port Forwarding Service List”. The
maximum is 10.
To delete a single rule, tick the “Delete” check box in the right column and click
“Apply”. The rule is then deleted.
(Figure 5-3)
Figure 5-3. Delete Port Forwarding Service List
To test that this port forwarding rule is correct, open a browser and connect to its Internet
IP. In the following example, it works.
(Figure 5-4)
Figure 5-4. Port Forwarding Exam
5-2. UPnP
UPnP means “Universal Plug and Play”. It is primarily for residential networks without
expert administrators and permits networked devices, such as personal computers, printers,
Internet gateways, Wi-Fi access points and mobile devices, to seamlessly discover each
other's presence on the network and establish functional network services for data sharing,
communications, and entertainment.
(Figure 5-5)
Figure 5-5. Enable UPnP
5-3. Access Control
“Access Control List” is useful for allowing specific users to access a server. This enhances
security and keeps out unauthorized users. To add an access control rule, please click
“Firewall / Access Control List” on the left.
(Figure 5-6)
Figure 5-6. Access Control Configuration
The newly added access control rule will be listed in “ACL”. The maximum is 10. The priority
can be adjusted by clicking the up and down arrows in the left column of each rule.
(Figure 5-7)
Figure 5-7. ACL
5-4. Firewall Protection
The HiGuard firewall performs stateful packet inspection, which is configured to protect the network from attacks such as DoS, DDoS and UDP flooding.
The HiGuard firewall is also designed to defend network users and prevent the abuse of network bandwidth.
(Figure 5-8)
Attacks:
SYN attack detection: SYN Flood is a popular attack method. These DoS and DDoS attacks
use the TCP protocol. Attackers use this method to forge connections, which consumes
CPU, memory and other resources.
ICMP attack detection: ICMP is a type of TCP/IP packet; its main function is to transfer
simple signals on the Internet. Two common attacks that use it are Ping of Death and
the Smurf attack.
UDP attack detection: Attackers use the UDP protocol to forge connections, which
consumes CPU, memory and other resources.
Figure 5-8. Enable Firewall Protection
5-4-1. Setup
When you enable SYN/ICMP/UDP/Port Scan Protection, all the configuration values are pre-filled. The administrator can change the values to suit each network situation.
(Figure 5-9)
Figure 5-9. SYN Attack Detection Setting
Chapter 6 Network
The Overview page shows the network status.
(Figure 6-1)
Figure 6-1. Network Overview
6-1. Wide Area Network (WAN) Setting
WAN (Wide Area Network) means the network to which the ADSL modem connects for home
or SOHO users. HiGuard is usually configured in “Router Mode” and the ISP usually provides
PPPoE service.
Small to medium enterprises or similar organizations have a lot of PCs. They are usually
equipped with a more powerful router. There, HiGuard is usually configured in “Bridge” mode
and a static IP or DHCP address is assigned by the organization's IT staff.
HiGuard does not support PPPoE in Bridge Mode.
(Figure 6-2)
Figure 6-2. Bridge Mode v.s Router Mode
6-1-1 DHCP (Dynamic IP)
The WAN IP of HiGuard is assigned by the upper-level DHCP server.
(Figure 6-3)
Figure 6-3. WAN Configuration- DHCP
You may check the WAN IP in the network overview page if the address type of HiGuard is
set to DHCP. If you want the WAN IP to be assigned again, just click the “Renew” button.
(Figure 6-4)
Figure 6-4. Renew WAN IP Address
6-1-2 Static IP (Static IP)
If the ISP or network provider provides a static IP, we need the IP, Netmask, Gateway,
Primary DNS and Secondary DNS to configure the network. The following is an example.
(Table 6-1)
Item Parameter
IP 192.168.195.164
Netmask 255.255.255.0
Gateway 192.168.195.254
Primary DNS 192.168.0.254
Secondary DNS 168.95.1.1
Table 6-1. Static IP network statistics
After all the static IP information is obtained, please switch to “Static” in WAN IP Setting
and enter the above parameters accordingly. Finally, click “Apply” button.
(Figure 6-5)
Figure 6-5. Static IP Configuration
Please check the status in “WAN” of “Network / Overview”.
(Figure 6-6)
Figure 6-6. Static Overview
6-1-3 PPPoE (ADSL Dial-up)
The following is a PPPoE example provided by an ISP.
(Figure 6-7)
Figure 6-7. ADSL Dial-up
Please switch to “PPPoE” in WAN IP Setting and enter the PPPoE parameters
accordingly, including the user name and password.
(Figure 6-8)
Figure 6-8. PPPoE Information
Please check the status in “WAN” of “Network / Overview”.
(Figure 6-9)
Figure 6-9. PPPoE Overview
6-2. Local Area Network (LAN) Setting
Adjust the LAN setting of HiGuard if necessary.
6-2-1 HiGuard Management IP
The default management IP of HiGuard is 192.168.1.1. You may adjust it in “LAN
Configuration” in “Network / Configuration”.
(Figure 6-10)
Figure 6-10. LAN Configuration
6-2-2 DHCP Server Setting
You may enable the DHCP server only in “Router Mode”. If you do not intend to enable the DHCP
server, just select “NONE” as the DHCP server type.
(Figure 6-11)
Figure 6-11. change DHCP Server
If the DHCP server is enabled, the starting IP address and the number of IP addresses must be
assigned.
(Figure 6-12)
Figure 6-12. DHCP Server Configuration
■ Start IP Address
The first IP address assigned by the DHCP server. The default is 192.168.1.10.
■ Number of IP Address
The number of IP addresses. The default value is 10.
■ Domain
This is optional. The DHCP server can assign a domain name, too.
6-2-3 DNS Server Setting
HiGuard usually obtains the DNS information from its upper-level network. To specify the
DNS server ourselves, please choose “Static DNS server” and then enter the
primary and secondary DNS servers. Finally, click “Apply”.
(Figure 6-13)
Figure 6-13. DNS Server Configuration
If there is an internal DNS server that users should query first, please enter its IP as the
primary DNS. The DNS IP of the ISP is a good choice for the secondary DNS.
Tips:
The DNS (Domain Name System) resolves IPs and domain names. When users query a
domain name, the DNS returns its IP. When users query an IP, the DNS returns a domain
name if it has one.
6-3. Wireless
HiGuard disables wireless by default because there is no default wireless password. To
enable wireless, please click “Network / Wireless” on the left, then configure the
network mode and security.
(Figure 6-14)
Figure 6-14. Enable Wireless Network
Network Mode
The default is “802.11 B/G/N mixed mode”. That is, all the B/G/N clients can connect to HiGuard.
SSID
Defines the name of the wireless network. This identifies the network to wireless clients. It can be 1-32 characters long. The default value is “Default_SSID”. Please change it to a proper name.
Hide SSID
If enabled, wireless clients cannot find the name by searching. Users must add it manually to use this SSID.
Frequency
The default is “Auto”.
Security Mode
The default wireless security is “Disable”. Any unauthorized person can connect to this wireless network without any validation. Therefore, HiGuard provides three WPA algorithms. It is strongly recommended that users choose one of the WPA algorithms if wireless is enabled.
(Figure 6-15)
Figure 6-15. HiGuard Wireless Network Security Mode
WPA2_PSK / WPA_PSK
WPA encrypts data with a 128-bit key. WPA is superior to WEP because of TKIP (Temporal Key Integrity Protocol), which prevents the WEP key attack. WPA2 is the most secure so far. WPA2 implements the mandatory elements of 802.11i. In particular, it introduces CCMP, a new AES-based encryption mode with strong security. Windows XP has supported WPA2 since 2005/May/1. However, the network driver may need to be updated.
For detail: http://en.wikipedia.org/wiki/Wi-Fi_Protected_Access
WEP
WEP, Wired Equivalent Privacy, is a deprecated security algorithm for IEEE 802.11 wireless networks. Wireless transmission is susceptible to eavesdropping, so WEP was introduced as part of the original 802.11 protocol in 1997. It was intended to provide confidentiality comparable to that of a traditional wired network.
For detail: http://en.wikipedia.org/wiki/Wired_Equivalent_Privacy
To protect your wireless network, it is recommended to set at least WEP. Also, the key
should be at least 10 characters long.
6-4. Dynamic DNS
Dynamic DNS allows a domain name to be bound to the dynamic IP of a PC or SOHO router, so that
we can easily connect to the PC or SOHO router without knowing its IP. To use the dynamic
DNS feature, you must register a domain name with DynDNS.org, TZO.com, NO-IP.COM or
ZoneEdit.com.
Dynamic DNS is usually adopted by various servers. Sometimes we want to set up a web
server, but the ISP only provides a dynamic IP. So we need to register a domain name and install
the dynamic DNS scripts. When users want to connect to this web site, they connect to the
domain name without being aware of the real IP.
The following is the no-ip.org dynamic DNS example: a user is a member of no-ip.org and
creates the “HiGuard.no-ip.org” domain name.
(Figure 6-16)
Figure 6-16. Apply for Dynamic DNS
Please click “Network / Dynamic DNS” on the left, then tick “Enable Dynamic DNS
Client”. Enter the service type, user name and password accordingly.
(Figure 6-17)
Figure 6-17. Dynamic DNS Configuration
Click “Apply” to save all the parameters.
(Figure 6-18)
Figure 6-18. Success to Dynamic DNS Configuration
The completion of dynamic DNS may require several minutes. You may click the “Check
Domain” button to check the status. If the status is still “Inactive”, you may need to check
whether the user name or password is incorrect.
(Figure 6-19)
Figure 6-19. Examine Dynamic DNS
When dynamic DNS works, you can refer to section 3-6 and allow users to manage this
device from the Internet, which makes managing HiGuard remotely more convenient. Also,
you can refer to section 5-1 and adjust the port forwarding properly so that you can set
up servers such as a web site.
(Figure 6-20)
Figure 6-20. Enter http://higuard.com in the address bar
6-5. IPv6
To browse IPv6 web sites, the ISP or network provider must provide IPv6 access. Please
check the following and set up your IPv6 network.
(Figure 6-21)
Figure 6-21. IPv6 Setup
Tips: Windows XP does not turn on IPv6 by default. Please type “ipv6 help” in the command line
to check whether it is turned on.
(Figure 6-22)
Figure 6-22. IPv6 help
As shown above, IPv6 is not present. Please execute “ipv6 install” in your
Windows XP. Windows Vista/7 turn on IPv6 by default.
6-5-1. General Setup
To enable IPv6, you have to configure the WAN IP setting as “Static” in WAN Configuration.
(Figure 6-23)
Figure 6-23. IPv6 router mode
Enter the WAN IP address, Gateway, and LAN IP address.
(Figure 6-24)
Figure 6-24. IPv6 router mode
Open Command Prompt and execute the “ipconfig” command. An IPv6 address should be shown if you have configured IPv6 successfully.
(Figure 6-25)
Figure 6-25. IPconfig
To test surfing an IPv6 website, you can open an IE browser and enter “http://ipv6.ntct.edu.tw/” in the address bar. If IPv6 works successfully, you will see the following picture.
(Figure 6-26)
Figure 6-26. IPv6 has connected to the network
6-6. VPN IPSec
To obtain a private and secure network link, HiGuard is capable of establishing VPN connections, allowing for secured connections to branch offices and the “on-the-go” mobile workforce. HiGuard not only allows continuous collaboration and exchange of information but also saves time and cost on accessing resources through a secure tunnel. IPSec is a generic, standardized VPN solution with which the administrator can set up an encrypted site-to-site VPN tunnel, with data in transit encrypted by the DES encryption algorithm.
Enabled
Select it to start the connection.
Remote IP Address
The IP or fully qualified domain name of the remote host.
Remote Subnet
This is only available for net-to-net connections and specifies the remote subnet in
CIDR notation.
Preshare Key
Enter a pass phrase to be used to authenticate the other side of the tunnel.
ISAKMP
Provides the way to create the SA (Security Association) between two PCs. The SA governs
the encoding between the two PCs, and the IT administrator can assign which key size or
Preshare Key and algorithm to use. The SA comes in many connection types.
IPSec
Secures IP communication by authenticating and encrypting each IP packet of a
communication session.
Data Encryption Standard (DES)
A widely used method of data encryption using a private key. NIST has indicated DES as
one of the advanced encryption standards. DES applies a 56-bit key to each 64-bit
block of data.
MD5 Message-Digest Algorithm
A widely used cryptographic hash function that produces a 128-bit hash value.
E.g. Assume that branch A (WAN IP 61.11.11.11 / LAN IP 192.168.188.0/24) wants to create a
VPN connection with headquarters B (WAN IP 211.22.22.22 / LAN IP 192.168.200.0/24) to access
data.
Example: Create IPSec connections between Company A and Company B (Headquarter)
Suppose Company A creates a VPN connection with Company B to download shared files.
Company A
WAN IP: 61.11.11.11 LAN IP: 192.168.0/24
Company B(Headquarter)
WAN IP: 211.22.22.22 LAN IP: 192.168.200.0/24
(Figure 6-27)
Figure 6-27. IPSec VPN deployment environment
IPSec VPN Setting Steps
The default gateway of Company A is 192.168.1.1. Follow the steps below.
(Figure 6-28)
Figure 6-28. IPSec VPN Tunnel
Step 1. Company A connects to the HiGuard web UI. Click Network / VPN IPSec.
Step 2. Add VPN. Enter VPN Tunnel Name, Remote VPN Server, and Preshared key.
Step 3. Select ISAKMP Algorithm, ENC Algorithm, AUTH Algorithm, and Group.
Step 4. The VPN IPSec setting is completed. (Figure 6-29, Figure 6-30)
Figure 6-29. IPSec VPN Tunnel Name and WAN network configuration
Figure 6-30. Success to setup IPSec Tunnel
Chapter 7 Log and report
HiGuard logs all its security functions so that you can analyze them and compile statistics. There is
also a search function in all the log pages. Abnormal network behaviors can be located, which helps you fix them.
7-1. Set up
The log function is enabled by default. All logs are stored in the RAM, not the flash
memory. Therefore, all logs will be cleared after reboot.
(Figure 7-1)
Figure 7-1. System log
If you want to keep all logs across reboots, an external syslog server is a good
choice. To have HiGuard send logs to the external syslog server, click “Log and Report / Configuration”, select the “Enable Remote Syslog Server” radio button and enter the syslog server information.
(Figure 7-2)
Figure 7-2. Enable Remote Syslog Server
We use « Tftpd32 » as the example syslog server. It is easy to use and friendly. As you can
see in the following picture, the syslog server is installed on 192.168.1.13 and it receives the logs.
(Figure 7-3)
Figure 7-3. Syslog Server
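Because HiGuard keeps its logs in RAM only, the receiving side is what preserves them across a reboot. The following added example (not part of HiGuard or Tftpd32) is a minimal receiver that decodes each message's priority field and appends it to a file. It assumes HiGuard sends BSD-style syslog over UDP port 514 from its default management IP 192.168.1.1, which the manual does not state; the file name and the sample message are constructed.

```python
import re
import socketserver
from datetime import datetime, timezone

LOG_PATH = "higuard-syslog.log"      # hypothetical output file
ALLOWED_SOURCES = {"192.168.1.1"}    # assumption: logs arrive from the default management IP

# Constructed sample; the manual does not show HiGuard's real message format.
SAMPLE_DATAGRAM = b"<134>Jan  1 00:00:01 HiGuard firewall: SYN flood detected\n"

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"] \
             + [f"local{n}" for n in range(8)]
PRI_RE = re.compile(rb"^<(\d{1,3})>")

def parse_syslog(datagram):
    """Split a datagram into facility, severity and a single-line message."""
    match = PRI_RE.match(datagram)
    if match and int(match.group(1)) <= 191:
        pri, body = int(match.group(1)), datagram[match.end():]
    else:
        pri, body = 13, datagram     # no valid <PRI>: treat as user.notice
    text = body.decode("utf-8", errors="replace").rstrip("\r\n\x00 ")
    # Escape control characters so an embedded newline cannot forge a second record.
    text = "".join(c if c.isprintable() else f"\\x{ord(c):02x}" for c in text)
    return {"facility": FACILITIES[pri >> 3], "severity": SEVERITIES[pri & 7],
            "message": text}

def format_record(source_ip, datagram, received_at):
    """One line per message, stamped with the receiver's own UTC clock."""
    rec = parse_syslog(datagram)
    stamp = received_at.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"{stamp} {source_ip} {rec['facility']}.{rec['severity']} {rec['message']}"

class SyslogHandler(socketserver.BaseRequestHandler):
    def handle(self):
        source_ip = self.client_address[0]
        if source_ip not in ALLOWED_SOURCES:
            return                   # ignore datagrams from other hosts
        datagram = self.request[0]   # for UDP servers, request is (data, socket)
        line = format_record(source_ip, datagram, datetime.now(timezone.utc))
        with open(LOG_PATH, "a", encoding="utf-8") as log_file:
            log_file.write(line + "\n")

if __name__ == "__main__":
    # Binding to port 514 usually requires administrator or root rights.
    with socketserver.UDPServer(("0.0.0.0", 514), SyslogHandler) as server:
        server.serve_forever()
```

The source-address check is only a convenience filter, since UDP source addresses can be spoofed by any host on the LAN.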
7-2. Anti-Virus
When “Enable Anti-Virus” is on in the “Anti-Virus/Overview” page, the anti-virus log is active
according to the log settings you defined in the “Anti-Virus/Configuration” page.
(Figure 7-4)
Figure 7-4. Enable Anti-Virus
The anti-virus system logs every protocol by default. The log is separated by protocol, which
makes it convenient for users to find a specific category of log.
(Figure 7-5)
Figure 7-5. Anti-Virus Log
7-3. Application Guard
The settings in “Application Guard / Configuration” define the log behavior of Application
Guard. For example, if you define all the MSN behaviors as “Log”, then it will log when MSN
behaviors occur.
(Figure 7-6, Figure 7-7)
Figure 7-6. Enable Application Guard
Figure 7-7. Application Guard Log
7-4. URL Keyword Filter
If “Enable Web Guard” in “Application Guard / Overview” is on, all URLs passing through
HiGuard will be checked. Every occurrence will be logged if it matches the web guard signature
database or the user-defined keywords. The following is the web guard log example.
(Figure 7-8)
Figure 7-8. URL Keyword Filter Log
7-5. URL Category Filter
If “Enable URL Filter” in “URL Filter / Overview” is on, all URLs matching your defined
categories will be logged and blocked.
(Figure 7-9)
For example, the “Job” category is selected and
users still try the famous job web site, “104 Job Bank”. All the access is blocked and logged
here. (For more detail, please check section 4-4)
Figure 7-9. Website Category Filter
7-6. Access Control
Rules in “Firewall / Access Control List” (Please check section 5-3) have a “Log” attribute. If
it is “Yes”, all occurrences of that rule will be logged.
(Figure 7-10)
Figure 7-10. Access Control Log
7-7. Firewall Protection
When the Firewall Protection log is enabled, all anomalous sessions and malicious attacks will be logged. The administrator can search logs by date, time, source, destination, protocol, port, and attack type.
(Figure 7-11)
Figure 7-11. Firewall Protection Log
7-8. VPN IPSec
Rules in “Network / VPN IPSec” (Please check section 6-5) have a “Log” attribute.
(Figure 7-12)
If it is “Yes”, all occurrences of that rule will be logged.
Figure 7-12. VPN IP Sec Log