Copyright HotBrick Incorporated, 2003. All rights reserved.
No part of this document may be copied, reproduced, or transmitted by any means, for any purpose
without prior written permission from HotBrick Incorporated.
Disclaimer
HotBrick Incorporated shall not be liable for technical or editorial errors or omissions contained herein;
nor for incidental or consequential damages resulting from furnishing this material, or the performance or
use of the product.
HotBrick Incorporated reserves the right to change the product specification without notice. Information
in this document may change without notice.
Trademarks
Microsoft, Windows 98, ME, 2000, NT, XP are registered trademarks of the Microsoft Corporation. All
other brand and product names mentioned herein may be registered trademarks of their respective
owners.
Customers should ensure that their use of this product does not infringe upon any patent rights.
Trademarks mentioned in this publication are used for identification purposes only and are properties of
their respective companies.
How to Use Port Triggering..................................................................................................... 56
How to Use Standard Transparent Mode ................................................................................... 58
APPENDIX A – Commonly Used Ports and Services..................................................................... 61
APPENDIX B – Common Services and Ports............................................................................... 63
Don’t get hacked, get…
Firewall VPN 600/2 - 1200/2 User Manual
4
Page 5
HotBrick Firewall VPN 600/2 - 1200/2
1. Initial Setup
The Firewall VPN 600/2 - 1200/2 is configurable for a variety of network environments, and will
automatically reconfigure itself, if possible, to avoid collision with your existing networks.
Each HotBrick box contains the following:
1 HotBrick 1200/2 Firewall VPN or 1 HotBrick 600/2 Firewall VPN
1 Power Cord
2 Patch Cables (1 red cross over cable, 1 blue straight-thru patch cable)
2 Mounting Brackets
4 Mounting Screws
Connect either a 568A or 568B standard straight-thru network patch cable plug from one of the LAN ports
of the Firewall VPN 600/2 - 1200/2 to the network card of a client computer.
1. Plug in the power cable into your Firewall VPN 600/2 - 1200/2.
2. Power on your client computer.
3. Verify you client computer has the following network setup.
Windows 2000 Professional
StartÆSettingsÆNetwork and Dial-up connectionsÆLocal Area Connection (Figure 1.1)
Don’t get hacked, get…
Windows 2000 Professional, Network configuration
Figure 1.1
Firewall VPN 600/2 - 1200/2 User Manual
5
Page 6
This will bring up a window like Figure 1.2.
Windows 2000 Professional, Local Area Connection Status, Properties button circled.
HotBrick Firewall VPN 600/2 - 1200/2
Figure 1.2
Click on the properties button to bring up a window like Figure 1.3. First click on Internet Protocol
(TCP/IP), then click the properties button.
Windows 2000 Professional, Local Area Connection Properties, TCP/IP marked, Properties button circled.
Don’t get hacked, get…
Figure 1.3
Firewall VPN 600/2 - 1200/2 User Manual
6
Page 7
HotBrick Firewall VPN 600/2 - 1200/2
This should bring up the Internet Protocol (TCP/IP) Properties page, please make sure that both “Obtain
an IP address automatically,” and “Obtain DNS server address automatically” are both selected.
Windows 2000 Professional, Internet Protocol (TCP/IP) Properties
Figure 1.4
The Firewall VPN 600/2 - 1200/2 will automatically assign your computer an IP address, netmask and
gateway.
You can verify this by opening a command or Ms-Dos prompt on your windows machine and typing
ipconfig into the command line. You should see something like Figure 1.5.
*Note: The default configuration for the Firewall VPN 600/2 - 1200/2 is to allocate a 192.168.1.1/24 IP
address with a gateway of 192.168.1.1. If that does not work use 172.16.0.1
Verify your setup using the command line and typing ipconfig
Figure 1.5
If you fail to receive an IP address, netmask, and gateway, the result from ipconfig may look something
like Figure 1.6. To remedy this, please reboot your client computer, and try the previous steps again.
Don’t get hacked, get…
Firewall VPN 600/2 - 1200/2 User Manual
7
Page 8
Figure 1.6
If your computer fails to receive DHCP, this is what may appear when you type ipconfig
HotBrick Firewall VPN 600/2 - 1200/2
More advanced windows users can try typing ipconfig /renew as seen in Figure 1.7.
Renew your DHCP allocation using ipconfig /renew
Figure 1.7
If this should still fail, you can try manually configuring your client computer.
Don’t get hacked, get…
Firewall VPN 600/2 - 1200/2 User Manual
8
Page 9
HotBrick Firewall VPN 600/2 - 1200/2
2. Logging In
Once you have physically connected the necessary network cables and powered up both the Firewall VPN
600/2 - 1200/2 and the client machine, and verified your network setup on the client computer, you need
to open a SSL enabled web browser that can handle forms and connect to the web GUI of the Firewall
VPN 600/2 - 1200/2
Using the gateway IP that is displayed when you type ipconfig, open up a browser, and type in (in the
case shown before) https://172.16.0.1:8443
192.168.1.1, type https://192.168.1.1:8443
Type https://172.16.0.1:8443
into the URL field. If you have some other gateway, such as
into the URL field.
Figure 2.1
or other gateway IP address shown when you type ipconfig
You will see a Security Alert popup dialog box (Figure 2.2) warning you that you are switching to a secure
connection, followed by a second Security popup dialog box warning about the details of the actual
security certificate (Figure 2.3). Click through these dialog boxes answering in the affirmative and you will
see the login interface (Figure 2.4).
Don’t get hacked, get…
Secure connection security alert with URL highlighted.
Figure 2.2
Firewall VPN 600/2 - 1200/2 User Manual
9
Page 10
HotBrick Firewall VPN 600/2 - 1200/2
Security certificate security alert with URL highlighted
Figure 2.3
Firewall VPN 600/2 - 1200/2 login interface
Figure 2.4
The default login is “admin” with a password “123456” (Figure 2.5). If you should enter any of the above
incorrectly, the Firewall VPN will let you know (Figure 2.6).
Don’t get hacked, get…
Firewall VPN 600/2 - 1200/2 User Manual
10
Page 11
HotBrick Firewall VPN 600/2 - 1200/2
Firewall VPN1200 login interface with default login entered
Figure 2.5
Don’t get hacked, get…
Incorrect account or password
Figure 2.6
11
Firewall VPN 600/2 - 1200/2 User Manual
Page 12
HotBrick Firewall VPN 600/2 - 1200/2
3. Changing the Administrator Account and Password
Once you have logged in, the first thing you should do is change the administrator password and/or the
administrator account name. To do this from the default login screen, click on the Advanced Setup button
on the left panel to access the advanced menus (Figure 3.1).
Default login screen with Advanced Setup button circled
Figure 3.1
The advanced menus are a series of links across the top in alphabetical order, matched with tabs specific
to the selected menu. The default page showing when you click on the Advanced Setup button will be the
Basic Setup menu with the Status tab selected (Figure 3.2).
Don’t get hacked, get…
Default Advanced Setup page with advanced menus circled
Figure 3.2
Firewall VPN 600/2 - 1200/2 User Manual
12
Page 13
HotBrick Firewall VPN 600/2 - 1200/2
From here, click on the System Service menu link to bring up the System Service tabs. The default tab
showing will be the Time tab which allows you to configure the Firewall VPN’s clock. You are looking for
the Administrator tab (Figure 3.3). Click on it to bring up Figure 3.4.
System Service tabs with Administrator tab circled.
Figure 3.3
Administrator tab with Administrator Status block marked.
Figure 3.4
Once on this tab, you can see immediately the first item on the page is the Administrator account
information (Figure 3.4). This should be fairly self-explanatory; Name is the current login name of the
administrator, Old Password is the old password, New Password is the password you want to change the
old password to, Verify is a second New Password field to be sure you have not mistyped it the first time,
and E-mail Address is the email address of the administrator, to which critical email messages from the
Don’t get hacked, get…
Firewall VPN 600/2 - 1200/2 User Manual
13
Page 14
HotBrick Firewall VPN 600/2 - 1200/2
Firewall VPN will be sent. Make any changes to these fields as you like. These changes are not final until
you scroll down and click on the Update button (Figure 3.5). The Firewall VPN will verify it has performed
the change (Figure 3.6). Click Exit to return to the Administrator tab. Note: You may change the
administrator login name and the email address without entering a password. Changing the password is
the only function that requires a reconfirmation of the old password. Additionally, the administrator login
name cannot have any slashes (“/” or “\”) or spaces and is limited to 16 characters, while the password
cannot have any spaces, backslashes (“\”), or periods and is limited to 12 characters.
Congratulations, you have performed your first Firewall VPN customization!
Administrator tab with Update button circled.
Figure 3.5
Figure 3.6
Password Updated Confirmation Screen
Don’t get hacked, get…
Firewall VPN 600/2 - 1200/2 User Manual
14
Page 15
HotBrick Firewall VPN 600/2 - 1200/2
4. Configuring the Firewall VPN for Your Network
To configure your Firewall VPN for the first time we recommend using the Setup Wizard, which can be
accessed at any time from a similarly named button on the left menu (figure 4.1).
System Service menu, Administrator tab with the Setup Wizard button circled.
Figure 4.1
Clicking on the Setup Wizard button will bring up the first of four major steps to configuring your Firewall
VPN, Network Mode (Figure 4.2). You might notice along the top there are different menus, Network
Setup, Network Policy, and Add VPN Tunnel. These menus lead to different wizards covering the major
aspects of your Firewall VPN; network configuration, Firewall rules, and adding new VPN tunnels
respectively.
This mode refers to the network configuration in which the Firewall VPN external IP and DMZ IP’s share
the same subnet, but the LAN uses a private addressing scheme for its IP’s. This is one of the most
common network configurations for fixed external IP’s on broadband connections; with the only major
difference between implementations is how LAN IP addresses are handled.
NAT with PPPoE Client:
This mode is similar to the NAT only network configuration except that your ISP configures the gateway
IP address and Firewall VPN external IP and netmask. There is no DMZ in this configuration, since PPPoE
only supports the auto-configuration of a single “dial-up” machine by the ISP. This is increasingly
becoming a common network configuration for the home user subscribing to ADSL.
NAT with DHCP Client:
This mode is similar to the NAT with PPPoE Client network configuration except that instead of using
PPPoE, the Firewall VPN obtains its gateway, external IP and netmask from a DHCP server. This is not to
be confused for using DHCP in your own LAN, but rather DHCP for configuring your external real IP of
the Firewall VPN. Like the PPP and PPPoE configurations, there is no DMZ.
Depending on the type of network mode you choose, your second step, the configuration of real IPs of
your Firewall VPN, will vary.
If you selected NAT only, your second step (Figure 4.3a) will again consist of filling in the blanks
corresponding to information given to you by your ISP.
The third step is for configuring the internal IP of the Firewall VPN. Naturally for Standard Transparent
mode, which has no internal IP, this step needs no configuration (Figure 4.4a). However for all NAT
modes, this step is the same. You may notice the Firewall VPN is already configured for a 192.168.0.1/16
network (Figure 4.4b). Simply change these values to match your internal network needs. All computers
connecting to the LAN ports of the Firewall VPN require the IP entered here as their gateway.
Don’t get hacked, get…
Firewall VPN 600/2 - 1200/2 User Manual
17
Page 18
Figure 4.4a
Setup Wizard, Network Setup 3/4, Network Settings, Standard Transparent
HotBrick Firewall VPN 600/2 - 1200/2
Setup Wizard, Network Setup 3/4, Network Settings, all NAT modes
Figure 4.4b
The fourth and final step for configuring the network setup of the Firewall VPN is setting the Firewall VPN’s
hostname and primary DNS. The hostname cannot have any uppercase or otherwise non-alphanumeric
characters. Once you have filled in this information, click Finish to finalize your network configuration.
Setup Wizard, Network Setup 4/4, Network Settings, all modes.
Figure 4.5
Don’t get hacked, get…
Firewall VPN 600/2 - 1200/2 User Manual
18
Page 19
HotBrick Firewall VPN 600/2 - 1200/2
Clicking on finish will bring up a screen that shows text similar to Figure 4.6. You might notice there is a
thirty second countdown in the lower left hand status bar. When the countdown is finished, the Firewall
VPN will confirm what mode you have selected, and then will ask you to reconnect (Figure 4.7).
Congratulations, your Firewall VPN is now ready to be placed into your network!
By default, the Firewall VPN is completely open to minimize installation problems. However, this is not
optimal in terms of information security. To begin configuring the firewall, click on the Setup Wizard
button on the left menu. This will bring up the Network Settings Wizard (Figure 4.2). As noted before, the
menus along the top change to reflect the three major wizards for the Firewall VPN. In this case we are
interested in the Network Policy link (Figure 5.1).
Setup Wizard, Network Setup screen, Network Policy link circled.
Figure 5.1
After clicking on the Network Policy link, you will see a screen similar to Figure 5.2. This was designed for
quickly adding and removing services, critical for your network needs. Most of the common services can
be added via the Common Services radio button and pull down menu (Figure 5.3).
Don’t get hacked, get…
Setup Wizard, Network Policy.
Figure 5.2
20
Firewall VPN 600/2 - 1200/2 User Manual
Page 21
HotBrick Firewall VPN 600/2 - 1200/2
Setup Wizard, Network Policy, Common Services pull down menu
Figure 5.3
Adding services to the Firewall VPN becomes easy as you select the service and click on the Apply button.
As you add each service, the list under Delete & Modify Services will grow (Figure 5.4).
Setup Wizard, Network Policy, after adding services.
Figure 5.4
If a service you want to add is not listed under Common Services, you can add a Special Service. Select
the Special Service radio button; fill in a name, the port, and protocol it will use. By default all services
are rate limited to thirty initial packets per second. For a small to medium sized company this is more
than enough for normal usage (Figure 5.5). Click on Apply to add it to the list.
Don’t get hacked, get…
Firewall VPN 600/2 - 1200/2 User Manual
21
Page 22
HotBrick Firewall VPN 600/2 - 1200/2
Setup Wizard, Network Policy, adding a special service.
Figure 5.5
After adding the services, you should decide that you no longer want that service, click on the delete
checkbox corresponding to the Service and click Apply. You can remove more than one service at a time
(Figure 5.6).
If you only want to modify some of the settings of a service, you can click on the name of the service
itself make the changes (Figure 5.7). This will bring you to a service modification page (Figure 5.8). Make
you modifications here, and click on Update to finish.
Don’t get hacked, get…
Firewall VPN 600/2 - 1200/2 User Manual
22
Page 23
HotBrick Firewall VPN 600/2 - 1200/2
Setup Wizard, Network Policy, “Custom” service circled.
Figure 5.7
Advanced Setup, Modify Service, “Custom” service modification
Figure 5.8
Once you are finished, be sure to go to the Advanced Setup, Network Policy menu. The default tab
showing will be the Services tab. Then uncheck Others Services and Ports and click Update. This will close
the Firewall VPN and only allow the specified services through. (Figure 5.9)
Don’t get hacked, get…
Advanced Setup, Network Policy, Services, closing the Firewall VPN
Figure 5.9
Firewall VPN 600/2 - 1200/2 User Manual
23
Page 24
HotBrick Firewall VPN 600/2 - 1200/2
6. Adding a VPN tunnel
Adding a new tunnel can also be done through the Setup Wizard. Click on the Setup Wizard button on the
left and then click on the Add VPN Tunnel link along the top. This will bring up the first step of the wizard
for adding a new VPN Tunnel (Figure 6.1). This wizard is only for adding simple tunnels that do not
require X509 certificates.
Setup Wizard, Add VPN Tunnel, first step
Figure 6.1
Enter a tunnel name and click Next. This will take you to the second step (Figure 6.2). This step concerns
itself with the type of authentication you wish to use. Most simple tunnels use pre-shared keys in which
both sides of a VPN connection share the same secret key. More secure is the RSA signature, in which
both sides generate a RSA key pair, one private and one public. You share your public key with everyone
so that they can encrypt information intended for you with that public key and only your private key can
decrypt that information. So if you intend to use an RSA signature to authenticate the VPN you will need
the public key of the machine you will connect to and vice versa. Select the type you intend to use and
click on Next.
Don’t get hacked, get…
Setup Wizard Add VPN Tunnel, second step
Figure 6.2
24
Firewall VPN 600/2 - 1200/2 User Manual
Page 25
HotBrick Firewall VPN 600/2 - 1200/2
Selecting pre-shared key will bring up a screen to enter the pre-shared key (Figure 6.3a). Enter a preshared key, hopefully a big more devious than the example, and click Next to continue.
Selecting a RSA signature will bring up a screen to enter the RSA public key of the remote machine with
whom you intend to build a tunnel (Figure 6.3b). Copy and paste in the public key, and click Next to
continue. Be careful to watch for new line characters, as they also count as spaces and will cause the
Firewall VPN to complain about the key.
The Firewall VPN supports the gamut of VPN protocols; step three allows you to select what protocol you
intend to use for this connection. The remote site must support the same protocols you select here. Click
Next to continue.
The fourth step is the network configuration of the Firewall VPN you are currently performing
administrative functions upon. The Firewall VPN will attempt to fill in previously entered values; there
should be no problem in simply clicking Next to continue.
Setup Wizard, Add VPN Tunnel, step four, source city networking.
Figure 6.5
The fifth and last step of adding a new VPN tunnel is the network configuration of the remote site. Since
the Firewall VPN does not have any administrative access to the remote site, this information must be
completely entered by hand. (Figure 6.6) Click on Finish once you are done to finalize adding a new
tunnel. The tunnel will not be created until you hit finish.
Don’t get hacked, get…
Firewall VPN 600/2 - 1200/2 User Manual
26
Page 27
HotBrick Firewall VPN 600/2 - 1200/2
Setup Wizard, Add VPN Tunnel, step five, destination city networking
Figure 6.6
For more information on how to configure the connection for your remote users to your corporate office,
please refer to page 43, sections “Configure a VPN Connection to Your Corporate Network in Windows
2000” or “Configure a VPN Connection to Your Corporate Network in Windows XP”
Don’t get hacked, get…
Firewall VPN 600/2 - 1200/2 User Manual
27
Page 28
HotBrick Firewall VPN 600/2 - 1200/2
7. Overview of Advanced Setup
Basic Network Setup
Status
This is the first page of the Firewall VPN web administration interface after logging in. This page displays
various pieces of information about your Firewall VPN and its current runtime performance. To return to
this page later, simply click on the “Basic Setup” menu button.
Figure 7.1
Setup
The next tab under the Basic Setup menu button is the Setup tab. This tab allows you to configure the
Firewall VPN to conform to your internal network. The first option is the Network Mode. Please refer to
section 4. “Configuring the Firewall VPN for Your Network” for more detail about each mode.
Figure 7.2
Network Modes
You might note that the network picture below changes from mode to mode, this is because of the
nature of each mode lends itself to different network configurations.
Don’t get hacked, get…
Firewall VPN 600/2 - 1200/2 User Manual
28
Page 29
HotBrick Firewall VPN 600/2 - 1200/2
Don’t get hacked, get…
Figure 7.3
NAT Only Mode
Firewall VPN 600/2 - 1200/2 User Manual
29
Page 30
HotBrick Firewall VPN 600/2 - 1200/2
Don’t get hacked, get…
Figure 7.4
NAT with PPPoE Client
Firewall VPN 600/2 - 1200/2 User Manual
30
Page 31
HotBrick Firewall VPN 600/2 - 1200/2
Don’t get hacked, get…
Figure 7.5
NAT with DHCP Client
Firewall VPN 600/2 - 1200/2 User Manual
31
Page 32
HotBrick Firewall VPN 600/2 - 1200/2
Load Balance
This function allows you to setup network for “Load Balance”. The Firewall VPN’s “Load Balance” function
can select one of the Fixed IP, PPPoE or DHCP. The load balance in HotBrick works in the following way:
1. When you have both of your connections active, HotBrick will be constantly checking in which of the
connections is faster at that time. For example, if the link in the WAN1 is having a lot of traffic then
when the requests from your users will be directed preferably to the WAN2. It also works the other
way around.
2. If for whatever reason your connection in either of the WAN connections is down, then the remaining
connection will maintain your access to the Internet.
Figure 7.6
Load Balance
You can also specify in this tab the number of times HotBrick will try to reestablish the connection you
have for your PPPoE or DHCP connection if for any reason it goes down. By default number of attempts is
5.
Monitor
This function allows you to get a quick overview of the Firewall VPN’s status. By selecting which
summary report you want to display and then clicking “Update” you can view the current statistics for
the given report. You may select more than one at a time, and they will all be displayed in a single pop
up window sequentially. The reports will refresh in the pop up window every seven seconds. To close
this pop up window you can click the “Exit” button at the bottom of the page or click on the close
window icon for your browser.
Traffic Control
This summary report shows current bandwidth usage statistics for each service listed under the
Network Policy Services Tab (This is the default tab that is displayed when you click on the Network
Policy menu button).
VPN Tunnel
This summary report shows the current status of all VPN tunnels.
Don’t get hacked, get…
32
Firewall VPN 600/2 - 1200/2 User Manual
Page 33
HotBrick Firewall VPN 600/2 - 1200/2
DoS
This summary report shows all logged DoS attacks detected and stopped by the Firewall VPN.
Monitor with Traffic Control and DoS selected.
Figure 7.7
Network Policy
This menu button allows for configuration of the Firewall VPN to conform to your organization’s security
policies and information security needs.
Service
This is the default tab that is displayed when you click on the “Network Policy” menu button. This shows
a list of services currently known by the Firewall VPN.
Rules
This list of services known by your Firewall VPN allows for quick enabling and disabling of traffic flows in
any given direction through the Firewall VPN. To clarify, these flows, LAN to WAN/DMZ, WAN to
LAN/DMZ, and WAN to LAN refer to the capability of the source network to access a server in the
destination network. For example, DMZ/LAN to WAN is the direction of network traffic flowing from your
local network (DMZ/LAN) to the Internet, referred to as the WAN or wide area network. By clicking the
checkbox and thereby enabling this traffic flow for a given service, you allow users from your DMZ or
LAN to access that given Internet service from some Internet server. In many cases enabling this flow
alone is enough for the typical end-user, since by doing so you do not restrict flow back through the
firewall for established TCP connections to Internet servers. Likewise for WAN to DMZ and WAN to LAN,
this allows users from the Internet to access servers that you are providing in your DMZ and or LAN, but
does not restrict data flowing back to these Internet clients for established connections to your servers.
Don’t get hacked, get…
Firewall VPN 600/2 - 1200/2 User Manual
33
Page 34
HotBrick Firewall VPN 600/2 - 1200/2
The final column, “One to One NAT Server,” will not show any servers for any services unless you are
using one of the NAT modes and add a server into your LAN. The latter of which can be done through
the “Add Service” tab, or by clicking on the “Intranet” menu button, then the “One to One NAT” tab. This
will be covered in more detail later.
To make changes to this page, and therefore to network policy through the Firewall VPN, simply click on
the checkbox desired and click “Update” at the bottom of the list.
Network Policy, Services tab
Figure 7.8
Add Service
This tab allows the administrator to add and remove services from the Firewall VPN. You might note that
under “Service List,” the Firewall VPN lists all of the known services by increasing port number order,
regardless if they are enabled or not. Common services, such as email and web access can be quickly
added and removed, since they are included by default into the Firewall VPN database of services. To
add such a service, simply click on the radio button for Common Services, select the service desired
from the pull down menu, and click on the “Update” button at the bottom of the screen.
In the event that the service you wish to add is unlisted, you can add the service manually clicking on
the Special Service radio button, filling in some name, the port, and the protocol that the service will
use. The name may not have any spaces or dashes. It might take some investigation to find the
correct settings to enable a custom service.
You might notice that the “Transmission Rate” and the “New Rule” fields are filled in with some default
values as you select what service or what protocol to use. The “Transmission Rate” field allows you to
control possible attacks over a given service by limiting the number of new connections per second. If
the value set for “Sync Packets/Sec” is exceeded, then those connections above the threshold will be
dropped and logged, under the “Log” menu button. The “New Rule” options allow you to configure the
service being added for the directions of traffic you want enabled for the new service.
After adding a new service, it will be added to the list below, for further modification. To modify an
existing service, click on the underlined name in this list, and it will bring up a window for changing the
port, protocol, and the “Sync Packets/Sec,” the number of new connections before the Firewall VPN
Don’t get hacked, get…
Firewall VPN 600/2 - 1200/2 User Manual
34
Page 35
HotBrick Firewall VPN 600/2 - 1200/2
begins dropping packets for that service. To delete a service from the Firewall VPN database, click on
the delete checkbox next to the desired service and click “Update” at the bottom of the screen.
Example: Let’s open MSN Messenger ports for file transfer. Per the product documentation you have to
open as many TCP ports between 6891 and 6900.
Click in “Special Service”, type the a name for it like MSN_Messenger, choose the “Protocol” to TCP, then
type the port range separating the lower and the higher ports using a colon, like Æ 6891:6900. Hit
Update and you will see the new service in the “Service List”.
Network Policy, Add Service tab
Figure 7.9
Special Rules
This tab allows the administrator to allow or deny a service from a user or group of users. This page is
closely linked with the first “Services” tab. This can be exemplified by enabling some of the traffic flows
for “Other Services and Ports” on the “Services” tab, then clicking back to the “Special Rules” tab to
view the changes.
To enable a service for a single user or group of users and deny the service to all other users, go back to
the “Services” tab, and disable all directions of traffic for the service in question. Then return to the
“Special Rules” tab, select the service from the pull down menu, select the “Allow” radio button, and
then configure the direction of the traffic. To do the last step requires knowledge from which part of your
network you will be attempting to access the service and to which part of the network the service is
being served, whether it is the LAN, DMZ, WAN. The character ‘*’, is a wildcard character meaning all
networks. Additionally you must know the IP addresses of both the source networks for which you would
like to have this service available too and the destination networks from which you expect will be serving
this service.
To disable a service for a single user or group of users, and allow the service for all other users, make
sure that the service has been enabled on the “Services” tab, and then return to the “Special Rules” tab.
Again, select the service from the pull down menu, select the “Deny” radio button, and then configure
the direction of the traffic.
Don’t get hacked, get…
Firewall VPN 600/2 - 1200/2 User Manual
35
Page 36
HotBrick Firewall VPN 600/2 - 1200/2
To remove any such special rules for a service, simply click on the checkbox next to the specific rule you
want to remove and click “Update” at the bottom of the screen.
Network Policy, Special Rules
Figure 7.10
Session Control
This tab allows you to control how the Firewall VPN handles sessions. More specifically, how long the
Firewall VPN will wait for each part of a session’s lifespan before closing the connection. For your
reference, a simplified diagram of the TCP/IP handshake is provided (Figure 7.12).
• TCP SYN-SENT
The time you put into this field will be the length of time the Firewall VPN will wait for a
Don’t get hacked, get…
Figure 7.11
TCP/IP handshake diagram
36
Firewall VPN 600/2 - 1200/2 User Manual
Page 37
matching SYN-RECV from the remote server before dropping the connection.
HotBrick Firewall VPN 600/2 - 1200/2
• TCP SYN-RECV
This happens when a server in your network transmits a TCP SYN-RECV, Firewall VPN will wait
the length time entered here for a TCP ACK, or acknowledgement from the remote client.
•TCP ESTABLISHED
This is the data transfer phase of an establish TCP connection, the firewall will maintain an idle
session for only as long as the time entered here.
• TCP FIN-WAIT
The Firewall VPN will wait the time entered for a FIN ACK, or a connection termination
acknowledgement from a remote server.
• TCP CLOSE-WAIT
The Firewall VPN will wait the time entered to successfully send a TCP LAST-ACK, or connection
termination request to a remote client.
• TCP LAST-ACK
The Firewall VPN will wait the time entered to receive a TCP ACK, or a connection termination
acknowledgement, from a remote client.
• TCP TIME-WAIT
The Firewall VPN will wait the time entered to receive a TCP LAST-ACK, or a final connection
termination acknowledgement, from a remote server.
• TCP CLOSED
The Firewall VPN will wait the time entered to maintain the TCP connection in closed state.
• UDP session idle timeout
The length of time the firewall will maintain a UDP session with no activity.
Don’t get hacked, get…
Network Policy, Session Control
Figure 7.12
37
Firewall VPN 600/2 - 1200/2 User Manual
Page 38
HotBrick Firewall VPN 600/2 - 1200/2
Anti-DoS
This tab allows you to enable the Firewall VPN built-in defenses to common DoS attacks. Disabling is as
easy as clicking disable and then Update. You can disable and enable multiple attacks at once. Since the
last four attacks are not attacks based on flawed TCP/IP stacks, they are regulated instead by rate
limiters. To disable these, set the limit to zero.
Figure 7.13
Network Policy, Anti-DoS
IPS
This tab allows you to enable the Firewall VPN built-in defenses to common IPS (Intrusion Prevention
Systems) attacks. Disabling is as easy as clicking disable and then Update. You can disable and enable
multiple attacks at once. Also can select both Log and Drop or one.
Don’t get hacked, get…
Firewall VPN 600/2 - 1200/2 User Manual
38
Page 39
Figure 7.14
Network Policy, IPS
HotBrick Firewall VPN 600/2 - 1200/2
Traffic Control
This tab shows current bandwidth usage for the three directions of traffic flow through the Firewall VPN.
It also allows the administrator to set traffic limiters for each individual service, to ensure quality of
service. Refer to the section above if you are still unclear about the directions of traffic.
Network Policy, Traffic Control
Figure 7.15
VPN
This menu allows the administrator to manage, add, and delete VPN tunnels that are routed through the
Firewall VPN.
Status
This tab allows for quick management of existing VPN tunnels. Selecting the tunnel type will show
tunnels corresponding to that type. If you disable the tunnel status, no VPN tunnel can be established
with your Firewall VPN and existing tunnels will be shutdown. This is a quick way to shutdown all
tunnels.
Don’t get hacked, get…
Firewall VPN 600/2 - 1200/2 User Manual
39
Page 40
Figure 7.16
VPN, Status tab, two disabled VPN showing, and no refresh
Configure
This tab is for adding new L2TP/IPSec VPN tunnels.
HotBrick Firewall VPN 600/2 - 1200/2
Figure 7.17
VPN, Configure tab
Certificate
This tab is for managing, adding, and deleting certificates from third party certificate authorities.
Don’t get hacked, get…
Firewall VPN 600/2 - 1200/2 User Manual
40
Page 41
HotBrick Firewall VPN 600/2 - 1200/2
VPN, Certificate tab, sample RSA public key
Figure 7.18
RADIUS
This tab is for configuring the Firewall VPN to dial into a RADIUS server, to configure the Firewall VPN to
be a RADIUS server itself, as well as management of any clients that will use the Firewall VPN as a
RADIUS server.
VPN, RADIUS tab, sample dial-up information for the Firewall VPN to dial another RADIUS server for remote
Figure 7.19
authentication.
Don’t get hacked, get…
Firewall VPN 600/2 - 1200/2 User Manual
41
Page 42
HotBrick Firewall VPN 600/2 - 1200/2
Users
This tab is for managing, adding, and deleting of users for all VPN tunnels. You must tell what kind of
tunnels your users can access and their password. After you’re done creating them, go to the
“PPTP/L2TP” tab to configure the tunnel you wish to use if creating a tunnel of that kind.
Figure 7.20
VPN, Users tab
PPTP/L2TP
This tab is for management of the PPTP and L2TP settings. To create a PPTP or L2TP tunnel for your
remote users, click either in “PPTP Remote IP” or “L2TP Remote IP” and define the ranges that you want
to give your remote users when they gain access to your corporate network. Do not forget to change the
tunnel status to “Enable” when configuring your PPTP or L2TP tunnel.
Don’t get hacked, get…
Figure 7.21
VPN, PPTP/L2TP tab
Firewall VPN 600/2 - 1200/2 User Manual
42
Page 43
View Log
This tab is for viewing all logs related to the VPN.
VPN, View Log tab
HotBrick Firewall VPN 600/2 - 1200/2
Figure 7.22
Don’t get hacked, get…
Firewall VPN 600/2 - 1200/2 User Manual
43
Page 44
HotBrick Firewall VPN 600/2 - 1200/2
How to Configure the HotBrick Firewall VPN Server for Remote User access
The first thing you have to do is decide which kind of encryption you’re going to use in the VPN connection
you’re about to create. You have the option to use either PPTP or L2TP.
After you decide what kind of tunnel will be used, we need to create its users. Let’s create PPTP tunnels
for this example, but if you plan to use L2TP the steps are the same, just make sure to apply the patches
explained at the end of this section about your Windows clients’ connections.
1. Click in Advanced Setup
2. On the top menu choose VPN
3. In VPN, choose the tab Users.
4. In this tab you will give them a username, then click in the checkbox VPN, then create and
confirm the password. When you’re done hit Update.
Now let’s configure the tunnel:
1. On the top menu choose VPN
2. Click in the tab PPTP/L2TP.
3. In this tab go to the section IP Configure, click in the link PPTP Remote IP.
4. In the section Add PPTP/L2TP IP Range, choose the radio button PPTP and let’s use a range of
10 IPs for this example, so let’s type 230 to 239 (assuming that the IP schema you have in your
network is 192.168.1.X), when you’re done hit Update.
5. On the top menu choose VPN
6. Click in the tab PPTP/L2TP.
7. Under the section Status, choose the option Enable under PPTP
8. In the section PPTP Settings, keep all the authentications protocols and PPP encryptions checked.
In the Maximum Connect Time leave the as 0, and in the Primary DNS and Secondary DNS use
the information provided by your ISP.
9. Hit Update
You’re done configuring the HotBrick. Now it’s time to configure the client side, just follow the steps for
your windows client computer.
Configure a VPN Connection to Your Corporate Network in Windows 2000
To create a VPN connection under Windows 2000, you should:
1. Go to the Control Paneland then Network and Dial-up Connections
2. Select Make New Connection. This will open the Network Connection Wizard.
3. Select the option Connect to a private network through the Internet and click Next.
4. Because you are already connected to the Internet, click Do not dial the initial connection.
Click Next.
5. In the Host name field, enter the IP address for the HotBrick to which you are connecting
6. Select whether you want the connection to be available for all users/accounts on your machine, or
just for yourself. Click Next.
7. Finally choose a name for the connection and click Finish. You can specify for a shortcut to be
added to your desktop if required.
Configure a VPN Connection to Your Corporate Network in Windows XP
How to Create a New VPN Connection
1.To open the Network Connections folder, click Start, click Control Panel, click Network and
Internet Connections, and then double-click Network Connections.
2.Click Create a new connection, and then click Next. Click Connect to the network at my
workplace, and then click Next.
Don’t get hacked, get…
Firewall VPN 600/2 - 1200/2 User Manual
44
Page 45
HotBrick Firewall VPN 600/2 - 1200/2
3. Click Virtual Private Network connection, click Next. Type a descriptive name for your
company, and click Next.
4. Because you are already connected to the Internet, click Do not dial the initial connection.
5. Type the host IP address for the HotBrick to which you are connecting, and then click Next.
6. Choose whether you want this connection to be shared by all users (Anyone's use) of this
computer, or only for yourself (My use only).
7. Click Next, and then click Finish to end the Setup process.
How to Modify the VPN Connection to use L2TP
1. To open an existing connection, click Start, click Control Panel, click Network and Internet
Connections, and then double-click Network Connections.
2. Click the connection, and then click Change settings of this connection.
3. On the General tab, you can change the IP address for the HotBrick to which you are connecting
if you want or need to.
4. On the Networking tab, you can change the type of secure protocol to L2TP IPSec VPN.
5. On the Security tab, click in the Advanced option, and click in the Settings button.
6. On the drop down menu choose, Requires Encryption (disconnect if the server declines).
7. In Logon Security, click in Allow These protocols:
a. Unencrypted Password (PAP)
b. Challenge Handshake Authentication Protocol (CHAP)
c. Microsoft CHAP
d. Microsoft CHAP Version 2
e. Click OK, and OK again.
Note: If you are creating a L2TP tunnel to your remote office from your client computer, Microsoft has
released an update package to enhance the current functionality of the Layer Two Tunneling Protocol
(L2TP) and Internet Protocol security (IPSec) on computers that are running Windows XP or Windows
2000. We strongly recommend that you apply these patches.
Please review the article number 818043: L2TP/IPSec NAT-T Update for Windows XP and Windows 2000:
Also it will be necessary to disable IPSec policy in order for the L2TP tunnel to work, go to the article
258261: Disabling IPSEC Policy Used with L2TP for the step-by-step on how to perform this procedure.
This menu is for filtering web content to conform to your organization’s policies. The rules for this can be
quite complex but are based on the regular expression engine used on *NIX systems. Additionally, the
web filter can support multi byte characters.
Character Matches Examples
\ Quote the next character \. => .
. any single character l.ve => love, live, l-ve, …
? 0 or 1 matches to the preceding
These regular expressions can be combined for maximum effect to block a range of possible URL and
content string matches. For example, foreignaffairs?\.c. can block:
foreignaffair.com, foreignaffairs.com, foreignaffairs.cc, foreignaffair.cx, foreignaffair.cc and so on…
URL
This tab is for filtering web content based on its URL, or universal resource locator. You can block a
specific domain or use fuzzy logic to block domains with similar names.
Don’t get hacked, get…
Web Filter, URL Filter tab, sample filters in place
Figure 7.23
Firewall VPN 600/2 - 1200/2 User Manual
46
Page 47
Schedule
This tab is for setting up a schedule to filter content.
Figure 7.24
Web Filter, Schedule tab, sample schedules in place
HotBrick Firewall VPN 600/2 - 1200/2
Access Forbidden when attempting to access a page that is screened out by the content filter.
Figure 7.25
Intranet
This menu is for configuring your Intranet, referred to earlier as the LAN, or local area network.
DHCP Information
This tab is for a quick overview and basic configuration of the Firewall VPN’s built-in DHCP server.
Don’t get hacked, get…
Firewall VPN 600/2 - 1200/2 User Manual
47
Page 48
DHCP Add & Del
HotBrick Firewall VPN 600/2 - 1200/2
Figure 7.26
Intranet, DHCP Information tab, sample settings in place.
This tab is for configuring the Firewall VPN’s built-in DHCP server. More specifically, this page allows the
administrator to add new ranges to the dynamic IP allocation, or add fixed IP allocations for specific
machines.
Intranet, DHCP Add&Del tab
Figure 7.27
One to One NAT
This tab is for configuring the Firewall VPN to allow users from the DMZ or Internet (WAN), to access
servers in the Intranet (LAN).
Don’t get hacked, get…
Firewall VPN 600/2 - 1200/2 User Manual
48
Page 49
System Service
HotBrick Firewall VPN 600/2 - 1200/2
Figure 7.28
Intranet, One to One NAT tab
This menu is to configure the Firewall VPN’s system. Items such as system time, backup, and version are
included in this.
Time
This tab shows the current system time, and allows the administrator to synchronize the time or
schedule when they would like synchronization with a network timeserver to take place.
Figure 7.29
System Service, Time tab
Administrator
This tab allows the administrator to change information pertaining to the “Administrator” account. In
addition it allows for configuration of remote (Internet) administration of the Firewall VPN.
Don’t get hacked, get…
Firewall VPN 600/2 - 1200/2 User Manual
49
Page 50
HotBrick Firewall VPN 600/2 - 1200/2
System Service, Administrator tab
Figure 7.30
Figure 7.31
Time out screen
Version
This tab shows the current version of the Firewall VPN, and allows the administrator to update the
Firewall VPN immediately.
Don’t get hacked, get…
System service, Version tab
Figure 7.32
50
Firewall VPN 600/2 - 1200/2 User Manual
Page 51
HotBrick Firewall VPN 600/2 - 1200/2
Backup
This tab allows the administrator to backup critical system configuration files, and then restore the
Firewall VPN from a backup.
System Service, Backup tab
Figure 7.33
Restore
This tab allows the administrator upload System Backup File.
Figure 7.34
System Service, Backup, restoring from a backup file
Diagnostic
This tab allows the administrator to execute standard diagnostic tools from the Firewall VPN.
Don’t get hacked, get…
Firewall VPN 600/2 - 1200/2 User Manual
51
Page 52
HotBrick Firewall VPN 600/2 - 1200/2
System Service, Diagnostic tab
Figure 7.35
System Service, Diagnostic tab, sample ping data
Figure 7.36
Log
This menu summarizes all of the logs for the Firewall VPN, allowing the administrator to configure, search,
and save these logs.
View Log
This tab displays the main log for the Firewall VPN.
Don’t get hacked, get…
Firewall VPN 600/2 - 1200/2 User Manual
52
Page 53
HotBrick Firewall VPN 600/2 - 1200/2
Log, View log, sample policy warnings
Figure 7.37
Log Settings
This tab allows the administrator to configure some of the log settings, such as where the logs will be
mailed to, when to send the log, and what should be logged.
Figure 7.38
Log, Log Setting tab
Don’t get hacked, get…
Firewall VPN 600/2 - 1200/2 User Manual
53
Page 54
HotBrick Firewall VPN 600/2 - 1200/2
Remote Log
This tab allows the administrator to configure remote log settings, such as setup the remote server IP or
FQDN.
Log, Remote Log Setting tab
Figure 7.39
Web Statistics
This tab allows the administrator to track the most visited web sites.
Figure 7.40
Log, Web Statistic tab
Search
This tab allows the administrator to search the main log.
Don’t get hacked, get…
Log, Search tab, sample search data
Figure 7.41
54
Firewall VPN 600/2 - 1200/2 User Manual
Page 55
HotBrick Firewall VPN 600/2 - 1200/2
Exit
This menu item exits the Firewall VPN web administration interface, returning to the login screen.
Quick Tips
How do I reset my HotBrick to factory defaults if everything else fails?
Press the reset button 5 times in a row (with a half second interval). The box will reboot; since it is a
master reboot, it will take approximately 5 minutes.
I have a cable modem and when I connect it to my HotBrick I have no link light. What can be
wrong?
Cable modems are characterized by storing the MAC address of the device they were attached previously.
What you have to do it to unplug the cable modem from the HotBrick wan port. Remove the power cable
of the cable modem for about 10 seconds. After that plug the power back into the cable modem and wait
until its lights go back to their normal behavior. Now, plug to cable modem into the HotBrick WAN port
again and it will start to work normally.
Don’t get hacked, get…
Firewall VPN 600/2 - 1200/2 User Manual
55
Page 56
HotBrick Firewall VPN 600/2 - 1200/2
How to Use Port Triggering
Port Triggering
If a connection from LAN to Internet matches a rule range, then initiates another special rule mapping
wan port (range) to LAN host.
Here we get an example case:
Example case:
A web-based media server need to click movie via browser, then player will be initialized and “receive”
movie.
1. Select “Del” check box in front which item you want to delete.
2. Click update box, the entry and rules will be flushed after executing.
Don’t get hacked, get…
Firewall VPN 600/2 - 1200/2 User Manual
56
Page 57
HotBrick Firewall VPN 600/2 - 1200/2
Note:
1. Trigger port will be blocked if there’s any blocking rule in firewall setting.
2. If trigger port is free to Internet, Incoming port will not be blocked even if the service is not in allow
list of firewall.
3. It doesn’t matter what IP address of Client host IP or remote server IP when setting.
But connection incoming will only match the source and destination of trigger connection.
Ex: LAN user 192.168.0.1 trigger TCP 80, Incoming a connection TCP 8100 from 61.62.30.251
Then only 192.168.0.1 receive incoming data, other packet from another server or to another LAN
user will not be send to 192.168.0.1
Don’t get hacked, get…
Firewall VPN 600/2 - 1200/2 User Manual
57
Page 58
HotBrick Firewall VPN 600/2 - 1200/2
How to Use Standard Transparent Mode
Standard Transparent mode
This mode means forwarding packets without NAT. This Network mode used on a topology which all in
real IP.
iMac
Ethernet
Example case:
1. Router IP 192.168.1.254
2. HotBrick IP 192.168.1.253
3. Client hosts stand behind of HotBrick, IP range start from 192.168.1.10
4. All hosts in this case in 192.168.1.0/16, go to Internet through HotBrick.
5. Admin login from 192.168.1.10
Don’t get hacked, get…
Firewall VPN 600/2 - 1200/2 User Manual
58
Page 59
HotBrick Firewall VPN 600/2 - 1200/2
Setting steps:
1. Login GUI management interface
2. Go to Advanced Æ Setup Æ Setup Æ Select “Standard Transparent”
3. Insert gateway and VPN WAN IP into setup screen
4. Insert Client IP in to setup screen
5. Click Update, apply setting.
6. All routing will be flushed but “Client IP” and “Gateway”
7. Move to “LAN IP range” Æ Build a LAN hosts list.
Don’t get hacked, get…
Firewall VPN 600/2 - 1200/2 User Manual
59
Page 60
8. Insert LAN IP which under HotBrick, by range.
9. Make sure LAN IP range exists.
HotBrick Firewall VPN 600/2 - 1200/2
Note:
1. Client IP = Admin IP, Admin login into management GUI only from this source IP.
2. Make sure all exist IP (range) is in LAN IP range or users will unable to access Internet
3. In this release so far (0_1_0471), Admin must modify LAN IP range after switching to Transparent
Mode.
Do not support setup LAN IP range before switching to Transparent Mode.
(Entry will be flushed after executing.)
Don’t get hacked, get…
Firewall VPN 600/2 - 1200/2 User Manual
.
60
Page 61
HotBrick Firewall VPN 600/2 - 1200/2
APPENDIX A – Commonly Used Ports and Services
Port No. Protocol Service Name Aliases Comment
7 TCP echo Echo
7 UDP echo Echo
9 TCP discard sink null Discard
9 UDP discard sink null Discard
13 TCP daytime Daytime
13 UDP daytime Daytime
17 TCP qotd quote Quote of the day
17 UDP qotd quote Quote of the day
19 TCP chargen ttytst source Character generator
19 UDP chargen ttytst source Character generator
20 TCP ftp-data File Transfer
21 TCP ftp FTP Control
23 TCP telnet Telnet
25 TCP smtp mail Simple Mail Transfer
37 TCP time Time
37 UDP time Time
39 UDP rlp resource Resource Location Protocol
42 TCP nameserver name Host Name Server
42 UDP nameserver name Host Name Server
43 TCP nicname whois Who Is
53 TCP domain Domain Name
53 UDP domain Domain Name Server
67 UDP bootps dhcps Bootstrap Protocol Server
68 UDP bootpc dhcpc Bootstrap Protocol Client
69 UDP tftp Trivial File Transfer
70 TCP gopher Gopher
79 TCP finger Finger
80 TCP http www, http World Wide Web
88 TCP kerberos krb5 Kerberos
88 UDP kerberos krb5 Kerberos
101 TCP hostname hostnames NIC Host Name Server
102 TCP iso-tsap ISO-TSAP Class 0
107 TCP rtelnet Remote Telnet Service
109 TCP pop2 postoffice Post Office Protocol - Version 2
110 TCP pop3 postoffice Post Office Protocol - Version 3
111 TCP sunrpc rpcbind
portmap
111 UDP sunrpc rpcbind
portmap
113 TCP auth ident tap Authentication Service
117 TCP uucp-path UUCP Path Service
119 TCP nntp usenet Network News Transfer Protocol
123 UDP ntp Network Time Protocol
135 TCP epmap loc-srv DCE endpoint resolution
135 UDP epmap loc-srv DCE endpoint resolution
137 TCP netbios-ns nbname NETBIOS Name Service
137 UDP netbios-ns nbname NETBIOS Name Service
138 UDP netbios-dgm nbdatagram NETBIOS Datagram Service
139 TCP netbios-ssn nbsession NETBIOS Session Service
143 TCP imap imap4 Internet Message Access Protocol
158 TCP pcmail-srv repository PC Mail Server
161 UDP snmp snmp SNMP
162 UDP snmptrap snmp-trap SNMP TRAP
170 TCP print-srv Network PostScript
179 TCP bgp Border Gateway Protocol
194 TCP irc Internet Relay Chat Protocol
213 UDP ipx IPX over IP
389 TCP ldap Lightweight Directory Access Protocol
SUN Remote Procedure Call
SUN Remote Procedure Call
Don’t get hacked, get…
Firewall VPN 600/2 - 1200/2 User Manual
61
Page 62
443 TCP https MCom
443 UDP https MCom
445 TCP Microsoft CIFS
445 UDP Microsoft CIFS
464 TCP kpasswd Kerberos (v5)
464 UDP kpasswd Kerberos (v5)
500 UDP isakmp ike Internet Key Exchange (IPSec)
512 TCP exec Remote Process Execution
512 UDP biff comsat Notifies users of new mail
513 TCP login Remote Login
513 UDP who whod Database of who's logged on, average load
514 TCP cmd shell Automatic Authentication
514 UDP syslog
515 TCP printer spooler Listens for incoming connections
517 UDP talk Establishes TCP Connection
518 UDP ntalk
520 TCP efs Extended File Name Server
520 UDP router router