HP SuperStack Firewall User Manual
SuperStack®3
Firewall
User Guide
SuperStack 3 Firewall 3CR16110-95
SuperStack 3 Firewall Web Site Filter 3C16111
http://www.3com.com/
Part No. DUA1611-0AAA02
Published August 2001
3Com Corporation
5400 Bayfront Plaza
Santa Clara, California
95052-8145
Copyright © 2001, 3Com Technologies. All rights reserved. No part of this documentation may be reproduced
in any form or by any means or used to make any derivative work (such as translation, transformation, or
adaptation) without written permission from 3Com Technologies.
3Com Technologies reserves the right to revise this documentation and to make changes in content from time
to time without obligation on the part of 3Com Technologies to provide notification of such revision or
change.
3Com Technologies provides this documentation without warranty, term, or condition of any kind, either
implied or expressed, including, but not limited to, the implied warranties, terms or conditions of
merchantability, satisfactory quality, and fitness for a particular purpose. 3Com may make improvements or
changes in the product(s) and/or the program(s) described in this documentation at any time.
If there is any software on removable media described in this documentation, it is furnished under a license
agreement included with the product as a separate document, in the hard copy documentation, or on the
removable media in a directory file named LICENSE.TXT or !LICENSE.TXT. If you are unable to locate a copy,
please contact 3Com and a copy will be provided to you.
UNITED STATES GOVERNMENT LEGEND
If you are a United States government agency, then this documentation and the software described herein are
provided to you subject to the following:
All technical data and computer software are commercial in nature and developed solely at private expense.
Software is delivered as “Commercial Computer Software” as defined in DFARS 252.227-7014 (June 1995) or
as a “commercial item” as defined in FAR 2.101(a) and as such is provided with only such rights as are
provided in 3Com’s standard commercial license for the Software. Technical data is provided with limited rights
only as provided in DFAR 252.227-7015 (Nov 1995) or FAR 52.227-14 (June 1987), whichever is applicable.
You agree not to remove or deface any portion of any legend provided on any licensed program or
documentation contained in, or delivered to you in conjunction with, this User Guide.
Unless otherwise indicated, 3Com registered trademarks are registered in the United States and may or may not
be registered in other countries.
3Com and SuperStack are registered trademarks of 3Com Corporation. The 3Com logo and CoreBuilder are
trademarks of 3Com Corporation.
Intel and Pentium are registered trademarks of Intel Corporation. Microsoft, MS-DOS, Windows, and Windows
NT are registered trademarks of Microsoft Corporation. Novell and NetWare are registered trademarks of
Novell, Inc. UNIX is a registered trademark in the United States and other countries, licensed exclusively
through X/Open Company, Ltd.
Netscape Navigator is a registered trademark of Netscape Communications.
JavaScript is a trademark of Sun Microsystems
All other company and product names may be trademarks of the respective companies with which they are
associated.
ENVIRONMENTAL STATEMENT
It is the policy of 3Com Corporation to be environmentally-friendly in all operations. To uphold our policy, we
are committed to:
Establishing environmental performance standards that comply with national legislation and regulations.
Conserving energy, materials and natural resources in all operations.
Reducing the waste generated by all operations. Ensuring that all waste conforms to recognized environmental
standards. Maximizing the recyclable and reusable content of all products.
Ensuring that all products can be recycled, reused and disposed of safely.
Ensuring that all products are labelled according to recognized environmental standards.
Improving our environmental record on a continual basis.
End of Life Statement
3Com processes allow for the recovery, reclamation and safe disposal of all end-of-life electronic components.
Regulated Materials Statement
3Com products do not contain any hazardous or ozone-depleting material.
Environmental Statement about the Documentation
The documentation for this product is printed on paper that comes from sustainable, managed forests; it is
fully biodegradable and recyclable, and is completely chlorine-free. The varnish is environmentally-friendly, and
the inks are vegetable-based with a low heavy-metal content.
C
ONTENTS
A
BOUTTHISGUIDE
How to Use This Guide 12
Conventions 12
Terminology 13
Feedback about this User Guide 15
Registration 16
ETTINGSTARTED
IG
I
NTRODUCTION
1
What is the SuperStack 3 Firewall? 19
Firewall and 3Com Network Supervisor 20
Firewall Features 21
Firewall Security 21
Web URL Filtering 23
High Availability 24
Logs and Alerts 24
User Remote Access (from the Internet) 24
Automatic IP Address Sharing and Configuration 24
Introduction to Virtual Private Networking (VPN) 25
Virtual Private Networking 25
I
NSTALLING THEHARDWARE
2
Before You Start 27
Positioning the Firewall 28
Rack Mounting the Units 28
Securing the Firewall with the Rubber Feet 29
Firewall Front Panel 29
Firewall Rear Panel 31
Redundant Power System (RPS) 31
Attaching the Firewall to the Network 32
3
II C
UICKSETUP FOR THEFIREWALL
Q
Introduction 35
Setting up a Management Station 36
Configuring Basic Settings 36
Setting the Password 37
Setting the Time Zone 38
Configuring WAN Settings 39
Automatic WAN Settings 39
Manual WAN Settings 40
Using a Single Static IP Address 41
Using Multiple Static IP Addresses 42
Using an IP Address provided by a PPPoE Server 44
Using a Static IP address provided by a DHCP Server 44
Configuring LAN Settings 44
Automatic LAN Settings 44
Entering information about your LAN 45
Configuring the DHCP Server 45
Confirming Firewall Settings 46
ONFIGURING THEFIREWALL
4
ASICSETTINGS OF THEFIREWALL
B
Examining the Unit Status 52
Setting the Administrator Password 53
Setting the Inactivity Timeout 54
Setting the Time 54
Changing the Basic Network Settings 56
Setting the Network Addressing Mode 56
Specifying the LAN Settings 57
Specifying the WAN/DMZ Settings 58
Specifying the DNS Settings 59
Specifying DMZ Addresses 59
Setting up the DHCP Server 60
Global Options 61
Dynamic Ranges 62
Static Entries 63
Viewing the DHCP Server Status 63
Using the Network Diagnostic Tools 64
Choosing a Diagnostic Tool 64
ETTING UPWEBFILTERING
5
S
Changing the Filter Settings 67
Restricting the Web Features Available 68
Setting Blocking Options 69
Specifying the Categories to Filter 69
Specifying When Filtering Applies 70
Filtering Web Sites using a Custom List 70
Setting up Trusted and Forbidden Domains 71
Changing the Message to display when a site is blocked 72
Updating the Web Filter 73
Checking the Web Filter Status 73
Downloading an Updated Filter List 74
Setting Actions if no Filter List is Loaded 74
Blocking Websites by using Keywords 75
Filtering by User Consent 75
Configuring User Consent Settings 76
Mandatory Filtered IP addresses 77
6
SING THEFIREWALLDIAGNOSTICTOOLS
U
Logs and Alerts 79
Viewing the Log 80
Changing Log and Alert Settings 82
Sending the Log 83
Changing the Log Automation Settings 84
Selecting the Categories to Log 85
Alert Categories 86
Generating Reports 87
Collecting Report Data 87
Viewing Report Data 88
Restarting the Firewall 89
Managing the Firewall Configuration File 90
Importing the Settings File 91
Exporting the Settings File 92
Restoring Factory Default Settings 92
Using the Installation Wizard to reconfigure the Firewall 92
Upgrading the Firewall Firmware 92
ETTING APOLICY
7
S
Changing Policy Services 97
Amending Network Policy Rules 98
Changing NetBIOS Broadcast Settings 99
Enabling Stealth Mode 100
Allowing Fragmented Packets 100
Adding and Deleting Services 101
Editing Policy Rules 103
Viewing Network Policy Rules 103
Adding a New Rule 106
Restoring Rules to Defaults 106
Updating User Privileges 106
Establishing an Authenticated Session 108
Setting Management Method 109
Selecting Remote Management 110
Using the Firewall with the NBX 100 Business Telephone System 110
8
9
DVANCEDSETTINGS
A
Automatic Proxy/Web Cache Forwarding 111
Deploying the SuperStack 3 Webcache as a Proxy of the Firewall 112
Specifying Intranet Settings 114
Installing the Firewall to Protect the Intranet 115
Configuring the Firewall to Protect the Intranet 115
Setting Static Routes 117
Setting up One-to-One NAT 119
ONFIGURINGVIRTUALPRIVATENETWORKSERVICES
C
Editing VPN Summary Information 123
Changing the Global IPSec Settings 124
Viewing the Current IPSec Security Associations 125
Configuring a VPN Security Association 125
Adding/Modifying IPSec Security Associations 126
Security Policy 127
Setting the Destination Network for the VPN Tunnel 131
Configuring the Firewall to use a RADIUS Server 132
Changing the Global RADIUS Settings 132
Changing RADIUS Server Details 133
Using the Firewall with Check Point Firewall-1 134
Configuring the IRE VPN Client 134
Configuring the Firewall 137
Configuring the IRE VPN Client for use with the Firewall 137
Setting up the GroupVPN Security Association 138
Installing the IRE VPN Client Software 139
Configuring the IRE VPN Client 139
10
III A
11
ONFIGURINGHIGHAVAILABILITY
C
Getting Started 141
Network Configuration for High Availability Pair 142
Configuring High Availability 142
Configuring High Availability on the Primary Firewall 143
Configuring High Availability on the Backup Firewall 144
Making Configuration Changes 145
Checking High Availability Status 146
High Availability Status Window 146
E-Mail Alerts Indicating Status Change 147
View Log 147
Forcing Transitions 148
DMINISTRATION ANDTROUBLESHOOTING
DMINISTRATION ANDADVANCEDOPERATIONS
A
Introducing the Web Site Filter 153
Activating the Web Site Filter 156
Using Network Access Policy Rules 157
Understanding the Rule Hierarchy 158
Examples of Network Access Policies 159
Resetting the Firewall 162
Resetting the Firewall 163
Reloading the Firmware 163
Direct Cable Connection 164
Direct Connection Instructions 165
12
ROUBLESHOOTINGGUIDE
T
Introduction 167
Potential Problems and Solutions 167
Power LED Not Lit 167
Power LED Flashes Continuously 168
Power and Alert LED Lit Continuously 168
Link LED is Off 168
Ethernet Connection is Not Functioning 168
Cannot Access the Web interface 168
LAN Users Cannot Access the Internet 169
Firewall Does Not Save Changes 169
Duplicate IP Address Errors Are Occurring 169
Machines on the WAN Are Not Reachable 170
Troubleshooting the Firewall VPN Client 170
The IKE Negotiation on the VPN Client 170
Restarting the Firewall with Active VPN Tunnel 171
Export the VPN Client Security Policy File 171
Import the VPN Client Security Policy File 171
Uninstall the VPN Client 171
Frequently Asked Questions about PPPoE 172
IV F
13
IREWALL ANDNETWORKINGCONCEPTS
YPES OFATTACK ANDFIREWALLDEFENCES
T
Denial of Service Attacks 175
Ping of Death 175
Smurf Attack 175
SYN Flood Attack 176
Land Attack 176
Intrusion Attacks 176
External Access 176
Port Scanning 177
IP Spoofing 177
Trojan Horse Attacks 177
14
VA
A
ETWORKINGCONCEPTS
N
Introduction to TCP/IP 179
IP and TCP 179
IP Addressing 179
Network Address Translation (NAT) 182
Limitations of Using NAT 182
Dynamic Host Configuration Protocol (DHCP) 183
Port Numbers 184
Well Known Port Numbers 184
Registered Port Numbers 184
Private Port Numbers 184
Virtual Private Network Services 184
Introduction to Virtual Private Networks 185
VPN Applications 185
Basic VPN Terms and Concepts 186
PPENDICES
AFETYINFORMATION
S
Important Safety Information 193
Wichtige Sicherheitshinweise 194
Consignes Importantes de Sécurité 195
ECHNICALSPECIFICATIONS ANDSTANDARDS
B
T
C
ABLESPECIFICATIONS
C
Cable Specifications 199
Pinout Diagrams 199
D
ECHNICALSUPPORT
T
Online Technical Services 201
World Wide Web Site 201
3Com Knowledgebase Web Services 201
3Com FTP Site 202
Support from Your Network Supplier 202
Support from 3Com 202
Returning Products for Repair 204
NDEX
I
EGULATORYNOTICES
R
A
BOUTTHIS
This guide describes the following products:
■
SuperStack 3 Firewall 3CR16110-95
■
SuperStack 3 Firewall 3CR16110-97 upgraded to v6.x firmware
■
SuperStack 3 Firewall Web Site Filter 3C16111
G
UIDE
Introduction This guide describes how to set up and maintain the SuperStack
Firewall and how to install and use the SuperStack 3 Web Site Filter.
The Firewall acts as a secure barrier to protect a private LAN from hacker
attacks from the Internet. It can also be used to control the access that
LAN users have to the Internet.
The Web Site Filter controls and monitors the access users have to web
sites. Sites can be blocked on a site-wide or individual basis and by the
features a web site uses or content it provides.
This guide is intended for use by the person responsible for installing or
managing the network. It assumes knowledge of the following:
■
Basic familiarity with Ethernet networks and the Internet Protocol.
■
Knowledge of how to install and handle electronically sensitive
equipment.
If release notes are shipped with your product and the information there
differs from the information in this guide, follow the instructions in the
release notes.
Most user guides and release notes are available in Adobe Acrobat
Reader Portable Document Format (PDF) or HTML on the 3Com
World Wide Web site:
http://www.3com.com/
®
3
12 ABOUT THIS GUIDE
How to Use This Guide
Table 1 shows where to look for specific information in this guide.
Ta b l e 1
If you are looking for... Turn to...
A description of the Firewall’s features and example
applications.
A description of the Firewall’s front and back panel displays and
connectors, and installation information.
A quick setup guide for the Firewall. Chapter 3
Information on how to configure the Firewall. Chapter 4 -
Information about installing and setting up the Web Site Filter. Chapter 11
Troubleshooting common Firewall problems. Chapter 12
Information about Denial of Service and other attacks. Chapter 13
An introduction to TCP/IP and VPN. Chapter 14
Important Safety Information. Appendix A
Technical Specifications of the Firewall. Appendix B
Cable Specifications. Appendix C
Information about obtaining Technical Support. Appendix D
Where to find specific information
Chapter 1
Chapter 2
Chapter 10
Conventions
Table 2 and Table 3 list conventions that are used throughout this guide.
Ta b l e 2
Icon Notice Type Description
Notice Icons
Information note Information that describes important features or
instructions.
Caution
Warning
Information that alerts you to potential loss of
data or potential damage to an application,
system, or device.
Information that alerts you to potential personal
injury.
Terminology 13
Ta b l e 3
Convention Description
Screen displays
Commands
The words “enter”
and “type”
Keyboard key names If you must press two or more keys simultaneously, the
Words in italics Italics are used to:
Text Conventions
This typeface represents information as it appears on
the screen.
The word “command” means that you must enter the
command exactly as shown and then press Return or
Enter. Commands appear in bold. Example:
To display port information, enter the following
command:
bridge port detail
When you see the word “enter” in this guide, you
must type something, and then press Return or Enter.
Do not press Return or Enter when an instruction
simply says “type.”
key names are linked with a plus sign (+). Example:
■
■
■
Press Ctrl+Alt+Del
Emphasize a point.
Denote a new term at the place where it is defined
in the text.
Identify menu names, menu commands, and
software button names. Examples:
From the Help menu, select Contents.
Click OK.
Terminology
This section lists terminology used in this guide.
DMZ — Demilitarized Zone port. The Firewall has an extra port. If you
connect publicly-accessible servers and workstations to this port, they are
accessible from the Internet but still protected from Denial of Service
attacks
DoS Attacks — Denial of Service Attacks. An attempt to stop one of
your services running, such as a Web or FTP server. There are several kinds
of DoS attacks.
IP address — The Internet Protocol address is the network layer address
of a device assigned by the user or network administrator of an IP
network. An IP address consists of 32 bits divided into two or three fields:
14 ABOUT THIS GUIDE
a network number and a host number, or a network number, a subnet
number, and a host number.
IP Spoof — AtypeofDoSattack.AnIPspoofusesafakeIPaddressto
bypass security settings which may bar access from the real IP address.
IRC — Internet Relay Chat. Provides a way of communicating in real time
with people from all over the world.
ISP — Internet Service Provider. A business that provides Internet access
to individuals or organizations.
Firewall — Used in this guide to refer to the SuperStack 3 Firewall.
Land Attack — A type of DoS attack. In a Land attack, a packet is sent
that appears to come from the same address and port that it is sent to.
Thiscanhangthemachinetowhichitissent.
Management Station — This is the workstation from which you run the
Web interface for the Firewall.
Web interface — This is the Web-based application which you use to set
up the Firewall to protect your network from attack and to control access
to the Internet for LAN users.
NAT — Network Address Translation. NAT refers to the process of
converting the IP addresses used within a private network to Internet IP
addresses.
NTP — Network Time Protocol. This allows the Firewall to automatically
set the local time, via an NTP server on the Internet
NNTP — Network News Transfer Protocol. This protocol is used to
distribute Usenet news articles over the Internet.
Ping of Death — A type of DoS attack. The Internet Protocol (IP) defines
the maximum size for a Ping packet. However, some Ping programs can
send packets that are larger than this size which can cause some systems
to crash.
PPPoE — PPPoE stands for Point-to-Point Protocol over Ethernet and is
based on two widely accepted standards, Point-to-Point Protocol (PPP)
and Ethernet. PPPoE is a method for personal computers to connect to a
broadband service (typically DSL).
Feedback about this User Guide 15
RADIUS — Remote Authentication Dial-in User Service. RADIUS enables
network administrators to effectively deploy and manage VPN Client
based remote users. The RADIUS server allows multiple users to share a
single Group Security Association but require an additional unique
password for accounting and access.
SYN Flood — A type of DoS attack. This is where a client opens a
connection with a server but does not complete it. If the server queue fills
up with partially-open connections, no other clients can make genuine
connections to that server.
UTC —stands for Universal Time Co-ordinated, and is the standard time
common to all places in the world. It is also commonly referred to as GMT
or World Time.
VPN — stands for Virtual Private Network, and is a method of
networking that uses data encryption and the public internet to provide
secure communications between sites without incurring the expense of
leased lines.
Feedback about this User Guide
Web Site Filter — Used in this guide to refer to the SuperStack 3 Web
Site Filter.
See Chapter 13, “Types of Attack and Firewall Defences” for further
information on types of attack and how the Firewall defends against
them.
Your suggestions are very important to us. They will help make our
documentation more useful to you. Please e-mail comments about this
document to 3Com at:
pddtechpubs_comments@3com.com
Please include the following information when commenting:
■
Document title
■
Document part number (on the title page)
■
Page number (if appropriate)
Example:
■
SuperStack 3 Firewall User Guide
16 ABOUT THIS GUIDE
Part Number DUA1611-0AAA02
■
Page 24
■
Do not use this e-mail address for technical support questions. For
information about contacting Technical Support, see Appendix A.
Registration
To register your Firewall point your web browser to
http://www.3com.com/ssfirewall
click on Hardware Registration and follow the instructions.
I
G
ETTING
Chapter 1 Introduction
Chapter 2 Installing the Hardware
Chapter 3 Quick Setup for the Firewall
S
TARTED
18
1
I
NTRODUCTION
This chapter contains the following:
■
What is the SuperStack 3 Firewall?
■
Firewall and 3Com Network Supervisor
■
Firewall Features
■
Introduction to Virtual Private Networking (VPN)
What is the
SuperStack 3
Firewall?
The SuperStack®3 Firewall is a dedicated firewall appliance which is
installed between a Private LAN and a Router. The Firewall is a complete
network security system with all hardware and software pre-installed.
This allows it to act as a secure gateway for all data passing between the
Internet and the LAN.
The purpose of the Firewall is to allow a private Local Area Network (LAN)
to be securely connected to the Internet. You can use the Firewall to:
■
Prevent theft, destruction, and modification of data.
■
Filter incoming data for unsafe or objectionable content.
■
Log events which may be important to the security of your network.
The Firewall has three Ethernet ports which are used to divide the
network into separate areas.
■
The Wide Area Network (WAN) port attaches to the Internet access
device, for example, Router or Cable Modem.
■
The Local Area Network (LAN) port attaches to the local network
through hubs and switches. LAN users have access to Internet services
such as e-mail, FTP, and the World Wide Web. However, all
workstations and data on the LAN are protected from hacker attacks
that might come through the WAN port.
20 C
HAPTER
1: I
NTRODUCTION
The Demilitarized Zone (DMZ) port is used for public servers, such as
■
Web or FTP servers. Machines attached to this port are visible from the
WAN port, but are still protected from hacker attacks. Users on the
secure LAN port can also access servers on the DMZ port.
Firewall and 3Com Network Supervisor
The Firewall is supplied with a copy of 3Com Network Supervisor.
Network Supervisor is a powerful, intuitive network management
application for small to medium enterprise networks.
Figure 1
3Com Network Supervisor display
Network Supervisor automatically discovers up to 1500 network devices
and shows devices and connections on a graphical display. Network
managers can view network activity, monitor stress and set thresholds
and alerts. This information helps to provide the most efficient,
cost-effective use of network resources.
Version 3.0 and later releases add significant extra functionality designed
to detect network inefficiency and optimize network performance.
Features include support for related and recurring events, user definable
reports, auto-alerting using pager or SMS messages and simple updates
from the 3Com web site.
Firewall Features 21
3Com Network Supervisor offers the following support to Firewall users:
■
If your 3Com Network Supervisor management station is located on
the LAN, it discovers the Firewall automatically and displays it on the
topology map.
■
The topology map indicates that the Firewall is a 3Com Firewall and
uses an appropriate icon to represent it.
■
Double-clicking on the Firewall icon launches the Web interface of the
Firewall.
If your 3Com Network Supervisor management station is located on the
WAN side of the Firewall you must follow the steps below before
Network Supervisor will detect your Firewall:
1 Access the Web interface from a Web browser connected to the LAN port
of the Firewall.
2 Click on the Policy button, after the Management screen appears.
3 Click on the User Privileges tab.
4 Add a user to the Current Privileges list. Enter the user name in the User
field.
5 Click on Remote Access and click Update Privileges.
Firewall Features
This section lists the features of the Firewall.
Firewall Security The Firewall is preconfigured to monitor Internet traffic, and detect and
block Denial of Service (DoS) hacker attacks automatically. Refer to
Figure 2.
22 C
STOP
HAPTER
1: I
NTRODUCTION
Figure 2 Firewall Security Functions - Default Firewall Policy
LAN
Uplink
Normal
LAN Port - Connected
to your internal
network e.g. network
servers, workstations.
Protected from DoS
attacks and invisible from
outside your network.
DMZ
Uplink
Normal
DMZ Port - Connected
to public servers e.g.
Web, E-mail
Protected from DoS
attacks but visible from
outside your network.
STOP
Internet Access Filtered (optional)
Unauthorised External Access Blocked
WAN
WAN Port - Connected to
an external network or
the Internet via an
Internet access device.
The other ports are
protected from DoS attacks
originating on this port.
DoS Attacks Blocked
STOP
Web Access Allowed
STOP
Uplink
Normal
Authorised External Access using VPN (Encrypted)
LAN DMZ WAN
The Firewall examines every packet that comes from outside the LAN and
discards any packet that has not been authorized from inside the LAN.
This is known as stateful packet inspection.
Users on the LAN have access to all resources on the Internet that are not
blocked by any of the filters.
Users on the Internet can access hosts on the DMZ, such as a Web server,
but cannot access any resources on the LAN unless they are authorized
remote users.
Firewall Features 23
The Firewall will protect your network against the following Denial of
Service attacks:
■
Ping of Death
■
Smurf Attack
■
SYN Flood
■
LAND Attack
■
IP Spoofing
■
Teardrop
To find more information on DoS and other attacks refer to Chapter 13,
“Types of Attack and Firewall Defences”
Advanced users can extend the security functions of the Firewall by
adding network access rules and user privileges. See “Examples of
Network Access Rules” on page 200 and “User Privileges” on page 205
for more information.
Web URL Filtering You can use the Firewall to monitor and restrict LAN users from accessing
inappropriate information on the Internet. You can block access to this
information or record attempts to access it in a log. See “Filter Settings”
on page 162 for more information.
You can create a list of all forbidden URLs to which you want to restrict
access. Alternatively, you can restrict access to the Internet to certain
trusted URLs. See “Setting up Trusted and Forbidden Domains” on
page 165 for more information.
Web site technologies such as cookies and Java and ActiveX applets give
enhancements to web pages, but hackers may use the technologies to
steal or damage data. The Firewall can block these potentially damaging
applications from being downloaded from the Internet, or allow them
only from trusted sites. See “Filter Settings” on page 162 for more
information.
You can also use the optional SuperStack 3 Web Site Filter to extend
these filtering capabilities of your Firewall. It provides a list of Web site
categories that might be considered inappropriate for business use. The
Web Site Filter updates the Firewall with the latest URLs matching the
selected categories. You can block access to these sites or log them. The
Firewall is supplied with a one-month free subscription. You can then
24 C
HAPTER
1: I
NTRODUCTION
purchase a twelve month Web Site Filter (3C16111) subscription. Both
the trial and the twelve month subscription are valid for an unlimited
number of users.
High Availability Given the mission critical nature of many Internet connections each
component involved in your connection must be highly reliable. The High
Availability function of your Firewall adds to the already reliable platform
eliminating downtime due to hardware failure.
To u s e t h e High Availability function, connect another SuperStack 3
Firewall to the first as a high availability pair and configure the backup
Firewall to monitor the primary Firewall. In the event of failure of the
primary Firewall, the backup Firewall will take over its functions. See
“Configuring High Availability” on page 141 for details.
Logs and Alerts The Firewall maintains a log of all events that could be seen as security
concerns. It can also track key events such as the top 25 most accessed
Web sites, or the top 25 users of Internet bandwidth. You can also set up
the Firewall to send an alert message through e-mail when a high-priority
concern, such as a hacker attack, is detected. See “Log/Alert Settings” on
page 177 for more information.
User Remote Access
(from the Internet)
Automatic IP Address
Sharing and
Configuration
For detailed logging 3Com recommends that you us a syslog server or a
syslog reporting tool. A free syslog server is available from 3Com. To
download it point your web browser to:
http://www.3com.com/ssfirewall
and follow the link to the Syslog Server.
Users can access intranet resources on the private LAN by successfully
logging into the Firewall from the Internet. Logging in requires a valid
user name and password, which are transmitted to the Firewall by the
remote user, using a Web browser, through an MD5-based encrypted
authentication mechanism. Once logged in, remote users are able to
access all IP resources on the LAN
The Firewall provides sharing of a single public IP address through
Network Address Translation (NAT). It also provides simplified IP address
administration using the Dynamic Host Configuration Protocol (DHCP).
Introduction to Virtual Private Networking (VPN) 25
NAT automatically translates multiple IP addresses on the private LAN to
one public address that is sent out to the Internet. It enables the Firewall
to be used with broadband modems such as the OfficeConnect Cable
Modem, and with low cost Internet accounts where only one IP address is
provided by the ISP. See “Network Addressing Mode” on page 149 for
more information.
The DHCP server automatically assigns all PCs on the LAN with the correct
IP information. The DHCP client allows the Firewall to acquire the correct
IP settings from the ISP. See “Setting up the DHCP Server” on page 155
for more information.
Introduction to Virtual Private Networking (VPN)
Virtual Private
Networking
The Firewall includes support for IPSec Virtual Private Networking. This
section provides an introduction to Virtual Private Networking (VPN).
Today’s business environment requires close, real-time collaboration with
trading partners, legal, and financial advisors, as well as remote workers
andbranchoffices.This“real-time” requirement often leads to the
creation of an “extranet” where branch offices and partners are
connected to a primary network in one of two ways:
■
Leasing dedicated data lines to connect all sites.
■
Using the public Internet to connect all sites and remote users
together.
Each of these methods has its benefits and drawbacks. Establishing a
leased line connection between the sites offers a dedicated, secure access
but at a very high cost.
The other option is to use an existing Internet connection to transmit data
unencrypted over the public Internet network. While this option is less
expensive and can provide higher performance, it is much less secure
than dedicated site-leased lines.
VPN uses data encryption and the public Internet to provide secure
communications between sites without incurring the huge expense of
site to site leased lines.
The Firewall embodies eight different levels of encryption that can be
used to create a VPN tunnel. For the tunnel to work correctly, the
26 C
HAPTER
1: I
NTRODUCTION
terminating device at the other end of the tunnel must be using the same
level and type of encryption. See “Configuring Virtual Private Network
Services” on page 123 for more details.
2
I
NSTALLING THE
This chapter contains the following:
■
Before You Start
■
Positioning the Firewall
■
Firewall Front Panel
■
Firewall Rear Panel
■
Redundant Power System (RPS)
■
Attaching the Firewall to the Network
WARNING: Before installing the Firewall, you must read the safety
information provided in Appendix A of this User Guide.
AVERTISSEMENT: Avant d’installer le Firewall, lisez les informations
relatives à la sécurité qui se trouvent dans l’Appendice A de ce guide.
H
ARDWARE
VORSICHT: Bevor Sie den Firewall hinzufügen, lesen Sie die
Sicherheitsanweisungen, die in Anhang A in diesem Handbuch
aufgeführt sind.
Before You Start Your SuperStack 3 Firewall (3CR-15110-95) comes with the following:
■
A power cord for use with the Firewall.
■
Four rubber feet.
■
Mounting Kit for a 19 in. rack mount cabinet comprising:
■
two mounting brackets.
■
four screws.
■
A SuperStack 3 Firewall User Guide (this guide).
■
A SuperStack 3 Firewall Quick Reference Guide (DQA1611-0AAA01)
28 C
HAPTER
2: I
NSTALLING THEHARDWARE
A SuperStack 3 Firewall CD.
■
Warranty Information.
■
Software License Agreement.
■
Positioning the Firewall
Rack Mounting the
Units
When installing the Firewall, make sure that:
It is out of direct sunlight and away from sources of heat.
■
Cabling is away from power lines, fluorescent lighting fixtures, and
■
sources of electrical noise such as radio transmitters and broadband
amplifiers.
Water or moisture cannot enter the case of the unit.
■
Air flow around the unit and through the vents in the side of the case
■
is not restricted. 3Com recommends that you provide a minimum of
25.4 mm (1 in.) clearance to each side of the unit.
The Firewall is 1U high and will fit a standard 19-inch rack.
Figure 3
Fitting the Rack Mounting Bracket
Firewall Front Panel 29
CAUTION: Disconnect all cables from the unit before continuing.
Remove the self-adhesive pads from the underside of unit, if already
fitted.
1 Place the unit the right way up on a hard, flat surface with the front
facing towards you.
2 Locate a mounting bracket over the mounting holes on one side of the
unit (refer to Figure 3).
3 Insert the two screws supplied in the mounting kit and fully tighten with
a suitable screwdriver.
4 Repeat the steps 2 and 3 for the other side of the unit.
5 Insert the unit into the 19-inch rack and secure with suitable screws (not
provided).
6 Reconnect all cables.
Securing the Firewall
with the Rubber Feet
Firewall Front Panel
LAN
1
The four self-adhesive rubber feet prevent the Firewall from moving
around on the desk. Only stick the feet to the marked areas at each
corner of the underside of the unit if you intend to place the unit directly
on top of the desk.
Figure 4 shows the front panel of the Firewall.
Firewall Front Panel
Uplink
Normal
2
WAN
Power/Self Test
8
Firewall
3CR16110-95
SuperStack 3
®
Status
green = full duplex
Packet
Uplink
Normal
3
4
Status
yellow = half duplex
green = 100 Mbps
yellow = 10 Mbps
5
6
Packet LAN/DMZ/WAN
Status LAN/DMZ/WAN
Alert
7
Uplink
Normal
Figure 4
DMZ
WARNING: RJ-45 Ports. These are shielded RJ-45 data sockets. They
cannot be used as standard traditional telephone sockets, or to connect
the unit to a traditional PBX or public telephone network. Only connect
RJ-45 data connectors, network telephony systems, or network
telephones to these sockets.
Either shielded or unshielded data cables with shielded or unshielded
jacks can be connected to these data sockets.
30 C
HAPTER
2: I
NSTALLING THEHARDWARE
The Firewall front panel contains the following components:
1LANPort- Use a Category 5 cable with RJ-45 connectors. Connect this
port to any workstation or network device that has a 10BASE-T or
100BASE-TX port.
2DMZPort- Use a Category 5 cable with RJ-45 connectors. Use this port
to connect the Firewall to any workstation, server, or network device that
has a 10BASE-T or 100BASE-TX port.
3WANPort- Use a Category 5 cable with RJ-45 connectors. Connect this
port to any Internet access device that has a 10BASE-T or 100BASE-TX
port.
4 Normal/Uplink Switches - The setting of these switches determines the
operation of each port. See “Attaching the Firewall to the Network” on
page 32 for more information about setting these switches.
5StatusLEDs- The WAN, LAN, and DMZ ports each have a Status LED
that indicates the following:
■
Green indicates that the link between port and the next network
device is operational at 100 Mbps.
■
Yellow indicates that the link between the port and the next network
device is operational at 10 Mbps.
■
Off indicates that nothing is operational or that the link to the port
has failed.
6 Packet LEDs - The WAN, LAN, and DMZ ports each have a Packet LED
that indicates the following:
■
Green indicates that data is being transmitted/received on this port in
full-duplex mode.
■
Yellow indicates that data is being transmitted/received on this port in
half-duplex mode.
■
Off indicates that no traffic is being passed.
7AlertLED- This LED shows orange to alert you of the following:
A failure in the self-test the Firewall runs when switched on.
■
No operational firmware is currently loaded.
■
Potential attacks on your network.
■
An attempt to access a restricted site.
■
A hacker attack or access to a restricted service.
■
Loading...