Netopia 3000 User Manual

Download

Software User Guide

Cayman Operating System

Version 6.3

Cayman 3000 series by Netopia

January 2002

Disclaimers

mendations in this document are believed to be accurate and reliable, but are presented without express or implied warranty. Users must take full responsibility for the applications of any products speciﬁed in this document.

Portions of this software are subject to the Mozilla Public License Version 1.1. Portions created by Netscape are copyright 1994-2000 Netscape Communications Corporation. You may obtain a copy of the license at http://www.mozilla.org/MPL/. Software distributed under the License is distributed on an “as is” basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License for the speciﬁc language governing rights and limitations under the License.

Portions of this software copyright 1988, 1991 by Carnegie Mellon University. All rights reserved. Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice and this permission notice appear in supporting documentation, and that the name of Carnegie Mellon University not be used in advertising or publicity pertaining to distribution of the software without speciﬁc, written prior permission.

CARNEGIE MELLON UNIVERSITY DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL CMU BE LIABLE FOR ANY SPECIAL, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA, OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE, OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

The information in this document is proprietary to Netopia, Inc.

Trademarks

Cayman Systems is a registered trademark of Cayman Systems, a division of Netopia, Inc. SWIFT-IP, SafetyNet, Zero Conﬁguration, SafeHarbour VPN IPsec Tunnel, and the Cayman Systems logo are trademarks of Netopia, Inc.

Ethernet is a registered trademark of Xerox Corporation. Microsoft and Windows are registered trademarks of Microsoft Corporation. All other trademarks are the property of their respective owners. Mention of third-party products is for informational purposes only

and constitutes neither an endorsement nor a recommendation. Cayman assumes no responsibility with regard to the performance or use of these products.

Statement of Conditions

In the interest of improving internal design, operational function, and /or reliability, Netopia, Inc. reserves the right to make changes to the products described in this document without notice.

Netopia

, Inc. does not assume any liability that may occur due to the use or application of the product(s) or network con-

figurations described herein.

Netopia, Inc. Part Number: 6161103-PF-01

able of Contents

Disclaimers ...........................................................................................................2

Table of Contents ................................................................................................3

Introduction .........................................................................................................7

Section 1

About Cayman Documentation ............................................................................................ 7

Intended Audience .................................................................................................................7

Documentation Conventions ................................................................................................8

General ..............................................................................................................................8

Internal Web Interface .....................................................................................................8

Command Line Interface ................................................................................................8

Icons ...................................................................................................................................9

Text ....................................................................................................................................9

Organization ..........................................................................................................................10

About Cayman-series Gateways ....................................................................11

Section 2

Basic Product Structure ........................................................................................................11

What’s New in Version 6.3 ...................................................................................................12

New Embedded Web Server ........................................................................................12

Maintenance Enhancements .........................................................................................12

Computer Names ...................................................................................................12

Updater ....................................................................................................................12

802.11b Wireless Update ........................................................................................12

NIST UTC Reference Signal ..................................................................................12

Capabilities Roadmap for COS 6.3 .....................................................................................13

Overview of Major Capabilities ....................................................................14

Section 3

General ...................................................................................................................................14

Feature Keys ...................................................................................................................14

Management ...................................................................................................................15

Embedded Web Server ..........................................................................................15

Diagnostics ..............................................................................................................15

Local Area Network ......................................................................................................16

DHCP (Dynamic Host Configuration Protocol) Server ....................................16

DHCP (Dynamic Host Configuration Protocol) Relay Agent .........................16

DNS Proxy ............................................................................................................... 16

Wide Area Network ......................................................................................................17

DHCP (Dynamic Host Configuration Protocol) Client .....................................17

PPPoE (Point-to-Point Protocol over Ethernet) ..................................................17

Instant-On PPP ........................................................................................................17

Static IP Addresses .................................................................................................18

IPMaps .....................................................................................................................18

Security ............................................................................................................................19

Password Protection ...............................................................................................19

Network Address Translation (NAT) ..................................................................19

Cayman Advanced Features for NAT .................................................................20

Internal Servers .......................................................................................................20

Pinholes ....................................................................................................................21

Default Server .........................................................................................................21

Combination NAT Bypass Configuration ..........................................................22

Security Monitor .....................................................................................................22

Event Details ...........................................................................................................23

IP Source Address Spoofing ..........................................................................23

Source Routing .................................................................................................23

Subnet Broadcast Amplification ....................................................................23

Illegal Packet Size (Ping of Death) ................................................................23

Port Scan ...........................................................................................................24

Excessive Pings ................................................................................................24

MAC Address Spoofing .................................................................................25

BreakWater Basic Firewall ....................................................................................26

BreakWater Settings ........................................................................................26

ClearSailing .....................................................................................................26

SilentRunning .................................................................................................26

LANdLocked ...................................................................................................26

VPN IPSec Pass Through .......................................................................................27

SafeHarbour VPN IPSec Tunnel ...........................................................................28

Web-based User Interface ...............................................................................29

Section 4

Access the User Interface .....................................................................................................29

Open the Web Connection ...........................................................................................29

Home page .............................................................................................................................30

Home page - Information .............................................................................................31

Toolbar ....................................................................................................................................32

Navigating the Web Interface ..............................................................................................32

Restart .....................................................................................................................................33

Help .........................................................................................................................................35

Conﬁgure ................................................................................................................................36

Quickstart ........................................................................................................................36

How to Use the Quickstart Page ..........................................................................36

Setup Your Gateway using a DHCP Connection ..............................................37

Change Procedure ..................................................................................................38

Setup Your Gateway using a PPP Connection ...................................................40

Setup Your Gateway using a Static IP Address .................................................41

Configuration Procedure ................................................................................41

LAN .................................................................................................................................43

WAN ................................................................................................................................44

Advanced ........................................................................................................................45

Configure Specific Pinholes ..................................................................................47

Planning for Your Pinholes ............................................................................ 47

Example: A LAN Requiring Three Pinholes ...............................................47

Pinhole Configuration Procedure .................................................................49

Configure the IPMaps Feature ..............................................................................52

FAQs for the IPMaps Feature ........................................................................52

IPMaps Block Diagram ...................................................................................54

Configure a Default Server ...................................................................................56

Typical Network Diagram .............................................................................57

NAT Combination Application .....................................................................57

Security ............................................................................................................................66

Create and Change Passwords ............................................................................. 67

Use a Cayman Firewall ..........................................................................................69

BreakWater Basic Firewall .............................................................................69

Configure a SafeHarbour VPN .............................................................................73

VPN IPSec Tunnel at the Gateway ..............................................................73

Parameter Description and Setup .................................................................74

IPSec Tunnel Parameter Setup Worksheet ..................................................76

SafeHarbour Tunnel Setup ............................................................................77

Using the Security Monitoring Log .....................................................................80

Install ...............................................................................................................................83

Install Software .......................................................................................................84

Updating Your Gateway to COS Version 6.3 ..............................................84

Install Keys ..............................................................................................................93

Use Cayman Software Feature Keys ....................................................................93

Troubleshoot ..........................................................................................................................97

Perform Troubleshooting on Gateways .......................................................97

System Status .......................................................................................................................101

Manage a Restricted Number of WAN Users .........................................................101

User Status .............................................................................................................101

Disconnect Current WAN Users ...............................................................................102

Exceeding the WAN User Limit ................................................................................103

Tour: Command Line Interface ....................................................................104

Appendix A

Overview ..............................................................................................................................104

Starting and Ending a CLI Session ...................................................................................106

Connecting from telnet ...............................................................................................106

Connecting from the Maintenance Console Port ....................................................106

Logging In .....................................................................................................................106

Ending a CLI Session ...................................................................................................107

Saving Settings .............................................................................................................107

Using the CLI Help Facility ...............................................................................................107

About SHELL Commands .................................................................................................107

SHELL Prompt .............................................................................................................107

SHELL Command Shortcuts ......................................................................................107

Platform Convention ...................................................................................................108

SHELL Commands .............................................................................................................108

About CONFIG Commands .............................................................................................. 117

CONFIG Mode Prompt ...............................................................................................117

Navigating the CONFIG Hierarchy ..........................................................................117

Entering Commands in CONFIG Mode ...................................................................118

Guidelines: CONFIG Commands ..............................................................................118

Displaying Current Gateway Settings ......................................................................119

Step Mode: A CLI Configuration Technique ...........................................................119

Validating Your Configuration ..................................................................................120

CONFIG Commands ..........................................................................................................121

ATM Settings ................................................................................................................121

Bridging Settings ..........................................................................................................122

DHCP Settings ..............................................................................................................123

DMT Settings ...............................................................................................................124

Domain Name System Settings .................................................................................124

Ethernet MAC Address Settings ...............................................................................124

IP Settings .....................................................................................................................125

Basic Settings ..........................................................................................................125

DSL Settings ............................................................................................................125

Ethernet Settings ......................................................................................................126

Default IP Gateway Settings ...................................................................................128

WAN-to-WAN Routing Settings ............................................................................129

IP-over-PPP Settings ...............................................................................................129

Static ARP Settings .................................................................................................131

Static Route Settings ...............................................................................................132

WAN Settings ..........................................................................................................133

IPMaps Settings ............................................................................................................134

Network Address Translation (NAT) Default Settings .........................................135

Network Address Translation (NAT) Pinhole Settings .........................................135

PPPoE Settings .............................................................................................................136

Configuring Basic PPP Settings .............................................................................. 137

Configuring Port Authentication ............................................................................. 138

Configuring Peer Authentication .............................................................................140

Command Line Interface Preference Settings .........................................................141

Port Renumbering Settings ........................................................................................141

Security Settings ...........................................................................................................142

Firewall Settings (for BreakWater Firewall). ..........................................................142

SafeHarbour IPSec Settings ....................................................................................142

Internet Key Exchange (IKE) Settings ................................................................144

SNMP Settings ..............................................................................................................145

System Settings ............................................................................................................145

Traffic Shaping Settings ..............................................................................................147

Glossary ............................................................................................................148

Appendix B

Index ..................................................................................................................158

Section 1 About Cayman Documentation

Introduction

About Cayman Documentation

Netopia, Inc. provides a suite of technical information for its Cayman-series family of intelligent enterprise and consumer Gateways. It consists of:

•

Software User Guide

•

Hardware and Installation User Guide

•

Dedicated Quickstart booklets

•

Speciﬁc White Papers

The documents are available in electronic form as Portable Document Format (PDF) ﬁles. They are viewed (and printed) from Adobe Acrobat Reader, Exchange, or any other application that supports PDF ﬁles.

They are downloadable from Cayman’s website:

Intended Audience

Section 1

http://www.cayman.com/

This guide is targeted to the technical staffs of organizations such as:

•

Incumbent Local Exchange Carriers (ILEC)

•

Competitive Local Exchange Carriers (CLEC)

•

Multiple System Operators (MS0)

•

Internet Service Providers (ISP)

These professional staffs include:

•

System administrators

•

Installation and conﬁguration technicians

•

Customer support engineers

They are responsible for planning, deploying, and supporting the Customer Premise Equipment that are the key elements of small business or residential Local Area Networks.

Business and residential subscribers are encouraged to use this guide also.

Section 1 Documentation Conventions

Documentation Conventions

General

This manual uses the following conventions to present information:

Convention (Typeface)

bold italic monospaced

bold italic sans serif

terminal

bold terminal

Italic Italic type indicates the complete titles of

Internal Web Interface

Convention (Graphics) Description

dot-dot-dash rounded rectangle or line

solid rounded rectangle with an arrow

Command Line Interface

Description

Menu commands and button names

Web GUI page links Computer display text User-entered text

manuals.

Denotes an “excerpt” from a Web page or the visual truncation of a Web page

Denotes an area of emphasis on a Web page

Syntax conventions for the Cayman gateway command line interface are as follows:

Convention Description

straight ([ ]) brackets in cmd line Optional command arguments curly ({ }) brackets, with values

separated with vertical bars (|).

bold terminal type face

italic terminal type face

Alternative values for an argument are presented in curly ({ }) brackets, with values separated with vertical bars (|).

User-entered text Variables for which you supply your

own values

Section 1 Documentation Conventions

Icons

BOTH

DSL

ENET

Icons used in the guide are:

Icon

Description

NOTE Icon:

Requests that you pay particular attention to a speciﬁed procedure or piece of information in the text. The NOTE message has a regular type style.

Pointing to a CLI command, refers to both DSL and Ethernet WAN interfaces for Cayman Gateways

Pointing to a CLI command, refers only to DSL WAN interface (used with 3220H family)

Pointing to a CLI command, refers only to ENET WAN interface (used with 2E-H family)

Text

CAUTION Icon:

Suggest you review the referenced details and heed the instructions offered. The CAUTION message has a bold type style.

WARNING Icon:

Demands that you observe the actions given in the text. The WARNING message has a bold italic type style.

COMPASS Icon: Points the user to additional information concerning the topic under discussion. The COMPASS message has a regular type style. It is used also to denote a Roadmap table.

The words “Cayman Gateway” and “Gateway” refer to a standard unit from the Netopia Cayman 3000-Series product families.

Section 1 Organization

The expressions “Release 6.3.0” and “R 6.3.0” refer to the most recent generally available Cayman Operating System: COS 6.3.0R0.

Organization

This guide consists of six sections, three appendixes including a glossary, and an index. It is organized as follows:

• Section 1, “Introduction”

the purpose of, the audience for, and structure of this guide. It presents a table of conventions.

• Section 2, “About Cayman Gateways”

tion and overview of the extensive features of your Cayman gateway including a listing of new capabilities that are included with Cayman Operating System COS 6.3. A “Roadmap” of features and How To topics is shown.

• Section 3, “Overview of Major Capabilities,”

Network, Wide Area Network, Security, Management, and Software Feature Keys features and functionalities.

• Section 4, “Web-based User Interface,”

way as the web UI is organized. As you go through each section, functions and procedures are discussed in detail.

• Appendix A, “Tour of the Command Line Interface,”

the current text-based commands for both the SHELL and CONFIG modes. A summary table and individual command examples for each mode is provided.

• Appendix B, “Glossary”

— Describes the Cayman document suite,

— Presents a product descrip-

— Itemizes Local Area

— Organized in the same

— Describes all

• Index

Section 2 Basic Product Structure

About Cayman-series Gateways

Basic Product Structure

Units from the Netopia Cayman-series Gateway family are supplied in many conﬁgurations. This presents end-users with many alternatives for Wide Area Network (WAN) interfaces and Local Area Network (LAN) interfaces. This is the current product roster that supports COS 6.3:

Cayman Model No.

3220-H

3220-H-W11

3220-H-WRF

WAN Interface

Full-Rate Discrete MultiTone (DMT) Asynchronous Digital Subscriber Line (ADSL)

ADSL Four ports

LAN Wired Ethernet Hub

Four ports 10 BaseT

10 BaseT

LAN Wired Options

Section 2

LAN Wireless Option

802.11b Protocol

HomeRF Protocol

2E-H

2E-H-W11

2E-H-WRF

3445

3543

3485

3583

Ethernet One port

10 BaseT

Ethernet Eight ports

10 BaseT

Ethernet Eight ports

10 BaseT

Ethernet Eight ports

10 BaseT

ADSL Four ports 10/

100 Ethernet

ADSL Four ports 10/

100 Ethernet

Ethernet Four ports 10/

100 Ethernet

Ethernet Four ports 10/

100 Ethernet

802.11b Protocol

HomeRF Protocol

HPNA PCMCIA

802.11b Protocol

HPNA PCMCIA

802.11b Protocol

Section 2 What’s New in Version 6.3

What’s New in Version 6.3

The new features for COS 6.3 are:

New Embedded Web Server

Not only is the look and feel different, but the database and the web server engine are new and more ﬂexible.

The design of the new web server is geared to make navigation easier, providing the most commonly used items ﬁrst. Context-sensitive help is provided.

Maintenance Enhancements

The maintenance enhancements are:

Computer Names

In addition to the IP address, the computer name is now listed in the DHCP lease table and the WAN users table. This allows users to more easily identify the computers in these tables. The computer name is only known if using DHCP to get its IP address.

Updater

This application, Updater Version 1.1, prepares the Gateway for installation of COS 6.3

Updater V 1.1 is required for users running COS 5.6.2 or lower. For complete details see page 84 of this document.

802.11b Wireless Update

Improved software to support 802.11b wireless base stations response to client requests made after an extended period of LAN inactivity.

NIST UTC Reference Signal

Cayman Gateways acquire the Universal Coordinated Time reference signal from the National Institute of Standards and Technology. This provides date and time information for log entries.

Section 2 Capabilities Roadmap for COS 6.3

Capabilities Roadmap for COS 6.3

Cayman Gateways support a wide array of features and functionality. This roadmap points you to overview discussions and How To procedures.

Capabilities Roadmap:

Cayman Gateways with COS 6.3

General

Management

LAN

WAN

Feature New for COS

6.3

Software Feature Keys Yes

Embedded Web Server Changed Diagnostics

DHCP Server DHCP Relay-agent DNS Proxy

DHCP Client PPPoE Multiple PPPoE Sessions Yes Static IP Address

Outline Page

Details

14 93

15 29 15 99

16 59 16 59 16 124

17 123 17 136

18 41

IPMaps (Multiple Static IP Addresses) Yes Pinholes User Limits Yes

Security

Password Protection Network Address Translation (NAT) Instant-On PPP Security Monitoring Log Yes VPN IPSec Pass Through SafeHarbour VPN IPSec Tunnel Yes BreakWater Basic Firewall Yes

18 52 21 46

103

19 66 19 17 138 22 80 27 73 28 73 26 69

Section 3 General

Overview of Major Capabilities

General

Feature Keys

Section 3

This section describes the principal features of Cayman Operating System version 6.3. The information is grouped by usage area.

Certain functionality in this release is controlled through software feature keys. These keys are proprietary ﬁles with the following properties:

• They are speciﬁc to the serial number of the target unit.

• Once installed, and the Gateway restarted, the desired enhancement is

enabled, which then allows full access to: – Conﬁguration

– Operation – Maintenance – Administration

• They will not enable the desired feature on a unit with the wrong serial number.

– They are rejected upon “Restart”, not when the ﬁle is downloaded.

Enhanced capabilities requiring a feature key include:

• Tiered Operating System

• Security Monitoring Log

• BreakWater Basic Firewall

• SafeHarbour IPSec Tunnel Termination

Many Netopia Cayman-series Gateways ship with particular feature key sets pre-enabled. You can check the feature keys enabled on your Gateway in the System Status web page. See “System Status” on page 101.

Section 3 General

Management

Embedded Web Server

There is no specialized client software required to conﬁgure, manage, or maintain your Cayman Gateway. Web pages embedded in the operating system provide access to the following Gateway operations:

• Setup

• System and security logs

• Diagnostics functions

Once you have removed your Cayman Gateway from its packing container and powered the unit up, use any LAN attached PC or workstation running a common web browser application to conﬁgure and monitor the Gateway.

Diagnostics

In addition to the Gateway’s visual LED indicators, you access an extensive suite of diagnostic facilities by browsing to the unit.

Two of the facilities are:

• Automated “Multi-Layer” Test

The Run Diagnostics link initiates a sequence of tests. They examine the functionality of the Gateway, from the physical connections (OSI Layer 1) to the application trafﬁc (OSI Layer 7).

• Network Test Tools

Three test tools to determine network reachability are available:

– Ping - tests the “reachability” of a particular network destination by

sending an ICMP echo request and waiting for a reply.

– TraceRoute - displays the path to a destination by showing the

number of hops and the router addresses of these hops.

– NSLookup - converts a domain name to its IP address and vice

versa.

The system log also provides diagnostic information.

Your Service Provider may request information that you acquire from these various diagnostic tools. Individual tests may be performed at the command line. (See Appendix A).

Section 3 General

Local Area Network

DHCP (Dynamic Host Conﬁguration Protocol) Server

DHCP Server functionality enables the Gateway to assign your LAN computer(s) a “private” IP address and other parameters that allow network communication. The default DHCP Server conﬁguration of the Gateway supports up to 253 LAN IP addresses.

This feature simpliﬁes network administration because the Gateway maintains a list of IP address assignments. Additional computers can be added to your LAN without the hassle of conﬁguring an IP address.

DHCP (Dynamic Host Conﬁguration Protocol) Relay Agent

DHCP Relay functionality enables the Gateway to forward a DHCP client request to a speciﬁed DHCP Server . This assigned DHCP Server will reply to the request with an IP address and other network parameters.

DNS Proxy

Domain Name System (DNS) provides end users with the ability to look for devices or web sites through the use of names, rather than IP addresses. For websurfers, this technology allows a user to enter the URL (Universal Resource Locator) text string to access a desired website. Each text string identiﬁer has an associated IP address, a series of numbers in the format of xxx.xxx.xxx.xxx (e.g. 147.240.101.006). It is DNS servers that are responsible for this text-to-IP Address translation. DNS Servers, in most cases, are located at Internet Service Provider facilities. They translate domain names into the desired IP address for locating an Internet website by answering DNS requests.

The Cayman DNS Proxy feature allows the LAN-side IP address of the Gateway to be used for proxying DNS requests from hosts on the LAN to the DNS Servers conﬁgured in the gateway . This is accomplished by having the Gateway's LAN address handed out as the “DNS Server” to the DHCP clients on the LAN.

The Cayman DNS Proxy only proxies UDP DNS queries, not TCP DNS queries.

Section 3 General

Wide Area Network

DHCP (Dynamic Host Conﬁguration Protocol) Client

DHCP Client functionality enables the Gateway to request an IP address from your Service Provider. DHCP servers on your Service Provider’s network reply to DHCP Client requests and assign the network parameters.

PPPoE (Point-to-Point Protocol over Ethernet)

The PPPoE speciﬁcation, incorporating the PPP and Ethernet standards, allows your computer(s) to connect to your Service Provider’s network through your Ethernet WAN connection. The Netopia Cayman-series Gateway supports PPPoE, eliminating the need to install PPPoE client software on any LAN computers.

Service Providers may require the use of PPP authentication protocols such as Challenge Handshake Authentication Protocol (CHAP) or Password Authentication Protocol (PAP). CHAP and PAP use a username and password pair to authenticate users with a PPP server.

A CHAP authentication process works as follows:

1. The password is used to scramble a challenge string.

2. The password is a shared secret, known by both peers.

3. The unit sends the scrambled challenge back to the peer.

PAP, a less robust method of authentication, sends a username and password to a PPP server to be authenticated. PAP’s username and password pair are not encrypted, and therefore, sent “unscrambled”.

Instant-On PPP

You can conﬁgure your Gateway for one of two types of Internet connections:

• Always On

• Instant On

These selections provide either an uninterrupted Internet connection or an as-needed connection.

While an Always On connection is convenient, it does leave your network permanently connected to the Internet, and therefore potentially vulnerable to attacks.

Cayman's Instant On technology furnishes almost all the beneﬁts of an Always-On connection while providing two additional security beneﬁts:

• Your network cannot be attacked when it is not connected.

Section 3 General

• Your network may change address with each connection making it more difﬁcult to attack.

When you conﬁgure Instant On access, you can also conﬁgure an idle time-out value. Your Gateway monitors trafﬁc over the Internet link and when there has been no trafﬁc for the conﬁgured number of seconds, it disconnects the link.

When new trafﬁc that is destined for the Internet arrives at the Gateway, the Gateway will instantly re-establish the link.

Your service provider may be using a system that assigns the Internet address of your Gateway out of a pool of many possible Internet addresses. The address assigned varies with each connection attempt, which makes your network a moving target for any attacker.

Static IP Addresses

If your Service Provider requires the Cayman Gateway to use Static IP addressing, you must conﬁgure your Gateway for it. Dynamically assigned addresses allow a service provider’s customer to install their Gateway without WAN conﬁguration. Static addresses never time out; dynamic addresses time out and will be reassigned.

A static IP address is preferred for setting up and maintaining pinholes through the Cayman Gateway’s NAT security facility.

Your Service Provider may not offer a static IP address option.

IPMaps

IPMaps supports one-to-one Network Address Translation (NAT) for IP addresses assigned to servers, hosts, or speciﬁc computers on the LAN side of the Cayman Gateway.

With IPMaps, a Service Provider-assigned static IP address is mapped to a speciﬁc internal device. This allows a LAN-located device to appear public without compromising other locally attached devices. The external IP addresses must be on the same subnet.

IPMaps is used for applications such as Web, email, and FTP servers.

See How To: Configure for IPMaps on page 52 for more information.

Section 3 General

Security

Password Protection

Access to your Cayman device is controlled through two access control accounts, Admin or User.

• The Admin, or administrative user , performs all conﬁguration, management or maintenance operations on the Gateway.

• The User account provides monitor capability only. A user may NOT change the conﬁguration, perform upgrades or invoke maintenance functions.

For the security of your connection, an Admin password must be set on the Cayman unit.

Network Address Translation (NAT)

The Cayman Gateway Network Address Translation (NAT) security feature lets you conceal the topology of a hard-wired Ethernet or wireless network connected to its LAN interface from routers on networks connected to its WAN interface. In other words, the end computer stations on your LAN are

invisible from the Internet.

Only a

single WAN IP address is required to provide this security support

for your entire LAN. LAN sites that communicate through an Internet Service Provider typically

enable NAT, since they usually purchase only one IP address from the ISP.

• When NAT is ON, the Cayman Gateway “proxies” for the end com- puter stations on your network by pretending to be the originating host for network communications from non-originating networks. The WAN interface address is the only IP address exposed.

The Cayman Gateway tracks which local hosts are communicating with which remote hosts. It routes packets received from remote networks to the correct computer on the LAN (Ethernet A) interface.

• When NAT is OFF, a Cayman Gateway acts as a traditional TCP/IP router, all LAN computers/devices are exposed to the Internet.

A diagram of a typical NAT-enabled LAN is shown below:

Section 3 General

Dual Ethernet Gateway

Internet

WAN

Ethernet Interface

LAN

Ethernet

Interface

NAT

Cable

Modem

NAT-protected LAN stations

Embedded Admin Services: HTTP-Web Server and Telnet Server Port

A similar conﬁguration applies to a DSL WAN interface (3220 family).

1. The default setting for NAT is ON.

2. Cayman uses Port Address Translation (PAT) to implement the NAT facility.

3. NAT Pinhole trafﬁc (discussed below) is always initiated from the WAN side.

Cayman Advanced Features for NAT

Using the NAT facility provides effective LAN security. However, there are user applications that require methods to selectively by-pass this security function for certain types of Internet trafﬁc.

Cayman Gateways provide special pinhole conﬁguration rules that enable users to establish NAT-protected LAN layouts that still provide ﬂexible bypass capabilities.

Some of these rules require coordination with the unit’s embedded administration services: the internal Web (HTTP) Port (TCP 80) and the internal Telnet Server Port (TCP 23).

Internal Servers

Related to the pinhole conﬁguration rules is an internal port forwarding facility that enables you to:

• Direct trafﬁc to speciﬁc hosts/computers on the LAN side of the Gateway.

• Eliminate conﬂicts with embedded administrative ports 80 and 23.

Section 3 General

Pinholes

This feature allows you to:

• Transparently route selected types of network trafﬁc using the port forwarding facility.

– FTP requests or HTTP (Web) connections are directed to a speciﬁc

host on your LAN.

• Setup multiple pinhole paths. – Up to 32 paths are supported

• Identify the type(s) of trafﬁc you want to redirect by port number.

Common TCP/IP protocols and ports are:

FTP (TCP 21) telnet (TCP 23) SMTP (TCP 25) HTTP (TCP 80)

SNMP (TCP 161, UDP 161)

See page 47 for How To instructions.

Default Server

This feature allows you to:

• Direct your Gateway to forward all externally initiated IP trafﬁc (TCP and UDP protocols only) to a default host on the LAN.

• Enable it for certain situations: – Where you cannot anticipate what port number or packet protocol

an in-bound application might use. For example, some network games select arbitrary port numbers when a connection is opened.

– When you want all unsolicited trafﬁc to go to a speciﬁc LAN host.

Default Server is not available for trafﬁc inbound via a SafeHarbour IPsec tunnel.

See page 56 for How To instructions.

Section 3 General

Combination NAT Bypass Conﬁguration

Specific pinholes and Default Server settings, each directed to different LAN devices, can be used together.

Creating a pinhole or enabling a Default Server allows inbound access to the speciﬁed LAN station. Contact your Network Administrator for LAN security questions.

Security Monitor

The Security Monitor detects security related events including common types of malicious attacks and writes them to a dedicated security log ﬁle. You view this log ﬁle from either:

• Cayman Web interface

• Text-based command line interface using a telnet or serial port facility

The log provides information useful in identifying a speciﬁc type of attack and tracing its origin. The log maintains 100 entries, and requires a manual reset once full. This preserves for troubleshooting purposes the acquired information about speciﬁc attacks, their frequency and tracing information.

See page 80 for more information about the Security Monitoring Log.

COS 6.3 Security Monitor software reports the following eight event types:

• IP Source Address Spooﬁng

• Source Routing

• Subnet Broadcast Ampliﬁcation

• Illegal Packet Size (Ping of Death)

• Port Scan (TCP/UDP)

• Excessive Pings

• Admin Login Failure

• MAC Address Spooﬁng

Section 3 General

Event Details

Details on the eight speciﬁc event types and the information logged are:

IP Source Address Spooﬁng

The Gateway checks all incoming packets to see if the IP address attached is valid for the interface the packet is received through. If the address of the packet is not valid for the interface the packet is discarded.

Logged information includes:

IP source address Number of attempts IP interface

IP destination address Time at last attempt

Source Routing

IP source routing information packets will be received and accepted by the Cayman Gateway. Logging of this activity is provided in the event the source route information has been forged, but appears as valid data.

Logged information includes:

IP source address Number of attempts IP interface

IP destination address Time at last attempt

Subnet Broadcast Ampliﬁcation

Distributed DoS (Denial of Service) attacks often use a technique known as broadcast ampliﬁcation, in which the attacker sends packets to a router’s subnet broadcast address. This causes the router to broadcast the packet to each host on the subnet. These, in turn, become broadcast sources, thereby involving many new hosts in the attack. The Cayman unit detects and discards any packets that would otherwise be transmitted to a subnet broadcast address. The Security Monitoring logs the event.

Logged information includes:

IP source address Number of attempts IP broadcast address

Illegal Packet Size (Ping of Death)

The maximum size of an IP packet is 64K bytes, but large packets must usually be fragmented into smaller pieces to travel across a network. Each fragment contains some information that allows the recipient to reassemble all of the fragments back into the original packet. However, the frag-

IP destination address Time at last attempt

Section 3 General

mentation information can also be exploited to create an illegally sized packet. Unwary hosts will often crash when the illegal fragment corrupts data outside of the “normal” packet bounds. The Cayman unit will detect and discard illegal packet fragments, and the Security Monitoring software logs the event.

Logged information includes:

IP source address Number of attempts Illegal packer size

IP destination address Time at last attempt

Port Scan

Port scanning is the technique of probing to determine the list of TCP or UDP ports on which a host, or in our case, a Gateway is providing services. For example, the HTTP service is usually available on TCP port 80. Once hackers have your port list, they can reﬁne their attack by focusing attention on these ports. According to the TCP/IP/UDP standards, a host will return an ICMP (Internet Control Message Protocol) message stating “port unreachable” on all inactive ports. The Security Monitoring software monitors these circumstances, and will log an alert if it appears the cause is the result of someone running a port scan.

Logged information includes:

Protocol type Time at last attempt Highest port Port numbers of ﬁrst 10 ports scanned

IP source address Number of ports scanned Lowest port

Excessive Pings

The PING (Packet InterNet Groper) Utility is used by hackers to identify prospective targets that can be attacked. The Security Monitoring software will record instances where the router itself is pinged by the same host more than ten times.

Logged information includes:

IP source address Number of attempts

IP destination address Time at last attempt

Section 3 General

The Cayman software provides the means for assigning passwords to the Admin or User accounts to control access to the Gateway. Any attempts to login are given three chances to enter a valid password. The Security Monitoring software records instances where the user fails to enter a valid password.

Logged information includes:

IP source address Attempt count

Number of attempts Time at last attempt

MAC Address Spooﬁng

A MAC (Media Access Control) Address Spooﬁng Attack can be identiﬁed based on the IP-interface where the illegitimate packet came from. If the interface that the spoofed packet arrives on does not have the same MAC address as the legitimate entry in the routing table, then an attack is logged.

Logged information includes:

IP source address IP interface

Number of attempts Time at last attempt

Section 3 General

BreakWater Basic Firewall

BreakWater delivers an easily selectable set of pre-conﬁgured ﬁrewall protection levels. These settings are readily available for simple implementation through Cayman’s embedded web server interface.

BreakWater provides you and your network with:

• Protection for all LAN users.

• Elimination of ﬁrewall management software on individual PC’s.

• Immediate protection through three pre-conﬁgured ﬁrewall levels.

• Elimination of the complexity associated with developing ﬁrewall rules.

See page 69 for How To Configure BreakWater instructions includ- ing a table of user tips.

BreakWater Settings

BreakWater Basic Firewall’s three settings are:

ClearSailing

ClearSailing provides protection against network initiated inbound trafﬁc, while securely passing outbound trafﬁc through the Gateway. In conjunction with Network Address Translation, this setting allows authorized remote diagnostic support while protecting against undesired inbound trafﬁc.

SilentRunning

Using this level of ﬁrewall protection allows secure transmission of outbound trafﬁc, but disables any attempt for inbound trafﬁc to identify the Gateway. This is the Internet equivalent of having an unlisted number.

LANdLocked

The third option available turns off all inbound and outbound trafﬁc, isolating the LAN and disabling all WAN trafﬁc.

BreakWater Basic Firewall operates independent of the Gateway’s NAT functionality.

Section 3 General

VPN IPSec Pass Through

This Cayman service supports your independent VPN client software in a transparent manner. Cayman has implemented an Application Layer Gateway (ALG) to support multiple PCs running IP Security protocols.

This feature has three elements:

1. On power up or reset, the address mapping function (NAT) of the Gateway’s WAN conﬁguration is turned on by default.

2. When you use your third-party VPN application, the Gateway recognizes the trafﬁc from your client and your unit. It allows the packets to pass through the NAT “protection layer” via the encrypted IPSec tunnel.

3. The encrypted IPSec tunnel is established “through” the Gateway.

A typical VPN IPSec Tunnel pass through is diagrammed below:

Cayman Gateway

Typically, no special conﬁguration is necessary to use the IPSec pass through feature. This feature may need to be disabled for special VPN clients that are designed to be supported through NAT.

In the diagram, VPN PC clients are shown behind the Cayman Gateway and the secure server is at Corporate Headquarters across the WAN. You cannot have your secure server behind the Cayman Gateway.

When multiple PCs are starting IPSec sessions, they must be started one at atime to allow the associations to be created and mapped.

Section 3 General

SafeHarbour VPN IPSec Tunnel

SafeHarbour VPN IPSec Tunnel provides a single, encrypted tunnel to be terminated on the Gateway, making a secure tunnel available for all LANconnected Users. This implementation offers the following:

• Eliminates the need for VPN client software on individual PC’s.

• Reduces the complexity of tunnel conﬁguration.

• Simpliﬁes the ongoing maintenance for secure remote access.

A VPN tunnel is a secure link between two networks interconnected over an IP network providing a secure, cost-effective alternative to dedicated leased lines.

SafeHarbour employs VPN standards, including:

• Internet Protocol Security (IPSec) suite, a series of protocols including encryption, authentication, integrity, and replay protection.

• Internet Key Exchange (IKE), a management protocol of IPSec.

Adherence to VPN standards allows seamless interoperability between a Cayman Gateway and another standards-based encryptor. SafeHarbour supports:

“HQNetOne”

• Symmetric encryption protocols DES, 3DES, Blowﬁsh, and CAST

• Hash algorithms MD5 and SHA1

• Difﬁe-Hellman groups 1, 2, and 5.

Terms are deﬁned in the Glossary and How To sections.

Encrypted IPSec Tunnel

“RemoteNetTwo”

IP Network

Tunnel Terminates at Standards-based Gateway

Tunnel Terminates at Cayman Gateway

SafeHarbour VPN IPSec Tunnel Termination

An important feature of the SafeHarbour VPN IPSec Tunnel is secure encryption of the conﬁgured circuit in both directions.

Section 4 Access the User Interface

Web-based User Interface

Section 4

Access the User Interface

Using the embedded Web-based user interface for the Netopia Caymanseries Gateway you can conﬁgure, troubleshoot, and monitor the status of your Gateway. For COS Version 6.3 the Web-based UI has been modiﬁed:

• To accomodate multiple new features of COS 6.3.

• To make using the entire facility easier.

Open the Web Connection

Once your Gateway is powered up, you can use any recent version of the best-known web browsers that support javascript and Cascading Style Sheets from any LAN-attached PC or workstation.

The procedure is:

Step 1 Enter the name or IP address of your Cayman Gateway in the Web browser's

window and click

For example, you would enter using its default IP address. You can enter period) or network conﬁguration from a DHCP server.

http://cayman-dsl.

Enter

http://192.168.1.254

http://cayman-2e.

if your computer has been conﬁgured to obtain its

if your Cayman Gateway is

(including the ﬁnal

Step 2 If an administrator or user password has been assigned to the Cayman

Gateway, enter password and click

The Cayman Gateway Home page opens.

If the Gateway is not conﬁgured, after logon you will see the Quickstart page.

Admin

User

as the username and the appropriate

Section 4 Home page

Home page

The Home page is the “dashboard” for your Cayman Gateway . The toolbar at the top provides links to controlling, conﬁguring, and monitoring pages. Critical conﬁguration and operational status is displayed in the center section. If you log on as Admin you see this page. This example screen is from the Dual Ethernet Gateway.

The Home page differs slightly between DSL and Dual Ethernet Gateways. Home page - User Mode, DSL Gateway

Section 4 Home page

Home page - Information

The Home page’s center section contains a summary of the Gateway’s conﬁguration settings and operational status.

Summary Information

Field Status and/or Description

General Information

Hardware Model number and summary speciﬁcation Serial Number Unique serial number, located on label attached to bottom of unit Software Ver-

sion Product ID Refers to internal circuit board series; useful in determining which software

Optional (Keyed)

- BreakWater Firewalll

WAN

Status Wide Area Network is either Up or Down IP Address IP address assigned to the WAN port. Default Gate-

way DHCP Client Default setting lets a WAN host conﬁgure the IP address and other network

NAT On or Off. ON if using Network Address Translation to share the IP address

Netmask Deﬁnes the IP subnet for the WAN DHCP Lease

Expires

Release and build number of running Cayman Operating System.

upgrade applies to your hardware type.

Indicates which BreakWater Basic Firewall protection level is enabled: ClearSailing, SilentRunning, or LANdLocked

IP address of the host to which your Gateway sends network trafﬁc when it can’t ﬁnd the destination host.

settings for the WAN interface of your Cayman Gateway.

across many LAN users.

Displays the amount of time remaining on current lease

WAN Users Displays the number of users allotted and the total number available for use.

LAN

IP Address Internal IP address of the Cayman Gateway. Netmask Deﬁnes the IP subnet for the LAN

Default is 255.255.255.0 for a Class C device DHCP Server On or Off. ON if using DHCP to get IP addresses for your LAN client machines. DNS IP address of the Domain Name Server. Leases in Use A “lease” is held by each LAN client that has obtained an IP address through

DHCP.

Section 4 Toolbar

Toolbar

The toolbar is the dark blue bar at the top of the page containing the major navigation buttons. These buttons are available from almost every page, allowing you to move freely about the site. The example toolbar shown below is displayed when you log on as Admin. If you log on as User, some buttons will not be shown.

Home Conﬁgure Troubleshoot Security Install Restart Help

Quickstart System Status Passwords Install Keys

LAN Network

Tools WAN Diagnostics IPSec Advanced Security Log

Firewall Install Soft-

Navigating the Web Interface

Link

Response

Comment

Breadcrumb Trail

The breadcrumb trail is built in the light brown area beneath the toolbar. As you navigate down a path within the site, the trail is built from left to right. To return anywhere along the path from which you came, click on one of the links.

ware

Section 4 Restart

Restart

Button

Response

Restart

Comment

The Restart button on the toolbar allows you to restart the Gateway at any time. You will be prompted to conﬁrm the restart before any action is taken. The Restart Conﬁrmation message explains the consequences of and reasons for restarting the Gateway

Section 4 Restart

Link

Response

Comment

Alert Symbol

The Alert symbol appears in the upper right corner under one of two circumstances:

1. a database change; one in which a change is made to the Gateway’s conﬁguration. The Alert serves as a reminder that you must Save the changes and Restart the Gateway before the change will take effect. You can make many changes on various pages, and even leave the browser for up to 8 minutes, but if the Gateway is restarted before the changes are applied, they will be lost. When you click on the Alert symbol, the Save Changes page appears. Here you can select various options to save or discard these changes.

2. a security event is logged. If you have Security Monitoring keyed, you receive Alerts whenever there is an event in the log that has not been viewed. When you click the Alert symbol the Security Log is displayed and the Alert clears.

If both types of Alert are triggered, you will need to take action to clear the ﬁrst type of Alert before you can see the second Alert.

Section 4 Help

Help

Button

Response

Help

Comment

Context-sensitive Help is provided in Release 6.3. The page shown above is displayed when you are on the Home page or other transitional pages. To see a context help page example, go to

Help

click

Security -> Passwords

, then

Section 4 Configure

Conﬁgure

Button

Comment

Quickstart

Conﬁgure

The Conﬁguration options are presented in the order of likelihood you will need to use them. Quickstart is typically accessed during the hardware installation and initial conﬁguration phase. Often, these settings

should be changed only in accordance with information from your

Service Provider. LAN and WAN settings are available to ﬁne-tune your

system. Advanced provides some special capabilities typically used for gaming or small ofﬁce environments, or where LAN-side servers are involved.

This button will not be available if you log on as User.

How to Use the Quickstart Page

Quickstart is normally used immediately after the new hardware is installed. When you are ﬁrst conﬁguring your Gateway, Quickstart appears after you log on.

(Once you have conﬁgured your Gateway, logging on displays the Home page. Thereafter, if you need to use Quickstart, choose it from the Conﬁgure menu.)

The Quickstart page you see depends on your type of Gateway and the type of connection to your service provider. You may have one of the following types of connection to your service provider:

• DHCP (without PPP) - see “Setup Your Gateway using a DHCP Connec-

tion” on page 37

• PPP - see “Setup Your Gateway using a PPP Connection” on page 40

• Static IP Address - “Setup Your Gateway using a Static IP Address” on

page 41

Section 4 Configure

Link

Response

Comment

Conﬁgure -> Quickstart

Setup Your Gateway using a DHCP Connection

This example screen is for a DHCP Quickstart conﬁguration. Your Service Provider will instruct you as to whether or not the Other Quickstart Options need to be conﬁgured. If they are not needed, you should be ready to access the Internet. If required, click the Options page.

Advanced

link to access the Other Quickstart

The Other Quickstart Options page allows you to change the System Name or your Gateway’s Ethernet MAC address.

System Name is your Gateway’s factory identiﬁer combined with its serial number. By default, this identiﬁer is automatically captured for this ﬁeld.

Section 4 Configure

Some broadband cable-oriented Service Providers use the System Name as an important identiﬁcation and support parameter. If your Gateway is part of this type of network, do NOT alter the System Name unless speciﬁcally instructed by your Service Provider

If you need to change either of these ﬁelds, use the following procedure.

Change Procedure

Step 1 Enter your selected System Name.

You can use the default System name or select your own. The System Name can be 1-32 characters long.

Step 2 Select the

A new ﬁeld is displayed.

Enter your 12-character Ethernet MAC override address as instructed by your service provider, for example: 12 34 AB CD 19 64

Step 3 Click

This turns on the Alert (“!”) button in the top right corner of the page.

Step 4 Click the

Step 5 Click on the

Enable MAC Override

Submit

Alert

checkbox.

button to go to the page to save your changes.

Save and Restart

link.

Section 4 Configure

You will be returned to the Home page. A warning is displayed on this page while the Gateway restarts.

Section 4 Configure

Setup Your Gateway using a PPP Connection

Response

Comment

This example screen is the for a PPP Quickstart conﬁguration. Your gateway authenticates with the Service Provider equipment using the ISP Username and Password. These values are given to you by your Service Provider.

Step 1 Enter your ISP Username and ISP Password.

Step 2 Click

Step 3 Click the

Step 4 Click on the

Submit

This turns on the Alert (“!”) button in the top right corner of the page.

Alert

button to go to the page to save your changes.

Save and Restart

link.

You will be returned to the Home page. A warning is displayed on this page while the Gateway restarts.

Section 4 Configure

Setup Your Gateway using a Static IP Address

If your service provider supplies you with a static IP address, your Gate-

way’s Quickstart page will offer the ﬁelds required to enter the appropri-

ate information for this type of conﬁguration.

Conﬁguration Procedure

The Quickstart page designed for a static IP address offers the following ﬁelds for you to supply the required information:

Step 1 Enter the values provided by your Internet Service Provider in the Quickstart

ﬁelds. Complete the following ﬁelds:

Field Description

WAN IP Address

WAN IP Netmask

The IP address assigned to your Cayman Gateway. Deﬁnes the IP subnet mask for the WAN network connected to your

Gateway.

Default Gateway

IP address of the host to which the Cayman Gateway should send network trafﬁc when it can't ﬁnd the destination host.

Domain Name

Primary DNS Server Address

Secondary DNS Server Address

Step 2 Click the

Step 3 The

The domain name supplied by your service provider. The IP address of the primary DNS name server for your network.

The IP address of the backup DNS name server for your network.

Submit

Alert

button appears. Click the

button to save the modiﬁed conﬁguration.

Alert

button.

Section 4 Configure

Step 4 When you see the Save Changes page, click the

Save and Restart

link to

restart your Cayman Gateway with its new conﬁguration settings.

You will be returned to the Home page. A warning is displayed on this page while the Gateway restarts.

Step 5 After your Cayman Gateway restarts, use your browser to verify that you

can access the Internet.

Your Cayman Gateway can now use the conﬁgured IP parameters

Do NOT confuse this procedure that establishes an IP address for the Gateway’s default IP trafﬁc with conﬁguring multiple static IP addresses used with the IPMaps feature

Section 4 Configure

LAN

Link

Response

Conﬁgure -> LAN

Comment

* Interface Enable: Enables all LAN-connected computers to shared resources and to connect to the WAN. The Interface should always be enabled unless you are instructed to disable it by your Service Provider during troubleshooting.

* IP Address: The LAN IP Address of the Gateway. The IP Address you assign to your LAN interface must not be used by another device on your LAN network.

* IP Netmask: Speciﬁes the subnet mask for the TCP/IP network connected to the virtual circuit. The subnet mask speciﬁes which bits of the 32-bit binary IP address represent network information. The default subnet mask for most networks is 255.255.255.0 (Class C subnet mask.)

* Restrictions: Speciﬁes whether an administrator can open a Telnet connection to the Gateway over the LAN interface in order to monitor and conﬁgure the Gateway. On the LAN Interface, you can enable or disable administrator access. By default, administrative restrictions are turned off, meaning an administrator can open a Telnet connection through the LAN Interface.

Section 4 Configure

WAN

Link

Response

Comment

Conﬁgure -> WAN

WAN IP Interfaces

Your IP interfaces are listed. Click on an interface to conﬁgure it.

IP Gateway

Enable Gateway: You can conﬁgure the Gateway to send packets to a

default gateway if it does not know how to reach the destination host.

Interface Type: If you have PPPoE enabled, you can specify that packets

destined for unknown hosts will be sent to the gateway being used by the remote PPP peer.. If you select ip-address, you must enter the IP address of a host on a local or remote network to receive the trafﬁc.

Default Gateway: The IP Address of the default gateway.

Other WAN Options

PPPoE: You can enable PPPoE and the number of PPPoE Sessions. The IP

Interface(s) should be reconﬁgured after changing this setting.

ATM: You can conﬁgure the A TM cir cuits and the number of Sessions. The IP

Interface(s) should be reconﬁgured after making changes here.

Section 4 Configure

Advanced

The following are links under Conﬁgure -> Advanced:

Link

Comment

Link

Response

Advanced

Selected Advanced options are discussed in the pages that follow . Many

are self-explanatory or are dictated by your service provider.

IP Static Routes

Description

A static route identiﬁes a manually conﬁgured pathway to a remote net-

work. Unlike dynamic routes, which are acquired and conﬁrmed peri-

odically from other routers, static routes do not time out. Consequently ,

static routes are useful when working with PPP, since an intermittent

PPP link may make maintenance of dynamic routes problematic.

You can conﬁgure as many as 16 static IP routes for the Gateway.

Section 4 Configure

Link

Response

Description

IP Static ARP

Your Gateway maintains a dynamic Address Resolution Protocol (ARP)

table to map IP addresses to Ethernet (MAC) addresses. It populates this

ARP table dynamically, by retrieving IP address/MAC address pairs only

when it needs them. Optionally, you can deﬁne static ARP entries to

map IP addresses to their corresponding Ethernet MAC addresses.

Unlike dynamic ARP table entries, static ARP table entries do not time

out. The IP address cannot be 0.0.0.0. The Ethernet MAC address entry

is in nn-nn-nn-nn-nn-nn (hexadecimal) format.

Link

Response

Description

Pinholes

Pinholes allow you to transparently route selected types of network traf-

ﬁc, such as FTP requests or HTTP (Web) connections, to a speciﬁc host

behind the Gateway . Creating a pinhole allows access trafﬁc originating

from a remote connection (WAN) to be sent to the internal computer

(LAN) that is speciﬁed in the Pinhole page.

Contact your Network Administrator for LAN security questions.

Pinholes are common for applications like multiplayer online games.

Refer to software manufacturer application documentation for speciﬁc

trafﬁc types and port numbers.

Section 4 Configure

Conﬁgure Speciﬁc Pinholes

Planning for Your Pinholes

Determine if any of the service applications that you want to provide on

your LAN stations utilize TCP or UDP protocols. If an application does, then you must conﬁgure an Internal Server to implement port forwarding. This is accessed from the Advanced -> Internal Servers page.

Example: A LAN Requiring Three Pinholes

The procedure on the following pages describes how you set up your NATenabled Cayman Gateway to support three separate applications. This requires passing three kinds of speciﬁc IP trafﬁc through to your LAN.

Application 1: You have a Web server located on your LAN behind your Cayman Gateway and would like users on the Internet to have access to it. With NAT “On”, the only externally visible IP address on your network is the Gateway’s WAN IP (supplied by your Service Provider). All trafﬁc intended for that LAN Web server must be directed to that IP address.

Application 2: You want one of your LAN stations to act as the “central repository” for all email for all of the LAN users.

Application 3: One of your LAN stations is specially conﬁgured for game applications. Again, you want this speciﬁc LAN station to be dedicated to games.

A sample table to plan the desired pinholes is:

WAN Trafﬁc Type Protocol Pinhole Name LAN Internal IP Address

Web TCP my-webserver 192.168.1.1

Email TCP my-mailserver 192.168.1.2

Games UDP my-games 192.168.1.3

For this example, Internet protocols TCP and UDP must be passed through the NAT security feature and the Gateway’s embedded Web (HTTP) port must be re-assigned by conﬁguring new settings on the Internal Servers page.

Section 4 Configure

TIPS for making Pinhole Entries

1. If the port forwarding feature is required for Web services, ensure that the embedded Web server’s port number is re-assigned PRIOR to any Pinhole data entry.

2. Enter data for one Pinhole at a time.

3. Use a unique name for each Pinhole. If you choose a duplicate name, it will overwrite the previous information without warning.

A diagram of this LAN example is:

Internet

Gateway

WAN Ethernet

Interface

210.219.41.20

NAT

Embedded Web Server

210.219.41.20:8100

NAT Pinholes

LAN Ethernet Interface

my-webserver

192.168.1.1

my-mailserver

192.168.1.2

my-games

192.168.1.3

Section 4 Configure

Pinhole Conﬁguration Procedure

Use the following steps:

Step 1 From the

Servers

Since Port Forwarding is required for this example, the Cayman embedded Web server is conﬁgured ﬁrst.

link.

The two text boxes, Web (HTTP) Server Port and Telnet Sever Port, on this page refer to the port numbers of the Cayman Gateway’s embedded admin- istration ports.

To pass Web trafﬁc through to your LAN station(s), select a Web (HTTP) Port number that is greater than 1024. In this example, you choose 8100.

Step 2 Type

Step 3

8100

Conﬁgure

toolbar button ->

Advanced

in the Web (HTTP) Server Port text box.

link, select the

Internal

Step 4 Click the

Step 5 Click

Advanced

Submit

button.

. Select the

Pinholes

link to go to the Pinhole page.

Section 4 Configure

Step 6 Click

Click

Add

. Type your speciﬁc data into the Pinhole Entries table of this page.

Submit

Step 7 Click on the

page. Click Pinhole.

Pinholes

Add

link in the Breadcrumb Trail to go to the Pinholes entry

. Add the next Pinhole. Type the speciﬁc data for the second

Step 8 Click on the

page. Click the third Pinhole.

Pinholes

Add

. Add the next Pinhole. Type the speciﬁc data for the

link in the Breadcrumb Trail to go to the Pinholes entry

Section 4 Configure

Note the following parameters for the “my-games” Pinhole:

1. The Protocol ID is UDP.

2. The external port is speciﬁed as a range.

3. The Internal port is speciﬁed as the lower range entry.

Step 9 Click on the

page. Review your entries to be sure they are correct.

Step 10 Click the

Step 11 Select the

Alert

Save and Restart

and ensure that the parameters are properly saved.

REMEMBER: When you have re-assigned the port address for the embedded Web server, you can still access this facility. Use the Gateway’s WAN address plus the new port number. In this example it would be <WAN Gateway address>:<new port number> or, in this case,

210.219.41.20:8100

Pinholes

button.

link in the Breadcrumb Trail to go to the Pinholes entry

link to complete the entire Pinhole creation task

Section 4 Configure

Link

Response

Comment

IPMaps

IPMaps supports one-to-one Network Address Translation (NAT) for IP addresses assigned to servers, hosts, or speciﬁc computers on the LAN side of the Cayman Gateway.

A single static or dynamic (DHCP) WAN IP address must be assigned to support other devices on the LAN. These devices utilize Cayman’s default NAT/PAT capabilities.

Conﬁgure the IPMaps Feature

FAQs for the IPMaps Feature

Before conﬁguring an example of an IPMaps-enabled network, review these frequently asked questions.

What are IPMaps and how are they used?

The IPMaps feature allows multiple static WAN IP addresses to be assigned to the Cayman Gateway.

Static WAN IP addresses are used to support speciﬁc services, like a web server, mail server, or DNS server . This is accomplished by mapping a separate static WAN IP address to a speciﬁc internal LAN IP address. All trafﬁc arriving at the Gateway intended for the static IP address is transferred to the internal device. All outbound trafﬁc from the internal device appears to originate from the static IP address.

Locally hosted servers are supported by a public IP address while LAN users behind the NAT-enabled IP address are protected.

IPMaps is compatible with the use of NAT, with either a statically assigned IP address or DHCP/PPP served IP address for the NAT table.

Section 4 Configure

What types of servers are supported by IPMaps?

IPMaps allows a Cayman Gateway to support servers behind the Gateway, for example, web, mail, FTP, or DNS servers. VPN servers are not supported at this time.

Can I use IPMaps with my PPPoE or PPPoA connection?

Yes. IPMaps can be assigned to the WAN interface provided they are on the same subnet. Service providers will need to ensure proper routing to

all IP addresses assigned to your WAN interface.

Will IPMaps allow IP addresses from different subnets to be assigned to my Gateway?

IPMap will support statically assigned WAN IP addresses from the same subnet.

WAN IP addresses from different subnets are not supported.

Section 4 Configure

IPMaps Block Diagram

The following diagram shows the IPMaps principle in conjunction with existing Cayman NAT operations:

Cayman Gateway

Static IP Addresses for IPMaps Applications

143.137.50.37

143.137.50.36

143.137.50.35 Static IP Addresses or DHCP/PPP Served IP Address for Cayman’s default NAT/P A T Capabilities

WAN Interface LAN Interface

IPMaps: One-to-One Multiple Address Mapping

NA T/P A T Tab le

143.137.50.37

143.137.50.36

143.137.50.35

LAN stations with WAN IP trafﬁc forwarded by Cayman’s IPMaps

LAN stations with WAN IP trafﬁc forwarded by Cayman’s NAT function.

...

192.168.1.1

192.168.1.2

192.168.1.3

...

192.168.1.n

192.168.1.1

192.168.1.2

192.168.1.3

192.168.1.n

Section 4 Configure

Link

Response

Description

Protocol Lifetimes

Each NAT Protocol map entry will time-out if there is no trafﬁc of that protocol for the speciﬁed number of minutes. For example, UDP entries time-out if there is no UDP trafﬁc after 6 (default) minutes.

Link

Response

Description

Default Server

This feature allows you to: * Direct your Gateway to forward all externally initiated IP trafﬁc (TCP and UDP protocols only) to a default host on the LAN. * Enable it for certain situations: – Where you cannot anticipate what port number or packet protocol an in-bound application might use. For example, some network games select arbitrary port numbers when a connection is opened. – When you want all unsolicited trafﬁc to go to a speciﬁc LAN host.

Section 4 Configure

Conﬁgure a Default Server

This feature allows you to direct unsolicited or non-speciﬁc trafﬁc to a designated LAN station. With NAT “On” in the Gateway, these packets normally would be discarded.

For instance, this could be application trafﬁc where you don’t know (in advance) the port or protocol that will be utilized. Some game applications ﬁt this proﬁle.

Use the following steps to setup a NAT default server to receive this information:

Step 1 Select the

Step 2 Check the

appears.

Step 3 Determine the IP address of the LAN computer you have chosen to receive

the unexpected or unknown trafﬁc. Enter this address in the NAT Server IP Address ﬁeld.

Step 4 Click the

Step 5 Click the

Step 6 Click the

Conﬁgure

toolbar button, then

Enable Default Server

Submit

Alert

Save and Restart

button.

link to conﬁrm.

Advanced

checkbox. The NAT Server IP Address ﬁeld

, then the

Default Server

link.

NAT Default Server capability is not available over SafeHarbour IPsec.

Section 4 Configure

Typical Network Diagram

A typical network utilizing the NAT Default Server looks like this:

Internet

Gateway

LAN STN #3

192.168.1.3

WAN

Ethernet

Interface

210.219.41.20

LAN

Ethernet

Interface

NAT

LAN STN #2

192.168.1.2

NAT protected

Embedded

NAT Pinhole

Web Server

210.219.41.20 (Port 80 default)

NAT Default Server

192.168.1.1

NAT Combination Application

Cayman’s NAT security feature allows you to conﬁgure a sophisticated LAN layout that uses both the Pinhole and Default Server capabilities.

With this topology, you conﬁgure the embedded administration ports as a ﬁrst task, followed by the Pinholes and, ﬁnally, the NAT Default Server.

When using both NAT pinholes and NAT Default Server the Gateway works with the following rules (in sequence) to forward trafﬁc from the Internet to the LAN:

1. If the packet is a response to an existing connection created by outbound traf-

ﬁc from a LAN PC, forward to that station.

2. If not, check for a match with a pinhole conﬁguration and, if one is found, for-

ward the packet according to the pinhole rule.

3. If there’s no pinhole, the packet is forwarded to the Default Server.

Section 4 Configure

Link

Response

Description

DNS

Your Service Provider may maintain a Domain Name server. If you have the information for the DNS servers, enter it on the DNS page. If your Gateway is conﬁgured to use DHCP to obtain its WAN IP address, the DNS information is automatically obtained from that same DHCP Server.

Section 4 Configure

Link

Response

Description

DHCP Server

Your Gateway can provide network conﬁguration information to com-

puters on your LAN, using the Dynamic Host Conﬁguration Protocol

(DHCP).

If you already have a DHCP server on your LAN, you should turn this

service off.

If you want the Gateway to provide this service, click the

Server Mode

pulldown menu, then conﬁgure the range of IP addresses that you

would like the Gateway to hand out to your computers.

You can also specify the length of time the computers can use the con-

ﬁguration information; DHCP calls this period the lease time.

Your Service Provider may, for certain services, want to provide conﬁgu-

ration from its DHCP servers to the computers on your LANs. In this

case, the Gateway will relay the DHCP requests from your computers to

a DHCP server in the Service Provider's network.

Click the relay-agent and enter the IP address of the Service Provider's

DHCP server in the Server Address ﬁeld. This address is furnished by the

Service Provider.

Section 4 Configure

Link

Response

SNMP

Description

The Simple Network Management Protocol (SNMP) lets a network

administrator monitor problems on a network by retrieving settings

on remote network devices. The network administrator typically runs

an SNMP management station program on a local host to obtain

information from an SNMP agent. In this case, the Cayman Gateway

is an SNMP agent.

You enter SNMP conﬁguration information on this page.

Your network administrator furnishes the SNMP parameters.

SNMP presents you with a security issue. The community facility of SNMP behaves somewhat like a password. The community “public” is a well-known community name. It could be used to examine the conﬁguration of your Gateway by your service provider or an uninvited reviewer. While Cayman's SNMP implementation does not allow changes to the conﬁguration, the information can be read from the Gateway.

If you are strongly concerned about security, you may delete the “public” community.

Section 4 Configure

Link

Response

Description

Ethernet Bridge

Bridges let you join two local area networks, so that they appear to be

part of the same physical network. As a bridge for protocols other than

TCP/IP, your Gateway keeps track of as many as 255 MAC (Media

Access Control) addresses, each of which uniquely identiﬁes an individ-

ual host on a network. Your Gateway uses this bridging table to identify

which hosts are accessible through which of its network interfaces. The

bridging table contains the MAC address of each packet it sees, along

with the interface over which it received the packet. Over time, the

Gateway learns which hosts are available through its WAN port, its LAN

port, and/or its wireless interface.

Section 4 Configure

Link

Response

Description

System

The System Name defaults to your Gateway's factory identiﬁer com-

bined with its serial number. Some cable-oriented Service Providers use

the System Name as an important identiﬁcation and support parame-

ter. If your Gateway is part of this type of network, do NOT alter the

System Name unless speciﬁcally instructed by your Service Provider.

The System Name can be 1-63 characters long; it can include embed-

ded spaces and special characters.

The Log Message Level alters the severity at which messages are col-

lected in the Gateway's system log. Do not alter this ﬁeld unless

instructed by your Support representative.

Section 4 Configure

Link

Response

Description

Internal Servers

Your Gateway ships with an embedded Web server and support for a

Telnet session, to allow ease of use for conﬁguration and maintenance.

The default ports of 80 for HTTP and 23 for Telnet may be reassigned.

This is necessary if a pinhole is created to support applications using

port 80 or 23. See “Pinholes” on page 46 for more information on Pin-

hole conﬁguration.

Web (HTTP) Server Port: To reassign the port number used to access

the Cayman embedded Web server , change this value to a value greater

than 1024. When you next access the embedded Cayman Web server,

append the IP address with <port number>, (e.g. Point your browser to

http://210.219.41.20:8080)

Telnet Server Port: To reassign the port number used to access your

Cayman embedded Telnet server, change this value to a value greater

than 1024. When you next access the Cayman embedded T elnet server ,

append the IP address with <port number>, (e.g. telnet

210.219.41.20:2323)

Section 4 Configure

Link

Response

Description

Link

Ethernet MAC Address Override

You can override your Gateway’s Ethernet MAC address with any neces-

sary setting. Some ISPs require your account to be identiﬁed by the

MAC address, among other things. For information on setting this

parameter , see “How to Use the Quickstart Page” on page 36.

Trafﬁc Shaping

Response

Description

Trafﬁc shaping controls how much trafﬁc can ﬂow through an Ethernet

interface by limiting the size of the Ethernet pipe. This function is most

suitable for Internet Service Providers.

Enable Traffic Shaping on Port: Each Ethernet port providing trafﬁc

shaping capability is listed. Enable the port to set the trafﬁc shaping

rate.

Rate: This value, in bits per second, indicates the approximate speed at

which trafﬁc will ﬂow.

Section 4 Configure

Link

Response

Description

Comment

Clear Options

To restore the factory conﬁguration of the Gateway, choose Clear Options. You may want to upload your conﬁguration to a ﬁle before

performing this function. Clear Options does not clear feature keys or affect the software image

or BootPROM. You must restart the Gateway for Clear Options to take effect.

Section 4 Configure

Security

Button

Response

Description

Security

The Security features are available by clicking on the Security toolbar

button. Some items of this category do not appear when you log on as

User.

Link

Description

Passwords

Access to your Gateway is controlled through two user accounts,

Admin and User. When you ﬁrst power up your Gateway, you create a

password for the Admin account. The User account does not exist by

default. As the Admin, a password for the User account can be entered

or existing passwords changed.

Section 4 Configure

Create and Change Passwords

You can establish different levels of access security to protect your Cay-

man Gateway settings from unauthorized display or modiﬁcation.

• Admin level privileges let you display and modify all settings in the Cayman Gateway (Read/Write mode). The Admin level password is created when you ﬁrst access your Gateway.

• User level privileges let you display (but not change) settings of the Cayman Gateway. (Read Only mode)

To prevent anyone from observing the password you enter, characters in the old and new password ﬁelds are not displayed as you type them.

To display the Passwords window, click the Home page.

Security

toolbar button on the

Use the following procedure to change existing passwords or add the User password for your Cayman Gateway:

Step 1 Select the password type from the

Choose from Admin or User.

Step 2 If you assigned a password to the Cayman Gateway previously, enter your

current password in the

Step 3 Enter your new password in the

Cayman’s rules for a Password are:

Password Level

Old Password

New Password

pull-down list.

ﬁeld.

Section 4 Configure

• It can have up to eight alphanumeric characters.

• It is case-sensitive.

Step 4 Enter your new password again in the

You conﬁrm the new password to verify that you entered it correctly the ﬁrst time.

Step 5 When you are ﬁnished, click the

Submit

conﬁguration in the Cayman unit’s memory.

Password changes are automatically saved, and take effect immediately.

Conﬁrm Password

ﬁeld.

button to store your modiﬁed

Section 4 Configure

Link

Firewall

Use a Cayman Firewall

BreakWater Basic Firewall

BreakWater delivers an easily selectable set of pre-conﬁgured ﬁrewall protection levels. For simple implementation these settings (comprised of three levels) are readily available through Cayman’s embedded web

server interface. BreakWater Basic Firewall’s three settings are:

ClearSailing

ClearSailing, BreakWater's default setting, supports both inbound and outbound trafﬁc. It is the only basic ﬁrewall setting that fully interoperates with all other Cayman software features.

SilentRunning

Using this level of ﬁrewall protection allows transmission of outbound trafﬁc on pre-conﬁgured TCP/UDP ports. It disables any attempt for inbound trafﬁc to identify the Gateway. This is the Internet equivalent of having an unlisted number.

LANdLocked

The third option available turns off all inbound and outbound trafﬁc, isolating the LAN and disabling all WAN trafﬁc.

BreakWater Basic Firewall operates independent of the NAT functionality on the Gateway.

Configuring for a BreakWater Setting

Use these steps to establish a ﬁrewall setting:

Step 1 Ensue that you have enabled the BreakWater basic ﬁrewall with the

appropriate feature key.

See “Use Cayman Software Feature Keys” on page 93 for reference.

Step 2 Click the

Step 3 Click

Security

Firewall

toolbar button.

Section 4 Configure

Step 4 Click on the radio button to select the protection level you want. Click

Submit

Changing the BreakWater setting does not require a restart to take effect. This makes it easy to change the setting "on the ﬂy,” as your needs change.

TIPS for making your BreakWater Basic Firewall Selection

Application Select this Level Other Considerations

Typical Internet usage (browsing, e-mail)

Multi-player online gaming ClearSailing Set Pinholes; once deﬁned, pinholes will

Going on vacation LANdLocked Protects your connection while your away. Finished online use for the

day Chatting online or using

instant messaging

SilentRunning

be active whenever ClearSailing is set. Restore SilentRunning when ﬁnished.

LANdLocked This protects you instead of disconnecting

your Gateway connection.

ClearSailing Set Pinholes; once deﬁned, pinholes will

be active whenever ClearSailing is set.

Restore SilentRunning when ﬁnished.

Section 4 Configure

Basic Firewall Background

As a device on the Internet, a Cayman Gateway requires an IP address in order to send or receive trafﬁc.

The IP trafﬁc sent or received have an associated application port which is dependent on the nature of the connection request. In the IP protocol standard the following session types are common applications:

ICMP • HTTP • FTP

•

• SNMP • telnet • DHCP

By receiving a response to a scan from a port or series of ports (which is the expected behavior according to the IP standard), hackers can identify an existing device and gain a potential opening for access to an internet-connected device.

To protect LAN users and their network from these types of attacks, BreakWater offers three levels of increasing protection.

The following tables indicate the state of ports associated with ses- sion types, both on the WAN side and the LAN side of the Gateway.

This table shows how inbound traffic is treated. Inbound means the traffic is coming from the WAN into the WAN side of the Gateway.

Gateway: WAN Side

BreakWater Setting >> ClearSailing SilentRunning LANdLocked

Port Session Type --------------Port State-----------------------

20 ftp data Enabled Disabled Disabled 21 ftp control Enabled Disabled Disabled 23 telnet external Enabled Disabled Disabled 23 telnet Cayman server Enabled Disabled Disabled 80 http external Enabled Disabled Disabled 80 http Cayman server Enabled Disabled Disabled 67 DHCP client Enabled Enabled Disabled 68 DHCP server Not Applicable Not Applicable Not Applicable 161 snmp Enabled Disabled Disabled

ping (ICMP) Enabled Disabled Disabled

Section 4 Configure

This table shows how outbound traffic is treated. Outbound means the traffic is coming from the LAN-side computers into the LAN side of the Gateway.

Gateway: LAN Side

BreakWater Setting >> ClearSailing SilentRunning LANdLocked

Port Session Type --------------Port State-----------------------

20 ftp data Enabled Enabled Disabled 21 ftp control Enabled Enabled Disabled 23 telnet external Enabled Enabled Disabled 23 telnet Cayman server Enabled Enabled Enabled 80 http external Enabled Enabled Disabled 80 http Cayman server Enabled Enabled Enabled 67 DHCP client Not Applicable Not Applicable Not Applicable 68 DHCP server Enabled Enabled Enabled 161 snmp Enabled Enabled Enabled

ping (ICMP) Enabled Enabled WAN - Disabled

LAN Local Address Only

The Gateway’s WAN DHCP client port in SilentRunning mode is enabled. This feature allows end users to continue using DHCP-served IP addresses from their Service Providers, while having no identifiable presence on the Internet.

Section 4 Configure

Link

Response

IPSec

Description

Your Gateway supports two mechanisms for IPSec tunnels:

1. IPSec PassThrough supports Virtual Private Network (VPN) clients running on LAN-connected computers. Normally , this feature is enabled. However, you can disable it if your LAN-side VPN client includes its own NAT interoperability option.

2. SafeHarbour VPN IPSec is a keyed feature that enables Gateway-terminated VPN support.

Conﬁgure a SafeHarbour VPN

VPN IPSec Tunnel at the Gateway

SafeHarbour VPN IPSec Tunnel provides a single, encrypted tunnel to be terminated on the Gateway, making a secure tunnel available for all LAN- connected Users. This implementation offers the following:

• Eliminates the need for VPN client software on individual PC’s.

• Reduces the complexity of tunnel conﬁguration.

• Simpliﬁes the ongoing maintenance for secure remote access.

Section 4 Configure

A typical SafeHarbour conﬁguration is shown below:

Use these Best Practices in establishing your SafeHarbour tunnel.

1. Ensure that the conﬁguration information is complete and accurate

2. Use the Worksheet provided on page 76.

Parameter Description and Setup

The following table describes SafeHarbour’s parameters that are used for an IPSec VPN tunnel conﬁguration:

Auth Protocol Authentication Protocol for IP packet header. The three parameter values are

None, Encapsulating Security Payload (ESP) and Authentication Header (AH)

DH Group Difﬁe-Hellman is a public key algorithm used between two systems to determine

and deliver secret keys used for encryption. Groups 1, 2 and 5 are supported. Enable This toggle button is used to enable/disable the conﬁgured tunnel. Encrypt Protocol Encryption protocol for the tunnel session.

Parameter values supported include NONE or ESP. Hard MBytes Setting the Hard MBytes parameter forces the renegotiation of the IPSec Security

Associations (SAs) at the conﬁgured Hard MByte value.

The value can be conﬁgured between 1 and 1,000,000 MB and refers to data traf-

ﬁc passed. Hard Seconds Setting the Hard Seconds parameter forces the renegotiation of the IPSec Security

Associations (SAs) at the conﬁgured Hard Seconds value. The value can be conﬁg-

ured between 60 and 1,000,000 seconds Key Management The Key Management algorithm manages the exchange of security keys in the

IPSec protocol architecture. SafeHarbour supports the standard Internet Key

Exchange (IKE) Peer External IP Address The Peer External IP Address is the public, or routable IP address of the remote

gateway or VPN server you are establishing the tunnel with. Peer Internal IP NetworkThe Peer Internal IP Network is the private, or Local Area Network (LAN) address

of the remote gateway or VPN Server you are communicating with.

Section 4 Configure

Peer Internal IP NetmaskThe Peer Internal IP Netmask is the subnet mask of the Peer Internal IP Network. PFS DH Group Perfect Forward Secrecy (PFS) is used during SA renegotiation. When PFS is

selected, a Difﬁe-Hellman key exchange is required. SafeHarbour supports PFS DH

Groups 1, 2 and 5. Pre-Shared Key The Pre-Shared Key is a parameter used for authenticating each side. The value

can be an ASCII or Hex and a maximum of 64 characters. ASCII is case-sensitive. Pre-Shared Key Type The Pre-Shared Key Type classiﬁes the Pre-Shared Key. SafeHarbour supports

ASCII or HEX types Name The Name parameter refers to the name of the conﬁgured tunnel. This is mainly

used as an identiﬁer for the administrator. The Name parameter is an ASCII value

and is limited to 31characters. The tunnel name is the only IPSec parameter that

does not need to match the peer gateway. Negotiation Method This parameter refers to the method used during the Phase I key exchange, or IKE

process. SafeHarbour supports Main or Aggressive Mode. Main mode requires 3

two-way message exchanges while Aggressive mode only requires 3 total mes-

sage exchanges. SA Encrypt Type SA Encryption Type refers to the symmetric encryption type. This encryption algo-

rithm will be used to encrypt each data packet. SA Encryption Type values sup-

ported include DES, 3DES, CAST and Blowﬁsh. SA Hash Type SA Hash Type refers to the Authentication Hash algorithm used during SA negoti-

ation. Values supported include MD5 and SHA1. N/A will display if NONE is cho-

sen for Auth Protocol. Soft MBytes Setting the Soft MBytes parameter forces the renegotiation of the IPSec Security

Associations (SAs) at the conﬁgured Soft MByte value. The value can be conﬁg-

ured between 1 and 1,000,000 MB and refers to data trafﬁc passed. If this value is

not achieved, the Hard MBytes parameter is enforced. Soft Seconds Setting the Soft Seconds parameter forces the renegotiation of the IPSec Security

Associations (SAs) at the conﬁgured Soft Seconds value. The value can be conﬁg-

ured between 60 and 1,000,000 seconds.

Section 4 Configure

IPSec Tunnel Parameter Setup Worksheet

Parameter Cayman Peer Gateway

Name Peer External IP Address Peer Internal IP Network Peer Internal IP Netmask Enable Encrypt Protocol None

ESP

Auth Protocol None

ESP

AH Key Management IKE Pre-Shared Key Type HEX

ASCII Pre-Shared Key Negotiation Method Main

Aggressive DH Group 1

5 SA Encrypt Type DES

3DES

CAST

Blowﬁsh SA Hash Type N/A

MD5

SHA1 PFS DH Group Off

Soft MBytes 1 - 1000000 Soft Seconds 60 - 1000000 Hard MBytes 1 - 1000000 Hard Seconds 60 - 1000000

Section 4 Configure

SafeHarbour Tunnel Setup

Use the following tasks to conﬁgure an IPSec VPN tunnel on your Cayman Gateway.

Task 1: Ensure that you have SafeHarbour VPN enabled.

SafeHarbour is a keyed feature. See page 93 for information concerning installing Cayman Software Feature Keys.

Task2: Complete Parameter Setup Worksheet

IPSec tunnel conﬁguration requires precise parameter set between VPN devices. The Setup Worksheet facilitates setup and assures that the associated variables are identical.

Task 3: Enable IPSec

IPSec must be enabled on your Gateway to allow further VPN conﬁguration. Perform the following steps to enable IPSec:

Step 1 Browse to Gateway.

Step 2 Click the

Step 3 Click the

Step 4 Check the

Checking this box will automatically display the SafeHarbour IPSec Tunnel Entry parameters.

Security

IPSec

Enable SafeHarbour IPSec

toolbar button.

link.

checkbox.

Section 4 Configure

Leave the administrator instructs otherwise.

Enable NAT over Tunnel

Task 4: Make the IPSec Tunnel Entries

Enter the initial group of tunnel parameters. Refer to your Setup Worksheet and the Glossary of VPN Terms as required. Perform the following

steps:

Step 1 Enter tunnel

This is the only parameter that does not have to be identical to the peer/ remote VPN device

Step 2 Enter the

Step 3 Select

Step 4 Select

Step 5 Select

Encryption Protocol

Authentication Protocol

Key Management

Name

Peer External IP Address

from the pulldown menu.

choice as

Off

unless your network

Section 4 Configure

Step 6 Ensure that the toggle checkbox

On.

Step 7 Click

Add

The Tunnel Details page appears.

Enable

, which is On by default, remains

Task 5: Make the Tunnel Details entries

Use the following steps:

Step 1 Enter or select the required settings.

Step 2 Click

Step 3 Click the

Step 4 Click

Update

Save and Restart

Your SafeHarbour IPSec VPN tunnel is fully conﬁgured. Tunnel sessions can only be initiated from the LAN client side.

. The

Alert

button.

button appears.

Section 4 Configure

Link

Response

Description

Step 1 Click the

Step 2 Click the

Security Log

Security Monitoring detects security-related events, including common types of malicious attacks, and writes them to the security log ﬁle.

Using the Security Monitoring Log

You can view the Security Log at any time. Use the following steps:

Security toolbar button.

Security Log

link.

Step 3 Click the

An example of the Security Log is shown on the next page.

Step 4 When a new security event is detected, you will see the

The Security Alert remains until you view the information. Clicking the Alert button will take you directly to a page showing the log.

Show

link from the Security Log tool bar.

Alert

button.

Section 4 Configure

The capacity of the security log is 100 security alert messages. When the log reaches capacity, subsequent messages are not captured, but they are noted in the log entry count.

Remember that the “time stamp” is Universal Coordinated Time (UTC) which is the equivalent of Greenwich Mean Time. For your convenience, the table below lists the time offsets for various North American time zones. See Timestamp Background information on the next page for more details.

Table of Time Offsets (in hours) from GMT

Zone ->

Standard Time -10 -9 -8 -7 -6 -5 -4 0

Daylight Savings Time

Hawaii Alaska P aciﬁc Mountain Central Eastern Atlantic UTC/GMT

N/A -8 -7 -6 -5 -4 -3 0

Take the recorded UTC/GMT value and subtract the offset value to get the time that an event occurred in your system.

Reset

To reset this log, select

from the Security Monitor tool bar.

The following message is displayed.

When the Security Log contains no entries, this is the response

Timestamp Background

During bootup, to provide better log information and to support improved troubleshooting, a Cayman Gateway acquires the National Institute of Standards and Technology (NIST) Universal Coordinated Time (UTC) reference signal.

Once per hour, the Gateway attempts to re-acquire the NIST reference, for re-synchronization or initial acquisition of the UTC information. Once acquired, all subsequent log entries display this date and time information. UTC provides the equivalent of Greenwich Mean Time (GMT) information.

If the WAN connection is not enabled, the internal clocking function of the Gateway provides log timestamps based on “uptime” of the unit.

Section 4 Configure

Install

Button

Response

Description

Install

From the Install toolbar button you can:

• Install new Operating System Software

• Install new Feature Keys

Section 4 Configure

Install Software

Link

Response

Install Software

Comment

This page allows you to install an updated release of the Cayman Operating System (COS).

Updating Your Gateway to COS Version 6.3

Cayman Operating System Release 6.3 represents signiﬁcantly expanded functionality for your Cayman Gateway. To deliver these important features, the COS 6.3 image is larger than earlier versions and the updating process is different from earlier procedures. It requires careful attention to the instruction sequence.

Using the Web Page

You install a new operating system image in your unit from the Cayman embedded Web server’s Home page. For this process, the computer you are using to connect to the Cayman Gateway must be on the same local area network as the Cayman Gateway.

Section 4 Configure

Required Tasks

Task # Description Page #

Warnings:

COS 6.3 is NOT SUPPORTED on the following models: 2E with PID of 06xx 2E or 2E-H with internal memory of 2MBytes or less

1 Locate and confirm the required files. 2 Install and verify the Updater application code. 3 Install and verify the COS 6.3 image.

Depending on your particular subscriber agreement, you may need to install other feature key ﬁles.

COS 6.3 provides substantial new ﬂexibility and functionality for your Cayman Gateway. However, once you have upgraded to this version, you cannot revert back to a previous release.

Section 4 Configure

Task 1 Required Files

Upgrading to COS 6.3 requires THREE ﬁles:

1. Documentation -

2. Updater ﬁle

3. Cayman Operating System image

Software Upgrade Instructions

PDF ﬁle

Background

When you downloaded your operating system upgrade from the Cayman website you downloaded a ZIP ﬁle containing these ﬁles:

Software Upgrade Instructions

•

PDF ﬁle (the document you are reading

now)

• Updater ﬁle for your particular Gateway

• Cayman Operating System image for your particular Gateway

Confirm Updater and COS Image Files

The Updater and COS Image ﬁles are speciﬁc to the model and the product identiﬁcation (PID) number.

Step 1 Conﬁrm that you have received the appropriate Updater and COS Image

ﬁles using this table:

Model PID Updater File

COS 6.3.0R0 Image

3220-H 07xx u8a110R0.COS c8a630R0.COS 3220-H 08xx u8j110R0.COS c8j630R0.COS 3220-H-W11 08xx u8w110R0.COS c8w630R0.COS 3220-H-WRF 08xx u8w110R0.COS c8w630R0.COS 2E {see Warnings} 07xx u8e110R0.COS c8e630R0.COS 2E-H {see Warnings} 07xx u8e110R0.COS c8e630R0.COS 2E-H-W11 09xx u8ew110R0.COS c8ew630R0.COS 2E-H-WRF 09xx u8ew110R0.COS c8ew630R0.COS

Step 2 Copy the conﬁrmed Updater ﬁle to a convenient location on a computer on

your local area network. Be sure that you note the location.

Step 3 Copy the conﬁrmed COS 6.3 ﬁle to the same location.

Section 4 Configure

Contact Information

Contact Cayman Technical Support for questions concerning the upgrade process.

Contact Cayman Sales for speciﬁc advanced features. Use this contact information:

Web Access

Technical Support

Main Telephone

http://www.netopia.com/support 510-814-5000 ext 1 510-814-5100

Task 2 Updater File

Install Updater Application Code

If you are currently running a Cayman Operating System version COS 5.90 or higher, skip this Task and continue to page 89 for Task 3.

Use these steps to install the Updater software in your Gateway from the Home page:

Step 1 Open a web connection to your Gateway from a LAN computer.

From a web browser access the URL http://cayman-2E. or http://caymandsl. or http://192.168.1.254.

This Home page is from a Cayman 3220-H Gateway (DSL WAN access).

The Home page for a Cayman 2E-H Gateway (Ethernet WAN access) is similar.

Step 2 If necessary, save the LAN conﬁguration settings on your Cayman Gateway.

If you have not previously saved your conﬁguration (that is, if you are running the factory default conﬁguration your Cayman Gateway came with), click the

Section 4 Configure

Ethernet

window appears, click

button on the Cayman Gateway Home page. When the Ethernet

Save

If you have previously saved your Cayman Gateway conﬁguration, you can skip this step.

Step 3 Click the

Install Software

button on the Cayman Gateway Home page.

The Install New Cayman Software window opens.

This page is from a Cayman 3220-H Gateway (DSL WAN access).

The page for a Cayman 2E-H Gateway (Ethernet WAN access) is similar.

Step 4 Enter the Updater ﬁlename into the text window with one of these

techniques:

The Updater ﬁle name starts with the letter “u“ (for “Updater”). a. Click the

Browse

button, select the ﬁle you want, and click

Open

-orb. Enter the name and path of the update ﬁle you want to install in the text ﬁeld.

Step 5 Click the

Install

button.

The Cayman Gateway copies the Updater ﬁle from your computer and installs it into its memory storage. You see a series of dots appear on your screen as the image is copied and installed. You have the following visual guide from your unit:

3220-H

2E-H

DSL and Status LED indicators will blink. WAN LED indicator will blink.

When the image has been installed, the message “successful install of file” appears at the bottom of the screen.

Step 6 When the “Please Click Restart” message appears, click the

button and conﬁrm

Restart

Section 4 Configure

Your Cayman Gateway restarts with its new image. During this step you have the following visual guide from your unit:

3220-H 2E-H

DSL and Status LED indicators will blink for 30 seconds or more. WAN LED indicator will blink for 30 seconds or more.

Verify Updater Application Code

To verify that the Updater image has loaded successfully , use the following steps:

Step 7 Open a web connection to your Cayman Gateway from the computer on

your LAN; return to the Home page and select the

Step 8 Under the General toolbar, select the

Updater version 1.1

2002

Overview

2002

link.

Monitor

Verify

button.

This page is from a Cayman 3220-H Gateway (DSL WAN access).

The page for a Cayman 2E-H Gateway (Ethernet WAN access) is similar.

Step 9 Verify that the Cayman Gateway is running Updater version 1.1.

If the Updater is not running, the screen will show your COS version instead. If your COS version is earlier than 5.9, return to Task 1 and retry the installation.

Task 3 COS 6.3 Image File

Install the COS 6.3 Image

The COS installation process is similar to the Updater installation. To install the COS 6.3 software in your Cayman Gateway from the

use the following steps:

Page

Step 1 Open a web connection to your Cayman Gateway from the computer on

your LAN.

Step 2 Click the

The Install New Cayman Software window opens.

Install Software

button on the Cayman Gateway

Home

page.

Section 4 Configure

Step 3 Enter the ﬁlename into the text box by using one of these techniques:

The COS ﬁle name starts with the letter “c” (for “COS”). a. Click the Browse button, select the ﬁle you want, and click Open.

-orb. Enter the name and path of the software image you want to install in the text

ﬁeld and click

Open

Step 4 Click the

Install

button.

The Cayman Gateway copies the image ﬁle from your computer and installs it into its memory storage. You see a series of dots appear on your screen as the image is copied and installed. You have the following visual guide from your unit:

3220-H

2E-H

DSL and Status LED indicators will blink. WAN LED indicator will blink.

When the image has been installed, the message “successful install of file” appears at the bottom of the screen.

Step 5 When the “Please Click Restart” message appears, click the Restart

button and conﬁrm Restart.

Your Cayman Gateway restarts with its new image. During this step you receive the following visual guide from your unit:

3220-H

2E-H

DSL and Status LED indicators will blink for 30 seconds or more. WAN LED indicator will blink for 30 seconds or more.

Section 4 Configure

Verify the COS 6.3 Image

T o verify that the COS 6.3 image has loaded successfully, use the following steps:

Step 1 Open a web connection to your Cayman Gateway from the computer on

your LAN and return to the Home page.

The username admin (or user) is now a required ﬁeld for logging onto the web server. In earlier releases, only the password was required.

For COS 6.3 you now have a new layout. The screen shown below is from a Cayman 3220-H.

NOTES:

1. Extensive conﬁguration and status information is now available from the Home page.

2. Verify COS 6.3

Step 2 Verify that your Software Version is COS 6.3.

Section 4 Configure

If your admin password is not set, you will be prompted to set it before you reach the Home page.

This completes the UPGRADE process for COS 6.3.

Section 4 Configure

Install Keys

Link

Response

Comment

Install Keys

You can obtain advanced product functionality by employing a software Feature Key. Software feature keys are speciﬁc to a Gateway's serial number. Once the feature key ﬁle is installed and the Gateway is restarted, the new feature's functionality becomes enabled.

Use Cayman Software Feature Keys

Background

Cayman Gateway users obtain advanced product functionality by installing a software feature key . This concept utilizes a specially constructed and distributed ﬁle (referred to as a feature key) to enable additional capability

within the unit. Software feature key properties are:

Speciﬁc to a unit’s serial number

•

– They will not be accepted on a platform with another serial number.

Once installed, and the Gateway restarted, the new feature’s functionality becomes available. This allows full access to conﬁguration, operation, maintenance and administration of the new enhancement.

Software feature keys for COS 6.3 enable these enhancements:

Security Monitoring Log

•

Section 4 Configure

BreakWater Basic Firewall

•

• BarrierReef Advanced Firewall

• SafeHarbour IPSec Tunnel at the Gateway

Obtaining Software Feature Keys Contact your Service Provider to acquire a Software Feature Key.

Procedure - Install a New Feature Key File

With the appropriate feature key ﬁle resident on your LAN PC, use the steps listed below to enable a new function.

Step 1 From the Home page, click the

Step 2 Click

Step 3 Enter the feature key ﬁle name in the input Text Box.

Install Keys

The Install Key File page appears.

Install

toolbar button.

• Browse your drive for the ﬁle, or

• Type the full path and ﬁle name in the Text Box.

Step 4 Click the

Install Keys

button.

Section 4 Configure

Step 5 Click the

The Conﬁrmation screen appears.

Restart

toolbar button.

Step 6 Click the

Restart the Gateway

To check your installed features:

Step 1 Click the

Step 2 Click the

Install

List of Features

link to conﬁrm.

toolbar button.

link.

Section 4 Configure

The System Status page appears with the information from the features link displayed below. You can check that the feature you just installed is enabled.

Troubleshoot

Button

Troubleshoot

This section provides some speciﬁc procedures and tips for working with important features of Cayman OS 6.3.

request this information.

Automated Multi-Layer Diagnostics

Step 1 Click the

Step 2 Click the

Perform Tr oubleshooting on Gateways

There are three major T roubleshooting capabilities you can access via your Cayman Gateway’s web interface. The procedures for using them are discussed here. In the event of a problem with your system, your Service Provider may

Troubleshoot

Diagnostics

toolbar button.

link.

Step 3 Click the

Run Diagnostics

link.

Troubleshoot

Each test generates one of the following result codes:

CODE Description

PASS The test was successful. FAIL The test was unsuccessful. SKIPPED The test was skipped because a test on which it depended failed,

or it was not supported by the service provider equipment to which it is connected.

PENDING The test timed out without producing a result. Try running the

test again.

WARNING The test was unsuccessful. The Service Provider equipment your

Gateway connects to may not support this test.

Network Tools

Use these steps:

Troubleshoot

Step 1 Click the

Step 2 Click the

Three test tools are available from this page.

• NSLookup - converts a domain name to its IP address and vice versa.

Troubleshoot

Network Tools

toolbar button.

link.

• Ping - tests the “reachability” of a particular network destination by sending an ICMP echo request and waiting for a reply.

• TraceRoute - displays the path to a destination by showing the num-

ber of hops and the router addresses of these hops.

Step 3 To use the Ping capability, type a destination address (domain name or IP

address) in the text box and click the

Example: Ping to grosso.com.

Result: The host was reachable with four out of ﬁve packets sent.

Step 4 To use the TraceRoute capability, type a destination address (domain name

or IP address) in the text box and click the

Ping

button.

TraceRoute

button.

Example: Show the path to the grosso.com site.

Troubleshoot

Result: It took 20 hops to get to the grosso.com web site.

Step 5 To use the NSLookup capability, type an address (domain name or IP

address) in the text box and click the

NSLookup

button

Example: Show the IP Address for grosso.com

Result: The DNS Server doing the lookup is displayed in the Server: and Address: ﬁelds. If the Name Server can ﬁnd your entry in its table, it is displayed in the Name: and Address: ﬁelds.

100

Netopia 3000 User Manual

Specifications and Main Features

Frequently Asked Questions

User Manual