PLANET SG-1000 User Manual

VPN Security Gateway
SG-1000
User’s Manual
Copyright
Copyright (C) 2006 PLANET Technology Corp. All rights reserved. The products and programs described in this User’s Manual are licensed products of PLANET Technology. This User’s Manual contains proprietary information protected by copyright, and this User’s Manual and all accompanying hardware, software, and documentation are copyrighted. No part of this User’s Manual may be copied, photocopied, reproduced, translated, or reduced to any electronic medium or machine-readable form by any means, electronic or mechanical, including photocopying, recording, or information storage and retrieval systems, for any purpose other than the purchaser's personal use, without the prior express written permission of PLANET Technology.
Disclaimer
PLANET Technology does not warrant that the hardware will work properly in all environments and applications, and makes no warranty and representation, either implied or expressed, with respect to the quality, performance, merchantability, or fitness for a particular purpose. PLANET has made every effort to ensure that this User’s Manual is accurate; PLANET disclaims liability for any inaccuracies or omissions that may have occurred. Information in this User’s Manual is subject to change without notice and does not represent a commitment on the part of PLANET. PLANET assumes no responsibility for any inaccuracies that may be contained in this User’s Manual. PLANET makes no commitment to update or keep current the information in this User’s Manual, and reserves the right to make improvements to this User’s Manual and/or to the products described in this User’s Manual, at any time without notice. If you find information in this manual that is incorrect, misleading, or incomplete, we would appreciate your comments and suggestions.
CE mark Warning
This is a Class A device. In a domestic environment this product may cause radio interference, in which case the user may be required to take adequate measures.
Trademarks
The PLANET logo is a trademark of PLANET Technology. This documentation may refer to numerous hardware and software products by their trade names. In most, if not all cases, these designations are claimed as trademarks or registered trademarks by their respective companies.
To avoid the potential effects on the environment and human health resulting from the presence of hazardous substances in electrical and electronic equipment, end users of electrical and electronic equipment should understand the meaning of the crossed-out wheeled bin symbol. Do not dispose of WEEE as unsorted municipal waste; such WEEE has to be collected separately.
Customer Service
For information on customer service and support for the VPN Security Gateway, please refer to the following Website URL:
http://www.planet.com.tw
Before contacting customer service, please take a moment to gather the following information:
VPN Security Gateway serial number and MAC address
Any error messages that displayed when the problem occurred
Any software running when the problem occurred
Steps you took to resolve the problem on your own
Revision
User’s Manual for PLANET VPN Security Gateway
Model: SG-1000
Rev: 1.0 (October, 2006)
Part No. EM-SG1000v1
Table of Contents
Chapter 1 Introduction .............................................................................. 6
1.1 Package Contents......................................................................... 7
1.2 Front View .................................................................................. 8
1.3 Rear View ................................................................................... 8
1.4 Specification ............................................................................... 8
System
Chapter 2 Administration ……………………………………………..... 10
2.1 Administrator ……………………………………………........ 12
2.2 Permitted IPs ……………………………………………......... 14
2.3 Logout ………………………………………………….…...... 15
2.4 Software Update …………………………………………....... 17
Chapter 3 Configure …………………………………………………..... 18
3.1 Setting ………………………………………………….…....... 23
3.2 Date/Time …………………………………………………...... 28
3.3 Multiple Subnet ………………………………...…………...... 29
3.4 Route Table ………………………………………………....... 33
3.5 DHCP ……………………………………………………….... 37
3.6 DDNS ……………………………………………...………..... 39
3.7 Host Table ……………………………………………….….... 41
3.8 Language ……………………………………………..……...... 42
Interface
Chapter 4 Interface …………………………………………………........ 43
4.1 LAN ………………………………….……………………..... 48
4.2 WAN ………………………………….……………………... 49
4.3 DMZ …………………………….………………………….... 57
Policy Object
Chapter 5 Address ……………………………………………………..... 59
5.1 Example ………………………………….…………………... 62
Chapter 6 Service ………………………………………………….…..... 69
6.1 Custom ………………………………….…………………..... 72
6.2 Group ………………………………….…………………....... 76
Chapter 7 Schedule …………………………………………………........ 79
Chapter 8 QoS ………………………………………………….……...... 82
8.1 Example ………………………………….………………....... 85
Chapter 9 Authentication ……………………………………………....... 87
9.1 Auth User and Group ……………………………………........ 93
9.2 RADIUS ………………………………….………………...... 97
9.3 POP3 Server ………………………………….…………........ 118
Chapter 10 Content Blocking …………………………………………...... 121
10.1 URL ………………………………….……………………..... 125
10.2 Script ……………………………….……………………....... 128
10.3 P2P ………………………….……………………………...... 130
10.4 IM …………………………….…………………………….... 132
10.5 Download …………………………….…………………........ 134
Chapter 11 Virtual Server………………………………………………..... 136
11.1 Example ……………………………….…………………....... 140
Chapter 12 VPN ………………………………………………………...... 155
12.1 Example……………………………………………………...... 163
Policy
Chapter 13 Policy……………………………………………….………..... 187
13.1 Example ………………………………….………………....... 193
Web VPN / SSL VPN
Chapter 14 Web VPN / SSL VPN ……………………………………....... 209
14.1 Example …………………………………………………........ 212
Anti-Attack
Chapter 15 Alert Setting ………………………………………………...... 222
15.1 Internal Alert ………………………………………………..... 227
Chapter 16 Attack Alarm ………………………………………………...... 231
16.1 Internal Alarm ……………………………………………....... 233
16.2 External Alarm ………………………………………………... 234
Monitor
Chapter 17 LOG ……………………………………………….………...... 236
17.1 Traffic Log ……………………….…………………………... 238
17.2 Event Log ……………………….…………………………..... 242
17.3 Connection Log ……………………….…………………........ 245
17.4 Log Backup ……………………….………………………...... 248
Chapter 18 Statistics …………………………………………….……....... 250
18.1 WAN ……………………….……………………………….... 252
18.2 Policy ……………………….………………………………... 254
Chapter 19 Status …………………………………………….………….... 256
19.1 Interface ……………………….…………………………....... 257
19.2 Authentication ……………………….……………………..... 259
19.3 ARP Table ……………………….………………………........ 260
19.4 DHCP Clients ……………………….……………………....... 261
Chapter 1
Introduction
The innovation of the Internet has created a tremendous worldwide venue for E-business and information sharing, but it also creates network security problems. Security will be a primary concern for the enterprise. PLANET’s new VPN Security Gateway, the SG-1000, is a purpose-designed VPN security gateway that provides SSL, IPSec, and PPTP VPN. The SSL VPN function supports up to 50 SSL VPN connection tunnels. The IPSec VPN feature provides IPSec VPN Trunk and IKE, SHA-1, and MD5 authentication. The PPTP VPN function supports PPTP server and client.
The SG-1000 provides a Content Blocking feature to block specific URLs, Scripts, IM, P2P, and file downloads. It also has a built-in Anomaly Flow IP function, which supports Hacker and Blaster Alerts; an administrator can use this function to watch and track an attacker.
The product has two built-in WAN ports and supports WAN Load Balance and Fail-Over. The QoS function provides Guaranteed Bandwidth and Priority Bandwidth Utilization.
Product Features
VPN Connectivity: The VPN security gateway supports SSL VPN, IPSec VPN, and PPTP server/client. The SSL VPN function supports up to 50 SSL VPN connection tunnels. The IPSec VPN has DES, 3DES, and AES encryption and SHA-1 / MD5 authentication. Network traffic over the public Internet is secured.
VPN Trunk: The VPN trunk function provides VPN load balance and VPN fail-over to keep the VPN connection more reliable.
Content Filtering: The security gateway can block network connections based on URLs, Scripts (Pop-up, Java Applet, cookies and Active X), P2P (eDonkey, BitTorrent and WinMX), Instant Messaging (MSN, Yahoo Messenger, ICQ, QQ and Skype) and Download. If a new version of P2P or IM software appears on the client side, the SG-1000 will detect the difference and update the Content Filtering pattern to renew the filtering mechanism.
Policy-based Firewall: The built-in policy-based firewall prevents many known hacker attacks, including SYN attack, ICMP flood, UDP flood, Ping of Death, etc. The access control function allows only specified WAN or LAN users to use only allowed network services at specified times.
QoS: Network packets can be classified based on IP address, IP subnet and TCP/UDP port number and given guaranteed and maximum bandwidth with three levels of priority.
Authentication: Web-based authentication allows users to be authenticated by web browser. The user database can be configured on the device or through an external RADIUS server.
WAN Backup: The SG-1000 can monitor each WAN link status and automatically activate backup links when a failure is detected. Detection is based on configurable target Internet addresses.
Outbound Load Balancing: Network sessions are assigned based on the user-configurable load balancing mode, including “Auto”, “Round-Robin”, “By Traffic”, “By Session” and “By Packet”. The user can also configure which IP or TCP/UDP type of traffic uses which WAN port to connect.
Multiple NAT: Multiple NAT allows the local port to be set with multiple subnets and connect to the Internet through different WAN IP addresses.
1.1 Package Contents
SG-1000 x 1
Power Cord x 1
Quick Installation Guide x 1
User’s Manual CD x 1
Console cable x 1
RJ-45 cable
Rack-mount ear
1.2 Front View
- LED definition
LED: Description
PWR: Power is supplied to this device.
STATUS: Blinks to indicate this device is being turned on and booting. After one minute this LED indicator will stop blinking, which means the device is now ready to use.
WAN1, WAN2, LAN, DMZ: Green steady on indicates the port is connected to another network device; blinking indicates there is traffic on the port. Orange steady on indicates the port is connected at 100Mbps speed.
1.3 Rear View
1.4 Specification
Product: VPN Security Gateway
Model: SG-1000
Recommended concurrent users: 30 ~ 50
Hardware
Ethernet LAN: 1 x 10/100 Base-TX RJ-45
Ethernet WAN: 2 x 10/100 Base-TX RJ-45
Ethernet DMZ: 1 x 10/100 Base-TX RJ-45
Software
Management: Web
Network Connection: Transparent mode, NAT, Multi-NAT
Routing Mode: Static Route, RIPv2
Concurrent Sessions: 110,000
New sessions / second: 10,000
WAN to LAN Throughput: 100Mbps
VPN Throughput: 18Mbps
VPN 3DES Throughput: 17Mbps
VPN Function: SSL, IPSec, PPTP server and client
IPSec VPN: DES, 3DES, and AES encryption; SHA-1 / MD5 authentication algorithm; Remote access VPN (Client-to-Site) and Site-to-Site VPN
VPN Trunk: VPN Trunk
SSL VPN: Internal Subnet of Server: 10; Connection Tunnels: 50
VPN Connection Tunnels / Allowed to Configure: SSL VPN: 50; IPSec: 100 / 200; PPTP Server: 32 / 32; PPTP Client: 16 / 16
Content Filtering: URL Blocking; Blocks Popup, Java Applet, cookies and Active X; P2P Application Blocking; Instant Message Blocking; Download Blocking
Firewall: Policy-based Firewall rule with schedule; NAT / NAPT, SPI Firewall
QoS: Policy-based bandwidth management; Guaranteed and maximum bandwidth with 3 priority levels; Classify traffic based on IP, IP subnet, TCP/UDP port
User authentication: Built-in user database with up to 200 entries; Supports local database, RADIUS and POP3 authentication
Logs: Log and alarm for event and traffic; Log can be saved from web, sent by e-mail or sent to a syslog server
Accounting Report: Records inbound and outbound traffic utilization by Source IP, Destination IP and Service
Statistics: Traffic statistics for WAN interface and policies; Graphic display
Others: Dynamic DNS, NTP, DHCP server, Virtual server,
Chapter 2
Administration
“System” covers the management of settings such as the privileges of packets that pass through the SG-1000 and monitoring controls. The System Administrator can manage, monitor, and configure SG-1000 settings. All configurations are “read-only” for all users other than the System Administrator; those users are not able to change any setting of the SG-1000.
Define the required fields of Administrator
Administrator Name:
The username of the Administrator and Sub Administrators for the SG-1000. The admin user name cannot be removed; a sub-admin user can be removed or configured.
The default Account: admin; Password: admin
Privilege:
The privileges of Administrators (Admin or Sub Admin). The username of the main Administrator is Administrator, with reading / writing privilege. The Administrator can also change the system settings, log system status, and add or delete sub-administrators. A Sub Admin may be created by the Admin by clicking New Sub Admin. Sub Admins have only read and monitor privilege and cannot change any system setting value.
Configure:
Click Modify to change a “Sub-Administrator’s” password or click Remove to delete a “Sub Administrator.”
2.1 Adding a new Sub Administrator
STEP 1. In the Admin Web UI, click the New Sub Admin button to create a new Sub Administrator.
STEP 2. In the Add New Sub Administrator Web UI, enter the following settings:
Sub Admin Name: sub_admin
Password: 12345
Confirm Password: 12345
STEP 3. Click OK to add the user or click Cancel to cancel it.
Add New Sub Admin
Modify the Administrator’s Password
STEP 1. In the Admin Web UI, locate the Administrator name you want to edit, and click on Modify in the Configure field.
STEP 2. The Modify Administrator Password Web UI will appear. Enter the following information:
Password: admin
New Password: 52364
Confirm Password: 52364
STEP 3. Click OK to confirm the password change.
Modify Admin Password
2.2 Add Permitted IPs
STEP 1. Add the following settings in Permitted IPs of Administration:
Name: Enter master
IP Address: Enter 163.173.56.11
Netmask: Enter 255.255.255.255
Service: Select Ping, HTTP, and HTTPS.
Click OK to complete adding the new permitted IP.
Setting Permitted IPs Web UI
Complete Add New Permitted IPs
To make Permitted IPs effective, the Ping, HTTP, and HTTPS selections must be cleared in the Interface Web UI (LAN, WAN, or DMZ) through which the Administrator enters the SG-1000. Set up the Permitted IPs before clearing the HTTP and HTTPS selections of an Interface; otherwise the Web UI can no longer be entered through that Interface.
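The access model behind the Permitted IPs note above, written out as an added Python example (not code from the manual or from PLANET): each entry carries an IP address, a netmask and a set of services, a management request is matched against the entries, and a pre-check refuses to clear HTTP/HTTPS on an interface until at least one entry grants that service, which is the lockout the manual warns about. The "master" entry uses the manual's own values; the "noc" entry, the per-interface checkbox state and the evaluation order (interface selection first, then Permitted IPs) are assumptions modelled on the description, not the SG-1000's actual logic.

```python
import ipaddress

# Constructed Permitted IPs table in the shape of Section 2.2: the "master"
# entry uses the manual's own values; the "noc" entry is an added assumption.
PERMITTED_IPS = [
    {"name": "master", "ip": "163.173.56.11", "netmask": "255.255.255.255",
     "services": {"Ping", "HTTP", "HTTPS"}},
    {"name": "noc", "ip": "192.168.1.0", "netmask": "255.255.255.0",
     "services": {"HTTPS"}},
]

# Constructed state of the per-interface Ping/HTTP/HTTPS checkboxes: LAN still
# accepts everyone, the other interfaces have had the selections cleared.
INTERFACE_SERVICES = {
    "LAN": {"Ping", "HTTP", "HTTPS"},
    "WAN1": set(),
    "WAN2": set(),
    "DMZ": set(),
}


def entry_matches(entry, source_ip):
    """True if source_ip falls inside entry's IP/netmask (a 255.255.255.255 netmask means one host)."""
    network = ipaddress.ip_network(f"{entry['ip']}/{entry['netmask']}", strict=False)
    return ipaddress.ip_address(source_ip) in network


def management_allowed(source_ip, service, interface,
                       permitted=PERMITTED_IPS, interfaces=INTERFACE_SERVICES):
    """Decide whether a management request is accepted.

    Assumed evaluation order, following the manual's description: while a
    service is still selected on the interface, any host reaching that
    interface may use it; once the selection is cleared, only hosts matching
    a Permitted IPs entry that lists the service get through.
    """
    if service in interfaces.get(interface, set()):
        return True
    return any(service in e["services"] and entry_matches(e, source_ip)
               for e in permitted)


def safe_to_clear(service, permitted=PERMITTED_IPS):
    """Pre-check for the lockout the manual warns about: clearing HTTP/HTTPS on
    the interface you administer from is only safe once at least one Permitted
    IPs entry grants that service."""
    return any(service in e["services"] for e in permitted)


if __name__ == "__main__":
    for ip, svc, iface in [("163.173.56.11", "HTTPS", "WAN1"),
                           ("163.173.56.12", "HTTPS", "WAN1"),
                           ("192.168.1.77", "HTTP", "WAN1"),
                           ("10.0.0.5", "HTTP", "LAN")]:
        verdict = "allowed" if management_allowed(ip, svc, iface) else "denied"
        print(f"{ip:>15} {svc:<5} via {iface}: {verdict}")
    print("HTTPS can be cleared safely:", safe_to_clear("HTTPS"))
    print("HTTPS can be cleared with an empty table:", safe_to_clear("HTTPS", []))
```

The point of `safe_to_clear` is the ordering constraint in the note: run it (or the equivalent check by eye) before touching the Interface page, because a cleared checkbox with an empty Permitted IPs table leaves no path back into the Web UI on that interface.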
2.3 Logout
STEP 1. Click Logout, located at the upper right of the browser, to protect the system while the Administrator is away.
Confirm Logout Web UI
STEP 2. Click OK and the logout message will appear in the Web UI.
Logout Web UI Message
2.4 Software Update
STEP 1. Select Software Update in System, and follow the steps below:
Obtain the current version number from Version Number and obtain the latest version from the Internet. Save the latest version on the PC that manages the SG-1000.
Click Browse and choose the latest software version file. Click OK and the system will update automatically.
It takes 3 minutes to update the software. The system will reboot after the update. During the update, please do not turn off the PC or leave the Web UI; doing so may cause unexpected errors. (It is strongly suggested to update the software from the LAN to avoid unexpected errors.)
Chapter 3
Configure
Configure covers the basic settings of the SG-1000. This chapter defines the Setting, Date/Time, Multiple Subnet, Route Table, DHCP, Dynamic DNS, Host Table, and Language settings.
Define the required fields of Settings
SG-1000 Configuration:
The Administrator can import or export the system settings. Click OK to import the file into the SG-1000 or click Cancel to cancel importing. You can also revert to the default values here.
Email Settings:
Select Enable E-mail Alert Notification under E-mail Settings. This function enables the SG-1000 to send e-mail alerts to the System Administrator when the network is being attacked by hackers or when emergency conditions occur. (Hacker attack detection is set from Settings - Hacker Alert in System.)
Web Management (WAN Interface):
The System Manager can change the port number used by HTTP at any time. (Remote Web UI management)
After the HTTP port has been changed, an administrator who wants to enter the Web UI from the WAN will have to add the port number in the browser. (For example: http://61.62.108.172:8080)
MTU Setting:
Allows the Administrator to modify the network packet length at any time. The default value is 1500 Bytes.
Link Speed / Duplex Mode:
Sets the transmission speed and mode of the WAN Port when connecting to another device.
Administration Packet Logging:
After enabling this function, the SG-1000 will record packets whose source or destination IP address is the SG-1000 itself, and record them in the Traffic Log for the System Manager to inquire about.
Define the required fields of Time Settings
Synchronize Time/Date:
Synchronizes the SG-1000 with the system clock. The administrator can configure the SG-1000’s date and time either by syncing to an Internet Network Time Server (NTP) or by syncing to your computer’s clock.
GMT:
International Standard Time (Greenwich Mean Time)
Define the required fields of Multiple Subnet
Forwarding Mode:
Displays the mode that Multiple Subnet uses (NAT mode or Routing Mode).
WAN Interface Address:
The WAN IP address that the Multiple Subnet corresponds to.
LAN Interface Address/Subnet Netmask:
The Multiple Subnet range
NAT Mode:
Allows the Internal Network to set multiple subnet addresses and connect to the Internet through different WAN IP Addresses. For example: a company’s leased line is assigned several real IP Addresses in 168.85.88.0/24, and the company is divided into R&D, service, sales, procurement, and accounting departments. The company can distinguish each department by a different subnet for convenient management. The settings are as follows:
1. R&D department subnet: 192.168.1.1/24 (LAN) ↔ 168.85.88.253 (WAN)
2. Service department subnet: 192.168.2.1/24 (LAN) ↔ 168.85.88.252 (WAN)
3. Sales department subnet: 192.168.3.1/24 (LAN) ↔ 168.85.88.251 (WAN)
4. Procurement department subnet: 192.168.4.1/24 (LAN) ↔ 168.85.88.250 (WAN)
5. Accounting department subnet: 192.168.5.1/24 (LAN) ↔ 168.85.88.249 (WAN)
The first department (R&D) was set while setting the interface IP; the other four have to be added in Multiple Subnet. After completing the settings, each department uses a different WAN IP Address to connect to the Internet. The client settings of each department are as follows:
Service: IP Address 192.168.2.2~254, Subnet Netmask 255.255.255.0, Gateway 192.168.2.1
Sales: IP Address 192.168.3.2~254, Subnet Netmask 255.255.255.0, Gateway 192.168.3.1
Procurement: IP Address 192.168.4.2~254, Subnet Netmask 255.255.255.0, Gateway 192.168.4.1
Accounting: IP Address 192.168.5.2~254, Subnet Netmask 255.255.255.0, Gateway 192.168.5.1
Routing Mode:
Approximately the same as NAT mode, but it does not have to correspond to a real WAN IP address; the internal PC accesses the Internet with its own IP. (External users can also use that IP to connect to it.)
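The subnet-to-WAN mapping of the Multiple Subnet example above, as an added Python example (not code from the manual or from PLANET): given the five department subnets and their WAN addresses, it returns the public source address a host would leave with in NAT mode, returns the host's own address in Routing mode, and derives the per-department client settings (host range, netmask, gateway) from the subnet alone. The table values are the manual's; the longest-prefix selection for overlapping subnets and the exact forwarding behaviour are assumptions, not a description of the SG-1000's internals.

```python
import ipaddress

# Constructed Multiple Subnet table mirroring the manual's NAT-mode example:
# each department's LAN subnet is mapped to its own real WAN address.
MULTI_SUBNET = [
    ("192.168.1.0/24", "168.85.88.253"),  # R&D (set on the LAN interface itself)
    ("192.168.2.0/24", "168.85.88.252"),  # Service
    ("192.168.3.0/24", "168.85.88.251"),  # Sales
    ("192.168.4.0/24", "168.85.88.250"),  # Procurement
    ("192.168.5.0/24", "168.85.88.249"),  # Accounting
]


def wan_address_for(source_ip, table=MULTI_SUBNET, mode="NAT"):
    """Source address a packet from source_ip leaves the WAN side with.

    NAT mode: the WAN IP mapped to the host's subnet. Routing mode: the host's
    own IP, since the manual says routing mode needs no corresponding WAN
    address. None when the host is in no configured subnet. Longest-prefix
    match is used so a more specific subnet wins over an overlapping wider one
    (an added generalisation; the manual's example has no overlaps).
    """
    host = ipaddress.ip_address(source_ip)
    best = None
    for cidr, wan_ip in table:
        net = ipaddress.ip_network(cidr)
        if host in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, wan_ip)
    if best is None:
        return None
    return str(host) if mode == "Routing" else best[1]


def client_settings(cidr):
    """Derive the per-department client settings the manual lists from the
    subnet alone: usable host range, netmask and the first-host gateway."""
    net = ipaddress.ip_network(cidr)
    hosts = list(net.hosts())
    return {
        "ip_range": f"{hosts[1]}~{hosts[-1]}",  # first host is the gateway
        "netmask": str(net.netmask),
        "gateway": str(hosts[0]),
    }


if __name__ == "__main__":
    for ip in ("192.168.3.40", "192.168.5.9", "172.16.0.3"):
        nat = wan_address_for(ip)
        routed = wan_address_for(ip, mode="Routing")
        print(f"{ip} -> NAT {nat} / Routing {routed}")
    for cidr, _ in MULTI_SUBNET[1:]:
        print(cidr, client_settings(cidr))
```

A host outside every configured subnet gets `None` in both modes, which is the case to look for when a department's clients cannot reach the Internet after the Multiple Subnet entries are added: the subnet was not entered, or the client's own IP or gateway does not fall inside it.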
Define the required fields of DHCP
Subnet: The domain name of LAN
NetMask: The LAN Netmask
Gateway: The default Gateway IP address of LAN
Broadcast IP: The Broadcast IP of LAN
Define the required fields of DDNS
Domain Name: The domain name provided by DDNS
WAN IP Address: The WAN IP Address which the domain name corresponds to.
Define the required fields of Host Table
Domain Name: Can be set by the System Manager, to let internal users access the information provided by the host through this domain name.
Virtual IP Address: The virtual IP address corresponding to the Host Table entry. It must be a LAN or DMZ IP address.
System Settings - Exporting
STEP 1. In the System Setting Web UI, click on the button next to Export System Settings to Client.
STEP 2. When the File Download pop-up window appears, choose the destination where to save the exported file and click on Save. The setting values of the SG-1000 will be copied to the appointed location instantly.
Select the Destination Place to Save the Exported File
3.1 System Settings - Importing
STEP 1. In the System Setting Web UI, click on the Browse button next to Import System Settings from Client. When the Choose File pop-up window appears, select the file which contains the saved SG-1000 Settings, then click OK.
STEP 2. Click OK to import the file into the SG-1000.
Enter the File Name and Destination of the Imported File
Upload the Setting File Web UI
Restoring Factory Default Settings
STEP 1. Select Reset Factory Settings in the SG-1000 Configuration Web UI.
STEP 2. Click OK at the bottom-right of the page to restore the factory settings.
Reset Factory Settings
Enabling E-mail Alert Notification
STEP 1. Select Enable E-mail Alert Notification under E-Mail Settings.
STEP 2. Device Name: Enter the Device Name or use the default value.
STEP 3. Sender Address: Enter the Sender Address. (Required by some ISPs.)
STEP 4. SMTP Server IP: Enter the SMTP server’s IP address.
STEP 5. E-Mail Address 1: Enter the e-mail address of the first user to be notified.
STEP 6. E-Mail Address 2: Enter the e-mail address of the second user to be notified. (Optional)
STEP 7. Click OK on the bottom-right of the screen to enable E-mail Alert Notification.
Enable E-mail Alert Notification
Click on Mail Test to test whether E-mail Address 1 and E-mail Address 2 can receive the Alert Notification correctly.
Reboot SG-1000
STEP 1. Click the Reboot button next to Reboot SG-1000 Appliance.
STEP 2. A confirmation pop-up page will appear.
STEP 3. Follow the confirmation pop-up page; click OK to restart the SG-1000.
Reboot SG-1000
3.2 Date/Time Settings
STEP 1. Select Enable synchronize with an Internet time Server.
STEP 2. Click the down arrow to select the offset time from GMT.
STEP 3. Enter the Server IP / Name with which you want to synchronize.
STEP 4. Set the interval time to synchronize with outside servers.
System Time Setting
Click on the Sync button and the SG-1000’s date and time will be synchronized to the Administrator’s PC.
The values for Set Offset From GMT and Server IP / Name can be looked up from Assist.
3.3 Multiple Subnet
Connect to the Internet through Multiple Subnet in NAT or Routing Mode, using the IP address set on the LAN user’s network card.
Preparation
SG-1000 WAN1 (10.10.10.1) connects to the ISP Router (10.10.10.2), and the subnet provided by the ISP is 162.172.50.0/24. To connect to the Internet, WAN2 IP (211.22.22.22) connects to the ATUR.