Planet Technology GRT-504 User Manual

4-Wire G.SHDSL.bis
Firewall Router
GRT-504
User’s Manual
Copyright
Copyright© 2008 by PLANET Technology Corp. All rights reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language or computer language, in any form or by any means, electronic, mechanical, magnetic, optical, chemical, manual or otherwise, without the prior written permission of PLANET. PLANET makes no representations or warranties, either expressed or implied, with respect to the contents hereof and specifically disclaims any warranties, merchantability or fitness for any particular purpose. Any software described in this manual is sold or licensed "as is". Should the programs prove defective following their purchase, the buyer (and not this company, its distributor, or its dealer) assumes the entire cost of all necessary servicing, repair, and any incidental or consequential damages resulting from any defect in the software. Further, this company reserves the right to revise this publication and to make changes from time to time in the contents hereof without obligation to notify any person of such revision or changes. All brand and product names mentioned in this manual are trademarks and/or registered trademarks of their respective holders.
Disclaimer
PLANET Technology does not warrant that the hardware will work properly in all environments and applications, and makes no warranty and representation, either implied or expressed, with respect to the quality, performance, merchantability, or fitness for a particular purpose. PLANET has made every effort to ensure that this User’s Manual is accurate; PLANET disclaims liability for any inaccuracies or omissions that may have occurred. Information in this User’s Manual is subject to change without notice and does not represent a commitment on the part of PLANET. PLANET assumes no responsibility for any inaccuracies that may be contained in this User’s Manual. PLANET makes no commitment to update or keep current the information in this User’s Manual, and reserves the right to make improvements to this User’s Manual and/or to the products described in this User’s Manual, at any time without notice. If you find information in this manual that is incorrect, misleading, or incomplete, we would appreciate your comments and suggestions.
Trademarks
The PLANET logo is a trademark of PLANET Technology. This documentation may refer to numerous hardware and software products by their trade names. In most, if not all cases, these designations are claimed as trademarks or registered trademarks by their respective companies.
CE mark Warning
This is a Class B device. In a domestic environment this product may cause radio interference, in which case the user may be required to take adequate measures.
Federal Communication Commission Interference Statement
This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to Part 15 of FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:
1. Reorient or relocate the receiving antenna.
2. Increase the separation between the equipment and receiver.
3. Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.
4. Consult the dealer or an experienced radio technician for help.
1
FCC Caution:
To assure continued compliance, use only shielded interface cables when connecting to computer or peripheral devices. Any changes or modifications not expressly approved by the party responsible for compliance could void the user’s authority to operate the equipment. This device complies with Part 15 of the FCC Rules. Operation is subject to the following two conditions: (1) this device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation.
R&TTE Compliance Statement
This equipment complies with all the requirements of Directive 1999/5/EC of the European Parliament and the Council of 9 March 1999 on radio equipment and telecommunications terminal equipment and the mutual recognition of their conformity (R&TTE). The R&TTE Directive repeals and replaces Directive 98/13/EEC (Telecommunications Terminal Equipment and Satellite Earth Station Equipment) as of April 8, 2000.
WEEE Caution
To avoid the potential effects on the environment and human health of the hazardous substances present in electrical and electronic equipment, end users of electrical and electronic equipment should understand the meaning of the crossed-out wheeled bin symbol. Do not dispose of WEEE as unsorted municipal waste; such WEEE must be collected separately.
Safety
This equipment is designed with the utmost care for the safety of those who install and use it. However, special attention must be paid to the dangers of electric shock and static electricity when working with electrical equipment. All guidelines in this manual and those of the computer manufacturer must therefore be followed at all times to ensure the safe use of the equipment.
Customer Service
For information on customer service and support for the GRT-504, please refer to the following Website URL:
http://www.planet.com.tw
Before contacting customer service, please take a moment to gather the following information:
♦ The GRT-504 serial number and MAC address
♦ Any error messages that were displayed when the problem occurred
♦ Any software running when the problem occurred
♦ Steps you took to resolve the problem on your own
Revision
User’s Manual for PLANET 4-Wire G.SHDSL.bis Firewall Router
Model: GRT-504
Rev: 1.0 (Sep. 2008)
Part No. EM-GRT504v1
Table of Contents
1 DESCRIPTIONS..............................................................................................................................7
1.1 FEATURES .....................................................................................................................................7
1.2 SPECIFICATION..............................................................................................................................9
1.3 APPLICATIONS.............................................................................................................................11
2 GETTING TO KNOW ABOUT THE ROUTER............................................................................12
2.1 FRONT PANEL..............................................................................................................................12
2.2 REAR PANEL ...............................................................................................................................13
2.3 SHDSL.BIS LINE CONNECTOR....................................................................................................14
2.4 CONSOLE CABLE.........................................................................................................................14
3 GETTING TO KNOW FIREWALL FEATURE.............................................................................15
3.1 INTRODUCTION ...........................................................................................................................15
3.2 TYPES OF FIREWALL....................................................................................................................16
3.2.1 Packet Filtering.....................................................................................................................16
3.2.2 Circuit Gateway.....................................................................................................................17
3.2.3 Application Gateway.............................................................................................................18
3.3 DENIAL OF SERVICE ATTACK.......................................................................................................19
4 GETTING TO KNOW VLAN FEATURE ......................................................................................21
4.1 SPECIFICATION............................................................................................................................21
4.2 FRAME SPECIFICATION................................................................................................................21
4.3 APPLICATIONS.............................................................................................................................22
5 CONFIGURATION TO THE ROUTER.........................................................................................25
5.1 CHECK LIST ................................................................................................................................25
5.2 INSTALL THE SHDSL.BIS ROUTER ..............................................................................................27
6 CONFIGURATION VIA WEB BROWSER ...................................................................................28
6.1 BASIC SETUP...............................................................................................................................32
6.1.1 Bridge Mode..........................................................................................................................32
6.1.2 Routing Mode........................................................................................................................35
6.1.3 Reference diagram.................................................................................................................44
6.2 ADVANCED SETUP.......................................................................................................................46
6.2.1 SHDSL.bis .............................................................................................................................46
6.2.1.1 Annex Type................................................................................................................................46
6.2.1.2 Line Type ................................................................................................................................... 47
6.2.1.3 TCPAM Type .............................................................................................................................48
6.2.1.4 Data Rate.................................................................................................................................... 48
6.2.1.5 SNR Margin...............................................................................................................................49
6.2.2 WAN.......................................................................................................................................50
6.2.3 Bridge....................................................................................................................................53
6.2.4 VLAN.....................................................................................................................................55
6.2.4.1 802.1Q Tag-Based VLAN..........................................................................................................56
6.2.4.2 Port-Based VLAN......................................................................................................................56
6.2.5 STP........................................................................................................................................58
6.2.6 Route .....................................................................................................................................59
6.2.7 NAT/DMZ..............................................................................................................................62
6.2.7.1 Multi-DMZ.................................................................................................................................64
6.2.7.2 Multi-NAT..................................................................................................................................64
6.2.8 Virtual Server ........................................................................................................................65
6.2.9 Firewall.................................................................................................................................67
6.2.9.1 Basic Firewall Security..............................................................................................................68
6.2.9.2 Automatic Firewall Security.......................................................................................................69
6.2.9.3 Advanced Firewall Security.......................................................................................................70
6.2.10 IP QoS ..............................................................................................................................74
6.3 STATUS........................................................................................................................................77
6.3.1 SHDSL.bis .............................................................................................................................78
6.3.2 LAN .......................................................................................................................................79
6.3.3 WAN.......................................................................................................................................80
6.3.4 ROUTE..................................................................................................................................81
6.3.5 INTERFACE ..........................................................................................................................82
6.3.6 FIREWALL ............................................................................................................................83
6.3.7 IP QoS...................................................................................................................................84
6.3.8 STP........................................................................................................................................85
6.4 ADMINISTRATION........................................................................................................................87
6.4.1 Security..................................................................................................................................87
6.4.2 SNMP ....................................................................................................................................89
6.4.2.1 Community pool.........................................................................................................................89
6.4.2.2 Trap host pool.............................................................................................................................90
6.4.3 Time Sync...............................................................................................................................91
6.4.3.1 Synchronization with PC............................................................................................................ 91
6.4.3.2 SNTP v4.0.................................................................................................................................. 92
6.5 UTILITY ......................................................................................................................................93
6.5.1 System Info ............................................................................................................................93
6.5.2 Config Tool............................................................................................................................94
6.5.2.1 Load Factory Default ................................................................................................................. 95
6.5.2.2 Restore Configuration................................................................................................................95
6.5.2.3 Backup Configuration................................................................................................................95
6.5.3 Upgrade.................................................................................................................................96
6.5.4 Logout....................................................................................................................................97
6.5.5 Restart ...................................................................................................................................97
6.6 EXAMPLE....................................................................................................................................99
6.6.1 LAN-to-LAN connection with bridge Mode...........................................................................99
6.6.1.1 CO side.......................................................................................................................................99
6.6.1.2 CPE Side..................................................................................................................................100
6.6.2 LAN to LAN connection with routing mode.........................................................................101
6.6.2.1 CO Side....................................................................................................................................101
6.6.2.2 CPE side................................................................................................................................... 102
7 CONFIGURATION VIA SERIAL CONSOLE OR TELNET WITH MENU DRIVEN
INTERFACE .............................................................................................................................................105
7.1 INTRODUCTION .........................................................................................................................105
7.1.1 Serial Console.....................................................................................................................105
7.1.2 Telnet ...................................................................................................................................105
7.1.3 Operation Interface.............................................................................................................106
7.1.4 Window structure.................................................................................................................106
7.1.5 Menu Driven Interface Commands......................................................................................107
7.2 MAIN MENU BEFORE ENABLE....................................................................................................108
7.3 ENABLE.....................................................................................................................................109
7.4 STATUS......................................................................................................................................110
7.4.1 Shdsl.bis...............................................................................................................................110
7.4.2 Wan...................................................................................................................................... 111
7.4.3 Route ................................................................................................................................... 111
7.4.4 Interface ..............................................................................................................................112
7.4.5 Firewall...............................................................................................................................112
7.4.6 IP_QoS................................................................................................................................113
7.4.7 STP......................................................................................................................................114
7.5 SHOW........................................................................................................................................115
7.5.1 System information..............................................................................................................115
7.5.2 Configuration information................................................................................................... 115
7.5.3 Configuration with Script format ........................................................................................ 119
7.6 WRITE.......................................................................................................................................122
7.7 REBOOT ....................................................................................................................................123
7.8 PING..........................................................................................................................................124
7.9 ADMINISTRATION......................................................................................................................125
7.9.1 User Profile.........................................................................................................................125
7.9.2 Security................................................................................................................................126
7.9.3 SNMP ..................................................................................................................................127
7.9.4 Supervisor Password and ID...............................................................................................128
7.9.5 SNTP ...................................................................................................................................129
7.10 UTILITY ....................................................................................................................................131
7.10.1 Upgrade..........................................................................................................................131
7.10.2 Backup............................................................................................................................131
7.10.3 Restore............................................................................................................................132
7.11 EXIT..........................................................................................................................................133
7.12 SETUP .......................................................................................................................................134
7.12.1 Mode...............................................................................................................................134
7.12.2 SHDSL.bis ......................................................................................................................134
7.12.3 WAN................................................................................................................................135
7.12.4 Bridge.............................................................................................................................137
7.12.5 VLAN..............................................................................................................................138
7.12.6 802.1Q VLAN.................................................................................................................138
7.12.7 STP.................................................................................................................................139
7.12.8 Route...............................................................................................................................139
7.12.9 LAN.................................................................................................................................141
7.12.10 IP share...........................................................................................................................141
7.12.10.1 NAT.......................................................................................................................................... 141
7.12.10.2 PAT ........................................................................................................................................... 143
7.12.10.3 DMZ.........................................................................................................................................144
7.12.11 Firewall ..........................................................................................................................145
7.12.11.1 Firewall security level..............................................................................................................145
7.12.11.2 Packet Filtering ........................................................................................................................ 145
7.12.11.3 DoS Protection ......................................................................................................................... 146
7.12.12 IPQoS .............................................................................................................................148
7.12.13 DHCP.............................................................................................................................149
7.12.14 DNS proxy.......................................................................................................................150
7.12.15 Host name.......................................................................................................................150
7.12.16 Default............................................................................................................................150

1 Descriptions

The GRT-504, the newest member of the PLANET SHDSL family, is a G.SHDSL.bis router that complies with the ITU-T G.991.2 standard and provides an affordable, flexible and efficient Internet access solution for SOHO and small/medium business environments. The GRT-504 supports business-class symmetric data rates, multi-range from 384 Kbps to 11.4 Mbps (4-wire), and can also be used as a LAN-to-LAN network connection over distances of up to 6.7 km (4.2 miles) using existing telephone copper wires.
The PLANET GRT-504 integrates high-end bridging/routing capabilities with advanced functions: firewall, QoS, DMZ, Virtual Server and VPN pass-through. Because network environments grow rapidly, Virtual LAN has become an increasingly important feature in the internetworking industry; the GRT-504 supports IEEE 802.1Q and port-based VLAN over the ATM network.
With built-in Simple Network Management Protocol (SNMP) and web-based management, the GRT-504 offers an easy-to-use, platform-independent management and configuration facility. The GRT-504 also provides a command-line interface, which can be accessed via Telnet and the console port, so the network administrator can manage the device in whichever way suits the site. Note that Telnet and SNMPv1/v2 carry login credentials and community strings in cleartext; restrict these management paths to the trusted LAN side or to the console port, and change the default password and community strings before the WAN is connected.
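The web, Telnet and SNMP management paths described above are the router's attack surface from the network. As an added example (not PLANET's code), the following standard-library Python script builds an SNMPv1 GetRequest for sysDescr.0 by hand, sends it to the router's UDP port 161 and decodes the reply; running it against the LAN address and, separately, against the WAN address shows whether the agent is reachable from each side and whether the default community strings still answer. The community strings "public" and "private" are conventional defaults assumed for the check, the sysDescr OID is the standard MIB-II object, and the reply used in the offline demo is constructed here; none of these values are taken from the manual.

```python
"""SNMPv1 probe for a router's management plane (added example, not PLANET's code).
Hand-built RFC 1157 BER encoding, standard library only. Community strings
"public"/"private" are conventional defaults assumed here, not taken from the manual."""
import socket
import sys

SYS_DESCR_OID = "1.3.6.1.2.1.1.1.0"  # MIB-II sysDescr.0
# ASN.1/BER tags used by SNMPv1 (RFC 1157)
INTEGER, OCTET_STRING, NULL, OID, SEQUENCE, GET_REQUEST, GET_RESPONSE = 0x02, 0x04, 0x05, 0x06, 0x30, 0xA0, 0xA2

def ber_len(n):
    """BER length: one byte below 128, else 0x8N followed by N length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, value):
    return bytes([tag]) + ber_len(len(value)) + value

def encode_int(n):  # non-negative two's-complement INTEGER (all fields used here)
    return tlv(INTEGER, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True))

def encode_oid(dotted):
    """First two arcs share one byte; the rest are base-128 with continuation bits."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        body.extend(reversed(chunk))
    return tlv(OID, bytes(body))

def decode_oid(body):
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # continuation bit clear: arc complete
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def ber_read(buf, pos=0):
    """Read the TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def ber_children(value):
    pos, out = 0, []
    while pos < len(value):
        tag, body, pos = ber_read(value, pos)
        out.append((tag, body))
    return out

def snmp_message(community, pdu_tag, request_id, value):
    """SNMPv1 message (version 0) with one varbind for sysDescr.0; the community is sent in the clear."""
    varbind = tlv(SEQUENCE, encode_oid(SYS_DESCR_OID) + value)
    pdu = tlv(pdu_tag, encode_int(request_id) + encode_int(0) + encode_int(0) + tlv(SEQUENCE, varbind))
    return tlv(SEQUENCE, encode_int(0) + tlv(OCTET_STRING, community.encode()) + pdu)

def build_get_request(community, request_id=1):
    return snmp_message(community, GET_REQUEST, request_id, tlv(NULL, b""))

def parse_get_response(packet):
    """Decode a GetResponse into version, community, request id, error status and varbinds."""
    tag, msg, _ = ber_read(packet)
    if tag != SEQUENCE:
        raise ValueError("not an SNMP message")
    (_, version), (_, community), (pdu_tag, pdu) = ber_children(msg)
    if pdu_tag != GET_RESPONSE:
        raise ValueError("unexpected PDU tag 0x%02x" % pdu_tag)
    (_, req_id), (_, err_status), _, (_, vbl) = ber_children(pdu)
    varbinds = {}
    for _, vb in ber_children(vbl):
        (_, oid), (vtag, val) = ber_children(vb)
        varbinds[decode_oid(oid)] = val.decode("latin-1") if vtag == OCTET_STRING else val
    as_int = lambda b: int.from_bytes(b, "big", signed=True)
    return {"version": as_int(version), "community": community.decode("latin-1"),
            "request_id": as_int(req_id), "error_status": as_int(err_status), "varbinds": varbinds}

def probe(host, community, timeout=2.0):
    """Send one GetRequest to host:161; return the parsed reply, or None if the agent stays silent."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_get_request(community), (host, 161))
        data, _ = sock.recvfrom(4096)
    except socket.timeout:
        return None
    finally:
        sock.close()
    return parse_get_response(data)

if __name__ == "__main__":
    if len(sys.argv) < 2:  # offline demo on a constructed reply
        fake = snmp_message("public", GET_RESPONSE, 1, tlv(OCTET_STRING, b"GRT-504"))
        print(parse_get_response(fake))
    else:  # an answer to a default community means the community pool was never changed
        for c in sys.argv[2:] or ["public", "private"]:
            reply = probe(sys.argv[1], c)
            print(c, "->", "no answer" if reply is None else reply["varbinds"])
```

Run it as `python3 snmp_probe.py <router-ip> [community ...]`. The packet it sends is exactly what any host between you and the router sees on the wire, which is why a community string is no stronger than a password typed over Telnet; an answer from the WAN address, or an answer to "public" or "private", is something to correct in the Administration SNMP community pool before the router is left in service.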

1.1 Features

♦ High Speed Symmetric Data Transmission: The GRT-504 supports the latest G.SHDSL.bis technology and provides symmetric data rates of up to 11.4 Mbps on 4 wires.
♦ CO and CPE side Support: Provides back-to-back connection.
♦ Firewall: It supports a NAT firewall (hosts behind NAT cannot be reached from the Internet unless a translation entry exists for them) and Advanced Stateful Packet Inspection (SPI) firewall functions.
♦ QoS (Quality of Service): The GRT-504 supports ATM QoS and IP QoS. The ATM QoS includes UBR (Unspecified bit rate), CBR (Constant bit rate), VBR-rt (Variable bit rate real-time), and VBR-nrt (Variable bit rate non-real-time). IP traffic classification is based on IP address, IP range, port, protocol, and precedence.
♦ VLAN Support: It supports IEEE 802.1Q tagged and port-based VLAN, which offers significant benefits in efficient use of bandwidth, flexibility, performance, and security.
♦ Bridge and Router Modes: The GRT-504 supports two connection modes. It comes pre-configured in routing mode. Note that routing mode and bridging mode cannot be used simultaneously.
♦ Virtual Server: This feature allows Internet users to access servers on your LAN. The required setup is quick and easy.
♦ VPN Pass-through Support: PCs with VPN (Virtual Private Networking) software using PPTP, L2TP, and IPSec are transparently supported; no configuration is required.
♦ DMZ Support: The GRT-504 can translate a public IP address to a private IP address to allow unrestricted two-way communication between a DMZ host and servers or individual users on the Internet. This provides the most flexibility for running programs that could be incompatible with a NAT environment. Because a DMZ host receives all unsolicited inbound traffic, it is exposed to the Internet without the protection NAT gives the rest of the LAN; use it only for hosts that are hardened and kept patched.
♦ RIPv1/v2 Routing: It supports the RIPv1/v2 routing protocol for routing capability.
♦ Simple Network Management Protocol (SNMP): An easy way to remotely manage the router via SNMPv1/v2.
♦ Fully ATM protocol stack implementation over G.SHDSL.bis.
♦ PPPoA and PPPoE support user authentication with PAP/CHAP/MS-CHAP.

1.2 Specification

Product: 4-Wire G.SHDSL.bis Firewall Router
Model: GRT-504

Hardware
Standard
♦ Compliant with ITU-T G.991.2 Standard Annex A/B
♦ Compliant with G.SHDSL.bis Annex A/B/F/G
♦ TC-PAM line code
♦ Symmetric data transmission speed up to 11.4 Mbps on 4-wire
♦ Multi-range from 384 Kbps to 11.4 Mbps
Protocol
♦ RFC 1577 - Classical IP over ATM
♦ RFC 2364 - PPP over ATM (fixed and dynamic IP)
♦ RFC 1483/2684 - Ethernet over ATM
♦ RFC 2516 - PPP over Ethernet (fixed and dynamic IP)
AAL and ATM Support
♦ ATM Forum UNI 3.1/4.0 PVC
♦ Support up to 8 PVCs
♦ OAM F4/F5 AIS/RDI and loopback
♦ VC multiplexing and SNAP/LLC
♦ Integrated ATM QoS support (UBR, CBR, VBR-rt, and VBR-nrt)
LAN Port: 4 x 10Base-T/100Base-TX (Auto-Negotiation, Auto MDI/MDI-X)
Console: 1 x RS-232 (DB9)
Button: 1 x Reset Button
LED Indicators: PWR, WAN LNK/ACT, LAN 1/2/3/4, ALM

Software
Maximum Concurrent Sessions: 1024
Protocol and Advanced Functions
♦ IEEE 802.1D transparent learning bridge
♦ IEEE 802.1Q VLAN
♦ Support IP/TCP/UDP/ARP/ICMP/IGMP protocols
♦ IP routing with static routing and RIPv1/RIPv2
♦ IP multicast and IGMP proxy
♦ Network address translation (NAT/PAT)
♦ DMZ host/Multi-DMZ/Multi-NAT function
♦ Virtual Server (RFC 1631)
♦ DNS relay and caching
♦ DHCP server, client and relay
♦ IP QoS
Security
♦ Built-in NAT and SPI firewall
♦ PPP PAP authentication (RFC 1334)
♦ PPP CHAP authentication (RFC 1994)
♦ Password protection for system management
VPN: PPTP/L2TP/IPSec pass-through
Management
♦ Web-based configuration
♦ Command-line interpreter (CLI) via console
♦ Command-line interpreter (CLI) via Telnet
♦ Software upgrade via web browser/TFTP server
♦ SNMPv1 and v2

Environment Specification
Dimension (W x D x H): 145 x 188 x 33 mm
Power: 9V DC, 1A
Temperature: Operating 0~45 degrees C; Storage -10~70 degrees C
Humidity: Operating 0%~90% (non-condensing); Storage 0%~95% (non-condensing)
Emission: FCC, CE
Package Contents
The following items should be included. If any of these items are damaged or missing, please contact your dealer immediately.
♦ 4-Wire G.SHDSL.bis Firewall Router x 1
♦ Power Adapter x 1
♦ Quick Installation Guide x 1
♦ User’s Manual CD x 1
♦ Console Cable x 1
♦ RJ-45 to RJ-11 Cable x 1

1.3 Applications


2 Getting to know about the router

This section introduces the hardware of the router.

2.1 Front Panel

The front panel contains LEDs which show the status of the router.
LED            Color / State    Description
PWR            Green ON         The power adaptor is connected to the GRT-504
WAN LNK        Green ON         G.SHDSL.bis connection is established
               Green Blink      G.SHDSL.bis is handshaking
WAN ACT        Green Blink      Transmit or receive data over the G.SHDSL.bis link
LAN 1/2/3/4    Green ON         LAN port is connected with an Ethernet link
               Green Blink      LAN port transmits or receives data
ALM            Red ON           G.SHDSL.bis line connection is dropped
               Red Blink        G.SHDSL.bis self test

2.2 Rear Panel

The rear panel of the SHDSL.bis router is where all of the connections are made.
Port                 Description
DC-IN                Power connector with 9V DC 1.0A
LAN (1 / 2 / 3 / 4)  Ethernet 10/100Base-TX LAN port (RJ-45)
CONSOLE              RS-232C (DB9) for system configuration and maintenance
LINE                 G.SHDSL.bis interface for the WAN port
RST                  The reset button; the router restores the default settings when this button is held until reboot.
Note: The reset button can be used in one of two ways. (1) Pressing the Reset Button for one second causes a system reboot. (2) Pressing the Reset Button for four seconds loads the factory default settings and loses all of your configuration. When you want to change the configuration but have forgotten the user name or password, or if the product is having problems connecting to the Internet and you want to configure it again from a cleared configuration, press the Reset Button for four seconds with a paper clip or sharp pencil.

2.3 SHDSL.bis Line Connector

The figure below shows the pin assignment of the SHDSL.bis line cord plug:

2.4 Console Cable

The figure below shows the pin assignment of the console cable:
Pin Number   Description
1            No connection
2            RxD (O)
3            TxD (I)
4            No connection
5            GND
6            No connection
7            CTS (O)
8            RTS (I)
9            No connection
GRT-504 4-Wire G.SHDSL.bis Firewall Router User’s Manual

3 Getting to know Firewall feature

3.1 Introduction

A firewall protects networked computers from intentional hostile intrusion that could compromise confidentiality or result in data corruption or denial of service. It must have at least two network interfaces, one for the network it is intended to protect and one for the network it is exposed to. A firewall sits at the junction point, or gateway, between the two networks, usually a private network and a public network such as the Internet.
A firewall examines all traffic routed between the networks. Traffic is routed between the networks if it meets certain criteria; otherwise, it is filtered. A firewall filters both inbound and outbound traffic. Besides managing public access to private networked resources such as host applications, the firewall is capable of logging all attempts to enter the private network and triggering alarms when hostile or unauthorized entry is attempted. Firewalls can filter packets based on their source and destination IP addresses; this is known as address filtering. Firewalls can also filter specific types of network traffic by port number, which is also known as protocol filtering because the forwarding decision depends on the protocol used, for example HTTP, FTP or Telnet. Firewalls can also filter traffic by packet attribute or state.
An Internet firewall cannot prevent damage caused by individual users dialing into or out of the network with their own router, which bypasses the firewall altogether. The misconduct or carelessness of employees is not in the control of firewalls either. Authentication policies, which govern the use and misuse of passwords and user accounts, must be strictly enforced. These management issues need to be settled during the planning of the security policy, but cannot be solved with Internet firewalls alone.
[Figure: A local user behind the firewall. Traffic out to the Internet is divided into allowed traffic, restricted traffic, unknown traffic, and specified allowed traffic with access to a specific destination.]

3.2 Types of Firewall

There are three types of firewall:

3.2.1 Packet Filtering

In packet filtering, the firewall examines the protocol and address information in the header of each packet and ignores its contents and context (its relation to other packets and to the intended application). The firewall pays no attention to applications on the host or local network and "knows" nothing about the sources of incoming data. Filtering examines incoming and outgoing packets and decides whether or not to drop a packet according to a set of configurable rules. Network Address Translation (NAT) routers offer the advantages of packet filtering firewalls but can also hide the IP addresses of computers behind the firewall, and offer a level of circuit-based filtering.
[Figure: Stateful inspection. Of the five levels (Application, TCP, IP, Data Link, Physical), the filter examines the Level 3 (IP) and Level 4 (TCP) information: source/destination address, source/destination port, IP options and connection status, and remembers this information. Host 192.168.0.5 sends UDP SP=3264 SA=192.168.0.5 DP=1525 DA=172.16.3.4. The incoming UDP packet SP=1525 SA=172.16.3.4 DP=3264 DA=192.168.0.5 matches the outgoing one, so it is allowed in; the incoming UDP packet SP=1525 SA=172.168.3.4 DP=2049 DA=192.168.0.5 has no match, so it is disallowed.]
[Figure: NAT (Network Address Translation). The firewall maps the hosts on the internal/protected network to one external IP on the external/unprotected network (the Internet):]
Internal IP     External IP
192.168.0.10    192.120.8.5
192.168.0.11    192.120.8.5
[Figure: PAT (Port Address Translation). Each client's internal port is mapped to a distinct external port on the same external IP:]
Client IP       Internal Port   External Port
192.168.0.10    1025            2205
192.168.0.11    4406            2206
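The PAT table above and the "matches outgoing, so allow in" rule from 3.2.1 can be modelled together, as an added example that is not the GRT-504's own code: a gateway whose translation table doubles as the session state. The remote server 203.0.113.7 and port 53 are constructed values.

```python
"""Added example (not GRT-504 firmware): a minimal stateful PAT gateway model
that reproduces the page's PAT table and only translates inbound packets back
when they match a session opened from the inside. 203.0.113.7 is constructed."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str  # "UDP" or "TCP"
    src: str
    sport: int
    dst: str
    dport: int


class StatefulPAT:
    def __init__(self, external_ip: str, first_port: int = 2205):
        self.external_ip = external_ip
        self.next_port = first_port
        # (proto, internal ip, internal port, remote ip, remote port) -> external port
        self.sessions: Dict[Tuple[str, str, int, str, int], int] = {}
        # (proto, external port, remote ip, remote port) -> (internal ip, internal port)
        self.reverse: Dict[Tuple[str, int, str, int], Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Translate a packet leaving the protected network, creating state if it is new."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        ext_port = self.sessions.get(key)
        if ext_port is None:
            ext_port = self.next_port  # allocate the next free external port
            self.next_port += 1
            self.sessions[key] = ext_port
            self.reverse[(pkt.proto, ext_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return Packet(pkt.proto, self.external_ip, ext_port, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a packet arriving from the Internet, or return None to drop it."""
        if pkt.dst != self.external_ip:
            return None
        mapping = self.reverse.get((pkt.proto, pkt.dport, pkt.src, pkt.sport))
        if mapping is None:
            return None  # no matching outbound session: "no match, so disallow in"
        internal_ip, internal_port = mapping
        return Packet(pkt.proto, pkt.src, pkt.sport, internal_ip, internal_port)


def demo() -> Tuple[Packet, Packet, Optional[Packet], Optional[Packet]]:
    """Run the page's two clients through the gateway and return the translated packets."""
    gw = StatefulPAT("192.120.8.5")
    out_a = gw.outbound(Packet("UDP", "192.168.0.10", 1025, "203.0.113.7", 53))
    out_b = gw.outbound(Packet("UDP", "192.168.0.11", 4406, "203.0.113.7", 53))
    reply_ok = gw.inbound(Packet("UDP", "203.0.113.7", 53, "192.120.8.5", 2205))
    # Unsolicited packet: correct external address, but no session owns port 2049
    reply_bad = gw.inbound(Packet("UDP", "203.0.113.7", 53, "192.120.8.5", 2049))
    return out_a, out_b, reply_ok, reply_bad


if __name__ == "__main__":
    for p in demo():
        print(p)
```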

3.2.2 Circuit Gateway

Also called a "Circuit Level Gateway", this firewall approach validates connections before allowing data to be exchanged. This means that the firewall does not simply allow or disallow packets but also determines whether the connection between both ends is valid according to configurable rules, then opens a session and permits traffic only from the allowed source and possibly only for a limited period of time.
[Figure: Circuit gateway. Connection validation at Level 4 (TCP) and Level 3 (IP) uses the destination IP address and/or port, the source IP address and/or port, time of day, protocol, user and password.]

3.2.3 Application Gateway

The Application Level Gateway acts as a proxy for applications, performing all data exchanges with the remote system on their behalf. This can render a computer behind the firewall invisible to the remote system. It can allow or disallow traffic according to very specific rules, for instance permitting some commands to a server but not others, limiting file access to certain types, varying rules according to authenticated users, and so forth. This type of firewall may also perform very detailed logging of traffic and monitoring of events on the host system; furthermore, it can often be instructed to sound alarms or notify an operator under defined conditions. Application-level gateways are generally regarded as the most secure type of firewall. They certainly have the most sophisticated capabilities.
[Figure: Application gateway. An internal host PC sends a page request to the proxy application on the internal interface of the proxy server; the proxy checks the URL and filters content for Telnet, FTP, HTTP and SMTP, forwards the request through the external interface to the public server, and returns the page.]

3.3 Denial of Service Attack

Typically, Denial of Service (DoS) attacks come in two flavors: resource starvation and system overloading. DoS attacks usually happen when the legitimate demand for a resource is greater than the supply (for example, too many web requests to an already overloaded web server). Software weaknesses or incorrect system configurations can also induce DoS situations. The difference between a malicious denial of service and a simple system overload is the presence of an individual with malicious intent (the attacker) using or attempting to use resources specifically to deny those resources to other users.
Ping of death - On the Internet, ping of death is a kind of denial of service (DoS) attack caused by deliberately sending an IP packet larger than the 65,536 bytes allowed by the IP protocol. One of the features of TCP/IP is fragmentation, which allows a single IP packet to be broken down into smaller segments. Attackers began to take advantage of that feature when they found that fragmented packets could add up to more than the allowed 65,536 bytes. Many operating systems do not know what to do once they receive an oversized packet, and they freeze, crash, or reboot. Other known variants of the ping of death include teardrop, bonk and nestea.
[Figure: Ping of death. The hacker's system sends a 112,000-byte packet to the target system, while a normal IP packet is at most 65,536 bytes. Normal reassembled packets: bytes 1~1500, 1501~3000, 3000~4500. Reassembled teardrop packets overlap: bytes 1~1700, 1300~3200, 2800~4800.]
SYN Flood - The attacker sends TCP SYN packets, which start connections, very fast, leaving the victim waiting to complete a huge number of connections, causing it to run out of resources and drop legitimate connections. A newer defense against this is "SYN cookies". Each side of a connection has its own sequence number. In response to a SYN, the attacked machine creates a special sequence number that is a "cookie" of the connection and then forgets everything it knows about the connection. It can then recreate the forgotten information about the connection when the next packets come in from a legitimate connection.
[Figure: SYN flood. The hacker's system sends TCP SYN requests across the Internet; the target system answers with TCP SYN-ACK packets and its backlog queue fills with half-open connections.]
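The SYN cookie defense described above, as an added example that is not the GRT-504's own code: the server keeps no half-open connection state and instead recomputes the cookie when the client's ACK arrives. The secret key, the counter and the port numbers are constructed for the demo.

```python
"""Added example (not GRT-504 firmware): SYN cookies as described above.
The server derives its initial sequence number (the cookie) from the 4-tuple,
the client's ISN and a coarse time counter under a secret key, stores nothing,
and recomputes the cookie when the final ACK arrives. SECRET is constructed
for the demo; a real implementation uses a random per-boot key."""
import hashlib
import hmac

SECRET = b"constructed-demo-secret-key"
MASK32 = 0xFFFFFFFF
TIME_BITS = 5  # top 5 bits of the cookie carry the time counter
TIME_MASK = (1 << TIME_BITS) - 1
MAC_MASK = (1 << (32 - TIME_BITS)) - 1


def _mac(src: str, sport: int, dst: str, dport: int, client_isn: int, t: int) -> int:
    msg = f"{src}:{sport}>{dst}:{dport}|{client_isn}|{t}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & MAC_MASK


def make_cookie(src, sport, dst, dport, client_isn, counter) -> int:
    """Server ISN to send in the SYN-ACK; no per-connection state is kept."""
    t = counter & TIME_MASK
    return (t << (32 - TIME_BITS)) | _mac(src, sport, dst, dport, client_isn, t)


def check_ack(src, sport, dst, dport, seq, ack, counter) -> bool:
    """Validate the third-handshake ACK: seq = client_isn + 1, ack = cookie + 1."""
    cookie = (ack - 1) & MASK32
    t = cookie >> (32 - TIME_BITS)
    now = counter & TIME_MASK
    if t not in (now, (now - 1) & TIME_MASK):
        return False  # cookie issued too long ago (or forged time field)
    client_isn = (seq - 1) & MASK32  # recovered from the ACK, not from stored state
    expected = make_cookie(src, sport, dst, dport, client_isn, t)
    return hmac.compare_digest(expected.to_bytes(4, "big"), cookie.to_bytes(4, "big"))


def handshake(counter_at_syn: int, counter_at_ack: int, tamper: int = 0) -> bool:
    """SYN -> SYN-ACK(cookie) -> ACK for the page's addresses; ports are constructed."""
    src, sport, dst, dport, client_isn = "192.168.0.5", 3264, "192.120.8.5", 80, 123456
    cookie = make_cookie(src, sport, dst, dport, client_isn, counter_at_syn)  # SYN arrives
    # The client's ACK carries seq = client_isn + 1 and ack = cookie + 1
    return check_ack(src, sport, dst, dport, client_isn + 1, cookie + 1 + tamper, counter_at_ack)
```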
ICMP Flood - The attacker transmits a volume of ICMP request packets to cause all CPU resources to be consumed serving the phony requests.
UDP Flood - The attacker transmits a volume of requests for UDP diagnostic services, which causes all CPU resources to be consumed serving the phony requests.
Land attack - The attacker attempts to slow your network down by sending a packet with identical source and destination addresses originating from your network.
IP Spoofing - IP spoofing is a method of masking the identity of an intrusion by making it appear that the traffic came from a different computer. It is used by intruders to keep their anonymity and can be used in a Denial of Service attack.
Smurf attack - The source address of the intended victim is forged in a broadcast ping so that a huge number of ICMP echo replies go back to the victim indicated by that address, overloading it.
[Figure: Smurf attack. The hacker's system sends a broadcast ping request with a spoofed IP address across the Internet to the target router; multiple hosts on the subnet send their ping responses to the spoofed address.]
Fraggle Attack - A perpetrator sends a large amount of UDP echo packets to IP broadcast addresses, all of them having a fake source address.

4 Getting to know VLAN feature

Virtual Local Area Network (VLAN) is defined as a group of devices on one or more LANs that are configured so that they can communicate as if they were attached to the same wire, when in fact they are located on a number of different LAN segments. Because VLAN is based on logical instead of physical connections, it is extremely flexible.
The IEEE 802.1Q defines the operation of VLAN bridges that permit the definition, operation, and administration of VLAN topologies within a bridged LAN infrastructure. VLAN architecture benefits include:
1. Increased performance
2. Improved manageability
3. Network tuning and simplification of software configurations
4. Physical topology independence
5. Increased security options
As DSL (over ATM) links are deployed ever more extensively, implementing VLAN over DSL links (VLAN-to-PVC) is becoming progressively more common, and hence it may be a requirement of ISPs.
We discuss the implementation of VLAN-to-PVC only for bridge mode operation, i.e., the VLAN spreads over both the COE and CPE sides, where there is no layer 3 routing involved.

4.1 Specification

1. The unit supports up to 8 active VLANs with shared VLAN learning (SVL) bridge out of 4096 possible VLANs specified in IEEE 802.1Q.
2. Each port always belongs to a default VLAN with its port VID (PVID) as an untagged member. Also, a port can belong to multiple VLANs and be tagged members of these VLANs.
3. A port must not be a tagged member of its default VLAN.
4. If a non-tagged or null-VID tagged packet is received, it will be assigned with the default PVID of the ingress port.
5. If the packet is tagged with non-null VID, the VID in the tag will be used.
6. The look-up process starts with a VLAN look-up to determine whether the VID is valid. If the VID is not valid, the packet will be dropped and its address will not be learned. If the VID is valid, the VID, destination address, and source address look-ups are performed.
7. The VID and destination address look-up determines the forwarding ports. If it fails, the packet will be broadcast to all members of the VLAN, except the ingress port.
8. Frames are sent out tagged or untagged depending on whether the egress port is a tagged or untagged member of the VLAN that the frames belong to.
9. If the VID and source address look-up fails, the source address will be learned.

4.2 Frame Specification

An untagged frame or a priority-tagged frame does not carry any identification of the VLAN to which it belongs. Such frames are classified as belonging to a particular VLAN based on parameters associated with the receiving port. Also, priority-tagged frames, which, by definition, carry no VLAN identification information, are treated the same as untagged frames. A VLAN-tagged frame carries an explicit identification of the VLAN to which it belongs; i.e., it carries a tag header that carries a non-null VID. This results in a minimum tagged frame length of 68 octets. Such a frame is classified as belonging to a particular VLAN based on the value of the VID that is included in the tag header. The presence of the tag header carrying a non-null VID means that some other device, either the originator of the frame or a VLAN-aware bridge, has mapped this frame into a VLAN and has inserted the appropriate VID.
The following figure shows the difference between an untagged frame and a VLAN-tagged frame, where the Tag Protocol Identifier (TPID) is 0x8100 and identifies the frame as a tagged frame. The Tag Control Information (TCI) consists of the following elements:
1) User priority allows the tagged frame to carry user priority information across bridged LANs in which individual LAN segments may be unable to signal priority information (e.g., 802.3/Ethernet segments).
2) The Canonical Format Indicator (CFI) is used to signal the presence or absence of a Routing Information Field (RIF), and, in combination with the Non-canonical Format Indicator (NCFI) carried in the RIF, to signal the bit order of address information carried in the encapsulated frame.
3) The VID uniquely identifies the VLAN to which the frame belongs.
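The tag format of 4.2 and the ingress, look-up and egress rules of 4.1 can be exercised on constructed frames, as an added example that is not the GRT-504's own code. The port numbers, PVIDs and VLAN membership below are an assumed configuration, and the MAC addresses are constructed.

```python
"""Added example (not GRT-504 firmware): 802.1Q tag handling plus the
ingress/look-up/egress rules of sections 4.1 and 4.2. The ports, PVIDs
and VLAN membership are an assumed configuration; frames are constructed."""
import struct
from typing import Dict, Optional, Tuple

TPID = 0x8100  # Tag Protocol Identifier that marks a tagged frame


def parse_tag(frame: bytes) -> Tuple[Optional[int], int, int]:
    """Return (VID, user priority, CFI); VID is None for an untagged frame."""
    if struct.unpack("!H", frame[12:14])[0] != TPID:
        return None, 0, 0
    tci = struct.unpack("!H", frame[14:16])[0]  # Tag Control Information
    return tci & 0x0FFF, tci >> 13, (tci >> 12) & 1


def strip_tag(frame: bytes) -> bytes:
    return frame[:12] + frame[16:] if parse_tag(frame)[0] is not None else frame


def add_tag(frame: bytes, vid: int, priority: int = 0) -> bytes:
    body = strip_tag(frame)
    tci = (priority << 13) | (vid & 0x0FFF)
    return body[:12] + struct.pack("!HH", TPID, tci) + body[12:]


def make_frame(dst: bytes, src: bytes, vid: Optional[int] = None) -> bytes:
    frame = dst + src + b"\x08\x00" + bytes(46)  # IPv4 ethertype, dummy payload
    return frame if vid is None else add_tag(frame, vid)


class VlanBridge:
    def __init__(self, pvid: Dict[int, int], members: Dict[int, Dict[int, str]]):
        for port, v in pvid.items():  # rule 3: a port is an untagged member of its PVID
            if members.get(v, {}).get(port) != "untagged":
                raise ValueError(f"port {port} must be an untagged member of PVID {v}")
        self.pvid, self.members = pvid, members
        self.fdb: Dict[Tuple[int, bytes], int] = {}  # (VID, MAC) -> port

    def classify(self, port: int, frame: bytes) -> Optional[int]:
        vid = parse_tag(frame)[0]
        if not vid:  # untagged or priority-tagged (null VID): use the port's PVID
            vid = self.pvid[port]
        return vid if vid in self.members else None  # invalid VID: drop, no learning

    def forward(self, port: int, frame: bytes) -> Dict[int, bytes]:
        """Return {egress port: frame as transmitted}; an empty dict means dropped."""
        vid = self.classify(port, frame)
        if vid is None:
            return {}
        dst, src = frame[:6], frame[6:12]
        self.fdb[(vid, src)] = port  # learn the source address within this VLAN
        known = self.fdb.get((vid, dst))
        if known == port:
            return {}  # destination sits on the ingress port
        ports = [known] if known is not None else [p for p in self.members[vid] if p != port]
        priority = parse_tag(frame)[1]
        return {p: add_tag(frame, vid, priority) if self.members[vid][p] == "tagged"
                else strip_tag(frame) for p in ports}
```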

4.3 Applications


5 Configuration to the Router

This guide is designed to lead users through configuration of the G.SHDSL.bis router via the Web configuration or the serial console in the easiest and quickest way possible. Please follow the instructions carefully.
Note: There are three methods to configure the router: serial console, Telnet and Web browser. Only one configuration application is used to set up the router at any given time, so users have to choose one method to configure it. For Web configuration, you can skip item 3. For serial console configuration, you can skip items 1 and 2.

5.1 Check List

(1) Check the Ethernet adapter in the PC or NB
Make sure that an Ethernet adapter has been installed in the PC or NB used for configuring the router. The TCP/IP protocol is necessary for Web configuration, so please check whether the TCP/IP protocol has been installed.
(2) Check the Web browser in the PC or NB
For Web configuration, the PC or NB needs a Web browser, IE or Netscape, installed. Note: IE 5.0, Netscape 6.0 or above and a resolution of 800x600 or above are recommended.
(3) Check the terminal access program
For serial console and Telnet configuration, users need to set up a terminal access program with VT100 terminal emulation.
(4) Determine the connection setting
Users need to know the Internet protocol supplied by the Service Provider and determine the mode of setting.
Protocol Selection
RFC1483 Ethernet over ATM
RFC1577 Classical Internet Protocol over ATM
RFC2364 Point-to-Point Protocol over ATM
RFC2516 Point-to-Point Protocol over Ethernet
Different protocols need different WAN parameters. After finding out which protocol your ISP provides, you have to ask for the necessary WAN parameters to set it up.
[Figure: WAN parameters required for each protocol: Bridge EoA, IPoA, Route EoA, PPPoA and PPPoE.]

5.2 Install the SHDSL.bis Router

Note: To avoid possible damage to this router, do not turn on the router before the hardware installation is complete.
- Connect the power adapter to the port labeled DC-IN on the rear panel of the product.
- Connect the Ethernet cable.
Note: This router supports auto-MDIX switching, so both straight-through and cross-over Ethernet cables can be used.
- Connect the phone cable to the router and the other end of the phone cable to the wall jack.
- Connect the power adapter to the power source inlet.
- Turn on the PC or NB which is used to configure the router.
4-port router with complex network topology

6 Configuration via Web Browser

Step. 1 Click the start button. Select setting and control panel.
Step. 2 Double click the network icon.
In the Configuration window, select the TCP/IP protocol line that is associated with your network card and then click the Properties button.
Choose the IP Address tab. Select "Obtain an IP address automatically". Click the OK button.