41

Figure: Access Filter

Settings – Access Filter

Access Group

The Group that the current rule is applied to. To apply the

restrictions to everyone, select the Default group. All users (Hosts)

are in the default group unless moved to another group on the Host

IP screen

Filter Setting

•

No Filtering

–To allow all Internet access by LAN users.

•

Block All Access

–To prohibit all Internet access by LAN

users.

•

Allow Selected Items

– To apply the rules for permitting

Internet access defined in User-Defined Filter

.

•

Block Selected Items

– To apply the rules for blocking

Internet access defined in User-Defined Filter.

ICMP Filter

To limit the ICMP activities initialized from the LAN.

•

Selected Packet Types

–To prohibit the selected types of

ICMP packets from the LAN to be passed through the device.

•

Packet Types

–The types of ICMP packets that could be

blocked

User-defined

Filter

This lets you define custom ports to be blocked.

•

Enable

– To activate or deactivate the current rule.

•

Name

– A unique name to identify the current rule.

•

Protocol Type

– The protocol to be blocked.

•

Port No. Range

– The port number range to be blocked. (For

TCP and UDP only) If only one port number is used, enter the

same port number in both fields.

User- Defined

Filter List

List all enabled and disabled filters which have been defined.

6.3

Session Limit

This new feature allows to dropping the new sessions from both WAN and LAN side, if the

new session numbers are exceed the maximum sessions in a sampling time.

42

Figure: Session Limit

Settings – Session Limit

Outgoing New

Session

•

Session Limit

– Check this to enable limiting sessions.

•

Sampling Time

– The period to count the new sessions. Only

those new sessions which occurred in the most recently

Sampling Time are counted for limit checking. (Default: 400

mili-sec., maximum: 500 mili-sec., step: 50 mili-sec.)

•

Maximum of Total New session

– If the number of new

sessions for the system exceeds the Maximum in the

Sampling Time, any new session in the system will be

dropped. (Default: 65535 sess./sec., maximum: 65535

sess./sec.)

•

Maximum of New Sessions for Host

– If the number of new

sessions for the host exceeds the Maximum in the Sampling

Time, any new session of the host will be dropped. (Default:

100 sess./sec., maximum: 999 sess./sec.)

•

Maximum of Dropped New Sessions for Host

–If the

number of dropped new sessions for the host exceeds the

Maximum in the Sampling Time, any new session of the host

will be dropped for the Pause Time. (Default: 25 sess./sec.,

maximum: 999 sess./sec.)

•

Pause Time for Host while exceeding limits on dropped

new sessions

– Within the Pause Time, no new session of

the suspended host will be served by the system. (Default: 5

min., maximum: 65535 min.)

6.4

SysFilter Exception

System Filter Exception Rules: Any unrecognized packet to the device itself will be

43

rejected. If you want the device to accept the specific packets, you should build the

corresponding exception rules here.

Figure: SysFilter Exception

Settings – SysFilter Exception

System Filter

Exception Rules

•

Enable

–To activate or deactivate this rule.

•

Interface

– The port that the packets enter the device on.

•

Protocol

– The protocol of the packets to be accepted.

•

Foreign Port Range

–The source port range of the packets

to be accepted.

•

Device Port Range

– The destination port range of the

packets to be accepted.

System Filter

Exception Rule

List

List all system rules that have been defined.

44

7. VPN Configuration

Overview

Virtual Private Network (VPN) is a connection between two end points. It allows private data

to be sent securely over a public network, such as Internet. VPN establishes a private

network that can send data securely between two networks by creating a “tunnel”. A VPN

tunnel connects the two PCs or networks

Note:

The SP880B VPN Router uses industry standard VPN protocol. However, due to

variations in how manufactures interpret these standards, many VPN products are not

interoperable. Although the SP880B VPN Router can interoperate with many other VPN

products, it is not possible for SP880B VPN Router to provide specific technical support for

every other product.

Planning the VPN:

When planning your VPN, you must make sure of the following items first.

1.

If the remote end was a network, the two-endpoint network must have different LAN IP

address ranges. If the remote endpoint is a single PC running a VPN client, its

destination address must be a single IP address, with subnet mask of

255.255.255.255

2.

If you will be using the Internet Key Exchange (IKE) setup, or Manual Key, in which you

must specify each phase of the connection.

3.

At least one side must have a fixed IP address. The other side with a dynamic IP

address must always be the initiator of the connection.

4.

The encryption level you are planning to use (DES or 3DES)?

7.1

IKE Global Setup

The following web page management will guide you on how to setup IKE (Internet Key

Exchange) and make VPN work.

45

Figure: IKE Global Setup

Settings – IKE Global Setup.

IP Global

Setting

•

Enable Setting

– If you checked the box, this will start VPN

global setting.

•

ISAkmp Port

– Internet Security Association and Key Protocol

Management (ISAkmp) is designed to negotiate, establish,

modify and delete security associations and their attributes. In

particular, it was assigned UDP port 500 by the IANA.

•

Phase 1 DH Group

–

Use DH Group 1(768-bits), DH Group

2(1024-bits), Group 5 (1536-bits) to generate IPSec SA keys.

•

Phase 1 Encryption Method

– There are three data

encryption methods available, DES, 3DES and AES.

•

Phase 1 Authentication Method

– There are two

authentication available. MD5 and SHA1 (Secure Hash

Algorithm)

•

Phase 1 SA Life Time

– By default the Security Association

lifetime is 28800 Sec

.