Page 341 / 351
Security
☛ NOTE:
1. The default setting for NAT is ON.
2. Netopia uses Port Address Translation (PAT) to implement the NAT facility.
3. NAT Pinhole traffic (discussed below) is always initiated from the WAN side.
Netopia Advanced Features for NAT
Using the NAT facility provides effective LAN security. However, there are user applications that require methods to selectively by-pass this security function for certain types of Internet traffic.
Netopia Gateways provide special pinhole configuration rules that enable users to establish NAT-protected LAN layouts that still provide flexible by-pass capabilities.
Some of these rules require coordination with the unit's embedded administration services: the internal Web (HTTP) Port (TCP 80) and the internal Telnet Server Port (TCP 23).
Internal Servers
The internal servers are the embedded Web and Telnet servers of the Gateway. Change the Gateway's internal Web and Telnet server ports if you want to offer those services from a LAN host through pinholes or the Default Server; otherwise the embedded servers and the forwarded traffic compete for the same port.
Pinholes
This feature allows you to:
• Transparently route selected types of network traffic using the port forwarding facility. FTP requests or HTTP (Web) connections are directed to a specific host on your LAN.
• Set up multiple pinhole paths. Up to 32 paths are supported.
• Identify the type(s) of traffic you want to redirect by port number.
Common TCP/IP protocols and ports are:
FTP (TCP 21)
telnet (TCP 23)
SMTP (TCP 25)
HTTP (TCP 80)
SNMP (TCP 161, UDP 161)
See page 75 for How To instructions.
Default Server
This feature allows you to:
• Direct your Gateway to forward all externally initiated IP traffic (TCP and UDP protocols only) to a default host on the LAN.
• Enable it for certain situations:
  Where you cannot anticipate what port number or packet protocol an in-bound application might use. For example, some network games select arbitrary port numbers when a connection is opened.
  When you want all unsolicited traffic to go to a specific LAN host.
Combination NAT Bypass Configuration
Specific pinholes and Default Server settings, each directed to different LAN devices, can be used together.
☛ WARNING:
Creating a pinhole or enabling a Default Server allows inbound access to the specified LAN station. Contact your Network Administrator for LAN security questions.
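The following is an added model of the inbound rules just described (a specific pinhole wins, otherwise TCP/UDP falls through to the Default Server, otherwise NAT has no mapping), plus the pre-checks a practitioner wants before opening the LAN: the 32-path limit and the collision with the internal Web/Telnet server ports. It is illustration only, not Netopia code; the hosts and configurations are constructed.

```python
# Added model of the inbound NAT-bypass rules described above (pinholes and
# Default Server). Illustration only, not Netopia code; hosts are constructed.
from dataclasses import dataclass, field
from typing import Optional

MAX_PINHOLES = 32    # limit stated in the manual
# Common protocols/ports from the manual, used for the exposure report.
WELL_KNOWN = {("tcp", 21): "FTP", ("tcp", 23): "telnet", ("tcp", 25): "SMTP",
              ("tcp", 80): "HTTP", ("tcp", 161): "SNMP", ("udp", 161): "SNMP"}

@dataclass
class Pinhole:
    proto: str      # "tcp" or "udp" (lowercase)
    port: int       # port on the Gateway's WAN address to redirect
    lan_host: str   # LAN station receiving the redirected traffic

@dataclass
class NatConfig:
    internal_web_port: int = 80      # embedded HTTP server (default TCP 80)
    internal_telnet_port: int = 23   # embedded Telnet server (default TCP 23)
    pinholes: list = field(default_factory=list)
    default_server: Optional[str] = None   # LAN host, or None when disabled

def validate(cfg: NatConfig) -> list:
    """Configuration problems to resolve before enabling the bypass."""
    problems = []
    if len(cfg.pinholes) > MAX_PINHOLES:
        problems.append(f"{len(cfg.pinholes)} pinholes exceeds the limit of {MAX_PINHOLES}")
    for p in cfg.pinholes:
        # A pinhole on an embedded server's port needs that internal port moved first.
        if p.proto == "tcp" and p.port in (cfg.internal_web_port, cfg.internal_telnet_port):
            problems.append(f"pinhole tcp/{p.port} collides with an internal server port")
    return problems

def route_inbound(cfg: NatConfig, proto: str, dst_port: int) -> Optional[str]:
    """LAN host that receives an unsolicited WAN packet, or None if NAT drops it."""
    for p in cfg.pinholes:             # a specific pinhole wins over the Default Server
        if p.proto == proto and p.port == dst_port:
            return p.lan_host
    if cfg.default_server and proto in ("tcp", "udp"):
        return cfg.default_server      # all other TCP/UDP goes to the default host
    return None                        # no mapping: PAT has nowhere to deliver it

def exposure_report(cfg: NatConfig) -> dict:
    """Well-known services each LAN host now answers for from the WAN."""
    report = {}
    for (proto, port), name in WELL_KNOWN.items():
        if host := route_inbound(cfg, proto, port):
            report.setdefault(host, []).append(f"{name} {proto.upper()}/{port}")
    return report
```

Run `exposure_report` on a proposed configuration before applying it: with a Default Server enabled, every well-known port without its own pinhole lands on that host, which is exactly what the WARNING above is about.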
IP-Passthrough
Netopia OS now offers an IP passthrough feature. The IP passthrough feature allows a single PC on the LAN to have the Gateway's public address assigned to it. It also provides PAT (NAPT) via the same public IP address for all other hosts on the private LAN subnet.
VPN IPSec Pass Through
This Netopia service supports your independent VPN client software in a transparent manner. Netopia has implemented an Application Layer Gateway (ALG) to support multiple PCs running IP Security protocols.
This feature has three elements:
1. On power up or reset, the address mapping function (NAT) of the Gateway's WAN configuration is turned on by default.
2. When you use your third-party VPN application, the Gateway recognizes the traffic from your client and your unit. It allows the packets to pass through the NAT "protection layer" via the encrypted IPSec tunnel.
3. The encrypted IPSec tunnel is established "through" the Gateway.
A typical VPN IPSec Tunnel pass through is diagrammed below:
[Diagram: VPN PC clients behind the Netopia Gateway, tunnelling across the WAN; not reproduced in this text]
☛ NOTE:
Typically, no special configuration is necessary to use the IPSec pass through feature.
In the diagram, VPN PC clients are shown behind the Netopia Gateway and the secure server is at Corporate Headquarters across the WAN. You cannot have your secure server behind the Netopia Gateway.
When multiple PCs are starting IPSec sessions, they must be started one at a time to allow the associations to be created and mapped.
VPN IPSec Tunnel Termination
This Netopia service supports termination of VPN IPsec tunnels at the Gateway. This permits tunnelling from the Gateway without the use of third-party VPN client software on your client PCs.
Stateful Inspection Firewall
Stateful inspection is a security feature that prevents unsolicited inbound access when NAT is disabled. You can configure UDP and TCP "no-activity" periods that will also apply to NAT time-outs if stateful inspection is enabled on the interface.
Technical details are discussed in "Expert Mode" on page 39.
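As an added illustration of the behaviour described above (not Netopia code), the following tracks LAN-initiated flows, admits only replies to them, and expires entries after the configured TCP or UDP no-activity period; the LAN subnet, timeouts and packet values are constructed assumptions.

```python
# Added model of stateful inspection with TCP/UDP "no-activity" periods, as
# described above. Illustration only, not Netopia code; timeouts are constructed.
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    proto: str   # "tcp", "udp" or another IP protocol name
    src: str
    sport: int
    dst: str
    dport: int

class StatefulFirewall:
    def __init__(self, lan_subnet: str, tcp_idle: int = 3600, udp_idle: int = 60):
        self.lan = ipaddress.ip_network(lan_subnet)
        # No-activity periods in seconds; the manual notes the same periods also
        # govern NAT time-outs when NAT is on and inspection is enabled.
        self.idle = {"tcp": tcp_idle, "udp": udp_idle}
        self.table = {}   # outbound Flow -> time of last activity in either direction

    def _expire(self, now: int) -> None:
        """Drop tracked flows whose no-activity period has elapsed."""
        for flow, last in list(self.table.items()):
            if now - last > self.idle.get(flow.proto, 0):
                del self.table[flow]

    def handle(self, pkt: Flow, now: int) -> str:
        """Return 'allow' or 'drop' for one packet seen at time `now` (seconds)."""
        self._expire(now)
        if ipaddress.ip_address(pkt.src) in self.lan:
            self.table[pkt] = now          # LAN-initiated: track it and let it out
            return "allow"
        origin = Flow(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if origin in self.table:           # reply to a tracked outbound flow
            self.table[origin] = now       # activity refreshes the period
            return "allow"
        return "drop"                      # unsolicited inbound access
```

A short UDP period means a slow-replying service's answer is dropped as unsolicited, so tune the periods against real traffic rather than setting them as low as possible.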
SSL Certificate Support
On selected models, you can also install a Secure Sockets Layer (SSL V3.0) certificate from a trusted Certification Authority (CA) for authentication purposes. If this feature is available on your Gateway, an additional link will appear in the Install page.
See "Install Certificate" on page 188.
Index
Symbols
!! command 226
A
Access the GUI 39
Address resolution table 232
Administrative restrictions 255
Administrator password 39, 123, 224
Arguments, CLI 239
ARP
  Command 226, 236
Authentication 266
Authentication trap 282
auto-channel mode 290
AutoChannel Setting 58, 290
B
Bridging 244
Broadcast address 250, 252
C
CLI 221
  !! command 226
  Arguments 239
  Command shortcuts 225
  Command truncation 238
  Configuration mode 237
  Keywords 239
  Navigating 237
  Prompt 225, 237
  Restart command 226
  SHELL mode 225
  View command 240
Command
  ARP 226, 236
  Ping 229
  Telnet 235
Command line interface (see CLI)
Community 282
Compression, protocol 265
Concurrent Bridging/Routing 104, 244
CONFIG Command List 223
Configuration mode 237
D
D. port 160
Default IP address 39
denial of service 324
designing a new filter set 163
DHCP 245
DHCP lease table 230
Diagnostic log 231, 234
  Level 284
Diagnostics 338
DNS 248
DNS Proxy 337
Documentation conventions 15
Domain Name System (DNS) 248