Protecting Your Network

5-1

May 2004, 202-10030-02

Chapter 5

Protecting Your Network

This chapter describes how to use the firewall features of the FVL328 Prosafe High Speed VPN

Firewall to protect your network.

Firewall Protection and Content Filtering Overview

The FVL328 Prosafe High Speed VPN Firewall provides you with Web content filtering options,

plus browsing activity reporting and instant alerts via e-mail. Parents and network administrators

can establish restricted access policies based on time-of-day, Web addresses, and Web address

keywords. You can also block Internet access by applications and services, such as chat or games.

A firewall is a special category of router that protects one network (the “trusted” network, such as

your LAN) from another (the “untrusted” network, such as the Internet), while allowing

communication between the two. A firewall incorporates the functions of a NAT (Network

Address Translation) router, while adding features for dealing with a hacker intrusion or attack,

and for controlling the types of traffic that can flow between the two networks. Unlike simple

Internet sharing NAT routers, a firewall uses a process called stateful packet inspection to protect

your network from attacks and intrusions. NAT performs a very limited stateful inspection in that

it considers whether the incoming packet is in response to an outgoing request, but true Stateful

Packet Inspection goes far beyond NAT.

To configure these features of your router, click on the subheadings under the Content Filtering

heading in the Main Menu of the browser interface. The subheadings are described below:

Using the Block Sites Menu to Screen Content

The FVL328 allows you to restrict access based on the following categories:

•

Use of a proxy server

•

Type of file (Java, ActiveX, Cookie)

•

Web addresses

•

Web address keywords

Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual Revision 2

5-2

Protecting Your Network

May 2004, 202-10030-02

Many Web sites will not function correctly if these components are blocked.

These options are discussed below.

The Keyword Blocking menu is shown here.

Figure 5-1:

Block Sites menu

To enable filtering, click the checkbox next to the type of filtering you want to enable. The filtering

choices are:

•

Proxy: blocks use of a proxy server

•

Java: blocks use of Java applets

•

ActiveX: blocks use of ActiveX components (OCX files) used by IE on Windows

Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual Revision 2

Protecting Your Network

5-3

May 2004, 202-10030-02

•

Cookies: blocks all cookies

To enable keyword blocking, check “Turn keyword blocking on”, then click Apply.

To add a keyword or domain, type it in the Keyword box, click Add Keyword, then click Apply.

To delete a keyword or domain, select it from the list, click Delete Keyword, then click Apply.

Keyword application examples:

•

If the keyword “XXX” is specified, the URL <http://www.badstuff.com/xxx.html> is blocked,

as is the newsgroup alt.pictures.XXX.

•

If the keyword “.com” is specified, only Web sites with other domain suffixes (such as .edu or

.gov) can be viewed.

•

If you want to block all Internet browsing access, enter the keyword “.”.

Up to 255 entries are supported in the Keyword list.

Apply Keyword Blocking to Groups

Select the Groups you wish to apply the Keyword Blocking to.

•

To manage these groups, use the Network Database screen on the Maintenance menu.

•

The Web Components settings always apply to all PCs.

Services and Rules Regulate Inbound and Outbound Traffic

The FVL328 Prosafe High Speed VPN Firewall firewall lets you regulate what ports are available

to the various TCP/IP protocols. Follow these two steps to configure inbound or outbound traffic:

1.

Define a Service

2.

Set up an Inbound or Outbound Rule that uses the Service

These steps are discussed below.

Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual Revision 2

5-4

Protecting Your Network

May 2004, 202-10030-02

Defining a Service

Services are functions performed by server computers at the request of client computers. For

example, Web servers serve Web pages, time servers serve time and date information, and game

hosts serve data about other players’ moves. When a computer on the Internet sends a request for

service to a server computer, the requested service is identified by a service or port number. This

number appears as the destination port number in the transmitted IP packets. For example, a packet

that is sent with destination port number 80 is an HTTP (Web server) request.

The service numbers for many common protocols are defined by the Internet Engineering Task

Force (IETF) and published in RFC1700, “Assigned Numbers.” Service numbers for other

applications are typically chosen from the range 1024 to 65535 by the authors of the application.

Although the FVL328 already holds a list of many service port numbers, you are not limited to

these choices. Use the Services menu to add additional services and applications to the list for use

in defining firewall rules. The Services menu shows a list of services that you have defined.

To define a new service, first you must determine which port number or range of numbers is used

by the application. This information can usually be determined by contacting the publisher of the

application or from user groups of newsgroups. When you have the port number information, go

the Services menu and click on the Add Custom Service button. The Add Services menu will

appear.

To add a service:

1.

Enter a descriptive name for the service so that you will remember what it is.

2.

Select whether the service uses TCP or UDP as its transport protocol.

If you can’t determine which is used, select both.

3.

Enter the lowest port number used by the service.

4.

Enter the highest port number used by the service.

If the service only uses a single port number, enter the same number in both fields.

5.

Click Apply.

The new service will now appear in the Services menu, and in the Service name selection box in

the Rules menu.

Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual Revision 2

Protecting Your Network

5-5

May 2004, 202-10030-02

Using Inbound/Outbound Rules to Block or Allow Services

Firewall rules are used to block or allow specific traffic passing through from one side of the

firewall to the other. Inbound rules (WAN to LAN) restrict access by outsiders to private resources,

selectively allowing only specific outside users to access specific resources. Outbound rules (LAN

to WAN) determine what outside resources local users can have access to.

A firewall has two default rules, one for inbound traffic and one for outbound. The default rules of

the FVL328 are:

•

Inbound: Block all access from outside except responses to requests from the LAN side.

•

Outbound: Allow all access from the LAN side to the outside.

These default rules are shown here:

Figure 5-2:

Rules menu