Section 4
Configure
Basic Firewall Background
As a device on the Internet, a Cayman Gateway requires an IP address in order to send or receive traffic.

IP traffic sent or received has an associated application port, which depends on the nature of the connection request. In the IP protocol standard the following session types are common applications: ICMP, HTTP, FTP, SNMP, telnet and DHCP.

By receiving a response to a scan of a port or series of ports (which is the expected behavior according to the IP standard), hackers can identify an existing device and gain a potential opening for access to an Internet-connected device.

To protect LAN users and their network from these types of attacks, BreakWater offers three levels of increasing protection.

The following tables indicate the state of ports associated with session types, both on the WAN side and the LAN side of the Gateway.

This table shows how inbound traffic is treated. Inbound means the traffic is coming from the WAN into the WAN side of the Gateway.
Gateway: WAN Side (port state for each BreakWater setting)

| Port | Session Type | ClearSailing | SilentRunning | LANdLocked |
|------|--------------|--------------|---------------|------------|
| 20 | ftp data | Enabled | Disabled | Disabled |
| 21 | ftp control | Enabled | Disabled | Disabled |
| 23 | telnet external | Enabled | Disabled | Disabled |
| 23 | telnet Cayman server | Enabled | Disabled | Disabled |
| 80 | http external | Enabled | Disabled | Disabled |
| 80 | http Cayman server | Enabled | Disabled | Disabled |
| 67 | DHCP client | Enabled | Enabled | Disabled |
| 68 | DHCP server | Not Applicable | Not Applicable | Not Applicable |
| 161 | snmp | Enabled | Disabled | Disabled |
| n/a | ping (ICMP) | Enabled | Disabled | Disabled |
Downloaded from
www.Manualslib.com
manuals search engine
This table shows how outbound traffic is treated. Outbound means the traffic is coming from the LAN-side computers into the LAN side of the Gateway.
Gateway: LAN Side (port state for each BreakWater setting)

| Port | Session Type | ClearSailing | SilentRunning | LANdLocked |
|------|--------------|--------------|---------------|------------|
| 20 | ftp data | Enabled | Enabled | Disabled |
| 21 | ftp control | Enabled | Enabled | Disabled |
| 23 | telnet external | Enabled | Enabled | Disabled |
| 23 | telnet Cayman server | Enabled | Enabled | Enabled |
| 80 | http external | Enabled | Enabled | Disabled |
| 80 | http Cayman server | Enabled | Enabled | Enabled |
| 67 | DHCP client | Not Applicable | Not Applicable | Not Applicable |
| 68 | DHCP server | Enabled | Enabled | Enabled |
| 161 | snmp | Enabled | Enabled | Enabled |
| n/a | ping (ICMP) | Enabled | Enabled | WAN: Disabled; LAN: Local Address Only |
The Gateway's WAN DHCP client port in SilentRunning mode is enabled. This feature allows end users to continue using DHCP-served IP addresses from their Service Providers, while having no identifiable presence on the Internet.
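The two port-state tables above are easiest to reason about when treated as data. The following is an added example, not code from the Cayman manual or the Gateway firmware: it transcribes both tables, classifies constructed sample flows the way the tables do (the same port maps to the "external" or "Cayman server" row depending on whether the Gateway itself is the target), applies the LANdLocked rule that outbound ping is allowed only to local addresses, and lists what remains reachable from the WAN at each setting. The flow record layout, the `to_gateway` flag, the sample addresses and the LAN subnet are all this example's own assumptions; port numbers are kept exactly as the manual lists them.

```python
"""BreakWater port-state model: added example, not the manual's or the vendor's code."""
import ipaddress

SETTINGS = ("ClearSailing", "SilentRunning", "LANdLocked")

# Rows transcribed from the manual's tables. Key: (service, session type).
# Values: port state under ClearSailing, SilentRunning, LANdLocked, in that order.
INBOUND = {  # traffic arriving from the WAN at the Gateway's WAN side
    ("ftp", "data"):        ("Enabled", "Disabled", "Disabled"),
    ("ftp", "control"):     ("Enabled", "Disabled", "Disabled"),
    ("telnet", "external"): ("Enabled", "Disabled", "Disabled"),
    ("telnet", "gateway"):  ("Enabled", "Disabled", "Disabled"),
    ("http", "external"):   ("Enabled", "Disabled", "Disabled"),
    ("http", "gateway"):    ("Enabled", "Disabled", "Disabled"),
    ("dhcp", "client"):     ("Enabled", "Enabled", "Disabled"),
    ("dhcp", "server"):     ("N/A", "N/A", "N/A"),
    ("snmp", ""):           ("Enabled", "Disabled", "Disabled"),
    ("icmp", ""):           ("Enabled", "Disabled", "Disabled"),
}
OUTBOUND = {  # traffic from LAN computers into the Gateway's LAN side
    ("ftp", "data"):        ("Enabled", "Enabled", "Disabled"),
    ("ftp", "control"):     ("Enabled", "Enabled", "Disabled"),
    ("telnet", "external"): ("Enabled", "Enabled", "Disabled"),
    ("telnet", "gateway"):  ("Enabled", "Enabled", "Enabled"),
    ("http", "external"):   ("Enabled", "Enabled", "Disabled"),
    ("http", "gateway"):    ("Enabled", "Enabled", "Enabled"),
    ("dhcp", "client"):     ("N/A", "N/A", "N/A"),
    ("dhcp", "server"):     ("Enabled", "Enabled", "Enabled"),
    ("snmp", ""):           ("Enabled", "Enabled", "Enabled"),
    ("icmp", ""):           ("Enabled", "Enabled", "LocalOnly"),  # WAN disabled, LAN local only
}

# Port numbers exactly as the manual lists them (67 = DHCP client, 68 = DHCP server).
# A bare service name means the row depends on whether the Gateway itself is the target.
PORT_SERVICE = {20: ("ftp", "data"), 21: ("ftp", "control"), 23: "telnet", 80: "http",
                67: ("dhcp", "client"), 68: ("dhcp", "server"), 161: ("snmp", "")}


def classify(flow):
    """Map a flow (assumed record layout) to the (service, session type) row of the tables."""
    if flow["proto"] == "icmp":
        return ("icmp", "")
    key = PORT_SERVICE.get(flow["dst_port"])
    if key is None:
        return None
    if isinstance(key, str):  # telnet/http: 'gateway' row when the Gateway's own server is the target
        return (key, "gateway" if flow["to_gateway"] else "external")
    return key


def decide(flow, setting, lan_network):
    """Return 'allow', 'deny' or 'unspecified' for one flow under one BreakWater setting."""
    row = classify(flow)
    if row is None:
        return "unspecified"  # port not covered by the manual's tables
    table = INBOUND if flow["direction"] == "inbound" else OUTBOUND
    state = table[row][SETTINGS.index(setting)]
    if state == "Enabled":
        return "allow"
    if state == "LocalOnly":
        # LANdLocked outbound ping: only destinations inside the LAN subnet are reachable
        dst = ipaddress.ip_address(flow["dst_ip"])
        return "allow" if dst in ipaddress.ip_network(lan_network) else "deny"
    if state == "Disabled":
        return "deny"
    return "unspecified"  # 'Not Applicable' in the table


def exposure(setting):
    """Session types still reachable from the WAN at a setting: the defender's exposure list."""
    idx = SETTINGS.index(setting)
    return sorted(f"{svc} {kind}".strip()
                  for (svc, kind), states in INBOUND.items() if states[idx] == "Enabled")


# Constructed sample flows and LAN subnet; none of these values come from the manual.
LAN = "192.168.1.0/24"
SAMPLE_FLOWS = [
    {"direction": "inbound",  "proto": "tcp",  "dst_port": 80, "dst_ip": "192.168.1.1",  "to_gateway": True},
    {"direction": "inbound",  "proto": "udp",  "dst_port": 67, "dst_ip": "192.168.1.1",  "to_gateway": True},
    {"direction": "outbound", "proto": "icmp", "dst_port": 0,  "dst_ip": "192.168.1.20", "to_gateway": False},
    {"direction": "outbound", "proto": "icmp", "dst_port": 0,  "dst_ip": "203.0.113.9",  "to_gateway": False},
    {"direction": "outbound", "proto": "tcp",  "dst_port": 23, "dst_ip": "192.168.1.1",  "to_gateway": True},
]

if __name__ == "__main__":
    for setting in SETTINGS:
        print(f"{setting}: reachable from WAN = {exposure(setting)}")
        for f in SAMPLE_FLOWS:
            print(f"  {f['direction']:8} {f['proto']:4} port {f['dst_port']:<3} -> "
                  f"{f['dst_ip']:13} {decide(f, setting, LAN)}")
```

Running the script prints, for each setting, the WAN-reachable session types and the verdict for every sample flow. The `exposure()` list is the part worth keeping around: under SilentRunning only the DHCP client port answers from the WAN, and under LANdLocked nothing does, which is the "no identifiable presence" property the text describes.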
Configure a SafeHarbour VPN

VPN IPSec Tunnel at the Gateway

SafeHarbour VPN IPSec Tunnel provides a single, encrypted tunnel to be terminated on the Gateway, making a secure tunnel available for all LAN-connected Users. This implementation offers the following:

- Eliminates the need for VPN client software on individual PCs.
- Reduces the complexity of tunnel configuration.
- Simplifies the ongoing maintenance for secure remote access.

(Table headings from the IPSec configuration page: Link, IPSec, Response, Description)

Your Gateway supports two mechanisms for IPSec tunnels:

1. IPSec PassThrough supports Virtual Private Network (VPN) clients running on LAN-connected computers. Normally, this feature is enabled. However, you can disable it if your LAN-side VPN client includes its own NAT interoperability option.
2. SafeHarbour VPN IPSec is a keyed feature that enables Gateway-terminated VPN support.
A typical SafeHarbour configuration is shown below:
Use these Best Practices in establishing your SafeHarbour tunnel:

1. Ensure that the configuration information is complete and accurate.
2. Use the Worksheet provided on page 76.

Parameter Description and Setup

The following table describes SafeHarbour's parameters that are used for an IPSec VPN tunnel configuration:
| Parameter | Description |
|-----------|-------------|
| Auth Protocol | Authentication Protocol for the IP packet header. The three parameter values are None, Encapsulating Security Payload (ESP) and Authentication Header (AH). |
| DH Group | Diffie-Hellman is a public key algorithm used between two systems to determine and deliver secret keys used for encryption. Groups 1, 2 and 5 are supported. |
| Enable | This toggle button is used to enable/disable the configured tunnel. |
| Encrypt Protocol | Encryption protocol for the tunnel session. Parameter values supported include NONE or ESP. |
| Hard MBytes | Setting the Hard MBytes parameter forces the renegotiation of the IPSec Security Associations (SAs) at the configured Hard MByte value. The value can be configured between 1 and 1,000,000 MB and refers to data traffic passed. |
| Hard Seconds | Setting the Hard Seconds parameter forces the renegotiation of the IPSec Security Associations (SAs) at the configured Hard Seconds value. The value can be configured between 60 and 1,000,000 seconds. |
| Key Management | The Key Management algorithm manages the exchange of security keys in the IPSec protocol architecture. SafeHarbour supports the standard Internet Key Exchange (IKE). |
| Peer External IP Address | The Peer External IP Address is the public, or routable, IP address of the remote gateway or VPN server you are establishing the tunnel with. |
| Peer Internal IP Network | The Peer Internal IP Network is the private, or Local Area Network (LAN), address of the remote gateway or VPN server you are communicating with. |
| Peer Internal IP Netmask | The Peer Internal IP Netmask is the subnet mask of the Peer Internal IP Network. |
| PFS DH Group | Perfect Forward Secrecy (PFS) is used during SA renegotiation. When PFS is selected, a Diffie-Hellman key exchange is required. SafeHarbour supports PFS DH Groups 1, 2 and 5. |
| Pre-Shared Key | The Pre-Shared Key is a parameter used for authenticating each side. The value can be ASCII or Hex and a maximum of 64 characters. ASCII is case-sensitive. |
| Pre-Shared Key Type | The Pre-Shared Key Type classifies the Pre-Shared Key. SafeHarbour supports ASCII or HEX types. |
| Name | The Name parameter refers to the name of the configured tunnel. This is mainly used as an identifier for the administrator. The Name parameter is an ASCII value and is limited to 31 characters. The tunnel name is the only IPSec parameter that does not need to match the peer gateway. |
| Negotiation Method | This parameter refers to the method used during the Phase I key exchange, or IKE process. SafeHarbour supports Main or Aggressive Mode. Main mode requires 3 two-way message exchanges, while Aggressive mode only requires 3 total message exchanges. |
| SA Encrypt Type | SA Encryption Type refers to the symmetric encryption type. This encryption algorithm will be used to encrypt each data packet. SA Encryption Type values supported include DES, 3DES, CAST and Blowfish. |
| SA Hash Type | SA Hash Type refers to the Authentication Hash algorithm used during SA negotiation. Values supported include MD5 and SHA1. N/A will display if NONE is chosen for Auth Protocol. |
| Soft MBytes | Setting the Soft MBytes parameter forces the renegotiation of the IPSec Security Associations (SAs) at the configured Soft MByte value. The value can be configured between 1 and 1,000,000 MB and refers to data traffic passed. If this value is not achieved, the Hard MBytes parameter is enforced. |
| Soft Seconds | Setting the Soft Seconds parameter forces the renegotiation of the IPSec Security Associations (SAs) at the configured Soft Seconds value. The value can be configured between 60 and 1,000,000 seconds. |
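The parameter table fixes value ranges (lifetimes, key length), allowed values (DH groups, protocols, algorithms) and one matching rule (every IPSec parameter except Name must agree with the peer). Before filling in the worksheet it is worth checking a planned tunnel definition against those constraints mechanically. The following is an added example, not the Gateway's own software or any vendor tool: `validate()` applies the constraints stated in the table to a tunnel definition held in a plain dictionary, and `mismatches()` compares the proposal parameters of the two ends. The dictionary field names are this example's own, not the Gateway's form or CLI names. Two interpretations are assumptions: the peer address fields are left out of the match check because each side necessarily describes the other, and a soft limit equal to or above its hard limit is flagged because the hard limit would then be the one enforced. The sample addresses use documentation ranges and are constructed.

```python
"""SafeHarbour tunnel definition checker: added example, not the Gateway's or vendor's code."""
import ipaddress
import string

DH_GROUPS = {1, 2, 5}
AUTH_PROTOCOLS = {"None", "ESP", "AH"}
ENCRYPT_PROTOCOLS = {"NONE", "ESP"}
SA_ENCRYPT_TYPES = {"DES", "3DES", "CAST", "Blowfish"}
SA_HASH_TYPES = {"MD5", "SHA1"}
NEGOTIATION_METHODS = {"Main", "Aggressive"}
# Blocks that can never be a peer's public, routable address (RFC 1918 plus loopback).
NON_ROUTABLE = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Parameters both ends must agree on. Name is excluded per the manual; the peer address
# fields are excluded because each side describes the other (this example's assumption).
PROPOSAL_FIELDS = ("auth_protocol", "encrypt_protocol", "dh_group", "pfs_dh_group",
                   "key_management", "negotiation", "sa_encrypt_type", "sa_hash_type",
                   "pre_shared_key", "pre_shared_key_type",
                   "soft_seconds", "hard_seconds", "soft_mbytes", "hard_mbytes")


def validate(cfg):
    """Return the list of problems found; an empty list means the definition is acceptable."""
    errs = []
    name = cfg.get("name", "")
    if not (name and name.isascii() and len(name) <= 31):
        errs.append("name must be 1-31 ASCII characters")
    for field, allowed in (("auth_protocol", AUTH_PROTOCOLS), ("encrypt_protocol", ENCRYPT_PROTOCOLS),
                           ("dh_group", DH_GROUPS), ("pfs_dh_group", DH_GROUPS),
                           ("negotiation", NEGOTIATION_METHODS), ("sa_encrypt_type", SA_ENCRYPT_TYPES)):
        if cfg.get(field) not in allowed:
            errs.append(f"{field} must be one of {sorted(map(str, allowed))}")
    if cfg.get("key_management") != "IKE":
        errs.append("key_management must be IKE")
    # The hash is N/A when no authentication protocol is chosen
    if cfg.get("auth_protocol") == "None":
        if cfg.get("sa_hash_type") not in (None, "N/A"):
            errs.append("sa_hash_type is N/A when auth_protocol is None")
    elif cfg.get("sa_hash_type") not in SA_HASH_TYPES:
        errs.append("sa_hash_type must be MD5 or SHA1")
    key, ktype = cfg.get("pre_shared_key", ""), cfg.get("pre_shared_key_type")
    if ktype not in ("ASCII", "HEX"):
        errs.append("pre_shared_key_type must be ASCII or HEX")
    elif not 1 <= len(key) <= 64:
        errs.append("pre_shared_key must be 1-64 characters")
    elif ktype == "HEX" and not all(c in string.hexdigits for c in key):
        errs.append("pre_shared_key of type HEX must contain only hexadecimal digits")
    # Lifetimes: each within its range, and soft below hard so the soft limit can fire first
    for unit, lo, hi in (("seconds", 60, 1_000_000), ("mbytes", 1, 1_000_000)):
        soft, hard = cfg.get(f"soft_{unit}"), cfg.get(f"hard_{unit}")
        in_range = True
        for label, value in ((f"soft_{unit}", soft), (f"hard_{unit}", hard)):
            if not isinstance(value, int) or not lo <= value <= hi:
                errs.append(f"{label} must be an integer between {lo} and {hi}")
                in_range = False
        if in_range and soft >= hard:
            errs.append(f"soft_{unit} must be below hard_{unit}, otherwise the hard limit applies first")
    try:
        ext = ipaddress.ip_address(cfg.get("peer_external_ip", ""))
        if any(ext in net for net in NON_ROUTABLE):
            errs.append("peer_external_ip must be a public, routable address")
    except ValueError:
        errs.append("peer_external_ip is not a valid IP address")
    try:  # strict=True rejects a network address with host bits set under the given mask
        ipaddress.ip_network(f"{cfg.get('peer_internal_network')}/{cfg.get('peer_internal_netmask')}",
                             strict=True)
    except ValueError:
        errs.append("peer_internal_network/peer_internal_netmask do not describe a valid network")
    return errs


def mismatches(local, remote):
    """Proposal parameters that differ between the two ends of the tunnel (Name is allowed to)."""
    return sorted(f for f in PROPOSAL_FIELDS if local.get(f) != remote.get(f))


# Constructed sample definitions (documentation address ranges, not real hosts).
LOCAL = {
    "name": "branch-to-hq", "auth_protocol": "ESP", "encrypt_protocol": "ESP",
    "dh_group": 2, "pfs_dh_group": 2, "key_management": "IKE", "negotiation": "Main",
    "sa_encrypt_type": "3DES", "sa_hash_type": "SHA1",
    "pre_shared_key": "0123456789abcdef0123456789abcdef", "pre_shared_key_type": "HEX",
    "soft_seconds": 3000, "hard_seconds": 3600, "soft_mbytes": 500, "hard_mbytes": 1000,
    "peer_external_ip": "203.0.113.10",
    "peer_internal_network": "10.2.0.0", "peer_internal_netmask": "255.255.0.0",
}
# The other end: same proposal, its own name, and its own view of the "peer" addresses.
REMOTE = dict(LOCAL, name="hq-to-branch", peer_external_ip="198.51.100.7",
              peer_internal_network="10.1.0.0")
# A broken definition: name too long, non-hex key declared as HEX, soft lifetime equal to hard.
BAD = dict(LOCAL, name="x" * 32, pre_shared_key="zz", sa_hash_type="MD5",
           negotiation="Aggressive", soft_seconds=3600)

if __name__ == "__main__":
    for label, cfg in (("LOCAL", LOCAL), ("REMOTE", REMOTE), ("BAD", BAD)):
        print(label, validate(cfg) or "ok")
    print("LOCAL vs REMOTE mismatches:", mismatches(LOCAL, REMOTE))
    print("LOCAL vs BAD mismatches:", mismatches(LOCAL, BAD))
```

`validate()` is the pre-flight for one end; `mismatches()` is the check to run with the worksheet for both ends side by side, since a tunnel whose proposals disagree on anything but the name will not come up. The range constants are the ones the table states; if a later firmware changes them, the constants are the only place to edit.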