46

GlobeSurfer

®

II 1.8 - 7.2 - 7.2 S

REFERENCE MANUAL

1. Open your Network Connections window from Window

®

’s Control Panel (see Figure 5.67).

Figure 5.67 Network Connections

2. Double-click the wireless connection icon. The ‘Wireless Network Connection’ screen will appear, displaying all available

wireless networks in your vicinity. If your gateway is connected and active, you will see GlobeSurfer

®

II’s wireless connection

(see Figure 5.68). Note that the connection’s status is ‘Not connected’ and defined as “Unsecured wireless network”.

Figure 5.68 Available Wireless Networks

3. Click the connection once to mark it and then press the ‘Connect’ button at the bottom of the screen. After the connection is

established, its status will change to ‘Connected’:

Figure 5.69 Connected Wireless Network

An icon will appear in the notification area, announcing the successful initiation of the wireless connection (see Figure 5.70).

Figure 5.70 Wireless Network Information

47

GlobeSurfer

®

II 1.8 - 7.2 - 7.2 S

REFERENCE MANUAL

You can now use GlobeSurfer

®

II’s wireless network from the configured PC. However, so can any other user with a wireless

PC, which happens to be in your network’s radio range. Such a user has access to any disk shares available in your network.

To prevent this scenario, the next logical step is to secure your wireless network, allowing only specific users to connect. To

learn more about securing your Wireless Network, see section 5.2.4.3.

5.3

Security

The GlobeSurfer

®

II includes comprehensive and robust security services: Stateful Packet Inspection Firewall, user authentication

protocols and password protection mechanisms. These features together allow users to connect their computers to the Internet and

simultaneously be protected from the security threats of the Internet.

The firewall, the cornerstone of the GlobeSurfer

®

II security services, has been exclusively tailored to the needs of the residential/office

user and has been pre-configured to provide optimum security.

The GlobeSurfer

®

II firewall provides both the security and flexibility that home and office users seek. It provides a managed,

professional level of network security while enabling the safe use of interactive applications, such as Internet gaming and

videoconferencing.

The GlobeSurfer

®

II firewall supports advanced filtering, designed to allow comprehensive control over the firewall’s behavior. You can

define specific input and output rules, control the order of logically similar sets of rules and make a distinction between rules that apply

to WAN and LAN network devices.

•

The General tab allows you to choose the security level for the firewall (see section 5.3.1)

•

The Access control tab can be used to restrict access from the local network to the Internet (see section 0).

•

The Port forwarding tab can be used to enable access from the Internet to specified services provided by computers in the local

network and special Internet applications (see section 5.3.3).

•

The DMZ host tab allows you to configure a LAN host to receive all traffic arriving at your GlobeSurfer

®

II, which does not belong

to a known session (see section 0).

•

The Port triggering tab allows you to define port triggering entries, to dynamically open the firewall for some protocols or ports.

(see section 0).

•

The Website Restrictions tab allows you to block LAN access to a certain host or Web site on the Internet (see section 5.3.6).

•

Advanced filtering tab allows you to implicitly control the firewall setting and rules (see section 5.3.7).

•

Security log tab allows you to view and configure the firewall Log (see section 5.3.8)

5.3.1

General

Use the ‘General’ screen to configure the gateway’s basic security settings.

Figure 5.71 General overview

48

GlobeSurfer

®

II 1.8 - 7.2 - 7.2 S

REFERENCE MANUAL

The firewall regulates the flow of data between the home network and the Internet. Both incoming and outgoing data are

inspected and then either accepted (allowed to pass through GlobeSurfer

®

II) or rejected (barred from passing through

GlobeSurfer

®

II) according to a flexible and configurable set of rules. These rules are designed to prevent unwanted intrusions

from the outside, while allowing home users access to the Internet services that they require.

The firewall rules specify what types of services available on the Internet may be accessed from the home network and what

types of services available in the home network may be accessed from the Internet. Each request for a service that the firewall

receives, whether originating in the Internet or from a computer in the home network, is checked against the set of firewall

rules to determine whether the request should be allowed to pass through the firewall. If the request is permitted to pass, then

all subsequent data associated with this request (a “session”) will also be allowed to pass, regardless of its direction.

For example, when you point your Web browser to a Web page on the Internet, a request is sent out to the Internet for this

page. When the request reaches GlobeSurfer

®

II the firewall will identify the request type and origin, HTTP and a specific PC in

your home network, in this case. Unless you have configured access control to block requests of this type from this computer,

the firewall will allow this request to pass out onto the Internet (see section 5.3.2 for more on setting access controls). When

the Web page is returned from the Web server the firewall will associate it with this session and allow it to pass, regardless of

whether HTTP access from the Internet to the home network is blocked or permitted.

The important thing to note here is that it is the origin of the request, not subsequent responses to this request, that

determines whether a session can be established or not.

You may choose from among three pre-defined security levels for GlobeSurfer

®

II: Minimum, Typical and Maximum. The table

below summarizes the behavior of GlobeSurfer

®

II for each of the three security levels.

SECURITY LEVEL

REQUESTS ORIGINATING IN THE

WAN (INCOMING TRAFFIC)

REQUESTS ORIGINATING IN THE LAN

(OUTGOING TRAFFIC)

Maximum Securityww

Blocked: No access to home network

from Internet, except as configured in

the Port Forwarding, DMZ host and

Remote Access screens

Limited: By default, Only commonly-

used services, such as Webbrowsing

and e-mail, are permitted *

Typical Security

Blocked: No access to home network

from Internet, except as configured in

the Port Forwarding, DMZ host and

Remote Access screens

Blocked: No access to home network

from Internet, except as configured in

the Port Forwarding, DMZ host and

Remote Access screens

Minumum Security

Unrestricted: Permits full access

from Internet to home network; all

connection attempts permitted

Blocked: No access to home network

from Internet, except as configured in

the Port Forwarding, DMZ host and

Remote Access screens

* These services include Telnet, FTP, HTTP, HTTPS, DNS, IMAP, POP3 and SMTP. The list of allowed services at ‘Maximum

Security’ mode can be edited in the Access Control page.

Attention

: Some applications (such as some Internet messengers and Peer-To-Peer client applications) tend to use these

ports, if they cannot connect with their own default ports. When applying this behavior, these applications will not be blocked

outbound, even at Maximum Security Level.

To configure GlobeSurfer

®

II’s security settings:

1.

Choose from among the three predefined security levels described in the table above.

Using the Minimum Security setting may expose the home network to significant security risks, and thus should only be

used, when necessary, for short periods of time.

2.

Check the ‘Block IP Fragments’ box in order to protect your home network from a common type of hacker attack that could

make use of fragmented data packets to sabotage your home network.

Note that VPN over IPSec and some UDP-based services make legitimate use of IP fragments. You will need to allow IP

fragments to pass into the home network in order to make use of these select services.

3.

Click the ‘OK’ button to save your changes.

49

GlobeSurfer

®

II 1.8 - 7.2 - 7.2 S

REFERENCE MANUAL

5.3.2

Access control

You may want to block specific computers within the home network (or even the whole network) from accessing certain

services on the Internet. For example, you may want to prohibit one computer from surfing the Web, another computer from

transferring files using FTP, and the whole network from receiving incoming e-mail.

Access Control defines restrictions on the types of requests that may pass from the home network out to the Internet, and

thus may block traffic flowing in both directions. It can also be used for allowing specific services when maximum security

is configured. In the e-mail example given above, you may prevent computers in the home network from receiving e-mail by

blocking their outgoing requests to POP3 servers on the Internet.

There are numerous services you should consider blocking, such as popular game and file sharing servers. For example, if you

want to make sure that your employees do not put your business at risk from illegally traded copyright files, you may want to

block several popular P2P and file sharing applications.

To allow or restrict services:

1.

Select the ‘Access Control’ tab in the ‘Security’ management screen. The ‘Access Control’ screen will appear (see Figure 5.72).

Figure 5.72 Access Control

2.

Click the ‘New Entry’ link. The ‘Add Access Control Rule’ screen will appear (see Figure 5.73).

Figure 5.73 Access Control Add Rule

3.

The Address combo box provides you the ability to specify the computer or group of computers for which you would like

to apply the access control rule. You can select between any or a specific computer address in your LAN. If you choose

the ‘User defined’ option, the screen will refresh, and you will be directed to the ‘Edit Network Object’ page where you can

specify a network object. To learn more about network objects, see chapter 6.6.8.

4.

The Protocol combo box lets you select or specify the type of protocol that will be used. In addition to the list of popular

protocols it provides, you may also choose any or a specific protocol. If you choose the ‘User defined’ option, the screen

will refresh, and you will be redirected to the ‘Edit Service’ page where you can specify a protocol. To learn more about

defining protocols, see chapter 6.6.15.

5.

The Schedule combo box allows you to define the time period during which this rule will take effect. You can select

between ‘Always’ or a specific schedule. If you choose the ‘Specify Schedule’ option, the screen will refresh, and you will

be directed to the ‘Edit Scheduler rule’ page where you can define your own rule. To learn more about defining scheduler

rules, see section 6.6.4.

50

GlobeSurfer

®

II 1.8 - 7.2 - 7.2 S

REFERENCE MANUAL

6.

Click the ‘OK’ button to save your changes. The ‘Access Control’ screen will display a summary of the rule that you just

added (see Figure 5.74).

Figure 5.74 Access control Rule Summary

5.3.3

Port forwarding

In its default state, GlobeSurfer

®

II blocks all external users from connecting to or communicating with your network. Therefore

the system is safe from hackers who may try to intrude on the network and damage it. However, you may want to expose

your network to the Internet in certain limited and controlled ways in order to enable some applications to work from the LAN

(game, voice and chat applications, for example) and to enable Internet-access to servers in the home network. The Port

Forwarding feature supports both of these functionalities. If you are familiar with networking terminology and concepts, you

may have encountered this topic referred to as “Local Servers”.

The ‘Port Forwarding’ tab lets you define the applications that require special handling by GlobeSurfer

®

II. All you have to do is

select the application’s protocol and the local IP address of the computer that will be using or providing the service. If required,

you may add new protocols in addition to the most common ones provided by GlobeSurfer

®

II.

For example, if you wanted to use a File Transfer Protocol (FTP) application on one of your PCs, you would simply select

‘FTP’ from the list and enter the local IP address or host name of the designated computer. All FTP-related data arriving at

GlobeSurfer

®

II from the Internet will henceforth be forwarded to the specified computer.

Similarly, if you want to grant Internet users access to servers inside your home network, you must identify each service that

you want to provide and the PC that will provide it. For example, if you want to host a Web server inside the home network you

must select ‘HTTP’ from the list of protocols and enter the local IP address or host name of the computer that will host the

Web server. When an Internet user points her browser to the external IP address of GlobeSurfer

®

II, the gateway will forward

the incoming HTTP request to the computer that is hosting the Web server.

Additionally, port forwarding enables you to redirect traffic to a different port instead of the one to which it was designated.

Lets say, that you have a Web server running on your PC on port 8080 and you want to grant access to this server to anyone

who accesses GlobeSurfer

®

II via HTTP. To accomplish this, do the following:

•

Define a port forwarding rule for the HTTP service, with the PC’s IP or host name.

•

Specify 8080 in the ‘Forward to Port’ field.

All incoming HTTP traffic will now be forwarded to the PC running theWeb server on port 8080. When setting a port forwarding

service, you must ensure that the port is not already in

use by another application, which may stop functioning. A common example is when using SIP signaling in Voice over IP - the

port used by the gateway’s VoIP application (5060) is the same port on which port forwarding is set for LAN SIP agents.

Note: Some applications, such as FTP, TFTP, PPTP and H323, require the support of special specific Application Level Gateway

(ALG) modules in order to work inside the home network. Data packets associated with these applications contain information

that allows them to be routed correctly. An ALG is needed to handle these packets and ensure that they reach their intended

destinations. GlobeSurfer

®

II is equipped with a robust list of ALG modules in order to enable maximum functionality in the

home network.

Note:

The ALG is automatically assigned based on the destination port.