PRG AV4202N
© (2007) Pirelli Broadband Solutions S.p.A. All Rights Reserved. Proprietary Use Pursuant to Cover Page Instructions.
64
OGU 930500275-A1
Security Section
ACCESS CONTROL
You may want to block specific computers within the home network (or even the
whole network) from accessing certain services on the Internet. For example,
you may want to prohibit one computer from surfing the Web, another computer
from transferring files using FTP, and the whole network from receiving
incoming e-mail.
Access Control defines restrictions on the types of requests that may pass from
the home network out to the Internet, and thus may block traffic flowing in both
directions. It can also be used for allowing specific services when maximum
security is configured. In the e-mail example given above, you may prevent
computers in the home network from receiving e-mail by blocking their outgoing
requests to POP3 servers on the Internet.
There are numerous services you should consider blocking, such as popular
game and file sharing servers. For example, if you want to make sure that your
employees do not put your business at risk from illegally traded copyright files,
you may want to block several popular P2P and file sharing applications.
FIGURE 2. Access Control panel
To allow or restrict services:
1. Select the 'Access Control' tab in the 'Security' management screen. The
   'Access Control' screen will appear.
2. Click the 'New Entry' link. The 'Add Access Control Rule' screen will appear.
3. The Address combo-box provides you the ability to specify the computer or
   group of computers for which you would like to apply the access control rule.
   You can select between any, a specific computer in your LAN, or 'User
   Defined'. If you choose the 'User Defined' option, the 'Edit Network Object'
   screen will appear. Specifying an address is done by creating a 'Network
   Object'.
4. The Protocol combo-box lets you select or specify the type of protocol that
   will be used. Selecting the 'Show All Services' option will expand the list of
   available protocols. Select a protocol or add a new one using the 'User
   Defined' option. This will commence a sequence that will add a new service,
   representing the protocol.
5. Select the 'Reply an HTML page to the blocked client' check-box to display
   the following message to the client: “Access Denied - this computer is not
   allowed to surf the WAN. Please contact your admin.” When this check-box is
   unselected, the client's packets will simply be ignored and he/she will not
   receive any notification.
6. The Schedule combo-box allows you to define the time period during which
   this rule will take effect. By default, the rule will always be active. However,
   you can configure scheduled rules by selecting 'User Defined'.
7. Click the 'OK' button to save your changes. The 'Access Control' screen will
   display a summary of the rule that you just added.
PORT FORWARDING
In its default state, PRG AV4202N blocks all external users from connecting to
or communicating with your network.
Therefore the system is safe from hackers who may try to intrude on the
network and damage it. However, you may want to expose your network to the
Internet in certain limited and controlled ways in order to enable some
applications to work from the LAN (game, voice and chat applications, for example)
and to enable Internet-access to servers in the home network. The Port
Forwarding feature supports both of these functionalities. If you are familiar with
networking terminology and concepts, you may have encountered this topic
referred to as “Local Servers”.
The 'Port Forwarding' screen lets you define the applications that require spe-
cial handling by the Router.
All you have to do is select the application's protocol and the local IP address of
the computer that will be using or providing the service. If required, you may
add new protocols in addition to the most common ones provided by the Router.
For example, if you wanted to use a File Transfer Protocol (FTP) application on
one of your PCs, you would simply select 'FTP' from the list and enter the local
IP address or host name of the designated computer.
All FTP-related data arriving at the Router from the Internet will henceforth be
forwarded to the specified computer. Similarly, you can grant Internet users
access to servers inside your home network, by identifying each service and the
PC that will provide it. This is useful, for example, if you want to host a Web
server inside your home network. When an Internet user points his/her browser
to the Router's external IP address, the gateway will forward the incoming HTTP
request to your Web server.
With one external IP address (the Router's main IP address), different
applications can be assigned to your LAN computers; however, each type of
application is limited to one computer. For example, you can define that FTP will
use address X to reach computer A and Telnet will also use address X to reach
computer A, but attempting to define FTP to use address X to reach both computer
A and B will fail. The Router therefore provides the ability to add additional
public IP addresses to port forwarding rules, which you must first obtain from your
ISP, and enter into the 'NAT IP Addresses Pool'. You will then be able to define
FTP to use address X to reach computer A and address Y to reach computer B.
Additionally, port forwarding enables you to redirect traffic to a different port
instead of the one to which it was designated.
Let's say that you have a Web server running on your PC on port 8080 and you
want to grant access to this server to anyone who accesses the Router via
HTTP. To accomplish this, do the following:
1. Define a port forwarding rule for the HTTP service, with the PC's IP or host
   name.
2. Specify 8080 in the 'Forward to Port' field.
All incoming HTTP traffic will now be forwarded to the PC running the Web
server on port 8080.
When setting a port forwarding service, you must ensure that the port is not
already in use by another application, which may stop functioning. A common
example is when using SIP signaling in Voice over IP - the port used by the
gateway's VoIP application (5060) is the same port on which port forwarding is set
for LAN SIP agents.
FIGURE 3. Port Forwarding panel
To add a new port forwarding service:
1. Select the 'Port Forwarding' tab in the 'Security' management screen. The
   'Port Forwarding' screen will appear.
2. Click the 'New Entry' link. The 'Add Port Forwarding Rule' screen will appear.
3. Select the 'Specify Public IP Address' check-box if you would like to apply
   this rule on a specific external IP address. The screen will refresh.
4. Enter the additional external IP address in the 'Public IP Address' field.
5. Enter the host name or IP address of the computer that will provide the
   service (the “server”) in the 'Local Host' field. Note that unless an additional
   external IP address has been added, only one LAN computer can be assigned
   to provide a specific service or application.
6. The Protocol combo-box lets you select or specify the type of protocol that
   will be used. Selecting the 'Show All Services' option will expand the list of
   available protocols. Select a protocol or add a new one using the 'User
   Defined' option. This will commence a sequence that will add a new service,
   representing the protocol.
7. By default, the Router will forward traffic to the same port as the incoming
   port. If you wish to redirect traffic to a different port, select the 'Specify'
   option. The screen will refresh, and an additional field will appear enabling you
   to enter the port number.
8. The Schedule combo-box allows you to define the time period during which
   this rule will take effect. By default, the rule will always be active. However,
   you can configure scheduled rules by selecting 'User Defined'.
9. Click the 'OK' button to save your changes. The 'Port Forwarding' screen will
   display a summary of the rule that you just added.
DMZ HOST
The DMZ (Demilitarized) Host feature allows one local computer to be exposed
to the Internet.
Designate a DMZ host when:
- You wish to use a special-purpose Internet service, such as an on-line game
  or video-conferencing program, that is not present in the Port Forwarding list
  and for which no port range information is available.
- You are not concerned with security and wish to expose one computer to all
  services without restriction.
A DMZ host is not protected by the firewall and may be vulnerable to attack. Designating a DMZ host
may also put other computers in the home network at risk. When designating a DMZ host, you must
consider the security implications and protect it if necessary.
An incoming request for access to a service in the home network, such as a
Web-server, is handled by the Router. PRG AV4202N will forward this request
to the DMZ host (if one is designated) unless the service is being provided by
another PC in the home network (assigned in Port Forwarding), in which case
that PC will receive the request instead.
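The forwarding behaviour described in the PORT FORWARDING and DMZ HOST sections, written out as a small Python model so the rule conflicts and the DMZ fallback can be checked before touching the device. This is an added example, not Pirelli firmware or configuration: the Router class, all addresses, the treatment of the gateway's port 5060 as a refusal, and the DMZ fallback applying to any public address are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

ROUTER_IP = "203.0.113.1"   # constructed: the Router's main external address ("X")
GATEWAY_PORTS = {5060}      # port the text says the gateway's own VoIP application uses

@dataclass
class Router:               # hypothetical model, not the device's real rule engine
    nat_pool: set = field(default_factory=set)  # extra public IPs from the ISP
    dmz_host: Optional[str] = None
    rules: dict = field(default_factory=dict)   # (public_ip, port) -> (host, fwd_port)

    def conflict(self, port, public_ip=ROUTER_IP):
        """Return the reason a new rule should be refused, or None if it is fine."""
        if public_ip != ROUTER_IP and public_ip not in self.nat_pool:
            return "public IP is not in the NAT IP Addresses Pool"
        if (public_ip, port) in self.rules:
            return "service already assigned to a LAN computer on this address"
        if port in GATEWAY_PORTS:
            return "port is in use by the gateway itself"
        return None

    def add_rule(self, port, host, forward_port=None, public_ip=ROUTER_IP):
        reason = self.conflict(port, public_ip)
        if reason:
            raise ValueError(f"{public_ip}:{port} -> {host}: {reason}")
        self.rules[(public_ip, port)] = (host, forward_port or port)

    def route(self, port, public_ip=ROUTER_IP):
        """Where an incoming request lands: (host, port), or None when blocked."""
        if (public_ip, port) in self.rules:     # Port Forwarding wins over the DMZ host
            return self.rules[(public_ip, port)]
        if self.dmz_host:                       # assumption: applies to any public IP
            return (self.dmz_host, port)
        return None                             # default state: blocked

def demo():
    r = Router(nat_pool={"203.0.113.2"})        # constructed address "Y"
    r.add_rule(21, "192.168.1.10")              # FTP on X -> computer A
    r.add_rule(23, "192.168.1.10")              # Telnet on X -> computer A too
    r.add_rule(21, "192.168.1.11", public_ip="203.0.113.2")  # FTP on Y -> B
    r.add_rule(80, "192.168.1.20", forward_port=8080)        # HTTP -> port 8080
    before = r.route(3389)                      # no rule, no DMZ host
    r.dmz_host = "192.168.1.30"
    return r, before, r.route(3389), r.route(80)

if __name__ == "__main__":
    print(demo()[1:])
```

Once a DMZ host is set, `route` no longer returns None for any port, which is the exposure the warning above refers to.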
FIGURE 4. DMZ Host panel
To designate a local computer as a DMZ Host:
1. Select the 'DMZ Host' tab in the 'Security' management screen. The 'DMZ
   Host' screen will appear.
2. Enter the local IP address of the computer that you would like to designate
   as a DMZ host, and select the check-box. Note that only one LAN computer
   may be a DMZ host at any time.
3. Click 'OK' to save the settings.
