Router User’s Guide
Chapter 8
Configuring Security Features
The Router provides broad security measures against unwanted users. The security options also allow
you to configure the firewall, the administrator password, Network Address Translation (NAT), and the
Demilitarized Zone (DMZ). The security options are listed below.
Admin User
Manage administrator login name and password.
Time Client
Configure network-based date and time functionality. An accurate date and time is of use
when logging system and firewall events, and is a requirement for some firewall
functionality (e.g., ICSA-compliant firewall operation).
NAT/NAPT
Configure and control IP addressing on the Local Area Network through either NAT or
NAPT.
Firewall
Configure and control the internal firewall. Many of these features require a thorough
understanding of networking principles and firewall operations. The firewall options are
listed below.
Monitoring Network Health
Admin User
The Administrator profile controls the requirements for logging into the Web interface and accessing
configuration pages, as well as defining the administrator login name and password.
To configure administrator settings:
1. Select Setup>Admin User from the left navigation pane of the Web interface. This displays the
   “Gateway Administrator Setup” window.
2. Specify a user name for the administrator. You may accept the default user name, admin, or enter a
   new user name in User Name. The user name is case-sensitive.
3. Enter a password in New Password; then enter the same password in Confirm New Password. The
   password field is case-sensitive.
4. Select a login security level from one of the following:
   Require admin login to access entire Web site
   Before you can access any screen in the Web interface, you must log in with your network user
   name and password. (Security level = High)
   Require admin login to access configuration pages
   Before you can access any screen in the Web interface that allows you to make configuration
   changes, you must log in with your network user name and password. (Security level = Medium)
   Do not require admin login
   After you log in for the first time, you will not be required to log in again at any screen. (Security
   level = Low)
5. Click Save Settings.
Time Client
An accurate log timestamp is one of the requirements of the ICSA Labs firewall criteria (ver 3.0a). In order
to maintain accurate timestamps in each log message, the firewall implements a Simple Network Time
Protocol (SNTP) client. This allows the system to automatically synchronize its date and time with
Coordinated Universal Time (UTC), the international time standard. The system date and time are set and
corrected automatically via the designated server(s).
To configure the time client:
1. Select Setup>Time Client from the left navigation pane of the Web interface. This displays the “Time
   Client Configuration” window.
2. Select Enable from Enable Time Client.
3. In Primary Server IP Address, enter the IP address of the primary server to use as the time server
   (a “well-known” Network Time Protocol Server).
4. In Secondary Server IP Address, enter the IP address of the secondary server to use as the time
   server if the router does not receive a response from the primary server.
5. In Select Time Zone, enter the time zone in minutes from UTC.
6. Click Apply.
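The following is an added example, not code from the Router or its vendor. It shows how an SNTP client such as the one described above can validate a server reply, fall back from the primary to the secondary server, and apply a time zone given in minutes from UTC to produce a log timestamp. The function names, the sample packets, and the sign convention (positive minutes = east of UTC) are assumptions.

```python
import struct
from datetime import datetime, timedelta, timezone

NTP_UNIX_DELTA = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01

def build_reply(unix_seconds, stratum=2, li=0):
    """Construct a 48-byte SNTP server reply (sample input, not captured traffic)."""
    first = (li << 6) | (4 << 3) | 4           # leap indicator, version 4, mode 4
    header = struct.pack("!BBbb", first, stratum, 6, -20)
    body = bytes(36)  # root delay/dispersion, ref id, ref/origin/receive timestamps
    transmit = struct.pack("!II", unix_seconds + NTP_UNIX_DELTA, 0)
    return header + body + transmit

def parse_reply(packet, tz_offset_minutes):
    """Return the local log time from a reply, or raise ValueError if unusable."""
    if len(packet) < 48:
        raise ValueError("short packet")
    li, mode, stratum = packet[0] >> 6, packet[0] & 0x7, packet[1]
    if mode != 4:
        raise ValueError("not a server reply")
    if li == 3 or stratum == 0 or stratum > 15:
        raise ValueError("server reports it is unsynchronized")
    seconds, fraction = struct.unpack("!II", packet[40:48])  # transmit timestamp
    if seconds == 0:
        raise ValueError("zero transmit timestamp")
    utc = datetime.fromtimestamp(
        seconds - NTP_UNIX_DELTA + fraction / 2**32, tz=timezone.utc)
    # Assumption: positive minutes means east of UTC.
    return utc.astimezone(timezone(timedelta(minutes=tz_offset_minutes)))

def sync(primary_reply, secondary_reply, tz_offset_minutes):
    """Try the primary, then the secondary; None stands for 'no response'.
    Assumption: an invalid reply is treated like a missing one."""
    for name, pkt in (("primary", primary_reply), ("secondary", secondary_reply)):
        if pkt is None:
            continue
        try:
            return name, parse_reply(pkt, tz_offset_minutes)
        except ValueError:
            continue
    return None, None  # clock not set: log timestamps cannot be trusted

if __name__ == "__main__":
    # Primary gives no response; secondary answers. Zone is UTC-5 (-300 minutes).
    source, local = sync(None, build_reply(1700000000), -300)
    print(source, local.isoformat())
```

When neither server yields a usable reply, the clock is left unset, which is the condition to alert on if firewall log timestamps are relied on as evidence.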
NAT/NAPT Server
Hosts located on a Local Area Network (LAN) are often required to use private IP addresses as opposed
to public IP addresses. Private IP addresses, however, are not known on the public Wide Area Network
(WAN). In order to expose LAN-side hosts assigned private IP addresses to the public WAN, the Router
can be configured to use one of two methodologies: Network Address Translation (NAT) or Network
Address Port Translation (NAPT). NAT can expose a single LAN-side host to the WAN; NAPT can
expose multiple LAN-side hosts. NAT/NAPT functionality can be individually configured for each WAN
connection.
To configure NAT/NAPT functionality:
1. Select Setup>NAT/NAPT from the left navigation pane of the Web interface. This displays the
   “NAT/NAPT Configuration” window showing the WAN Interface connections.
2. Select one of the following for the desired connection:
   NAT & NAPT Disabled
   Disable both NAT and NAPT in order, for example, to set up static routes assigned by your ISP.
   NAT Only Enabled
   Enable NAT and specify the destination IP address for incoming packets. Depending on your
   configuration, NAT is sometimes enabled by default.
   NAPT Only Enabled
   Use NAPT only to handle multiple addresses based on port forwarding rules.
   NAT&NAPT Enabled
   Some service providers support a concurrent NAT/NAPT. Under this configuration, a single WAN
   interface may support multiple NAT connections with each NAT connection again exposing a
   single LAN-side host through a single WAN-side public IP address. Through either NAT or NAPT,
   the Router ensures that the LAN-side host is known to the WAN side only through the public IP
   address of the Router’s WAN-side connection. The host’s actual private IP address remains
   unknown to any WAN-side hosts or servers.
3. Click Apply when you have finished configuring all desired connections.
Firewall
A firewall is a system designed to prevent unauthorized access to or from a private network. The firewall
is designed to protect hosts located on the Local Area Network (LAN) from attacks initiated on the Wide
Area Network (WAN). Protection is not provided for attacks initiated from the LAN. Due to the nature of
firewall operations and the system resources required to service these operations, firewall operations may
degrade the performance of the Router, especially under heavy network traffic loads.
The firewall menu item accessible from the left navigation pane of the Web interface expands to provide a
list of options to be enabled or disabled as well as links to configure the more complex details of each
security feature.
Level
Set the firewall security level.
Snooze
Temporarily disable the firewall. It is important to note that when the firewall is snoozing
all protection provided by the firewall is disabled.
DMZ
Configure firewall DMZ for controlling a virtual DMZ on the Local Area Network. The
purpose of the DMZ is to redirect suspicious network traffic received from a public WAN
to a secured LAN-side host dedicated to this purpose.
Filter Rules
Add and delete custom inbound and outbound firewall rules.
Log
View log listing of firewall activity including records of denial of access, reason codes,
and descriptions.
ADS
Configure what events the internal Attack Detection System (ADS) will protect against
and log from a list of well-known attacks initiated on the Wide Area Network.