DHCP Server
DHCP Proxy
The DHCP proxy allows the CyberGuard SG appliance to forward DHCP requests from the LAN to an external server for resolution. This allows both static and dynamic addresses to be given out on the LAN just as running a DHCP server would.
To enable this feature, specify the server which is to receive the forwarded requests in Relay Host. This server must also be configured to know and accept requests from the CyberGuard SG appliance's LAN. Then check Enable DHCP Relay and click Apply.
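The relay step described above, as an added example that is not the appliance's own code: the relay stamps its LAN address into the request's giaddr field and increments the hop count before forwarding, and the external server uses giaddr to choose which address pool to answer from. The server-side scope table and the sample DISCOVER are constructed for the example; the header layout and relay behaviour follow RFC 2131.

```python
"""DHCP relay (proxy) model: the appliance stamps its LAN address into the
request and forwards it; the external server picks a scope from that address.
Added example, not the appliance's code."""
import ipaddress
import struct

# Fixed BOOTP/DHCP header, RFC 2131 section 2: 236 bytes before the options.
# Fields: op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr,
# giaddr, chaddr (16), sname (64), file (128).
HEADER = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
FIELD_NAMES = ("op", "htype", "hlen", "hops", "xid", "secs", "flags", "ciaddr",
               "yiaddr", "siaddr", "giaddr", "chaddr", "sname", "file")
MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
ZERO_IP = b"\x00" * 4


def parse_header(packet):
    """Return the fixed header as a dict, checking that DHCP options follow it."""
    if packet[HEADER.size:HEADER.size + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet (magic cookie missing)")
    return dict(zip(FIELD_NAMES, HEADER.unpack_from(packet)))


def build_discover(xid, mac):
    """A minimal DHCPDISCOVER as a LAN client broadcasts it (constructed sample)."""
    chaddr = mac.ljust(16, b"\x00")
    header = HEADER.pack(BOOTREQUEST, 1, 6, 0, xid, 0, 0x8000,  # flags: broadcast
                         ZERO_IP, ZERO_IP, ZERO_IP, ZERO_IP, chaddr,
                         b"\x00" * 64, b"\x00" * 128)
    options = bytes([53, 1, 1, 255])  # option 53 = DHCPDISCOVER, then End
    return header + MAGIC_COOKIE + options


def relay_to_server(packet, relay_lan_ip):
    """Relay-agent step (RFC 2131 section 4.1): set giaddr to the relay's LAN
    address if unset and bump hops. The server later unicasts its reply to giaddr."""
    fields = list(HEADER.unpack_from(packet))
    if fields[0] != BOOTREQUEST:
        raise ValueError("only client requests are relayed upstream")
    if fields[3] > 16:
        raise ValueError("hop count exceeds 16; discarded")  # RFC 2131 relay rule
    fields[3] += 1
    if fields[10] == ZERO_IP:
        fields[10] = ipaddress.IPv4Address(relay_lan_ip).packed
    return HEADER.pack(*fields) + packet[HEADER.size:]


def server_select_scope(packet, scopes):
    """Server side: choose an address pool from giaddr. `scopes` maps the subnets
    the server has been configured for to their pools. A request relayed from a
    LAN the server does not know about gets no scope, which is the failure the
    'must also be configured to know the appliance's LAN' requirement warns about."""
    hdr = parse_header(packet)
    if hdr["giaddr"] == ZERO_IP:
        return None  # not relayed; a real server would use its own subnet
    giaddr = ipaddress.IPv4Address(hdr["giaddr"])
    for subnet in scopes:
        if giaddr in ipaddress.IPv4Network(subnet):
            return subnet
    return None


def build_offer(request, offered_ip):
    """Server reply: same xid/hops/giaddr, op=BOOTREPLY, yiaddr filled in.
    Returns the reply bytes and the address it is unicast to (the relay)."""
    fields = list(HEADER.unpack_from(request))
    fields[0] = BOOTREPLY
    fields[8] = ipaddress.IPv4Address(offered_ip).packed
    reply = HEADER.pack(*fields) + MAGIC_COOKIE + bytes([53, 1, 2, 255])  # DHCPOFFER
    return reply, str(ipaddress.IPv4Address(fields[10]))
```

The practical point is the `server_select_scope` branch that returns `None`: if the upstream server has no scope covering the relay's LAN address, relayed requests are silently ignored and LAN clients never receive an address, so the server-side configuration step in this section is not optional.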
6. Firewall
The CyberGuard SG appliance is equipped with a fully featured, stateful firewall. The firewall allows you to control both incoming and outgoing access, so that PCs on the LAN can have tailored Internet access facilities and are shielded from malicious attacks. By default the firewall is active, and allows all outgoing connections and blocks all incoming connections.

The CyberGuard SG appliance's stateful firewall keeps track of outgoing connections (e.g. a PC on your LAN requesting content from a server on the Internet) and only allows corresponding incoming traffic (e.g. the server on the Internet sending the requested content to the PC).

Sometimes it may be useful to allow some incoming connections, e.g. if you have a mail or web server on your LAN that you want to be accessible from the Internet. These situations are catered for by configuring Packet Filtering rules.

Generally, the majority of customizations to the default firewall ruleset will be done through Packet Filtering; see the Packet Filtering section later in this chapter for details.
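The stateful default policy described above, as an added example that is not the appliance's implementation: connections opened from the LAN create state, traffic arriving on the Internet side is accepted only when it belongs to such a connection, and an incoming Packet Filtering rule is the one way in for unsolicited traffic. The interface names, the `IncomingRule` shape and the sample addresses are constructed for the example.

```python
"""Model of the stateful default policy: connections opened from the LAN create
state, traffic arriving on the Internet side is accepted only when it belongs
to such a connection, and an incoming Packet Filtering rule is the one way in
for unsolicited traffic (here, a mail server on the LAN).
Added example, not the appliance's implementation."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    iface: str          # interface the packet arrived on: "LAN" or "WAN" (assumed names)
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP only: True for a connection-opening segment


@dataclass(frozen=True)
class IncomingRule:
    """Packet Filtering rule admitting new WAN connections to one LAN service."""
    proto: str
    dst: str
    dport: int
    sources: Optional[frozenset] = None   # None = any source address


class StatefulFirewall:
    def __init__(self, rules=()):
        self.rules = list(rules)
        self.conntrack = set()   # flows seen so far, direction-agnostic

    @staticmethod
    def flow_key(pkt):
        # Both directions of a connection map to the same key.
        return (pkt.proto, frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)}))

    def decide(self, pkt):
        key = self.flow_key(pkt)
        if pkt.iface == "LAN":
            # Default policy: all outgoing connections allowed, and remembered so
            # that the corresponding replies get back in. (A real conntrack also
            # checks TCP flags and ages entries out; omitted here.)
            self.conntrack.add(key)
            return "ACCEPT"
        if key in self.conntrack:
            return "ACCEPT"   # reply or follow-up on a known connection
        if pkt.proto == "tcp" and not pkt.syn:
            return "DROP"     # mid-stream segment with no state: never a new connection
        for rule in self.rules:
            if (rule.proto, rule.dst, rule.dport) == (pkt.proto, pkt.dst, pkt.dport) \
                    and (rule.sources is None or pkt.src in rule.sources):
                self.conntrack.add(key)   # admitted inbound connection gets state too
                return "ACCEPT"
        return "DROP"   # default policy: block all incoming connections
```

Note that the rule only admits the connection-opening segment; once admitted, the connection is tracked like any other, so later segments in both directions are matched by state rather than by re-evaluating the rule.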
Incoming Access

The Incoming Access section allows you to control access to the CyberGuard SG appliance itself, e.g. for remote administration. Click Incoming Access on the Firewall menu to show the Incoming Access configuration page.
Administration services
The following figure shows the Administration Services page:
Figure 6-1
By default the CyberGuard SG appliance runs a web administration server and a telnet service. Access to these services can be restricted to specific interfaces. For example, you generally want to restrict access to the Web Management Console web administration pages (Web Admin) to machines on your local network. Disallowing all services is not recommended, as this will make future configuration changes impossible unless your CyberGuard SG appliance is reset to the factory default settings.

Warning

If you do want to allow administrative access on interfaces other than the LAN, there are several security precautions you should take; see the note in the next section for details. Also consider remote administration using a VPN connection as an alternative to opening a hole in the firewall; PPTP in particular is well suited to this task.

You can also select to accept ICMP messages on the Internet port. For example, if you disallow echo requests (the default for increased security), your CyberGuard SG appliance will not respond to pings on its Internet port. Destination unreachable ICMP messages are always accepted.
CyberGuard SG Administrative Web Server

Clicking the CyberGuard SG Web Server tab takes you to the page to configure the administrative web server. This web server is responsible for running the Web Management Console.

Here you can change the port on which the server runs. Additionally, the SG550, SG570 and SG575 models support SSL encryption to establish secure connections to the Web Management Console web administration pages from SSL enabled browsers.
Figure 6-2
Note

Changing the web server port number is strongly recommended if you are allowing Internet access to the Management Console. This will help hide the Management Console from casual web surfers who type your CyberGuard SG appliance's Internet IP address into a web browser. Ideally, you should use Packet Filtering rules (see the Packet Filtering section later in this chapter) to restrict who has access for remote administration (i.e. allow connections on the administrative web server port from trusted originating IP addresses only).
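The Incoming Access controls from the Administration services section and the recommendations in the note above, modelled together as an added example that is not the appliance's code: each administrative service (Web Admin, telnet) is limited to chosen interfaces, ICMP echo requests on the Internet port are refused by default while destination unreachable is always accepted, and remote administration can be narrowed to trusted source addresses on a non-default port. The interface names, the treatment of ICMP types the manual does not mention, and the `recommendations` checklist are assumptions made for the example.

```python
"""Model of the Incoming Access controls: per-interface administrative services,
the ICMP policy on the Internet port, and the recommended narrowing of remote
administration to trusted sources on a non-default port.
Added example, not the appliance's code."""
from dataclasses import dataclass

ICMP_DEST_UNREACHABLE = 3
ICMP_ECHO_REQUEST = 8


@dataclass
class AdminAccess:
    web_admin_port: int = 80                        # default HTTP port
    telnet_port: int = 23
    web_admin_ifaces: frozenset = frozenset({"LAN"})   # "LAN"/"WAN" are assumed names
    telnet_ifaces: frozenset = frozenset({"LAN"})
    accept_echo_on_internet: bool = False           # default: no ping response on the Internet port
    trusted_admin_sources: frozenset = frozenset()  # packet-filter restriction for WAN-side admin

    def validate(self):
        """Reject a configuration that disallows every administrative service:
        recovering from it means a factory reset."""
        if not self.web_admin_ifaces and not self.telnet_ifaces:
            raise ValueError("at least one administrative service must remain reachable")

    def decide_tcp(self, iface, src, dport):
        """Decision for a TCP connection attempt aimed at the appliance itself."""
        if dport == self.web_admin_port:
            allowed = self.web_admin_ifaces
        elif dport == self.telnet_port:
            allowed = self.telnet_ifaces
        else:
            return "NOT_ADMIN"   # left to the ordinary firewall and Packet Filtering rules
        if iface not in allowed:
            return "DROP"
        if iface == "WAN" and self.trusted_admin_sources and src not in self.trusted_admin_sources:
            return "DROP"        # trusted-originator restriction from the note above
        return "ACCEPT"

    def decide_icmp(self, iface, icmp_type):
        """Decision for an ICMP message addressed to the appliance."""
        if icmp_type == ICMP_DEST_UNREACHABLE:
            return "ACCEPT"      # always accepted
        if iface == "WAN" and icmp_type == ICMP_ECHO_REQUEST:
            return "ACCEPT" if self.accept_echo_on_internet else "DROP"
        # Assumption: other ICMP types are answered on the LAN only.
        return "ACCEPT" if iface == "LAN" else "DROP"

    def recommendations(self):
        """Flag the situations the Warning and Note in this section call out."""
        notes = []
        if "WAN" in self.web_admin_ifaces or "WAN" in self.telnet_ifaces:
            if "WAN" in self.web_admin_ifaces and self.web_admin_port == 80:
                notes.append("change the web server port away from 80")
            if not self.trusted_admin_sources:
                notes.append("restrict remote administration to trusted source addresses")
            notes.append("consider a VPN (e.g. PPTP) instead of opening the firewall")
        return notes
```

With the defaults, `AdminAccess().decide_tcp("WAN", ..., 80)` drops the connection and `recommendations()` is empty; exposing Web Admin on the WAN side with the default port and no trusted-source list produces all three recommendations.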
The Web Management Console is usually accessed on the default HTTP port (i.e. 80). After changing the web server port number, you must include the new port number in the URL to access the pages. For example, if you change the web administration to port number 88, the URL to access the web administration will be similar to:
SSL/HTTPS (Secure HTTP)

Note

Web administration using secure HTTP is not available on the SG300, SG530 or SG630.

The current status of the SSL (secure HTTP) support is indicated by Active / Inactive.

Figure 6-3