030-300613 Rev A
56
August 2009
User Guide
VersaLink Wireless Gateway (Model 7500)
13. SECURITY
This section explains the security features of your Gateway and guides you through the configurable settings.

13.1 Security Level
The following screen will appear if you select Security > Security Level from the main menu. This screen allows you to change your firewall security levels by selecting from the available options. If you change the settings in this screen, click save and then OK. If you click Cancel, the screen will return to its previous settings.
IMPORTANT: It is recommended that you do not change the settings in the Custom Rules screen. If you need to reset your Gateway to factory default settings, push the reset button on the top of the Gateway.

Security Level: Select these options to control outbound traffic initiated within the local network. By default, the Security Level is set to None. Note: Only the most advanced users should select the Custom option.
    High: Select this option to allow only basic Internet functionality. Only Mail, News, Web, FTP, and IPSEC are allowed. All other traffic is prohibited.
    Medium: Select this option to allow only basic Internet functionality by default; however, Medium security allows customization through NAT configuration so that you can enable the traffic that you want to pass.
    Low: Select this option to allow all traffic except for known attacks. With Low security, your Gateway is visible to other computers on the Internet.
    None: Select this option to disable security and allow all traffic. (All traffic is passed.)
    Custom: Select this option to edit the firewall configuration directly. When Custom is selected, the edit button will be clickable. Clicking edit will open the Custom Rules screen, which allows for user customization of Gateway security settings.

Remote Logging
Note: The syslog server must be configured to listen on UDP port 514, which is usually the default port. In order for the logs to be saved to the syslog server, the server should be configured to save the logs to a file. Some of the free syslog servers available on the Internet are kiwisyslog, MT_syslog and 3Csyslog.
Enable: Click this check box to enable the Gateway to send firewall logs to a syslog server. By default, remote logging is disabled (unchecked).
Remote IP Address: Displays the IP address of the syslog server machine to which the diagnostics logs are to be sent.
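
A minimal receiver that meets the note above, listening on UDP port 514 and appending each message to a file (added example, not part of the original guide or the Gateway's firmware). It assumes the Gateway prefixes each message with the standard syslog `<PRI>` field; the gateway address 192.168.1.1 and the log file name are constructed placeholders.

```python
import re
import socketserver
from datetime import datetime, timezone

# Syslog severity names in numeric order (0-7).
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(rb"^<(\d{1,3})>")


def parse_pri(datagram: bytes):
    """Split a datagram into (facility, severity, text); PRI = facility*8 + severity."""
    m = PRI_RE.match(datagram)
    if not m or int(m.group(1)) > 191:
        return None, None, datagram.decode("utf-8", "replace").strip()
    pri = int(m.group(1))
    text = datagram[m.end():].decode("utf-8", "replace").strip()
    return pri >> 3, SEVERITIES[pri & 7], text


def format_record(sender_ip: str, datagram: bytes, now=None) -> str:
    """One line per message: receive time, sender, decoded priority, text."""
    now = now or datetime.now(timezone.utc)
    facility, severity, text = parse_pri(datagram)
    # Replace control characters so one message cannot forge extra log lines.
    text = "".join(c if c.isprintable() else " " for c in text)
    tag = f"fac={facility} sev={severity}" if severity else "fac=? sev=?"
    return f"{now.isoformat()} {sender_ip} {tag} {text}"


class Handler(socketserver.BaseRequestHandler):
    def handle(self):
        data, _sock = self.request  # for UDP: (datagram bytes, socket)
        if self.client_address[0] != self.server.gateway_ip:
            return  # noise filter only: UDP source addresses can be spoofed
        with open(self.server.log_path, "a", encoding="utf-8") as fh:
            fh.write(format_record(self.client_address[0], data) + "\n")


def serve(gateway_ip, log_path, bind="0.0.0.0", port=514):
    """Listen on UDP 514 (needs privileges on most systems) and append to log_path."""
    with socketserver.UDPServer((bind, port), Handler) as srv:
        srv.gateway_ip, srv.log_path = gateway_ip, log_path
        srv.serve_forever()


if __name__ == "__main__":
    serve("192.168.1.1", "gateway-firewall.log")  # constructed LAN address
```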

13.1.1 Custom Rules
The following screen will appear if you select Custom and then OK from the Security Level screen and click the edit button (Security > Security Level > Custom Rules). The Custom Rules screen allows you to configure the security parameters on your Inbound and Outbound traffic. Inbound rules will restrict inbound traffic from the WAN to the LAN. Outbound rules will restrict outbound traffic from the LAN to WAN. If you change the settings in this screen, click save. If you click cancel, the screen will return to its previous settings.
IMPORTANT: Custom security is an advanced configuration option that allows you to edit the firewall configuration directly. Only expert users should attempt this. It is recommended that you do not change the settings in this screen. If you need to reset your Gateway to factory default settings, push the reset button on the rear of the Gateway; or follow the instructions in section 14.2.1, “Backup/Restore,” to restore the Gateway to default settings.
NOTE: The default security setting is applied if a packet does not match any defined rules. Clicking Save allows the firewall rules to be saved to flash (a temporary storage area in your Gateway).

Security Default: Select the default action (allow or deny) to be taken if no rule is found to match the given packet.
    Allow: Allow the packet if no rule matches it.
    Deny: Block the packet if no rule matches it.
Rule Name: Displays the name of the new rule.
Type: Select the option to allow or deny the packet matching this rule.
    Allow: Allow the packet matching this rule.
    Deny: Block the packet matching this rule.
Protocol: Click this drop-down menu to select the protocol for the new rule: TCP, UDP, Protocol Number, ICMP Type, or All.
Source Address: Displays the source address of the packet to check the rule against.
Destination Address: Displays the destination address of the packet to check the rule against.
Source Port: Displays the source port of the packet to check the rule against.
Destination Port: Displays the destination port of the packet to check the rule against.
Mode: Click this drop-down menu to specify whether or not packets need to be logged: Log or No Log.
Direction: Click this drop-down menu to select the traffic direction for which the rule is applied: Inbound, Outbound, or Both.
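
How the Security Default interacts with the rule fields above, as an added example (not code from the guide or the Gateway). It assumes rules are checked in order with the first match winning, which the guide does not state, and that addresses are written as CIDR ranges; the rules and packets are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    name: str
    action: str                  # "Type" field: "Allow" or "Deny"
    protocol: str = "All"        # "TCP", "UDP" or "All"
    src: str = "0.0.0.0/0"       # Source Address as CIDR (assumed notation)
    dst: str = "0.0.0.0/0"       # Destination Address as CIDR (assumed notation)
    sport: Optional[int] = None  # None = any source port
    dport: Optional[int] = None  # None = any destination port
    log: bool = False            # "Mode" field: Log / No Log
    direction: str = "Both"      # "Inbound", "Outbound" or "Both"

    def matches(self, pkt: dict) -> bool:
        return (self.direction in ("Both", pkt["direction"])
                and self.protocol in ("All", pkt["protocol"])
                and ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and self.sport in (None, pkt["sport"])
                and self.dport in (None, pkt["dport"]))


def evaluate(rules, security_default, pkt):
    """Return (action, rule name or None, logged). Assumes first match wins."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name, rule.log
    return security_default, None, False  # no rule matched: Security Default decides


# Constructed ruleset and packets.
RULES = [
    Rule("allow-web-out", "Allow", "TCP", dport=443, direction="Outbound"),
    Rule("block-telnet-in", "Deny", "TCP", dport=23, log=True, direction="Inbound"),
]
WEB = dict(direction="Outbound", protocol="TCP", src="192.168.1.10",
           dst="203.0.113.5", sport=50000, dport=443)
TELNET = dict(direction="Inbound", protocol="TCP", src="198.51.100.7",
              dst="192.168.1.10", sport=40000, dport=23)
UNMATCHED = dict(direction="Inbound", protocol="TCP", src="198.51.100.7",
                 dst="192.168.1.10", sport=40001, dport=3389)

if __name__ == "__main__":
    for default in ("Allow", "Deny"):
        for pkt in (WEB, TELNET, UNMATCHED):
            print(default, pkt["dport"], evaluate(RULES, default, pkt))
```

With Security Default set to Allow, the unmatched inbound packet passes and is not logged; with Deny it is blocked, which is why the default matters more than any single rule when auditing a custom ruleset.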

13.2 Security Services
This section discusses the Security Services screens (ALG, Port Forwarding, and Port Triggering) of your Gateway and guides you through the configurable settings.

13.2.1 ALG
The following screen will appear if you select Security > Services > ALG from the main menu. This screen enables you to configure application-layer gateway (ALG) services for your Gateway by clicking on the check box of each service that you want to enable (a check mark will appear in the box). If you change the settings in this screen, click apply and then OK. If you click Cancel, the screen will return to its previous settings.
Enabling an ALG service opens the IP ports associated with the corresponding service. For example, if you have an IPSec client running on a LAN-side PC attached to the Gateway, it is necessary to enable the IPSec ALG. Enabling IPSec opens the default ports used by IPSec, 500 and 1500, so that traffic to and from the IPSec client may pass through.
NOTE: When the firewall level is set to “High,” some services may not be configurable.

FTP: Click this check box to enable the FTP ALG.
H323: Click this check box to enable the H323 ALG.
TFTP: Click this check box to enable the TFTP ALG.
PPTP: Click this check box to enable the PPTP ALG.
IPSec: Click this check box to enable the IPSec ALG.
SIP: Click this check box to enable the SIP ALG.

13.2.2 Port Forwarding
The following screen will appear if you select Security > Services > Port Forwarding from the main menu. This screen allows you to forward incoming traffic from the outside network to a range of WAN ports on an IP address on the LAN. You can also enable traffic from a local network (to a specified port range) to be allowed to go outside of the network in medium firewall settings. Displayed are currently active port forwarding services. You can add more pre-defined services (or create your own services) by selecting the appropriate entry in the Service Name drop-down menu.

Current Profile: Click this drop-down menu to display the NAT (Network Address Translation) services available. All of the settings on this screen are associated with a Service Profile. The service profile is selected from the Current Profile drop-down menu. If no profile has been created, the settings chosen are applied to the default profile.
    The Service Profile drop-down menu located in the Home > Connection Overview > Edit screen (on the Home screen, click the Add/Edit Connection link) associates a service profile with one or more of your “Connection Profiles.” This means different connections can allow different services to be associated with them. Use the Current Profile drop-down menu to select a profile to edit. However, the profile will be activated from the Home > Connection Overview > Edit screen.
    To create a new service profile, click the new button.
    To remove a service profile, click the delete button (not available for the Default profile).
    To change the name of a service profile, click the edit button.