USR8200 Firewall/VPN/NAS User Guide
The USR8200 Firewall/VPN/NAS's Security Suite includes comprehensive, robust security services: Stateful Packet Inspection Firewall, user authentication protocols, and password protection mechanisms. These features taken together allow users to connect their computers to the Internet and simultaneously be protected from the security threats of the Internet.
The firewall is the cornerstone of your USR8200 Firewall/VPN/NAS's security suite. The firewall has been exclusively tailored to the needs of the residential user and has been pre-configured to provide optimum security. In addition, the firewall has many advanced features which allow you to further customise it to your needs. Using the management screens in the Security section, you can:
Security Level Settings
Use the Security Settings screen to configure the USR8200 Firewall/VPN/NAS's basic security settings. The firewall regulates the flow of data between the home network and the Internet. Both incoming and outgoing data are inspected and then accepted or rejected according to a flexible and configurable set of rules. These rules are designed to prevent unwanted intrusions from the outside while allowing home users access to the Internet services that they require.
The firewall rules specify what types of services available on the Internet may be accessed from the home network and what types of services available in the home network may be accessed from the Internet. Each request for a service that the firewall receives, whether originating in the Internet or from a computer in the home network, must be checked against the set of firewall rules to determine whether the request should be allowed to pass through the firewall. If the request is permitted to pass, then all subsequent data associated with this request (a "session") will also be allowed to pass, regardless of its direction.
For example, when you point your Web browser to a Web page on the Internet, a request is sent out to the Internet for this page. When the request reaches the USR8200 Firewall/VPN/NAS, the firewall will identify the request type and origin (HTTP and a specific computer in your home network, in this case). Unless you have configured access control to block requests of this type from this computer, the firewall will allow this request to pass out onto the Internet. When the Web page is returned from the Web server, the firewall will associate it with this session and allow it to pass, regardless of whether HTTP access from the Internet to the home network is blocked or permitted.
The important thing to note is that it is the origin of the request, not subsequent responses to this request, that determines whether a session can be established or not.
You may choose from among three predefined security levels for the USR8200 Firewall/VPN/NAS: Minimum, Typical (the default setting), and Maximum. The table below summarizes the behavior of USR8200 Firewall/VPN/NAS for each of the three security levels. Note that the Access Control, Local Servers, and Remote Access screens may be used to further customise the gateway's security settings.
† These services include Telnet, FTP, HTTP, HTTPS, DNS, IMAP, POP3, and SMTP.
To configure the USR8200 Firewall/VPN/NAS's security settings:
Note: VPN over IPSec and some UDP-based services make legitimate use of IP fragments. You will need to allow IP fragments to pass into the home network in order to make use of these select services.
Note: Using the minimum security setting may expose the home network to significant security risks, and thus should only be used, when necessary, for short periods of time.
You may want to block specific computers within the home network (or even the whole network) from accessing certain services on the Internet. For example, you may want to prohibit one computer from surfing the Web, another computer from transferring files using FTP, and the whole network from receiving incoming e-mail.
Access Controls work by placing restrictions on the types of requests that may pass from the home network out to the Internet, and thus may block traffic flowing in both directions. In the e-mail example given above, you may prevent computers in the home network from receiving incoming e-mail by blocking their outgoing requests to POP3 servers on the Internet.
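The session logic from the Security Level Settings section and the Access Control behavior just described, as an added worked example. This is not code from the USR8200 or its manufacturer: it is a small stateful filter in which a session is admitted or refused on its opening packet alone, after which replies pass in either direction, plus an Access Control entry that stops one host (or the whole LAN, via the constructed "*" entry) from reaching POP3 servers. All addresses, ports and the `Packet`/`StatefulFirewall` names are constructed for the example.

```python
"""Toy stateful packet filter modelling the session rule described in the guide.

Added example, not firmware or code from the USR8200. It shows that the
direction of a session's *first* packet decides whether it is established,
that replies then pass regardless of inbound/outbound policy, and how an
outbound Access Control entry blocks a host's requests to POP3 servers.
"""
from dataclasses import dataclass

POP3, HTTP = 110, 80


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    direction: str     # "out" = LAN -> Internet, "in" = Internet -> LAN
    syn: bool = False  # True for the packet that opens a TCP connection


class StatefulFirewall:
    def __init__(self, inbound_services_allowed=()):
        # Service ports reachable from the Internet (none at the default level).
        self.inbound_allowed = set(inbound_services_allowed)
        # Access Control: {lan_host: {blocked destination ports}}; "*" = whole LAN.
        self.access_control = {}
        # Established sessions, keyed as seen from the LAN side.
        self.sessions = set()

    def block(self, host, port):
        self.access_control.setdefault(host, set()).add(port)

    def _blocked_by_access_control(self, pkt):
        return any(pkt.dport in self.access_control.get(h, set())
                   for h in (pkt.src, "*"))

    def _key(self, pkt):
        # Normalise so both directions of one conversation share a key.
        if pkt.direction == "out":
            return (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def handle(self, pkt):
        key = self._key(pkt)
        if key in self.sessions:
            return "ACCEPT (session)"        # reply traffic; direction irrelevant
        if not pkt.syn:
            return "DROP (no session)"       # stray packet, not a session opener
        if pkt.direction == "out":
            if self._blocked_by_access_control(pkt):
                return "BLOCK (access control)"
            self.sessions.add(key)
            return "ACCEPT (new outbound session)"
        if pkt.dport in self.inbound_allowed:
            self.sessions.add(key)
            return "ACCEPT (new inbound session)"
        return "BLOCK (inbound not permitted)"


def demo():
    """Constructed scenario: one PC browses the Web, another is barred from POP3."""
    fw = StatefulFirewall()
    fw.block("192.168.1.20", POP3)
    pc, web, mail = "192.168.1.10", "203.0.113.5", "203.0.113.9"  # constructed
    return [
        fw.handle(Packet(pc, web, 40000, HTTP, "out", syn=True)),  # request out
        fw.handle(Packet(web, pc, HTTP, 40000, "in")),             # reply in: allowed
        fw.handle(Packet(web, pc, 50000, HTTP, "in", syn=True)),   # unsolicited HTTP: blocked
        fw.handle(Packet("192.168.1.20", mail, 40002, POP3, "out", syn=True)),
        fw.handle(Packet(pc, mail, 40003, POP3, "out", syn=True)),  # other host may fetch mail
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The second packet is accepted only because the first one created a session; the third, an HTTP request originating on the Internet, is refused even though it carries the same protocol and hosts. That is the point the guide makes: origin, not direction of individual packets, decides.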
Click the Access Control button to view a list of services that have been restricted.
To add a new service or services to the Access Control table:
You may change the computer (or computers) prohibited from accessing a particular service by modifying the appropriate entry in the Access Control table.
To modify an entry in the Access Control table:
You may disable an access control and make the service available without having to remove the service from the Access Control table. This may be useful if you want to make the service available only temporarily and expect that you will want to reinstate the restriction in the future.
The tables that appear on the Add Access Control Rules and Add Local Servers screens are pre-configured to include most of the services that users may want to block or activate. Sometimes, however, the need arises to add on a predefined service. The USR8200 Firewall/VPN/NAS provides the User-Defined Services list for this purpose. All of the services in this list also appear at the top of the Add Access Control Rules and Add Local Servers screens. When a service is added to one list, it automatically appears in the others. In this way, user-defined services never need to be entered twice.
To add a new service to the list:
You have now completed defining this service and may go to the Add Access Control Rules or Add Local Servers screen to block or activate the service.
To modify a user-defined service already in the list:
To remove a service from the list, click the Remove button for the service. The service will be removed from the list.
In its default state, the USR8200 Firewall/VPN/NAS blocks all external users from connecting to or communicating with your network. Therefore, the system is safe from hackers who may try to intrude on the network and damage it. However, you may need to expose your network to the Internet in certain limited and controlled ways in order to enable some applications to work from the LAN (game, voice, and chat applications, for example) and to establish servers in the home network. The Local Servers feature supports both of these functionalities.
The Local Servers screen in the Management Console provides a list of the most commonly used applications that require special handling by the USR8200 Firewall/VPN/NAS. All you have to do is identify which of them you want to use and the local IP address of the computer that will be using the service. For example, if you wanted to use the Net2Phone voice application on one of your computers, you would simply select Net2Phone from the list and enter the local IP address of that computer in the right column. All Net2Phone-related data arriving at the USR8200 Firewall/VPN/NAS from the Internet will henceforth be forwarded to the specified computer.
Similarly, if you want to grant Internet users access to servers inside your home network, you must identify each service that you want to provide and the computer that will provide it. For example, if you want to host a Web server inside the home network, you must select HTTP Web Server from the list and enter the local IP address of the computer that will host the Web server in the right column. Then when an Internet user points a browser to the external IP address of the USR8200 Firewall/VPN/NAS, the Gateway will forward the incoming HTTP request to the computer that is hosting the Web server. If an Internet application that you want to use or a service that you want to provide is not already in the list, you can easily add it.
Click the Local Servers button to view the list of special services and local servers that are currently enabled in the home network.
To add a new service to the list of active local servers:
To add a service that is not included in the list, click the User Defined Services button. The Edit Service screen will appear. Define the service, then click OK to save your changes. The service will then be automatically added to the top section of the Add Local Servers screen. You may now select the service, just as you would a predefined service.
The DMZ Host feature allows one local computer to be exposed to the Internet. Designate a DMZ host when:
Warning: A DMZ host is not protected by the Firewall and may be vulnerable to attack. Designating a DMZ host may also put the other computers in the home network at risk. When designating a DMZ host, you must consider the security implications and protect it if necessary.
An incoming request for access to a service in the home network, such as a Web-server, is fielded by the USR8200 Firewall/VPN/NAS. The USR8200 Firewall/VPN/NAS will forward this request to the DMZ host (if one is designated) unless the service is being provided by another computer in the home network (assigned in Local Servers), in which case that computer will receive the request instead.
To designate a local computer as a DMZ Host:
Port triggering can be used for dynamic port forwarding configuration. By setting port triggering rules, you can allow inbound traffic to arrive at a specific LAN host, using ports different than those used for the outbound traffic. This is called port triggering since the outbound traffic triggers the rule that allows the inbound traffic to be directed back to the LAN host.
For example, suppose you have a gaming server that you access using the TCP protocol on port 2222. The gaming server then responds by connecting to you using TCP on port 3333 in order to start your gaming session. In such a case you must use port forwarding, since this scenario conflicts with the following default Firewall settings:
In order to solve this you need to define a Port Triggering entry, which allows inbound traffic on port 3333 TCP, only after a LAN host generated traffic to port 2222 TCP. This will result in accepting the inbound traffic from the gaming server and sending it back to the LAN Host that originated the outgoing traffic to port 2222.
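The Local Servers, DMZ Host and Port Triggering behavior described in the preceding sections, brought together in one added example. This is not the USR8200's own code: it models how an inbound packet is dispatched to a LAN host, using the guide's gaming scenario (outbound to TCP 2222 opens inbound TCP 3333 back to the same host) and its rule that the DMZ host receives whatever is not assigned in Local Servers. Two details are assumptions, not stated in the guide: armed trigger entries are consulted before the static Local Servers table, and they expire after an idle timeout. Class and function names, addresses and the timeout value are constructed.

```python
"""Toy model of inbound traffic dispatch: port triggering, Local Servers, DMZ host.

Added example, not the USR8200's own code. Assumptions not given in the guide:
armed triggers take precedence over static Local Servers entries, and a trigger
stays armed for `ttl` seconds after the outbound packet that armed it.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class TriggerRule:
    trigger_port: int    # outbound destination port that arms the rule (2222)
    incoming_port: int   # inbound port opened once armed (3333)
    protocol: str = "TCP"


@dataclass
class InboundDispatcher:
    # Local Servers table: (protocol, port) -> LAN host providing that service.
    local_servers: Dict[Tuple[str, int], str] = field(default_factory=dict)
    dmz_host: Optional[str] = None
    trigger_rules: List[TriggerRule] = field(default_factory=list)
    ttl: float = 300.0   # constructed idle timeout for an armed trigger
    # (protocol, incoming_port) -> (LAN host that triggered it, time armed)
    _armed: Dict[Tuple[str, int], Tuple[str, float]] = field(default_factory=dict)

    def observe_outbound(self, lan_host: str, proto: str, dport: int, now: float) -> None:
        """Call for each outbound packet; arms any trigger rule it matches."""
        for rule in self.trigger_rules:
            if rule.protocol == proto and rule.trigger_port == dport:
                self._armed[(proto, rule.incoming_port)] = (lan_host, now)

    def dispatch_inbound(self, proto: str, dport: int, now: float) -> Optional[str]:
        """Return the LAN host that receives an inbound packet, or None to drop it."""
        armed = self._armed.get((proto, dport))
        if armed:
            host, armed_at = armed
            if now - armed_at <= self.ttl:
                return host                    # back to the host that triggered
            del self._armed[(proto, dport)]    # expired: fall through
        if (proto, dport) in self.local_servers:
            return self.local_servers[(proto, dport)]
        return self.dmz_host                   # None when no DMZ host -> dropped


def demo() -> dict:
    """Constructed scenario: a Web server, a DMZ host and the guide's gaming rule."""
    d = InboundDispatcher(
        local_servers={("TCP", 80): "192.168.1.10"},   # HTTP Web Server entry
        dmz_host="192.168.1.99",
        trigger_rules=[TriggerRule(2222, 3333)],
    )
    out = {}
    out["http"] = d.dispatch_inbound("TCP", 80, now=0)            # Local Server wins
    out["other"] = d.dispatch_inbound("TCP", 8080, now=0)         # unmapped -> DMZ host
    out["before_trigger"] = d.dispatch_inbound("TCP", 3333, now=0)  # not armed -> DMZ host
    d.observe_outbound("192.168.1.20", "TCP", 2222, now=10)       # gamer connects out
    out["after_trigger"] = d.dispatch_inbound("TCP", 3333, now=15)  # server's reply -> gamer
    out["expired"] = d.dispatch_inbound("TCP", 3333, now=400)     # trigger timed out -> DMZ
    no_dmz = InboundDispatcher(local_servers={("TCP", 80): "192.168.1.10"})
    out["dropped"] = no_dmz.dispatch_inbound("TCP", 8080, now=0)  # None: dropped
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:15} -> {v}")
```

Note the `before_trigger` and `expired` cases: with a DMZ host designated, an unsolicited connection to port 3333 is not dropped but delivered to the DMZ host, which is exactly the exposure the Warning under DMZ Host describes. Without a DMZ host the same packet is dropped.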
Defining Port Triggering
This section describes how to define a port triggering entry. The entry values are relevant to the gaming example provided in the previous section.
1. Click the Security icon on the sidebar.
2. Click the Port Triggering tab on the security screen and the Port Triggering screen will appear. This screen will list all of the port triggering entries.
3. Click New Entry to add an entry.
4. Click New User-Defined Service to add an entry.
5. Specify the following port triggering entries in the New Triggering Ports and New Incoming Ports, respectively, and click OK:
After specifying both entries, click OK. Select the checkbox for the new service in the Add Port Triggering Rule screen and click OK.
6. Make sure the checkbox for the new service is selected in the general Port Triggering screen to enable port redirection.
There may be a few default port triggering rules listed when you first access the port triggering screen. Please note that disabling these rules may result in impaired USR8200 Firewall/VPN/NAS functionality.
Controlling Remote Access to the USR8200 Firewall/VPN/NAS
It is possible to access and control the USR8200 Firewall/VPN/NAS not only from within the home network, but also from the Internet. This allows you to view or change settings while traveling. It also enables your ISP to change settings or help you troubleshoot functionality or communication issues from a remote location. Remote access to the USR8200 Firewall/VPN/NAS is blocked by default to ensure the security of your home network. However, remote access is supported by the following services, and you may use the Remote Access Configuration screen to selectively enable these services if they are needed.
To allow remote access to the USR8200 Firewall/VPN/NAS services:
You may configure USR8200 Firewall/VPN/NAS to block specific Internet Web sites so that they can't be accessed from computers in the home network. Moreover, restrictions can be applied to a comprehensive automatically updated list of sites to which access is not recommended.
To add a new Web site to the list:
The Restricted IP Address or Hostname screen will appear.
2. Enter the Web site address (IP or URL) that you would like to make inaccessible from your home network (all web pages within the site will also be blocked). If the Web site address has multiple IP addresses, the USR8200 Firewall/VPN/NAS will resolve all additional addresses and automatically add them to the restrictions list. Select whether you want this restriction to be applied to the entire LAN or to an individual computer on the network. You can also click New on the Schedule line and enter specific times for the rule to be applied.
When you are finished creating a restriction, click OK.
3. You will be returned to the previous screen while the USR8200 Firewall/VPN/NAS attempts to find the site. Resolving... will appear in the Status column while the site is being located (the URL is being resolved into one or more IP addresses).
4. If the site is successfully located, then Resolved will appear in the status bar, otherwise, Error will appear. Click Refresh to update the status, if necessary. In case the USR8200 Firewall/VPN/NAS fails to locate the web site, do the following:
To modify a Web site address currently in the list, perform the following:
1. Click Edit in the Action column. The Restricted IP Address or Hostname screen will appear.
2. Modify the Web site address, as necessary. If it is long and/or complicated, you may want to copy the address from the address bar to the management console. Be sure to remove the http:// at the beginning and the / at the end of the address.
3. Click OK to save your changes.
To ensure that all current IP addresses corresponding to Web sites in the list are blocked, click Resolve Now. The USR8200 Firewall/VPN/NAS will check each of the Web site addresses in the list and ensure that all IP addresses at which this Web site can be found are included in the IP addresses column.
You may disable a restriction and make the Web site available again without having to remove the site from the Restrictions List. This may be useful if you wish to make the Web site available only temporarily and expect that you will want to block it again in the future.
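The Web site restriction mechanism described in this section, as an added worked example (not the USR8200's own code): the address cleanup the guide asks for (drop `http://` and the trailing `/`), the Resolving.../Resolved/Error status flow, expansion of a hostname to every address it resolves to, the Resolve Now refresh, and disabling an entry without removing it. Lookups go through a resolver callback so the example runs offline against a constructed name table; `socket.gethostbyname_ex` would be the natural real resolver. All hostnames, addresses and class names are constructed.

```python
"""Toy model of a hostname-based restriction list that blocks by resolved IP.

Added example, not the USR8200's own code. The resolver is injectable so the
example runs offline against constructed DNS data.
"""
import ipaddress
from typing import Callable, Dict, List

# Constructed name table for the example; not real addresses of any site.
FAKE_DNS = {
    "example.test": ["203.0.113.10", "203.0.113.11"],
    "mail.example.test": ["203.0.113.20"],
}


def make_resolver(table: Dict[str, List[str]]) -> Callable[[str], List[str]]:
    """Return a resolver over `table` that fails like a real lookup (OSError)."""
    def resolve(hostname: str) -> List[str]:
        if hostname not in table:
            raise OSError("name not found")
        return list(table[hostname])
    return resolve


def normalise_address(address: str) -> str:
    """Apply the cleanup from the guide: strip the scheme and trailing slash.

    Anything after the first '/' is a page path; the whole site is blocked,
    so only the host part is kept.
    """
    addr = address.strip()
    for scheme in ("http://", "https://"):
        if addr.lower().startswith(scheme):
            addr = addr[len(scheme):]
    return addr.split("/", 1)[0].lower()


class RestrictionList:
    def __init__(self, resolver: Callable[[str], List[str]]):
        self.resolver = resolver
        self.entries: Dict[str, dict] = {}   # address -> {"status", "ips", "enabled"}

    def add(self, address: str) -> dict:
        addr = normalise_address(address)
        entry = {"status": "Resolving...", "ips": set(), "enabled": True}
        self.entries[addr] = entry
        self._resolve(addr)
        return entry

    def _resolve(self, addr: str) -> None:
        entry = self.entries[addr]
        try:
            entry["ips"] = {str(ipaddress.ip_address(addr))}  # literal IP entry
            entry["status"] = "Resolved"
            return
        except ValueError:
            pass   # not an IP literal: treat as a hostname
        try:
            # Accumulate rather than replace: a site that rotates addresses would
            # otherwise reopen the moment an old address leaves DNS.
            entry["ips"].update(self.resolver(addr))
            entry["status"] = "Resolved"
        except OSError:
            entry["status"] = "Error"

    def resolve_now(self) -> None:
        """Re-check every entry; the equivalent of the Resolve Now button."""
        for addr in self.entries:
            self._resolve(addr)

    def set_enabled(self, address: str, enabled: bool) -> None:
        self.entries[normalise_address(address)]["enabled"] = enabled

    def is_blocked(self, dest_ip: str) -> bool:
        return any(dest_ip in e["ips"] for e in self.entries.values() if e["enabled"])


def demo() -> dict:
    dns = {k: list(v) for k, v in FAKE_DNS.items()}   # private copy we can mutate
    rl = RestrictionList(make_resolver(dns))
    site = rl.add("http://example.test/some/page/")
    missing = rl.add("nosuchhost.test")
    literal = rl.add("198.51.100.7")
    before = rl.is_blocked("203.0.113.12")
    dns["example.test"].append("203.0.113.12")       # site gains a new address
    rl.resolve_now()
    after = rl.is_blocked("203.0.113.12")
    rl.set_enabled("example.test", False)            # disable without removing
    return {
        "normalised": normalise_address("http://example.test/some/page/"),
        "status_ok": site["status"], "status_err": missing["status"],
        "status_ip": literal["status"],
        "blocked_second_ip": site["enabled"] or "203.0.113.11" in site["ips"],
        "unrelated": rl.is_blocked("203.0.113.20"),
        "new_ip_before": before, "new_ip_after": after,
        "disabled": rl.is_blocked("203.0.113.10"),
    }
```

Two caveats follow directly from the model. Blocking by resolved address under-blocks a site whose addresses change between resolutions, which is why Resolve Now exists, and it over-blocks when the restricted host shares an address with unrelated sites, since every name on that address becomes unreachable.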
Advanced filtering is designed to allow comprehensive control over the Firewall's behavior. You can define specific input and output rules, control the order of logically similar sets of rules, and make a distinction between rules that apply to WAN and LAN network devices. To access the Advanced Filtering screen, click the Security icon on the sidebar to display the security features, and then click the Advanced Filtering button. The Advanced Filtering screen will appear.
You can configure two sets of rules, Input rules and Output rules. Each set of rules is composed of three subsets: Initial rules, Network devices rules, and Final rules. These subsets determine the sequencing by which the rules will be applied. To configure Advanced Filtering rules, click the Edit button next to the rule title, or click the title directly. The Configure Rules screen will appear, displaying the entries currently constituting the rule subset you selected. Click the Edit button next to an entry, click the entry directly, or click New Entry to go to the Add Advanced Filter screen.
Adding an Advanced Filtering Rule
To add an advanced Filtering rule, carefully define the following rule parameters:
The Security log displays a list of Firewall-related events, including attempts to establish inbound and outbound connections, attempts to authenticate at an administrative interface (Web-based Management or Telnet terminal), Firewall configuration, and system startup.
To view the Firewall Log, click the Firewall Log button which appears on the Security Settings screen.
The following are the events and event-types that are automatically recorded in the Firewall log:
† Appears only with regard to inbound traffic.
You can choose additional activities to be recorded in the Firewall log using the Firewall Log Settings screen. For each activity type, you may choose to view messages associated with successful attempts (Accepted), failed attempts (Blocked), or both.
To view/change the Firewall Log settings:
Secure Local Administration
You can connect directly to the USR8200 Firewall/VPN/NAS in order to perform local administration tasks. In order to do this, you must establish a PPP over Serial (PPPoS) connection between the administration host and the USR8200 Firewall/VPN/NAS.
To perform local administration via a PPPoS connection, perform the following steps:
Running PPP Clients on Linux
To run a PPP client on a Linux host, enter the following line:
In the previous line, the following information should be entered:
SERIAL_DEV_NAME The name of the serial device on the Linux machine,
Running PPP Clients on Windows
To run a PPP client on Windows XP, you will need to install a NULL modem driver. Perform the following steps: