Secure Computing SG550 User Manual

Search online or download the user manual for Secure Computing SG550 routers. Secure Computing SG550 User manual.

  • 297 pages

Table of contents

Page 1 - User Manual

Secure Computing SG User Manual Secure Computing 4810 Harwood Road San Jose, CA 95124-5206 Email: [email protected]

Page 2 - Contents

Introduction 6 Specifications Internet link • Two 10/100baseT Ethernet ports (C, D) • Two GbE ports (E, F – SG710+ only) • Serial port • Online s

Page 3

Network Setup 96 Refer to the section entitled Tagged and untagged VLANs earlier in this chapter for further discussion of these settings. Click Updat

Page 4

Network Setup 97 Ensure Enable is checked and enter a descriptive GRE Tunnel Name for this tunnel. Enter the address of the remote GRE endpoint in Re

Page 5 - 1. Introduction

Network Setup 98 6. Modify the firewall. In this example we use a dummy alias network of 10.254.0.0 / 255.255.0.0 to bridge two example local network

Page 6 - Front panel LEDs

Network Setup 99 Create an IPSec tunnel between Brisbane and Slough. Select IPSec from the VPN section of the main menu and click New. For a complet

Page 7 - Rear panel

Network Setup 100 At the Brisbane end, click Packet Filtering, the Custom Firewall Rules tab and add this custom firewall rule: iptables -I OUTPUT ! -

Page 8

Network Setup 101 Route management Note Route management does not have full GUI configuration support. We recommend that only advanced users familiar

Page 9 - Front panel

Network Setup 102 password zebra!password In these examples, ! denotes a descriptive comment, and # indicates a configuration line that is currently co

Page 10 - Specifications

Network Setup 103 #network eth2 ! Define neighbor routers to exchange RIP with if disabling multicast above in zebra.conf, or neighbors don't hav

Page 11 - Bridged mode

Network Setup 104 OSPF Note This example is adapted from the LARTC (Linux Advanced Routing & Traffic Control) dynamic routing howto, available fro

Page 12 - Secure by default

Network Setup 105 The SG is configured to exchange routes with the routers named Atlantis, Legolas and Frodo. Ensure you have enabled OSPF under Rout

Page 13

Introduction 7 SG PCI Appliances (SG6xx Series) Note The SG PCI appliance range includes models SG630 and SG635. The SG PCI appliance is a hardware ba

Page 14 - Document Conventions

Network Setup 106 ! Uncomment and set telnet/vty passwords to enable telnet access on port 2604 #password changeme #enable password changeme ! Instru

Page 15 - 2. Getting Started

Network Setup 107 Note The AS numbers used in this example are reserved, please get your own AS from RIPE if you set up official peerings. Ensure you

Page 16 - Unpack the SG unit

Network Setup 108 access-list local_nets deny any ! Our AS number router bgp 1 ! Our IP address bgp router-id 192.168.0.1 ! Announce our own network

Page 17

Network Setup 109 Workgroup/domain Note SG565 only. The Workgroup/Domain is the Windows workgroup or domain with which to share printers or network sh

Page 18

Network Setup 110 Check Enable DNS proxy to enable this feature. If you are using the SG unit’s DHCP server, you may also check Update DNS with loca

Page 19

Network Setup 111 DHCP Server Note To configure your SG unit as a DHCP server, you must set a static IP address and netmask on the network interface o

Page 20

Network Setup 112 • Enter the DNS Address to issue the DHCP clients. If this field is left blank, the SG unit's IP address is used. Leave this

Page 21

Network Setup 113 There is an icon to Delete the address from the list of addresses to manage. You may also Free addresses that have been leased by

Page 22

Network Setup 114 Reserving IP addresses You may also reserve IP addresses for particular hosts, identifying them by hostname and MAC address. To res

Page 23 - Set up the SG unit’s switch

Network Setup 115 The Subnet is the network on which DHCP server is handing out addresses. Free Addresses displays the number of remaining available

Page 24

Introduction 8 The other is the host PC's IP address, which is configurable through the host operating system, identically to a regular NIC. Thi

Page 25

Network Setup 116 A proxy-cache server implements Internet object caching. This is a way to store requested Internet objects (i.e., data available vi

Page 26

Network Setup 117 Local storage Note Network Storage and Local Storage cannot be used at the same time. Enabling one will automatically disable the ot

Page 27

Network Setup 118 Note We recommend that you create a special user account to be used by the SG unit for reading and writing to the network share. If

Page 28

Network Setup 119 Next, share the folder. Right click on the folder and select Sharing and Security. Select Share this folder and note the Share nam

Page 29

Network Setup 120 Note The SG unit’s web cache uses port 3128 by default. Enter 3128 in Port, select Bypass proxy for local addresses and click OK. Pe

Page 30

Network Setup 121 Check Enable ICAP functionality to enable the ICAP features of the SG unit's web cache. ICAP REQMOD server is the URL for an I

Page 31

Network Setup 122 Objects larger than the Maximum cached object size in memory (KB) are NOT kept in the memory cache. This should be set high enough

Page 32

Network Setup 123 Select Packet Filtering from the Firewall menu, and click the Custom Firewall Rules tab. Add the following Custom Firewall Rules: i

Page 33 - Set up the PCs on your LAN

Network Setup 124 Click Enable and enter the Outbound Speed (upstream speed) of this interface’s network connection in megabits per second. Click Fi

Page 34

Network Setup 125 Check Enable Traffic Shaping, select a Default priority and click Submit to enable this feature. The Default priority is assigned t

Page 35

Introduction 9 Location Activity Description Top right (Power) On Power is supplied to the SG unit (top right). Bottom right (Heart beat) Flashing

Page 36

Network Setup 126 SIP (Session Initiation Protocol, RFC3261) is the protocol of choice for most VoIP (Voice over IP) phones to initiate communication.

Page 37 - SG PCI Appliance Quick Setup

Firewall 127 4. Firewall The SG unit is equipped with a fully featured, stateful firewall. The firewall allows you to control both incoming and outg

Page 38

Firewall 128 Administration services The following figure shows the Administration Services page: By default the SG unit runs a web administration se

Page 39

Firewall 129 You can also select to Accept echo request (incoming port) on Internet interfaces. The default is to disallow echo requests, so your SG

Page 40 - Automatic configuration

Firewall 130 After changing the web server port number, you must include the new port number in the URL to access the pages. For example, if you chan

Page 41 - Manual configuration

Firewall 131 Upload SSL certificates If you have purchased or created SSL certificates for a web server, you can upload them to the SG unit under Uplo

Page 42

Firewall 132 A typical use of NAT rules is to forward packets destined for your Internet IP address to an internal web server or email server on your

Page 43

Firewall 133 A service group can be used to group together similar services. For example, you can create a group of services that you wish to allow,

Page 44 - The SG Management Console

Firewall 134 Adding or modifying an address is shown in the following figure: You may either add a Single Address or Range or DNS Hostname. You may

Page 45 - 3. Network Setup

Firewall 135 Packet Filtering Packet filter rules match traffic based on a combination of the source and destination address, incoming and outgoing i

Page 46

Introduction 10 Document Conventions This document uses different fonts and typefaces to show specific actions. Warning/Note Text like this highlights

Page 47

Firewall 136 Note The first matching rule determines the action for the network traffic, so the order of the rules is important. You can use the Move

Page 48 - Direct Connection

Firewall 137 • Input means filter packets destined for this unit. You can only select the incoming interface. • Output means filter packets genera

Page 49 - Ethernet configuration

Firewall 138 Rate limiting Note Rate Limit settings are only available when modifying rules. They cannot be specified when creating a new rule. Once y

Page 50 - Interface aliases

Firewall 139 • Reject: Disallow the rate limited packet, but also send an ICMP protocol unreachable message to the source IP address. • Drop: Silentl

Page 51

Firewall 140 Source NAT rules are useful for masquerading one or more IP addresses behind a single other IP address. This is the type of NAT used by

Page 52

Firewall 141 Note The example shown in the screenshot above forwards the SSH (secure shell) protocol to an internal server (barry’s server). SSH all

Page 53

Firewall 142 This rule is applied to packets that match the criteria described by the next four fields. Destination Address The destination address of

Page 54 - Manually assign settings

Firewall 143 Warning Precautions must be taken when configuring the mail server, otherwise you become susceptible to such abuse as unauthorized relayi

Page 55 - Connection (dial on demand)

Firewall 144 Enter smtp in Other TCP Ports. This is the protocol remote clients use for sending mail via the server. Click Finish. Click NAT, the Po

Page 56 - Cable Modem

Firewall 145 Select E-Mail from Services. Enter your internal email server’s IP address in To Destination Address. Click Finish. Configure mail clien

Page 57 - Dialout and ISDN

Getting Started 11 2. Getting Started This chapter provides step-by-step instructions for installing your SG unit. These instructions are identical

Page 58 - Dialin setup

Firewall 146 The following fields are displayed: Enable Uncheck to temporarily disable this rule Descriptive Name An arbitrary name for this

Page 59

Firewall 147 When adding a rule, you may either use Predefined addresses or services that have been added under Definitions, or click New to manually

Page 60 - Connecting a dialin client

Firewall 148 Descriptive Name An arbitrary name for this rule Enable Uncheck to temporarily disable this rule Private Address The privat

Page 61

Firewall 149 Note The displayed options apply to the firewall classes, not to the ports with these names. That is, the LAN interface options apply to

Page 62

Firewall 150 The port forwarding rules set up via the UPnP Gateway are temporary. The list of configured UPnP port forwarding rules is cleared should

Page 63

Firewall 151 Enter an arbitrary Description of service, the Name or IP address of the computer hosting this service on your network, the External Por

Page 64

Firewall 152 Note Implementations of protocols such as H.323 can vary, so if you are experiencing problems then you can try disabling the module. Ch

Page 65 - Internet Failover

Firewall 153 Read on to find out how using an IDS can benefit your network’s security, or skip ahead to the Basic or Advanced Intrusion Detection sect

Page 66 - Edit connection parameters

Firewall 154 IDB operates by offering a number of services to the outside world that are monitored for connection attempts. Remote machines attempti

Page 67

Firewall 155 Trigger count before blocking specifies the number of times a host is permitted to attempt to connect to a monitored service before being

Page 68

Getting Started 12 SG Gateway Appliance Quick Setup Unpack the SG unit Check that the following items are included with your SG unit: • Power adapter

Page 69 - Internet Load Balancing

Firewall 156 Warning The list of network ports can be freely edited, however adding network ports used by services running on the SG unit (such as tel

Page 70 - Enabling load balancing

Firewall 157 Check Enabled. Select the network Interface to monitor (Snort IDS only). This is typically Internet, or possibly DMZ. Check Use less me

Page 71

Firewall 158 Log results to database to use a remote analysis server. If it is left unchecked, results are output to the device's system log (Ad

Page 72 - High Availability

Firewall 159 MySQL database http://www.mysql.com/downloads/mysql-4.0.html http://www.mysql.com/doc/en/index.html Apache web server http://httpd.apache

Page 73 - Enabling high availability

Firewall 160 Additionally, you can set up global block/allow lists for web sites that you always want to be accessible/inaccessible (Web Lists), or fo

Page 74 - Advanced configurations

Firewall 161 The Enable Access Control checkbox enables/disables the entire access control subsystem. This box must be checked for any access contro

Page 75 - DMZ Network

Firewall 162 Note To add or remove access controls user accounts, select Users from the main menu and click the Local Users tab. Access controls use

Page 76 - Guest Network

Firewall 163 Browser setup The example given is for Microsoft Internet Explorer 6. Instructions for other browsers should be similar, refer to their

Page 77

Firewall 164 In the row labeled HTTP, enter your SG unit’s LAN IP address in the Proxy address to use column, and 81 in the Port column. Leave the o

Page 78

Firewall 165 Web lists Access is denied to any web address (URL) that contains text added under URL Block List, e.g. entering xxx blocks access to

Page 79 - Wireless

Getting Started 13 LAN subnet mask: 255.255.255.0 The SG unit needs an IP address suitable for your LAN before it is connected. You may choose to us

Page 80 - Basic wireless settings

Firewall 166 In addition to enforcing the services aspect of security groups, it is possible to include a number of NASL (Nessus Attack Scripting Lang

Page 81 - Wireless security

Firewall 167 Content filtering allows you to limit the types of web based content accessed. Note Content filtering is not performed for addresses spec

Page 82 - WEP security method

Firewall 168 Content Check Enable Content Filtering enter your License key then continue on to set reporting options and which categories to block.

Page 83 - ACL (Access Control List)

Firewall 169 Select which categories you wish to block. Selecting Unratable blocks pages that the central content filtering database has not yet cat

Page 84

Firewall 170 Unchecking Allow access to newly defined categories restricts access to the categories you did not block when configuring content filteri

Page 85

Firewall 171 The Enable ZoneAlarm Pro support checkbox specifies if the ZoneAlarm Pro enforcement section of access control is active or not. Turning

Page 86

Firewall 172 Enable antivirus Select Antivirus from the Firewall section of the main menu. Check Enable. The Database mirror is the host from which t

Page 87 - Connecting wireless clients

Firewall 173 Storage It is recommended that you use a network or local share to provide storage for the virus database and temporary space for the sca

Page 88

Firewall 174 Launch Windows Explorer (Start -> (All) Programs -> Accessories -> Windows Explorer) and open up a folder or drive to dedicate

Page 89

Firewall 175 Under the Storage -> Network Storage tab, check Use share. Enter the location of the network share in the format: \\HOSTNAME\shar

Page 90 - Bridging

Getting Started 14 Note If there is more than one existing network connection, select the one corresponding to the network interface card to which the

Page 91 - Adding a bridge interface

Firewall 176 Under the Storage -> Local Storage tab, select the partition or device to use from the Device pull down menu, and click Submit. POP em

Page 92 - Edit bridge configuration

Firewall 177 If most, but not all, of your internal email clients are retrieving email from a single mail server, enter this as the Default POP serve

Page 93

Firewall 178 Scan POP email for specific clients only Check Virus check POP based email. Uncheck Translucent. Leave Default POP server blank and ch

Page 94

Firewall 179 Enter your LAN’s SMTP mail server address as the Destination SMTP server. Check Send keep alive bytes to requesting server to send keep

Page 95 - Editing VLANs

Firewall 180 Check Virus check web downloads. Check Reject overly large downloads to have the SG unit treat oversized downloads as potential viruses

Page 96 - Port Based VLANs

Firewall 181 You may specify the Maximum connections for one host to allow. This is the number of FTP connections allowed from a single PC. Once thi

Page 97

Virtual Private Networking 182 5. Virtual Private Networking Virtual Private Networking (VPN) enables two or more locations to communicate securely

Page 98 - Adding port based VLANs

Virtual Private Networking 183 PPTP and L2TP The SG unit includes a PPTP and an L2TP VPN server. These allow remote Windows clients to securely conne

Page 99

Virtual Private Networking 184 Check Enable PPTP Server. Enter the IP Addresses to give to remote hosts; this must be a free IP address, or range of

Page 100 - GRE Tunnels

Virtual Private Networking 185 Select the Required Encryption Level; access is denied to remote users who attempt to connect without using this encryption

Page 101 - GRE over IPSec

Getting Started 15 Note If you wish to retain your existing IP settings for this network connection, click Advanced and Add the secondary IP address o

Page 102

Virtual Private Networking 186 Ensure the remote VPN client PC has Internet connectivity. To create a VPN connection across the Internet, you must se

Page 103

Virtual Private Networking 187 Select Connect to a private network through the Internet and click Next. This displays the Destination Address window:

Page 104 - Static routes

Virtual Private Networking 188 Enter an appropriate name for your connection and click Finish. Your VPN client is now set up and ready to connect. Wi

Page 105 - Route management

Virtual Private Networking 189 Select Connect to the network at my workplace and click Next. Select Virtual Private Network connection and click Nex

Page 106

Virtual Private Networking 190 If you have set up your computer to connect to your ISP using dial up, select Automatically dial this initial connectio

Page 107

Virtual Private Networking 191 Enter a username and password added in the Configuring user accounts for VPN server section and click Connect. L2TP VP

Page 108

Virtual Private Networking 192 Check Enable L2TP Server. Enter the IP Addresses to give to remote hosts; this must be a free IP address, or range of

Page 109

Virtual Private Networking 193 • Unencrypted Authentication (PAP): This is plain text password authentication. When using this type of authentication,

Page 110

Virtual Private Networking 194 Note Only one shared secret tunnel may be added. The one shared secret is used by all remote clients to authenticate.

Page 111

Virtual Private Networking 195 If adding an x.509 Certificate Tunnel, select the Local Certificate that you have uploaded to the SG unit. Enter the C

Page 112 - Hostname

Contents 1. Introduction...1 SG Gateway Appliances (SG3x

Page 113 - DNS proxy

Getting Started 16 Note The new password takes effect immediately. You are prompted to enter it when completing the next step. The quick setup wizard

Page 114 - Dynamic DNS

Virtual Private Networking 196 Select Connect to the network at my workplace and click Next. Select Virtual Private Network connection and click Nex

Page 115 - DHCP Server

Virtual Private Networking 197 If you have set up your computer to connect to your ISP using dial up, select Automatically dial this initial connectio

Page 116 - Address list

Virtual Private Networking 198 • To authenticate using an x.509 Certificate Tunnel, you must first install the local certificate. The distinguished n

Page 117

Virtual Private Networking 199 Select PPTP VPN Client or L2TP VPN Client from the VPN section of the main menu. Any existing client tunnels are displ

Page 118 - DHCP status

Virtual Private Networking 200 A PPTP status icon appears in the system tray on the bottom right hand side of your computer, informing you that you ar

Page 119 - Web Cache

Virtual Private Networking 201 To combine the Headquarters and Branch Office networks together, an IPSec tunnel must be configured on both SG units.

Page 120 - Storage

Virtual Private Networking 202 Warning It may be necessary to reduce the MTU of the IPSec interface if large packets of data are not being transmitted

Page 121 - Network storage share

Virtual Private Networking 203 Note Select an interface other than the default gateway when you have more than one Internet connection or have configu

Page 122

Virtual Private Networking 204 3. DNS hostname address to static IP address 4. DNS hostname address to DNS hostname address 5. DNS hostname address

Page 123

Virtual Private Networking 205 • Manual Keys establishes the tunnel using predetermined encryption and authentication keys. This authentication metho

Page 124 - ICAP client

Getting Started 17 • Select Skip: LAN already configured if you wish to use the SG unit’s initial network settings (IP address 192.168.0.1 and subnet

Page 125 - Advanced

Virtual Private Networking 206 It becomes optional if the SG unit has a static IP address and is using Preshared Secrets for authentication. If it is

Page 126

Virtual Private Networking 207 • SPI Number is the Security Parameters Index. It is a hexadecimal value and must be unique. It is used to establish

Page 127 - QoS Traffic Shaping

Virtual Private Networking 208 Enter the Internet IP address of the remote party in The remote party's IP address field. In this example, enter

Page 128 - ToS traffic shaping

Virtual Private Networking 209 OU Organizational Unit CN Common Name N Name G Given name S Surname I Initials T Personal title E E-mai

Page 129

Virtual Private Networking 210 • Authentication Key field is the ESP Authentication Key. However, this applies to the remote party. It must be of t

Page 130 - Configuring the SIP proxy

Virtual Private Networking 211 The Rekeyfuzz value refers to the maximum percentage by which the Rekeymargin should be randomly increased to randomize

Page 131 - 4. Firewall

Virtual Private Networking 212 • Local Certificate pull down menu contains a list of the local certificates that have been uploaded for x.509 authent

Page 132 - Administration services

Virtual Private Networking 213 Select a Phase 2 Proposal. Any combination of the ciphers, hashes and Diffie Hellman groups that the SG unit supports

Page 133 - Web Server

Virtual Private Networking 214 Select the Internet interface the IPSec tunnel is to go out on. In this example, select default gateway interface opti

Page 134 - SSL/HTTPS (Secure HTTP)

Virtual Private Networking 215 Phase 1 settings page Set the length of time before Phase 1 is renegotiated in the Key lifetime (s) field. In this exa

Page 135 - Customizing the Firewall

Getting Started 18 Set up the SG unit’s Internet connection settings First, attach the SG unit to your modem device or Internet connection medium. If

Page 136 - Definitions

Virtual Private Networking 216 Tunnel List Connection Once a tunnel has been configured, an entry with the tunnel name in the Connection field is sho

Page 137 - Addresses

Virtual Private Networking 217 • Down indicates that the tunnel is not being negotiated. This may be due to the following reasons: o IPSec is disab

Page 138 - Interfaces

Virtual Private Networking 218 Phase 1 Hashes Loaded lists the authentication hashes that tunnels can be configured with for Phase 1 negotiations. T

Page 139 - Packet Filtering

Virtual Private Networking 219 • The Phase 2 proposal wanted. The line ESP algorithms wanted reads 3_000-2; pfsgroup=2. The 3_000 refers to cipher

Page 140

Virtual Private Networking 220 Some certificate authorities (CA) distribute certificates in a PKCS12 format file. This format combines the CA certifi

Page 141

Virtual Private Networking 221 When the application prompts you to Enter Import Password, enter the password used to create the certificate. If none

Page 142 - Rate limiting

Virtual Private Networking 222 .. or under Linux: touch rootCA/index.txt Create the CA certificate, omit the -nodes option if you want to use a passwo

Page 143 - Custom firewall rules

Virtual Private Networking 223 Windows IPSec requires the certificates to be in a PKCS12 format file. This format combines the CA certificate, local

Page 144 - Port forwarding

Virtual Private Networking 224 Click Browse to locate the certificate file or files. If you are adding a Local Certificate, enter the Public Key certi

Page 145

Virtual Private Networking 225 Set up an IPSec tunnel between the primary Internet IP Addresses (192.168.1.0/24 - 209.0.0.1 <-> 210.0.0.1 – 192.1

Page 146

Getting Started 19 Set up the SG unit’s switch Note This page will only display if you are setting up the SG560, SG565 or SG580. Otherwise skip to th

Page 147

Virtual Private Networking 226 Set up an IPSec tunnel between the secondary Internet IP Addresses (192.168.1.0/24 - 209.0.1.1 <-> 210.0.1.1 – 19

Page 148

Virtual Private Networking 227 Alias subnet mask: 24 Set up a Primary Link Test IPSec tunnel between the primary Internet IP Addresses (192.168.11.0/32

Page 149 - Source NAT

Virtual Private Networking 228 connection primarylinktest parent conn-eth1 start ipsec auto --add PrimaryLinkTest start ipsec auto --up Primary

Page 150

Virtual Private Networking 229 The following scenario assumes that the Headquarters SG and Branch Office SG each have two static Internet IP addresses

Page 151 - 1-to-1 NAT

Virtual Private Networking 230 Set up an IPSec tunnel between the secondary Internet IP Addresses (209.0.1.1 <-> 210.0.1.1). Default values are

Page 152 - Masquerading

Virtual Private Networking 231 GRE tunnel name: SecondaryLink Remote address: 210.0.1.1 Local address: 209.0.1.1 Firewall class: LAN Branch Office SG

Page 153 - Configuring the UPnP gateway

Virtual Private Networking 232 connection secondary_route parent secondary_ping start route add -net 192.168.2.0 netmask 255.255.255.0 dev gre2

Page 154

Virtual Private Networking 233 stop route del -net 192.168.1.0 netmask 255.255.255.0 dev gre1 maximum_retries 2147483647 retry_delay 5 test

Page 155 - Connection Tracking

Virtual Private Networking 234 IPSec Troubleshooting • Symptom: IPSec is not running and is enabled. Possible Cause: The SG unit has not been assigne

Page 156 - Intrusion Detection

Virtual Private Networking 235 Solution: Ensure that the tunnel settings for the SG unit and the remote party are configured correctly. • Symptom: T

Page 157 - The benefits of using an IDS

Getting Started 20 Connect the SG unit to your LAN Review your configuration changes. Once you are satisfied, click Finish to activate the new config

Page 158 - IDB Configuration

Virtual Private Networking 236 The remote party's settings are incorrect. Solution: Confirm that the certificates are valid. Confirm also that t

Page 159 - Dummy services

Virtual Private Networking 237 Port Tunnels Port tunnels are point to point tunnels similar to regular VPNs, but only offer transport for a TCP servic

Page 160 - Snort and IPS configuration

Virtual Private Networking 238 If necessary, you may specify the Content Length to use in HTTP PUT requests. You may also set Strict Content Length t

Page 161

Virtual Private Networking 239 Otherwise, either the Proxy Server IP address and the Proxy Port. If the proxy server requires authentication, enter t

Page 162

USB 240 6. USB Note SG565 only. The SG565 has two USB (Universal Serial Bus) ports to which you can attach USB storage devices (e.g. hard drives, fl

Page 163

USB 241 This section describes how to set up the SG unit for network attached storage. For information on using a USB mass storage device as a print

Page 164 - Enabling access control

USB 242 Browsable: Display an icon for the network when browsing the network from a Windows PC. To access the network share when this is unchecked,

Page 165 - User authentication

USB 243 Join a Windows workgroup The next step is to configure your SG unit to join your Windows workgroup or domain. Select Network Setup from the Ne

Page 166

USB 244 Partitioning a USB mass storage device Warning This procedure is intended for experts and power users only. The standard Linux command line to

Page 167 - Browser setup

USB 245 Command (m for help): p Disk /dev/sda: 5 heads, 50 sectors, 1024 cylinders Units = cylinders of 250 * 512 bytes Device Boot Start

Page 168

Getting Started 21 • If you do not want to use a DHCP server, proceed to Manual configuration of your LAN. Automatic configuration of your LAN By sele

Page 169 - Web lists

USB 246 Repeat the process for each partition you want to create. For the last partition, the default last cylinder is generally fine. Command (m f

Page 170 - Content filtering

USB 247 mkfs.vfat -F 32 /dev/sda1 then mkfs.vfat -F 32 /dev/sda2 From the web management console, select Advanced from the System menu, and click Rebo

Page 171 - Content or Webwasher?

USB 248 Select Shares from the Networking section of the main menu. Click the Printing tab. Locate the printer to share and click its Edit icon. En

Page 172 - Content

USB 249 Otherwise, attach the USB mass storage device and select the device or device partition on which to store the print spool from the Spool pull

Page 173 - Webwasher

USB 250 Select A network printer, or a printer attached to another computer and click Next. Select Browse for a printer and click Next. Locate the

Page 174 - ZoneAlarm

USB 251 You may receive a warning about the SG unit automatically installing print drivers on your PC. Ignore it, the SG does not install print drive

Page 175 - Antivirus

USB 252 Select your printer model and click OK. If your printer model is not listed, click Have Disk and Browse again. Drivers for several different

Page 176 - Enable antivirus

USB 253 LPR / LPD setup Note This information is generally not relevant for Windows network environments. Once the print server has been set up, the S

Page 177 - Network storage

USB 254 Disable Advanced Printing Features by clicking Control Panel -> Printers and Faxes -> right click printer -> Properties -> Advance

Page 178

System 255 7. System Date and Time We recommend setting the SG unit’s clock to the correct date and time, otherwise system log message time stamps do

Page 179

Getting Started 22 Quick setup is now complete. Automatic configuration of your LAN using an existing DHCP server • If you chose to have the SG unit O

Page 180 - Scan all POP email

System 256 Locality Select your local Region and click Submit. The system clock subsequently displays local time. By default, the system clock displ

Page 181

System 257 To back up your configuration, enter and confirm a Password with which to protect this file and click Submit. Save the file in a safe pla

Page 182 - SMTP email

System 258 Note Each configuration snapshot stores a single configuration only, existing configuration snapshots on the SG unit are not saved inside a

Page 183

System 259 Users This section details adding administrative users, as well as local users for PPTP, L2TP or dialin access, or access through the acces

Page 184

System 260 You may specify the following access controls for each administrative user. • The Login control provides the user with telnet and ssh ac

Page 185

System 261 • The Change Password control provides the user with the ability to change their password. Click Finish to apply your changes. Local Users

Page 186

System 262 • The Dialin Access control provides the user with the authority to connect to the SG unit's dialin server. • The PPTP Access contr

Page 187 - PPTP VPN Server

System 263 Click Submit to apply your changes. Management The SG unit may be managed remotely using Secure Computing Global Command Center (GCC), S

Page 188

System 264 Note Ensure that you have network access and have the Global Command Center server configured appropriately before enabling central managem

Page 189 - Setup the remote PPTP client

System 265 Note Local SNMP Port should be changed if you have enabled the SNMP agent under Management -> SNMP. Administrative Contact is the SNMP s

Page 190

Getting Started 23  IP address is an IP address that is part of the same subnet range as the SG unit’s LAN connection (if using the default settings,

Page 191

System 266 Warning The community name is equivalent to a password, and is sent in plain text in every SNMP packet. Anyone who knows the community nam

Page 192 - Windows XP PPTP client setup

System 267 Warning Altering the advanced configuration settings may render your SG unit inoperable. System log The system log contains debugging infor

Page 193

System 268 Enter the IP address or DNS hostname for the remote syslog server in Remote Host. Enter the Remote Port on which the remote syslog server

Page 194

System 269 Enter the address of an Email Server (SMTP server) that accepts email for forwarding. Enter the Email Address(es) to which to send the sys

Page 195 - L2TP VPN Server

System 270 Warning Before restoring your SG unit to its default factory settings via the web management console or reset button, it is strongly recomm

Page 196

System 271 Disabling the reset button on your SG PCI appliance For convenience, the SG unit ships with the rear panel Reset button enabled. This allo

Page 197 - Add an IPSec tunnel

System 272 Netflash The first is to download the netflash.exe for the appropriate model and version to which you are upgrading. This is a Windows pro

Page 198

System 273 Configuration Files To manually edit, view, or upload new configuration files, select Advanced from the System section of the main menu and

Page 199 - Add an L2TP user account

System 274 Upload file Click Browse to locate the file on your local PC that you want to upload. You may upload it to an alternative file name on the

Page 200

Appendix A – Terminology 275 Appendix A – Terminology This section explains some of the terms that are commonly used in this document. Term Meaning A

Page 201

Getting Started 24 Note Power is ON when power is applied. H/B (heart beat) flashes when the SG unit is running. Each of the network ports has two L

Page 202 - PPTP and L2TP VPN Client

Appendix A – Terminology 276 Certificates A digitally signed statement that contains information about an entity and the entity's public key, th

Page 203

Appendix A – Terminology 277 Extranet A private network that uses the public Internet to securely share business information and operations with supp

Page 204 - SG unit to SG unit

Appendix A – Terminology 278 IPSec with Dynamic DNS Dynamic DNS can be run on the IPSec endpoints thereby creating an IPSec tunnel using dynamic IP ad

Page 205 - Set Up the Branch Office

Appendix A – Terminology 279 NTP Network Time Protocol (NTP) used to synchronize clock times in a network of computers. Oakley Group See Diffie-Hell

Page 206 - Tunnel settings page

Appendix A – Terminology 280 SHA Secure Hash Algorithm, a 160 bit hash. It is one of two message digest algorithms available in IPSec. Security Para

Page 207

Appendix B – System Log 281 Appendix B – System Log Access Logging It is possible to log any traffic that arrives at or traverses the SG unit. The on

Page 208

Appendix B – System Log 282 Commonly used interfaces are: eth0 the LAN port eth1 the WAN/Internet port pppX e.g

Page 209 - Local endpoint settings

Appendix B – System Log 283 A typical Default Deny: looks similar to the following: Mar 27 09:31:19 2003 klogd: Default deny: IN=eth1 OUT=MAC=00:d0:

Page 210 - Other options

Appendix B – System Log 284 To log permitted inbound access requests to services hosted on the SG unit, the rule should look something like this: ipta

Page 211

Appendix B – System Log 285 This results in log output similar to: <12> Jan 24 18:17:19 2000 klogd: Mail for flubber: IN=eth1 OUT=eth0 SRC=5.6.7

Page 212

Getting Started 25 Connect one of the ports of network switch A (A1 – A4) directly to your PC’s network interface card using the supplied network cabl

Page 213

Appendix B – System Log 286 If we just wanted to look at traffic that went out to the IPSec world, we could use: iptables -I FORWARD -j LOG -o ipsec+

Page 214 - Phase 1 settings

Appendix B – System Log 287 Administrative Access Logging When a user tries to log onto the web management console, one of the following log messages

Page 215

Appendix C – Firmware Upgrade Practices and Precautions 288 Appendix C – Firmware Upgrade Practices and Precautions Prior to performing any firmware upgr

Page 216 - Phase 2 settings page

Appendix C – Firmware Upgrade Practices and Precautions 289 If you encounter any problems, reset the device to its factory default settings and reconf

Page 217 - Enable IPSec

Appendix D – Recovering From a Failed Upgrade 290 Appendix D – Recovering From a Failed Upgrade If the Heart beat (or H/B) LED is not flashing 20 – 30

Page 218 - Local endpoint settings page

Appendix D – Recovering From a Failed Upgrade 291 Note If you are using an older LITE(2)/LITE(2)+, you may have to attach the unit's WAN port di

Page 219 - Phase 1 settings page

Appendix D – Recovering From a Failed Upgrade 292 Wait for the recovery procedure to complete and the SG unit to finish reprogramming. Note It takes

Page 220 - Tunnel List

Appendix D – Recovering From a Failed Upgrade 293 (Re)start the BOOTP server. Attach the SG unit's LAN port or switch directly to your PC using a

Page 221

DHCP Server ...111 Web Cache ...

Page 222

Getting Started 26 Preferred DNS server: 192.168.0.1 Note If you wish to retain your existing IP settings for this network connection, click Advanced

Page 223 - Certificate Management

Getting Started 27 Note The new password takes effect immediately. You are prompted to enter it when completing the next step. The quick setup wizard

Page 224 - Extracting certificates

Getting Started 28  You may choose to Obtain LAN IP address from a DHCP server on LAN if you have an existing DHCP server, and wish to rely on it to

Page 225 - Creating certificates

Getting Started 29 Note If you have changed the SG unit’s LAN connection settings, it may become uncontactable at this point. This step describes how

Page 226

Getting Started 30 Select Internet Protocol (TCP/IP) and click Properties (or in 95/98/Me, TCP/IP -> [your network card name] if there are multiple

Page 227 - Add certificates

Getting Started 31 Note The purpose of restarting the computers is to force them to update their automatically configured network settings. Alternati

Page 228 - IPSec Failover

Getting Started 32 Note If you have changed the SG unit’s LAN connection settings, browse to the new LAN IP address. Select Network Setup from the Net

Page 229

Getting Started 33 SG PCI Appliance Quick Setup Unpack the SG unit Check that the SG CD is included with your appliance: On the SG unit is a single 10

Page 230

Getting Started 34 Set up your PC to connect to the web management console Note The following steps assume you want to set up your SG unit in bridged

Page 231

Getting Started 35 IP address: 192.168.0.100 Subnet mask: 255.255.255.0 Leave the Default gateway and DNS server addresses blank. Set up the SG u

Page 232

6. USB...240 USB Mass Storage Devices ...

Page 233

Getting Started 36 In the row labeled Bridge, click the Modify icon. Note The purpose of this step is to configure the IP address for the web manageme

Page 234

Getting Started 37 Check DHCP assigned. Anything in the IP Address and Subnet Mask fields is ignored. Click Update. Click Start -> (Settings ->

Page 235

Getting Started 38 Note Contact your network administrator if you are unsure of any of these settings. The first IP address is used by the web managem

Page 236

Getting Started 39 Select Internet Protocol (TCP/IP) and click Properties. Enter the following details:  IP address is the second free IP address

Page 237

Getting Started 40 From a network security standpoint, it may be desirable to disable the Reset switch after initial setup has been performed. This i

Page 238 - IPSec Troubleshooting

Network Setup 41 3. Network Setup This chapter describes the Network Setup sections of the web management console. Here you can configure each of yo

Page 239

Network Setup 42 A network interface is configured by selecting a connection type from the Change Type pull down menu. The current configuration can

Page 240

Network Setup 43 Note The switches’ ports cannot be configured individually; a switch is configured with a single function only (e.g., LAN switch, DM

Page 241 - Port Tunnels

Network Setup 44 Direct Connection A direct connection is a direct IP connection to a network, i.e. a connection that does not require a modem to be e

Page 242 - Tunnel client

Network Setup 45 To have your SG unit obtain its LAN network settings from an active DHCP server on your local network, check DHCP assigned. Note tha

Page 243

Introduction 1 1. Introduction This manual describes the features and capabilities of your SG unit, and provides you with instructions on how to best

Page 244 - 6. USB

Network Setup 46 If an Ethernet port is experiencing difficulties auto-negotiating with another device, Ethernet Speed and duplex may be set manually

Page 245 - Set access permissions

Network Setup 47 For aliases on interfaces that have the DMZ or Internet firewall class, you must also setup appropriate Packet Filtering and/or Port

Page 246

Network Setup 48 Select the connection method to use in establishing a connection to your ISP: PPPoE, PPTP, DHCP, or Manually Assign Settings. Note U

Page 247 - Join a Windows workgroup

Network Setup 49 PPPoE To configure a PPPoE or PPPoA connection, enter the user name and password provided by your ISP. You may also enter a descript

Page 248

Network Setup 50 The Local IP address is used to connect to the PPTP server and is not typically your real Internet IP address. You may also enter a

Page 249

Network Setup 51 The latter two settings are optional, but are generally required for normal operation. Multiple DNS addresses may be entered separa

Page 250

Network Setup 52 Ethernet configuration See the section entitled Ethernet configuration under Direct Connection. Aliases See the section entitled Alia

Page 251 - USB Printers

Network Setup 53 Ethernet configuration See the section entitled Ethernet configuration under Direct Connection. Aliases See the section entitled Alia

Page 252 - Set up the print spool

Network Setup 54 By default, Dialout/ISDN connections are treated as “always on” and are kept up continuously. Alternatively, you may choose to only b

Page 253

Network Setup 55 If you wish, you may enter a descriptive Connection Name. Enter a free IP Address for Dial-In Clients; this must be a free IP addres

Page 254

Introduction 2 The SG565, SG560, SG570, SG575 and SG580 may also connect to a DMZ (demilitarized zone) network. A DMZ is a separate local network typ

Page 255

Network Setup 56 • Unencrypted Authentication (PAP): This is plain text password authentication. When using this type of authentication, the client pa

Page 256

Network Setup 57 Click Next to continue. Select Dial-up to private network as the connection type and click Next to continue.

Page 257 - Printer Troubleshooting

Network Setup 58 Tick Use dialing rules to enable you to select a country code and area code. This feature is useful when using remote access in ano

Page 258

Network Setup 59 Enter a name for the connection and click Finish to complete the configuration. Check Add a shortcut to my desktop to add an icon f

Page 259 - 7. System

Network Setup 60 The SG unit supports a wide range of configurations through which you can utilize multiple Internet connections, and even multiple

Page 260 - Backup/Restore Configuration

Network Setup 61 Once the Internet connections have been configured, specify the conditions under which the Internet connections are established. Inte

Page 261 - Local backup/restore

Network Setup 62 Edit connection parameters The first step of configuring failover is to set failover parameters for each connection. These parameter

Page 262 - Text save/restore

Network Setup 63 • Custom (advanced users only) allows you to enter a custom console command to run to determine whether the connection is up. This i

Page 263 - Administrative users

Network Setup 64 Ping Interval is the time to wait in between sending each ping, Failed Pings is the number of missed ping replies before this connec

Page 264

Network Setup 65 First, configure the Primary connection level. If you have a single Internet connection only, setting it to Enabled or Required has

Page 265 - Local Users

Introduction 3 WAN Activity Flashing Network traffic on the Internet network interface WLAN Flashing Network traffic on the Wireless network interf

Page 266 - TACACS+

Network Setup 66 Note If you have configured your SG560, SG565 or SG580’s switch as separate ports, and are establishing multiple PPPoE ADSL Internet

Page 267 - Management

Network Setup 67 Check Load Balance for each connection to enable it for load balancing. Click Finish. Note Load balancing settings are not specified

Page 268

Network Setup 68 Load balancing is not performed for incoming traffic. This scenario can be addressed using other solutions such as round robin DNS t

Page 269

Network Setup 69 Enabling high availability On each of the devices, select the Failover & H/A, then the High Availability tab. You may use either

Page 270 - Diagnostics

Network Setup 70 Advanced configurations The supplied script is intended as a starting point for more advanced High Availability configurations. By de

Page 271 - Remote syslog

Network Setup 71 DMZ Network Note Not available on the SG300, SG530, SG550 or SG PCI appliances. A DMZ (de-militarized zone) is a physically separate

Page 272 - Email delivery

Network Setup 72 Configuring a Direct Connection is described in detail in the section entitled Direct Connection towards the beginning of this chapt

Page 273 - Reboot and Reset

Network Setup 73 Not available on the SG300, SG530, SG550 or SG PCI appliances. The intended usage of Guest connections is for connecting to a Guest n

Page 274 - Reset button

Network Setup 74 Configuring a Direct Connection is described in detail in the section entitled Direct Connection towards the beginning of this chapt

Page 275 - Flash upgrade

Network Setup 75 Wireless Note SG565 only. The SG unit’s wireless interface may be configured as a wireless access point, accepting connections from 8

Page 276 - Flash upgrade via TFTP

Introduction 4 • 10/100BaseT LAN port (SG530, SG550) • 10/100BaseT 4 port LAN switch (SG300) • 10/100BaseT DMZ port (SG570, SG575) • 10/100BaseT 4

Page 277 - Configuration Files

Network Setup 76 Warning We strongly recommend that the wireless interface be configured as a LAN connection only if wireless clients are using WPA-PS

Page 278 - Support

Network Setup 77 ESSID: (Extended Service Set Identifier) The ESSID is a unique name that identifies a wireless network. This value is case sensitiv

Page 279 - Appendix A – Terminology

Network Setup 78 If Security Method is set to None, any client is allowed to connect, and there is no data encryption. Warning If you use this setti

Page 280

Network Setup 79 WEP Key Length: This sets the length of the WEP keys to be entered below. It is recommended to use 128 bit keys if possible. WEP Key

Page 281

Network Setup 80 When the Access Control List is disabled (Disable Access Control List), any wireless client with the correct ESSID (and encryption k

Page 282

Network Setup 81 Advanced To edit access control list settings, click the Edit icon alongside the Wireless network interface, click the Wireless Confi

Page 283

Network Setup 82 Preamble Type: The preamble is part of the physical wireless protocol. Using a short preamble can give higher throughput. However,

Page 284

Network Setup 83 Connecting wireless clients The following steps detail how to configure your SG unit to bridge between its wireless and LAN interface

Page 285 - Appendix B – System Log

Network Setup 84 Select Allow authentication for MACs in the Access Control List and click Apply. Add the MAC address of each wireless client you wi

Page 286

Network Setup 85 Under the main table, select Bridge and click Add. Select your wired LAN connection from the Existing Interface Configuration pull

Page 287 - Creating Custom Log Rules

Introduction 5 Label Activity Description Power On Power is supplied to the SG unit Flashing The SG unit is operating correctly H/B (Heart Beat)

Page 288

Network Setup 86 Alongside the wireless interface, check Bridged and select LAN from the Firewall Class pull down menu. Click Finish. Note If your L

Page 289

Network Setup 87 Another advantage is that network traffic not usually routed by an unbridged interface, such as broadcast packets, multicast packets, an

Page 290 - Rate Limiting

Network Setup 88 If you wish to transfer the IP address settings of an existing network connection to the bridge interface, select it from the Existin

Page 291 - Boot Log Messages

Network Setup 89 You may want to Enable Spanning Tree Protocol if you have multiple bridges on your network. It allows the bridges to exchange infor

Page 292 - Practices and Precautions

Network Setup 90 A guide to bridging across an IPSec tunnel using GRE is provided in the section entitled GRE over IPSec in the Virtual Private Networ

Page 293

Network Setup 91 Note Additionally, switch A on the SG560, SG565 and SG580 (but not the SG710 or SG710+) supports port based VLANs. One benefit of th

Page 294 - Failed Upgrade

Network Setup 92 Removing VLANs To remove a VLAN, click the Delete icon alongside the VLAN interface in the main Network Setup -> Connections table

Page 295

Network Setup 93 Typically, a tagged VLAN interface is used when you want to join an existing VLAN on the network, and an untagged VLAN interface is u

Page 296

Network Setup 94 The following settings pertain to port based VLANs: • Enable port based VLANs: Check to enable port based VLANs. • Default port base

Page 297

Network Setup 95 The following settings are displayed: • Interface: The port based VLAN capable interface on which to add the VLAN. • VLAN ID: If you
