3Com OfficeConnect 3C16771 User manual

http://www.3com.com/
OfficeConnect®
Internet Firewall
User Guide
OfficeConnect Internet Firewall 25 3C16770
OfficeConnect Internet Firewall DMZ 3C16771
OfficeConnect Web Site Filter 3C16772
Part No. DUA1677-0AAA03
Published June 2000

3Com Corporation ■ 5400 Bayfront Plaza ■ Santa Clara, California ■ 95052-8145
Copyright © 2000, 3Com Technologies. All rights reserved. No part of this documentation may be
reproduced in any form or by any means or used to make any derivative work (such as translation,
transformation, or adaptation) without written permission from 3Com Technologies.
3Com Technologies reserves the right to revise this documentation and to make changes in content
from time to time without obligation on the part of 3Com Technologies to provide notification of such
revision or change.
3Com Technologies provides this documentation without warranty, term, or condition of any kind,
either implied or expressed, including, but not limited to, the implied warranties, terms or conditions of
merchantability, satisfactory quality, and fitness for a particular purpose. 3Com may make
improvements or changes in the product(s) and/or the program(s) described in this documentation at
any time.
If there is any software on removable media described in this documentation, it is furnished under a
license agreement included with the product as a separate document, in the hard copy documentation, or
on the removable media in a directory file named LICENSE.TXT or !LICENSE.TXT. If you are unable to
locate a copy, please contact 3Com and a copy will be provided to you.
UNITED STATES GOVERNMENT LEGEND
If you are a United States government agency, then this documentation and the software described
herein are provided to you subject to the following:
All technical data and computer software are commercial in nature and developed solely at private
expense. Software is delivered as “Commercial Computer Software” as defined in DFARS
252.227-7014 (June 1995) or as a “commercial item” as defined in FAR 2.101(a) and as such is
provided with only such rights as are provided in 3Com’s standard commercial license for the Software.
Technical data is provided with limited rights only as provided in DFAR 252.227-7015 (Nov 1995) or FAR
52.227-14 (June 1987), whichever is applicable. You agree not to remove or deface any portion of any
legend provided on any licensed program or documentation contained in, or delivered to you in
conjunction with, this User Guide.
Unless otherwise indicated, 3Com registered trademarks are registered in the United States and may or
may not be registered in other countries.
3Com, the 3Com logo, and OfficeConnect are registered trademarks of 3Com Corporation.
Microsoft, Windows, and Windows NT are registered trademarks of Microsoft Corporation. Netscape
Navigator is a registered trademark of Netscape Communications. Novell and NetWare are registered
trademarks of Novell, Inc. UNIX is a registered trademark in the United States and other countries,
licensed exclusively through X/Open Company, Ltd. CyberNOT is a registered trademark of Learning
Company Properties Inc.
All other company and product names may be trademarks of the respective companies with which they
are associated.

CONTENTS
ABOUT THIS GUIDE
How to Use This Guide
Conventions
Terminology
Year 2000 Compliance
Feedback about this User Guide
1 INTRODUCTION
What is the Internet Firewall?
Internet Firewall Security Functions
Internet Firewall Features
Firewall Security
Internet Filtering
Logs and Alerts
User Remote Access (from the Internet)
Automatic IP Address Sharing and Configuration
2 INSTALLING THE HARDWARE
Important Safety Information
Wichtige Sicherheitshinweise
Consignes Importantes de Sécurité
Before You Start
Stacking the Units Together
Securing the Internet Firewall with the Rubber Feet
Stacking the Internet Firewall with the Clip
Positioning the Internet Firewall
Securing the Internet Firewall
Internet Firewall Front Panel
Internet Firewall Rear Panel
Attaching the Internet Firewall to the Network

3 QUICK SETUP FOR THE INTERNET FIREWALL
Checklist for Setting up the Internet Firewall
Cable Modem Users
Initial Configuration
Required Information for the Internet Firewall Wizard
Setting up the Internet Firewall
4 COMMAND REFERENCE
Status Messages
Setting the Clock
Setting the Administrator Password
Network Settings
Network Addressing Mode
Specifying DMZ Addresses (Internet Firewall DMZ only)
Setting up the DHCP Server
Viewing the DHCP Server Status
Diagnostic Tools
DNS Name Lookup
Find Network Path
Ping
Packet Trace
Technical Support Report
Filter Settings
Restricting the Web Features Available
Blocking Options
The OfficeConnect Web Site Filter
Specifying When Filtering Applies
Update Filter
Keywords
Custom List
Setting up Trusted and Forbidden Domains
Setting Other Custom List Options
Consent
Logs and Alerts
Viewing the Log
Log/Alert Settings
Reports
Restarting the Internet Firewall

Saving and Restoring Configuration Settings
Specifying the Export File
Reloading the Settings
Restore Factory Defaults
Upgrading the Software
Policy
Services
Adding a Service
Policy Rules
Network Access Rule Logic List
Understanding the Network Access Rule Hierarchy
Examples of Network Access Rules
User Privileges
User Settings
Establishing an Authenticated Session
Automatic Proxy Forwarding
Example of Installing a Proxy Server
Specifying Intranet Settings
Installing the Internet Firewall to Protect the Intranet
Configuring the Internet Firewall to Protect the Intranet
Intranet Window Boxes and Controls
Static Routes
Static Routes Window Boxes and Controls
Setting up One-to-One NAT
5 THE OFFICECONNECT WEB SITE FILTER ACTIVATION
What is the Web Site Filter?
Activating the Web Site Filter
6 TROUBLESHOOTING GUIDE
Introduction
Potential Problems
Power LED Not Lit
Power LED Flashes Continuously
Power and Alert LED Lit Continuously
Link LED is Off
Ethernet Connection is Not Functioning

Cannot Access the Management Interface
LAN Users Cannot Access the Internet
Internet Firewall Does Not Save Changes
Duplicate IP Address Errors Are Occurring
Machines on the WAN Are Not Reachable
A CABLE SPECIFICATIONS AND PINOUT DIAGRAM
Cable Specifications
Pinout Diagrams
B TECHNICAL SPECIFICATIONS AND STANDARDS
C OPTIONAL DIRECT CONNECTION
Introduction
Direct Connection Instructions
D IP PORT NUMBERS
Introduction
Well Known Port Numbers
Registered Port Numbers
E EXAMPLE CONFIGURATIONS
Introduction
Protecting an Existing Network with the Internet Firewall 25
Increasing the number of IP addresses available using NAT
Setting up the Internet Firewall 25 with an OfficeConnect 56K LAN Modem
F INTRODUCTION TO IP ADDRESSING
Network Protocols
IP and TCP
IP Addressing
IP Address
Subnet Mask
Default Gateway

G RESETTING THE INTERNET FIREWALL
Introduction
Resetting the Internet Firewall
Reloading the Firmware
H TECHNICAL SUPPORT
Online Technical Services
World Wide Web Site
3Com Knowledgebase Web Services
3Com FTP Site
3Com Facts Automated Fax Service
Support from Your Network Supplier
Support from 3Com
Returning Products for Repair
INDEX
3COM CORPORATION LIMITED WARRANTY
ELECTROMAGNETIC COMPATIBILITY


ABOUT THIS GUIDE
This guide describes the following products:
■ The two variants of the OfficeConnect® Internet
Firewall:
  ■ OfficeConnect Internet Firewall 25 3C16770
  ■ OfficeConnect Internet Firewall DMZ 3C16771
■ OfficeConnect Web Site Filter 3C16772 — software for
use with either variant of the Internet Firewall, available
as an optional extra.
Introduction
The OfficeConnect Internet Firewall acts as a secure barrier
to protect a private LAN from hacker attacks from the
Internet. It can also be used to control the access that LAN
users have to the Internet.
The OfficeConnect Internet Firewall 25 supports up to 25
users on the LAN.
The OfficeConnect Internet Firewall DMZ supports up to
100 users on the LAN. In addition, the OfficeConnect
Internet Firewall DMZ has a Demilitarized Zone (DMZ) port.
Servers and workstations attached to this port are publicly
accessible from the Internet, but remain secure from
Denial-of-Service (DoS) hacker attacks from the Internet. If
an Internet Firewall feature described in this guide applies
only to the DMZ version, a note tells you this.
The OfficeConnect Web Site Filter is an optional extra that
can be used with either variant of the Internet Firewall. You
can use it to prevent LAN users accessing Web sites that fit
into categories that are considered inappropriate for
business use. The Web Site Filter updates the Internet
Firewall automatically with the latest URLs matching
selected categories. It is available as a 12-month

10 ABOUT THIS GUIDE
subscription. The Internet Firewall has a one-month free
subscription for the Web Site Filter.
This guide is intended for use by the person responsible for
installing or managing the network. It assumes knowledge
of the following:
■ Basic familiarity with Ethernet networks and the
Internet Protocol.
■ Knowledge of how to install and handle electronically
sensitive equipment.
If release notes are shipped with your product and the
information there differs from the information in this
guide, follow the instructions in the release notes.
Most user guides and release notes are available in Adobe
Acrobat Reader Portable Document Format (PDF) or HTML
on the 3Com World Wide Web site:
http://www.3com.com/
How to Use This Guide
Table 1 shows where to look for specific information in this
guide.
Table 1 Where to find specific information
If you are looking for... | Turn to...
A description of the Internet Firewall’s features and example applications. | Chapter 1
A description of the Internet Firewall’s front and back panel displays and connectors, and installation information. | Chapter 2
A quick setup guide for the Internet Firewall. | Chapter 3
How to configure the Internet Firewall. | Chapter 4
Information about installing and setting up the Web Site Filter. | Chapter 5
Solutions to commonly encountered problems. | Chapter 6
Information about cables and pinout diagrams for all connectors on the Internet Firewall. | Appendix A
A list of the Internet Firewall technical specifications. | Appendix B
Information about how to connect the Internet Firewall directly to a PC with a Web browser for initial configuration. | Appendix C
Information about IP port numbering. | Appendix D
Step by step examples of how you can configure your Internet Firewall. | Appendix E
A non-technical overview of IP addressing. | Appendix F
Information on resetting the Internet Firewall. | Appendix G
Information about obtaining Technical Support. | Appendix H

Conventions
Table 2 and Table 3 list conventions that are used
throughout this guide.
Table 2 Notice Icons
Notice Type | Description
Information note | Information that describes important features or instructions.
Caution | Information that alerts you to potential loss of data or potential damage to an application, system, or device.
Warning | Information that alerts you to potential personal injury.
Table 3 Text Conventions
Convention | Description
Screen displays | This typeface represents information as it appears on the screen.
Commands | The word “command” means that you must enter the command exactly as shown and then press Return or Enter. Commands appear in bold. Example: To remove the IP address, enter the following command: SETDefault !0 -IP NETaddr = 0.0.0.0
The words “enter” and “type” | When you see the word “enter” in this guide, you must type something, and then press Return or Enter. Do not press Return or Enter when an instruction simply says “type.”
Keyboard key names | If you must press two or more keys simultaneously, the key names are linked with a plus sign (+). Example: Press Ctrl+Alt+Del
Words in italics | Italics are used to: emphasize a point; denote a new term at the place where it is defined in the text; identify menu names, menu commands, and software button names. Examples: From the Help menu, select Contents. Click OK.

Terminology
This section lists terminology used in this guide.
DHCP — Dynamic Host Configuration Protocol. This is a
protocol that lets network administrators manage centrally
and automate the assignment of Internet Protocol
addresses in an organization's network from a server on
the network.
DMZ — Demilitarized Zone port. The OfficeConnect
Internet Firewall DMZ has an extra port. If you connect
publicly-accessible servers and workstations to this port,
they are accessible from the Internet but still protected
from DoS attacks.
DoS Attacks — Denial of Service Attacks. An attempt to
stop one of your services running, such as a Web or FTP
server. There are several kinds of DoS attacks.
IP address — The Internet Protocol address is the network
layer address of a device assigned by the user or network
administrator of an IP network. An IP address consists of 32
bits divided into two or three fields: a network number and
a host number or a network number, a subnet number, and
a host number.
IP Spoof — A type of DoS attack. An IP spoof uses a fake
IP address to bypass security settings which may bar access
from the real IP address.
IRC — Internet Relay Chat. Provides a way of
communicating in real time with people from all over the
world.
ISP — Internet Service Provider. A business that provides
Internet access to individuals or organizations.
Internet Firewall — Used in this guide to refer to both the
OfficeConnect Internet Firewall 25 and the OfficeConnect
Internet Firewall DMZ.
LAND Attack — A type of DoS attack. In a LAND attack, a
packet is sent that appears to come from the same address
and port that it is sent to. This can hang the machine to
which it is sent.
Management Station — This is the workstation from
which you run the Web-based management interface for
the Internet Firewall.
Management Interface — This is the Web-based
application which you use to set up the Internet Firewall to
protect your network from attack and to control access to
the Internet for LAN users.
NAT — Network Address Translation. NAT refers to the
process of converting the IP addresses used within a private
network to Internet IP addresses.
NNTP — Network News Transfer Protocol. This protocol is
used to distribute Usenet news articles over the Internet.
Ping of Death — A type of DoS attack. The Internet
Protocol (IP) defines the maximum size for a Ping packet.
However, some Ping programs can send packets that are
larger than this size which can cause some systems to
crash.
PPPoE — Point to Point Protocol over Ethernet. PPP is the
Internet Standard for transmission of IP packets over serial
lines. PPPoE is a version of this protocol that operates over
Ethernet.
SYN Flood — A type of DoS attack. This is where a client
opens a connection with a server but does not complete it.
If the server queue fills up with partially-open connections,
no other clients can make genuine connections to that
server.
UTC — stands for “Universal Time Co-ordinated”, and is
the standard time common to all places in the world. It is
also commonly referred to as GMT or World Time.
Web Site Filter — Abbreviation for the OfficeConnect
Web Site Filter.
Year 2000 Compliance
For information on Year 2000 compliance and 3Com
products, visit the 3Com Year 2000 Web page:
http://www.3com.com/products/yr2000.html
Feedback about this User Guide
Your suggestions are very important to us. They will help
make our documentation more useful to you. Please e-mail
comments about this document to 3Com at:
pddtechpubs_comments@3com.com
Please include the following information when
commenting:
■ Document title
■ Document part number (on the title page)
■ Page number (if appropriate)
Example:
■ OfficeConnect Internet Firewall User Guide
■ Part Number DUA1677-1AAA02
■ Page 24
Do not use this e-mail address for technical support
questions. For information about contacting Technical
Support, see Appendix H.


1 INTRODUCTION
This chapter contains the following:
■ What is the Internet Firewall?
■ Internet Firewall Security Functions
■ Internet Firewall Features
What is the Internet Firewall?
The Internet Firewall is a firewall appliance which is
installed between the LAN and the Internet access device,
such as an OfficeConnect® LAN Modem. The Internet
Firewall is a complete network security system with all
hardware and software pre-installed. This allows it to act as
a secure gateway for all data passing between the Internet
and the LAN.
The purpose of the Internet Firewall is to allow a private
Local Area Network (LAN) to be securely connected to the
Internet. You can use the Internet Firewall to:
■ Prevent theft, destruction, and modification of data.
■ Filter incoming data for unsafe or objectionable
content.
■ Log events which may be important to the security of
your network.
The Internet Firewall has either two or three Ethernet ports
(depending on the model) which are used to divide the
network into separate areas.
■ The Wide Area Network (WAN) port attaches to the
Internet access device, for example, OfficeConnect LAN
Modem, Cable Modem or SDSL Router.
■ The Local Area Network (LAN) port attaches to the local
network through hubs and switches. LAN users have
access to Internet services such as e-mail, FTP, and the
World Wide Web. However, all workstations and data
on the LAN are protected from hacker attacks that
might come through the WAN port.
■ On the OfficeConnect Internet Firewall DMZ, there is a
third port. The Demilitarized Zone (DMZ) port is used for
public servers, such as Web or FTP servers. Machines
attached to this port are visible from the WAN port, but
are still protected from hacker attacks. Users on the
secure LAN port can also access servers on the DMZ
port.
Internet Firewall Security Functions
Figure 1 and Figure 2 illustrate security functions on the
Internet Firewall.
Users on the LAN have access to all resources on the
Internet that are not blocked by any of the filters. In
Figure 2, computers on the LAN also have full access to
devices on the DMZ.
Users on the Internet can access hosts on the DMZ, such as
a Web server, but cannot access any resources on the LAN
unless they are authorized remote users.

Figure 1 Internet Firewall 25 Security Functions
Internet Firewall Features
This section lists the features of the Internet Firewall.
Firewall Security
The OfficeConnect Internet Firewall is preconfigured to
monitor Internet traffic, and detect and thwart Denial of
Service (DoS) hacker attacks automatically.
DoS attacks include:
■ Ping of Death
■ SYN Flood
■ LAND Attack
■ IP Spoofing
■ Teardrop — a DoS hacker tool which is widely available
on the Internet.
Figure 2 Internet Firewall DMZ Security Functions
The Internet Firewall uses stateful packet inspection to
determine if a data packet from the Internet is allowed
through to the private LAN. This is similar to algorithms
implemented in more costly firewalls commonly used in
large enterprises.
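
The following sketch is an added example, not 3Com code and not the firewall's actual algorithm: it shows the idea of stateful inspection described above together with header checks for three of the DoS attacks as this guide defines them (LAND Attack, IP Spoof, Ping of Death). The 192.168.1.0/24 LAN range, the class and field names, and all packets are assumptions constructed for illustration.

```python
"""Toy stateful filter: a WAN packet reaches the LAN only if it passes the
header sanity checks and answers a session that a LAN host opened."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

MAX_IP_DATAGRAM = 65535                  # largest size the IP length field allows
LAN_NET = ip_network("192.168.1.0/24")   # assumed private LAN range


@dataclass(frozen=True)
class Packet:
    """Header fields only. Every packet used here is constructed sample data."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    frag_offset: int = 0   # byte offset of this fragment in the datagram
    length: int = 40       # bytes carried by this fragment


class StatefulFilter:
    def __init__(self, lan_net=LAN_NET):
        self.lan_net = lan_net
        self.sessions = set()   # (lan_ip, lan_port, remote_ip, remote_port, proto)

    def outbound(self, p: Packet) -> str:
        """LAN -> WAN: record the session so that replies can be matched."""
        self.sessions.add((p.src, p.sport, p.dst, p.dport, p.proto))
        return "allow"

    def inbound(self, p: Packet) -> str:
        """WAN -> LAN: return 'allow' or 'drop:<reason>'."""
        if p.src == p.dst and p.sport == p.dport:
            return "drop:land"                 # same address and port at both ends
        if ip_address(p.src) in self.lan_net:
            return "drop:ip-spoof"             # LAN source arriving from the WAN
        if p.frag_offset + p.length > MAX_IP_DATAGRAM:
            return "drop:ping-of-death"        # would reassemble past the IP limit
        if (p.dst, p.dport, p.src, p.sport, p.proto) in self.sessions:
            return "allow"                     # reply to a session the LAN opened
        return "drop:no-session"               # unsolicited traffic


def demo():
    """Run constructed packets through the filter and return the verdicts."""
    fw = StatefulFilter()
    fw.outbound(Packet("192.168.1.10", 40000, "198.51.100.5", 80))
    samples = {
        "reply": Packet("198.51.100.5", 80, "192.168.1.10", 40000),
        "unsolicited": Packet("198.51.100.5", 80, "192.168.1.10", 40001),
        "land": Packet("192.168.1.10", 139, "192.168.1.10", 139),
        "spoof": Packet("192.168.1.77", 4000, "192.168.1.10", 80),
        "oversize": Packet("203.0.113.9", 0, "192.168.1.10", 0, "icmp", 65528, 100),
    }
    return {name: fw.inbound(p) for name, p in samples.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12} {verdict}")
```

SYN Flood and Teardrop are not covered here; detecting them needs per-server counts of half-open connections and fragment-overlap tracking respectively.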