Funkwerk R3000w User manual

Copyright ©January 26, 2006 Funkwerk Enterprise Communications GmbH
Version 1.0
User's Guide
bintec R3000w / R3400 / R3800
Security

Purpose: This document is part of the user's guide to the installation and configuration of bintec gateways running software release 7.3.1 or later. For up-to-the-minute information and instructions concerning the latest software release, you should always read our Release Notes, especially when carrying out a software update to a later release level. The latest Release Notes can be found at www.funkwerk-ec.com.
Liability: While every effort has been made to ensure the accuracy of all information in this manual, Funkwerk Enterprise Communications GmbH cannot assume liability to any party for any loss or damage caused by errors or omissions or by statements of any kind in this document and is only liable within the scope of its terms of sale and delivery.
The information in this manual is subject to change without notice. Additional information, changes and Release Notes for bintec gateways can be found at www.funkwerk-ec.com.
As multiprotocol gateways, bintec gateways set up WAN connections in accordance with the system configuration. To prevent unintentional charges accumulating, the operation of the product should be carefully monitored. Funkwerk Enterprise Communications GmbH accepts no liability for loss of data, unintentional connection costs and damages resulting from unsupervised operation of the product.
Trademarks: bintec and the bintec logo are registered trademarks of Funkwerk Enterprise Communications GmbH. Other product names and trademarks mentioned are usually the property of the respective companies and manufacturers.
Copyright: All rights are reserved. No part of this publication may be reproduced or transmitted in any form or by any means – graphic, electronic, or mechanical – including photocopying, recording in any medium, taping, or storage in information retrieval systems, without the prior written permission of Funkwerk Enterprise Communications GmbH. Adaptation and especially translation of the document is inadmissible without the prior consent of Funkwerk Enterprise Communications GmbH.
Guidelines and standards: bintec gateways comply with the following guidelines and standards:
R&TTE Directive 1999/5/EG
CE marking for all EU countries and Switzerland
You will find detailed information in the Declarations of Conformity at www.funkwerk-ec.com.
How to reach Funkwerk Enterprise Communications GmbH:
Funkwerk Enterprise Communications GmbH
Suedwestpark 94
D-90449 Nuremberg
Germany
Telephone: +49 180 300 9191 0
Fax: +49 180 300 9193 0
Internet: www.funkwerk-ec.com
Bintec France
6/8 Avenue de la Grande Lande
F-33174 Gradignan
France
Telephone: +33 5 57 35 63 00
Fax: +33 5 56 89 14 05
Internet: www.bintec.fr

Security bintec User’s Guide 3
1 Security Menu . . . . . 5
2 Cobion Orange Filter Submenu . . . . . 7
2.1 Configure White List Submenu . . . . . 9
2.2 Configure Filters Submenu . . . . . 9
2.3 View History Submenu . . . . . 13
3 Access Lists Submenu . . . . . 15
3.1 Filter Submenu . . . . . 17
3.2 Rules Submenu . . . . . 21
3.3 Interfaces Submenu . . . . . 23
4 Stateful Inspection Submenu . . . . . 27
4.1 Edit Filters Submenu . . . . . 31
4.2 Edit Services Submenu . . . . . 34
4.3 Edit Addresses Submenu . . . . . 35
4.4 Advanced Settings Submenu . . . . . 37
5 SSH Daemon Submenu . . . . . 39
5.1 Static Settings Submenu . . . . . 40
5.2 Timer Submenu . . . . . 42
5.3 Authentication Algorithms Submenu . . . . . 44
5.4 Supported Ciphers Submenu . . . . . 45
5.5 Message Authentication Codes Submenu . . . . . 47
5.6 Certification Management Submenu . . . . . 48
5.7 Monitoring Submenu . . . . . 48
6 Local Services Access Control Submenu . . . . . 53
Index: Security . . . . . 59

1 Security Menu
The SECURITY menu is described below.
The SECURITY menu is for configuring your gateway’s security features.
It provides access to the following submenus:
■ COBION ORANGE FILTER
■ ACCESS LISTS
■ STATEFUL INSPECTION
■ SSH DAEMON
■ LOCAL SERVICES ACCESS CONTROL
R3000w Setup Tool Funkwerk Enterprise Communications GmbH
[SECURITY]: Security Configuration MyGateway
Cobion Orange Filter >
Access Lists >
Stateful Inspection >
SSH Daemon >
Local Services Access Control >
EXIT

2 Cobion Orange Filter Submenu
The COBION ORANGE FILTER submenu is described below.
The SECURITY ➜ COBION ORANGE FILTER menu is used for configuring a URL-based content filtering service, which accesses the OrangeFilter (previously a product of Cobion AG) from Internet Security Systems (www.iss.net) during operation and checks how a requested Internet page has been classified by the OrangeFilter. The action resulting from the classification is configured on the gateway.
The SECURITY ➜ COBION ORANGE FILTER menu permits the configuration of basic parameters and access to other configuration menus:
■ CONFIGURE WHITE LIST
■ CONFIGURE FILTERS
■ VIEW HISTORY.
R3000w Setup Tool Funkwerk Enterprise Communications GmbH
[SECURITY][ORANGE FILTER]: Static Settings MyGateway
Admin Status : disable
Orange Filter Ticket: B1BT
Ticket Status :
Filtered Interface : none
History Entries : 64
Configure White List >
Configure Filters >
View History >
SAVE CANCEL

The COBION ORANGE FILTER menu consists of the following fields:
Admin Status: Here you can activate the filter. Possible settings:
■ disable (default value): Content filtering is deactivated.
■ enable: Content filtering is activated.
■ enable 30 day demo ticket: Activates a 30-day demo license for the OrangeFilter.
Orange Filter Ticket: Here you enter the number of the OrangeFilter license purchased. The preset code assigned by ISS designates the device type. This entry is only necessary for ADMIN STATUS = enable.
Expiring Date: This field is only shown if a license has been entered and checked. It shows the expiry date of the license (relative to the time set on the gateway) and cannot be edited.
Ticket Status: Shows the result of the last validity check of the license. The validity of the license is checked every 23 hours.
Filtered Interfaces: Here you select for which of the existing Ethernet interfaces content filtering is to be activated. Only one interface can be specified. Internet pages called up via this interface are then monitored by content filtering. You can select one of the physical interfaces. The default value is none.
History Entries: Here you define the number of entries to be saved in the content filtering history. Possible values are between 1 and 512 and the default value is 64.

Table 2-1: COBION ORANGE FILTER menu fields
2.1 Configure White List Submenu
The CONFIGURE WHITE LIST submenu is described below.
The SECURITY ➜ COBION ORANGE FILTER ➜ CONFIGURE WHITE LIST menu contains a list of all URLs and IP addresses that can still be called up even if they are blocked as a result of the filter configuration and the classification in the OrangeFilter (the example contains arbitrary values; the default configuration contains no entries).
You can add other URLs or IP addresses to the list using the ADD button. The length of an entry is limited to 60 characters. Addresses listed in the White List are allowed automatically. It is not necessary to configure a suitable filter.
R3000w Setup Tool Funkwerk Enterprise Communications GmbH
[SECURITY][ORANGE FILTER][WHITE LIST]: Url List MyGateway
White List:
Url / Address
www.funkwerk-ec.com
www.heise.de
ADD DELETE EXIT

2.2 Configure Filters Submenu
The CONFIGURE FILTERS submenu is described below.
The SECURITY ➜ COBION ORANGE FILTER ➜ CONFIGURE FILTERS menu is for configuring which categories of Internet pages are to be handled and how. You configure the relevant filters for this purpose. A list of the filters already configured is shown (the example contains arbitrary values; the default configuration contains no filters). There are basically two different approaches for configuring the filters:
■ First a filter list can be created that only contains entries for those addresses that are to be blocked. In this case it is necessary to make an entry at the end of the filter list that allows all accesses that do not match a filter. (Setting for this: CATEGORY = Default behaviour, ACTION = logging or allow)
■ If you only create entries for those addresses that are to be allowed or logged, it is not necessary to change the default behaviour (= all other calls are blocked).
The filters are added or edited in the SECURITY ➜ COBION ORANGE FILTER ➜ CONFIGURE FILTERS ➜ ADD/EDIT menu.
R3000w Setup Tool Funkwerk Enterprise Communications GmbH
[SECURITY][ORANGE FILTER][FILTER]: Filter List MyGateway
Content Filter List:
Category Day Start Stop Action Prio
Anonymous Proxies Everyday 00:00 23:59 block 1
Criminal Activities Everyday 00:00 23:59 block 11
Pornography/Nudity Everyday 00:00 23:59 block 12
Unknown URL Monday - Friday 00:00 23:59 logging 20
Ordering Monday - Friday 00:00 23:59 logging 1
default behaviour Everyday 00:00 23:59 allow 30
ADD DELETE EXIT

The menu consists of the following fields:
R3000w Setup Tool Funkwerk Enterprise Communications GmbH
[SECURITY][ORANGE FILTER][FILTER][ADD] MyGateway
Category : Anonymous Proxies
Day : Everyday
From : [0 :0 ] To : [23:59]
Action : block
Priority : 0
SAVE CANCEL
Category: Here you select which category of addresses/URLs the filter is to be used on. The options are first the standard categories of the Cobion OrangeFilter (default value: Anonymous Proxies). Actions can also be defined for the following special cases:
■ Default behaviour: This category applies to all Internet addresses.
■ No valid license ticket: If the Cobion OrangeFilter license is invalid, this category applies to all Internet addresses.
■ Orange Server not reachable: If the Cobion OrangeFilter servers are not reachable, the action associated with this category is used.
■ Other Category: Some addresses are already known to the Cobion OrangeFilter, but not yet classified. The action associated with this category is used for such addresses.
■ Unknown URL: If an address is not known to the Cobion OrangeFilter, the action associated with this category is used.
Day: Here you select the days on which the filter is to be active. Possible settings:
■ Everyday: The filter is used every day of the week.
■ <Workday>: The filter is used on a certain day of the week. Only one day can be selected per filter; several filters must be configured if several individual days are to be covered.
■ Monday-Friday: The filter is used from Monday to Friday.
The default setting is Everyday.
From: Here you enter the time at which the filter is to be activated. The time is entered in the form hh:mm. The default setting is 0:0.
To: Here you enter the time at which the filter is to be deactivated. The time is entered in the form hh:mm. The default setting is 23:59.
Action: Here you select the action to be executed if the filter matches a call. Possible settings:
■ block: The call of the requested page is prevented.
■ logging: The call is permitted, but logged. The logged events can be viewed in the SECURITY ➜ COBION ORANGE FILTER ➜ VIEW HISTORY menu.
■ allow: The call is permitted, but not logged.
The default setting is block.
Priority: Here you assign the filter a priority. The filters are used in accordance with this priority. Possible values are between 0 and 999 and a value of 1 is the highest priority. The value 0 indicates an entry without priority, which is placed at the end of the filter list. The default value is 0.
Table 2-2: CONFIGURE FILTERS ➜ ADD/EDIT menu fields

2.3 View History Submenu
The VIEW HISTORY submenu is described below.

2
14 bintec User’s Guide Security
Cobion Orange Filter Submenu
You can view the recorded history of the content filter in the SECURITY ➜ COBION ORANGE FILTER ➜ VIEW HISTORY menu: The history logs all calls that are marked for logging by a relevant filter (ACTION = logging), likewise all rejected calls.
R3000w Setup Tool Funkwerk Enterprise Communications GmbH
[SECURITY][ORANGE FILTER][HISTORY]: History List MyGateway
History List:
Date Time Client Url Category Action
11/12 16:09.52 192.168.0.1 www.xxx.de/ Pornography/Nudity block
11/12 16:09.52 192.168.0.2 www.droge.de/ Drugs block
EXIT
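How the filter list, the White List and the history of this chapter fit together, as an added Python model (not the gateway firmware or any Funkwerk code): entries are tried in priority order, the first entry whose category and day/time window apply decides, calls caught by a logging or block entry go to the history, and a White List host bypasses every filter. The category passed to decide() stands in for the classification the OrangeFilter service would return; the license and server-unreachable special cases are not modelled.

```python
from dataclasses import dataclass, field
from datetime import datetime

WEEKDAYS = ("Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday")

@dataclass(frozen=True)
class ContentFilterEntry:
    """One row of the CONFIGURE FILTERS list."""
    category: str          # OrangeFilter category or a special case such as "Default behaviour"
    action: str            # "block", "logging" or "allow"
    priority: int = 0      # 1 = highest; 0 = without priority, placed at the end
    day: str = "Everyday"  # "Everyday", "Monday-Friday" or one weekday name
    start: str = "00:00"   # FROM, hh:mm
    stop: str = "23:59"    # TO, hh:mm

    def active_at(self, when: datetime) -> bool:
        """Is the filter active on the given weekday and within its time window?"""
        if self.day == "Everyday":
            day_ok = True
        elif self.day == "Monday-Friday":
            day_ok = when.weekday() < 5
        else:
            day_ok = WEEKDAYS[when.weekday()] == self.day
        # zero-padded hh:mm strings compare correctly as text
        return day_ok and self.start <= when.strftime("%H:%M") <= self.stop

def priority_key(entry: ContentFilterEntry):
    """Sort key: priority 1 first, larger values later, 0 (no priority) last."""
    return (entry.priority == 0, entry.priority)

@dataclass
class OrangeFilterGateway:
    filters: list
    white_list: list = field(default_factory=list)  # hosts allowed without any filter
    history: list = field(default_factory=list)     # what VIEW HISTORY would show

    def decide(self, client: str, url: str, category: str, when: datetime) -> str:
        """Return "allow" or "block" for one page call. `category` stands in for the
        classification the OrangeFilter service would return for the URL (assumption)."""
        if url.split("/", 1)[0] in self.white_list:
            return "allow"                          # White List bypasses the filters
        for entry in sorted(self.filters, key=priority_key):
            if entry.category in (category, "Default behaviour") and entry.active_at(when):
                if entry.action != "allow":         # logging and block both go to the history
                    self._log(when, client, url, category, entry.action)
                return "block" if entry.action == "block" else "allow"
        self._log(when, client, url, category, "block")
        return "block"                              # unchanged default behaviour: block

    def _log(self, when, client, url, category, action):
        self.history.append((when.strftime("%m/%d %H:%M"), client, url, category, action))

# Filter list constructed from the CONFIGURE FILTERS screen shown in this chapter.
EXAMPLE_FILTERS = [
    ContentFilterEntry("Anonymous Proxies", "block", 1),
    ContentFilterEntry("Criminal Activities", "block", 11),
    ContentFilterEntry("Pornography/Nudity", "block", 12),
    ContentFilterEntry("Unknown URL", "logging", 20, "Monday-Friday"),
    ContentFilterEntry("Ordering", "logging", 1, "Monday-Friday"),
    ContentFilterEntry("Default behaviour", "allow", 30),
]
```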

3 Access Lists Submenu
The ACCESS LISTS submenu is described below.
The SECURITY ➜ ACCESS LISTS menu is for defining filters for IP packets to allow or deny access to or from the various hosts in the connected networks. This enables you to prevent undesired connections being set up via the gateway.
Access lists define the type of IP traffic the gateway is to accept or deny. The access decision is based on information contained in the IP packets, e.g.:
■ source and/or destination IP address
■ packet protocol
■ source and/or destination port (port ranges are supported)
Access lists are an effective means if, for example, sites with LANs interconnected over a Bintec gateway wish to deny all incoming FTP requests or only allow Telnet sessions between certain hosts.
IP filters (access lists) in the gateway are based on the combination of filters and actions for filter rules (= rules) and the linking of these rules to form rule chains. They act on the incoming data packets to allow or deny access to the gateway for certain data.
R3000w Setup Tool Funkwerk Enterprise Communications GmbH
[SECURITY][ACCESS]: IP Access Lists MyGateway
Filter
Rules
Interfaces
EXIT

Filter: A filter describes a certain part of the IP data traffic based on the source and/or destination IP address, netmask, protocol, source and/or destination port.
Rule: You use a rule to tell the gateway what to do with the filtered data packets, i.e. whether it should allow or deny them. You can also define several rules, which you arrange in the form of a chain to obtain a certain sequence.
Chain: There are various approaches for the definition of rules and rule chains:
■ Allow all packets that are not explicitly denied, i.e.:
– Deny all packets that match Filter 1.
– Deny all packets that match Filter 2.
– ...
– Allow the rest.
■ Allow all packets that are explicitly allowed, i.e.:
– Allow all packets that match Filter 1.
– Allow all packets that match Filter 2.
– ...
– Deny the rest.
■ Combination of the two possibilities described above.
A number of separate rule chains can be created. The same filter can also be used in different rule chains.
Interface: You can also assign a rule chain individually to each interface.
The ACCESS LISTS menu consists of the following submenus:
■ FILTER
■ RULES
■ INTERFACES
Attention!
Make sure you don't lock yourself out when configuring filters.
If possible, access your gateway for filter configuration over the serial console interface or ISDN Login.
If you still access your gateway over your LAN (e.g. with telnet over ETH1), before you start filter configuration select the menu SECURITY ➜ ACCESS LISTS ➜ INTERFACES ➜ EDIT (e.g. for en0-1): First rule = none.

3.1 Filter Submenu
The FILTER submenu is described below.
The SECURITY ➜ ACCESS LISTS ➜ FILTER menu is used for configuring filters.
Each filter describes a certain part of the IP traffic and defines, for example, the
IP addresses, the protocol, the source port or the destination port.
This menu lists all the IP access filters configured and shows the index number,
description and conditions for every single filter. The abbreviations used in the
Conditions column are explained in the field above the list.
The ADD/EDIT menu is used for configuration of the filters:
R3000w Setup Tool Funkwerk Enterprise Communications GmbH
[SECURITY][ACCESS][FILTER]: Configure IP MyGateway
Access Filter
Abbreviations: sa (source IP address) sp (source port)
da (destination IP address) dp (destination port)
it (icmp type) estab (TCP established)
Index Descr Conditions
1 ToNetbiosPorts dp 137-139
ADD DELETE EXIT

It consists of the following fields:
R3000w Setup Tool Funkwerk Enterprise Communications GmbH
[SECURITY][ACCESS][FILTER][EDIT] MyGateway
Description
Index 1
Protocol any
Source Address
Source Mask
Destination Address
Destination Mask
Type of Service (TOS) 00000000 TOS Mask 00000000
SAVE CANCEL
Description: Designation of the filter. Note that only the first 10 or 15 characters are visible in other menus.
Index: Cannot be changed here. The gateway assigns a number to newly defined filters automatically.
Protocol: Defines a protocol. Possible values: any, tcp/udp-port, icmp, ggp, ip, tcp, egp, igp, pup, chaos, udp, hmp, xns_idp, rdp, rsvp, gre, esp, ah, tlsp, skip, kryptolan, iso-ip, igrp, ospf, ipip, ipx-in-ip, vrrp, l2tp. any matches any protocol. The default value is any.
Type: Only if PROTOCOL = icmp. Possible values: any, echo reply, destination unreachable, source quench, redirect, echo, time exceeded, param problem, timestamp, timestamp reply, address mask, address mask reply. The default value is any. See RFC 792.
Connection State: If PROTOCOL = tcp, you can define a filter based on the status of the TCP connection. Possible values:
■ established: All TCP packets that would not open any new TCP connection on routing over the gateway match the filter.
■ any (default value): All TCP packets match the filter.
Source Address: Defines the source IP address of the data packets.
Source Mask: Netmask for SOURCE ADDRESS.
Source Port: Only for PROTOCOL = tcp/udp-port, tcp, udp. Source port number or range of source port numbers. For possible values see table "Selection options of SOURCE PORT and DESTINATION PORT" on page 20. The default value is any.
Specify Port .. to Port: If SOURCE PORT or DESTINATION PORT = specify or specify range: Port numbers or range of port numbers.
Destination Address: Defines the destination IP address of the data packets.
Destination Mask: Netmask for DESTINATION ADDRESS.
Destination Port: Only for PROTOCOL = tcp/udp-port, tcp, udp. Destination port number or range of destination port numbers that matches the filter. For possible values see table "Selection options of SOURCE PORT and DESTINATION PORT" on page 20. The default value is any.
Type of Service <TOS>: Identifies the priority of the IP packet, cf. RFC 1349 and RFC 1812 (shown in binary format).
TOS Mask: Bitmask for Type of Service (shown in binary format).
Table 3-1: FILTER menu fields

The SOURCE PORT and DESTINATION PORT contain the following selection options:
any (default value): The route is valid for all port numbers.
specify: Enables the entry of a port number.
specify range: Enables the entry of a range of port numbers.
priv (0...1023): Privileged port numbers: 0 ... 1023.
server (5000...32767): Server port numbers: 5000 ... 32767.
clients 1 (1024...4999): Client port numbers: 1024 ... 4999.
clients 2 (32768...65535): Client port numbers: 32768 ... 65535.
unpriv (1024...65535): Unprivileged port numbers: 1024 ... 65535.
Table 3-2: Selection options of SOURCE PORT and DESTINATION PORT
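Filters with the section 3.1 conditions (sa, da with netmask, protocol, sp/dp port ranges, estab) chained into allow/deny rules as section 3 describes, as an added Python model that is not the gateway's own implementation: the packet dicts and the two chains are constructed, the ToNetbiosPorts filter mirrors the screen above, and "established" is taken to mean TCP packets carrying ACK.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

def in_network(addr: str, base: str, mask: str) -> bool:
    """True if addr lies in the network given by a base address and a dotted netmask."""
    return ip_address(addr) in ip_network(f"{base}/{mask}", strict=False)

@dataclass(frozen=True)
class AccessFilter:
    """One FILTER entry; pkt is a constructed dict like {"proto": "tcp", "src": "192.168.0.7", "dst": "10.0.0.5", "dport": 23, "flags": {"SYN"}}."""
    descr: str
    protocol: str = "any"              # any, tcp, udp, icmp, tcp/udp-port, ...
    sa: "str | None" = None            # SOURCE ADDRESS, None = not checked
    sa_mask: str = "255.255.255.255"   # SOURCE MASK
    da: "str | None" = None            # DESTINATION ADDRESS
    da_mask: str = "255.255.255.255"   # DESTINATION MASK
    sp: "tuple | None" = None          # SOURCE PORT (low, high), None = any
    dp: "tuple | None" = None          # DESTINATION PORT (low, high), None = any
    estab: bool = False                # CONNECTION STATE = established

    def matches(self, pkt: dict) -> bool:
        proto = pkt["proto"]
        if self.protocol == "tcp/udp-port":
            if proto not in ("tcp", "udp"):
                return False
        elif self.protocol != "any" and proto != self.protocol:
            return False
        if self.sa and not in_network(pkt["src"], self.sa, self.sa_mask):
            return False
        if self.da and not in_network(pkt["dst"], self.da, self.da_mask):
            return False
        if self.sp and not self.sp[0] <= pkt.get("sport", -1) <= self.sp[1]:
            return False
        if self.dp and not self.dp[0] <= pkt.get("dport", -1) <= self.dp[1]:
            return False
        # established = TCP packets that would not open a new connection (ACK set); a bare SYN does not match
        if self.estab and (proto != "tcp" or "ACK" not in pkt.get("flags", set())):
            return False
        return True

@dataclass(frozen=True)
class Rule:
    action: str                          # "allow" or "deny"
    filt: "AccessFilter | None" = None   # None = matches "the rest"

def evaluate_chain(chain: list, pkt: dict) -> str:
    """The first matching rule decides; an empty chain (FIRST RULE = none) leaves the packet unfiltered."""
    for rule in chain:
        if rule.filt is None or rule.filt.matches(pkt):
            return rule.action
    return "allow"

# Constructed chains: DENY_LIST_CHAIN allows all packets not explicitly denied, ALLOW_LIST_CHAIN only explicitly allowed ones.
DENY_LIST_CHAIN = [
    Rule("deny", AccessFilter("ToNetbiosPorts", "tcp/udp-port", dp=(137, 139))),
    Rule("deny", AccessFilter("IncomingFTP", "tcp", dp=(21, 21))),
    Rule("allow"),
]
ALLOW_LIST_CHAIN = [
    Rule("allow", AccessFilter("TelnetToServer", "tcp", sa="192.168.0.0", sa_mask="255.255.255.0", da="10.0.0.5", dp=(23, 23))),
    Rule("allow", AccessFilter("Established", "tcp", estab=True)),
    Rule("deny"),
]
```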