Secure Computing SG300 User manual

Secure Computing SG
User Manual
Secure Computing
4810 Harwood Road
San Jose, CA 95124-5206
Web: www.securecomputing.com
Revision 3.1.3
March 1st, 2006

Contents
1. Introduction...............................................................................................1
SG Gateway Appliances (SG3xx, SG5xx Series)..................................................1
SG Rack Mount Appliances (SG7xx Series) .........................................................4
SG PCI Appliances (SG6xx Series).......................................................................7
Document Conventions .......................................................................................10
2. Getting Started........................................................................................11
SG Gateway Appliance Quick Setup...................................................................12
SG Rack Mount Appliance Quick Setup..............................................................23
SG PCI Appliance Quick Setup...........................................................................33
The SG Management Console............................................................................40
3. Network Setup.........................................................................................41
Configuring Connections .....................................................................................41
Multifunction vs. Fixed-function Ports..................................................................42
Direct Connection................................................................................................44
ADSL ...................................................................................................................47
Cable Modem ......................................................................................................52
Dialout and ISDN.................................................................................................53
Dialin....................................................................................................................54
Failover, Load Balancing and High Availability....................................................59
Internet Failover...................................................................................................61
Internet Load Balancing.......................................................................................65
High Availability ...................................................................................................68
DMZ Network.......................................................................................................71
Guest Network.....................................................................................................72
Wireless...............................................................................................................75
Bridging................................................................................................................86
VLANs..................................................................................................................90
Port Based VLANs...............................................................................................92
GRE Tunnels.......................................................................................................96
Routes ...............................................................................................................100
System...............................................................................................................108
DNS...................................................................................................................109

DHCP Server.....................................................................................................111
Web Cache........................................................................................................115
QoS Traffic Shaping ..........................................................................................123
IPv6....................................................................................................................125
SIP.....................................................................................................................125
4. Firewall..................................................................................................127
Incoming Access................................................................................................127
Web Server........................................................................................................129
Customizing the Firewall....................................................................................131
Definitions..........................................................................................................132
Packet Filtering..................................................................................................135
Network Address Translation (NAT)..................................................................139
Connection Tracking..........................................................................................151
Intrusion Detection.............................................................................................152
Basic Intrusion Detection and Blocking (IDB)....................................................153
Advanced Intrusion Detection and Prevention (Snort and IPS).........................156
Access Control and Content Filtering ................................................................159
Antivirus.............................................................................................................171
5. Virtual Private Networking...................................................................182
PPTP and L2TP.................................................................................................183
PPTP VPN Server .............................................................................................183
L2TP VPN Server ..............................................................................................191
PPTP and L2TP VPN Client ..............................................................................198
IPSec.................................................................................................................200
Set Up the Branch Office...................................................................................201
Configuring the Headquarters............................................................................213
Tunnel List.........................................................................................................216
NAT Traversal Support......................................................................................219
Dynamic DNS Support.......................................................................................219
Certificate Management.....................................................................................219
IPSec Failover ...................................................................................................224
IPSec Troubleshooting ......................................................................................234
Port Tunnels ......................................................................................................237

6. USB........................................................................................................240
USB Mass Storage Devices ..............................................................................240
USB Printers......................................................................................................247
Printer Troubleshooting .....................................................................................253
USB Network Devices and Modems..................................................................254
7. System...................................................................................................255
Date and Time...................................................................................................255
Backup/Restore Configuration...........................................................................256
Users .................................................................................................................259
Management......................................................................................................263
Diagnostics........................................................................................................266
Advanced...........................................................................................................266
Reboot and Reset..............................................................................................269
Flash upgrade....................................................................................................271
Configuration Files.............................................................................................273
Support..............................................................................................................274
Appendix A – Terminology...........................................................................275
Appendix B – System Log............................................................................281
Access Logging .................................................................................................281
Creating Custom Log Rules...............................................................................283
Rate Limiting......................................................................................................286
Administrative Access Logging..........................................................................287
Boot Log Messages...........................................................................................287
Appendix C – Firmware Upgrade Practices and Precautions ...................288
Appendix D – Recovering From a Failed Upgrade.....................................290

Introduction 1
1. Introduction
This manual describes the features and capabilities of your SG unit, and provides you
with instructions on how to best take advantage of them.
This includes setting up network connections (in the chapter entitled Network Setup),
tailoring the firewall to your network (Firewall), and establishing a virtual private
network (Virtual Private Networking). It also guides you through setting up the SG
unit on your existing or new network using the web management console (Getting
Started).
This chapter provides a high level overview to familiarize you with your SG unit’s features
and capabilities.
SG Gateway Appliances (SG3xx, SG5xx Series)
Note
The SG gateway appliance range includes models SG300, SG530, SG550, SG560,
SG565, SG570, SG575 and SG580.
The SG gateway appliance range provides Internet security and
privacy of communications for small and medium enterprises, and
branch offices. It simply and securely connects your office to the
Internet, and with its robust stateful firewall, shields your computers
from external threats.
With the SG unit’s masquerading firewall, hosts on your LAN (local area network) can
see and access resources on the Internet, but all outsiders see is the SG unit’s external
address.
You may tailor your SG unit to disallow access from your LAN to specific Internet sites or
categories of content, give priority to specific types of network traffic, and allow controlled
access to your LAN from the outside world. You may also choose to enable intrusion
detection and prevention services on your SG unit, to further bolster the security of your
local network.

The SG565, SG560, SG570, SG575 and SG580 may also connect to a DMZ
(demilitarized zone) network. A DMZ is a separate local network typically used to host
servers accessible to the outside world. It is separated both physically and by the
firewall, in order to shield your LAN from external traffic.
The SG unit allows you to establish a virtual private network (VPN). A VPN enables
remote workers or branch offices to connect securely to your LAN over the public
Internet. The SG unit can also connect to external VPNs as a client. The SG550,
SG560, SG565, SG570, SG575 and SG580 utilize onboard cryptographic acceleration to
ensure excellent VPN throughput.
The SG unit may be configured with multiple Internet connections. These auxiliary
connections may be kept on stand-by should the primary connection become
unavailable, or maintained concurrently with the primary connection for spreading
network load.
The SG565, SG570, SG575 and SG580 incorporate a powerful web proxy cache to
improve web page response time and reduce link loads. It is designed to integrate
seamlessly with upstream proxy caches provided by ISPs.
Front panel LEDs
The front and rear panels contain LEDs indicating status. An example of the front panel
LEDs is illustrated in the following figure and detailed in the following table.
Note
Not all the LEDs described below are present on all SG unit models. Labels vary from
model to model.
Label            Activity   Description
Power            On         Power is supplied to the SG unit
Heart Beat       Flashing   The SG unit is operating correctly
                 On         If this LED is on and not flashing, an operating error has occurred
LAN Activity     Flashing   Network traffic on the LAN network interface
WAN Activity     Flashing   Network traffic on the Internet network interface
WLAN             Flashing   Network traffic on the Wireless network interface
DMZ Activity     Flashing   Network traffic on the DMZ network interface
Serial Activity  Flashing   For either of the SG unit COM ports, these LEDs indicate receive and transmit data
HA               On         The SG unit has switched to a backup device
Online           On         An Internet connection has been established
VPN              On         Virtual private networking is enabled
Note
If Heart Beat does not begin flashing shortly after power is supplied, refer to Appendix D,
Recovering From a Failed Upgrade.
Rear panel
The rear panel contains Ethernet and serial ports, the Reset/Erase button and power
inlet. If network status LEDs are present, the lower or left LED indicates the link
condition, where a cable is connected correctly to another device and the upper or right
LED indicates network activity.
Specifications
Internet link
•10/100baseT Ethernet
•Serial (for dial-up/ISDN)
•Front panel serial status LEDs (for TX/RX)
•Online status LEDs (for Internet/VPN)
•Rear panel Ethernet link and activity status LEDs
Local network link

•10/100BaseT LAN port (SG530, SG550)
•10/100BaseT 4 port LAN switch (SG300)
•10/100BaseT DMZ port (SG570, SG575)
•10/100BaseT 4 port VLAN-capable switch (SG560, SG565, SG580)
•Rear panel Ethernet link and activity status LEDs
Environmental
•External power adaptor (voltage/current depends on individual model)
•Front panel operating status LEDs: Power, Heart Beat
•Operating temperature between 0°C and 40°C
•Storage temperature between -20°C and 70°C
•Humidity between 0 to 95% (non-condensing)
SG Rack Mount Appliances (SG7xx Series)
Note
The SG rack mount appliance range includes models SG710 and SG710+.
The SG7xx series is the flagship of Secure Computing’s SG
family. It features multi-megabit throughput, rack-optimized
form factor, two fast Ethernet ports and two 4 port fast Ethernet
switches as standard, and the option for two additional gigabit
ports (SG710+).
In addition to providing all of the features described in SG Gateway Appliances earlier in
this chapter, it equips central sites to securely connect hundreds of mobile employees
and branch offices.
Front panel LEDs
The front panel contains LEDs indicating status. An example of the front panel LEDs is
illustrated in the following figure and detailed in the following table.

Label             Activity   Description
Power             On         Power is supplied to the SG unit
H/B (Heart Beat)  Flashing   The SG unit is operating correctly
                  On         If this LED is on and not flashing, an operating error has occurred
Failover          On         The SG unit has switched to the backup Internet connection
High Avail        On         The SG unit has switched to a backup device
Online            On         An Internet connection has been established
Note
If H/B does not begin flashing 20 – 30 seconds after power is supplied, refer to Appendix
D, Recovering From a Failed Upgrade.
Front panel
The front panel contains two 10/100 Ethernet four port switches (A and B), two 10/100
Ethernet ports (C and D) and analog/ISDN modem (Serial) as well as operating status
LEDs and the configuration reset button (Erase).
On the front panel Ethernet ports, the right hand LED indicates the link condition, where a
cable is connected correctly to another device. The left hand LED indicates network
activity.
Rear panel
The rear panel contains a power switch and a power inlet for an IEC power cable.
Additionally, the SG710+ has two gigabit Ethernet ports (E and F).

Specifications
Internet link
•Two 10/100baseT Ethernet ports (C, D)
•Two GbE ports (E, F – SG710+ only)
•Serial port
•Online status LEDs (Online, Failover)
•Ethernet link and activity status LEDs
LAN/DMZ link
•Two 10/100BaseT 4 port LAN switches
•Ethernet link and activity status LEDs
Environmental
•Front panel operating status LEDs: Power, H/B
•Operating temperature between 0°C and 40°C
•Storage temperature between -20°C and 70°C
•Humidity between 0 to 95% (non-condensing)

SG PCI Appliances (SG6xx Series)
Note
The SG PCI appliance range includes models SG630 and SG635.
The SG PCI appliance is a hardware based firewall and VPN
server embedded in a 10/100 Ethernet PCI network interface
card (NIC). It is installed into the host PC like a regular NIC,
providing a transparent firewall to shield the host PC from
malicious Internet traffic, and VPN services to allow secure
remote access to the host PC.
Unlike other SG gateway and rack mount appliances, a single SG PCI appliance is not
intended as a means for your entire office LAN to be connected to, and shielded from, the
Internet. Installing a SG PCI appliance in each network connected PC gives it its own
independently manageable, enterprise-grade VPN server and firewall, running in isolation
from the host operating system.
This approach offers an increased measure of protection against internal threats as well
as conventional Internet security concerns. You can update, configure and monitor the
firewall and VPN connectivity of a workstation or server from any web browser. In the
event of a breach, you have complete control over access to the host PC independent of
its operating system, even if the host PC has been subverted and is denying normal
administrator access.
All network filtering and CPU intensive cryptographic processing is handled entirely by
the SG unit. This has the advantage over the traditional approach of using a host-based
personal software firewall and VPN service by not taxing the host PC's resources.
Bridged mode
By default, the SG PCI appliance operates in bridged mode. This is distinctly different
from the masquerading behavior of SG gateway and rack mount appliances.
In bridged mode, the SG PCI appliance uses two IP addresses. Note that these
addresses are both in the same subnet as the LAN, as no masquerading is being
performed (refer to the Masquerading section of the chapter entitled Firewall for further
details).
One IP address is used to manage the SG unit via the web management console.

The other is the host PC's IP address, which is configurable through the host operating
system, identically to a regular NIC. This is the IP address that other PCs on the LAN
see. It should be dynamically (DHCP) or statically configured to use the same gateway,
DNS, etc. settings as a regular PC on the LAN.
Note
It is possible to configure the SG PCI appliance to run in masquerading mode. This is
discussed in the chapter entitled Firewall.
Secure by default
By default, all SG units run a fully secured stateful firewall. This means that from the PC
the unit is plugged into, most network resources are freely accessible. However, any
services that the PC provides, such as file shares or web services (e.g. IIS), are not
accessible to other hosts on your LAN without further configuration of the SG unit. This is
accomplished using packet filter rules; for details refer to the Packet Filtering section of
the chapter entitled Firewall.
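What the stateful, default-deny behaviour described here and in the gateway overview (LAN hosts see the Internet, outsiders see only the unit's external address; services on a PCI-protected host stay invisible until a packet filter rule opens them) amounts to, as an added example that is not SG firmware or SG configuration: a small connection-tracking filter with optional masquerading. The addresses, ports and packets are constructed for the example; on a real unit this policy is set through the Firewall chapter, not through code like this.

```python
"""Toy model of the stateful, default-deny policy the SG units apply.

Added example, not SG firmware or configuration. It models the two behaviours
described in the text: a masquerading gateway (LAN hosts reach the Internet,
outsiders only ever see the unit's external address) and the PCI appliance's
bridged default (the host's own connections flow freely, unsolicited
connections to services on the host are dropped until a packet-filter rule
opens them). Addresses, ports and packets are constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFirewall:
    """Connection-tracking filter with optional source-address translation.

    inside        addresses on the protected side (the LAN, or the PCI host)
    external_ip   if set, new outbound connections are rewritten to this
                  address (masquerading); if None, addresses are left alone
                  (bridged mode, the PCI appliance default)
    allow_inbound (address, port) pairs opened by explicit packet-filter rules
    """

    def __init__(self, inside, external_ip=None, allow_inbound=()):
        self.inside = set(inside)
        self.external_ip = external_ip
        self.allow_inbound = set(allow_inbound)
        self.flows = {}     # outbound 4-tuple -> (src, sport) as seen outside
        self.replies = {}   # inbound 4-tuple -> (dst, dport) to deliver to
        self.next_port = 40000   # first port used for masqueraded connections

    def _allocate_port(self):
        port, self.next_port = self.next_port, self.next_port + 1
        return port

    def process(self, pkt):
        """Return the packet as it leaves the unit, or None if it is dropped."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.src in self.inside:
            # Outbound: always allowed. A new connection is entered into the
            # table so that its replies can be recognised (and un-translated).
            if key not in self.flows:
                if self.external_ip is not None:
                    nat = (self.external_ip, self._allocate_port())
                else:
                    nat = (pkt.src, pkt.sport)
                self.flows[key] = nat
                self.replies[(pkt.dst, pkt.dport, nat[0], nat[1])] = (pkt.src, pkt.sport)
            nat_src, nat_sport = self.flows[key]
            return Packet(nat_src, nat_sport, pkt.dst, pkt.dport)

        # Inbound: allowed only as the reply to a tracked connection ...
        if key in self.replies:
            dst, dport = self.replies[key]
            return Packet(pkt.src, pkt.sport, dst, dport)
        # ... or to a service an explicit packet-filter rule has opened. Such a
        # connection is tracked too, so the host's answers pass on the way out.
        if (pkt.dst, pkt.dport) in self.allow_inbound:
            self.replies[key] = (pkt.dst, pkt.dport)
            self.flows[(pkt.dst, pkt.dport, pkt.src, pkt.sport)] = (pkt.dst, pkt.dport)
            return pkt
        # Everything else is unsolicited and is dropped: this is why a file
        # share or web server on the host is invisible until a rule allows it.
        return None


if __name__ == "__main__":
    gateway = StatefulFirewall(inside={"192.168.0.100"}, external_ip="203.0.113.10")
    out = gateway.process(Packet("192.168.0.100", 51000, "198.51.100.5", 80))
    print("LAN host -> Internet leaves as", out)
    back = gateway.process(Packet("198.51.100.5", 80, "203.0.113.10", 40000))
    print("reply is delivered to", back)
    print("unsolicited SSH to the external address:",
          gateway.process(Packet("198.51.100.5", 4444, "203.0.113.10", 22)))

    pci = StatefulFirewall(inside={"192.168.0.50"})
    print("LAN peer -> host file share:",
          pci.process(Packet("192.168.0.7", 3000, "192.168.0.50", 445)))
    opened = StatefulFirewall(inside={"192.168.0.50"}, allow_inbound={("192.168.0.50", 80)})
    print("LAN peer -> host web server, rule added:",
          opened.process(Packet("192.168.0.7", 3001, "192.168.0.50", 80)))
```

The two tables are the whole point: the reply path only exists for connections the inside initiated, so nothing an outsider sends unsolicited has an entry to match, and in masquerading mode the outside party only ever sees the external address and the allocated port, never the LAN host behind it.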
LEDs
The rear panel contains LEDs indicating status. The two LEDs closest to the network
port are network activity (upper) and network link (lower). The two other LEDs are power
(upper) and heart beat (lower).

Location                     Activity   Description
Top right (Power)            On         Power is supplied to the SG unit
Bottom right (Heart beat)    Flashing   The SG unit is operating correctly
Top left (Network activity)  Flashing   Data is being transmitted or received
Bottom left (Network link)   On         The SG unit is attached to the network
Note
If Heart beat does not begin flashing shortly after power is supplied, refer to Appendix D,
Recovering From a Failed Upgrade.
Specifications
Network link
•10/100baseT Ethernet port
•Ethernet LEDs (link, activity)
Environmental
•Status LEDs: Power, Heart Beat
•Operating temperature between 0°C and 40°C
•Storage temperature between -20°C and 70°C
•Humidity between 0 to 95% (non-condensing)

Document Conventions
This document uses different fonts and typefaces to show specific actions.
Warning/Note
Text like this highlights important issues.
Bold text in procedures indicates text that you type, or the name of a screen object (e.g.
a menu or button).

Getting Started 11
2. Getting Started
This chapter provides step-by-step instructions for installing your SG unit. These
instructions are identical to those in the printed Quick Install Guide that shipped with your
SG unit.
Upon completing the steps in this chapter, your SG gateway or rack mount appliance is
installed in a network configuration similar to that depicted in the figure to the right. If
you are setting up a SG PCI appliance, upon completing the steps in this chapter, your
host PC is connected securely to your existing LAN.
These instructions assume you have a PC
running Microsoft Windows (95/98/Me/2000/XP
for SG gateway and rack mount appliances,
2000/XP only for SG PCI appliances). If you are
installing a SG gateway or rack mount appliance, you must have an Ethernet network
interface card installed. You may need to be logged in with administrator privileges.
Instructions are not given for other operating systems; refer to your operating system
documentation on how to configure your PCs’ network settings using the examples given
for Windows PCs as a guide.
Note
Installing your SG unit into a well-planned network is easy. However, network planning is
outside the scope of this manual. Please take the time to plan your network before
installing your SG unit.
•If you are setting up a SG gateway appliance (SG3xx, SG5xx series) proceed to SG
Gateway Appliance Quick Setup.
•If you are setting up a SG rack mount appliance (SG7xx series) proceed to SG Rack
Mount Appliance Quick Setup.
•If you are setting up a SG PCI appliance (SG6xx series), proceed to SG PCI
Appliance Quick Setup.

SG Gateway Appliance Quick Setup
Unpack the SG unit
Check that the following items are included with your SG unit:
Power adapter
SG CD
Network cable
On the rear panel of the SG unit you will see network, serial and possibly USB ports, a
Reset/Erase button, and a power inlet.
The front panel of the SG unit contains activity LEDs (lights) that vary slightly between
models. These provide information on the operating status of the SG unit.
Note
Power is ON when power is applied (use only the power adapter packaged with the unit).
System/Heart Beat/TST flashes when the SG unit is running.
Initially, all appliance models except for the SG300 also have all other front panel LEDs
flashing.
If these LEDs do not behave in this manner before your SG unit is attached to the
network, perform a factory reset: press the black Reset/Erase button on the rear panel
twice within two seconds to restore factory default settings. If the LEDs are still not
flashing after 30 seconds, you may need to contact customer support.
Set up a single PC to connect to the SG unit
The SG unit ships with initial network settings of:
LAN IP address: 192.168.0.1

LAN subnet mask: 255.255.255.0
The SG unit needs an IP address suitable for your LAN before it is connected. You may
choose to use the SG unit’s initial network settings above as a basis for your LAN
settings.
Connect the supplied power adapter to the SG unit.
If you are setting up the SG300, attach your PC’s network interface card directly to
any network port on its LAN switch using the supplied network cable.
If you are setting up the SG560, SG565 or SG580, attach your PC’s network interface
card directly to any network port on switch A (A1 – A4) using the supplied network
cable.
Otherwise, connect the SG unit’s LAN network port directly to your PC’s network
interface card using the supplied network cable.
Note
At this point, if you attach the SG unit directly to a LAN with an existing DHCP server, or
a PC running a DHCP service, it will automatically obtain an additional address. The SG
unit will still be reachable at 192.168.0.1.
However, we strongly recommend that you do not connect the SG unit to your LAN until
instructed to do so by this guide.
All other network ports are by default inactive, i.e. they are not running any network
services such as DHCP, and they are not configured with an IP address.
Next, modify your PC’s network settings to enable it to communicate with the SG unit.
Click Start -> (Settings ->) Control Panel and double click Network Connections (or in
95/98/Me, double click Network).
Right click on Local Area Connection and select Properties.

Note
If there is more than one existing network connection, select the one corresponding to the
network interface card to which the SG unit is attached.
Select Internet Protocol (TCP/IP) (or in 95/98/Me, TCP/IP -> your network card name if
there are multiple entries) and click Properties.
Select Use the following IP address and enter the following details:
IP address: 192.168.0.100
Subnet mask: 255.255.255.0
Default gateway: 192.168.0.1
Select Use the following DNS server addresses and enter:
Preferred DNS server: 192.168.0.1

Note
If you wish to retain your existing IP settings for this network connection, click Advanced
and Add the secondary IP address of 192.168.0.100, subnet mask 255.255.255.0.
Set up the SG unit’s password and LAN connection settings
Launch your web browser and navigate to 192.168.0.1.
Select Quick Setup Wizard from the center of the page.
A log in prompt is displayed. Enter the initial user name and password for the SG unit:
User name: root
Password: default
Note
If you are unable to browse to the SG unit at 192.168.0.1, or the initial username and
password are not accepted, press the black Reset/Erase button on the SG unit’s rear
panel twice, wait 20 – 30 seconds, then try again.
Pressing Reset/Erase twice within 2 seconds resets the SG unit to its factory default
settings.
Enter and confirm a password for your SG unit. This is the password for the user root,
the main administrative user account on the SG unit. It is therefore important that you
choose a password that is hard to guess, and keep it safe. Until this password is
changed, anyone who can reach the SG unit’s LAN port can log in with the published
factory credentials, so complete this step before connecting the unit to your LAN.

Note
The new password takes effect immediately. You are prompted to enter it when
completing the next step.
The quick setup wizard is displayed.
Changing the Hostname is not typically necessary.
Select how you would like to set up your LAN connection then click Next.
Note
You must select Manual configuration in order to enable the SG unit’s built-in DHCP
server. The SG unit’s DHCP server automatically configures the network settings of PCs
and other hosts on your LAN.
Changes to the SG unit’s LAN configuration do not take effect until the quick setup wizard
has completed.
Select Manual configuration to manually specify the SG unit’s LAN connection
settings (recommended).
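The steps above only give Windows instructions and leave other operating systems to the reader. The following script, an added example that is not Secure Computing's code, does the two checks a practitioner wants after working through them from any PC with Python: that the PC's address can actually reach the unit at its factory LAN address, and that the factory log-in (root/default) is rejected once the root password has been set. It assumes the management console answers plain HTTP at 192.168.0.1 and rejects a bad Basic-auth log-in with HTTP 401 or 403; the manual only says that a log-in prompt is displayed, so if your unit presents a form log-in instead, a 200 answer proves nothing and the probe must be adapted.

```python
#!/usr/bin/env python3
"""Post-setup check for the SG unit's web management console.

Added example, not Secure Computing's code. Assumptions (the manual does not
state them): the console is reached over plain HTTP at the factory LAN address
and answers a rejected HTTP Basic log-in with 401 or 403.
"""
import base64
import ipaddress
import sys
import urllib.error
import urllib.request

APPLIANCE_IP = "192.168.0.1"        # factory LAN address (from the manual)
APPLIANCE_MASK = "255.255.255.0"    # factory LAN subnet mask (from the manual)
DEFAULT_USER = "root"               # factory user name (from the manual)
DEFAULT_PASSWORD = "default"        # factory password (from the manual)


def in_appliance_subnet(host_ip, appliance_ip=APPLIANCE_IP, mask=APPLIANCE_MASK):
    """True if a PC at host_ip can talk to the unit without a router: same
    subnet as the unit, not the unit's own address, not network/broadcast."""
    net = ipaddress.ip_network(f"{appliance_ip}/{mask}", strict=False)
    host = ipaddress.ip_address(host_ip)
    return host in net.hosts() and host != ipaddress.ip_address(appliance_ip)


def basic_auth_header(user, password):
    """Value of an HTTP Authorization header carrying Basic credentials."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token


def http_status(url, user, password, timeout=5.0):
    """HTTP status for a GET with the given credentials; None if unreachable."""
    req = urllib.request.Request(
        url, headers={"Authorization": basic_auth_header(user, password)})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
    except (urllib.error.URLError, OSError):
        return None


def credentials_accepted(status):
    """False when the unit answered 401/403 (log-in rejected), True for any
    2xx/3xx answer (log-in accepted), None when unreachable or inconclusive."""
    if status in (401, 403):
        return False
    if status is not None and 200 <= status < 400:
        return True
    return None


def main(host_ip="192.168.0.100", appliance_ip=APPLIANCE_IP):
    """Exit 0 if the factory log-in is rejected, 1 if it still works,
    2 if the check could not be carried out."""
    if not in_appliance_subnet(host_ip, appliance_ip):
        print(f"{host_ip} cannot reach {appliance_ip} directly; fix the PC's IP settings")
        return 2
    url = f"http://{appliance_ip}/"
    status = http_status(url, DEFAULT_USER, DEFAULT_PASSWORD)
    verdict = credentials_accepted(status)
    if verdict is None:
        print(f"no conclusive answer from {url} (HTTP {status}); check cabling and Heart Beat")
        return 2
    if verdict:
        print(f"{url} still accepts {DEFAULT_USER}/{DEFAULT_PASSWORD}; set the root password now")
        return 1
    print(f"{url} rejects the factory credentials (HTTP {status})")
    return 0


if __name__ == "__main__":
    sys.exit(main(*sys.argv[1:]))
```

Run it from the PC that is cabled directly to the unit, as the setup steps require; the probe sends the factory credentials in cleartext over HTTP, which is harmless on that two-device link but not something to do across a shared LAN.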