Planet SG-1000 User Manual

VPN Security Gateway SG-1000 User's Manual


Summary of Contents for Planet SG-1000

  • Page 1 VPN Security Gateway SG-1000 User’s Manual...
  • Page 2 PLANET has made every effort to ensure that this User’s Manual is accurate; PLANET disclaims liability for any inaccuracies or omissions that may have occurred.
  • Page 3: Customer Service

    Any error messages displayed when the problem occurred ♦ Any software running when the problem occurred ♦ Steps you took to resolve the problem on your own. Revision: User's Manual for PLANET VPN Security Gateway, Model SG-1000, Rev. 1.0 (October 2006), Part No. EM-SG1000v1...
  • Page 4: Table Of Contents

    Chapter 1 Introduction (6): Package Contents (7); Front View (8); Rear View (8); Specification (8). System: Chapter 2 Administration (10): Administrator (12); Permitted IPs (14); Logout (15); Software Update (17). Chapter 3 Configure...
  • Page 5 Chapter 7 Schedule (79). Chapter 8 QoS (82): Example (85). Chapter 9 Authentication (87): Auth User and Group (93); RADIUS (97); POP3 Server (118). Chapter 10 Content Blocking (121): 10.1 URL (125); 10.2 Script...
  • Page 6 Monitor: Chapter 17 Log (236): 17.1 Traffic Log (238); 17.2 Event Log (242); 17.3 Connection Log (245); 17.4 Log Backup (248). Chapter 18 Statistics (250): 18.1 WAN (252); 18.2 Policy (254). Chapter 19 Status (256): 19.1 Interface...
  • Page 7: Chapter 1 Introduction

    The growth of the Internet has created a tremendous worldwide venue for e-business and information sharing, but it also creates network security problems, and security has become a primary concern for the enterprise. Planet's new VPN Security Gateway SG-1000 is a purpose-built VPN security gateway that provides SSL, IPSec, and PPTP VPN.
  • Page 8: Package Contents

    The SG-1000 detects the difference and updates the Content Filtering pattern to renew the filtering mechanism. ♦ Policy-based Firewall: The built-in policy-based firewall blocks many known attacks, including SYN flood, ICMP flood, UDP flood, Ping of Death, etc.
  • Page 9: Front View

    Orange, steady on: the port is connected at 100Mbps. 1.3 Rear View. 1.4 Specification. Product: VPN Security Gateway; Model: SG-1000; Recommended concurrent users: 30 ~ 50; Hardware: Ethernet 1 x 10/100Base-TX RJ-45, 2 x 10/100Base-TX RJ-45...
  • Page 10 Management: Transparent mode, NAT, Multi-NAT. Network Connection: Static Route, RIPv2 Routing Mode. 110,000 Concurrent Sessions; 10,000 New Sessions/second; 100Mbps WAN-to-LAN Throughput; 18Mbps VPN Throughput; 17Mbps VPN 3DES Throughput. VPN Function: SSL, IPSec, PPTP server and client; DES, 3DES, and AES encryption; SHA-1 / MD5 authentication algorithms; Remote-access VPN (Client-to-Site) and Site-to-Site VPN...
  • Page 11: Chapter 2 Administration

    "System" covers management settings such as the privileges of packets passing through the SG-1000 and the monitoring controls. The System Administrator can manage, monitor, and configure SG-1000 settings. All configurations are read-only for all users other than the System Administrator; those users cannot change any SG-1000 setting.
  • Page 12: Administrator

    Define the required fields of Administrator. Administrator Name: the username of the Administrator or Sub Administrator for the SG-1000. The admin account cannot be removed; sub-admin accounts can be removed or modified. Default account: admin; password: admin. Change the default password before the unit is reachable from any network you do not control. Privilege: the privilege level of the administrator (Admin or Sub Admin).
  • Page 13 2.1 Adding a new Sub Administrator. STEP 1. In the Admin Web UI, click the New Sub Admin button to create a new Sub Administrator. STEP 2. In the Add New Sub Administrator Web UI, enter the following settings: Sub Admin Name: sub_admin; Password: 12345; Confirm Password: 12345 (the manual's placeholder; use a strong password in practice). STEP 3. Click OK to a...
  • Page 14 Modify the Administrator's Password. STEP 1. In the Admin Web UI, locate the Administrator name you want to edit and click Modify in the Configure field. STEP 2. The Modify Administrator Password Web UI will appear. Enter the following information: Password: admin; New Password: 52364; Confirm Password: 52364. STEP 3. Click OK to confirm the password change.
  • Page 15: Permitted IPs

    For Permitted IPs to take effect, the Ping, HTTP, and HTTPS selections must be cleared on the interface (LAN, WAN, or DMZ) through which the Administrator enters the Web UI. Set up Permitted IPs before clearing the HTTP and HTTPS selections on an interface; otherwise the Web UI can no longer be reached through that interface.
  • Page 16: Logout

    2.3 Logout. STEP 1. Click Logout, located at the upper right of the browser window, to protect the system while the Administrator is away. Confirm Logout Web UI...
  • Page 17 STEP 2. Click OK and the logout message will appear in the Web UI. Logout Web UI Message...
  • Page 18: Software Update

    Check the current version under Version Number and obtain the latest version from the Internet, saving it on the PC that manages the SG-1000. Click Browse and choose the latest software version file. Click OK and the system will update automatically.
  • Page 19: Chapter 3 Configure

    Chapter 3 Configure. Configure covers the basic settings of the SG-1000. This chapter defines Setting, Date/Time, Multiple Subnet, Route Table, DHCP, Dynamic DNS, Hosts Table, and Language settings.
  • Page 20: Setting

    Define the required fields of Settings. SG-1000 Configuration: The Administrator can import or export the system settings. Click OK to import the file into the SG-1000 or click Cancel to cancel importing. You can also restore the default values here. Email Settings: Select Enable E-mail Alert Notification under E-mail Settings.
  • Page 21 Administration Packet Logging: After enabling this function, the SG-1000 records every packet whose source or destination address is the SG-1000 itself and writes it to the Traffic Log for the System Manager to inspect. Define the required fields of Time Settings. Synchronize Time/Date: Synchronize the SG-1000 with the system clock.
  • Page 22 NAT Mode: Allows the internal network to use multiple subnet addresses and connect to the Internet through different WAN IP addresses. For example: a company's leased line provides several real IP addresses, 168.85.88.0/24, and the company is divided into R&D, service, sales, procurement, and accounting departments; the company can give each department its own subnet for convenient management.
  • Page 23 Define the required fields of DHCP. Subnet: The domain name of the LAN. NetMask: The LAN netmask. Gateway: The default gateway IP address of the LAN. Broadcast IP: The broadcast IP of the LAN. Define the required fields of DDNS. Domain Name: The domain name provided by the DDNS service. WAN IP Address: The WAN IP address to which the domain name corresponds.
  • Page 24 STEP 2. When the File Download pop-up window appears, choose where to save the exported file and click Save. The SG-1000's settings are copied to the chosen location immediately. Select the Destination Place to Save the Exported File...
  • Page 25 STEP 1. In the System Setting Web UI, click the Browse button next to Import System Settings from Client. When the Choose File pop-up window appears, select the file that contains the saved SG-1000 settings, then click OK. STEP 2. Click OK to import the file into the SG-1000...
  • Page 26: Restoring Factory Default Settings

    Restoring Factory Default Settings. STEP 1. Select Reset Factory Settings in the SG-1000 Configuration Web UI. STEP 2. Click OK at the bottom right of the page to restore the factory settings. Reset Factory Settings...
  • Page 27 Enabling E-mail Alert Notification. STEP 1. Select Enable E-mail Alert Notification under E-Mail Settings. STEP 2. Device Name: Enter the device name or use the default value. STEP 3. Sender Address: Enter the sender address (required by some ISPs). STEP 4. SMTP Server IP: Enter the SMTP server's IP address. STEP 5. E-Mail Address 1: Enter the e-mail address of the first user to be notified.
  • Page 28 Reboot SG-1000. STEP 1. Click the Reboot button next to Reboot SG-1000 Appliance. STEP 2. A confirmation pop-up page will appear. STEP 3. Follow the confirmation pop-up page and click OK to restart the SG-1000. Reboot SG-1000...
  • Page 29: Date/Time

    STEP 4. Set the interval at which to synchronize with outside servers. System Time Setting: Click the Sync button and the SG-1000's date and time will be synchronized to the Administrator's PC. The values for Set Offset From GMT and Server IP / Name can be looked up with Assist.
  • Page 30: Multiple Subnet

    Connect to the Internet through Multiple Subnet in NAT or Routing Mode, selected by the IP address set on the LAN user's network card. Preparation: SG-1000 WAN1 (10.10.10.1) connects to the ISP router (10.10.10.2), and the subnet provided by the ISP is 162.172.50.0/24. To connect to the Internet, WAN2 (211.22.22.22) connects to an ATUR.
  • Page 31 Adding Multiple Subnet. Add the following settings in Multiple Subnet of the System function: Click New Entry. Alias IP of LAN Interface: Enter 162.172.50.1. Netmask: Enter 255.255.255.0. WAN1: Enter Interface IP 10.10.10.1 and choose Routing in Forwarding Mode. WAN2: Enter Interface IP 211.22.22.22 and choose NAT in Forwarding Mode. Click OK. Complete Adding Multiple Subnet...
  • Page 32 WAN1 and WAN2 Interface can use Assist to enter the data. After this setting there are two subnets in the LAN: 192.168.1.0/24 (the default LAN subnet) and 162.172.50.0/24. A LAN host at 192.168.1.xx must use NAT Mode to access the Internet (in Policy it can only be set up to reach the Internet via WAN2.
  • Page 33 The SG-1000's Interface Status: WAN1 IP: 10.10.10.1; WAN2 IP: 211.22.22.22; LAN Port IP: 192.168.1.1; LAN Port Multiple Subnet: 162.172.50.1...
  • Page 34: Route Table

    3.4 Route Table. Connect two routers on different subnets to the SG-1000 and let them reach the Internet through the SG-1000. Preparation: Company A: WAN1 (61.11.11.11) connects to an ATUR for Internet access; WAN2 (211.22.22.22) connects to an ATUR for Internet access; LAN subnet: 192.168.1.1/24. Router1, which connects to the LAN (10.10.10.1, supports RIPv2), has the LAN subnet...
  • Page 35 Route Table. STEP 1. Enter the following settings in Route Table of the System function: Destination IP: Enter 192.168.10.1. Netmask: Enter 255.255.255.0. Gateway: Enter 192.168.1.252. Interface: Select LAN. Click OK. Add New Static Route1. STEP 2. Enter the following settings in Route Table of the System function: Destination IP: Enter 192.168.20.1. Netmask: Enter 255.255.255.0. Gateway: Enter 192.168.1.252...
  • Page 36 STEP 3. Enter the following settings in Route Table of the System function: Destination IP: Enter 10.10.10.0. Netmask: Enter 255.255.255.0. Gateway: Enter 192.168.1.252. Interface: Select LAN. Click OK. Add New Static Route3...
  • Page 37 STEP 4. Adding is successful. Now the computers on 192.168.10.0/24, 192.168.20.0/24 and 192.168.1.0/24 can reach each other and reach the Internet through NAT. Route Table Setting...
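    The three static routes from 3.4, worked through as an added example (this is not code from the manual or the appliance): the destination/netmask pairs are normalized to network addresses (the manual enters 192.168.10.1 with a /24 mask, which really names 192.168.10.0/24), a gateway is rejected unless it sits on a connected network of the chosen interface, and lookups use longest-prefix match. The connected WAN1 /24, the default route and its gateway 61.11.11.1 are assumptions made for the demonstration.

```python
"""Static routing for the 3.4 walkthrough: the manual's three Route Table
entries plus a connected LAN route and a default route, resolved by
longest-prefix match. Added example, not code from the manual or the SG-1000;
the WAN1 netmask, the default gateway 61.11.11.1 and the gateway-reachability
check are assumptions about how a router should behave."""
from ipaddress import ip_address, ip_network


def normalize(dest, netmask):
    """The manual enters 192.168.10.1 with mask 255.255.255.0; the route is for
    192.168.10.0/24, so clear the host bits instead of storing a host address."""
    return ip_network(f"{dest}/{netmask}", strict=False)


class RouteTable:
    def __init__(self):
        self.routes = []  # (network, next hop or None for connected, interface)

    def add_connected(self, iface_ip, netmask, iface):
        self.routes.append((normalize(iface_ip, netmask), None, iface))

    def add_static(self, dest, netmask, gateway, iface):
        """Reject a gateway that is not on a connected network of that interface:
        such a route can never forward and only hides a misconfiguration."""
        gw = ip_address(gateway)
        reachable = any(g is None and ifc == iface and gw in net
                        for net, g, ifc in self.routes)
        if not reachable:
            raise ValueError(f"gateway {gateway} is not directly reachable on {iface}")
        self.routes.append((normalize(dest, netmask), gw, iface))

    def lookup(self, dst):
        """Longest-prefix match: returns (network, next_hop, interface) or None."""
        addr = ip_address(dst)
        best = None
        for net, gw, iface in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, gw, iface)
        return best


def build_manual_table():
    """Routes from the 3.4 example (WAN1 mask and default gateway assumed)."""
    rt = RouteTable()
    rt.add_connected("192.168.1.1", "255.255.255.0", "LAN")      # SG-1000 LAN port
    rt.add_connected("61.11.11.11", "255.255.255.0", "WAN1")     # WAN1, /24 assumed
    rt.add_static("0.0.0.0", "0.0.0.0", "61.11.11.1", "WAN1")    # default, gw assumed
    rt.add_static("192.168.10.1", "255.255.255.0", "192.168.1.252", "LAN")  # Route1
    rt.add_static("192.168.20.1", "255.255.255.0", "192.168.1.252", "LAN")  # Route2
    rt.add_static("10.10.10.0", "255.255.255.0", "192.168.1.252", "LAN")    # Route3
    return rt


if __name__ == "__main__":
    table = build_manual_table()
    for dst in ("192.168.10.77", "192.168.1.40", "203.0.113.5"):
        net, hop, ifc = table.lookup(dst)
        print(f"{dst:>15} -> {net} via {hop or 'connected'} on {ifc}")
```

    The reachability check is the part worth keeping: a static route whose gateway is not on-link for the selected interface is accepted silently by many appliances and then never forwards a packet.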
  • Page 38: DHCP

    3.5 DHCP. STEP 1. Select DHCP in System and enter the following settings: Domain Name: Enter the domain name. DNS Server 1: Enter the IP address of DNS Server 1 to be distributed. DNS Server 2: Enter the IP address of DNS Server 2 to be distributed. WINS Server 1: Enter the IP address of WINS Server 1 to be distributed. WINS Server 2: Enter the IP address of WINS Server 2 to be distributed.
  • Page 39 DHCP Web UI. When Automatically Get DNS is selected, the DNS Server is locked to the LAN Interface IP. (Use case: when the System Administrator enables Authentication, the users' first DNS Server must be the LAN Interface IP in order to reach the Authentication Web UI.)
  • Page 40: DDNS

    3.6 Dynamic DNS Settings. STEP 1. Select Dynamic DNS in the System function and click the New Entry button. Service providers: Select the service provider. Automatically fill in the WAN 1/2 IP: Check to fill in the WAN 1/2 IP automatically. User Name: Enter the registered user name. Password: Enter the password. Domain name: Enter your host domain name. Click OK to add the Dynamic DNS entry.
  • Page 41 Chart meaning: Updated successfully / Incorrect username or password / Connecting to server / Unknown error. If the System Administrator has not registered a DDNS account, click Sign up to open the provider's website. If you do not select Automatically fill in the WAN IP, you can enter a specific IP in WAN IP.
  • Page 42: Host Table

    Click OK to add the Host Table entry. Add New Host Table. To use the Host Table, the user PC's first DNS Server must be the LAN Port or DMZ Port IP of the SG-1000, that is, the default gateway.
  • Page 43: Language

    3.8 Language. Select the language version (English, Traditional Chinese, or Simplified Chinese) and click OK. Language Setting Web UI...
  • Page 44: Chapter 4 Interface

    Chapter 4 Interface In this section, the Administrator can set up the IP addresses for the office network. The Administrator may configure the IP addresses of the LAN network, the WAN 1/2 network, and the DMZ network. The netmask and gateway IP addresses are also configured in this section.
  • Page 45: LAN

    Ping: Select to allow users to ping the Interface IP address. HTTP: Select to allow users to enter the SG-1000 Web UI at the Interface IP over HTTP. HTTPS: Select to allow users to enter the SG-1000 Web UI at the Interface IP over HTTPS. Plain HTTP carries the administrator login in the clear; prefer HTTPS and restrict who may reach either with Permitted IPs.
  • Page 46 PPPoE (ADSL user); Dynamic IP Address (Cable Modem user); Static IP Address. Saturated Connections: Set the session count at which, once reached, the SG-1000 switches to the next WAN on the list. Priority: Set the WAN priority for Internet access.
  • Page 47: DMZ

    DMZ: The Administrator uses the DMZ Interface to set up the DMZ network. The DMZ includes: NAT Mode: In this mode the DMZ is an independent virtual subnet. This virtual subnet can be set by the Administrator but cannot be the same as the LAN Interface subnet.
  • Page 48 We set up four Interface Address examples in this chapter. Suitable example situations: Modify LAN Interface Settings; Setting WAN Interface Address; Setting DMZ Interface Address (NAT Mode); Setting DMZ Interface Address (Transparent Mode)...
  • Page 49 ...IP address on the computer, he/she has to restart the system for the new IP address to take effect (when the computer obtains its IP by DHCP). Do not clear the Web UI selection before Permitted IPs has been set; doing so will prevent the Administrator from entering the SG-1000's Web UI from the LAN.
  • Page 50 4.2 Setting WAN Interface Address. STEP 1. Select WAN in Interface and click Modify in WAN1 Interface. The WAN2 Interface settings are almost the same as WAN1; the difference is that WAN2 has a Disable option, with which the System Administrator can close the WAN2 Interface.
  • Page 51 ICMP Connection / DNS Service Connection test: used by the SG-1000 to detect whether the WAN can connect or not. The Alive Indicator Site IP, DNS Server IP Address, or Domain Name must therefore be permanently reachable, or the device will judge the link wrongly.
  • Page 52 STEP 3. Select the connection type. PPPoE (ADSL User): 1. Select PPPoE. 2. Enter the User Name for the account. 3. Enter the Password. 4. Select Dynamic or Fixed in IP Address provided by ISP; if you select Fixed, enter the IP Address, Netmask, and Default Gateway. 5.
  • Page 53 PPPoE Connection. Complete PPPoE Connection Setting. If the connection is PPPoE, you can choose Service-On-Demand so the WAN Interface reconnects automatically after a disconnect, or set up Auto Disconnect if idle (not recommended)...
  • Page 54 Dynamic IP Address (Cable Modem User): 1. Select Dynamic IP Address (Cable Modem User). 2. Click Renew on the right side of IP Address to obtain an IP automatically. 3. If the ISP requires a specific MAC address, click Clone MAC Address to fill it in automatically.
  • Page 55 Complete Dynamic IP Connection Setting...
  • Page 56 Static IP Address: 1. Select Static IP Address. 2. Enter the IP Address, Netmask, and Default Gateway provided by the ISP. 3. Enter DNS Server 1 and DNS Server 2 (on WAN2, a Static IP Address connection does not need DNS Servers). 4.
  • Page 57 When Ping and Web UI are selected on a WAN interface, users on the WAN side can ping the SG-1000 and enter the Web UI from the WAN network. This exposes the management plane; the recommendation is to clear Ping and Web UI on WAN once all settings are finished. If the System Administrator needs to enter the Web UI from the WAN, he/she can use Permitted IPs to do so.
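    The management-plane rules from Permitted IPs (2.2) and the WAN note above, modelled as an added example (not code from the manual or the appliance): each interface's Ping/HTTP/HTTPS boxes open that service to any source, Permitted IPs is the allow-list that still works once the boxes are cleared, and clearing is refused when it would lock the administrator's own address out. That "permitted overrides a cleared box" rule and the lockout guard are inferred from the manual's wording; the interface names and addresses are constructed.

```python
"""Management-plane reachability as the manual describes it: per-interface
Ping/HTTP/HTTPS boxes that open a service to any source, plus Permitted IPs,
the allow-list that applies once those boxes are cleared. Added example; the
'permitted overrides a cleared box' rule and the lockout guard are inferred
from the manual's wording, not taken from the appliance's code."""
from ipaddress import ip_address, ip_network

SERVICES = ("ping", "http", "https")


class MgmtPlane:
    def __init__(self, open_services, permitted=()):
        # open_services: {"WAN1": {"http", "https"}, ...}; permitted: CIDR strings
        self.open = {ifc: set(svcs) for ifc, svcs in open_services.items()}
        self.permitted = [ip_network(p) for p in permitted]

    def is_permitted(self, src):
        addr = ip_address(src)
        return any(addr in net for net in self.permitted)

    def allows(self, iface, service, src):
        """A request is accepted if the box is ticked (anyone) or src is permitted."""
        if service not in SERVICES:
            raise ValueError(f"unknown service {service!r}")
        return service in self.open[iface] or self.is_permitted(src)

    def exposed_to_anyone(self):
        """Interfaces with any box ticked; on WAN that is the weak setting the
        manual says to cancel once configuration is finished."""
        return {ifc: sorted(s) for ifc, s in self.open.items() if s}

    def clear(self, iface, services, admin_src):
        """Untick boxes, but refuse if the admin's own address would lose both HTTP
        and HTTPS without being in Permitted IPs (the 'set Permitted IPs first' rule)."""
        remaining = self.open[iface] - set(services)
        if not remaining & {"http", "https"} and not self.is_permitted(admin_src):
            raise RuntimeError(f"would lock {admin_src} out of the Web UI on {iface}; "
                               "add it to Permitted IPs first")
        self.open[iface] = remaining
        return remaining


def harden_wan(plane, admin_src):
    """Weak -> corrected: add the admin host to Permitted IPs, then clear every
    management box on the WAN interfaces. Returns the remaining exposure map."""
    plane.permitted.append(ip_network(f"{admin_src}/32"))
    for ifc in plane.open:
        if ifc.startswith("WAN"):
            plane.clear(ifc, SERVICES, admin_src)
    return plane.exposed_to_anyone()


if __name__ == "__main__":
    # Constructed starting state: Web UI open to the whole Internet on WAN1.
    plane = MgmtPlane({"LAN": {"http", "https"}, "WAN1": {"ping", "http", "https"}})
    print("before:", plane.exposed_to_anyone())
    print("after: ", harden_wan(plane, "203.0.113.9"))
    print("stranger on WAN1:", plane.allows("WAN1", "https", "198.51.100.7"))
    print("admin on WAN1:   ", plane.allows("WAN1", "https", "203.0.113.9"))
```

    The order in `harden_wan` is the whole point of the manual's warning: add the administrator's address to Permitted IPs first, then clear the boxes; doing it the other way round is exactly the lockout `clear` refuses.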
  • Page 58 4.3 Setting DMZ Interface Address (NAT Mode). STEP 1. Click DMZ Interface. STEP 2. Select NAT Mode in DMZ Interface (Select NAT in DMZ Interface) and enter the IP Address and Netmask. STEP 3. Select Ping, HTTP, and HTTPS. STEP 4. Click OK. Setting DMZ Interface Address (NAT Mode) Web UI...
  • Page 59 Setting DMZ Interface Address (Transparent Mode). STEP 1. Select DMZ Interface. STEP 2. Select Transparent Mode in DMZ Interface (Select DMZ_Transparent in DMZ Interface). STEP 3. Select Ping, HTTP, and HTTPS. STEP 4. Click OK. Setting DMZ Interface Address (Transparent Mode) Web UI. The WAN connection type must be Static IP Address before Transparent Mode can be chosen for the DMZ.
  • Page 60: Chapter 5 Address

    Chapter 5 Address The SG-1000 allows the Administrator to set Interface addresses of the LAN network, LAN network group, WAN network, WAN network group, DMZ and DMZ group. An IP address in the Address Table can be an address of a computer or a sub network.
  • Page 61 Define the required fields of Address. Name: A name the System Administrator gives the IP address so that it is easily recognized. IP Address: A single PC's IP address or a subnet of addresses. The network area can be: Internal IP Address, External IP Address, or DMZ IP Address. Netmask: When the entry refers to a specific host, set it to 255.255.255.255.
  • Page 62: Example

    We set up two Address examples in this chapter. Suitable example situations: Under DHCP, assign a specific IP to a static user and restrict that user to the FTP service only through policy. LAN Group: Set up a policy that only allows some users to connect to a specific external IP (External Specific IP)...
  • Page 63 5.1 Under DHCP, assign a specific IP to a static user and restrict that user to the FTP service only through policy. STEP 1. Select LAN in Address and enter the following settings: Click the New Entry button. Name: Enter Rayearth. IP Address: Enter 192.168.3.2. Netmask: Enter 255.255.255.255. MAC Address: Enter the user's MAC address (00:B0:18:25:F5:89)...
  • Page 64 STEP 2. Add the following setting in Outgoing Policy: Add a Policy Restricting the Specific IP's Access to the Internet. STEP 3. The specific IP is now assigned to the static user in Outgoing Policy and restricted to the FTP service only: Complete the Policy Restricting the Specific IP's Access to the Internet...
  • Page 65 ...the SG-1000 fills in the user's MAC address automatically. In LAN of the Address function, the SG-1000 provides a default Inside Any address that represents the whole LAN network. Likewise, WAN and DMZ have the default Outside Any and DMZ Any addresses representing their whole subnets.
  • Page 66 Set up a policy that only allows some users to connect to a specific external IP (External Specific IP). STEP 1. Set up several LAN network addresses. Setting Several LAN Network Addresses...
  • Page 67 STEP 2. Enter the following settings in LAN Group of Address: Click New Entry. Enter the name of the group. Select the users in the Available Address column and click Add. Click OK. Add New LAN Address Group. Complete Adding LAN Address Group. WAN Group and DMZ Group of Address are set up the same way as LAN Group.
  • Page 68 STEP 3. Enter the following settings in WAN of the Address function: Click New Entry. Enter the Name, IP Address, and Netmask. Click OK. Add New WAN Address. Complete the Setting of WAN Address...
  • Page 69 STEP 4. Apply STEPS 1~3 in Policy. To Exercise Address Setting in Policy. Complete the Policy Setting. An Address entry only takes effect when it is used in a Policy.
  • Page 70: Chapter 6 Service

    TCP and UDP support a variety of services, and each service is identified by a TCP or UDP port number, such as TELNET (23), FTP (21), SMTP (25), POP3 (110), etc. The SG-1000 includes two kinds of services: Pre-defined Service and Custom Service.
  • Page 71 Define the required fields of Service. Pre-defined Web UI chart and illustration: Chart / Illustration. Any Service. TCP Service, for example: FTP, FINGER, HTTP, HTTPS, IMAP, SMTP, POP3, ANY, AOL, BGP, GOPHER, Inter Locator, IRC, L2TP, LDAP, NetMeeting, NNTP, PPTP, Real Media, RLOGIN, SSH, TCP ANY, TELNET, VDO Live, WAIS, WINFRAME, X-WINDOWS, ...etc.
  • Page 72 We set up two Service examples in this chapter. Suitable example situations: Custom: Allow an external user to communicate with an internal user by VoIP through policy (VoIP ports: TCP 1720, TCP 15328-15333, UDP 15328-15333). Group: Set up a service group and, through policy, restrict specific users to the services provided by that group.
  • Page 73 6.1 Allow an external user to communicate with an internal user by VoIP through policy (VoIP ports: TCP 1720, TCP 15328-15333, UDP 15328-15333). STEP 1. Set LAN and LAN Group in the Address function as follows: Setting LAN Address Book Web UI. Setting LAN Group Address Book Web UI...
  • Page 74 STEP 2. Enter the following settings in Custom of the Service function: Click New Entry. Service Name: Enter the preset name VoIP. Protocol#1: select TCP, leave the Client Port unchanged, and set the Server Port to 1720:1720. Protocol#2: select TCP, leave the Client Port unchanged, and set the Server Port to 15328:15333. Protocol#3: select UDP, leave the Client Port unchanged, and set the Server Port to 15328:15333...
  • Page 75 Under normal circumstances the client port range is 1024-65535; changing the client range in Custom of Service is not recommended. If the two port numbers entered differ, every port in the range between them is enabled (for example, 15328:15333 opens 15328 through 15333).
  • Page 76 STEP 3. Map the Service to a Virtual Server. Compare Service to Virtual Server. STEP 4. Map the Virtual Server to an Incoming Policy (Figure 5-6). Complete the Policy for External VoIP to Connect with Internal VoIP. STEP 5. In Outgoing Policy, complete the setting for internal users using VoIP to connect to external VoIP: Complete the Policy for Internal VoIP to Connect with External VoIP. A Service only takes effect when used together with a Policy and a Virtual Server...
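    The Address objects of Chapter 5 (a /32 host pinned to a MAC, the Inside Any / Outside Any defaults) and the Service objects of Chapter 6 (custom entries in the manual's low:high notation, the 1024-65535 client range) only do anything once a Policy uses them, so the two chapters are worked through together in this added example. It is not code from the manual or the appliance: first-match-wins ordering, a default of DROP, the ANY service, the policy names and the packet format are assumptions; the Rayearth entry, its MAC and the VoIP ports are the values the manual prints.

```python
"""Address objects, Service objects (custom port ranges in the manual's
'low:high' notation) and Policies evaluated against packets, built around the
Chapter 5 and 6 walkthroughs (Rayearth host with MAC binding, the VoIP custom
service, the Main_Service group). Added example, not code from the manual or
the appliance: first-match-wins ordering, default deny, the Inside_Any /
Outside_Any definitions and the packet format are assumptions."""
import re
from ipaddress import ip_address, ip_network

DEFAULT_CLIENT_PORTS = "1024:65535"   # the client range the manual says not to change


def parse_port_range(text):
    """'1720:1720' -> (1720, 1720); '15328:15333' -> (15328, 15333).
    A reversed or out-of-range pair is an error, not a silently wider range."""
    m = re.fullmatch(r"\s*(\d{1,5}):(\d{1,5})\s*", text)
    if not m:
        raise ValueError(f"bad port range {text!r}")
    lo, hi = int(m.group(1)), int(m.group(2))
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range {text!r}")
    return lo, hi


class Address:
    """Netmask 255.255.255.255 pins one host; an optional MAC ties the entry to
    one NIC, as in the DHCP static-user example."""
    def __init__(self, name, ip, netmask="255.255.255.255", mac=None):
        self.name = name
        self.net = ip_network(f"{ip}/{netmask}", strict=False)
        self.mac = mac.lower() if mac else None

    def matches(self, ip, mac=None):
        if ip_address(ip) not in self.net:
            return False
        return self.mac is None or (mac or "").lower() == self.mac


class Service:
    """entries: (protocol, client port range, server port range) as in Custom."""
    def __init__(self, name, entries):
        self.name = name
        self.entries = [(p.upper(), parse_port_range(c), parse_port_range(s))
                        for p, c, s in entries]

    def matches(self, proto, sport, dport):
        return any(p == proto.upper() and c[0] <= sport <= c[1] and s[0] <= dport <= s[1]
                   for p, c, s in self.entries)


def predefined(name, proto, port):
    return Service(name, [(proto, DEFAULT_CLIENT_PORTS, f"{port}:{port}")])


class Policy:
    def __init__(self, name, sources, destinations, services, action):
        self.name, self.sources, self.destinations = name, sources, destinations
        self.services, self.action = services, action

    def matches(self, pkt):
        return (any(a.matches(pkt["src"], pkt.get("src_mac")) for a in self.sources)
                and any(a.matches(pkt["dst"]) for a in self.destinations)
                and any(s.matches(pkt["proto"], pkt["sport"], pkt["dport"])
                        for s in self.services))


def evaluate(policies, pkt):
    """First matching policy decides; no match means DROP (assumed default)."""
    for pol in policies:
        if pol.matches(pkt):
            return pol.action, pol.name
    return "DROP", None


# Objects from the manual's examples; the ANY service and the policy order are ours.
INSIDE_ANY = Address("Inside_Any", "0.0.0.0", "0.0.0.0")
OUTSIDE_ANY = Address("Outside_Any", "0.0.0.0", "0.0.0.0")
RAYEARTH = Address("Rayearth", "192.168.3.2", mac="00:B0:18:25:F5:89")
FTP = predefined("FTP", "TCP", 21)
ANY = Service("ANY", [("TCP", "0:65535", "0:65535"), ("UDP", "0:65535", "0:65535")])
VOIP = Service("VoIP", [("TCP", DEFAULT_CLIENT_PORTS, "1720:1720"),
                        ("TCP", DEFAULT_CLIENT_PORTS, "15328:15333"),
                        ("UDP", DEFAULT_CLIENT_PORTS, "15328:15333")])
MAIN_SERVICE = [predefined("HTTP", "TCP", 80), predefined("POP3", "TCP", 110),
                predefined("SMTP", "TCP", 25), predefined("DNS", "UDP", 53)]

OUTGOING = [   # host-specific rules first, then the general LAN rules
    Policy("rayearth-ftp-only", [RAYEARTH], [OUTSIDE_ANY], [FTP], "PERMIT"),
    Policy("rayearth-deny-rest", [RAYEARTH], [OUTSIDE_ANY], [ANY], "DROP"),
    Policy("lan-voip", [INSIDE_ANY], [OUTSIDE_ANY], [VOIP], "PERMIT"),
    Policy("lan-main-service", [INSIDE_ANY], [OUTSIDE_ANY], MAIN_SERVICE, "PERMIT"),
]

if __name__ == "__main__":
    pkt = dict(src="192.168.3.2", src_mac="00:b0:18:25:f5:89", dst="203.0.113.10",
               proto="tcp", sport=40000, dport=80)   # constructed packet
    print(evaluate(OUTGOING, pkt))                  # ('DROP', 'rayearth-deny-rest')
```

    Two things the walkthrough does not spell out fall out of running this. "FTP only" needs an explicit deny after the permit, otherwise the host falls through to the general LAN rules. And the MAC on an Address entry only narrows that entry: a different machine using 192.168.3.2 with another MAC is simply not "Rayearth", so it gets the ordinary Inside Any treatment rather than being blocked.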
  • Page 77: Group

    6.2 Set up a service group and, through policy, restrict specific users to the services provided by that group (Group: HTTP, POP3, SMTP, DNS). STEP 1. Enter the following settings in Group of Service: Click New Entry. Name: Enter Main_Service. Select HTTP, POP3, SMTP, DNS in Available Service and click Add. Click OK. Add Service Group...
  • Page 78 Complete the setting of Adding Service Group. To remove a service from Selected Service, choose the service you want to delete and click Remove.
  • Page 79 STEP 2. In LAN Group of the Address function, set up an Address Group of the hosts that should have this Internet access. Setting Address Book Group. STEP 3. Apply the Service Group in an Outgoing Policy. Setting Policy...
  • Page 80: Chapter 7 Schedule

    Chapter 7 Schedule. In this chapter the SG-1000 lets the Administrator configure a schedule for policies to take effect, so that they apply only at the designated times. The Administrator can then set the start time and stop time of a Policy or VPN connection in Policy or VPN.
  • Page 81 To configure the valid time periods in a day during which LAN users may access the Internet: STEP 1. Enter the following in Schedule: Click New Entry. Enter the Schedule Name. Set up the working time of the Schedule for each day. Click OK. Setting Schedule Web UI. Complete the Setting of Schedule...
  • Page 82 STEP 2. Apply the Schedule in an Outgoing Policy. Complete the Setting of Applying the Schedule in Policy...
  • Page 83: Chapter 8 Qos

    QoS Priority: Configure the priority for distributing upstream/downstream and unused bandwidth. The SG-1000 defines bandwidth classes as QoS entries and applies the suitable one through Policy to control and distribute bandwidth efficiently. This also makes it convenient for the administrator to get the best use of the available bandwidth.
  • Page 84 The Flow After Using QoS (Max. Bandwidth: 400Kbps, Guaranteed Bandwidth: 200Kbps)...
  • Page 85 Define the required fields of QoS. WAN: Displays WAN1 and WAN2. Downstream Bandwidth: Configure the Guaranteed Bandwidth and Maximum Bandwidth according to the bandwidth you receive from your ISP. Upstream Bandwidth: Configure the Guaranteed Bandwidth and Maximum Bandwidth according to the bandwidth you receive from your ISP. Priority: Configure the priority for distributing upstream/downstream and unused...
  • Page 86 8.1 Setting a policy that restricts a user's downstream and upstream bandwidth. STEP 1. Enter the following settings in QoS: Click New Entry. Name: The name of the QoS entry you want to configure. Enter the bandwidth for WAN1 and WAN2. Select the QoS Priority. Click OK. QoS Web UI Setting. Complete the QoS Setting...
  • Page 87 STEP 2. Use the QoS entry from STEP 1 in an Outgoing Policy. Setting the QoS in Policy. Complete Policy Setting. When the administrator sets QoS, the bandwidth range that can be set is bounded by the value entered in WAN of Interface, so the downstream and upstream bandwidth in WAN of Interface must be set accurately.
  • Page 88: Chapter 9 Authentication

    ...VPN and IPSec) connection authority. The user has to pass authentication to access the Internet. The SG-1000 authenticates LAN users either by accounts and passwords set on the device, which identify their privileges, or by a RADIUS server you set up yourself. The system administrator can use these two modes to manage Authentication.
  • Page 89 Define the required fields of Authentication. Authentication Management: Provides the Administrator the port number and valid time used to set up SG-1000 authentication (Authentication has to be set up first). Authentication Port: When enabled on the SG-1000, internal users have to pass authentication on this port to access the Internet.
  • Page 90 When a user connects to the external network through Authentication, the following page is displayed: Authentication Login Web UI...
  • Page 91 After passing Authentication, the browser continues to the requested website. A user who wants to authenticate proactively can open the LAN IP on the Authentication port number, and the Authentication Web UI will be displayed...
  • Page 92 ...The user account for Authentication you want to set. Password: The password used for Authentication. Confirm Password: Enter the same password again. Shared Secret: The password used for authentication between the SG-1000 and the RADIUS Server. 802.1x RADIUS: RADIUS Server authentication for a wireless network...
  • Page 93: Auth User and Group

    We set up four Authentication examples in this chapter. Suitable example situations: Auth User / Auth Group: Set a specific user to connect to the external network only after passing the authentication required by policy (using the built-in Auth User and Group function). RADIUS: Set users to connect to the external network only after passing the authentication required by policy.
  • Page 94 ...Group function). STEP 1. Enter the following settings in Auth User of Authentication: Auth User Setting Web UI. To use Authentication, the DNS Server on the user's network card must be the LAN Interface address of the SG-1000...
  • Page 95 STEP 2. Enter the following settings in Auth Group of Authentication: Click New Entry. Name: Enter laboratory. Select the Available Authentication User and Add to Selected Authentication User. Click OK. Complete Auth Group Setting. Auth Group Setting Web UI...
  • Page 96 STEP 3. Add a policy in Outgoing Policy and select the Authentication setting of STEPS 1 and 2. Auth-User Policy Setting. Complete the Policy Setting of Auth-User...
  • Page 97 STEP 4. When user_01 is going to access the Internet through a browser, the authentication UI appears in the browser. After entering the correct user name and password, click OK to access the Internet. STEP 5. If the user no longer needs Internet access and wants to log out, he/she can click LOGOUT Auth-User to log out of the system.
  • Page 98 9.2 Set users to connect to the external network only after passing the authentication required by policy (using the external RADIUS Server built into Windows 2003 Server). ※ Windows 2003 RADIUS Server setup: STEP 1. Click [Start] [Control Panel] [Add/Remove Programs], choose [Add/Remove Windows Components], and the [Windows Components Wizard] appears. STEP 2. Choose Networking Services and click Details. Add Windows Components Web UI...
  • Page 99 STEP 3. Choose Internet Authentication Service (IAS). Add New Internet Authentication Services Web UI...
  • Page 100 STEP 4. Click [Start] [Control Panel] [Administrative Tools] and choose [Internet Authentication Service]. Choose Internet Authentication Service...
  • Page 101 STEP 5. Right-click RADIUS Clients and choose New RADIUS Client. Add New RADIUS Client...
  • Page 102 STEP 6. Enter the Name and Client Address (the SG-1000's IP). Add New RADIUS Client Name and Address...
  • Page 103 STEP 7. Choose RADIUS Standard; enter the Shared Secret and Confirm Shared Secret (the settings must match the RADIUS settings on the SG-1000). Add New RADIUS Client and Password Web UI...
  • Page 104 STEP 8﹒Press the right button on Remote Access Policies and select to add New Remote Access Policy. Add New Remote Access Policy 103...
  • Page 105 STEP 9﹒Select Use the wizard to set up a typical policy for a common scenario and enter the Policy name. Add Remote Access Policy and Name 104...
  • Page 106 STEP 10﹒Select Ethernet Add New Remote Access Policy Method 105...
  • Page 107 STEP 11﹒Choose User Add New Remote Access Policy of User or Group Access 106...
  • Page 108 STEP 12﹒Select MD5-Challenge Authentication Methods of Adding New Remote Access Policy 107...
  • Page 109 STEP 13﹒Press the right button on Radius and choose Properties. Internet Authentication Service Setting Web UI 108...
  • Page 110 STEP 14﹒Select Grant remote access permission and Remove the original setting, click Add to add a new one. RADIUS Properties Settings 109...
  • Page 111 STEP 15﹒Add Service-Type Add New RADIUS Attribute 110...
  • Page 112 STEP 16﹒Add Authenticate Only from the left side. Add RADIUS Service-Type 111...
  • Page 113 STEP 17﹒Press Edit Profile button and select Authentication and select Unencrypted authentication (PAP, SPAP) Edit DADIUS Dial-in Property 112...
  • Page 114 STEP 18﹒Add Auth User. Click [Start] [Setting] [Control Panel] [Administrative Tools], Choose [Computer Management] Enter Computer Management 113...
  • Page 115 STEP 19﹒Press the right button on the Users and select New User. Add New User STEP 20﹒Complete the setting of Windows 2003 RADIUS Server. 114...
  • Page 116 STEP 21﹒Enter IP, Port and Shared Secret (The setting must be the same as RADIUS Server) in RADIUS of Authentication Setting RADIUS Server STEP 22﹒Add Radius User in Auth User Group of Authentication. Add New RADIUS Auth Group 115...
  • Page 117 STEP 23﹒Add a policy of Auth User Group (RADIUS) that set by STEP 22 in Outgoing Policy. RADIUS Authentication Policy Setting Web UI Complete RADIUS Authentication of Policy Setting 116...
  • Page 118 STEP 24﹒When the user is going to connect with Internet through browser, the Authentication windows will appear in browser. After entering the correct account and password can connect with Internet through SG-1000. Access to Internet by Authentication Web UI 117...
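The RADIUS exchange behind STEP 7, STEP 17 and STEP 21, as an added example that is not part of the manual and not SG-1000 or Windows code: a Python model of an Access-Request carrying a PAP User-Password (RFC 2865), the server-side recovery of the password with the shared secret, and the Response Authenticator the client checks on the reply. The shared secret, user name, password and NAS address are constructed for the example; it shows why the secret must be identical on both sides and why it is the only protection the password has on the wire.

```python
import hashlib
import hmac
import os
import struct

# Constructed values for this example: not the secret or addresses of any real deployment.
SHARED_SECRET = b"example-shared-secret-change-me"
USERS = {b"alice": b"correct horse battery staple"}   # stands in for the Windows user of STEP 19

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 2, 4, 6
SERVICE_AUTHENTICATE_ONLY = 8                          # the Service-Type chosen in STEP 16


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password to a multiple of 16 bytes and XOR
    each block with MD5(secret + previous block), seeding with the 16-byte
    Request Authenticator. This is obfuscation keyed by the shared secret, not
    strong encryption, which is why RADIUS should stay on a trusted segment."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password, as run by the RADIUS server (IAS).
    Padding NULs are stripped, so a password ending in NUL is not supported."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(kind: int, value: bytes) -> bytes:
    return struct.pack("!BB", kind, len(value) + 2) + value


def build_access_request(ident: int, username: bytes, password: bytes,
                         nas_ip: str, secret: bytes, request_auth: bytes = b"") -> bytes:
    """What the SG-1000 (the NAS) sends in STEP 24 after the user fills in the form."""
    request_auth = request_auth or os.urandom(16)     # must be fresh and unpredictable
    attrs = (attribute(USER_NAME, username)
             + attribute(USER_PASSWORD, hide_password(password, secret, request_auth))
             + attribute(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attribute(SERVICE_TYPE, struct.pack("!I", SERVICE_AUTHENTICATE_ONLY)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def parse_packet(pkt: bytes):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("Length field does not match the packet")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs[pkt[pos]] = pkt[pos + 2:pos + pkt[pos + 1]]
        pos += pkt[pos + 1]
    return code, ident, pkt[4:20], attrs


def server_handle(request: bytes, secret: bytes) -> bytes:
    """IAS side: recover the password with its copy of the secret, check the
    user, and answer with an Access-Accept or Access-Reject whose Response
    Authenticator is MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    code, ident, request_auth, attrs = parse_packet(request)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    reply_code = ACCESS_ACCEPT if USERS.get(attrs.get(USER_NAME)) == password else ACCESS_REJECT
    header = struct.pack("!BBH", reply_code, ident, 20)
    return header + hashlib.md5(header + request_auth + secret).digest()


def client_check_reply(reply: bytes, request: bytes, secret: bytes) -> str:
    """SG-1000 side: 'accept' or 'reject' only if the reply carries the request's
    Identifier and a Response Authenticator computed with the same secret;
    anything else is 'forged' and must not log the user in."""
    code, ident, response_auth, _ = parse_packet(reply)
    _, req_ident, request_auth, _ = parse_packet(request)
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    if ident != req_ident or not hmac.compare_digest(response_auth, expected):
        return "forged"
    return "accept" if code == ACCESS_ACCEPT else "reject"


def demo():
    """Matching secrets log alice in; a server holding a different secret recovers
    garbage and its reply fails the authenticator check on the SG-1000 side."""
    request = build_access_request(7, b"alice", USERS[b"alice"], "192.168.1.1", SHARED_SECRET)
    good = client_check_reply(server_handle(request, SHARED_SECRET), request, SHARED_SECRET)
    bad = client_check_reply(server_handle(request, b"mistyped-secret"), request, SHARED_SECRET)
    return good, bad
```

The second case in demo() is what a mistyped secret in STEP 7 or STEP 21 looks like: the server cannot recover the password, rejects, and the SG-1000 cannot even trust the rejection. Because the whole scheme rests on MD5 and a shared secret, an attacker who can sniff the NAS-to-server segment can mount an offline guess against the secret, which is the reason for the trusted-segment advice in STEP 17.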
  • Page 119: Pop3 Server

    9.3 Restricting users to reach the external network only after passing policy authentication, using an external POP3 server for authentication. STEP 1﹒Enter the POP3 server settings under Authentication > POP3. (The SG-1000 checks the user's account and password against the mail server. POP3's USER/PASS commands carry the password in cleartext, so keep the POP3 server on a trusted network segment.) POP3 Server Setting Web UI STEP 2﹒Add the POP3 user to a new Authentication Group. Add New POP3 User Web UI...
  • Page 120 STEP 3﹒Add an Outgoing Policy that uses the Authentication User Group created in STEP 2. POP3 Server Authentication Policy Setting Complete POP3 Server Authentication Policy Setting...
  • Page 121 STEP 4﹒When a user opens a browser to reach the Internet, the Authentication Web UI appears in the browser. After entering a valid account and password and clicking OK, the user can reach the Internet through the SG-1000. The Authentication Web UI...
  • Page 122: Content Filtering

    Chapter 10 Content Filtering Content Filtering includes URL, Script, P2P, IM and Download blocking. 【URL Blocking】: The administrator can allow or restrict access to specific websites by complete domain name, keyword, or the metacharacters ~ and *. 【Script Blocking】: Controls whether Popup windows, ActiveX, Java and Cookies are allowed. 【P2P Blocking】:...
  • Page 123: Chapter 10 Content Blocking

    Define the required fields of Content Blocking URL String: The domain name or keyword whose access is restricted, or, with the ~ prefix, a domain that may be reached. Popup Blocking: Prevent pop-up windows from appearing. ActiveX Blocking: Block ActiveX content. Java Blocking: Block Java content. Cookies Blocking: Block cookies. eDonkey Blocking: Prevent users from transferring files with eDonkey and eMule...
  • Page 124 File Extension ("Sub-name file") Blocking: Prevent users from transferring files with specific extensions over HTTP. All Types: Prevent users from transferring audio and video files and the listed file extensions over HTTP.
  • Page 125 Five Content Blocking examples are set up in this chapter: Example / Suitable Situation: URL Blocking: Restrict the internal users to a few specific websites. Script Blocking: Restrict the internal users from loading script content (popups, ActiveX, Java, cookies) from websites. P2P Blocking: Restrict the internal users from fetching files from the Internet by P2P.
  • Page 126: Url Blocking

    10.1 Restrict the internal users to a few specific websites ※URL Blocking symbols: ~ means allow (open up); * is a wildcard that matches any run of characters. To block a specific website: enter its complete domain name or a keyword in URL String, for example www.kcg.gov.tw or gov. A keyword is matched anywhere in the domain name, so gov also blocks every other domain containing those letters.
  • Page 127 STEP 1﹒Enter the following under URL of the Content Filtering function: Click New Entry, URL String: enter ~yahoo, click OK. Click New Entry, URL String: enter ~google, click OK. Click New Entry, URL String: enter *, click OK. Complete setting a URL Blocking policy Content Filtering Table...
  • Page 128 STEP 2﹒Add an Outgoing Policy and enable Content Blocking in it: URL Blocking Policy Setting STEP 3﹒Complete the policy that permits the internal users to reach only some specific websites in the Outgoing Policy function: Complete Policy Settings Afterwards the users can only browse websites whose domain name includes "yahoo" or "google". Because this is a keyword match, any domain containing those strings is allowed, not only yahoo.com and google.com.
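The matching rule behind the three entries above, as an added example that is not code from the manual or the SG-1000 firmware: a Python evaluator for URL String entries in which a plain entry is a keyword that blocks any host name containing it, ~ marks an allow entry, and * matches any characters. The manual does not state how the SG-1000 orders its checks, so this model assumes allow entries are consulted before block entries (an assumption); the sample host names are constructed. It also shows the edge the keyword match leaves open: ~yahoo admits every domain containing that string, not only yahoo.com.

```python
import re
from typing import List, Optional, Sequence, Tuple

# Constructed rule set: the three entries typed in STEP 1, in that order.
ALLOW_ONLY_YAHOO_GOOGLE = ["~yahoo", "~google", "*"]


def _pattern(entry: str) -> "re.Pattern[str]":
    """Turn one URL String into a regex. The text is a keyword, so it is searched
    for anywhere in the host name; '*' becomes 'any run of characters'. A
    leading '~' is the allow marker and is not part of the pattern."""
    text = entry[1:] if entry.startswith("~") else entry
    return re.compile(".*".join(re.escape(part) for part in text.split("*")), re.IGNORECASE)


def evaluate(host: str, entries: Sequence[str]) -> Tuple[str, Optional[str]]:
    """Decide 'allow' or 'block' for a host name and report the entry that decided.
    Assumption (not stated in the manual): '~' allow entries are checked before
    block entries, so the order the entries were typed in does not matter.
    A host that matches nothing is allowed; entries restrict, they do not grant."""
    host = host.lower().rstrip(".")
    allows = [e for e in entries if e.startswith("~")]
    blocks = [e for e in entries if not e.startswith("~")]
    for entry in allows:
        if _pattern(entry).search(host):
            return "allow", entry
    for entry in blocks:
        if _pattern(entry).search(host):
            return "block", entry
    return "allow", None


def review(entries: Sequence[str], hosts: Sequence[str]) -> List[Tuple[str, str]]:
    """Dry-run a rule set against sample host names before deploying it."""
    return [(h, evaluate(h, entries)[0]) for h in hosts]


def demo():
    # Constructed sample hosts, including one that abuses the keyword match.
    return review(ALLOW_ONLY_YAHOO_GOOGLE,
                  ["www.yahoo.com", "mail.google.com", "www.kcg.gov.tw", "yahoo.attacker.example"])
```

The last sample host in demo() is the practical caveat: a keyword allow entry such as ~yahoo is satisfied by any name an attacker registers that contains the string. Where the intent is a single site, enter the complete domain name (for example ~www.yahoo.com) rather than a keyword, and dry-run the list with review() against the hosts you expect to allow and to block.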
  • Page 129: Script

    10.2 Restrict the internal users from loading script content from websites STEP 1﹒Select the following under Script of the Content Blocking function: Select Popup Blocking, Select ActiveX Blocking, Select Java Blocking, Select Cookies Blocking, Click OK. Complete the setting of Script Blocking Script Blocking Web UI...
  • Page 130 STEP 2﹒Add a new Outgoing Policy and enable Content Blocking in it: New Policy of Script Blocking Setting STEP 3﹒Complete the policy that restricts the internal users from loading script content from websites in the Outgoing Policy: Complete Script Blocking Policy Setting Under this policy users cannot use the selected functions (Java, cookies, and so on) while browsing. Blocking cookies also breaks websites that need a login session, so apply this policy only to the user groups that need it.
  • Page 131 10.3 Restrict the internal users from fetching files from the Internet by P2P STEP 1﹒Select the following under P2P of the Content Blocking function: Select eDonkey Blocking, Select BitTorrent Blocking, Select WinMX Blocking, Click OK. Complete the setting of P2P Blocking P2P Blocking Web UI...
  • Page 132 STEP 2﹒Add a new Outgoing Policy and enable Content Blocking in it: Add New Policy of P2P Blocking STEP 3﹒Complete the policy that restricts the internal users from fetching files from the Internet by P2P in the Outgoing Policy: Complete P2P Blocking Policy Setting P2P transfers occupy a lot of bandwidth and can degrade service for other users.
  • Page 133 10.4 Restrict the internal users from sending messages, files, video and audio by instant messaging STEP 1﹒Enter the following under IM Blocking of the Content Blocking function: Select MSN Messenger, Yahoo Messenger, ICQ Messenger, QQ Messenger and Skype. Click OK. Complete the setting of IM Blocking. IM Blocking Web UI...
  • Page 134 STEP 2﹒Add a new Outgoing Policy and enable Content Blocking in it: Add New IM Blocking Policy STEP 3﹒Complete the policy that restricts the internal users from sending messages, files, audio and video by instant messaging in the Outgoing Policy: Complete IM Blocking Policy Setting...
  • Page 135: Download

    10.5 Restrict the internal users from downloading video, audio and files with specific extensions directly over HTTP or FTP STEP 1﹒Enter the following under Download of the Content Blocking function: Select All Types Blocking, Click OK. Complete the setting of Download Blocking. Download Blocking Web UI...
  • Page 136 STEP 2﹒Add a new Outgoing Policy and enable Content Blocking in it: Add New Download Blocking Policy Setting STEP 3﹒Complete the Outgoing Policy that restricts the internal users from downloading video, audio and files with specific extensions directly over HTTP: Complete Download Blocking Policy Setting...
  • Page 137: Chapter11 Virtual Server

    The SG-1000's Virtual Server function solves this problem. A Virtual Server uses a real (public) IP address on the SG-1000's WAN interface as the Virtual Server IP. Through the Virtual Server function, the SG-1000 translates the Virtual Server's IP address into a private IP address in the LAN network.
  • Page 138 The user connects to a real IP in the SG-1000's WAN subnet, and the SG-1000 maps that real IP to a private IP in the LAN. Mapped IP is a one-to-one mapping: all services of one WAN real IP address are mapped to one LAN private IP address.
  • Page 139 Define the required fields of Virtual Server WAN IP: WAN IP address (real IP address). Map to Virtual IP: Map the WAN real IP address to the LAN private IP address. Virtual Server Real IP: The WAN IP address used by the Virtual Server. Service name (Port Number):...
  • Page 140 Four Virtual Server examples are set up in this chapter: Example / Suitable Situation: Mapped IP: One server that provides several services, such as FTP, Web and Mail, exposed by policy. Virtual Server: Several servers that provide a single service, exposed through policy by Virtual Server.
  • Page 141 11.1 One server that provides several services, such as FTP, Web and Mail, exposed by policy STEP 1﹒Set up a server in the LAN that provides several services, with its network card's IP set to 192.168.1.100 and DNS pointing at an external DNS server. STEP 2﹒Enter the following under LAN of the Address function: Mapped IP Settings of Server in Address STEP 3﹒Enter the following data under Mapped IP of the Virtual Server function:...
  • Page 142 STEP 4﹒In the Service function, group the services the server provides (DNS, FTP, HTTP, POP3, SMTP, ...), and add a second service group the server uses to send mail. Service Setting STEP 5﹒Add a policy that combines the settings of STEP 3 and STEP 4 in the Incoming Policy. Complete the Incoming Policy STEP 6﹒Add a policy that combines STEP 2 and STEP 4 in the Outgoing Policy.
  • Page 143 STEP 7﹒The setting that provides several services by Mapped IP is complete. A Single Server that Provides Several Services by Mapped IP It is strongly recommended not to choose ANY as the service when setting up a Mapped IP and its policy. Otherwise every port of the mapped host is exposed to the Internet and it can easily be attacked.
  • Page 144 Several servers that provide a single service, exposed through policy by Virtual Server (Web service as the example) STEP 1﹒Set up several servers that provide Web service in the LAN, with IP addresses 192.168.1.101, 192.168.1.102, 192.168.1.103 and 192.168.1.104.
  • Page 145 STEP 2﹒Enter the following data under Server 1 of the Virtual Server function: Click the button next to Virtual Server Real IP ("click here to configure") in Server 1. Virtual Server Real IP: Enter 211.22.22.23 (click Assist for assistance). Click OK. Virtual Server Real IP Setting Click New Entry Service: Select HTTP (80)
  • Page 146 STEP 3﹒Add a new policy in the Incoming Policy that includes the virtual server set in STEP 2. Complete Virtual Server Policy Setting In this example the external users must use port 8080 to reach the website served by the Web servers. STEP 4﹒The setting that provides a single service by Virtual Server is complete.
  • Page 147 An external user uses VoIP to connect with VoIP in the LAN (VoIP ports: TCP 1720, TCP 15328-15333, UDP 15328-15333) STEP 1﹒Set up the VoIP device in the LAN with IP 192.168.1.100. STEP 2﹒Enter the following under LAN of the Address function: Setting LAN Address Web UI STEP 3﹒Add a new VoIP service group under Custom of the Service function.
  • Page 148 STEP 4﹒Enter the following under Server 1 of the Virtual Server function: Click the button next to Virtual Server Real IP ("click here to configure") in Server 1. Virtual Server Real IP: Enter 61.11.11.12 (click Assist for assistance) (Use WAN). Click OK. Virtual Server Real IP Setting Web UI Click New Entry Service: Select (Custom Service) VoIP_Service...
  • Page 149 STEP 5﹒Add a new Incoming Policy that includes the virtual server set in STEP 4: Complete the Policy includes Virtual Server Setting STEP 6﹒Enter the following in the Outgoing Policy so that internal users can use VoIP to connect with VoIP on the external network: Complete the Policy Setting of VoIP Connection...
  • Page 150 STEP 7﹒The setting that lets external and internal users communicate with each other over a specific service by Virtual Server is complete. Complete the Setting of the External/Internal User using a specific service to communicate with each other by Virtual Server...
  • Page 151 Several servers that each provide the same set of services, exposed through policy by Virtual Server (HTTP, POP3, SMTP and DNS group as the example) STEP 1﹒Set up several servers that provide several services in the LAN. Their network cards' IPs are 192.168.1.101, 192.168.1.102, 192.168.1.103 and 192.168.1.104, and DNS points at an external DNS server.
  • Page 152 STEP 3﹒Group the services of the servers under Custom of the Service function, and add a service group the servers use to send e-mail. Add New Service Group...
  • Page 153 STEP 4﹒Enter the following data under Server 1 of the Virtual Server: Click the button next to Virtual Server Real IP ("click here to configure") in Server 1. Virtual Server Real IP: Enter 211.22.22.23 (click Assist for assistance). Click OK. Virtual Server Real IP Setting Click New Entry Service: Select (Group Service) Main_Service External Service Port: From-Service (Group)
  • Page 154 STEP 5﹒Add a new Incoming Policy that includes the virtual server set in STEP 4: Complete Incoming Policy Setting STEP 6﹒Add a new policy that includes the settings of STEP 2 and STEP 3 in the Outgoing Policy, so the servers can send e-mail to external mail servers. Complete Outgoing Policy Setting...
  • Page 155 STEP 7﹒The setting that provides several services by Virtual Server is complete. Complete the Setting of Providing Several Services by Several Virtual Servers...
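How the two styles of this chapter differ in what they expose, as an added example that is not the manual's or the SG-1000's code: a Python model of Mapped IP (one WAN IP, every port, to one host) and Virtual Server (one WAN IP and service, with optional port translation, to one or more hosts), gated by the Incoming Policy's service list as in STEP 5 of 11.1 and STEP 3 of the Web-server example. The addresses are the ones the chapter uses; how the SG-1000 shares one Virtual Server among the four web servers is not described here, so the model simply takes them in turn (an assumption). Its exposure report puts the ANY warning on page 143 in concrete terms.

```python
from itertools import cycle
from typing import Dict, Iterator, List, Optional, Sequence, Tuple

ANY = "ANY"


class IncomingNat:
    """Mapped IP and Virtual Server entries together with the Incoming Policy
    that has to permit each service before the SG-1000 forwards it."""

    def __init__(self) -> None:
        self.mapped_ip: Dict[str, str] = {}        # WAN IP -> LAN host (every port)
        # (WAN IP, proto, external port) -> (LAN hosts, internal port)
        self.virtual: Dict[Tuple[str, str, int], Tuple[Iterator[str], int]] = {}
        self.policy: Dict[str, List[str]] = {}     # WAN IP -> services the Incoming Policy permits

    def add_mapped_ip(self, wan_ip: str, lan_ip: str, permitted: Sequence[str]) -> None:
        self.mapped_ip[wan_ip] = lan_ip
        self.policy[wan_ip] = list(permitted)

    def add_virtual_server(self, wan_ip: str, proto: str, ext_port: int,
                           lan_hosts: Sequence[str], int_port: Optional[int] = None) -> None:
        # Assumption: connections are handed to the listed hosts in turn.
        self.virtual[(wan_ip, proto, ext_port)] = (cycle(lan_hosts), int_port or ext_port)
        self.policy.setdefault(wan_ip, []).append(f"{proto}/{ext_port}")

    def translate(self, wan_ip: str, proto: str, port: int) -> Optional[Tuple[str, int]]:
        """Where a packet for WAN IP:port ends up, or None when the box drops it."""
        permitted = self.policy.get(wan_ip, [])
        if ANY not in permitted and f"{proto}/{port}" not in permitted:
            return None
        entry = self.virtual.get((wan_ip, proto, port))
        if entry is not None:
            hosts, int_port = entry
            return next(hosts), int_port             # several servers, one service
        if wan_ip in self.mapped_ip:
            return self.mapped_ip[wan_ip], port      # one server, port unchanged
        return None

    def exposure(self, wan_ip: str):
        """What an Internet port scan can reach through this WAN IP."""
        permitted = self.policy.get(wan_ip, [])
        if wan_ip in self.mapped_ip and ANY in permitted:
            return "every port of " + self.mapped_ip[wan_ip]
        return sorted(set(permitted))


def demo():
    """11.1 with a proper service group, the Web example with 8080 -> 80, and the
    discouraged Mapped IP + ANY combination."""
    nat = IncomingNat()
    nat.add_mapped_ip("61.11.11.12", "192.168.1.100", ["UDP/53", "TCP/21", "TCP/80", "TCP/110", "TCP/25"])
    nat.add_virtual_server("211.22.22.23", "TCP", 8080,
                           ["192.168.1.101", "192.168.1.102", "192.168.1.103", "192.168.1.104"], int_port=80)
    careless = IncomingNat()
    careless.add_mapped_ip("61.11.11.12", "192.168.1.100", [ANY])
    return {
        "mail_to_mapped_ip": nat.translate("61.11.11.12", "TCP", 25),
        "rdp_to_mapped_ip": nat.translate("61.11.11.12", "TCP", 3389),
        "first_web_client": nat.translate("211.22.22.23", "TCP", 8080),
        "second_web_client": nat.translate("211.22.22.23", "TCP", 8080),
        "web_on_port_80": nat.translate("211.22.22.23", "TCP", 80),
        "exposure_ok": nat.exposure("61.11.11.12"),
        "exposure_any": careless.exposure("61.11.11.12"),
    }
```

The exposure() output is the check to run after every Virtual Server change: with a service group it lists exactly the handful of ports the Internet can reach; with ANY on a Mapped IP it is the whole host, including whatever management or file-sharing ports the server happens to listen on.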
  • Page 156 Chapter 12 The SG-1000 uses VPN to provide a secure private network service, combined with remote authentication so that remote networks and PCs can be integrated into the enterprise network. It gives the enterprise and its remote users an encrypted channel that combines good throughput with encryption when transferring data.
  • Page 157 Define the required fields of VPN: RSA: A public-key cryptosystem for encryption and authentication. Preshared Key: An IKE VPN must be defined with a Preshared Key. The key may be up to 128 bytes long. ISAKMP (Internet Security Association and Key Management Protocol): An extensible protocol framework that IKE (Internet Key Exchange) follows to establish Security Associations (SAs).
  • Page 158 DES (Data Encryption Standard): The block cipher developed by IBM and published as a US federal standard in 1977; it works on 64-bit blocks with a 56-bit key, which is far too short against today's attackers. Triple-DES (3DES): DES applied three times with either two or three keys. AES (Advanced Encryption Standard): The cipher NIST standardized in 2001 (FIPS 197) to replace the aging DES; it is the algorithm to prefer wherever the SG-1000 offers it.
  • Page 159 Define the required fields of IPSec Function The VPN connection status is shown by an icon. Chart / Meaning: Not applied; Disconnected; Connecting. Name: The VPN name that identifies the IPSec Autokey definition; the name must be unique. WAN: The WAN interface of the local gateway.
  • Page 160 Define the required fields of PPTP Server Function PPTP Server: Select Enable or Disable. Client IP Range: The range of IP addresses handed out to PPTP clients. The VPN connection status is shown by an icon. Chart / Meaning: Not applied; Disconnected; Connecting. User Name: Shows the PPTP client's user name while it is connected to the PPTP server.
  • Page 161 Define the required fields of PPTP Client Function The VPN connection status is shown by an icon. Chart / Meaning: Not applied; Disconnected; Connecting. User Name: Shows the PPTP client's user name while it is connected to the PPTP server. Server IP or Domain Name: Shows the PPTP server's IP address or domain name while connected to the PPTP server.
  • Page 162: Vpn

    Define the required fields of Trunk Function The VPN connection status is shown by an icon. Chart / Meaning: Not applied; Disconnected; Connecting. Name: The VPN name that identifies the VPN Trunk definition; the name must be unique. Source Subnet: Shows the source subnet.
  • Page 163 Two VPN examples are set up in this chapter: No. / Suitable Situation / Example: Ex1 IPSec Autokey Setting: IPSec VPN connection between two SG-1000s. Ex2 PPTP Setting: PPTP VPN connection between two SG-1000s.
  • Page 164 VPN connection with Company B's 192.168.20.100 to download the shared file. The default gateway of Company A is the LAN IP of its SG-1000, 192.168.10.1. Follow the steps below: STEP 1﹒Browse to the default gateway IP of Company A's SG-1000, 192.168.10.1, and select IPSec Autokey under VPN.
  • Page 165 STEP 3﹒Select Remote Gateway-Fixed IP or Domain Name in the To Destination list and enter the IP address. IPSec To Destination Setting STEP 4﹒Select Preshare under Authentication Method and enter the Preshared Key (max: 100 bits). IPSec Authentication Method Setting STEP 5﹒Select ISAKMP Algorithm in the Encapsulation list.
  • Page 166 STEP 6﹒In the IPSec Algorithm list you can choose Data Encryption+Authentication or Authentication Only: ENC Algorithm: 3DES/DES/AES/NULL AUTH Algorithm: MD5/SHA1 Here we select 3DES for ENC Algorithm and MD5 for AUTH Algorithm as the encapsulation for data transmission. (Of the options offered, AES and SHA1 are the stronger choices: DES and MD5 are considered broken today and NULL provides no confidentiality at all. Whatever is chosen must be identical on both gateways.) IPSec Algorithm Setting STEP 7﹒Select GROUP1 under Perfect Forward Secrecy (GROUP1 is the 768-bit Diffie-Hellman group; choose the largest group both ends support), enter 3600 seconds in ISAKMP Lifetime, enter 28800 seconds in IPSec Lifetime, and select Main...
  • Page 167 STEP 9﹒Enter the following under Trunk of the VPN function: Enter a specific Trunk Name. From Source: Select LAN. From Source Subnet / Mask: Enter 192.168.10.0 / 255.255.255.0. To Destination: Select To Destination Subnet / Mask. To Destination Subnet / Mask: Enter 192.168.20.0 / 255.255.255.0. Tunnel: Add VPN_A.
  • Page 168 STEP 10﹒Enter the following in the Outgoing Policy: Authentication User: Select All_NET. Schedule: Select Schedule_1. QoS: Select QoS_1. Trunk: Select IPSec_VPN_Trunk. Click OK. Setting the VPN Trunk Outgoing Policy Complete the VPN Trunk Outgoing Policy Setting...
  • Page 169 STEP 11﹒Enter the following in the Incoming Policy: Schedule: Select Schedule_1. QoS: Select QoS_1. Trunk: Select IPSec_VPN_Trunk. Click OK. Setting the VPN Trunk Incoming Policy Complete the VPN Trunk Incoming Policy Setting...
  • Page 170 The default gateway of Company B is the LAN IP of its SG-1000, 192.168.20.1. Follow the steps below: STEP 1. Browse to the default gateway IP of Company B's SG-1000, 192.168.20.1, and select IPSec Autokey under VPN. Click New Entry.
  • Page 171 STEP 3. Select Remote Gateway-Fixed IP or Domain Name in the To Destination list and enter the IP address. IPSec To Destination Setting STEP 4. Select Preshare under Authentication Method and enter the Preshared Key (max: 100 bits). IPSec Authentication Method Setting STEP 5.
  • Page 172 STEP 6. In the IPSec Algorithm list you can choose Data Encryption+Authentication or Authentication Only: ENC Algorithm: 3DES/DES/AES/NULL AUTH Algorithm: MD5/SHA1 Here we select 3DES for ENC Algorithm and MD5 for AUTH Algorithm, matching Company A's gateway; the proposal must be identical on both ends. IPSec Algorithm Setting STEP 7.
  • Page 173 STEP 9. Enter the following under Trunk of the VPN function: Enter a specific Trunk Name. From Source: Select LAN. From Source Subnet / Mask: Enter 192.168.20.0 / 255.255.255.0. To Destination: Select To Destination Subnet / Mask. To Destination Subnet / Mask: Enter 192.168.10.0 / 255.255.255.0. Tunnel: Add VPN_B.
  • Page 174 STEP 10. Enter the following in the Outgoing Policy: Authentication User: Select All_NET. Schedule: Select Schedule_1. QoS: Select QoS_1. Trunk: Select IPSec_VPN_Trunk. Click OK. Setting the VPN Trunk Outgoing Policy Complete the VPN Trunk Outgoing Policy Setting...
  • Page 175 STEP 11. Enter the following in the Incoming Policy: Schedule: Select Schedule_1. QoS: Select QoS_1. Trunk: Select IPSec_VPN_Trunk. Click OK. Setting the VPN Trunk Incoming Policy Complete the VPN Trunk Incoming Policy Setting...
  • Page 176 STEP 12. The IPSec VPN connection is complete. IPSec VPN Connection Deployment...
  • Page 177 Preparation Company A WAN IP: 61.11.11.11 LAN IP: 192.168.10.X Company B WAN IP: 211.22.22.22 LAN IP: 192.168.20.X This example uses two SG-1000s as the platforms. Suppose Company B's 192.168.20.100 is going to set up a VPN connection with Company A's 192.168.10.100 and download resources.
  • Page 178 The default gateway of Company A is the LAN IP of its SG-1000, 192.168.10.1. Follow the steps below: STEP 1. Open PPTP Server under the VPN function on Company A's SG-1000. Select Modify and enable PPTP Server: Select Encryption. (PPTP's MS-CHAP authentication and MPPE encryption have well-known weaknesses; where both ends are SG-1000s, the IPSec setup of Ex1 is the stronger choice, and PPTP is best limited to clients that cannot do IPSec.)
  • Page 179 STEP 2. Add the following under PPTP Server of the VPN function on Company A's SG-1000: Select New Entry. User Name: Enter PPTP_Connection. Password: Enter 123456789. (This is only a placeholder from the manual; use a long random password in a real deployment, since the PPTP account is reachable from the Internet.) Client IP assigned by: Select IP Range. Click OK. PPTP VPN Server Setting Complete PPTP VPN Server Setting...
  • Page 180 STEP 3. Enter the following under Trunk of the VPN function: Enter a specific Trunk Name. From Source: Select LAN. From Source Subnet / Mask: Enter 192.168.10.0 / 255.255.255.0. To Destination: Select To Destination Subnet / Mask. To Destination Subnet / Mask: Enter 192.168.20.0 / 255.255.255.0. Tunnel: Add PPTP_Server_PPTP_Connection.
  • Page 181 STEP 4. Enter the following in the Outgoing Policy: Authentication User: Select All_NET. Schedule: Select Schedule_1. QoS: Select QoS_1. Trunk: Select PPTP_VPN_Trunk. Click OK. Setting the VPN Trunk Outgoing Policy Complete the VPN Trunk Outgoing Policy Setting...
  • Page 182 STEP 5. Enter the following in the Incoming Policy: Schedule: Select Schedule_1. QoS: Select QoS_1. Trunk: Select PPTP_VPN_Trunk. Click OK. Setting the VPN Trunk Incoming Policy Complete the VPN Trunk Incoming Policy Setting...
  • Page 183 The default gateway of Company B is the LAN IP of its SG-1000, 192.168.20.1. Follow the steps below: STEP 1. Add the following under PPTP Client of the VPN function on Company B's SG-1000. Click the New Entry button.
  • Page 184 STEP 2. Enter the following under Trunk of the VPN function: Enter a specific Trunk Name. From Source: Select LAN. From Source Subnet / Mask: Enter 192.168.20.0 / 255.255.255.0. To Destination: Select To Destination Subnet / Mask. To Destination Subnet / Mask: Enter 192.168.10.0 / 255.255.255.0. Tunnel: Add PPTP_Client_PPTP_Connection.
  • Page 185 STEP 3. Enter the following in the Outgoing Policy: Authentication User: Select All_NET. Schedule: Select Schedule_1. QoS: Select QoS_1. Trunk: Select PPTP_VPN_Trunk. Click OK. Setting the VPN Trunk Outgoing Policy Complete the VPN Trunk Outgoing Policy Setting...
  • Page 186 STEP 4. Enter the following in the Incoming Policy: Schedule: Select Schedule_1. QoS: Select QoS_1. Trunk: Select PPTP_VPN_Trunk. Click OK. Setting the VPN Trunk Incoming Policy Complete the VPN Trunk Incoming Policy Setting...
  • Page 187 STEP 5. The PPTP VPN connection is complete. PPTP VPN Connection Deployment...
  • Page 188: Chapter13 Policy

    Every packet that passes through the SG-1000 is checked against the Policy. When a packet matches a policy, it is handled according to that policy's settings and is not checked against any later policy. If a packet matches no policy at all, it is dropped.
  • Page 189 The system manager sets the policy rules for DMZ to WAN packets in this function. All packets that go through the SG-1000 must be permitted by a policy (except VPN traffic). The LAN, WAN and DMZ networks therefore need an applicable policy before a network connection can be established.
  • Page 190 Define the required fields of Policy Source and Destination: Source IP and Destination IP are seen from the SG-1000's point of view: the side that opens the connection is the source, the side that answers is the destination. Service: The service item controlled by the policy. The user can choose a default value or the custom services the system manager defined in the Service function.
  • Page 191 Option: Shows whether each function of the policy is enabled. If a function is enabled, its icon appears (see the chart and illustration below). Chart / Name / Illustration: Traffic Log: Enable traffic log. Statistics: Enable traffic statistics. Authentication User...
  • Page 192 Policy) Move: Every packet that passes the SG-1000 is checked against the policies from the first to the last, so the priority of a policy can be changed from this selection. Put specific Deny rules above broad Permit rules; a Deny placed after a Permit that already matches the traffic is never consulted.
  • Page 193: Example

    Six Policy examples are set up in this chapter: No. / Suitable Situation / Example: Outgoing: Set up a policy that monitors the internal users (Logging, Statistics and Alarm Threshold as the example). Outgoing: Forbid the users from reaching a specific network (a specific WAN IP and Content Blocking as the example). Outgoing: Only allow the users who pass Authentication to...
  • Page 194 13.1 Set up a policy that monitors the internal users (Logging, Statistics and Alarm Threshold as the example) STEP 1﹒Enter the following in the Outgoing Policy: Click New Entry, Select Logging, Select Statistics, Click OK. Setting the different Policies...
  • Page 195 STEP 2﹒Complete the setting of Logging and Statistics in the Outgoing Policy: Complete Policy Setting STEP 3﹒To monitor all packets through the SG-1000, read the records under Traffic of the Log function. Traffic Log Monitor Web UI...
  • Page 196 STEP 4﹒The traffic that reached the Internet through this policy is shown under Policy Statistics of the Statistics function. Statistics Web UI...
  • Page 197 Forbid the users from reaching a specific network (a specific WAN IP and Content Blocking as the example) STEP 1﹒Enter the following under URL Blocking, Script Blocking, P2P Blocking, IM Blocking and Download Blocking of the Content Blocking function: URL Blocking Setting Script Blocking Setting P2P Blocking Setting...
  • Page 198 IM Blocking Setting Download Blocking Setting 1. URL Blocking restricts the internal users to a few specific websites. 2. Script Blocking restricts the internal users from loading script content from websites (Java, cookies, and so on). 3. P2P Blocking restricts the internal users from fetching files from the Internet by P2P (eDonkey, BT). 4.
  • Page 199 STEP 2﹒Enter the following under WAN and WAN Group of the Address function: Setting the WAN IP that is going to be blocked WAN Address Group The administrator can group custom addresses in Address, which makes policy rules easier to write.
  • Page 200 STEP 3﹒Enter the following in the Outgoing Policy: Click New Entry. Destination Address: Select the WAN_Group set in STEP 2 (blocking by IP). Action, WAN Port: Select Deny. Click OK. Setting Blocking Policy...
  • Page 201 STEP 4﹒Enter the following in the Outgoing Policy: Click New Entry, Select Content Blocking, Click OK. Setting Content Blocking Policy STEP 5﹒The setting that forbids the users from reaching a specific network is complete. Complete Policy Setting Deny in a policy drops the packets that match the rule. The system administrator should place the Deny rule in front so that it is evaluated before the permitting rule; otherwise the permitting rule matches first and the users can still connect to the specific IP.
  • Page 202 Only allow the users who pass Authentication to reach the Internet during particular hours STEP 1﹒Enter the following in the Schedule function: Add New Schedule STEP 2﹒Enter the following under Auth User and Auth User Group of the Authentication function: Setting Auth User Group The administrator can use the group function for both Authentication and Service.
  • Page 203 STEP 3﹒Enter the following in the Outgoing Policy: Click New Entry. Authentication User: Select laboratory. Schedule: Select WorkingTime. Click OK. Setting a Policy of Authentication and Schedule STEP 4﹒The policy rule that only allows users who pass authentication to reach the Internet during particular hours is complete.
  • Page 204 An external user controls an internal PC through remote control software (pcAnywhere as the example) STEP 1﹒Set up the internal PC to be controlled by the external user; its IP address is 192.168.1.2. STEP 2﹒Enter the following under Virtual Server 1 of the Virtual Server function: Setting Virtual Server...
  • Page 205 STEP 3﹒Enter the following in the Incoming Policy: Click New Entry. Destination Address: Select Virtual Server1 (61.11.11.12). Service: Select PC-Anywhere (5631-5632). Click OK. Setting the External User Control the Internal PC Policy STEP 4﹒The policy that lets the external user control the internal PC through remote control software is complete. Restrict the Source Address of this policy to the external user's own address rather than leaving it open to the whole Internet, since it exposes a remote-control service on an internal PC.
  • Page 206 Set up a Mail Server so that internal and external users can receive and send e-mail under DMZ Transparent Mode STEP 1﹒Set up a Mail Server in the DMZ with its network card's IP address set to 61.11.11.12 and DNS pointing at an external DNS server. STEP 2﹒Add the following under DMZ of the Address function: The Mail Server's IP Address Corresponds to Name Setting in Address Book of Mail Server STEP 3﹒Add the following under Group of the Service function:...
  • Page 207 STEP 4﹒Enter the following in the WAN to DMZ Policy: Click New Entry. Destination Address: Select Mail_Server. Service: Select E-mail. Click OK. Setting a Policy to access Mail Service by WAN to DMZ STEP 5﹒The policy for reaching the mail service from WAN to DMZ is complete. Complete the Policy to access Mail Service by WAN to DMZ...
  • Page 208 STEP 6﹒Add the following in the LAN to DMZ Policy: Click New Entry. Destination Address: Select Mail_Server. Service: Select E-mail. Click OK. Setting a Policy to access Mail Service by LAN to DMZ STEP 7﹒The policy for reaching the mail service from LAN to DMZ is complete. Complete the Policy to access Mail Service by LAN to DMZ...
  • Page 209 STEP 8﹒Add the following in the DMZ to WAN Policy: Click New Entry. Source Address: Select Mail_Server. Service: Select E-mail. Click OK. Setting the Policy of Mail Service by DMZ to WAN STEP 9﹒The policy for the mail service from DMZ to WAN is complete. Complete the Policy access to Mail Service by DMZ to WAN...
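The evaluation order the chapter's introduction describes (first matching policy wins, nothing matching is dropped) and the advice just above to put the Deny rule in front, as an added example that is not the manual's or the SG-1000's code: a Python model of an Outgoing Policy list with first-match evaluation, run against constructed flows, plus a check that reports rules no sample flow ever reaches. The address-book names follow the manual; the network ranges behind WAN_Group and the probe addresses are constructed (TEST-NET ranges).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Sequence

# Address-book objects as named in the manual; the ranges are constructed (TEST-NET).
ADDRESS_BOOK = {
    "Inside_Any": ["192.168.1.0/24"],
    "Outside_Any": ["0.0.0.0/0"],
    "WAN_Group": ["203.0.113.0/24", "198.51.100.7/32"],   # the WAN IPs to block, from STEP 2
}


@dataclass(frozen=True)
class Rule:
    source: str              # address-book name
    destination: str         # address-book name
    service: str             # "ANY" or "PROTO/port", e.g. "TCP/80"
    action: str              # "Permit" or "Deny"
    content_blocking: bool = False


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def _in_book(ip: str, name: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in ADDRESS_BOOK[name])


def _service_matches(service: str, flow: Flow) -> bool:
    if service == "ANY":
        return True
    proto, port = service.split("/")
    return proto == flow.proto and int(port) == flow.dport


def first_match(rules: Sequence[Rule], flow: Flow) -> Optional[int]:
    """Index of the first policy the flow matches, or None. The SG-1000 checks
    policies from the first to the last and stops at the first hit."""
    for i, rule in enumerate(rules):
        if (_in_book(flow.src, rule.source) and _in_book(flow.dst, rule.destination)
                and _service_matches(rule.service, flow)):
            return i
    return None


def decide(rules: Sequence[Rule], flow: Flow) -> str:
    """Permit, Deny, or the implicit drop for a flow no policy covers."""
    i = first_match(rules, flow)
    return "drop (no policy)" if i is None else rules[i].action


def unreachable_rules(rules: Sequence[Rule], probes: Sequence[Flow]) -> List[int]:
    """Rules that no probe flow reaches; a Deny listed after a broad Permit is
    the classic case and is exactly what the Move function is there to fix."""
    reached = {first_match(rules, f) for f in probes}
    return [i for i in range(len(rules)) if i not in reached]


BLOCK_WAN_GROUP = Rule("Inside_Any", "WAN_Group", "ANY", "Deny")            # STEP 3
PERMIT_INTERNET = Rule("Inside_Any", "Outside_Any", "ANY", "Permit", True)  # STEP 4
PROBES = [
    Flow("192.168.1.50", "203.0.113.10", "TCP", 80),   # toward the blocked WAN group
    Flow("192.168.1.50", "192.0.2.44", "TCP", 443),    # toward anywhere else
    Flow("10.9.9.9", "192.0.2.44", "TCP", 443),        # not from Inside_Any
]


def demo():
    """Same two rules in both orders: only the second order actually blocks."""
    wrong_order = [PERMIT_INTERNET, BLOCK_WAN_GROUP]
    right_order = [BLOCK_WAN_GROUP, PERMIT_INTERNET]   # after using Move
    return {
        "wrong_order_blocked_site": decide(wrong_order, PROBES[0]),
        "wrong_order_dead_rules": unreachable_rules(wrong_order, PROBES),
        "right_order_blocked_site": decide(right_order, PROBES[0]),
        "right_order_other_site": decide(right_order, PROBES[1]),
        "right_order_foreign_source": decide(right_order, PROBES[2]),
    }
```

The third probe shows the implicit drop: a source outside Inside_Any matches neither rule and is dropped even though no Deny names it. unreachable_rules() is only as good as its probe set, so feed it one flow per rule you expect to fire.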
  • Page 210: Web Vpn / Ssl Vpn

    Chapter 14 Web VPN / SSL VPN As the Internet becomes universal, the enterprise's need for secure remote login grows day by day. For the user, the most convenient secure solution is SSL VPN: no software or hardware has to be installed, and a standard browser carries the data through an SSL-encrypted channel.
  • Page 211 Define the required fields of Setting: VPN IP of Client: Sets the authentication account, IP range, encryption algorithm, protocol, server port and idle time for SSL VPN connections between clients and the SG-1000. The SSL VPN IP range must not overlap the internal (LAN, Multiple Subnet, DMZ), external (WAN) or PPTP Server subnets.
  • Page 212 Shows the authentication account used by the client. Real IP: Shows the real IP used by the client. VPN IP: Shows the IP the SG-1000 assigned to the client. Uptime: Shows how long the server and client have been connected. Configure: Can disconnect the SSL VPN connection.
  • Page 213 14.1 Setting up a Web VPN / SSL VPN connection between an external client and the SG-1000 STEP 1. Enable HTTPS under WAN of the Interface function: WAN Interface Setting STEP 2. Enter the following under Auth User of Authentication: Auth User Setting STEP 3. Enter the following under Auth Group of Authentication: Auth Group Setting...
  • Page 214 STEP 4. Enter the following under Setting of Web VPN / SSL VPN: Click Modify. Enable the Web VPN function. VPN IP Range: Enter 192.168.222.0 / 255.255.255.0. Encryption Algorithm: Select 3DES. Protocol: Select TCP. Server Port: Enter the default setting, 1194. Authentication User or Group: Select laboratory. Idle time: Enter 0.
  • Page 215 Complete Enable Web VPN...
  • Page 216 STEP 5. Enter the following in the browser: Address: Enter http://61.11.11.11/sslvpn or http://61.11.11.11/webvpn (that is, append "sslvpn" or "webvpn" to the SG-1000's Web UI login address). Press Enter. Click Yes in the Security Alert window. Click Yes in the Warning - Security window. (The Security Alert is the browser reporting that the gateway's certificate is not trusted. Before clicking Yes, users should compare the certificate fingerprint with the one the administrator publishes; a habit of clicking through this prompt will also accept an impostor gateway.)
  • Page 217 Security Alert Window Warning – Security Window...
  • Page 218 Warning – HTTPS Window Warning – Security Window...
  • Page 219 Authentication Window SSL VPN Connecting...
  • Page 220 Complete SSL VPN Connection...
  • Page 221 STEP 6. The following connection message is displayed under Status of Web VPN / SSL VPN: SSL VPN Connection Status...
  • Page 222 If the client PC does not have the Sun Java Runtime Environment installed, the SSL VPN login Web UI downloads and installs it automatically. Install Java Runtime Environment Plug-in CA Authenticity Installing Java Runtime Environment Plug-in...
  • Page 223: Chapter15 Alert Setting

    Chapter 15 Alert Setting When the SG-1000 detects attacks from hackers, or an internal PC sending large DDoS attacks, Internal Alert and External Alert start blocking these packets to protect the whole network. This chapter gives a detailed illustration of Internal Alert and External Alert:...
  • Page 224 【SYN Flood Threshold (Total) Pkts/Sec】: The system Administrator can enter the maximum number of SYN packets per second allowed to enter the network/SG-1000. If the observed rate exceeds this setting, the device treats it as an attack.
  • Page 225 IP Address that is allowed to enter the network / SG-1000. If the observed rate exceeds this setting, the device treats it as an attack. 【ICMP Flood Threshold Blocking Time (Per Source IP) Seconds】: When the SG-1000 determines that it is being attacked, it blocks the attacking source IP address for the blocking time you set.
  • Page 226 Select this option to detect spoof attacks. In spoof attacks, hackers disguise themselves as trusted users of the network. They use a fake identity to try to pass through the SG-1000 System and invade the network. Detect Port Scan Attack:...
  • Page 227 TCP header is marked. Enable this function to detect such abnormal packets. After the System Manager enables External Alert, if the SG-1000 detects any abnormal situation, the alarm message appears in External Alarm under Attack Alarm. If the System Manager also enables E-mail Alert Notification in Settings, the device sends an e-mail to alert the System Manager automatically.
  • Page 228: Internal Alert

    15.1 SG-1000 Alarm and to prevent a computer that is being attacked from sending DDoS packets to the LAN network STEP 1. Select Internal Alert in Alert Setting and enter the following settings: Enter The threshold sessions of infected Blaster (per Source IP) (the...
  • Page 229 DDoS attack packets, and then the alarm message appears in Internal Alarm under Attack Alarm, or a NetBIOS Alert notification is sent to the infected PC or the Administrator’s PC. If the Administrator enables E-Mail Alert Notification in Setting, the SG-1000 sends an e-mail to the Administrator automatically.
  • Page 230 NetBIOS Alert Notification to Administrator’s PC...
  • Page 231 E-mail Virus Alert...
  • Page 232: Internal Alarm

    Attack Alarm The SG-1000 has two alarm forms: Internal Alarm and External Alarm. Internal Alarm: When the SG-1000 detects an internal PC sending large DDoS attacks, Internal Alarm starts blocking these packets to protect the whole network.
  • Page 233 We set up two Alarm examples in this chapter: Ex 1 (Internal Alarm), suitable situation: To record the DDoS attack alarm from an internal PC. Ex 2 (External Alarm), suitable situation: To record the attack alarm about hacker attacks on the SG-1000 and Intranet...
  • Page 234 16.1 To record the DDoS attack alarm from an internal PC STEP 1. Select Internal Alarm in Attack Alarm when the device detects DDoS attacks; you can then see which computer is being affected. Internal Alarm Web UI...
  • Page 235 16.2 To record the attack alarm about hacker attacks on the SG-1000 and Intranet STEP 1. Select the following settings in External Alert of the Alert Setting function: External Alert Setting Web UI...
  • Page 236 STEP 2. When a hacker attacks the SG-1000 and Intranet, select External Alarm in the Attack Alarm function to see detailed records of the hacker attacks. External Alarm Web UI...
  • Page 237: Chapter17 Log

    Chapter 17 Log The Log records all connections that pass through the SG-1000’s control policies. The information is classified as Traffic Log, Event Log, and Connection Log. Traffic Log parameters are set up when setting up policies. Traffic logs record packet details such as the start and stop time of the connection, its duration, the source address, the destination address, and the services requested, for each control policy.
  • Page 238: Log Backup

    Suitable situation: Ex 1 (Traffic Log): To detect the information and protocol port that users use to access the Internet or Intranet through the SG-1000. Ex 2 (Event Log): To record the detailed management events (such as Interface and event description of SG-1000) of the...
  • Page 239 17.1 To detect the information and protocol port that users use to access the Internet or Intranet through the SG-1000 STEP 1. Add a new policy in DMZ to WAN of Policy and select Enable Logging: Logging Policy Setting STEP 2. Complete the Logging Setting in the DMZ to WAN Policy: Complete the Logging Setting of DMZ to WAN...
  • Page 240 STEP 3. Click Traffic Log. It shows the records of packets that pass this policy. Traffic Log Web UI...
  • Page 241 STEP 4. Click Download Logs and select Save in the File Download Web UI. Then choose where to save the file on the PC and click OK; the records are saved instantly. Download Traffic Log Records Web UI...
  • Page 242 STEP 5. Click Clear Logs and click OK in the confirmation Web UI; the records are deleted from the SG-1000 instantly. Clearing Traffic Log Records Web UI...
  • Page 243 17.2 To record the detailed management events (such as Interface and event description of the SG-1000) of the Administrator STEP 1. Click Event Log in LOG. The Administrator’s management event records are shown. Event Log Web UI...
  • Page 244 STEP 2. Click Download Logs and select Save in the File Download Web UI. Then choose where to save the file on the PC and click OK; the records are saved instantly. Download Event Log Records Web UI...
  • Page 245 STEP 3. Click Clear Logs and click OK in the confirmation Web UI; the records are deleted from the SG-1000. Clearing Event Log Records Web UI...
  • Page 246 17.3 To Detect the Event Description of a WAN Connection STEP 1. Click Connection in LOG. It shows the WAN Connection records of the SG-1000. Connection Records Web UI...
  • Page 247 STEP 2. Click Download Logs and select Save in the File Download Web UI. Then choose where to save the file on the PC and click OK; the records are saved instantly. Download Connection Log Records Web UI...
  • Page 248 STEP 3. Click Clear Logs and click OK in the confirmation Web UI; the records are deleted from the SG-1000 instantly. Clearing Connection Log Records Web UI...
  • Page 249 17.4 To save or receive the records sent by the SG-1000 STEP 1. Enter Setting in System, select the Enable E-mail Alert Notification function, and set up the settings. E-mail Setting Web UI STEP 2. Enter Log Backup in Log, select Enable Log Mail Support, and click OK...
  • Page 250 STEP 3. Enter Log Backup in Log and enter the following settings in Syslog Settings: Select Enable Syslog Messages. Enter the IP of the host that can receive Syslog in Syslog Host IP Address. Enter the receiving port in Syslog Host Port. Click OK to complete the setting. Syslog Messages Setting Web UI...
  • Page 251: Chapter18 Statistics

    Downstream/Upstream traffic records that pass a Policy In this chapter, the Administrator can query the SG-1000 for statistics on the packets and data that pass across the SG-1000. The statistics provide the Administrator with information about network traffic and network load.
  • Page 252 Define the required fields of Statistics: Statistics Chart: Y-Coordinate: Network Traffic (Kbytes/Sec); X-Coordinate: Time (Hour/Minute). Source IP, Destination IP, Service, and Action: These fields record the original data of the Policy. From this information, the Administrator can tell which Policy the Policy Statistics belong to. Time: To view the statistics by minutes, hours, days, months, or years.
  • Page 253: Wan Statistics

    18.1 WAN Statistics STEP 1. Enter WAN in the Statistics function; it displays all the statistics of Downstream/Upstream packets and Downstream/Upstream records that pass the WAN Interface. WAN Statistics function Time: To view the statistics by minutes, hours, days, months, or years. WAN Statistics is an additional function of the WAN Interface.
  • Page 254 STEP 3. Statistics Chart: Y-Coordinate: Network Traffic (Kbytes/Sec); X-Coordinate: Time (Hour/Minute). To Detect WAN Statistics...
  • Page 255 18.2 Policy Statistics STEP 1. If you have selected Statistics in a Policy, the chart of that policy starts being recorded in Policy Statistics. Policy Statistics Function To use the Policy Statistics function, the System Manager has to enable Statistics in the Policy first.
  • Page 256 STEP 3. Statistics Chart: Y-Coordinate: Network Traffic (Kbytes/Sec); X-Coordinate: Time (Hour/Minute/Day). To Detect Policy Statistics...
  • Page 257: Chapter19 Status

    Users can see the connection status in Status, for example LAN IP, WAN IP, Subnet Netmask, Default Gateway, DNS Server Connection and its IP, etc. Interface: Displays the current status of all Interfaces of the SG-1000 Authentication: The Authentication information of the SG-1000...
  • Page 258: Interface

    Tx Pkts, Err. Pkts: Displays the sent packets and error packets of the Interface Ping, Web UI: Displays whether users can ping the SG-1000 from the Interface, or enter its Web UI Forwarding Mode: The connection mode of the Interface...
  • Page 259 Interface Status...
  • Page 260: Authentication

    19.2 Authentication STEP 1. Enter Authentication in the Status function; it displays the login status records: IP Address: The IP of the authenticated user Auth-User Name: The account the auth-user logged in with Login Time: The login time of the user (Year/Month/Day Hour/Minute/Second) Authentication Status Web UI...
  • Page 261: Arp Table

    19.3 ARP Table STEP 1. Enter ARP Table in the Status function; it displays a table of the IP Address, MAC Address, and Interface information of each host connected to the SG-1000: NetBIOS Name: The identifying name on the network IP Address: The IP Address on the network MAC Address: The identifying number of the network card Interface: The Interface of the computer ARP Table Web UI...
  • Page 262: Dhcp Clients

    19.4 DHCP Clients STEP 1. In DHCP Clients of the Status function, the table of DHCP Clients connected to the SG-1000 is displayed: IP Address: The dynamic IP provided by the DHCP Server MAC Address: The MAC address that corresponds to the dynamic IP...
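The flood thresholds in the Alert Setting chapter (a total packets-per-second limit, a per-source limit, and a per-source blocking time) amount to a small piece of detection logic, shown here as an added example that is not the manual's text or PLANET's firmware. The threshold values, the packet trace and the names `FloodDetector`, `run_sample` and `SAMPLE_PACKETS` are constructed assumptions; the detector generalizes the SYN and ICMP settings into one routine that takes the monitored packet type as a parameter.

```python
from collections import defaultdict

class FloodDetector:
    """Threshold-based flood detection modelled on the SG-1000 Alert Setting
    fields: a total packets/sec threshold, a per-source packets/sec threshold
    and a per-source blocking time. All values are constructed examples."""

    def __init__(self, total_pps, per_source_pps, block_seconds):
        self.total_pps = total_pps            # Flood Threshold (Total) Pkts/Sec
        self.per_source_pps = per_source_pps  # per-source Pkts/Sec threshold
        self.block_seconds = block_seconds    # Blocking Time (Per Source IP) Seconds
        self.blocked_until = {}               # src ip -> time the block expires

    def process(self, packets, kind="SYN"):
        """packets: list of (timestamp_seconds, src_ip, packet_kind).
        Returns (alarm messages, indexes of packets dropped by a block)."""
        per_sec = defaultdict(lambda: defaultdict(int))  # second -> src -> count
        total_alarmed = set()                             # seconds already alarmed
        alarms, dropped = [], []
        for i, (ts, src, pkt_kind) in enumerate(packets):
            if pkt_kind != kind:
                continue                      # only the monitored packet type counts
            if self.blocked_until.get(src, 0.0) > ts:
                dropped.append(i)             # source is still inside its blocking time
                continue
            sec = int(ts)
            per_sec[sec][src] += 1
            if per_sec[sec][src] > self.per_source_pps:
                # per-source limit exceeded: alarm once, then block the source
                self.blocked_until[src] = ts + self.block_seconds
                alarms.append(f"t={sec}s source {src} over {self.per_source_pps} "
                              f"{kind}/s, blocked for {self.block_seconds}s")
                dropped.append(i)
            elif sum(per_sec[sec].values()) > self.total_pps and sec not in total_alarmed:
                # aggregate limit exceeded: alarm once per second
                total_alarmed.add(sec)
                alarms.append(f"t={sec}s total {kind} rate over {self.total_pps}/s")
        return alarms, dropped

# Constructed trace: one host at 7 SYN/s, some normal traffic, a burst of
# 12 sources at one SYN each, then the blocked host retrying at 20s and 40s.
SAMPLE_PACKETS = (
    [(0.1 * i, "10.0.0.5", "SYN") for i in range(7)]
    + [(0.65, "10.0.0.7", "SYN"), (0.9, "10.0.0.7", "ACK")]
    + [(1.0 + 0.05 * i, f"10.0.1.{i}", "SYN") for i in range(12)]
    + [(20.0, "10.0.0.5", "SYN"), (40.0, "10.0.0.5", "SYN")]
)

def run_sample():
    return FloodDetector(total_pps=10, per_source_pps=5, block_seconds=30).process(SAMPLE_PACKETS)
```

With these thresholds the single host is blocked at its sixth SYN within one second, its retry at 20s is still dropped while the 30s block is active, and the 12-source burst raises only the aggregate alarm because no single source exceeds its own limit.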