Funkwerk bintec R3000w User Manual


User's Guide
bintec R3000w / R3400 / R3800
Security
© Copyright January 26, 2006 Funkwerk Enterprise Communications GmbH
Version 1.0

Summary of Contents for Funkwerk bintec R3000w

  • Page 1 User's Guide bintec R3000w / R3400 / R3800 Security © Copyright January 26, 2006 Funkwerk Enterprise Communications GmbH Version 1.0...
  • Page 2 Liability While every effort has been made to ensure the accuracy of all information in this manual, Funkwerk Enterprise Communications GmbH cannot assume liability to any party for any loss or damage caused by errors or omissions or by statements of any kind in this document and is only liable within the scope of its terms of sale and delivery.
  • Page 3: Table Of Contents

    Security Menu ......... 5
    Cobion Orange Filter Submenu ...
  • Page 4 Index: Security ......... 59
  • Page 5: Security Menu

    Security Menu: The SECURITY menu is described below. R3000w Setup Tool Funkwerk Enterprise Communications GmbH [SECURITY]: Security Configuration MyGateway Cobion Orange Filter > Access Lists > Stateful Inspection > SSH Daemon > Local Services Access Control >...
  • Page 7: Cobion Orange Filter Submenu

    Cobion Orange Filter Submenu: The COBION ORANGE FILTER submenu is described below. R3000w Setup Tool Funkwerk Enterprise Communications GmbH [SECURITY][ORANGE FILTER]: Static Settings MyGateway Admin Status : disable Orange Filter Ticket: B1BT Ticket Status Filtered Interface...
  • Page 8 Cobion Orange Filter Submenu The COBION ORANGE FILTER menu consists of the following fields: Field Description Admin Status Here you can activate the filter. Possible settings: ■ disable (default value): Content filtering is deactivated. ■ enable: Content filtering is activated. ■...
  • Page 9: Configure White List Submenu

    ORANGE FILTER menu fields. Configure White List Submenu: The CONFIGURE WHITE LIST submenu is described below. R3000w Setup Tool Funkwerk Enterprise Communications GmbH [SECURITY][ORANGE FILTER][WHITE LIST]: Url List MyGateway White List: Url / Address www.funkwerk-ec.com www.heise.de DELETE EXIT The S ➜...
  • Page 10 Cobion Orange Filter Submenu R3000w Setup Tool Funkwerk Enterprise Communications GmbH [SECURITY][ORANGE FILTER][FILTER]: Filter List MyGateway Content Filter List: Category Start Stop Action Prio Anonymous Proxies Everyday 00:00 23:59 block Criminal Activities Everyday 00:00 23:59 block Pornography/Nudity Everyday 00:00 23:59 block...
  • Page 11 Cobion Orange Filter Submenu R3000w Setup Tool Funkwerk Enterprise Communications GmbH [SECURITY][ORANGE FILTER][FILTER][ADD] MyGateway Category : Anonymous Proxies Everyday From [0 :0 ] To : [23:59] Action block Priority : SAVE CANCEL The menu consists of the following fields: Field...
  • Page 12 Cobion Orange Filter Submenu Field Description ■ Orange Server not reachable: If the Cobion Category (cont.) OrangeFilter servers are not reachable, the action associated with this category is used. ■ Other Category: Some addresses are already known to the Cobion OrangeFilter, but not yet classified.
  • Page 13: View History Submenu

    Cobion Orange Filter Submenu Field Description Here you enter the time at which the filter is to be deactivated. The time is entered in the form hh:mm. The default setting is 23:59. Action Here you select the action to be executed if the filter matches a call.
  • Page 14 Cobion Orange Filter Submenu R3000w Setup Tool Funkwerk Enterprise Communications GmbH [SECURITY][ORANGE FILTER][HISTORY]: History List MyGateway History List: Date Time Client Category Action 11/12 16:09.52 192.168.0.1 www.xxx.de/ Pornography/Nudity block 11/12 16:09.52 192.168.0.2 www.droge.de/ Drugs block EXIT You can view the recorded history of the content filter in the S ➜...
  • Page 15: Access Lists Submenu

    Access Lists Submenu: The ACCESS LISTS submenu is described below. R3000w Setup Tool Funkwerk Enterprise Communications GmbH [SECURITY][ACCESS]: IP Access Lists MyGateway Filter Rules Interfaces EXIT The SECURITY ➜ ACCESS LISTS menu is for defining...
  • Page 16 Access Lists Submenu Filter A filter describes a certain part of the IP data traffic based on the source and/or destination IP address, netmask, protocol, source and/or destination port. Rule You use a rule to tell the gateway what to do with the filtered data packets, i.e. whether it should allow or deny them.
  • Page 17: Filter Submenu

    Access Lists Submenu, Filter Submenu: The FILTER submenu is described below. R3000w Setup Tool Funkwerk Enterprise Communications GmbH [SECURITY][ACCESS][FILTER]: Configure IP MyGateway Access Filter Abbreviations: sa (source IP address) sp (source port) da (destination IP address) dp (destination port)
  • Page 18 Access Lists Submenu R3000w Setup Tool Funkwerk Enterprise Communications GmbH [SECURITY][ACCESS][FILTER][EDIT] MyGateway Description Index Protocol Source Address Source Mask Destination Address Destination Mask Type of Service (TOS) 00000000 TOS Mask 00000000 SAVE CANCEL It consists of the following fields: Field...
  • Page 19 Access Lists Submenu Field Description Type: Only if PROTOCOL = icmp. Possible values: any, echo reply, destination unreachable, source quench, redirect, echo, time exceeded, param problem, timestamp, timestamp reply, address mask, address mask reply. The default value is any. See RFC 792.
  • Page 20 Access Lists Submenu Field Description Destination Port: Only for PROTOCOL = tcp/udp-port, tcp, udp. Destination port number or range of destination port numbers that matches the filter. For possible values see table “Selection options of SOURCE and DESTINATION ...”
  • Page 21: Rules Submenu

    Access Lists Submenu, Rules Submenu: The RULES submenu is described below. R3000w Setup Tool Funkwerk Enterprise Communications GmbH [SECURITY][ACCESS][RULE]: Configure IP Access Rules MyGateway Abbreviations: (Rule Index) (Action if filter matches) (Filter Index) (Action if filter does not match)
  • Page 22 Access Lists Submenu The RULES ➜ ADD/EDIT menu consists of the following fields: Field Description Index Appears only for EDIT. Cannot be changed. Shows the INDEX of existing rules. The gateway assigns a number to newly defined rules automatically.
  • Page 23: Interfaces Submenu

    Access Lists Submenu R3000w Setup Tool Funkwerk Enterprise Communications GmbH [SECURITY][ACCESS][RULE][REORG]: Reorganize Rules MyGateway Index of Rule that gets Index 1 none REORG CANCEL The rule chain that starts with rule INDEX 1 is always applied as standard to the interface of the gateway (e.g.
  • Page 24 Access Lists Submenu R3000w Setup Tool Funkwerk Enterprise Communications GmbH [SECURITY][ACCESS][INTERFACES][EDIT] MyGateway Interface en0-1 First Rule RI 1 FI 1 (to-netbios-ports) Deny Silent Reporting Method info SAVE CANCEL Here the configured rule chains are assigned to the individual interfaces and the gateway’s behavior is defined for denying IP packets.
  • Page 25 Access Lists Submenu Field Description Reporting Method Defines whether a syslog message is to be generated if a packet is denied. Possible values: ■ none: No syslog message. ■ info (default value): A syslog message is generated with the protocol number, source IP address and source port number.
  • Page 27: Stateful Inspection Submenu

    Stateful Inspection Submenu: The STATEFUL INSPECTION submenu is described below. The Stateful Inspection Firewall (SIF) provided for bintec gateways is a powerful security feature. The SIF with dynamic packet filtering has a decisive advantage over static packet filtering (see “Access Lists Submenu”...
  • Page 28 Stateful Inspection Submenu To illustrate the differences in packet filtering, a list of the individual security instances and their method of operation is given below: One of the basic functions of NAT is the translation of the local IP addresses of...
  • Page 29 Stateful Inspection Submenu R3000w Setup Tool Funkwerk Enterprise Communications GmbH [SECURITY][STATEFUL INSPECTION]: Static settings MyGateway Stateful Inspection Firewall global settings: Adminstatus enable Local Filter disable Full Filtering : enable Logging level Edit Filters > Edit Services > Edit Addresses >...
  • Page 30 Stateful Inspection Submenu Field Description Full Filtering Here you define whether packets are only to be filtered if they are sent to an interface other than the interface that created the connection. Possible settings: ■ enable: All packets are filtered (default value).
  • Page 31: Edit Filters Submenu

    Edit Filters Submenu: The EDIT FILTERS submenu is described below. R3000w Setup Tool Funkwerk Enterprise Communications GmbH [SECURITY][STATEFUL INSPECTION][FILTERS]: Configuration MyGateway Stateful Inspection Filter List: Press 'u' to move Filter up or press 'd' to move Filter down. Pos. Source...
  • Page 32 Stateful Inspection Submenu R3000w Setup Tool Funkwerk Enterprise Communications GmbH [SECURITY][STATEFUL INSPECTION][ADD] MyGateway Source Destination Edit Addresses > Service KaZaA Edit Services > Action accept SAVE CANCEL The EDIT FILTERS ➜ ADD/EDIT menu consists of the following fields: Field Description...
  • Page 33 Stateful Inspection Submenu Field Description Service Here you can select one of the preconfigured services, to which the packet to be filtered must be assigned. The extensive range of services configured ex works includes the following: ■ telnet ■ smtp ■...
  • Page 34: Edit Services Submenu

    You can also access this menu via SECURITY ➜ STATEFUL INSPECTION ➜ EDIT FILTERS ➜ EDIT SERVICES ➜ ADD/EDIT. R3000w Setup Tool Funkwerk Enterprise Communications GmbH [SECURITY][STATEFUL INSPECTION][SERVICES][ADD] MyGateway Alias Protocol SAVE CANCEL The EDIT SERVICES ➜ ADD/EDIT menu consists of the following fields: Field Description...
  • Page 35: Edit Addresses Submenu

    Stateful Inspection Submenu Field Description Port: Only if you have set PROTOCOL to tcp, udp/tcp or udp. Here you enter the port over which the service runs. Possible values are 1 to 65535. The default value is 1. Range: Only if you have set PROTOCOL to tcp, udp/tcp...
  • Page 36 Stateful Inspection Submenu R3000w Setup Tool Funkwerk Enterprise Communications GmbH [SECURITY][STATEFUL INSPECTION][ADDRESSES][ADD] MyGateway Alias Mode interface Interface en0-1 SAVE CANCEL The EDIT ADDRESSES ➜ ADD/EDIT menu consists of the following fields: Field Description Alias Here you enter the alias name you want to configure.
  • Page 37: Advanced Settings Submenu

    Advanced Settings Submenu: The ADVANCED SETTINGS submenu is described below. R3000w Setup Tool Funkwerk Enterprise Communications GmbH [SECURITY][STATEFUL INSPECTION][ADVANCED]: Settings MyGateway Stateful Inspection session expiration: inactivity Timeout : 180 inactivity Timeout : 3600 PPTP inactivity Timeout : 86400...
  • Page 38 Stateful Inspection Submenu The ADVANCED SETTINGS menu consists of the following fields: Field Description UDP inactivity Timeout Here you can enter the inactivity time, after which a session is regarded as expired (in seconds). Possible values are 30 to 86400. The default value is 180.
  • Page 39: Ssh Daemon Submenu

    SSH Daemon Submenu: The SSH DAEMON submenu is described below. R3000w Setup Tool Funkwerk Enterprise Communications GmbH [SECURITY][SSHD]: SSH Daemon Configuration MyGateway SSH Daemon running Static Settings > Timer > Authentication Algorithms > Supported Ciphers >...
  • Page 40: Static Settings Submenu

    SSH Daemon Submenu, Static Settings Submenu: The STATIC SETTINGS submenu is described below. R3000w Setup Tool Funkwerk Enterprise Communications GmbH [SECURITY][SSHD][STATIC]: SSHD Static Options MyGateway Max. # of Clients Port # used for Connections Compression disabled Verify Reverse Mapping...
  • Page 41 SSH Daemon Submenu Field Description Compression Here you can activate (enabled) or deactivate (disabled) the use of data compression. The default value is disabled. Verify Reverse Mapping Here you select whether the SSH Daemon executes a reverse lookup of the client IP address. This verifies that the host name belonging to the IP address is correct, i.e.
  • Page 42: Timer Submenu

    All messages are recorded. Table 5-1: STATIC SETTINGS menu fields. Timer Submenu: The TIMER submenu is described below. R3000w Setup Tool Funkwerk Enterprise Communications GmbH [SECURITY][SSHD][TIMER]: SSHD Timer Options MyGateway Login Grace Time TCP Keepalives enabled ClientAliveCountMax ClientAliveInterval SAVE CANCEL
  • Page 43 SSH Daemon Submenu You can configure the timing behavior of the SSH Daemon in the SECURITY ➜ SSH DAEMON ➜ TIMER menu. The TIMER menu consists of the following fields: Field Description Login Grace Time Here you enter the time interval within which a client must authenticate before the SSH connection is cleared.
  • Page 44: Authentication Algorithms Submenu

    10. Table 5-2: TIMER menu fields. Authentication Algorithms Submenu: The AUTHENTICATION ALGORITHMS submenu is described below. R3000w Setup Tool Funkwerk Enterprise Communications GmbH [SECURITY][SSHD][AUTH]: SSHD Authentication Options MyGateway Protocol Version Public Key enabled Password enabled Challenge Response enabled...
  • Page 45: Supported Ciphers Submenu

    SSH Daemon Submenu The AUTHENTICATION ALGORITHMS menu consists of the following fields: Field Description Protocol Version This shows which SSH version the SSH Daemon uses. This field cannot be edited, as only version 2 is currently supported. Public Key Here you select whether or not public key authentication of the client is allowed.
  • Page 46 SSH Daemon Submenu R3000w Setup Tool Funkwerk Enterprise Communications GmbH [SECURITY][SSHD][AUTH]: SSHD Cipher Options MyGateway aes128 enabled 3des enabled blowfish enabled cast128 enabled arc4 enabled aes192 disabled aes256 disabled SAVE CANCEL The SECURITY ➜ SSH DAEMON ➜ SUPPORTED...
  • Page 47: Message Authentication Codes Submenu

    SSH Daemon Submenu, Message Authentication Codes Submenu: The MESSAGE AUTHENTICATION CODES submenu is described below. R3000w Setup Tool Funkwerk Enterprise Communications GmbH [SECURITY][SSHD][MACS]: SSHD Message Authentication Codes MyGateway enabled sha1 enabled ripemd160 enabled sha1-96 enabled md5-96 disabled SAVE...
  • Page 48: Certification Management Submenu

    Certification Management Submenu: The CERTIFICATION MANAGEMENT submenu is described below. R3000w Setup Tool Funkwerk Enterprise Communications GmbH [SECURITY][SSHD][KEYS]: SSHD Certification Management MyGateway CAUTION: Key generation may take some minutes depending on your router’s CPU speed Generate DSA Key Generate RSA Key...
  • Page 49 SSH Daemon Submenu R3000w Setup Tool Funkwerk Enterprise Communications GmbH [SECURITY][SSHD][SESSIONS]: SSH Daemon active Sessions MyGateway User IP-Address State Connect-Time admin 192.168.1.1:2013 active Thu Jan 1 4:51:07 2005 EXIT If you select the connection by pressing Return, the following details are shown:...
  • Page 50 SSH Daemon Submenu Field Value Negotiated Cipher The cipher negotiated with this client. Negotiated MAC The MAC (message authentication code) negotiated with this client. Negotiated Compression The compression algorithm negotiated with this client. Established Time Duration of the SSH connection. Total Bytes IN The number of bytes received from this client.
  • Page 53: Local Services Access Control Submenu

    The menu displays a list with all local services for which rules have been defined. R3000w Setup Tool Funkwerk Enterprise Communications GmbH [SECURITY][LOCALSRV]: Local Services Access Control MyGateway Services for which no entry exists are NOT access restricted...
  • Page 54 Local Services Access Control Submenu R3000w Setup Tool Funkwerk Enterprise Communications GmbH [SECURITY][LOCALSRV][ADD] MyGateway Service snmp(udp) Verify IP Address don't verify Verify Interface don't verify SAVE CANCEL
  • Page 55 Local Services Access Control Submenu The menu consists of the following fields: Field Description Service Defines the local service on the gateway, to which access is to be controlled with this entry. Possible values: ■ snmp(udp) (default value) ■ rip(udp) ■...
  • Page 56 Local Services Access Control Submenu Field Description IP Address: Only if VERIFY IP ADDRESS = verify. Defines a host or network IP address from which incoming requests are allowed for the service selected under SERVICE. If a request has a different source address, the next entry is checked.
  • Page 59 Index: Security Numerics 3des Access restrictions 13, 22, 33 Action 8, 29 Admin status Adminstatus aes128 aes192 aes256 34, 36 Alias arc4 blowfish cast128 Category Chain Challenge response Classification ClientAliveCountMax ClientAliveInterval Compression Connection state Deny Silent Description Destination Destination address Destination mask Destination port Dynamic packet filtering...
  • Page 60 Expiring date 15, 16, 22 Filter Filter list Filtered interfaces First rule From Full filtering History entries ICMP type 18, 22 Index Insert behind Rule 16, 24, 37, 56 Interface IP access lists 36, 56 IP address IP mask IP range Local filter 30, 42 Logging level...
  • Page 61 Other inactivity timeout Password Port Port # used for Connections PPTP inactivity Timeout Print LastLog Print Motd Priority 18, 34 Protocol Protocol version Public key Range Reporting method ripemd160 Rule chains Safety feature 33, 55 Service sha1 sha1-96 20, 32 Source Source address Source mask...
  • Page 62 UDP inactivity Timeout URL-based content filtering service Verify interface Verify IP address Verify reverse mapping
