- DL manuals
- 3Com
- Other
- 3C16772 - OfficeConnect Web Site Filter
- User Manual
3Com 3C16772 - OfficeConnect Web Site Filter User Manual
Summary of 3C16772 - OfficeConnect Web Site Filter
Page 1
Http://www.3com.Com/ officeconnect ® internet firewall user guide officeconnect internet firewall 25 3c16770 officeconnect internet firewall dmz 3c16771 officeconnect web site filter 3c16772 part no. Dua1677-0aaa03 published june 2000
Page 2
3com corporation ■ 5400 bayfront plaza ■ santa clara, california ■ 95052-8145 copyright © 2000, 3com technologies. All rights reserved. No part of this documentation may be reproduced in any form or by any means or used to make any derivative work (such as translation, transformation, or adaptation)...
Page 3: Ontents
C ontents a bout t his g uide how to use this guide 10 conventions 11 terminology 12 year 2000 compliance 14 feedback about this user guide 14 1 i ntroduction what is the internet firewall? 17 internet firewall security functions 18 internet firewall features 19 firewall security 19 internet filteri...
Page 4
3 q uick s etup for the i nternet f irewall checklist for setting up the internet firewall 35 cable modem users 35 initial configuration 35 required information for the internet firewall wizard 36 setting up the internet firewall 38 4 c ommand r eference status messages 46 setting the clock 47 setti...
Page 5
Saving and restoring configuration settings 93 specifying the export file 94 reloading the settings 94 restore factory defaults 95 upgrading the software 96 policy 99 services 99 adding a service 101 policy rules 103 network access rule logic list 104 understanding the network access rule hierarchy ...
Page 6: Ip P
Cannot access the management interface 128 lan users cannot access the internet 129 internet firewall does not save changes 130 duplicate ip address errors are occurring 130 machines on the wan are not reachable 130 a c able s pecifications and p inout d iagram cable specifications 131 pinout diagra...
Page 7
G r esetting the i nternet f irewall introduction 163 resetting the internet firewall 163 reloading the firmware 164 h t echnical s upport online technical services 167 world wide web site 167 3com knowledgebase web services 168 3com ftp site 168 3com facts automated fax service 168 support from you...
Page 9: Bout
A bout t his g uide this guide describes the following products: ■ the two variants of the officeconnect ® internet firewall: ■ officeconnect internet firewall 25 3c16770 ■ officeconnect internet firewall dmz 3c16771 ■ officeconnect web site filter 3c16772 — software for use with either variant of t...
Page 10: How To Use This Guide
10 a bout t his g uide subscription. The internet firewall has a one-month free subscription for the web site filter. This guide is intended for use by the person responsible for installing or managing the network. It assumes knowledge of the following: ■ basic familiarity with ethernet networks and...
Page 11: Conventions
Conventions 11 conventions table 2 and table 3 list conventions that are used throughout this guide. Information about ip port numbering. Appendix d step by step examples of how you can configure your internet firewall. Appendix e a non-technical overview of ip addressing. Appendix f information on ...
Page 12: Terminology
12 a bout t his g uide terminology this section lists terminology used in this guide. Dhcp — dynamic host configuration protocol. This is a protocol that lets network administrators manage centrally and automate the assignment of internet protocol addresses in an organization's network from a server...
Page 13
Terminology 13 dos attacks — denial of service attacks. An attempt to stop one of your services running, such as a web or ftp server. There are several kinds of dos attacks. Ip address — the internet protocol address is the network layer address of a device assigned by the user or network administra...
Page 14: Year 2000 Compliance
14 a bout t his g uide ping of death — a type of dos attack. The internet protocol (ip) defines the maximum size for a ping packet. However, some ping programs can send packets that are larger than this size which can cause some systems to crash. Pppoe — point to point protocol over ethernet. Ppp is...
Page 15
Feedback about this user guide 15 example: ■ officeconnect internet firewall user guide ■ part number dua1677-1aaa02 ■ page 24 do not use this e-mail address for technical support questions. For information about contacting technical support, see appendix h ..
Page 16
16 a bout t his g uide.
Page 17: Ntroduction
1 i ntroduction this chapter contains the following: ■ what is the internet firewall? ■ internet firewall security functions ■ internet firewall features what is the internet firewall? The internet firewall is a firewall appliance which is installed between the lan and the internet access device, su...
Page 18
18 c hapter 1: i ntroduction on the lan are protected from hacker attacks that might come through the wan port. ■ on the officeconnect internet firewall dmz, there is a third port. The demilitarized zone (dmz) port is used for public servers, such as web or ftp servers. Machines attached to this por...
Page 19: Internet Firewall Features
Internet firewall features 19 figure 1 internet firewall 25 security functions internet firewall features this section lists the features of the internet firewall. Firewall security the officeconnect internet firewall is preconfigured to monitor internet traffic, and detect and thwart denial of serv...
Page 20
20 c hapter 1: i ntroduction ■ teardrop — a dos hacker tool which is widely available on the internet. Figure 2 internet firewall dmz security functions the internet firewall uses stateful packet inspection to determine if a data packet from the internet is allowed through to the private lan. This i...
Page 21
Internet firewall features 21 advanced users can extend the security functions of the internet firewall by adding network access rules and user privileges. See “examples of network access rules” on page 107 and “user privileges” on page 108 for more information. Internet filtering you can use the in...
Page 22
22 c hapter 1: i ntroduction when a high-priority concern, such as a hacker attack, is detected. See “log/alert settings” on page 85 for more information. User remote access (from the internet) users can access intranet resources on the private lan by successfully logging into the internet firewall ...
Page 23: Nstalling
2 i nstalling the h ardware this chapter contains the following: ■ important safety information ■ before you start ■ stacking the units together ■ positioning the internet firewall ■ securing the internet firewall ■ internet firewall front panel ■ internet firewall rear panel ■ attaching the interne...
Page 24
24 c hapter 2: i nstalling the h ardware ■ only stack the officeconnect internet firewall with other officeconnect units. ■ to ensure compliance with international safety standards, only use the power adapter that is supplied with the unit. ■ the socket outlet must be near to the unit and easily acc...
Page 25
Consignes importantes de sécurité 25 kann nur durch herausziehen des gerätenetzkabels aus der netzsteckdose unterbrochen werden. ■ der betrieb dieses geräts erfolgt unter den selv-bedingungen (sicherheitskleinstspannung) gemäß iec 950. Diese bedingungen sind nur gegeben, wenn auch die an das gerät a...
Page 26: Before You Start
26 c hapter 2: i nstalling the h ardware l’appareil hors circuit qu'en débranchant son cordon électrique au niveau de cette prise. ■ l’appareil fonctionne à une tension extrêmement basse de sécurité qui est conforme à la norme cei 950. Ces conditions ne sont maintenues que si l'équipement auquel il ...
Page 27
Stacking the units together 27 the unit if you intend to place the unit directly on top of the desk. If you are going to use the clip (see “stacking the internet firewall with the clip” ), do not attach the feet to the unit. Stacking the internet firewall with the clip use the clip to stack the inte...
Page 28
28 c hapter 2: i nstalling the h ardware positioning the internet firewall when installing the internet firewall, make sure that: ■ it is out of direct sunlight and away from sources of heat. ■ cabling is away from power lines, fluorescent lighting fixtures, and sources of electrical noise such as r...
Page 29
Internet firewall front panel 29 you can now connect the internet firewall to the network and set it up. Internet firewall front panel figure 4 shows the front panel of the internet firewall dmz. Figure 4 internet firewall dmz front panel the internet firewall 25 does not have dmz leds. The internet...
Page 30: Internet Firewall
30 c hapter 2: i nstalling the h ardware ■ transmit yellow — indicates that data is being transmitted on the port. ■ link green — indicates that the link between the port and the next piece of network equipment is ok. Off — indicates that nothing is connected to the port or that the link has failed....
Page 31
Attaching the internet firewall to the network 31 use a 10base-t cable with rj-45 connectors. You can connect this port to any ethernet port on the internet access device, such as an officeconnect lan modem. ■ uplink/normal switch this switch affects the operation of the port. See “attaching the int...
Page 32
32 c hapter 2: i nstalling the h ardware if you are installing the internet firewall 25, there is no dmz port, so you cannot connect publicly-accessible servers to it. Caution: do not switch the internet firewall off and on quickly. After switching it off, wait approximately five seconds before swit...
Page 33
Attaching the internet firewall to the network 33 using standard 10base-t cable, make sure that the uplink/normal switch is in the uplink position. 5 turn on or restart the internet access device. 6 plug the internet firewall power supply into an ac power outlet, and then plug the power supply outpu...
Page 34
34 c hapter 2: i nstalling the h ardware.
Page 35: Uick
3 q uick s etup for the i nternet f irewall this chapter contains the following: ■ checklist for setting up the internet firewall ■ setting up the internet firewall checklist for setting up the internet firewall this section lists the information that you need to set up the internet firewall. Cable ...
Page 36
36 c hapter 3: q uick s etup for the i nternet f irewall ■ automatically assigns ip addresses to all of the pcs on the network. You need to restart all the pcs on your network so that they use the new ip addresses after completing the internet firewall configuration. Router/modem not acting as dhcp ...
Page 37
Checklist for setting up the internet firewall 37 the internet firewall has a default ip address of 192.168.1.254 (my.3com.Com), which you use to access it when you set it up initially. During this initial set up, your pc must have an ip address in the same subnet as the internet firewall (192.168.1...
Page 38
38 c hapter 3: q uick s etup for the i nternet f irewall setting up the internet firewall this section describes the setup of the internet firewall using the management interface viewed with a web browser. It includes information on: ■ setting up a management station ■ changing the administrator pas...
Page 39
Setting up the internet firewall 39 2 launch the web browser application. A enter http://192.168.1.254 or http://my.3com.Com (the internet firewall default address) into the box at the top of the browser window. The login dialog box is displayed. Figure 7 login dialog box b in the user name field, t...
Page 40
40 c hapter 3: q uick s etup for the i nternet f irewall figure 8 internet firewall home screen 3 configure network information. A select network settings (lan & wan). B from the network addressing mode drop-down list, select the addressing mode that you want to use. There are four modes ■ choose na...
Page 41
Setting up the internet firewall 41 ■ choose nat with pppoe client if you obtain your nat public ip addresses, wan router address and wan and dmz subnet masks from your dsl operator using pppoe. You will need to know your user name and password for the pppoe server. This information can be obtained ...
Page 42
42 c hapter 3: q uick s etup for the i nternet f irewall d click update to send the configuration data to the internet firewall. 5 set the date and time. A from the main screen (see figure 8 ), select set date & time. A window similar to the following is displayed. Figure 10 set date and time dialog...
Page 43
Setting up the internet firewall 43 the internet firewall is now functioning and protecting the lan from internet-based attacks and break-ins. Internet filtering is not yet enabled. 7 reset the management station. Change the ip settings for the management station back to their original values. You m...
Page 44
44 c hapter 3: q uick s etup for the i nternet f irewall general operation status messages, such as enabled hacker attack protection, web site filter status, and log settings are listed in black text. The unit status window also shows if the internet firewall is registered. 9 to register the interne...
Page 45: Ommand
4 c ommand r eference this chapter describes management commands and functions of the officeconnect ® internet firewall. You access these command functions using a web browser to launch the management interface. This chapter is divided into sections dedicated to the major windows and functions withi...
Page 46: Status Messages
46 c hapter 4: c ommand r eference status messages to display the current status of internet firewall dmz, click the home button. Then click the part of the image labelled unit status. A window similar to the following will be displayed. Figure 13 unit status window the status window displays the cu...
Page 47: Setting The Clock
Setting the clock 47 setting the clock from the home screen, select set date & time. A window similar to that in figure 14 is displayed. Figure 14 set date & time window your internet firewall has the ability to obtain its time settings from the internet via ntp protocol. The time obtained will be a...
Page 48
48 c hapter 4: c ommand r eference you should also select your time zone from the drop-down list box at the top of the screen. If you cannot find your city in the list, you should set this to the one with the same offset from gmt as is used at your location. If you want the internet firewall to auto...
Page 49
Setting the administrator password 49 setting the administrator password from the home screen, select set password. A window similar to that in figure 15 is displayed figure 15 set password window to keep the internet firewall secure, change the administrator password: 1 in the old password box, typ...
Page 50: Network Settings
50 c hapter 4: c ommand r eference network settings from the button bar, click network to select the network settings menu. Alternatively you can use the network settings icon on the home screen graphic. Basic settings click the settings tab to display the network settings window. A window similar t...
Page 51
Network settings 51 an ip address allocated by your isp for each machine that requires access to the internet. ■ choose nat with dhcp client if you obtain the natpublic ip address from a remote dhcp server. ■ choose nat with pppoe client if you obtain your nat public ip addresses, wan router address...
Page 52
52 c hapter 4: c ommand r eference for the other settings, specify the dns servers. Up to three dns servers can be specified, although not all have to be used. The internet firewall uses these servers to look up the addresses of machines used to download the web site filter and for the built-in dns ...
Page 53
Network settings 53 figure 17 network settings window, nat enabled for the lan settings, specify: ■ internet firewall web address this is the ip address that is given to the internet firewall lan interface and used to access it for configuration and monitoring. Choose a unique ip address from the la...
Page 54
54 c hapter 4: c ommand r eference for the wan settings, specify: ■ wan router address wan router address, also called the default gateway, is the address of the router that attaches the lan to the internet. ■ public address this is the ip address used to access the internet. It will be the only add...
Page 55
Network settings 55 figure 18 network settings window, nat with dhcp client for the lan settings, specify: ■ internet firewall web address this is the ip address that is given to the internet firewall lan interface and used to access it for configuration and monitoring. Choose a unique ip address fr...
Page 56
56 c hapter 4: c ommand r eference ■ lease expires this value shows when the ip address lease obtained from the isp dhcp server expires. ■ public address this is the ip address used to access the internet. It is the only address seen by internet users and all activity on the internet from the lan se...
Page 57
Network settings 57 figure 19 network settings window, nat with pppoe client for the lan settings, specify: ■ internet firewall web address this is the ip address that is given to the internet firewall lan interface and used to access it for configuration and monitoring. Choose a unique ip address f...
Page 58
58 c hapter 4: c ommand r eference the wan/dmz and dns settings are specified by the isp’s pppoe server. The wan/dmz settings show the wan router ip address and the wan ip (nat public) ip addresses allocated to the internet firewall. The dns servers are used by the internet firewall to look up the a...
Page 59
Specifying dmz addresses (internet firewall dmz only) 59 figure 20 dmz addresses window alternatively you can select dmz port settings from the home screen graphic. Each of the servers on the dmz needs a public ip address. Obtain these ip addresses from your isp. Usually, the isp can also supply inf...
Page 60
60 c hapter 4: c ommand r eference setting up the dhcp server click network, and then select the dhcp server setup tab. A window similar to that in figure 21 is displayed. Figure 21 dhcp server setup window dynamic host configuration protocol (dhcp), is a means for computers on a network to obtain t...
Page 61
Setting up the dhcp server 61 client the use of that ip address for the same amount of time. If the client no longer requires the ip address, the address is freed and returned to the pool of available addresses to be used again. The default value is 60 minutes. ■ default gateway enter the ip address...
Page 62
62 c hapter 4: c ommand r eference ■ dynamic ranges when a client makes a request for an ip address, the internet firewall’s dhcp server leases an address from the dynamic ranges. Prior to offering an address from the dynamic range to a requesting client, the internet firewall first verifies that th...
Page 63: Diagnostic Tools
Viewing the dhcp server status 63 viewing the dhcp server status click network and then select the dhcp server status tab. A window similar to that in figure 22 is displayed. The scrolling window shows the details on the current bindings: ■ ip and mac address of the bindings ■ type of binding (dynam...
Page 64
64 c hapter 4: c ommand r eference dns name lookup the internet has a service called the domain name service (dns) which allows users to enter an easily remembered host name, such as www.3com.Com , instead of numerical ip addresses to access internet resources. The internet firewall has a dns lookup...
Page 65
Diagnostic tools 65 find network path use the find network path tool to show on which port, lan, wan or dmz where appropriate, an ip host is located. This is helpful to determine if the internet firewall is properly configured. For example, if the internet firewall thinks that a machine known to be ...
Page 66
66 c hapter 4: c ommand r eference if the network path is incorrect, check the intranet, static route, and dmz settings. Find network path requires an ip address. Use the internet firewall’s dns name lookup tool to find the ip address of a host. Ping the pingtool bounces a packet off a machine on th...
Page 67
Diagnostic tools 67 type the ip address of the device being pinged and click go. The test takes a few seconds to complete. Ping requires an ip address. Use the internet firewall’s dns name lookup tool to find the ip address of a host. Packet trace use the packet trace tool to track the status of a d...
Page 68
68 c hapter 4: c ommand r eference packet trace requires an ip address. Use the internet firewall’s dns name lookup tool to find the ip address of a host. 1 enter the ip address of the remote host in the trace on ip address box, and click start. 2 initiate an ip session with the remote host using an...
Page 69: Filter Settings
Filter settings 69 figure 27 tech support report window click save report to save the report as a text file to the local disk. Filter settings click filter,and then select the settings tab. A window similar to that in figure 28 is displayed..
Page 70
70 c hapter 4: c ommand r eference figure 28 filter settings window content filtering only applies to nodes on the lan port. Select the options in the settings window, described below, to tailor the content filtering to meet the needs of the organization. Restricting the web features available the f...
Page 71
The officeconnect web site filter 71 choose to filter out java since there have been instances of bugs in these safety mechanisms. ■ cookies cookies are used by web servers to track usage. Unfortunately, cookies can be programmed not only to identify the visitor to the site, but also to track that v...
Page 72
72 c hapter 4: c ommand r eference ■ full nudity ■ sexual acts ■ gross depictions ■ intolerance ■ satanic/cult ■ drugs/drug culture ■ militant/extremist ■ sex education ■ questionable/illegal & gambling ■ alcohol & tobacco specifying when filtering applies use the time of day setting to define time ...
Page 73: Update Filter
Update filter 73 update filter since content on the internet is constantly changing, make sure you update the web site filter used by the internet firewall on a regular basis. When you subscribe to the web site filter, you can specify that it is updated automatically every week for one year. It is i...
Page 74
74 c hapter 4: c ommand r eference click filter, and then select the filter update tab at the top of the window. A window similar to that in figure 29 is displayed. ■ website filter status shows the status of the web site filter and the date it was last downloaded. ■ download now click this button t...
Page 75: Keywords
Keywords 75 once loaded, the creation date of the current active list is displayed at the top of the window. Because of the rapid changes on the internet, the web site filter expires 30 days after it is downloaded. Once expired, the internet firewall operates as determined by the radio buttons descr...
Page 76: Custom List
76 c hapter 4: c ommand r eference it is important to use caution when enabling this feature. For example, blocking the word breast may stop access to sites on breast cancer as well as objectionable or pornographic sites. To enable this function click the enable keyword blocking check box and click ...
Page 77
Custom list 77 you can add or remove web sites from the custom list. For example, if a local radio station runs a contest on its web site that is disrupting normal classroom internet use, a school’s technology coordinator can easily add that site to the forbidden domains list. Setting up trusted and...
Page 78
78 c hapter 4: c ommand r eference ■ disable all web traffic except for trusted domains click the disable web traffic except for trusted domains check box to make the internet firewall allows web access only to sites on the trusted domains list. With careful screening, this can block almost all obje...
Page 79: Consent
Consent 79 consent this page must reside on a web server and be accessible as a url by users on the lan. Use the consent function to specify which computers are always filtered and which are filtered only when such protection is requested by the user. You can also configure consentto require users t...
Page 80
80 c hapter 4: c ommand r eference the page defined in the consent page url box. Type the time limit, in minutes, in the maximum web usage box. Specify the default value of zero (0) to disable this feature. ■ user idle timeout after a period of inactivity, the internet firewall requires the user to ...
Page 81
Consent 81 ■ “consent accepted” url (filtering on) when users accept the terms outlined in the consent page and choose to access the internet with the protection of filtering, they are shown a page to confirm their selection. Type the url of this page in the “consent accepted” (filtering on) box. ■ ...
Page 82: Logs And Alerts
82 c hapter 4: c ommand r eference logs and alerts the internet firewall maintains an event log, which contains events that may be security concerns. You can view this log with a browser using the internet firewall management interface or you set up an a tab-delimited text file to be sent automatica...
Page 83
Logs and alerts 83 figure 33 view log window the log is displayed as a list in a table, but may appear differently when viewed with various browsers. You may have to adjust the browser’s font size and other viewing characteristics to display the log data most efficiently. Depending on the browser, y...
Page 84
84 c hapter 4: c ommand r eference parentheses is the icmp code. The address information is usually preceded by the name of the service described by either the tcp or udp port, or the icmp type in quotation marks. ■ web, ftp, gopher, or newsgroup blocked the lan ip and ethernet addresses of a machin...
Page 85
Logs and alerts 85 appears in the packet are shown. In these attacks, the source address shown is usually fake and usually cannot be used to determine the source of the attack. Varying conditions on the internet can produce conditions which may cause the appearance of an attack, even when no-one is ...
Page 86
86 c hapter 4: c ommand r eference ■ mail server to enable sending log or alert messages via e-mail, you must specify the numerical ip address of the smtp server. You can obtain this information from the internet service provider that you use to connect the network to the internet or use the dns loo...
Page 87
Logs and alerts 87 ■ syslog server in addition to the standard screen log, the internet firewall can write extremely detailed event log information to an external syslog server. Syslog is an industry standard protocol used for capturing log information for devices on a network. The internet firewall...
Page 88
88 c hapter 4: c ommand r eference log categories click this check box to enable or disable the generation of the following log message categories. ■ system maintenance when enabled, log messages showing general system maintenance activity, such as administrator logins, automatic loading of web site...
Page 89
Logs and alerts 89 ■ dropped icmp when enabled, log messages showing blocked incoming icmp packets are generated. This is enabled by default. ■ network debug when enabled, log messages showing ethernet broadcasts, arp resolution problems, icmp redirection problems, and nat resolution problems are ge...
Page 90: Reports
90 c hapter 4: c ommand r eference reports the internet firewall can analyze the event log to show the following: ■ top 25 most accessed web sites ■ top 25 users of bandwidth by ip address ■ top 25 services that consume the most bandwidth click log and then select the reports tab. A window similar t...
Page 91
Reports 91 ■ current sample period displays the current sample period shown in the reports. ■ display report select the desired report from the display report popup menu. The options are web site hits, bandwidth usage by ip address, and bandwidth usage by service. These reports are explained as foll...
Page 92
92 c hapter 4: c ommand r eference restarting the internet firewall to restart the internet firewall: 1 click tools and select the restart tab. A window similar that in figure 36 is displayed. Figure 36 restart window 2 click restart internet firewall. 3 click yes to confirm the restart and send the...
Page 93
Saving and restoring configuration settings 93 saving and restoring configuration settings click toolsand then select the configuration tab. A window similar to that in figure 37 is displayed. Figure 37 configuration window use the configuration tab to specify where the settings for the internet fir...
Page 94
94 c hapter 4: c ommand r eference specifying the export file you can save the internet firewall configuration settings to a file on a local system and then reload those settings. Click export. A window similar to that in figure 38 is displayed. Figure 38 export window choose the location to save th...
Page 95
Saving and restoring configuration settings 95 figure 39 import window click browseto find a file which was previously saved using export. You may need to set file type to *.* to be able to see the .Exp file you exported. Once you have selected the file, click import. Restart the internet firewall f...
Page 96: Upgrading The Software
96 c hapter 4: c ommand r eference upgrading the software the internet firewall has flash memory and can be easily upgraded with new software. When upgrading the software, all settings may be reset to factory default. 3com recommends that you export the internet firewall’s settings before uploading ...
Page 97
Upgrading the software 97 to be notified automatically when new firmware is available: 1 click the send email when new firmware is available check box 2 click update. To load the new firmware: 1 click upload firmware now. A window similar to that in figure 41 is displayed. Figure 41 save settings wi...
Page 98
98 c hapter 4: c ommand r eference figure 42 firmware upload window 3 click browse... And select the software file you have downloaded from the 3com ftp site to a local hard drive or server on the lan. 4 click upload to begin the upload. Make sure that your web browser supports http uploads. When up...
Page 99: Policy
Policy 99 policy this section covers which network services are blocked by the firewall and which are allowed to pass through. Services click policy, and then select the servicestab. A window similar to that in figure 43 is displayed. Figure 43 services window the serviceswindow contains a table sho...
Page 100
100 c hapter 4: c ommand r eference ■ lan out when the check box is clicked for a specific protocol, users on the lan can access servers of that type on the internet. When the check box is cleared, users on the lan cannot access servers of that type on the internet. The default value is enabled. Whe...
Page 101
Policy 101 ■ inactivity timeout if a connection to a server outside the lan remains idle for more than 5 minutes (default value), the internet firewall closes the connection. This is done for security purposes. Without this timeout, it is possible that connections could stay open indefinitely, creat...
Page 102
102 c hapter 4: c ommand r eference the scroll list on the right side of the screen displays all ip protocols that are currently defined and that appear in the serviceswindow. Next to the name of the protocol, two numbers appear in brackets. The first number indicates the ip port number which define...
Page 103: Policy Rules
Policy rules 103 you can disable logging of events which are usually written to the internet firewall’s internal screen log. For example, if linux’s authentication protocol is filling the log with useless entries, you can configure the screen log to ignore all activity for this service. To disable s...
Page 104
104 c hapter 4: c ommand r eference figure 45 policy rules window it is important to fully consider logic behind the new rule before you add it. Use the list in “network access rule logic list” to help you create logical rules. Network access rule logic list use this list to help you create rules. ■...
Page 105
Policy rules 105 the more specific, the better. For example, if traffic is being allowed from the internet to the lan, it is better to allow only certain machines on the internet to access the lan. Once you have defined the logic of the rule, it is critical to consider the security ramifications cre...
Page 106
106 c hapter 4: c ommand r eference c source there are three parameters to configure for the source item. ■ select the network access rule’s source port, lan, wan, or dmz, if appropriate, from the ethernet menu. ■ if there are ip address restrictions on the source of the traffic, such as keeping com...
Page 107
Policy rules 107 ■ a single ip address is more specific than an ip address range. Rules are listed in the web management interface window from most specific to the least specific, and rules at the top override rules listed below. Examples of network access rules the following examples illustrate met...
Page 108: User Privileges
108 c hapter 4: c ommand r eference 6 since the intent is to block access to all servers, enter * in the destination addr. Range begin box. 7 click add rule. Enabling the isp to ping the internet firewall by default, the internet firewall does not respond to pings from the internet. However, ping is...
Page 109
User privileges 109 figure 46 user privileges window ■ user inactivity timer this sets the maximum period of inactivity, in minutes, before a user is required to re-establish an authenticated session. This applies to remote access and bypass filters. ■ user list the user list is a scrollable box whi...
Page 110
110 c hapter 4: c ommand r eference ■ using random letters and numbers, such as a7fe2j42 ■ including non-alphanumeric ascii characters in words, such as so#n&c passwords are case sensitive. 4 choose the privileges to be enabled for the user by selecting one or both check boxes. Two options are avail...
Page 111: Automatic Proxy Forwarding
Automatic proxy forwarding 111 clicking login, the password is verified using md5 authentication. The password is never sent ”in the clear” over the internet, preventing password theft and replay attacks. Once authenticated, remote users can access all ip resources on the lan, and users on the lan c...
Page 112
112 c hapter 4: c ommand r eference the proxy server must be located on the wan; it may not be located on the lan. Click advanced, and then select the proxy relay tab. A window similar to that in figure 47 is displayed. Figure 47 proxy relay window enter the ip address of the proxy in the proxy web ...
Page 113
Specifying intranet settings 113 intranet settings to allow lan users to access the proxy. If you do not do this, users cannot access the proxy. 1 install the proxy server. A install and configure the proxy server software using a valid ip address. B plug the proxy server into an ethernet hub connec...
Page 114
114 c hapter 4: c ommand r eference (referred to as the intranet), you must specify intranet settings for the internet firewall. The following describes how to install and configure the internet firewall to provide intranet firewalling. To achieve intranet firewalling, connect the internet firewall ...
Page 115
Specifying intranet settings 115 configuring the internet firewall to protect the intranet click advanced, and then select the intranet tab. A window similar to that in figure 49 is displayed. Figure 49 intranet window to enable intranet firewalling, it is necessary to identify which machines are pr...
Page 116
116 c hapter 4: c ommand r eference using the exclusive method, you specify the ip addresses of the machines connected to the internet firewall’s wan port. Use this method in cases such as a large school district with a small student computer lab where it would be easier to specify the small number ...
Page 117: Static Routes
Static routes 117 static routes if the lan has internal routers, you must specify their addresses and network information. Click advanced and then select the static routes tab. A window similar to that in figure 50 is displayed. Figure 50 static routes window use static routes if the lan is segmente...
Page 118: Setting Up One-to-One Nat
118 c hapter 4: c ommand r eference ■ dmz/wan the ip addresses of the dmz, if appropriate, and wan ports are shown. These differ from that of the lan port if nat is enabled. Configure these in the network settings window (see figure 16 ). You can specify the subnet mask, if it is different from the ...
Page 119
Setting up one-to-one nat 119 . You cannot include the nat public ip address in a range. Click advanced, and then select the one-to-one nat tab. A window similar to that in figure 51 is displayed. Figure 51 one-to-one nat window table 4 address correspondence in one-to-one nat lan address correspond...
Page 120
120 c hapter 4: c ommand r eference ■ enable one-to-one nat click this check box to enable one-to-one nat. ■ private range begin type the beginning ip address of the private address range being mapped in the private range begin box. This is the ip address of the first machine being made accessible f...
Page 121: Ffice
5 t he o ffice c onnect w eb s ite f ilter a ctivation this chapter contains the following: ■ what is the web site filter? ■ activating the web site filter what is the web site filter? The 3com officeconnect ® web site filter provides the officeconnect internet firewall with enhanced internet filter...
Page 122
122 c hapter 5: t he o ffice c onnect w eb s ite f ilter a ctivation searching the internet unaccompanied by a parent or educator. Any easily accessible pages with graphics, text or audio which fall within the definition of the categories below will be considered sufficient to place the source in th...
Page 123
What is the web site filter? 123 ■ intolerance: pictures or text advocating prejudice or discrimination against any race, color, national origin, religion, disability or handicap, gender, or sexual orientation. Any picture or text that elevates one group over another. Also includes intolerant jokes ...
Page 124
124 c hapter 5: t he o ffice c onnect w eb s ite f ilter a ctivation category will include discussion sites on how to talk to your partner about diseases, pregnancy and respecting boundaries. The sex education category is uniquely assigned; sites classified as sex education are not classified in any...
Page 125
Activating the web site filter 125 they appear) you will need to purchase the annual web site filter subscription. To activate your annual subscription perform the following steps: 1 using a web browser, go to the web site filter registration page http://www.3com.Com/internetfirewall/ 2 click the ac...
Page 126
126 c hapter 5: t he o ffice c onnect w eb s ite f ilter a ctivation.
Page 127: Roubleshooting
6 t roubleshooting g uide this chapter contains the following: ■ introduction ■ potential problems introduction the officeconnect ® internet firewall has been designed to help you detect and solve possible problems with the network. If you cannot find the solution to the problem in this chapter, ple...
Page 128
128 c hapter 6: t roubleshooting g uide power led flashes continuously if the power led continues to flash after 120 seconds, please contact technical support (see appendix h for information about contacting technical support). Power and alert led lit continuously if the power and alert leds are bot...
Page 129
Potential problems 129 internet firewall. Netscape navigator 4 or internet explorer 4 or higher versions are supported. ■ during the initial configuration, make sure that you change the ip address for the management station to one in the same subnet as the internet firewall, such as 192.168.1.200 . ...
Page 130
130 c hapter 6: t roubleshooting g uide ■ if you are using the internet firewall with a cable modem, you may need to register the mac address of the unit with your cable service provider before connecting the internet firewall to your network. You can find the mac address of the internet firewall on...
Page 131: Able
A c able s pecifications and p inout d iagram this appendix contains the following: ■ cable specifications ■ pinout diagrams cable specifications the officeconnect ® internet firewall supports the following cable types and maximum lengths: ■ 10base-t twisted pair ■ maximum cable length of 100 m (327...
Page 132
132 a ppendix a: c able s pecifications and p inout d iagram figure 52 twisted pair pinouts.
Page 133: Echnical
B t echnical s pecifications and s tandards this appendix lists the technical specifications for the officeconnect ® internet firewall. Interfaces 10base-t — two for the internet firewall, three for the internet firewall dmz. Power 11w officeconnect power adapter dimensions 228 x 185 x 54 mm (9.12 x...
Page 134
134 a ppendix b: t echnical s pecifications and s tandards *see “electromagnetic compatibility” on page 182 for conditions of operation..
Page 135: Ptional
C o ptional d irect c onnection this appendix contains the following: ■ introduction ■ direct connection instructions introduction the security of the officeconnect ® internet firewall is ensured by the use of a secret administrator password. Once the password is set, it is used to authenticate the ...
Page 136
136 a ppendix c: o ptional d irect c onnection to do this, connect a cable from the ethernet port on the management station to the lan port of the internet firewall. 3 switch on the internet firewall. To do this, connect the power adapter to the port on the back labeled power. Do not use a power ada...
Page 137: Ip P
D ip p ort n umbers this appendix contains the following: ■ introduction ■ well known port numbers ■ registered port numbers introduction the port numbers are divided into three ranges: ■ well known ports — those from 0 to 1023 ■ registered ports — those from 1024 to 49151 ■ dynamic or private ports...
Page 138
138 a ppendix d: ip p ort n umbers the registered ports are in the range 1024–65535. Visit http://www.Normos.Org/ietf/rfc/rfc1700.Txt for a list of ip port numbers..
Page 139: Xample
E e xample c onfigurations this appendix contains the following: ■ introduction ■ protecting an existing network with the internet firewall 25 ■ increasing the number of ip addresses available using natsetting up the internet firewall 25 with an officeconnect 56k lan modem ■ setting up the internet ...
Page 140: Firewall 25
140 a ppendix e: e xample c onfigurations connections related to this cannot be used on an internet firewall 25. All other parts of this example will work the same, however. Protecting an existing network with the internet firewall 25 in this example, all your pcs are networked together, and there i...
Page 141
Protecting an existing network with the internet firewall 25 141 ■ purchase an additional ip address. ■ use nat: it is possible that only some of the pcs will require their own ip address to be presented to the internet. The example “expanding the number of ip addresses available using nat” describe...
Page 142
142 a ppendix e: e xample c onfigurations subnet for your management station – here we will change it to 192.168.1.200. B refer to the user guide for your operating system on changing the ip address of your management station. Be sure to specify a static address as given above, with a subnet mask of...
Page 143
Protecting an existing network with the internet firewall 25 143 c here, you want to use ntp to set the firewall time so that the date and time are set by an atomic clock, and are hence highly accurate. Check the box marked “use ntp to set time automatically”. D type in the current date and time, in...
Page 144
144 a ppendix e: e xample c onfigurations override the fact that it is enabled under the heading “default”). B to block nntp access, clear the lan out check box next to nntp in the list, and click update. C to block irc access, first click on the add service tab. Then, from the add a known service d...
Page 145
Protecting an existing network with the internet firewall 25 145 subscription). This enables your web site filter subscription. 12 enter the registration code. A load management interface again and log in as described in step 4, except use the new web address you assigned to the internet firewall ht...
Page 146: Nat
146 a ppendix e: e xample c onfigurations messages that the internet firewall sends out. This is not a valid e-mail address, and so no e-mails can be returned to it. However, you can change this e-mail address if you want. 15 load the web site filter list. A click filter, and then select the filter ...
Page 147
Increasing the number of ip addresses available using nat 147 172.20.54.212 to 172.20.54.214 must be visible on the internet. The remaining pcs are the workstations. All ip addresses are statically configured on the pcs. The isp’s internet router has an ip address of 172.20.54.1 , and there is a dns...
Page 148
148 a ppendix e: e xample c onfigurations 2 assuming that you are managing the internet firewall dmz from the pc with address 172.20.54.215 (either by direct connection, or through a hub/switch), switch on the internet firewall dmz and check the leds. A wait for the power led to stop flashing (appro...
Page 149
Increasing the number of ip addresses available using nat 149 5 when you have logged in successfully, the home screen of the user interface is displayed. From here, configure the internet firewall dmz. A click set password. B in the old password box, type passwor d. Then type the new password twice....
Page 150
150 a ppendix e: e xample c onfigurations d set wan/dmz subnet mask to the one provided by the isp 255.255.255.0 . E set the nat public address to one of the available ip addresses 172.20.54.217. Click update. 8 switch on the cable modem, make sure that it is online, and restart the internet firewal...
Page 151
Increasing the number of ip addresses available using nat 151 once complete, users of all these machines can access the internet through the internet firewall dmz. For the pcs that need to be visible on the wan side of the internet firewall dmz, set their ip addresses, for example, to 192.168.1.212 ...
Page 152
152 a ppendix e: e xample c onfigurations b type the registration code you were given into the text box next to the message, and click update. The internet firewall dmz is now registered. Setting up the internet firewall 25 with an officeconnect 56k lan modem in this example the officeconnect 56k la...
Page 153
Setting up the internet firewall 25 with an officeconnect 56k lan modem 153 configure the officeconnect lan modem and check that you can access the internet. 1 connect the lan modem to the internet firewall 25. A disconnect the power from the lan modem, and also disconnect the ethernet cable from th...
Page 154
154 a ppendix e: e xample c onfigurations a enter http://192.168.1.254 to load the password authentication screen. B in the user name box, type admi n . C in the password box, type the default password, password in the password box. Click login. Passwords are case sensitive. 5 when you have logged i...
Page 155
Setting up the internet firewall 25 with an officeconnect 56k lan modem 155 internet firewall 25 can use the default ip address ( 192.168.1.254 ) and subnet mask ( 255.255.255.0 ). B click update. 8 switch on the lan modem and restart the internet firewall 25. A to restart, click tools. B click rest...
Page 156
156 a ppendix e: e xample c onfigurations b find out the ethernet address of the network card. In windows 95 or 98, this is done by selecting run from the start menu, and then typing winipcfg . Note down the value in the adapter address box (this may also be known as the mac address, and consists of...
Page 157
Setting up the internet firewall 25 with an officeconnect 56k lan modem 157 14 register the internet firewall 25, over the internet. A in the web browser, enter: http://www.3com.Com/internetfirewall b complete the registration form, and make a note of the registration code. C on the home screen, sel...
Page 158
158 a ppendix e: e xample c onfigurations.
Page 159: Ntroduction
F i ntroduction to ip a ddressing this appendix contains the following: ■ network protocols ■ ip and tcp ■ ip addressing network protocols protocols are rules that networking hardware and software follow to communicate with one another. The internet firewall uses the tcp/ip protocol. Ip and tcp ip s...
Page 160
160 a ppendix f: i ntroduction to ip a ddressing separated with dashes, for example, 1-408-555-1212 , ip address number components are separated by decimal points or dots (called dotted decimal notation), for example, 123.45.67.89 . Because computers use a binary number system, each number in the se...
Page 161
Ip addressing 161 class c networks use ip addresses between 192.0.0.0 and 223.0.0.0 . Just as you obtain a phone number from the phone company, there are controlling bodies for ip addresses. The overall controlling body for ip addresses worldwide is internic. Businesses or individuals can request on...
Page 162
162 a ppendix f: i ntroduction to ip a ddressing address is class a, use a subnet mask of 255.0.0.0 . Class b addresses use a subnet mask of 255.255.0.0 , and class c ip addresses use a subnet mask of 255.255.255.0 . Default gateway a default gateway is like a long distance operator — users can dial...
Page 163: Esetting
G r esetting the i nternet f irewall this appendix contains the following: ■ introduction ■ resetting the internet firewall introduction you cannot retrieve a lost administrator password from the officeconnect ® internet firewall. If you want to reset your internet firewall to factory default settin...
Page 164: Reloading The Firmware
164 a ppendix g: r esetting the i nternet f irewall 4 continue holding the reset button in until the alert led starts flashing. This should be approximately 20 seconds. 5 when the alert led stops flashing, the reset is complete. You can now release the reset button. When the reset is complete, the i...
Page 165
Reloading the firmware 165 figure 53 firmware upload window make sure that you are using the browser that supports html uploads, otherwise you cannot upload the firmware. 2 in the box labeled please select a firmware file, type in the full file and path name of the firmware image that you want to up...
Page 166
166 a ppendix g: r esetting the i nternet f irewall figure 54 firmware upload complete the self-test cycle should now complete successfully. If the entire process has been successful, the power led should light up and remain on after 90 seconds, and the alert led should remain off. You can now acces...
Page 167: Echnical
H t echnical s upport 3com provides easy access to technical support information through a variety of services. This appendix describes these services. Information contained in this appendix is correct at time of publication. For the most recent information, 3com recommends that you access the 3com ...
Page 168
168 a ppendix h: t echnical s upport 3com knowledgebase web services this interactive tool contains technical product information compiled by 3com expert technical engineers around the globe. Located on the world wide web at http://knowledgebase.3com.Com , this service gives all 3com customers and p...
Page 169: Support From 3Com
Support from 3com 169 ■ a list of system hardware and software, including revision levels ■ diagnostic error messages ■ details about recent configuration changes, if applicable if you are unable to contact your network supplier, see the following section on how to contact 3com. Support from 3com if...
Page 170
170 a ppendix h: t echnical s upport returning products for repair before you send a product directly to 3com for repair, you must first obtain an authorization number. Products sent to 3com without authorization numbers will be returned to the sender unopened, at the sender’s expense. Europe from a...
Page 171
Returning products for repair 171 to obtain an authorization number, call or fax: country telephone number fax number asia, pacific rim +65 543 6500 +65 543 6348 europe, south africa, and middle east +31 30 6029900 +31 30 6029999 latin america 1 408 326 2927 1 408 326 3355 from the following countri...
Page 173: Ndex
I ndex 173 i ndex numbers 0.0.0.0 162 10base-t cable 31 dmz connection 33 lan connection 33 wan connection 32 10base-t port 30 192.168.1.254 38 255.255.255.0 162 3com knowledgebase web services 168 3com url 167 3comfacts 168 a acceptable use policy 78, 79, 80, 91 access to urls, restricting 21 activ...
Page 174
174 i ndex disable web proxy 71 display report 91 dmz addresses, specifying 58 dmz led 30 dmz port 18, 31 attaching internet servers to 33 dns name lookup tool 64 dns server 36 domain name system. See dns dos attacks 19 e electromagnetic compatibility 182 emc information 182 events 82 example config...
Page 175
I ndex 175 j java blocking 84 defined 70 k keyword 75 field 76 l lan led 30 port 17, 30 static route settings 117 users 18 leds alert 29 dmz 30 lan 30 power 30 status 30 wan 30 liability information 181 limited warranty information 179 location for internet firewall 28 logs 82 and alerts 21 buffer 8...
Page 176
I ndex 176 ports (continued) wan 17 positioning the internet firewall 28 power adapter socket 30 power led 30 protecting an existing network 140 protocols 159 proxy server, installing on wan 112 proxy web server 112 public servers, dmz port 18 q quick configuration 38 r registration 44 remote access...
Page 177
I ndex 177 troubleshooting (continued) ethernet connection 128 internet access for lan users 129 link led 128 log contents 127 machines on wan not reachable 130 management interface 128 power led 127, 128 trusted domains 77 u udp packets 83 updating users for authentication 109 upgrading software 96...
Page 178
178 i ndex.
Page 179: 3Com Corporation L
3com corporation l imited w arranty officeconnect ® internet firewall 25 officeconnect internet firewall dmz officeconnect web site filter the duration of the warranty for the officeconnect internet firewall 25 (3c16770) and internet firewall dmz (3c16771) is lifetime, including the power adapter. A...
Page 180
Any software update or replaced or repaired product will carry a year 2000 warranty for ninety (90) days after purchase or until april 1, 2000, whichever is later. O btaining w arranty s ervice customer must contact a 3com corporate service center or an authorized 3com service center within the appl...
Page 181
L imitation of l iability to the full extent allowed by law, 3com also excludes for itself and its suppliers any liability, whether based in contract or tort (including negligence), for incidental, consequential, indirect, special, or punitive damages of any kind, or for loss of revenue or profits, ...
Page 182
E lectromagnetic c ompatibility fcc s tatement this equipment has been tested and found to comply with the limits for a class b digital device, pursuant to part 15 of the fcc rules, and the canadian department of communications equipment standards entitled, “digital apparatus,” ices-003. These limit...