SnapGear 1.7.8 manual

SnapGear  VPN Appliance Family User Manual Rev: 1.7.8 May 2nd, 2003 SnapGear, Inc. 7984 South Welby Park Drive #101 Salt Lake City, Utah 84084 Email: support@snapgear.com Web: www.snapgear.com Introduction[...]

T able of content s 1. Introducti on ............................................................................................... 1 Document conventions .......................................................................................... 4 Installing and configuring your SnapGear appliance ............................................. 5 Yo[...]

6. Firewall .................................................................................................... 58 Incoming access .................................................................................................. 58 Outgoing access .................................................................................................. 6[...]

1. Introduction This chapter provides an overview of your SnapGear appliance’s features and capabilities, and explains how to install and configure your SnapGear appliance. The SnapGear appliance enables small to m edium-sized businesses to securely interconnect computers on your office network to the Internet. The SnapGear appliance has all the [...]

Terminology This section explains terms that are commonly used in this document. Term Meaning ADSL Asymmetric Digital Subscriber Line. A technology allowing high- speed data transfer over existing telephone lines. ADSL supports data rates between 1.5 and 9 Mb/s when receiving data and between 16 and 640 Kb/s when sending data. BOOTP Bootstrap Proto[...]

Term Meaning millions of people worldwide. The Internet is technically distinguished because it uses the TCP/IP set of protocols. Intranet A private TCP/IP network within an enterprise. IPSec Internet Protocol Security. IPSec provides interoperable, high quality, cryptographically-based security at the IP layer and offers protection for network com[...]

Term Meaning not a full router, a switch partically understands how to route Internet packets. A switch increases LAN efficiency by utilizing bandwidth more effectively. TCP/IP Transmission Control Protocol/Internet Protocol. The basic protocol for Internet communication. TCP/IP address Fundamental Internet addressing method that uses the form nnn.[...]

Installing and configuring your SnapGear appliance This manual contains instructions for installing and configuring your SnapGear appliance on your network. The basic steps and related chapters are: Step Chapter 1. Interconnect the SnapGear appliance and PCs on a local area network. Chapter 2, Getting started 2. Connect the telecommunications hardw[...]

Your SnapGear appliance The following items are included with your SnapGear appliance: • Power adapter • Installation CD • Printed Quick Install guide • Cabling including o 1 normal “straight through” UTP cable (blue color). o 1 “cross-over” UTP cable (either gray or red color) . If you have the LITE+ or LITE2+ you will receive two [...]

The rear panel contains the connector ports for the LAN ( LAN ) and modem ( COM1 , COM2 ), LAN 10BaseT status LEDs, WAN 10BaseT status LEDs, the reset button and power inlet. For units with LAN/Internet status LEDs, one LED represents the link condition (upper on SME530, SME550 and PRO+, lower on PRO and SOHO+), where a cable is connected correctly[...]

Figure 1.3 Netw ork interconnections Introduction 8[...]

SnapGear appliance features • Software features • Network Address Translation (NAT) firewall that isolates the LAN from the Internet and offers network access control and filtering. Usually a simple form of NAT called masquerading is used. • DHCP server and client that ensure simple and flexible IP network configuration. • PPTP VPN server t[...]

Internet link features • Connect to the Internet using an external cable modem, DSL, dial-up or ISDN modem. • Serial ports connect to the Internet using an external modem or ISDN T/A. The LITE2, LITE2+, SME530 and SME550 models have a single serial port. • 10baseT Ethernet port ( Internet ) that connect to the Internet using a cable or ADSL m[...]

Environmental features • External power adaptor (voltages/current depend on individual models). • Front panel status LEDs: Power Test. • Operating temperature between 0° C and 40° C. • Storage temperature between -20° C and 70° C. • Humidity between 0 to 95% (non-condensing). Introduction 11[...]

2. Getting st arted Your SnapGear appliance provides a secure, simple gateway to connect PCs and other devices on your local network to the outside world. This chapter provides step-by-step instructions for connecting the SnapGear appliance to your LAN. The procedures in this section expand on the steps in the SnapGear Quick Install Guide , which y[...]

Note The following steps detail the initial setup procedure for networks with at least one Windows workstation. If you wish to perform the setup procedure using a Linux box, skip to the section called later in this chapter. New Networks If you do not have an existing LAN, you need to configure one networked PC to get started: 1. Install an Ethernet[...]

6. If you have chosen to use the static IP reset feature of the SnapGear appliance, choose an address in the range: 192.168.0.0 - 192.168.0.255 (192.168.0/24 prefix) Enter the value into the IP Address field followed by a number (1-254) to identify your PC (e.g. 192.168.0.2 ). You may have to reboot at this point. 7. Connect the SnapGear appliance [...]

Configuring the SnapGear appliance on your network Below is an overview of the steps in initial setup of the SnapGear appliance on your network: 1. Apply power to the SnapGear appliance. When the SnapGear appliance is powered on in factory default mode, it has no LAN IP address. This state is indicated by all front panel LEDs except Power flashing [...]

Note The front of the SnapGear appliance contains activity LEDs that vary slightly between models. These provide information on the operating status of your SnapGear appliance. In particular you should note: The Power/PWR LED is on when power is applied (use only the SnapGear Power Adapter packaged with the unit). The System/TST/Heart Beat LED blin[...]

Set up IP addresses To communicate on your network the SnapGear appliance will need an IP address. This is accomplished using the SnapGear Setup Wizard application that ships with your SnapGear CD. If the SnapGear appliance has already been assigned an IP address Note The WAN interface is by factory default inactive in that there are no network ser[...]

A. Your SnapGear appliance was found on the network. This means either your network is DHCP enabled and another PC on the network has already given it an IP address, or you hav e chosen to boot the SnapGear appliance with an initial, static IP address. If this is the case, skip to Administrative Password further on in this chapter. B. Multiple Snap[...]

C. Your SnapGear appliance needs an IP address. This means your network is not DHCP enabled and you must perform the following steps: Enter the IP address that you want to assign to your SnapGear appliance. SnapGear Setup Wizard will already have auto-completed the IP address. Verify that this address is acceptable and not already in use, and click[...]

Administrative password After an IP address is allocated or the SnapGear appliance has been located, the SnapGear Setup Wizard will prompt you to change the SnapGear appliance administrative password. This password controls access to the SnapGear Management Console web administration pages. SnapGear recommends that you select a new pa ssword that i[...]

Initial setup using Linux By default, your SnapGear appliance as shipped does not have any IP addresses configured. When the SnapGear appliance is powered on, if it has no LAN IP address all the front panel LEDs except Power will flash (except on LITE+ and LITE2+). The LEDs remain flashing until a LAN IP address is acquired. The first setup task is[...]

Using an existing local DHCP or BOOTP server If your local network is configured with a DHCP server, the SnapGear appliance will automatically acquire an address when attached to the network. Check your local DHCP server logs to find the address assigned to your SnapGear appliance. If you are unable to access your local DHCP server logs, you can fi[...]

Configuring a new local DHCP or BOOTP server If your network has no DHCP or BOOTP server , you can temporarily configure a local Linux system as a bootp server using the following steps: 1. Edit the /etc/inetd.conf file. 2. Search for the bootpd line. Most distributions ship with this feature disabled (i.e. the line is commented out with " # &[...]

SnapGear Quick Setup The SnapGear Quick Setup Wizard will guide you through the basic steps for configuring the LAN port for your SnapGear appliance and connecting to the Internet. To start the wizard, click the Quick Setup Wizard link on the SnapGear Appliance Configuration page. To modify the configuration, you need to enter the administrator use[...]

LAN port quick setup The following figure shows the LAN port quick setup: Figure 2.3 LAN port quick setup 1. Enter the name for your SnapGear appliance on the LAN. 2. Select the method for setting the LAN port network address configuration (either DHCP or manual). 3. If you select DHCP or Skip , the Next button will take you to the ISP Connection c[...]

ISP connection quick setup The following figure shows the ISP connection quick setup: Figure 2.4 ISP connection quick setup Select Cable Modem, Modem, ADSL, or Direct as the method for connecting to your ISP. Direct connections are where the SnapGear Internet Port is connected to a LAN with another gateway to the Internet. For cable modems, you nee[...]

• The DNS server for your ISP. If you use ADSL (Asymmetric Digital Subscriber Line) to connect to your ISP, you must specify the ADSL connection type. This can be done in one of the following ways: • Allow your SnapGear appliance to autom atically detect your ADSL connection type. This is the best choice in most cases. • Use PPPoE to connect.[...]

Configuring the PCs on your network To access the Internet, all PCs on your network must have: • The IP address of the SnapGear appliance defined as their default gateway, and • Must use the DNS server provided by the ISP or the DNS proxy on the SnapGear appliance. You can enter these details manually (i.e. stat ically), or they can be dynamica[...]

If you are using Windows 2000, click Start , Settings , Network and Dial-up Connections , right-click Local Area Connection , click Properties , select Internet Protocol and then click Properties to display the following screen: Figure 2.3 TCP/IP properties You can also manually configure the PCs on your network. For each non-configured Windows 200[...]

3. Connecting to the Internet This chapter provides step-by-step instruct ions for connecting your SnapGear appliance to your Internet Service Provider (ISP). The SnapGear appliance provides secure Internet access using its robust embedded firewall. The SnapGear appliance has an IP masquerading feature, which means that users on your local network [...]

Select Internet connection The next step is to select the method for connecting your SnapGear appliance to the Internet. From the SnapGear appliance Config Pages, in the Networking menu, select Connect to Internet and select the method to connect to your local ISP. You can connect using a cable, ISDN, DSL or analog modem connection. Select the conn[...]

Connect to Internet – direct Choosing Direct Connection to the Internet shows the IP Configuration page. See the section called IP configuration. Connect to Internet – modem The following figure shows the Setup modem Internet connection: Connecting to the Internet 32 Figure 3.2 Setup modem Internet connection If you are connecting to the Intern[...]

Field Description Serial port to dial-out on Select the SnapGear appliance COM (serial) port you will use for the modem that will dial your ISP. This port will be dedicated for the Internet connection; any attempt to dial-in using this COM port will be blocked. Note: If a port was previously setup for dial-in and is later enabled for Internet acces[...]

Internet failover SnapGear appliances are designed with the real Internet in mind, which may mean downtime due to ISP equipment or telecommunications network failure. Failures can be caused by removing the wrong plug from the wall, typing in the wrong ISP password or many other reasons. Regardless of the cause of a failure it can potentially be ver[...]

The following figure shows the failover configuration screen: Figure 3.4 Failover configuration screen The following fields can be configured for the failover connection. Field Description IP Address to ping IP address the SnapGear appliance will ping to determine if the Internet connection is up or down. Ping Interval How often to ping the remote [...]

Failed connection An Internet connection is considered failed if the SnapGear appliance tests the Internet connection the specified number of times, and fails each time. The SnapGear appliance can test the Internet connection by ensuring that the physical connection was made correctly (i.e. an IP address was received from the ISP), and then pinging[...]

Configure PCs to use SnapGear appliance Internet gateway The PCs on your network must be configured to use the SnapGear appliance as the default gateway for Internet access. See the section called Configuring the PCs on your network for more information. Establishing the connection If you are connecting to your ISP using a modem or ISDN connection,[...]

4. Dial-in server configuration SnapGear appliance enables remote and secure access to your office network. This chapter shows how to set up the dial-in features. Your SnapGear appliance can be configured to receive dial-in calls from remote users/sites. Remote users are individual users (e.g. telecommuters) who connect directly from their client w[...]

To configure the SnapGear appliance for a dial-in connection: 1. Attach external modems to the relevant SnapGear appliance serial ports. Refer to Chapter 7, Serial Ports and Modem Devices for modem configuration details. 2. Enable and configure the selected SnapGear appliance COM port for dial-in as detailed in Dial-in Setup . 3. Set up and configu[...]

Dial-in setup The following figure shows the dial-in setup: Dial-in server configuration 4 0 Figure 4.1 Dial-in setup To enable and configure Dial-In server for the SnapGear appliance, select Dial-In Setup from the Networking menu. The following table describes the fields in the Dial-In Setup screen and explains how to enable and configure dial-in [...]

Field Description Enable Dial-in To enable and configure dial-in, check the relevant COM port box. The selected port is now available for dial-in access. If no COM port is selected, all dial-in attempts will be blocked. The current dial-in status of all COM ports is displayed. If dial- in is already enabled, the checkbox displays a bold or shaded c[...]

Dial-in user accounts User accounts must be set up before remote users can dial-into the SnapGear appliance. The following figure shows the Dial-in user account creation: Dial-in server configuration 42 Figure 4.2 Dial-in user account creation The field options in Add New Account are shown in the following table: Field Description Username Username[...]

The following figure shows the user maintenance screen: Figure 4.3 User maintenance screen Dial-in server configuration 43[...]

Account list As new dial-in user accounts are added, they are displayed on the updated Account List. To modify a password for an existing account, select the account in the Account List and enter the new password in the New Password and Confirm fields. Click Apply under the Delete or Change Password for the Selected Account heading, or click Reset [...]

Remote user configuration Remote users can dial-in using the SnapGear appliance using the standard Windows Dial-Up Networking software. Set up a new dial-out connection on the remote PC to dial the phone number of the modem connected to the SnapGear appliance COM port. After the dial-in is connected, users can access all network resources as if the[...]

An icon is displayed in Dial-Up Networking with your Connection Name. Right click the icon once, and then click File and Properties and click the Server Types tab as shown in the following figure: Figure 4.6 Server ty pes Check the Log on to network and Enable software compression checkboxes. If your SnapGear appliance dial-in server requires MSCHA[...]

Dial-in and log on to the remote SnapGear appliance by double-clicking the Connection Name icon. You need to enter the Username and the Password that was set up for the SnapGear appliance dial-in account as shown in the following figure: Figure 4.7 Connect to dialogue box Windows 2000 To configure a remote access connection on a Windows 2000 comput[...]

Click Next to continue. Figure 4.9 Connection type Select Dial-up to private network as the connection type and click Next to continue. Figure 4.10 Phone number to dial Tick Use dialing rules to enable you to select a country code and area code. This feature is useful when using remote access in another area code or overseas. Dial-in server configu[...]

Click Next to continue. Figure 4.11 Connection availability Select the option Only for myself to make the connection only available for you. This is a security feature that will not allow any other users who log onto your machine to use this remote access connection: Figure 4.12 Connection name Enter a name for the connection and click Finish to co[...]

To launch the new connection, double-click on the new icon on the desktop, and the remote access login screen will appear as in the next figure. If you did not create a desktop icon, click Start, Settings, Network and Dial-up Connections and select the appropriate connection and enter the username and password set up for the SnapGear appliance dial[...]

5. Network configuration IP configuration Users can set the IP address configuration for both the LAN and Internet interfaces by selecting IP Configuration from the Networking menu as shown in the following figure: Figure 5.1 IP configuration To configure the LAN Interface of the SnapGear appliance, select either a dynamically or statically assigne[...]

If your SnapGear appliance is configured for a Direct Connection to the Internet, you must also set the IP address for the Internet Interface. Check DHCP assigned if the IP address of the Internet Interface is set via a DHCP server, or enter the IP Address and Netmask if you have a static address for the Internet interface. Enter the IP address of [...]

Advanced IP configuration The following figure shows the advanced IP configuration: Figure 5.2 Advanced IP configuration The Hostname is a descriptive name for the SnapGear appliance on the network. Network configuration 53[...]

The SnapGear appliance can utilize IP Masquerading (a simple form of Network Address Translation, or NAT) where users on the local network effectively share a single external IP address. Masquerading allows insiders to get out, without allowing outsiders in. By default, the Internet interface is setup to Masquerade. Masquerading has the following a[...]

DHCP server The following figure shows the DHCP server configuration: Figure 5.3 DHCP server configuration To help keep your network design as simple as possible, your SnapGear appliance can act as a DHCP server for machines on your local network. To configure your SnapGear appliance as a DHCP server, you must set a static IP address and netmask on[...]

Click Configure the server settings on the DHCP Server Configuration screen to: • Check the Enable DHCP server checkbox. • Enter the Gateway Address to be distributed to DHCP clients. This is normally the IP address of the LAN interface of the SnapGear appliance. • Enter the DNS Address to be distributed to DHCP clients. Leave this field blan[...]

Advanced networking Users can perform the following diagnostic tasks on the Advanced Networking screen: • Perform a Ping Test. • Perform a Trace Route Test (not available on LITE and LITE+ due to memory constraints). • View the Interface Configuration. • View the Kernel Route Table. The advanced networking configuration tasks Traffic Shapin[...]

6. Firewall The SnapGear appliance has a fully featured, stateful firewall. The firewall allows you to control both incoming and outgoing access and to detect intrusion attempts, so that PCs on the office network can have tailored Internet access facilities and be shielded from malicious attacks. The SnapGear Firewall filters packets at the network[...]

Incoming access – administration services The following figure shows the incoming access configuration page: Figure 6.1 Incoming access configuration By default the SnapGear appliance runs a web adm inistration server and a telnet service. Access to these services can be restricted to specific interfaces. For example, you may want to restrict acc[...]

The SnapGear appliance’s Web Admin pages are usually accessed on the default HTTP port (i.e. port 80). Change the port number if you are allowing Internet access to the web administration page. This will hide your web administration pages from casual web surfers who finds your SnapGear appliance on the Internet. After changing the web server port[...]

Port forwarding The following figure shows the port forwarding configuration: Figure 6.3 Port forw arding configuration Port forwarding allows the SnapGear appliance to control access to services provided by machines on your private network from users on the Internet. Requests coming into the SnapGear appliance on the specified Incoming Port(s) are[...]

Outgoing access Your SnapGear appliance can be configured to restrict network traffic going out the Internet interface. These restrictions can be applied to specific hosts or networks (defined by IP address), or globally across all hosts on your internal LAN. Outgoing Access restrictions are applied by denying a group of services (e.g. web and emai[...]

Use the Add Hosts or Networks section to specify the specific machines or networks to restrict outgoing access as shown in the following figure: Figure 6.5 Outgoing access settings Firewall rules The Firewall Rules configuration page allows firewall experts to view the current firewall rules and add custom firewall rules. To access this page, click[...]

Intrusion detection and blocking The following figure shows the Intrusion Detection and Blocking (IDB) configuration: Figure 6.6 Intrusion detection and blocking configuration IDB operates by offering a number of services to the outside world that are monitored for connection attempts. Remote machines attempting to connect to these services generat[...]

The list of monitored network ports can be freely edited. Several shortcut buttons also provide pre-selected lists of services to monitor. The basic button installs a bare bones selection of ports to monitor while still providing sufficient coverage to detect many intruder scans. The standard option extends this coverage by introducing additional m[...]

Content filtering The SnapGear Content Filtering system limits the types of web-based content accessed. Web-based content featuring profanity, sexually explicit or other objectionable material can be limited or blocked from the following screens. The following figure shows content filtering: Firewall 6 6[...]

Firewall 6 7 Figure 6.7 Content filtering[...]

In the Block List , specify text that will block access to any URL containing that text. For example, if access to websites containing references to “widgets” is a violation, entering that text will block any URL containing “widgets” including http://www.widgets.example.com or www.test.com/widgets/index.html . Warning This list only refers [...]

7. V irtual Private Networking Virtual Private Networking (VPN) enables two or more locations to communicate securely and effectively, usually across a public network (e.g. the Internet) and has the following key traits: • Privacy - no one else can see what you are communicating • Authentication - you know who you are communicating with • Int[...]

PPTP client setup The SnapGear PPTP client enables the SnapGear appliance to establish a VPN to a remote network running a PPTP server (usually a Microsoft Windows server). To set up a SnapGear PPTP VPN Client, select PPTP VPN Client from the VPN menu and create a new VPN connection by entering: • A descriptive name for the VPN connection. This m[...]

If the remote VPN is already up and running, check Start Now to establish the connection immediately as shown in the following figure: Figure 7.2 PPTP client configuration The SnapGear appliance supports multiple VPN client connections. Additional connections can be added by following these steps. To set a VPN connection as the default route for al[...]

PPTP server setup The SnapGear appliance includes a PPTP Server, a virtual private network server that supports up to forty simultaneous VPN tunnels (depending on your SnapGear appliance model). The SnapGear PPTP Server allows remote Windows clients to securely connect to the local network. To setup a VPN connection: • Enable and configure the PP[...]

Enable and configure the PPTP VPN server The following figure shows the PPTP server setup: Figure 7.3 PPTP server setup To enable and configure your SnapGear appliance’s VPN server, select PPTP VPN Server from the VPN menu in the SnapGear appliance Config Pages . Virtual Private Networking 73[...]

The following table describes the fields in the VPN Setup screen and the options available when enabling and configuring VPN access. Field Description Enable PPTP Server Check this box to enable PPTP connections to be established to your SnapGear appliance. IP Addresses for the Tunnel End Points Enter the IP addresses for the tunnel end-points. You[...]

Configuring user accounts for VPN server After setting up the VPN server, select Continue and to show the PPTP VPN Server Accounts screen as shown in the following figure: Figure 7.4PPTP VPN server accounts screen Before remote users can set up a VPN tunnel to the SnapGear appliance PPTP server, they must have a user accounts set up. The field opti[...]

To delete an existing account, Select the account in the Account List and then check Delete in the Delete or Change Password for the Selected Account field. If a requested change to a user account is successful, the PPTP VPN Setup screen is shown with the change noted. An error is displayed if the change request is unsuccessful. Virtual Private Net[...]

Configuring the remote VPN client After setting up the SnapGear PPTP VPN server, the remote VPN clients can be configured to securely access the local network. You need to enter the VPN client username and password that your remote users will use to access the SnapGear PPTP VPN from the remote site. The names may or may not be the same as your norm[...]

To determine the current SnapGear appliance’s PPTP server IP address, select Diagnostics from the System menu in the main menu bar. The IP address is displayed in the VPN field. Your remote users must know this PPTP IP address to setup a VPN tunnel to the SnapGear appliance. Check that the remote PC has a modem installed and that you have a local[...]

Windows 95 and Windows 98 From the Dial-Up Networking folder, double-click Make New Connection . Type SnapGear appliance or a similar descriptive name for your new VPN connection. From the Select a device drop-down menu, select the Microsoft VPN Adapter and click Next . Enter the PPTP IP address of the SnapGear appliance VPN server in the VPN Serve[...]

Click TCP/IP Settings . Confirm that the Server Assigned IP Address , Server Assigned Name Server Address , Use IP Header Compression and Use Default Gateway on Remote Network are all selected and click OK . Figure 7.7 VPN client server settings Your VPN client is now set up correctly. Virtual Private Networking 8 0[...]

Windows NT From the Dial-Up Networking dialog, click New and select the Basic tab. In the Entry name field, enter SnapGear appliance or a similar descriptive name and click Next . Enter the SnapGear appliance’s PPTP IP address into the Phone Number field. Warning Note that this IP address may change if your ISP uses dynamic IP assignm ent. In the[...]

Windows 2000 To set up VPN access, first setup a Dial Up Networking account to access the Internet. Once you have done this, you are ready to begin. The first thing you need to do is log in as Administrator on your PC. After logging in, from the Start menu, select Settings and then Network and Dial-up Connections as shown in the following figure: F[...]

This displays the Destination Address window: Figure 7.10 Destination address Enter the SnapGear PPTP server’s IP address and click Next . Select the Connection Availability you require on the next window and click Next to display the final window: Figure 7.11 Completing the netw ork connection w izard Enter an appropriate name for your connectio[...]

Connecting the remote VPN client Firstly, connect to the Internet using the network connection to your ISP. After authenticating the connection to your ISP, select the connection for the SnapGear appliance VPN. For Windows 95/98/2000 , enter the username and password allocated by your SnapGear appliance’s VPN administrator and click Connect . For[...]

IPSec setup The SnapGear appliance supports IPSec tunnels as well as PPTP tunnels. To setup your VPN using IPSec, select IPSec from the VPN menu to display the following screen: Figure 7.12 IPSec setup Enable IPSec by clicking the Enable IPSec box underneath the IPSec Setup title and then click Submit . Enable the interface where you want to use IP[...]

To add a new IPSec connection click on Add under Add New IPSec Connection to show the following screen: Virtual Private Networking 8 6 Figure 7.13 Add new IPSec connection Enter a descriptive name for the connection in the Connection Name field. Choosing to connect with Aggressive Mode increases interoperability with third party IPSec servers that [...]

Enter the local gateway settings. Internal subnet/netmask is the private network behind the SnapGear appliance. External IP is the public-network interface that the SnapGear appliance will use for IPSec. The Authentication Identifier is required when using RSA key signatures for multiple Road Warriors and is used to identify the other participant d[...]

Click Add to complete the IKE setup as shown in the following screen: Figure 7.14 Automatic keying setup Virtual Private Networking 8 8[...]

Click Submit to add the new IPSec tunnel after selecting the appropriate Automatic Startup , Authorization , Authentication , and Key Configuration . Warning The pre-shared secret must be entered identically at each end of the tunnel. The IPSec tunnel will fail to connect if the pre-shared secret is not identical at both ends. The pre-shared secret[...]

Checking the Enable Perfect Forward Secrecy of keys checkbox means that an attacker who acquires the SnapGear appliance’s long-term key (i.e. the pre-shared secret or RSA Signature Key Private Section ) cannot: • Read previous messages which they may have archived, or • Read future messages without performing additional successful attacks Per[...]

8. System Time server The SnapGear appliance can synchronize its system time with a remote time server using the Network Time Protocol (NTP). Configuring the NTP time server ensures that the SnapGear appliance's clock (in UTC) will be accurate soon after the Internet connection is established. If NTP is not used, the system clock will be set r[...]

Diagnostics If you are experiencing problems with your SnapGear appliance, diagnostic information is provided on the SnapGear appliance’s Configuration web pages. To access this information, from the System menu, click Diagnostics . Advanced network diagnostics can be viewed by selecting the Networking menu, then Advanced Networking . Advanced Th[...]

Flash upgrade The SnapGear appliance firmware can be updated with newer versions available from the SnapGear web site (http://www.SnapGear.c om/downloads.html). The firmware is in binary image files ( .bin ) that can be transferred from a PC on the local network directly into the SnapGear appliance’s flash memory. To perform flash upgrades, the S[...]

9. T echnical support The System menu contains an option detaili ng support information for your SnapGear appliance. This page provides basic troubleshooting tips, contact details for SnapGear Support, and links to the SnapGear Knowledge Base as shown in the following figure: Figure 9.1 Technical support The Technical Support Report page is an inva[...]

Appendix A – LED st atus p atterns The following table shows the different LED illumination combinations that can indicate possible error conditions. In each case, the LEDs indicated will be on and steady, unless otherwise noted, and all other LEDs will be off. The Power and System LEDs are not part of the LEDs indicating status. Where the action[...]

Appendix B – System Log Access Logging It is possible to log any traffic that arrives at or traverses the SnapGear appliance. The only logging that is enabled by default is to take note of packets that were dropped. While it is possible to specifically log exactly which rule led to such a drop, this is not configured by default. All rules in the [...]

Commonly used interfaces are: eth0 the LAN port eth1 the WAN/Internet port ppp X e g . ppp0 or ppp1 – a PPP session ipsec X e g . ipsec0 , an IPSec interface The firewall rules deny all packets arriving from the WAN port by default. There are a few ports open to deal with traffic such as DHCP, VPN services and similar. Any traffic that does not m[...]

Mar 27 09:31:19 2003 klogd: Default deny: IN=eth1 OUT=MAC=00:d0:cf:00:ff:01:00:e0:29:65:af:e9:08:00 SRC=140.103.74.181 DST=12.16.16.36 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=46341 DF PROTO=TCP SPT=46111 DPT=139 WINDOW=5840 RES=0x00 SYN URGP=0 That is, a packet arriving from the WAN ( IN=eth1 ) and bound for the SnapGear appliance itself ( OUT=<noth[...]

iptables -I INPUT -j LOG -p tcp --syn -s <X.X.X.X/XX> -d <Y.Y.Y.Y/YY> --dport <Z> --log-prefix <prefix> This will log any TCP ( -p tcp ) session initiations ( --syn ) that arrive from the IP address/netmask X.X.X.X/XX ( -s ... ) and are going to Y.Y.Y.Y/YY , destination port Z ( -- dport ). For example, to log all inbound ac[...]

iptables -I FORWARD -j LOG -p tcp --syn -s 5.6.7.8/32 -d 192.168.1.1 --dport 25 --log-prefix "Mail for flubber: " This will result in log output something like this: <12> Jan 24 18:17:19 2000 klogd: Mail for flubber: IN=eth1 OUT=eth0 SRC=5.6.7.8 DST=192.168.1.1 LEN=48 TOS=0x00 PREC=0x00 TTL=126 ID=45507 DF PROTO=TCP SPT=4088 DPT=25 [...]

Clearly there are many more combinations possible. It is therefore possible to write rules which log inbound and outbound traffic, or to construct several rules which differentiate between the two. Rate Limiting iptables has the facility for rate-limiting the log messages that are generated, in order to avoid denial of service issues arising out of[...]

Appendix B – System Log 102 This message shows the date/time, whether the authentication succeeded or failed, the user attempting authentication (in this case root ) and the IP address from which the attempt was made. Telnet (Command Line Interface) login attempts appear as: Jan 30 03:18:37 2000 login: Authentication attempt failed for root from [...]