3Com 3CR16110-95-US User Guide

3Com 3CR16110-95-US - SuperStack 3 Firewall Manual

3Com 3CR16110-95-US manual content summary:

  • 3Com 3CR16110-95-US | User Guide - Page 1
    SuperStack® 3 Firewall User Guide SuperStack 3 Firewall 3CR16110-95 SuperStack 3 Firewall Web Site Filter 3C16111 http://www.3com.com/ Part No. DUA1611-0AAA02 Published August 2001
  • 3Com 3CR16110-95-US | User Guide - Page 2
    Guide. Unless otherwise indicated, 3Com registered trademarks are registered in the United States and may or may not be registered in other countries. 3Com and SuperStack are registered trademarks of 3Com Corporation. The 3Com and other countries, licensed exclusively through X/Open Company, Ltd
  • 3Com 3CR16110-95-US | User Guide - Page 3
    12 Conventions 12 Terminology 13 Feedback about this User Guide 15 Registration 16 I GETTING STARTED 1 INTRODUCTION What is the SuperStack 3 Firewall? 19 Firewall and 3Com Network Supervisor 20 Firewall Features 21 Firewall Security 21 Web URL Filtering 23 High Availability 24 Logs and Alerts 24
  • 3Com 3CR16110-95-US | User Guide - Page 4
    FOR THE FIREWALL Introduction 35 Setting up a Management Station 36 Configuring Basic Settings 36 Setting the Password 37 Setting the Time Zone 38 Configuring WAN Settings 39 Automatic WAN Settings 39 Manual WAN Settings 40 Using a Single Static IP Address 41 Using Multiple Static IP Addresses 42
  • 3Com 3CR16110-95-US | User Guide - Page 5
    Global Options 61 Dynamic Ranges 62 Static Entries 63 Viewing the DHCP Server Status 63 Using the Network Diagnostic Tools 64 Choosing a Diagnostic Tool 64 5 SETTING UP WEB FILTERING Changing the Filter Settings 67 Restricting the Web Features Available 68 Setting Blocking Options 69 Specifying the
  • 3Com 3CR16110-95-US | User Guide - Page 6
    Settings File 91 Exporting the Settings File 92 Restoring Factory Default Settings 92 Using the Installation Wizard to reconfigure the Firewall 92 Upgrading the Firewall Firmware 92 7 SETTING A POLICY Changing Policy Services 97 Amending Network Policy Rules 98 Changing NetBIOS Broadcast Settings
  • 3Com 3CR16110-95-US | User Guide - Page 7
    146 High Availability Status Window 146 E-Mail Alerts Indicating Status Change 147 View Log 147 Forcing Transitions 148 III ADMINISTRATION AND TROUBLESHOOTING 11 ADMINISTRATION AND ADVANCED OPERATIONS Introducing the Web Site Filter 153 Activating the Web Site Filter 156 Using Network Access Policy
  • 3Com 3CR16110-95-US | User Guide - Page 8
    163 Reloading the Firmware 163 Direct Cable Connection 164 Direct Connection Instructions 165 12 TROUBLESHOOTING GUIDE Introduction 167 Potential Problems and Solutions 167 OF ATTACK AND FIREWALL DEFENCES Denial of Service Attacks 175 Ping of Death 175 Smurf Attack 175 SYN Flood Attack 176 Land Attack
  • 3Com 3CR16110-95-US | User Guide - Page 9
    (DHCP) 183 Port Numbers 184 Well Known Port Numbers 184 Registered Port Numbers 184 Private Port Numbers 184 Virtual Private Network Services 184 Introduction to Virtual Private Networks 185 VPN Applications 185 Basic VPN Terms and Concepts 186 V APPENDICES A SAFETY INFORMATION Important Safety
  • 3Com 3CR16110-95-US | User Guide - Page 10
    D TECHNICAL SUPPORT Online Technical Services 201 World Wide Web Site 201 3Com Knowledgebase Web Services 201 3Com FTP Site 202 Support from Your Network Supplier 202 Support from 3Com 202 Returning Products for Repair 204 INDEX REGULATORY NOTICES
  • 3Com 3CR16110-95-US | User Guide - Page 11
    3CR16110-95 I SuperStack 3 Firewall 3CR16110-97 upgraded to v6.x firmware I SuperStack 3 Firewall Web Site Filter 3C16111 This guide web site uses or content it provides. This guide is intended for use by the person responsible guide, follow the instructions in the release notes. Most user guides
  • 3Com 3CR16110-95-US | User Guide - Page 12
    . A quick setup guide for the Firewall. Chapter 3 Information on how to configure the Firewall. Chapter 4 Chapter 10 Information about installing and setting up the Web Site Filter. Chapter 11 Troubleshooting common Firewall problems. Chapter 12 Information about Denial of Service and other
  • 3Com 3CR16110-95-US | User Guide - Page 13
    "enter" in this guide, you must type something, and then press Return or Enter. Do not press Return or Enter when an instruction simply says "type." still protected from Denial of Service attacks DoS Attacks - Denial of Service Attacks. An attempt to stop one of your services running, such as a
  • 3Com 3CR16110-95-US | User Guide - Page 14
    way of communicating in real time with people from all over the world. ISP - Internet Service Provider. A business that provides Internet access to individuals or organizations. Firewall - Used in this guide to refer to the SuperStack 3 Firewall. Land Attack - A type of DoS attack. In a Land attack
  • 3Com 3CR16110-95-US | User Guide - Page 15
    User Guide 15 RADIUS - Remote Authentication Dial-in User Service. RADIUS enables network administrators to effectively deploy and manage VPN Client based remote users. The RADIUS server allows multiple users to share a single Group Security Association but require an additional unique password for
  • 3Com 3CR16110-95-US | User Guide - Page 16
    Do not use this e-mail address for technical support questions. For information about contacting Technical Support, see Appendix D. To register your Firewall point your web browser to http://www.3com.com/ssfirewall click on Hardware Registration and follow the instructions.
  • 3Com 3CR16110-95-US | User Guide - Page 17
    I GETTING STARTED Chapter 1 Introduction Chapter 2 Installing the Hardware Chapter 3 Quick Setup for the Firewall
  • 3Com 3CR16110-95-US | User Guide - Page 19
    I What is the SuperStack 3 Firewall? I Firewall and 3Com Network Supervisor I Firewall Features I Introduction to Virtual Private to the local network through hubs and switches. LAN users have access to Internet services such as e-mail, FTP, and the World Wide Web. However, all workstations and
  • 3Com 3CR16110-95-US | User Guide - Page 20
    servers on the DMZ port. Firewall and 3Com The Firewall is supplied with a copy of 3Com Network Supervisor. Network Supervisor Network Supervisor detects network inefficiency and optimizes network performance. Features include support for related and recurring events, user definable reports, auto
  • 3Com 3CR16110-95-US | User Guide - Page 21
    support to Firewall users: I If your 3Com Network Supervisor management station is located on the LAN, it discovers the Firewall automatically and displays it on the topology map. I The topology map indicates that the Firewall is a 3Com Service (DoS) hacker attacks automatically. Refer to Figure 2.
  • 3Com 3CR16110-95-US | User Guide - Page 22
    22 CHAPTER 1: INTRODUCTION Figure 2 Firewall Security Functions - Default Firewall Policy LAN Uplink Normal DMZ Uplink Normal WAN Uplink Normal LAN Port - Connected to your internal network e.g. network servers, workstations. Protected from DoS attacks
  • 3Com 3CR16110-95-US | User Guide - Page 23
    Firewall Features 23 The Firewall will protect your network against the following Denial of Service attacks: I Ping of Death I Smurf Attack I SYN Flood I LAND Attack I IP Spoofing I Teardrop To find more information on DoS and other attacks refer to Chapter
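The six attacks named above are all recognisable from packet headers alone. The following is an added example (not 3Com code, and not a description of the Firewall's internals) that states each signature as a check a practitioner could run against captured traffic: LAND (source equals destination), Ping of Death (fragments reassembling past the IPv4 maximum), Smurf (echo request to a broadcast address), IP spoofing (a LAN or RFC 1918 source arriving on the WAN side, which also uses the private ranges the guide lists under network settings), Teardrop (overlapping fragments) and a plain SYN-count view of a SYN flood. The packet dicts, field names and the 192.168.1.0/24 LAN subnet are this example's own assumptions and constructed sample data.

```python
"""Header-level checks for the Denial of Service attacks the guide lists.

Added example, not 3Com code and not a description of the Firewall's
internals: each attack is written as the packet-header signature a firewall
can test for. Packets are plain dicts constructed inline as sample data;
the field names (iface, proto, src, dst, sport, dport, flags, icmp_type,
frag_offset, payload_len) are this example's own convention.
"""
import ipaddress

# Assumption: the LAN side uses the guide's default subnet 192.168.1.0/24.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
# RFC 1918 private ranges: never a legitimate source on the WAN port.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# A reassembled IPv4 datagram holds at most 65535 bytes including the
# 20-byte header, so more than 65515 bytes of data cannot be legal.
MAX_PAYLOAD = 65535 - 20


def is_land(pkt):
    """LAND: source and destination address and port are identical, so the
    victim is tricked into answering itself."""
    return (pkt["proto"] in ("tcp", "udp")
            and pkt["src"] == pkt["dst"]
            and pkt["sport"] == pkt["dport"])


def is_ping_of_death(pkt):
    """Ping of Death: an ICMP fragment whose data would reassemble past the
    maximum datagram size. frag_offset is in 8-byte units, as in the IP header."""
    if pkt["proto"] != "icmp":
        return False
    return pkt.get("frag_offset", 0) * 8 + pkt["payload_len"] > MAX_PAYLOAD


def is_smurf(pkt):
    """Smurf: an ICMP echo request (type 8) to a broadcast address, so every
    host on the segment replies to the spoofed source."""
    if pkt["proto"] != "icmp" or pkt.get("icmp_type") != 8:
        return False
    dst = ipaddress.ip_address(pkt["dst"])
    return dst in (LAN_NET.broadcast_address, ipaddress.ip_address("255.255.255.255"))


def is_spoofed(pkt):
    """IP spoofing: a packet on the WAN port claiming a LAN or private source."""
    if pkt["iface"] != "wan":
        return False
    src = ipaddress.ip_address(pkt["src"])
    return src in LAN_NET or any(src in net for net in PRIVATE_NETS)


def is_teardrop(fragments):
    """Teardrop: fragments of one datagram whose data ranges overlap, which
    broke reassembly code that trusted the offsets."""
    spans = sorted((f["frag_offset"] * 8, f["frag_offset"] * 8 + f["payload_len"])
                   for f in fragments)
    return any(nxt_start < prev_end
               for (_, prev_end), (nxt_start, _) in zip(spans, spans[1:]))


def syn_flood_targets(packets, threshold):
    """SYN flood: count TCP segments carrying only SYN per destination and
    report those at or above the threshold (a rate over a time window in a
    real implementation; a plain count here)."""
    counts = {}
    for p in packets:
        if p["proto"] == "tcp" and p.get("flags") == "S":
            counts[p["dst"]] = counts.get(p["dst"], 0) + 1
    return {dst: n for dst, n in counts.items() if n >= threshold}


def classify(pkt):
    """Names of the single-packet attacks this packet matches."""
    checks = {"LAND": is_land, "Ping of Death": is_ping_of_death,
              "Smurf": is_smurf, "IP Spoofing": is_spoofed}
    return [name for name, check in checks.items() if check(pkt)]


# Constructed sample traffic using documentation address ranges.
SAMPLES = {
    "land": {"iface": "wan", "proto": "tcp", "src": "203.0.113.5",
             "dst": "203.0.113.5", "sport": 80, "dport": 80, "flags": "S"},
    "ping_of_death": {"iface": "wan", "proto": "icmp", "src": "198.51.100.7",
                      "dst": "203.0.113.5", "icmp_type": 8,
                      "frag_offset": 8184, "payload_len": 1480},   # last fragment
    "smurf": {"iface": "wan", "proto": "icmp", "src": "203.0.113.5",
              "dst": "192.168.1.255", "icmp_type": 8, "payload_len": 56},
    "spoofed": {"iface": "wan", "proto": "udp", "src": "192.168.1.20",
                "dst": "203.0.113.5", "sport": 1024, "dport": 53},
    "normal": {"iface": "wan", "proto": "tcp", "src": "198.51.100.7",
               "dst": "203.0.113.5", "sport": 40000, "dport": 80, "flags": "S"},
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:14s} -> {classify(pkt) or 'clean'}")
```

The spoofing check deliberately lists the RFC 1918 ranges explicitly rather than relying on a library "is private" property, which on some platforms also covers documentation and test ranges and would mis-flag legitimate traffic.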
  • 3Com 3CR16110-95-US | User Guide - Page 24
    events that could be seen as security concerns. It can also track key events such as the top 25 most accessed Web sites, or 3Com recommends that you use a syslog server or a syslog reporting tool. A free syslog server is available from 3Com. To download it point your web browser to: http://www.3com
  • 3Com 3CR16110-95-US | User Guide - Page 25
    up the DHCP Server" on page 155 for more information. Introduction to Virtual Private Networking (VPN) The Firewall includes support for IPSec Virtual Private Networking. This section provides an introduction to Virtual Private Networking (VPN). Virtual Private Networking Today's business
  • 3Com 3CR16110-95-US | User Guide - Page 26
    26 CHAPTER 1: INTRODUCTION terminating device at the other end of the tunnel must be using the same level and type of encryption. See "Configuring Virtual Private Network Services" on page 123 for more details.
  • 3Com 3CR16110-95-US | User Guide - Page 27
    read the safety information provided in Appendix A of this User Guide. AVERTISSEMENT (French, same warning): Before installing the Firewall, read the information relating to safety. (German fragment, same warning: listed in this manual.) Your SuperStack 3 Firewall (3CR16110-95) comes with the following: I A power cord for use with the Firewall.
  • 3Com 3CR16110-95-US | User Guide - Page 28
    such as radio transmitters and broadband amplifiers. I Water or moisture cannot enter the case of the unit. I Air flow around the unit and through the vents in the side of the case is not restricted. 3Com recommends that you provide a minimum of 25.4 mm (1 in.) clearance to each side of the unit
  • 3Com 3CR16110-95-US | User Guide - Page 29
    duplex; yellow = half duplex. Speed: green = 100 Mbps; yellow = 10 Mbps. Packet and Status LEDs for LAN/DMZ/WAN, Firewall Alert LED and Power/Self Test LED (front-panel items 5 to 8 in the figure), 3CR16110-95 SuperStack® 3. WARNING: RJ-45 Ports. These are shielded RJ-45 data sockets. They cannot be used as standard traditional telephone sockets, or to
  • 3Com 3CR16110-95-US | User Guide - Page 30
    Alert LED - This LED shows orange to alert you of the following: I A failure in the self-test the Firewall runs when switched on. I No operational firmware is currently loaded. I Potential attacks on your network. I An attempt to access a restricted site. I A hacker attack or access to a restricted
  • 3Com 3CR16110-95-US | User Guide - Page 31
    31 To diagnose faults see "Troubleshooting Guide" on page 167. 8 Power/Self Test LED - This LED shows green to indicate that the unit is switched on. This LED flashes for about 90 seconds while self-test is running, and also when restarting. If you have installed a 3Com RPS unit with the Firewall
  • 3Com 3CR16110-95-US | User Guide - Page 32
    32 CHAPTER 2: INSTALLING THE HARDWARE Attaching the Firewall to the Network I SuperStack 3 - Advanced RPS (3C16071) I and 60W RPS Power Module - (3C16072) Figure 6 illustrates one possible network configuration. Figure 6 Network Connection Diagram Showing Sample Network
  • 3Com 3CR16110-95-US | User Guide - Page 33
    before switching it on again. 7 Make sure that the Link LEDs are on for all ports that are connected. If not, see Chapter 12 for troubleshooting information.
  • 3Com 3CR16110-95-US | User Guide - Page 34
    now attached to the network. By default, no traffic that originates from the chapters for more information: I Chapter 3 for a quick setup guide for the Firewall. I Chapters 4 to 8 for full information lit - if it is, there are problems on your network. I The case vents are not obstructed. I The cabling
  • 3Com 3CR16110-95-US | User Guide - Page 35
    to configure the Firewall you can activate the Installation Wizard manually. To start the Installation Wizard manually, click on the Tools menu, followed by the Configuration .1.254 to browse the Firewall. 3 Follow the instructions supplied by the Installation Wizard and answer the questions it asks.
  • 3Com 3CR16110-95-US | User Guide - Page 36
    Installation Wizard. 2 Change the IP address to a value within the Firewall's default subnet. This will be a value between 192.168.1.1 and 192.168.1.254 browser window. The Installation Wizard is displayed on screen and will guide you through the configuration described in the sections below. 4
  • 3Com 3CR16110-95-US | User Guide - Page 37
    the Next button to start configuring your Firewall using the Installation Wizard. The Set Your Password screen will be displayed as shown in Figure 8 below. If you want to configure your Firewall manually, click the Cancel button. You will then be returned to the Web interface. See "Configuring
  • 3Com 3CR16110-95-US | User Guide - Page 38
    38 CHAPTER 3: QUICK SETUP FOR THE FIREWALL Figure 8 Set Password Screen Click the Next button to continue. Setting the Time Select the Time Zone appropriate to your location and click the Next Zone button to
  • 3Com 3CR16110-95-US | User Guide - Page 39
    IP address then it will prompt you for the settings it requires. See "Manual WAN Settings" on page 40. Automatic WAN Settings The Installation Wizard checks - The Installation Wizard prompts you to enter the User Name and Password supplied by your ISP. See Figure 10 below. Figure 10 Configuring
  • 3Com 3CR16110-95-US | User Guide - Page 40
    5 seconds. 3 Reconnect the power cord. 4 Point your browser at the Firewall. 5 Follow the instructions supplied by the Installation Wizard. If you want to configure the WAN settings of the Firewall manually then click the Next button to continue. The Installation Wizard will display its Connecting
  • 3Com 3CR16110-95-US | User Guide - Page 41
    Configuring WAN Settings 41 I Using a Single Static IP Address - This address must be taken by the Firewall's WAN port to allow devices connected to the LAN port to communicate with devices connected to the WAN port. Network Address Translation (NAT) will be enabled. I Using Multiple Static IP
  • 3Com 3CR16110-95-US | User Guide - Page 42
    42 CHAPTER 3: QUICK SETUP FOR THE FIREWALL To configure the WAN networking of your Firewall enter the following 1 In the Firewall WAN IP Address field enter the single address which has been allocated to your Firewall. Enter the subnet mask for the above IP address in the WAN/DMZ Subnet Mask field.
  • 3Com 3CR16110-95-US | User Guide - Page 43
    Configuring WAN Settings 43 Click the Next button to proceed to the Getting to the Internet screen shown in Figure 14 below. Figure 14 Setting the Firewall WAN configuration The Getting to the Internet screen contains the following fields: 1 Firewall WAN IP Address - Choose one of the addresses
  • 3Com 3CR16110-95-US | User Guide - Page 44
    (PPPoE) screen will be Server displayed as shown in Figure 15 below. Figure 15 Configuring the Firewall's PPPoE settings Enter the User Name and Password as supplied by your ISP and click the Next button to proceed to the final part of the configuration. See "Configuring LAN Settings" on page
  • 3Com 3CR16110-95-US | User Guide - Page 45
    Subnet mask for your LAN network in the LAN Subnet Mask field. The default IP address of the Firewall is 192.168.1.254 with a subnet mask of 255.255.255.0. You may want to keep this setting as other 3Com products also have their default addresses in this range. Click the Next button to continue.
  • 3Com 3CR16110-95-US | User Guide - Page 46
    . Confirming Firewall Settings The Firewall prompts you to confirm the settings it has established through automatic configuration as well as those entered manually. You will be presented with a screen similar to Figure 18 below showing you settings with which the Firewall has been configured
  • 3Com 3CR16110-95-US | User Guide - Page 47
    accept the settings click the Next button. I To change the configuration of the Firewall click the Back button. I If you want to configure the Firewall manually: I Click the Cancel button to discard the changes made by the Installation Wizard or I Click the Next Button, continue to the end of the
  • 3Com 3CR16110-95-US | User Guide - Page 48
    48 CHAPTER 3: QUICK SETUP FOR THE FIREWALL Figure 19 Congratulations Page Click the Restart button to complete the configuration of the Firewall using the Installation Wizard. The Firewall will take under a minute to restart during which time the Power/Self test LED will flash. When the Power/Self
  • 3Com 3CR16110-95-US | User Guide - Page 49
    of the Firewall Chapter 5 Setting up Web Filtering Chapter 6 Using the Firewall Diagnostic Tools Chapter 7 Setting a Policy Chapter 8 Advanced Settings Chapter 9 Configuring Virtual Private Network Services Chapter 10 Configuring High Availability
  • 3Com 3CR16110-95-US | User Guide - Page 51
    Web interface menu map (figure): menus Tools, Policy, Advanced, VPN and High Availability; tabs shown include Unit Status, Settings, View Log, Restart, Services, Proxy Relay, VPN Summary, Configure, Set Password, DMZ Address, Custom List, Log Settings, Configuration, Add Service, Intranet VPN, Set Time, DHCP Server, Filter Update, Reports, Upgrade and Policy Rules.
  • 3Com 3CR16110-95-US | User Guide - Page 52
    topologies of network and to provide some of the functionality of a router within your network. I Chapter 9 - "Configuring Virtual Private Network Services" describes the functions available in the VPN menu of the Web interface. These functions enable you encrypt and authenticate external access to
  • 3Com 3CR16110-95-US | User Guide - Page 53
    Setting the Administrator Password Setting the Administrator Password 53 I ROM Version I Firmware Version I Device Up-time in days, hours, minutes, and seconds Problems appear in red text. For example, if the Internet router was not contacted, or the default password was not changed, this would be
  • 3Com 3CR16110-95-US | User Guide - Page 54
    2:30, the clock will synchronize every hour at the half hour-3:30, 4:30 etc. To set the time automatically you need a connection to the Internet. 3Com recommends that initially you set the time manually even if you have selected this option. See Manual Time Set below to set the time
  • 3Com 3CR16110-95-US | User Guide - Page 55
    Mean Time or World Time. Many ISPs require firewall logs to be recorded in UTC as tracking hackers can be very difficult if reports of times are not consistent. Manual Time Set To set the time manually enter the date and time in the boxes at the bottom of the screen. Set the
  • 3Com 3CR16110-95-US | User Guide - Page 56
    56 CHAPTER 4: BASIC SETTINGS OF THE FIREWALL Changing the Basic Network Settings Click the Settings Tab from the Network Menu to display the Network Settings window (see Figure 24 below). Figure 24 Network Settings, Standard Window Setting the Network Addressing Mode The Network Addressing Mode
  • 3Com 3CR16110-95-US | User Guide - Page 57
    Changing the Basic Network Settings 57 When using IP addresses on a LAN which have not been assigned by an Internet Service Provider, it is a good idea to use addresses from a special address range allocated for this purpose. The following IP address ranges can be used for
  • 3Com 3CR16110-95-US | User Guide - Page 58
    WAN Gateway (router) Address The WAN gateway address, also called the default gateway, is the address of the router that attaches the LAN to information given to you by your service provider upon initial installation of your broadband service. Password Enter the Password for your PPPoE account in
  • 3Com 3CR16110-95-US | User Guide - Page 59
    server, which are crucial for effective Internet use. In order to allow such services, the Firewall comes with a special Demilitarized Zone (DMZ) port which you use the DMZ port is optional and you do not have to connect it. 3Com recommends that you use the DMZ port as an alternative to Public LAN
  • 3Com 3CR16110-95-US | User Guide - Page 60
    60 CHAPTER 4: BASIC SETTINGS OF THE FIREWALL Click Network, and then select the DMZ Addresses tab. A window similar to that in Figure 25 displays. Figure 25 DMZ Address Window Setting up the DHCP Server Type the addresses for the DMZ individually or as a range. Type an individual address in the
  • 3Com 3CR16110-95-US | User Guide - Page 61
    Firewall can allocate up to 255 static or dynamic IP addresses. 3Com recommends you use a dedicated DHCP server if more addresses are DHCP server. This is disabled by default. Leave the DHCP server disabled if there already is a DHCP server on the LAN or if manual addressing is used on the LAN
  • 3Com 3CR16110-95-US | User Guide - Page 62
    registered domain name for the network in the Domain Name box, for example: 3com.com. If you do not have a Domain Name leave this blank. DNS DNS servers to improve performance and reliability. To specify these manually select the Specify Manually radio button and type the IP address of the DNS supported.
  • 3Com 3CR16110-95-US | User Guide - Page 63
    select it from the scrolling list of dynamic ranges, and click Delete Range. Static Entries Static addresses are used by client machines that support BootP or those which require a fixed IP address. For example, client machines running Web or FTP servers require static addresses. To create a static
  • 3Com 3CR16110-95-US | User Guide - Page 64
    Firewall has several tools built in which can help you solve network problems. Click Network, and then select the Diagnostics tab. Figure 28 Diagnostics Lookup Domain Name Service (DNS) is an internet service which allows users to enter an easily remembered host name, such as www.3Com.com, instead of
  • 3Com 3CR16110-95-US | User Guide - Page 65
    to contact the remote host. If users on the LAN are having problems accessing services on the Internet, try pinging the DNS server, or other machine the IP address of a host. Packet Trace Use the Packet Trace tool to track the status of a data packet or communications stream as it moves from source
  • 3Com 3CR16110-95-US | User Guide - Page 66
    Trace on IP address box, not a host name, such as www.3Com.com. 3 Click Refresh to display the packet trace information. 4 Click Stop to . You can then e-mail this file to Technical Support to help assist with a problem. 1 Select Tech Support Report from the Choose a diagnostic tool menu. 2
  • 3Com 3CR16110-95-US | User Guide - Page 67
    5 SETTING UP WEB FILTERING This chapter describes the commands and options available in the Filter menu. The menu is broken up into five sections shown in the user interface as tabs. To access a command click on Filter on the left hand side of the screen and then on the appropriate tab. This
  • 3Com 3CR16110-95-US | User Guide - Page 68
    68 CHAPTER 5: SETTING UP WEB FILTERING Figure 29 Filter Settings Window Content Filtering only applies to nodes on the LAN Port. Select the options in the Settings window, described below, to tailor the content filtering to meet the needs of your organization. Restricting the Web Features
  • 3Com 3CR16110-95-US | User Guide - Page 69
    usage. Unfortunately, cookies can be programmed not only to identify the visitor to the site, but also to track that visitor's activities. Because they represent a potential loss of privacy, some administrators may choose to block cookies. Web Proxy When a proxy server is located on
  • 3Com 3CR16110-95-US | User Guide - Page 70
    Time of Day limitations are not enforced. This is enabled by default. Block Between When selected, Internet Filtering is only active during the period, in 24-hour format, and the start and end day of the week during which you want to enforce Internet Filtering. Filtering Web Sites using a Custom
  • 3Com 3CR16110-95-US | User Guide - Page 71
    of the site, that is, do not include http://. All subdomains are allowed. For example, adding 3Com.com also allows www.3Com.com, my.support.3com.com, shop.3com.com and so forth. Up to 256 entries are supported in the Trusted Domains list. Click Update to send the update to the Firewall. Forbidden
  • 3Com 3CR16110-95-US | User Guide - Page 72
    to re-enter names when the Web Site Filter is updated each week, as the custom list does not expire. Disable all Web traffic Site Filter, a message is displayed on their screen. The default message is: Web Site Blocked by 3Com SuperStack 3 Firewall. You can type any message, including embedded
  • 3Com 3CR16110-95-US | User Guide - Page 73
    to the Web Site Filter, you can specify that it is updated automatically every week for one year. It is important to note that host names, and not IP two reasons: I Many blocked sites operate server pools, where many machines service a single host name, making it impractical and difficult to add and
  • 3Com 3CR16110-95-US | User Guide - Page 74
    Download Check this box to enable automatic, weekly updates to the Web Site Filter. Also, select the day of the week and the time of the day to for more information. Allow traffic to all websites Select this option to provide open access to the internet in the event of the Filter List expiring or a
  • 3Com 3CR16110-95-US | User Guide - Page 75
    Blocking Websites by using Keywords 75 Blocking Websites by using Keywords Click Filter and then select the Keywords tab. A window similar to that in Figure 32 displays. Figure 32 Keywords Window Filtering by User Consent You can block Web URLs that contain specified keywords. This functions as
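The Custom List and Keywords tabs described above amount to three list lookups against each requested URL. The following is an added example (not 3Com code) that implements them the way the guide specifies: a Trusted or Forbidden Domains entry is typed without http:// and covers the domain and every subdomain (3com.com also allows www.3com.com and shop.3com.com), each list holds at most 256 entries, and keywords match anywhere in the URL. It also makes two caveats explicit that a practitioner wants: matching is on whole host-name labels, so "3com.com" must not cover "not3com.com", and because the lists hold host names rather than IP addresses (the guide's server-pool argument), a URL with a bare IP address has nothing for a domain list to match and is only caught by keywords. The precedence (trusted, then forbidden, then keywords), the class and function names, and all list entries and URLs are this example's own assumptions and constructed sample data.

```python
"""Host-name matching for the Trusted Domains and Forbidden Domains lists
(Custom List tab) and URL keywords (Keywords tab).

Added example, not 3Com code. Precedence (trusted first, then forbidden,
then keywords) is this example's assumption; the entries and URLs used
with it are constructed sample data.
"""
import ipaddress
from urllib.parse import urlsplit

MAX_ENTRIES = 256  # per-list limit stated in the guide


def normalize_domain(entry):
    """Lower-case an entry and strip a scheme or path pasted in by mistake."""
    entry = entry.strip().lower()
    if "://" in entry:
        entry = entry.split("://", 1)[1]
    return entry.split("/", 1)[0].rstrip(".")


def load_list(entries):
    """Normalize a list and enforce the Firewall's entry limit."""
    domains = [normalize_domain(e) for e in entries if e.strip()]
    if len(domains) > MAX_ENTRIES:
        raise ValueError(f"{len(domains)} entries; the list holds at most {MAX_ENTRIES}")
    return domains


def match_domain(host, domains):
    """Return the entry covering host: an exact match or a parent domain on a
    label boundary ("3com.com" covers "shop.3com.com", not "not3com.com")."""
    host = host.lower().rstrip(".")
    for d in domains:
        if host == d or host.endswith("." + d):
            return d
    return None


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


class WebFilter:
    def __init__(self, trusted=(), forbidden=(), keywords=()):
        self.trusted = load_list(trusted)
        self.forbidden = load_list(forbidden)
        self.keywords = [k.strip().lower() for k in keywords if k.strip()]

    def decide(self, url):
        """Return (action, reason) for a requested URL."""
        parts = urlsplit(url if "://" in url else "http://" + url)
        host = (parts.hostname or "").rstrip(".")
        if not host:
            return "block", "no host name in URL"
        if is_ip_literal(host):
            # A host-name list cannot match a raw address; keywords still apply.
            reason = "IP literal, domain lists do not apply"
        else:
            hit = match_domain(host, self.trusted)
            if hit:
                return "allow", f"trusted domain {hit}"
            hit = match_domain(host, self.forbidden)
            if hit:
                return "block", f"forbidden domain {hit}"
            reason = "no domain rule matched"
        lowered = url.lower()
        for kw in self.keywords:
            if kw in lowered:
                return "block", f"keyword {kw!r}"
        return "allow", reason


if __name__ == "__main__":
    # Constructed sample lists and requests.
    f = WebFilter(trusted=["3Com.com"],
                  forbidden=["example.net", "http://badsite.example/"],
                  keywords=["casino"])
    for u in ("http://shop.3com.com/", "http://not3com.com/",
              "https://www.example.net/x", "http://203.0.113.10/casino"):
        print(u, "->", f.decide(u))
```

The IP-literal branch is the point to take away: a host-name list on its own does not stop a user who types the address of a blocked site, which is why the guide's Keywords tab and a default-deny policy still matter.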
  • 3Com 3CR16110-95-US | User Guide - Page 76
    displaying the page defined in the Consent page URL box. Type the time limit, in minutes, in the Maximum web usage is box. Specify the default value of zero (0) to disable this feature. User idle timeout After a period of inactivity, the Firewall requires the user to agree to the terms outlined
  • 3Com 3CR16110-95-US | User Guide - Page 77
    Filtering by User Consent 77 Consent page URL (Optional Filtering) When users begin an Internet session on a computer that is not always filtered, they are shown a consent page and given the option to access the Internet with or without filtering. Create this page in HTML. It may contain the text
  • 3Com 3CR16110-95-US | User Guide - Page 78
    78 CHAPTER 5: SETTING UP WEB FILTERING create this page, and can add the text from the Acceptable Use Policy, and notification that violations of the AUP are blocked and logged. Consent Page URL (Mandatory Filtering) When users access a page that you include in the list of Mandatory Filtered IP
  • 3Com 3CR16110-95-US | User Guide - Page 79
    I Generating Reports I Restarting the Firewall I Managing the Firewall Configuration File I Upgrading the Firewall Firmware The Firewall maintains an event log, which contains events that may be security concerns. You can address used by the log, or to a different address, such as a paging service.
  • 3Com 3CR16110-95-US | User Guide - Page 80
    80 CHAPTER 6: USING THE FIREWALL DIAGNOSTIC TOOLS Viewing the Log The Firewall logs the following events: I Unauthorized connection attempts I Blocked Web, FTP and Gopher sites, and blocked NNTP Newsgroups I Blocked ActiveX and Java I Blocked Cookies and Proxy attempts I Attacks such as IP
  • 3Com 3CR16110-95-US | User Guide - Page 81
    address. If the packet was ICMP, the number in parentheses is the ICMP code. The address information is usually preceded by the name of the service described by either the TCP or UDP port, or the ICMP type in quotation marks. Web, FTP, Gopher, or Newsgroup blocked The LAN IP and
  • 3Com 3CR16110-95-US | User Guide - Page 82
    basis, then there is probably no attack in progress. If the log message calls the attack "probable", contact the ISP to see if they can track down the source of the attack. In either case, the LAN and DMZ are protected and you do not need to take further steps. Changing
  • 3Com 3CR16110-95-US | User Guide - Page 83
    on a weekly basis if new software is available for download. See "Upgrading the Firewall Firmware" on page 3Com.com, to which alert messages are sent in this box. This may be a standard e-mail account or, quite often, a paging service of the Firewall is the default value. Syslog Server In addition
  • 3Com 3CR16110-95-US | User Guide - Page 84
    IP addresses, IP service, and number of bytes transferred. To support Syslog, you must the Firewall queries the Automation Settings 3Com server for new firmware. To ease traffic on the network weekly option is selected, then also specify which day of the week the e-mail is to be sent. If the weekly
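The guide recommends sending the log to a syslog server, and earlier notes that ISPs want firewall times recorded in UTC because inconsistent timestamps make an incident hard to trace. The following is an added example (not 3Com software) of the minimal collector a practitioner would stand up for that: it receives UDP syslog, decodes the BSD-syslog PRI field (facility * 8 + severity, per RFC 3164) and stamps every record with the collector's own UTC arrival time, so the evidence does not depend on the Firewall's clock having been set. The Firewall's exact message format is not shown in the guide and is not assumed; message bodies are kept verbatim, and the sample lines are constructed.

```python
"""A minimal syslog collector for the Firewall's log export.

Added example, not 3Com software. Decodes the BSD-syslog <PRI> header
(RFC 3164: PRI = facility * 8 + severity), keeps the message verbatim and
records the collector's own UTC receive time. Sample lines are constructed.
"""
import json
import socket
from datetime import datetime, timezone

SEVERITIES = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")
FACILITIES = ("kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "console", "cron2",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7")

# Fixed timestamp used by the stand-alone demo so its output is reproducible.
SAMPLE_TIME = datetime(2001, 8, 1, 12, 0, 0, tzinfo=timezone.utc)


def parse_syslog(raw, sender, received_at=None):
    """Decode the PRI header if present; anything else is left as the message."""
    received_at = received_at or datetime.now(timezone.utc)
    line = raw.decode("utf-8", errors="replace").rstrip("\r\n")
    facility = severity = None
    msg = line
    if line.startswith("<") and ">" in line[:5]:
        end = line.index(">")
        pri = line[1:end]
        if pri.isdigit() and int(pri) < 192:      # 24 facilities * 8 severities
            facility, severity = divmod(int(pri), 8)
            msg = line[end + 1:]
    return {
        "received_utc": received_at.isoformat(timespec="seconds"),
        "sender": sender,
        "facility": FACILITIES[facility] if facility is not None else None,
        "severity": SEVERITIES[severity] if severity is not None else None,
        "msg": msg,
    }


def serve(bind="0.0.0.0", port=514, path="firewall-syslog.jsonl", max_messages=None):
    """Receive UDP syslog and append one JSON record per message to path.
    Port 514 needs root; any other port works if the sender can be told to use it."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    seen = 0
    with open(path, "a") as out:
        while max_messages is None or seen < max_messages:
            data, (addr, _) = sock.recvfrom(4096)
            out.write(json.dumps(parse_syslog(data, addr)) + "\n")
            out.flush()
            seen += 1


if __name__ == "__main__":
    # Constructed sample line, not a real Firewall message.
    sample = b"<134>Aug  1 12:00:00 firewall: constructed sample message\n"
    print(json.dumps(parse_syslog(sample, "192.168.1.254", SAMPLE_TIME), indent=2))
```

Point the Firewall's Syslog Server setting at the host running this collector; one JSON line per message is easy to ship onward or grep during an investigation, and the receive-side UTC stamp is what you hand to the ISP.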
  • 3Com 3CR16110-95-US | User Guide - Page 85
    . System Errors When enabled, log messages showing problems with DNS, e-mail, and automatic Web Site Filter loading are generated. This is enabled by default. Blocked Web Sites When enabled, log messages showing Web sites, newsgroups, or other services blocked by the Web Site Filter, by keyword
  • 3Com 3CR16110-95-US | User Guide - Page 86
    incoming ICMP packets are generated. This is enabled by default. Network Debug When enabled, log messages showing Ethernet broadcasts, ARP resolution problems, ICMP redirection problems, and NAT resolution problems are generated. This category is intended for experienced network administrators
  • 3Com 3CR16110-95-US | User Guide - Page 87
    Web Site are generated as an alert message. This is disabled by default. Click Update to save your changes. Generating Reports The Firewall can analyze Web sites I Top 25 users of bandwidth by IP address I Top 25 services that consume the most bandwidth Click Log and then select the Reports tab. A
  • 3Com 3CR16110-95-US | User Guide - Page 88
    Select the desired report from the Display Report popup menu. The options are: I Web Site Hits I Bandwidth Usage by IP Address I Bandwidth Usage by Service. These reports are explained as follows. Web Site Hits Selecting Web Site Hits from the Report to view drop-down list displays a table showing
  • 3Com 3CR16110-95-US | User Guide - Page 89
    so forth, and the number of megabytes received from the service during the current sample period. Use the Bandwidth Usage by Service report to make sure the Internet services being used are appropriate for the organization. If services such as video or push broadcasts are consuming a large portion
  • 3Com 3CR16110-95-US | User Guide - Page 90
    the Configuration tab to specify where the settings for the Firewall are saved to and retrieved from for backup purposes. You can also restore the default settings from the Configuration tab. 3Com recommends that you back up the Firewall settings.
  • 3Com 3CR16110-95-US | User Guide - Page 91
    the status at the bottom of the screen will give you the option to Restart the Firewall. 5 Click Restart. Make sure that the Web browser supports HTTP uploads. If it does not, you cannot import the saved settings. Note that this will not change the
  • 3Com 3CR16110-95-US | User Guide - Page 92
    as .exp. This defaults to 3com_firewall.exp. The process may take up to a minute. The Administration password is not saved to the Setup for the Firewall". Upgrading the Firewall Firmware The Upgrade tool allows you to upgrade the operational firmware of the Firewall. The Firewall has
  • 3Com 3CR16110-95-US | User Guide - Page 93
    will be reset to factory default. 3Com recommends that you export the Firewall's configuration settings before uploading new firmware and then import them again after the upgrade has been completed. The Firewall checks to see if new firmware is available for download on a weekly basis. If there is
  • 3Com 3CR16110-95-US | User Guide - Page 94
    Window 3 Click Browse... and select the firmware file you have downloaded from the 3Com FTP site to a local hard drive or server on the LAN. 4 Click Upload to begin the upload. Make sure that your Web browser supports HTTP uploads. When uploading the firmware to a Firewall, it is important not
  • 3Com 3CR16110-95-US | User Guide - Page 95
    Upgrading the Firewall Firmware 95 interrupted this way, it may result in the Firewall not responding to attempts to log in. If your Firewall does not respond, see Chapter 12, "Troubleshooting Guide". 5 Restart the Firewall for the changes to take effect.
  • 3Com 3CR16110-95-US | User Guide - Page 97
    of the screen and then on the appropriate tab. The following sections are covered in this chapter: I Changing Policy Services I Adding and Deleting Services I Editing Policy Rules I Updating User Privileges I Setting Management Method See Chapter 11 for background information about policies. This
  • 3Com 3CR16110-95-US | User Guide - Page 98
    window contains a table showing the defined Network Policy Rules. At the bottom of the table is the Default rule which affects all IP services. Any rules you create for a specific protocol override the Default rule with respect to that protocol. LAN Out Checkbox When the check box is clicked for
  • 3Com 3CR16110-95-US | User Guide - Page 99
    box is cleared. When the service is selected, users on the Internet can access all hosts on the DMZ via that protocol. The default value is enabled. When Networking communicate with one another through NetBIOS broadcast packets. By default, the Firewall blocks these broadcasts. If you have Windows
  • 3Com 3CR16110-95-US | User Guide - Page 100
    . Allowing Fragmented Packets By default the Firewall drops fragmented packets as they may form part of a Denial of Service attack. Fragmented packets can Without this timeout, it is possible that connections could stay open indefinitely, creating potential security risks. You can increase the
  • 3Com 3CR16110-95-US | User Guide - Page 101
    the same name. For example, the default configuration has two entries labeled Name Service (DNS). These are UDP port 53 service. Up to 64 entries are supported. Adding Support for a Known Service To add a service known to the Firewall: 1 Select the name of the service from the Add a known service
  • 3Com 3CR16110-95-US | User Guide - Page 102
    port numbers, see: http://www.ietf.org/rfc/rfc1700.txt If you create multiple entries with the same name, they are grouped together as a single service and may not function as expected. Disabling Screen Logs You can disable the log of events which is usually written to the Firewall's internal Screen
  • 3Com 3CR16110-95-US | User Guide - Page 103
    in Figure 46 displays. Figure 46 Policy Rules Window The Current Network Policy Rules table is an extension of the Services display covered in "Changing Policy Services" on page 97. In this display you will see the default rules and any rules you have created. You can use this screen to fine-tune
  • 3Com 3CR16110-95-US | User Guide - Page 104
    to the breadth of scope of the rule. When evaluating rules, the Firewall uses the following criteria: 1 A rule defining a specific service is more specific than the default rule. 2 A defined Ethernet link, such as LAN, WAN, or DMZ, is more specific than * (all). 3 A single IP address is more
  • 3Com 3CR16110-95-US | User Guide - Page 105
    Editing Policy Rules 105 would only be necessary if you wanted the server on the WAN to initiate connections with the PC on the LAN network port. Destination The Destination for a rule refers to the target of the connection made by the source. As with the Source this can be set to a network port
  • 3Com 3CR16110-95-US | User Guide - Page 106
    on the Restore Rules to Defaults Defaults button. This will remove all the custom rule Users will only be able to use the Services currently allowed by the Firewall. If an external user connection to allow the traffic. See Chapter 9 for instructions on configuring VPN on the Firewall and Chapter 14
  • 3Com 3CR16110-95-US | User Guide - Page 107
    amount of time a privileged user can keep their connection open without using it enter the time in minutes into the type the user's login name. 3 In the Password and Confirm Password boxes, enter the user's password. It is important to use a password that could not be guessed by someone else.
  • 3Com 3CR16110-95-US | User Guide - Page 108
    and Privileges To change a user's password or privileges: 1 Highlight the name in the scrollable box. 2 Make the changes. 3 Click Update User. Deleting a User To delete a user, highlight the name and click Remove User. To configure a user's machine to support privileged users see "Establishing an
  • 3Com 3CR16110-95-US | User Guide - Page 109
    The first step in setting up the management of the Firewall is selecting the management method to be used. I From the LAN interface is the default and allows you to manage the Firewall from a web browser on the LAN network. When operating in this mode, no Security Association information is needed
  • 3Com 3CR16110-95-US | User Guide - Page 110
    Management SA uses Manual Keying to set the NBX 100 Business Telephone System 3Com recommends that you place your NBX DMZ ports of the Firewall, then you must open a specific port on the Firewall. Do this . 3 Click the Add Service tab. 4 Type in NBX for the Name of the service. 5 Select UDP for
  • 3Com 3CR16110-95-US | User Guide - Page 111
    8 ADVANCED SETTINGS This chapter describes the commands and options available in the Advanced menu. The menu is broken up into sections shown in the user interface as tabs. To access a command click on Filter on the left hand side of the screen and then on the appropriate tab. The following
  • 3Com 3CR16110-95-US | User Guide - Page 112
    8: ADVANCED SETTINGS The problem with installing a proxy server on the LAN is that each client must be configured to support the proxy, which adds how to install the 3Com SuperStack® 3 Webcache 1000/3000 (3C16115/3C16116) as a proxy server of the SuperStack 3 Firewall (3CR16110-95). A sample network
  • 3Com 3CR16110-95-US | User Guide - Page 113
    . c In the Port Number field enter the number 8080 (this is the default value). d Do not configure Web Site Blocking on the Webcache as the Firewall to use the 3Com Web Site Filter (3C16111). 2 Install the Firewall according to the SuperStack 3 Firewall User Guide (this guide) taking into account
  • 3Com 3CR16110-95-US | User Guide - Page 114
    , an organization's accounting, research, or other sensitive resources may be protected against unauthorized access by other users on the same network. By default, protected LAN users can only access the Internet and no other devices between the WAN port and the Internet. To enable access to the
  • 3Com 3CR16110-95-US | User Guide - Page 115
    Specifying Intranet Settings 115 Figure 51 Connecting the Firewall to protect an internal part of the network (figure: an Unrestricted Area, optionally firewalled from the external networks by F1, and a Restricted Area, firewalled from the rest of your network by F2. Key: F1 External Firewall, F2 Internal Firewall)
  • 3Com 3CR16110-95-US | User Guide - Page 116
    116 CHAPTER 8: ADVANCED SETTINGS Figure 52 Intranet Window To enable intranet firewalling, it is necessary to identify which machines are protected against unauthorized access by specifying the IP addresses of these machines. You can do this in two ways: I Inclusively by specifying which machines
  • 3Com 3CR16110-95-US | User Guide - Page 117
    117 I Firewall's WAN link is connected directly to the Internet router - Use this setting if the Firewall is protecting the entire network. This is the default setting. Click Update to save the configuration. I Specified address ranges are attached to the LAN link - Select this when it is easier to
  • 3Com 3CR16110-95-US | User Guide - Page 118
    118 CHAPTER 8: ADVANCED SETTINGS Figure 53 Isolating a network using a second router (figure: a Core Network and a Design Network separated by routers R1 and R2, with the Firewall F and servers S) To configure static routes click Advanced and then select the Static Routes tab. A window similar to that in Figure 54 displays. Figure 54 Static Routes Window
  • 3Com 3CR16110-95-US | User Guide - Page 119
    in order to find this information. Click Update to send the configuration data to the Firewall. One-to-One NAT creates a relationship which maps valid external addresses to internal addresses hidden by NAT. Machines with an internal address may be accessed at the corresponding external valid IP
  • 3Com 3CR16110-95-US | User Guide - Page 120
    120 CHAPTER 8: ADVANCED SETTINGS Table 4 Address Correspondence in One-to-One NAT
    LAN Address     Corresponding WAN Address
    192.168.1.1     209.19.28.16
    192.168.1.2     209.19.28.17
    [...]           [...]
    192.168.1.16    209.19.28.31
    192.168.1.17    No corresponding valid IP address
    [...]           [...]
    192.168.1.255   No
  • 3Com 3CR16110-95-US | User Guide - Page 121
    Public Range Begin Type the beginning IP address of the public address range being mapped in the Public Range Begin box. This address is assigned by the ISP. the number of valid IP address. You can add up to 64 ranges. To map a single address, use a Range Length of 1. Click Update to save changes.
  • 3Com 3CR16110-95-US | User Guide - Page 122
    122 CHAPTER 8: ADVANCED SETTINGS
  • 3Com 3CR16110-95-US | User Guide - Page 123
    9 CONFIGURING VIRTUAL PRIVATE NETWORK SERVICES Editing VPN Summary Information This chapter describes the commands and options available in the VPN menu. The menu is broken up into sections shown in
  • 3Com 3CR16110-95-US | User Guide - Page 124
    124 CHAPTER 9: CONFIGURING VIRTUAL PRIVATE NETWORK SERVICES Figure 56 VPN Summary Window Changing the and letters in the Unique Firewall Identifier field and click Update. The Unique Firewall Identifier defaults to the serial number of the Firewall. CAUTION: The Unique Firewall Identifier must be
  • 3Com 3CR16110-95-US | User Guide - Page 125
    handshake and the exchange of new encryption and authentication keys. The SuperStack 3 Firewall will support 1000 SAs. Of these SAs, 999 will support a single VPN tunnel, while the remaining single SA can support up to 100 concurrent VPN tunnels. This is called the "GroupVPN" SA. Configuring a VPN
  • 3Com 3CR16110-95-US | User Guide - Page 126
    126 CHAPTER 9: CONFIGURING VIRTUAL PRIVATE NETWORK SERVICES Figure 57 VPN Configure Window Adding/ -shared secret (Internet Key Exchange using pre-shared Secret) is the default keying mode and offers more security than a Manual Key. I Manual Key does not offer as high a level of security as IKE but
  • 3Com 3CR16110-95-US | User Guide - Page 127
    VPN clients to be authenticated by a RADIUS (Remote Authentication Dial-In User Service) Server. See "Configuring the Firewall to use a RADIUS Server" on page is not available if the IPSec Keying Mode is set to Manual Key. Enable Windows Networking (NetBIOS) broadcast NetBIOS broadcasts are used
  • 3Com 3CR16110-95-US | User Guide - Page 128
    VIRTUAL PRIVATE NETWORK SERVICES Leave the setting is not available if the IPSec Keying Mode is set to Manual Key. SA Life time (secs) The SA Life time (secs) value (short time) will increase security but may cause inconvenience. The default value for the SA Life time (secs) field is 28800 seconds
  • 3Com 3CR16110-95-US | User Guide - Page 129
    a VPN Security Association 129 The Incoming SPI and Outgoing SPI are only used when Manual Keying is employed. These fields do not appear when using IKE as your IPSec Keying Mode. Encryption Method The Firewall supports seven encryption methods for establishing a VPN tunnel. These are shown in Table
  • 3Com 3CR16110-95-US | User Guide - Page 130
    130 CHAPTER 9: CONFIGURING VIRTUAL PRIVATE NETWORK SERVICES Table 5 Firewall Encryption Methods Method Speed Extremely High Low Supported by Manual Key, IKE Manual Key, IKE Manual Key, IKE Manual Key, IKE, Check Point FW-1 GroupVPN, Manual Key, IKE GroupVPN, Manual Key, IKE Manual Key, IKE
  • 3Com 3CR16110-95-US | User Guide - Page 131
    it is longer than stated then the number will be truncated and the stated number of digits used. The Encryption Key is only used when Manual Keying is employed. This field does not appear when using IKE as your IPSec Keying Mode. Authentication Key The Authentication Key is a hexadecimal number that
  • 3Com 3CR16110-95-US | User Guide - Page 132
    and click the Update button. Configuring the Firewall to use a RADIUS Server The Firewall is capable of using a RADIUS (Remote Authentication Dial-In User Service) server to authenticate VPN users. To configure your Firewall to use a RADIUS server click on VPN on the left hand side of the screen
  • 3Com 3CR16110-95-US | User Guide - Page 133
    your RADIUS server. The Steel-Belted RADIUS Server, for example, is set to listen on port 1645 by default. Click the Update button to save your changes. Shared Secret The shared secret of a RADIUS server is a RADIUS server. Your RADIUS server may use its administrative password as a shared secret.
  • 3Com 3CR16110-95-US | User Guide - Page 134
    9: CONFIGURING VIRTUAL PRIVATE NETWORK SERVICES Enter the shared secret or administrative password of your RADIUS server in not always fully interoperable. Ideally, a firewall should be adaptable to support all of the VPN products it may encounter, but not all the Manual IPSEC encryption algorithm is
  • 3Com 3CR16110-95-US | User Guide - Page 135
    Using the Firewall with Check Point Firewall-1 135 selected for Firewall VPN. If SecuRemote is used, FWZ must also be selected. 2 Create the Remote Object(s). These are the resources behind the remote Firewall (Workstations, Network or Group Objects). Refer to the following example: a From the
  • 3Com 3CR16110-95-US | User Guide - Page 136
    access rules. The rule should contain both firewall objects (Check Point Firewall-1 and Firewall), the services should be IPSEC group and it should be Accepted. Logging is optional and should be used to debug any problems. 7 Next you need to add a rule to allow the two networks/groups to send
  • 3Com 3CR16110-95-US | User Guide - Page 137
    VPN Client for use with the Firewall 137 9 Select the Manual IPSec and the Logging radio buttons. 10 Press the Edit the VPN Configure screen in the Firewall Web interface. Create a Firewall Security Association, using manual key encryption, and name it Check Point (any name will work). Do not use
  • 3Com 3CR16110-95-US | User Guide - Page 138
    138 CHAPTER 9: CONFIGURING VIRTUAL PRIVATE NETWORK SERVICES Setting up the GroupVPN Security Association 1 Click on VPN on the left hand side of the screen and then on the Summary tab. a Ensure that
  • 3Com 3CR16110-95-US | User Guide - Page 139
    the CD.s 3 Double-Click setup.exe and follow the VPN client Setup program's step-by-step instructions. This product does not require any serial key for installation. 4 Restart your computer after the VPN select Import Security Policy. 4 Select the exported security file and click the Open button.
  • 3Com 3CR16110-95-US | User Guide - Page 140
    140 CHAPTER 9: CONFIGURING VIRTUAL PRIVATE NETWORK SERVICES 5 Close the Security Policy Editor saving changes when prompted. 6 Delete the export file from the hard drive if it was previously copied there. The client is now set up to access your network safely across the Internet.
  • 3Com 3CR16110-95-US | User Guide - Page 141
    be version 6.0 or above. The 3Com Firewalls 3CR16110-95 and 3CR16110-97 use identical hardware and can be used as a high availability pair provided that they are using the same version of firmware. I You have at least one static IP address available from your Internet Service Provider (ISP). If you
  • 3Com 3CR16110-95-US | User Guide - Page 142
    upgrades and subscriptions enabled. If the backup unit does not have the same upgrades and subscriptions enabled, these functions will not be supported in the event of a failure of the primary Firewall. Network Configuration for High Availability Pair The following diagram illustrates the network
  • 3Com 3CR16110-95-US | User Guide - Page 143
    Configuring High Availability 143 I Configuring High Availability on the Backup Firewall Both steps must be completed before the two Firewalls will function as a High Availability pair. Configuring High Click the High Availability button on the left side of the Firewall browser Availability on the
  • 3Com 3CR16110-95-US | User Guide - Page 144
    top of the window. Next, click the Export button. 2 Choose a location to save the primary Firewall's preferences file. This file is named "3Com_firewall.exp" by default, but can be renamed. The export process may take up to one minute. 3 Log out of the primary Firewall.
  • 3Com 3CR16110-95-US | User Guide - Page 145
    the top of the window. In the event of a mismatch in firmware versions, it will be necessary to upgrade the firmware to correct the problem. See "Upgrading the Firewall Firmware" on page 92 for instructions on upgrading firmware. At this point, you have successfully configured your two Firewalls as
  • 3Com 3CR16110-95-US | User Guide - Page 146
    146 CHAPTER 10: CONFIGURING HIGH AVAILABILITY Checking High Availability Status If a failure of the primary Firewall occurs, the backup Firewall will assume the primary Firewall's LAN and WAN IP Addresses. It is therefore not possible to determine which Firewall is active by logging into the LAN
  • 3Com 3CR16110-95-US | User Guide - Page 147
    Checking High Availability Status 147 If the backup Firewall has taken over for the primary, for example, in the event of a failure to the primary Firewall, the first line in the status window indicates that the backup Firewall is currently Active. Check the status of the backup Firewall by logging
  • 3Com 3CR16110-95-US | User Guide - Page 148
    148 CHAPTER 10: CONFIGURING HIGH AVAILABILITY Figure 62 Log Screen Showing Switchover of Firewall Forcing Transitions In some cases, it may be necessary to force a transition from one active Firewall to another - for example, to force the primary Firewall to become active again after a failure
  • 3Com 3CR16110-95-US | User Guide - Page 149
    Forcing Transitions 149 CAUTION: If the Preempt Mode checkbox has been checked for the primary Firewall, the primary unit will take over operation from the backup unit after the restart is complete.
  • 3Com 3CR16110-95-US | User Guide - Page 150
    150 CHAPTER 10: CONFIGURING HIGH AVAILABILITY
  • 3Com 3CR16110-95-US | User Guide - Page 151
    III ADMINISTRATION AND TROUBLESHOOTING Chapter 11 Administration and Advanced Operations Chapter 12 Troubleshooting Guide
  • 3Com 3CR16110-95-US | User Guide - Page 152
    152
  • 3Com 3CR16110-95-US | User Guide - Page 153
    and filtering by Keywords (see Chapter 8), access to these sites can be enabled or disabled. The 3Com Web Site Filter is provided as a 12-month subscription, and can be automatically updated weekly to ensure that the filter keeps pace with the ever-changing Internet. The Firewall comes with a one
  • 3Com 3CR16110-95-US | User Guide - Page 154
    For example: web sites for publications such as National Geographic or Smithsonian Magazine or sites hosted by museums such as the Guggenheim, the Louvre, or , lesbian or homosexual encounters. Also includes phone sex ads, dating services, adult personal ads, CD-ROMs and videos. I Gross Depictions:
  • 3Com 3CR16110-95-US | User Guide - Page 155
    Introducing the Web Site Filter 155 sexual orientation. Any picture or text that elevates one group over another. Also includes intolerant jokes or slurs. I Satanic/Cult: Satanic material is defined as: Pictures or text advocating devil worship, an affinity for evil, or wickedness. A cult is defined
  • 3Com 3CR16110-95-US | User Guide - Page 156
    subscription. To activate your annual subscription perform the following steps: 1 Using a Web browser, go to the Firewall registration page http://www.3com.com/ssfirewall/ 2 Click the Web Site Filter Registration link. 3 In the box labeled Serial Number, type the Internet Firewall's serial number
  • 3Com 3CR16110-95-US | User Guide - Page 157
    to the Internet, or from the Internet to the LAN? I List which IP services will be affected. I List which computers on the LAN will be affected. I Internet? For example, if IRC is blocked, are there users that require this service? I Is it possible to modify the rule to be more specific? For example
  • 3Com 3CR16110-95-US | User Guide - Page 158
    2 in the "Using Network Access Policy Rules" on page 157. b Service From the Service menu, select the IP protocol, as defined by item 4 in the " protocol is not listed, it is necessary to first define it in the Add Service window. c Source There are three parameters to configure for the Source item.
  • 3Com 3CR16110-95-US | User Guide - Page 159
    Using Network Access Policy Rules 159 When evaluating rules, the Firewall uses the following criteria: I A rule defining a specific service is more specific than the default rule. I A defined Ethernet link, such as LAN, WAN, or DMZ, is more specific than * (all). I A single IP address is more
  • 3Com 3CR16110-95-US | User Guide - Page 160
    the LAN to the WAN. Click the Restore Rules to Defaults button at the bottom of the Rules page to restore the default network access rules. A dialog box will display the message, "This will erase all settings you have made on the Services and Rules tab." Click OK and restart the Firewall for
  • 3Com 3CR16110-95-US | User Guide - Page 161
    , a service will need to be recreated to permit IKE negotiations. Protocols/Services to Filter Although the Firewall is shipped in a safe mode by default, the user are depressed. The RPC services, including NIS and NFS, can be used to steal system information such as passwords and read or write files
  • 3Com 3CR16110-95-US | User Guide - Page 162
    services such as TELNET or FTP are inherently risky, blocking access to these services password from the Firewall. If you want to reset your Firewall to factory default settings, and can access the Web interface of the Firewall successfully, 3Com recommends that you use the "Restore Factory Defaults
  • 3Com 3CR16110-95-US | User Guide - Page 163
    up and running again. The Firewall reverts to its default IP address of 192.168.1.254 after a complete reset, so you must reconfigure your chosen management station to an IP address in the same subnet to access the Web interface. To reload the firmware: 1 Type http://192.168.1.254 into the web
  • 3Com 3CR16110-95-US | User Guide - Page 164
    supports HTML uploads, otherwise you cannot upload the firmware. 2 In the box labeled Please select a firmware file, type in the full file and path name of the firmware the firmware at the default IP address of 192.168.1.254. The default user name is admin, and the default password is password. Once
  • 3Com 3CR16110-95-US | User Guide - Page 165
    issue, using the Direct Connection option to set the password for the first time may be advisable if this is a concern. Direct Connection To connect a management station directly to the firewall follow the instructions below. 1 Disconnect the management station from the local Ethernet
  • 3Com 3CR16110-95-US | User Guide - Page 166
    166 CHAPTER 11: ADMINISTRATION AND ADVANCED OPERATIONS
  • 3Com 3CR16110-95-US | User Guide - Page 167
    12 TROUBLESHOOTING GUIDE This chapter contains the following: I Introduction I Potential Problems and Solutions I Troubleshooting the Firewall VPN Client I Frequently Asked Questions about PPPoE Introduction The Firewall has been designed to help you detect and solve possible problems with its
  • 3Com 3CR16110-95-US | User Guide - Page 168
    168 CHAPTER 12: TROUBLESHOOTING GUIDE Power LED Flashes Continuously: If the Power LED continues to flash after 120 seconds, please contact Technical Support (see Appendix A for information about contacting Technical Support). Power and Alert LED: If the Power and Alert LEDs are both continuously
  • 3Com 3CR16110-95-US | User Guide - Page 169
    Problems and Solutions 169 I Remember that passwords following: I If NAT is enabled, make sure the default router address on the LAN Client is set to the Management to register the MAC address of the unit with your cable service provider before connecting the Internet Firewall to your network. You
  • 3Com 3CR16110-95-US | User Guide - Page 170
    TROUBLESHOOTING GUIDE Machines on the WAN Are Not Reachable: Make sure the Intranet settings in the Advanced section are correct. Troubleshooting misconfigured, or the Internet Service Provider for either the Firewall Client processor time, before the tunnel opens. This usually takes a few seconds
  • 3Com 3CR16110-95-US | User Guide - Page 171
    Troubleshooting the Firewall VPN Client 171 Restarting the Firewall with Active VPN drive for the desired security policy database file (*.spd) and click Open. Uninstall the VPN Client 1 To uninstall the Firewall VPN Client, open the Control Panel in the Windows Start menu. 2 Double click Add
  • 3Com 3CR16110-95-US | User Guide - Page 172
    172 CHAPTER 12: TROUBLESHOOTING GUIDE Frequently Asked Questions about PPPoE Why are ISPs using PPPoE in their broadband services? The theory is that PPPoE makes it easier for the end user of broadband services to connect to the Internet by simulating a Dial-up connection. The ISP realizes
  • 3Com 3CR16110-95-US | User Guide - Page 173
    IV FIREWALL AND NETWORKING CONCEPTS Chapter 13 Types of Attack and Firewall Defences Chapter 14 Networking Concepts
  • 3Com 3CR16110-95-US | User Guide - Page 174
    174
  • 3Com 3CR16110-95-US | User Guide - Page 175
    the worst case the attacker can learn enough about your company infrastructure and exploit its vulnerabilities to crash any server at will. Denial of Service attacks work by exploiting weaknesses in TCP/IP, exploiting weaknesses in your servers or by generating large amounts of traffic (brute force
  • 3Com 3CR16110-95-US | User Guide - Page 176
    your network by requesting new connections but not completing the process to open the connection. Once the buffer for these pending connections is full material, the defacing of a web site or the theft of passwords or discovery of network infrastructure that will enable further attacks. External
  • 3Com 3CR16110-95-US | User Guide - Page 177
    and can be used in a Denial of Service attack. Firewall Response: The Firewall will drop any blocked. I Ports not in use are blocked by default. Trojan Horse attacks that the firewall is capable of . Using an anti-virus tool and updating the firmware of your Firewall as soon as a new version
  • 3Com 3CR16110-95-US | User Guide - Page 178
    178 CHAPTER 13: TYPES OF ATTACK AND FIREWALL DEFENCES
  • 3Com 3CR16110-95-US | User Guide - Page 179
    Protocol (DHCP) I Port Numbers I Virtual Private Network Services Introduction to TCP/IP Protocols are rules that networking hardware data reliability as well as some other services, other protocols such as TCP can be added to provide these services. TCP stands for Transmission Control Protocol.
  • 3Com 3CR16110-95-US | User Guide - Page 180
    number in the set must be less than 255. There are three components that contribute to an IP address: I IP address itself I Subnet mask I Default gateway The following sections discuss each of these components in detail. IP Address Just as each household or business requires a unique phone number
  • 3Com 3CR16110-95-US | User Guide - Page 181
    mask of 255.0.0.0. Class B addresses use a subnet mask of 255.255.0.0, and Class C IP addresses use a subnet mask of 255.255.255.0. Default Gateway A default gateway is like a long distance operator - users can dial the operator to get assistance connecting to the end party. In complex networks with
  • 3Com 3CR16110-95-US | User Guide - Page 182
    fields that apply to a default gateway. Network Address Translation (NAT) Network Address Translation (NAT) is used to re-map all the addresses on a I You may wish to obtain a single-user account from your Internet Service Provider instead of a LAN account, since single user accounts tend to be
  • 3Com 3CR16110-95-US | User Guide - Page 183
    make it much easier to administer these machines, since individual hosts do not need to be configured one at a time. The Firewall's DHCP server also supports an older protocol called "BootP". The DHCP client is used in conjunction with Network Address Translation. The Firewall can use its DHCP client to
  • 3Com 3CR16110-95-US | User Guide - Page 184
    (IANA) http://www.iana.org and on most systems can only be used by system processes, or by programs executed by privileged users. Many popular services, such as Web, FTP, SMTP/POP3 e-mail, DNS and so forth operate in this range. The assigned ports use a small portion of the possible port
  • 3Com 3CR16110-95-US | User Guide - Page 185
    Private Network Services 185 I Basic Terms and Concepts Introduction to Virtual Private Networks Virtual Private Networks (VPN) provide an easy, affordable, and secure means for businesses to conduct operations and provide network connectivity to all offices and partners. Using 3Com's intuitive
  • 3Com 3CR16110-95-US | User Guide - Page 186
    186 CHAPTER 14: NETWORKING CONCEPTS I Linking two or more Private Networks Together VPN is the perfect way to connect branch offices and business partners to the primary business. Using VPN over the Internet, instead of leased site-site lines, offers significant cost savings and improved
  • 3Com 3CR16110-95-US | User Guide - Page 187
    Virtual Private Network Services 187 communications can range in length, but are typically 16 used to break encryption involve trying every possible combination of characters, similar to trying to open a safe when the combination is not known. I Asymmetric vs. Symmetric Cryptography Asymmetric and
  • 3Com 3CR16110-95-US | User Guide - Page 188
    f. I ARCFour ARCFour (ARC4) is used for communications with secure Web Sites using the SSL protocol. Many banks use a 40-bit key ARC4 for online banking while others use a 128-bit key. 3Com's implementation of ARCFour uses a 56-bit key. ARCFour is faster than DES for several reasons. First is that
  • 3Com 3CR16110-95-US | User Guide - Page 189
    Virtual Private Network Services 189 The SPI must be unique, is from one to eight characters long, and is comprised of hexadecimal characters. Valid hexadecimal characters are 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, a, b, c, d, e, f. The range
  • 3Com 3CR16110-95-US | User Guide - Page 190
    190 CHAPTER 14: NETWORKING CONCEPTS
  • 3Com 3CR16110-95-US | User Guide - Page 191
    V APPENDICES Appendix A Safety Information Appendix B Technical Specifications and Standards Appendix C Cable Specifications Appendix D Technical Support Index Regulatory Notices
  • 3Com 3CR16110-95-US | User Guide - Page 192
    192
  • 3Com 3CR16110-95-US | User Guide - Page 193
    A SAFETY INFORMATION WARNING: Please read the 'Important Safety Information' section before you start. CAUTION: Please read the 'Important Safety Information' section carefully before you switch on the unit. AVERTISSEMENT: Veuillez lire attentivement la section 'Consignes
  • 3Com 3CR16110-95-US | User Guide - Page 194
    194 APPENDIX A: SAFETY INFORMATION WARNING: There are no user-replaceable fuses or user-serviceable parts inside the unit. If you have a physical problem with the unit that cannot be solved with problem solving actions in this guide, contact your supplier. WARNING: Disconnect the power adapter
  • 3Com 3CR16110-95-US | User Guide - Page 195
    Importantes de Sécurité CAUTION: There are no user-replaceable or user-serviceable parts inside the unit. If you have a problem with the switch that cannot be solved with the troubleshooting in this guide, contact your supplier
  • 3Com 3CR16110-95-US | User Guide - Page 196
    problème physique avec le moyeu qui ne peut pas être résolu avec les actions de la résolution des problèmes dans ce guide, contacter votre fournisseur. WARNING: Disconnect the power adapter before removing this unit. WARNING: RJ-45 ports. Ceux-ci sont protégés par des
  • 3Com 3CR16110-95-US | User Guide - Page 197
    Number of Custom Rules: 64
    AC Line Frequency: 50-60Hz
    Current Rating (max): 3.15A
    Input Voltage: 90-264Vrms
    Operating Temperature: 0-50 °C (32-122 °F)
    Humidity: 10-95% (non-condensing)
    Electrical Interfaces: Three 10/100 BASE-T RJ45 Connectors
  • 3Com 3CR16110-95-US | User Guide - Page 198
    198 APPENDIX B: TECHNICAL SPECIFICATIONS AND STANDARDS Table 7 Technical Specifications of the Firewall
    Functional: ISO/IEC 8802-3, IEEE 802.3, ICSA Firewall Certification
    Safety: UL1950, EN 60950, CSA 22.2 #950, IEC 950
    EMC: EN55022 Class A, EN 50082-1, FCC Part 15 Class A, ICES-003 Class A, VCCI
  • 3Com 3CR16110-95-US | User Guide - Page 199
    C CABLE SPECIFICATIONS Cable Specifications The Firewall supports the following cable types and maximum lengths: I Category 5 cable. I Maximum cable length of 100 m (327.86 ft). Pinout Diagrams Figure 66 and Figure 67 below
  • 3Com 3CR16110-95-US | User Guide - Page 200
    200 APPENDIX C: CABLE SPECIFICATIONS Figure 68 and Figure 69 below show the pin connections when using a crossover Category 5 cable. It is not necessary to use a crossover cable with your Firewall as the Normal/Uplink switch beside each port serves the same purpose. Figure 68 Connecting the
  • 3Com 3CR16110-95-US | User Guide - Page 201
    is correct at time of publication. For the most recent information, 3Com recommends that you access the 3Com Corporation World Wide Web site. Online Technical Services 3Com offers worldwide product support 24 hours a day, 7 days a week, through the following online systems: I World Wide Web site
  • 3Com 3CR16110-95-US | User Guide - Page 202
    and MIBs across the Internet from the 3Com public FTP site. This service is available 24 hours a day, 7 days a week. To connect to the 3Com FTP site, enter the following information into your FTP client: I Hostname: ftp.3com.com I Username: anonymous I Password: You do
  • 3Com 3CR16110-95-US | User Guide - Page 203
    changes, if applicable Here is a list of worldwide technical telephone support numbers. These numbers are correct at the time of publication. Refer to the 3Com Web site for updated information. Country Telephone Number Country Asia, Pacific Rim Australia Hong Kong India Indonesia Japan Malaysia
  • 3Com 3CR16110-95-US | User Guide - Page 204
    repair, you must first obtain an authorization number. Products sent to 3Com without authorization numbers will be returned to the sender unopened, at the sender's expense. To obtain an authorization number, call or fax: Country Telephone Number Fax Number Asia, Pacific Rim + 65 543 6500 + 65
  • 3Com 3CR16110-95-US | User Guide - Page 205
    Country U.S.A. and Canada Telephone Number 1 800 NET 3Com (1 800 638 3266) Enterprise Customers: 1 800 876 3266 Returning Products for Repair 205 Fax Number 1 408 326 7120 (not toll-free)
  • 3Com 3CR16110-95-US | User Guide - Page 206
    206 APPENDIX D: TECHNICAL SUPPORT
  • 3Com 3CR16110-95-US | User Guide - Page 207
    icons, About This Guide 12 cookies 23, 69 current sample period 88 custom list 70 options 72 CyberNOT list 153 reviewers 153 D data collection, starting 87 default gateway 181 password 164 default IP address, Firewall 36 default policies diagram 32 deleting services 102 users 108 Demilitarised
  • 3Com 3CR16110-95-US | User Guide - Page 208
    default 181 glossary 13 I IANA 184 ICMP packets 81 installation inventory 27 positioning 28 rack mounting 28 Installation Wizard 35 automatic LAN settings 44 automatic WAN settings 39 configuring LAN settings 44 configuring WAN settings 39 manual WAN settings 40 setting password Service Provider
  • 3Com 3CR16110-95-US | User Guide - Page 209
    , 3Com 20 network supplier support 202 Network Time Protocol 14 networks, introduction 179 NNTP 14 notification of new firmware 93 NTP 14 O one-to-one NAT 119 online technical services 201 P packet inspection stateful 22 Packet LED 30 Packet Trace tool 65 password administrator's 164 default 164
  • 3Com 3CR16110-95-US | User Guide - Page 210
    restarting the SuperStack 3 Firewall 89 restoring configuration 90 factory defaults 92 restricting access Internet 23 to URLs 23 to web self-diagnostic tests 33, 164 services adding 101 deleting 102 setting admin password 53 clock 54 password using Installation Wizard 37 setting up technical support
  • 3Com 3CR16110-95-US | User Guide - Page 211
    Services 201 3Com URL 201 network suppliers 202 product repair 204 Technical Support Report 66 terminology 13 tests, self-diagnostics 33 The Learning Company 153 tools diagnostics 64 DNS Name Lookup 64 Packet Trace 65 Ping 65 top Web site hits 71 troubleshooting 92 uploading firmware 93 URL 201
  • 3Com 3CR16110-95-US | User Guide - Page 212
    212 INDEX
  • 3Com 3CR16110-95-US | User Guide - Page 213
    , if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. Operation of Commission helpful: How to Identify and Resolve Radio-TV Interference Problems This booklet is available from the U.S. Government Printing Office, Washington
  • 3Com 3CR16110-95-US | User Guide - Page 214