Manuale d’uso / di manutenzione del prodotto BiGuard 2 del fabbricante Billion Electric Company
Vai alla pagina of 170
BiGuard 10 iBusiness Security Gateway Small-Office BiGuard 2 iBusiness Security Gateway Home-Office User ’ s Manual V ersion Release 4.00 (FW:1.05).
2 BiGuard 2/10 User’s Manual (Updated June 1, 2006) Copyright Information © 2006 Billion Electric Corporation, Ltd. The contents of this publica tion may not be reproduced in whole or in part, transcribed, stored, tr anslated, or transmitted in an y form or any mea ns, without the prior written consent of Billio n Electr ic Co rporation.
3 Safety Warn ings Y o ur BiGuard 2/10 is built for reliability and long service life. For your safety , be sur e to rea d and fo llow the f ollowin g safety warnings . • Read this installation guide thoro ughly be fo re attempting to set up y our BiGuard 2/10.
4 Table of C ontents Chapter 1: Intr oduction 1.1 Overview 1.2 Product Highlights 1.2.1 Virtual Private Networ k Support 1.2.2 Advanced Firewall Se curity 1.2.3 Int elligent Bandwidt h Management 1.3 Package Contents 1.3.1 BiGuard 10 1.3.1. 1 Front Pane l 1.
5 Chapter 3: Getting Sta rted 3.1 Overview 3.2 Before You Begin 3.3 Connecting Your Router 3.4 Configuring PCs for TCP/IP Networking 3.4.1 Overview 3.4.2 Wind ows XP 3.4.2.1 Configu ring 3.4.2.2 Verifying Settings 3.4.3 Wind ows 2000 3.4.3.1 Configu ring 3.
6 Chapter 4: Router Configuration 4.1 Overview 4.2 Status 4.2.1 ARP Table 4.2.2 Routing Table 4.2.3 Session Table 4.2.4 DHCP Table 4.2.5 IPSec Status 4.2.6 PPTP Status 4.2.7 System Log 4.2.8 IPSec Log 4.3 Quick Start 4.3.1 DHCP 4.3.2 Stat ic IP 4.3.3 PPPoE 4.
7 4.4.3. 7 System Log Server 4.4.3. 8 E-mail Alert 4.4.4 Firewall 4.4.4. 1 Packet Filter 4.4.4. 2 URL Filter 4.4.4. 3 LAN MAC Filte r 4.4.4. 4 Block WAN Req uest 4.4.4. 5 Intrusio n Detect ion 4.4.5 VPN 4.4.5. 1 IPSe c 4.4.5.1.1 IPSec Wizard 4.4.5.1.2 IPSec Policy 4.
8 5.2.3.2 Javascr ipts 5.2.3.3 Java Permission s 5.3 WAN Interface 5.3.1 Can’t Get WAN IP Address fr om the ISP 5.4 ISP Connection 5.5 P roblems with Date an d Time 5.6 Restoring Facto ry Defaults Appendix A: Produc t Specifications A.1 BiGuard 10 Product Specifications A.
9 Appendix E: Virtua l Private Netw orking E.1 What is a VPN? E.1.1 VPN Applications E.2 What is IPSec? E.2.1 IPSec Security Co mponents E.2.1.1 Authentication Hea der (AH) E.2.1.2 Encapsulating Securi ty Payload (ESP) E.2.1.3 Security Associations (SA) E.
10 Chapter 1: Intr oduction 1.1 Overview Congratulations on purchasing BiGuard 2/10 Router from Billion. Combining a router with an Ethernet network switch, BiGua rd 2/10 is a state-of -the-art device that provides ev erything y ou need to get your network connected to the Internet over your Cable or DSL connection quickly and easily .
11 1.2.3 Intelligent Bandwidth Manage ment BiGuard 2/10 u tilizes Quality of Service (QoS) to give you full control over the priority of both incoming and outgoing d ata, ensuring that critica l data such as customer informat ion moves thr ough your net work, even while under a heav y load.
12 Link/ACT: Lit when device is connected. Blinking when data is transmitting/receiving. LAN 1 – 8 Lit when connected to an Ethernet device. 10/100M : Lit green when connected at 100Mbps. Not lit when connected at 10Mbps. Link/ACT: Lit when device is connected.
13 1.3.1.3 Rack Mounting T o rack mount BiGuard 10, caref ully secure the device to your r ack on both sides using the included brack ets and screws. Se e the diagr am below for a m ore detailed explan ation. 1.3.1.4 Cabling Most Ethernet networks currently use unsh ielded twisted pair (UTP) cabling.
14 4 3 2 1 1.3.2.1 Front Panel LED Function POWER A solid l ight indica tes a stea dy connec tion to a power s ource. STATUS A blinking light indic ates the devi ce is writing to flash memory. WAN Lit when connected to an Ethernet device. 10/100M : Lit green when connected at 100Mbps.
15 Port Meaning 1 RESET After the device is powered on, press it to reset the device or restore to factory default settings. 0-3 seconds: The Status LED w ill light 6 seconds above: resto re to factory default settings (this is used when you cannot login to the router .
16 Chapter 2: Router Applications 2.1 Overview Y o ur BiGuar d 2/10 R outer is a versa tile device that can be configured to not o nly protect your network from malicious attackers, but also ensure optimal usage of available bandwidth with Quality of Servic e (QoS).
17 2.2.2 Q oS Policie s for Differ ent Applicatio ns By setting different QoS policies accordin g to the applicati ons yo u are r unning, you can use BiGuard 2 /10 to optimize the bandwidth tha t is being used on y our network.
18 As illustrated in the diagram above, applicat ions such as V o iceover IP (V oIP) require low network latencies to fu nction properly . If bandwidth is being used by other applications such as an FTP server , user s using V oIP will experience network lag and/or service interr uptions during use.
19 2.2.4 Policy Ba se d Traffic Shaping Policy Based T raffic Shaping allows you to apply specific traffic policies across a range of IP addresses or ports. This is particularly useful for a ssigning different policies for diff erent PCs o n the network .
20 2.2.6 Management by IP or MAC address BiGuard 2/10 can also be configured to appl y traffic policies based on a particular IP or MAC address. This allows you t o quickly assign different traffic policies to a specific computer on the network.
21 2.2.7 DiffServ (DSCP Marking) DiffServ (a.k.a. DSCP Marking) allows y o u to classify tr affic based on IP DSCP v alues. Thes e markin gs can be used to identify traffic w ithin the netw ork. O ther inte rface s can ma tch traffic based o n the DSCP mark ings.
22 secure tunnel. The next t ype of VPN setup is the Gateway to Mu ltiple G ateway setup, where one gateway (Headquarter) is communicat ing with multiple gateways (Br anch Offices) over the Int ernet. As wit h all VPNs, data is ke pt secure with secure t unnels.
23 Concentrat or: Please refer to appendix H for example settings. 100.100.100. 1 200.200.200. 1 192.168.2.x 192.168.3.x 201.201.201. 1 192.168.4.x Local ID T ype: Subnet Local subnet: 0.0. 0.0 Local mask: 0. 0.0.0 Remote ID T ype: Subn et Remote subnet: 1 92.
24 Chapter 3: Getting Sta rted 3.1 Overview BiGuard 2/10 is designed to be a powerful and fl exible network device that is also easy to use. With an intuitive web-based configuration, BiG uard 2/10 al.
25 Be sure to als o review th e Saf ety W a r n ing s located in th e prefa c e o f th is manu a l before working with your BiGuard 2/10. 3.3 Connecting Your Router Connecting BiGuard 2/10 is an easy three-step process: 1. Connect BiGua rd 2/10 to y our LAN by connecti ng Ethernet cabl es from your networked PCs to the L AN ports on the router .
26 3.4 Configuring PCs for TCP/IP Networking Now that your BiGuard 2/10 is conne cted properly to your ne twork, it’s t ime to configure y our network ed PCs for TCP / IP networking. In or der fo r your ne tworked PCs to comm unicate wi th your router , th ey mus t have the following characteristi cs: 1.
27 - Mac OS 7 and later - All versions of UNIX/Linux If you are using Windows 3.1, you must purc hase a third-party TCP/IP application package. Any T CP/IP capable wor k station can be used to communicate wi th or through the BiGuard 2/10. T o configure other types of workstations, please consult the manufacturer’ s documentation.
28 3. Select Internet Protocol (TCP/IP) an d click Properties . 4a. T o have your PC obtain an IP address automati cally , select the Obtain an IP address automatically and Obtai n DNS server address automat i cally ra di o buttons.
29 4b. T o manually assign y o ur PC a fixed IP address, select the Use the following IP address radio b utton and enter y our desired IP address, s ubnet mask, and default gateway in the blanks provided. Remember t hat your PC must reside in the same subnet mask as the router .
30 3.4.2.2 Verify ing Settings T o verify your settings using a command prompt: 1. Click Start > Programs > Accessories > Command Prompt . 2. In the Command Prompt wind ow, type i pconfig and then press ENTER . If you are using BiGuard 2/10’ s default setting s, your PC should have: - An IP addr ess between 192.
31 T o verify your setti ngs using the Windows XP GUI: 1. Click Start > Settings > Netw ork Connections . 2. Right click on e of the netw ork connectio ns listed and select Status from the pop-up menu.
32 3. Click the Support tab. If you are using BiGuard 2/10’ s default setting s, your PC should: - Have an IP address b etween 192.168.1.1 and 192.168.
33 3.4.3 Wind ows 20 00 3.4.3.1 Config uring 1. Select Start > Settings > Control Panel . 2. In the Control Panel window, double-click Netwo rk and Dial- up Conn ecti ons .
34 3. In Network and Dial-u p Connections, dou ble-click Local Area Connec ti on . 4. In the Local Area Conne ction window , click Properties ..
35 5. Select Internet Protocol (TCP/IP) and click Pro perti es . 6a. T o have your PC obtain an IP address automati cally , select the Obtain an IP address automatically and Obtai n DNS server address automat i cally ra di o buttons.
36 6b. T o manually assign your PC a fixe d IP address, select the Use the following IP address radio b utton and enter y our desired IP address, s ubnet mask, and default gateway in the blanks provided. Remember t hat your PC must reside in the same subnet mask as the router .
37 2. In the Command Prompt wind ow, type i pconfig and then press ENTER . If you are using BiGuard 2/10’ s default setting s, your PC should have: - An IP address between 192.168.1.1 and 192 .168.1.253 - A subnet mask of 255.255.255.0 3.4.4 Wi ndows 98 / Me 3.
38 1. On the Windows taskbar , select Start > Settings > Control Panel . 2. Double- click the Network icon. The Netwo rk window displays a list of installed components.
39 Y o u must have the f ollowing ins talled: - An Ethernet adapter - TCP/IP protocol - Client for Microsoft Networks If you need t o install a new Ethernet adapter , follow these steps: a.
40 b. S ele ct Adapter , then Add . c. Select the manufacturer a nd model of your Ethernet adapter , then click OK . If you need TCP/IP: a. Click Add .
41 b. S ele ct Protocol , then click Add . c. Select Microsoft . Æ TCP/IP , then OK . If you need Cl ient for Microsoft Net works: a. Click Add ..
42 b. S ele ct Cli ent , then click Add . c. Select Microsoft . Æ Client for Microsoft Networks , and then click OK . 3. Resta rt your PC to apply y our changes.
43 2. In the Con tro l Panel, do uble -clic k Network and choos e the Configuration tab..
44 3. Select the name of y our PC’ s TCP/IP Network Interface Card (NIC) and click Properties . TCP/IP > ASUST eK is illustr ated in the example below . 4. Select the IP Address tab and click the Obtain an IP ad dress autom atically radio butt on.
45 5. Select the DNS Con figurat ion tab and select the Disable DNS r adio button. 6. Click OK to appl y the co nfiguration..
46 3.4.4.3 Verify ing Settings T o check the TCP /IP configur ation, use the winipcfg.ex e utilit y: 1. Select Start > Run . 2. T y pe winipcf g , and then cl ick OK .
47 3. From the drop-down box, select your Ethernet adapter . The window is updated to show your settings. Us ing th e defau lt BiGua rd 2/1 0 settings, your PC shoul d have: - An IP addr ess between 192.168.1.1 and 192.168.1.253 - A subnet mask of 255.
48 IP Address: 192.168.1.254 Subnet Mask: 255.255.255.0 ISP setting in WAN site: Obtain an IP Address automatical ly (DHCP Client) DHCP server: DHCP server is enabled.
49 3.6 Information From Your ISP 3.6.1 Protocols Before config uring this de vice, you ha ve to check with y o ur ISP (Internet Service Provider) to find out what kind of service is provided such as DHCP , Static IP , PPPoE, or PPTP .
50 Depending on your ISP , a host name and domain suffix may also be provided. If any of these items are dynamically supplied by the ISP , your BiGuard 2/10 will automatically acquire them.
51 3. In the Network Connections window , right-click Local Area Co nnection and select Properties . 4. Select Internet Protocol (TCP/IP) an d click Properties .
52 5. If an IP address , subnet mask and a Default gateway are shown, write down the information. If no address is present, y o ur account’ s IP address is dynamically assigned. Cl ick t he Obt ain an IP a ddr ess aut omat icall y radio bu tto n. 6.
53 7. Click OK to save your changes. 3.7 Web Configuration Interface BiGuard 2/10 i ncludes a W eb Configurati o n Interface for ea sy administr ation via virtually an y browser on y our network. T o access this interface, open your web browser , enter the IP address of your r outer , which by default is 192.
54 If the W eb Configurati on Interface appears, co ngratulations! Y ou are now ready to configure your B iGuard 2/10. If yo u are having troubl e accessing the inter face, please refer to Chapter 5: Tr oubleshooting for possible resolutions.
55 Chapter 4: Router Configuration 4.1 Overview The W eb Configur ation Interface make s it easy for you to manage y our network via any PC connected to it. On the W eb Configuration homepage, you will see the navigation pa ne located on the left hand side.
56 restricted to only one PC accessing the we b configur at ion in terface a t a t ime. Once a PC has logged into the web interface, other PCs cannot gain access until the current PC has logged out. If the previous PC forgets to logout, the second PC ca n access the page after a user-defined period (5 minutes by default).
57 address of your PC’ s network interface to use with the router’s Firew all – MAC Address Filter function. See the Firewall section of this chapter for more information on this feature. No.: Numb er of th e list. IP Address: A list of IP addresses of devices on your LAN.
58 No.: Numb er of th e list. Destination: Th e IP address of the destinatio n network. Netmask: The dest ination n etmask address. Gateway/ Interf ace: Th e IP add ress of t he gate way or exis ting in terfac e that th is route will use. Cost: The number of hops counted as the cost of the route.
59 Last: T o the last page. Jump to the session: please input the session number you would like to see and press “GO” 4.2.4 DHCP Tab le The DHCP T able displays a list of IP addre sses that ha ve been assigned to PCs on your net work via Dynami c Host Configurati on Protocol (DHCP).
60 Enable: Whether th e IPSec connection is currently Enable or Disable. Status: Whether the IPSec is Active, Inactive or Disable. Local Subnet: The local IP address or subnet used. Rem ote Subnet: The subnet of the remote site. Remote Gat eway: The r emote gateway IP addr ess.
61 Re fresh: Refresh the S ystem Log. Clear Log: Clear the System Log. Send Log: Send the Sy stem Log to yo ur emai l account. Y ou can set the email address in Configuration > Syst em > Email Alert . See the Email Alert section for more details.
62 details. Save Log: Save the IPSec log t o a text file. Please refer to Appendix F: IPSec Log Events for more information on log events. 4.3 Quick Start The Quick Start menu allows you to qu ickly configure you r network for Int ernet access using the most basic settings.
63 IP assigned by your ISP: Enter the assigned IP address from yo ur IP . IP Subnet Mask: Enter your IP sub net mask. ISP Gateway Address: Enter your ISP gatew ay address. Primary DNS: Enter your primary DNS. Secondary DNS: Enter yo ur secondary DNS .
64 4.3.4 PPTP Username: Enter your user name. Password : Enter your password. Re type Pas sword: Re type your pas sword. PPTP Clie nt IP: Enter the PPTP Client IP pro vided by yo ur ISP . PPTP Client IP Netmask: Enter th e PPTP Client IP Net mask provided by your ISP .
65 Username: Enter your user name. Password : Enter your password. Re type Pas sword: Re type your pas sword. Login Server: Enter the IP of the Lo gin server provided by your ISP . Click Apply to save y our changes. T o reset to defaults, click Reset .
66 4.4.1 LAN There are two items wi thin this section: Ethernet , DHCP Ser ver and LAN Address Mapping. 4.4.1.1 Ethernet IP Address: Enter the internal LAN IP address for BiGuard 2/10 (192.168.1.254 by default). Subnet Mask: Enter the subnet ma sk (255.
67 T o disable the router’s DHCP Serve r , select the Disable radio button, a nd then click Apply . When the DHCP Server is disabled, yo u will need to manual ly assign a fix ed IP ad dr es s to ea ch PC on you r n etw or k, and set the default gatew ay for each PC to the IP address of the router (192.
68 reserved IP . Candidates: Y ou can also select the Candidates which are referred from the ARP table for automatic input. Click the Apply button to add the configur ation into the Host T able. Press the Delete button to delete a configuration from the Host T able.
69 Name: Please input the name of the rule. IP Address: Please input the LAN Gate way I P Address you woul d like to use. Netmask: Please input the Netmask you would like to use. WAN IP Add ress: Please click Candidates to select the W AN IP address you would like to use from WAN Alias list.
70 4.4.2.1 WAN Connection Meth od: Select how your router will connect t o the Internet. Selection s include Obtain an IP Address Automatically , Static IP Settings , PPPoE Settings , PPTP Settings , an d Big Pond Settings . F or each WAN port, the factory default is DHCP .
71 RIP: T o activate RIP , select Send , Recei ve , or Both from the drop do wn menu. T o disable RIP , select Disable from the drop down menu. MTU: Enter the Max imum T ransmission Unit (MT U) for your network . Click Apply to save y our changes. T o reset to defaults, click Reset .
72 4.4.2.1.3 PPPoE Username: Enter your user name. Password : Enter your password. Re type Pas sword: Re type your pas sword. Connection: Select w hethe r the connection should Always Con nect or Trigger on Demand .
73 MTU: Enter the Max imum T ransmission Unit (MT U) for your network . Click Apply to save y our changes. T o reset to defaults, click Reset . 4.4.2.1.4 PPTP Username: Enter your user name. Password : Enter your password. Re type Pas sword: Re type your pas sword.
74 MAC Address: If your ISP requ ires you to inp ut a WAN Ethern et MAC, check the checkbox and enter your MA C address in the blanks below . Candidates: Y ou can also select the MAC address from the list in t he Candidates. DNS: If your ISP requires you to manu ally setup DNS settings, check the checkbox and enter your primary and secondary DNS .
75 Click Apply to save y our changes. T o reset to defaults, click Reset . A simpler alternative is to select Quic k Star t from the main menu. Please see the Quick Start section of this chap te r for more information. 4.4.2.2 Bandwidt h Settings Under Bandwidth Settings, you can easily configure bot h inbound and outbound bandwidth.
76 Please click Create to create a LAN Address Mapping rule. Name: Please input the name of the rule. IP Address: Please input the additional W AN IP address you would like to use. Click the Apply button to add the configur ation into the W AN IP Alias.
77 4.4.3.1 Time Zone BiGuard 2/10 does not use an onboard real time clock; instead, it uses the Network Time Protocol (NTP) to acquire the current time from an NTP server outsi de your network. Simply choose you r local time zone , enter NTP Server IP Addr ess, and click Apply .
78 Time, please check the Automatic checkbox. Re sync Pe riod: Please input the resy nc circle of time zon e update. Click Apply to apply the ru le, Clic k Cancel to discard the changes. 4.4.3.2 Remote Access T o allow remote users to configure and manage BiGuard 2/10 thro ugh the Internet, select the Enable r adio button.
79 Allow Re mote Access By: Everyone: Please check if you allow any IP addresses for the remote us er to access. Only the PC: Please specify the IP A ddress that is allowed to access. PC from the subnet: Please specify th e subnet that is allowed t o access.
80 Upgrading y our BiGuard 2/10’ s firmware is a quick and easy way to enjo y increased functionality , bett er reliability , and ensure trouble-f ree operation. T o upgrade your firmware, simpl y visit Billion’ s website ( http://www.billion.com ) and down load the latest firmware image file f or BiGuard 2/10.
81 select a file from yo ur PC to restore. Be su re to only restore setting fi les that hav e been genera ted by the Backup function, a n d that were created when using the same firmware version. Setting s files saved to your PC should not be manually edited in any way .
82 In order to prevent unauth orized access to your router ’ s con figuration interface, it requires the admini strator to lo gin with a pass word. Y ou can change y our password by entering your new password in both fields. Click Apply to sa ve your changes.
83 This function allows BiGu ard 2/10 to send sy stem logs to an external S yslog Server . Syslog is an industry -standard protocol used to capture inf ormation about network activity . T o enable this functi on, select the En able r adio button and enter your Syslog server IP addres s in the Log Server IP Ad dress field.
84 Select Enable to activ ate SMTP server l ogin function, disa ble to deactivate. Username: Input the SMTP server’ s username. Password : Input the SMTP serv er’s password. Alert via Email when: Select the frequency of each email update. Choose one of the five options: Immediately: The router will send an alert immediately .
85 The Pack et Filter function is used to limit user access to ce rtain sites on the Internet or LAN. The Filt er T able displays all curren t filter rules. If th ere is an entry in the Filter T able, you can click Edit to modify the setting of this entry , or click Delete to remove this entry , or cli ck Move to change this entry’ s priority .
86 rules prevent unauthorized computers or a pplications accessing the Internet. Select if the new filter ru le is incoming or outgoing . Source IP: Select Any , Subnet , IP Range or Single Address . Starting IP Address: Enter the source IP or star ting source IP address this filter rule is to be applied.
87 The URL Filter is a powerful t ool that can be used to limit access to certain URLs on the Internet. Y ou can block we b site s based on keywords or even block out an entire domain. Certain web features ca n also be blocked to grant added sec urity to your network.
88 checkbox. T o edit the list of f iltered domains, click Details . Enter a domain and select ed whether this domain is t rusted or forbidden with the pull-down menu . Next, click Apply . Y our new domain will be added to either the T rusted Domain or Fo rbidden Domain li s ting, depending on which yo u selected previously .
89 Enter a name for the IP Address and then enter the I P address itself . Click Apply to save your changes. The IP address will be ent ered into the Exception List, an d excluded from the URL f iltering rules in effect. 4.4.4.3 LAN MAC F ilter LAN Mac Filter can decide that BiGuard will serve those devices at LAN side or not by MAC Address.
90 Rule: Enable or disable this ent ry . Action When Matched: Select to Drop or For ward the packet specified in this filt er entry . MAC Address: The MAC Address you would like to apply . Candidates: Y ou can also sele ct the Candidat es which are referred from the AR P table for automatic input.
91 4.4.4.5 Intrusion Detection Intrusion Detection can prevent most common DoS attacks from the Internet or from LAN users. Intrusion Detection: Enable or disable this function. Intrusion Log: All the detected and dropped attacks will be shown in the system log.
92 Connection Name: A user-defin ed name for the connection. Pre-shared K ey: This is for the Internet K ey Exchange (IKE) protocol. IKE is used to establish a shared security po licy and aut henticated keys for services (such as IPSec) that require a key .
93 Re mote Secure Gateway Address ( or Host Name): The IP address or hostname of the remote VPN device that i s connected and establishes a VPN t unnel. Re mote Network: The subnet of the remote network. Allows yo u to enter an IP address and netmask.
94 Re mote Secure Gateway Address ( or Hostna me): T he IP address or hostname of the remote VPN device that is connected and establishes a VPN tunnel.
95 (5)LAN to Host (F or BiGuard VPN Client only): Bi Guard would lik e to establish an IPSec VPN tunnel w ith BiGuard VPN Client software C01 by using aggressive mode. VPN Client IP Address: The VPN C lient Address for BiGuard VPN Client, t his value will be apply on both remote ID and remote Network as single address.
96 After your confi guratio n is done, you will see a Con figuration Summary . Back: Back to the Previous page. Done: Click Done to apply the rule. 4.4.
97 Connection Name: A user-defin ed name for the connection. T unn el: Select Enable to activa te this tunnel. Select Disable to deactiv ate this tunnel. Local: This section configures t he local host. ID: This is the ident ity type of th e local router or host.
98 VPN.COM is the domain na me. When you enter th e FQDN of the local host, the router will aut omatically seek the IP address of the FQDN . FQUN E-Mail(Fu lly Qualified User Name): Consists of a username and its domain name. For example, user@vpn.com is a F QUN.
99 degrees of security and speed of negotiation: Main Mode: Uses the automated Inte rnet K ey Exchange (IKE) setup; m ost secure method with the hi ghest level of security . Aggressive Mode: Uses the automate d Internet K ey Exchange (IKE) setup; mid-level security .
100 K ey Life Time: Allows you to specify the timer interval for renegotiation of another key . The value is in second s e.g. 3600 seconds = 1 hour . Netbios Broadcast: Allows BiGuard to send local Netbios Broadcast packet throug h the IPSec T unnel, please select Enable or Disabl e .
101 PPTP function: Select Enable to activ ate PPTP Server . Disable to deacti vate PPT P Server function. Auth. T ype: The authentication t ype, Pap or Chap, PaP, Chap. Data Encryption: Select Enable or Dis able the Data Encrypti on. Encryption K ey Length: Auto , 40 bits or 128 bits .
102 Connection Name: A user-defin ed name for the connection. T unn el: Select Enable to activa te this tunnel. Select Disable to deactiv ate this tunnel. Username: Please input the userna me for this account. Password : Please input the password for this account.
103 The first menu screen gives you an overview of which WAN ports currently have QoS active, and the bandwidth settings for each. W AN Outbound: QoS Function: QoS status for WAN outbound. Select Enable to activ ate QoS for WAN’ s outgoing traffic. Select Disable to deacti vate.
104 Next, click Create to open the QoS Rule Conf iguration window . Application: User defined applicati on name for the current rule. Pack et T ype: The type of packet this rule applies to . Choose from Any , TCP , UDP , or ICMP . Guaranteed: The guar an teed amount of bandw idth for this rule as a percentage.
105 Bandwidth per source IP Address: Please select Bandwidth per s ource IP Address if you would like the speci f ied bandwidth to be a pplied individually per source IP address in specified IP r ange. Fo r IP Address (default)… Source IP Address Ra nge: The ra nge of source IP Addresses this r ule applies to.
106 application program (usually a server) incoming connections shou ld be delivered to. Some ports have numbers that are pre-assi gned to them by th e Internet Assigne d Numbers Authority (IANA), and these are re ferred to as "well-kn own ports".
107 Enable DMZ fu nction: Enable: Activ ates your router’ s DMZ function. Disable: Default setting . Disables the DMZ fun ction. DMZ IP Address: Give a static IP address to the DMZ Host when the Enable ra d io button is selected. Be aware t his IP will be exposed to the WAN/Internet.
108 Click Create to add a new port forwarding ru le. There are two port forwarding modes: Port Range Mapp ing and Port Redirection . This function allows any incomin g data addressed to a range of service port numbers (from the Inte rnet/W AN P ort) to be re-di rected to a particular LAN private/internal IP address.
109 Internal IP Address: Enter the LAN server /host IP address that the service request from the Intern et will be sent to. Candidates: Y ou can also select the Candidates which are referred from the ARP table for automatic input. N O TE: Y ou need to give your LAN server/host a stat ic IP address for the Virtual Server to work properly .
11 0 (subnet). The routing t able stores the routing informat ion so the router kn ows where to redirect the IP packets. Click on Static Route and then click Create to add a routing table. Rule: Sele ct Enable to activ ate this rule, Di sable to deactiv ate this rule.
111 Click Apply to save your c hanges. 4.4.8.2 Dynamic DNS The Dynamic DNS f unction allows y ou to alias a dynamic IP address to a static hostname, allowing users whose ISP does not assign them a static IP address to use a domain name.
11 2 Enable: Check to enable the Dynamic DN S function. The f ollowing fields w ill be activated and required: Dynamic DNS Server: Select the DDNS service you have established an account with. Wildcard: Select this check box to enable the DYNDNS Wildca rd.
11 3 Management IP Address: Y ou may specify an IP address allowed to logon a nd access the router’ s web server . Setting the IP a ddress to 0.0.0.0 will disable IP address restrictions, allo wing users to login from an y IP address. Expire to auto-logout: S pecify a time fr ame for the system to auto-l ogout the user’ s configuration session.
11 4 IGMP Snooping: Please select enabl e or disable IGMP Snoopi ng function. IGMP Proxy: Please select enable or disable the IGMP Pro xy function. Click Apply to apply this f unc tion, and please note that th e setting wi ll become effective after y ou save to flash and restart the router .
11 5 VLAN Name: Please input VLAN na me of this rule. VLAN ID: Please input VLAN ID that will be used for T agged member port(s ). T agged Member port(s): Please check the interface that you would like to use in this VLAN ID group . Untagged Member port(s): Plea se check the interf ace that you would like to use in this VLAN ID group.
11 6 your config urati on settings before you logout. Be aware that the router is restricted to only one PC accessing the web configur ation interface at a time. Once a PC has logged into the web interfac e, other PCs cannot gain access until the curren t PC has logged out.
11 7 Chapter 5: Troubleshooting 5.1 Basic Functionality This section deals with issues regardin g your BiGuard 2/10’ s basic functions. 5.1.1 Ro uter Won’ t Turn On If the Po wer and other LEDs fa.
11 8 - Make sure each Ethernet cable connection is secure at the firewall and at the hub or workstation. - Make sure that power is tur ned on to the con nected hub or workstati on.
11 9 - Check the 10/100 LAN LEDs on BiGuard 2/10’ s front panel. One of these LEDs should be on. If th ey are both off , ch eck the cables between BiGuard 2/10 and the hub or PC. - Check the correspondi ng LAN LEDs on yo ur PC’ s Ethernet device are on.
120 3. Make sur e that the Delete All O ffline Content checkbox is check ed, and click OK . 4. Click OK under Internet Options to close the dialogue. - In Windows, type ar p –d at the command pr ompt to clear you computer’ s ARP table.
121 5.2.3.1 Pop-up Windows T o use the W eb Configuration Interface, y ou need to disable pop-up blocking. Y ou can either di sable pop-up blocking, which i s enabled by de fault in Wi ndows XP Service P ack 2, or create an exce ption for your BiGuard 2/10’ s IP address.
122 3. Enter the IP address of your r outer . 4. Click Add to add the IP address to the list of Allowed sites . 5. Click Close to return to the Pri vacy tab of the Internet Options dialog ue.
123 3. Under Scripting , check to se e if Active script ing is set to Enable . 4. Ensure that Scripting of Java applets is set to Enable . 5. Click OK to clo se th e dialo gue. 5.2.3.3 Java Permissions The following J av a Permissions should also be given fo r the W eb Conf iguration Interf ace to disp lay properly: 1.
124 5.3 WAN Interface If you are having problems with the W AN Interface, refer to the tips below . 5.3.1 Ca n’t Get WAN IP Ad dress from the ISP If the W AN IP address cannot be obtained from the ISP: - If you are us ing PPPoE or PPTP , you will need a user name and password.
125 2. Access the W eb Configura tion Interface by entering your route r’s IP address (default is 192.168.1.254). 3. The WAN IP Status is displayed on the first page.
126 account as y our PC’ s host name on the router . - Y our ISP m ay check for your PCs MAC address. Either inform yo ur ISP that you have purchased a ne w network device and ask them to use your r outer’s MAC address, or config ure your rout er to spoof you r PC’ s MAC address.
127 Appendix A: Produc t Specifications A.1 BiGuard 10 Product Specifications Virtu al Priva te Ne twork - IPSec VPN, supports up to 10 IPSec tunnel s - IPSec VPN performance is up to 20 Mbps - PPTP V.
128 - Intrusion detecti on Conte nt Filteri ng - URL Filter settings prevent user access to certain sites on the Intern et - Java Apple t/Active X/Cookie Blocking Quality of Servi ce Control - Support.
129 Physical Specificatio ns Dimensions: 18.98" x 6.54" x 1.77" (482mm x 1 66 mm x 45mm, with Br acket) 9.84" x 6.54" x 1.38" (250mm x 166 mm x 35mm, non Brack et) Power .
130 A.2 BiGuard 2 P roduct Specifications Virtu al Priva te Ne twork - IPSec VPN, supports up to 2 IPSec tunnel s - IPSec VPN performance is up to 4 Mbps - PPTP VPN, support up to 4 PPTP tunnels - PPT.
131 Firewall - Stateful P acket Inspection (SPI) and Denial of Service (DoS) preve ntion - P acket filter un-permitted inbound (WA N)/Inbound (LAN) Internet access by IP addre ss, port number and pack.
132 Physical Interface Ethernet W AN 1 ports (10/100 Base- T) , support Auto- Cross over (MDI/MDIX) Ethernet LAN 8 ports (10/100 Base- T) switch, support Auto- Crossover (MDI/MDIX) Physical Specificatio ns Dimensions: 10.
133 Appendix B: Custome r Support Most problems can be solved by referring to the T roubleshoot ing s ection in the User’ s Manual. If y ou cannot resolv e the problem with the T rou bleshooting chap ter , please contact the dealer where you pur chased this product.
134 Appendix C: FCC Inte rference Statement This device complies with Part 15 of FCC rules. Oper ation is subj ect to the following two conditio ns: - This device ma y no t cause har mful interference. - This device must accept an y interference received, including interference that may cause undesired oper ations.
135 Appendix D: Network, R outing, an d Firewa ll Basics D.1 Network Basics D.1.1 IP Addresses With the number of TCP/IP networks interconne cted across the globe, ensuring that transmitted data reache s the correct destination requires each computer on the Internet has a uniqu e identifier .
136 192.168.234.245/24, which means that the net mask is 24 ones followed by 8 zeros. (11111111 11111111 11111111 000 00000). D.1.1.2 Subnet Addressing Subn et address ing enables the spli t of one IP network address into multiple physical networks.
137 D.1.2 Network Address Translat ion ( NAT) T raditionally , multiple PCs that needed simu ltaneous Internet access also required a range of IP addresses from the Internet Se rv ice Provider (ISP). Not only was th is method very costly , but the number of a vailable IP addresses for PCs is limited.
138 connected to at least two networks. Usually , this is a LAN and a WAN that is connected to an ISP network. R outers are located at gatew ays, the places where two or more net works connect.
139 firewall adds features t hat deal with outside Internet intrusion and attacks. When an attack or intrusion is detected, the firewa ll can be configured to log the in trusion attemp t, and c an also notify th e admin istrato r of the in cident. With this informatio n, the administrator can work with the ISP to take action agai nst the hacker .
140 Appendix E: Virtua l Private Netw orking E.1 What is a VPN? A Virtual Privat e Network (VPN) is a sh ared network where pr ivate data is segmented from other tr affic so that only the intended recipient has access. It allows org anizations to securely transmit data over a public medium like the Internet.
141 Internet Protocol Securit y (IPSec) is a set of protocols and algorithms that provide data authentication, integrity , and confiden tialit y as data is transferr ed across IP networks. IPSec provides data se curity at the IP packet level, and protects against possible security risks by protecting data.
142 A typical AH packet looks like this: E.2.1.2 Encapsulating Se curity Payload (ESP) Encapsulating Security P ayload (ESP) provid es privacy f or data through encrypt ion. An encryption algorithm combines the da ta with a key to encrypt it. It then repackages the data using a special format , and tr ansmits it to the destination.
143 like this: E.2.1.3 Security Associations (SA) Security Associations are a one- way relationships bet ween sender and receiver that specify IPSec-related par ameters.
144 Tr a n s p o r t M o d e : - This mode is used to provide data se curity be tween t wo netw orks . It provid es protection for the entire IP pack et and is sent by adding an out er IP header corresponding to the two tunnel end-points.
145 E.2.5 Internet Key Exc hange (IKE) Before either AH or ESP can be use d, it is necessary for the two communication devices to exchange a secret key that the security protocols themselv es will use. T o do this, IPSec uses Internet K ey Exchange (IKE) as a primary support protocol.
146.
147 Appendix F: IPSec Log s and Events F.1 IPSec Log Event Categories There are three major cate gories of IPSec Log Events for your BiGuard 2/10. These include: 1.
148 Send Main mo de second respon se message of ISAKMP Sending the main mod e second r esponse me ssage. Do ne to exc hange key values. Received Main mod e second response me s sage of ISAKMP Received the main mode se cond response message. Done to exch ange key values.
149 Received Quick mode first response message Received the first response message of quick mode (Phase II). Done to exchange propos al and key values (IPSec). Send Quick mode seco nd message Sending the second message of qui ck mode (Phase II). Received Quick mo de second message Received the sec ond message of quic k mode (Phase II).
150 (Main/Aggressive) mode peer ID is (identifier string) ISAKMP SA Established IPsec SA Established.
151 Appendix G: Bandwidth Management with QoS G.1 Overview I n a h o m e o r o f f i c e e n v i r o n m e n t , u s e r s c o n s t a n t l y h a v e t o t r a n s m i t d a t a t o a n d f r o m the Internet.
152 -Prioritization: Assign s different priority levels for different applica tions, prioritizing traffic. High, Normal and Low priority settings. -Outbound and In bound IP Throttli ng: Controls net work traffi c and allows y ou to limit the speed of each application.
153 broadband connection. Application Data Ratio (%) Priority On-line game s 30% High Skype 5% High Email 10% High FTP 20% Upload (High), Download (Normal) Other 35% G.4.2 Office Users QoS is also ideal for small bu sinesses using an office server as a web server .
154 FTP 10% Upload (H igh), Downlo ad (Norm al) Other 30% MP3 (Low), MSN (Normal).
155 Appendix H: Router Setup Examp les H.1 VPN Configuration This section outlines some concrete ex amples on how you can configure BiGuard 2/10 for your VPN. H.1.1 LAN to LAN Branch Office Head Office Local ID IP Address IP Address Data 69.121.1.30 69.
156 ID IP Address IP Address Data 69.121.1.3 69.121.1.30 Network Subnet Subnet IP Address 192.168.1.0 192.168.0.0 Netmask 255.255.2 55.0 255.255.255.0 Proposal IKE Pre-shared Ke y 12345678 12345 678 Security Algorithm Main Mode; ESP: MD5 3DES PFS Main ESP MD5 3DES PFS H.
157 Single client Head Office Local ID IP Address IP Address Data 69.121.1.30 69.121.1.3 Network Any Local Add ress Any Local Address IP Address 0.0.0.0 192.168.1.0 Netmask 0.0.0.0 255.255.255.0 Remote Secure Gateway Address(or Hostname) 69.121.1.3 69.
158 H.2 VPN Concentrator Step 1: Go to Confi guratio n > IPSec and co nfigure the link f rom BiGuard 2/10 Headquarter to BiGuard 2/10 Branch A . 100.100.100. 1 200.200.200. 1 192.168.2.x 192.168.3.x 201.201.201. 1 192.168.4.x Local ID T ype: Subnet Local subnet: 0.
159 Step 2: Go to Confi guratio n > IPSec and co nfigure the link f rom BiGuard 2/10 Headquarter to BiGuard 2/10 Branch B . Step 3: Go to Config urati on > IPSec and configure the connection from BiGuard 2/10 Branch A t o BiGuard 2/10 Headquarter .
160 Step 4: Go to Confi guratio n > IPSec and configure the connection from the BiGuard 2/10 Branch B to BiGuard 2/10 Headquarter . Step 5: Click Save Con fig to save all changes t o flash memory .
161 Step 1: Go to Confi guratio n > Fir ewall > Intrusion Detection and En able the settings. Step 2: Click App ly and then Save Config to save all changes to flash memory . H.4 PPTP Remote Access by Windows XP Internet Internet Window s XP PPTP Clien t Internet Internet 100.
162 Step1: Go to C onf igurat ion > VPN > PPTP and Enable the PPTP functio n, Click Apply . Step2: Click Create to create a PPTP Account..
163 Step3: Click Apply , y ou can see the account is successfully created. Step4: Click Sav e Config to sa ve all changes to flash memory . Step5: In Windows XP , go Start > Settings > N etwor k Conn ecti ons .
164 Step6: In Network Tas ks , Click Cr eate a new conn ection , and press Nex t. Step7: Select Connect t o the net work at my w orkplace and press Next .
165 Step8: Select Virtual Private Ne twork conn ection and press Next . Step9: Input the user-defined name for this connection and press Ne xt ..
166 Step10: Input PPTP Server Address and press Next . Step11: Please press Finish ..
167 Step12: Double click the connection, and input Username and Password th at defined in BiGuard PPTP Account Setting s . PS. Y ou can also refer the Properties > Se curity page as below , by default.
168 H.5 PPTP Remote Access by BiGuard Internet Internet Internet Internet 100.100. 100.1 Headquarter BiGuard &PPTP S erver PPTP Tunnel Branch Office 200.
169 Step3: Click Apply , y ou can see the account is successfully created. Step4: Click Sav e Config to sa ve all changes to flash memory ..
170 Step5: In another BiGuard as Client, Go to Config uration > WAN . Step6: Click Apply , and Save CON FIG ..
Un punto importante, dopo l’acquisto del dispositivo (o anche prima di acquisto) è quello di leggere il manuale. Dobbiamo farlo per diversi motivi semplici:
Se non hai ancora comprato il Billion Electric Company BiGuard 2 è un buon momento per familiarizzare con i dati di base del prodotto. Prime consultare le pagine iniziali del manuale d’uso, che si trova al di sopra. Dovresti trovare lì i dati tecnici più importanti del Billion Electric Company BiGuard 2 - in questo modo è possibile verificare se l’apparecchio soddisfa le tue esigenze. Esplorando le pagine segenti del manuali d’uso Billion Electric Company BiGuard 2 imparerai tutte le caratteristiche del prodotto e le informazioni sul suo funzionamento. Le informazioni sul Billion Electric Company BiGuard 2 ti aiuteranno sicuramente a prendere una decisione relativa all’acquisto.
In una situazione in cui hai già il Billion Electric Company BiGuard 2, ma non hai ancora letto il manuale d’uso, dovresti farlo per le ragioni sopra descritte. Saprai quindi se hai correttamente usato le funzioni disponibili, e se hai commesso errori che possono ridurre la durata di vita del Billion Electric Company BiGuard 2.
Tuttavia, uno dei ruoli più importanti per l’utente svolti dal manuale d’uso è quello di aiutare a risolvere i problemi con il Billion Electric Company BiGuard 2. Quasi sempre, ci troverai Troubleshooting, cioè i guasti più frequenti e malfunzionamenti del dispositivo Billion Electric Company BiGuard 2 insieme con le istruzioni su come risolverli. Anche se non si riesci a risolvere il problema, il manuale d’uso ti mostrerà il percorso di ulteriori procedimenti – il contatto con il centro servizio clienti o il servizio più vicino.