3Com SUPERSTACK 3CR16110-95 User manual

http://www.3com.com/
Part No. DUA1611-0AAA02
Published August 2001
SuperStack® 3
Firewall
User Guide
SuperStack 3 Firewall 3CR16110-95
SuperStack 3 Firewall Web Site Filter 3C16111
DUA1611-0AAA02.book Page 1 Thursday, August 2, 2001 4:01 PM

3Com Corporation
5400 Bayfront Plaza
Santa Clara, California
95052-8145
Copyright © 2001, 3Com Technologies. All rights reserved. No part of this documentation may be reproduced
in any form or by any means or used to make any derivative work (such as translation, transformation, or
adaptation) without written permission from 3Com Technologies.
3Com Technologies reserves the right to revise this documentation and to make changes in content from time
to time without obligation on the part of 3Com Technologies to provide notification of such revision or
change.
3Com Technologies provides this documentation without warranty, term, or condition of any kind, either
implied or expressed, including, but not limited to, the implied warranties, terms or conditions of
merchantability, satisfactory quality, and fitness for a particular purpose. 3Com may make improvements or
changes in the product(s) and/or the program(s) described in this documentation at any time.
If there is any software on removable media described in this documentation, it is furnished under a license
agreement included with the product as a separate document, in the hard copy documentation, or on the
removable media in a directory file named LICENSE.TXT or !LICENSE.TXT. If you are unable to locate a copy,
please contact 3Com and a copy will be provided to you.
UNITED STATES GOVERNMENT LEGEND
If you are a United States government agency, then this documentation and the software described herein are
provided to you subject to the following:
All technical data and computer software are commercial in nature and developed solely at private expense.
Software is delivered as “Commercial Computer Software” as defined in DFARS 252.227-7014 (June 1995) or
as a “commercial item” as defined in FAR 2.101(a) and as such is provided with only such rights as are
provided in 3Com’s standard commercial license for the Software. Technical data is provided with limited rights
only as provided in DFAR 252.227-7015 (Nov 1995) or FAR 52.227-14 (June 1987), whichever is applicable.
You agree not to remove or deface any portion of any legend provided on any licensed program or
documentation contained in, or delivered to you in conjunction with, this User Guide.
Unless otherwise indicated, 3Com registered trademarks are registered in the United States and may or may not
be registered in other countries.
3Com and SuperStack are registered trademarks of 3Com Corporation. The 3Com logo and CoreBuilder are
trademarks of 3Com Corporation.
Intel and Pentium are registered trademarks of Intel Corporation. Microsoft, MS-DOS, Windows, and Windows
NT are registered trademarks of Microsoft Corporation. Novell and NetWare are registered trademarks of
Novell, Inc. UNIX is a registered trademark in the United States and other countries, licensed exclusively
through X/Open Company, Ltd.
Netscape Navigator is a registered trademark of Netscape Communications.
JavaScript is a trademark of Sun Microsystems.
All other company and product names may be trademarks of the respective companies with which they are
associated.
ENVIRONMENTAL STATEMENT
It is the policy of 3Com Corporation to be environmentally-friendly in all operations. To uphold our policy, we
are committed to:
Establishing environmental performance standards that comply with national legislation and regulations.
Conserving energy, materials and natural resources in all operations.
Reducing the waste generated by all operations. Ensuring that all waste conforms to recognized environmental
standards. Maximizing the recyclable and reusable content of all products.
Ensuring that all products can be recycled, reused and disposed of safely.
Ensuring that all products are labelled according to recognized environmental standards.
Improving our environmental record on a continual basis.
End of Life Statement
3Com processes allow for the recovery, reclamation and safe disposal of all end-of-life electronic components.
Regulated Materials Statement
3Com products do not contain any hazardous or ozone-depleting material.
Environmental Statement about the Documentation
The documentation for this product is printed on paper that comes from sustainable, managed forests; it is
fully biodegradable and recyclable, and is completely chlorine-free. The varnish is environmentally-friendly, and
the inks are vegetable-based with a low heavy-metal content.

CONTENTS
ABOUT THIS GUIDE
How to Use This Guide 12
Conventions 12
Terminology 13
Feedback about this User Guide 15
Registration 16
I GETTING STARTED
1 INTRODUCTION
What is the SuperStack 3 Firewall? 19
Firewall and 3Com Network Supervisor 20
Firewall Features 21
Firewall Security 21
Web URL Filtering 23
High Availability 24
Logs and Alerts 24
User Remote Access (from the Internet) 24
Automatic IP Address Sharing and Configuration 24
Introduction to Virtual Private Networking (VPN) 25
Virtual Private Networking 25
2 INSTALLING THE HARDWARE
Before You Start 27
Positioning the Firewall 28
Rack Mounting the Units 28
Securing the Firewall with the Rubber Feet 29
Firewall Front Panel 29
Firewall Rear Panel 31
Redundant Power System (RPS) 31
Attaching the Firewall to the Network 32
3 QUICK SETUP FOR THE FIREWALL
Introduction 35
Setting up a Management Station 36
Configuring Basic Settings 36
Setting the Password 37
Setting the Time Zone 38
Configuring WAN Settings 39
Automatic WAN Settings 39
Manual WAN Settings 40
Using a Single Static IP Address 41
Using Multiple Static IP Addresses 42
Using an IP Address provided by a PPPoE Server 44
Using a Static IP address provided by a DHCP Server 44
Configuring LAN Settings 44
Automatic LAN Settings 44
Entering information about your LAN 45
Configuring the DHCP Server 45
Confirming Firewall Settings 46
II CONFIGURING THE FIREWALL
4 BASIC SETTINGS OF THE FIREWALL
Examining the Unit Status 52
Setting the Administrator Password 53
Setting the Inactivity Timeout 54
Setting the Time 54
Changing the Basic Network Settings 56
Setting the Network Addressing Mode 56
Specifying the LAN Settings 57
Specifying the WAN/DMZ Settings 58
Specifying the DNS Settings 59
Specifying DMZ Addresses 59
Setting up the DHCP Server 60
Global Options 61
Dynamic Ranges 62
Static Entries 63
Viewing the DHCP Server Status 63
Using the Network Diagnostic Tools 64
Choosing a Diagnostic Tool 64
5 SETTING UP WEB FILTERING
Changing the Filter Settings 67
Restricting the Web Features Available 68
Setting Blocking Options 69
Specifying the Categories to Filter 69
Specifying When Filtering Applies 70
Filtering Web Sites using a Custom List 70
Setting up Trusted and Forbidden Domains 71
Changing the Message to display when a site is blocked 72
Updating the Web Filter 73
Checking the Web Filter Status 73
Downloading an Updated Filter List 74
Setting Actions if no Filter List is Loaded 74
Blocking Websites by using Keywords 75
Filtering by User Consent 75
Configuring User Consent Settings 76
Mandatory Filtered IP addresses 77
6 USING THE FIREWALL DIAGNOSTIC TOOLS
Logs and Alerts 79
Viewing the Log 80
Changing Log and Alert Settings 82
Sending the Log 83
Changing the Log Automation Settings 84
Selecting the Categories to Log 85
Alert Categories 86
Generating Reports 87
Collecting Report Data 87
Viewing Report Data 88
Restarting the Firewall 89
Managing the Firewall Configuration File 90
Importing the Settings File 91
Exporting the Settings File 92
Restoring Factory Default Settings 92
Using the Installation Wizard to reconfigure the Firewall 92
Upgrading the Firewall Firmware 92
7 SETTING A POLICY
Changing Policy Services 97
Amending Network Policy Rules 98
Changing NetBIOS Broadcast Settings 99
Enabling Stealth Mode 100
Allowing Fragmented Packets 100
Adding and Deleting Services 101
Editing Policy Rules 103
Viewing Network Policy Rules 103
Adding a New Rule 106
Restoring Rules to Defaults 106
Updating User Privileges 106
Establishing an Authenticated Session 108
Setting Management Method 109
Selecting Remote Management 110
Using the Firewall with the NBX 100 Business Telephone System 110
8 ADVANCED SETTINGS
Automatic Proxy/Web Cache Forwarding 111
Deploying the SuperStack 3 Webcache as a Proxy of the Firewall 112
Specifying Intranet Settings 114
Installing the Firewall to Protect the Intranet 115
Configuring the Firewall to Protect the Intranet 115
Setting Static Routes 117
Setting up One-to-One NAT 119
9 CONFIGURING VIRTUAL PRIVATE NETWORK SERVICES
Editing VPN Summary Information 123
Changing the Global IPSec Settings 124
Viewing the Current IPSec Security Associations 125
Configuring a VPN Security Association 125
Adding/Modifying IPSec Security Associations 126
Security Policy 127
Setting the Destination Network for the VPN Tunnel 131
Configuring the Firewall to use a RADIUS Server 132
Changing the Global RADIUS Settings 132
Changing RADIUS Server Details 133
Using the Firewall with Check Point Firewall-1 134
Configuring the IRE VPN Client 134
Configuring the Firewall 137
Configuring the IRE VPN Client for use with the Firewall 137
Setting up the GroupVPN Security Association 138
Installing the IRE VPN Client Software 139
Configuring the IRE VPN Client 139
10 CONFIGURING HIGH AVAILABILITY
Getting Started 141
Network Configuration for High Availability Pair 142
Configuring High Availability 142
Configuring High Availability on the Primary Firewall 143
Configuring High Availability on the Backup Firewall 144
Making Configuration Changes 145
Checking High Availability Status 146
High Availability Status Window 146
E-Mail Alerts Indicating Status Change 147
View Log 147
Forcing Transitions 148
III ADMINISTRATION AND TROUBLESHOOTING
11 ADMINISTRATION AND ADVANCED OPERATIONS
Introducing the Web Site Filter 153
Activating the Web Site Filter 156
Using Network Access Policy Rules 157
Understanding the Rule Hierarchy 158
Examples of Network Access Policies 159
Resetting the Firewall 162
Resetting the Firewall 163
Reloading the Firmware 163
Direct Cable Connection 164
Direct Connection Instructions 165
12 TROUBLESHOOTING GUIDE
Introduction 167
Potential Problems and Solutions 167
Power LED Not Lit 167
Power LED Flashes Continuously 168
Power and Alert LED Lit Continuously 168
Link LED is Off 168
Ethernet Connection is Not Functioning 168
Cannot Access the Web interface 168
LAN Users Cannot Access the Internet 169
Firewall Does Not Save Changes 169
Duplicate IP Address Errors Are Occurring 169
Machines on the WAN Are Not Reachable 170
Troubleshooting the Firewall VPN Client 170
The IKE Negotiation on the VPN Client 170
Restarting the Firewall with Active VPN Tunnel 171
Export the VPN Client Security Policy File 171
Import the VPN Client Security Policy File 171
Uninstall the VPN Client 171
Frequently Asked Questions about PPPoE 172
IV FIREWALL AND NETWORKING CONCEPTS
13 TYPES OF ATTACK AND FIREWALL DEFENCES
Denial of Service Attacks 175
Ping of Death 175
Smurf Attack 175
SYN Flood Attack 176
Land Attack 176
Intrusion Attacks 176
External Access 176
Port Scanning 177
IP Spoofing 177
Trojan Horse Attacks 177
14 NETWORKING CONCEPTS
Introduction to TCP/IP 179
IP and TCP 179
IP Addressing 179
Network Address Translation (NAT) 182
Limitations of Using NAT 182
Dynamic Host Configuration Protocol (DHCP) 183
Port Numbers 184
Well Known Port Numbers 184
Registered Port Numbers 184
Private Port Numbers 184
Virtual Private Network Services 184
Introduction to Virtual Private Networks 185
VPN Applications 185
Basic VPN Terms and Concepts 186
V APPENDICES
A SAFETY INFORMATION
Important Safety Information 193
Wichtige Sicherheitshinweise 194
Consignes Importantes de Sécurité 195
B TECHNICAL SPECIFICATIONS AND STANDARDS
C CABLE SPECIFICATIONS
Cable Specifications 199
Pinout Diagrams 199
D TECHNICAL SUPPORT
Online Technical Services 201
World Wide Web Site 201
3Com Knowledgebase Web Services 201
3Com FTP Site 202
Support from Your Network Supplier 202
Support from 3Com 202
Returning Products for Repair 204
INDEX
REGULATORY NOTICES