IF1000 User Manual EN V2.2

Version 2.2

User Manual

IT Infrastructure IF1000

Product Portfolio: IT Infrastructure IF1000

Copyright

© ads-tec GmbH

Raiffeisenstr.14

D-70771 Leinfelden-Echterdingen

Germany


HIGH RISK APPLICATION HAZARD NOTICE

Unless otherwise stated in the product documentation, the device is not provided with error-tolerance capabilities and cannot therefore be deemed as being engineered, manufactured or set up to be compliant for implementation or for resale as an online surveillance device in environments requiring safe, error-free performance, e.g. for implementation in nuclear power plants, aircraft navigation, communication systems, or air traffic control, life saving and military facilities whereby possible device failures might result in death, personal injuries, or serious physical and/or environmental damages (i.e. all applications involving high-risk hazard factors). This is therefore to state that neither ads-tec nor any ads-tec sub-supplier hereby undertakes any warranty of fitness and/or liability whatsoever, be it by express or by tacit consent, insofar as the suitability of the Firewall to high-risk application hazards is concerned.

© ads-tec GmbH • Raiffeisenstr.14 • 70771 Leinfelden-Echterdingen


INDEX

ABOUT US ... 6

1 NOTES ... 7
1.1 Relevant Unit Documentation ... 7
1.2 Description of the Warning Symbols Used in This Guide ... 7
1.3 Data, Figures and Modifications ... 7
1.4 Trademarks ... 7
1.5 Copyright ... 8
1.6 Standards ... 8

2 OPERATING AND SAFETY INSTRUCTIONS ... 9
2.1 Safety Instructions ... 9
2.2 Unit Operation Site ... 10
2.3 Damages Due to Improper Use ... 10
2.4 Warranty / Repairs ... 10

3 INTRODUCTION ... 11
3.1 Cut & Stop ... 11
3.2 Alarming ... 11
3.3 Event Log ... 11
3.4 Display/Keypad ... 11
3.5 Managed Switch ... 12
3.6 Service ... 12
3.7 Configuration Versions ... 12
3.8 Supply Contents ... 13
3.9 Environmental Conditions ... 13

4 ASSEMBLY ... 14
4.1 Overall Device Dimensions ... 14
4.2 Assembly Dimensions ... 15
4.3 Assembly Options ... 16
4.3.1 Top hat rail mounting ... 16
4.3.2 Wall mounting ... 17

5 SYSTEM FEATURES ... 18
5.1 Front Panel Operation Keys ... 18
5.1.1 IP address and contact names configuration examples ... 20
5.2 LC-Display ... 23
5.3 Menu Overview – Settings ... 24
5.3.1 Description of individual menu items ... 25
5.4 Menu Overview Status ... 29
5.4.1 Description of individual menu items ... 30
5.5 Operational LED Status Display ... 34
5.5.1 Status Display performance upon boot-up process ... 34
5.5.2 Status Display performance upon reset to default settings ... 35
5.5.3 Status Display performance upon firmware update ... 36
5.6 Interfaces ... 37
5.6.1 24V DC / Backup voltage supply ... 37
5.6.2 Cut & Alarm ... 38
5.6.3 LAN-in (RJ45) / PoE (IEEE 802.AF) voltage supply ... 38
5.6.4 LWL fibre optic ... 39
5.6.5 COM (RS232) Serial Interface ... 39
5.6.6 Sim Card Reader compliant to ISO 7816 ... 39

6 INITIAL DEVICE OPERATIONS ... 40
6.1 First-time Configuration ... 40
6.2 Manual Configuration of the Network Adapter ... 41
6.3 Settings for Use with Internet Explorer 8 ... 43
6.4 Calling Up the Device Web Interface ... 45

7 FIREWALL SETUP ASSISTANT ... 47
7.1 First-time Configuration with the Help of the Setup Assistants ... 47
7.1.1 Transparent Bridge ... 48
7.1.2 IP Router ... 50
7.1.3 Password change ... 51
7.1.4 Setting activation ... 52
7.2 Secure Now! ... 53
7.3 Configuration with the Help of the Packet Filter ... 54
7.3.1 Addition of a rule set ... 54
7.3.2 Changing and searching existing rule sets ... 55
7.3.3 Pre-configured rule-set upload ... 56
7.3.4 Definition of a new rule set on bridged Ethernet Interfaces (layer 2) ... 62
7.3.5 Definition of a new rule set on Standalone IP-Interfaces (layer 3) ... 75

8 FIREWALL WEB INTERFACE ... 89
8.1 General Overview for Configuration in the Menus ... 90
8.1.1 IP routing exemplary configuration ... 90
8.1.2 Error messages ... 92
8.2 Diagnostics Main Menu Item ... 93
8.2.1 System status ... 93
8.2.2 Eventlog ... 95
8.2.3 LAN-in ... 96
8.2.4 LAN-out ... 96
8.2.5 Ping test ... 97
8.2.6 Remote Capture ... 98
8.3 Configuration Main Menu Item ... 99
8.3.1 IP configuration ... 99
8.3.2 SECURENOW! ... 107
8.3.4 Packet filter ... 108
8.3.5 Cut & Alarm ... 109
8.3.6 LAN-out ... 111
8.3.7 Service Modem ... 111
8.3.8 Basic settings ... 113
8.3.9 Access control ... 118
8.3.10 Network ... 122
8.3.11 VPN ... 133
8.3.12 Utilities ... 141
8.3.13 Prioritisation ... 151
8.4 System Main Menu Item ... 153
8.4.1 Backup settings ... 153
8.4.2 Software update ... 155
8.4.3 Factory defaults ... 157
8.4.4 Save ... 157
8.4.5 Reboot ... 158
8.5 Information Main Menu ... 159
8.5.1 General ... 159
8.5.2 Technical data ... 160
8.5.3 Hardware installation ... 161
8.5.4 Local diagnostics ... 162
8.5.5 Sitemap ... 163

9 TECHNICAL DETAILS ... 164
9.1 Display Data ... 164
9.2 Computer Data ... 164
9.3 General Data ... 164

10 SERVICE AND SUPPORT ... 165
10.1 ads-tec Support ... 165
10.2 Company Address ... 165

11 APPLICATION EXAMPLES ... 166
11.1 Basic Router Functions ... 166
11.2 Establishing an OpenVPN Connection ... 170
11.3 OpenVPN Server under Windows ... 186
11.4 Port Forwarding ... 201
11.5 Virus Scan ... 208
11.6 Service ... 214
11.7 Secure Now! ... 220
11.8 Packet Filter ... 230
11.9 Certificates ... 243
11.10 SCEP ... 268
11.11 L2TP ... 273
11.12 IPsec ... 282
11.13 Modbus TCP ... 302
11.14 IF1000 Series Modbus TCP Register Overview ... 305
11.15 SIM Card ... 310
11.16 Extended IP Router Mode ... 312
11.17 Remote Capture ... 316
11.18 1:1 NAT Network Mapping ... 320
11.19 Prioritisation / Shaping ... 329

12 DECLARATION OF CE-CONFORMITY ... 334


ABOUT US

ads-tec GmbH
Raiffeisenstr. 14
D-70771 Leinfelden-Echterdingen

Tel.: 894-0
Fax: 894-990
www.ads-tec.com

ads-tec GmbH provides large enterprises and globally active corporations with cutting-edge, up-to-date data processing technology and systems engineering. In the area of automation, ads-tec GmbH implements full automation solutions from planning to commissioning and is specialized in handling and material handling technologies.

The data systems division develops and produces PC based solutions and offers a broad range of industrial PCs, thin clients and embedded systems. ads-tec is specialized in modifying and optimizing embedded operating systems and develops software tools to complement its hardware platforms.

1 NOTES

1.1 RELEVANT UNIT DOCUMENTATION

The following documents are decisive to unit setup and operation:

User Manual:

Contains information on assembly, placing into operation and operation of the unit, further to technical data on unit hardware.

Service CD:

Contains the User Manual, the Assembly Guide, the Quick Install Guide and Tools.

1.2 DESCRIPTION OF THE WARNING SYMBOLS USED IN THIS GUIDE

Warning:

The “Warning” symbol precedes warnings on uses or operations that might either lead to personal injury and/or hazards, or to any hardware and software damages.

Note:

This Symbol indicates Notes, terms and/or conditions that strictly need to be observed to ensure optimised and/or zero-defect operations. It also precedes tips and suggestions for efficient unit implementation and software optimisation.

1.3 DATA, FIGURES AND MODIFICATIONS

All texts, data and figures are non-binding. We reserve the right of modification in accordance with technological progress. At that point in time when the products leave our premises, they comply with all currently applicable legal requirements and regulations. The operator/operating company is independently responsible for compliance with and observance of any subsequently introduced technical innovations and new legal requirements, as well as for all usual obligations of the operator/operating company.

1.4 TRADEMARKS

It is hereby notified that any software and/or hardware trademarks further to any company brand names as mentioned in this User’s Guide are all strictly subject to the various trademark, brand name and patent protection rights.

Windows®, Windows® CE are registered trademarks of Microsoft Corp.

Intel®, Pentium®, Atom™, Core™2 are registered trademarks of Intel Corp.

IBM®, PS/2® and VGA® are registered trademarks of IBM Corp.

CompactFlash™ and CF™ are registered trademarks of SanDisk Corp.

RITTAL® is a registered trademark of the Rittal Werk Rudolf Loh GmbH & Co. KG.

Any further additional trademarks and/or brand names herein, be they domestic or international, are hereby duly acknowledged.

1.5 COPYRIGHT

This User’s Guide inclusive of all the images it contains is entirely proprietary and subject to copyright. Any irregular use of this Guide by third parties infringing copyright terms is thus strictly forbidden. Reproduction, translation, as well as electronic and photographic image storage and/or amendment processes, are subject to prior written authorisation directly by M/s. ads-tec GmbH.

Any violation and infringement thereto will be held liable for compensation of all damages.

1.6 STANDARDS

This unit is compliant with the provisions and safety objectives of the following EU Directives:

• This unit is compliant with the CE mark testing specification limits as defined in the European test standards EN 55022 and EN 50082-2

• This unit is compliant to the DIN EN 60950 (VDE0805, IEC950) testing specification limits on “Safety of Information Technology Equipment”

• This unit is compliant to the DIN EN 60068-2-6 (sinusoidal vibration) testing specification limits

• This unit is compliant to the DIN EN 60068-2-27 (shock and bump) testing specification limits

• The device has a UL-Certification regarding UL-508 and is listed under the UL-File-Nr. E305773, Section 2

Note:

A corresponding declaration of conformity is available for competent authorities, care of the Manufacturer. Said declaration can be viewed at all times upon request.

For full compliance to the legal requirements in force on electromagnetic compatibility, all components and cables used for unit connection must also be compliant with said regulations. It is therefore necessary to employ BUS and LAN cables featuring screened plug connectors, to be strictly installed as per the instructions contained in the User Manual.

2 OPERATING AND SAFETY INSTRUCTIONS

The unit operates under electrical tension and implements supersensitive component parts. Intervention by the User is required only for power supply line connection operations. Should any further alterations be required, it is necessary to consult either with the Manufacturer directly or with authorised service personnel accordingly. During said connection operations, the unit must be completely powered down. Specific requirements need to be met concerning the prevention of electrostatic discharge on component construction parts during contact. If the unit is opened up by a non-authorised individual, the User may be subject to potential hazards and warranty conditions are terminated.

General Instructions:

• This User’s Guide must be read and understood by all Users and must be available for consultation at all times

• Assembly, operation start-up and unit operation must only be conducted by appropriately qualified and trained personnel

• All individuals and operators using the unit must strictly observe all safety and use instructions as provided within the User’s Guide

• All regulations and prescriptions on accident prevention and safety in force c/o the unit installation site must be strictly observed at all times

• This User’s Guide provides all the most important directions as required for safe and security oriented operation

• Safe and optimised unit operations are subject to appropriate storage, proper transport and handling, accurate unit setup, start-up and operation

Note:

Only the ads-tec original firmware / software is allowed for any of the adjustments and features described in this User’s Guide. Deployment of any firmware / software that has not been released by ads-tec will terminate all warranty conditions.

2.1 SAFETY INSTRUCTIONS

Warning:

For the prevention of possible unit damages, all cable lines (power supply, interface cables) must be hooked up strictly with the unit in power-OFF conditions.

Warning:

All unit assembly operations must be strictly conducted only under safe, secure and zero-potential conditions.

Note:

When handling parts and components susceptible to electrical discharge, please accurately observe all the relevant safety provisions.

(DIN EN 61340-5-1 / DIN EN 61340-5-2)

2.2 UNIT OPERATION SITE

This unit is engineered for industrial application. It is necessary to ensure that the specified environmental conditions are maintained at all times. Unit implementation in non-specified surroundings, i.e. onboard ships, in explosive atmospheres or at extreme heights, is prohibited.

Warning:

For the prevention of water condensate accumulation, the unit should be turned ON only when it reaches ambient temperature. This is also particularly necessary when the unit is subject to extreme temperature fluctuations and/or variations.

Avoid overheating during unit operations: the unit must not be subject to direct sunlight or to any other direct light source.

2.3 DAMAGES DUE TO IMPROPER USE

Should the service system have evident signs of damages incurred e.g. due to wrong operation or storage conditions or due to improper unit use, the unit must be decommissioned or scrapped. Ensure that it is safe from accidental re-implementation.

2.4 WARRANTY / REPAIRS

During the unit warranty period, any repairs thereto must strictly be conducted solely by the manufacturer or by service personnel that has been duly authorised by the manufacturer.

3 INTRODUCTION

The Industrial Firewall constitutes a link between the IT world and automation, thereby meeting the requirements of IT security as well as those by the production line maintenance personnel. It enables monitoring and control of the plant setup network, and of the relative access points. Its essential security protection mechanism is constituted by the event-dependent and physical network separation. This Firewall furthermore offers, amongst others, a secure access in the event of service operations; it enables traffic shaping and is capable of implementing the available virus scanners.

Note:

For the efficient online configuration of your ads-tec devices, it is possible to download the current version of the free tool “IDA light” on the company’s homepage http://www.ads-tec.de. The tool offers you, for example, the possibility of defining individual parameters or whole groups of parameters at a server device and of transferring your settings to a limited selection and/or to all ads-tec devices of the same design and version, without having to carry out these time-consuming configurations at each individual device. You also have the possibility of assigning sequential IP addresses to your ads-tec devices.

With IDA light you can comfortably provide own groups of parameters according to your specific requirements and modify them at any time.

3.1 CUT & STOP

During critical start-up or production phases, the Ethernet uplink can be physically disconnected, i.e. via hardware, through a 24 V input. This safely rules out both intentional and unintentional external manipulation.

The uplink is reconnected through the same input. This function makes integration into an automation concept very simple.

3.2 ALARMING

In the event that a rule is violated, the alarm signal is reported to the control centre through an output. Necessary measures can be automated directly. For example, acoustic indicator lights can signal the alarm condition.

E-mails can be sent out automatically to signal a rules violation event.

3.3 EVENT LOG

A zero-voltage event logbook with retentive memory stores all events whenever the firewall is disconnected from the power supply (NV-RAM option).

The event logbook can be read out either locally or via a central Syslog server.

3.4 DISPLAY/KEYPAD

The built-in display can be used to configure the essential unit functions. It is thus possible to obtain a quick system analysis, e.g. of the network load, directly from the display.

The display and keys can be password-protected against unauthorized manipulation.

3.5 MANAGED SWITCH

Network segments can be set up without any additional hardware by using the managed switch integrated into the firewall. It is possible to connect multiple systems or terminals up to one Firewall.

Each port can be switched off individually to prevent unauthorized data traffic monitoring.

3.6 SERVICE

Service access via a secure service port.

Connecting the Firewall to an analogue, ISDN or GPRS modem for dial-in access provides for affordable remote maintenance, even without an Internet connection.

3.7

C

ONFIGURATION VERSIONS

The device is available in 4 configuration versions:

Configuration Version   IF 1100   IF 1110   IF 1200   IF 1210
LAN-in                  RJ45      RJ45      LWL       LWL
LAN-out                 RJ45      RJ45      RJ45      RJ45
NVRAM                   -         yes       -         yes

RJ45 (Registered Jack 45 = standardized jack) is provided per the Ethernet standard as frequently implemented in telecom applications. The transmission method is equivalent to 10/100 Mbit/s half and full duplex 100BASE-TX.

LWL (fibre optic connection) are flexible optical media for the controlled conduction of light. Unlike the copper-based Ethernet standard, the fibre optic connection technology is insensitive to electrical interference. The plugs required for implementation are equivalent to the MTRJ Standard Multimode with a 100Base-FX 100 Mbit/s Ethernet transmission method via fibre optics.

NVRAM (non-volatile RAM = non-volatile Random Access Memory) is an electronic memory technology whereby data is retained even when the power supply is removed.

Note:

The LAN-in interface can be equipped with an RJ45 or with an LWL fibre optic connection, as the case may be.


3.8 Supply Contents

Please check supply package contents for integrity and completeness:

• 1 device

• 2 x two-pole COMBICON plugs

Manufacturer: Phoenix Contact

Item description/item short text: FMC 1.5 / 2-STF-3.5

• 1 x four-pole COMBICON plug

Manufacturer: Phoenix Contact

Item description/item short text: FK-MCP 1.5 / 4-STF-3.81

• 1 m Ethernet cable

• Quick Install Guide / Quick Assembly Guide

• GNU General Public License

• Service CD

3.9 Environmental Conditions

The unit can be put into operation and used under the following conditions. Failure to observe any one of the specified data will immediately terminate all warranty conditions. ads-tec cannot be held liable for any damages arising due to improper device or unit use and handling.

• Permissible ambient temperature
  during operation: 5 to 60°C
  during operation (UL): 5 to 50°C
  during storage: -20 to 50°C

• Humidity
  during operation: 10 to 85%, without condensation
  during storage: 10 to 85%, without condensation

• Vibration during operation: 1 G, 10 to 500 Hz (DIN EN 60068-2-6)

• Shock during operation: 5 G, with a 30 ms half-cycle

Note:

For Use In Pollution Degree 2 Environment Only Type 1 “indoor use only”.


4 Assembly

4.1 Overall Device Dimensions

Height: 150mm

Width: 200mm

Depth: 41mm


4.2 Assembly Dimensions


4.3 Assembly Options

The device unit is designed for both top hat rail mounting as well as for wall-mounting.

4.3.1 Top Hat Rail Mounting

1. Place the Firewall obliquely against the top of the top hat rail.

2. Fix it by pressing the underside lightly against the rail.

3. The Firewall must firmly snap into place on the top hat rail.


Note:

Check to make sure that the Firewall will not detach itself from the top hat rail by lightly tugging the underside forward.


4.3.2 Wall Mounting

1. Fit two screws to the mounting wall so that they are horizontally level and 170mm apart.

2. Hang the Firewall on the screws using the mounting holes provided, as illustrated.


5 System Features

5.1 Front Panel Operation Keys

The device is provided with operation keys for navigation and unit configuration via the LCD menus. The LCD menus are accessed by pressing the ESC or the ENTER key. You will find a description of the individual menu items in the following LC display section.

The front panel operation keys are provided with the following functions:

Symbol | Navigation function | Configuration function

ESC
Navigation function: Press to exit the current menu level.
Configuration function: If the input mode is activated, the change can be overruled/abandoned by pressing ESC.

ENTER
Navigation function: Press to access a menu level or to confirm a changed entry.
Configuration function: To enter or to change data, the input mode must first be activated by pressing ENTER. This will have only one digit flashing. To adopt the changed entries, the input mode must then be deactivated by pressing ENTER. This will highlight the whole line.

UP (menu navigation direction arrow)
Navigation function: Menu navigation direction arrow.
Configuration function: For selection amongst a number of options, the UP key will access and highlight the selection item in ascending/up order (e.g. selection of either German or English from the available language options). Upon entry or change of data, the highlighted digit can be accessed and changed in ascending/up direction. The succession of the characters follows the ASCII code. However, a space character is assigned for simplification of first-time operation of the DOWN navigation direction option. If the key is pressed a second time, the system proceeds with the ASCII character strings.


LEFT (menu navigation direction arrow)
Navigation function: Menu navigation direction arrow.
Configuration function: If the input mode is activated, each digit is marked and can be changed via access with the UP and DOWN arrow keys.

DOWN (menu navigation direction arrow)
Navigation function: Menu navigation direction arrow.
Configuration function: For selection amongst a number of options, the DOWN key will access and highlight the selection item in ascending/up order (e.g. selection of either German or English from the available language options). Upon entry or change of data, the highlighted digit can be accessed and changed in ascending/up direction. The succession of the characters follows the ASCII code. However, a space character is assigned for simplification of first-time operation of the DOWN navigation direction option. If the key is pressed a second time, the system proceeds with the ASCII character strings.

RIGHT (menu navigation direction arrow)
Navigation function: Menu navigation direction arrow.
Configuration function: If the input mode is activated, each digit is marked and can be changed via access with the UP and DOWN arrow keys.

Note:

To carry out changes in the LCD menus, the following character set is available.


5.1.1 IP Address and Contact Name

IP Address

Example: the default IP address 192.168.0.254 needs to be changed into 192.168.1.250 whilst the subnet mask must be changed from 255.255.255.0 into 255.255.252.0.

The IP address is highlighted and the input mode is deactivated. To change the IP, proceed as follows:

Activate the input mode.
-> The input focus will be active on the first digit.
Press the direction arrow key eight times.
-> The input focus will be active on the 0.
Press the direction arrow key once.
-> Change to 1.
Press the direction arrow key three times.
-> The input focus will be active on the 4.
Press the direction arrow key four times.
-> Change to 0.
Press the key to go back to the first line and confirm all the changes in the input mode.
-> The overall IP is highlighted.
The text message “Please wait” will come up on display whilst the data is being stored. If the input mode is exited by pressing ESC, the changes are overruled/abandoned.

Press the direction arrow key once.
-> The subnet mask is highlighted.
Activate the input mode.
-> The input focus will be active on the first digit.
Press the direction arrow key six times.
-> Change to the space character.
Press the direction arrow key twice.
Press the direction arrow key twice.
Press the direction arrow key three times.
-> Change to 2.
Press the key to confirm all the changes in the input mode.
-> The overall IP is highlighted.
The text message “Please wait” will come up on display whilst the data is being stored. If the input mode is exited by pressing ESC, the changes are overruled/abandoned; otherwise the changes entered have been duly stored.

Contact Name

Example: the contact name Mr. Miller must be changed to Ms. Miller.

The Contact Name is highlighted and the input mode is deactivated. To change the Contact Name, proceed as follows:

Activate the input mode.
-> The input focus will be active on the first digit.
Press the direction arrow key once.
-> The input focus will be active on the r.
Press the arrow key once.
-> Change to s.
Press the key to go back to the first line and confirm all the changes in the input mode.
-> The overall Contact Name is highlighted.
The text message “Please wait” will come up on display whilst the data is being stored. If the input mode is exited by pressing ESC, the changes are overruled/abandoned; otherwise the changes entered have been duly stored.


5.2 LC Display

The device is fitted with an LCD which allows direct access to configuration settings. Any modifications to the firewall and web interface settings made via the LCD menu will take effect immediately. Furthermore, the display shows event messages and status information for quick on-site system analysis.

The LCD menu option Lock can be used to lock the display and all front panel keys. When these are locked, the device PIN is required to access and/or modify any device information. Hence, the Lock function protects the device against unauthorised on-site modifications.

The LCD menu can be accessed by pressing the ESC or ENTER key.

The LCD menu contains the following main menu items:

Settings

Allows configuration of basic Firewall settings, which includes locking the display and all front panel keys. Also allows setting the local IP address as well as the display language and various system information.

Status

Shows all current event log entries and device information. Also allows initiating a self test of the following components: display, front panel keys, CUT and ALARM function. The connection control displays the state of the Service, OpenVPN and IPsec connections.

Note:

The default language setting is English. In order to select a different language, open the main menu and select the following menu items:

Settings / LCD menu / Language

Confirm your selection by pressing ENTER.

(Selection will be marked by an X.)

Then leave the menu by pressing ESC.


5.3 Menu Overview – Settings

5.3.1 Description of Individual Menu Items

Network

Display: Network

Selection | Description and Notes

Transbridge: The Network mask allows setting the operational mode. Additional options are available for each mode. In Transparent Bridge mode, the Firewall acts as a Layer 2 Bridge and is invisible to all participants.

IP Router: The Firewall treats the networks at the LAN-In and LAN-Out as separate networks and filters them separately. Hence, this mode requires that two independent IP addresses be

LAN Settings: Depending on the selected operational mode, IP address assignment can be configured under LAN Settings. Available options are: Static IP address, DHCP, DHCP fallback and PPPoE/DHCP.

System Info

Display: System name, System location, Contact name, Contact location

Selection | Description and Notes

System name: This name serves as a unique identifier of the device at its installation site. The Firewall system name displayed can be specified/changed here. The name entered here will be shown in the LCD menu and in the web interface.

System location: This item serves as a unique identifier of the location at which the device is operated. The Firewall system location can be specified/changed here. You may freely choose the location. Specifying it provides additional detail on the device location. The location will be shown in the LCD menu and in the web interface.

Contact name: This item serves as a unique identifier of the contact person. A contact name can be specified/changed here. You may specify a contact person that can be contacted in case problems occur or maintenance is required.

Contact location: This item serves as a unique identifier of the responsible contact person and their location. A contact location can be specified/changed here. In addition to the name of the contact person, you may also specify their location.

LCD Menu

Display: Language

Selection | Description and Notes

German / English: Two language options are available. Changing the language setting here will also affect the language of the web interface. The default setting is English.

Lock

Display | Selection | Description and Notes

Display & Keys: The display and keys can be locked to prevent unauthorised access. When locked, the display will not show any information and the keys can no longer be used to modify the device configuration. The only operation possible in locked mode is entering the required PIN for unlocking the display and keys. The lock will only become active once the user exits the LCD menu by pressing ESC. The PIN needs to be entered correctly in order for all LCD menu functions to become accessible again. When the Firewall is turned off and on again, the lock will still be active and the PIN needs to be re-entered.

Keys only: This option allows locking the keys separately from the display. With locked keys, the LCD menu can no longer be used to modify the device configuration. The LC display will, however, still show the current network load and other system information. The only operation possible in locked mode is entering the required PIN for unlocking the display and keys. The lock will only become active once the user exits the LCD menu by pressing ESC. The PIN needs to be entered correctly in order for all LCD menu functions to become accessible again. When the Firewall is turned off and on again, the lock will still be active and the PIN needs to be re-entered.

Change PIN

Display: Unlocked, new PIN

To change the PIN, the old PIN needs to be entered. The PIN may be changed independently from the web interface password. The default PIN is empty; any user-defined PIN may be up to 14 digits long.

Reboot

The reboot option allows re-starting the Firewall via the LCD menu. Confirm selection of this option by pressing the DOWN key.


5.4 Menu Overview – Status

5.4.1 Description of Individual Menu Items

Events

Display: Event log, Message Ack.

Event log: The event log allows retracing system events. Select individual log entries using the UP and DOWN keys. The event log display is comparable to a transcript of messages. Use the Event log menu to view any logged events.

Message Ack.: Use the Message Ack. menu to manually override or end, respectively, any active events logged in the event log. In the automatic setting, events will be acknowledged automatically after a predefined period of time.

Connections

Display: Service, OpenVPN, IPsec

Service: Use the menu item Service to monitor the service connection, i.e. whether the device is successfully connected or not properly connected.

OpenVPN: Use the menu item OpenVPN to display all active VPN connections. Settings can be changed directly via the LCD menu.

IPsec: Use the menu item IPsec to display IPsec-related information. The display screen shows the IPsec status.

Device Info

Display: Device Info

Device Info: This option displays general device information. The screen shows the name of the manufacturer, the device variant, whether an NVRAM card is installed, the current firmware version, and the current firmware build.

Device Test

Display: Display, Keys, ALARM

Selection | Description and Notes

Screen: Starts the display test. Check the display for correct functioning: visually check whether all characters are displayed properly. Four different test screens will appear, each of which will need to be confirmed by pressing any front panel key. When the test is finished, you will be taken back to the menu.

Keys: Starts the key test. Perform this test to check the keys for correct functioning. You will be prompted to press specific keys, whereupon you should press the respective key. In case one key is defective, you may exit the test using the other keys. When the test is finished, you will be taken back to the menu.

Alarm: Sets the alarm output and turns on the alarm LED. The letters AL will appear in the upper right corner of the display, indicating that an alarm was triggered. AL will continue to flash until the alarm is either switched off or acknowledged automatically. Perform this test to check the alarm output for correct functioning.

Internal CUT / Ping-Test

Display: Ping-Test, Internal CUT

Internal CUT: Sets the internal CUT and turns on the CUT LED. The letters INT will appear in the upper right corner of the display, indicating that an internal CUT was triggered. INT will continue to flash until the internal CUT is either switched off or acknowledged automatically. Perform this test to check the internal CUT for correct functioning.

Ping-Test: With the aid of the PING-Test an affiliated remote station can be tested. The test sends an echo request packet to the destination address of the station tested and then proceeds with test information assessment. Enter the destination address that needs to be tested in IP address form in the appropriate entry field. It is furthermore necessary to enter the packet quantity required to be sent. Said quantity is limited to a maximum of 10 packets.

5.5 Operational LED Status Display

5.5.1 Status Display Performance upon Boot-up Process

The boot-up process starts as soon as the firewall is supplied with a voltage source. With the aid of the LAN-in LEDs it is possible to check whether the Firewall is booting up.

The table hereunder shows the LED blink pattern during the boot-up process, via which it is possible to check that the device is booting up correctly. In the example, no LAN-in cable / PoE is connected.

As soon as the traffic display comes up on the LCD, the boot-up process has been successfully concluded.


POWER L+: The device is provided with voltage via POWER and is ready for operation.

BACKUP L+: The device is provided with BACKUP voltage supply and is ready for operation.

LAN IN LEDs (LINK / ACT, LINK, LINK / ACT, ACT) and SIGNAL ACTION during the boot-up process, in sequence:

• The LEDs flash briefly just once
• The LEDs are off
• The LEDs flash briefly just once
• The LEDs are off
• The LED blinks at regular intervals
• The LEDs flash briefly just once
• The LEDs are off
• The LEDs flash rapidly
• The LEFT LED goes off / the ACT LED keeps blinking
• The LED flashes rapidly
• The LED is off
• The traffic display is shown on the LCD


5.5.2 Status Display Performance upon Reset to Default Settings

Via the Factory Default keys on the rear side of the Firewall it is possible to reset the Firewall back to its default factory settings at any time, independently of its configuration.

To set the Firewall back to its default settings, the factory default keys must be pressed during current operation. In the example, no LAN-in cable / PoE is connected.

The factory default keys must be pressed once, briefly, in order to start the reset to default settings. The table hereunder shows the LED blink pattern via which it is possible to check that the reset to default settings is being run correctly.

POWER L+: The device is provided with voltage via POWER and is ready for operation.

BACKUP L+: The device is provided with BACKUP voltage supply and is ready for operation.

LAN IN LEDs (ACT, LINK / ACT, LINK, LINK / ACT, ACT, LINK / ACT, LINK / ACT) and SIGNAL ACTION during the reset, in sequence:

• The LED flashes briefly
• The LEDs flash briefly just once
• The LED blinks at regular intervals
• The LED flashes briefly
• The LED flashes
• The LEDs flash at regular intervals
• The LEDs are off
• The traffic display is shown on the LCD


5.5.3 Status Display Performance upon Firmware Update

It is possible to execute firmware updates via the web interface. The actual update process may require a few minutes. During the update process, an indication thereof shows up on the LC display. The table hereunder shows the LED blink pattern via which it is possible to check that the firmware update is being run correctly.

POWER L+: The device is provided with voltage via POWER and is ready for operation.

BACKUP L+: The device is provided with BACKUP voltage supply and is ready for operation.

LAN IN LEDs (LINK / ACT, LINK / ACT, LINK, LINK / ACT, ACT) and SIGNAL ACTION during the firmware update, in sequence:

• The LEDs flash rapidly
• The LEDs flash briefly just once
• The LEDs are off
• The LEDs flash briefly just once
• The LEDs are off
• The LED blinks at regular intervals
• The LEDs flash briefly just once
• The LEDs are off
• The LEDs flash rapidly
• The LEFT LED goes off / the ACT LED keeps blinking
• The LED flashes rapidly
• The LED is off
• The traffic display is shown on the LCD


5.6 Interfaces

The device is provided with the following interfaces:

1. Power 24V DC voltage supply (2 pole COMBICON plug)

2. Backup 24V DC BACKUP voltage supply (2 pole COMBICON plug)

3. CUT & ALARM plug (4 pole COMBICON plug)

4. LAN-in with RJ45 (PoE) or LWL fibre optic connection

5. 9 pole SUB-D connector / RS232

6. LAN-out with 4x RJ45 connection

Note:

All input voltages can be hooked up redundantly (Power, Backup and PoE via LAN-in).

5.6.1 24V DC / Backup Voltage Supply

The supply voltage implements a lead-through terminal with screw connection (the illustration shows the jack provided in the device).

PIN-NUMBER   SIGNAL NAME
1            24V DC
2            0V DC

PIN 1: = L+ 24V DC voltage supply

PIN 2: = GND Ground


5.6.2 Cut & Alarm

The Cut & Alarm connection implements a lead-through terminal with screw connection (the illustration shows the connector provided in the device).

(Illustration: connector pin numbering 1 to 4; the labels 110/230 V AC, PE and 0 V DC belong to the illustration.)

PIN 1: = L+ 24V DC feed-in of the alarm output voltage

PIN 2: = GND Ground feed-in of the alarm output voltage

PIN 3: = CUT 24V DC feed-in of an external switching signal (galvanically isolated)

PIN 4: = AL 24V DC ALARM output (galvanically isolated); alarm output for signalling to external users

5.6.3 LAN-in (RJ45) / PoE (IEEE 802.3af) Voltage Supply

For the voltage supply, the wire pair 4/5 carries the plus pole whilst the wire pair 7/8 carries the minus pole.

PIN-NUMBER   SIGNAL NAME
1            TX +
2            TX -
3            RX +
4            PoE/G
5            PoE/G
6            RX -
7            PoE/-48V
8            PoE/-48V


5.6.4 LWL Fibre Optic

An MTRJ fibre optic plug is implemented for the LWL fibre optic connection. A 62.5/125µm multimode cable is used from the MTRJ plug to the Duplex plug.

5.6.5 COM (RS232) Serial Interface

9 pole SUB-D connector, RS232, for connection of an analogue, ISDN or GPRS standard modem unit.

PIN-NUMBER   SIGNAL NAME
1            DCD
2            RxD
3            TxD
4            DTR
5            GND
6            DSR
7            RTS
8            CTS
9            RI

5.6.6 SIM Card Reader Compliant to ISO 7816

The SIM card reader serves for the storage of the configuration data.

PIN-NUMBER   SIGNAL NAME
1            VCC 5 Volt
2            RESET
3            CLOCK
4            n/c
5            GND
6            n/c
7            I/O
8            n/c

Note:

The interfaces as well as the device voltage/power supply plugs are arranged on the underside of the device. It is necessary to ensure that the plugs are secured against slipping out.


6 Initial Device Operations

6.1 First-Time Configuration

Warning:

First-time configuration of the device can only be executed via the LAN-in or LAN-out interfaces marked RJ45 / LWL fibre optic.

FIRST-TIME CONFIGURATION REQUIRES THAT THE DEVICE IS HOOKED UP TO A PC.

Hook-up of the 24V DC / PoE voltage supply source

The device can be powered with a 24V DC (2 pole plug) voltage supply source or via a PoE connection. Furthermore, a 24V DC (2 pole plug) backup connection is available. The corresponding COMBICON plugs are included in the device supply contents.

Connect the device to the appropriate voltage supply source.

Connection of the RJ45 / LWL fibre optic network cable

For first-time device operation, a connection between the device and a PC via the RJ45 / LWL fibre optic network cable is strictly required.

Connect the device to a PC:

Device LAN-in / LAN-out connection <-> PC LAN connection


6.2 Manual Configuration of the Network Adapter

Note:

The procedure described below was generated as an example using the Microsoft Windows XP Professional® operating system. If another operating system is used, the paths and properties described herein may vary.

Now access your network adapter properties. The relative path is as follows:

Network connections > LAN connection > Properties (right-click with your mouse).

In the dialogue tab that comes up on screen, click to select the option Internet protocol (TCP/IP), then click on the Properties button.

Simply click to select: Use the following IP address

Access to the device is only enabled when the following parameters are recorded as the fixed IP address or if the computer is located in the same subnet space:

IP address: 192.168.0.100

Note:

The last set of digits must be a number between 1 and 253. In the example, “100” has been selected.

Once the IP address has been entered, the subnet mask must be entered. Clicking directly in the Subnet mask field will fill in the correct address automatically.

Subnet mask: 255.255.255.0


It is now possible to close and exit the dialogue tab by clicking on the “OK” button.


6.3 Settings for Use with Internet Explorer 8

Warning:

If Internet Explorer 8 is used, issues with the web interface might occur. If you experience any problems, the IP address of the device must be entered in the Local Intranet list in order to display the web interface correctly.

Open Internet Explorer and navigate to the Security tab via the following path:

Tools > Internet options > Security

Switch to the Local Intranet tab and click there on Sites.

Then click on Advanced.


In the Add this website to the zone address line, enter the device IP address and confirm this step with Add.

Default IP address: http://192.168.0.254

The entered IP address should now appear in the list under Websites.


6.4 Calling Up the Device Web Interface

To access and open the device web interface, start up your web browser. In the browser’s address bar, enter the following IP address, then confirm with Enter:

http://192.168.0.254

Login

Once the IP address has been entered with success, the login prompt appears. In the login prompt, entry of the default settings is required.

The default configuration in just-delivered conditions is:

User name: admin

Password: admin

Confirm your entries by clicking on: OK

Note:

If the login prompt does not appear, check to ensure that the device has been connected via an RJ45/LWL fibre optic connection cable. Otherwise, connect the device to a PC (Device LAN-in/LAN-out connection <-> PC LAN connection).

If there is still no connection to the firewall login prompt, it is necessary to check the proxy and local firewall settings. It often occurs that local subnet addresses (e.g. 192.168.x.x) are also diverted to a proxy server. In this case it is possible to select the “Bypass proxy server for local addresses” option and enter the address in question.


Finally, the device web interface will come up on screen.


7 Firewall Setup Assistant

For a quick and easy start-up and configuration of the firewall, two setup assistants are integrated. With the aid of the setup assistants a guided configuration process of the language settings, the operation modes as well as the password is provided. Via the filter assistants, a guided configuration process of the filter rules is provided. Further information is provided in the Filter Assistant section herein. All settings can also be changed through the web interface, independently of the assistants.

7.1 First-Time Configuration with the Help of the Setup Assistants

To carry out a basic configuration, in the Quicklinks field on the start page, select:

Start Setup Assistant

Note:

The question mark to the right near the drop-down menu provides directions and brief explanations concerning the menu points available for selection.

Said directions and brief explanations are correctly provided with Microsoft© Internet Explorer as of Version 7 and Mozilla Firefox© as of Version 1.0.

Language Selection

Via the dialogue window it is possible to set the user interface language.

The selected language is used for the overall web interface and the LC display.

Confirm your entries by clicking on: Next


Operation Mode Selection

The operation mode can be selected between Transparent Bridge and IP Router.

7.1.1 Transparent Bridge

In the transparent bridge mode, the firewall acts as a Layer 2 bridge and is invisible to participants.

The following options are available for IP assignment:

Static:

If this option is selected, it is possible to record a fix-allocated IP address. Static IP assignment requires entry of the IP address and subnet mask.

The default values are:

IP address: 192.168.0.254

Subnet mask: 255.255.255.0

DHCP:

The DHCP function requests an IP address from a DHCP server and proceeds with allocation automatically.

OpenVPN/DHCP:

The IP address assignment is configured by an OpenVPN connection.

Note:

This setting requires additional input in menu OpenVPN.

DHCP fallback:

This option allows for automatic allocation of the IP address. Should there be an error with the automatic allocation, the IP assignment automatically switches to the static setting option. For this reason, selection of DHCP fallback always requires the entry of an IP address and subnet mask.

Note:

Access to the device is only enabled when the computer is located in the same subnet space as the Firewall.

Activate Spanning Tree Protocol:

The Spanning Tree Protocol (STP) builds a tree structure that prevents loops caused by redundant network paths in the LAN, especially in switched environments. The implementation is essentially based on the Spanning Tree Algorithm (to the IEEE Standard 802.1D).

The Spanning Tree Protocol thereby also allows redundant network paths to be provided, especially in switched environments.

Confirm your selection by clicking on: Next.

7.1.2 IP Router

The firewall divides the nets between the LAN-in and LAN-out interfaces into two separate nets and filters them separately. It is for this reason that in this operating mode two independent addresses for LAN-in and LAN-out need to be allocated.

In the IP-Router operation mode the LAN-in and LAN-out interfaces are configured consecutively.

Select the LAN-in interface for the IP assignment to be used and enter all the required data.

Confirm by clicking on: Next

Select the LAN-out interface for the IP assignment to be used and enter all the required data. The Spanning Tree Protocol can also furthermore be activated.

Confirm by clicking on: Next

7.1.3 Password Change

Via the dialogue window, it is possible to change the password.

To change a password that has already been allocated, enter the current password into the Old password field.

Enter another password in the New password field, then reconfirm it by entering it again into the Password confirmation field.

If you do not wish to change the password, leave the fields empty.

Finally, click on: Apply

7.1.4 Setting Activation

Your settings are now activated.

Note:

Should you not wish to begin directly upon connection with the filter configuration, remove the check marks at “Start SecureNow!”.

After the setup assistant, SecureNow! follows. Close the configuration by clicking on Close.

The setup assistant is thus closed.

7.2 SecureNow!

General Info

SecureNow! allows anyone to achieve maximum security for local networks with very little interaction. To ensure this, SecureNow! analyses the network traffic passing through the industrial firewall and, based on this information, generates precisely tailored filter rules for ebtables (in Transbridge mode) or iptables (in IPRouter or IPRouter5Port mode).

Start Page

At the start, the user defines individually for each enabled interface of the IF1000 series device which security requirements apply. Three security levels are available for selection: high, medium and low. SecureNow! generates particularly strict rules for a zone with a high security level. With the medium security level, the rules are less strict in order to meet requirements such as those found in office networks, for instance.

The low security level should be used for the uplink, e.g. for the interface connected to the Internet. On the one hand, this zone's rules are strict with respect to the traffic coming from it. On the other hand, traffic directed from a higher security level to a lower one is, if in doubt, always permitted. As a result, this always applies to the lowest level.

The network traffic recognised as critical for security is an exception. In order to recognise it, SecureNow! has a database, in which frequently used protocols are evaluated with respect to their security.

The user can switch to the next security level by simply clicking with the mouse on one of the clouds. On the right hand side, you'll find a note explaining the significance of the zones by means of examples.

Note:

If two networks are identified with the same colour (e.g. yellow), the rules for the traffic between these zones will allow all packets.

Note:

Additional information for “SecureNow!” can be seen in the sections of the web interface and the relevant Use-Cases.
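The zone policy described above, as an added Python model (not ads-tec's SecureNow! code): each interface gets a level, default_verdict() applies the three rules stated in this section, and policy_matrix() builds the full zone-to-zone table. The protocol names in CRITICAL_PROTOCOLS and the interface-to-level assignment in ZONES are constructed stand-ins, since the page does not list the contents of the SecureNow! protocol database.

```python
"""Model of the SecureNow! zone policy (constructed illustration, not ads-tec's code)."""
from typing import Dict, Tuple

LEVELS = {"low": 0, "medium": 1, "high": 2}

# Hypothetical entries standing in for SecureNow!'s own protocol database
CRITICAL_PROTOCOLS = {"telnet", "smb"}


def default_verdict(src_level: str, dst_level: str, protocol: str) -> str:
    """'allow' or 'deny' for traffic from a zone of src_level into one of dst_level.

    - same level (same colour in the dialogue): all packets pass;
    - higher level -> lower level: permitted if in doubt, unless the protocol
      is rated security-critical;
    - lower level -> higher level: strict, i.e. denied by default.
    """
    src, dst = LEVELS[src_level], LEVELS[dst_level]
    if src == dst:
        return "allow"
    if src > dst:
        return "deny" if protocol.lower() in CRITICAL_PROTOCOLS else "allow"
    return "deny"


def policy_matrix(zones: Dict[str, str], protocol: str) -> Dict[Tuple[str, str], str]:
    """Verdict for every ordered pair of interfaces, keyed (from_iface, to_iface)."""
    return {
        (a, b): default_verdict(la, lb, protocol)
        for a, la in zones.items()
        for b, lb in zones.items()
        if a != b
    }


def strictness_report(zones: Dict[str, str], protocol: str) -> Dict[str, int]:
    """Number of peer zones each interface may send `protocol` into. The uplink
    (lowest level) should come out with the fewest permitted destinations."""
    matrix = policy_matrix(zones, protocol)
    return {
        a: sum(1 for (x, _), v in matrix.items() if x == a and v == "allow")
        for a in zones
    }


# Constructed assignment: machine network on LAN-in, office on the service port,
# Internet uplink on LAN-out (the low level the manual recommends for the uplink)
ZONES = {"LAN-in": "high", "Service": "medium", "LAN-out": "low"}

if __name__ == "__main__":
    for (src, dst), verdict in sorted(policy_matrix(ZONES, "http").items()):
        print(f"{src:8} -> {dst:8}: {verdict}")
    print(strictness_report(ZONES, "http"))
```

Running the block prints the six ordered interface pairs for plain HTTP: both flows out of LAN-in and the Service-to-LAN-out flow are allowed, everything entering a higher zone is denied. Swapping "http" for one of the constructed critical protocols also turns the downward flows into denials, which is the exception the section describes.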

7.3 Configuration with the Help of the Packet Filter

A packet filter located in the firewall is responsible for the classification of both desired and undesired data traffic and for the initiation of the corresponding actions.

If the packet filter was not started directly after the setup assistant via SecureNow!, it can be started via the Configuration > Packet filter path.

The Packet filter start page allows for the addition of new rule sets as well as the editing and deletion of existing rule sets.

Note:

A rule describes the configuration of a specific filter command.

A rule set can consist of up to 10 separate rules.

7.3.1 Addition of a Rule Set

The addition of a rule set first of all requires the selection of the layer via the particular tab (1). In transparent bridge mode, filtering on layer 2 is required in most cases, whilst in IP router mode or if using the SERVICE modem, selection of layer 3 may also come into question.

Bridged Ethernet interfaces (Layer 2): this corresponds to the Ethernet filtering layer. This setting allows e.g. for filtering based on Ethernet MAC addresses or on network protocols that do not employ IP addresses.

Nevertheless, a filter on the basis of IP protocol criteria is also possible.

Standalone IP-Interfaces (Layer 3):

On this layer, filtering is possible exclusively on the basis of IP protocol criteria, since only IP data traffic passes between layer 3 interfaces.

Via the Adding (2) button, it is possible to generate a new rule set or to add a pre-configured one to the selected layer. A description of the generation of a new rule set is given in the Definition of a new rule set on layer 2 and Definition of a new rule set on layer 3 sections herein. In the Pre-configured rule set upload section, a description of the pre-defined rule sets is provided.

7.3.2 Changing and Searching Existing Rule Sets

If rules have already been generated or uploaded, they appear in the relative rule summary. If searching for a rule, the filter criteria for the rule set being sought can be restricted via the drop-down fields From and To (1).

The Edit (2) button allows for the subsequent variation of the selected rule sets.

By way of the Delete (3) option, it is possible to remove the selected rule set.

Note:

By using the arrows in front of the rule set, detailed information on the selected rule set is shown.

7.3.3 Pre-configured Rule-Set Upload

Select a pre-configured rule set.

The dialogue window shows the pre-configured rule sets on the left.

Select the required pre-configured rule set, and confirm by clicking on: Next

Confirm your entries as shown on display by clicking on: Close

Successful selection will show the rule set in the filter overview.

To activate the modified rule set list click on Activate.

By way of example, the following standard rule sets are already pre-configured in layer levels 2 and 3.

Rule Sets for Bridged Ethernet Interfaces (Layer 2):

Name: Brief description

ARP: Address Resolution Protocol allows for the assignment of network addresses to hardware addresses.

Alarm_L2: Sets off the alarm signal, logs the event in the event log and overrules all the data packets.

Allow_L2: Enables overall data traffic on layer 2.

Block_L2: Overrules all the data packets (blocks the overall data traffic) on layer 2.

Cut_L2: Sets off the internal Cut, logs the event in the event log and overrules all the data packets on layer 2.

E_CAT_FRLI: Allows for the EtherCAT protocol-related data traffic through LAN-in to LAN-out.

E_CAT_FRLO: Allows for the EtherCAT protocol-related data traffic through LAN-out to LAN-in.

E_NET_FRLI: Allows for the EtherNET/IP protocol-related data traffic through LAN-in to LAN-out.

E_NET_FRLO: Allows for the EtherNET/IP protocol-related data traffic through LAN-out to LAN-in.

HTTPS_FRLI: Allows for the HTTPS-related data traffic through LAN-in to LAN-out.

HTTPS_FRLO: Allows for data traffic through HTTPS through LAN-out to LAN-in.

HTTP_FRLI: Allows for data traffic through HTTP through LAN-in to LAN-out.

HTTP_FRLO: Allows for data traffic through HTTP through LAN-out to LAN-in.

ICMP_L2: Enables overall data traffic through ICMP on layer 2.

IMAP_FRLI: Allows for data traffic via IMAP TCP through LAN-in to LAN-out.

IMAP_FRLO: Allows for data traffic via IMAP TCP through LAN-out to LAN-in.

Log_L2: Logs events in the event log and overrules all the data packets on layer 2.

MODBS_FRLI: Allows for data traffic via MODBUS TCP through LAN-in to LAN-out.

MODBS_FRLO: Allows for data traffic via MODBUS TCP through LAN-out to LAN-in.

[email protected]_FRLI: Allows for data traffic of all the [email protected] packets through LAN-in to LAN-out.

[email protected]_FRLO: Allows for data traffic of all the [email protected] packets through LAN-out to LAN-in.

POP_FRLI: Allows for all POP TCP connections through LAN-in to LAN-out.

POP_FRLO: Allows for all POP TCP connections through LAN-out to LAN-in.

PRNET_FRLI: Allows for data traffic of all the PROFINET packets through LAN-in to LAN-out.

PRNET_FRLO: Allows for data traffic of all the PROFINET packets through LAN-out to LAN-in.

PTP_FRLI: Allows for Precision Time Protocol (PTP)-related data traffic through LAN-in to LAN-out.

PTP_FRLO: Allows for Precision Time Protocol (PTP)-related data traffic through LAN-out to LAN-in.

RTPS_FRLI: Allows for Realtime Publish Subscribe protocol-related data traffic through LAN-in to LAN-out.

RTPS_FRLO: Allows for Realtime Publish Subscribe protocol-related data traffic through LAN-out to LAN-in.

SMTP_FRLI: Allows for data traffic of all the SMTP TCP packets through LAN-in to LAN-out.

SMTP_FRLO: Allows for data traffic of all the SMTP TCP packets through LAN-out to LAN-in.

TELNT_FRLI: Allows for data traffic of all the TELNET packets through LAN-in to LAN-out.

TELNT_FRLO: Allows for data traffic of all the TELNET packets through LAN-out to LAN-in.

WIN_FRLI: Allows for data traffic of all the Microsoft Windows Networking packets through LAN-in to LAN-out.

WIN_FRLO: Allows for data traffic of all the Microsoft Windows Networking packets through LAN-out to LAN-in.

Rule Sets for Standalone IP Interfaces (Layer 3):

Name: Brief description

Alarm_L3: Sets off the alarm signal, logs the event in the event log and overrules all the data packets.

ALLOW_L3: Enables overall data traffic on layer 3.

BLOCK_L3: Blocks overall data traffic on layer 3.

Cut_L3: Sets off the internal Cut, logs the event in the event log and overrules all the data packets.

E_CAT_FRLI: Allows for the EtherCAT protocol-related data traffic through LAN-in to LAN-out.

E_CAT_FRLO: Allows for the EtherCAT protocol-related data traffic through LAN-out to LAN-in.

E_NET_FRLI: Allows for the EtherNET/IP protocol-related data traffic through LAN-in to LAN-out.

E_NET_FRLO: Allows for the EtherNET/IP protocol-related data traffic through LAN-out to LAN-in.

FTP_FRLI: Allows for the FTP data traffic through LAN-in to LAN-out.

FTP_FRLO: Allows for the FTP data traffic through LAN-out to LAN-in.

HTTPS_FRLI: Allows for the HTTPS-related data traffic through LAN-in to LAN-out.

HTTPS_FRLO: Allows for data traffic through HTTPS through LAN-out to LAN-in.

HTTP_FRLI: Allows for data traffic through HTTP through LAN-in to LAN-out.

HTTP_FRLO: Allows for data traffic through HTTP through LAN-out to LAN-in.

ICMP_L3: Enables overall data traffic through ICMP on layer 3.

IMAP_FRLI: Allows for data traffic via IMAP TCP through LAN-in to LAN-out.

IMAP_FRLO: Allows for data traffic via IMAP TCP through LAN-out to LAN-in.

Log_L3: Logs events in the event log and overrules all the data packets on layer 3.

MODBS_FRLI: Allows for data traffic via MODBUS TCP through LAN-in to LAN-out.

MODBS_FRLO: Allows for data traffic via MODBUS TCP through LAN-out to LAN-in.

[email protected]_FRLI: Allows for data traffic of all the [email protected] packets through LAN-in to LAN-out.

[email protected]_FRLO: Allows for data traffic of all the [email protected] packets through LAN-out to LAN-in.

POP_FRLI: Allows for all POP TCP connections through LAN-in to LAN-out.

POP_FRLO: Allows for all POP TCP connections through LAN-out to LAN-in.

PRNET_FRLI: Allows for data traffic of all the PROFINET packets through LAN-in to LAN-out.

PRNET_FRLO: Allows for data traffic of all the PROFINET packets through LAN-out to LAN-in.

PTP_FRLI: Allows for Precision Time Protocol (PTP)-related data traffic through LAN-in to LAN-out.

PTP_FRLO: Allows for Precision Time Protocol (PTP)-related data traffic through LAN-out to LAN-in.

RTPS_FRLI: Allows for Realtime Publish Subscribe protocol-related data traffic through LAN-in to LAN-out.

RTPS_FRLO: Allows for Realtime Publish Subscribe protocol-related data traffic through LAN-out to LAN-in.

SMTP_FRLI: Allows for data traffic of all the SMTP TCP packets through LAN-in to LAN-out.

SMTP_FRLO: Allows for data traffic of all the SMTP TCP packets through LAN-out to LAN-in.

TELNT_FRLI: Allows for data traffic of all the TELNET packets through LAN-in to LAN-out.

TELNT_FRLO: Allows for data traffic of all the TELNET packets through LAN-out to LAN-in.

WIN_FRLI: Allows for data traffic of all the Microsoft Windows Networking packets through LAN-in to LAN-out.

WIN_FRLO: Allows for data traffic of all the Microsoft Windows Networking packets through LAN-out to LAN-in.

7.3.4 Definition of a New Rule Set on Bridged Ethernet Interfaces (Layer 2)

Note:

Should you need to configure layer 3 filter levels, please go on to the Definition of a new rule set on layer 3 section herein.

Select menu item: Define a new rule set

Enter a name and a description for the new rule set.

Note:

The rule set name is restricted to 16 characters. It is not possible to use umlauts.

Confirm your entries by clicking on Next.

All Rules in the Current Ruleset

Via the dialogue window, the path of the packets to which the rule set is to be applied is set up. An inbound interface (via which the packets enter) as well as an outbound interface (via which accepted packets leave the device) are required.

Symbol description:

==: The selected interface is implemented.

!=: All interfaces are implemented, except for the selected interface.

Example:

Interface / Selection / Result

Inbound interface: LAN-in / == / filters all the inbound data packets on LAN-in

Outbound interface: LAN-out / != / filters all the outbound data packets on all ports, except for LAN-out

Confirm your entries by clicking on: Next

MAC Addresses and MAC Protocols Related to the Rules

Via the dialogue window it is possible to configure filtering of the data packages based on the source and target MAC addresses.

Only data packages provided with a source and/or target MAC address are admitted or filtered. Via the Protocol setting, it is possible to further restrict the data packages specifically.

The source MAC address defines the participant MAC address that sends in the data.

The target MAC address defines the participant MAC address that is meant to receive the data.

Note:

If the "Use hardware groups" option is activated (checkbox ticked) hardware groups previously added can be selected. Please use this option if you'd like to assign rules to more than one MAC address.

Note:

Should you wish to avail of a long-term connection between two permanently defined devices, here it is possible to enter the MAC addresses of both devices respectively.

Protocol: Description

ARP: The Address Resolution Protocol (ARP) is a network protocol enabling the assignment of network addresses to hardware addresses. Although it is not restricted to Ethernet and IP, it is practically exclusively implemented in connection with IP addressing on Ethernet networks.

IPV4: IPv4 (Internet Protocol Version 4), earlier simply referred to as IP, is the fourth version of the Internet Protocol. It was the first Internet Protocol version spread and implemented worldwide and constitutes the Internet's fundamental technical foundation.

VLAN: A Virtual Local Area Network (VLAN) is a virtual local network within a physical network. A widespread technical implementation of VLANs has been partially defined via the IEEE 802.1Q standard provisions.

Note:

Should you not require any special protocol, select the star symbol. No further protocol settings are required and the assistant proceeds with Rule name and performance.

Confirm by clicking on: Next

Protocol Options

If one of the TCP, UDP or “Other” protocols has been selected, the following configuration options are available:

1. ARP:

The ARP protocol allows for the following selection options:

Confirm your entries by clicking on: Next

2. IPV4:

The IPV4 protocol provides for a further, extensive selection of filter criteria. It is possible to filter source IP addresses, target IP addresses, IP protocol, as well as source and target ports.

Note:

TCP/UDP ports may be specified as port ranges, e.g. 80:88 for ports 80 to 88, :1024 (all ports below 1024) or 1024: (all ports above 1024).

Under IP protocol, the following protocols (in the red text box) are available for selection:

Confirm your entries by clicking on: Next

Should you select “Other”, UDP or TCP, it is necessary to proceed with some additional settings.
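The interface selection (== / !=) from the All rules in the current ruleset dialogue and the port-range syntax from the note above, combined in one added Python model (not the IF1000's own code). evaluate() applies an ordered rule set first-match, and to_iptables() renders a rule as an iptables command, since the manual states that layer-3 rules are realised with iptables; the exact rule text the device generates is not on the page, so that rendering, the action-to-target mapping in TARGETS and the use of the web-interface labels LAN-in and LAN-out as interface names are assumptions, and the rule set in RULES is constructed. One caveat for practitioners: in iptables a range bound is inclusive, so ':1024' covers ports 0 to 1024 and '1024:' covers 1024 to 65535, which is how parse_port_range() treats it.

```python
"""Layer-3 filter rule model in the terms of the rule-set dialogue (constructed illustration)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


def parse_port_range(spec: str) -> Tuple[int, int]:
    """'80' -> (80, 80); '80:88' -> (80, 88); ':1024' -> (0, 1024); '1024:' -> (1024, 65535).

    Both bounds are inclusive, as in iptables' --sport/--dport syntax.
    """
    spec = spec.strip()
    if ":" in spec:
        lo_s, hi_s = spec.split(":", 1)
        lo = int(lo_s) if lo_s else 0
        hi = int(hi_s) if hi_s else 65535
    else:
        lo = hi = int(spec)
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"invalid port range: {spec!r}")
    return lo, hi


@dataclass(frozen=True)
class IfaceSel:
    """Interface selection: '==' keeps only `name`, '!=' keeps every interface except `name`."""
    name: str
    negate: bool = False

    def matches(self, iface: str) -> bool:
        return iface != self.name if self.negate else iface == self.name


@dataclass(frozen=True)
class Packet:
    in_iface: str
    out_iface: str
    src: str
    dst: str
    proto: str  # 'tcp', 'udp', 'icmp', ...
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                          # release / reject / refuse / log, as in the dialogue
    inbound: Optional[IfaceSel] = None   # None stands for the '*' (any interface) selection
    outbound: Optional[IfaceSel] = None
    src_net: Optional[str] = None        # e.g. '192.168.0.0/24'
    dst_net: Optional[str] = None
    proto: Optional[str] = None
    sport: Optional[str] = None          # port-range spec, see parse_port_range()
    dport: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        if self.inbound and not self.inbound.matches(p.in_iface):
            return False
        if self.outbound and not self.outbound.matches(p.out_iface):
            return False
        if self.src_net and ip_address(p.src) not in ip_network(self.src_net):
            return False
        if self.dst_net and ip_address(p.dst) not in ip_network(self.dst_net):
            return False
        if self.proto and p.proto != self.proto:
            return False
        for spec, port in ((self.sport, p.sport), (self.dport, p.dport)):
            if spec is not None:
                lo, hi = parse_port_range(spec)
                if not lo <= port <= hi:
                    return False
        return True


# Dialogue action -> iptables target: an assumed mapping, not taken from the device
TARGETS = {"release": "ACCEPT", "reject": "DROP", "refuse": "REJECT", "log": "LOG"}


def to_iptables(rule: Rule) -> str:
    """Render the rule as a FORWARD-chain iptables command (assumed equivalent)."""
    if (rule.sport or rule.dport) and rule.proto not in ("tcp", "udp"):
        raise ValueError("port matches need -p tcp or -p udp")
    parts = ["iptables", "-A", "FORWARD"]
    for flag, sel in (("-i", rule.inbound), ("-o", rule.outbound)):
        if sel:
            parts += (["!"] if sel.negate else []) + [flag, sel.name]
    for flag, value in (("-s", rule.src_net), ("-d", rule.dst_net), ("-p", rule.proto),
                        ("--sport", rule.sport), ("--dport", rule.dport)):
        if value:
            parts += [flag, value]
    parts += ["-m", "comment", "--comment", rule.name, "-j", TARGETS[rule.action]]
    return " ".join(parts)


def evaluate(rules: List[Rule], p: Packet, default: str = "reject") -> str:
    """First matching rule wins, as in an ordered rule set; otherwise the default applies."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default


# Constructed rule set: web access from the LAN-in network to LAN-out on ports 80 to 88
RULES = [
    Rule("web_out", "release", IfaceSel("LAN-in"), IfaceSel("LAN-out"),
         src_net="192.168.0.0/24", proto="tcp", dport="80:88"),
]
```

A packet from 192.168.0.10 entering on LAN-in, leaving on LAN-out with TCP destination port 85 evaluates to "release"; the same packet to port 90, or the reply direction, falls through to the default "reject". to_iptables(RULES[0]) yields a single FORWARD rule with "-i LAN-in -o LAN-out -p tcp --dport 80:88 -j ACCEPT", and a "!=" selection is rendered with the iptables negation ("! -o LAN-out").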

UDP with IPv4:

Under UDP it is necessary to select the connection control:

Confirm your entries by clicking on: Next

TCP under IPv4:

Under TCP it is necessary to select the connection control and with manual selection, it is necessary to set the STATE settings:

Confirm your entries by clicking on: Next

Manual Selection:

Confirm your entries by clicking on: Next

Note:

The following protocols are supported for status based filtering:

Supported Filter-Based Protocols:

IPV4

FTP

TFTP

IRC

H323

NETBIOS

PPTP

GRE

SCTP

RTSP

SANE

SIP

Confirm your selection with: Next

Other with IPv4:

Other lists a good number of further IP protocols for selection. It is possible to select whether implementation of a specific IP protocol is required, or whether all the IP protocols with the exception of the specified IP protocol are required.

Confirm your entries by clicking on: Next

3. VLAN:

The VLAN protocol requires the entry of the VLAN ID, the VLAN Priority and the packed protocol data.

The packed protocol contains selection options of a high number of different protocol versions. It is thus possible to select whether implementation of a specific protocol is required, or whether all the protocols with the exception of the specified protocol are required.

4. Other:

Other includes a large number of different protocols for selection. Here you can select whether you'd like to use a specific protocol only, or if you'd like to use any but the specified protocol.

Action and Name of the Rule:

The dialogue window allows for the definition of rule performance: under the Rule Action Routine it is possible to determine how the device is required to handle the packets.

Furthermore, the events can be logged, an alarm can be set off and the data throughput / information flow rate can be restricted.

Rule Action Routine:

Available selection here is:

Release: The packet is forwarded.

Reject: The packet is cancelled without notifying the sender.

Separate: The network connection is separated (Cut) at hardware level.

Cut & Allow: Separates data traffic between LAN-in and for ex. Service-Port.

Log: A log entry is generated and logged.

Alarm: The alarm output is set.

Max.Packets/sec:

Here it is possible to set the maximum number of packets per second, which serves as an upper limit against denial-of-service. It is in any case sensible to limit rules that would generate an event log record at frequent intervals.
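Max.Packets/sec modelled as a token bucket, as an added example (not the device's implementation; the page does not say how the IF1000 counts, and the same setting is described again for layer-3 rules). Feeding a constructed burst through simulate_log_rule() shows how the limit turns a flood that would otherwise write one event-log record per packet into a bounded number of records. iptables exposes the same idea in its limit match (--limit N/second --limit-burst B). Timestamps are passed in explicitly so the behaviour can be checked without real time.

```python
"""Per-rule packet rate limit as a token bucket (constructed illustration)."""
from typing import Iterable, Tuple


class PacketRateLimiter:
    """Token bucket: up to `burst` packets at once, refilled at `max_pps` tokens per second."""

    def __init__(self, max_pps: int, burst: int = 0) -> None:
        self.rate = float(max_pps)
        self.capacity = float(burst if burst > 0 else max_pps)
        self.tokens = self.capacity  # start full, so a short burst passes
        self.last = 0.0              # time of the last refill, in seconds

    def allow(self, now: float) -> bool:
        """True if a packet arriving at time `now` (seconds) is within the limit."""
        elapsed = now - self.last
        if elapsed > 0:
            self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
            self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate_log_rule(arrivals: Iterable[float], max_pps: int) -> Tuple[int, int]:
    """Apply a logging rule limited to `max_pps` to packets arriving at the given times.

    Returns (logged, suppressed). Without the limit every packet of a flood
    would produce an event-log record, which is the denial-of-service the
    manual's Max.Packets/sec setting guards against.
    """
    limiter = PacketRateLimiter(max_pps)
    logged = suppressed = 0
    for t in sorted(arrivals):
        if limiter.allow(t):
            logged += 1
        else:
            suppressed += 1
    return logged, suppressed


# Constructed flood: 100 packets in the first instant, 20 half a second later, 20 more at 1.5 s
FLOOD = [0.0] * 100 + [0.5] * 20 + [1.5] * 20

if __name__ == "__main__":
    print(simulate_log_rule(FLOOD, max_pps=10))  # (25, 115)
```

With a limit of 10 packets per second the first burst yields 10 log records, the next 0.5 s refill 5 tokens so 5 of the following 20 packets are logged, and the full second before the last burst restores 10 tokens: 25 records instead of 140.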

Rule Name:

Define a clear-cut, non-ambiguous rule name. It is strictly necessary that you give all the rules in the rule sets a name.

Confirm by clicking on: Next

Overview of All the Rules in a Rule Set:

The dialogue window displays the individual rules in the rule set; their sequence can be altered. It is furthermore also possible to change the rule set name.

Via the Add button the setup process will start again and a new rule can be defined. The Edit button allows for the subsequent variation of rules that have already been generated.

Select Delete to remove a selected rule.

With the aid of the arrow keys it is possible to alter the position of a rule internally to a current rule set.

Confirm by clicking on: Store

Confirm your entries as shown on display by clicking on: Close

To activate the adaptations, it is necessary to run the “apply changes” function.

Confirm by clicking on “Apply settings”.

7.3.5 Definition of a New Rule Set on Standalone IP Interfaces (Layer 3)

Note:

Should you need to configure layer 2 filter levels, please proceed according to the Definition of a new rule set on layer 2 section, previously herein.

Select menu item: Definition of a new rule set

Enter a name and a description for the new rule set.

Note:

The rule set name is restricted to 16 characters. It is not possible to use umlauts, spaces or special characters.

Confirm your entries by clicking on Next.

Rule Set Layers and Interfaces

Via the dialogue window, the path of the packets to which the rule set is to be applied is set up. An inbound interface (via which the packets enter) as well as an outbound interface (via which accepted packets leave the device) are required.

On layer 3, depending on the configuration, the following interfaces are available:

L3-VPN /Service/IPsec

Symbol description:

==: The selected interface is implemented.

!=: All interfaces are implemented, except for the selected interface.

Example:

Interface / Selection / Result

Inbound interface: LAN-in / == / filters all the inbound data packets on LAN-in

Outbound interface: LAN-out / == / filters all the outbound data packets on the LAN-out port.

Note:

Should you not have any need to filter special ports, select the star symbol, which represents the standard settings.

Confirm your entries by clicking on: Next

Rule-Related IP Addresses and IP Protocols

Via the dialogue window it is possible to configure filtering of the data packets based on the source and target IP addresses.

Only data packages provided with a source and/or target IP address are admitted or filtered. Via the Protocol setting, it is possible to further restrict the data packages specifically.

The source IP address defines the participant IP address sending in the data. The target IP address defines the participant IP address that is meant to receive the data.

Note:

If the "Use network groups" option is activated (checkbox ticked) network groups previously added can be selected. Please use this option if you'd like to assign rules to more than one IP address.

Note:

Should you wish to avail of a long-term connection between two permanently defined devices, here it is possible to enter the IP addresses of both devices respectively.

IP address:

Selection: Result

TCP: The Transmission Control Protocol (TCP) is an agreement (a protocol agreement) setting forth terms and conditions for data exchange between computers. All modern computer operating systems implement TCP for data exchange operations with other computers.

UDP: The User Datagram Protocol (UDP) is a minimal, connectionless network protocol belonging to the transport layer of the internet protocol family. The purpose of UDP is to deliver the data transferred over the internet to the correct applications.

ICMP: Like TCP and UDP, the Internet Control Message Protocol (ICMP) also uses the Internet Protocol (IP) and is therefore part of the internet protocol family. In networks, it serves for the exchange of error and information messages.

Confirm your selection by clicking on: Next

Protocol Options

If one of the TCP, UDP or “Other” protocols has been selected, the following configuration options are available:

1. TCP

Auto: In TCP/UDP protocols, connection tracking of the data packets is applied automatically. Only the rule's connection link needs to be specified.

Stateless: Only for TCP: the TCP flags such as ACK, SYN, FIN etc. can be specified manually.

Stateful: It is possible to enter various different settings such as State Related, State New, State Established and State Invalid. Manual selection of TCP flags is not possible. In this case the Firewall performs a protocol analysis to detect the connection state of a TCP connection or of a layer 6 data connection such as FTP.

Stateless:

Confirm your selections by clicking on: Next

Stateful:

State Related: The data packet is assigned to an existing data connection, e.g. setup of an FTP feedback channel.

State New: The data packet sets up a new data connection, e.g. TCP with SYN flag.

State Established: The data packet belongs directly to an existing data connection, e.g. TCP data without a SYN flag.

State Invalid: Data packets for which the Firewall is not capable of determining a valid connection state.
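A toy connection tracker, added here as an example (not the firewall's implementation), that assigns the four states above to TCP packets the way the definitions describe: a SYN opens a NEW connection, later packets of that connection in either direction are ESTABLISHED, a SYN that matches an expected FTP data channel is RELATED, and anything else is INVALID. The same four definitions are repeated for UDP further below; this block covers both. stateful_decision() then shows the usual way the states are combined in a rule pair: only the inside may open connections, replies pass in both directions, INVALID never does. Host addresses and ports are constructed, and a real tracker also checks sequence numbers and times connections out.

```python
"""Toy stateful classification: NEW / ESTABLISHED / RELATED / INVALID (constructed illustration)."""
from dataclasses import dataclass, field
from typing import FrozenSet, Set, Tuple

Endpoint = Tuple[str, int]


@dataclass(frozen=True)
class TcpPacket:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


def _conn_key(p: TcpPacket) -> FrozenSet[Endpoint]:
    # Direction-independent key: a reply maps to the same entry as the request
    return frozenset({(p.src, p.sport), (p.dst, p.dport)})


@dataclass
class ConnTracker:
    connections: Set[FrozenSet[Endpoint]] = field(default_factory=set)
    # (from_host, to_host, to_port) triples for which a fresh SYN counts as RELATED
    expected: Set[Tuple[str, str, int]] = field(default_factory=set)

    def expect_ftp_data(self, server: str, client: str, client_port: int) -> None:
        """Register the feedback channel of an active-mode FTP transfer: the server
        will open a data connection back to client:client_port."""
        self.expected.add((server, client, client_port))

    def classify(self, p: TcpPacket) -> str:
        key = _conn_key(p)
        if key in self.connections:
            return "ESTABLISHED"          # belongs directly to a known connection
        if p.syn and not p.ack:           # a SYN without ACK opens a connection
            self.connections.add(key)
            expectation = (p.src, p.dst, p.dport)
            if expectation in self.expected:
                self.expected.discard(expectation)
                return "RELATED"          # new connection tied to an existing one
            return "NEW"
        return "INVALID"                  # neither known nor a connection attempt


def stateful_decision(state: str, from_inside: bool) -> str:
    """Typical stateful rule pair: inside may open connections, outside may only
    answer; ESTABLISHED and RELATED pass both ways, INVALID never."""
    if state == "INVALID":
        return "reject"
    if state == "NEW":
        return "release" if from_inside else "reject"
    return "release"


if __name__ == "__main__":
    tracker = ConnTracker()
    ctrl = TcpPacket("192.168.0.10", 40000, "10.0.0.5", 21, syn=True)
    print("control SYN:", tracker.classify(ctrl))
    tracker.expect_ftp_data("10.0.0.5", "192.168.0.10", 40005)
    data = TcpPacket("10.0.0.5", 20, "192.168.0.10", 40005, syn=True)
    print("server data SYN:", tracker.classify(data), "->", stateful_decision(tracker.classify(data), False))
```

In the stand-alone run the client's SYN to port 21 is NEW, and the server's data-channel SYN back to the announced client port is RELATED on first sight and ESTABLISHED on the second call, so an "outside may only answer" policy still lets the FTP feedback channel through while a stray SYN from the outside is rejected.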

Note:

The following protocols are supported for status based filtering:

Supported Filter-Based Protocols:

IPV4

FTP

TFTP

IRC

H323

NETBIOS

PPTP

GRE

SCTP

RTSP

SANE

SIP

Confirm your selection with: Next

Confirm your selections by clicking on: Next

2. UDP

Auto: In TCP/UDP protocols, connection tracking of the data packets is applied automatically. Only the rule's connection link needs to be specified.

Stateful: It is possible to enter various different settings such as State Related, State New, State Established and State Invalid. Manual selection of TCP flags is not possible. In this case the Firewall performs a protocol analysis to detect the connection state of a TCP connection or of a layer 6 data connection such as FTP.

Stateful:

State Related: The data packet is assigned to an existing data connection, e.g. setup of an FTP feedback channel.

State New: The data packet sets up a new data connection, e.g. TCP with SYN flag.

State Established: The data packet belongs directly to an existing data connection, e.g. TCP data without a SYN flag.

State Invalid: Data packets for which the Firewall is not capable of determining a valid connection state.

Confirm your selections by clicking on: Next

Note:

The following protocols are supported for status based filtering:

Supported Filter-Based Protocols:

IPV4

FTP

TFTP

IRC

H323

NETBIOS

PPTP

GRE

SCTP

RTSP

SANE

SIP

Confirm your selection with: Next

3. Other:

Other includes a large number of different protocols for selection. Here you can select whether you'd like to use a specific protocol only, or if you'd like to use any but the specified protocol.

Action and Name of the Rule:

The dialogue window allows for the definition of rule performance: under the Rule Action Routine it is possible to determine how the device is required to handle a packet.

Furthermore, the events can be logged, an alarm can be set off and the data throughput / information flow rate can be restricted.

Rule Action Routine:

Available selection here is:

Release: The packet is forwarded.

Reject: The packet is cancelled without notifying the sender.

Separate: The network connection is separated at hardware level.

Refuse: The packet is cancelled and the sender is notified accordingly. It is possible to define a refusal message.

Inactive: The rule is not implemented.

Cut & Allow: Separates data traffic between LAN-in and for ex. Service-Port.

Reasons for refusal:

Here it is possible to define a refusal message that is then notified to the sender.

Log:

An event log entry is generated and logged.

Alarm:

The alarm output is set.

Max.Packets/sec:

Here it is possible to set the maximum number of packets per second, which serves as an upper limit against denial-of-service. It is in any case sensible to limit rules that would generate an event log record at frequent intervals.

Rule Name:

Define a clear-cut, non-ambiguous rule name. It is strictly necessary that you give all the rules in the rule sets a name.

Confirm by clicking on: Next

Overview of All the Rules in a Rule Set:

The dialogue window displays the individual rules in a rule set. The sequence of said rules can be subject to alterations. It is furthermore also possible to change the rule set name.

Via the Add button the setup process will start again and a new rule can be defined. The Edit button allows for the subsequent variation of rules that have already been generated.

Select Delete to remove a selected rule.

With the aid of the arrow keys it is possible to alter the position of a rule within the current rule set.

Confirm by clicking on: Next

Rule set time settings

Via the dialogue window it is possible to enter time settings for the overall rule expression.

If relative validity is restricted, it is necessary to enter a start and end time in HH:MM format. Furthermore, it is also necessary to indicate the day the rule set must be applied to.

Note:

If validity is restricted at least one weekday needs to be entered, otherwise the rules are invalid and not implemented.

Note:

The validity periods must be configured considering the UTC time, regardless of which time zone might have been set up for the device!

Close configuration by clicking on Save.

Confirm your entries as shown on display by clicking on Close.

Successful selection will display the rule set in the filter overview.
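As an added example (editor's illustration, not code from the ads-tec manual), the following Python function models how such a time restriction is evaluated: the supplied timestamp is converted to UTC before comparison, as the second note above requires, and an empty weekday selection makes the rule set inactive, as the first note states. The weekday names, the helper `at()` and the office-hours scenario are constructed for this example; the handling of a window whose end time precedes its start is an assumption, since the manual does not describe it.

```python
from datetime import datetime, time, timedelta, timezone

# Weekday names as used in this example (constructed; the device's internal
# representation of the weekday selection is not documented in the manual).
WEEKDAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")


def parse_hhmm(text: str) -> time:
    """Parse a strict 'HH:MM' string as entered in the dialogue window."""
    hours, minutes = text.split(":")
    parsed = time(int(hours), int(minutes))
    if text != f"{parsed.hour:02d}:{parsed.minute:02d}":
        raise ValueError(f"time must be in HH:MM format, got {text!r}")
    return parsed


def rule_set_is_active(restricted: bool, start: str, end: str,
                       weekdays: set, now: datetime) -> bool:
    """Return True if a rule set with these time settings applies at `now`.

    `restricted` mirrors the 'validity restricted' switch of the dialogue.
    `now` must be timezone-aware; it is converted to UTC first because the
    manual states that validity periods are evaluated in UTC regardless of
    the time zone configured on the device.
    """
    if not restricted:
        return True
    if not weekdays:
        # Manual: without at least one weekday the rules are invalid and
        # are not implemented at all.
        return False
    if now.tzinfo is None:
        raise ValueError("now must be timezone-aware")
    utc_now = now.astimezone(timezone.utc)
    if WEEKDAYS[utc_now.weekday()] not in weekdays:
        return False
    t_start, t_end = parse_hhmm(start), parse_hhmm(end)
    current = utc_now.time().replace(second=0, microsecond=0)
    if t_start <= t_end:
        return t_start <= current <= t_end
    # Assumption (not stated in the manual): an end time earlier than the
    # start time is a window that wraps past midnight UTC; the weekday is
    # checked against the UTC date of `now`.
    return current >= t_start or current <= t_end


def at(year, month, day, hour, minute, utc_offset_hours=0) -> datetime:
    """Build a timezone-aware datetime for the scenario below."""
    return datetime(year, month, day, hour, minute,
                    tzinfo=timezone(timedelta(hours=utc_offset_hours)))


def office_hours_check(local_now: datetime) -> bool:
    """Constructed scenario: a rule set entered as 06:00-18:00, Mon-Fri, by an
    administrator who assumed local CET (UTC+1) instead of UTC."""
    return rule_set_is_active(True, "06:00", "18:00",
                              {"Mon", "Tue", "Wed", "Thu", "Fri"}, local_now)


if __name__ == "__main__":
    # 18:30 CET on Monday 2024-03-04 is 17:30 UTC: the rule set is still active.
    print(office_hours_check(at(2024, 3, 4, 18, 30, 1)))
```

The scenario in `office_hours_check` shows the UTC pitfall the note warns about: a window entered as 06:00 to 18:00 by an administrator thinking in CET still matches at 18:30 local time, because the device compares against 17:30 UTC, and stops matching only from 19:00 local time.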


To activate the adaptations, it is necessary to run the “apply changes” function.

Confirm by clicking on “Apply settings”.


8 Firewall web interface

The start page of this web interface shows important firewall parameters at a glance.

Individual settings can be selected directly via hyperlink from the start page. The firewall start page is described in more detail in the system status section.

The menu structure, which allows navigation through the individual configuration pages, is shown in the left part of the web interface.

Diagnostics

Shows the current interface status, e.g.:

- LAN-in
- LAN-out
- CUT & ALARM

Configuration

Configures firewall-specific functions, e.g.:

- IP-Routing
- Server
- VPN

System

Allows basic settings and changes in the web interface, e.g.:

- Software update
- Save settings

Information

Contains general information with respect to this device, e.g.:

- Technical data

8.1 General overview for configuration in the menus

8.1.1 IP routing exemplary configuration

This example shows, by means of the IP routing menu item, how a setting is made and stored. Furthermore it explains how a certain setting is disabled or deleted.


Note:

If you don't know exactly which setting is the correct one in a specific selection / input box, you can put the mouse pointer on the question mark right next to this selection. A tooltip box will appear, giving you advice and explanation, including some examples.

Selection 1

Make a selection in the pull down menu first. Click on the arrow next to the setting in order to make a selection. Confirm with Apply settings.

Selection 2

Subsequently, enter all user specific settings in the input boxes.

Selection 3

Confirm your entry by clicking on "Add entry". Your settings will now be stored.

Your settings are stored and enabled now. (Tick at no. 1)

Selection 1

Remove the tick at no. 1 and select "Apply settings" if you want to disable a currently enabled setting. The setting is then disabled.

Selection 2

Tick the box at no. 2 and select "Apply settings" in order to delete a certain setting.

Note:

The "Reset changes" button in the task bar allows you to reset settings you made earlier to the default value.

8.1.2 Error messages

The firewall identifies wrong entries by highlighting the affected input box in red.

Note:

By means of the exclamation mark next to the wrong entry you can identify what the reason for this error might be, or which values might be required.

8.2 Diagnostics main menu item

8.2.1 System status

The web interface start page shows all important firewall settings at a glance. Important functions can be selected directly via hyperlinks from the start page.

System data

The most important system data is summarised here for technical support and unambiguous firewall identification.

System status

The system status displays the current time settings used by the firewall. It is recommended to use an NTP time server in order to synchronise the local firewall time.

The Uptime indicates how long the firewall has been running without a reboot and also shows the load average of the system resources over this period. Furthermore, the number of optional, active VPN connections is also displayed.

System resources

The Flash, Memory and CPU indicators represent the current load of the firewall system.

Network statistic

The network statistics show the current network traffic on LAN or LAN-IN-OUT in real-time graphical form.

Interface status

Here you'll find an overview of the interfaces currently in use and of the status of the communication ports, as well as the allocated IP addresses and subnet masks.

Eventlog

For faster diagnostics, the last five current event log entries will be shown in this place.

You can switch to a full event log view if you use the main menu item Eventlog or by clicking on the Last five messages hyperlink.

Warning:

Status information is displayed statically and must be refreshed via the Reload button on the bottom margin of the web interface screen or via the browser's Reload function.

Note:

If you didn't start the setup wizard at the beginning, you can configure all settings by using several menu functions, at any point in time.

8.2.2 Eventlog

Status

The Eventlog is the most important diagnostics tool of this device and contains essential information about the system status. Potential system error messages are entered and displayed here. The Eventlog acts like a running log and records all system activities; in it you can view changes in settings and error messages as a protocol.

Configuration

The Eventlog protocol can also conveniently be sent to a central computer. In order to do this, the remote computer will be entered in the input boxes.

Additionally, syslog messages can be sent by email. To do this, specify the IP-address of your E-mail server and a receiver address.

Note:

In order to avoid a high data volume caused by many emails, a suitable threshold value should be entered in the Line threshold box. The Line threshold specifies the number of lines that are sent together in one email once the threshold value is reached.
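The following Python class is an added illustration by the editor, not part of the ads-tec firmware; it models the Line threshold behaviour described in the note: lines are buffered and released as one email each time the threshold is reached. The mail server address, the recipient and the sample event log lines are constructed for the example.

```python
# Constructed sample event log lines in a syslog-like layout (not captured
# from a real device).
SAMPLE_LINES = [
    f"2024-03-04T08:{minute:02d}:00Z IF1000 packetfilter: rule block-telnet "
    "rejected tcp 10.0.0.5 -> 10.0.1.20:23"
    for minute in range(12)
]


class EventlogMailer:
    """Buffer event log lines and hand them over as one email per batch.

    mail_server and recipient correspond to the E-mail server IP address and
    receiver address entered in the Eventlog configuration; line_threshold is
    the Line threshold.  Nothing is transmitted: every email that would have
    been sent is recorded in `deliveries` as (server, recipient, body).
    """

    def __init__(self, mail_server: str, recipient: str, line_threshold: int):
        if line_threshold < 1:
            raise ValueError("Line threshold must be at least 1")
        self.mail_server = mail_server
        self.recipient = recipient
        self.line_threshold = line_threshold
        self._buffer = []
        self.deliveries = []

    def log(self, line: str) -> bool:
        """Buffer one line; return True if it completed a batch (an email)."""
        self._buffer.append(line)
        if len(self._buffer) >= self.line_threshold:
            self._flush()
            return True
        return False

    def _flush(self) -> None:
        body = "\n".join(self._buffer)
        self.deliveries.append((self.mail_server, self.recipient, body))
        self._buffer = []

    def pending(self) -> int:
        """Lines still waiting for the threshold to be reached."""
        return len(self._buffer)


def emails_for(lines, line_threshold: int) -> int:
    """Number of emails a burst of log lines produces at a given Line threshold."""
    # Server and recipient are constructed placeholders (documentation ranges).
    mailer = EventlogMailer("192.0.2.25", "soc@example.net", line_threshold)
    for line in lines:
        mailer.log(line)
    return len(mailer.deliveries)


if __name__ == "__main__":
    print(emails_for(SAMPLE_LINES, 1), emails_for(SAMPLE_LINES, 5))
```

Compare `emails_for(SAMPLE_LINES, 1)` with `emails_for(SAMPLE_LINES, 5)`: with the threshold at 1 every log line becomes its own email, which is exactly the volume the note warns about; a larger threshold also holds back the last lines until the buffer fills, so the value is a trade-off between mail volume and how promptly an alert reaches the recipient.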

8.2.3 LAN-in

The displayed data lets you trace exactly how packets were received or sent. The display can be updated by using the Reload button.

8.2.4 LAN-out

The displayed data lets you trace exactly how packets were received or sent. The display can be updated by using the Reload button.

(View: IP-Router extended, LAN-out 1)

The operational mode IP-Router extended lists all four LAN-out Ports separately.

8.2.5 Ping test

By using the Ping test option you can check if a connected remote station can be reached or not. The Ping test sends an echo request packet to the destination address of the remote station to be tested and evaluates the test information.

Please enter the destination address to be tested in the form of an IP address in the designated box. Additionally, the number of packets to be sent must be specified; it is limited to 10 packets.

By clicking on the Apply settings button the ping test will start.

After a short time an overview will appear which shows the ping test process steps and result. The overview indicates both the sent and the received packet status.

The Ping test is finished by pressing the Continue button.

8.2.6 Remote Capture

Data packets of individual firewall interfaces can be recorded for diagnostic purposes by using the Remote Capture function. For this purpose, it is required to use the "Wireshark" tool in Windows. By using the "Enable hub mode on Lan-out" checkbox, the 4 port switch is configured in such a way that the traffic that flows between the individual Lan-out ports is also recorded.

8.3 Configuration main menu item

8.3.1 IP configuration

The operating mode can be selected under IP configuration.

The following operating modes are available: Transparent bridge, IP-router and IP-router (extended).

By using the Transparent bridge mode, you can integrate the firewall into an existing network structure with no required adaptations to it. The firewall will be transparent for the existing network structure.

In IP router mode, the firewall divides the network into two separate subnets. This setting may require an adaptation of the existing network structure.

If IP router (extended) is selected, the four ports of the LAN-out switch will be separated in four individual LAN-out ports. By separating the four IP interfaces you can, for example, operate several subnets.

All operating modes differ with respect to their configuration.

Note:

The LC display will remain blank for approx. 20 seconds if the firewall operating mode is switched from Transparent bridge mode to IP router mode and the mode is activated.

Note:

When switching the operating mode, the device might change the MAC/IP address combination. Should you no longer be able to reach the device once the operating mode has been switched, please verify your computer's IP address and delete its ARP cache, if necessary. (Path specification under Windows: Start / Run and enter the "arp -d *" command in the command line.)

Transparent bridge

Note:

The question mark to the right of the pull down menu provides you with advice and brief explanations for the menu items available for selection.

Notes and short explanations are correctly displayed by Microsoft Internet Explorer from version 7 and by the Mozilla Firefox browser from version 1.0.

LAN

The following pull down menu allows configuring the IP address.

Static:

If this option is selected, a permanently assigned IP address may be entered.

Static IP address assignment requires that the IP address and the subnet mask are entered.

The default values are:

IP address: 192.168.0.254

Subnet mask: 255.255.255.0

DHCP:

The DHCP function requests an IP address from a DHCP server and assigns it automatically to the firewall.

DHCP with fallback address:

This option is a combination of static and automatic IP-address assignment. If an error occurs during automatic address assignment of the DHCP server or if no DHCP server is available, IP assignment automatically switches to the entered static IP address.


PPPoE / DHCP

The IP address of the Point to Point Protocol over Ethernet connection is dynamically assigned by the system. This option is the classic setting for ADSL dial-up connections, in which the provider dynamically assigns the IP address.

The PPPoE user name contains the login data supplied by the provider.

Note:

Exemplary configuration for a T-Online DSL dial-up connection (without guarantee):

AAAATTTT#MMMM@t-online.de

- AAAA – 12-digit terminal identification number
- TTTT – T-Online number
- # – only if the T-Online number has fewer than twelve digits
- MMMM – user identification number

DNS via DHCP / Gateway via DHCP

If the DHCP, DHCP/Fallback or PPPoE interface is to be configured, both checkboxes will show. If several interfaces are configured on DHCP, the user decides from which of these interfaces the default gateway and DNS are to be retrieved. If only one interface is set to DHCP, the user can overwrite the values for gateway or DNS assigned per DHCP by manual configuration by clearing the checkboxes.

Note:

Only one interface can be configured with these options at a time. If you attempt to configure another interface, the checkboxes you had ticked in your previous configuration will be cleared.

Activate Spanning Tree Protocol:

The Spanning Tree Protocol is used to avoid loops, particularly in switched network environments. With this function activated, redundant network links can be set up.

Standard gateway:

In this option, you can specify the IP address of the used gateway.

Click subsequently on: Apply settings

IP router

The IP router option divides the network into two separate networks between the LAN-in and LAN-out interfaces and filters them separately.

LAN-in/out interface:

IP assignment for the LAN-in interface can be made in two different ways:

Static:

If this option is selected, a permanently assigned IP address may be entered.

Static IP address assignment requires that the IP address and the subnet mask are entered.

The default values are:

IP address: 192.168.0.254

Subnet mask: 255.255.255.0

DHCP:

The DHCP function requests an IP address from a DHCP server and assigns it automatically to the firewall.

DHCP with fallback address:

This option is a combination of static and automatic IP-address assignment. If an error occurs during automatic address assignment of the DHCP server, or if no DHCP server is available, IP assignment automatically switches to the entered static IP address.


PPPoE / DHCP

The IP address of the Point to Point Protocol over Ethernet connection is dynamically assigned by the system. This option is the classic setting for ADSL dial-up connections, in which the provider dynamically assigns the IP address.

The PPPoE user name contains the login data supplied by the provider.

Note:

Exemplary configuration for a T-Online DSL dial-up connection (without guarantee):

AAAATTTT#MMMM@t-online.de

- AAAA – 12-digit terminal identification number
- TTTT – T-Online number
- # – only if the T-Online number has fewer than twelve digits
- MMMM – user identification number

DNS via DHCP / Gateway via DHCP

If the DHCP, DHCP/Fallback or PPPoE interface is to be configured, both checkboxes will show. If several interfaces are configured on DHCP, the user decides from which of these interfaces the default gateway and DNS are to be retrieved. If only one interface is set to DHCP, the user can overwrite the values for gateway or DNS assigned per DHCP by manual configuration by clearing the checkboxes.

Note:

Only one interface can be configured with these options at a time. If you attempt to configure another interface, the checkboxes you had ticked in your previous configuration will be cleared.

Activate Spanning Tree Protocol:

The Spanning Tree Protocol is used to avoid loops, particularly in switched network environments. With this function activated, redundant network links can be set up.

Activate NAT on:

By enabling the Network Address Translation (NAT) option on the selected interface, a private IP address range is masked with a global IP address. Activating NAT is recommended with DSL/PPPoE connections.

Standard gateway:

In this option, you can specify the IP address of the used gateway.

Example

The following example shows how to change the IP address from 192.168.0.254 to 192.168.1.254.

Click subsequently on: Apply settings


Now your changes are activated.

Warning:

If the IP router mode is selected, the IP address of the LAN-in port is switched to the IP address of the LAN-out port. Now, a new IP address must be defined for LAN-in. If you configure your firewall from LAN-in to LAN-out you might no longer have access to the web interface under certain circumstances. In order to get back to the web interface, the IP address of your PC must be adapted and the previously defined IP address for LAN-in must be entered in the address line of your web browser.

After changing the IP address, open your web browser and enter the new IP address to reach the web interface of the device.

IP router (extended)

If IP router (extended) is selected, the four ports of the LAN-out switch will be separated in four individual LAN-out ports. By separating the four IP interfaces you can, for example, operate several subnets.

If a special OpenVPN setting is chosen, the LAN-out (internal) interface is available. It is used exclusively for OpenVPN channels. If this mode is selected, you obtain specific setting options for each LAN-out port on the respective page (DHCP, prioritisation, IP routing...).

Note:

802.1q VLAN Tagging cannot be used in this operating mode. (function is disabled)

Note:

Since this mode is controlled by the software, the full bandwidth of 100Mbits per second is not available between the LAN-out ports.

LAN-in Switch:

If this function is enabled, the respective LAN-out port is bridged to the LAN-in interface. The respective port then acts like a switch connected to LAN-in. Notwithstanding this rule, NAT settings are applied to the traffic passing through. The IP address of this port is the IP address of LAN-in.

Activate NAT on:

By enabling the Network Address Translation (NAT) option on the selected interface, a private IP address range is masked with a global IP address. Activating NAT is recommended with DSL/PPPoE connections.

Standard gateway:

In this option, you can specify the IP address of the used gateway.


8.3.2 SecureNow!

General info

SecureNow! allows anyone to achieve maximum security for local networks with very little interaction. To do so, SecureNow! analyses the network traffic passing through the industrial firewall and generates precisely tailored filter rules for ebtables (in Transbridge mode) or iptables (in IPRouter or IPRouter5Port mode) based on this information.

Start page

At the start, the user defines for all enabled interfaces of the IF1000 series device individually, which security requirements apply. Three security levels are available for selection: High, medium and low. SecureNow! is going to generate particularly strict rules for a zone with high security level. With the medium security level, the rules are less strict in order to meet requirements like they would be present in office networks, for instance.

The low security level should be used for the uplink, e.g. for the interface connected to the Internet. On the one hand, this zone's rules are strict with respect to the traffic coming from it. On the other hand, traffic directed from a higher security level to a lower one is, if in doubt, always permitted. Consequently, this always applies to the lowest level.

The network traffic recognised as critical for security is an exception. In order to recognise it, SecureNow! has a database, in which frequently used protocols are evaluated with respect to their security.

The user can switch to the next security level by simply clicking with the mouse on one of the clouds. On the right hand side, you'll find a note explaining the significance of the zones by means of examples.

Capture mode

In IP-Router mode it is necessary to select the network layer (Layer 2 / Layer 3) to be analysed before running the analysis of the data packets.

Note:

If two networks are identified with the same colour (e.g. yellow), the rules for the traffic between these zones will allow all packets.
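The zone behaviour described above can be modelled in a few lines. The following Python block is an added example by the editor, not SecureNow!'s own algorithm, and it simplifies deliberately: the protocol database, the interface names LAN-out2 and LAN-out3, and the choice to permit lower-to-higher traffic only for flows observed during capture are all assumptions. `generate_rules` renders the same policy as iptables FORWARD rules, in the spirit of the IP router mode mentioned in the general info.

```python
from dataclasses import dataclass

LEVELS = {"high": 3, "medium": 2, "low": 1}

# Constructed stand-in for the SecureNow! protocol database: (protocol, port)
# pairs this model treats as security-critical.  The real database contents
# are not documented in the manual.
CRITICAL_PROTOCOLS = {
    ("tcp", 23): "telnet",
    ("udp", 69): "tftp",
    ("tcp", 445): "smb",
}


@dataclass(frozen=True)
class Flow:
    """One flow observed while capturing traffic through the firewall."""
    in_iface: str
    out_iface: str
    proto: str
    dport: int


def is_critical(flow: Flow) -> bool:
    return (flow.proto, flow.dport) in CRITICAL_PROTOCOLS


def permitted(zones: dict, captured: list, flow: Flow) -> bool:
    """Decide whether `flow` passes under the zone model.

    zones maps interface name -> security level ('high', 'medium', 'low');
    captured is the list of flows seen during the analysis run.
    """
    src = LEVELS[zones[flow.in_iface]]
    dst = LEVELS[zones[flow.out_iface]]
    if src == dst:
        return True            # same colour: all packets between the zones
    if is_critical(flow):
        return False           # security-critical traffic is the exception
    if src > dst:
        return True            # higher -> lower level: permitted if in doubt
    # lower -> higher level: strict; only captured flows get a tailored rule
    # (assumption: the manual does not say how observed flows become rules)
    return flow in captured


def generate_rules(zones: dict, captured: list) -> list:
    """Render the same policy as iptables -A FORWARD rules, first match wins."""
    rules = []
    pairs = [(a, b) for a in zones for b in zones if a != b]
    for a, b in pairs:
        if LEVELS[zones[a]] == LEVELS[zones[b]]:
            rules.append(f"-A FORWARD -i {a} -o {b} -j ACCEPT")
    for (proto, port), name in sorted(CRITICAL_PROTOCOLS.items()):
        rules.append(f"-A FORWARD -p {proto} --dport {port} "
                     f"-m comment --comment {name} -j DROP")
    for a, b in pairs:
        if LEVELS[zones[a]] > LEVELS[zones[b]]:
            rules.append(f"-A FORWARD -i {a} -o {b} -j ACCEPT")
    for flow in captured:
        if (not is_critical(flow)
                and LEVELS[zones[flow.in_iface]] < LEVELS[zones[flow.out_iface]]):
            rules.append(f"-A FORWARD -i {flow.in_iface} -o {flow.out_iface} "
                         f"-p {flow.proto} --dport {flow.dport} -j ACCEPT")
    rules.append("-P FORWARD DROP")
    return rules


if __name__ == "__main__":
    zones = {"LAN-in": "low", "LAN-out": "high"}      # constructed zone setup
    seen = [Flow("LAN-in", "LAN-out", "tcp", 443)]
    print("\n".join(generate_rules(zones, seen)))
```

A production rule set would additionally need connection tracking so that replies to permitted flows are accepted; the model leaves that out to keep the zone logic visible. The ordering in `generate_rules` matters: the same-level ACCEPT rules come before the critical-protocol DROP rules because the note above says same-colour zones pass all packets.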

8.3.4 Packet filter

The packet filter supports you in creating firewall rules: a step-by-step user interface prompts for the most frequently used configuration parameters of firewall rules.


Note:

The rules are processed in their respective order, starting with the first rule set.

A certain rule set is only considered for a packet if its "IN/OUT" interface setting corresponds to the packet in question.

If a packet is processed with a rule set, the rules included in the set are applied from top to bottom.

As soon as a rule in the currently processed rule set fully matches the packet, the corresponding action is executed and no further rules are applied.

Every rule set can contain up to 10 rules, and all rules of a rule set share the same settings with respect to the inbound and outbound interface. All active layer 2 rule sets are displayed on the main page of the packet filter.

Thanks to a filter function at the bottom of the page, the displayed rule sets can be restricted by specifying the inbound and outbound interface. This has no impact on the functioning of rules: the rules not displayed are still enabled.

The toolbar for adding new rule sets is located above the filter function for the inbound and outbound interface. By clicking on the Plus icon, a dialogue window pops up, which guides the user step by step through the setup options for different protocol levels.

In IP router mode with layer 2 selected in the advanced settings, only Open VPN interfaces can be filtered. Layer 3 level allows the filtering of all interfaces in any direction, as long as they have an IP address.

Only those rule sets, for which the inbound and outbound interface as well as the direction of communication is a match, appear in this list.

Note:

After defining the rules, the button Apply changes in the web interface must be activated for testing this function.
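To make the processing order concrete, here is an added Python model (editor's example, not ads-tec code) of the packet filter semantics described in this section and in the rule action dialogue earlier in the chapter: rule sets are consulted only when their IN/OUT interfaces match the packet, rules run top to bottom, the first full match decides, Inactive rules are skipped, and a rule's Log, Alarm, refusal message and Max.Packets/sec settings shape the verdict. The interface and address values, the rule names and two behaviours the manual does not state (packets above Max.Packets/sec are discarded without a log entry, and a packet that no rule set covers is rejected) are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

MAX_RULES_PER_SET = 10        # stated in the manual
ACTIONS = {"Release", "Reject", "Refuse", "Separate", "Inactive", "Cut & Allow"}


@dataclass
class Packet:
    in_iface: str
    out_iface: str
    proto: str                 # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass
class Rule:
    name: str
    action: str
    proto: str = "any"
    src: str = "any"
    dst: str = "any"
    dport: Optional[int] = None      # None matches any port
    log: bool = False                # Log: write an event log entry
    alarm: bool = False              # Alarm: set the alarm output
    max_pps: Optional[int] = None    # Max.Packets/sec; None = unlimited
    refusal_reason: str = ""         # message returned to the sender (Refuse)

    def __post_init__(self):
        if not self.name:
            raise ValueError("every rule in a rule set must have a name")
        if self.action not in ACTIONS:
            raise ValueError(f"unknown rule action {self.action!r}")

    def matches(self, pkt: Packet) -> bool:
        return (self.proto in ("any", pkt.proto)
                and self.src in ("any", pkt.src)
                and self.dst in ("any", pkt.dst)
                and (self.dport is None or self.dport == pkt.dport))


@dataclass
class RuleSet:
    name: str
    in_iface: str
    out_iface: str
    rules: list

    def __post_init__(self):
        if len(self.rules) > MAX_RULES_PER_SET:
            raise ValueError(f"rule set {self.name!r} has more than {MAX_RULES_PER_SET} rules")


@dataclass
class Verdict:
    action: str
    rule_set: Optional[str]
    rule: Optional[str]
    logged: bool = False
    alarm: bool = False
    notify_sender: str = ""          # refusal message, only for Refuse


class PacketFilter:
    def __init__(self, rule_sets, default_action="Reject"):
        self.rule_sets = list(rule_sets)   # processed in configured order
        self.default_action = default_action  # assumption: uncovered packets are rejected
        self._counts = {}                  # (set, rule, second) -> packets seen

    def _over_limit(self, rs: RuleSet, rule: Rule, now: float) -> bool:
        if rule.max_pps is None:
            return False
        key = (rs.name, rule.name, int(now))
        self._counts[key] = self._counts.get(key, 0) + 1
        return self._counts[key] > rule.max_pps

    def evaluate(self, pkt: Packet, now: float = 0.0) -> Verdict:
        for rs in self.rule_sets:
            if (rs.in_iface, rs.out_iface) != (pkt.in_iface, pkt.out_iface):
                continue                           # set is not considered for this packet
            for rule in rs.rules:                  # top to bottom, first match wins
                if rule.action == "Inactive" or not rule.matches(pkt):
                    continue
                if self._over_limit(rs, rule, now):
                    # Assumption: above Max.Packets/sec the packet is discarded
                    # without a log entry or alarm, so a flood cannot fill the log.
                    return Verdict("Reject", rs.name, rule.name)
                return Verdict(rule.action, rs.name, rule.name,
                               logged=rule.log, alarm=rule.alarm,
                               notify_sender=rule.refusal_reason
                               if rule.action == "Refuse" else "")
        return Verdict(self.default_action, None, None)


def build_example_filter() -> PacketFilter:
    """Constructed rule set; names, ports and addresses are not from the manual."""
    lan_in_to_out = RuleSet("lan-in-to-lan-out", "LAN-in", "LAN-out", [
        Rule("legacy-https", "Inactive", proto="tcp", dport=443),   # skipped
        Rule("allow-https", "Release", proto="tcp", dport=443),
        Rule("block-telnet", "Reject", proto="tcp", dport=23,
             log=True, alarm=True, max_pps=2),
        Rule("refuse-ssh", "Refuse", proto="tcp", dport=22,
             refusal_reason="SSH from LAN-in is not permitted"),
    ])
    return PacketFilter([lan_in_to_out])
```

The Max.Packets/sec case is why the rule dialogue recommends limiting rules that log: in `build_example_filter`, the third Telnet packet within one second is dropped without an event log entry, so a flood of matching packets cannot fill the log or trip the alarm output repeatedly, while the first two are still recorded.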

8.3.5 Cut & Alarm

Configuration

Under Cut & Alarm, you can set up how the firewall should behave in the event of a CUT (breach of a rule).

The display can be updated by using the Apply settings button.

The following menu items are available for selection:

Automatic acknowledgement:

The automatic acknowledgement function automatically releases the lock (CUT) after a preset period.

Manual acknowledgement:

The manual acknowledgement function does not automatically release the lock; the CUT must instead manually be confirmed or acknowledged.

Enable automatic client monitoring recovery acknowledgement

Resets the Cut & Alarm message as soon as the device is available again.

Enable Switched OpenVPN connections when CUT is

If this option is active, the OpenVPN connections will be triggered through the Cut signal.

This only affects OpenVPN "switched" connections from the state to set.

Note:

This option should only be used if the Internal Cut & Alarm is set to Manual.

Status

The CUT & ALARM state display shows the current Alarm mode or Internal cut mode configuration.

8.3.6 LAN-out

All interfaces have their own setup options, which have an impact on how the interface works. Furthermore, individual ports can be activated or deactivated at the LAN-out interface for security reasons.

In order to deactivate a LAN port, untick the box for the respective port.

Confirm this action subsequently with Apply settings.

8.3.7 Service modem configuration

Before activating the Service interface you have to define in which operating mode the service interface is used. You can select between the Dial-in service and the dial service mode.

Note:

For detailed information about the service port, see the use case "Service".

State

The service menu item will show if there is a remote terminal at the service port.

8.3.8 Basic settings

System data

In the System data menu, important data like the system name and the firewall location in the system, as well as the contact name of a potential service employee can be stored.

This information is used for unambiguous identification of the device at its location and of the corresponding contact data, which you can view here in a service case.

Serial no. as system name:

This option is activated as default and uses the device serial number as system name.

For confirming the settings you made, please click on: Apply settings

Date & time

By using the Date & time menu, date and time can be configured.

The firewall does not have a real time clock. Because of that, the settings will fall back to the last saved data.

By entering and activating the IP address of the NTP server, the time setting will automatically be synchronised.

Date and time can either be set automatically via an NTP server or, as an alternative, manually.

Time zone:

The pull down menu allows the proper time zone to be set. GMT (Greenwich Mean Time) represents the Central European time zone, which can be adapted depending on the time shift.

Enable timeserver synchronisation (NTP):

This function allows synchronising date & time via three different NTP servers. As soon as a certain NTP server successfully responds, it will be used.

Please tick the checkbox next to this option and enter the IP-address of the NTP server.

Manual setting of date & time:

Here you can set the current date & time manually.

In order to save your changes, please click on Apply settings.

Note:

The correct setting of date and time is important for creating certificates, for evaluating event log entries, and for time based rules. Without any activated NTP server, settings will be lost after a power cut and must manually be set.

User interface

In the User interface menu, you can set language and apply mode of the web interface.

You can choose between German and English. This is set by using the pull down menu.

In the Save & apply pull down menu, you can choose from the options Apply immediately & do not save or Save only & do not apply.

The Apply immediately & do not save function shows an Apply settings button on all pages of the firewall interface, by means of which all changes in configuration are applied immediately. That means that changed options will have an immediate effect on the firewall functionality right after pushing the Apply settings button. You must save the settings by clicking on the flashing floppy-disk icon in the upper area of the web interface screen in order to permanently retain the new configuration even after a restart!

Warning:

If changes are not saved, all changes will be lost after a power drop.

The Save only & do not apply function shows a Save button on all pages of the firewall web interface. Changed settings will not be applied, but immediately saved instead.

The Please wait dialogue shown when transmitting a page is not applicable here. Instead of the floppy-disk icon, a restart icon, which brings you back to the start page where you can perform a restart, will flash now.

Note:

Exceptional cases, for which the Please wait dialogue is displayed, are specific actions like the PING test or firmware updates.

Confirm your settings by pushing Apply settings.

Certificates

Certificates are used for authentication with L2TP/IPSec or OpenVPN connections and with the HTTPS web server in the firewall. Some demo certificates for test purposes only are already set up in this certificate administration website of the firewall.

If a certificate is uploaded its validity will automatically be verified. An invalid certificate, in which time and date settings do not match the firewall system time, will be displayed as invalid in the validity column. Subsequently, a question mark icon will appear for the invalid certificate, which allows retrieving further information about the system error message in English.

CRL certificates:

The CRL status of a certificate is shown in the line below.

Individual certificates can appear to be invalid if a certificate has been withdrawn using a CRL.

Note:

A client certificate file must contain both, a private key as well as a public certificate portion. The private key must be available in RSA format.


SCEP:

Allows the use of a SCEP certificate service (e.g. NDES in connection with Windows 2008 Server).

If this function is used, a certificate is automatically assigned to the device.

Note:

Refer to the corresponding application example for more details.

Status

Visualises the certificate update process.

8.3.9 Access control

User accounts

Under User accounts, firewall users are created and their access rights are configured individually.


User accounts

Shows the list of currently configured user accounts. Here, you can disable or entirely delete user accounts, if desired.

By enabling a guest account, a user account is created, which enables the guest user to view all device configurations, but does not allow them to make any change.

If the guest account is enabled without assigning a new password, guest is used as the default password. For the initial setup of a guest account password, guest must also be used or entered as the old password.

Change password

By using the Change password function, the password of the corresponding user account can be changed. The password you have defined here is also prompted when opening the web interface from the browser window. To change an existing password, please enter the current password in the Enter old password box. Select a new password, enter it and confirm it by re-entering it in the Confirm password box.

The admin user, which is previously set up and can neither be deleted nor enabled, is the only user account authorised to change the passwords of other users without having to enter the old password first.

New user account

Allows you to create a new user account. A user name and a password must be defined.

Then click on Apply settings in order to create this account.

Note:

The User account menu item is only used for Account administration. The access rights for a certain user account are assigned in the Variable access rights menu item.

© ads-tec GmbH • Raiffeisenstr.14 • 70771 Leinfelden-Echterdingen

IT Infrastructure IF1000

Note:

A freshly created user account must be enabled by checking the "Activate account" checkbox.

Switching between accounts:

The User:xxxx link at the end of the navigation bar switches between accounts.

Enter the credentials of the account you wish to switch to; the new account is then active.

Note:

This link can also be used to log off from the web interface. In the dialogue window that pops up, confirm the action with Cancel.

Note:

The password must have between 4 and 20 characters. Valid characters are 0-9, A-Z, a-z and "-._# /@". The device minimum of 4 characters is far too short for an account that can change the firewall configuration; use the full 20 characters where possible.
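The following Python snippet is an added example and not part of the manual: it checks a candidate password against the character set and length limits stated above, flags the documented guest default, and generates a maximum-length password from the device's own alphabet with the OS random generator. The recommended minimum of 12 characters is an assumption, not a device rule; the space in the quoted character set is treated as allowed because the manual lists it.

```python
import secrets
import string

# Character set and length limits as stated in the manual. The quoted set
# "-._# /@" contains a space; it is treated as allowed here.
ALLOWED_CHARS = string.digits + string.ascii_letters + "-._# /@"
MIN_LEN, MAX_LEN = 4, 20

# Default documented by the manual for the guest account.
DOCUMENTED_DEFAULTS = {"guest"}

# Assumption, not a device rule: a sensible floor for an account that can
# read or change the firewall configuration.
RECOMMENDED_MIN_LEN = 12


def check_password(pw):
    """Return a list of findings for a candidate IF1000 password; empty means OK."""
    findings = []
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        findings.append("length %d outside %d-%d" % (len(pw), MIN_LEN, MAX_LEN))
    bad = sorted({c for c in pw if c not in ALLOWED_CHARS})
    if bad:
        findings.append("disallowed characters: " + "".join(bad))
    if pw in DOCUMENTED_DEFAULTS:
        findings.append("documented default password")
    if len(pw) < RECOMMENDED_MIN_LEN:
        findings.append("shorter than recommended %d characters" % RECOMMENDED_MIN_LEN)
    return findings


def generate_password(length=MAX_LEN):
    """Generate a random password from the device alphabet using the OS CSPRNG.

    The space character is omitted: it is easily lost in copy and paste.
    """
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError("length must be between %d and %d" % (MIN_LEN, MAX_LEN))
    alphabet = ALLOWED_CHARS.replace(" ", "")
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for candidate in ("guest", "abc", "pass!word1234", "Str0ng-Pass_2024#x@"):
        print(repr(candidate), check_password(candidate) or "OK")
    print("generated:", generate_password())
```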

Note:

If you have used the browser's "Save password" option, logging off via the link may not work properly. In that case, disable this setting in your browser or use the browser option that clears all active authentications.


Permissions

Variable permissions assigns the authorisation for certain write operations, e.g. write permission for specific areas, to a newly created user account. In the example, the test user account has been created and is now to be configured.

Each setting can be expanded by clicking on it once. For every setting, the checkbox determines the area to which write access applies.

All changes must be confirmed with the Apply settings button.

To create an additional admin account with the same properties as the default admin account, check the "Default write permission" checkbox. Such an account still differs from the default "admin" account in one respect: only the "admin" user may change the passwords of other users without knowing the old password. With "Default write permission" set, exceptions can be defined by unchecking individual write permissions.


Web access

Webinterface access control allows, depending on the operating mode, enabling access to the web interface on the LAN-in and LAN-out interfaces via HTTP or HTTPS. Additionally, access violations can be reported to the Eventlog. Prefer HTTPS: with plain HTTP the login is readable by anyone on the network path.

For denying a specific access type, you have to untick the checkbox next to the respective option.

Confirm your changes by pushing Apply settings.

LCD configuration

The LCD configuration sets the function of the LC display. The same function can also be set using the front panel buttons on the device.

Lock mode:

This function locks the LCD menu and the front panel buttons; they may be unlocked e.g. by PIN. The following options are available: No Lock, Display and Keys, or Keys only.


8.3.10 Network

1:1 NAT


(Transparent bridge mode view)


(IP router mode view)


Activate 1:1 NAT:

Static mapping of an internal IP subnet to a subnet that can be reached externally. Example: if LAN-out-1 is configured with the public network address 172.16.1.0/24, a private network with the address 192.168.0.0/24 can be entered. A host behind the LAN-out-1 interface with the IP address 192.168.0.1 is then reachable via the LAN-in interface under the IP address 172.16.1.1.

In the IP router (extended) mode, the same private network may be configured on all physical interfaces (LAN-Out-1 to LAN-Out-4 and LAN-In).

Private IP address subnet mask:

The private network address range must be specified in address/subnet mask notation, e.g. 192.168.0.1/24. This makes the firewall itself reachable from the internal network as 192.168.0.1 and, at the same time, defines the connected IP subnet 192.168.0.0/24.
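The following Python class is an added example, not code from the manual or the device. It models the static 1:1 mapping described above: the host part of an address is kept and only the network part is exchanged, in both directions. It also enforces the two conditions that make such a mapping unambiguous (equal prefix lengths, non-overlapping subnets), derives the firewall's own addresses from the 192.168.0.1/24 notation, and returns the public range that must be entered as the IPsec local subnet when 1:1 NAT is combined with IPsec. The addresses used are the manual's own example values.

```python
import ipaddress


class OneToOneNat:
    """Static 1:1 mapping between a private and a public IPv4 subnet.

    Both subnets must have the same prefix length; the host part of an
    address is preserved and only the network part is exchanged, which is
    what the manual's 192.168.0.1 <-> 172.16.1.1 example shows.
    """

    def __init__(self, private_cidr, public_cidr):
        # ip_interface accepts "192.168.0.1/24": the host part names the
        # firewall's own address on the private side, the network is derived.
        priv_if = ipaddress.ip_interface(private_cidr)
        pub_if = ipaddress.ip_interface(public_cidr)
        self.private_net = priv_if.network
        self.public_net = pub_if.network
        if self.private_net.prefixlen != self.public_net.prefixlen:
            raise ValueError("1:1 NAT needs equal prefix lengths, got /%d and /%d"
                             % (self.private_net.prefixlen, self.public_net.prefixlen))
        if self.private_net.overlaps(self.public_net):
            raise ValueError("private and public subnets must not overlap")
        self.host_mask = int(self.private_net.hostmask)
        # Address under which the firewall itself is reached from inside,
        # and its counterpart as seen from LAN-in.
        self.firewall_private_ip = priv_if.ip
        self.firewall_public_ip = self.to_public(str(priv_if.ip))

    def _map(self, addr, src_net, dst_net):
        ip = ipaddress.ip_address(addr)
        if ip not in src_net:
            raise ValueError("%s is not inside %s" % (ip, src_net))
        # Keep the host bits, replace the network bits.
        return ipaddress.ip_address(int(dst_net.network_address) | (int(ip) & self.host_mask))

    def to_public(self, private_ip):
        """Address under which a host on the private side is reached from LAN-in."""
        return self._map(private_ip, self.private_net, self.public_net)

    def to_private(self, public_ip):
        """Reverse mapping applied to packets arriving from LAN-in."""
        return self._map(public_ip, self.public_net, self.private_net)

    def ipsec_local_subnet(self):
        """With IPsec, the local subnet must be the global (public) range."""
        return self.public_net


if __name__ == "__main__":
    nat = OneToOneNat("192.168.0.1/24", "172.16.1.0/24")
    print("firewall:", nat.firewall_private_ip, "->", nat.firewall_public_ip)
    print("192.168.0.77 ->", nat.to_public("192.168.0.77"))
    print("172.16.1.200 ->", nat.to_private("172.16.1.200"))
    print("IPsec local subnet:", nat.ipsec_local_subnet())
```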

Note:

The 1:1 NAT option cannot be used together with the regular NAT option.

Note:

If 1:1 NAT is used together with IPsec, 1:1 NAT is also applied to the IPsec connection. The same global (public) address range that is configured under IP configuration must therefore be entered as the local subnet in the IPsec menu.


DNS


Hostname:

The DNS host name of the device itself; it is used e.g. in Eventlog messages.

Serial number as host name:

This option is enabled by default and uses the device serial number as the host name.

Domain name (search suffix):

The search suffix is appended to all DNS queries.

DNS server:

At least one DNS server must be configured so that host names can be resolved to IP addresses. The device uses it to resolve all host names entered in the various parameters.

Register hostname at DHCP server:

If enabled, the configured host name is transmitted with every DHCP request sent by the device, so that it is registered at the DHCP server.

State:


Note:

If the DHCP server supports dynamic DNS updates according to RFC 2136, this results in a valid DNS entry for the host name on the DNS server.


Note:

The following pages accept DNS names: Date & time, Software update, SNMP Trap receiver, OpenVPN client connection (OpenVPN endpoints), Ping test, Syslog server and Syslog to Email server.

Note:

Manually made settings are dynamically overwritten if an interface is configured with DHCP or PPPoE.


Dynamic IP routing

There are two options for IP routing: dynamic routing using standard routing protocols, and a static routing table.

A static route forwards IP packets destined for a certain network to a gateway (for further processing by that gateway). A network is defined by an IP address and a subnet mask, which indicates how many bits, counted from the left, are fixed.

For instance, all addresses of the form 192.168.5.x (3 bytes = 3*8 bits = 24 bits) belong to the network with IP address 192.168.5.0 and subnet mask /24.

Another example is 192.168.0.0/16. All addresses of the form 192.168.x.x (2 bytes = 2*8 bits = 16 bits) belong to this network.

Because of the relationship between destination address and subnet mask, a route destination cannot be specified more precisely than its subnet mask allows. In other words, no bit of the destination address may be 1 where the corresponding bit of the subnet mask is 0.

The gateway specifies the forwarding or next-hop IP address through which the address range defined by destination address and subnet mask is reached.

For directly connected subnet routes, the gateway address is the IP address assigned to the interface connected to that subnet. For remote routes reachable via one or more routers, the gateway address is an IP address of a neighbouring router that can be reached directly.


Note:

All interfaces can be configured using the Type, Password and Enabled interface functions. The Log level menu defines whether, and how verbosely, status and error messages are output.

The following protocols are available for dynamic routing on the selected interface:

Type

RIP (Routing Information Protocol):

RIP and OSPF are both used for dynamic creation of routing tables. RIP uses the distance vector method.

OSPF: provides loop-free routing and uses the Shortest Path First algorithm.

Both:

Both protocols are used simultaneously with this option.

Password

The Password box is optional. If a password is entered, all OSPF/RIP routing packets are authenticated, so that incorrectly configured routers are excluded from the routing domain.

Note:

The password is sent in plain text! Anyone who can capture routing traffic on the segment can read it, so it protects against misconfiguration, not against a deliberate attacker injecting routes.

Enabled interface

RIP:

If the checkbox is ticked (enabled), router advertisements are sent on this interface. If it is left empty (disabled), only incoming router advertisements are accepted, and if advertisements are present, the interface is added to the other enabled interfaces.

OSPF:

With the checkbox disabled, the interface is only added to the other enabled interfaces if router advertisements are present. Unlike RIP, incoming router advertisements are not considered.

Log level

None:

No dynamic routing messages are logged in the Eventlog.

Info:

Only a small number of status messages and critical errors are displayed.

Debug:

Comprehensive status messages, as well as error messages are displayed.

Verbose:

Detailed status and error messages, as well as information about all sent and received packets of the dynamic routing process is logged.


Add new static IP route

Using a static IP route, IP packets can be forwarded to a specific gateway.

Destination network:

Enter the destination network as an IP address.

Network mask:

Enter the network mask of the destination network

Gateway:

Enter the gateway of the destination network here.

Metric:

The metric is a numeric measure of the cost of a certain connection within the network. The Metric box is used in connection with dynamic IP routing. The admissible values are 0-100.

Interface:

Network interface for this entry.
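The following Python function is an added example, not code from the manual or the device. It applies the checks described in the Dynamic IP routing section to a static route entry before it is entered: the netmask must be contiguous, the destination must not have host bits set where the mask is 0, the metric must be within 0-100, and the gateway must lie in the directly connected subnet of the selected interface. The interface table and all addresses are constructed sample values.

```python
import ipaddress

# Constructed example interface table (hypothetical addresses, not from the
# manual): interface name -> its own IP address with prefix length.
INTERFACES = {
    "LAN-in": "10.0.0.254/24",
    "LAN-out-1": "192.168.5.1/24",
}


def netmask_is_contiguous(mask_int):
    """True if the 32-bit mask has the form 1...10...0, as a subnet mask must."""
    inverted = ~mask_int & 0xFFFFFFFF
    # A contiguous block of trailing ones plus one is a power of two.
    return inverted & (inverted + 1) == 0


def validate_static_route(destination, netmask, gateway, metric, interface,
                          interfaces=INTERFACES):
    """Check a static route entry before applying it. Returns a list of findings."""
    findings = []
    try:
        dest = ipaddress.IPv4Address(destination)
        mask = int(ipaddress.IPv4Address(netmask))
        gw = ipaddress.IPv4Address(gateway)
    except ValueError as exc:
        return ["invalid address: %s" % exc]

    if not netmask_is_contiguous(mask):
        findings.append("netmask %s is not contiguous" % netmask)
    else:
        # No destination bit may be 1 where the mask bit is 0.
        host_bits = int(dest) & (~mask & 0xFFFFFFFF)
        if host_bits:
            network = ipaddress.IPv4Address(int(dest) & mask)
            findings.append("destination %s has host bits set; the route covers %s"
                            % (dest, network))

    if not 0 <= metric <= 100:
        findings.append("metric %d outside the admissible range 0-100" % metric)

    if interface not in interfaces:
        findings.append("unknown interface %s" % interface)
    else:
        # The gateway must be directly reachable on the chosen interface.
        connected = ipaddress.ip_interface(interfaces[interface]).network
        if gw not in connected:
            findings.append("gateway %s is not in %s, the directly connected subnet of %s"
                            % (gw, connected, interface))
    return findings


if __name__ == "__main__":
    for route in (("192.168.7.0", "255.255.255.0", "192.168.5.2", 10, "LAN-out-1"),
                  ("192.168.7.5", "255.255.255.0", "192.168.5.2", 10, "LAN-out-1"),
                  ("192.168.7.0", "255.255.0.255", "172.16.0.1", 200, "LAN-out-1")):
        print(route, validate_static_route(*route) or "OK")
```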

Status

The Status page shows all currently enabled IP routes.

The following routes are displayed in this example:

Line 1: Default gateway

Line 2: Routes created by the interfaces belonging to the device

Line 3: Added static route

Line 4: Routes created by the interfaces belonging to the device

Line 5: Added dynamic route


Port forwarding

The Port forwarding menu item forwards connections arriving on freely selectable ports to computers/addresses in the network behind the firewall.

Before a port forwarding is created, its purpose must be clear: every forwarded port exposes the target host to whoever can reach the public side.

The private port and the private IP address refer to the local network (intranet). If no routing is used but a private network instead, the Private IP address box is used.

The public port is the port on which connections from outside the local network are accepted.

Note:

Refer to the corresponding application example for more details.

Note:

Using the Public IP address box, 1:1 NAT can be combined with port forwarding and regular NAT.


VLAN 802.1Q

VLAN identifiers (VLAN tags) can be used with the built-in firewall mechanisms to set up virtual subnets and to separate data traffic. Each subnet uses a unique number (VLAN ID) to identify its Ethernet frames. A device in the VLAN with ID 1 can communicate with any other device in the same VLAN, but not with a device in another VLAN with ID 2, 3, etc.

Prioritisation with VLAN is also possible. One priority can be specified per frame (see Prioritisation menu item). This allows e.g. control data to be forwarded with higher priority while HTTP data is held back.

The firewall uses an uplink port from which it forwards frames to exactly one other port, the destination port. A frame arriving at the destination port is output at the uplink port with the corresponding VLAN ID. With an individual VLAN ID per port, a separate VLAN is set up between the uplink and each port.

The VLAN functionality according to 802.1Q is started with the Enable 802.1q VLAN option.

The Activate ingress filtering option discards all frames whose VLAN identifier does not match the port VLAN ID.

With the Untag on egress option, VLAN tags are removed on a destination port. Frames without a tag arriving at the destination port are tagged with the VLAN ID of that port. As a result, a device at the destination port does not require any VLAN configuration of its own. Leave ingress filtering enabled: without it, a device at the destination port can inject frames tagged with a foreign VLAN ID and reach another VLAN through the uplink.

The VLAN ID can be entered in the following input boxes for the LAN-in interface and for the four ports of the managed LAN-out switch.
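The following Python code is an added example, not code from the manual or the device. It parses and inserts real 802.1Q tags (TPID 0x8100, 16-bit TCI) in raw Ethernet frames and models the per-port behaviour described above: an untagged frame from a device is tagged with the port VLAN ID on its way to the uplink, ingress filtering drops frames carrying a foreign VLAN ID, and a frame from the uplink is delivered only to the port whose VLAN ID matches, untagged if Untag on egress is set. The sample frame and port names are constructed; treating a priority-only tag (VID 0) like an untagged frame and dropping untagged frames from the uplink are modelling assumptions, not documented device behaviour.

```python
import struct

TPID_8021Q = 0x8100


def parse_frame(frame):
    """Split an Ethernet frame into (vlan_id, priority, untagged_frame).

    vlan_id is None for untagged frames. A tag with VID 0 is priority-only
    (assumption: treated like an untagged frame, the priority is kept).
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return None, 0, frame
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack("!H", frame[14:16])
    vid, pcp = tci & 0x0FFF, tci >> 13
    untagged = frame[:12] + frame[16:]          # drop TPID + TCI
    return (vid or None), pcp, untagged


def add_tag(untagged_frame, vid, pcp=0):
    """Insert an 802.1Q tag after the source MAC address."""
    tci = (pcp << 13) | (vid & 0x0FFF)
    return untagged_frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + untagged_frame[12:]


class Port:
    """One LAN-out switch port with its port VLAN ID (PVID)."""

    def __init__(self, name, pvid, ingress_filtering=True, untag_on_egress=True):
        self.name, self.pvid = name, pvid
        self.ingress_filtering = ingress_filtering
        self.untag_on_egress = untag_on_egress

    def to_uplink(self, frame):
        """Frame from the attached device. Returns the frame as sent on the
        uplink (always tagged), or None if ingress filtering drops it."""
        vid, pcp, untagged = parse_frame(frame)
        if vid is None:
            return add_tag(untagged, self.pvid, pcp)   # tag with the port VLAN ID
        if self.ingress_filtering and vid != self.pvid:
            return None                               # foreign VLAN ID: discard
        return frame

    def from_uplink(self, frame):
        """Tagged frame from the uplink. Returns the frame as delivered to the
        device, or None if this port is not a member of its VLAN."""
        vid, pcp, untagged = parse_frame(frame)
        if vid != self.pvid:
            return None
        return untagged if self.untag_on_egress else frame


def forward_from_uplink(frame, ports):
    """Deliver a frame from the uplink to every port in its VLAN: name -> frame."""
    out = {}
    for port in ports:
        delivered = port.from_uplink(frame)
        if delivered is not None:
            out[port.name] = delivered
    return out


# Constructed sample frame: dst MAC, src MAC, EtherType 0x0800 and a dummy payload.
SAMPLE_UNTAGGED = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
                   + b"\x08\x00" + b"payload")

if __name__ == "__main__":
    p10, p20 = Port("LAN-out-1", 10), Port("LAN-out-2", 20)
    print("untagged in on PVID 10 ->", parse_frame(p10.to_uplink(SAMPLE_UNTAGGED))[:2])
    print("VID 20 in on PVID 10 ->", p10.to_uplink(add_tag(SAMPLE_UNTAGGED, 20)))
    print("VID 10 from uplink ->", list(forward_from_uplink(add_tag(SAMPLE_UNTAGGED, 10), [p10, p20])))
```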


Network groups

The network group function groups IP addresses and IP subnets for use in Packet filter rules. The status line reports where the group is used; "Used in 1 rule(s)" is shown if a group is used once in the Packet filter.

The rule as shown here would result in 2 system entries.

Note:

The use of != with network groups in the layer 2 Packet filter is not supported.


Hardware groups

The hardware group function groups MAC addresses for use in Packet filter rules. The status line reports where the group is used; "Used in 1 rule(s)" is shown if a group is used once in the Packet filter.

Note:

Hardware groups can only be used in layer 2 rulesets, because only there can MAC addresses be filtered. A MAC address is not an authentication token; it can be set freely by the sender, so a hardware group limits accidental access, not a deliberate one.


8.3.11

VPN

The VPN menu item allows establishing a Virtual Private Network connection based on an OpenVPN implementation.

OpenVPN

HTTP / HTTPS proxy settings for clients

An HTTP proxy can be used for the OpenVPN client. If a proxy is used, the corresponding fields must be filled in.

IP address pool settings for OpenVPN server:

OpenVPN can assign IP addresses to clients automatically, similar to DHCP. With this option activated, each client automatically receives an IP address and subnet mask from the specified range. The option can only be used on a single server entry. The address range must lie within the IP subnet of the LAN-out / LAN-out (internal) interface, or within the subnet of the L3 VPN interface in the case of a layer 3 connection, and must not overlap with the DHCP server range or with addresses already used by other devices. Server device selects the entry of the OpenVPN table on which the address assignment is used. If the drop-down field is empty, a server entry has to be created first.


OpenVPN / DHCP settings for client

One of the OpenVPN client connections can be used to obtain the IP settings of the LAN-out / LAN-out (internal) interface.

Additionally, the IP assignment drop-down box for LAN-out / LAN-out (internal) has to be set to OpenVPN/DHCP. Client device selects the entry of the OpenVPN table to be used; only one entry is possible. If the drop-down field is empty, a client entry has to be created first. Independently of the default gateway, the OpenVPN server can push several static routes; the checkbox decides whether they are applied. Whether a pushed default gateway is applied is configured on the IP configuration page.


Additional Settings:

By default, the log level "info" is active. It is intended for normal operation and reports simple status information and critical errors. The log levels "debug" and "verbose" are intended for troubleshooting when a connection does not come up; they involve a significant performance loss.

Add new OpenVPN entry:

The OpenVPN menu item is available for defining and configuring OpenVPN connections.

Server/Client

In the pull-down menu, define whether the firewall should work as a server or as a client.

In server mode, the device opens a listening TCP port to which several clients can connect. The port is assigned automatically, starting at 1194 and incrementing for each further server entry.


In client mode, a connection is established to a remote endpoint running in server mode. The endpoint must be specified in the form IP address:Port.

Certificate:

Select the desired certificate from the pull down menu. For confirming your settings, please select Apply settings.

State

In order to display the current status, please select OpenVPN state, and the website will either display the states or the message "OpenVPN table is empty" if no VPN connection has been configured yet.


L2TP

L2TP allows establishment of VPN connections from a Microsoft Windows system to the firewall. In this case, the firewall works as a server and allows up to ten client connections.

After activating this functionality by using the Activate L2TP/IPSec server option, the interface, over which the VPN communication should take place, must be selected.

Additionally, a local IP address is assigned to the dynamically generated adapter. This address should be in the same subnet as LAN-in and LAN-out.

Authentication can now either be performed by using a PSK (preshared key) or a certificate.

Note:

If traffic via the L2TP/IPsec adapter is to be filtered, the user IP of the L2TP user entries must be added as a criterion in the Packet filter. A separate interface is not available; select * (any interface) instead.

Note:

This function requires Windows XP SP2 or later on the remote terminal. Windows 2000 must have the corresponding Microsoft updates for L2TP VPN installed. Mac OS X is not supported.

Note:

This function is not supported if the L2TP connection is to be configured via a modem locally connected with the firewall.


IPsec

IPsec encrypts the entire communication between this device and a remote endpoint at IP level. Subnets located behind the remote terminal can be included in the encrypted connection.

Enable IPsec:

Enables / disables the IPsec function.

Enable NAT traversal:

This function must be enabled if the remote terminal is located behind NAT.

Limit MTU:

IPsec encapsulates IP packets, which increases their size, causes fragmentation and reduces network performance. In that case it can help to enable this option and limit the size of outgoing packets.

To encrypt a connection between the firewall and a remote terminal, the following data must be specified.

Enable PFS:

With Perfect Forward Secrecy, a temporary session key is generated to protect the data.

This session key is renewed at short intervals and provides additional security: a later compromise of the long-term key does not expose recorded sessions.

Allow weak encryption:

If the remote terminal proposes a non-secure algorithm (DES or DH group 1), it is accepted. Leave this option disabled unless a legacy peer requires it.

Local interface:

Select the interface over which the IPsec tunnel should be created.

Local nexthop:


The IP address or host name of the next router can be specified here for improved availability.

Use default route:

Uses the standard gateway, which has been set up manually or via a DSL connection, as the next router.

Local subnet:

This option specifies the subnet, the traffic of which towards the remote terminal is to be encrypted. The subnet must be defined as an IP/netmask, e.g. as 192.168.0.0/24. The interface IP-address is used, if no data is entered.

Authentication method:

Authentication can be performed either with a PSK (preshared key) or with a certificate. Certificates are the more secure setting.

PSK:

The generated PSK is entered here.

Certificate:

Using this certificate, the device authenticates itself at the remote terminal.

Send certificates:

Here you can set up when certificates should be sent.

Log Level:

By default, the log level "info" is active. It is intended for normal operation and reports simple status information and critical errors. The log levels "debug" and "verbose" are intended for troubleshooting when a connection does not come up; they involve a significant performance loss.

Note:

The IF1000 firewall also uses the following IPsec default parameters:

● Dead Peer Detection timeout: 120 seconds

● IKE lifetime: 1 h

● SA lifetime: 8 h


Add new connection:

Operational mode:

Active:

In active mode, the firewall will permanently try to establish a connection with the remote terminal.

Passive:

In passive mode, the firewall will wait until the remote terminal tries to establish a connection. This mode is required if the IP address of the remote terminal is unknown.

Local ID:

The local ID identifies this device to the remote terminal in a PSK connection. If this box is left blank, the IP address is used.

Remote IP address:

The IP address of the remote terminal is specified here.

CA certificate:

In order to be accepted, the certificate of the remote terminal must be signed by this CA.

Remote ID:

If the certificate of the remote terminal is known, its identity can be copied and pasted here.

Remote subnet:

The subnet of the remote terminal is entered here. The subnet must be defined as IP/netmask, e.g. 192.168.0.0/24. If nothing is entered, the interface IP address is used.


8.3.12 Utilities

DHCP server

The built-in DHCP server can be used for distributing IP addresses. By default it is, however, turned off and may be activated by using the Activate DHCP server option.

Note:

The range of IP addresses must lie within the subnet of the interface used!

The interfaces on which the DHCP server responds to client requests are specified under On following interfaces. The pool range can be set up separately for each interface.

In addition to distributing IP addresses, the DHCP server can also transmit a domain search suffix and up to three DNS server addresses to DHCP clients. The device uses an internal DNS cache for all queries. If the firewall does not use a static IP address of its own but works as a DHCP client, this data is overwritten by the DHCP server used in that case.


(IP router view)

LAN-out ports may be configured individually in the IP router extended mode.

DHCP relay:

In IP router mode, a DHCP relay can be enabled as an alternative to the DHCP server. The DHCP relay forwards DHCP requests across Ethernet segments. In DHCP relay mode, all interfaces on which DHCP requests are received, as well as the interface on which the actual DHCP server is located, must be selected.

Automatic relay IP:

If this function is activated, the firewall itself works as a DHCP server and responds to requests from the selected interface.

Relay IP address:

Here you'll have to enter the IP address of the DHCP server.


(IP router view)

LAN-out ports may be configured individually in the IP router extended mode.


Dynamic DNS

The dynamic DNS option enables communication with a remote terminal that is reachable via the Internet. An account can be set up on the website www.dyndns.org, where DynDNS domains can be created. The User name, User password and the domain registered at Dyndns.org are entered here. With this function turned on, the firewall makes an IP address located behind it reachable under this DynDNS domain.

The correct Network interface must be selected for this function to work. The setting depends on how the firewall is connected to the Internet. If, for instance, an analog modem is used, it is usually connected to the service port, so Service modem must be selected. PPPoE should be selected if the firewall is connected to the Internet via a conventional LAN connection.

Web server

Access to the firewall web interface via HTTP or HTTPS is set up in the Web server > Access control menu.

The web server integrated in the firewall for configuration can only be reached via the activated protocols.

Note:

Assign an individual certificate to each firewall for optimum security. If several devices share one certificate and key, a key compromise on any one of them affects all of them.


SNMP

The Simple Network Management Protocol (SNMP) allows network resources such as routers, switches or servers to be administered and monitored from a central location. The protocol not only controls communication between the monitored device and the monitoring station but also allows error detection and notification.

Enable SNMP:

Enables or disables the SNMP protocol.

SNMP v1/v2:

With SNMP activated, the first or second protocol version is used. These versions are neither authenticated nor encrypted beyond the community name, which itself travels in clear text, and are therefore not sufficiently secure.

SNMP v3:

With SNMP activated, the third SNMP protocol version is used. It provides additional protection through user name and password.


SNMP read only access / SNMP read/write access:

Note:

Select read-only or read/write access rights according to your requirements, and fill in the corresponding mask. Grant read/write access only where the management station actually needs to change settings.

SNMP Community Name:

The name entered here acts like a password. Frequently used default settings are private and public; do not use them.

SNMP Community IP:

Access to the specified Community Name is restricted to the following IP address.

Note:

If you want to allow all source IPs, select the following IP: 0.0.0.0

SNMP Community network mask:

Here you must enter the corresponding network mask for this IP address.

SNMP v3 username and encryption:

Note:

This function is only available if SNMPv3 was selected. Select read-only or read/write access rights according to your requirements, and fill in the corresponding mask.

User name:

Assign a user name for authentication with the SNMPv3 protocol.

Password:

Assign a password to your user name.

Note:

The authentication protocol used for this login is MD5. This is the weakest SNMPv3 authentication option and cannot be changed on the device; compensate by restricting the permitted source IP range and by configuring the encryption key.

Preshared Key for encryption:

The preshared key (PSK) is a key consisting of numbers and letters that can be used in addition to user name and password; it enables encryption of the SNMPv3 traffic. A randomly generated key can be created with the "Generate PSK" button.
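The following Python function is an added example, not code from the manual or the device. It audits an SNMP configuration against the points made in this section: v1/v2 in use, the well-known community names private and public, a community reachable from any source IP (0.0.0.0) or from a broad range, read/write access, a short v3 password, a missing encryption PSK, and the fixed MD5 authentication. The configuration dictionaries are constructed samples whose field names are modelled on the menu labels above; they are not the device's export format.

```python
import ipaddress

# Constructed sample configurations (field names are assumptions modelled on
# the manual's menu labels, not the device's own export format).
WEAK_CONFIG = {
    "enabled": True,
    "version": "v2",
    "read_write": {"community": "private", "ip": "0.0.0.0", "netmask": "0.0.0.0"},
}

HARDENED_CONFIG = {
    "enabled": True,
    "version": "v3",
    "read_only": {"community": "r0-Tq8mwx2", "ip": "10.0.0.0", "netmask": "255.255.255.0"},
    "v3": {"username": "nms-ro", "password": "Vb7#kQ2p_Lm9", "psk": "9f3a1c5e7b2d4a6c"},
}

MD5_NOTE = "v3: authentication protocol is MD5 (fixed by the device); restrict the source range to compensate"


def source_range(community):
    """Source network allowed for a community, from the IP and dotted netmask fields."""
    return ipaddress.ip_network("%s/%s" % (community["ip"], community["netmask"]), strict=False)


def audit_snmp(cfg):
    """Return findings for an SNMP configuration; an empty list means nothing to flag."""
    findings = []
    if not cfg.get("enabled"):
        return findings
    version = cfg.get("version")
    if version in ("v1", "v2"):
        findings.append("SNMP %s: community name and data travel in clear text; use v3" % version)

    for access in ("read_only", "read_write"):
        community = cfg.get(access)
        if not community:
            continue
        name = community.get("community", "")
        if name.lower() in ("public", "private"):
            findings.append("%s: well-known community name %r" % (access, name))
        elif len(name) < 8:
            findings.append("%s: short community name" % access)
        try:
            src = source_range(community)
        except ValueError as exc:
            findings.append("%s: invalid source IP/netmask (%s)" % (access, exc))
            continue
        if community["ip"] == "0.0.0.0":
            findings.append("%s: reachable from any source IP (0.0.0.0)" % access)
        elif src.prefixlen < 24:
            findings.append("%s: broad source range %s" % (access, src))
        if access == "read_write":
            findings.append("read/write access enabled; a write community can change the configuration")

    if version == "v3":
        v3 = cfg.get("v3", {})
        if len(v3.get("password", "")) < 8:
            findings.append("v3: short authentication password")
        if not v3.get("psk"):
            findings.append("v3: no encryption PSK, traffic is authenticated but not encrypted")
        findings.append(MD5_NOTE)
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label)
        for finding in audit_snmp(cfg):
            print("  -", finding)
```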


Enable SNMP trap generation:

Enables or disables the SNMP trap function. With the function enabled, events such as Link Up / Link Down can be received and traced back. Since the trap includes the sender's IP address, the receiver can trace from which device the message originated.

SNMP Trap Community Name:

Here you enter the Community Name for traps.

SNMP Trap Receiver IP:

Enter the IP address of the trap receiver here.

Modbus TCP

Modbus TCP allows a PLC to control device functions via Ethernet and to retrieve status information. Communication services (Service, IPsec and OpenVPN) can be controlled on the firewall and Cut & Alarm messages acknowledged using this protocol.

Enable Modbus TCP server:

If the function is enabled several aspects may be controlled via Modbus TCP.

Server port:

If a specific port should be used for enquiries, it can be defined in this place. Port 502 is the default setting.

Client address:

To restrict access to a specific client, an IP address or host name can be entered. By default all clients can connect; restrict this, since Modbus TCP itself carries no transport encryption.

Password:

Here you can define a Password, which is prompted in the client login. This password must be re-entered in the Confirm password box.

Verbose logging:

By default, only access violations are reported. Using this option you can log additional information.


Client monitoring

The integrated client monitoring function monitors terminals for their availability in the network. The clients to be monitored are added to the Current monitoring table and are checked cyclically for availability using ICMP messages.

If a monitored client is no longer reachable, an action can be triggered: an alarm signal or a CUT event.

Note:

To check the response time of the ICMP replies, hover over the LED icon in the State box to display a tool tip.

Note:

A change in state triggers an e-mail notification if a valid address is stored in the optional E-mail server and E-mail address boxes.


Shared folders

By using this menu item, folders can be shared, which might then e.g. be used for performing a virus scan via the firewall.

Access must be configured first in order to set up a shared folder.

You enable sharing by clicking on the checkbox. In the Computer name box you can specify the name of the computer or the IP address. Additionally, you have to specify the corresponding Password (user account password in Windows).

Access configuration can be completed by using the Apply settings button.


In order to set up a new shared folder, you have to enter the computer name on which the shared folder is located or the corresponding IP address in the Computer name box. The domain name can be entered here if the computer for sharing is part of a domain.

With the User and Password boxes, the user information will be specified, for which access to the shared folder will be permitted. The user data entered are used for limiting access to the shared folder. You enter the name of the shared folder in the Shared folder box.

Confirm your entry by clicking on Add entry.

Your shared folder will appear in the upper window section.

Note:

The "Shares" from the list are mapped as a whole to a directory on the firewall, and can then be addressed from Explorer on the accessing computer by using e.g. \\192.168.0.254\share. This is not a filtering of shares, but a collective share: every share in the list becomes reachable through that one directory on the firewall.

8.3.13 Prioritisation

The prioritisation function integrated in the firewall is used for differentiated treatment of data flows between different interfaces. This way, it is possible to prioritise packets or to limit the bandwidth for certain protocols.

Prioritisation is enabled by entering a maximum bit rate as well as at least one prioritisation class. For instance, you would enter a maximum bit rate of 51,200 kbit/s if the connected Ethernet infrastructure offers a maximum throughput of 50 Mbit/s (50 x 1,024 kbit/s).

Criteria for prioritisation classes cannot be combined in all possible variations. Selecting IP and VLAN at the same time, for example, is excluded by the working principle.

(IP router extended view)

LAN-out ports may be configured individually in the IP router extended mode.

Note:

At least two classes must be created if you want to prioritise a specific data flow. The class to be created gets the lowest priority value in the Priority option box and so specifies the prioritised data traffic. This ensures that the prioritised data flow of the first class will have sufficient bandwidth.

Note:

A numerically small value in the Priority input box means the shortest delay for Ethernet packets, while a high value corresponds to a long delay!
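The same class model expressed as Linux tc/HTB commands, as an added example for this page (not the IF1000's own implementation; the manual does not say what the device uses internally). It enforces the rules stated above before producing any command: a maximum bit rate must be set, at least two classes are needed, the numerically smallest priority value gets the shortest delay, and IP and VLAN criteria cannot be combined in one class. The interface eth1, the class names, the rates and the IP match are assumptions.

```python
"""Linux tc/HTB equivalent of the prioritisation classes described above.

Added example, not the IF1000's own code: the IF1000 is configured through
its web interface and the manual does not say what it uses internally. The
interface name, class names, rates and match criteria are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class PrioClass:
    name: str
    priority: int                    # small value = short delay (HTB 'prio')
    rate_kbit: int                   # guaranteed bandwidth
    ip: Optional[str] = None         # destination IP/prefix (assumed criterion)
    vlan: Optional[int] = None       # 802.1Q VLAN id (assumed criterion)
    ceil_kbit: Optional[int] = None  # may borrow up to this; default: link maximum


def check_classes(max_kbit: int, classes: List[PrioClass]) -> Optional[str]:
    """Return the first violated rule from the manual, or None if all pass."""
    if max_kbit <= 0:
        return "a maximum bit rate is required to enable prioritisation"
    if len(classes) < 2:
        return "at least two classes are needed: the prioritised flow and the remainder"
    if sum(c.rate_kbit for c in classes) > max_kbit:
        return "guaranteed rates exceed the maximum bit rate"
    for c in classes:
        if c.ip is not None and c.vlan is not None:
            return f"{c.name}: IP and VLAN criteria cannot be combined"
    return None


def build_tc(dev: str, max_kbit: int, classes: List[PrioClass]) -> List[str]:
    """Return the tc commands for one egress interface, or raise ValueError."""
    err = check_classes(max_kbit, classes)
    if err:
        raise ValueError(err)
    ordered = sorted(classes, key=lambda c: c.priority)
    class_ids: Dict[str, int] = {c.name: 10 + i for i, c in enumerate(ordered)}
    # unmatched traffic goes to the first class without criteria, otherwise
    # to the class with the largest (slowest) priority value
    fallback = next((c for c in ordered if c.ip is None and c.vlan is None), ordered[-1])
    cmds = [
        f"tc qdisc add dev {dev} root handle 1: htb default {class_ids[fallback.name]}",
        f"tc class add dev {dev} parent 1: classid 1:1 htb rate {max_kbit}kbit ceil {max_kbit}kbit",
    ]
    for c in ordered:
        cid = class_ids[c.name]
        ceil = c.ceil_kbit if c.ceil_kbit is not None else max_kbit
        cmds.append(f"tc class add dev {dev} parent 1:1 classid 1:{cid} htb "
                    f"rate {c.rate_kbit}kbit ceil {ceil}kbit prio {c.priority}")
        if c.ip is not None:
            cmds.append(f"tc filter add dev {dev} parent 1: protocol ip prio {c.priority} "
                        f"u32 match ip dst {c.ip} flowid 1:{cid}")
        elif c.vlan is not None:
            cmds.append(f"tc filter add dev {dev} parent 1: protocol 802.1Q prio {c.priority} "
                        f"flower vlan_id {c.vlan} flowid 1:{cid}")
    return cmds


def example() -> List[str]:
    """50 Mbit/s uplink entered as 51,200 kbit/s, as in the manual's example."""
    return build_tc("eth1", 51200, [
        PrioClass("voip", priority=1, rate_kbit=2048, ip="192.168.1.10/32"),
        PrioClass("rest", priority=7, rate_kbit=10240),
    ])


if __name__ == "__main__":
    print("\n".join(example()))
```

The second class with no criteria is what the note about "at least two classes" is for: it is the HTB default class that absorbs everything not matched, so the prioritised class keeps its guaranteed rate instead of competing with unclassified traffic in one queue.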

8.4 System main menu item

8.4.1 Backup settings

Using the backup settings you can perform a backup or recovery of the device configuration. A backup can also be restored to several devices, provided they use the same firewall firmware version.

Manually save and restore the system settings

For saving your data in a file, please click on: Manually save and restore settings in a file.

Note:

The file name is predefined and cannot be set in the web interface. The file can be renamed when choosing the location for saving, but the file extension *.cf2 may not be changed.


Select Download settings. You will be asked to save the settings.cfg file. Click on Save, select a location for saving, and click on Save one more time. The file contains the complete device configuration, including any credentials stored in it (e.g. share, PPPoE or proxy passwords), so protect it as carefully as the device itself.

Restoring the device configuration

Click on Look in and select the settings.cfg file in order to load your backup settings. Confirm this action with Open. Subsequently click on the Restore settings button.

Settings will be loaded or restored after restarting the device.

8.4.2 Software update

The firewall firmware may be updated using the Software update function. This can be done in three different ways:

Updating via Online Update

By using the Check button, you can check whether an update is available or not. The ads-tec website must be reachable via the Internet in order to use this function.

Updating via a firmware server

It is possible to update the firmware via an FTP, TFTP or HTTP server. None of these transports authenticates the server or the file, so run the update server only on a trusted local network segment and serve only the firmware file you obtained from ads-tec.

Updating via browser upload

If the file was stored locally, the firmware file can be selected directly. Confirm your selection with Upload via Browser Upload.

Procedure:

1) Save the firmware file in a local folder of your choice on the PC.

2) Start the desired server utility or use a freeware programme like tftpd32 (available on the ads-tec service CD) in order to update your firmware. Also consider the local firewall settings on your PC so that the communication with the firewall is not barred.

3) Now, specify the folder path in which the new firmware is located under Browse and confirm it with OK.

Note:

Be sure that the name of the firmware file ends with .bin, for example: Ads-tec-IF1xxx-X.X.X-SVN-R10923M.B-7251.bin

4) We recommend that you select Set the factory defaults of the new firmware before starting the update process.

5) Start the update process now, by Upload from server.

This dialogue window will appear during the firmware update.

As soon as the Link LED on the selected port lights continuously and the ACT LED is off, you can push the Try to reconnect button for confirmation.

The browser will now try to reach the web interface again. If the update process was successful, the updated software version will be displayed.

Warning:

Under no circumstances should the power supply be interrupted during this process!

8.4.3 Factory defaults

This menu item allows restoring the factory defaults by software.

The default settings of the device will be loaded by clicking on the Restore to factory defaults button.

In the web window which appears after that, you can click on Try to reconnect. The browser will then try to reach the web interface again; if the reset was successful, the web interface is displayed with the default settings.

Warning:

All settings will be reset. All created filter rules will be deleted. Should you not be able to get back to the web interface after resetting to factory defaults, adapting the IP address of your PC accordingly might be required.

The following defaults are set:

• Transparent bridge operating mode

• IP 192.168.0.254

• User name: admin, Password: admin

After a reset the well-known default credentials are active again and the packet filter is empty: change the admin password and restore or rebuild the filter rules before reconnecting the device to an untrusted network.

8.4.4 Save

All system settings made can be saved with the Save function. The settings can additionally be saved to a SIM card.

8.4.5 Reboot

Reboots the system.

8.5 Information main menu

8.5.1 General

The General menu item shows the basic device information.

Vendor:

This box shows all relevant data about ads-tec GmbH as the manufacturer.

Device information:

The Device information field shows all relevant device data like type, model and firmware version.

User defined:

The User defined section displays customer-specific device data.

8.5.2 Technical data

The Technical data screen displays General data for commissioning and the Permissible power supply data for the device.

8.5.3 Hardware installation

On this page you'll find which installation options are available for the firewall.

8.5.4 Local diagnostics

The Local diagnostics page shows the LED display functions with different system activities.

8.5.5 Sitemap

The Sitemap displays the web interface in a tree structure with all submenus for easy navigation.

9 Technical details

9.1 Display data

Display: Active monochrome liquid crystal display, 128x64 pixels, fully graphical, backlit

9.2 Computer data

Hardware: Intel IXP 425 / 533MHz

Random access memory: 64MB RAM

Flash memory: 32MB

Operating system: Embedded Linux

Configuration protocol: http, https

Keys: 4 membrane keys for directional navigation and input; 1 ESC membrane key, 1 Return membrane key

Power supply: 24V DC +/- 20%, redundant voltage input, PoE

CUT and Alarm: 24V DC alarm output voltage supply; 24V DC feed-in of an external switching signal, galvanically isolated; ALARM output, galvanically isolated

LAN-in: RJ45 or LWL (fibre optic) connection, 10/100MBit/s half and full duplex, 100BASE-TX; Power over Ethernet in compliance with IEEE 802.3af, Class 3

LAN-out: 4x RJ45 or LWL (fibre optic) connection, 10/100MBit/s half and full duplex, 100BASE-TX

Service: 9-pin SUB-D connector, RS232 for connection of an external analogue, ISDN or GPRS standard modem unit, with dial-in and dial-out functionality

Use https for administration: over plain http the admin credentials (admin/admin in the factory default state) are sent in clear text.

9.3 General data

External measurements: 200 mm x 150 mm x 41 mm (W x H x D)

Protection class: IP20

Power consumption: max. 12 W (typ.)

Maximum current consumption: 500 mA

Permissible ambient temperature: 5 °C … 60 °C; 5 °C … 50 °C (UL)

10 Service and support

ads-tec and appointed partner companies offer you comprehensive maintenance and support services, ensuring quick and competent support should you have any questions or concerns with regard to ads-tec products and equipment. ads-tec products may also be provided and installed by partner companies. Such devices may have customised configurations. Should any questions arise with regard to such specific settings and software installations, please contact the system supplier in question as ads-tec will not be able to reply to such questions. ads-tec does not provide support services for any device or unit that was not bought directly from ads-tec. In any such case, maintenance and support is provided solely by the partner company that supplied the device or unit.

10.1 ads-tec support

The ads-tec support team is available for inquiries by direct customers between 8:30am and 5:00pm, Monday to Friday. The support team can be reached via phone, fax or email.

E-Mail: [email protected]

10.2 Company address

ads-tec

Automation Daten- und Systemtechnik GmbH

Raiffeisenstraße 14

70771 Leinfelden-Echterdingen

Germany

Email: [email protected]

Web: www.ads-tec.de

11 Application examples

Note:

The application examples and the glossary described below include hyperlinks directing you to external websites. ads-tec does not guarantee that any such hyperlinks to external websites work properly, and shall never be held liable for this function; hyperlinks may stop working because they have been updated or are in the meantime available by using another hyperlink. Additionally, ads-tec also does not accept any responsibility or liability of any kind with respect to the installation, application and freedom from errors of any piece of Open Source software.

11.1 Basic router function

General

These instructions describe how to put the IF1000 device into operation as a regular router, covering the IP settings and the packet filter.

We assume in this case that the uplink towards the Internet provider is established by using a DSL modem which is connected with the LAN-in interface, and that your own home network is connected with the LAN-out interface.

IP configuration

The DSL modem is plugged in at the LAN-in connection, and the home network at the LAN-out connection. The firewall's default IP address is 192.168.0.254. The computer which is supposed to be used for the configuration must be located within the 192.168.0.0/24 network; i.e. it must for example have the IP address 192.168.0.1, and 255.255.255.0 is used as the net mask. Both user name and password for the IF1000 are admin in the factory default state (see 8.4.3). The starting point is the system overview page, which gives the essential information.


If you click on Configuration in the main menu, you'll land on the IP configuration page. Here, you should choose the IP router operating mode. The page is then reloaded as a result, and both the LAN-in and the LAN-out interface can be configured separately.

You should use PPPoE/DHCP as the assignment method for LAN-in and enter the PPPoE user name and the PPPoE password (as specified by the provider) in the respective boxes (which will then be visible). The second interface is then configured for the desired home network (as an example, the 192.168.0.0/24 default setting is retained).

Note:

Should there be problems in reaching the firewall, you can read out the current operating mode on the LCD display (you can skip an entry by using the ESC key).

For providers without any PPPoE access information (e.g. with a cable connection), DHCP instead of PPPoE/DHCP must be used in the IP assignment for the uplink.

Enabling NAT is required for establishing a connection with the Internet. While this is done automatically with PPPoE, the setting for DHCP (e.g. with a cable provider) must be made manually.

You can swit interface.

Packet filter

The packet filter allows you to specify, for instance, that only websites (HTTP) may be accessed. You can view the active rule sets for either bridged operation (the Transbridge mode) or for autonomous IP routing on the overview page of the wizard under Configuration/Packet filter, and restrict the display according to the inbound and outbound interface.

Click on Add in the Overview window for layer 3 and select HTTP_FRLO from the list of available rule sets. Then click on Next and subsequently on Close. Add the HTTPS_FRLO rule set (for encrypted HTTP traffic) and the DNS_FRLO rule set (for Internet address resolution) in the same way. The Allow_L3 rule set (which allows all types of traffic) must be deleted by selecting this item in the list and clicking on Delete; as long as it remains, it permits everything and the three added rule sets restrict nothing. Finally, the settings are stored as described in the following note.


Note:

An own rule set can be changed, or a pre-defined rule set viewed, by using the corresponding button.

In order to save the settings, click on the floppy disk icon in the top bar of the menu or on Save settings under System/Save.

Eventlog

The Event log under Diagnostics/Eventlog shows messages about currently running services (PPPoE connections, DHCP server, VPN, etc.).

11.2 Establishing an OpenVPN connection

General

By using OpenVPN, you can exchange data even beyond the borders of a complex transmission network (e.g. by using the Internet) like inside a (virtual) internal LAN. In order to do so, all subnets which together define the virtual LAN are connected by an OpenVPN tunnel between an OpenVPN server (Server) and an OpenVPN client.

The firewall may either be configured as an OpenVPN Server or as an OpenVPN client. X.509 certificates are used for authenticating both ends, and the connection is encrypted with TLS. The most important VPN applications are "Site-To-Site VPN" and "Site-To-End VPN"; these will be explained in this document by using examples.

The ads-tec IF1000 series supports OpenVPN because of its simple usability and because it establishes connections smoothly across routing and NAT boundaries. Subnets on Ethernet level (OSI layer 2) or on IPv4 level (layer 3) can be connected with each other by using OpenVPN. In layer 2 mode, the transmitted data is independent of the IPv4 protocol; this means that purely Ethernet-based data can also be transported.

Ethernet (layer 2) and IPv4 (layer 3) tunnel mode

In layer 2 mode, all OpenVPN connections at the LAN-out interface together with their physical connections (in IP router mode), or all OpenVPN connections at the LAN-out internal interface (in extended IP router mode), are connected as an Ethernet bridge. Data traffic can be filtered on layer 2 level.

Layer 3 OpenVPN connections, on the other hand, always have their own independent virtual interface, which must be set up in the Configuration / IP configuration menu item. Only IPv4 data traffic can be transmitted by using these connections. The layer 3 packet filter (Configuration / Packet filter) is then to be used for filtering the inbound and outbound data traffic of the tunnel.

The tunnel mode to be used for a certain connection must be defined by using the "Layer" option when adding a new connection.

Note:

There are some certificates pre-installed for testing purposes on the device. These certificates must never be used for the final configuration, since they cannot ensure an unambiguous authentication: the demo certificates and their CA are freely available, so anyone holding them can authenticate to your tunnel. Instead it is essential to generate your own certificates. We recommend that you delete the demo certificates before any use in production. With respect to this, please refer to our use case "Certificates".

The IF1000 series always uses DHE-RSA-AES128-SHA as a fixed TLS cipher suite, which suits the crypto hardware acceleration of the device. Make sure that no different cipher suite is set up in the remote device if you connect the device with another OpenVPN device (on the OpenVPN side this is the tls-cipher option). Note that this suite (AES-128-CBC with an HMAC-SHA1 MAC) is a legacy choice by today's standards, and recent OpenVPN/OpenSSL builds may refuse it at their default security level or minimum TLS version unless it is explicitly allowed.

Site-to-site VPN

With site-to-site VPN, two remote subnets (e.g. two local networks of two very remote locations of the same company) are connected to a single network by two VPN routers. In the IF1000 example, the network located between the routers (e.g. the Internet) is connected with the corresponding LAN-in interface, while the computers of the local networks are connected with the LAN-out interface. One of the firewalls is configured as an OpenVPN Server, the other one as an OpenVPN client, which establishes the connection with the Server firewall.

In IP router extended mode or when using layer 3 OpenVPN connections, the VPN endpoints don't unconditionally have to be connected via the LAN-in interface. But we'll come back to that later.

Note:

Should a complex network lie between the VPN endpoints, you'll have to ensure that a dedicated route for IP packets exists between both VPN endpoints!

In our example, both devices must be configured as an IP router.

In order to make sure that the computers of both subnet LANs can reach each other, they must be located within the same subnet (e.g. 192.168.1.0/24).

Site-to-end VPN

With site-to-end VPN, an external computer (e.g. the PC of a remotely working employee) is connected with the firewall: the firewall is connected with the Internet via its LAN-in interface (e.g. via DSL), and the company internal LAN is connected via the LAN-out interface. Since the remote terminal, such as the PC, may connect from a different network each time, the remote terminal must be the side that establishes the connection, i.e. the OpenVPN client.

Note:

Should a complex network lie between the VPN endpoints, you'll have to ensure that a dedicated route for IP packets exists between both VPN endpoints!

In our example, both devices must be configured as an IP router.

In order to make sure that the computers of both subnet LANs can reach each other, they must be located within the same subnet (e.g. 192.168.1.0/24).

Layer 2 OpenVPN Server configuration

For the device to be configured in Server mode (e.g. with 192.168.… for LAN-in and with 192.168.1.254 for LAN-out), the options "Server" as well as a certificate have to be selected. An OpenVPN Server connection entry is created by using "Add", and the local port is automatically assigned (port numbers start from 1194 and are consecutive). The client must establish its connection with this port number.

The new connection now appears in "Current OpenVPN entries" with the IP configuration of the "LAN-out" interface being displayed in the "Interface IP info" column.


Note:

Server and client certificates must have been signed by the same CA (certificate authority). The related CA certificate must be available at both endpoints of the connection, and is then automatically used for verifying the client certificates of the corresponding remote terminal.

A maximum of 10 OpenVPN connections is possible.

Layer 2 OpenVPN client configuration

The "Client" mode is now selected for the device to be configured in client mode (e.g. with 192.168.0.1 as an IP address for LAN-in and with 192.168.1.1 for LAN-out). The IP address of the OpenVPN Server followed by ":" and by the port number of the VPN server is specified as the VPN remote endpoint. The "Layer" option must be set to "L2 Ethernet".

The endpoint definition is added by using "Add" and the OpenVPN tunnel is established directly.

The new connection now appears in "Current OpenVPN entries" with the IP configuration of the "LAN-out" interface (or the LAN-out internal interface in IP router extended mode) being displayed in the "Interface IP info" column.


Note:

If the client is located behind a proxy server, the HTTP proxy settings must be enabled in the "HTTP/HTTPS proxy settings for clients" menu item. There you can specify IP address and port, as well as user name and password for the proxy.

Layer 3 OpenVPN Server configuration

The "Server" mode and a certificate are selected for the device to be configured in Server mode. An OpenVPN Server connection entry is created by using "Add", and the "Layer: L3 IP interface" option is applied in this case.

The new connection now appears in the "Current OpenVPN entries" menu item, where the "Interface IP info" column shows that the related L3 VPN interface does not have a valid IP configuration at this point in time. A single click on the note text will guide you to the "Configuration / IP configuration" page, where an IP address and a net mask must be specified for the matching L3 VPN entry.

Once the IP is configured, the IP setting is visible on the OpenVPN page. All that's left to do now is setting the VPN connection status from "Inactive" to "Active".

Layer 3 OpenVPN client configuration

For the device to be configured in client mode, the options "Client" and "Layer: L3 IP interface" are selected when adding the new connection. The IP address of the OpenVPN Server followed by ":" and by the port number of the VPN server is specified as the VPN remote endpoint. The endpoint definition is then added by using the "Add" button, and the OpenVPN tunnel is established directly with the "OpenVPN/DHCP" default setting. As a result, no further IP configuration is required as long as the server assigns the IP addresses by the OpenVPN method. Configuration with dynamic IP addresses is explained in more detail in the next chapter.

In all other cases, the IP address and net mask of the L3 VPN interface must be set up in the Configuration / IP configuration menu item. Subsequently, the statically assigned IP address is visible on the OpenVPN page.

OpenVPN with dynamic IP addresses

OpenVPN offers the opportunity of having IP addresses assigned to an OpenVPN client by an OpenVPN Server. This works similar to the DHCP method, but with a specific OpenVPN protocol. Settings must be made for both the Server and the client device in order to use this option.

Server device settings

The "Enable IP address pool on selected Server" function must be enabled at the Server device. An interface for the existing connections has to be selected if several Server connections are created. As a result, this function can only be used for one of the 10 connections possible at max.

In the example, the Server is now to assign IP addresses from the LAN-out range of addresses. Additionally, the Server device is in "Extended IP router" mode in the example, which has the result that the VPN connections on the LAN-out (internal) interface are bridged, and not connected with the LAN-out ports on Ethernet level (but on IPv4 level by means of routing).

Selected IP addresses are e.g. 192.168.5.100-110 corresponding to a valid address range of the LAN-out (internal) or L3 VPN interface.

Furthermore, the Server device can also offer its services as a default gateway ("Push local IP address as default gateway" option), or the static routes configured in Configuration / Network / IP routing can be transmitted to the client ("Push all static routes to OpenVPN clients" option).

Client device settings

The options in the "OpenVPN / DHCP settings for clients" window must be enabled for the client. If a layer 2 connection is used, the corresponding interface must be selected for the "L2 VPN client for OpenVPN/DHCP on LAN-out (int.)" setting. This is only possible for one layer 2 connection of the 10 connections usable at max.

With a layer 2 OpenVPN connection, the protocol of the LAN-out interface (in IP router mode) or of the LAN-out internal interface (in IP router extended mode) must now be configured at the client device on the "IP configuration" page and set to "OpenVPN/DHCP". If the Server acts as the default gateway, like in our example ("Push local IP address as default gateway" option), the "Gateway via DHCP" option can additionally be enabled in this menu item.

If a layer 3 connection is used, the "OpenVPN/DHCP" option must be configured for the L3 VPN interface in the same way.

The option for static routes must be enabled so that it matches the Server configuration ("Get static IP routes from OpenVPN Server"). Assigning the DNS server via OpenVPN is not possible.

OpenVPN status

Once the OpenVPN configuration is completed, you can retrieve the status of connections in the status menu (the manual shows a status screenshot for the client and one for the server at this point).

Additionally, the "OVPN" character sequence appears in the top right corner of the LC display, which indicates a currently running OpenVPN connection.

If OpenVPN Server and client both use the dynamic IP configuration with "OpenVPN/DHCP", additional information with respect to the IPs assigned from the address pool appears on the status page of the Server device. The ads-tec OpenVPN clients additionally transmit the local routing information of physical interfaces to the Server.

This routing information is shown in the "manual routing" column in the status view. Such a route can be selected and used for the running operation. This allows the Server device to reach other devices in subnets which, from the point of view of the Server, are located behind the clients. This route is automatically removed once the client is disconnected. This setting cannot be saved either; it has to be reactivated after a restart of the Server device. Permanent routes can be created in the Configuration / Network / IP routing menu item.

Eventlog messages for OpenVPN

The following messages for OpenVPN may appear in the event log:

- IF1xxx L2-VPN: 192.168.5.204:4420 [DEMO-CN5] Peer Connection Initiated with 192.168.5.204:4420
  (Indicates that the DEMO-CN5 client has successfully established a connection from source IP address 192.168.5.204 and TCP port 4420.)

- IF1xxx L2-VPN: TCP: connect to 192.168.5.204:1194 failed, will try again in 5 seconds: No route to host (errno=113)
  (Indicates a connection error of a client which tries to connect to the server. In the example, no IP route exists for the server IP address.)

- IF1xxx L2-VPN: VERIFY ERROR: depth=1, error=certificate is not yet valid: /C=DE/ST=Baden-Wuerttemberg/L=DEMO-LN/O=DEMO-ON/OU=DEMO-OUN/CN=DEMO-CN/[email protected]
  (Error message telling that the used certificate is invalid, because its validity period does not match the system time.)

- Should the certificate be listed in a CRL and therefore be rejected by the remote device, no concrete error message will be displayed for this fact. An indication is that the TCP connection is successfully established but then immediately reset once the first data packet has been received. If in doubt, the log of the remote device should always be included in the investigation.

Additionally, comprehensive OpenVPN messages can be enabled by using the "Log Level" setting (in the Additional settings menu). This will give you support with any issues where the desired connections cannot be established.
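A parser for the event-log messages listed above, added here as an example (not code from the manual or from ads-tec). The message formats are those shown on this page; the regular expressions, the sample log lines and the handling of an "L3-VPN" prefix alongside "L2-VPN" are constructed assumptions. Besides turning each line into a structured event, it reports peers that authenticated with one of the pre-installed demo certificates (CN starting with "DEMO-"), which the notes above say must never be used in production; the first sample line is exactly such a case.

```python
"""Parse the OpenVPN event-log messages listed above into structured events.

Added example, not code from the manual: the message formats are taken from
the examples on this page, the regular expressions and the sample lines are
constructed here, and the "L2-VPN"/"L3-VPN" prefix handling is an assumption.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

PEER = r"(?P<peer>\d{1,3}(?:\.\d{1,3}){3}:\d+)"
CONNECTED = re.compile(r"L[23]-VPN: " + PEER + r" \[(?P<cn>[^\]]+)\] Peer Connection Initiated")
FAILED = re.compile(r"L[23]-VPN: TCP: connect to " + PEER
                    + r" failed.*?: (?P<reason>.+?) \(errno=(?P<errno>\d+)\)")
VERIFY = re.compile(r"L[23]-VPN: VERIFY ERROR: depth=(?P<depth>\d+), "
                    r"error=(?P<error>[^:]+): (?P<subject>/\S+)")


@dataclass
class VpnEvent:
    kind: str                    # "connected", "connect_failed", "verify_error"
    peer: Optional[str] = None   # "ip:port" of the remote end
    cn: Optional[str] = None     # certificate common name, if present
    detail: Dict[str, str] = field(default_factory=dict)


def parse_subject(subject: str) -> Dict[str, str]:
    """Turn '/C=DE/ST=.../CN=DEMO-CN' into a dict; parts without '=' are kept raw."""
    out: Dict[str, str] = {}
    for part in subject.strip("/").split("/"):
        key, sep, value = part.partition("=")
        out[key if sep else "raw"] = value if sep else key
    return out


def parse_line(line: str) -> Optional[VpnEvent]:
    """Return the event for one log line, or None if it is not an OpenVPN message."""
    m = CONNECTED.search(line)
    if m:
        return VpnEvent("connected", m["peer"], m["cn"])
    m = FAILED.search(line)
    if m:
        return VpnEvent("connect_failed", m["peer"],
                        detail={"reason": m["reason"], "errno": m["errno"]})
    m = VERIFY.search(line)
    if m:
        subj = parse_subject(m["subject"])
        return VpnEvent("verify_error", cn=subj.get("CN"),
                        detail={"depth": m["depth"], "error": m["error"], **subj})
    return None


def parse_log(lines: List[str]) -> List[VpnEvent]:
    return [e for e in (parse_line(l) for l in lines) if e is not None]


def demo_certificate_peers(events: List[VpnEvent]) -> List[str]:
    """Peers that authenticated with a demo certificate (CN=DEMO-...)."""
    return [f"{e.cn}@{e.peer}" for e in events
            if e.kind == "connected" and e.cn is not None and e.cn.startswith("DEMO-")]


# constructed sample log, modelled on the messages shown on this page
SAMPLE_LOG = [
    "IF1xxx L2-VPN: 192.168.5.204:4420 [DEMO-CN5] Peer Connection Initiated with 192.168.5.204:4420",
    "IF1xxx L2-VPN: TCP: connect to 192.168.5.204:1194 failed, will try again in 5 seconds: "
    "No route to host (errno=113)",
    "IF1xxx L2-VPN: VERIFY ERROR: depth=1, error=certificate is not yet valid: "
    "/C=DE/ST=Baden-Wuerttemberg/L=DEMO-LN/O=DEMO-ON/OU=DEMO-OUN/CN=DEMO-CN",
    "IF1xxx DHCP: lease 192.168.1.20 offered",          # unrelated line, ignored
]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in evs:
        print(e)
    print("demo certificates in use:", demo_certificate_peers(evs))
```

The CRL case described above produces no message of its own, so it cannot be matched here; a "connected" event immediately followed by a reset on the remote side is the pattern to look for in both logs.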

Installing OpenVPN under Windows

You'll find some notes on installation and application of OpenVPN under Windows on the website http://www.openvpn.net/index.php/open-source.html

Configuration as an OpenVPN client under Windows

In order to configure an OpenVPN connection under Windows, a configuration file with an .ovpn file extension must be created in C:\Programmes\OpenVPN\config. See the attached exemplary open_win… file.

The exemplary configuration connects the client with an OpenVPN server with the IP address 192.168.11…1.166 on port 1194 (this corresponds with the firewall from the "OpenVPN Server configuration" section), and uses the IP address 19… for the local TAP interface (OpenVPN tunnelling end point). The demoCA.pem certificate and the certificates required for authentication must also be copied to C:\Programmes\OpenVPN\config.

The OpenVPN connection is started by right-clicking on the file and selecting "Start OpenVPN on this config file".

This causes a prompt to open, in which you can watch the connection status. As soon as you close the prompt, the VPN connection will be terminated.


Note:

The system time on the VPN Server and client must lie within the validity period specified in the certificates; otherwise the certificates are rejected as invalid!

Instead of using the "ifconfig..." OpenVPN config line, you could also manually assign the IP address to the TAP adapter under Control panel/Network connections (the "ifconfig..." line must be prefixed with a semicolon in order to mark it as a comment in that case).

If a proxy server is used, the server access data may be set in the "http-proxy" config line (the semicolon must be removed, since this line would be considered a comment otherwise). If user name and password are required, they must be stored in a separate file.

The certificates may also be stored at a central location (e.g. at C:\Certificates). The complete path must be specified for the ca, cert and key entries in that case (e.g. ca C:\\Certificates\\demoCA.pem). Warning: the backslashes must be doubled!

A detailed explanation of all options can be found at http://openvpn.net/

From OpenVPN version 2.0.9, the required routing information is entered automatically. With older versions, a route must be added manually by using the route command, in order to route the traffic for the subnet via the local TAP adapter of the client. If the client is, for instance, using 192.168.1.168 as an IP address for the TAP adapter, the traffic for 192.168.1.0/24 must be routed via 192.168.1.168. This happens in the open command prompt: route add 192.168.1.0 mask 255.255.255.0 192.168.1.168
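The rules collected in this note, together with the device-side layer 2 and layer 3 client settings from earlier in this chapter, as an added example (not the open_win… file attached to the manual and not ads-tec code): a builder for a Windows .ovpn client file for an IF1000 server and a checker that flags the mistakes the note warns about. It uses the server address and port from the event-log example above and the TAP address 192.168.1.168 from this note; the TCP transport (chosen because the event log shows a TCP connect), the certificate file names, the proxy host and the extra persist/verb options are assumptions.

```python
"""Build and check a Windows OpenVPN client configuration for an IF1000 server.

Added example, not the file attached to the manual. It applies the rules
given on this page (layer 2 = TAP adapter, layer 3 = TUN, fixed TLS cipher
suite DHE-RSA-AES128-SHA, doubled backslashes in Windows paths, semicolon-
commented ifconfig/http-proxy lines) and flags configurations that violate
them or still use the demo CA. Server address from the event-log example;
TCP transport, file names and proxy host are assumptions.
"""
import re
from typing import Dict, List, Optional

IF1000_TLS_CIPHER = "DHE-RSA-AES128-SHA"        # fixed on the IF1000 side
SINGLE_BACKSLASH = re.compile(r"(?<!\\)\\(?!\\)")  # a backslash that is not doubled


def win_path(path: str) -> str:
    """Return a Windows path with every backslash doubled exactly once."""
    return "\\\\".join(p for p in path.split("\\") if p)


def build_client_config(server: str, port: int, layer: int, ca: str, cert: str,
                        key: str, tap_ip: Optional[str] = None,
                        netmask: str = "255.255.255.0",
                        proxy: Optional[str] = None) -> str:
    """Client side of a tunnel to an IF1000 OpenVPN server (layer 2 or 3)."""
    if layer not in (2, 3):
        raise ValueError("layer must be 2 (L2 Ethernet) or 3 (L3 IP interface)")
    lines = [
        "client",
        "dev tap" if layer == 2 else "dev tun",
        "proto tcp-client",                      # assumption: TCP, as in the event log
        f"remote {server} {port}",
        f'ca "{win_path(ca)}"',
        f'cert "{win_path(cert)}"',
        f'key "{win_path(key)}"',
        f"tls-cipher {IF1000_TLS_CIPHER}",
        "persist-key",
        "persist-tun",
        "verb 3",
    ]
    if layer == 2 and tap_ip:
        # static TAP address; prefix with ';' to assign it in Windows instead
        lines.append(f"ifconfig {tap_ip} {netmask}")
    # the proxy line stays a comment unless a proxy is given
    lines.append(f"http-proxy {proxy}" if proxy else ";http-proxy proxy.example 8080")
    return "\n".join(lines) + "\n"


def check_client_config(text: str) -> List[str]:
    """Return human-readable findings; an empty list means no rule was violated."""
    findings: List[str] = []
    opts: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue                               # comment lines
        name, _, value = line.partition(" ")
        opts[name] = value.strip('"')
    if opts.get("tls-cipher") != IF1000_TLS_CIPHER:
        findings.append(f"tls-cipher must be {IF1000_TLS_CIPHER} to match the IF1000")
    for opt in ("ca", "cert", "key"):
        path = opts.get(opt)
        if path is None:
            findings.append(f"{opt}: missing")
        elif SINGLE_BACKSLASH.search(path):
            findings.append(f"{opt}: backslashes in Windows paths must be doubled")
        if path and path.lower().endswith("democa.pem"):
            findings.append(f"{opt}: demo CA in use; generate your own certificates")
    if len(opts.get("remote", "").split()) != 2:
        findings.append("remote must be given as '<server> <port>'")
    ifc = opts.get("ifconfig", "").split()
    if opts.get("dev") == "tun" and len(ifc) == 2 and ifc[1].startswith("255."):
        findings.append("ifconfig with dev tun takes a peer address, not a netmask")
    return findings


def example_config() -> str:
    return build_client_config("192.168.5.204", 1194, 2,
                               r"C:\Certificates\myCA.pem",
                               r"C:\Certificates\client1.pem",
                               r"C:\Certificates\client1.key",
                               tap_ip="192.168.1.168")


# constructed weak configuration with the mistakes the notes above warn about
WEAK_CONFIG = "\n".join([
    "client", "dev tun", "remote 192.168.5.204 1194",
    r"ca C:\Certificates\demoCA.pem", r"cert C:\Certificates\client.pem",
    r"key C:\Certificates\client.key", "tls-cipher AES256-SHA",
    "ifconfig 192.168.1.168 255.255.255.0",
])


if __name__ == "__main__":
    print(example_config())
    for f in check_client_config(WEAK_CONFIG):
        print("finding:", f)
```

Run the checker over any .ovpn before handing it to a user: a single backslash silently changes the path OpenVPN opens, and a cipher suite other than the one fixed on the IF1000 fails the TLS handshake with no hint in the client log beyond a verify or handshake error.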


OpenVPN GUI

OpenVPN GUI is an additional tool for OpenVPN, available from the OpenVPN download pages.

The GUI tool is very handy for enabling and monitoring OpenVPN connections. When it is started, a corresponding icon (a network icon including red monitor screens if there is no active connection) appears at the bottom right of the screen.

By right-clicking on this icon, a menu will appear which allows changing the configuration and enabling the connection. A corresponding message appears in the info area.

The window is closed as soon as the connection is established (but may be reopened by using the "Show …" menu item). If several connections have been defined, one sub-item per connection appears in front of "Connect" in the menu.

Note:

Proxy settings may be made regardless of the configuration file (e.g. by adopting the Internet Explorer settings).

11.3 OpenVPN server under Windows

General

This use case describes the configuration of several OpenVPN servers under Windows. By using OpenVPN, you can exchange data beyond the borders of a complex transmission network like inside a (virtual) internal LAN. In order to do so, the subnets defining the virtual LAN are connected by an OpenVPN tunnel between an OpenVPN server (Server) and an OpenVPN client.

Note:

Please refer to the "OpenVPN" use case for configuring the IF1000 as an OpenVPN client and for …

REMOTE MAINTENANCE

Remote maintenance is a typical application. In the event of a service case, the system to be maintained connects with one of the OpenVPN server endpoints and the technician with another one. So, you can, for instance, define one server connection for each customer, and another one for the technician. Via corresponding routing and filter settings, the customer networks cannot communicate with each other, but the technician is able to communicate with the customer networks. Once the service has been completed, both endpoints terminate their connection.

Note:

For a productive application, you'll have to generate your own certificates, since the demo certificates based on the demoCA.pem example CA are freely available. Please refer to the "… Certificates" use case.


INSTALLING OPENVPN

You'll find notes on the installation and application of OpenVPN at http://openvpn.net/INSTALL-win32.html. Generally you'll need the following software:

- OpenSSL (http://www.openssl.org/related/binaries.html)

- OpenVPN (http://openvpn.net/download.html)

First, you'll have to unpack and install the OpenSSL archive, and then the OpenVPN archive, by double-clicking on it.

Note:

With OpenVPN, a warning that a test has failed may occur. This is because of a missing Microsoft signature; you can continue with the installation.

The regular installation path is C:\Programmes\OpenVPN. If this path has been changed, the path information below must be adapted accordingly.

CREATING THE OPENVPN INTERFACES

First you'll have to add the desired number of OpenVPN interfaces (TAP adapters) by using the OpenVPN menu. Each time you use "Add a new TAP-Win32 virtual Ethernet adapter", a new adapter is created. Under certain circumstances, the warning mentioned above appears several times during the installation. However, you can confirm this message.

Subsequently, these new interfaces must be renamed in the network connections panel.

An OpenVPN configuration will identify related interfaces by their names. For our example, we simply use the designations "OpenVPN connection 1", "OpenVPN connection 2", etc.

Note:

Any number of clients might connect on a server connection, as long as the authentication procedure does not have to be defined for every client. The division into customers and groups is therefore useful.

CONFIGURING AN OPENVPN CONNECTION AS A SERVER

In order to configure an OpenVPN connection under Windows, a configuration file with an .ovpn file extension must be stored in C:\Programmes\OpenVPN\config. The configuration for ads-tec-if-server1.ovpn, for the first exemplary connection, is for instance as follows:

port 443
proto tcp
dev tap
ca demoCA.pem
key demo-server1.pem
dh dh1024.pem
ifconfig-pool-persist ipp.txt
keepalive 10 120
persist-key
persist-tun
status openvpn-status-server1.log
verb 3

The Windows server will authenticate itself for this connection by using the demo-server1.pem certificate (which also includes the required private key), and will in turn accept all clients which have a certificate signed by demoCA.pem. The clients receive IP addresses from the 192.168.10.0/24 subnet; the server itself is generally always using the first IP address from this range. In this case that is 192.168.10.1.

Certificates without any path specification must be located in C:\Programmes\OpenVPN\config, but complete path information might also be given in every case (for instance C:\\Certificates; the backslashes must be doubled).

Note:

The configuration files contain detailed comments on the individual options.

Each server connection requires an unambiguous port. The first connection is using port 443, which is usually dedicated for HTTPS. Because of this, the remote terminal can simply run without having to configure the proxy specifically.

Both other exemplary connections, the ads-tec-if-server2.ovpn and ads-tec-if-server3.ovpn connection, are designed in the same way. The second one is using the 192.168.20.0/24 subnet and port 1194. The third one is using the 192.168.30.0/24 subnet and port 1195.

The push "route ..." command is also used there, in order to automatically specify the routes for the other networks to the client. This allows the service technician to reach them without having to manually define routes. The configuration files and the dh1024.pem file are also included in the attachment.

STARTING AN OPENVPN CONNECTION

An OpenVPN connection is started by right-clicking on the configuration file and selecting "Start …". This causes a prompt to appear, which shows the connection status. As soon as you close this prompt, the OpenVPN connection will be terminated.

OpenVPN can be configured in the Control panel under Administrative tools/Services in such a way that all connections defined in C:\Programmes\OpenVPN\config are enabled when the computer is started up. In order to do so, right-click on the OpenVPN service, and set the Startup type under Properties to Automatic.

STATUS OF AN OPENVPN CONNECTION

By using the status command in the configuration, you can define a log file, which is updated once per minute, and in which you can read the current status of the connection. The log files are located in C:\Programmes\OpenVPN\log, and could look like this, for example, if the connection was successfully established:
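The status file named by the status command can also be checked automatically. The following added example (not from the manual or from OpenVPN) parses a status file in the default comma separated layout, lists the connected clients and flags certificate common names that are not expected on this server connection, which matters because the demo certificates are freely available; the sample status text is constructed.

```python
"""Parse an OpenVPN status file (e.g. openvpn-status-server1.log) and check
which client certificates are connected.

Added example, not part of the IF1000 manual or of OpenVPN. It assumes the
default status file layout: the sections "OpenVPN CLIENT LIST", "ROUTING
TABLE" and "GLOBAL STATS", comma separated, terminated by "END".
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample of the file the server rewrites once per minute.
SAMPLE_STATUS = """\
OpenVPN CLIENT LIST
Updated,Mon Jan  1 10:00:00 2007
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
demo-client1,192.168.253.10:1045,20480,81920,Mon Jan  1 09:30:00 2007
demo-client2,192.168.253.33:1066,1024,2048,Mon Jan  1 09:58:00 2007
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
192.168.10.6,demo-client1,192.168.253.10:1045,Mon Jan  1 09:59:50 2007
192.168.10.10,demo-client2,192.168.253.33:1066,Mon Jan  1 09:59:58 2007
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""

SECTIONS = ("OpenVPN CLIENT LIST", "ROUTING TABLE", "GLOBAL STATS")


@dataclass
class Client:
    common_name: str
    real_address: str
    bytes_received: int
    bytes_sent: int
    connected_since: str
    virtual_addresses: List[str] = field(default_factory=list)


def parse_status(text: str) -> Dict[str, Client]:
    """Return the connected clients keyed by certificate common name."""
    clients: Dict[str, Client] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            section = line
            continue
        if line == "END" or not line:
            section = None
            continue
        fields = line.split(",")
        if section == "OpenVPN CLIENT LIST":
            # skip the "Updated,..." time stamp and the column header
            if fields[0] in ("Updated", "Common Name") or len(fields) < 5:
                continue
            cn, real, rx, tx, since = fields[:5]
            clients[cn] = Client(cn, real, int(rx), int(tx), since)
        elif section == "ROUTING TABLE":
            if fields[0] == "Virtual Address" or len(fields) < 4:
                continue
            vaddr, cn = fields[0], fields[1]
            if cn in clients:
                clients[cn].virtual_addresses.append(vaddr)
    return clients


def unexpected_clients(text: str, expected: set) -> List[str]:
    """Common names that are connected but not on the expected list."""
    return sorted(cn for cn in parse_status(text) if cn not in expected)


def addresses_outside(clients: Dict[str, Client], subnet: str) -> List[Tuple[str, str]]:
    """Virtual addresses not taken from the connection's subnet.
    Entries that are not IP addresses are skipped."""
    net = ipaddress.ip_network(subnet)
    found = []
    for c in clients.values():
        for addr in c.virtual_addresses:
            try:
                if ipaddress.ip_address(addr) not in net:
                    found.append((c.common_name, addr))
            except ValueError:
                continue
    return found


if __name__ == "__main__":
    for cn, c in parse_status(SAMPLE_STATUS).items():
        print(cn, c.real_address, c.virtual_addresses, c.bytes_sent)
    print("unexpected:", unexpected_clients(SAMPLE_STATUS, {"demo-client1"}))
```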

ENABLING IP FORWARDING

In order to allow the connected networks to communicate with each other, IP forwarding must be enabled. You can check this by using the registry editor. In order to do so, enter the regedit command under Start/Run... and verify the value of IPEnableRouter under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters. Should it not be set to 1, the value can be adapted by right-clicking on the variable and using the corresponding menu item.

IP FILTERING BETWEEN OPENVPN INTERFACES

In order to bar the traffic between different factories (so that only technicians can gain data access), a corresponding IP security policy must be created. By entering the secpol.msc command using Start/Run..., you can start the local security policies on the local computer in the Microsoft Management Console. The wizard is started by right-clicking on "IP security policies on Local computer", and by clicking there on "Create IP security policy...". "OpenVPN-Server" may be used as the name, but the response rule must not be activated; finally click on "Finish".

Then untick the "Use wizard" option and click on "Add". Switch to the "Filter action" tab, enable the wizard here and click on "Add". Then use "Bar" as the name for this rule, set "Bar" as the general option, and complete the process with "Finish". Should the opposite action "Allow" not yet exist, it must be created in the same way, but this time by using "Allow" as the name and option.

Subsequently go back to the "IP filter list" tab and click on "Add" in this tab. Two filter lists are required: one for allowing the traffic between an individual company and the subnet of the technician, and one to bar the remaining traffic between the individual factories.

You can enter "Factory networks - technician network" as the name for the first list, for example. Then, a filter for the traffic between the factory subnet and the technician network must be created. In order to do so, you'll have to disable the wizard and then click on "Add". Select "Specific IP subnet" as the source, specify the factory subnet (192.168.10.0 with 255.255.255.0) and the subnet of the technicians as the destination (with 255.255.255.0). The option "This filter … with different source and destination address." must remain selected.

In the remote maintenance example, a filter for the subnet of the second factory (192.168.20.0/24) must be added in the same way, so that this filter list will contain two filters.

"Factory networks - residual traffic" is the name of the second list. This list is structured in the same way (one filter required for each factory), but the destination address is set to "Any IP address".

This has the result that two new filter lists exist.

In the final step, you have to select the "Allow" filter action, push the "Store" and then the "OK" button for the "Factory networks - technician network" IP filter list. Push the "Add" button in the Policy properties and add "Factory networks - residual traffic" with "Bar" in the same way. As a result, the completed policy now includes two rules, one of which bars any traffic from the OpenVPN connections, whereas the other one allows the traffic into the technician subnet as an exception.

The security policy must finally be assigned in order to become active.

Note:

If the default firewall of Windows is active, the access to the ports for OpenVPN connections must be enabled, so that the clients can be connected.
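The effect of the two filter lists can be checked before the policy is assigned. The following added example (not Microsoft or ads-tec code) models the "OpenVPN-Server" policy from the section above and evaluates sample traffic; it assumes that the technician network is 192.168.30.0/24 (the subnet of the third server connection) and that, when several filters match, the most specific filter (longest masks) decides, which is how Windows IPsec resolves overlapping filters.

```python
"""Model of the IP security policy above: an "Allow" rule for the filter list
"Factory networks - technician network" and a "Bar" rule for the filter list
"Factory networks - residual traffic".

Added example, not Microsoft or ads-tec code. Assumptions: the technician
network is 192.168.30.0/24, and the most specific matching filter wins.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class IPFilter:
    src: Net
    dst: Net                 # 0.0.0.0/0 stands for "Any IP address"
    mirrored: bool = True    # also match packets with source and destination exchanged

    def matches(self, s: ipaddress.IPv4Address, d: ipaddress.IPv4Address) -> bool:
        if s in self.src and d in self.dst:
            return True
        return self.mirrored and d in self.src and s in self.dst

    def specificity(self) -> int:
        # longer masks on both sides mean a more specific filter
        return self.src.prefixlen + self.dst.prefixlen


FACTORIES = [ipaddress.ip_network("192.168.10.0/24"),
             ipaddress.ip_network("192.168.20.0/24")]
TECHNICIAN = ipaddress.ip_network("192.168.30.0/24")   # assumption, see lead-in
ANY = ipaddress.ip_network("0.0.0.0/0")

# (filter list name, its filters, filter action): the two rules of the policy
POLICY: List[Tuple[str, List[IPFilter], str]] = [
    ("Factory networks - technician network",
     [IPFilter(f, TECHNICIAN) for f in FACTORIES], "Allow"),
    ("Factory networks - residual traffic",
     [IPFilter(f, ANY) for f in FACTORIES], "Bar"),
]


def decide(src_ip: str, dst_ip: str) -> str:
    """Return the filter action the policy applies to a packet."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    best: Optional[Tuple[int, str]] = None   # (specificity, action)
    for _name, filters, action in POLICY:
        for f in filters:
            if f.matches(s, d) and (best is None or f.specificity() > best[0]):
                best = (f.specificity(), action)
    # traffic that no filter covers is not touched by the policy
    return best[1] if best else "Allow"


def reachable_pairs(hosts: List[str]) -> List[Tuple[str, str]]:
    """Pairs of hosts that are still allowed to talk to each other."""
    return [(a, b) for a in hosts for b in hosts if a != b and decide(a, b) == "Allow"]


if __name__ == "__main__":
    for pair in reachable_pairs(["192.168.10.5", "192.168.20.5", "192.168.30.9"]):
        print("allowed:", *pair)
```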

CONFIGURING THE IF1000 AS AN OPENVPN CLIENT

On an IF1000 series device, you just have to define a client OpenVPN connection to the Windows server, and to create the route for the technician network. Let's assume, for instance, that the Windows server, the two factory firewalls and the technician laptop are connected via the 192.168.253.0/24 subnet according to the scenario, and that the Windows server has the IP address 192.168.253.168.

On the first firewall, which is connected with the 192.168.10.0/24 subnet, create an OpenVPN entry with 192.168.253.168:443 as the destination address (according to the port specification from the configuration file), and use one of the demo certificates for it (e.g. demo-client1.pem).

Additionally, the OpenVPN server (192.168.10.1 in this example) must be entered as the gateway for the route towards the technician network.

In the same way, an OpenVPN endpoint must be defined on the second firewall, which is connected with the 192.168.20.0/24 subnet; the destination 192.168.253.168:1194 must be entered, together with the route towards the 192.168.30.0/24 subnet.

Note:

The first IP address from the subnet address range must never be used in the LAN-Out subnet (e.g. the 192.168.10.1 address), because it will always be taken by the OpenVPN server.

The route towards the technician network must be entered in the firewall, in order to allow both networks to communicate.

You'll find the exemplary configuration of factory 1 and factory 2 in the attachment. "factory1.cfg" is the file for factory 1, and the corresponding file for factory 2.

CONFIGURING AN OPENVPN CLIENT UNDER WINDOWS

First, OpenVPN must be installed on the computer (e.g. on the service technician's laptop) according to the above description. The automatically created TAP interface must be configured as "Automatically refer to IP address". You can check this in the Network connections by right-clicking on the TAP interface and verifying the settings under Properties/Internet protocol (TCP/IP).

The configuration and related certificates must also be created or stored at C:\Programmes\OpenVPN\config, according to the above example. In this case, this refers to the attached "technician.ovpn" file and the demoCA.pem, as well as to the democlient2.pem certificate.

If the connection is manually established by right-clicking on the configuration file, the technicians can remotely maintain the machines to which they have dialled in without having to make any further settings.

Note:

You'll find a detailed explanation concerning the client configuration in the "OpenVPN" use case.


11.4 PORT FORWARDING

GENERAL

Port forwarding allows a service, which originates from a computer in a second network, to be provided via freely selectable ports. For the person with the external access it then looks as if the service were provided by the firewall. In this way, a computer in the LAN beyond the firewall can e.g. act as a server in the Internet, although it cannot directly be accessed (e.g. due to NAT masquerading).

As an example of application, a TCP based service is provided on port 6000 to the outside (LAN-in), which is in fact provided by a computer of the LAN behind the firewall (LAN-out) with IP address 192.168.1.100 on port 9999. The firewall should in the example use the 192.168.0.1 address on LAN-in; the service computer is reached via LAN-out.

ENABLING NAT MASQUERADING

The firewall must be allowed to change the IP addresses of incoming and outgoing packets, in order to make the service, which is actually located in the LAN behind the firewall, accessible via the firewall. The option "Enable NAT" must be set to "LAN-in" on the "Configuration IP configuration" page, in order to realise this.

Note:

The firewall must either run in IP router or IP router extended mode, so that port forwarding is usable.

ADDING A PORT FORWARDING ENTRY

Port forwarding entries can be defined in the "Configuration Network Port forwarding" menu item. This requires that the "Public port" (via which the service can be addressed on the firewall), the "Private port" (the actual port, on which the service runs on the local host computer), the transmission "Protocol" and the "IP address" of the local host computer are specified. This entry is created with "Add entry".


The service can then be addressed from the outside by using 192.168.0.1:6000, although it actually (but not visibly from the outside) runs on the host with IP 192.168.1.100:9999.

DELETING PORT FORWARDING ENTRIES

If you'd like to delete a definition, you'll have to check the checkbox underneath the trash can icon for the corresponding entry, and then select "Active".

ENABLING/DISABLING OF PORT FORWARDING ENTRIES

Port forwarding entries can temporarily be disabled by clicking on the corresponding checkbox in the "Active" column in order to untick it (disable it), and then push "Apply settings". The definition then remains existent, and can be re-enabled at any point in time.

RELEASING A FORWARDED PORT

The device default setting allows all packets on layer 3 level. Or in other words: all IP packets are forwarded. The "Allow_L3" rule set in the packet filter provides for that. By defining rule sets, which bar certain traffic and which are positioned in front of the "Allow_L3" rule set in the order of processing, exceptions from this treatment can be added. This treats the traffic like a "black list".

In the opposite case, traffic can be treated like with a white list, if the "Allow_L3" rule set is deleted. Rule sets which allow certain ("white") traffic must be added in this case. For this example, we will now explain how such a "white list" rule set is created.

Note:

You'll find comprehensive information on how to control a packet filter in our "Packet filter" use case.

A new rule set must be defined by using the packet filter: it will allow the transmission of TCP packets to the host computer (192.168.253.162:9999 in this case).

First, you create a new rule set in the packet filter by using the Plus icon, and call it e.g. "forward_IN":

This rule set must verify the incoming packets (from LAN-in to LAN-out) of layer 3 (TCP/UDP packets), which is why "LAN-in" is selected as the inbound interface and "LAN-out" as the outbound interface in the overview of rule sets.

By clicking on "Add", the process is continued with defining a rule for the rule set. This rule is to release the port not in general, but only for the corresponding computer, on which the TCP based service actually runs. The subnet mask 255.255.255.255 specified in the example means that only this single IP address is valid as a destination:


Apart from the destination IP address, the port must also be an exact match.

"Auto" can be selected as a connection control method for rules concerning TCP connections. It saves you from creating a separate rule for the return direction of this connection.

In the next step, we'll define what should happen with those packets which meet all of the criteria (i.e. with those packets directed to the 192.168.1.100:9999 address). The packets are allowed in this example. Additionally, the name of the rule is here defined (allow_9999):

The rule definition is now completed. An overview of this rule set is displayed next.

In the next step, the availability of the forwarding can be limited to a certain time window on certain days and the access to this service limited, as a result.


Finally, the rule set is enabled by clicking on "OK". As a result, the input window is closed, and the packet filter overview is displayed once more. If a "whitelist" behaviour is to be achieved, the "Allow_L3" rule set must still be deleted, so that only the new "forward_IN" entry is visible.

In the final step, all settings are saved including the changes by clicking on "Apply Settings".

11.5 VIRUS SCAN

GENERAL

Up to 50 directories shared via the network (the so-called shares or shared folders) can be addressed from a centralised computer by means of the firewall, in order to scan them for viruses with antivirus software.

Note:

Only files can be checked for viruses, but not the running processes and not the network traffic of the computer on which the shared folders are located!

Shared folders are only opened with read-only access permission. That means that although viruses can be diagnosed they can't be removed or healed!

Scanning via the network is slower than a local scan.

We assume for this use case, that the firewall runs in IP router mode, which means that it routes the traffic between two separate networks. The firewall is connected with the network 192.168.111.0/24 (includes computers with a 192.168.111.xxx IP address pattern) via LAN-in, and with the network 192.168.253.0/24 (includes computers with a 192.168.253.xxx IP address pattern) via the LAN-out interface. The network would be the same for both interfaces, if the Transbridge mode were used. The firewall configuration and the virus scan are carried out by a computer called "Server", which is located in the 192.168.111.0/24 network.

Note:

Computer names can only be resolved for computers in both directly connected networks.

The list of shared folders and their access are set up in the "Firewall device/Services/Shared folders" menu. By default, this service is disabled.

SHARE ACCESS

The access is always made by the "smbuser" user, and is only permitted for the computer whose name is entered (or its IP address, alternatively). The password can freely be defined and is not based on the existing NT users. All changes are saved by clicking on "Apply Settings".

Note:

This service can entirely be disabled! Access is in fact only possible if "Enable sharing" is activated. Access is always of read-only type only, i.e. there are no write permissions for the shared folders!

ADDING SHARED FOLDERS

If you wish to add a new shared folder, the folder name, user name and password for this/these shared folder(s) must be known, as they have been defined on the local computer (user name and password of the user's Windows login). The computer name can alternatively be an IP address. Specifying the domain is recommended, but is not necessarily required under certain circumstances.

By clicking on "Add Entry", the entry is added to the list, which then looks as shown below:

Note:

Passwords should only be disclosed to the administrator! The user with whose account the shared folder is configured must have write permission for the shared folder, in order for the programme to make any changes! That means, if for instance "Administrator" is used as shared folder user, the "Administrator" user on the computer with the shared folder must have write access for this/these shared folder(s).

If defining a shared folder fails (is only attempted if the service is enabled), an error message is sent, but the definition is saved (for the event that the computer e.g. was temporarily shut down). Simply disable, and then immediately enable the service, if you'd like to access this share later (once the computer is restarted).

If the "No such share" error message appears, try entering the entire name again but with all small letters, as there may be an issue with capital letters.

DELETING SHARED FOLDERS

Simply tick the box to the right of the corresponding entry (underneath the trash can icon) and then push "Apply settings", if you'd like to delete a shared folder.

Note:

If more than one entry is to be deleted, the share service should be disabled first (untick the "Enable sharing" option and then push "Apply settings"), as the changes take a very long time with the service enabled!

ACCESS VIA WINDOWS EXPLORER

Open Windows Explorer and activate the "share" network directory of the firewall. Here, the actual IP address of the firewall must directly be used (you can e.g. read it from the display). In our use case, the firewall has the IP address 192.168.111.1 at the LAN-in interface. This means that you have to specify "\\192.168.111.1\share" in the address bar of the Windows Explorer. During authentication, the user is always called "smbuser" and the password corresponds with the one defined for share access.

If the user authentication was successful, a list with the shared folders and additionally a "status.txt" file appears, which shows whether all shared folders were successfully addressed (if not, e.g. because of a wrong password).

Note:

Authentication under Windows can sometimes fail accompanied with the error message "Share not found" despite having correctly entered the share name. Should this happen, please proceed according to the instructions given in the "Network drive mapping" section, and address the share as a network drive.

The "status.txt" file must be opened with WordPad, because it is not correctly represented in the editor.

VIRUS SCAN VIA WINDOWS EXPLORER

If the antivirus software has created an entry in the Explorer, first select all shares (CTRL-A), and then right-click on the corresponding menu entry.

NETWORK DRIVE MAPPING

Should the antivirus software not allow the direct use of network folders as a scan target, then you can turn such a network folder into a local drive by using "Tools / Map network drive".

Note:

The user must be set to "smbuser" and the corresponding password must be set as well by using the "Connect with different user name" option.

If a virus scan is to be used after login, the "Reconnect on logon" option must be set.

11.6 SERVICE

GENERAL

Dialling in or out (Dial-In/Out) via the firewall SERVICE port can be done by using a modem. If SERVICE is configured as Dial-In, an external device can dial in into the LAN-in or LAN-out network of the firewall. Only a single LAN (e.g. 192.168.253.0/24) exists in Transbridge mode.

If SERVICE is configured as Dial-Out (and if the remote device, e.g. a firewall, is in Dial-In mode), then the Dial-Out firewall is connected with the network of the remote device (e.g. of a Dial-In firewall).

SERVICE CONFIGURATION AS DIAL-IN

"Dial-In SERVICE" is selected as the mode in the "General Settings/Interfaces/SERVICE" menu. The "Remote IP" is the address assigned to the dialling-in device once the connection is established, whereas the "Local IP" represents the IP address of the local remote transmission endpoint. The user name and password, with which the dial-in device has to be authenticated, must be specified.

Note:

The "Remote IP“ and the "Local IP" must both originate from either the LAN-in or LANout network. That means the device which dials in is connected with one of both networks (except in Transbridge mode, where there is only a single network, that is e.g.

192.168.253.0/24).

SERVICE CONFIGURATION AS DIAL-OUT

In this case, the mode is set to "Dial-Out SERVICE", and the phone number of the remote device is specified (an internal telephone system was used in this example, in which the modem of the Dial-Out firewall had extension number 11). User name and password must match the data specified in the Dial-In configuration. If "dial-on-demand" is used, the connection is established as soon as the firewall can no longer forward a data packet because the route is missing. The remote transmission connection then also acts as the default gateway.


In the "manual" dialling mode, the connection can manually be established or terminated in the "Diagnostics/SERVICE" menu item.

Note:

The "Remote IP" assigned by the remote device must never be located in any of both networks (LAN-in as well as LAN-out, or LAN only in Transbridge mode), since otherwise the routing via the remote transmission connection cannot work.

PC CONFIGURATION AS DIAL-OUT

If you, for instance, want to dial in with a standard laptop and with an integrated modem, you'll have to define a connection for remote transmission in the "Control panel" menu, "Network connections" menu item, by using the "New connection" wizard.

In the wizard, you'll have to set up an Internet connection via modem access. Any name can be chosen for the name of the connection. User name and password must match the data specified in the Dial-In configuration of the firewall.


Note:

Should the computer be integrated in a LAN or WLAN, the IP address of the remote transmission PPP interface must never be located in any of the previously configured networks, since otherwise the routing does not work correctly (you can recognise it by the fact that the remote network cannot be reached although the connection for remote transmission has been established without errors). The network in question is then either temporarily to be disabled, or the routing table to be adapted.

If error 680 ("No dial tone") occurs, the "Wait for dial tone" modem option in the control panel must be disabled.

11.7 SECURENOW!

GENERAL

SecureNow! enables everybody to achieve a maximum level of security for local networks with very little interaction. SecureNow! analyses the network traffic, which goes through the Industrial Firewall, and generates tailored filter rules for ebtables (in Transbridge mode) or iptables (in IP router or IP router extended mode) based on this information.

START PAGE

At the start, the user defines for all active interfaces of the IF1xxx device, which security requirements should apply. Here you can choose from three different levels: High, moderate, and low. SecureNow! creates particularly strict rules for the zones with "high" security level. Rules are less strict with the "moderate" level, in order to accommodate requirements as they usually occur in, let's say, office networks. The "low" security level should be selected for the uplink, e.g. for the interface with the Internet. On the one hand, the rules for this zone are strict when it comes to the traffic originating from this zone. But on the other hand, the traffic originating from a zone with a higher security level and directed to a zone with lower security level, is always permitted if in doubt - i.e. this always applies to the lowest level.

Network traffic, which has been recognised as security critical items, is treated as an exception. SecureNow! has an integrated database, in which frequently used protocols are evaluated with respect to their security.


The user can switch from one security level to another by clicking on one of the clouds with the mouse. On the right-hand side, you'll find notes which explain the significance of these zones by using examples.

Note:

If two networks are highlighted by using the same colour (e.g. yellow), rules for the traffic between these zones will allow all packets.

Once the security zones are configured, the user starts the analysis phase by clicking on "Start analysis". Network traffic will not be affected by SecureNow! during this phase.

The protocol information of data packets is saved in a structured approach and in an efficient way by SecureNow!.

TRAFFIC STATISTICS

During this period, the user can see a traffic statistics window, which shows at a glance which network traffic classes have which share in the overall data traffic.

Note:

The percentages shown in the traffic statistics window may differ from the data shown in the result overview (see further below), if filter rules have previously been enabled. The traffic statistics window shows all packets which pass through the firewall, whereas SecureNow! only displays the packets which have not been covered by any of the previously defined rules.


The user can finish the recording phase at any point in time. After that, the recorded network traffic is analysed and filter rules are generated.

Any time period can be chosen for the duration for the recording phase. It should, however, be chosen in such a way that a representative proportion of traffic can be analysed. Selecting a duration of 24 hours usually is reasonable, unless the network traffic differs a lot from day to day.


After clicking on "Stop analysis", filter rules are automatically created. Creating the rules can take up to several minutes, depending on the recording time and on the number and variance of the monitored data packets.

These rules are subsequently presented on an overview page, where the user has the opportunity of partially modifying or saving some individual rules.

RESULT PAGE

The rules are divided into several classes, which have already been used in the traffic statistics page shown before. If you click on one of the classes, the rules included in this class are displayed in the detailed view.

There is one special class: "Scan". Rules are listed here, which are destined to completely bar certain network subscribers purely because of the IP address used. The basis for this action is a detected port scan of this subscriber. Since port scans are frequently used for detecting weaknesses of individual computers, it must be assumed that this type of subscriber poses a security threat. IP packets coming from this source are therefore completely discarded.

Note:

Some applications, such as Bittorrent, establish a large number of connections with different subscribers. The same applies to some servers, which provide a large number of services. This behaviour cannot be distinguished from a port scan by using SecureNow!.

Should this be the case and this traffic be desired, the scan rule should simply be set to "Allow".

By using the class control bar, all included rules can be selected ("apply") or unselected.

Additionally it is possible to modify the action for all included rules at once. "Allow" means that all affected packets may pass through the firewall. All packets are discarded with "Drop". "Custom" means that the rules within this class use different (customised) actions.


Note:

If the action is modified, you have to consider that other rules may still allow or bar a portion of the packets affected by this modification afterwards. It could, for example, happen that one rule first checks a certain protocol for an individual IP address and then another rule with the same protocol defines an action for an IP address range which includes the IP address from the first rule. This means the first rule is a special case of the second rule. If this is the case, then both rules have the same previously defined action.

For the user, this means in detail: If a previously defined action is modified, all special cases further up in the order may have to be considered as well, and their actions changed too, if required.

The order in which these rules are executed corresponds to the order on the result page at the start, i.e. the more specific rules are placed further up in the list and are always checked before the more general rules.

In the detailed view of rules it is always possible to sort the entries in lexicographical order by different properties. Where this is possible, the column header shows an icon with two small white arrows. By clicking on the icon, the rules of this class are sorted in ascending or descending order by the selected property.


Significance of columns in the detailed view

In: This rule only applies to packets arriving on this interface of the firewall.

Out: This rule only applies to packets leaving this interface of the firewall.

protocol: In Transbridge mode, the layer 3 protocol of the rule, i.e. the Ethertype, is displayed here. In regular or extended IP router mode, the layer 4 protocol is displayed here.

transport protocol: (Is only shown in Transbridge mode). Here, you'll find the layer 4 protocol (e.g. UDP or TCP), if available.

source IP / source mask: This rule only applies to packets which originate from an IP address in the network range defined by the IP address and mask specified here.

A more detailed explanation of this range is available via the Help icon next to the net mask.

destination IP / destination mask: This rule only applies to packets which are sent to an IP address in the network range defined by the IP address and mask specified here.

source / destination port: For TCP or UDP packets, the port number is specified here. Sometimes the "*" symbol is used here, which represents all possible port numbers.

action: The target of the rule is defined here, i.e. what should happen with the packets characterised by the previously specified criteria. You can choose between "Allow" and "Drop". Allow means that the packets are allowed to pass the firewall. Drop means that these packets are discarded.

apply: Individual rules can be selected for use by ticking this checkbox. "Apply rules" must finally be pushed to confirm the changes.

Affected rules are no longer displayed on this page afterwards, but they are still available for detailed configuration on the "Packet filter" page.


For frequently used port numbers, a Help tooltip shows which application is typically assigned to this port.

Rules are displayed on the overview page even if the action set up for the rule matches the default policy. The default policy is displayed in the filter wizard as soon as at least one SecureNow! rule has been adopted. It defines the action which applies to all remaining packets that have so far been neither allowed nor prohibited. It is explained in more detail further below.

Rules whose actions match the default policy are actually superfluous: it would, for example, have the same effect if only rules with the target action "Allow" were adopted, as long as all remaining packets are dropped by the default policy. Rules with the "Drop" action are nevertheless displayed on the result page in order to give the user the opportunity to modify the action before adopting it, if desired.

This means that in the ideal case, the entire network traffic which passed through the firewall during the recording phase is mapped to rules. Then there is not a single packet that does not match one of the displayed rules. However, there are the following exceptions:

If the traffic throughput is very high, some individual packets are not included in the analysis, i.e. they are not recorded although they pass the firewall.

No separate rules are displayed for TCP packets in the return direction. In IP router mode, they are allowed by the "def Policy rev" rule, which we will explain later. This is done by automatic monitoring of the connection status, so-called connection tracking. In Transbridge mode, the TCP packets of the return direction are treated by a stateless check of the TCP flags.

Packets which have been excluded from analysis by previously defined rules (described later in the "Adoption and configuration in the packet filter" section) are not analysed and also not mapped to rules.


Adoption and configuration in the packet filter

A certain class, e.g. "Industrial Ethernet", is mapped to one or several rule sets with similar names during adoption. The rule sets are further divided depending on which interfaces are involved.

Example:

On the result page, you can see rules under the "Microsoft" class which originated from the "Lan-out" interface and were directed either to the "Lan-in" zone or to the "L2-VPN1" zone. Two rule sets will be created from this in the packet filter: one rule set with the traffic from "Lan-out" to "Lan-in", and another rule set for the traffic from "Lan-out" to "L2-VPN1".

Default rule sets for the different network interfaces are created in addition to the rules displayed on the result page. They define what should happen with the packets which have not been treated by any of the generated rules. These default rules are visible in the packet filter after at least one of the rules has been adopted. They can be recognised by the "_DEFAULT" suffix in their name, which is followed by the short ID of the corresponding interface.

The default rule sets must unconditionally be placed in the last position (this happens automatically once they are adopted). The order amongst the default rules themselves does not matter.

Once automatically generated rules have been adopted in the packet filter, they are active immediately, i.e. clicking on "Apply changes" is no longer required.


It is also possible to have SecureNow! determine more rules once rules have already been defined in the packet filter, regardless of whether they were generated automatically or manually. SecureNow! then generates more rules which reasonably complement the existing ones. The network traffic matching the existing rules is excluded from the analysis in the first place.

However, certain existing rules are not observed in the analysis:

Default configuration: An "Allow L3/L2" rule is already included in the wizard. A default "ARP" rule additionally exists in Transbridge mode. SecureNow! records the traffic before it is checked by either of these rules. This means that every packet is analysed first, and only then checked against the default rules.

After completed analysis and adoption of rules: There are now several automatically generated "_DEFAULT" rules for every network interface in the packet filter. The network with the "low" security level forms an exception: it does not require any default rule. The mentioned "_DEFAULT" rules are placed in the lowest positions in the list. This allows them to be detected automatically when SecureNow! is restarted. The network traffic which has not yet been treated by the rules located in front of the "_DEFAULT" rules is analysed.

Example:

There is a rule set called "HTTP" which prohibits HTTP. Additionally, there are two "_DEFAULT" rules. SecureNow! is now restarted. Every packet passing through the firewall is checked as to whether it meets the rule criteria in the HTTP rule set or not. The packet is dropped if this is the case, i.e. if it is HTTP traffic. All other packets are treated further. In this case, only the "_DEFAULT" rule sets are left for checking.

That is why the SecureNow! analysis is carried out at this point in time. So all packets not considered as HTTP are subjected to the analysis. Then the "_DEFAULT" rule sets are applied to the packets.

After manual configuration: If one or more "_DEFAULT" rule(s) generated by SecureNow! is/are in the last position(s), or if a previously defined "Allow L2" or "Allow L3" rule is in the last position, the packets are used for the SecureNow! analysis before the corresponding default rule(s) is/are applied. Otherwise, the analysis is carried out after all existing rule sets.


The two rules included in the "_DEFAULT" rule sets are a particularity. The rule called "def Policy rev" only allows packets which belong to an established TCP connection or represent responses to other packets which have previously passed the firewall.

This rule does not exist if the firewall is operated in Transbridge mode. Extra rules are then created for the packets of the return direction.

The "default Policy" rule is a simple rule which either allows or drops all inbound packets for a certain zone, depending on which security level was selected for it. If the "moderate" or "high" security level was chosen, the default policy is "Drop"; if the "low" security level was assigned, the default policy is "Allow"/"Accept".

Additionally, a specific "HO_DEFAULT" rule is created for every security zone with a "high" security level. "HO" stands for "High Out", and the corresponding rule set includes a rule which allows the output of all packets originating from a zone with "high" security level. This rule corresponds to the mindset that the components in the green zone are all particularly trustworthy. This rule can, however, be deleted if this behaviour is undesired.


11.8 Packet filter

General

Rule sets on MAC level (layer 2) and IP level (layer 3) can be defined in order to control the data traffic through the ads-tec firewall by using the packet filter, which you can open from the start page or from the "Configuration" section. Every rule set can contain up to 10 rules, and all rules of a rule set share the same setting for the inbound and outbound interface. All active layer 2 rule sets are displayed on the main page of the packet filter.

A filter function at the bottom of the page allows the displayed rule sets to be restricted by inbound and outbound interface. This has no impact on the functioning of the rules: rule sets which are not displayed are still enabled.

The toolbar for adding new rule sets is located above the filter function for the inbound and outbound interface. Clicking on the Plus icon opens a dialogue window which guides the user step by step through the setup options for the different protocol levels.

The overview pages for layer-2 and layer-3 rule sets are structured in the same way. Every displayed rule set can be opened by clicking on the triangular icon to the left of the rule set name, which makes all rules included in the set visible.

On the right margin of the toolbar are the controls for modifying the position of rule sets (and thus their order of processing) as well as an Edit and a Delete icon.

An existing rule set including all its rules can be modified with the Edit icon, or a complete rule set removed with the Delete icon. Once a rule set is deleted in this way, it is no longer enabled, but it can be re-enabled from the collection of existing rule sets by using the Plus icon on the overview page.


Note:

The rule sets and the rules within the rule sets are processed from top to bottom. As soon as a packet meets the criteria of a rule, all subsequent rules of this set and all subsequent rule sets are no longer processed! This means that frequently matched rule sets and rules should be placed in the top positions in order to ensure optimised performance!

Note:

The default setting of this device is to allow all packets. In other words: Depending on which mode is set and which interface is used, all Ethernet packets (layer 2) or IP packets (layer 3) are forwarded. The "Allow_L2" or "Allow_L3" rule set in the packet filter provides for that. Exceptions from this treatment can be added by defining rule sets which bar certain traffic and which are positioned in front of the "Allow_L2" / "Allow_L3" rule set in the order of processing. They then treat the traffic like a "black list".

In the opposite case, traffic can be inspected against a white list if the "Allow_L2" / "Allow_L3" rule set is deleted. Rule sets which allow certain ("white") traffic must be added in this case. Otherwise all packets are dropped, i.e. they are not forwarded.
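The processing model described in the two notes above and in the "_DEFAULT" rule set description earlier (top-to-bottom, first match ends processing, black list in front of "Allow_L3", white list without it, "def Policy rev" for tracked replies) is easy to get wrong when rule sets are reordered. The following Python model is an added example, not part of the manual or the firewall firmware: the Packet, Rule and RuleSet classes, the interface names and the rule set contents are constructed for illustration, and shadowed_rules() is the check a practitioner would want before moving a general rule above a special case.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple

ANY = "0.0.0.0/0"


def _net(spec: str):
    # The GUI takes "IP address and mask" (e.g. 192.168.0.1/24); tolerate host bits.
    return ip_network(spec, strict=False)


@dataclass
class Packet:
    in_if: str
    out_if: str
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    established: bool = False   # known to connection tracking, i.e. a reply packet


@dataclass
class Rule:
    name: str
    action: str                 # "Allow", "Drop" or (layer 3 only) "Reject"
    proto: str = "*"
    src: str = ANY
    dst: str = ANY
    dport: str = "*"
    established_only: bool = False  # models the "def Policy rev" rule

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("*", p.proto)
                and ip_address(p.src) in _net(self.src)
                and ip_address(p.dst) in _net(self.dst)
                and self.dport in ("*", str(p.dport))
                and (not self.established_only or p.established))

    def covers(self, other: "Rule") -> bool:
        """True if every packet that matches `other` also matches `self`."""
        return (self.proto in ("*", other.proto)
                and _net(self.src).supernet_of(_net(other.src))
                and _net(self.dst).supernet_of(_net(other.dst))
                and self.dport in ("*", other.dport)
                and (not self.established_only or other.established_only))


@dataclass
class RuleSet:
    name: str
    in_if: str                  # "*" or an interface name such as "LAN-in"
    out_if: str
    rules: List[Rule]

    def __post_init__(self):
        if len(self.rules) > 10:
            raise ValueError(f"{self.name}: a rule set may contain at most 10 rules")

    def applies_to(self, p: Packet) -> bool:
        return self.in_if in ("*", p.in_if) and self.out_if in ("*", p.out_if)

    def covers(self, other: "RuleSet") -> bool:
        return self.in_if in ("*", other.in_if) and self.out_if in ("*", other.out_if)


def evaluate(sets: List[RuleSet], p: Packet) -> Tuple[str, str]:
    """Top to bottom; the first matching rule ends processing. With no match
    at all the packet is not forwarded (white-list behaviour)."""
    for rs in sets:
        if not rs.applies_to(p):
            continue
        for r in rs.rules:
            if r.matches(p):
                return r.action, f"{rs.name}.{r.name}"
    return "Drop", "<no matching rule>"


def shadowed_rules(sets: List[RuleSet]) -> List[Tuple[str, str]]:
    """Rules that can never match because a more general rule precedes them:
    the special case must move further up or take the general rule's action."""
    seen, found = [], []
    for rs in sets:
        for r in rs.rules:
            for ers, er in seen:
                if ers.covers(rs) and er.covers(r):
                    found.append((f"{rs.name}.{r.name}", f"{ers.name}.{er.name}"))
                    break
            seen.append((rs, r))
    return found


def demo() -> dict:
    # Constructed rule sets in the manual's naming: a black-list set, the
    # "Allow_L3" default set and a "_DEFAULT" set for a "moderate" LAN-in zone.
    http_block = RuleSet("HTTP", "LAN-in", "LAN-out",
                         [Rule("deny_http", "Drop", "tcp", src="192.168.0.1/24", dport="80")])
    allow_l3 = RuleSet("Allow_L3", "*", "*", [Rule("allow_all", "Allow")])
    lan_in_default = RuleSet("LAN-in_DEFAULT", "*", "LAN-in", [
        Rule("def Policy rev", "Allow", established_only=True),  # replies to tracked connections
        Rule("default Policy", "Drop")])                         # everything else into the zone
    web = Packet("LAN-in", "LAN-out", "tcp", "192.168.0.10", "203.0.113.5", 80)
    dns = Packet("LAN-in", "LAN-out", "udp", "192.168.0.10", "203.0.113.5", 53)
    reply = Packet("LAN-out", "LAN-in", "tcp", "203.0.113.5", "192.168.0.10", 51000, True)
    probe = Packet("LAN-out", "LAN-in", "tcp", "203.0.113.5", "192.168.0.10", 22)
    return {
        "wrong_order": evaluate([allow_l3, http_block], web),   # general rule first: HTTP passes
        "shadowed": shadowed_rules([allow_l3, http_block]),      # deny_http can never match
        "black_list": evaluate([http_block, allow_l3], web),     # exception in front of Allow_L3
        "white_list": evaluate([http_block], dns),               # Allow_L3 deleted: DNS dropped
        "reply": evaluate([http_block, lan_in_default], reply),  # def Policy rev lets replies in
        "probe": evaluate([http_block, lan_in_default], probe),  # default Policy drops the rest
    }
```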

Adding a rule set for layer 2

1) Select the "Define a new rule set" option in the list of existing rule sets (enabled and disabled rule sets) and give it a name as well as a short description. You can delete a rule set from the list by using the "Delete" option.

2) Specify the traffic "direction" for the rule set: e.g. from LAN-in to LAN-out. "*" for both interfaces means that the set applies to all directions.


3) Then, the first rule of the rule set is defined directly. First, the source and destination MAC address (e.g. from any source to the network adapter with MAC address 00:50:c2:40:e0:aa) is specified, and then the protocol is defined for which the rule should apply. The subsequent steps for this rule differ depending on which protocol is used. An entire group of MAC addresses can also be selected instead of a source and destination address. Hardware groups are configured in the Configuration → Network → Hardware groups menu.

4) Depending on what was previously selected, there are protocol specific settings at this point. Refer to "Protocol specific rule settings for layer 2" further below.

5) Once the specific criteria are defined, the decision is made what is going to happen with the packets which meet all the criteria, as well as which name should be given to the rule within the rule set. Additionally, a log message can be generated (refer to "Structure of a log message") or an alarm can be triggered (24V are switched through to the alarm output).


6) More rules can be added or adapted in the next step.

7) Finally, the rule is saved and enabled.

Adding a rule set for layer 3

The procedure for layer 3 is the same apart from a few exceptions.

1) Only one interface, the "LAN" interface, is available in Transbridge mode. Both the inbound and the outbound interface must therefore be set to "*". LAN-in and LAN-out can be used in IP router mode. The individual interfaces of the LAN-out ports are additionally available in IP router extended mode. From firmware version 2.1.0, additional L3 VPN interfaces are available in every mode if OpenVPN connections have previously been created with layer 3 interfaces.

2) IP addresses including the related subnet masks are used here instead of MAC addresses as source and destination address (e.g. from any source into the 192.168.0.1/24 network). An entire group of addresses can also be selected instead of a source and destination address at this point. Network groups are configured in the Configuration → Network → Network groups menu.


3) Apart from the specific criteria which depend on the protocol used (refer to "Protocol specific rule settings for layer 3"), the rule can be defined to be "stateful". TCP/UDP connections have extended settings; refer to the section about protocol specific settings for more information.

4) If the rule is defined to be "stateful", the firewall "memorises" which inbound and outbound packets belong to a certain TCP or UDP connection. This allows the generation of rules which depend on the corresponding connection. An example is shown in the "Port forwarding" use case.


5) The additional action "Reject" exists for layer 3 for the event that all rule criteria are met. A reason can be defined for this action, which is then transmitted to the sender of the packet (via ICMP).

Protocol specific rule settings for layer 2

After defining the source and destination MAC address of a rule, all further steps depend on which protocol is selected.

6) ARP: The ARP type can be specified here (e.g. ANY for any type). The most important types are "Request" and "Reply", which are used for resolving IP addresses in local subnets.

IPv4: The source address, destination address, protocol as well as (for TCP or UDP only) the source and destination port of the encapsulated IPv4 packet can be checked here (e.g. the rule must apply to all TCP packets from any source which are sent to the computer with IP address 192.168.253.162 and port number 9999). An entire group of addresses can also be selected instead of a source and destination address at this point. Network groups are configured in the Configuration → Network → Network groups menu.


In the next step, the connection control mode can be set to "Auto" or "Manual" for the TCP or UDP protocol.

In "Auto" mode, the rules for the traffic of the same connection in the opposite direction are inserted automatically. In "Manual" mode, the rule for the return direction must be defined manually. For the TCP protocol, it can then be specified in the next step which header flags are to be checked. Which TCP flags must be checked is defined in the "to check" column. The "Bit is set" property means that the criterion is met if the flag is set (e.g. all packets with a SYN flag but without an ACK flag, i.e. packets which initiate a TCP connection, meet the rule criteria).

If "Other" is used as the protocol setting, you can select from an extended list of IPv4 protocols (e.g. select the PIM protocol).


7) VLAN: The 802.1Q VLAN ID of a "tagged" packet or the prioritisation level (for VLAN ID 0) and the protocol of the encapsulated packet can be checked here (e.g. IP packets tagged with ID 100 must meet the rule criteria).

8) Other: The layer 3 protocol (e.g. NetBEUI) of the packet can be specified here. If the required protocol is not available from the selection of known layer 3 protocols, you can specify a protocol number by entering the number in hex code in the bottom input box.


Then, the action is specified as explained in the "Adding a rule set for layer 2" section (see further above), which is to be applied if the packet meets all criteria.

Note:

If you selected "Manual" instead of "Auto" for the connection control mode earlier, the rule for the traffic in the return direction must be added manually! Please refer to the "Port forwarding" use case for a layer 3 example.

Protocol specific rule settings for layer 3

After defining the source and destination IP address of a rule, all further steps depend on which protocol is selected.

1) TCP/UDP: Source and destination port for the packet can be specified here (e.g. from any source port to destination port 9999).

Then, the connection control mode can be set to either "Auto" or "Stateful". In "Auto" mode, the rule for traffic in the return direction is added automatically. In "Stateful" mode, the state settings for the connection can be set as with the other protocols. "Stateless" can additionally be used for the TCP protocol. The flags of the TCP header can be checked in this case, as described earlier in the "Protocol specific rule settings for layer 2" section.


2) There are no additional options for the remaining protocols.

Then, the action is specified as explained in the "Adding a rule set for layer 3" section (see further above), which is to be applied if the packet meets all criteria.

Note:

If the connection control mode for a TCP/UDP connection is not set to "Auto", the rule for the return direction must be added manually! Refer, for example, to the "Port forwarding" use case.

Layer 2 flow chart

Layer 3 flow chart

Examples

The existing filter rules for layer 2 and layer 3 are good examples for the definition of your own rule sets.

Structure of a log message

If the log checkbox is ticked for a rule and a packet meets the criteria of this rule, the firewall generates a log entry which you can read in the "Eventlog".

If, for instance, the computer with IP address 192.168.253.161 (at the LAN-out interface) responds to a ping from the computer with IP address 192.168.253.160 (at the LAN-in interface), the firewall works in Transbridge mode and logs the ICMP traffic by a corresponding rule on layer 2, a log entry of the following form is generated:

Mar 1 02:13:13 IF-1000 kernel: icmplog.icmplogrule IN=ixp0 OUT=ixp1 MAC source = 00:50:c2:40:e0:aa MAC dest = 00:30:05:ac:b2:22 proto = 0x0800 IP SRC=192.168.253.161 IP DST=192.168.253.160, IP tos=0x00, IP proto=1

The individual specifications have the following meanings:

icmplog.icmplogrule: Ruleset.Rulename of the matching rule
MAC source = 00:50:c2:40:e0:aa: MAC address of the source adapter
MAC dest = 00:30:05:ac:b2:22: MAC address of the destination adapter
proto = 0x0800: Ethernet protocol (here IP)
IP SRC=192.168.253.161: IP address of the source computer
IP DST=192.168.253.160: IP address of the destination computer
IP tos=0x00: Type of service
IP proto=1: IP protocol (here ICMP)

If the firewall works in router mode (LAN-in IP address 192.168.172.162, LAN-out IP address 192.168.253.162), the computer with IP address 192.168.172.219 (at the LAN-in interface) sends a ping request to the computer with IP address 192.168.253.161 (at the LAN-out interface), and the firewall logs the ICMP traffic on layer 3, then for instance the following entry is generated:

Mar 1 03:00:06 IF-1000 kernel: icmplog3.icmplog3rule IN=ixp1 OUT=br0 PHYSOUT=ixp0 SRC=192.168.172.219 DST=192.168.253.161 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=20769 SEQ=11


The individual specifications have the following meaning:

OUT=br0: Outbound interface (br0 corresponds to ixp0)
SRC=192.168.172.219: Source IP address
DST=192.168.253.161: Destination IP address
ID=20769: Connection ID
SEQ=11: Sequential number of the current packet
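Both log forms above are what a collector receives from the "Eventlog"; the layer-2 form uses "name = value" with spaces and commas, the layer-3 form uses iptables-style KEY=VALUE tokens and repeats the ID key for ICMP. The following parser is an added example, not part of the manual or the device firmware: the two sample lines are constructed after the entries shown above, and the parse_if1000_log() and normalise() functions and the field names they return are this example's own.

```python
import re
from typing import Any, Dict

# Constructed sample lines reproducing the two forms shown in the manual:
# a layer-2 (Transbridge) entry and a layer-3 (IP router) entry.
L2_SAMPLE = ("Mar 1 02:13:13 IF-1000 kernel: icmplog.icmplogrule IN=ixp0 OUT=ixp1 "
             "MAC source = 00:50:c2:40:e0:aa MAC dest = 00:30:05:ac:b2:22 proto = 0x0800 "
             "IP SRC=192.168.253.161 IP DST=192.168.253.160, IP tos=0x00, IP proto=1")
L3_SAMPLE = ("Mar 1 03:00:06 IF-1000 kernel: icmplog3.icmplog3rule IN=ixp1 OUT=br0 PHYSOUT=ixp0 "
             "SRC=192.168.172.219 DST=192.168.253.161 LEN=84 TOS=0x00 PREC=0x00 TTL=63 "
             "ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=20769 SEQ=11")

# syslog timestamp, host, "kernel:", then Ruleset.Rulename of the matching rule
_PREFIX = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: "
                     r"(?P<ruleset>[^.\s]+)\.(?P<rule>\S+) (?P<rest>.*)$")
_IFACE = re.compile(r"\b(IN|OUT|PHYSIN|PHYSOUT)=(\S*)")
# layer-2 entries use "name = value" with spaces; a value ends at a space or comma
_L2_FIELD = re.compile(r"(MAC source|MAC dest|IP SRC|IP DST|IP tos|IP proto|proto)\s*=\s*([^\s,]+)")
_L3_TOKEN = re.compile(r"([A-Z]+)=(\S*)")
IP_PROTO_NAMES = {"1": "ICMP", "6": "TCP", "17": "UDP"}


def parse_if1000_log(line: str) -> Dict[str, Any]:
    m = _PREFIX.match(line.strip())
    if m is None:
        raise ValueError("not an IF1000 packet filter log entry")
    rest = m["rest"]
    ifaces = dict(_IFACE.findall(rest))
    rec: Dict[str, Any] = {"timestamp": m["ts"], "host": m["host"],
                           "ruleset": m["ruleset"], "rule": m["rule"],
                           "in": ifaces.get("IN", ""), "out": ifaces.get("OUT", ""),
                           "fields": {}, "flags": []}
    if "MAC source" in rest:                      # layer-2 rule (Transbridge mode)
        rec["layer"] = 2
        rec["fields"] = dict(_L2_FIELD.findall(rest))
    else:                                         # layer-3 rule: KEY=VALUE tokens plus bare flags
        rec["layer"] = 3
        for tok in rest.split():
            kv = _L3_TOKEN.fullmatch(tok)
            if kv is None:
                rec["flags"].append(tok)          # e.g. DF (don't fragment)
                continue
            key, val = kv.groups()
            # ID appears twice for ICMP: the IP header id and, after PROTO/TYPE/CODE, the echo id
            if key == "ID" and key in rec["fields"] and rec["fields"].get("PROTO") == "ICMP":
                key = "ICMP_ID"
            rec["fields"][key] = val
    return rec


def normalise(rec: Dict[str, Any]) -> Dict[str, str]:
    """One flat record shape for both log forms, e.g. for forwarding to a SIEM."""
    f = rec["fields"]
    if rec["layer"] == 2:
        proto = IP_PROTO_NAMES.get(f.get("IP proto", ""), f.get("IP proto", ""))
        src, dst = f.get("IP SRC", ""), f.get("IP DST", "")
    else:
        proto, src, dst = f.get("PROTO", ""), f.get("SRC", ""), f.get("DST", "")
    return {"rule": f'{rec["ruleset"]}.{rec["rule"]}', "in": rec["in"], "out": rec["out"],
            "src": src, "dst": dst, "proto": proto}
```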

11.9 Certificates

General

Certificates are used for authentication of computers or users, as well as for encryption of connections (e.g. OpenVPN). Certificates must have been signed by a certification authority (CA) so that they can be used for this purpose. For authentication, the remote terminal certificate is verified with the CA certificate. The remote terminal is authenticated if the signature is valid and the CA is trustworthy. The CA certificate is called root certificate if it is the basis (root) for authentication and has not been signed by another instance (self-signed certificate). Such a root CA can then be used for signing other, subordinate CA certificates. A chain of trust is built in this way, with the root certificate being the root of it.

The certificates of all superior CAs must be available if a certificate is to be checked which was signed by a CA not identical with the root CA.

Example: A root CA (ads-tec Root-CA) signs a subordinate sub CA (ads-tec ST-CA), which in turn signs the client certificate for an OpenVPN connection. Both the certificate of "ads-tec ST-CA" and the certificate of "ads-tec Root-CA" must be available on the system in order to verify the client certificate.

ads-tec Industrial Firewalls support these multi-level CA hierarchies. As long as all CA certificates of the hierarchy are available, the complete hierarchy paths are always checked with certificate based services (e.g. OpenVPN, IPsec, Radius). Should one CA certificate of the chain turn out to be invalid, then all subordinate certificates are considered as invalid as well.

In order to prevent any misuse of lost or compromised certificates, a Certificate Revocation List (CRL) may be created by the CA. Certificates on this list will then be rejected despite a correct signature.

Note:

With this authentication, it is only verified that the certificate has been issued (or signed) by a certain CA. Security is therefore based on trusting the certification authority, i.e. on the trust in the fact that this authority has issued (or signed) the certificate for the specified purpose (e.g. for authentication of a certain website) only!
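The chain check described above (Root-CA signs ST-CA, ST-CA signs the client certificate; every CA certificate of the path must be present; a revoked CA invalidates everything below it) can be reproduced with the Python cryptography package. This is an added example, not the firewall's own verification code: the hierarchy, key sizes, validity periods and the verify_chain() and make_crl() helpers are constructed here for illustration, and the CRL is distributed in-process instead of being uploaded to the device.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def _name(cn: str) -> x509.Name:
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _cn(cert: x509.Certificate) -> str:
    return cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value


def make_cert(cn, key, issuer_cert=None, issuer_key=None, is_ca=False, days=365):
    """Self-signed when no issuer is given (a root CA), otherwise signed by the issuer."""
    now = datetime.now(timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(_name(cn))
               .issuer_name(issuer_cert.subject if issuer_cert else _name(cn))
               .public_key(key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(now - timedelta(minutes=5))
               .not_valid_after(now + timedelta(days=days))
               .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))
    return builder.sign(issuer_key or key, hashes.SHA256())


def make_crl(issuer_cert, issuer_key, revoked: Iterable[x509.Certificate]):
    """A CRL issued by a CA, listing the serial numbers it has withdrawn."""
    now = datetime.now(timezone.utc)
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(issuer_cert.subject)
               .last_update(now)
               .next_update(now + timedelta(days=1)))
    for cert in revoked:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder()
            .serial_number(cert.serial_number).revocation_date(now).build())
    return builder.sign(issuer_key, hashes.SHA256())


def _validity(cert):
    # cryptography >= 42 offers the *_utc properties; older versions only the naive ones
    nb = getattr(cert, "not_valid_before_utc", None) or cert.not_valid_before.replace(tzinfo=timezone.utc)
    na = getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after.replace(tzinfo=timezone.utc)
    return nb, na


def verify_chain(leaf, ca_store, root, crls=()) -> List[str]:
    """Walk from `leaf` up to the trusted `root`. Every link must be signed by the
    next CA, lie within its validity period and not appear on its issuer's CRL.
    Returns the common names of the verified path, or raises ValueError."""
    by_subject = {c.subject.rfc4514_string(): c for c in ca_store}
    by_subject[root.subject.rfc4514_string()] = root
    now = datetime.now(timezone.utc)
    path, cert = [], leaf
    for _ in range(8):                          # bound the path length
        path.append(_cn(cert))
        issuer = by_subject.get(cert.issuer.rfc4514_string())
        if issuer is None:
            raise ValueError(f"issuer of {_cn(cert)} is not available on the system")
        try:
            issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                       padding.PKCS1v15(), cert.signature_hash_algorithm)
        except InvalidSignature:
            raise ValueError(f"bad signature on {_cn(cert)}") from None
        nb, na = _validity(cert)
        if not nb <= now <= na:                 # the device clock must be right for this
            raise ValueError(f"{_cn(cert)} is outside its validity period")
        for crl in crls:
            if (crl.issuer == issuer.subject
                    and crl.get_revoked_certificate_by_serial_number(cert.serial_number)):
                raise ValueError(f"{_cn(cert)} is revoked, so all its subordinates are invalid")
        if cert is root:                        # reached the trust anchor (self-signed)
            return path
        if issuer is cert:
            raise ValueError(f"{_cn(cert)} is self-signed but not the trusted root")
        cert = issuer
    raise ValueError("certificate chain too long")


def demo() -> Dict[str, object]:
    # Constructed hierarchy in the manual's naming: Root-CA -> ST-CA -> OpenVPN client
    root_key, sub_key, client_key = (rsa.generate_private_key(65537, 2048) for _ in range(3))
    root = make_cert("ads-tec Root-CA", root_key, is_ca=True)
    sub = make_cert("ads-tec ST-CA", sub_key, root, root_key, is_ca=True)
    client = make_cert("OpenVPN_Client1", client_key, sub, sub_key)
    results = {"full_chain": verify_chain(client, [sub], root)}
    try:                                        # sub CA certificate missing on the system
        verify_chain(client, [], root)
    except ValueError as err:
        results["missing_sub_ca"] = str(err)
    try:                                        # root CA revokes the sub CA via its CRL
        verify_chain(client, [sub], root, crls=[make_crl(root, root_key, [sub])])
    except ValueError as err:
        results["revoked_sub_ca"] = str(err)
    return results
```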

Creating certificates with OpenSSL

CA certificates, and thus also signed certificates, can be created with OpenSSL via prompts.

You can download OpenSSL for Windows from http://www.openssl.org/related/binaries.html. You'll find instructions e.g. on:

- http://www.online-tutorials.net/security/openvpn-tutorial/tutorials-t-69-209.html

- http://www.madboa.com/geek/openssl/

Note:

Exemplary certificates are used for illustration only, and may under no circumstances be used for a genuine authentication!

Certificates are valid from the date and time of their creation - the date on the computer used for creating them therefore must be correct.

You can also create a certificate infrastructure by using Microsoft Windows Server 2000/2003 PKI. A starting point would be: http://www.microsoft.com/pki .

Identity data (country name, etc.) must be indicated in order to make all certificates unique! Two different certificates must never use exactly the same data. At least one field must differ (for instance Common name).

Certificate administration with OpenSSL is somewhat cumbersome due to the laborious Windows command line control, which is why we recommend using a graphical frontend instead for all use cases of a smaller scale. In the next chapter, we therefore explain how to use the free "XCA" software for this purpose.

Creating certificates with XCA

Key administration with XCA for OpenVPN

This chapter explains how you can create and control CA, server and client certificates with XCA, specifically for use with OpenVPN.

Introduction:

XCA is a very useful and versatile tool for managing certificates. The variety of options can be a little confusing at the start if you'd "only" like to create a few certificates for OpenVPN. This document is based on version 0.9.0 of the XCA software.


Helpful links:

You'll find some additional hints and tips at: http://XCA.sourceforge.net/

The current version of the XCA software can be downloaded from: http://sourceforge.net/projects/XCA/

Please install the programme and adopt the default settings in the basic setup. After the initial programme start, you'll create a new database:

Use a plausible name like "CA_Projectname". This database must be encrypted with a password: Keep the password safe!

In preparation, you should create templates for the 3 default work steps in order to simplify the use of XCA for yourself right from the start.

Go to the "Templates" tab, select "New template" there and then select "CA" in the pop-up window which appears next.

Enter "CA_template" as the "Internal name" for this new CA template. Fill in all boxes except for "commonName". This box has to remain blank.


In the next tab called "Advanced", the standard validity period for certificates can be set up.

Selecting a long period of time here is usually recommended.


Once you click now on "OK", you should get a message that your CA template has successfully been created.

Repeat all previous steps but select now "HTTPS_server" as a template.


For the "Internal name", we recommend using "OpenVPN_Server_Template". All other values should remain like in the CA template.

Please pay particular attention to the validity period of certificates. Under certain circumstances it can be useful to renew a certificate after a certain period of time and therefore to select a shorter validity period. Otherwise, you should select a longer period of time.

The third and last step in this process is creating the "HTTPS_client" template.


For the "Internal name", we recommend using "OpenVPN_client_template", for example. Otherwise, please select the same values as with the server and CA template.

The following three templates should be present now:

Creating a CA

Now you can start creating the required files. Use the previously created CA template for creating a CA. Select the "Certificates" tab, and then "New certificate".

Now, select your CA template ("CA_template") in the new window, in the "Origin" tab.

Go into the "Signature algorithm" field and switch to 'MD5'. Please don't forget to push the "Save all" button in order to confirm your settings.

Enter a name, e.g. OpenVPN_CA in the next tab called "Owner", in the "commonName" box.

All remaining boxes should have been filled automatically with the values from your template.


Then click on "Create a new key". The best idea is to use the same name here as you've used in "commonName", i.e. in our example "OpenVPN_CA".

You should adapt the length of the key in accordance with your security demands. Consider, though, that long keys reduce the VPN speed and increase the loading time for the Industrial Firewall operating system.

The setting "2048 bit" is usually a good choice, which provides high security at the same time.

Now click on "Create". The following message should appear:

Creating a server certificate

Once again, select "New certificate".

For the "Signature algorithm", please select 'MD5'. Go to the "Signature" section, switch to "Use this certificate as a signature" and select the CA you've just created.

This time, the server template created at the start is used as the template. Please don't forget to click on "Save all" at the end!

Switch to the "Owner" tab and enter a name in the "commonName" box, for instance "OpenVPN_Server1".

© ads-tec GmbH • Raiffeisenstr.14 • 70771 Leinfelden-Echterdingen

251

IT Infrastructure IF1000

All remaining boxes should have been filled automatically with the values from your template.

All that's left to do now is to create a new key for this certificate.

Go to the "Create a new key" section and enter the same name as used in the "commonName" box for this certificate.

Creating a client certificate

A new individual certificate must be created for every client.

Repeat the steps from the server certificate creation, but this time select the previously created "Client template".

Note:

- The "commonName" must always be unambiguous!

- For example: OpenVPN_Client1, OpenVPN_Client2, etc.

A new key must now be created for every client. (Name = commonName).

Export as PKCS#12 files

For using the paired keys with OpenVPN, the keys can be exported into a PKCS#12 file in a compact form. Go to the "Certificates" tab and push the "Export" button in order to do this.

Now highlight (select) all clients and servers you'd like to export, and then push the "Export" button.

Then select the desired directory path in which the clients and servers are to be stored on your system.

Note:

• Please exclusively select "PKCS #12 with Certificate Chain" as the export format, in order to ensure that the certificate properly works with OpenVPN as well as with the Industrial Firewall.

Additionally, you can protect the PKCS#12 file with a password. No password should be used for the server, however, since this could prevent the autostart on Linux and Windows XP systems from working. All passwords are needed by the firewall once only, that is during the process of uploading the certificates to the device.

When using VPN clients under Linux or Windows, the password must be entered for every new connection which is established with the network.

Under certain circumstances, it can be useful to leave all boxes empty and not to assign a password. Protection from unwanted use can also be provided by using a limited validity period instead of a password.

Hint: The server load is reduced if you configure the firewall so that the VPN connection is only initiated when the key switch inside the switch cabinet is used.

If a password is to be used, select one which provides high security.

Integrating certificates in OpenVPN

If you wish to use certificates on the same PC where the XCA application runs, you'll have to copy these certificates into the OVPN folder, once the certificates have been created and exported.

If you wish to use certificates on your Industrial Firewall, you'll have to ensure that the firewall is connected with a PC and that you have access to the Web interface.

Now, go to "General / Certificates" and click on the "Upload" button. Look for the folder in which the certificates were stored, and select the one you'd like to upload to the firewall with a double click. If this certificate is protected by a password, you'll have to enter it now.

Go to "Configuration / OpenVPN" in order to configure your OpenVPN settings. The uploaded certificate should now be available from the drop down menu.

Please go to the following section for instructions on how to use the p12 file in a regular OpenVPN configuration:

# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.

Enter the following: pkcs12 "…OpenVPN\\cert\\OpenVPN_Client1.p12"

All other file types described in the OVPN file can be ignored.

Creating a CRL (Certificate Revocation List)

XCA additionally offers a function for creating a CRL on the basis of your CA and the chain of certificates.

The CRL is a list of all certificates together with their respective validity status.

It allows individual certificates to be withdrawn at the server in a centralised and simplified way.

This is a specific file which is created in XCA and is uploaded to the firewall like a certificate.

You'll have to determine the validity period as well as the point in time when the next update has to be made. Your next update date should be as far in the future as possible, because usually there is no reason for creating a new certificate other than the loss of the old one.

Tick the three boxes as visualised in the next screenshot and then click on "OK".

Once the CRL is created, you can find it in the last tab of the main menu called "Revocation lists".

Then click on "Export" in order to upload the CRL to the firewall:

Select "PEM" as the file format. The file name assigned by XCA should already be provided with the correct file extension based on the previous selection.

The CRL PEM file is now located in the same folder into which the other certificates have previously been exported. Now proceed as with the upload of regular certificates in order to upload it to the firewall server:

Go to the web interface in "Configuration / General settings / Certificates", click on "Browse" and select the corresponding CRL. Subsequently, you can upload the file to the device by using the "Upload certificate" button.

All installed and integrated certificates are verified by using the new CRL. If you wish to restore your trust in a previously revoked certificate, you'll have to select this specific certificate in the XCA programme by clicking on it with the right mouse button and changing its status to "Renew certificate". After that, create a new CRL by exporting and uploading it as described above.

If you have a copy of this certificate on your firewall, you will notice that its status in the web interface has also changed to "Renewed certificate".

This can be useful in order to temporarily reject VPN access for certain users and machines.

Note:

Even if the validity period of a revocation list has expired, it is still used for the verification of certificates as long as no newer CRL is available.

The revocation lists of a firewall (a maximum of one list per CA) should always be kept up to date, if possible, in order to avoid security vulnerabilities caused by lost certificates.

Increased security with DH files:

For security reasons, it is recommended to use XCA in connection with your own DH file.

This can be realised by using OpenSSL.

If you don't have OpenSSL yet, you can download it including the default options by using the following link: http://www.openssl.org/related/binaries.html

Select "Start -> Run" from the start menu after installation. Enter "CMD" in the command line and push the "Enter" key.

Then change the directory path to C:\OpenSSL-Win32\bin\ and enter the following command:

openssl dhparam -out dh1024.pem 1024

The new file dh1024.pem must be saved on the OpenVPN server, where it provides an increased security level.

Creating DH files is to be integrated into XCA in future as well, but in the current version it still does not work reliably.

Additional notes

XCA offers many options and additional functions, which could be useful for you in future.

Please get in touch with us if you have more questions, or if you require any assistance when creating your certificates.

Uploading certificates to the firewall

CA certificates, regular certificates (client certificates) and revocation lists as well are uploaded to the firewall by using the interface for certificates in the same way. If a valid CA certificate is saved on the firewall, then all certificates which have been signed by this CA are considered as trustworthy, as far as they are not included in a CRL.

If the PKCS12 container or the certificate itself is provided with a password, this password must be specified when uploading. The actual upload is then carried out using the "Upload certificate" button.

Note:

The certificate must either be available as a PKCS12 file or in PEM format including a private key in order to upload it to the firewall.

The private key (e.g. myClient1.key) must be protected from unauthorised access.

With an external CA, the certificate request is generated and submitted to the certification authority. It will verify the specified information and will sign the request (if proper data is provided). The certificate generated in this way may then be used for authentication.

For deleting a certain certificate, the checkbox next to this certificate below the trash can icon must be unticked and "Apply settings" must be clicked.

If a revocation list exists for a certain CA certificate it will be displayed in the "CRL status" column.


Note:

- For uploading a certificate as a PEM file, the private key has to be included in the certificate. This does not apply to CA certificates.

- A CRL can only successfully be uploaded if the corresponding CA certificate exists in the firewall.

- If a CA certificate is deleted, the corresponding CRL file is also automatically deleted.

- The demoCA.pem respectively myCA.pem certificates, as well as the demo-clientX.pem or myClientX.pem certificates signed with these CA certificates are exclusively used for test purposes, and must never be used for live authentication!

Error messages for uploaded certificates

Whether a successfully uploaded certificate can actually be used is indicated in the validity column. If it is invalid, clicking on the small question mark icon will allow you to view the error message in detail.

If the certificate is not yet or no longer valid, the following message will appear: error 9 at 0 depth lookup: certificate is not yet valid

Solution: The system time must be set correctly. Otherwise, if this is an invalid certificate, a new certificate has to be requested from the issuer.


If the corresponding CA certificate for a regular certificate is missing, the following message will appear: error 20 at 0 depth lookup: unable to get local issuer certificate

Solution: The corresponding CA certificate must be uploaded.

If a regular certificate is uploaded and by mistake exactly the same identity data is used as in the CA certificate with which it was signed, the following message will appear: error 7 at 0 depth lookup: certificate signature failure

Solution: The certificate has to be recreated. First, a new client request has to be created where at least one identity field (for instance the Common Name field) must differ from the entries in the CA certificate.
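The XCA click-through from "Creating a CA" to "Creating a CRL" above, together with the verify error numbers just listed, as an added example done with the openssl command line. This script is not part of the manual and is not XCA's code; it assumes a POSIX shell with openssl 1.1.1 or later on the PATH, a temporary directory PKI_DIR that it creates itself, and the manual's names OpenVPN_CA, OpenVPN_Server1 and OpenVPN_Client1. It signs with SHA-256 instead of the MD5 the manual selects in XCA, because MD5-signed certificates are rejected by current OpenSSL and OpenVPN builds, and it reproduces error 20 (CA certificate missing) and error 9 (verification time outside the validity period) with "openssl verify", plus error 23 for a certificate that the freshly generated CRL revokes. Error 7 (identity identical to the CA) is not reproduced here.

```shell
#!/bin/sh
# Added example, not taken from the ads-tec manual or from XCA: the same
# CA -> server -> client -> PKCS#12 -> CRL sequence the XCA walk-through
# performs, done with the openssl CLI, plus "openssl verify" runs that
# reproduce the upload error numbers the manual describes.
# Names follow the manual (OpenVPN_CA, OpenVPN_Server1, OpenVPN_Client1);
# the directory layout and file names are assumptions of this script.
set -eu

PKI_DIR="${PKI_DIR:-$(mktemp -d)}"   # every file lives here

# Self-signed CA. The manual selects MD5 in XCA; SHA-256 is used here because
# MD5 signatures are rejected by current OpenSSL and OpenVPN builds.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=OpenVPN_CA" -keyout "$PKI_DIR/ca.key" -out "$PKI_DIR/ca.pem" 2>/dev/null
}

# Key + CSR + CA-signed certificate. $1 = commonName (also the file name),
# $2 = extendedKeyUsage (serverAuth or clientAuth), as a CA template would set it.
issue_cert() {
    cn="$1"; eku="$2"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$cn" \
        -keyout "$PKI_DIR/$cn.key" -out "$PKI_DIR/$cn.csr" 2>/dev/null
    printf 'extendedKeyUsage=%s\n' "$eku" > "$PKI_DIR/$cn.ext"
    openssl x509 -req -sha256 -days 365 -in "$PKI_DIR/$cn.csr" \
        -CA "$PKI_DIR/ca.pem" -CAkey "$PKI_DIR/ca.key" -CAcreateserial \
        -extfile "$PKI_DIR/$cn.ext" -out "$PKI_DIR/$cn.pem" 2>/dev/null
}

make_pki() {
    make_ca
    issue_cert OpenVPN_Server1 serverAuth
    issue_cert OpenVPN_Client1 clientAuth
}

# "PKCS #12 with Certificate Chain": certificate, key and CA in one container.
# $1 = commonName, $2 = export password ("" for the server, as the manual advises).
export_p12() {
    openssl pkcs12 -export -in "$PKI_DIR/$1.pem" -inkey "$PKI_DIR/$1.key" \
        -certfile "$PKI_DIR/ca.pem" -name "$1" -passout "pass:$2" \
        -out "$PKI_DIR/$1.p12"
}

# Revoke certificate $1 and write a CRL with "openssl ca", which needs a
# minimal config, an index file and a CRL number file.
make_crl() {
    : > "$PKI_DIR/index.txt"
    echo 01 > "$PKI_DIR/crlnumber"
    cat > "$PKI_DIR/ca.cnf" <<EOF
[ ca ]
default_ca = ovpn_ca
[ ovpn_ca ]
dir = $PKI_DIR
database = \$dir/index.txt
crlnumber = \$dir/crlnumber
certificate = \$dir/ca.pem
private_key = \$dir/ca.key
default_md = sha256
default_crl_days = 30
EOF
    openssl ca -config "$PKI_DIR/ca.cnf" -revoke "$PKI_DIR/$1.pem" 2>/dev/null
    openssl ca -config "$PKI_DIR/ca.cnf" -gencrl -out "$PKI_DIR/ca.crl.pem" 2>/dev/null
}

# Prints the "error N at D depth lookup" number the firewall surfaces, or 0 if OK.
# $1 = certificate, $2 = CA file; further arguments go to "openssl verify" unchanged.
verify_code() {
    cert="$1"; cafile="$2"; shift 2
    out=$(openssl verify -CAfile "$cafile" "$@" "$cert" 2>&1 || true)
    case "$out" in
        *": OK"*) echo 0 ;;
        *) printf '%s\n' "$out" | sed -n 's/.*error \([0-9]*\) at [0-9]* depth lookup.*/\1/p' | head -n 1 ;;
    esac
}

# Runs the whole sequence when invoked as "sh pki.sh demo".
if [ "${1:-}" = "demo" ]; then
    make_pki
    export_p12 OpenVPN_Server1 ""
    export_p12 OpenVPN_Client1 "example-password"
    echo "client vs CA:            $(verify_code "$PKI_DIR/OpenVPN_Client1.pem" "$PKI_DIR/ca.pem")"
    echo "client vs wrong CA (20): $(verify_code "$PKI_DIR/OpenVPN_Client1.pem" "$PKI_DIR/OpenVPN_Server1.pem")"
    echo "client in 1970 (9):      $(verify_code "$PKI_DIR/OpenVPN_Client1.pem" "$PKI_DIR/ca.pem" -attime 1000000)"
    make_crl OpenVPN_Client1
    echo "revoked client (23):     $(verify_code "$PKI_DIR/OpenVPN_Client1.pem" "$PKI_DIR/ca.pem" -crl_check -CRLfile "$PKI_DIR/ca.crl.pem")"
fi
```

The "client in 1970" run is the manual's error 9 case seen from the other side: the firewall's own clock being wrong produces exactly the same message, which is why the first remedy listed above is to set the system time. The CRL check with `-crl_check` is what the firewall does once a CRL has been uploaded for the CA.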

Importing certificates under Windows

First the "Microsoft Management Console" must be started. Enter the command mmc in "Start/Run". Within the console, then load the snap-in for the computer account of the local computer by using File/Add/Remove snap-in:

The certificate import wizard is then started.

Next the certificate file has to be selected:

If the container or the certificate is password protected, this password must be specified for importing (for the exemplary demo-client2.p12 container, there is no password, which is why you may press the Next button directly):

Certificates must be sorted automatically (so that e.g. demo-client2.pem is stored as a certificate and demoCA.pem as a root certificate from the container):

Finally, import must be completed. Certificates may then be viewed under Certificates and root certificates under Trusted root certificates. These folders may have to be updated first (right-click and select the Update item in the menu).

Note:

- The PKCS12 file contains also the demoCA.pem root certificate, apart from the actual demo-client2.pem certificate.

- If the root certificate is not included in the container in case of My certificates (own certificates), it must be imported in the same way.

11.10 SCEP

General

The "Simple Certificate Enrolment Protocol" was developed with the intent of making the distribution of certificates as simple and scalable as possible. The current status (as per 30th November 2009) is defined in the IETF draft, which you'll find at http://tools.ietf.org/id/draft-nourse-scep-20.txt.

Precisely one certificate can be uploaded into the ads-tec device by using SCEP. This certificate is then available for all certificate based services, just like a manually created and uploaded certificate. Several devices of a certain type can be set up with the same configuration in an environment with several ads-tec infrastructure products (e.g. by using IDA).

The prerequisite is a CA (certificate authority), with which a registration authority (RA) exists, which supports the Simple Certificate Enrolment Protocol. This is possible with a Windows Server on which the NDES service (network device enrolment service) is installed (also possible as an individual RA server) or with a Linux server in connection with OpenSSL and OpenSCEP.

Note:

As the validity of certificates is always restricted to a certain period of time, all devices must have the correct time. We recommend using the NTP (network time protocol) service on all devices in order to ensure the correct time on all devices at all times.

The figure shows the procedure of a certificate request by using SCEP. Once the required SCEP data is set up on the firewall (e.g. the SCEP server URL), the certificate request is generated, which is submitted to the SCEP server. The CA and SCEP certificates are retrieved from the SCEP server (see figure). In this way the subsequent communication is protected from any manipulation.

Then the SCEP server forwards the request to the CA. The firewall retrieves the process status ("Waiting for SCEP certificate" status in this figure) in regular intervals until the SCEP server has obtained the desired certificate from the CA.

Once the certificate is approved and issued by the CA, it is downloaded by the IFW via the SCEP server. If OpenVPN connections which use the SCEP certificate (not available until then) are already configured at this point in time, these connections are started automatically now.

Configuration

All basic settings with respect to the SCEP server and the certificates are made on the SCEP main page. The setting "Enable SCEP" must be selected in order to enable SCEP. More settings can be made after that.

The SCEP "Server URL" setting is of utmost importance. To be valid, the entry has to be made in the form http://SCEP_SERVER/PATH, where "SCEP_SERVER" can be either an IP address or a DNS name in this case. The PATH depends on the SCEP server software. If for instance the NDES Windows Server is used, then "certsrv/mscep/mscep.dll" is usually the correct path.

In order to allow the SCEP service to verify the SCEP server / RA, it is required that the CA certificate, with which the SCEP server certificate has been signed, is uploaded to the firewall beforehand. The SCEP server certificate and the CA certificate are then automatically obtained, verified and subsequently displayed on the "Certificates" page.

Example:


Challenge password:

The challenge password is a "disposable password" in most cases, i.e. it can only be used exactly once. Under certain circumstances, this prevents unauthorised people from obtaining a certificate from the CA, and it therefore plays a vital role in particular with publicly available CAs.


Renewal interval:

If a challenge password is not set, a number of days can be defined here. It tells you how many days before the certificate expiry date a new certificate is automatically obtained via SCEP.

Automatic CRL download: This option is used for the automatic retrieval of an up-to-date CRL from the CA. Once started, it tries to obtain an updated CRL every hour. If a new CRL was successfully obtained, it is displayed on the "Certificates" page including the related CA certificate.

Client certificate details:

More setup options concerning the properties of the certificate appear if you click on the "Client certificate details" button. Frequently used "Distinguished name" boxes and the length of the RSA key belonging to the certificate can be defined here.

With the "Use device serial number as name" option, the combination of device type and serial number (e.g. IF1100-AX00900071) is used as the "Common name". This option is important if several devices with the same configuration are set up. Since the serial number is different for every individual device, this ensures that every device is provided with a certificate with individual properties.

Status page

You can reach the status page from the SCEP main page by using the "Status" tab. The progress bar in this tab displays the current status.

If the bar has reached the "5 - completed" position, the certificate is available on the "Certificate" page and can be used like all the other certificates.

In the event of an error, detailed error messages, which provide notes regarding the error cause, appear underneath the progress bar.

Use of OpenVPN with a certificate

It is possible to use the "scep-cert.pem" certificate for OpenVPN connections even while the SCEP service is not enabled yet, or the SCEP request is not completed yet.

These connections are only enabled once the certificate has successfully been obtained via SCEP.

As long as the "scep-cert.pem" certificate is not available yet, the certificate is displayed with a red font colour on the OpenVPN page. After the successful download, the font colour is switched to black, and more certificate details can be displayed.


Note:

Windows Server NDES is using the "IPSEC Intermediate (offline)" certificate template as a default setting. This template cannot be used for OpenVPN connections, since it is not intended for client and server authentication in accordance with the "x509 v3 extended key usage". With Windows Server 2003, there is additionally no other opportunity of using a different template for NDES. If Windows Server 2008 is used, a different template can be set up via the registry (directory path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP).
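The two SCEP points above that are easy to get wrong, the request the firewall builds (commonName from the device serial, one-time challenge password) and the extended key usage the issued certificate must carry for OpenVPN, as an added example with the openssl command line. This script is not the manual's or the firewall's code; it assumes a POSIX shell with openssl 1.1.1 or later, a temporary directory WORK that it creates, the manual's example serial IF1100-AX00900071 as commonName, and a constructed organisation name, challenge value and file names. The EKU OID 1.3.6.1.5.5.8.2.2 ("IP security IKE intermediate") stands in for what the Windows "IPSEC Intermediate (offline)" template issues; that mapping is this example's assumption, not a statement from the manual.

```shell
#!/bin/sh
# Added example, not part of the ads-tec manual: builds the kind of PKCS#10
# request a device submits via SCEP (commonName derived from the device
# serial, one-time challenge password as a request attribute) and checks a
# certificate's extendedKeyUsage the way OpenVPN's x509 v3 EKU check needs it.
# IF1100-AX00900071 is the manual's example serial; organisation, file names
# and challenge value are constructed for this script.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# $1 = commonName (device type + serial), $2 = SCEP challenge password.
make_scep_csr() {
    cat > "$WORK/req.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
attributes = attrs
[ dn ]
CN = $1
O = EXAMPLE-ORG
[ attrs ]
challengePassword = $2
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/req.cnf" \
        -keyout "$WORK/scep.key" -out "$WORK/scep.csr" 2>/dev/null
}

# commonName of a CSR (what the SCEP server will put into the certificate).
csr_cn() {
    openssl req -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# 1 if the CSR carries a challengePassword attribute, else 0.
csr_has_challenge() {
    if openssl req -in "$1" -noout -text | grep -q 'challengePassword'; then echo 1; else echo 0; fi
}

# Self-signed certificate with a chosen EKU, standing in for what a CA
# template would issue. $1 = file prefix, $2 = extendedKeyUsage value.
make_cert_with_eku() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 -subj "/CN=$1" \
        -addext "extendedKeyUsage=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# 1 if the certificate's EKU lists the given purpose as openssl prints it
# (e.g. "TLS Web Client Authentication"), else 0.
has_eku() {
    if openssl x509 -in "$1" -noout -text | sed -n '/Extended Key Usage/{n;p;}' | grep -q "$2"; then
        echo 1
    else
        echo 0
    fi
}

# Runs the whole sequence when invoked as "sh scep-check.sh demo".
if [ "${1:-}" = "demo" ]; then
    make_scep_csr IF1100-AX00900071 EXAMPLE-ONE-TIME-CHALLENGE
    echo "CSR CN: $(csr_cn "$WORK/scep.csr"), challenge present: $(csr_has_challenge "$WORK/scep.csr")"
    make_cert_with_eku ovpn-client clientAuth
    # 1.3.6.1.5.5.8.2.2 = "IP security IKE intermediate" (assumed here to be
    # the EKU of the Windows "IPSEC Intermediate (offline)" template).
    make_cert_with_eku ndes-default 1.3.6.1.5.5.8.2.2
    echo "clientAuth cert usable by OpenVPN:       $(has_eku "$WORK/ovpn-client.pem" 'TLS Web Client Authentication')"
    echo "IKE-intermediate cert usable by OpenVPN: $(has_eku "$WORK/ndes-default.pem" 'TLS Web Client Authentication')"
fi
```

Running `has_eku` against a certificate obtained through NDES before configuring it on the OpenVPN page tells you in advance whether the "x509 v3 extended key usage" problem described in the note applies, instead of finding out from a failed tunnel.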

11.11 L2TP

General

The "Layer 2 Tunnelling Protocol" (L2TP) is a tunnelling solution for setting up a virtual private network (VPN). The IF1100 may be used as a L2TP/IPsec server for external clients, for instance via DSL by using LAN-in, or by using SERVICE:

In our exemplary configuration for LAN-in, the server is using the IP addresses 192.168.11.166 (LAN-in) and 192.168.1.166 (LAN-out). The client with the IP address 191.168.11.164 (LA…) … N-out (the server does not see the client IP-address but only the gateway IP-address). The gateway is using the IP address 192.168.1.1… The L2TP connection is configured in such a way, that the client endpoint gets the IP address … and thus becomes a subscriber of the LAN-out network of the server by using the VPN tunnel.

Note:

IPsec and L2TP/IPsec are exclusive services and may not run at the same time. As soon as the L2TP/IPsec service is activated, the pure IPsec service is disabled and vice versa.

Firewall configuration as L2TP/IPsec server for LAN-in with PSK

The interface of the local tunnelling endpoint, its local IP address and the type of authentication can be specified in the upper section of the configuration page for L2TP/IPsec. Users are added in the lower half (user name, password and IP address). In our example, the server is using IP address 192.168.5.100, and assigns the IP address 192.168.5.101 to the client. These addresses are included in the LAN-out subnet (192.168.5.0/24). As a result, the client becomes a component of the LAN-out network via the secure L2TP/IPsec connection.

Note:

The local IP address and the user IP addresses must not have been assigned yet. User name and password are used by the client in order to log in at the server (see next passage).

Configuration of Windows XP as an L2TP/IPsec client with PSK

First an entry must be added in the Windows registry. The registry editor can be started with the "regedit" command in the "Start/Run..." command line. The DWORD AssumeUDPEncapsu… under HKEY_LOCAL_MACH… must be set to 1. Create the DWORD by right-clicking and using New/Create DWORD value.

Then change the actual value by right-clicking on the DWORD.

Open the Network connections view via Control Panel/Network connections and start the wizard there by using View network connections/Create a new connection. Select Connect to the Network at my Workplace for the network connection type:

Select Virtual Private Network connection for the connection type:

As the Connection Name you can use L2TP test, for example:

The server IP address is 192.168.11.164, for instance:

Finally, the connection setup is completed. Before you can now establish the VPN, a few settings have to be adapted (in the Connect dialogue, right-click on the new connection). First you must select Advanced under Properties > Security options and set the Data encryption there to Optional encryption:

The PSK must be set … (… in the example):

The VPN type must be set to L2TP-IPsec-VPN under Networking:

The connection can be established by using a User name and a password (… in the example cases):

Note:

The L2TP function was tested with Windows XP Professional. Other operating systems should also work. However, certain updates might be required or limitations may apply. For example, PSK cannot be used under Windows 2000. Authentication must be carried out by using certificates in that case (see next passage).

If the client is not located behind the router (but directly connected) and if you experience problems when establishing the connection, the AssumeUDPEncaps… value should be set to 0.

Configuration of Windows XP Professional as an L2TP client with certificates

A change in Authentication (method) to Certificates is required at the firewall which works as an L2TP/IPsec server (demo-client1.pem is used for authentication in the example):

Under Windows, a certificate must be uploaded into the certificate memory (for example demo-client2.p12). Additionally, a root certificate is required for authenticating the remote terminal (it is included in the container, already).

Defining the VPN network connection is carried out as described in the previous section, but with the difference that no pre-installed key (and thus automatically a certificate) is used:

Note:

How to create certificates, upload them to the firewall and import them under Windows is described in the "Certificates" use case.

Configuration of Windows XP Professional as an L2TP client with certificates using a modem

This feature is currently unavailable due to an interoperability issue caused by Windows. A laptop, for instance, is currently unable to dial in at the firewall and to additionally start an L2TP connection.

Should, however, the network connection be established between a Dial-out and a Dial-in firewall via modem (refer to our "SERVICE" use case), and the L2TP connection be established to the second firewall, configuration is carried out in the same way as described for the example of L2TP/IPsec tunnelling via LAN-in. Connecting a laptop to a firewall via SERVICE and establishing a tunnel to the firewall behind it, also works in the same way.

Note:

If in a firewall SERVICE and L2TP are activated for the SERVICE interface, the user name of the SERVICE interface must differ from the L2TP user name.

11.12 IPsec

General

IPsec allows the encryption of traffic to a remote endpoint on an IP level. During establishment of the connection, the endpoints authenticate each other (Main mode), and … (… mode). Authentication is either carried out by using certificates (recommended) or by using a Pre-Shared Key (or short PSK, which is less safe than a certificate).

Note:

…ding of certificates.

"Subnet-to-subnet" use case

In this use case, an IPsec tunnel is established between two firewalls, and the data traffic between two dedicated subnets is encrypted. Up to 64 connections are possible on the IF1000 firewall in this case.

Note:

IPsec encrypts the data traffic between the specified subnets only. In order to encrypt the entire data traffic between two firewalls, the 0.0.0.0/0 subnet, which includes all possible subnets, must specifically be used.

The subnets of both remote terminals must differ from the local subnet, so that the data traffic can properly be allocated.

"Roadwarrior" use case

In this case, a so-called "roadwarrior" (e.g. a "moving" laptop from a hotel room) establishes an IPsec connection with a firewall and gains access to a network behind the firewall.

Note:

Any number of roadwarriors is allowed to connect with the firewall by using the roadwarrior connection. In each case only the traffic of the roadwarrior itself is tunnelled (but not the traffic of a network behind it). Only one roadwarrior connection is possible (remote address and remote subnet are both set to *).

"Subnet-to-subnet" configuration

Both endpoints of an IPsec connection are equal, which means that it is not about a server/client model. Therefore, the configuration of both parties is generally the same, with the difference that the definition of subnet and remote endpoint is adapted accordingly. In the example, the "West" and "Southwest" firewalls are supposed to connect with the "East" firewall. All three devices are connected with a switch on the LAN-In (192.168.1.0/24 network). The data traffic between the LAN-out networks is to be encrypted. "West" has the end number 165 in the corresponding IP addresses (LAN-in has 192.168.1.165 as an IP address, and LAN-out has 192.168.253.165 as an IP address), while "Southwest" has the end number 166 and "East" the end number 164.

The configuration for "West" ("Southwest" is configured in the same way) looks as follows:

"East":

The settings for the local IPsec endpoint and the authentication method are the same for all connections, and are defined above the table. The local interface describes the actual tunnelling endpoint. The entire traffic from or to the specified local subnet is encrypted or decrypted there (the packets which originate from the firewall will be encrypted if no subnet is specified). If the remote endpoint cannot be reached directly (e.g. if access is gained via a router), specify the address of the next router (Usually, this box should remain empty though.). If Use default gateway is clicked, the default gateway specified in the IP configuration is used as the next router.

Underneath the table, new connections can be added, for instance:

The operating mode of a connection is either Active (connection is immediately established) or Passive (waiting for inbound connections). Instead of an IP address, a host name may be specified as well. If the subnet box is left blank, the packets of the firewall are encrypted (like with the local subnet).

If certificates are used for authentication, the subject of the certificate of the remote terminal must be specified as the Remote ID for this connection ("West" uses, for instance, demo-client2.pem and requires that the certificate of the remote terminal is signed by the demoCA: …uerttemberg, L=DEMO-LN1, O=DEMO-ON1, …, [email protected], which corresponds with demo-client1.pem of "East"). The subject field can simply be filled in by "copy & paste".

Note:

The subject field information must exactly match the certificate description of the remote terminal.

Should a router use NAT between both firewalls (i.e. change the IP addresses of packets, like a router does, which connects a LAN with the Internet), the NAT Traversal option must be set (since authentication might fail otherwise).

If the network performance decreases due to NAT, it might help to restrict the Maximum Transfer Unit (MTU) number.

For security reasons, certificates are usually sent on request only. But this might prevent compatibility with some providers, like for instance Cisco and Safenet, under certain circumstances. That means if a firewall is to be connected with a device of such a provider, the Send certificates option must probably be set to Always.

If a firewall is to be connected with a device which is only capable of non-secure methods (DES/DH1), the Allow weak encryption option must be enabled.

The subnets must be different, in order to allow IPsec service to route the packets in an unambiguous way. That means that an individual virtual LAN is not established, but the data traffic between different subnets is secured.

If a PSK is used for authentication, the Remote ID box might be left blank (the IP address is then used as an ID). If the remote terminal, however, explicitly uses a defined ID (for instance a Cisco router), it might be required to specify this ID.

Should the authentication method change, the invalid entries will be labelled as such, and not considered until the method is changed back again.

"Roadwarrior" server configuration

Exactly one specific connection may be defined by setting the IP address and remote subnet to "*". Even if this is not a server mode in its usual sense, the firewall has to await (passively) the connection (passive operating mode is required). Any number of roadwarriors is allowed to connect (only if authentication succeeds, of course).

In this example, a "Roadwarrior" firewall behind a router called "Router" connects with a "Gateway" firewall, which is configured as a roadwarrior server and routes the traffic into a local network:

Whilst you must know the certificate subject of the remote terminal in detail in the "subnet-to-subnet" use case, a * might be used in the roadwarrior setup for those entries which are allowed to vary. Setting all entries except the country to * means that the country must be Germany, but that the other entries might have any value.

Even if wildcards are allowed, all subject info boxes must exist and must match the certificates of the roadwarriors, and they must be sorted, because otherwise authentication might fail (if e.g. an email address stands as the last entry in the subject info box of the roadwarrior certificate, and the firewall is usually not supposed to verify it, the last entry in the certificate subject info box must nevertheless not be omitted).

The configuration of the "Gateway" device looks as follows:

Note:

Although * may be used as a wildcard for any box in the certificate subject info, all box entries must always exist and match the certificates of the roadwarriors.

The email address box has three equivalent notations: E=*, emailAddress=*, and

Email=*.

The NAT traversal option should always be enabled, since you don't know beforehand whether a roadwarrior is located behind a NAT router (e.g. one that has no direct connection with the Internet, but is connected with the Internet via a router). This option has no effect if NAT traversal is not required.

Should the roadwarrior connect from inside a LAN by using a NAT router, the LAN subnet must belong to one of the official IP address ranges for private networks, i.e. to 10.0.0.0/8, 192.168.0.0/16 or 172.16.0.0/12.

"S

UBNET

-

TO

-

SUBNET

"

CONFIGURATION BETWEEN A

W

INDOWS

2003

SERVER AND A FIREWALL

A corresponding IP security policy must be created under Windows in order to establish an IPsec tunnel connection between a Windows server and a firewall. The example setup corresponds with the "Subnet-to-subnet" example, with the difference that the Windows server is used instead of the "West" device and that "Southwest" is omitted. The "East" device configuration is unchanged (the connection for "Southwest" is simply no longer used):

That means the Windows server has 192.168.253.165 as the internal and 192.168.1.165 as the external IP address; it authenticates itself by using the demo-client2.pem certificate (You'll find a detailed instruction for importing this certificate into the certificate store in the "Certificates" use case.).

First, you'll have to start the Microsoft Management Console in order to create a new IP policy. To do this, enter the secpol.msc command in the "Start/Run..." line. The wizard is started by right-clicking on IP security policies on Local computer, and by clicking there on Create IP security policy.


A name (e.g. "West") must be defined, and the default response rule must be disabled:

If you leave the Edit properties box ticked when finishing, the Properties dialogue will immediately be opened (otherwise go to the respective policy by right-clicking it and selecting Properties).

For each direction of the IPsec tunnel a separate policy must be defined. In order to do so, untick the Use wizard box and click the Add button:


Click on Add in the IP filter list tab in order to create a new filter list. This list is to be used for the outgoing direction and requires exactly one filter policy. In order to create this list, you'll have to disable Use wizard and then to click on Add:


The own internal subnet (192.168.253.0/24) is used as the Source address and the internal subnet of the firewall (192.168.5.0/24) is used as the Destination address. The Protocol type in the Protocol tab is left unchanged; "Mirrored" should not be ticked (disabled):

Push the OK button to return to the policy. The filter must be enabled by clicking the round radio button in front of it:

Then switch to the Filter action tab. Disable the wizard there once more and click on Add. In this case, the IPsec filter action for the data traffic between both subnets is defined: Select Encryption and Integrity as the security level and click on Add. Perfect-Forward Secrecy must be enabled, whereas Insecure communication must be disabled. The action can be renamed under General (e.g. to "West tunnel"); then push the OK button.


This action must, like the filter, also be selected by clicking the radio button:

Switch to the Tunnel settings tab next and specify the external IP address of the firewall as the tunnel endpoint:


Finally, you'll have to unselect the "Active Directory Standard (Kerberos V5 protocol)" method in the Authentication methods tab, and click on Add. Click in this place on "Use a certificate from the following certification authority", and select the "DEMO-CN" certification authority:

The All network connections item should be selected in the Connection type tab. Defining this policy is finished by using Close:

In the next step, the opposite direction of the tunnel is defined in the same way. Click once more on Add under Policies in the console, define a new filter list (e.g. using "ToWest" as a name) and select it:


The "West tunnel" action must again be selected in the Filter action tab. The external IP address of the Windows server (192.168.1.165) must be specified as the tunnel endpoint in the Tunnel settings tab. The same settings as with the "ToEast" policy must be made in the Authentication methods tab. Both rules, "ToEast" and "ToWest", are then visible in this policy:


Subsequently, push the OK button in order to return to the console. Finally, the policy must be enabled. In order to do so, right-click the policy, which opens the context menu, and click on Assign:

In the Computer management (right-click My Computer and then on Manage), you can view messages with respect to IPsec under Event viewer/Security:

If the tunnel was properly established, one message each must be available for the Main mode and for the Quick mode, which indicates that the IKE security association was established. In order to monitor login attempts, you'd have to start the Microsoft management console by clicking "Start/Run..." and entering mmc in the command line; then you'd have to add the "Group-policy object editor" snap-in there.


There, you'd have to enable the monitoring policies in the Properties for "Monitor login events" and "Monitor login attempts" under Local computer/Computer configuration/Windows settings:

Note:

You'll find a complete documentation with respect to IPsec for Windows 2003 server at http://support.microsoft.com/kb/816514/EN-US. Please refer to the "Certificates" use case if you'd like to import certificates.

The demo-client2.pem certificate cannot directly be selected. The Windows server will try the certificates of the specified certification authority until authentication is successful. For this purpose, the Windows server must rather be part of a domain with previously set security policies: a new Organisation unit must be created in Active Directory (with the server as a member), and the Organisation unit must be assigned to the security policy.

Information and status are displayed in the IP security monitor MMC snap-in.

It is not recommended to carry out this configuration remotely: It is possible that you can no longer reach the system if an error occurs during this process.

The route to the internal subnet of the firewall must probably be set manually. In the above example this is achieved because the external network adapter of the server uses the external IP address of the firewall (192.168.1.164) as the default gateway.

If the Windows server is supposed to exclusively permit traffic between both subnets, further filter rules must be created in order to prevent traffic from or to other subnets.

Establishing an IPsec tunnel connection between a PC using Windows XP Professional and the internal network of a firewall is done in the same way. The only difference in this case is that "Use own IP address" must be specified as the Source address of the "ToEast" filter list and as the Destination address of the "ToWest" filter list.

However, it is more useful to use L2TP in this use case (which uses IPsec as a basis), because it can be configured easier. With respect to this, please refer to our use case "L2TP".


IPSEC STATUS PAGE

Active tunnels, that means only actually present IPsec connections, are listed on the IPsec status page. The page does not show the name of the connection the tunnel belongs to (but the assignment is visible in the configuration page). For instance, for the firewall "East" from the "Subnet-to-subnet" example:

Note:

Before the remote terminal was authenticated, the tunnel cannot transport packets; in this case the remark "hold" or "trap" is found next to the entry. This indicates that the tunnel setup is still pending.

REGULAR IPSEC EVENTLOG MESSAGES

The IPsec tunnel is established in two phases, as was mentioned at the start. First, both parties must authenticate (Main mode), and then the actual tunnel is established (Quick mode). A successful connection establishment generates for the "Subnet-to-subnet" scenario for the "West" device, for instance, the following Eventlog entries (read from top to bottom):

IF1xxx ipsec_pluto[1677]: "IPsecConn" [...] 'C=DE, ST=Baden-Wuerttemberg, L=DEMO-LN1, O=DEMO-ON1, OU=DEMO-OUN1, CN=DEMO-CN1, [email protected]' [...] {using isakmp#1}

IF1xxx ipsec_pluto[1677]: "IPsecConn" #1: no crl from issuer "C=DE, ST=Baden-Wuerttemberg, L=DEMO-LN, O=DEMO-ON, OU=DEMO-OUN, CN=DEMO-CN, [email protected]" found (strict=no)


IF1xxx ipsec_pluto[1677]: "IPsecConn" #1: no crl from issuer "C=DE, ST=Baden-Wuerttemberg, L=DEMO-LN, O=DEMO-ON, OU=DEMO-OUN, CN=DEMO-CN, [email protected]" found (strict=no)

IF1xxx ipsec_pluto[1677]: "IPsecConn" #1: peer ID is 'C=DE, ST=Baden-Wuerttemberg, L=DEMO-LN1, O=DEMO-ON1, OU=DEMO-OUN1, CN=DEMO-CN1, [email protected]'

IF1xxx ipsec_pluto[1677]: "IPsecConn" #1: initiating Main Mode

IF1xxx ipsec_pluto[1677]: loaded private key file 'demo-client2.key' (497 bytes)

IF1xxx ipsec_pluto[1677]: loaded host cert file 'demo-client2.pem' (1384 bytes)

IF1xxx ipsec_pluto[1677]: loaded CA cert file 'demoCA.pem' (1330 bytes)

IF1xxx ipsec_pluto[1677]: Starting IPsec service

ISAKMP SA established means that authentication was successful, and IPsec SA established means that the tunnel was successfully established. If both parties are set to Active (like in the above example), it is possible that both the authentication and the tunnel establishment occur twice. In an Active/Passive constellation this would happen only once.

Authentication and tunnel establishment are repeated in varying time intervals in order to increase security.

IPSEC EVENTLOG ERROR MESSAGES

In general it can be said that errors in the Main mode indicate failed authentication (either the remote terminal was not reached, or one of the two parties couldn't authenticate itself properly). Errors in Quick mode, on the other hand, indicate an erroneous configuration of the tunnel endpoints (a wrong subnet specification, for example). A few error messages are listed below.

The certificate, by means of which the firewall is trying to authenticate, is invalid, because the system time is not included in the range of the validity period. As a result, the certificate cannot be used and the firewall cannot authenticate:

IF1xxx ipsec_pluto[3161]: "IPsecConn" #1: sending encrypted notification INVALID_KEY_INFORMATION to 192.168.1.164:500

IF1xxx ipsec_pluto[3161]: "IPsecConn" #1: no RSA public key known for 'C=DE, ST=Baden-Wuerttemberg, L=DEMO-LN1, O=DEMO-ON1, OU=DEMO-OUN1, CN=DEMO-CN1, [email protected]'

IF1xxx ipsec_pluto[3161]: "IPsecConn" #1: X.509 certificate rejected

IF1xxx ipsec_pluto[3161]: "IPsecConn" #1: checking validity of "C=DE, ST=Baden-Wuerttemberg, L=DEMO-LN1, O=DEMO-ON1, OU=DEMO-OUN1, CN=DEMO-CN1, [email protected]": X.509 certificate is not valid until Jan 11 12:59:20 UTC 2007 (it is now=Dec 31 23:01:39 UTC 2006)


The remote terminal cannot be reached (not available):

IF1xxx ipsec_pluto[9224]: "IPsecConn" #1: ERROR: network error on LAN-in (sport=500) for message to 192.168.1.168 port 500 , complainant 192.168.1.165: No route to host

The remote terminal can be reached, but either the IPsec service does not run there at all or it was configured for another interface:

IF1xxx ipsec_pluto[3609]: "IPsecConn" #23: ERROR: network error on LAN-in (sport=500) for message to 192.168.1.165 port 500 , complainant 192.168.1.165: Connection refused

The remote terminal does not accept the desired type of authentication (PSK or certificates):

IF1xxx ipsec_pluto[4186]: packet from 192.168.1.164:500: received notification NO_PROPOSAL_CHOSEN

The remote terminal tries to authenticate by using a certificate, although a PSK is expected:

IF1xxx ipsec_pluto[4186]: "IPsecConn" #6: sending notification NO_PROPOSAL_CHOSEN to 192.168.1.164:500

IF1xxx ipsec_pluto[4186]: "IPsecConn" #6: policy does not allow OAKLEY_RSA_SIG authentication

The remote terminal tries to authenticate by using a PSK, although a certificate is expected:

IF1xxx ipsec_pluto[1664]: "IPsecConn" #59: sending notification NO_PROPOSAL_CHOSEN to 192.168.1.165:500

IF1xxx ipsec_pluto[1664]: "IPsecConn" #59: policy does not allow OAKLEY_PRESHARED_KEY authentication

The PSKs of both parties do not match:

IF1xxx ipsec_pluto[4186]: "IPsecConn" #16: sending notification PAYLOAD_MALFORMED to 192.168.1.164:500

Authentication at the remote terminal failed. The corresponding "sending notification" message of the other party usually appears there together with explanatory error messages:

IF1xxx ipsec_pluto[1664]: "IPsecConn" #54: received notification INVALID_ID_INFORMATION

The certificate subject info of the remote terminal does not match the expected certificate subject info, and will thus be rejected (e.g. the state of "Berlin" is expected, but the certificate originates from the state of "Baden-Württemberg", according to the subject info):

IF1xxx ipsec_pluto[7061]: "IPsecConn" #1: we require peer to have ID 'C=DE, ST=Berlin, L=DEMO-LN1, O=DEMO-ON1, OU=DEMO-OUN1, CN=DEMO-CN1, [email protected]', but peer declares 'C=DE, ST=Baden-Wuerttemberg, L=DEMO-LN1, O=DEMO-ON1, OU=DEMO-OUN1, CN=DEMO-CN1, [email protected]'

The equivalent message, if the firewall responds to a request from a remote terminal instead of having initiated the authentication process on its part (in this example the remote terminal offers a certificate from Baden-Württemberg, although the connection is only defined for a certain certificate from Berlin), is:

IF1xxx ipsec_pluto[7061]: "IPsecConn" #2: no suitable connection for peer 'C=DE, ST=Baden-Wuerttemberg, L=DEMO-LN1, O=DEMO-ON1, OU=DEMO-OUN1, CN=DEMO-CN1, [email protected]'

Authentication was successful, but the definition of the tunnelling endpoints does not match (In this example, the remote terminal expects the 192.168.6.0/24 subnet, although 192.168.5.0/24 was specified as the local subnet.):

IF1xxx ipsec_pluto[4707]: "IPsecConn" #1: cannot respond to IPsec SA request because no connection is known for 192.168.6.0/24===192.168.1.164[C=DE, ST=Baden-Wuerttemberg, L=DEMO-LN1, O=DEMO-ON1, OU=DEMO-OUN1, CN=DEMO-CN1, [email protected]]...192.168.1.165[C=DE, ST=Baden-Wuerttemberg, L=DEMO-LN2, O=DEMO-ON2, OU=DEMO-OUN2, CN=DEMO-CN2, [email protected]]

If the SERVICE tunnelling endpoint interface is selected and the modem connection is not yet active at this point in time, establishing the IPsec connection will be postponed until the SERVICE interface is actually started up:

IF1xxx ipsec_pluto: IPsec service not started yet: SERVICE is not running

This message indicates an internal IPsec configuration error:

IF1xxx ipsec_pluto[1677]: packet from 192.168.11.166:500: initial Main Mode message received on 192.168.11.164:500 but no connection has been authorised==192.168.253.0/24
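The messages above lend themselves to a simple first-line triage rule: Main mode messages point at reachability or authentication, Quick mode messages at the tunnel endpoint definition. The following Python is an added example, not part of the manual or the IF1000 firmware; the log lines it processes are constructed from the messages quoted in this section, and the regular expression assumes the "IF1xxx ipsec_pluto[pid]: "conn" #n: message" layout shown above.

```python
# Added example (not ads-tec code): classify IPsec Eventlog lines written by
# ipsec_pluto into the phases and causes described in this section.
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Layout assumed from the quoted entries: optional host, "ipsec_pluto", an
# optional [pid], an optional '"conn" #state:' prefix, then the message text.
LINE_RE = re.compile(
    r'^(?:\S+\s+)?ipsec_pluto(?:\[(?P<pid>\d+)\])?:\s*'
    r'(?:"(?P<conn>[^"]+)"\s+#(?P<state>\d+):\s*)?(?P<msg>.*)$'
)

# (substring, phase, diagnosis) in priority order; the first hit wins.
RULES: List[Tuple[str, str, str]] = [
    ("certificate is not valid", "main", "certificate outside validity period; check system time"),
    ("X.509 certificate rejected", "main", "certificate rejected"),
    ("INVALID_KEY_INFORMATION", "main", "own certificate unusable; check system time"),
    ("No route to host", "main", "remote terminal not reachable"),
    ("Connection refused", "main", "IPsec service not running on remote or bound to another interface"),
    ("OAKLEY_RSA_SIG", "main", "peer offers a certificate but a PSK is expected"),
    ("OAKLEY_PRESHARED_KEY", "main", "peer offers a PSK but a certificate is expected"),
    ("NO_PROPOSAL_CHOSEN", "main", "authentication type (PSK/certificate) not accepted"),
    ("PAYLOAD_MALFORMED", "main", "PSKs of both parties do not match"),
    ("INVALID_ID_INFORMATION", "main", "authentication at the remote terminal failed"),
    ("we require peer to have ID", "main", "certificate subject info does not match"),
    ("no suitable connection for peer", "main", "no connection defined for this certificate subject"),
    ("cannot respond to IPsec SA request", "quick", "tunnel endpoint/subnet definition does not match"),
    ("IPsec service not started yet", "info", "waiting for the SERVICE interface"),
    ("no connection has been authorised", "config", "internal IPsec configuration error"),
]


def classify(line: str) -> Optional[Dict[str, str]]:
    """Return {'conn','state','phase','diagnosis','msg'} for a recognised error
    line, None for lines that are not ipsec_pluto output or are not errors."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    msg = m.group("msg")
    for needle, phase, diagnosis in RULES:
        if needle in msg:
            return {"conn": m.group("conn") or "", "state": m.group("state") or "",
                    "phase": phase, "diagnosis": diagnosis, "msg": msg}
    return None


def summarize(lines: List[str]) -> Dict[str, int]:
    """Count recognised errors per phase, so an operator sees at a glance
    whether authentication (main) or the tunnel definition (quick) fails."""
    counts: Counter = Counter()
    for line in lines:
        hit = classify(line)
        if hit:
            counts[hit["phase"]] += 1
    return dict(counts)


# Constructed sample log, assembled from the messages quoted in this section.
SAMPLE_LOG = [
    'IF1xxx ipsec_pluto[3161]: "IPsecConn" #1: sending encrypted notification INVALID_KEY_INFORMATION to 192.168.1.164:500',
    'IF1xxx ipsec_pluto[9224]: "IPsecConn" #1: ERROR: network error on LAN-in (sport=500) for message to 192.168.1.168 port 500 , complainant 192.168.1.165: No route to host',
    'IF1xxx ipsec_pluto[4186]: packet from 192.168.1.164:500: received notification NO_PROPOSAL_CHOSEN',
    'IF1xxx ipsec_pluto[4186]: "IPsecConn" #16: sending notification PAYLOAD_MALFORMED to 192.168.1.164:500',
    'IF1xxx ipsec_pluto[4707]: "IPsecConn" #1: cannot respond to IPsec SA request because no connection is known for 192.168.6.0/24===192.168.1.164...192.168.1.165',
    'IF1xxx ipsec_pluto[1677]: "IPsecConn" #1: initiating Main Mode',
    'IF1xxx ipsec_pluto: IPsec service not started yet: SERVICE is not running',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(classify(entry))
    print(summarize(SAMPLE_LOG))
```

The rule order matters: the specific OAKLEY_* lines are checked before the generic NO_PROPOSAL_CHOSEN rule, so the pair of messages the firewall writes for an authentication-type mismatch yields one precise diagnosis and one generic one rather than two generic ones.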

IPSEC FILTER RULES

If IPsec is enabled, the IPsec version of the tunnel interface additionally appears in the packet filter (e.g. there will be LAN-In (IPsec) additionally to LAN-In). This version may then be used for defining rule sets for the data traffic through the IPsec tunnel. The regular version continues referring to the remaining data traffic.


IPSEC SPECIFICATION

Key exchange                          IKE (Internet Key Exchange) is based on the ISAKMP (Internet Security Association and Key Management Protocol).
IKE phases                            Main mode; Quick mode
Authentication method                 X.509 certificates incl. RSA; PSK
DH groups                             DH group 1 MODP 768; DH group 2 MODP 1024; DH group 5 MODP 1536
Data integrity                        MD5 (128bit); SHA1 (160bit)
Encryption                            3DES (192bit); AES (128bit); AES (192bit); AES (256bit)
Hardware encryption                   Yes
IPsec mode                            ESP tunnel
Maximum number of IPsec connections   64
NAT traversal                         Yes
Dead peer detection                   Yes

The firewall is using AES128-MD5-DH2 in the Main mode and AES128-SHA1 in the Quick mode, by default.

11.13 MODBUS TCP

GENERAL

Modbus TCP allows the control of the function of a device via Ethernet from a PLC unit, as well as the retrieval of status information. Communication services (SERVICE, IPsec and OpenVPN) can be controlled at the firewall and CUT&ALARM messages can be activated from a PLC unit using this protocol. For instance, an OpenVPN connection is defined between two firewalls, and the client is "inactive" (see the "OpenVPN" use case for that). The client can then be activated from a PLC unit via Modbus TCP and the OpenVPN connection be established in this way.

Note:

Only one PLC can be connected at the same time.

You'll find a detailed description of the registers in the "IF1xxx Modbus TCP register overview" document.

The general registers, the status register and the CUT&ALARM input register can always be addressed (the status register in read-only mode, only).

The SERVICE input register can only be addressed if the SERVICE interface is enabled (you can then make a dial-in connection or terminate a connection).

The IPsec input register always enables or disables the entire service: all defined and enabled connections are enabled or disabled at once. Connections with active mode will automatically establish the connection, whereas connections with passive mode will await a connection request. Managing these connections individually is impossible.

An OpenVPN input register can only be addressed if the corresponding entry is defined (you can then activate and deactivate this entry via Modbus TCP). In this case, not the list position but the associated L2-VPN interface counts. So, if for instance the relevant entry is associated with the L2-VPN3 interface, the status register and the input register for OpenVPN-3 apply.


MODBUS TCP CONFIGURATION

The Modbus TCP server can be enabled under Configuration/Advanced/Modbus TCP.

Additionally, the following settings can be made:

There are no restrictions for selecting the server port. If no specific port is specified, the firewall waits for incoming requests on the default port for Modbus TCP (502).

Access can be limited to a certain client. For this purpose, the client address may be specified as an IP address on the one hand, or as a host name, which will be resolved when starting up the server, on the other hand. The connection can be established from any computer if no specific client address is specified.

For increasing the security, a 32 bit password may be specified. If a password is set up, the client has to write the 16 high-order bits into the "PASSWORD-HIGH" register 0x01 and the 16 low-order bits into the "PASSWORD-LOW" register 0x02 before it is allowed to access the status and input registers. Otherwise the client has direct access to all registers.

Usually only access violations are reported (if the IP address is restricted or a password is required), so that the Eventlog is not overflowing with information. If “Message details” is activated, additional information about connection establishment, requests and access times will be logged.

Note:

The password is checked when the low-order portion is written in register 0x02. So, if the password is 0xaa11bb22 for example, then 0xaa11 must first be written in register 0x01, and 0xbb22 in register 0x02 subsequently. The password is valid for the duration of the TCP connection. If the connection is re-established, all password registers are reset to 0x0000.

If a host name is used for restricting the client address, this name will be resolved into an IP address as early as during the server start, and not only when the actual connection is established. This means that Modbus TCP has to be restarted if the meaning of a host name changes.


ACTIVATING OPENVPN

In order to enable an OpenVPN entry associated with the L2-VPN1 OpenVPN interface for example, the PLC must set the 0x24 register of unit 0x00 to 1 by using the 0x10 function code (write multiple registers). If this register is set to 0, the entry is disabled and the connection shut down.

Note:

Unit 0 stands for the firewall itself and is the only permitted unit.

The connection is directly established and lasts for approximately 10 seconds. This is the time needed for responding to the request. This means the PLC receive timeout must be set sufficiently high.

The input register contains the most recently written value regardless of which result the action had (or 0 if the input register has not been written yet). The actual connection status must be read from the corresponding status register (for example 0x14 for OpenVPN-1).

The other input registers work in the same way (except for the 0x10 CUT&ALARM register, which can only be set to 0x00 for acknowledging the message). Please refer to the "IF1xxx Modbus TCP register overview" document for a detailed description of input registers.

READING THE STATUS REGISTERS

The PLC is able to retrieve all status registers in one request. For this purpose, it has to read 14 registers from the starting address 0x10 of unit 0x00 by using the function codes 0x03 or 0x04.

Note:

The reading of all status registers takes approximately 5 seconds. Due to performance reasons the status registers should not be read too often (once per minute at most).

You'll find a detailed explanation of the register contents in the "IF1xxx Modbus TCP register overview" document.
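The three operations described in this and the preceding sections (unlocking with the 32 bit password, writing an input register with function code 0x10, reading the 14 status registers with function code 0x03 or 0x04) map directly onto Modbus TCP frames. The following Python is an added example and not ads-tec's implementation; it only builds and parses frames offline and does not open a connection, so the server replies it parses are constructed below by a simulated server. Register numbers, function codes and exception codes are the ones documented in this chapter; the password value 0xaa11bb22 is the manual's example, the transaction ids are arbitrary.

```python
# Added example (not ads-tec code): build and parse the Modbus TCP frames the
# IF1xxx expects for password unlock, input register writes and status reads.
import struct
from typing import List, Optional, Tuple

MODBUS_PORT = 502            # default server port
UNIT_ID = 0x00               # unit 0 = the firewall itself, the only valid unit
FC_READ_HOLDING = 0x03
FC_READ_INPUT = 0x04
FC_WRITE_MULTIPLE = 0x10

REG_PASSWORD_HIGH = 0x01
REG_PASSWORD_LOW = 0x02
REG_STATUS_FIRST = 0x10      # 14 status registers: 0x10 .. 0x1D
STATUS_COUNT = 14
REG_INPUT_OPENVPN1 = 0x24

EXCEPTION_TEXT = {0x01: "invalid function code", 0x02: "invalid register",
                  0x03: "invalid register value", 0x04: "server error"}


def mbap(tid: int, pdu: bytes, unit: int = UNIT_ID) -> bytes:
    """Prepend the MBAP header: transaction id, protocol id 0,
    length (unit id + PDU), unit id."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def write_multiple(tid: int, start: int, values: List[int]) -> bytes:
    """Function 0x10: write len(values) registers starting at 'start'."""
    pdu = struct.pack(">BHHB", FC_WRITE_MULTIPLE, start, len(values), 2 * len(values))
    pdu += b"".join(struct.pack(">H", v & 0xFFFF) for v in values)
    return mbap(tid, pdu)


def read_registers(tid: int, start: int, count: int, fc: int = FC_READ_HOLDING) -> bytes:
    """Function 0x03 or 0x04 (identical on the IF1xxx): read 'count' registers."""
    return mbap(tid, struct.pack(">BHH", fc, start, count))


def password_frames(password: int, tid: int = 1) -> List[bytes]:
    """Two writes in the documented order: the high-order 16 bits into 0x01
    first, then the low-order 16 bits into 0x02, which triggers the check."""
    return [write_multiple(tid, REG_PASSWORD_HIGH, [(password >> 16) & 0xFFFF]),
            write_multiple(tid + 1, REG_PASSWORD_LOW, [password & 0xFFFF])]


def enable_openvpn1(tid: int, enable: bool) -> bytes:
    """Input register 0x24: 1 enables the OpenVPN-1 entry, 0 disables it."""
    return write_multiple(tid, REG_INPUT_OPENVPN1, [1 if enable else 0])


def read_all_status(tid: int) -> bytes:
    """One request for all status registers, 0x10 .. 0x1D."""
    return read_registers(tid, REG_STATUS_FIRST, STATUS_COUNT)


def parse_response(frame: bytes) -> Tuple[int, Optional[str], List[int]]:
    """Return (function code, error text or None, payload). The payload is the
    register values for a read, [start, quantity] for a write. A function code
    with bit 7 set is an exception response; the next byte is the code."""
    _tid, _proto, length, _unit = struct.unpack(">HHHB", frame[:7])
    pdu = frame[7:7 + length - 1]
    fc = pdu[0]
    if fc & 0x80:
        code = pdu[1]
        return fc & 0x7F, EXCEPTION_TEXT.get(code, f"exception 0x{code:02x}"), []
    if fc in (FC_READ_HOLDING, FC_READ_INPUT):
        n = pdu[1]
        return fc, None, list(struct.unpack(f">{n // 2}H", pdu[2:2 + n]))
    if fc == FC_WRITE_MULTIPLE:
        return fc, None, list(struct.unpack(">HH", pdu[1:5]))
    return fc, f"unexpected function 0x{fc:02x}", []


# Constructed server replies (a simulated IF1xxx, used only for demonstration).
def simulated_read_reply(tid: int, values: List[int]) -> bytes:
    payload = b"".join(struct.pack(">H", v & 0xFFFF) for v in values)
    return mbap(tid, struct.pack(">BB", FC_READ_HOLDING, len(payload)) + payload)


def simulated_exception(tid: int, fc: int, code: int) -> bytes:
    return mbap(tid, struct.pack(">BB", fc | 0x80, code))


if __name__ == "__main__":
    for frame in password_frames(0xAA11BB22):
        print("unlock :", frame.hex())
    print("enable :", enable_openvpn1(3, True).hex())
    print("status :", read_all_status(4).hex())
    # Without a valid password the firewall answers with exception 0x02.
    print(parse_response(simulated_exception(4, FC_READ_HOLDING, 0x02)))
    print(parse_response(simulated_read_reply(4, [0x0100] + [0] * 13)))
```

Because the password is checked only when register 0x02 is written, a client that sends the two unlock frames in the wrong order is answered with exception 0x02 on its next status read; that is the first thing to verify when a PLC reports "invalid register" after a reconnect, since the reconnect resets both password registers to 0x0000.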


11.14 IF1000 SERIES MODBUS TCP REGISTER OVERVIEW

GENERAL

The Modbus TCP implementation is based on the official documentation of the Modbus-IDA Independent User Organization ( http://modbus.org ):

• http://www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf

• http://www.modbus.org/docs/Modbus_Messaging_Implementation_Guide_V1_0b.pdf

A Modbus TCP server runs on IF1xxx, which receives the requests on TCP port 502 (if not otherwise configured). Currently, only the logical unit 0 can be addressed, which stands for the firewall itself.

The Modbus TCP server is able to process the following address codes:

• 0x03 (Read Holding Registers)

• 0x04 (Read Input Registers)

• 0x10 (Write Multiple Registers)

Reading operations 0x03 and 0x04 are identical in their behaviour. In the following explanations, bit 0 stands for the lowest and bit 15 for the highest bit in the order used in the registers.

If an error occurs whilst processing the request, the following exception codes are possible:

0x01   Invalid function code    Neither 0x03, 0x04, nor 0x10 was used as a function code.
0x02   Invalid register         The register either does not exist, or the desired operation cannot be performed.
0x03   Invalid register value   The value to be written is invalid for the register.
0x04   Server error             An internal error occurred while processing the request.

Note:

Processing time for the implementation has not been optimised. Establishing an OpenVPN connection, for instance, may take approximately 10 seconds. Reading all status registers in one request may take approximately 5 seconds. The response from the Modbus TCP server requires a corresponding period of time. For performance reasons, these requests thus may not be performed too often (The status in particular should only be retrieved once per minute at most, and should be restricted to the required registers), and the PLC timeouts should be sufficiently high. Furthermore, only one client at a time may connect to the firewall using the Modbus TCP server.


REGISTER OVERVIEW

General registers:

0x00 (VERSION)
0x01 (PASSWORD-HIGH)
0x02 (PASSWORD-LOW)

Status registers:

0x10 (CUT&ALARM)
0x11 (SERVICE)
0x12 (reserved for L2TP)
0x13 (IPsec)
0x14 (OpenVPN-1) to 0x1D (OpenVPN-10)

Input registers:

0x20 (CUT&ALARM)
0x21 (SERVICE)
0x22 (reserved for L2TP)
0x23 (IPsec)
0x24 (OpenVPN-1) to 0x2D (OpenVPN-10)

Status registers cannot be written. The content for all status registers for a specific connection is similar:

• Bit 0 contains the information whether the considered connection is defined at all, i.e. whether there is an entry or the service is enabled.

• Bit 1 contains the information whether the connection was enabled. For SERVICE, this bit is only temporarily set, as long as the dialling process runs, and with IPsec it is always set if the mode is "active" or "passive" (that means if the connection cannot manually be controlled at all).

• Bit 2 contains the information whether this connection actually exists.

• The other bits indicate type specific information.

"Read" as well as "Write" are permitted actions for the input registers. As long as the corresponding service of a register for a specific connection is not active or cannot be configured, all writing attempts will be invalid and the exception code 0x02 (invalid register) will be returned. Independently of the success of an action initiated by writing an input register, the value will be written into the input register and can be retrieved. However, the actual status of the corresponding service must be retrieved from the status register.

VERSION (0X00 REGISTER)

This register is currently always set to 0x0100; it can be read but not written. The high-order byte is the major, and the low-order byte is the minor version number.


PASSWORD (0X01 AND 0X02 REGISTER)

Register 0x01 (PASSWORD-HIGH) is the high-order portion and register 0x02 (PASSWORD-LOW) the low-order portion of the 32 bit password. Both registers may be written and read as usual. If a password is required, it must be set correctly before you can access the status and input registers. The password verification is carried out as soon as register 0x02 is written (because of that, register 0x01 must be set first). The password is valid for the entire duration of the TCP connection. If the connection is re-established, the content of both registers is reset to 0.

CUT & ALARM

Status (0x10 register)

Bits   Meaning        Explanation
0      ALARM          ALARM is active
1      Internal CUT   CUT is active
2      External CUT   CUT is active
3-15   Unused

Input (0x20 register)

The register can be written with the value 0x0000 in order to acknowledge ALARM and internal CUT messages. The external CUT cannot be reset in this way because it is a signal that is externally applied. 0x0000 is the only permitted value.

SERVICE

Status (0x11 register)

Bits   Meaning          Explanation
0      Service active   The service is enabled
1      Dial-in          SERVICE attempts to connect to a remote terminal (Dial-out only)
2      Connected        SERVICE is connected with a remote terminal
3      Dial-out         SERVICE is configured as Dial-out (if not set, then configured as Dial-in)
4-15   Unused

Input (0x21 register)

This register can either be written with the value 0x0001 (establish the connection, for Dial-out only) or with the value 0x0000 (shut down connection).


L2TP

[RESERVED]

IPSEC

Status (0x13 register)

Bits   Meaning                   Explanation
0      Service active            The IPsec service is enabled and the connection configured as manual
1      Enabled                   The connection is enabled (always with Active/Passive)
2      Connected                 Tunnel is established
3      Manual mode               Connection can explicitly be established/shut down
4      Active mode               Mode if the connection cannot be operated in manual mode (if not set: Passive)
5      Dynamic remote terminal   Connection awaits roadwarriors (i.e. multiple connections are possible)
6-7    Unused
8-15   Roadwarriors              Number of roadwarriors

Bits   Meaning           Explanation
0      Defined           At least one connection is defined
1      Enabled           IPsec is globally enabled
2      Connected         At least one tunnel is established
3-7    Unused
8-15   Enabled tunnels   How many IPsec tunnels are actually established

Input (0x23 register)

This register can either be written with the value 0x0001 (establish the connection), or with the value 0x0000 (shut down connection). This is impossible for versions before version 1.0, if IPsec is configured for manual control.

OPENVPN

Status (0x14-0x1D register)

Bits   Meaning     Explanation
0      Defined     The OpenVPN entry exists
1      Enabled     OpenVPN entry is enabled
2      Connected   Tunnel is established
3      Server      The entry is defined as a Server
4-7    Unused
8-15   Clients     Number of clients (with Server only)


Input (0x24-0x2D register)

This register can either be written with the value 0x0001 (enable entry) or with the value 0x0000 (disable entry) if this entry is defined.
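The bit layouts in the tables of this chapter decode with a few shifts and masks. The following Python is an added example, not ads-tec code; it takes the 14 register values returned by a read starting at 0x10 and expands them into named fields. For IPsec it implements the second (global) layout of the 0x13 table, and the OpenVPN registers are numbered 1 to 10 in order of the register address 0x14 to 0x1D. The sample register values are constructed.

```python
# Added example (not ads-tec code): decode the 14 status registers 0x10..0x1D
# into named fields according to the bit tables in this chapter.
from typing import Dict, List

REG_STATUS_FIRST = 0x10
STATUS_COUNT = 14


def _bit(value: int, n: int) -> bool:
    return bool((value >> n) & 1)


def decode_cut_alarm(v: int) -> Dict[str, bool]:
    """0x10: bit 0 ALARM, bit 1 internal CUT, bit 2 external CUT."""
    return {"alarm": _bit(v, 0), "internal_cut": _bit(v, 1), "external_cut": _bit(v, 2)}


def decode_service(v: int) -> Dict[str, bool]:
    """0x11: bit 0 service active, bit 1 dial-in running (dial-out only),
    bit 2 connected, bit 3 configured as dial-out (else dial-in)."""
    return {"service_active": _bit(v, 0), "dialling": _bit(v, 1),
            "connected": _bit(v, 2), "dial_out": _bit(v, 3)}


def decode_ipsec(v: int) -> Dict[str, object]:
    """0x13 (global layout): bit 0 at least one connection defined, bit 1 IPsec
    globally enabled, bit 2 at least one tunnel up, bits 8-15 established tunnels."""
    return {"defined": _bit(v, 0), "enabled": _bit(v, 1), "connected": _bit(v, 2),
            "enabled_tunnels": (v >> 8) & 0xFF}


def decode_openvpn(v: int) -> Dict[str, object]:
    """0x14..0x1D: bit 0 entry exists, bit 1 enabled, bit 2 tunnel up,
    bit 3 server, bits 8-15 number of clients (server only)."""
    return {"defined": _bit(v, 0), "enabled": _bit(v, 1), "connected": _bit(v, 2),
            "server": _bit(v, 3), "clients": (v >> 8) & 0xFF if _bit(v, 3) else 0}


def decode_status_block(regs: List[int]) -> Dict[str, Dict[str, object]]:
    """Expand the 14 registers read from 0x10 in one request."""
    if len(regs) != STATUS_COUNT:
        raise ValueError(f"expected {STATUS_COUNT} registers, got {len(regs)}")
    out: Dict[str, Dict[str, object]] = {
        "CUT&ALARM": decode_cut_alarm(regs[0]),
        "SERVICE": decode_service(regs[1]),
        "L2TP": {"raw": regs[2]},          # 0x12 is reserved
        "IPsec": decode_ipsec(regs[3]),
    }
    for i, v in enumerate(regs[4:], start=1):  # 0x14 .. 0x1D -> OpenVPN-1 .. -10
        out[f"OpenVPN-{i}"] = decode_openvpn(v)
    return out


def established_tunnels(regs: List[int]) -> int:
    """Number of VPN tunnels actually up: the IPsec tunnel count plus every
    OpenVPN entry whose 'connected' bit is set. Useful as one health metric."""
    st = decode_status_block(regs)
    return st["IPsec"]["enabled_tunnels"] + sum(
        1 for k, v in st.items() if k.startswith("OpenVPN-") and v["connected"])


# Constructed sample: ALARM + both CUTs, SERVICE dial-out and connected,
# IPsec enabled with two tunnels, OpenVPN-1 a server with three clients,
# OpenVPN-2 an enabled client with its tunnel up.
SAMPLE_REGS = [0x0007, 0x000D, 0x0000, 0x0207, 0x030F, 0x0007] + [0] * 8

if __name__ == "__main__":
    for name, fields in decode_status_block(SAMPLE_REGS).items():
        print(f"{name:10s} {fields}")
    print("tunnels up:", established_tunnels(SAMPLE_REGS))
```

Reading the connection state from these status bits, rather than echoing back the input register, is the point the manual makes for the input registers: the input register only stores what was last written, whatever the outcome.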


11.15 SIM CARD

GENERAL

A faulty piece of equipment may be simply replaced by using a SIM card. You just have to remove the SIM card from the faulty device and insert it in the replacement device. No intervention by qualified staff is required.

SIM CARD TYPE

Only SIM cards from ads-tec must be used!

SAVING THE CONFIGURATION ON A SIM CARD

If no SIM card is inserted, the message "No SIM card available" appears.

In order to save the settings to a SIM card, you have to select the "Write settings additionally to SIM card" checkbox in the "Save" dialogue, and to push the Save settings button afterwards.

REPLACING A DEVICE

Place the SIM card in the switched off device and then turn the device on. Settings will now be loaded during booting. The following messages might appear in the Eventlog:


EXAMPLES:

Successful loading of settings:

Nov 1 00:00:05 IF1xxx system: successfully loaded config from SIM card

The successful update of a SIM card was saved to a different firmware than before:

Nov 1 00:00:05 IF1xxx system: successfully updated SIM card config to firmware version: 1.1.1

Note:

If a SIM card is written in a device with the up-to-date firmware version and the same SIM card is put into a device with an older firmware version afterwards, all parameters newly introduced with the later firmware version are deleted, since they are unavailable in the older firmware version. This also applies to the data stored on the SIM card itself.

(Only applicable for RAP/RAC!) A SIM card including a configuration cannot be switched between two different types of devices. If, for example, the configuration of a RAP111x type is stored to a SIM card, this SIM card will not be readable if you put it into a RAC111x type device. But the card can be overwritten at any point in time.

Some RAP/RAC devices with an older hardware version can't manage this function despite having a SIM card slot. SIM card functions will not be visible in these cases.


11.16 EXTENDED IP ROUTER

GENERAL

In regular IP router mode, the IF1000 device connects two different subnets with each other. The LAN-out ports form a single interface, which means that there is only a single IP address for all the outputs of the LAN-out interface. In the extended IP router mode, on the other hand, each port defines an own subnet including an own IP address. The IF1000 will then, as a result, route between five different subnets.

Note:

In extended mode, the switch cannot be configured as a VLAN switch, and can also not convey any VLAN packets.


CONFIGURING THE EXTENDED IP ROUTER MODE

Basic configuration

If you select the IP router (extended) mode in the IP configuration, subnets may individually be specified for each port. In this mode, all "LAN-in" interfaces as well as all LAN-out ports are always available for configuration.

Every interface can be configured statically or per DHCP. Additionally, "PPPoe/DHCP" can be configured on any hardware interface, which allows a connection with a connected DSL modem to be established on one of the LAN-out ports as well.

Depending on the actual OpenVPN configuration, the interfaces "LAN-out (internal)" (with OpenVPN layer 2 connections) or "L3-VPN" (with OpenVPN layer 3 connections) can additionally be available. This requires that a connection is first defined in the "Configuration VPN OpenVPN" menu. Subsequently, the corresponding interfaces can be configured on the IP configuration page.


LAN-in switch configuration

Physical interfaces can only be connected with the LAN-in port on an Ethernet level if the IP router extended mode is used, which means that virtual VPN interfaces are excluded.

The principle is similar to the regular IP router mode, where the LAN-out ports are connected with a "LAN-out" interface. But there is an important difference: The LAN-out ports in the IP router mode are connected with each other by using a hardware switch.

Packets which for instance arrive at port 1 and are destined for port 2 cannot be filtered by the Industrial Firewall, even not by using the layer 2 packet filter. The Industrial Firewall system doesn't get to know these packets, since they are forwarded by using the integrated hardware switch regardless of the firewall.

But if these interfaces are connected with each other by using the "LAN-in switch" option, the situation is different: The hardware switch no longer independently forwards the packets on an Ethernet level. This is now the responsibility of the Industrial Firewall system

- realised by the software. On the one hand, the throughput is slightly lower than the maximum value, as a result. But on the other hand, it is of great benefit that every port of the LAN-in software switches in the layer 2 packet filter can now be used for configuration.

The data traffic between the involved LAN-in switch ports now basically behaves as if the connected devices are all connected with a single switch, which in turn is connected with the LAN-in port of the Industrial Firewall as well. But there are two important differences:

The data traffic between the LAN-in switch ports passes through the Industrial Firewall system and can be restricted by the layer 2 packet filter.

The different possible NAT modes (refer to the "NAT" use case) apply here anyway, i.e. a packet is probably modified by a NAT, by port forwarding or by a 1:1 NAT setting, if required, before it is forwarded on an Ethernet level.

Please select the corresponding checkbox for the LAN-out port in question on the IP configuration page if you want to add LAN-out ports to the LAN switch in IP router extended mode. The corresponding LAN-out port has then no longer an individual IP address. The IP address of "LAN-in" applies to all LAN-in switch ports instead.

Additional OpenVPN interfaces


OpenVPN layer 2 connections (a maximum of 10 is possible) are all connected with the "LAN-out (internal)" interface on an Ethernet level. As a result, all tunnels are available within a single subnet. The devices at the tunnel endpoints can communicate with each other via the tunnel by using any type of layer 3 protocol, e.g. IPv6.

OpenVPN layer 3 connections each have an individual IPv4 interface. They therefore have their own subnet and can only communicate directly by using IPv4 packets. In particular, this means that routes to the remote subnet must be configured at both endpoints. You then have to configure an IP address and subnet mask for every tunnel on the Industrial Firewall.


11.17 REMOTE CAPTURE

GENERAL

"Remote capture" is used for recording and analysing the traffic of any active firewall interface over the network from a Windows PC on which Wireshark is installed (http://www.wireshark.org).

Note:

This feature is designed for debugging. Since the capture server offers no authentication at all, it should only be enabled when required and only for short periods of time, in order to minimise the security risk.

FIREWALL CONFIGURATION

The remote capture service can be enabled in the Diagnostics/Remote capture menu. It then listens on the default port 2002 for inbound connections. The IP address of the computer which is supposed to make the recording must be specified explicitly (e.g. 192.168.253.168), since no authentication is possible and this address restriction is the only access control:

As an additional security feature, only a single connection is permitted at any point in time, i.e. the specified computer cannot make two recordings simultaneously.

LAN-out normally works as a switch. That means if two devices communicate with each other (e.g. on port 1 and port 2), the packets are forwarded within the switch by the hardware, so that they do not reach the firewall system and cannot be recorded. The "Enable hub mode on LAN-out" option can be used to make the entire traffic between the ports visible, if required. In hub mode all packets are forwarded to all ports, including the firewall system. Note that this also means every device on a LAN-out port sees the traffic of all the other ports while hub mode is enabled, so leave it on only for the duration of the capture.

Usually only access right violations are logged (if an attempt is made to establish the connection from a wrong IP address or to establish two connections at the same time). With "Message details", information about the connection (control/data channel) and the captured interfaces is logged as well.

Note:

A warning is written to the Eventlog every hour so that this service is not left running unintentionally.

The remote capture connection between the firewall and the recording computer is

order to ensure a reasonable recording.

The hub mode takes about 10 seconds until it is activated. That means if the remote capture is started

in the log.
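Because the capture server is unauthenticated and gated only by the single allowed client address, the practical control is to make sure it is switched off again once debugging is done. The following Python audit is an added example, not part of the manual and not using any software of the device: it does what an attacker's first step would be, a plain TCP connect to the capture port (2002 by default, as stated above) on each firewall, and reports everything that answers. The `_FakeCaptureServer` and the localhost ports used in `demo()` are a constructed fixture so that the script runs offline; they stand in for a firewall on which remote capture was left enabled and one on which it was disabled.

```python
import socket
import threading
from contextlib import closing
from typing import Dict, Iterable, Tuple

RPCAP_PORT = 2002  # default port of the IF1000 remote capture service (from the manual)


def capture_port_open(host: str, port: int = RPCAP_PORT, timeout: float = 2.0) -> bool:
    """True if a TCP listener answers on host:port.

    A bare connect is all that is needed to find the unauthenticated capture server,
    so it is also all that is needed to audit it; nothing is sent after the handshake."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except OSError:  # refused, unreachable, or timed out
            return False


def audit_remote_capture(targets: Iterable[Tuple[str, int]], timeout: float = 2.0) -> Dict[str, bool]:
    """Map "host:port" to whether the capture port is still reachable.

    Every True entry after a debugging session is a finding: the service has no
    authentication and relies solely on the allowed client IP configured on the device."""
    return {f"{host}:{port}": capture_port_open(host, port, timeout) for host, port in targets}


class _FakeCaptureServer:
    """Test fixture (constructed, not the real rpcap server): a firewall that still has
    remote capture enabled, reduced to a listener that accepts one connection and closes it."""

    def __init__(self) -> None:
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))  # OS-assigned port instead of 2002, to run unprivileged
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self) -> None:
        try:
            conn, _ = self.sock.accept()
            conn.close()
        except OSError:
            pass  # listener closed before any client connected

    def close(self) -> None:
        self.sock.close()


def free_port() -> int:
    """A localhost port that nothing listens on (bound and released immediately)."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo() -> Tuple[bool, bool]:
    """Constructed scenario: one 'firewall' with the capture server left on, one without.

    Returns (seen_open, seen_closed); expected (True, False)."""
    left_on = _FakeCaptureServer()
    try:
        report = audit_remote_capture([("127.0.0.1", left_on.port), ("127.0.0.1", free_port())])
    finally:
        left_on.close()
    seen_open, seen_closed = report.values()
    return seen_open, seen_closed


if __name__ == "__main__":
    for target, exposed in audit_remote_capture([("192.168.253.165", RPCAP_PORT)]).items():
        print(target, "remote capture REACHABLE" if exposed else "closed")
```

Run it against the real firewall addresses (the `__main__` block uses the example address from the text) from a host other than the one allowed in the capture configuration: the device only accepts the data connection from the configured client, but the TCP listener itself answers to anyone, which is exactly what this check relies on.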

WIRESHARK CONFIGURATION UNDER WINDOWS XP

The minimum requirement is that Wireshark version 1.0.6 and WinPcap version 4.0.2, or any later version, is used. With all earlier versions it was impossible to stop and then restart the capture process.

The remote interfaces must be specified explicitly in the "Show the capture options" option (the second icon in the main toolbar) or in the "Capture/Options" menu item. Here is an example of the capture URL for recording the data traffic on "L

"rpcap://192.168.253.165:

The "rpcap://..." prefix is followed by the IP address of the firewall and the name of the firewall interface. The interface name should match the names used in the web interface (in either upper or lower case). Exceptions are the IPsec interfaces and the PPPoE interface, which can be addressed with either "dsl" or "pppoe". Only one capture per network interface is possible.

Interface                  Remark

DSL, PPPoE                 PPPoE uplink (independent of the interface it is based on and via which the connection was established).

LAN-in                     Always exists.

LAN-out                    Always exists.

LAN-out-x                  The individual ports (x in the name is always to be replaced with 1, 2, 3 or 4) only exist in extended IP router mode. LAN-out is then the internal endpoint for the layer 2 OpenVPN connections.

SERVICE                    Exists if a modem connection is present.

L2-VPNx                    The individual OpenVPN interfaces (x in the name is to be replaced with 1 to 10) always exist with server connections; with client connections they exist only if the client connection is actually established.

LAN-in(IPsec), LAN(IPsec), LAN-out-1(IPsec) ... LAN-out-4(IPsec), SERVICE(IPsec)
                           According to the IPsec configuration, there is a dedicated IPsec interface (e.g. LAN-in(IPsec)) as the tunnel endpoint, on which the traffic is visible without encryption. Only the encrypted packets are visible on the interface which forms its basis (e.g. LAN-in). LAN(IPsec) belongs to the tunnel endpoint for LAN-out.

If the connection was established, the traffic can be viewed and filtered just like in a regular capture.

Note:

Should the Windows firewall be enabled, opening only port 2002 is not enough, because a separate data connection is used, similar to FTP. The ads-tec Industrial Firewall on which the remote capture server runs does not require any particular filter settings.

WIRESHARK ERROR MESSAGES

Wireshark shows a window with the error message "The capture session could not be initiated" and the connection fails. The most frequently occurring causes are explained below.

The specified interface does not exist under the notation used (refer to the above table), or the interface is temporarily unavailable (the PPPoE interface, for instance, only exists with an existing uplink).

Is the server properly installed on <IPADDRESS>? connect() failed: ...

The specified IP address <IPADDRESS> is unavailable, or the remote capture service is not running at this location.

The IP address of the own computer does not match the address allowed in the firewall web interface (this causes an entry in the Eventlog of the firewall).

Too many clients

A connection with the remote capture server already exists. It was either established by another Wireshark application or, by accident, by another network subscriber with an identical IP address (this causes an entry in the Eventlog of the firewall).


11.18 1:1 NAT / NETWORK MAPPING

GENERAL

This chapter shows how the extensive NAT functions of the ads-tec Industrial Firewalls can be used in practice.

NAT (network address translation) is the designation of the process in which the IP address of an IP packet is replaced by another address. There are several options for this translation:

"NAT / Masquerading": The IP addresses of a certain range are replaced by a single IP address under certain conditions. Such a condition could be, for instance, that the packet is sent via an interface on which masquerading is enabled.

"Port forwarding / PAT (port address translation)": A destination address is substituted in this case, and the port number of the transport protocol (either UDP or TCP) is translated accordingly. This option is mostly used for enabling connections with hosts which would otherwise be unreachable behind their NAT routers.

"1:1 NAT / symmetric NAT": An entire address range is used for the substitution in this case, so that sender and destination remain unambiguously identifiable. Establishing a connection is then possible from both sides of the NAT.

NAT (MASQUERADING)

The configuration is made in the "Configuration > IP configuration" menu. Masquerading is enabled per network interface: all packets sent via this interface are translated, and each packet is given the IP address of the firewall on this interface as the sender IP.

PORT FORWARDING

The settings are made in the "Configuration > Network > Port forwarding" menu. You will find more information about port forwarding in the "Port forwarding" use case created specifically for this topic.

1:1 NAT / NETWORK MAPPING

FUNCTIONALITY

Usually it is impossible to configure a router in such a way that the same IP address range (e.g. 192.168.0.0/24) is used on different network interfaces at the same time. A switch is usually used for such a setup, but routing is then impossible.

It can happen that devices which have the same IP address are supposed to communicate with each other. Normally, the device configuration should be arranged so that every device has an unambiguous IP address. But in some cases this is possible only with a huge effort, or the address conflict can only be resolved by using NAT routers.

The ads-tec Industrial Firewalls use an exclusive NAT technology to bypass this issue - the network mapping technology - which saves the additional introduction of routers. With the commonly available methods, every one of these "identical" subnets would have to be masked by an individual NAT router.

Identical subnets can be defined for different routing interfaces (refer to figure 1) in the "Configuration > Network > 1:1 NAT" menu. This even allows devices with the same IP address to communicate with each other. A second IP address range, the so-called "public subnet", is used for each interface in order to allow this. If two devices with the same IP address (e.g. 192.168.0.1) are connected with different interfaces, it looks to every host as if it communicates with a device from the other interface's public subnet.

Regardless of whether identical subnets are masked in this way or not, this functionality can of course also be used for a regular symmetric 1:1 NAT.

Note:

The designations "private subnet" and "public subnet" in the 1:1 NAT terminology have nothing to do with the three private address ranges 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 as defined in RFC 1918.

"Private" and "public" in this case mean that the corresponding "internal" and "external" subnets have different appearances. The private IP range is isolated on the corresponding interface, so that the IP addresses of the "public" range even have to be used in the filter rules and routing entries of the firewall. In a sense, the private addresses are "unknown" even to the firewall - except for the settings on the 1:1 NAT page, of course.


Figure 1: 1:1 NAT with (identical) private subnets


ASSIGNMENT OF PRIVATE TO PUBLIC ADDRESSES

The public IP address results (1:1) from the private IP address of a certain device by combining a prefix from the subnet designation (length in accordance with the subnet mask) with a suffix from the device address.

EXAMPLE:

The device has the IP address 172.16.100.40 in the private subnet 172.16.100.0/24. The public subnet is 10.20.30.0/24. The prefix of the public IP address of this device is 10.20.30 (the first 24 bits are fixed, i.e. three octets of 8 bits each). The suffix is taken from the remaining bits of the device address, i.e. "40" in this case. According to this procedure, the device is mapped to the public IP address "10.20.30.40".

COMPLEX EXAMPLE:

Let's assume that the device from the previous example again has the IP address 172.16.100.40, but the size of the subnet is "/28" this time. The subnet then contains the IP addresses 172.16.100.32 - 172.16.100.47, since the first 28 bits (172.16.100.32) are fixed and only the last 4 bits are variable. The device now has the ninth IP address in this subnet (counting from zero, i.e. offset 8), and this position is mapped 1:1 to the public range, so the device also has the ninth address there.

Let's assume that the public subnet is defined as 10.20.30.0/28 this time. Combining this prefix with the last 4 bits of the private IP address of the device yields the public IP address of the device: "10.20.30.8".

Note:

Together with the "private subnet" setting on the 1:1 NAT configuration page, the IP address of the firewall in the private range is defined at the same time (refer to figure 2).

The Industrial Firewall then has two IP addresses on this interface: the private IP address for the devices connected with the corresponding 1:1 NAT interface, and the public IP address for the rest of the world. Since the 1:1 allocation between private and public addresses is defined by the user, you have to ensure that it is preserved for the firewall's own address pair as well. So if the firewall has, for instance, the public IP address "192.168.0.99/24" (the 100th address in the subnet, counting from zero), you have to ensure that the 100th address of the private subnet is also used for "private subnet" (e.g. "192.168.1.99/24"). If this is impossible for any reason, e.g. if the firewall is assigned "192.168.1.100" as the private address, you have to expect trouble for an existing device in the private network which uses the address "192.168.1.99", because the firewall's public address still maps to that private address. This address should then not be used by any device.
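The prefix/suffix rule above in code, as an added example that is neither from the manual nor from the device software: Python's ipaddress module computes the public address of a device, the reverse mapping, and the host index the manual counts from zero; it also checks the firewall's own address pair from the note and names the private address an inconsistent pair collides with. Subnets may be written the way the manual does, with a host address in them ("192.168.10.254/24"); the helper `_net` normalises that. Both `_net` and the function names are this example's own.

```python
from ipaddress import IPv4Address, IPv4Interface, IPv4Network
from typing import Optional


def _net(spec: str) -> IPv4Network:
    """Accept "10.20.30.0/24" as well as the manual's interface-style "192.168.10.254/24"."""
    return IPv4Network(spec, strict=False)


def host_index(ip: str, subnet: str) -> int:
    """Zero-based position of ip inside subnet (the manual: "zero is counted as well")."""
    net, addr = _net(subnet), IPv4Address(ip)
    if addr not in net:
        raise ValueError(f"{addr} is not in {net}")
    return int(addr) - int(net.network_address)


def public_address(private_ip: str, private_subnet: str, public_subnet: str) -> str:
    """1:1 NAT: keep the host bits of the device, exchange the private prefix for the public one."""
    priv, pub = _net(private_subnet), _net(public_subnet)
    if priv.prefixlen != pub.prefixlen:
        raise ValueError("private and public subnet must have the same prefix length")
    return str(pub.network_address + host_index(private_ip, private_subnet))


def private_address(public_ip: str, private_subnet: str, public_subnet: str) -> str:
    """Reverse direction: the address a packet sent to public_ip carries on the private side."""
    return public_address(public_ip, public_subnet, private_subnet)


def firewall_addresses_consistent(public_fw: str, private_fw: str) -> bool:
    """The firewall's own public and private addresses (CIDR, e.g. "192.168.0.99/24" and
    "192.168.1.99/24") must sit at the same host index; otherwise the firewall's public
    address maps onto some other device's private address."""
    pub, priv = IPv4Interface(public_fw), IPv4Interface(private_fw)
    if pub.network.prefixlen != priv.network.prefixlen:
        return False
    return host_index(str(pub.ip), str(pub.network)) == host_index(str(priv.ip), str(priv.network))


def clashing_private_address(public_fw: str, private_fw: str) -> Optional[str]:
    """For an inconsistent firewall address pair, the private address that the firewall's public
    address really maps to (the device the manual says will run into trouble); None if consistent."""
    if firewall_addresses_consistent(public_fw, private_fw):
        return None
    pub, priv = IPv4Interface(public_fw), IPv4Interface(private_fw)
    return public_address(str(pub.ip), str(pub.network), str(priv.network))


if __name__ == "__main__":
    # The two worked examples from the text, then the misconfiguration from the note.
    print(public_address("172.16.100.40", "172.16.100.0/24", "10.20.30.0/24"))     # 10.20.30.40
    print(public_address("172.16.100.40", "172.16.100.32/28", "10.20.30.0/28"))    # 10.20.30.8
    print(clashing_private_address("192.168.0.99/24", "192.168.1.100/24"))        # 192.168.1.99
```

`firewall_addresses_consistent` is the check worth running before committing a 1:1 NAT page: it is cheap, and the failure mode it catches (a device silently shadowed by the firewall's own public address) is hard to diagnose from the firewall's point of view, because the firewall never sees private addresses anywhere else.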

COMMUNICATION VIA 1:1 NAT / NETWORK MAPPING

For communication across the 1:1 NAT boundary, you have to ensure that the devices behind the 1:1 NAT, i.e. in the private subnet, are always addressed with their public IP address. Moreover, the addresses of private subnets must never be referenced anywhere else on the Industrial Firewall, e.g. in routing entries or filter rules. The public IP addresses must be used in these places.

EXAMPLE:

The network topology shown in figure 3 is to be set up. LAN-out-1 and LAN-out-2 are configured with 1:1 NAT / network mapping and use identical private networks (192.168.10.254/24).

The firewall itself can be reached in the 192.168.10.0/24 network via LAN-out-1 or LAN-out-2 with the IP address 192.168.10.254.


One device each with the IP address 192.168.10.1 is connected to the LAN-out-1 and to the LAN-out-2 interface. If you wish to communicate with one of these devices via the firewall, you have to use the public IP address of the corresponding device. This is 192.168.110.1 for host A and 192.168.120.1 for host B.

This also applies to the communication between the two hosts: if e.g. host A tries to establish a connection with host B, host A must use 192.168.120.1 as the destination address. In the other direction, host B "knows" host A only as "192.168.110.1".

Figure 2: Network mapping network topology, simple case


1:1 NAT - ADVANCED SETTINGS

The IP address range used as a private subnet with 1:1 NAT may, under certain circumstances, also be in use by hosts on other public interfaces. If, for example, a scenario according to figure 4 is present, the address range "192.168.10.0/24" is also used by host C, which is located on the LAN-in side of the firewall. In a simpler case it would be sufficient to configure 1:1 NAT for LAN-in as well, but this cannot be done in our example for two reasons:

NAT (masquerading) is enabled on LAN-in, and 1:1 NAT cannot be used on the same interface in addition.

The subnet connected with LAN-in is "192.168.0.0/24". The packets from host C in the "192.168.10.0/24" range reach the firewall through an additional router. But 1:1 NAT can only be defined for the directly adjacent subnet, since the firewall itself is assigned an IP address from this subnet on the corresponding interface.

The "Advanced settings" including "Double sided network mapping" are provided in order to resolve this address conflict in spite of these facts. Here another network range is defined, under which host C (and every other host from the colliding range) appears in certain situations, i.e. an additional, specific 1:1 NAT is enabled, which is applied independently of the interface of the sender.


Figure 3: Network mapping network topology, complex case

EXAMPLE:

The same settings as in the previous examples, as well as the settings and assumptions from figure 5 and figure 4, shall apply.

Furthermore, two avoidance address ranges are configured for "Double sided network mapping": 192.168.210.0/24 for the private subnet of LAN-out port 1, and 192.168.220.0/24 for the private subnet of LAN-out port 2.

So there are now three hosts in total with the same IP address "192.168.10.1": host A, host B and host C. In contrast to host A and host B, the IP address of host C is public. As a result, packets from host C carrying this public IP can pass through the firewall (as explained before). With the settings from figure 5, the communication between host A and host C is processed as follows:


TCP PORT 80 VIA LAN-IN, NAT + PORT FORWARDING:

A port forwarding entry exists on the firewall, as a result of which TCP packets for the IP address "192.168.0.112" and port "2000" are forwarded to host A, i.e. to "192.168.110.1" and port 80.

NAT (masquerading) is enabled on LAN-in.

Host C reaches host A via IP 192.168.0.112 and port 2000. At host A, host C appears under the mapped source address 192.168.210.1.

Host A reaches host C by using IP 192.168.210.1.


Note:

The previous example with port forwarding would also work in the following way: forward all protocols and ports to the IP "192.168.110.1", except for TCP port 80 (in order to retain access to the firewall web interface).

First, a port forwarding entry must be defined which forwards all TCP packets with destination IP "192.168.210.1" and port "80" to the IP "192.168.0.112" and port "80".

Then an entry is added which forwards all packets of all protocol types with destination IP "192.168.0.112" to the IP "192.168.110.1". The order is critical here: the first entry always has priority over the second, and this is what achieves the desired effect.

VIA LAN-IN WITH ROUTING:

On host C, there is a route of the form "default via 192.168.10.254" (IP of the router between the grey clouds in figure 4) or a more specific one.

On the router, there is a route of the form "default via 192.168.0.112" or a more specific one.

On the Industrial Firewall, there is a route of the form "default via 192.168.0.254" or a more specific one.

On host A, a route of the form "default via 192.168.10.254" exists (this was always tacitly implied in the previous examples).

Host C reaches host A by using IP 192.168.110.1.

Host A reaches host C by using IP 192.168.210.1.

Host B reaches host C by using IP 192.168.220.1.

The firewall itself, or hosts on other interfaces that may be defined (LAN-out (internal), LAN-out port 3, etc.), reach host C by using the IP 192.168.10.1.
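The address rewriting described in the simple case and in the double-sided case above, as a small Python model: an added example that is not part of the manual and not the firewall's implementation. It is configured with the interfaces of the examples (LAN-in 192.168.0.0/24 without mapping; LAN-out-1 and LAN-out-2 with the identical private subnet 192.168.10.0/24, the public subnets 192.168.110.0/24 and 192.168.120.0/24, and the avoidance ranges 192.168.210.0/24 and 192.168.220.0/24) and returns, for a packet entering on one port, the egress port and the addresses the packet carries when it leaves. Assumptions of the model, none of them stated by the manual: the routing decision is a longest-prefix match over the interfaces' (public) subnets with a default route via LAN-in, the ingress rewriting happens before the route lookup and the egress rewriting after it, and masquerading, port forwarding and packets addressed to the firewall itself are not modelled. The class and function names are this example's own.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, Iterable, Optional, Tuple


def remap(ip: IPv4Address, src_net: IPv4Network, dst_net: IPv4Network) -> IPv4Address:
    """1:1 mapping: keep the host bits of ip, exchange the prefix src_net for dst_net."""
    if ip not in src_net:
        raise ValueError(f"{ip} is not in {src_net}")
    if src_net.prefixlen != dst_net.prefixlen:
        raise ValueError("mapped subnets must have the same prefix length")
    return dst_net.network_address + (int(ip) - int(src_net.network_address))


@dataclass
class Interface:
    name: str
    subnet: IPv4Network                    # what the firewall works with (the "public" subnet on mapped ports)
    private: Optional[IPv4Network] = None  # 1:1 NAT private subnet if network mapping is enabled here
    avoid: Optional[IPv4Network] = None    # double-sided mapping range for senders that collide with `private`


class NetworkMappingModel:
    """Model of the address rewriting between two ports (assumption: longest-prefix match over the
    interfaces' subnets, default route via `default_iface`)."""

    def __init__(self, interfaces: Iterable[Interface], default_iface: str) -> None:
        self.ifaces: Dict[str, Interface] = {i.name: i for i in interfaces}
        self.default = default_iface

    def _egress(self, dst: IPv4Address) -> Interface:
        candidates = [i for i in self.ifaces.values() if dst in i.subnet]
        if not candidates:
            return self.ifaces[self.default]
        return max(candidates, key=lambda i: i.subnet.prefixlen)

    def forward(self, in_iface: str, src: str, dst: str) -> Tuple[str, str, str]:
        """Return (egress interface, source, destination) as seen on the wire behind the firewall."""
        s, d = IPv4Address(src), IPv4Address(dst)
        inb = self.ifaces[in_iface]
        if inb.private is not None:
            # Ingress on a mapped port: the sender exists for everyone else only under its
            # public address ...
            if s in inb.private:
                s = remap(s, inb.private, inb.subnet)
            # ... and a destination in the avoidance range is really a host that lives in the
            # colliding range somewhere else: give it its actual address back (double-sided).
            if inb.avoid is not None and d in inb.avoid:
                d = remap(d, inb.avoid, inb.private)
        out = self._egress(d)
        if out.private is not None:
            # Egress on a mapped port: the receiver is addressed by its private address ...
            d = remap(d, out.subnet, out.private)
            # ... and a sender whose address collides with that private range is moved into the
            # avoidance range, so the receiver can still tell it apart from its neighbours.
            if out.avoid is not None and s in out.private:
                s = remap(s, out.private, out.avoid)
        return out.name, str(s), str(d)


def example_firewall() -> NetworkMappingModel:
    """Topology of the manual's complex example, constructed from the values given in the text."""
    return NetworkMappingModel(
        [
            Interface("LAN-in", IPv4Network("192.168.0.0/24")),
            Interface("LAN-out-1", IPv4Network("192.168.110.0/24"),
                      IPv4Network("192.168.10.0/24"), IPv4Network("192.168.210.0/24")),
            Interface("LAN-out-2", IPv4Network("192.168.120.0/24"),
                      IPv4Network("192.168.10.0/24"), IPv4Network("192.168.220.0/24")),
        ],
        default_iface="LAN-in",
    )


if __name__ == "__main__":
    fw = example_firewall()
    # host A -> host B, host C -> host A, host A's reply to host C, host B -> host C
    for hop in (("LAN-out-1", "192.168.10.1", "192.168.120.1"),
                ("LAN-in", "192.168.10.1", "192.168.110.1"),
                ("LAN-out-1", "192.168.10.1", "192.168.210.1"),
                ("LAN-out-2", "192.168.10.1", "192.168.220.1")):
        print(hop, "->", fw.forward(*hop))
```

Reading the model's output against the bullet points above is the quickest way to sanity-check a planned 1:1 NAT layout: every address that appears in the returned tuples for LAN-in is a public or avoidance address, which is the only kind the firewall's own filter rules and routes may reference.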


11.19 PRIORITISATION / SHAPING

GENERAL

In general, there are two different ways to ensure that a sufficient bit rate is available for a certain form of Ethernet-based communication:

1) Shaping.

Different traffic classes, defined by certain protocol values, are assigned fixed bit rates. Disadvantage: a traffic class is already restricted when it reaches its defined limit, even if the maximum possible overall bit rate is not yet fully utilised.

2) Prioritisation.

Only once the overall bit rate reaches the maximum possible overall bit rate are certain traffic classes preferred over others. Disadvantage: in the worst case, a traffic class with the highest priority can suppress all other traffic altogether.

The IF1000 series devices support the following modes:

Pure prioritisation:

No type of traffic is restricted in the regular case. Only if the interface traffic limit is reached, i.e. the related interface is at maximum utilisation, are certain types of packets preferred over others.

Pure shaping:

For certain traffic types only a fixed bit rate limit is available. This limit is never exceeded, even if other classes do not use their limit and the interface bit rate limit is not fully utilised.

Prioritisation + shaping:

This is a mixed form of the "pure prioritisation" and the "pure shaping" modes. The general tendency is: until the maximum bit rate is reached the function is similar to "prioritisation", beyond that the "pure shaping" functionality applies. The general disadvantages of pure shaping and pure prioritisation are avoided by this combination.

With all modes, the interface limit is observed, even if the physical prerequisites would allow higher speeds.

Exception: if the total of all guaranteed bit rates of the individual traffic classes exceeds the specified interface limit, the interface limit is exceeded as soon as all traffic classes use their assigned limits.

Note:

It is always only the outbound data traffic of a physical interface which can be prioritised or restricted. Inbound traffic can only be prioritised or restricted indirectly, by treating it at the corresponding outbound interface when it exits the device.


PURE PRIORITISATION

CONFIGURATION EXAMPLE:

The interface limit is set to e.g. 10,000 kbit/s, and exactly one prioritisation class is defined, which has a bit rate of 1 kbit/s and a priority of less than 7.


EFFECTS:

There is no effect as long as the maximum bandwidth, i.e. the 10,000 kbit/s, is not reached.

Once it is reached, the prioritised class is preferred: it gets as much bandwidth as it needs, up to the full limit of 10,000 kbit/s. If it does not need the full bandwidth, the remaining traffic gets the rest.

PRIORITISATION + SHAPING

Shaping means that the affected traffic class is artificially restricted in its bandwidth.

Configuration example:

An interface limit is set, for example at 10,000 kbit/s.

Different classes are created, which have different bit rates and different priorities.

Class 1: 5,000 kbit; priority 5

Class 2: 3,000 kbit; priority 1

Class 3: 2,000 kbit; priority 2

WARNING:

Traffic which does not belong to any of the created prioritisation classes is treated like a class with a guaranteed bit rate of 1 kbit/s and priority 7. Any traffic that matches no class shares this 1 kbit/s once the interface limit is reached. This behaviour can be changed by creating a catch-all class with the desired properties, for which no header properties are specified.

Note:

The total of the bit rates of all individual prioritisation classes, in this example 5,000+3,000+2,000=10,000, must never exceed the interface limit in this mode.


EFFECTS:

Even before the overall traffic reaches the maximum bandwidth:

No prioritisation class obtains more than 120% [1] of its guaranteed bandwidth. If there is, for example, only traffic of class 1 and no other traffic, the available bandwidth is only utilised with 6,000 kbit/s.

If the overall traffic reaches the maximum bandwidth, but there are classes which do not use their individually guaranteed bandwidth:

A prioritisation class is only assigned an additional share of bandwidth if there is no class with a higher priority which also claims more bandwidth. Even then, the maximum additional bandwidth is limited to 20% [1].

If the overall traffic reaches the maximum bandwidth and all classes use their individually guaranteed bandwidth:

In this example, the overall available bandwidth would be utilised exactly, and all classes would receive exactly their guaranteed bit rate and nothing more.

[1]: Applies if the total of all class bit rates equals the interface limit. If the total is smaller, the percentage is increased accordingly.

PURE SHAPING

Pure shaping means that the specified priorities lose their significance. Every class gets exactly the guaranteed bit rate but nothing more.

CONFIGURATION EXAMPLE:

An interface limit is set, for example at 10,000 kbit/s.

Different classes with different bit rates are created.

The total of all bit rates is slightly higher than the interface limit, e.g.

Class 1: 7,001 kbit/s

Class 2: 3,000 kbit/s

EFFECTS:

Even before the overall traffic reaches the maximum bandwidth:

No class receives more than its guaranteed bandwidth. If there is e.g. only traffic of class 1 and no other traffic, the available bandwidth is only utilised with 7,001 kbit/s.

Traffic which is not covered by any of the classes always receives the bandwidth that is still available up to the maximum bandwidth, as long as none of the classes claims this portion.

If the overall traffic reaches the maximum bandwidth:

Every class gets exactly its guaranteed bandwidth.

Traffic which is not covered by any of these classes gets 1 kbit/s.

APPLICATION EXAMPLES

EXAMPLE 1:

An important web server in the LAN-out network should always get as much bandwidth as it needs. It is connected with the Internet via LAN-in of the firewall. Only resources in excess of the web server's demand should be usable by other services. This application case corresponds to the "prioritisation" option.

An interface limit of e.g. 100,000 kbit/s is defined for both LAN-in and LAN-out.

A class for TCP destination port 80 with priority 0 and a guaranteed bit rate of 1 kbit/s is created for LAN-out. As a result, the HTTP traffic from LAN-in to the server is prioritised.

A class for TCP source port 80 with priority 0 and a guaranteed bit rate of 1 kbit/s is created for LAN-in. As a result, the HTTP traffic of the return direction is prioritised.

EXAMPLE 2:

A less important web server should always be provided with a guaranteed bandwidth on the uplink interface. It has to share the uplink with an SSH server, which should get a higher priority. Only if the SSH server does not fully use its share should it be available to the web server, up to a certain proportion. This application corresponds to the "prioritisation + shaping" option.

Since the uplink is the "bottleneck" of this connection, it is sufficient to create classes for the uplink interface only.

For the uplink interface, an interface limit of e.g. 10,000 kbit/s is specified.

A class for TCP source port 80 with priority 3 and a guaranteed bit rate of 7,000 kbit/s is created for the web server.

A class for TCP source port 22 with priority 1 and a guaranteed bit rate of 3,000 kbit/s is created for the SSH server.
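The three modes as a small allocator, an added example that models the rules as this section states them and is not the device's scheduler: for a given offered load per class it returns how much each class gets, including the implicit 1 kbit/s / priority 7 class for unclassified traffic from the warning above, so the effect of a configuration (for instance example 2, or the starvation of unclassified traffic) can be checked before it is applied. Assumptions of the model that the manual does not spell out: in "prioritisation + shaping" the idle guarantees are handed out in priority order, each class limited to the 20% extra share scaled as footnote [1] describes; bit rates are whole kbit/s; ties in priority keep configuration order. The names `TrafficClass`, `pure_prioritisation`, `pure_shaping` and `prioritisation_plus_shaping` are this example's own.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class TrafficClass:
    name: str
    rate: int      # guaranteed bit rate in kbit/s
    priority: int  # 0 = highest, 7 = lowest
    demand: int    # offered load in kbit/s in the scenario being examined


def _with_default(classes: List[TrafficClass], other_demand: int) -> List[TrafficClass]:
    # Traffic matching no class behaves like a class with 1 kbit/s at priority 7 (the manual's warning).
    return list(classes) + [TrafficClass("other", 1, 7, other_demand)]


def pure_prioritisation(limit: int, classes: List[TrafficClass], other_demand: int = 0) -> Dict[str, int]:
    """Nothing is restricted below the interface limit; at the limit the bandwidth is handed out in
    priority order, so a priority-0 class can take everything and starve the rest."""
    alloc: Dict[str, int] = {}
    left = limit
    for c in sorted(_with_default(classes, other_demand), key=lambda c: c.priority):
        alloc[c.name] = min(c.demand, left)
        left -= alloc[c.name]
    return alloc


def pure_shaping(limit: int, classes: List[TrafficClass], other_demand: int = 0) -> Dict[str, int]:
    """Every class is capped at its guaranteed rate even when the link is idle; unclassified traffic
    gets what no class claims, and only 1 kbit/s once the limit is reached."""
    alloc = {c.name: min(c.demand, c.rate) for c in classes}
    alloc["other"] = min(other_demand, max(limit - sum(alloc.values()), 1))
    return alloc


def prioritisation_plus_shaping(limit: int, classes: List[TrafficClass], other_demand: int = 0,
                                burst_pct: int = 20) -> Dict[str, int]:
    """Each class first gets its guarantee. Guarantees left idle are then handed out in priority
    order, but a class may exceed its own guarantee by at most burst_pct (20 % in the manual),
    scaled up when the guarantees add up to less than the interface limit (footnote [1])."""
    guaranteed = sum(c.rate for c in classes)
    if guaranteed > limit:
        raise ValueError("the sum of the guaranteed rates must not exceed the interface limit")
    all_classes = _with_default(classes, other_demand)
    alloc = {c.name: min(c.demand, c.rate) for c in all_classes}
    spare = limit - sum(alloc.values())
    for c in sorted(all_classes, key=lambda c: c.priority):
        cap = c.rate * burst_pct * limit // (100 * guaranteed)  # extra allowed on top of the guarantee
        extra = max(0, min(c.demand - alloc[c.name], cap, spare))
        alloc[c.name] += extra
        spare -= extra
    return alloc


if __name__ == "__main__":
    # Example 2 of the text: SSH has priority but is idle, so the web server gets part of the slack.
    uplink = [TrafficClass("web", 7000, 3, 9000), TrafficClass("ssh", 3000, 1, 1000)]
    print(prioritisation_plus_shaping(10000, uplink))              # web 8400, ssh 1000
    # The footgun from the warning: with the link saturated, unclassified traffic gets 1 kbit/s.
    print(pure_shaping(10000, [TrafficClass("c1", 7001, 0, 9000),
                               TrafficClass("c2", 3000, 0, 9000)], other_demand=500))
```

The second print is the case to look at before deploying pure shaping: everything not matched by a class, which is easily the management traffic, collapses to 1 kbit/s as soon as the configured classes saturate the interface; a catch-all class with a sensible rate is what prevents that.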

12 DECLARATION OF CE-CONFORMITY

IF1100

IF1110
