User Manual Software Configuration
Contents
1. Bold values indicate the default setting of the BAT radio adapters when used in a base station.

13.3.2 Radio channels in the 5 GHz frequency band
(BAT54 Rail F, Release 7.54, 06/08, Appendix 13.3 Radio channels)

In the frequency range from 5.13 to 5.805 GHz, up to 19 non-overlapping channels are available in Europe, defined by the following sub-bands:

Band 1: 5150 to 5350 MHz, channels 36, 40, 44, 48, 52, 56, 60 and 64
Band 2: 5470 to 5725 MHz, channels 100, 104, 108, 112, 116, 120, 124, 128, 132, 136 and 140
Band 3: 5725 to 5875 MHz, channels 147, 151, 155 and 167

Note: The frequency ranges and radio channels in band 3 are reserved for operation in the UK only.

The following overview shows which channels are allowed in different regions. The headings of the two region columns did not survive extraction ("Region 1" and "Region 2" below are placeholders), and the band 2 rows are missing; the remaining rows are reproduced as recovered:

Channel   Frequency   Region 1   Region 2
36        5.180 GHz   yes        yes
40        5.200 GHz   yes        yes
44        5.220 GHz   yes        yes
48        5.240 GHz   yes        yes
52        5.260 GHz   yes        yes
56        5.280 GHz   yes        yes
60        5.300 GHz   yes        yes
64        5.320 GHz   yes        yes
147       5.735 GHz   no         yes
151       5.755 GHz   no         yes
155       5.775 GHz   no         yes
167       5.835 GHz   no         yes

13.3.3 Radio channels and frequency ranges for indoor and outdoor operation

In several countries, specific regulations apply to the use of frequency ranges and radio channels for indoor and outdoor operation.
2. Port: Port to close at the station. If the respective protocol is not port-related, the entire protocol is closed for this station.
Timeout: Duration of the blocking in minutes.
Filter rule: Name of the rule that produced the entry; it also determines the actions to be executed when a matching packet is received.

Host block list
The address of a station is entered in the host block list if blocking of the sender was selected as the packet action of a filter. This table is a semi-dynamic table sorted by sender address and contains the following elements:

Element       Meaning
Address       Address of the station to which the blocking applies
Timeout       Duration of the blocking in minutes
Filter rule   Name of the rule that generated the entry; it also determines the actions to be executed when a matching packet is received

8.3.10 Firewall limitations

Apart from understanding how firewalls work, it is also important to recognise their limitations and to supplement them where necessary. The firewall does not protect against malicious content that enters your local network through the permitted paths. Certain effects of some viruses and worms are stopped because communication via the ports they require is blocked, but no firewall alone is comprehensive protection against viruses.

8.4 Intrusion Detection

Also monitoring of sensit[...] (text cut off in the source)
3. 11.3 Configuration of remote stations
For a DSLoL interface the same entries apply as for the DSL interface. The entries are made in the Broadband Peers list.

11.3.2 Layer list
A layer defines a collection of protocol settings to be used when connecting to specific remote stations. The list of communication layers can be found under:

Configuration tool   List
LANconfig            Communication > General > Communication layers
WEBconfig            Expert Configuration > Setup > WAN > Layer list
Terminal/Telnet      cd setup/WAN-module; set layer-list

In the communication layer list the common protocol combinations are already predefined. Changes or additions should only be made when remote stations are incompatible with the existing layers. The possible options are listed below.

Note: The parameters available in the BAT depend on the functionality of the unit. Your unit may not offer all of the options described here.

Parameter       Meaning
Layer name      The layer is selected in the peer list under this name.
Encapsulation   Additional encapsulations can be set for data packets:
  Transparent   No additional encapsulation
  Ethernet      Encapsulation in the form of Ethernet frames
  LLC-MUX       Multiplexing via ATM with LLC/SNAP enca[psulation ...] (cut off)
4. Have you assigned a password to the SNMP configuration?
Also protect the SNMP configuration with a password. The field for protecting the SNMP configuration with a password is also found in LANconfig in the Management configuration area on the Security tab.

7.2 The security checklist

Have you allowed remote access?
If you do not require remote access, deactivate call acceptance: deactivate call acceptance by number and leave the number list blank, in LANconfig in the Communication configuration area on the Call accepting tab.

Have you activated the callback options for remote access, and is CLI activated?
When a call is placed over an ISDN line, the caller's number is normally sent over the D channel before a connection is even made (CLI, Calling Line Identifier). Access to your own network is granted if the calling number appears in the number list, or the caller is called back if the callback option is activated (this callback via the D channel is not supported by the Windows Dial-Up Network). If the BAT is set to provide security using the telephone number, any calls from remote stations with unknown numbers are denied access. Keep in mind that the calling number is supplied by the telephone network and is not a cryptographic credential: use it in addition to, not instead of, PPP authentication (CHAP or MS-CHAP) for dial-in users.

Have you activated the firewall?
The Stateful Inspection Firewall of the BAT is intended to prevent your local network being attacked from the outside (see the limitations in section 8.3.10: it does not inspect content that arrives over permitted paths). The firewall can be enabled in LANconfig under Firewall/QoS on the r[...] (cut off)
5. Trace parameter   Meaning
LCR                  Least Cost Router
Script               Script processing
IPX-RIP              IPX Routing Information Protocol
Firewall             Firewall activities
RIP                  IP Routing Information Protocol
ARP                  Address Resolution Protocol
ICMP                 Internet Control Message Protocol
IP masquerading      Processes in the masquerading module
DHCP                 Dynamic Host Configuration Protocol
NetBIOS              NetBIOS management
DNS                  Domain Name Service protocol
Packet dump          Display of the first 64 bytes of a packet in hexadecimal form
D-channel dump       Trace on the D channel of the connected ISDN bus
ATM cell             Spoofing at the ATM packet level
ATM Error            ATM errors
ADSL                 ADSL connection status
SMTP Client          E-mail processing of the integrated mail client
Mail Client          E-mail processing of the integrated mail client
SNTP                 Simple Network Time Protocol information
NTP                  Timeserver trace
Connact              Messages from the activity protocol
Cron                 Cron table
RADIUS               RADIUS trace
Serial               Status of the serial interface
USB                  Status of the USB interface
Load Balancer        Load balancing information
VRRP                 Information concerning the Virtual Router Redundancy Protocol
Ethernet             Status of the Ethernet interface
VLAN                 Information concerning virtual [LANs ...] (cut off)

6.1 Trace information for advanced users
This parameter brings up the following display for the trace: [...]
6. Besides, the packets of a VoIP connection are often much larger than the pure net payload: the IP and Ethernet headers and, where used, the IPsec headers have to be added. The net load is the product of the net data rate and the sampling time of the codec. For all codecs, 40 bytes of RTP/UDP/IP headers and at least 20 bytes for the IPsec header must be added; the RTP and IPsec headers can be larger depending on the configuration.

The following table gives an overview of bit rates for various VoIP codecs for voice connections over VPN:

Codec   Packets/s   Voice payload     IP payload          IPsec payload      Sampling time
                    kbps    bytes     kbps     bytes      kbps    bytes
G.729   33.3        8       30        18.7     70         36      136        30 ms
G.726   33.3        32      120       42.7     160        62      232        30 ms
G.711   33.3        64      240       74.7     280        92      344        30 ms
G.711   50          64      160       80.0     200        106     264        20 ms
G.722   50          64      160       80.0     200        106     264        20 ms

(The extracted page shows 32 kbps for the G.729 IP payload; 70 bytes at 33.3 packets/s is 18.7 kbps, which is the value consistent with the rest of the row.)

IP payload = voice payload + 40-byte header (12-byte RTP, 8-byte UDP, 20-byte IP header)
IPsec payload = IP packet + padding + 2 bytes (pad length and next header), padded to a multiple of the IPsec initialization vector size, plus the IPsec headers

9.6 QoS in sending or receiving direction

Caution: The values in the table apply to the use of AES. With other encryption methods the resulting packet size may vary slightly.

Note: Further information on bandwidth requirements for Voice over IP with IPsec is available in the BAT [...] (cut off)
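The table above can be recomputed rather than looked up. The following is an added example (not code from the manual): it takes the codec bit rate and sampling time and derives the per-packet sizes and bit rates. The 40-byte RTP/UDP/IP header comes from the text; the breakdown of the IPsec overhead (ESP tunnel mode with AES-CBC, a 16-byte IV that also sets the padding unit, an 8-byte ESP header, a 20-byte outer IPv4 header and a 12-byte HMAC-SHA1-96 ICV) is this example's assumption, chosen because it reproduces every IPsec byte count in the table. The function names are the example's own.

```python
from math import ceil

# Per-packet overhead in bytes. The first line is from the manual; the rest
# are this example's assumptions (ESP tunnel mode, AES-CBC, HMAC-SHA1-96)
# chosen because they reproduce every IPsec byte count in the table above.
RTP_UDP_IP = 12 + 8 + 20   # RTP + UDP + IPv4 headers on the voice packet
ESP_HEADER = 8             # assumption: SPI + sequence number
AES_IV = 16                # assumption: AES-CBC IV; also the padding unit
ESP_TRAILER = 2            # pad length + next header
OUTER_IP = 20              # assumption: outer IPv4 header of the tunnel
ESP_ICV = 12               # assumption: HMAC-SHA1-96 integrity check value


def voice_payload_bytes(codec_kbps: float, sample_ms: int) -> int:
    """Coded speech per packet: bit rate times sampling time (8 kbps x 30 ms = 30 bytes)."""
    return int(codec_kbps * sample_ms / 8)


def ip_packet_bytes(voice_bytes: int) -> int:
    """Voice payload plus the 40-byte RTP/UDP/IP header."""
    return voice_bytes + RTP_UDP_IP


def esp_packet_bytes(inner_ip_bytes: int) -> int:
    """Inner packet plus trailer, padded to the AES block size, then ESP header,
    IV, outer IP header and ICV."""
    padded = ceil((inner_ip_bytes + ESP_TRAILER) / AES_IV) * AES_IV
    return padded + ESP_HEADER + AES_IV + OUTER_IP + ESP_ICV


def kbps(packet_bytes: int, packets_per_s: float, digits=None):
    """Bits per second on the wire, rounded like the manual's table
    (one decimal for the IP column, whole kbps for the IPsec column)."""
    return round(packet_bytes * 8 * packets_per_s / 1000, digits)


def bandwidth(codec_kbps: float, sample_ms: int) -> dict:
    """One row of the table for a codec bit rate and sampling time."""
    pps = 1000 / sample_ms
    voice = voice_payload_bytes(codec_kbps, sample_ms)
    ip = ip_packet_bytes(voice)
    esp = esp_packet_bytes(ip)
    return {"packets_per_s": round(pps, 1),
            "voice_bytes": voice, "voice_kbps": codec_kbps,
            "ip_bytes": ip, "ip_kbps": kbps(ip, pps, 1),
            "ipsec_bytes": esp, "ipsec_kbps": kbps(esp, pps)}


if __name__ == "__main__":
    for codec, rate, ms in [("G.729", 8, 30), ("G.726", 32, 30), ("G.711", 64, 30),
                            ("G.711", 64, 20), ("G.722", 64, 20)]:
        print(f"{codec} {ms} ms: {bandwidth(rate, ms)}")
```

The padding step is why the IPsec column grows in jumps rather than linearly: a 70-byte inner packet and a 78-byte one both end up at 136 bytes on the wire. When sizing a VPN link for voice, budget for the IPsec column, not the codec rate.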
7. 8.3 The BAT Firewall

Conditions (options in the filter rule dialog): Action only for default route (i.e. Internet); Action only for DiffServ CP; Action only for sent packets; Action only for received packets.

Stations
Here the stations as sender or addressee of the packets are specified for which the filter rule shall match. In the filter rule dialog (example rule ALLOW_FTP, tabs General, Actions, QoS, Stations, Service), the Stations tab offers:
Connection source: this rule applies to packets on connections from all stations, or from the following stations (e.g. stations in the local network).
Connection destination: this rule applies to packets on connections to all stations, or to the following stations (e.g. site REMOTE).

Services
Here the IP protocols and the source and destination ports are specified for which the filter rule shall apply. For example, it can be specified here that only access to web pages and e-mail shall be permitted. On the Service tab, the rule applies either to all services/protocols or to the following services/protocols, chosen from the special services such as World Wide Web (HTTP, HTTPS), Mail and News (SMTP, PO[P3 ...]) (cut off)
8. Off: No callback occurs.

Auto (not for Windows operating systems, see below): The remote station is called back if so specified in the peer list. At first the call is denied and, as soon as the channel is clear again, the remote station is called back (duration approx. 8 seconds). If the remote station is not found in the number list, it is first accepted as the DEFAULT remote station and the callback is negotiated during the protocol negotiation. A charge of one unit is incurred for this.

Name: Before a callback occurs, a protocol negotiation is always carried out, even when the remote station was found in the number list (e.g. for Windows computers with direct dialling on the device). Only minor charges result.

fast: When the remote station is found in the number list, a quick callback is carried out, i.e. the BAT sends a special signal to the remote station and calls back immediately when the channel is clear again. After approx. 2 seconds the connection is established. If the remote station does not take back the call immediately after the signal, then after two seconds the situation reverts to the normal callback procedure (duration again approx. 8 seconds). This process is only available for DSS1 connections.

Looser: Use the Looser option when a callback is expected from the remote station. This setting carries out two functions simultaneously: on the one hand it ensures that a cus[...] (cut off)
9. 11.10 Establishing a connection with PPP

After the password has been successfully transmitted, the IPCP and/or IPXCP network layer can be established. IP and/or IPX packets can be transferred from the router modules to the opened line if the negotiation of parameters is successful for at least one of the network layers.

Terminate phase: In the final phase the line is cleared when the logical connections for all protocols have been cleared.

PPP negotiation in the BAT
The progress of a PPP negotiation is logged in the device's PPP statistics, and the protocol packets listed in detail there can be used for checking in the event of an error. The PPP trace outputs offer a further method of analysis: the command "trace ppp" starts the output of the PPP protocol frames exchanged during a terminal session. You can perform a detailed analysis after the connection has been broken if the terminal session has been logged to a log file.

11.10.2 Everything o.k.? Checking the line with LCP
The devices involved in establishing a connection through PPP negotiate a common behaviour for data transfer. For example, they first decide whether a connection can be made at all using the specified security procedure (names and passwords). Once the connection has been established, the reliability of the line can be monitored constantly using LCP. This is achieved within the p[...] (cut off)
10. 11.2.3 Local routing

A workstation in a local network behaves as follows: to transmit a data packet to an IP address that is not on its own LAN, the computer looks for a router to assist. This router is normally introduced to the operating system by an entry as standard router or default gateway. If there are several routers in a network, it is often only possible to enter one default router, which is then expected to reach all IP addresses unknown to the workstation. Occasionally, however, this default router cannot reach the destination network itself but knows another router that can.

How can the workstation be helped? By default, the router sends the computer a response containing the address of the router that knows the route to the destination network; this response is known as an ICMP redirect. The workstation then accepts this address and sends the data packet straight to the other router. Certain computers, however, do not know how to handle ICMP redirects. Many hosts also ignore them deliberately, since a forged redirect from an on-link attacker can divert their traffic. To ensure that the data packets reach their destination anyway, use local routing: the router in your device is then instructed to forward the packet to the other router itself, and no more ICMP redirects are sent.

The setting is made under:
Configuration tool      Setting
LANconfig / WEBconfig   IP router > General > Forward packets [...] (cut off)
11. (Dialog fields: CLIP operation, default deactivated; CLIP password.)

Configuration tool   Call
LANconfig            Communication > RADIUS
WEBconfig/Telnet     Expert configuration > Setup > WAN > RADIUS

RADIUS server (default: disabled)
When authenticating using RADIUS, user administration and authentication are passed on to a RADIUS server.
Disabled: The RADIUS functionality is disabled and no requests are forwarded to the RADIUS server.
Enabled: The RADIUS functionality is enabled and requests may be forwarded to the configured RADIUS server. Depending on the setting, other sources may also be used for authentication, e.g. the PPP list.
Exclusive: The RADIUS functionality is enabled and authentication is performed exclusively by RADIUS.
The appropriate RADIUS server must be configured to use the RADIUS functionality. All user data, such as user names and passwords, is entered on the RADIUS server.

Server IP address: Specify here the IP address of your RADIUS server, on which users are managed centrally.

12.9 RADIUS

Server port (default: 1812): Specify here the port used for communication with your RADIUS server.

Key (shared secret): Specify here the shared secret used to authenticate the RADIUS messages and to hide the user password inside them; it does not encrypt the rest of the traffic. The same key must be configured on the RADIUS server.

PPP mode (default: disabled): A RADIUS server may be used for authentication when dialling in using PPP.
Disabled: [...] (cut off)
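What the shared secret actually does is worth seeing, because it decides how much the key needs to be protected. The following added example (not BAT firmware code) implements the two uses defined in RFC 2865: hiding the User-Password attribute in an Access-Request (section 5.2) and computing the Response Authenticator with which the client verifies the server's reply (section 3). The secret, the request authenticator value and the helper names are constructed for the example.

```python
import hashlib
import hmac
import os

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2   # RADIUS packet codes


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """User-Password hiding (RFC 2865 5.2): the password, NUL-padded to 16-byte
    blocks, is XORed with a chain of MD5(secret || previous block). This is
    obfuscation keyed by the shared secret, not encryption of the packet."""
    if len(request_auth) != 16 or not 0 < len(password) <= 128:
        raise ValueError("16-byte authenticator and 1..128-byte password required")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block                       # next mask is keyed by the ciphertext block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """The server's inverse of hide_password (trailing NUL padding removed)."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(h ^ m for h, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def _response_authenticator(code: int, ident: int, attrs: bytes,
                            request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = (20 + len(attrs)).to_bytes(2, "big")
    return hashlib.md5(bytes([code, ident]) + length + request_auth + attrs + secret).digest()


def build_reply(code: int, ident: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """Assemble a server reply (e.g. Access-Accept) carrying its Response Authenticator."""
    auth = _response_authenticator(code, ident, attrs, request_auth, secret)
    return bytes([code, ident]) + (20 + len(attrs)).to_bytes(2, "big") + auth + attrs


def verify_reply(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client-side check: a reply whose authenticator was not computed with the
    shared secret (a forged Access-Accept) is rejected."""
    if len(reply) < 20 or int.from_bytes(reply[2:4], "big") != len(reply):
        return False
    expected = _response_authenticator(reply[0], reply[1], reply[20:], request_auth, secret)
    return hmac.compare_digest(reply[4:20], expected)


def new_request_authenticator() -> bytes:
    """Per-request random value; it keys the hiding above and the reply check."""
    return os.urandom(16)
```

Two practical consequences follow from the construction: the hiding is only as strong as the secret is unguessable (an eavesdropper with a captured request can test candidate secrets offline), and nothing but the password attribute is protected, so the RADIUS exchange between the BAT and the server should run over a management network or a VPN, with a long random shared secret.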
12. Default: Any
Note: Binding to all logical interfaces with the setting "any" is only possible for devices with a LAN bridge.
VLAN ID: ID of the VLAN with the active IPX router. Default: 0

11.7.11 Assigning logical interfaces to bridge groups

Particular properties of the logical interfaces are defined in the port table. (Port table dialog for LAN-1, "Local area network 1": Enable this port; Bridge group BRG-1; Point-to-point port; DHCP limit 0.)

Configuration tool   Call
LANconfig            Interfaces > Spanning Tree
WEBconfig/Telnet     Expert Configuration > Setup > LAN Bridge > Port Data

Active: This option activates or deactivates the logical interface.

Bridge group: Assigns the logical interface to a bridge group to enable bridging from and to this logical interface via the LAN bridge. If several logical interfaces are assigned to a common bridge group, they can be addressed at once and appear to the BAT router as a single interface. This can then be used for Advanced Routing and Forwarding, for example. Values: BRG-1 to BRG-8, none. Default: BRG-1.

Special significance: If the interface is removed from all bridge groups by setting "none", there is no communication between LAN and WLAN via the LAN bridge (isolated mode). With this setting, LAN/WLAN data transfers over this interface are only possible via the router, i.e. they are routed and subject to the router's rules rather than bridged transparently.
13. (Dialog fields: Drop / Reject; DoS further measures: Send Syslog message, Send e-mail, SNMP (i.e. LANmonitor), Disconnect, Lock source address (Duration), Lock target port (Duration).)

Note: To drastically reduce the susceptibility of the network to DoS attacks in advance, packets from remote networks may only be accepted if either a connection has been initiated from the internal network or the incoming packets have been accepted by an explicit filter entry (source: remote network, destination: local area network). This measure already blocks a multitude of attacks.

For all explicitly permitted accesses, the connection state, source addresses and correctness of fragments are tracked in the BAT. This happens for incoming and for outgoing packets, since an attack could also be started from within the local area network. This part is configured centrally so that an incorrect firewall configuration cannot open a gate for DoS attacks. Apart from specifying the maximum number of half-open connections, the fragment action and possible notification mechanisms, the following more extensive reactions are available:

The connection is cut off.
The sender address is blocked for an adjustable period of time.
The destination port of the scan is blocked for an adjustable period of time.

8.5 Denial of Service

WEBconfig/Telnet: The behaviour of the DoS detectio[n ...] (cut off)
14. In response to these requirements, most models with a serial interface can be extended with an additional WAN interface by using analog modems or GSM/GPRS modems. The following functions are available with a suitable modem in combination with the Modem Adapter Kit:

Internet access via modem with all of the router functions, such as firewall, automatic connection establishment and termination, etc.
Remote maintenance, e.g. dial-in to international sites
Backup connection, e.g. high availability through a GSM/GPRS modem connection

(Figure: BAT with serial interface, modem (GSM/GPRS), Internet provider.)

11.14.2 System requirements

The following are required to set up a backup connection over the serial interface:

BAT with serial configuration interface and support for the BAT modem adapter kit
LANconfig, or alternatively a web browser or Telnet
Serial configuration cable (supplied with the device)
Analog modem (Hayes-compatible) with access to a suitable analog telephone connection
BAT modem adapter kit to connect the modem over the serial configuration cable

11.14.3 Installation

The installation simply involves connecting the modem, via the BAT Modem Adapter Kit, to the serial configuration interface of the BAT.

Note: Do not use any adapter other than the original BAT Modem Adapter Kit. The contact a[ssignment ...] (cut off)
15. For reasons of compatibility it is best to use the Point-to-Point Protocol in the following applications:

when communicating with external routers, for example
remote access from remote workstations with ISDN cards
Internet access when sending addresses

The PPP implemented by the BAT can be used synchronously or asynchronously, not only via a transparent HDLC connection but also via an X.75 connection.

The phases of PPP negotiation

Establishing a connection using PPP always begins with a negotiation of the parameters to be used for the connection. This negotiation is carried out in four phases, which should be understood for configuration and troubleshooting.

Establish phase: Once a connection has been made at the data communication level, negotiation of the connection parameters begins through the LCP. This ascertains whether the remote site is also ready to use PPP, and the packet sizes and the authentication protocol (PAP, CHAP, MS-CHAP or none) are determined. The LCP then switches to the "opened" state.

Authenticate phase: Passwords are then exchanged if necessary. With PAP the password is sent once, in clear text, so it should only be used where the line itself is trusted. With CHAP or MS-CHAP the password itself is never sent: the remote station returns a hash computed from the password and a challenge issued by the authenticator, and the challenge can be repeated periodically at adjustable intervals. A callback may also be negotiated in this phase via CBCP (Callback Control Protocol).

Network phase: The BAT supports the protocols IPCP and IPXCP. [...] (cut off)
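The difference between PAP and CHAP in the authenticate phase, as an added example that is not part of the manual. PAP is shown only as what it puts on the line; CHAP is implemented as in RFC 1994 with MD5 (response = MD5(identifier || secret || challenge)), with the router re-challenging after the link is up. MS-CHAP uses a different response computation and is not shown. The class names and the sample secrets are the example's own.

```python
import hashlib
import secrets


def pap_request(user: bytes, password: bytes) -> bytes:
    """Authenticate-Request body as PAP sends it (RFC 1334): the password itself,
    length-prefixed and unprotected. Anyone on the line reads it."""
    return bytes([len(user)]) + user + bytes([len(password)]) + password


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994): MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class ChapAuthenticator:
    """Router side: issues a fresh random challenge, verifies the response and
    may repeat the exchange at any time while the link is up."""

    def __init__(self, secret: bytes):
        self.secret = secret          # CHAP needs the secret in clear on both ends
        self.ident = 0
        self.outstanding = None       # challenge awaiting a response

    def challenge(self) -> tuple:
        self.ident = (self.ident + 1) & 0xFF
        self.outstanding = secrets.token_bytes(16)
        return self.ident, self.outstanding

    def verify(self, ident: int, response: bytes) -> bool:
        if self.outstanding is None or ident != self.ident:
            return False
        expected = chap_response(ident, self.secret, self.outstanding)
        self.outstanding = None       # one response per challenge: a replay fails
        return secrets.compare_digest(response, expected)


class ChapPeer:
    """Dial-in side: never sends the secret, only the hash over the challenge."""

    def __init__(self, secret: bytes):
        self.secret = secret

    def respond(self, ident: int, challenge: bytes) -> bytes:
        return chap_response(ident, self.secret, challenge)


def run_chap(router_secret: bytes, peer_secret: bytes, rounds: int = 3) -> list:
    """Outcome of the initial CHAP exchange followed by periodic re-challenges."""
    auth, peer = ChapAuthenticator(router_secret), ChapPeer(peer_secret)
    results = []
    for _ in range(rounds):
        ident, chal = auth.challenge()
        results.append(auth.verify(ident, peer.respond(ident, chal)))
    return results
```

The properties worth noting: a captured CHAP response is useless against a later challenge (the second `verify` in the test fails), the line never carries the secret, but the authenticator must hold the secret in recoverable form, so the BAT's PPP list (or the RADIUS server) is a sensitive store.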
16. (Remote site dialog for DSL: Name; Short hold time (seconds); VPI; VCI; Access concentrator; Service; Layer name; MAC address type; MAC address; DSL ports; VLAN ID.)

Configuration tool   Call
LANconfig            Communication > Remote sites > Remote sites (DSL)
WEBconfig/Telnet     Expert Configuration > Setup > WAN > DSL Broadband Peers

VLAN ID: ID used to explicitly identify the VLAN over the DSL connection. Default: 0. With VLAN ID 0 only untagged packets are accepted; with any other VLAN ID only packets with the corresponding tag are accepted.

10.8 VLAN Q-in-Q tagging

VLANs compliant with IEEE 802.1Q are generally used to connect multiple networks that share a common physical medium but are to be kept separate from one another. In some cases VLANs are operated on public networks run by providers in order to keep the various company networks separate. Consequently VLAN tags may be used both in the LAN and over the WAN path; VLAN-tagged LAN packets therefore require an additional VLAN tag for transmission over the WAN. For control over VLAN tagging, the actions performed by each port can be defined separately. (Port table dialog for LAN-1: Tagging mode; Accept frames on this port that belong to other VLANs.)
17. Note: With LANmonitor you can only monitor devices that you can access via IP (locally or remotely). You cannot access a router via the serial interface with this program.

5.7.1 Extended display options

Under View > Show Details you can activate and deactivate the following display options: Error messages; Diagnostic messages; System information.

Note: Many important details on the status of the BAT are not displayed until the display of system information is activated. These include, for example, the ports and the charge management. Interested users are therefore recommended to activate the display of system information.

5.7.2 Querying CPU and memory utilization over SNMP

The load on CPU and memory in the BAT can be queried with SNMP or displayed in LANmonitor.

(Screenshot: LANmonitor window listing WAN connections, Wireless LAN, VPN connections and a Firewall log; the log shows a series of DENY_ALL entries dated 31.3.2005 such as "UDP packet from 192.168.2.113:1901 to 239.255.255.250:1900, packet rejected".)
18. Poisoned reverse: The use of poisoned reverse can be set here. Possible values: Yes, No. Default: No.

Static routes for constant propagation

Routers use RIP to propagate not only dynamic routes but statically configured routes as well. Some of these static routes may not be constantly available, for example when an Internet connection or dial-up access is temporarily unavailable. For a static route, the setting "Active" in the routing table defines whether it is propagated constantly or only when it is actually reachable.

WEBconfig: Setup > IP router > IP routing table
Active: Indicates the route's status. Possible values:
  Yes: Route is active and propagated constantly.
  No: Route is inactive and is not propagated.
  Semi: Route is active and is only propagated when it is reachable.
Default: Yes

Extended filter options

Until now, routes learned from RIP could only be filtered by their routing tag. It is desirable to be able to filter routes by their network address as well, for example to learn only routes within the network 192.168.0.0/255.255.0.0. Restricting accepted routes to the prefixes you expect also limits what a misconfigured or malicious RIP neighbour can inject into your routing table.

11.7 Changes in other services

Initially the filters are defined in a central table; these can then be used by entries in the LAN and WAN RIP tables.

WEBconfig: Setup > IP router > RIP > Filter
Name: Name of the filter. Possible values: 18 alphanumerical characters. Examples: [...] (cut off)
19. [...] certain times. If the installation features a large number of active devices that are all subjected to the same CRON job at the same time (e.g. updating a configuration by script), unpleasant side effects can result, for example if all devices try to establish a VPN connection at once. To avoid these effects, CRON jobs can be set with a random delay time between 0 and 59 minutes.

12.7 Scheduled Events
12.7.3 Configuring the CRON job

The following parameters are available in the BAT for configuring CRON jobs. (Dialog "Configure Date & Time": tabs General, Synchronization, Time Server, Public Holidays, CRON table; time zone and daylight saving time settings (Automatic Europe/EU, or user-defined values for the changes between normal and summer time). CRON table entry: Entry active; Time base (Real time / Operation time); Hours; Days of week.)

LANconfig            Date & Time > General > CRON table
WEBconfig/Telnet     Expert configuration > Setup > Config > CRON table

Entry active: Activates or deactivates the entry. Default: Active.
Time base: The Time base field de[fines ...] (cut off)
20. (Intrusion detection log excerpt. Columns as recovered: No., date, time, source address, destination address, protocol (17 = UDP), source port, destination port, rule ("intruder de..." in the source, cut off), limit, action, notification. The service abbreviations "ro", "bo" and "n" after the ports are reproduced as extracted.)

No.  Date      Time      Source       Destination      Proto  Src port   Dst port   Rule         Limit        Action          Notification
3    2.4.2004  12:06:45  10.1.1.11    224.0.0.9        17     520 (ro)   520 (ro)   intruder de  Immediately  Packet dropped  SYSLOG sent
4    2.4.2004  12:05:44  10.1.1.114   255.255.255.255  17     67 (bo)    68 (bo)    intruder de  Immediately  Packet dropped  SYSLOG sent
5    2.4.2004  12:02:32  10.1.1.111   224.0.0.9        17     520 (ro)   520 (ro)   intruder de  Immediately  Packet dropped  SYSLOG sent
6    2.4.2004  12:01:31  10.1.1.114   255.255.255.255  17     67 (bo)    68 (bo)    intruder de  Immediately  Packet dropped  SYSLOG sent
7    2.4.2004  12:00:04  10.1.1.111   224.0.0.9        17     520 (ro)   520 (ro)   intruder de  Immediately  Packet dropped  SYSLOG sent
8    2.4.2004  11:59:03  10.1.1.11    10.1.255.255     17     137 (n)    137 (n)    intruder de  Immediately  Packet dropped  SYSLOG sent
9    2.4.2004  11:55:08  10.1.4.11    224.0.0.9        17     520 (ro)   520 (ro)   intruder de  Immediately  Packet dropped  SYSLOG sent
10   2.4.2004  11:54:07  10.1.1.114   255.255.255.255  17     67 (bo)    68 (bo)    intruder de  Immediately  Packet dropped  SYSLOG sent
11   2.4.2004  11:48:05  10.1.1.141   224.0.0.9        17     520 (ro)   520 (ro)   intruder de  Immediately  Packet dropped  SYSLOG sent
12   2.4.2004  11:47:04  10.1.1.111   255.255.255.255  17     67 (bo)    68 (bo)    intruder de  Immediately  Packet dropped  SYSLOG sent
13   2.4.2004  11:45:00  10.1.1.11    224.0.0.9        17     520 (ro)   520 (ro)   intruder de  Immediately  Packet dropped  SYSLOG sent
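Every entry in that excerpt is a LAN host talking to a multicast or broadcast address on a well-known port (RIP to 224.0.0.9:520, DHCP to 255.255.255.255, NetBIOS name service to the directed broadcast), which a deny-all rule will log as "intruder" traffic all day and which then buries the entries that matter. The following added example (not code from the manual) parses constructed lines in the column order of the table, labels the known broadcast chatter, and reports which sources produced something else. The rule name, the probe lines from 10.1.1.50 and the helper names are constructed; the "last octet 255" test for directed broadcasts is a simplifying assumption.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Constructed lines in the column order of the intrusion-detection table:
# date, time, source, destination, protocol number, source port, destination port, rule.
# The rule name and the two TCP lines from 10.1.1.50 are invented for the example.
SAMPLE_LOG = """\
2.4.2004 12:06:45 10.1.1.11 224.0.0.9 17 520 520 INTRUDER
2.4.2004 12:05:44 10.1.1.114 255.255.255.255 17 67 68 INTRUDER
2.4.2004 12:02:32 10.1.1.11 224.0.0.9 17 520 520 INTRUDER
2.4.2004 12:01:31 10.1.1.114 255.255.255.255 17 67 68 INTRUDER
2.4.2004 11:59:03 10.1.1.11 10.1.255.255 17 137 137 INTRUDER
2.4.2004 11:58:10 10.1.1.50 10.1.1.1 6 40211 23 INTRUDER
2.4.2004 11:58:11 10.1.1.50 10.1.1.1 6 40212 22 INTRUDER
"""

LINE = re.compile(r"^(?P<date>\S+) (?P<time>\S+) (?P<src>[\d.]+) (?P<dst>[\d.]+) "
                  r"(?P<proto>\d+) (?P<sport>\d+) (?P<dport>\d+) (?P<rule>\S+)")

# Protocol/port pairs that LAN hosts send to broadcast or multicast addresses as a matter of course.
CHATTER = {(17, 520): "rip", (17, 67): "dhcp", (17, 68): "dhcp", (17, 137): "netbios-ns"}


def parse(line: str):
    """One log line to a dict, or None for a line that does not fit the format."""
    m = LINE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    for key in ("proto", "sport", "dport"):
        entry[key] = int(entry[key])
    return entry


def is_broadcast_like(dst: str) -> bool:
    """Multicast, the limited broadcast, or (assumption) a directed broadcast ending in .255."""
    return ip_address(dst).is_multicast or dst == "255.255.255.255" or dst.endswith(".255")


def classify(entry: dict) -> str:
    """'chatter:<service>' for expected LAN noise, 'unicast-probe' for anything else."""
    key = (entry["proto"], entry["dport"])
    if is_broadcast_like(entry["dst"]) and key in CHATTER:
        return "chatter:" + CHATTER[key]
    return "unicast-probe"


def triage(log: str) -> Counter:
    """Events per (source, class), so noise and probes can be read apart at a glance."""
    counts = Counter()
    for line in log.splitlines():
        entry = parse(line)
        if entry:
            counts[(entry["src"], classify(entry))] += 1
    return counts


def probe_sources(log: str) -> set:
    """Sources with at least one event that is not explainable as LAN chatter."""
    return {src for (src, cls) in triage(log) if cls == "unicast-probe"}


if __name__ == "__main__":
    for (src, cls), n in sorted(triage(SAMPLE_LOG).items()):
        print(f"{src:<12} {cls:<20} {n}")
    print("worth a look:", sorted(probe_sources(SAMPLE_LOG)))
```

The practical conclusion is a rule-set one: keep dropping the broadcast chatter, but give it its own filter rule without the Syslog/e-mail actions, so that the notification channel stays meaningful for entries like the two from 10.1.1.50.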
21. [...] window. After entering the correct user name and password, the WEBconfig main menu appears. This menu only displays the options available to the administrator who is currently logged in. If more than one administrator is set up in the admin table, the main menu features an additional button, "Change Administrator", which allows other users to log in with different rights if applicable.

4.8.1 Rights for the administrators

Administrators' rights are assigned at two levels. Each administrator belongs to a certain group that has globally defined rights assigned to it. Each administrator also has function rights that determine personal access to certain functions such as the Setup Wizards.

Administrator groups

Group (Telnet/Terminal)   Short description   Rights (description under LANconfig)
Supervisor                All                 Supervisor, member of all groups
Admin-RW                  Limited             Local administrator with read and write access
Admin-RO                  Read only           Local administrator with read access but no write access
None                      None                No access to the configuration

Supervisor: Has full access to the configuration.

Local administrator with read and write access: Also has full access to the configuration, although the following options are prohibited: upload firmware onto the device; upload configuration onto the device; configu[...] (cut off)
22. [...]word.

Never use a password twice. If you use the same password for several purposes, you reduce its protective effect: if one of the other ends is not secure, you also endanger every other connection for which you use this password.

Change the password regularly. Passwords should be changed as frequently as practicable. This requires effort, but considerably increases the security of the password.

Change the password immediately if you suspect someone else knows it. If an employee with access to a password leaves the company, it is high time to change this password. A password should also always be changed at the slightest suspicion of a leak.

7.1 Protection for the configuration

If you comply with these simple rules, you will achieve the highest possible degree of security.

Entering the password
You will find the box to enter the password in LANconfig in the Management configuration area on the Admin tab. Under WEBconfig you run the wizard "Security Settings". In a terminal or Telnet session you set or change the password with the command passwd.

Configuration tool   Run
LANconfig            Management > Admin > Main device password
WEBconfig            Security settings
Terminal/Telnet      passwd

Protecting the SNMP access
At the same time you should also protect the SNMP read access with a password. For SNMP the general configuration password is used. Note that with SNMP v1 and v2c this password travels in clear as the community string, so SNMP access should additionally be limited to the management network.
23. (Index excerpt, page numbers omitted.) Denial of Service attacks: Ping of Death, Smurf, SYN Flooding, Teardrop; DES; Device name; DHCP: broadcast address, DHCP server, DNS and NBNS server for WINS resolution, network mask, period of validity, standard gateway; Differentiated Services (see DiffServ); Differentiated Services Code Point (see DSCP); DiffServ: Assured Forwarding, Best Effort, Class Selector, Expedited Forwarding, IPSec; Distance of a route; DMZ: IP address assignment; DNS: available information, DNS forwarding, DNS server, DNS table, Dynamic DNS, filter mechanism; Domain: deny access; Domain name service (DNS); Download; Downstream rate; DS; DSCP; DSL; DSSS; Dynamic DNS; Dynamic Host Configuration Protocol (DHCP); Dynamic routing; EAP: process of a session secured by EAP, RADIUS server; EAP/802.1x: Master Secret, EAP-MD5, EAP-TLS, EAP-TTLS; EIRP; E-mail virus; Encapsulation; Encryption: asymmetric, symmetric; Encryption methods: AES, CCM; End address; Enterprise-specific Traps; ESS; ESSID; ET[...] (cut off)
24. Admin-RO: Local administrator with read access but no write access.
None: No access to the configuration.

The different function rights are represented by the following hexadecimal values:

Value        Right
0x00000001   The user can run the Basic Configuration Wizard
0x00000002   The user can run the Security Wizard
0x00000004   The user can run the Internet Wizard
0x00000008   The user can run the Wizard for selecting Internet providers
0x00000010   The user can run the RAS Wizard
0x00000020   The user can run the LAN-LAN Coupling Wizard
0x00000040   The user can set the date and time (also applies to Telnet and TFTP)
0x00000080   The user can search for additional devices
0x00000100   The user can run the WLAN link test (also applies to Telnet)
0x00000200   The user can run the a/b Wizard

The entry is the bitwise sum of the selected values; the manual works it out column by column, i.e. per hexadecimal digit from the right. If, for example, the user is to receive the rights to use the Security Wizard, the selection of Internet providers, the RAS Wizard, changing the time and the WLAN link test, the values are:

First column from the right:   2 (Security Wizard) + 8 (selection of Internet provider) = a (hexadecimal)
Second column from the right:  1 (RAS Wizard) + 4 (change time) = 5 (hexadecimal)
Third column from the right:   1 (WLAN link test) = 1 (hexadecimal)

For this example the function rights are therefore entered with the value 0000015a.
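The column-by-column addition is just assembling a bit mask, and the reverse operation is what you need when auditing an existing admin table: given a value such as 0000015a, which wizards does this account get, and are any bits set that no documented right uses? The following added example (not code from the manual) does both; the bit values are the ones listed above, while the dictionary keys and function names are the example's own.

```python
# Bit values from the function-rights table; the names are this example's own.
FUNCTION_RIGHTS = {
    "basic_wizard":     0x00000001,   # Basic Configuration Wizard
    "security_wizard":  0x00000002,   # Security Wizard
    "internet_wizard":  0x00000004,   # Internet Wizard
    "provider_wizard":  0x00000008,   # Wizard for selecting Internet providers
    "ras_wizard":       0x00000010,   # RAS Wizard
    "lan_lan_wizard":   0x00000020,   # LAN-LAN Coupling Wizard
    "set_time":         0x00000040,   # Set date and time (also Telnet and TFTP)
    "search_devices":   0x00000080,   # Search for additional devices
    "wlan_linktest":    0x00000100,   # WLAN link test (also Telnet)
    "ab_wizard":        0x00000200,   # a/b Wizard
}
KNOWN_BITS = 0
for _bit in FUNCTION_RIGHTS.values():
    KNOWN_BITS |= _bit


def encode_rights(names) -> int:
    """OR together the bits of the named rights; an unknown name raises KeyError
    rather than silently granting nothing."""
    value = 0
    for name in names:
        value |= FUNCTION_RIGHTS[name]
    return value


def format_rights(value: int) -> str:
    """The eight hex digits as entered in the admin table, e.g. 0000015a."""
    return f"{value:08x}"


def parse_rights(text: str) -> int:
    """The admin-table string back to an integer."""
    return int(text, 16)


def decode_rights(value: int) -> list:
    """Names of the rights set in a value. Bits that no documented right uses are
    reported separately so an audit does not overlook them."""
    names = [name for name, bit in FUNCTION_RIGHTS.items() if value & bit]
    if value & ~KNOWN_BITS:
        names.append(f"undocumented:0x{value & ~KNOWN_BITS:x}")
    return names


def hex_columns(value: int) -> list:
    """The manual's column-wise view: the value of each hex digit, first column
    from the right first (0x15a -> [0xa, 0x5, 0x1])."""
    digits = format_rights(value).lstrip("0") or "0"
    return [int(d, 16) for d in reversed(digits)]


if __name__ == "__main__":
    wanted = ["security_wizard", "provider_wizard", "ras_wizard", "set_time", "wlan_linktest"]
    value = encode_rights(wanted)
    print(format_rights(value), hex_columns(value), decode_rights(value))
```

When reviewing accounts, treat the function rights and the group as separate decisions: an Admin-RO account with the RAS or LAN-LAN wizard bit set can still change the configuration through that wizard.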
25. Connection: The connection of a Firewall rule defines to which data packets the rule refers. A connection is defined by its source, its destination and the services used. The following details can be used to specify the source or destination: all stations; the entire local network (LAN); certain remote stations, described by the name of the remote site list; certain stations of the LAN, described by the host name; certain MAC addresses; ranges of IP addresses; complete IP networks. You can only operate with host names when your BAT is able to transform the names into IP addresses. For that purpose the BAT must have learned the names via DHCP or NetBIOS, or the assignment must be entered statically in the DNS or IP routing table. An entry in the IP routing table can therefore assign a name to a whole network. Note: If the source or the destination for a Firewall rule has not been specified in greater detail, the rule applies generally to data packets from all stations resp. to all stations. The service is determined by the combination of an IP protocol with the respective source and/or destination port. For frequently used services (WWW, mail etc.) the appropriate combinations are already predefined in the BAT; others can be compiled additionally as required. Condition: The effectiveness of a Firewall rule is also reduce
26. [LANconfig screenshot: a folder containing the device "Central Site" and the group configuration "Group Config" (192.168.2.102, status Ok).] 5.4.4 Using multiple group configurations: Multiple group configurations can be created within a single folder. Only one of these group configurations may be active at a time, since the device status only relates to one group configuration. Active group configurations are indicated by a blue tick, inactive group configurations by a red cross. To activate a group configuration, click on the entry with the right-hand mouse key and select "Active" from the context menu. All other group configurations are then deactivated automatically. Note: Different group configurations in one folder may not be linked to the same partial configuration file. [LANconfig screenshot: folder "Group Wireless 5.00" with several devices and the context menu of a group configuration offering Edit, Delete and Properties (Alt+Enter).] 5.5 Rollout Wizard: In complex scenarios with multiple BAT devi
27. HTTP. SNMP OID 1.3.6.1.4.1.2356.400.1.6021.1.10.26.1.7.1.7: SNMP Integer Value 80 (0x50). Name of the filter rule: SNMP OID 1.3.6.1.4.1.2356.400.1.6021.1.10.26.1.8.1.8: SNMP String Value BLOCKHTTP. Note: This trap, like all other traps generated in the BAT, is sent to all manually configured trap receivers as well as to each registered LANmonitor, which can evaluate this and possibly all other traps. 8.3.6 Strategies for Firewall settings: Firewalls are the interface between networks, and they restrict, to a smaller or larger extent, an unhindered data exchange. Thus Firewalls have objectives opposite to those of networks, although they are a part of them: networks should connect workstations, Firewalls should prevent the connection. This contradiction shows the dilemma of the responsible administrators, who have subsequently developed different strategies to solve this problem. Allow All: The Allow All strategy favours unhindered communication of the employees over security. Any communication is allowed at first, so the LAN is still open for attackers. The LAN is gradually made more secure by the administrator configuring more and more new rules, which restrict or prevent parts of the communication. Deny All: The Deny All strategy proceeds at first according to the method "block all". The Fire
28. IPX over PPTP; VPN. Note: If no explicit Firewall rule exists for a data packet, the packet will be accepted (Allow All). That grants backward compatibility for existing installations. For maximum protection by the Stateful Inspection, please note the section "Set-up of an explicit Deny All strategy" (page 283). The four lists obtain their information as follows: In the host block list all those stations are listed which are blocked for a certain time because of a Firewall action. The list is dynamic: new entries can be added continuously by appropriate actions of the Firewall, and entries automatically disappear after the timeout is exceeded. In the port block list those protocols and services are filed which are blocked for a certain time because of a Firewall action. This list is likewise a dynamic one: new entries can be added continuously by the appropriate Firewall actions, and entries automatically disappear after the timeout is exceeded. For each established connection an entry is made in the connection list if the checked packet has been accepted by the filter list. In the connection list it is noted from which source to which destination, over which protocol and which port a connection is actually allowed. The list contains in addition how long an entry will stay in the list and which Firewall rule is responsible for the entry. This list is very dy
29. [LANconfig screenshot: routing table entry dialog with the fields Entry active, IP address, Netmask, Routing tag, Router (INTERNET), Distance, IP masquerading (IP masquerading switched off / masking Intranet and DMZ (default) / masking Intranet only) and Comment; the table shows the route 172.16.0.0 / 255.240.0.0 with routing tag 0 to the router INTERNET.] The virtual remote site is entered into the routing table as the router for the default route: in LANconfig via IP router > Routing > Routing table; Telnet: Setup/IP router/IP routing table; WEBconfig: Expert configuration > Setup > IP router > IP routing table. Note: The virtual remote site INTERNET is now to be used for Internet access. When data are routed over this connection, the load balancing table will cause the real DSL connections to be established and the data will be transmitted over the selected DSL ports. Routing tags can be used for the application-dependent direction of data traffic to specific DSL ports. If, for example, outgoing e-mail traffic is to be routed over a certain DSL interface with a certain IP address, then the appropriate firewall rule must be created that transmits e-mail data traffic from all local stations to the mail server and sets the routing tag to 1. Do this with LANconfig via Firewall/QoS > Rules; Telnet: Setup/IP router/Firewall/Rules; WEBconfig: Expert configuration > Setup > IP router > Firewall > Rules.
30. LAN-1, LAN-2, WAN1 etc. Note: The hash symbol can be used to combine multiple entries into a single filter. Taken together, the entries LAN-1 and LAN-2 make up a filter LAN that can be called from the RIP table. Filter: Comma-separated list of networks that are to be accepted or rejected. Example of an accepted network: +10.0.0.0/255.0.0.0. Example of a rejected network: -192.168.0.0/255.255.0.0. Possible values: 64 characters from 0123456789 and the separators shown in the examples. Note: The plus sign for accepted networks is optional. Filters defined in the filter table can be referenced in the columns for RX filter and TX filter in the LAN RIP and WAN RIP tables. RX defines the networks from which routes can be learned or blocked, and TX defines the networks to which propagation should be allowed or blocked. Caution: Filtering by routing tags is unaffected, i.e. if a tag for a route indicates that it is not to be learned or propagated, then this cannot be forced by means of the filter table. Global RIP parameters: Maximum hop count. In some scenarios it may be desirable to use a larger maximum hop count than that intended by RIP (16). This value can be adapted with the parameter Max-Hopcount: WEBconfig: Setup > IP router > RIP > Parameters > Max hop count. Sets the maximum number of permissible hops. Possible values: 16 to 99. Default: 16. 11.7 Changes in other services: No
31. Management > Interfaces > Interface Settings > ISDN > Max. outgoing calls.
Predefined charging limit exceeded | x | The fee limit under Configure > Management > Costs > Charge limit (ISDN) was reached. Indicated by a synchronized blinking of the Power LED.
Predefined time limit exceeded | X | The time limit under Configure > Management > Costs > Time limit (ISDN) was reached. Indicated by a synchronized blinking of the Power LED.
No IP address for PPTP server | X | The IP address of the selected PPTP server has not been entered. Enter the IP address under Configure > Communication > Protocols > PPTP list. Also see
Exchange type mismatch (Main or Aggressive mode) | x | IKE: The exchange type does not match that of the remote device. Please check the value under Configure > VPN > Connection list > Edit VPN remote site entry > IKE Exchange.
No proposal matched | x | IKE: The IKE proposals do not match. Check the VPN rules.
No proposal matched | x | IKE: The IKE proposals do not match. Check the VPN rules.
IKE group mismatch | x | IKE: Please check the IKE groups on both sides under Configure > VPN > Connection parameters > VPN remote site identification > IKE Group.
Life type unsupported (other than Kbytes or seconds) | x | IKE: The value for the lifetime is not supported. Please use a life type in sec (seconds) or kb (kilobytes). Check this
32. Port VLAN ID: 1. Configuration tool / Call: LANconfig: Interfaces > VLAN > Port table; WEBconfig, Telnet: Expert configuration > Setup > VLAN > Port table. Tagging mode: Controls the processing and assignment of VLAN tags at this port. Never: Outbound packets are not given a VLAN tag at this port. Incoming packets are treated as though they have no VLAN tag; if incoming packets have a VLAN tag, it is ignored and treated as though it were part of the packet's payload. Incoming packets are always assigned to the VLAN defined for this port. Unconditional: Outgoing packets at this port are always given a VLAN tag, irrespective of whether they belong to the VLAN defined for this port or not. Incoming packets must have a VLAN tag, otherwise they will be dropped. Mixed: Allows mixed operation of packets with and without VLAN tags at the port. Packets without a VLAN tag are assigned to the VLAN defined for this port. Outgoing packets are given a VLAN tag unless they belong to the VLAN defined for this port. Ingress mixed: Arriving (ingress) packets may or may not have a VLAN tag; outbound (egress) packets are never given a VLAN tag. Default: Ingress mixed. 10.8 VLAN Q-in-Q tagging. Allow all VLANs: Allows packets from other VLANs to enter this port. This option defines whether tagged data packets with any VLAN ID should be accepted, even if the port is
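As an added example (not code from the manual or the device), the four tagging modes described above as a Python model of how a port handles a received and an outbound frame, with a two-port forward that shows which tag, if any, a frame leaves with; the port names and VLAN IDs are constructed test values, and the "Allow all VLANs" option is not modelled.

```python
"""Model of the VLAN port tagging modes (added example, not manual or device code)."""
from dataclasses import dataclass
from typing import Optional, Tuple

NEVER = "never"
UNCONDITIONAL = "unconditional"
MIXED = "mixed"
INGRESS_MIXED = "ingress-mixed"   # the manual's default tagging mode


@dataclass
class Port:
    name: str
    port_vid: int                    # "Port VLAN ID": the VLAN defined for this port
    tagging_mode: str = INGRESS_MIXED


def ingress_vlan(port: Port, tag: Optional[int]) -> Optional[int]:
    """VLAN a received frame is assigned to, or None if the port drops it.
    `tag` is the VLAN ID carried in the frame's 802.1Q tag, None if untagged."""
    if port.tagging_mode == NEVER:
        # Any tag is ignored (treated as payload); always the port's own VLAN.
        return port.port_vid
    if port.tagging_mode == UNCONDITIONAL:
        # Incoming packets must carry a tag, otherwise they are dropped.
        return tag
    # Mixed and Ingress mixed: untagged frames fall into the port VLAN.
    return tag if tag is not None else port.port_vid


def egress_tag(port: Port, vlan: int) -> Optional[int]:
    """Tag written on an outbound frame of VLAN `vlan`, or None for untagged."""
    if port.tagging_mode in (NEVER, INGRESS_MIXED):
        return None                  # egress is never tagged in these modes
    if port.tagging_mode == UNCONDITIONAL:
        return vlan                  # always tagged, even for the port VLAN
    # Mixed: tagged unless the frame belongs to the VLAN defined for this port.
    return None if vlan == port.port_vid else vlan


def forward(ingress: Port, tag: Optional[int],
            egress: Port) -> Optional[Tuple[int, Optional[int]]]:
    """Carry a frame from `ingress` to `egress`.
    Returns (assigned VLAN, egress tag or None for untagged), or None if dropped."""
    vlan = ingress_vlan(ingress, tag)
    if vlan is None:
        return None
    return vlan, egress_tag(egress, vlan)


if __name__ == "__main__":
    # Constructed ports: a trunk, an access port in VLAN 10 and a legacy port.
    trunk = Port("LAN-1", 1, UNCONDITIONAL)
    access = Port("LAN-2", 10, MIXED)
    legacy = Port("WLAN-1", 1, NEVER)
    print(forward(trunk, None, access))   # None: untagged frame dropped at trunk
    print(forward(trunk, 10, access))     # (10, None): own VLAN leaves untagged
    print(forward(legacy, 20, trunk))     # (1, 1): tag ignored, port VLAN tagged
```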
33. [LANconfig Options dialog: Startup, "Set up new devices" when an unconfigured device is found; External programs: Telnet client (telnet.exe), SSH client. Device menu: Setup Wizard, Check, Configuration Management, Firmware Management, WEBconfig/Console session (Open Web Browser, Open secure Web Browser, Open Telnet Session, Open SSH Session), Monitor Device (Ctrl+M), Set Date/Time, Activate Software Option.] The configuration is carried out with the same commands as used under Telnet or another terminal program (Command line reference, page 134). 4.4.7 SSH authentication: The SSH protocol generally allows two different authentication mechanisms: with user name and password, or with the help of a public key. In the public key method a key pair is used that is made up of a private and a public key (a digital certificate). Detailed information about the keys mentioned here can be found in the section Digital certificates in the chapter on VPN in the user manual Configuration. The private part of the key pair is saved on the client, frequently protected with a password; the public part is loaded into the BAT Router. The BAT Router supports both RSA and DSS/DSA keys. RSA key
34. [LANmonitor screenshot: VPN connections (e.g. VPN_OSCHILPE, VPN_PCPRO, VPN_QS_TEST), each connected via INTERNET with AES 128 bit encryption.] For each connection the list shows: name of the remote device; current status; last error message; IP address of the gateway; encryption information. Accounting information: The accounting information is a log of the connections from each station in the LAN to remote sites in the WAN. The detailed information recorded includes: [LANmonitor accounting view with the columns Remote site, Type, connections, Received, Transmitted and Total online time, e.g. VPN_WTIW, VPN connection, 833 KB received, 740 KB transmitted, 18 days and 8 hours.]
35. The following table gives information on the permitted application:
Country | Band (GHz) | Sub-band | Frequency (GHz) | Channels | Turbo channels | Emitted power (mW / dBm) | Indoor / Outdoor
Germany, Austria, Switzerland, Netherlands, Belgium, Luxembourg, Italy, Malta, France | 2.4 | 1 | 2.4–2.4835 | 1–13 | 6 | 100 / 20 | I/O
same countries | 5 | 1 | 5.15–5.35 | 36–64 | 42–58 | 200 / 23 | I
same countries | 5 | 2 | 5.470–5.725 | 100–140 | 106–130 | 1000 / 30 | I/O
UK | 2.4 | 1 | 2.4–2.4835 | 1–13 | 6 | 100 / 20 | I/O
UK | 5 | 1 | 5.15–5.35 | 36–64 | 42–58 | 200 / 23 | I
UK | 5 | 2 | 5.470–5.725 | 100–140 | 106–130 | 1000 / 30 | I/O
UK | 5 | 3 | 5.725–5.875 | 147, 151, 155, 167 | 7 | 2000 / 33 | only fixed WLAN outdoor installations
Czechia | 2.4 | 1 | 2.4–2.4835 | 1–13 | 6 | 100 / 20 | I/O
Czechia | 5 | 1 | 5.15–5.35 | 36–64 | 42–58 | 200 / 23 | I
Further details on the restrictions for the use of WLAN adapters within the EU can be found on the Internet:
Country | Organization | Link
Belgium | Institut Belge des Postes et Télécommunications (BIPT) | www.bipt.be
Denmark | National Telecom Agency | www.tst.dk
Germany | Regulierungsbehörde für Telekommunikation und Post | www.regtp.de
Finland | Finnish Communications Regulatory Authority (FICORA) | www.ficora.fi
France | Autorité de Régulation des Télécommunications (ART) | www.art-telecom.fr
Greece | National Telecommunications Commission (EET) | www.eett.gr
Great Britain | Office of Telecommunications (Oftel) | www.oftel.gov.uk
Great Britain | Postal Services Commission (Postcomm) | www.postcomm.gov.uk
Great Britain | Radiocommunicati
36. The redirect function assists the applications used by the WLAN clients in finding the correct target computer in the LAN automatically. If a WLAN client's HTTP request from a certain logical wireless network should always be directed to a certain server in the LAN, then a filter setting for the appropriate protocol with the action "redirect" is set up for the desired logical WLAN interface. [Figure: a client on the logical wireless network on interface WLAN-1-2 sends an HTTP request to 192.168.2.25; the filter "Redirect HTTP from WLAN-1-2 to 10.0.0.99" delivers it to the server 10.0.0.99 in the LAN.] All requests with this protocol from this logical wireless network will automatically be redirected to the target server in the LAN. The returning data packets are sent to the senders' addresses and ports according to the entries in the connection statistics, which ensures trouble-free operation in both directions. Further information on the configuration of the protocol filter can be found under Protocol filter, page 55. IEEE 802.1x/EAP: The international industry standard IEEE 802.1x and the Extensible Authentication Protocol (EAP) enable access points to carry out reliable and secure access checks. The access data can be managed centrally on a RADIUS server and can be called up by the access point on demand. This technology also enables the secure transmission and the regular automatic changing of WEP keys. In this way IEE
37. This happens either in order to trick the Firewall, which trusts packets from its own network more than packets from untrusted networks, or in order to hide the author of an attack (e.g. Smurf). The BAT Firewall protects itself against spoofing by route examination, i.e. it examines whether a packet was allowed at all to be received over the interface from which it was received. 8.4 Intrusion Detection. Portscan Detection: The Intrusion Detection system tries to recognize port scans, to report them and to react suitably to the attack. This happens similarly to the recognition of a SYN Flooding attack (see SYN Flooding, page 304): the half-open connections are counted here as well, whereby a TCP RESET which is sent by the scanned computer leaves a half-open connection open again. If a certain number of half-open connections exist between the scanned and the scanning computer, then this is reported as a port scan. Likewise the receipt of empty UDP packets is interpreted as an attempted port scan. 8.4.2 Configuration of the IDS. LANconfig: Parameters of the Intrusion Detection System are set in LANconfig in the configuration tool Firewall/QoS on the index card IDS. [LANconfig: Configure > Firewall/QoS, tabs General, Rules, DoS, IDS; section Intrusion Detection System.] If the amount of port inquiries grows above the value given here, an intrusion attack will be detected and the IDS
38. [LANconfig firmware management menu: Upload New Firmware; Monitor Device (Ctrl+M); 1: Version 4.00 of 26.11.2004; 2: Version 3.52 of 21.09.2004; Set Date/Time; Activate Software Option.] View a full list of all firmware versions: If your search in the archive did not reveal a new firmware version, you can alternatively view a full list of all of the firmware files that have been found. You can, for example, switch back to an older version. LANconfig displays all versions found for the marked devices, including the version currently active in each device. For each device you can select precisely one firmware version that will then be uploaded onto the device. [Firmware update dialog: "No newer firmware was found in the selected archive directory D:\Programme\LANCOM\LANconfig\Firmware. For the following devices firmwares were found. Would you like to view the found firmwares anyway?" with entries such as VPN_NHAMEL 4.00 (26.11.2004) > 3.52 (21.09.2004) and LANCOM DSL/I-1611 Office 4.00 (26.11.2004) > 3.52; buttons Yes / No.] 5.2.6 Password protection for SNMP read-only access: The read-only access to a BAT device via SNMP, for example with LANmonitor, can be password protected. This uses the same user data as with access to LANconfig. Password protection of SNMP access mea
39. and any other DMZ networks, of course. DMZ-type networks with the interface tag 0 are a special case: as supervisor networks they can see all other networks, and they are also visible to all other networks. [Figure: IP network Company A, 10.0.0.0 / 255.255.255.0, interface tag 1, via Provider A; IP network Company B, 10.0.0.0 / 255.255.255.0, interface tag 2, via Provider B.]
Routing table: IP address | Netmask | Interface tag | Router
255.255.255.255 | 0.0.0.0 | 1 | Provider A
255.255.255.255 | 0.0.0.0 | 2 | Provider B
Note: For cases which do not allow IP addresses to be uniquely assigned by interface tag, the Advanced Routing and Forwarding can be supported by firewall rules. In the above example this would be the case if each of the networks were to support a public web or mail server, all of which use the same IP address. 11.6.2 Defining networks and assigning interfaces: When defining a network, the first setting is for the IP address range which is to be valid for a certain local interface on the BAT Router. Local interfaces are logical interfaces which are assigned either to a physical Ethernet port (LAN) or a wireless port (WLAN). To realize the scenarios outlined above, it is possible for several networks to be active on one interface. Conversely, a network can also be active on multiple interface
40. connections. The distance values entered are propagated as follows: All networks which can be reached while a connection exists to a destination network are propagated with a distance of 1. All non-connected networks are propagated with the distance entered in the routing table, but with a minimum distance of 2, as long as a free transmitting channel is still available. The remaining networks are propagated with a distance of 16 (unreachable) if there are no longer any channels available. Remote stations connected using proxy ARP are an exception to this: these proxy hosts are not propagated at all. Masquerading: Use the Masquerade option in the routing table to inform the router which IP addresses to use when transferring packets from local networks. For further information see the section IP masquerading (page 369). 11.2.2 Policy-based routing: Policy-based routing does not rely exclusively upon the destination IP address to define the destination route, meaning the remote device that is to be used to transfer the data. Further information can be used for the selection of the destination route, such as the service or the protocol used, sender addresses or the destination of the data packets. Policy-based routing can be used to achieve a significantly finer-grained routing behavior, such as in the following application scenari
41. > Interfaces > WLAN > Interfaces > Operation Settings. Terminal/Telnet: cd /Setup/Interfaces/WLAN/Interfaces/Operation-Settings. Radio settings. Frequency band, Subband: When selecting the frequency band on the Radio tab under the physical interface settings, you decide whether the WLAN card operates in the 2.4 GHz or in the 5 GHz band (also see Standardized radio transmission by IEEE, page 21), and thus the available radio channels. In the 5 GHz band a subband can also be selected, which is linked to certain radio channels and maximum transmission powers. Note: In some countries the use of the DFS method for automatic channel selection is a legal requirement. Selecting the subband also defines the radio channels that can be used for the automatic channel selection. Channel number: Automatic selection of 5 GHz WLAN channels over DFS with a blacklist and whitelist. To avoid, for instance, disturbances through radar units and to achieve an even distribution of the WLAN devices on the frequency band, the DFS method (dynamic frequency selection) selects a channel automatically. After switching on or booting, the device randomly selects one channel out of a number of available channels (e.g. according to the country settings) and checks whether radar signals or other wireless LANs are already working on this channel. This scanning procedure is repeated until a channel without radar signals and with as few networks as
42. method, the first data packet is transmitted unencrypted and must be sent back by the client correctly encrypted. This method presents potential attackers with at least one data packet that is unencrypted. Default key: If WEP encryption is selected, the access point can select from four different WEP keys for each logical WLAN interface: three WEP keys for the physical interface, and an additional WEP key particular to each logical WLAN interface. The private WEP settings are used to set the additional key for each logical WLAN interface (see Key 1/passphrase). You should also select which of the four keys is currently to be used for the encryption of the data (default key). This setting can be used to change the key frequently, so increasing security. Rules for the entry of the keys can be found in the description of the WEP group key (Rules for entering WEP keys, page 62). Configuration with LANconfig: For configuration with LANconfig you will find the private WEP settings under the configuration area WLAN Security on the 802.11i/WEP tab. [LANconfig: Configure > WLAN Security, tabs General, Stations, Protocols, 802.11i/WEP, IEEE 802.1X; section 802.11i/WPA-AES / Wired Equivalent Privacy.] You should select 802.11i (Enhanced Security with Advanced Encryption Standard, WPA-AES) or at least Wired Equivalent Privacy (WEP) so that all inf
43. per minute. [LANconfig QoS rule dialog: fragmentation of other packets, maximum packet size in bytes, reduction of PMTU.] The option "Action only for default route" limits the rule to those packets which are sent or received via the default route. The option "Action only for VPN route" limits the rule to those packets which are sent or received via a VPN tunnel. The option "Forced" defines a static reservation of bandwidth; bandwidth reserved in this way cannot be used for any other connections, even while the preferred connection is inactive. The option "Per connection" resp. "Globally" specifies whether the minimum bandwidth set here is valid for each single connection corresponding to this rule (per connection), or whether this should be the upper limit for the sum of all connections together (globally). As for other Firewall rules, the index cards Stations and Services determine for which stations in the LAN/WAN and for which protocols this rule applies. WEBconfig/Telnet: For configuration with WEBconfig or Telnet, the minimum resp. maximum bandwidths are entered into a new Firewall rule at the following places: WEBconfig: Setup > IP router > Firewall > Rule list; Telnet: Setup/IP router/Firewall/Rule list. A required minimum bandwidth is introduced by Q. Here it is implicitly assumed that th
44. set DSL-Broadband-Peers; set Dialup-Peers. 11.3 Configuration of remote stations: For the remote stations the following parameters are required. Peer list (DSL): Name: With this name the remote stations are identified in the router modules. As soon as the router module has detected the remote station using the IP address of the destination, the connection parameters are looked up in the peer list. Short hold: This time indicates how long the connection is kept if no data is being transmitted anymore. If zero is entered, the connection does not terminate automatically. If 9999 seconds are entered, a broken-off connection is rebuilt automatically (see Extended connection for flat rates (Keep-alive), page 440). Access concentrator: The Access concentrator (AC) is a server which can be accessed by the remote station. If several ADSL providers are listed, select the provider that is responsible for the remote station using the name of the AC. The value for the AC is advised to you by your provider. If no value is entered for the AC, every AC is accepted that provides the demanded service. Service: Enter the service you would like to use from your provider. The service can be e.g. Internet surfing or even video downstream. The value for the service is advised to you by your provider. If no value is entered, every service is accepted tha
45. Internet NTP server. The BAT can then provide the time to all stations in the local network. When defining the time server, the name or IP address of the NTP server being queried by the BAT Router can be entered, as well as loopback addresses. [LANconfig time server entry: Name or address ptbtime1.ptb.de, Source IP address LOOPBACK-1.] Configuration tool / Menu / Table: LANconfig: Date & time > Synchronization > Time server; WEBconfig, Telnet: Expert configuration > Setup > NTP > RQ-address. Name or address: Name or IP address of the NTP server. The BAT Router attempts to reach the servers in the order that they are entered. Maximum 5 entries. Loopback address: Sender address sent with the NTP request; this is also the destination for the NTP answer. The following can be entered as the loopback address: name of a defined IP network; INT for the IP address in the first network with the setting Intranet; DMZ for the IP address in the first network with the setting DMZ (Note: If the list of IP networks or loopback addresses contains an entry named DMZ, then the associated IP address will be used); name of a loopback address; any other IP address. 4.9.3 Loopback addresses for SYSLOG clients: The SYSLOG module enables the logging of accesses to the BAT Router. SYSLOG clients are set up to be able to receive the SYSLOG mes
46. the logical destination address of a packet which next network component should transmit the packet; knows the overall topology of the network. 13.5 Glossary (continued). SDSL: Single Line Digital Subscriber Line; downstream and upstream with 2.048 Mbit/s; two-strand wire. Server: Computer which provides services over the network, e.g. files, news, e-mail, WWW pages. SINA: Secure Inter-Network Architecture. SMTP: Simple Mail Transfer Protocol; the SMTP protocol is the Internet standard for distribution of electronic mail; the protocol is based on the TCP protocol. SNMPv3: Simple Network Management Protocol Version 3. SSID: Service Set Identity; network name of the wireless LAN. SSL: Secure Socket Layer. Splitter: The splitter is comparable with an audio-frequency filter; in an ADSL connection the splitter separates the ISDN signals from the DSL signals; the ISDN signals go to the NTBA and the DSL signals go to the DSL modem. Switch: A central distributor in a star-shaped network; each station has the entire bandwidth available; if a station fails, the rest of the network is not affected; is used for collision prevention; increases the overall throughput of the network; switches are cascadable. TAE: Telephone connection unit used in Germany; plug for the connection of analog devices like a telephone or modem into the telephone net
47. tunnel over IP nets to a remote station. A tunnel is a logical shielded connection that protects the transferred data from unauthorized access. For this purpose the encryption algorithm RC4 is used. Configuration of PPTP: As soon as the Internet access over PPTP is selected, the BAT requests all needed PPTP parameters with the Internet Access Wizard. In addition to the entries for PPPoE access, the IP address of the gateway must be specified. A PPTP gateway is often a DSL modem; detailed information is available from your DSL provider. The PPTP list for editing the configuration can be reached as follows: LANconfig: Communication > Protocols > PPTP list; WEBconfig: Expert Configuration > Setup > WAN > PPTP Peers; Terminal/Telnet: cd /Setup/WAN; set PPTP-Peers. The PPTP configuration consists of three parameters: Remote site: the entry from the DSL Broadband Peers list. IP address: IP address of the PPTP gateway, often the address of the DSL modem. Port: IP port the PPTP protocol runs on; for conformity with the protocol standard enter the port 1723. 11.12 Extended connection for flat rates (Keep-alive): The term flat rate is used to refer to all-inclusive connection rates that are not billed according to connection times but instead as a flat fee for fi
48. using an SNMP trap. Using this error message, the corresponding parameter in the configuration can be checked and changed if necessary. Thus it is always necessary to verify the error messages on both sides.
Message | Initiator | Responder | Meaning
License exceeded, no more VPN channels available | x | X | The maximum number of possible VPN tunnels has been reached (IKE).
No route to remote gateway | X | X | The route to the remote gateway could not be found. Please check the public IP address or the DynDNS name of the remote device.
Dynamic VPN: no PPP table entry matched | X | | In dynamic VPN the outgoing call could not be authenticated with the PPP data sent. Please check the PPP username and PPP password on both sides under Configure > Communication > Protocols > PPP list > Remote site.
Dynamic VPN: no PPP table entry matched | | X | The incoming call cannot be authenticated with the PPP data received. Please check the PPP username and PPP password on both sides under Configure > Communication > Protocols > PPP list > Remote site.
IKE or IPSec establishment timeout | X | X | A time limit was reached. The router on the remote side is no longer responding. Please check the VPN error message in the LANmonitor on the remote device.
Line polling to remote gateway failed | | | The LCP polling failed. Please check on the remote device whether ping blocking is enabled in the firewall menu under Conf
49. we will be introducing the functions of the devices associated with PPP here in a separate section.

11.10.1 The protocol

What is PPP?

The Point-to-Point Protocol was developed specifically for network connections via serial channels and has established itself as the standard for connections between routers. It implements the following functions:
- Password protection according to PAP, CHAP or MS-CHAP
- Callback functions
- Negotiation of the network protocol to be used over the established connection (IP or IPX, for example). Included in this are any parameters necessary for these protocols, for example IP addresses. This process is carried out using IPCP (IP Control Protocol).
- Negotiation of the connection parameters, e.g. the MTU (Maximum Transmission Unit); see "Manual definition of the MTU", page 453
- Verification of the connection through the LCP (Link Control Protocol)
- Combining several ISDN or DSL channels (MultiLink PPP resp. MultiLink PPPoE)

PPP is the standard used by router connections for communication between devices or the WAN connection software of different manufacturers. Connection parameters are negotiated and a common denominator is agreed using standardized control protocols (e.g. LCP, IPCP, CCP) which are contained in PPP, in order to ensure successful data transfer where possible.

What is PPP used for?
50. which react in fact to the classical variant (sender address = destination address) but which let the new form pass through without hindrance. This variant is also recognized and blocked by a BAT.

Ping of Death

The Ping of Death belongs to those attacks which exploit errors made when fragmented packets are reassembled. This functions as follows:

In the IP header there is a field "fragment offset" that indicates at which place the received fragment is to be assembled into the resulting IP packet. This field is 13 bits long, gives the offset in 8-byte steps, and can therefore express an offset from 0 to 65528. With an MTU on the Ethernet of 1500 bytes, an IP packet can thus be made up to 65528 + 1500 - 20 = 67008 bytes. This can lead to an overrun of internal counters or to buffer overruns, and thus it can give the aggressor the possibility of executing own code on the victim workstation.

In this case the Firewall offers two possibilities: either the Firewall reassembles the entire incoming packet and examines its integrity, or solely the fragment which goes beyond the maximum packet size is rejected. In the first case the Firewall itself can become the victim if its implementation is incorrect. In the second case half-reassembled packets accumulate at the victim, which are only rejected after a certain time, whereby a new Denial of Service attack can result if the mem
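As an added illustration (not code from the manual), the following Python check parses the fragment offset and total length from an IPv4 header and rejects any fragment whose reassembled end would pass the 65535-byte limit, i.e. the second of the two firewall strategies described above. The packet bytes, addresses and helper names are constructed for this example.

```python
"""Fragment-offset sanity check of the kind the manual describes for the Ping of Death.

Added example, not code from the Hirschmann manual. It reproduces the arithmetic
from the text: a 13-bit offset in 8-byte steps (max 65528) plus a full Ethernet
payload (1500 - 20 = 1480 bytes) ends at 67008 bytes, beyond the 65535-byte limit.
"""
import struct

IP_MAX_LEN = 65535                      # maximum length of a reassembled IPv4 packet
FRAG_UNIT = 8                           # fragment offset is counted in 8-byte steps
MAX_OFFSET = (2 ** 13 - 1) * FRAG_UNIT  # 65528, as stated in the text


def parse_fragment(packet: bytes) -> dict:
    """Return total length, MF flag, byte offset and payload length of an IPv4 fragment."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, flags_frag = struct.unpack("!BBHHH", packet[:8])
    ihl = (ver_ihl & 0x0F) * 4
    if (ver_ihl >> 4) != 4 or ihl < 20:
        raise ValueError("not an IPv4 header")
    return {
        "total_len": total_len,
        "mf": bool(flags_frag & 0x2000),          # "more fragments" flag
        "offset": (flags_frag & 0x1FFF) * FRAG_UNIT,
        "payload_len": total_len - ihl,
    }


def fragment_is_acceptable(packet: bytes) -> bool:
    """Reject a fragment whose data would land beyond the 65535-byte packet limit.

    Nothing is reassembled here, so the checking device cannot itself overrun a
    buffer; the trade-off the manual points out is that half-reassembled packets
    still accumulate at the receiver until they time out.
    """
    f = parse_fragment(packet)
    return f["offset"] + f["payload_len"] <= IP_MAX_LEN


def make_fragment(offset: int, payload_len: int, more: bool = False) -> bytes:
    """Build a minimal (checksum-less) IPv4 header plus dummy payload; constructed test data."""
    if offset % FRAG_UNIT or offset > MAX_OFFSET:
        raise ValueError("offset must be a multiple of 8 and at most 65528")
    flags_frag = (0x2000 if more else 0) | (offset // FRAG_UNIT)
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + payload_len, 0x1234, flags_frag,
        64, 1, 0,                       # TTL, protocol ICMP, checksum left zero
        b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02",   # constructed 10.0.0.1 -> 10.0.0.2
    )
    return header + b"\x00" * payload_len


if __name__ == "__main__":
    last_ok = make_fragment(65528, 7)        # ends exactly at 65535: accepted
    overlong = make_fragment(65528, 1480)    # ends at 67008, the manual's number: rejected
    print(fragment_is_acceptable(last_ok), fragment_is_acceptable(overlong))
```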
51. TCP Stealth mode

Apart from ICMP messages, the behavior in the case of TCP and UDP connections also gives information on the existence or non-existence of the addressed workstation. Depending on the surrounding network it can be useful to simply drop TCP and UDP packets instead of answering with a TCP RESET resp. an ICMP message "port unreachable" if no listener for the respective port exists. The desired behavior can be adjusted in the BAT.

Note: If ports without a listener are hidden, this creates a problem on masked connections, since the authenticate resp. ident service no longer functions properly resp. no longer rejects correctly. The appropriate port can therefore be treated separately (see "Mask authentication port", page 267).

Possible settings are:
- Off: All ports are closed and TCP packets are answered with a TCP reset.
- Always: All ports are hidden and TCP packets are silently discarded.
- WAN only: On the WAN side all ports are hidden, on the LAN side they are closed.
- Default route only: Ports are hidden on the default route (usually the Internet) and closed on all other routes.

Mask authentication port

When TCP or UDP ports are hidden, inquiries of mail servers to authenticate users can no longer be answered correctly. Inquiries of the servers run into a timeout and delivery of mails will be considerably delayed. Also when the TCP Stealth mode is activated, the Firewall detects the
52. Default: 30

Holddown interval

The holddown interval defines how many update intervals pass before a route from router A which is no longer being propagated is replaced by an inferior route from router B. Until the holddown interval expires, the BAT will only accept a route from the same router that propagated the original route. Within this time period the BAT only accepts a route from another router if it is better than the former route.
Possible values: 0 to 99, as multiples of the update interval
Default: 4

Invalidate interval

The invalidate interval defines the number of update intervals before a route is marked as invalid (unavailable) when it stops being propagated by the router that originally reported it. If the BAT learns of an equivalent or better route from another router within this time period, then this will be used instead.
Possible values: 0 to 99, as multiples of the update interval
Default: 6

Flush interval

If a route in a router is not updated before the flush interval expires, then the route is deleted from the dynamic routing table.
Possible values: 0 to 99, as multiples of the update interval
Default: 10

Note: Please note that changes to the timing may accelerate route propagation, but network load will increase at the same time.

Triggered update in the LAN

With a triggered update, changes to the metrics are immediately reported to the
53. 1 to LAN 3 and all WLANs to a bridge group and assigning the intranet to this group, the network for the DMZ (LAN 4) can be kept separate from the intranet. Bridge groups are only available on devices with a WLAN module.

To bond several networks to one logical interface, the corresponding number of entries is added with different network names and different IP addresses or netmasks, and all of these are assigned to the same interface.

Note: Loopback addresses are not defined in the IP networks table but in a separate table instead (see "Named loopback addresses", page 159). The routing tag defined at the same time controls which networks can see the loopback address.

Source check

This option determines how to react to a packet received over this interface:
- Loose: All source addresses are accepted if the BAT Router itself is being addressed; no return route has to be available.
- Strict: A return route has to be explicitly available, otherwise an IDS alarm is triggered.

Interface tag

All packets received at the interface are marked with this interface tag. This tag enables the separation of routes which are valid for this network, even without explicit firewall rules. This tag also has an influence on the routes propagated by RIP and on the hosts and groups visible to the NetBIOS proxy. The interface tag also influences automatic VPN rule generation: if a routing tag is defined for a VPN route, then automatic VPN rules are only ge
54. 14 | 2.4.2004 11:43:59 | 10.1.1.141 to 10.1.255.255 | 17 (UDP), 137 to 137 | intruder.de, Immediately | Packet dropped, SYSLOG sent
15 | 2.4.2004 11:42:13 | 10.1.1.111 to 224.0.0.9 | 17 (UDP), 520 to 520 | intruder.de, Immediately | Packet dropped, SYSLOG sent

The columns contain: time; source and destination address; protocol with source and destination port; activated filter rule and exceeded limit; action carried out.

5.7 LANmonitor: know what's going on

The LANmonitor includes a monitoring tool with which you can view, on your monitor and at any time under Windows operating systems, the most important information on the status of all of the BAT routers in the network. Many of the internal messages generated by the devices are converted to plain text, thereby helping you to troubleshoot.

Note: Explanations about the LANmonitor messages and helpful tips can be found in the appendix under "Error messages in LANmonitor", page 519.

You can also use LANmonitor to monitor the traffic on the router's various interfaces, to collect important information on the settings you can use to optimize data traffic. In addition to the device statistics that can also be read out during a Telnet or terminal session or using WEBconfig, a variety of other useful functions are also available in LANmonitor, such as the enabling of an additional charge limit.
55. [LANmonitor trace output: several lines of the form "UDP packet from 192.168.2.113:1901 to 239.255.255.250:1900 Packe..."]

[Screenshot: LANmonitor system information panel with device type, firmware version, serial number, MAC address, date and time, system up time, CPU type, CPU clock, CPU load, total and free memory, WLAN card, WAN interfaces (DSL, ISDN), total charge and total online time]

5.7.3 Monitor Internet connection

To demonstrate the functions of LANmonitor, we will first show you the types of information LANmonitor provides about connections being established to your Internet provider.

To start LANmonitor, go to Start > Programme > Hirschmann > BAT > Hirschmann LANmonitor. Use File > Add Device to set up a new device and, in the following window, enter the IP address of the router that you would like to monitor. If the configuration of the device is protected by a password, enter the password too.

Alternatively, you can select the device in LANconfig and monitor it using Device > Monitor Device.
56. 2

Default tag

The column "Default tag" lists the valid default routing tag for the WAN connection. All untagged routes are tagged with this tag when sent on the WAN.

Routing tags list

The column "Routing tags list" details a comma-separated list of the tags that are accepted on the interface. If this list is empty, then all tags are accepted. If at least one tag is in the list, then only the tags in this list are accepted. When sending tagged routes on the WAN, only routes with valid tags are propagated. All learned routes from the WAN are treated internally as untagged routes and propagated on the LAN with the default tag 0. In the WAN they are propagated with the tag with which they were learned.

Configuration with LANconfig

The WAN RIP table can be found in LANconfig in the configuration area "IP router" on the "General" tab.

[Screenshot: WAN RIP, New Entry dialog: Remote site DEFAULT; RIP type RIP-1; Accept RIP from WAN; Masquerade On; Default routing tag 0; Routing tag list 1,2]

Configuration with WEBconfig, Telnet or SSH

Under WEBconfig, Telnet or an SSH client you will find the WAN RIP table under the following paths:

Configuration tool: Menu/Table
WEBconfig: Expert Configuration > Setup > IP router > RIP > WAN sites
Terminal/Telnet: Setup > IP router > RIP > WAN sites

11.17 Th
57. 3 5 11

Virtual LANs enable this task to be performed in a very smart way. Also, when departments or companies move within the building at a later time, the network structure can be easily adjusted.

All network users in this example use the central Ethernet, which, like the connected devices, is supervised by a service provider. Company A has three departments on two floors. The sales department can communicate with the administration department via VLAN ID 3, the accounts department with the administration via VLAN ID 5. The networks of the accounts department and sales do not see each other. Company B is also shielded by VLAN ID 11 against all other networks; only the service provider can access all devices for maintenance purposes.

10.3 Configuration of VLANs

Note: VLAN technology functions are presently only supported by BAT Router devices.

The configuration of BAT Router devices within the VLAN realm has to perform two important tasks:
- Defining virtual LANs and assigning them a name, a VLAN ID and the affected interfaces
- Defining for the interfaces how to proceed with data packets with or without VLAN tags

10.3.1 The network table

In the network table those virtual LANs are defined in which the BAT should participate. The table contains 32 entries at maximum, with the following information:

Name: The VLAN name serves only as a desc
58. 4.4.3 Telnet
4.4.4 TFTP
4.4.5 SNMP
4.4.6 Encrypted configuration with SSH access
4.4.7 SSH authentication
4.5 Working with configuration files
4.6 New firmware with Hirschmann FirmSafe
4.6.1 This is how Hirschmann FirmSafe works
4.6.2 How to load new software
4.7 How to reset the device
4.8 Managing administrators' rights
4.8.1 Rights for the administrators
4.8.2 Administrators' access via TFTP and SNMP
4.8.3 Configuration of user rights
4.8.4 Limitation of the configuration commands
4.8.5 HTTP tunnel
4.9 Named loopback addresses
4.9.1 Loopback addresses with ICMP polling
4.9.2 Loopback addresses for time servers
4.9.3 Loopback addresses for SYSLOG clients
5 LANtools: network management
5.1 Switch UI language
5.2 Project management with LANconfig
5.2.1 User-specific settings for LANconfig
5.2.2 Directory structure
5.2.3 Multithreading
5.2.4 Better overview in LANconfig with more columns
5.2.5 Manual and automatic searches for firmware updates
5.2.6 Password protection for SNMP read-only access
5.2.7 Device-specific settings for communications protocols
5.2.8 LANconfig behavior at Windows startup
5.3 Scripting
5.3.1 Applications
5.3.2 Scripting function
5.3.3 Generating script files
5.3.4 Uploading configuration commands and script files
5.3.5 Multiple parall
59. [Screenshot: LANconfig filter rule dialog with destination MAC 00:00:00:00:00:00, protocol 6 entries, and the "Limit per connection" settings for actions after exceeding a limit on transmitted or received kilobits]

Under WEBconfig the filter list has the following structure (Expert Configuration > Status > IP router statistics > Filter list):

Idx | Prot | Src MAC | Src address | Src netmask | S-st | S-end | Dst MAC | Dst address | Dst netmask | D-st
0001 | 6 | 000000000000 | 192.168.2.0 | 255.255.255.0 | 0 | 0 | 000000000000 | 0.0.0.0 | 0.0.0.0 | 995
0002 | 6 | 000000000000 | 192.168.2.0 | 255.255.255.0 | 0 | 0 | 000000000000 | 0.0.0.0 | 0.0.0.0 | 143
0003 | 6 | 000000000000 | 192.168.2.0 | 255.255.255.0 | 0 | 0 | 000000000000 | 0.0.0.0 | 0.0.0.0 | 119
0004 | 6 | 000000000000 | 192.168.2.0 | 255.255.255.0 | 0 | 0 | 000000000000 | 0.0.0.0 | 0.0.0.0 | 110
0005 | 6 | 000000000000 | 192.168.2.0 | 255.255.255.0 | 0 | 0 | 000000000000 | 0.0.0.0 | 0.0.0.0 | 25
0006 | 6 | 000000000000 | 192.168.2.0 | 255.255.255.0 | 0 | 0 | 000000000000 | 0.0.0.0 | 0.0.0.0 | 21

The individual fields in the filter list have the following meaning:

Entry | Description
Idx | Current index
Prot | Protocol to be filtered, e.g. 6 for TCP or 17 for UDP
Src MAC | Ethernet source address of the packet to be filtered, or 000000000000 if the filter should apply to all packets
Src address | Source IP address, or 0.0.0.0 if the filter should apply to all packets
Src netmask | Source network mask, which determines the source network together with the source IP address
60. 4 RADIUS server parameters

For the configuration of the RADIUS server, the clients which are permitted to access the RADIUS server are defined, including password, as is the UDP port which the clients can use to communicate with the RADIUS server. The authentication port applies globally for all clients.

Configuration tool: Call
WEBconfig/Telnet: Expert configuration > Setup > Radius > Server

Global settings for the RADIUS server

Authentication port (default: 0): Specify here the port used by the authenticators to communicate with the RADIUS server in the BAT access point. Port 1812 is normally used. Port 0 disables the RADIUS server.

Default realm: This realm is used if the user name is supplied with an unknown realm that is not in the list of forwarding servers.

Empty realm: This realm is used when the user name supplied does not contain a realm.

RADIUS clients

The client table can contain up to 16 clients that can communicate with the RADIUS server.

IP address: Enter the IP address of the client that may communicate with the RADIUS server in the BAT access point.

Secret: Password required by the client for access to the RADIUS server in the BAT access point.

Note: In addition to the configuration of the RADIUS server, the user information source must also be defined.

12.10 Extensions to the RADIUS server

RADIUS user

Up to 64 users can be enter
61. 3.4 Configuration of WLAN parameters

Authentication with EAP/802.1X for BAT Wireless Router in client mode

In WLAN client operation mode the BAT Wireless Router can authenticate to another access point using EAP/802.1X. To activate the EAP/802.1X authentication in client mode, the client EAP method is selected as the encryption method for the first logical WLAN network.

[Screenshot: WPA or Private WEP settings, Edit Entry dialog for Wireless Network 1: Encryption activated; Method/Key 1 length WEP 128 (104 bit); Key 1/passphrase; WPA session key type; WPA version; Authentication: open system (recommended); Default key: key 1; Client EAP method: TLS]

Configuration tool: Call
LANconfig: Wireless LAN > 802.11i/WEP > WPA or private WEP settings > Wireless network 1
WEBconfig/Telnet: Expert configuration > Setup > Interfaces > WLAN > Encryption > WLAN 1

Client EAP method: Select the desired client EAP method here. Please observe that the selected client EAP method must match the settings on the access point that the BAT Wireless Router is attempting to log onto. The following values are available: TLS, TTLS/PAP, TTLS/CHAP, TTLS/MSCHAP, TTLS/MSCHAPv2, TTLS/MD5, PEAP/MSCHAPv2.

Note: In addition to setting t
62. DSL

11.8.4 Static load balancing

Apart from the dynamic choice of connection outlined in the previous section, there are possible scenarios where certain TCP connections should always make use of the same DSL connection. Two cases are to be considered here:
- A server with a fixed IP address can only be contacted via a dedicated connection. All that is required for the selection here is the destination IP address.
- A server uses a protocol that requires a control channel and other channels for data transfer (e.g. FTP, H.323, PPTP). In establishing the data channels, servers accept only the same IP address as that used by the control channel.

Destination-based channel selection

Destination-based channel selection is handled by an entry in the routing table that directly uses one of the bundle connections to reach the destination instead of using the virtual balancing connection.

Policy-based routing

Suitable entries can be made in the firewall to select channels according to the destination port or the source address. These entries are supplemented with a special routing tag that is used to control the channel selection with the routing table (see "Policy-based routing", page 358).

11.8.5 Configuration of load balancing

Note: For the following configurations we assume that the remote devices are already set up with all necessary access
63. DSL connections (bundle connections). Depending on the number of available DSL ports, several bundle connections can be assigned to one balancing connection.

Note: The balancing connection is entered as a virtual connection. No access data or similar has to be entered for this connection. The entry merely serves as a distributor which uses the load balancing table to assign several real bundled connections to an entry in the routing table.

Note: DSL bundling is a static bundling. Additional channels are not opened or closed according to the demand from data transfer volumes.

With load balancing, decisions about the routing of data packets can no longer be made simply based on the IP addresses, because the individual bundled DSL connections all have different IP addresses. Thus load balancing also considers the information in the firewall connection list. This list has an entry for every established TCP connection, and for load balancing the list is supplemented with information about the DSL port used.

Connection establishment

A request for data transmission to a balancing remote station initially prompts the first bundle connection from the load balancing table to be established. Further progress depends upon the success of this connection establishment. If the connection is successfully established, the first step is the assign
64. Data

Setting the entry to 0 means that any number of clients can register at this interface via DHCP. If the maximum number of DHCP clients is exceeded by a further attempt to register, the oldest entry in the list is deleted.

When checking data packets, the IP addresses and the IP network mask defined in the rule are not used. Consequently, no check is made as to whether the destination IP address of the packet lies within the range specified. Instead, a check is made as to whether the source IP address of the packet matches the IP address assigned to the client via DHCP. The connection between the two IP addresses is made based on the source MAC address.

This check can be used to block clients which have received an IP address via DHCP but which actually use a different IP address, either intentionally or inadvertently. A rule in which the "DHCP Source MAC" parameter is set to "Yes" would not apply, since the two addresses do not match. The packet would instead be processed either by other rules or by the default rule.

In order for DHCP tracking to work, at least two more rules must be set up for this interface, rules which are not dependent on DHCP tracking. This is necessary since the required DHCP information is not exchanged until the end of the DHCP handshake. This is why packets due to be sent beforehand must be allowed by rules which do not use DHCP tracking. These usually include TCP/UDP packets on ports 67 and 68, and ARP packets.

Note: I
65. [Screenshot: Intranet settings with IP address 192.168.1.0 and Intranet netmask]

Configuration with WEBconfig, Telnet or SSH

Under WEBconfig, Telnet or an SSH client you will find the settings for activating the DMZ and Intranet address check under the following paths:

Configuration tool: Menu/Table
WEBconfig: Expert configuration > Setup > TCP-IP
Terminal/Telnet: Setup > TCP-IP

11.6 Advanced Routing and Forwarding

11.6.1 Introduction

Up until LCOS version 6.30, BAT Routers supported two local networks only: the intranet and the DMZ. For some applications, however, it may be desirable to realize more than one intranet and one DMZ with a BAT Router, for example to provide multiple IP networks with Internet access via a central router. As of LCOS version 7.00, BAT Routers support up to 64 different IP networks, depending on the model.

Various scenarios are possible when realizing multiple IP networks:
- One network per interface
- Multiple networks per interface
- Multiple VLANs per interface, one or more networks per VLAN (which corresponds to a combination of the first two scenarios)

The realization of these scenarios is facilitated by Advanced Routing and Forwarding (ARF), which provides very flexible options in the definition of IP networks and the assignment of these networks to the interfaces. The diagram below illustrates the network interface
66. [Screenshot: Messaging entry dialog: Entry active; Name VPN Site; Remote site VPN Site; Lock time (seconds); Condition Broken; Action mailto:admin@mycompany.com?subject=VPN connection broken at %t?body=VPN connection to Subsidiary 1 was broken; Result Check]

Select the remote site for the relevant connection. As Condition select "Broken" and enter the action as the transmission of an e-mail: mailto:admin@mycompany.com?subject=VPN connection broken at %t?body=VPN connection to Subsidiary 1 was broken. If the connection is broken, this action sends an e-mail to the administrator with the time of the event in the subject line.

Note: If the mail is sent to an appropriate Mail2SMS gateway, the alert can be sent directly to a mobile telephone.

Note: For complex scenarios with several subsidiaries, each of the remote sites is given a corresponding entry in the central BAT. For monitoring the central device itself, an action is entered into a device at one of the subsidiaries. In this way the administrator receives an alert even if the VPN gateway at the central location fails, which could otherwise prevent any messages from being transmitted.

5.9 Messaging

Suppress messaging in case of re-connects with a DSL connection

Some providers interrupt the DSL connection used for the VPN connections once every 24 hours. To avoid informing the administrator of th
67. In order to prevent attacks from a compromised server on the local network, some BAT devices provide a dedicated DMZ interface or are able to separate their LAN ports at the Ethernet level by hardware.

Two local networks: operating servers in a DMZ

This feature requires Internet access with multiple static IP addresses. Please contact your ISP for an appropriate offer.

Example: You are assigned the IP network address 123.45.67.0 with the netmask 255.255.255.248 by your provider. Then you can assign the IP addresses as follows:

DMZ IP address | Meaning/use
123.45.67.0 | network address
123.45.67.1 | BAT as a gateway for the Intranet
123.45.67.2 | Device in the LAN which is to receive unmasked access to the Internet, e.g. a web server connected at the DMZ port
123.45.67.3 | broadcast address

All computers and devices in the Intranet have no public IP address and therefore appear with the IP address of the BAT (123.45.67.1) on the Internet.

Separation of Intranet and DMZ

Note: Although Intranet and DMZ may already be separated at the Ethernet level by distinct interfaces, appropriate Firewall rules must be set up in any case so that the DMZ is separated from the LAN at the IP level as well. The server service shall be available from the Internet and from the Intranet, but any IP traffic from the DMZ towards the Intranet must be prohibited. For the above example this reads as follows: with an Allow-All
68. 5.2 Project management with LANconfig

Configuration of the global communication settings

When setting up the communications protocols, one must differentiate between the protocol that is used solely for checking the device and the protocols used for other operations, such as a firmware upload.

[Screenshot: LANconfig Options dialog, Communication tab: "Always clear ARP cache before IP communication"; Protocols HTTPS, HTTP, TFTP; "Prefer check via TFTP (faster)"]

Configuration tool: Call
LANconfig: Tools > Options > Communication

HTTPS, HTTP, TFTP: When this is selected, the individual protocols are enabled for the operations firmware upload, configuration upload/download and script upload/download. In these operations LANconfig attempts to use these protocols in the order HTTPS, HTTP and TFTP. If the transfer fails when using a selected protocol, then the next protocol is automatically attempted.

Prefer check via TFTP: When checking the devices, only small amounts of data are transferred with the system information. As such, device checks can be performed using the TFTP protocol, particularly in the LAN. When this option is activated, the TFTP protocol is used to check the device first, regardless of the previously set communications protocols. If the check via TFTP fails, then the protocols HTTPS, HTTP and TFTP are attempted in that order.

Caution: The device-specific s
69. PPP clients are not authenticated using RADIUS. They are checked exclusively using the PPP list.

Enabled: RADIUS authentication for PPP clients is enabled. User data supplied by clients is first checked using the PPP list. If no matching entry is found in the PPP list, the client is checked by the RADIUS server. Authentication is successful if the PPP list check or the RADIUS server check returns as positive.

Exclusive: RADIUS authentication for PPP clients is enabled. User data supplied by clients is checked exclusively by the RADIUS server. In this mode only the advanced settings of the PPP list for the user are interpreted, e.g. the check for PAP/CHAP or the allowed protocols (IP, IPX and/or NetBIOS).

CLIP mode (default: disabled)

A RADIUS server may be used for control of a return call when dialing in using PPP.

Disabled: The return call function is not controlled by RADIUS. Only the entries in the name list are used.

Enabled: The RADIUS function for the return call is enabled. Telephone numbers reported by clients are first checked using the name list. If no matching entry is found in the name list, the telephone number is checked by the RADIUS server. If the name list check or the RADIUS server check returns as positive, a return call can be established.

Note: If the telephone number communicated is in the name list but no return call is active there, RADIUS ceases checking.

Exclusive: The RADIUS function for the return call
70. PPP list

You can specify a custom definition of the PPP negotiation for each of the remote sites that contact your net.

Configuration tool: List
LANconfig: Communication > Protocols > PPP list
WEBconfig: Expert Configuration > Setup > WAN > PPP list
Terminal/Telnet: cd Setup/WAN, set PPP list

The PPP list may have up to 64 entries and contains the following values. In this column of the PPP list enter the following values:

Remote site (device name): Name the remote site uses to identify itself to your router.

User name: The name with which your router logs onto the remote site. The device name of your router is used if nothing is specified here.

Password: Password transferred by your router to the remote site if demanded. An asterisk in the list indicates that an entry is present.

Auth: Security method used on the PPP connection: PAP, CHAP or none. Your own router demands that the remote site observes this procedure, not the other way round. This means that PAP/CHAP security is not useful when connecting to Internet service providers who may not wish to provide a password. Select "none" as the security attribute for connections such as these.

11.11 DSL connection with PPTP

In this column of the PPP list enter the following values:

Time: Time between two checks of the con
71. Password>

4.8 Managing administrators' rights

Access with TFTP

In TFTP the user name and password are coded in the source (TFTP read request) or target (TFTP write request) file names. The file name is either made up of the master password and the command to be executed, or of the combined user name and password separated by a colon, plus the command as a suffix. Thus a command sent by TFTP resembles the following:

<Master password><Command>
or
<Username>:<Password><Command>

Examples: the BAT has the address mybat.intern, the master password is RootPwd, and a user has been set up named LocalAdmin with the password Admin.

Read the configuration from the device (supervisor only):
tftp mybat.intern GET RootPwdreadconfig mybat.lcf

Write the configuration to the device (supervisor only):
tftp mybat.intern PUT mybat.lcf RootPwdwriteconfig

Read out the device MIB for the local administrator:
tftp mybat.intern GET localadmin:Adminreadmib mybat.mib

For the menus and available commands, the same limitations on rights apply as with Telnet.

Access with SNMP management systems

For the administration of networks with the help of SNMP tools such as HP OpenView, the various levels of administrator access can be used for the precise control of rights. Under SNMP, user name and password are coded in the communi
72. HIRSCHMANN, A Belden Company. User Manual, Configuration: Dualband Industrial Wireless LAN Access Point/Client BAT54 Rail, BAT54 Rail FCC, BAT54 F, BAT54 F FCC, BAT54 F X2, BAT54 F X2 FCC, BAT54 Rail F. Technical Support: HAC.Support@hirschmann.de. Release 7.54 06/08. Windows, Windows Vista, Windows XP and Microsoft are registered trademarks of Microsoft Corp. LCOS is a registered trademark of LANCOM Systems GmbH. The naming of copyrighted trademarks in this manual, even when not specially indicated, should not be taken to mean that these names may be considered as free in the sense of the trademark and tradename protection law and hence that they may be freely used by anyone. © 2008 Hirschmann Automation and Control GmbH. Manuals and software are protected by copyright. All rights reserved. The copying, reproduction, translation, conversion into any electronic medium or machine-scannable form is not permitted, either in whole or in part. An exception is the preparation of a backup copy of the software for your own use. For devices with embedded software, the end user license agreement on the enclosed CD applies. This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org). This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software developed by the NetBSD Foundation, Inc. and its contributors. The per
73. (Screenshot: LANconfig dialog "Firmware updates for your devices have been found during the automatic update scan in the following directory: D:\Programme\LANCOM\LANconfig\Firmware. Do you want to select the devices to be updated now?", and the "Firmware update" dialog for selecting the devices to be updated, with the options "Scan firmware archive at startup" and "Check devices for possible firmware updates".) Manual search for firmware updates: To search manually for firmware updates, click with the right-hand mouse key on a device marked in the list and select the following point from the context menu: Firmware management > Check for firmware update. If you wish to update several devices simultaneously, the entry "Check for firmware updates" is displayed directly in the context menu. 5.2 Project management with LANconfig (Screenshot: LANconfig main window with the menu File, Edit, Device, View, Tools, Help and the device context menu: Configure, Setup Wizard, Check, Configuration Management, Firmware Management, WEBconfig/Console session.)
74. The DHCP server takes the IP addresses either from a freely defined address pool or determines the addresses automatically from its own IP address or intranet address. In DHCP mode a completely unconfigured device can even automatically assign IP addresses to itself and the computers in the network. In the simplest case, all that is required is to connect the new device to a network without other DHCP servers and switch it on. The DHCP server then interacts with LANconfig using a wizard and handles all of the address assignments in the local network itself. 12.1.2 DHCP on, off, auto, client or forwarding: The DHCP server can be set to five different states. on: The DHCP server is permanently active. The configuration of the server (validity of the address pool) is checked when this value is entered. When correctly configured, the device will be available to the network as a DHCP server. In the event of an incorrect configuration (e.g. invalid pool limits), the DHCP server is disabled and switches to the off state. Note: Only use this setting if assured that no further DHCP server is active in the LAN. off: The DHCP server is permanently disabled. auto: In this mode, after switching it on, the device automatically looks for other DHCP servers within the local network. This search can be recognized by the LAN Rx/Tx LED flashing. If at least one other DHCP server is found, the d
75. These examples reserve a desired bandwidth for Voice over IP phone calls. The first element, %Lcds0 %dAFxx %A, accepts DSCP AFxx marked packets of signalling calls. Voice data marked with EF is transferred preferentially by the entry %Qcds32 %dEF, and a bandwidth of 32 Kbps is guaranteed thereby as well. In parallel, the PMTU is reduced to 256 bytes by %Fprw256 %dEF, which makes it possible to ensure the required bandwidth in the receiving direction at all. Note: Further information about defining Firewall rules can be found in the chapter Firewall (page 249). 9.7.2 Defining minimum and maximum bandwidths. LANconfig: A minimum bandwidth for certain applications is defined in LANconfig by a Firewall rule according to the following conditions: The rule does not need an action, because QoS rules always implicitly assume transfer as the action. The guaranteed bandwidth is defined on the index card QoS. (Screenshot: Firewall rule dialog with the tabs General, Actions, QoS, Stations, Service; on the Quality of Service tab the conditions "Action only for default route (i.e. Internet)", "Action only for DiffServ CP BE", "Action only for send packets", "Action only for received packets" and the action "Grant minimum bandwidth 256 kbit per second, per connection".)
76. VPN client of the WLAN and another workstation of the cable-bound LAN. This passing through of VPN-encrypted data is called in technical jargon "VPN pass-through". The following are provided: PPTP pass-through, IPsec pass-through. (Figure: VPN client and VPN remote station.) Note: The BAT base stations support the VPN pass-through function for multiple stations within a wireless network. Wireless bridge between two Ethernet segments: With two base stations, two LANs can be connected via a radio link (point-to-point mode). In this so-called bridge mode, all data is transferred automatically to the remote network. By the use of narrow-beam antennas, larger distances can also be bridged securely. An additional increase of reach can be achieved by the use of further base stations which operate in relay mode between two LAN segments. Point-to-multipoint operation: It is possible to couple up to seven remote network segments into a united network by wireless bridges in the so-called P2MP operation (point-to-multipoint mode). Point-to-station operation: The so-called P2Station operation (point-to-station) connects a single station to a remote LAN. Base station in client mode: For binding single devices with Ethernet
77. a virtual WAN interface. With appropriate LCOS settings it is possible on some models to use a LAN interface as an additional xDSL/cable interface. 3 Wireless LAN (WLAN). 3.1 What is a Wireless LAN? Note: The following sections are a general description of the LCOS operating system functions in wireless networks. The precise functions supported by your device are described in its manual. In this chapter we will show you briefly the technology of wireless networks. In addition we give you an overview of the various applications, functions and abilities of your BAT Access Points and WLAN Router. A Wireless LAN connects single terminals (e.g. PCs or notebooks) to a local network (also LAN, Local Area Network). In contrast to a conventional LAN, communication takes place via radio links rather than via network cables. This is the reason why a Wireless LAN is also called a Wireless Local Area Network (WLAN). All functions of a cable-bound network are also available in a Wireless LAN: access to files, servers, printers etc. is as possible as the connection of individual stations to an internal mail system or to the Internet. The advantages of Wireless LANs are obvious: notebooks and PCs can be set up just where they are needed. Due to Wireless LANs, problems with missing connections or structural alterations belong to the pas
78. a rekeying again during the session using the same type of packets. In principle the client may also request rekeying from the access point. WPA also takes the case of older WLAN hardware into account, in which the access point does not support pairwise keys but only group keys. The first phase of the handshake in this case proceeds exactly as before but doesn't result in the installation of a pairwise key; the group key handshake simply proceeds in clear text, but an encryption in the EAP packets themselves prevents an attacker from simply reading the keys. WPA with passphrase: The handshake described in the previous section runs strictly under WPA, i.e. the user will never have to define any TKIP or Michael keys. In environments in which no RADIUS server is available to provide master secrets (for instance in smaller companies or home networks), WPA therefore provides the PSK method besides authentication using a RADIUS server: here the user must enter a passphrase of 8 to 32 characters on the access point and on all stations, from which the master secret is calculated, along with the SSID used, using a hash procedure. The master secret is therefore constant in such a PSK network, although different TKIP keys still result. In a PSK network, similar to classical WEP, both access security and confidentiality depend on the passphrase not being divulged to unauthorized people. As long as this is the case, WPA-PSK provides significantly im
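The derivation sketched above (a constant master secret from passphrase and SSID, per-session TKIP keys from the handshake nonces) worked through as an added example; this is not code from the manual or from LCOS. It uses the 802.11i definitions (PBKDF2-HMAC-SHA1 with 4096 iterations for the PMK, PRF-512 for the pairwise transient key); the length check applies the standard's 8 to 63 character range, and the MAC addresses and nonces are constructed sample values.

```python
import hashlib
import hmac


def wpa_psk_master_secret(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 256 bits).

    The SSID acts as the salt, so the same passphrase on two networks with
    different SSIDs yields two different master secrets.
    """
    if not 8 <= len(passphrase) <= 63:  # 802.11i passphrase length range
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def pairwise_transient_key(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
                           anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion",
                     min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce))."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 64)


def derive_session_keys(passphrase: str, ssid: str, ap_mac: bytes, sta_mac: bytes,
                        anonce: bytes, snonce: bytes) -> dict:
    """Return the PMK plus the TKIP key material split out of the 512-bit PTK."""
    pmk = wpa_psk_master_secret(passphrase, ssid)
    ptk = pairwise_transient_key(pmk, ap_mac, sta_mac, anonce, snonce)
    return {
        "PMK": pmk,            # constant for the whole PSK network
        "KCK": ptk[0:16],      # key confirmation key (handshake MIC)
        "KEK": ptk[16:32],     # key encryption key (wraps the group key)
        "TK": ptk[32:48],      # TKIP temporal key for data encryption
        "MIC1": ptk[48:56],    # Michael MIC keys, one per direction
        "MIC2": ptk[56:64],
    }


# Constructed sample values for a demonstration run (not from the manual).
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(0xA0, 0xC0))
SNONCE_1 = bytes(range(0xC0, 0xE0))
SNONCE_2 = bytes(range(0xE0, 0x100))

if __name__ == "__main__":
    s1 = derive_session_keys("password", "IEEE", AP_MAC, STA_MAC, ANONCE, SNONCE_1)
    s2 = derive_session_keys("password", "IEEE", AP_MAC, STA_MAC, ANONCE, SNONCE_2)
    print("PMK constant across sessions:", s1["PMK"] == s2["PMK"])
    print("TKIP key differs per session:", s1["TK"] != s2["TK"])
```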
79. a terminal program, you will find the list of SYSLOG clients under the following paths: WEBconfig: Expert Configuration > Setup > SYSLOG > Table-SYSLOG; Terminal/Telnet: Setup/SYSLOG/Table-SYSLOG. 6.2.3 Read out SYSLOG messages: To read the SYSLOG messages, access the statistics under WEBconfig or Telnet. The SYSLOG output can be accessed under Status > TCP-IP statistics > Syslog statistics. (Screenshot: Expert Configuration > Status > TCP-IP statistics > Syslog Statistics > Last Messages, with the columns Idx, Time, Source, Level, Message:)
8 12.3.2004 17:43:32 LOCAL0 Error error for peer 1UND1: DSL layer 1
9 12.3.2004 17:43:32 LOCAL0 Notice none: state DSL-ERR: Ready
10 12.3.2004 17:43:33 LOCAL0 Notice none: state DSL-ERR: Dial to 1UND1
11 12.3.2004 17:43:33 LOCAL0 Notice Router: state DSL-1: Establ. PPPoE to 1UND1
12 12.3.2004 17:43:34 LOCAL0 Notice Router: state DSL-1: Protocol
13 12.3.2004 17:43:35 AUTH Notice Successfull logged in to peer 1UND1
6.3 The ping command: With the ping command in Telnet or in a terminal connection, an ICMP Echo Request is sent to the addressed host. As long as the recipient provides the protocol and the request is not filtered by the firewall, the addressed host answers with an ICMP Echo Reply. In case the host is not available, the last router before the host answers with "Network unreachable" or "Host unre
80. a threat (APs displayed in gray). Own APs: New affiliated WLAN networks from access points monitored by WLANmonitor are automatically grouped here (APs displayed in green). The WLANs that have been found can be placed into a corresponding group depending on their status. You can set up your own network groups within the individual groups by using the context menu (right mouse button), except for the group "All APs". (Screenshot: WLANmonitor with the group tree Rogue AP Detection (All APs, New APs, Rogue APs, Own APs) and Rogue Client Detection (All Clients, New Clients, Rogue Clients, Unknown Clients, Known Clients, Own Clients), and a list of detected clients with the columns Last seen, Identification, Network Name, Band, Channel, Interface and Signal.)
81. a true session key, that is a WEP key which will only be used for data packets between the access point and precisely this client, or a so-called group key, which the access point will use for communication with multiple clients. Classical WEP hardware can usually handle only group keys, these being the four mentioned in the chapter on WEP. The particular advantage of this procedure is that the access point can regularly change the WEP key over the EAP tunnel, that is, it can perform a so-called rekeying. In this way, WEP keys can be replaced by new ones long before they run the risk of being cracked due to IV collisions. A common use time for such WEP keys might be 5 minutes. The disadvantage of the procedure is its complexity. The maintenance of the central RADIUS server and the certificates stored there is generally only possible in large installations with a separate IT department; it is less suitable for use in the home or in smaller companies. These practical hurdles have thus limited EAP/802.1x to professional use so far; the home user must simply make do with WEPplus or address security problems on the application level. 3.2.5 TKIP and WPA: As clarified in the last section, the WEP algorithm is flawed and insecure in principle; the measures taken so far were largely either quick fixes with limited improvement or so com
82. access points according to their departments, locations or applications (e.g. public hotspot), for example. The groups are shown in the left column in WLANmonitor. Starting from the top group "WLANmonitor", you can use the menu item File > Add group to create new sub-groups and so build up a structure. Access points found during a search are assigned to the currently selected group in the group tree. Access points that have been recognized already can be moved to another group with drag and drop. (Screenshot: WLANmonitor with a group tree of locations (Aachen, Berlin, Munich) and departments (Research, Accountancy, Management, Administration, Training) beside the Access Points and Clients lists.) To aid the allocation of access points and clients, you can mark a device with the mouse. The counterpart(s) will then be marked in the list as well. If an access point is marked in the access point list, all of the clients logged in to this device will also be marked in the client list. If a client is marked in the client list, the access point that it is registered with will be marked in the access point list. 5.8.5 Rogue AP and rogue client detectio
83. access to one or more server(s) of the other one. (Figure: Network of firm A (10.0.0.x) with Server_A1 10.0.0.1 and Server_A2 10.0.0.2; network of firm B (10.0.0.x) with Server_B1 10.0.0.1 and Server_B2 10.0.0.2; target 192.168.2.1.) In this example, network servers of company A and B should have access over a VPN tunnel to the respective other network. All stations of the LAN should have access to the server of the remote network. For the time being there is no access possible to the other network, because both networks use the same address range. If one station of the network of company A wants to access server 1 of company B, the addressee with an address from the 10.0.0.x network will be searched for within the own local network, and the inquiry does not even reach the gateway. With the help of N:N mapping, all addresses of the LAN can be translated to a new address range for the coupling with the other network. The network of company A, e.g., will be translated to 192.168.1.x, the network of company B to 192.168.2.x. Under these new addresses the two LANs are now reachable for the respective other network. The station from the network of company A now addresses server 1 of company B under the address 192.168.2.1. The addressee does not reside any more within the own network; the inquiry is now passed on to the gateway, and the routing to the other network is
84. access to the address has been denied. Next it searches in its own static DNS table for suitable entries. If the address cannot be found in the DNS table, it searches the dynamic DHCP table. The use of DHCP information can be disabled if required. If no information on the name can be located in the previous tables, the DNS server then searches the lists of the NetBIOS module. The use of the NetBIOS information can also be disabled if necessary. Finally, the DNS server checks whether the request is to be forwarded to another DNS server via a WAN interface (special DNS forwarding via the DNS destination table). If the requested name cannot be found in any of the information sources available to it, the DNS server sends the request to another server, that of the Internet provider for example, using the general DNS forwarding mechanism, or returns an error message to the requesting computer. 12.3.2 DNS forwarding: If it cannot serve the request from its own DNS tables, the DNS server forwards the request to other DNS servers. This process is called DNS forwarding. Here a distinction is made between special DNS forwarding (requests for certain name areas are forwarded to certain DNS servers) and general DNS forwarding (all other names not specified in detail are forwarded to the higher-level DNS server). Special DNS forwarding: With special DNS forwarding, name areas can be defined for the resolution of which
85. actions defined below will be executed. (Screenshot: IDS dialog with "Maximum port inquiries", the packet action (Transmit, Drop, Reject), the further measures "Send Syslog message", "Send email", "SNMP (i.e. LANmonitor)", "Disconnect", "Lock source address" and "Lock target port", and their durations.) Apart from the maximum number of port inquiries, the fragment action and the possible registration mechanisms, these reactions are also possible: The connection will be cut off. The sender address will be blocked for an adjustable period of time. The destination port of the scan will be blocked for an adjustable period of time. WEBconfig/Telnet: The behavior of the Intrusion Detection System can be configured under WEBconfig or Telnet. Configuration tool / Run: WEBconfig: Expert Configuration > Setup > IP-Router-Module > Firewall; Terminal/Telnet: Setup/IP-Router-Module/Firewall. 8.5 Denial of Service: Attacks from the Internet can be break-in attempts as well as attacks aiming to block the accessibility and functionality of individual services. Therefore a BAT is equipped with appropriate protective mechanisms which recognize well-known hacker attacks and which guarantee functionality. 8.5.1 Examples of Denial of Service Attacks: Denial-of-service attacks profit from fundamental weaknesses of TCP/IP protocols as well as from in
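The port-scan logic of the IDS settings above (a "maximum port inquiries" threshold, then "Lock source address" and "Lock target port" for a set duration) reproduced over constructed connection records as an added example; this is not the BAT firmware's code. The threshold, the durations, the rule name "IDS" and the sliding time window are assumptions, since the manual leaves the values to the operator and does not state the counting period; the block-list entries mirror the host and port block list columns the manual describes.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class HostBlockEntry:      # host block list: Address, Timeout (minutes), Filter rule
    address: str
    timeout_minutes: int
    filter_rule: str


@dataclass(frozen=True)
class PortBlockEntry:      # port block list: Address, Protocol, Port, Timeout, Filter rule
    address: str
    protocol: str
    port: int
    timeout_minutes: int
    filter_rule: str


@dataclass
class IdsConfig:
    max_port_inquiries: int = 5      # constructed threshold ("Maximum port inquiries")
    window_seconds: float = 10.0     # assumption: distinct ports counted per source in this window
    lock_source_address: bool = True  # further measure "Lock source address"
    lock_target_port: bool = True     # further measure "Lock target port"
    source_lock_minutes: int = 60     # constructed "Durations"
    port_lock_minutes: int = 15
    filter_rule: str = "IDS"          # constructed rule name written into the block lists


def detect_port_scans(attempts, cfg: IdsConfig):
    """Return (host_block_list, port_block_list) derived from connection attempts.

    attempts: iterable of (time_s, src, dst, proto, dport), in any order.
    A source that reaches more than cfg.max_port_inquiries distinct ports on one
    host within cfg.window_seconds is treated as a port scanner; repeated probes
    of the same port count once, and probes spread wider than the window do not
    accumulate, which is the trade-off behind the threshold.
    """
    by_pair = defaultdict(list)
    for t, src, dst, proto, dport in sorted(attempts):
        by_pair[(src, dst)].append((t, proto, dport))

    host_blocks, port_blocks = {}, {}
    for (src, dst), events in by_pair.items():
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > cfg.window_seconds:
                start += 1                      # slide the window forward in time
            distinct = {(p, d) for _, p, d in events[start:end + 1]}
            if len(distinct) > cfg.max_port_inquiries:
                if cfg.lock_source_address:
                    host_blocks.setdefault(src, HostBlockEntry(
                        src, cfg.source_lock_minutes, cfg.filter_rule))
                if cfg.lock_target_port:        # lock the port whose probe crossed the line
                    _, proto, dport = events[end]
                    port_blocks.setdefault((dst, proto, dport), PortBlockEntry(
                        dst, proto, dport, cfg.port_lock_minutes, cfg.filter_rule))
                break                           # one entry per offender; its timeout governs expiry
    return list(host_blocks.values()), list(port_blocks.values())


# Constructed sample: one normal client, one fast scanner, one slow prober.
SAMPLE_ATTEMPTS = [
    (0.0, "192.0.2.10", "10.0.0.43", "TCP", 80),
    (1.0, "192.0.2.10", "10.0.0.43", "TCP", 443),
    (2.0, "192.0.2.10", "10.0.0.43", "TCP", 443),       # same port again: counts once
    (1.0, "198.51.100.7", "10.0.0.43", "TCP", 21),
    (1.1, "198.51.100.7", "10.0.0.43", "TCP", 22),
    (1.2, "198.51.100.7", "10.0.0.43", "TCP", 23),
    (1.3, "198.51.100.7", "10.0.0.43", "TCP", 25),
    (1.4, "198.51.100.7", "10.0.0.43", "TCP", 80),
    (1.5, "198.51.100.7", "10.0.0.43", "TCP", 110),     # sixth distinct port: threshold exceeded
] + [(11.0 * i, "203.0.113.5", "10.0.0.43", "TCP", p)   # one port every 11 s: never 6 in a window
     for i, p in enumerate([21, 22, 23, 25, 80, 110])]

if __name__ == "__main__":
    hosts, ports = detect_port_scans(SAMPLE_ATTEMPTS, IdsConfig())
    for entry in hosts + ports:
        print(entry)
```

The slow prober shows the caveat a defender should keep in mind: a threshold counted over a short window only catches scans that are faster than the window.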
86. additionally the system descriptor and the system name from MIB-2. For the example, the following trap is thus produced:
SNMP: SNMPv1 community public, SNMPv1 Trap, Length = 443 (0x1BB)
SNMP: Message type = SNMPv1
SNMP: Version = 1 (0x0)
SNMP: Community = public
SNMP: PDU type = SNMPv1 Trap
SNMP: Enterprise = 1.3.6.1.4.1.2356.400.1.6021
SNMP: Agent IP address = 10.0.0.43
SNMP: Generic trap = enterpriseSpecific (6)
SNMP: Specific trap = 26 (0x1A)
SNMP: Time stamp = 1442 (0x5A2)
System descriptor:
SNMP: OID = 1.3.6.1.2.1.1.1.0 (1)
SNMP: String Value = BAT54 Rail 2.80.0001 23.09.2002 8699.000.036 (device string)
System name:
SNMP: OID = 1.3.6.1.2.1.1.5.0 (2)
SNMP: String Value = BAT54 Rail
Time stamp:
SNMP: OID = 1.3.6.1.4.1.2356.400.1.6021.1.10.26.1.2.1 (3)
SNMP: String Value = 9/23/2002 17:56:57
Source address:
SNMP: OID = 1.3.6.1.4.1.2356.400.1.6021.1.10.26.1.3.1 (3)
SNMP: IP Address = 10.0.0.37
Destination address:
SNMP: OID = 1.3.6.1.4.1.2356.400.1.6021.1.10.26.1.4.1 (4)
SNMP: IP Address = 192.168.200.10
Protocol (6 = TCP):
SNMP: OID = 1.3.6.1.4.1.2356.400.1.6021.1.10.26.1.5.1 (5)
SNMP: Integer Value = 6 (0x6) (TCP)
Source port:
SNMP: OID = 1.3.6.1.4.1.2356.400.1.6021.1.10.26.1.6.1 (6)
SNMP: Integer Value = 4353 (0x1101)
Destination port (80):
87. address, the device has gone into a special operating mode. It then uses the IP address 172.23.56.254 for itself and the address pool 172.23.56.x for the assignment of IP addresses in the network. If only one computer in the network is started up that is requesting an IP address via DHCP with its network settings, a device with an activated DHCP module will offer this computer an address assignment. A valid address is taken from the pool as an IP address. If the computer was assigned an IP address at some point in the past, it requests this same address, and the DHCP server attempts to reassign it this address if it has not already been assigned to another computer. The DHCP server also checks whether the address selected is still available in the local network. As soon as the uniqueness of an address has been established, the requesting computer is assigned the address found. Netmask assignment: The network mask is assigned in the same way as the address. If a network mask is entered in the DHCP module, this mask is used for the assignment. Otherwise the network mask from the TCP/IP module is used. The order is the same as during the assignment of the addresses. Broadcast address assignment: Normally an address yielded from the valid IP addresses and the network mask is used for broadcast packets in the local network. In special
88. alternative network paths in case of connection failure. 11.17.3 Configuring the Spanning Tree Protocol: The following parameters are available for configuring RSTP or STP functionality in BAT. (Screenshot: LANconfig Interfaces > Span Tree, with the note "Modification of these values is only recommended to individuals with adequate knowledge of the spanning tree" and the Port table in which each LAN port can be configured separately.) LANconfig: Interfaces > Span Tree; WEBconfig/Telnet: Expert Configuration > Setup > LAN-Bridge > Spanning-Tree. General parameters: > Spanning tree operating: When Spanning Tree is turned off, a BAT does not send any Spanning Tree packets and passes received packets along instead of processing them itself. > Protocol version: Classic: uses the classical STP to determine network topology. Rapid: uses the RSTP method to determine network topology. Note: RSTP is compatible with STP. Network components which only support classical STP continue to be supported where RSTP is operational. Default: Classic. > Path Cost Computation: Classic: uses the classical STP method to compute path
89. appropriate password for the device. Path defines the branch of the configuration menu tree that is to be read out. If no path is entered, then the entire configuration will be read out. script.lcs is the name of the script file in the current directory where the commands will be written to. Note: Please be aware that device passwords will be clearly visible as plain text while entering this command. Via Hyperterminal: Terminal programs such as Hyperterminal provide an option of storing the text displayed by the console directly to a text file. This method is especially advantageous when dealing with larger configuration files, as it avoids the potentially confusing method of using the Clipboard. Set up a connection to the device with Hyperterminal. Select the menu item Transfer > Capture Text and select the desired storage location and file name for the script. (Screenshot: Hyperterminal session showing the device's login banner.) At the command prompt, execute the command readscript. Observe the optional command extensions (Scripting commands, page 190). As soon as you have called up all of the required sections of the configuration, stop the recording with the menu item Transfer > Capture Text > Stop. The configuration commands are
90. as Ethereal can be connected to this port, for example. The allocation of DSL ports to the Ethernet ports can be chosen freely. An effective solution is to allocate the DSL ports in the reverse order to the ports at the switch, for example (figure: rear panel of a BAT Wireless 1811 DSL): LAN4 > DSL 2; LAN3 > DSL 3; LAN2 > DSL 4; LAN1 > LAN 1 (this port remains reserved for the LAN); WAN > DSL 1 (dedicated WAN port for the device). If the device is equipped with more than one DSL port, the DSL port to be used is entered in the DSL Broadband Peers list. If no port is defined (or port 0), the BAT selects the port after the one chosen for the connection's communication layer: If Layer 1 is set with AAL-5, then the ADSL interface is chosen. If Layer 1 is set with ETH, then the first DSL port (i.e. DSL 1) is chosen. If a particular port is defined (not 0), then it will be used for the connection. Note: Observe that the communication layer set for the connection over this port in Layer 1 is set to ETH. To enable channel bundling via multiple DSL interfaces, the appropriate ports are entered into the peer list for the remote station as a comma-separated port list (1,2,3) or as a port range (1-3). With a port list the bund
91. at least 13 x 20 s = 260 seconds. Note: Background scanning can be limited to a lower number of channels when indoor mode is activated. This allows roaming for the mobile BAT Wireless Router in client mode to be improved even further. 3.4 Configuration of WLAN parameters: Changes to the wireless network settings can be made at various points in the configuration. Some parameters concern the physical WLAN interface. Some BAT models have one WLAN interface; others have the option of using a second WLAN card as well. The settings for the physical WLAN interface apply to all of the logical wireless networks supported by this card. These parameters include, for example, the transmitting power of the antenna and the operating mode of the WLAN card (access point or client). Other parameters are related solely to the logical wireless network that is supported by a physical interface. These include, for example, the SSID or the activation of encryption, either 802.11i with AES, or WPA with TKIP, or WEP. A third group of parameters affect the wireless network operation but are not significant only to WLANs. These include, for example, the protocol filter in the LAN bridge. 3.4.1 WLAN security: In this part of the configuration you can place limitations on the communications available to the users in the wireless network. This is done by limiting
92. band, the channels and the 2.4 GHz/5 GHz mode to match the settings of the access point. Note: Selection of the frequency band and channels is not necessary on some models, such as those devices which support only one frequency band. Under WEBconfig or Telnet the settings for client mode can be found under the following paths: Configuration tool / Call: LANconfig: WLAN interfaces > Physical WLAN settings > Radio; WEBconfig/Telnet: Expert configuration > Setup > Interfaces > WLAN > Radio-settings. Set the SSID of the available networks: In the WLAN clients, the SSIDs of the networks to which the client stations are to connect must be entered. To enter the SSIDs, change to the General tab under LANconfig in the Wireless LAN configuration area. In the Interfaces section, select the first WLAN interface from the list of logical WLAN settings. (Screenshot: Logical WLAN settings, WLAN interface 1, Network 1, with the fields Network name (SSID), "This radio network cannot be accessed with the network name ANY (closed network)", "MAC filter enabled", "Maximum count of clients" and "Client Bridge Support".) Enable the WLAN network and enter the SSID of the network the client station should log onto. Under WEBconfig or Telnet the network settings f
93. button Time Server. With the button Add you can extend the list. (Screenshot: Date & Time dialog, Synchronization tab, with the adjustment methods for the implemented realtime clock: "No regular adjustment of the device time", "Adjustment whenever a connection is made to ISDN", "Synchronize to a time server using NTP at regular intervals", and the time server list ptbtime1.ptb.de, ptbtime2.ptb.de, ntps1-0.cs.tu-berlin.de.) With these settings only the BAT applies the time from public time servers. To provide the real time for the remaining devices, enable the local time server under the tab Time Server. Furthermore, activate the broadcast mode and enter the broadcast interval. 12.6 Time server for the local net (Screenshot: Date & Time dialog, Time Server tab: "Local time server: Your device can serve as a local time server to which other devices or stations can synchronize. Additionally it can send the time in constant intervals to all stations of your local network." with "Time server enabled", "Broadcast Mode" and "Broadcast Interval 64 seconds".) 12.6.2
94. can be switched on or off. Min. Value and Max. Value are of no further significance for these entries. Check marks are activated as standard if the default value is not empty. Default: Label. Min. Value: Minimum value for the current variable if type integer, or minimum number of characters where type String or Password. Possible values: 0 to 2^32-1. Default: 0. Max. Value: Maximum value for the current variable if type integer, or maximum number of characters where type String or Password. Possible values: 0 to 2^32-1. Default: 0. Default value: Default value of the current variable. Possible values: maximum 64 alphanumerical characters. Default: blank. 5.5.3 Actions to be executed by the Rollout Wizard: Max. 19 definitions of actions with index and action which are to be executed by the Rollout Wizard after the user data has been entered. Index: Index for the action. The Rollout Wizard executes the actions in ascending order. Possible values: 1 to 2^32-1. Default: 0. Action: Action to be executed by the Rollout Wizard after the user data has been entered. Possible values: Similar to Cron commands, actions are entered in the syntax Protocol:Argument. If no protocol is entered, exec is applied. exec: Executes any command just as it is used in Telnet to configure a BAT. The following example sets the name of the device to MyLANCOM.
95. cases, however (e.g. when using subnetworks for some of the workstation computers), it may be necessary to use a different broadcast address. In this case the broadcast address to be used is entered in the DHCP module. Note: The default setting for the broadcast address should be changed by experienced network specialists only. Incorrect configuration of this section can result in the undesired establishment of connections subject to connect charges. Standard gateway assignment: The device always assigns the requesting computer its own IP address as a gateway address. If necessary, this assignment can be overwritten with the settings on the workstation computer. DNS and NBNS assignment: This assignment is based on the associated entries in the TCP/IP module. If no server is specified in the relevant fields, the router passes its own IP address as a DNS address. This address is determined as described under IP address assignment. The router then uses DNS forwarding (also see DNS forwarding) to resolve DNS or NBNS requests from the host. Period of validity for an assignment: The addresses assigned to the computer are valid only for a limited period of time. Once this period of validity has expired, the computer can no longer use these addresses. In order for the computer to keep from constantly losing its addresses, abo
96. cons for the WLAN networks in the same order. The first beacon transmission (0 Kµs) is WLAN-1, WLAN-2 and WLAN-3; the second transmission is in the same order, and so on. Default: Cyclic.
Some older WLANs are unable to process the quick succession of beacons which occur with simple burst. Consequently, these clients often recognize the first beacons only and can only associate with this network. Staggered transmission of beacons produces better results but increases the load on the access point's processor. Cyclic transmission proves to be a good compromise, as all networks are transmitted first in turn.
The transmission table: The transmission settings regulate variables such as the packet size for WLAN communications and minimum and maximum transmission speeds. Transmission properties can also be improved with the number of repetitions for packet transmission.
Configuration tool | Call
WEBconfig, Telnet | Expert Configuration > Setup > Interfaces > WLAN > Transmission
Hard retries: This value defines the number of times that the hardware should attempt to send packets before a Tx error message is issued. Smaller values mean that a packet which cannot be sent blocks the sender for less time. Default: 10.
Soft retries: If the hardware was unable to send a packet, the number of soft retries defines how often the system repeats the attempt to transmit. The total number of attempts is thus (soft retries + 1) × hard retries.
97. context menu to select the entry Configuration Management > Apply Script. If multiple devices are marked, the entry Apply Script appears directly in the context menu. In the following dialog, select the required script file (*.lcs) for upload.
[Screenshot: LANconfig device list with the context menu Configuration Management > Apply Script and the file dialog "Apply script to ..." (Files of type: Configuration Script Files (*.lcs))]
Note: The upload of the script starts automatically. Status and error messages are either displayed directly by LANconfig or they can be viewed in a console session with the command show script.
Upload script with Hyperterminal: A further way to upload scripts to a BAT is to use a terminal program such as Hyperterminal, as supplied with Windows. Set up a connection to the device with Hyperterminal. Sele
98. e.g. WEP) of a device with a wireless interface and in the configuration PC has been adjusted correctly and/or has been deactivated.
> Via the serial configuration interface
> Via an ISDN connection
4.4 Configuration using different tools
4.4.1 LANconfig
Start LANconfig, for example using the Windows Start menu: Start > Programme > Hirschmann > BAT > Hirschmann LANconfig. LANconfig will now automatically search for devices on the local network. It will automatically launch the setup wizard if a device which has not yet been configured is found on the local area network.
[Screenshot: LANconfig device list showing a newly found device (LANCOM 1811 Wireless DSL, 172.23.56.254) and the prompt to start the setup wizard]
Note: If the firewall is activated, LANconfig might not be able to find the new device in the LAN. In this case, deactivate the firewall while configuring. Your BAT device is equipped with an extensive firewall and protects your computer even if no further firewall is active.
Find new devices: Click on the Find button or c
99. entered as the sub-protocol, the filter applies to all packets of the protocol entered.
Start port and end port: e.g. both 80 for HTTP. If 0 is entered as the start port, this filter will be applied to all ports of the corresponding protocol/sub-protocol. If 0 is entered as the end port, the start port becomes the end port.
Note: Lists of the official protocol and port numbers are available in the Internet under www.iana.org.
Action: Action performed for the data packets captured using this rule.
> Pass: The packet is forwarded on without change.
> Drop: The complete packet is dropped.
> Redirect: The packet is forwarded on, albeit with changed destination IP address and target MAC address.
Interface list: List of the interfaces to which the filter applies. All of the LAN interfaces, DMZ interfaces, logical WLAN networks and point-to-point connections in the WLAN may be entered as interfaces. The following examples illustrate how interfaces are specified: LAN-1 for the first LAN interface; WLAN-2-3 for the third logical WLAN network on the second physical WLAN interface; P2P-1-2 for the second point-to-point connection on the first physical WLAN interface. Groups of interfaces may be specified in the form WLAN-1-1~WLAN-1-6 (logical WLANs 1 to 6 on the first physical WLAN interface) or with a wildcard as P2P-1-* (all P2P connections on the
100. entry under Configure > VPN > Parameters > Lifetime.
Message (Phase): Meaning
> Lifetime mismatched (IKE): The lifetime specified does not match that of the remote device. Check this entry under Configure > VPN > Parameters > Lifetime.
> ID type/value unsupported (other than IP, network, domain or email) (IKE): False entry of identity. Please correct your entry under Configure > VPN > IKE > IKE key.
> ID type mismatch (e.g. IP, network, domain or email) (IKE): The two sites are using different identities. Compare the identification at both sites under Configure > VPN > IKE > IKE key.
> No rule matched (ID unknown, connection or wrong ID, e.g. remote gateway definition) (IKE): The incoming VPN connection could not be assigned to a remote device.
> IKE key mismatch (IKE): Please compare the preshared keys under Configure > VPN > IKE > IKE key.
> IKE key mismatch (IKE): Please compare the preshared keys under Configure > VPN > IKE > IKE key.
> Out of memory (IKE): The number of VPN connections has overloaded the device's memory. To maintain the stability of the device, no further VPN connections should be established.
> Out of memory (IKE): The number of VPN connections has overloaded the device's memory. To maintain the s
101. first physical interface).
Note: Only filter rules with valid entries in the interface list are active. A rule with no specification of the interfaces does not apply to all of them; it is ignored instead.
Redirect IP address: Destination IP address for the Redirect action. On redirection, the destination IP address of the packets is replaced by the Redirect IP address entered here. Furthermore, the destination MAC address is replaced by the MAC address determined using ARP for the Redirect IP address.
Note: If ARP was unable to determine the destination MAC address, the packet is dropped rather than redirected.
Example:
Name | DHCP source MAC address | Destination MAC address | Prot. | IP address | IP network | Sub-type | Start port | End port | Interface list | Action | Redirect IP
ARP | irrelevant | 000000000000 | 0806 | 0.0.0.0 | 0.0.0.0 | 0 | 0 | 0 | WLAN-1-2 | Pass | 0.0.0.0
DHCP | irrelevant | 000000000000 | 0800 | 0.0.0.0 | 0.0.0.0 | 17 | 67 | 68 | WLAN-1-2 | Pass | 0.0.0.0
TEL | irrelevant | 000000000000 | 0800 | 0.0.0.0 | 0.0.0.0 | 6 | 23 | 23 | WLAN-1-2 | Redirect | 192.168.11.5
ICMP | irrelevant | 000000000000 | 0800 | 0.0.0.0 | 0.0.0.0 | 1 | 0 | 0 | WLAN-1-2 | Pass | 0.0.0.0
HTTP | irrelevant | 000000000000 | 0800 | 0.0.0.0 | 0.0.0.0 | 6 | 80 | 80 | WLAN-1-2 | Redirect | 192.168.11.5
ARP, DHCP and ICMP are allowed to pass, Telnet and HTTP are redirected to 192.168.11.5, and all other packets are rejected.
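As an added example (not code from the manual or from the BAT firmware), the following Python script evaluates packets against the five rules of the example table above with the matching semantics the manual describes: sub-type 0 matches all packets of the protocol, start port 0 matches all ports, end port 0 makes the start port the end port, a rule without interfaces is ignored, a Redirect whose target cannot be resolved by ARP is dropped, and a packet no rule matches is rejected. The Packet fields, first-match order, matching on the destination port and the ARP cache contents are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

ANY_IP = "0.0.0.0"


@dataclass(frozen=True)
class FilterRule:
    """One row of the WLAN protocol filter table (added model, not firmware code)."""
    name: str
    protocol: int              # Ethernet type: 0x0806 = ARP, 0x0800 = IP
    sub_type: int              # IP protocol number; 0 = all packets of the protocol
    start_port: int            # 0 = all ports of the protocol/sub-protocol
    end_port: int              # 0 = the start port becomes the end port
    interfaces: frozenset      # e.g. {"WLAN-1-2"}; empty list = rule is ignored
    action: str                # "Pass", "Drop" or "Redirect"
    redirect_ip: str = ANY_IP  # destination IP substituted by Redirect


@dataclass(frozen=True)
class Packet:
    """Constructed packet summary; assumed field names, not a firmware structure."""
    interface: str
    ethertype: int
    ip_proto: int = 0          # 0 for non-IP frames such as ARP
    dst_port: int = 0          # assumption: ports are matched on the destination port


@dataclass(frozen=True)
class Verdict:
    action: str
    rule: Optional[str] = None
    new_dst_ip: Optional[str] = None
    new_dst_mac: Optional[str] = None


def rule_matches(rule: FilterRule, pkt: Packet) -> bool:
    if not rule.interfaces:                      # manual: no interfaces -> rule ignored
        return False
    if pkt.interface not in rule.interfaces:
        return False
    if rule.protocol != pkt.ethertype:
        return False
    if rule.sub_type != 0 and rule.sub_type != pkt.ip_proto:
        return False
    if rule.start_port == 0:                     # 0 = every port of this protocol
        return True
    end_port = rule.end_port or rule.start_port  # end port 0 -> single-port rule
    return rule.start_port <= pkt.dst_port <= end_port


def apply_filter(pkt: Packet, rules: List[FilterRule],
                 arp_table: Dict[str, str]) -> Verdict:
    """Verdict of the first matching rule (first-match order is an assumption)."""
    for rule in rules:
        if not rule_matches(rule, pkt):
            continue
        if rule.action == "Redirect":
            mac = arp_table.get(rule.redirect_ip)
            if mac is None:                      # manual: ARP failure -> packet dropped
                return Verdict("Drop", rule.name)
            return Verdict("Redirect", rule.name, rule.redirect_ip, mac)
        return Verdict(rule.action, rule.name)
    return Verdict("Drop")                       # example text: all other packets rejected


WLAN = frozenset({"WLAN-1-2"})
# The five rows of the manual's example table.
EXAMPLE_RULES = [
    FilterRule("ARP",  0x0806, 0,  0,  0,  WLAN, "Pass"),
    FilterRule("DHCP", 0x0800, 17, 67, 68, WLAN, "Pass"),
    FilterRule("TEL",  0x0800, 6,  23, 23, WLAN, "Redirect", "192.168.11.5"),
    FilterRule("ICMP", 0x0800, 1,  0,  0,  WLAN, "Pass"),
    FilterRule("HTTP", 0x0800, 6,  80, 80, WLAN, "Redirect", "192.168.11.5"),
]
# Constructed ARP cache; the MAC address of the redirect target is invented.
EXAMPLE_ARP = {"192.168.11.5": "00:00:5e:00:53:05"}


def classify_samples() -> Dict[str, str]:
    """Run a few constructed packets through the table; keys are sample names."""
    samples = {
        "arp":        Packet("WLAN-1-2", 0x0806),
        "dhcp":       Packet("WLAN-1-2", 0x0800, 17, 67),
        "telnet":     Packet("WLAN-1-2", 0x0800, 6, 23),
        "http":       Packet("WLAN-1-2", 0x0800, 6, 80),
        "ping":       Packet("WLAN-1-2", 0x0800, 1),
        "dns":        Packet("WLAN-1-2", 0x0800, 17, 53),   # no rule -> rejected
        "http_wlan1": Packet("WLAN-1-1", 0x0800, 6, 80),    # interface not listed
    }
    return {name: apply_filter(p, EXAMPLE_RULES, EXAMPLE_ARP).action
            for name, p in samples.items()}


if __name__ == "__main__":
    for name, action in classify_samples().items():
        print(f"{name:11s} -> {action}")
```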
102. frequencies.
Gateway: Network component which provides access to other network components on a layer of the > OSI model. Packets which do not go to a local partner are sent to the gateway. The gateway takes care of communication with remote networks.
Hub: Network component (distributor, collector), also used to translate from one connection type to another.
HotSpot: Locally limited wireless network with a base station with Internet access (public wireless Internet access).
IAPP roaming: Roaming between the cells of a wireless network using IAPP (Inter Access Point Protocol).
IBSS: Independent Basic Service Set.
IDS: Intrusion Detection System; earliest possible detection of attacks on the network.
IEEE: Institute of Electrical and Electronics Engineers, New York, www.ieee.org.
IP: Internet Protocol.
IP masquerading: Combination of PAT (Port Address Translation) and NAT (Network Address Translation) from Hirschmann; process used for connection of an intranet (multiple workstations) to the Internet over a single IP address. Simultaneously, the internal computers are protected from attacks from outside.
IPSec: Internet Protocol Security.
IP Quality of Service: These functions give precedence to enterprise-critical applications, particular services or user groups.
ISDN: Integrated Services Digital Network. f
103. gateway information to the other workstations within the LAN, provided that the workstations are set to obtain their IP address automatically (auto-DHCP). In this constellation, the device can be accessed with any web browser from each PC with activated auto-DHCP function through the name BAT or by its IP address 172.23.56.254.
[Screenshot: two browser windows with the address bar showing http://LANCOM and http://172.23.56.254]
If the configuration PC does not obtain its IP address from the BAT DHCP server, figure out the current IP address of this PC with Start > Execute > cmd and the command ipconfig at the prompt under Windows 2000 or Windows XP, with Start > Execute > cmd and the command winipcfg at the prompt under Windows Me and Windows 9x, or with the command ifconfig on the console under Linux. In this case the BAT is reachable under the IP address x.x.x.254 (x stands for the first three blocks in the IP address of the configuration PC).
Network with DHCP server: If a DHCP server is active in the LAN to assign IP addresses, an unconfigured BAT device will turn off its own DHCP server. It will change into DHCP client mode and will obtain an IP address from the DHCP server of the LAN. This IP address is not known at first. The accessibility of the device depends on the nam
104. [Screenshot: LANconfig options dialog: Telnet client telnet.exe; SSH client; Automatic retry: Attempts 1, Time interval 1 minutes; Application language: English]
Configuration tool | Call
LANconfig | Tools > Options > General
LANmonitor and WLANmonitor | Tools > Options
5.2 Project management with LANconfig
LANconfig facilitates the configuration of various devices within a project with a range of functions that can be run on several devices at once. If the list in LANconfig contains multiple devices, just click on the device of your choice with the right mouse key to open a context menu offering the following actions:
[Screenshot: LANconfig device list with the context menu (Check Ctrl+F5, Firmware Upload Ctrl+U, Open Telnet Session Ctrl+T, Monitor Device Ctrl+M, ...)]
> Configure: Opens up the LANconfig configuration dialog for the selected devi
105. in the table. The route exists in the table with a time of 5 or 6: the new route is then used if it indicates the same or a better distance. The route exists in the table with a time of 7 to 10 and thus has the distance 16: the new route will always be used. The route exists in the table, and the new route comes from the same router which notified this route but has a worse distance than the previous entry: if a device notifies the degradation of its own static routing table in this way (e.g. releasing a connection increases the distance from 1 to 2, see below), the router will believe this and include the poorer entry in its dynamic table.
Note: RIP packets from the WAN will be ignored and will be rejected immediately. RIP packets from the LAN will be evaluated and will not be propagated in the LAN.
The interaction of static and dynamic tables: The router uses the static and dynamic tables to calculate the actual IP routing table it uses to determine the path for data packets. In doing so, it includes the routes from the dynamic table which it does not know itself, or which indicate a shorter distance than its own static route, with the routes from its own static table.
Scaling with IP RIP: If you use several routers in a local network with IP RIP, you can represent the routers outwardly as one large router. This procedure is a
106. in your provider's network. The polling table is to be found under the following paths:
Configuration tool | Menu/Table
LANconfig | Communication > Remote Sites > Polling Table
WEBconfig | Expert configuration > Setup > WAN > Polling table
Terminal/Telnet | Setup/WAN/Polling table
11.14.11 Contact assignment of BAT modem adapter kit
Contact assignment for BAT interlink or modem connection:
Device signal | Sub-D 9 plug | Device or modem signal | Sub-D 9 plug
TxD | 3 | RxD | 2
RxD | 2 | TxD | 3
RTS | 7 | CTS | 8
CTS | 8 | RTS | 7
DTR | 4 | DCD | 1
DCD | 1 | DTR | 4
GND | 5 | GND | 5
11.15 Manual definition of the MTU
Many Internet providers operate their own backbone; however, their customers dial in to the network over the access nodes provided by third-party telecommunications providers. The two-stage dial-in procedure can lead to problems with the realized data rate. When dialing into the nodes of Deutsche Telekom, for example, a BAT negotiates a permissible maximum transmission unit (MTU), which defines the greatest possible size of an unfragmented data packet. This MTU is then observed by the BAT. When the data packets are forwarded to the actual provider, an additional header is added, which increases the size of the data packets again. For the data packets to meet with the permitted size, they must now be fragmented into sma
107. interface is considered to be a default route if either the untagged default route or a default route tagged with the interface tag refers to this WAN interface.
The first point influences behavior during ping blocking and also the stealth mode, as all tagged default routes are affected. In LCOS prior to version 7.00, a WAN interface could be pinged as long as just one tagged default route referred to it and, under Ping Block, the item "default route only" was selected. The same applies to the stealth mode.
Both points affect the behavior of session recovery. With LCOS version 6.30, session recovery was allowed for all tagged routes as long as the item "Deny Session Recovery" was restricted to the default route. From LCOS version 7.00 this is prohibited, even if the point mentioned above is satisfied.
Similarly, the default router filters now take effect even if the default route is in the LAN. Here it applies that the filter takes effect when:
> A packet was received over a tagged LAN interface and is to be sent over a default route tagged with the interface, or
> A packet from another router was received at a tagged LAN interface and there is a default route with the interface tag to the packet's source address, or
> A packet was received from the WAN and is to be sent to the LAN via a default route with any tag.
11.7.9 Extended port forw
108. interfaces to a Wireless LAN. BAT wireless base stations can be put into the so-called client mode, in which they behave like a conventional Wireless LAN adapter and not like a base station. Due to the client mode, it is also possible to integrate devices like PCs or printers having only one Ethernet interface into a Wireless LAN.
[Figure: base stations in client mode and base stations in standard mode]
Note: On an Access Point in normal mode, further clients can log on; this is not possible in client mode.
Multiple radio cells with Multi-SSID: Conventionally, a wireless network card supports exactly one radio cell. These radio cells are given a network name known as the SSID (Service Set Identifier) that is entered into the access points and network cards during configuration. Certain settings that apply to the radio cell can be defined under the SSID during the configuration of the access point. The settings include, for example, the data transfer speed and the first WEP key, which is also used as the passphrase for encryption with 802.11i and WPA. Those clients that are programmed with the SSID can make use of the radio cell and work with the parameters as defined. The access point treats all clients on an equal basis. In some applications, however, it may be desirable to divide the clients in the radio cell into different groups, each of which is treated in a ce
109. internal table in the BAT Wireless Router. Once activated, background scanning records neighboring access points and enters them into the scan table. WLANmonitor presents this information visually. The access points and clients found can be categorized in groups such as known, unknown or rogue.
Note: Further information can be found under "Background WLAN scanning", page 49.
Rogue AP detection: The WLANmonitor sorts all of the access points found into predefined subgroups under Rogue AP Detection, while displaying the following information:
> Time of first and last detection
> BSSID (the MAC address of the AP for this WLAN network)
> Network name
> Type of encryption used
> Frequency band used
> Radio channel used
> Use of 108 Mbps mode
Note: To use rogue AP detection, background scanning has to be activated in the BAT Wireless Router.
The WLANmonitor uses the following groups for sorting the APs that are found:
> All APs: List of all scanned WLAN networks, grouped as follows:
> New APs: New, unknown and unconfigured WLAN networks are automatically grouped here (APs displayed in yellow).
> Rogue APs: WLAN networks identified as rogue and in need of urgent observation (APs displayed in red).
> Unknown APs: WLAN networks which are to be further analyzed (APs displayed in gray).
> Known APs: WLAN networks which are not
110. itself. Windows XP or Windows Vista may interpret this change as an attack and may issue a warning or even prevent the entry from being made. In order for LANconfig's startup behavior to be controlled as desired, you can ignore these warnings and allow the changes to be made.
5.3 Scripting
Installations with multiple BAT devices often profit from the automatic execution of certain configuration tasks. The scripting function in BAT enables entire sets of commands for device configuration to be stored in a single file (a script) for transfer to one or more devices in one step.
5.3.1 Applications
Scripting provides users with a powerful tool for the centralized configuration of BAT devices, and thus a wide range of potential applications:
> Read out device configurations in a form that is easy to read and save. The configuration files generated by LANconfig are not intended for processing with other tools; users will only get an overview of the complete configuration from a printout of the configuration file. The scripting functions can output the configuration as ASCII text to be saved as a text file.
> Edit the configuration with a simple text editor. If offline configuration with LANconfig is not possible or not desired, a configuration file generated by scripting can be edited with a text editor and then uploaded to the device again.
> Edit section
111. negotiation in an 802.1x authentication between client and access point. In VoIP environments it is possible that a user moves back and forth among a relatively small number of access points. Thus it may happen that a client switches back to an access point in which it was already registered earlier. In this case it wouldn't be sensible to repeat the entire 802.1x authentication again. For this reason the access point can provide the PMK with a code, the so-called PMKID, which it transmits to the client. Upon a new registration the client uses the PMKID to ask whether this PMK is still stored. If yes, the 802.1x phase can be skipped and the connection is quickly restored. This optimization is unnecessary if the PMK in a WLAN is calculated from a passphrase, as this applies everywhere and is known.
A second measure allows for some acceleration even in the case of first-time registration, but it requires a little care on the part of the client. The client must already detect a degrading connection to the access point during operation and select a new access point while it is still in communication with the old access point. In this case it has the opportunity to perform the 802.1x negotiation with the new access point over the old one, which again reduces the dead time by the time required for the 802.1x negotiation.
3.2.7 Summary
After the secu
112. neighboring router. The system does not wait until the next regular update. An update delay stops faulty configurations from causing excessive update messages.
Update delay: The update delay starts as soon as the routing table or parts of it are propagated. As long as this delay is running, new routing information is accepted and entered into the table, but it is not reported any further. The router actively reports its current entries only after expiry of this delay. The value set here sets the upper limit for the delay; the actual delay is a random value between one second and the value set here. Possible values: 0 to 99 seconds. Default: 5.
Triggered update in the WAN: Other than in the LAN, WAN bandwidth limitations may make regular updates every 30 seconds undesirable. For this reason, RFC 2091 requires that routes are transmitted to the WAN once only, when the connection is established. After this, only updates are transmitted. Because updates are explicitly requested here, broadcasts or multicasts are not to be used for delivering RIP messages. Instead, the subsidiary device must be statically configured with the IP address of the next available router at the central location. Due to these requests, the central router knows which subsidiary routers it has received update requests from; it then sends any messages on route cha
113. networks applies here too. The workgroup (domain) enables networks to be scanned for NetBIOS names when a device is started. The workgroup is different for every network and has to be defined everywhere. In networks without domains, the name of the largest workgroup should be defined here.
11.7.4 RIP
Similar to the NetBIOS proxy, the local network structure should generally not be propagated by RIP in the DMZ. Apart from that, it is sometimes desirable to propagate routes to a network but not to learn routes from that network (e.g. in the WAN). For this reason, the RIP function can be configured separately for each network.
[Screenshot: dialog "RIP networks - Edit Entry" with the fields Network name, RIP type (Off), Accept RIP for this network, Propagate this network on other networks, Default routing tag (0), Routing tag list]
Configuration tool | Call
LANconfig | IP router > General > RIP networks
WEBconfig, Telnet | Expert Configuration > Setup > IP Router > RIP > LAN Sites
Network name: Name of the network that the RIP support is to be activated for.
RIP support: RIP type for propagating own routes. Values:
> Off: No routes are propagated.
> RIP-1: Routes are propagated with RIP-1 packets.
> RIP-1 compatible: Routes are propagated in RIP-1 compatible packets (RIP-2 packets as broadcast).
> RIP-2: Routes are propagated wit
114. on Edit > Firmware Management. After upload, start the new firmware in test mode.
WEBconfig: Start WEBconfig in your web browser. On the starting page, follow the "Perform a Firmware Upload" link. In the next window you can browse the folder system to find the firmware file and click Start Upload to start the installation.
Terminal program (e.g. Telix or Hyperterminal in Windows): If using a terminal program, you should first select the set Mode-Firmsafe command on the Firmware menu and select the mode in which you want the new firmware to be loaded (immediately, login or manually). If desired, you can also set the time period of the firmware test under set Timeout-Firmsafe. Select the do Firmware-upload command to prepare the router to receive the upload. Now begin the upload procedure from your terminal program. If you are using Telix, click on the Upload button, specify XModem for the transfer and select the desired file for the upload. If you are using Hyperterminal, click on Transfer > Send File, select the file, specify XModem as the protocol and start the transfer with OK.
Note: The firmware upload over a terminal program is only possible over a serial configuration interface. Please observe the following hints when using a terminal program over the serial interface. The models BAT54-F and BAT54-F X2 feature
115. only by reset.
[Screenshot: mapping dialog with Destination remote site ZENTRALE, Original source address 10.0.0.0, Netmask 255.255.255.0, Mapped source address 192.168.1.0]
[Screenshot: Network table with the entry Default_VLAN (VLAN ID 1, Port list LAN-1, WLAN-1, P2P-1 to P2P-6) and the "Network table - New Entry" dialog with VLAN name INTERNAL and Port list LAN-1, WLAN-1]
The button Port table opens a drop-down list where a VLAN port can be selected for editing.
[Screenshot: Port table dialog with the options "Frames emitted on this port will have a VLAN tag", "Allow the forwarding of untagged frames being received on this port", "Accept frames on this port that belong to other VLANs" and Port VLAN ID 1]
10.3.4 Configuration with WEBconfig or Telnet
Under WEBconfig or Telnet, the tables for configuring the VLANs can be found via the following paths:
WEBconfig | Expert Configuration > Setup > LAN Management > VLAN Configuration
Terminal/Telnet | cd Setup/LAN-Management/VLAN-Configuration
The VLAN configuration shows up under WEBconfig as follows:
[Screenshot: WEBconfig, Expert Configuration > Setup > LAN management module > VLAN Configuration > Network T
116. possible is found. To assure that there are no radar signals, the selected channel is watched for about 60 seconds. The data transfer can therefore possibly be disconnected for about 60 seconds while the device is scanning or searching for a new free channel.
To prevent the data transfer being interrupted whenever a new channel is being selected, a BAT (LCOS version 5.00 and higher) executes the scanning procedure before selecting a certain channel. The following information about the scanned channels is saved in an internal database:
> Has a radar signal been found on the channel?
> How many other networks have been found on the channel?
With the help of this database, a WLAN device can select a radar-free channel with the least number of networks. As soon as a channel has been selected, the data transfer can begin with no further waiting time. The blacklist in the database saves the channels which are blocked due to found radar signals. To keep the blacklist up to date, every entry is deleted automatically after 30 minutes. The whitelist contains the channels where no radar signals were found. As long as no radar signals occur on a channel, an entry remains valid for the next 24 hours. If a radar signal is found, then the entry is directly deleted out of the whitelist and saved in the blacklist. The 60-second scanning procedure is only n
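The whitelist/blacklist bookkeeping described above, as an added Python model that is not code from the manual or from the BAT firmware: a radar hit moves a channel from the whitelist to the blacklist, blacklist entries expire after 30 minutes, whitelist entries after 24 hours, and channel selection picks the radar-free channel with the fewest networks or reports that a fresh scan is needed. The class and method names, the monotonic-seconds clock, the tie-break on the lower channel number and the scan data are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional

BLACKLIST_TTL = 30 * 60        # manual: blacklist entries are deleted after 30 minutes
WHITELIST_TTL = 24 * 60 * 60   # manual: whitelist entries stay valid for 24 hours


@dataclass
class ChannelInfo:
    networks: int   # other networks seen on the channel during the scan
    seen_at: float  # time of the scan in seconds (assumed monotonic clock)


class ChannelDatabase:
    """Whitelist/blacklist model of the scan database (added example, not firmware code)."""

    def __init__(self) -> None:
        self.whitelist: Dict[int, ChannelInfo] = {}
        self.blacklist: Dict[int, float] = {}   # channel -> time the radar was found

    def record_scan(self, channel: int, radar_found: bool,
                    networks: int, now: float) -> None:
        if radar_found:
            # Radar: the entry leaves the whitelist at once and goes onto the blacklist.
            self.whitelist.pop(channel, None)
            self.blacklist[channel] = now
        else:
            self.whitelist[channel] = ChannelInfo(networks, now)

    def expire(self, now: float) -> None:
        self.blacklist = {ch: t for ch, t in self.blacklist.items()
                          if now - t < BLACKLIST_TTL}
        self.whitelist = {ch: info for ch, info in self.whitelist.items()
                          if now - info.seen_at < WHITELIST_TTL}

    def select_channel(self, now: float) -> Optional[int]:
        """Radar-free channel with the fewest networks; None means a 60 s scan is needed."""
        self.expire(now)
        candidates = [(info.networks, ch) for ch, info in self.whitelist.items()
                      if ch not in self.blacklist]
        if not candidates:
            return None
        return min(candidates)[1]   # tie-break on the lower channel number (assumption)


def demo() -> dict:
    """Walk a constructed scan through both expiry deadlines."""
    db = ChannelDatabase()
    t0 = 0.0
    db.record_scan(36, radar_found=False, networks=3, now=t0)
    db.record_scan(40, radar_found=False, networks=1, now=t0)
    db.record_scan(52, radar_found=True, networks=0, now=t0)        # radar -> blacklist
    first = db.select_channel(t0)                                   # 40: fewest networks
    db.record_scan(40, radar_found=True, networks=1, now=t0 + 60)   # radar appears on 40
    after_radar = db.select_channel(t0 + 60)                        # only 36 is radar-free
    # 40 and 52 have left the blacklist, but need a new radar-free scan to be usable.
    after_30min = db.select_channel(t0 + 31 * 60)
    after_24h = db.select_channel(t0 + 25 * 3600)                   # whitelist expired
    return {"first": first, "after_radar": after_radar,
            "after_30min": after_30min, "after_24h": after_24h}


if __name__ == "__main__":
    print(demo())
```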
117. power of the antennas must be high enough to ensure acceptable data transfer rates. On the other hand, the country-specific legal regulations regarding maximum transmission power should not be exceeded. The calculation of effective power considers everything from the radio module in the transmitting access point to the radio module in the receiving access point. In between there are attenuating elements such as the cable, plug connections or simply the air transmitting the signals, and amplifying elements such as the external antennas.
[Figure: power budget of a radio link: output power of the radio module, loss through cable, plugs and lightning protection, amplification with antenna, free space loss, amplification with antenna, loss through cable, plugs and lightning protection, input signal at the radio module]
3.8 Establishing outdoor wireless networks
BAT access points in combination with appropriate external antennae are ideally suited to establishing point-to-point wireless connections to other access points. There are two main questions to be answered when setting up the wireless connection:
> How should the antennae be positioned to ensure a problem-free connection?
> What performance characteristics do the antennae need to ensure sufficient data rates within legal limitations?
3.8.1 Geometrical layout of the transmissio
118. protection and plug connectors is 5 dB. The radio signal thus arrives at the receiver's radio module with the following power: -97 dBm + 18 dBi - 5 dB = -84 dBm. From the table for reception sensitivity of the radio module, the attainable data rate can be read off; in this case 24 Mbps.
Reception sensitivity 802.11a (dBm):
Mbps | 5.150-5.725 GHz | 5.725-5.850 GHz
6 | -90 | -85
9 | -89 | -84
12 | -88 | -83
18 | -87 | -82
24 | -85 | -80
36 | -81 | -76
48 | -76 | -71
54 | -73 | -68
72 (Turbo) | -78 | -73
96 (Turbo) | -73 | -68
108 (Turbo) | -70 | -65
Note: These values are the result of a calculation that includes a safety margin of 10 dB. As every radio path is unique, these values can only serve as a rough guide.
3.8.3 Emitted power and maximum distance
Please refer to the Hirschmann Antenna Guide (download from www.hirschmann-ac.com) for concrete antenna data.
3.8.4 Transmission power reduction
Every country has regulations concerning the permissible output power from WLAN antennae, often with differences according to the WLAN standard or divided according to indoor or outdoor use. The output power from external antennae may not exceed these maximum power levels. The relevant power level is the result of adding the radio module power and the antenna gain and subtracting the loss from cable, connectors and lightning protection. S
119. reduces the emitted power. The reception sensitivity (reception antenna gain) remains unaffected. This option is useful, for example, where large distances have to be bridged by radio when using shorter cables: the reception antenna gain can be increased without exceeding the legal limits on transmission power. This leads to an improvement in the maximum possible range and, in particular, the highest possible data transfer rates.
Access point density: The more access points there are in a given area, the more the reception areas of the antennae intersect. The setting Access point density can be used to reduce the reception sensitivity of the antenna.
[Screenshot: Access point density: Low; TX power reduction: 0 dB]
Maximum distance: Large distances between transmitter and receiver give rise to increasing delays for the data packets. If a certain limit is exceeded, the responses to transmitted packets no longer arrive within an acceptable time limit. The entry for maximum distance increases the wait time for the responses. This distance is converted into a delay which is acceptable for wireless communications.
Configuration with WEBconfig or Telnet: Under WEBconfig or Telnet you will find the radio parameters under the following paths:
Configuration tool | Menu/Table
WEBconfig | Expert configuration > Setup > Interface
... requests from other network stations reliably. If ARP handling is activated, the access point takes over this task and answers the ARP requests on behalf of stations that are on standby.

Broken link detection
Broken link detection deactivates the WLAN card if the access point loses contact to the LAN.

Configuration with WEBconfig or Telnet
Under WEBconfig or Telnet you will find the general WLAN parameters under the following paths:

  Configuration tool   Menu/Table
  WEBconfig            Expert Configuration > Setup > WLAN
  Terminal/Telnet      cd /Setup/WLAN

3.4.3 WLAN routing (isolated mode)
By default, data between LAN and WLAN is transmitted transparently (bridged): the traffic between the cabled and the radio network does not pass through the IP router. This means that the firewall and Quality of Service features integrated in the IP router are not applied to data transferred between WLAN and LAN. To use these features nevertheless, the WLAN interface can be set to isolated mode, so that the data is deliberately routed through the IP router.

Note: For the IP router to transfer data between LAN and WLAN correctly, both areas must use different IP address ranges (subnets) and local routing must be activated in the IP router settings.

Configuration with LANconfig
When configuring with LA
... rule with "observe further rules" activated applies to a data packet, the appropriate action is carried out first, but then the checking in the firewall continues. If one of the further rules also applies to this data packet, the action defined in that rule is carried out as well. If "observe further rules" is also activated for this following rule, the checking continues until either a rule applies to the packet for which "observe further rules" is not activated, or the list of firewall rules has been worked through completely without a further rule applying to the packet.

To realize the scenario described above, a firewall rule is installed for each subnetwork that rejects additional packets of the protocols FTP and HTTP from a data rate of 512 kbps upwards. For these rules the "observe further rules" option is activated. An additional rule for all stations of the LAN then rejects all packets which exceed the 1024 kbps limit.

VPN rules
A VPN rule can receive its information about source and destination network from firewall rules. By activating the option "This rule is used to create VPN rules" for a firewall rule, you determine that a VPN rule will be derived from this firewall rule.

Apart from this basic information, a firewall rule answers the question when and/or to what it should apply and which actions should be executed.
... set-up phase. In the corresponding operation mode the WLAN link LED blinks faster the better the reception quality in the respective antenna position is. When configuring the WLAN link LED, the operation mode in which the LED is to be used must be set.

The "Link LED function" selection in the physical WLAN settings (WLAN interface > Operation) offers:
- Count of connections (default)
- Client signal strength (only meaningful in client WLAN mode)
- P2P 1 to P2P 6 signal strength (signal strength between this station and the respective point-to-point partner access point)
- All signal strength
All signal strength selections are shown by blink frequency: the faster the LED blinks, the better the connection is.

  Configuration tool   Call
  LANconfig            WLAN interfaces > Physical WLAN settings > Operational
  WEBconfig/Telnet     Expert configuration > Setup > Interfaces > WLAN > Operation

Link LED function (default: number of connections)

Number of connections
In this operation mode the LED uses inverse flashing in order to display the number of WLAN clients that are logged on to this access point. There is a short pause after the number of flashes for each client. Select thi
... significantly impair the effective signal power. The object not only screens off a portion of the Fresnel zone, but the resulting reflections also lead to a significant reduction in signal reception.

The radius R of Fresnel zone 1 is calculated with the following formula, assuming that the signal wavelength λ and the distance d between transmitter and receiver are known:

    R = 0.5 * sqrt(λ * d)

The wavelength in the 2.4 GHz band is approx. 0.125 m, in the 5 GHz band approx. 0.05 m.

Example: With a separating distance of 4 km between the two antennae, the radius of Fresnel zone 1 in the 2.4 GHz band is 11 m, in the 5 GHz band 7 m.

To ensure that Fresnel zone 1 remains unobstructed, the height of the antennae must exceed that of the highest obstruction by this radius. The full height of the antenna mast M is therefore

    M = R + 1 m + H + E

with a safety margin of 1 m, the obstruction height H and the allowance E for the earth's curvature (the manual's figure shows these quantities on a link between the administration and production buildings).

The allowance for the curvature of the earth E at a distance d (in km) is

    E = d^2 * 0.0147

i.e. at a distance of 8 km this is almost 1 m.

Example: With a distance of 8 km between the antennae, the Fresnel radius is 0.5 * sqrt(0.125 m * 8000 m), approx. 16 m, in the 2.4 GHz band and 0.5 * sqrt(0.05 m * 8000 m) = 10 m in the 5 GHz band, so the antennae must be mounted approx. 18 m (2.4 GHz) or 12 m (5 GHz) above the level of the highest obstruction. (Inserting the 4 km radii of the previous example, 11 m and 7 m, would give 13 m and 9 m, which is too little for an 8 km path.)

Antenna power
The
... signal at the radio module.

The calculation of the power over the path begins at the transmitter's radio module. The radio module in the BAT access points in 802.11a mode emits the following power levels (dBm) depending on the channel used and the data transmission rate:

  Mbps          5.150-5.250 GHz   5.250-5.350 GHz   5.470-5.725 GHz   5.725-5.850 GHz
  6             17                17                17                17
  9             17                17                17                17
  12            17                17                17                17
  18            17                17                17                17
  24            17                17                17                17
  36            14                14                14                14
  48            13                13                13                13
  54            12                12                12                12
  72 (Turbo)    14 *              14 *              14 *              14 *
  96 (Turbo)    13                13                13                13
  108 (Turbo)   12                12                12                12

  * The 72 Mbps row is illegible in the source; 14 dBm is inferred from the 36 Mbps row, since each other Turbo rate carries the same power as the rate it doubles.

To achieve a data transmission rate of 24 Mbps, the radio module emits a power of 17 dBm.

Note: The data transmission rate is set according to the reception power. A WLAN module has an input sensitivity equivalent to a power level of, for example, -80 dBm. If the received power falls below this level, a lower data rate is switched in, which corresponds to an improved sensitivity (a lower required power level).

Outdoor wireless connections are usually realised with external antennae and extension cables, together with lightning protection for safety. The power loss from the cable is approx. 1 dB per metre. A cable 4 m long thus reduces the power by 4 dB; the lightning protection and the various plug connections lead to the loss of a further 1 dB. Thus th
... site separately, because the mapping applies after routing. For the remote site, the stations or networks are reachable with their mapped addresses.

Example (LANconfig, NAT table, new entry):
  Destination remote site:   ZENTRALE
  Original source address:   10.0.0.0
  Netmask:                   255.255.255.0
  Mapped source address:     192.168.1.0

WEBconfig, Telnet
Under WEBconfig and Telnet you find the NAT table for the configuration of N:N mapping at the following positions of the menu tree:

  WEBconfig          Expert configuration > Setup > IP-router > NAT-table
  Terminal/Telnet    /Setup/IP-router/NAT-table

When starting a new entry under WEBconfig (Expert Configuration > Setup > IP-router module > NAT table), the NAT table shows up as follows:

  Src-Address      10.0.0.0
  Src-Mask         255.255.255.0
  Dst-Station      COMPANY B
  Mapped-Network   192.168.1.0

11.10 Establishing connection with PPP
Hirschmann routers also support the point-to-point protocol (PPP). PPP is a generic term for a whole series of WAN protocols which enable the interaction of routers made by different manufacturers, since this protocol is supported by practically all manufacturers. Due to the increasing importance of this protocol family and the fact that PPP is not associated with any specific operating mode of the routers
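The N:N mapping entry above, as an added example that is not code from the BAT manual or LCOS: the local network 10.0.0.0/24 is presented to the remote site ZENTRALE as 192.168.1.0/24. The point the manual makes, that the mapping applies after routing, is modelled by translating only packets whose route target is the configured remote site; the host part of the address is carried over unchanged, and packets arriving from that site are translated back. Class and method names are this example's own.

```python
"""N:N source address mapping applied after the routing decision (added example)."""
from ipaddress import ip_address, ip_network


class NatTableEntry:
    """One row of the NAT table: original network, mapped network, destination station."""

    def __init__(self, dst_station, src_address, src_mask, mapped_network):
        self.dst_station = dst_station
        self.original = ip_network(f"{src_address}/{src_mask}")
        # The mapped network uses the same mask, so host parts line up one-to-one.
        self.mapped = ip_network(f"{mapped_network}/{src_mask}")
        if self.original.prefixlen != self.mapped.prefixlen:
            raise ValueError("original and mapped network must have the same size")

    @staticmethod
    def _shift(addr, from_net, to_net):
        """Move an address from one network to the other, keeping the host part."""
        host_part = int(addr) - int(from_net.network_address)
        return ip_address(int(to_net.network_address) + host_part)

    def map_source(self, route_target, src_ip):
        """Outbound: rewrite the source only if the packet is routed to this entry's remote site."""
        src = ip_address(src_ip)
        if route_target != self.dst_station or src not in self.original:
            return src
        return self._shift(src, self.original, self.mapped)

    def unmap_destination(self, arriving_from, dst_ip):
        """Inbound from the remote site: translate the mapped destination back to the real one."""
        dst = ip_address(dst_ip)
        if arriving_from != self.dst_station or dst not in self.mapped:
            return dst
        return self._shift(dst, self.mapped, self.original)


def build_example_entry():
    """The entry from the dialog above."""
    return NatTableEntry("ZENTRALE", "10.0.0.0", "255.255.255.0", "192.168.1.0")


if __name__ == "__main__":
    entry = build_example_entry()
    print(entry.map_source("ZENTRALE", "10.0.0.5"))        # 192.168.1.5
    print(entry.map_source("OTHER_SITE", "10.0.0.5"))      # 10.0.0.5, route target differs
    print(entry.unmap_destination("ZENTRALE", "192.168.1.5"))  # 10.0.0.5
```

Because the translation is tied to the route target, a second remote site with its own entry can map the same local network to a different address range without the entries interfering.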
... special priority. All packets of this queue, of the secured queue and of the standard queue now share the existing bandwidth. When sending, the packets are taken from the queues in exactly the same sequence in which they were placed into them. When the interval runs out, all blocks which are still in Urgent queue II at that time are placed again into Urgent queue I, up to the minimum bandwidth assigned in each case; the rest remains in Urgent queue II. This procedure guarantees that prioritized connections do not crush the remaining data traffic.

Secured queue
This queue does not have a separate priority. However, packets in this queue are never dropped (transmission guaranteed):
- packets with ToS "High Reliability"
- packets with DiffServ "Assured Forwarding"

Standard queue
The standard queue contains all data traffic that is not classified. Packets in this queue are dropped first when packets cannot be delivered fast enough.

The queue concept can only work when a congestion of data packets has accumulated at the interface from LAN to WAN. Such a congestion is created when the interface within the BAT can submit fewer data to the WAN than are delivered in peak periods from the LAN. This is e.g. the case if the interface to the WAN is an integrated ADSL interface with a comparatively low upstream transmission speed. The int
... stations is saved in the accounting table with entries for the connection time and the transferred data volume. Using accounting snapshots, accounting data can be regularly saved at specific times for later evaluation.

12.4 Accounting

Configuring accounting
When configuring accounting, the general parameters must be defined (LANconfig: Configure > Management > Costs > Accounting). Accounting information can be used to determine which stations and users have established connections and transferred data. The dialog offers:
- Collect accounting information
- Discriminator: how to assign, i.e. sort, the accounting information (e.g. by MAC address)
- Accounting snapshot: whether the device should regularly store an accounting snapshot
- Store accounting information in flash ROM
- Charge and time monitoring

  Configuration tool   Call
  LANconfig            Management > Costs
  WEBconfig/Telnet     Expert configuration > Setup > Accounting

Collect accounting information: Turns accounting on or off.

Store accounting information in flash ROM: Turns storage of the accounting data in flash memory on or off. Accounting data saved to flash will not be lost in the event of a power outage.

Discriminator: Selection of the feature according to which the accounting data are to be gathered.
  MAC address: The data are collected according to the client's MAC
... support when using your BAT product.

In case you encounter any errors or just want to submit criticism or enhancement requests, please do not hesitate to send an email directly to info@hirschmann.com.

2 System design

2.1 Introduction
The BAT operating system LCOS is a collection of different software modules; the BAT devices themselves have different interfaces to the WAN and LAN. Depending on the particular application, data packets flow through different modules on their way from one interface to another.

The following block diagram illustrates in abstract the general arrangement of BAT interfaces and LCOS modules. In the course of this user manual the descriptions of the individual functions refer to this illustration to show important connections of the particular applications and to deduce the resulting consequences. The diagram can thus explain for which data streams the firewall comes into play or, in the case of address translations (IP masquerading or N:N mapping), at which place which addresses are valid.

[Block diagram: LAN interfaces, VPN services, IP router with load balancing and IP redirect; assignment of the interfaces via the switch]
The table describes the conditions and actions available in a QoS rule. Conditions: action only for a DiffServ code point (e.g. BE); action only for the default route (e.g. Internet); action only for sent packets; action only for received packets. Actions: grant a minimum bandwidth (kbit per second, per connection or global); fragmentation of other packets (maximum packet size in bytes); reduction of the PMTU. Matching packets are routed preferentially.

WEBconfig, Telnet
For configuration with WEBconfig or Telnet, the interpretation of the data transfer direction is specified in a new firewall rule by the parameters R (receive), T (transmit/send) and W (reference to the WAN interface):

  Configuration tool   Run
  WEBconfig            Setup > IP-router > Firewall > Rule-list
  Telnet               /Setup/IP-router/Firewall/Rule-list

A restriction of data transfer to 16 kbps in sending direction, applying to the physical WAN interface, is e.g. made by the following firewall rule action:

    %Lcdstw16 %d

9.7.5 Reducing the packet length
The length reduction of the data packets is defined by a firewall rule according to the following conditions:

The reduction refers to all packets which will be sent to the interface and which do not correspond to the rule. Not packets of ce
... techpaper "Performance Analysis of BAT Routers". The time for transmission via the Internet depends on the distance (about 1 ms per 200 km) and on the routers passed on the way (about 1 ms per hop). This time can be approximated by half the average ping time to the remote station.

The jitter buffer can be adjusted directly at many IP telephones, e.g. as a fixed number of packets to be used for buffering. The telephones then load up to 50% of the configured packets and afterwards begin to replay. The jitter buffer delay therefore corresponds to half of the entered packet count multiplied by the sampling time of the codec.

Conclusion
The total delay is composed as follows for the respective bandwidth, a ping time of 100 ms to the remote station and a jitter buffer of 4 packets for both codecs in this example:

  Codec     Processing   Serialization   Propagation   Jitter buffer   Sum
  G.723.1   30 ms        32 ms           50 ms         60 ms           172 ms
  G.711     20 ms        32 ms           50 ms         40 ms           142 ms

The transfer time of the packets to the interface (serialization) assumes a PMTU of 512 bytes on a 128 kbps connection (512 * 8 bit / 128 kbit/s = 32 ms). Therefore, for slower interfaces or other codecs it may be necessary to adjust the jitter buffers and/or PMTU values.

Note: Please notice that these bandwidths are required in the sending as well as in the receiving direction, and for one single connection only.

9.6 QoS in sending or receiving direction
For controlling data transfer by means of QoS one can select whether
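The delay budget above, as an added example that is not code from the BAT manual: it reproduces the manual's table (PMTU 512 bytes on a 128 kbit/s link, 100 ms ping, 4-packet jitter buffer) from the four components and then turns the manual's closing advice into a check, computing the largest PMTU that still keeps the one-way delay under a target. The 150 ms target is the commonly used ITU-T G.114 figure and is an assumption of this example, not a value from the page.

```python
"""VoIP one-way delay budget: processing + serialization + propagation + jitter buffer (added example)."""
import math

# Sampling (frame) time per codec in ms; this is also the processing delay in the manual's table.
CODEC_SAMPLE_MS = {"G.723.1": 30, "G.711": 20}


def serialization_ms(pmtu_bytes, link_kbps):
    """Time to clock one packet of pmtu_bytes onto a link of link_kbps."""
    return pmtu_bytes * 8 / link_kbps


def propagation_ms(ping_ms):
    """One-way propagation is approximated by half the round-trip ping time."""
    return ping_ms / 2


def jitter_buffer_ms(buffer_packets, codec):
    """Phones fill half the configured buffer before playback starts, so the
    delay is half the packet count times the codec's sampling time."""
    return buffer_packets / 2 * CODEC_SAMPLE_MS[codec]


def delay_budget(codec, pmtu_bytes, link_kbps, ping_ms, buffer_packets):
    """All components in ms plus their sum, as in the manual's table."""
    parts = {
        "processing": CODEC_SAMPLE_MS[codec],
        "serialization": serialization_ms(pmtu_bytes, link_kbps),
        "propagation": propagation_ms(ping_ms),
        "jitter_buffer": jitter_buffer_ms(buffer_packets, codec),
    }
    parts["total"] = sum(parts.values())
    return parts


def max_pmtu_for_target(codec, link_kbps, ping_ms, buffer_packets, target_ms=150):
    """Largest PMTU (bytes) that keeps the one-way delay within target_ms, or 0 if
    the fixed components (codec, propagation, jitter buffer) alone already exceed it."""
    fixed_ms = CODEC_SAMPLE_MS[codec] + propagation_ms(ping_ms) + jitter_buffer_ms(buffer_packets, codec)
    available_ms = target_ms - fixed_ms
    if available_ms <= 0:
        return 0
    return math.floor(available_ms * link_kbps / 8)


if __name__ == "__main__":
    for codec in ("G.723.1", "G.711"):
        budget = delay_budget(codec, 512, 128, 100, 4)
        print(codec, budget, "-> max PMTU for 150 ms:", max_pmtu_for_target(codec, 128, 100, 4))
```

With the manual's parameters G.711 stays under 150 ms but G.723.1 does not; on the 128 kbit/s link the G.723.1 call only fits if the PMTU is reduced to 160 bytes, which illustrates why the manual says PMTU and jitter buffer may need adjusting together.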
... terminated by new input.

  Command                     Description
  sleep [-u] value[suffix]    Delays processing of the configuration commands for a certain time or until a certain time. As a suffix, s, m or h stands for seconds, minutes or hours; without suffix the command works in milliseconds. With the option switch -u, the sleep command expects a time of the form MM/DD/YYYY hh:mm:ss (English) or DD.MM.YYYY hh:mm:ss (German). A date as parameter is only accepted if the system time is set.
  stop                        Stops a running ping.
  set <path> <value(s)>       Sets a configuration item to the specified value. If the item is a table entry, multiple values must be given, one for each table column. A "*" as a value indicates that the column in question should be left at its previous value.
  set <path> ?                Shows which values are allowed for a configuration item. If <path> is empty, this is displayed for each item in the current directory.
  setenv <NAME> <VALUE>       Sets an environment variable.
  unsetenv <NAME>             Removes an environment variable.
  getenv <NAME>               Reads out an environment variable (no newline).
  printenv                    Dumps all environment variables.
  show <options>              Shows internal data. Run "show ?" for a list of available items, e.g. boot history, firewall filter rules, VPN rules and memory usage.
  sysinfo                     S
... the former DFS.

Danger: In principle, the operator of the WLAN is responsible for complying with the new ETSI standards. For this reason Hirschmann recommends that you update to a firmware version with DFS 2 support.

Note: In the 2.4 GHz band two separate wireless networks should be at least five channels apart (e.g. channels 1, 6 and 11) so that their roughly 22 MHz wide channels do not overlap; networks only three channels apart still interfere with each other.

Compatibility mode
Two different wireless standards are based on the 2.4 GHz band: IEEE 802.11b with a transfer rate of up to 11 Mbps and IEEE 802.11g with up to 54 Mbps. When 2.4 GHz is selected as the frequency band, the data transfer speed can be set as well.

Note: Clients supporting only the slower standards may not be able to register with the WLAN if the speeds set here are higher.

The 802.11g/b compatibility mode offers the highest possible speeds and yet also supports the 802.11b standard, so that slower clients are not excluded. In this mode the WLAN card in the access point principally works with the faster standard and falls back to the slower mode when a client of this type logs into the WLAN. In the 2 Mbit compatible mode the access point supports older 802.11b cards with a maximum transmission speed of 2 Mbps.

Turbo mode
Using two neighbouring vacant channels for wireless transmissions can increase the transfer speeds up to 108 Mbps. S
... the respective rule applies to the sending or to the receiving direction. But which direction counts as sending and which as receiving for a given data transfer depends on the point of view. The following two variants apply:
- The direction corresponds to the logical connection setup.
- The direction corresponds to the physical data transfer over the respective interface.

The difference becomes clear when looking at an FTP transfer. A client in the LAN is connected to the Internet through a BAT.
- During an active FTP session the client uses the PORT command to tell the server on which port the DATA connection is expected. As a result the server establishes the connection to the client and sends the data in the same direction. In this case the logical connection as well as the real data stream over the interface go from the server to the client, and the BAT takes both as the receiving direction.
- Different is the case of a passive FTP session. Here the client itself establishes the data connection to the server. The logical connection setup thus goes from client to server, but the data transmission over the physical interface flows in the reverse direction, from server to client.

With standard settings a BAT assumes the sending or receiving direction depending on the logical connection setup. Because such a point of view may not be easy to follo
... the data traffic. The firewall works in principle like a door keeper for data packets: each packet is checked whether it may pass the door of the network (the firewall) in the desired direction or not. For such a check different criteria are used, called rules or policies in the common language of firewalls. Depending on the kind of information which is used for creating the rules and which is checked during the operation of the firewall, one distinguishes different types of firewalls.

8.2 What is a Firewall
Above all, the aspect of the central positioning is very important: only when the entire data traffic between inside and outside goes through the firewall can it fulfil its task reliably under all circumstances. Each alternative path can reduce or even nullify the security of the firewall. This central position of the firewall, by the way, also simplifies maintenance: one firewall as the common passage between two networks is certainly easier to maintain than a personal firewall on each of the workstations belonging to the LAN.

Note: In principle firewalls operate at the interconnection between two or more networks. For the following explanation we only look, as an example, at the passage between the local network of a company and the Internet. These explanations can, however, be transferred in a general manner to other network constellations.
... the peer list, or "Looser" when configuring via WEBconfig, terminal program or Telnet. The callback party selects "Call back the remote site (fast procedure)" in the peer list and enters the calling number, or "fast" when configuring via WEBconfig, terminal program or Telnet.

Note: For fast callback using this method the number list for answering calls must be kept up to date at both ends.

11.13.3 Callback with RFC 1570 (PPP LCP extensions)
The callback as per RFC 1570 is the standard method for calling back routers of other manufacturers. This protocol extension describes five possibilities for requesting a callback. All versions are recognized by the BAT; all versions are processed in the same way, however: the BAT drops the connection after authenticating the remote station and then calls back the station a few seconds later.

Configuration
For callback as per PPP you select the option "Call back the remote site" in LANconfig, or "Auto" with configuration via WEBconfig, terminal program or Telnet.

Note: For callback as per PPP the number list for answering calls in the BAT must be up to date.

11.13.4 Overview of configuration of callback function
The following options are available in the peer list under WEBconfig and terminal program (Telnet) for the callback function. With this you set up the callback in this manner: entry
... the transmission operation. Even during operation, a check is run to see if a primary application such as a radar device is using this channel. This exploits the fact that radars frequently work according to the rotation method, whereby a tightly bundled directional signal is transmitted by a rotating antenna; a remote receiver perceives the radar signal as a short pulse (radar peak). If a device receives such a radar peak, it interrupts the transmission operation and monitors the channel for further pulses. If additional radar peaks occur during the COT, a new channel is selected automatically. Such a check has to take place every 24 hours, which is why interrupting the data transmission for 60 seconds is unavoidable.

DFS is stipulated for the frequency ranges 5250-5350 MHz and 5470-5725 MHz; it is optional for the frequency range 5150-5250 MHz.

Transmission Power Control (TPC)
Dynamically adjusting the transmission power is intended to reduce interference from radio technology; it facilitates the shared use of the 5250-5350 MHz and 5470-5725 MHz frequency bands with satellite services. TPC should cause an average reduction in the transmission power of at least 3 dB compared with the maximum permitted transmission power. TPC determines the minimum transmission power necessary to maintain the connection with the partner, such as an access point. If
... their level of detail: first all specific rules are considered, afterwards the general ones (e.g. Deny All). Examine the filter list in case of complex rule sets, as described in the following section.

8.3.8 Configuration of Firewall rules

Firewall wizard
The fastest method to configure the firewall is provided by the firewall wizard in LANconfig (Setup Wizard > Check security settings / Add Firewall Rule). The wizard asks which data packets the new firewall rule applies to: either all services/protocols, or only certain services/protocols selected from:
- World Wide Web (HTTP, HTTPS)
- Terminal access (Telnet)
- Mail and News (SMTP, POP3, NNTP)
- Layer-2 tunnel (PPTP)
- File transfers (FTP)
- Name resolution (DNS)
- Windows network (NetBIOS via IP)
- Virtual Private Network (VPN, IPSec)
- Custom protocols (Edit custom protocols)

LANconfig
The filters can be installed very comfortably with LANconfig. Starting from the general register card Firewall/QoS > Rules you rea
... to devices released in this way is not transferable.

Configuring the TCP/HTTP tunnel
The following parameters are available for configuring HTTP tunnels in the BAT:

  Configuration tool   Call
  WEBconfig/Telnet     Expert configuration > Setup > HTTP

Max tunnel connections
The maximum number of simultaneously active HTTP tunnels.
  Values: max. 255 tunnels
  Default: 3 tunnels

Tunnel idle timeout
Life expectancy of an inactive tunnel. After expiry of this time period the tunnel closes automatically unless data transfer is actively taking place. Keep this value short: until it expires, an idle tunnel remains an open path to the released device.
  Values: max. 4294967295 seconds
  Default: 300 seconds

Create the TCP/HTTP tunnel
HTTP tunnels are set up on the start page of WEBconfig:
1. In WEBconfig, log on to the BAT router behind which the device to be released is located. If necessary, obtain the required login data from the responsible administrator.
2. In the area Extras, select the entry "Create TCP/HTTP Tunnel". (The start page groups File Handling: Edit List of Allowed SSH Public Keys, Download Certificate or File, Upload Certificate or File; Firmware Handling: Perform a Firmware Upload; Extras: Show/Search Other Devices, Get Device SNMP MIB, Enable Software Option, Create TCP/HTTP Tunnel.)
... two different variants of this marking, ToS and DiffServ, can, simply described, assume the following states:
- ToS "Low Delay"
- ToS "High Reliability"
- DiffServ "Expedited Forwarding"
- DiffServ "Assured Forwarding"

Note: In the case of a VPN route, the IP header bits of the ToS resp. DiffServ field are also copied into the enclosing IP header of the IPSec VPN packet. Thus QoS is also available for VPN routes over the Internet, as long as your provider treats such packets preferentially in the WAN as well. Bear in mind that the copied marking also tells an observer on the WAN which traffic class the encrypted packet carries.

When the application itself has no possibility to mark the data packets appropriately, the BAT can ensure the correct treatment. For this it uses the existing functions of the firewall, which can classify data packets e.g. according to subnets or services (applications). Due to these functions it is e.g. possible to treat the data packets of an FTP connection, or those of a certain department in a separate subnet, individually. For the treatment of data packets classified by the firewall, the following two possibilities can be chosen:
- Guaranteed minimum bandwidth
- Limited maximum bandwidth

9.2 Which data packets to prefer

What is DiffServ?
DiffServ stands for Differentiated Services and is a quite recent model to signal the priority of data packets. DiffServ is based on the known Type-of-Service (ToS) field and uses the same byte within the IP header. T
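How the four marking states listed above are read out of the single ToS/DiffServ byte and mapped onto the send queues described in the QoS chapter (urgent, secured, standard), plus the effect of copying the byte into the IPsec outer header, as an added example that is not code from the BAT manual or LCOS. The bit positions are those of RFC 791/1349 (ToS) and RFC 2474/2597/3246 (DiffServ); assigning Low Delay and EF to the urgent queue and High Reliability and AF to the secured queue follows the queue description on this page. The `copy_to_outer` switch is this example's device for showing the note's consequence, not a BAT setting.

```python
"""Classify the IP ToS/DiffServ byte into the BAT's send queues (added example)."""

TOS_LOW_DELAY = 0x10          # ToS bit D (RFC 1349)
TOS_HIGH_RELIABILITY = 0x04   # ToS bit R (RFC 1349)
DSCP_EF = 46                  # Expedited Forwarding code point, 101110b (RFC 3246)


def dscp_of(tos_byte):
    """DiffServ reuses the ToS byte: the code point is its upper six bits."""
    return (tos_byte >> 2) & 0x3F


def is_assured_forwarding(dscp):
    """AF code points have the form cccdd0 with class 1..4 and drop precedence 1..3 (RFC 2597)."""
    af_class, drop_precedence = dscp >> 3, (dscp >> 1) & 0b11
    return dscp & 1 == 0 and 1 <= af_class <= 4 and 1 <= drop_precedence <= 3


def classify(tos_byte, interpretation):
    """Return 'urgent', 'secured' or 'standard' for one packet's ToS byte.

    interpretation is 'tos' (RFC 1349 flag bits) or 'diffserv' (DSCP); the same
    byte value means different things under the two readings, so the caller must say
    which marking scheme the sender uses."""
    if interpretation == "tos":
        if tos_byte & TOS_LOW_DELAY:
            return "urgent"
        if tos_byte & TOS_HIGH_RELIABILITY:
            return "secured"
    elif interpretation == "diffserv":
        dscp = dscp_of(tos_byte)
        if dscp == DSCP_EF:
            return "urgent"
        if is_assured_forwarding(dscp):
            return "secured"
    else:
        raise ValueError("interpretation must be 'tos' or 'diffserv'")
    return "standard"


def outer_tos_for_vpn(inner_tos, copy_to_outer=True):
    """The BAT copies the inner ToS/DiffServ byte into the IPsec outer header so that
    the provider can prioritise the tunnel packet. Without the copy the outer packet
    is best effort, which hides the traffic class from observers but also loses the
    WAN-side prioritisation."""
    return inner_tos if copy_to_outer else 0x00


def queue_for_vpn_packet(inner_tos, interpretation, copy_to_outer=True):
    """Queue that a provider applying the same rules would pick for the outer packet."""
    return classify(outer_tos_for_vpn(inner_tos, copy_to_outer), interpretation)


if __name__ == "__main__":
    # Constructed sample bytes: EF (0xB8), AF11 (0x28), ToS Low Delay (0x10), ToS High Reliability (0x04)
    for byte in (0xB8, 0x28, 0x10, 0x04, 0x00):
        print(f"0x{byte:02X}: tos={classify(byte, 'tos')}, diffserv={classify(byte, 'diffserv')}")
    print("EF over VPN, byte copied:", queue_for_vpn_packet(0xB8, "diffserv"))
    print("EF over VPN, byte not copied:", queue_for_vpn_packet(0xB8, "diffserv", copy_to_outer=False))
```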
... unobstructed, the height of the antennae must exceed that of the highest obstruction by this radius. The full height of the antenna mast M is

    M = R + 1 m + H + E

with a safety margin of 1 m, the obstruction height H and the allowance E for the earth's curvature, as depicted in the manual's figure.

The height of the earth's curvature E is calculated from the distance d (in km):

    E = d^2 * 0.0147

Even at a distance of 8 km this results in almost 1 m.

Example: With a distance of 8 km between the antennae, the Fresnel radius is approx. 16 m in the 2.4 GHz band and 10 m in the 5 GHz band, so the antennae must be mounted approx. 18 m (2.4 GHz) or 12 m (5 GHz) above the level of the highest obstruction. (Inserting the 4 km radii of the earlier example, 11 m and 7 m, would give 13 m and 9 m, which is too little for an 8 km path.)

3.8.2 Antenna power
The power of the antenna must be high enough to ensure acceptable data transfer rates. On the other hand, the country's legal limitations on transmission power must not be exceeded.

The calculation of effective power considers everything from the radio module in the transmitting access point to the radio module in the receiving access point. In between there are attenuating elements, such as the cable, plug connections and even the air, and amplifying elements, such as the external antennae.

[Figure: output power of the transmitting radio module; loss through cable, plugs and lightning protection; amplification with antenna gain; free-space loss; amplification with antenna gain; loss through cable, plugs and lightning protection; input
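The Fresnel-zone and mast-height formulas given above and in the earlier Fresnel-zone passage, carried through as an added example that is not code from the BAT manual: R = 0.5 * sqrt(λ * d) for the radius of Fresnel zone 1 at mid-path, E = d^2 * 0.0147 for the earth's curvature (d in km, E in m) and M = R + 1 m + H + E for the mast height. The band-to-wavelength values and the 1 m safety margin are the manual's; the clearance check is this example's addition.

```python
"""Fresnel zone 1 clearance and mast height for a point-to-point WLAN link (added example)."""
import math

# Approximate wavelengths used in the manual.
WAVELENGTH_M = {"2.4 GHz": 0.125, "5 GHz": 0.05}


def fresnel_radius_m(wavelength_m, distance_m):
    """Radius of Fresnel zone 1 at the mid-point of the path: R = 0.5 * sqrt(lambda * d)."""
    return 0.5 * math.sqrt(wavelength_m * distance_m)


def earth_curvature_m(distance_km):
    """Bulge of the earth over the path: E = d^2 * 0.0147 (d in km, E in metres)."""
    return distance_km ** 2 * 0.0147


def required_clearance_m(band, distance_km, safety_margin_m=1.0):
    """Height by which the antennas must exceed the highest obstruction: R + safety margin + E."""
    radius = fresnel_radius_m(WAVELENGTH_M[band], distance_km * 1000.0)
    return radius + safety_margin_m + earth_curvature_m(distance_km)


def mast_height_m(band, distance_km, obstruction_height_m, safety_margin_m=1.0):
    """Full mast height M = R + 1 m + H + E."""
    return obstruction_height_m + required_clearance_m(band, distance_km, safety_margin_m)


def link_is_clear(band, distance_km, antenna_height_m, obstruction_height_m):
    """True if antennas at antenna_height_m keep Fresnel zone 1 free of the obstruction."""
    return antenna_height_m >= mast_height_m(band, distance_km, obstruction_height_m)


if __name__ == "__main__":
    # The manual's examples: 4 km radii, then mast height over an 8 km path.
    for band in WAVELENGTH_M:
        print(band, "R at 4 km:", round(fresnel_radius_m(WAVELENGTH_M[band], 4000), 1), "m")
        print(band, "mast above obstruction at 8 km:", round(mast_height_m(band, 8, 0), 1), "m")
    # Constructed site: 10 m high obstruction mid-path, 8 km link, 20 m masts.
    print("5 GHz link clear with 20 m masts:", link_is_clear("5 GHz", 8, 20, 10))
```

The clearance grows with the square root of the distance but the curvature allowance with its square, so on long paths the earth term, small at 8 km, quickly dominates.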
... via the default route (e.g. Internet).
Denied for WAN: The firewall re-establishes the session only if the packet was not received over one of the WAN interfaces.
Always allowed: The firewall re-establishes the connection in principle if the packet belongs to a former connection of the connection list.

Ping blocking
One not undisputed method to increase security is hiding the router, based loosely on the motto "Who doesn't see me doesn't try to attack me". Many attacks begin with a search for workstations and/or open ports by apparently harmless inquiries, e.g. with the help of the ping command or with a port scan. Each answer to these inquiries, even the answer "I'm not here", indicates to the attacker that he has found a potential target, because anybody who answers must exist. In order to prevent this conclusion, the BAT is able to suppress the answers to these inquiries: it can be instructed not to answer ICMP echo requests any more. At the same time the TTL-exceeded messages of a traceroute are also suppressed, so that the BAT can be found neither by ping nor by traceroute. Note that this hides the router only from these probes; any service answering on an open TCP or UDP port still reveals it. Possible settings are:
  Off                  ICMP answers are not blocked.
  Always               ICMP answers are always blocked.
  WAN only             ICMP answers are blocked on all WAN connections.
  Default route only   ICMP answers are blocked on the default route (usually Internet).
... which are not explicitly allowed remain forbidden. Only with this strategy can the administrator be sure not to have forgotten an access method, because only those accesses exist which he has explicitly opened himself.

We recommend setting up the Deny-All rule before connecting the LAN via a BAT to the Internet. Then you can analyse in the logging table (started e.g. via LANmonitor) which connection attempts have been blocked by the firewall. With the help of this information the firewall and the Allow rules can be gradually extended. Some typical applications are shown in the following.

Note: All filters described here can be installed very comfortably with the firewall wizard and, if necessary, be further refined with e.g. LANconfig.

Example configuration: Basic Internet

  Rule name              Source                                   Destination    Action     Service (target port)
  ALLOW_HTTP             Local network                            All stations   transmit   HTTP, HTTPS
  ALLOW_FTP              Local network                            All stations   transmit   FTP
  ALLOW_EMAIL            Local network                            All stations   transmit   MAIL, NEWS
  ALLOW_DNS_FORWARDING   IP address of the BAT or local network   All stations   transmit   DNS
  DENY_ALL               All stations                             All stations   reject     ANY

If you want to permit a VPN dial-in to a BAT acting as VPN gateway, then you need a firewall rule allowing incoming communication from the client to the local network: ALLOW_VPN_DIAL_IN, remote sit
... with compatible wireless interfaces, they both can communicate directly via radio. This simplest use is the so-called ad-hoc mode (only in the IEEE 802.11b or IEEE 802.11g standard). In ad-hoc networks you connect two or more PCs with their own wireless interfaces directly together to build a Wireless LAN. This operation mode is generally called a peer-to-peer or spontaneous network: PCs can immediately get in touch and exchange data.

The infrastructure network
By using one or more base stations (also called access points) a Wireless LAN becomes more comfortable and more efficient. A Wireless LAN with one or more base stations is referred to as an infrastructure network in Wireless LAN terminology.

Note: In some devices the access point is built in (so-called WLAN router).

Interesting applications arise for the Wireless LAN from the LAN connection of base stations:
- Connecting the Wireless LAN to an existing LAN
- Extending the coverage of a Wireless LAN
Additionally, the use of a base station enables a central administration of the Wireless LAN.

Connection to an existing LAN
An infrastructure network is ideally suited as an extension to existing wired LANs. For the extension of a LAN in areas where wiring is not possible or uneconomical, the infrastructure network represents an ideal alternative. [Figure: base station connecting the wired LAN and the wireless cell] Larger exte
144. with the first packet. If over the current connection 8 kbit (%Lcds8) are transferred in one second, then all further packets up to the expiration of that second will be silently discarded (%d), thus automatically creating a Traffic Shaping. If 100 packets for the server (destination address of the connection) arrive in one second (%Lgbs100), then the remote host (source address) is locked for 10 minutes (%h10) and an email is sent to the administrator (%m).

Similar to the address and service objects of the object table, action objects can be given a name and can be combined arbitrarily and recursively, whereby the maximum recursion depth is limited to 16. In addition, they can be entered directly into the action field of the rule table.

When building the actual filter table, action objects get minimized, similarly to the address and service objects, to the smallest necessary number, i.e. multiple definitions of an action get eliminated and contradictory actions are turned into the safest. Thus, e.g., %a (accept) and %d (drop) become only %d, and %r (reject) and %d become %r.

8.3.9 Firewall diagnosis: All events, conditions and connections of the Firewall can be logged and monitored in detail. The most comfortable inspection is accomplished by displaying the logging table (see below) with LANmonitor. LANmonitor displays under Firewall the last
145. work goes down when starting the compatibility mode, even if only 802.11b stations are near to your base station. [table residue: network name, ANY, closed network, 802.11g only, SAME, BM bit inactivated] When these 802.11b stations start to be activated in a wireless network with operating compatibility mode, the actual transfer rate will fall again. That's why you should only activate the compatibility mode when you really have operating 802.11b and 802.11g stations in your wireless network.

Note: Please notice that not all frequencies are permitted in each country. You will find a table with the allotted frequencies and the permission regulations in the appendix.

3.1.2 Operation modes of Wireless LANs and base stations: Wireless LAN technology and base stations in Wireless LANs are used in the following operation modes:
- Simple direct connections between terminals without base station (ad-hoc mode, only with 2.4 GHz)
- Larger Wireless LANs, connection to LANs with one or more base stations (infrastructure network)
- Connecting two LANs via a direct radio link (point-to-point mode, point-to-multipoint)
- Connecting devices with Ethernet interface via base stations (client mode)
- Extending an existing Ethernet network with WLAN (bridge mode)
- Multiple radio cells with one access point (Multi-SSID)

The ad-hoc mode: When two terminals are equipped
146. working as desired.

Remote monitoring and remote control of networks: Remote maintenance and control of networks become more and more important because of the possibilities given by VPN. With the use of the nearly ubiquitous broadband Internet connections, the administrator of such management scenarios is no longer dependent on the different data communication technologies or on expensive leased lines.

[figure: N:N mapping scenario. Customer A: office 1 (10.1.2.x/255.255.255.0), office 2 (10.1.3.x/255.255.255.0) and headquarters (10.1.x.x/255.255.0.0), connected via gateways and VPN tunnels; Customer B: office 1 (10.1.2.x/255.255.255.0), further office (10.1.3.x/255.255.255.0) and headquarters (10.1.x.x/255.255.0.0); Customer C: hot spot (e.g. 172.16.10.11) and gateway (e.g. 172.16.10.x/255.255.255.0), with 80.123.123.123 as public and 172.16.10.11 as internal address; service provider network 172.16.10.x/255.255.255.0]

In this example a service provider monitors the networks of different clients from a central control. For this purpose the SNMP-capable devices should send the respective traps of important events automatically to the SNMP trap addressee (e.g. LANmonitor) of the network of the
147. 0. Hirschmann recommends using the High Encryption Pack or at least Internet Explorer 5.5 with Service Pack 2 or above.

Access to the device over WEBconfig: For the usage of WEBconfig the PC must be connected to the LAN or WAN over TCP/IP. WEBconfig runs with the help of a web browser and accesses the device either with the IP address of the BAT, with the name of the device (if already assigned), or with any desired name in case the device has not been configured yet.

The reaction of Routers and Access Points, as well as their accessibility for configuration via web browser, depends on whether a DHCP server and a DNS server are already active in the LAN and whether these two server processes exchange the assignment of IP addresses to symbolic names within the LAN between each other.

After being powered on, unconfigured BAT devices first check whether a DHCP server is already active in the LAN. Depending on the situation, the device is able to switch on its own DHCP server or, alternatively, to activate its DHCP client mode. In this second operating mode the device itself can obtain an IP address from a DHCP server already existing in the LAN.

Network without DHCP server: In a network without DHCP server, unconfigured BAT devices activate their own DHCP server service after starting and assign appropriate IP addresses and
148. 0.1.140.154:0 to 10.1.80.125:0, Packet rejected. 3/12/2003 14:25:44 intruder detection: Packet of protocol 0 from 10.1.80.180:0 to 10.1.80.125:0, Packet rejected.

[LANmonitor screenshot: device overview of a LANCOM 1621 ADSL/ISDN with the sections VPN connections, System information (device, firmware version, serial number, MAC address, location, administrator, date and time, system up time), WAN interfaces (ADSL modem: handshaking, line type, line code, line mode, upstream/downstream rate, signal-to-noise ratio; ISDN: S0 bus active, TEI assigned, layer 2 active; DSL over LAN: link state), total charge per service and total online time per router interface]

The information that can be taken from the overview includes, among others, details about active WAN connections, the five most recent firewall messages, the current VPN connections and system information about charges and online times.

5.6 Display functions in LANmonitor: Right-clicking with the mouse on a device in LANmonitor opens up a
149. 10 Virtual LANs (VLANs)

10.1 What is a Virtual LAN

The increasing availability of inexpensive layer 2 switches enables the setup of LANs much larger than in the past. Until now, smaller parts of a network had been combined with hubs. These individual segments (collision domains) had been united via routers into larger sections. Since a router always represents a border between two LANs, several LANs with their own IP address ranges arose from this structure.

By using switches it is possible to combine many more stations into one large LAN. By the specific control of data on the individual ports, the available bandwidth can be utilized much better than by using hubs, and the configuration and maintenance of routers within the network can be omitted.

But a network structure based on switches also has disadvantages:
- Broadcasts are sent, as with hubs, over the entire LAN, even if the respective data packets are only important for a certain segment of the LAN. A sufficient number of network stations can thus lead to a clear reduction of the available bandwidth in the LAN.
- The entire data traffic on the physical LAN is public. Even if single segments are using different IP address ranges, each station of the LAN is theoretically able to tap data traffic from all logical networks on the Ethernet segment. The protection of individual LAN segments with Firewalls or routers again increases the requirements on network administr
150. 048 entries, that is, it allows 2048 simultaneous transmissions between the masked and the unmasked network. After a specified period of time the router, however, assumes that the entry is no longer required and deletes it automatically from the table.

Configuration of the inverse masquerading: The service table for setting inverse masquerading can be reached in LANconfig in the configuration area IP Router on the tab Masq.

[LANconfig screenshot: Configuration > IP Router > Masq. tab with the masquerading options (TCP aging, UDP aging, ICMP aging, IPSec aging 2000, Fragment aging 5) and the inverse masquerading service list. Dialog text: "You can make individual services available to people outside your network by specifying each service in this list." Example entry: First port 3389, Last port 3389, Intranet address 192.168.2.11, Map port 12345, Entry active Yes]

Under WEBconfig or Telnet the parameters for setting inverse masquerading can be found as follows: WEBconfig: Expert Configuration > Setup > IP router > Masquerading > Service ta
151. (row cut off) | ...100 | 12

| DSCP name | Binary | Decimal |
| --- | --- | --- |
| AF13 | 001110 | 14 |
| AF21 | 010010 | 18 |
| AF22 | 010100 | 20 |
| AF23 | 010110 | 22 |
| AF31 | 011010 | 26 |
| AF32 | 011100 | 28 |
| AF41 | 100010 | 34 |
| AF42 | 100100 | 36 |
| AF43 | 100110 | 38 |
| EF | 101110 | 46 |
| CS2 | 010000 | 16 |
| CS3 | 011000 | 24 |
| CS4 | 100000 | 32 |
| CS5 | 101000 | 40 |
| CS6 | 110000 | 48 |
| CS7 | 111000 | 56 |

9.2.1 Guaranteed minimum bandwidths: Hereby you give priority to enterprise-critical applications, e.g. Voice over IP (VoIP) PBX systems, or to certain user groups.

For BAT devices with VoIP functions that were already integrated or added with a software option, the QoS settings for SIP calls are defined automatically.

Full dynamic bandwidth management for sending: Concerning the sending direction, the bandwidth management takes place dynamically. This means that, e.g., a guaranteed minimum bandwidth is only available as long as the corresponding data transfer really exists. An example: For the transmission of VoIP data of an appropriate VoIP gateway, a bandwidth of 256 Kbps is always to be guaranteed. Thereby each individual VoIP connection consumes 32 Kbps. As long as nobody telephones, the entire bandwidth is at the disposal of other services. Per additional VoIP connection, 32 Kbps less is available to other applications, until 8 VoIP connections are active. As soon as a VoIP connection is terminated, the corresponding bandwidth is available again to a
152. 11.9 N:N mapping

Network Address Translation (NAT) can be used for several different matters:
- for better utilizing the IPv4 addresses, which are becoming ever scarcer;
- for coupling networks with the same private address ranges;
- for producing unique addresses for network management.

In the first application the so-called N:1 NAT, also known as IP masquerading (IP masquerading, page 369), is used. All addresses (N) of the local network are mapped to only one (1) public address. This clear assignment of data streams to the respective internal PCs is generally made available by the ports of the TCP and UDP protocols. That's why this is also called NAT/PAT (Network Address Translation/Port Address Translation).

Due to the dynamic assignment of ports, N:1 masquerading enables only those connections which have been initiated by the internal network. Exception: an internal IP address is statically exposed on a certain port, e.g. to make a LAN server accessible from the outside. This process is called inverse masquerading (Inverse masquerading > page 372).

An N:N mapping is used for network couplings with identical address ranges. This transforms unambiguously multiple addresses (N) of the local network to multiple (N) addresses of another network. Thereby an address conflict can be resolved. Rules for this address translation are defined in a static table in the BAT. Thereby new addresses are assigned to single stati
153. [LANconfig screenshot: 802.11i/WEP tab. The logical wireless networks 1 to 8 are listed with their encryption method (Off, WEP64 (40 bit) with default key 0x0000000000, or 802.11i (WPA)-AES); the dialog offers "Activate 802.11i Enhanced Security with Advanced Encryption Standard (WPA-AES) or Standard Wired Equivalent Privacy (WEP)" per WLAN interface, the WPA or Private WEP settings (Method 802.11i (WPA)-PSK, Key 1 length, Key 1 passphrase, WPA Session Key Type AES) and the note "This is where you can specify for each physical wireless interface those WEP group keys 2 to 4 that are used"]

Configuration with WEBconfig or Telnet: The encryption settings for the individual logical WLAN networks can be found under WEBconfig or Telnet under the following paths: WEBconfig: Expert configuration > Setup > Interfaces > WLAN-Interfaces > Encryption-Settings. Terminal/Telnet: Setup/Interfaces/WLAN-Interfaces/Encryption-Settings.

3.7.5 LEPS for P2P connections: A further gain in security can be attained by additionally using BAT Enhanced Passphrase Security (LEPS), which involves the matching of MAC ad
154. 2 WLAN clients must be entered as follows on the RADIUS server: The user name is the MAC address in the format AABBCC-DDEEFF. The password for all users is identical to the key (shared secret) for the RADIUS server.

12.9.3 Configuring RADIUS as server: In addition to its function as RADIUS authenticator or NAS, a BAT access point can also operate as a RADIUS server. When in this mode, information in the device on users authorized to register is made available to other access points in Authenticator mode.

RADIUS server parameters: When configuring the RADIUS server, a definition is needed of which authenticator can access the RADIUS server, the password required for this access, and the open port that is to be used to communicate with the RADIUS server. The authentication port applies globally for all authenticators.

Configuration tool / Call: LANconfig: WLAN security > RADIUS. WEBconfig, Telnet: Expert configuration > Setup > Radius > Server.

Authentication port (default: 0): Specify here the port used by the authenticators to communicate with the RADIUS server in the BAT access point. Port 1812 is normally used. Port 0 disables the RADIUS server.

In addition to the port, 16 authenticators that are allowed to communicate with the RADIUS server may be entered here. Entries are made in the corresponding table with the following parameters: IP
155. 2.1x will be supported as of LCOS version 3.52.

3.3 Protecting the wireless network

A wireless LAN does not, like a conventional LAN, use cable as the transmitting medium for data transfer, but the air instead. As this medium is openly available to any eavesdropper, the screening of the data in a WLAN is an important topic. Depending on how critical WLAN security is for your data, you can take the following steps to protect your wireless network:
- Activate the Closed network function. This excludes all WLAN clients using "Any" as the SSID and those that do not know your network SSID (Network settings, page 79).
- Do not use your access point's default SSID. Only take a name for your SSID that cannot be guessed easily. The name of your company, for example, is not a particularly secure SSID (Network settings, page 79).
- If you know exactly which wireless network cards are permitted to access your WLAN, you can enter the MAC addresses of these cards into the access control list, thus excluding all other cards from communications with the access point. This reduces access to the WLAN to only those clients with listed MAC addresses (Access Control List > page 54).
- Use encryption on the data transferred in the WLAN. Activate the strongest possible encryption available to you (802.11i with AES, WPA or WEP) and enter the ap
156. 2.8.2 Example application 495
12.8.3 Configuration 498
12.9 RADIUS 500
12.9.1 How RADIUS works 502
12.9.2 Configuration of RADIUS as authenticator or NAS 502
12.9.3 Configuring RADIUS as server 509
12.10 Extensions to the RADIUS server 511
12.10.1 New authentication method 511
12.10.2 EAP authentication 512
12.10.3 RADIUS forwarding 513
12.10.4 RADIUS server parameters 515
12.11 RADSEC 517
12.11.1 Configuring RADSEC for the client 517
12.11.2 Certificates for RADSEC 518
13 Appendix 519
13.1 Error messages in LANmonitor 519
13.1.1 General error messages 519
13.1.2 VPN error messages 519
13.2 SNMP Traps 523
13.3 Radio channels 524
13.3.1 Radio channels in the 2.4 GHz frequency band 524
13.3.2 Radio channels in the 5 GHz frequency band 524
13.3.3 Radio channels and frequency ranges for Indoor and Outdoor operating 526
13.4 RFCs supported 528
13.5 Glossary 529
14 Index 533

1 Preface

User manual installation and user manual configuration: The documentation of your device consists of two parts: the user manual installation and the user manual configuration. The hardware of the BAT devices is documented in the respective user manual installation. Apart from a description of the specific feature set of the different models, you find in the user manual installation information about interfaces and displa
157. Index

Protocol: PPTP 439
Port 373
Port Address Translation 425
PPP 211, 368, 531: callback functions 440; checking the line with LCP 436; IP address assignment 437; LCP Extensions 443
PPPoE 369
PPTP 33, 439, 531
Precedence 313
Preshared key 34
Private WEP settings 58
Project management 166
Protection for the configuration 237
Protocol filter 55
PSK 34

Q
QoS 319, 531: Direction of data transfer 324; VLAN tag 333
Qos, see Quality of Service
Quality of Service 311: 802.11e 333; Queues 315; Secured queue 316; Standard queue 316; Urgent queue 315; Urgent queue II 315

R
Radio cell 27
Radio frequency 530
RADIUS 38, 517, 531: WLAN access list 511
RADIUS server 84, 510, 515
RADSEC 517
Range 24, 27
RC4 34, 531

Further index entries (page numbers not recoverable): Redirect; Remote access; Remote configuration; Remote control; Remote maintenance with N:N mapping; Remote ID; Repetitions; Reset switch; RFC; RFCs; RIP; Roaming; Rogue AP detection; Rogue client detection; Roll out; Router; Router name; RSA; RTS threshold; RTS/CTS protocol; RX rate; S: Scheduled Events; Scripting commands; SDSL; Security checklist settings; Security settings; Serial port; Server; Signal quality display via LEDs; SINA; SMTP; Smurf; SNMP; SNMP Trap; SNMP ID
158. [p. 291, Firewall: 8.3 The BAT Firewall]

Action table: As described above, a Firewall action consists of condition, limit, packet action and further measures. In the action table, Firewall actions are composed as any combination of the following elements.

Conditions:

| Condition | Description | Object ID |
| --- | --- | --- |
| Connect filter | The filter is active when no physical connection to the packet destination exists. | %c |
| DiffServ filter | The filter is active when the packet contains the indicated Differentiated Services Code Point (DSCP) (Evaluating ToS and DiffServ fields > page 325). | %d plus DSCP |
| Internet filter | The filter is active when the packet is received or will be transmitted via the default route. | %i |
| VPN filter | The filter is active when the packet is received or will be transmitted via a VPN connection. | %v |

If no further actions are specified in a connect or Internet filter, then implicitly a combination of these filters with the reject action is assumed.

Limits/Trigger: Each Firewall action can be tied together with a limit whose excess leads to the triggering of the action. Several limits for a filter can thereby build action chains. Limit objects are generally introduced by %L followed by:
- Reference: per connection (c) or globally (g)
- Kind: Data rate (d), number of packets (p) or packet rate (b)
- Value of the limit
- Further parameters, e.g. period and quantity

The follo
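The DSCP table above and the DiffServ filter condition (a filter that is active only when a packet carries the configured code point) both come down to reading six bits out of the IPv4 ToS byte. The following Python is an added example, not code from the manual or from Hirschmann: it derives the PHB names from the DiffServ code point layout (AFxy = 8x + 2y, CSx = 8x, EF = 46), splits the ToS byte of a constructed IPv4 header into DSCP and ECN, and evaluates the filter match; the header builder and function names are assumptions.

```python
import struct
import ipaddress


def build_dscp_table() -> dict:
    """PHB names by DSCP value, derived from the code point layout
    (CSx = 8*x, AFxy = 8*x + 2*y, EF = 46) instead of being typed in;
    the values agree with the manual's table (AF41 = 34, EF = 46, CS7 = 56)."""
    table = {0: "CS0"}
    for x in range(1, 8):
        table[8 * x] = f"CS{x}"
    for x in range(1, 5):
        for y in range(1, 4):
            table[8 * x + 2 * y] = f"AF{x}{y}"
    table[46] = "EF"
    return table


DSCP_NAMES = build_dscp_table()


def dscp_binary(dscp: int) -> str:
    """Six-bit string as printed in the manual's table, e.g. 34 -> '100010'."""
    if not 0 <= dscp < 64:
        raise ValueError("DSCP is a 6-bit field")
    return format(dscp, "06b")


def make_ipv4_header(dscp: int, ecn: int, src: str, dst: str) -> bytes:
    """Constructed 20-byte IPv4 header (no options, checksum left at zero):
    version/IHL 0x45, then the ToS byte = DSCP in the upper six bits, ECN below."""
    tos = (dscp << 2) | (ecn & 0x3)
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, tos, 20, 0, 0, 64, 17, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )


def parse_tos(header: bytes):
    """Split the ToS byte (second header byte) into (dscp, ecn)."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    tos = header[1]
    return tos >> 2, tos & 0x3


def diffserv_filter_matches(header: bytes, wanted_dscp: int) -> bool:
    """The condition behind the DiffServ filter: active only when the packet
    carries exactly the configured code point (ECN bits are ignored)."""
    dscp, _ecn = parse_tos(header)
    return dscp == wanted_dscp


def classify(header: bytes) -> str:
    """Name the packet's code point; unassigned values are reported numerically."""
    dscp, _ = parse_tos(header)
    return DSCP_NAMES.get(dscp, f"DSCP {dscp}")


if __name__ == "__main__":
    voice = make_ipv4_header(46, 0, "10.1.2.1", "10.1.3.1")  # constructed addresses
    print(classify(voice), dscp_binary(46), diffserv_filter_matches(voice, 46))
```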
159. 2 Improvements from Rapid Spanning Tree

As mentioned above, the primary aim of RSTP is to accelerate the activation of network paths once an active connection has failed. RSTP achieves this by dispensing with the states "blocking" and "listening" to reduce the time required to update the network paths to just a few seconds. In case of a network path failure, not all of the links are blocked until the new topology has been calculated; instead, only the failed connections are unavailable for use.

RSTP also enables the administrator to configure information on network topology:
- A bridge port can be defined as an edge port. An edge port is the only bridge port leading to the connected LAN segment, i.e. no other bridges are connected to the LAN segment, but workstations or servers only, for example. As these ports cannot lead to loops, they change immediately into the forwarding state without waiting for the network topology to be determined. However, RSTP continues to monitor these ports: should BPDUs be unexpectedly received at an edge port due to another bridge being connected to the LAN, the ports automatically return to their normal state.
- A bridge port can also operate as a point-to-point link. In this case the port is directly connected with an additional bridge. Since no additional stations can occur between the two bridges, the switch into the forwarding state can take place faster.

In the ideal case RSTP immediately resorts to familiar
160. 11 Routing and WAN connections 353
11.1 General information 353
11.1.1 Bridges for standard protocols 353
11.1.2 What happens in the case of a request from the LAN 354
11.2 IP routing 355
11.2.1 The IP routing table 355
11.2.2 Policy-based routing 358
11.2.3 Local routing 361
11.2.4 Dynamic routing with IP RIP 362
11.2.5 SYN/ACK speedup 365
11.3 Configuration of remote stations 366
11.3.1 Peer list 366
11.3.2 Layer list 368
11.4 IP masquerading 369
11.4.1 Simple masquerading 370
11.4.2 Inverse masquerading 372
11.4.3 Free translation of TCP/IP ports on masked connections 375
11.4.4 De-Militarized Zone (DMZ) 376
11.4.5 Unmasked Internet access for server in the DMZ 377
11.5 Demilitarized Zone (DMZ) 379
11.5.1 Assigning interfaces to the DMZ 379
11.5.2 Assigning network zones to the DMZ 380
11.5.3 Address check with DMZ and intranet interfaces 381
11.6 Advanced Routing and Forwarding 382
11.6.1 Introduction 382
11.6.2 Defining networks and assigning interfaces 386
11.7 Changes in other services
11.7.1 DHCP server
11.7.2 DHCP relay server
11.7.3 NetBIOS proxy
11.7.4 RIP
11.7.5 Automatic generation of VPN rules
11.7.6 Firewall rules for certain local networks
11.7.7 Virtual routers
11.7.8 Default routes filter
11.7.9 Extended port forwarding
11.7.10 IPX route
161. [p. 143, Configuration and management: New firmware with Hirschmann FirmSafe]

In contrast to the first option, the device will wait for the adjusted firmsafe timeout (using WEBconfig in the menu Expert Configuration > Firmware > Timeout-firmsafe; using Telnet, adjust with Firmware/Timeout-firmsafe) until it is logged on to over Telnet, a terminal program or WEBconfig. Only if this login attempt is successful does the new firmware remain active permanently. If the device no longer responds or it is impossible to log in, it automatically loads the previous firmware version and reboots the device with it.

Manual: With the third option you can define a time period during which you want to test the new firmware yourself. The device will start with the new firmware and wait for the preset period until the loaded firmware is manually activated and therefore becomes permanently effective. Activate the new firmware using LANconfig with Device > Firmware Management > Activate Firmware running in Test Mode; using Telnet under Firmware/Firmsafe-table with the command "set … active" (… is the position of the firmware in the firmsafe table). Using WEBconfig you can find the firmsafe table under Expert Configuration > Firmware. The mode for the firmware upload can be adjusted using WEBconfig in the menu Expert Configuration > Firmware > Mode-firmsafe; using Telnet under Firmware/Timeout-firmsafe
162. [figure: masquerading example. Internal station 10.0.0.100 using port 3456; router with internal IP 10.0.0.1 and public IP 80.146.74.146; masquerading table entry 10.0.0.100:3456]

Which protocols can be transmitted using IP masquerading? IP masquerading works for all IP protocols that are based on TCP, UDP or ICMP and communicate exclusively through ports. One example of this type of uncomplicated protocol is the one the World Wide Web is based on: HTTP. Individual IP protocols do use TCP or UDP, but do not, however, communicate exclusively through ports. This type of protocol calls for a corresponding special procedure for IP masquerading. Among the group of protocols supported by IP masquerading in the BAT are:
- FTP (using the standard ports)
- H.323 (to the same extent as used by Microsoft Netmeeting)
- PPTP
- IPSec
- IRC

Configuration of IP masquerading: The use of IP masquerading is set individually for each route in the routing table. The routing table can be reached as follows: Configuration tool / Run: LANconfig: IP router > Routing > Routing table. WEBconfig: Expert Configuration > Setup > IP router > IP routing table. Terminal/Telnet: Setup/IP-router/IP-routing-table.

11.4.2 Inverse masquerading: Simple masquerading has the effect that all IP addresses in the local network are masked behind the IP address of the router. But when using simple masquerading, if a certain computer on t
163. 5 Cable testing

You can test the cabling with the built-in cable tester of your BAT. Change under WEBconfig to the menu item Expert configuration > Status > Ethernet Ports > Cable test. Enter here the name of the interface to be tested, e.g. DSL1 or LAN-1 (pay attention to the correct spelling of the interfaces). Start the test for the specified interface by clicking on Execute.

[WEBconfig screenshot: Expert Configuration > Status > LAN statistics > Cable Test, with the prompt "Enter here any additional arguments for the command you are about to execute" and Arguments: DSL1]

Then change to the menu item Expert configuration > Status > Ethernet Ports > Cable test results. The results of the cable test for the individual interfaces show up in a list (Expert Configuration > Status > LAN statistics > Cable Test Results):

| Port | Rx Status | Rx Distance | Tx Status | Tx Distance |
| --- | --- | --- | --- | --- |
| DSL1 | open | 0 m | open | 0 m |
| LAN-1 | unknown | | unknown | |
| LAN-2 | unknown | | unknown | |
| LAN-3 | unknown | | unknown | |
| LAN-4 | unknown | | unknown | |

The following results can occur:
- OK: Cable plugged in correctly, line OK.
- open with distance 0 m: No cable plugged in, or interruption within less than 10 meters distance.
- open with indication of distance: Cable is plugged in but defective at the indicated distance.
- Impedance error: The pair of cables is not terminated with the correct impedance at the other end.
164. Routing of these different networks very quickly reaches its limits if two or more clients use the same address ranges. Additionally, if some clients use the same address range as the service provider as well, further address conflicts are added. In this example one of the hot spots of client C has the same address as the gateway of the service provider.

There are two different variants to resolve these address conflicts:

Loopback (decentralized 1:1 mapping): In the decentralized variant, alternative IP addresses for communicating with the SNMP addressee are assigned to each of the monitored devices by means of a 1:1 mapping. This address is, in technical language, also known as the loopback address, and the method accordingly as the loopback method.

Note: The loopback addresses are valid only for communication with certain remote stations on the connections belonging to them. Thus a BAT is not generally accessible via this IP address.

Alternative: central N:N mapping: Even more appealing is the solution of a central mapping: instead of configuring each single gateway in the branch networks, the administrator configures solely one central address translation in the gateway of the head office. On this occasion all subnetworks located behind the head office are also supplied with the needed new IP addresses. In this example the administrator of the service provider selects 10.2.x.x as the central address translation for th
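The address rewriting behind the central N:N mapping described here (and in the N:N mapping introduction, which states that the rules live in a static table and map N addresses onto N addresses of another network) keeps the host part of each address and exchanges the network prefix, so the mapped network stays unambiguous. The Python below is an added example, not the manual's or Hirschmann's code; the rule table layout, the peer names and the second rule are constructed assumptions, and only the 10.1.x.x to 10.2.x.x translation comes from the text.

```python
import ipaddress
from dataclasses import dataclass
from itertools import combinations

IPv4Address = ipaddress.IPv4Address
IPv4Network = ipaddress.IPv4Network


@dataclass(frozen=True)
class MappingRule:
    """One line of the static translation table (layout is an assumption)."""
    remote_station: str        # peer on whose connection the rule applies
    original: IPv4Network      # addresses as used inside the local network
    translated: IPv4Network    # addresses as seen by the remote station

    def __post_init__(self) -> None:
        # N:N keeps the host part, so both sides need the same prefix length;
        # a /32 on both sides is the 1:1 (loopback) case.
        if self.original.prefixlen != self.translated.prefixlen:
            raise ValueError("original and translated network must have equal size")


def _rebase(addr: IPv4Address, src: IPv4Network, dst: IPv4Network) -> IPv4Address:
    """Keep the host bits of addr (relative to src) and put them under dst's prefix."""
    host_bits = int(addr) & int(src.hostmask)
    return IPv4Address(int(dst.network_address) | host_bits)


def translate_outbound(src_ip: str, peer: str, rules) -> str:
    """Packet leaving toward `peer`: rewrite the source address if a rule matches."""
    addr = IPv4Address(src_ip)
    for rule in rules:
        if rule.remote_station == peer and addr in rule.original:
            return str(_rebase(addr, rule.original, rule.translated))
    return src_ip  # no rule for this peer/range: address passes unchanged


def translate_inbound(dst_ip: str, peer: str, rules) -> str:
    """Packet arriving from `peer` for a translated address: restore the real destination."""
    addr = IPv4Address(dst_ip)
    for rule in rules:
        if rule.remote_station == peer and addr in rule.translated:
            return str(_rebase(addr, rule.translated, rule.original))
    return dst_ip


def find_conflicts(rules):
    """Two rules for the same peer whose translated ranges overlap would make the
    mapping ambiguous; return the offending pairs so the table can be corrected."""
    return [
        (a, b) for a, b in combinations(rules, 2)
        if a.remote_station == b.remote_station and a.translated.overlaps(b.translated)
    ]


# Constructed table for the head-office gateway of customer A: the whole
# 10.1.x.x network is shown to the service provider as 10.2.x.x (from the text);
# the 1:1 rule toward a second peer is an assumed addition.
RULES = (
    MappingRule("PROVIDER", IPv4Network("10.1.0.0/16"), IPv4Network("10.2.0.0/16")),
    MappingRule("PARTNER", IPv4Network("10.1.0.5/32"), IPv4Network("192.0.2.5/32")),
)

if __name__ == "__main__":
    print(translate_outbound("10.1.2.17", "PROVIDER", RULES))  # 10.2.2.17
    print(translate_inbound("10.2.3.5", "PROVIDER", RULES))    # 10.1.3.5
    print(find_conflicts(RULES))                                # []
```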
165. [p. 253, Firewall: 8.2 What is a Firewall]

- Port numbers of source and destination
- MAC address

The rules defined in a packet-filter-orientated Firewall determine, e.g., whether the packets may pass on by a special IP address range into the local network, or whether packets should be filtered for special services, i.e. with special port numbers. By these measures the communication with certain workstations, with entire networks or via special services can be reduced or even prevented. Besides, the rules are combinable, so that, e.g., only workstations with special IP addresses get access to the Internet via the TCP port 80 while this service remains blocked for all other workstations.

The configuration of packet-filtering Firewalls is quite simple and the list with the permitted or forbidden packets can be extended very easily. Because the performance requirements of a packet filter can also be addressed with quite little means, packet filters are often directly implemented in routers, which operate as the interface between the networks anyway.

An unfavorable effect of packet filters is that the list of rules becomes uncomfortable after a while. Besides, for some services the connection ports are negotiated dynamically. To enable communication then, the administrator has to leave open all possibly used ports, which is contrary to the basic orientation of most security concepts. One example of a process which is quite problematical for simple pa
166. [Routing and WAN connections: 11.8 Load balancing]

11.8.1 DSL port mapping: A basic requirement for DSL channel bundling is the support of more than one DSL interface per device. This means that one or more external DSL modems are connected to the switch of a BAT router.

Allocation of switch ports to the DSL ports: Depending on the mode, devices with an integrated switch can enable some of the LAN ports to be used as additional WAN ports for connecting to external DSL modems. These ports are listed in the interface table as separate DSL interfaces (DSL-1, DSL-2, etc.). The DSL ports are activated as DSL interfaces in the WAN interfaces list, configured with the up- and downstream rates and allocated to the switch ports in the LAN interfaces list (example: BAT Wireless 1811DSL):

| Port | Allocation | Connectors | MDI mode | Private mode |
| --- | --- | --- | --- | --- |
| LAN-1 | LAN-1 | Auto | Auto | No |
| LAN-2 | LAN-1 | Auto | Auto | No |
| LAN-3 | LAN-1 | Auto | Auto | No |
| LAN-4 | LAN-1 | Auto | Auto | No |
| WAN | DSL-1 | Auto | Auto | No |

The column Port contains the description of the associated port as marked on the back cover of the device. The utilization of the port is listed in the column Allocation:
- None: The port is deactivated.
- LAN-1: The port is allocated to the LAN.
- DSL-1, DSL-2: The port is allocated to one of the DSL interfaces.
- Monitor: The port is a monitor port, i.e. everything received at the other ports is output via this port. A packet sniffer such
167. [p. 269, Firewall: 8.3 The BAT Firewall]

- Stations/Service: To which stations, networks and services (protocols) does the rule refer? (Page 271)
- Conditions: Is the effectiveness of the rule reduced by other conditions? (Page 272)
- Trigger: On exceeding which threshold shall the rule be triggered? (Page 272)
- Action: What should happen to the data packets when the condition applies and the limit is reached? (Page 273)
- Further measures: Should further measures be initiated apart from the packet action? (Page 273)
- Quality of Service (QoS): Are data packets of certain applications, or with the corresponding markings, transferred preferentially by assurance of special Quality of Service? (Page 274)

Note: Condition, limit, packet action and other measures together form a so-called action set. Each Firewall rule can contain a number of action sets. If the same trigger is used for several action sets, the sequence of action sets can be adjusted.

In section "How the BAT Firewall inspects data packets" (page 259) we have already described that in the end the lists for checking data packets are created from Firewall rules. Thus the extension of the block diagram looks as follows:

[figure: Structure of the Firewall rules, block diagram with the elements Host, Port, Connection, VPN services, IP Redirect, IPX over PPTP and VPN]
168. (end of the generated script) ... 8.6.8 224.0.0.0 224.0.0.255 255.255.255.255 No / Setup/Mail/SMTP-Port / Setup/Mail/POP3-Port / Setup/Mail/Send-Again <min> / Setup/Mail/Hold-Time <hrs> / set Setup/Mail/Buffers / flash Yes

From this example it is possible to recognise the behaviour of the script that was generated with the readscript command:
- First of all, the parameters with values different from the default settings are displayed.
- The values in the tables are deleted (del) and replaced with the current values of the configuration (add).
- Only those table entries or values which cannot be left empty are changed directly with the set command.

Note: The table lines or strings containing passwords are displayed in plain text, as this is the format required by the Telnet user interface. A saved script is therefore as sensitive as the device password itself and must be stored and transferred accordingly.

LANtools network management, 5.3 Scripting

This script can be used to program other BATs with exactly the same configuration as the original device. As these scripts can be very long in some cases, it is possible to generate scripts that cover only parts of the configuration. To do this, you first change to the directory with the configuration that is to be recorded, e.g. cd set/ip-router/firewall for the firewall settings, and then execute the readscript command. Alternatively, enter the path directly as a parameter of the readscript command, e.g. readscript set/ip-router/firewall. In both
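The three rules above (only non-default values, tables rebuilt with del/add, the rest via set, passwords in the clear) are easiest to see on a small model. The following is an added example and not the BAT firmware's readscript implementation; the configuration paths, table rows and the "flash No"/"flash Yes" wrapper lines are constructed sample data and assumptions made for the illustration.

```python
"""Model of readscript-style script generation (added example, not firmware code)."""

# Constructed sample data: scalar parameters keyed by path, plus tables keyed by
# path with one list of column values per row. None of it is a real device dump.
DEFAULTS = {
    "/Setup/Mail/SMTP-Port": "25",
    "/Setup/Mail/POP3-Port": "110",
    "/Setup/Config/Login-Errors": "5",
    "/Setup/Config/Lock-Minutes": "5",
}
CURRENT = {
    "/Setup/Mail/SMTP-Port": "587",        # differs from the default -> set
    "/Setup/Mail/POP3-Port": "110",        # equal to the default -> omitted
    "/Setup/Config/Login-Errors": "3",
    "/Setup/Config/Lock-Minutes": "5",
}
TABLES = {
    "/Setup/IP-Router/Firewall/Rules": [
        ["ALLOW-HTTP", "ANY", "HTTP", "ACCEPT"],
        ["DENY-ALL", "ANY", "ANY", "REJECT"],
    ],
    "/Setup/Config/Admins": [
        ["backup", "s3cr3t-pw", "Admin-RW"],   # column 1 is a password
    ],
}
PASSWORD_COLUMNS = {"/Setup/Config/Admins": 1}   # table path -> password column


def readscript(subtree="/", defaults=DEFAULTS, current=CURRENT, tables=TABLES):
    """Return the script lines for everything below `subtree`.

    - scalars: only values that differ from the default, written with `set`
    - tables: every table below the subtree is emptied with `del` and then
      refilled row by row with `add`
    The flash No / flash Yes wrapper is an assumption: it models writing the
    configuration to flash once at the end instead of after every line.
    """
    lines = ["flash No"]
    for path, value in current.items():
        if path.startswith(subtree) and defaults.get(path) != value:
            lines.append(f"set {path} {value}")
    for path, rows in tables.items():
        if path.startswith(subtree):
            lines.append(f"del {path}/*")
            for row in rows:
                lines.append(f"add {path} " + " ".join(row))
    lines.append("flash Yes")
    return lines


def plaintext_secrets(lines):
    """Passwords that appear in the clear in the script (the manual's note):
    whoever can read the script file can read these."""
    found = []
    for line in lines:
        for path, col in PASSWORD_COLUMNS.items():
            if line.startswith(f"add {path} "):
                found.append(line.split()[2 + col])
    return found


if __name__ == "__main__":
    for line in readscript("/Setup/Config"):
        print(line)
    print("plain-text passwords in script:", plaintext_secrets(readscript()))
```

Running readscript("/Setup/Config") yields the subtree script the manual describes for a narrowed readscript call; plaintext_secrets() shows why such a script must be handled as a credential.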
169. Contents (continued)

9.2 Which data packets to prefer
9.2.1 Guaranteed minimum bandwidths
9.2.2 Limited maximum bandwidths
9.3 The queue concept
9.3.1 Queues in transmission direction
9.3.2 Queues for receiving direction
9.4 Reducing the packet length
9.5 QoS parameters for Voice over IP applications
9.6 QoS in sending or receiving direction
9.7 QoS configuration
9.7.1 Evaluating ToS and DiffServ fields
9.7.2 Defining minimum and maximum bandwidths
9.7.3 Adjusting transfer rates for interfaces
9.7.4 Sending and receiving direction
9.7.5 Reducing the packet length
9.8 QoS for WLANs (IEEE 802.11e)
10 Virtual LANs (VLANs)
10.1 What is a Virtual LAN?
10.2 This is how a VLAN works
10.2.1 Frame tagging
10.2.2 Conversion within the LAN interconnection
10.2.3 Application examples
10.3 Configuration of VLANs
10.3.1 The network table
10.3.2 The port table
10.3.3 Configuration with LANconfig
10.3.4 Configuration with WEBconfig or Telnet
10.4 Configurable VLAN Protocol ID
10.5 Configurable VLAN IDs
10.5.1 Different VLAN IDs per WLAN client
10.5.2 Special VLAN ID for DSLoL interfaces
10.6 VLAN tags on layer 2/3 in the Ethernet
10.6.1 Configuring VLAN tagging on layer 2/3
10.7 VLAN tags for DSL interfaces
10.8 VLAN Q-in-Q tagging
170. ...LAN client applications to find the correct target computer in the LAN automatically. If a WLAN client's HTTP request from a particular logical wireless network is always to be directed to a particular server in the LAN, a filter setting with the Redirect action is set up for the appropriate protocol on the desired logical WLAN interface.

[Figure: logical wireless network on interface WLAN-1-2; HTTP request to 192.168.2.25; rule "Redirect HTTP from WLAN-1-2 to 10.0.0.99"]

All requests with this protocol from this logical wireless network are automatically redirected to the target server in the LAN. The returning data packets are sent to the senders' addresses and ports according to the entries in the connection statistics, ensuring trouble-free operation in both directions.

3.5.4 DHCP address tracking

DHCP address tracking keeps a record of which clients have received their IP addresses via DHCP. The relevant information for an interface is maintained automatically in a table under Status > LAN-Bridge-Statistics > DHCP-Table. DHCP tracking is enabled on an interface if at least one rule is defined for this interface in which DHCP Source MAC is set to Yes.

Note: The number of clients which may be connected to an interface via DHCP can be configured in the Port table under Setup > LAN-Bridge > Port
171. AES: Advanced Encryption Standard.
Access point: Base station in a wireless LAN; an independent LAN/WLAN bridge. Connects the stations of a LAN (local network) with a WLAN (wireless network) in point-to-multipoint mode, and connects two networks over a wireless network in point-to-point mode.
Access router: Active network component for connecting a local network to the Internet or to a company network.
ADSL: Asymmetrical Digital Subscriber Line; a transmission process for high-speed data transmission over normal telephone lines. With ADSL, downstream transmission of up to 6 Mbps can be implemented over normal telephone lines; for bidirectional transmission there is a second frequency band with transmission speeds of up to 640 kbps upstream, hence the name "asymmetric".
Bandwidth: Data rate with which a user can surf the Internet; the higher the bandwidth, the faster the connection.
Broadband: Service which provides high bandwidth, e.g. DSL or WLAN.
Bridge: Transport-protocol-independent, transparent network component; transmits all packets which are identified as not local and only understands the difference between local and remote. Works on layer 2 of the OSI model.
Broadcast: Broadcasts are packets to all stations of a local network; bridges transmit broadcasts, routers do not.
BSS: Basic Service Set.
CAPI: Common ISDN Application Programming Interface. CAPI is a standard for controlling
172. Wireless LAN (WLAN), 3.5 Extended WLAN protocol filters

3.5.2 Procedure for filter test

If no filter rules are defined for an interface, all packets from and destined to it are transmitted without alteration. As soon as a filter rule has been defined for an interface, all packets to be transferred via this interface are checked before being processed.

As a first step, the information required for checking is read out of the packets:
- DHCP source MAC
- Destination MAC address of the packet
- Protocol, e.g. IPv4, IPX, ARP
- Sub-protocol, e.g. TCP, UDP or ICMP for IPv4 packets; ARP Request or ARP Response for ARP packets
- IP address and network mask (source and destination) for IPv4 packets
- Source and destination port for IPv4 TCP or IPv4 UDP packets

As a second step, this information is checked against the information from the filter rules. All those rules in which the source or destination interface is included in the interface list are considered. Checking of the rules for the individual values is as follows:
- For DHCP source MAC, protocol and sub-protocol, the values read out of the packets are checked for consistency with the values defined in the rule.
- With IP addresses, the source and destination address of the packet are checked to see whether they lie within the range formed by the IP address and the network mask of the rule.
- Source and destination ports are checked to see whether they li
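The two-step check above, together with the Redirect action and connection statistics from section 3.5.3, can be modelled in a few dozen lines. This is an added example, not the BAT firmware's filter code: the rules, the packets (plain dictionaries) and the behaviour "no matching rule means the packet passes unchanged" are constructed assumptions; the manual only states what happens when no rule at all is defined for an interface.

```python
"""Model of the WLAN protocol filter test and the Redirect action (added example)."""
from ipaddress import ip_address, ip_network

# Constructed filter rules. None means "this field is not checked".
# Address ranges are the range formed by address and mask (network objects);
# ports are inclusive (low, high) ranges.
RULES = [
    {"name": "DHCP-TRACK", "interfaces": {"WLAN-1-2"}, "dhcp_source_mac": True,
     "protocol": "IPv4", "sub_protocol": "UDP", "src": None, "dst": None,
     "src_port": None, "dst_port": (67, 68), "action": "PASS", "target": None},
    {"name": "HTTP-REDIRECT", "interfaces": {"WLAN-1-2"}, "dhcp_source_mac": None,
     "protocol": "IPv4", "sub_protocol": "TCP", "src": ip_network("192.168.2.0/24"),
     "dst": None, "src_port": None, "dst_port": (80, 80),
     "action": "REDIRECT", "target": "10.0.0.99"},
]
# Connection statistics: (client address, client port, redirect target) -> original server
CONNECTIONS = {}


def extract(pkt):
    """Step one: read the checked fields out of the packet."""
    info = {"dhcp_source_mac": pkt.get("dhcp_source_mac", False),
            "protocol": pkt["protocol"], "sub_protocol": pkt.get("sub_protocol")}
    if pkt["protocol"] == "IPv4":
        info["src"], info["dst"] = ip_address(pkt["src"]), ip_address(pkt["dst"])
        if pkt.get("sub_protocol") in ("TCP", "UDP"):
            info["src_port"], info["dst_port"] = pkt["src_port"], pkt["dst_port"]
    return info


def matches(rule, info, interface):
    """Step two: the rule applies only if the interface is in its list, the
    exact-match fields agree, addresses lie inside the rule's ranges and ports
    lie inside the rule's port ranges."""
    if interface not in rule["interfaces"]:
        return False
    for key in ("dhcp_source_mac", "protocol", "sub_protocol"):
        if rule[key] is not None and rule[key] != info.get(key):
            return False
    for key in ("src", "dst"):
        if rule[key] is not None and (key not in info or info[key] not in rule[key]):
            return False
    for key in ("src_port", "dst_port"):
        rng = rule[key]
        if rng is not None and (key not in info or not rng[0] <= info[key] <= rng[1]):
            return False
    return True


def filter_packet(pkt, interface, rules=RULES):
    """Return (action, packet as it leaves the filter)."""
    applicable = [r for r in rules if interface in r["interfaces"]]
    if not applicable:                      # no rules on this interface: unaltered
        return "PASS", pkt
    info = extract(pkt)
    for rule in applicable:
        if matches(rule, info, interface):
            if rule["action"] == "REDIRECT":
                # remember where the client really sent the request
                CONNECTIONS[(pkt["src"], pkt["src_port"], rule["target"])] = pkt["dst"]
                return "REDIRECT", {**pkt, "dst": rule["target"]}
            return rule["action"], pkt
    return "PASS", pkt                      # assumption: no match, no change


def reverse_packet(pkt):
    """Returning traffic from the redirect target gets the original server
    address back as its source, so the client sees a consistent peer."""
    key = (pkt["dst"], pkt["dst_port"], pkt["src"])
    return {**pkt, "src": CONNECTIONS[key]} if key in CONNECTIONS else pkt
```

A constructed HTTP request from 192.168.2.40 to 192.168.2.25 on WLAN-1-2 comes out with destination 10.0.0.99, the same packet on LAN-1 (no rules) passes untouched, and the server's reply is rewritten from the connection table.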
173. ...MAC address or station name.
- Is the point-to-point mode of operation activated?
- Which access point is to be monitored? All of the base stations defined as P2P remote stations in the device concerned can be selected here.
- Are both antennas approximately aligned? The basic P2P connection has to be working before fine-tuning can be performed with the aid of LANmonitor.

Once signal monitoring has commenced, the P2P dialog displays the absolute values for the current signal strength and the maximum value since starting the measurement. The development of the signal strength over time and the maximum value are also displayed in a diagram.

[Dialog: Adjusting Point-to-Point WLAN Antennas. Check list: Is the P2P link configured at both ends? Which access point is to be reached? Are both antennas approximately aligned? Measurement: link signal strength, maximum]

Wireless LAN (WLAN), 3.7 IEEE 802.11i for point-to-point connections

Initially only one of the two antennas should be adjusted until a maximum value is achieved. This first antenna is then fixed, and the second antenna is adjusted to attain the best signal quality.

3.7.2 Configuration

In the configuration of point-to-point connections, entries have to be made for the point-to-point operation mode, the channel selection scheme and the MAC addresses
174. [Dialog: Configuration. Main device password; Number (MSN); Further administrators; Rights; Configuration login lock: lock configuration after ... errors, lock configuration for ... minutes; Configuration access ways, from remote networks: Telnet, TFTP, SNMP, HTTP each set to "only via VPN"; Access stations]

Here you can specify the access rights for each supported configuration protocol, and you can limit access to the unit to certain stations.

Note: If you want to remove network access to the router over the WAN completely, set the configuration access from remote networks to "denied" for all methods.

You can reach the configuration of the access list in WEBconfig or Telnet as follows:
WEBconfig: Expert Configuration > Setup > Config > Access-List
Terminal/Telnet: Setup/Config/Access-List

Security, 7.1 Protection for the configuration

Restriction of the network configuration access to certain IP addresses

With a special filter list, access to the internal functions of the devices can be limited to certain IP addresses. The configuration dialog with the access rights from local or remote networks can be opened with the button "Access stations".

[Dialog: Configure Management, General/Admin tab]
175. Configuration of the time server with WEBconfig or Telnet: When configuring with WEBconfig or Telnet you can find the required parameters in the following areas:
WEBconfig: Expert Configuration > Setup > NTP
Terminal/Telnet: cd Setup/NTP

12.6.3 Configuring the NTP clients

The NTP clients must be configured so that they use the time information from the BAT. Not all operating systems provide an integrated NTP client. Windows XP does; for other Windows operating systems a separate NTP client is required. Linux distributions have to be installed with NTP. The date and time settings of an XP system can be opened with a double-click on the clock in the taskbar, where you can select the server for synchronisation.

More services, 12.6 Time server for the local net

[Dialog: Date and Time Properties, Internet Time tab. "Automatically synchronize with an Internet time server"; Server: LC-VPN-internal; Update Now. "The time has been successfully synchronized with time.windows.com on 1/28/2004 at 6:15 AM. Next synchronization: 2/4/2004 at 6:14 AM. Synchronization can occur only when your computer is connected to the Internet."]

Configuring daylight saving time change according to UTC: BAT devices work internally with the coordinate
176. Configuration tool / Run:
LANconfig: Management > Admin > "Password required for SNMP read permission"
WEBconfig: Expert Configuration > Setup > SNMP > "Password required for SNMP read access"
Terminal/Telnet: setup/SNMP/password-required

7.1.2 Login barring

The configuration in the BAT is protected against brute-force attacks by barring logins. A brute-force attack is the attempt by an unauthorised person to crack a password in order to gain access to a network, a computer or another device. To achieve this, a computer can for example go through all the possible combinations of letters and numbers until the right password is found.

As a measure of protection against such attacks, the maximum allowed number of unsuccessful login attempts can be set. If this limit is reached, access will be barred for a certain length of time. If barring is activated on one port, all other ports are automatically barred too. Note that this also means anyone who can reach a configuration port and keeps sending wrong passwords can keep legitimate administrators locked out for the barring period, so login barring should be combined with the access restrictions of 7.1.3 rather than relied on alone.

The following entries are available in the configuration tools to configure login barring:
- Lock configuration after (Login errors)
- Lock configuration for (Lock minutes)

Security, 7.1 Protection for the configuration

Configuration tool / Run:
LANconfig: Management > Admin
WEBconfig: Expert Configuration > Setup > Config
Terminal/Telnet: Setup/Config

7.1.3 Restriction of the access rights on the configuration

Access to the internal functions of the devices can be restricted s
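The barring mechanism is easier to reason about with a small model: how many guesses an attacker can still make per hour with the two parameters above, and what the device-wide lock means for another port. This is an added example, not the BAT firmware's implementation; the one-guess-per-second attacker, the port names and the reset behaviour after the lock expires are assumptions.

```python
"""Model of login barring with 'Lock configuration after' / 'Lock configuration for'
(added example, not firmware code)."""


class LoginBarrier:
    """Counts failed logins across all configuration ports (Telnet, HTTP, SNMP,
    TFTP, ...). Reaching the limit bars every port for lock_minutes."""

    def __init__(self, login_errors=5, lock_minutes=5):
        self.login_errors = login_errors     # "Lock configuration after" (errors)
        self.lock_minutes = lock_minutes     # "Lock configuration for" (minutes)
        self.failures = 0
        self.barred_until = None             # seconds; None = not barred

    def is_barred(self, now):
        return self.barred_until is not None and now < self.barred_until

    def attempt(self, port, password, now, check):
        """Return 'ok', 'denied' or 'barred'. `check(password)` verifies the
        password; `now` is the current time in seconds."""
        if self.is_barred(now):
            return "barred"                  # applies to every port, not just `port`
        if self.barred_until is not None:    # lock expired: start counting afresh
            self.failures, self.barred_until = 0, None
        if check(password):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= self.login_errors:
            self.barred_until = now + self.lock_minutes * 60
        return "denied"


def guesses_possible(barrier, window_seconds, check=lambda pw: False):
    """Wrong guesses an attacker gets in `window_seconds` when trying one
    password per second against a device with the given barrier."""
    count = 0
    for t in range(window_seconds):
        if barrier.attempt("telnet", f"guess{t}", t, check) == "denied":
            count += 1
    return count


if __name__ == "__main__":
    print("guesses per hour, 5 errors / 5 minutes:", guesses_possible(LoginBarrier(5, 5), 3600))
    print("guesses per hour, barring off:", guesses_possible(LoginBarrier(10**9, 5), 3600))
```

With 5 errors and 5 minutes the attacker gets 60 guesses per hour instead of 3600; the same object also shows that a correct password on another port is rejected while the lock is active.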
177. ...IEEE 802.1x improves the security of WEP: 802.1x with dynamic re-keying limits how long any single WEP key is exposed, but it does not repair the WEP cipher itself, so 802.11i should be preferred wherever the clients support it. The IEEE 802.1x technology is already fully integrated in Windows XP; client software exists for other operating systems.

Wireless LAN (WLAN), 3.4 Configuration of WLAN parameters

Configuration with LANconfig: For the configuration with LANconfig you will find the IEEE 802.1x settings in the configuration area WLAN Security. This is where you decide whether you want to activate IEEE 802.1x. If IEEE 802.1x is activated, a RADIUS server must be defined for the IEEE 802.1x authentication.

[Dialog: Configure WLAN Security; tabs General, Stations, Protocols, 802.11i/WEP, IEEE 802.1x. Interface settings: "Specify login settings for each local area network interface"; Authentication via RADIUS; "You can manage the physical MAC addresses of LAN users in a central RADIUS server; in addition you can define your own RADIUS server for specific wireless LAN networks; for each RADIUS server given here a backup server can be specified"; Reauthentication required, Reauthentication interval 3,600 seconds; Enable dynamic re-keying, Re-keying interval 900 seconds; RADIUS server]

Configuration with WEBconfig or Telnet: Under WEBconfig or Telnet you will find the settings for IEEE 802.1x under the following paths:
Configuration tool / Menu/Table: WEBconfig: Exper
178. WEP group keys

Wired Equivalent Privacy (WEP) is a method for encrypting data for wireless transmission. WEP is considered broken today and should only be used for clients that cannot do 802.11i (see the encryption method selection). The WEP method uses keys of 40 (WEP64), 104 (WEP128) or 128 bits (WEP152) in length. Each WLAN interface has four WEP keys: a special key for each logical WLAN interface and three common group WEP keys for each physical WLAN interface.

Note: If 802.1x/EAP is in use and dynamic key generation and transmission is activated, the group keys from 802.1x/EAP are used and are consequently no longer available for WEP encryption.

Wireless LAN (WLAN), 3.4 Configuration of WLAN parameters

Rules for the entry of the keys can be found in the description of the WEP group keys ("Rules for entering WEP keys", page 62).

Configuration with LANconfig: The tab 802.11i/WEP in the configuration area WLAN Security is used for setting the three WEP keys 2 to 4. Open the list with the button "WEP Group Keys". These WEP keys apply to the physical WLAN interface and thus globally to all of the associated logical WLAN interfaces.

[Dialog: Configure WLAN Security, 802.11i/WEP tab. "You should activate Wired Equivalent Privacy (WEP) to encrypt all data transmissions in your wireless LAN"; "This is where you can make WEP settings for each logical wireless LAN network (MultiSSID)"; Key 2 length: 40 bit (WEP64); WEP Group Keys]
179. [Certificate upload table, continued]
- VPN: Device private key (*.key) [BASE64, unencrypted]
- VPN: Container as PKCS#12 file (*.pfx, *.p12) [requires passphrase]
- EAP/TLS: Root CA certificate (*.pem, *.crt, *.cer) [BASE64]
- EAP/TLS: Device certificate (*.pem, *.crt, *.cer) [BASE64] (uploaded 05.07.2008 22:59)
- EAP/TLS: Device private key (*.key) [BASE64, unencrypted]
- EAP/TLS: Container as PKCS#12 file (*.pfx, *.p12) [requires passphrase]
- RADSEC: Root CA certificate (*.pem, *.crt, *.cer) [BASE64]

Private keys uploaded as plain *.key files are unencrypted on the wire; perform such uploads only over a protected path (HTTPS or the VPN), or use the passphrase-protected PKCS#12 container instead.

Appendix, 13.1 Error messages in LANmonitor

It is possible to read out VPN error messages over LANmonitor.

13.1.1 General error messages
- Connection attempt cancelled
- Connection establishment failed (D channel, layer 1)
- Connection establishment failed (D channel, layer 2)
- Connection establishment failed (layer 1)
- Connection establishment failed (layer 2)
- ISDN line error (layer 1)
- Connection aborted (layer 2)
- Local error: bus activation failed, no UA on SABME (a/b ports); cable not connected (a/b ports); X.75 / V.110
- Required resource not available: ISDN problem, reboot the telecommunications system
- PPP login at remote site: PAP rejected. The remote device can only handle PAP, but CHAP is required
- PPP login from remote site: timeout (PPP PAP RX). The remote did not send a PAP request
- PPP login at remote site: timeout (PPP PAP TX). The remote did not respond to the PAP request
- PPP login from rem
180. WEBconfig: Expert Configuration > Setup > Interfaces > WLAN > Interfaces > Network-Settings
Terminal/Telnet: cd Setup/Interfaces/WLAN/Interfaces/Network-Settings

Transmission settings

Details for the data transfer over the logical interface are set on the Transmission tab.

[Dialog: Logical WLAN settings, WLAN network 1-2, Transmission tab. Packet size (byte); Minimum transmit rate: Auto; Maximum transmit rate: Auto; Broadcast rate: 2 Mbit; RTS threshold: 2,347 byte; Use long preamble for 802.11b]

Wireless LAN (WLAN), 3.4 Configuration of WLAN parameters

Packet size: Smaller data packets cause fewer transmission errors than larger packets, although the proportion of header information in the traffic increases, which reduces the effective throughput. Increase the factory value only if your wireless network is largely free from interference and very few transmission errors occur. Reduce the value to reduce the occurrence of transmission errors.

Minimum and maximum transmit rate: The access point normally negotiates the data transmission speeds with the connected WLAN clients continuously and dynamically, adjusting the transmission speeds to the reception conditions. As an alternative you can set fixed values for the minimum and maximum transmission speeds if you wish to prevent
181. ...TESTVPN 1060. TESTVPN-PPTP is a PPTP connection established over the VPN connection (PPTP > TESTVPN). The overhead for PPTP connections is 40 bytes, and consequently the MTU here is 1060 bytes.

Note: MTU lists and MTU statistics are only available for devices with a DSL or ADSL interface.

11.16 WAN RIP

In order for routes learned from RIP to be broadcast across the WAN, the respective remote stations can be entered into the WAN RIP table. Accepting RIP from a WAN peer lets that peer change this device's routing table, so only enter remote sites you trust. The WAN RIP table contains the following values:

Routing and WAN connections, 11.16 WAN RIP

Remote site: The name of the remote station.
RIP type: The RIP version with which the local routes are propagated.
RIP accept: Whether RIP from the WAN is to be accepted. The RIP type must be set for this.
Masquerade: Whether or not masquerading is performed on the connection and how it is carried out. This entry makes it possible to start WAN RIP even with an empty routing table. The following values are possible:
- Auto: The masquerade type is taken from the routing table (value 0). If there is no routing entry for the remote station, then masquerading is not performed.
- On: All connections are masqueraded (value 1).
- Intranet: IP masquerading is used for connections from the intranet; connections from the DMZ pass through transparently (value
182. ...TFTP resembles the following: <Master password>.<Command> or <User name>:<Password>.<Command>. Further information concerning TFTP commands and user rights can be found in "Rights for the administrators" (page 150) and "Access with TFTP" (page 152).

Loading firmware, script or device configuration over TFTP

Instead of loading firmware or configuration files onto a device with LANconfig or WEBconfig, Telnet or SSH can load these files directly from a TFTP server. Using a TFTP server simplifies the administration of regular firmware and/or configuration updates in large installations. For this purpose, firmware files and configuration files are provided on a TFTP server, which works similarly to an FTP server but uses a different protocol. The files on a TFTP server can be loaded with the following commands:
- LoadConfig
- LoadFirmware
- LoadScript

These commands can be used with the following parameters:
-s <server IP address or server name>
-f <directory and file name>

In directory and file name the following variables are permitted:

Configuration and management, 4.4 Configuration using different tools

- %m: LAN MAC address (hexadecimal, no separators)
- %s: serial number
- %n: device name
- %l: location
- %d: device type

Examples: The following example shows how a firmware file named LC-1811-5.00.0019.upx in the directory _COS 500
183. Index (continued; page numbers omitted)

E: ...H 10, Ethernet, Exclusion routes, Exposed host, Extensible Authentication Protocol
F: Fail, FHSS, Firewall, FirmSafe, Firmware, Firmware updates, Firmware upload (with LANconfig, with terminal program, with TFTP, with WEBconfig), Flash No mode, Flash ROM memory, Flash Yes mode, Flat rate, Fragrouter, Frame tagging, Frequency, Frequency band, Fresnel zone, FTP (active FTP, data transfer, download, passive FTP, TCP-secured transfer)
G: Gateway, GPRS backup connection, Gross data rate, Group configuration
H: HDLC, Hidden station, Host, Host name table, HotSpot, HTTPS, Hub
I: IAPP roaming, IBBS, IBSS, ICMP, ICMP polling, IDS, IEEE, IEEE 802.11, IEEE 802.11a, IEEE 802.11b, IEEE 802.11e, IEEE 802.11g, IEEE 802.11i, IEEE 802.1p, IEEE 802.1p/q, IEEE 802.1x/EAP, IEEE 802.3, Inband (configuration via, with Telnet), Indoor function, Install software, Internet, Internet access, Intranet, IP address assignment, Intrusion Detection, I
184. ...the IEEE 802.11a standard uses OFDM (Orthogonal Frequency Division Multiplexing) as its modulation scheme.

OFDM: In the 5 GHz frequency band the OFDM modulation scheme is used for IEEE 802.11a. OFDM is a modulation scheme which uses multiple independent carrier frequencies for the signal transmission and modulates each of these carriers with a reduced data transfer rate. The OFDM modulation scheme is therefore very insensitive to echoes and other impairments and enables high data transfer rates.

Turbo mode: In turbo mode, BAT Wireless Router base stations are able to use two radio channels simultaneously and can thus increase the transfer rate up to a maximum of 108 Mbps. Turbo mode can be used in conjunction with the IEEE 802.11a standard between BAT base stations and WLAN wireless network cards. The increase of the transfer rate must be switched on in the base station, but it can also reduce the transmitting power and the range of the radio connection.

IEEE 802.11b (11 Mbps): IEEE 802.11b describes the operation of local wireless LANs in the ISM frequency band (Industrial, Scientific, Medical; 2.4 up to 2.483 GHz). The maximum transfer rate is 11 Mbps. The real throughput depends however on the distance and/or on the quality of the connection. With increasing distance and diminishing connection quality the transmission rate drops to 5.5 Mbps, afterwards to 2 and finally to 1 Mbps. The range of the tr
185. ...ING command. A complete listing of the available commands for a particular device is obtained by entering ? at the command line.

Configuration and management, 4.4 Configuration using different tools

4.4.4 TFTP

Certain functions cannot be run at all, or not satisfactorily, with Telnet. These include all functions in which entire files are transferred, for example the uploading of firmware or the saving and restoration of configuration data. In this case TFTP is used.

TFTP is available by default under the Windows 2000 and Windows NT operating systems. It permits the simple transfer of files with other devices across the network. The syntax of the TFTP call depends on the operating system. With Windows 2000 and Windows NT the syntax is:

tftp -i <IP address|host> get|put <source> <target>

Note: With numerous TFTP clients the ASCII format is preset. Therefore, for the transfer of binary data (e.g. firmware) the binary transfer must usually be selected explicitly. This example for Windows 2000 and Windows NT shows how to achieve this with the -i parameter.

If the device is password protected, user name and password need to be inserted into the TFTP command. The file name is made up either of the master password and the command to be executed, or of the combined user name and password (separated by a colon) with the command as a suffix. Because TFTP has no encryption, this file name and therefore the password travel over the network in clear text, exactly as with Telnet; restrict TFTP and Telnet access to the local network or the VPN (see the configuration access ways in 7.1) and prefer SSH where it is available. Thus a command sent by T
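The file-name convention, the Windows tftp call and the LoadFirmware/LoadConfig variables from the TFTP section above can be generated from one device record. This is an added example and not a tool shipped with the device: the device record is constructed, the command names readconfig and writeconfig are assumed for illustration (the manual defers the command list to "Access with TFTP"), and the lower-casing of the MAC address in %m is an assumption.

```python
"""Builders for BAT/LANCOM-style TFTP file names and load commands (added example)."""
import re


def tftp_filename(command, master_password=None, username=None, password=None):
    """'<master password>.<command>' or '<user>:<password>.<command>'."""
    if master_password is not None:
        return f"{master_password}.{command}"
    if username is None or password is None:
        raise ValueError("need a master password or user name and password")
    return f"{username}:{password}.{command}"


def parse_tftp_filename(name):
    """Inverse of tftp_filename: what an observer on the path sees, namely the
    credential and the command, both in the clear."""
    credential, command = name.rsplit(".", 1)
    return credential, command


def expand(template, device):
    """Expand %m %s %n %l %d in a -f <directory and file name> template."""
    mapping = {
        "%m": re.sub(r"[:-]", "", device["mac"]).lower(),   # no separators (lower-case assumed)
        "%s": device["serial"],
        "%n": device["name"],
        "%l": device["location"],
        "%d": device["type"],
    }
    return re.sub(r"%[msnld]", lambda m: mapping[m.group(0)], template)


def load_firmware_command(server, template, device):
    """The LoadFirmware line as typed on the device's Telnet/SSH console."""
    return f"LoadFirmware -s {server} -f {expand(template, device)}"


def load_config_command(server, template, device):
    return f"LoadConfig -s {server} -f {expand(template, device)}"


def windows_tftp(host, direction, source, target):
    """tftp -i <host> get|put <source> <target>; -i selects binary mode."""
    if direction not in ("get", "put"):
        raise ValueError("direction must be 'get' or 'put'")
    return f"tftp -i {host} {direction} {source} {target}"


if __name__ == "__main__":
    # Constructed device record, not a real unit.
    dev = {"mac": "00:40:57:0F:B9:BF", "serial": "123456",
           "name": "bat-hall-1", "location": "Hall1", "type": "BAT54"}
    print(load_firmware_command("10.0.0.5", "firmware/%d/%m.upx", dev))
    print(load_config_command("10.0.0.5", "cfg/%n-%s.lcs", dev))
    print(windows_tftp("10.0.0.1", "get", tftp_filename("readconfig", master_password="secret"), "backup.lcf"))
    print(parse_tftp_filename("admin:pw.writeconfig"))
```

The same template can serve a whole fleet because %m, %s and %n are expanded per device; parse_tftp_filename() makes the clear-text credential problem visible.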
186. ...NetBIOS over IP. Authentication of the remote site: no active authentication (the remote site, for example your Internet Service Provider, can however do its own authentication); authenticate the remote site via PAP; via CHAP.

Along with the activation of the PPPoE server (LANconfig: Communication > General), further limitations, e.g. permissible MAC addresses, can also be defined in the PPPoE server. The example uses the existing entry DEFAULT with the MAC address 00:00:00:00:00:00, thereby permitting all MAC addresses.

More services, 12.8 PPPoE Servers

The firewall (LANconfig > Firewall/QoS > Rules) can be used to control which services are available to the employees in Purchasing, e.g. release of HTTP and e-mail only.

[Dialog: Filter rule, tabs General, Actions, QoS, Stations, Service. Stations / connection source: one or more stations; all stations in local network; a specific remote site; a specific local station; a specific MAC address; an IP address or range of addresses; a complete IP network. Service: this rule applies to all services/protocols, or to the following services: PURCHASING]
187. ...not only the IP address used for the selection of the route is evaluated, but also other information which is attached to the data packets by the firewall. With the routing tag 0 the routing entry is valid for all packets.

Routing and WAN connections, 11.2 IP routing

Router: The router transmits the data packets that match the IP address and network mask to this remote station. If the remote station is a router in another network or an individual workstation computer, enter the name of the remote station. If the router on the network cannot address the remote station itself, then the IP address of another router which knows the path to the destination network is entered. The router name indicates what should happen with the data packets that match the IP address and network mask:
- Routes with the entry 0.0.0.0 identify exclusion routes. Data packets for this zero route are rejected and are not routed any further. That way routes which are forbidden on the Internet (private address spaces, e.g. 10.0.0.0) are excluded from transmission.
- If an IP address is entered as the router name, this is a locally available router which is responsible for transferring the relevant data packets.

Distance: Number of routers between your own and the destination router. This value is often equated with the cost of the transmission and is used to distinguish between inexpensive and expensive call paths for wide area
188. If the user wishes to direct the default route through a VPN tunnel with a dynamic tunnel endpoint, for example, then the VPN module uses the default route with the routing tag 0 as standard. To direct the default route through the VPN tunnel anyway, create a second default route with routing tag 1 and the VPN remote station as the router name. With the appropriate firewall rule you can then transfer all services from all source stations to all destination stations with routing tag 1.

Routing tags and RIP: The routing tag is also transmitted in RIP packets for processing upon reception, so that, for example, a change in the distance of the proper route can be applied.

Routing and WAN connections, 11.2 IP routing

Routing tags for VPN and PPTP connections

Routing tags are used on the BAT in order to evaluate criteria relevant to the selection of the target route in addition to the IP address. In general, routing tags are added to the data packets by special firewall rules. However, in some cases it is desirable to assign the tags directly.

Routing tags for VPN connections: The VPN name list can be used to enter the routing tag for every VPN connection. The routing tag is used to determine the route to the remote gateway (default 0). In addition, every gateway can be assigned a specific routing tag in the gateway table. The tag 0 has a special function in this table: if the tag is set
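The interplay of exclusion routes (router 0.0.0.0, section 11.2), routing tag 0 versus a tagged second default route, and the firewall rule that attaches the tag can be exercised on a constructed routing table. This is an added example, not the BAT's routing code: the table entries, the tag-assigning firewall rule, longest-prefix selection and the tie-break in favour of the tagged entry are assumptions consistent with the text, not statements taken from it.

```python
"""Tagged route lookup with exclusion routes (added example, not firmware code)."""
from ipaddress import ip_address, ip_network

# Constructed routing table: (network, router name or IP, distance, routing tag).
# Router "0.0.0.0" marks an exclusion route: matching packets are dropped.
ROUTES = [
    (ip_network("0.0.0.0/0"), "INTERNET", 0, 0),           # default route, tag 0
    (ip_network("0.0.0.0/0"), "VPN-HQ", 0, 1),             # second default route, tag 1
    (ip_network("10.0.0.0/8"), "0.0.0.0", 0, 0),           # exclusion: private space
    (ip_network("10.10.0.0/16"), "VPN-HQ", 0, 0),          # more specific, via the VPN
    (ip_network("192.168.5.0/24"), "192.168.1.254", 1, 0), # IP as router: local next hop
]

# Constructed firewall rules that attach a routing tag: (source network, tag).
TAG_RULES = [(ip_network("192.168.1.0/24"), 1)]


def lookup(dst, tag=0, routes=ROUTES):
    """Return (decision, router) for a packet to `dst` carrying routing tag `tag`.

    Entries with tag 0 are valid for every packet; an entry with another tag
    only for packets carrying that tag. Among the matching entries the longest
    prefix wins, and on equal prefix length the tagged entry wins (assumption).
    """
    dst = ip_address(dst)
    best = None
    for net, router, distance, rtag in routes:
        if rtag not in (0, tag) or dst not in net:
            continue
        rank = (net.prefixlen, rtag != 0)
        if best is None or rank > best[0]:
            best = (rank, router, distance)
    if best is None or best[1] == "0.0.0.0":
        return "DROP", None                 # no route, or exclusion route
    try:
        ip_address(best[1])
        return "LOCAL-ROUTER", best[1]      # hand over to a router in the LAN
    except ValueError:
        return "REMOTE", best[1]            # remote station (WAN/VPN peer)


def route_packet(src, dst, tag_rules=TAG_RULES, routes=ROUTES):
    """Firewall first (tag by source network), then the tagged route lookup."""
    src = ip_address(src)
    tag = next((t for net, t in tag_rules if src in net), 0)
    return lookup(dst, tag, routes)


if __name__ == "__main__":
    for src, dst in [("192.168.1.20", "8.8.8.8"), ("192.168.7.20", "8.8.8.8"),
                     ("192.168.7.20", "10.1.2.3"), ("192.168.7.20", "10.10.5.5")]:
        print(src, "->", dst, route_packet(src, dst))
```

Packets from 192.168.1.0/24 pick up tag 1 and leave through VPN-HQ although the untagged default route points at INTERNET; anything for 10.0.0.0/8 is dropped by the exclusion route unless a more specific entry (10.10.0.0/16) exists.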
189. ...L-4; the other ports remain in private mode ... port and the

Routing and WAN connections, 11.5 Demilitarized Zone (DMZ)

Configuration with WEBconfig, Telnet or SSH: Under WEBconfig, Telnet or an SSH client you will find the settings for the Ethernet ports under the following paths:
WEBconfig: Expert Configuration > Setup > Interfaces > LAN
Terminal/Telnet: Setup/Interfaces/LAN

11.5.2 Assigning network zones to the DMZ

The various network zones (address ranges) are assigned to the DMZ and the LAN using the address settings. Depending on availability, WLAN interfaces can also be selected.

Configuration with LANconfig: Addresses can be defined in LANconfig in the configuration area TCP/IP on the General tab.

[Dialog: Configure TCP/IP, General tab, Own addresses. DMZ IP address 10.0.0.0; DMZ netmask 255.255.255.0; DMZ interface DMZ-1; DMZ check: strict. Intranet IP address 192.168.1.0; Intranet netmask 255.255.255.0; Intranet interface LAN-1; Intranet check: loose]

Configuration with WEBconfig, Telnet or SSH: Under WEBconfig, Telnet or an SSH client you will find the address settings under the following paths:
WEBconfig: Expert Configuration > Setup > TCP-IP
Terminal/Telnet: Setup/TCP-IP
190. ...LAN interfaces.
- Yes, access only for stations with encryption (recommended): In this mode only WLAN clients with activated WEP and the correct key can register with the access point.
- Yes, access also for stations without encryption allowed: In this mode WLAN clients with activated WEP and WLAN clients without WEP can register with this access point.
- No: No encryption.

Method / Key 1 length: Set the encryption method to be used here.
- 802.11i (WPA)-PSK: Encryption according to the 802.11i standard offers the highest security. The 128-bit AES encryption used here offers security comparable to that of a VPN connection. With a pre-shared key the strength of the whole scheme rests on the passphrase, so choose a long, random one.
- WEP 152, WEP 128, WEP 64: Encryption according to the WEP standard with key lengths of 128, 104 or 40 bits respectively. This setting is only to be recommended when the hardware used by the WLAN client does not support the modern method.
- WEP 152/802.1x, WEP 128/802.1x, WEP 64/802.1x: Encryption according to the WEP standard with key lengths of 128, 104 or 40 bits respectively, with additional authentication via 802.1x/EAP. This setting is likewise only to be recommended when the hardware used by the WLAN client does not support the 802.11i standard. The 802.1x/EAP authentication offers a higher level of security than WEP encryption alone, although the need for a RADIUS server makes high demands of the IT infrastructure.

Key 1 / passphrase: In line with the encryption method activated you can
191. ...LAN security. The access point is thus a sort of middleman between client and server: it does not have to check the contents of these packets, it only has to ensure that no other data traffic to or from the client can occur. Over this tunnel through the access point, the client and server authenticate one another: the server checks the client's access privilege to the network, and the client checks that it is talking to the right network. Rogue access points set up by attackers can be recognised in this way.

A whole series of authentication processes exist which can be used in this tunnel. A current process, and one supported by Windows XP, is TLS, in which server and client exchange certificates; another is TTLS, in which only the server supplies a certificate and the client is authenticated using only a user name and password.

After the authentication phase, a secure tunnel has been set up even without WEP encryption, into which the access point is connected in the next step. For this the RADIUS server sends the so-called Master Secret, a session key calculated during the negotiation, to the access point. The LAN behind the access point is considered secure in this scenario, so this transmission can be performed in clear text; if the path between RADIUS server and access point crosses an untrusted network, it needs its own protection (a VPN, or RADSEC as listed among the certificate types). With this session key the access point now takes over the tunnel and can use it to provide the actual WEP key to the client. Depending on the capabilities of the access point hardware this can be
192. N settings 62
3.4.3 WLAN routing (isolated mode) 63
3.4.4 The physical WLAN interfaces 64
3.4.5 The logical WLAN interfaces 78
3.4.6 Additional WLAN functions 82
3.5 Extended WLAN protocol filters 87
3.5.1 Protocol filter parameters 88
3.5.2 Procedure for filter test 90
3.5.3 Redirect function 91
3.5.4 DHCP address tracking 92
BAT54 Rail F, Release 7.54 06/08
3.6 Client mode 93
3.6.1 Basic configuration 94
3.6.2 Advanced configuration 98
3.6.3 The roaming table 100
3.7 IEEE 802.11i for point-to-point connections in the WLAN 101
3.7.1 Antenna alignment for P2P operations 102
3.7.2 Configuration 104
3.7.3 Access points in relay mode 107
3.7.4 Security for point-to-point connections 107
3.7.5 LEPS for P2P connections 108
3.7.6 Geometric dimensioning of outdoor wireless network links 109
3.8 Establishing outdoor wireless networks
3.8.1 Geometrical layout of the transmission path
3.8.2 Antenna power
3.8.3 Emitted power and maximum distance
3.8.4 Transmission power reduction
3.9 Bandwidth limits in the WLAN
3.9.1 Operating as an access point
3.9.2 Operating as a client
3.10 WLAN according to 802.11h
3.10.1 Standards
3.10.2 Radio channels in the 5 GHz band
3.10.3 Frequency ranges for indoor and outdoor use
4 Configuration and management
4.1 Configuration tools and approaches
4.2 Configuration software
4.3 Searching and configuring devices
4.4 Configuration using different tools
4.4.1 LANconfig
4.4.2 WEBconfig 44
193. Nconfig, you can find the WLAN routing in the configuration area Interfaces on the tab LAN in the section Ethernet switch settings. (Screenshot: LANconfig, Configure > Interfaces > LAN tab; Network adapter MAC address 0040570FB9BF; Ethernet switch settings: "This is where you can make further settings for each Ethernet interface. Select how to connect the LAN and the wireless LAN interface: Connect by using a bridge (default).") Configuration with WEBconfig or Telnet: under WEBconfig or Telnet you can find the WLAN routing as follows. Configuration tool / Menu, Table: WEBconfig: Expert Configuration > Setup > LAN > Isolated-Mode; Terminal/Telnet: cd Setup/LAN, Isolated-Mode. 3.4.4 The physical WLAN interfaces. Setting up the WLAN card: apart from the parameters common to all WLAN cards, there is a series of settings to be made that are particular to each WLAN card of the access point. Configuration with LANconfig: for configuration with LANconfig you will find the settings for the WLAN card under the configuration area Interfaces on the Wireless LAN tab. Open the list of physical WLAN interfaces by clicking on the button Physical WLAN settings. (Screenshot: LANconfig, Configure > Interfaces > Wireless LAN tab, General.) This is where you can make settings for all
194. Note: Up until LCOS version 6.30, a BAT Router could only be accessed from the network with the device VLAN ID. From LCOS version 7.00, a dedicated network with its own VLAN ID can be set up exclusively for configuring the BAT Router; this network can be protected from general access with an appropriate firewall rule. During an upgrade to LCOS version 7.00, any device VLAN IDs which were in use will be entered into all of the networks; this is for compatibility reasons. Interface assignment: logical interface that this network is assigned to. Values: LAN-1 to LAN-4, WLAN-1-1 to WLAN-2-8, P2P-1-1 to P2P-2-6, BRG-1 to BRG-8, any (depending on the availability of logical interfaces in the respective model). A logical interface which is assigned to a network in this way is referred to as a bonded interface. Any: the network is valid for all logical interfaces. Default: Any. Note: Using the bridge groups (Assigning logical interfaces to bridge groups, page 413) is an important aspect of network security. Many applications demand that an intranet is valid for several logical interfaces, for example so that clients in the LAN and in the WLAN can communicate with one another easily; only certain logical interfaces are reserved for the DMZ. By grouping certain logical interfaces (e.g. LAN
195. P Spoofing, Inverse masquerading, IP, IP address, IP broadcast, IP header, IP masquerading (simple masquerading), IP multicast, IP Quality of Service, IP routing (standard router), IP routing table, IP Spoofing, IP telephony, IPSec, IPSec over WLAN: 538, 284, 160, 530, 530, 529, 22, 22, 333, 23, 101, 347, 335, 83, 369, 125, 126, 126, 133, 76, 143, 369, 437, 468, 302, 302, 372, 425, 530, 211, 425, 437, 364, 312, 28, 226, 369, 425, 530, 372, 364, 531, 361, 355, 302, 318, 33, 530, 84
Index
ISDN, ISM frequency band, ISP; K: Keep Alive; L: LAN (Different organisations on one LAN, logical, physical), LANcapi, LANconfig (Columns for display, Download script, Management of multiple devices), LAND, LANmonitor (Accounting information, Activity log, Display options, Firewall actions log, Monitor Internet connection, System information, Traces, VPN connections), LANtools, Layer 2, Layer 2 switch, Layer 3, LCOS, LCP echo reply/request, LLC MUX, Logging table, Logical LAN, Logical sending direction, Logical wireless networks, Login, Login barring: 531, 531, 531, 440, 531, 339, 337, 336, 531, 126, 128, 145, 166, 531, 172, 185, 130, 305, 205, 208, 206, 207, 209, 207, 210, 209, 212, 206, 531, 369, 335, 368, 16, 531, 436, 436, 368, 295, 337, 324, 52, 143, 239, 239, 539
Loopback address; M: MAC, MAC address, MAC address filter, MAC
196. P key entered. To check the WEP settings, select in LANconfig in the configuration area Management on the tab Interfaces under Wireless LAN the wireless LAN interface you would like to configure. With the Access Control List (ACL) you allow or prohibit the access of single radio LAN clients to your radio LAN. The access is regulated via the static MAC address of the wireless client adapter. To check the Access Control List, select in LANconfig in the configuration area WLAN Security the tab Stations. Have you configured 802.1x or IPsec over WLAN for especially sensitive data transfer? For more security when transmitting sensitive data over your wireless LAN you can use the IEEE 802.1x technology. To check or activate the IEEE 802.1x settings, select in LANconfig the configuration area WLAN Security, the tab IEEE 802.1x. If your base station provides VPN, you can, alternatively to IEEE 802.1x, select IPsec over WLAN to protect your data between radio networks and local networks in a VPN tunnel. Have you activated the mechanism that protects your configuration if the device is stolen? Confidential information about RAS access, LAN coupling or VPN connections could fall into the wrong hands if the device is stolen. The device's configuration can be protected by various means; for example, it will cease to function if there is an interruption to the power supply or if the device is switched on in another locat
197. (Screenshot: firewall rule service selection: P3, NNTP; File transfers (FTP); Terminal access (TELNET); Layer2 tunnel (PPTP); Name resolution (DNS); Windows network (NetBIOS via IP); Virtual Private Network (VPN, IPSec); Custom protocols.) WEBconfig/Telnet: under WEBconfig or Telnet the Firewall rules are configured in the following menus and lists. Configuration tool / Run: WEBconfig: Expert Configuration > Setup > IP-Router-Module > Firewall > Rule-Table, Object-Table, Actions-Table; Terminal/Telnet: Setup/IP-Router-Module/Firewall/Rule-Table, Object-Table, Actions-Table. There is a special syntax in LCOS for the description of the Firewall rules. This syntax allows even complex relations for checking and treatment of data packets within the Firewall to be described with just a few characters. Rules are defined in the rule table. Pre-defined objects can be saved in two additional tables, in order to avoid entering frequently used objects each time again in LCOS syntax: the action table contains Firewall actions; the object table contains stations and services. Note: Objects from these tables can be used for rule definition, but this is not a must; they simply facilitate the use of frequently used objects. Rule table: the rule table combines different information to a Firewall rule. The rule contains the protocol to be filtered, the source, the destination, as well as the Fi
198. RIV | login errors occurring during this process
Connections | messages regarding establishing and releasing connections and errors occurring during this process (display trace) | LOCAL0
Accounting | accounting information after release of a connection (user, online time, transfer volume) | LOCAL1
Administration | messages regarding configuration changes, remotely executed commands etc. | LOCAL2
Router | regular statistics on the most frequently used services (sorted by port numbers) and messages regarding filtered packets, routing errors etc. | LOCAL3
The eight priority stages defined initially in the SYSLOG are reduced to five stages in the BAT. The following table shows the relationship of alarm level, significance and SYSLOG priorities.
Priority | Meaning | SYSLOG priority
Alert | All messages requiring the attention of the administrator are collected under this heading | PANIC, ALERT, CRIT
Error | All error messages that can occur during normal operation without requiring administrative intervention are sent to this level, e.g. connection errors | ERROR
Warning | Error messages that do not affect normal operation of the device are sent to this level | WARNING
Information | All messages that are purely informative in character are sent to this level, e.g. accounting information | NOTICE, INFORM
Debug | Transfer of all debug messages | Debug
m
199. (Screenshot: LANconfig device list, 27.01.2004 10:38:00: RSEBURG 10.1.202.220, WITTENBERG 10.1.205.137, ANGERMUENDE 10.1.206.211, CHEMNITZ 10.1.206.212, ADLERSHOF 10.1.206.213, each with the status "Firmware upload started".) > Open Telnet session: opens up multiple DOS windows and sets up a Telnet connection to each device. > Monitor device: starts LANmonitor for the surveillance of the selected devices. > Set date/time: sets the same time on all selected devices. Note: When setting the time, please observe the functions of the BAT as NTP client and NTP server (Time server for the local net, page 486). > Delete: deletes the selected devices from the LANconfig list. 5.2 Project management with LANconfig. 5.2.1 User-specific settings for LANconfig. The program settings for LANconfig are saved to the file lanconf.ini, located in the program directory, when the program is ended. This includes, among others, the displayed devices, directory structure, selected language etc. When the program is started, LANconfig reads this .ini file and restores the previous status of the software. To save the .ini file, the user needs write authorization for the program directory. As an alternative to the .ini file in the program directory, the program settings can be read f
200. 11.7.10 IPX router. The IPX router can only handle a LAN, and so this has to be assigned explicitly by entering the interface and the VLAN ID. (Screenshot: LANconfig, Configure > IPX/SPX > General: IPX module enabled, Network, Binding, Interface assignment, VLAN ID.) Configuration tool / Call: LANconfig: IPX/SPX router > General; WEBconfig/Telnet: Expert Configuration > Setup > IPX-Router > LAN. Network: Netware network number of the local network. Default: 00000000. The setting 00000000 means that the network number is determined automatically, as long as a Novell server exists in the network. Binding: the Ethernet packet format for the local network. Automatic: sets the packet format automatically if possible; 802.3; 802.2; SNAP. Interface assignment: logical interface that this network is assigned to. Values: LAN-1 to LAN-n, WLAN-1-1 to WLAN-2-8, P2P-1-1 to P2P-2-6, BRG-1 to BRG-8, any (depending on the availability of logical interfaces in the respective model). A logical interface which is assigned to a network in this way is referred to as a bonded interface. Any: the network is valid for all logical interfaces.
201. (Screenshot: LANconfig filter rule dialog "Filter rule E-MAIL_ROUTING_TAG" with the tabs General, Actions, QoS, Stations, Service. General: name of this rule E-MAIL_ROUTING_TAG; this rule is active for the firewall; this rule is used to create VPN rules; observe further rules after this rule; this rule tracks connection state; routing tag 1; comment "Routing Tag 1 for e-mail traffic". Actions: the actions table describes the actions that will be executed when the rule applies to certain amounts of data or packets; Immediately: Reject, SNMP. Stations: connection source (connections from all stations / from the following stations); connection destination (connections to all stations / to the following stations). Service: scope of rule (services, protocols); this rule applies to all services/protocols or to the following services: Mail and News (SMTP, POP3), File transfers (FTP), Terminal access (TELNET), Layer2 tunnel (PPTP), Name resolution (DNS), Windows network (NetBIOS via IP), Virtual Private Network (VPN, IPSec).)
202. T Firewall inspects data packets. The Firewall filters only those data packets, out of the entire data stream running through the IP router of the BAT, for which a special treatment has been defined. (Figure: the Firewall only checks routed data packets; LAN interfaces, VPN services, IP Redirect, IPX over PPTP, VPN.) The Firewall only checks data packets routed by the IP router of the BAT. In general, these are the data packets which are exchanged between one of the WAN interfaces and the internal networks (LAN, WLAN, DMZ). For example, the communication between LAN and WLAN is normally not carried out by the router as long as the LAN bridge allows a direct exchange; thus the Firewall rules do not apply here. The same applies to the so-called internal services of the BAT, like Telnet, TFTP, SNMP and the web server for the configuration with WEBconfig. The data packets of these services do not run through the router and therefore aren't influenced by the Firewall. Note: Due to the positioning behind the masquerading module (seen from the WAN), the Firewall operates with the real internal IP addresses of the LAN stations and not with the outside known Internet address of the BAT. The BAT Firewall uses several lists for checking data packets, which are automatically generated from Firewall rules, resulting Firewall actions or by ac
203. T access point for this task. (Figure: Client, Authenticator.) The authenticator has no initial information on the clients wanting to register; this is all stored in a database on the RADIUS server. The registration information the RADIUS server needs for the authentication process is stored in the database there and can vary from network to network. The authenticator has just the one task, that of transferring the information between the client and the RADIUS server. Access to a RADIUS server can be configured in several ways: using PPP when dialing into a network (see Dial-in using PPP and RADIUS, page 505); via WLAN (see Dial-in using WLAN and RADIUS, page 507); via the 802.1x protocol (see Dial-in using 802.1x and RADIUS, page 508). 12.9 RADIUS. 12.9.1 How RADIUS works. The authentication process of a client using the authenticator on a RADIUS server can vary in complexity and is implementation dependent. In a simplified application, the client sends its registration data to the RADIUS server via the authenticator and receives back either an Accept or a Reject. (Figure: 1. User ID >; 2. Accept.) In more complicated applications, the RADIUS server can request additional registration data using what is known as a Challenge. The handshake sequence looks something like this: Identit
204. TPC is not used within these frequency bands, then the highest permissible average EIRP and the corresponding maximum EIRP density are reduced by 3 dB. This restriction does not apply to the frequency range of 5150-5350 MHz. Without DFS and TPC, a maximum of only 30 mW EIRP is permitted. When DFS and TPC are used, a maximum of 1000 mW EIRP is permitted as the transmission power, compared with 100 mW with 802.11b/g (2.4 GHz), where DFS and TPC are not possible. The higher maximum transmission power not only compensates for the higher attenuation of 5 GHz radio waves in air, it also makes noticeably longer ranges possible than in the 2.4 GHz range. Differences from USA and Asia: The USA and Asia use different frequency bands and different maximum signal strengths to the European standard. In the USA, three sub-bands, each 100 MHz wide, are used for wireless networks in the 5 GHz band. The lower band ranges from 5150-5250 MHz, the middle band from 5250-5350 MHz, and the upper band from 5725-5825 MHz. In the lower band a maximum average EIRP of 50 mW is permitted, in the middle band this is 250 mW, and 1 W in the upper band. In Japan, the use of the 5 GHz band is possible to a limited extent only: the lower band of 5150-5250 MHz is released for private use. 3.10.2 Radio channels in the 5 GHz band. In the usable freq
205. The behavior of an access point when exchanging data with other access points is defined in the Point-to-point operation mode. Off: the access point only communicates with mobile clients. On: the access point can communicate with other access points and with mobile clients. Exclusive: the access point only communicates with other base stations. In the 5 GHz band, the automatic search for vacant WLAN channels can lead to several simultaneous test transmissions from multiple access points, with the result that they do not find each other. This stalemate situation can be avoided with the appropriate Channel selection scheme. Master: this access point takes over the leadership when selecting a free WLAN channel. Slave: all other access points will search for a channel until they have found a transmitting Master. Thus it is recommended for the 5 GHz band that one central access point should be configured as Master and all other point-to-point partners should be configured as Slave. In the 2.4 GHz band too, this setting simplifies the establishment of point-to-point connections if the automatic channel search is activated. Note: It is imperative that the channel selection scheme is configured correctly if the point-to-point connections are to be encrypted with 802.11i/WPA. 3.7.1 Antenna alignment for P2P operations. The pr
206. This procedure is called PMTU reduction. The PMTU reduction can be used for the sending as well as for the receiving direction. For the sending direction, the data source in the own LAN is adjusted with the PMTU reduction to a smaller packet size; for the receiving direction, the data source in the WAN (e.g. web or FTP servers in the Internet). Provided that the data connection already exists when the VoIP connection is started, the senders regulate packet lengths very quickly to the permitted value. When setting up new data connections while a VoIP connection is already established, the maximum permitted packet length is negotiated directly during the connection phase. Note: The reduced packet length on the data connection still remains after terminating the VoIP connection, until the sender checks the PMTU value again. The BAT is able to split packets to be sent above an adjustable maximum size (e.g. 256 bytes) into smaller units itself. But such a procedure, called fragmentation, is not supported by all servers in the Internet, because dealing with fragmented packets is considered a security risk and is therefore turned off by many servers. That's why disturbances can occur, e.g. while downloading or while transmitting web pages. Thus this procedure is recommended only for connections without unknown servers involved, e.g. for a direct connection of branches to their head office via a VPN connection over which the Internet traffic is n
207. Times will only be accepted if the system time has been set. The sleep function is useful for a time-delayed reboot when testing an altered configuration, or for a scheduled firmware update for large-scale roll-outs with multiple devices. 5.3.7 WLAN configuration with the wizards in LANconfig. Highly convenient installation wizards are available to help you with the configuration of BAT Access Points for your wireless LAN. The settings include the general shared parameters and also the individual settings for one or more logical wireless LAN networks (WLAN radio cells or SSIDs). Mark your BAT Access Point in the selection window in LANconfig. From the menu bar, select Extras > Setup Wizard. (Screenshot: Setup Wizard: "This wizard lets you configure your device for specific applications quickly and easily. What do you want to do?" Manually edit the configuration; Set up Internet access; Provide remote access (RAS, VPN); Connect two local area networks (VPN); Remove remote site or access.) In the selection menu, select the Setup Wizard "Configure WLAN interface" and confirm the selection with Continue. Make the settings as requested by the wizard and as described as follows. Country settings: regulations for the operation of WLAN cards differ from country to country. The use of some radio channels is p
208. To use a WLAN client to connect to a new, unconfigured BAT access point, the WEP128 encryption must be activated in the WLAN client and the 13-character standard WEP key must be programmed in as described above. 3.3.3 Background WLAN scanning. In order to identify other access points within the device's local radio range, the BAT Wireless Router can record the beacons received (management frames) and store them in the scan table. Since this recording occurs in the background, in addition to the access point's normal radio activity, it is called a background scan. Background scanning is mainly used for the following tasks: rogue AP detection; fast roaming for WLAN clients. Rogue AP detection: WLAN devices that make unauthorized attempts at accessing a WLAN by posing as an access point or client are called rogues. An example of rogue APs are access points that a company's employees connect to the network without the knowledge or permission of the system administrators, thereby consciously or unconsciously making the network vulnerable to potential attackers via unsecured WLAN access. Not quite as dangerous, but disruptive all the same, are access points that belong to third-party networks yet are within the range of the local WLAN. If such devices also use the same SSID and channel as the local AP (default settings), then local clients could at
209. Using LANconfig, select the mode when selecting the new firmware file. Note: It is only possible to upload a second firmware if the device has enough memory for two firmware versions. Current firmware versions, in combination with additional software options, may use up more than half of the available memory. In this case the configuration software notifies a conflict and recommends the use of the converter. This converter can be downloaded free of charge from the Hirschmann website. With the converter, the memory in the BAT is divided into a larger area for the new firmware version and a smaller area for the existing version. While uploading the new firmware, a minimal version of the previous firmware is loaded into the smaller memory area. This version is used as a safety copy, with the following restrictions: The minimal version of the firmware only partly provides the LCOS functions to restore the previous state or to load another firmware; Internet access is possible with this version. A BAT with an active minimal firmware can only be addressed over the LAN, the WLAN or the outband interface; the remote configuration is not possible, not even over ISDN. The minimal firmware cannot be configured; changes in the configuration over LANconfig, WEBconfig or Telnet are not saved in the device. 4.6.2 How to load new
210. WLAN; the possibility of installing a valid WEP key for the next session is more or less a byproduct. Figure 2 shows the basic process of a session secured by EAP. (Figure 2: Schematic process of a WLAN session with EAP/802.1x. Participants: Client, Access point, RADIUS server. Steps: WLAN registration; EAP/802.1x negotiation; sharing of Master Secret (session key); normal data traffic; new session key; more normal data traffic.) In the first phase, the client registers with the access point as usual and enters the state in which it can now send and receive over the access point in normal WEP or WEPplus, but not with EAP, because in this state the client still doesn't have a key to secure its data traffic from eavesdropping. Instead, the client is in an intermediate state from the point of view of the access point, in which only particular packets from the client are forwarded, and these are only directed to an authentication server. These packets are the EAP/802.1x packets mentioned previously. The access point packs these packets in RADIUS queries and sends them on to the authentication server. The access point converts the replies coming from the RADIUS server back into EAP packets and sends them back to the client.
211. (Screenshot: firewall rule service selection: World Wide Web (HTTP, HTTPS); Mail and News (SMTP, POP3, NNTP); File transfers (FTP); Terminal access (TELNET); Layer2 tunnel (PPTP); Layer2 tunnel (L2TP); Name resolution (DNS); Windows network (NetBIOS via IP); Virtual Private Network (VPN, IPSec); Custom protocols (Edit custom protocols); connection destination: this rule applies to packets to all stations / to the following stations.) 12.8.3 Configuration. Configuration with LANconfig: the settings for the PPPoE server can be found in LANconfig in the configuration area Communication on the General tab. (Screenshot: LANconfig, Configure > Communication > General tab: "This is where to group the individual protocols to be used when transferring data to other routers into specific Layers" (Namelist); short hold time; "Define actions that are performed if connect..."; "Here you can configure a PPPoE server": PPPoE server enabled; short hold time 300 seconds; service name; MAC address 000000000000; session limit; remote site PURCHASING; "You can adjust further values for each remote site within this table" (Namelist).) Configuration with WEBconfig, Telnet or SSH: under WEBconfig, Telnet or SSH client you will fi
212. (Screenshot: bridge settings with VLAN ID.) Configuration tool / Call: LANconfig: Bridge > General; WEBconfig/Telnet: Expert Configuration > Setup > Bridge. Remote site: name of the remote site which the remote bridge is connected to. Bridge aging: the time lapse between learning a MAC address and deleting it again. Interface assignment: logical interface that this remote bridge is assigned to. Values: LAN-1 to LAN-n (depending on the availability of logical interfaces in the model in question). Note: WLANs cannot be selected during interface assignment, because the WAN bridge is only available in devices without WLAN. For this reason the interface assignment Any is not possible. VLAN ID: ID of the VLAN with the active remote bridge. Default: 0. 11.7.13 PPPoE Servers. The PPPoE server can be separately activated or deactivated for each logical interface. Configuration tool / Call: WEBconfig/Telnet: Expert Configuration > Setup > PPPoE-Server > Ports. 11.8 Load balancing. Despite the ever-increasing bandwidth of DSL connections, they remain the communications bottleneck. In some cases it can be advisable to combine multiple DSL connections. There are a number of possibilities to realize this, some of which need active support from the Internet provider. DSL channel bundling (Multilink PPPoE, MLPPPoE): The availability of direct bundlin
213. (Screenshot: LANmonitor VPN connections, 2/4/2004 3:17:34 AM: _BUHMAN: Last Error: ISDN or DSL error on interfac; VPN: Connected to VPN_DEICH via INTERNET; VPN: No connection to VPN_DKRAU, Last Error: Dynamic VPN, no ISDN call numb; Connected to VPN_ETRABER, VPN_FJANSSEN, VPN_FTHEINEN, VPN_HBATTI, VPN_MBAGSIK, VPN_MBRIX, VPN_MPLUM, VPN_OSCHILPE, VPN_PCPRO, VPN_QS_TEST, VPN_WOHN, VPN_WTIW via INTERNET; DSL Line > INTERNET: Connect. Columns: Date and time > Source > Message.) Firewall actions log: The firewall actions log lists the last 100 actions taken by the firewall. The detailed information recorded includes: (Screenshot: Event Log View, 2/4/2004 12:12:41: 10.1.1.11 > 224.0.0.9, protocol 17 (UDP), port 520 > 520, intruder detection, Immediately, Packet dropped, SYSLOG sent; 2/4/2004 12:11:40: 10.1.1.11 > 255.255.255.255, protocol 17 (UDP), port 67 > 68
214. (Screenshot: script session output on device PN_NHAMEL, ending with "done", "executed", "Script terminated successfully".) Note: Supervisor rights are necessary to execute this command. killscript: The command killscript deletes the content of a script session that has not yet been executed. The script session is selected by its name (show script, page 193). Note: Supervisor rights are necessary to execute this command. flash Yes/No: When configuring a device with scripts, any add, set or del command can lead to an unintentional update of the configuration in flash; to prevent this, the update-to-flash function can be deactivated. After concluding the configuration, this function can be activated again with flash Yes; changes in the RAM configuration are then written to flash. The status flash Yes/No is stored globally. Note: Supervisor rights are necessary to execute this command. sleep: The sleep command allows the processing of configuration commands to be delayed for a certain time period or to be scheduled for a certain time. Syntax: sleep [-u] value[suffix]. Permissible suffixes are s, m or h for seconds, minutes or hours; if no suffix is defined, the units are milliseconds. With the option switch -u, the sleep command accepts times in the format MM/DD/YYYY hh:mm:ss (English) or in the format TT.MM.JJJJ hh:mm:ss (German). Note:
215. a certain packet order, problems may result in a few isolated applications. This only concerns applications that assume a certain order that differs from the protocol standard. In this case the SYN/ACK speedup can be deactivated. Configuration tool / Menu, table: LANconfig: IP router > General > Pass on TCP SYN and ACK packets preferentially; WEBconfig: Expert Configuration > Setup > IP-router > Routing-method > SYN-ACK-speedup; Terminal/Telnet: cd setup/IP-router/routing-method, set SYN-ACK-speedup OFF. 11.3 Configuration of remote stations. Remote stations are configured in two tables. In the peer lists, all information is set that applies individually to only one remote station. Parameters for the lower protocol levels (below IP or IPX) are defined in the communication layer table. Note: The configuration of the authentication protocol (user name, password) is not covered in this section. Information on authentication is contained in the section Establishing connection with PPP (page 434). 11.3.1 Peer list. The available remote stations are created in the peer list with a suitable name and additional parameters. For every WAN interface a separate peer list exists. The peer list is reached as follows. Configuration tool / Menu, table: LANconfig: Communication > Remote sites > Remote Sites (DSL); WEBconfig: Expert configuration > Setup > WAN > DSL-Broadband-Peers; Terminal/Telnet: cd Setup/WAN
216. ...a device with the help of LANconfig. For this, right-click on the corresponding entry in the device list and select the entry Configuration management > Save script to file from the context menu. Select the following options here:

> Numeric sections: Enable this option if you do not want the configuration sections in the script to be displayed in cleartext (e.g. setup/wlan/ppp) but numerically (2.2.5).

> Default parameters: Unless defined otherwise, the only parameters saved in a script are those that deviate from the default values. Enable this option if the standard values should also be entered into the script.

> Column names: Unless defined otherwise, the fields of a table are initially entered as column names in the scripts, and thereafter only the respective values are inserted into the rows. Enable this option when every value in the table should explicitly receive the description of the column in which it is inserted.

> Comments: Activate this option when additional comments should be included in the script file.

> Compact formatting: Enable this option if spaces and tabs should be suppressed.

> Download only selected sections: Without further entries, the entire device configuration will always be saved in the script. In contrast, entering the sections also makes it possible to save partial configurations. Enter the sections to which the script should be transferred into this field, e.g. setup/wlan.

5.3.4 Uploading configuration co
217. ...a reduced serial interface (Rx, TX, ground only), hence the hardware handshake has to be deactivated. The BAT54 Rail features a fully fledged serial interface which supports the hardware handshake of the terminal program.

Caution: If the hardware handshake is not well configured, some characters may get lost while transmitting script or configuration files, resulting in a damaged device configuration. In contrast, the firmware upload will work even with a wrongly configured hardware handshake, because the X-Modem protocol ensures a secure data transmission.

6 New firmware with Hirschmann FirmSafe

TFTP

TFTP can be used to install new firmware on BAT. This can be done with the command (or target) writeflash. For example, to install new firmware in a BAT with the IP address 10.0.0.1, enter the following command under Windows 2000 or Windows NT:

tftp -i 10.0.0.1 put Lc_l6xxu.282 writeflash

Firmware upload via the serial interface with configuration reset

The serial interface can also be used to load firmware into the device. Entering the serial number instead of the configuration password results in the device configuration being reset to its ex-factory settings. In this way you can re-open the device in the case that the configuration password is lost and the reset button has been set to "Ignore" or "Boot only". Use the serial configuration cable to con
218. [Screenshot: WEBconfig VLAN tables. Network table (Name, VLAN ID, Port list); Port table (Port, Use tagging, Allow untagged frames, Allow all VLANs); Device VLAN ID: 1.]

10.4 Configurable VLAN Protocol ID

When transmitting VLAN-tagged networks via provider networks that use VLAN themselves, providers sometimes use special VLAN tagging IDs. In order to set VLAN transmission on the BAT to accommodate this, the Ethernet2 type of the VLAN tag can be set as a 16-bit hexadecimal value (as "tag value" under Setup > LAN Bridge > VLAN, or in LANconfig in the configuration area under Interfaces, using the VLAN tab, in the field "VLAN tag"). The default is 8100 (802.1p/q VLAN tagging); other typical values for VLAN tagging could be 9100 or 9901.

[Screenshot: LANconfig Configure > Interfaces (tabs LAN, Wireless LAN, WAN, VLAN, Span. Tree), VLAN settings. Attention: These settings are sensible only in a VLAN network. You should change them only if the consequences are known. It is simply possible here to lock yourself out from this router; the device will potentially be reachable afterwards only by reset. Checkbox: VLAN module enabled. Network table: this table holds the definition of all VLANs used. Port table: this table holds VLAN-related configuration items for every port the device has.]
219. ...ably automatically look for the server mail.yourdomain.com. The DNS server thereupon returns the IP address 10.0.0.99. The mail program will then look for that IP address. With the proper entries in the IP routing table and peer list, a connection is automatically established to the network in the headquarters and finally to the mail server.

To resolve entire name areas of another DNS server, add a forwarding entry consisting of a name area and remote station:

> LANconfig: TCP/IP > DNS > Forwarding > Add
> WEBconfig: DNS destination table > Add
> Terminal/Telnet: cd /setup/DNS/DNS destination table; set intern COMPANY

When entering the name areas, the wildcards for individual characters and for multiple characters may be used. To reroute all domains with the ending "intern" to a DNS server in the LAN of the remote station COMPANY, create the following entry:

[Screenshot: Forwarding, New Entry: Domain "internal", Remote site CENTRAL_OFFICE.]

Note: The DNS server may either be specified by the remote site name (for automatic setting via PPP) or by an explicit IP address of the according name server.

12.3.4 URL blocking

Finally, one can restrict access to certain names or domains with the filter list. To block the domain (in this case the web server) www.offlimits.com for all computers in the LAN, the following comman
220. ...access via e-mail or WWW is not possible, the attacker can also look out for certain services of servers in the LAN which are useful for his purposes. Because services of the servers are identified over certain ports of the TCP/IP protocol, the search for open ports is also called port scanning. On this occasion the attacker starts an inquiry for particular services with a certain program, either generally from the Internet or only on certain networks and unprotected workstations, which in turn will give the according answer.

A third possibility is to access an existing data connection and use it as a free rider. The attacker here observes the Internet connection of the victim and analyses the connections. Then he uses e.g. an active FTP connection to smuggle his own data packets into the protected LAN.

A variant of this method is the man-in-the-middle attack: the attacker first observes the communication of two workstations and then gets in between.

8.1.4 The victims

The question about the degree of exposure for an attack influences to a considerable degree the expenditure one wants to or must meet for defending. In order to assess whether your network would be particularly interesting for an attacker as a potential victim, you can consult the following criteria:

> Particularly endangered are networks of commonly known enterprises or institutions whe
221. ...according to the connection status of the router, and so do the RIP packets transmitted.

> If the router has established a connection to a remote station, it propagates all the networks which can be reached via this route in the RIPs with the distance 1. Other routers in the LAN are thus informed by these means that a connection to the remote station has been established on this router, which they can use. The establishment of additional connections by routers with dial-up connections can be prevented, thus reducing connection costs.

> If this router cannot establish a further connection to another remote station, all other routes are propagated with the distance 16 in the RIPs. The 16 stands for "This route is not available at the moment". A router may be prevented from establishing a connection in addition to the present one due to one of the following causes:

> Another connection has already been established on all the other channels (also via the LANCAPI).
> Connections for the S port have been explicitly excluded in the interface table.
> The existing connection is using all B channels (channel bundling).
> The existing connection is a leased line connection. Only a few ISDN providers enable a dial-up connection to be established on the second B channel in addition to a permanent connection on the first B channel.

Which information does t
222. ...aces of the distributors, the rules for generating and processing of the VLAN tags are assigned to the single interfaces. Coming back again to the first example:

[Figure: data packet without VLAN tag; data packet with VLAN ID 3; data packet without VLAN tag.]

> A workstation from the marketing sends a data packet to a workstation of the sales department. The marketing hub passes the packet simply on to the switch.

> The switch receives the packet at its port no. 1 and recognizes that this port belongs to a VLAN with the VLAN ID 3. It inserts an additional field into the MAC frame with the appropriate VLAN tag and issues the packet only on ports 2 and 5, which also belong to VLAN 3.

> The base station of the sales department will receive the packet on its LAN interface. By its settings, the base station can recognize that the WLAN interface also belongs to VLAN 3. It will remove the VLAN tag from the MAC frame and issues the packet again on the wireless interface.

> The WLAN client can then handle the packet, which has a usual length again, like each other data packet without VLAN tagging.

10.2.3 Application examples

The main application of virtual LANs is to install different logical networks on a physical Ethernet segment whose data traffic is protected against the other logical networks. The following sections pres
223. ...achable. The syntax of the ping command is:

ping [-fnqr] [-s n] [-i n] [-c n] [-a a.b.c.d] hostaddress

The meanings of the optional parameters are listed in the following table:

Parameter: Meaning
> -a a.b.c.d: Sets the sender address of the ping (standard: IP address of the router).
> -a INT: Sets the intranet address of the router as sender address.
> -a DMZ: Sets the DMZ address of the router as sender address.
> -a LBx: Sets one of the 16 loopback addresses as sender address. Valid for x are the hexadecimal values 0-f.
> -f: Flood ping. Sends many ping signals in a small amount of time. Can be used e.g. to test the bandwidth of the network. ATTENTION: flood ping can easily be interpreted as a DoS attack.
> -n: Sends the computer name back to the given IP address.
> -q: Ping command does not give an output on the panel.
> -r: Change to traceroute mode; every intermediate station passed by the data package is listed.
> -s n: Sets the package size to n bytes (max. 1472).
> -i n: Time between the packages in seconds.
> -c n: Send n ping signals.
> hostaddress: Address or hostname of the recipient.
> stop / <RETURN>: Entering "stop" or pressing the RETURN button terminates the ping command.

[Screenshot: Telnet session running ping -r and showing the resulting ping statistics.]

6.4 Monitor
224. ...ackets.

Note: When a tagged packet is received, the tag is saved to the associated entry in the connection list. If a packet is to be sent with a precedence setting, then the VLAN ID recorded earlier is entered into the packet together with the precedence to form a VLAN tag. Where a connection causes other connections to be opened (e.g. with FTP or H.323), then the tag is inherited to the new entries.

10.6 VLAN tags on layer 2/3 in the Ethernet

10.6.1 Configuring VLAN tagging on layer 2/3

Configuring VLAN tagging on layer 2/3 involves the definition of the general routing settings and the behavior upon receipt and transmission of tagged packets.

[Screenshot: LANconfig Configure > Router > General (tabs General, Routing, Masq., N:N Mapping, VRRP). Routing options: Use Proxy ARP to tie remote stations into the LAN; Send ICMP redirects; Transfer ICMP packets secured; Pass on TCP SYN and ACK packets preferentially (checked); Note the Type Of Service field in IP packets (checked); Interpret the DiffServ field in IP packets; Copy DiffServ tags from Layer 3 to Layer 2; DiffServ tags from Layer 2: Ignore / Copy to Layer 3 / Copy automatically; RIP options: RIP type.]

Configuration tool: Call
> LANconfig: IP Router > General
> WEBconfig, Telnet: Expert Configuration > Setup > IP Router > Routing Method

> Routing method: Normal: TOS/DiffServ field is ignored. T
225. ...address.

> IP address: The data are collected according to the client's IP address.

Caution: When varying IP addresses are in use (e.g. when using a DHCP server), the option "IP address" can lead to inaccurate accounting data. In this case it may not be possible to accurately assign the data to users. Conversely, with this setting data can be separated from clients that are behind another router and therefore appear with the same MAC address as the router in the accounting list.

> Sort according to: Select here whether the data should be sorted in the accounting table according to connection times or data volume.

Snapshot configuration

When configuring the snapshot, the interval is set in which the accounting data are temporarily saved into a snapshot.

[Screenshot: Accounting Snapshot Time dialog. Accounting snapshot active (checked); Interval: monthly; Day of month: 1; Day of week; Hour; Minute.]

Configuration tool: Call
> LANconfig: Management > Costs > Accounting Snapshot
> WEBconfig, Telnet: Expert configuration > Setup > Accounting > Time snapshot

Caution: The snapshot function can only be used when the device is set with the correct system time.

> Accounting snapshot active: Turn intermediate storage of accounting data on or off.
> Interval: Daily, weekly or monthly.
> Day of month: The day of the month on which caching w
226. ...address: IP address of the authenticator which may communicate with the RADIUS server in the BAT access point.

> Secret: Password required by the authenticator for access to the RADIUS server in the BAT access point.

Note: In addition to the configuration of the RADIUS server, the client information source must also be defined ("WLAN access list as a basis for RADIUS information", page 510).

WLAN access list as a basis for RADIUS information

WLAN clients all able to register with the BAT access point may be entered in the access list. When operating in RADIUS server mode, this list can also be used to check on RADIUS clients wanting to register at other access points. In an installation having several access points, client access authorizations can be maintained centrally.

Configuration tool: Call
> LANconfig: WLAN security > RADIUS
> WEBconfig, Telnet: Expert configuration > Setup > WLAN > RADIUS access check

> Provide server database (default: yes): This parameter specifies whether the WLAN access list is to be used as an information source for the RADIUS server in the BAT access point. The WLAN access list contains the user name in the form of the MAC address and the password (WPA passphrase). In addition to this access data, the access list provides information such as bandwidth restriction and association
227. ...ag for the remote gateway. The network is of the type Intranet.

Note: VPN rules for a DMZ also have to be created manually, just as for networks with an interface tag which does not fit to the routing tag of the VPN route.

11.7.6 Firewall rules for certain local networks

For defining source or destination objects with WEBconfig or Telnet, the firewall has the key L for addressing the local network. All networks on all logical local interfaces (Intranet and DMZ) belong to this local network. By extending the key with the network names (L followed by intranet and/or dmz), individual or multiple networks can be addressed. On the one hand this includes the addresses of the networks into the rule; on the other hand the rule only takes effect when the source addresses are correct and when the source interface of the received packet fits. If a network of this type is defined as the target network, then the packet will be forwarded precisely to the given interface.

Under LANconfig, too, firewall rules can also be limited to certain networks as source or destination.

[Screenshot: LANconfig rule dialog. One or more stations; All stations in local network; A specific remote site; A specific local station; A specific MAC address; An IP address or range of addresses; A complete IP network; Network name: All local networks; selected: INTRANET.]

Configurati
228. ...8.2 What is a Firewall?

The term "Firewall" is interpreted very differently. We want to define at this point the meaning of Firewall within the boundaries of this user manual configuration:

A Firewall is a compilation of components which monitors at a central place the data exchange between two networks. Mostly the Firewall monitors the data exchange between an internal local network (LAN) and an external network like the Internet.

The Firewall can consist of hardware and/or software components:

> In pure hardware systems, the Firewall software often runs on a proprietary operating system.

> The Firewall software can also run on a conventional workstation which is dedicated to this task under Linux, Unix or Windows.

> As a third and frequently used alternative, the Firewall software runs directly within the router which connects the LAN to the Internet.

In the following sections we only look at the Firewall in a router.

Note: The functions Intrusion Detection and DoS protection are part of the content of a Firewall in some applications. The BAT contains these functions also, but they are realised as separate modules beside the Firewall. Further information can be found in the sections "Intrusion Detection" (page 302) and "Denial of Service" (page 304).

8.2.1 Tasks of a Firewall

Checking data packets

How does the Firewall supervise
229. ...al (default: 0 seconds). If a value is entered here, the BAT Wireless Router searches the frequencies in the active band that are currently not in use, in cycles within this interval, in order to find available access points.

> The background scan function is usually deployed for rogue AP detection for the BAT Wireless Router in access point mode. Here the scan interval should be adjusted to correspond to the time span in which unauthorized access points should be recognized, e.g. 1 hour.

> Conversely, for the BAT Wireless Router in client mode, the background scan function is generally used for improved mobile WLAN client roaming. In order to achieve fast roaming, the scan time is limited here, for example to 260 seconds.

When the background scan time is 0, the background scanning function is deactivated.

The background scan interval sets the time period between searches by a Wireless Router or Access Point for third-party WLAN networks within range. The time interval allows the entered value to be defined in milliseconds, seconds, minutes, hours or days.

Note: To avoid adverse effects on data transfer rates, the interval between channel scans should be at least 20 seconds. Lesser values will be corrected to this minimum value automatically. For example, with 13 channels to scan in the 2.4 GHz band, one scan of the full spectrum takes
230. ...all up the command with Device > Find to initiate a search for a new device manually. LANconfig will then prompt for a location to search. You will only need to specify the local area network if using the in-band solution, and then you're off.

Once LANconfig has finished its search, it displays a list of all the devices it has found, together with their names and perhaps a description, the IP address and its status.

[Screenshot: LANconfig main window (File, Edit, Device, View, Tools, Help) listing found devices with name, description, IP address and status "Ok", plus a log pane with entries "Configuration editing started", "Configuration reading started" and "Configuration read successfully".]

The expanded range of functions for professionals

Two different display options can be selected for configuring the devices with LANconfig:

> The Simple configuration displa
231. ...an accept action is inserted. In this case "accept" is unveiled as the main action. You can see the complete actions under the command show filter.

> Linked: Indicates whether it concerns a first-match rule (linked: no). Only with linked rules, in the case of applying this rule, further rules are also evaluated.

> Prio: Priority of the rule having generated the entry.

The connection list

The connection table files source address, destination address, protocol, source port, destination port etc. of a connection, as well as possible actions. This table is sorted according to source address, destination address, protocol, source port and destination port of the packet which caused the entry in the table.

Under WEBconfig the filter list has the following structure:

[Screenshot: WEBconfig Expert Configuration > Status > IP router statistics > Connection list, with the columns Src address, Dst address, Prot., Src port, Dst port, Timeout, Flags, Filter rule, Src route, Dest route; sample rows show rules ALLOW_HTTP and ALLOW_EMAIL.]

The table contains the following elements:

Element: Element mea
232. ...an be set separately for LAN, WAN and WLAN.

Configuration tool: Call
> WEBconfig, Telnet: Expert configuration > Setup > Config > SSH authentication methods

> Methods:
> All: Allows authentication using password and digital certificate.
> Password: Allows authentication with a password.
> Public key: Only allows authentication with a digital certificate.

Certificate check on SSH access

When establishing the SSH connection, the client first asks the BAT Router which authentication methods are permitted for this connection. If the public key method is allowed, the client searches for private keys that have been installed and transfers these with the user name to the BAT Router. When the BAT Router finds an entry in the list that includes the user name that corresponds to its public SSH key, the SSH connection is permitted. If the client does not have a suitable private key installed, or if the BAT Router does not have a corresponding entry with the user name or public key, the SSH client can revert to authentication with user name/password, as long as this authentication method is permitted.

4.5 Working with configuration files

The current configuration of a BAT can be saved as a file and reloaded in the device, or in another device of the same type, if necessary. Additionally, configuration files can be generated and ed
233. ...an centrally adjust the desired behavior of the Firewall. The following options are available:

> Filter: Fragmented packets are directly discarded by the Firewall.

> Route: Fragmented packets are passed on without any further checking by the Firewall, as long as permitted by valid filter settings.

> Re-assemble: Fragmented packets are buffered and re-assembled to complete IP packets. The re-assembled packets will then be checked and treated according to the valid filter settings.

Session recovery

The Firewall enters all actually permitted connections into the connection list. Entries disappear automatically from the connection list after a certain time (timeout) when no data has been transmitted over this connection any more, re-triggering the timeout.

Sometimes connections are ended according to the general TCP aging settings before data packets requested by an inquiry have been received by the remote station. In this case perhaps an entry for a permitted connection still exists in the connection list, but the connection itself no longer exists.

The parameter "Session recovery" determines the behavior of the Firewall for packets that indicate a former connection:

> Always denied: The Firewall re-establishes the session under no circumstances and discards the packet.

> Denied for default route: The Firewall re-establishes the session only if the packet wasn't received
234. ...anet. LAN: a second local net with private addresses can be linked to the Internet (masking).

> Intranet only: This setting is especially for the Internet access with several static IP addresses. The difference to the case "IP Masquerading switched off" is that, besides the DMZ, the intranet address section with masked private IP addresses is available in the LAN.

The DMZ and the intranet addresses of the BAT are set as follows:

Configuration tool: Run
> LANconfig: TCP/IP > General
> WEBconfig: Expert Configuration > Setup > TCP/IP
> Terminal/Telnet: setup/TCP-IP

11.4.5 Internet access for server in the ...

While the inverse masquerading described in the preceding paragraph allows to expose at least one service of each type (e.g. one Web, Mail and FTP server), this method is bound to some restrictions:

> The masquerading module must support and understand the particular server service of the exposed host. For instance, several VoIP servers use proprietary, non-standard ports for extended signalling. Thus such a server could be used on unmasked connections solely.

> From a security point of view, it must be considered that the exposed host resides within the LAN. When the host is under control of an attacker, it could be misused as a starting point for further attacks against machines in the local network.

Note
235. ...anges in other services.

Note: A requirement for data transfer from/to a logical interface via the LAN bridge is the deactivation of the global isolated mode, which applies to the whole of the LAN bridge. Furthermore, the logical interface must be assigned to a bridge group. With the setting "none", no transfers can be made via the LAN bridge.

> Priority: Sets the priority for the logical interface where the spanning tree protocol is being used. Where multiple connections are available, the interface with the highest priority is used. The smaller the value, the higher the priority. If priorities are the same, then the interface with lower transmission fees is chosen, or alternatively the interface which is highest in the table. Values: 0 to 255. Default: 128.

> DHCP limit: Number of clients which can be handled by DHCP. If the limit is exceeded, the oldest entry is dropped. This feature can be used in combination with the protocol filter table to limit access to just one logical interface. Values: 0 to 255. Special significance: a limit of 0 means there is no limit.

11.7.12 Remote bridge

The remote bridge couples two remote networks as if they were physically connected. They are completely independent of the employed network protocols.

[Screenshot: LANconfig Configure > Bridge (tabs General, Local Filtering, Remote Filtering). Remote bridge enabled; Remote site: DEFAULT; Bridge aging: 30 minutes; Interface assignment.]
236. ...anges to the configuration in test mode: A script triggers a time-delayed system boot; the intervening time period can be used to change and test the device's configuration without risk. Should the changes lead to a failure, the device automatically reboots after the time delay and is reset to its original configuration. Comparable to the FirmSafe function, this variation is a type of "ConfSafe".

> Changes to the configuration after a firmware update can on occasion be impossible to edit in the case of a later downgrade to an older firmware version. If, however, the configuration subsequent to the firmware upgrade is stored in test mode only, then downgrading and subsequently re-booting the system will result in the restoration of the original firmware and its configuration.

5.3.2 Scripting function

Scripting involves the collective transmission of a series of configuration commands to a BAT device, just as if they were entered at a Telnet console or similar. There are two variants of the collective transfer of configuration commands:

> The device is set to script mode by entering the command beginscript at the console. In this mode the commands are not executed individually but are stored in an intermediate memory in the BAT. These commands are only executed after the command exit has been entered.

> Alternatively, the configuration commands are written offline to a script file (text file) and uploaded to the device as a complete script. The co
237. ...ansmission distance is between up to 150 m in open expanses and, in buildings, typically up to 30 m. Due to the different frequency bands in use, IEEE 802.11b is not compatible to IEEE 802.11a.

DSSS

For shielding against interferences by other transmitters which possibly use the same frequency band, the DSSS procedure (Direct Sequence Spread Spectrum) is used for IEEE 802.11b in the 2.4 GHz frequency band. A transmitter normally uses only a very narrow range of the available frequency band for transmission. If exactly this range is used by another transmitter, interferences in transmission would be the result. With the DSSS procedure the transmitter uses a broader spread of the possible frequencies and thus becomes more insensitive to narrow-band disturbances. This procedure is also used in the military range for increasing tap-proof security.

IEEE 802.11g (54 Mbps)

The IEEE 802.11g standard works likewise with up to 54 Mbps data transmission rate in the 2.4 GHz ISM frequency band. Contrary to IEEE 802.11b, the OFDM modulation is used for IEEE 802.11g, as already introduced for IEEE 802.11a. IEEE 802.11g contains a special compatibility mode that ensures a downward compatibility to the popular IEEE 802.11b standard. However, in this compatibility mode you encounter reduced transmission speeds. Due to the different frequency bands, IEEE 802.11g ca
238. ...aragraph. For this reason your BAT base station operates without problems and reliably also with devices of other manufacturers. Your BAT base station supports, according to the model type, the standards IEEE 802.11g (downward compatible to IEEE 802.11b) and/or IEEE 802.11a.

1 Institute of Electrical and Electronic Engineers: international association which established, i.a., numerous technology standards.

The operation of the integrated wireless card of your base station is only possible in one single frequency band, that is either 2.4 GHz or 5 GHz. Thus a simultaneous operation of IEEE 802.11g and IEEE 802.11a is not possible. Since IEEE 802.11g is downward compatible to IEEE 802.11b, a simultaneous operating of these two standards is possible, but with certain speed constraints.

Transfer rates in compatibility mode

[Screenshot: LANconfig WLAN dialog (tabs WEP, WEP Keys, Point-to-Point, Client mode; Operation, General, Radio, Transmission). Frequency band: 2.4 GHz; Subbands; Channel number: Channel 10 (2.457 GHz); 2.4 GHz mode options: 802.11g/b compatible, 802.11g/b 2 Mbit compatible, 802.11b only (11 Mbit).]

Please notice that the reached data transfer rates depend on the used 2.4 GHz mode. You will achieve the highest transfer rates with a base station operating in the 802.11g mode. The transfer rate will go
239. arding. The use of virtual routers when using port forwarding demands an exact selection of the remote station. [Screenshot: port forwarding entry: First port 80, Last port 80, Remote site DEFAULT, Intranet address 10.0.0.20, Map port, Protocol, WAN address 0.0.0.0, Entry active, Comment] Configuration tool: LANconfig: IP Router > Masq. > Port forwarding table; WEBconfig/Telnet: Expert Configuration > Setup > IP Router > 1-N-NAT > Service table. Start port: D-port from start port. End port: D-port to end port. Peer: Remote station which applies for this entry. If no peer is entered, then the entry applies to all peers. Intranet address: Intranet address that a packet within the port range is forwarded to. Map port: Port used for forwarding the packet. Protocol: Protocol which applies for this entry. Values: TCP, UDP, TCP+UDP. Default: TCP+UDP. WAN address: WAN address which applies for this entry. If the device has more than one static IP address, then this allows port forwarding to be limited to certain connections. Values: Valid IP address. Default: 0.0.0.0. Particular values: With the IP address 0.0.0.0 the address assigned to the connection will be used automatically. Entry active: Switches the entry on or off. Comment: Comment on the defined entry (64 characters).
240. are excluded from taking part in the wireless LAN. Activate the closed network mode if you wish to prevent WLAN clients using the SSID ANY from registering with your network. Enable MAC filter: In the MAC filter list (WLAN Security > Stations > Stations) the MAC addresses of the clients are entered which may connect to the access point. With the switch MAC filter enabled, the MAC filter list for single logical networks can be switched off. Note: The MAC filter list is always required in logical networks in which clients log in with an individual passphrase over LEPS. The passphrase used with LEPS must also be entered in the MAC filter list. For the login with an individual passphrase, the MAC filter list is always considered, even if the option is deactivated at this place. Maximum count of clients: Here you can specify the number of clients that can connect to the access point. Further clients are rejected. Client Bridge Support: Enable this option for an access point if you have enabled the client bridge support in the WLAN client mode for a client station. Note: The client bridge mode can only be used between two BAT devices. Configuration with WEBconfig or Telnet: Under WEBconfig or Telnet you can set the network settings for the logical WLAN interface under the following paths: Configuration tool / Menu / Table: W
241. area on the General tab. The Interfaces section allows you to select from a list the physical WLAN settings for the desired WLAN interface. Note: The devices have either one or more WLAN interfaces, depending on model. The WLAN interface is enabled from the Operation tab. In addition, the WLAN operating mode is set to Station (client mode). [Screenshot: Physical WLAN settings, WLAN interface 2, Operation tab: WLAN interface enabled; WLAN operation mode: Access Point / Station (Client mode)] Note: A WLAN interface can only be set to one of the two operating modes. Simultaneous operation of a WLAN interface as both access point and client is not supported. Many models cannot be operated as an access point. In this case the WLAN operating mode is permanently set to Client. Under WEBconfig or Telnet the setting for the operating mode of the physical WLAN interface can be found under the following paths: WEBconfig: Expert configuration > Setup > Interfaces > WLAN > Operational settings; Terminal/Telnet: Setup/Interfaces/WLAN/Operational settings. Client settings: For BAT Wireless Routers in client mode, further settings (client behavior) can be configured from the Client mode tab under the settings for the physical interfa
242. arry out trace requests with LANmonitor. [Screenshot: LANmonitor device tree (Wireless LAN, WAN connections, Certificates, Firewall, System information, VPN) with the context menu View VPN Connections, View Accounting Information, View Firewall Event Log, View Device Activities, Device Activities Logging, Reset Charge and Time Limits, Ping; firewall event 04/29/2008 16:30:05 intruder detection, Packet dropped] The trace function in LANmonitor exceeds the standard trace functions available from Telnet and offers greater convenience in the generation and analysis of traces. For example, the current trace configuration for activating the necessary trace commands can be stored to a configuration file. An experienced service technician can set up a trace configuration and provide it to a less experienced user for executing specialized trace requests for a device. The trace results can also be stored in a file and returned to the technician for analysis. LANmonitor has the following buttons for operating the trace module: Opens a pre-defined configuration for the trace command. This allows you to carry out trace commands precisely as required by the service technician, for example. Stores the current trace configuration to be passed on to a user. Opens a fi
243. as the standard for server-based authentication, authorization and billing, RADIUS is now being used for applications outside of its original design purpose, for example in combination with EAP (802.1x), and a number of deficits have become apparent: RADIUS operates via UDP and thus offers no native procedure for packet-loss detection. Although this is no problem in a LAN environment, it is becoming increasingly important over WAN connections or on the Internet. RADIUS is equipped only with simple procedures for authentication by means of a shared secret and a low level of confidentiality. RADSEC is an alternative protocol that transmits RADIUS packets through a TLS-encrypted tunnel. TLS is based on TCP, thus providing a proven mechanism for monitoring packet loss. Furthermore, TLS is highly secure and it features a method of mutual authentication by means of X.509 certificates. 12.11.1 Configuring RADSEC for the client (BAT as a RADIUS client): To function as a RADIUS client, a BAT is set up to use RADIUS via UDP or RADSEC via TCP with TLS. Additionally, the port to be used has to be set: 1812 for authentication with RADIUS, 1813 for billing with RADIUS and 2083 for RADSEC. These settings are made at all locations where a BAT is configured as a RADIUS client: WEBconfig: Setup > WAN > RADIUS; WEBconfig: Setup > WLAN > RADIUS access check; WEBconfig: Setup > WLAN > RADIUS accounting; WEBconfig: Setup > Public spot mod
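To make the "shared secret only" weakness of plain RADIUS concrete, here is an added example (not code from the BAT54 manual or LCOS) implementing the two RFC 2865 mechanisms that rest on nothing but the secret: the MD5 Response Authenticator a client can verify on a server reply, and the MD5/XOR hiding of the User-Password attribute. The secret, Request Authenticator and credentials are constructed values.

```python
"""RFC 2865 shared-secret mechanics of classic RADIUS over UDP (added example).

  Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
  User-Password hiding   = 16-byte blocks XORed with MD5(Secret + previous block),
                           the first "previous block" being the Request Authenticator

Both depend only on the shared secret and a 16-byte Request Authenticator; there
is no session key and no certificate, which is why the text recommends RADSEC
(TLS with X.509 mutual authentication) once RADIUS leaves the LAN.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2


def _attr(attr_type: int, value: bytes) -> bytes:
    # RADIUS attribute TLV: Type(1) Length(1, header included) Value
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to a multiple of 16, then c_i = p_i XOR MD5(S + c_{i-1})."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out, prev = out + c, c
    return out


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password (a password ending in NUL bytes loses them to padding)."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        c = hidden[i:i + 16]
        out, prev = out + bytes(x ^ y for x, y in zip(c, b)), c
    return out.rstrip(b"\x00")


def build_packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    # Header: Code(1) Identifier(1) Length(2) Authenticator(16), then attributes
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def build_access_request(secret: bytes, ident: int, request_auth: bytes,
                         user: bytes, password: bytes) -> bytes:
    """What a RADIUS client sends to UDP/1812; the Request Authenticator is random."""
    attrs = _attr(ATTR_USER_NAME, user)
    attrs += _attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs)


def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(secret: bytes, code: int, ident: int,
                   request_auth: bytes, attrs: bytes = b"") -> bytes:
    """Server reply (e.g. Access-Accept) authenticated only by the shared secret."""
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return build_packet(code, ident, auth, attrs)


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client-side check of a reply: length field sane, authenticator matches."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, ident, packet[20:], request_auth, secret)
    return hmac.compare_digest(expected, packet[4:20])


if __name__ == "__main__":
    secret = b"constructed-shared-secret"     # constructed sample value
    req_auth = os.urandom(16)                 # fresh per request, as RFC 2865 requires
    req = build_access_request(secret, 7, req_auth, b"wlan-user", b"constructed-pw")
    reply = build_response(secret, ACCESS_ACCEPT, 7, req_auth)
    print("request bytes:", len(req), "reply verifies:", verify_response(reply, req_auth, secret))
    print("reply with wrong secret verifies:", verify_response(reply, req_auth, b"other"))
```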
245. ase. Configuration and management, 4.8 Managing administrators' rights. Said differently, it is a disjunction of the hexadecimal values.
Description | Value
Security Wizard | 0x00000002
Selection of Internet provider | 0x00000008
RAS Wizard | 0x00000010
Change time | 0x00000040
WLAN Link Test | 0x00000100
Disjunction | 0x0000015a
Examples: The following command sets up a new user in the table who, as local administrator Smith with the password BW46zG29, can select the Internet provider. The user will be activated immediately: set Smith BW46zG29 yes Admin-RW 00000008. The following command extends the function rights such that user Smith can also run the WLAN link test (the asterisks stand for the values which are not to be changed): set Smith * * * 00000108. 4.8.4 Limitation of the configuration commands: The availability of commands when configuring the devices with Telnet or a terminal program depends on the user's rights.
Command | Supervisor | Local administrator | Remark
activateimage | yes | no |
cfgreset | yes | no |
linktest | yes | no | The linktest command can also be executed if the user possesses the function right to carry out a WLAN link test.
readconfig | yes | no |
writeconfig | yes | no |
writeflash | yes | no |
setenv | yes | yes |
testmail | yes | yes |
time | yes | yes | The time command can also be executed if the user possesses the function right to set the system time.
Configuration and mana
246. assignment at various levels. The configuration options applied here are described in the following chapters. [Figure: physical interfaces (ETH 1 to ETH 4, WLAN 1) are mapped to logical interfaces, then to logical interfaces with VLAN tags and bridge groups, then to IP networks] The assignment of IP networks to interfaces proceeds as follows: The various models have different numbers of physical interfaces, i.e. Ethernet ports or WLAN modules. The logical interface(s) is/are assigned to the physical interface. For the Ethernet ports, Ethernet port mapping assigns the physical ETH 1 to ETH 4 to the logical LAN 1 to LAN 4. Note: For some, but not all, models the number of logical LAN interfaces corresponds to the number of physically available Ethernet ports. In the case of the WLAN modules, the establishment of point-to-point connections (P2P) and/or the use of Multi-SSID can mean that multiple WLAN interfaces are assigned to each physical WLAN module. Per module this may be up to eight WLAN networks and up to six P2P connections. These logical interfaces are further specified and grouped in the next stage. For devices supporting VLAN, multiple VLANs can be defined for each logical in
247. ast connection: two independent channels, higher transmission rates than analog (up to 128 Kbit/s), uses the old analog lines, comfort features (call forwarding, callback on busy etc.), supports both analog and digital services. ISM frequency band: Industrial, Scientific, Medical; license-free frequency bands which can be used for industrial, scientific and medical purposes. ISP: Internet Service Provider; service provider with a connection to the Internet backbone who provides connection points for end customers. LCOS: LANCOM Operating System; uniform operating system for BAT products. LAN: Local Area Network; local network limited to one site. LANcapi: Virtual CAPI which is provided over the network. With LANcapi, which is implemented in all BAT routers with ISDN interfaces, a PC connected to the LAN can use ISDN telematic services. LANconfig: Software for configuration of BAT devices under Windows. LANtools: Diverse, user-friendly set of tools for the management and monitoring of BAT products and systems. MAC: Media Access Control; radio access protocol on ISO Layer 2 (data link); it defines packet format, packet addressing and error detection. MAC address: Serial number of a network component which is assigned by the manufacturer. Mbit: Megabit; standard unit for the specification of data quantities in the context of bandwidths. MIC: Message Integrity Check; cryptographic integrity prot
248. at 0 on a gateway, then the tag from the VPN name list table is used. The VPN routing tag parameters can be found under Setup > VPN > VPN Peers or Setup > VPN > Additional Gateways, and under LANconfig in the configuration area VPN on the General tab by clicking on Connection List and Other remote gateways in the list. Routing tags for PPTP connections: In the PPTP table, a routing tag can be entered in addition to the IP address of the PPTP server. Using this routing tag, two or more DSL modems that use a single IP address can be operated on different DSL ports.
Peer | IP Address | Rtg tag | Port | SH time
PEER01 | 10.0.0.138 | 1 | 1723 | 9999
PEER02 | 10.0.0.138 | 2 | 1723 | 9999
In the IP routing table two appropriately tagged routes are required:
IP address | IP netmask | Rtg tag | Peer or IP | Distance | Masquerading
10.0.0.138 | 255.255.255.255 | 2 | PEER02 (PPTP) | 0 | No
10.0.0.138 | 255.255.255.255 | 1 | PEER01 (PPTP) | 0 | No
192.168.0.0 | 255.255.0.0 | 0 | 0.0.0.0 | 0 | No
172.16.0.0 | 255.240.0.0 | 0 | 0.0.0.0 | 0 | No
10.0.0.0 | 255.0.0.0 | 0 | 0.0.0.0 | 0 | No
224.0.0.0 | 224.0.0.0 | 0 | 0.0.0.0 | 0 | No
255.255.255.255 | 0.0.0.0 | 0 | PEER-LB | 0 | yes
Using these settings and the corresponding entry in the load balancing table, load balancing can be performed that would also work in Austria.
Peer | Bundle Peer 1 | Bundle Peer 2 | Bundle Peer 3
PEER-LB | PEER01 | PEER02 |
249. ata rates indicated by the provider as the guaranteed data rate (see also The queue concept, page 315). The external overhead considers information added to the packets during the data transfer. Concerning applications with small data packets, e.g. Voice over IP, this extra overhead is quite noticeable. Examples for the external overhead: PPPoEoA: 36 bytes (additional headers, loss by not completely used ATM cells). PPTP: 24 bytes (additional headers, loss by not completely used ATM cells). IPoA LLC: 22 bytes (additional headers, loss by not completely used ATM cells). IPoA VC-MUX: 18 bytes (additional headers, loss by not completely used ATM cells). Cable modem: 0 (direct transfer of Ethernet packets). WEBconfig/Telnet: Under WEBconfig or Telnet the restrictions of data transfer rates for Ethernet, DSL and DSLoL interfaces are entered at the following places: WEBconfig: Setup > Interfaces > DSL Interfaces; Telnet: Setup/Interfaces/DSL-Interfaces. Note: Only upstream and downstream rates are indicated in Kbps; external overhead in bytes/packet. 9.7.4 Sending and receiving direction: LANconfig: The interpretation of the data transfer direction can be adjusted in LANconfig when defining the QoS rule. [Screenshot: QoS rule dialog with the tabs General, Actions, QoS, Stations, Service; Quality of Service settings] The Quality Of Service
250. ation. EAP is not a specific authentication mechanism; it is more like a framework for various authentication methods. The LCOS RADIUS server supports a range of EAP methods: EAP-MD5, defined in RFC 2284: EAP-MD5 is a simple challenge-response protocol. It does not cater for mutual authentication, nor does it offer a dynamic key such as those required for 802.1x authentication in wireless networks (WLANs). Thus it is only used for the authentication of non-wireless clients, or as a tunneled method as a part of TTLS. EAP-MSCHAPv2, defined in draft-kamath-pppext-eap-mschapv2-01.txt: As opposed to EAP-MD5, EAP-MSCHAPv2 does support mutual authentication, but does not support dynamic keys, making it just as prone to dictionary attacks as EAP-MD5. This method is usually used within PEAP tunnels. EAP-TLS, defined in RFC 2716: The use of EAP-TLS requires the use of a root certificate, a device certificate and a private key in the device. EAP-TLS provides outstanding security and the dynamic keys necessary for wireless connections; its implementation is complex, however, because each individual client requires a certificate and a private key. Note: Please note that the TLS implementation in LCOS does not support certificate chains or certificate revocation lists (CRLs). EAP-TTLS, defined in draft-ietf-pppext-eap-ttls-05.txt: TTLS is based on TLS; it does
251. ation. One possibility to resolve these problems are virtual LANs (VLANs) as described in IEEE 802.1p/q. By this concept, several virtual LANs are defined on a physical LAN which do not obstruct each other and which also do not receive or tap the data traffic of the respective other VLANs on the physical Ethernet segment. 10.2 This is how a VLAN works: By defining VLANs on a LAN, the following goals should be achieved: Data traffic of certain logical units should be shielded against other network users. Broadcast traffic should also be reduced to logical units, not bearing a burden on the entire LAN. Data traffic of certain logical units should be transmitted with a specific priority compared to other network users. An example to clarify: A switch is connected to a hub within a LAN, which connects four stations from the marketing department to the network. One server and two stations of the accounting department are directly connected to the switch. The last section is the base station of a wireless network where four WLAN clients from the sales department reside. The stations from marketing and sales should be able to communicate with each other. Additionally, they should be able to access the server. The accounting department also needs access to the server, but should otherwise be shielded against the other stations. LAN seg
252. ation files and thus makes the simultaneous administration of multiple devices a reality. 5.4 Group configuration with LANconfig: The partial configuration files with the common parameters for a group of BAT devices are, just like the full configuration files, stored on hard disk or on a server. To aid the configuration of entire groups of devices, links to the partial configuration files are created under LANconfig to provide a convenient connection between the device entries in LANconfig and these partial configuration files. Note: Group configuration is supported only by BAT devices with a firmware version LCOS 5.00 or higher. LCOS version 5.00 initially supports the group configuration of WLAN devices. Later firmware versions will also support further types of group configuration, such as the VPN parameters. Refer to the BAT web site www.hirschmann.com for more information about the latest firmware versions and the additional possibilities of group configuration. 5.4.1 Create a group configuration: A requirement for working with group configuration is the grouping of devices within folders. These LANconfig folders contain those device entries which are effectively managed by common partial configurations, and the group configurations as links to the partial configuration files. Group configuration with a new partial configuration file: Create a new folder and mo
253. ations. If the stations do not answer these packets, then the charging system recognizes the station as no longer active. Configuration with LANconfig: For configuration with LANconfig you will find the general WLAN access settings under the configuration area WLAN Security on the General tab. [Screenshot: WLAN Security, General tab: Data traffic between the individual stations: Allow data traffic between the individual stations / Do not allow data traffic between those stations that are associated to this access point / Do not allow data traffic between the individual stations; Monitor stations to recognize inactive ones; Mobile stations can roam between the access points in the local network] Configuration with WEBconfig or Telnet: Under WEBconfig or Telnet you will find the general WLAN access settings under the following paths: WEBconfig: Expert configuration > Setup > WLAN > Inter-station-traffic, Monitor-stations or IAAP-protocol (for roaming); Terminal/Telnet: cd /Setup/WLAN, then Inter-station-traffic, Monitor-stations or IAAP-protocol (for roaming). Access Control List: With the Access Control List (ACL) you can permit or prevent the access to your wireless LAN by individual clients. The decision is base
254. ay outputs. trace ip-router GEGENSTELLE A GEGENSTELLE B: switches on all trace outputs for IP routers related to remote site A or B. trace ip-router GEGENSTELLE A ICMP: switches on all trace outputs for IP routers related to remote site A or B that do not use ICMP. trace ip-router GEGENSTELLE A GEGENSTELLE B ICMP: switches on all trace outputs for IP routers related to remote site A or B that use ICMP. trace ip-router "TCP port 80": switches on all trace outputs from the IP router with TCP/IP and port 80 ("port 80" is in quotes so that the space is recognised as a part of the string). 6.1.7 Recording traces: Traces can be conveniently recorded under Windows, e.g. as an aid to Support, and we recommend you do this as follows: Start the program HyperTerminal under Start > Programs > Accessories > Communications > HyperTerminal. Enter a name of your choice when prompted to do so. [Screenshot: Connect To dialog: Host address 192.169.2.10, Port number 23, Connect using TCP/IP (Winsock)] In the window Connect to, use the pulldown menu Connect using and select the entry TCP/IP. As Host address enter the local, official IP address or the FQDN of the device. After confirmation, HyperTerminal displays a request to log in. Enter the configurat
255. ay you can be quite sure not to have overlooked anything important during the security configuration of your BAT. Have you assigned a password for the configuration? The simplest option for the protection of the configuration is the establishment of a password. As long as a password hasn't been set, anyone can change the configuration of the device. The box for entering the password is located in LANconfig in the Management configuration area on the Security tab. It is particularly advisable to assign a password to the configuration if you want to allow remote configuration. Have you permitted remote configuration? If you do not require remote configuration, then deactivate it. If you require remote configuration, then be sure to assign a password protection for the configuration (see previous section). The field for deactivating the remote configuration is also contained in LANconfig in the Management configuration area on the Security tab. Under Access Rights > From remote networks select "denied" for all configuration types. Have you permitted the configuration of wireless networks? If you do not require the configuration from wireless networks, switch it off. The field for switching off the configuration from wireless networks you can also find in LANconfig in the Management configuration area on the Security tab. Under Access Rights > From the wireless LAN select "denied" for all configuration types.
256. be realized. By using the interface tag, a virtual router uses only a part of the routing table for an IP network, and in this way controls the routing specifically for that one IP network. This method allows, for example, several default routes to be defined in the routing table, each of which is given a routing tag. Virtual routers in the IP networks use the tags to select the default route which applies to the IP network with the appropriate interface tag. The separation of IP networks via virtual routers even permits multiple IP networks with one and the same address range to be operated in parallel in just one BAT Router without problem. For example: Within an office building a number of companies have to be connected to the Internet via a central BAT Router, even though each of these companies has its own Internet provider. All of the companies want to use the popular IP network 10.0.0.0 with the netmask 255.255.255.0. To implement these requirements, each company is given an IP network 10.0.0.0/255.255.255.0 with a unique name and a unique interface tag. In the routing table a default route with the corresponding routing tag is created for each Internet provider. This allows the clients in the different company networks, all of which use the same IP addresses, to access the Internet via their own provider. Employing VLANs enables l
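The tag-based route selection described here, and the tagged PPTP routes in item 248, as an added example (not code from the BAT54 manual or LCOS): a small routing-table lookup in which a packet carries the interface tag of the IP network it came from. Assumptions made here: a route is eligible when its Rtg-tag equals the packet's tag or is 0 (treated as common to all virtual routers); the longest matching prefix wins, and on equal prefix an exact-tag route beats a tag-0 route. The table rows for the two companies' providers and the shared network are constructed.

```python
"""Routing-table lookup with routing tags (added example, assumptions in the lead-in)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Iterable, Optional


@dataclass(frozen=True)
class Route:
    network: IPv4Network  # "IP address" + "IP netmask" columns of the routing table
    rtg_tag: int          # routing tag; 0 = common to every virtual router (assumption)
    peer: str             # remote station the packet is handed to


def lookup(table: Iterable[Route], dst: str, tag: int) -> Optional[str]:
    """Return the peer for dst as seen by the virtual router with interface tag `tag`.

    Routes carrying a different non-zero tag are invisible to this virtual router,
    which is what keeps two networks that both use 10.0.0.0/24 apart.
    """
    addr = IPv4Address(dst)
    best_key, best_peer = None, None
    for r in table:
        if addr not in r.network or r.rtg_tag not in (0, tag):
            continue
        key = (r.network.prefixlen, 1 if r.rtg_tag == tag else 0)
        if best_key is None or key > best_key:
            best_key, best_peer = key, r.peer
    return best_peer


# Constructed table: one default route per provider (tags 1 and 2), the two tagged
# PPTP routes from item 248, and one untagged network reachable from both companies.
EXAMPLE_TABLE = [
    Route(IPv4Network("0.0.0.0/0"), 1, "ISP-A"),
    Route(IPv4Network("0.0.0.0/0"), 2, "ISP-B"),
    Route(IPv4Network("10.0.0.138/32"), 1, "PEER01"),
    Route(IPv4Network("10.0.0.138/32"), 2, "PEER02"),
    Route(IPv4Network("192.168.50.0/24"), 0, "SHARED-SERVICES"),
]

if __name__ == "__main__":
    for tag in (1, 2, 3):
        # Tag 3 has no default route of its own: that network gets no Internet at all.
        print(f"tag {tag}: 203.0.113.9 -> {lookup(EXAMPLE_TABLE, '203.0.113.9', tag)}, "
              f"10.0.0.138 -> {lookup(EXAMPLE_TABLE, '10.0.0.138', tag)}")
```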
257. ble. Terminal/Telnet: setup/IP-router/masquerading/service-table. Note: Stateful Inspection and inverse masquerading: If in the masquerading module a port is exposed, i.e. all packets received on this port should be forwarded to a server in the local area network, then with a Deny All firewall strategy this requires an additional entry in the Stateful Inspection Firewall which enables the access of all stations to the respective server. 11.4.3 Free translation of TCP/IP ports on masked connections: If IP masquerading is used over a connection, the IP address of the computer in the local network is hidden behind the IP address of the router. So that individual computers in a LAN can still be contacted, inverse masquerading is used, whereby an incoming port range in the service table is assigned to a particular IP address in the LAN. On occasion it is desirable for the exposed host not to be contacted over this standard port, e.g. when security reasons demand the use of another port. In this case it is not only necessary to map the ports to an IP address, but to translate between ports as well. Another example of port mapping is the translation of multiple WAN ports to one common port in the LAN, but to different IP addresses (N-IP mapping). The configuration of port mapping involves the assignment of a port or port range (start port to e
258. ble. [Screenshot field: Device VLAN ID] 10.5 Configurable VLAN IDs. 10.5.1 Different VLAN IDs per WLAN client: VLANs are usually connected to a LAN interface on the BAT. Therefore all packets that pass through this interface receive the same VLAN ID when the VLAN module is enabled. However, in some cases administrators will want to assign different WLAN users to different VLANs. This can be accomplished by assigning a special VLAN ID to each MAC address under Setup > WLAN > Access List. The client-specific VLAN ID can take on values from 0 to 4094. The default value of 0 stands for an unspecified VLAN ID. In such a case the client will be assigned to the VLAN port of the logical WLAN. The following requirements must be met in order to ensure successful client-specific VLAN assignment: VLAN operation must be enabled. The VLAN IDs that are to be assigned to the individual clients must be included in the VLAN network table. The LAN interfaces and all WLAN interfaces that are used by the clients must be assigned to the corresponding VLAN. 10.5.2 Special VLAN ID for DSLoL interfaces: In order to better separate the data traffic on a DSLoL interface from other traffic, a VLAN ID can be set up for the DSLoL interface under Setup > Interfaces > DSLoL, or in LANconfig in the configuration area Interfaces using the WAN tab under the interface settings.
259. bution you might have to replace your version with one that provides SSL. The SSL-encrypted Telnet connection is started with the command: C:\> telnet -z ssl 10.0.0.1 telnets. Change the language of the display: The terminal can be set to English and German modes. The display language of your BAT is set to English at the factory. In the remaining documentation all configuration commands will be provided in English. To change the display language to German, use the following commands (run when English is the selected language): WEBconfig: Expert configuration > Setup > Config > Language; Telnet: set /Setup/Config/Language German. Terminating Telnet: To terminate the configuration using Telnet, e.g. from the Windows command line, use the command: C:\> exit. The structure of the command line interface: The BAT command line interface is always structured as follows: Status: Contains all read-only statistics of the individual SW modules. Setup: Contains all configurable parameters of all SW modules of the device. Firmware: Contains all firmware management relevant actions and tables. Other: Contains dialling, boot, reset and upload actions. Command line reference: Navigating the command line can be accomplished by DOS- and UNIX-style commands as follows. Note: For executing some commands, Supervisor rig
260. c WLAN and security from the ground up. The result is a set of standardized methods that enable the construction of secure and manufacturer-independent WLANs in line with current standards. On the way from the original WEP of the 802.11 standard to 802.11i, a whole series of concepts have arisen that have tended to increase confusion and insecurity among the users. This chapter should help to explain the concepts and the processes used, in chronological order of their development. 3.2.1 Some basic concepts: Even though one constantly hears the blanket term "security" when talking about computer networks, it is still important for the coming exposition to differentiate a little more closely between the requirements it actually entails. Authentication: The first point in security is access security. Here a protective mechanism is involved which allows access to the network only to authorized users. On the other hand, however, it must also be ensured that the client is connected to the precise desired access point, and not with some other access point with the same name which has been smuggled in by some nefarious third party. Such an authentication can be provided, for example, using certificates or passwords. Authenticity: Proof of the authorship of the data and the originality of the data content; the process of establ
261. called Dynamic DNS service providers, e.g. www.dynDNS.org. Thereby a BAT becomes available under a certain DNS-resolvable name (FQDN, fully qualified domain name), for example http://my-bat.dynDNS.org. The advantage is obvious: If you want to accomplish e.g. remote maintenance for a remote site without ISDN available (e.g. over WEBconfig/HTTPS), or to connect with the VPN Client to a branch office with a dynamic IP address, then you just need to know the appropriate Dynamic DNS name. How to deposit the current IP address at the Dynamic DNS server: All Dynamic DNS providers support a set of client programs which can determine the currently assigned WAN IP address of a BAT via different methods and transfer this address, in case of a change, to their respective Dynamic DNS server. [Figure: BAT, PC with DynDNS client program, server at the DynDNS provider] The current WAN IP address of a BAT can be picked up under the following address: http://<address of Device>/config/1/6/8/3/ [Screenshot: IP detection settings: Check IP every 300 sec; Warning: Remote IP detection won't occur less than every 10 minutes; Enable detection on local machine; http://10.1.80.125/config/; http://directupdate.free.fr/check_ip.php3; http://checkip.dyndns.org; http://www.hn.org/YourIP/YourIP.cgi; http://upsys.de/dyndns/check_ip.php3; Can be moved to preserve bandwi
262. can be used to transfer content between the configuration windows via the Windows clipboard. Multithreading allows changes to both the internal configurations of the available devices and to the configuration files. Each configuration is written separately to the file and to the device when the dialog is closed. 5.2.4 Better overview in LANconfig with more columns: Even for large-scale projects, a better overview and quicker orientation are facilitated in LANconfig by the columns featuring device-related details that can be displayed or concealed according to your needs. Simply click on the column header with the right-hand mouse button and use Select columns. The menu item Arrange icons allows you to sort the items as you prefer. The following details can be displayed in the various columns: Device name, Description, Address, Device status, Progress, Device type, Hardware release, Serial number, MAC address, Firmware version (active), Firmsafe, 1. Image version, 2. Image version. [Screenshot: LANconfig main window with the View > Arrange Icons menu open]
263. …cance of the Rx and Tx values depends on the device's operating mode. In this case, as an access point, Rx stands for "Send data" and Tx stands for "Receive data".

Configuration with LANconfig
The maximum bandwidths for the connected clients are entered in LANconfig in the MAC access list, in the "WLAN Security" configuration area on the "Stations" tab page.

[Screenshot: "Filter stations" dialog with the fields MAC address, Name, Passphrase (optional), TX bandwidth limit, RX bandwidth limit, Comment and VLAN ID]

Configuration with WEBconfig, Telnet or SSH
Under WEBconfig, Telnet or SSH client you will find the MAC access list under the following paths:
Configuration tool | Menu/Table
WEBconfig | Expert configuration > Setup > WLAN > Access list
Terminal/Telnet | Setup/WLAN/Access-List

3.9.2 Operating as a Client
If the device is operated as a WLAN client, the device can transmit its maximum bandwidth when it registers with the access point. The access point then provides the actual maximum bandwidths, with proprietary limits for this client where necessary.
Note: The significance of the Rx and Tx values depends on the device's operating mode. In this ca…
264. …cases only the firewall settings that have been changed will be recorded in the script. The following options can be used with the readscript command:
-d (default): The commands for modifying parameters that are set to the factory settings will be listed as well. These long scripts are useful for transferring configurations between different types of devices or between devices with different firmware versions, as the factory settings can vary.
-n (numeric): This suffix causes the paths to be output in the numeric form of the SNMP description instead of plain text. This also facilitates the transfer of scripts between devices with different firmware versions, as the path names may change but the SNMP tree generally does not.
-c (comment): In combination with -d and -n, this parameter generates additional comments which make the script easier to read. For the parameter -d, every command combination that sets a default value is marked with "default value". With -n, each numeric path is supplemented with its plain-text equivalent.
-m (minimize): This parameter removes any gaps in the script, making it more compact.
The "#" character followed by a space at the start of a line are the first characters of a comment; subsequent characters to the end of the line will be ignored. Note: The space after the "#" is obligatory.
del: This command deletes the table in the branch of the menu tree defined with Path. Syntax: del PATH
defaul…
265. …cation Office, www.ctu.cz; Hungary: Communication Authority (HIF), www.hif.hu.
Note: Please inform yourself about the current radio regulations of the country in which you want to operate a Wireless LAN device.

13.4 RFCs supported
RFC | Title
1058 | Routing Information Protocol
1331 | The Point-to-Point Protocol (PPP) for the Transmission of Multi-protocol Datagrams over Point-to-Point Links
1334 | PPP Authentication Protocols
1389 | RIP Version 2 MIB Extensions
1483 | Multiprotocol Encapsulation over ATM Adaptation Layer 5
1542 | Clarifications and Extensions for the Bootstrap Protocol
1552 | The PPP Internetworking Packet Exchange Control Protocol (IPXCP)
1577 | Classical IP and ARP over ATM
1631 | The IP Network Address Translator (NAT)
1877 | PPP Internet Protocol Control Protocol Extensions for Name Server Addresses
1974 | PPP Stac LZS Compression Protocol
2284 | Extensible Authentication Protocol
2104 | HMAC: Keyed-Hashing for Message Authentication
2131 | Dynamic Host Configuration Protocol
2132 | DHCP Options and BOOTP Vendor Extensions
2225 | Classical IP and ARP over ATM
2364 | PPP Over AAL5
2401 | Security Architecture for the Internet Protocol
2402 | IP Authentication Header
2403 | The Use of HMAC-MD5-96 within ESP and AH
2404 | The Use of HMAC-SHA-1-96 within ESP and AH
2405 | The ESP DES-CBC C…
266. …ccess point, but they also increase the WLAN overhead. Default: 100.
DTIM period: This value defines the number of beacons which are collected before multicasts are broadcast. Higher values enable longer client sleep intervals but worsen the latency times. Default: 1.
Beacon order: Beacon order refers to the order in which beacons are sent to the various WLAN networks. For example, if three logical WLAN networks are active and the beacon period is 100 Kµs, then the beacons will be sent to the three WLANs every 100 Kµs. Depending on the beacon order, the beacons are transmitted at times as follows:
Cyclic: In this mode the access point transmits the first beacon transmission at 0 Kµs to WLAN 1, followed by WLAN 2 and WLAN 3. For the second beacon transmission (100 Kµs) WLAN 2 is the first recipient, followed by WLAN 3 and then WLAN 1. For the third beacon transmission (200 Kµs) the order is WLAN 3, WLAN 1, WLAN 2. Thereafter the order starts at the beginning again.
Staggered: In this mode the beacons are not sent together at a particular time; rather, they are divided across the available beacon periods. Beginning at 0 Kµs WLAN 1 only is sent, after 33.3 Kµs WLAN 2, after 66.6 Kµs WLAN 3. At the start of a new beacon period, transmission starts again with WLAN 1.
Simple burst: In this mode the access point always transmits the bea…
267. …ce
> Check: Checks if the selected device can be contacted.
> Firmware upload: Uploads firmware simultaneously to all selected devices.
> Apply Script: Applies a configuration script to all selected devices.

[Screenshot: LANconfig folder "Branch_offices" during a simultaneous firmware upload to several devices, with per-device progress and the log entries "Firmware upload started"]
268. …ces
[Screenshot: Physical WLAN settings for WLAN interface 1, "Client mode" tab with the options Network types (Infrastructure), Create IBSS, Keep client connection alive, Scan bands (2.4 GHz only) and Preferred BSS]
To edit the settings for client mode in LANconfig, go to the "Client mode" tab under the physical WLAN settings for the desired WLAN interface. In "Scan bands", define whether the client station scans just the 2.4 GHz band, just the 5 GHz band, or all of the available bands to locate an access point.

Under WEBconfig or Telnet the settings for client mode can be found under the following paths:
Configuration tool | Menu/Table
WEBconfig | Expert configuration > Setup > Interfaces > WLAN > Client modes
Terminal/Telnet | Setup/Interfaces/WLAN/Client-modes

Radio settings
For the WLAN client to connect to an access point, it needs to use suitable frequency bands (channels). To edit the radio settings in LANconfig, go to the "Radio" tab under the physical WLAN settings for the desired WLAN interface.
[Screenshot: Physical WLAN settings for WLAN interface 2, "Radio" tab with Frequency band (2.4 GHz, 802.11g/b), Sub-bands, Channel number (Channel 10, 2.457 GHz), 2.4 GHz mode (802.11g/b mixed) and 5 GHz mode (54 Mbit/s, normal mode)]
Set the frequency…
269. …ces at different locations, on-site technicians may not be available to carry out the installation and configuration of a BAT. A large part of the configuration can be prepared at headquarters; all that has to be set up on site are a few location-dependent parameters. The Rollout Wizard allows non-expert on-site employees to carry out these last-minute adjustments with the help of a browser. After running the Rollout Wizard, the device is either operational or it can independently retrieve the rest of its configuration from a central storage location.
The parameters for configuration can be found under the following paths:
WEBconfig: Expert Configuration > Setup > HTTP > Rollout Wizard

5.5.1 General settings in the Rollout Wizard
Operating: Switches the Rollout Wizard on or off. After being switched on, the Wizard appears directly on the WEBconfig start page. Possible values: On, Off. Default: Off.
Title: The name for the Rollout Wizard that appears on the start page of WEBconfig. Possible values: maximum 64 alphanumerical characters. Default: Roll-out.

5.5.2 Variables
A maximum of ten variables can be defined, with Index, Ident, Title, Type, Min. Value, Max. Value and Default Value.
Index: Index for the variable. The Rollout Wizard displays the variables in ascending order. Possible values: 1 to 2^32-1. Default: 0.
Ident: Unique ident…
270. …ch, after "Add" or "Edit", the dialogue to define the Firewall rules.

[Screenshot: "Configure Firewall" dialog, tab "Rules", with the rule list (Prio/On/Name): ALLOW_FTP, ALLOW_PING, ALLOW_DNS_FORWARDING, ALLOW_HTTP, ALLOW_VPN, WINS (off), DENY_ALL, and the buttons Add, Edit, Delete. Explanatory text in the dialog: "You can filter or prefer packets according to a variety of criteria to protect your system against unauthorized access or to assure a minimal bandwidth to specific services (Quality of Service), for example."]

Within the dialogue for the definition of filter rules, the following options can be found on different index cards:
> General: Here the name of the Firewall rule is specified, as well as whether further rules should be considered after this rule matched, and whether a VPN rule should be derived from this rule.

[Screenshot: Filter rule "ALLOW_FTP", tab "General", with the options "This rule is active for the firewall", "This rule is used to create VPN rules", "Observe further rules after this rule matches", "This rule tracks connection states (recommended)" and a Comment field]

The option "Observe further rules" can be used to create complex f…
271. …cket filters is the establishing of an FTP connection from a workstation of the own LAN to an FTP server in the Internet. In the generally used active FTP, the client of the protected LAN sends an inquiry from a port of the upper range (> 1023) to port 21 of the server. The client informs the server over which port it is expecting the connection. The server will, as a result, establish a connection from its port 20 to the desired port of the client.
[Figure: client source port 4321 to server destination port 21; server source port 20 to client destination port 4322]
To enable this process, the administrator of the packet filter must open all ports for incoming connections, because he does not know in advance for which port the client will inquire the FTP connection. An alternative is to use passive FTP: thereby the client establishes the connection itself to the server over a particular port which was told to the server before. This process is however not supported by all clients/servers.

If we furthermore compare the Firewall with a porter, this doorkeeper only checks whether he knows the courier with the packet at the door or not. If the courier is known and has ever come into the building before, he has the permission to go in without hindrance, and without being checked also for all following orders, up to the workplace of the addressee.

Stateful Packet Inspection
Stat…
272. …ckets suitably. Preferred data packets will be directly passed on to the LAN up to the guaranteed minimum bandwidth; all remaining data packets are running into congestion. This congestion generally produces a delayed confirmation of the packets. For a TCP connection, the sending server will react to this delay by reducing its sending frequency and adapting itself to the available bandwidth.
The following queues operate on the receiving side:
Deferred Acknowledge Queue: Each WAN interface additionally contains a QoS reception queue which takes up those packets that should be slowed down. The storage period of each individual packet depends on its length and on the actual permitted reception bandwidth on the receiving side. Packets with a minimum reception bandwidth assigned by a QoS rule pass through without any further delay as long as the minimum bandwidth is not exceeded.
Standard reception queue: All packets that do not need special treatment because of an active QoS rule on the receiving side end up here. Packets of this queue are directly passed on resp. confirmed without consideration of maximum bandwidths.

9.4 Reducing the packet length
The preferential treatment of data packets belonging to important applications can be endangered, depending on the situation, by very long data packets of other applications. This is the case e.g. when IP telephony and an FTP data transfer are simultaneously active on the WAN connecti…
273. …configuration
[Screenshot: "DNS" configuration tab with "DNS server enabled", Own domain (internal.com), Validity (2,000 minutes), "Resolve addresses of DHCP clients", "Resolve names of NetBIOS stations", the "Host names" table and "Forwarding"]
The main task of the DNS server is to distinguish requests for names in the Internet from those for other remote stations. Therefore enter all computers in the "Host names" table for which you know the name and IP address, that are not located in your own LAN, that are not on the Internet, and that are accessible via the router.

With the following commands you add stations to the "Host names" table:
LANconfig: TCP/IP > DNS > Host names > Add
WEBconfig: DNS table > Add
Terminal/Telnet: cd /Setup/DNS/DNS-table; set mail.yourdomain.com 10.0.0.99

For example, if you would like to access the mail server at your headquarters (name: mail.yourdomain.com, IP: 10.0.0.99) via the router from a branch office, enter:
[Screenshot: "Host names - New Entry" dialog with the host name and the IP address 10.0.0.99]
Stating the domain is optional but recommended. When you now start your mail program, it will prob…
274. …connection to another PC. WAN connections form a kind of bridge for the communication between networks or for connecting individual computers to the LAN.
Which protocols are used for WAN connections? WAN connections over high-speed ports (e.g. DSL connections) use the IP standard for transmitting packets. Devices with an ISDN interface additionally provide IPX beside IP.
Close cooperation with router modules: Characteristic of WAN connections is the close cooperation with the router modules in the BAT. The router modules (IP and IPX) take care of connecting LAN and WAN. They make use of the WAN modules to fulfil requests from PCs within the LAN for external resources.

11.1.2 What happens in the case of a request from the LAN?
Initially, the router modules only determine the remote station to which a data packet is to be sent. The various parameters for all required connections must be arranged so that a given connection can be selected and established as required. These parameters are stored in a variety of lists, the interaction of which permits the correct connections. A simplified example will clarify this process. Here we assume that the IP address of the computer being searched for is known in the Internet.
[Figure: the user's PC sends a data packet with the Internet IP target address via the router and the provider into the Internet; remote…]
275. …connection will understand the caller even if small parts of the speech got lost. This application aims at sending data packets as fast as possible. The connectionless User Datagram Protocol (UDP) is often used for this kind of application. This protocol also has very little administrative overhead, but chronological delivery of packets is not guaranteed; data packets are simply sent out. Because no confirmation of receipt exists, lost packets never get delivered again.

9.2 Which data packets to prefer
The necessity of a QoS concept results only from the fact that the available bandwidth is not always sufficient for transferring all pending data packets reliably and on time. Load peaks result easily from running large FTP downloads while simultaneously exchanging e-mails and using IP telephones over the data line. In order to meet the demands of the desired data transfer also in these situations, certain data packets must be treated preferentially. For this it is necessary that a BAT first recognizes which data packets should be preferred at all. There are two possibilities to signal the need for a preferential treatment of data packets in the BAT:
The application, as e.g. the software of certain IP telephones, is itself able to mark the data packets appropriately. This marking, the "tag", is set within the header of the IP packets. The…
276. …connections, 11.14 Serial interface
Once an entry in the remote site list has been generated for the WAN interface, this remote station can be used just like any other for routing and WAN connections.

11.14.10 Configuration of a backup connection on the serial interface
The configuration of a backup connection via a modem at the serial interface first of all requires an entry in the Dialup Peers list so that the required remote site can be reached. The following entries will also be required for the configuration of the BAT:
Entry in the backup table: In the backup table, generate an entry for the remote site that is to be used for the backup connection. This remote site is to be allocated to the remote site that is to be called by the modem at the serial interface. The backup table is to be found under the following paths:
Configuration tool | Menu/Table
LANconfig | Communication > Call Management > Backup Table
WEBconfig | Expert configuration > Setup > WAN > Backup table
Terminal/Telnet | Setup/WAN/Backup-table
Entry in the polling table: If the link to the remote station that is to be backed up cannot be checked by LCP polling (with PPP only), then an additional entry in the polling table is required. This involves assigning the remote site an IP address that can be regularly tested with a ping command. The IP address should typically be a computer directly at the opposite end of the connection being tested, e.g. a DNS server.
277. …context menu with further information.
> VPN connections: The list of VPN connections is a log of the 100 most recent VPN connections. The detailed recorded information includes:
[Screenshot: LANmonitor "VPN Connections" window with the columns Name, State, Last Error, Short hold, Connection, Encryption and Algorithm, listing connected and not-connected VPN peers with their remote addresses, the negotiated ciphers (e.g. BLOWFISH 128 bit, AES 128 bit, 3DES 192 bit) and hash algorithms (none or SHA 160 bit)]
278. …correct implementations of TCP/IP protocol stacks. Attacks which profit from fundamental weaknesses are e.g. SYN Flood and Smurf. Attacks aiming at incorrect implementations are all attacks which operate with incorrectly fragmented packets (e.g. Teardrop) or which work with falsified sender addresses (e.g. Land). In the following, some of these attacks are described, along with their effects and possible countermeasures.
SYN Flooding
SYN Flooding means that the aggressor sends, in short intervals, TCP packets with the SYN flag set and with constantly changing source ports to open ports of its victim. As a result, the attacked computer establishes a TCP connection, replies to the aggressor with a packet with the SYN and ACK flags set, and now waits in vain for the confirmation of the connection establishment. Hundreds of half-open TCP connections thereby remain and just consume resources (e.g. memory) of the attacked computer. This procedure can go so far that the victim can accept no more TCP connections or crashes due to the lack of memory.
An appropriate countermeasure of a Firewall is to supervise the number of half-open TCP connections which exist between two stations and to limit it. That means that if further TCP connections between these workstations were established, these connections would be blocked by the Firewall.
Smurf
The Smurf attack works in two stages and paralyze…
279. …costs. Rapid: Uses the RSTP method to compute path costs. Default: Classic.
Bridge priority: Defines the priority of the bridge in the LAN. This can influence which bridge should preferably be made root bridge by the Spanning Tree Protocol. Values: 0 to 65535, where a higher value means a lower priority. Default: 32,768.
Note: So as to maintain compatibility with RSTP, this value should only be adjusted in steps of 4096, owing to the fact that RSTP uses the lower 12 bits of this 16-bit value for other purposes.
Maximum Age: This value defines the time in seconds after which a bridge drops messages received through Spanning Tree as outdated. This parameter defines how quickly the Spanning Tree algorithm reacts to changes, for example due to failed bridges. Values: 0 to 65535. Default: 20.
Hello Time: This parameter defines in seconds in which intervals a device selected to be the root bridge sends Spanning Tree information into the LAN. Default: 2.
Forward Delay: This time in seconds determines how much time must pass at a minimum before a Spanning Tree port can change the status (listening, learning, forwarding). Default: 6.
Note: When using RSTP, the forwarding delay often has no effect because RSTP has suitable mechanisms of its own to prompt a rapid switching into the forwarding state.
Note: Modifying any of th…
280. …ct the menu item Transfer > Capture Text. Choose the required script file and start the transfer.
[Screenshot: terminal program with a file selection dialog ("Look in", "Files of type: Text file") in front of a Telnet session on the device, in which the script commands are executed]
Following the successful completion of the transfer, the script is started automatically.
Please observe the following hints when using a terminal program over the serial interface:
The models BAT54-F and BAT54-F X2 feature a reduced serial interface (Rx, Tx, ground only); hence the hardware handshake has to be deactivated. The BAT54 Rail features a fully fledged serial i…
281. …ctive channel with the right mouse button. You may be required to enter a configuration password.
If you would like a log of the LANmonitor output in file form, select Device > Device Activities Logging and go to the "Logging" tab. Open the dialog for the settings for the activity protocol: click on Tools > Options.
[Screenshot: LANmonitor "Options" dialog, tab "Record Logging", with the filter options Log WAN connections, Log WLAN connections, Log VPN connections, Log LANCAPI connections, Log a/b ports connections, Log actions of Firewall; Buffer: "Load Activity Log file at the start of record", Buffer size 100 lines, "Stop record if buffer size is reached"]
On the "Protocol" tab you can define whether the following activities should be protocolled: WAN connections, WLAN connections, VPN connections, LANCAPI connections, a/b port connections, Firewall actions. You can also specify whether LANmonitor should create a log file daily, monthly or on an ongoing basis.

5.7.4 Tracing with LANmonitor
Traces can be executed very easily with LANmonitor. Simply click on the entry for the device with the right-hand mouse key and select "Traces" from the context menu.
Note: Telnet access to the device must be enabled to c…
282. …d. The user can therefore also be authenticated using a RADIUS server.

12.9 RADIUS
RADIUS stands for Remote Authentication Dial-In User Service and is referred to as a "triple A" protocol. The three A's stand for Authentication, Authorization and Accounting (billing). This protocol allows you to grant users access to a network, to assign them certain rights, and to track their actions. Where necessary, the RADIUS server can also be used in the billing of user services such as WLAN hot spots. For every action performed by the user, the RADIUS server can run an authorization procedure, releasing or blocking access to network resources on a per-user basis.
Three different devices are required for RADIUS to work:
Client: This is a device (PC, notebook etc.) from which the user wishes to dial in to the network.
Authenticator: A network component positioned between network and client, which forwards on the authorization. This task can be performed by a BAT Access Point, for example. The authenticator is referred to as the Network Access Server (NAS).
[Figure: client, authenticator (NAS) and RADIUS server]
Authentication server: RADIUS server on which user data is configured. This is usually located within the same network for which it issues access authorizations. It is accessible to the client via the authenticator. Some scenarios may also allow the use of a BA…
283. …d (default: AT&F).
Initialize command (default: ATL0M1X1S0=0): L0 loudspeaker quiet; M1 loudspeaker on while connecting; X1 operation at an extension; S0=0 disable auto answering.
Deactivate modem echo (default: ATE0).
AT polling cycle time (default: 1, in seconds).
AT polling count (default: 5).
Ring count (default: 1).
Initialize answer command.
Answer command (default: ATA).
Initialize dial command.
Dial command (default: ATDT).
Escape sequence to terminate the data phase resp. to return to the command phase (default: +++).
Hold time after escape sequence (default: 1000, in milliseconds).
Disconnect command to hang up during the data phase (default: ATH).
Note: The modem parameters are set with values that should suit most modems. Thus changes are generally not necessary. Refer to the documentation for your modem for settings that vary from these.

Setting up a GPRS backup connection
If the connection is to use a GPRS-capable modem at the serial interface, you will need the APN name and the dial-up telephone number. The following init strings for the configuration apply to T-Mobile and Vodafone:
T-Mobile: Init string L0X1M1S0=0+CGDCONT=1,"IP","internet.t-d1.de"; Dial-up number *99#
Vodafone: Init string L0X1M1S0=0+CGDCONT=1,"IP","web.vodafone.de"; Dial-up number *99# or *99***1#
Configuration with LANconfig
The mode…
284. …d on the MAC address that is permanently programmed into wireless LAN adapters.
Configuration with LANconfig
For configuration with LANconfig, you will find the general WLAN access settings under the configuration area "WLAN Security" on the "Stations" tab. Check that the setting "filter out data from the listed stations, transfer all other" is activated. New stations that are to participate in your wireless network are added with the button "Stations".
[Screenshot: "Configure WLAN Security" dialog, tab "Stations": "Data traffic between the wireless LAN and your local network can be restricted as required by excluding individual stations or only enabling specified stations." Filter function: filter out data from the listed stations, transfer all other; Authentication via RADIUS]
Configuration with WEBconfig or Telnet
Under WEBconfig or Telnet you will find the Access Control List under the following paths:
WEBconfig: Expert configuration > Setup > WLAN > Access list
Terminal/Telnet: cd /Setup/WLAN/Access-List

Protocol filter
With the protocol filter you can influence the handling of certain protocols during transfer from the WLAN to the LAN.
Note: Packets from the WLAN for certain protocols/ports can be redirected to special IP addresses in the LAN by…
285. …d with additional conditions. The following conditions are available:
Only packets with certain ToS and/or DiffServ markings
Only if the connection does not yet exist
Only for default route (Internet)
Only for VPN routes
Limit/Trigger: The limit or trigger describes a quantified threshold value that must be exceeded on the defined connection before the filter action gets executed for a data packet. A limit is composed of the following parameters:
Unit (kbit, kbyte or packets)
Amount, that means data rate or number
Reference value (per second, per minute, per hour or absolute)
Footnote 1: MAC is the abbreviation for Media Access Control, and it is the crucial factor for communication inside a LAN. Every network device has its own MAC address. MAC addresses are worldwide unique, similar to serial numbers. MAC addresses allow distinguishing between the PCs in order to give or withdraw dedicated rights on an IP level. MAC addresses can be found on most networking devices in hexadecimal form, e.g. 00:A0:57:01:02:03.
Additionally, you can adjust for the limit whether it refers to a logical connection or to all connections together which exist between the defined destination and source stations via the corresponding services. Thus it is controlled whether the filter takes effect if e.g. all HTTP connections of the users in the LAN exceed the limit in sum o…
286. …d world time (UTC). For protocol displays and time-related settings (e.g. cron jobs), the local time is taken as calculated from the defined time zone. To take local daylight saving time into account, settings can be configured according to requirements.
[Screenshot: "Configure Date & Time" dialog, tab "General", with Time zone (Berlin, Brussels, Paris, Rome) and Daylight saving time (On; Automatic: Europe (EU), Russia, USA; user defined)]
LANconfig: Date & time > General
WEBconfig/Telnet: Expert configuration > Setup > Time > Daylight saving time
Daylight saving time:
Off: The system time will not be adjusted to daylight saving time.
On: As long as this option is enabled, one hour is added statically to the current system time (comprised of UTC and time zone).
Automatic (EU, USA, Russia): In this setting the daylight saving time change is performed automatically in conformance with the time zone of the device's location.
Automatic, user defined: If the device is located in an area that is not listed here, then the daylight saving time change options can be manually defined by the user.
User-defined daylight saving time chan…
287. data.
Direct channel bundling via PPPoE: The following method is for the configuration of channel bundling via PPPoE.
- Assign the DSL ports to the required Ethernet ports in LANconfig via Interfaces > LAN > Ethernet Ports (Telnet: Setup > Interfaces > Ethernet ports; WEBconfig: Expert configuration > Setup > Interfaces > Ethernet ports).
- Activate the additional DSL interfaces in LANconfig via Interfaces > WAN > Interface settings and enter the data rates for up- and downstream (Telnet: Setup > Interfaces > DSL; WEBconfig: Expert configuration > Setup > Interfaces > DSL).
- For the required remote station, enter the DSL ports that are to be used in LANconfig via Communication > Remote sites > Remote sites (DSL) (Telnet: Setup > WAN > DSL broadband peers; WEBconfig: Expert configuration > Setup > WAN > DSL broadband peers).
- Activate channel bundling for the relevant layers in LANconfig via Communication > General > Communication layers (Telnet: Setup > WAN > Layer; WEBconfig: Expert configuration > Setup > WAN > Layer).
[Dialogs: Interface settings (DSL interface enabled, Downstream rate 3,000 kBit/s); Communication layers / Edit Entry (Layer INT_PPPOE, Encapsulation Transparent, Layer-3 PPP); Remote sites (DSL) / Edit Entry (Short hold time 300 seconds, External overhead 0 byte, Access concentrator ...)]
288. data packet is indicated by a 3-bit value: 0 represents the lowest priority, 7 the highest one. Data packets without VLAN tag are treated with priority 0.
This additional field makes the MAC frames longer than actually allowed. These overlong packets can only be recognized and evaluated by VLAN-capable stations and switches. Frame tagging incidentally leads to the desired behavior for network users without VLAN support: switches without VLAN support simply pass on these data packets and ignore the additional fields within the MAC frame; stations without VLAN support are not able to recognize the protocol type due to the inserted VLAN tag and discard the packets silently.
Note: Older switches in the LAN are perhaps not able to pass on the overlong frames correctly between the individual ports and will reject the tagged packets.
10.2.2 Conversion within the LAN interconnection
Certain stations shall be grouped to logical units by virtual LANs. But the stations themselves are usually neither able to generate the required VLAN tags nor able to handle them. Data traffic between network users always runs over different interfaces of the distributors in the LAN. These distributors (switches, base stations) have the task to insert VLAN tags according to the desired application into the data packets, to evaluate them and, if necessary, to remove them again. Because logical units are each connected to different interf
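The tagging behaviour described above (a 3-bit priority, untagged frames counted as priority 0, tagged frames four bytes longer than a plain frame, and stations without VLAN support discarding what they cannot recognise as a protocol type) can be made concrete with a small frame parser. The following Python block is an added example written for this page, not code from the manual or from the BAT firmware. It assumes the standard IEEE 802.1Q tag protocol identifier 0x8100 and the IPv4 EtherType 0x0800, and it constructs its two sample frames inline rather than reading captured traffic.

```python
import struct
from typing import Optional

TPID_8021Q = 0x8100        # IEEE 802.1Q tag protocol identifier (standard value)
ETHERTYPE_IPV4 = 0x0800    # standard EtherType for IPv4
UNTAGGED_HEADER_LEN = 14   # dst MAC + src MAC + EtherType
TAGGED_HEADER_LEN = 18     # the same plus the 4-byte 802.1Q tag


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vlan_id: Optional[int] = None, priority: int = 0) -> bytes:
    """Build an Ethernet frame; when vlan_id is given, insert an 802.1Q tag.

    The tag control information (TCI) packs the priority (3 bits), the DEI bit
    (left 0 here) and the 12-bit VLAN ID, which is the field the text describes.
    """
    if vlan_id is None:
        return dst + src + struct.pack("!H", ethertype) + payload
    if not 0 <= priority <= 7:
        raise ValueError("802.1p priority is a 3-bit value (0..7)")
    if not 0 <= vlan_id <= 0x0FFF:
        raise ValueError("VLAN ID is a 12-bit value")
    tci = (priority << 13) | vlan_id
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Return the view a VLAN-capable station has of the frame.

    Untagged frames are reported with priority 0, as the text states.
    """
    if len(frame) < UNTAGGED_HEADER_LEN:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (type_field,) = struct.unpack("!H", frame[12:14])
    if type_field != TPID_8021Q:
        return {"tagged": False, "priority": 0, "vlan_id": None,
                "ethertype": type_field, "payload": frame[14:],
                "dst": dst, "src": src}
    if len(frame) < TAGGED_HEADER_LEN:
        raise ValueError("802.1Q tag truncated")
    tci, ethertype = struct.unpack("!HH", frame[14:18])
    return {"tagged": True, "priority": tci >> 13, "vlan_id": tci & 0x0FFF,
            "ethertype": ethertype, "payload": frame[18:],
            "dst": dst, "src": src}


def legacy_station_view(frame: bytes, known_ethertypes=(ETHERTYPE_IPV4,)) -> str:
    """Model a station without VLAN support: it reads the two bytes after the
    source MAC as the protocol type and silently discards what it does not know."""
    (type_field,) = struct.unpack("!H", frame[12:14])
    return "accept" if type_field in known_ethertypes else "discard"


# Constructed sample frames (not captured traffic) with a minimal IPv4 payload stub.
DST = bytes.fromhex("00a057010203")
SRC = bytes.fromhex("00a057040506")
PAYLOAD = b"\x45\x00\x00\x14" + b"\x00" * 16

UNTAGGED = build_frame(DST, SRC, ETHERTYPE_IPV4, PAYLOAD)
TAGGED = build_frame(DST, SRC, ETHERTYPE_IPV4, PAYLOAD, vlan_id=100, priority=5)


def tag_overhead() -> int:
    """How many bytes the tag adds; this is why tagged frames are 'overlong'."""
    return len(TAGGED) - len(UNTAGGED)


if __name__ == "__main__":
    for name, frame in (("untagged", UNTAGGED), ("tagged", TAGGED)):
        info = parse_frame(frame)
        print(f"{name}: priority={info['priority']} vlan={info['vlan_id']} "
              f"ethertype=0x{info['ethertype']:04x} legacy={legacy_station_view(frame)}")
```

Running the block shows the same payload arriving with priority 5 on VLAN 100 for a VLAN-capable parser, while the legacy view rejects the tagged frame because 0x8100 is not a protocol type it knows; the untagged copy is accepted by both and reported with priority 0.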
289. ded to allow the device to execute predefined commands in a Telnet-like environment at times defined by the user. The functionality is equivalent to the UNIX cron service. Subject of execution can be any BAT command line command; therefore the full feature set of all BAT devices can be controlled by this facility.
Application examples:
- Scheduled connection: Many leased lines disconnect automatically after 24 hours of continuous operation. This enforced disconnection can have some unwanted side effects, for example if it happens at an unsuitable time during the day, because e.g. the VPN tunnel is disconnected and the IP address of the BAT is changed. To control the disconnecting time, a manual disconnection can be set, e.g. at midnight, so it cannot happen at an unsuitable time. As a second example, devices in a distributed network with only dynamic IP addresses can build up a connection at a certain time to a VPN gateway so that data can be transferred safely. This way a protected access is even possible without an ISDN connection.
- Time-dependent firewall or QoS rules: The firewall and QoS rules are at first temporally constant. But it can be useful to make variable settings for different times of day or weekdays. At e.g. off hours or weekends, different priorities for guaranteed bandwidths can be set than at business hours.
- Regular firmware or configuration updates
Tim
290. dicates itself to quality. Under the generic term Quality of Service (short QoS), those LCOS functions are summarized which are concerned with the guarantee of certain service availabilities.
9.1 Why QoS?
The main objective of Quality of Service is to transfer certain data packets either particularly safely or as immediately as possible. It may happen during a data transfer that data packets are not delivered to the addressee. But for some applications it is very important that all sent packets really do arrive. An e-mail, for example, divided into several small data packets, can only be assembled together again when all parts have arrived completely; whether one or another packet arrives with a little time delay does not make any difference. These applications often count on the connection-oriented Transmission Control Protocol (TCP). This protocol ensures that data will be transferred correctly and chronologically via the net. It automatically adjusts the sending rate downwards if the confirmation of sent data packets is outstanding for longer times, and also takes care of repeated transmission in case of packet losses.
In other applications, e.g. telephony via the Internet (Voice over IP, VoIP), it is, differently to the case above, very important that the data packets arrive at the addressee with only little time delay. But it really doesn't matter if once a data packet gets lost in this case. The participant at the other end of the
291. dress and passphrase.
3.7 IEEE 802.11i for point-to-point connections
LEPS can be used to secure single point-to-point (P2P) connections with an individual passphrase. Even if an access point in a P2P installation is stolen and the passphrase and MAC address become known, all other WLAN connections secured by LEPS remain secure, particularly when the ACL is stored on a RADIUS server.
When using LANconfig for the configuration, you enter the passphrases of the stations approved for the WLAN in the configuration area Wireless LAN on the Stations tab under the button Stations.
[Dialogs: Stations list with the columns Physical address, Name, Passphrase and Comment; Stations / Edit Entry with the fields Physical address, Name, Passphrase (optional) and Comment; the filter function can restrict data traffic to the listed stations, filter it out, or check via RADIUS]
Configuration with WEBconfig or Telnet: The access list for the matching of MAC addresses to the passphrases (LEPS) can be found under WEBconfig or Tel
292. dress and port
- 0x20000000: Send SYSLOG notification
- 0x40000000: Send SNMP trap
- 0x80000000: Send email
Note: All Firewall actions are likewise displayed within the IP router trace (How to start a trace, page 225). Furthermore, some BAT models have a Firewall LED which signals each filtered packet.
The filter list: The filter list allows to examine filters generated by rules defined in the action object and rule table.
Note: Please note that manually entered filter rules do not generate a fault indication and also no error message. If you configure filters manually, you should in each case examine on the basis of the filter list whether the desired filters were generated or not.
On Telnet level the content of the filter list can be displayed with the command "show filter":
[Telnet session, only partially legible in the scan]
  LANCOM 1621 ADSL/ISDN <Annex A> Ver. 3.30.0031 ... Copyright (c) LANCOM Systems
  > show filter
  Filter 6061 from Rule WINS: Protocol 17, Src 00:00:00:00:00:00 ..., Dst 00:00:00:00:00:00 ... 137-139 ...
  Limit per conn. after transmitting or receiving of ... kilobits per second; actions after exceeding the limit: reject
  Filter 6062 from Rule WINS: Protocol 6, Src ...
293. dress of the access point and server (station 2).
In this operating mode, not the usual MAC addresses (for instance in client mode) are used, in this example for server, access points and client stations, but, in conformity with point-to-point connections, four addresses: the MAC address of the station in the LAN of the client station is additional. The fully transparent connection of a LAN to the client station allows transmitting data packets in the WLAN and therefore works like TFTP downloads which are triggered over a broadcast.
The Client Bridge mode has the following advantages compared to other methods:
- Compared to the normal client mode, the address encryption (masquerading) is not required.
- Compared to a point-to-point connection, the entry of the MAC addresses is not required. Additionally, in the Client Bridge mode more than six connections (the P2P limit) can be established.
Note: The Client Bridge mode can only be used between two BAT devices. Applying the Client Bridge mode must also be activated in the settings for the logical network of the access point.
Configuration with WEBconfig or Telnet: Under WEBconfig or Telnet you will find the settings for the client mode under the following paths:
- WEBconfig: Expert configuration > Setup > Interfaces > WLAN Interfaces > Client Settings
- Terminal/Telnet: cd Setup > Interfaces > WLAN Interfaces > Client Settings
294. dress of the connected computer or computers.
[Figure: Without MAC Address Adaption: the access point sees the MAC address of the client station in place of the MAC address of the computer]
[Figure: With MAC Address Adaption: the MAC address of the computer is transmitted unchanged]
In some installations it is required that the MAC address of the computer, and not of the client station, is transmitted. With the option Address Adaption, the replacement of the MAC address by the client station is prevented and the data packets are transmitted with the original MAC address.
Note: The address adaption only works if only one computer is connected to the client station.
Client Bridge Support: With address adaption (Address Adaption, page 73), the MAC address of only one connected device is visible to the access point. With Client Bridge Support, all MAC addresses of the stations in the LAN behind the client stations are transmitted transparently to the access point.
3.4 Configuration of WLAN parameters
[Figure: Client Bridge Support. Source MAC address: station 1 (or station 2) and client station; target MAC address: access point and server. Elements: station 1, station 2, client station, access point, server] ... Target MAC ad
295. dresses for DHCP clients:
- First address: 0.0.0.0
- Last address: 0.0.0.0
- Netmask: 0.0.0.0
- Broadcast: 0.0.0.0
- Default gateway: 0.0.0.0
- Forwarding of DHCP queries: Server address
- DHCP request ID recognition: User class ID LANCOM_HG
12.3 DNS
The domain name service (DNS) is responsible in TCP/IP networks for associating computer names and/or network domains and IP addresses. This service is required for Internet communications to return the correct IP address for a request such as www.hirschmann.com, for example. However, it's also useful to be able to clearly associate IP addresses to computer names within a local network or in a LAN interconnection.
12.3.1 What does a DNS server do?
The names used in DNS server requests are made up of several parts: one part consists of the actual name of the host or service to be addressed, another part specifies the domain. Specifying the domain is optional within a local network. These names could thus be www.domain.com or ftp.domain.com, for example.
If there is no DNS server in the local network, all locally unknown names will be searched for using the default route. By using a DNS server, it's possible to immediately go to the correct remote station for all of the names with known IP addresses. In principle, the DNS server can be a separate computer in the network. Howe
296. ds and entries are required:
- LANconfig: TCP/IP > DNS Filter > DNS filter > Add
- WEBconfig: Filter list > Add
- Terminal/Telnet: cd setup > DNS > filter list; set 001 www.blocked.com 0.0.0.0 0.0.0.0
[Dialog: DNS filter / New Entry with the fields Domain, IP address 0.0.0.0, Netmask 0.0.0.0]
The index 001 in the console command can be selected as desired and is used only for clarity.
Note: When entering the domains, the wildcards (one standing for exactly one character, the other for any number of characters) are permitted.
To only block the access of a certain computer, e.g. with IP 10.0.0.123, to COM domains, enter the following values: Domain "com" preceded by the wildcard (the wildcard character itself is not legible in the scan), IP address 10.0.0.123, Netmask 255.255.255.255. In the console mode the command is: set 002 (wildcard)com 10.0.0.123 255.255.255.255
Note: The hit list in the DNS statistics contains the 64 most frequently requested names and provides a good basis for setting up the filter list.
If your LAN uses subnetting, you can also apply filters to individual departments by carefully selecting the IP addresses and subnet masks. The IP address 0.0.0.0 stands for all computers in the network and the subnet mask 0.0.0.0 for all networks.
12.3.5 Dynamic DNS
Systems with dynamic IP addresses become accessible over the WAN, for example over the Internet, via so
297. dth
[Dialog: list of IP check servers, e.g. http://www.dnsart.com/myip.php, http://dynupdate.no-ip.com/ip.php, http://update.dynu.com/basic/ipcheck.asp, http://checkip.dyndns.org:8245; options "Requires authentication" (Username, Password) and "Use proxy server"; buttons Move up / Move down]
Alternatively, the BAT can directly transmit the present WAN IP to the DynDNS provider's server (at DynDNS provider). The required settings can be changed comfortably with the Setup Wizard.
[Setup Wizard: Configure Dynamic DNS. "This wizard supports you to configure the automatic refresh of a DNS account. The refresh is performed every time your device establishes a connection and can be configured for each remote site separately. For this you should already have configured a registered domain and an account with one of the providers." Dynamic DNS provider: DynDNS.org. "Enter the fully qualified domain name (FQDN) for which the DNS update should be performed." DNS resolvable name: mylancom.dyndns.org. "Please enter your DNS account data here. These data should have been given to you by your DNS provider when your dynamic DNS account was set up."]
12.4 Accounting
Information on connections between clients in the local network and various remote
298. e in WEBconfig or in the console. In the peer list no telephone number may be specified.
After the authentication, an input window appears on the caller's screen in Windows that requests the ISDN telephone number of the PC. The calling number is determined in the BAT. For this setting the callback entry must be set to "Call back the remote site after name verification", or must be set to the value "Name" in WEBconfig or in the console. In the peer list one telephone number must be specified.
Some Windows versions, especially Windows 98, prompt the user to confirm the callback to the telephone number stored in the BAT ("Administrator Specified") with an input window. Other Windows versions only inform the user that the PC is waiting for the callback from the BAT.
[Dialog: Callback Security. "You may supply a callback location to connect to PPP_LANCOM. Specify the phone number of your current location." Callback to: ...]
The callback to a Windows workstation occurs approx. 15 seconds after the first connection has been dropped. This time setting cannot be decreased since it is a Windows default setting.
11.13.2 Fast callback
This fast process is ideal if two BAT are to communicate with one another via callback. The caller who may wish to be called back can activate the function "Wait for callback from remote site" in
299. e DMZ.
11.5.3 Address check with DMZ and intranet interfaces
To shield the DMZ (demilitarized zone) and the Intranet from unauthorized attacks, you can activate an additional address check for each interface using the firewall's Intrusion Detection System (IDS). The relevant buttons are called "DMZ check" or "Intranet check" and can have the values "loose" or "strict".
- If the button is set to "loose", then every source address is accepted if the BAT is addressed directly.
- If the switch is set to "strict", then a return route has to be explicitly available so that no IDS alarm is triggered. This is usually the case if the data packet contains a sender address to which the relevant interface can also route data. Sender addresses from other networks to which the interface cannot route, or sender addresses from its own address range, therefore lead to an IDS alarm.
Note: For all devices the default is "loose". The default is set to "strict" for the BAT 7011 VPN only, as a more precise address check has already been used for this device.
Configuration with LANconfig: You will find the button for activating the DMZ and Intranet address check in LANconfig in the TCP/IP configuration area on the General tab page.
[Dialog: Configure TCP/IP > General, Own addresses: DMZ IP address 10.0.0.0, DMZ netmask 255.255.255.0, DMZ interface DMZ 1, DMZ check strict, Intranet
300. e components of Firewall rules and the available options to set up the different parameters.
Note: Information regarding the definition of Firewall rules with the different kinds of configuration tools (LANconfig, WEBconfig or Telnet) can be found in chapter "Configuration of Firewall rules" (page 285).
Components of a Firewall rule: A Firewall rule is at first defined by its name and some further options:
- On/Off switch: Is the rule active for the Firewall?
- Priority: Which is the priority of the rule? (Page 268)
- Observe further rules: Should further Firewall rules be observed when this rule applies to a data packet? (Page 269)
- Create VPN rule: Is this Firewall rule also used to create a VPN rule? (Page 269)
- Routing Tag: When applying the routing tag, further information about, for instance, the used service or protocol can be used for selecting the target route. With this so-called policy-based routing, a much better control of the routing behaviour is possible (Policy-based routing, page 358).
Priority: When setting up the filter list of the Firewall rules, the BAT will automatically sort the entries. Thereby the grade of detail will be considered: all specified rules are observed at first, after that the general ones (e.g. Deny All). If after the automatic sorting the desired behavior of the Firewall does not turn out, it is possible to change the priority manually. The higher the priority of the Firewall rule
301. e controlled rules do not only provide the settings of particular values; it is even possible to switch to a whole different configuration. This possibility allows you to pool a whole string of settings and change them all at once with one command. Therefore, changing the configuration of the device with completely different values at the weekend and switching back on Monday mornings can be done with just one command. Additionally, the regular update of the newest firmware from one single source is adjustable.
- Email messages: With the time-controlled rules you have the option that the BAT informs the administrator by email not only about specific firewall events but even at set times. The email can e.g. inform about building up an internet connection successfully after an enforced disconnection, or after booting the device because of a restart.
- Time-dependent interfaces: The time-dependent use of interfaces for a set duration is also provided by the time-controlled rules. Therewith e.g. a WLAN interface can permit the wireless access to the network only at certain times.
- Deleting certain tables: It can be useful to delete the content of some tables in LCOS regularly. If your internet access, for example, has a monthly limited transfer volume, you can delete your accounting table monthly to have a survey of the presently transferred data volume.
12.7.2 CRON jobs with time delay
CRON jobs are used to carry out recurring tasks on a BAT automatically at
302. e following paths:
- WEBconfig: Expert Configuration > Setup > SYSLOG
- Terminal/Telnet: Setup > SYSLOG
6.2.2 Configuring the SYSLOG client
The SYSLOG module can write different messages to the memory in the device. If there are messages that you do not require (e.g. debug and information messages), you can reduce the scope of the messages by entering a local loopback address of your BAT device in the IP area 127.x.x.x (e.g. 127.0.0.1) as the SYSLOG client; for this client you then activate only certain sources and/or priorities.
LANconfig: For configuration with LANconfig you can open the list of SYSLOG clients under the configuration area Log & Trace on the SYSLOG tab using the SYSLOG clients button.
[Dialog: Configure Log & Trace > SYSLOG: "Send information about system events to the clients in the following list"; SYSLOG clients entry with IP address 10.1.1.88, Source IP address LOOPBACK1, sources (System, Login, System time, Console login, Connections, Accounting, Administration, Router) and priorities (Alert, Error, Warning, Information, ...)]
WEBconfig, Telnet or terminal program: Under WEBconfig, Telnet or
303. e.g. for the protection of a subnetwork of the personnel department of a company against the remaining network users.
Logging and alerting: An important function of the Firewall is, beside the checking of data packets and the right reaction to the results of this checking, also the logging of all actions triggered by the Firewall. By analyzing these protocols, the administrator can draw conclusions from the occurred attacks, and on the basis of this information he can, if necessary, go on to improve the configuration of the Firewall.
But sometimes logging alone comes too late. Often an immediate intervention of the administrator can prevent a major danger. That is why Firewalls mostly have an alerting function by which the Firewall notifies the administrator, e.g. by e-mail.
8.2.2 Different types of Firewalls
During the last years the operating principles of Firewalls have evolved more and more. Under the generic term Firewall a whole range of different technical concepts is offered to protect the LAN. Here we introduce the most important ones.
Packet filters: One speaks about a packet-filter-based Firewall if the router only checks the details in the header of the data packets and decides on the basis of this information whether the packet may pass or not. The following details belong to the analyzed information:
- IP address of source and destination
- Transfer protocol (TCP, UDP or ICMP)
304. e in the range between start port and end port. If none of the rule values specified (not filled by wildcards) agree with the values read out of the packet, the rule is not considered applicable and is disregarded. If several rules apply, the action of the most accurate rule is carried out. Parameters are more accurate the further down the list of parameters they are, or the further right they appear in the protocol table.
Note: If rules are defined for an interface but there is no match with one of the rules for a packet on this interface, the default rule for this interface is used for the packet. The default rule is pre-configured for each interface with the drop action, but this is not visible in the protocol table. To modify a default rule for an interface, a rule with the name "default drop" is defined. Besides the interface naming, this rule can only contain wildcards and the required action.
Checking of MAC addresses in packets sent over the respective interface takes on a different form to that with incoming packets:
- With outgoing packets, the source MAC address read out of the packet is checked against the destination MAC address entered in the rule.
- The destination MAC addresses read out of the packet are then checked to see whether they are listed as currently active DHCP clients.
- Rules with the Redirect action are ignor
305. e is selected, e.g. MAC Access Control Lists for all BAT Wireless Access Points.
[Screenshot: LANconfig device list with the folders ADSL CPE, Branch Offices, Engineering, IT, SDSL CPE and WLAN AP, devices such as 10.1.80.125, and the status text "Loads a new firmware into the selected ..."]
4.4.2 WEBconfig
You can use any web browser, even text-based, for basic setup of the device. The WEBconfig configuration application is integrated in the BAT. All you need is a web browser in order to access WEBconfig.
Functions with any web browser: WEBconfig offers setup wizards similar to LANconfig and has all you need for easy configuration of the BAT; contrary to LANconfig, however, it runs under all operating systems for which a web browser exists. A LAN or WAN connection via TCP/IP must be established to use WEBconfig. WEBconfig is accessed by any web browser via the IP address of the BAT, via the name of the device (if previously assigned), or via any name if the device has not been configured yet: http://<IP address or device name>
Secure with HTTPS: WEBconfig offers an encrypted transmission of the configuration data for secure remote management via HTTPS: https://<IP address or device name>
Note: For maximum security, please ensure to have installed the latest version of your Internet browser. For Windows 200
306. e name, Local network, transmit, ANY
- In case a VPN is not terminated by the BAT itself (e.g. a VPN client in the local area network, or the BAT as Firewall in front of an additional VPN gateway), you'd have to allow IPSec and/or PPTP (for the IPSec-over-PPTP of the VPN client) ports additionally: ALLOW_VPN, VPN Client, VPN Server, transmit, IPSEC PPTP
- For ISDN or V.110 dial-in (e.g. by HSCSD mobile phone), you have to allow the particular remote site (see also Configuration of remote stations, page 366): ALLOW_DIAL_IN, remote site name, Local network, transmit, ANY
- For a network coupling, you permit additionally the communication between the involved networks: ALLOW_LAN1_TO_LAN2, LAN1, LAN2, transmit, ANY; ALLOW_LAN2_TO_LAN1, LAN2, LAN1, transmit, ANY
- If you operate e.g. your own web server, you selectively allow access to the server: ALLOW_WEBSERVER, ANY, Webserver, transmit, HTTP HTTPS
- For diagnostic purposes it is helpful to allow ICMP protocols (e.g. ping): ALLOW_PING, Local network, ANY, transmit, ICMP
These rules can now be refined as needed, e.g. by the indication of minimum and maximum bandwidths for the server access, or by a finer restriction on certain services, stations or remote sites.
Note: The BAT automatically sorts Firewall rules when creating the filter list. Thereby the rules are sorted into the filter list on the basis of
307. e network of client B, so that both networks, which actually have the same address range, look like two different networks for the gateway of the service provider. The administrator selects the address ranges 192.168.2.x and 192.168.3.x for clients C and D, so that the addresses of these networks differ from the own network of the service provider.
In order to enable the gateway of the provider to monitor the networks of clients C and D, the administrator sets up an address translation to 192.168.1.x also for the own network.
11.9.2 Configuration
Setting up address translation: Configuration of N:N mapping succeeds with only little information. Since a LAN can be coupled with several other networks via N:N, different destinations can also have different address translations for a source IP range. The NAT table can contain 64 entries at maximum, including the following information:
- Index: Unambiguous index of the entry
- Source address: IP address of the workstation or network that should get an alternative IP address
- Source mask: Netmask of the source range
- Remote station: Name of the remote station over which the remote network is reachable
- New network address: IP address or address range that should be used for the translation
For the new network address, the same netmask will be used as the source address already uses. For assignment of source and mapping addre
308. e other parameters such as threshold levels and signal level. Please refer to the reference handbook for further information on these parameters.
To configure background scanning in LANconfig, go to the Radio tab under the physical WLAN settings for the desired WLAN interface.
[Dialog: Physical WLAN settings, WLAN interface > Radio: Frequency band 2.4 GHz (802.11g/b), Sub-bands, Channel number (Channel 10, 2.457 GHz), 2.4 GHz mode (mixed), 5 GHz mode (54 MBit/s normal mode), diversity setting (Only transmit on primary antenna / Use the optimal antenna for transmission / Transmit on primary and receive on auxiliary antenna), Antenna gain (dBi), TX power reduction (dB), Access point density (Low), Maximum distance (km), Channel list, Background scan (seconds)]
Enter the background scan interval as the time in which the BAT device cyclically searches the currently unused frequencies of the active band for available access points. To achieve fast roaming, the scan time is restricted to e.g. a minimum of 260 seconds (2.4 GHz) or 720 seconds (5 GHz).
3.6 Client mode
Under WEBconfig or Telnet the network settings for the logical WLAN interfaces can be found under the following paths:
- LANconfig: WLAN in
309. e power of the external antenna is 17 dBm - 4 dB - 1 dB = 12 dBm.
The power received by the antenna is then amplified. An AirLancer Extender O-18a with an emitting angle of 18° supplies an antenna gain of 18 dBm. The total power output from the antenna is thus 12 dBm + 18 dBm = 30 dBm.
Note: This power emission must be within the legal limits of the country where the antenna is in operation.
3.8 Establishing outdoor wireless networks
Radio transmission through air is subject to power attenuation from the so-called free space loss x, which is logarithmically related to the distance d (in km) between transmitter and receiver:
  x = 100 + 20 log(d) dB in the 2.4 GHz band
  x = 105 + 20 log(d) dB in the 5 GHz band
An 802.11a transmission over a distance of 4 km results in a free space loss x of:
  x = 105 dB + 20 log(4) dB = 105 dB + 12 dB = 117 dB
A 10 dB safety margin is added to this attenuation, so that the total loss for this example can be taken as 127 dB. This loss between the transmitting and receiving antenna is subtracted from the output power of the transmitting antenna:
  30 dBm - 127 dB = -97 dBm
This determines the reception power at the receiving antenna.
The receiving end also has amplifying and attenuating elements. If the same antenna is used as at the transmitter, the antenna gain is 18 dB and the loss from cable (again 4m), lightning
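The link budget worked out above (transmitter power minus passive losses plus antenna gain, then free space loss for the band and distance, a fixed safety margin, and the resulting power at the far antenna) is carried through below as an added example; it is not code from the manual or from the device. It takes the page's formulas with log meaning the base-10 logarithm, treats the 4 dB and 1 dB losses as cable and a second passive element (the text does not name them here, so that attribution is an assumption), and, going beyond the page where the text breaks off, lets the caller add the receive-side antenna gain and losses to obtain the power at the receiver input.

```python
import math

# Free space loss as stated in the text: x = K + 20 log10(d) dB, with d in km.
FREE_SPACE_CONSTANT_DB = {"2.4GHz": 100.0, "5GHz": 105.0}
SAFETY_MARGIN_DB = 10.0  # the margin the text adds on top of the computed loss


def free_space_loss_db(distance_km: float, band: str) -> float:
    """Attenuation between two antennas separated by distance_km in the given band."""
    if distance_km <= 0:
        raise ValueError("distance must be positive")
    if band not in FREE_SPACE_CONSTANT_DB:
        raise ValueError(f"unknown band {band!r}; use one of {sorted(FREE_SPACE_CONSTANT_DB)}")
    return FREE_SPACE_CONSTANT_DB[band] + 20.0 * math.log10(distance_km)


def radiated_power_dbm(tx_power_dbm: float, cable_loss_db: float,
                       other_loss_db: float, antenna_gain_db: float) -> float:
    """Power leaving the antenna: transmitter output minus passive losses plus gain."""
    return tx_power_dbm - cable_loss_db - other_loss_db + antenna_gain_db


def link_budget(tx_power_dbm: float, tx_cable_loss_db: float, tx_other_loss_db: float,
                antenna_gain_db: float, distance_km: float, band: str,
                rx_antenna_gain_db: float = 0.0, rx_cable_loss_db: float = 0.0,
                rx_other_loss_db: float = 0.0,
                margin_db: float = SAFETY_MARGIN_DB) -> dict:
    """Full budget; the rx_* parameters default to zero so that 'rx_antenna_dbm'
    is exactly the value the text calls the reception power at the receiving antenna."""
    radiated = radiated_power_dbm(tx_power_dbm, tx_cable_loss_db,
                                  tx_other_loss_db, antenna_gain_db)
    loss = free_space_loss_db(distance_km, band)
    total_loss = loss + margin_db
    at_rx_antenna = radiated - total_loss
    at_rx_input = at_rx_antenna + rx_antenna_gain_db - rx_cable_loss_db - rx_other_loss_db
    return {
        "radiated_dbm": radiated,
        "free_space_loss_db": loss,
        "total_loss_db": total_loss,
        "rx_antenna_dbm": at_rx_antenna,
        "rx_input_dbm": at_rx_input,
    }


def page_example() -> dict:
    """The numbers used in the text: 17 dBm, 4 dB and 1 dB losses, 18 dB gain,
    4 km in the 5 GHz band, plus (as an assumption) the same antenna and losses
    on the receiving side."""
    return link_budget(17.0, 4.0, 1.0, 18.0, 4.0, "5GHz",
                       rx_antenna_gain_db=18.0, rx_cable_loss_db=4.0,
                       rx_other_loss_db=1.0)


if __name__ == "__main__":
    for key, value in page_example().items():
        print(f"{key:>20}: {value:8.2f}")
```

With the page's figures the block reproduces 30 dBm radiated, about 117 dB free space loss, 127 dB with the margin and about -97 dBm at the receiving antenna; the same 4 km in the 2.4 GHz band gives about 112 dB of free space loss, which is what the 5 dB smaller constant in the first formula amounts to.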
310. e rapid spanning tree protocol.
In networks with many switches and bridges, many physical connections can exist between two stations that are connected to the network. These redundant data paths are desirable because they can offer alternative paths to the desired destination in case individual network paths fail. On the other hand, these multiple connections can also lead to loops or cause network stations to receive multiple frames. Both occurrences negatively impact free data traffic performance in the network.
The Spanning Tree Protocol (STP) enables an analysis of the network at the layer 2 level and as such offers solutions for intelligent path selection between two network stations below the routing layer. By discovering redundant paths between network stations, STP builds a unique structure in which loops and double packets can be avoided. To this end, so-called Bridge Protocol Data Units (BPDUs) are sent as a multicast to a specific MAC address. The BPDUs allow redundant paths to be discovered as well as the distance and the data rate available on this connection. Using these values, the Spanning Tree Protocol calculates a priority (also called route or path costs) with which the various connections are to be treated. The low-priority connections are disabled and are therefore no longer available for clients. Through the reduction of non-redundant connections between the clients, the protocol builds a tree which unambiguously de
311. e resolution

If there is a DNS server for name resolution in the LAN which exchanges the assignment of IP addresses to names with the DHCP server, the device can be accessed by the name BAT-<MAC address>, e.g. BAT-00a057xxxxxx.

Configuration and management, 4.4 Configuration using different tools

[Screenshot: browser address bar with http://LANCOM-00a057000944]

Note: The MAC address can be found on a label on the bottom of the device.

If there is no DNS server in the LAN, or it is not linked to the DHCP server, the device cannot be reached by name. The following options remain in this case:
- Find the DHCP-assigned IP address of the BAT with suitable tools and contact the device directly with this IP address.
- Use LANconfig.
- Connect a PC with a terminal program via the serial configuration interface to the device.

4.4.3 Telnet

Launching Telnet: Start configuration using Telnet, e.g. from the Windows command line with the command

C:\> telnet 10.0.0.1

Telnet then establishes a connection with the device using the IP address. After entering the password (if you have set one to protect the configuration), all configuration commands are available.

Note: Plain Telnet sends the password and every subsequent command unencrypted over the network, so use it only on a trusted management segment. Linux and Unix also provide Telnet over SSL-encrypted connections. Depending on your distri
312. e respective rule is an Accept action and that the packets will thus be transmitted. A maximum bandwidth is simply defined by a limit rule which discards, by a Drop action, all packets that exceed the defined bandwidth.

Examples:
%Qcds32   Minimum bandwidth of 32 kbps for each connection
%Lgds256  Maximum bandwidth of 256 kbps for all connections globally

Note: Further information about defining firewall rules can be found in the chapter "Firewall", page 249.

9.7.3 Adjusting transfer rates for interfaces

Note: Devices with a built-in ADSL/SDSL modem or with an ISDN adapter make these settings independently for the respective interface. For a BAT model with Ethernet and ISDN interface, these settings have to be made solely for the Ethernet interface.

Quality of Service, 9.7 QoS configuration

LANconfig: Data rate restrictions for Ethernet, DSL and DSLoL interfaces are entered in LANconfig under the configuration field "Interfaces" on the "WAN" tab, within the settings for the different WAN interfaces.

[Dialog: Interface settings DSL 1-2: DSL interface enabled; Downstream rate 786 kbit/s; Upstream rate 128 kbit/s; External overhead 36 byte]

An Ethernet WAN (DSL/cable) interface can be switched off completely in this dialog. As upstream and downstream rate the gross data rates are entered, which are usually a little higher than the net d
313. e wireless connection
WPA version: WPA-1 or WPA-2
MAC address: Hardware address of the WLAN client

LANtools network management, 5.8 Visualization of larger WLANs

TX rate: Transmission data rate
RX rate: Reception data rate
Last event: e.g. "Authentication successful", "RADIUS successful"
IP address of the WLAN client

5.8.3 Add access points

If an access point was not recognized automatically, it can be added to the list manually with the menu item File > Add access point. In the following window, enter the IP address or the name of the access point, the administrator name and the corresponding password.

[Dialog: Address: "Please enter the IP address or name of the device to be monitored here". Authentication: "If a password is needed to access the device, enter the password here": Administrator, Password]

Note: The administrator may only be specified if an administrator account has been configured in the device.

5.8.4 Organize access points

The BAT WLANmonitor lets you organize all of the available access points in a manner that is independent of their physical location. This helps to maintain an overview of the network and is particularly useful when localizing problems. Further WLAN information can be called up according to the groups. You can group your
314. earches its data sets for an entry matching the user name, it uses the associated password and the CHAP challenge from the NAS to compute the CHAP response. If this computed response and the answer sent by the client via the NAS match, the RADIUS server sends an Access-Accept, otherwise an Access-Reject.

More services, 12.10 Extensions to the RADIUS server

MS-CHAP: The NAS passes the user name, the MS-CHAP challenge and the MS-CHAP response. The method continues in the same way as CHAP, although the responses are computed with the MS-CHAP algorithm (RFC 2433).

MS-CHAPv2: The NAS passes the user name, the MS-CHAP challenge and the MS-CHAPv2 response. The method continues in the same way as CHAP and MS-CHAP, although the responses are computed with the MS-CHAPv2 algorithm (RFC 2759). Furthermore, the RADIUS server transmits an MS-CHAPv2 success message once the authentication was successful. This message contains the server's response to the client's challenge, thus enabling mutual authentication.

EAP: The NAS passes the user name and an EAP message. Unlike the methods outlined above, EAP is not stateless, i.e. in addition to sending an Access-Accept or Access-Reject, the RADIUS server issues its own challenge (Access-Challenge) before authentication is completed. EAP itself is a modular authentication protocol that accommodates various methods of authentication.

12.10.2 EAP authentic
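The CHAP check described above, as an added example that is not part of the manual or the device firmware. It implements the RFC 1994 response computation, the CHAP-Password attribute layout of RFC 2865 (one identifier byte followed by the 16-byte response) and the server-side comparison. The user table, the password and the challenge are constructed for the example; a real NAS would pick a fresh random challenge per attempt, as `run_exchange` does.

```python
import hashlib
import hmac
import os

# Constructed local user table, standing in for the RADIUS server's user table.
# CHAP needs the cleartext password on the server, which is one of its weaknesses.
USER_TABLE = {"alice": b"correct horse battery"}


def chap_response(chap_id: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response = MD5(Identifier || Secret || Challenge), 16 bytes."""
    return hashlib.md5(bytes([chap_id & 0xFF]) + secret + challenge).digest()


def client_chap_password(chap_id: int, secret: bytes, challenge: bytes) -> bytes:
    """What the client answers and the NAS forwards as the RADIUS CHAP-Password
    attribute: 1 byte CHAP Ident followed by the 16-byte response (RFC 2865 5.3)."""
    return bytes([chap_id & 0xFF]) + chap_response(chap_id, secret, challenge)


def radius_decide(user_name: str, chap_challenge: bytes, chap_password: bytes) -> str:
    """RADIUS server side: look the user up, recompute the response from the stored
    password and the NAS-supplied challenge, compare in constant time."""
    secret = USER_TABLE.get(user_name)
    if secret is None or len(chap_password) != 17 or not chap_challenge:
        return "Access-Reject"
    chap_id, response = chap_password[0], chap_password[1:]
    expected = chap_response(chap_id, secret, chap_challenge)
    return "Access-Accept" if hmac.compare_digest(expected, response) else "Access-Reject"


def run_exchange(user_name: str, client_secret: bytes, chap_id: int = 1,
                 challenge: bytes = None) -> str:
    """Simulates NAS -> client -> NAS -> RADIUS for one login attempt."""
    challenge = challenge or os.urandom(16)   # the NAS chooses the challenge
    chap_password = client_chap_password(chap_id, client_secret, challenge)
    return radius_decide(user_name, challenge, chap_password)


if __name__ == "__main__":
    print(run_exchange("alice", b"correct horse battery"))   # Access-Accept
    print(run_exchange("alice", b"wrong password"))          # Access-Reject
```

Two properties worth noticing: the response changes with every challenge, so a captured answer cannot be replayed, but anyone who captures challenge and response can test passwords offline at MD5 speed, which is why the manual's user-table passwords deserve the same care as the shared secret.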
315. ecessary under the following circumstances:
- The device is switched on or a cold start is done. In this case the database is empty and the device cannot select a channel from the whitelist.
- The device has been operating for 24 hours and the whitelist entries are deleted. In this case the database has to be refilled.

Note: To prevent the 60-second scanning procedure from starting at an unsuitable time, the time when the database is deleted can be adjusted with WEBconfig or Telnet under the menu Setup > Interfaces > WLAN > Radio-Settings. Cron syntax can be used to define the time, e.g. "1,6,13" for a DFS scan at 1 a.m., 6 a.m. and 1 p.m., or "0-23/4" for a DFS scan every four hours from 0 a.m. to 11 p.m. Precondition is a correctly set system time on the device.

Note: As of LCOS 7.20, the limitation requiring 5 GHz operation with DFS to be interrupted for one minute every 24 hours (as required for outdoor radio paths, for example) no longer applies. The connection can now be operated for any length of time on the channel selected by the DFS algorithm until either a radar signal is detected or the radio cell is restarted, e.g. by changing the device configuration, a firmware upload or a restart. The validity of the result of the one-minute scan is still limited to 24 hours. For this reason, restarting the radio cell or the detection of a radar signal can cause a one-minute interruption if the last scan was more than 24 hours ago, because the device
316. ecise alignment of the antennas is of considerable importance in establishing P2P connections. The more centrally the receiving antenna is located in the ideal line of the transmitting antenna, the better the actual performance and the effective bandwidth. If the receiving antenna is outside of this ideal area, however, significant losses in performance will result.

The current signal quality over a P2P connection can be displayed on the device's LEDs or in the LANmonitor in order to help find the best possible alignment for the antennas. Right-clicking on "Point-to-point" activates the option "Adjusting Point-to-Point WLAN Antennas".

Wireless LAN (WLAN), 3.7 IEEE 802.11i for point-to-point connections

[Screenshot: LANmonitor showing a LANCOM 1811 Wireless DSL with its WAN connections, Wireless LAN and System entries]

Note: The Point-to-point entry is only visible in the LANmonitor if the monitored device has at least one base station defined as a remote station for a P2P connection (LANconfig: Wireless LAN > General > Physical WLAN settings > Point-to-Point).

In the dialog for setting up point-to-point connections, LANmonitor prompts for the information required to establish the P2P connection:
- Is the P2P connection configured at both ends (remote base station defined with MA
317. ection mechanism
NetBIOS: Network Basic Input/Output System. Non-routable network protocol for local networks, developed by IBM and later taken over by Microsoft.
NTBA: Network Termination Basic Adaptor. In an ISDN basic rate connection the NTBA network termination adapter translates the line provided by the telephone company to the S0 bus.
OFDM: Orthogonal Frequency Division Multiplex.
PEAP: Protected EAP. EAP variant for mutual authentication.
PKI: Public Key Infrastructure.
PPP: Point-to-Point Protocol. Link-layer protocol for connections between two computers; TCP/IP (and other network protocols) is carried over PPP.
PPTP: Point-to-Point Tunneling Protocol. Network protocol for the construction of virtual private networks over the Internet.
Point-to-Multipoint WLAN: Multiple WLAN stations log into a base station and constitute a common network with the wired stations.
Point-to-Point WLAN: Two base stations connect two wired networks over WLAN. Point-to-point operation enables coupling of networks even across streets without cables.
QoS: Quality of Service, see also IP Quality of Service.
RADIUS: Remote Authentication Dial-In User Service. Authentication and monitoring protocol at the application level, used for authentication, integrity protection and accounting for network access.
RC4: Stream cipher by Ron Rivest ("Ron's Code").
RFC: Request for Comments.
Router: Intelligent network component, comparable with a post office, which can determine from
318. ed if they apply to an interface over which the packet is to be sent. Please refer to the section "Redirect function", page 82, for further information. In the third step the action associated with the applicable rule is carried out.

3.5.3 Redirect function

With the Redirect action, IPv4 packets can not only be transferred or dropped, they can also be delivered specifically to a particular destination. As a general rule, the destination IP address of the packet is replaced by the Redirect IP address entered. The destination MAC address of the packet is replaced by the MAC address that ARP resolves for the Redirect IP address.

In order for the redirected packets to find the correct sender on their return trip, a dynamic table is compiled with automatic filter rules that apply to packets leaving via this interface. This table can be viewed under Status > LAN-Bridge > Connection-table. Rules in this table have a higher priority than other matching rules with the Transfer or Drop actions.

Wireless LAN (WLAN), 3.5 Extended WLAN protocol filters

Example application: Clients within wireless networks often have one aspect in common, a high degree of mobility. Consequently, clients are not necessarily always connected to the same access point but frequently change between access points and the related LANs. The redirect function assists WL
319. ed into the user table, and these can be authenticated by the RADIUS server without reference to other databases. This user table is used for local requests to the RADIUS server, i.e. for requests with a user name but no realm.
- User name: User name
- Password: User password
- Limit auth methods: This option allows you to place limitations on the authentication methods permitted for the user. Values: PAP, CHAP, MSCHAP, MSCHAPv2, EAP, All. Default: All.

Forwarding server: The table of forwarding servers contains up to 16 realms with the associated forwarding destinations.
- Realm: Character string identifying the forwarding destination
- IP address: IP address of the RADIUS server to which the request is to be forwarded
- Port: UDP port for communications with the forwarding server
- Secret: Shared secret required for accessing the forwarding server
- Backup: Alternative forwarding server in case the first forwarding server is not available

EAP options for the RADIUS server:
- EAP tunnel server: This realm refers to the entry in the table of forwarding servers that is to be used for tunneled TTLS or PEAP requests.

More services, 12.11 RADSEC

- TLS check username: TLS authenticates the client via certificate only. If this option is activated, the RADIUS server additionally checks whether the user name in the certificate is contained in the RADIUS user table.

12.11 RADSEC

RADIUS has become established
320. eded limit: more than 0 packets transmitted or received on a connection; actions: drop, block source address for 1 minute, send syslog message.

Notification by email: If the email system of the BAT is activated, you can use the convenient notification by email. The device sends an email to the administrator as soon as the firewall executes the appropriate action:

FROM: BAT_Firewall@MyCompany.com
TO: Administrator@MyCompany.com
SUBJECT: packet filtered
Date: 9/24/2002 15:06:46

The packet below
Src: 10.0.0.37:4353 (cs2)
Dst: 192.168.200.10:80 (ntserver)
(TCP):
45 00 00 2c ed 50 40 00 80 06 7a a3 0a 00 00 25
c0 a8 c8 0a 11 01 00 50 00 77 5e d4 00 00 00 00
60 02 20 00 74 b2 00 00 02 04 05 b4

matched this filter rule: BLOCKHTTP
and exceeded this limit: more than 0 packets transmitted or received on a connection
because of this the actions below were performed:
drop
block source address for 1 minutes
send syslog message
send SNMP trap
send email to administrator

Firewall, 8.3 The BAT Firewall

Sending the email from the BAT to the administrator only works if the right email address is entered. Under LANconfig you can enter the email address in the configuration area Firewall/QoS under the tab "General".

[Dialog: Configure Firewall/QoS, General tab: Firewall/QoS enabled; General settings: To the ema
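The hex dump in the notification mail is a raw IPv4/TCP header, and an administrator receiving such mails usually wants to decode it rather than trust the Src/Dst summary alone. The following parser is an added example (not part of the manual or the device): it decodes the IPv4 header, verifies the IP header checksum, decodes the TCP header and its MSS option, and reproduces the mail's summary line. `SAMPLE_HEX` is the dump quoted above; the option and flag handling is general and works on any IPv4/TCP header.

```python
import ipaddress
import struct

# Hex dump as quoted in the sample notification mail (44 bytes: 20-byte IPv4
# header followed by a 24-byte TCP header carrying one MSS option).
SAMPLE_HEX = (
    "45 00 00 2c ed 50 40 00 80 06 7a a3 0a 00 00 25 "
    "c0 a8 c8 0a 11 01 00 50 00 77 5e d4 00 00 00 00 "
    "60 02 20 00 74 b2 00 00 02 04 05 b4"
)

TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR", "NS"]


def ip_checksum(header: bytes) -> int:
    """RFC 1071 ones-complement sum over 16-bit words. Run over a header whose
    checksum field is zero it yields the checksum; over a correct header it yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_flag_names(flags: int) -> list:
    return [name for bit, name in enumerate(TCP_FLAG_NAMES) if flags & (1 << bit)]


def parse_tcp_options(opts: bytes) -> dict:
    """Decodes kind/length/value options; MSS (kind 2) is interpreted, others kept as hex."""
    out, i = {}, 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                 # End of option list
            break
        if kind == 1:                 # NOP padding
            i += 1
            continue
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("malformed TCP option")
        value = opts[i + 2:i + length]
        out["mss" if kind == 2 else "opt%d" % kind] = (
            int.from_bytes(value, "big") if kind == 2 else value.hex())
        i += length
    return out


def parse_packet(hexdump: str) -> dict:
    """Parses the IPv4 header and, for protocol 6, the TCP header of a hex dump."""
    data = bytes.fromhex(hexdump)
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto,
     csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", data[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(data) < ihl:
        raise ValueError("not a complete IPv4 header")
    pkt = {
        "version": 4, "ihl": ihl, "tos": tos, "total_length": total_len, "id": ident,
        "df": bool(flags_frag & 0x4000), "frag_offset": flags_frag & 0x1FFF,
        "ttl": ttl, "protocol": proto,
        "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
        "ip_checksum_ok": ip_checksum(data[:ihl]) == 0,
    }
    if proto == 6 and len(data) >= ihl + 20:
        (sport, dport, seq, ack, off_flags,
         window, tcsum, urg) = struct.unpack("!HHIIHHHH", data[ihl:ihl + 20])
        doff = (off_flags >> 12) * 4
        pkt.update({
            "sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": tcp_flag_names(off_flags & 0x1FF), "window": window,
            "tcp_options": parse_tcp_options(data[ihl + 20:ihl + doff]),
        })
    return pkt


def summarize(pkt: dict) -> str:
    """One-line summary in the style of the mail's Src/Dst lines."""
    return "Src %s:%s Dst %s:%s proto %d flags %s" % (
        pkt["src"], pkt.get("sport", "-"), pkt["dst"], pkt.get("dport", "-"),
        pkt["protocol"], "/".join(pkt.get("flags", [])))


if __name__ == "__main__":
    print(summarize(parse_packet(SAMPLE_HEX)))
```

Decoded, the quoted dump is a plain SYN from 10.0.0.37:4353 to 192.168.200.10:80 with TTL 128, DF set, window 8192 and MSS 1460, i.e. the first packet of an HTTP connection that rule BLOCKHTTP caught; the IP header checksum 0x7aa3 verifies.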
321. eed at first a way to access your PCs and data. In principle the following ways are open, as long as they are neither blocked nor protected:
- via the central Internet connection, e.g. via routers
- via decentral connections to the Internet, e.g. modems of single PCs or mobile phones on notebooks
- via wireless networks operating as a supplement to wired networks

Note: In this chapter we only deal with the way via the central Internet connection, i.e. via the router.

Note: For hints on the protection of wireless networks, please refer to the respective chapters of this user manual (configuration) or of the appropriate device documentation.

8.1.3 The methods

Normally strangers have, of course, no access to your local area network or to the workstations belonging to it. Without the appropriate access data or passwords, nobody can access the protected area. If spying out these access data is not possible, attackers will try another way to achieve their goals.

A fundamental starting point is to smuggle data into the network over one of the allowed ways for data exchange, which then opens access for the attacker from the inside. Small programs can be transferred to a computer as attachments to e-mails or as active content on web pages, e.g. in order to cause a crash afterwards. The program uses the crash to install a new administrator on the computer, which can then be used remotely for further actions in the LAN. If the
322. efined by entries in the routing table.

11.7.7 Virtual routers

With interface-dependent filtering in combination with policy-based routing, virtual routers can be defined for every interface.

Example: Two separate IP networks are used by the Development and Sales departments. Both networks are connected to different switch ports, although they use the same network 10.1.1.0/255.255.255.0. Sales should be able to access the Internet only, whereas Development should also have access to a partner company's network 192.168.1.0/255.255.255.0. The result is the following routing table, where the Development department has tag 2 and Sales has tag 1:

IP address       IP netmask       Rtg tag  Peer or IP  Distance  Masquerading  Active
192.168.1.0      255.255.255.0    2        PARTNER     0         no            yes
192.168.0.0      255.255.0.0      0        0.0.0.0     0         no            yes
255.255.255.255  0.0.0.0          2        INTERNET    2         yes           yes
255.255.255.255  0.0.0.0          1        INTERNET    2         yes           yes

If Development and Sales were in IP networks with different address ranges, it would be no problem to assign the routing tags with firewall rules. Since both departments are in the same IP network, the only available method of assignment is by network names.

Routing and WAN connections, 11.7 Changes in other services

Tag assignment can be carried out directly in the network definition:

SALES  10.1.1.1  255.255.255.0  LAN-2  strict  Intranet  1  0

Alternati
323. eful Packet Inspection (SPI), or briefly Stateful Inspection, enhances the packet filter approach by checking further connection-state information. Besides the more static table with the permitted ports and address ranges, a dynamic table is kept in this variant in which information about the connection state of the individual connections is held. This dynamic table makes it possible to block all endangered ports at first and to open a port selectively, and only if required, for a permitted connection, keyed by source and destination address. The opening of ports is always initiated from the protected network towards the unprotected one, that means mostly from the LAN to the WAN (Internet). Data packets that do not belong to one of the tracked sessions in the connection state table are automatically discarded.

Stateful Inspection: direction-dependent checking

The filter sets of a Stateful Inspection firewall are, contrary to classical port filter firewalls, dependent on their direction. Connections can only be established from a source to its destination. The other direction would require an explicit filter entry as well. Once a connection has been established, the data packets belonging to this connection are of course transmitted in both directions. So you can reliably block all traffic that neither belongs to a known session nor comes from the local network. Additionally, the Stateful Inspection is able to track from the connection se
324. egister card "General".

Do you make use of a Deny All firewall strategy? For maximum security and control, first prevent any data transfer through the firewall. Only those connections which are explicitly desired then have to be allowed by a dedicated firewall rule. Thus Trojans and certain email viruses lose their communication path back out. The firewall rules are summarized in LANconfig under Firewall/QoS on the register card "Rules".

Security, 7.2 The security checklist

Have you activated IP masquerading? IP masquerading is the hiding place for all local computers for connection to the Internet. Only the router module of the unit and its IP address are visible on the Internet. The IP address can be fixed or assigned dynamically by the provider. The computers in the LAN then use the router as a gateway, so that they themselves cannot be detected. The router separates Internet and intranet as if by a wall. The use of IP masquerading is set individually for each route in the routing table. The routing table can be found in LANconfig in the IP router configuration section on the Routing tab.

Have you excluded certain stations from access to the router? Access to the internal functions of the devices can be restricted using a special filter list. Internal functions in this case are configuration sessions via LANconfig, WEBconfig, Telnet or TFTP. Th
325. egrated ADSL modem automatically reports back to the BAT how many data packets it is still able to receive and thus throttles the data stream already within the router. As a result the queues fill up automatically.

Quality of Service, 9.3 The queue concept

The case is different if an Ethernet interface provides the connection to the WAN. From the BAT's point of view, the connection to the Internet via an external broadband modem looks like an Ethernet segment. On the link from the BAT to the DSL modem, data is transferred at full LAN speed of 10 or 100 Mbps. Because input and output speed are equal, no natural congestion is produced. Furthermore, the Ethernet between the BAT and the broadband modem does not report anything about the capacity of the connection. The consequence: congestion only happens within the broadband modem. But because no queues are deployed there, surplus data is lost, and a prioritization of preferred data is not possible.

[Figure: LAN clients (n x 64 kbps, 54 Mbps, 100 Mbps) feed the BAT; BAT to DSL modem at 100 Mbps; modem to WAN at 128 kbps; surplus data is dropped in the modem]

To solve this problem, the transfer rate of the BAT's WAN interface is artificially reduced. This interface is thereby adjusted to the transfer rate that is actually available for the data transport towards the WAN. For a standard DSL connection the DSL interface in the BAT is thus adjusted to the appropriate up
326. el of this route will be reduced if the entry addressed has a higher distance (up to 14). Unfavorable routes like this will only be used if no other route to the remote station in question can be found.

Configuration of the routing table
- LANconfig: IP router > Routing > Routing table
- WEBconfig: Expert Configuration > Setup > IP-router > IP-routing-table
- Terminal/Telnet: cd setup/IP-router/IP-routing-table

An IP routing table can, for example, look like this:

IP address     Netmask        Routing tag  Router         Distance  Masquerading  Active
192.168.120.0  255.255.255.0  0            MAIN           2         Off           yes
192.168.125.0  255.255.255.0  0            NODE1          3         Off           yes
192.168.130.0  255.255.255.0  0            191.168.140.1  0         Off           yes

What do the various entries on the list mean?

IP addresses and netmasks: This is the address of the destination network to which data packets may be sent, and its associated network mask. The router uses the network mask and the destination IP address of the incoming data packets to check whether the packet belongs to the destination network in question. The route with the IP address 255.255.255.255 and the network mask 0.0.0.0 is the default route. All data packets that cannot be routed by other routing entries are sent over this route.

Routing tag: With the routing tag the selection of the target route can be controlled more easily. Therefore not only the target
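A route lookup over tables of the form shown here and in the virtual-router example (11.7.7) above, written as an added example; it is not the device's routing code. It applies the rules the text states: netmask match, the 255.255.255.255/0.0.0.0 default route, routing tags (tag 0 applies to all packets, a tagged route only to packets carrying that tag) and distance as a tie-breaker. Reading a router of 0.0.0.0 as "discard" is my interpretation of the Sales/Development example, where that row is what keeps Sales (tag 1) away from the partner network; the table rows are copied from the two examples on this page.

```python
import ipaddress

# Rows in the manual's column order: IP address, netmask, routing tag, router,
# distance, masquerading, active. A router of 0.0.0.0 is read here as "no onward
# route" (packet discarded), which is how the Sales example above uses it.
ROUTING_TABLE = [
    ("192.168.1.0",     "255.255.255.0", 2, "PARTNER",  0, False, True),
    ("192.168.0.0",     "255.255.0.0",   0, "0.0.0.0",  0, False, True),
    ("255.255.255.255", "0.0.0.0",       2, "INTERNET", 2, True,  True),
    ("255.255.255.255", "0.0.0.0",       1, "INTERNET", 2, True,  True),
    ("192.168.120.0",   "255.255.255.0", 0, "MAIN",     2, False, True),
]


def ip_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def prefix_len(netmask: str) -> int:
    """Number of leading one bits; rejects non-contiguous masks."""
    m = ip_int(netmask)
    ones = bin(m).count("1")
    if m != ((0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF):
        raise ValueError("non-contiguous netmask %s" % netmask)
    return ones


def lookup(dst: str, packet_tag: int, table=ROUTING_TABLE) -> dict:
    """Selects the route: longest prefix first, then a tag equal to the packet's
    over the wildcard tag 0, then the lowest distance."""
    d = ip_int(dst)
    best = None
    for net, mask, tag, router, distance, masq, active in table:
        if not active or tag not in (0, packet_tag):
            continue
        m = ip_int(mask)
        if (d & m) != (ip_int(net) & m):
            continue
        rank = (prefix_len(mask), tag == packet_tag, -distance)
        if best is None or rank > best[0]:
            best = (rank, {"router": router, "masquerading": masq,
                           "prefix_len": rank[0], "tag": tag})
    if best is None:
        return {"router": None, "masquerading": False, "prefix_len": -1, "tag": None}
    return best[1]


def forward_decision(dst: str, packet_tag: int) -> str:
    r = lookup(dst, packet_tag)
    if r["router"] in (None, "0.0.0.0"):
        return "drop"
    return "send via %s%s" % (r["router"], " (masqueraded)" if r["masquerading"] else "")


if __name__ == "__main__":
    for who, tag in (("Development", 2), ("Sales", 1)):
        print(who, "-> 192.168.1.5:", forward_decision("192.168.1.5", tag))
        print(who, "-> 203.0.113.9:", forward_decision("203.0.113.9", tag))
```

Running it shows the policy the example intends: Development reaches 192.168.1.5 via PARTNER, Sales is dropped by the tag-0 row for 192.168.0.0/16, and both reach the Internet through their own tagged default route with masquerading.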
327. el script sessions
5.3.6 Scripting commands
5.3.7 WLAN configuration with the wizards in LANconfig
5.4 Group configuration with LANconfig
5.4.1 Create a group configuration
5.4.2 Update device configurations
5.4.3 Update group configurations
5.4.4 Using multiple group configurations
5.5 Rollout Wizard 201
5.5.1 General settings in the Rollout Wizard 201
5.5.2 Variables 202
5.5.3 Actions to be executed by the Rollout Wizard 203
5.5.4 Actions for managing the Rollout Wizard 204
5.6 Display functions in LANmonitor 205
5.7 LANmonitor: know what's going on 208
5.7.1 Extended display options 209
5.7.2 Enquiry of the CPU and memory utilization over SNMP 210
5.7.3 Monitor Internet connection 210
5.7.4 Tracing with LANmonitor 212
5.8 Visualization of larger WLANs 214
5.8.1 Start the WLANmonitor 215
5.8.2 Search for access points 215
5.8.3 Add access points 216
5.8.4 Organize access points 216
5.8.5 Rogue AP and rogue client detection with the WLANmonitor 217
5.9 Messaging 222
6 Diagnosis 225
6.1 Trace information for advanced users 225
6.1.1 How to start a trace 225
6.1.2 Overview of the keys 225
6.1.3 Overview of the parameters 226
6.1.4 Combination commands 227
6.1.5 Trace filters 227
6.1.6 Exampl
328. elease 7.54 06/08, page 87

Wireless LAN (WLAN), 3.5 Extended WLAN protocol filters

3.5.1 Protocol filter parameters

The protocol table can accommodate up to 128 entries. Create an entry in the protocol list for each protocol that requires special handling. Enter the following values:
- Name: Freely selectable name for the filter entry, maximum 16 characters.
- DHCP source MAC: Enabling of DHCP address tracking. Yes: the rule applies if the source MAC address of the packet is listed in the table under Status > LAN-Bridge-Statistics > DHCP-Table as an address which obtained an IP address using DHCP. No: the rule applies if this is not the case. Irrelevant: the source MAC address is not considered.
  Note: If DHCP address tracking is enabled, any IP addresses usually entered are disregarded. Please refer to "DHCP address tracking", page 92, for further information.
- Destination MAC address: The MAC address of the client to which the packet is to be sent. If no destination MAC address is entered, the filter is applied to all packets.
- Protocol: e.g. 0800 for IP. If 0 is entered as the protocol, the filter applies to all packets.
- IP network and IP netmask: The IP address and network mask of the network to which this filter applies. Only those IP packets whose source and destination IP addresses lie within this network are captured by the rule. If no network is entered, the filter applies to all packets.
- Sub-protocol: e.g. 6 for TCP. If 0 is
329. end so the desired data to the client.

Unauthorized incoming connection: Dest port 4322, Source port 20, by IP 80.146.204.15. If another workstation from the Internet tries to use the just-opened port 4322 of the LAN to send data from its port 20 to the protected client, the firewall stops this attempt because the IP address of the attacker does not match the permitted connection.

Note: After the successful data transfer the entries disappear automatically from the dynamic table and the ports are closed again.

Moreover, a firewall with Stateful Inspection is usually able to re-assemble the received data packets, that means to buffer the individual fragments and to assemble them again into a complete packet. Therefore complete IP packets can be checked by the firewall rather than individual fragments only.

Firewall, 8.2 What is a Firewall?

This porter is doing a definitely better job. When somebody in this company orders a courier, he must also inform the porter that he is expecting a courier, when he will be arriving and what information should be found on the delivery note. Only when this information matches the logbook entries of the porter may the courier pass. If the courier brings not one packet but two, only the one with the correct delivery note will pass. Likewise, a second courier demanding access to the employee will be rejected too.
330. ent examples for the operation of virtual LANs against this background.

Virtual LANs (VLANs), 10.2 This is how a VLAN works

Management and user traffic on a LAN: Several hot spots are installed on a university campus so that students equipped with notebooks and WLAN cards have access to the Internet and to the server of the library. The hot spots are connected to the university LAN. Via this LAN the administrators also access the base stations to carry out management tasks via SNMP. By setting up a virtual LAN between the base stations and the administrator's switch, management data is shielded from all public traffic on the LAN.

Different organizations on one LAN: The flexibility of the modern world of work raises new challenges for administrators concerning planning and maintenance of network structures. The occupation of the rooms by leaseholders changes permanently in public office buildings, and also inside a company teams are often newly assembled. In both cases the individual units must have an independent, protected LAN. But this task is very burdensome to realize by hardware changes, or not possible at all, because e.g. only one single central cabling exists in the office building.

10.3 Configuration of VLANs

[Figure: Company A with its sales and accounts departments and further tenants on separate VLAN IDs (3, 5, 11, ...)]
331. enter a special WEP key for the respective logical WLAN interface, or a passphrase when using WPA-PSK. The passphrase (the password for the WPA-PSK method) is entered as a string of at least 8 and up to 63 ASCII characters.

Note: Please be aware that the security of this encryption method depends on the confidential treatment of this passphrase. Passphrases should not be made public to larger circles of users.

Wireless LAN (WLAN), 3.4 Configuration of WLAN parameters

The WEP key 1 that applies only to its respective logical WLAN interface can be entered in different ways depending on the key length. Rules for the entry of the keys can be found in the description of the WEP group key ("Rules for entering WEP keys", page 62).

WPA session key type: If 802.11i (WPA)-PSK has been entered as the encryption method, the procedure for generating a session or group key can be selected here:
- AES: the AES method will be used.
- TKIP: the TKIP method will be used.
- AES/TKIP: the AES method will be used; if the client hardware does not support the AES method, TKIP will be used.

WEP and TKIP are both cryptographically broken; where the clients allow it, select AES only, since the AES/TKIP setting lets a client negotiate the weaker cipher.

Authentication: If the encryption method was set to WEP encryption, two different methods for the authentication of the WLAN client are available. The Open System method does not use any authentication; the data packets must be properly encrypted from the start to be accepted by the access point. With the Shared Key
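Why the passphrase deserves the care the note asks for, as an added example that is not from the manual or the device firmware: WPA-PSK turns the passphrase and the SSID into the 256-bit Pairwise Master Key with PBKDF2-HMAC-SHA1 (4096 iterations), so whoever learns the passphrase, or captures a handshake and guesses it, obtains the key for every client on that SSID. The block enforces the 8 to 63 printable-ASCII rule, derives the PMK, checks it against the published IEEE 802.11i test vector, and runs the offline dictionary attack that a leaked handshake permits. The SSID "BAT54-Office" and the candidate list are constructed.

```python
import hashlib
import hmac

# IEEE 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)
PBKDF2_ITERATIONS = 4096


def check_passphrase(passphrase: str) -> None:
    """Enforces the 8..63 printable-ASCII rule the access point applies to WPA-PSK."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA passphrase must be printable ASCII")


def wpa_psk_pmk(passphrase: str, ssid: str) -> bytes:
    """Derives the Pairwise Master Key from passphrase and SSID."""
    check_passphrase(passphrase)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, 32)


def dictionary_attack(ssid: str, target_pmk: bytes, candidates):
    """What an attacker does with a captured 4-way handshake: try passphrases offline
    until one reproduces the PMK. Returns that passphrase, or None."""
    for cand in candidates:
        try:
            pmk = wpa_psk_pmk(cand, ssid)
        except ValueError:
            continue                      # outside 8..63 ASCII, cannot be the key
        if hmac.compare_digest(pmk, target_pmk):
            return cand
    return None


if __name__ == "__main__":
    # Published test vector (IEEE 802.11i Annex H): passphrase "password", SSID "IEEE"
    print(wpa_psk_pmk("password", "IEEE").hex())
    ap_pmk = wpa_psk_pmk("summer2008", "BAT54-Office")   # constructed weak passphrase
    print(dictionary_attack("BAT54-Office", ap_pmk,
                            ["12345678", "letmein1", "summer2008"]))
```

The SSID acts as a salt, so the same passphrase on two SSIDs yields two different PMKs and a precomputed table only helps against a common SSID; the 4096 iterations slow guessing but do not stop it, which is why a short or guessable passphrase is the real weakness.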
332. eparately for each access method as follows:
- ISDN administrative account
- LAN
- Wireless LAN (WLAN)
- WAN (e.g. ISDN, DSL or ADSL)

For network-based configuration access, further restrictions can be made, e.g. that solely specified IP addresses or dedicated LANCAPI clients are allowed. Additionally, all of the following internal functions are separately selectable:
- LANconfig (TFTP)
- WEBconfig (HTTP, HTTPS)
- SNMP
- Terminal/Telnet

Note: The use of the internal functions over a WAN interface of devices with VPN can be restricted to the VPN connection only.

Restrictions on the ISDN administrative account: As long as no MSN configuration is entered, a non-configured BAT accepts calls on all MSNs. As soon as the first change in the configuration is saved, the device only accepts calls on the configuration MSN.

Note: If no configuration MSN is entered when configuring for the first time, remote configuration is switched off and the device is protected from access over the ISDN line.

Change to the register card "Admin" in the "Management" configuration area.

Security, 7.1 Protection for the configuration

[Dialog: Configure Management, Admin tab: Device configuration: Main device password; Number (MSN); Further administrators; Password required for SNMP read permission; Configuration login lock: Lock configuration after
333. er always to the physical connection. Indicating parameter W for WAN sending direction is not required here and hence is ignored if present.

The following example shows a setting for Voice over IP telephony:

Rule  Source                                               Destination                                          Action            Protocol
VOIP  IP addresses of the IP telephones in the LAN, all ports  IP addresses of the IP telephones in the LAN, all ports  %Qcds32 %Prt256   UDP

This rule sets the minimum bandwidth for sending and receiving to 32 kbps and forces and reduces the PMTU while sending and receiving to packets of 256 bytes. For a TCP connection, the maximum segment size of the local workstation is set to 216 bytes, so that the server sends packets of at most 256 bytes (reduction of the PMTU in the sending and receiving direction).

9.8 QoS for WLANs: IEEE 802.11e

With the extension to the 802.11 standard, 802.11e, Quality of Service can be provided for transfers via WLAN. Among other things, 802.11e supports the prioritization of certain data packet types. This extension is an important basis for the use of voice applications in WLANs (Voice over WLAN, VoWLAN).

The Wi-Fi Alliance certifies products that support Quality of Service according to 802.11e and refers to them as WMM (Wi-Fi Multimedia, formerly known as WME or Wireless Multimedia Extension). WMM defines four categories, voice, video, best effort and background, which make up separate queues to be used for prioritization. The 802.11e standard set
334. erentiate on the well-known port between requests and acknowledges; then it sends the response packets to the source port of the sender of the original request, but uses as its own source port a free port on which it now reacts only to those packets which belong to the data communication.
Client port | Connection | Server port
12345 | Request | 69
12345 | Response | 54321
12345 | Ack / Data | 54321
12345 | Data / Ack | 54321
While the data communication now takes place over the ports 12345 and 54321, the server on the well-known port 69 can accept further requests. If the BAT pursues a Deny All strategy, the answer packets of an entry of the port filter Firewall which permits only a connection to port 69 of the server would simply be discarded. In order to prevent this, when creating the entry in the connection state database the destination port of the connection is kept free at first and set only with the arrival of the first answer packet, whereby both possible cases of a UDP connection are covered. TCP connections: TCP connections cannot be tracked only by examination of the ports. With some protocols, e.g. FTP, PPTP or H.323, examinations of the utilizable data are necessary to open all later negotiated connections and to accept only those packets belonging really to the connections. This corresponds to a simplified version of IP mas
335. erface | ISDN remote | Analog dial-in with BAT Modem software | WLAN (Outband configuration (Adapter Kit) / Inband)
Terminal program | No | Yes | No | No
Telnet | Yes | No | No | No
TFTP | Yes | No | Yes | Yes
Note: Please note that all procedures access the same configuration data. For example, if you change the settings in LANconfig, this will also have a direct effect on the values under WEBconfig and Telnet. Please observe the following hints when using a terminal program over the serial interface: The models BAT54-F and BAT54-F X2 feature a reduced serial interface (Rx, Tx, ground only); hence the hardware handshake has to be deactivated. The BAT54 Rail features a fully fledged serial interface which supports the hardware handshake of the terminal program. Caution: If the hardware handshake is not well configured, some characters may get lost while transmitting script or configuration files, resulting in a damaged device configuration. In contrast, the firmware upload will work even with a wrongly configured hardware handshake, because the X-Modem protocol ensures a secure data transmission. 4.3 Searching and configuring devices. Note: Always switch on your device first before starting the PC for configuration. A Router or an Access Point can be configured in the following ways, provided that the model is equipped with the according interface: Via the local network (LAN); Via the wireless network (WLAN), if the WLAN encryption
336. es of traces 228
6.1.7 Recording traces 228
6.2 SYSLOG storage in the device 229
6.2.1 Activate SYSLOG module 230
6.2.2 Configuring the SYSLOG client 230
6.2.3 Read out SYSLOG messages 231
6.3 The ping command 232
6.4 Monitoring the switch 233
6.5 Cable testing 234
7 Security 237
7.1 Protection for the configuration 237
7.1.1 Password protection 237
7.1.2 Login barring 239
7.1.3 Restriction of the access rights on the configuration 240
7.2 The security checklist 244
8 Firewall 249
8.1 Threat analysis 249
8.1.1 The dangers 24
8.1.2 The ways of the perpetrators
8.1.3 The methods
8.1.4 The victims
8.2 What is a Firewall
8.2.1 Tasks of a Firewall
8.2.2 Different types of Firewalls
8.3 The BAT Firewall
8.3.1 How the BAT Firewall inspects data packets
8.3.2 Special protocols
8.3.3 General settings of the Firewall
8.3.4 Parameters of Firewall rules
8.3.5 Alerting functions of the Firewall
8.3.6 Strategies for Firewall settings
8.3.7 Hints for setting the Firewall
8.3.8 Configuration of Firewall rules
8.3.9 Firewall diagnosis
8.3.10 Firewall limitations
8.4 Intrusion Detection
8.4.1 Examples for break-in attempts
8.4.2 Configuration of the IDS
8.5 Denial of Service
8.5.1 Examples of Denial of Service Attacks
8.5.2 Configuration of DoS blocking
8.5.3 Configuration of ping blocking and Stealth mode
9 Quality of Service
9.1 Why QoS
337. ese regular interruptions, messaging can be disabled at the time when the re-connect occurs. First of all, an action is required to force the re-connect to occur at a fixed time, generally at night when the Internet connection is not in use. The entry defines, for example, 03:00h, and the Internet connection is broken with the command "do other manual disconnect internet". With two more cron commands, "set setup wan action table 1 yes/no", the corresponding entry in the action table is switched off three minutes before 03:00h and switched on again three minutes after 03:00h. The number 1 following the path to the action table is an index that stands for the first entry in the table. [Screenshot: cron table with three entries, each active (Yes) and of type Realtime: 0 00 03 "do other manual disc..."; 0 57 02 "set setup wan actio..."; and a third entry] 6 Diagnosis. 6.1 Trace information for advanced users. Trace outputs may be used to monitor the internal processes in the router during or after configuration. One such trace can be used to display the individual steps involved in negotiating the PPP. Experienced users may interpret these outputs to trace any errors occurring in the establishment of a connection. A particular advantage of this is: the errors being tracked may stem from the configuration of your own router or that of the remote site. Note: The trace output
338. ese three time values is only recommended for those with exact knowledge of the Spanning Tree protocol. An adjustment can be useful in order to optimize reaction times after topology changes or to achieve stable performance in networks with many bridge hops. Transmit Hold Count: Number of BPDUs which can be transmitted by RSTP before a one-second pause commences. Default: 6. Note: When using classical STP, the transmit hold count has no effect. Port Table: The port table can be used to set the following values separately for all available ports (LAN, wireless LAN, point-to-point connections). Mark as edge port: Marks the port as an edge port which is not connected to any further bridges but to workstations or servers only. Edge ports switch immediately into the forwarding state. Default: Off. Note: Edge ports continue to be monitored by RSTP. If a port of this type receives BPDUs, then its status as an edge port is removed. Priority: Defines the priority of the port. In the case of multiple network paths with identical path costs, the priority value decides which port is used. If priority values are identical, then the port to be taken is the first in the list. Values: 0 to 255, where a higher value means a lower priority. Default: 128. Note: So as to maintain compatibility with RSTP, this value may only be adjusted in steps of 16, owing to the fact that RSTP uses only the upper 4 bits of this 16-bit value. Path Cost Override T
339. essages generate a high data volume and interfere with the normal operation of the device (DEBUG). They should therefore be disabled during normal operation and should only be activated for troubleshooting. After you have set all the parameters, confirm the entries with OK. The SYSLOG client is then entered with its parameters into the SYSLOG table. Facilities: All messages from the BAT can be assigned to a facility with the Facility mapping button and are then written to a special log file by the SYSLOG client with no additional input. Example: All facilities are set to local7. Under Linux, in the file /etc/syslog.conf the entry "local7.* /var/log/bat.log" writes all outputs of the BAT to the file /var/log/bat.log. 12.6 Time server for the local net. BAT routers can apply exact information of time either over ISDN or over public time servers on the Internet (NTP Server with Open Access policy). The BAT can then provide the detected time for all stations in the local network. 12.6.1 Configuration of the time server under LANconfig. To provide the current time in the local network, your BAT has to regularly apply the time from a time server. For this so-called real time clock, click in the configuration area Date & time on the tab Synchronization. Under NTP settings, open the list of time servers by clicking on the
340. esses (DNS forwarding, page 474). The firewall rules of the gateways must be adjusted such that, if necessary, authorized stations resp. networks from the outside are permitted to set up connections. VPN rules for loopback addresses, in order to transmit the newly assigned IP addresses through an according VPN tunnel. Note: The IP address translation takes place in the BAT between firewall and IP router on one hand and the VPN module on the other hand. All rules related to the own network therefore use the unmapped original addresses. The entries of the remote network use the mapped addresses of the remote side valid on the VPN connection. [Figure: position of N:N mapping between the LAN interfaces, the IP router (with IP Redirect) and the VPN services (VPN, VPN over PPTP)] Configuration with different tools. LANconfig: With LANconfig you adjust the address translation for the configuration range IP router on the register card N:N Mapping. [Screenshot: Configure Router, N:N Mapping tab, N:N Address Mapping] The N:N NAT table contains rules to map the source addresses of single stations or complete networks to the specified IP addresses. You have to specify those mapping rules for every remote
341. et this option for the 2.4 GHz band by selecting the drop-down list 2.4 GHz mode, for the 5 GHz band in the appropriate list 5 GHz mode below. [Screenshot: Physical WLAN settings, WLAN interface 2, Radio tab: Frequency band 5 GHz (802.11a), Subbands 1, Channel number Automatic Choice, 2.4 GHz mode, 5 GHz mode (54 MBit/s normal mode, 108 MBit/s turbo mode), Select the desired diversity, Only transmit on primary antenna, Antenna gain, Transmission power reduction] Antenna gain, Transmission power reduction: Where the transmission power of an antenna exceeds the levels permitted in the country of operation, the power must be attenuated accordingly. The field Antenna gain is for the gain of the antenna minus the actual cable loss. For an AirLancer Extender O-18a antenna with a gain of 18 dBi and a 4 m cable with a loss of 1 dB/m, the Antenna gain would be entered as 18 - 4 = 14. This value for true antenna gain is dynamically used to calculate and emit the maximum permissible power with regards to other parameters such as country, data rate and frequency band. In contrast to this, the entry in the field Tx power reduction causes a static reduction in the power by the value entered and ignores the other parameters. Also see Establishing outdoor wireless networks, page 112. [Screenshot: Antenna gain (dBi), TX power reduction (dB)] Note: The transmission power reduction simply
342. etermining the available selection of addresses. The IP address can be taken from the address pool selected (start address pool to end address pool). Any valid addresses in the local network can be entered here. [Screenshot: Configure TCP/IP, DHCP tab: DHCP server enabled: auto; Addresses for DHCP clients: First address 192.168.2.50, Last address 192.168.2.90, Netmask 255.255.255.0, Broadcast 0.0.0.0, Default gateway 192.168.2.100; Forwarding of DHCP queries: Server address] If 0.0.0.0 is entered instead, the DHCP server automatically determines the particular addresses (start or end) from the IP or intranet address settings in the TCP/IP module using the following procedure: If only the Intranet address or only the DMZ address is entered, the start or end of the pool is determined by means of the associated network mask. If both addresses have been specified, the Intranet address has priority for determining the pool. From the address used (Intranet or DMZ address) and the associated network mask, the DHCP server determines the first and last possible IP address in the local network as a start or end address for the address pool. If the router has neither an Intranet address nor a DMZ
343. etting the transmission power reduction is described in the section Radio settings, page 66. 3.9 Bandwidth limits in the WLAN. The bandwidths that are available can be limited so that they can be better distributed among several participants in the WLAN. This bandwidth limit is available for wireless ISPs, for example, who want to provide their customers with a defined bandwidth. Note: Unlike bandwidth management using QoS (Quality of Service), this procedure does not allow a minimum bandwidth but an exactly defined maximum bandwidth instead. Even if more bandwidth were actually available due to low traffic from other network stations, only the bandwidth specified here is provided to the user. The settings differentiate between operating a device as an access point or in client mode. 3.9.1 Operating as an access point. In the access point operating mode, the maximum permitted bandwidths can be specified in Tx and Rx direction for the WLAN clients that register with the access point. The values of the maximum Tx and Rx bandwidths are entered in kbps in the MAC access list. A value of 0 indicates that there is no intention to restrict the bandwidth in this transmission direction. The bandwidth that is actually provided is determined from the value that is entered here and the value that is transmitted by the client. Note: The signifi
344. ettings are stored to it. Use configuration file: This activates the usage of the lanconf.ini from the given directory. With this option activated, changes to the program settings are saved to the ini file selected here. Possible values: On/off and selection of the settings file. Default: Off. Note: The file you select must be a valid LANconfig settings file. Caution: If neither of the two options is activated, the ini file from the program directory will be used instead. 5.2.2 Directory structure. LANconfig uses a directory structure for a clear overview when managing multiple devices. Folders dedicated to projects or customers can be set up to organize the relevant devices. Create a new folder by clicking on the parent directory with the right mouse key and selecting New Folder from the context menu. Just use the mouse to drag and drop the devices into the appropriate folder. Devices can also be moved from one folder to another in this way. Note: The arrangement of devices in folders affects only the display of the devices within LANconfig. The organization of the folders has no influence on the configuration of the devices. [Screenshot: LANconfig main window with menu (File, Edit, Device, View, Tools, Help) and the device list with columns Description, Address, Device Status, Progress; first entry Client01 PLC PPP, 10.1.1.31, Ok]
345. ettings are subordinate to the global communications settings. This allows, for example, the use of a protocol to be restricted centrally. Configuration of the specific communication settings: For configuring the specific communications settings, the properties dialog of a device is opened via the context menu (right click on mouse). [Screenshot: device properties, General tab: Interface (Network connection TCP/IP, Serial port, Dial-Up connection with Phone number and Hang up after 20 seconds); Check the status of this device at startup; Search and update firmware at startup; Communication protocols and ports (HTTPS, HTTP, TFTP); Prefer check via TFTP (faster)] HTTPS, HTTP, TFTP: Select the communications protocols as described in the global settings. In the fields under the protocols, the port to be used can be entered, using the following default values: HTTPS 443, HTTP 80, TFTP 69. Prefer checks via TFTP: Preferred checking via TFTP, as described in the global settings. Caution: For all specific communications settings, the global settings are considered to be superordinate. A protocol can therefore only be used for operating a device when it is also activated in the global settings. 5.2.8 LANconfig behavior at Windows startup. LANconfig can be automatically started when the operating system starts.
346. etwork are translated into the BAT Router's public IP address at the transition to the Internet. In a DMZ, fixed public IP addresses are often used as no masking takes place. For each remote station, the IP routing table can be used to set whether masking should take place for the intranet area only or for the DMZ as well. Apart from masking, the network type also influences the automatic generation of VPN rules. These rules are automatically generated for intranets only and not for DMZ-type networks. Networks can be marked as Intranet or as DMZ to enable control over these options: Disabled: The network is disabled. Intranet: The network is an intranet. DMZ: The network is a DMZ. Note: Networks of the type DMZ are visible to all other networks independent of any interface tags; this is useful as the DMZ often hosts public servers such as web servers etc. The DMZ networks themselves can only see networks with the same interface tag (and any other DMZ networks, of course). VLAN ID: VLAN ID for the network. Several separate networks can be operated over a single logical interface. Each network is assigned with its own VLAN ID. The physical interface of the BAT Router handles data streams from networks with different VLAN IDs as one; these streams are separated for their virtual networks by a VLAN-capable switch. Fo
347. evice switches its own DHCP server off, changes to the DHCP client mode and obtains the IP address from the DHCP server in the LAN. This prevents the unconfigured device from assigning addresses not in the local network when switched on. The device then enables its own DHCP server if no other DHCP servers are found. If at a later point of time a further DHCP server is switched on in the LAN, the device automatically changes back into the DHCP client mode. client: The DHCP server is switched off; the device acts like a DHCP client and obtains the address information from a different DHCP server in the LAN. Note: Only use this setting if assured that a further DHCP server is active in the LAN and takes over the assignment of IP address information. forwarding: The DHCP server is active and the device accepts the requests from the DHCP clients in the local network. The device does not respond to these requests itself but forwards them to a central DHCP server. Whether the DHCP server is active or not can be seen in the DHCP statistics. The default setting for this condition is auto. 12.1.3 How are the addresses assigned? IP address assignment: Before the DHCP server can assign IP addresses to the computers in the network, it first needs to know which addresses are available for assignment. Three options exist for d
348. ewall is an extremely flexible and powerful tool. In order to help you in creating individual Firewall rules, you will find in the following some hints for your specific application. For BAT devices with VoIP functions that were already integrated or added with a software option, the ports required for voice connections are activated automatically. The default settings of the Firewall: On delivery there is exactly one entry in the Firewall rule table, WINS. This rule prevents unwanted connection set-ups on the default route (generally to the Internet) by the NetBIOS protocol. Windows networks send inquiries in regular intervals into the network to find out if known stations are still available. In case of a time-based account of a network coupling, this leads to unwanted connection set-ups. Note: The BAT can prevent this by the integrated NetBIOS proxy, also for network couplings, by pretending an answer for the concerned resource until a real access takes place. Security by NAT and Stateful Inspection: If no further Firewall rule is entered, the local area network is protected by the interaction of Network Address Translation and Stateful Inspection. Only connections from the local area network produce an entry in the NAT table, whereupon the BAT opens a communication port. The Stateful Inspection supervises communication via this port. Only packets
349. ey 2 [Screenshot: Private WEP settings for keys 2 to 4, each with key length (40 bit WEP64) and key value 0x0000000000; WEP Group Keys] This is where you can specify, for each physical wireless interface, those WEP group keys 2 to 4 that are used by the logical wireless LAN networks in common. Configuration with WEBconfig or Telnet: Under WEBconfig or Telnet you will find the group keys for the physical WLAN interface under the following paths: WEBconfig: Expert configuration > Setup > Interfaces > WLAN Interfaces > Group Keys. Terminal/Telnet: cd Setup Interfaces WLAN Interfaces Group Keys. Rules for entering WEP keys: WEP keys can be entered as ASCII characters or in hexadecimal form. The hexadecimal form begins with the characters 0x. The keys have a length depending on the WEP method:
Method | ASCII | HEX
WEP 64 | 5 characters (Example: aR45Z) | 10 characters (Example: 0x0A5C1B6D8E)
WEP 128 | 13 characters | 26 characters
WEP 152 | 16 characters | 32 characters
The ASCII character set includes the characters 0 to 9, a to z, A to Z and certain special characters such as & < > _. The HEX form uses the numbers 0 to 9 and the letters A to F to display each character as a character pair, which is why twice the number of charac te
350. f Idx: Current index (so that the table can be polled also via SNMP). System time: System time in UTC codification (will be transformed on displaying of the table into clear text). Src address: Source address of the filtered packet. Dst address: Destination address of the filtered packet. Prot: Protocol (TCP, UDP etc.) of the filtered packet. Src p: Source port of the filtered packet (only with port-related protocols). Dst p: Destination port of the filtered packet (only with port-related protocols). Filter Rule: Name of the rule which has raised the entry. Limit: Bit field which describes the crossed limit which has filtered the packet. The following values are defined at present: 0x01 Absolute number; 0x02 Number per second; 0x04 Number per minute; 0x08 Number per hour; 0x10 Global limit; 0x20 Byte limit (if not set, it concerns a packet-related limit); 0x40 Limit applies only in receiving direction; 0x80 Limit applies only in transmission direction. Threshold: Exceeded limit value of the trigger limit. Action: Bit field which specifies all implemented actions. At present the following values are defined: 0x00000001 Accept; 0x00000100 Reject; 0x00000200 Connect filter; 0x00000400 Internet (Default route) filter; 0x00000800 Drop; 0x00001000 Disconnect; 0x00004000 Block source address; 0x00020000 Block destination ad
351. f ISDN adapters. CCK: Code Complementary Keying, type of modulation used by DSSS. Client: Any computer equipped with a wireless LAN adapter (wireless LAN card) which uses services provided by other participants in the wireless network. CSMA/CA: Carrier Sense Multiple Access with Collision Avoidance, access procedure to the radio channel used under 802.11. CRC: Cyclic Redundancy Check, process for detecting bit errors. Data throughput: Speed at which you can surf on the Internet; depends on the bandwidth and the number of users. DHCP: Dynamic Host Configuration Protocol. DNS: Domain Name Service; computers communicate with computers in remote networks using IP addresses. DNS servers translate names into IP addresses; without DNS servers you would have to remember all IP addresses and couldn't work with names, e.g. www.hirschmann.com. Domain: Area of network closed to outside, see Intranet. Download: Download (downstream) denotes the direction of dataflow in a WAN. Downstream is the direction from the head end or Internet to the participant connected to the network. DS: Distribution System. DSL: Digital Subscriber Line; DSL procedures include all procedures for digital broadband use of telephone lines such as ADSL, HDSL, SDSL, VDSL and so on, which are also called xDSL. DSSS: Direct Sequence Spread Spectrum, code multi
352. f DHCP tracking is enabled on an interface, packets received on this interface from DHCP servers are automatically dropped. 3.6 Client mode. To connect individual devices with an Ethernet interface into a wireless LAN, BAT devices with a WLAN module can be switched to client mode, whereupon they act as conventional wireless LAN adapters and not as access points (AP). The use of client mode therefore allows devices fitted with only an Ethernet interface, such as PCs and printers, to be integrated into a wireless LAN. [Figure: WLAN device in client mode connected to a WLAN device in AP mode] Note: Multiple WLAN clients can register with a WLAN device in AP mode, which is not the case for a WLAN device in client mode. 3.6.1 Basic configuration. Setting the operating mode: BAT Wireless Routers can be operated in two different operating modes. As an access point it forms the link between WLAN clients and the cabled LAN. In client mode the device itself locates the connection to another access point and attempts to register with a wireless network. In this case the device serves to link a cabled network device to an access point over a wireless connection. Note: Some models can only operate in the WLAN client operating mode. Setting of the operating mode on these devices is thus redundant. Client mode is enabled in the LANconfig Wireless LAN configuration
353. f login failures; Lock configuration for (minutes); Configuration access ways: Here you can specify the access rights for each network and each supported configuration protocol separately. In addition you can limit access to the unit to certain stations (Access rights, Access stations)] Enter as call number within Device configuration a call number of your connection which is not used for other purposes. Enter alternatively the following instruction: "set setup config farconfig EAZ MSN 123456". Note: The ISDN administrative account is excluded, as the only configuration method, from the restrictions of network access methods described in the following, i.e. all incoming connections on the Admin MSN are not limited by the access restrictions of remote networks. Note: If you want to completely switch off the ISDN remote management, leave the field Admin MSN empty. Limit the network configuration access: The access to the internal functions can be controlled separately for accesses from the local or from remote networks, for all configuration services separately. The configuration access can generally be permitted or forbidden, a pure read access, or, if your model is equipped with VPN, can also be permitted only over VPN. [Screenshot: Configure Management, Admin tab: Device
354. failure [Screenshot: administrator entry dialog: Entry active; Lock configuration for (minutes); Access rights; Configuration access ways (Here you can specify the access rights for each network and each supported configuration protocol separately. In addition you can limit access to the unit to certain stations: Access rights, Access stations); Function rights: Basic Wizard, Security Wizard, Internet Wizard, RAS Wizard, LAN-LAN Wizard, Provider Selection, WLAN Linktest, Adjustment of Date and Time, Search of Further Devices in LAN; Cancel] Enter the following values: Name for the new administrator with password; Access rights; Function rights. Note: You can temporarily deactivate the entries without having to delete them completely with the button Entry active. 4.8 Managing administrators' rights. WEBconfig, Telnet or terminal program: Under WEBconfig, Telnet or a terminal program you will find the settings for the serial interface under the following paths:
Configuration tool | Menu/Table
WEBconfig | Expert configuration > Setup > Config > Admin table
Terminal/Telnet | Setup > Config > Admin table
The different user groups are represented by the following values:
Description | Rights
Supervisor | Supervisor, member of all groups
Admin RW | Local administrator with read and write access
355. figuration with WEBconfig or Telnet: Under WEBconfig or Telnet you can set the settings for the point-to-point connections under the following paths: WEBconfig: Expert configuration > Setup > Interfaces > WLAN Interfaces > Interpoint Settings. Terminal/Telnet: cd Setup Interfaces WLAN Interfaces Interpoint Settings. When configuring point-to-point connections, an alternative to the MAC addresses is to use the station names of the remote stations. First of all, the station name is entered into the point-to-point settings in the Wireless Routers or Access Points: LANconfig: Wireless LAN > General > Physical WLAN settings > Point-to-point; WEBconfig: Setup > Interfaces > WLAN interpoint settings. Note: For models with multiple WLAN modules, the station name can be entered separately for each physical WLAN interface. [Screenshot: Physical WLAN settings, WLAN interface 2, Point-to-Point tab: Point-to-Point operation mode] Point-to-Point operation mode: Off: This access point can only communicate with mobile stations. On: This access point can also communicate with other access points to connect several local wireless networks. Exclusive: This access point can only communicate with other access points; mobile stations cannot connect to this access point (pure WLAN bridge). S
356. fines all of the connections that arise from a central switch (root bridge). The BPDUs are sent regularly in the network in order to check the availability of the connections. If a connection fails, then the network analysis is triggered again; the possible paths and the corresponding priorities are redefined. After initialization, all ports are initially in the blocking state, in which only BPDUs are exchanged. The ports subsequently switch to the states of listening and then learning before reaching forwarding, which allows payload data to be exchanged via the ports. 11.17.1 Classic and rapid spanning tree. The early version of the spanning tree protocol compliant with IEEE 802.1D, here referred to as classic spanning tree, had the problem that changes to topology after a connection failure were implemented very slowly. Depending on the complexity of the network, the classic spanning tree takes between 20 seconds and a minute to establish new routes. For many network services, a failure of this length of time is unacceptable. The spanning tree protocol was improved and published as the Rapid Spanning Tree Protocol (RSTP), initially as the IEEE 802.1t/w standard and later as a part of the newly published IEEE 802.1D. Even though the classic spanning tree protocol was thus withdrawn, it continues to be supported by LCOS. 11.17
357. fines the validity of a range of user accounts. Once defined, the realm is a suffix to the user name, separated by an @ character, as follows: user@realm. The realm can be seen as a pointer to the RADIUS server where the user account is managed. The realm is removed from the string prior to the search of the RADIUS server's user table. Realms allow entire networks which are mutually trustworthy to work with common RADIUS servers located in partner networks and to authenticate users who move between these networks. The LCOS RADIUS server stores any connected RADIUS servers along with their associated realms in a forwarding table. The realm is searched for in this table in connection with the communicated user name. If no entry is found, the request is answered with an access reject. An empty realm is treated as a local request, i.e. the LCOS RADIUS server searches its own user tables and generates its response accordingly. To support the processing of realms, the LCOS RADIUS server uses two special realms: Default realm: This realm is used where a realm is communicated for which no specific forwarding server has been defined. Importantly, a corresponding entry for the default realm itself must be present in the forwarding table. Empty realm: This realm is used when no realm is communicated but the user name only. In the default state the for
358. five events that were triggered either by a Firewall rule, the DoS or the IDS system (with activated SNMP LANmonitor option).

[Screenshot: LANmonitor window showing a DSL line (connected, protocol PPP, network protocol TCP/IP, connection time 13 minutes and 32 seconds), two ISDN lines (not ready), and the Firewall Event Log with entries such as "Packet dropped, DoS protection, TCP packet from 127.0.0.1:80 to 80.146.80.98:1384" dated 1/26/2004 to 1/29/2004]

A new window with the complete logging table opens by clicking the right mouse button in the Firewall Event Log (context menu). All lists and tables described in this section can be found under the following menu options. Configuration tool / Run: WEBconfig: Expert Configuration > Status > IP Router Statistics; Terminal/Telnet: Status / IP Router Statistics. The Firewall table: If an event occurred that had to be logged in either way, i.e. a l
359. for the DSLoL interface.

[Dialog: DSLoL interface settings with the fields DSLoL interface enabled, Mode (auto), Downstream rate (kBit/s), Upstream rate (kBit/s), External overhead (byte), LAN interface (any), VLAN ID]

10.6 VLAN tags on layer 2/3 in the Ethernet

VLAN tags enable a simple form of QoS control even when using switches that cannot evaluate IP headers. The IEEE 802.1p standard defines a priority tag in the VLAN header with a length of 3 bits, which correspond to the first 3 bits of the DSCP field (Differentiated Services Code Point, DiffServ) and/or the precedence in the TOS field (Type of Service). The processing of VLAN-tagged packets requires that packets in the receive direction are regarded differently to packets in the send direction. Upon receipt of a tagged Ethernet packet, it may be processed in one of three ways: The VLAN tag is ignored. The VLAN tag is always copied to the DiffServ or TOS field. The VLAN tag is copied to the DiffServ or TOS field if this is not marked already, i.e. the precedence is 000. When a packet is transmitted over Ethernet, the VLAN tag can be set depending on the precedence. This should only happen if the recipient of the tag can understand it, i.e. tagged packets can be received. Tags are thus only set for packets which are sent to addresses from which the BAT already received tagged p
360. formance features described here are binding only if they have been expressly guaranteed in the contract. This publication has been created by Hirschmann Automation and Control GmbH according to the best of our knowledge. Hirschmann reserves the right to change the contents of this manual without prior notice. Hirschmann can give no guarantee in respect of the correctness or accuracy of the details in this publication. Hirschmann can accept no responsibility for damages resulting from the use of the network components or the associated operating software. In addition we refer to the conditions of use specified in the license contract. Printed in Germany, 30.6.2008. Hirschmann Automation and Control GmbH, Stuttgarter Straße 45-51, 72654 Neckartenzlingen, Tel. +49 1805 141538.

Contents
1 Preface 15
2 System design 19
2.1 Introduction 19
3 Wireless LAN (WLAN) 21
3.1 What is a Wireless LAN? 21
3.1.1 Standardized radio transmission by IEEE 21
3.1.2 Operation modes of Wireless LANs and base stations 25
3.2 Development of WLAN security 33
3.2.1 Some basic concepts 33
3.2.2 WEP 35
3.2.3 WEPplus 37
3.2.4 EAP and 802.1x 37
3.2.5 TKIP and WPA 40
3.2.6 AES and 802.11i 42
3.2.7 Summary 44
3.3 Protecting the wireless network 45
3.3.1 LEPS (BAT Enhanced Passphrase Security) 46
3.3.2 Standard WEP encryption 48
3.3.3 Background WLAN scanning 49
3.4 Configuration of WLAN parameters 52
3.4.1 WLAN security 53
3.4.2 General WLA
361. frame, Mail server, Masked connections, Maximum bandwidth (Mbit), Memory utilization, MIB2, MIC, Microsoft Network, Minimum bandwidth (Reception, Sending), MLPPPoE, Modem, Monitoring, MS-CHAP, MTU, Multi-SSID, Multilink PPP (MLPPP), Multi-PPPoE, Multithreading. N: N:N mapping (Central mapping, Configuration, Decentralized mapping, DNS forwarding, Firewall, Loopback address, NAT table, Network coupling via VPN, Routing table, VPN rule), NAT, NBNS server. Page numbers: 540 429 531 49 531 28 337 477 375 312 315 531 210 523 531 470 312 313 315 314 314 415 369 208 434 435 453 31 78 435 415 171 425 429 430 429 431 431 431 430 427 431 431 425 465 470

Index: Net data rate, NetBIOS, NetBIOS networks, NetBIOS proxy, Network Address Translation, Network coupling, Network management, Network names, NTBA, NTP clients (server), NTP server. O: OFDM, Outband, configuration via Outband, Overhead. P: Packet dump, Partial configuration, Passphrase Security, passwd, Password, Password protection, PEAP, Period of validity, Physical LAN, Physical sending direction, Physical WLAN interface, Ping, Ping blocking, ping command, Ping of Death, PKI, PMTU reduction, Point-to-Multipoint WLAN, Point-to-Point WLAN, Point-to-Point connection, Point-to-Point Tunneling. Page numbers: 23 226 473 2 210 237 466 317 531 473 282 4
362. from a server with the IP address 192.168.2.200 is loaded onto the device: LoadFirmware -s 192.168.2.200 -f LCOS-500/LC-1811-5.00.0019.upx. The following example shows how a script matching to the MAC address from a server with the IP address 192.168.2.200 is loaded onto the device: LoadScript -s 192.168.2.200 -f L%m.lcs. If the parameters -s and/or -f are not entered, the device uses standard values which are set under the directory Setup/Config/TFTP-Client (Config address, Config filename, Firmware address, Firmware filename). It is recommendable to use the standard values as long as the configuration and firmware update is continually saved under the same name and directory. Using this procedure, the current files can be loaded with the commands LoadConfig and LoadFirmware.

4.4.5 SNMP

The Simple Network Management Protocol (SNMP V.1 as specified in RFC 1157) allows monitoring and configuration of the devices on a network from a single central instance. There are a number of configuration and management programs that run via SNMP. Commercial examples are Tivoli, OpenView from Hewlett-Packard, SunNet Manager and CiscoWorks. In addition, numerous programs also exist as freeware and shareware. Your BAT can export a so-called device MIB file (Management Information Base) for use in SNMP programs. Configuration tool / Run: WEBconfig: Get Device SNMP MIB (in main menu); TFTP: tftp 10.0.0.1 get readmib file1
363. ftware for devices from Hirschmann is constantly being further developed. We have fitted the devices with a flash ROM which makes child's play of updating the operating software, so that you can enjoy the benefits of new features and functions. No need to change the EPROM, no need to open up the case: simply load the new release and you're away.

4.6.1 This is how Hirschmann FirmSafe works

Hirschmann FirmSafe makes the installation of the new software safe. The used firmware is not simply overwritten but saved additionally in the device as a second firmware. Therewith your device is protected against the results of a power blackout or a disconnection while installing the firmware. Of the two firmware versions saved in the device only one can ever be active. When loading a new firmware version, the active firmware version is not overwritten. You can decide which firmware will be activated after the upload: Immediate: The first option is to load the new firmware and activate it immediately. The following situations can result: The new firmware is loaded successfully and works as desired. Then all is well. The device no longer responds after loading the new firmware. If an error occurs during the upload, the device automatically reactivates the previous firmware version and reboots the device. Login: To avoid problems with faulty uploads, there is the second option, with which the firmware is uploaded and also immediately booted
364. g a mistake. The IEEE standard specifies that up to four different WEP keys can exist in one WLAN. The sender encodes the number of the WEP key used in the encrypted packet along with the initial vector, so that the receiver can use the appropriate key. The idea behind this was that old keys in a WLAN could gradually be exchanged for new keys, in that stations which had not yet received the new key could still use an old key during a transition period. One of the chief weaknesses of WEP is the length of the initial vector, which is far too short. As mentioned previously, the repetition of a key with RC4 presents a significant security loophole, which with a length of just 24 bits can occur within just a few hours depending on the data rate. Since particular portions of the encrypted data packets can quickly offer conclusive information about the key, an eavesdropper only needs to process a small amount of the data traffic with specialized sniffer tools in order to crack the key. These weaknesses unfortunately degraded WEP to an encryption scheme which at best could be used to protect a home network against accidental eavesdroppers.

3.2.3 WEPplus

As explained in the previous section, the use of weak IV values was the problem which weakened the WEP process most. A first quick shot to secure WLANs against this kind of program was the s
365. g depends on the Internet provider's product range. If available, the user has access to the sum of the bandwidths of all of the bundled channels. Multilink PPPoE can also be used for bundling PPP connections. Note: This version of channel bundling provides bandwidths that are a multiple of the smallest bundled channel. This means that it is especially efficient when channels are all of the same bandwidth. The direct bundling of different bandwidths means that the channels with the higher data rates suffer from a loss in effective bandwidth. When bundling, MLPPPoE for DSL channels behaves in the same way as the well-known MLPPP for ISDN channel bundling.

[Figure: one TCP connection divided between two DSL ports, via external ADSL modem]

Load balancing: Load balancing involves the dynamic division of TCP connections between independent DSL connections. The user has access to the sum of the bandwidths of the bundled channels, but the individual TCP connections are limited to the bandwidth offered by the DSL connection allocated to it.

[Figure: two TCP connections divided between two DSL ports]

Note: Unlike direct channel bundling, load balancing offers the true sum of all bundled bandwidths. This version is thus highly effective for combining different bandwidths.
366. ge. User-defined values can be set for the beginning and the end of the automatic daylight saving time change.

[Dialog: Daylight saving time changes, Edit Entry: Event (Begin), Day, Day of week (Sunday), Month (March), Hour (2), Minute (0), Time is in local standard time]

Configuration tool / Call: LANconfig: Date & time > General > Daylight saving time; WEBconfig/Telnet: Expert configuration > Setup > Time > DST clock changes. Index: First, second, third, fourth, last, second to last, third to last, fourth to last. The time change will take place on this recurring day of the month. Day of week: Monday to Sunday. The day on which the change will take place. Month: January to December. The month in which the change will take place. Hour: 0 to 23. The hour in which the change will take place. Minute: 0 to 59. The minute in which the change will take place. Time type: Local standard time or UTC. Defines the time zone the data refers to. Caution: In the last hour of daylight saving time or the first hour that follows in standard time, it is possible for time entries to be ambiguous. If the time is acquired via ISDN or set manually during this time, then it is always assumed that the time entry is in daylight saving time.

12.7 Scheduled Events

12.7.1 Regular Execution of Commands

This feature is inten
367. gement

4.8 Managing administrators' rights

[Table: Command / Supervisor / Local administrator / Remark, listing the commands unsetenv, delete/rm, readmib, WLA…, set with their permission marks]

All other commands such as cd, ls, trace etc. can be used by all users. The user must possess at least write access to be able to operate commands that cause changes to the system (e.g. do or time). Note: The commands listed above are not available in all LCOS versions or BAT models.

4.8.5 HTTP tunnel

In some cases it can be useful to enable temporary HTTP access to a station within a LAN. For example, if questions come up concerning network devices such as a BAT VP 100, the Support department is best able to assist with direct access to the device in the customer's LAN. The standard method for accessing LAN devices via inverse masquerading (port forwarding) sometimes requires a special configuration of the firewall: changes are made which, if they are not deleted again afterwards, can represent a security risk. As an alternative to permanent access, which is based on port forwarding, a temporary HTTP access can be set up that automatically closes again after certain periods of inactivity. To this end, a support staff member requiring access to a device in the customer's network, for example, creates an HTTP tunnel providing this access. Note: This access only applies to the IP address that was the source of the HTTP tunnel. Network access
368. ginal WPA standard specifies only TKIP/Michael as an improved encryption method. With the further development of the 802.11i standard, the AES-CCM method described below was added. In a WPA network it is now possible for some clients to communicate with the access point using TKIP while other clients use AES.

3.2.6 AES and 802.11i

In mid-2004 the IEEE approved the long-awaited 802.11i standard that places the entire security concept of WLAN on a new basis. As mentioned in the last section, WPA has already implemented a whole series of concepts from 802.11i, so in this section we will only describe the components which are new compared to WPA. AES: The most obvious extension is the introduction of a new encryption process, namely AES-CCM. As the name already hints, this encryption scheme is based on DES's successor AES, in contrast to WEP and TKIP, which are both based on RC4. Since only the newest generation of WLAN chips contain AES hardware, 802.11i continues to define TKIP, but with the opposite prerequisites: any 802.11i-compliant hardware must support AES, while TKIP is optional; in WPA that was exactly the other way around. The suffix CCM denotes the way in which AES is used in WLAN packets. The process is actually quite complicated, for which reason CCM is only sensibly implemented in hardware; software-based implementations are
369. > Stations; WEBconfig/Telnet: Expert configuration > Setup > WLAN > RADIUS access check. Note: To use the RADIUS functionality for WLAN clients, the option "Transfer data from the listed stations, authenticate all others via RADIUS or filter them out" must be selected for the Filter stations parameter. Server IP address: Specify here the IP address of your RADIUS server from which users are managed centrally. Server port (default 1812): Specify here the port used for communication to your RADIUS server. Key (shared secret): Specify here the key to be used for coding data. The key must also be configured on the RADIUS server. Backup server IP address: Specify here the IP address of your backup RADIUS server from which users are managed centrally. Backup server port (default 1812): Specify here the port used for communication to your backup RADIUS server. Backup key: Specify here the key to be used for coding data. The key must also be configured on the backup RADIUS server. Note: The generic values for retry and timeout must also be configured, see "Configuration of RADIUS as authenticator or NAS" (page 502). Dial-in using 802.1x and RADIUS: WLAN clients can use the 802.1x protocol for network registration. The BAT access point can use this protocol to forward the registration to the RADIUS server. The MAC address is used for user identifica
370. h RIP-2 packets. RIP accept from these networks: This option defines if RIP routes are to be learned in this network. Propagate to other networks: This option defines whether the associated network is to be propagated to other networks. Default routing tag: The standard routing tag for this interface. Routes with a routing tag set with the interface tag are propagated by the interface with the tag configured here. Routes that are received at the interface with the standard routing tag configured here are written to the RIP table with the interface's tag. Unmarked routes (tag 0) are not propagated over this interface unless the interface itself is marked with tag 0. Note: The default routing tag in the list of RIP networks is different to that in the WAN RIP list. In the WAN, all routes set with the standard tag 0 are propagated into the WAN with the tag configured there. In the LAN, on the other hand, routes with the interface tag are propagated with the tag set here. Similarly, routes with the tag configured here which are received at the interface are internally given the interface tag. Furthermore, if the interface tag is set, those routes set with the default tag 0 are not propagated. Routing tag list: Comma-separated list (max. 33 characters) of routing tags which are to be accepted at the interface. If the list is em
371. [Figure: system design diagram showing Switch, LAN, DSL, PPTP, VPN, DSLoL and DMZ interfaces around the IP router]

Notes regarding the respective modules and interfaces: > The IP router takes care of routing data on IP connections between the interfaces from LAN and WAN. With IP redirect, requests in the LAN are redirected to a specific computer. The firewall with the services Intrusion Detection, Denial of Service and Quality of Service encloses the IP router like a shield. All connections via the IP router automatically flow through the firewall as well. BAT devices provide either a separate LAN interface or an integrated switch with multiple LAN interfaces as interfaces to the LAN. BAT Router access points resp. BAT routers with wireless modules offer additionally one or, depending on the respective model, also two wireless interfaces for the connection of Wireless LANs. Depending on the model, every wireless interface can build up to eight different wireless networks (multi-SSID). A DMZ interface enables for some models a demilitarized zone (DMZ), which is also physically separated within the LAN bridge from other LAN interfaces. The LAN bridge provides a protocol filter that enables blocking of dedicated protocols on the LAN. Additionally, single LAN interfaces can be separated by the isolated
372. hardware compression or the use of QoS compliant with 802.11e. You also control the settings for the diversity behavior here. Logical WLAN networks: Each WLAN module can support up to eight logical WLAN networks for mobile WLAN clients to register with. The following parameters have to be set when configuring a logical WLAN network: The network name (SSID); Open or closed radio LAN; Encryption settings; MAC filter; Client bridge operation; Filter settings. Point-to-point settings: The configuration of P2P connections involves setting not only the operating mode but also the station name that the Access Point can connect to. Also the role as Master or Slave is set here. Along with the settings for the Access Point itself, also to be defined is the remote site that the Access Point can contact via the P2P connection. For further information please refer to section "Point-to-point connections".

5.4 Group configuration with LANconfig

When managing multiple devices it can be very helpful to upload a selection of configuration parameters into a group of devices at once, as opposed to setting each and every parameter manually in the individual devices (e.g. with identical client rights in WLAN access points). Importing complete configuration files is not a viable alternative, since device-specific parameters such as the IP address are uploaded as well. Group configuration with LANconfig enables the easy import of partial configur
373. he time at 0 and the retries at 0.

11.10.3 Assignment of IP addresses via PPP

In order to connect computers using TCP/IP as the network protocol, all participating computers require a valid and unique IP address. If a remote station does not have its own IP address (such as the individual workstation of a telecomputer), the BAT assigns it an IP address for the duration of the connection, enabling communications to take place. This type of address assignment is carried out during PPP negotiation and implemented only for connections via WAN. In contrast, the assignment of addresses via DHCP is normally used within a local network. Note: Assignment of an IP address will only be possible if the BAT can identify the remote station by its call number or name when the call arrives, i.e. the authentication process has been successful. Examples: Remote access: Address assignment is made possible by a special entry in the IP routing table. 255.255.255.255 is specified as the network mask, as the IP address to be assigned to the remote site, in the Router name field. In this case the router name is the name with which the remote site must identify itself to the BAT. In addition to the IP address, the addresses of the DNS and NBNS servers (Domain Name Server and NetBIOS Name Server), including the backup server, from the entries in the TCP/IP module are transmitted to the remote station during this configuration. So that everything functi
374. he LAN is supposed to be available for stations on the internet (e.g. an FTP server), the IP address of the FTP server is not visible either. A connection to this FTP server from the internet is not possible. To enable the access to such a server (exposed host) in the LAN, the IP address of the FTP server must be entered with all services that are also supposed to be available from outside the LAN. If a computer sends a packet from the Internet to, for example, an FTP server on the LAN, from the point of view of this computer the router appears to be the FTP server. The router reads the IP address of the FTP server in the LAN from the entry in the service table. The packet is forwarded to this computer. All packets that come from the FTP server in the LAN (answers from the server) are hidden behind the IP address of the router.

[Figure: packet from Source 80.123.123.123 to Target 80.146.74.146, Port 21]

The only small difference is that: Access to a service port in the intranet from outside must be defined in advance by specifying a port number. The destination port is specified with the intranet address of, for example, the FTP server in a service table to achieve this. > When accessing the Internet from the LAN, on the other hand, the router itself makes the entry in the port and IP address information table. Note: The table concerned can hold up to 2
375. he advantage of using soft retries at the expense of hard retries is that the rate adaption algorithm immediately begins the next series of hard retries with a lower data rate. Default: 0.

3.5 Extended WLAN protocol filters

With the protocol filter you can influence the handling of certain protocols during transfer from the WLAN to the LAN. The use of appropriate rules allows the definition of which data packets should be inspected, interfaces for which the filter applies, and which action should be performed on the data packets. Configuration: Follow the paths below for protocol filter configuration parameters. LANconfig: WLAN security > Protocols; WEBconfig: Expert configuration > Setup > LAN Bridge > Protocol table; Terminal/Telnet: cd Setup/LAN Bridge/Protocol table.

[Dialog: Configure WLAN Security, tab Protocols (beside General, Stations, WEP, IEEE 802.1x). Filter protocols: The protocol filters can be used to control the transfer, drop or redirect of specific protocols between LAN, wireless LAN and Point-to-Point links. Example entry: Name HTTP, Protocol 0800, Subtype 6, First port 80, Interface list wlan 1 2, Action: Drop packets / Pass packets / Redirect packets to the following IP address]
376. he client EAP method, also be sure to observe the corresponding setting for the WLAN client operation mode. The client EAP method setting has no function on logical WLAN networks other than WLAN 1. Indoor function for WLAN channels: When selecting the frequency band (2.4 or 5 GHz), among other things you must determine the channels which may possibly be used for transmission. From these possible channels, under automatic channel selection a Wireless Router selects a free channel, for example in order to avoid interference with other radio signals. In some countries there are special regulations on the frequency bands and channels which may be used for WLAN for indoor and outdoor operation. For example, in France not all available channels in the 2.4 GHz band may be used in outdoor operation. In some countries the DFS procedure is required for outdoor operation in the 5 GHz band in order to avoid interference from radar systems. With the option "indoor only", a BAT Wireless Router can be restricted exclusively to operation in closed buildings. This restriction, on the other hand, allows the channels to be managed more flexibly under automatic channel selection.

[Dialog: Configure WLAN Interfaces, tabs General, Security, Stations, 802.11i/WEP, IEEE 802.1x. General: common settings for all wireless LAN interfaces: Country (Unknown), ARP handling, Broken LAN link detection disables WLAN in…]
377. he configured MAC address. For the second connection, a locally managed unambiguous MAC address will be calculated from the user-defined MAC address. When using channel bundling, the configured MAC address is used for the first connection; for all other bundle connections the locally managed MAC addresses based on the user-defined MAC address will be calculated. If one of your connections is charged via the MAC address, configure this MAC address for the separately charged connection only. For all other connections you should use another address.

11.8.2 Direct DSL channel bundling

For the bundling of DSL connections, the DSL ports to be used are entered into the DSL Broadband Peers list. Only the number of DSL ports is entered, separated by commas if multiple ports are used (1, 2, 4) or as a range (1-4). All that is required for PPPoE bundling is to activate bundling in the relevant layer and to use the port list to assign the relevant ports.

11.8.3 Dynamic load balancing

If the Internet provider does not directly support bundling, then multiple normal DSL connections can be coupled with a load balancer. First of all, the DSL accesses are set up for the necessary DSL ports. These are then coupled with a load balancing table. This list assigns a virtual balancing connection (the connection that is entered into the routing table) to the other real
378. he router take from received IP RIP packets? When the router receives such IP RIP packets, it incorporates them in its dynamic routing table, which looks something like this:

IP address      IP netmask       Time  Distance  Router
192.168.120.0   255.255.255.0    1     2         192.168.110.1
192.168.130.0   255.255.255.0    5     3         192.168.110.2
192.168.140.0   255.255.255.0    1     5         192.168.110.3

What do the entries mean? IP address and network mask identify the destination network, the distance shows the number of routers between the transmitter and receiver, and the last column shows which router has revealed this route. This leaves the Time. The dynamic table thus shows how old the relevant route is. The value in this column acts as a multiplier for the intervals at which the RIP packets arrive. A 1 therefore stands for 30 seconds, a 5 for about 2.5 minutes, and so on. New information arriving about a route is of course designated as directly reachable and is given the time setting 1. The value in this column is automatically incremented when the corresponding amount of time has elapsed. The distance is set to 16 after 3.5 minutes (route not reachable), and the route is deleted after 5.5 minutes. Now if the router receives an IP RIP packet, it must decide whether or not to incorporate the route contained into its dynamic table. This is done as follows: The route is incorporated if it is not yet listed in the table (as long as there is enough space
379. hernet 10 MBit: 100 / 2000000; Ethernet 100 MBit: 19 / 200000; Ethernet 1000 MBit: 4 / 200000; WLAN 2 MBit: 500 / 12500000; WLAN 11 MBit: 140 / 4000000; WLAN 54 MBit: 35 / 900000; WLAN 108 MBit: 25 / 450000. Note: If path costs for a port were manually entered, then the configured value appears in this column. Information in the RSTP port statistics: The RSTP port table can be used to inspect the following values for all available ports (LAN, wireless LAN, point-to-point connections): Role: Root or Non-root bridge. Learning: Port in learning state. Forwarding: Port in forwarding state. Edge port: Port defined as an edge port. Protocol version: Classic or Rapid. Costs: Setting for this port's cost.

12 More services

A BAT offers a number of services for the PCs in the LAN. These are central functions that can be used by workstation computers. They are in particular: Automatic address administration with DHCP; Name management of computers and networks with DNS; Logging of network traffic with SYSLOG; Recording of charges; Office communications functions with LANCAPI; Time server.

12.1 Automatic IP address administrati
380. his parameter controls the priority of paths with equal value. The value set here is used to make the selection instead of the computed path costs. Particular values: 0 switches path cost override off. Default: 0.

11.17.4 Status reports via the Spanning Tree Protocol

The current STP values can be viewed via Telnet in the LAN Bridge Status. Configuration tool / Call: WEBconfig/Telnet: Expert Configuration > Status > LAN Bridge > Spanning Tree. General status information: Bridge ID: This is the ID for the device that is being used by the Spanning Tree algorithm. It is composed of the user-defined priority (upper 16 bits) and the device MAC address (lower 48 bits). Root Bridge: The ID for the device that is currently elected root bridge. Root Port: The port that can be used to reach the root bridge from this device. If the device itself is the root bridge, it is displayed with the special value 255. Root Path Cost: The path costs of all hops added together in order to reach the root bridge from this device. Protocol version: The protocol version currently set for determining network topology. Path Cost Computation: The protocol version currently set for computing path cost. Bridge Priority: Current setting for bridge priority. Information in the port table: The port table can be used to inspect the following
381. ...hows basic system information.
- testmail: Sends an e-mail (parameters: see testmail).
- time: Set time (DD.MM.YYYY hh:mm:ss).
- trace: Configures the trace output system for several modules (see How to start a trace, page 225).
- who: List active sessions.
- writeconfig: Accept a new configuration in readconfig syntax. All subsequent lines are interpreted as configuration values until two blank lines in a row are encountered.
- writeflash: Load new firmware via TFTP.
- !: Repeat previous command.
- !<num>: Repeat command <num>.
- !<prefix>: Repeat last command beginning with <prefix>.
- <blank>: Comment.
PATH: Qualifier for a menu or parameter, separated by "/" or "\"; ".." stands for the upper level, "." stands for the current level.
VALUE: Possible input.
NAME: "" stands for an empty input; otherwise a sequence of _0-9A-Z; the first character must not be numeric; case does not matter.
All commands and directory item names may be abbreviated as long as no ambiguity exists. For example, it is valid to shorten the sysinfo command to sys, or "cd Management" to "c ma". Not allowed would be "cd s", since that could mean either "cd Setup" or "cd Status". Names with blanks in them must be enclosed in double quotes. Additionally there is a command-specific help function available by calling functions with a question mark as the argument, i.e. entering "ping ?" displays the options for the built-in p
382. ...hts are required.
Command / Description:
- beginscript: Begins script mode. In this state, subsequently entered commands are not transmitted directly into the configuration RAM of the BAT but into the script memory of the device (BAT Scripting, page 181).
- cd <path>: Change the current directory. Certain abbreviations exist, e.g. "cd ../.." can be abbreviated to "cd ...", etc.
- del <name>: Delete the table entry with the index <name>.
- default [-r] <path>: Resets single parameters, tables or whole indexes. If PATH points to the directory of an index, the option -r (recursive) must be entered.
- dir <path>, list <path>, ls <path>, ll <path>: Display the contents of a directory. The detached parameter -a additionally shows the SNMP ID alongside the contents of the request. The output then begins with the SNMP ID of the device, followed by the SNMP ID of the present menu; in front of the single entries you find the SNMP IDs of the subitems.
- do <path> [<parameters>]: Execute the action <path> in the current directory. Additional parameters can be entered.
- echo <ARG>: Display argument on the console.
- exit, quit, x: Close the console session.
- feature <code>: Unlock the feature with the specified feature code.
- flash Yes/No: The changes
383. [Telnet logging table excerpt, residue of the previous figure: entries for ports 520 (router), 68 (bootp) and 137 (netbios), each with action "Immediately" and filter rule "intruder detection".]
If you call up the logging table via WEBconfig, it looks like the following depiction: Expert Configuration > Status > IP router statistics > Log table.
[WEBconfig log table figure: columns Idx, System time, Src address, Dst address, Prot, Src port, Dst port, Filter rule, Limit, Threshold; example entries dated 1/29/2004 and 1/28/2004 with filter rules "intruder detection" and "DoS protection".]
The table contains the following values:
384. ...ifier of variables that are referenced during the execution of actions. Identifiers are not required for fields that are not used by users to enter their data (e.g. label). Possible values: maximum 64 alphanumerical characters. Default: blank.
Title: Name of the variable as displayed by the Rollout Wizard in WEBconfig. Possible values: maximum 64 alphanumerical characters. Default: blank.
Type: Type of the variable as handled by the Rollout Wizard in WEBconfig. Possible values: Label, Integer, String, Password, Checkmark.
- Label: Text that is displayed to provide explanations of the other variables. Min Value and Max Value are of no further significance for these entries.
- Integer: Allows the entry of a positive integer number between 0 and 2^32 - 1. By entering the Min Value and Max Value, the range of entries can be limited. Also a default value can be defined; this default value must be between the Min and Max Values.
- String: Enables text to be entered. By entering the Min Value and Max Value, the length of the string can be limited. Also a default value can be defined; this default text must be shorter than the maximum length, otherwise it will be truncated.
- Password: Text that is not displayed while being entered. Entering a password has to be repeated. The Rollout Wizard will execute no actions if the passwords do not agree.
- Checkmark: Simple option that
385. [HyperTerminal screenshot: Xmodem upload, connected, autodetect, 115200 8-N-1.]
The device now expects a firmware upload. To initiate this in HyperTerminal, click on Transfer > Send file and select X-Modem as the transfer protocol.
Note: Uploading the firmware in this way completely deletes the configuration, which is returned to its ex-factory settings. Consequently this option should only be used if the configuration password is no longer available.
4.7 How to reset the device
If you have to configure the device regardless of possible existing settings, or if a connection to the device configuration failed, you can put the device back into the factory default state with a Reset. To do so, push the Reset button until the device LEDs light up (approx. 5 seconds). The Reset switch is, according to the model type, on the front or rear panel. [Figure: Config/COM, Reset, Antenna Main]
Note: After applying the reset, the device will start fresh with factory defaults. All settings will be lost. Therefore you should save the current configuration, if possible, before the reset.
Note: Please notice that also the WLAN encryption settings of the device will get lost in case of a reset, and the standard WEP key comes int
386. ...ights. Enter the name or IP address of the device that is to be temporarily available via HTTP.
[Dialog "Create TCP/HTTP Tunnel": Enter the host name resp. IP address and TCP port of the device you want to reach, then click on Create to create the tunnel connection. Host Name/IP address: 192.168.1.1; TCP Port; Routing Tag: 0; Create.]
Select a port for the HTTP tunnel and, if applicable, enter the routing tag of the IP network in which the device is located, and confirm your entries with Create. The dialog that follows displays a confirmation of the newly created tunnel and provides a link to the device.
[Dialog "Tunnel Creation Succeeded": The tunnel was successfully created. Click here to access the device. The tunnel will be removed automatically if not used for 1410065407 seconds.]
Deleting the tunnel prematurely: The newly created HTTP tunnel is deleted automatically if the tunnel remains inactive for the duration of the tunnel idle timeout. To delete the tunnel earlier, click on Expert Configuration > Status > TCP-IP > HTTP to access the list of active tunnels and delete the one you no longer require.
Note: Although active TCP connections in this tunnel are not terminated immediately, no new connections can be established.
4.9 Named loopback addresses
A BAT Rou
387. [ICMP trace screenshot, residue: echo request/reply exchanges on 2008-03-08 00:25 via WAN LCS between 10.1.1.11 (ID 1671, Seq 0) and 10.1.1.9 (ID 312, Seq 29740).]
5.8 Visualization of larger WLANs
With BAT WLANmonitor you can centrally monitor the status of a wireless network (WLAN). It presents information about the entire network in general and detailed information about individual access points and logged-in clients. WLANmonitor can also collect access points into groups. These groups may consist of access points gathered in buildings, departments or at particular locations. In particular with large WLAN infrastructures this helps to keep an overview of the entire network.
5.8.1 Start the WLANmonitor
WLANmonitor is a component of LANmonitor. Start WLANmonitor from LANmonitor using the menu item Tools > WLANmonitor, by using the corresponding button in the LANmonitor button bar, or directly with Start > Programme > Hirschmann > BAT > Hirschmann WLANmonitor.
[WLANmonitor window screenshot: menu File, Device, View, Tools, Help.]
388. ...igital Subscriber Line technologies.
XOR: Logical operation "exclusive OR".
14 Index
Numerics: 1:1 mapping; 802.11i (PMK caching, VoIP); 802.11x (Rekeying).
A: AAL-5; Access Control List; Access point; Access points; Access protection via TCP/IP; Access router; Address administration (see IP address administration); Address pool; Administrator's access; ADSL; AES; AES-CCM; Antenna gain; Antenna power; AT commands; ATM; ATM adaptation layer; Authentication; Authentication process (TLS, TTLS); Authentication with EAP/802.1X in client mode; Auto reconnect.
B: Background scanning; Bandwidth; Blowfish; Bonk; Bridge; Broadband; Broadcast; Brute force; BSS.
C: Callback (according to RFC 1570, for Microsoft CBCP); Callback procedure (fast callback); Capability; CAPI; CCK; Chaining; Client; Client mode; Collision domain; Command line interface; Command line reference; Computer names; Configuration procedure (SNMP); Configuration files; Configuration interface; Configuration updates; CRC; CRON service; CSMA/CA.
D: D channel; Data throughput; Denial of Service Attacks (Bonk, Fragrouter, LAND).
389. ...igure > Firewall > General > Ping blocking.
- No entry in polling table and keep-alive configured: The holding time of the VPN tunnel under Configure > VPN > Connection list > Names is set to short hold 9999 sec. However, the required ICMP polling is missing. Please add it under Configure > Communication > Remote Sites > Polling Table. As remote site enter the VPN remote device; for the IP address enter an IP address from the LAN at the remote site.
- Dynamic VPN: predefined charge limit exceeded (x): The fee limit under Configure > Costs > Fees > Limit ISDN was reached. Please reboot the device.
(Table columns: Message, Initiator, Responder, Description.)
- Dynamic VPN: preset time limit exceeded (x): The time limit under Configure > Costs > Time limit ISDN was reached. Please reboot the device.
- Dynamic VPN: no ISDN call number for negotiator channel (x): The ISDN call number for the remote device for dynamic VPN is missing. Please enter the call number under Configure > Communication > Remote sites > Name list (ISDN) > Name.
- Dynamic VPN: Multiple connections on ISDN interface for negotiator channel not allowed: While establishing multiple ISDN connections, a limit was reached. Please check under Configure >
390. ...
4.4.6 Encrypted configuration with SSH access
In addition to the option to configure a BAT with Telnet or a terminal program, LCOS version 4.00 and later provides an additional option of access via SSH. With a suitable SSH client such as PuTTY you can set up an encrypted connection to the device and thus prevent the data being transferred during configuration from being intercepted within the network.
Start PuTTY, for example, and enter the BAT device's IP address as the host name. Use the command prompt that follows to log in by entering your user data.
[PuTTY Configuration dialog: Host Name (or IP address) 192.168.2.100, Port 22, Protocol SSH; saved session VPN_NHAMEL.]
Alternatively you can use LANconfig under Tools > Options > Extras to enter your SSH client as an external program, then start the SSH access with a right mouse click on the device and open WEBconfig/Console session > Open SSH session.
391. ...
5.2 Project management with LANconfig
Configuring the behavior of LANconfig at startup: The following parameters are used to configure the startup behavior of LANconfig.
[LANconfig Options dialog, tabs General / Startup / Communication / Extras: Set up new devices (launch Setup Wizard when a new unconfigured device is found); External programs (Telnet client telnet.exe, SSH client); Automatic retry (attempts, time interval in minutes); Application: Windows startup (start LANconfig never / always / like before); Dialog language.]
Configuration tool / Call: LANconfig: Options > Extras.
Application / Windows system startup:
- Start LANconfig never: LANconfig does not start automatically with the operating system and has to be started manually.
- Start LANconfig always: LANconfig always starts automatically after Windows starts successfully.
- Start LANconfig like last time: LANconfig starts in the same status as when Windows was shut down the last time. If LANconfig was active, then it will be started again; if inactive, LANconfig will not be automatically restarted.
Note: When changing to a setting that enables LANconfig to be started automatically, a change is made to the operating system's registry. Personal firewalls on the computer or the operating system
392. ...il address of the administrator the rule-defined messages will be sent. [Field: Administrator email: admin@company.de]
Under WEBconfig or Telnet you can find the administrator email address as follows: WEBconfig: Expert Configuration > Setup > IP-Router > Firewall; Terminal/Telnet: Setup/IP-Router/Firewall.
To send an email, the required settings must be entered under LANconfig in the configuration area Log & Trace under the tab SMTP Account.
[LANconfig dialog Log & Trace > SMTP Account: "With the Simple Mail Transfer Protocol (SMTP) your device can inform you about specific events, e.g. Denial of Service attacks." General settings (the server to which the device will post email messages): SMTP Server smpt.provider.com, SMTP Port 25, Sender Email address admin@company.com. Authentication (SMTP account data): User name 12345678, Password.]
Under WEBconfig or Telnet the SMTP settings can be reached as follows: WEBconfig: Expert Configuration > Setup > SMTP; Terminal/Telnet: Setup/SMTP.
Notification by SNMP trap: If dispatching SNMP traps was activated as the notification method (see also SNMP, page 138), then the first line of the logging table is sent as enterprise-specific trap 26. This trap contains
393. ...ill take place. Only relevant if the interval is monthly.
- Day of week: The weekday on which caching will take place. Only relevant if the interval is weekly.
- Hour: The hour in which caching will take place (0 to 23).
- Minute: The minute in which caching will take place (0 to 59).
12.5 The SYSLOG module
The SYSLOG module gives the option of recording accesses to the BAT. This function is of particular interest to system administrators because it allows a full history of all activities to be kept. To be able to receive the SYSLOG messages, you will need an appropriate SYSLOG client or daemon. In UNIX/Linux the SYSLOG daemon, which is installed by default, generally does the recording. It reports either directly through the console or writes the protocol to a SYSLOG file. In Linux the file /etc/syslog.conf directs which facilities (this expression will be explained later) should be written to which log file. Check in the configuration of the daemon whether network connections are explicitly monitored. Windows does not have any corresponding system functions; you will need special software that fulfills the function of a SYSLOG daemon.
12.5.1 Setting up the SYSLOG module
Configuration tool / Run / Table: LANconfig: Management > Log & Trace; WEBconfig: Expert Configuration > Setup > SYSLOG; Terminal/Telnet: cd /setup/SYSLOG.
12.5.2 Exam
394. ...imple notion that the weak IV values are known and that they could simply be skipped during encryption. Since the IV used is, after all, transmitted in the packet, this procedure would be completely compatible with WLAN cards which didn't understand this extension, dubbed WEPplus. A true improvement in security would naturally only result once all partners in the WLAN were using this method. In a network equipped with WEPplus, a potential attacker again has the chore of listening to the entire data traffic waiting for IV repetitions; simply waiting for the few packets with weak IVs is no longer an option. This raises the bar for an attacker once again. Objectively speaking, WEPplus is a slight improvement: it is suitable for home use, provided that the key is reconfigured often enough. For use in a professional environment, however, this is not sufficient.
3.2.4 EAP and 802.1x
Obviously an add-on like WEPplus can't eliminate the basic problem of too-short IVs without changing the format of packets on the WLAN, thus rendering all existing WLAN cards incompatible. There is, however, a possibility of solving several of our problems with one central change: no longer use the formerly fixed WEP key, but negotiate keys dynamically instead. As the process to be used for this purpose, the Extensible Authentication Protocol has emerged. As the name suggests, the original purpose of EAP is authentication, that is, the regulated access to a
395. ...ing the switch. The data transmission over the switch of the devices only takes place on the port the target computer is attached to. Therefore the connections on the other ports are not visible.
For monitoring data traffic between ports, the ports must be set to monitor mode. In this state all data is issued that is transmitted over the switch of the devices between stations of the LAN and WAN.
LANconfig: For the configuration with LANconfig, open the Ethernet switch settings in the configuration area Interfaces on the register LAN with the button Ethernet Ports.
[Ethernet Ports dialog (German screenshot): Interface; Verwendung (usage); Übertragungsart (transmission mode) / MDI Mode; Datenübertragung unterbinden (block data transmission); Private Mode.]
WEBconfig, Telnet or terminal program: Under WEBconfig or Telnet resp. a terminal program you can find the Ethernet switch settings in the following directories: Configuration tool / Directory/Table: WEBconfig: Expert Configuration > Setup > Interfaces > Ethernet Ports; Terminal/Telnet: Setup/Interfaces/Ethernet Ports.
6.5 Cable testing
A cabling defect might have occurred if no data is transmitted over a LAN or WAN connection although the configuration of the devices does not show any discernible errors.
396. ...ings button on the WAN tab.
[LANconfig dialog Interfaces > WAN: WAN settings ("This is where you can make further settings for each WAN interface"); Interface settings: DSL interface On; ISDN S0 bus; serial interface: Operating Off / only outband, Data rate 115200 bit/s, Request modem ID.]
Configuration with WEBconfig or Telnet: Under WEBconfig or Telnet you will find the settings for the serial interface under the following paths: Configuration tool / Menu/Table: WEBconfig: Expert Configuration > Setup > Interfaces > V24-Interface; Terminal/Telnet: Setup/Interfaces/V24-Interface.
Note: As long as the BAT is set to modem mode, a terminal program operating over the serial interface will display the AT commands that the BAT device transmits while attempting to identify a connected modem. In the terminal program, press the return key repeatedly until the modem identification is interrupted, and start the configuration session.
11.14.5 Configuration of modem parameters
The operation of a modem at the serial interface requires the following settings:
- Request modem ID: Default: ATI6.
- Reset comman
397. ...int connections. IEEE 802.11i can be used to attain a significant increase in the security of WLAN point-to-point connections. All of the advantages of 802.11i, such as the simple configuration and the powerful encryption with AES, are thus available for P2P mode, as is the improved security of the passphrase from the BAT Enhanced Passphrase Security (LEPS).
Encryption with 802.11i/WPA: To activate the 802.11i encryption for a correctly configured P2P connection, adjust the settings for the first logical WLAN network in the appropriate WLAN interface (i.e. WLAN-1 if you are using the first WLAN card for the P2P connection, WLAN-2 if you are using the second card, e.g. as with an access point with two WLAN modules):
- Activate the 802.11i encryption.
- Select the method 802.11i (WPA)-PSK.
- Enter the passphrase to be used.
Note: The passphrases should consist of a random string at least 22 characters long, corresponding to a cryptographic strength of 128 bits.
When set as P2P Master, the passphrase entered here will be used to check the Slave's authorization to access. When set as P2P Slave, the access point transfers this information to register with the remote site.
Configuration with LANconfig: For configuration with LANconfig you will find the encryption settings under the configuration area Wireless LAN on the 802.1
398. ...intention of a station in the LAN to establish a connection to a mail server. As a result, the needed port will be opened for a short time (20 seconds) solely for the authentication inquiry. This behavior of the Firewall in TCP Stealth mode can be suppressed specifically with the parameter "Always mask authentication port too".
Note: The activation of the option "Mask authentication port" can lead to considerable delays for the dispatch and receipt of e.g. emails or news. A mail or news server which requests additional information from the user with the help of this service first runs into a disturbing timeout before it begins to deliver the mails. This service thus needs its own switch to hide and/or to hold it accordingly. The problem, however, is that a setting which hides all ports but rejects the ident port is unreasonable alone by the fact that rejecting the ident port would make the BAT visible.
The BAT now offers the possibility to reject ident inquiries only from mail and news servers and to discard those of all other PCs. For this, the ident inquiries of the respective servers are rejected for a short time (20 seconds) when a mail server (SMTP, POP3, IMAP2) or a news server (NNTP) is called up. When the timeout is exceeded, the port will be hidden again.
8.3.4 Parameters of Firewall rules
In this section we describe th
399. ...ion. The scripting function can store the entire configuration in RAM only, so that restarting the device will cause the configuration to be deleted. The configuration is not written to the non-volatile flash memory. A loss of power because the device has been relocated will cause the entire configuration to be deleted (Scripting, page 181).
8 Firewall
For most companies and many private users, work without the Internet is no longer conceivable. E-mail and web are indispensable for communication and information search. But each connection of the workstations from your own local network to the Internet represents a potential danger: unauthorized users can try to see your data via this Internet connection, to modify it, or to manipulate your PCs. Therefore this chapter covers an important topic: the firewall as a defensive measure against unauthorized access. Besides a brief introduction to the topic of Internet security, we show you which protection a BAT is able to offer you by correct configuration, and how to make the needed specific settings.
8.1 Threat analysis
To plan and realize suitable measures to guarantee security, it is advisable to know first all possible sources of danger. Which imminent dangers exist for your own LAN resp. your own data? Which are the ways int
400. ...ion is executed, an entry in a block list is made by which all packets which are sent to the respective computer and port get rejected. For the close-port object, a timeout can be given in seconds, minutes or hours, which is inserted directly behind the object ID. This time value is composed of the designator of the time unit (h, m, s for hour, minute and second) and the actual time. Thus e.g. %pm10 closes a port for 10 minutes. If no time unit is provided, then implicitly minutes apply, and thus %p10 is equivalent to %pm10.
If the Deny host action is executed, then the sender of the packet is registered in a block list. Starting from this moment, all packets received from the blocked sender will be rejected. Also the Deny host object can be provided with a timeout, which is formed similarly to the close-port option.
If you want, e.g., to limit the permissible data rate for a connection to 8 kbps, to lock out the aggressor committing a flooding attempt, and furthermore to send at the same time an email to the administrator, then the description of the object for the action reads as follows:
[Expert Configuration > Setup > IP-router module > Firewall > Object table: Name CLOSE_ON_FLOODING, Description %a@lcds8 %d@lgbs100 %h10 %m]
This description permits traffic (%a) at the beginning. A simple %a at the beginning of the description is equivalent to %a@lp0: accept if the limit was exceeded on zero packets, i.e.
401. ...ion of workstations it may be necessary to use a different broadcast address. In this case the broadcast address is entered into the DHCP module.
Note: We recommend that only experienced network specialists change the presetting for the broadcast address. Errors in the configuration here can lead to costly connections being established. Default: 0.0.0.0 (broadcast address is determined automatically).
Standard gateway: As standard, the BAT Router issues its own IP address as the gateway address to computers making requests. If necessary, the IP address of another gateway can be entered here. Default: 0.0.0.0 (the IP address of the BAT Router in this network is taken as the gateway).
Name server addresses: The addresses for the name servers for this network are defined here.
- DNS default: IP address of the DNS name server for the forwarding of DNS requests. Default: 0.0.0.0 (the IP address of the BAT Router in this network is communicated as the DNS server if the DNS server is activated for this network; if the DNS server is not active for this network, then the IP address in the global TCP/IP settings is communicated as the DNS server).
- DNS backup: IP address of the backup DNS name server for the forwarding of DNS requests in the event that the first name server should fail. Default: 0.0.0.0 (the IP address from the global TCP/IP setti
402. ...ion password. You record the traces by clicking on Transmit > Capture text. Enter the path of the directory where the text file is to be saved. Now change back to the dialog window and enter the required trace command. To stop the trace, click on the HyperTerminal menus Transmit > Stop text capture.
6.2 SYSLOG storage in the device
SYSLOG protocols the activities of a BAT device. To extend the output of the SYSLOG information over an appropriate SYSLOG client, the 100 most recent SYSLOG messages are stored in the device's RAM. This means that the SYSLOG messages can be viewed directly on the device to help with diagnosis.
6.2.1 Activate SYSLOG module
The SYSLOG module must first be activated for the protocol to be recorded. Additionally, an appropriate SYSLOG client must be configured (Configuring the SYSLOG client, page 230).
LANconfig: For configuration with LANconfig you will find the SYSLOG module under the configuration area Log & Trace on the SYSLOG tab.
[LANconfig dialog Log & Trace > SYSLOG: System Event Logging ("Send information about system events to the SYSLOG clients in the following list"); SYSLOG clients; Facility mapping.]
WEBconfig, Telnet or terminal program: Under WEBconfig, Telnet or a terminal program you will find the SYSLOG module under th
403. ...ipher Algorithm With Explicit IV
- 2406: IP Encapsulating Security Payload (ESP)
- 2407: The Internet IP Security Domain of Interpretation for ISAKMP
- 2408: Internet Security Association and Key Management Protocol (ISAKMP)
- 2409: The Internet Key Exchange (IKE)
- 2410: The NULL Encryption Algorithm and Its Use With IPsec
- 2412: The OAKLEY Key Determination Protocol
- 2451: The ESP CBC-Mode Cipher Algorithms
- 2516: A Method for Transmitting PPP Over Ethernet (PPPoE)
- 2684: Multiprotocol Encapsulation over ATM Adaptation Layer 5
- 3280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
13.5 Glossary
- 802.11: Wireless LAN specification of the IEEE; data rate up to 2 Mbps in the 2.4 GHz ISM band; FHSS and DSSS; infrared spectrum communications also planned.
- 802.11a: Extension to 802.11; data rate up to 54 Mbit/s in the 5 GHz band; OFDM.
- 802.11b: Extension to 802.11; data rate up to 11 Mbit/s in the 2.4 GHz band; high market penetration; DSSS, CCK.
- 802.11g: Extension to 802.11; data rate up to 54 Mbit/s in the 2.4 GHz band; OFDM and DSSS.
- 802.11h: 802.11a customization; data rate up to 54 Mbit/s in the 5 GHz band; in the area of transmission power and frequency management for use in Europe; OFDM.
- 802.11i: Future 802.11 extension with additional security features.
- 802.1x: Specification of a port-based authentication mechanism from the IEEE.
- AES
404. ...is enabled, user data reported by clients is checked exclusively by the RADIUS server. In order to use the return call control from RADIUS, a user must be set up on the RADIUS server for each telephone number to be authenticated. The user name corresponds to the telephone number, and the user password is the CLIP password specified here.
- CLIP password: Password for return call control.
Note: The generic values for retry and timeout must also be configured (see Configuration of RADIUS as authenticator or NAS, page 502). They are under PPP on the same page as the PPP parameters.
Dial-in using WLAN and RADIUS: When using a RADIUS server for the authentication of WLAN clients, the RADIUS server uses the MAC address to check client authorizations.
[LANconfig dialog WLAN Security > Stations (tabs General, Stations, Protocols, 802.11i/WEP, IEEE 802.1X): Filter stations ("Data traffic between the wireless LAN and your local network can be restricted as required by excluding individual stations or only enabling specified stations"); Filter function: filter out data from the listed stations, transfer all other data; Stations; Authentication via RADIUS: Server IP address, Server port, Shared secret, Backup server IP address 0.0.0.0, Backup server port, Backup server secret.]
405. is not aware of channels identified as free and available for immediate use. As with earlier versions of LCOS, the configuration item "DFS rescan hours" makes it possible to force the one-minute scan to take place at a time of day when the wireless network is not being used.
The radio channel selects a portion of the conceivable frequency band for data transfer.
DFS 2 / ETSI 301 893 V1.3.1
The ETSI standard 301 893 version 1.3.1 is the latest set of regulations concerning the operation of 5 GHz wireless LANs. In the context of the wireless LAN modules used in the BAT Wireless Routers and BAT Access Points, this standard is also referred to as DFS 2. This standard makes tougher demands on the radar detection patterns used when operating 5 GHz WLANs. The standard applies to all devices brought into circulation after April 01, 2008. Devices brought into circulation before this date do not have to meet this standard. In particular, devices with older WLAN chips (two- or three-chip modules) do not have to meet this standard and as such do not have to be upgraded. Hirschmann supplies LCOS firmware of the versions 7.30 for the current Wireless Routers and Access Points and 7.52 for BAT Wireless L-310agn and BAT Wireless L-305agn with DFS 2 support. These firmware versions have different threshold values for radar pattern recognition than with
406. is table is empty by default, and so access to the router can therefore be obtained via TCP/IP (using Telnet or TFTP) from computers with any IP address. The filter is activated when the first IP address with its associated network mask is entered, and from that point on only those IP addresses contained in this initial entry will be permitted to use the internal functions. The circle of authorized users can be expanded by inputting further entries. The filter entries can describe both individual computers and whole networks. The access list can be found in LANconfig in the TCP/IP configuration section on the General tab.
Is your saved BAT configuration stored in a safe place? Protect the saved configurations against unauthorized access in a safe place. A saved configuration could otherwise be loaded into another device by an unauthorized person, enabling, for example, the use of your Internet connections at your expense.
Have you encrypted the radio network and secured it with an ACL? With 802.11i, WPA or WEP you can encrypt your data in the radio network with different kinds of encryption methods such as AES, TKIP or WEP. Hirschmann recommends the most secure encryption with 802.11i and AES. If the WLAN client adapter used does not provide these, use TKIP or at least WEP. Make sure that your device, when using the encryption function, has at least one passphrase or WE
407. ishing this proof is known as authentication.
Integrity: Once access is provided, one would like to ensure that data packets reach the receiver without any falsification, that is, that no one can change the packets or insert other data into the communication path. The manipulation of data packets themselves cannot be prevented, but changed packets can indeed be identified using suitable checksum processes and then discarded.
Confidentiality: Quite separate from access security is confidentiality, that is, unauthorized third parties must not be able to read the data traffic. To this end the data are encrypted. This sort of encryption process is exemplified by DES, AES, RC4 or Blowfish. Along with encryption, of course, there must also be a corresponding decryption on the receiving end, generally with the same key, a so-called symmetric encryption process. The problem naturally then arises how the sender can give the key to the receiver for the first time: a simple transmission could very easily be read by a third party, who could then easily decrypt the data traffic. In the simplest case this problem is left to the user, that is, one simply assumes that the user can make the key known at both ends of the connection. In this case one speaks of pre-shared keys or PSK. More sophisticated processes come into play when the use of pre-shared keys is impractical, for instance in an HTTP connection built over SSL; in this case the user ca
408. itch for SNMP access in the configuration area Management on the General tab.
[LANconfig dialog "Configure Management", tab General: Device Configuration Number (MSN), Further Administrators, "Password required for SNMP read permission" (checked), login lock.]
WEBconfig, Telnet or terminal program
Under WEBconfig, Telnet or a terminal program you will find the settings for the SNMP read access under the following paths:
Configuration tool | Menu/Table
WEBconfig | Expert configuration > Setup > Config > Password required for SNMP read access
Terminal/Telnet | Setup/Config/Password required for SNMP read access
5.2.7 Device-specific settings for communications protocols
With LANconfig, all device actions are conducted using the TFTP protocol. Since this protocol has disadvantages compared to other protocols when transmitting large volumes of data, the protocols HTTPS and HTTP can also be used as alternatives. The use of the protocols can be set either globally for all devices managed by a LANconfig, or specifically for each individual device. The global settings overwrite the specific settings; therefore, in the specific device settings only the settings allowed in the global configuration can take effect.
409. ited offline for any BAT device, firmware option and software version.
[LANconfig dialog "New Configuration File": Select the device that you want to create a new configuration file for. Device type: LANCOM 1621 ADSL/ISDN; Firmware version: 3.00; Software options: Leased line, VPN 1 connection, VPN 25 connections.]
Backup copies of configuration
With this function you can create backup copies of the configuration of your BAT.
Convenient series configuration
However, even when you are faced with the task of configuring several BATs of the same type, you will come to appreciate the function for saving and restoring configurations. In this case you can save a great deal of work by first importing identical parameters as a basic configuration and then only making individual settings to the separate devices.
Running function | Configuration tool | Run
LANconfig | Device > Configuration Management > Save to File; Device > Configuration Management > Restore from File; Edit > New Configuration File; Edit > Edit Configuration File; Device > Configuration Management > Print
WEBconfig | Save Configuration / Load Configuration in main menu
TFTP | tftp 10.0.0.1 get readconfig file1; tftp 10.0.0.1 put file1 writeconfig
4.6 New firmware with Hirschmann FirmSafe
The so
410. ith cable-bound Ethernet connection (DSL or cable modem). In this operation mode the base station offers all functions of a complete IP and IPX router as well. The base station serves in this connection variant as gateway to the Internet. The router checks for all received data packets whether they need to be transferred to another network or workstation. The router itself establishes the connections as required. The integrated Stateful Inspection Firewall effectively prevents the penetration of undesired data traffic into the own network by permitting incoming data only as a reaction to outgoing data traffic. For accessing the Internet, the IP masquerading function of the router hides all workstations of the LAN behind a single public IP address. The real identities (IP addresses) of the individual workstations remain concealed. Firewall filters of the router permit specific IP addresses, protocols and ports to be blocked. With MAC address filters it is also possible to specifically control the access of workstations in the LAN to the IP routing function of the device.
DSL modem or any broadband connection
VPN pass-through
VPN technology (VPN: Virtual Private Network) is more and more frequently in use to protect sensitive data. The BAT base station is able to route and mask simultaneously the encrypted data between a
411. ith the variation set to zero, the CRON job will be executed at the set time.
Note: Real-time-based rules can only be executed if the device has a time from a relevant source, e.g. via NTP.
12.8 PPPoE Servers
12.8.1 Introduction
In accordance with the widespread availability of DSL, PPPoE clients have now been widely integrated into all operating systems. These can be used to log on to the network as well as to manage access rights to services such as the Internet, e-mail or remote stations.
PPPoE can only be used on a network segment
As it is what is known as a Layer 2 technology, PPPoE can only be used within a network segment, i.e. it cannot be used across IP subnets. The PPPoE connection cannot be established across network segment limits, such as via a router.
After a user logs on to the LAN (e.g. username "Purchasing", password "secret") using a specified PPPoE logon, further rights can be regulated via the firewall. This enters the PPPoE user name as a remote station in the firewall. With a deny-all rule and a PPPoE rule in the following format, user "Anyone" can be permitted to use the Internet with Web and FTP:
Source: Anyone
Target: All stations
Services: WWW, FTP
12.8.2 Example application
All employees in the Purchasing department must first authenticate themselves to the BAT using PPPoE (IP routing, PAP check) in order to acces
412. ive data in the Internet cannot be prevented by a Firewall. If data once reaches the unsecured net beyond the Firewall, then it is exposed to well-known dangers. Despite using a Firewall, any confidential information such as contracts, passwords, development information etc. should be transmitted only over protected connections, i.e. by using suitable data encryption and VPN connections.
8.4 Intrusion Detection
A Firewall has the task of examining data traffic across borders between networks and rejecting those packets which do not have permission for transmission. Beside attempts to directly access a computer in the protected network, there are also attacks against the Firewall itself, or attempts to outwit a Firewall with falsified data packets. Such break-in attempts are recognized, repelled and logged by the Intrusion Detection System (IDS). Thereby one can select between logging within the device, email notification, SNMP traps or SYSLOG alarms. IDS checks the data traffic for certain properties and in this way also detects new attacks proceeding with conspicuous patterns.
8.4.1 Examples for break-in attempts
Typical break-in attempts are falsified sender addresses (IP spoofing) and port scans, as well as the abuse of special protocols such as e.g. FTP in order to open a port on the attacked computer and the Firewall in front of it.
IP spoofing
With IP spoofing, the sender of a packet poses as another computer
413. [WLANmonitor screenshot: table of detected clients (Client01 to Client04, network Network04, 2.4 GHz, channel 11) with date and time of first and last detection in 2006.]
Note: If a parameter is changed on an AP (e.g. the security settings), then it is displayed again as a newly discovered AP.
Rogue client detection
The WLANmonitor presents all of the clients found in predefined subgroups under "Rogue Client Detection", while displaying the following information:
> Time of first and last detection
> MAC address of the client
> Network name
Note: No configuration of the BAT Wireless Router is necessary to make use of rogue client detection.
The WLANmonitor uses the following groups for sorting the clients that are found:
All clients: List of all found clients, grouped as follows (clients are colored according to their group).
New clients: New, unknown clients are automatically grouped here (clients displayed in yellow).
Rogue clients: Clients identified as rogue and in need of urgent observation (clients displayed in red).
Unknown clients: Clients which are to be further analyzed (clients displayed in gray).
Known clients: Clients which are not a threat (clients displayed in gray).
Own clients: New affiliated clients associated with access points monit
414. l-time operations of a BAT.
5.3.3 Generating script files
A script for a BAT configuration exists in the form of a conventional text file. These include any necessary comments and all of the commands as used, e.g. with a Telnet console, to set the configuration. There are two different ways to generate a script file:
> The script can be generated entirely with a text editor.
> The configuration, or a section of it, is read out of a device, stored as a script file and then altered with a suitable text editor.
Read out the configuration via the console
Log on to the console with Supervisor rights. Switch to the branch of the configuration tree that you wish to read out. At the command prompt, execute the command readscript. Observe the optional command extensions ("Scripting commands", page 190). Using the Clipboard, copy and paste the required text section into a text editor and adapt the script to your requirements.
Via TFTP from the command line interface (DOS box)
The configuration commands can be read out directly from the command line interface via TFTP. To do this, open up a DOS box, for example. Enter the following command at the prompt:
C:\> tftp IP-address get PASSWORDreadscript path\script.lcs
IP-address is the address of the device containing the configuration commands you wish to read out. PASSWORD is the
415. [LANmonitor screenshot: device list showing VPN_NHAMEL with WAN connections (1), VPN connections (1), Wireless LAN and Firewall entries, including the log entry "6/17/2005 9:49:35 intruder detection: Packet dropped".]
Alternatively, WLANmonitor can be started from the console with the command [installation path]lanmon /wlan.
5.8.2 Search for access points
After starting WLANmonitor, commence a search for available access points via the menu item File > Find access points. The access points found are listed in the middle column. Also shown here is the main information for each access point, such as the name, number of registered clients, the frequency band and channels being used:
Name of the access point
Number of the connected clients
Used frequency band
Used channel
IP address of the access point
The right-hand column (client list) lists the clients that are logged in to the selected access point. The following information is shown for each client:
Connection quality as a bar chart
Identification: The name of the logged-in client, in as far as this is entered into the access list or a RADIUS server.
LANconfig: WLAN Security > Stations > Stations
Telnet: Setup/WLAN/Access List
WEBconfig: Expert Configuration > Setup > WLAN > Access List
Signal: Connection signal strength
Access point: Name of the access point that the client is logged on to
SSID: Identifier for the WLAN network
Encryption: Type of encryption used for th
416. lag | Flag meaning
00000001 | TCP: SYN sent
00000002 | TCP: SYN/ACK received
00000004 | TCP: waiting for ACK of the server
00000008 | all: open connection
00000010 | TCP: FIN received
00000020 | TCP: FIN sent
00000040 | TCP: RST sent or received
00000080 | TCP: session will be re-established
00000100 | FTP: passive FTP connection will be established
00000400 | H.323: belonging to T.120 connection
00000800 | connection via loopback interface
00001000 | checking concatenated rules
00002000 | rule is catenated
00010000 | destination is on local route
00020000 | destination is on default route
00040000 | destination is on VPN route
00080000 | physical connection is not established
00100000 | source is on default route
00200000 | source is on VPN route
00800000 | no route for destination
01000000 | contains global actions with condition
Port block list
Address, protocol and port of a destination station are filed in the port block list if blocking of the destination port on the destination station was selected as a filter's packet action. This table is likewise a sorted semi-dynamic table. Sorting is done according to address, protocol and port. The table contains the following elements:
Element | Element meaning
Address | Address of the station to which the blocking should apply
Protocol | Used protocol (TCP, UDP etc.). The protocol is decimally indicated
417. ld be set as required for the entire group. When the configuration dialogue is closed, LANconfig will request that you save the partial configuration file to a location of your choice.
Note: The group configuration then saves all parameters to a partial configuration file. Those parameters which were not changed are also set to the standard values. Use the scripting function ("Scripting", page 181) to read out non-standard settings from a device and transfer them to other devices if required.
The link to the partial configuration file appears in the list of entries and has the description "Group Configuration". The name of the group configuration can be changed via the Properties. To do this, click on the entry with the right-hand mouse key and select Properties from the context menu.
[LANconfig screenshot: folder WLAN containing "Group Wireless 5.00" (Group Configuration), "LANCOM DSL/I-1611 Office" (192.168.2.101, Group update recommended) and "VPN_NHAMEL" (192.168.2.100, Group update recommended); dialog "Group Configuration Properties", tab General, Description "Group Configuration".]
Note: The group configuration is a link to the partial configuration file. Please note that changes to the partial configuration file will
418. lds of application. The following table gives information about the permitted use and corresponding transmission powers within the EU:
Frequency range (GHz) | | | Use | |
5.15–5.25 | 30 | 13 | Indoor | |
5.15–5.25 | 60 | 14 | Indoor | ✓ |
5.15–5.25 | 200 | 23 | Indoor | ✓ | ✓
5.25–5.35 | 200 | 23 | Indoor | ✓ | ✓
5.470–5.725 | 1000 | 30 | Indoor/Outdoor | ✓ | ✓
Note: Other regulations may apply to use in other countries. Please refer to the current wireless network regulations for the country in which you want to operate a wireless LAN device, and make sure you configure the country in which you are operating the device in the WLAN settings.
4 Configuration and management
This section will show you the methods and ways you can use to access the device and specify further settings. You will find descriptions on the following topics:
Configuration tools
Monitoring and diagnosis functions of the device and software
Backup and restoration of entire configurations
Installation of new firmware in the device
4.1 Configuration tools and approaches
BATs are flexible devices that support a variety of tools (i.e. software) and approaches (in the form of communication options) for their configuration. First a look at the approaches. You can connect to a BAT with three different access meth
419. le with trace results for viewing in the trace module.
Saves the current trace results to a file.
Clears the current display of trace results.
Starts outputting the trace results as produced by the current configuration and automatically switches to the trace result display mode. As soon as the trace results are returned, the other buttons are deactivated.
Stops the output of trace results.
Switches to the mode for configuring the trace output.
Switches to the mode for displaying the trace output.
[Screenshot: trace window of a LANCOM Wireless DSL router, showing the trace configuration with filter expressions (OR, AND and NOT combinations of search strings) used to reduce the number of generated trace messages.]
420. lead to changes in that group configuration.
Use an existing partial configuration file
There are cases where it is more effective to use a different folder structure in LANconfig than that required for group configuration. Devices in location-specific folders can indeed be set up with the same group configurations. To avoid having to create the same partial configuration for every folder, links to a common partial configuration file can be created in multiple folders.
To use an existing partial configuration file for a group configuration, click on the appropriate folder with the right-hand mouse key and select "Add group configuration" from the context menu. In the subsequent dialog, select the existing partial configuration file to create a link to this file in the folder.
Note: Please note that changes to the partial configuration file will lead to changes in that group configuration in various folders.
5.4.2 Update device configurations
By selecting or updating a folder, LANconfig checks the configuration of the devices in this folder for agreement with the settings in the active group configuration. In case of discrepancy from the group configuration, the device status informs that "Group update recommended". To load the group configuration into the WLAN device, drag the group configuration entry onto the appropriate de
421. 7 Security
You certainly would not like any outsider to have easy access to, or to be able to modify, the data on your computer. Therefore this chapter covers an important topic: safety. The description of the security settings is divided into the following sections:
Protection for the configuration
Password protection
Login barring
Access verification
Securing ISDN access
At the end of the chapter you will find the most important security settings as a checklist. It ensures that your BAT is excellently protected.
Note: Some further LCOS features to enhance the data security are described in separate chapters: Firewall (page 249), IP masquerading (page 369), Virtual LANs (VLANs) (page 335).
7.1 Protection for the configuration
A number of important parameters for the exchange of data are established in the configuration of the device. These include the security of your network, monitoring of costs and the authorizations for the individual network users. Needless to say, the parameters that you have set should not be modified by unauthorized persons. The BAT thus offers a variety of options to protect the configuration.
7.1.1 Password protection
The simplest option for the protection of the configuration is the establishment of a password.
Note: As l
422. led channels will be established in the given order; only in case of error will the channels be tested in ascending order. With a port range, the channels are always established in ascending order.
In the list of Ethernet ports, the ports must be switched to "DSL port".
In the layer used for the connection, a bundling method has to be activated that is also supported at the remote site.
To configure channel bundling for an internal ADSL interface, the ADSL port 0 is entered into the list of ports at the top of the list, e.g. "0, 1, 2, 3" as port list or "0–3" as port range. In the remote device, the communications layer must be set to Layer 1 = AAL-5.
Note: An entry in the peer list can contain various ports (e.g. ADSL and Ethernet), but it can only reference one communications layer, in which just one layer 1 protocol can be defined. For bundled communications over ADSL and Ethernet ports, however, two different layer 1 protocols are required. For this reason, layer 1 is set to AAL-5 in these cases. As only one ADSL interface can exist in the devices, all of the interfaces bundled into this are automatically changed to layer 1 with ETH for Ethernet DSL ports. This automatic change of the layer can only succeed if the ADSL interface is the first one to be selected for bundled connections. For devices with a built-in ADSL modem and an additional Ethe
423. ll other applications.
Note: For correct functioning of this mechanism, the sum of the configured minimum bandwidths must not exceed the effectively available transmission bandwidth.
Dynamic bandwidth management also for reception
For receiving bandwidth control, packets can be buffered and only belatedly confirmed. Thus TCP/IP connections regulate themselves automatically on a smaller bandwidth. Each WAN interface is assigned a maximum reception bandwidth. This bandwidth will be accordingly degraded by every QoS rule that guarantees a minimum bandwidth of reception on this interface.
If the QoS rule has been defined connection-related, the reserved bandwidth will be unblocked immediately after releasing the connection, and the maximum available bandwidth will increase accordingly on the WAN interface. If the QoS rule has been defined globally, then the reserved bandwidth will be unblocked only after the ending of the last connection.
9.2.2 Limited maximum bandwidths
Hereby you limit, e.g., the entire or connection-related maximum bandwidth for server accesses. An example: You operate both a Web server and a local network on a shared Internet access. To prevent your productive network (LAN) from being paralyzed by many Internet accesses to your Web server, all server accesses are limited to half of the available bandwidth. Furthermore, in order to guara
424. ller units. This additional fragmentation can cause losses in the data transfer speeds. This problem can be avoided by entering a fixed MTU for each remote site.
11.15.1 Configuration
WEBconfig, Telnet or terminal program
Under WEBconfig, Telnet or a terminal program you will find the MTU list (for a maximum of 16 entries) under the following paths:
Configuration tool | Menu/Table
WEBconfig | Expert configuration > Setup > WAN > MTU list
Terminal/Telnet | Setup/WAN/MTU list
The table contains the following entries:
Device name: Name of the remote device. It can be a physical or a virtual (PPTP, VPN) remote station.
MTU: MTU to be used for the connection.
11.15.2 Statistics
Under Status > WAN statistics you will find the MTU statistics recorded for all current connections. The table is partially dynamic and begins with 16 entries. Like the MTU list under Setup > WAN, it contains two columns with the remote name and the MTU.
Remote site | MTU | Remark
INET | 1200 | The INET remote site is the Internet connection and has a forced MTU of 1200 bytes.
MULTI | 1492 | MULTI is a PPPoE connection for which the MTU was negotiated and is consequently 1492 bytes.
TESTVPN | 1100 | TESTVPN is a VPN connection established via the Internet. An assumed overhead of 100 bytes is taken for VPN connections, and consequently the MTU here is 1100 bytes.
T
425. lout Wizard:
exec:set /setup/name MyLANCOM
mailto: Enables an e-mail to be sent upon entry of the address, subject and body text, for example:
mailto:admin@mylancom.de?subject=Rollout&body=LANCOM setup completed
Note: To make use of the mail function, an SMTP account must be set up in the device.
http: and https: Enables a Web site to be accessed, for example to carry out an action there:
<http|https>://user:pass@hostname:port
Variables in the actions
When actions are executed, the values as defined with the Rollout Wizard can be referenced. To this end, the variable's identifier is used for the action with a leading percent character. The identifier must be enclosed by curly brackets if other alphanumeric characters are included in the action. The following example sets the name of the device to the format "Site-Branch" if the location of the device is being queried as a variable with the identifier "Location":
exec:set /setup/name %{Location}-Branch
For variables of the type Integer or String, the value as entered by the user is used. In the case of variables of the type Checkmark, 1 (switched on) or 0 (switched off) is used.
Note: If the expression for the action contains spaces, then the expression must be enclosed by quotation marks.
Default: blank
5.5.4 Actions for managing the Rollout Wizard
Renumber variables / Renumber actions
As explained above, variables and actions are displayed or proces
426. lso known as scaling. As a result of the constant exchange of information between the routers, such a router theoretically has no limits to the transmission options available to it.
Configuration of IP RIP function
Configuration tool | Menu/Table
LANconfig | IP router > General > RIP options
WEBconfig | Expert Configuration > Setup > IP router > RIP config
Terminal/Telnet | setup/IP router/RIP config
In the field "RIP support" or "RIP type", the following selection is possible:
off: IP RIP is not used (default).
RIP 1: RIP 1 and RIP 2 packets are received, but only RIP 1 packets are sent.
RIP 1 compatible: RIP 1 and RIP 2 packets are received; RIP 2 packets are sent as an IP broadcast.
RIP 2: Similar to RIP 1 compatible, except that all RIP packets are sent to the IP multicast address 224.0.0.9.
The entry under "RIP 1 mask" or "R1 mask" can be set to the following values:
class (default): The network mask used in the RIP packet is derived directly from the IP address class, i.e. the following network masks are used for the network classes: Class A 255.0.0.0, Class B 255.255.0.0, Class C 255.255.255.0.
address: The network mask is derived from the first bit that is set in the IP address entered. This and all high-order bits within the network mask are set. Thus, for example, the add
427. lved hosts can occur in the status database. These can also be initiated only from one side, unless a dedicated entry for the opposite direction exists in the port filter Firewall.
8.3.3 General settings of the Firewall
Apart from individual Firewall rules, which ensure the entries in the filter, connection and block lists, some settings apply generally to the Firewall:
Firewall/QoS enabled
Administrator email (page 265)
Fragments (page 265)
Re-establishing of the session (page 265)
Ping blocking (page 266)
Stealth mode (page 267)
Mask authentication port (page 267)
Firewall/QoS enabled
This option switches on or off the entire Firewall, including Quality of Service functions.
Note: Please notice that the N:N mapping functions ("N:N mapping", page 425) are only active when the Firewall has been switched on.
Administrator email
One of the actions a Firewall can trigger is alerting a network administrator via email. The administrator email is the email account to which the alerting mails are sent.
Fragments
Some attacks from the Internet try to outsmart the Firewall by fragmented packets (packets split into several small units). One of the main features of a Stateful Inspection like in the BAT is the ability to re-assemble fragmented packets in order to check afterwards the entire IP packet. You c
…ly defined. Pinging a router in a remote network thus provides monitoring for the entire connection and not just the section to the Internet provider.

A ping interval is defined for the remote site in the polling table. Further, for the event that replies are missed, the number of retries before the transmission of a new LCP request is defined. Should the transmitter not receive any reply to the retries, the target for the ping requests is classified as unavailable. Up to four different IP addresses can be entered for each remote site that will be checked in the remote network in parallel. Only if all of the IP addresses are unavailable is the connection considered to have failed.

Note: With the ICMP polling, an entire connection can be monitored from end to end.

[Screenshot: Polling Table, New Entry dialog with the fields Remote site, IP address 1 to 4, Ping interval (seconds), Retries and Source IP address (LOOPBACK_1)]

Configuration tool: Menu/Table
LANconfig: Communication > Remote Sites > Polling Table
WEBconfig/Telnet: Expert configuration > Setup > WAN > Polling table

- Peer: Name of the remote station which is to be checked with this entry.
- IP address 1-4: IP addresses for targeting with ICMP requests to check the remote site.
…ly delete the corresponding entries.

On the WINS configuration tab, the Use DHCP for WINS Resolution option must also be selected if you want to use Windows networks over IP with name resolution using NBNS servers. In this case the DHCP server must also have an NBNS entry.

Priority for computer: overwriting an assignment

If a computer uses parameters other than those assigned to it (e.g. a different default gateway), these parameters must be set directly on the workstation computer. The computer then ignores the corresponding parameters assigned to it by the DHCP server.

Under Windows 98 this is accomplished through the properties of the Network Neighborhood. Click Start > Settings > Control Panel > Network. Select the TCP/IP entry for your network adapter and open Properties. You can now enter the desired values by selecting the various tabs.

Checking of IP addresses in the LAN

Configuration tool: Run/Table
WEBconfig: Expert Configuration > Setup > DHCP > Table DHCP
Terminal/Telnet: setup/DHCP/table DHCP

The DHCP table provides a list of the IP addresses in the LAN. This table contains the assigned or used IP address, the MAC address, the validity, the name of the computer (if available) and the type of address assignment. The Type field specifies how the address was assigned. This field can assume the followi…
…modem parameters can be found in the LANconfig configuration area Interfaces on the WAN and Modem tab.

[Screenshots: Configure Interfaces, WAN settings and Modem settings dialogs with the fields AT polling cycle time (seconds), AT polling count, Ring count, Initialize answer command, Answer command, Request modem ID, Initialize dial command, Reset command, Dial command, Initialize command, Escape sequence, Deactivate echo command, Wait after escape sequence (milliseconds) and Disconnect command]

This is where you can make further settings for each WAN interface. To use an external modem connected to the serial interface, you have to select the correct operating mode of the V.24 WAN interface. Further commands and options used for an optional external modem connected to the serial interface can be configured on the page Modem.

Configuration with WEBconfig or Telnet

Under WEBconfig or Telnet you will find the modem parameters under the following paths:

Configuration tool: Menu/Table
WEBconfig: Expert Configuration > Setup > I…
[Figure residue: …ment, marketing and accounting stations connected to a base station]

10.2.1 Frame tagging

In order to shield, or if necessary to prioritize, the data traffic of a virtual LAN against the other network users, data packets must have an additional feature: a tag. That's why the respective process is also called frame tagging. Frame tagging must be realized such that the following requirements are fulfilled:
- Data packets with and without frame tagging must be able to exist in parallel on a physical LAN.
- Stations and switches in a LAN which do not support VLAN technology must ignore the data packets with frame tagging and/or treat them as normal data packets.

The tagging is realized by an additional field within the MAC frame. This field contains two important pieces of information for the virtual LAN:
- VLAN ID: A unique number describes the virtual LAN. This ID defines the belonging of data packets to a logical virtual LAN. With this 12-bit value it is possible to define up to 4094 different VLANs; the VLAN IDs 0 and 4095 are reserved resp. inadmissible.
Note: VLAN ID 1 is used by many devices as the Default VLAN ID. Concerning unconfigured devices, all ports belong to this Default VLAN. However, this assignment can also be changed by configuration (The port table, page 341).
- Priority: The priority of a VLAN-tagged…
…ment of all pending TCP connections to this channel. Subsequently, all of the configured bundle connections will successively be established. As soon as at least two bundle connections are active, new TCP connections will be divided among the active bundle connections. Should establishment of the bundling connection fail, then attempts will be made to establish other bundle connections one after the other. As soon as one of the bundle connections is established, all of the pending TCP connections will be directed to this channel.

Spreading the data load

Two basic methods are available for balancing the data load:
- If the channel's bandwidth is known, then the connections will be assigned to the channel with the lowest workload in percent.
- If the bandwidth is not known, then a differentiation is made according to the type of connection required: a TCP connection, or VPN or PPTP connections from the BAT. If a TCP connection requests a channel, then the one with the lowest absolute workload will be chosen. If a VPN or PPTP connection requests a channel, then the connections will be equally spread between all available channels.

Note: For the most effective use of load balancing, the bandwidth should be entered into the list of WAN interfaces: under LANconfig in the configuration area Interface on the WAN tab under the button Interface settings; Telnet: Setup/Interfaces/DSL; WEBconfig: Expert configuration > Setup > Interfaces…
…commands and script files.

There are two basic methods of uploading the script commands to the intermediate memory of the BAT:
- The commands can be manually entered at a console in script mode with the command beginscript. In this way the commands are written directly from the console to the intermediate memory. After all of the commands are ready, they are processed by entering the command exit and are then transferred to the RAM.
- The required command sequence can be saved to a text file. This text file is then sent to the intermediate memory by using an appropriate tool (LANconfig, terminal program, TFTP). If the necessary commands are included in the file, the transfer of the configuration to the RAM will be started automatically.

There are various ways to upload script files to BAT devices, the choice of which depends upon the configuration tool that you prefer to use.

Command input via console session (Telnet, SSH)

In a console session a script can be uploaded to the device via the Clipboard:
- Open your script with any text editor and transfer the configuration commands to the Clipboard.
- Log on to the console with Supervisor rights.
- Start the script mode with the command beginscript.

[Screenshot: Telnet session to 192.168.2.100 showing the beginscript command and the script> prompt]
…mode. Due to VLAN functions, virtual LANs may be installed in the LAN bridge, which permit the operation of several logical networks on one physical cabling.
- Applications can communicate with different IP modules (NetBIOS, DNS, DHCP server, RADIUS, RIP, NTP, SNMP, SYSLOG, SMTP) either via the IP router or directly via the LAN bridge.
- The functions IP masquerading and N:N mapping provide suitable IP address translations between private and public IP ranges, or also between multiple private networks.
- Provided the according authorization, direct access to the configuration and management services of the devices (WEBconfig, Telnet, TFTP) is provided from the LAN and also from the WAN side. These services are protected by filters and login barring but do not require any processing by the firewall. Nevertheless, a direct access from WAN to LAN or vice versa using the internal services as a bypass for the firewall is not possible.
- The IPX router and the LANCAPI access on the WAN side only the ISDN interface. Both modules are independent from the firewall, which controls only data traffic through the IP router.
- The VPN services, including PPTP, enable data encryption in the Internet and thereby enable virtual private networks over public data connections.
- Depending on the specific model, either xDSL (Cable, ADSL) or ISDN are available as different WAN interfaces. The DSLoL interface (DSL over LAN) is not a physical WAN interface but more…
…more objects can be defined hierarchically. So one can first define objects for the TCP and UDP protocols, then objects for e.g. FTP (TCP ports 20 and 21), HTTP (TCP port 80) and DNS (TCP, UDP port 53). All these single objects can subsequently be assembled into a new object which then contains all previously defined single objects.

Stations and services can be described according to the following rules in the object table:

Description | Object ID | Examples and notes
Local network | L |
Remote stations | H | Name must be in the DSL/ISDN/PPTP or VPN remote site list
Host name | D | Note: advice for host names (page 272)
MAC address | E | 00:A0:57:01:02:03
IP address | A | A10.0.0.1,10.0.0.2; A0 (all addresses)
Netmask | M | M255.255.255.0
Protocol (TCP/UDP/ICMP etc.) | P | P6 for TCP
Service (port) | S | S20-25 for ports 20 to 25

The same identifier can generate comma-separated lists, as for example host lists or address lists (A10.0.0.1,10.0.0.2), or hyphen-separated ranges like port ranges (S20-25). The occurrence of a 0 or an empty string represents the "any" object.

[Screenshot: Expert Configuration > Setup > IP router module > Firewall > Object table, entry with Name FTP and Description P6 S21]

Note: When configuring via console (Telnet or terminal program), the combined parameters (port, destination, source) must be enclosed in inverted commas (the " character).
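As an added example (not code from the manual or the device), a small parser and matcher for object descriptions in the L/H/D/E/A/M/P/S notation of the object table above, including hierarchical objects that refer to other objects by name. The object names, descriptions and packets below are constructed, and the netmask interpretation is an assumption.

```python
"""Added example, not part of the manual: parse firewall object descriptions
(L/H/D/E/A/M/P/S identifiers, comma lists, hyphen ranges, '0' = any) and
check whether a packet would hit an object.  All names and values are constructed."""
import ipaddress
from typing import Dict, Set

ANY = "ANY"                       # '0' or empty string = the "any" object
IDENTIFIERS = set("LHDEAMPS")     # object IDs from the table above


def _expand(ident: str, value: str) -> Set:
    """Expand the text behind an identifier: ',' builds a list, '-' a range."""
    if value in ("", "0"):
        return {ANY}
    items: Set = set()
    for part in value.split(","):
        if ident in "PS" and "-" in part:             # e.g. S20-25
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo > hi or hi > 65535:
                raise ValueError(f"bad range {part!r}")
            items.update(range(lo, hi + 1))
        elif ident in "PS":                            # e.g. P6, S21
            items.add(int(part))
        elif ident in "AM":                            # e.g. A10.0.0.1, M255.255.255.0
            items.add(ipaddress.IPv4Address(part))
        else:                                          # L, H, D, E: keep as text
            items.add(part)
    return items


def resolve(name: str, table: Dict[str, str], _seen=()) -> Dict[str, Set]:
    """Resolve an object by name.  A token that is itself a name in `table` is
    a reference to another object (hierarchical definition); its items are
    merged field by field.  Merging is a union per field, so an object built
    from FTP and DNS also matches TCP/53 and UDP/21 (a deliberate simplification)."""
    if name in _seen:
        raise ValueError(f"circular object definition via {name!r}")
    merged: Dict[str, Set] = {}
    for token in table[name].split():
        if token in table:
            sub = resolve(token, table, _seen + (name,))
        else:
            ident, value = token[0].upper(), token[1:]
            if ident not in IDENTIFIERS:
                raise ValueError(f"unknown identifier in {token!r}")
            sub = {ident: _expand(ident, value)}
        for ident, items in sub.items():
            merged.setdefault(ident, set()).update(items)
    return merged


def _addr_ok(obj: Dict[str, Set], ip: ipaddress.IPv4Address) -> bool:
    addrs = obj.get("A")
    if not addrs or ANY in addrs:
        return True
    masks = obj.get("M", {ANY})
    if ANY in masks:
        return ip in addrs
    # assumption: with a netmask, the A entries describe networks, so compare
    # the masked parts of the packet address and of each A entry
    return any((int(ip) & int(m)) == (int(a) & int(m)) for a in addrs for m in masks)


def matches(obj: Dict[str, Set], proto: int, port: int, ip: str) -> bool:
    """Would a packet (IP protocol number, port, IPv4 address) hit this object?
    A field that is absent from the object imposes no restriction."""
    for ident, value in (("P", proto), ("S", port)):
        items = obj.get(ident)
        if items and ANY not in items and value not in items:
            return False
    return _addr_ok(obj, ipaddress.IPv4Address(ip))


# constructed object table, in the spirit of the FTP/HTTP/DNS example above
OBJECTS = {
    "FTP": "P6 S20-21",
    "HTTP": "P6 S80",
    "DNS": "P6,17 S53",
    "WEBSERVICES": "FTP HTTP DNS",          # hierarchical object
    "ADMINS": "A10.0.0.1,10.0.0.2",
    "INTRANET": "A10.0.0.0 M255.255.255.0",
}

if __name__ == "__main__":
    for name in OBJECTS:
        print(name, resolve(name, OBJECTS))
```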
In Europe, the European Commission issued the ETSI 301 893 standard on July 11, 2005. The member states of the EU are obliged to implement this by October 31, 2005. Instead of the three sub-bands described in the 802.11a/h standards (5150-5350 MHz, 5470-5725 MHz and 5725-5875 MHz for the UK), the ETSI 301 893 standard regulates the three following areas with different specifications: 5150-5250 MHz, 5250-5350 MHz, 5470-5725 MHz.

The guidelines focus on preventive measures for avoiding disruptions to other systems that use the same frequency band. This includes radar equipment, which counts as a primary application. The secondary applications, such as WLAN, have to change the frequency as soon as a conflict is detected.

Dynamic Frequency Selection (DFS)

Dynamic Frequency Selection (DFS) was stipulated to prioritize primary applications. DFS initially assumes that no channel is available in the corresponding frequency band. The WLAN device selects an arbitrary channel at the start and performs what is known as a Channel Availability Check (CAC). Before sending on a channel, a check is run for 60 seconds (Channel Observation Time, COT) to see if a different device is already working on this channel and the channel is therefore occupied. If this is the case, then a different channel is checked by the CAC. If not, then the WLAN device can perform…
…n and blocking can be configured here under WEBconfig or Telnet:
WEBconfig: Expert Configuration > Setup > IP Router Module > Firewall
Terminal/Telnet: Setup/IP Router Module/Firewall

However, the following protection mechanisms are always active:
- Address examination against IP spoofing
- Blocking of broadcasts into the local area network (against Smurf and Co.)

8.5.3 Configuration of ping blocking and Stealth mode

LANconfig

Parameters for ping blocking and Stealth mode can be set with LANconfig under Firewall/QoS on the register card General.

[Screenshot: Configure Firewall/QoS, tab General, with Firewall/QoS enabled, General settings (Default VPN rules: Create automatically, Administrator email), Precautions (Fragments: Re-assemble, Session recovery: Denied for default route, Ping blocking: Off, Stealth mode: Off, Always mask authentication port: WAN only / Default route only)]

WEBconfig/Telnet

With WEBconfig or Telnet the suppression of responses can be configured here:
WEBconfig: Expert Configuration > Setup > IP Router Module > Firewall
Terminal/Telnet: Setup/IP Router Module/Firewall

9 Quality of Service

9.1 Why QoS?

This chapter de…
…n indicates if tagged data packets with any VLAN IDs should be accepted even if the port itself does not belong to the same VLAN ID.
- Default ID: This VLAN ID has two functions: Untagged packets received on this port are provided with this VLAN ID. If tagging for sent packets is switched on, this VLAN ID will not be assigned to the packets. If a packet with this VLAN ID is received, it will be passed on without this ID, although tagging has been switched on.

Example for a port table:

Port | Use tagging | Allow untagged frames | Allow all VLANs | Default ID
LAN 1 | On | On | On | 1
WLAN 1 | Off | On | Off | 1
WLAN 2 | Off | On | Off | 1
P2P 1 | Off | On | Off | 1
P2P 2 | Off | On | Off | 1
P2P 3 | Off | On | Off | 1
P2P 4 | Off | On | Off | 1
P2P 5 | Off | On | Off | 1
P2P 6 | Off | On | Off | 1

10.3.3 Configuration with LANconfig

Parameters for virtual networks can be set with LANconfig under Interfaces on the register card VLAN. The definition of the used virtual networks can be accessed via the button VLAN table.

[Screenshot: Configure Interfaces, tab VLAN, VLAN settings with the warning text: "Attention: These settings are sensefull only in a VLAN network. You should change it only if the consequences are known. It is simply possible here to lockout yourself from this router. The device will potentially be reachable afterwards…"]
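As an added example (not code from the manual or the device), a minimal model of the 802.1Q frame tagging described under "Frame tagging" (12-bit VLAN ID with IDs 0 and 4095 inadmissible, 3-bit priority) combined with the port table semantics above (Use tagging, Allow untagged frames, Allow all VLANs, Default ID). The PortConfig field names and the sample frame and ports are constructed assumptions that mirror the table columns, not device API names.

```python
"""Added example, not taken from the manual: IEEE 802.1Q tag handling plus the
ingress/egress behaviour of the port table rows above.  Frames and port
settings are constructed; PortConfig mirrors the table columns by assumption."""
import struct
from dataclasses import dataclass

TPID_8021Q = 0x8100          # EtherType announcing a VLAN tag in the MAC frame
RESERVED_VIDS = {0, 4095}    # 12-bit field, but these two IDs are inadmissible


@dataclass(frozen=True)
class Tag:
    priority: int            # 3-bit priority field
    vid: int                 # 12-bit VLAN ID


@dataclass(frozen=True)
class PortConfig:
    name: str
    use_tagging: bool        # "Use tagging": tag frames sent on this port
    allow_untagged: bool     # "Allow untagged frames": accept frames without tag
    allow_all_vlans: bool    # "Allow all VLANs": accept any VID on this port
    default_id: int = 1      # "Default ID": VID given to untagged frames
    member_vids: frozenset = frozenset()   # VLANs this port belongs to


def parse_tag(frame: bytes):
    """Return (Tag or None, frame without the tag).  An untagged frame is handed
    back unchanged, which is also how VLAN-unaware stations treat all frames:
    they never look past the EtherType."""
    if len(frame) < 14:
        raise ValueError("frame shorter than dst/src/EtherType")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return None, frame
    if len(frame) < 18:
        raise ValueError("tagged frame truncated")
    (tci,) = struct.unpack("!H", frame[14:16])
    tag = Tag(priority=tci >> 13, vid=tci & 0x0FFF)
    if tag.vid in RESERVED_VIDS:
        raise ValueError(f"reserved VLAN ID {tag.vid}")
    return tag, frame[:12] + frame[16:]


def add_tag(frame: bytes, vid: int, priority: int = 0) -> bytes:
    """Insert the 4-byte tag (TPID + TCI) between source MAC and EtherType."""
    if vid in RESERVED_VIDS or not 1 <= vid <= 4094:
        raise ValueError(f"VLAN ID {vid} not allowed")
    if not 0 <= priority <= 7:
        raise ValueError("priority must fit in 3 bits")
    tci = (priority << 13) | vid            # DEI bit left clear
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def ingress(port: PortConfig, frame: bytes):
    """Assign a received frame to a VLAN; return the VID, or None if dropped."""
    tag, _ = parse_tag(frame)
    if tag is None:                         # untagged: takes the Default ID
        return port.default_id if port.allow_untagged else None
    if port.allow_all_vlans or tag.vid == port.default_id or tag.vid in port.member_vids:
        return tag.vid
    return None


def egress(port: PortConfig, vid: int, untagged_frame: bytes) -> bytes:
    """Send a frame belonging to VLAN `vid` out of `port`.  With "Use tagging"
    on, every VLAN is tagged except the port's Default ID, whose frames leave
    without a tag."""
    if port.use_tagging and vid != port.default_id:
        return add_tag(untagged_frame, vid)
    return untagged_frame


# constructed sample: the LAN 1 and WLAN 1 rows of the port table above
LAN1 = PortConfig("LAN-1", use_tagging=True, allow_untagged=True, allow_all_vlans=True)
WLAN1 = PortConfig("WLAN-1", use_tagging=False, allow_untagged=True, allow_all_vlans=False)

# constructed untagged IPv4 frame: dst MAC, src MAC, EtherType 0x0800, 4 payload bytes
SAMPLE_FRAME = bytes.fromhex("ffffffffffff" "00a057010203" "0800" "deadbeef")
```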
…can not be compatible with IEEE 802.11a. The transmission distances of IEEE 802.11g products are comparable with those of IEEE 802.11b products.

Turbo mode

With the 802.11g standard in turbo mode, the transfer rate can be increased to a maximum of 108 Mbps by using two radio channels. But as the 2.4 GHz band uses fewer channels than the 5 GHz band, the turbo mode limits the choice of channels in this case.

Transfer rates

The indicated transfer rates are always to be interpreted as gross data rates, i.e. the entire protocol overhead, as for example the complex protocols to secure the radio transmission, is included in the indicated transfer rates. The net data transfer rate can thus be lower than the indicated gross data rate, typically by up to half, for all IEEE 802.11 standards mentioned above.

Ranges

The actually obtained distances for radio transfers depend strongly on the individual environment. In particular, influences of noise and obstacles have an effect on the range. Decisive is an optimal placement of the radio stations, both network adapters and base stations. For a further increase of the transfer distance we recommend the operation with additional antennas.

IEEE standards

In order to guarantee a maximum of compatibility, Hirschmann Systems fully complies with the industry standards of the IEEE described in the preceding p…
…n path. Antennae do not emit their signals linearly but within an angle that depends on the model in question. The spherical expansion of the signal waves is characterized by constructive and destructive interference between these waves at certain distances perpendicular to the line of sight between transmitter and receiver. The areas where the waves amplify or cancel themselves out are known as Fresnel zones.

[Figure: Fresnel zones 1, 2 and 3 between transmitter and receiver over the distance d]

To ensure an optimal signal reception between transmitter and receiver, the Fresnel zone 1 should remain free from any obstruction. Any disturbances from elements protruding into this zone will significantly reduce the effective signal power. The object not only screens off a portion of the Fresnel zone, but the resulting reflections also lead to a significant reduction in the signal reception.

The radius R of Fresnel zone 1 is calculated with the following formula, assuming that the signal wavelength λ and the distance between transmitter and receiver d are known:

R = 0.5 · √(λ · d)

The wavelength in the 2.4 GHz band is approx. 0.125 m, in the 5 GHz band approx. 0.05 m.

Example: With a separating distance of 4 km between the two antennae, the radius of Fresnel zone 1 in the 2.4 GHz band is 17 m, in the 5 GHz band 7 m. To ensure that the Fresnel zone 1 remains…
…can't retrieve a key from a remote web server quite so easily. In this case so-called asymmetric encryption methods such as RSA can be used, that is, to decrypt the data a different key is used than the one used to encrypt it, meaning that key pairs are used. Such methods are, however, much slower than symmetric encryption methods, which leads to a two-phase solution:
- The sender possesses an asymmetric key pair. It transmits the public part of the key pair, i.e. the key for encryption, to the receiver, as a certificate for example. Since this part of the key pair cannot be used for decryption, there are no misgivings with regard to security.
- The receiver selects any symmetrical key. This symmetrical key, which is used both for encryption and for decryption, must now be securely transmitted to the sender. It is encrypted with the sender's public key and returned to the sender. The only way that the symmetrical key can be decrypted again is with the sender's private key. Potential eavesdroppers observing the key exchange cannot decrypt this information, and consequently the transmission of the symmetrical key is secure.

This method can be used for the safe transmission of symmetrical keys via the Internet. In the following sections we will see these methods again, sometimes in modified form.

3.2.2 WEP

WEP is an abbreviation for Wired Equivalen…
…n with the WLANmonitor. WLAN devices that make unauthorized attempts at accessing a WLAN by posing as an access point or client are called rogues.
- Rogue clients are computers equipped with WLAN adapters that are located within the range of a WLAN and attempt to log on to one of the access points, for example in order to use the Internet connection or in order to receive access to secured areas on the network.
- An example of rogue APs are access points that a company's employees connect to the network without the knowledge or permission of the system administrators, thereby consciously or unconsciously making the network vulnerable to potential attackers via unsecured WLAN access. Not quite as dangerous, but disruptive all the same, are access points that belong to third-party networks yet are within the range of the local WLAN. If such devices also use the same SSID and channel as the local AP (default settings), then local clients could attempt to log on to external networks.

Unidentified access points within the range of the local network frequently pose a possible threat and security gap. At the very least they are a disturbance, and so they need to be identified to decide whether further measures in securing the local network need to be introduced. Information about the clients within range of your network is automatically stored to an…
…dynamic and permanently moving. The filter list is made of the Firewall rules. The filters it contains are static and only change when Firewall rules are added, edited or deleted. Thus all lists which are consulted by the Firewall to check data packets are finally based on the Firewall rules (Parameters of Firewall rules, page 268).

8.3.2 Special protocols

One important point during the connection tracking is the treatment of protocols that dynamically negotiate ports and/or addresses over which further communication is done. Examples of these kinds of protocols are FTP, H.323 or also many UDP-based protocols. Thereby it is necessary that further connections must be opened in addition to the first connection. See also Different types of Firewalls (page 253).

UDP connections

UDP is actually a stateless protocol; nevertheless, regarding UDP-based protocols one can also speak of a short-term connection, since UDP mostly carries Request/Response-based protocols with which a client directs its requests to a well-known port of a server (e.g. 53 for DNS), which in turn sends its responses to the source port selected by the client:

Client port | Connection | Server port
12345 | Request → | 53
12345 | ← Response | 53

However, if the server wants to send larger sets of data (e.g. TFTP) and would not like to or can not diff…
…nd etc.), logouts, and any errors that occurred during this.
- Connections: Messages about establishment and termination of connections, and any errors that occurred (display trace).
- Accounting: Accounting information stored after termination of a connection (user, online time, transfer volumes).
- Administration: Messages on changes to the configuration, remotely executed commands, etc.
- Router: Regular statistics about the most frequently used services (breakdown per port number) and messages about filtered packets, routing errors, etc.

Priority
- Alert: This is a collection of messages of interest to the administrator (general SYSLOG priority: PANIC, ALERT, CRIT).
- Error: At this level all error messages which can occur under normal conditions are communicated; no special attention is required by the administrator (e.g. connection errors; general SYSLOG priority: ERROR).
- Warning: This level communicates messages which do not compromise normal operating conditions (general SYSLOG priority: WARNING).
- Information: At this level all messages are sent that have a purely informational character (e.g. accounting; general SYSLOG priority: NOTICE, INFORM).
- Debug: Communication of all debug messages. Debug messages generate large data volumes and can compromise the device's operation. For this reason they should be disabled for normal…
…and port to an IP address from the LAN as the target and the port (map port) to be used in the LAN.

Note: If 0 is entered for the map port, the ports used in the LAN will be the same as those used in the WAN. If a port range is to be mapped, then the map port identifies the first LAN port to be used. For example, mapping the port range 1200 to 1205 to the internal map port 1000 means that the ports 1000 to 1005 will be used for data transfer in the LAN.

Note: Port mapping is static, meaning that two ports or port ranges cannot be mapped to the same map port of a target computer in the LAN. The same port mapping can be used for different target computers.

LANconfig

When using LANconfig for the configuration, you will find the service list in the configuration area IP Router on the Masq tab under the button Service list.

[Screenshot: Configure Router, tab Masq, with the masquerading options (TCP aging, UDP aging, ICMP aging, IPSec aging, Fragment aging in seconds), the Service list (columns First port, Last port, Address, Map port, Active, Comment) and the Edit Entry dialog: "You can make individual services (a WebServer, for in…) … outside your network by s…"]
…and the settings for the PPPoE server under the following paths:
WEBconfig: Expert configuration > Setup > PPPoE server
Terminal/Telnet: Setup/PPPoE server

- Operating: The Operating button switches the server on or off. The default value is Off.
- Service: The name of the service offered is entered under Service. This enables a PPPoE client to select a certain PPPoE server that is entered for the client.
- Session limit: The Session limit specifies how often a client can be logged on simultaneously with the same MAC address. Once the limit has been reached, the server no longer responds to the client queries that are received. Default value is 1, maximum value 99. A Session limit of 0 stands for an unlimited number of sessions.
- Name list: Different parameters such as shorthold time and MAC address can be assigned to users in the name list.
Note: A MAC address of 000000000000 means that the user may log on with any MAC address. If a MAC address is entered, then the PPP negotiation is terminated if the user logs on from a different MAC address. The user's shorthold time is set after the logon. If no entry exists, then the time belonging to user DEFAULT is used. In addition to this table, an entry has to be made in the PPP table, in which the password, the rights (IP, IPX, NetBIOS) and other PPP parameters (LCP polling) are entere…
[Screenshot residue: QoS settings of a Firewall rule with bandwidth in kbit per second, Per connection / Global, Fragmentation of other packets, Max. packet size (bytes), Reduction of PMTU (bytes)]

According to your selection of the DSCP type (BE, CS, AF, EF), the valid values can be adjusted in additional drop-down lists. Alternatively, the DSCP decimal value can be entered directly. A table listing valid values can be found under What is DiffServ (page 313).

WEBconfig/Telnet

For configuration with WEBconfig or Telnet, the parameters are entered at the following places into a new Firewall rule:
Configuration tool: Run
WEBconfig: Setup > IP router > Firewall > Rule list
Telnet: Setup/IP router/Firewall/Rule list

The Firewall rule is extended by the condition d and the DSCP (Differentiated Services Code Point). The code point can either be indicated with its name (CS0 to CS7, AF11 to AF43, EF or BE) or its decimal resp. hexadecimal depiction. Expedited Forwarding can therefore be indicated as dEF, d46 or d0x2e. Furthermore, the collective names CSx resp. AFxx are possible.

Examples:
- Lcds0 dAFxx A: Accept; secured transmission on DiffServ AF, limit 0
- Qcds32 dEF: Minimum bandwidth for DiffServ EF of 32 kbps
- Fprw256 dEF: PMTU reduction for reception for DiffServ EF to 256 bytes
…connect the device to a computer.
- On the computer, start a terminal program such as Hyperterminal.
- Open a connection with the settings 115200 bps, 8n1, hardware handshake (RTS/CTS).
- In the terminal program's welcome screen, press the Return key until the request to enter the password appears.
- Enter the serial number that is displayed under the firmware version and press Return again.

Please observe the following hints when using a terminal program over the serial interface:
- The models BAT54-F and BAT54-F X2 feature a reduced serial interface (Rx, TX, ground only), hence the hardware handshake has to be deactivated.
- The BAT54-Rail features a fully fledged serial interface which supports the hardware handshake of the terminal program.

Caution: If the hardware handshake is not well configured, some characters may get lost while transmitting script or configuration files, resulting in a damaged device configuration. In contrast, the firmware upload will work even with a wrongly configured hardware handshake, because the X-Modem protocol ensures a secure data transmission.

[Terminal output: "Outband-115200 Bit/s OK", device banner "LANCOM L-54ag Wireless, Ver. 7.26.0002 / 19.09.2007, SN. 013020600159, Copyright (c) LANCOM Systems", "Connection No.: 001 (Outband-115200 Bps)", the Password prompt, "System is going down" and the FLASHROM Upload message]
…connection with LCP (see the following section). This is specified in multiples of 10 seconds, i.e. 2 for 20 seconds, for instance. The value is simultaneously the time between two verifications of the connection to CHAP. Enter this time in minutes. The time must be set to 0 for remote sites using a Windows operating system.
- Retr.: Number of retries for the check attempt. You can eliminate the effect of short-term line interference by selecting multiple retries. The connection will only be dropped if all attempts are unsuccessful. The time interval between two retries is 1/10 of the time interval between two checks. Simultaneously, this is the maximum number of Configure requests that the router sends before it assumes a line error and clears the connection itself.
- Conf., Fail., Term.: These parameters are used to affect the way in which PPP is implemented. The parameters are defined in RFC 1661 and are not described in greater detail here. You will find troubleshooting instructions in this RFC in connection with the router's PPP statistics if you are unable to establish any PPP connections. The default settings should generally suffice. These parameters can only be modified via LANconfig, SNMP or TFTP.

11.11 DSL Connection with PPTP

Some DSL providers enable dial-in over PPTP (Point-to-Point Tunneling Protocol) instead of PPPoE. PPTP is an extension of PPP, partly developed by Microsoft. With PPTP it is possible to build up a…
[Screenshot: Telnet window with a pasted script at the script> prompt (set commands under Setup/Interfaces/WLAN interfaces, followed by flash, done and exit) and the window's edit menu (Mark, Paste, Select All, Scroll)]

- Paste the commands from the Clipboard following the script prompt (script>), in Telnet for example with a right mouse click on the upper frame of the window.
- Entering the command exit executes the configuration commands.

Note: If the command exit is already included in the commands, after pasting the execution of the configuration will be carried out automatically, immediately after pasting.

Upload script with TFTP client

During a console session (e.g. via Telnet or SSH), TFTP commands can be used to upload script files to the device directly from a TFTP server:
- Log on to the console with Supervisor rights.
- Enter the following command at the prompt: loadscript -s <IP address> -f script.lcs
  <IP address> is the address of the TFTP server where the script file is stored; script.lcs is the name of the script file on the TFTP server.

Upload script with LANconfig

LANconfig has the option to upload a script either to a single device or to multiple devices simultaneously. Click on a device with the right mouse key and use the…
…generated for IP networks with the same interface tag. The network type must also be set to Intranet. Values: 0 to 65535. Default: 0. Particular values: 0 = untagged.

Note: Untagged networks (with the interface tag 0) can see all other networks. Tagged networks, on the other hand, can only see networks with the same interface tag. Networks of the type DMZ are visible to all other networks irrespective of the interface tag being used. Because the networks generally host web servers, for example, any limitation on accessibility would be senseless.

- Comment: Comment on the defined network (64 characters).

11.7 Changes in other services

A change of network definition influences a number of internal services in the BAT Router, such as the DHCP server, RIP, NetBIOS proxy etc., because these services have to behave differently at the various interfaces. For example, the DHCP server has to be able to distribute addresses suitable for the network, or the NetBIOS proxy is not to be active in the DMZ. For this reason these services have to be configured separately for each network.

11.7.1 DHCP server

The DHCP server in the BAT Router can assign the necessary address information, such as IP addresses, netmask, gateway or name server, to the clients in the network. The BAT Router can also operate as a DHCP relay agent and as a DHCP…
452. net. The LAN workstations only see the proxy, the workstations of the Internet likewise. This physical separation of LAN and WAN makes it quite difficult for attackers to intrude into the protected network.
Applied to the porter example: the packet will be left at the gate; the courier is not allowed to enter the company premises. The porter takes the packet, will open it after checking address and delivery note, and will also control the content. When the packet has taken these hurdles successfully, then the company-internal courier will bring it himself to the addressee in the company. He became proxy of the courier on company premises. The other way around, all employees wanting to send a packet have to inform the porter, who has to collect the packet at the workplace and who will hand over the packet to the ordered courier at the gate.
Note: Functions of Application Gateways are not supported by the BAT, mainly because of the high hardware demands.
8.3 The BAT Firewall
After general explanations concerning the dangers of the Internet and the tasks and types of Firewalls, this chapter describes special functions of the BAT Firewall and concrete configurations. For BAT devices with VoIP functions that were already integrated or added in with a software option, the ports required for voice connections are activated automatically.
8.3.1 How the BA
453. net under the following paths:
Configuration tool / Menu/Table
WEBconfig: Expert configuration > Setup > WLAN module > Access list
Terminal/Telnet: Setup/WLAN module/Access list
3.7.6 Geometric dimensioning of outdoor wireless network links
The following basic questions must be answered when designing wireless links:
What antennas must be used for the desired application?
How must the antennas be positioned to ensure a problem-free connection?
What performance characteristics do the antennas need to ensure sufficient data throughput within the legal limits?
Positioning the antennas
Antennas do not broadcast their signals linearly, but within an angle that depends on the model in question. The spherical expansion of the signal waves results in amplification of or interference to the effective power output at certain intervals of the connection between the transmitter and receiver. The areas where the waves amplify or cancel themselves out are known as Fresnel zones.
[Figure: Fresnel zones 1 to 3 between transmitting and receiving antenna; radius R, distance d, obstruction]
The Fresnel zone 1 must remain free from obstruction in order to ensure that the maximum level of output from the transmitting antenna reaches the receiving antenna. Any obstructing element protruding into this zone will
455. networks
IGMP: Information concerning Internet Group Management Protocol
WLAN: Information concerning wireless networks
IAPP: Trace for Inter Access Point Protocol; shows information concerning WLAN roaming
DFS: Trace for Dynamic Frequency Selection
Bridge: Information concerning WLAN bridge
EAP: Trace for EAP
Spgtree: Information concerning Spanning Tree Protocol
LANAUTH: LAN authentication (e.g. Public Spot)
VPN-Status: IPSec and IKE negotiation
VPN-Packet: IPSec and IKE packets
6.1.4 Combination commands
This combination command brings up the following display for the trace:
All: all trace outputs
Display: status and error outputs
Protocol: PPP outputs
TCP-IP: IP-Rt, IP-RIP, ICMP and ARP outputs
IPX-SPX: IPX-Rt, RIP, SAP, IPX-Wd, SPX-Wd and NetBIOS outputs
Time: displays the system time in front of the actual trace output
Source: includes a display of the protocol that has initiated the output in front of the trace
Any appended parameters are processed from left to right. This means that it is possible to call a parameter and then restrict it.
6.1.5 Trace filters
Some traces, such as the IP router trace or the VPN trace, produce a large number of outputs. The amount of output can become unmanageable. The trace filters allow you to sift out the information that is important to you. A trace fil
456. nfiguration commands in the script file initially affect the configuration that is stored in the device's RAM only. The flash mode then determines whether or not the changes are to be made to the flash memory as well.
> In Flash Yes mode (standard), the configuration commands are directly written to the device's flash memory and are thus non-volatile, i.e. boot-resistant. Since the flash mode is always ON with the other methods of configuration (console without script, LANconfig or WEBconfig), the configuration changes are written first to the RAM memory and then immediately to the flash memory.
[Figure: configuration for operating the BAT; script commands in the script memory, configuration in RAM (deleted upon booting), configuration in flash (not deleted upon booting)]
> In Flash No mode, the data are written to RAM only and are thus available only until the next boot.
> During the boot process, the device reads the configuration data from the flash memory. The configuration in the RAM can be written to the flash memory at any time with the command Flash Yes.
While operating, BAT devices work with the information stored in the RAM configuration. The script commands stored in the intermediate memory are, just like the configuration in the flash memory, of no relevance to the rea
457. ng as a DHCP server in the network. Errors in the configuration (e.g. invalid pool limits) will cause the DHCP server to be deactivated.
Note: Only use this setting if you are certain that no other DHCP server is active in the LAN.
Client mode: The DHCP server is deactivated; the device behaves as a DHCP client and obtains its address from another DHCP server in the LAN.
Note: Only use this setting if you are certain that another DHCP server is in the LAN and actively assigning IP addresses.
Relay requests: The DHCP server is active and receives requests from DHCP clients in the LAN. The device does not respond to requests but forwards them to a central DHCP server elsewhere in the network (DHCP relay agent mode).
Default: Automatic
Broadcast bit check: This setting decides whether the broadcast bit from clients is to be checked. If the bit is not checked, then all DHCP messages are sent as broadcasts. Default: Off
Addresses for DHCP clients: The start and end addresses define the address pool which is available to the clients. When a client is activated in the network and requests an IP address by DHCP, the device with an activated DHCP server will offer to issue an address. This address is selected from the pool of valid IP addresses. A computer which received an IP address in the past requests this address again, and as
458. ng values:
new: The computer has made its initial request. The DHCP server verifies the uniqueness of the address that is to be assigned to the computer.
unknown: While verifying uniqueness it was determined that the address has already been assigned to another computer. Unfortunately the DHCP server has no means of obtaining additional information on this computer.
static: A computer has informed the DHCP server that it has a fixed IP address. This address can no longer be used.
dynamic: The DHCP server assigned the computer an address.
12.2 Vendor Class and User Class Identifier on the DHCP Client
The DHCP client in BAT can insert additional information in the DHCP request sent, which simplifies request recognition within the network.
The vendor class identifier (DHCP option 60) shows the device type. The vendor class ID is always transmitted.
The user class identifier (DHCP option 77) displays a user-defined string which can be entered under Setup/DHCP or, in LANconfig, in the configuration area under TCP/IP on the DHCP tab in the User Class ID field (default: empty). The user class ID is only transmitted when the user has configured a value.
[Screenshot: LANconfig dialog "New Configuration for LANCOM L-54g Wireless", TCP/IP, DHCP tab, DHCP server enabled: Auto]
459. nges directly to the subsidiary device. The WAN RIP table has been extended for configuring the triggered update in the WAN.
RFC 2091: This setting defines whether updates should be carried out in line with RFC 2091. Possible values: Yes, No. Default: No.
Gateway: IP address for the next available router. Possible values: Valid IP address. Default: 0.0.0.0. Special values: If 0.0.0.0 is entered, the gateway address is determined from PPP negotiation.
Note: In a router at the central location, RFC 2091 can be switched off and the gateway can remain on 0.0.0.0, because the central location always observes the requests from the subsidiaries.
Note: The BAT automatically reverts to standard RIP if the indicated gateway does not support RFC 2091.
Poisoned reverse
Poisoned reverse prevents routing loops from forming. An update is sent back to the router that propagated the route to inform it that the network is unreachable at the associated interface. However, this has a significant disadvantage over WAN connections: the central location transmits a high number of routes which would then suffer from route poisoning, leading to a heavy load on the available bandwidth. For this reason, poisoned reverse can be manually activated for every LAN/WAN interface. The LAN and WAN RIP tables have been extended for the configuration of poisoned reverse.
460. ngs is communicated as the backup DNS server.
NBNS default: IP address of the NetBIOS name server for the forwarding of NetBIOS requests. Default: 0.0.0.0. The IP address of the BAT Router in this network is communicated as the NBNS server if the NetBIOS proxy is activated for this network. If the NetBIOS proxy is not active for this network, then the IP address in the global TCP/IP settings is communicated as the NBNS server.
NBNS backup: IP address of the backup NBNS name server for the forwarding of NBNS requests in the event that the first name server should fail. Default: 0.0.0.0. The IP address from the global TCP/IP settings is communicated as the backup NBNS server.
Forwarding DHCP requests
Server address: This is where the IP address for the superordinate DHCP server is entered when the mode Relay requests is selected.
Caching of server responses: This option allows the responses from the superordinate DHCP server to be stored in the BAT Router. Subsequent requests can then be answered by the BAT Router itself. This option is useful if the superordinate DHCP server can only be reached via a connection which incurs costs.
Adaption of server responses to the local network: This option allows the responses from the superordinate DHCP server to be adapted to the local network. When activated, the BAT Router adapts the re
461. ning
Src addr: Source address of the connection.
Dst addr: Destination address of the connection.
Protocol: Used protocol (TCP, UDP etc.). The protocol is indicated in decimal.
Src port: Source port of the connection. The port is only indicated with port-related protocols (TCP, UDP) or protocols which own a comparable field (ICMP, GRE).
Dst port: Destination port of the connection; with UDP connections this one is occupied only with the first answer.
Timeout: Each entry ages out with the time of this table, thus the table does not overflow with dead connections.
Flags: In the flags, the condition of the connection and further internal information are stored in a bit field (see page 300). As conditions the following values are possible: new, establish, open, closing, closed, rejected (corresponding to the TCP flags SYN, SYN ACK, ACK, FIN, FIN ACK and RST). UDP connections know the conditions new, open and closing, the last one only if the UDP connection is linked with a condition-afflicted control path. This is e.g. the case with protocol H.323.
Src route: Name of the remote station over which the first packet has been received.
Dst route: Name of the remote station where the first packet will be sent to.
Filter rule: Name of the rule which has generated the entry; determines also the actions to be executed when a suitable packet is received.
Meaning of the flags of the connection list F
462. not a member of this VLAN. Values: On, Off. Default: On.
Port VLAN ID: This port ID has two functions: Untagged packets received at this port in Mixed or Ingress-mixed mode are assigned to this VLAN, as are all ingress packets received in Never mode. In the Mixed mode, this value determines whether outgoing packets receive a VLAN tag or not: Packets assigned to the VLAN defined for this port are given no VLAN tag; all others are given a VLAN tag. Values: 1 to 4094. Default: 1.
11 Routing and WAN connections
This chapter describes the most important protocols and configuration entries used for WAN connections. It also shows ways to optimize WAN connections.
11.1 General information
WAN connections are used for the following applications: Internet access; LAN to LAN coupling; Remote access.
11.1.1 Bridges for standard protocols
WAN connections differ from direct connections (for example via the LANCAPI) in that the data in the WAN are transmitted via standardized network protocols also used in the LAN. Direct connections, on the other hand, operate with proprietary processes that have been specially developed for point-to-point connections. Via WAN connections a LAN is extended, and with direct connections only one individual PC establishes a
463. not make use of client certificates, and it utilizes the existing TLS tunnel to authenticate the client. The LCOS RADIUS server supports the following TTLS methods: PAP, CHAP, MSCHAP, MSCHAPv2, EAP (preferably EAP-MD5).
EAP-PEAPv0 (defined in draft-kamath-pppext-peapv0-00.txt): Similar to TTLS, PEAP is based on TLS and works with an EAP negotiation inside the TLS tunnel.
Note: Please note that although PEAP enables the use of any authentication method, the LCOS RADIUS server only supports MSCHAPv2 for tunneling.
At this time authentication methods cannot be suppressed. The EAP supplicant and the RADIUS server negotiate the EAP method with the standard EAP mechanism. Clients requesting a non-EAP method will be rejected by the RADIUS server.
12.10.3 RADIUS forwarding
In the case of multi-layer EAP protocols such as TTLS or PEAP, the actual internal authentication can be carried out by a separate RADIUS server. Thus an existing RADIUS server can continue to be operated to provide user tables, even though it is not EAP-TLS capable itself. In this situation the TLS (TTLS/PEAP) tunnel is managed from the LCOS RADIUS server. The configuration of multi-layer protocols of this type is an element of a general method for the forwarding of RADIUS requests, whereby a LCOS RADIUS server can also be used as a RADIUS proxy. The concept of realms is the basis for request forwarding and the proxy function. A realm is a character string which de
464. now available as a script file and can be altered as required.
Please observe the following hints when using a terminal program over the serial interface:
The models BAT54 F and BAT54 F X2 feature a reduced serial interface (Rx, Tx, ground only); hence the hardware handshake has to be deactivated.
The BAT54 Rail features a fully fledged serial interface which supports the hardware handshake of the terminal program.
Caution: If the hardware handshake is not well configured, some characters may get lost while transmitting script or configuration files, resulting in a damaged device configuration. In contrast, the firmware upload will work even with a wrongly configured hardware handshake, because the X-Modem protocol ensures a secure data transmission.
Download script from device
Installations with multiple BAT devices often profit from the automatic execution of certain configuration tasks. The scripting function in BAT enables entire sets of commands for device configuration to be stored in a single file (a script) for transfer to one or more devices in one step.
Note: Detailed information about scripting can be found under the section Scripting in the chapter on Network Management with LANtools in the user manual Configuration.
In addition to manually setting a script and console read-outs, script files can also be read out from
465. ns that the user data must be entered before information about the device status etc. can be accessed over SNMP.
LANmonitor: User information can be entered in LANmonitor separately for each device. To do this, click with the right-hand mouse key on the required device, select the Options point from the context menu and enter your user data.
[Screenshot: LANmonitor options dialog, General tab, with device information (device, vendor, IP address) and the authentication fields Administrator and Password]
Note: The administrator may only be specified if an administrator account has been configured in the device.
Access rights in LANmonitor depend on the rights possessed by the user:
A supervisor has full access to the information in LANmonitor and can execute actions such as closing a connection, among others.
A local administrator also has full access to the information in LANmonitor and can execute actions such as closing a connection, among others.
A user with read-only rights can view the information in LANmonitor but cannot take any actions such as closing a connection.
A user without rights has no SNMP access to the device's information.
LANconfig: For configuration with LANconfig you will find the sw
466. nsion by roaming function
The area in which mobile stations can get in touch with a base station is called radio cell. If the range of a radio cell is no longer sufficient to serve all mobile stations of a wireless network, several base stations can be brought into action. It is possible to change from one radio cell into another without interruption of the network connection. The transmission of roaming information and data between the base stations is enabled by the wired LAN connection.
[Figure: mobile station leaves radio cell A and changes into radio cell B; the base stations of radio cell A and radio cell B are connected via LAN; workstation in radio cell A]
In the example above, the roaming function of the mobile station enables the access to the workstation in radio cell A also after changing into radio cell B. After the radio cell change, the base station in radio cell B passes on the data of the mobile station via LAN to the base station in radio cell A. From there they arrive via radio at the workstation in radio cell A. In this way the connection between both devices remains in existence at any time. A Wireless LAN can consist of as many radio cells as desired. Thus the extension of a Wireless LAN is unlimited.
Base station as router
The BAT Wireless Router base station possesses a WAN connector for all current broadband modems w
467. nt
[Screenshot: e-mail notification dialog with the field Recipient's e-mail addresses (admin@company.com) and a Send test e-mail button]
An e-mail shall be sent automatically without further user interaction. Hence it is necessary that an e-mail application is configured as standard mail application. The authentication data has to be stored in the account settings. Furthermore it has to be assured that another application is permitted to send an e-mail using this e-mail application. MS Outlook Express and Mozilla Thunderbird are possible e-mail applications. To test the e-mail notification it is possible to send a test e-mail.
Configuration tool / Call: WLANmonitor: Tools > Options > Alerts
E-mail messaging: Activate this option if you would like the WLANmonitor to report unknown or unconfigured access points via e-mail.
Recipient e-mail addresses: Enter the e-mail address(es) of the administrators here that should be informed in the event of rogue AP detection. Multiple e-mail addresses should be separated by commas.
Note: In order to send e-mail alerts, the computer on which WLANmonitor is running requires a standard e-mail client (MS Outlook Express or Mozilla Thunderbird) that allows automatic mail transmission to be configured and running.
Send a test e-mail: Some mail clients require a confirmation from the user before sending via third-party applicati
468. ntee that your server services are available equally to many users at the same time, a certain maximum bandwidth per each server connection is set.
Combination possible: Minimum and maximum bandwidths can be used together in combination. Thus the available bandwidth can be distributed accordingly depending on your requirements, e.g. on certain user groups or applications.
9.3 The queue concept
9.3.1 Queues in transmission direction
Quality of Service requirements are realized in LCOS by using different queues for the data packets. For the transmission side, the following queues are utilized:
Urgent queue: This queue is always processed first, before all others. The following data packets are handled here: Packets with ToS Low Delay; Packets with DiffServ Expedited Forwarding; All packets that have been assigned a certain minimum bandwidth, as long as the guaranteed minimum bandwidth is not exceeded. TCP control packets can likewise be dispatched by this queue preferentially (see SYN/ACK speedup, page 365).
Urgent queue II: This is for all packets that have been assigned a guaranteed minimum bandwidth but whose connection has exceeded this minimum bandwidth. As long as the interval for the minimum bandwidth is not exceeded (i.e. up to the end of the current second), all packets in this queue are treated without further
469. nterface which supports the hardware handshake of the terminal program.
Caution: If the hardware handshake is not well configured, some characters may get lost while transmitting script or configuration files, resulting in a damaged device configuration. In contrast, the firmware upload will work even with a wrongly configured hardware handshake, because the X-Modem protocol ensures a secure data transmission.
5.3.5 Multiple parallel script sessions
The BAT can manage multiple simultaneous script sessions. Just as multiple console sessions can be run simultaneously on a single device, different scripts can also access the BAT at the same time. Parallel script sessions are especially useful in the following scenarios:
Script 1 initiates a time-delayed reboot of the device, after 30 minutes for example. A second script (script 2) is active during the device's run time and changes its configuration for test purposes (the flash mode is deactivated for this). If the changes in configuration from script 2 make the device unattainable, then the restart prompted by script 1 30 minutes later causes these changes to be rejected.
When using different scripts for partial configurations, multiple scripts can be started simultaneously, for example with cron jobs. The individual configuration tasks do not need to be delayed until the previous script has comple
470. nterfaces > Modem Parameters
Terminal/Telnet: Setup/Interfaces/Modem parameters
Entering special characters in the console: For a GPRS dial-up, the initialisation strings require the entry of inverted commas and equal signs. Certain special characters (e.g. space) can be correspondingly marked with a leading backslash. Example: cgdcont=1,"IP","internet.t-d1.de", with each inverted comma and the equal sign preceded by a backslash. As an alternative, the entire command sequence can be enclosed within inverted commas. In this case, those inverted commas which are inside the surrounding inverted commas must be preceded by a backslash.
11.14.6 Direct entry of AT commands
The command sendserial AT... allows you to use Telnet to send a character string directly to a modem that is connected to the BAT. This function allows you to send any AT commands to the modem.
Note: Sending AT commands is possible in the internal modem state "idle" or "Modem ready" only. The responses can be found in the serial trace (Trace output, page 450).
11.14.7 Statistics
Statistics about activities of the serial interface can be accessed with a terminal program or Telnet under Status/Modem Status. The statistics show the following states: the type of modem identified; the status of its last connection (e.g. the transfer rate, the transfer protocol used or the e
471. o effect again. The wireless configuration of a device with WLAN interface will only succeed after a reset if the standard WEP key is programmed into the WLAN adapter.
The reset button offers two basic functions (boot/restart and reset to the factory settings) which are called by pressing the button for different lengths of time. Some devices simply cannot be installed under lock and key. There is consequently a risk that the configuration will be deleted by someone pressing the reset button too long. With the suitable setting, the behavior of the reset button can be controlled accordingly.
Configuration tool / Call: WEBconfig, Telnet: Expert configuration > Setup > Config
Reset button: This option controls the behavior of the reset button when it is pressed.
Ignore: The button is ignored.
Note: Please observe the following notice. The settings Ignore or Boot only make it impossible to reset the configuration to the factory settings using the reset button. If the password is lost for a device with this setting, there is no way to access the configuration. In this case the serial communications interface can be used to upload a new firmware version to the device; this resets the device to its factory settings, which results in the deletion of the former configuration. Instructions on firmware uploads via the serial configuration interface are available on page 147.
Boot only: A press of the button pr
472. oS is using the first three bits to describe the priorities (precedence 0 to 7) as well as four further bits (the ToS bits) to optimize the data stream, e.g. Low Delay and High Reliability. This model is rather inflexible, and this is why it has been used quite rarely in the past.
The DiffServ model uses the first 6 bits to make distinctions of different classes. Up to 64 gradings are thus possible (Differentiated Services Code Point, DSCP), which enable a finer prioritisation of the data stream.
To ensure downward compatibility with ToS implementations, the previous precedence levels can be depicted with the Class Selectors CS0 to CS7. Thereby the level CS0 denotes so-called Best Effort (BE) and stands for usual transfer of data packets without special treatment.
The Assured Forwarding classes are used for a secured transfer of data packets. The first digit of the AF class describes the priority of the transfer (1 to 4), the second digit the drop probability (1 to 3). Packets with AFxx marking are transferred in a secured way and thus not dropped.
Finally, the class Expedited Forwarding marks those packets that shall be transferred preferentially before all other packets.
Code point / DSCP bits / Dec:
CS0 (BE) / 000000 / 0
CS1 / 001000 / 8
AF11 / 001010 / 10
AF12 / 001
AF33 / 011110 / 30
473. ods, according to the connections available:
Through the connected network (LAN as well as WAN): inband
Through the configuration interface (config interface) on the rear of the router, also known as outband
Remote configuration via ISDN access or modem (analog or GSM with BAT Modem Adapter Kit)
What is the difference between these three possibilities? On one hand, the availability: Configuration via outband is always available. Inband configuration is not possible, however, in the event of a network fault. Remote configuration is also dependent on an ISDN connection.
On the other hand, whether or not you will need additional hardware and software: The inband configuration requires one of the computers already available in the LAN or WAN as well as only one suitable software such as LANconfig or WEBconfig (see following section). In addition to the configuration software, the outband configuration also requires one of the computers with a serial port. The preconditions are most extensive for ISDN remote configuration: In addition to an ISDN-capable BAT, an ISDN card is needed in the configuration PC, or alternatively access via LANCAPI to an additional BAT that is ISDN capable.
4.2 Configuration software
Situations in which the device is configured vary, as do the personal requirements and preferences of the person doing the configu
474. of the configuration with the commands in the command line are written directly into the boot-resistant flash memory of the device (flash yes). If the update of the configuration is inhibited by the flash (flash no), the changes are only saved in the RAM and are deleted when booting. (Flash Yes/No, page 193)
history: Shows a list of the previously executed commands. With the command !n, the command of the list with the number n is directly executed. For instance, !3 specifies the third command of the list.
killscript: Deletes the not yet processed contents of a script session. The script session is specified by its name. (Scripting, page 181)
loadconfig: Load the configuration via TFTP client into the device.
loadfirmware: Load firmware via TFTP client into the device.
loadscript: Load script via TFTP client into the device.
passwd: Change the passwords.
passwd -n new old: Change password without prompt.
ping IP address: Issues an ICMP echo request to the specified IP address.
readconfig: Display the complete configuration of the device in readconfig syntax.
readmib: Display SNMP Management Information Base.
readscript [-n] [-d] [-c] [-m] [path]: Display all commands and parameters which are important for the configuration of the BAT in present state. (Scripting, page 181)
repeat VALUE <command>: Repeats command every VALUE seconds until
475. of the remote sites.
Configuration with LANconfig: For configuration with LANconfig you will find the settings for P2P connections under the configuration area Interfaces on the Wireless LAN tab.
Note: The configuration of the P2P connections can also be carried out with the WLAN Wizards in LANconfig.
Click on the button Physical WLAN settings to open the corresponding WLAN interface and select the tab for Point-to-Point. Activate the suitable point-to-point operation mode here and set the channel selection scheme to either Master or Slave. If the peers of the P2P connections are to be identified via their station names, then enter a unique name for this WLAN station.
[Screenshot: Physical WLAN settings, Point-to-Point tab, with the following fields]
Point-to-Point operation mode:
Off: This access point can only communicate with mobile stations.
On: This access point can also communicate with other access points to connect several local wireless networks.
Exclusive: This access point can only communicate with other access points; mobile stations cannot connect to this access point (pure WLAN bridge).
Station name: P2P_MASTER
Configure the Point-to-Point partners outside this dialog in the corresponding table.
Do not forward among P2P links on the same interface.
Channel Selection Scheme: Master
Close the physical WLAN settings and open the list of Point-to-point partners. For each of the maximum of six P2P connection
476. ...if a log action was specified for the receipt of a packet, or a report by e-mail, Syslog or SNMP was generated, then this event is held in the logging table.
BAT54 Rail F, Release 7.54 06/08. Firewall, 8.3 The BAT Firewall.
If you call up the logging table via LANmonitor it looks like the following depiction:
[Screenshot: LANmonitor Firewall Event Log with the columns Idx., System time, Source address, Dest. address, Prot., Source port, Dest. port, Filter rule and Limit. The sample entries, dated 2/4/2004 between 11:45 and 12:12, show UDP (protocol 17) packets from stations in 10.1.x.x to the multicast address 224.0.0.9 (RIP, port 520) and to the broadcast address 255.255.255.255 (BOOTP, ports 67/68; NetBIOS, port 137), each matched by a filter rule whose name begins with "intruder de" (truncated in the screenshot) with the limit "Immediately".]
477. ...logical networks to be separated from one another even though they use the same physical medium (Ethernet).
The differences between routing tags and interface tags
Routing tags as assigned by the firewall and interface tags as defined by the IP networks have a great deal in common, but also some important differences:
The router interprets both tags in the same way. Packets with the interface tag 2 are valid for routes with the routing tag set to 2 in the routing table and for all routes with the default route tag 0. The same routes apply for packets to which the firewall has assigned the routing tag 2. Thus the interface tag is used in the same way as a routing tag.
Interface tags have the additional ability to delimit the visibility or accessibility between different networks. In principle only networks with the same interface tag are visible to one another and thus able to interconnect.
Networks with the interface tag 0 have a special significance: they are in effect supervisor networks. These networks can see all of the other networks and can connect to them. Networks with an interface tag not equal to 0 cannot make connections to supervisor networks, however.
Networks of the type DMZ are visible to all other networks independent of any interface tags; this is useful as the DMZ often hosts public servers such as web servers. The DMZ networks themselves can only see networks with the same interface tag.
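The visibility rules above are easy to get wrong when planning a multi-tenant setup, so here is a small model of them as an added example. It is not code from the BAT manual or from the device firmware; the network names and tags (ADMIN, SALES, DEV, DMZ) are constructed sample data, and the function only encodes the rules stated in this section.

```python
# Added example (not from the BAT manual): a small model of the interface-tag
# visibility rules described above. Network names and tags are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Network:
    name: str
    tag: int            # interface tag; 0 marks a supervisor network
    dmz: bool = False   # network type DMZ


def can_reach(src: Network, dst: Network) -> bool:
    """True if a station in src may open a connection to a station in dst."""
    if src == dst:
        return True
    if dst.dmz:
        # DMZ networks are visible to every network, whatever its tag
        return True
    if src.dmz:
        # a DMZ itself only sees networks carrying its own interface tag
        return src.tag == dst.tag
    if src.tag == 0:
        # supervisor networks see and may connect to all other networks
        return True
    if dst.tag == 0:
        # tagged networks never reach a supervisor network
        return False
    return src.tag == dst.tag


def visibility_matrix(nets):
    """Map (source name, destination name) -> reachable, for a quick audit."""
    return {(s.name, d.name): can_reach(s, d) for s in nets for d in nets}


def exposed_to(nets, target: Network):
    """Names of the networks that can reach `target` (handy when reviewing a plan)."""
    return sorted(n.name for n in nets if n != target and can_reach(n, target))


if __name__ == "__main__":
    admin = Network("ADMIN", 0)
    sales = Network("SALES", 1)
    dev = Network("DEV", 2)
    dmz = Network("DMZ", 1, dmz=True)
    for (s, d), ok in sorted(visibility_matrix([admin, sales, dev, dmz]).items()):
        print(f"{s:6} -> {d:6}: {'reachable' if ok else 'blocked'}")
```

Running the matrix shows the two points a reviewer should check: nothing tagged can reach the supervisor network, and the DMZ, although reachable from everyone, only gets back to networks with its own tag (here SALES, tag 1, but not DEV or ADMIN).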
478. ...prompts a restart regardless of how long it is held down.
Reset or boot (standard setting): Press the button briefly to restart the device. Pressing the button for 5 seconds or longer restarts the device and resets the configuration to its factory settings. All LEDs on the device light up continuously. Once the button is released the device restarts with the restored factory settings.
Caution: This hard reset causes the device to start with the default factory settings; all previous settings are lost.
Caution: Note that resetting the device leads to a loss of the WLAN encryption settings within the device and that the default WEP key is active again.
4.8 Managing administrators' rights
Multiple administrators can be set up in the configuration of the BAT, each with differing access rights. For a BAT up to 16 different administrators can be set up.
Note: Besides these administrators set up in the configuration there is also the root administrator with the main password for the device. This administrator always has full rights and cannot be deleted or renamed. To log in as root administrator enter the user name root in the login window or leave this field empty.
As soon as a password is set for the root administrator in the device's configuration, WEBconfig displays the button Login that starts the login...
479. ...on.
9.4 Reducing the packet length
The FTP transfer uses quite large data packets of 1500 bytes, whereas the Voice over IP connection sends packets of e.g. 24 bytes net in relatively short intervals. If FTP packets are in the sending queue of the BAT just at the moment when a VoIP packet is to be transferred, the VoIP packet can only be sent after the line is free again. Depending on the transfer rate of the connection this may cause a noticeable delay of the speech transmission.
This annoying behaviour can be compensated for if all data packets which do not belong to the connection preferred by QoS are kept below a certain packet length. The data packets of the FTP connection are then divided into sections so small that the time-critical VoIP connection is able to deliver its packets without noticeable delay within the required time slots. The resulting delay has no disadvantageous effect on the TCP-secured FTP transfer.
Two different procedures exist to influence the packet length: The BAT can inform the peers of a data connection that they should only send data packets up to a certain length. Thereby an appropriate PMTU (Path Maximum Transmission Unit) is enforced on the sending side...
480. ...on | Access point | Client WLAN station has reconnected (was previously signed in to another access point).
RADIUS access check for WLAN station succeeded | Access point | Checking of RADIUS access for the WLAN station was successful.
RADIUS access check for WLAN station failed | Access point | Checking of RADIUS access for the WLAN station was unsuccessful.
WLAN traps (continued; Trap | Operating mode | Explanation):
Disassociated WLAN station due to station request | Access point | WLAN station was signed off due to a request from the station.
Rejected association from WLAN station | Access point | The sign-on of the WLAN station was rejected.
WLAN card hung, reset | Access point or client | WLAN card stopped, resetting.
13.3 Radio channels
13.3.1 Radio channels in the 2.4 GHz frequency band
In the frequency range from 2400 to 2483 MHz up to 13 channels are available. The following overview shows which channels are supported by the different regions (EU, WORLD). The last column shows which channels can be used without overlapping.
Channel | EU (ETSI) | WORLD (ETSI/FCC) | No overlapping with
1 | 2412 MHz | 2412 MHz | 6, 11
2 | 2417 MHz | 2417 MHz | 7
3 | 2422 MHz | 2422 MHz | 8
4 | 2427 MHz | 2427 MHz | 9
5 | 2432 MHz | 2432 MHz | 10
6 | 2437 MHz | 2437 MHz | 1, 11
7 | 2442 MHz | 2442 MHz | 2
8 | 2447 MHz | 2447 MHz | 3
9 | 2452 MHz | 2452 MHz | 4
10 | 2457 MHz | 2457 MHz | 5
11 | 2462 MHz | 2462 MHz | 1, 6
12 | 2467 MHz | - | -
13 | 2472 MHz | - | -
481. ...on tool. Call: LANconfig: Firewall/QoS > Rules > Stations. WEBconfig, Telnet: Expert Configuration > Setup > IP-Router > Firewall > Rules.
Example: Two local networks COMPANY and HOME are to be billed separately and so they use two Internet access accounts INTERNET-BIZ and INTERNET-HOME. Both networks have web servers which are to be accessible from the Internet. This scenario is covered by the following rules:
Name | Protocol | Source | Target | Action
HTTP-COMPANY | TCP | %Hinternet-biz | %Lcompany %S80 | %a
HTTP-PRIV | TCP | %Hinternet-home | %Lhome %S80 | %a
INET-COMPANY | ANY | %Lcompany | %Hinternet-biz | %a
INET-PRIV | ANY | %Lhome | %Hinternet-home | %a
The rule HTTP-COMPANY forces all incoming HTTP connections arriving via the INTERNET-BIZ connection for the company network to be directed over the interface COMPANY. Correspondingly the rule HTTP-PRIV forces incoming HTTP packets arriving over the connection INTERNET-HOME to be forwarded to the interface HOME. For outgoing connections the rule INET-COMPANY forwards outgoing packets from the company network to the connection INTERNET-BIZ. Similarly the rule INET-PRIV forces the remote site INTERNET-HOME to be used for all packets received from the home network. The networks for the connections INTERNET-BIZ and INTERNET-HOME are d...
482. ...on with DHCP. In order to operate smoothly in a TCP/IP network, all the devices in a local network must have unique IP addresses. They also need the addresses of DNS servers and NBNS servers as well as that of a default gateway through which data packets are routed to addresses that are not available locally. In a smaller network it is still conceivable that these addresses could be entered manually in all the computers in the network. In a larger network with many workstation computers, however, this would simply be too big a task. In such situations DHCP (Dynamic Host Configuration Protocol) is the ideal solution. Using this protocol a DHCP server in a TCP/IP-based LAN can dynamically assign the necessary addresses to the individual stations. The BAT devices have a built-in DHCP server which assigns the IP addresses in the LAN. If a DHCP server already exists in the local network, the device in DHCP client mode can alternatively obtain the required address information from that DHCP server.
12.1.1 The DHCP server
As a DHCP server the BAT can administer the IP addresses in its TCP/IP network. In doing so it passes the following parameters to the workstation computers: IP address, network mask, broadcast address, standard gateway, DNS server, NBNS server, period of validity for the parameters assigned.
483. ...LANconfig: TCP/IP > DHCP > DHCP networks. WEBconfig, Telnet: Expert configuration > Setup > DHCP > Network list.
Network name: The name of the network which the DHCP server settings apply to.
DHCP server operating: DHCP server operating mode in this network. Depending on the operating mode the DHCP server can enable or disable itself. The DHCP statistics show whether the DHCP server is enabled.
No: DHCP server is permanently switched off.
Automatic: With this setting the device regularly searches the local network for other DHCP servers. The LAN Rx/Tx LED flashes briefly while this search is in progress. If another DHCP server is discovered, the device switches its own DHCP server off. If the BAT router is not configured with an IP address, it switches into DHCP client mode and queries the LAN DHCP server for an IP address. This prevents unconfigured devices introduced into the network from unintentionally assigning addresses. If no other DHCP server is discovered, the device switches its own DHCP server on. If another DHCP server is activated later, the DHCP server in the BAT router is deactivated.
Yes: DHCP server is permanently switched on. When this value is entered the server configuration (validity of the address pool) is checked. If the configuration is correct the device starts operati...
484. ...configuration was successful.
Upload failed (timeout): The reading of the firmware or configuration failed; the maximum time was exceeded.
Upload failed (incomplete): The reading of the firmware or configuration failed; incomplete configuration.
Upload failed (bad device): The reading of the firmware or configuration failed; wrong device.
Configuration download started: Output of the configuration was started.
Download succeeded: Output of the configuration was successful.
Console login: Login to configuration successful.
Console logout: Logout from configuration was successful.
Firewall trap: Information about a firewall event.
Connection status: WAN connection status.
VPN connection status: Status of a VPN connection.
WAN Ethernet UP/DOWN: WAN interface available or not available.
WLAN traps (Trap | Operating mode | Explanation):
WLAN scan started | Access point or client | The WLAN station has started a scan for free radio channels.
Started WLAN BSS ID | Access point | The WLAN station has created a new radio cell.
Joined WLAN BSS ID | Client | The WLAN station has found a radio cell.
Authenticated WLAN station | Access point | The authentication of a client WLAN station was successful.
Deauthenticated WLAN station | Access point | The client WLAN station has signed off.
Associated WLAN station | Access point | Client WLAN station connected.
Reassociated WLAN stati...
485. ...long as a password hasn't been set, anyone can change the configuration of the device. For example, your Internet account information could be stolen or the device could be reconfigured in a way that bypasses its protection mechanisms.
Note: If a password has not been set, the Power LED flashes until the device has been configured correctly.
Tips for proper use of passwords: We would like to give you a few tips here for using passwords.
Keep a password as secret as possible. Never write down a password. The following, for example, are popular but completely unsuitable: notebooks, wallets and text files on computers. It sounds trivial but it can't be repeated often enough: don't tell anyone your password. The most secure systems surrender to talkativeness.
Only transmit passwords in a secure manner. A selected password must be communicated to the other side. To do this select the most secure method possible. Avoid non-secure e-mail, letter or fax. Informing people one-on-one is preferable. The maximum security is achieved when you personally enter the password at both ends.
Select a secure password. Use random strings of letters and numbers. Passwords from common language usage are not secure. Special characters such as & or _ make it difficult for potential attackers to guess your password and increase the security of the password.
Note: Capital and small letters are distinguished in the configuration pass...
486. ...ons. Test the alarm function with this button.
5.9 Messaging
The action table contains the following variables for controlling messaging when certain events occur in the BAT:
%a: WAN IP address of the WAN connection relating to the action
%H: Host name of the WAN connection relating to the action
%h: As %H, except that the host name is in small letters
%c: Connection name of the WAN connection relating to the action
%n: Device name
%s: Device serial number
%m: Device MAC address (as in Sysinfo)
%t: Time and date in the format YYYY-MM-DD hh:mm:ss
Example: Broken-connection alert as an SMS to a mobile telephone. The placeholder %t allows the current time of an event to be incorporated into a message. For example, an alert about the interruption of an important VPN connection can be sent by e-mail or as an SMS to a system administrator's mobile telephone. The following requirements have to be met for messaging: The status of the VPN connection must be monitored, for example by means of dead peer detection (DPD). The BAT has to be configured as an NTP client in order to have the current system time. An SMTP account must be set up for transmitting e-mails. Once these requirements are fulfilled, messaging can be set up. This is done with a new entry in the action table, e.g. with LANconfig under Communication > General > Action table.
487. ...ons, parts of the network or the entire LAN by which the stations can contact other networks, then...
11.9 N:N mapping
Some protocols (FTP, H.323) exchange parameters during their protocol negotiation which can influence the address translation for N:N mapping. For the address translation to function correctly, the connection information of these protocols is tracked by functions of the firewall in a dynamic table and is considered in addition to the entries of the static table.
Note: The address translation is made outbound, i.e. the source address is translated for outgoing data packets and the destination address for incoming data packets, as long as the addresses are located within the defined translation range. An inbound address mapping, whereby the source address is translated instead of the destination address, needs to be realized by an appropriate outbound address translation on the remote side.
11.9.1 Application examples
The following typical applications are described in this section: coupling of private networks utilizing the same address range; central remote monitoring by service providers.
Network coupling: A frequently occurring scenario is the coupling of two company networks which internally use the same address range (e.g. 10.0.0.x). This is often the case when one company should get...
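To make the outbound-only rule in the note concrete, here is an added example of static N:N translation for the network-coupling scenario. It is not code from the BAT manual or the device; the translated ranges 192.168.1.0/24 (our side) and 192.168.2.0/24 (the partner's side) are constructed for the example, and the dynamic tracking of FTP/H.323 negotiations by the firewall is not modelled.

```python
# Added example (not from the BAT manual): outbound N:N address translation as
# described above, with two coupled networks that both use 10.0.0.0/24. The
# translated ranges 192.168.1.0/24 and 192.168.2.0/24 are constructed for the
# example; the dynamic tracking of FTP/H.323 negotiations is not modelled.
import ipaddress
from typing import List, Tuple


class NNMapper:
    """Static N:N table of the local BAT: each entry maps a local range onto a
    translated range of the same size, preserving the host part of the address."""

    def __init__(self) -> None:
        self.table: List[Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]] = []

    def add(self, local: str, translated: str) -> None:
        loc, tr = ipaddress.ip_network(local), ipaddress.ip_network(translated)
        if loc.prefixlen != tr.prefixlen:
            raise ValueError("local and translated ranges must be the same size")
        self.table.append((loc, tr))

    def _translate(self, addr: str, to_translated: bool) -> str:
        ip = ipaddress.ip_address(addr)
        for loc, tr in self.table:
            src_net, dst_net = (loc, tr) if to_translated else (tr, loc)
            if ip in src_net:
                host = int(ip) - int(src_net.network_address)
                return str(ipaddress.ip_address(int(dst_net.network_address) + host))
        return str(ip)  # outside every defined range: left untouched

    def outbound(self, src: str, dst: str) -> Tuple[str, str]:
        """Outgoing packet: only the source address is translated."""
        return self._translate(src, True), dst

    def inbound(self, src: str, dst: str) -> Tuple[str, str]:
        """Incoming packet: only the destination address is translated back."""
        return src, self._translate(dst, False)


def local_mapper() -> NNMapper:
    """Side A presents its 10.0.0.0/24 to the partner as 192.168.1.0/24."""
    m = NNMapper()
    m.add("10.0.0.0/24", "192.168.1.0/24")
    return m


if __name__ == "__main__":
    m = local_mapper()
    # A station on side A addresses the partner's server by its *translated*
    # address 192.168.2.7; side B's own mapper turns that into 10.0.0.7 there.
    print(m.outbound("10.0.0.5", "192.168.2.7"))   # ('192.168.1.5', '192.168.2.7')
    print(m.inbound("192.168.2.7", "192.168.1.5"))  # ('192.168.2.7', '10.0.0.5')
```

Note that the partner's source address (192.168.2.7) is never touched by our mapper: as the note says, the "inbound" mapping of the partner's addresses is really the partner's own outbound translation, configured on the remote BAT.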
488. ...ons Agency | www.open.gov.uk/radiocom
Ireland | Commission for Communications Regulation (ComReg) | www.comreg.ie
Iceland | Post and Telecom Administration (PTA) | www.pta.is
Country | Organization | Link
Italy | Autorità per le garanzie nelle comunicazioni (AGCOM) | www.agcom.it
Latvia | Telecommunication State Inspection | www.vei.lv
Liechtenstein | Amt für Kommunikation (AK) | www.ak.li
Lithuania | Radio Administration | www.rrt.lt
Luxembourg | Institut Luxembourgeois des Télécommunications (ILT) | www.etat.lu/ILT
Netherlands | Onafhankelijke Post en Telecommunicatie Autoriteit (OPTA) | www.opta.nl
Netherlands | Agentschap Telecom | www.agentschap-telecom.nl
Netherlands | Ministerie Economische Zaken | www.ez.n
Norway | Norwegian Post and Telecommunications Authority (NPT) | www.npt.no
Austria | Rundfunk und Telekom Regulierungs-GmbH | www.rtr.at
Austria | Bundesministerium für Verkehr, Innovation und Technologie | www.bmvit.gv.at
Poland | Urząd Regulacji Telekomunikacji (URT) | www.urt.gov.pl
Portugal | Autoridade Nacional de Comunicações (ICP-ANACOM) | www.anacom.pt
Sweden | National Post and Telecom Agency | www.pts.se
Switzerland | Bundesamt für Kommunikation | www.bakom.ch
Slovenia | Agencija za telekomunikacije, radiodifuzijo in pošto | www.atrp.si
Spain | Comisión del Mercado de las Telecomunicaciones (CMT) | www.cmt.es
Czechia | Czech Telecommuni...
489. ...ons of the LAN. That guarantees that no compromised server in the DMZ becomes a security risk for the LAN.
[Figure: DMZ (FTP server, web server) and local network both attached to the BAT, which connects to the Internet.]
Some BAT models support this structure with a separate LAN interface used only for the DMZ. Looking at the path of data through the BAT, the function of the firewall in shielding the LAN against the DMZ becomes visible.
[Figure: data path through the BAT: LAN interfaces and WAN interfaces are joined via the LAN bridge and the IP router; the firewall, IP redirect, VPN services and IPX over PPTP/VPN sit on the router path.]
A direct data exchange between LAN and DMZ via the LAN bridge is not possible if a dedicated DMZ port is used. The path from LAN to DMZ and vice versa is therefore only possible through the router and thus also only through the firewall. This shields the LAN against inquiries from the DMZ, just as the LAN is shielded against inquiries from the Internet.
Note: The shielding of the DMZ against the Internet on one side and the LAN on the other is solved in many network structures with two separate firewalls. When using a BAT with DMZ port only one device is needed for this setup, which e.g. results in a clearly simplified configuration.
8.3.7 Hints for setting the firewall
The BAT fir...
490. ...ons properly, the remote site must also be adjusted in such a way that it can obtain the IP address and the name server from the BAT. This can be accomplished with Windows dial-up networking through the TCP/IP settings under IP address and DNS configuration. This is where the options "IP address assigned by server" and "Specify name server addresses" are activated.
Internet access: If Internet access for a local network is realized via the BAT, the assignment of IP addresses can occur in the reverse manner. Configurations are possible in which the BAT does not have a valid IP address on the Internet and is assigned one by the Internet provider for the duration of the connection. In addition to the IP address, the BAT also receives information on the DNS server of the provider during the PPP negotiation. In the local network the BAT is only known by its internally valid intranet address. All workstations in the local network can then access the same Internet account and also reach e.g. the DNS server. Windows users are able to view the assigned addresses via LANmonitor. In addition to the name of the remote station, the current IP address as well as the addresses of DNS and NBNS servers can be found there. Options such as channel bundling or the duration of the connection are also displayed.
11.10.4 Settings in the...
491. ...operations and only used for troubleshooting. General SYSLOG priority: DEBUG.
5 LANtools network management
The LANtools, consisting of LANconfig and LANmonitor, are ideally suited to configuring and monitoring BAT devices in complex application scenarios. Multiple routers and/or wireless access points in a network can be administered from a central location, as can devices in remote networks, for example when a service company maintains a device located with the customer. Network management with the LANtools primarily involves the following functions: device configuration; management of configurations, i.e. saving and restoring the settings; updates to the latest firmware versions; activation of additional software options; monitoring of device status; connection monitoring, including VPN; monitoring of firewall actions.
5.1 Switch UI language
The language for the LANconfig, LANmonitor or WLANmonitor graphical user interface can be set to German or English.
[Screenshot: Options dialog, tab General, with "Set up new devices: Launch Setup Wizard when a new unconfigured device is found" and "Application language: English"; the WLANmonitor Options dialog additionally shows "Rogue AP Detection activated" and "Rogue Client Detection activated".]
492. ...or a terminal program, you will find the access list for the wireless network under the following paths: WEBconfig: Expert configuration > Setup > WLAN > Access list. Terminal/Telnet: Setup > WLAN > Access list.
3.3.2 Standard WEP encryption
As of LCOS version 4.00, WEP128 encryption is activated for every unconfigured device as standard. If your device has one or more WLAN interfaces you can also carry out the wireless configuration from a computer with a WLAN card. To use a WLAN client to connect to a new BAT access point for wireless configuration, the WLAN client must be programmed with the 13-character standard WEP key.
The standard WEP key consists of the first letter "L" followed by the LAN MAC address of the access point in ASCII characters. The LAN MAC addresses of the BAT devices always begin with the character string 00A057. You will find the LAN MAC address on a sticker on the base of the device. Only use the character string labelled as MAC address that starts with 00A057; the other addresses that may be found are not the LAN MAC address. A device with the LAN MAC address 00A0570FB9BF thus has a standard WEP key of L00A0570FB9BF. This key is entered into the Private WEP settings of the device for each logical WLAN network as Key 1.
Note...
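The derivation rule above is simple enough to script, which is also why the standard key must be replaced before a device goes into service: anyone who has read the sticker, or who knows the vendor prefix and the last six hex digits of the LAN MAC, knows the key. The following is an added example, not code from the BAT manual or the device; the MAC addresses in it are constructed.

```python
# Added example (not from the BAT manual): derives the factory WEP128 key from
# the LAN MAC address exactly as the manual describes ("L" followed by the MAC
# in ASCII) and flags configurations that still use it. The MAC addresses are
# constructed for the example.
import re

BAT_LAN_OUI = "00A057"   # LAN MAC addresses of the BAT devices begin with this


def normalise_mac(mac: str) -> str:
    """Accepts 00:a0:57:0f:b9:bf, 00-A0-57-0F-B9-BF or 00A0570FB9BF and
    returns the 12 upper-case hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits


def standard_wep_key(lan_mac: str) -> str:
    """Factory WEP128 key: 'L' + LAN MAC, 13 ASCII characters = 104 bits."""
    mac = normalise_mac(lan_mac)
    if not mac.startswith(BAT_LAN_OUI):
        raise ValueError("not a BAT LAN MAC address (must start with 00A057)")
    key = "L" + mac
    assert len(key) == 13, "WEP128 ASCII keys are 13 characters long"
    return key


def uses_factory_key(configured_key: str) -> bool:
    """Audit check for a configured Key 1: True if it still has the factory shape."""
    return re.fullmatch(r"L00A057[0-9A-F]{6}", configured_key.upper()) is not None


def unknown_bits_of_factory_key() -> int:
    """Of the 104-bit key only the device-specific half of the MAC is unknown
    to an outsider: 6 hex digits, i.e. 24 bits."""
    return 6 * 4


if __name__ == "__main__":
    print(standard_wep_key("00:a0:57:0f:b9:bf"))   # L00A0570FB9BF
    print(uses_factory_key("L00A0570FB9BF"))        # True
```

`uses_factory_key` is the check worth running over exported configurations: a 13-character key of which seven characters are fixed leaves 24 unknown bits, so a device still on its standard key should be treated as unencrypted.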
493. ...or the logical WLAN interfaces can be found under the following paths: WEBconfig: Expert configuration > Setup > Interfaces > WLAN > Network settings. Terminal/Telnet: Setup > Interfaces > WLAN > Network settings.
Encryption settings: For access to a WLAN the appropriate encryption method and key must be set in the client station. To enter the key, change to the 802.11i/WEP tab in the Wireless LAN configuration area of LANconfig. From WPA/Private WEP settings select the first WLAN interface from the list of logical WLAN settings.
[Screenshot: WPA or Private WEP settings, Edit Entry, for Interface "Wireless Network 1": Encryption activated; Method/Key 1 length: WEP128 (104 bit); Key 1 passphrase of the form L00A057...; WPA session key type: AES; WPA version: WPA1; Authentication: Open system (recommended); Default key: Key 1; Client EAP method: TLS.]
Enable encryption and match the encryption method to the settings of the access point. In WLAN client operating mode the BAT device can authenticate itself to another access point using EAP/802.1X. For this, select the desired client EAP method here. Note that the selected client EAP method must match the settings of the access point that the BAT Wireless Router is attempting to log onto. Under WEBconfig or Telnet the network settings for the logical WLAN interfaces can be f...
494. ...ored by WLANmonitor are automatically grouped here (APs displayed in green). The clients that have been found can be placed into a corresponding group depending on their status. You can set up your own network groups within the individual groups by using the context menu (right mouse button), except for the group "All clients".
Activating rogue AP and rogue client detection: The functions for rogue AP and rogue client detection can be switched on or off in WLANmonitor.
[Screenshot: WLANmonitor Options, tab General: Rogue AP Detection activated; Rogue Client Detection activated; Application language: English.]
Configuration tool: WLANmonitor, Tools > Options > General.
Rogue AP detection activated: Activate this option if WLANmonitor is to display unknown or unconfigured access points.
Rogue client detection activated: Activate this option if WLANmonitor is to display unknown or unconfigured clients.
Configuring the alert function in the WLANmonitor: The WLANmonitor can inform the administrator automatically via e-mail whenever an unknown or unconfigured access point is discovered.
[Screenshot: Options, tab Alerting, E-mail Notification: "For particular events a notification may be sent per e-mail": Rogue AP detection has found an unknown or unconfigured Access Poi...]
495. ...ormation will be transmitted encrypted.
[Screenshot: the Wireless LAN network (MultiSSID) list beside the "WPA or Private WEP settings, Edit Entry" dialog.]
Interface | Encryption activated | Method / Key 1
WLAN-1 Wireless Network 1 | (partly illegible in the screenshot) | WEP64 (40 bit)
WLAN-1-2 Wireless Network 2 | Yes, and required | 802.11i (WPA)-PSK
WLAN-1-3 Wireless Network 3 | Yes, and required | 802.11i (WPA)-PSK
WLAN-1-4 Wireless Network 4 | Yes, and required | 802.11i (WPA)-PSK
WLAN-1-5 Wireless Network 5 | Yes, and required | 802.11i (WPA)-PSK
WLAN-1-6 Wireless Network 6 | Yes, and required | WEP128 (104 bit)
WLAN-1-7 Wireless Network 7 | No | WEP64 (40 bit)
The Edit Entry dialog offers: Select 802.11i Enhanced Security with Advanced Encryption Standard (WPA/AES) or the standard Wired Equivalent Privacy (WEP). Encryption activated: Yes, access only for stations with encryption key (recommended); Yes, access also allowed for stations without encryption; No encryption. Method/Key 1 length: WEP64 (40 bit). Key 1 passphrase: 0x0000000000. WPA session key type: TKIP. Authentication: Open system (recommended). Default key: Key 1.
Configuration with WEBconfig or Telnet: Under WEBconfig or Telnet you will find the individual key settings for logical WLAN networks under the following paths: WEBconfig: Expert configuration > Setup > Interfaces > WLAN > Interfaces > Encryption settings. Terminal/Telnet: cd Setup/Interfaces/WLAN/Interfaces/Encryption-Settings.
496. ...ort the most up-to-date methods of encryption and security for data transferred via WLAN. The IEEE standard 802.11i/WPA stands for the highest degree of security currently available for WLAN connections. This standard uses a new encryption procedure, AES-CCM, which in combination with other methods achieves levels of security previously equalled only by VPN connections. When using AES-capable hardware the transmissions are much faster than with comparable VPN security. WEP is also supported to ensure compatibility with older hardware. WEP (Wired Equivalent Privacy) is the encryption method originally incorporated in the 802.11 standard for the encryption of data in wireless transmission. This method uses keys of 40 (WEP64), 104 (WEP128) or 128 bits (WEP152) in length. A number of security weaknesses in WEP have come to light over time, allowing the key to be recovered from captured traffic, and so the 802.11i/WPA methods should be used wherever possible.
Note: Further information about the 802.11i and WPA standards is available under Development of WLAN security, page 33.
The tab 802.11i/WEP in the configuration area WLAN Security is used for setting the encryption parameters for each logical WLAN. Open the list with the button for WPA or Private WEP settings. Type of encryption: First of all select the type of encryption for the individual logical W...
497. ...ory of the victim is exhausted.
Teardrop: The Teardrop attack works with overlapping fragments. After the first fragment another one is sent which lies completely within the first, i.e. the end of the second fragment is located before the end of the first. If, due to carelessness of the IP stack programmer, the number of bytes to copy during reassembly is simply calculated as new end minus old end, a negative value results (or, as an unsigned count, a very large positive value), so that the copy operation overwrites parts of the memory of the victim and the workstation crashes. The firewall again has two possibilities: Either it reassembles the entire packet and rejects it if necessary, or it holds only the minimum offset and the maximum end of the packet seen so far and rejects all fragments whose offset or end fall into this range. In the first case the implementation within the firewall must be correct so that the firewall does not become the victim itself. In the other case half-reassembled packets accumulate again at the victim.
Bonk/Fragrouter: Bonk is a variant of the Teardrop attack which does not aim at crashing the attacked computer but at tricking simple port-filter firewalls which also accept fragmented packets, and thus penetrating the network being protected. During this attack the UDP or TCP header of the first fragmen...
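The two firewall strategies contrasted above, together with the faulty length arithmetic that makes Teardrop work, as an added example (this is illustrative code, not from the BAT manual or the device firmware). Fragments are modelled as offset/payload pairs and the sample fragments are constructed; one extra check that the manual's description does not mention (rejecting a fragment that swallows the whole known range) is marked as an assumption in the code.

```python
# Added example (not from the BAT manual): the two fragment-handling strategies
# contrasted above, plus the faulty length arithmetic that makes Teardrop work.
# Fragments are modelled as (offset, payload) pairs; the sample fragments are
# constructed for the example.
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Fragment:
    offset: int     # byte offset of this fragment within the original datagram
    data: bytes

    @property
    def end(self) -> int:
        return self.offset + len(self.data)


def naive_copy_length(old_end: int, new_end: int) -> int:
    """The careless reassembly arithmetic: bytes to copy = new end - old end.
    For a fragment that lies entirely inside the previous one the result is
    negative (a huge unsigned count in C), which is what crashes the victim."""
    return new_end - old_end


class OverlapFilter:
    """Second strategy: keep only the minimum offset and maximum end seen so
    far and reject every fragment whose offset or end falls inside that range.
    Fragments that merely abut the range (offset == max_end) are legitimate."""

    def __init__(self) -> None:
        self.min_off: Optional[int] = None
        self.max_end: Optional[int] = None

    def accept(self, frag: Fragment) -> bool:
        if self.min_off is None or self.max_end is None:
            self.min_off, self.max_end = frag.offset, frag.end
            return True
        offset_inside = self.min_off <= frag.offset < self.max_end
        end_inside = self.min_off < frag.end <= self.max_end
        # Assumption, not in the manual's description: also reject a fragment
        # that swallows the whole known range, since it overlaps everything.
        engulfs = frag.offset <= self.min_off and frag.end >= self.max_end
        if offset_inside or end_inside or engulfs:
            return False
        self.min_off = min(self.min_off, frag.offset)
        self.max_end = max(self.max_end, frag.end)
        return True


def reassemble_strict(frags: Iterable[Fragment]) -> Optional[bytes]:
    """First strategy: reassemble the complete datagram and reject it on any
    overlap or gap. This buffers data on the firewall, so a real implementation
    must bound what it holds to avoid becoming the victim itself."""
    buf = bytearray()
    expected = 0
    for frag in sorted(frags, key=lambda f: f.offset):
        if frag.offset != expected:   # < expected: overlap, > expected: gap
            return None
        buf += frag.data
        expected = frag.end
    return bytes(buf)


if __name__ == "__main__":
    first = Fragment(0, b"A" * 24)
    teardrop = Fragment(4, b"B" * 8)      # ends before the end of `first`
    print(naive_copy_length(first.end, teardrop.end))   # -12
    f = OverlapFilter()
    print(f.accept(first), f.accept(teardrop))          # True False
```

The min-offset/max-end filter never buffers payload, which is its appeal; the price, as the text notes, is that rejected fragments leave the victim holding half-reassembled datagrams until they time out.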
498. ...os. The LAN's entire Internet traffic is diverted to a proxy without entering the proxy address into the browsers. As the users do not notice the proxy routing, the scenario is called a transparent proxy.
[Figure: Firewall rule 1: source local net, destination all, port 80, action transfer, routing tag 1; a data packet with port 80 target addressing is routed to the proxy. Firewall rule 2: source proxy, destination all, port 80, action transfer, routing tag 0; the packet is routed to the Internet. Routing table (IP address | Netmask | Rtg-Tag | Router): 255.255.255.255 | 0.0.0.0 | 1 | PROXY; 255.255.255.255 | 0.0.0.0 | 0 | INTERNET.]
With load balancing, the data traffic for selected protocols is diverted over a certain DSL port that uses an additional external ADSL modem. A server in the local network is only supposed to be accessible from the WAN via a fixed IP address; this is routed via a certain WAN interface. VPN traffic is forwarded to a VPN tunnel with dynamic end points by using the routing tag 0; the company's remaining Internet traffic is diverted to another firewall by means of another suitable routing tag. Suitable entries can be made in the firewall to select channels according to information other than just the destination IP address. These entries are supplemented with a special routing tag that is used to control the channel selection with the routing table. For example, a r...
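How a routing tag set by a firewall rule steers the packet through a tagged routing table, using the transparent-proxy scenario above, as an added example (illustrative code, not from the BAT manual or the device). The addresses, rule names and the proxy host 10.0.0.80 are constructed; the tie-break that prefers a route whose tag equals the packet's tag over the tag-0 route is an assumption, but it is the behaviour the scenario depends on, since both default routes match every destination.

```python
# Added example (not from the BAT manual): how a firewall rule that carries a
# routing tag steers a packet through a tagged routing table, using the
# transparent-proxy scenario above. Addresses, rule names and the proxy host
# 10.0.0.80 are constructed; the tie-break preferring the route whose tag
# equals the packet tag is an assumption the scenario relies on.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Rule:
    name: str
    src: str              # source network (CIDR)
    dst: str              # destination network (CIDR)
    dport: Optional[int]  # destination port, None = any
    tag: int              # routing tag assigned by the rule


@dataclass(frozen=True)
class Route:
    dst: str      # destination network (CIDR); ANY is the default route
    tag: int      # routing tag, 0 = default tag
    router: str   # remote site or next hop name


def _in(addr: str, cidr: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)


def firewall_tag(rules: List[Rule], src: str, dst: str, dport: int) -> int:
    """The first matching rule decides; no match leaves the packet with tag 0."""
    for r in rules:
        if _in(src, r.src) and _in(dst, r.dst) and r.dport in (None, dport):
            return r.tag
    return 0


def select_route(routes: List[Route], dst: str, tag: int) -> Optional[str]:
    """Routes tagged with the packet's tag or with 0 are eligible; the most
    specific one wins, and at equal length the exactly tagged route is preferred."""
    eligible = [rt for rt in routes if _in(dst, rt.dst) and rt.tag in (tag, 0)]
    if not eligible:
        return None
    best = max(
        eligible,
        key=lambda rt: (ipaddress.ip_network(rt.dst, strict=False).prefixlen, rt.tag == tag),
    )
    return best.router


# Constructed setup: local net 10.0.0.0/24, proxy at 10.0.0.80. The rule for
# the proxy's own traffic must come first or the proxy would loop to itself.
RULES = [
    Rule("PROXY-ITSELF", "10.0.0.80/32", ANY, 80, tag=0),
    Rule("TO-PROXY", "10.0.0.0/24", ANY, 80, tag=1),
]
ROUTES = [
    Route(ANY, 1, "PROXY"),      # default route with tag 1 -> proxy
    Route(ANY, 0, "INTERNET"),   # default route with tag 0 -> Internet
]


def next_hop(src: str, dst: str, dport: int) -> Optional[str]:
    return select_route(ROUTES, dst, firewall_tag(RULES, src, dst, dport))


if __name__ == "__main__":
    print(next_hop("10.0.0.5", "203.0.113.10", 80))    # PROXY
    print(next_hop("10.0.0.80", "203.0.113.10", 80))   # INTERNET
    print(next_hop("10.0.0.5", "203.0.113.10", 443))   # INTERNET
```

The ordering of the two rules is the part worth testing on a real device: if the proxy's own port-80 traffic is tagged 1 as well, it is routed back to the proxy and the LAN loses web access entirely.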
499. ...ot running simultaneously.
9.5 QoS parameters for Voice over IP applications
An important task when configuring VoIP systems is to guarantee sufficient voice quality. Two factors considerably influence the voice quality of a VoIP connection: the voice delay on its way from sender to addressee, and the loss of data packets which do not arrive, or do not arrive in time, at the addressee. The International Telecommunications Union (ITU) has examined in extensive tests what human beings perceive as sufficient voice quality and has published the result in the ITU G.114 recommendation.
For BAT devices with VoIP functions that were already integrated or added with a software option, the QoS settings for SIP calls are defined automatically.
[Figure: packet loss (5 %, 10 %, 20 %) plotted against delay (100 ms, 150 ms, 300 ms); jitter indicated.]
With a delay of not more than 100 ms and a packet loss of less than 5 %, the quality is perceived like a normal telephone connection. Up to 150 ms delay and less than 10 % packet loss the telephone user still perceives a very good quality. Up to 300 ms and 20 % some listeners still find the quality acceptable; beyond that the connection is considered no longer suitable for voice transmission. Apart from the average delay, a variation in this delay (jitter) is also perceived by...
500. ote site: CHAP rejected | A CHAP reject was received after a CHAP challenge.
PPP login from remote site: timeout PPP CHAP RX | Remote did not send CHAP response.
PPP login at remote site: timeout PPP CHAP TX | Remote did not respond to CHAP response.
Time limit exceeded | Exactly like fee limit.
Connection establishment failed: Layer 1 | No HDLC flags found.
Connection establishment failed: Layer 2 | X.75 / V.110 not working.
DSL line error: Layer 1 | Cable not connected.

13.1.2 VPN error messages

Note: For correct evaluation of error messages for VPN connections, at least LCOS version 3.22 must be installed on both BAT devices.

A VPN connection is always either an outgoing or an incoming connection. To make searching for the error faster and more efficient, the error messages are different for the initiator and the responder. The initiator is the remote device which initiates the connection; the responder is the device which receives the connection. After the error message is read out, look in the appropriate menu item on the corresponding remote.

Example: For the error message "IKE or IPSec establishment timeout (Initiator)" no direct error can be determined. The responder, however, has determined an error like "No proposal matched (Responder IPSec)", which it sends to an SNMP client (LANmonitor
501. ound under the following paths:

Configuration tool | Call
WEBconfig, Telnet | Expert configuration > Setup > Interfaces > WLAN > Encryption > WLAN-1

3.6.2 Advanced configuration

Roaming

Roaming is defined as the transfer of a WLAN client to another access point once the connection to the access point used so far can no longer be kept alive. To allow roaming, at least one additional access point must be within range of the client; it must provide a network with an identical SSID and matching radio and encryption settings.

Under normal circumstances the WLAN client would only log onto another access point if the connection to the access point used up to that point was lost completely (hard roaming). Soft roaming, on the other hand, enables the client to use scan information to roam to the strongest access point. With the background scanning function, the BAT device in client mode can gather information on other available access points prior to the connection being lost. In this case the client is not switched to another access point once the existing connection has been lost completely, but rather when another access point within its range has a stronger signal.

To enable soft roaming, change to Setup > Interfaces > WLAN > Roaming in WEBconfig or Telnet and select the physical WLAN interface. Enable soft roaming and, if required, set th
502. oved for the WLAN. To this end, the MAC filter is set to "positive", i.e. the data from clients entered here will be transmitted.

Note: The passphrases should consist of a random string at least 22 characters long, corresponding to a cryptographic strength of 128 bits.

LANconfig

When using LANconfig for the configuration, you will find the list of stations approved for the WLAN in the configuration area "WLAN Security" on the "Stations" tab under the button "Stations".

[Screenshot: LANconfig dialog "Configure WLAN Security", Stations tab, with the station list (physical address, name, passphrase, comment), the filter function selection (filter out data from the list, transfer data from the list, or via RADIUS) and the "Authentication via RADIUS" settings (server IP address, server port, shared secret).]

WEBconfig, Telnet or terminal program

Under WEBconfig, Telnet
503. owing places:

WEBconfig | Setup > IP router > Routing method
Telnet | Setup / IP router / Routing method

The settings for the "Routing method" value are the following:
> Standard: The ToS/DiffServ field is ignored.
> TOS: The ToS/DiffServ field is considered as ToS field; the bits "Low delay" and "High reliability" will be evaluated.
> DiffServ: The ToS/DiffServ field is interpreted as DiffServ field and evaluated as follows:
  CSx (including CS0): BE, normal transmission
  AFxx: secured transmission
  EF: preferred transmission

DiffServ in Firewall rules

The code points from the DiffServ field can be evaluated by Firewall rules for further control of QoS parameters such as minimum bandwidth or PMTU reduction.

LANconfig

The parameters for evaluating the DiffServ fields are adjusted when defining the QoS rule in LANconfig.

[Screenshot: LANconfig "Quality of Service" rule dialog with the conditions "Action only for default route (i.e. internet)", "Action only for DiffServ CP" (e.g. AF), "Action only for send packets", "Action only for received packets", and the Action section (grant minimum ba
504. packets arrive with a larger delay than can be balanced by the jitter buffer, the packets will be discarded and will increase the packet loss. The larger the jitter buffer, the smaller the loss. Conversely, the entire delay will increase with the jitter buffer size. That means for the configuration that the jitter buffer should be selected as small as the quality can still be considered sufficient.

In detail, delay is determined especially by the codec used, the resulting packet size and the available bandwidth.

[Figure: delay components (processing, serialization, propagation, jitter buffer) in comparison with satellite quality (150 ms).]

> The time for processing is determined by the codec used. For a sampling time of 20 ms, exactly every 20 ms a new packet is generated. Times for compression can mostly be neglected.
> The time for handing over the packet to the interface is defined by the quotient of packet size and available bandwidth (values in ms):

Bandwidth    Packet size in bytes
                 1     64    128    256    512   1024   1500
56 Kbps       0.14      9     18     36     73    146    215
64 Kbps       0.13      8     16     32     64    128    187
128 Kbps      0.06      4      8     16     32     64     93
256 Kbps      0.03      2      4      8     16     32     47
512 Kbps     0.016      1      2      4      8     16     23
768 Kbps     0.010    0.6    1.3    2.6      5     11     16
1536 Kbps    0.005    0.3    0.6    1.3      3      5      8

A 512-byte packet of an FTP connection occupies the line at 128 Kbps upstream for at least 32 ms
505. pecifyin

[Screenshot: LANconfig service entry dialog with the fields first port, services, intranet address, map port, "Entry active" and comment.]

WEBconfig, Telnet or terminal program

Under WEBconfig, Telnet or a terminal program, you will find the service list for the wireless network under the following paths:

WEBconfig | Expert configuration > Setup > IP router > Masquerading > Service table
Terminal/Telnet | Setup / IP router / Masquerading / Service table

11.4.4 De-Militarized Zone (DMZ)

Locally the router can manage two different IP address sections: the intranet (LAN) and the De-Militarized Zone (DMZ). The DMZ has its own area, which is used for servers that are reachable from the Internet.

[Figure: intranet (LAN, IP 10.0.0.1) and DMZ (IP 192.168.2.1) behind the router with the public IP 80.146.74.146.]

The option "Masq." in the Service list informs the router whether the local intranet or DMZ addresses should be hidden behind the IP address of the router.

> IP Masquerading switched off: No masquerading is performed. This variation is for Internet accesses with several static IP addresses; enter them under "DMZ IP address" and "DMZ netmask" to link only servers to the Internet, or e.g. to link two intranet subnets via VPN.
> Masking Intranet and DMZ (default): This setting has the effect that all local addresses are masked. Additionally to the Intr
506. ple configuration with LANconfig

Create SYSLOG client

Start LANconfig. Under "Management", select the "Log & Trace" tab. Turn the module on and click "SYSLOG clients". In the next window, click "Add". First enter the IP address of the SYSLOG client, and then set the sources and priorities.

[Screenshot: LANconfig "SYSLOG clients - New Entry" dialog with the IP address, the sources (System, System time, Connections, Login, Console login, Accounting, Administration, Router) and the priorities (Alert, Error, Warning, Information, Debug).]

12.5 The SYSLOG module

SYSLOG comes from the UNIX world, in which specified sources are predefined. BAT assigns its own internal sources to these predefined SYSLOG sources, the so-called facilities. The following table provides an overview of the significance of all message sources that can be set in the BAT. The last column of the table also shows the alignment between the internal sources of the BAT and the SYSLOG facilities.

Source | Meaning | Facility
System | System messages (boot processes, timer system, etc.) | KERNEL
Login | Messages regarding login and logout of a user during the PPP negotiation, and errors occurring during this process | AUTH
System time | Messages regarding changes to the system time | CRON
Console | Messages regarding console logins (Telnet, outband, etc.), logouts and | AUTHP
507. plex band spreading process.
Dynamic DNS: IPsec VPN implementation which allows the transparent connection of local networks into a VPN solution even when their routers work with dynamic addresses (dial-up).
EAP: Extensible Authentication Protocol.
EAP-MD5: EAP variant which uses a password for one-sided authentication.
EAP-TLS: EAP Transport Layer Security; EAP variant which uses certificates for mutual authentication.
EAP-TTLS: EAP Tunneled Transport Layer Security; EAP variant which uses certificates for mutual authentication.
EIRP: Effective Isotropic Radiated Power.
ESS: Extended Service Set.
ESSID: Extended Service Set Identity; network name of the wireless LAN.
Ethernet: Strand- or star-formed physical transport medium; all stations can send simultaneously, collisions are detected and corrected through the network protocol.
FHSS: Frequency Hopping Spread Spectrum; frequency-skipping band spread procedure.
Firewall: Protective mechanism for an Intranet against attacks from outside.
Frequency: Number of oscillations per second, given in Hertz (1 Hz = 1 oscillation per second).
GHz: Gigahertz; 1 billion Hertz or oscillations per second.
FTP: File Transfer Protocol; enables data transfer between different systems and simple file manipulation. FTP is based on the TCP transmission protocol.
Frequency band: Contiguous frequency range which has the same transmission properties.
Radio frequency: Every radio application uses globally regulated radio
508. plicated that they were basically impractical for home use or smaller installations.

After the problems with WEP became public knowledge, the IEEE began with the development of the standard IEEE 802.11i. As an interim solution, the WiFi Alliance defined the WiFi Protected Access (WPA) standard. WPA uses the following changes:
> TKIP and Michael as replacement for WEP.
> A standardized handshake procedure between client and access point for determination and transmission of the session key.
> A simplified procedure for deriving the Master Secret mentioned in the last section, which can be performed without a RADIUS server.
> Negotiation of the encryption procedure between access point and client.

TKIP

TKIP stands for Temporal Key Integrity Protocol. As the name suggests, it involves an intermediate solution for temporary use until a truly strong encryption procedure is introduced, but which nevertheless deals with the problems of WEP. A requirement of this method was compatibility with existing WEP/RC4 hardware.

Encryption makes use of components familiar from WEP, but benefits from decisive improvements: the Michael hash, improved encryption, and the TKIP method for calculation of the RC4 key. Furthermore, the internally incremented IV transmitted in clear text in the packet is 48 bits long instead of 24; thus the problem with the repeating IV value is practically excluded. As a further detail, TKIP also mixes the MAC address of the sende
509. possible, but would result in significant speed penalties due to the processors commonly used in access points.

In contrast to TKIP, AES only requires a 128-bit key with which both the encryption and the protection against undetected changes to packets are achieved. Furthermore, CCM is fully symmetric, i.e. the same key is used in both communication directions; a standards-compliant TKIP implementation, on the other hand, requires the use of different Michael keys in the send and receive directions, so that CCM is significantly simpler in use than TKIP.

Similar to TKIP, CCM uses a 48-bit Initial Vector in each packet; an IV repetition is impossible in practice. As in TKIP, the receiver notes the last IV used and discards packets with an IV which is equal to or less than the comparison value.

Pre-authentication and PMK caching

802.11i is intended to help with the use of WLAN for speech connections (VoIP) in enterprise networks. Especially in connection with WLAN-based wireless telephony, quick roaming (switching from one access point to another without lengthy interruptions) is of special significance. In telephone conversations, interruptions of 100 milliseconds are irritating, but the full authentication process over 802.1x, including the subsequent key negotiation with the access point, can take significantly longer.

For this reason, the so-called PMK caching was introduced as a first measure. The PMK serves as the basis for key
510. pplication Gateway

By checking contents on the application level, Application Gateways extend the address checking of the packet filters and the connection monitoring of the Stateful Packet Inspection. The Application Gateway mostly runs on a separate workstation because of the high demands on hardware performance. This workstation sits between the local network and the Internet. Seen from both directions, this workstation is the only possibility to exchange data with the respective other network. There does not exist any direct connection between these two networks, but just to the Application Gateway.

[Figure: local network, Application Gateway, Internet.]

The Application Gateway is thus a kind of proxy for each of the two networks. Another term for this constellation is the "dual-homed gateway", because this workstation is, so to speak, at home in two networks. For each application to be allowed through this gateway, a separate service will be set up, e.g. SMTP for mail, HTTP for surfing the Internet or FTP for data downloads. This service accepts data received by either one of the two sides and depicts it to the respective other side. What seems at first sight to be a needless mirroring of existing data is on closer examination the far-reaching concept of Application Gateways: there never exists a direct connection, e.g. between a client of the local network and a server of the Inter
511. propriate keys or passphrases into the access point and the WLAN clients (see "Encryption settings", page 57, and "WEP group keys", page 60).
> Regularly change the WEP key. Also change the standard key (see "Encryption settings", page 57) in the configuration. Alternatively, you can use a cron job to automatically change the key every day, for example (see "Regular Execution of Commands", page 491). The passphrases for 802.11i or WPA do not have to be changed regularly, as new keys are generated for each connection anyway. This is not the only reason that the encryption with 802.11i (AES) or WPA (TKIP) is so much more secure than the now aged WEP method.
> If the data is of a high security nature, you can further improve the WEP encryption by additionally authenticating the client with the 802.1x method (see "IEEE 802.1x/EAP", page 83), or activate an additional encryption of the WLAN connection as used for VPN tunnels (see "IPSec over WLAN", page 84). In special cases a combination of these two mechanisms is possible.

Note: Further information is available from our web site www.hirschmann.com under Support > FAQ.

3.3.1 LEPS (BAT Enhanced Passphrase Security)

LEPS remedies the security issues presented by global passphrases. The modern encryption methods WPA and IEEE 802.11i provide data traffic in the WLAN with far improved
512. proved security against break-ins and eavesdropping over any WEP variant. For larger installations, in which such a passphrase would have to be made known to too large a user community for it to be kept secret, EAP/802.11i is used in combination with the key handshake described here.

Negotiating the encryption method

Since the original WEP definition specified a fixed key length of 40 bits, the registration of a client at an access point only had to communicate whether encryption should be used or not. Key lengths exceeding 40 bits require that the key length is announced. WPA provides a mechanism with which client and access point can agree on the encryption and authentication procedures to be used. The following information is made available:
> The encryption method to be used for broadcasts in this network (also the type of group key). Each client wanting to register in a WPA WLAN must support this procedure. Here, besides TKIP, WEP is also still allowed in order to support mixed WEP/WPA networks; in a pure WPA network, TKIP will be selected.
> A list of encryption methods which the access point provides for the pairwise key; here WEP is explicitly disallowed.
> A list of authentication methods a client may use to show itself to the WLAN as authorized for access; possible methods are currently EAP/802.1x or PSK.

As mentioned, the ori
513. psulation according to RFC 2684. Several protocols can be transmitted over the same VC (Virtual Channel).
VC-MUX | Multiplexing with ATM by establishing additional VCs according to RFC 2684.
Layer 3 | The following options are available for the switching layer or network layer:
  Transparent | No additional header is inserted.
  PPP | The connection is established according to the PPP protocol in the synchronous mode, i.e. bit-oriented. The configuration data are taken from the PPP table.
  AsyncPPP | Like PPP, only the asynchronous mode is used. This means that PPP functions character-oriented.
  with script | All options can be run with their own script if desired. The script is specified in the script list.
  DHCP | Assignment of the network parameters via DHCP.

Parameter | Meaning
Layer 2 | In this field the upper section of the security layer (Data Link Layer) is configured. The following options are available:
  Transparent | No additional header is inserted.
  PPPoE | Encapsulation of the PPP protocol information in Ethernet frames. The PPP negotiation runs via Ethernet; the PPP packets are encapsulated in Ethernet frames for this purpose. This process is frequently used for DSL connections.
Options | Here you can activate the compression of the data to be transmitted and the b
514. ption is then XOR'd byte by byte with this byte stream. The receiver simply repeats this procedure with the same key and in the same order to produce the original data packet again.

However, RC4 has one serious disadvantage: one may only use a particular RC4 key once for a single packet, as two different packets that have been coded with the same RC4 key potentially provide the basis to reproduce the original data. As it would be impracticable for the user to enter a new code key for every data packet, WEP combines this key with an additional internal key, the initial vector (IV). This is automatically changed from packet to packet.

The IEEE standard originally foresaw a relatively short key length of 40 bits, which was probably oriented towards the then existing US export restrictions on strong cryptography; this variant, in combination with the 24 bits of the IV, is usually referred to as WEP64. Most WLAN cards today support a variant in which the user can configure a 104-bit key, which results in a 128-bit long RC4 key; correspondingly, this is often called WEP128. More seldom are key lengths of 128 bits (WEP152) or 232 bits (WEP256). In principle, RC4 can work with key lengths of up to 2048 bits (WEP keys of up to 2024 bits), although in practice key lengths reach a simple limit at which the user can manage to enter the columns of digits without makin
515. pty, all tags are accepted. If at least one entry is in the list, then only the tags in this list are accepted. Furthermore, the only routes to be propagated are those with the tags given here. This also considers any translation via the standard routing tag.

Caution: The routing tag list in the table of RIP networks corresponds to the one in the WAN RIP table, with the one difference that a translation via the standard routing tag is considered. This means, for example, that in the case of an interface tag 1 and the standard routing tag 0, the tag 0 has to be included in the routing tag list, because it is internally changed to tag 1 when it is received. Conversely, the internal tag 1 is changed to the external tag 0 on transmission. The measure is necessary so that a virtualized router can also work with routers which do not have tagging support.

The default setting has Intranet and DMZ in the table, whereby RIP is deactivated for these entries.

Timer settings

The Routing Information Protocol (RIP) regularly provides neighboring routers with updates on the available networks and the associated metrics (hops). RIP uses various timers to control the exchange of routing information.

WEBconfig: Setup > IP router > RIP > Parameters

> Update interval: The time between two regular updates. A random value of 5 seconds is always added to this value. Possible values: 0 to 99 seconds.
516. querading, but without addresses or ports to be re-mapped here. It is sufficient to pursue the negotiation to open appropriate ports and link them with the main connection, so that these ports are closed likewise with the closing of the main connection, and traffic on the secondary connection also keeps the main connection open.

ICMP connections

For ICMP two cases must be differentiated: the ICMP request/reply connections, as used with "ping", and the ICMP error messages, which can be received as an answer to any IP packet.

ICMP request/reply connections can be clearly assigned to the identifier used by the initiator, i.e. in the status database an entry is created with the sending of an ICMP request which lets through only ICMP replies with the correct identifier. All other ICMP replies will be discarded silently.

In ICMP error messages, the IP header and the first 8 bytes of the IP packet (i.e. the UDP or TCP headers) can be found within the ICMP packet. With the help of this information, the receipt of an ICMP error message automatically triggers the search for the associated entry in the status database. The packet passes only if such an entry exists; otherwise it is discarded silently. Additionally, potentially dangerous ICMP error messages (redirect route) are filtered out.

Connections of other protocols

For all other protocols, no related connections can be followed up, i.e. with them only a connection between invo
517. r
11.7.11 Assigning logical interfaces to bridge groups
11.7.12 Remote bridge
11.7.13 PPPoE Servers
11.8 Load balancing
11.8.1 DSL port mapping
11.8.2 Direct DSL channel bundling
11.8.3 Dynamic load balancing
11.8.4 Static load balancing
11.8.5 Configuration of load balancing
11.9 N:N mapping
11.9.1 Application examples
11.9.2 Configuration
11.10 Establishing connection with PPP
11.10.1 The protocol
11.10.2 Everything o.k.? Checking the line with LCP
11.10.3 Assignment of IP addresses via PPP
11.10.4 Settings in the PPP list
11.11 DSL Connection with PPTP
11.12 Extended connection for flat rates (Keep-alive)
11.13 Callback functions
11.13.1 Callback for Microsoft CBCP
11.13.2 Fast callback
11.13.3 Callback with RFC 1570 (PPP LCP extensions)
11.13.4 Overview of configuration of callback function
11.14 Serial interface 444
11.14.1 Introduction 444
11.14.2 System requirements 445
11.14.3 Installation 445
11.14.4 Set the serial interface to modem operation 446
11.14.5 Configuration of modem parameters 447
11.14.6 Direct entry of AT commands 449
11.14.7 Statistics 450
11.14.8 Trace output 450
11.14.9 Configuration of remote sites for V.24 WAN interfaces 450
11.14.10 Configuration of a backup connection on the
518. r 0.0.0.0 if the filter should apply to packets from all networks.
Q-start | Start source port of the packets to be filtered.
Q-end | End source port of the packets to be filtered. Makes up the port range, together with the start source port, in which the filter takes effect. If start and end port are 0, then the filter is valid for all source ports.
Dst MAC | Ethernet destination address of the packet to be filtered, or 000000000000 if the filter should apply to all packets.
Dst address | Destination address, or 0.0.0.0 if the filter should apply to all packets.
Dst mask | Destination network mask, which determines the destination network together with the destination IP address, or 0.0.0.0 if the filter should apply to packets to all networks.
Z-start | Start destination port of the packets to be filtered.
Z-end | End destination port of the packets to be filtered. Makes up the port range, together with the start destination port, in which the filter takes effect. If start and end port are 0, then the filter is valid for all destination ports.
Action | In this column the main action is shown as text; it will be executed when the first limit has been exceeded. The first limit can also be an implicit limit, e.g. if only one limit for the restriction of the throughput was configured. Then an implicit limit linked with
519. r configurations from the device list in LANconfig. All of the configurations can be processed in parallel.

[Screenshot: LANconfig device list with several devices, their IP addresses and status, and the configuration dialog of one device showing device type, hardware release, firmware version and serial number.]

Note: Cut and paste
520. r each network marked by a VLAN ID, the BAT Router has an IP address in that network so that it can be accessed via IP. The VLAN ID ensures the correct assignment of IP networks and VLANs.

Note: In certain cases the BAT Router does not need an IP address, such as when a VLAN is only used as a bridge between WLAN and LAN. On occasion it can even be undesirable for the BAT Router to be accessible within this VLAN.

For example: A central BAT Router provides connectivity to an access point with three logical WLANs for intranet, guest access and Voice over IP. The intranet remains untagged, the guest access is given VLAN ID 1 and VoIP is given VLAN ID 2. Based on the VLAN IDs, the central router permits users in the intranet to access the Internet and, via VPN, the headquarters; visitors in the guest WLAN only have access to the Internet.

[Figure: central BAT Router with the access point (intranet, guest access, VoIP), the Internet and the VPN to the headquarters.]

Values: 0 to 4094 (0 = untagged). Default: 0.

A packet with a VLAN tag arriving at the interface is assigned to its corresponding network. Conversely, the BAT Router sends packets from this network via the interface with the corresponding VLAN tag. Consequently, the network is only accessible for packets which originate from the same VLAN.

Note: By configuring the wrong VLAN ID, an administrator who does not have access to that VLAN can lock himself or herself out of the BAT Router.
521. r into the calculation of the key. This ensures that the use of identical IVs by different senders cannot lead to identical RC4 keys and thus again to attack possibilities.

The Michael hash does not, however, represent a particularly tough cryptographic hurdle: if the attacker can break the TKIP key, or get encrypted packets past the CRC check via modifications similar to those for WEP, then not many barriers remain. For this reason, WPA defines countermeasures: if a WLAN card detects more than two Michael errors per minute, both the client and the access point break data transfer off for one minute, afterwards renegotiating TKIP and Michael keys.

The key handshake

In the discussion of 802.1x it was already noted that EAP/802.1x provides a possibility to inform the client at the outset of a session of the key valid for it. WPA now places that on a standardized basis and considers the session key option offered by modern access points, which, in addition to the four global keys, assigns each registered client a session key that is used exclusively with data packets to or from that client. The key handshake under WPA involves first of all the exchange of the pairwise keys and then the group keys.

After a successful group key handshake, the access point can release the client for normal data transfer. The access point is free to perform
522. r whether it is sufficient that only one of the parallel established HTTP connections exceeds the threshold value. For absolute values it is additionally possible to specify whether the counter belonging to it will be reset to zero when the limit has been reached.

Note: In any case, data will be transferred if a limit has not been reached yet. With a trigger value of zero, a rule becomes immediately active as soon as data packets arrive for transmission on the specified connection.

Packet action

The Firewall has three possibilities to treat a filtered packet:
> Transmit: The packet will be transferred normally.
> Drop: The packet will be discarded silently.
> Reject: The packet will be rejected; the addressee receives an appropriate message via ICMP.

Further measures

The Firewall does not only serve to discard or accept the filtered data packets, but it can also take additional measures when a data packet has been registered by the filter. The measures here are divided into the fields logging, notification and prevention of further attacks.
> Send a Syslog message: Sends a message via the SYSLOG module to a SYSLOG client as defined in the configuration field "Log & Trace".
> Send an email message: Sends an email message to the administrator using the account specified in the configuration field "Log & Trace".
> SNMP/LANmonitor: Sends an SNMP trap that will be analyzed e.g. by LANmonitor.

Note: Each of these three mes
523. ration. BAT routers thus feature a broad selection of configuration software. LANconfig: nearly all parameters of the BAT can be set quickly and with ease using this menu-based application. Outband, inband and remote configuration are supported, even for multiple devices simultaneously. WEBconfig: this software is permanently installed in the router. All that is required on the workstation used for the configuration is a web browser; WEBconfig is thus independent of operating systems. Inband and remote configuration are supported. SNMP: device-independent programs for the management of IP networks are generally based on the SNMP protocol. It is possible to access the BAT inband and via remote configuration using SNMP. Terminal program/Telnet: a BAT can be configured with a terminal program via the config interface (e.g. HyperTerminal) or within an IP network (e.g. Telnet). TFTP: the file transfer protocol TFTP can also be used within IP networks (inband and remote configuration). The following table shows how you can use the configuration. [Table: columns LAN/WAN (inband), Config Interface (outband configuration), ISDN remote, Analog dial-in with BAT Modem Adapter Kit (software), WLAN; rows: LANconfig Yes, Yes, Yes, Yes; WEBconfig Yes, No, Yes, Yes; SNMP Yes, No, Yes, Yes.] 4.3 Searching and configuring devices:
524. ration with LANconfig. Note: Local administrators with write access can also edit the admin table. However, a local administrator can only change or create entries for users with the same or fewer rights than himself. It follows that a local administrator cannot create a supervisor access and assign himself those rights. Local administrator with read access: can read the configuration with Telnet or a terminal program but cannot change any values. The administrators can be assigned certain configuration options via their function rights. None: cannot read the configuration. The administrators can be assigned certain configuration options via their function rights. Function rights: function rights can be used to grant the following options to users: Basic Settings Wizard, Security Settings Wizard, Internet Connection Wizard, Selection of Internet Provider Wizard, RAS Account Wizard, LAN-LAN Connection Wizard, Change time and date, Search for further devices, WLAN link test, a/b Wizard. 4.8.2 Administrators' access via TFTP and SNMP: The additional access possibilities for administrators are generally used for configuring the device with Telnet, terminal programs or SSH access. However, the other administrators can also access the device via TFTP or SNMP. Access with LANconfig: A user with supervisor rights can log in to LANconfig by entering his user data into the Password field of the login window in the combination <User name> <
525. rewall action to be executed. For each Firewall rule there is an additional on/off switch, a priority, the option for a linkage with other rules and an activation of the rule for VPN connections. General information concerning these parameters can be found in section Parameters of Firewall rules (page 268). The definition of the Firewall rules can be composed of entries of the object table (for protocols, services, stations; page 290) and of entries of the action table (for Firewall actions; page 292). It can also contain direct descriptions in the appropriate LCOS syntax, e.g. %P6 for TCP. [Screenshot: Expert Configuration > Setup > IP router module > Firewall > Rule table, example rule ALLOW_HTTP with Prot. TCP, Source LOCALNET, Destination ANYHOST with HTTP ports, Linked No, Active Yes, VPN rule No.] Note: For direct entering of rule parameters in LCOS syntax the same guidelines apply as described in the following sections for protocols, source and destination as well as for Firewall actions. Object table: The object table defines elements and objects that apply to the rule table of the Firewall. Objects can be: single PCs (MAC or IP address, host name); entire networks; protocols; services (ports or port ranges, e.g. HTTP, Mail & News, FTP). Any combination of these elements is possible. Further
526. re and manufacturers. LCOS describes the device-independent operating system. BAT stands as a generic term for all BAT routers and BAT Router Access Points. Hirschmann stands as the shortened form for the manufacturer Hirschmann Automation and Control GmbH, Germany. Validity: The present user manual (configuration) applies to all BAT routers and BAT Router Access Points with firmware version 7.54 or better. The functions and settings described in this user manual are not supported by all models and/or all firmware versions. Illustrations of devices as well as screenshots always represent just examples which need not necessarily correspond to the actual firmware version. Security settings: For a carefree use of your device we recommend carrying out all security settings (e.g. Firewall, encryption, access protection, charge lock) which are not already activated at the time of purchase of your device. The LANconfig wizard Check Security Settings will support you in accomplishing this. Further information regarding this topic can be found in chapter Security (page 237). We additionally ask you to inform yourself about technical developments and current hints for your product on our Web page www.hirschmann.com and to download new software versions if necessary. This documentation was created by several members of our staff from a variety of departments in order to ensure you the best possible
527. re valuable information is suspected. Such information would be, e.g., the results of research departments, which are gladly seen by industrial spies, or on the other hand bank servers on which big money is distributed. Secondly, networks of smaller organizations are also endangered, which are perhaps only interesting to special groups: on the workstations of tax consultants, lawyers or doctors certainly slumbers some information quite interesting for third persons. Last but not least, workstations and networks are also victims of attackers even when they obviously offer no use for the attackers: just the script kiddies testing out their possibilities by youthful ambition are sometimes just searching for defenceless victims in order to practise for higher tasks. The attack against an unprotected, apparently not interesting workstation of a private person can also serve the purpose of preparing a basis for further attacks against the real destination in a second step: the workstation of no interest becomes the source of attacks in a second step and the attacker can disguise his identity. All things considered, we can conclude that the statistical probability of an attack on the network of a global player of the industry may be higher than on a midget network of the home office. But probably it is only a matter of time until a defenceless workstation installed in the Internet will, perhaps even accidentally, become the victim of attacks.
528. relay server. As a DHCP relay agent the BAT Router forwards DHCP requests to another DHCP server. As DHCP relay server the BAT Router processes DHCP requests forwarded from DHCP relay agents. Activating the DHCP server for an interface: The DHCP server can be separately activated or deactivated for each logical interface. [Screenshot: LANconfig TCP/IP > DHCP, port table selecting the interfaces to which the DHCP server settings apply, e.g. WLAN-1 (Wireless Network), P2P-1-1 (Point-to-Point 1-1) On, P2P-1-2 (Point-to-Point 1-2) On.] LANconfig: TCP/IP > DHCP > Port table. WEBconfig/Telnet: Expert configuration > Setup > DHCP > Ports. Configuring DHCP networks: DHCP settings can be made for any IP network which has already been defined. [Screenshot: DHCP networks, New Entry, with the fields Default gateway, Name server addresses (Primary DNS, Secondary DNS, Primary NBNS, Secondary NBNS), Forwarding of DHCP queries (Server address 0.0.0.0, Place server replies in intermediate storage, Adapt server replies to the local network).] LANc
529. ress 127.128.128.64 yields the IP network mask 255.255.255.192. Class address: the network mask is formed from the IP address class and a part attached after the address procedure. Thus the above mentioned address and the network mask 255.255.0.0 yield the IP network mask 255.128.0.0. Note: Routers with RIP capabilities dispatch the RIP packets approximately every 30 seconds. The router is only set up to send and receive RIPs if it has a unique IP address. The IP RIP module is deselected in the default setting using the IP address xxx.xxx.xxx.254. 11.2.5 SYN/ACK speedup: The SYN/ACK speedup method is used to accelerate IP data traffic. With SYN/ACK speedup, IP check characters (SYN for synchronization and ACK for acknowledge) are given preference within the transmission buffer over simple data packets. This prevents the situation that check characters remain in the transmission queue for a longer time and the remote station stops sending data as a result. The greatest effect of SYN/ACK speedup occurs with fast connections (e.g. ADSL) when data quantities are simultaneously transferred in both directions at high speed. The SYN/ACK speedup is activated at the factory. Switching off in case of problems: Due to the preferred handling of individual packets the original packet order is changed. Although TCP/IP does not ensure
530. resses. Note: If no IP address is entered for a remote site that can be checked with a ping, then the IP address of the DNS server that was determined during the PPP negotiation will be checked instead. Ping interval: The time entered into the polling table defines the time interval between ping requests. If the value 0 is entered then the standard value of 30 seconds applies. Values: 0 to 65,535 (0 = use default). Default: 30 seconds. Retries: If no reply to a ping is received then the remote site will be checked in shorter intervals. The device then tries to reach the remote site once a second. The number of retries defines how many times these attempts are repeated. If the value 0 is entered then the standard value of 5 retries applies. Values: 0 to 255 (0 = use default). Default: 5 retries. Loopback address: Sender address sent with the ping; this is also the destination for the answering ping. The following can be entered as the loopback address: name of a defined IP network; INT for the IP address in the first network with the setting Intranet; DMZ for the IP address in the first network with the setting DMZ (Note: If the list of IP networks or loopback addresses contains an entry named DMZ then the associated IP address will be used); name of a loopback address; any other IP address. 4.9.2 Loopback addresses for time servers: BAT Routers can retrieve time information from public time servers in the In
531. ription during configuration. This name is used at no other place. VLAN ID: This number marks the VLAN unambiguously. Possible values range from 1 to 4094. Port list: All BAT interfaces belonging to the VLAN are entered into this list. As ports can be entered: LAN-n for all Ethernet ports of the device; WLAN-n for point-to-station WLAN ports; P2P-n for point-to-point WLAN ports. Given a device with a LAN interface and a WLAN port, e.g. the ports LAN-1 and WLAN-1 can be entered. In case of port ranges the individual ports must be separated by a tilde: P2P-1~P2P-4. Note: The available ports can be found in the port table (page 341). Example for a network table (Name / VLAN ID / Port list): Default / 1 / LAN-1, WLAN-1, WLAN-2; Sales / 2 / LAN-1, WLAN-1; Marketing / 3 / LAN-1, WLAN-2. 10.3.2 The port table: The port table configures the individual ports of the device for use by the VLAN. The table has an entry for each port of the device with the following values. Port: name of the port (not editable). Use tagging: This option indicates whether data packets should be tagged on this port. The tagging refers only to data packets sent over this port. Allow untagged frames: This option indicates whether untagged data packets which have been received on this port are passed on. Allow all VLANs: This optio
532. rity loopholes in WEP encryption became public knowledge, the presentation of short-term solutions such as WEPplus and the intermediate steps like WPA, the IEEE committee has now presented the new WLAN security standard 802.11i. The TKIP procedure used by WPA is based on the older RC4 algorithm, the foundation of WEP; AES is the first important and conclusive step towards a truly secure encryption system. 802.11i/AES have confined the practical and theoretical security loopholes in previous methods to history. The AES procedure provides security on a level that satisfies the Federal Information Standards (FIPS 140-2) specifications that are required by many public authorities. Hirschmann equips its 54 Mbps products with the Atheros chip set featuring a hardware AES accelerator. This guarantees the highest possible level of encryption without performance loss. The user-friendly pre-shared key procedure (entry of a passphrase of 8 to 63 characters in length) makes 802.11i quick and easy for anybody to set up. Professional infrastructures with a larger number of users can make use of 802.1x and RADIUS servers. In combination with further options such as Multi-SSID and VLAN tagging it is possible to provide highly secure networks for multiple user groups and with different levels of security. VLAN tagging is available as of LCOS version 3.32, Multi-SSID is available as of LCOS 3.42, Hirschmann provides the PSK procedure as of LCOS version 3.50, 80
533. rnet interface (DSL or DSLoL) it is clear which ports are used for bundling. In this case it is not necessary to enter the ports into the peer list. These devices always internally assume a port list 0,1, so that the internal ADSL interface is the first one to be used for bundling. Note: For Multi-PPPoE (Direct DSL channel bundling, page 420) multiple PPPoE connections share one physical DSL connection. With Multi-DSL several PPPoE connections are divided between the available DSL interfaces. The maximum possible number of parallel connections is limited to 8 channels. Allocation of MAC addresses to the DSL ports: If a BAT uses switch ports to gain access to multiple DSL WAN interfaces, an appropriate number of MAC addresses must be used to differentiate the DSL ports. As there are cases where the required MAC address depends upon the remote station (which, for example, uses the MAC address to determine the DSL access charge), the MAC addresses are defined for the logical DSL remote stations and not for the physical DSL ports. The following options are available for setting the MAC address. Global: global system MAC address. Local: the unique locally managed MAC address is calculated from the global address. User defined: a MAC address that can be freely defined by the user. Note: Every DSL connection contains its own MAC address. If two remote stations are configured with identical MAC addresses, the first connection uses t
534. rohibited in certain countries. To operate the BAT Access Points while observing the regulations in various countries, all physical WLAN interfaces can be set up for the country where they are operated. WLAN module operation: The WLAN modules can be operated in various operating modes. As a base station (Access Point mode) the device makes the link between WLAN clients and the cabled LAN. Parallel to this, point-to-point connections are possible as well. In Managed Mode the Access Points also accept WLAN clients into the network, although the clients then join a WLAN infrastructure that is configured by a central WLAN Controller. In this operating mode no further WLAN configuration is necessary, as all WLAN parameters are provided by the WLAN Controller. In client mode the device itself locates the connection to another Access Point and attempts to register with a wireless network. In this case the device serves, for example, to link a cabled network device to an Access Point over a wireless connection. In this operating mode parallel point-to-point connections are not possible. For further information please refer to section Client Mode. Physical WLAN settings: Along with the radio channels, the physical WLAN settings can also be used to activate options such as the bundling of WLAN packets (TX Burst
535. rom another source. The current user's user directory can be chosen, or indeed any other lanconf.ini from any location. By selecting the user directory, users can save their personal settings even if they don't have write authorization for the program directory. Selecting an alternative storage location can be used, for example, to transfer program settings to any other LANconfig installation or to save the program settings to a central location in the network for use by multiple users. The parameters for configuration can be found under the following path: LANconfig > Options > Application. [Screenshot: Options dialog, tab Application, with the groups Startup (Windows startup: start LANconfig like before), Language (Dialog language: English) and Program settings (Use user specific settings; Use configuration file with a path field and Browse button).] Use user specific settings: Activates the use of the lanconf.ini file in the current user's directory (User > Application Files > BAT > LANconfig). With this option activated, changes to the program settings are saved to this ini file. Possible values: On, Off. Default: Off. Note: If this option is activated in parallel with the Use configuration file option, then the file selected here will be used when the program starts and changes made to the program s
536. rotocol by the LCP echo request and the associated LCP echo reply. The LCP echo request is a query in the form of a data packet which is transferred to the remote station along with the data. The connection is reliable and stable if a valid response to this request for information is returned (LCP echo reply). This request is repeated at defined intervals so that the connection can be continually monitored. What happens when there is no reply? First, a few retries will be initiated to exclude the possibility of any short-term line interference. The line will be dropped and an alternative route sought if all the retries remain unanswered. If, for example, the high-speed connection refuses to work, an existing ISDN port can open the way to the Internet as a backup. Note: During remote access of individual workstations with Windows operating systems we recommend switching off the regular LCP requests, since these operating systems do not reply to LCP echo requests. Note: The LCP request behavior is configured in the PPP list for each individual connection. The intervals at which LCP requests should be made are set by the entries in the Time and Retr. fields, along with the number of retries that should be initiated without a response before the line can be considered faulty. LCP requests can be switched off entirely by setting t
537. rror detection method used, internal state of modem management (e.g. device detection, interface deactivated, modem initialization, modem ready, connection establishment, modem in data mode). These messages may be very helpful for debugging purposes. 11.14.8 Trace output: The command trace serial allows you to start the trace output for the serial interface in a Telnet session when a BAT has a modem connected. The output shows all messages exchanged up until the establishment of data transfer between the modem and the BAT. 11.14.9 Configuration of remote sites for V.24 WAN interfaces: To establish a connection to a remote station via the modem connected to the serial interface, a corresponding entry in the remote site list (ISDN/serial) must be generated. The remote sites list (ISDN/serial) contains the following information. Name: name of the remote device. Telephone number: telephone number that reaches the remote site. The field can be left empty if calls are to be received only. Hold time: This time defines how long a connection is kept active even if no more data is being transferred. If a zero is entered the connection will not be interrupted automatically. A hold time of 9999 means that the connection is permanently held open. If it is interrupted then the connection will be actively opened up again. This behavior is known a
538. rs in the LAN the public IP address to communicate with remote stations in the Internet. The computers in the LAN use the router as a gateway but are recognizable themselves. The router divides the intranet from the internet. 11.4.1 Simple masquerading. How does IP masquerading work? Masquerading makes use of a characteristic of TCP/IP data transmission, which is to use port numbers for destination and source as well as the source and destination addresses. When the router receives a data packet for transfer it now notes the IP address and the sender's port in an internal table. It then gives the packet its unique IP address and a new port number, which could be any number. It also enters this new port on the table and forwards the packet with the new information. [Figure: the outgoing packet from the LAN computer (Source 10.0.0.100, Target 80.123.123.123) is rewritten by the router (internal IP 10.0.0.1, public IP 80.146.74.146) to Source 80.146.74.146 Port 3456, Target 80.123.123.123; table entry 10.0.0.100 / 3456.] The response to this new packet is now sent to the IP address of the router with the new sender port number. The entry in the internal table allows the router to assign this response to the original sender again. [Figure: the returning packet Source 80.123.123.123, Target 10.0.0.100 is rebuilt from Source 80.123.123.123, Target 80.146.74.1
539. rs is required to display a HEX key. Select the length and the format (ASCII or HEX) of the key depending on the best option available in the wireless network cards that register with your WLAN. If the encryption in an access point is set to WEP 152, some clients may not be able to log into the WLAN as their hardware does not support the key length. 3.4.2 General WLAN settings. Country setting: Regulations for the operation of WLAN cards differ from country to country. The use of some radio channels is prohibited in certain countries. To limit the operation of the BAT access points to the parameters that are allowed in various countries, all physical WLAN interfaces can be set up for the country where they are operated. Configuration with LANconfig: For the configuration with LANconfig the country settings can be found in the configuration area Interfaces on the tab Wireless LAN in the group General. [Screenshot: Configure > Interfaces > Wireless LAN > General, with the country selection list (e.g. Germany, Ghana, Greece, Guatemala) and the checkboxes ARP handling and Broken LAN link detect.] This group includes two other parameters in addition to the country setting. ARP handling: Mobile stations in the wireless network that are on standby do not answer the ARP
541. rtain protocols are reduced rather than all packets globally on that interface. For BAT devices with VoIP functions that were already integrated or added in with a software option, fragmentation and PMTU reduction can be set separately for SIP calls. LANconfig: The length reduction of the data packets is set in LANconfig when defining the QoS rule. [Screenshot: Firewall rule dialog, tab QoS, with the conditions Action only for default route (i.e. internet), Action only for DiffServ CP BE, Action only for send packets, Action only for received packets; the action Grant minimum bandwidth; and the fields Fragmentation of other packets (Bytes) and Reduction of PMTU (PMTU Bytes).] WEBconfig/Telnet: For configuration with WEBconfig or Telnet the reduction is entered at the following places in a new Firewall rule: by parameter %P for PMTU reduction (Path MTU; MTU = Maximum Transmission Unit) and %F for the fragment size. Configuration tool / Run: WEBconfig: Setup > IP router > Firewall > Rule list. Telnet: Setup > IP router > Firewall > Rule list. 9.8 QoS for WLANs (IEEE 802.11e). Note: PMTU reduction and fragmentation ref
542. rtain way by the access point. It may be necessary, for example, to operate a public wireless network without any encryption simultaneously with a protected (802.11i/WPA or WEP encrypted) wireless network that excludes unauthorized parties. The Multi-SSID function of the BAT access points is ideally suited to scenarios like this. This function enables a physical WLAN interface of an access point to be assigned more than one SSID. Up to eight different logical radio cells, each with its own SSID, can be supported by a single WLAN interface. [Figure: one access point serving several SSIDs (e.g. PUBLIC) connected to the LAN.] 3.2 Development of WLAN security: The WLAN standards WPA and 802.11i are currently redeeming the reputation of WLAN security, an issue which has recently been under attack. The processes incorporated into the original standard proved insufficient in practice. This lack led on the one hand to a series of proprietary extensions of the standard like CKIP from Cisco or KeyGuard from Symbol Technologies, and on the other hand to solutions which offered the required security on higher protocol layers with tools like PPTP or IPSec. All these processes are quite functional but they introduce limitations, for instance those relative to interoperability or data transmission rates. In the standard 802.11i, released in Summer 2004, the IEEE Committee has redefined the topi
543. ruders take for the access to your network. Note: We denote the intrusion into protected networks in the following as attack, according to the general usage, and the intruder thus as attacker. 8.1.1 The dangers: The dangers in the Internet arise in principle from completely different motives. On the one hand the perpetrators try to enrich themselves personally or to damage the victims systematically. By the ever-increasing know-how of the perpetrators, hacking has already become a kind of sport in which young people often measure who takes the hurdles of Internet security first. Regardless of the individual motivation, the intention of the perpetrators mostly leads to the following aims: inspect confidential information such as trade secrets, access information, passwords for bank accounts etc.; use of LAN workstations for purposes of the attackers, e.g. for the distribution of own contents, attacks on third workstations etc.; modify data of LAN workstations, e.g. to obtain even further ways for access; destroy data on the workstations of the LAN; paralyze workstations of the LAN or the connection to the Internet. Note: We restrict ourselves in this section to the attacks on local networks (LAN) resp. on workstations and servers in such LANs. 8.1.2 The ways of the perpetrators: In order to undertake their objectives the perpetrators n
544. s > WLAN > Interfaces > Radio Settings. Terminal/Telnet: cd Setup > Interfaces > WLAN > Interfaces > Radio settings. Point-to-point connections: Access points are not limited to communications with mobile clients; they can also transfer data from one access point to another. On the Point-to-Point tab of the physical interface settings you can allow the additional exchange of data with other access points. You can select from: [Screenshot: Physical WLAN settings, WLAN interface, tab Point-to-Point. Point-to-Point operation mode: Off (this access point can only communicate with mobile stations); On (this access point can also communicate with other access points to connect several local wireless networks); Exclusive (this access point can only communicate with other access points; mobile stations cannot connect to this access point, pure WLAN bridge). Option Do not forward among P2P links on the same interface; Channel Selection Scheme; MAC address fields Access point 1, Access point 2.] Point-to-point Off: The access point only communicates with mobile clients. Point-to-point On: The access point can communicate with other access points and with mobile clients. Point-to-point Exclusive: The access point only communicates with other access points. The input fields are for the MAC addre
545. s [Screenshot: LANmonitor list of connections with columns station or IP address, remote station (e.g. VPN_FTHEINEN, VPN_ETRABER, VPN_TNIO, VPN_MPLUM, VPN_MBAGSIK, INTERNET), connection type (VPN connection, Dial-up DSL), data sent, data received and online time in days and hours.] 5.6 Display functions in LANmonitor: name or IP address of the station; remote station used to establish the connection; type of connection (e.g. DSL or VPN); number of connections; data volume sent and received; online time. Activity log: The activity log is a detailed list of the connections via WAN, WLAN, VPN, LANCAPI and a/b port, and a list of firewall activities. The detailed information recorded includes: [Screenshot: Activity Log window with the columns Date and time, Source, Message, e.g. 2/4/2004 3:17:34 AM, VPN, No connection to PN_C
546. s enter either the MAC address of the WLAN card at the remote station or enter the WLAN station's name, depending on the chosen method of identification.
[Screenshot: Point-to-Point partners, P2P 1-1 tab: "Enable this Point-2-Point channel"; "Enter the WLAN access point to be interconnected via: Recognize by MAC address / Station name"; note "If you use recognition by MAC address, enter the WLAN adapter's MAC address and not the device MAC address"; fields MAC address and Station name (P2P_SLAVE)]
Danger: Please observe that only the MAC addresses of the WLAN cards at the other end of the connections are to be entered here, not the access point's own MAC address and not the MAC addresses from any other interfaces that may be present in the access points. You will find the WLAN MAC address on a sticker located under each of the antenna connectors. Only use the string that is marked as the WLAN MAC or MAC ID. The other addresses that may be found are not the WLAN MAC address but the LAN MAC address.
Alternatively you will find the MAC addresses for the WLAN cards in the devices under WEBconfig, Telnet or a terminal program under the following paths:
WEBconfig: Expert configuration > Status > WLAN statistics > Interface statistics
Terminal/Telnet: Status > WLAN statistics > Interface statistics
Con
547. s via bridge groups or with the interface assignment Any.
The networks are defined in a table. A unique name for the networks is set along with definitions for the address range and interface assignment. The network name allows the identification of networks in other modules (DHCP server, RIP, NetBIOS etc.) and enables control over which services are available in which networks.
[Screenshot: IP networks entry dialog with fields Network name, IP address, Netmask, Network type (Intranet), VLAN ID, Interface assignment (Any), Address check (Loose), Interface tag, Comment]
Configuration tool / Call:
LANconfig: TCP/IP > General > IP networks
WEBconfig, Telnet: Expert configuration > Setup > TCP/IP > Network list
> Network name: Unique name (16 characters) for referencing the network from other modules (DHCP server, RIP, NetBIOS etc.). By default the networks Intranet and DMZ are preset.
Note: If a network is deleted or renamed, all references to this network have to be corrected (e.g. DHCP, RIP, NetBIOS).
> IP address: BAT Router's IP address in this network.
> Netmask: Corresponding netmask.
> Network type: The type of network decides the masking of IP addresses if packets are received over the corresponding interface. Intranets are often masked; the private IP addresses used in this n
548. s are somewhat smaller, thereby allowing somewhat faster operation.
Generating key pairs
The pairs consisting of public and private keys can be generated with the help of OpenSource software, OpenSSH for example. The following command from a Linux operating system creates a key pair consisting of the public part (id_rsa.pub) and the private part (id_rsa):
ssh-keygen -t rsa
Entering users into the public key
The public keys are generated in the following syntax:
<Encryption algorithm> <Public key> <User>
> Further users: In order to grant access to additional users with this key, the respective user names are simply attached to the existing key file.
> Installing the private key on the SSH client: The private part of the key must be installed on the SSH client. Refer to the documentation for information on the steps required for your SSH client.
> Load public key into the BAT Router: The public key(s) can be uploaded to the BAT Router using WEBconfig. For this, select the entry Upload certificate or file on the WEBconfig start page. In the following dialog select the type of key (SSH RSA key or SSH DSA key), select the file and enter the password if required. Entering the Upload command initiates the transfer to BAT.
Configuring the authentication methods
The authentication methods permitted for SSH access c
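The key-line format described above, as an added Python example (not from the manual or the BAT firmware): it parses a line of the form <Encryption algorithm> <Public key> <User>, checks that the base64 blob really carries the declared algorithm before the line is accepted for upload, and appends further user names the way the text describes. The RSA parameters used to construct the sample line are tiny placeholders, not a usable key.

```python
import base64
import struct

# Format of a public key line as described in the manual:
#   <Encryption algorithm> <Public key> <User> [<further user> ...]
# The <Public key> field is base64; in the OpenSSH wire format the decoded
# blob starts with a length-prefixed copy of the algorithm name, so the two
# fields can be cross-checked before the line is accepted for upload.

SUPPORTED_ALGORITHMS = {"ssh-rsa", "ssh-dss"}  # the RSA/DSA key types the upload dialog offers


def _ssh_string(data: bytes) -> bytes:
    """SSH 'string' encoding: uint32 big-endian length prefix followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """SSH 'mpint' encoding: minimal big-endian two's complement, leading 0x00 if the high bit is set."""
    if value == 0:
        return _ssh_string(b"")
    return _ssh_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))


def build_rsa_public_blob(e: int, n: int) -> str:
    """Base64 blob for an RSA public key: string 'ssh-rsa', mpint e, mpint n.
    Used here only to construct test input; e and n are placeholders, not a real key."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return base64.b64encode(blob).decode("ascii")


def parse_key_line(line: str) -> dict:
    """Split a key line into algorithm, key blob and users; raise ValueError on malformed input."""
    fields = line.strip().split()
    if len(fields) < 3:
        raise ValueError("expected: <algorithm> <public key> <user> [further users]")
    algorithm, key_b64, users = fields[0], fields[1], fields[2:]
    if algorithm not in SUPPORTED_ALGORITHMS:
        raise ValueError(f"unsupported algorithm {algorithm!r}")
    try:
        blob = base64.b64decode(key_b64, validate=True)  # rejects non-base64 characters
    except ValueError as exc:                             # binascii.Error is a ValueError
        raise ValueError("public key is not valid base64") from exc
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != algorithm.encode("ascii"):
        raise ValueError("key blob does not carry the declared algorithm")
    return {"algorithm": algorithm, "key": key_b64, "users": users}


def is_valid_key_line(line: str) -> bool:
    """True if the line parses and the blob matches the declared algorithm."""
    try:
        parse_key_line(line)
        return True
    except ValueError:
        return False


def add_users(line: str, new_users) -> str:
    """Grant further users access with the same key by appending their names (no duplicates)."""
    entry = parse_key_line(line)
    users = list(entry["users"])
    for user in new_users:
        if user not in users:
            users.append(user)
    return " ".join([entry["algorithm"], entry["key"], *users])


# Constructed sample line (tiny, non-secret RSA parameters; not a usable key).
SAMPLE_LINE = "ssh-rsa " + build_rsa_public_blob(65537, 0xC0FFEE) + " admin"

if __name__ == "__main__":
    print(parse_key_line(SAMPLE_LINE))
    print(add_users(SAMPLE_LINE, ["ops", "admin"]))
```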
549. s are slightly delayed after the actual event but are always in the correct sequence. This will not usually hamper interpretation of the displays, but should be taken into consideration if making precise analyses.
6.1.1 How to start a trace
Trace output can be started in a Telnet session. Set up a Telnet connection to your device. The command to call up a trace follows this syntax:
trace [code] [parameters]
The trace command, the code, the parameters and the combination commands are all separated from each other by spaces.
6.1.2 Overview of the keys
This code in combination with the trace causes the following displays:
> a help text
> switches on a trace output
> switches off a trace output
> switches between different trace outputs (toggle)
> no code: displays the current status of the trace
6.1.3 Overview of the parameters
Note: The available traces depend individually on the particular model and can be listed by entering trace with no arguments on the command line.
This parameter brings up the following display for the trace:
> Status: status messages for the connection
> Error: error messages for the connection
> IPX router: IPX routing
> PPP: PPP protocol negotiation
> SAP: IPX Service Advertising Protocol
> IPX watchdog: IPX watchdog spoofing
> SPX watchdog: SPX watchdog spoofing
550. s is where you can make further settings for your physical wireless LAN interface: Physical WLAN settings. This is where you can make further settings for each logical wireless LAN network (MultiSSID): Logical WLAN settings.
[Screenshot: list of logical WLAN networks, WLAN network 1 On, WLAN network 2 Off, WLAN network 3 Off]
Network settings
> Enabling: The switch "WLAN network enabled" enables the logical WLAN to be switched on or off separately.
> Set the SSID: Define an unambiguous SSID (network name) for each of the logical wireless networks on the Network tab for the logical interfaces. Only network cards that have the same SSID can register with this wireless network.
[Screenshot: Logical WLAN settings, WLAN interface 1, Network 1, Network tab: Network name (SSID) WLAN_SSID; "This radio network cannot be accessed with the network name ANY (closed network)"; MAC filter enabled; Maximum count of clients 0; Client Bridge Support]
Closed network mode
You can operate your wireless LAN either in public or private mode. A wireless LAN in public mode can be contacted by any mobile station in the area. Your wireless LAN is put into private mode by activating the closed network function. In this operation mode, mobile stations that do not know the network name (SSID)
551. s keep-alive 2 / Hold time: Is ignored.
Layer name: The layer V.24_DEF is selected for the connection over the serial WAN interface. The layer is preset and does not need further configuration. The layer V.24_DEF uses the following settings:
> Encapsulation: Transparent
> Layer 3: APPP (asynchronous PPP)
> Layer 2: Transparent
> Options: none
> Layer 1: SERIAL shows that the serial interface is being used for connections via the layer V.24_DEF
[Screenshot: Configure Communication, Remote Sites tab: "This is where to configure the individual remote sites to which you want your router to establish connections and transfer data", with Name list (DSL) and Name list (ISDN/serial); remote site list with columns Name, Phone number, Short hold, Short hold 2, Call; entry DEFAULT, 90 seconds, 90 seconds, off; RoundRobin list; Polling table: "In this table you can specify up to 4 IP addresses for each remote site. These IP addresses will be traced to check the connection"]
The remote site list with the remote sites for the modem at the serial interface can be found under the following paths:
LANconfig: Communication > Remote sites > Name list (ISDN)
WEBconfig: Expert configuration > Setup > WAN > Dialup Peers
Terminal/Telnet: Setup > WAN > Dialup Peers
552. s network, all of which use the BAT Router as superordinate DHCP server, then the assignment of IP addresses and standard gateway to the clients can take place as follows:
[Screenshot: DHCP networks, New Entry: Network name 10.1.1 (abbreviated GI address); DHCP server enabled Yes; Evaluate broadcast bit; Addresses for DHCP clients: First address 10.1.1.100, Last address 10.1.1.105, Netmask 255.255.255.0, Broadcast 0.0.0.0, Default gateway]
Caution: To operate as DHCP relay server it is imperative that the address pool and the netmask are given.
DNS resolution of names learned via DHCP
The DNS server considers the interface tags when resolving names learned via DHCP, i.e. the only names to be resolved are those which were learned from a network with the same interface tag as the requesting computer. If the request arrives from an untagged network, then all names are resolved, including those that were learned via tagged networks. Similarly, all names that were learned from untagged networks are visible for tagged networks. Names learned from relay agents are handled as though they were learned from an untagged network, i.e. these names are visible to all networks.
11.7.3 NetBIOS proxy
For security reasons the behavior of the NetBIOS proxy has to be adjusted to the relevant networks, for example beca
553. s of the configuration. Instead of the entire configuration, smaller sections of it can be read out from a device, e.g. just the firewall settings. Just as with complete configurations, sections can be edited and transferred to one or more devices. This allows the particular settings in a device to be uploaded to other models or devices with a different version of the firmware.
> Automated configuration updates: The centralized storage of configuration scripts in combination with scheduled LCOS commands (cron jobs) can be used to keep vital sections of the configuration in multiple devices up to date, e.g. the encryption settings for a WLAN.
> Convenient roll-out for larger installations: The installation of multiple devices at different locations can be very easily controlled from a central location. Even employees without administrator rights can then set up the devices with a single command.
> Storage of configuration to volatile memory only: Scripting commands can store configuration changes in RAM only, whereby storage of configuration information to the non-volatile flash memory is prevented. This ensures that the configuration is available only until the next system boot, so that in case of theft, for example, sensitive elements of the configuration cannot fall into the wrong hands.
> Configuration changes in test mode: The same mechanism allows ch
554. s operation mode when you are operating the BAT Wireless Router in access point mode.
> Client signal strength: In this operation mode this LED displays the signal strength of the access point with which the BAT Wireless Router has registered itself as a client. The faster the LED blinks, the better the signal. Select this operation mode only if you are operating the BAT Wireless Router in client mode.
> P2P1 to P2P6 signal strength: In this operation mode the LED displays the signal strength of the respective P2P partner with which the BAT Wireless Router forms a P2P path. The faster the LED blinks, the better the signal.
3.4.5 The logical WLAN interfaces
Every physical WLAN interface can support up to eight different logical wireless networks (Multi-SSID). Parameters can be defined specifically for each of these networks without the need of additional access points.
Configuration with LANconfig
For configuration with LANconfig you will find the settings for the logical WLAN interface under the configuration area Interfaces on the Wireless LAN tab. Open the list of logical WLAN interfaces by clicking on the button Logical WLAN settings and select the required logical interface.
[Screenshot: Configure Interfaces, tabs LAN, Wireless LAN, WAN, Modem, VLAN. General: "This is where you can make settings for all wireless LAN interfaces in common": Country Germany; ARP handling; Broken LAN link detection] Interfaces: Thi
555. s priorities by referring to the VLAN tags or, in the absence of these, by the DiffServ fields of IP packets. Delay times (jitter) are kept below 2 milliseconds, a magnitude which is inaudible to the human ear. 802.11e controls access to the transfer medium with EDCF, the Enhanced Distributed Coordination Function.
Note: Priorities can only be set if the WLAN client and the access point both support 802.11e (or WMM) and also if the applications are able to mark the data packets with the corresponding priorities.
A BAT access point can activate 802.11e for each of its physical WLAN networks separately.
[Screenshot: Physical WLAN settings, WLAN interface 2, Performance tab. Super A/G: Use T-burst (bundling of WLAN frames); Use hardware compression; "The 108 MBit/s turbo mode can be switched on the Radio page". Quality of Service: Enable QoS]
Data packets with the highest priority are forwarded before packets with lower priority. With QoS disabled, the packet prioritization is not taken into account; all packets are treated equal.
LANconfig: Interfaces > Wireless LAN > Physical WLAN settings > Performance
WEBconfig, Telnet: Expert Configuration > Setup > Interfaces > WLAN > Performance
Virtual LANs (VLANs) 1
556. s the Internet.
Constraint: The BAT can be accessed directly by the users in the LAN as a router, firewall and gateway, i.e. there are no other routers in between them. The computers in Purchasing are assigned with an IP address from a certain address range, e.g. 192.168.100.200 to 192.168.100.254, from the list of addresses for dial-in connections (LANconfig > TCP/IP > Addresses).
Note: The BAT itself is in a different IP address range.
[Screenshot: Configure TCP/IP, Addresses tab: "Here you can specify the addresses assigned to the remote sites when dialing in"; Address pool for in-dialing accesses: First address 192.168.100.200, Last address 192.168.100.254; Name server addresses]
To prevent users from bypassing the authentication, a DENY ALL rule is defined in the firewall to stop local connections from being established. The user Purchasing is then entered into the PPP list (LANconfig > Communication > Protocols) without a user name but with a password which is to be used by all staff members in the department, and authentication (encrypted) is set up as CHAP. Both IP routing and NetBIOS (Windows Networking) are to be activated for this PPP user.
[Screenshot: PPP list, New Entry: Remote site PURCHASING; User name; Password; Activate IP routing; Activate NetB]
557. s two networks at once. In the first step a Ping (ICMP echo request) packet with a falsified sender address is sent to the broadcast address of the first network, whereupon all workstations in this network answer with an ICMP echo reply to the falsified sender address, which is located in the second network. If the rate of incoming echo requests is high enough, as well as the number of answering workstations, then the entire incoming traffic of the second network is blocked during the attack, and moreover the owner of the falsified address cannot receive normal data any more during the attack. If the falsified sender address is the broadcast address of the second network, all workstations in this network are blocked too. In this case the DoS recognition of the BAT blocks passing packets which are addressed to the local broadcast address.
LAND
The LAND attack is a TCP packet that is sent with the SYN flag set and a falsified sender address to the victim workstation. The bottom line is that the falsified sender address is equal to the address of the victim. With an unfortunate implementation of TCP, the victim interprets the sent SYN/ACK again as SYN and a new SYN/ACK is sent. This leads to a continuous loop which lets the workstation freeze. In a more up-to-date variant the loopback address 127.0.0.1 is taken as sender address, but not the address of the attacked workstation. The sense of this deception is to outwit personal firewalls
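The two recognition rules described above, as an added detection example in Python (not from the manual or the BAT firmware): a classifier that flags ICMP echo requests addressed to a local broadcast address and initial TCP SYNs whose sender address equals the victim or lies in the loopback range, run over constructed sample packets. The local networks and all addresses are assumptions taken from documentation ranges.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

# Constructed example: the networks on the router's local interfaces (hypothetical).
LOCAL_NETS = [IPv4Network("192.168.1.0/24"), IPv4Network("10.0.0.0/24")]
LOOPBACK_NET = IPv4Network("127.0.0.0/8")
ICMP_ECHO_REQUEST = 8


@dataclass(frozen=True)
class Packet:
    """Minimal view of the header fields the two checks need."""
    proto: str                        # "icmp" or "tcp"
    src: str
    dst: str
    icmp_type: Optional[int] = None   # ICMP only
    syn: bool = False                 # TCP only
    ack: bool = False                 # TCP only


def is_local_broadcast(addr: str, nets=LOCAL_NETS) -> bool:
    """Directed broadcast of one of the local networks, or the limited broadcast address."""
    a = IPv4Address(addr)
    return a == IPv4Address("255.255.255.255") or any(a == n.broadcast_address for n in nets)


def classify(pkt: Packet, nets=LOCAL_NETS) -> Optional[str]:
    """Name the recognised pattern, or return None if the packet may pass."""
    src, dst = IPv4Address(pkt.src), IPv4Address(pkt.dst)
    # Smurf: an echo request aimed at a broadcast address makes every host in
    # that network reply to the (possibly forged) sender; the text says the
    # router drops passing packets addressed to the local broadcast address.
    if pkt.proto == "icmp" and pkt.icmp_type == ICMP_ECHO_REQUEST and is_local_broadcast(pkt.dst, nets):
        return "smurf: ICMP echo request to local broadcast address"
    # LAND: an initial SYN whose source equals the destination, or (newer variant)
    # comes from the loopback range, cannot be a legitimate connection attempt.
    if pkt.proto == "tcp" and pkt.syn and not pkt.ack:
        if src == dst:
            return "land: SYN with sender address equal to the victim"
        if src in LOOPBACK_NET:
            return "land variant: SYN with loopback sender address 127.0.0.0/8"
    return None


def filter_packets(packets: List[Packet], nets=LOCAL_NETS) -> Tuple[List[Packet], List[Tuple[Packet, str]]]:
    """Split packets into those that pass and those blocked, with the reason for each block."""
    passed, blocked = [], []
    for pkt in packets:
        reason = classify(pkt, nets)
        if reason:
            blocked.append((pkt, reason))
        else:
            passed.append(pkt)
    return passed, blocked


# Constructed sample traffic (addresses from documentation ranges, not real hosts).
SAMPLE_PACKETS = [
    Packet("icmp", "203.0.113.5", "192.168.1.255", icmp_type=ICMP_ECHO_REQUEST),   # smurf
    Packet("icmp", "192.168.1.20", "192.168.1.10", icmp_type=ICMP_ECHO_REQUEST),   # ordinary ping
    Packet("tcp", "10.0.0.7", "10.0.0.7", syn=True),                               # LAND
    Packet("tcp", "127.0.0.1", "10.0.0.7", syn=True),                              # LAND variant
    Packet("tcp", "10.0.0.8", "10.0.0.7", syn=True),                               # normal SYN
    Packet("tcp", "10.0.0.7", "10.0.0.8", syn=True, ack=True),                     # normal SYN/ACK
]

if __name__ == "__main__":
    passed, blocked = filter_packets(SAMPLE_PACKETS)
    for pkt, reason in blocked:
        print(f"blocked {pkt.src} -> {pkt.dst}: {reason}")
    print(f"{len(passed)} packets passed")
```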
558. sage measures leads automatically to an entry in the Firewall event table.
> Disconnect: Cuts the connection over which the filtered packet has been received.
Note: On this occasion the physical connection will be cut off (e.g. the Internet connection), not only the logical connection between the two involved PCs.
> Lock source address: Blocks the IP address from which the filtered packet has been received for a given time.
> Lock target port: Blocks the destination port to which the filtered packet has been sent for a given time.
Quality of Service (QoS)
Apart from the restrictions for the transfer of data packets, the Firewall can also concede a special treatment to certain applications. QoS settings use features of the Firewall to specifically identify data packets of certain connections or services.
Note: For further information about QoS and the appropriate configuration please see chapter Quality of Service, page 311.
8.3.5 Alerting functions of the Firewall
This paragraph describes in detail the Firewall alerts that are sent on security-relevant events. The following message types are available:
> Email notification
> SYSLOG report
> SNMP trap
Alerts are triggered either separately by the intrusion detection system, by the denial-of-service protection, or by arbitrary trigger conditions specified in the Firewall. The specific parameters for
559. sages
[Screenshot: SYSLOG clients, New Entry: IP address 10.1.1.88; Source IP address LOOPBACK1; Source: System, Login, System time, Console login, Connections, Accounting, Administration, Router; Priority: Alert, Error, Information, Debug]
Configuration tool / Menu, Table:
LANconfig: Log & Trace > SYSLOG > SYSLOG clients
WEBconfig, Telnet: Expert configuration > Setup > SYSLOG > SYSLOG table
> IP address: IP address of the SYSLOG client.
> Loopback address: Sender address entered into the SYSLOG message. No answer is expected to a SYSLOG message. The following can be entered as the loopback address:
> Name of a defined IP network
> INT for the IP address in the first network with the setting Intranet
> DMZ for the IP address in the first network with the setting DMZ
Note: If the list of IP networks or loopback addresses contains an entry named DMZ, then the associated IP address will be used.
> Name of a loopback address
> Any other IP address
> Source:
> System: System messages (boot events, timer system etc.)
> Logins: Messages concerning the user's login or logout during the PPP negotiation and any errors that occur during this
> System time: Messages about changes to the system time
> Console logins: Messages about console logins (Telnet, Outba
560. se as a client. Tx stands for "Send data" and Rx stands for "Receive data".
Configuration with LANconfig
The maximum bandwidths for a device in client mode are entered in LANconfig in the Interfaces configuration area, on the Wireless LAN tab page, for the Physical WLAN Settings on the Client Mode tab page.
[Screenshot: Physical WLAN settings, WLAN interface 1 (internal), Client mode tab: Network types Infrastructure; Create IBSS; Keep client connection alive; Scan bands All; Preferred BSS; Address Adaption; Client Bridge Support; TX bandwidth limit 1 000; RX bandwidth limit 1 000]
Configuration with WEBconfig, Telnet or SSH
Under WEBconfig, Telnet or SSH client you will find the client settings under the following paths:
WEBconfig: Expert configuration > Setup > Interfaces > WLAN > Client modes
Terminal/Telnet: Setup > Interfaces > WLAN > Client Modes
3.10 WLAN according to 802.11h
3.10.1 Standards
IEEE standards
In November 2002 the 5 GHz band was released for private use in Germany and opened up the path for significantly faster WLAN connections according to the IEEE 802.11a standard, which had already been available for a while. The wider use of 5 GHz WLANs was, however, restricted by its exclusive use in closed
561. section explains the structure of the IP routing table of a Hirschmann router as well as the additional functions available to support IP routing.
11.2.1 The IP routing table
The IP routing table is used to tell the router which remote station (which other router or computer) it should send the data for particular IP addresses or IP address ranges to. This type of entry is also known as a route, since it is used to describe the path of the data packet. This procedure is also called static routing, since you make these entries yourself and they remain unchanged until you either change or delete them yourself. Naturally, dynamic routing also exists. The routers use the routes in this way to exchange data between themselves and continually update it automatically. The IP router looks at the static and the dynamic routing table when IP RIP is activated.
You also use the IP routing table to tell the router the length of this route's path, so that it can select the most suitable route (in conjunction with IP RIP) where there are several routes to the same destination. The default setting for the distance to another router is 2, i.e. the router can be reached directly. All devices which can be reached locally, such as other routers in the same LAN or workstation computers connected via proxy ARP, are entered with the distance 0. The quality lev
562. security from eavesdroppers than the older WEP can. It is very easy to handle a passphrase as a central key; a RADIUS server, such as that for 802.1x installations, is not required. However, the use of WPA and IEEE 802.11i still has some weak spots:
> A passphrase applies globally for all WLAN clients.
> The passphrase may fall into unauthorized hands if treated carelessly.
> The leaked passphrase then offers any attacker free access to the wireless network.
This means in practice that, should the passphrase go missing or an employee with knowledge of the passphrase leave the company, then the passphrase in the access point really needs to be changed, in every WLAN client too. As this is not always possible, an improvement would be to have an individual passphrase for each user in the WLAN instead of a global passphrase for all WLAN clients. In the case mentioned above, the situation of an employee leaving the company requires merely his personal passphrase to be deleted; all others remain valid and confidential.
With LEPS (LANCOM Enhanced Passphrase Security) there is an efficient method that makes use of the simple configuration of IEEE 802.11i with passphrase, but that avoids the potential security loopholes that come with global passphrases. LEPS uses an additional column in the ACL (access control list) to assign an individual passphrase consisting of any 8 to 63 ASCII characters to each MAC address. The connection to the access point and the s
563. sed in the order of their index. Occasionally variables (actions) with neighboring index numbers require a new entry to be entered between them. With this action the indices can automatically be renumbered with a certain interval between them. When being executed, the arguments can be defined with the start value and increment. This action renumbers the entries starting with the start value and continuing with the increment as chosen. If the start value and increment are not defined, both are set automatically to 10. If no arguments are entered, the action renumbers the indices with 10, 20, 30 etc.
5.6 Display functions in LANmonitor
LANmonitor supports the administration of the BAT applications by offering a range of functions that simplify the surveillance of devices at widely dispersed locations. The overview of devices monitored by LANmonitor already shows the most important information about the status of the devices:
[Screenshot: LANmonitor device overview. Device LC1621: Internet (DSL Line 1) Not ready, error "ISDN Connection establishment Failed, D channel layer 2, 0x0082"; ISDN Line 1 Ready; ISDN Line 2 Ready; DSLoL Line Ready; firewall events, e.g. 5.1.2004 14:34:43 Packet dropped, DoS protection: UDP packet from 127.0.0.1 (port 68) to 255.255.255.255 (port 67); 4.12.2003 9:59:28 Packet dropped, intruder detection: Packet of protocol 0 from 1
564. serial interface 452
11.14.11 Contact assignment of BAT modem adapter kit 453
11.15 Manual definition of the MTU 453
11.15.1 Configuration 454
11.15.2 Statistics 454
11.16 WAN RIP 454
11.17 The rapid spanning tree protocol 456
11.17.1 Classic and rapid spanning tree 457
11.17.2 Improvements from rapid spanning tree 457
11.17.3 Configuring the Spanning Tree Protocol 458
11.17.4 Status reports via the Spanning Tree Protocol 461
12 More services 465
12.1 Automatic IP address administration with DHCP 465
12.1.1 The DHCP server 465
12.1.2 DHCP on, off, auto, client or forwarding 466
12.1.3 How are the addresses assigned? 467
12.2 Vendor Class and User Class Identifier on the DHCP Client 472
12.3 DNS 473
12.3.1 What does a DNS server do? 473
12.3.2 DNS forwarding 474
12.3.3 Setting up the DNS server 475
12.3.4 URL blocking 478
12.3.5 Dynamic DNS 479
12.4 Accounting 481
12.5 The SYSLOG module 484
12.5.1 Setting up the SYSLOG module 484
12.5.2 Example configuration with LANconfig 484
12.6 Time server for the local net 486
12.6.1 Configuration of the time server under LANconfig 487
12.6.2 Configuration of the time server with WEBconfig or Telnet 488
12.6.3 Configuring the NTP clients 488
12.7 Scheduled Events 491
12.7.1 Regular Execution of Commands 491
12.7.2 CRON jobs with time delay 492
12.7.3 Configuring the CRON job 493
12.8 PPPoE Servers 495
12.8.1 Introduction 495
1
565. service provider. So the LAN administrator of the service provider has an up-to-date view of the state of the devices at any time. The individual networks can be structured very differently: clients A and B integrate their branches with their own networks via VPN connections to their LAN, client C operates a network with several public WLAN base stations as hot spots, and client D has got an additional router for ISDN dial-up accesses in his LAN.
Note: The networks of client A and B use different address ranges in the respective head office and the connected branches. A standard network coupling via VPN is therefore possible between these networks.
In order to avoid the effort of building up its own VPN tunnel to each individual subnetwork of the clients A and B, the service provider makes only one VPN connection to the head office and uses the existing VPN lines between head office and branches for communication with the branches.
Traps from the networks report to the service provider whether e.g. a VPN tunnel has been built up or cut, if a user has tried to log in three times with a wrong password, if a user has applied for a hot spot, or if somewhere a LAN cable has been pulled out of a switch.
Note: A complete list of all SNMP traps supported by BAT can be found in the appendix of this user manual (configuration: SNMP Traps, page
566. sion that follows. A collision between the very short RTS packets is improbable, although the use of RTS/CTS leads to an increase in overhead. The use of this procedure is only worthwhile where long data packets are being used and the risk of collision is higher. The RTS threshold is used to define the minimum packet length for the use of RTS/CTS. The best value can be found using trial-and-error tests on location.
Long preamble for 802.11b: Normally the clients in 802.11b mode negotiate the length of the preamble with the access point. Long preamble should only be set when the clients require this setting to be fixed.
3.4.6 Additional WLAN functions
Apart from the different encryption methods (802.11i/AES, WPA/TKIP or WEP) and the closed network, a variety of other functions exist for securing the operation of a wireless network. The Redirect function provides convenient control over the connection of WLAN clients in changing environments. As this function has significance to other modules of the BAT LCOS, the configuration parameters are to be found outside of the WLAN settings.
Redirect function
Clients within wireless networks often have one main aspect in common: a high degree of mobility. The clients are thus not always connected to the same access point, but frequently change between access points and the related LANs.
567. software. There are various ways of carrying out a firmware upload, all of which produce the same result:
> LANconfig
> WEBconfig
> Terminal program
> TFTP
All settings will remain unchanged by a firmware upload. All the same, you should save the configuration first for safety's sake (with Device > Configuration Management > Save to File if using LANconfig, for example). Before uploading you should also save a version of the current firmware. If you do not have the firmware as a file, you can download it from www.hirschmann.com.
If the newly installed release contains parameters which are not present in the device's current firmware, the device will add the missing values using the default settings.
LANconfig
When using LANconfig, highlight the desired device in the selection list and click on Device > Firmware Upload, or click directly on the Firmware Upload button. Then select the directory in which the new version is located and mark the corresponding file. LANconfig then tells you the version number and the date of the firmware in the description and offers to upload the file. The firmware you already have installed will be replaced by the selected release by clicking Open.
You also have to decide whether the firmware should be permanently activated immediately after loading, or set a testing period during which you will activate the firmware yourself. To activate the firmware during the set test period, click
568. spaces and the relatively low transmission power.
With the 802.11h enhancement in September 2003 the private use of the 5 GHz band was finally possible even outside closed spaces. To protect military applications in the 5 GHz band, the DFS (Dynamic Frequency Selection) and TPC (Transmission Power Control) procedures were prescribed. Moreover, the use of DFS and TPC can achieve significantly higher transmission powers (maximum 1000 mW) than the other standards that were previously valid.
ETSI standards
ETSI adopted the first standard for controlling remote data transfers back in 1996 under the name of Hiperlan (High Performance Radio Local Area Networks). The first version, Hiperlan Type 1, was intended for use in the frequency range of 5.15 to 5.30 GHz with a transmission rate of 20 MBit/s. As no manufacturers took up this standard, Hiperlan initially had no practical significance.
With the new version Hiperlan Type 2 in 2000, ETSI introduced a WLAN solution that operates in the 5 GHz band similarly to IEEE 802.11a and also provides a gross data rate of 54 MBps. However, as the frequencies and the OFDM modulation method that was also used for 802.11a overlapped, it was necessary to adapt the standards between IEEE and ETSI to avoid disruptions to the systems.
European harmonization
To standardize the use of the 5 GHz band i
569. specified DNS server are addressed. A typical application for special DNS forwarding results for a home workstation: the user wants to be able to connect to the company intranet and directly to the Internet at the same time. The requests sent into the intranet must be routed to the company DNS server and all other requests to the DNS server of the provider.

General DNS forwarding: All DNS requests that cannot be resolved in another way are forwarded to a DNS server. This DNS server is determined according to the following rules. Initially the router checks whether a DNS server has been entered in its own settings. If it is successful there, it obtains the desired information from this server. Up to two higher-level DNS servers can be specified. LANconfig: TCP/IP > Addresses > Primary DNS, Secondary DNS. WEBconfig: Expert Configuration > Setup > TCP-IP > DNS-default, DNS-backup. Terminal/Telnet: setup/TCP-IP/DNS-default, setup/TCP-IP/DNS-backup.

If no DNS server is entered in the router, it will attempt to reach a DNS server over a PPP connection (e.g. from the Internet provider) to get the IP address assigned to the name from there. This can only succeed if the address of a DNS server is sent to the router during PPP negotiation. If no connection exists, the default route is established and the DNS server is searched for there. This procedure does not req
570. sponses from the superordinate DHCP server by replacing the following entries with its own address or locally configured addresses: gateway, netmask, broadcast address, DNS server, NBNS server, server ID. This option is worthwhile if the superordinate DHCP server does not permit the separate configuration for DHCP clients in another network.

Multiple networks at one interface: With the configuration of IP and DHCP networks, multiple networks with different DHCP settings can be active at a logical interface. In this case the DHCP settings for the first suitable network are applied. A prioritization of networks may be necessary here.

11.7.2 DHCP relay server

A BAT Router is not limited to forwarding DHCP requests to superordinate DHCP servers; it can also function as a central DHCP server (DHCP relay server). In order for a BAT Router to be provided as a DHCP relay server to other networks, the relay agent IP address (GI address) is entered as the network name in the table of IP networks. If the same network is being used by several relay agents (e.g. multiple access points are forwarding requests to a central DHCP server), then the GI address can also be abbreviated with a wildcard. If, for example, clients in the remote network 10.1.1.0/255.255.255.0 are to be assigned with addresses and several relay agents are available in thi
571. sses of the WLAN cards for the point-to-point connections (up to 7).

Note: Please observe that only the MAC addresses of the WLAN cards at the other end of the connections are to be entered here, not the access point's own MAC address and not the MAC addresses from any other interfaces that may be present in the access points.

Configuration with WEBconfig or Telnet: Under WEBconfig or Telnet you can set the settings for the point-to-point connections under the following paths. WEBconfig: Expert configuration > Setup > Interfaces > WLAN Interfaces > Interpoint Settings. Terminal/Telnet: cd Setup > Interfaces > WLAN Interfaces > Interpoint Settings.

Client mode: If the BAT Wireless Router device is operating as a client, the tab Client mode can be used for further settings that affect the behavior as a client.

[Screenshot: Physical WLAN settings dialog, WLAN interface 1 (internal), Client mode tab: Network types (Infrastructure), Create IBSS, Keep client connection alive, Scan bands (2.4 GHz only), Preferred BSS ID, Address Adaption, Client Bridge Support]

Network types: Network types controls whether the station can register only with infrastructure networks or also with ad-hoc networks. Further information abou
572. sses, the following hints apply. Source and mapping can be assigned arbitrarily for the translation of single addresses. Thus, for example, it is possible to assign the mapping address 192.168.1.88 to a LAN server with the IP address 10.1.1.99. For translation of entire address ranges, the station-related part of the IP address will be taken directly and only appended to the network-related part of the mapping address. Therefore, in an assignment of 10.0.0.0/255.255.255.0 to 192.168.1.0, a server of the LAN with IP address 10.1.1.99 will get assigned the mapping address 192.168.1.99.

Note: The address range for translation must be at minimum as large as the source address range.

Note: Please notice that the N:N mapping functions are only effective when the firewall has been activated (Firewall/QoS enabled, page 265).

Additional configuration hints: By setting up address translation in the NAT table, the networks and workstations at first only become visible under another address in the higher network compound. But for a seamless routing of data between the networks some further settings are still necessary: entries in the routing tables, so that packets with new addresses find the way to their destination; DNS forwarding entries, in order that inquiries about certain devices in the respective other networks can be resolved into mapped IP addr
573. ssignment of the BAT Modem Adapter Kit differs from other commercial adapters like null modem cables or the like. The use of non-compliant accessories will cause serious damage to the BAT and/or the modem. For further details please refer to Contact assignment of BAT modem adapter kit, page 453.

11.14.4 Set the serial interface to modem operation

The operation of the serial interface requires the operating mode and bitrate to be set.

Operating mode (default: outband). Outband: In this mode the serial interface is only used for configuration with a terminal program. Modem: In the Modem setting the device attempts to find a modem connected to the serial interface. If this is successful, then the modem can be used as an additional WAN interface. If a computer running a terminal program is detected, then the device automatically switches the interface into outband mode. Interlink: Direct connection between two BAT devices.

Bitrate (default: 115,200 bps). Set the maximum bitrate supported by your modem. The serial interfaces of BAT devices support data rates of 19,200 bps, 38,400 bps, 57,600 bps, up to a maximum of 115,200 bps.

Configuration with LANconfig: The settings for the serial interface as a WAN interface can be found in the LANconfig configuration area Interfaces. Select the V.24 interface with the Interface sett
574. [Figure residue: diagram labels only (station, interface parameters, ISDN telephone, communications layer, terminal, user name)]

Selecting the correct route: A data packet from a computer initially finds the path to the Internet through the IP address of the receiver. The computer sends the packet with this address over the LAN to the router. The router determines the remote station in its IP routing table via which the target IP address can be reached (e.g. Provider_A).

Connection data for the remote station: Using these names, the router checks the names list and finds the necessary connection data for provider A. Included in these connection data are, for instance, the WAN interface (DSL, ISDN) through which the provider is connected, protocol information, or the necessary number for an ISDN call connection. The router also obtains the user name and password required for login from the PPP list.

Establishing the WAN connection: The router can then establish a connection to the provider via a WAN interface. It authenticates itself with a user name and password.

Transmission of data packets: As soon as the connection is established, the router can send the data packet to the Internet.

11.2 IP routing

An IP router works between networks which use TCP/IP as the network protocol. This only allows data transmissions to destination addresses entered in the routing table. This
575. statistics. The WLANmonitor presents the scan results quite conveniently and also offers additional functions such as access point grouping or automatic notification via e-mail whenever a new WLAN device appears.

Note: Further information can be found under Rogue AP and rogue client detection with the WLANmonitor, page 217.

Configuring the background scan: When configuring the background scan, a time period is defined in which all available WLAN channels are to be scanned once for the receiving beacons.

[Screenshot: Physical WLAN settings dialog, Radio tab: Frequency band (2.4 GHz, 802.11g/b), Sub-bands, Channel number (Channel 10, 2.457 GHz), 2.4 GHz mode (802.11g/b mixed), 5 GHz mode (54 Mbit/s normal mode), antenna diversity setting (only transmit on primary antenna / use the optimal antenna for transmission / transmit on primary and receive on auxiliary antenna), Antenna gain (dBi), TX power reduction (dB), Access point density (Low), Maximum distance (km), Channel list, Background scan (seconds)]

Configuration tool / call: LANconfig: WLAN interfaces > Physical WLAN settings > Radio. WEBconfig, Telnet: Expert configuration > Setup > Interfaces > WLAN > Radio settings. Background scan interv
576. strategy (default): Deny access from 123.45.67.2 to All stations in local network. With a Deny All strategy (see Set-up of an explicit Deny All strategy, page 283): Allow access from All stations in local network to 123.45.67.2.

11.5 Demilitarized Zone (DMZ)

A demilitarized zone (DMZ) makes certain routers in a network accessible from the Internet. These computers in the DMZ are generally used to offer Internet services such as e-mail or similar services. The rest of the network should of course be inaccessible for attackers on the Internet. In order to allow this architecture, data traffic between the three zones (Internet, DMZ and LAN) must be analyzed by a firewall. The firewall's tasks can also be consolidated in a single device (router). For this the router needs three interfaces that can be monitored separately from each other by the firewall: LAN interface, WAN interface, DMZ interface.

11.5.1 Assigning interfaces to the DMZ

To configure the DMZ, the corresponding interface is defined as the DMZ interface.

Configuration with LANconfig: Ethernet ports are defined in LANconfig in the configuration area Interfaces on the LAN tab under Ethernet ports.

[Screenshot: Ethernet Ports dialog (LAN-1) with the fields Ethernet Port, Interface usage, Transfer mode, MDI mode]
577. stream rate, e.g. 128 kbps. Data rates indicated by providers are most likely net rates. The gross data rate which is available for the interface is a little bit higher than the net data rate guaranteed by the provider. If you know the gross data rate of your provider, you can enter this value for the interface and in this way slightly increase the data throughput. However, by entering the net data rate you play safe in any case.

9.3.2 Queues for receiving direction

Apart from the data transfer rate in transmission direction, the same consideration also applies to the receiving direction. Due to its 10 or 100 Mbps Ethernet interface, the BAT's WAN interface is fed with clearly less data by the broadband modem than would actually be receivable. All data packets received on the WAN interface are transferred to the LAN with equal rights. In order to be able to prioritize incoming data as well, an artificial brake must thus also be added in this direction. As already incorporated for the upstream direction, the data transfer rate of the interface is therefore adapted to the provider's offer in the downstream direction. For a standard DSL connection, a downstream rate of e.g. 768 kbps thus applies. Again the gross data rate can be entered here if known. Reducing the receiving bandwidth makes it possible to treat received data pa
578. stronger access point. Default: 15.

Note: Other contexts require the value of signal strengths in dB. The following conversion applies: 64 dB corresponds to 100, 32 dB to 50, 0 dB to 0.

No roaming threshold: This threshold refers to the field strength in percent. Field strengths exceeding the value set here are considered to be so good that no switching to another access point will take place. Default: 45.

Forced roaming threshold: This threshold refers to the field strength in percent. Field strengths below the value set here are considered to be so poor that a switch to another access point is required. Default: 12.

Connect threshold: This value defines the field strength in percent that is the minimum an access point has to show for a client to attempt to associate with it. Default: 0.

Connect hold threshold: This threshold defines a field strength in percent. A connection to an access point with a field strength below this value is considered as lost. Default: 0.

3.7 IEEE 802.11i for point-to-point connections in the WLAN

BAT Wireless access points serve not only as central stations within a wireless network; they can also operate in point-to-point mode to bridge longer distances. For example, they can provide a secure connection between two networks that are several kilometers apart without direct cabling or expensive leased lines.
579. suming the DHCP server has not assigned this number to another computer in the meantime, it will attempt to issue this address again. The DHCP server also checks the LAN to confirm that the selected address is free. Once the address is confirmed as unique, it is assigned to the requesting computer.

Note: The factory settings include the IP networks Intranet and DMZ, although there are no settings for IP addresses and netmasks. The device is in a special operating mode. It then uses the IP address 172.23.56.254 and the address pool 172.23.56.253 for assigning IP addresses to the network.

Start address: The first IP address in the pool available to the clients. If no address is entered here, the DHCP takes the first available IP address from the network (as determined by network address and netmask). Default: 0.0.0.0.

End address: The last IP address in the pool available to the clients. If no address is entered here, the DHCP takes the last available IP address from the network (as determined by network address and netmask). Default: 0.0.0.0.

Netmask: Corresponding netmask for the address pool available to the clients. If no address is entered here, the DHCP server uses the netmask from the corresponding network. Default: 0.0.0.0.

Broadcast: As a rule, broadcast packets in a local network have an address which results from the valid IP addresses and the netmask. In special cases (e.g. when using subnets for a select
580. t

3.1.1 Standardized radio transmission by IEEE

IEEE 802.11: BAT network products comply with the IEEE 802.11 standards. This standards family represents an extension to the already existing IEEE standards for LANs, of which IEEE 802.3 for Ethernet is the most popular one. Within the IEEE 802.11 family, different standards exist for the radio transmission in different frequency ranges and with different speeds. BAT base stations and WLAN client adapters support, according to their respective type, different standards: IEEE 802.11a with up to 54 Mbps transfer rate in the 5 GHz band (up to 108 Mbps in turbo mode, complement to standard); IEEE 802.11b with up to 11 Mbps transfer rate in the 2.4 GHz band; IEEE 802.11g with up to 54 Mbps transfer rate in the 2.4 GHz band (up to 108 Mbps in turbo mode, complement to standard).

IEEE 802.11a (54 Mbps): IEEE 802.11a describes the operation of Wireless LANs in the 5 GHz frequency band (5.15 GHz to 5.75 GHz) with up to 54 Mbps maximum transfer rate. The real throughput depends, however, on the distance and/or on the quality of the connection. With increasing distance and diminishing connection quality, the transmission rate lowers to 48 Mbps, afterwards to 36 Mbps etc., down to a minimum of 6 Mbps. The distance of transmission ranges up to 125 m in open expanses; in buildings typically up to 25 m. The
581. t. This command enables individual parameters, tables or entire menu trees to be reset to their factory settings. Syntax: default [-r] PATH. This command returns the parameters addressed by the PATH to their factory settings. If PATH indicates a branch of the menu tree, then the option -r (recursive) must be entered. Note: Supervisor rights are necessary to execute this command.

beginscript: The command beginscript switches a console session into script mode. In this state, commands entered are not transferred directly to the BAT's configuration RAM but initially to the device's script memory. The commands will only be transferred to and started in the configuration RAM via a script session by executing the command exit. Note: Supervisor rights are necessary to execute this command.

show script: The command show script displays the content of the most recently executed script and an overview of the currently running scripts. The names displayed in this output can be used to interrupt scripts early (kill script, page 193).

[Screenshot: Telnet session showing the output of show script (garbled in extraction): the currently running script with a pending sleep, followed by the last executed script setting the WLAN interfaces WLAN-1 and WLAN-2]
582. t up whether additional channels are negotiated for data exchange or not. Some protocols, like e.g. FTP for data transfer, T.120, H.225, H.245 and H.323 for NetMeeting or IP telephony, PPTP for VPN tunnels or IRC for chatting, signal when establishing the connection from the LAN to the Internet, by a particular source port used, whether they are negotiating further ports with the remote station. The Stateful Inspection dynamically adds these additional ports into the connection state list as well, of course limited to the particular source and destination addresses only.

Let's have once again a look at the FTP download example. When starting the FTP session, the client establishes a connection from source port 4321 to the destination port 21 of the server. The Stateful Inspection allows this first set-up as long as FTP is allowed from local workstations to the outside. In the dynamic connection state table the Firewall enters source and destination and the respective port. Simultaneously, the Stateful Inspection can inspect the control information sent to port 21 of the server. These control signals indicate that the client requires a connection from the server's port 20 to port 4322 of the client. The Firewall also enters these values into the dynamic table, because the connection to the LAN has been initiated from the client. Afterwards the server can s
583. t Privacy. The primary goal of WEP is the confidentiality of data. In contrast to signals which are transmitted over cables, radio waves spread out in all directions, even into the street in front of the house and other places where they really aren't desired. The problem of undesired interception is particularly obvious in wireless data transmission, even though it can also arise in larger installations with wired networks; however, access to cables is far more easily restricted than is the case with radio waves.

During the development of the WLAN security standard, the IEEE Committee did not intend to develop a perfect encryption method. Such high-security encryption methods are, for instance, required and also used in electronic banking; in this case, however, the applications themselves use high-quality encryption methods and it would be unnecessary to repeat this effort at the radio transmission level. With the new security standards, only those applications which normally work without encryption in wired LANs should be provided with sufficient security against eavesdropping by unauthorized third parties.

WEP is a symmetrical method of encryption and uses the RC4 algorithm as its basic encryption technology, a process already well known in other areas and considered highly secure. RC4 uses a key between 8 and 2048 bits in length, which is used to generate a pseudo-random series of bytes using a predetermined process. The data packet for encry
584. t configuration > Setup > IEEE802.1x > Ports. Terminal/Telnet: cd Setup > IEEE802.1x > Ports.

IPSec over WLAN (only with the VPN Option; not available with all BAT devices): With the help of the IPSec-over-WLAN technology, in addition to the security measures described already, a wireless network for the exchange of especially sensitive data can be optimally secured. To this end, the BAT Wireless Router access point is upgraded to a VPN gateway with the VPN Option. In addition to the encryption per 802.11i, WPA or WEP, the BAT Wireless Router now offers the possibility of encrypting wireless connections with an IPSec-based VPN.

The beaconing table: Settings in the beaconing table influence the transmission of beacons by the access point in AP mode. In part this can influence the roaming behavior of clients, and in part this serves to optimize the MultiSSID mode for older WLAN clients. Configuration tool / call: WEBconfig, Telnet: Expert Configuration > Setup > Interfaces > WLAN > Beaconing.

Beacon period: This value defines the time interval in Kus between beacon transmissions. 1 Kus corresponds to 1024 microseconds and is a measurement unit of the 802.11 standard; 1 Kus is also known as a Timer Unit (TU). Smaller values result in a shorter beacon timeout period for the client and enable quicker roaming in case of failure of an a
585. t is overwritten by skillful choice of the fragment offset. Thereby simple port-filter Firewalls accept the first packet and the appropriate fragments, while the second fragment overwrites the first packet's header. Thus suddenly a permissible packet is created which actually should rather be blocked by the Firewall. Concerning this occurrence, the Firewall can itself either reassemble, or filter only the wrong fragment and all following, leading to the problems already indicated by either one of the other solutions above.

Note: By default installation all items are configured as secure, i.e. maximal 100 permissible half-open connections by different workstations (see SYN Flooding), at most 50 half-open connections of a single computer (see Portscan), and fragmented packets to be reassembled.

8.5.2 Configuration of DoS blocking

LANconfig: Parameters against DoS attacks are set in LANconfig in the configuration tool Firewall/QoS on the register card DoS.

[Screenshot: Configure Firewall/QoS dialog, DoS tab. Denial Of Service Detection: "Half-open connections are such that are still in negotiation. If their amount to a specific host grows above the here given value, a Denial of Service attack will be detected and the DoS actions defined below will be executed." Maximum half-open connections: 100. DoS Packet action: Transmit ...]
586. t is provided by the AC. Layer name: Select the layer name for the connection. The configuration of this layer is described in the following section. VPI: Virtual Path Identifier. VCI: Virtual Channel Identifier. The values for VCI and VPI are advised to you by your provider. Standard values for the combination of VPI and VCI are 0/35, 0/38, 1/32, 8/35, 8/48.

Dialup Peers: Name: See DSL Broadband Peers. Phone number: A phone number is only required if the remote station must be called. This field can remain empty if only incoming calls should be accepted. Several phone numbers for the same remote station can be entered in the Round-Robin list. Short hold: See DSL Broadband Peers. Short hold 2: The second B channel is cut down if it is not used for the set duration. Layer name: See DSL Broadband Peers.

Note: Callback: The automatic callback provides a secure connection and decreases the costs for the caller. Further information can be found in the next section, Callback functions, page 440.

Please note the following points when editing the peer list: If two identical peer lists (e.g. DSL Broadband Peers list and Dialup Peers list) are entered, the BAT, when connecting to the remote station, uses the faster interface. The other interface is then used as a backup. If neither the access concentrator nor the service is specified, the router connects to the first AC that answers the query.
587. t these network types can be found under The ad-hoc mode, page 26, and The infrastructure network, page 26.

Create IBSS: If the station can establish an IBSS (Independent Basic Service Set, meaning an ad-hoc network), then the station can connect to other WLAN clients. For the connection of devices with a client station this is mostly unwanted or not required.

Keep client connection alive: This option ensures that the client station keeps the connection to the access point alive even when the connected devices do not send any data packets. If this option is switched off, the client station will automatically log off from the wireless network if no packets are transferred over the WLAN connection within a given time.

Scan bands: This defines whether the client station scans just the 2.4 GHz band, just the 5 GHz band, or all of the available bands for access points.

Preferred BSS ID: If the client station is only supposed to log in on a certain access point, you can enter the MAC address of the WLAN card of that access point.

Address Adaption: In client mode, the client station usually replaces the MAC addresses contained in the data packets of the connected devices with its own MAC address. The access point on the other side of the connection therefore only sees the MAC address of the client station but not the MAC ad
588. tability of the device, no further VPN connections should be established.

No rule matched / IDs unknown (IKE): The incoming VPN connection could not be assigned to a remote device (wrong connection or wrong ID, e.g. IP). Please check the following parameters: network definition; ID type does not match (see this document); incorrect network definition; VPN rules do not match (see VPN RULES).

No proposal matched (IPsec): The devices cannot agree on a matching proposal. Please check the settings under Configure > VPN > IKE > IKE Proposals and under Configure > VPN > IPSec parameters > IPSec proposal lists.

IPSec PFS group mismatch (IPsec): Please check the PFS (Perfect Forward Secrecy) group under Configure > VPN > Connection parameters > VPN remote identification > PFS Group.

13.2 SNMP Traps

MIB2 Traps (trap / explanation): coldstart: Device was restarted by switching power off and on. warmstart: LCOS was restarted, for instance by a software reboot. authentication failed: console login failed.

Enterprise-specific Traps (trap / explanation): Login failed during access to the configuration. Firmware upload started: Firmware upload was started. Configuration upload started: The reading of the firmware or configuration was started. Upload succeeded: The reading of the firmware or c
589. tation name P2P_MASTER.

[Screenshot: point-to-point settings: Station name P2P_MASTER; "Configure the Point-to-Point partners outside this dialog in the corresponding table"; "Do not forward among P2P links on the same interface"; Channel Selection Scheme: Master]

In the point-to-point configuration, select the identification by station name and enter the name of the corresponding station. LANconfig: Wireless LAN > General > Point-to-point partners. WEBconfig: Setup > Interfaces > WLAN interpoint peers.

[Screenshot: Point-to-Point partners dialog, P2P-1-1: "Enable this Point-2-Point channel"; "Enter the WLAN access point to be interconnected via Point-to-Point connection here"; Recognize by: MAC address / Station name; "If you use recognition by MAC address, enter the WLAN adapter's MAC address and not the device MAC address"; Station name: P2P_SLAVE]

3.7.3 Access points in relay mode

Access points equipped with two wireless modules can be used to establish wireless bridges across multiple stations. Each wireless module is configured as a Master and then Slave in turn.

Note: The use of relay stations each equipped with two WLAN modules simultaneously solves the problem of the hidden station, by which the MAC addresses of the WLAN clients are not transferred over multiple stations.

3.7.4 Security for point-to-po
590. te. If a different hop count is to be used, then all devices in the network have to use the same max hop count figure, also in the case of RIP over WAN connections.

Number of routes propagated in a packet: The number of routes propagated in one packet is specified by RFC as 25. This is because fragmentation is just avoided with this number: it must be possible to transmit unfragmented UDP packets with 512 bytes. As a packet with an MTU of 1500 bytes could be used to propagate up to 90 routes, it is possible to configure the number of routes propagated in a packet. Routes per frame: The number of routes that can be propagated in a single packet. Possible values: 1 to 90. Default: 25.

11.7.5 Automatic generation of VPN rules

When using multiple local networks, the automatic generation of VPN rules also has to be set up very precisely for each network. The definition of networks with automatically generated VPN rules uses the interface tag which is given for every network. This tag enables the allocation of a local network to a VPN route. Every packet received at a local interface is marked with the interface tag and forwarded along a route with the same tag or with the default tag 0. For automatic VPN rule generation, all networks are taken up that: have the tag 0, or fulfill the two conditions as follow: the network has the same interface tag as the IP routing table entry for the VPN connection (not to be confused with the routing t
591. ted. Transmit: Limit restriction to the sending direction; this affects the above limitations in context with the option. In the Object ID column, examples are indicated (lcdsr, lgdst, lcdst).

Note: If an action is given without any associated limit, then implicitly a packet limit is assumed that is immediately exceeded with the first packet.

Packet action | Description | Object ID
Accept | The packet will be accepted. | a
Reject | The packet will be rejected with the corresponding error message. | r
Drop | The packet will be discarded silently. | d

These packet actions can be combined arbitrarily. If you choose absurd or ambiguous actions (e.g. Accept + Drop), then the more secure action will be taken here (Drop).

Further measures:

Measure | Description | Object ID
Syslog | Gives a detailed notification via SYSLOG. | s
Mail | Sends an email to the administrator. | m
SNMP | Sends an SNMP trap. | n
Close port | Closes the destination port for a given time. | p
Deny host | Locks out the sender address for a given time. | h
Disconnect | Disconnects the connection to the remote site from which the packet was received or sent. | t
Zero limit | Resets the limit counter to 0 again upon exceeding of the trigger threshold. | z
Fragmentation | Forces a fragmentation of all packets not matching the rule. | f

If the close port act
592. …ted its processing.

5.3.6 Scripting commands

readscript: In a console session the command readscript generates a text dump of all commands and parameters that are required for the configuration of the BAT in its current state. In the simplest case the BAT lists only commands that are relevant to those parameters that no longer have the factory settings.

Syntax: readscript [-n] [-d] [-c] [-m] [PATH]

Note: Supervisor rights are necessary to execute this command.

Example: For a BAT that is set up only for Internet dial-in via ISDN, the command readscript produces the following console output (assuming that there are no further restrictions). The layer table and some argument columns are only partly legible in this copy:

    | LANCOM DSL/I-1611 Office
    | Ver. 4.30.0018 / 30.05.2005
    | SN. 000590300080
    | Copyright (c) LANCOM Systems
    Connection No.: 2 (LAN)
    root@:/
    > flash No
    > cd Setup/WAN/Dialup-Remote-Peers
    > del …
    > add DEFAULT … 20
    > add ARCOR 0192070 30
    > cd Setup/WAN/Layer
    > (layer entries for DEFAULT and ARCOR: encapsulation TRANS, layer 1 HDLC64K / ETHER, compression none)
    > cd Setup/WAN/PPP
    > set DEFAULT PAP … 5
    > set ARCOR none … 5
    > set Setup/LAN/Connector 32
    > set Setup/TCP-IP/Intranet-Address 192.168.2.161
    > cd Setup/IP-Router/IP-Routing-Table
    > 192.168.0.0 255.255.0.0 …
    > 172.16.80.80 255.240.0.0 …
    > 180.0.0…
593. …attempt to log on to external networks. Unidentified access points within the range of the local network frequently pose a possible threat and a security gap; at the very least they are a disturbance. Therefore background scanning identifies rogue APs and helps to decide whether further measures for securing the local network need to be introduced.

Fast roaming for WLAN clients: However, the background scanning method can be used for objectives other than rogue AP detection. A BAT Wireless Router in client mode that logs itself on to another access point can also use the roaming procedure in a mobile installation. This is the case, for example, when a BAT Wireless Router used in an industrial application scenario is mounted on a forklift that navigates its way through multiple warehouses with separate access points. Under normal circumstances the WLAN client would only log on to another access point when the connection to the access point it had been using until that moment was lost. With the background scanning function, the BAT Wireless Router in client mode can collect information about other available access points in advance. Then the client is not switched to another access point only when the existing connection has been completely lost, but rather as soon as another access point within its range has a stronger signal.

Evaluating the background scan: The information on the access points found can be viewed in the BAT Wireless Router…
594. …router can be set with up to 16 loopback addresses with which it can be addressed, for example for the management of large network structures. To use the loopback addresses for certain networks, e.g. in the context of Advanced Routing and Forwarding, these addresses can be assigned routing tags. To simplify identification in other configuration units, the loopback addresses can be given freely definable names.

[Dialog: Loopback address: Name (e.g. LOOPBACK_1), IP address, Routing tag]

Configuration tool / Call: LANconfig: TCP/IP > General > Loopback addresses; WEBconfig, Telnet: Expert configuration > Setup > TCP-IP > Loopback list

Name: A freely definable name for the loopback address. Values: maximum 16 characters.
Loopback address: Loopback address for the device.
Routing tag: Routing tag of the loopback address. Loopback addresses with the routing tag 0 (untagged) are visible to all networks; loopback addresses with a different routing tag are only visible to networks with the same routing tag. Values: 0 to 65535 (0 = untagged). Default: 0.

4.9.1 Loopback addresses with ICMP polling
Similar to LCP monitoring, ICMP polling transmits regular requests to a remote site: ping commands are transmitted and the answers to them are monitored. Unlike LCP monitoring, the target site for ICMP pings can be free…
595. …ter is activated by adding the parameter @, which introduces the following filter description. Filter descriptions use the following operators:

  Operator | Description
  (space) | OR: the filter applies if one of the operands occurs in the trace output.
  + | AND: the filter applies if the operand occurs in the trace output.
  - | NOT: the filter applies if the operand does not occur in the trace output.
  "…" | The output must match the quoted search string exactly.

An operand can be entered as any string of characters, such as the name of a remote station, a protocol or a port. The trace filter then processes the output according to the operator rules, much like an Internet search engine. Examples of the application of filters can be seen under Examples of traces, page 228.

6.1.6 Examples of traces
This code in combination with the trace causes the following trace displays:
  trace: displays all protocols that can generate outputs during the configuration and the status of each output (ON or OFF)
  trace + all: switches on all trace outputs
  trace - all: switches off all trace outputs
  trace + protocol display: switches on the output for all connection protocols together with the status and error messages
  trace + all - icmp: switches on all trace outputs with the exception of the ICMP protocol
  trace ppp: displays the status of the PPP trace
  trace # ipx-rt display: toggles between the trace outputs for the IPX router and the displ…
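The operator table above is compact enough to be misread when a filter returns nothing, so here is the evaluation written out, as an added example that is not code from the manual or the device: a space separates OR alternatives, a leading + makes a term mandatory, a leading - excludes lines containing it, and a quoted string is matched as one exact term. The trace lines are constructed in the style of a router trace, and the case handling (unquoted terms case-insensitive, quoted terms verbatim) is an assumption of this example rather than something the page states.

```python
# Added example (not from the BAT54 manual): the trace filter operators
# described above, applied to constructed trace lines. Unquoted terms are
# compared case-insensitively and quoted terms verbatim; that case handling
# is an assumption of this example, not something the manual states.
import re

_TOKEN = re.compile(r'([+-]?)(?:"([^"]*)"|(\S+))')


def parse_trace_filter(expr):
    """Split a filter into (required, forbidden, alternatives).

    space = OR, '+' = AND (term must occur), '-' = NOT (term must not occur),
    "..." = the quoted string is matched exactly, as one term.
    Each term is a (text, exact) pair.
    """
    required, forbidden, alternatives = [], [], []
    for sign, quoted, plain in _TOKEN.findall(expr):
        term = (quoted, True) if quoted else (plain, False)
        if not term[0]:
            continue
        if sign == "+":
            required.append(term)
        elif sign == "-":
            forbidden.append(term)
        else:
            alternatives.append(term)
    return required, forbidden, alternatives


def _contains(line, term):
    text, exact = term
    return text in line if exact else text.lower() in line.lower()


def trace_line_matches(line, expr):
    """Apply one filter expression to one line of trace output."""
    required, forbidden, alternatives = parse_trace_filter(expr)
    if any(_contains(line, t) for t in forbidden):
        return False
    if not all(_contains(line, t) for t in required):
        return False
    if alternatives and not any(_contains(line, t) for t in alternatives):
        return False
    return True


def filter_trace(lines, expr):
    return [line for line in lines if trace_line_matches(line, expr)]


# Constructed trace output in the style of a router trace; not captured from a device.
SAMPLE_TRACE = [
    "[IP-Router] 12:00:01 packet 10.1.1.5:40001 -> 192.168.2.1:80 TCP via INTERNET",
    "[IP-Router] 12:00:02 packet 10.1.1.7:53011 -> 192.168.2.1:53 UDP via INTERNET",
    "[PPP] 12:00:03 LCP: connection to INTERNET established",
    "[ICMP] 12:00:04 echo request from 10.1.1.5 to 192.168.2.1",
]

if __name__ == "__main__":
    for expr in ("INTERNET -PPP", "+10.1.1.5 -ICMP", "TCP UDP", '"-> 192.168.2.1:53"'):
        print(expr, "->", len(filter_trace(SAMPLE_TRACE, expr)), "lines")
```

The last case is the one worth remembering when hunting a single flow: a plain term such as 10.1.1.5 also hits the ICMP line, whereas the quoted destination "-> 192.168.2.1:53" pins the filter to one socket.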
596. …terface (… only mode). Interfaces: This is where you can program further settings for your physical WLAN interfaces.

Configuration tool / Call: LANconfig: WLAN interfaces > General; WEBconfig, Telnet: Expert configuration > Setup > WLAN

Indoor only (default: off): In the 5 GHz band in ETSI countries, the channel selection is limited to channels 36, 40, 44 and 48 in the frequency range 5.15 to 5.25 GHz. At the same time the DFS function is turned off and the mandatory interruption after 24 hours is no longer in effect. This restriction reduces the risk of interruption due to false radar detections. In the 2.4 GHz band in France, channels 8 to 13 are also permitted, although these channels are permitted solely for indoor operation.

Note: Activating the indoor-only function can only be relied upon if the country in which the access point is being operated has been set.
Caution: Activating the indoor-only function is only permitted when the access point and all connected clients are located in a closed space.

Signal quality display via LEDs: When setting up point-to-point connections or operating the device as a WLAN client, the best possible positioning of the antennas is facilitated if the signal strength can be recognised at different positions. The WLAN link LED can be used for displaying the signal quality during the…
597. …interface simply by using VLAN IDs. Although the data traffic for the various VLANs flows via a common logical interface, the VLAN ID ensures that the different VLANs remain strictly separated. From the perspective of the BAT Router the VLANs are completely separate interfaces, meaning that a single logical interface becomes multiple logical interfaces for the BAT Router, and each of these interfaces can be addressed individually.

For devices with WLAN modules, the individual logical interfaces can be grouped together. This is handled by the LAN bridge, which regulates data transfer between the LAN and WLAN interfaces. The formation of bridge groups (BRG) allows multiple logical interfaces to be addressed at once, and they appear as a single interface to the BAT Router, in effect achieving the opposite of the VLAN method.

In the final stage the ARF forms a connection between the logical interfaces with VLAN tags and the bridge groups on the one side and the IP networks on the other. For this reason an IP network is configured with a reference to a logical network (with VLAN ID, if applicable) or to a bridge group. Furthermore, for each IP network an interface tag can be set with which the IP network can be separated from other networks without having to use firewall rules.

The definition of routing tags for IP networks as described above is one of the main advantages of Advanced Routing and Forwarding. This option allows virtual routers to…
598. …terfaces: Physical WLAN settings > Radio; WEBconfig, Telnet: Expert configuration > Setup > Interfaces > WLAN > Radio settings

3.6.3 The roaming table
The roaming table contains various threshold values which influence the precise control over the BAT Wireless Router's behaviour when roaming in the Client operating mode.
Configuration tool / Call: WEBconfig, Telnet: Expert Configuration > Setup > Interfaces > WLAN > Roaming

Soft roaming: This option enables a client to use scan information to roam to the strongest access point (soft roaming). Roaming due to connection loss (hard roaming) is unaffected by this. The roaming threshold values only take effect when soft roaming is activated.
Beacon miss threshold: This defines how many access point beacons can be missed before an associated client starts searching again. Higher values delay the recognition of an interrupted connection, so a longer time passes before the connection is re-established. The smaller the value set here, the sooner a potential interruption of the connection is recognised, and the client can start searching for an alternative access point sooner. Default: 4.
Note: Values which are too small may cause the client to detect lost connections more often than necessary.
Roaming threshold: This value is the percentage difference in signal strength between access points above which the client will switch to the…
599. …determines whether time control is based on real time or on the device's operating time.
  Real time: these rules evaluate all time and date information.
  Operation time: these rules only evaluate the minutes and hours since the last time the device was started.
  Default: Real time.

12.7 Scheduled events
Minutes, Hours, Week days, Month days, Months: The values minutes to months define the times when a command is to be executed. With no value entered, the field is not included in the control. For each parameter a comma-separated list of values can be entered or, alternatively, a range of minimum and maximum values. The syntax of the Week day field corresponds to the usual CRON interpretation: 0 Sunday, 1 Monday, 2 Tuesday, 3 Wednesday, 4 Thursday, 5 Friday, 6 Saturday.
Command: The command to be executed or a comma-separated list of commands. Any BAT command line function can be executed.
Owner: An administrator defined in the device can be designated as owner of the CRON job. If an owner is defined, the CRON job commands are executed with the rights of the owner. Default: root.
Variation: This parameter specifies the maximum delay in minutes for the start of the CRON job after the set start time. The actual delay is determined randomly and lies between 0 and the time entered here. Default: 0. Values: 0 to 65535.
Particular values: W…
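The field rules above (empty field ignored, comma lists, min-max ranges, CRON weekday numbering with Sunday as 0), the real-time versus operation-time base and the random start variation are easy to get subtly wrong, so the following model, an added example and not the device's own scheduler code, implements them against constructed jobs. One point the page leaves open is whether the hour count in operation-time mode wraps after 24 hours; the example assumes it does not, so hours="1" fires one hour after boot. The owner field is carried along to make the point that a job defaults to root and should be given a less privileged administrator where the command allows it.

```python
# Added example (not from the BAT54 manual): the CRON field rules described
# above, the real-time versus operation-time distinction and the random
# start variation. Whether the hour count in operation-time mode wraps after
# 24 hours is not stated on the page; this example assumes it does not.
import random
from datetime import datetime


def parse_field(spec, low, high=None):
    """Return the set of permitted values for one CRON field, or None if empty."""
    spec = spec.strip()
    if not spec:
        return None
    values = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            start, end = (int(x) for x in part.split("-", 1))
            if start > end:
                raise ValueError(f"range {part!r} is reversed")
            values.update(range(start, end + 1))
        else:
            values.add(int(part))
    bad = sorted(v for v in values if v < low or (high is not None and v > high))
    if bad:
        raise ValueError(f"values {bad} outside {low}..{high}")
    return values


class CronJob:
    def __init__(self, command, minutes="", hours="", weekdays="", monthdays="",
                 months="", owner="root", variation=0, base="real"):
        if base not in ("real", "operation"):
            raise ValueError("base must be 'real' or 'operation'")
        if not 0 <= variation <= 65535:
            raise ValueError("variation must be 0..65535 minutes")
        self.command, self.owner, self.variation, self.base = command, owner, variation, base
        self.minutes = parse_field(minutes, 0, 59)
        self.hours = parse_field(hours, 0, 23 if base == "real" else None)
        self.weekdays = parse_field(weekdays, 0, 6)
        self.monthdays = parse_field(monthdays, 1, 31)
        self.months = parse_field(months, 1, 12)

    def due(self, now=None, uptime_minutes=None):
        """True if the job's time fields match the given real time or uptime."""
        if self.base == "operation":
            if uptime_minutes is None:
                raise ValueError("operation-time jobs need uptime_minutes")
            checks = [(self.minutes, uptime_minutes % 60), (self.hours, uptime_minutes // 60)]
        else:
            if now is None:
                raise ValueError("real-time jobs need now")
            cron_weekday = (now.weekday() + 1) % 7   # Python Monday=0 -> CRON Sunday=0
            checks = [(self.minutes, now.minute), (self.hours, now.hour),
                      (self.weekdays, cron_weekday), (self.monthdays, now.day),
                      (self.months, now.month)]
        return all(allowed is None or value in allowed for allowed, value in checks)

    def start_delay(self, rng=random):
        """Random delay in minutes between 0 and the configured variation."""
        return rng.randint(0, self.variation)


if __name__ == "__main__":
    backup = CronJob("do backup", minutes="30", hours="8-17", weekdays="1-5",
                     owner="backup-admin", variation=5)
    print(backup.due(now=datetime(2024, 6, 12, 9, 30)), backup.start_delay(), backup.owner)
```

Variation matters when many devices share one schedule: without it every router fires the same command at the same second, which is exactly what a central syslog or RADIUS server does not want.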
600. …the data transfer between user groups according to individual stations or the protocol being used. Further, the key for the WLAN encryption is set here.

General settings
Communications between the WLAN clients: Depending on the application it may be required that the WLAN clients connected to an access point can, or expressly cannot, communicate with other clients. You can centrally define the permissible communication for all physical and logical networks, considering the three following cases:
  Allow data traffic: This setting allows all WLAN clients to communicate with other stations in their own and in other available wireless networks.
  Do not allow data traffic between stations that are logged on to this access point: In this case WLAN clients can only communicate with mobile stations located in other available wireless networks, but not with the stations in their own WLAN.
  Do not allow data traffic: This last variant prevents all communication between the WLAN clients.
Roaming: In addition to controlling the communication between the clients, you can define whether the mobile stations in the wireless network can change to a neighbouring access point (roaming).
Monitor stations: In particular for public WLAN access points (public spots), the charging of usage fees requires the recognition of stations that are no longer active. Monitoring involves the access point regularly sending packets to logged-in st…
601. …the different alerting types, such as the relevant email account, can be set at the following places:
  Configuration tool | Run
  LANconfig | Log & Trace > SMTP Account, SNMP, SYSLOG
  WEBconfig | Expert Configuration > Setup > SMTP, SNMP-Module, SYSLOG-Module
  Terminal/Telnet | Setup/SMTP resp. SNMP-Module or SYSLOG-Module

An example: Let us assume a filter named BLOCKHTTP which blocks all access to an HTTP server 192.168.200.10. In case some station tries to access the server nevertheless, the filter blocks any traffic from and to this station and also informs the administrator via SYSLOG.

SYSLOG notifications: If the Firewall drops an appropriate packet, a SYSLOG notification is created (see Setting up the SYSLOG module, page 484) as follows:
    PACKET_ALERT: Dst: 192.168.200.10:80, Src: 10.0.0.37:4353 (TCP): port filter
Ports are printed only for port-based protocols. Station names are printed if the BAT can resolve them directly without an external DNS request. If the SYSLOG flag is set for a filter entry's action, this notification becomes more detailed: the filter name, the exceeded limit and the filter action carried out are then printed as well. For the example above this should read:
    PACKET_ALERT: Dst: 192.168.200.10:80, Src: 10.0.0.37:4353 (TCP): port filter
    PACKET_INFO: matched filter BLOCKHTTP, exce…
602. …the dynamic speed adjustment.
Broadcast rate: The defined broadcast rate should allow the slowest clients to connect to the WLAN even under poor reception conditions. A higher value should only be set here if all clients are able to connect faster.
RTS threshold: The RTS threshold prevents the occurrence of the hidden station phenomenon.

[Figure: network coverage of access point 1 and access point 2, with a station in between that both can reach while the two access points cannot hear each other]

Here the three devices are positioned such that no direct wireless connection between the two outer devices (access point 1 and access point 2) is possible. If access point 1 sends a packet to the station, access point 2 is not aware of this, as it is outside access point 1's coverage area. Access point 2 may also try, during the transmission from access point 1, to send a packet to the station as well, because it has no knowledge of the medium (in this case the wireless connection) being blocked. A collision results, and neither of the transmissions from access point 1 or access point 2 to the station will be successful. The RTS/CTS protocol is used to prevent such collisions.

[Figure: RTS signal from access point 1 to the station; CTS signal from the station, which can also be received by access point 2]

To this end access point 1 precedes the actual transmission by sending an RTS packet to the station, which answers with a CTS. The CTS sent by the station is now within listening distance of access point 2, so that access point 2 can wait with its packet until access point 1 has finished. The RTS and CTS signals each contain information about the time required for the transmis…
603. …the earlier it will be placed in the corresponding filter list.
Note: For complex rule types please check the filter list as described in section Firewall diagnosis, page 295.

Observe further rules: There are requirements for a Firewall which cannot be covered by a single rule. If the Firewall is used to limit the Internet traffic of different departments in their own IP subnetworks, individual rules cannot, for example, express a common upper limit at the same time. If each of, say, three departments should be granted a bandwidth of at most 512 kbps, but the entire data rate of the three departments should not exceed a limit of 1024 kbps, then a multi-level check of the data packets must be installed:
  In a first step it is checked whether the actual data rate of the individual department does not exceed the limit of 512 kbps.
  In a second step it is checked whether the data rate of all departments together does not exceed the overall limit of 1024 kbps.
Normally the list of Firewall rules is applied sequentially to a received data packet. If a rule applies, the appropriate action is carried out; the checking by the Firewall is terminated then and no further rules are applied to the packet. In order to achieve a two-stage or multi-level check of a data packet, the Observe further rules option is activated for the rules. If a Firewall…
604. …the human ear. Delay differences of the voice information from sender to addressee (jitter) are still tolerated up to 10 ms, and values beyond that are considered irritating. Accordingly a VoIP connection should be configured such that the criteria for good speech quality are met: packet loss up to 10 %, delay up to 150 ms and jitter up to 10 ms.
  Jitter can be removed in the receiving station by an appropriate buffer. In this buffer (jitter buffer) the packets are stored intermediately and passed on at a constant rate to the addressee. By this intermediate buffering the delay variations due to the individual transmission times of the individual packets can be removed.
  The delay is influenced by several components. The time for processing (packetising, coding and compression) by the sender and the addressee, the duration of handing over the packet from the application to the interface (serialisation) and the time for transmitting via the WAN (propagation) contribute to the fixed part of the delay.
  The variable part is determined by the jitter, resp. by the setting of the jitter buffer. These two parts together compose a delay which should ideally not exceed 150 ms (Delay < 150 ms).
  Apart from the general loss by network transmission, the packet loss is significantly influenced by the jitter buffer. If…
605. …the protocol filter. This function, known as Redirect, is described in detail in the section Redirect function, page 82.

Configuration with LANconfig: For configuration with LANconfig you will find the protocol filter under the configuration area WLAN Security on the Protocols tab.

[Dialog: WLAN Security > Protocols > Filter protocols. The protocol filters can be used to control the transfer, drop or redirect of specific protocols between LAN, wireless LAN and point-to-point links. Entry fields: Name (e.g. HTTP), Protocol (0800), Subtype (6), First port (80), Last port (80), Interface list (WLAN-1-2), Action: Drop packets / Pass packets / Redirect packets to the following IP address]

Make an entry in the protocol list for each protocol that requires special handling. Enter the following values:
  A name of your choice for the filter entry.
  Protocol number, e.g. 0800 for IP. If no protocol is entered, the filter will be applied to all packets.
  Subprotocol, e.g. 6 for TCP. If no subprotocol is entered, the filter will be applied to all packets of the entered protocol.
  Port start and port end, e.g. 80 each for HTTP. If no ports are entered, then…
606. …this filter will be applied to all ports of the corresponding protocol/subprotocol.
  Note: Lists of the official protocol and port numbers are available on the Internet under www.iana.org.
  Action for the data packets: Let through, Reject, Redirect (and state the target address).
  List of interfaces that the filter applies to.
  Redirect address, when the Redirect action is selected.

Example:
  Name | Protocol | Subtype | Start port | End port | Interface list | Action | Redirect IP address
  ARP | 0806 | 0 | 0 | 0 | WLAN-1-2 | Let through | 0.0.0.0
  DHCP | 0800 | 17 | 67 | 68 | WLAN-1-2 | Let through | 0.0.0.0
  TELNET | 0800 | 6 | 23 | 23 | WLAN-1-2 | Redirect | 192.168.11.5
  ICMP | 0800 | 1 | 0 | 0 | WLAN-1-2 | Let through | 0.0.0.0
  HTTP | 0800 | 6 | 80 | 80 | WLAN-1-2 | Redirect | 192.168.11.5

ARP, DHCP and ICMP will be let through; Telnet and HTTP will be redirected to 192.168.11.5; all other packets will be rejected.
Note: As soon as an entry is made in the protocol filter, all packets not matching the filter will be automatically rejected.

Configuration with WEBconfig or Telnet: Under WEBconfig or Telnet you will find the protocol filter under the following paths:
  Configuration tool | Menu/Table
  WEBconfig | Expert configuration > Setup > LAN-Bridge > Protocol table
  Terminal/Telnet | cd Setup/LAN-Bridge/Protocol-Table

Encryption settings: Access points of the BAT range supp…
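The note above is the part that bites in practice: the moment the table has one entry, everything it does not name is rejected, so a table that only lists HTTP silently cuts off DHCP and ARP. The model below, an added example that is not the device's own code, evaluates the example table against constructed packets with the semantics stated on the page (empty protocol or subtype field matches anything, 0/0 matches every port, first matching entry decides, implicit reject once the table is non-empty). One detail the page does not state is how a packet arriving on an interface outside an entry's interface list is treated; the model counts that as "entry does not match", which is an assumption.

```python
# Added example (not from the BAT54 manual): the protocol filter table from
# the example above evaluated against constructed packets. The first matching
# entry decides; once the table has any entry, a packet matching no entry is
# rejected, as the note above states. Treating a packet on an interface
# outside an entry's interface list as "not matching" is an assumption here.
from dataclasses import dataclass
from typing import Optional, Tuple

PASS, DROP, REDIRECT = "let through", "reject", "redirect"


@dataclass(frozen=True)
class ProtocolEntry:
    name: str
    protocol: Optional[int]        # Ethertype, e.g. 0x0800 = IP; None = every packet
    subtype: Optional[int]         # IP protocol number, e.g. 6 = TCP; None = any
    first_port: int                # 0/0 = every port
    last_port: int
    interfaces: Tuple[str, ...]
    action: str
    redirect_ip: str = "0.0.0.0"

    def matches(self, pkt: dict) -> bool:
        if pkt["interface"] not in self.interfaces:
            return False
        if self.protocol is not None and pkt["ethertype"] != self.protocol:
            return False
        if self.subtype is not None and pkt.get("ip_proto") != self.subtype:
            return False
        if self.first_port == self.last_port == 0:
            return True
        port = pkt.get("dst_port")
        return port is not None and self.first_port <= port <= self.last_port


WLAN12 = ("WLAN-1", "WLAN-2")
# The table from the manual's example; subtype 0 in the ARP row means "not entered".
EXAMPLE_TABLE = [
    ProtocolEntry("ARP", 0x0806, None, 0, 0, WLAN12, PASS),
    ProtocolEntry("DHCP", 0x0800, 17, 67, 68, WLAN12, PASS),
    ProtocolEntry("TELNET", 0x0800, 6, 23, 23, WLAN12, REDIRECT, "192.168.11.5"),
    ProtocolEntry("ICMP", 0x0800, 1, 0, 0, WLAN12, PASS),
    ProtocolEntry("HTTP", 0x0800, 6, 80, 80, WLAN12, REDIRECT, "192.168.11.5"),
]


def apply_protocol_filter(table, pkt) -> Tuple[str, Optional[str], Optional[str]]:
    """Return (action, redirect address, name of the deciding entry) for one packet."""
    for entry in table:
        if entry.matches(pkt):
            target = entry.redirect_ip if entry.action == REDIRECT else None
            return entry.action, target, entry.name
    if table:                       # implicit reject once the filter is in use
        return DROP, None, None
    return PASS, None, None         # empty table: filter inactive


def packet(interface, ethertype, ip_proto=None, dst_port=None):
    """Constructed packet summary; only the fields the filter looks at."""
    return {"interface": interface, "ethertype": ethertype,
            "ip_proto": ip_proto, "dst_port": dst_port}


if __name__ == "__main__":
    for p in (packet("WLAN-1", 0x0806), packet("WLAN-1", 0x0800, 6, 23),
              packet("WLAN-1", 0x0800, 6, 443), packet("WLAN-1", 0x0800, 17, 53)):
        print(p, "->", apply_protocol_filter(EXAMPLE_TABLE, p))
```

Running it shows that DNS (UDP 53) is rejected by the example table even though nothing in it mentions DNS; a client that gets its address via the DHCP entry will still not resolve names until a DNS entry is added.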
607. …tion.
Note: Please refer to EAP and 802.1x, page 37, for further information on the 802.1x protocol.

[Dialog: RADIUS server, New Entry: Name (RADIUS1), Server IP address (10.1.1.1), Server port (1812), Shared secret, Backup server]

Configuration tool: LANconfig: WLAN Security > IEEE 802.1X > RADIUS server; WEBconfig, Telnet: Expert configuration > Setup > IEEE802.1x > Radius server

Name: In this table each RADIUS server needs a unique name. The name DEFAULT is reserved for all WLAN networks that use an authentication process in line with IEEE 802.1x and that have not specified their own RADIUS server. By using the name defined in the Key 1/passphrase field, each WLAN network using authentication in line with IEEE 802.1x can be assigned its own RADIUS server.
Server IP address: Specify here the IP address of your RADIUS server from which users are managed centrally.
Server port: Specify here the port used for communication to your RADIUS server.
Key (shared secret): Specify here the shared secret with which the RADIUS exchange between the device and the server is protected. The same key must also be configured on the RADIUS server.
Backup server: Name of the backup server from the list of RADIUS servers configured so far.
Note: The generic values for retry and timeout must also be configured, see Configuration of RADIUS as authenticator or NAS, page 50…
608. …tive data connections.
  Host block list > Port block list > Connection list > Filter list
When a data packet is to be routed via the IP router, the Firewall uses the lists as follows:
  The first check is whether the packet comes from a workstation belonging to the host block list. If the sender is blocked, the packet is discarded.
  If the sender is not blocked in this list, the port block list is checked, i.e. whether the used port/protocol combination on the destination PC is closed. In this case the packet is discarded.
  If sender and destination are not blocked in the first two lists, it is checked whether a connection entry exists for this packet in the connection list. If such an entry exists, the packet is handled as noted in this list.
  If no entry has been found for the packet, the filter list is searched for a suitable entry, and the action indicated in this list is carried out. If the action intends to accept the packet, an entry is made in the connection list, as well as for any further actions.

[Figure: packet flow through the firewall lists (host blocked, port blocked, active connection) between the LAN interfaces, WAN interfaces, VPN services and the IP router, including IP redirect]
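The evaluation order above, together with the action rules from the firewall section earlier on this page (fragment 591: combined packet actions resolve to the more secure one, a rule without a limit fires on the first packet, and measures such as Deny host and Close port feed the block lists), is what makes a "block any traffic from and to this station" rule actually stick: the host block list is consulted before any filter, so the offending station is cut off for every destination, not just the one it probed. The model below is an added example, not the device's firewall code; the BLOCKHTTP and ALLOWDNS rules and the packets are constructed. What the firewall does when no filter matches is not stated on the page, so the default action is an explicit constructor argument rather than a guess.

```python
# Added example (not from the BAT54 manual): a model of the evaluation order
# described above (host block list, port block list, connection list, filter
# list) combined with the action rules from the firewall section: combined
# packet actions resolve to the more secure one (Drop over Reject over
# Accept) and a rule without a limit fires on the first packet. The rules and
# packets are constructed. The action taken when no filter matches is not
# stated on the page and is therefore an explicit constructor argument.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

SECURITY_ORDER = ("drop", "reject", "accept")   # most secure first


def resolve_packet_action(actions: Set[str]) -> str:
    """Accept + Drop, for instance, resolves to Drop (the more secure choice)."""
    for candidate in SECURITY_ORDER:
        if candidate in actions:
            return candidate
    raise ValueError("rule has no packet action")


@dataclass
class FilterRule:
    name: str
    match: Callable[[dict], bool]
    actions: Set[str]                                  # subset of {"accept", "reject", "drop"}
    measures: Set[str] = field(default_factory=set)    # e.g. {"deny_host", "close_port", "syslog"}
    timeout_min: int = 5


class Firewall:
    def __init__(self, rules: List[FilterRule], default_action: str):
        self.rules = rules
        self.default_action = default_action
        self.host_block: Dict[str, Tuple[int, str]] = {}                    # src -> (timeout, rule)
        self.port_block: Dict[Tuple[str, str, int], Tuple[int, str]] = {}   # (dst, proto, port) -> ...
        self.connections: Dict[tuple, str] = {}                             # 5-tuple -> action
        self.log: List[str] = []

    @staticmethod
    def _key(p):
        return (p["src"], p["sport"], p["dst"], p["dport"], p["proto"])

    def process(self, p: dict) -> str:
        if p["src"] in self.host_block:
            self.log.append(f"host block list: {p['src']}")
            return "drop"
        if (p["dst"], p["proto"], p["dport"]) in self.port_block:
            self.log.append(f"port block list: {p['dst']} {p['proto']}/{p['dport']}")
            return "drop"
        key = self._key(p)
        if key in self.connections:
            self.log.append("connection list")
            return self.connections[key]
        for rule in self.rules:
            if not rule.match(p):
                continue
            action = resolve_packet_action(rule.actions)   # no limit: fires on the first packet
            self.log.append(f"filter list: {rule.name} -> {action}")
            if "deny_host" in rule.measures:
                self.host_block[p["src"]] = (rule.timeout_min, rule.name)
            if "close_port" in rule.measures:
                self.port_block[(p["dst"], p["proto"], p["dport"])] = (rule.timeout_min, rule.name)
            if action == "accept":
                self.connections[key] = action
            return action
        self.log.append(f"no rule matched -> {self.default_action}")
        return self.default_action


def make_packet(src, sport, dst, dport, proto="TCP"):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "proto": proto}


BLOCKHTTP = FilterRule(
    "BLOCKHTTP",
    lambda p: p["proto"] == "TCP" and p["dst"] == "192.168.200.10" and p["dport"] == 80,
    actions={"accept", "drop"},            # ambiguous on purpose: resolves to drop
    measures={"deny_host", "syslog"},
)
ALLOWDNS = FilterRule("ALLOWDNS", lambda p: p["proto"] == "UDP" and p["dport"] == 53, {"accept"})

if __name__ == "__main__":
    fw = Firewall([BLOCKHTTP, ALLOWDNS], default_action="accept")
    print(fw.process(make_packet("10.0.0.37", 4353, "192.168.200.10", 80)), fw.log[-1])
    print(fw.process(make_packet("10.0.0.37", 5000, "10.0.0.1", 53, "UDP")), fw.log[-1])
```

The second call in the usage is the point of the exercise: the DNS packet would have been accepted by ALLOWDNS, but it never reaches the filter list because the Deny host measure of the first hit put the station on the host block list. Timeouts are stored but not aged here; a real block entry expires after the configured minutes.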
609. …to a specific VLAN.
Recheck cycle (default: 0): Once a WLAN client is logged on after authentication by RADIUS, it remains active until it logs off itself or is logged off by the RADIUS server. By specifying a recheck cycle (in minutes), the RADIUS server can regularly check whether the WLAN clients logged in are still in the access list. If a WLAN client is removed from the access list, it remains logged in to the WLAN up to the point when the recheck cycle runs again.
Note: A recheck cycle of 0 disables regular checking; WLAN clients remain logged in until they log themselves out.

12.10 Extensions to the RADIUS server
12.10.1 New authentication method
Up to version 6.30 the LCOS RADIUS server supported PAP as an authentication method only, i.e. the RADIUS client (henceforth referred to as the NAS, Network Access Server) passed on the user name and password and the server responded with an access accept or access reject. This is just one of a range of authentication methods which can be processed by RADIUS. As of LCOS version … the RADIUS server in the BAT supports additional methods of authentication:
  PAP: The NAS passes the user name and password. The RADIUS server searches its data sets for an entry matching the user name, compares the password and responds with a RADIUS accept or RADIUS reject.
  CHAP: The NAS passes the user name, the CHAP challenge and a hash value derived from the password and the challenge (the CHAP response), but not the password itself. The RADIUS server s…
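The difference between the two methods above is what the server has to compute, and that decides what it has to store. The following is an added example, not the LCOS RADIUS server's code: for PAP the server compares the forwarded password with its entry; for CHAP it recomputes MD5(id || password || challenge) as defined in RFC 1994 and compares it with the response the NAS forwarded, which means the server needs the cleartext password while the password itself never leaves the client. The user database and the NAS simulation are constructed, and the RADIUS packet encoding (attributes, request authenticator, hiding of User-Password with the shared secret) is deliberately left out.

```python
# Added example (not from the BAT54 manual): what the RADIUS server computes
# for the PAP and CHAP methods described above. PAP compares the forwarded
# password; CHAP verifies MD5(id || password || challenge) (RFC 1994), so the
# server needs the cleartext password and the password never leaves the
# client. The user database and the NAS simulation are constructed; RADIUS
# packet encoding is left out on purpose.
import hashlib
import hmac
import os

USER_DB = {"alice": "correct horse battery"}   # constructed; cleartext is required for CHAP


def chap_response(chap_id: int, password: str, challenge: bytes) -> bytes:
    """CHAP response as the client computes it: MD5(id || secret || challenge)."""
    return hashlib.md5(bytes([chap_id & 0xFF]) + password.encode() + challenge).digest()


def radius_pap(username: str, password: str) -> bool:
    """PAP: the NAS forwarded user name and password; compare with the stored entry."""
    stored = USER_DB.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(stored.encode(), password.encode())


def radius_chap(username: str, chap_id: int, challenge: bytes, response: bytes) -> bool:
    """CHAP: recompute the expected response from the stored password and compare."""
    stored = USER_DB.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(chap_response(chap_id, stored, challenge), response)


def nas_chap_request(username: str, client_password: str, chap_id: int = 1,
                     challenge: bytes = None) -> dict:
    """What the NAS forwards: user name, CHAP id, challenge and response, never the password."""
    if challenge is None:
        challenge = os.urandom(16)
    return {
        "username": username,
        "chap_id": chap_id,
        "challenge": challenge,
        "response": chap_response(chap_id, client_password, challenge),
    }


def radius_decide(request: dict) -> str:
    return "Access-Accept" if radius_chap(**request) else "Access-Reject"


if __name__ == "__main__":
    print(radius_pap("alice", "correct horse battery"))
    print(radius_decide(nas_chap_request("alice", "correct horse battery")))
    print(radius_decide(nas_chap_request("alice", "wrong")))
```

Two consequences follow for the server side: the user store cannot hold one-way hashed passwords if CHAP is to work, and a captured challenge/response pair is only good for an offline guess, not for replay, because the server issues a fresh challenge each time.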
610. …tom connection setup is taken back when there is an incoming call from the called remote station, and on the other hand the function is activated with this setting to be able to react to the rapid callback procedure. In other words, in order to be able to use rapid callback, the caller must be in the Looser mode while the party being called must discontinue callback with the setting fast.
Note: The setting Name offers the greatest security when an entry is made into the number list as well as the PPP list. The setting fast offers the fastest callback method between two Hirschmann routers.
Note: With Windows remote stations the Name setting must be selected.

11.14 Serial interface
Note: This section refers only to devices with a serial configuration interface.
11.14.1 Introduction
Internationally, analog telephone connections are just as common in the business world as the ISDN connections that predominate in Germany. The operation of international networks thus places particular demands on remote maintenance options and on the high availability of the gateways, and so requires different interfaces than the ISDN common in Germany. Apart from conventional analog telephone lines, mobile telephone networks such as GSM or GPRS may in certain cases represent the only way of providing remote maintenance without broadband or other cabled access.
611. …tor know what's going on. LANmonitor automatically creates a new entry in the device list and initially displays the status of the transfer channels. Start your web browser and enter any web page you like. LANmonitor now shows a connection being established on one channel and the name of the remote site being called. As soon as the connection is established, a plus sign against the communication channel entry indicates that further information on this channel is available. Click on the plus sign or double-click the appropriate entry to open a tree structure in which you can view various information.

[LANmonitor window: device tree with VPN connections, accounting information, DSL line, ISDN line, Firewall entries (e.g. "2.6.2003 23:45:49 intruder detection: Packet dropped" and "intruder detection: Packet of protocol 50 from 10.98.100.11:0 to 10.1.1.10:0, Packet dropped"), VPN connections and system information]

In this example you can determine from the PPP protocol information the IP address assigned to your router by the provider for the duration of the connection and the addresses transmitted for the DNS and NBNS server. Under the general information you can watch the transmission rates at which data is currently being exchanged with the Internet. To break the connection manually, click on the a…
612. …[LANconfig window: device list with device name, type, IP address and status ("Ok", "Reading config", 41472 bytes); context menu with the entries Rename and Delete; folder tree in the left margin]

Note: The directory structure in the left margin of the LANconfig window can be switched on and off with the F6 function key or by using the menu View > Folder Tree.

5.2.3 Multithreading
The management of larger projects can be aided by simultaneously opening configuration windows for multiple devices to compare similarities and differences. LANconfig allows multiple configuration dialogs to be opened at the same time (multithreading). After opening the configuration for a device, simply open further…
613. …ts.
[Dialog: Management > Security: Main device password; Number (MSN); Access stations (e.g. 192.168.2.100 / 255.255.255.255; Edit, Copy, Remove); Configuration login lock: lock configuration after 5 failed logins, for 5 minutes; Configuration access ways: access rights for each supported configuration protocol, with which access to the unit can be limited to certain stations]

Access stations: By default this table does not contain entries. Thus the device can be accessed over TCP/IP from computers with arbitrary IP addresses. With the first entry of an IP address together with the associated net mask the filter is activated, and solely the IP addresses contained in this entry are then entitled to use the internal functions. With further entries the number of entitled stations can be extended. The filter entries can designate both individual computers and whole networks. With WEBconfig or Telnet you reach the configuration of the access list at the following paths:
  Configuration tool | Run
  WEBconfig | Expert Configuration > Setup > TCP-IP > Access list
  Terminal/Telnet | setup/TCP-IP/access-list

7.2 The security checklist
In the following checklist you will find an overview of the most important security functions. That w…
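The access list semantics above have one trap: an empty table does not mean "nobody", it means the filter is inactive and every address reaches the management functions. The check below is an added example, not code from the device, and evaluates a list of (address, netmask) entries as they are typed into the table, plus the audit a reviewer would run over a configuration dump before trusting it. The entries are constructed, and the /24 threshold for the "wide entry" warning is an arbitrary choice of this example.

```python
# Added example (not from the BAT54 manual): the access list semantics
# described above. An empty table means the filter is inactive and every
# address may reach the management functions; otherwise the client must fall
# into at least one (address, netmask) entry. Entries here are constructed
# and the /24 warning threshold is an arbitrary choice of this example.
import ipaddress
from typing import Iterable, List, Tuple

Entry = Tuple[str, str]   # (IP address, netmask) as entered in the device table


def _networks(access_list: Iterable[Entry]):
    return [ipaddress.ip_network(f"{addr}/{mask}", strict=False) for addr, mask in access_list]


def management_allowed(access_list: List[Entry], client_ip: str) -> bool:
    """Empty list: filter inactive, every address allowed. Otherwise any entry must contain the client."""
    if not access_list:
        return True
    client = ipaddress.ip_address(client_ip)
    return any(client in net for net in _networks(access_list))


def audit_access_list(access_list: List[Entry], max_prefixlen_warn: int = 24) -> List[str]:
    """Warnings about an access list that leaves management open wider than intended."""
    if not access_list:
        return ["access list is empty: management reachable from every IP address (factory default)"]
    warnings = []
    for (addr, mask), net in zip(access_list, _networks(access_list)):
        if net.prefixlen == 0:
            warnings.append(f"{addr}/{mask} covers every address; the filter is effectively off")
        elif net.prefixlen < max_prefixlen_warn:
            warnings.append(f"{addr}/{mask} admits {net.num_addresses} addresses; narrow it if possible")
    return warnings


if __name__ == "__main__":
    for entries in ([], [("192.168.2.100", "255.255.255.255")], [("10.0.0.0", "255.0.0.0")]):
        print(entries, management_allowed(entries, "10.200.1.1"), audit_access_list(entries))
```

Because the list is the only thing standing between a routed packet and the management services (Telnet, WEBconfig, SNMP), it belongs in the same review as the device passwords, and the first entry should be the management station, not a whole subnet.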
614. …ty. Here the public community can be selected, or alternatively the master password or a combination of user name and password separated by a colon.
Note: The community public corresponds to the rights of a local administrator with read-only access as long as SNMP read access without password is enabled (Password protection for SNMP read-only access, page 175). If this access is not allowed, then the public community has access to no menus at all. Otherwise the same limitations on rights apply for the menus as with Telnet.

4.8.3 Configuration of user rights
LANconfig: When using LANconfig for the configuration, you will find the list of administrators in the configuration area Management on the Admin tab under the button Further administrators.

[Dialog: Management > Admin: Main device password; Number (MSN); Further Administrators (columns Administrator, Active, Access rights, Basic wizard, Security wizard, Internet wizard; e.g. Administrator / Yes / Restricted / On); New Entry: Administrator, Password; Password required for SNMP read permission; Configuration login lock]
615. …subsequent encryption with IEEE 802.11i or WPA is only possible with the right combination of passphrase and MAC address. This combination makes the spoofing of MAC addresses futile, and LEPS thus shuts out a potential attack on the ACL. If WPA or IEEE 802.11i is used for encryption, the MAC address can indeed be intercepted, but this method never transmits the passphrase over wireless. This greatly increases the difficulty of attacking the WLAN, as the combination of MAC address and passphrase requires both to be known before an encryption can be negotiated. Note that the WPA key handshake captured over the air still allows an offline guess at the passphrase, so the individual passphrases need to be long and random.

LEPS can be used both locally in the device and centrally managed with a RADIUS server. LEPS works with all WLAN client adapters available on the market without any modification. Full compatibility with third-party products is assured, as LEPS only involves configuration in the access point.
Note: An additional security aspect: LEPS can also be used to secure single point-to-point (P2P) connections with an individual passphrase. Even if an access point in a P2P installation is stolen and the passphrase and MAC address become known, all other WLAN connections secured by LEPS remain secure, particularly when the ACL is stored on a RADIUS server.

Configuration: The configuration of LEPS merely involves the assignment of an individual passphrase to the MAC address of each client that is appr…
616. uency range of 5.13 to 5.805 GHz, up to 19 channels are available in Europe, divided into frequency ranges to which different conditions of use can apply: 5150 to 5250 MHz: channels 36, 40, 44 and 48; 5250 to 5350 MHz: channels 52, 56, 60 and 64; 5470 to 5725 MHz: channels 100, 104, 108, 112, 116, 120, 124, 128, 132, 136 and 140; 5725 to 5875 MHz: channels 147, 151, 155 and 167. Note: the frequency ranges and radio channels in the 5725 to 5875 MHz range can only be used in Great Britain. The following overview shows which channels may be used in the different regions (Wireless LAN (WLAN) 3.10 WLAN according to 802.11h):

Channel   Frequency   ETSI (EU)   FCC (US)   Japan
36        5.180 GHz   yes         yes        yes
40        5.200 GHz   yes         yes        yes
44        5.220 GHz   yes         yes        yes
48        5.240 GHz   yes         yes        yes
52        5.260 GHz   yes         yes        no
56        5.280 GHz   yes         yes        no
60        5.300 GHz   yes         yes        no
64        5.320 GHz   yes         yes        no
100       5.500 GHz   yes         no         no
104       5.520 GHz   yes         no         no
108       5.540 GHz   yes         no         no
112       5.560 GHz   yes         no         no
116       5.580 GHz   yes         no         no
120       5.600 GHz   yes         no         no
124       5.620 GHz   yes         no         no
128       5.640 GHz   yes         no         no
132       5.660 GHz   yes         no         no
136       5.680 GHz   yes         no         no
140       5.700 GHz   yes         no         no

3.10.3 Frequency ranges for indoor and outdoor use: The use of the methods described in ETSI 301 893 for reducing mutual interference in the 5 GHz band (TPC and DFS) is not stipulated for all fie
617. uire you to have any knowledge of the DNS server address. Entering the intranet address of your router as the DNS server for the workstation computers is sufficient to enable name resolution. This procedure also automatically updates the address of the DNS server: your local network always receives the most current information, even if, for example, the provider sending the address changes the name of its DNS server or you change to another provider. 12.3.3 Setting up the DNS server: The settings for the DNS server are contained in the following menu or list (Configuration tool / Run / Table): LANconfig: TCP/IP > DNS; WEBconfig: Expert Configuration > Setup > DNS; Terminal/Telnet: cd setup/DNS. Proceed as follows to set up the DNS server:

1. Switch the DNS server on. WEBconfig: Operating. Terminal/Telnet: set operating on. More services 12.3 DNS.
2. Enter the domain in which the DNS server is located. The DNS server uses this domain to determine whether the requested name is located in the LAN. Entering the domain is optional. WEBconfig: Domain. Terminal/Telnet: set domain yourdomain.com.
3. Specify whether information from the DHCP server and the NetBIOS module should be used. WEBconfig: DHCP usage, NetBIOS usage. Terminal/Telnet: set DHCP usage yes, set NetBIOS usage yes.

(The LANconfig TCP/IP dialog shown in the original carries the corresponding option DNS server activated.)
618. ule / Provider table; WEBconfig: Setup > IEEE802.1x > RADIUS server. More services 12.11 RADSEC. BAT as a RADIUS server: If a BAT operates as a RADIUS server, the RADSEC port for receiving logins can be set up. In addition, the protocol to be used (RADIUS, RADSEC or all) can be set for each of the RADIUS clients in the client list. This allows, for example, RADIUS to be used for LAN-based clients and the more robust RADSEC via TCP to be used for registrations arriving over the Internet. For a client entry that only ever reaches the device over the Internet, select RADSEC rather than all, so that a fallback to plain RADIUS over UDP is not accepted from that address. 12.11.2 Certificates for RADSEC: Separate X.509 certificates are required for TLS encryption of the RADSEC connection. The individual certificates (root certificate, device certificate and private key) can be uploaded to the device individually or as a PKCS#12 container. WEBconfig: Upload certificate or file. Select which file you want to upload and its name/location, then click on Start Upload. Caution (the text is garbled in the original): files are not checked during the upload; the checks are performed by the individual modules, and their error messages can be seen in the VPN status. The file types offered in the dialog are: certificate (pem, crt, cer; BASE64); private key (key; BASE64, unencrypted); passphrase (if required); SSH RSA key (key; BASE64, unencrypted); VPN root CA certificate (pem, crt, cer; BASE64); VPN device certificate (pem, crt, cer; BASE64); VPN device private key (key; BAS
619. ule adds the routing tag 2 to the entire data traffic for a local group of computers defined by an IP address range. Alternatively, certain protocols receive a different supplementary routing tag. The diagram demonstrates the application of policy routing with load balancing. Routing and WAN connections 11.2 IP routing. (Diagram in the original: a data packet with an IP destination address enters the firewall, which adds a routing tag; the IP routing table maps IP address plus routing tag to a remote station; the peer list maps the remote station to a DSL port and the connection parameters of the communication layer.) > When establishing a connection, the firewall first checks whether the packets for transmission match a rule which contains a routing tag. The routing tag is entered into the data packet. > The IP routing table combines the routing tag and destination IP address to determine the appropriate remote station. The IP routing table is processed from top down in the usual fashion. > If an entry is found corresponding to the network, the second step is to check the routing tag. The required remote station can be found with the help of the appropriate routing tag. Note: If the routing tag has a value of 0 (default), the routing entry applies to all packets. > Internal services implicitly use the default tag.
620. ult 3): This value specifies how many authentication attempts are made in total before a Reject is issued. More services 12.9 RADIUS. RADIUS accounting: Accounting for a logical WLAN network can be enabled from a RADIUS server by enabling the RADIUS Accounting option in the logical WLAN settings for the network. (The Logical WLAN settings dialog shown in the original also carries: WLAN network enabled; Network name (SSID); This radio network cannot be accessed with the network name ANY (closed network); MAC filter enabled; Maximum count of clients; Client Bridge Support; RADIUS accounting.) LANconfig: Interfaces > Wireless LAN > Logical WLAN settings. WEBconfig/Telnet: Expert configuration > Setup > RADIUS module. Dial-in using PPP and RADIUS: When dialing in using the PPP protocol (Point-to-Point Protocol), RADIUS can be used to check client access authorizations. A client can dial in to the network from anywhere. The resulting data transmission between client and authenticator is encrypted. (Configure > Communication > RADIUS in the original: Authentication via RADIUS, RADIUS server, Server IP address, Server port, Shared secret, PPP operation.)
621. unctions ensuring, e.g., certain bandwidths with QoS (Connection, page 271). The option This rule is used to create VPN rules makes the information about source and destination networks of this rule available for defining VPN networks as well. > Actions: Here the firewall actions are defined, consisting of condition, trigger, packet action and further measures. The actions table (Actions dialog in the original) describes an arbitrary number of actions that are executed if the rule matches or if the specified amounts of data or packets are exceeded. Conditions: Action only if not connected; Action only for default route (i.e. Internet); Action only for DiffServ CP; Action only for sent packets; Action only for received packets. Trigger: immediately, or once a given amount of data (e.g. 32 kbit, 256 kbit) per second, minute or hour has been exceeded, with the counter kept per connection or globally (Reset counter). Packet action: Transmit, Drop, Reject. Further measures: Send Syslog message, Send e-mail message, SNMP (LANmonitor), Disconnect, Lock source address, Lock target port. > QoS: Here you can assign minimum bandwidths for data packets specified by the corresponding firewall rules (see also Defining minimum and maximum bandwidths, page 328). Firewall.
622. undling of channels. The selected option only becomes active when it is supported by both the ports used and the selected Layer 2 and Layer 3 protocols. Layer 1: In this field the lower part of the data link layer is configured. The following options are available: AAL-5 (ATM adaptation layer); ETH-10 (transparent Ethernet as per IEEE 802.3); HDLC (securing and synchronization of the data transfer as per HDLC in 7 or 8 bit mode); V.110 (transmission as per V.110 with a maximum of 38,400 bps); Modem (modem transmission, requires the Fax/Modem option). 11.4 IP masquerading: One of today's most common tasks for routers is connecting the numerous workstation computers in a LAN to the network of all networks, the Internet. Everyone should be able to access, for example, the WWW from their workstation and fetch up-to-date information for their work. So that not every single computer with its IP address is known on the entire Internet, IP masquerading is used to hide all computers located in an intranet. IP masquerading demands two things of a router: on the one hand a valid IP address in the local network, on the other hand a valid and public IP address in the Internet (static or assigned by the provider). Because these two addresses may not exist in one logical network, the router must have two IP addresses: the intranet IP address to communicate with compute
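To make the masquerading mechanism concrete, here is an added example (not code from the manual or the device firmware) of the translation table a masquerading router keeps: outbound flows from the intranet are rewritten to the one public address and a fresh port, replies are mapped back through that port, and unsolicited inbound packets are dropped unless an inverse-masquerading (port-forwarding) entry exists. The addresses, the port pool and the rule that a mapping may only be used by the remote station it was created for are assumptions of the example, not settings taken from the manual.

```python
import itertools
from typing import Dict, Optional, Tuple

# Constructed addresses, not from the manual.
PUBLIC_IP = "203.0.113.7"       # public address (static or assigned by the provider)
INTRANET_IP = "10.1.1.1"        # the router's address in the local network
# Inverse masquerading ("port forwarding"): a public port is mapped to one internal server.
INVERSE_MASQ: Dict[Tuple[str, int], Tuple[str, int]] = {("tcp", 80): ("10.1.1.80", 80)}

Flow = Tuple[str, str, int, str, int]   # (proto, src_ip, src_port, dst_ip, dst_port)


class Masquerader:
    """Minimal model of IP masquerading (NAPT): every outbound flow from the intranet is
    rewritten to PUBLIC_IP and a fresh public port; replies are translated back by
    looking up that port. Unsolicited inbound packets have no table entry and are dropped
    unless an inverse-masquerading entry exists for the port."""

    def __init__(self, first_port: int = 40000):
        self._next_port = itertools.count(first_port)    # hypothetical port pool
        self._by_flow: Dict[Flow, int] = {}              # inside flow -> public port
        self._by_port: Dict[Tuple[str, int], Flow] = {}  # (proto, public port) -> inside flow

    def outbound(self, proto: str, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> Flow:
        """Translate a packet leaving the intranet; returns the rewritten 5-tuple."""
        flow: Flow = (proto, src_ip, src_port, dst_ip, dst_port)
        port = self._by_flow.get(flow)
        if port is None:
            port = next(self._next_port)
            self._by_flow[flow] = port
            self._by_port[(proto, port)] = flow
        return (proto, PUBLIC_IP, port, dst_ip, dst_port)

    def inbound(self, proto: str, src_ip: str, src_port: int, dst_port: int) -> Optional[Flow]:
        """Translate a packet arriving from the Internet at PUBLIC_IP:dst_port.
        Returns the 5-tuple delivered into the intranet, or None when it is dropped."""
        flow = self._by_port.get((proto, dst_port))
        if flow is not None:
            _, in_ip, in_port, remote_ip, remote_port = flow
            # Assumption of this model: only the remote station the mapping was created
            # for may use it, as a restrictive NAT would enforce.
            if (src_ip, src_port) == (remote_ip, remote_port):
                return (proto, src_ip, src_port, in_ip, in_port)
            return None
        target = INVERSE_MASQ.get((proto, dst_port))
        if target is not None:
            return (proto, src_ip, src_port, target[0], target[1])
        return None    # no mapping and no port forward: the intranet host stays invisible


if __name__ == "__main__":
    nat = Masquerader()
    print(nat.outbound("tcp", "10.1.1.5", 51000, "198.51.100.9", 443))
    print(nat.inbound("tcp", "198.51.100.9", 443, 40000))
    print(nat.inbound("tcp", "192.0.2.66", 12345, 80), nat.inbound("tcp", "192.0.2.66", 12345, 40001))
```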
623. use it normally is not to be active within the DMZ. For this reason the NetBIOS proxy can be configured separately for each network. (NetBIOS networks dialog in the original: Network name INTRANET, NetBIOS proxy enabled for this network, Workgroup INTERN.) Configuration tool / Call: LANconfig: NetBIOS > General > NetBIOS networks; WEBconfig/Telnet: Expert configuration > Setup > NetBIOS > Networks. Network name: Name of the network that the NetBIOS proxy is to be activated for. NetBIOS proxy operating for the network: This option defines whether the NetBIOS proxy is active for the selected network. Workgroup: The workgroup or domain used by the network clients; with multiple workgroups, naming one workgroup suffices. Note: In the default setting Intranet and DMZ are entered into this table; the NetBIOS proxy is activated for the intranet and deactivated for the DMZ. As soon as a network has an interface tag, the only names (hosts and groups) visible from this network are those in a network with the same tag, or those accessible via a WAN route tagged with the same tag. An untagged network sees all names. Similarly, all names learned from untagged networks are visible to all networks. The DNS server considers the interface tags when resolving names, i.e. the only names resolved by DNS are those learned from a network with the same tag. The special role played by untagged
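The tag-based visibility rule above is easy to get wrong at the edges (untagged viewers, names learned from untagged sources, names learned over a tagged WAN route), so here it is as an added example (not code from the manual or from the device) run over a constructed name table. The networks, tags, routes and names are invented for the example; the example also assumes that the DNS server applies the same rule as the NetBIOS proxy, including the untagged cases, which the manual only states for names with matching tags.

```python
from typing import Dict, List, Optional, Tuple

# Constructed example, not from the manual: interface tags of the local networks
# (0 = untagged) and routing tags of WAN routes.
NETWORK_TAGS: Dict[str, int] = {"INTRANET": 0, "DMZ": 0, "DEVELOPMENT": 2, "SALES": 1}
WAN_ROUTE_TAGS: Dict[str, int] = {"HQ-VPN": 2, "PARTNER-VPN": 1}

# Names the NetBIOS proxy / DNS server has learned: (name, ip, network or route learned from)
NAME_TABLE: List[Tuple[str, str, str]] = [
    ("fileserver", "10.0.0.10", "INTRANET"),
    ("webproxy",   "10.0.0.20", "DMZ"),
    ("buildbox",   "10.1.1.5",  "DEVELOPMENT"),
    ("crm",        "10.1.1.9",  "SALES"),
    ("hq-dc",      "10.5.0.1",  "HQ-VPN"),
    ("partner-db", "10.6.0.1",  "PARTNER-VPN"),
]


def tag_of_source(source: str) -> int:
    """Tag of the network or WAN route a name was learned from."""
    if source in NETWORK_TAGS:
        return NETWORK_TAGS[source]
    return WAN_ROUTE_TAGS[source]


def is_visible(name_tag: int, viewer_tag: int) -> bool:
    """Visibility rule from the manual: an untagged network sees everything, names learned
    from untagged sources are visible everywhere, and otherwise the tags must match."""
    return viewer_tag == 0 or name_tag == 0 or name_tag == viewer_tag


def visible_names(network: str) -> List[str]:
    """Names (hosts and groups) the NetBIOS proxy shows to clients in `network`."""
    viewer_tag = NETWORK_TAGS[network]
    return sorted(n for n, _, src in NAME_TABLE if is_visible(tag_of_source(src), viewer_tag))


def resolve(name: str, network: str) -> Optional[str]:
    """DNS resolution honouring interface tags (assumed to follow the same rule):
    a name is only answered for a requester whose network may see it, else None."""
    viewer_tag = NETWORK_TAGS[network]
    for n, ip, src in NAME_TABLE:
        if n == name and is_visible(tag_of_source(src), viewer_tag):
            return ip
    return None


if __name__ == "__main__":
    for net in NETWORK_TAGS:
        print(f"{net:12} sees {visible_names(net)}")
    print("crm from DEVELOPMENT:", resolve("crm", "DEVELOPMENT"), "| from SALES:", resolve("crm", "SALES"))
```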
624. (LANconfig device list from a screenshot in the original: devices Router118 to Router127 with their IP addresses in 10.1.2.x and their MAC addresses 00:A0:57:..., and the context menu entries Add Device (Ins), Find Devices (F3), Update All Devices with Firmware.) 5.2.5 Manual and automatic searches for firmware updates: To make the update of BAT devices with new firmware as convenient as possible, the firmware files for the various BAT models and LCOS versions are ideally saved to a central archive directory. The search for new versions of the firmware in this directory can either be initiated manually or automatically after starting LANconfig. Since every device in the project is updated from this directory, write access to it should be limited to the administrators who are allowed to roll out firmware. LANtools network management 5.2 Project management with LANconfig. Automatic search for firmware updates: The directory where LANconfig is to search for the updates is set under Tools > Options > Extras. It is also possible to set up LANconfig to search the firmware archive and to check whether any of the devices found require an update. With this option activated, starting LANconfig automatically displays all of the devices for which new updates are available.
625. values for all available ports (LAN, wireless LAN, point-to-point connections). Priority: The priority of this port, taken from the port configuration. State: The current status of the port. Routing and WAN connections 11.17 The rapid spanning tree protocol. Disabled: no packets can be sent or received through this port; this occurs when the port has either been disabled manually or has a negative link status. Listening: intermediate state on the way to enabling; only Spanning Tree packets are listened to, data packets are ignored and are also not forwarded to this port. Learning: further intermediate state; as opposed to Listening, MAC addresses from data packets entering this port are additionally learned, but data packets are still not forwarded. Forwarding: the port is completely active; data packets are received and forwarded in both directions. Blocking: Spanning Tree has identified this port as redundant and disabled it for data traffic. Root: The ID of the root bridge that can be reached through this port. Bridge: The ID of the bridge through which the root bridge can be reached. Costs: This value defines the costs for this port. The value is determined by the port technology (Ethernet, WLAN etc.) and the bandwidth. Examples of values used (Transfer technology / Costs of Classic Spanning Tree / Costs of Rapid Spanning Tree): Et
626. ve all its IP address, it applies for an extension ahead of time that it is generally sure to be granted. The computer loses its address only if it is switched off when the period of validity expires. For each request a host can ask for a specific period of validity; however, a DHCP server can also assign the host a period of validity that differs from what it requested. The DHCP module provides two settings for influencing the period of validity. Maximum lease time in minutes: Here you can enter the maximum period of validity that the DHCP server assigns a host. If a host requests a validity that exceeds this maximum, it nevertheless receives only this maximum. The default setting is 6000 minutes (approx. 4 days). Default lease time in minutes: Here you can enter the period of validity that is assigned if the host makes no request. The default setting is 500 minutes (approx. 8 hours). Precedence for the DHCP server / request assignment: In the default configuration almost all the settings in the Windows network environment are selected in such a way that the necessary parameters are requested via DHCP. Check the settings by clicking Start > Settings > Control Panel > Network. Select the TCP/IP entry for your network adapter and open Properties. Check the various tabs for special entries, such as for the IP address or the standard gateway. If you would like all of the values to be assigned by the DHCP server, simp
627. ve the devices that are to be grouped into it with the mouse. Then click on the folder with the right-hand mouse button and select the entry New group configuration from the context menu. After selecting the group type and the firmware version, the LANconfig configuration dialog opens with a reduced selection of configuration options. LANtools network management 5.4 Group configuration with LANconfig. (Screenshots in the original: the LANconfig window with the folder context menu New Folder (Ins), Delete (Del), Rename (F2) and Add Group Configuration; the dialog for selecting the group type Wireless and the firmware version 5.00; and the resulting reduced configuration dialog with the Wireless LAN, VLAN and Public Spot pages, the common settings Country, ARP handling and Broken LAN link detection, and the Physical WLAN settings and Logical WLAN settings (MultiSSID) buttons.) The parameters here shou
628. vely, the assignment of tags can be carried out with a combination of network definitions and firewall rules. The networks are defined as follows:

Network name   IP address   Netmask         VLAN ID   Interface   Source check   Type       Rtg tag
DEVELOPMENT    10.1.1.1     255.255.255.0   0         LAN-1       strict         Intranet   0
SALES          10.1.1.1     255.255.255.0   0         LAN-2       strict         Intranet   0

Routing tags can be used to define the following firewall rules:

Name               Protocol   Source         Target   Action   Linked   Prio   Rtg tag
DEVELOPMENT-HOST   ANY        Ldevelopment   ANY      a        yes      255    2
SALES-HOST         ANY        Lsales         ANY      a        yes      255    1

Important for these rules is the maximum priority 255, so that these rules are always checked first. Since filtering by services is still to be possible, the option Linked has to be set in the firewall rule. 11.7.8 Default routes filter: It is possible for firewall rules to take effect only if the sender or receiver can be accessed over the default route. Because the function of the virtual router is based on checks of the interface tags, not only the untagged default routes but also routes other than default routes have to be included. When a packet is received at a WAN interface, the WAN interface is considered by the firewall to be a default route if either a tagged or an untagged default route refers to this WAN interface. If a packet is received at a LAN interface and is to be routed to a WAN interface, then this WAN
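The two-step decision described in section 11.2 (firewall assigns a routing tag, the routing table is then searched top-down for an entry whose network matches and whose tag is 0 or equal to the packet's tag) and the tag-assigning rules of this section are both covered by the following added example, which is not code from the manual or the device. The rules, the routing table, the interface names and the remote-station names are constructed; the two priority-255 rules mirror the DEVELOPMENT/SALES example above, where both networks use the same address range and are told apart by interface, and a low-priority protocol rule shows why the maximum priority matters.

```python
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed, not from the manual: firewall rules that only assign a routing tag.
# They are evaluated in descending priority; the first match sets the tag. Priority 255
# keeps the per-network rules ahead of every other rule, as the manual recommends.
TAG_RULES: List[Dict] = [
    {"name": "DEVELOPMENT-HOST", "src": "10.1.1.0/24", "iface": "LAN-1", "prio": 255, "tag": 2},
    {"name": "SALES-HOST",       "src": "10.1.1.0/24", "iface": "LAN-2", "prio": 255, "tag": 1},
    {"name": "SIP-VIA-VOIP-DSL", "src": "0.0.0.0/0", "proto": "udp", "dport": 5060, "prio": 10, "tag": 3},
]

# Constructed routing table: (network, routing tag, remote station), processed top-down.
ROUTES: List[Tuple[str, int, str]] = [
    ("10.1.1.0/24", 0, "LOCAL"),
    ("0.0.0.0/0",   2, "DSL-DEVELOPMENT"),
    ("0.0.0.0/0",   1, "DSL-SALES"),
    ("0.0.0.0/0",   3, "DSL-VOIP"),
    ("0.0.0.0/0",   0, "DSL-DEFAULT"),
]


def assign_tag(pkt: Dict) -> int:
    """Firewall step: tag the packet from the highest-priority matching rule, else 0."""
    for rule in sorted(TAG_RULES, key=lambda r: r["prio"], reverse=True):
        if ip_address(pkt["src"]) not in ip_network(rule["src"]):
            continue
        if "iface" in rule and rule["iface"] != pkt.get("iface"):
            continue
        if "proto" in rule and rule["proto"] != pkt.get("proto"):
            continue
        if "dport" in rule and rule["dport"] != pkt.get("dport"):
            continue
        return rule["tag"]
    return 0   # default tag, also the tag the router's internal services use


def lookup_remote(dst: str, tag: int) -> Optional[str]:
    """Routing-table step: first entry whose network contains dst and whose tag
    is 0 (applies to all packets) or equals the packet's tag."""
    d = ip_address(dst)
    for net, route_tag, remote in ROUTES:
        if d in ip_network(net) and route_tag in (0, tag):
            return remote
    return None


def route(pkt: Dict) -> Optional[str]:
    """Full policy-routing decision for one packet: firewall tag, then table lookup."""
    return lookup_remote(pkt["dst"], assign_tag(pkt))


if __name__ == "__main__":
    dev = {"src": "10.1.1.5", "iface": "LAN-1", "dst": "198.51.100.1", "proto": "tcp", "dport": 443}
    sales = dict(dev, iface="LAN-2")
    print("development host ->", route(dev), "| sales host ->", route(sales))
```

Note that a packet from LAN-1 to UDP port 5060 still gets tag 2, not 3: both rules match, and the priority-255 rule is checked first, which is exactly why the manual insists on the maximum priority for the per-network rules.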
629. ver, the following reasons speak for locating the DNS server directly in the BAT: The BAT can automatically distribute IP addresses for the computers in the local network when in DHCP server mode. In other words, the DHCP server already knows the names and IP addresses of all of the computers in its own network that were assigned IP addresses via DHCP. With the dynamic address assignments of a DHCP server, an external DNS server might have difficulty keeping the associations between names and IP addresses current. When routing Microsoft Networks via NetBIOS, the BAT also knows the computer names and IP addresses in the other connected NetBIOS networks. In addition, computers with fixed IP addresses can also enter themselves in the NetBIOS table and thus be known by their names and addresses. The DNS server in the BAT can also be used as an extremely convenient filter mechanism: requests for domains can be prohibited throughout the LAN, for subnetworks or even for individual computers, simply by specifying the domain name. Note that this filter acts on the name being resolved only; a client that uses another resolver or addresses the target by its IP address is not affected by it. More services 12.3 DNS. How does the DNS server react to the request? When processing requests for specific names, the DNS server takes advantage of all of the information available to it. First the DNS server checks whether access to the name is prohibited by the filter list. If that is the case, an error message is returned to the requesting computer stating that
630. vice entry. After successfully transferring the parameters, the device status changes to OK. (LANconfig screenshot in the original: the group configuration LANCOM Group Wireless 5.00 with the devices 1611 Office at 192.168.2.101 and VPN_NHAMEL at 192.168.2.100, both with status Ok.) Note: It is also possible to use the partial configuration of a device as a group configuration; simply drag the device entry onto the group configuration entry. LANtools network management 5.4 Group configuration with LANconfig 5.4.3 Update group configurations: Apart from manually changing the parameters in a group configuration, the current configuration of a device can be used as the basis for a group configuration. One device is thus declared as master for all other devices in the same file. To take over the values from a current device configuration for a group configuration, simply drag the entry for this device onto the desired group configuration. All of the parameters defined in the group configuration are then overwritten by the values in the device configuration. The next time that LANconfig checks the devices, it will find that the configurations in the other devices no longer agree with the new group configuration; this is displayed by the device status.
631. w; in certain application scenarios the point of view can alternatively be changed to the flow of the physical data stream. Note: The differentiation between sending and receiving direction applies only to the setting of maximum bandwidths. For a guaranteed minimum bandwidth, as well as for fragmentation and PMTU reduction, the direction is always that of the physical data transfer via the respective interface. 9.7 QoS configuration 9.7.1 Evaluating ToS and DiffServ fields (ToS or DiffServ). LANconfig: For configuration with LANconfig select the configuration field IP router. Adjust on the General tab whether the Type of Service field or alternatively the DiffServ field is to be observed for prioritization of data packets. When both options are turned off, the ToS/DiffServ field is ignored. Quality of Service 9.7 QoS configuration. (The IP router > General tab shown in the original offers: IP router enabled; Use Proxy ARP to tie remote stations into the LAN; Forward packets within the local network; Transfer ICMP packets secured; Pass on TCP SYN and ACK packets preferentially; Note the Type of Service field in IP packets; Interpret the DiffServ field in IP packets.) WEBconfig/Telnet: For configuration with WEBconfig or Telnet, your decision for the evaluation of the ToS or DiffServ fields is entered at the foll
632. wall completely blocks the communication between the protected network and the rest of the world. In a second step the administrator opens the address ranges or ports which are necessary, e.g. for daily communication with the Internet. This approach ensures superior security for the LAN compared to the Allow-All strategy, but may lead, especially in its initial stages, to difficulties for the users: after activation of the Deny-All strategy some things may behave differently than before, some stations may no longer be reachable, etc. Firewall with DMZ: The demilitarized zone (DMZ) is a special range of the local network which is shielded by a firewall both against the Internet and against the normal LAN. All stations or servers that should be accessible from the unsecured network (Internet) should be placed into this network, for example your own FTP and web servers. The firewall first protects the DMZ against attacks from the Internet; additionally, the firewall protects the LAN against the DMZ. To do so, the firewall is configured so that only the following accesses are possible: Stations from the Internet can access the servers in the DMZ, but no access from the Internet to the LAN is possible. Firewall 8.3 The BAT Firewall > The stations of the LAN can access the Internet as well as servers in the DMZ. > Servers of the DMZ have no access to the stati
633. warding table has no entries, i.e. the default and empty realms are empty. This means that all requests are treated as local requests and any realms which are communicated are ignored. To operate the LCOS RADIUS server purely as a forwarding server (RADIUS proxy), the default and empty realms must be set to a value that corresponds with a server defined in the forwarding table. Please note that the forwarding of RADIUS requests does not alter the user name: no realm is added, changed or removed. The next server may not be the last one in the forwarding chain, and the realm information may be required by that server to ensure that forwarding is carried out correctly. Only the active RADIUS server which processes the request resolves the realm from the user name, and only then is a search made of the table containing the user accounts. Accordingly, the LCOS RADIUS server resolves the realm from the user name for processing requests locally. The processing of tunneled EAP requests using TTLS and PEAP makes use of a special EAP tunnel server, which is also in the form of a realm. Here you select a realm that will not conflict with other realms. If no EAP tunnel server is defined, the LCOS RADIUS server forwards the request to itself, meaning that both the internal and the external EAP authentications are handled by the LCOS RADIUS server itself. More services 12.10 Extensions to the RADIUS server 12.10
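The realm handling above (forwarding table, default realm, empty realm, user name passed on unchanged, realm stripped only by the server that finally processes the request) is shown in the following added example. It is not the device's code and not from the manual; the forwarding table, the server addresses and the local user accounts are constructed, and the EAP tunnel server is left out.

```python
from typing import Dict, Optional, Tuple

# Constructed forwarding table: realm -> (RADIUS server address, port). Not from the manual.
FORWARDING: Dict[str, Tuple[str, int]] = {
    "partner.example": ("10.9.0.1", 1812),
    "guests.example":  ("10.9.0.2", 1812),
}
# Constructed local user accounts (user name without realm).
LOCAL_USERS = {"alice": "pw-alice", "bob": "pw-bob"}

Decision = Tuple[str, str, Optional[Tuple[str, int]]]   # (mode, user name sent on, server)


def split_realm(user_name: str) -> Tuple[str, str]:
    """'alice@partner.example' -> ('alice', 'partner.example'); no '@' -> realm ''."""
    user, sep, realm = user_name.partition("@")
    return (user, realm) if sep else (user_name, "")


def route_request(user_name: str,
                  forwarding: Dict[str, Tuple[str, int]] = FORWARDING,
                  default_realm: str = "",
                  empty_realm: str = "") -> Decision:
    """Decide whether an LCOS-style RADIUS server handles a request itself or forwards it.

    - realm found in the forwarding table       -> forward, user name unchanged
    - realm present but unknown                 -> substitute `default_realm`
    - no realm in the user name                 -> substitute `empty_realm`
    - substituted realm not in the table        -> process locally
    With both substitute realms empty (the factory setting) every request stays local;
    pointing both at a table entry turns the device into a pure forwarding proxy.
    """
    user, realm = split_realm(user_name)
    if realm in forwarding:
        return ("forward", user_name, forwarding[realm])
    substitute = empty_realm if realm == "" else default_realm
    if substitute in forwarding:
        # The user name is forwarded exactly as received; the substitution only picks
        # the next server and is never written into the request.
        return ("forward", user_name, forwarding[substitute])
    return ("local", user, None)


def authenticate_locally(user_name: str, password: str) -> bool:
    """Only the server that finally processes the request strips the realm and
    looks the bare user name up in its own account table."""
    mode, user, _ = route_request(user_name)
    return mode == "local" and LOCAL_USERS.get(user) == password


if __name__ == "__main__":
    for name in ("alice", "alice@partner.example", "alice@unknown.example"):
        print(f"{name:24} -> {route_request(name)}")
    print("proxy mode:", route_request("alice", empty_realm="partner.example"))
```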
634. which belong exactly to this connection may communicate via this port. For accesses from the outside to the local network this results in an implicit Deny-All strategy. Transmitting firewall rules with scripts: With the help of scripts, firewall rules can easily be transmitted to devices (Software Scripting, page 181). Example scripts are saved in the BAT KnowledgeBase under www.hirschmann.com/support. Note: If you operate a web server in your LAN that has been permitted access to this service from the outside (see IP masquerading, page 369), stations from the Internet can establish connections to this server from the outside. The inverse masquerading has priority over the firewall in this case as long as no explicit Deny-All rule has been set. Firewall 8.3 The BAT Firewall. Set-up of an explicit Deny-All strategy: For maximum protection and optimum control of the data traffic it is recommended to first prevent any data transfer through the firewall. Then only the necessary functions and communication paths are allowed selectively. This offers e.g. protection against so-called Trojans and/or e-mail viruses which actively set up an outgoing connection on certain ports. Deny All, the most important firewall rule: The Deny-All rule is by far the most important rule to protect local networks. By this rule the firewall operates according to the principle All actions
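The DMZ access matrix from the preceding section (Internet may reach DMZ servers only, the LAN may reach everything, the DMZ may not reach the LAN) and this section's two points about Deny-All (the implicit deny for unsolicited inbound traffic, and inverse masquerading taking precedence over the rule set only while no explicit Deny-All rule exists) are exercised together in the following added example. It is not the device's firewall code and not from the manual; the address ranges, the port forward and the rule set are constructed, and a packet arriving through the port forward is represented with its already translated DMZ destination address.

```python
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Constructed addressing, not from the manual: two protected zones; everything else
# is treated as the Internet.
ZONES = {"LAN": ip_network("10.1.1.0/24"), "DMZ": ip_network("192.168.100.0/24")}
# Inverse masquerading: public TCP port 80 is forwarded to the DMZ web server.
PORT_FORWARDS = {("tcp", 80): "192.168.100.10"}


def zone_of(ip: str) -> str:
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "INTERNET"


# Rules are checked top-down; the first match decides. Modelled after the manual's
# DMZ access matrix: LAN -> anywhere, Internet -> DMZ web only, everything else denied.
DMZ_RULESET: List[Dict] = [
    {"name": "LAN-TO-ANY",          "src": "LAN",      "dst": "ANY", "action": "ACCEPT"},
    {"name": "INTERNET-TO-DMZ-WEB", "src": "INTERNET", "dst": "DMZ", "proto": "tcp", "dport": 80, "action": "ACCEPT"},
    {"name": "DENY-ALL",            "src": "ANY",      "dst": "ANY", "action": "REJECT"},
]


def has_explicit_deny_all(rules: List[Dict]) -> bool:
    return any(r["src"] == "ANY" and r["dst"] == "ANY" and r["action"] in ("REJECT", "DROP")
               and "proto" not in r and "dport" not in r for r in rules)


def matches(rule: Dict, pkt: Dict) -> bool:
    if rule["src"] not in ("ANY", zone_of(pkt["src"])):
        return False
    if rule["dst"] not in ("ANY", zone_of(pkt["dst"])):
        return False
    if "proto" in rule and rule["proto"] != pkt.get("proto"):
        return False
    if "dport" in rule and rule["dport"] != pkt.get("dport"):
        return False
    return True


def decide(pkt: Dict, rules: List[Dict]) -> str:
    """Verdict for the first packet of a new connection.

    Inverse masquerading is honoured before the rule set *unless* an explicit
    Deny-All rule exists, which is the precedence the manual describes. Without any
    matching rule the implicit policy applies: an unsolicited packet from outside
    that matches neither a rule nor a port forward is dropped."""
    forward = PORT_FORWARDS.get((pkt.get("proto"), pkt.get("dport")))
    if forward is not None and zone_of(pkt["src"]) == "INTERNET" and not has_explicit_deny_all(rules):
        return "ACCEPT"
    for rule in rules:
        if matches(rule, pkt):
            return rule["action"]
    return "DROP"   # implicit deny for anything no rule allowed


def access_matrix(rules: List[Dict]) -> Dict[str, str]:
    """Spot-check the matrix from the manual with representative packets."""
    samples = {
        "LAN->INTERNET":    {"src": "10.1.1.5",       "dst": "198.51.100.9",   "proto": "tcp", "dport": 443},
        "LAN->DMZ":         {"src": "10.1.1.5",       "dst": "192.168.100.10", "proto": "tcp", "dport": 22},
        "INTERNET->DMZ:80": {"src": "198.51.100.9",   "dst": "192.168.100.10", "proto": "tcp", "dport": 80},
        "INTERNET->DMZ:22": {"src": "198.51.100.9",   "dst": "192.168.100.10", "proto": "tcp", "dport": 22},
        "INTERNET->LAN":    {"src": "198.51.100.9",   "dst": "10.1.1.5",       "proto": "tcp", "dport": 445},
        "DMZ->LAN":         {"src": "192.168.100.10", "dst": "10.1.1.5",       "proto": "tcp", "dport": 445},
    }
    return {k: decide(p, rules) for k, p in samples.items()}


if __name__ == "__main__":
    for path, verdict in access_matrix(DMZ_RULESET).items():
        print(f"{path:18} {verdict}")
```

Removing the explicit DENY-ALL rule shows the difference the manual warns about: the port forward is then accepted on its own, without any ACCEPT rule for it, while unsolicited packets to the LAN still fall to the implicit deny.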
635. wing limitations are available (Firewall 8.3 The BAT Firewall):

Limit               Object ID           Description
Data abs            lcd                 Absolute number of kilobytes on the connection after which the action is executed
Data rel            lcds, lcdm, lcdh    Number of kilobytes per second, minute or hour on the connection after which the action is executed
Packet abs          lcp                 Absolute number of packets on the connection after which the action is executed
Packet rel          lcps, lcpm, lcph    Number of packets per second, minute or hour on the connection after which the action is executed
Global data abs     lgd                 Absolute number of kilobytes received from the destination station or sent to it after which the action is executed
Global data rel     lgds, lgdm, lgdh    Number of kilobytes per second, minute or hour received from the destination station or sent to it after which the action is executed
Global packet abs   lgp                 Absolute number of packets received from the destination station or sent to it after which the action is executed
Global packet rel   lgps, lgpm, lgph    Number of packets per second, minute or hour received from the destination station or sent to it after which the action is executed
Receive             e.g. lgdsr          Restricts the limit to the direction of reception; this suffix combines with the limits above

In the Object ID column examples are indica
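The following added example (not code from the manual or from the device) decodes the object IDs of the table above and replays a constructed packet trace against them, so that the difference between absolute and per-interval limits, between per-connection and global (per destination station) counters, and the receive-only suffix becomes visible. It also illustrates the data-amount trigger of the firewall actions described in the Actions section. The trace, the connection identifiers and the thresholds are invented for the example; the sliding-window interpretation of the relative limits is an assumption of the model, since the manual does not state how the per-second, per-minute and per-hour counters are windowed.

```python
from collections import defaultdict, deque
from typing import Dict, List, Optional, Tuple

WINDOWS = {"s": 1, "m": 60, "h": 3600}   # seconds per unit of the relative limits


def parse_limit(object_id: str) -> Tuple[str, str, Optional[int], bool]:
    """Decode an object ID from the limits table, e.g. 'lgdsr' ->
    ('global', 'data', 1, True): global scope, data (kB), per second, receive direction only."""
    oid = object_id
    receive_only = oid.endswith("r")
    if receive_only:
        oid = oid[:-1]
    if len(oid) not in (3, 4) or oid[0] != "l":
        raise ValueError(f"not a limit object ID: {object_id!r}")
    scope = {"c": "conn", "g": "global"}[oid[1]]
    metric = {"d": "data", "p": "packet"}[oid[2]]
    window = WINDOWS[oid[3]] if len(oid) == 4 else None   # None = absolute counter
    return scope, metric, window, receive_only


def first_trigger(object_id: str, threshold: float, trace: List[Dict]) -> Optional[int]:
    """Replay a packet trace and return the index of the packet at which the limit is
    exceeded (the point where the rule's action would fire), or None.

    trace entries: {"t": seconds, "conn": connection id, "dst": destination station,
                    "dir": "tx" | "rx", "bytes": payload size}, in time order.
    Per-connection limits count one connection; global limits count everything
    exchanged with the destination station over all connections."""
    scope, metric, window, receive_only = parse_limit(object_id)
    history: Dict[str, deque] = defaultdict(deque)
    for index, pkt in enumerate(trace):
        if receive_only and pkt["dir"] != "rx":
            continue
        key = pkt["conn"] if scope == "conn" else pkt["dst"]
        amount = pkt["bytes"] / 1024 if metric == "data" else 1
        q = history[key]
        q.append((pkt["t"], amount))
        if window is not None:                       # relative limit: sliding window (assumed)
            while q and q[0][0] <= pkt["t"] - window:
                q.popleft()
        if sum(a for _,  a in q) > threshold:
            return index
    return None


# Constructed trace: two connections to the same station, 600 kB in each direction.
SAMPLE_TRACE = [
    {"t": 0.0, "conn": "A", "dst": "198.51.100.9", "dir": "tx", "bytes": 600 * 1024},
    {"t": 1.5, "conn": "A", "dst": "198.51.100.9", "dir": "rx", "bytes": 600 * 1024},
    {"t": 2.0, "conn": "B", "dst": "198.51.100.9", "dir": "tx", "bytes": 600 * 1024},
    {"t": 2.5, "conn": "B", "dst": "198.51.100.9", "dir": "rx", "bytes": 600 * 1024},
]

if __name__ == "__main__":
    for oid, limit in (("lcd", 1000), ("lcds", 1000), ("lgd", 2000), ("lgdr", 600)):
        print(f"{oid:5} > {limit:5} kB  fires at packet", first_trigger(oid, limit, SAMPLE_TRACE))
```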
636. wireless LAN interface in common (Country: Germany; ARP handling; Broken LAN link detection). Interfaces: This is where you can make further settings for your physical wireless LAN interface (Physical WLAN settings) and for each logical wireless LAN network, MultiSSID (Logical WLAN settings). WLAN card operation / Operation mode: BAT Wireless Router devices can be operated in two basic operation modes: > As an access point it forms the link between the WLAN clients and the cabled LAN. > In Client mode the device seeks another access point and attempts to register with a wireless network; in this case the device serves to link a cabled network device to another access point over a wireless connection. Select the operation mode on the Operation tab. If the WLAN interface is not required, it can be completely deactivated. (Physical WLAN settings dialog in the original, tabs Operation, Radio, Super A/G, Point-to-Point, Client mode: WLAN interface enabled; WLAN operation mode: Access Point or Station (Client mode).) Wireless LAN (WLAN) 3.4 Configuration of WLAN parameters. Configuration with WEBconfig or Telnet: Under WEBconfig or Telnet you can set the operation mode for the physical WLAN interface under the following paths (Configuration tool / Menu / Table): WEBconfig: Expert configuration > Setup
637. within the local network. WEBconfig: Expert Configuration > Setup > IP router > Loc routing. Terminal/Telnet: set setup IP router Loc routing on. Local routing can be very helpful in isolated cases, but it should also only be used in isolated cases, because local routing doubles all data packets to the desired target network: the data is first sent to the default router and is then sent on from there to the router which is actually responsible in the local network. Routing and WAN connections 11.2 IP routing 11.2.4 Dynamic routing with IP RIP: In addition to the static routing table, Hirschmann routers also have a dynamic routing table. Unlike the static table, you do not fill this out yourself but leave it to be dealt with by the router itself. It uses the Routing Information Protocol (RIP) for this purpose. All devices that support RIP use this protocol to exchange information on the available routes. What information is propagated by IP RIP? A router uses the IP RIP information to inform the other routers in the network of the routes it finds in its own static table. The following entries are ignored in this process: rejected routes (with the 0.0.0.0 router setting); routes referring to other routers in the local network; routes linking individual computers to the LAN by proxy ARP. Although the entries in the static routing table are set manually, this information changes
638. work.
TCP/IP: Transmission Control Protocol / Internet Protocol; a family of protocols (ARP, ICMP, IP, UDP, TCP, HTTP, FTP, TFTP) used mainly in the Internet, although it is making headway in intranets as well.
TKIP: Temporal Key Integrity Protocol.
TLS: Transport Layer Security.
TPC: Transmission Power Control.
Upload / Upstream: denotes the direction of data flow in a WAN; upstream is the direction from the node connected to the network to the head end (Internet).
Chaining: Concatenation of bit sequences.
VPN: Virtual Private Network; a VPN is a network consisting of virtual connections over which non-public or company-internal data can be transmitted securely even if public network infrastructures are used.
WAN: Wide Area Network; network connection over long distances, e.g. over ISDN with a BAT router.
WECA: Wireless Ethernet Compatibility Alliance; alliance of manufacturers of wireless LAN components based on IEEE 802.11, renamed the WiFi Alliance.
WEBconfig: Web-based configuration interface for BAT devices.
WEP: Wired Equivalent Privacy.
WiFi: Wireless Fidelity; marketing concept generated by the WECA / WiFi Alliance.
WiFi Alliance: Alliance of manufacturers of wireless LAN components based on IEEE 802.11, formerly the WECA.
WLAN: Wireless Local Area Network; local radio network.
WPA: WiFi Protected Access; name for security mechanisms beyond IEEE 802.11 generated by the WiFi Alliance.
WISP: Wireless Internet Service Provider.
xDSL: xDSL stands for the family of D
639. xed periods. With flat rates there is no longer any reason to disconnect. On the contrary: new e-mails should be reported directly to the PC, the home workplace is to be continuously connected to the company network, and users want to be able to reach friends and colleagues via Internet messenger services (ICQ etc.) without interruption. This means it is desirable to continuously maintain connections. With the BAT, the Keep-alive function ensures that connections are always re-established when the remote station has disconnected them. Configuration of the Keep-alive function: The keep-alive procedure is configured in the peer list. If the holding time is set to 0 seconds, a connection is not actively disconnected by the BAT: the automatic disconnection of connections over which no data has been transmitted for a longer time is deactivated with a holding time of 0 seconds. However, connections interrupted by the remote site are not automatically re-established with this setting. With a holding time of 9999 seconds, the connection is always re-established after any disconnection; additionally, the connection is re-established after a reboot of the device (auto reconnect). 11.13 Callback functions: The BAT supports automatic callback via its ISDN port. Routing and WAN connections 11.13 Callback functions. In addition to callback via the D channel, the CBCP (Callback Control Protocol) specified b
640. y
[Figure residue: RADIUS exchange showing User ID, Challenge, Login data, Session key and Global key]

12.9.2 Configuration of RADIUS as authenticator or NAS
The RADIUS protocol is supported by BAT devices in a range of different applications. For each of these cases there is a specific set of parameters which may be configured independently of other applications. There are also general parameters which need to be configured for each of these applications. Not all devices support all applications.

General settings
General settings apply to all RADIUS applications. Default values have been selected such that they need not usually be changed.

[Dialog residue: LANconfig, Configure > Communication, tabs General / Remote Sites / Protocols / RADIUS / Call Management. Authentication via RADIUS: RADIUS server (Deactivated), Server IP address, Server port, Shared secret, PPP operation (Deactivated), CLIP operation (Deactivated), CLIP password. General settings: Timeout (milliseconds), Retries]

WEBconfig, Telnet: Expert configuration > Setup > RADIUS module
> Timeout (default: 5,000): This value specifies how many milliseconds should elapse before retrying RADIUS authentication.
Note: With PPP authentication using RADIUS, please note that the dialing device accepts the RADIUS timeout configured here.
> Retries (defa
641. y mode only shows the settings required under normal circumstances.
> The Complete configuration display mode shows all available configuration options. Some of them should only be modified by experienced users.
Select the display mode in the View Options menu.

Double-clicking the entry for the highlighted device and then clicking the Configure button (or the Device > Configure option) reads the device's current settings and displays the General configuration selection.

The integrated Help function
The remainder of the program's operation is self-explanatory, or you can use the online help. You can click on the Help button (top right in any window) or right-click on an unclear term at any time to call up context-sensitive help.

Management of multiple devices
LANconfig supports multi-device remote management. Simply select the desired devices and LANconfig performs all actions for all selected devices, one after the other. The only requirement: the devices must be of the same type. To support easy management, the devices can be grouped together. To do so, enable Folder Tree in the View menu and group the devices by drag and drop into the desired folders.
Note: LANconfig shows only those parameters that are suitable for multi-device configuration when more than one devic
642. y Microsoft and callback via PPP as per RFC 1570 (PPP LCP extensions) are also offered. There is also the option of a particularly fast callback using a process. PCs with Windows operating system can be called back only via the CBCP.

11.13.1 Callback for Microsoft CBCP
With Microsoft CBCP the callback number can be determined in various ways:
> The party called does not call back.
> The party called allows the caller to specify the callback number itself.
> The party called knows the callback numbers and only calls these back.
Via CBCP it is possible to establish a connection to the BAT from a PC with Windows operating system and also to be called back by this PC. The three possible settings are selected in the remote sites list via the callback entry as well as the calling number entry.

[Dialog residue: Remote sites (ISDN/serial), New Entry: Phone number 123456; Short hold time 20 seconds; Short hold time bundle 20 seconds; Layer name; Automatic callback options: No callback / Call back the remote site / Call back the remote site (fast procedure) / Call back the remote site after name verification / Wait for callback from remote site]

No callback: For this setting the callback entry must be set to off when configuring via WEBconfig or in the console.
Callback number specified by caller: For this setting the callback entry must be set to Call back the remote site after name verification, or must have the value Nam
643. y elements of the devices as well as instructions for basic configuration by means of the wizards.
You are now reading the user manual configuration. The user manual configuration describes all functions and settings of the current version of LCOS, the operating system of all BAT routers and BAT Router Access Points. The user manual configuration refers to a certain software version but not to a special hardware. It completes the user's manual and describes topics in detail which are valid for several models simultaneously. These are, for example:
> Systems design of the LCOS operating system
> Configuration
> Management
> Diagnosis
> Security
> Routing and WAN functions
> Firewall
> Quality of Service (QoS)
> Virtual Local Networks (VLAN)
> Wireless Networks
> Further server services (DHCP, DNS, charge management)

LCOS, the operating system of BAT devices
All BAT routers and BAT Router Access Points use the same operating system, LCOS. The operating system is not attackable from the outside and thus offers high security. The consistent use of LCOS ensures a comfortable and constant operation of all BAT products. The extensive feature set is available throughout all BAT products (provided respective support by hardware) and continuously receives further enhancements by free regular software updates.
This user manual configuration applies to the following definitions of software/hardwa
644. yer 2 PPPoE
[Dialog residue: PPPoE remote site entry: Service; Options; Channel bundling; Layer name INT_PPPOE; Layer 1 ETH; MAC address type Local; MAC address; DSL ports 1, 2]

Dynamic load balancing with multiple DSL connections
The first step in setting up dynamic load balancing is to define the Internet accesses (e.g. INET1 and INET2) with the aid of the LANconfig Wizard. To distribute Internet traffic across different DSL interfaces, the individual remote stations are assigned to different DSL ports:
LANconfig: Communication > Remote sites > Remote sites (DSL)
Telnet: Setup > WAN > DSL broadband peers
WEBconfig: Expert configuration > Setup > WAN > DSL broadband peers

[Table residue: Remote sites (DSL) list with columns Name, Short hold, Access concentrator, Service, Layer name, MAC address type, MAC address, DSL ports; INET1 has short hold 300 seconds, layer name INET1, MAC address type Local, DSL port 1; the second entry, cut off in the extraction, uses DSL port 2]

The two DSL remote sites are then assigned to a new virtual remote site INTERNET in the load balancing list:
LANconfig: IP router > Routing > Load balancing
Telnet: Setup > IP router > Load balancer
WEBconfig: Expert configuration > Setup > IP router > Load balancer

[Dialog residue: Load balancer entry: Name INTERNET; Bundle 1 INET1; Bundle 2 INET2; Bundle 3 and Bundle 4 empty. Routing table entry: IP address 255.255.255.255; Netmask 0.0.0.0; ...]
645. ype Of Service: The TOS/DiffServ field is regarded as a TOS field; the bits "low delay" and "high reliability" will be evaluated.
DiffServ: The TOS/DiffServ field is regarded as a DiffServ field. After evaluating the precedence, packets with the code points AFxx are saved and packets with the code points EF receive preferential treatment. All other packets are transmitted as normal.

Layer2-Layer3 tagging
The setting for Layer2-Layer3 tagging regulates the behavior when a data packet is received:
Off: VLAN tags are ignored.
On: Priority bits in the VLAN tag are always copied to the precedence of the DSCP.
Automatic: Priority bits in the VLAN tag are only copied to the DSCP precedence if this is 000.

Layer3-Layer2 tagging
The setting for Layer3-Layer2 tagging regulates the behavior when a data packet is transmitted:
Off: VLAN tags are not generated.
On: VLAN tags with priority bits originating from the DSCP precedence will be generated if the recipient has sent at least one tagged packet.

10.7 VLAN tags for DSL interfaces
Some DSL networks use VLAN tags in the same way as they are used in local networks, to differentiate between logical networks on shared transmission media. The BAT Router can process these VLAN tags correctly if a VLAN ID is defined for each DSL remote site.

[Dialog residue: Remote sites (DSL), New Entry]