Future Systems FGT100 VPN GATEWAY User Manual FCC040401

Future Systems, Inc. VPN GATEWAY FCC040401


Chapter 4. Operating SecuwayGate 100

Chapter 4, Operating SecuwayGate 100, covers various system maintenance features: how to read the LED displays, how to replace all or part of SecuwayGate 100, how to change IP addresses in SecuwayCenter 2000, and how to change security policies in SecuwayGate 100.

The LED displays of SecuwayGate 100 help you identify its current status with regard to connection, operation, and hardware failure. Depending on the status you identify, you may need to take action, such as editing the properties of the SecuwayGate 100 or replacing the device with a new one.
The SecuwayGate 100 log is stored in RAM; the SecuwayCenter 2000 log is stored in the Center Log MSSQL database. SecuwayGate 100 sends its log in response to regular requests from SecuwayCenter 2000, once every minute. SecuwayCenter 2000 stores the received SecuwayGate 100 logs in the Gate Log MSSQL database, so the Center Logs and the Gate Logs are kept separate. Because the gate-side copy lives in RAM, entries that SecuwayCenter 2000 has not yet collected (up to a minute's worth) are lost if the gate is reset; the log console command (see 5.2) shows the entries that have not yet been transmitted.
4.1 LED Status

When SecuwayGate 100 is in a normal state, the Power LED and the Secure LED are ON. The Net LED, which shows the transmission state of the rear-panel network interface, blinks in the normal state.

- When SecuwayGate 100 is in a normal state

  Initial state (factory default): Power LED ON, Alarm LED ON, Secure LED OFF. This is the factory-default state in which SecuwayGate 100 is delivered for installation.

  Normal state (after setup): Power LED ON, Alarm LED OFF, Secure LED ON. This indicates that the initial setup has been completed with the Smart card issued from SecuwayCenter 2000 and that SecuwayCenter 2000 has been found. The normal state of each LED is as shown in the figure.

  The Net LED on the front panel keeps blinking according to the transmission state of the network interface port on the rear of the device. If the port is not physically connected to a line or a device, the Net LED is OFF, not blinking.

- When an error has occurred in SecuwayGate 100

  LED error and troubleshooting

  Secure LED blinks: SecuwayGate 100 failed to receive its security settings from SecuwayCenter 2000 when it tried to initiate communication with SecuwayCenter 2000 right after completing the configuration setup. Check the cable connection to the Net port of SecuwayGate 100 and the service status of SecuwayCenter 2000.
  Secure LED is OFF: No security policy is applied to SecuwayGate 100. If the Secure LED turns off during normal service, SecuwayGate 100 is no longer able to act in accordance with the security policies set in SecuwayCenter 2000; you need to create a new Smart card (or file) in SecuwayCenter 2000 and initialize SecuwayGate 100 with it. The Secure LED often turns off because the SecuwayGate 100 administrator pressed the Emergency Erase button by mistake, or because the security policies could not be stored in SecuwayGate 100 due to a hardware problem. If there is a problem with the hardware, contact the service center and request a hardware checkup and maintenance service.

  Net LED is OFF: If the Net LED is not blinking, the network interface is not in service. Check the cable connection to the Net port of SecuwayGate 100.

  Alarm LED is ON: SecuwayGate 100 is in its factory-default state, or its configuration settings were erased by pressing the Emergency Erase button. Issue a new Smart card (or file) from SecuwayCenter 2000 to initialize SecuwayGate 100.
4.2 SecuwayGate 100 Replacement Procedures

If the current SecuwayGate 100 system is defective and needs replacement, follow the procedures below.

Step 1. If the new SecuwayGate 100 system has previously been used elsewhere, it must be initialized with the emergency erase switch before the smart card is inserted. Be sure to press the emergency erase switch while the system is turned off.

Step 2. Insert the initial-configuration smart card issued by SecuwayCenter 2000, the one that was used to initialize the previous SecuwayGate 100 system, and turn on the new system. Check the cable connectivity between SecuwayCenter 2000 and SecuwayGate 100 at this point, and check that the link LED of the rear-side port is lit. When the new SecuwayGate 100 is turned on, it reads and saves the information on the smart card automatically. If SecuwayGate 100 does not read the smart card automatically, the system may not have been properly initialized: turn it off, press the emergency erase switch, and turn it on again.

Because the initial-configuration smart card is all that is needed to bring a replacement gate into service with the same identity and policies, keep it under the same physical control as the gate itself.
Step 3. Confirm that the smart card was read successfully by checking that the LED status is normal (Power ON, Alarm OFF, Secure ON; see 4.1).
4.3 SecuwayGate 100 IP Address Change Procedures

No SecuwayGate 100 console command can change the current IP address of SecuwayGate 100. Only the administrator of SecuwayCenter 2000 is authorized to change it, as follows.

1. Start SecuwayCenter 2000 (run SecuwayCenter 2000 Server, then SecuwayCenter 2000 Client) and select the SecuwayGate 100 whose IP address you want to change.

2. Double-click the selected SecuwayGate 100 and move to the 'IP Address' step. The 'IP Address' window appears. Select the tab (Net1, Net2, Net3 or Net4; the Net4 tab is disabled on the 3-port system) for the port. Enter the new IP address in the 'IP Address' field and click [Next]. Click [OK] in the window that appears after you click [Next]. Note that at this point you have only edited the database record; the new IP information still has to be sent to SecuwayGate 100.

3. To send the new IP information to SecuwayGate 100, right-click the SecuwayGate 100 whose IP address you changed in the SecuwayCenter 2000 menu and select 'Resend Information' from the popup menu.

4. Before the changed IP address takes effect in SecuwayGate 100, you need to restart SecuwayGate 100.
4.4 Security Policy Change Procedures

To apply a changed security policy to SecuwayGate 100 after changing it in SecuwayCenter 2000, select <Security Policy> → <Apply> from the SecuwayCenter 2000 menu while communication between SecuwayCenter 2000 and SecuwayGate 100 is working properly. For more detailed procedures, refer to the SecuwayCenter 2000 Guide.
4.5 Content Security

Content security applies the state analysis method at the application level to analyze and control the contents of packets. It is a function that prevents or converts access by analyzing inbound and outbound packets. Among the various content security schemes, SecuwayGate 100 supports FTP filtering, HTTP content filtering, and SMTP filtering.

The packet filters implemented in a firewall examine and control incoming packets against user-specified filtering rules. SecuwayGate 100 filters all incoming and outgoing packets except a few special packet types, including broadcast packets and non-IP packets.

In general, three types of content security measures are widely used: packet filtering, application-level proxy, and state analysis. SecuwayGate 100 employs the state analysis method. The three filtering methods are briefly explained below.

- Packet Filtering

Packet filtering is the technique of reading the IP header (source IP, destination IP, protocol) and the transport header (TCP, UDP or ICMP fields such as port numbers) and deciding which packets to allow through the firewall according to predefined security policies. Most routers have packet filtering as a built-in feature, and most firewall solutions provide it as well.

  - Strengths: Because of its simplicity, packet filtering is easy to implement. Since only a few basic rules need to be checked per packet, it is also very fast. Its transparency to users is another strength.

(Figure: packet-filtering firewall between sender and receiver; the firewall operates at the network layer only.)
  - Weaknesses: With packet filtering it is impossible to implement sophisticated filtering rules for a complicated network or service. Since it passes or drops packets according to a limited number of simple access control rules, packet filtering alone is too crude to serve as a firewall that effectively protects internal resources from external intrusion.

- Application-level Proxy

An application-level proxy acts as the link between an external network (the client) and a specific internal resource (the application server). Acting as the application server toward the client and as a client toward the application server, the proxy mediates the communication between the two, as if the client were communicating directly with the application server. The application server only sees that it is communicating with a client of the proxy server and has no further information about the specific client.

  - Strengths: In an application-level proxy firewall environment, only the proxy server is known to the external network, so the internal computer network (e.g. its IP addresses) is not disclosed at all.

  - Weaknesses: Since a separate proxy server is required for each application service (e.g. an FTP proxy, a TELNET proxy, an HTTP proxy), a proxy must be implemented for every internet service your organization provides. If your organization introduces a new internet service, implementing the corresponding proxy may be impossible or take a long time, especially when the service does not use an industry-standard protocol or its source code is unavailable. It is also a disadvantage that each application requires a separate user authentication process, and in most cases the client software or user module has to be modified.

(Figure: application proxy firewall between sender and receiver; the proxy terminates the connection at the application layer on both sides.)

- State Analysis

State analysis does more than filter packets on the information in the packet headers. It interprets and examines the whole contents of a packet, from the network layer to the application layer, keeps track of incoming packets over time, and decides whether to let them through the firewall.

For example, the first packet of a session is compared with the pre-configured access rules and its information is added to the state analysis table. Once it has been decided whether the first packet passes the firewall, the following packets of the session are passed or dropped automatically according to the result of the state analysis. When the session is closed, its entry in the state analysis table is deleted, but a set of access rules derived from the analysis results is retained to enable dynamic packet filtering.

(Figure: state-analysis firewall between sender and receiver; the firewall maintains a state analysis table while inspecting all layers.)
Similar state information can also be gathered from the application data of a stateless protocol (e.g. UDP or RPC). If an application service requires inspection of all of its application data, additional application-level processing can be applied to each packet.

In short, state analysis builds on the packet filtering technique and imitates the application-level proxy technique to interpret and filter application data, with far less overhead than an application-level proxy. Compared with an application-level proxy, a state-analysis-based firewall offers similar filtering capability with much better performance. Transparent packet filtering for user applications is another good reason to choose state analysis. Based on this technique, SecuwayGate 100 offers an efficient filtering mechanism and content security.
Chapter 5. Console Commands

To use the console commands of SecuwayGate 100, you must connect a PC to the Console port at the rear of the SecuwayGate 100. Chapter 5, Console Commands, describes how to log in to SecuwayGate 100 and use console commands with the Hyper Terminal program.
5.1 Connecting SecuwayGate 100

- Step 1. Running the Hyper Terminal program

Connect the console port of SecuwayGate 100 to the connector linked to the serial port of a laptop or PC.

(Figure: SecuwayGate 100 connected by its console port to the PC used to execute console commands.)

Note: Administrators connect to SecuwayGate 100 from a host in the protected network or from a PC with SecuwayClient 2000 installed.

Once you have established the connection, start the Hyper Terminal program by selecting <Start> → <Programs> → <Accessories> → <Communications> → <Hyper Terminal> on the PC, which you will use as the console window.

- Step 2. Configuring the Hyper Terminal environment

Once Hyper Terminal is running, select an icon and configure the connection environment in the order 'Connection name' → 'COM port' → 'Port properties'.

  - Connection name entry
In this example, we entered "Upgrade" for the connection name. You may choose any name you want. Then click OK. The following dialog box for setting the port to use for the connection will appear.

  - COM port setting

Select the port to connect. For connecting to the console port, a direct connection to COM1 or COM2 is usually selected. After checking which port is actually connected, click OK. The environment for the connection port is then set as follows.

  - Setting the environment for the connection port

When you select the port, the dialog box for setting the port environment appears. Configure it as shown in the figure: be sure to set Bits per second to 38400 and Flow control to None. Otherwise a normal connection cannot be established in some cases, so set it exactly as indicated in the figure.

- Confirming correct connection

After finishing the Hyper Terminal settings, you will be able to log on as shown below. For the login ID and password, enter the ones previously issued by the master token issuer in SecuwayCenter 2000.

SecuwayGate 100 accepts only 3 failed login attempts for the Security Administrator account and then denies login attempts for a period of five minutes. This lockout can be disabled by the Security Administrator for that SecuwayGate 100 if required (see the "sv" command in Chapter 5, Console Commands). Disabling it removes the brute-force protection on the administrator login, which also covers Telnet logins when those are enabled (see 5.2), so leave it enabled unless there is a specific operational reason. When the SecuwayGate 100 Security Administrator account is inactive for 2 minutes, it is logged off automatically.
5.2 How to Use Commands

You can use console commands when your PC is connected to the console port of SecuwayGate 100, or when a remote PC is allowed to connect from outside with a Telnet program.

The term 'SecuwayGate' in this document is a common designation for SecuwayGate 2000, SecuwayGate 1000, SecuwayGate 100 and RenoGate.

The List of Commands

addlog  Forces SecuwayGate to generate a dummy log entry and transmit it to SecuwayCenter 2000. Used to verify that log transmission works normally.
advanced  Inputs, corrects and deletes routing scripts. Routing scripts stored in SecuwayCenter 2000 or in Flash are executed on system restart or on receipt of policies, and control the operation of the various services (daemons).
arp  Similar to the Linux arp command: displays the ARP table and adds or deletes ARP entries.
arp_hash  Manages the ARP cache and searches the current ARP cache.
authinfo  Displays the job list under user authentication (IP address, processing status, error number, timestamp, retry count and message length) and the list of user authentication information for active sessions (session list per user ID).
autoup  Automatically upgrades the firmware or the harmful-site database.
bypass  Ignores the security policies applied to SecuwayGate and switches communication between specific networks to bypass. Available only after entering the SecuwayGate setup information and before communication with SecuwayCenter 2000 is established.
capture  Displays brief IP and TCP header information for packets entering or leaving a specific IP or port. Running this command may degrade system performance, so it is recommended only for simple packet inspection. Stop capturing with 'capture 0'.
center  Displays or changes the IP address of SecuwayCenter 2000 currently stored in SecuwayGate.
change_ip  Changes the SecuwayGate IP and the SecuwayCenter 2000 IP set on the SecuwayGate objects.
chk_gateway  Searches for the gateway for a specific IP on a specific interface.
cpuinfo  Displays CPU and system information of SecuwayGate.
crypto  Tests the encryption/decryption acceleration boards. Testable devices are FSC2002, Bud-F (FACE) and CAFE. The algorithm test is available for FSC2002 only, the stress test for FACE or CAFE only. Every 5000th test reports success or failure of encryption/decryption.
date  Converts the time currently set on the gate into UTC and RTC form, or sets the time.
debug  No separate description is given in this manual (the original entry repeats that of 'date').
del  Erases and initializes IPSec-related tables; which table is initialized depends on the option given.
delses  Erases the session information.
dev  Shows device and system information and changes interface attributes (e.g. duplex and speed).
dhcp  'dhcp ip' shows or changes DHCP allocation information.
entry  Shows items in the session table.
eraseobj  Erases the objects containing the security information of SecuwayGate and initializes SecuwayGate.
failover  Displays the failover operation mode of the current SecuwayGate.
findcenter  Searches for the location (interface number) of the SecuwayCenter 2000 communicating with SecuwayGate, or stops the search.
get_arp  Transmits an ARP Request for the given IP on the specified interface.
help  Displays the list of available commands.
history  Shows the commands used on the shell so far.
icmp  Defines whether ICMP communication is allowed. Available only after entering the initial setup information and before communication with SecuwayCenter 2000 is established.
ipconfig  Same as the existing Linux command: shows the configuration of all interfaces, sets the IP of a specific interface, or stops its operation.
import  Initializes SecuwayGate with the initial files issued from SecuwayCenter 2000, or enters the certificate.
ip_hash  Displays the device (interface) information of a certain IP, kept for a certain period in a hash table. Mainly used to verify the IP validity of the device concerned.
ip_verify  Checks which valid network an IP address belongs to.
lb  Shows the Line Load Balancing status. With the line option, checks the status of the leased line / VPN line / router backup.
lbinfo  Displays the user ID and password of a line on which Line Load Balancing is set (the credentials are shown in clear text on the console, so restrict who can reach the console and Telnet logins).
lineinfo  Same as 'lb line'.
log  Checks the logs accumulated on SecuwayGate that have not yet been transmitted to the log server.
lookup  Finds the IP address and MAC address corresponding to a host name and displays the result.
ls  Same as the help command.
mainfo  Starts or stops MA, and checks the system status information managed by MA.
netstat  Displays the socket information of SecuwayGate.
nvram_info  Displays the NVRAM information.
obj  Shows the objects of the Gate.
ping  Operates like normal ping: uses the ICMP ECHO_REQUEST datagram to elicit an ICMP ECHO_RESPONSE from a host or gateway. ECHO_REQUEST datagrams ("pings") have an IP and ICMP header, followed by a "struct timeval" and then an arbitrary number of "pad" bytes used to fill out the packet.
pppoe  Verifies the status of PPPoE.
proxy_arp  Adds entries to or deletes entries from the Proxy ARP table, or searches the table and displays the results.
proxy_ip  Displays the Proxy IP information of the IP concerned.
reset  Reboots SecuwayGate.
rhosttab  Manages the hash table used to search for the SA of a remote host.
romc  Displays the SecuwayGate flash memory information.
route  Shows the routing table registered on the system, and adds or deletes routing entries.
session  Shows the session table.
set_mac  Changes the MAC address of SecuwayGate.
status  Displays the system information of SecuwayGate, packet statistics per protocol, and the packet filtering status. Depending on the options, shows detailed statistics, interface status and processing rates for transmitted and received IP/TCP/UDP/ICMP packets.
sv  Controls each flag value.
sysbg  Displays the system log messages stored in the backup SRAM of SecuwayGate 1000/2000.
syslog  Displays the IP/port, the number of SecuwayCenter 2000 logs and the log types of the Syslog server.
task  Views the kernel task list.
ted  SecuwayGate performs TED for the gates on the IPSec gate list set in SecuwayCenter 2000 or GateAdmin, and keeps information on the counterpart gates in a table. The ted command checks the TED table (VPN table) status or performs TED manually.
timereq  Tests SecuwayCenter 2000 and the time service. On boot, SecuwayGate first transmits TimeRequest packets to SecuwayCenter 2000 to synchronize its time with SecuwayCenter 2000.
traceroute  Same role as the traceroute command on Linux. The Internet is a large and complex aggregation of network hardware connected by gateways; tracking the route one's packets follow (or finding the miscreant gateway that is discarding your packets) can be difficult. Traceroute uses the IP "time to live" field and attempts to elicit an ICMP TIME_EXCEEDED response from each gateway along the path to some host.
trap_buf  When a trap such as a memory violation occurs, stores the monitor message on the console as well as in flash memory in object id 14, so that various information can be obtained by analyzing the dump message.
upgrade  Upgrades the firmware. The command first starts the upgrade daemon on the gate, then receives and processes the image when the firmware file is transmitted over the network. UDP port 9876 is used for the upgrade. Note that upgrade traffic is not subject to the security policies, so run upgrades only from a PC connected directly to a Net port as described in Chapter 6.
version  Displays the firmware version, the compile date and the compile options of SecuwayGate.
view_traffic  Shows the current CPU utilization, memory utilization, number of sessions and traffic of SecuwayGate.
xurl  Checks the harmful-site database provided by SafeNet for a given URL, or inspects the rating grade of the URL concerned. The harmful-site database contains overseas sites, not domestic sites.
xurl_db  Manages the harmful-site database.
ldap  Accesses the LDAP server to search for the CRL.
p1info  Shows detailed information on the Phase 1 SA.
pki  Shows the PKI information.
pic  Shows PIC operation and SA information. PIC is used for authentication of the Remote Access Client in GateAdmin environments.
sainfo  Shows the SA-related table.
secinfo  Shows the IPSec-related table.
view_tid  Displays the TID table.

Detailed description of each command

Please refer to the "SecuwayGate Console Commands" manual for further information on how to use the SecuwayGate 100 console commands.
Chapter 6. Upgrading Firmware

The firmware of SecuwayGate 100 can be upgraded when necessary. The following sections describe the firmware upgrade procedure. The administrator can load new firmware to upgrade the functions provided by SecuwayGate 100.
6.1 Preparations for Upgrade

Prepare a PC with the HyperTerminal program and the SecuwayGate 100 firmware loading program (Lanload.exe), which is included on the installation CD.

Cable Connection

1. Connect the serial port of the PC to the RS-232C port of SecuwayGate 100 with the console connector, as shown in the following figure (a normal LAN cable is used as the connector).

2. Connect any one of the ports Net1, Net2, Net3 and Net4 of SecuwayGate 100 to the LAN port of the PC. For explanation purposes, port Net3 is used in the figure.

(Figure: PC LAN port to SecuwayGate 100 Net3 port; PC serial port to SecuwayGate 100 RS-232C port.)
6.2 Loading Firmware

Configuring HyperTerminal

1. Select [New Connection], input a name for the connection, and click OK.

2. Configure the connection to use COM1. (This may vary depending on your PC configuration.) Set up the port configuration as shown in the following figure.

3. Click OK, and the HyperTerminal window is displayed. In the window, press <Enter> to connect to SecuwayGate 100; a screen allowing ID and password input appears.

6.3 Logging On to SecuwayGate 100

1. In the Hyper Terminal window, enter the registered login ID and password.

2. Specify the port number of SecuwayGate 100 used for the upgrade in the format 'upgrade <port>' (here 'upgrade 2'). '0' means the port Net1 on the rear side, and '1', '2' and '3' refer to Net2, Net3 and Net4 respectively. In this case Net3 is connected to the internal LAN (the PC), so type "upgrade 2" at the prompt.
6.4 Executing the 'Upgrade' File

The 'upgrade' file is used to upgrade the existing firmware of SecuwayGate 100. Two firmware upgrade methods are supported: Initial and Normal. You select the upgrade type in the 'FirmUpgrade' window, which appears when you run FirmUpgrade.exe.

Initial  Upgrading in debug mode. Debug mode is a pre-operation phase in which SecuwayGate 100 is completely reset. If you upgrade the firmware in debug mode, the new firmware is automatically reloaded and adopted by SecuwayGate 100.

Normal  Upgrading the firmware of a SecuwayGate 100 currently in operation. The upgraded firmware is adopted only when the administrator resets SecuwayGate 100 manually.

The "Normal (N)" upgrade type is widely used for its convenience.
6.4.1 Upgrading Firmware

Initial (I) Upgrade Type

1. Reset SecuwayGate 100. While SecuwayGate 100 reboots, press the "~" key in the Hyper Terminal window to enter debug mode. The following screen is displayed.

2. Type "0" to enter debug mode, and type "0" again. The Gate 100 prompt appears.

3. Type "x 0" and press Enter.
4. Type "ll 2 <IP address of SecuwayGate 100>" and press Enter. The "speedo_open ok." message is displayed.

5. Run FirmUpgrade.exe on the PC connected to SecuwayGate 100. The 'FirmUpgrade' window appears. In the 'Gate IP Address' field, enter the IP address of the Net3 port. Select 'Initial' in the 'Upgrade Type' field. The 'Upgrade Port' is preset to '9876'; if you change it, the system may not work properly. Click [Start].
6. The 'FirmUpgrade Configuration' window appears. Specify the location of the firmware upgrade file in 'File Name' by clicking [Browse] and selecting the file. Click [OK].

Firmware  Transfers the firmware, and also the DB that blocks harmful sites, to SecuwayGate 100.

Index  The memory slot index of SecuwayGate 100. Index No. 1 to 8 are pre-assigned to store firmware; index No. 9 is assigned to the harmful-site DB. Usually No. 1 is used to store the firmware, because SecuwayGate 100 starts checking for available firmware at index No. 1 and loads the first one it finds; if no firmware is available at index No. 1, it checks No. 2, 3, 4, ... 8 in order and loads the first available firmware.

The name of the firmware file is either 'first' or 'firm'. If you are upgrading the firmware in Initial mode, you must select the firmware file named 'first'.

Click [OK]. The 'Download' window appears and shows the progress of transmitting the firmware file to SecuwayGate 100, as shown below. Once the file transmission is completed, the "Download completed" message appears.

When the firmware transmission is completed, you will see the following messages in the Hyper Terminal window, and SecuwayGate 100 is reset automatically.
Normal (N) Upgrade Type

1. Run FirmUpgrade.exe on the PC connected to SecuwayGate 100. The 'FirmUpgrade' window appears. In the 'Gate IP Address' field, enter the IP address of the Net3 port. Select 'Normal' in the 'Upgrade Type' field. The 'Upgrade Port' is preset to '9876'; if you change it, the system may not work properly. Click [Start].

2. The 'FirmUpgrade Configuration' window appears. Specify the location of the firmware upgrade file in 'File Name' by clicking [Browse] and selecting the file. Click [OK]. The name of the firmware file is either 'first' or 'firm'. If you are upgrading the firmware in Normal mode, you must select the firmware file named 'firm'.
Click [Transmit]. The 'Download' window appears and shows the progress of transmitting the firmware file to SecuwayGate 100, as shown below. You can also follow the download in the "Index: 0x1" section of the Hyper Terminal. Once the file transmission is completed, the "Download completed" message appears.

3. When the firmware transmission is completed, execute "reset" in the Hyper Terminal. The upgraded firmware is applied only after the "reset" command is executed.
4. SecuwayGate 100 restarts with the upgraded firmware.
6.5 Checking Firmware Loading

The firmware version can be checked through HyperTerminal on the PC connected to the SecuwayGate 100 console: type the "version" command. Compare the reported version and compile date with those of the firmware file you transmitted; if they do not match, the gate has loaded an earlier image from another index slot (see the Index description in 6.4.1).
Chapter 7. Q&A About SecuwayGate 100

1) I want to change the IP address of a SecuwayGate 100 which is in use. What should I do?

To change the IP address of a SecuwayGate 100 which is in use, select the [Modification] feature under [Gate Management (G)] in SecuwayCenter 2000. After changing the settings, you must send them with [Resend (R)], and when you have changed the IP address in particular, you must also run [Gate Restart (T)].

2) Is it mandatory to use the four rear ports, i.e. Private, Multi, Public and Black Zone, for their specified purposes?

The four ports Net1 (Private), Net2 (Multi), Net3 (Public) and Net4 (Black Zone) are named for user convenience; you do not have to use them for their named purposes. In practice the administrator may use the four ports at his or her discretion. Because the four rear ports are controlled by the valid network settings and the security policy in SecuwayCenter 2000, they need not serve as Private, Multi, Public and Black Zone as named, but can separate the network into four networks that are each controlled individually.

3) How can I change the security policy of SecuwayGate 100?
After changing the security policy in SecuwayCenter 2000, send it to SecuwayGate 100 on-line; the changed security policy is applied immediately. The SecuwayGate 2000 administrator cannot insert or delete a security policy by accessing the device through the Console port or Telnet. If the security policy needs to be changed, you must ask the administrator of SecuwayCenter 2000 to do it.

4) When moving the SecuwayGate 100 to another place, what settings should be changed?

Consider the following two cases when moving the system to another place. If the TCP/IP related information changes, you must either change and transmit the IP address and other network information before moving the SecuwayGate 100, or have the initial-setting smart card reissued from SecuwayCenter 2000 and import it into SecuwayGate 100 after moving.

5) How can I stop the use of SecuwayGate 100 in an emergency?

To stop it, first consult the administrator of SecuwayCenter 2000 or Gate Admin, and then run [Stop Service] in the [Gate (G)] menu of SecuwayCenter 2000.

6) What is the meaning of the “Valid network”, and why is it set when SecuwayGate 100 is issued?

The valid network is the set of valid IP addresses of the hosts connected to each interface, i.e., Net1, Net2 and Net3. The valid network must be set so that the device can decide the path through which received packets are sent. By setting the valid network you also prevent IP spoofing, because the validity of the source IP address is verified. If the valid network is configured incorrectly, an IP spoofing error message appears in SecuwayCenter 2000, and data accepted by the security policy may be transferred to the wrong interface and never arrive at its destination. For details on setting the valid network, please refer to the User’s Guide for SecuwayCenter 2000.
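As an added example of the valid-network check described in question 6 (this is not code from the manual or the product; the interface table and addresses are constructed), the following Python verifies a packet's source against the valid network of the interface it arrived on and chooses the egress interface from its destination, including what goes wrong when the table is misconfigured:

```python
import ipaddress

# Constructed valid-network table: interface -> networks of the hosts legitimately
# behind it. Addresses are assumed for illustration; Net3 is the public side.
VALID_NETWORKS = {
    "Net1": [ipaddress.ip_network("192.168.10.0/24")],
    "Net2": [ipaddress.ip_network("192.168.20.0/24")],
    "Net3": [ipaddress.ip_network("0.0.0.0/0")],
}

# Same table with Net2's valid network wrongly set to overlap Net1's hosts.
MISCONFIGURED = dict(VALID_NETWORKS, Net2=[ipaddress.ip_network("192.168.10.0/25")])


def owning_interface(valid, addr):
    """Interface whose valid network contains addr (longest prefix wins)."""
    best = None
    for iface, nets in valid.items():
        for net in nets:
            if addr in net and (best is None or net.prefixlen > best[1]):
                best = (iface, net.prefixlen)
    return best[0] if best else None


def check_packet(valid, in_iface, src, dst):
    """Returns ("spoofed", None), ("not_forwarded", None) or ("forward", egress).

    A packet whose source address is not in the valid network of the interface
    it arrived on is treated as IP spoofing, the condition the manual says
    SecuwayCenter 2000 reports when the valid network is wrong.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if owning_interface(valid, src) != in_iface:
        return ("spoofed", None)
    egress = owning_interface(valid, dst)
    if egress is None or egress == in_iface:
        return ("not_forwarded", None)  # hosts on one segment need no forwarding
    return ("forward", egress)
```

With MISCONFIGURED, legitimate Net1 hosts are reported as spoofed and replies for them are sent out of Net2, which is the misdelivery the answer above describes.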
7) It is said that SecuwayGate 100 processes sent and received packets through the conditional analysis method. How does it manage sessions? In other words, when is a session registered and deleted?

For TCP, the session is registered when the SYN packet is received; for UDP, it is registered when the first data packet enters. In both cases the session can be registered only when the security policy in SecuwayGate 100 is in the “Accept” state. When a TCP session is deleted differs with the firmware version. In versions 1.5, 2.0 and higher, the session is deleted when the Timeout value of the security policy set in SecuwayCenter 2000 is exceeded, or when a FIN or Reset packet is received. In firmware versions lower than 1.5/2.0, the session is deleted only when a FIN or Reset packet is received; therefore, when a session ends abnormally on the PC or server, sessions accumulate. For UDP, the session timeout is 30 seconds regardless of firmware version, so the session is cancelled when no packet has been transmitted for the session for more than 30 seconds.

8) What types of L4 switches support load balancing by interoperation with SecuwayGate 100 (VPN) equipment?

1) Radware: FireProof
2) Piolink: Pinkbox1016
3) Alteon: AD3, 180e

9) When should SecuwayGate 100 be rebooted after modifying its information?

1) When the IP of SecuwayGate 100 is changed.
2) When upgrading the firmware.
3) You do not have to reboot when the valid network is changed.

10) Does the SecuwayGate 100 equipment support the line/server load-balancing feature?
SecuwayGate 100 supports both line load-balancing (LLB) and server load-balancing (SLB).

LLB provides redundant Internet lines using two ADSL lines, or one ADSL line and one dedicated line, enhancing the availability of the Internet connection. LLB selects the line by a combination of the source IP address and destination IP address, and if one line fails all communication is processed through the remaining line. SLB checks the availability of homogeneous servers, enabling continuous service. The SLB methods supported include: server inspection by PING to check that the server is up, server inspection by checking use of the service, and distribution of service to servers by the round-robin method or by the number of sessions.

11) Do the firewall features of SecuwayGate 100 include blocking of harmful websites?

SecuwayGate 100 supports blocking of harmful websites through its HTTP content filtering function. You can block access to hosts whose names contain specific character strings, or to specific directories or files. In addition, a feature for filtering various dangerous scripts (JavaScript, VBScript, etc.) is provided.

12) Can SecuwayGate 100 be operated from other vendors’ NMS programs?

SecuwayGate 100 supports SNMP V1.0 so that it can be operated from other vendors’ NMSs. However, because of various security problems, not all SNMP functions are supported; for most functions only viewing is allowed.

13) What should be checked if file upload fails after going through SecuwayGate 100 using a fixed IP?

ADSL modems have a limit on MTU size. Typically the size is limited for floating IPs but not for fixed IPs. Samsung ADSL modems generally fall into this case, but Hyundai ADSL modems are usually configured by default to limit the MTU size for fixed IPs as well. If file upload fails on the Internet or into tunnels after installing SecuwayGate 100, check the ADSL modem. You can determine that this is the problem if a file of 1 Kbytes is uploaded but a file of over 2 Kbytes is not.

14) Which ports are used by the various messengers?

ICQ / AOL: 5190
MSN: 1863
Chollian (CQM): 1421
Soft Messenger: 5004
Bluebird: 3300
Netsgo (Minigo): 5004
Yahoo: since Yahoo cannot be controlled by port, you should block cs.yahoo.com or scsa.yahoo.com. However, be careful: if you block these two sites, it may not be possible to access yahoo.com itself.

For some of the above ports, only the login ports are listed. (If you block only the login port, access is disabled.)

15) Can ADSL fixed and floating lines, and ADSL lines of different vendors, be used together?

With KT’s ADSL line, line load balancing and fail-over operate normally in all situations, i.e., fixed/fixed, floating/floating and fixed/floating, as well as with Hanaro Telecom and Thrunet.

<Note>
- When setting ADSL LLB: for a [fixed/fixed] or [fixed/floating] configuration, the NAT Rule is applied (on the fixed IP) to allow access to the external Web. For a [floating/floating] configuration, no extra NAT Rule is required.
- When setting ADSL fail-over: it operates correctly in all situations, such as the modem’s power being off, line cut-off at the modem or the gate, and serial-line cut-off of the modem.
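The session registration and deletion rules from question 7 above, as an added example (a constructed Python model, not the SecuwayGate 100 firmware; policy keys, addresses and the 600-second policy Timeout are assumptions). It shows why sessions accumulate on firmware below 1.5/2.0 when a host dies without sending FIN, while UDP entries always age out after 30 seconds:

```python
UDP_TIMEOUT = 30  # seconds; fixed regardless of firmware version (per question 7)

class SessionTable:
    # timeout_aware=True models firmware 1.5 / 2.0 and higher, where an idle TCP
    # session is also deleted once the policy's Timeout is exceeded; False models
    # older firmware, where a TCP session is removed only on FIN or RST.
    def __init__(self, policies, timeout_aware=True):
        self.policies = policies  # (proto, src, dst, dport) -> (action, timeout_s)
        self.timeout_aware = timeout_aware
        self.sessions = {}        # key -> {"proto", "seen", "timeout"}

    def packet(self, now, proto, src, dst, dport, flags=()):
        key = (proto, src, dst, dport)
        sess = self.sessions.get(key)
        if sess is None:
            # Registration: TCP only on a SYN, UDP on the first data packet,
            # and in both cases only if the matching policy is "Accept".
            starts = proto == "UDP" or (proto == "TCP" and "SYN" in flags)
            action, timeout = self.policies.get(key, ("Deny", 0))
            if not starts or action != "Accept":
                return "dropped"
            timeout = UDP_TIMEOUT if proto == "UDP" else timeout
            self.sessions[key] = {"proto": proto, "seen": now, "timeout": timeout}
            return "registered"
        sess["seen"] = now
        if proto == "TCP" and {"FIN", "RST"} & set(flags):
            del self.sessions[key]  # normal or aborted close: drop the entry
            return "closed"
        return "forwarded"

    def expire(self, now):
        """Periodic sweep of idle sessions; returns how many were removed."""
        stale = [k for k, s in self.sessions.items()
                 if (s["proto"] == "UDP" or self.timeout_aware)
                 and now - s["seen"] > s["timeout"]]
        for k in stale:
            del self.sessions[k]
        return len(stale)

def leftover_after_crash(timeout_aware):
    """Constructed scenario: a client opens one TCP and one UDP session, then
    dies without sending FIN. Returns the protocols still held 700 s later."""
    policies = {("TCP", "10.0.0.5", "203.0.113.9", 80): ("Accept", 600),
                ("UDP", "10.0.0.5", "203.0.113.53", 53): ("Accept", 600)}
    t = SessionTable(policies, timeout_aware)
    t.packet(0, "TCP", "10.0.0.5", "203.0.113.9", 80, ("SYN",))
    t.packet(0, "UDP", "10.0.0.5", "203.0.113.53", 53)
    t.expire(700)
    return sorted(s["proto"] for s in t.sessions.values())
```

leftover_after_crash(True) returns an empty list, while leftover_after_crash(False) still holds the dead TCP session, which is the accumulation the answer warns about.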
16) What is the pin arrangement of the SecuwayGate 100’s console cable?

Pin number marked on the console connector   Line color
2                                              Yellow
3                                              Green
5                                              Red
8                                              Brown
15 Jan. 2004 Future Systems, Inc.
7,8F, Koland Bldg, 1009-1, Daechi-dong, Gangnam-gu, Seoul, 135-851 Korea
Tel: +82-2-3468-7777, Fax: +82-2-3468-7700
Homepage: http://www.future.co.kr
