SnapGearメーカー1.7.8の使用説明書/サービス説明書
ページ先へ移動 of 105
SnapGear VPN Appliance Family User Manual Rev: 1.7.8 May 2nd, 2003 SnapGear, Inc. 7984 South Welby Park Drive #101 Salt Lake City, Utah 84084 Email: support@snapgear.
T able of content s 1. Introducti on ............................................................................................... 1 Document conventions .......................................................................................... 4 Installing and configuring your SnapGear appliance .
6. Firewall .................................................................................................... 58 Incoming access .................................................................................................. 58 Outgoing access .
1. Introduction This chapter provides an overview of your SnapGear appliance’s features and capabilities, and explains how to install and configure your SnapGear appliance. The SnapGear appliance enables small to m edium-sized businesses to securely interconnect computers on your office network to the Internet.
Terminology This section explains terms that are commonly used in this document. Term Meaning ADSL Asymmetric Digital Subscriber Line. A technology allowing high- speed data transfer over existing telephone lines. ADSL supports data rates between 1.5 and 9 Mb/s when receiving data and between 16 and 640 Kb/s when sending data.
Term Meaning millions of people worldwide. The Internet is technically distinguished because it uses the TCP/IP set of protocols. Intranet A private TCP/IP network within an enterprise.
Term Meaning not a full router, a switch partically understands how to route Internet packets. A switch increases LAN efficiency by utilizing bandwidth more effectively. TCP/IP Transmission Control Protocol/Internet Protocol. The basic protocol for Internet communication.
Installing and configuring your SnapGear appliance This manual contains instructions for installing and configuring your SnapGear appliance on your network. The basic steps and related chapters are: Step Chapter 1. Interconnect the SnapGear appliance and PCs on a local area network.
Your SnapGear appliance The following items are included with your SnapGear appliance: • Power adapter • Installation CD • Printed Quick Install guide • Cabling including o 1 normal “straight through” UTP cable (blue color). o 1 “cross-over” UTP cable (either gray or red color) .
The rear panel contains the connector ports for the LAN ( LAN ) and modem ( COM1 , COM2 ), LAN 10BaseT status LEDs, WAN 10BaseT status LEDs, the reset button and power inlet.
Figure 1.3 Netw ork interconnections Introduction 8.
SnapGear appliance features • Software features • Network Address Translation (NAT) firewall that isolates the LAN from the Internet and offers network access control and filtering. Usually a simple form of NAT called masquerading is used. • DHCP server and client that ensure simple and flexible IP network configuration.
Internet link features • Connect to the Internet using an external cable modem, DSL, dial-up or ISDN modem. • Serial ports connect to the Internet using an external modem or ISDN T/A. The LITE2, LITE2+, SME530 and SME550 models have a single serial port.
Environmental features • External power adaptor (voltages/current depend on individual models). • Front panel status LEDs: Power Test. • Operating temperature between 0° C and 40° C. • Storage temperature between -20° C and 70° C. • Humidity between 0 to 95% (non-condensing).
2. Getting st arted Your SnapGear appliance provides a secure, simple gateway to connect PCs and other devices on your local network to the outside world. This chapter provides step-by-step instructions for connecting the SnapGear appliance to your LAN.
Note The following steps detail the initial setup procedure for networks with at least one Windows workstation. If you wish to perform the setup procedure using a Linux box, skip to the section called later in this chapter. New Networks If you do not have an existing LAN, you need to configure one networked PC to get started: 1.
6. If you have chosen to use the static IP reset feature of the SnapGear appliance, choose an address in the range: 192.168.0.0 - 192.168.0.255 (192.168.0/24 prefix) Enter the value into the IP Address field followed by a number (1-254) to identify your PC (e.
Configuring the SnapGear appliance on your network Below is an overview of the steps in initial setup of the SnapGear appliance on your network: 1. Apply power to the SnapGear appliance. When the SnapGear appliance is powered on in factory default mode, it has no LAN IP address.
Note The front of the SnapGear appliance contains activity LEDs that vary slightly between models. These provide information on the operating status of your SnapGear appliance. In particular you should note: The Power/PWR LED is on when power is applied (use only the SnapGear Power Adapter packaged with the unit).
Set up IP addresses To communicate on your network the SnapGear appliance will need an IP address. This is accomplished using the SnapGear Setup Wizard application that ships with your SnapGear CD.
A. Your SnapGear appliance was found on the network. This means either your network is DHCP enabled and another PC on the network has already given it an IP address, or you hav e chosen to boot the SnapGear appliance with an initial, static IP address.
C. Your SnapGear appliance needs an IP address. This means your network is not DHCP enabled and you must perform the following steps: Enter the IP address that you want to assign to your SnapGear appliance. SnapGear Setup Wizard will already have auto-completed the IP address.
Administrative password After an IP address is allocated or the SnapGear appliance has been located, the SnapGear Setup Wizard will prompt you to change the SnapGear appliance administrative password. This password controls access to the SnapGear Management Console web administration pages.
Initial setup using Linux By default, your SnapGear appliance as shipped does not have any IP addresses configured. When the SnapGear appliance is powered on, if it has no LAN IP address all the front panel LEDs except Power will flash (except on LITE+ and LITE2+).
Using an existing local DHCP or BOOTP server If your local network is configured with a DHCP server, the SnapGear appliance will automatically acquire an address when attached to the network. Check your local DHCP server logs to find the address assigned to your SnapGear appliance.
Configuring a new local DHCP or BOOTP server If your network has no DHCP or BOOTP server , you can temporarily configure a local Linux system as a bootp server using the following steps: 1. Edit the /etc/inetd.conf file. 2. Search for the bootpd line.
SnapGear Quick Setup The SnapGear Quick Setup Wizard will guide you through the basic steps for configuring the LAN port for your SnapGear appliance and connecting to the Internet. To start the wizard, click the Quick Setup Wizard link on the SnapGear Appliance Configuration page.
LAN port quick setup The following figure shows the LAN port quick setup: Figure 2.3 LAN port quick setup 1. Enter the name for your SnapGear appliance on the LAN. 2. Select the method for setting the LAN port network address configuration (either DHCP or manual).
ISP connection quick setup The following figure shows the ISP connection quick setup: Figure 2.4 ISP connection quick setup Select Cable Modem, Modem, ADSL, or Direct as the method for connecting to your ISP. Direct connections are where the SnapGear Internet Port is connected to a LAN with another gateway to the Internet.
• The DNS server for your ISP. If you use ADSL (Asymmetric Digital Subscriber Line) to connect to your ISP, you must specify the ADSL connection type. This can be done in one of the following ways: • Allow your SnapGear appliance to autom atically detect your ADSL connection type.
Configuring the PCs on your network To access the Internet, all PCs on your network must have: • The IP address of the SnapGear appliance defined as their default gateway, and • Must use the DNS server provided by the ISP or the DNS proxy on the SnapGear appliance.
If you are using Windows 2000, click Start , Settings , Network and Dial-up Connections , right-click Local Area Connection , click Properties , select Internet Protocol and then click Properties to display the following screen: Figure 2.3 TCP/IP properties You can also manually configure the PCs on your network.
3. Connecting to the Internet This chapter provides step-by-step instruct ions for connecting your SnapGear appliance to your Internet Service Provider (ISP).
Select Internet connection The next step is to select the method for connecting your SnapGear appliance to the Internet. From the SnapGear appliance Config Pages, in the Networking menu, select Connect to Internet and select the method to connect to your local ISP.
Connect to Internet – direct Choosing Direct Connection to the Internet shows the IP Configuration page. See the section called IP configuration. Connect to Internet – modem The following figure shows the Setup modem Internet connection: Connecting to the Internet 32 Figure 3.
Field Description Serial port to dial-out on Select the SnapGear appliance COM (serial) port you will use for the modem that will dial your ISP. This port will be dedicated for the Internet connection; any attempt to dial-in using this COM port will be blocked.
Internet failover SnapGear appliances are designed with the real Internet in mind, which may mean downtime due to ISP equipment or telecommunications network failure. Failures can be caused by removing the wrong plug from the wall, typing in the wrong ISP password or many other reasons.
The following figure shows the failover configuration screen: Figure 3.4 Failover configuration screen The following fields can be configured for the failover connection. Field Description IP Address to ping IP address the SnapGear appliance will ping to determine if the Internet connection is up or down.
Failed connection An Internet connection is considered failed if the SnapGear appliance tests the Internet connection the specified number of times, and fails each time. The SnapGear appliance can test the Internet connection by ensuring that the physical connection was made correctly (i.
Configure PCs to use SnapGear appliance Internet gateway The PCs on your network must be configured to use the SnapGear appliance as the default gateway for Internet access. See the section called Configuring the PCs on your network for more information.
4. Dial-in server configuration SnapGear appliance enables remote and secure access to your office network. This chapter shows how to set up the dial-in features. Your SnapGear appliance can be configured to receive dial-in calls from remote users/sites.
To configure the SnapGear appliance for a dial-in connection: 1. Attach external modems to the relevant SnapGear appliance serial ports. Refer to Chapter 7, Serial Ports and Modem Devices for modem configuration details. 2. Enable and configure the selected SnapGear appliance COM port for dial-in as detailed in Dial-in Setup .
Dial-in setup The following figure shows the dial-in setup: Dial-in server configuration 4 0 Figure 4.1 Dial-in setup To enable and configure Dial-In server for the SnapGear appliance, select Dial-In Setup from the Networking menu.
Field Description Enable Dial-in To enable and configure dial-in, check the relevant COM port box. The selected port is now available for dial-in access. If no COM port is selected, all dial-in attempts will be blocked. The current dial-in status of all COM ports is displayed.
Dial-in user accounts User accounts must be set up before remote users can dial-into the SnapGear appliance. The following figure shows the Dial-in user account creation: Dial-in server configuration 42 Figure 4.
The following figure shows the user maintenance screen: Figure 4.3 User maintenance screen Dial-in server configuration 43.
Account list As new dial-in user accounts are added, they are displayed on the updated Account List. To modify a password for an existing account, select the account in the Account List and enter the new password in the New Password and Confirm fields.
Remote user configuration Remote users can dial-in using the SnapGear appliance using the standard Windows Dial-Up Networking software. Set up a new dial-out connection on the remote PC to dial the phone number of the modem connected to the SnapGear appliance COM port.
An icon is displayed in Dial-Up Networking with your Connection Name. Right click the icon once, and then click File and Properties and click the Server Types tab as shown in the following figure: Figure 4.6 Server ty pes Check the Log on to network and Enable software compression checkboxes.
Dial-in and log on to the remote SnapGear appliance by double-clicking the Connection Name icon. You need to enter the Username and the Password that was set up for the SnapGear appliance dial-in account as shown in the following figure: Figure 4.
Click Next to continue. Figure 4.9 Connection type Select Dial-up to private network as the connection type and click Next to continue. Figure 4.10 Phone number to dial Tick Use dialing rules to enable you to select a country code and area code. This feature is useful when using remote access in another area code or overseas.
Click Next to continue. Figure 4.11 Connection availability Select the option Only for myself to make the connection only available for you. This is a security feature that will not allow any other users who log onto your machine to use this remote access connection: Figure 4.
To launch the new connection, double-click on the new icon on the desktop, and the remote access login screen will appear as in the next figure. If you did not create a desktop icon, click Start, Sett.
5. Network configuration IP configuration Users can set the IP address configuration for both the LAN and Internet interfaces by selecting IP Configuration from the Networking menu as shown in the following figure: Figure 5.
If your SnapGear appliance is configured for a Direct Connection to the Internet, you must also set the IP address for the Internet Interface. Check DHCP assigned if the IP address of the Internet Interface is set via a DHCP server, or enter the IP Address and Netmask if you have a static address for the Internet interface.
Advanced IP configuration The following figure shows the advanced IP configuration: Figure 5.2 Advanced IP configuration The Hostname is a descriptive name for the SnapGear appliance on the network.
The SnapGear appliance can utilize IP Masquerading (a simple form of Network Address Translation, or NAT) where users on the local network effectively share a single external IP address. Masquerading allows insiders to get out, without allowing outsiders in.
DHCP server The following figure shows the DHCP server configuration: Figure 5.3 DHCP server configuration To help keep your network design as simple as possible, your SnapGear appliance can act as a DHCP server for machines on your local network.
Click Configure the server settings on the DHCP Server Configuration screen to: • Check the Enable DHCP server checkbox. • Enter the Gateway Address to be distributed to DHCP clients. This is normally the IP address of the LAN interface of the SnapGear appliance.
Advanced networking Users can perform the following diagnostic tasks on the Advanced Networking screen: • Perform a Ping Test. • Perform a Trace Route Test (not available on LITE and LITE+ due to memory constraints). • View the Interface Configuration.
6. Firewall The SnapGear appliance has a fully featured, stateful firewall. The firewall allows you to control both incoming and outgoing access and to detect intrusion attempts, so that PCs on the office network can have tailored Internet access facilities and be shielded from malicious attacks.
Incoming access – administration services The following figure shows the incoming access configuration page: Figure 6.1 Incoming access configuration By default the SnapGear appliance runs a web adm inistration server and a telnet service. Access to these services can be restricted to specific interfaces.
The SnapGear appliance’s Web Admin pages are usually accessed on the default HTTP port (i.e. port 80). Change the port number if you are allowing Internet access to the web administration page. This will hide your web administration pages from casual web surfers who finds your SnapGear appliance on the Internet.
Port forwarding The following figure shows the port forwarding configuration: Figure 6.3 Port forw arding configuration Port forwarding allows the SnapGear appliance to control access to services provided by machines on your private network from users on the Internet.
Outgoing access Your SnapGear appliance can be configured to restrict network traffic going out the Internet interface. These restrictions can be applied to specific hosts or networks (defined by IP address), or globally across all hosts on your internal LAN.
Use the Add Hosts or Networks section to specify the specific machines or networks to restrict outgoing access as shown in the following figure: Figure 6.5 Outgoing access settings Firewall rules The Firewall Rules configuration page allows firewall experts to view the current firewall rules and add custom firewall rules.
Intrusion detection and blocking The following figure shows the Intrusion Detection and Blocking (IDB) configuration: Figure 6.6 Intrusion detection and blocking configuration IDB operates by offering a number of services to the outside world that are monitored for connection attempts.
The list of monitored network ports can be freely edited. Several shortcut buttons also provide pre-selected lists of services to monitor. The basic button installs a bare bones selection of ports to monitor while still providing sufficient coverage to detect many intruder scans.
Content filtering The SnapGear Content Filtering system limits the types of web-based content accessed. Web-based content featuring profanity, sexually explicit or other objectionable material can be limited or blocked from the following screens.
Firewall 6 7 Figure 6.7 Content filtering.
In the Block List , specify text that will block access to any URL containing that text. For example, if access to websites containing references to “widgets” is a violation, entering that text will block any URL containing “widgets” including http://www.
7. V irtual Private Networking Virtual Private Networking (VPN) enables two or more locations to communicate securely and effectively, usually across a public network (e.
PPTP client setup The SnapGear PPTP client enables the SnapGear appliance to establish a VPN to a remote network running a PPTP server (usually a Microsoft Windows server). To set up a SnapGear PPTP VPN Client, select PPTP VPN Client from the VPN menu and create a new VPN connection by entering: • A descriptive name for the VPN connection.
If the remote VPN is already up and running, check Start Now to establish the connection immediately as shown in the following figure: Figure 7.2 PPTP client configuration The SnapGear appliance supports multiple VPN client connections. Additional connections can be added by following these steps.
PPTP server setup The SnapGear appliance includes a PPTP Server, a virtual private network server that supports up to forty simultaneous VPN tunnels (depending on your SnapGear appliance model). The SnapGear PPTP Server allows remote Windows clients to securely connect to the local network.
Enable and configure the PPTP VPN server The following figure shows the PPTP server setup: Figure 7.3 PPTP server setup To enable and configure your SnapGear appliance’s VPN server, select PPTP VPN Server from the VPN menu in the SnapGear appliance Config Pages .
The following table describes the fields in the VPN Setup screen and the options available when enabling and configuring VPN access. Field Description Enable PPTP Server Check this box to enable PPTP connections to be established to your SnapGear appliance.
Configuring user accounts for VPN server After setting up the VPN server, select Continue and to show the PPTP VPN Server Accounts screen as shown in the following figure: Figure 7.4PPTP VPN server accounts screen Before remote users can set up a VPN tunnel to the SnapGear appliance PPTP server, they must have a user accounts set up.
To delete an existing account, Select the account in the Account List and then check Delete in the Delete or Change Password for the Selected Account field. If a requested change to a user account is successful, the PPTP VPN Setup screen is shown with the change noted.
Configuring the remote VPN client After setting up the SnapGear PPTP VPN server, the remote VPN clients can be configured to securely access the local network. You need to enter the VPN client username and password that your remote users will use to access the SnapGear PPTP VPN from the remote site.
To determine the current SnapGear appliance’s PPTP server IP address, select Diagnostics from the System menu in the main menu bar. The IP address is displayed in the VPN field. Your remote users must know this PPTP IP address to setup a VPN tunnel to the SnapGear appliance.
Windows 95 and Windows 98 From the Dial-Up Networking folder, double-click Make New Connection . Type SnapGear appliance or a similar descriptive name for your new VPN connection. From the Select a device drop-down menu, select the Microsoft VPN Adapter and click Next .
Click TCP/IP Settings . Confirm that the Server Assigned IP Address , Server Assigned Name Server Address , Use IP Header Compression and Use Default Gateway on Remote Network are all selected and click OK . Figure 7.7 VPN client server settings Your VPN client is now set up correctly.
Windows NT From the Dial-Up Networking dialog, click New and select the Basic tab. In the Entry name field, enter SnapGear appliance or a similar descriptive name and click Next . Enter the SnapGear appliance’s PPTP IP address into the Phone Number field.
Windows 2000 To set up VPN access, first setup a Dial Up Networking account to access the Internet. Once you have done this, you are ready to begin. The first thing you need to do is log in as Administrator on your PC.
This displays the Destination Address window: Figure 7.10 Destination address Enter the SnapGear PPTP server’s IP address and click Next . Select the Connection Availability you require on the next window and click Next to display the final window: Figure 7.
Connecting the remote VPN client Firstly, connect to the Internet using the network connection to your ISP. After authenticating the connection to your ISP, select the connection for the SnapGear appliance VPN. For Windows 95/98/2000 , enter the username and password allocated by your SnapGear appliance’s VPN administrator and click Connect .
IPSec setup The SnapGear appliance supports IPSec tunnels as well as PPTP tunnels. To setup your VPN using IPSec, select IPSec from the VPN menu to display the following screen: Figure 7.12 IPSec setup Enable IPSec by clicking the Enable IPSec box underneath the IPSec Setup title and then click Submit .
To add a new IPSec connection click on Add under Add New IPSec Connection to show the following screen: Virtual Private Networking 8 6 Figure 7.13 Add new IPSec connection Enter a descriptive name for the connection in the Connection Name field.
Enter the local gateway settings. Internal subnet/netmask is the private network behind the SnapGear appliance. External IP is the public-network interface that the SnapGear appliance will use for IPSec.
Click Add to complete the IKE setup as shown in the following screen: Figure 7.14 Automatic keying setup Virtual Private Networking 8 8.
Click Submit to add the new IPSec tunnel after selecting the appropriate Automatic Startup , Authorization , Authentication , and Key Configuration . Warning The pre-shared secret must be entered identically at each end of the tunnel. The IPSec tunnel will fail to connect if the pre-shared secret is not identical at both ends.
Checking the Enable Perfect Forward Secrecy of keys checkbox means that an attacker who acquires the SnapGear appliance’s long-term key (i.e. the pre-shared secret or RSA Signature Key Private Secti.
8. System Time server The SnapGear appliance can synchronize its system time with a remote time server using the Network Time Protocol (NTP). Configuring the NTP time server ensures that the SnapGear appliance's clock (in UTC) will be accurate soon after the Internet connection is established.
Diagnostics If you are experiencing problems with your SnapGear appliance, diagnostic information is provided on the SnapGear appliance’s Configuration web pages. To access this information, from the System menu, click Diagnostics . Advanced network diagnostics can be viewed by selecting the Networking menu, then Advanced Networking .
Flash upgrade The SnapGear appliance firmware can be updated with newer versions available from the SnapGear web site (http://www.SnapGear.c om/downloads.html). The firmware is in binary image files ( .bin ) that can be transferred from a PC on the local network directly into the SnapGear appliance’s flash memory.
9. T echnical support The System menu contains an option detaili ng support information for your SnapGear appliance. This page provides basic troubleshooting tips, contact details for SnapGear Support, and links to the SnapGear Knowledge Base as shown in the following figure: Figure 9.
Appendix A – LED st atus p atterns The following table shows the different LED illumination combinations that can indicate possible error conditions. In each case, the LEDs indicated will be on and steady, unless otherwise noted, and all other LEDs will be off.
Appendix B – System Log Access Logging It is possible to log any traffic that arrives at or traverses the SnapGear appliance. The only logging that is enabled by default is to take note of packets that were dropped. While it is possible to specifically log exactly which rule led to such a drop, this is not configured by default.
Commonly used interfaces are: eth0 the LAN port eth1 the WAN/Internet port ppp X e g . ppp0 or ppp1 – a PPP session ipsec X e g . ipsec0 , an IPSec interface The firewall rules deny all packets arriving from the WAN port by default. There are a few ports open to deal with traffic such as DHCP, VPN services and similar.
Mar 27 09:31:19 2003 klogd: Default deny: IN=eth1 OUT=MAC=00:d0:cf:00:ff:01:00:e0:29:65:af:e9:08:00 SRC=140.103.74.181 DST=12.16.16.36 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=46341 DF PROTO=TCP SPT=46111 .
iptables -I INPUT -j LOG -p tcp --syn -s <X.X.X.X/XX> -d <Y.Y.Y.Y/YY> --dport <Z> --log-prefix <prefix> This will log any TCP ( -p tcp ) session initiations ( --syn ) that arrive from the IP address/netmask X.X.X.X/XX ( -s ... ) and are going to Y.
iptables -I FORWARD -j LOG -p tcp --syn -s 5.6.7.8/32 -d 192.168.1.1 --dport 25 --log-prefix "Mail for flubber: " This will result in log output something like this: <12> Jan 24 18:17:19 2000 klogd: Mail for flubber: IN=eth1 OUT=eth0 SRC=5.
Clearly there are many more combinations possible. It is therefore possible to write rules which log inbound and outbound traffic, or to construct several rules which differentiate between the two.
Appendix B – System Log 102 This message shows the date/time, whether the authentication succeeded or failed, the user attempting authentication (in this case root ) and the IP address from which the attempt was made.
デバイスSnapGear 1.7.8の購入後に(又は購入する前であっても)重要なポイントは、説明書をよく読むことです。その単純な理由はいくつかあります:
SnapGear 1.7.8をまだ購入していないなら、この製品の基本情報を理解する良い機会です。まずは上にある説明書の最初のページをご覧ください。そこにはSnapGear 1.7.8の技術情報の概要が記載されているはずです。デバイスがあなたのニーズを満たすかどうかは、ここで確認しましょう。SnapGear 1.7.8の取扱説明書の次のページをよく読むことにより、製品の全機能やその取り扱いに関する情報を知ることができます。SnapGear 1.7.8で得られた情報は、きっとあなたの購入の決断を手助けしてくれることでしょう。
SnapGear 1.7.8を既にお持ちだが、まだ読んでいない場合は、上記の理由によりそれを行うべきです。そうすることにより機能を適切に使用しているか、又はSnapGear 1.7.8の不適切な取り扱いによりその寿命を短くする危険を犯していないかどうかを知ることができます。
ですが、ユーザガイドが果たす重要な役割の一つは、SnapGear 1.7.8に関する問題の解決を支援することです。そこにはほとんどの場合、トラブルシューティング、すなわちSnapGear 1.7.8デバイスで最もよく起こりうる故障・不良とそれらの対処法についてのアドバイスを見つけることができるはずです。たとえ問題を解決できなかった場合でも、説明書にはカスタマー・サービスセンター又は最寄りのサービスセンターへの問い合わせ先等、次の対処法についての指示があるはずです。