This chapter explains the settings available from the "Security" menu. The following advanced configurations are provided.
The Admin Login screen allows you to assign a user name and password to the Broadband VPN Gateway.
You will see a login prompt when you connect to the Broadband VPN Gateway, as shown below.
Enter the "User Name" and "Password" you set on the Admin Login screen above.
This feature is accessed by the Access Control link on the Security menu.
The Access Control feature allows administrators to restrict the level of Internet Access available to PCs on your LAN. With the default settings, everyone has unrestricted Internet access.
To use this feature:
Note: Restrictions are imposed by blocking "Services", or types of connections. All common Services are pre-defined.
To view this screen, select the Access Control link on the Security menu.
Figure 36: Access Control Screen
| Group | Description |
|---|---|
| Group | Select the desired Group. The screen will update to display the settings for the selected Group. Groups are named "Default", "Group 1", "Group 2", "Group 3" and "Group 4", and cannot be re-named. |
| "Members" Button | Click this button to add or remove members from the current Group. See the following section for details of the Group Members screen. |

| Internet Access | Description |
|---|---|
| Restrictions | Select the desired options for the current group: |
| Block by Schedule | If Internet access is being blocked, you can choose to apply the blocking only during scheduled times (defined on the Scheduling screen). If access is not blocked, no Scheduling is possible, and this setting has no effect. |
| Services | This lists all defined Services. Select the Services you wish to block. To select multiple services, hold the CTRL key while selecting. (On the Macintosh, hold the SHIFT key rather than CTRL.) |

| Buttons | Description |
|---|---|
| Members | Click this button to add or remove members from the current Group. If the current group is "Default", members cannot be added or deleted; this group contains PCs not allocated to any other group. See the following section for details of the Group Members screen. |
| Save | Save the data on screen. |
| Cancel | Reverse any changes made since the last "Save". |
| View Log | Click this to open a sub-window where you can view the "Access Control" log. This log shows attempted Internet accesses which have been blocked by the Access Control feature. |
| Clear Log | Click this to clear and restart the "Access Control" log, making new entries easier to read. |
This screen is displayed when the Members button on the Access Control screen is clicked.
Use this screen to add or remove members (PCs) from the current group.
Note: PCs not assigned to any group will be in the "Default" group.
To check the operation of the Access Control feature, an Access Control Log is provided. Click the View Log button on the Access Control screen to view this log.
This log shows attempted Internet accesses which have been blocked by the Access Control function.
Data shown in this log is as follows:
| Field | Description |
|---|---|
| Date/Time | Date and time of the attempted access. This is only correct if the Timezone has been set on the Logs screen. |
| Name | If known, the name of the PC whose access was blocked. This name is taken from the Network Clients database. |
| Source IP address | The IP address of the PC or device whose access request was blocked. |
| MAC address | The hardware or physical address of the PC or device whose access request was blocked. |
| Destination | The destination URL or IP address. |
For normal operation and LAN protection, it is not necessary to use this screen.
The Firewall will always block DoS (Denial of Service) attacks while the DoS Firewall is enabled on the Security Options screen (the default). A DoS attack does not attempt to steal data or damage your PCs; it floods your Internet connection so that you cannot use it: the service is unavailable.
You can also use this screen to create Firewall rules to block or allow specific traffic. Incorrect configuration may cause serious problems, so this feature is for advanced administrators only.
Click the Firewall Rules option on the Security menu to see a screen like the following example. This example contains two (2) rules for outgoing traffic.
Note: Since the default rule for outgoing (LAN => WAN) traffic is "Allow", having an "Allow" rule for LAN => WAN only makes sense in combination with another rule, such as a "Block" rule covering the same traffic.
Figure 38: Firewall Rules Screen
| Rule List | Description |
|---|---|
| View Rules for .. | Select the desired option; the screen will update and list any current rules. If you have not defined any rules, the list will be empty. |
| Data | For each rule, the following data is shown: |
| Add | To add a new rule, click the "Add" button, and complete the resulting screen. See the following section for more details. |
| Edit | To edit or modify an existing rule, select it and click the "Edit" button. |
| Move | There are 2 ways to change the order of rules. |
| Delete | To delete an existing rule, select it and click the "Delete" button. |
| View Log | Clicking the "View Log" button will open a new window and display the Firewall log. |
| System Rules | Clicking the "System Rules" button will open a new window and display the default firewall rules currently applied by the system. These rules cannot be edited, but any rules you create will take precedence over the default rules. |
Clicking the "Add" button in the Firewall Rules screen will display a screen like the example below.
Figure 39: Define Firewall Rule
| Field | Description |
|---|---|
| Name | Enter a suitable name for this rule. |
| Type | This determines the source and destination ports (the LAN and WAN interfaces, for example LAN => WAN for outgoing traffic) for traffic covered by this rule. It is not the TCP/UDP port number, which is set by the Service. Select the desired option. |
| Source IP | These settings determine which traffic, based on its source IP address, is covered by this rule. Select the desired option: |
| Dest IP | These settings determine which traffic, based on its destination IP address, is covered by this rule. Select the desired option: |
| Services | Select the desired Service or Services. This determines which packets are covered by this rule, based on the protocol (TCP or UDP) and port number. If necessary, you can define a new Service on the "Services" screen, by defining the protocols and port numbers used by the Service. |
| Action | Select the desired action for packets covered by this rule: |
| Log | This determines whether packets covered by this rule are logged. Select the desired option. |
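To make the rule semantics concrete, here is an added Python model of first-match rule evaluation (example code written for this page, not the gateway's firmware). It models a Service as the protocol and port range (or ICMP type) entered on the Services screen, a Rule with the Type (direction), Source IP, Dest IP, Services, Action and Log fields above, and the system default of "Allow" for LAN => WAN traffic. The "Block" default assumed for WAN => LAN, the "Any"/CIDR address forms, the direction strings, and all addresses, rule names and packets are assumptions for illustration; the option lists the screen actually offers are not reproduced on this page.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Service:
    """A Service as defined on the Services screen: a protocol plus a port
    range (a single-port service repeats the port in start and finish), or
    an ICMP type for ICMP services."""
    name: str
    proto: str                      # "TCP", "UDP" or "ICMP"
    start_port: int = 0
    finish_port: int = 0
    icmp_type: Optional[int] = None

    def matches(self, pkt: "Packet") -> bool:
        if pkt.proto != self.proto:
            return False
        if self.proto == "ICMP":
            return pkt.icmp_type == self.icmp_type
        return self.start_port <= pkt.dport <= self.finish_port


@dataclass(frozen=True)
class Packet:
    direction: str                  # "LAN=>WAN" (outgoing) or "WAN=>LAN" (incoming)
    src: str
    dst: str
    proto: str
    dport: int = 0
    icmp_type: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    """One user-defined rule from the Define Firewall Rule screen. The
    Source IP / Dest IP option list is not reproduced on the page, so
    "Any" or an address/CIDR is an assumption made for illustration."""
    name: str
    direction: str
    src: str
    dst: str
    services: Tuple[Service, ...]
    action: str                     # "Allow" or "Block"
    log: bool = False

    @staticmethod
    def _ip_ok(spec: str, addr: str) -> bool:
        return spec == "Any" or ip_address(addr) in ip_network(spec, strict=False)

    def matches(self, pkt: Packet) -> bool:
        return (pkt.direction == self.direction
                and self._ip_ok(self.src, pkt.src)
                and self._ip_ok(self.dst, pkt.dst)
                and any(s.matches(pkt) for s in self.services))


# System (default) rules, which user-defined rules take precedence over.
# LAN=>WAN "Allow" is stated in the manual; WAN=>LAN "Block" is assumed.
DEFAULT_ACTION = {"LAN=>WAN": "Allow", "WAN=>LAN": "Block"}


def evaluate(rules, pkt: Packet):
    """First-match evaluation: the first user rule that matches decides
    (action, rule name, whether to log); otherwise the system default applies."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name, rule.log
    return DEFAULT_ACTION[pkt.direction], "system default", False


HTTP = Service("HTTP", "TCP", 80, 80)
DNS = Service("DNS", "UDP", 53, 53)

# Allow web access for one admin PC, then block it for everyone else. The
# "Allow" rule only has an effect because a "Block" rule for the same
# traffic follows it.
RULES = (
    Rule("admin-web", "LAN=>WAN", "192.168.0.10", "Any", (HTTP,), "Allow"),
    Rule("block-web", "LAN=>WAN", "Any", "Any", (HTTP,), "Block", log=True),
)


def demo():
    """Constructed packets showing first-match order and the default rule."""
    admin = Packet("LAN=>WAN", "192.168.0.10", "203.0.113.5", "TCP", 80)
    other = Packet("LAN=>WAN", "192.168.0.23", "203.0.113.5", "TCP", 80)
    dns = Packet("LAN=>WAN", "192.168.0.23", "203.0.113.53", "UDP", 53)
    return {
        "admin": evaluate(RULES, admin),            # Allow by admin-web
        "other": evaluate(RULES, other),            # Block by block-web, logged
        "dns": evaluate(RULES, dns),                # no rule matches: default Allow
        # Same two rules in the opposite order: Block matches first, so the
        # admin PC is blocked too. Rule order is part of the policy.
        "reversed_admin": evaluate(tuple(reversed(RULES)), admin),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

The `reversed_admin` case is the reason the Move buttons matter: with the same two rules in the other order, the "Allow" rule is never reached, and using "View Log" would show the admin PC's web traffic being blocked by "block-web".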
The Logs record various types of activity on the Broadband VPN Gateway. This data is useful for troubleshooting, but enabling all logs will generate a large amount of data and adversely affect performance.
Since only a limited amount of log data can be stored in the Broadband VPN Gateway, log data can also be E-mailed to your PC or sent to a Syslog Server.
| Enable Logs | Description |
|---|---|
| DoS Attacks | If enabled, this log will show details of DoS (Denial of Service) attacks which have been blocked by the built-in Firewall. |
| Internet Connections | If selected, outgoing Internet connections are logged. Normally, the (Internet) "Destination" will be shown as an IP address. But if the "URL Filter" is enabled, the "Destination" will be shown as a URL. |
| Access Control | If enabled, the log will include attempted outgoing connections which have been blocked by the "Access Control" feature. |
| Firewall Rules | If enabled, the log will include details of packets blocked by user-defined Firewall rules. Logging can be set for each rule individually. Only rules which have logging enabled will be included. |
| VPN | If enabled, the VPN log will record incoming and outgoing VPN connections. |
| Timezone | Select the correct Timezone for your location. This is required for the date/time shown on the logs to be correct. |

| E-Mail Logs | Description |
|---|---|
| Send E-mail alert | If enabled, an E-mail will be sent immediately if a DoS (Denial of Service) attack is detected. If enabled, the E-mail address information must be provided. |
| E-mail Logs | You can choose to have the logs E-mailed to you, by enabling either or both checkboxes. If enabled, the Log will be sent to the specified E-mail address. The interval between E-mails is determined by the "Send" setting. |
| Send | Select the desired option for sending the log by E-mail. |
| E-mail Address | Enter the E-mail address the Log is to be sent to. The E-mail will also show this address as the Sender's address. |
| Subject | Enter the text string to be shown in the "Subject" field for the E-mail. |
| SMTP Server | Enter the address or IP address of the SMTP (Simple Mail Transfer Protocol) Server you use for outgoing E-mail. |
| Port No. | Enter the port number used to connect to the SMTP Server. The default value is 25. |

| Syslog Server | Description |
|---|---|
| Enable Syslog | If enabled, log data will be sent to your Syslog Server. Syslog carries the log data in clear text, so the server should be on your LAN rather than reached across the Internet. |
| Syslog Server | Enter the IP address of your Syslog Server. |
| Include | Select the logs you wish to be included. |
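The following Python snippet is an added example (not the gateway's own software) of how a Syslog Server could parse the forwarded log and summarize the Access Control log fields listed earlier (Date/Time, Name, Source IP, MAC, Destination): blocked attempts per source PC, the destinations each tried, and the MAC addresses whose name is not in the Network Clients database. The sample lines are constructed; the gateway's actual message layout is not given on this page, so the RFC 3164 framing, the `tag: key=value` body, the tag names `AccessControl` and `DoS`, and the use of "-" for an unknown name are all assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample syslog lines (RFC 3164 style). The gateway's actual
# message layout is not documented on this page, so the "tag: key=value"
# body is an assumption made for this example.
SAMPLE_LINES = [
    "<134>Jan 12 09:15:02 gateway AccessControl: name=LAB-PC src=192.168.0.23 mac=00:11:22:33:44:55 dst=www.example.com",
    "<134>Jan 12 09:15:07 gateway AccessControl: name=LAB-PC src=192.168.0.23 mac=00:11:22:33:44:55 dst=203.0.113.9",
    "<134>Jan 12 09:16:41 gateway AccessControl: name=- src=192.168.0.77 mac=00:aa:bb:cc:dd:ee dst=www.example.net",
    "<132>Jan 12 09:17:00 gateway DoS: SYN flood from 198.51.100.4 blocked",
    "this line is not syslog at all",
]

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"                                # PRI = facility*8 + severity
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "       # e.g. "Jan 12 09:15:02"
    r"(?P<host>\S+) "
    r"(?P<tag>[^:]+): "
    r"(?P<msg>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_syslog(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    if pri > 191:                       # 23 facilities * 8 + 7 is the maximum PRI
        return None
    rec = {
        "facility": pri // 8, "severity": pri % 8,
        "timestamp": m["ts"], "host": m["host"],
        "tag": m["tag"], "msg": m["msg"],
    }
    if rec["tag"] == "AccessControl":
        # The Access Control log fields: Name, Source IP, MAC, Destination
        rec["fields"] = dict(KV_RE.findall(m["msg"]))
    return rec


def summarize(lines):
    """Aggregate blocked accesses per source PC, the destinations each tried,
    and the MACs whose name is not in the Network Clients database ("-")."""
    blocked_by_source = Counter()
    destinations = defaultdict(set)
    unnamed_macs = set()
    dos_alerts = 0
    ignored = 0
    for line in lines:
        rec = parse_syslog(line)
        if rec is None:
            ignored += 1               # malformed input is counted, never trusted
            continue
        if rec["tag"] == "AccessControl":
            f = rec["fields"]
            blocked_by_source[f["src"]] += 1
            destinations[f["src"]].add(f["dst"])
            if f.get("name", "-") == "-":
                unnamed_macs.add(f["mac"])
        elif rec["tag"] == "DoS":
            dos_alerts += 1
    return {
        "blocked_by_source": dict(blocked_by_source),
        "destinations": {src: sorted(d) for src, d in destinations.items()},
        "unnamed_macs": sorted(unnamed_macs),
        "dos_alerts": dos_alerts,
        "ignored": ignored,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LINES).items():
        print(key, value)
```

A MAC that keeps appearing with an unknown name is worth a look: it is a device on the LAN that the Network Clients database does not know about, which is exactly the case the Name column helps you spot.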
This screen allows you to set Firewall and other security-related options.
Figure 41: Security Options Screen
| SPI Firewall | Description |
|---|---|
| Enable DoS Firewall | If enabled, DoS (Denial of Service) attacks will be detected and blocked. The default is enabled. It is strongly recommended that this setting be left enabled. Note: |
| Threshold | This setting affects the number of "half-open" connections allowed. A half-open connection is one whose TCP handshake has been started but not completed; a SYN flood works by creating many of these, so a lower threshold makes the DoS detection trigger sooner. |

| Options | Description |
|---|---|
| Respond to ICMP | The ICMP protocol is used by the "ping" and "trace route" programs, and by network monitoring and diagnostic programs. If enabled, the Broadband VPN Gateway answers such requests; if disabled, they are ignored. |
| Allow IPsec | The IPSec protocol is used to establish a secure connection, and is widely used by VPN (Virtual Private Networking) programs. |
| Allow PPTP | PPTP (Point to Point Tunneling Protocol) is widely used by VPN (Virtual Private Networking) programs. Its MS-CHAPv2 authentication and RC4-based encryption are known to be breakable, so prefer IPsec where you have the choice. |
| Allow L2TP | L2TP (Layer 2 Tunneling Protocol) is used by VPNs (Virtual Private Networks). It combines features of Cisco's L2F and PPTP, provides no encryption of its own, and is normally run over IPsec. |
| Allow TFTP firmware upgrade | If enabled, TFTP (Trivial FTP) connections can be made to this device. TFTP has no authentication, so enable this only while a firmware upgrade is actually being performed. |
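To show what the DoS Firewall's "half-open" Threshold counts, here is an added Python tracker (example code, not the gateway's implementation) run over constructed traffic: a client that completes its handshake frees its entry, while a SYN flood from spoofed sources that never completes fills the table up to the threshold. Dropping further SYNs once the threshold is reached and the 30 second timeout are assumed policies; the page only says that the threshold affects the number of half-open connections allowed.

```python
from collections import OrderedDict


class HalfOpenTracker:
    """Counts TCP connections that are "half-open": a SYN has been seen but
    the handshake was never completed. The DoS firewall's Threshold is a
    limit on how many of these are tolerated at once."""

    def __init__(self, threshold: int, timeout: float = 30.0):
        self.threshold = threshold
        self.timeout = timeout            # seconds before a stale SYN is forgotten (assumed)
        self.half_open = OrderedDict()    # (src, sport, dst, dport) -> time of SYN
        self.dropped = 0

    def _expire(self, now: float) -> None:
        # Entries are kept in SYN order, so the oldest is always first.
        while self.half_open:
            _, t = next(iter(self.half_open.items()))
            if now - t < self.timeout:
                break
            self.half_open.popitem(last=False)

    def observe(self, now, src, sport, dst, dport, flags) -> str:
        """Process one client-side TCP segment; returns "pass" or "drop"."""
        self._expire(now)
        key = (src, sport, dst, dport)
        if flags == "SYN":
            if len(self.half_open) >= self.threshold:
                # Threshold reached: treat the new SYN as flood traffic and
                # drop it. (Assumed policy: the page does not state what the
                # gateway does once the threshold is crossed.)
                self.dropped += 1
                return "drop"
            self.half_open[key] = now
        elif flags in ("ACK", "RST", "FIN"):
            self.half_open.pop(key, None)    # handshake completed or torn down
        return "pass"

    def count(self) -> int:
        return len(self.half_open)


def demo(threshold: int = 50):
    """Constructed traffic: one legitimate handshake, then a SYN flood from
    spoofed sources that never send the final ACK."""
    tracker = HalfOpenTracker(threshold)
    tracker.observe(0.0, "198.51.100.7", 40000, "192.168.0.5", 443, "SYN")
    tracker.observe(0.1, "198.51.100.7", 40000, "192.168.0.5", 443, "ACK")
    legit_after = tracker.count()                              # 0: completed

    verdicts = [
        tracker.observe(1.0 + i * 0.001, f"203.0.113.{i % 250 + 1}", 1024 + i,
                        "192.168.0.5", 80, "SYN")
        for i in range(80)
    ]
    flood_peak = tracker.count()                               # capped at threshold

    # Much later the stale half-open entries have timed out, so a new SYN
    # is accepted again.
    tracker.observe(100.0, "198.51.100.7", 40001, "192.168.0.5", 443, "SYN")
    after_timeout = tracker.count()

    return {
        "legit_after": legit_after,
        "passed": verdicts.count("pass"),
        "dropped": verdicts.count("drop"),
        "flood_peak": flood_peak,
        "after_timeout": after_timeout,
    }


if __name__ == "__main__":
    print(demo())
```

Setting the threshold too low has a cost as well: a busy but legitimate server behind the gateway can have dozens of handshakes in flight at once, and every one of them counts against the same limit.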
This screen is accessed by the Scheduling link on the Security menu.
Figure 42: Define Schedule Screen
| Field | Description |
|---|---|
| Day | Each day of the week can be scheduled independently. |
| Session 1, Session 2 | Two (2) separate sessions or periods can be defined. Session 2 can be left blank if not required. |
| Start Time | Enter the start time using a 24 hr clock. |
| Finish Time | Enter the finish time using a 24 hr clock. |
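As an added example (not from the original manual) tying the Scheduling screen to the "Block by Schedule" option of the Access Control screen, the Python model below defines groups with blocked Services and members, a "Default" group that cannot have members added, and a per-day schedule of up to two sessions in 24 hr clock time. Keying members by MAC address, the group names beyond "Default", and the policy itself are constructed for illustration, and rejecting a finish time earlier than the start time is an assumption, since the page does not say how the gateway handles that case.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Dict, List, Set

DAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")   # datetime.weekday() order


@dataclass(frozen=True)
class Session:
    """One session from the Define Schedule screen (24 hr clock). The page
    does not say how a finish time earlier than the start is treated, so
    this example rejects it rather than guessing."""
    start: time
    finish: time

    def __post_init__(self):
        if self.finish <= self.start:
            raise ValueError("finish time must be later than start time")

    def contains(self, t: time) -> bool:
        return self.start <= t < self.finish


@dataclass
class Group:
    blocked_services: Set[str] = field(default_factory=set)   # empty = unrestricted
    block_by_schedule: bool = False
    members: Set[str] = field(default_factory=set)             # PCs keyed by MAC (assumption)


class AccessControl:
    def __init__(self, schedule: Dict[str, List[Session]]):
        self.schedule = schedule          # day -> up to two sessions; missing day = none
        self.groups = {"Default": Group()}

    def define_group(self, name, blocked_services, block_by_schedule=False):
        self.groups[name] = Group(set(blocked_services), block_by_schedule)

    def add_member(self, name, mac):
        """The Default group cannot have members added; it holds every PC
        that is not allocated to another group."""
        if name == "Default":
            raise ValueError('members cannot be added to the "Default" group')
        for g in self.groups.values():      # a PC belongs to at most one group
            g.members.discard(mac)
        self.groups[name].members.add(mac)

    def group_of(self, mac):
        for name, g in self.groups.items():
            if mac in g.members:
                return name
        return "Default"

    def in_schedule(self, now: datetime) -> bool:
        sessions = self.schedule.get(DAYS[now.weekday()], [])
        return any(s.contains(now.time()) for s in sessions)

    def is_blocked(self, mac, service, now: datetime) -> bool:
        g = self.groups[self.group_of(mac)]
        if service not in g.blocked_services:
            return False
        # "Block by Schedule" only narrows an existing block to scheduled times;
        # it never blocks anything by itself.
        return self.in_schedule(now) if g.block_by_schedule else True


def build_demo():
    """Constructed policy: Group 1 may not use HTTP/FTP during office hours,
    Group 2 may never use HTTP, everyone else is unrestricted."""
    office = [Session(time(9, 0), time(12, 0)), Session(time(13, 0), time(17, 0))]
    ac = AccessControl({day: office for day in DAYS[:5]})     # Mon to Fri only
    ac.define_group("Group 1", {"HTTP", "FTP"}, block_by_schedule=True)
    ac.define_group("Group 2", {"HTTP"})                      # blocked at all times
    ac.add_member("Group 1", "00:11:22:33:44:55")
    ac.add_member("Group 2", "00:aa:bb:cc:dd:ee")
    return ac


if __name__ == "__main__":
    ac = build_demo()
    for when in (datetime(2024, 1, 15, 10, 0), datetime(2024, 1, 15, 12, 30),
                 datetime(2024, 1, 20, 10, 0)):
        print(when, ac.is_blocked("00:11:22:33:44:55", "HTTP", when))
```

Because membership is decided by the PC's address, the restriction is only as strong as that identifier: a PC that changes its MAC address falls back into the "Default" group, so Access Control is a policy tool for cooperative users, not a security boundary.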
Services are used in defining traffic to be blocked or allowed by the Access Control or Firewall Rules features. Many common Services are pre-defined, but you can also define your own services if required.
To view the Services screen, select the Services link on the Security menu.
| Available Services | Description |
|---|---|
| Available Services | This lists all the available services. |
| "Delete" button | Use this to delete any Service you have added. Pre-defined Services cannot be deleted. |

| Add New Service | Description |
|---|---|
| Name | Enter a descriptive name to identify this service. |
| Type | Select the protocol (TCP, UDP, ICMP) used to connect to the remote system or service. |
| Start Port | For TCP and UDP Services, enter the beginning of the range of port numbers used by the service. If the service uses a single port number, enter it in both the "Start" and "Finish" fields. |
| Finish Port | For TCP and UDP Services, enter the end of the range of port numbers used by the service. If the service uses a single port number, enter it in both the "Start" and "Finish" fields. Keep the range as narrow as the service needs; a wide range blocks or allows more traffic than intended wherever the Service is used. |
| ICMP Type | For ICMP Services, enter the type number of the required service. |

| Buttons | Description |
|---|---|
| Delete | Delete the selected service from the list. |
| Add | Add a new entry to the Service list, using the data shown in the "Add New Service" area on screen. |
| Cancel | Clear the "Add New Service" area, ready for entering data for a new Service. |