YBET computer store

The HARDWARE 2 course: Server, network and communication


17. Exercise: connecting a hardware router - firewall to an RJ45 ADSL modem.


17.1. Introduction - 17.2. Tornado Copperjet 812 ADSL modem - 17.3. Hardware router - firewall - switch - 17.4. Network and Internet settings of the connected PCs - 17.5. Log of an Internet connection.

17.1. Introduction

Without practice, theory is of little use. This Internet connection sharing exercise goes back over the connection and configuration of a hardware router - firewall behind an RJ45 ADSL modem (a modem - router used as a bridge, that is as a plain ADSL modem), the whole connected to an Ethernet network. This is a protected, professional installation intended for companies.

If you buy the modem directly from your Internet access provider, no problem: it is configured from a provider-specific file. If, on the other hand, you buy the equipment elsewhere, you practically have to reinvent the wheel, without technical support. The tips given here will make life easier for other ADSL connections too. The Internet parameters given below are specific to the Belgian access provider SKYNET.

17.2. The ADSL modem - router

The ADSL modem is a Tornado Copperjet 812 from Allied Data, an RJ45 ADSL modem with an integrated router, accepting up to 8 Mb/s downstream (Internet towards PC) if the subscription allows it.

On the front, 6 LEDs show the ADSL connection speed, 2 the type of connection, 1 LED the presence of the ADSL signal, 1 transmission and 1 reception. One LED shows the presence of an Ethernet link.

The front also has a button that restores the manufacturer's factory configuration (hold it down for 5 to 10 seconds).

On the back, one RJ45 Ethernet socket towards the network or the network card, and one socket for the telephone cable of the ADSL line.

Two connection layouts are proposed.

Either connection to a hub (or a switch). The device is then used as an ADSL router and shares the Internet connection directly.

Or connection directly to a PC fitted with a 10 (or 100) Mb/s Ethernet network card. In this case the device is used as an ADSL modem.

We will use a connection similar to the second layout. The second device (the hardware firewall - router) described below will act as the router, and the Tornado will be used in bridge mode ("Pont mode", in the end as a plain modem). Note the difference in the RJ45 cabling: for a direct connection to a PC a crossover RJ45 cable is used. In our case, since the modem is connected to a router and not to a hub, we also use a crossover cable (ports that auto-detect the cable type, common on recent equipment, accept either).

TORNADO modems are solid but come with systematically complex documentation and... a configuration done through an application program. This often causes problems with new operating systems (incompatible programs). The ADSL modem must be connected directly to a network card to be configured. Installing the program is within reach of any computer user. After installation, two programs are available: a configuration tool and a monitor. The monitor lets you check the firmware version.

Since the modem can only be configured over a direct connection, let us start with that.

Using this modem requires loading a profile (a specific file). Click Edit/New profile to create one. Once the file is saved, the following window appears, listing all the modes in which this modem can be used. We will go through them in turn, each time with its use and its configuration.

17.2.1. Bridged mode (bridge)

Bridge mode connects the modem as a pure bridge. In this mode we use only the modem part of the router; all the other functions are disabled (login and password, NAT, the optional firewall...). In the window, we enter:

1. LAN IP address: chosen by the user from the private range 192.168.0.0 to 192.168.255.255 (the RFC 1918 class C block). This is the range of the internal network addresses. Let us choose for example 192.168.1.2. We will keep this address in all the following cases.

2. Subnet mask. In most cases this mask is 255.255.255.0.

3. The gateway address, typically that of the router: let us take 192.168.1.1.

4. VPI/VCI. First problem: these values are seldom provided (they depend on the provider; the Skynet values are given in 17.2.4).

5. PCR (Peak Cell Rate, the maximum ATM cell rate). This number must be between 0 and 500000 here. Since it represents the maximum speed, I enter 500000. Note that on another router the default value was 864000.

6. Packet Filter: data filtering, either none (the default), or only PPP packets are forwarded, or only IP. Leave the default in most cases.

Leave the other settings at their defaults.

7. DNS relay should be the TCP/IP address of the modem; in bridged mode it is not needed.

17.2.2. Routed mode, modem installed on a hub.

This mode routes between the local area network and a WAN network with a fixed IP address.

The parameters are practically identical, except that:

You must specify the WAN (Internet) address. For an ADSL connection with a fixed TCP/IP address, this is the working method.

In this case you can also use the modem as a DHCP server (automatic assignment of TCP/IP addresses). The other data are identical to bridged mode.

17.2.3. PPPoA mode.

This PPPoA mode and the PPPoE mode that follows are used for a direct Internet connection (the case where the modem is connected directly to a network adapter). In Europe, both PPPoE and PPPoA are in use; which one applies depends on the modem type and on the provider. In theory, PPPoE is used by RJ45 modems and PPPoA by USB modems. When configuring a TORNADO 810 (the successor of the 812 presented here, with an integrated firewall) on a tiscali.be subscription, only PPPoA mode worked.

A big difference from the preceding modes: here you must enter the login and the password supplied by the access provider. As a reminder, the login has the form login@provider.

For Skynet, it is of the form gv52222@SKYNET.

The password is the one supplied by the access provider.

The PAP/CHAP authentication protocol has to be tested for each provider.

VPI/VCI is specific to the provider.

NAT (address translation) must be checked when your LAN address differs from your WAN address, which is the case in the large majority of installations.

The program then asks for the connection type. In our case it is Ethernet, and we enter the usual address and mask: 192.168.1.2 - 255.255.255.0. This address is needed for the later configuration (direct connection case). Enter the DNS relay address. This should be the DNS address given to the local network (on each station), but it is not compulsory to enter one, in particular with Windows 2000, XP and later, which pick it up automatically. We will look at the DHCP server later.

17.2.4. PPPoE mode (Point-to-Point Protocol over Ethernet), the default mode in Europe for a direct connection.

The configuration is identical to PPPoA, except that NAT is checked by default and that the PAP/CHAP choice is not offered.

1. Username, for example gv52222@SKYNET

2. Password supplied by the Internet access provider

3. VPI/VCI: 8/35, depending on the access provider (more often on the country).

4. NAT checked.

5. Ethernet in our case, still with address 192.168.1.2 and mask 255.255.255.0

6. DNS relay. This should be the DNS address given to the local network (on each station), but it is not compulsory to enter one, in particular with Windows 2000, XP and later, which pick it up automatically.

17.2.5. Other modes: PPTP and IPoA

These are hybrid modes that I will not cover.

17.2.6. In the end.

With a connection through a router, the mode used is bridged; with a connection through a hub or directly on-line, the connection mode is PPPoE. The only difference between a direct connection and a connection through a hub lies in the gateway, which can be set in the PC's network configuration (it is not always necessary). In the network settings, select TCP/IP on the network card and enter the TCP/IP address of the gateway, in our case the modem's address 192.168.1.2 (do not forget to click Add).

That is all for the modem. This part is enough for all ADSL modem connections. For small modems, keep at least the VPI/VCI values.

17.2.7. DHCP server configuration

This mode lets the modem assign TCP/IP addresses to the stations automatically (careful with Windows 2000 and XP). In the most common cases it is not necessary.

The DHCP server address is the network address, ending in 0, always with mask 255.255.255.0; the server address is therefore 192.168.1.0. As a reminder, DHCP lets one device hand out an IP address to every device connected to the network.

Range sets the range of addresses that will be assigned to the stations. In our case, 192.168.1.10 to 192.168.1.30.

The Router address must be the one given to the modem, i.e. 192.168.1.2.

17.3. Hardware router - firewall - 4-port switch.

17.3.1. Introduction.

The router - firewall is made by Zero One Technology. This model has a 4-port switch, a connection towards an RJ45 ADSL modem (hence the use of the Copperjet 812 above), a router and an integrated hardware firewall.

Several devices of this type exist from practically every brand, some with an integrated modem, others without... the choice is broad enough.

These devices are configured by telnet (which sends the password in clear over the LAN) or through a web interface, by typing the device's address directly into Internet Explorer's address bar. For the device above, you must configure your PC's TCP/IP connection either to obtain an address automatically or to belong to the same group, 192.168.1.X, knowing that the router's default address is 192.168.1.1. In Internet Explorer's connection settings, do not use a proxy at this stage, otherwise you will not reach the router (or else use "Bypass proxy server for local addresses" with the router's address as an exception).

After typing the device's address in the address bar, you log in with the login and password specific to the device.

17.3.2. ADSL Configuration

Let us start by configuring the ADSL connection.

Use PPPoE: Yes (necessarily).

Username and password are supplied by the access provider.

The Service Name is sometimes supplied by the access provider; otherwise leave it empty.

"Connect one demand" makes it possible to cut connection (and of reconnected) after 120 minutes, but less is clearly advised.

If the ADSL subscription includes a fixed Internet TCP/IP address, it must be entered under "Fixed Address".

This second part configures TCP/IP.

Either your Internet TCP/IP address is supplied automatically by the access provider (Obtain IP address automatically), or it is fixed and supplied by the provider.

The primary and secondary DNS parameters are supplied by your access provider. Those above are Skynet's.

For Planet Internet, the primary and secondary DNS are 194.119.232.3 and 194.119.232.2. For Tiscali (Belgium), the primary DNS is 212.35.2.1 and the secondary 212.35.2.2. All these parameters can change. The DNS addresses entered here must match those set in the DNS of your network adapter, otherwise you will not be able to browse (but other connections work).

17.3.3. IP/LAN configuration

This part configures the router on the internal network. We give it an address (here 192.168.1.1) and a subnet mask (255.255.255.0).

The "Default gateway" address is generally that of the router (LAN IP address) and must be entered in the network configuration of each PC.

NAT must always be checked.

Other settings change the passwords and the router's internal clock. The clock is used by the firewall function (it timestamps the log).

17.3.4. Other settings

Other settings let the router act as a DHCP server (cf. the modem) or be configured as a DMZ (demilitarized zone, with 2 routers).....

17.3.5. Integrated hardware firewall.

I will not go too far into the details since they are specific to this device; only the basic settings.

Obviously, you enable the firewall protection. By default, you let (forward) connections from the LAN (internal network) to the WAN (Internet) pass. Otherwise, when something is blocked, it is difficult to tell which port is blocked.

The next setting blocks incomplete (half-open) TCP/IP connections beyond a certain number per minute (one is never too careful).

DoS (Denial of Service) attacks are floods of packets, often deliberately incomplete or malformed, aimed at a given Internet address. The target tries to reassemble or answer them and finally "collapses" under the load. The rate limit above is aimed at the classic SYN flood, where the TCP handshake is started but never completed.

Port 139 is used by NetBIOS for Windows file and printer sharing over the network (together with 137 and 138). To prevent sharing of resources (hard disks and folders) over the Internet: No.

Enable remote management... lets the router be configured from the Internet; not very advisable, only for limited periods.

The last option stops the router answering pings coming from the Internet (IP address scans, the DOS ping command).

Other options prohibit ranges of addresses or ports from the LAN towards the Internet and vice versa.

The next part sends a mail to a given address (here mine) if there is an attack, or, in the lower box, mails the LOG file.

17.3.6. TCP and UDP ports to open on the firewall

In the settings of this type of firewall, you can block all TCP and UDP ports and open only some of them.

17.4. Settings on the PC.

Once the settings are made on the various devices, the installation still has to be connected. This is done in two parts: the settings of the internal network connection and the settings of the Internet connection.

17.4.1. Network settings and Internet connection.

As for all Internet connections, the TCP/IP protocol must be installed on your network card. Go back to the configuration settings of each PC and select the network card that will be connected (possibly via a switch or hub) to the router.

Displaying the TCP/IP properties of this network card brings up the following window.

The IP Address can either be left automatic (by DHCP) or specified. With an automatic address, the configuration of the stations is automated and there is no risk of address conflicts. On the other hand, specifying an address has several advantages. First, a fixed address lets you find, from that single address, which PC is attempting indelicate connections. Second, by playing with the firewall, one can use the TCP/IP address to refuse certain PCs (via their IP address) access to the Internet. For example, one can allow addresses 192.168.1.1 to 192.168.1.100 to connect but not addresses 192.168.1.101 to 192.168.1.254. The subnet mask must always be set to 255.255.255.0. For sharing with a PC running Microsoft Windows XP, this is almost the only possible connection method. Note that if you do not want a PC to be able to connect to the Internet, it is enough not to use TCP/IP as its protocol, for example to use NetBEUI or IPX for network connections. Such PCs are consequently completely hidden from an intrusion coming over the network (except through the takeover of another PC that can reach them).

The WINS configuration parameters do not matter here. Let us look at the gateway. It must be set to that of the router, i.e. in our case 192.168.1.1; without it, a PC with a fixed address cannot reach anything outside the local network.

DNS configuration is not compulsory, but many connections do not work without it. Out of habit, I enter it. It must be identical to what is set in the router (otherwise Internet Explorer does not work). The domain and host name do not matter but must be filled in under Windows 98. The parameters below are Skynet's. Careful: enter the primary DNS first, then the secondary. Planet Internet's are, in order, 194.119.232.3 and 194.119.232.2.
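The address plan used across 17.2.7 (modem DHCP range), 17.3.3 (router LAN address) and 17.4.1 (fixed PC addresses and the allowed range), checked for consistency in an added example. This is example code written for this page, not a tool from YBET or from either manufacturer; the plan values are the ones chosen in this exercise (the DNS pair is the Planet Internet one quoted above) and the function names are assumptions. It also covers a case the text only implies: a device address mistyped into another network, or a fixed PC address placed inside the DHCP pool, is reported as a problem.

```python
from ipaddress import ip_address, ip_network

# Address plan of this exercise (added example). The provider DNS pair is the
# Planet Internet one quoted on the page; the dict layout is an assumption.
PLAN = {
    "lan": "192.168.1.0/24",                              # internal network, mask 255.255.255.0
    "router_lan": "192.168.1.1",                          # router - firewall, default gateway of the PCs
    "modem_lan": "192.168.1.2",                           # Copperjet 812 LAN address (bridge mode)
    "dhcp_pool": ("192.168.1.10", "192.168.1.30"),        # range handed out by DHCP
    "allowed_egress": ("192.168.1.1", "192.168.1.100"),   # PCs allowed to reach the Internet
    "provider_dns": ("194.119.232.3", "194.119.232.2"),   # primary first, then secondary
}


def check_plan(plan):
    """Return the list of inconsistencies in an address plan (empty list = consistent)."""
    problems = []
    lan = ip_network(plan["lan"])
    fixed = {"router_lan": ip_address(plan["router_lan"]),
             "modem_lan": ip_address(plan["modem_lan"])}
    for name, addr in fixed.items():
        if not addr.is_private:
            problems.append(f"{name} {addr} is not an RFC 1918 private address")
        if addr not in lan:
            problems.append(f"{name} {addr} is outside the LAN {lan}")
        elif addr in (lan.network_address, lan.broadcast_address):
            problems.append(f"{name} {addr} is the network or broadcast address")
    if fixed["router_lan"] == fixed["modem_lan"]:
        problems.append("router and modem share the same LAN address")
    lo, hi = (ip_address(a) for a in plan["dhcp_pool"])
    if lo > hi:
        problems.append("DHCP pool start is above its end")
    if lo not in lan or hi not in lan:
        problems.append(f"DHCP pool {lo}-{hi} is not inside {lan}")
    for name, addr in fixed.items():
        if lo <= addr <= hi:
            problems.append(f"{name} {addr} lies inside the DHCP pool")
    if len(plan["provider_dns"]) != 2 or len(set(plan["provider_dns"])) != 2:
        problems.append("two distinct DNS servers (primary, secondary) are expected")
    return problems


def egress_allowed(plan, pc_addr):
    """The 17.4.1 rule: only PCs inside the allowed range may go out to the Internet."""
    lo, hi = (ip_address(a) for a in plan["allowed_egress"])
    return lo <= ip_address(str(pc_addr)) <= hi


def pc_config(plan, pc_addr):
    """TCP/IP settings to type on a PC with a fixed address; raises if the address collides."""
    lan = ip_network(plan["lan"])
    addr = ip_address(pc_addr)
    lo, hi = (ip_address(a) for a in plan["dhcp_pool"])
    if addr not in lan or addr in (lan.network_address, lan.broadcast_address):
        raise ValueError(f"{addr} is not a usable host address in {lan}")
    if addr in (ip_address(plan["router_lan"]), ip_address(plan["modem_lan"])):
        raise ValueError(f"{addr} is already used by the router or the modem")
    if lo <= addr <= hi:
        raise ValueError(f"{addr} is inside the DHCP pool {lo}-{hi}: risk of conflict")
    return {
        "ip": str(addr),
        "netmask": str(lan.netmask),
        "gateway": plan["router_lan"],           # must be the router's LAN address
        "dns": list(plan["provider_dns"]),       # must match the DNS set in the router
        "internet_allowed": egress_allowed(plan, addr),
    }


if __name__ == "__main__":
    print("plan problems:", check_plan(PLAN) or "none")
    print(pc_config(PLAN, "192.168.1.97"))
    print("mistyped modem address:", check_plan(dict(PLAN, modem_lan="198.162.1.2")))
```

Running the block prints an empty problem list for the plan above, the settings for a PC at 192.168.1.97, and the two errors raised when the modem address is typed into another network.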

After restarting the PC (at least under Windows 98), all that remains is to set up the Internet connection for this ADSL connection sharing through the router.

17.4.2. Internet connection settings.

Start Internet Explorer. If it does not detect the connection, cancel the attempt. In the Tools menu, select "Internet Options". In the Connections tab, click the Setup button.

Check the box "I want to set up my Internet connection manually, or I want to connect through a local area network (LAN)", then "I connect through a local area network (LAN)". Leave automatic proxy detection on at this stage. If your mail client is already configured, you do not need to configure it again.

In the same tab, click the "LAN Settings" button.

To use your access provider's proxy (here Skynet), check the corresponding box and enter the address supplied by the ISP. In that case, if you use specific connections (the banking software ISABEL for example) or want access to the router's configuration from this PC, you must check the box "Bypass proxy server for local addresses" and click the "Advanced" button.

In the exceptions, enter the router's IP address and the other desired exceptions. Once these changes are accepted, your connection works automatically.

A few precautions nevertheless: untick the box "Check for new messages every 30 minutes" in your mail client's settings. Since the communication towards the Internet is transparent, any program can connect to the Internet whenever it wants. With this option, the connection stays permanently open, which creates security risks (even if the firewall covers a large part of the communications, it is better to remain careful).

17.5. Some examples from the life of an Internet connection

Here are some examples from the LOG file of the hardware firewall (with a non-permanent WAN TCP/IP address), a digest from different protected systems.

The last address is that of the PC on the internal network at the time of the connection. Not all lines are necessarily intrusion attempts from the Internet: one finds official IANA ports (but nothing says another application is not using them), ports typical of a Trojan, ports in use but closed (ICQ, MSN Messenger...), harmless ICMP "attacks" (a ping)... Some probes test the router itself, others reach a PC directly (destination addresses of the 192.168.X.X type). The messages come as much over TCP as over UDP.
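Parsing and tagging of the log lines quoted in this section, as an added example (written for this page; not the firewall's own tooling). The port watch-list is an assumption built from the port tables below, and the tagging rules (attack lines, blocked outbound attempts, probes to the router versus packets the firewall has already translated towards an internal PC, repeated attempts from one LAN host) simply encode the reading of the log given above. The sample lines are copied from this page's excerpts, with their irregular spacing kept on purpose.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Watch-list assembled from the port tables on this page (an assumption: the firewall
# keeps no such list, a practitioner maintains it). 6667 is also plain IRC, hence the ambiguity.
TROJAN_PORTS = {6667: "Trinity / WinSatan / Schedule Agent (or legitimate IRC)",
                31789: "Hack'a'Tack"}
REMOTE_CONTROL_PORTS = {5632: "pcANYWHEREstat"}

# One log line: <tag> <Mon> <day> <hh:mm:ss> <year> - <reason> - <proto> [ <iface>, <src>, <dst>:<port> ] - [ <action> ]
# Whitespace around the brackets varies from line to line, so every separator is matched loosely.
LOG_RE = re.compile(
    r"^\S+\s+(?P<mon>[A-Za-z]{3})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+(?P<year>\d{4})"
    r"\s+-\s+(?P<reason>.+?)\s+-\s+(?P<proto>\S+)\s*"
    r"\[\s*(?P<iface>\w+)\s*,\s*(?P<src>[\d.]+)\s*,\s*(?P<dst>[\d.]+):(?P<port>\d+)\s*\]"
    r"\s*-\s*\[\s*(?P<action>\w+)\s*\]"
)


def parse_line(line):
    """Parse one firewall log line into a dict, or return None for lines in another format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["port"] = int(ev["port"])
    ev["proto"] = ev["proto"].upper()
    ev["month"] = ev.pop("mon").capitalize()   # the log mixes "May" and "DEC"
    return ev


def classify(ev):
    """Tags for one event, following the reading of the log given on this page."""
    tags = []
    if "attack" in ev["reason"]:                        # ICMP attack, tear drop attack, ...
        tags.append("attack:" + ev["reason"].replace(" ", "_"))
    if ev["iface"] == "lan":
        tags.append("outbound_blocked")                 # a LAN host tried to go out and was refused
    elif ip_address(ev["dst"]).is_private:
        # The firewall already translated the destination: the packet was aimed at a
        # NAT mapping of an internal PC (typically a late reply to a session that PC opened).
        tags.append("inbound_to_lan_host")
    else:
        tags.append("inbound_to_router")                # aimed at the public WAN address
    if ev["port"] in TROJAN_PORTS:
        tags.append("trojan_port")
    if ev["port"] in REMOTE_CONTROL_PORTS:
        tags.append("remote_control_port")
    return tags


def analyse(log_text):
    """Summarise a log: parsed event count, tag counts, and LAN hosts that retry the same target."""
    events = [ev for ev in (parse_line(l) for l in log_text.splitlines()) if ev]
    tags = Counter(t for ev in events for t in classify(ev))
    outbound = Counter((ev["src"], ev["dst"], ev["port"]) for ev in events if ev["iface"] == "lan")
    repeated = {key: n for key, n in outbound.items() if n >= 2}
    return {"events": len(events), "tags": tags, "repeated_outbound": repeated}


# Sample input: lines copied from the log excerpts on this page.
SAMPLE_LOG = """
Kill May 07 07:58:44 2002 - policy rule - TCP    [ wan, 213.36.127.59, 192.168.1.152:1371 ]                - [ discard ]
Kill May 07 10:37:42 2002 - ICMP attack - ICMP    [ wan, 213.36.100.179, 217.136.190.170:0 ]           - [ discard ]
Kill DEC 17 18:27:40 2002 - policy rule - TCP    [ lan, 192.168.1.97, 213.177.65.17:6667 ]     - [ discard ]
Kill DEC 17 18:27:42 2002 - policy rule - TCP    [ lan, 192.168.1.97, 213.177.65.17:6667 ]     - [ discard ]
Kill DEC 17 18:08:08 2002 - policy rule - UDP    [ wan, 80.200.150.123,217.136.155.190:27015]   -[discard ]
Kill DEC 17 23:11:02 2002 - policy rule - UDP    [wan, 217.136.191.74, 217.136.155.190:5632] - [discard]
Wed DEC 18 14:40:20 2002 - policy rule - UDP    [wan, 217.136.26.127, 217.136.155.190:31789] - [discard ]
Sat DEC 21 20:12:49 2002 - tear drop attack - any    [ wan, 192.9.200.32, 217.136.155.185:0] - [discard]
"""

if __name__ == "__main__":
    summary = analyse(SAMPLE_LOG)
    print(summary["events"], "events")
    for tag, n in sorted(summary["tags"].items()):
        print(f"  {tag}: {n}")
    for (src, dst, port), n in summary["repeated_outbound"].items():
        print(f"  {src} retried {dst}:{port} {n} times")
```

The value of the parser is in what the tags separate: two events on 6667 from the same LAN host are an outbound problem to look at on that PC, whereas a 31789 probe to the WAN address is noise the firewall already absorbed.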


Port lookup: FC-CLI | 1371 | TCP | Fujitsu Config Protocol | official IANA port, or...?

Kill May 07 07:58:44 2002 - policy rule - TCP    [ wan, 213.36.127.59, 192.168.1.152:1371 ]                - [ discard ]


A ping: somebody is having fun.

Kill May 07 10:37:42 2002 - ICMP attack - ICMP    [ wan, 213.36.100.179, 217.136.190.170:0 ]           - [ discard ]
Kill May 07 10:37:45 2002 - ICMP attack - ICMP    [ wan, 213.36.100.179, 217.136.190.170:0 ]           - [ discard ]

From a PC, always the same one. Since the outbound attempts did not recur, more likely an application than a Trojan (no need to be paranoid, but stay lucid). Port 6667 is ambiguous:

Port lookup for 6667 (name | port | protocol | description | source):
Trinity | 6667 | TCP | Trojan
WinSatan | 6667 | TCP | Trojan
Schedule Agent | 6667 | TCP | Trojan
ircd | 6667 | TCP | Internet Relay Chat | IANA
ircd | 6667 | UDP | Internet Relay Chat | IANA
ircu | 6667 | TCP | IRCU | IANA
ircu | 6667 | UDP | IRCU | IANA


Kill DEC 17 18:27:40 2002 - policy rule - TCP    [ lan, 192.168.1.97, 213.177.65.17:6667 ]     - [ discard ]
Kill DEC 17 18:27:42 2002 - policy rule - TCP    [ lan, 192.168.1.97, 213.177.65.17:6667 ]     - [ discard ]
...


Games coming from outside (27015 is the default Half-Life game server port).
Kill DEC 17 18:08:08 2002 - policy rule - UDP    [ wan, 80.200.150.123,217.136.155.190:27015]   -[discard ]


Why not probe for pcAnywhere while you are at it.

Port lookup for 5632:
pcanywherestat | 5632 | TCP | pcANYWHEREstat | IANA
pcanywherestat | 5632 | UDP | pcANYWHEREstat | IANA


Kill DEC 17 23:11:02 2002 - policy rule - UDP    [wan, 217.136.191.74, 217.136.155.190:5632] - [discard]


Unknown, and precisely not official ports. Since the destinations are internal PCs, the firewall has already translated these packets through a NAT mapping: most probably late replies to sessions the PCs themselves had opened.


Wed DEC 18 13:44:57 2002 - policy rule - TCP     [ wan, 193.201.103.100, 192.168.1.27:2193 ] - [ discard ]

Wed DEC 18 20:42:37 2002 - policy rule - TCP    [ wan, 80.200.248.200, 192.168.1.7:1223] - [ discard ]

Wed DEC 18 20:42:37 2002 - policy rule - TCP    [ wan, 80.200.248.201, 192.168.1.68:1233] - [ discard ]

Fri DEC 20 15:42:00 2002 - policy rule - TCP    [ wan, 193.201.103.91, 192.168.1.152:3524 ] - [ discard ]


Official IANA

Wed DEC 18 14:06:11 2002 -  policy rule - TCP    [ wan, 80.200.248.200, 192.168.1.4:2845] - [ discard ]
Wed DEC 18 14:36:18 2002 -  policy rule - TCP    [ wan, 80.200.248.200, 192.168.1.4:2848] - [ discard ]

Wed DEC 18 15:06:29 2002 -  policy rule - TCP    [ wan, 80.200.248.200, 192.168.1.4:2851] - [ discard ]


Official IANA port for the remote server control software of http://www.folio.com (not sure it makes sense here), and always on the same Win2000 PC.

Fri DEC 20 16:13:48 2002 - policy rule - TCP    [ wan, 80.200.248.200, 192.168.1.27:2242] - [ discard ]

Fri DEC 20 16:28:48 2002 - policy rule - TCP    [ wan, 80.200.248.200, 192.168.1.27:2242] - [ discard ]


Port lookup: Hack'a'Tack | 31789 | UDP | Trojan

Wed DEC 18 14:40:20 2002 - policy rule - UDP    [wan, 217.136.26.127, 217.136.155.190:31789] - [discard ]

Thu DEC 19 01:35:59 2002 - policy rule - UDP      [wan, 80.247.133.42, 80.200.156.74:31789] - [discard]    
Thu DEC 19 17:47:39 2002 - policy rule - TCP       [wan, 80.247.133.42, 80.200.156.74:31789] - [discard]


http://www.phonefree.com (an employee having fun?)

Fri DEC 20 16:20:53 2002 - policy rule - TCP [wan, 207.46.106.183, 192.168.1.119:1035] - [ discard ]


1812, an official port (1812/UDP is RADIUS authentication in the IANA registry) or CuSeeMe (a video conferencing program), but hitting the connection while nobody is in the company and coming from different source addresses (WAN).

Sat DEC 21 01:51:00 2002 - policy rule - UDP    [ wan, 195.250.78.242, 217.136.154.118:1812] - [discard]
Sat DEC 21 01:55:26 2002 - policy rule - UDP    [ wan, 218.1.36.50, 217.136.154.118:1812] - [ discard ]
Sat DEC 21 01:57:36 2002 - policy rule - UDP    [ wan, 202.54.74.81, 217.136.154.118:1812] - [ discard ]


A definitely more serious attack

Sat DEC 21 20:12:49 2002 - tear drop attack - any    [ wan, 192.9.200.32, 217.136.155.185:0] - [discard]

A TEARDROP consists of sending IP packets fragmented so that the fragments overlap (the offsets declared in the fragment headers are inconsistent). When the victim computer receives these fragments it tries to reassemble them; failing, the Windows kernel of the time (32-bit versions) crashes with a blue screen reporting a general protection error, and the only option left is to restart the computer. Teardrop, newtear and boink (similar attacks) can also affect Linux (kernels earlier than 2.0.32), Mac and Unix systems. The OOB (Out Of Band) data attack often mentioned alongside it is a different one, WinNuke, which targets NetBIOS port 139.

To get a rough location of the PC attempting the intrusion: tracert 202.54.74.81, for example, if that PC is not itself behind a firewall.

One last remark: LINKLOCAL addresses always start with 169.254 and have the form 169.254.X.X. Windows assigns itself such an address when no DHCP server answers; these addresses are reserved for private, internal use, are not routed, and cannot be used on computers taking part in Internet connection sharing. Seeing one on a PC usually means its DHCP request failed.


© YBET 2006