Lancom Systems 1611+ LS61137 Benutzerhandbuch

LANCOM 1611+

Stateful inspection firewall

Direction-dependant check based on connection information

Paket filter

Check based on the header information of an IP packet (IP or MAC source/destination addresses; source/destination ports,
DiffServ attribute); remote-site dependant, direction dependant, bandwidth dependant

Masquerading

Network Address Translation (NAT), N:N mapping for the translation or masking of IP addresses

Port mapping

Provision of services from behind masqueraded computers, for example, to make an internal web server available from the 
outside (inverse masquerading)

Tagging

The firewall marks packets with routing tags, e.g. for policy-based routing

Actions

Forward, drop, reject, block sender address, close destination port, disconnect

Alerting

Via e-mail, SYSLOG or SNMP trap

Traffic shaping

Dynamic bandwidth management with IP traffic shaping

Load balancing

Dynamic reservation of minimum and maximum bandwidths, absolute or connection-related, separate settings for send and
receive directions

DiffServ/TOS

Priority packet queuing based on DiffServ/TOS fields 

Packet size control

Automatic packet size control by fragmentation or Path Maximum Transmission Unit (PMTU) adjustment

Intrusion prevention

Monitoring and blockage of login attempts and port scans

IP spoofing

Source IP address check on all interfaces: The only accepted IP addresses belong to the previously defined IP network

Acccess control lists

Filtering of IP or MAC addresses and preset protocols for configuration access and LANCAPI

Denial-of-Service protection

Protection from fragmentation errors and SYN flooding

General

Detailed settings for handling reassembly, PING, stealth mode and AUTH port

URL blocker

Filtering of unwanted URLs based on DNS hitlists and wildcard filters

Password protection

Password-protected configuration access can be set for each interface

Alerting

Warning via e-mail, SNMP-Traps and SYSLOG

Authentication protocols

PAP, CHAP and MS-CHAP as PPP authentication mechanism

Theft protection

Anti-theft ISDN site verification (self-initiated call back and blocking)

VRRP

VRRP (Virtual Router Redundancy Protocol) for vendor-independent backup in case of failure of a device or remote station.
Enables passive standby groups or reciprocal backup between multiple active devices including load balancing and freely 
definable backup priorities

FirmSafe

For completely safe software upgrades thanks to two stored firmware versions, incl. test mode for firmware updates

ISDN backup

In case of failure of the main connection, a backup connection is established over ISDN; automatic return to the main 
connection

Analog/GSM modem backup

Optional operation of an analog or GSM modem at the serial interface

Load balancing

Static and dynamic load balancing over up to 2 WAN connections; channel bundling with Multilink PPP (if supported by 
network operator)

VPN redundancy

Configuration of redundant WAN connections with optional load balancing

Line monitoring

Line monitoring with LCP echo monitoring, up to 4 addresses for end-to-end monitoring with ICMP polling

Number of VPN tunnels

5 IPSec connections active simultaneously, 25 connections configurable

IKE

IPSec key exchange with Preshared Key or certificate

Certificates

X.509 digital certificate support, compatible with Microsoft Server / enterprise server and OpenSSL, upload of PKCS#12 files via
HTTPS interface

Algorithms

3DES (168 bit), AES (128, 192 or 256 bit), Blowfish (128 - 448 bit), RSA (128 or -448 bit) and CAST (128 bit); MD-5 or SHA-1
hashes

NAT traversal

NAT traversal (NAT-T) support for VPN over routes without VPN passthrough

IPCOMP

VPN data compression based on LZS or deflate compression algorithms for higher IPSec throughput 

LANCOM Dynamic VPN

Enables VPN connections from or to dynamic IP addresses. The IP address is communicated via ISDN B- or D-channel or with
the ICMP or UDP protocol in encrypted form