Lancom Systems 1781EF 62602 Benutzerhandbuch

Check based on the header information of an IP packet (IP or MAC source/destination addresses; source/destination ports, DiffServ attribute);
remote-site dependant and direction dependant

Packet filter

Network Address Translation (NAT) based on protocol and WAN address, i.e. to make internal webservers accessible from WAN

Extended port forwarding

N:N IP address mapping for translation of IP addresses or entire networks

N:N IP address mapping

The firewall marks packets with routing tags, e.g. for policy-based routing

Tagging

Forward, drop, reject, block sender address, close destination port, disconnect

Actions

SYSLOG (internally)

Notification

Monitoring and blocking of login attempts and port scans

Intrusion Prevention

Source IP address check on all interfaces: only IP addresses belonging to the defined IP networks are allowed

IP spoofing

Filtering of IP or MAC addresses and preset protocols for configuration access

Access control lists

Protection from fragmentation errors and SYN flooding

Denial of Service protection

Detailed settings for handling reassembly, PING, stealth mode and AUTH port

General

Password-protected configuration access can be set for each interface

Password protection

Alerts via SYSLOG (internally)

Alerts

PAP, CHAP, MS-CHAP and MS-CHAPv2 as PPP authentication mechanism

Authentication mechanisms

Adjustable reset button for 'ignore', 'boot-only' and 'reset-or-boot'

Adjustable reset button

For completely safe software upgrades thanks to two stored firmware versions, incl. test mode for firmware updates

FirmSafe

Backup of VPN connections across different hierarchy levels, e.g. in case of failure of a central VPN concentrator and re-routing to multiple distributed
remote sites. Any number of VPN remote sites can be defined (the tunnel limit applies only to active connections). Up to 32 alternative remote
stations, each with its own routing tag, can be defined per VPN connection. Automatic selection may be sequential, or dependant on the last
connection, or random (VPN load balancing)

VPN redundancy

Line monitoring with LCP echo monitoring, dead-peer detection and up to 4 addresses for end-to-end monitoring with ICMP polling

Line monitoring

Max. number of concurrent active IPSec and PPTP tunnels (MPPE): 5 (25 with VPN 25 Option). Unlimited configurable connections. Configuration
of all remote sites via one configuration entry when using the RAS user template or Proadaptive VPN.

Number of VPN tunnels

Integrated hardware acceleration for ESP encryption and decryption (data path)

Hardware accelerator

Integrated, buffered realtime clock to save the date and time during power failure. Assures timely validation of certificates in any case

Realtime clock

Generates high-quality randomized numbers in software

Random number generator

IPSec key exchange with Preshared Key or certificate (in software)

IKE

X.509 digital self signed certificates (no CA support), compatible with OpenSSL, upload of PKCS#12 files via SCP. Secure Key Storage protects a
private key (PKCS#12) from theft

Certificates

Configuration of all VPN client connections in IKE ConfigMode via a single configuration entry

RAS user template

Automated configuration and dynamic creation of all necessary VPN and routing entries based on a default entry for site-to-site connections.
Propagation of routes via RIPv2 if required

Proadaptive VPN

AES (128, 192 or 256 bit) and HMAC with SHA-1 / SHA-256 hashes

Algorithms

NAT-Traversal (NAT-T) support for VPN over routes without VPN passthrough

NAT-Traversal

90 Mbps

1418-byte frame size UDP

123 Mbps

1518-byte frame size UDP

IP-Router

Router

Separate processing of 16 contexts due to virtualization of the routers. Mapping to VLANs and complete independent management and configuration
of IP networks in the device. Automatic learning of routing tags for ARF contexts from the routing table

Advanced Routing and Forwarding

LANCOM 1781EF (CC)

Features as of: LCOS 8.70 CC