Lancom Systems 7111 VPN LS61055 Benutzerhandbuch
Produktcode
LS61055
LANCOM 7111 VPN
Firewall
Stateful inspection firewall
Direction- dependant check based on connection information
Packet filter
Check based on the header information of an IP packet (IP or MAC source/destination addresses; source/destination ports,
DiffServ attribute); remote- site dependant, direction dependant, bandwidth dependant
DiffServ attribute); remote- site dependant, direction dependant, bandwidth dependant
Masquerading
Network Address Translation (NAT), N:N mapping for the translation or masking of IP addresses
Port mapping
Provision of services from behind masqueraded computers, for example, to make an internal web server available from the
outside (inverse masquerading)
outside (inverse masquerading)
Tagging
The firewall marks packets with routing tags, e.g. for policy- based routing
Actions
Forward, drop, reject, block sender address, close destination port, disconnect
Messaging
Via e- mail, SYSLOG or SNMP trap
Quality of Service
Traffic shaping
Dynamic bandwidth management with IP traffic shaping
Bandwidth reservation
Dynamic reservation of minimum and maximum bandwidths, absolute or connection- related, separate settings for send and
receive directions
receive directions
DiffServ/TOS
Priority packet queuing based on DiffServ/TOS fields
Packet- size control
Automatic packet- size control by fragmentation or Path Maximum Transmission Unit (PMTU) adjustment.
Layer 2/Layer 3 tagging
Automatic or fixed translation of layer- 2 priority information (802.11p- marked Ethernet frames) to layer- 3 DiffServ attributes in
routing mode. Translation from layer 3 to layer 2 with automatic recognition of 802.1p- support in the destination device.
routing mode. Translation from layer 3 to layer 2 with automatic recognition of 802.1p- support in the destination device.
Security
Intrusion Prevention
Monitoring and blockage of login attempts and port scans
IP spoofing
Source IP address check on all interfaces: The only accepted IP addresses belong to the previously defined IP network
Access Control lists
Filtering of IP or MAC addresses and preset protocols for configuration access and LANCAPI
Denial of Service protection
Protection from fragmentation errors and SYN flooding
General
Detailed settings for handling reassembly, PING, stealth mode and AUTH port
URL blocker
Filtering of unwanted URLs based on DNS hitlists and wildcard filters
Password protection
Password- protected configuration access can be set for each interface
Alerts
Alerts via e- mail, SNMP- Traps and SYSLOG
Authentication mechanisms
PAP, CHAP and MS- CHAP as PPP authentication mechanism
Anti- theft
Anti- theft ISDN site verification over B or D channel (self- initiated call back and blocking)
High availability / redundancy
VRRP
VRRP (Virtual Router Redundancy Protocol) for non- proprietary backup in case of failure of a device or remote station. Enables
passive standby groups or reciprocal backup between multiple active devices including load balancing and freely definable
backup priorities
passive standby groups or reciprocal backup between multiple active devices including load balancing and freely definable
backup priorities
FirmSafe
For completely safe software upgrades thanks to two stored firmware versions, incl. test mode for firmware updates
ISDN backup
In case of failure of the main connection, a backup connection is established over ISDN; automatic return to the main connection
Analog/GSM modem backup
Optional operation of an analog or GSM modem at the serial interface
Load balancing
Static and dynamic load balancing over up to 4 WAN connections; channel bundling with Multilink PPP (if supported by network
operator)
operator)
VPN redundancy
Control of up to 16 redundant VPN gateways for high availability or load balancing
Line monitoring
Line monitoring with LCP echo monitoring, dead- peer detection and up to 4 addresses for end- to- end monitoring with ICMP
polling.
polling.
VPN
Number of VPN tunnels
100 IPSec connections active simultaneously, 250 connections configurable. Unlimited number of VPN clients when using RAS
user templates; unlimited number of VPN remote sites when using pro- adaptive VPN with certificate- based VPN site- to- site
coupling.
user templates; unlimited number of VPN remote sites when using pro- adaptive VPN with certificate- based VPN site- to- site
coupling.
Hardware accelerator
Integrated hardware accelerator for the 3DES/AES encryption and decryption
IKE
IPSec key exchange with Preshared Key or certificate
Certificates
X.509 digital certificate support, compatible with Microsoft Server / Enterprise Server and OpenSSL, upload of PKCS#12 files via
HTTPS interface
HTTPS interface
Certificate revocation lists (CRL)
CRL retrieval via HTTP
RAS user template
Configuration of all VPN client connections in IKE ConfigMode via a single entry
Proadaptive VPN
Automated configuration and dynamic creation of all necessary VPN and routing entries based on a default entry for site- to-
site connections. Propogation of dynamically learned routes via RIPv2, if required.
site connections. Propogation of dynamically learned routes via RIPv2, if required.