
Multicast Router - LockBox

LockBox (Firewall) Features

An easy-to-use but powerful 'stateful' firewall is embedded in every router. Setting the LockBox ON without any parameters will provide 'normal' client-based protection. Multiple 'mode' parameters enable fine tuning of the firewall.

Unique 'hassle-free' ON mode with no parameters defaults to 'Outgoing enabled' and 'ICMP Ping'.

Many users are concerned about the correct configuration of firewalls in case they accidentally cause serious lock-out problems or block desired access. The ZyTrax LockBox can be configured ON with no additional parameters. This defaults to an 'outgoing enabled' service and enables all PCs to respond ONLY to an ICMP PING (echo request) operation. Outgoing enabled is the normal mode of operation for 'classic' User to Internet access: "A remote site is able to talk to you, but only if you talked to it first, and only for as long as you are actively talking to it". The LockBox allows Pings (and only Pings) to ensure that you can receive external diagnostic support if required without any reconfiguration. In many cases the act of configuring a firewall to enable such support can seriously weaken the firewall. NOTE: The LockBox does allow you to 'disable' pings.


Supports 9 ‘modes’ of operation:

Outgoing enabled

Requires no additional parameters and is the default mode of operation. Outgoing enabled is the normal mode of operation for 'classic' User to Internet access: "A remote site is able to talk to you, but only if you talked to it first, and only for as long as you are actively communicating with the destination IP".

Outgoing enabled - paired (for auto-support of remote NETBIOS networks).

Requires no additional parameters. Outgoing enabled - paired is the normal mode of operation for 'classic' User to Internet access by users who also use remote NETBIOS connections. "A remote site is able to talk to you, but only if you talked to it first, and only for as long as you are actively talking to it". Outgoing enabled - paired allows adjacent pairs of ports to communicate and is required when using NETBIOS over the network. NOTE: you can specifically configure the NETBIOS ports using an 'incoming allowed' mode command to achieve the same result.

Incoming allowed

Indicates that the LockBox™ will allow incoming traffic to a specified IP address(es). The user may subset this list by defining the Source IP address(es), traffic type and port number (or range) to which this feature applies (the originating Host(s)). This mode is typically used to enable an FTP or Web site to be accessed via the firewall.

Destination enabled

Indicates that the LockBox™ will allow outgoing traffic to this destination. The user may subset this destination by traffic type, IP address range and port number or port range AND may optionally limit the SOURCE IP address(es) that may access this destination.

Destination disabled

Indicates that the LockBox™ will disallow outgoing traffic to this destination. The user may additionally define the traffic type, an IP address range and port number (or port range) AND may optionally limit the SOURCE IP address(es) for which the destination IP is disallowed.

Destination only (pseudo VPN mode)

Indicates that ONLY the specified destination IP address(es) are allowed. The user may subset this destination by traffic type, IP address range and port number or port range AND may optionally limit the SOURCE IP address(es) that may access this destination.

ICMP All

Indicates that the LockBox™ will allow all incoming ICMP messages to the specified destination IP address(es). The user may subset the remote IP address(es) that are allowed to initiate ICMP messages. If no ICMP entry (ICMP Ping, ICMP None or ICMP All) is present the LockBox™ will pass through ALL ICMP echo (PING) requests only. The LockBox™ will also ALLOW the following ICMP messages as a response to the ORIGINAL IP request:

Source Quench
Destination unreachable
Time exceeded

To suppress this behavior an ICMP NONE entry may be used.

NOTE: ICMP Redirects are NOT allowed

ICMP NONE

Indicates that the LockBox™ will NOT ALLOW any ICMP messages to the destination IP address(es). If not specified the LockBox™ WILL ONLY pass ICMP Ping messages.

ICMP PING

Indicates that the LockBox™ will ONLY allow ICMP Ping (Echo) requests to the defined destination IP address(es). The user may further modify the remote IP addresses to which this feature applies.


Up to 16 LockBox ‘rules’ may be defined using source or destination IP address, subnet mask, traffic type, port number (or port range) and ‘mode’.

The LockBox allows up to 16 'rules' (a 'rule' consists of a mode and its optional parameters) allowing significant control over both user-to-network and network-to-user security and behavior.


Advanced packet filtering techniques include a ‘Stateful Firewall’ for TCP, DNS, ICMP etc.

The LockBox uses 'packet filtering' techniques (inspection of each incoming and outgoing packet and application of the user-defined rules) and is 'stateful' or 'State Aware'. This means that the LockBox is aware at all times (whenever possible) of the state of the connection. In the case of TCP the firewall is aware of the state of a TCP connection - opening, open, closing, closed. The LockBox immediately shuts the firewall when a TCP connection closes or resets. In the case of paired transactions the LockBox shuts the firewall after the paired transaction is completed. In the case of failure a user-defined timer value closes the firewall.
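As an added illustration (not ZyTrax code), the following hypothetical Python model shows what "state aware" means for TCP under 'Outgoing enabled': a hole opens only for an outbound SYN, replies ride on that flow, a RST or a completed FIN exchange shuts it at once, and the user-defined idle timer shuts it when the peer simply goes away. Flow keys, flag handling and the timer semantics are assumptions made for the example.

```python
import time
from dataclasses import dataclass, field

# TCP flag bits (RFC 793 header layout).
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


@dataclass
class Flow:
    state: str                  # "opening", "open", "closing" or "closed"
    last_seen: float
    fin_from: set = field(default_factory=set)  # sides (True=outbound) that sent FIN


class StatefulTracker:
    """Hypothetical model of 'outgoing enabled' TCP state tracking."""

    def __init__(self, idle_timeout: float, clock=time.monotonic):
        self.idle_timeout = idle_timeout  # the user-defined timer for failed flows
        self.clock = clock
        self.flows: dict = {}

    @staticmethod
    def key(src, sport, dst, dport):
        # Direction-independent key so replies map onto the outbound flow.
        return tuple(sorted([(src, sport), (dst, dport)]))

    def packet(self, src, sport, dst, dport, flags, outbound: bool) -> bool:
        """Return True if this segment passes, updating connection state."""
        now = self.clock()
        k = self.key(src, sport, dst, dport)
        f = self.flows.get(k)
        if f is not None and now - f.last_seen > self.idle_timeout:
            del self.flows[k]           # failure case: the timer shut the firewall
            f = None
        if f is None:
            if outbound and (flags & SYN) and not (flags & ACK):
                self.flows[k] = Flow("opening", now)  # we talked first
                return True
            return False                # unsolicited inbound segment: dropped
        f.last_seen = now
        if flags & RST:
            del self.flows[k]           # reset: firewall shut immediately
            return True
        if f.state == "opening" and flags & ACK:
            f.state = "open"
        if flags & FIN:
            f.fin_from.add(outbound)
            f.state = "closing" if len(f.fin_from) < 2 else "closed"
        elif f.state == "closed" and flags & ACK:
            del self.flows[k]           # final ACK of the close: stop tracking
        return True
```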


Firewall provides an Application Specific Gateway (ASG) for FTP access by recognizing context sensitive commands in the control stream.

Certain protocols use 'secondary' ports or 'spawn' additional ports in their normal operation. FTP is one such protocol. If the LockBox is configured to allow incoming data to port 21 (the FTP control port) then the LockBox automatically enables the secondary port defined in the PORT/PASV or EPRT command during that FTP session.
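As an added example (not ZyTrax code) of the recognition step such a gateway performs, this hypothetical Python parser extracts the secondary endpoint announced by a PORT command, by the 227 reply to PASV, and by EPRT. The sender-consistency and privileged-port refusals are defensive checks assumed for the example, not behaviour the page describes.

```python
import re
from ipaddress import ip_address

# Constructed patterns for the three ways an FTP data endpoint is announced
# (RFC 959 PORT, the 227 reply to PASV, and RFC 2428 EPRT).
_SIX = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_RE = re.compile(r"^PORT " + _SIX + r"\s*$", re.I)
PASV_RE = re.compile(r"^227 [^(]*\(" + _SIX + r"\)")
EPRT_RE = re.compile(r"^EPRT \|[12]\|([^|]+)\|(\d{1,5})\|\s*$", re.I)


def _h1h2_port(groups):
    # h1,h2,h3,h4,p1,p2 -> dotted address and p1*256+p2 (RFC 959 section 4.1.2)
    host = str(ip_address(".".join(groups[:4])))
    p1, p2 = int(groups[4]), int(groups[5])
    if p1 > 255 or p2 > 255:
        raise ValueError("port byte out of range")
    return host, p1 * 256 + p2


def data_endpoint(line: str, sender: str):
    """Return (host, port) the gateway must open for this control line, or None.

    sender is the address that wrote the line (client for PORT/EPRT, server for
    227). An advertised address that is not the sender, or a privileged port,
    raises ValueError: a hardening check this model adds, not one the page states.
    """
    m = PORT_RE.match(line) or PASV_RE.match(line)
    if m:
        host, port = _h1h2_port(m.groups())
    else:
        m = EPRT_RE.match(line)
        if not m:
            return None                       # not an endpoint announcement
        host, port = str(ip_address(m.group(1))), int(m.group(2))
    if host != sender or port < 1024:
        raise ValueError(f"refusing data endpoint {host}:{port}")
    return host, port


def should_open(line: str, sender: str) -> bool:
    """Gateway decision: open a hole only for a well-formed, consistent endpoint."""
    try:
        return data_endpoint(line, sender) is not None
    except ValueError:
        return False
```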


Firewall provides an Application Specific Gateway (ASG) for H.323 & SIP access by recognizing context sensitive commands in the control streams.

Certain protocols use secondary ports or 'spawn' additional ports in their normal operation. H.323 and SIP are such protocols. If the LockBox is configured to allow incoming access to port 1720 (the H.323 control port) then the LockBox will automatically enable all secondary or 'spawned' ports during that H.323 call sequence.


Works with NAT and SuperNAT features.

The LockBox may be configured to operate with NAT in which case all Local IP parameters apply to un-translated IP address(es).



Copyright © 1994 - 2014 ZyTrax, Inc.
Page modified: July 11 2011.