
LockBox (Firewall) Features

  • ON mode with no parameters defaults to 'Outgoing enabled' mode
  • Supports 9 ‘modes’ of operation
  • Up to 16 LockBox ‘rules’ may be defined
  • Advanced packet filtering techniques include a ‘Stateful Firewall’ for TCP, DNS, ICMP etc.
  • Firewall auto-enables FTP access by recognizing context sensitive commands in the control stream
  • Firewall auto-enables H.323/SIP access by recognizing context sensitive commands in the control streams
  • Works with NAT and SuperNAT features

Unique 'hassle-free' ON mode with no parameters defaults to 'Outgoing enabled' and 'ICMP Ping'

Many users are concerned about configuring a firewall correctly, since a mistake can cause serious lock-out problems or block desired access. The Air-Frame LockBox can be configured ON with no additional parameters. This defaults to 'outgoing enabled' mode AND enables responses to ICMP PINGs (echo requests).

'Outgoing enabled' is the normal mode of operation for User to Internet (browse) access. "A remote site is able to talk to you, but only if you talked to it first, AND only for as long as you are actively talking to it".

The LockBox additionally allows ICMP Ping requests (and only Ping requests) through the firewall to ensure that you can receive external diagnostic support if required without any reconfiguration. In many cases the act of configuring a 'classic' Firewall to enable such ICMP support can seriously weaken the firewall. NOTE: The Lockbox can also be configured to 'disable' pings.

Supports 9 ‘modes’ of operation:

The LockBox provides for 9 distinct modes of operation:

  • Outgoing enabled
  • Outgoing enabled - NETBIOS
  • Incoming allowed
  • Destination enabled
  • Destination disabled
  • Destination only (pseudo VPN mode)
  • ICMP All
  • ICMP None
  • ICMP PING

Outgoing Enabled:

Requires no additional parameters and is the default mode of operation. Outgoing enabled is the normal mode of operation for 'classic' User to Internet access. "A remote site is able to talk to you, but only if you talked to it first, and only for as long as you are actively talking to it".

Outgoing enabled - NETBIOS

Requires no additional parameters. Outgoing enabled - NETBIOS is the normal mode of operation for User to Internet (browse) access and users of remote NETBIOS connections.

'Outgoing enabled' provides for "A remote site is able to talk to you, but only if you talked to it first, and only for as long as you are actively talking to it". The additional NETBIOS parameter enables NETBIOS interworking via the Lockbox™ over the network. NOTE: you can specifically configure the NETBIOS ports using an 'incoming allowed' mode command to achieve the same result.

Incoming allowed

Indicates that the LockBox™ will allow incoming traffic to the specified local IP address(es). The user may narrow this by defining the Source IP address(es) (the originating Host(s)), the traffic type and the port number (or range) to which the rule applies. This mode is typically used to allow an FTP or Web site behind the firewall to be accessed.

Destination enabled

Indicates that the LockBox™ will ALLOW outgoing traffic to this destination. The user may subset this destination by traffic type, IP address range and port number or port range AND may optionally limit the SOURCE IP address(es) that may access this destination.

Destination disabled

Indicates that the LockBox™ will disallow outgoing traffic to this destination. The user may additionally define the traffic type, an IP address range and port number (or port range) AND may optionally limit the SOURCE IP address(es) for which the destination IP is disallowed.

Destination only (pseudo VPN mode)

Indicates that ONLY the specified destination IP address(es) are allowed. The user may subset this destination by traffic type, IP address range and port number or port range AND may optionally limit the SOURCE IP address(es) that may access this destination.

ICMP All

Indicates that the LockBox™ will allow all incoming ICMP messages to the specified destination IP address(es). The user may subset the remote IP address(es) that are allowed to initiate ICMP messages. If no ICMP entry (ICMP Ping, ICMP None or ICMP All) is present, the LockBox™ will pass through ICMP echo (PING) requests only. The LockBox™ will also ALLOW the following ICMP messages as a response to the ORIGINAL IP request:

  • Source Quench
  • Destination unreachable
  • Time exceeded

To suppress this behavior an ICMP NONE entry must be used.

NOTE: ICMP Redirects are NOT allowed.

ICMP NONE

Indicates that the LockBox™ will NOT ALLOW any ICMP messages to the destination IP address(es). If not specified the LockBox™ WILL ONLY pass ICMP Ping messages.

ICMP PING

Indicates that the LockBox™ will ONLY allow ICMP Ping (Echo) requests to the defined destination IP address(es). The user may further modify the remote IP addresses to which this feature applies.
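The following is an added illustration, not ZyTrax's code, of how the nine modes described above combine to decide a packet that is not already part of a tracked connection. The Rule/Packet field names, the CIDR notation, the "0 for ICMP" port convention and the NETBIOS port range 137-139 are assumptions of this model, not details taken from the page.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ECHO_REQUEST, REDIRECT = "echo-request", "redirect"   # ICMP types used below

@dataclass
class Rule:
    mode: str                   # one of the nine LockBox modes, spelled as on this page
    dst: str = "0.0.0.0/0"      # destination address(es) the rule applies to (assumed CIDR form)
    src: str = "0.0.0.0/0"      # optional SOURCE address(es) restriction
    proto: str = "any"          # traffic type: "tcp", "udp", "icmp" or "any"
    ports: tuple = (0, 65535)   # port number or (low, high) port range

@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int = 0              # 0 for ICMP (model convention)
    icmp_type: str = ""
    inbound: bool = False       # True for network-to-user traffic

def matches(rule, pkt):
    return (ip_address(pkt.dst) in ip_network(rule.dst)
            and ip_address(pkt.src) in ip_network(rule.src)
            and rule.proto in ("any", pkt.proto)
            and rule.ports[0] <= pkt.dport <= rule.ports[1])

def admit(rules, pkt):
    """Decide a packet that is not already part of a tracked (stateful) connection."""
    hits = [r for r in rules if matches(r, pkt)]
    if not pkt.inbound:
        if any(r.mode == "Destination only" for r in rules):     # pseudo VPN mode
            return any(r.mode == "Destination only" for r in hits)
        if any(r.mode == "Destination disabled" for r in hits):
            return False
        return True                                              # Outgoing enabled default
    if pkt.proto == "icmp":
        if pkt.icmp_type == REDIRECT:
            return False                                         # redirects never allowed
        modes = {r.mode for r in hits if r.mode.startswith("ICMP")}
        if "ICMP None" in modes:
            return False
        if "ICMP All" in modes:
            return True
        return pkt.icmp_type == ECHO_REQUEST                     # no entry or ICMP PING: echo only
    if any(r.mode == "Outgoing enabled - NETBIOS" for r in rules) and 137 <= pkt.dport <= 139:
        return True                                              # assumed: standard NETBIOS ports
    return any(r.mode == "Incoming allowed" for r in hits)
```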

Up to 16 LockBox ‘rules’ may be defined using source or destination IP address, subnet mask, traffic type, port number (or port range) and ‘mode’.

The LockBox allows up to 16 'rules' (a 'rule' consists of a mode and its optional parameters) allowing significant control over both user-to-network and network-to-user security and behavior.

Advanced packet filtering techniques include a ‘Stateful Firewall’ for TCP, DNS, ICMP etc.

The LockBox uses 'packet filtering' techniques (inspection of each incoming and outgoing packet and application of the user defined rules) and is 'stateful' or 'State Aware'.

In the case of TCP the LockBox™ is constantly aware of the state of a TCP connection - opening, open, closing, closed, reset. The Lockbox™ immediately shuts the firewall when a TCP connection closes or resets.

UDP and ICMP are 'stateless' and 'classic' 'stateful' firewalls can perform very badly with them. The Lockbox™ inspects this traffic for paired transactions (e.g. DNS requests and certain ICMP transactions) and immediately shuts the firewall once the paired transaction is completed. If the pair never completes, a user defined timer value closes the firewall. For all other UDP transactions the LockBox™ shuts the firewall after a user defined period (defaults to 10 seconds).
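As an added example (not the LockBox's own implementation), the 'state aware' behaviour described above can be modelled as a table of pinholes that only outbound traffic creates: a TCP pinhole is shut by a close or reset, a DNS pinhole by the single paired reply, and any other UDP pinhole by the idle timer. The class and method names, the use of port 53 to recognise a DNS pair, and the simplified half-close handling are assumptions of this model.

```python
from dataclasses import dataclass

UDP_IDLE_SECONDS = 10.0     # the user-defined period; 10 s is the default quoted above
DNS_PORT = 53               # assumed: UDP to port 53 is treated as a paired transaction

@dataclass
class Flow:
    expires: float          # used for UDP only; TCP is shut on close/reset, not by a timer
    paired: bool = False    # DNS query: exactly one reply completes the transaction

class StatefulFilter:
    """Pinholes are opened only by the local side ('only if you talked to it first')."""

    def __init__(self):
        self.flows = {}     # (proto, (local_ip, lport), (remote_ip, rport)) -> Flow

    def outbound(self, proto, local, remote, now, flags=()):
        key = (proto, local, remote)
        if "RST" in flags:
            self.flows.pop(key, None)              # reset from our side: shut immediately
            return True
        paired = proto == "udp" and remote[1] == DNS_PORT
        flow = self.flows.setdefault(key, Flow(0.0, paired))
        flow.expires = now + UDP_IDLE_SECONDS      # active talking keeps the pinhole open
        return True

    def inbound(self, proto, local, remote, now, flags=()):
        key = (proto, local, remote)
        flow = self.flows.get(key)
        if flow is None:
            return False                           # unsolicited: nobody here talked to it first
        if proto == "udp" and now >= flow.expires:
            del self.flows[key]                    # the timer already closed this pinhole
            return False
        if flow.paired or "FIN" in flags or "RST" in flags:
            del self.flows[key]                    # DNS pair complete, or TCP closed/reset
        elif proto == "udp":
            flow.expires = now + UDP_IDLE_SECONDS
        return True

    def open_pinholes(self):
        return len(self.flows)
```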

Firewall auto-enables FTP access by recognizing context sensitive commands in the control stream.

Certain protocols use secondary ports or 'spawn' additional ports in their normal operation. FTP is one such protocol. If the LockBox™ is configured to allow incoming data to port 21 (the FTP control port) then the Lockbox™ automatically enables the secondary port defined in the PORT/PASV or EPRT commands during that FTP session.
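The following added example (not ZyTrax's code) shows the kind of control-stream inspection the paragraph describes: it recognises the PORT, EPRT and PASV-reply forms in which FTP announces its data channel, opens a pinhole for the announced endpoint, and drops it again on the 226 transfer-complete reply. The session lines are constructed, and the rule that an announced address must belong to the peer that announced it is an assumption of this example, not a documented LockBox behaviour.

```python
import re

# Forms in which FTP announces a data channel on the control stream (RFC 959 / RFC 2428 syntax)
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
EPRT_RE = re.compile(r"^EPRT \|1\|(\d+\.\d+\.\d+\.\d+)\|(\d+)\|\s*$", re.I)
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def data_channel(line, sender):
    """Parse one control-stream line; sender is 'client' or 'server'.
    Returns (listener_ip, listener_port, who_connects) or None if nothing is announced."""
    if sender == "client":
        m = PORT_RE.match(line)
        if m:
            v = list(map(int, m.groups()))
            if max(v) > 255:
                return None                          # malformed: open nothing
            return (".".join(map(str, v[:4])), v[4] * 256 + v[5], "server")
        m = EPRT_RE.match(line)
        if m and 0 < int(m.group(2)) < 65536:
            return (m.group(1), int(m.group(2)), "server")
    elif sender == "server":
        m = PASV_RE.match(line)
        if m:
            v = list(map(int, m.groups()))
            if max(v) > 255:
                return None
            return (".".join(map(str, v[:4])), v[4] * 256 + v[5], "client")
    return None

def track_session(lines, client_ip, server_ip):
    """Walk an ordered list of (sender, text) control lines and return the set of
    (listener_ip, port) pinholes still open at the end. A 226 reply closes the current one."""
    open_holes, pending = set(), None
    for sender, text in lines:
        if sender == "server" and text.startswith("226") and pending:
            open_holes.discard(pending)              # transfer complete: shut the pinhole
            pending = None
            continue
        ep = data_channel(text, sender)
        if ep is None:
            continue
        ip, port, _ = ep
        if ip != (client_ip if sender == "client" else server_ip):
            continue                                 # assumed guard: announce only your own address
        pending = (ip, port)
        open_holes.add(pending)
    return open_holes
```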

The LockBox™ auto-enables H.323/SIP access when the relevant primary ports are enabled by recognizing context sensitive commands in the control streams and enabling the secondary ports.

Certain protocols use secondary ports or 'spawn' additional ports in their normal operation. H.323 and SIP are two such protocols. If the LockBox is configured to allow incoming access to port 1720 (the H.323 control port) then the Lockbox will automatically enable all secondary or 'spawned' ports during that H.323 call sequence. Similarly with SIP.

Works with NAT and SuperNAT features.

The LockBox may be configured to operate with NAT and SuperNAT in which case all Local IP parameters apply to un-translated IP address(es).


Copyright © 1994 - 2017 ZyTrax, Inc.
All rights reserved. Legal and Privacy
Last modified: July 11 2011.
