
Thursday, May 17, 2007

Network security - Firewall setting

You probably know that you need firewall security; in fact, you may even already have a firewall management program in place. But what exactly is firewall security, and what does firewall management entail?

The word firewall originally referred literally to a wall, which was constructed to halt the spread of a fire. In the world of computer firewall protection, a firewall refers to a network device which blocks certain kinds of network traffic, forming a barrier between a trusted and an untrusted network. It is analogous to a physical firewall in the sense that firewall security attempts to block the spread of computer attacks.


How Does Firewall Management Work?

A firewall can be configured in one of two basic ways:

* A default-deny policy. The firewall administrator lists the allowed network services, and everything else is denied.
* A default-allow policy. The firewall administrator lists network services which are not allowed, and everything else is accepted.

A default-deny approach is by far the more secure of the two, but because it is harder to configure and manage, many networks use the default-allow approach instead. Let's assume for the moment that your firewall uses a default-deny policy and that only the services you want reachable from the Internet are enabled; for example, you have a web server that the general public should be able to reach. What happens next depends on what kind of firewall you have.

Below is a set of application rules that has been tested with Kerio Personal Firewall; other personal firewalls may accept the same rules. The four values after each application are the four permission columns of Kerio's application table, read left to right:

LSA Shell (lsass.exe) -> Ask - Permit - Ask - Ask
Windows NT Logon Application (winlogon.exe) -> Ask - Permit - Ask - Ask (log)
Userinit Logon Application (userinit.exe) -> Ask - Permit - Ask - Ask
Generic Host Process (svchost.exe) -> Ask - Permit - Ask - Ask (log)
Microsoft File & Printer Sharing -> Deny All (on a LAN this can be: Ask - Permit - Ask - Ask)
Any Other Application -> Deny - Ask - Deny - Ask (log & alert), invisible mode
Internet Browser Application -> Ask - Deny - Deny - Permit (log)
Kaspersky AntiVirus / Kaspersky Internet Security -> Ask - Deny - Deny - Permit (log)
FTP Manager Application -> Permit - Permit - Permit - Permit (log & alert)
Yahoo Messenger -> Deny - Ask - Deny - Permit (log & alert)


Below are the packet-filter rules, written for the filter dialog of Kerio Personal Firewall or Tiny Personal Firewall; other firewalls may accept them as well. In each rule the first Port type / Local App. pair describes the local endpoint and the Remote Address Type / second Port type pair describes the remote endpoint. Kerio and Tiny test packet-filter rules from the top down and apply the first rule that matches, so the numbering below is not a safe evaluation order: the specific permit rules (1 for the ISP DNS server, 14 for loopback, 18 and 19 for outgoing ping and traceroute, and the per-application rules 20 to 24) must sit above the catch-all deny rules (8, 9 and 10) in the rule list, or they never take effect.

RULE 1
Description: ISP Domain Name Server Any App UDP
Protocol: UDP
Direction: Both
Local Port: Any
Local App.: Any
Remote Address Type: Single
Host address: IP number (Your ISP DNS server)
Port type: Single
Port number: 53
Action PERMIT

RULE 2
Description: Other DNS
Protocol: TCP and UDP
Direction: Both
Local Port: Any
Local App.: Any
Remote Address Type: Any
Port type: Single
Port number: 53
Action DENY

RULE 3
Description: Back Orifice Block (Logged)
Protocol: TCP and UDP
Direction: Incoming
Port type: List of Ports
Local App.: Any
List of Ports: 54320,54321,31337
Remote Address Type: Any
Port type: Any
Action DENY

RULE 4
Description: Netbus Block (Logged)
Protocol: TCP
Direction: Incoming
Port type: List of Ports
Local App.: Any
List of Ports: 12456,12345,12346,20034
Remote Address Type: Any
Port type: Any
Action DENY

RULE 5
Description: RPCSS (Logged)
Protocol: UDP
Direction: Incoming
Port type: Single port
Local App.: Any
Port number: 135
Remote Address Type: Any
Port type: Any
Action DENY
Note: the RPC endpoint mapper listens on TCP 135 as well as UDP 135, and the TCP side is the one exploited by Blaster (MS03-026); cover it in this rule too rather than relying on rule 9 to catch it.

RULE 6
Description: Block Low Trojan Ports TCP UDP (Notify)
Protocol: TCP and UDP
Direction: Both
Port type: Port/range
Local App.: Any
First port number: 1
Last port number: 79
Remote Address Type: Any
Port type: Any
Action DENY

RULE 7
Description: Block High Trojan Ports TCP UDP (Notify)
Protocol: TCP and UDP
Direction: Both
Port type: Port/range
Local App.: Any
First port number: 5000
Last port number: 65535
Remote Address Type: Any
Port type: Any
Action DENY
Note: this rule matches the local port. It only leaves outgoing connections working because Windows 2000 and XP pick their dynamic (ephemeral) source ports from 1025-5000; Windows Vista and later use 49152-65535, where this rule would deny every outgoing connection.

RULE 8
Description: Block Outbound Unauthorized Apps TCP UDP (Notify)
Protocol: TCP and UDP
Direction: Outgoing
Port type: Any
Local App.: Any
Remote Address Type: Any
Port type: Any
Action DENY
NB: if Kaspersky Anti-Virus 6 or Kaspersky Internet Security 6 is installed, choose Any for the remote port in this rule.

RULE 9

Description: Block Inbound Unknown Apps TCP UDP (Notify)
Protocol: TCP and UDP
Direction: Incoming
Port type: Any
Local App.: Any
Remote Address Type: Any
Port type: Any
Action DENY

RULE 10

Description: Block ICMP (Logged)
Protocol: ICMP
Direction: Both
ICMP Type: Echo Reply, Destination Unreachable, Source Quench, Redirect, Echo, Time Exceeded, Parameter Problem, Time Stamp, Time Stamp Reply, Info Request, Info Reply, Address, Address Reply, Router Advertisement, Router Solicitation (all types)
Remote Endpoint: Any
Action DENY

RULE 11

Description: In Block Ping and TraceRoute ICMP (Notify)
Protocol: ICMP
Direction: Incoming
ICMP Type: Echo
Remote Endpoint: Any
Action DENY

RULE 12

Description: Out Block Ping and Trace Route ICMP (Notify)
Protocol: ICMP
Direction: Outgoing
ICMP Type: Echo Reply, Destination Unreachable, Time Exceeded
Remote Endpoint: Any
Action DENY

RULE 13

Description: Block Common Ports (Logged)
Protocol: TCP and UDP
Direction: Incoming
Port type: List of Ports
Local App.: Any
List of Ports:
113,79,21,80,443,8080,143,110,25,23,22,42,53,98
Remote Address Type: Any
Port type: Any
Action DENY

RULE 14
Description: Loopback
Protocol: TCP and UDP
Direction: Both
Local Port: Any
Local App.: Any
Remote Address Type: Single
Host address: 127.0.0.1
Port type: Any
Action PERMIT

RULE 15
Description: Block Inbound NetBIOS TCP UDP (Notify)
Protocol: TCP and UDP
Direction: Incoming
Port type: Port/Range
First Port: 137
Last Port: 139
Local App.: Any
Remote Address Type: Any
Port type: Any
Action DENY

RULE 16
Description: Block Outbound NetBIOS TCP UDP (Notify)
Protocol: TCP and UDP
Direction: Outgoing
Local Port: Any
Local App.: Any
Remote Address Type: Any
Port type: Port/Range
First Port: 137
Last Port: 139
Action DENY
Note: rules 15 and 16 only cover NetBIOS over TCP/IP (ports 137-139). Windows 2000 and later also carry SMB directly over TCP 445, which these rules do not touch; that port is left to the catch-all rules 8 and 9.

RULE 17

Description: Bootpc (Logged)
Protocol: TCP and UDP
Direction: Incoming
Port type: Single port
Local App.: Any
Port number: 68
Remote Address Type: Any
Port type: Any
Action DENY
Note: DHCP offers and acknowledgements arrive at UDP port 68, so this rule is only safe on a host with a static IP address; on a DHCP client it breaks lease acquisition and renewal.

RULE 18

Description: Out Needed To Ping And TraceRoute Others
Protocol: ICMP
Direction: Outgoing
ICMP Type: Echo
Remote Endpoint: Any
Action PERMIT

RULE 19

Description: In Needed To Ping And TraceRoute Others
Protocol: ICMP
Direction: Incoming
ICMP Type: Echo Reply, Destination Unreachable, Time Exceeded
Remote Endpoint: Any
Action PERMIT

RULE 20

Description: Internet Explorer-Web browsing (logged)
Protocol: TCP
Direction: Outgoing
Port type: Any
Local App.: Only selected below => iexplore.exe
Remote Address Type: Any
Port type: Any
List of ports: Any
Action PERMIT

RULE 21

Description: Outlook Express
Protocol: TCP
Direction: Outgoing
Port type: Any
Local App.: Only selected below => msimn.exe
Remote Address Type: Any
Port type: List of ports
List of ports: 25,110,119,143
Action PERMIT

RULE 22
Description: Yahoo Messenger
Protocol: TCP
Direction: Outgoing
Port Type: Any
Local App.: Only selected below => yahoomessenger.exe
Remote Address Type: Any
Port Type: List of ports
List of ports: 443,80,5050
Action PERMIT

RULE 23

Description: Yahoo Messenger
Protocol: UDP
Direction: Outgoing
Port Type: Any
Local App.: Only selected below => yahoomessenger.exe
Remote Address Type: Any
Port Type: single
List of ports: 3478
Action PERMIT

RULE 24
Description: Download Manager (logged)
Protocol: TCP
Direction: Outgoing
Port Type: Any
Local App.: Only selected below => (your download manager file)
Remote Address Type: Any
Port Type: List of ports
List of ports: 80,21
Action PERMIT


On a LAN where file and printer sharing is needed, add the rules below and place them above rules 15 and 16, so that NetBIOS is allowed only to and from the Trusted Address Group and stays blocked for everyone else:

RULE 15a
Description: Trusted Inbound NetBIOS TCP UDP
Protocol: TCP and UDP
Direction: Incoming
Port type: Port/Range
First Port: 137
Last Port: 139
Local App.: Any
Remote Address Type: Trusted Address Group
Port type: Any
Action PERMIT

RULE 16a

Description: Trusted Outbound NetBIOS TCP UDP
Protocol: TCP and UDP
Direction: Outgoing
Local Port: Any
Local App.: Any
Remote Address Type: Trusted Address Group
Port type: Port/Range
First Port: 137
Last Port: 139
Action PERMIT
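The rule list above is applied top down with the first matching rule deciding, which is why its order matters. The following is an added example in Python (not code from the original post or from Kerio): a minimal first-match packet filter that keeps just enough of the rule fields (protocol, direction, local and remote port range, application) to reproduce rules 7, 8 and 20 and show two things the text does not spell out: with rule 8 above rule 20, Internet Explorer is never allowed out, and rule 7's local-port range only works on the Windows 2000/XP ephemeral port range. The packets and the `Rule`/`Packet` shapes are constructed for the example.

```python
"""
Added example, not from the original post: a first-match packet filter in
the style of the Kerio / Tiny Personal Firewall rule list. Rule fields are
a simplification of the Kerio dialog; packets are constructed here.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PortRange = Optional[Tuple[int, int]]   # inclusive (low, high); None means "Any"


@dataclass(frozen=True)
class Packet:
    proto: str          # "TCP" or "UDP"
    direction: str      # "in" or "out"
    local_port: int
    remote_port: int
    app: str            # image name of the local application


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                          # "PERMIT" or "DENY"
    protos: Tuple[str, ...]
    directions: Tuple[str, ...]
    local_ports: PortRange = None        # None = Any local port
    remote_ports: PortRange = None       # None = Any remote port
    app: Optional[str] = None            # None = Any application

    @staticmethod
    def _in_range(port: int, rng: PortRange) -> bool:
        return rng is None or rng[0] <= port <= rng[1]

    def matches(self, p: Packet) -> bool:
        return (p.proto in self.protos
                and p.direction in self.directions
                and self._in_range(p.local_port, self.local_ports)
                and self._in_range(p.remote_port, self.remote_ports)
                and (self.app is None or self.app == p.app))


def evaluate(rules: List[Rule], packet: Packet, default: str = "DENY"):
    """Kerio/Tiny semantics: try rules from the top, the first match decides.
    Returns (action, name of the deciding rule)."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action, rule.name
    return default, "implicit default"


# Rules 7, 8 and 20 from the post, expressed with the fields above.
RULE7 = Rule("7 Block High Trojan Ports", "DENY", ("TCP", "UDP"), ("in", "out"),
             local_ports=(5000, 65535))
RULE8 = Rule("8 Block Outbound Unauthorized Apps", "DENY", ("TCP", "UDP"), ("out",))
RULE20 = Rule("20 Internet Explorer", "PERMIT", ("TCP",), ("out",), app="iexplore.exe")

AS_NUMBERED = [RULE7, RULE8, RULE20]    # the order in which the post numbers them
FIXED = [RULE7, RULE20, RULE8]          # application permit above the catch-all deny

# Constructed packets: an outbound HTTP request from Internet Explorer on
# Windows XP (ephemeral local ports 1025-5000), the same request on Windows
# Vista or later (49152-65535), and one from a program with no rule.
IE_XP = Packet("TCP", "out", local_port=3021, remote_port=80, app="iexplore.exe")
IE_VISTA = Packet("TCP", "out", local_port=51234, remote_port=80, app="iexplore.exe")
UNKNOWN = Packet("TCP", "out", local_port=3022, remote_port=80, app="unknown.exe")

if __name__ == "__main__":
    for label, rules in (("as numbered", AS_NUMBERED), ("fixed order", FIXED)):
        for pkt in (IE_XP, IE_VISTA, UNKNOWN):
            print(label, pkt.app, pkt.local_port, "->", evaluate(rules, pkt))
```

Running it shows IE denied by rule 8 in the numbered order and permitted by rule 20 once the permit is moved above the catch-all, while the same browser on a Vista-era ephemeral port is denied by rule 7 regardless of order; the unknown program is denied by rule 8 in both orders, which is the default-deny behaviour the post wants.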

Saturday, May 12, 2007

ROUTER Configuration (part: III end)


Cisco Basic Router

The basic components of a Cisco router are:

1. Processor

2. Memory:
* Read-only memory (ROM): like the ROM in a PC, it holds the bootstrap code that runs during the boot process.
* Flash memory: holds the Cisco operating system, IOS.
* Random access memory (RAM): holds the running configuration, the routing tables and packet buffers.
* Non-volatile RAM (NVRAM): holds the startup configuration that IOS loads when the router boots.

3. Interfaces:
The interfaces of a Cisco router are:





Interfaces are named on IOS with a type name followed by a number, and numbering starts from zero (0). How the number is assigned depends on the router type. On fixed-configuration Cisco routers the interface numbers are fixed:



On Cisco 7500 series routers with Versatile Interface Processors, where a slot holds port adapters with Ethernet ports, the numbering is more specific and needs care: Ethernet4/0/1 means the second port (port number 1, counting from 0) on the first port adapter (0) in slot 4.



Console port

A Cisco router has a console port on the back of the hardware. The console port gives direct, local access to the router for configuration. The standard console port is an asynchronous serial EIA/TIA-232 port, also known as RS-232.

The console connector depends on the router type: low-end to mid-range routers use an RJ-45 connector, the other router classes use a DB-25 connector.

Auxiliary port

A Cisco router also has an auxiliary port. It is the same kind of asynchronous serial EIA/TIA-232 connection as the console port and likewise gives direct access to the router. In addition, the auxiliary port can be connected to a modem as an alternative, out-of-band path, so the administrator can still reach the router when the network path to it has failed. Because a modem makes it reachable from outside, the aux line needs a password (or AAA) just like the console and VTY lines.

Configuration files
IOS keeps two configurations:
1. The running configuration, in RAM
2. The startup configuration, in NVRAM

The configuration can be changed while IOS is running, and the change takes effect immediately, but it lives only in RAM. Do not forget to save it to NVRAM as the startup configuration, otherwise it is lost at the next reboot.

Configuring a Cisco router from a PC

To configure a Cisco router from a PC you need a terminal emulation program, which sends your keystrokes to the router over the console cable. Windows XP ships with one (HyperTerminal).



Next step you have to setup the emulation software setting.

9600 baud
8 data bits
No parity
1 stop bit
No flow control

You can also connect to the router with telnet once an IP address has been set on the router. Keep in mind that telnet sends the password in clear text; where the IOS image supports it, use SSH instead and restrict the VTY lines with an access list.

Router command modes:
Here are some of the Cisco commands.



Setting up a new Cisco router:

To configure the router we must get to the configure command.
The steps, using the terminal emulator connected to the console port of the Cisco router, are:

When the router boots for the first time it normally shows the setup dialog and asks you to confirm. Answer no:

Would you like to enter the initial configuration dialog [yes] : no
.
.
router>


The default prompt is router>, which is called user EXEC mode.

The hostname shown in the prompt can be changed, much like the DOS prompt:

Router>
1600>
1700>


In user EXEC mode you can list all available commands by typing ?:

router> ?


To see the syntax of a command, type:

Router> ?
Router> show ?
Router> show conf?


To reach privileged EXEC mode, where the configure command is available, type enable and the enable password:

1700> enable
password: ******
router#


To configure:

Router# configure terminal
Router(config)#

After changing the configuration, save it to NVRAM so that it survives a reboot:

Router# copy running-config startup-config
Building configuration . . .


Result of the save:

[OK]
router#


The next step for configuration is:
• Global parameter configuration
• Security Configuration
• Fast ethernet interface configuration
• Serial interface configuration
• Dynamic routing configuration
• Command-line access to the router

Global parameter configuration:

To start configuring the router, enter privileged mode with enable:

Router> enable
Router #


Steps to configure the router's global parameters:



Security configuration setting,



INTERFACE FAST ETHERNET configuration

Note how the router prompt changes from the one above as you enter interface configuration mode.



Serial INTERFACE setting



Dynamic routing parameter setting



COMMAND-LINE access configuration



To save all configuration :

1700# write memory

(write memory is the older form of copy running-config startup-config.)

To check the interface status:

stc# show interface ser0
Serial0 is up, line protocol is up
Hardware is PowerQUICC Serial
Description: leased line to headquarters
Interface is unnumbered. Using address of FastEthernet0 (192.168.20.1)
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, rely 255/255, load 1/255
Encapsulation PPP, loopback not set, keepalive set (10 sec)
LCP Closed
.
.
.


Make sure the serial interface and the line protocol are both up.

Do the same configuration on the LTX side; the only difference is the router IP, which for LTX is 192.168.10.1.
Check the IP address for each modem with your provider before configuring the router.

LTX's Internet traffic must be routed to the STC network, because only STC has direct Internet access.

This only covers basic connectivity between the two networks; for security, a firewall (access lists) still has to be configured on the router.


Wednesday, May 9, 2007

ROUTER Configuration (part: II)


Static and Dynamic Routers

For routing between routers to work efficiently in an internetwork, routers must know the other network IDs or be configured with a default route. On a large internetwork the routing tables must be maintained so that traffic always travels along optimal paths. How the routing tables are maintained defines the distinction between static and dynamic routing.


Static Routing

A router with manually configured routing tables is known as a static router. A network administrator, with knowledge of the internetwork topology, manually builds and updates the routing table, programming all routes in the routing table. Static routers can work well for small internetworks but do not scale well to large or dynamically changing internetworks due to their manual administration.

Static routers are not fault tolerant. The lifetime of a manually configured static route is infinite and, therefore, static routers do not sense and recover from downed routers or downed links.





A good example of a static router is a multihomed computer running Windows 2000 (a computer with multiple network interface cards). Creating a static IP router with Windows 2000 is as simple as installing multiple network interface cards, configuring TCP/IP, and enabling IP routing.

Dynamic Routing

A router with dynamically configured routing tables is known as a dynamic router. Dynamic routing consists of routing tables that are built and maintained automatically through an ongoing communication between routers. This communication is facilitated by a routing protocol, a series of periodic or on-demand messages containing routing information that is exchanged between routers. Except for their initial configuration, dynamic routers require little ongoing maintenance, and therefore can scale to larger internetworks.

Dynamic routing is fault tolerant. Dynamic routes learned from other routers have a finite lifetime. If a router or link goes down, the routers sense the change in the internetwork topology through the expiration of the lifetime of the learned route in the routing table. This change can then be propagated to other routers so that all the routers on the internetwork become aware of the new internetwork topology.

The ability to scale and recover from internetwork faults makes dynamic routing the better choice for medium, large, and very large internetworks.

A good example of a dynamic router is a computer with Windows 2000 Server and the Routing and Remote Access Service running the Routing Information Protocol (RIP) and Open Shortest Path First (OSPF) routing protocols for IP and RIP for IPX.
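The two claims above (a static route has an infinite lifetime and never notices a dead link; a learned route has a finite lifetime and is withdrawn when its neighbour stops refreshing it) are easy to see in code. The following is an added example in Python, not code from the original post or from any Cisco or Windows product: a toy distance-vector exchange in the spirit of RIP, with hop counts, the metric 16 = unreachable convention and split horizon taken from RIP. The timeout is counted in update rounds rather than RIP's 180 seconds, and the three-router line topology LTX - STC - HQ, with 10.0.0.0/8 behind HQ, is assumed for the example.

```python
"""
Added example, not from the original post: RIP-style distance-vector routing
with route timers, to show why dynamic routing is fault tolerant and a
static (connected) route is not. Topology and timeout are assumptions.
"""
INFINITY = 16   # RIP: a metric of 16 means "unreachable"
TIMEOUT = 3     # assumed: a learned route expires after this many missed updates


class DVRouter:
    def __init__(self, name, connected):
        self.name = name
        self.neighbors = {}
        # destination -> [metric, next hop, rounds since last refresh]
        self.table = {net: [0, "connected", 0] for net in connected}

    def link(self, other):
        self.neighbors[other.name] = other
        other.neighbors[self.name] = self

    def advertise(self, to):
        # Split horizon: never tell a neighbour about routes learned from it,
        # which keeps this line topology free of count-to-infinity loops.
        return {dst: m for dst, (m, via, _) in self.table.items() if via != to}

    def receive(self, frm, adv):
        for dst, metric in adv.items():
            new = min(metric + 1, INFINITY)
            cur = self.table.get(dst)
            if new >= INFINITY:
                if cur is not None and cur[1] == frm:
                    del self.table[dst]          # the next hop itself lost the route
                continue
            if cur is None or new < cur[0] or cur[1] == frm:
                self.table[dst] = [new, frm, 0]  # learn, improve or refresh; timer reset

    def age_routes(self):
        for dst, entry in list(self.table.items()):
            if entry[1] == "connected":
                continue                   # a connected/static route has no timer
            entry[2] += 1
            if entry[2] >= TIMEOUT:
                del self.table[dst]        # refresh missed TIMEOUT times: withdraw


def build_topology():
    ltx = DVRouter("LTX", ["192.168.10.0/24"])
    stc = DVRouter("STC", ["192.168.20.0/24"])
    hq = DVRouter("HQ", ["10.0.0.0/8"])     # assumed third site behind STC
    ltx.link(stc)
    stc.link(hq)
    return {"LTX": ltx, "STC": stc, "HQ": hq}


def run_round(routers, down_links=frozenset()):
    """One update interval: age the timers, then every router sends its table
    to each neighbour over the links that are up (a failed link drops updates)."""
    for r in routers.values():
        r.age_routes()
    updates = [(r.name, nb, r.advertise(nb)) for r in routers.values() for nb in r.neighbors]
    for src, dst, adv in updates:
        if frozenset((src, dst)) in down_links:
            continue
        routers[dst].receive(src, adv)


def route(routers, name, dst):
    """(metric, next hop) for dst at router `name`, or None if there is no route."""
    entry = routers[name].table.get(dst)
    return None if entry is None else (entry[0], entry[1])


def demo():
    routers = build_topology()
    for _ in range(3):
        run_round(routers)                  # let the tables converge
    before = route(routers, "LTX", "10.0.0.0/8")
    failed = frozenset({frozenset({"STC", "HQ"})})   # the STC-HQ link goes down
    rounds = 0
    while route(routers, "LTX", "10.0.0.0/8") is not None:
        run_round(routers, failed)
        rounds += 1
    return {
        "ltx_route_before_failure": before,                   # (2, "STC")
        "rounds_until_ltx_withdraws": rounds,                 # 5
        "stc_route_after_failure": route(routers, "STC", "10.0.0.0/8"),   # None
        "ltx_connected_route": route(routers, "LTX", "192.168.10.0/24"),  # (0, "connected")
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

STC stops hearing from HQ, its learned route times out after TIMEOUT rounds and it stops advertising it, and LTX's copy times out TIMEOUT rounds later; no operator touched a table. The connected route on LTX is the static case: it has no timer and is never withdrawn, which is exactly why a static router cannot sense a downed link on its own.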

TCP/IP Interior Routing Protocols (RIP, OSPF, GGP, HELLO, IGRP, EIGRP)

Modern TCP/IP routing architecture groups routers into autonomous systems (ASes) that are independently controlled by different organizations and companies. The routing protocols used to facilitate the exchange of routing information between routers within an AS are called interior routing protocols (or historically, interior gateway protocols). Since most network administrators are responsible for routers within a particular organization, these are the routing protocols you are most likely to deal with unless you become a major Internet big-shot.

One of the benefits of autonomous systems architecture is that the details of what happens within an AS are hidden from the rest of the internetwork. This means that there is no need for universal agreement on a single "language" for an internet as is the case for exterior routing protocols. As a network administrator for an AS, you are free to choose whatever interior routing protocol best suits your networks. The result of this is that there is no agreement on the use of a single TCP/IP interior routing protocol. There are several common ones in use today, though as is usually the case, some are more popular than others.

TCP/IP Routing Information Protocol (RIP, RIP-2 and RIPng):

The most popular of the TCP/IP interior routing protocols is the Routing Information Protocol (RIP). The simplicity of the name matches the simplicity of the protocol—RIP is one of the easiest to configure and least resource-demanding of all the routing protocols. Its popularity is due both to this simplicity and its long history. In fact, support for RIP has been built into operating systems for as long as TCP/IP itself has existed.

In this section I describe the characteristics and operation of the TCP/IP Routing Information Protocol (RIP). There are three versions of RIP: RIP versions 1 and 2 for IP version 4 and RIPng (next generation) for IP version 6. The basic operation of the protocol is mostly the same for all three versions, but there are also some notable differences between them, especially in terms of the format of messages sent.

For this reason, I have divided my description of RIP into two subsections. In the first, I describe the fundamental attributes of RIP and its operation in general terms for all three versions. In the second, I take a closer look at each version, showing the message format used for each and discussing version-specific features as well.

Open Shortest Path First (OSPF):

Interior routing protocols that use a distance-vector routing algorithm, such as the Routing Information Protocol (RIP), have a long history and work well in a small group of routers. However, they have serious limitations in scalability and performance that make them poorly suited to larger autonomous systems or to those with specific performance needs. Many organizations that start out with RIP quickly find that its restrictions make it less than ideal.

To solve this problem, a new routing protocol was developed in the late 1980s that uses the more capable (and more complex) link-state or shortest path first routing algorithm. This protocol is called Open Shortest Path First (OSPF). It fixes many of the issues with RIP and allows routes to be selected dynamically based on the current state of the network, not just a static picture of how routers are connected. It also includes numerous advanced features, including support for a hierarchical topology and automatic load sharing amongst routes. On the downside, it is a complicated protocol, which means it is often not used unless it is really needed. This makes it the complement of RIP and is the reason they both have a place in the spectrum of TCP/IP routing protocols.

Gateway-to-Gateway Protocol (GGP):

GGP is a MILNET protocol specifying how core routers (gateways) should exchange reachability and routing information. GGP uses a distributed shortest-path algorithm. The Gateway-to-Gateway Protocol is obsolete.

HELLO:

HELLO is an early routing protocol for TCP/IP networks that uses a distance-vector algorithm. Unlike RIP, HELLO does not use hop count as its metric; it tries to select the best route by measuring network delay and choosing the path with the shortest delay. HELLO messages carry routing information as a set of destinations the sending router can reach, with a metric for each. HELLO was developed in the early 1980s and is documented in RFC 891. The name HELLO is written in capitals and should not be confused with the hello packets used by several other protocols (OSPF among them).

IGRP: Interior Gateway Routing Protocol:

The Interior Gateway Routing Protocol (IGRP) is a routing protocol to provide routing within an autonomous system (AS). In the mid-1980s, the most popular interior routing protocol was the Routing Information Protocol (RIP). Although RIP was quite useful for routing within small- to moderate-sized, relatively homogeneous internetworks, its limits were being pushed by network growth. The popularity of Cisco routers and the robustness of IGRP encouraged many organizations with large internetworks to replace RIP with IGRP.

EIGRP: Enhanced Interior Gateway Routing Protocol:

Enhanced Interior Gateway Routing Protocol (EIGRP) is Cisco's enhanced version of IGRP. IGRP is Cisco's proprietary Interior Gateway Routing Protocol, used in TCP/IP and OSI internetworks. It is regarded as an interior gateway protocol (IGP), but it has also been used extensively as an exterior gateway protocol for inter-domain routing.

ROUTER Concept:

Before configuring a Cisco router we need the basic rules of routing: how IP addresses are assigned, subnetting, netmasks and the other things the routing concept depends on.

Example:

Host A: 192.168.1.9 (class C subnet 192.168.1.0/24)
Host B: 192.168.1.10 (class C subnet 192.168.1.0/24)
Host C: 192.168.5.8 (class C subnet 192.168.5.0/24)
Host D: 192.168.6.5 (class C subnet 192.168.6.0/24)

Host A can communicate with host B directly (same subnet).

Host A cannot communicate with host C or host D (different subnet).

Host B cannot communicate with host C or host D (different subnet).

The question:

How do we connect host A and host C?

Answer:

Hosts on different subnets are connected through a ROUTER.

How do we set up a new router to connect hosts on different networks? (see my case)

Case:
We have two factories in different areas, and of course each factory has its own network. My boss needs to connect the factories, let's say factory Stc and factory Ltx. The Stc factory is the data center and the gateway for the Internet connection, because there is no Internet connection around the location of the
Ltx factory. (see the scheme picture)
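The subnet test behind the "same subnet" remarks above, and the routing table that answers the question, as an added example in Python (not code from the original posts). It also serves the STC/LTX case, including the part III note that LTX reaches the Internet only through STC: each router holds a static table and picks the most specific matching route, falling back to a default route. The network numbers (192.168.10.0/24 for LTX, 192.168.20.0/24 for STC) follow the addresses shown in part III; the interface names FastEthernet0 and Serial0, the default route toward STC, the ISP next hop and the destination addresses are assumptions for the example and not the blog's actual router configuration.

```python
"""
Added example, not from the original posts: the subnet test behind the
"see the subnet" remarks, plus a static routing table with longest-prefix
match for the STC / LTX case. Interface names, the default routes and the
destination hosts used below are assumptions for the example.
"""
import ipaddress
from typing import List, Optional, Tuple


def same_subnet(host_a: str, host_b: str, prefixlen: int = 24) -> bool:
    """Two hosts talk directly, without a router, only when the network
    part of their addresses is identical (/24 is the old class C mask)."""
    net_a = ipaddress.ip_interface(f"{host_a}/{prefixlen}").network
    net_b = ipaddress.ip_interface(f"{host_b}/{prefixlen}").network
    return net_a == net_b


class StaticRouter:
    """A manually configured routing table: the 'static router' of the text.
    Entries never time out, so a dead next hop keeps being returned."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.routes: List[Tuple[ipaddress.IPv4Network, str]] = []

    def add_route(self, network: str, via: str) -> None:
        # Same intent as IOS "ip route <network> <mask> <next hop | interface>"
        self.routes.append((ipaddress.ip_network(network), via))

    def lookup(self, destination: str) -> Optional[str]:
        """Longest prefix match: the most specific matching route wins;
        the 0.0.0.0/0 default route only applies when nothing else does."""
        dst = ipaddress.ip_address(destination)
        matching = [(net.prefixlen, via) for net, via in self.routes if dst in net]
        if not matching:
            return None   # no route: the router drops the packet and reports it with ICMP
        return max(matching, key=lambda m: m[0])[1]


def build_ltx_router() -> StaticRouter:
    """LTX has no Internet link of its own, so everything that is not local
    is sent over the serial line to STC (interface names assumed)."""
    r = StaticRouter("LTX")
    r.add_route("192.168.10.0/24", "FastEthernet0")   # LTX LAN (router 192.168.10.1)
    r.add_route("192.168.20.0/24", "Serial0")         # STC LAN across the leased line
    r.add_route("0.0.0.0/0", "Serial0")               # default route: Internet via STC
    return r


def build_stc_router() -> StaticRouter:
    """STC is the gateway: its default route points at the ISP (name assumed)."""
    r = StaticRouter("STC")
    r.add_route("192.168.20.0/24", "FastEthernet0")   # STC LAN (router 192.168.20.1)
    r.add_route("192.168.10.0/24", "Serial0")         # LTX LAN across the leased line
    r.add_route("0.0.0.0/0", "ISP")
    return r


if __name__ == "__main__":
    # The four hosts from the example above
    print("A <-> B", same_subnet("192.168.1.9", "192.168.1.10"))
    print("A <-> C", same_subnet("192.168.1.9", "192.168.5.8"))
    ltx = build_ltx_router()
    for dst in ("192.168.10.77", "192.168.20.1", "203.0.113.5"):
        print("LTX", dst, "->", ltx.lookup(dst))
```

The lookup is the same longest-prefix decision a Cisco router makes for its ip route entries: a packet for STC's LAN matches the /24 and is sent over Serial0, a packet for an Internet address matches only the /0 default route, and a router without a default route returns no route at all for an unknown destination.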




What we have to do once get the router...?

to be continued....!



Sunday, May 6, 2007

ROUTER Configuration (part: I)


The first question is: what is a router?

A router is a device that forwards data packets between networks. A router is connected to at least two networks, commonly two LANs or WANs, or a LAN and its ISP's network. Routers are located at gateways, the places where two or more networks connect.





Routers use packet headers and forwarding tables to determine the best path for forwarding packets. They learn those paths from each other through routing protocols; ICMP is not a routing protocol, but routers use it to report errors such as an unreachable destination and to send redirects.

So how do we connect the networks above?
This posting explains the mechanism, the basic router commands and the Interior Routing Protocols, which I abbreviate as IRP.

I wrote this based on what I tested and implemented at my office using a Cisco 805 Series router, in use since 2002 and working well so far.
TCP/IP Concept: what is tcp/ip ?

TCP/IP (Transmission Control Protocol/Internet Protocol) is the basic communication language or protocol of the Internet. It can also be used as the communications protocol of a private network (an intranet or an extranet). When you are set up with direct access to the Internet, your computer is provided with a TCP/IP implementation, just as every other computer you send messages to or get information from has one.

TCP/IP can be thought of as two layers. The higher layer, Transmission Control Protocol, splits a message or file into smaller packets that are transmitted over the Internet and received by a TCP layer that reassembles them into the original message. The lower layer, Internet Protocol, handles the address part of each packet so that it gets to the right destination.
Each gateway (router) on the way checks this address to see where to forward the packet. Even if some packets of the same message take a different route than others, they are reassembled at the destination.

TCP/IP uses the client/server model of communication in which a computer user requests and is provided a service (such as sending a Web page) by another computer (a server) in the network. TCP/IP communication is primarily point-to-point, meaning each communication is from one point (or host computer) in the network to another point or host computer. TCP/IP and the higher-level applications that use it are collectively said to be "stateless" because each client request is considered a new request unrelated to any previous one (unlike ordinary phone conversations that require a dedicated connection for the call duration). Being stateless frees network paths so that everyone can use them continuously. (Note that the TCP layer itself is not stateless as far as any one message is concerned. Its connection remains in place until all packets in a message have been received.)

Many Internet users are familiar with the even higher layer application protocols that use TCP/IP to get to the Internet. These include the World Wide Web's Hypertext Transfer Protocol (HTTP), the File Transfer Protocol (FTP), Telnet (Telnet) which lets you logon to remote computers, and the Simple Mail Transfer Protocol (SMTP). These and other protocols are often packaged together with TCP/IP as a "suite."

Personal computer users with an analog phone modem connection to the Internet usually get to the Internet through the Serial Line Internet Protocol (SLIP) or the Point-to-Point Protocol (PPP). These protocols encapsulate the IP packets so that they can be sent over the dial-up phone connection to an access provider's modem.

Protocols related to TCP/IP include the User Datagram Protocol (UDP), which is used instead of TCP for special purposes. Other protocols are used by routers for exchanging routing information: the interior gateway protocols (IGPs) such as RIP and OSPF, the Exterior Gateway Protocol (EGP) and the Border Gateway Protocol (BGP). The Internet Control Message Protocol (ICMP) carries error and control messages rather than routes.

Routing: what Is Routing?

Routing is a process of moving a packet of data from source to destination. Routing is usually performed by a dedicated device called a router. Routing is a key feature of the Internet because it enables messages to pass from one computer to another and eventually reach the target machine. Each intermediary computer performs routing by passing along the message to the next computer. Part of this process involves analyzing a routing table to determine the best path.

Routing is often confused with bridging, which performs a similar function. The principal difference is that bridging works at a lower layer (layer 2, on MAC addresses) and is therefore more of a hardware function, whereas routing works at a higher layer (layer 3, on IP addresses), where the software component is more important. Because routing works at a higher layer, it can perform more complex analysis to determine the optimal path for the packet.

to be continued.....


Cisco router 805 specification


We have been using this router since 2002.

Cisco 805 Series Serial Router

The Cisco 805 Serial Router offers enhanced network security and reliability through the power of Cisco IOS® Software technology tailored for small offices.









Figure 1

The Cisco 805 Serial Router gives small offices enhanced security, superior reliability, and safe investment with low cost of ownership.

The Cisco 805 Serial Router extends the power of Cisco IOS Software technology to small offices. Cisco IOS Software offers enhanced security, reliability, and safe investment, combined with low cost of ownership, to enable customers to benefit from increased productivity, simplified communication, and reduced costs (Figure 1). The Cisco 805 Serial Router enables customers to benefit from value-added services such as managed network services, virtual private networks (VPNs), point-of-sale (POS) applications, and secure Internet access.

Benefits of Using Cisco 805 Serial Router

Taking advantage of its expertise and leadership in Internet solutions, Cisco Systems offers solutions for small-office routing solutions that provide secure and reliable access to the Internet or corporate networks.

Enhanced Security

The Cisco 805 Serial Router has enhanced security features such as an integrated stateful firewall and IP Security (IPSec) encryption to enable VPNs. These features allow small offices and telecommuters to conduct business over the Internet while protecting valuable resources.

Superior Reliability

Because the Cisco 805 Serial Router is based on the same proven Cisco IOS Software technology used throughout the Internet, small offices can depend on it just as enterprise customers take advantage of Cisco reliability. In addition, a Cisco 805 Serial Router provides Internet access to multiple users without being tied to a server or dedicated PC. This means if a server on the LAN crashes, other users remain connected to the Internet.

Safe Investment and Low Cost of Ownership

The Cisco 805 Serial Router offers memory options that can be upgraded in the field so the latest networking features can be added when necessary. With an advanced processor and memory architecture, they can support future applications as customer networking needs expand. Table 1 provides a summary of Cisco 805 Serial Router hardware features.

With Cisco IOS Software, customers using the Cisco 805 Serial Router can reduce operational costs for training, management, installation, and deployment.

Table 1: Summary of Cisco 805 Serial Router hardware features.

Feature        Details
LAN            One 10BASE-T (RJ-45)
WAN            Serial port compatible with EIA/TIA-232, EIA/TIA-449, EIA/TIA-530, EIA/TIA-530A, X.21 and V.35 (both data terminal equipment [DTE] and data communications equipment [DCE])
Console port   RJ-45
LAN port       One Ethernet


Product Features

Security

To take advantage of the unprecedented opportunities offered by communications and commerce over the Internet, companies need to secure private information. Cisco Secure Integrated Software provides many technologies to build a custom security solution. The elements of security services include perimeter security, identity, monitoring, privacy, firewalls, IPSec encryption, and VPNs.

Standard Security

Perimeter security refers to the control of traffic entry and exit between network boundaries, such as between private networks, intranets, extranets, or the Internet. Cisco IOS Software perimeter security technologies provide a highly flexible, superior solution with features such as:

• Standard and extended access control lists (ACLs)

• Lock and key (dynamic ACLs)

• Router and route authentication, authorization, and accounting (AAA) protocols such as Password Authentication Protocol (PAP) or Challenge Handshake Authentication Protocol (CHAP), and MS-CHAP

• Network Address Translation (NAT) (including multi-NAT)

• Token card authentication with Cisco Secure authentication

NAT eliminates the need to re-address all hosts with existing private network addresses and hides internal addresses from public view. For businesses that want to allow selected access to the network, NAT can be configured to allow only certain types of data requests such as Web browsing, e-mail, or file transfers.

Enhanced Security

Dynamic firewall—Companies increasingly rely on internal networks and servers to access company data. To use the Internet as a key business tool, companies must connect their internal networks to the Internet, while keeping sensitive internal data secure. Company data can be protected against unauthorized access with stateful firewalls. The integrated Cisco IOS Firewall Feature Set is a stateful firewall that provides:

– Stateful (dynamic) ACLs (application or context based)

– Java blocking

– Denial-of-service attack detection and prevention

– Real-time alerts and audit trails

Dynamic firewalls provide these vital enhanced security features. Many vendors use the term firewall, but not every product sold under that name is a stateful firewall; firewalls that are not dynamic do not provide these enhanced security features.
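To make the perimeter and stateful-firewall features above concrete, here is an added example configuration (not taken from the data sheet or from Cisco) that builds a default-deny perimeter on the serial WAN port from the features listed: an extended ACL, NAT overload, and Cisco IOS Firewall (CBAC) inspection including Java blocking. The interface names, addresses, and the inspection-rule name PERIM are assumptions; 192.0.2.0/24 is a documentation address range.

```cisco
! Added example, not the data sheet's own configuration.
! Stateful inspection: sessions leaving through Serial0 are remembered,
! and only their return traffic is opened through the inbound ACL 101.
ip inspect name PERIM tcp
ip inspect name PERIM udp
! Java blocking: applets are allowed only from sites matched by ACL 10;
! applets from any other site are dropped.
ip inspect name PERIM http java-list 10
access-list 10 permit 192.0.2.0 0.0.0.255
!
! Inbound ACL on the WAN side. The explicit deny at the end is the
! default-deny policy; CBAC adds temporary entries ahead of it for
! return traffic of permitted outbound sessions. Classic CBAC does not
! inspect ICMP, so the two replies needed for troubleshooting are static.
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any unreachable
access-list 101 deny   ip any any log
!
! Office LAN hosts allowed to use NAT (assumed 10.10.10.0/24).
access-list 1 permit 10.10.10.0 0.0.0.255
!
interface Ethernet0
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
!
interface Serial0
 ip address 192.0.2.1 255.255.255.252
 ip nat outside
 ip access-group 101 in
 ip inspect PERIM out
!
! Hide all LAN addresses behind the single WAN address (NAT overload).
ip nat inside source list 1 interface Serial0 overload
```

The "deny ip any any log" line also produces the audit trail the data sheet mentions: every packet that reaches the perimeter without a matching session is logged, which is the first place to look when a service appears blocked.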

Encryption and Tunneling

The Cisco 805 Serial Router provides IPSec encryption technology to enable small offices and telecommuters to deploy VPNs. IPSec encryption provides privacy, integrity, and authenticity for transmission of sensitive information over the Internet. The unique end-to-end Cisco offering allows customers to implement IPSec encryption transparently into the network without affecting individual PCs. The Cisco 805 Serial Router with IPSec encryption allows significant cost savings by using the Internet to create secure connections between small offices and teleworkers. As a component of the Cisco VPN solution, the Cisco 805 Serial Router supports:

• IPSec tunneling with 128- or 56-bit Data Encryption Standard (DES or Triple DES [3DES])

• Layer 2 Tunneling Protocol (L2TP)

• Generic routing encapsulation (GRE)

Manageability

The Cisco 805 Serial Router supports management by a wide range of platforms and applications. Cisco ConfigMaker (Microsoft) and CiscoView (UNIX) applications provide superior capabilities for configuration and security management, as well as performance and fault monitoring. The Cisco 805 Serial Router supports centralized administration and management using Simple Network Management Protocol (SNMP), Telnet, or local management through the router console port.

Safe Investment

Small offices with limited time, money, and staff need to know their technology investments are safe. Field-expandable DRAM and Flash memory allow small offices to take advantage of new Cisco IOS Software feature enhancements. And because the Cisco 805 Serial Router incorporates an advanced processor and memory architecture, it can support future applications as customer networking needs expand.

Companies using the Cisco 805 Serial Router can take advantage of Cisco industry-leading support options that help to ensure the router stays up and running. These support services include:

• Cisco IOS Software updates in features such as protocol, security, and bandwidth

• Full access to Cisco.com for technical assistance and product information

• Twenty-four-hour access to the industry's largest dedicated technical support staff, with the first 90 days included at no charge

Installation and Configuration Tools

The Cisco 805 Serial Router also supports configuration with the Cisco ConfigMaker application. Cisco ConfigMaker is a software tool designed to configure a small network of Cisco routers, switches, hubs, and other network devices from a single PC using Windows 95, 98, 2000, or NT 4.0. It is designed for resellers and network administrators of small and medium-sized businesses that are proficient in LAN and WAN fundamentals and basic network design.

For additional setup ease, the Cisco 805 Serial Router has color-coded ports and cables to help users make proper connections. Quick Reference Guide documentation provides easy-to-follow installation instructions. Key features and benefits of the Cisco 805 Serial Router are defined in Table 2, and Table 3 lists Cisco 805 Serial Router hardware specifications.

Table 2: Cisco 805 Serial Router Key Features and Benefits

Standard Security
  PAP, CHAP, MS-CHAP, and ACLs
    • Protects the network from unauthorized access
  Route and router authentication
    • Accepts routing table updates only from known routers, ensuring no corrupt information from unknown sources is received

Enhanced Security
  Cisco IOS Firewall feature set
    • Offers internal users secure, per-application dynamic ACLs for all traffic across perimeters
    • Defends and protects router resources against denial-of-service attacks
    • Checks packet headers and drops suspicious packets
    • Protects against unidentified, malicious Java applets
    • Details transactions for reporting on a per-application, per-feature basis
  IPSec encryption (DES and 3DES)
    • Ensures data integrity and authenticity of origin by using standards-based encryption
    • Provides security for all users on the LAN without configuring individual PCs

Superior Reliability
  Cisco IOS Software technology
    • Proven technology that is used throughout the backbone of the Internet
  Standalone router
    • Provides Internet access to multiple users without being tied to a server or dedicated PC; if one user's PC on the LAN crashes, other users can still access the Internet

Management
  Cisco ConfigMaker, SNMP, Service Assurance (SA) Agent, TACACS+
    • Graphical user interface (GUI)-based Windows configuration tools for novice users
    • Remote management and monitoring by way of SNMP or Telnet, and local management through the console port

Safe Investment
  Field-expandable memory
    • Allows customers to add features as networking needs expand
  Advanced processor and memory architecture
    • Ensures the platform can support processor-intensive applications
  World-class support
    • Helps customers keep their Cisco 805 serial routers running all the time

Low Cost of Ownership
  Lower operational costs
    • Allows customers to use existing knowledge of Cisco IOS Software for installation and manageability

Bandwidth Optimization
  Quality of service (QoS) and Weighted Fair Queuing
    • Ensures consistent response times for multiple applications by allocating bandwidth intelligently
    • Gives the most important applications priority use of the WAN line
  Choice of encapsulation (Point-to-Point Protocol [PPP], High-Level Data Link Control [HDLC], Frame Relay)
    • Ensures compatibility with the existing network
  "Snapshot" routing for IP and Internetwork Packet Exchange (IPX)
    • Allows efficient use of available bandwidth
  X.25 packet data
    • Permits data transfer over X.25 networks

Simplified Setup and Installation
  NAT
    • Lets businesses conserve valuable IP addresses
    • Reduces time and costs by reducing IP address management
  Cisco IOS Software Easy IP
    • Enables true mobility: client IP addresses are transparently configured by the Cisco IOS Dynamic Host Configuration Protocol (DHCP) server each time a client powers up
  Color-coded ports and cables and Quick Start Reference Guide
    • Helps users make proper connections
    • Provides easy-to-follow installation instructions


Table 3: Cisco 805 Serial Router Hardware Specification

10BASE-T Ethernet port: Provides connection to a 10BASE-T (10 Mbps) Ethernet network; compatible with a 10/100-Mbps device
Serial port: Provides connection to EIA/TIA-232, EIA/TIA-449, EIA/TIA-530, EIA/TIA-530A, X.21, and V.35 DTE or DCE
RJ-45 console port: Provides connection to a terminal or PC for software configuration and for router troubleshooting
Flash memory: Router provides 4 MB of Flash memory
DRAM: Router provides 8 MB of DRAM [1]
Ease of installation: Color-coded ports and cables reduce the chance of error
Cisco IOS Software: Router supports a subset of Cisco IOS Software
Cable lock: Provides a way to physically secure the router
Locking power connector: Locks the power connector in place
Wall-mount feature: Brackets on the router bottom provide a way to mount the router on a wall or vertical surface


Cisco IOS Software Feature Sets

Five Cisco IOS Software feature sets are available on the Cisco 805 Serial Router:

• IP

• IP/Plus

• IP/FW

• IP/VPN

• IP/VPN/IPX/Plus


Technical Specification

Physical Dimensions
  Dimensions (H x W x D): 2.0 x 9.7 x 8.3 in. (5.1 x 24.6 x 21.1 cm)
  Weight (does not include desktop power supply): 1.5 lb (0.66 kg)

Environmental Operating Ranges
  Nonoperating temperature: -4 to 149°F (-20 to 65°C)
  Nonoperating humidity: 5 to 95%, relative humidity
  Nonoperating altitude: 0 to 15,000 ft (4570 m)
  Operating temperature: 32 to 104°F (0 to 40°C)
  Operating humidity: 10 to 85%, relative humidity
  Operating altitude: 0 to 10,000 ft (3000 m)

Power
  AC input voltage: 100 to 240 VAC
  Frequency: 50 to 60 Hz
  Power consumption: 20 W


Regulatory Approvals

Safety Standards
  UL 1950
  CSA 22.2 No. 950
  TUV-GS to EN 60950:1992 with Amendments A1 through A4
  IEC 60950 with Amendments A1 through A4 and all country deviations
  AS/NZS 3260 with Amendments A1 through A4
  EN 41003

EMI Standards
  CFR 47, part 15, class B
  ICES, Issue 2, class B
  VCCI class 2
  AZ/NRZ 3548 class B
  EN 55022, IEC 1000-3-3
  IEC 1000-4-2 level 4
  IEC 1000-4-3 level 3
  IEC 1000-4-4 level 3
  IEC 1000-4-5 level 3

PTT Standards
  CTR2
  TC 130
  (CE168_X_)
  JATE
  TS-001:1997
  EN 300 047
  IEEE 802.3