
Security Overview

NQG_101

The Netopia router offers a variety of security features. An understanding of what each feature does, and of how they interact, is necessary for effective security design. This Quick Guide provides an overview of the Netopia router's basic security features and shows how they can be combined to meet some common security needs. Topics covered include Network Address Translation, Filter Sets and Password Protection.

Please Note: If your router is currently running Netopia Residential Firmware with a web "GUI" configuration menu, this technote does not apply to you. Most 3300 Series Netopia Gateways can be upgraded to Enterprise level firmware; an upgrade key can be purchased from Netopia.

Firmware References:

  • v8.2 R1 (and up) - 3300 Enterprise Series
  • v5.3.7   (and up) - 4000 Series
  • v4.8.2   (and up) - R-Series

Before You Start

Telnet into the Netopia router's Main Menu at 192.168.1.1 (the default IP setting). If your network uses a different IP addressing scheme, adjust the address accordingly. Separate instructions are available for using telnet and HyperTerminal (serial connection).

Log in with your user name and password. The Superuser login is required to save changes. If you are unsure of this, contact your network administrator.

Don't forget to press the Enter key to save any entries. Pressing Backspace, Delete or Tab without first pressing Enter will undo any changes.

The Esc key will take you back towards the main menu screen.

Once you have completed your configuration, you should reboot the Netopia to save and apply your changes.


The Netopia Main Menu Interface

PLEASE NOTE: IP addressing examples presented in this and all Netopia Technotes and Quick Guides are strictly for illustrative purposes. Please be sure to adjust your configuration parameters according to your network design and information from your service provider(s).

Network Address Translation

Network Address Translation (NAT), a specification implemented in the Netopia router (detailed in RFC 1631), allows a private, non-routable block of network addresses (e.g. 192.168.1.x, 10.x.x.x, 172.16-31.x.x) to be used on the Ethernet interface of the router. The router then needs only a single IP address (assigned statically or dynamically) or subnet on its WAN interface, without requiring a routed block for the Netopia's Ethernet interface. (NOTE: The Netopia is a "Full IP" router and must be configured with an Ethernet block on a different IP subnet than the Local WAN IP address; either may be routable [public] or non-routable [private].)

Because of the way NAT performs this translation, enabling NAT also makes the hosts on the router's Ethernet interface unreachable from the WAN: the router only knows where to deliver an incoming packet if it matches a translation created by traffic leaving the LAN, so any other packet has no LAN destination and is discarded. In this sense NAT acts as a firewall by keeping remote traffic from entering your network, but this is a side effect of translation rather than a filter: only replies to requests initiated from your LAN are routed back to your network, and the router's own WAN address (and with it the telnet configuration screens, see Password Protection below) remains reachable.

Keep in mind, however, that servers on your LAN that need to be accessed remotely require port mapping through NAT. Configuring port mapping reduces your measure of security, since the redirected ports are now passed straight through to the LAN host, so map only the ports a server actually needs. Port mapping is accomplished with Address Forwarding or with Port Forwarding.

PLEASE NOTE: In some cases your ISP may assign your router a non-routable WAN IP address. The private (non-routable) address spaces, defined in RFC 1918, are the following:
  • 10.x.x.x
  • 172.16.x.x-172.31.x.x
  • 192.168.x.x

When a private address is used on the WAN interface it usually falls in the 172.16.x.x through 172.31.x.x range, and it presents certain special considerations as regards the router's configuration. See the Related Documents for additional resources.

Filter Sets

The Netopia's filter sets allow filtering by IP address, protocol, and port number. Filter sets can be configured with a good deal of flexibility to meet the needs of your network. It is recommended that you read our NIR_052: Firewall Features and Configuration technote before designing and implementing a firewall.

The Netopia comes pre-configured with a Basic Firewall designed to block incoming traffic. (This filter set allows only ICMP and return traffic on TCP and UDP ports above 1023.) Note that the Basic Firewall comes as a pre-configured template, but that it is NOT ENABLED by default.

To Enable the Basic Firewall:

  1. Go to Quick Menus -> Change Connection Profiles.
  2. Hit Enter on your internet connection profile.
  3. Go to IP Profile Parameters -> Filter Set.
  4. Hit Enter to select the Basic Firewall.
  5. Hit Enter again to save the setting.
  6. If you are using 4.8 or later firmware you will need to escape to the previous screen and Commit your changes.

Keep in mind that if you enable the Basic Firewall, servers that need to be accessed remotely will only be reachable if you add input rules to the Basic Firewall allowing that specific traffic into your LAN. Again, remember that your measure of security is inversely proportional to the number of ports you open. Filter sets do, however, offer one protection NAT cannot: a rule can be restricted to particular source IP addresses, so a port can be opened only to the hosts that need it.

(PLEASE NOTE: Once you enable the Basic Firewall you will no longer be able to access the router screens from the Internet. To allow remote telnet access to the Netopia, you need to add an input filter rule allowing traffic on TCP port 23 with a destination IP of the WAN IP address of your router and a subnet mask of 255.255.255.255. Where possible, also restrict the rule's source address to the network you administer from, so that the login prompt is not exposed to the whole Internet.)

Also note that if you have both NAT and the Basic Firewall enabled, then in order to allow specific traffic into your network you need to both map these ports through NAT AND create rules in the Basic Firewall. For incoming traffic, NAT processing takes place in the router before the firewall is reached, so the destination IP addresses specified in your filter rules must be the LAN IPs of the mapped servers, not the router's WAN address.

For example, consider a router with NAT enabled, the Basic Firewall enabled, an Ethernet IP address of 192.168.1.1 and a public address of 172.20.10.216. A Web server on this router's LAN with an IP address of 192.168.1.8 needs to be accessed remotely. A Server List entry would be added to map TCP port 80 to 192.168.1.8 (see the port mapping technotes referenced in the NAT section), and the input filter set of the Basic Firewall would be amended with an input rule allowing TCP traffic with destination port 80 to destination IP 192.168.1.8, subnet mask 255.255.255.255, so that the filter set looks as follows:

Note: There is an exception prior to firmware 4.8.2. On earlier firmware the input filter rule for telnet must have a destination address of the router's Ethernet LAN address, not the public WAN address.

Password Protection

It is recommended that you password protect your router. Unless your router has been pre-configured and password protected by your service provider, it is not protected by default: there is no default password, and the configuration screens open without any login. Also, unless you have a filter set ENABLED that blocks remote telnet access to your router (the Basic Firewall will do this), your router's configuration screens are reachable via the WAN interface. Once you have password protected your router, no one can access the configuration without the correct Username and Password. Since there is no default password to fall back on, document the Username and Password carefully! (NOTE: This information is case sensitive.)

To password protect your router:

  1. From the MAIN MENU select Easy Setup.
  2. Arrow down to Next Screen and hit enter. Repeat until you are at the Easy Setup Configuration screen.
  3. Enter a 'Write Access Name' (up to 11 characters) and hit enter.
  4. Enter a 'Write Access Password' (up to 11 characters) and hit enter.
  5. Once you restart the router, this username and password will be needed to regain access to the Netopia's configuration screens.

OR

  1. From the MAIN MENU select: System Configuration->Security...
  2. Select 'Add User' and hit enter.
  3. Enter a 'Name' (up to 11 characters) and hit enter.
  4. Enter a 'Password' (up to 11 characters) and hit enter.
  5. Select 'Add Name/Password Now' and hit enter.
  6. Once you restart the router, this username and password will be needed to regain access to the Netopia's configuration screens.

NOTE:
  • You can add a total of 4 users including any user account created by completing the Easy Setup Security Configuration screen.
  • To change a username and password, you must delete the old user and add a new user.
  • Only the first username and password in the 'Show Users' list will allow access to the Netopia's Web interface.

If you have NAT enabled and wish to block remote access to the Username and Password prompt via telnet, you can do so by exporting telnet (TCP port 23) to a private IP address that is unused on your LAN: the router then forwards any incoming telnet connection to an address nothing answers on, instead of to its own login prompt. To export telnet, follow the port mapping technote appropriate to your firmware version, referenced in the Network Address Translation section of this document. (Note: You can also enable a filter set which blocks telnet access; remember, though, that if you have servers mapped through NAT, your firewall will also need rules opening these ports.)
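Two rules of thumb in this guide follow from the order in which the router handles an incoming packet: NAT runs before the filter set, so filter rules for a mapped server name the LAN address (Filter Sets section), and exporting telnet to an unused LAN address keeps the login prompt off the WAN (above). The following Python model is an added example written for this guide; it is not Netopia firmware or Netopia code. It uses the guide's addresses (172.20.10.216 and 192.168.1.x) and assumes the rest: the remote addresses 203.0.113.x and 198.51.100.0/24, the unused host 192.168.1.250, first-match filter evaluation with an implicit deny at the end of the set, and the layout of the Server List and session tables. It models the 4.8.2-and-later behaviour and not the earlier telnet exception noted in the Filter Sets section.

```python
# Added example, not Netopia code: a model of the inbound packet path this
# guide describes. NAT (Server List mappings and the table of LAN-initiated
# sessions) is applied first, then the connection profile's input filter set.
# Everything except the guide's 172.20.10.216 / 192.168.1.x addresses, the
# first-match / implicit-deny filter semantics and the table layouts is an
# assumption made for this model.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

WAN_IP = "172.20.10.216"   # router's public address, from the guide's example


@dataclass(frozen=True)
class Packet:
    proto: str             # "tcp", "udp" or "icmp"
    src: IPv4Address
    dst: IPv4Address
    sport: int = 0
    dport: int = 0         # 0 for icmp


@dataclass(frozen=True)
class Rule:
    allow: bool
    proto: Optional[str]   # None matches any protocol
    dst: IPv4Network
    dports: range          # destination ports covered (ignored for icmp)
    src: IPv4Network

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and p.dst in self.dst and p.src in self.src
                and (p.proto == "icmp" or p.dport in self.dports))


def pkt(proto, src, dst, sport=0, dport=0):
    return Packet(proto, IPv4Address(src), IPv4Address(dst), sport, dport)


def rule(allow, proto=None, dst="0.0.0.0/0", ports=(0, 65535), src="0.0.0.0/0"):
    """dst/src take 'a.b.c.d/32' for a single host (mask 255.255.255.255)."""
    return Rule(allow, proto, IPv4Network(dst),
                range(ports[0], ports[1] + 1), IPv4Network(src))


# The pre-configured Basic Firewall as the guide describes it: ICMP and
# TCP/UDP return traffic on ports above 1023 pass; everything else is dropped.
BASIC_FIREWALL = [
    rule(True, "icmp"),
    rule(True, "tcp", ports=(1024, 65535)),
    rule(True, "udp", ports=(1024, 65535)),
]


def nat_inbound(p, server_list, sessions):
    """Rewrite the destination of a packet that arrived on the WAN interface.

    server_list: {(proto, wan_port): lan_ip}            (Server List / port mapping)
    sessions:    {(proto, remote_ip, remote_port, wan_port): (lan_ip, lan_port)}
                 (translations created by traffic the LAN initiated)
    A packet matching neither keeps the WAN address: it is for the router itself.
    """
    hit = sessions.get((p.proto, str(p.src), p.sport, p.dport))
    if hit:
        lan_ip, lan_port = hit
        return Packet(p.proto, p.src, IPv4Address(lan_ip), p.sport, lan_port)
    mapped = server_list.get((p.proto, p.dport))
    if mapped:
        return Packet(p.proto, p.src, IPv4Address(mapped), p.sport, p.dport)
    return p


def filter_inbound(p, rules):
    """First matching rule decides; no match means drop (assumed implicit deny).
    rules=None models a connection profile with no filter set selected."""
    if rules is None:
        return True
    for r in rules:
        if r.matches(p):
            return r.allow
    return False


def inbound(p, server_list, sessions, rules):
    """Whole inbound path, NAT then filter. Returns (accepted, final destination)."""
    t = nat_inbound(p, server_list, sessions)
    return filter_inbound(t, rules), str(t.dst)


if __name__ == "__main__":
    http = pkt("tcp", "203.0.113.9", WAN_IP, 40000, 80)      # constructed traffic
    maps = {("tcp", 80): "192.168.1.8"}                      # the guide's Server List entry
    # mapping alone: NAT rewrites the destination, the Basic Firewall then drops port 80
    print(inbound(http, maps, {}, BASIC_FIREWALL))
    # a rule naming the WAN address never fires: the destination is already 192.168.1.8
    print(inbound(http, maps, {}, BASIC_FIREWALL + [rule(True, "tcp", WAN_IP + "/32", (80, 80))]))
    # the rule the guide calls for names the LAN host
    print(inbound(http, maps, {}, BASIC_FIREWALL + [rule(True, "tcp", "192.168.1.8/32", (80, 80))]))
    # telnet to the router: no mapping, so the destination stays the WAN address
    telnet = pkt("tcp", "203.0.113.9", WAN_IP, 40001, 23)
    print(inbound(telnet, maps, {}, BASIC_FIREWALL + [rule(True, "tcp", WAN_IP + "/32", (23, 23))]))
    # exporting telnet to an unused LAN address sends the session into a black hole
    print(inbound(telnet, {("tcp", 23): "192.168.1.250"}, {}, None))
```

Running the block prints the five verdicts in order: the Server List entry on its own is dropped by the Basic Firewall, a port 80 rule written against the WAN address still drops it, the rule naming 192.168.1.8 admits it, a telnet rule naming the WAN address admits telnet to the router, and the exported telnet session lands on 192.168.1.250 where nothing answers. Adding `src="198.51.100.0/24"` to the telnet rule shows the IP filtering that NAT alone cannot provide: the same packet from any other source is dropped.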

Conclusion

This document has provided an overview of several security options of the Netopia router.


© 2008 Netopia, Inc., a Motorola Company. All rights reserved.