Chapter 5. Object

NG-UTM adopts object-oriented management for the entire device. After defining all objects or targets, administrators proceed to prohibit or allow them in control rules.
In addition to traditional address tables, applications, and URLs as management targets, even ZONE, interface addresses, routing tables, and specified gateways can be management targets.
The purpose of setting management targets is to enable administrators to identify the purpose and usage of each rule when creating control rules more easily.
Administrators can also directly input IP addresses and ports in control rules without setting any management targets.

5-1. IP Address

NG-UTM supports both IPv4 and IPv6 address modes. The blue buttons displayed above the MENU indicate the current mode.
image72 represents the IPv4 address mode being displayed/set, while image73 represents the IPv6 address mode being displayed/set.
Clicking on the gray button (such as image176) directly switches the display and settings to the other mode.
These two buttons apply to the entire system, allowing for switching at any time. The settings interface will switch to the selected IPv4 or IPv6 mode accordingly.

5-1-1. IP Address List

Predefined address tables make the creation of control rules clearer and more straightforward. Each address table consists of a single IP address, an IP subnet, or an IP range.
• Assist
This feature is only available for IPv4 use.
Whenever any device has network packets passing through NG-UTM, whether external or internal, the system will record it, making it convenient for administrators to create address tables.
Clicking the Assist icon displays all recorded computer names, IP addresses, and MAC addresses, including the fixed IP addresses handed out by the DHCP server.
After selecting the IP or MAC address to add, pressing the add button includes it in the address table.
Select IP Address

Figure 5-1: Select IP Address

• Add IP Address
After clicking the image182 button, you can start creating address tables. First, select the configuration method, each of which has its own purpose:
1. IP Address
For both IPv4 and IPv6: identifies a user by a single IPv4 or IPv6 address. Suitable for networks where each computer uses a fixed IP address.
Computer Name: Name of this IP address, e.g., “John’s Computer”.
IP Address: Enter the IP address, e.g., 192.168.1.1.
2. IP and MAC Address
IPv4 only: binds a user to both an IPv4 address and a MAC address.
Computer Name: Name of this IP address, e.g., “John’s Computer”.
IP Address: Enter the IPv4 address, e.g., 192.168.1.1.
MAC Address: Real MAC address of this computer, e.g., 00:01:02:03:04:05.
DHCP: In a DHCP environment, the DHCP server can be told to always hand this fixed IP address to this MAC address.
Checking this means the computer will be assigned the fixed IPv4 address by the DHCP server. See section 6-1-3. DHCP Static IP for reference.
3. MAC Address
IPv4 only: identifies a user by MAC address alone, regardless of the IP address in use. Because a MAC address is only visible on the same Layer 2 segment, this works for hosts directly attached to the NG-UTM’s interface, not for hosts behind another router.
Computer Name: Name of this IP address, e.g., “John’s Computer”.
MAC Address: Real MAC address of this computer, e.g., 00:01:02:03:04:05.
4. IP / Mask
For both IPv4 and IPv6: an IPv4 or IPv6 address together with a subnet mask identifies a whole subnet of users.
Computer Name: Name of this address table, e.g., “All computers in Engineering Department”.
IP Address: Enter the IP address, e.g., 192.168.1.1.
Subnet Mask: Select the appropriate subnet mask, e.g., 255.255.255.0 (/24).
5. IP Address Range
For both IPv4 and IPv6: the first and last address of an IPv4 or IPv6 range identify a block of users.
Computer Name: Name of this address table, e.g., “All computers in Engineering Department”.
Start IP: Enter the starting IP address of this range, e.g., 192.168.1.1.
End IP: Enter the ending IP address of this range, e.g., 192.168.1.100.
This example covers 100 IPv4 addresses (192.168.1.1 through 192.168.1.100) for all computers in the Engineering Department.
6. User Customed Domain
For both IPv4 and IPv6: identifies a set of hosts by domain name. Suitable for external servers, or for networks where hosts are reached through Domain Name Resolution (DNS).
Computer Name: Representative name of this domain, e.g., “John’s Home”.
Domain: Enter one domain per line. The wildcard * is supported, e.g., *.example.com or example.com.*.
7. Default Domain Blacklist
Computer Name: Representative name of this object, e.g., “John’s Home”.
Default List: Select a pre-set blacklist group so that it can be used as a source or destination network object in rules.
Domain Test: Enter a suspicious URL and click “Test” to check whether it is in the default blacklist.
8. Outer Link List
Computer Name: Representative name of this list, e.g., “John’s Home”.
URL: Enter a URL from which a .txt or .csv address list can be downloaded. Prefer an https:// URL so that the list and any credentials are not exposed in transit.
HTTP Basic Authentication: Supported for URLs that require it.
Scheduled Time Updates: The system periodically fetches the URL to retrieve the updated list.
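The following is an added example, not NG-UTM code, that models the address-table kinds above (single IP, IP/Mask, IP Address Range, and a domain list with * wildcards) as plain Python objects and shows how a policy lookup would test a packet’s address or a hostname against them. The class and function names, and the treatment of * as a glob that may span several labels, are assumptions for illustration; the IPv4/IPv6 family check mirrors the page’s rule that an object only matches addresses of its own family.

```python
import fnmatch
import ipaddress


class AddressObject:
    """One address-table entry of kind 'ip', 'mask', 'range' or 'domain'
    (hypothetical model of the object types described above)."""

    def __init__(self, name, kind, **spec):
        self.name, self.kind = name, kind
        if kind == "ip":                                   # single host, v4 or v6
            self._net = ipaddress.ip_network(spec["ip"])
        elif kind == "mask":                               # host + mask (255.255.255.0 or 24)
            self._net = ipaddress.ip_network(f'{spec["ip"]}/{spec["mask"]}', strict=False)
        elif kind == "range":                              # inclusive start..end
            self._lo = ipaddress.ip_address(spec["start"])
            self._hi = ipaddress.ip_address(spec["end"])
            if self._lo.version != self._hi.version or self._lo > self._hi:
                raise ValueError("range must be one address family with start <= end")
        elif kind == "domain":                             # one pattern per line, '*' wildcard
            self._patterns = [p.strip().lower().rstrip(".")
                              for p in spec["domains"].splitlines() if p.strip()]
        else:
            raise ValueError(f"unknown object kind {kind!r}")

    def matches_ip(self, addr):
        """True if addr falls inside an ip/mask/range object; domains never match IPs."""
        a = ipaddress.ip_address(addr)
        if self.kind in ("ip", "mask"):
            return a.version == self._net.version and a in self._net
        if self.kind == "range":
            return a.version == self._lo.version and self._lo <= a <= self._hi
        return False

    def matches_domain(self, host):
        """Wildcard match against the domain list (assumption: '*' is a glob)."""
        if self.kind != "domain":
            return False
        host = host.lower().rstrip(".")
        return any(fnmatch.fnmatchcase(host, p) for p in self._patterns)

    def size(self):
        """Number of addresses covered (None for domain objects)."""
        if self.kind in ("ip", "mask"):
            return self._net.num_addresses
        if self.kind == "range":
            return int(self._hi) - int(self._lo) + 1
        return None


def first_match(objects, addr=None, host=None):
    """Name of the first object matching the address or hostname, as a
    top-down policy lookup would return it, or None."""
    for obj in objects:
        if addr is not None and obj.matches_ip(addr):
            return obj.name
        if host is not None and obj.matches_domain(host):
            return obj.name
    return None
```

Note that the range 192.168.1.1 to 192.168.1.100 reports a size of 100, as the text states, and that an IPv6 address never matches an IPv4 object even when the objects are in the same list.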

5-1-2. IP Address Groups

Each address table represents a single IP address or IP subnet. After creating individual address tables, they can be further grouped into address table groups. The members of an address table group can consist of both address tables and other address table groups.
After clicking the image534 button, you can start creating address table groups.
Select IP Address Group

Figure 5-2: Select IP Address Group

【Group Name】: The name of this address table group such as “Computers on 2F”.
【All Members】: Displays the names of all address tables that have been created.
【Select Members】: Select the address tables to be included in this address table group, then click image184 to add them.
【All Other Groups】: Display the address table groups that have already been created.
【Select Other Groups】: Select the address table groups to be included in this address table group, then click image184 to add them.
【User-defined】: If address tables have not been created beforehand, addresses can also be entered manually here, one entry per line.

5-2. Services

TCP and UDP services are each identified by a port number, such as TELNET (23), FTP (21), SMTP (25), and POP3 (110).
In the “Assist Selection” section, users can pick from a basic service table of commonly used predefined TCP and UDP services. These predefined services cannot be modified or deleted.
Users can also define the TCP or UDP port numbers they need in the custom service table.
When defining custom services, the client (source) port range is generally left at 1024:65535, and the server (destination) port is set anywhere within 0:65535.
Services defined in the service table differ slightly from those defined as applications.
For example, HTTP is defined in the service table as TCP port 80, and the entry stands for the HTTP protocol.
In practice, however, packets on TCP port 80 are not necessarily HTTP (Web), and HTTP does not have to run on TCP port 80.
The HTTP protocol defined in applications ignores source and destination port numbers: if the packet content is HTTP (Web), it matches. Application-based protocol recognition is therefore more accurate.
System administrators can add service group names under “Service Table > Service Group” and include the services they want to provide.
Service groups simplify the creation of control rules considerably.
For example, suppose 10 different IP addresses may access 5 different services on a server: HTTP, FTP, SMTP, POP3, and TELNET.
Written out one address and one service per rule, that is 10 x 5 = 50 control rules. With the addresses in an address group and the five services in a service group, a single control rule is enough.

5-2-1. Basic Service

Basic Service

Figure 5-3. Basic Service Table

•Service Table Icon Introduction
The detailed explanation of the service table icons, which are commonly used throughout NG-UTM:

Icon

Introduction

image189

Any service.

image190

TCP services such as Gopher, ICQ, Ident, LDAP, NNTP over SSL, PPTP, SFTP, SSH, Terminal, WINFRAME, AFP over TCP, FTP, H323, L2TP, MSN Messenger, POP2, SMTP over SSL, Yahoo, AOL, Finger, HTTP, IMAP over SSL, LDAP Admin, NNTP, POP3 over SSL, RLOGIN, SMTP, VNC, BGP, GNUTella, HTTPS, IMAP, LDAP over SSL, POP3, Real Audio, Telnet, WAIS

image191

UDP services such as DNS, TFTP, NTP, SNMP, IKE, SYSLOG, RIP, UUCP and so on.

5-2-2. Service Group

When creating a new service group, this page has 8 blank fields. Administrators start adding service items to the service table starting from number 1 sequentially.
If there are more service items to be added to this service group than 8, pressing image192 will add additional blank fields.
Creating a Service Group

Figure 5-4. Creating a Service Group

Service and Service Group Name: Identify the name of this service group, such as Mail Server.
Assist: Select the built-in basic service table. (Figure 5-5)
Protocol: Select whether this service uses TCP, UDP, TCP&UDP, or a custom communication protocol.
Port(s): The start and ending port numbers used by the communication service.
For example, SMTP uses only TCP 25, so enter 25:25. POP3 uses only TCP 110, so enter 110:110. Entering 0:65535 matches every port number, which is equivalent to image193.
• Assist
Clicking on image187 will bring up a new window displaying the NG-UTM’s built-in basic service table for administrators to select from.
TCP, UDP, or other communication protocols can be selected from the menu at the top left of the window to switch to the desired communication protocol.
Assisting Selection Basic Service Table

Figure 5-5 Assisting Selection Basic Service Table

【TCP】: Commonly used TCP services such as SSL, HTTP and so on
【UDP】: Commonly used UDP services such as DNS, SNMP and so on
【Others】: Other less frequently utilized service types, such as TFTP and RDP.
➤ After creating a new service group, NG-UTM will list all the defined service groups, along with the ports they utilize.
Service Group Table

Figure 5-6 Service Group Table
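The following is an added example, not NG-UTM code, covering both the Port(s) field format of 5-2-2 and the rule-count argument of 5-2: it parses the start:end port form (0:65535 meaning any port), builds a service group like the “Mail Server” example, tests a packet’s protocol and destination port against the group, and counts how many policy lines are needed with and without grouping. The class names are hypothetical, and accepting a bare port number as N:N is an assumption the page does not state.

```python
from dataclasses import dataclass

PORT_ANY = (0, 65535)      # '0:65535' in the Port(s) field means every port


def parse_ports(spec):
    """Parse the 'start:end' form of the Port(s) field ('25:25', '0:65535').
    A bare number 'N' is accepted as 'N:N' (assumption, not stated by the page)."""
    parts = spec.strip().split(":")
    if len(parts) == 1:
        parts = parts * 2
    if len(parts) != 2:
        raise ValueError(f"bad port spec {spec!r}")
    lo, hi = (int(p) for p in parts)
    if not (0 <= lo <= hi <= 65535):
        raise ValueError(f"port range out of order or out of bounds: {spec!r}")
    return lo, hi


@dataclass(frozen=True)
class Service:
    name: str
    protocol: str          # 'TCP', 'UDP' or 'TCP&UDP'
    ports: tuple           # (start, end), inclusive

    def matches(self, proto, dport):
        return proto in self.protocol.split("&") and self.ports[0] <= dport <= self.ports[1]

    def is_any_port(self):
        return self.ports == PORT_ANY


class ServiceGroup:
    """A named set of services; a packet matches the group if any member matches."""

    def __init__(self, name, members):
        self.name = name
        self.members = list(members)

    def matches(self, proto, dport):
        return any(s.matches(proto, dport) for s in self.members)

    def matched_by(self, proto, dport):
        return [s.name for s in self.members if s.matches(proto, dport)]


def rules_needed(n_sources, n_services, address_group=False, service_group=False):
    """Policy lines required when every source/service pair needs its own rule
    versus when sources and/or services are collapsed into groups."""
    return (1 if address_group else n_sources) * (1 if service_group else n_services)


# Constructed group mirroring the 'Mail Server' example of 5-2-2
MAIL_SERVER = ServiceGroup("Mail Server", [
    Service("SMTP", "TCP", parse_ports("25:25")),
    Service("POP3", "TCP", parse_ports("110:110")),
    Service("DNS", "TCP&UDP", parse_ports("53")),
])
```

The parser rejects reversed or out-of-range values, which is the check a practitioner wants before a mistyped range such as 80:70 silently matches nothing.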

5-3. Schedule

NG-UTM provides system administrators with the ability to set up time schedules. Administrators can pre-define activation times based on actual requirements and apply these schedules to regulations, enabling these regulations to take effect within specific time frames. The same regulatory rule can be applied with different time schedules, resulting in two distinct regulations to manage different time requirements.
Pressing the image183 button to add a new time schedule.
There are 3 scheduling modes for time schedule settings:
- Mode One: Weekly scheduling, setting the effective time for each day.
- Mode Two: Custom start dates, end dates and times.
- Mode Three: Utilizing a graphical selection to set up time.
【Schedule Name】: Identify the name of this time schedule, for example, Daytime Rule, Nighttime Rule.
【Setting Mode】: There are 3 modes to choose from.
· Mode One: Weekly scheduling, setting the time range for each day to take effect. There are three options: Disable, All Day, and Start Time to End Time. Setting the start time to 00:00 and the end time to 00:00 represents all day. ( Figure 5-7)
Weekly scheduling time table

Figure 5-7 Weekly schedule

· Mode Two: Custom start dates, end dates and times. Administrators set up a schedule that will be effective on specific dates, for example, from July 1, 2016, to December 31, 2016. ( Figure 5-8)
Custom date schedule

Figure 5-8 Custom date schedule

· Mode Three: Using a graphical selection method to define weekly active times. Unlike Mode One, this mode allows for setting multiple active time intervals within a single day. For example, on Monday to Friday, the time is set as 06:00-11:59 and 13:00-20:59, while Saturday and Sunday are set for the entire day.
Graphical selection time table
➤ In the policy list, the appearance of the image198icon indicates that this policy will only take effect during specific time.
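The following is an added example, not NG-UTM code, that evaluates the three schedule modes above against a timestamp the way a policy engine would: Mode One and Mode Three as per-weekday interval lists (with the page’s 00:00 to 00:00 all-day convention), Mode Two as an absolute date range, and a policy with no schedule as always active. Class names are hypothetical; treating the end minute of an interval such as 11:59 as inclusive, and letting an interval that ends before it starts wrap past midnight within the same weekday entry, are assumptions.

```python
from datetime import datetime

DAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")   # datetime.weekday() order


def _minutes(hhmm):
    h, m = (int(x) for x in hhmm.split(":"))
    if not (0 <= h <= 23 and 0 <= m <= 59):
        raise ValueError(f"bad time {hhmm!r}")
    return h * 60 + m


def _in_interval(now_min, start, end):
    """Minute-granular, end-inclusive check. 00:00 to 00:00 means all day
    (Mode One convention); an end earlier than the start wraps past midnight
    (assumption)."""
    s, e = _minutes(start), _minutes(end)
    if s == e == 0:
        return True
    if s <= e:
        return s <= now_min <= e
    return now_min >= s or now_min <= e


class WeeklySchedule:
    """Mode One (one interval per day) and Mode Three (several per day).
    days maps 'Mon'..'Sun' to 'all', None (Disable) or a list of (start, end)."""

    def __init__(self, name, days):
        self.name = name
        self.days = {d: days.get(d) for d in DAYS}

    def active(self, when):
        spec = self.days[DAYS[when.weekday()]]
        if spec is None:
            return False
        if spec == "all":
            return True
        now_min = when.hour * 60 + when.minute
        return any(_in_interval(now_min, s, e) for s, e in spec)


class DateRangeSchedule:
    """Mode Two: active between two absolute timestamps, inclusive."""

    def __init__(self, name, start, end):
        if end < start:
            raise ValueError("end before start")
        self.name, self.start, self.end = name, start, end

    def active(self, when):
        return self.start <= when <= self.end


def policy_active(schedule, when):
    """A policy with no schedule attached is always in effect."""
    return True if schedule is None else schedule.active(when)


# Constructed schedules mirroring the examples in the text
OFFICE_HOURS = WeeklySchedule("Office hours", {
    **{d: [("06:00", "11:59"), ("13:00", "20:59")] for d in ("Mon", "Tue", "Wed", "Thu", "Fri")},
    "Sat": "all", "Sun": "all",
})
H2_2016 = DateRangeSchedule("H2 2016", datetime(2016, 7, 1, 0, 0), datetime(2016, 12, 31, 23, 59))
```

Evaluating schedules this way makes the lunch gap visible: a Monday 12:30 lookup against OFFICE_HOURS is inactive, while 11:59 and 13:00 are both active.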

5-4. Bandwidth Management(QoS)

NG-UTM enables the management of transmission speeds for network service packets passing through interfaces. Through pre-defined bandwidth tables, administrators can precisely control the Zone Out (TX) / Zone In (RX) traffic for each regulation passing through a ZONE. Additionally, incorporating the concept of bandwidth priority enables swift passage of network packets with higher priority.
There are 2 modes of configuration available:
One is bandwidth management for each regulation while the other is bandwidth management for each source IP address within a regulation.
In bandwidth management, due to the interconnected nature of ZONE interfaces across the network, it is essential to define the Zone Out (TX) / Zone In (RX) traffic for each ZONE in advance. For example, if ZONE 1 includes 2 physical ports, Port A and Port B, each with a connection speed of 1Gbps, and a bandwidth table is selected with an internet service of 10Mbps applied to each source IP address. This configuration means that regardless of whether the traffic comes from Port A or Port B, as long as it belongs to this ZONE, the Zone Out (TX) / Zone In (RX) traffic will be limited to 10Mbps.

5-4-1. QoS Settings

• Interface Speed Configuration
The maximum network speed for each interface is set here, including Zone Out (TX) and Zone In (RX) traffic.
Incoming network packets to physical ports are considered Zone In (RX) traffic, while outgoing network packets from physical ports to downstream devices are considered Zone Out (TX) traffic.
This works well on symmetric internal networks or switch links where upload and download speeds are the same. On asymmetric WAN links the direction matters: the download speed quoted by the service provider is traffic arriving at the NG-UTM, i.e. Zone In (RX), and the quoted upload speed is Zone Out (TX). For WAN-type networks such as ADSL, take care to enter the ZONE speeds in the right direction.
Customed interface speed

Figure 5-9 Customed interface speed

Check the box in the table to enable bandwidth management for this interface. By default, NG-UTM sets all Zone Out (TX) and Zone In (RX) traffic to 1Gbps (1024Mbps=1024000Kbps) and lists all physical ports included in this ZONE. Administrators can modify these speeds to match the actual network conditions. After saving, these configured values become the upper speed limit when setting up bandwidth tables.

5-4-2. QoS List

Each configured QoS will be listed here for easy reference and management. Modifications and deletions can also be performed here.
• Add QoS Rule
Press the image183 button at the bottom of the list to add a new QoS:
Bandwidth table configuration

Figure 5-10 QoS configuration

【QoS Name】: Identify the name of this bandwidth table, for example, Daytime Internet Access, Nighttime Open Access.
【Priority】: When there is a remaining bandwidth available on the interface, NG-UTM will allocate the remaining bandwidth to users based on priority, giving them a chance to reach the maximum bandwidth set. A lower number indicates higher priority.
【Setting Mode】: There are 2 modes to choose from, Basic Mode and Advanced Mode.
· Basic Mode
This mode operates per Zone, regardless of how many physical interfaces are in each Zone. It is suitable, for example, when each WAN line has its own WAN Zone.
Basic mode

Figure 5-11 Basic mode

· Advanced Mode
This mode operates based on physical network interfaces for bandwidth control. For example, if 3 lines are bundled into one WAN ZONE, choosing this mode will separate each line for individual management by administrators.
Advanced mode

Figure 5-12 Advanced mode

【Select Bandwidth Mode】: There are 2 modes to choose from, “Per Policy Based” (default) and “Per Source IP Based”. Detailed explanations are as follows:
· Per Policy Based
When the bandwidth table is applied to regulations, the total number of network packets entering the regulation, whether IPv4 or IPv6, is limited to the bandwidth table setting. In other words, all source IP addresses entering the regulation share the bandwidth allocated by this bandwidth table.
For example, if both 192.168.1.2 and 192.168.1.3 meet the conditions of a bandwidth table set at 10Mbps / 10Mbps, and 192.168.1.2 is utilizing 9.9Mbps / 9.9Mbps, then 192.168.1.3 can only be allocated 0.1Mbps / 0.1Mbps of bandwidth.
· Per Source IP Based
When the Qos rule is applied to the policy, each source IP address regardless of IPv4 or IPv6, can use the bandwidth table setting. In other words, each IP address is allocated the bandwidth set by the bandwidth table. For example, if both 192.168.1.2 and 192.168.1.3 meet the conditions of a bandwidth table set at 10Mbps / 10Mbps, then 192.168.1.2 can utilize up to 10Mbps / 10Mbps, and 192.168.1.3 can also utilize up to 10Mbps / 10Mbps of bandwidth.
In this mode, check whether the number of source IP addresses multiplied by the per-IP bandwidth exceeds the interface’s maximum speed. For example, if this policy is expected to cover 100 IP addresses, each allocated 20Mbps, then with all 100 online at their maximum the total is 100 x 20Mbps = 2000Mbps = 2Gbps, which exceeds the interface maximum of 1Gbps. In that scenario bandwidth allocation becomes inaccurate.
【Interface - Minimum】: Select the interface to which the QoS rule applies; the system shows that interface’s maximum speed as a reminder. The value entered here is the bandwidth guaranteed to this policy’s users when the NG-UTM’s network is congested.
【Interface - Maximum】: The system again shows the interface’s maximum speed. The value entered here is the bandwidth this policy’s users can reach, according to priority, when the network is not congested.

note

When setting up bandwidth tables, it is crucial to pay attention to the configured interface, as NG-UTM is based on interface management. If the bandwidth is set on the ZONE0 interface in the bandwidth configuration, but applied to other ZONEs in the rules, it will result in inaccurate management of IP addresses or services.
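The following is an added example, not NG-UTM code, that makes the QoS semantics above concrete: an allocator that gives every policy its Minimum, then hands spare interface capacity out by Priority (lower number first) up to each Maximum; the over-subscription check for “Per Source IP Based” rules; and the shared pool of a “Per Policy Based” rule. The allocation algorithm is a plausible interpretation of the Minimum/Maximum/Priority description, not the device’s actual scheduler, and the policy names are constructed.

```python
from dataclasses import dataclass


@dataclass
class QosPolicy:
    name: str
    priority: int       # lower number = higher priority
    min_mbps: float     # guaranteed share when the interface is congested
    max_mbps: float     # ceiling reachable when spare bandwidth exists
    demand_mbps: float  # what the policy's users are currently trying to send


def allocate(interface_mbps, policies):
    """Divide one direction of an interface: every policy first gets its
    guarantee (capped by demand), then leftover capacity goes to policies in
    priority order up to their maximum. Over-committed guarantees are rejected."""
    if sum(p.min_mbps for p in policies) > interface_mbps:
        raise ValueError("guaranteed minimums exceed the interface speed")
    alloc = {p.name: min(p.min_mbps, p.demand_mbps) for p in policies}
    remaining = interface_mbps - sum(alloc.values())
    for p in sorted(policies, key=lambda p: p.priority):
        if remaining <= 0:
            break
        extra = min(p.max_mbps, p.demand_mbps) - alloc[p.name]
        give = max(0.0, min(extra, remaining))
        alloc[p.name] += give
        remaining -= give
    return alloc


def per_source_demand(limit_mbps, n_sources):
    """Worst case of a 'Per Source IP Based' rule: every source at its cap."""
    return limit_mbps * n_sources


def oversubscribed(limit_mbps, n_sources, interface_mbps):
    """The check the text asks for: 100 sources x 20Mbps on a 1Gbps port is too much."""
    return per_source_demand(limit_mbps, n_sources) > interface_mbps


def share_per_policy(limit_mbps, usage):
    """'Per Policy Based': one pool for all sources. Returns what each source
    obtains, in the order given (a source using 9.9 of 10 leaves 0.1 for the next)."""
    left = limit_mbps
    out = {}
    for src, want in usage.items():
        got = min(want, left)
        out[src] = got
        left -= got
    return out
```

With two policies of equal Minimum and Maximum on a 100Mbps interface, the higher-priority one takes all the spare capacity first; only when its demand drops does the lower-priority policy rise above its guarantee.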

5-5. Application Control

NG-UTM is a UTM (Unified Threat Management) system based on DPI (Deep Packet Inspection), through which all traffic is classified and managed. DPI technology is used to manage applications, offering more precise control compared to traditional TCP/UDP port-based methods.
Take HTTPS websites as an example: SSL/TLS encryption protects the browsing session as it crosses the Internet (SSL typically uses TCP port 443).
In the past, managing HTTPS websites meant simply blocking outbound TCP 443, which prevented internal access to encrypted sites. For security reasons, however, many other network applications now use SSL encryption too, SSL VPNs among them, so blocking TCP 443 disrupts both HTTPS browsing and SSL VPN use.
To identify such applications more accurately, simple port-based classification is insufficient for modern network requirements. Therefore, NG-UTM implements DPI technology, which examines packet contents at a deeper level beyond TCP/UDP port numbers. It assesses packet contents to determine the services being executed, making its judgement more accurate than traditional firewalls.
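The following is an added example, not NG-UTM code or its signature set, that shows the port-versus-content distinction above on real bytes: a port-only guess beside a small content classifier that recognises an HTTP/1.x request line (and its Host header) or a TLS ClientHello (and its SNI server name) regardless of which port the flow uses. The ClientHello builder produces a constructed, minimal TLS 1.2 handshake for the demonstration; the function names are hypothetical and the parser handles only the fields it needs.

```python
import struct

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ", b"PATCH ")


def port_based_guess(dport):
    """What a port-only firewall would call the flow."""
    return {80: "http", 443: "tls"}.get(dport, "unknown")


def http_request_host(payload):
    """(True, Host header or None) if payload opens with an HTTP/1.x request line."""
    first, _, rest = payload.partition(b"\r\n")
    if not payload.startswith(HTTP_METHODS) or not first.endswith((b"HTTP/1.0", b"HTTP/1.1")):
        return False, None
    for line in rest.split(b"\r\n"):
        if line[:5].lower() == b"host:":
            return True, line[5:].strip().decode("ascii", errors="replace")
    return True, None


def tls_client_hello_sni(p):
    """(True, server_name or None) if p starts with a TLS ClientHello record."""
    # record: type 0x16, version 0x03xx, length; handshake: type 0x01, 3-byte length
    if len(p) < 44 or p[0] != 0x16 or p[1] != 0x03 or p[5] != 0x01:
        return False, None
    try:
        i = 5 + 4 + 2 + 32                               # headers, client_version, random
        i += 1 + p[i]                                    # session_id
        i += 2 + struct.unpack("!H", p[i:i + 2])[0]      # cipher_suites
        i += 1 + p[i]                                    # compression_methods
        if i + 2 > len(p):
            return True, None                            # no extensions block
        ext_end = i + 2 + struct.unpack("!H", p[i:i + 2])[0]
        i += 2
        while i + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", p[i:i + 4])
            i += 4
            if etype == 0:                               # server_name extension
                j = i + 2                                # skip server_name_list length
                while j + 3 <= i + elen:
                    ntype, nlen = p[j], struct.unpack("!H", p[j + 1:j + 3])[0]
                    if j + 3 + nlen > len(p):
                        return True, None                # name truncated
                    if ntype == 0:                       # host_name
                        return True, p[j + 3:j + 3 + nlen].decode("ascii", errors="replace")
                    j += 3 + nlen
            i += elen
    except (struct.error, IndexError):
        return True, None                                # truncated hello
    return True, None


def dpi_classify(payload):
    """Port-independent classification of a flow's first client bytes."""
    is_http, host = http_request_host(payload)
    if is_http:
        return "http", host
    is_tls, sni = tls_client_hello_sni(payload)
    if is_tls:
        return "tls", sni
    return "unknown", None


def build_client_hello(server_name):
    """Constructed sample: minimal TLS 1.2 ClientHello carrying one SNI entry."""
    name = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni_list = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", 0, len(sni_list)) + sni_list
    body = (b"\x03\x03" + bytes(32)          # client_version, random
            + b"\x00"                        # empty session_id
            + b"\x00\x02\x13\x01"            # one cipher suite
            + b"\x01\x00"                    # one compression method (null)
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake
```

A ClientHello sent to port 8443 is “unknown” to the port-based guess but “tls” with its server name to the content check, which is exactly the gap the text describes; the truncated-hello branch matters because a classifier that trusts length fields from the wire without bounds checks is itself an attack surface.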
NG-UTM can currently identify over 900 types of applications and employs automatic feature value updates. These updates occur periodically without a fixed schedule, ensuring the application database remains current. Administrators only need to set up automatic update options, and the system takes care of the rest. These applications also appear in statistical analysis reports.
To keep up with the cloud era nowadays, many websites offer Software as a Service (SAAS). In other words, users can access these sites and utilize services without installing any local software. For example, services like WebQQ and WebSkype often use HTTPS or IPV4/IPV6 dual addressing. Blocking IPV4 addresses alone does not prevent access to IPV6 addresses. Moreover, with SSL encryption, traditional firewalls or UTMs typically cannot block such SAAS websites or services, causing management challenges for network administrators. In such cases, NG-UTM’s URL management functionality (refer to Section 5-6) can be utilized to effectively manage these SAAS services.

5-5-1. Application Control

Managing over 900 types of applications is complex. Therefore, NG-UTM categorizes applications into 17 major groups based on their attributes.
Administrators first select from these 17 categories and then choose the specific applications they want to manage. Once selected, they can create groups and apply them in firewall rules.
• Application Control Information
Access to application features in NG-UTM requires an additional license. After the license expires, the system stops updating the application signatures, which may lead to inaccurate control.
Application Information

Figure 5-13: Application Information

【Licenses】: DPI-based application control requires an authorization code: click [Choose File], select the code file, and then import it.
【Expiration Date】: Current expiration date of application features.
【Service Status】: Indicates whether application identification is enabled or disabled.
• Application Control
The list of established applications is as follows:
Established Applications

Figure 5-14: Established Applications

Note

Established applications need to be assigned a role in firewall rules (see Chapter 4. POLICY) to determine how they are treated. For example, create an application group, select its members, and then specify in the firewall rule whether the group is allowed or blocked.

• Add Application Control
Administrators can add multiple applications or include various services within an application group. Click on image183 to add an application group:
Select Applications

Figure 5-15: Select Applications

【Group Name】: Identify the name of the application group, such as “Internet Access Group” or “Restricted Services.”
【Action】: For each application control, there are three options:
· DROP: Blocks applications matching the feature values.
· DROP + Log: Blocks applications matching the feature values and logs the usage details.
· QoS: Applies bandwidth management mechanisms to applications matching the feature values. For example, limit the network bandwidth to 500Kbps for applications like LINE/SKYPE.
【Search】: Enter keywords to search for specific applications.
【Selected Items】: Display selected applications when checkboxes are checked. The options can be collapsed to avoid interference during operations.
【Select Applications】: Options under each category can be selected individually or collectively. Selected items are color-coded, and the number of selections is displayed next to the category name.

5-5-2. Block Log

Once the administrator configures the application groups they intend to manage and applies them in the rule sets, every application that matches is logged, whether the action allows or denies it. Administrators can use this log to query which applications were permitted or blocked during a given period.
Log List

Figure 5-16: Log List

5-6. URL Filter

NG-UTM’s URL management not only handles traditional HTTP (Web) sites but also manages HTTPS SSL encrypted sites. Administrators can set up blacklists and whitelists for HTTP sites, and the system provides default blacklist databases that administrators can add to at any time. These databases are updated automatically, adding, or removing entries as needed. Unlike HTTP management, HTTPS encrypted sites can only be blacklisted, which means some specific URLs are prohibited.
Managing the websites that users browse not only enhances productivity but also filters out malicious sites in advance, preventing users from accidentally downloading malicious software or viruses, thus ensuring network security.
When users attempt to visit blacklisted URLs, the system automatically redirects their browser to a predefined blocking page, notifying users that the site has been blocked. Administrators can create different URL management mechanisms and apply different blocking messages. These blocking records are also logged, allowing administrators to review them later.

5-6-1. URL Settings

NG-UTM redirects users’ browsers to a default or custom blocking page when the URL is on the blacklist. Administrators can customize the appearance of the blocking page for different blacklisted URLs.
Click on image183 to add a URL group:
URL Settings > Add

Figure 5-17: URL Settings > Add

Group Name: Identify the name of this blacklist for blocking, e.g., Restricted Sites.
Enable Custom Page Blocking: Not selected by default; all blocking pages will use the default page blocking settings in 5-6-3. Other Settings. When enabled, the system expands the following settings for administrators to modify.
Blocking Result Page Settings: Click the view button to preview the current blocking page settings.
Theme: Text displayed in the yellow block, e.g., Restricted Sites.
Content: More detailed explanatory text to be displayed, e.g., Access to this site is prohibited and will be investigated.
List: Lists all black and white lists for administrators to select from.

Note

Completed URL configurations will be displayed in a table under URL Settings.
The management rules set here are just management objects; they still need to be applied to specific IP addresses in Chapter 4. POLICY.

5-6-2. Black and White List Settings

WEB Database Information

NG-UTM operates in two modes for its WEB database: one is the blacklist database, and the other is the WEB database. Administrators can only choose one mode, and mode switching requires deleting all previously configured data.
1. WEB Database:
Provided by ShareTech partners, this database offers more detailed and comprehensive categorization, including blacklisted or malicious sites. The system is divided into six major categories and continuously updates the latest site lists. Enabling this database requires an additional authorization code. If unsure which group a website should be categorized under, administrators can click the adjacent URL Test button to test.
WEB Database Configuration

Figure 5-18: WEB Database Settings

WEB Database Information displays the current operating mode and its authorization status.
WEB Database Information

Figure 5-19: WEB Database Information

Licenses: Import the authorization code to enable the WEB database by clicking Choose File and then import it.
Mode: Indicate the current mode of operation, whether it’s the blacklist or WEB database. It can be switched to the other mode.
Expiration Date: Display the expiration date of the currently used database.
Service Status: In the WEB database, it indicates whether it’s enabled or disabled.
2. Blacklist Database:
Primarily sourced from ShareTech collection of blacklisted sites on the internet, this database updates these sites periodically.
Blacklist Database

Figure 5-20: Blacklist Database

Black and White List Settings

A whitelist consists of accessible URLs. When a whitelist is applied, the next rule following the whitelist will prohibit all HTTP traffic, which means that only URLs on the whitelist can be accessed, and all others will be blocked. Conversely, the blacklist operation prevents access to URLs listed in the blacklist while allowing access to all others.
Click on image183 to add a black list or white list:
• Basic Black and White List Settings
Basic Blacklist Settings

Figure 5-21: Basic Blacklist Settings

Name: Identify the name of this blacklist/whitelist, e.g., Restricted Internet Access, Only Allowed During Office Hours.
List Mode: Specify whether it’s a blacklist or whitelist.
Match Mode: Offer two matching modes: “Exact” and “Fuzzy”. In “Exact” mode, the URL must match entirely, while in “Fuzzy” mode, partial keyword matches are sufficient.
For example, to block the yahoo website:
- Exact Mode: Entering www.yahoo.com will only block www.yahoo.com, but www.yahoo.com.tw will still be accessible.
To block all related yahoo sites, use the wildcard *, e.g., yahoo.com.*.
- Fuzzy Mode: Entering yahoo will block all URLs containing yahoo. However, this increases the likelihood of false positives, as unrelated sites like abcyahoo and yahooabc may also be blocked. In this case, using the wildcard * provides more flexibility.
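The following is an added example, not NG-UTM code, that implements the Exact and Fuzzy matching described above, including the false positives the text warns about, together with the whitelist/blacklist decision from 5-6-2 (a whitelist allows only what it lists and everything else is blocked by the rule that follows it). Two details are assumptions about behaviour the page does not spell out: an entry that carries a path, such as tw.news.yahoo.com/sports/, is treated as a prefix of that site’s URLs, and a * entry is tried as a glob against the host and each of its parent domains so that yahoo.com.* covers www.yahoo.com.tw.

```python
import fnmatch
from urllib.parse import urlsplit


def _normalise(url):
    """Return (host, path) with scheme and port stripped; bare hostnames accepted."""
    if "://" not in url:
        url = "http://" + url
    u = urlsplit(url)
    return (u.hostname or "").lower(), (u.path or "/")


def _parent_domains(host):
    """'www.yahoo.com.tw' -> ['www.yahoo.com.tw', 'yahoo.com.tw', 'com.tw', 'tw']"""
    labels = host.split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def entry_matches(entry, url, match_mode):
    """One list line against one URL.
    exact: host equals the entry; an entry with a path is a prefix of that
           host's URLs; a '*' entry is a glob tried on the host and each parent
           domain (both assumptions about the product's behaviour).
    fuzzy: the entry is a substring of host+path."""
    host, path = _normalise(url)
    entry = entry.strip().lower()
    if match_mode == "fuzzy":
        return entry in host + path
    if match_mode != "exact":
        raise ValueError(f"unknown match mode {match_mode!r}")
    if "/" in entry:                                   # entry carries a URI prefix
        ehost, _, epath = entry.partition("/")
        return host == ehost and path.startswith("/" + epath)
    if "*" in entry:
        return any(fnmatch.fnmatchcase(d, entry) for d in _parent_domains(host))
    return host == entry


def decide(list_mode, match_mode, entries, url):
    """'allow' or 'block'. A whitelist allows only listed URLs (the rule after
    it denies all other HTTP); a blacklist blocks only listed URLs."""
    hit = any(entry_matches(e, url, match_mode) for e in entries if e.strip())
    if list_mode == "whitelist":
        return "allow" if hit else "block"
    if list_mode == "blacklist":
        return "block" if hit else "allow"
    raise ValueError(f"unknown list mode {list_mode!r}")


def false_positives(entry, match_mode, hosts):
    """Hosts in the given sample that the entry would catch; useful for
    previewing a fuzzy keyword before deploying it."""
    return [h for h in hosts if entry_matches(entry, h, match_mode)]
```

Running a candidate fuzzy keyword through false_positives against a sample of recently seen hosts is a cheap way to see the abcyahoo/yahooabc problem before the rule goes live.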
• Sandstorm Service
Applying Sandstorm’s controlled URLs to the blacklist allows adjustment of the level of restricted URLs within 6-6. Sandstorm. Click on image210 icon to test URLs against the Sandstorm database.
• Customed Black and White List Settings
The source of the blacklist can be manually entered by administrators or selected from the system’s built-in blacklist database. Additionally, blacklists can be established for IPV4/IPV6 and even HTTPS. Each entry should be on a separate line, and multiple entries can be added by inserting line breaks.
URL Blacklist: Enter the URLs to blacklist, e.g., tw.news.yahoo.com/sports/ or www.pchome.com.tw.
Besides the URLs, URI information can also be included. When selecting full matching, only specific content of the website will be blocked while allowing access to others.
IPV4 IP Blacklist: Enter IPV4 addresses to blacklist, e.g., 11.12.13.14 or 22.23.24.25.
IPV6 IP Blacklist: Enter IPV6 addresses to blacklist, e.g., 2001:b030:8102:bd::1 or 2001:b030:8102:2001::1.
Domain Blacklist: Determine black lists and white lists based on domain name. Special character “*” can be used to include all subdomains of the target domain.
Upload Extension Blacklist: Supports input of Content-Type or file extensions (preceded by a dot) for uploads. For example:
application/octet-stream or .doc
Download Extension Blacklist: Supports input of Content-Type or file extensions (preceded by a dot) for downloads. For example:
application/octet-stream or .doc
• Default Blacklist Settings
This item appears only when the list mode is set to “Blacklist”. When “Whitelist” is selected, this item is hidden. Administrators can either manually enter blacklists or choose from 11 categories of default blacklist databases provided by the system, based on actual needs.
To avoid duplication between manually entered blacklists and the database, NG-UTM provides URL testing functionality. Click the image210 icon next to default blacklist settings to enter testing mode. For example, in Figure 5-22, entering yahoo.com.tw to test its presence in the default blacklist database results in “Not Found.”
URL Test

Figure 5-22: URL Test

• Other Settings
NG-UTM’s blacklist settings support nesting of groups. For example, if two blacklist groups, Blacklist A and Blacklist B, already exist, then when adding Blacklist C it can, in addition to its own entries, include all of the entries of Blacklist A and Blacklist B. When the list mode is “Blacklist,” all blacklist groups are offered for selection; when it is “Whitelist,” only whitelist groups are shown.

5-6-3. Other Settings

When users attempt to access blacklisted websites, NG-UTM displays a warning message. The text of the message can be customized by administrators. Administrators can pre-design warning messages or assign different warning messages to each blacklisted site.
Default Warning Message
The system’s default blacklist blocking warning settings are in “Other Settings” under “Default Block Page Settings.” The details are as follows:
Default Blacklist Block Page

Figure 5-23: Default Blacklist Block Page

Block Result Page Settings: Click the “View” button to preview the current blocking page effect.
Subject: Text to display in the yellow block, e.g., “Access Denied.”
Content: More detailed text explanation, e.g., “Access to this website is prohibited; further actions may be taken.”

5-6-4. Log

Once administrators define the URLs to be managed and apply them to the control regulations, all URL entries that meet the conditions, whether allowed or prohibited, will be logged. Administrators can query based on these conditions.

5-7. DNS filter

DNS filter provides internet protection for users. When users query domain names configured by administrators on the DNS filter, the system responds with 0.0.0.0 to prohibit access.
DNS filter is usually paired with Sandstorm service to prevent users from inadvertently accessing malicious websites.

5-7-1. DNS Filter

Click on image183 to add a DNS Filter group:
Group Name: Set the name of the DNS Filter group.
Sandstorm: Enable blocking of URLs from Sandstorm with medium to high risk of malicious software. When users query these URLs, the system responds with 0.0.0.0.
Exact Match: Define URLs to block with exact matching. Matching is done exactly as entered.
For example: Enter www.123abc.com; when users query this URL, the system responds with 0.0.0.0, but other URLs like mail.123abc.com will resolve normally.
Fuzzy Match: Define URLs to block with fuzzy matching. Matching is done by partial match.
For example: Enter 123abc.com; all other URLs under 123abc.com like www.123abc.com or mail.123abc.com will be blocked.
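The following is an added example, not NG-UTM code, that models the decision a DNS Filter group makes for each query: an Exact Match entry blocks only that name, a Fuzzy Match entry blocks the name and everything below it, and an enabled Sandstorm check blocks names rated medium or high risk. The Sandstorm feed, the upstream answers, the group name and the client address are all constructed. One assumption worth stating: "partial match" is implemented here as a match at a label boundary, so `456xyz.com` blocks `mail.456xyz.com` but not the unrelated `not456xyz.com`; the same label-boundary test is what the “*” wildcard in the URL domain blacklist amounts to.

```python
# Added example, not NG-UTM code: how a DNS Filter group decides whether a query
# receives the 0.0.0.0 block answer. Feed, upstream data and client IP are constructed.
from typing import Optional

BLOCK_ANSWER = "0.0.0.0"


def normalize(name: str) -> str:
    """Lower-case and drop a trailing dot so 'WWW.123abc.com.' equals 'www.123abc.com'."""
    return name.strip().lower().rstrip(".")


def in_zone(qname: str, domain: str) -> bool:
    """True when qname is domain itself or any name below it (label boundary respected)."""
    return qname == domain or qname.endswith("." + domain)


class DnsFilterGroup:
    def __init__(self, name: str, exact=(), fuzzy=(), sandstorm: bool = False):
        self.name = name
        self.exact = {normalize(n) for n in exact}   # "Exact Match" entries
        self.fuzzy = {normalize(n) for n in fuzzy}   # "Fuzzy Match" entries (assumed: zone suffix)
        self.sandstorm = sandstorm                   # block medium/high risk feed entries
        self.block_log = []                          # what the 5-7-2 Block Log would list

    def block_reason(self, qname: str, feed: dict) -> Optional[str]:
        q = normalize(qname)
        if q in self.exact:
            return "exact"
        if any(in_zone(q, d) for d in self.fuzzy):
            return "fuzzy"
        if self.sandstorm and feed.get(q) in ("medium", "high"):
            return "sandstorm:" + feed[q]
        return None

    def resolve(self, ts: int, client_ip: str, qname: str, feed: dict, upstream: dict):
        """Return (answer given to the client, block reason or None)."""
        reason = self.block_reason(qname, feed)
        if reason is not None:
            self.block_log.append({"time": ts, "source": client_ip,
                                   "destination": normalize(qname), "reason": reason})
            return BLOCK_ANSWER, reason
        return upstream.get(normalize(qname), "NXDOMAIN"), None


# Constructed stand-ins for the Sandstorm risk feed and for a real upstream resolver.
SANDSTORM_FEED = {"bad.example": "high", "dodgy.example": "medium", "meh.example": "low"}
UPSTREAM = {"mail.123abc.com": "192.0.2.25", "not456xyz.com": "192.0.2.7", "meh.example": "192.0.2.9"}

GROUP = DnsFilterGroup("office", exact=["www.123abc.com"], fuzzy=["456xyz.com"], sandstorm=True)

QUERIES = ["www.123abc.com", "mail.123abc.com", "mail.456xyz.com", "not456xyz.com",
           "bad.example", "dodgy.example", "meh.example"]


def demo() -> dict:
    """Resolve each constructed query once and return {name: (answer, reason)}."""
    return {q: GROUP.resolve(1700000000 + i, "192.168.1.20", q, SANDSTORM_FEED, UPSTREAM)
            for i, q in enumerate(QUERIES)}


if __name__ == "__main__":
    for name, (answer, reason) in demo().items():
        print(f"{name:18} -> {answer:12} {reason or 'pass'}")
```

Every blocked query is also appended to `block_log` with the time, source and destination fields the Block Log page searches on, so the same object shows both halves of 5-7.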

5-7-2. Block Log

Blocked DNS query records are displayed here. Administrators can search based on time, source, or destination IP address.
DNS Block Log

Figure 5-24: DNS Block Log

5-8. Firewall Protection

Built-in SPI technology proactively intercepts and blocks hacker attacks, including DoS, DDoS, UDP Flood, etc., and can even resist fast-moving virus attacks, ensuring the security of internal users.
But what if attackers are not coming from the outside but from within?
ICSA does not define such an attack pattern, but such arbitrary attacks do exist.
ShareTech applies the concept of reasonable traffic and connection numbers, on the assumption that a single computer does not normally generate an excessive number of connections at the same time.
When reasonable traffic and connection numbers are exceeded, the firewall, combined with the control regulations, blocks the excess connections.
• Common Hacker Attack Methods (Denial of Service Attacks)
1. SYN Attack:
SYN Flood is one of the most popular methods of DoS (Denial of Service) and DDoS (Distributed Denial of Service) attacks. It exploits a TCP protocol flaw by sending many fake TCP connection requests, causing the targeted resource to be exhausted (CPU overload or insufficient memory).
2. ICMP Attack:
ICMP (Internet Control Message Protocol) is a packet defined in the TCP/IP communication protocol, mainly used to transmit simple control signals on the network.
ICMP DoS attacks mainly include Ping of Death and Smurf attacks.
3. UDP Attack:
By utilizing the UDP protocol, attackers send many fake UDP connection requests, causing the targeted resource to be exhausted (CPU overload, full bandwidth, or insufficient memory).
4. Land Attack:
This attack utilizes IP Spoofing to send a series of SYN packets to the target host, making the target host system mistakenly believe that these packets are sent by itself.
As the target host processes these packets, it cannot respond to itself with SYN-ACK packets, leading to system crashes.
5. Smurf Attack:
Smurf Attack is named after the program Smurf, which originally launched this type of attack.
This attack method combines IP spoofing and ICMP reply methods to flood the target system with a large amount of network traffic, causing the target system to deny service to legitimate systems.
6. Tear Drop Attack:
The Teardrop attack exploits vulnerabilities in IP packet reassembly. When data is transmitted over a network, IP packets are often fragmented into many small fragments.
Each fragment has a structure similar to the original packet, except for its offset information. Teardrop creates IP fragments that contain overlapping offset values.
When these fragments arrive at the destination and are reassembled, it may cause some systems to crash.
7. Ping of Death Attack:
“Ping of Death” is caused by sending oversized ping requests (ICMP echo requests), causing a buffer overflow, and resulting in abnormal operation or system crashes.

Tip: Video Reference | NU Series UTM Tutorial: Firewall Protection System.Interface.Regulations

5-8-1. Firewall Protection

For protection against DoS or DDoS attacks, NG-UTM provides settings for three protocols: SYN, ICMP, and UDP. Administrators can adjust the values as needed:
Firewall Protection Settings

Figure 5-25: Firewall Protection Settings

• Generic Settings
Permanently Block: If the same source IP triggers various detections more than a certain number of times, it will be permanently blocked. The judgement count can be viewed in 5-8-2. Attack Log. The blocked list will be displayed in the “Release IP Block” link.
• SYN Attack Detection Setting
Maximum Allow Flow: The maximum number of packet requests per second that each external IP address protected by the firewall can withstand.
The default value is 10,000 packets/second. If exceeded, the firewall will consider the protected IP address to be under attack.
Maximum Flow for Each Source IP: The number of packets per second that can be transmitted from the same IP address on the network.
The default value is 100 packets/second. If exceeded, the firewall will consider the protected IP address to be under attack.
Block Time when Source Address Exceeds Maximum: Once the firewall detects an attack, it will automatically discard packets from the attacker’s IP address for a certain period, defaulting to 60 seconds.
• ICMP Attack Detection Setting
Maximum Allowed Flow: Default value is 10,000 packets/second. If exceeded, the firewall will consider the protected IP address to be under attack.
Maximum Flow for Each Source IP: Default value is 100 packets/second. If exceeded, the firewall will consider the protected IP address to be under attack.
Block Time when Source Address Exceeds Maximum: Once the firewall detects an attack, it will automatically discard packets from the attacker’s IP address for a certain period. The default period is 60 seconds.
• UDP Attack Detection Setting
Maximum Allow Flow: Default value is 10,000 packets/second. If exceeded, the firewall will consider the protected IP address to be under attack.
Maximum Flow for Each Source IP: Default value is 100 packets/second. If exceeded, the firewall will consider the protected IP address to be under attack.
Block Time when Source Address Exceeds Maximum: Once the firewall detects an attack, it will automatically discard packets from the attacker’s IP address for a certain period, defaulting to 60 seconds.
• IP Address Block
Enter the source or destination IP addresses to be blocked. Traffic from these addresses cannot pass through the firewall’s protection mechanism, and all connection requests from these networks will be rejected.
For example, set 192.168.1.1 or 192.168.1.1/24.
• IP Address Exception
Enter the source or destination IP addresses to be exempted from the firewall’s protection mechanism. All connection requests from these networks will be accepted, even if their network packet quantity may be significantly higher than the set value.
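As an added example (not NG-UTM's implementation), the following model applies the settings above to a stream of packets: a per-second limit for each protected destination IP, a per-second limit for each source IP, a temporary block of the offending source for the configured block time, a permanent block once a source has triggered detection a configurable number of times, an IP Address Block list that is always rejected, and an IP Address Exception list that bypasses the limits. The threshold defaults match the page (10,000 and 100 packets/second, 60 seconds); the permanent-block count, the sample addresses and the packet stream are constructed.

```python
# Added example, not NG-UTM code: per-second flood thresholds, temporary/permanent source
# blocks, block list and exception list as described in 5-8-1. All addresses are constructed.
import ipaddress
from collections import defaultdict


class FloodGuard:
    def __init__(self, max_flow=10_000, max_flow_per_src=100, block_time=60,
                 permanent_after=3, block_list=(), exceptions=()):
        self.max_flow = max_flow                  # packets/s per protected (destination) IP
        self.max_flow_per_src = max_flow_per_src  # packets/s per source IP
        self.block_time = block_time              # seconds a detected source is dropped
        self.permanent_after = permanent_after    # detections before a source is blocked for good (assumed)
        # strict=False lets "192.168.1.1/24" (the page's own example) stand for its /24 network
        self.block_list = [ipaddress.ip_network(e, strict=False) for e in block_list]
        self.exceptions = [ipaddress.ip_network(e, strict=False) for e in exceptions]
        self.per_src = defaultdict(int)   # (second, proto, src) -> packets seen
        self.per_dst = defaultdict(int)   # (second, proto, dst) -> packets seen
        self.blocked_until = {}           # src -> time the temporary block ends
        self.triggers = defaultdict(int)  # src -> detections so far (the 5-8-2 judgement count)
        self.permanent = set()
        self.attack_log = []              # time, type, proto, src, dst as in 5-8-2

    @staticmethod
    def _listed(ip, networks):
        addr = ipaddress.ip_address(ip)
        return any(addr in n for n in networks)

    def observe(self, ts, proto, src, dst):
        """Classify one packet: 'accept', 'accept:exception' or 'drop:<why>'."""
        if self._listed(src, self.block_list) or self._listed(dst, self.block_list):
            return "drop:block-list"
        if self._listed(src, self.exceptions) or self._listed(dst, self.exceptions):
            return "accept:exception"
        if src in self.permanent:
            return "drop:permanent"
        if ts < self.blocked_until.get(src, float("-inf")):
            return "drop:blocked"
        sec = int(ts)
        self.per_src[(sec, proto, src)] += 1
        self.per_dst[(sec, proto, dst)] += 1
        if self.per_src[(sec, proto, src)] > self.max_flow_per_src:
            return self._detect(ts, proto, src, dst, f"{proto} flood from source", "drop:src-flood")
        if self.per_dst[(sec, proto, dst)] > self.max_flow:
            return self._detect(ts, proto, src, dst, f"{proto} flood against protected IP", "drop:dst-flood")
        return "accept"

    def _detect(self, ts, proto, src, dst, kind, verdict):
        self.triggers[src] += 1
        self.blocked_until[src] = ts + self.block_time
        if self.triggers[src] >= self.permanent_after:
            self.permanent.add(src)
        self.attack_log.append({"time": ts, "type": kind, "proto": proto, "src": src, "dst": dst})
        return verdict


def burst(guard, ts, src="10.0.0.5", n=101, proto="SYN", dst="203.0.113.10"):
    """Send n packets from one source within the same second and return the verdicts."""
    return [guard.observe(ts, proto, src, dst) for _ in range(n)]


if __name__ == "__main__":
    g = FloodGuard(block_list=("192.168.1.1/24",), exceptions=("10.0.0.9",))
    verdicts = burst(g, 0.0)
    print(verdicts.count("accept"), "accepted, then", verdicts[-1])
    print(g.attack_log)
```

The counters are keyed by whole seconds, which is exactly how a "packets/second" threshold behaves: a source that sends 100 packets at 0.9 s and 100 more at 1.1 s never trips the limit, which is the precision a practitioner should expect from these settings.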
• Other Items
In addition to detecting SYN, ICMP, and UDP attacks, UTM provides administrators with the ability to block common network attack methods.
Other Item Protection

Figure 5-26: Other Item Protection

These protection rules can be applied to NG-UTM’s interface addresses or to each control regulation. If attacks from the internet exceed the set value, NG-UTM will automatically block the attacker’s IP address, ensuring the network security of network devices.

5-8-2. Attack Log

NG-UTM logs all attack behaviors, and administrators can search for attack types, attack source IP addresses, and attacked IP addresses.
The system will provide detailed information including the attack time, attack type, protocol, port, attack source IP address, and attacked IP address.
Firewall Attack Log

Figure 5-27: Firewall Attack Log

5-9. Authentication

NG-UTM offers internet authentication settings that require users to enter a username and password to access the internet. Authentication can be done via HTTP or HTTPS.
Administrators can pre-define the web page users see before and after authentication.
Additionally, administrators can redirect users to a predefined URL while browsing.
There are four sources of accounts for NG-UTM authentication:
1. Local built-in users, represented by “L”.
2. External Radius Server, represented by “R”.
3. External POP3 server, represented by “P”.
4. External AD server, represented by “A”.
Using these four account sources, administrators can establish the authentication mechanism and set the priority of authentication account sources. For example, if both the local users and the AD server have an account named “Peter” and the authentication account source priority is set to “A,L,P,R”, the password must match the AD server.
After creating a user group, administrators can apply specific user groups in control policies. When specific source IP addresses need internet access, NG-UTM requests users to enter their username and password before granting access.
➤ To ensure proper internet authentication operation, follow these steps:
【Authentication】>【Page Settings】>【Account Source Determination】>【Create User Groups】>【Apply Policy】

5-9-1. Authentication Setting

NG-UTM uses common settings for authentication, and each user group can apply these settings. However, administrators can still configure different settings for different accounts. Here’s the explanation:
Authentication General Settings

Figure 5-28: Authentication General Settings

Authentication Port: The port number used during internet authentication operation. Default is TCP 82.
Authentication Page: The IP address used for the authentication page when users perform internet authentication. It can be the default gateway of each user or a custom IP address.
Allow Connection: Checking this option allows connections to the authentication port from IP addresses that haven’t undergone internet authentication or e-whiteboard control.
Authentication Connection Protocol: The protocol used for the authentication page. Choose between HTTP and HTTPS.
Maximum Concurrent Connections: The maximum number of IP addresses and authentication server requests that can occur simultaneously. Default is 256 IP addresses, configurable from 10 to 256.
Idle Timeout: The time after which users are required to re-authenticate if they have been idle. Default is 60 minutes, configurable from 1 to 1000.
Re-login after Timeout: The time each user can use the network after successful authentication. Default is 24 hours, configurable from 0 to 24. Setting to 0 disables this feature, and authentication connections remain valid unless the reauthentication idle timeout mechanism is triggered.
Allow Password Change: Allow users to change their authentication source password after successful authentication. Disabled by default. When enabled, users can modify their passwords.
Deny Multi-login: When enabled, each account and password allows only one IP address to log in. If another IP address requests access with the same account and password, NG-UTM’s authentication mechanism rejects it. Disabled by default, which means that the same account can log in from different IP addresses.
Temporary Block After Failed Logins: To prevent unauthorized login attempts, administrators can specify the number of failed login attempts after which an account is temporarily locked out from authentication. Default is 0, meaning unlimited attempts.
IP Blocking Period: This setting takes effect only when the temporary block feature above is enabled. It specifies how long an IP address remains locked out after exceeding the specified number of failed login attempts. Default is 0, which means these IP addresses remain blocked indefinitely.
Permanent Block After Failed Logins: When the same account exceeds the specified number of failed login attempts, it gets permanently locked out. Default is 0, which means that the feature is disabled.
Not Show Block Page: When checked, NG-UTM doesn’t display a block message to users if too many authentication failures occur. Checking this option enhances internet authentication’s ability to block malicious programs.
Unlocked IP Blocks: List out IP addresses blocked by the system. Administrators can unblock these addresses.
Account Expiration Notification: This feature applies only to built-in local accounts. It notifies administrators a specified number of days before an account with a set expiration date expires. Default is 0, which means that notifications are sent on expiration day.
Account expiry duration is set in Local Users.
Delete Expired Account: This feature applies only to built-in local accounts. After an account’s expiration, the system automatically deletes the account. Default is 0, which means that the feature is disabled. If set to 3, the account is deleted three days after expiration.
Authentication Mode Setting: Define the priority order of authentication for the system’s four built-in account sources. The default is “L,A,P,R”, but administrators can customize the sequence.
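Several of the settings above interact (the account source priority, Deny Multi-login, the temporary block with its IP Blocking Period, the permanent block, and the Unlocked IP Blocks release). The following added example, which is not NG-UTM code, puts them in one login routine so the interactions can be exercised: the first source in the priority order that knows the account decides the result, as in the “Peter” example in 5-9; a temporary block is keyed on the source IP and a period of 0 keeps it blocked until an administrator releases it; a permanent block is keyed on the account. The account sources are constructed dictionaries standing in for the local, AD, POP3 and RADIUS back ends, and the class and method names are assumptions.

```python
# Added example, not NG-UTM code: account-source priority plus the failed-login lockouts
# of 5-9-1. Account sources are constructed dictionaries, not real AD/POP3/RADIUS clients.
from collections import defaultdict


class AccountSource:
    """Constructed stand-in for one account source, identified by its letter (L, A, P or R)."""

    def __init__(self, letter: str, accounts: dict):
        self.letter = letter
        self.accounts = accounts  # account -> password (plain text only for this demo)

    def has(self, account: str) -> bool:
        return account in self.accounts

    def verify(self, account: str, password: str) -> bool:
        return self.accounts.get(account) == password


class Authenticator:
    def __init__(self, sources, mode="L,A,P,R", temp_block_after=0, ip_block_period=0,
                 permanent_block_after=0, deny_multi_login=False):
        self.sources = {s.letter: s for s in sources}
        self.order = [x.strip() for x in mode.split(",")]   # "Authentication Mode Setting"
        self.temp_block_after = temp_block_after            # 0 = unlimited attempts
        self.ip_block_period = ip_block_period              # seconds; 0 = blocked indefinitely
        self.permanent_block_after = permanent_block_after  # 0 = disabled
        self.deny_multi_login = deny_multi_login
        self.ip_failures = defaultdict(int)
        self.account_failures = defaultdict(int)
        self.blocked_ips = {}        # ip -> unblock time (inf until an administrator releases it)
        self.locked_accounts = set()
        self.sessions = {}           # account -> ip of the current login

    def release_ip(self, ip):
        """The "Unlocked IP Blocks" action: clear the block and its failure counter."""
        self.blocked_ips.pop(ip, None)
        self.ip_failures.pop(ip, None)

    def _pick_source(self, account):
        """First source in priority order that knows the account decides; others are ignored."""
        for letter in self.order:
            src = self.sources.get(letter)
            if src is not None and src.has(account):
                return src
        return None

    def login(self, ts, ip, account, password):
        until = self.blocked_ips.get(ip)
        if until is not None:
            if ts < until:
                return "fail:ip-blocked"
            self.release_ip(ip)              # temporary block has expired
        if account in self.locked_accounts:
            return "fail:account-locked"
        src = self._pick_source(account)
        if src is None or not src.verify(account, password):
            return self._record_failure(ts, ip, account)
        if self.deny_multi_login and self.sessions.get(account, ip) != ip:
            return "fail:already-logged-in"
        self.sessions[account] = ip
        self.ip_failures.pop(ip, None)
        self.account_failures.pop(account, None)
        return "ok:" + src.letter

    def _record_failure(self, ts, ip, account):
        self.ip_failures[ip] += 1
        self.account_failures[account] += 1
        if self.temp_block_after and self.ip_failures[ip] >= self.temp_block_after:
            self.blocked_ips[ip] = ts + self.ip_block_period if self.ip_block_period else float("inf")
        if self.permanent_block_after and self.account_failures[account] >= self.permanent_block_after:
            self.locked_accounts.add(account)
        return "fail:bad-credentials"


if __name__ == "__main__":
    auth = Authenticator([AccountSource("L", {"peter": "localpw"}), AccountSource("A", {"peter": "adpw"})],
                         mode="A,L,P,R")
    print(auth.login(0, "10.0.0.1", "peter", "localpw"))  # AD wins the priority, so this fails
    print(auth.login(1, "10.0.0.1", "peter", "adpw"))
```

Because the first source that knows an account makes the decision, a local password is never consulted for an account that also exists in a higher-priority source; this is the behaviour to keep in mind when the same username exists in more than one back end.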

5-9-2. Page Settings

In this section, administrators can set up some information to appear on users’ browsers during internet authentication, allowing the bulletin board to effectively convey messages to users.
• Default Page Setup
These settings will apply to the entire page configuration.
Default Page Setup

Figure 5-29. Default Page Setup

Redirect successfully authenticated users to: Specify a URL to open in the user’s browser upon successful login, such as a company website, news site, or notification page. It is blank by default, which means that users are directed to their browser’s homepage after successful authentication.
Display a Read Page: Determine whether a client-side login screen appears before users enter their credentials. Users must confirm reading the page below before entering the input window.
Display Logout Page After Successful Login: Display a window for logging out after successful login.
Default Language: The system automatically detects device language, falling back to this setting if detection fails. Options include English, Traditional Chinese, and Simplified Chinese.
Page Color Settings: Customize the block and text colors of the client-side login screen (see Figure 5-30).
• Client-Side Login Screen Settings
Authentication Login Screen and Preview

Figure 5-30: Authentication Login Screen and Preview

Subject: Text displayed in the subject area. For example, “Please enter your username and password.”
Content: Text displayed in the content area. For example, “This is the authentication system of ABC Company.”
Upload Logo: Customize the logo displayed in the logo area. The default is the logo of ABC Information.
Login Preview: After saving settings, administrators can preview the screen to ensure it meets expectations. In the preview screen, click the “Accept” button to complete the login screen configuration.
• Client-Side After Login Screen Settings
Authentication After Login Screen and Preview

Figure 5-31: Authentication After Login Screen and Preview

Logged-in Message: Message displayed to users after successful login. For example, “Please do not abuse network resources.”
Logged-in Preview: After saving settings, administrators can preview the screen to ensure it meets expectations. The preview screen displays several items, including the user’s current IP address, logout, and password change.
Change Password: When the account source is a built-in local user, users can change the password of the authentication account on the post-login screen.
• Apply Bulletin Layout
NG-UTM can integrate the authentication login screen with the bulletin board. In this case, the login screen adopts the style of the bulletin board configuration, but the subject, content, and logo data can be determined by administrators. Before enabling this feature, you need to create groups in 5-10. Bulletin Board.
Click image183 to add Bulletin Board settings:
Authentication Login with Bulletin Board

Figure 5-32: Authentication Login with Bulletin Board

Notes: The name of this service. For example, “Authentication + Bulletin board.”
IP Address: The IP address where this feature applies. For example, 192.168.1.1.
Netmask: Subnet mask, for example, 255.255.255.0/24 for an IPv4 C Class.
Apply Bulletin: Choose a pre-configured group from “Management Target > Bulletin Board.”
Display Authentication Login Screen on Bulletin: Choose whether to embed the subject, content, and logo set on the login page into the bulletin.
➤ After an entry is added, it is displayed in the “Apply Bulletin board Layout Settings” table under “Page Settings.”
Here you can view and adjust all settings, change priorities, and modify settings. NG-UTM also provides a preview function: click the computer or mobile version to preview the screen.

5-9-3. Authentication Account Sources

NG-UTM offers four types of authentication account sources, with the default priority order being “L, A, P, R.”

Local Users

Creating local user accounts allows users to change their passwords and set expiration dates themselves.
Click on image183 to create a local user account:
Create Local User

Figure 5-33: Create Local User

Name: The name of the new account, for easy identification of the user, e.g., John Smith, maximum 16 characters.
Account: The account used for authentication, limited to alphanumeric characters, maximum 16 characters.
Password: The password used for authentication. It can be made more secure by:
· Using letters and numbers.
· Using special characters (e.g., @; commas and colons are not allowed).
· Mixing uppercase and lowercase (passwords are case-sensitive, 3 to 16 characters, and not the same as the username).
Password Strength: The system automatically detects password strength based on the input, for reference by administrators.
Confirm Password: Re-enter the password for confirmation.
Require Password Change on Next Login: Whether users can change their passwords after logging in. Default setting is disallowed.
Account Expiration Date: Set the expiration date for the account’s use. The system automatically displays dates for administrators to choose from. If no date is selected, it means the account never expires.
Two-Factor Authentication: When enabled, users must enter a verification code generated by Google Authenticator in addition to their original password to log in.
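As an added example, not NG-UTM code, the following validator applies the account and password rules listed above (alphanumeric account of at most 16 characters; password of 3 to 16 characters, case-sensitive, without commas or colons, and different from the account name) and reports a strength level. The strength tiers are an assumption derived from the three hints the page gives (letters with numbers, special characters, mixed case); the page does not state how NG-UTM's own strength meter scores a password.

```python
# Added example, not NG-UTM code: the local-user account and password rules from 5-9-3.
# The strength tiers are an assumption based on the page's three hints.
import re

ACCOUNT_RE = re.compile(r"^[A-Za-z0-9]{1,16}$")


def validate_account(account: str) -> list:
    return [] if ACCOUNT_RE.match(account) else ["account must be 1 to 16 alphanumeric characters"]


def validate_password(account: str, password: str) -> list:
    problems = []
    if not 3 <= len(password) <= 16:
        problems.append("password must be 3 to 16 characters")
    if "," in password or ":" in password:
        problems.append("commas and colons are not allowed")
    if password == account:   # case-sensitive comparison, as the page states
        problems.append("password must differ from the account name")
    return problems


def password_strength(password: str) -> str:
    """One point per hint satisfied: letters+numbers, a special character, mixed case (assumed scale)."""
    score = 0
    if any(c.isalpha() for c in password) and any(c.isdigit() for c in password):
        score += 1
    if any(not c.isalnum() for c in password):
        score += 1
    if any(c.islower() for c in password) and any(c.isupper() for c in password):
        score += 1
    return ["weak", "fair", "good", "strong"][score]


def check_new_user(name: str, account: str, password: str, confirm: str) -> dict:
    """Validate one Create Local User form; returns ok flag, problem list and strength label."""
    problems = []
    if not 1 <= len(name) <= 16:
        problems.append("name must be 1 to 16 characters")
    problems += validate_account(account)
    problems += validate_password(account, password)
    if password != confirm:
        problems.append("password and confirmation do not match")
    return {"ok": not problems, "problems": problems, "strength": password_strength(password)}


if __name__ == "__main__":
    print(check_new_user("John Smith", "jsmith", "Jsm1th@x", "Jsm1th@x"))
    print(check_new_user("John Smith", "jsmith", "jsmith", "jsmith"))
```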
• User List
Completed local user accounts are listed here for modification and query operations:
Expired Log: All expired accounts.
Search by Account/Name: NG-UTM provides search functionality for both accounts and names.
Import/Export: Built-in local account data can be imported and exported for easier preservation.

External POP3 Server

NG-UTM allows authentication accounts to be integrated with POP3 mail server accounts, eliminating the need for users to remember multiple account passwords.
Click on image183 to add a POP3/IMAP server:
Create POP3/IMAP Authentication

Figure 5-34: Create POP3/IMAP Authentication

Domain Name: The name of the server’s domain, e.g., for the account Jean@abc.com, the POP3 domain name is abc.com.
Server: The IP address of the server or the A record name of the domain, e.g., 9.9.9.9 or pop.abc.com.
Append Domain to Login Account: Whether to append the server’s domain name to the authentication account, default is not appended.
For example, if an account is jean@abc.com, when choosing not to append the domain, the authentication account is jean; when choosing to append, the authentication account becomes jean@abc.com.
Protocol: There are 2 authentication protocols to choose from, POP3 and IMAP.
When choosing IMAP, remember to ensure that the authentication server’s IP address and domain point to the corresponding IMAP server.
Security: Whether to use encryption protocols when communicating authentication mechanisms, the default setting is none.
Administrators can select encryption methods such as TLS or SSL based on the connection method provided by the server.
Port: The communication port used for authentication, default is 110 for POP3, 443 for TLS/SSL.
Certification: Whether to ignore certificate warnings when an encrypted connection is selected.
Connect Test: After configuring the above information, administrators can test whether the settings work properly.
Clicking the connect test button will prompt administrators to enter a POP3/IMAP account, and the system will respond with the test result.
★Two-Factor Authentication: When enabled, users must enter a verification code generated by Google Authenticator in addition to their original password to log in.

External RADIUS Server

NG-UTM allows authentication accounts to be integrated with external Radius server accounts, eliminating the need for users to remember multiple account passwords.
Click on image183 to add RADIUS settings:
Create RADIUS Server Authentication

Figure 5-35: Create RADIUS Server Authentication

RADIUS Name: The name of this RADIUS server, e.g., my_radius.
RADIUS Server: The IP address or domain name of this RADIUS server, e.g., 192.168.1.100 or radius.abc.com.
RADIUS Server Port: The port used by NG-UTM to communicate with the RADIUS server, default is 1812.
Shared Secret: The secret used by NG-UTM to communicate with the RADIUS server. Authentication fails if the secret is incorrect.
Interface: NG-UTM uses zones as interfaces. However, not every interface can communicate with the RADIUS server, so you need to select an interface that can communicate with the RADIUS server.
If not specified, NG-UTM will communicate with the server according to the default routing table.
Connection Test: After configuring the above information, administrators can test whether the settings work properly.
Clicking the connection test button will prompt administrators to enter a RADIUS server account, and the system will respond with the test result.
★Two-Factor Authentication: When enabled, users must enter a verification code generated by Google Authenticator in addition to their original password to log in.

External AD Server

NG-UTM allows authentication accounts to be integrated with external AD server accounts, eliminating the need for users to remember multiple account passwords.
AD Server Settings

Figure 5-36: AD Server Settings

★2-Step Verification Setting: Once enabled, besides entering the original password, you need to input a verification code generated by Google Authenticator to log into the account.
AD Address: The IP address of the AD server, e.g., 192.168.1.1.
AD Domain Name: The domain name of the AD server, maximum 16 characters, e.g., ad.abc.com.
AD Login Account: The AD administrator account with account management permissions, maximum 16 characters, e.g., administrator.
AD Login Password: The password of the AD administrator with account management permissions.
Connection Test: After entering the above information, administrators can click the connection test button to check if the settings are correct.
Ignore the AD Group: Built-in groups within the AD server whose members are excluded from account authentication.
Ignore the AD User: Built-in users within the AD server who cannot log in through the authentication mechanism.

5-9-4. User Groups

The fourth step in establishing the authentication mechanism is to create user groups.
Administrators can create multiple user groups, which can apply predefined authentication settings and account sources, or be set separately.
Click image183 to add a user group:
Authentication Group Settings

Figure 5-37: Authentication Group Settings

Group Name: The name of the user group, can be any combination of text, e.g., Engineering Department Group.
Authentication Settings: There are 2 modes to choose from:
One is the predefined Shared Settings; the other is Custom Settings, which applies different settings to different users. For detailed explanations, please refer to 5-9-1. Authentication Setting.
Select User Type to Edit: Users can be selected from different options.
· Local Users: Select users from all users and add the selected users.
· External POP3, IMAP Server: Select a pre-established POP3, IMAP server and add the selected users.
· External RADIUS Server: Select a pre-established RADIUS server and add the selected users.

5-9-5. Log

Authentication log for each user group, whether successful or unsuccessful. Administrators can query based on IP address, account, connection status, or the source of authentication accounts.
There are 6 possible authentication result statuses: login Success, login Fail, logout Success, idle logout, login Timeout, and admin Kick-out.
Authentication Log Query

Figure 5-38: Authentication Log Query

5-9-6. Status

Lists the users currently logged in through internet authentication, including group name, user account, user IP, and user MAC address, together with kick-out operations and group kick-out records.

5-10. Bulletin Board

In the past, when most companies needed to communicate with employees, they either posted notices or notified via email. For important messages, emergency broadcasts or communication through department heads were utilized. However, in this era where the internet deeply influences our lives, the web has become the optimal tool for swiftly conveying messages.
For most office workers, the first thing they do when they arrive at work is to open their computers. However, they often deal with some miscellaneous tasks before starting their work.
Therefore, if important messages are notified via email, there might be a delay before they are seen.
ShareTech’s web page bulletin board feature requires users to confirm that they have viewed important company announcements before they can proceed to browse the web or use instant messaging tools.
Access is activated only after users confirm that they have reviewed the company’s announcements.
While webpage bulletin boards may not replace emails as the primary notification system, they can allow those accustomed to browsing the web to receive the latest corporate messages more promptly.
➤ To ensure the proper functioning of the bulletin board, the operational steps are as follows:
[Create User Groups] > [Layout] > [Enforce Regulations]

5-10-1. User Groups

Firstly, it’s necessary to establish a user group to define actions before and after reading messages.
Click on image183 to add a user group:
Bulletin Board Group

Figure 5-39 Bulletin Board Group

Group Name: The name of this user group, it can be any combination of text, for example, Engineering Department Bulletin board.
Interval for Message Popup: Specifies how often the bulletin board message will reappear on the user’s webpage, default is 24 hours, input range 1-65535.
Block All External Connections Before Reading Messages: Checking this means that when the bulletin board message appears on the user’s webpage, they must click the “Read” button on the bulletin board to browse the internet normally.
After read bulletin, url redirect: Determines whether to redirect the user’s web page to a specific URL, such as the company’s website, after the bulletin board message has been read. Leaving it blank disables this function.

Page Design

Created groups will be displayed in the group list. Click Layout.
NG-UTM provides four templates for bulletin boards for administrators to choose from. After selecting a template, proceed with the template setup:
A. Basic Template
The main difference between the desktop version and the mobile version is the layout size. Click the button above the template setup to switch between them.
The basic template has 3 sections: Title, Content, and “I Have Read” button. Remember to save settings before previewing.
Bulletin board - Basic Template

Figure 5-40 Bulletin board - Basic Template

Title: Enter the title text of this bulletin board, for example, Engineering Department Bulletin board.
Button Text: Decide whether to change the text of the read button, click “User Define” to input text.
Content of Bulletin: Input content text, HTML TAGs can be used to make the content clearer.
Background Color: Choose an appropriate background color.
B. Image Template
The main difference between the desktop version and the mobile version is the layout size and the number of images displayed.
The image template contains 3 sections: Title, Picture, and “I Have Read” button. Please save settings before previewing.
Bulletin board - Image Template

Figure 5-41 Bulletin board - Image Template

Title: Enter the title text of this bulletin board, or set it to hidden (if both the title and read button are hidden, then this bulletin board will only display images).
Picture Display: Only one image can be displayed in the mobile version, while the desktop version can be set to display 1/4/9 images.
Picture Transform: The images in the bulletin board picture area change every few seconds, default is 30 seconds.
Picture Size: Administrators can choose default or custom picture size.
Select Mode: Desktop version function, choose whether images should be randomly displayed or displayed in the order set in picture management.
Picture Management: Upload and save images before managing them.
When the Select Mode is set to random for all, you can select which images to display on this bulletin board.
When the Select Mode is set to custom, you can select which images to display for each image number according to the set Picture Display.
For example, suppose 6 pictures are uploaded, Picture Display is set to 4 images, and Picture Transform is set to 3 seconds.
If Select Mode is set to random for all and all 6 images are selected in Picture Management, this bulletin board randomly displays 4 of the pictures and changes them every 3 seconds.
If Select Mode is set to custom, Picture Management lets you choose which image to display for each picture number from 1 to 4.
Hide Button: Decide whether to hide the read button. If the read button is hidden, clicking anywhere on the image by the user indicates that it has been read.
Button Text: Decide whether to change the text of the read button, click “Custom” to input text.
Background Color: Choose an appropriate background color.
C. Image-text Template
The main difference between the desktop version and the mobile version lies in the layout and the size of images that can be displayed.
The image and text template consist of 3 sections: Title area, image + text area, and read button. Save settings before previewing.
Bulletin board - Image-text Template

Figure 5-42 Bulletin board - Image-text Template

Title: Enter the title text of this bulletin board, or set it to hidden (if both the title and read button are hidden, then this bulletin board will only display images and text).
Image-text Display: The image and text area display how many sets of images + text, default is 3 sets.
Image-text Transform: The image and text area change every few seconds, default is 30 seconds.
Picture Size: Administrators can choose default or custom image size.
Select Mode: Choose whether images should be randomly displayed or displayed in the order set in image management.
Hide Button: Decide whether to hide the read button. If the read button is hidden, clicking anywhere on the image by the user indicates that it has been read.
Button Text: Decide whether to change the text of the read button, click “User Define” to input text.
Group Management: A text and image group must be added before it can be managed here.
Background Color: Choose an appropriate background color.
Add Text and Image Group: Add text and images to be displayed on the bulletin board.
D. Path Linking
Upload custom pages, or use data that already exists on the internet, as samples for the bulletin board.
Regardless of the method, you can open the source code of the web sample and modify it to suit the administrator's preferences.
In this mode, the settings for both the desktop and mobile versions are the same.
• Type One, HTTP Upload
Prepared files are uploaded via HTTP, and then the way they are displayed is configured.
File Management: Based on the uploaded files, decide whether to display them statically or randomly.
Web Page Transform: How many seconds elapse before the images in the image area change; the default is 30 seconds.
Button Text: Decide whether to change the text of the read button, click “User Define” to input text.
• Type Two, FTP Server
NG-UTM retrieves files from a fixed directory on the FTP server specified by the administrator and displays them on the bulletin board based on the configured information.
IP Address: IP address of the FTP server, for example, 192.168.10.
Folder Name: The specific folder on the FTP server from which files are fetched; specify the folder directory, for example: publicepaper.
Username: Enter the username used to log into the FTP server.
Password: Password used to log into the FTP server. Click "Connect Test" after entering it to verify that the login data is correct.
Auto Update Time: How often to log into the FTP server to check for new files.
Update now: Immediately check the directory of the FTP server for new files.
File Management: Based on the uploaded files, decide whether to display them statically or randomly.
Web Page Transform: How many seconds elapse before the images in the image area change; the default is 30 seconds.
Button Text: Decide whether to change the text of the read button, click “User Define” to input text.
• Type Three, Samba
NG-UTM retrieves files from a fixed directory on the Samba server (network neighborhood) specified by the administrator and displays them on the bulletin board based on the configured information.
IP Address: IP address of the Samba server, for example: 192.168.10.
Folder Name: The specific folder on the Samba server from which files are fetched; specify the folder directory, for example, publicepaper.
Username: Account used to log into the Samba server.
Password: Password used to log into the Samba server. Click "Connect Test" after entering it to verify that the login data is correct.
Auto Update Time: How often to log into the Samba server to check for new files.
Update now: Immediately check the directory of the Samba server for new files.
File Management: Based on the uploaded files, decide whether to display them statically or randomly.
Web Page Transform: How many seconds elapse before the images in the image area change; the default is 30 seconds.
Button Text: Decide whether to change the text of the read button, click “User Define” to input text.

5-10-2. Has Read the Bulletin Board

Wherever one goes, traces are left behind; wherever one reads, information is recorded. The NG-UTM web bulletin board function not only provides enterprises with an excellent information dissemination tool; more importantly, it records every instance of a user browsing a message, documenting the topics and the times at which users read bulletin board messages.
If users need to be reminded again, their read records can be removed, which prompts them to read the messages again.
Figure 5-43 Electronic Whiteboard Message