Host Firewall Service

    Alerts

    Protect your account with MFA, sign up now at go.lbl.gov/mfa

    Do you need to protect a device (like a microscope) or an old system (that Windows 98 computer collecting science data) that doesn't have a firewall? You can use the Linksys Firewall Protection to guard these devices and systems.

    Basic and Advanced instructions will use a Cyber Security supplied, preconfigured Linksys router.
    Customized instructions will show you how to get your Linksys router to match the Cyber Security Linksys router configuration.
    Basic is aimed at a quick and simple deployment.

    You will begin with a general configuration, found in the Custom tab. When completed, you will continue with a use case-specific configuration. There are two use cases presented.

    1. The first case, Use Case #1: No Ports Open and No Services Provided, covers the use where the device or system to be protected will have no open ports and will not provide any services.
    2. The second case, Use Case #2: Open Ports and Services Provided, is where the device or system will have open port(s) and provide service(s).

    Finally, you will test and verify all the configurations made. Instructions are located in the Testing & Verifying tab.

    If you have a case that is unique or have any questions, please contact Cyber Security at security@lbl.gov.

    Basic

    Overview

    The purpose is to protect a device, such as a microscope, or a system, such as a Windows 98 computer, which does not have built-in firewall capability and does not need to be accessed off-site. If off-site access is required, go to the Advanced tab or the Customize tab.

    The instructions presented below assume you are using a Cyber Security configured Linksys router. Contact Cyber Security at security@lbl.gov to request a Cyber Security configured router.

    The Required steps will walk you through getting the router connected to the Lab's network and to the device or system that requires protection. Optional steps provide a guide to configuring the router's host name and administrator password via the router's web-based configuration page.

    Required

    1. Connecting the Router to LBNL's Network
    2. Connecting the Device or System to the Router
    3. Power On the Router and Device or System

    Optional

    1. Accessing the Linksys Router's Web-based Configuration Page
    2. Assigning a Host Name
    3. Changing Administrator Password

    Required

    Connecting the router to LBNL's network

    Take the line that is connected to LBNL's network and plug it into the Internet port on the router.

    Internet port

    Connecting the Device or System to the Router

    With one end of the Ethernet cable connected to the device or system, connect the other end to one of the router's four, numbered (1-4) interfaces as shown below.

    Reference: Connecting devices on a Linksys router.

    Power On the Router and Device or System

    Plug the provided power adapter into the router’s Power port and into a power outlet.

    Power on the device or system that you are protecting.

    The LED lights for Power, Ethernet, and Internet on the front of the router should be lit.


    1.Power 2.Ethernet 3.Internet

    Test your device or system to verify that it is working the same as before you introduced the router. If everything is working, you are done. Please consider completing one or both of the optional steps presented below.

    If there are any questions, please send them to security@lbl.gov.

    Optional

    These optional steps are given to aid in the identification and protection of the router.

    1. Assigning a Host Name
    2. Changing Administrator Password

    To complete these tasks, you need to access the router's web-based configuration page. Instructions are provided below.

    Accessing the Linksys Router's Web-based Configuration Page
    1. Power on the router.
    2. Using an Ethernet cable, connect any computer that has a wired network interface card and is configured for DHCP to one of the router's local/private interfaces, which are numbered 1 - 4.
    3. Launch a Web browser from the computer you connected to the router.
    4. Enter the Router's IP address, 192.168.1.1 (default on Linksys Routers), in the address bar of the web browser.
    5. When prompted, enter admin in the Password field, leaving the Name field blank, and click OK to continue.

      The default password is admin.

    You are now able to access the router's web-based configuration page.

    Example of Linksys router built-in web-based setup page.
    Reference: Accessing the router's web-based setup page


    Now you are ready to assign a host name and/or change the administrator password.

    Assigning the Router a Host Name

    Assigning the router a specific host name allows Cyber Security to locate the device and notify the owner if abnormal behavior is detected.

    From the Basic Setup page, locate the field for Host Name as shown below. By default, this field is blank.

    Router basic setup page with host name field blank.

    In the Host Name text field, enter your LBL user name followed by -linksys, without any spaces or special characters other than the hyphen. Numbers are OK to use. Because the host name contains a user name, the owner is easily identifiable and can be contacted when the need arises.

    Router host name format: username-linksys

    Click on the Save Settings button located at the bottom of the page to save your changes.

    Save settings button


    Confirmation message

    You have just assigned your router a host name.

    If there are any questions, please send them to security@lbl.gov.

    Changing Administrator Password

    In order to protect your router from unauthorized access, you should change the password to something other than its default.

    One recommendation is to set the router password to the serial number (S/N) of the router itself. The S/N can be located on the bottom side of the router, usually below the model number.

    Go to the Finding the Model Number of your Linksys Device page to find out how to locate the serial number.

    Once the serial number has been located, from the web-based configuration page, click on Administration. From the Management page, enter the S/N in the Router Password field and the Re-enter to confirm field. To save, click on the Save Settings button at the bottom of the page.

    Router Password
    Reference: Changing the Linksys router's administrator password.

    If there are any questions, please send them to security@lbl.gov.

    Advanced

    Overview

    Use a Linksys router preconfigured by Cyber Security to guard a device or system that does not or cannot provide a host-based firewall. In addition to the preconfiguration, to meet the needs of the device or system as identified by you

    1. Do you have services to provide?
      Yes. Continue on with Question #2.
      No. Click on the Basic tab for instructions.
    2. Do those services require off-site access?
      Yes. Continue on to Question #3.
      No. See Configuring Router for LBNL's DHCP.
    3. Do you provide a web server?
      Yes. See Configuring a Static IP.
      No. See Configuring Router for LBNL's DHCP.

    Configuring Router for LBNL's DHCP

    The following instructions are for a protected device or system that will allow open ports and provide services.

    All the instructions are based on starting off with a Cyber Security preconfigured Linksys Router.

    Receiving an IP address from LBNL's DHCP server

    This will allow the router to communicate on the network.

    From the router's web-based configuration page, go to the Setup page and then click on Basic Setup if not already there. Instructions are provided in the Getting Started tab under the Accessing the Linksys Router's Web-based Configuration Page section.

    For the Linksys router to be able to receive an IP address from LBNL's DHCP server, its Internet Connection Type setting must be set to Automatic Configuration - DHCP as shown in the image below. This may be set by default. If so, there is nothing you need to do; if not, choose this setting and then click the Save Settings button at the bottom of the page.

    This will allow the router to receive an IP address from LBNL's DHCP server once it is connected.


    Saving changes.

    Host Name

    Assigning the Router a Host Name

    Assigning the router a specific host name allows Cyber Security to locate the device and notify the owner if abnormal behavior is detected.

    From the Basic Setup page, locate the field for Host Name as shown below. By default, this field is blank.

    Router basic setup page with host name field blank.

    In the Host Name text field, enter your LBL user name followed by -linksys, without any spaces or special characters other than the hyphen. Numbers are OK to use. Because the host name contains a user name, the owner is easily identifiable and can be contacted when the need arises.

    Router host name format: username-linksys

    Click on the Save Settings button located at the bottom of the page to save your changes.

    Save settings button


    Confirmation message

    You have just assigned your router a host name.

    Connecting the router to LBNL's network

    Take the line that is connected to LBNL's network and plug it into the Internet port on the router.

    Internet port

    Connecting the Device or System to the Router

    With one end of the Ethernet cable connected to the device or system, connect the other end to one of the router's four, numbered (1-4) interfaces as shown below.

    Reference: Connecting devices on a Linksys router.

    Power On the Router and Device or System

    Plug the provided power adapter into the router’s Power port and into a power outlet.

    Power on the device or system that you are protecting.

    The LED lights for Power, Ethernet, and Internet on the front of the router should be lit.


    1.Power 2.Ethernet 3.Internet

    Test your device or system to verify that it is working the same as before you introduced the router. If everything is working, you are done.

    If there are any questions, please send them to security@lbl.gov.

    Configuring a Static IP

    Configuring the Linksys Router Public Interface

    Specifications
    The Linksys router will be configured for a static IP address assigned by LBLnet and the router will be acting as the DHCP server for the clients that are being protected by it. For information on obtaining a static IP address, visit the LBLnet web site at https://iprequest.lbl.gov/

    The Linksys router's public (Internet) interface will be assigned a static IP address.

    From the router's web-based configuration page, go to the Setup page and then click on Basic Setup if not already there.

    For the Linksys router to be configured with a static IP address, the Internet Connection Type needs to be set to Static IP. This can be done by clicking on the drop-down menu and choosing Static IP.

    After selecting Static IP, you'll see several fields appear such as:

    Internet IP Address

    Subnet Mask

    Gateway

    Static DNS 1

    Static DNS 2

    Static DNS 3

    These are all the required fields, with the exception of Static DNS 3 which is optional.

    The following steps will show you how to get the information to populate the fields.

    Internet IP Address

    Starting with the Internet IP Address field, enter the static IP that you were assigned by LBLnet. For example, 128.3.10.79.

    Subnet Mask and Gateway

    Information about LBL's Subnet Mask and Gateway can be found at https://commons.lbl.gov/display/itdivision/IP+Subnet+Addresses+at+LBNL

    To get the proper Subnet Mask and Gateway address from the LBLnet page, you need to know the physical location of the device to be protected. For example, the device is located in Building 50B on the 2nd floor. You search for that location in the Use column and find Building 50B: Computing/Graphics Lab (floors 1+2+3). To the left of the Use column are the Subnet, 128.3.10.0/23, and the Gateway, 128.3.11.1, in their respective columns.

    The /23 from 128.3.10.0/23 is the subnet mask in prefix-length form. Translate /23 into dotted decimal notation, which is 255.255.254.0. This is the number you'll enter into the Subnet Mask field. Click on this link for a reference chart: http://www.cisco.com/web/about/ac123/ac147/images/ipj/ipj_9-1/91_ip_fig_03_lg.jpg

    For the Gateway field, enter the Gateway address of 128.3.11.1, which is found between the Subnet and Use columns.

    DNS

    To find information about LBNL's DNS, go to the Domain Name Service Configuration page at http://www-lblnet.lbl.gov/dns-conf.html

    There are four DNS configurations:

    1. LBNL Main Site (lbl.gov)
    2. ALS (lbl.gov)
    3. JGI-PSF Walnut Creek (jgi-psf.org)
    4. NERSC (nersc.gov).

    Choose the one that matches the physical location of the device. If the device is located in Building 50B, you'll choose to use the LBNL Main Site (lbl.gov) DNS configuration.

    For the Static DNS 1 field, enter 128.3.34.186 (Primary Name Server).
    For the Static DNS 2 field, enter 131.243.64.2 (Secondary Name Server).

    Reference

    Below is an example, for your reference, of all the information entered.

    To save your configuration, click Save Settings at the bottom of the page.

    Configuring the Linksys Router Private Interfaces

    To configure the router's private interfaces, you will define a private address space and disable the DHCP server.

    From the router's web-based configuration page, go to the Setup page and then click on Basic Setup if not already there.

    Locate the Network Setup section. To configure the private interfaces of the router, you will need to define the private IP address space by entering 10.1.1.1 in the Local IP Address field and use the Subnet Mask of 255.255.255.0. These settings will specify the private (local) network.

    Note that after setting the Local IP Address to 10.1.1.1 the web-based configuration page will now be accessed with this IP address, 10.1.1.1, and not 192.168.1.1 (default).

    Next, disable DHCP server by clicking on the Disable radio button for DHCP Server.

    Click the Save Settings button to save your configuration. See image below for reference.

    Configuring an Open Port and Service

    This step demonstrates how to make services available over the Internet. For the purposes of this demonstration, the service that will be provided is Secure Shell (SSH).

    From the router's web-based configuration page, click on Applications & Gaming. You should now see the Single Port Forwarding page. If not, click on Single Port Forward from the sub-navigation. See image below for reference.

    Begin by entering SSH in the Application text field. For the remaining fields in the SSH row, enter the following:

    External Port    Internal Port    Protocol    To IP Address    Enable
    22               22               TCP         10.1.1.2         Check

    External (Public) and Internal (Private) Ports are the port number of the service that the protected device is providing. The standard SSH service port is 22.

    Protocol has three choices:

    1. TCP
    2. UDP
    3. Both

    SSH uses TCP.

    To IP Address is the static IP address that is assigned to the protected device, which is 10.1.1.2.

    Finally, check the checkbox for the Enable field to activate Port Forwarding for this service.

    Click the Save Settings button to complete this step.

    See the image below for reference.
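
    A review of the forwarding table before it is saved, written as an added example that is not part of the original page or of any Linksys tooling. It checks each row against the private network defined above (10.1.1.1 / 255.255.255.0) and lists what ends up reachable from the Internet. The dictionary layout, the function names and every row other than the SSH row are assumptions made for the illustration.

```python
import ipaddress

# How the Protocol choices on the Single Port Forwarding page expand on the wire.
PROTOCOLS = {"TCP": ("tcp",), "UDP": ("udp",), "Both": ("tcp", "udp")}

# The SSH row as this page fills it in.
PAGE_RULES = [
    {"application": "SSH", "external": 22, "internal": 22,
     "protocol": "TCP", "to_ip": "10.1.1.2", "enabled": True},
]

# Constructed rows (not from the page), each showing one mistake.
CONSTRUCTED_RULES = PAGE_RULES + [
    # Reuses external port 22 and, through "Both", also opens udp/22.
    {"application": "SSH-alt", "external": 22, "internal": 22,
     "protocol": "Both", "to_ip": "10.1.1.3", "enabled": True},
    # Left over from the default 192.168.1.x LAN, before it became 10.1.1.x.
    {"application": "Web", "external": 80, "internal": 80,
     "protocol": "TCP", "to_ip": "192.168.1.50", "enabled": True},
    # Points at the router's own address instead of a protected device.
    {"application": "Admin", "external": 8080, "internal": 80,
     "protocol": "TCP", "to_ip": "10.1.1.1", "enabled": True},
    # Unchecked row: forwards nothing, so it is ignored.
    {"application": "Old", "external": 23, "internal": 23,
     "protocol": "TCP", "to_ip": "10.1.1.9", "enabled": False},
]


def target_problem(target, lan, router):
    """Return why a To IP Address is unusable, or None if it is fine."""
    if target not in lan:
        return f"{target} is outside the private network {lan}"
    if target == router:
        return f"{target} is the router's own Local IP Address"
    if target in (lan.network_address, lan.broadcast_address):
        return f"{target} is the network or broadcast address of {lan}"
    return None


def audit_forwards(lan_ip, lan_mask, rules):
    """Return (exposure, problems) for a list of forwarding rows.

    exposure maps (protocol, external port) to (device IP, internal port,
    application) for every row that would actually forward traffic.
    """
    lan = ipaddress.IPv4Network(f"{lan_ip}/{lan_mask}", strict=False)
    router = ipaddress.IPv4Address(lan_ip)
    exposure, problems = {}, []
    for rule in rules:
        name = rule["application"]
        if not rule["enabled"]:
            continue
        protos = PROTOCOLS.get(rule["protocol"])
        if protos is None:
            problems.append(f"{name}: unknown protocol {rule['protocol']!r}")
            continue
        if not all(1 <= rule[k] <= 65535 for k in ("external", "internal")):
            problems.append(f"{name}: port outside 1-65535")
            continue
        try:
            target = ipaddress.IPv4Address(rule["to_ip"])
        except ValueError:
            problems.append(f"{name}: {rule['to_ip']!r} is not an IPv4 address")
            continue
        reason = target_problem(target, lan, router)
        if reason:
            problems.append(f"{name}: {reason}")
            continue
        for proto in protos:
            key = (proto, rule["external"])
            if key in exposure:
                owner = exposure[key][2]
                problems.append(f"{name}: {proto}/{key[1]} is already forwarded by {owner}")
            else:
                exposure[key] = (str(target), rule["internal"], name)
    return exposure, problems


if __name__ == "__main__":
    exposure, problems = audit_forwards("10.1.1.1", "255.255.255.0", CONSTRUCTED_RULES)
    for (proto, port), (ip, internal, name) in sorted(exposure.items()):
        print(f"OPEN     {proto}/{port} -> {ip}:{internal} ({name})")
    for problem in problems:
        print(f"PROBLEM  {problem}")
```

    With only the page's SSH row, the exposure list is the single entry tcp/22 to 10.1.1.2 and there are no problems, which is the state the Enable checkbox should produce.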

    Verify Static Configuration

    Access the Status page by clicking on Status from the navigation. Check the Router, Local Network, and Wireless Information pages to verify the following items:

    • IP Address, Subnet Mask, Default Gateway, and DNS
    • DHCP Server: Disabled
    • Wireless Mode: Disabled

    Examples are provided below. Of course your information will be different.


    Router Information Page: IP Address, Subnet Mask, Default Gateway, DNS 1 and DNS 2


    Local Network Page: DHCP Server: Disabled


    Wireless Page: Wireless Mode: Disabled

    Connecting the Router to LBNL's Network

    Power on the Linksys router.

    Take the line that is connected to LBNL's network and plug it into the Internet port on the router.

    Internet port

    Assuming that the line is an active line, the LED light for Internet on the front of the router should be lit.

    Internet LED light

    Setting up the Device for Static IP Address and DNS

    The device needs to be assigned an IP Address that is in the same local/private network as the router. This is also the IP address that you filled in during the Configuring an Open Port and Service step, which is 10.1.1.2.

    In addition to the IP address, you will also need to know the Subnet mask, Default gateway, and DNS server values to complete this step.

    The article, Assigning a static IP address on a wired computer: http://www6.nohold.net/Cisco2/GetArticle.aspx?docid=7e4956723e074191bdf33777314ddfd8_3998.xml&pid=80&converted=0, explains this process for both Windows and Macs.

    Connecting the Router and the Device

    Once the router is connected to LBNL's network and the device is set up with a static IP Address, connect the device to one of the router's four numbered (1-4) Ethernet ports with an Ethernet cable.

    See the article Connecting devices on a Linksys router: http://www6.nohold.net/Cisco2/ukp.aspx?pid=80&g=80&vw=1&articleid=3678.

    Finalize

    Having completed this configuration, your final steps are to test and verify. Instructions are found in the Testing & Verifying tab. Return to the top of the page to complete the final steps.

    Custom

    This "Custom" tab contains a how-to on a preconfigured Linksys WRT54GL v1.1 router. The two tabs, "Use Case #1 and #2", contain descriptions of how to apply the preconfigured router to the situations most likely to be encountered at LBNL.

    Reference

    Static IP Address

    For information on obtaining a static IP address, visit the LBLnet web site at https://iprequest.lbl.gov/

    Web Server Registration

    Additionally, a web server must be registered at https://register.lbl.gov/ to be seen by the outside world.

    Questions

    Please send your questions to security@lbl.gov

    Getting Started: Setting Up the Linksys Router

    Overview

    This section covers the general steps in preparing a Linksys router to serve as the guard for a device.

    For all the examples presented, the Linksys WRT54GL v1.1 router with the latest firmware 4.30.15 will be used. Instructions on how to update firmware can be found at: http://www6.nohold.net/Cisco2/ukp.aspx?pid=80&vw=1&articleid=4030.

    Configuration

    Accessing the Linksys Router's Web-based Configuration Page

    1. Power on the router.
    2. Using an Ethernet cable, connect any computer that has a wired network interface card and is configured for DHCP to one of the router's local interfaces, which are numbered 1 - 4.
    3. Verify your IP address.
      1. Your IP address should be 192.168.1.100, which is given out by the router by default.
      2. In Windows, for example, open a Command Prompt window, type in ipconfig and hit Enter.
      3. The display should be:
           IP Address........ : 192.168.1.100
           Subnet Mask....... : 255.255.255.0
           Default Gateway... : 192.168.1.1
    4. Launch a web browser from the computer connected to the router.
    5. Enter the router's IP address, which is 192.168.1.1 (default IP address of Linksys routers), into the address bar of the web browser.
    6. When prompted, enter the Password. The User Name field can be left empty.

      The default password is admin.

    The browser that you launched earlier should now be displaying the Linksys router configuration page as shown below which may differ depending on the firmware of the router.

    Example of Linksys router built-in web-based setup page.

    Reference: Accessing the router's web-based setup page http://www6.nohold.net/Cisco2/ukp.aspx?pid=80&vw=1&articleid=3676

    Disabling the Wireless

    The wireless feature of this router is not needed as part of its role of guarding a device.

    From the router's web-based configuration page, click on Wireless from the navigation and you should see the Basic Wireless Settings page as shown here.

    To disable the wireless feature, select Disabled from the drop-down menu for the Wireless Network Mode. Once Disabled has been selected, save your changes by clicking on the Save Settings button at the bottom of the page. See the example provided below.

    You will receive a confirmation message as shown below. Press Continue to return to the previous page.

    Allowing ICMP

    Allowing ICMP will help in troubleshooting issues.

    From the navigation, click on Security to get to the Firewall settings page. Confirm that the Enable radio button for Firewall Protection is selected, which is the default. If not, click on the Enable radio button.

    To allow ICMP, uncheck the box labeled Block Anonymous Internet Requests, then save the changes by clicking on the Save Settings button at the bottom of the page.

    You will receive a confirmation message as shown below. Press Continue to return to the previous page.

    Changing Administrator Password

    As stated above, the default password is "admin" for the Linksys router. To protect the router from unauthorized access, you should change the password to something other than its default.

    One recommendation is to set the router password to the serial number (S/N) of the router itself. The S/N can be located on the bottom side of the router, usually below the model number.

    Go to "Finding the Model Number of your Linksys Device", http://www6.nohold.net/Cisco2/GetArticle.aspx?docid=f5e92f12159a47e9bc1a1cbe049a9fd4_3655.xml&pid=80&converted=0 to find out more on how to locate the serial number.

    Once the serial number has been located, click on Administration from the navigation. From the Management page, enter the S/N in the Router Password field and the Re-enter to confirm field. To save, click on the Save Settings button at the bottom of the page.

    Reference: Changing the Linksys router's administrator password http://www6.nohold.net/Cisco2/ukp.aspx?pid=80&vw=1&articleid=3976.

    Disabling Remote Management

    To prevent access to the router's web-based configuration from over the Internet, confirm that the Remote Management feature is disabled, which is the default. Navigate to the Management page by clicking on Administration, then locate the Remote Router Access section and confirm that the Disable radio button is selected for Remote Management. If not, select Disable and click the "Save Settings" button at the bottom of the page.

    Disabling UPnP

    UPnP stands for Universal Plug and Play. As stated on the Linksys router management help page, UPnP is used by certain programs to automatically open ports for communication. To maintain control over the router, the UPnP feature will be disabled.

    Navigate to the Management page by clicking on Administration and then locate the UPnP section of the page. On the UPnP line, select the Disable radio button as shown in the image below.

    Click the Save Settings button to save the changes that you have made.

    For more information on UPnP, go to "Getting to know UPnP feature of Linksys routers", http://www6.nohold.net/Cisco2/ukp.aspx?vw=1&docid=a7347c8b4e6744dd96864d33ffa79694_17371.xml&pid=96&slnid=6.

    You have now completed the Getting Started stage. Your next step is to select the use case that matches your situation. There are currently two use cases:

    1. Use Case #1: No Open Ports or Services Provided
    2. Use Case #2: Open Ports and Services Provided

    Return to the top of the page to make your selection and continue with the router configuration.

    Use Case #1: No Open Ports and No Services Provided

    Overview

    This configuration assumes that the device or system being protected requires no open ports and will not provide any services.

    All the instructions are based on the assumption that Getting Started: Setting Up the Linksys Router steps were completed.

    Specifications
    The Linksys router will be configured to receive a Dynamic IP address from LBNL's DHCP server and the router will be acting as the DHCP server for the devices that are being protected by it.

    Configuration Use Case #1

    Receiving an IP address from LBNL's DHCP server Case #1

    This will allow the router to communicate on the network.

    From the router's web-based configuration page, go to the Setup page and then click on Basic Setup if not already there. Instructions are provided in the Getting Started tab under the Accessing the Linksys Router's Web-based Configuration Page section.

    For the Linksys router to be able to receive an IP address from LBNL's DHCP server, its Internet Connection Type setting must be set to Automatic Configuration - DHCP as shown in the image below. This may be set by default. If so, there is nothing you need to do; if not, choose this setting and then click the Save Settings button at the bottom of the page.

    This will allow the router to receive an IP address from LBNL's DHCP server once it is connected.


    Saving changes.

    Assigning the Router a Host Name Case #1

    Assigning the router a specific host name allows Cyber Security to locate the device and notify the owner if abnormal behavior is detected.

    From the Basic Setup page, locate the field for Host Name as shown below. By default, this field is blank.

    In the text field for the host name of the router, enter your EPO followed by "-linksys". Because the host name contains an EPO, the owner is easily identifiable and can be contacted when the need arises.

    After entering the host name, you must save the setting for it to take effect. Click on the Save Settings button located at the bottom of the page. A reference is located below.

    You should see a confirmation message of "Setting are successful" as shown below.

    Verify Router Configurations Use Case #1

    Verify that the router has a host name, is set up for DHCP configuration, router's DHCP server is on, and wireless is turned off. After these configurations are confirmed, continue with the next step, Deployment.

    Access the Status page by clicking on Status from the navigation. Check the Router, Local Network, and Wireless Information pages to verify the following items:

    • Host Name: EPO-linksys
    • Configuration Type: Automatic Configuration - DHCP
    • DHCP Server: Enabled
    • Wireless Mode: Disabled

    Examples are provided below. Of course your information will be different.


    Host Name: EPO-linksys, Configuration Type: Automatic Configuration - DHCP


    Local Network Page: DHCP Server: Enabled


    Wireless Page: Wireless Mode: Disabled

    Deployment Use Case #1

    Connecting the router to LBNL's network Case #1

    This step enables the router to request and receive an IP address from LBNL's DHCP server.

    Power on the Linksys router.

    Take the line that is connected to LBNL's network and plug it into the Internet port on the router.

    Assuming that the line is an active line, the LED light for Internet on the front of the router should be lit.

    Confirm the Router's Public IP Address Case #1

    With DHCP configuration set and the router connected to LBNL's network, it should get a public IP address.

    From the web-based configuration page, access the Status page by clicking on Status from the navigation. Check the Router Information page to verify the following items are populated:

    • Domain Name: lbl.gov
    • IP Address
    • Subnet Mask
    • Default Gateway
    • DNS 1
    • DNS 2
    • DNS 3

    Note that IP Address, Subnet Mask, Default Gateway, DNS 1, DNS 2, and DNS 3 will differ based on your physical location.
    An example is provided below. Of course your information will be different.

    Setting up the Device to Obtain an IP Address Automatically Case #1

    This step will allow the device to be protected to obtain an IP address from the router's DHCP server.

    This article describes this step for Windows and Mac OS computers: "Setting up a computer to obtain an IP address automatically" (http://www6.nohold.net/Cisco2/ukp.aspx?pid=80&vw=1&articleid=4033 ).

    Connecting the Router to Guard the Device Case #1

    Once the router is connected to LBNL's network and the device is set up for an automatic IP address, connect the device to one of the router's four numbered (1-4) Ethernet ports with an Ethernet cable.

    Article on connecting devices on a Linksys router: "Connecting devices on a Linksys router" (http://www6.nohold.net/Cisco2/ukp.aspx?pid=80&g=80&vw=1&articleid=3678 ).

    Finalize

    Having completed this stage, your final steps are to test and verify. Instructions are found in the Testing & Verifying tab. Return to the top of the page to complete the final steps.

    Use Case #2: Open Ports and Services Provided

    Overview

    This configuration assumes that the device or system being protected will allow open ports and provide services.

    All the instructions are based on the assumption that Getting Started: Setting Up the Linksys Router steps were completed.

    Specifications
    The Linksys router will be configured for a static IP address assigned by LBLnet and the router will be acting as the DHCP server for the clients that are being protected by it. For information on obtaining a static IP address, visit the LBLnet web site at https://www-lblnet.lbl.gov/ under Request & Self-Service.

    Configuration Use Case #2

    Configuring the Linksys Router Public Interface Case #2

    The Linksys router's public (Internet) interface will be assigned a static IP address.

    From the router's web-based configuration page, go to the Setup page and then click on Basic Setup if not already there.

    For the Linksys router to be configured with a static IP address, the Internet Connection Type needs to be set to Static IP. This can be done by clicking on the drop-down menu and choosing Static IP.

    After selecting Static IP, you'll see several fields appear such as:

    Internet IP Address

    Subnet Mask

    Gateway

    Static DNS 1

    Static DNS 2

    Static DNS 3

    These are all the required fields, with the exception of Static DNS 3 which is optional.

    The following steps will show you how to get the information to populate the fields.

    Internet IP Address

    Starting with the Internet IP Address field, enter the static IP that you were assigned by LBLnet. For example, 128.3.10.79.

    Subnet Mask and Gateway

    Information about LBL's Subnet Mask and Gateway can be found at http://www-lblnet.lbl.gov/ip-subnets.html.

    To get the proper Subnet Mask and Gateway address from the LBLnet page, you need to know the physical location of the device to be protected. For example, suppose the device is located in Building 50B on the 2nd floor. Search for that location in the Use column and you will find Building 50B: Computing/Graphics Lab (floors 1+2+3). To the left of the Use column are the Subnet, 128.3.10.0/23, and the Gateway, 128.3.11.1, in their respective columns.

    The /23 in 128.3.10.0/23 is the subnet mask, written as a prefix length. Translate /23 into dotted decimal notation, which is 255.255.254.0. This is the number you'll enter into the Subnet Mask field. Click on this link for a reference chart: http://www.cisco.com/web/about/ac123/ac147/images/ipj/ipj_9-1/91_ip_fig_03_lg.jpg

    For the Gateway field, enter the Gateway address of 128.3.11.1, which is in-between the Subnet and Use columns.
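
    The following Python check is an added example, not part of the original instructions. It derives the dotted-decimal mask from the /23 prefix and confirms that the example address 128.3.10.79 and gateway 128.3.11.1 share a subnet, which fails if 255.255.255.0 is entered by mistake. The function name check_static_config and its parameters are assumptions made for this example.

```python
import ipaddress


def check_static_config(subnet_cidr, ip, gateway, mask_entered=None):
    """Return (dotted_mask, problems) for a router's static public settings.

    subnet_cidr  -- the Subnet column value, e.g. "128.3.10.0/23"
    ip           -- the assigned Internet IP Address
    gateway      -- the Gateway column value
    mask_entered -- optional mask typed by hand, to catch a wrong translation
    (Hypothetical helper written for this example.)
    """
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    dotted_mask = str(net.netmask)
    host = ipaddress.ip_address(ip)
    gw = ipaddress.ip_address(gateway)
    problems = []

    # The router decides what is "local" using the mask it was actually given,
    # so a mistyped mask is evaluated as the router would see it.
    effective = net
    if mask_entered is not None and mask_entered != dotted_mask:
        problems.append(
            f"entered mask {mask_entered} does not match /{net.prefixlen} ({dotted_mask})"
        )
        effective = ipaddress.ip_interface(f"{ip}/{mask_entered}").network

    if host not in net:
        problems.append(f"{ip} is outside the assigned subnet {net}")
    if host in (net.network_address, net.broadcast_address):
        problems.append(f"{ip} is the network or broadcast address of {net}")
    if gw not in effective:
        problems.append(
            f"gateway {gateway} is not reachable from {ip} with mask {effective.netmask}"
        )
    if host == gw:
        problems.append("Internet IP Address and Gateway are the same address")
    return dotted_mask, problems


if __name__ == "__main__":
    # Values below are the example values used in the instructions above.
    for entered in (None, "255.255.255.0"):
        mask, problems = check_static_config(
            "128.3.10.0/23", "128.3.10.79", "128.3.11.1", mask_entered=entered
        )
        print(f"correct mask: {mask}; entered: {entered or mask}")
        for p in problems or ["no problems found"]:
            print("  -", p)
```

    With a /23 the gateway's third octet (11) differs from the router's (10) and both are still on the same subnet; with a /24 entered by mistake, the gateway falls outside the router's local network.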

    DNS

    To find information about LBNL's DNS, go to the Domain Name Service Configuration page at https://commons.lbl.gov/pages/viewpage.action?pageId=77825713

    There are four DNS configurations:

    1. LBNL Main Site (lbl.gov)
    2. ALS (lbl.gov)
    3. JGI-PSF Walnut Creek (jgi-psf.org)
    4. NERSC (nersc.gov).

    Choose the one that matches the physical location of the device. If the device is located in Building 50B, you'll choose to use the LBNL Main Site (lbl.gov) DNS configuration.

    For the Static DNS 1 field, enter 128.3.34.186 (Primary Name Server).
    For the Static DNS 2 field, enter 131.243.64.2 (Secondary Name Server).

    Reference

    Below is an example, for your reference, of all the information entered.

    To save your configuration, click Save Settings at the bottom of the page.

    Configuring the Linksys Router Private Interfaces Case #2

    To configure the router's private interfaces, you will define a private address space and disable the DHCP server.

    From the router's web-based configuration page, go to the Setup page and then click on Basic Setup if not already there.

    Locate the Network Setup section. To configure the private interfaces of the router, you will need to define the private IP address space by entering 10.1.1.1 in the Local IP Address field and use the Subnet Mask of 255.255.255.0. These settings will specify the private (local) network.

    Note that after setting the Local IP Address to 10.1.1.1 the web-based configuration page will now be accessed with this IP address, 10.1.1.1, and not 192.168.1.1 (default).

    Next, disable the DHCP server by clicking on the Disable radio button for DHCP Server.

    Click the Save Settings button to save your configuration. See image below for reference.

    Configuring an Open Port and Service

    This step demonstrates how to make services available over the Internet. For the purposes of this demonstration, the service that will be provided is Secure Shell (SSH).

    From the router's web-based configuration page, click on Applications & Gaming. You should now see the Single Port Forwarding page. If not, click on Single Port Forward from the sub-navigation. See image below for reference.

    Begin by entering SSH in the Application text field. For the remaining fields in the SSH row, enter the following:

    • External Port: 22
    • Internal Port: 22
    • Protocol: TCP
    • To IP Address: 10.1.1.2
    • Enable: Check

    External (Public) and Internal (Private) Ports are the port number of the service that the protected device is providing. The standard SSH service port is 22.

    Protocol has three choices:

    1. TCP
    2. UDP
    3. Both

    SSH uses TCP.

    To IP Address is the static IP address that is assigned to the protected device, which is 10.1.1.2.

    Finally, check the checkbox for the Enable field to activate Port Forwarding for this service.

    Click the Save Settings button to complete this step.

    See the image below for reference.

    Verify Static Configuration Case #2

    Access the Status page by clicking on Status from the navigation. Check the Router, Local Network, and Wireless Information pages to verify the following items:

    • IP Address, Subnet Mask, Default Gateway, and DNS
    • DHCP Server: Disabled
    • Wireless Mode: Disabled

    Examples are provided below. Of course, your information will be different.


    Router Information Page: IP Address, Subnet Mask, Default Gateway, DNS 1 and DNS 2


    Local Network Page: DHCP Server: Disabled


    Wireless Page: Wireless Mode: Disabled

    Deployment Use Case #2

    Connecting the Router to LBNL's Network Case #2

    Power on the Linksys router.

    Take the line that is connected to LBNL's network and plug it into the Internet port on the router.

    Assuming that the line is an active line, the LED light for Internet on the front of the router should be lit.

    Setting up the Device for Static IP Address and DNS Case #2

    The device needs to be assigned an IP address that is in the same local network as the router. This is also the IP address that you filled in during the Configuring an Open Port and Service step, which is 10.1.1.2.

    Article on assigning a static IP address: http://www6.nohold.net/Cisco2/GetArticle.aspx?docid=7e4956723e074191bdf33777314ddfd8_3998.xml&pid=80&converted=0

    Joining the Router to the Device Case #2

    Once the router is connected to LBNL's network and the device is set up with a static IP address, connect the device to one of the router's four numbered (1-4) Ethernet ports with an Ethernet cable.

    Need to include DNS settings for device.

    Article on connecting devices on a Linksys router: http://www6.nohold.net/Cisco2/ukp.aspx?pid=80&g=80&vw=1&articleid=3678.

    Finalize

    Having completed this configuration, your final steps are to test and verify. Instructions are found in the Testing & Verifying tab. Return to the top of the page to complete the final steps.

    Testing Public Interface

    The router will attempt to communicate with the Internet.

    From the router's web-based configuration page, go to Administration. From the sub-categories, select Diagnostics.

    From the Diagnostics page, you will execute a Ping Test. This will verify that the router is configured and connected correctly to communicate with the public network (the Internet).

    Click on the button labeled Ping. See below for reference.

    The Ping Test form page will pop up. In the IP Address or Domain Name form field, enter pop.lbl.gov. Set the Number of times to Ping to 5 (default).

    Click the Ping button to start the test. See below for reference.

    Wait for a few seconds for the test to complete. If successful, there should be a summary of results like what is shown below.

    If nothing happens after 30 seconds or your results are different from what is shown above, there may be a configuration and/or a physical connection problem. Try running the Ping Test again. If you are still not receiving the desired results after the second test, go to http://help.lbl.gov or email help@lbl.gov.

    Verifying Protection

    Now that the router is configured and the device is being protected, contact Cyber Security to perform a scan by completing and submitting the form below.

    Request a Scan

    Cyber Security can perform an individual assessment on one or more systems for you. Simply use the form below to submit your request. No account number is needed. A confirmation e-mail will be sent before the scan begins. Once the scan has completed, full results will be e-mailed to the requester.

    Disclaimer: A security scan in no way represents a CPP guarantee of system security or integrity.

    If there are any questions, concerns, or comments, please contact Cyber Security at security@lbl.gov.