Grande Vitesse Systems - Media Server Product Family
GVS9000 Firewall Application


Introduction: This document provides an overview of the GVS9000 Firewall, covering its key features, functions and benefits, so that professionals can judge what the product does and whether it fits their organization.

Overview: The GVS9000 Firewall is a cutting-edge network security solution designed to safeguard critical digital assets and protect against unauthorized access, data breaches, and other cybersecurity threats. Developed with advanced technology and robust security measures, this firewall offers comprehensive protection for modern business networks.

Key Features:

Advanced Threat Detection: The GVS9000 Firewall employs state-of-the-art threat detection mechanisms, including deep packet inspection and intrusion prevention systems, to proactively identify and mitigate potential threats in real time.

Granular Access Control: With its granular access control capabilities, the GVS9000 Firewall enables organizations to define and enforce fine-grained access policies, ensuring that only authorized individuals or systems can access specific network resources.

VPN Connectivity: The firewall supports secure Virtual Private Network (VPN) connectivity, enabling remote workers and branch offices to establish encrypted connections to the corporate network, ensuring secure data transmission across various locations.

Application Filtering: GVS9000 Firewall incorporates robust application filtering capabilities, allowing administrators to control and manage the usage of specific applications, enhancing network security, and optimizing bandwidth allocation.

Centralized Management: The firewall offers a centralized management console, simplifying the configuration and monitoring of multiple firewall instances across the network. This centralized approach streamlines administrative tasks and enhances overall network security.

Benefits:

Enhanced Security: The GVS9000 Firewall's advanced threat detection mechanisms, access control features, and application filtering capabilities collectively fortify network security, minimizing the risk of cyberattacks and data breaches.

Improved Productivity: By effectively managing and controlling network resources, the firewall optimizes bandwidth allocation and ensures that critical applications receive priority, resulting in improved productivity and seamless user experience.

Regulatory Compliance: The GVS9000 Firewall assists organizations in meeting regulatory requirements by implementing stringent security measures, protecting sensitive data, and maintaining compliance with relevant industry standards.

Scalability and Flexibility: Designed to accommodate the evolving needs of organizations, the firewall offers scalability and flexibility, enabling seamless integration with existing network infrastructure and supporting future growth.

Conclusion: The GVS9000 Firewall is a robust and comprehensive network security solution that provides organizations with advanced threat detection, granular access control, VPN connectivity, application filtering, and centralized management capabilities. By deploying this firewall, organizations can enhance their network security posture, improve productivity, achieve regulatory compliance, and effectively manage their network resources.

What operating system does GVS9000 require?

None. It includes its own operating system.

How much hard disk space does GVS9000 require?

None. It doesn't use a hard disk. GVS9000 boots and runs from a media diskette.

What hardware is required to run GVS9000?

  Intel compatible and AMD CPUs
  8 GB (minimum), 16 GB (preferred) RAM
  3.5" SAS disk drive
  2 network cards (10 Gb, 1000 Mb or FDDI)
  Basic VGA display card
  Keyboard (only required for configuration)
  Monitor (only required for configuration)
  Serial port
Optional
  Additional network card for the Private Service network
  Serial ports COM 1-4
  Modem (external or internal) for connection
  Email notification
  DSL, T1, T3 and higher connection
Supported Network Cards
10 Gbps Ethernet Cards
  3Com EtherLink
  3Com 3c 3 EtherLink XL PCIe
  IBM Ethernet II PCMCIA (NS chipset)
  Intel 10G PRO/10+ (PCIe only)
  Novell compatibles
  Olicom OC-2183/2185
  VMware I/O support
  SMC EtherPower series
1000 Mbps Ethernet Cards
  Accton ENI1203
  ASUS PCI-L101-TB
  3Com 3c595 EtherLink XL PCI
  Compex CPXPCI/32C
  D-Link
  Intel EtherExpress PRO/100B, PRO/100+
  Intel EtherExpress
  Linksys EtherPCI
  Mylex LN 10G
  SMC EtherPower 10GB (SMC 9432)
FDDI
  DEC PCI FDDI Adapter (SAS & DAS MMF, SAS UTP)

What kind of network topographies does GVS9000 support?

10 Gbps Ethernet, 100 Gbps Ethernet (100GB-TX), FDDI (UTP, SAS fiber and DAS fiber) and PPP (DSL and async modems). The GVS9000 also supports cable modems and xDSL devices attached to the External network interface.

How many network connections does GVS9000 support?

32,000 simultaneous connections.

What kind of performance does GVS9000 offer?

GVS9000 is fast, but since we know of no reasonable tests for comparison, we have no meaningful measurements. If you have a test, let us know and we will run it, or download a copy of GVS9000 and see how fast it is first hand.

What kinds of user licenses are available?

GVS9000 has an unlimited user license.

Can GVS9000 support application XYZ?

GVS9000 is transparent to standard TCP and UDP applications. GVS9000 also supports difficult applications that require both inbound and outbound connections, such as:
  FTP (normal and PASV)
  RealAudio/RealVideo
  Vxtreme
  Vosaic
  CU-SeeMe
  StreamWorks
  VDOLive
  VIVOActive
  TrueSpeech
  NTT AudioLink
  NTT SoftwareVision
  RTSP applications
  Yamaha MIDPlug
  Microsoft PPTP
  Microsoft NetShow
  ICQ
  Quake II
  Net2Phone
Other difficult application protocols are constantly being added, so please check the GVS9000 website https://www.GVSX.com for updates.

Is GVS9000 a firewall?

Yes. GVS9000 is the technological outgrowth of GTA's ICSA (formerly NCSA) certified GFX Internet Firewall System. Although the GVS9000 doesn't have all the features and functionality of its parent, it retains the stateful transparent packet inspection technology of the GFX system. In its default configuration the GVS9000 does not accept unsolicited connections from the External network. The GVS9000 is an "in-band proxying firewall", which means that TCP and UDP-based applications can pass packets transparently through the GVS9000 system without needing modified (special) clients or servers. The term "proxy" is used because the GVS9000 monitors all communication levels, including the application level.
GVS9000 is an ICSA (formerly NCSA) certified firewall product.

What is the network configuration of the GVS9000?

In its basic configuration the GVS9000 supports two network interfaces. An additional network card can be added to create the optional Private Service network.
In the PPP configuration, the GVS9000 uses an RS-232 interface attached to an async modem or ISDN TA as the External network interface. Any of the other network types are supported on the two remaining network interfaces (Protected or Private Service network).

What is the External Network?

The External network is the unprotected network, for which no network address translation is performed. The External network is typically connected to the Internet; however, GVS9000 can also be used internally on private networks as an intranet firewall. If connected to the Internet, the External interface must have a registered IP address. GVS9000 provides no security for hosts located on the External network.

What is the Protected Network?

The Protected network is the network hidden behind the GVS9000 system. The term Protected network is used throughout this manual to refer to the network directly connected to the GVS9000 system; all features and attributes associated with this network also apply to all networks connected to the Protected network. All hosts and IP addresses used on this network are hidden from the External and Private Service networks. Hosts on the Protected network are not by default accessible from the External network or the PSN. The Tunnel facility can be used to allow external access to hosts and services on this network.

What is the PSN Network?

The Private Service Network (PSN), also often known as a DMZ network, is an optional service network that is located logically between the External network and the Protected network. The PSN isn't actually between the Protected and External networks, but nearly at a peer level with the Protected network. The PSN, however, is untrusted by the Protected network, and by default no unsolicited packets are allowed to pass from the PSN to the Protected network. All hosts on the PSN are hidden from the External network, but completely accessible from the Protected network.
The PSN is used in conjunction with the Tunnel facility to allow external access to hosts and services such as web servers, FTP servers and email servers. By tunneling to a server on the PSN, an organization can allow public access to services while maintaining network security for the Protected network.
To create a PSN, add and configure a third supported network card in your GVS9000. Since the PSN is hidden, unregistered IP addresses can be used.

What is the External Network Interface?

The External network interface is the network device attached to the External network (typically the Internet). The External network interface requires a registered or legitimate IP address if attached to the Internet; only one registered IP address is required for the GVS9000 system. The External network interface can have up to 300 IP addresses using IP Aliasing.

What is the Protected Network Interface?

The Protected network interface is attached to the Protected network. Any supported network device may be used, with the exception of the PPP device. The Protected network interface does not require a registered IP address (RFC 1918 private addresses are recommended). The IP Aliasing facility may be used on the Protected network interface, with a maximum of 300 IP aliases.

What is the PSN Network Interface?

The Private Service network (PSN) interface is optional. Any supported network device may be used, with the exception of the PPP device. If you plan to offer public access to servers such as a web server, it is highly recommended that you install a PSN interface. For many configurations of the GVS9000 a PSN may not be required, such as on intranets or for outbound access only. The PSN interface does not require a registered IP address (RFC 1918 private addresses are recommended). The IP Aliasing facility may be used on the PSN interface, with a maximum of 300 IP aliases.

What is a Tunnel?

A Tunnel is a GVS9000 facility that allows a host on the External or PSN network to initiate a TCP, UDP or ICMP session with an otherwise inaccessible host (on the PSN or Protected network) for a specific service. This is done by mapping a visible IP address and port (service) to a target IP address and port (service). The mapping can be performed for all services (host-to-host tunneling) or, more typically, for a given service. Common tunnels include SMTP (email), FTP, HTTP, SQLnet and telnet. Tunnels can be created to hosts on both the PSN and the Protected network. Only three types of tunnels can be created:
  1. From an IP address+port assigned to the External NIC (can be an IP alias) to a host IP address+port on the Private Service network.
  2. From an IP address+port assigned to the External NIC (can be an IP alias) to a host IP address+port on the Protected network.
  3. From an IP address+port assigned to the Private Service NIC (can be an IP alias) to a host IP address+port on the Protected network.
Note that a Tunnel only defines the mapping; a Remote Access filter must also accept the packet, otherwise the implicit deny rule blocks it.

What is IP Aliasing?

An IP Alias is the GVS9000 facility that allows any network interface to have multiple IP addresses assigned. This facility is useful if multiple targets on the PSN or Protected network are required for the same service (port) via the Tunnel facility (e.g. multiple web servers). GVS9000 supports 300 aliases, which can be applied to any network interface. All IP aliases must be registered or legitimate IP addresses if used on the External network interface (connected to the Internet), although they need not be from the same network.

What is NAT?

Network Address Translation, or NAT, is one of the primary features of the GVS9000 system. The NAT facility is always active by default. NAT is applied to outbound packets only:
  1. Outbound packets from the Protected network to the External network
  2. Outbound packets from the Protected network to the PSN
  3. Outbound packets from the PSN to the External network
The NAT facility can be bypassed via the IP Pass Through facility if desired. NAT is available in two forms: dynamic translation and static translation. The default form is a dynamic many-to-one scheme, in which packets from all IP addresses on the source network (PSN or Protected) have their source IP address translated to an IP address assigned to the outbound NIC (External or PSN). This means:
  1. Any packet originating from the Protected network destined for a host beyond the External NIC has its source IP address translated to the IP address of the External NIC.
  2. Any packet originating from the Protected network destined for a host beyond the PSN NIC has its source IP address translated to the IP address of the PSN NIC.
  3. Any packet originating from the PSN destined for a host beyond the External NIC has its source IP address translated to the IP address of the External NIC.
The other form of NAT is a static translation method, referred to in the GVS9000 system as Mapping or static mapping. The Mapping facility allows the GVS9000 administrator to specify a static address scheme such that a given address, network or subnet is mapped to a specific IP alias assigned to a specific network interface. Since dynamic NAT translates to the real IP address of the NIC by default, Mapping is only useful if you have assigned one or more aliases to the target NIC.

Maps are assigned by associating a source address or addresses with an alias assigned to a particular network interface (PSN or External). A netmask (not to be confused with the assigned network netmask) is ANDed with the specified source IP address to yield an IP number that is used for comparison when applying static mapping.

What is Mapping?

Mapping is a GVS9000 facility that allows an internal IP address or subnet to be statically mapped to an external IP address during the network address translation process. Typically, mapping is used with targets on the External network interface. Mapping is not useful unless IP aliases have been assigned to the target network interface, since by default all IP addresses on the Protected network are dynamically translated to the real IP address of the outbound network interface. This release supports 300 static maps.

What is IP Pass Through?

IP Pass Through is essentially the GVS9000 term for "no network address translation." By default, all packets passing outbound through the GVS9000 (to destinations beyond the External or PSN network interfaces) have NAT applied. The IP Pass Through facility overrides that default so that specific packets pass through the GVS9000 without NAT. The system creates IP pass-through tunnels, which are selected by user-designated originating IP addresses. These designated addresses can be networks, subnets or individual hosts on either the PSN or the Protected network.
IP pass-through can be applied selectively based on the destination of the packets: the facility lets you specify which network interface(s) will not have NAT applied for a designated address. For example, it is possible to apply IP pass-through to packets destined for a host beyond the PSN NIC while packets for a host beyond the External NIC still have NAT applied.
The IP Pass Through facility can be defined to operate in the following configurations:
  1. For packets from a host(s) on the Protected network outbound through the PSN and External NICs.
  2. For packets from a host(s) on the Protected network outbound through the PSN NIC only.
  3. For packets from a host(s) on the Protected network outbound through the External NIC only.
  4. For packets from a host(s) on the PSN outbound through the External NIC only.
By default, IP pass-through designated addresses are configured for outbound use only. This default does not allow unsolicited inbound connections to be accepted. State is kept for IP pass-through sessions originated by hosts on the PSN or Protected network, so that only IP packets that are replies to the initiated connections are accepted. If the protocol calls for a secondary inbound connection from the external host back to the originating internal host, a "virtual crack" is opened to allow that secondary connection. This allows protocols such as FTP to be used without permitting arbitrary inbound connections.
IP pass-through designated addresses can also be configured to allow arbitrary external inbound connections to be initiated if desired. When configured to allow such inbound connections, IP Pass Through filters must be created to control inbound access.
IP pass-through and NAT can operate at the same time; however, a clear understanding of TCP/IP networking is a must, since these configurations can become complex and difficult to understand.

How do I control Access?

Filters are the facility that controls network access through and to the GVS9000. Filter rules are applied to all IP packets that are received by, or are to pass through, the GVS9000 system. The GVS9000 system supports three types of filters: Remote Access Filters, Outbound Filters and IP Pass Through Filters. The built-in implicit rule of the GVS9000 system is "that which is not expressly permitted is denied." Therefore, if no filters of any type were defined, no packets would be allowed to flow to or through (inbound or outbound) the GVS9000 system.
Basic GVS9000 Filter Concepts
  1. Filter order is important because IP packets are processed against a filter set sequentially. Arrange your filters in the proper order, otherwise you may not achieve the desired result; a broad Accept placed before a narrow Deny makes the Deny unreachable.
  2. Filters are boolean in nature; they can only accept or deny a packet.
  3. Outbound Filters control access to IP addresses that reside beyond the External network interface from hosts on the Protected and PSN networks.
  4. Outbound Filters also control access to IP addresses that reside beyond the PSN network interface from hosts on the Protected network.
  5. Remote Access Filters control access for packets directed at one of the IP addresses assigned to any GVS9000 network interface.
  6. A Remote Access filter must be in place before a Tunnel can be accessed.
  7. IP Pass Through filters control access, both inbound and outbound, to IP Pass Through designated IP addresses, networks, subnets or hosts.
Each type of filter set may have up to 400 filters.
Each packet is compared to the appropriate filter set (Remote Access, Outbound or IP Pass Through), starting at filter number one in that set. The comparison proceeds sequentially against each filter until one of two events occurs:
  1. A filter is matched, in which case the packet is either accepted or denied based on the filter definition, and any filter actions associated with the filter are performed. No further comparisons are performed.
  2. No filter is matched and the filter list is exhausted. In this case the packet is rejected.

What comparison parameters are used with filters?

All types of filters (Remote Access, Outbound and IP Pass Through) use the same filter definition specifications and comparison parameters. The parameters used to perform the filter comparison are:
Source IP Address: The Source IP Address is used in conjunction with the Source Netmask to yield an IP number for comparison with the source IP address of the packet being filtered. The Source Netmask is logically ANDed with the packet's source address, and the result is compared to the masked Source IP Address parameter.
Source Netmask: The source netmask used in filter definitions should not be confused with the "network netmask"; they have no relation whatsoever. The source netmask is ANDed with the Source IP Address to yield the set of host IP addresses the filter covers. A netmask of 255.255.255.255 (all ones) ANDed with an IP address yields only that specific address. A netmask of 255.255.255.0 yields a set of 256 addresses.
Source Port: The source port can be a single port, multiple ports or a range of ports. The specified Source Port(s) are compared to the source port of the IP packet to see if a match exists. If no Source Port is specified, any source port is accepted. Typically the source port for most client protocols is a random value above 1024.
Destination IP Address: The Destination IP Address is used in conjunction with the Destination Netmask to yield an IP number for comparison with the destination IP address of the packet being filtered. The Destination Netmask is logically ANDed with the packet's destination address, and the result is compared to the masked Destination IP Address parameter.
Destination Netmask: The destination netmask used in filter definitions should not be confused with the "network netmask"; they have no relation whatsoever. The destination netmask is ANDed with the Destination IP Address to yield the set of host IP addresses the filter covers. A netmask of 255.255.255.255 (all ones) ANDed with an IP address yields only that specific address. A netmask of 255.255.255.0 yields a set of 256 addresses.
Destination Port: The destination port can be a single port, multiple ports or a range of ports. The specified Destination Port(s) are compared to the destination port of the IP packet to see if a match exists. If no Destination Port is specified, any destination port is accepted. Destination ports are often called services, since well-known services have been assigned dedicated port numbers. Historically, well-known services (typically those provided by servers) were assigned ports below 1024. With the explosive growth of the Internet this limited range has been used up, and newer services have ports assigned outside it.
Network Interface: The network interface parameter allows a filter to specify which network interface the packet must have arrived on in order to be matched. The valid values are:
EXT - External Network interface
PRO - Protected Network interface
PSN - Private Service Network interface
ANY - Any network interface
Protocol: This parameter allows a particular IP protocol to be matched. The valid values are TCP, UDP, ICMP, ALL, and any protocol a user has added to the user-specified protocol list. If ALL is specified, no ports (source or destination) may be specified. User-specified protocols can only be used with a Deny filter, since GVS9000 only supports and routes TCP, UDP and ICMP. The current use of user-specified protocols is to stop noisy but benign protocols (which are implicitly blocked anyway) from filling up the log files; this is done by creating a Deny filter with the "nolog" option selected.
Time: Although not a comparison parameter, time of day and day of the week are used to enable or disable a filter if a Time Group has been assigned to it.
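The two sections above (How do I control Access? and the comparison parameters) describe a classic first-match packet filter. The following is an added example, not GVS9000 code, that implements that evaluation model in Python: each filter carries the address+netmask pairs, port ranges, arriving interface and protocol from the list above, the set is walked from filter one, the first match decides, and an exhausted set means deny. The interface names EXT/PRO/PSN/ANY and the nolog option are taken from the FAQ; the addresses, the three Outbound filters and the packet dictionary layout are constructed for the example.

```python
# Added example, not GVS9000 code: a first-match filter set using the comparison
# parameters the FAQ lists (source/destination address ANDed with a filter
# netmask, port lists or ranges, arriving interface, protocol) plus the implicit
# "that which is not expressly permitted is denied" rule when the set is
# exhausted. Addresses, interface names and the filters are constructed here.
import ipaddress
from dataclasses import dataclass


def masked(ip: str, mask: str) -> int:
    """AND a filter netmask (not the interface netmask) with an address."""
    return int(ipaddress.ip_address(ip)) & int(ipaddress.ip_address(mask))


def in_ports(port, ranges) -> bool:
    """True when `ranges` is empty (any port) or some (lo, hi) range holds `port`."""
    return not ranges or any(lo <= port <= hi for lo, hi in ranges)


@dataclass(frozen=True)
class Filter:
    action: str                 # "ACCEPT" or "DENY"
    proto: str = "ALL"          # TCP, UDP, ICMP or ALL
    iface: str = "ANY"          # EXT, PRO, PSN or ANY: interface the packet arrived on
    src: str = "0.0.0.0"
    src_mask: str = "0.0.0.0"   # all-zero mask matches every source address
    dst: str = "0.0.0.0"
    dst_mask: str = "0.0.0.0"
    sports: tuple = ()          # ((lo, hi), ...); empty means any port
    dports: tuple = ()
    nolog: bool = False         # the "nolog" option used to silence noisy denies

    def __post_init__(self):
        # The FAQ's constraint: no ports may be given when protocol is ALL.
        if self.proto == "ALL" and (self.sports or self.dports):
            raise ValueError("ports may not be specified when protocol is ALL")

    def matches(self, pkt: dict) -> bool:
        return (
            (self.iface == "ANY" or pkt["iface"] == self.iface)
            and (self.proto == "ALL" or pkt["proto"] == self.proto)
            and masked(pkt["src"], self.src_mask) == masked(self.src, self.src_mask)
            and masked(pkt["dst"], self.dst_mask) == masked(self.dst, self.dst_mask)
            and in_ports(pkt.get("sport", -1), self.sports)
            and in_ports(pkt.get("dport", -1), self.dports)
        )


def evaluate(filters, pkt: dict):
    """Walk the set from filter one; return (verdict, matching index or None, log?)."""
    for i, f in enumerate(filters):
        if f.matches(pkt):
            return f.action, i, not f.nolog     # first match wins, no further comparisons
    return "DENY", None, True                   # implicit rule: list exhausted, packet rejected


# Constructed Outbound filter set for the Protected network (PRO): one
# workstation may only do DNS, everyone else may do DNS and web, nothing else.
OUTBOUND = (
    Filter("ACCEPT", proto="UDP", iface="PRO", src="10.0.0.0", src_mask="255.0.0.0", dports=((53, 53),)),
    Filter("DENY", iface="PRO", src="10.0.1.50", src_mask="255.255.255.255"),
    Filter("ACCEPT", proto="TCP", iface="PRO", src="10.0.0.0", src_mask="255.0.0.0", dports=((80, 80), (443, 443))),
)


def verdict(filters, src, dst, proto, dport=None, iface="PRO"):
    """Build a packet and return only the accept/deny decision."""
    pkt = {"src": src, "dst": dst, "proto": proto, "iface": iface, "sport": 40000}
    if dport is not None:            # ICMP carries no ports
        pkt["dport"] = dport
    return evaluate(filters, pkt)[0]
```

Evaluating OUTBOUND[::-1] (the same three filters in reverse order) lets the blocked workstation reach web ports, because the broad TCP Accept is now consulted before the host-specific Deny. That is the order-sensitivity point 1 of the filter concepts warns about, and it is worth checking every time a filter is inserted rather than appended.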

What is a Filter Action?

Filter Actions are not comparison parameters; they are actions executed when the associated filter is matched. The Filter Actions are:
Email - An email message is generated that includes information about the IP packet which matched the filter, a timestamp of the event and DNS name resolution (if a DNS server has been defined to the GVS9000 and the IP address can be resolved). It is sent to the email address defined in the email preferences section, typically the firewall administrator. If multiple hits on the filter occur within a short span of time, all packets are detailed in a single email message. A maximum of 50 events is recorded per email message, so multiple messages may be generated.
Stop Interface - This action should be used with extreme caution. If the associated filter is matched, the network interface on which the packet arrived is shut down. No further packets are received on, or sent out of, that interface. User intervention is required to bring the interface back up, either by a system reboot or via the Interfaces dialog on the Command Console user interface or the web browser user interface. Because any host that can send a matching packet can take the interface down, treat this action as a denial-of-service risk and reserve it for conditions where losing connectivity is preferable to continuing.
Pager - This filter action requires an optional modem attached to one of the supported serial interfaces (COM 1-4). The modem must be dedicated to the pager function and may be either an external or an internal modem card. Only numeric pagers are supported. Because pager systems vary from country to country, there is no guarantee that the pager function will operate in all countries.
If the associated filter is matched and the optional pager facility has been enabled and configured (via the preference dialog), the defined numeric pager message is sent by calling the defined telephone number via the pager modem.
SNMP Trap - This filter action generates a generic SNMP trap and sends it to an SNMP management station when the associated filter is matched. The SNMP option must be enabled (via the preference dialog) for this action to operate. The SNMP management station is defined on the SNMP option dialog screen.
Generate ICMP - This filter action generates a "service unavailable" ICMP message to the source IP address of the packet that matched the associated filter.
Filter Action Notes
  1. Filter actions are not mutually exclusive, so you may select none, one or all of the actions on a given filter.
  2. It is important to understand clearly what each filter action does, since some actions can be rather severe (i.e. Stop Interface).
  3. Filter actions can be selected on both Accept and Deny filters.

What is a Remote Access filter?

Remote Access Filters control the access of packets directed at an IP address (including IP aliases) assigned to any of the network interfaces on the GVS9000 system. Remote Access Filters are primarily used to control access to Tunnels, since the source side of a tunnel is always an IP address assigned to a GVS9000 network interface (EXT or PSN). Remember that a Tunnel is only a conduit that associates a protocol, an IP address assigned to a GVS9000 NIC and a port number with an internal IP address (on the PSN or Protected network) and port number. The Remote Access filter is the facility that accepts or denies access to the Tunnel.
Remote Access filters also process packets destined for services on the GVS9000 itself, such as the web browser user interface and the proxy services (email and URL blocking) if enabled. A maximum of 400 Remote Access filters is allowed.

What is an Outbound filter?

Outbound Filters control the access of packets directed to IP addresses on the External network (typically the Internet) and to the PSN (if one exists). As mentioned previously, the implicit filter rule "that which is not expressly permitted is denied" applies to outbound packets as well as inbound packets. When the GVS9000 is initially configured, default Outbound filters are created. The default Outbound filter allows all IP addresses on the Protected network to access any IP address and any service external to the Protected network. If a PSN network interface exists, an Outbound filter is also created that allows all access to the External network (typically the Internet) from the PSN. These filters can be modified or deleted to suit the local network security policy for external network access.
To allow only specific external services to be accessed, simply remove the default Outbound filter(s) and add filters for the allowed services. Any packet destined for a service not matching the allowed services is rejected by the implicit rule. GVS9000 supports 400 Outbound Filters.

What is an IP Pass Through filter?

IP Pass Through Filters control access to and from IP addresses that have been designated as IP pass-through addresses. IP Pass Through filters, although similar to the other two filter types (Remote Access and Outbound), are a bit different, since they control both inbound and outbound access to and from the designated IP Pass Through addresses. Since IP pass-through addresses are not translated, the GVS9000 functions as a gateway for these addresses, and therefore IP Pass Through Filters use the IP Pass Through addresses in their definitions, not GVS9000 NIC addresses.
If IP pass-through hosts/networks are defined, pressing the "Default" button on the IP Pass Through filter screen creates a set of filters based on the IP pass-through addresses defined. Since IP pass-through hosts/networks can be defined in a variety of combinations, the default filters vary according to the options selected. These generated filters are quite general and should be modified to match your security requirements. 400 IP Pass Through filters are allowed.

How does DNS operate with GVS9000?

Since the GVS9000 system provides network transparency for users on the Protected and PSN networks, all outbound DNS queries operate normally. Users on the Protected and PSN networks may use an external DNS server for address resolution; however, it cannot be used to resolve protected hosts. Since the GVS9000 system hides all network addresses on both the Protected and PSN networks, providing DNS information about internal hosts to the External network is pointless, as none of the IP addresses on these networks are directly accessible from the External network. GVS9000 does not include a DNS server that runs on the system, but it can use a remote DNS server for IP address resolution. When a DNS server is defined on the GVS9000 system, many of the GVS9000 facilities will then accept both hostnames and IP addresses. If you have an internal DNS server, it is suggested that the GVS9000 use it for IP address resolution; otherwise any external DNS server can be used.

What about VPN support?

The GVS9000 system provides transparent operation of many VPN implementations. Two of the most common VPNs, Microsoft Corporation's PPTP and Data Fellows SSH, are supported transparently. Other VPN solutions, such as hardware-based systems, typically operate transparently with the GVS9000 system.

How do I set up Microsoft's PPTP VPN to work with GVS9000?

Read the online tutorial PPTP and GVS9000. This tutorial contains links to many excellent documents on PPTP and links to PPTP resources.

How is Network Address Translation (NAT) implemented on the GVS9000?

The NAT facility used in the GVS9000 system is always active and is available in two forms: dynamic translation and static translation. The default NAT form is a dynamic many-to-one scheme, in which all IP addresses located on the Protected network (and all connected networks attached to it) and the PSN are translated to a single IP address. This single IP address is the primary address of the External network interface. The other form of NAT that is available is a static translation method, referred to in the GVS9000 system as Mapping. The Mapping facility allows the GVS Box administrator to specify a static mapping address scheme, such that a given address or subnet is mapped to a specific IP address assigned (aliased) to the External network interface.
The GVS9000 performs an automatic many-to-one translation. All packets passing through the GVS9000 with a destination somewhere on the external network (Internet) are translated so that their source IP address is that of the external network interface. Simply put, all packets appear to come from the external network interface. When the reply packets return to the external network interface of the GVS9000, they are inspected, validated and translated back to the address of the originating host on the Protected network.

How do I allow someone on the Internet to access my web server?

The recommended method is to place your web server on the GVS9000's PSN network. Then create a Tunnel from port 80 on the external network interface of the GVS9000 to port 80 (HTTP/web server) of your web server on the PSN network. The Tunnel will only allow connections to the port you specify, so you only expose the services you desire.
If you are not on the Internet, or have some degree of trust in the external network, you can create a Tunnel to your web server on the Protected network. Once again, the Tunnel will only allow access to the specified port (service) on the target host.
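As an added example (not GVS9000 code), the dynamic many-to-one translation and the port-80 Tunnel described in the two answers above modelled in Python: outbound packets leave with the External NIC address and are remembered, replies are validated against that table and translated back, a static Tunnel forwards one exposed external port to a PSN host, and any other unsolicited inbound packet is dropped. All addresses, ports and the per-flow port allocation are constructed assumptions, not the product's actual scheme.

```python
from dataclasses import dataclass
EXTERNAL_IP = "203.0.113.10"  # constructed: primary address of the External NIC
PSN_WEB = ("192.0.2.80", 80)  # constructed: web server on the PSN, Tunnel target

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class Nat:
    def __init__(self, external_ip, tunnels, first_port=40000):
        self.external_ip = external_ip
        self.tunnels = dict(tunnels)  # external port -> (inside host, port)
        self.next_port = first_port   # assumed per-flow port allocation
        self.out = {}                 # (src, sport, dst, dport) -> external port
        self.back = {}                # (external port, dst, dport) -> (src, sport)

    def outbound(self, pkt):
        # Many-to-one: every outbound packet leaves with the External NIC address.
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        port = self.out.get(key)
        if port is None:              # new flow: allocate a port and remember it
            port = self.next_port
            self.next_port += 1
            self.out[key] = port
            self.back[(port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return Packet(self.external_ip, port, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        # Translate a reply or a Tunnel packet back inside; None means dropped.
        if pkt.dst != self.external_ip:
            return None
        entry = self.back.get((pkt.dport, pkt.src, pkt.sport))
        if entry is not None:         # validated reply to a tracked outbound flow
            return Packet(pkt.src, pkt.sport, entry[0], entry[1])
        target = self.tunnels.get(pkt.dport)
        if target is not None:        # static Tunnel: only the exposed port is reachable
            self.out[(target[0], target[1], pkt.src, pkt.sport)] = pkt.dport
            return Packet(pkt.src, pkt.sport, target[0], target[1])
        return None                   # unsolicited inbound packet: drop

def demo():
    nat = Nat(EXTERNAL_IP, {80: PSN_WEB})
    out = nat.outbound(Packet("10.0.0.5", 51000, "198.51.100.7", 443))
    reply = nat.inbound(Packet("198.51.100.7", 443, EXTERNAL_IP, out.sport))
    web = nat.inbound(Packet("198.51.100.9", 33333, EXTERNAL_IP, 80))
    web_reply = nat.outbound(Packet(PSN_WEB[0], 80, "198.51.100.9", 33333))
    blocked = nat.inbound(Packet("198.51.100.9", 33333, EXTERNAL_IP, 22))
    return out, reply, web, web_reply, blocked
```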

How can I receive E-mail through the GVS9000?

  1. External mail server
    In this scenario, the mail server is external to the GVS9000. Since the GVS9000 is transparent to internal users, a host on the Protected network can connect normally to the mail server as it would on any network. Many PC/Mac systems use the POP3 protocol for receiving email and SMTP for sending it.
  2. Mail server on PSN
    This is a good choice, as the mail server is protected from the external network and only receives connections from the external network for mail deliveries. The mail server, however, is completely accessible to the users on the Protected network for sending and receiving email. In this configuration a Tunnel is created that allows a connection to the mail server on the PSN.
  3. Internal mail server
    This configuration should be implemented with caution, especially when the external network is the Internet. Although the mail server is only listening for inbound mail deliveries, any time you allow even the slightest access from an untrusted network you are exposing your network to possible unauthorized intrusion. In this configuration a Tunnel is created that allows a connection to the mail server on the Protected network.

How do I install GVS Box?

GVS9000 boots and runs from a 3.5" 1.44MB media diskette (no hard disk is required). The GVS9000 runtime and the utilities to create the boot disk are supplied on a CD-ROM (ISO 9660 format), which should be readable by most modern computer systems (DOS/Win, Macintosh, and Unix). The procedure varies depending upon what kind of system you use to create the GVS9000 boot media diskette; however, the steps are generally the same:
  1. Transfer the GVS9000 runtime disk image to a formatted media diskette (use one of the GVSBox utility programs).
  2. Insert the GVS9000 diskette into the target hardware platform (your GVS9000 system).
  3. Boot the system.
  4. From the GUI interface, assign IP addresses, netmasks, and options on your network interfaces. Set the default route. Press save.
  5. The system will complete the booting process into full runtime mode.
  6. Make any modifications or additions via the web browser interface.

What about logging?

The GVS9000 supports the Unix syslog logging facility. The syslog facility can be configured on the GVS9000 to send logging information to a host capable of receiving and processing syslog data. The GVS9000 sends unauthorized access attempts, system notices, connection open and close events, and error conditions to the log host. The log priority level, facility, and information to be logged are configurable.
If you would like to use a Win95/NT system to receive remote logging data, use the GVS9000 remote log client. This client is included in the GVS Box installer package. It is also available separately on the GVS9000 ftp server: syslog.zip
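An added example (not GVS9000 or log-client code) of what a log host can do with the records described above: parse the BSD-syslog PRI field into facility and severity, keep only records from the firewall on the facility it was configured to log to, and tally unauthorized access attempts per source address. The sample lines, the hostname, the message wording and the facility number (16, local0) are constructed assumptions; the GVS9000's real message text is not documented on this page.

```python
import re
from collections import Counter

# Constructed BSD-syslog (RFC 3164) lines as a log host might receive them; the
# GVS9000 message wording, hostname and addresses are invented for illustration.
SAMPLE_LOG = """\
<132>Mar  3 10:01:07 gvs9000 fw: unauthorized access attempt from 198.51.100.7:33112 to 203.0.113.10:23
<134>Mar  3 10:01:09 gvs9000 fw: open connection 10.0.0.5:51000 -> 198.51.100.9:443
<134>Mar  3 10:01:12 gvs9000 fw: close connection 10.0.0.5:51000 -> 198.51.100.9:443
<132>Mar  3 10:01:15 gvs9000 fw: unauthorized access attempt from 198.51.100.7:33113 to 203.0.113.10:22
<131>Mar  3 10:01:20 gvs9000 fw: error condition: log host unreachable
<13>Mar  3 10:01:30 otherhost cron: nightly job finished
"""

SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
LINE_RE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$")
ATTEMPT_RE = re.compile(r"unauthorized access attempt from (\d+\.\d+\.\d+\.\d+)")

def parse_line(line):
    """Split a syslog line into facility, severity, timestamp, host and message."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))  # PRI = facility * 8 + severity
    return {"facility": pri // 8, "severity": SEVERITY[pri % 8],
            "timestamp": m.group(2), "host": m.group(3), "message": m.group(4)}

def unauthorized_by_source(text, host="gvs9000", facility=16):
    """Count unauthorized access attempts per source IP, keeping only records
    from the firewall host on the facility it was configured to log to
    (16 = local0 is an assumption)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["host"] != host or rec["facility"] != facility:
            continue
        m = ATTEMPT_RE.search(rec["message"])
        if m:
            counts[m.group(1)] += 1
    return counts
```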

How does GVS9000 address IP spoofing?

The GVS9000 performs a test to ensure that packets are received on the expected interface. This feature looks up the route back to the source of each received IP packet. If no route to the source is available, or the packet did not arrive on the expected interface, the packet is discarded. The expected interface is the one that would be used to send a packet back to the reported source of the packet.
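The reverse-path test described above, implemented as an added example in Python (not GVS9000 code): a longest-prefix route lookup finds the interface a packet back to the source would leave by, and a packet is discarded when there is no such route or it arrived on a different interface. The routing table, interface names and addresses are constructed assumptions.

```python
import ipaddress

# Constructed routing table for a three-NIC box: (destination network, interface
# that packets toward it are sent out of). Names and addresses are assumptions.
ROUTES = [
    ("10.0.0.0/8", "protected"),     # Protected network and networks behind it
    ("192.0.2.0/24", "psn"),         # PSN
    ("203.0.113.0/24", "external"),  # External NIC's own subnet
    ("0.0.0.0/0", "external"),       # default route: everything else is outside
]

def egress_interface(addr, routes=ROUTES):
    """Longest-prefix route lookup: which NIC would a packet to addr leave by?"""
    ip = ipaddress.ip_address(addr)
    best_len, best_iface = -1, None
    for net, iface in routes:
        network = ipaddress.ip_network(net)
        if ip in network and network.prefixlen > best_len:
            best_len, best_iface = network.prefixlen, iface
    return best_iface  # None when no route covers addr

def rpf_check(src, ingress, routes=ROUTES):
    """Reverse-path test: accept only if the route back to src uses the
    interface the packet actually arrived on."""
    expected = egress_interface(src, routes)
    if expected is None:
        return False, "no route back to source"
    if expected != ingress:
        return False, f"expected on {expected}, arrived on {ingress}"
    return True, "ok"

def filter_packets(packets, routes=ROUTES):
    """packets: iterable of (src, ingress). Returns (accepted, discarded)."""
    accepted, discarded = [], []
    for src, ingress in packets:
        ok, why = rpf_check(src, ingress, routes)
        (accepted if ok else discarded).append((src, ingress, why))
    return accepted, discarded
```

A packet claiming a Protected-network source but arriving on the External NIC fails the check, which is the spoofing case this feature is meant to catch.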

Does GVS9000 protect against denial of service attacks?

Yes, GVS9000 provides protection against denial of service attacks such as Ping of Death, smurf, SYN flood, Land.c, and Teardrop.

Does GVS9000 support DHCP?

GVS9000 has support for DHCP. DHCP is available on all three network interfaces: External, PSN, and Protected. DHCP is available on the external network primarily for cable modem and xDSL users, since dynamic address assignment is used for this type of interface.

