
LANCOM 3550 Wireless
Firewall
Stateful inspection firewall: Direction-dependent check based on connection information
Packet filter: Check based on the header information of an IP packet (IP or MAC source/destination addresses; source/destination ports, DiffServ attribute); remote-site dependent, direction dependent, bandwidth dependent
Masquerading: Network Address Translation (NAT), N:N mapping for the translation or masking of IP addresses
Port mapping: Provision of services from behind masqueraded computers, for example, to make an internal web server available from the outside (inverse masquerading)
Tagging: The firewall marks packets with routing tags, e.g. for policy-based routing
Actions: Forward, drop, reject, block sender address, close destination port, disconnect
Messaging: Via e-mail, SYSLOG or SNMP trap
Quality of Service
Traffic shaping: Dynamic bandwidth management with IP traffic shaping
Bandwidth reservation: Dynamic reservation of minimum and maximum bandwidths, absolute or connection-related, separate settings for send and receive directions
DiffServ/TOS: Priority packet queuing based on DiffServ/TOS fields
Packet-size control: Automatic packet-size control by fragmentation or Path Maximum Transmission Unit (PMTU) adjustment
Layer 2/Layer 3 tagging: Automatic or fixed translation of layer-2 priority information (802.1p-marked Ethernet frames) to layer-3 DiffServ attributes in routing mode. Translation from layer 3 to layer 2 with automatic recognition of 802.1p support in the destination device.
Security
Intrusion Prevention: Monitoring and blocking of login attempts and port scans
IP spoofing: Source IP address check on all interfaces: only IP addresses belonging to the previously defined IP network are accepted
Access Control lists: Filtering of IP or MAC addresses and preset protocols for configuration access and LANCAPI
Denial of Service protection: Protection from fragmentation errors and SYN flooding
General: Detailed settings for handling reassembly, PING, stealth mode and AUTH port
URL blocker: Filtering of unwanted URLs based on DNS hitlists and wildcard filters
Password protection: Password-protected configuration access can be set for each interface
Alerts: Alerts via e-mail, SNMP traps and SYSLOG
Authentication mechanisms: PAP, CHAP and MS-CHAP as PPP authentication mechanism
High availability / redundancy
VRRP: VRRP (Virtual Router Redundancy Protocol) for non-proprietary backup in case of failure of a device or remote station. Enables passive standby groups or reciprocal backup between multiple active devices including load balancing and freely definable backup priorities
FirmSafe: For completely safe software upgrades thanks to two stored firmware versions, incl. test mode for firmware updates
UMTS backup*: Operation of an external UMTS/HSDPA card in the external CardBus slot. Supported cards: See Internet
VPN redundancy: Control of up to 16 redundant VPN gateways for high availability or load balancing
Line monitoring: Line monitoring with LCP echo monitoring, dead-peer detection and up to 4 addresses for end-to-end monitoring with ICMP polling
* Notice: A UMTS card is not supplied
VPN
Number of VPN tunnels: 5 IPSec connections active simultaneously, 25 connections configurable
IKE: IPSec key exchange with Preshared Key or certificate
Certificates: X.509 digital certificate support, compatible with Microsoft Server / Enterprise Server and OpenSSL, upload of PKCS#12 files via HTTPS interface
Algorithms: 3DES (168 bit), AES (128, 192 or 256 bit), Blowfish (128 bit), RSA (128 or -448 bit) and CAST (128 bit); MD-5 or SHA-1 hashes
NAT-Traversal: NAT-Traversal (NAT-T) support for VPN over routes without VPN passthrough
IPCOMP: VPN data compression based on LZS or Deflate compression for higher IPSec throughput
Dynamic DNS (dynDNS): Enables the registration of IP addresses with a dynDNS provider when fixed IP addresses are not used for the VPN connection
Specific DNS forwarding: DNS forwarding according to DNS domain, e.g. internal names are translated by proprietary DNS servers in the VPN; external names are translated by Internet DNS servers.