LANCOM Systems LCOS 10.92 Security Essentials User Guide

LCOS 10.92 Security Essentials

Specifications

  • Model: LCOS 10.92
  • Product Name: LANCOM Security Essentials
  • Release Date: 05/2025

Product Information

The LANCOM Security Essentials is a comprehensive security
solution that includes content filtering capabilities to help
manage and control access to websites based on predefined
categories.

Product Usage Instructions

Requirements for using LANCOM Security Essentials

  1. The LANCOM Security Essentials option must be activated.
  2. The firewall must be enabled.
  3. A firewall rule must select the content filter profile.
  4. The selected content filter profile must define a category
    profile and optionally a white and/or blacklist for every time
    period of the day.
  5. If the content filter profile is renamed, the firewall rule
    must also be adjusted.

Quick Start

After installing the LANCOM Security Essentials, follow these
steps:

  1. All settings are preconfigured for quick commissioning.
  2. Check data protection regulations or company policies
    applicable in your country before commissioning.
  3. In LANconfig, access the settings under Content Filter.
  4. Activate the content filter by launching the setup wizard for
    the corresponding device and configuring the content filter.

Standard Settings in the Content Filter

Standard settings in the Content Filter provide basic
configurations for managing website access based on predefined
categories.

FAQ

What should I do if the content filter profile needs to be
modified?

If you need to modify the content filter profile, ensure to
adjust the corresponding firewall rule accordingly to maintain
proper functionality.

How can I ensure effective usage of LANCOM Security
Essentials?

To ensure effective usage, regularly review and update the
category profiles and settings based on your organization’s
requirements and policies.


LCOS 10.92
LANCOM Security Essentials
05/2025

LCOS 10.92 Contents
Contents
Copyright
1 Introduction
2 Requirements for using LANCOM Security Essentials
3 Quick start
4 Standard settings in the Content Filter
5 General Settings
6 Settings for blocking
  6.1 Block text
  6.2 Error text
7 Override settings
  7.1 Override text
8 Profiles in the Content Filter
  8.1 Profiles
  8.2 Blacklist addresses (URL)
  8.3 Whitelist addresses (URL)
  8.4 Category profiles
9 Options for the Content Filter
10 Additional settings for the Content Filter
  10.1 Firewall settings for the content filter
  10.2 Timeframe
11 BPjM module
  11.1 Recommendations for use

Copyright

© 2025 LANCOM Systems GmbH, Würselen (Germany). All rights reserved. While the information in this manual has been compiled with great care, it may not be deemed an assurance of product characteristics. LANCOM Systems shall be liable only to the degree specified in the terms of sale and delivery. The reproduction and distribution of the documentation and software supplied with this product and the use of its contents is subject to written authorization from LANCOM Systems. We reserve the right to make any alterations that arise as the result of technical development.

Windows® and Microsoft® are registered trademarks of Microsoft, Corp. LANCOM, LANCOM Systems, LCOS, LANcommunity, LANCOM Service LANcare, LANCOM Active Radio Control, and AirLancer are registered trademarks. All other names or descriptions used may be trademarks or registered trademarks of their owners. This document contains statements relating to future products and their attributes. LANCOM Systems reserves the right to change these without notice. No liability for technical errors and/or omissions.

This product contains separate open-source software components which are subject to their own licenses, in particular the General Public License (GPL). The license information for the device firmware (LCOS) is available on the device's WEBconfig interface under “Extras > License information”. If the respective license demands, the source files for the corresponding software components will be made available on a download server upon request. Products from LANCOM Systems include software developed by the “OpenSSL Project” for use in the “OpenSSL Toolkit” (www.openssl.org). Products from LANCOM Systems include cryptographic software written by Eric Young (eay@cryptsoft.com). Products from LANCOM Systems include software developed by the NetBSD Foundation, Inc. and its contributors. Products from LANCOM Systems contain the LZMA SDK developed by Igor Pavlov.

LANCOM Systems GmbH
A Rohde & Schwarz Company
Adenauerstr. 20/B2
52146 Wuerselen
Germany
www.lancom-systems.com

1 Introduction
With LANCOM Security Essentials, you can filter specific content in your network to prevent access to, for example, illegal, dangerous, or offensive websites. Additionally, you can restrict private browsing on certain sites during working hours. This not only boosts employee productivity and network security but also ensures that full bandwidth is available exclusively for business processes.

LANCOM Security Essentials is an intelligent, dynamic website filter. It contacts a rating server that reliably and accurately evaluates websites based on the categories you selected. The filter works on the IP addresses determined from the requested URLs. For many pages, subdirectories within a domain are also evaluated separately, so that different sections of a URL can be rated differently.
Note: Users cannot bypass website verification by LANCOM Security Essentials by entering the IP address of a site in the browser. LANCOM Security Essentials checks both unencrypted (HTTP) and encrypted (HTTPS) websites.

The BPjM module is part of LANCOM Security Essentials or can be obtained separately via the LANCOM BPjM Filter Option software license. The BPjM module is published by the Federal Agency for the Protection of Children and Young People in the Media (Bundeszentrale für Kinder- und Jugendmedienschutz) and blocks domains that must not be made accessible to children and adolescents in Germany.

The license you purchased for LANCOM Security Essentials applies to a specific device category and a specific time period (either one year or three years). The number of users is unlimited. You will be notified in advance when your license is about to expire.
Note: You can test LANCOM Security Essentials on any router that supports this function. To do so, you must activate a time-limited 30-day demo license once per device. Demo licenses are created directly from within LANconfig. Right-click the device, select Activate Software Option from the context menu, and in the following dialog, click the link next to Need a demo license?. You will automatically be connected to the LANCOM registration server website, where you can select and register the desired demo license for the device.
Category profiles store all settings related to categories. You select from predefined main and subcategories in your LANCOM Security Essentials: 73 categories are grouped into 12 thematic groups, e.g., “Pornography”, “Shopping”, or “Illegal”. Each group allows you to enable or disable the included categories. Subcategories for “Pornography” include “Pornography”, “Sex toys”, “Sexual content”, “Nudity”, “Lingerie”, and “Sex education”.

Additionally, administrators can enable an override option for each category during configuration. When override is active, users can temporarily access a blocked site by clicking a corresponding button, but the administrator will receive a notification via e-mail, SYSLOG, and/or SNMP trap.

Using the category profile you created, along with the whitelist and blacklist, you can create a content filter profile that can be assigned to users via the firewall. For example, you can create the profile “Employees_Department_A”, which is then assigned to all computers in that department.

During installation, LANCOM Security Essentials automatically sets up useful default settings that only need to be activated for initial operation. In subsequent steps, you can further adapt the behavior of LANCOM Security Essentials to your specific use case. Useful default settings are also automatically configured for the BPjM module. For example, there is a default firewall rule in the IPv4 or IPv6 firewall with the system object “BPJM” as the destination station. Define the source stations as the networks that should be protected by the BPjM module. By activating the rule, the BPjM module is started.

2 Requirements for using LANCOM Security Essentials
The following requirements must be met in order to use LANCOM Security Essentials:

  1. The LANCOM Security Essentials option is activated.
  2. The firewall must be enabled.
  3. A firewall rule must select the content filter profile.
  4. The selected content filter profile must define a category profile and optionally a white and/or blacklist for every time period of the day. To cover different time periods, a content filter profile can consist of multiple entries. If a specific time period is not covered by an entry, unrestricted access to websites will be possible during that time.

Note: If the content filter profile is renamed later, the firewall rule must also be adjusted.

3 Quick start
After installing the LANCOM Security Essentials, all settings are preconfigured for quick commissioning.
Note: The operation of LANCOM Security Essentials may be subject to data protection regulations in your country or to company policies. Please check applicable rules before commissioning.

Note: In LANconfig, the settings of LANCOM Security Essentials are listed under Content Filter.
Activate the content filter using the following steps:

  1. Launch the setup wizard for the corresponding device.
  2. Select the setup wizard for configuring the content filter.
  3. Select one of the predefined security profiles (Basic Profile, Work Profile, Parental Control Profile):
     • Basic profile: This profile mainly blocks access to categories such as pornography, illegal, violent or discriminatory content, drugs, spam, and phishing.
     • Work profile: In addition to the Basic Profile settings, this profile also blocks categories such as shopping, job search, games, music, radio, and certain communication services like chat.
     • Parental control profile: In addition to the Basic Profile settings, this profile includes stricter blocking for nudity and weapons.

If the firewall is disabled, the wizard will enable it. The wizard then checks whether the firewall rule for the content filter is set correctly and adjusts it if necessary. With these steps, the content filter is activated, and the default settings apply to all stations in the network using the selected content filter profile with empty blacklists and whitelists. Adjust these settings to suit your needs if necessary. The wizard activates the content filter for the timeframe ALWAYS.

4 Standard settings in the Content Filter
The following elements have been created in the default configuration of the Content Filter:

Firewall rule
  The preset firewall rule is named CONTENT-FILTER and uses the action object CONTENT-FILTER-BASIC.

Firewall action objects
  There are three firewall action objects:
  • CONTENT-FILTER-BASIC
  • CONTENT-FILTER-WORK
  • CONTENT-FILTER-PARENTAL-CONTROL
  These action objects work with the corresponding content-filter profiles.

Content filter profiles
  There are three content filter profiles. All content-filter profiles use the timeframe ALWAYS, the blacklist MY-BLACKLIST and the whitelist MY-WHITELIST. Each content-filter profile uses one of the predefined category profiles:
  • CF-BASIC-PROFILE: This content-filter profile features a low level of restrictions and works with the category profile BASIC-CATEGORIES.
  • CF-PARENTAL-CONTROL-PROFILE: This content-filter profile protects minors (e.g. trainees) from unsuitable Internet content, and it works with the category profile PARENTAL-CONTROL.
  • CF-WORK-PROFILE: This content-filter profile is intended for companies wishing to place restrictions on categories such as Job Search or Chat. It works with the category profile WORK-CATEGORIES.

Timeframe
  There are two predefined timeframes:
  • ALWAYS: 00:00-23:59 hrs
  • NEVER: 00:00-00:00 hrs

Blacklist
  The preset blacklist is named MY-BLACKLIST and it is empty. Here you can optionally enter URLs which are to be forbidden.

Whitelist
  The preset whitelist is named MY-WHITELIST and it is empty. Here you can optionally enter URLs which are to be allowed.

Category profiles
  There are three category profiles: BASIC-CATEGORIES, WORK-CATEGORIES and PARENTAL-CONTROL. The category profile specifies the categories which are to be allowed and forbidden, and for which ones an override can be activated.

5 General Settings
You can make global content filter settings in LANconfig under Content Filter > General:

Activate Content Filter
  This allows you to activate the content filter.

In case of error
  This lets you define what happens in the event of an error. For example, if the rating server cannot be reached, this setting determines whether the user can browse freely or whether all web access is blocked.

On license expiration
  The license for using LANCOM Security Essentials is valid for a specific period. You will be reminded of the upcoming license expiration 30 days, one week, and one day in advance (to the email address configured in LANconfig under Log & Trace > General > E-mail addresses > E-mail for license expiry reminder). Here, you specify whether websites are blocked or passed through unchecked after license expiration: the user can either browse freely after the license expires, or all web access is denied.
  Note: To ensure the reminder is actually sent to the specified email address, you must configure the appropriate SMTP account.

On Non-HTTPS via TCP port 443
  TCP port 443 is reserved by default exclusively for HTTPS connections. Some applications that do not use HTTPS still use TCP port 443. In such cases, you can allow TCP port 443 to accept non-HTTPS traffic.
  • Forbidden: Disallows non-HTTPS traffic on port 443 (default).
  • Allowed: Allows non-HTTPS traffic on port 443.
  Note: If you allow non-HTTPS connections on port 443, that traffic is not classified by the content filter but generally permitted, so a connection to port 443 that does not look like TLS passes the filter unchecked. By default, non-HTTPS traffic on port 443 is not allowed.

Max. proxy connections
  Set the maximum number of simultaneous proxy connections allowed. This helps limit system load. A notification is triggered if this number is exceeded. You can configure the type of notification under Content Filter > Options > Event notification.

Proxy processing timeout
  Specify the time in milliseconds the proxy is allowed for processing. If this time is exceeded, a timeout error page is returned.

Save Content Filter information to flash ROM activated
  If enabled, this option stores content filter information in the device's flash ROM.

Allow wildcard certificates
  For websites using wildcard certificates (with CN entries such as *.mydomain.de), enabling this function uses the main domain (mydomain.de) for filtering. The hostname used to rate an HTTPS connection is determined in the following order:
  1. The server name in the TLS “Client Hello” (SNI; depending on the browser used).
  2. The CN in the received SSL certificate. Wildcard entries are ignored here; with this option enabled, the main domain is used instead (as described above).
  3. If the CN is not usable, the “Alternative Name” field (Subject Alternative Name) is evaluated.
  4. DNS reverse lookup of the corresponding IP address and evaluation of the resulting hostname.
  5. The IP address itself.
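The TLS test behind the “Non-HTTPS via TCP port 443” setting and the server-name lookup in the Client Hello are the first things the proxy sees of an HTTPS connection. The following added example is my own code, not LCOS firmware: it builds a minimal TLS ClientHello as a constructed sample, recognises a TLS handshake record on port 443, extracts the SNI the filter rates on, and mirrors the setting by either rejecting or passing through anything that is not TLS. The helper classify_port443 and its result strings are assumptions for illustration.

```python
import struct
from typing import Optional

TLS_HANDSHAKE = 0x16      # TLS record content type "handshake"
CLIENT_HELLO = 0x01       # handshake message type
EXT_SERVER_NAME = 0x0000  # SNI extension type

def build_client_hello(server_name: str) -> bytes:
    """Constructed sample input: a minimal TLS 1.2 ClientHello carrying only an SNI
    extension (a real browser sends many more fields; the parser below skips them)."""
    host = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host   # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    body = (b"\x03\x03"                    # client_version TLS 1.2
            + bytes(32)                    # random (zeros in this sample)
            + b"\x00"                      # session_id: empty
            + b"\x00\x02\x13\x01"          # cipher_suites: one entry
            + b"\x01\x00"                  # compression_methods: null only
            + struct.pack("!H", len(ext)) + ext)
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([TLS_HANDSHAKE]) + b"\x03\x01"
            + struct.pack("!H", len(handshake)) + handshake)

def is_tls_client_hello(data: bytes) -> bool:
    """Does the first TCP payload on port 443 look like a TLS handshake record holding
    a ClientHello? This is the distinction the port-443 setting acts on."""
    return (len(data) >= 6
            and data[0] == TLS_HANDSHAKE
            and data[1] == 0x03 and data[2] <= 0x04   # record version SSL 3.0 .. TLS 1.3
            and data[5] == CLIENT_HELLO)

def extract_sni(data: bytes) -> Optional[str]:
    """Walk the ClientHello to the server_name extension; None if absent or not TLS."""
    if not is_tls_client_hello(data):
        return None
    hello = data[5:5 + struct.unpack("!H", data[3:5])[0]]
    pos = 4 + 2 + 32                                        # handshake header, version, random
    pos += 1 + hello[pos]                                   # session_id
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + hello[pos]                                   # compression_methods
    if pos + 2 > len(hello):
        return None                                         # no extensions block at all
    end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
        pos += 4
        if ext_type == EXT_SERVER_NAME:
            p = pos + 2                                     # skip ServerNameList length
            while p + 3 <= pos + ext_len:
                name_type = hello[p]
                name_len = struct.unpack("!H", hello[p + 1:p + 3])[0]
                if name_type == 0:
                    return hello[p + 3:p + 3 + name_len].decode("ascii", "replace")
                p += 3 + name_len
        pos += ext_len
    return None

def classify_port443(first_bytes: bytes, allow_non_https: bool) -> str:
    """Assumed helper mirroring the setting: TLS goes on to rating (keyed on the SNI);
    anything else is rejected (Forbidden, the default) or passed without classification."""
    if is_tls_client_hello(first_bytes):
        return "rate:" + (extract_sni(first_bytes) or "<no SNI>")
    return "pass-unclassified" if allow_non_https else "forbidden"
```

With Forbidden the non-TLS case is dropped; with Allowed it passes without ever being rated, which is the bypass the note above warns about.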

6 Settings for blocking
You adjust the website-blocking settings here:

LANconfig: Content filter > Blocking / Override > Blocking & error
Command line: Setup > UTM > Content-Filter > Global-Settings

Alternative blocking URL
  This is where you can enter the address of an alternative URL. If access is blocked, the URL entered here is displayed instead of the requested web site. You can use this external HTML page to display your company's corporate design, for example, or to perform functions such as JavaScript routines. You can also use the same tags here as in the blocking text. If you make no entry here, the default page stored in the device is displayed.
  Possible values: Valid URL address
  Default: Blank

Alternative error URL
  This is where you can enter the address of an alternative URL. In the event of an error, the URL entered here is displayed instead of the usual web site. You can use this external HTML page to display your company's corporate design, for example, or to perform functions such as JavaScript routines. You can also use the same tags here as in the error text. If you make no entry here, the default page stored in the device is displayed.
  Possible values: Valid URL address
  Default: Blank

Source addr. for alt. block URL
  This is where you can configure an optional sender address to be used instead of the one that would normally be automatically selected for this target address. If you have configured loopback addresses, you can specify them here as sender address.
  Possible values:
  • Name of the IP network whose address should be used
  • INT for the address of the first Intranet
  • DMZ for the address of the first DMZ (if there is an interface called DMZ, its address is taken)
  • LB0…LBF for the 16 loopback addresses
  • GUEST
  • Any IP address in the form x.x.x.x
  Default: Blank
  Note: The sender address specified here is used unmasked for every remote station.

Source addr. for alt. error URL
  This is where you can configure an optional sender address to be used instead of the one that would normally be automatically selected for this target address. If you have configured loopback addresses, you can specify them here as sender address.
  Possible values:
  • Name of the IP network whose address should be used
  • INT for the address of the first Intranet
  • DMZ for the address of the first DMZ (if there is an interface called DMZ, its address is taken)
  • LB0…LBF for the 16 loopback addresses
  • GUEST
  • Any IP address in the form x.x.x.x
  Default: Blank
  Note: The sender address specified here is used unmasked for every remote station.
6.1 Block text
This is where you can define text to be displayed when blocking occurs. Different blocking texts can be defined for different languages. The display of blocking text is controlled by the language setting transmitted by the browser (user agent).

Language
  Entering the appropriate country code here ensures that users receive all messages in their browser's preset language. If the country code set in the browser is found here, the matching text is displayed. You can add any other language. Examples of the country code:
  • de-DE: German-Germany
  • de-CH: German-Switzerland
  • de-AT: German-Austria
  • en-GB: English-Great Britain
  • en-US: English-United States
  Note: The country code must match the browser language setting exactly, e.g. “de-DE” must be entered for German (“de” on its own is insufficient). If the country code set in the browser is not found in this table, or if the text stored under that country code is deleted, the predefined default text (“default”) is used. You can modify the default text.
  Possible values: 10 alphanumerical characters
  Default: Blank

Text
  Enter the text that you wish to use as block text for this language.
  Possible values: 254 alphanumerical characters
  Default: Blank
  Special values: You can also use special tags in the blocking text if you wish to display different pages depending on the reason why the web site was blocked (e.g. forbidden category or entry in the blacklist). The following tags can be used:
  • <CF-URL/> for the forbidden URL
  • <CF-CATEGORIES/> for the list of categories why the web site was blocked
  • <CF-PROFILE/> for the profile name
  • <CF-OVERRIDEURL/> for the URL used to activate the override (this can be integrated in a simple <a> tag or in a button)
  • <CF-LINK/> adds a link for activating the override
  • <CF-BUTTON/> adds a button for activating the override
  • <CF-IF att1 att2> … </CF-IF> to display or hide parts of the HTML document. The attributes are:
    • BLACKLIST: the site was blocked because it is in the profile blacklist
    • CATEGORY: the site was blocked due to one of its categories
    • ERR: an error has occurred
    • OVERRIDEOK: users have been allowed an override (in this case, the page should display an appropriate button)

  Note: Since there are separate text tables for the blocking page and the error page, the ERR attribute only makes sense if you have configured an alternative URL to show on blocking.
  If several attributes are given in one tag, the section is displayed if at least one of these conditions is met. All tags and attributes can be abbreviated to the first two letters (e.g. CF-CA or CF-IF BL). This is necessary as the blocking text may contain a maximum of 254 characters.
  Example:
  <CF-URL/> is blocked because it matches the categories <CF-CA/>.</p><p>Your content profile is <CF-PR/>.</p><p><CF-IF OVERRIDEOK></p><p><CF-BU/></CF-IF>

Note: The tags described here can also be used in external HTML pages (alternative URLs to show on blocking).
6.2 Error text
This is where you can define text to be displayed when an error occurs.
Language
  Entering the appropriate country code here ensures that users receive all messages in their browser's preset language. If the country code set in the browser is found here, the matching text is displayed. You can add any other language. Examples of the country code:
  • de-DE: German-Germany
  • de-CH: German-Switzerland
  • de-AT: German-Austria
  • en-GB: English-Great Britain
  • en-US: English-United States
  Note: The country code must match the browser language setting exactly, e.g. “de-DE” must be entered for German (“de” on its own is insufficient). If the country code set in the browser is not found in this table, or if the text stored under that country code is deleted, the predefined default text (“default”) is used. You can modify the default text.
  Possible values: 10 alphanumerical characters
  Default: Blank

Text
  Enter the text that you wish to use as error text for this language.
  Possible values: 254 alphanumerical characters
  Default: Blank
  Special values: You can also use HTML tags in the error text. The following empty element tags can be used:
  • <CF-URL/> for the forbidden URL
  • <CF-PROFILE/> for the profile name
  • <CF-ERROR/> for the error message
  Example:
  <CF-URL/> is blocked because an error has occurred:</p><p><CF-ERROR/>

7 Override settings
The override function allows a website to be accessed even though it is classified as forbidden. The user must click on the override button to request the forbidden page to be opened. You can configure this feature so that the administrator is notified when the override button is clicked (LANconfig: Content filter > Options > Events).
Note: If the override type “Category” has been activated, clicking on the override button makes all of the categories for that URL accessible to the user. The next blocking page to be displayed has just one category explaining why access to the URL was blocked. If the override type “Domain” has been activated, then the entire domain can be accessed.

The settings for the override function are to be found here:
LANconfig: Content filter > Blocking / Override > Override
Command line: Setup > UTM > Content-Filter > Global-Settings

Override-Active
  This is where you can activate the override function and make further related settings.

Override duration
  The override duration can be restricted here. When the period expires, any attempt to access the same domain and/or category is blocked again. Clicking on the override button once more allows the web site to be accessed again for the duration of the override and, depending on the settings, the administrator is notified once more.
  Possible values: 1-1440 (minutes)
  Default: 5 (minutes)

Override type
  This is where you can set the type of override. It can be allowed for the domain, for the category of web site to be blocked, or for both.
  Possible values:
  • Category: For the duration of the override, all URLs are allowed that fall under the affected categories (as well as those which would already have been allowed even without the override).
  • Domain: For the duration of the override, all URLs in this domain are allowed, irrespective of the categories they belong to.
  • Category-and-Domain: For the duration of the override, all URLs are allowed that belong to this domain and also to the allowed categories. This is the most restrictive option.
7.1 Override text
This is where you can define text that is displayed to users confirming an override.
Language
  Entering the appropriate country code here ensures that users receive all messages in their browser's preset language. If the country code set in the browser is found here, the matching text is displayed. You can add any other language. Examples of the country code:
  • de-DE: German-Germany
  • de-CH: German-Switzerland
  • de-AT: German-Austria
  • en-GB: English-Great Britain
  • en-US: English-United States
  Note: The country code must match the browser language setting exactly, e.g. “de-DE” must be entered for German (“de” on its own is insufficient). If the country code set in the browser is not found in this table, or if the text stored under that country code is deleted, the predefined default text (“default”) is used. You can modify the default text.
  Possible values: 10 alphanumerical characters
  Default: Blank

Text
  Enter the text that you wish to use as override text for this language.
  Possible values: 254 alphanumerical characters
  Default: Blank
  Special values: You can also use HTML tags in the override text if you wish to display different pages depending on the result of the override (type of override granted, or failure). The following tags can be used:
  • <CF-URL/> for the originally forbidden URL that is now allowed
  • <CF-CATEGORIES/> for the list of categories that have now been allowed as a result of the override (except if domain override is specified)
  • <CF-BUTTON/> displays an override button that forwards the browser to the original URL
  • <CF-LINK/> displays an override link that forwards the browser to the original URL
  • <CF-HOST/> or <CF-DOMAIN/> displays the host or the domain of the allowed URL. The tags are of equal value and their use is optional.
  • <CF-ERROR/> generates an error message in the event that the override fails
  • <CF-DURATION/> displays the override duration in minutes
  • <CF-IF att1 att2> … </CF-IF> to display or hide parts of the HTML document. The attributes are:
    • CATEGORY: the override type is “Category” and the override was successful
    • DOMAIN: the override type is “Domain” and the override was successful
    • BOTH: the override type is “Category-and-Domain” and the override was successful
    • ERROR: the override failed
    • OK: CATEGORY, DOMAIN or BOTH applies
  If several attributes are given in one tag, the section is displayed if at least one of these conditions is met. All tags and attributes can be abbreviated to the first two letters (e.g. CF-CA or CF-IF DO). This is necessary as the override text may contain a maximum of 254 characters.
  Example:
  <CF-IF CA BO>The categories <CF-CAT/> are</CF-IF><CF-IF BO> in the domain <CF-DO/></CF-IF><CF-IF DO>The domain <CF-DO/> is</CF-IF><CF-IF OK> released for <CF-DU/> minutes.</p><p><CF-LI/></CF-IF><CF-IF ERR>Override error:</p><p><CF-ERR/></CF-IF>
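The blocking text (section 6.1) and the override text above share one small template language: empty-element tags such as <CF-URL/>, conditional <CF-IF att1 att2> … </CF-IF> sections that stay when at least one attribute applies, and abbreviation of every name to its first two letters so a text fits the 254-character limit. The following added Python example is not LANCOM code; it is a stand-alone renderer written to those rules so a template can be previewed under each blocking reason and each override outcome before it is entered on the device, and so a mistyped tag is caught rather than silently rendered as nothing. The tag and attribute names are the manual's; the HTML emitted for <CF-LINK/> and <CF-BUTTON/>, and the helpers block_page, override_page and expand, are assumptions.

```python
import re
from typing import Dict, Iterable, Set

# Tag and attribute names as the manual lists them. Each may be abbreviated to its
# first two or more letters, e.g. <CF-CA/> for <CF-CATEGORIES/> or "CF-IF BL".
TAGS = ["URL", "CATEGORIES", "PROFILE", "OVERRIDEURL", "LINK", "BUTTON",
        "ERROR", "HOST", "DOMAIN", "DURATION"]
BLOCK_ATTRS = ["BLACKLIST", "CATEGORY", "ERR", "OVERRIDEOK"]     # blocking page
OVERRIDE_ATTRS = ["CATEGORY", "DOMAIN", "BOTH", "ERROR", "OK"]  # override page
MAX_TEXT = 254                                                   # per-language text limit

def canon(token: str, names: Iterable[str]) -> str:
    """Resolve a possibly abbreviated name to its full form. Unknown or ambiguous
    tokens raise, so a typo in a template fails loudly instead of rendering as nothing."""
    t = token.upper()
    hits = [n for n in names if len(t) >= 2 and n.startswith(t)]
    if len(hits) != 1:
        raise ValueError(f"unknown or ambiguous CF tag/attribute: {token!r}")
    return hits[0]

def render(template: str, values: Dict[str, str], flags: Set[str], attr_names) -> str:
    """Apply the manual's rules: a <CF-IF a b>...</CF-IF> section stays if at least one
    listed attribute is set; afterwards every <CF-XX/> is replaced by its value."""
    def keep_if(m):
        attrs = {canon(a, attr_names) for a in m.group(1).split()}
        return m.group(2) if attrs & flags else ""
    out = re.sub(r"<CF-IF\s+([^>]+)>(.*?)</CF-IF>", keep_if, template, flags=re.S | re.I)

    def value(m):
        name = canon(m.group(1), TAGS)
        target = values.get("OVERRIDEURL", "")
        if name == "LINK":      # assumed markup; the device's actual HTML is not documented here
            return f'<a href="{target}">Override</a>'
        if name == "BUTTON":
            return f'<form action="{target}"><button>Override</button></form>'
        return values.get(name, "")
    return re.sub(r"<CF-([A-Za-z]+)\s*/>", value, out, flags=re.I)

def expand(template: str, attr_names) -> str:
    """Spell every abbreviation out, to see what the 254-character limit would cost."""
    out = re.sub(r"<CF-IF\s+([^>]+)>",
                 lambda m: "<CF-IF " + " ".join(canon(a, attr_names)
                                                 for a in m.group(1).split()) + ">",
                 template, flags=re.I)
    return re.sub(r"<CF-([A-Za-z]+)\s*/>",
                  lambda m: f"<CF-{canon(m.group(1), TAGS)}/>", out, flags=re.I)

def within_limit(template: str) -> bool:
    return len(template) <= MAX_TEXT

# The manual's two example texts, verbatim.
BLOCK_EXAMPLE = ("<CF-URL/> is blocked because it matches the categories <CF-CA/>.</p>"
                 "<p>Your content profile is <CF-PR/>.</p><p><CF-IF OVERRIDEOK></p><p>"
                 "<CF-BU/></CF-IF>")
OVERRIDE_EXAMPLE = ("<CF-IF CA BO>The categories <CF-CAT/> are</CF-IF><CF-IF BO> in the domain "
                    "<CF-DO/></CF-IF><CF-IF DO>The domain <CF-DO/> is</CF-IF><CF-IF OK> released "
                    "for <CF-DU/> minutes.</p><p><CF-LI/></CF-IF><CF-IF ERR>Override error:</p><p>"
                    "<CF-ERR/></CF-IF>")

def block_page(url, categories, profile, override_url, reason: str, override_allowed: bool) -> str:
    """Blocking page for one request; reason is BLACKLIST, CATEGORY or ERR (assumed helper)."""
    flags = {reason} | ({"OVERRIDEOK"} if override_allowed else set())
    values = {"URL": url, "CATEGORIES": categories, "PROFILE": profile, "OVERRIDEURL": override_url}
    return render(BLOCK_EXAMPLE, values, flags, BLOCK_ATTRS)

def override_page(url, domain, categories, duration, override_type: str, error: str = "") -> str:
    """Override confirmation; override_type is CATEGORY, DOMAIN or BOTH (assumed helper)."""
    flags = {"ERROR"} if error else {override_type, "OK"}
    values = {"URL": url, "DOMAIN": domain, "HOST": domain, "CATEGORIES": categories,
              "DURATION": str(duration), "ERROR": error, "OVERRIDEURL": url}
    return render(OVERRIDE_EXAMPLE, values, flags, OVERRIDE_ATTRS)
```

Running expand() over the manual's override example shows why the abbreviations exist: the text fits in 254 characters only in its abbreviated form.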

8 Profiles in the Content Filter
Under Content Filter > Profiles you can create content-filter profiles that are used to check web sites for prohibited content. A content-filter profile always has a name and, for various time periods, it activates the desired category profile and, optionally, a blacklist and a whitelist. In order to provide different configurations for the various timeframes, several content-filter profile entries are created with the same name. The content-filter profile is thus made up of the sum of all entries with the same name. The firewall refers to this content-filter profile.
Note: You must make corresponding settings in the firewall in order to use the profiles in the LANCOM Content Filter.
8.1 Profiles
The settings for the profiles are to be found here:
LANconfig: Content filter > Profiles > Profile
Command line: Setup > UTM > Content-Filter > Profiles > Profile

Name
  The profile name that the firewall references must be specified here.

Timeframe
  Select the timeframe for this category profile and, optionally, the blacklist and the whitelist. The timeframes ALWAYS and NEVER are predefined. You can configure other timeframes under:
  LANconfig: Date & time > General > Time frame
  Command line: Setup > Time > Timeframe
  One profile may contain several lines with different timeframes.
  Possible values:
  • Always
  • Never
  • Name of a timeframe profile

Note: If multiple entries are used for a content-filter profile and their timeframes overlap, then all pages contained in the active entries are blocked for that period of time. If multiple entries are used for a content-filter profile and a time period remains undefined, access to all web sites is unchecked for this period.

Blacklist
  Name of the blacklist profile that is to apply for this content filter profile during the period in question. A new name can be entered, or an existing name can be selected from the blacklist table.
  Possible values:
  • Name of a blacklist profile
  • New name

Whitelist
  Name of the whitelist profile that is to apply for this content filter profile during the period in question. A new name can be entered, or an existing name can be selected from the whitelist table.
  Possible values:
  • Name of a whitelist profile
  • New name

Category profile
  Name of the category profile that is to apply for this content filter profile during the period in question. A new name can be entered, or an existing name can be selected from the category table.
  Possible values:
  • Name of a category profile
  • New name
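The note above states the two consequences of a profile being the sum of its rows: a time period no row covers means unchecked web access, and an overlap means the union of the rows' blocks applies. The following added Python example is not LANCOM code; it audits a set of profile rows against their timeframes and reports both conditions per profile name, which is the check worth running before a multi-row profile goes live. The timeframe semantics it assumes (inclusive stop minute, start equal to stop means never, stop before start wraps past midnight) are taken from the two predefined entries ALWAYS and NEVER; the custom timeframes WORKHOURS and LUNCH and the sample rows are constructed.

```python
from typing import Dict, Iterable, List, Set, Tuple

MINUTES_PER_DAY = 24 * 60

def hm(text: str) -> int:
    """'HH:MM' -> minute of the day."""
    hours, minutes = text.split(":")
    return int(hours) * 60 + int(minutes)

def fmt(minute: int) -> str:
    return f"{minute // 60:02d}:{minute % 60:02d}"

def timeframe_minutes(start: str, stop: str) -> Set[int]:
    """Minutes of the day covered by one timeframe. Assumed semantics, matching the two
    predefined entries: the stop minute is inclusive (ALWAYS = 00:00-23:59 covers the
    whole day), start == stop covers nothing (NEVER = 00:00-00:00), and stop < start
    wraps past midnight."""
    a, b = hm(start), hm(stop)
    if a == b:
        return set()
    if a < b:
        return set(range(a, b + 1))
    return set(range(a, MINUTES_PER_DAY)) | set(range(0, b + 1))

def as_ranges(minutes: Iterable[int]) -> List[Tuple[str, str]]:
    """Collapse a set of minutes into sorted, contiguous HH:MM-HH:MM ranges."""
    runs: List[List[int]] = []
    for m in sorted(minutes):
        if runs and m == runs[-1][1] + 1:
            runs[-1][1] = m
        else:
            runs.append([m, m])
    return [(fmt(a), fmt(b)) for a, b in runs]

def audit_profiles(entries, timeframes) -> Dict[str, Dict[str, list]]:
    """entries: rows (profile name, timeframe name, category profile) as entered under
    Content Filter > Profiles; timeframes: name -> (start, stop).
    For each profile name (the sum of all rows with that name) report the minutes no
    row covers ("gaps": web access is unchecked then) and the minutes two or more rows
    cover ("overlaps": the union of their blocks applies)."""
    report: Dict[str, Dict[str, list]] = {}
    rows_by_profile: Dict[str, list] = {}
    for name, tf, category_profile in entries:
        rows_by_profile.setdefault(name, []).append((tf, category_profile))
    for name, rows in rows_by_profile.items():
        hits: Dict[int, List[str]] = {}
        for tf, category_profile in rows:
            for minute in timeframe_minutes(*timeframes[tf]):
                hits.setdefault(minute, []).append(category_profile)
        gaps = as_ranges(m for m in range(MINUTES_PER_DAY) if m not in hits)
        overlaps = as_ranges(m for m, cats in hits.items() if len(cats) > 1)
        report[name] = {"gaps": gaps, "overlaps": overlaps}
    return report

# Constructed sample: the two predefined timeframes plus two assumed custom ones.
SAMPLE_TIMEFRAMES = {
    "ALWAYS": ("00:00", "23:59"),
    "NEVER": ("00:00", "00:00"),
    "WORKHOURS": ("08:00", "17:59"),   # assumed custom timeframe
    "LUNCH": ("12:00", "13:00"),       # assumed custom timeframe
}
# Constructed sample rows: CF-BASIC-PROFILE as shipped; CF-WORK-PROFILE split into a
# work-hours row and a lunch row, with nobody having added a row for the evening.
SAMPLE_ENTRIES = [
    ("CF-BASIC-PROFILE", "ALWAYS", "BASIC-CATEGORIES"),
    ("CF-WORK-PROFILE", "WORKHOURS", "WORK-CATEGORIES"),
    ("CF-WORK-PROFILE", "LUNCH", "BASIC-CATEGORIES"),
]

if __name__ == "__main__":
    for name, result in audit_profiles(SAMPLE_ENTRIES, SAMPLE_TIMEFRAMES).items():
        print(name, "unchecked:", result["gaps"], "overlapping:", result["overlaps"])
```

For the sample, CF-WORK-PROFILE is reported as unchecked from 00:00 to 07:59 and from 18:00 to 23:59, exactly the periods in which the manual says access would be unrestricted, and as overlapping from 12:00 to 13:00, where both category profiles apply at once.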
8.2 Blacklist addresses (URL)
This is where you can configure those web sites that are to be blocked.
LANconfig: Content filter > Profiles > Blacklist addresses (URL)
Command line: Setup > UTM > Content-Filter > Profiles > Blacklist

Name
  Enter the name of the blacklist for referencing from the content-filter profile.
  Possible values: Blacklist name

Address (URL)
  Access to the URLs entered here is forbidden by the blacklist.
  Possible values: Valid URL address. The following wildcard characters may be used:
  • * for any combination of characters (e.g. www.lancom.* encompasses the web sites www.lancom.com, www.lancom.de, www.lancom.eu, www.lancom.es, etc.)
  • ? for any one character (e.g. www.lancom.e? encompasses the web sites www.lancom.eu and www.lancom.es)
  Note: URLs must be entered without the leading http://. Please note that in the case of many URLs a forward slash is automatically added as a suffix to the URL, e.g. “www.mycompany.de/”. For this reason it is advisable to enter the URL as “www.mycompany.de*”. Individual URLs are separated by a blank.
8.3 Whitelist addresses (URL)
This is where you can configure web sites to which access is to be allowed.
LANconfig: Content Filter > Profiles > Whitelist addresses (URL)
Command line: Setup > UTM > Content-Filter > Profiles > Whitelist

Name
Enter the name of the whitelist for referencing from the content-filter profile. Possible values:
• Name of a whitelist

Address (URL)
This is where you can configure web sites which are to be checked locally and then accepted.
Possible values:
• Valid URL address
The following wildcard characters may be used:
• * for any combination of more than one character (e.g. www.lancom.* encompasses the web sites www.lancom.com, www.lancom.de, www.lancom.eu, www.lancom.es, etc.)
• ? for any one character (e.g. www.lancom.e? encompasses the web sites www.lancom.eu, www.lancom.es)

Note: URLs must be entered without the leading http://. Please note that many URLs are automatically given a forward slash as a suffix, e.g. "www.mycompany.de/"; an entry of "www.mycompany.de" therefore does not match such a request. For this reason it is advisable to enter the URL as "www.mycompany.de*". Individual URLs are separated by a blank.
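The following Python is an added example, not code from the guide or from LANCOM, that models the blacklist and whitelist matching rules described in sections 8.2 and 8.3: entries separated by blanks, `?` for exactly one character, `*` for a run of characters, and no leading scheme. It shows why "www.mycompany.de" misses a request the device sees as "www.mycompany.de/" while "www.mycompany.de*" catches it, and includes a small lint function for the two entry mistakes the notes warn about. Assumptions: `*` may match any run of characters (the guide does not state a minimum), matching is case-sensitive and against the whole requested URL, and the lint heuristics are this example's own.

```python
import re
from typing import List, Optional


def wildcard_to_regex(entry: str) -> "re.Pattern[str]":
    """Translate one Address (URL) entry into a regex.

    '*' is taken as any run of characters (assumption: the guide gives no
    minimum length), '?' as exactly one character; everything else literal.
    """
    out = []
    for ch in entry:
        if ch == "*":
            out.append(".*")
        elif ch == "?":
            out.append(".")
        else:
            out.append(re.escape(ch))
    return re.compile("".join(out))


def parse_address_list(text: str) -> List[str]:
    """Individual URLs in the Address (URL) field are separated by a blank."""
    return text.split()


def normalize_request(url: str) -> str:
    """Drop the scheme so a request is compared the way entries are written."""
    lowered = url.lower()
    for scheme in ("http://", "https://"):
        if lowered.startswith(scheme):
            return url[len(scheme):]
    return url


def first_match(url: str, entries: List[str]) -> Optional[str]:
    """Return the first entry matching the whole requested URL, or None."""
    target = normalize_request(url)
    for entry in entries:
        if wildcard_to_regex(entry).fullmatch(target):
            return entry
    return None


def lint_entry(entry: str) -> List[str]:
    """Flag the two mistakes the guide's notes warn about (heuristics are ours)."""
    problems = []
    if entry.lower().startswith(("http://", "https://")):
        problems.append("has a leading scheme; enter it without http://")
    bare = normalize_request(entry)
    if not bare.endswith("*") and "/" not in bare:
        problems.append("host only, no trailing *: will not match 'host/'")
    return problems


if __name__ == "__main__":
    # Constructed sample list; these hosts are not from the guide.
    blacklist = parse_address_list("www.mycompany.de www.lancom.e? www.example.org*")
    for req in ("http://www.mycompany.de/", "www.lancom.eu", "https://www.example.org/x"):
        print(req, "->", first_match(req, blacklist))
    for e in blacklist:
        print(e, lint_entry(e))
```

Run it to see that the bare host entry never fires on the slash-suffixed request; the lint output is what you want to check before saving a long list into the device.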
8.4 Category profiles
Here you create a category profile and determine which categories or groups should be used to rate web sites for each category profile. You can allow or forbid the individual categories or activate the override function for each group.
LANconfig: Content Filter > Profiles > Categories
Command line: Setup > UTM > Content-Filter > Profiles > Category-Profile

Category profile
The name of the category profile for referencing from the content-filter profile is entered here. Possible values:
• Name of a category profile
Category settings
For each main category and the associated sub-categories, it is possible to define whether the URLs are to be allowed, forbidden or allowed with override only. The following main categories can be configured:
• Illegal
• Cyberthreats
• Pornography
• Advertising
• Games
• Web applications
• Shopping
• Finance
• Religions & occult
• Information
• Entertainment & Culture
• Miscellaneous
The category profile must then be assigned to a content-filter profile together with a time frame in order to become active. Possible values:
• Allowed, forbidden, override
9 Options for the Content Filter
Under Content Filter > Options you determine whether you wish to be notified of events and where Content Filter information is to be stored.
Events
This is where you define how you wish to receive notification of specific events. Notification can be made by e-mail, SNMP or SYSLOG. For different event types you can specify whether messages should be output and, if so, how many.

E-mail
Here, you specify if and how e-mail notification takes place:
• No: No e-mail notification is issued for this event.
• Immediately: Notification occurs when the event occurs.
• Daily: The notification occurs once per day.
Notifications can be sent for the following events:
• Error: for SYSLOG, source "System", priority "Alert". Default: SNMP notification
• License expiry: for SYSLOG, source "Admin", priority "Alert". Default: SNMP notification
• License exceeded: for SYSLOG, source "Admin", priority "Alert". Default: SNMP notification
• Override applied: for SYSLOG, source "Router", priority "Alert". Default: SNMP notification
• Proxy limit: for SYSLOG, source "Router", priority "Info". Default: SNMP notification
E-mail recipient
An SMTP client must be defined if you wish to use the e-mail notification function. You can use the client in the device, or another client of your choice.

Note: No e-mail will be sent if no e-mail recipient is specified.
Content Filter snapshot
This is where you can activate the content filter snapshot and determine when and how often it should be taken. The snapshot copies the category statistics table to the last snapshot table, overwriting the old contents of the snapshot table. The category statistics values are then reset to 0.

Interval
Here you decide whether the snapshot should be taken monthly, weekly or daily. Possible values:
• Monthly
• Weekly
• Daily

Day of month
For monthly snapshots, set the day of the month when the snapshot should be taken. Possible values:
• 1-31

Note: It is advisable to select a number between 1 and 28 in order to ensure that the snapshot occurs every month.

Day of week
For weekly snapshots, set the day of the week when the snapshot should be taken. Possible values:
• Monday, Tuesday, Wednesday, Thursday, Friday, Saturday, Sunday

Time of day
If you require a daily snapshot, then enter here the time of day for the snapshot in hours and minutes. Possible values:
• Format HH:MM (default: 00:00)
10 Additional settings for the Content Filter
10.1 Firewall settings for the content filter
The firewall must be activated in order for the Content Filter to function. You can activate the firewall under:
LANconfig: Firewall/QoS > General
Command line: Setup > IP-Router > Firewall
In the default configuration, you will find the firewall rule CONTENT-FILTER that refers to the action object CONTENT-FILTER-BASIC.

Note: The firewall rule should be limited to the target services HTTP and HTTPS so that only outgoing HTTP and HTTPS connections are examined. Without this restriction all packets will be checked by the content filter, which could lead to a loss of system performance.

A content-filter related firewall rule must contain a special action object that uses packet actions to check the data according to a content-filter profile. In the default configuration you will find the action objects CONTENT-FILTER-BASIC, CONTENT-FILTER-WORK and CONTENT-FILTER-PARENTAL-CONTROL, each of which refers to its corresponding content-filter profile.
Example: When a web page is accessed, the data packets pass through the firewall and are processed by the rule CONTENT-FILTER. The action object CONTENT-FILTER-BASIC checks the data packets using the content-filter profile CONTENT-FILTER-BASIC.
10.2 Timeframe
Time frames are used with the Content Filter to define the times when the content-filter profiles apply. One profile may contain several lines with different timeframes. Different lines in a timeframe should complement one another, i.e. if you specify WORKTIME you should probably also specify a timeframe called FREETIME to cover the time outside of working hours. Time frames can also be used to prevent a WLAN SSID from being broadcast permanently. This can be added to the logical WLAN settings. The timeframes ALWAYS and NEVER are predefined. You can configure other timeframes under:
LANconfig: Date & time > General > Time frame
Command line: Setup > Time > Timeframe

Name
Enter the name of the time frame for referencing from the content-filter profile or by a WLAN SSID. Several entries with the same name result in a common profile. Possible values:
• Name of a timeframe

Start
Here you set the start time (time of day) when the selected profile becomes valid. Possible values:
• Format HH:MM (default: 00:00)

Stop
Here you set the stop time (time of day) when the selected profile ceases to be valid. Possible values:
• Format HH:MM (default: 23:59)

Note: A stop time of HH:MM usually runs until HH:MM:00. The stop time 00:00 is an exception, since this is interpreted as 23:59:59.

Weekdays
Here you select the weekday on which the timeframe is to be valid. Possible values:
• Monday, Tuesday, Wednesday, Thursday, Friday, Saturday, Sunday, Holiday

Note: The holidays are set under Date & Time > General > Public holidays.

You can form a time schedule with the same name but with different times extending over several lines.
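The following Python is an added example, not code from the guide or from LANCOM, that models how the timeframe rules in this section combine with the profile-entry rules from chapter 8: several lines with one name form one schedule, a stop time of HH:MM is inclusive of HH:MM:00, a stop of 00:00 means 23:59:59, overlapping entries block the union of their blacklists, and a moment no entry covers is passed unchecked. It also walks one week minute by minute to count uncovered minutes, the check you want before trusting a WORKTIME/FREETIME pair. Assumptions: the sample timeframes, blacklists and profile (CF-WORK, CF-BASIC, BL-WORK, BL-BASIC) are constructed here; the Holiday weekday is left out; 2025-05-05 is used only because it is a Monday.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

WEEKDAYS = ("Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday")
WORKDAYS: Set[str] = set(WEEKDAYS[:5])
END_OF_DAY = 23 * 3600 + 59 * 60 + 59   # how the guide reads a stop time of 00:00


@dataclass
class TimeframeLine:
    start: str          # "HH:MM", valid from HH:MM:00
    stop: str           # "HH:MM", valid up to and including HH:MM:00
    weekdays: Set[str]


@dataclass
class ProfileEntry:
    timeframe: str                  # ALWAYS, NEVER or a timeframe name
    category_profile: str
    blacklist: Optional[str] = None
    whitelist: Optional[str] = None


def _seconds(hhmm: str) -> int:
    hours, minutes = (int(part) for part in hhmm.split(":"))
    return hours * 3600 + minutes * 60


def line_active(line: TimeframeLine, when: datetime) -> bool:
    if WEEKDAYS[when.weekday()] not in line.weekdays:
        return False
    start = _seconds(line.start)
    stop = END_OF_DAY if line.stop == "00:00" else _seconds(line.stop)
    now = when.hour * 3600 + when.minute * 60 + when.second
    return start <= now <= stop


def timeframe_active(name: str, timeframes: Dict[str, List[TimeframeLine]], when: datetime) -> bool:
    """Lines sharing a name form one schedule: any active line makes it active."""
    if name == "ALWAYS":
        return True
    if name == "NEVER":
        return False
    return any(line_active(line, when) for line in timeframes.get(name, []))


def active_entries(profile: List[ProfileEntry], timeframes, when: datetime) -> List[ProfileEntry]:
    return [e for e in profile if timeframe_active(e.timeframe, timeframes, when)]


def blocked_urls(profile, timeframes, blacklists: Dict[str, str], when: datetime) -> Optional[Set[str]]:
    """Union of the blacklists of all active entries; None when no entry covers the moment."""
    active = active_entries(profile, timeframes, when)
    if not active:
        return None      # undefined period: web access passes the filter unchecked
    blocked: Set[str] = set()
    for entry in active:
        if entry.blacklist:
            blocked.update(blacklists[entry.blacklist].split())
    return blocked


def uncovered_minutes(profile, timeframes, monday: datetime = datetime(2025, 5, 5)) -> int:
    """Sample one week at every minute and count moments that no entry covers."""
    gaps = 0
    moment = monday
    for _ in range(7 * 24 * 60):
        if not active_entries(profile, timeframes, moment):
            gaps += 1
        moment += timedelta(minutes=1)
    return gaps


# Constructed sample configuration (not taken from the guide)
TIMEFRAMES = {
    "WORKTIME": [TimeframeLine("08:00", "17:00", WORKDAYS)],
    "FREETIME": [TimeframeLine("17:00", "00:00", WORKDAYS),
                 TimeframeLine("00:00", "08:00", WORKDAYS)],
}
BLACKLISTS = {
    "BL-WORK": "www.social.example* www.games.example*",
    "BL-BASIC": "www.games.example*",
}
PROFILE = [
    ProfileEntry("WORKTIME", "CF-WORK", blacklist="BL-WORK"),
    ProfileEntry("FREETIME", "CF-BASIC", blacklist="BL-BASIC"),
]

if __name__ == "__main__":
    for when in (datetime(2025, 5, 7, 10, 30), datetime(2025, 5, 7, 17, 0, 0),
                 datetime(2025, 5, 7, 23, 30), datetime(2025, 5, 10, 12, 0)):
        print(when, blocked_urls(PROFILE, TIMEFRAMES, BLACKLISTS, when))
    print("uncovered minutes per week:", uncovered_minutes(PROFILE, TIMEFRAMES))
```

With this sample the weekday schedule is closed, but Saturday and Sunday are covered by no entry at all, so the weekend passes unfiltered; the minute walk reports exactly those 2880 minutes.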
11 BPjM module
The BPjM module was set up by Germany's Federal Review Board for Media Harmful to Minors (BPjM) and blocks websites that should not be accessible to children and young people. This feature is particularly relevant for schools and educational institutions with underage students. DNS domains with content that is officially classified as harmful to minors cannot be accessed by the relevant target group. This list is guaranteed to be automatically updated and extended on a regular basis.

The BPjM module blocks DNS domains that are listed on the official website of the Federal Review Board for Media Harmful to Minors (BPjM) in Germany. Blocking by category and overrides (allow) are not available. The BPjM module is available as part of the LANCOM Content Filter option or separately via the LANCOM BPjM Filter software option.

The IPv4 and IPv6 firewalls implement this feature with a default firewall rule that can be activated and configured for each network. For example, it is possible to equip only the students' network with this filter, but exclude other networks from it. The IPv6 firewall features a new default rule BPJM, deactivated by default, with the system object "BPJM" as the destination station. A similar rule is available in the IPv4 firewall. The networks to be protected by the BPjM module are specified as source stations.

Further settings can be found in LANconfig under Miscellaneous Services > Services > BPjM filter.

Source address
Source address used by the BPjM module to access the server for BPjM signature updates.
11.1 Recommendations for use
If content filters and BPjM filters are to be used together, both rules must be configured with different priorities so that they are run through one after the other. Likewise, for the first rule, care must be taken to ensure that the item "Observe further rules, after this rule matches" is activated.

In rare cases, the BPjM module may block desired domains because only (DNS) domains and not URL directory levels can be checked due to TLS. In this case, these desired domains can be added to the "BPJM Allow list", e.g. *.example.com.

The LANCOM router must serve as DNS server or DNS forwarder in the network, i.e. clients in the local network must use the router as DNS server. In addition, the direct use of DNS-over-TLS and DNS-over-HTTPS (possibly browser-internal) with external DNS servers by clients must be prevented. This can be achieved as follows:
• The DHCP server must distribute the router's IP address as the DNS server (set up by default by the Internet Wizard).
• Set up firewall rules that prevent direct use of external DNS servers, e.g. by blocking outgoing port 53 (UDP, and TCP as well, since resolvers fall back to TCP for large responses) for clients from the corresponding source network.
• Set up firewall rules that prevent direct use of external DNS servers supporting DNS-over-TLS, e.g. by blocking outgoing port 853 (TCP) for clients from the corresponding source network.
• Disable DNS-over-HTTPS (DoH) in the browser.
Notes on synchronizing the firewall's DNS database:
Because the firewall learns its information from client DNS requests, in certain situations the DNS database may not yet be complete. This can happen in the following situations:
• A new firewall rule is added, but the client still has a DNS record cached.
• Shortly after the router reboots, while the client still has a DNS record cached.
In these cases, clearing the DNS cache on the client, rebooting the client, or waiting for the DNS record to time out on the client will help.

Note: If different DNS names resolve to the same IP address, then they cannot be distinguished. In this case, the first rule that references one of these DNS names always applies. This should not be a problem with large service providers. However, it could occur with small websites hosted by the same provider.
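The following Python is an added example, not code from the guide or from LANCOM, that models the two notes above: a firewall whose DNS-name rules only work on name-to-address mappings it has learned from answers passing through its forwarder, so a client answering from its own cache yields no match, and an address shared by two names is claimed by whichever rule comes first. The `shared_ip_conflicts` check lists addresses where that collision exists. Assumptions: rule names, the sample domains and the address 203.0.113.10 are constructed; how LCOS stores its database internally is not described on the page and is not claimed here.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class DnsRule:
    name: str
    dns_names: Set[str]   # destination stations given as DNS names
    action: str           # "BLOCK" or "ACCEPT"

    def __post_init__(self) -> None:
        self.dns_names = {n.lower() for n in self.dns_names}


@dataclass
class DnsFirewall:
    rules: List[DnsRule]                                          # in priority order
    learned: Dict[str, Set[str]] = field(default_factory=dict)    # ip -> names seen in answers

    def observe_dns_answer(self, name: str, ip: str) -> None:
        """Called for every answer the router's forwarder hands to a client."""
        self.learned.setdefault(ip, set()).add(name.lower())

    def match(self, dst_ip: str) -> Optional[DnsRule]:
        names = self.learned.get(dst_ip, set())
        if not names:
            return None   # nothing learned yet (client cache, fresh reboot): no rule can apply
        for rule in self.rules:
            if rule.dns_names & names:
                return rule   # first rule referencing any learned name for this IP wins
        return None

    def shared_ip_conflicts(self) -> List[Tuple[str, List[str]]]:
        """Addresses whose learned names are referenced by more than one rule."""
        conflicts = []
        for ip, names in self.learned.items():
            hit = [r.name for r in self.rules if r.dns_names & names]
            if len(hit) > 1:
                conflicts.append((ip, hit))
        return conflicts


def build_sample() -> DnsFirewall:
    # Constructed rules: block one site, allow a partner site, both on shared hosting.
    return DnsFirewall([
        DnsRule("DENY-BLOCKED", {"blocked.example"}, "BLOCK"),
        DnsRule("ALLOW-PARTNER", {"partner.example"}, "ACCEPT"),
    ])


def demo() -> List[Optional[str]]:
    """Replay the scenario and return the rule name chosen at each step."""
    fw = build_sample()
    shared_ip = "203.0.113.10"   # constructed: both names resolve here
    steps = [fw.match(shared_ip)]                 # client answered from its own cache
    fw.observe_dns_answer("partner.example", shared_ip)
    steps.append(fw.match(shared_ip))             # ALLOW-PARTNER
    fw.observe_dns_answer("blocked.example", shared_ip)
    steps.append(fw.match(shared_ip))             # DENY-BLOCKED now also hits partner traffic
    return [s.name if s else None for s in steps]


if __name__ == "__main__":
    print(demo())
```

The last step is the case the note calls out: once both names have been learned for the same address, traffic to partner.example is judged by the earlier DENY rule, and only reordering the rules or separating the hosts fixes it.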