manualshive.com logo in svg

ZyXEL Communications Broadband Security Gateway P-312, User Manual, Page: 158 / 254

Share
Download
ZyXEL Communications Broadband Security Gateway P-312 User Manual Download Page 158

 P312  Broadband Security Gateway

13-10

What Is a Firewall?

3.

 

Limit who can Telnet into your router.

4.

 

Don't enable any local service (such as SNMP or NTP) that you don't use. Any enabled service could
present a potential security risk. A determined, hostile party might be able to find creative ways to
misuse the enabled services to access the firewall or the network.

5.

 

For local services that are enabled, protect against misuse. Protect by configuring the services to
communicate only with specific peers, and protect by configuring rules to block packets for the services
at specific interfaces.

6.

 

Protect against IP spoofing by making sure the firewall is active.

7.

 

Keep the firewall in a secured (locked) room.

13.5.1 Security In General

You can never be too careful! Factors outside your firewall, filtering or NAT can cause security breaches.
Below are some generalizations about what you can do to minimize them.

1.

 

Encourage your company or organization to develop a comprehensive security plan. Good network
administration takes into account what hackers can do and prepares against attacks. The best defense
against hackers and crackers is information. Educate all employees about the importance of security and
how to minimize risk. Produce lists like this!

2.

 

DSL or cable modem connections are “always-on” connections and are particularly vulnerable because
they provide more opportunities for hackers to crack your system. Turn your computer off when not
being used.

3.

 

Never give out a password or any sensitive information to an unsolicited telephone call or e-mail.

4.

 

Never e-mail sensitive information such as passwords, credit card information, etc. to people without
encrypting the information first.

5.

 

Never submit sensitive information via a web page unless the web site uses secure connections. You can
identify a secure connection by looking for a small “key” icon on the bottom of your browser (Internet
Explorer 3.02 or better or Netscape 3.0 or better). If a web site uses a secure connection, it is safe to
submit information. Secure web transactions are quite difficult to crack.

6.

 

Never reveal your IP address or other system networking information to people outside your company.

7.

 

Be careful of files e-mailed to you from people you do not know. One common way of getting
BackOrifice on a system is to include it as a Trojan horse with other files.

8.

 

Change your passwords regularly. Also, use passwords that are not easy to figure out. The most difficult
passwords to crack are those with upper and lower case letters, numbers, and a symbol such as % or #.

9.

 

Upgrade your software regularly. Many older versions of software, especially web browsers, have well
known security deficiencies. When you upgrade to the latest versions, you get the latest patches and
fixes.

10.

 

If you use “chat rooms” or IRC sessions, be careful with any information you reveal to strangers.

11.

 

If your system starts exhibiting odd behavior, contact your ISP. Some hackers will set off hacks that
cause your system to slowly become unstable or unusable.

Summary of Contents for Broadband Security Gateway P-312

Page 1: ...Prestige 312 Broadband Security Gateway User s Guide Version 3 20 November 2000 ...

Page 2: ...or written permission of ZyXEL Communications Corporation Published by ZyXEL Communications Corporation All rights reserved Disclaimer ZyXEL does not assume any liability arising out of the application or use of any products or software described herein Neither does it convey any license under its patent rights nor the patent rights of others ZyXEL further reserves the right to make changes in any...

Page 3: ...nce with the instructions may cause harmful interference to radio communications If this equipment does cause harmful interference to radio television reception which can be determined by turning the equipment off and on the user is encouraged to try to correct the interference by one or more of the following measures Reorient or relocate the receiving antenna Increase the separation between the e...

Page 4: ...nce with the above conditions may not prevent degradation of service in some situations Repairs to certified equipment should be made by an authorized Canadian maintenance facility designated by the supplier Any repairs or alterations made by the user to this equipment or equipment malfunctions may give the telecommunications company cause to request the user to disconnect the equipment For their ...

Page 5: ...used by household appliances and similar electrical equipment Harmonics 1995 EN 61000 3 3 Disturbance in supply system caused by household appliances and similar electrical equipment Voltage fluctuations 1995 EN 61000 4 2 Electrostatic discharge immunity test Basic EMC Publication 1995 EN 61000 4 3 Radiated radio frequency electromagnetic field immunity test 1996 EN 61000 4 4 Electrical fast trans...

Page 6: ...P312 Broadband Security Gateway vi CE Doc ...

Page 7: ...ser This warranty is in lieu of all other warranties express or implied including any implied warranty of merchantability or fitness for a particular use or purpose ZyXEL shall in no event be held liable for indirect or consequential damages of any kind of character to the purchaser To obtain the services of this warranty contact ZyXEL s Service Center refer to the separate Warranty Card for your ...

Page 8: ...ce Based Industrial Park HsinChu Taiwan support zyxel com 1 714 632 0882 800 255 4101 www zyxel com North America sales zyxel com 1 714 632 0858 ftp zyxel com ZyXEL Communications Inc 1650 Miraloma Avenue Placentia CA 92870 U S A support zyxel dk 45 3955 0700 www zyxel dk Scandinavia sales zyxel dk 45 3955 0707 ftp zyxel dk ZyXEL Communications A S Columbusvej 5 2860 Soeborg Denmark support zyxel ...

Page 9: ... via Cable or xDSL Modem 1 3 Chapter 2 Hardware Installation Initial Setup 2 1 2 1 Front Panel LEDs and Back Panel Ports 2 1 2 1 1 Front Panel LEDs 2 1 2 2 Prestige 312 Rear Panel and Connections 2 2 2 3 Additional Installation Requirements 2 3 2 4 Housing 2 4 2 5 Power Up Your Prestige 2 4 2 6 Navigating the SMT Interface 2 5 2 6 1 Main Menu 2 6 2 6 2 System Management Terminal Interface Summary ...

Page 10: ...n 3 9 3 3 3 Configuring the PPTP Client 3 10 3 3 4 PPPoE Encapsulation 3 10 3 4 Basic Setup Complete 3 12 Advanced Applications II Chapter 4 Remote Node Setup 4 1 4 1 Remote Node Profile 4 1 4 1 1 Ethernet Encapsulation 4 1 4 1 2 PPPoE Encapsulation 4 3 4 1 3 PPTP Encapsulation 4 4 4 2 Editing TCP IP Options with Ethernet Encapsulation 4 6 4 2 1 Editing TCP IP Options with PPTP Encapsulation 4 7 4...

Page 11: ...rver 6 15 6 4 3 Example 3 General Case 6 15 6 4 4 Example 4 NAT Unfriendly Application Programs 6 19 Advanced Management III Chapter 7 Filter Configuration 7 1 7 1 About Filtering 7 1 7 1 1 The Filter Structure of the Prestige 7 2 7 2 Configuring a Filter Set 7 4 7 2 1 Filter Rules Summary Menu 7 6 7 2 2 Configuring a Filter Rule 7 7 7 2 3 TCP IP Filter Rule 7 7 7 2 4 Generic Filter Rule 7 12 7 3 ...

Page 12: ...iguration 10 3 10 4 Upload Firmware 10 3 10 4 1 Uploading the Router Firmware 10 3 10 4 2 Uploading Router Configuration File 10 4 10 5 TFTP File Transfer 10 5 10 5 1 Example TFTP Command 10 6 10 6 FTP File Transfer 10 7 10 6 1 Using the FTP command from the DOS Prompt 10 8 Chapter 11 System Maintenance Information 11 1 11 1 Command Interpreter Mode 11 1 11 2 Call Control Support 11 2 11 2 1 Budge...

Page 13: ...of DoS attacks 13 4 13 4 Stateful Inspection 13 6 13 4 1 Stateful Inspection Process 13 7 13 4 2 Stateful Inspection the Prestige 13 8 13 4 3 TCP Security 13 8 13 4 4 UDP ICMP Security 13 9 13 4 5 Upper Layer Protocols 13 9 13 5 Guidelines For Enhancing Security With Your Firewall 13 9 13 5 1 Security In General 13 10 Chapter 14 Introducing the Prestige Firewall 14 1 14 1 SMT Menus 14 1 14 1 1 Vie...

Page 14: ...N to WAN Rules 16 3 16 3 2 WAN to LAN Rules 16 3 16 4 Services Supported 16 4 16 5 Rule Summary 16 6 16 5 1 Creating Editing Firewall Rules 16 8 16 5 2 Source Destination Addresses 16 10 16 6 Timeout 16 12 16 6 1 Factors Influencing Choices for Timeout Values 16 12 Chapter 17 Custom Ports 17 1 17 1 Introduction 17 1 17 2 Creating Editing A Custom Port 17 2 Chapter 18 Logs 18 1 18 1 Log Screen 18 1...

Page 15: ...ry and Index V Chapter 21 Troubleshooting 21 1 21 1 Problems Starting Up the Prestige 21 1 21 2 Problems with the LAN Interface 21 2 21 3 Problems with the WAN interface 21 2 21 4 Problems with Internet Access 21 3 21 5 Problems with the Firewall 21 3 Appendix A PPPoE E Appendix B PPTP G Appendix C Hardware Specifications I Appendix D Important Safety Instructions J Appendix E Firewall CLI Command...

Page 16: ...gure 2 10 Menu 3 LAN Setup 2 12 Figure 2 11 Menu 3 1 LAN Port Filter Setup 2 12 Figure 3 1 Physical Network 3 4 Figure 3 2 Partitioned Logical Networks 3 4 Figure 3 3 Menu 3 LAN Setup 10 100 Mbps Ethernet 3 5 Figure 3 4 Menu 3 2 TCP IP and DHCP Ethernet Setup 3 5 Figure 3 5 Menu 3 2 1 IP Alias Setup 3 7 Figure 3 6 Menu 4 Internet Access Setup Ethernet 3 8 Figure 3 7 Internet Access Setup PPTP 3 10...

Page 17: ... to the Remote Node 6 5 Figure 6 5 Menu 15 NAT Setup 6 6 Figure 6 6 Menu 15 1 Address Mapping Sets 6 7 Figure 6 7 SUA Address Mapping Rules 6 7 Figure 6 8 First Set in Menu 15 1 1 6 9 Figure 6 9 Editing an Individual Rule in a Set 6 10 Figure 6 10 Multiple Servers Behind NAT 6 12 Figure 6 11 Menu 15 2 NAT Server Setup 6 13 Figure 6 12 NAT Example 1 6 14 Figure 6 13 Internet Access NAT Example 6 14...

Page 18: ...1 4 1 1 Generic Filter Rule 7 12 Figure 7 12 Telnet Filter Example 7 14 Figure 7 13 Example Filter Menu 21 1 1 1 7 15 Figure 7 14 Example Filter Rules Summary Menu 21 1 3 7 16 Figure 7 15 Protocol and Device Filter Sets 7 17 Figure 7 16 Filtering LAN Traffic 7 18 Figure 7 17 Filtering Remote Node Traffic 7 18 Figure 8 1 Menu 22 SNMP Configuration 8 1 Figure 9 1 Menu 24 System Maintenance 9 1 Figur...

Page 19: ...net into Menu 24 7 1 10 7 Figure 10 7 Telnet into Menu 24 7 2 System Maintenance 10 8 Figure 10 8 FTP Session Example 10 9 Figure 11 1 Command Mode in Menu 24 11 1 Figure 11 2 Valid Commands 11 1 Figure 11 3 Call Control 11 2 Figure 11 4 Budget Management 11 2 Figure 11 5 Call History 11 3 Figure 11 6 System Maintenance Time and Date Setting 11 5 Figure 11 7 Menu 24 11 Remote Management Control 11...

Page 20: ... Traffic 16 4 Figure 16 3 Firewall Rules Summary First Screen 16 6 Figure 16 4 Creating Editing A Firewall Rule 16 9 Figure 16 5 Adding Editing Source Destination Addresses 16 11 Figure 16 6 Timeout Screen 16 13 Figure 17 1 Custom Ports 17 1 Figure 17 2 Creating Editing A Custom Port 17 3 Figure 18 1 Log Screen 18 1 Figure 19 1 Activate The Firewall 19 2 Figure 19 2 Example 1 E Mail Screen 19 3 Fi...

Page 21: ...2 Local Network Rule Summary 19 10 Figure 19 10 Example 2 Internet to Local Network Rule Summary 19 11 Figure 19 11 Custom Port for Syslog 19 12 Figure 19 12 Syslog Rule Configuration 19 13 Figure 19 13 Example 3 Rule Summary 19 14 Figure 20 1 Content Filtering Screen 20 3 ...

Page 22: ......

Page 23: ...n 3 10 Table 3 6 New Fields in Menu 4 PPPoE screen 3 12 Table 4 1 Fields in Menu 11 1 4 2 Table 4 2 Fields in Menu 11 1 PPPoE Encapsulation Specific 4 4 Table 4 3 Fields in Menu 11 1 PPTP Encapsulation 4 5 Table 4 4 Remote Node Network Layer Options Menu Fields 4 6 Table 4 5 Remote Node Network Layer Options Menu Fields 4 8 Table 5 1 IP Static Route Menu Fields 5 3 Table 6 1 NAT Definitions 6 1 Ta...

Page 24: ...2 Third Party TFTP Clients General fields 10 6 Table 10 3 Third Party FTP Clients General fields 10 9 Table 11 1 Budget Management 11 3 Table 11 2 Call History Fields 11 4 Table 11 3 Time and Date Setting Fields 11 5 Table 11 4 Menu 24 11 Remote Management Control 11 7 Table 13 1 Common IP Ports 13 4 Table 14 1 ICMP Commands That Trigger Alerts 14 3 Table 14 2 Legal NetBIOS Commands 14 3 Table 14 ...

Page 25: ...17 2 Creating Editing A Custom Port 17 4 Table 18 1 Log Screen 18 2 Table 20 1 Content Filtering Fields 20 3 Table 21 1 Troubleshooting the Start Up of your Prestige 21 1 Table 21 2 Troubleshooting the LAN Interface 21 2 Table 21 3 Troubleshooting the WAN interface 21 2 Table 21 4 Troubleshooting Internet Access 21 3 ...

Page 26: ......

Page 27: ...face that you can access from a terminal emulator through the console port or over a telnet connection Note You can configure most features of the P312 via SMT but we recommend you configure the firewall using the Prestige Web Configurator About This User s Manual This manual is designed to guide you through the SMT configuration of your Prestige 312 for its various applications Structure of this ...

Page 28: ...ault settings handy checklists information on setting up your PC and information on configuring your Prestige for Internet access Packing List Card Finally you should have a Packing List Card which lists all items that should have come with your Prestige ZyXEL Web and FTP Server Sites You can access release notes for firmware upgrades and other information at ZyXEL web and FTP server sites Refer t...

Page 29: ...Getting Started I Part I Getting Started Chapters 1 3 are structured as a step by step guide to help you connect install and setup your Prestige to operate on your network and access the Internet ...

Page 30: ......

Page 31: ...tivated all incoming traffic from the WAN to the LAN is blocked The Prestige firewall supports TCP UDP inspection DoS Denial of Services detection and prevention real time alerts reports and logs Note You can configure most features of the P312 via SMT but we recommend you configure the firewall and Content Filters using the Prestige Web Configurator Content Filtering The Prestige can block web fe...

Page 32: ...Prestige supports SNMP agent functionality which allows a manager station to manage and monitor the Prestige through the network The Prestige supports SNMP version one SNMPv1 Auto negotiating 10 100Mbps Ethernet The LAN interface automatically detects if it s on a 10 or a 100 Mbps Ethernet Network Address Translation NAT NAT Network Address Translation NAT RFC 1631 allows the translation of an Int...

Page 33: ... Prestige Firmware via LAN The firmware of the Prestige 312 can be upgraded via the LAN Embedded FTP and TFTP Servers The Prestige s embedded FTP and TFTP Servers enable fast firmware upgrade as well as configuration file backup and restoration 1 3 Applications for Prestige 312 1 3 1 Broadband Internet Access via Cable or xDSL Modem A cable modem or xDSL modem can connect to the Prestige 312 for b...

Page 34: ...adband Security Gateway 1 4 Getting to Know Your Prestige Figure 1 2 Secure Internet Access via DSL You can also use your xDSL modem in the bridge mode for always on Internet access and high speed data transfer ...

Page 35: ...ront Panel The following table describes the LED functions Table 2 1 LED functions LEDs Function Indicator Status Active Description PWR Power Green On The power adapter is connected to the Prestige Off The system is not ready or failed On The system is ready and running SYS System Flashing The system is rebooting Green Off The 10M LAN is not connected On The Prestige is connected to a 10M LAN 10M...

Page 36: ...een Flashing The 10M WAN link is sending receiving packets 2 2 Prestige 312 Rear Panel and Connections The following figure shows the rear panel of your Prestige 312 and the connection diagram Figure 2 2 Prestige 312 Rear Panel and Connections This section outlines how to connect your Prestige 312 to the LAN and the WAN In the case of connecting a Cable Modem you must connect the coaxial cable fro...

Page 37: ...em Connect the WAN port silver on the Prestige to the Ethernet port on the xDSL modem using the cable that came with your xDSL modem Step 3 Connecting the Prestige to the LAN If you have more than one PC you must use an external hub Connect the 10 100M LAN port gold on the Prestige to a port on the hub using a straight through Ethernet cable If you only have one PC you can connect the Prestige to ...

Page 38: ...e The WAN LED and one of the LAN LEDs come on immediately after the SYS LED comes on if connections have been made to the LAN and WAN ports Initial Screen When you power on your Prestige it performs several internal tests as well as line initialization After the tests the Prestige asks you to press Enter to continue as shown Figure 2 3 Initial Screen Entering Password The login screen appears afte...

Page 39: ... ENTER to go to a hidden menu Move the cursor ENTER or Up Down arrow keys Within a menu press ENTER to move to the next field You can also use the Up Down arrow keys to move to the previous and the next field respectively Enter information Fill in or Press the SPACE BAR to toggle You need to fill in two types of fields The first requires you to type in the appropriate information The second allows...

Page 40: ...set up static route 15 NAT Setup Use this menu to configure NAT 21 Filter and Firewall Setup Use this menu to set up filters as well as activate deactivate the firewall 22 SNMP Configuration Use this menu to set up SNMP related parameters 23 System Password Use this menu to setup a new password 24 System Maintenance This menu provides system status diagnostics firmware upload etc 26 Schedule Setup...

Page 41: ...me reason cannot access the SMT menu you will need to reinstall the configuration file Uploading the configuration file replaces the current configuration file with the default configuration file you will lose all configurations that you had before and the speed of the console port will be reset to the default of 9600bps with 8 data bit no parity and 1 stop bit 8n1 The password will be reset to th...

Page 42: ...ead of using your IP address that changes each time you reconnect Your friends or relatives will always be able to call you even if they don t know your IP address First of all you need to have registered a dynamic DNS account with www dyndns org This is for people with a dynamic IP from their ISP or DHCP server that would still like to have a DNS name To use this service you must register with th...

Page 43: ...your router If you want to clear this field just press the SPACE BAR The domain name entered by you is given priority over the ISP assigned domain name zyxel com tw Edit Dynamic DNS Press the SPACE BAR to select Yes or No default Select Yes to configure Menu 1 1 Configure Dynamic DNS discussed next 2 8 2 Configuring Dynamic DNS To configure Dynamic DNS go to Menu 1 General Setup and press select Y...

Page 44: ... to you Enable Wildcard Your Prestige supports DYNDNS Wildcard Press SPACE BAR to toggle between Yes or No This field is N A when you choose DDNS client as your service provider Yes The IP address will be updated when you reconfigure Menu 1 or perform DHCP client renewal Please note that The Prestige supports basic DDNS i e insecure login and password If you have a private WAN IP address then you ...

Page 45: ...amples MAC Address Assigned By Press the SPACEBAR to choose either of the two methods of assigning a MAC Address Choose Factory Default to select the factory assigned default MAC Address Choose IP Address attached on LAN to use the MAC Address of that workstation whose IP you give in the following field Factory Default IP Address This field is applicable only if you choose IP Address attached on L...

Page 46: ...er the filter sets may be useful to block certain packets reduce traffic and prevent security breaches Figure 2 11 Menu 3 1 LAN Port Filter Setup Menu 3 2 is discussed in the next chapter Please read on Menu 3 LAN Setup 1 LAN Port Filter Setup 2 TCP IP and DHCP Setup Enter Menu Selection Number Menu 3 1 LAN Port Filter Setup Input Filter Sets protocol filters 2 device filters Output Filter Sets pr...

Page 47: ...also Where you obtain your network number depends on your particular situation If the ISP or your network administrator assigns you a block of registered IP addresses follow their instructions in selecting the IP addresses and the subnet mask If the ISP did not explicitly give you an IP network number then most likely you have a single user account and the ISP will assign you a dynamic IP address ...

Page 48: ...ys follow the guidelines above For more information on address assignment please refer to RFC 1597 Address Allocation for Private Internets and RFC 1466 Guidelines for Management of IP Address Space 3 1 4 RIP Setup RIP Routing Information Protocol RFC1058 and RFC 1389 allows a router to exchange routing information with other routers The RIP Direction field controls the sending and receiving of RI...

Page 49: ...r an ISP to tell a customer the DNS server addresses usually in the form of an information sheet when you sign up If your ISP does give you the DNS server addresses enter them in the DNS Server fields in DHCP Setup The second is to leave this field blank i e 0 0 0 0 in this case the Prestige acts as a DNS proxy Example of network properties for LAN servers with fixed IP Choose an IP 192 168 1 2 19...

Page 50: ... IP Multicasting can be enabled disabled on the Prestige LAN and or WAN interfaces using menus 3 2 LAN and 11 3 WAN Select None to disable IP Multicasting on these interfaces 3 1 7 IP Alias IP Alias allows you to partition a physical network into different logical networks over the same Ethernet interface The Prestige supports three logical LAN interfaces via its single physical Ethernet interface...

Page 51: ...nter Menu Selection Number Menu 3 2 TCP IP and DHCP Ethernet Setup DHCP Setup DHCP Server Client IP Pool Starting Address 192 168 1 33 Size of Client IP Pool 32 Primary DNS Server 0 0 0 0 Secondary DNS Server 0 0 0 0 TCP IP Setup IP Address 192 68 1 1 IP Subnet Mask 255 255 255 0 RIP Direction Both Version RIP 1 Multicast None Edit IP Alias No Press ENTER to Confirm or ESC to Cancel Press Space Ba...

Page 52: ...ients along with the IP address and the subnet mask Leave these entries at 0 0 0 0 if they are provided by a WAN DHCP server Follow the instructions in the following table to configure TCP IP parameters for the LAN port Table 3 2 LAN TCP IP Setup Menu Fields Field Description Example TCP IP Setup IP Address Enter the IP address of your Prestige in dotted decimal notation 192 168 1 1 default IP Sub...

Page 53: ...lias Setup as shown next Figure 3 5 Menu 3 2 1 IP Alias Setup Follow the instructions in the following table to configure IP Alias parameters Table 3 3 IP Alias Setup Menu Fields Field Description Example IP Alias Choose Yes to configure the LAN network for the Prestige Yes IP Address Enter the IP address of your Prestige in dotted decimal notation 192 168 2 1 IP Subnet Mask Your Prestige will aut...

Page 54: ...our configuration or press Esc at any time to cancel 3 3 Internet Access Setup You will see three different Menu 4 screens depending on whether you chose Ethernet PPTP or PPPoE Encapsulation 3 3 1 Ethernet Encapsulation You must choose the Ethernet option when the WAN port is used as a regular Ethernet The PPPoE choice is for a dial up connection using PPPoE If you choose Ethernet in Menu 4 you wi...

Page 55: ...ind the RoadRunner Server IP if this field is left blank If it does not then you must enter the authentication server IP address IP Address Assignment If your ISP did not assign you a fixed IP address select Dynamic otherwise select Static and enter the IP address subnet mask in the following fields IP Address Enter the fixed IP address assigned to you by your ISP Static IP Address Assignment is s...

Page 56: ...en Field Description Examples Encapsulation Press the SPACE BAR and then press ENTER to choose PPTP The encapsulation method influences your choices for IP Address PPTP Idle Timeout This value specifies the time in seconds that elapses before the Prestige automatically disconnects from the PPTP server 100 default 3 3 4 PPPoE Encapsulation The Prestige supports PPPoE Point to Point Protocol over Et...

Page 57: ...ly PPPoE saves significant effort for both the end user and ISP carrier as it requires no specific configuration of the broadband modem at the customer site By implementing PPPoE directly on the Prestige rather than individual PC s the machines on the LAN do not need PPPoE software installed since the Prestige does that part of the task Further with NAT all of the LAN s machines will have access I...

Page 58: ...e automatically disconnects from the PPPoE server 100 default 3 4 Basic Setup Complete Well Done You have successfully connected installed and set up your Prestige to operate on your network as well as access the Internet Please note that when the firewall is activated the default policy allows all communications to the Internet that originate from the LAN and blocks all traffic to the LAN that or...

Page 59: ...Advanced Applications II Part II Advanced Applications Advanced Applications Chapters 4 6 describe the advanced applications of your Prestige such as Remote Node Setup IP Static routes and NAT ...

Page 60: ...Remote Node Profile From the Main Menu select menu option 11 to open Menu 11 1 Remote Node Profile There are two variations of this menu depending on whether you choose Ethernet Encapsulation or PPPoE Encapsulation 4 1 1 Ethernet Encapsulation You must choose the Ethernet option when the WAN port is used as a regular Ethernet The first Menu 11 1 screen you see is for Ethernet Encapsulation shown n...

Page 61: ...Login This field is applicable for PPPoE encapsulation only Enter the login name assigned by your ISP when the Prestige calls this remote node Some ISPs append this field to the Service Name field above e g jim poellc to access the PPPoE server jim Outgoing My Password Enter the password assigned by your ISP when the Prestige calls this remote node Valid for PPPoE encapsulation only Server IP This...

Page 62: ...hat you specify the correct authentication protocol when connecting to such an implementation Nailed Up Connection A nailed up connection is a dial up line where the connection is always up regardless of traffic demand The Prestige does two things when you specify a nailed up connection The first is that idle timeout is disabled The second is that the Prestige will try to bring up the connection w...

Page 63: ...be reset For example if we are allowed to call this remote node for a maximum of 10 minutes every hour then the Allocated Budget is 10 minutes and the Period hr is 1 hour 1 Nailed Up Connection This field specifies if you want to make the connection to this remote node a nailed up connection For more details please refer to the next section Idle Timeout This value specifies the idle time i e the l...

Page 64: ...nection name in the ANT It must follow the c id and n name format This field is optional and depends on the requirements of your xDSL Modem N My ISP Schedules You can apply up to four schedule sets here For more details please refer to the Call Schedule Setup chapter Nailed Up Connection This field specifies if you want to make the connection to this remote node a nailed up connection Menu 11 1 Re...

Page 65: ...P IP Subnet Mask If you have a Static IP Assignment enter the subnet mask assigned to you Gateway IP Addr If you have a Static IP Assignment enter the gateway IP address assigned to you Network Address Translation Use the SPACE BAR to toggle between Full Feature None SUA Only See the NAT chapter for a full discussion on this feature SUA Only Metric This field is valid only for PPTP PPPoE encapsula...

Page 66: ...is setting None Version Press the SPACE BAR to select the RIP version from RIP 1 RIP 2B RIP 2M and None Multicast IGMP Internet Group Multicast Protocol is a session layer protocol used to establish membership in a Multicast group The Prestige supports both IGMP version 1 IGMP v1 and IGMP v2 Press the space bar to enable IP Multicasting or select None to disable it See the previous Part for more i...

Page 67: ...AN and each end must have a unique address within the WAN network number If this is the case enter the IP address assigned to the WAN port of your Prestige Note that this is the address assigned to your local Prestige not the remote router Network Address Translation Use the SPACE BAR to toggle between Full Feature None SUA Only See the NAT chapter for a full discussion on this feature SUA Only Me...

Page 68: ... Options Menu press Enter to return to Menu 11 Press Enter at the message Press ENTER to Confirm to save your configuration or press Esc at any time to cancel 4 2 2 Editing TCP IP Options with PPPoE Encapsulation Make sure that Encapsulation is set to PPPoE in Menu 11 1 Then move the cursor to the Edit IP field in Menu 11 1 press the SPACE BAR to toggle No to Yes Press Enter to open Menu 11 3 Netw...

Page 69: ...te Node Filter Input Filter Sets protocol filters 3 device filters Output Filter Sets protocol filters 1 device filters Enter here to CONFIRM or ESC to CANCEL Menu 11 5 Remote Node Filter Input Filter Sets protocol filters 3 device filters Output Filter Sets protocol filters 1 device filters Call Filter Sets protocol filters 1 device filters Enter here to CONFIRM or ESC to CANCEL ...

Page 70: ...ode specifies only the network to which the gateway is directly connected and the Prestige has no knowledge of the networks beyond For instance the Prestige knows about network N2 in the following diagram through remote node Router 1 However the Prestige is unable to route a packet to network N3 because it doesn t know that there is a route through the same remote node Router 1 via gateway Router ...

Page 71: ...mber of one of the static routes you want to configure Figure 5 3 Menu 12 1 Edit IP Static Route The following table describes the IP Static Route Menu fields Menu 12 IP Static Route Setup 1 ________ 2 ________ 3 ________ 4 ________ 5 ________ 6 ________ 7 ________ 8 ________ Enter selection number Menu 12 1 Edit IP Static Route Route 1 Route Name Active No Destination IP Address IP Subnet Mask Ga...

Page 72: ...ediate neighbor of your Prestige that will forward the packet to the destination On the LAN the gateway must be a router on the same segment as your Prestige over the WAN the gateway must be the IP address of one of the Remote Nodes Metric Metric represents the cost of transmission for routing purposes IP routing uses hop count as the measurement of cost with a minimum of 1 for directly connected ...

Page 73: ......

Page 74: ...in a packet when the packet is still in the local network while an inside global address IGA is the IP address of the same inside host when the packet is on the WAN side The following table summarizes this information Table 6 1 NAT Definitions Term Definition Inside This refers to the host on the LAN Outside This refers to the host on the WAN Local This refers to the packet address source or desti...

Page 75: ...AN and the IGA Inside Global Address is the source address on the WAN For incoming packets the ILA is the destination address on the LAN and the IGA is the destination address on the WAN NAT maps private local IP addresses to globally unique ones required for communication with hosts on other networks It replaces the original IP source address and TCP or UDP source port numbers for Many to One and...

Page 76: ...ide world Port numbers do not change for One to One and Many to Many No Overload NAT mapping types The following table summarizes these types Table 6 2 NAT Mapping Types Type IP Mapping SMT abbreviation One to One ILA1 IGA1 1 1 Many to One SUA PAT ILA1 IGA1 ILA2 IGA1 M 1 Many to Many Overload ILA1 IGA1 ILA2 IGA2 ILA3 IGA1 ILA4 IGA2 M M Ov Many to Many No Overload ILA1 IGA1 ILA2 IGA2 ILA3 IGA3 M M ...

Page 77: ...ful to people already familiar with SUA in previous ZyNOS versions 6 1 6 NAT Application The following figure illustrates a possible NAT application where three inside LANs logical LANs using IP Alias behind the Prestige can talk to three distinct Internet destinations More examples follow at the end of this chapter Figure 6 2 NAT Application 6 2 SMT Menus 6 2 1 Applying NAT in the SMT Menus You a...

Page 78: ...wing table describes the options for Network Address Translation Menu 4 Internet Access Setup ISP s Name ChangeMe Encapsulation Ethernet Service Type Standard My Login N A My Password N A Login Server IP N A IP Address Assignment Dynamic IP Address N A IP Subnet Mask N A Gateway IP Address N A Network Address Translation SUA Only Press ENTER to Confirm or ESC to Cancel Menu 11 3 Remote Node Networ...

Page 79: ...Setup 6 2 3 Address Mapping Sets and NAT Server Sets Use the Address Mapping Sets menus and submenus to create the mapping table used to assign global addresses to machines on the LAN Each remote node must specify which NAT Address Mapping Set to use The Prestige has one remote node and so allows you to configure only 1 NAT Address Mapping Set You can see two NAT Address Mapping sets in Menu 15 1 ...

Page 80: ... in this screen Please note that the fields in this menu are read only The Type Local and Global Start End IPs are normally not for this read only menu configured in Menu 15 1 1 1 described later and the values are displayed here Menu 15 1 Address Mapping Sets 1 NAT_SET 255 SUA read only Enter Menu Selection Number Menu 15 1 255 Address Mapping Rules Set Name SUA Idx Local Start IP Local End IP Gl...

Page 81: ...enter 0 0 0 0 as the Global Start IP 0 0 0 0 Global End IP This is the ending global IP address IGA N A Type These are the mapping types discussed above see Table 6 2 Type Server allows us to specify multiple servers of different types behind NAT to this machine See section 6 4 3 below for some examples Server Note For all Local and Global IPs the End IP address must begin after the IP Start addre...

Page 82: ... 4 rules 5 to 7 will be pushed up by 1 rule so as old rule 5 becomes rule 4 old rule 6 becomes rule 5 and old rule 7 becomes rule 6 The description of the other fields is as described above The Type Local and Global Start End IPs are configured in Menu 15 1 1 1 described later and the values are displayed here Table 6 5 Menu 15 1 1 Field Description Option Set Name Enter a name for this set of rul...

Page 83: ...ning from rule 1 Selecting Edit in the Action field and then selecting a rule brings up the following menu Menu 15 1 1 1 Address Mapping Rule in which you can edit an individual rule and configure the Type Local and Global Start End IPs displayed in Menu 15 1 1 Figure 6 9 Editing an Individual Rule in a Set The following table describes the fields in this screen Table 6 6 Menu 15 1 1 1 configuring...

Page 84: ...ddress beginning before the Start IP address 6 3 NAT Server Sets A NAT server set is a list of inside servers behind NAT on the LAN that you can make visible to the outside world Menu 15 2 NAT Server Sets is used to configure these servers If you re using Ethernet Encapsulation with either RR Manager or RR Toshiba Service Type port 12 set to 1025 non editable as displayed in Figure 6 11 6 3 1 Mult...

Page 85: ...ddress of the server in the IP Address field Step 4 Press ENTER at the Press ENTER to confirm prompt to save your configuration after you define all the servers or press ESC at any time to cancel Note If you re using Ethernet Encapsulation with either RR Manager or RR Toshiba Service Type then the SMT does not allow you to change the port 1025 entry The most often used port numbers are shown in th...

Page 86: ...o Point Tunneling Protocol 1723 6 4 Examples 6 4 1 Internet Access Only In our Internet access example we only need one rule where all our ILAs Inside Local addresses map to one dynamic IGA Inside Global Address assigned by our ISP Menu 15 2 NAT Server Setup Port IP Address 1 Default 0 0 0 0 2 21 192 168 1 33 3 23 192 168 1 34 4 25 192 168 1 35 5 80 192 168 1 36 6 0 0 0 0 0 7 0 0 0 0 0 8 0 0 0 0 0...

Page 87: ...on 6 1 4 The SUA Only read only option from the Network Address Translation field in Menus 4 and 11 3 is specifically pre configured to handle this case Menu 4 Internet Access Setup ISP s Name ChangeMe Encapsulation Ethernet Service Type Standard My Login N A My Password N A Login Server IP N A IP Address Assignment Dynamic IP Address N A IP Subnet Mask N A Gateway IP Address N A Network Address T...

Page 88: ...e 6 15 Specifying an Inside Sever 6 4 3 Example 3 General Case In this example we have 3 IGAs from our ISP We have many departments but two have their own FTP server All departments share the same router We want to reserve 1 IGA for each department with an FTP Menu 15 2 NAT Server Setup Port IP Address 1 Default 192 168 1 10 2 0 0 0 0 0 3 0 0 0 0 0 4 0 0 0 0 0 5 0 0 0 0 0 6 0 0 0 0 0 7 0 0 0 0 0 8...

Page 89: ...nd global IP addresses Rule 3 We map our other outgoing LAN traffic to IGA3 Many 1 mapping Rule 4 We also map our third IGA to our web server and mail server on the LAN Type Server allows us to specify multiple servers of different types to other machines behind NAT on the LAN Our situation looks somewhat like this Figure 6 16 NAT Example 3 Step 1 In this case we need to configure Address Mapping ...

Page 90: ...k like as shown in Figure 6 19 Figure 6 17 Example 3 Menu 11 3 The following figure shows how to configure the first rule Figure 6 18 Example 3 Menu 15 1 1 1 Menu 11 3 Remote Node Network Layer Options IP Address Assignment Dynamic IP Address N A IP Subnet Mask N A Gateway IP Addr N A Network Address Translation Full Feature Metric N A Private N A RIP Direction None Version N A Menu 15 1 1 1 Addre...

Page 91: ... Menu 15 1 1 Address Mapping Rules Set Name Example3 Idx Local Start IP Local End IP Global Start IP Global End IP Type 1 192 168 1 10 10 132 50 1 1 1 2 192 168 1 11 10 132 50 2 1 1 3 0 0 0 0 255 255 255 255 10 132 50 3 M 1 4 10 132 50 3 Server 5 6 7 8 9 10 Action Edit Select Rule Press ENTER to Confirm or ESC to Cancel Menu 15 2 NAT Server Setup Port IP Address 1 Default 0 0 0 0 2 80 192 168 1 21...

Page 92: ... do not change for Many to Many No Overload and One to One NAT mapping types The following figure illustrates this Figure 6 21 NAT Example 4 Other applications e g gaming programs are NAT unfriendly because they embed addressing information in the data stream These applications still won t work through NAT even when using One to One and Many to Many No Overload mapping types Follow the steps outli...

Page 93: ...dress Mapping Rule Type Many to Many No Overload Local IP Start 192 168 1 10 End 192 168 1 12 Global IP Start 10 132 50 1 End 10 132 50 3 Press ENTER to Confirm or ESC to Cancel Menu 15 1 1 Address Mapping Rules Set Name Example4 Idx Local Start IP Local End IP Global Start IP Global End IP Type 1 192 168 1 10 192 168 1 12 10 132 50 1 10 132 50 3 M M No Ov 2 3 4 5 6 7 8 9 10 Action Edit Select Rul...

Page 94: ...Advanced Management III Part III Advanced Management Chapters 7 12 provide information on Prestige filtering System Information and Diagnosis Transferring Files and Telnet ...

Page 95: ......

Page 96: ...ll filtering is used to determine if a packet should be allowed to trigger a call Remote node call filtering is only applicable when using PPPoE encapsulation Outgoing packets must undergo data filtering before they encounter call filtering as shown in the following figure Figure 7 1 Outgoing Packet Filtering Process For incoming packets your Prestige applies data filters only Packets are processe...

Page 97: ...ules and protocol filter rules within the same set You can apply up to four filter sets to a particular port to block multiple types of packets With each filter set having up to six rules you can have a maximum of 24 rules active for a single port Three sets of factory default filter rules have been configured in Menu 21 to prevent NetBIOS traffic from triggering calls and to prevent incoming teln...

Page 98: ...ch Next Filter Set Next Filter Set Available Accept Packet Drop Packet Yes No Yes No Yes Packet into filter Filter Set Forward Drop No Check Next Rule Figure 7 2 Filter Rule Process You can apply up to four filter sets to a particular port to block multiple types of packets With each filter set having up to six rules you can have a maximum of 24 rules active for a single port ...

Page 99: ...ress Enter Step 4 Enter a descriptive name or comment in the Edit Comments field and press Enter Step 5 Press Enter at the message Press ENTER to confirm to open Menu 21 1 1 Filter Rules Summary Menu 21 1 Filter Set Configuration Filter Filter Set Comments Set Comments 1 NetBIOS_WAN 7 _______________ 2 NetBIOS_LAN 8 _______________ 3 TEL_FTP_WEB_WAN 9 _______________ 4 10 _______________ 5 _______...

Page 100: ... 0 0 DP 137 N D N 5 Y IP Pr 17 SA 0 0 0 0 DA 0 0 0 0 DP 138 N D N 6 Y IP Pr 17 SA 0 0 0 0 DA 0 0 0 0 DP 139 N D F Enter Filter Rule Number 1 6 to Configure Press ENTER to Confirm or ESC to Cancel Menu 21 1 2 Filter Rules Summary A Type Filter Rules M m n 1 Y IP Pr 17 SA 0 0 0 0 DA 0 0 0 0 DP 53 N D F 2 Y 3 Y 4 Y 5 Y 6 Y Enter Filter Rule Number 1 6 to Configure Menu 21 3 Filter Rules Summary A Typ...

Page 101: ... matched if ALL rules in it are matched Y means an action can not yet be taken as there are more rules to check which are concatenated with the present rule to form a rule chain When the rule chain is complete an action can be taken N means you can now specify an action to be taken i e forward the packet drop the packet or check the next rule For the latter the next rule is independent of the rule...

Page 102: ...figure a filter rule type its number in Menu 21 1 Filter Rules Summary and press Enter to open Menu 21 1 1 for the rule To speed up filtering all rules in a filter set must be of the same class i e protocol filters or generic filters The class of a filter set is determined by the first rule that you create When applying the filter sets to a port separate menu fields are provided for protocol and d...

Page 103: ...e source route Yes No Destination IP Address Enter the destination IP Address of the packet you wish to filter This field is a don t care if it is 0 0 0 0 IP address Destination IP Mask Enter the IP mask to apply to the Destination IP Addr IP mask Destination Port Enter the destination port of the packets that you wish to filter The range of this field is 0 to 65535 This field is a 0 65535 Menu 21...

Page 104: ...ort None Less Greater Equal Not Equal TCP Estab This field is applicable only when IP Protocol field is 6 TCP If yes the rule matches only established TCP connections else the rule matches all TCP packets Yes No More If yes a matching packet is passed to the next filter rule before an action is taken else the packet is disposed of according to the action fields If More is Yes then Action Matched a...

Page 105: ...completed filling in Menu 21 1 1 1 TCP IP Filter Rule press Enter at the message Press Enter to Confirm to save your configuration or press Esc to cancel This data will now be displayed on Menu 21 1 1 Filter Rules Summary The following diagram illustrates the logic flow of an IP filter ...

Page 106: ... Check IP Protocol Drop Drop Packet Accept Packet Drop Forward Check Next Rule Check Next Rule Check Next Rule Forward Not Matched Yes No Check Src IP Addr Apply SrcAddrMask to Src Addr Matched Check Dest IP Addr Apply DestAddrMask to Dest Addr Not Matched Not Matched Check Src Dest Port Matched Not Matched Figure 7 10 Executing an IP Filter ...

Page 107: ...e comparing the result against the Value to determine a match The Mask and Value are specified in hexadecimal numbers Note that it takes two hexadecimal digits to represent a byte so if the length is 4 the value in either field will take 8 digits e g FFFFFFFF To configure a generic rule select Generic Filter Rule in the Filter Type field in the Menu 21 4 1 1 and press Enter to open Generic Filter ...

Page 108: ...u wish to compare The range for this field is 0 to 8 Default 0 Mask Enter the mask in Hexadecimal to apply to the data portion before comparison Value Enter the value in Hexadecimal to compare with the data portion More If yes a matching packet is passed to the next filter rule before an action is taken else the packet is disposed of according to the action fields If More is Yes then Action Matche...

Page 109: ...lters This filter is designed to block outside users telnetting into the Prestige Figure 7 12 Telnet Filter Example Step 1 Enter 21 from the Main Menu to open Menu 21 1 Filter Set Configuration Step 2 Enter the index of the filter set you wish to configure in this case 3 and press Enter Step 3 Enter a descriptive name or comment in the Edit Comments field in this case TELNET_WAN and press Enter St...

Page 110: ...ched Drop Action Not Matched Forward Press ENTER to Confirm or ESC to Cancel Press Space Bar to Toggle Press the SPACEBAR to choose this filter rule type The first filter rule type determines all subsequent filter types within a set Select Yes to make the rule active 6 is the TCP protocol The port number for the telnet service TCP protocol is 23 See RFC 1060 for port numbers of well known services...

Page 111: ...lter rules are discussed in more detail in the next section When NAT Network Address Translation is enabled the inside IP address and port number are replaced on a connection by connection basis which makes it impossible to know the exact address and port on the wire Therefore the Prestige applies the protocol filters to the native IP address and port number before NAT for outgoing Menu 21 1 3 Fil...

Page 112: ... it them Sets of factory default filter rules have been configured in Menu 21 to prevent NetBIOS traffic from triggering calls and block incoming telnet FTP and HTTP connections If you do not activate the firewall it is advisable to apply these default filters as shown next 7 6 1 LAN traffic LAN traffic filter sets may be useful to block certain packets reduce traffic and prevent security breaches...

Page 113: ...s protocol filters when using Ethernet encapsulation Filter set 3 TEL_FTP_WEB_WAN blocks telnet FTP and web connections from the WAN Port to help prevent security breaches Apply them as shown in the following figure Figure 7 17 Filtering Remote Node Traffic Menu 3 1 LAN Port Filter Setup Input Filter Sets protocol filters 2 device filters Output Filter Sets Protocol filters device filters Press EN...

Page 114: ...work Keep in mind that SNMP is only available if TCP IP is configured on your Prestige 8 2 Configuring SNMP To configure SNMP enter 22 from the Main Menu to open Menu 22 SNMP Configuration as shown in the figure below The community for Get Set and Trap fields is simply SNMP s terminology for password Figure 8 1 Menu 22 SNMP Configuration Menu 22 SNMP Configuration SNMP Get Community public Set Com...

Page 115: ...gement station public Trusted Host If you enter a trusted host your Prestige will only respond to SNMP messages from this address If you leave the field blank default your Prestige will respond to all SNMP messages it receives regardless of source blank Trap Community Enter the trap community which is the password sent with each trap to the SNMP manager public Trap Destination Enter the IP address...

Page 116: ...ties and upgrades for the system software This chapter describes how to use these tools in detail Select menu 24 in the main menu to open Menu 24 System Maintenance as shown below Figure 9 1 Menu 24 System Maintenance Menu 24 System Maintenance 1 System Status 2 System Information and Console Port Speed 3 Log and Trace 4 Diagnostic 5 Backup Configuration 6 Restore Configuration 7 Upload Firmware 8...

Page 117: ...ts the counters and Esc takes you back to the previous screen The table below describes the fields present in Menu 24 1 System Maintenance Status It should be noted that these fields are READ ONLY and are meant to be used for diagnostic purposes The upper right corner of the screen shows the time and date according to the format you set in Menu 24 10 Figure 11 6 Figure 9 2 Menu 24 1 System Mainten...

Page 118: ...The number of collisions on this port Tx B s Shows the transmission speed in Bytes per second on this port Rx B s Shows the reception speed in Bytes per second on this port Up Time Total amount of time the line has been up LAN Ethernet Address The LAN port Ethernet address IP Address The LAN port IP address IP Mask The LAN port IP mask DHCP The LAN port DHCP role WAN Ethernet Address The WAN port ...

Page 119: ... 3 Menu 24 2 System Information and Console Port Speed 9 2 1 System Information System Information gives you information about your system as shown below More specifically it gives you information on your routing protocol Ethernet address IP address etc Figure 9 4 Menu 24 2 1 System Maintenance Information Menu 24 2 1 System Maintenance Information Name xxx baboo mickey com Routing IP ZyNOS S W Ve...

Page 120: ... shows the IP mask of the Prestige DHCP This field shows the DHCP setting of the Prestige 9 2 2 Console Port Speed You can change the speed of the console port through Menu 24 2 2 Console Port Speed Your Prestige supports 9600 default 19200 38400 57600 and 115200 bps for the console port Use the SPACE BAR to select the desired speed in Menu 24 2 2 as shown below Figure 9 5 Menu 24 2 2 System Maint...

Page 121: ...s of Error and Information Messages Examples of typical error and information messages are presented in the figure below Figure 9 7 Examples of Error and Information Messages 9 3 2 UNIX Syslog The Prestige uses the UNIX syslog facility to log the CDR Call Detail Record and system messages to a syslog server Syslog and accounting can be configured in Menu 24 3 2 System Maintenance Syslog and Accoun...

Page 122: ...ypes CDR Call Detail Record CDR logs all data phone line activity if set to Yes Packet triggered The first 48 bytes or octets and protocol type of the triggering packet is sent to the UNIX syslog server when this field is set to Yes Filter log No filters are logged when this field is set to No Filters with the individual filter Log Filter field set to Yes Menu 21 x x are logged when this field is ...

Page 123: ...gered Packet triggered Message Format sdcmdSyslogSend SYSLOG_PKTTRI SYSLOG_NOTICE String String Packet trigger Protocol xx Data xxxxxxxxxx x Protocol 1 IP 2 IPX 3 IPXHC 4 BPDU 5 ATALK 6 IPNG Data We will send forty eight Hex characters to the server Jul 19 11 28 39 192 168 102 2 ZyXEL Packet Trigger Protocol 1 Data 4500003c100100001f010004c0a86614ca849a7b08004a5c020001006162636465666768696a6b6c6d6...

Page 124: ...to Closing ppp Proto Shutdown Proto LCP ATCP BACP BCP CBCP CCP CHAP PAP IPCP IPXCP Jul 19 11 42 44 192 168 102 2 ZyXEL ppp LCP Closing Jul 19 11 42 49 192 168 102 2 ZyXEL ppp IPCP Closing Jul 19 11 42 54 192 168 102 2 ZyXEL ppp CCP Closing 5 Firewall log Firewall Log Message Format sdcmdSyslogSend SYSLOG_FIREWALL SYSLOG_NOTICE buf buf IP Src xx xx xx xx spo xxxx Dst xx xx xx xx dpo xxxx prot rule ...

Page 125: ...s shown next IP Frame ENET0 RECV Size 44 44 Time 17 02 44 262 Frame Type IP Header IP Version 4 Header Length 20 Type of Service 0x00 0 Total Length 0x002C 44 Identification 0x0002 2 Flags 0x00 Fragment Offset 0x00 Time to Live 0xFE 254 Protocol 0x06 TCP Header Checksum 0xFB20 64288 Source IP 0xC0A80101 192 168 1 1 Destination IP 0x00000000 0 0 0 0 TCP Header Source Port 0x0401 1025 Destination Po...

Page 126: ...hown in Figure 9 11 LAN DHCP has already been discussed previously The Prestige can act either as a WAN DHCP client IP Address Assignment field in Menu 4 or Menu 11 3 is Dynamic and the Encapsulation field in Menu 4 or Menu 11 is Ethernet or none i e you have a static IP The WAN Release and Renewal fields in Menu 24 4 conveniently allow you to release and or renew the assigned WAN IP address subne...

Page 127: ...n your LAN or WAN Enter its IP address in the Host IP Address field below 2 WAN DHCP Release Enter 2 to release your WAN DHCP settings 3 WAN DHCP Renewal Enter 3 to renew your WAN DHCP settings 4 Internet Setup Test Enter 4 to test the Internet Setup You can also test the Internet Setup in Menu 4 Internet Access Please refer to the Internet Access chapter for more details 11 Reboot System Enter 11...

Page 128: ...ce With many ftp and tftp clients they are as well as seen next ftp put P312 bin ras This is a sample ftp session showing the transfer of the PC file P312 bin to the Prestige ftp get rom 0 MyP312 cfg This is a sample ftp session saving the current configuration to the PC file MyP312 cfg If your t ftp client does not allow you have a destination filename different than the source you will need to r...

Page 129: ... problem still exists e mail or call tech support 10 2 Backup Configuration Option 5 from Menu 24 System Maintenance allows you to backup the current Prestige configuration to your workstation Backup is highly recommended once your Prestige is functioning properly FTP and TFTP are the preferred methods for backing up your current workstation configuration to your computer since FTP and TFTP are fa...

Page 130: ...ration file via the console port There are two components in the system the router firmware and the configuration file as shown below Figure 10 3 Menu 24 7 System Maintenance Upload Firmware 10 4 1 Uploading the Router Firmware Menu 24 7 1 shows you the instructions for uploading the router firmware Follow the procedure below to upload the file Step 1 Enter y at the prompt to go into debug mode St...

Page 131: ...and 1 stop bit 8n1 You will need to change your serial communications software to the default before you can connect to the Prestige again The password will be reset to the default of 1234 also Follow the procedure below to upload the configuration file Step 1 Enter y at the prompt to go into debug mode Step 2 Enter atlc after the Enter Debug Mode message Step 3 Wait for the Starting XMODEM upload...

Page 132: ...ault when the file transfer is complete Step 4 Launch the TFTP client on your workstation and connect to the Prestige Set the transfer mode to binary before starting data transfer Step 5 Use the TFTP client see the example below to transfer files between the Prestige and the workstation The file name for the firmware is ras and for the configuration file is rom 0 rom zero not capital o Menu 24 7 2...

Page 133: ...see in third party TFTP clients Table 10 2 Third Party TFTP Clients General fields Host Enter the IP address of the Prestige 192 168 1 1 is the Prestige default IP address when shipped Send Fetch Press Send to upload the file to the Prestige and Fetch to back up the file on your computer Local File Enter the path and name of the firmware file bin extension or configuration file rom extension on yo...

Page 134: ...u 24 7 1 System Maintenance Upload Router Firmware To upload the router firmware follow the procedure below 1 Launch the FTP client on your workstation 2 Type open and the IP address of your router Then type root and SMT password as requested 3 Type put firmwarefilename ras where firmwarefilename is the name of your firmware upgrade file on your workstation and ras is the remote file name on the r...

Page 135: ... p312 rom to the Prestige and renames it rom 0 See section 10 1 for more information on filename conventions Step 7 Type quit to exit the ftp prompt Menu 24 7 2 System Maintenance Upload Router Configuration File To upload the router configuration file follow the procedure below 1 Launch the FTP client on your workstation 2 Type open and the IP address of your router Then type root and SMT passwor...

Page 136: ...l Local Directory Specify the default local directory path FTP over WAN will not work if 1 You have disabled Telnet service in Menu 24 11 2 You have applied a filter in Menu 3 1 LAN or in Menu 11 5 WAN to block Telnet service 3 The IP you entered in the Secured Client IP field in Menu 24 11 does not match the client IP If it does not match the Prestige will disconnect the Telnet session immediatel...

Page 137: ......

Page 138: ...ial connection See our supplied disk or the zyxel com web site for more detailed information on CI commands Enter 8 from Menu 24 System Maintenance A list of valid commands can be found by typing help or at the command prompt Type exit to return to the SMT main menu when finished Figure 11 1 Command Mode in Menu 24 Figure 11 2 Valid Commands Menu 24 System Maintenance 1 System Status 2 System Info...

Page 139: ...ls will be blocked Call history chronicles preceding incoming and outgoing calls To access the call control menu select option 9 Call Control in Menu 24 to go to Menu 24 9 System Maintenance Call Control as shown in the next table Figure 11 3 Call Control 11 2 1 Budget Management Menu 24 9 1 shows the budget management statistics for outgoing calls Enter 1 from Menu 24 9 System Maintenance Call Co...

Page 140: ...ndex number of the remote node you want to reset just one in this case 1 Connection Time Total Budget This is the total connection time that has gone by within the allocated budget that you set in Menu 11 1 5 10 means that 5 minutes out of a total allocation of 10 minutes have gone by Elapsed Time Total Period The period is the time cycle in hours that the allocation budget is reset see Menu 11 1 ...

Page 141: ... chip in the Prestige so we have a software mechanism to get the current time and date from an external server when you power up your Prestige Menu 24 10 does just that it allows you to update the time and date settings of your Prestige The real time is then displayed in the Prestige error logs and firewall logs If you do not choose a time service protocol that your timeserver will send when the P...

Page 142: ...ISP network administrator or use trial and error to find a protocol that works If you select None this is the default value you can enter the time manually but each time the system is booted the time date will be reset to 2000 1 1 0 0 0 Time Server IP Address Enter the IP address of the your timeserver Check with your ISP network administrator if you are unsure of this information Current Time New...

Page 143: ...ne in Menu 24 11 Remote Management Control Enter 11 from Menu 24 to bring up this menu All Telnet and FTP activity both LAN and WAN may be disabled by selecting No press the SPACE BAR to toggle Yes to No in the two fields in this menu If you just wish to block certain users from using these activities then please use filtering see menu 21 1 Figure 11 7 Menu 24 11 Remote Management Control Please n...

Page 144: ...are given a choice to go into debug mode by pressing a key at the prompt shown in the following screen In debug mode you have access to a series of boot module commands for example ATUR for uploading firmware and ATLC for uploading the configuration file already discussed in the chapter on Transferring Files Figure 11 8 Option to Enter Debug Mode Enter ATHE to view all available Prestige boot modu...

Page 145: ... test level w from address x to y z iterations ATWEa b c d write MAC addr Country code EngDbgFlag FeatureBit to flash ROM ATCUx write Country code to flash ROM ATCB copy from FLASH ROM to working buffer ATCL clear working buffer ATSB save working buffer to FLASH ROM ATBU dump manufacturer related data in working buffer ATSH dump manufacturer related data in ROM ATWMx set MAC address in working buf...

Page 146: ...specified telnet connections from the outside will be forwarded to the inside server So to configure the Prestige via telnet from the outside you must first telnet to the inside server and then telnet from the server to the Prestige using its inside LAN IP address If no inside server is specified telnetting to the NAT s IP address will connect to the Prestige directly 12 3 Telnet Capabilities 12 3...

Page 147: ...e LAN To enable Telnet over the WAN you must turn the firewall off Menu 21 2 or create a firewall rule to allow Telnet from the WAN Telnet will also not work when 1 You have disabled Telnet service in Menu 24 11 2 You have applied a filter in Menu 3 1 LAN or in Menu 11 5 WAN to block Telnet service 3 The IP you entered in the Secured Client IP field in Menu 24 11 does not match the client IP If it...

Page 148: ...IV Part IV Firewall and Content Filters Chapters 13 20 describe types of firewalls how to configure your Prestige firewall using the Prestige Web Configurator as well as types of Denial of Services DoS attacks and Content Filtering ...

Page 149: ...alls 1 Packet Filtering Firewalls 2 Application level Firewalls 3 Stateful Inspection firewalls 13 1 1 Packet Filtering Firewalls Packet Filtering Firewalls restrict access based on the source destination of the computer network address and the type of application The Prestige has packet filtering capabilities 13 1 2 Application level Firewalls Application level Firewalls restrict access by servin...

Page 150: ...n firewall and is designed to protect against Denial of Service attacks when activated in SMT Menu 21 2 or the Prestige Web Configurator The purpose is to allow a private Local Area Network LAN to be securely connected to the Internet The Prestige can be used to prevent theft destruction and modification of data as well as log events which may be important to the security of your network The Prest...

Page 151: ...ocols that perform specific functions These protocols such as HTTP Web FTP File Transfer Protocol POP3 E mail etc are identified by an extension number called the TCP port or UDP port For example Web traffic by default uses TCP port 80 When computers communicate on the Internet they are using the client server model where the server listens on a specific TCP UDP port for requests for information f...

Page 152: ...ket is then sent to an unsuspecting system Systems may crash hang or reboot 1 b Teardrop attack exploits weaknesses in the reassembly of IP packet fragments As data is transmitted through a network IP packets are often broken up into smaller chunks Each fragment looks like the original IP packet except that it contains an offset field that says for instance This fragment is carrying bytes 200 thro...

Page 153: ...Attack hackers flood SYN packets into the network with a spoofed source IP address of the targeted system This makes it appear as if the host computer sent the packets to itself making the system unavailable while the target system tries to respond to itself 3 A brute force attack such as a Smurf attack targets a feature in the IP specification known as directed or subnet broadcasting to quickly f...

Page 154: ...ection With stateful inspection fields of the packets are compared to packets that are already known to be trusted For example if you access some outside service the proxy server remembers things about your original request like the port number and source and destination addresses This remembering is called saving the state When the outside system responds to your request the firewall compares the...

Page 155: ...ropped at this point 3 The packet is inspected by a firewall rule to determine and record information about the state of the packet s connection This information is recorded in a new state table entry created for the new connection If there is not a firewall rule for this packet and it is not an attack then The default action for packets not matching following rules field see Figure 16 3 determine...

Page 156: ...ing these to rules set by the administrator Note The ability to define Prestige Web Configurator Firewall Rules is a very powerful tool Using custom rules it is possible to disable all firewall protection or block all access to the Internet Use extreme caution when creating or deleting Firewall Rules Test changes after creating them to make sure they work correctly Below is a brief technical descr...

Page 157: ...packets are never allowed in since they could be used to reroute traffic through attacking machines 13 4 5 Upper Layer Protocols Some higher layer protocols such as FTP and RealAudio utilize multiple network connections simultaneously In general terms they usually have a control connection which is used for sending commands between endpoints and then data connections which are used for transmittin...

Page 158: ... your system Turn your computer off when not being used 3 Never give out a password or any sensitive information to an unsolicited telephone call or e mail 4 Never e mail sensitive information such as passwords credit card information etc to people without encrypting the information first 5 Never submit sensitive information via a web page unless the web site uses secure connections You can identi...

Page 159: ...Is a Firewall 13 11 12 Always shred confidential information particularly about your computer before throwing it away Some hackers dig through the trash of companies or individuals for information that might help them in a social intrusion ...

Page 160: ......

Page 161: ...reen Press the SPACE BAR to toggle No to Yes in the Active field to activate the firewall The firewall must be active to protect against Denial of Service DoS attacks Additional rules may be configured using the Prestige Web Configurator Copyright c 1994 2000 ZyXEL Communications Corp Prestige 312 Main Menu Getting Started Advanced Management 1 General Setup 21 Filter and Firewall Setup 2 WAN Setu...

Page 162: ...ng IP Spoofing may be used to break into systems to hide the hacker s identity or to magnify the effect of the DoS attack IP Spoofing is a technique used to gain unauthorized access to computers by tricking a router or firewall into thinking that the communications are coming from within the trusted network To engage in IP spoofing a hacker must modify the packet headers so that it appears that th...

Page 163: ...et the resulting ICMP traffic will not only clog up the intermediary network but will also congest the network of the spoofed source IP address known as the victim network This flood of broadcast traffic consumes all available bandwidth making communications impossible ICMP Vulnerability ICMP is an error reporting protocol that works in concert with IP The following ICMP types trigger an alert Tab...

Page 164: ...uses the targeted system to issue a SYN ACK response While the targeted system waits for the ACK that follows the SYN ACK it queues up all outstanding SYN ACK responses on what is known as a backlog queue SYN ACKs are moved off the queue only when an ACK comes back or when an internal timer which is set at relatively long intervals terminates the three way handshake Once the queue is full the syst...

Page 165: ... port and protocol Reason This field states the reason for the log i e was the rule matched not matched or was there an attack The set and rule coordinates X Y where X 1 2 Y 00 10 follow with a simple explanation There are two policy sets set 1 X 1 is for LAN to WAN rules and set 2 X 2 for WAN to LAN rules Y represents the rule in the set You can configure up to 10 rules in any set Y 01 to 10 Rule...

Page 166: ...e Prestige s filtering and firewall functions 14 3 1 Packet Filtering The router filters packets as they pass through the router s interface according to the filter rules you designed Packet filtering is a powerful tool yet can be complex to configure and maintain especially if you need a chain of rules to filter a service Packet filtering only checks the limited data portion of an IP packet ...

Page 167: ... with the outbound request for that packet and allowed in Conversely an incoming packet masquerading as a response to a nonexistent outbound request can be blocked The firewall uses session filtering i e smart rules that enhance the filtering process and control the network session rather than control individual packets in a session The firewall provides e mail service to notify you of routine rep...

Page 168: ......

Page 169: ...case sensitive 4 The PWC times out after 5 minutes of inactivity This is not configurable 5 Please make sure that your web browser is Java and JavaScript enabled You can ONLY configure the firewall via Prestige Web Configurator or CLI command You will not be able to access the Prestige Web Configurator from the WAN if 1 The firewall is activated as the firewall by default blocks all WAN to LAN tra...

Page 170: ...2 Introducing the Prestige Web Configurator Figure 15 2 Prestige Web Configurator Welcome Screen 15 2 Enabling the Firewall Click Firewall then Configuration then the Rule Config tab to enable the firewall as seen in the following screen ...

Page 171: ... on events such as attacks which you may want to know about right away You can choose to generate an alert when an attack is detected in the Attack Alert screen Figure 15 6 check the Generate an alert when attack detected checkbox or when a rule is matched in the creating editing a firewall rule screen see Figure 16 4 When an event generates a report an alert a message is immediately sent to an E ...

Page 172: ...tailed record that you create for packets that either match a rule don t match a rule or both when you are creating editing a firewall rule see Figure 16 4 You can also choose not to create a log for a rule in this screen An attack automatically generates a log Click Firewall Configuration then the E Mail tab to bring up the following screen Figure 15 4 E Mail Screen The following table describes ...

Page 173: ... Prestige as the sender of the e mail messages i e a return to sender address for backup purposes Alert Timer Alert Schedule This pop up menu is used to configure the frequency of log messages being sent as E mail daily weekly hourly only when the log is full or none If the Weekly or the Daily option is selected specify a time of day when the E mail should be sent If the Weekly option is selected ...

Page 174: ...s E mail error messages appear as SMTP action request failed ret where is described in the following table Table 15 2 SMTP Error Messages 1 means prestige out of socket 2 means tcp SYN fail 3 means smtp server OK fail 4 means HELO fail 5 means MAIL FROM fail 6 means RCPT TO fail 7 means DATA fail 8 means mail data send fail 15 3 4 Example E Mail Log An End of Log message displays for each mail in ...

Page 175: ...168 1 4 To 192 168 1 255 match forward 10 04 29 UDP src port 00137 dest port 00137 1 02 122 Apr 7 00 From 192 168 1 4 To 192 168 1 255 match forward 10 04 30 UDP src port 00137 dest port 00137 1 02 123 Apr 7 00 From 192 168 1 1 To 192 168 1 255 match forward 10 04 30 UDP src port 00520 dest port 00520 1 02 124 Apr 7 00 From 192 168 1 110 To 10 10 10 11 match forward 10 04 36 TCP src port 01360 des...

Page 176: ...that the firewall has detected no return traffic The Prestige measures both the total number of existing half open sessions and the rate of session establishment attempts Both TCP and UDP half open sessions are counted in the total number and rate measurements Measurements are made once a minute When the number of existing half open sessions rises above a threshold max incomplete high the Prestige...

Page 177: ...is greater than 0 The Prestige blocks all new connection requests to the host giving the server time to handle the present connections The Prestige continues to block all new connection requests until the Blocking Time expires The Prestige also sends alerts whenever TCP Maximum Incomplete is exceeded The global values specified for the threshold and timeout apply to all TCP connections Click on th...

Page 178: ...ction attempts rises above this number the Prestige deletes half open sessions as required to accommodate new connection attempts 100 half open sessions per minute The above numbers cause the Prestige to start deleting half open sessions when more than 100 session establishment attempts have been detected in the last minute and to stop deleting half open sessions when fewer than 80 session establi...

Page 179: ...s Enter a number between 1 and 250 As a general rule you should choose a smaller number for a smaller network a slower system or limited bandwidth 10 existing half open TCP sessions Blocking Time When TCP Maximum Incomplete is reached you can choose if the next session should be allowed or blocked If you check Blocking Time any new sessions will be blocked for the length of time you specify in the...

Page 180: ......

Page 181: ...N to the Internet Allow certain types of traffic such as Lotus Notes database synchronization from specific hosts on the Internet to specific hosts on the LAN Allow access to a Web server to everyone but competitors Restrict use of certain protocols such as Telnet to authorized users on the LAN These custom rules work by comparing network traffic s Source IP address Destination IP address IP proto...

Page 182: ...t users access to resources on the LAN create a security vulnerability For example if FTP ports TCP 20 21 are allowed from the Internet to the LAN Internet users may be able to connect to PCs with running FTP servers 4 Does this rule conflict with any existing rules Once these questions have been answered adding rules is simply a matter of plugging the information into the correct fields in the Ru...

Page 183: ...N to WAN traffic is that all users on the LAN are allowed non restricted access to the WAN When you configure Policy LAN to WAN Rules you in essence want to limit some or all users from accessing certain services on the WAN See the following figure Figure 16 1 LAN to WAN Traffic 16 3 2 WAN to LAN Rules By default NO incoming connections WAN to LAN are allowed unless you create rules allowing certa...

Page 184: ...on discussed later Next to the name of the protocol two fields appear in brackets The first field indicates the IP port number that defines the service TCP Port UDP Port or ICMP Type The second field indicates the IP protocol type 6 is TCP 17 is UDP or 1 is ICMP Note that there may be more than one IP protocol type For example look at the default configuration labeled DNS UDP TCP 53 means UDP port...

Page 185: ...e RCMD TCP 512 Remote Command Service REAL_AUDIO TCP 7070 A streaming audio service that enables real time sound over the web REXEC TCP 514 Remote Execution Daemon RLOGIN TCP 513 Remote Login RTELNET TCP 107 Remote Telnet RTSP TCP UDP 554 The Real Time Streaming media control Protocol RTSP is a remote control for multimedia on the Internet SFTP TCP 115 Simple File Transfer Protocol SMTP TCP 25 Sim...

Page 186: ...ssion below refers to both Click on Firewall then Local Network to bring up the following screen This screen is a summary of the existing rules Note the order in which the rules are listed Special Note The ordering of your rules is important as rules are applied in turn Figure 16 3 Firewall Rules Summary First Screen The following table describes the fields in this screen ...

Page 187: ...ewall rule number The ordering of your rules is important as rules are applied in turn The Move field below allows you to reorder your rules Source IP This is the source address of the packet Destination IP This is the destination address of the packet Service This is the service to which the rule applies See Table 16 1 for more information Action This is the specified action for that rule Note th...

Page 188: ...ou may reorder your rules using this function Select by clicking in the Firewall Rule Summary box on the rule you want to move The ordering of your rules is important as rules are applied in turn To Rule Number Type to where you want to move that rule in this box Move Click this command button to move the rule 16 5 1 Creating Editing Firewall Rules To create a new rule click a number No then click...

Page 189: ...e or SrcDelete to delete one Please see the next section for more information on adding and editing source addresses SrcAdd SrcEdit SrcDelete Destination Address Press DestAdd to add a new address DestEdit to edit an existing one or DestDelete to delete one Please see the next information on adding and editing destination addresses DestAdd DestEdit DestDelete Services Please see Table 16 1 for mor...

Page 190: ...his field determines if a log is created for packets that match the rule don t match the rule both or no log is created Match Not Match Both None Alert Check the Alert checkbox to determine that this rule generates an alert when the rule is matched When you have finished click Apply to save your customized settings and exit this screen Cancel to exit this screen without saving or Help for online H...

Page 191: ...to apply to packets with a particular single IP a range of IP addresses e g 192 168 1 10 to 192 169 1 50 a subnet or any IP address Select an option from the drop down list box Single Address Range Address Subnet Address Any Address Start IP Address Enter the single IP address or the starting IP address in a range here End IP Address Enter the ending IP address in a range here Subnet Mask Enter th...

Page 192: ...p on fields in this screen 16 6 Timeout The fields in the Timeout screens are the same for Local and Internet networks so the discussion below refers to both 16 6 1 Factors Influencing Choices for Timeout Values The factors influencing choices for timeout values are the same as the factors influencing choices for threshold values see section 15 4 1 Click on either Local Network or Internet then se...

Page 193: ...P312 Broadband Security Gateway Creating Custom Rules 16 13 Figure 16 6 Timeout Screen ...

Page 194: ...a FIN exchange indicating the end of the TCP session 60 seconds Idle Timeout This is the length of time of inactivity a TCP connection remains open before the Prestige considers the connection closed 3600 seconds 1 hour UDP Idle Timeout This is the length of time of inactivity a UDP connection remains open before the Prestige considers the connection closed 60 seconds ICMP Timeout This is the leng...

Page 195: ...s for services not included in the services provided in the scrolling list box in the screen shown in Figure 16 4 For further information on these services please read section 16 4 To configure a custom port click Custom Ports to bring up the following screen Figure 17 1 Custom Ports The next table describes the fields in this screen ...

Page 196: ...efines your customized port Add a New Entry Click this button to create a new service custom port Edit Click this button to edit an existing service custom port Delete Click a custom port in the customized services box then this button to delete that service custom port Help Click this button for HTML Help on fields in this screen When you have finished viewing this screen click another link to ex...

Page 197: ...P312 Broadband Security Gateway Custom Ports 17 3 Figure 17 2 Creating Editing A Custom Port The next table describes the fields in this screen ...

Page 198: ...x TCP UDP Both Port Configuration Type Click the Single radio button to specify one port only or Range radio button to specify a span of ports that define your customized service Single Range Port Number Enter a single port number or the range of port numbers that define your customized service When you have finished click Apply to save your customized settings and exit this screen Cancel to exit ...

Page 199: ... the Logs to bring up the next screen Firewall logs may also be viewed in SMT Menu 21 3 see section 14 1 1 or via syslog SMT Menu 24 3 2 System Maintenance UNIX Syslog Syslog is an industry standard protocol used for capturing log information for devices on a network 128 entries are available numbered from 0 to 127 Once they are all used the log wraps around and the old logs are lost Figure 18 1 L...

Page 200: ... and rule coordinates X Y where X 1 2 Y 00 10 follow with a simple explanation There are two policy sets set 1 X 1 is for LAN to WAN rules and set 2 X 2 for WAN to LAN rules Y represents the rule in the set You can configure up to 10 rules in any set Y 01 to 10 Rule number 00 is the default rule attack land This is a log is for a DoS attack in this case a land attack Other attack types are ip spoo...

Page 201: ...P312 Broadband Security Gateway Logs 18 3 Field Description When you have finished viewing this screen click another link to exit ...

Page 202: ......

Page 203: ...elnet and mail services The only traffic allowed from the Internet is web service We want to be able to forward all traffic initiated from our local network local network We want to know who accesses our server and send e mail alerts when this happens Our mail account is user zyxel com Another network administrator has an e mail address of user2 zyxel com This is what we do Step 1 Activate the fir...

Page 204: ...ples Firewall Rules Figure 19 1 Activate The Firewall Step 2 Now we configure our E mail screen as follows Click the E Mail tab to bring up the next screen Check here to activate the firewall You may also activate the firewall in SMT menu 21 2 ...

Page 205: ...ernet Configure this screen as shown in Figure 19 3 Step 4 Click DestAdd to configure the destination address as the IP of our server on the LAN See Figure 19 4 Step 5 When you have finished configuring this screen the Rule Summary screen should look like the one inFigure 19 5 Step 6 Click Apply in this screen when you have finished configuring to save your configuration back to the Prestige Enter...

Page 206: ... address as the IP of our server on the LAN See the next screen Click this button when you have finished editing screens Select this service web service from the Available Services list box and click We want to forward the packet when it matches this rule remember the default is to block all packets from the Internet log packets that match this rule and to send alerts when this happens ...

Page 207: ...Rules 19 5 Figure 19 4 Example 1 Destination Address for Traffic Originating From The Internet 10 100 1 2 is the IP of our server on the LAN supporting FTP HTTP Telnet and mail services to which we wish to forward traffic originating from the Internet ...

Page 208: ...5 We want i To send alerts when there is an attack ii To only allow access to the Internet from the HTTP proxy server and our mail server iii To only allow FTP server One to be accessible from the Internet We choose to block packets that don t match the rules specified below We want a log of packets that match this rule in the ACL Default Set The first rule is a default rule to allow DHCP negotiat...

Page 209: ...ant to restrict access to the Internet except for the HTTP proxy server and our mail server First we need to create a custom port for POP3 POP Post Office Protocol is an Internet mail server protocol that provides an incoming message storage system It works in conjunction with the SMTP Simple Mail Transfer Protocol which provides the message transport services required to move mail from one system...

Page 210: ...oxy server and our mail server Click Internet to see the Rule Summary screen Now click an available No rule number radio button then click Edit to bring up the next screen Step 5 Click SrcAdd under the Source Address box and enter the IP of the mail server 192 168 10 2 in the same fashion as what we did in Figure 19 4 Type a name for this custom port and select TCP service Click Apply when you ve ...

Page 211: ...TTP proxy server Step 7 The Rule Summary screen should look like Figure 19 9 Don t forget to click Apply when you have finished configuring your rule s to save your settings back to the Prestige This is the IP of our mail server We want to forward packets that match these rules We select these mail services Note that our customized service has an before the name to distinguish it as such Click App...

Page 212: ...een Now click on the DestAdd button under the Destination Address box and enter the IP of FTP server One 192 168 10 3 Follow the same procedure as shown in Figure 19 3 and Figure 19 4 Step 9 On completing the procedure the Rule Summary for this Internet firewall rules should look like the following screen Don t forget to click Apply when you have finished configuring your rule s to save your setti...

Page 213: ...ing are some Internet firewall rules examples to 1 Allow DHCP negotiation between the ISP and the P312 2 Allow a syslog connection from the Internet Step 1 Follow the procedure shown next to first configure a custom port Click Apply to save your settings back to the Prestige This is the IP of our FTP server to which we want to forward traffic from the Internet We want to block all other WAN to LAN...

Page 214: ...Follow the procedures outlined in the previous examples to configure all your rules When finished your rule summary screen should look like the following Custom ports show up with an before their names in the Services list box and the Rule Summary list box Click Apply after you ve created your custom port ...

Page 215: ...312 Broadband Security Gateway Example Firewall Rules 19 13 Figure 19 12 Syslog Rule Configuration This is our Syslog custom port Click Apply when finished This is the address range of the syslog servers ...

Page 216: ...way 19 14 Examples Firewall Rules Figure 19 13 Example 3 Rule Summary Rule 1 Allow DHCP negotiation between the ISP and the P312 Rule 2 Allow a syslog connection from the WAN Click Apply to save your settings back to the Prestige ...

Page 217: ...ther damage 20 1 2 Java Java is a programming language and development environment created by Sun Microsystems for building downloadable Web components or even a sophisticated environment for building Internet and intranet business applications of all kinds Java programmers create Java applets and Java applets run inside what is called a Java VM Virtual Machine Think of the VM as a software box wh...

Page 218: ... that user requests a Web page their Web browser formats the request for the proxy server hiding it from the content filter As a result the user is able to access unfiltered content on the Internet 20 2 Blocking URLs The Prestige may also block specific URLs by filling in the Domain Name field The Prestige looks at the rightmost part of URLs first so when using this feature you should include the ...

Page 219: ...e will appear blank or grayed out Block Web URLs Enter a domain name as discussed above then press Add Domain Name The page reloads and the new domain name appears in the Block Web URLs box When you try to access a web page containing this domain name you will get a message telling you that the content filter is blocking this request To delete a domain name select the domain name in the Block Web ...

Page 220: ...ting Appendices Glossary and Index V Part V Troubleshooting Appendices Glossary and Index Chapter 21 provides information about solving common problems followed by some Appendices a Glossary of Terms and an Index ...

Page 221: ......

Page 222: ...None of the LEDs are on when you power on the Prestige Check the connection between the AC adapter and the Prestige If the error persists you may have a hardware problem In this case you should contact technical support 1 Check to see if the Prestige is connected to your computer s serial port VT100 terminal emulation 9600 bps is the default speed on leaving the factory Try other speeds in case th...

Page 223: ...nd out the verification method used by your ISP If the ISP checks the LAN MAC Address tell the ISP the WAN MAC address of the Prestige The WAN MAC can be obtained from Menu 24 1 In case the ISP does not allow you to use a new MAC you can clone the MAC from the LAN as the WAN MAC and send it to the ISP using Menu 2 WAN Setup We recommend you configure this menu anyway even if your ISP presently doe...

Page 224: ...3 2 and Menu 4 21 5 Problems with the Firewall Problem Corrective Action You can ONLY configure the firewall via Prestige Web Configurator or CI command You will not be able to access the Prestige Web Configurator from the WAN if The firewall is activated as the firewall by default blocks all WAN to LAN traffic To access the Prestige Web Configurator from the WAN when the firewall is activated you...

Page 225: ......

Page 226: ...ices using PPP Benefits of PPPoE PPPoE offers the following benefits 1 It provides you with a familiar dial up networking DUN user interface 2 It lessens the burden on the carriers of provisioning virtual circuits all the way to the ISP on multiple switches for thousands of users For GSTN PSTN ISDN the switching fabric is already in place 3 It allows the ISP to use the existing dial up model to au...

Page 227: ... PPP frames to the ISP The L2TP tunnel is capable of carrying multiple PPP sessions With PPPoE the VC Virtual Circuit is equivalent to the dial up connection and is between the modem and the AC as opposed to all the way to the ISP However the PPP negotiation is between the PC and the ISP Prestige as a PPPoE Client When using the Prestige as a PPPoE client the PCs on the LAN see only Ethernet and a...

Page 228: ...T clients to an NT server in a remote location The pass through feature allows users on the network to access a different remote server using the Prestige s Internet connection In NAT mode the Prestige is able to pass the PPTP packets to the internal PPTP server i e NT server behind the NAT Users need to forward PPTP packets to port 1723 by configuring the server in Menu 15 2 Server Set Setup In t...

Page 229: ...5 to an RFC 2364 server Control PPP connections Each PPTP session has distinct control connection and PPP data connection Call Connection The control connection runs over TCP Similar to L2TP a tunnel control connection is first established before call control messages can be exchanged Please note that a tunnel control connection supports multiple call sessions The following diagram depicts the mes...

Page 230: ...0Mbit Half Duplex Ethernet Specification for LAN 10 100 Mbit Half Full Auto negotiation Console Port RS 232 Pin 1 NON Pin 2 DTE RXD Pin 3 DTE TXD Pin 4 DTE DTR Pin 5 GND Pin 6 DTE DSR Pin 7 DTE RTS Pin 8 DTE CTS PIN 9 NON See Figure below WAN LAN Cable Pin Layout Straight Through Crossover Switch 1 IRD Adapter 1 OTD Switch 1 IRD Switch 1 IRD 2 IRD 2 OTD 2 IRD 2 IRD 3 OTD 3 IRD 3 OTD 3 OTD 6 OTD 6 ...

Page 231: ...al Code ANSI NFPA 70 8 Do not allow anything to rest on the power cord of the AC adapter and do not locate the product where anyone can walk on the power cord 9 Do not service the product by yourself Opening or removing covers can expose you to dangerous high voltage points or other risks Refer all servicing to qualified service personnel 10 Generally when installed after the final configuration t...

Page 232: ...ay firewall Displays the all the firewall settings including e mail attack and sets rules config display firewall set set Displays current entries of a set configuration including timeout values name default permit and number of rules under it If you don t put after set it will display all the sets rules information config display firewall set set rule rule Displays current entries of a rule in a ...

Page 233: ...s A At tt ta ac ck k config edit firewall attack send alert yes no Activates or deactivates the firewall DOS attack notification e mails config edit firewall attack block yes no Yes to block the traffics when exceeds the threshold of tcp max incomplete No to delete the oldest half open session when exceeds the threshold of tcp max incomplete config edit firewall attack block minute 0 255 Only vali...

Page 234: ...idle TCP session before it is terminated config edit firewall set set log yes no Switches on off the logs for matching default permit R Ru ul le es s config edit firewall set set rule rule permit forward block Edits whether a packet is dropped or allowed through when it meets this rule config edit firewall set set rule rule active yes no Edits whether a rule is enabled or not config edit firewall ...

Page 235: ... and edits a destination address range of traffic which comply to this rule config edit firewall set set rule rule TCP destport single port Selects and edits the destination port of the traffic which comply with this rule For non consecutive port numbers the user may repeat this command line to enter in the multiple port numbers config edit firewall set set rule rule TCP destport range start port ...

Page 236: ...il Removes all the settings for e mail alert config delete firewall attack Resets all the settings for attack to default setting config delete firewall set set Removes the specified set from the firewall configuration config delete firewall set set rule rule Removes the specified rule in a set from the firewall configuration ...

Page 237: ...ption 9 W Plug North American standards Safety standards UL CUL UL1950 CSA C22 2 NO 234 M90 European Union AC Power Adapter model AD 1201200DV Input power AC230Volts 50Hz Output power DC12Volts 1 2A Power consumption 9 W Plug European Union standards Safety standards TUV CE EN 60950 AC Power Adapter model JAD 121200E Input power AC230Volts 50Hz Output power DC12Volts 1 2A Power consumption 9 W Plu...

Page 238: ...ts 50 60Hz 27VA Output power DC12Volts 1 2A Power consumption 9 W Plug Japan standards Safety standards T Mark Australia and New Zealand AC Power Adapter model AD 1201200DS Input power AC240Volts 50Hz 0 2A Output power DC12Volts 1 2A Power consumption 9 W Plug Australia and New Zealand standards Safety standards NATA AS 3260 ...

Page 239: ...ccess to a system Bandwidth This is the capacity on a link usually measured in bits per second bps Bit Binary Digit A single digit number in base 2 in other words either a 1 or a zero The smallest unit of computerized data Brute Force Hacking A technique used to find passwords or encryption keys Force Hacking involves trying every possible combination of letters numbers etc until the code is broke...

Page 240: ...rvice units are actually two separate devices but they are used in conjunction and often combined into the same box The devices are part of the hardware you need to connect computer equipment to digital transmission lines The Channel Service Unit device connects with the digital communication line and provides a termination for the digital signal The Data Service Unit device sometimes called a dig...

Page 241: ...affic flows at the same speed in both directions or asymmetrical the downstream capacity is higher than the upstream capacity DSL connections are point to point dedicated circuits meaning that they are always connected There is no dial up There is also no switching which means that the line is a direct connection into the carrier s frame relay ATM Asynchronous Transfer Mode or Internet connect sys...

Page 242: ...ay A gateway is a computer system or other device that acts as a translator between two systems that do not use the same communication protocols data formatting structures languages and or architecture Hacker Generally a hacker is anyone who enjoys experimenting with technology including computers and networks Not all hackers are criminals breaking into systems Some are legitimate users and hobbyi...

Page 243: ...multiple users on a system to chat over the network Today IRC is a very popular way to talk in real time with other people on the Internet However IRC is also one avenue hackers use to get information from you about your system and your company Moreover IRC sessions are prone to numerous attacks that while not dangerous can cause your system to crash ISP Internet Service Providers provide connecti...

Page 244: ...retapping eavesdropping because the password can be captured and used by someone to log onto the system Password Cracker A program that uses a dictionary of words phrases names etc to guess a password Password encryption A system of encrypting electronic files using a single key or password Anyone who knows the password can decrypt the file Password Shadowing The encrypted password is no visible i...

Page 245: ...IETF Internet Engineering Task Force RFC 1661 through 1663 PPP provides router to router host to router and host to host connections Promiscuous Packet Capture Actively capturing packet information from a network Most computers only collect packets specifically addressed to them Promiscuous packet capture acquires all network traffic it can regardless of where the packets are addressed Protocol A ...

Page 246: ...tor direct and filter information that passes between these networks Because of their location routers are a good place to install traffic or mail filters Routers are also prone to attacks because they contain a great deal of information about a network SAP In NetWare the SAP Service Advertising Protocol broadcasts information about available services on the network that other network devices can ...

Page 247: ... environments It operates over TCP IP networks Its primary function is to allow users to log into remote host systems Tempest Illegal interception of data from computers and video signals Terminal A device that allows you to send commands to a computer somewhere else At a minimum this usually means a keyboard and a display screen and some simple circuitry Terminal Software Software that pretends t...

Page 248: ...hat automatically dials phone numbers looking for computers on the other end They catalog numbers so that hackers can call back and try to break in Warez A term that describes Pirated Software on the Internet Warez include cracked games or other programs that software pirates distribute on the Internet Wire Tapping Connecting to a network and monitoring all traffic Most wire tapping features can o...

Page 249: ......

Page 250: ...P 4 4 CLI Commands K COM Component Object Model 20 1 Command Interpreter Mode 11 1 Configuring A POP Custom Port 19 8 Configuring A Rule 19 5 console port 2 3 Console Port 2 3 9 4 9 5 I Content Filtering 20 1 Cookies 20 2 Custom Ports Creating Editing 17 2 Introduction 17 1 Customer Support viii Customized Services 17 2 D DDNS Configuration 2 9 Default Permit Log 16 7 Denial of Service 13 2 13 3 1...

Page 251: ...ypes 13 1 Vs Filters 14 6 Web Configurator 15 1 When To Use 14 7 Flow Control 2 4 Front Panel LEDs 2 1 FTP File Transfer 10 7 FTP Server 1 3 6 17 G General Setup 2 8 H Half Open Sessions 15 8 Hidden Menus 2 5 Housing 2 4 HTTP 6 13 13 1 13 3 13 4 U X AA I IANA 3 1 3 2 ICMP echo 13 5 14 3 idle timeout 4 3 IGMP Internet Group Multicast Protocol 3 3 Initial Screen 2 4 Installation Requirements 2 3 Int...

Page 252: ...tion NAT 1 2 6 1 12 1 O One Minute High 15 10 One Minute Low 15 10 one minute high 15 8 P Packet Filtering Firewalls 13 1 Packet Information 18 2 Packet Triggered 9 7 Packing List Card xxviii PAP 4 4 password 2 4 Password 2 4 2 7 Ping 9 12 Ping of Death 13 4 Playboy 20 2 POP3 13 3 13 4 Port Configuration 17 4 Power Adapter 2 3 PPP log 9 7 PPPoE Encapsulation3 8 3 10 4 1 4 3 4 4 4 9 4 10 PPTP Encap...

Page 253: ...g CD xxviii SYN Flood 13 4 13 5 14 4 SYN ACK 13 5 14 4 Syslog 19 11 Syslog IP Address 9 7 System Information 9 1 9 4 System Maintenance2 6 9 1 9 2 9 3 9 4 9 5 9 6 9 7 9 11 9 12 10 1 10 2 10 3 10 4 10 5 10 8 11 1 11 2 11 3 11 5 System Name 2 9 System Status 9 2 System Timeout 12 2 T TCP Maximum Incomplete 15 8 15 9 15 11 TCP Security 13 8 TCP IP1 2 3 1 3 3 3 4 3 5 3 6 4 6 4 9 7 6 7 7 7 8 7 10 7 13 ...

Page 254: ...0 2 11 21 2 WAN to LAN Rules 16 3 Web Configurator 13 9 Web Proxy 20 2 Welcome screen 15 1 X xDSL modem 1 3 1 4 2 3 2 4 4 3 21 2 21 3 XMODEM protocol 10 2 Z ZyNOS 2 11 6 4 6 6 9 3 9 5 10 1 10 2 ZyNOS F W Version 9 3 9 5 10 1 ZyXEL s Firewall Introduction 13 2 ...

Reviews:

No comments