ZyXEL Communications Prestige 202H Series, User Manual

Share

Page: 259 / 309

ZyXEL Communications Prestige 202H Series User Manual Download Page 259

Prestige 202H User’s Guide

Introduction to VPN/IPSec

25-1

Chapter 25

Introduction to VPN/IPSec

This chapter introduces the basics of IPSec VPNs.

25.1 VPN Overview

A VPN (Virtual Private Network) provides secure communications between sites without the expense of
leased site-to-site lines.

A secure VPN is a combination of tunneling, encryption, authentication, access

control and auditing technologies/services used to transport traffic over the Internet or any insecure network
that uses the TCP/IP protocol suite for communication.

25.1.1 IPSec

Internet Protocol Security (IPSec) is a standards-based VPN that offers flexible solutions for secure data
communications across a public network like the Internet. IPSec is built around a number of standardized
cryptographic techniques to provide confidentiality, data integrity and authentication at the IP layer.

25.1.2 Security Association

A Security Association (SA) is a contract between two parties indicating what security parameters, such as
keys and algorithms they will use.

25.1.3 Other Terminology

Encryption

Encryption is a mathematical operation that transforms data from "plaintext" (readable) to "ciphertext"
(scrambled text) using a "key". The key and clear text are processed by the encryption operation, which
leads to the data scrambling that makes encryption secure. Decryption is the opposite of encryption: it
is a mathematical operation that transforms “ciphertext” to plaintext. Decryption also requires a key.

«
...
257
258
259
260
261
...
»

Summary of Contents for Prestige 202H Series

Page 1: ...Prestige 202H ISDN Router User s Guide Version 3 40 August 2003...

Page 2: ...f ZyXEL Communications Corporation Published by ZyXEL Communications Corporation All rights reserved Disclaimer ZyXEL does not assume any liability arising out of the application or use of any product...

Page 3: ...ncy energy and if not installed and used in accordance with the instructions may cause harmful interference to radio communications If this equipment does cause harmful interference to radio televisio...

Page 4: ...mpliance with the above conditions may not prevent degradation of service in some situations Repairs to certified equipment should be made by an authorized Canadian maintenance facility designated by...

Page 5: ...E Repair or replacement as provided under this warranty is the exclusive remedy of the purchaser This warranty is in lieu of all other warranties express or implied including any implied warranty of m...

Page 6: ...pport zyxel com tw 886 3 578 3942 www zyxel com www europe zyxel com WORLDWIDE sales zyxel com tw 886 3 578 2439 ftp europe zyxel com ZyXEL Communications Corp 6 Innovation Road II Science Based Indus...

Page 7: ...o Know Your Prestige 1 1 1 1 Introducing the Prestige 202H 1 1 1 2 Features 1 1 1 3 Internet Access With the Prestige 1 4 Chapter 2 Hardware Installation 2 1 2 1 Front Panel 2 1 2 2 Rear Panel and Con...

Page 8: ...Setup 6 1 6 1 Ethernet Setup 6 1 6 2 Ethernet TCP IP and DHCP Server 6 2 6 3 Configuring TCP IP Ethernet and DHCP 6 5 6 4 IP Alias 6 6 6 5 IP Alias Setup 6 7 Chapter 7 Internet Access Setup 7 1 7 1 I...

Page 9: ...ommuting Application With Windows Example 10 7 10 7 LAN to LAN Server Application Example 10 10 Chapter 11 Network Address Translation NAT 11 1 11 1 NAT Overview 11 1 11 2 Applying NAT 11 6 11 3 NAT S...

Page 10: ...tom Rules 15 1 15 1 Rules Overview 15 1 15 2 Rule Logic Overview 15 1 15 3 Connection Direction 15 3 15 4 Rule Summary 15 4 15 5 Predefined Services 15 6 15 6 Timeout 15 12 Chapter 16 Customized Servi...

Page 11: ...ion and Console Port Speed 20 3 20 4 Log and Trace 20 5 20 5 Accounting Server 20 9 20 6 Call Triggering Packet 20 10 20 7 Diagnostic 20 11 Chapter 21 Firmware and Configuration File Maintenance 21 1...

Page 12: ...5 2 IPSec Architecture 25 3 25 3 Encapsulation 25 5 25 4 IPSec and NAT 25 6 Chapter 26 VPN IPSec Setup 26 1 26 1 VPN IPSec Overview 26 1 26 2 IPSec Algorithms 26 2 26 3 My IP Address 26 3 26 4 Secure...

Page 13: ...ices and Index V Appendix A Troubleshooting A Problems Starting Up the Prestige A Problems With the ISDN Line B Problems With a LAN Interface B Problems Connecting to a Remote Node or ISP C Remote Use...

Page 14: ...System Security Change Password 3 6 Figure 3 5 Resetting the Router 3 7 Figure 3 6 Example Xmodem Upload 3 8 Figure 4 1 Menu 1 General Setup 4 1 Figure 4 2 Configure Dynamic DNS 4 3 Figure 5 1 Menu 2...

Page 15: ...Route Setup 9 2 Figure 9 3 Menu 12 1 Edit IP Static Route 9 2 Figure 10 1 Menu 13 Default Dial in Setup 10 2 Figure 10 2 Menu 13 1 Default Dial in Filter 10 5 Figure 10 3 Menu 14 Dial in User Setup 1...

Page 16: ...11 Menu 15 2 NAT Server Setup 11 14 Figure 11 12 Multiple Servers Behind NAT Example 11 15 Figure 11 13 NAT Example 1 11 16 Figure 11 14 Menu 4 Internet Access NAT Example 11 16 Figure 11 15 NAT Exam...

Page 17: ...ure 15 3 Firewall Rules Summary First Screen 15 5 Figure 15 4 Creating Editing A Firewall Rule 15 10 Figure 15 5 Adding Editing Source and Destination Addresses 15 12 Figure 15 6 Timeout Screen 15 13...

Page 18: ...re 18 17 Filtering Remote Node Traffic 18 21 Figure 19 1 SNMP Management Model 19 1 Figure 19 2 Menu 22 SNMP Configuration 19 3 Figure 20 1 Menu 24 System Maintenance 20 1 Figure 20 2 Menu 24 1 System...

Page 19: ...ion Example 21 10 Figure 21 12 Successful Restoration Confirmation Screen 21 10 Figure 21 13 System Maintenance Upload Firmware 21 11 Figure 21 14 Menu 24 7 1 Upload System Firmware 21 11 Figure 21 15...

Page 20: ...ure 25 4 Figure 25 4 Transport and Tunnel Mode IPSec Encapsulation 25 5 Figure 26 1 VPN SMT Menu Tree 26 1 Figure 26 2 Menu 27 VPN IPSec Setup 26 2 Figure 26 3 IPSec Summary Fields Illustration 26 4 F...

Page 21: ...Menu 3 2 1 IP Alias Setup 6 8 Table 7 1 Internet Account Information 7 1 Table 7 2 Menu 4 Internet Access Setup 7 2 Table 8 1 Menu 11 1 Remote Node Profile 8 3 Table 8 2 BTR vs MTR for BOD 8 7 Table...

Page 22: ...defined Services 14 2 Table 14 2 E mail 14 5 Table 14 3 SMTP Error Messages 14 6 Table 14 4 Attack Alert 14 9 Table 15 1 Firewall Rules Summary First Screen 15 5 Table 15 2 Predefined Services 15 7 Ta...

Page 23: ...9 1Call Control Parameters 22 3 Table 22 2 Menu 24 9 1 Budget Management 22 5 Table 22 3 Menu 24 9 4 Call History 22 6 Table 22 4 Time and Date Setting Fields 22 7 Table 23 1 Menu 26 1 Schedule Set Se...

Page 24: ...26 11 Telecommuter and Headquarters Configuration Example 26 23 Table 27 1 Menu 27 2 SA Monitor 27 2 Table 28 1 Sample IKE Key Exchange Logs 28 2 Table 28 2 Sample IPSec Logs During Packet Transmissio...

Page 25: ...tructions Web Configurator Online Help Embedded web help for descriptions of individual screens and supplementary information Packing List Card The Packing List Card lists all items that should have c...

Page 26: ...means the space bar UP and DOWN are the up and down arrow keys Mouse action sequences are denoted using a comma For example click the Apple icon Control Panels and then Modem means first click the Ap...

Page 27: ...Getting Started I Part I Getting Started This part is structured as a step by step guide to help you connect install and setup your router to operate on your network and access the Internet...

Page 28: ......

Page 29: ...tion describes the router s key features IPSec VPN Capability Establish Virtual Private Network VPN tunnels to connect home office computers to your company network using data encryption and the Inter...

Page 30: ...tion between network devices Your router supports SNMP agent functionality that allows a manager station to manage and monitor the router through the network SNMP is only available if TCP IP is config...

Page 31: ...Protocol Multilink Protocol link layer protocol Dial on Demand The Dial on Demand feature allows the router to automatically place a call to a remote gateway based on the triggering packet s destinat...

Page 32: ...you the expense of unnecessary charges Data Compression Your router incorporates Stac data compression to speed up data transfer Stac is the de facto standard of data compression over PPP links Netwo...

Page 33: ...eature that allows multiple users on the LAN Local Area Network to access the Internet concurrently for the cost of a single user NAT address mapping can also be used for other LAN to LAN connections...

Page 34: ...enge Handshake Authentication Protocol authentication can be used to control remote access You can also use callback for security and or accounting purposes Figure 1 3 Remote Access 1 3 4 Secure Broad...

Page 35: ...Prestige 202H User s Guide Getting to Know Your Prestige 1 7 Figure 1 4 Secure Internet Access and VPN Application...

Page 36: ......

Page 37: ...power is applied to the router and it has boot up properly A green blinking PWR SYS LED indicates the router is performing a system test or rebooting When the router senses low voltage power the PWR S...

Page 38: ...outer and the female end to a serial port COM1 COM2 or other COM port of your computer After the initial setup you can modify the configuration remotely through telnet connections See the chapter on T...

Page 39: ...On Your Router At this point you should have connected the console port the ISDN port the Ethernet port s and the power port to the appropriate devices or lines You can now turn on the router by pushi...

Page 40: ......

Page 41: ...tige via the Console Port Make sure you have the physical connection properly set up as described in the hardware installation chapter When configuring using the console port you need a computer equip...

Page 42: ...d press ENTER Move up to a previous menu ESC Press the ESC key to move back to the previous menu Move to a hidden menu Press SPACE BAR to change No to Yes then press ENTER Fields beginning with Edit l...

Page 43: ...e password the SMT displays the Main Menu as shown Figure 3 2 SMT Main Menu 3 4 1 System Management Terminal Interface Summary Table 3 2 Main Menu Summary NO Menu Title FUNCTION 1 General Setup Use th...

Page 44: ...r router can be used as a dial in server 14 Dial in User Setup Use this menu to configure settings for remote dial in users 15 NAT Setup Use this menu to configure Network Address Translation 21 Filte...

Page 45: ...e Configuration Menu 24 7 System Maintenance Upload Firmware Menu 24 8 Command Interpreter Mode Menu 24 3 1 System Maintenance View Error Log Menu 24 3 2 System Maintenance UNIX Syslog Menu 24 2 1 Sys...

Page 46: ...d press ENTER Note that as you type a password the screen displays an X for each character you type 3 7 Resetting the Prestige If you forget your password or cannot access the SMT menu you will need t...

Page 47: ...ation software session and turn on the Prestige again When you see the message Press Any key to enter Debug Mode within 3 seconds press any key to enter debug mode Step 3 Enter atlc after Enter Debug...

Page 48: ...er then Send File to display the following screen Figure 3 6 Example Xmodem Upload Step 6 After successful firmware upload enter atgo to restart the router Type the configuration file s location or cl...

Page 49: ...r Name field and enter it as the System Name In Windows 2000 click Start Settings Control Panel and then double click System Click the Network Identification tab and then the Properties button Note th...

Page 50: ...ard feature for your host causes yourhost dyndns org to be aliased to the same IP address as yourhost dyndns org This feature is useful if you want to be able to use for example www yourhost dyndns or...

Page 51: ...ic DNS service provider WWW DynDNS ORG default Active Press SPACE BAR to select Yes and then press ENTER to make dynamic DNS active Yes EMAIL Enter your e mail address mail mailserver USER Enter your...

Page 52: ......

Page 53: ...p FIELD DESCRIPTION Switch Type This read only field displays your switch type DSS 1 B Channel Usage In general this will be Switch Switch default If you are only using one B channel e g your router i...

Page 54: ...ve your configuration or press ESC at any time to cancel 5 2 ISDN Advanced Setup Menus Select Yes in the Edit Advanced Setup field of Menu 2 ISDN Setup to display Menu 2 1 as shown later Switch Type T...

Page 55: ...dapter 2 will be used as the calling party number You only need to fill in these fields if your switch or PABX requires a specific calling party number for outgoing calls otherwise leave them blank Th...

Page 56: ...ur ISDN If you select Yes the router will perform a loop back test to check the ISDN line If the loop back test fails please note the error message that you receive and take the appropriate troublesho...

Page 57: ...plications through many default values that do not need to be programmed It provides a unified interface for applications to access the different ISDN services such as data voice fax telephony etc ISD...

Page 58: ...a shared device and can be used by several different client computers at the same time e g one computer sending a fax another computer doing a file transfer RVS COM has to be installed on each client...

Page 59: ...ng table describes the fields in this screen Table 5 2 Configuring NetCAPI FIELD DESCRIPTION Active This field allows you to enable or disable NetCAPI Press the SPACEBAR to select Yes or No Menu 2 2 N...

Page 60: ...phone number does not match the ISDN DATA number then the call will be routed to NetCAPI Select Called Party Subaddress if you want to direct all incoming calls to the Prestige only when the incoming...

Page 61: ...to apply to the Ethernet traffic You seldom need to filter Ethernet traffic however the filter sets may be useful to block certain packets reduce traffic and prevent security breaches Figure 6 2 Menu...

Page 62: ...IP addresses and the subnet mask If the ISP did not explicitly give you an IP network number then most likely you have a single user account and the ISP will assign you a dynamic IP address when the c...

Page 63: ...refer to RFC 1597 Address Allocation for Private Internets and RFC 1466 Guidelines for Management of IP Address Space 6 2 4 RIP Setup RIP Routing Information Protocol allows a router to exchange rout...

Page 64: ...DNS server addresses The first is for an ISP to tell a customer the DNS server addresses usually in the form of an information sheet when s he signs up If your ISP does give you the DNS server addres...

Page 65: ...d If set to Relay the router acts as a surrogate DHCP server and relays requests and responses between the remote server and the clients When set to Server the following four items need to be set Serv...

Page 66: ...ddress that you assign Unless you are implementing subnetting use the subnet mask computed by the router 255 255 255 0 RIP Direction Press SPACE BAR to select the RIP direction from Both None In Only...

Page 67: ...ess ENTER to configure the second and third network Press ENTER to open Menu 3 2 1 IP Alias Setup as shown next Figure 6 6 Menu 3 2 1 IP Alias Setup Menu 3 2 1 IP Alias Setup IP Alias 1 No IP Address...

Page 68: ...mask computed by the router 255 255 255 0 RIP Direction Press SPACE BAR and then ENTER to select the RIP direction from Both In Only Out Only Both Version Press SPACE BAR and then ENTER to select the...

Page 69: ...to record your Internet Account Information Table 7 1 Internet Account Information INTERNET ACCOUNT INFORMATION Your device s WAN IP Address if given __________________ DNS Server IP Address if given...

Page 70: ...ed with the login name above My WAN IP Addr Some implementations especially the UNIX derivatives require the WAN link to have a separate IP network number from the LAN and each end must have a unique...

Page 71: ...router uses the PPP Multilink Protocol PPP MP to bundle multiple links in a single connection to boost the effective throughput between two nodes This option is only available if the transfer type is...

Page 72: ...Advanced Applications II Part II Advanced Applications This part describes the advanced applications of your Prestige such as Remote Node Configuration Dial in Configuration and NAT...

Page 73: ...e calculated For example the Prestige may make a call but drop the call after 10 seconds maybe there was no reply but the call would still be charged at a minimum time unit let us say 3 minutes With m...

Page 74: ..._______ 3 ________ 4 ________ 5 ________ 6 ________ 7 ________ 8 ________ Enter Node to Edit Menu 11 1 Remote Node Profile Rem Node Name nodename Active Yes Call Direction Outgoing Incoming Rem Login...

Page 75: ...rom this remote node Call Direction Several other fields in this menu depend on this parameter For example in order to enable Callback the Call Direction must be set to Both Incoming Rem Login Enter t...

Page 76: ...used for outgoing calls Options for this field are CHAP PAP Your Prestige will accept either CHAP or PAP when requested by this remote node CHAP accept CHAP only PAP accept PAP only CHAP PAP Pri mary...

Page 77: ...umber Nailed up Connection This field specifies if you want to make the connection to this remote node a nailed up connection See the following section for more details No Toll Period This is the basi...

Page 78: ...gle connection to boost the effective throughput between two nodes Due to the fragmentation reconstruction overhead associated with MP you may not get a linear increase in throughput when a link is ad...

Page 79: ...add threshold is 30 Kbps and subtract threshold is 60 Kbps The Prestige performs bandwidth on demand only if it initiates the call Addition and subtraction are based on the value set in the BOD Calcu...

Page 80: ...sion The default for this field is No No BACP Your Prestige negotiates the Secondary Phone number for a dial up line from the peer when BACP Bandwidth Allocation Control Protocol is enabled otherwise...

Page 81: ...his parameter specifies the number of seconds where traffic is below the subtraction threshold before your Prestige drops the second link Default 5 sec Once you have configured this menu press ENTER a...

Page 82: ...onnection No Toll Period sec 0 Session Options Edit Filter Sets No Idle Timeout sec 300 Press ENTER to Confirm or ESC to Cancel IP address of the Prestige on LAN 2 Menu 11 1 Remote Node Profile Rem No...

Page 83: ...1 Remote Node Profile You must fill in either the remote Prestige WAN IP address or the remote Prestige LAN IP address This depends on the remote router s WAN IP i e for the remote Prestige the My WA...

Page 84: ...e ISDN link to have a separate IP network number from the LAN and each end must have a unique address within the WAN network number If this is the case enter the IP address assigned to the ISDN port o...

Page 85: ...o this remote node in its RIP broadcasts If set to Yes this route is kept private and not included in RIP broadcast If No the route to this remote node will be propagated to other hosts through RIP br...

Page 86: ...p to 4 filter sets separated by comma e g 1 5 9 12 in each filter field The default is no filters Note that spaces are accepted in this field The Prestige comes with a prepackaged filter set NetBIOS_W...

Page 87: ...igure 8 8 Menu 11 5 Remote Node Filter Menu 11 5 Remote Node Filter Input Filter Sets protocol filters device filters Output Filter Sets protocol filters device filters Call Filter Sets protocol filte...

Page 88: ......

Page 89: ...that is directly connected to a remote node Each remote node specifies only the network to which the gateway is directly connected and the Prestige has no knowledge of the networks beyond For instanc...

Page 90: ...This field allows you to activate deactivate this static route Destination IP Address This parameter specifies the IP network address of the final destination Routing is always based on network numbe...

Page 91: ...represents the cost of transmission for routing purposes IP routing uses hop count as the measurement of cost with a minimum of 1 for directly connected networks Enter a number that approximates the c...

Page 92: ......

Page 93: ...h as Bandwidth On Demand Protocol Security etc 10 2 Default Dial in User Setup This section covers the default dial in parameters The parameters in menu 13 affect incoming calls from both remote dial...

Page 94: ...e three options for this field None No CLID is required Required CLID must be available or the Prestige will not answer the call Preferred If the CLID is available then CLID will be used otherwise aut...

Page 95: ...user name and password from the far end that it is dialing to If the remote node requires mutual authentication set this field to Yes No O G Username Enter the login name to be used to respond to the...

Page 96: ...s IP addresses and this field specifies the first one in the pool The IP start address is the start of a series of consecutive IP addresses IP Count 1 2 In this field enter the number 1 or 2 of addres...

Page 97: ...figured number The other is ease of accounting For instance your company pays for the connection charges for telecommuting employees and you use your Prestige as the dial in server When you turn on th...

Page 98: ...or login for example johndoe johndoe Active You can disallow dial in access to this user by setting this field to inactive Inactive users are displayed with a minus sign at the beginning of the name i...

Page 99: ...Otherwise a N A will appear in the field Enter the telephone number to which your Prestige will call back Rem CLID If you enable CLID Authen field in Menu 13 then you need to specify the telephone nu...

Page 100: ...to configure the Default Dial in User Setup to set the operational parameters for all dial in users An example of remote access server for telecommuters is shown next Figure 10 5 Example of Telecommut...

Page 101: ...Link Options Max Trans Rate Kbps 128 Callback Budget Management Allocated Budget min Period hr IP Address Supplied By Dial in User Yes IP Pool Yes IP Start Addr 192 168 250 250 IP Count 1 2 N A Sessio...

Page 102: ...e Default Dial in User Setup to set the operational parameters for incoming calls Additionally you must create a remote node for the router on the remote network see the chapter on Remote Node Configu...

Page 103: ...rrier Access Code Nailed Up Connection No Toll Period sec 0 Session Options Edit Filter Sets No Idle Timeout sec 300 Press ENTER to Confirm or ESC to Cancel Press Space Bar to Toggle Set Call Directio...

Page 104: ...D channel and verifies that the calling number corresponds with that configured in menu 11 If they do the Prestige LAN 2 hangs up and calls the Prestige on LAN 1 back Start dialing for node LAN_2 Hit...

Page 105: ...s Edit Filter Sets No Press ENTER to Confirm or ESC to Cancel Press Space Bar to Toggle Set this field to Required Menu 11 1 Remote Node Profile Rem Node Name LAN_1 Active Yes Call Direction Both Inco...

Page 106: ...lling number does not match the Rem CLID number in Menu 11 1 Figure 10 14 Callback and CLID Connection Test Copyright c 1994 2003 ZyXEL Communications Corp LAN_2 sys trcl call Tracelog type 9080 level...

Page 107: ...f a host when the packet is in the local network while the global address refers to the IP address of the host when the same packet is traveling in the WAN side Note that inside outside refers to the...

Page 108: ...ional benefit of firewall protection With no servers defined your Prestige filters out all incoming inquiries thus preventing intruders from probing your network For more information on IP address tra...

Page 109: ...NAT Works 11 1 4 NAT Application The following figure illustrates a possible NAT application where three inside LANs logical LANs using IP Alias behind the Prestige can communicate with three distinct...

Page 110: ...ge maps multiple local IP addresses to one global IP address This is equivalent to SUA for instance PAT port address translation ZyXEL s Single User Account feature that previous ZyXEL routers support...

Page 111: ...IGA1 M 1 Many to Many Overload ILA1 IGA1 ILA2 IGA2 ILA3 IGA1 ILA4 IGA2 M M Ov Many to Many No Overload ILA1 IGA1 ILA2 IGA2 ILA3 IGA3 M M No OV Server Server 1 IP IGA1 Server 2 IP IGA1 Server 3 IP IGA1...

Page 112: ...ss Setup Figure 11 3 Applying NAT for Internet Access The following figure shows how you apply NAT to the remote node in menu 11 1 Step 1 Enter 11 from the main menu and select a remote node Step 2 Mo...

Page 113: ...o create the mapping table used to assign global addresses to computers on the LAN You can see two NAT Address Mapping sets in menu 15 1 You can only configure Set 1 Set 255 is used for SUA When you s...

Page 114: ...Menu 15 1 Address Mapping Sets SUA Address Mapping Set Enter 255 to display the next screen see also section 11 1 6 The fields in this menu cannot be changed Menu 15 NAT Setup 1 Address Mapping Sets...

Page 115: ...P 0 0 0 0 Global End IP This is the ending global IP address IGA Type These are the mapping types discussed above see Table 11 2 Server allows us to specify multiple servers of different types behind...

Page 116: ...ignored If there are any empty rules before your new configured rule your configured rule will be pushed up by that number of empty rules For example if you have already configured rules 1 to 6 in yo...

Page 117: ...select the rule to apply the action in question 1 You must press ENTER at the bottom of the screen to save the whole set You must do this again if you make any changes to the set including deleting a...

Page 118: ...obal IP address IGA This field is N A for One to One Many to One and Server types N A Server Mapping Set Only available when Type is set to Server Type a number from 1 to 10 to choose a server set fro...

Page 119: ...ure refer to your ISP The most often used port numbers are shown in the following table Please refer to RFC 1700 for further information about port numbers Please also refer to the included disk for m...

Page 120: ...e IP address of the server in the IP Address field In the following figure you have a computer acting as an FTP Telnet and SMTP server ports 21 23 and 25 at 192 168 1 33 Menu 15 2 NAT Server Setup Rul...

Page 121: ...at any time to cancel Figure 11 12 Multiple Servers Behind NAT Example 11 5 General NAT Examples This section provides some examples with Network Address Translation 11 5 1 Example 1 Internet Access O...

Page 122: ...read only option from the Network Address Translation field in menus 4 and 11 3 is specifically pre configured to handle this case Menu 4 Internet Access Setup Menu 4 Internet Access Setup ISP s Name...

Page 123: ...xample 2 Internet Access with an Inside Server Figure 11 15 NAT Example 2 In this case you do exactly as above use the convenient pre configured SUA Only set and also go to menu 15 2 to specify the In...

Page 124: ...t IGA to the first inside FTP server for FTP traffic in both directions 1 1 mapping giving both local and global IP addresses Rule 2 Map the second IGA to our second inside FTP server for FTP traffic...

Page 125: ...nter 15 from the main menu Step 3 Enter 1 to configure the Address Mapping Sets Step 4 Enter 1 to begin configuring this new set Enter a Set Name choose the Edit Action and then enter 1 for the Select...

Page 126: ...192 168 1 10 End N A Global IP Start 10 132 50 1 End N A Server Mapping Set N A Press ENTER to Confirm or ESC to Cancel Press Space Bar to Toggle Menu 11 3 Remote Node Network Layer Options IP Option...

Page 127: ...Mapping Rules Set Name Example3 Idx Local Start IP Local End IP Global Start IP Global End IP Type 1 192 168 1 10 10 132 50 1 1 1 2 192 168 1 11 10 132 50 2 1 1 3 0 0 0 0 255 255 255 255 10 132 50 3...

Page 128: ...bers do not change for Many to Many No Overload and One to One NAT mapping types The following figure illustrates this Figure 11 21 NAT Example 4 Other applications such as some gaming programs are NA...

Page 129: ...1 1 1 Address Mapping Rule Type Many to Many No Overload Local IP Start 192 168 1 10 End 192 168 1 12 Global IP Start 10 132 50 1 End 10 132 50 3 Server Mapping Set N A Press ENTER to Confirm or ESC...

Page 130: ...Firewall III Part III Firewall This part introduces firewalls in general and the Prestige firewall It also explains customized services and logs and gives example firewall rules...

Page 131: ...r a firewall to guard effectively you must design and deploy it appropriately This requires integrating the firewall into a broad information security policy In addition specific policies must be impl...

Page 132: ...g that some proxies support See section 12 5 for more information on Stateful Inspection Firewalls of one type or another have become an integral part of standard security solutions for enterprises 12...

Page 133: ...ls that perform specific functions An extension number called the TCP port or UDP port identifies these protocols such as HTTP Web FTP File Transfer Protocol POP3 E mail etc For example Web traffic by...

Page 134: ...size packet is then sent to an unsuspecting system Systems may crash hang or reboot 1 b Teardrop attack exploits weaknesses in the re assembly of IP packet fragments As data is transmitted through a n...

Page 135: ...ack floods a targeted system with a series of SYN packets Each packet causes the targeted system to issue a SYN ACK response While the targeted system waits for the ACK that follows the SYN ACK it que...

Page 136: ...t the ICMP echo request packet to all hosts on the network If there are numerous hosts this will create a large amount of ICMP echo request and response traffic If a hacker chooses to spoof the source...

Page 137: ...from within the trusted network To engage in IP spoofing a hacker must modify the packet headers so that it appears that the packets originate from a trusted host and should be allowed through the rou...

Page 138: ...r protocol is configured for a firewall rule inspection 1 The packet travels from the firewall s LAN to the WAN 2 The packet is evaluated against the interface s existing outbound access list and the...

Page 139: ...on s state table entry is deleted and the connection s temporary inbound access list entries are deleted 12 5 2 Stateful Inspection and the Prestige Additional rules may be defined to extend or overri...

Page 140: ...nce numbers However at the very minimum they contain an IP address pair source and destination UDP also contains port pairs and ICMP has type and code information All of this data can be analyzed in o...

Page 141: ...l service such as SNMP or NTP that you don t use Any enabled service could present a potential security risk A determined hacker might be able to find creative ways to misuse the enabled services to a...

Page 142: ...as or 8 Upgrade your software regularly Many older versions of software especially web browsers have well known security deficiencies When you upgrade to the latest versions you get the latest patches...

Page 143: ...squerading as a response to a nonexistent outbound request can be blocked The firewall uses session filtering i e smart rules that enhance the filtering process and control the network session rather...

Page 144: ......

Page 145: ...allow you to activate the firewall and view firewall logs 13 2 Using Prestige SMT Menus From the main menu enter 21 to go to Menu 21 Filter Set and Firewall Configuration to display the screen shown...

Page 146: ...ssions originating from the LAN to the WAN and 2 deny all sessions originating from the WAN to the LAN You may define additional Policy rules or modify existing ones but please exercise extreme cautio...

Page 147: ...tched did not match or was there an attack The set and rule coordinates X Y where X 1 2 Y 00 10 follow with a simple explanation There are two policy sets set 1 X 1 is for LAN to WAN rules and set 2 X...

Page 148: ......

Page 149: ...Launch your web browser and enter 192 168 1 1 as the URL Step 2 Enter admin as the user name and 1234 default as the password and click Login Step 3 The Site Map screen displays as shown next Figure...

Page 150: ...ick this link to enable the firewall Email Click this link to configure an alert report to be sent to a specific e mail address Alert Click this link to configure alerts to be sent in the event of att...

Page 151: ...N to LAN traffic Logs Click this link to view the firewall s logs 14 2 Enabling the Firewall Click Advanced Setup Firewall and then Config to display the following screen Click the Firewall Enabled ch...

Page 152: ...lert when attack detected checkbox or when a rule is matched in the Rule Config screen see Figure 15 4 When an event generates an alert a message is immediately sent to an e mail account specified by...

Page 153: ...il address to identify the Prestige as the sender of the e mail messages i e a return to sender address for backup purposes returnaddress pre stige com Log Timer Log Schedule This pop up menu is used...

Page 154: ...ror messages appear in SMT menu 24 3 1 as SMTP action request failed ret The are described in the following table Table 14 3 SMTP Error Messages 1 means Prestige out of socket 2 means tcp SYN fail 3 m...

Page 155: ...ed sessions Subject Firewall Alert From Prestige Date Fri 07 Apr 2000 10 05 42 From user zyxel com To user zyxel com 1 Apr 7 00 From 192 168 1 1 To 192 168 1 255 default policy forward 09 54 03 UDP sr...

Page 156: ...pen sessions rises above a threshold max incomplete high the Prestige starts deleting half open sessions as required to accommodate new connection requests The Prestige continues to delete half open r...

Page 157: ...whenever TCP Maximum Incomplete is exceeded The global values specified for the threshold and timeout apply to all TCP connections Click Advanced Setup Firewall and Alert to bring up the next screen...

Page 158: ...d to stop deleting half open sessions when fewer than 80 session establishment attempts have been detected in the last minute Maximum Incomplete Low This is the number of existing half open sessions t...

Page 159: ...When TCP Maximum Incomplete is reached you can choose if the next session should be allowed or blocked If you select the Blocking Time checkbox any new sessions will be blocked for the length of time...

Page 160: ......

Page 161: ...fter you configure them For example you may create rules to Block certain types of traffic such as IRC Internet Relay Chat from the LAN to the Internet Allow certain types of traffic such as Lotus Not...

Page 162: ...ers that require this service 2 Is it possible to modify the rule to be more specific For example if IRC is blocked for all users will a rule that blocks just certain users be more effective 3 Does a...

Page 163: ...of IPs or a subnet 15 3 Connection Direction This section talks about configuring firewall rules for connections going from LAN to WAN and WAN to LAN in your firewall 15 3 1 LAN to WAN Rules The defau...

Page 164: ...lowing figure Figure 15 2 WAN to LAN Traffic 15 4 Rule Summary The fields in the Rule Summary screens are the same for Local Network and Internet so the discussion below refers to both Click on Firewa...

Page 165: ...RIPTION EXAMPLE The default action for packets not matching following rules Should packets that do not match the following rules be blocked or forwarded Make your choice from the drop down list box No...

Page 166: ...is created None None Rules Reorder Move rule number You may reorder your rules using this function Select by clicking on the rule you want to move The ordering of your rules is important as rules are...

Page 167: ...possible by e mail H 323 TCP 1720 Net Meeting uses this protocol HTTP TCP 80 Hyper Text Transfer Protocol a client server protocol for the world wide web HTTPS HTTPS is a secured http session often u...

Page 168: ...TCP 512 Remote Command Service REAL_AUDIO TCP 7070 A streaming audio service that enables real time sound over the web REXEC TCP 514 Remote Execution Daemon RLOGIN TCP 513 Remote Login RTELNET TCP 10...

Page 169: ...ronments It operates over TCP IP networks Its primary function is to allow users to log into remote host systems TFTP UDP 69 Trivial File Transfer Protocol is an Internet file transfer protocol simila...

Page 170: ...Prestige 202H User s Guide 15 10 Creating Custom Rules Figure 15 4 Creating Editing A Firewall Rule The following table describes the fields in this screen...

Page 171: ...click Edit Available Service Click this button to go to the list of available custom services Action for Matched Packets Should packets that match this rule be blocked or forwarded Make your choice fr...

Page 172: ...2 169 1 50 a subnet or any IP address Select an option from the drop down list box Subnet Address Start IP Address Enter the single IP address or the starting IP address in a range here End IP Address...

Page 173: ...to Local Network Set Figure 15 6 Timeout Screen The following table describes the fields in this screen Table 15 5 Timeout Menu FIELD DESCRIPTION DEFAULT VALUE TCP Timeout Values Connection Timeout T...

Page 174: ...is the length of time of inactivity a UDP connection remains open before the Prestige considers the connection closed 60 seconds ICMP Timeout This is the length of time an ICMP session waits for the...

Page 175: ...d services and port numbers not predefined by the Prestige see Figure 15 4 For a comprehensive list of port numbers and services visit the IANA Internet Assigned Number Authority website For further i...

Page 176: ...protocol TCP UDP or Both that defines your customized port Port This is the port number or range that defines your customized port Use the Help icon for field descriptions When you have finished viewi...

Page 177: ...ck Back to return to the previous screen When you have finished click Apply to save your customized settings and exit this screen Cancel to return to the previously saved settings Delete to remove thi...

Page 178: ...rule screen and then click a rule number to bring up the Firewall Customized Services Config screen Configure as follows Figure 16 4 Customized Service for MyService Customized services show up with a...

Page 179: ...tlined earlier in this chapter to configure all your rules Configure the rule configuration screen like the one below and apply it Figure 16 5 MyService Rule Configuration This is your MyService custo...

Page 180: ...y screen should look like the following Don t forget to click Apply when you have finished configuring your rule s to save your settings back to the Prestige Figure 16 6 Example Rule Summary Rule 3 Al...

Page 181: ...s that match don t match or both this rule see Figure 15 4 Click Logs to bring up the next screen Firewall logs may also be viewed in SMT Menu 21 3 see section 13 2 or via syslog SMT Menu 24 3 2 Syste...

Page 182: ...ow with a simple explanation There are two policy sets set 1 X 1 is for LAN to WAN rules and set 2 X 2 for WAN to LAN rules Y represents the rule in the set You can configure up to 10 rules in any set...

Page 183: ...ced Management This part discusses Filtering SNMP System Information and Diagnosis Firmware and Configuration File Maintenance System Maintenance and Information Call Scheduling Remote Management and...

Page 184: ......

Page 185: ...divided into incoming and outgoing filters depending on the direction of the packet relative to a port Data filtering can be applied on either the WAN side or the Ethernet side Call filtering is used...

Page 186: ...s that follow The following figure illustrates the logic flow when executing a filter rule Data Outgoing Packet Drop packet Built in default Call Filters User defined Call Filters if applicable Initia...

Page 187: ...etch Next Filter Set Next Filter Set Available Accept Packet Drop Packet Yes No Yes No Yes Packet intoFilter Filter Set Forward Drop No Check Next Rule Figure 18 2 Filter Rule Process You can apply up...

Page 188: ...ted rules for example all the rules for NetBIOS into a single set and give it a descriptive name You can configure up to twelve filter sets with six rules in each set for a total of 72 filter rules in...

Page 189: ...ER to confirm to open Menu 21 1 x Filter Rules Summary The following shows filter rules summary screens for filter sets 1 through 4 Menu 21 1 Filter Set Configuration Filter Filter Set Comments Set Co...

Page 190: ...2 Y IP Pr 6 SA 0 0 0 0 DA 0 0 0 0 DP 138 N D N 3 Y IP Pr 6 SA 0 0 0 0 DA 0 0 0 0 DP 139 N D N 4 Y IP Pr 17 SA 0 0 0 0 DA 0 0 0 0 DP 137 N D N 5 Y IP Pr 17 SA 0 0 0 0 DA 0 0 0 0 DP 138 N D N 6 Y IP Pr...

Page 191: ...bbreviations used in the previous menus Menu 21 1 4 Filter Rules Summary A Type Filter Rules M m n 1 Y IP Pr 6 SA 0 0 0 0 DA 0 0 0 0 DP 21 N D F 2 Y IP Pr 6 SA 0 0 0 0 DA 0 0 0 0 DP 20 N D F 3 N 4 N 5...

Page 192: ...action to be taken for instance forward the packet drop the packet or check the next rule For the latter the next rule is independent of the rule just checked m Action Matched F means to forward the...

Page 193: ...instance protocol filters or generic filters The class of a filter set is determined by the first rule that you create When applying the filter sets to a port separate menu fields are provided for pro...

Page 194: ...d 255 A value of O matches ANY protocol 0 to 255 IP Source Route IP Source Route is an optional header that dictates the route an IP packet takes from its source to its destination If Yes the rule app...

Page 195: ...parison to apply to the source port in the packet against the value given in Source Port field Choices are None Less Greater Equal or Not Equal None TCP Estab This applies only when the IP Protocol fi...

Page 196: ...tion for a packet not matching the rule Choices are Check Next Rule Forward or Drop Check Next Rule default When you have completed this menu press ENTER at the prompt Press ENTER to confirm or ESC to...

Page 197: ...ive Check IP Protocol Drop Drop Packet Accept Packet Drop Forward Check Next Rule Check Next Rule Check Next Rule Forward Not Matched Yes No Check Src IP Addr Apply SrcAddrMask to Src Addr Matched Che...

Page 198: ...ecimal digits to represent a byte so if the length is 4 the value in either field will take 8 digits for example FFFFFFFF To configure a generic rule select an empty filter set in menu 21 1 for exampl...

Page 199: ...l to compare with the data portion More If Yes a matching packet is passed to the next filter rule before an action is taken or else the packet is disposed of according to the action fields If More is...

Page 200: ...xact address and port on the wire Therefore the Prestige applies the protocol filters to the native IP address and port number before NAT for outgoing packets and after NAT for incoming packets On the...

Page 201: ...d Firewall Setup Step 2 Enter 1 to open Menu 21 1 Filter Set Configuration Step 3 Enter the index of the filter set you wish to configure such as 4 and press ENTER Step 4 Enter a descriptive name or c...

Page 202: ...More No Log None Action Matched Drop Action Not Matched Forward Press ENTER to Confirm or ESC to Cancel Press SPACE BAR to choose this filter rule type The first filter rule type determines all subse...

Page 203: ...ly the example filter set for example filter set 3 in this menu as shown in the next section 18 6 Applying Filters and Factory Defaults Menu 21 1 9 Filter Rules Summary A Type Filter Rules M m n 1 Y I...

Page 204: ...separated by commas for example 3 4 6 11 The factory default filter set NetBIOS_LAN is inserted in the protocol filters field under Input Filter Sets in menu 3 1 in order to prevent local NetBIOS mes...

Page 205: ...t Filter Sets protocol filters 3 4 5 device filters Output Filter Sets protocol filters 1 device filters Enter here to CONFIRM or ESC to CANCEL Apply filter 3 to block Telnet traffic from the WAN filt...

Page 206: ......

Page 207: ...NMP is a member of the TCP IP protocol suite Your Prestige supports SNMP agent functionality which allows a manager station to manage and monitor the Prestige through the network The Prestige supports...

Page 208: ...equest response protocol based on the manager agent model The manager issues a request and the agent returns responses using the following protocol operations Get Allows the manager to retrieve an obj...

Page 209: ...ress A blank default field means your Prestige will respond to all SNMP messages it receives regardless of source 0 0 0 0 Trap Community Type the trap community which is the password sent with each tr...

Page 210: ...sent with the port number 4 authenticationFailure defined in RFC 1215 A trap is sent to the manager when receiving any SNMP get or set requirements with wrong community password 6 linkDown defined in...

Page 211: ...f the ports as shown next System Status is a tool that can be used to monitor your Prestige Specifically it gives you information on your G SHDSL telephone line status number of packets sent and recei...

Page 212: ...bandwidth used on this channel ALU The ALU Average Line Utilization is a 5 second moving average of usage for this channel Up Time Time this channel has been connected to the current remote node Chan...

Page 213: ...channels since the system has been powered up CPU Load This specifies the percentage of CPU utilization LAN Packet Which Triggered Last Call This shows the first 48 octets of the LAN packet that trig...

Page 214: ...sed ZyNOS F W Version Refers to the ZyNOS ZyXEL Network Operating System system firmware version ZyNOS is a registered trademark of ZyXEL Communications Corporation Country Code This is the country co...

Page 215: ...speed in menu 24 2 2 as shown in the following figure Figure 20 5 Menu 24 2 2 System Maintenance Change Console Port Speed 20 4 Log and Trace Type 3 in menu 24 to open Menu 24 3 Log and Trace This me...

Page 216: ...ix Syslog The Prestige uses the UNIX syslog facility to log the CDR Call Detail Record and system messages to a syslog server Syslog and accounting can be configured in Menu 24 3 2 System Maintenance...

Page 217: ...message to different files in the server Please refer to your UNIX manual for more details Types CDR Call Detail Record CDR logs all data phone line activity if set to Yes Packet Triggered The first...

Page 218: ...Call Terminated Jul 19 11 19 27 192 168 102 2 ZyXEL board 0 line 0 channel 0 call 1 C01 Outgoing Call dev 2 ch 0 40002 Jul 19 11 19 32 192 168 102 2 ZyXEL board 0 line 0 channel 0 call 1 C02 OutCall C...

Page 219: ...S05 R01mF Mar 03 12 00 57 202 132 155 97 ZyXEL GEN 00a0c5f502010080 S05 R01mF Mar 03 12 01 06 202 132 155 97 ZyXEL IP Src 192 168 2 33 Dst 202 132 155 93 TCP spo 01170 dpo 00021 S04 R01mF 4 PPP log PP...

Page 220: ...ge this value unless your network administrator instructs you to do so 1646 Key Specify a password up to 31 alphanumeric characters as the key to be shared between the external accounting server and t...

Page 221: ...gth 20 Type of Service 0x00 0 Total Length 0x002C 44 Identification 0x0002 2 Flags 0x00 Fragment Offset 0x00 Time to Live 0xFE 254 Protocol 0x06 TCP Header Checksum 0xFB20 64288 Source IP 0xC0A80101 1...

Page 222: ...This tool hangs up the B1 channel It is only applicable if the B1 channel is currently in use Hang Up B2 Call This tool hangs up the B2 channel It is only applicable if the B2 channel is currently in...

Page 223: ...s option reboots the Prestige Command Mode This option allows you to enter the command mode It allows you to diagnose and test your Prestige using a specified set of commands Manual Call Remote Node I...

Page 224: ......

Page 225: ...ut firmware bin ras This is a sample FTP session showing the transfer of the computer file firmware bin to the Prestige ftp get rom 0 config cfg This is a sample FTP session saving the current configu...

Page 226: ...load files in menus 24 5 24 6 24 7 1 and 24 7 2 depending on whether you use the console port or Telnet Option 5 from Menu 24 System Maintenance allows you to backup the current Prestige configuration...

Page 227: ...nsfers the configuration file on the Prestige to your computer and renames it config rom See earlier in this chapter for more information on filename conventions Step 7 Enter quit to exit the ftp prom...

Page 228: ...option Normal The server requires a unique User ID and Password to login Transfer Type Transfer files in either ASCII plain text format or in binary mode Initial Remote Directory Specify the default...

Page 229: ...I mode by entering 8 in Menu 24 System Maintenance Step 3 Enter command sys stdio 0 to disable the SMT timeout so the TFTP transfer will not be interrupted Enter command sys stdio 5 to restore the fiv...

Page 230: ...bin extension or configuration file rom extension on your computer Remote File This is the filename on the Prestige The filename for the firmware is ras and for the configuration file is rom 0 Binary...

Page 231: ...s section shows you how to restore a previously saved configuration Note that this function erases the current configuration before restoring a previous back up configuration please do not attempt to...

Page 232: ...transfer files from the Prestige to the computer for example put config rom rom 0 transfers the configuration file config rom on your computer to the Prestige See earlier in this chapter for more inf...

Page 233: ...ial communications programs should be similar Step 1 Display menu 24 6 and enter y at the following screen Figure 21 9 System Maintenance Restore Configuration Step 2 The following screen indicates th...

Page 234: ...following the instructions in Menu 24 7 2 System Maintenance Upload System Configuration File for console port WARNING DO NOT INTERRUPT THE FILE TRANSFER PROCESS AS THIS MAY PERMANENTLY DAMAGE YOUR P...

Page 235: ...ur system Then type root and SMT password as requested 3 Type put firmwarefilename ras where firmwarefilename is the name of your firmware upgrade file on your computer and ras is the remote file name...

Page 236: ...es it rom 0 Likewise get rom 0 config rom transfers the configuration file on the Prestige to your computer and renames it config rom See earlier in this chapter for more information on filename conve...

Page 237: ...interpreter CI mode by entering 8 in Menu 24 System Maintenance Step 3 Enter the command sys stdio 0 to disable the console timeout so the TFTP transfer will not be interrupted Enter command sys stdio...

Page 238: ...FTP or TFTP is faster Any serial communications program should work fine however you must use the Xmodem protocol to perform the download upload 21 4 8 Uploading Firmware File Via Console Port Step 1...

Page 239: ...he configuration upload process has completed restart the Prestige by entering atgo 21 4 10 Uploading Configuration File Via Console Port Step 1 Select 2 from Menu 24 7 System Maintenance Upload Firmw...

Page 240: ...Menu 24 7 2 System Maintenance Upload System Configuration File To upload system configuration file 1 Enter y at the prompt below to go into debug mode 2 Enter atlc after Enter Debug Mode message 3 W...

Page 241: ...Maintenance 21 17 Figure 21 20 Example Xmodem Upload After the configuration upload process has completed restart the Prestige by entering atgo Type the configuration file s location or click Browse t...

Page 242: ......

Page 243: ...ction to the console port although some commands are only available with a serial connection See the included disk or the zyxel com web site for more detailed information on CI commands Enter 8 from M...

Page 244: ...eeds the limit the current call will be dropped and any future outgoing calls will be blocked The blacklist function prevents the Prestige from re dialing to an unreachable phone number It is a list o...

Page 245: ...he Prestige will timeout if it cannot set up an outgoing digital call within the timeout value The default is 30 Retry Counter How many times a busy or no answer telephone number is retried before it...

Page 246: ...9 1 Budget Management The total budget is the time limit on the accumulated time for outgoing calls to a remote node When this limit is reached the call will be dropped and further outgoing calls to t...

Page 247: ...that has gone by within the allocated budget that you set in menu 11 1 5 10 means that 5 minutes out of a total allocation of 10 minutes have lapsed Elapsed Time Total Period The period is the time cy...

Page 248: ...om that telephone number 22 3 Time and Date There is a software mechanism to set the time manually or get the current time and date from an external server when you turn on your Prestige Menu 24 10 al...

Page 249: ...ay have to check with your ISP network administrator or use trial and error to find a protocol that works The main differences between them are the format Daytime RFC 867 format is day month year time...

Page 250: ...Current Date This field displays an updated date only when you reenter this menu New Date Enter the new date in year month and day format Time Zone Press SPACE BAR and then ENTER to set the time diff...

Page 251: ...igure 23 1 Menu 26 Schedule Setup Lower numbered sets take precedence over higher numbered sets thereby avoiding scheduling conflicts For example if sets 1 2 3 and 4 are applied in the remote node the...

Page 252: ...the present to 2036 February 5 How Often Should this schedule set recur weekly or be used just once only Press SPACE BAR and then ENTER to select Once or Weekly Both these options are mutually exclusi...

Page 253: ...or not there is a demand call on the line Enable Dial On Demand means that this schedule permits a demand call on the line Disable Dial On Demand means that this schedule prevents a demand call on th...

Page 254: ...t IP No Incoming Telco Option Rem Login Transfer Type 64K Rem Password Allocated Budget min Rem CLID Period hr Call Back No Schedules 1 3 4 11 Outgoing Carrier Access Code My Login Nailed Up Connectio...

Page 255: ...menu 3 1 LAN or in menu 11 5 WAN is applied to block a Telnet FTP or Web service 6 You have disabled that service in one of the remote management screens 7 The IP address in the Secured Client IP fie...

Page 256: ...on the command line 24 2 Telnet You can configure your Prestige for remote Telnet access as shown next Figure 24 1 Telnet Configuration on a TCP IP Network 24 3 FTP You can upload and download Presti...

Page 257: ...terface if any by pressing the SPACE BAR Choices are LAN only WAN only All or Disable The default is LAN only Secured Client IP The default 0 0 0 0 allows any client to use this service to remotely ma...

Page 258: ......

Page 259: ...ons for secure data communications across a public network like the Internet IPSec is built around a number of standardized cryptographic techniques to provide confidentiality data integrity and authe...

Page 260: ...Prestige supports the following VPN applications Linking Two or More Private Networks Together Connect branch offices and business partners over the Internet with significant cost savings and improved...

Page 261: ...Prestige 202H User s Guide Introduction to VPN IPSec 25 3 Figure 25 2 VPN Application 25 2 IPSec Architecture The overall IPSec architecture is shown as follows...

Page 262: ...e including implementation algorithms The Encryption Algorithm describes the use of encryption techniques such as DES Data Encryption Standard and Triple DES algorithms The Authentication Algorithms H...

Page 263: ...for integrity against the data With the use of AH as the security protocol protection is extended forward into the IP header to verify the integrity of the entire packet by use of portions of the orig...

Page 264: ...t the receiving end doesn t know about the NAT in the middle so it assumes that the data has been maliciously altered IPSec using ESP in Tunnel mode encapsulates the entire original packet including h...

Page 265: ...connections 26 1 1 VPN IPSec SMT Menus The VPN IPSec main SMT menu has three main submenus 1 Define VPN policies in menu 27 1 submenus including security policies endpoint IP addresses peer IPSec rou...

Page 266: ...cations where confidentiality is not required or not sanctioned by government encryption restrictions an AH can be employed to ensure integrity This type of implementation does not protect the informa...

Page 267: ...Secure Gateway Addr is the WAN IP address or domain name of the remote IPSec router secure gateway If the remote secure gateway has a static public IP address enter it in the Secure Gateway Addr fiel...

Page 268: ...6 5 IPSec Summary Type 1 in menu 27 and then press ENTER to display Menu 27 1 IPSec Summary This is a summary read only menu of your IPSec rules tunnels Edit or create an IPSec rule by selecting an in...

Page 269: ...1 IPSec Summary FIELD DESCRIPTION EXAMPLE This is the VPN policy index number 001 Name This field displays the unique identification name for this VPN rule The name may be up to 32 characters long but...

Page 270: ...1 2 if is displayed Tunnel IPSec Algorithm This field displays the security protocols used for an SA ESP provides confidentiality and integrity of data by encrypting the data and encapsulating it int...

Page 271: ...p is configured to Range this is the end static IP address in a range of computers on the network behind the remote IPSec router When the Addr Type field in Menu 27 1 1 IPSec Setup is configured to SU...

Page 272: ...Prestige identifies incoming SAs by ID type and content since this identifying information is not encrypted This enables the Prestige to distinguish between multiple rules for SAs that connect from r...

Page 273: ...ige automatically use the address in the Secure Gateway field DNS Type a domain name up to 31 characters by which to identify the remote IPSec router E mail Type an e mail address up to 31 characters...

Page 274: ...ocal ID content 1 1 1 10 Local ID content 1 1 1 10 Peer ID type E mail Peer ID type IP Peer ID content aa yahoo com Peer ID content N A 26 8 Pre Shared Key A pre shared key identifies a communicating...

Page 275: ...ige automatically re initiate the SA after the SA lifetime times out even if there is no traffic The remote IPSec router must also have keep alive enabled in order for this feature to work No Local ID...

Page 276: ...PN tunnel has to be rebuilt if this IP address changes 0 0 0 0 Peer ID Type Select IP to identify the remote IPSec router by its IP address Select DNS to identify the remote IPSec router by a domain n...

Page 277: ...y time Addr Type Press SPACE BAR to choose SINGLE RANGE or SUBNET and press ENTER Select SINGLE with a single IP address Select RANGE for a specific range of IP addresses Select SUBNET to specify IP a...

Page 278: ...ddresses on a network by their subnet mask SUBNET IP Addr Start When the Addr Type field is configured to Single enter a static IP address on the network behind the remote IPSec router When the Addr T...

Page 279: ...SPACE BAR to choose either IKE or Manual and then press ENTER Manual is useful for troubleshooting if you have problems using IKE key management IKE Edit Key Management Setup Press SPACE BAR to change...

Page 280: ...ready established the IPSec SA stays connected In phase 2 you must Choose which protocol to use ESP or AH for the IKE key exchange Choose an encryption algorithm Choose an authentication algorithm Cho...

Page 281: ...otection It is useful in remote access situations where the address of the initiator is not know by the responder and both parties want to use pre shared key authentication 26 10 2 Diffie Hellman DH K...

Page 282: ...s connecting through a secure gateway must have the same negotiation mode Main Pre Shared Key Prestige gateways authenticate an IKE VPN session by matching pre shared keys Pre shared keys are best for...

Page 283: ...renegotiates in this field It may range from 60 to 3 000 000 seconds almost 35 days A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication...

Page 284: ...12 1 Active Protocol This field is a combination of mode and security protocols used for the VPN These parameters were discussed earlier Table 26 9 Active Protocol Encapsulation and Security Protocol...

Page 285: ...up a tunnel without encryption When you select NULL you do not enter any encryption keys DES Key1 Enter a unique eight character key Any character may be used including spaces but trailing spaces are...

Page 286: ...ces but trailing spaces are truncated N A When you have completed this menu press ENTER at the prompt Press ENTER to Confirm to save your configuration or press ESC at any time to cancel 26 13 Telecom...

Page 287: ...TELECOMMUTER HEADQUARTERS My IP Address 0 0 0 0 dynamic IP address assigned by the ISP Public static IP address Secure Gateway IP Address Public static IP address or domain name 0 0 0 0 With this IP a...

Page 288: ...s a Prestige at headquarters They can use different IPSec parameters including the pre shared key and the local IP addresses or ranges of addresses can overlap See the following graphic for an example...

Page 289: ...ections An SA times out automatically after one minute if there is no traffic 1 Use the Refresh function to display active VPN connections 2 Use the Disconnect function to cut off active connections T...

Page 290: ...sulating it into IP packets Encryption methods include 56 bit DES and 168 bit 3DES NULL denotes a tunnel without encryption An incoming SA may have an AH in addition to ESP The Authentication Header p...

Page 291: ...following figure shows a typical log from the VPN connection peer Index Date Time Log 001 01 Jan 08 02 22 Send Main Mode request to 192 168 100 101 002 01 Jan 08 02 22 Send SA 003 01 Jan 08 02 22 Recv...

Page 292: ...Recv Main Mode request from IP Recv Aggressive Mode request from IP The Prestige has received an IKE negotiation request from the peer Send Symbol Symbol Recv Symbol Symbol IKE uses the ISAKMP protoco...

Page 293: ...emote IP address ranges If these ranges differ then the connection fails Local remote IPs of incoming request conflict with rule d If the security gateway is 0 0 0 0 the Prestige will use the peer s L...

Page 294: ...t If the Prestige receives a packet with the wrong sequence number it will discard it Inbound packet authentication failed The authentication configuration settings are incorrect Please check them Inb...

Page 295: ...Prestige 202H User s Guide IPSec Log 28 5 Table 28 3 RFC 2408 ISAKMP Payload Types LOG DISPLAY PAYLOAD TYPE NONCE Nonce NOTFY Notification DEL Delete VID Vendor ID...

Page 296: ...Appendices and Index V Part V Appendices and Index This part provides appendices and an index of key terms...

Page 297: ......

Page 298: ...LEDs turn on when you turn on the Prestige If the error persists you may have a hardware problem In this case you should contact your vendor 1 Check to see if the Prestige is connected to your comput...

Page 299: ...merica only The ISDN loopback test failed If the ISDN initialization is successful then the loopback test should also work Verify the telephone numbers that have been entered in Menu 2 The loopback te...

Page 300: ...CLID Authen and Recv Authen In Menu 14 1 verify the user name and password for the remote dial in user If the remote dial in user is negotiating IP verify that the IP address is supplied correctly in...

Page 301: ...CORRECTIVE ACTION When NAT is enabled Use the Prestige s WAN IP address when configuring from the WAN Use the Prestige s LAN IP address when configuring from the LAN Cannot access the Prestige from t...

Page 302: ...el AA 121A Input Power AC120Volts 60Hz 18W max Output Power AC12Volts 1 0A Power Consumption 8 W Safety Standards UL CUL UL 1310 CSA C22 2 No 223 NORTH AMERICAN PLUG STANDARDS AC Power Adapter Model D...

Page 303: ...Adapter Model AA 121ABN Input Power AC230Volts 50Hz 140mA Output Power AC12Volts 1 0A Power Consumption 8 W Safety Standards ITS GS CE EN 60950 china Standards AC Power Adapter Model DV 121AACCP 5720...

Page 304: ...Gateway xxv Brute force Attack 12 6 BTR See Base Transmission Rate budget control 8 5 10 3 Budget Management 22 2 22 4 22 5 C Call Control 1 4 Call Direction 8 3 Call Filtering 18 1 Call Filters Built...

Page 305: ...ample 14 6 Mail Server 14 5 Mail Subject 14 5 Tab 14 4 EMAIL 4 3 E mail Address 4 3 E mail Alerts 14 5 Enable Wildcard 4 3 Encapsulation 8 8 Enter See Syntax Conventions Entering Information 3 2 Error...

Page 306: ...stallation 2 1 Hidden Menus 3 2 HTTP 11 13 12 1 12 3 12 4 26 13 26 14 HyperTerminal program 21 6 21 9 I i e See Syntax Conventions ICMP echo 12 6 Idle Timeout 8 5 10 9 Incoming Call Support 1 2 Indust...

Page 307: ...s Translation NAT 1 2 11 1 Notice iii O One Minute High 14 10 One Minute Low 14 10 One Minute High 14 8 Online Registration v Outgoing Calling Party Number 5 3 Outgoing Data Call Bumping Support 1 3 P...

Page 308: ...22 7 22 8 Service v 15 2 Service Type 16 3 Set Up a Schedule 23 2 Single User Account 7 3 SMTP Error Messages 14 6 Smurf 12 6 SNMP 1 2 Community 19 3 20 10 Configuration 19 2 Get 19 2 Manager 19 2 MIB...

Page 309: ...14 7 Time and Date Setting 22 6 22 7 Timeout 15 12 15 13 15 14 Toll Period 8 5 Traceroute 12 7 Tracing 1 3 Trademarks ii Troubleshooting A ISDN Line B LAN Interface B Remote Node or ISP C Remote User...

Reviews:

No comments

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands