manualshive.com logo in svg

ZyXEL Communications Prestige 320W, Support Notes, Page: 60 / 75

Share
Download
ZyXEL Communications Prestige 320W Support Notes Download Page 60

 

 

P320W Support Notes 

 
 

 

All contents copyright (c) 2005 ZyXEL Communications Corporation.   

60

as UNIX or Windows NT. It hides valuable data by requiring users to communicate with secure systems 

by mean of a proxy. A key drawback of this device is performance.   

Stateful Inspection Firewalls restrict access by screening data packets against defined access rules. They 

make access control decisions based on IP address and protocol. They also 'inspect' the session data to 

assure the integrity of the connection and to adapt to dynamic protocols. The flexible nature of Stateful 

Inspection firewalls generally provides the best speed and transparency, however, they may lack the 

granular application level access control or caching that some proxies support.   

What kind of firewall is the P320W?   

1.

 

The P320W's firewall inspects packets contents and IP headers. It is applicable to all protocols 

that understand data in the packet is intended for other layers, from network layer up to the 

application layer.   

2.

 

The P320W's firewall performs stateful inspection. It takes into account the state of connections it 

handles so that, for example, a legitimate incoming packet can be matched with the outbound 

request for that packet and allowed in. Conversely, an incoming packet masquerading as a 

response to a nonexistent outbound request can be blocked.   

3.

 

The P320W's firewall uses session filtering, i.e., smart rules, that enhance the filtering process and 

control the network session rather than control individual packets in a session.   

4.

 

The P320W's firewall is fast. It uses a hashing function to search the matched session cache 

instead of going through every individual rule for a packet.   

Why do you need a firewall when your router has packet filtering and NAT built-in?   

With the spectacular growth of the Internet and online access, companies that do business on the Internet 

face greater security threats. Although packet filter and NAT restrict access to particular computers and 

networks, however, for the other companies this security may be insufficient, because packets filters 

typically cannot maintain session state. Thus, for greater security, a firewall is considered.   

What is Denials of Service (DoS) attack?   

Denial of Service (DoS) attacks is aimed at devices and networks with a connection to the Internet. Their 

goal is not to steal information, but to disable a device or network so users no longer have access to 

network resources.   

There are four types of DoS attacks:   

1.

 

Those that exploits bugs in a TCP/IP implementation such as Ping of Death and Teardrop.   

Summary of Contents for Prestige 320W

Page 1: ...Prestige 320W 802 11g Wireless Firewall Router Support Notes Version v1 0 September 2005...

Page 2: ...is PPPoE 51 Does the Prestige support PPPoE 51 How do I know I am using PPPoE 52 Why does my provider use PPPoE 52 Which Internet Applications can I use with the Prestige 52 How can I configure the Pr...

Page 3: ...What kind of firewall is the P320W 60 Why do you need a firewall when your router has packet filtering and NAT built in 60 What is Denials of Service DoS attack 60 What is Ping of Death attack 61 Wha...

Page 4: ...ID 67 What is an ESSID 68 How do I secure the data across an Access Point s radio link 68 What is WEP 68 What is the difference between 40 bit and 64 bit WEP 68 What is a WEP key 68 Will 128 bit WEP c...

Page 5: ...e components needs to be checked before accessing the Internet Before you begin Setting up the Windows Setting up the Prestige router Troubleshooting Before you begin The Prestige is shipped with the...

Page 6: ...work Protocols and click OK 3 TCP IP Configuration Follow these steps to configure Windows TCP IP In the Control Panel Network window click the TCP IP entry to select it and click Properties button In...

Page 7: ...browser to configure it 1 Retrieve Prestige Web Please enter the LAN IP address of the Prestige router in the URL location to retrieve the web screen from the Prestige The default LAN IP of the Prest...

Page 8: ...ght c 2005 ZyXEL Communications Corporation 8 Select Get automatically from ISP if the ISP provides the IP dynamically otherwise select Use Fixed IP address and enter the static IP given by ISP in the...

Page 9: ...potentially changes each time it is powered on In addition to the servers for specific services SUA supports a default server A service request that does not have a server explicitly designated for it...

Page 10: ...Support Notes All contents copyright c 2005 ZyXEL Communications Corporation 10 Port numbers for some common services Service Port Number FTP 21 Telnet 23 SMTP 25 DNS Domain Name Server 53 www http W...

Page 11: ...the WAN IP of the Prestige When the ISP assigns the Prestige a new IP the Prestige must inform the DDNS server the change of this IP so that the server can update its IP to DNS entry Once the IP to D...

Page 12: ...name that Password Enter the password that the DDNS server gives to you Enable Wildcard Enter the hostname for the wildcard function that the WWW DYNDNS ORG supports Note that Wildcard option is avai...

Page 13: ...psed SNMP variables are defined using the OSI Abstract Syntax Notation One ASN 1 ASN 1 specifies how a variable is encoded in a transmitted data frame it is very powerful because the encoded data is s...

Page 14: ...Traversal operations NMSs use these operations to determine which variables a managed device supports and to sequentially gather information from variable tables such as IP routing table in managed de...

Page 15: ...variables within an agent Trap Used by the agent to inform the NMS of some events The SNMPv1 messages contains two part The first part contains a version and a community name The second part contains...

Page 16: ...n RFC 1215 If the machine coldstarts the trap will be sent after booting warmStart defined in RFC 1215 If the machine warmstarts the trap will be sent after booting linkDown defined in RFC 1215 If any...

Page 17: ...reboot for some fatal errors And traps with the message of the fatal code will be sent 4 Configure the Prestige for SNMP The SNMP related settings in Prestige are configured in Management Remote Manag...

Page 18: ...rmal gateway Thus make your backup gateway as an auxiliary backup of your WAN connection Once Prestige detects it s WAN connectivity is broken Prestige will try to forward outgoing traffic to backup g...

Page 19: ...ny type of physical networking media wired or wireless UPnP also supports NAT Traversal which can automatically solve many NAT unfriendly problems By UPnP applications assign the dynamic port mappings...

Page 20: ...ce by URL link So that users can 2 Using UPnP in ZyXEL devices have DHCP client when the device gets connected to the network it will discover DHCP server on network to get an IP address If not then A...

Page 21: ...xample we will introduce how to e example in this support note You can learn how MSN benefit from NAT traversal feature in UPnP in this application note In the diagram su we don t need to setup NAT ma...

Page 22: ...Communications Corporation 22 2 After getting IP address you can go to open MSN application on PC and sign in MSN server 3 Start a Video conversation with one online user 4 On the opposite side your p...

Page 23: ...P320W Support Notes All contents copyright c 2005 ZyXEL Communications Corporation 23 5 Finally your video conversation is achieved...

Page 24: ...Mode 1 What is Infrastructure mode Infrastructure mode sometimes referred to as Access Point mode is an operating mode of an 802 11b Wi Fi client unit In infrastructure mode the client unit can assoc...

Page 25: ...Communications Corporation 25 2 Configuration Wireless Access Point to Infrastructure mode using Web configurator To configure Infrastructure mode of your P320W please follow the steps below a From th...

Page 26: ...please refer to the user s guide for detail or web help located on the page c Finished 3 Configuration Wireless Station to Infrastructure mode To configure Infrastructure mode on your ZyAIR B 100 B 2...

Page 27: ...ns Corporation 27 3 Select Infrastructure from the operation mode pull down menu fill in an SSID or leave it as any if you wish to connect to any AP than press Apply Change to take effect 4 Click on S...

Page 28: ...P320W Support Notes All contents copyright c 2005 ZyXEL Communications Corporation 28 5 Double click on the AP you want to associated with...

Page 29: ...the selected AP with Infrastructure Mode Wireless MAC Address Filtering 1 MAC Filter Overview Users can use MAC Filter as a method to restrict unauthorized stations from accessing the APs ZyXEL s APs...

Page 30: ...u configure the MAC filter you need to know the MAC address of the client first If not knowing what your MAC address is please enter a command ipconfig all after DOS prompt to get the MAC physical add...

Page 31: ...less transmissions are easier to intercept than transmissions over wired networks and wireless is a shared medium everything that is transmitted or received over a wireless network can be intercepted...

Page 32: ...rypt and decrypt the data WEP has defenses against this attack To avoid encrypting two cipher texts with the same key stream an Initialization Vector IV is used to augment the shared WEP key secret ke...

Page 33: ...eed to specify one of the 4 keys as default Key for data encryption To set up the Access Point you will need to set the one of the following parameters o 64 bit WEP key secret key with 5 characters o...

Page 34: ...34 Key settings Select one WEP key as default key to encrypt wireless data transmission 3 Setting up the Station 1 Double click on the utility icon in your windows task bar or right click the utility...

Page 35: ...esn t exist in your task bar click Start Programs IEEE802 11b WLAN Card IEEE802 11b WLAN Card 2 Select the Encryption tab Select encryption type correspond with access point Set up 4 Keys which corres...

Page 36: ...P320W Support Notes All contents copyright c 2005 ZyXEL Communications Corporation 36...

Page 37: ...456789ABCD IEEE 802 1x 1 IEEE 802 1x Introduction IEEE 802 1x port based authentication is desired to prevent unauthorized devices clients from gaining access to the network As LANs extend to hotels a...

Page 38: ...ntrols the physical access to the network based on the authentication status of the client The authenticator acts as an intermediary proxy between the client and the authentication server i e RADIUS s...

Page 39: ...k behind Wireless AP There are two authentication port state on the AP authorized state and unauthorized state By default the port starts in the unauthorized state While in this state the port disallo...

Page 40: ...identity of the client and begins relaying authentication messages between supplicant and the authentication server Each supplicant attempting to access the network is uniquely identified by the authe...

Page 41: ...EAP request identity frame to the 802 1x client to request its identity typically the authenticator sends an initial identity request frame followed by one or more requests for authentication informat...

Page 42: ...Communications Corporation 42 The EAPOL packet contains the following fields protocol version packet type packet body length and packet body Most of the fields are obvious The packet type can have fou...

Page 43: ...hen it wants to terminate its 802 1x session EAPOL Key This is used for TLS authentication method The Wireless AP uses this packet to send the calculated WEP key to the supplicant after TLS negotiatio...

Page 44: ...e wireless AP is the client and the server is the RADIUS server The authenticator includes the RADIUS client which is responsible for encapsulating and decapsulating the Extensible Authentication Prot...

Page 45: ...EAP frames between the supplicant and the authentication server until authentication succeeds or fails If the authentication succeeds the switch port becomes authorized The specific exchange of EAP fr...

Page 46: ...is a MAP to RF contour of RF coverage in a particular facility With wireless system it is very difficult to predict the propagation of radio waves and detect the presence of interfering signals Walls...

Page 47: ...uestion where is wireless coverage needed and where does not and note and take note on the diagram this is information is needed to determine the number of AP required 4 Determine the preliminary acce...

Page 48: ...t s always a good idea to start with putting the access point at the corner of the room and walk away from the access point in a systematic manner Record down the changes at point where transfer rate...

Page 49: ...ess point installation spot if wireless service is required from corner of the room 6 Repeat step 1 5 and now you should be able to mark an RF coverage area as illustrated in above picutre 7 You may n...

Page 50: ...ce area over lap one another So the wireless stations are able to roam For more information please refer to roaming at FAQ Product FAQ What is the P320W 802 11g Wireless Firewall Router The P320W 802...

Page 51: ...device has an Ethernet port you can use the Prestige Besides if your ISP supports PPPoE you can also use the Prestige because PPPoE had been supported in the Prestige What do I need to use the Prestig...

Page 52: ...ts a broad range of existing applications and service including authentication accounting secure access and configuration management Which Internet Applications can I use with the Prestige Most common...

Page 53: ...address is mycompany ispname com Jane and John will be able to send e mail through Prestige Internet Access Sharing Router using jane mycompany ispname com and john mycompany ispname com respectively...

Page 54: ...tically assign IP and DNS addresses to the clients on the local LAN What network interface does the new Prestige series support The Prestige series support 4 10 100M Ethernet LAN port to connect to th...

Page 55: ...bsolute maximum of 1 5 Mbps To create the appearance of faster network access service companies plan to store or cache frequently requested web sites and Usenet newsgroups on a server at their head en...

Page 56: ...to enter that PC s IP in Network WAN Internet Connection Once the MAC is received by the Prestige the WAN MAC will be updated and used for the ISP s authentication 2 Your ISP checks the Host Name Some...

Page 57: ...DHCP to request an IP address What is DDNS The Dynamic DNS service allows you to alias a dynamic IP address to a static hostname allowing your computer to be more easily accessed from various locatio...

Page 58: ...stname yourhost dyndns org to be aliased to the same IP address as yourhost dyndns org This feature is useful when there are multiple servers inside and you want users to be able to use things such as...

Page 59: ...es stateful packet inspection to determine if an inbound connection is allowed through the firewall to the private LAN The P320W supports Network Address Translation NAT which translates the private l...

Page 60: ...the outbound request for that packet and allowed in Conversely an incoming packet masquerading as a response to a nonexistent outbound request can be blocked 3 The P320W s firewall uses session filter...

Page 61: ...ood attack SYN attack floods a targeted system with a series of SYN packets Each packet causes the targeted system to issue a SYN ACK response while the targeted system waits for the ACK that follows...

Page 62: ...st modify the packet headers so that it appears that the packets originate from a trusted host and should be allowed through the router or firewall Wireless FAQ What is a Wireless LAN Wireless LANs pr...

Page 63: ...ve slower than wired LAN The most popular wired LAN is operated in 100Mbps which is almost 10 times of that of Wireless LAN 10Mbps A faster wired LAN standard 1000Mbps which is 100 times faster become...

Page 64: ...able and DSL modems What is 802 11a 802 11a the second revision of 802 11 that operates in the unlicensed 5 GHz band and allows transmission rates of up to 54Mbps 802 11a uses OFDM orthogonal frequenc...

Page 65: ...e connecting printers to computers and connecting modems or hands free kits to mobile phones Does the 802 11 interfere with Bluetooth devices Any time devices are operated in the same frequency band t...

Page 66: ...icly shared data networks designed to provide coverage in metropolitan areas and along traffic corridors WWANs are owned by a service provider or carrier Data rates are low and charges are based on us...

Page 67: ...vers an FHSS transmission appears to be short duration impulse noise 802 11 may use FHSS or DSSS Do I need the same kind of antenna on both sides of a link No Provided the antenna is optimally designe...

Page 68: ...strator to define a set of respective Keys for each wireless network user based on a Key String passed through the WEP encryption algorithm Access is denied by anyone who does not have an assigned key...

Page 69: ...ks The insertion attacks are based on placing unauthorized devices on the wireless network without going through a security process and review What is Wireless Sniffer An attacker can sniff and captur...

Page 70: ...nt through the interface auto enables 802 1X and causes the port to begin in the unauthorized state allowing only EAPOL frames to be sent and received through the port The authentication process begin...

Page 71: ...and Prompt window type ping followed by the Prestige s LAN IP address 192 168 1 1 is the default and then press ENTER The Prestige should reply Use Internet Explorer 6 0 and later or Netscape Navigato...

Page 72: ...supports to clone the MAC from the first PC the ISP installed to be its WAN MAC To clone the MAC from the PC you need to enter that PC s IP in Network WAN Internet Connection Once the MAC is received...

Page 73: ...plication is not in the table or it is in the table but still does not work please configure the workstation which runs the applications as the SUA default server and try again 3 If it still does not...

Page 74: ...ient IP Cornell 1 1 Cu SeeMe None 7648 client IP White Pine 3 1 2 Cu SeeMe 7648 client IP 24032 client IP Default client IP White Pine 4 0 Cu SeeMe 7648 client IP 24032 client IP Default client IP Mic...

Page 75: ...nd Voice None for Chat File transfer Video and Voice Net2Phone None 6701 client IP Network Time Protocol NTP None 123 server IP Win2k Terminal Server None 3389 server IP Remote Anything None 3996 4000...

Reviews:

No comments