ZyXEL Communications ZyWALL 10/10 User Manual Download Page 273 | Manualshive

Page: 273 / 342

background image

ZyWALL 10/10 II/50 Internet Security Gateway

VPN/IPSec Setup

26-3

Table 26-1 AH and ESP

ESP AH

Select

DES

for minimal security and

3DES

for maximum.

Select

NULL

to set up a tunnel without encryption.

Select

MD5

for minimal security and

SHA-1

for

maximum security.

DES

(default)

Data Encryption Standard (DES) is a widely used method
of data encryption using a private (secret) key. DES
applies a 56-bit key to each 64-bit block of data.

MD5

(default)

MD5 (Message Digest 5) produces a 128-bit
digest to authenticate packet data.

3DES

Triple DES (3DES) is a variant of DES, which iterates
three times with three separate keys (3 x 56 = 168 bits),
effectively doubling the strength of DES.

SHA1

SHA1 (Secure Hash Algorithm) produces a
160-bit digest to authenticate packet data.

26.3 IPSec Summary

Type 1 in menu 27 and then press

[ENTER]

to display

Menu 27.1 — IPSec Summary

. This is a summary

read-only menu of your IPSec rules (tunnels). Edit or create an IPSec rule by selecting an index number and
then configuring the associated submenus.
The following figure helps explain the main fields in menu 27.1.

Figure 26-3 IPSec Summary Fields

Local IP addresses must be static.

«
...
271
272
273
274
275
...
»

Summary of Contents for ZyWALL 10/10

Page 1: ...ZyWALL 10 10 II 50 Internet Security Gateway User s Guide Version 3 50 June 2002...

Page 2: ...shed by ZyXEL Communications Corporation All rights reserved Disclaimer ZyXEL does not assume any liability arising out of the application or use of any products or software described herein Neither d...

Page 3: ...uses and can radiate radio frequency energy and if not installed and used in accordance with the instructions may cause harmful interference to radio communications If this equipment does cause harmf...

Page 4: ...re that compliance with the above conditions may not prevent degradation of service in some situations Repairs to certified equipment should be made by an authorized Canadian maintenance facility desi...

Page 5: ...ehold appliances and similar electrical equipment Harmonics 1995 EN 61000 3 3 Disturbance in supply system caused by household appliances and similar electrical equipment Voltage fluctuations 1995 EN...

Page 6: ...working conditions Note Repair or replacement as provided under this warranty is the exclusive remedy of the purchaser This warranty is in lieu of all other warranties express or implied including an...

Page 7: ...Communications Corp 6 Innovation Road II Science Based Industrial Park Hsinchu 300 Taiwan support zyxel com 1 714 632 0882 800 255 4101 www zyxel com NORTH AMERICA sales zyxel com 1 714 632 0858 ftp z...

Page 8: ...agrams xxvii Preface xxix GETTING STARTED I Chapter 1 Getting to Know Your ZyWALL 1 1 1 1 The ZyWALL 10 10 II 50 Internet Security Gateway 1 1 1 2 Features 1 1 1 3 Applications 1 4 1 3 1 Secure Broadb...

Page 9: ...Resetting the ZyWALL 3 8 3 4 1 Methods of Restoring Factory Defaults 3 8 3 4 2 Procedure To Use The Reset Button 3 9 Chapter 4 General And WAN Setup 4 1 4 1 System Name 4 1 4 2 Dynamic DNS 4 1 4 2 1...

Page 10: ...CED APPLICATIONS II Chapter 7 Remote Node Setup 7 1 7 1 Remote Node Profile 7 1 7 1 1 Ethernet Encapsulation 7 1 7 1 3 PPTP Encapsulation 7 5 7 2 Editing TCP IP Options with Ethernet Encapsulation 7 7...

Page 11: ...7 9 5 3 Example 3 Multiple Public IP Addresses With Inside Servers 9 18 9 5 4 Example 4 NAT Unfriendly Application Programs 9 22 FIREWALLAND CONTENT FILTERS III Chapter 10 Firewalls 10 1 10 1 What Is...

Page 12: ...ement and the Firewall 11 1 11 2 Access Methods 11 1 11 3 Using ZyWALL SMT Menus 11 1 11 3 1 Activating the Firewall 11 1 11 3 2 Viewing the Firewall Log 11 2 Chapter 12 Using the ZyWALL Web Configura...

Page 13: ...ut 13 13 13 6 1 Factors Influencing Choices for Timeout Values 13 13 Chapter 14 Custom Ports 14 1 14 1 Introduction 14 1 14 2 Creating Editing A Custom Port 14 3 Chapter 15 Logs 15 1 15 1 Log Screen 1...

Page 14: ...LL 18 2 18 2 Configuring a Filter Set 18 4 18 2 1 Filter Rules Summary Menu 18 6 18 2 2 Configuring a Filter Rule 18 7 18 2 3 TCP IP Filter Rule 18 7 18 2 4 Generic Filter Rule 18 12 18 3 Example Filt...

Page 15: ...nventions 21 1 21 2 Backup Configuration 21 2 21 2 1 Backup Configuration 21 2 21 2 2 Using the FTP Command from the Command Line 21 3 21 2 3 Example of FTP Commands from the Command Line 21 3 21 2 4...

Page 16: ...em Firmware Upload Using HyperTerminal 21 15 21 4 10 Uploading a Configuration File Via Console Port 21 16 21 4 11 Example Xmodem Configuration Upload Using HyperTerminal 21 16 Chapter 22 System Maint...

Page 17: ...PSec Architecture 25 3 25 2 1 IPSec Algorithms 25 4 25 2 2 Key Management 25 4 25 3 Encapsulation 25 5 25 3 1 Transport Mode 25 5 25 3 2 Tunnel Mode 25 5 25 4 IPSec and NAT 25 5 Chapter 26 VPN IPSec S...

Page 18: ...n 27 1 27 1 Using SA Monitor 27 1 Chapter 28 IPSec Log 28 1 28 1 VPN Initiator IPSec Log 28 1 28 2 VPN Responder IPSec Log 28 2 TROUBLESHOOTING APPENDICES AND INDEX VI Chapter 29 Troubleshooting 29 1...

Page 19: ...ay Table of Contents xix Appendix E Important Safety Instructions I Appendix F Boot Commands J Appendix G Command Interpreter L Appendix H Firewall Commands M Appendix I NetBIOS Filter Commands S Appe...

Page 20: ...d Advanced Applications SMT Menus 3 5 Figure 3 5 Advanced Management SMT Menus 3 6 Figure 3 6 IPSec VPN Configuration SMT Menus 3 7 Figure 3 7 Menu 23 System Password 3 7 Figure 4 1 Menu 1 General Set...

Page 21: ...1 Figure 8 2 Menu 12 IP Static Route Setup 8 2 Figure 8 3 Menu 12 1 Edit IP Static Route 8 2 Figure 9 1 How NAT Works 9 3 Figure 9 2 NAT Application With IP Alias 9 4 Figure 9 3 Menu 4 Applying NAT f...

Page 22: ...10 5 Figure 10 4 Smurf Attack 10 6 Figure 10 5 Stateful Inspection 10 8 Figure 11 1 Menu 21 Filter and Firewall Setup 11 1 Figure 11 2 Menu 21 2 Firewall Setup 11 2 Figure 11 3 Example Firewall Log 11...

Page 23: ...et to Local Network Rule Summary 16 11 Figure 16 11 Custom Port for Syslog 16 12 Figure 16 12 Syslog Rule Configuration 16 13 Figure 16 13 Example 3 Rule Summary 16 14 Figure 18 1 Outgoing Packet Filt...

Page 24: ...UNIX Syslog 20 7 Figure 20 9 Call Triggering Packet Example 20 11 Figure 20 10 Menu 24 4 System Maintenance Diagnostic 20 12 Figure 20 11 WAN LAN DHCP 20 13 Figure 21 1 Telnet into Menu 24 5 21 3 Figu...

Page 25: ...Menu 24 System Maintenance 22 5 Figure 22 7 Menu 24 10 System Maintenance Time and Date Setting 22 5 Figure 23 1 Telnet Configuration on a TCP IP Network 23 1 Figure 23 2 Menu 24 11 Remote Management...

Page 26: ...1 IPSec Summary 26 6 Figure 26 7 Menu 27 1 1 IPSec Setup 26 9 Figure 26 8 Two Phases to set up the IPSec SA 26 13 Figure 26 9 Menu 27 1 1 1 IKE Setup 26 15 Figure 26 10 Menu 27 1 1 2 Manual Setup 26 1...

Page 27: ...p Menu Fields 5 7 Table 5 5 IP Alias Setup Menu Fields 5 8 Table 6 1 Internet Access Setup Menu Fields 6 1 Table 6 2 New Fields in Menu 4 PPTP screen 6 3 Table 6 3 New Fields in Menu 4 PPPoE screen 6...

Page 28: ...Table 13 2 Predefined Services 13 7 Table 13 3 Creating Editing A Firewall Rule 13 10 Table 13 4 Adding Editing Source and Destination Addresses 13 13 Table 13 5 Timeout Menu 13 15 Table 14 1 Custom...

Page 29: ...able 26 1 AH and ESP 26 3 Table 26 2 Telecommuter and Headquarters Configuration Example 26 4 Table 26 3 Menu 27 1 IPSec Summary 26 6 Table 26 4 Menu 27 1 1 IPSec Setup 26 9 Table 26 5 Menu 27 1 1 1 I...

Page 30: ...ZYWALL 10 10 II 50 Internet Security Gateway xxx List of Tables Table 29 6 Troubleshooting Remote Management 29 3...

Page 31: ...ll NAT and VPN A Diagram 2 Single PC per Modem Hardware Configuration C Diagram 3 ZyWALL as a PPPoE Client D Diagram 4 Transport PPP frames over Ethernet E Diagram 5 PPTP Protocol Overview F Diagram 6...

Page 32: ......

Page 33: ...n all platform web based utility that allows you to easily access the ZyWALLs management settings and configure the firewall Use the Help icon in the web configurator for explanations of the fields Mo...

Page 34: ...for you to select one from the predefined choices The SMT menu titles and labels are in Bold Times New Roman font The choices of a menu item are in Bold Arial font A single keystroke is in Arial font...

Page 35: ...Getting Started I Part I Getting Started This part is structured as a step by step guide to help you connect install and setup your ZyWALL to operate on your network and access the Internet...

Page 36: ......

Page 37: ...II 50 Auto negotiating 10 100Mbps Ethernet LAN This auto negotiation feature allows the ZyWALL to detect the speed of incoming transmissions and adjust appropriately without manual intervention It all...

Page 38: ...ual private networking over public networks such as the Internet The ZyWALL supports one PPTP server connection at any given time Dynamic DNS Support With Dynamic DNS support you can have a static hos...

Page 39: ...9X Windows NT and other systems that support the DHCP client The ZyWALL can now also act as a surrogate DHCP server DHCP Relay where it relays IP address assignment from the actual real DHCP server t...

Page 40: ...to the ZyWALL 10 10 II 50 for broadband Internet access via Ethernet port on the modem It provides not only high speed Internet access but secured internal network protection and management as well F...

Page 41: ...tting to Know Your ZyWALL 1 5 1 3 2 VPN Application ZyWALL VPN is an ideal cost effective way to connect branch offices and business partners over the Internet without the need and expense for leased...

Page 42: ......

Page 43: ...and Back Panel Ports 2 1 1 Front Panel LEDs The LEDs on the front panel indicate the operational status of the ZyWALL Figure 2 1 Front Panel The following table describes LED functions Table 2 1 LED D...

Page 44: ...onnected to a 100Mbps LAN 100M LAN LAN Orange Flashing The 100M LAN is sending receiving packets Off The 10M WAN is not connected On The ZyWALL is connected to a 10M WAN 10M WAN WAN Green Flashing The...

Page 45: ...ZyWALL 10 10 II 50 Internet Security Gateway Hardware Installation 2 3 Figure 2 2 ZyWALL 10 Rear Panel and Connections...

Page 46: ...axial cable connector on the back of the cable modem Connect an xDSL modem to the xDSL wall jack See also the Appendices for important safety instructions when making connections to the ZyWALL Step 1...

Page 47: ...L modem Step 3 Connecting the ZyWALL to the LAN For a single computer connect the 10 100M LAN port on the ZyWALL to the Network Adapter on the computer using a straight through Ethernet cable and push...

Page 48: ...Interface Card installed 2 A computer equipped with communications software configured to the following parameters VT100 terminal emulation 9600 Baud No parity 8 data bits 1 stop bit flow control set...

Page 49: ...rn on your ZyWALL it performs several internal tests as well as line initialization After the tests the ZyWALL asks you to press ENTER to continue as shown next Figure 3 1 Initial Screen 3 1 2 Enterin...

Page 50: ...the hidden menu Move the cursor ENTER or UP DOWN arrow keys Within a menu press ENTER to move to the next field You can also use the UP DOWN arrow keys to move to the previous and the next field respe...

Page 51: ...ote Node Setup Use this menu to configure detailed remote node settings your ISP is also a remote node as well as apply WAN filters 12 Static Routing Setup Configure IP static routes in this menu 15 N...

Page 52: ...password in this menu recommended 24 System Maintenance From displaying system status to uploading firmware this menu provides comprehensive system maintenance 26 Schedule Setup Use this menu to sched...

Page 53: ...ZyWALL 10 10 II 50 Internet Security Gateway Initial Setup 3 5 3 2 3 SMT Menus at a Glance Figure 3 4 Getting Started and Advanced Applications SMT Menus...

Page 54: ...ZyWALL 10 10 II 50 Internet Security Gateway 3 6 Initial Setup Figure 3 5 Advanced Management SMT Menus...

Page 55: ...fault system password by following the steps shown next Step 1 Enter 23 in the main menu to open Menu 23 System Password as shown below Figure 3 7 Menu 23 System Password Step 2 Type in your existing...

Page 56: ...When you turn on the ZyWALL again you will see the initial screen When you see the message Press any key to enter Debug Mode within 3 seconds press any key to enter debug mode To upload the configura...

Page 57: ...begins to blink the defaults have been restored and the ZyWALL restarts Otherwise go to step 2 2 Turn the ZyWALL off 3 While pressing the RESET button turn the ZyWALL on 4 Continue to hold the RESET b...

Page 58: ......

Page 59: ...eld and enter it as the ZyWALL System Name In Windows XP click start My Computer View system information and then click the Computer Name tab Note the entry in the Full computer name field and enter i...

Page 60: ...ature for your host causes yourhost dyndns org to be aliased to the same IP address as yourhost dyndns org This feature is useful if you want to be able to use for example www yourhost dyndns org and...

Page 61: ...hen you have completed this menu press ENTER at the prompt Press ENTER to Confirm to save your configuration or press ESC at any time to cancel 4 3 1 Configuring Dynamic DNS To configure Dynamic DNS g...

Page 62: ...lt Host Enter the domain name assigned to your ZyWALL by your Dynamic DNS provider me dyndns org EMAIL Enter your e mail address mail mailserver USER Enter your user name Password Enter the password a...

Page 63: ...file ZyNOS configuration file It will not change unless you change the setting in menu 2 or upload a different rom file The following table contains instructions on how to configure your WAN setup Tab...

Page 64: ...s This field is applicable only if you choose the IP Address attached on LAN method Enter the IP address of the computer on the LAN whose MAC you are cloning N A When you have completed this menu pres...

Page 65: ...he LAN traffic however the filter sets may be useful to block certain packets reduce traffic and prevent security breaches Menu 3 2 is discussed in the next chapter Please read on Figure 5 2 Menu 3 1...

Page 66: ...1 33 to 192 168 1 64 This configuration leaves 31 IP addresses excluding the ZyWALL itself in the lower range for other server machines e g server for mail FTP Telnet web etc that you may have DNS Se...

Page 67: ...have decided on the network number pick an IP address that is easy to remember e g 192 168 1 1 for your ZyWALL but make sure that no other device on your network is using that IP The subnet mask spec...

Page 68: ...ticasting then all routers on your network must use multicasting also By default RIP Direction is set to Both and the Version set to RIP 1 5 3 6 IP Multicast Traditionally IP packets are transmitted i...

Page 69: ...gure 5 3 Physical Network Figure 5 4 Partitioned Logical Networks Use menu 3 2 1 to configure IP Alias on your ZyWALL 5 4 TCP IP and DHCP Ethernet Setup Menu From the main menu enter 3 to open Menu 3...

Page 70: ...rting Address This field specifies the first of the contiguous addresses in the IP address pool 192 168 1 33 Size of Client IP Pool This field specifies the size or count of the IP address pool 32 Pri...

Page 71: ...Both default Version Press SPACE BAR to select the RIP version Options are RIP 1 RIP 2B or RIP 2M RIP 1 default Multicast IGMP Internet Group Multicast Protocol is a session layer protocol used to est...

Page 72: ...y Out Only or None None Version Press SPACE BAR to select the RIP version Options are RIP 1 RIP 2B or RIP 2M RIP 1 Incoming Protocol Filters Enter the filter set s you wish to apply to the incoming tr...

Page 73: ...using PPPoE If you choose Ethernet in menu 4 you will see the next screen Figure 6 1 Menu 4 Internet Access Setup Ethernet The following table describes this screen Table 6 1 Internet Access Setup Me...

Page 74: ...address IP Address Assignment If your ISP did not assign you a fixed IP address select Dynamic otherwise select Static and enter the IP address subnet mask in the following fields IP Address Enter the...

Page 75: ...in menu 4 Table 6 2 New Fields in Menu 4 PPTP screen FIELD DESCRIPTION EXAMPLE Encapsulation Press SPACE BAR and then press ENTER to choose PPTP The encapsulation method influences your choices for IP...

Page 76: ...rectly on the ZyWALL 10 10 II 50 rather than individual computer s the computers on the LAN do not need PPPoE software installed since the ZyWALL does that part of the task Furthermore with NAT all of...

Page 77: ...installed and set up your ZyWALL to operate on your network as well as access the Internet When the firewall is activated the default policy allows all communications to the Internet that originate f...

Page 78: ......

Page 79: ...Advanced Applications II Part II Advanced Applications This part covers Remote Node Setup IP Static Route Setup and Network Address Translation...

Page 80: ......

Page 81: ...ally configuring a remote node We will show you how to configure Menu 11 1 Remote Node Profile Menu 11 3 Remote Node Network Layer Options and Menu 11 5 Remote Node Filter 7 1 Remote Node Profile From...

Page 82: ...tion Ethernet Service Type Press SPACE BAR to select from Standard RR Toshiba RoadRunner Toshiba authentication method or RR Manager RoadRunner Manager authentication method Choose one of the RoadRunn...

Page 83: ...the only option for the ZyWALL 10 10 II 50 IP Edit IP This field leads to a hidden menu Press SPACE BAR to select Yes and press ENTER to go to Menu 11 3 Remote Node Network Layer Options Yes Session O...

Page 84: ...ine where the connection is always up regardless of traffic demand The ZyWALL does two things when you specify a nailed up connection The first is that idle timeout is disabled The second is that the...

Page 85: ...ode for a maximum of 10 minutes every hour then the Allocated Budget is 10 minutes and the Period hr is 1 hour 1 Schedules You can apply up to four schedule sets here For more details please refer to...

Page 86: ...name in the ANT It must follow the c id and n name format This field is optional and depends on the requirements of your xDSL Modem n My ISP Schedules You can apply up to four schedule sets here For m...

Page 87: ...enter the IP address subnet mask in the following fields Dynamic IP Address If you have a Static IP Assignment enter the IP address assigned to you by your ISP IP Subnet Mask If you have a Static IP...

Page 88: ...select the RIP direction from Both None In Only Out Only Please see the RIP Setup section for more information on RIP The default for RIP on the WAN side is None It is recommended that you do not cha...

Page 89: ...d to the remote node 255 255 255 0 My WAN Addr Some implementations especially the UNIX derivatives require the WAN link to have a separate IP network number from the LAN and each end must have a uniq...

Page 90: ...CE BAR to select the RIP version from RIP 1 RIP 2B RIP 2M RIP 1 Multicast IGMP Internet Group Multicast Protocol is a session layer protocol used to establish membership in a Multicast group The ZyWAL...

Page 91: ...r to the Filters chapter For PPPoE or PPTP encapsulation you can also specify remote node call filter sets Figure 7 6 Menu 11 5 Remote Node Filter Ethernet Encapsulation Figure 7 7 Menu 11 5 Remote No...

Page 92: ......

Page 93: ...remote node specifies only the network to which the gateway is directly connected and the ZyWALL has no knowledge of the networks beyond For instance the ZyWALL knows about network N2 in the following...

Page 94: ...c Route Setup Now enter the index number of one of the static routes you want to configure Figure 8 3 Menu 12 1 Edit IP Static Route Menu 12 IP Static Route Setup 1 ________ 2 ________ 3 ________ 4 __...

Page 95: ...ss of the gateway The gateway is an immediate neighbor of your ZyWALL that will forward the packet to the destination On the LAN the gateway must be a router on the same segment as your ZyWALL over th...

Page 96: ......

Page 97: ...e packet traverses a router e g the local address refers to the IP address of a host when the packet is in the local network while the global address refers to the IP address of the host when the same...

Page 98: ...One and Many to Many Overload mapping see Table 9 2 NAT offers the additional benefit of firewall protection If no server is defined in these cases all incoming inquiries will be filtered out by your...

Page 99: ...How NAT Works 9 1 4 NAT Application The following figure illustrates a possible NAT application where three inside LANs logical LANs using IP Alias behind the ZyWALL can communicate with three distin...

Page 100: ...1 One to One In One to One mode the ZyWALL maps one local IP address to one global IP address 2 Many to One In Many to One mode the ZyWALL maps multiple local IP addresses to one global IP address Th...

Page 101: ...pecify inside servers of different services behind the NAT to be accessible to the outside world Port numbers do not change for One to One and Many One to One NAT mapping types The following table sum...

Page 102: ...using mapping types as outlined in Table 9 2 1 Choose SUA Only if you have just one public WAN IP address for your ZyWALL 2 Choose Full Feature if you have multiple public WAN IP addresses for your Zy...

Page 103: ...apping Set 1 menu 15 1 see section 9 3 1 for further discussion You can configure any of the mapping types described in Table 9 2 Choose Full Feature if you have multiple public WAN IP addresses for y...

Page 104: ...use the pre configured Set 255 read only A server set is a list of LAN side servers mapped to external ports To use this set one set for the ZyWALL a server rule must be set up inside the NAT Address...

Page 105: ...you want to create SUA Idx This is the index or rule number 1 Local Start IP Local End IP Local Start IP is the starting local IP address ILA see Figure 9 1 Local End IP is the ending local IP addres...

Page 106: ...a rule in this menu press ENTER at the message Press ENTER to Confirm to save your configuration or press ESC to cancel User Defined Address Mapping Sets Now let s look at Option 1 in menu 15 1 Enter...

Page 107: ...y that number of empty rules For example if you have already configured rules 1 to 6 in your current set and now you configure rule number 9 In the set summary screen the new rule will be rule 7 not 9...

Page 108: ...to select the rule to apply the action in question 1 You must press ENTER at the bottom of the screen to save the whole set You must do this again if you make any changes to the set including deleting...

Page 109: ...pes are Many to One or Server 0 0 0 0 End This is the ending global IP address IGA This field is N A for One to One Many to One and Server types N A Once you have finished configuring a rule in this m...

Page 110: ...e unsure refer to your ISP The most often used port numbers are shown in the following table Please refer to RFC 1700 for further information about port numbers Please also refer to the included disk...

Page 111: ...ing figure you have a computer acting as an FTP Telnet and SMTP server ports 21 23 and 25 at 192 168 1 33 Step 5 Press ENTER at the Press ENTER to confirm prompt to save your configuration after you d...

Page 112: ...ZyWALL 10 10 II 50 Internet Security Gateway 9 16 NAT Figure 9 11 Multiple Servers Behind NAT Example...

Page 113: ...ic IGA Inside Global Address assigned by your ISP Figure 9 12 NAT Example 1 Figure 9 13 Menu 4 Internet Access NAT Example Menu 4 Internet Access Setup ISP s Name ChangeMe Encapsulation Ethernet Servi...

Page 114: ...9 5 The SUA Only read only option from the Network Address Translation field in menus 4 and 11 3 is specifically pre configured to handle this case 9 5 2 Example 2 Internet Access with an Inside Serve...

Page 115: ...s Rule 1 Map the first IGA to the first inside FTP server for FTP traffic in both directions 1 1 mapping giving both local and global IP addresses Rule 2 Map the second IGA to our second inside FTP se...

Page 116: ...on field in menu 4 or menu 11 3 in Figure 9 17 Step 2 Then enter 15 from the main menu Step 3 Enter 1 to configure the Address Mapping Sets Step 4 Enter 1 to begin configuring this new set Enter a Set...

Page 117: ...Figure 9 18 Example 3 Menu 15 1 1 1 Menu 15 1 1 1 Address Mapping Rule Type One to One Local IP Start 192 168 1 10 End N A Global IP Start 10 132 50 1 End N A Press ENTER to Confirm or ESC to Cancel...

Page 118: ...tart IP Local End IP Global Start IP Global End IP Type 1 192 168 1 10 10 132 50 1 1 1 2 192 168 1 11 10 132 50 2 1 1 3 0 0 0 0 255 255 255 255 10 132 50 3 M 1 4 10 132 50 3 Server 5 6 7 8 9 10 Action...

Page 119: ...t numbers do not change for Many One to One and One to One NAT mapping types The following figure illustrates this Figure 9 21 NAT Example 4 Other applications such as some gaming programs are NAT unf...

Page 120: ...apping Rules Menu 15 1 1 1 Address Mapping Rule Type Many One to One Local IP Start 192 168 1 10 End 192 168 1 12 Global IP Start 10 132 50 1 End 10 132 50 3 Press ENTER to Confirm or ESC to Cancel Me...

Page 121: ...ilters III Part III Firewall and Content Filters Part III introduces firewalls in general and the ZyWALL firewall It also explains custom ports and logs and gives example firewall rules and an overvie...

Page 122: ......

Page 123: ...loyed For a firewall to guard effectively you must design and deploy it appropriately This requires integrating the firewall into a broad information security policy In addition specific policies must...

Page 124: ...s support See section 10 5 for more information on Stateful Inspection Firewalls of one type or another have become an integral part of standard security solutions for enterprises 10 3 Introduction to...

Page 125: ...hare information over the Internet using a common language called TCP IP TCP IP in turn is a set of application protocols that perform specific functions These protocols such as HTTP Web FTP File Tran...

Page 126: ...a ping utility to create an IP packet that exceeds the maximum 65 536 bytes of data allowed by the IP specification The oversize packet is then sent to an unsuspecting system Systems may crash hang o...

Page 127: ...a SYN Attack floods a targeted system with a series of SYN packets Each packet causes the targeted system to issue a SYN ACK response While the targeted system waits for the ACK that follows the SYN A...

Page 128: ...broadcast the ICMP echo request packet to all hosts on the network If there are numerous hosts this will create a large amount of ICMP echo request and response traffic If a hacker chooses to spoof t...

Page 129: ...are coming from within the trusted network To engage in IP spoofing a hacker must modify the packet headers so that it appears that the packets originate from a trusted host and should be allowed thr...

Page 130: ...ever other Telnet traffic initiated from the WAN is blocked 10 5 1 Stateful Inspection Process In this example the following sequence of events occurs when a TCP packet leaves the LAN network through...

Page 131: ...inspected by a firewall rule and the connection s state table entry is updated as necessary Based on the updated state information the inbound extended access list temporary entries might be modified...

Page 132: ...the security policy as is the case with the default policy the connection will be allowed A cache entry is added which includes connection information such as IP addresses TCP ports sequence numbers e...

Page 133: ...ne safely since the PORT command contains address and port information which can be used to uniquely identify the connection Any protocol that operates in this way must be supported on a case by case...

Page 134: ...ser Internet Explorer 3 02 or better or Netscape 3 0 or better If a web site uses a secure connection it is safe to submit information Secure web transactions are quite difficult to crack 6 Never reve...

Page 135: ...inspects packet contents as well as their source and destination addresses Firewalls of this type employ an inspection module applicable to all protocols that understands data in the packet is intend...

Page 136: ...nguish traffic originating from an inside host or an outside host by IP address 4 The firewall performs better than filtering if you need to check many rules 5 Use the firewall if you need routine e m...

Page 137: ...tructions SMT screens allow you to activate the firewall and view firewall logs CLI commands provide limited configuration options and are only recommended for advanced users please refer to the appen...

Page 138: ...ll sessions originating from the LAN to the WAN and 2 deny all sessions originating from the WAN to the LAN You may define additional Policy rules or modify existing ones but please exercise extreme c...

Page 139: ...the rule matched not matched or was there an attack The set and rule coordinates X Y where X 1 2 Y 00 10 follow with a simple explanation There are two policy sets set 1 X 1 is for LAN to WAN rules a...

Page 140: ......

Page 141: ...1 Launch your web browser and enter 192 168 1 1 as the URL Step 2 Enter 1234 default as the password and click Login If a password appears automatically just click Login You should see a screen asking...

Page 142: ...the Firewall 12 3 E mail The E mail screen show next allows you to specify your mail server where e mail alerts should be sent as well as when and how often they should be sent 12 3 1 Alerts Alerts a...

Page 143: ...s in the Log Timer fields in the E mail screen following screen 12 3 2 Logs A log is a detailed record that you create for packets that either match a rule don t match a rule or both when you are crea...

Page 144: ...he ZyWALL as the sender of the e mail messages i e a return to sender address for backup purposes Log Timer Log Schedule This pop up menu is used to configure the frequency of log messages being sent...

Page 145: ...l error messages appear in SMT menu 24 3 1 as SMTP action request failed ret The are described in the following table Table 12 2 SMTP Error Messages 1 means ZyWALL out of socket 2 means tcp SYN fail 3...

Page 146: ...m number of opened sessions Subject Firewall Alert From ZyWALL Date Fri 07 Apr 2000 10 05 42 From user zyxel com To user zyxel com 1 Apr 7 00 From 192 168 1 1 To 192 168 1 255 default policy forward 0...

Page 147: ...g half open sessions rises above a threshold max incomplete high the ZyWALL starts deleting half open sessions as required to accommodate new connection requests The ZyWALL continues to delete half op...

Page 148: ...erts whenever TCP Maximum Incomplete is exceeded The global values specified for the threshold and timeout apply to all TCP connections Click on the Attack Alert tab to bring up the next screen Figure...

Page 149: ...han 80 session establishment attempts have been detected in the last minute Maximum Incomplete Low This is the number of existing half open sessions that causes the firewall to stop deleting half open...

Page 150: ...can choose if the next session should be allowed or blocked If you check Blocking Time any new sessions will be blocked for the length of time you specify in the next field min and all old incomplete...

Page 151: ...test your rules after you configure them For example you may create rules to Block certain types of traffic such as IRC Internet Relay Chat from the LAN to the Internet Allow certain types of traffic...

Page 152: ...there users that require this service 2 Is it possible to modify the rule to be more specific For example if IRC is blocked for all users will a rule that blocks just certain users be more effective...

Page 153: ...a range of IPs or a subnet 13 3 Connection Direction This section talks about configuring firewall rules for connections going from LAN to WAN and WAN to LAN in your firewall 13 3 1 LAN to WAN Rules...

Page 154: ...reate custom rules to allow it See the following figure Figure 13 2 WAN to LAN Traffic 13 4 Rule Summary The fields in the Rule Summary screens are the same for Local Network and Internet so the discu...

Page 155: ...LD DESCRIPTION OPTIONS General Name This is the name of the firewall rule set Type a name to distinguish the LAN to WAN filter set from the WAN to LAN filter set Name The default action for packets no...

Page 156: ...for more information Action This is the specified action for that rule Note that Block means the firewall silently discards the packet Block Forward Log This field shows you if a log is created for pa...

Page 157: ...ion protocol used by some servers BGP TCP 179 Border Gateway Protocol BOOTP_CLIENT UDP 68 DHCP Client BOOTP_SERVER UDP 67 DHCP Server CU SEEME TCP UDP 7648 24032 A popular videoconferencing solution f...

Page 158: ...sends out ICMP echo requests to test whether or not a remote host is reachable POP3 TCP 110 Post Office Protocol version 3 lets a client computer get e mail from a POP3 server through a temporary conn...

Page 159: ...gin Program STRM WORKS UDP 1558 Stream Works Protocol SYSLOG UDP 514 Allows you to send system logs to a UNIX server TACACS UDP 49 Login Host Protocol used for Terminal Access Controller Access Contro...

Page 160: ...creen shown to display the following screen Figure 13 4 Creating Editing A Firewall Rule Table 13 3 Creating Editing A Firewall Rule FIELD DESCRIPTION OPTIONS Source Address Click SrcAdd to add a new...

Page 161: ...kets that match this rule be blocked or forwarded Make your choice from the drop down list box Note that Block means the firewall silently discards the packet Block Forward Log This field determines i...

Page 162: ...ZyWALL 10 10 II 50 Internet Security Gateway 13 12 Creating Custom Rules Figure 13 5 Adding Editing Source and Destination Addresses...

Page 163: ...in a range here End IP Address Enter the ending IP address in a range here Subnet Mask Enter the subnet mask here if applicable When you have finished click Apply to save your customized settings and...

Page 164: ...ZyWALL 10 10 II 50 Internet Security Gateway 13 14 Creating Custom Rules Figure 13 6 Timeout Screen...

Page 165: ...e indicating the end of the TCP session 60 seconds Idle Timeout This is the length of time of inactivity a TCP connection remains open before the ZyWALL considers the connection closed 3600 seconds 1...

Page 166: ......

Page 167: ...for services not predefined by the ZyWALL see Figure 13 4 For a comprehensive list of port numbers and services visit the IANA Internet Assigned Number Authority website For further information on th...

Page 168: ...the name of your customized port Protocol This shows the IP protocol TCP UDP or Both that defines your customized port Port This is the port number or range that defines your customized port Click a c...

Page 169: ...3 14 2 Creating Editing A Custom Port Click Edit in the previous screen to create a new custom port or edit an existing one This action displays the following screen Figure 14 2 Creating Editing A Cu...

Page 170: ...the drop down list box TCP UDP TCP UDP Port Configuration Type Click Single to specify one port only or Range to specify a span of ports that define your customized service Single Range Port Number En...

Page 171: ...hat match don t match or both this rule see Figure 13 4 Click on the Logs to bring up the next screen Firewall logs may also be viewed in SMT Menu 21 3 see section 11 3 or via syslog SMT Menu 24 3 2 S...

Page 172: ...to WAN rules and set 2 X 2 for WAN to LAN rules Y represents the rule in the set You can configure up to 10 rules in any set Y 01 to 10 Rule number 00 is the default rule not match 1 01 dest IP This m...

Page 173: ...5 2 Please see the NAT chapter 16 1 1 Example 1 Firewall Rule To Allow Web Service From The Internet Let s say you have one server on the local network with an IP of 10 100 1 2 supporting FTP HTTP Tel...

Page 174: ...all Enabled check box or through SMT menu 21 2 You can only configure the firewall using the web configurator or CI commands see Appendices When the firewall is active the default rules allow all traf...

Page 175: ...y clicking Advanced Firewall Configuration then the E mail tab Configure the E mail screen as follows Figure 16 2 Example 1 E Mail Screen Enter 10 100 1 2 the IP address of the mail server here This i...

Page 176: ...Click Internet and go to the Rule Summary Configure this screen as shown Figure 16 3 Example 1 Configuring a Rule This is an Internet to Local Network rule Move this service to this box by selecting...

Page 177: ...n address as the IP of your server on the LAN Figure 16 4 Example 1 Destination Address for Traffic Originating from the Internet 10 100 1 2 is the IP of our server on the LAN supporting FTP HTTP Teln...

Page 178: ...Summary Screen 16 1 2 Example 2 Small Office With Mail FTP and Web Servers A small office has Log of packets should match this rule in the ACL Default Set Click Apply in this screen when you have fini...

Page 179: ...5 You want i To send alerts when there is an attack ii To only allow access to the Internet from the HTTP proxy server and your mail server iii To only allow FTP server 1 to be accessible from the In...

Page 180: ...ansport services required to move mail from one system to another The current version is called POP3 Click Custom Ports and then click Edit Configure the screen as follows POP3 is now a predefined ser...

Page 181: ...of the mail server 192 168 10 2 in the same fashion as in Figure 16 4 Figure 16 8 Example 2 Local Network Rule 1 Configuration Step 6 Similarly configure another local network to Internet rule allowi...

Page 182: ...the Internet Remember the default Internet to Local Network ACL Set blocks all traffic from the Internet so you want to create a hole for this server Click the Internet link to see its Rule Summary sc...

Page 183: ...le Summary for this Internet firewall rule should look like the following screen Don t forget to click Apply when you have finished configuring your rule s to save your settings back to the ZyWALL Fig...

Page 184: ...rom the Internet The following are some Internet firewall rule examples that allow DHCP negotiation between the ISP and the ZyWALL and allow a syslog connection1 from the Internet Follow the procedure...

Page 185: ...Advanced Management This part provides information on Filter Configuration SNMP Configuration System Information and Diagnosis Firmware and Configuration File Maintenance System Maintenance and Infor...

Page 186: ......

Page 187: ...protocol filters which are discussed later Data filtering screens the data to determine if the packet should be allowed to pass Data filters are divided into incoming and outgoing filters depending o...

Page 188: ...pply up to four filter sets to a particular port to block multiple types of packets With each filter set having up to six rules you can have a maximum of 24 rules active for a single port Sets of fact...

Page 189: ...er Set Fetch First Filter Rule Active Execute Filter Rule Fetch Next Filter Rule Next filter Rule Available Fetch Next Filter Set Next Filter Set Available Accept Packet Drop Packet Yes No Yes No Yes...

Page 190: ...gle port 18 2 Configuring a Filter Set To configure a filter set follow the procedure below For more information on menus 21 2 and 21 3 please see the firewall chapters Step 1 Select option 21 Filter...

Page 191: ...ummary Figure 18 6 NetBIOS_WAN Filter Rules Summary Menu 21 1 Filter Set Configuration Filter Filter Set Comments Set Comments 1 _______________ 7 _______________ 2 _______________ 8 _______________ 3...

Page 192: ...hain with the present rule An action cannot be taken until the rule chain is complete N means there are no more rules to check You can specify an action to be taken i e forward the packet drop the pac...

Page 193: ...col filters or generic filters The class of a filter set is determined by the first rule that you create When applying the filter sets to a port separate menu fields are provided for protocol and devi...

Page 194: ...ce route option The majority of IP packets do not have source route Yes No Destination IP Address Enter the destination IP Address of the packet you wish to filter This field is ignored if it is 0 0 0...

Page 195: ...e packet against the value given in Source Port None Less Greater Equal Not Equal TCP Estab This field is applicable only when the IP Protocol field is 6 TCP If Yes the rule matches packets that want...

Page 196: ...the rule Check Next Rule Forward Drop Press SPACE BAR to select properties for fields that do not need to be typed in When you have Menu 21 1 1 1 TCP IP Filter Rule configured press ENTER at the messa...

Page 197: ...Filter Active Check IP Protocol Drop Drop Packet Accept Packet Drop Forward Check Next Rule Check Next Rule Check Next Rule Forward Not Matched Yes No Check Src IP Addr Apply SrcAddrMask to Src Addr M...

Page 198: ...against the Value to determine a match The Mask and Value are specified in hexadecimal numbers Note that it takes two hexadecimal digits to represent a byte so if the length is 4 the value in either f...

Page 199: ...e packet that you wish to compare The range for this field is 0 to 8 0 Default Mask Enter the mask in Hexadecimal notation to apply to the data portion before comparison Value Enter the value in Hexad...

Page 200: ...ss ESC to cancel This data will now be displayed on Menu 21 1 1 Filter Rules Summary 18 3 Example Filter Let s look at an example to block outside users from telnetting into the ZyWALL Please see our...

Page 201: ...23 Port Comp Equal Source IP Addr 0 0 0 0 IP Mask 0 0 0 0 Port 0 Port Comp None TCP Estab No More No Log None Action Matched Drop Action Not Matched Forward Press ENTER to Confirm or ESC to Cancel Pr...

Page 202: ...our example filter set 3 as shown in Figure 18 15 Step 4 Press ENTER to confirm after you enter the set numbers and to leave menu 11 5 Menu 21 1 3 Filter Rules Summary A Type Filter Rules M m n 1 Y IP...

Page 203: ...possible to know the exact address and port on the wire Therefore the ZyWALL applies the protocol filters to the native IP address and port number before NAT for outgoing packets and after NAT for inc...

Page 204: ...er set s that you want to apply as appropriate You can choose up to four filter sets from twelve by entering their numbers separated by commas e g 3 4 6 11 Input filter sets filter incoming traffic to...

Page 205: ...affic Menu 11 5 Remote Node Filter Input Filter Sets protocol filters 1 device filters Output Filter Sets protocol filters 1 device filters Call Filter Sets protocol filters 1 device filters Enter her...

Page 206: ......

Page 207: ...etwork Management Protocol is a protocol used for exchanging management information between network devices SNMP is a member of TCP IP protocol suite Your ZyWALL supports SNMP agent functionality whic...

Page 208: ...gh which network administrators perform network management functions It executes applications that control and monitor managed devices The managed devices contain object variables managed objects that...

Page 209: ...thin an agent Trap Used by the agent to inform the manager of some events 19 2 Supported MIBs The ZyWALL supports MIB II that is defined in RFC 1213 and RFC 1215 The ZyWALL can also respond with speci...

Page 210: ...ALL will only respond to SNMP messages from this address If you leave the field set to 0 0 0 0 default your ZyWALL will respond to all SNMP messages it receives regardless of source 0 0 0 0 default Tr...

Page 211: ...thenticationFailure defined in RFC 1215 A trap is sent to the manager when receiving any SNMP get or set requirements with wrong community password 6 whyReboot defined in ZYXEL MIB A trap is sent with...

Page 212: ......

Page 213: ...ystem Status gives you information on the version of your system firmware and the status and statistics of the ports as shown in the next figure System Status is a tool that can be used to monitor you...

Page 214: ...PTION Port This is the WAN or the LAN port Status Shows the port speed and duplex setting if you re using Ethernet Encapsulation and Down line is down idle line ppp idle dial starting to trigger a cal...

Page 215: ...tal time the ZyWALL has been on Name This is the ZyWALL s system name domain name assigned in menu 1 e g System Name xxx Domain Name baboo mickey com Name xxx baboo mickey com Routing This field refer...

Page 216: ...IPTION Name This is the ZyWALL s system name domain name assigned in menu 1 Name xxx baboo mickey com Routing Refers to the routing protocol used ZyNOS F W Version Refers to the version of ZyXEL s Net...

Page 217: ...19200 38400 57600 and 115200 bps for the console port Use SPACE BAR to select the desired speed in menu 24 2 2 as shown below Figure 20 5 Menu 24 2 2 System Maintenance Change Console Port Speed 20 3...

Page 218: ...1 PP17 INFO adjtime task pause 60 seconds 2 Wed Aug 22 21 23 54 2001 PINI INFO SMT Session Begin 3 Wed Aug 22 21 24 26 2001 PP0d INFO No DNS server available 4 Wed Aug 22 21 24 26 2001 PP17 WARN Wrong...

Page 219: ...CE BAR to turn syslog on or off Syslog IP Address Enter the IP Address of the server that will log the CDR Call Detail Record and system messages i e the syslog server Log Facility Press SPACE BAR to...

Page 220: ...l xx str board the hardware board ID line the WAN ID in a board Channel channel ID within the WAN call the call reference number which starts from 1 and increments by 1 for each new call str C01 Outgo...

Page 221: ...R01mD means filter set 4 S and rule 1 R match m drop D Src Source Address Dst Destination Address prot Protocol TCP UDP ICMP spo Source port dpo Destination port Mar 03 10 39 43 202 132 155 97 ZyXEL G...

Page 222: ...mation prot Protocol TCP UDP ICMP IGMP GRE ESP rule a b where a means set number b means rule number action nothing N block B forward F 08 01 2000 11 48 41 Local1 Notice 192 168 10 10 RAS FW 172 21 1...

Page 223: ...Type of Service 0x00 0 Total Length 0x002C 44 Identification 0x0002 2 Flags 0x00 Fragment Offset 0x00 Time to Live 0xFE 254 Protocol 0x06 TCP Header Checksum 0xFB20 64288 Source IP 0xC0A80101 192 168...

Page 224: ...or WAN as shown in Figure 20 11 LAN DHCP has already been discussed The ZyWALL can act either as a WAN DHCP client IP Address Assignment field in menu 4 or menu 11 3 is Dynamic and the Encapsulation...

Page 225: ...Enter 2 to release your WAN DHCP settings WAN DHCP Renewal Enter 3 to renew your WAN DHCP settings Internet Setup Test Enter 4 to test the Internet Setup You can also test the Internet Setup in Menu...

Page 226: ......

Page 227: ...ension With many FTP and TFTP clients the filenames are similar to those seen next ftp put firmware bin ras This is a sample FTP session showing the transfer of the computer file firmware bin to the Z...

Page 228: ...ifferent ways to backup restore and upload files in menus 24 5 24 6 24 7 1 and 24 7 2 depending on whether you use the console port or Telnet Option 5 from Menu 24 System Maintenance allows you to bac...

Page 229: ...computer and renames it config rom See earlier in this chapter for more information on filename conventions Step 7 Enter quit to exit the FTP prompt 21 2 3 Example of FTP Commands from the Command Lin...

Page 230: ...ser ID and Password to login Transfer Type Transfer files in either ASCII plain text format or in binary mode Initial Remote Directory Specify the default remote directory path Initial Local Directory...

Page 231: ...e telnet client and accepts TFTP requests only from this address Step 2 Put the SMT in command interpreter CI mode by entering 8 in Menu 24 System Maintenance Step 3 Enter command sys stdio 0 to disab...

Page 232: ...en shipped Send Fetch Use Send to upload the file to the ZyWALL and Fetch to back up the file on your computer Local File Enter the path and name of the firmware file bin extension or configuration fi...

Page 233: ...ress any key to return to the SMT menu Figure 21 6 Successful Backup Confirmation Screen 21 3 Restore Configuration This section shows you how to restore a previously saved configuration Note that thi...

Page 234: ...Step 1 Launch the FTP client on your computer Step 2 Enter open followed by a space and the IP address of your ZyWALL Menu 24 6 System Maintenance Restore Configuration To transfer the firmware and co...

Page 235: ...successful restore process 21 3 3 Restore Using FTP Session Example Figure 21 8 Restore Using FTP or TFTP Session Example Refer to section 21 2 5 to read about configurations that disallow TFTP and F...

Page 236: ...turn to the SMT menu Figure 21 12 Successful Restoration Confirmation Screen 21 4 Uploading Firmware and Configuration Files This section shows you how to upload firmware and configuration files You c...

Page 237: ...owing screen when you telnet into menu 24 7 2 Menu 24 7 1 System Maintenance Upload System Firmware To upload the system firmware follow the procedure below 1 Launch the FTP client on your workstation...

Page 238: ...he ZyWALL and renames it rom 0 Likewise get rom 0 config rom transfers the configuration file on the ZyWALL to your computer and renames it config rom See earlier in this chapter for more information...

Page 239: ...nts To transfer the firmware and the configuration file follow the procedure shown next Step 1 Use telnet from your computer to connect to the ZyWALL and log in Because TFTP does not have any security...

Page 240: ...mode use this mode when transferring binary files host is the ZyWALL s IP address put transfers the file source on the computer firmware bin name of the firmware on the computer to the file destinati...

Page 241: ...the following screen Figure 21 17 Example Xmodem Upload After the firmware upload process has completed the ZyWALL will automatically restart Menu 24 7 1 System Maintenance Upload System Firmware To...

Page 242: ...LL 21 4 11 Example Xmodem Configuration Upload Using HyperTerminal Click Transfer then Send File to display the following screen Menu 24 7 2 System Maintenance Upload System Configuration File To uplo...

Page 243: ...tion File Maintenance 21 17 Figure 21 19 Example Xmodem Upload After the configuration upload process has completed restart the ZyWALL by entering atgo Type the configuration file s location or click...

Page 244: ......

Page 245: ...y a serial connection to the console port although some commands are only available with a serial connection See the included disk or the zyxel com web site for more detailed information on CI command...

Page 246: ...he ZyWALL within certain times When the total outgoing call time exceeds the limit the current call will be dropped and any future outgoing calls will be blocked Call history chronicles preceding inco...

Page 247: ...ter 0 to update the screen The budget and the reset period can be configured in menu 11 1 for the remote node Table 22 1 Budget Management FIELD DESCRIPTION EXAMPLE Remote Node Enter the index number...

Page 248: ...fer rate of the call call This is the number of calls made to or received from that telephone number Max This is the length of time of the longest telephone call Min This is the length of time of the...

Page 249: ...following screen Figure 22 7 Menu 24 10 System Maintenance Time and Date Setting Menu 24 10 System Maintenance Time and Date Setting Use Time Server when Bootup NTP RFC 1305 Time Server IP Address tic...

Page 250: ...ield displays an updated time only when you reenter this menu New Time Enter the new time in hour minute and second format Current Date This field displays an updated date only when you reenter this m...

Page 251: ...ZyWALL 10 10 II 50 Internet Security Gateway System Maintenance Information 22 7 ii When the ZyWALL starts up if there is a time server configured in menu 24 10 iii 24 hour intervals after starting...

Page 252: ......

Page 253: ...ZyWALL for remote management is through an SMT session using the console port Once your ZyWALL is configured you can use telnet to configure it remotely as shown next Figure 23 1 Telnet Configuration...

Page 254: ...Web and FTP services You can customize the service port access interface and the secured client IP address to enhance security and flexibility You may manage your ZyWALL from a remote location via Int...

Page 255: ...er for the remote management service You may change the port number for a service if needed but you must use the same port number to use that service for remote management 23 Menu 24 11 Remote Managem...

Page 256: ...n menu 3 1 LAN or in menu 11 5 WAN is applied to block a Telnet FTP or Web service 2 You have disabled that service in menu 24 11 3 The IP address in the Secured Client IP field menu 24 11 does not ma...

Page 257: ...timeout of five minutes three hundred seconds for either the console port or telnet web FTP connections Your ZyWALL will automatically log you out if you do nothing in this timeout period except when...

Page 258: ......

Page 259: ...Call Scheduling and VPN IPSec V Part V Call Scheduling and VPN IPSec Part V provides information about Call Scheduling and VPN IPSec...

Page 260: ......

Page 261: ...nu 26 Schedule Setup Lower numbered sets take precedence over higher numbered sets thereby avoiding scheduling conflicts For example if sets 1 2 3 and 4 in are applied in the remote node then set 1 wi...

Page 262: ...Yes and press ENTER to activate the schedule set Yes No Start Date Enter the start date when you wish the set to take effect in year month date format Valid dates are from the present to 2036 February...

Page 263: ...he connection is maintained whether or not there is a demand call on the line and will persist for the time period specified in the Duration field Forced On Forced Down means that the connection is bl...

Page 264: ...riod hr 0 My Login Schedules 1 2 3 4 My Password Nailed up Connections Authen CHAP PAP Session Options PPTP Edit Filter Sets No My IP Addr Idle Timeout sec 100 Server IP Addr Connection ID Name Press...

Page 265: ...ible solutions for secure data communications across a public network like the Internet IPSec is built around a number of standardized cryptographic techniques to provide confidentiality data integrit...

Page 266: ...support 10 Security Associations and the ZyWALL 50 supports 50 Security Associations SAs Linking Two or More Private Networks Together Connect branch offices and business partners over the Internet wi...

Page 267: ...ZyWALL 10 10 II 50 Internet Security Gateway Introduction to IPSec 25 3 Figure 25 2 VPN Application 25 2 IPSec Architecture The overall IPSec architecture is shown as follows...

Page 268: ...ation algorithms The Encryption algorithm describes the use of encryption techniques such as DES Data Encryption Standard and Triple DES algorithms The Authentication algorithms HMAC MD5 RFC 2403 and...

Page 269: ...of the original IP header in the hashing process 25 3 2 Tunnel Mode Tunnel mode encapsulates the entire IP packet to transmit it securely A Tunnel mode is required for gateway services to provide acc...

Page 270: ...including headers in a new IP packet The new IP packet s source address is the outbound address of the sending VPN gateway and its destination address is the inbound address of the VPN device at the r...

Page 271: ...menu 27 1 submenus including security policies endpoint IP addresses peer IPSec router IP address and key management 2 Menu 27 2 SA Monitor allows you to manage refresh or disconnect your SA connectio...

Page 272: ...y is not required or not sanctioned by government encryption restrictions an AH can be employed to ensure integrity This type of implementation does not protect the information from dissemination but...

Page 273: ...a 128 bit digest to authenticate packet data 3DES Triple DES 3DES is a variant of DES which iterates three times with three separate keys 3 x 56 168 bits effectively doubling the strength of DES SHA1...

Page 274: ...DNS The ZyWALL has to rebuild the VPN tunnel each time the remote secure gateway s WAN IP address changes there may be a delay until the DDNS servers are updated with the remote gateway s new WAN IP a...

Page 275: ...on Figure 26 5 Headquarters ZyWALL Configuration The Secure Gateway IP Address may be configured as 0 0 0 0 only when using IKE key management and not Manual key management A ZyWALL with Secure Gatewa...

Page 276: ...dr Type field in Menu 27 1 1 IPSec Setup is configured to Range this is the beginning static IP address in a range of computers on the LAN behind your ZyWALL When the Addr Type field in Menu 27 1 1 IP...

Page 277: ...DES NULL denotes a tunnel without encryption AH Authentication Header provides strong integrity and authentication by adding authentication information to IP packets This authentication information is...

Page 278: ...PSec router with which you are making the VPN connection This field displays 0 0 0 0 when you configure the Secure Gateway Addr field in SMT 27 1 1 to 0 0 0 0 193 81 13 2 Select Command Press SPACE BA...

Page 279: ...name for this VPN rule The name may be up to 32 characters long but only 10 characters will be displayed in Menu 27 1 IPSec Summary Taiwan Active Press SPACE BAR to choose either Yes or No Choose Yes...

Page 280: ...cal and remote IP address es both the same Two active SAs can have the same local or remote IP address but not both You can configure multiple SAs between the same local and remote IP addresses as lon...

Page 281: ...e Addr Type Press SPACE BAR to choose SINGLE RANGE or SUBNET and press ENTER Select SINGLE with a single IP address Use RANGE for a specific range of IP addresses Use SUBNET to specify IP addresses on...

Page 282: ...l and then press ENTER Manual is useful for troubleshooting if you have problems using IKE key management IKE Edit Key Management Setup Press SPACE BAR to change the default No to Yes and then press E...

Page 283: ...Choose whether to enable Perfect Forward Secrecy PFS using Diffie Hellman public key cryptography see section 26 5 5 Select None the default to disable PFS Choose Tunnel mode or Transport mode Set th...

Page 284: ...ommunications channel Diffie Hellman is used within IKE SA setup to establish session keys 768 bit Group 1 DH1 and 1024 bit Group 2 DH2 Diffie Hellman groups are supported Upon completion of the Diffi...

Page 285: ...re shared keys Pre shared keys are best for small networks with fewer than ten nodes Enter your pre shared key here Enter up to 31 characters Any character may be used including spaces but trailing sp...

Page 286: ...atically renegotiates in this field It may range from 60 to 3 000 000 seconds almost 35 days A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authen...

Page 287: ...t 26 6 1 Active Protocol This field is a combination of mode and security protocols used for the VPN These parameters have been discussed earlier Table 26 6 Active Protocol Encapsulation and Security...

Page 288: ...lds Key1 to Key3 when you choose 3DES Select NULL to set up a tunnel without encryption When you select NULL you do not enter any encryption keys DES Key1 Enter a unique eight character key Any charac...

Page 289: ...ted 123456789abcde AH Setup The AH Setup fields are N A if you chose an ESP Active Protocol SPI Decimal The SPI must be from one to four unique decimal characters 0 to 9 long N A Authentication ALgori...

Page 290: ......

Page 291: ...times out automatically after two minutes A tunnel with no outbound or inbound traffic is idle and does not timeout 27 1 Using SA Monitor 1 Use the Refresh function to display active VPN connections 2...

Page 292: ...ets Encryption methods include 56 bit DES and 168 bit 3DES NULL denotes a tunnel without encryption An incoming SA may have an AH in addition to ESP The Authentication Header provides strong integrity...

Page 293: ...ZyWALL 10 10 II 50 Internet Security Gateway SA Monitor 27 3 Table 27 1 Menu 27 2 SA Monitor FIELD DESCRIPTION EXAMPLE configuration or press ESC at any time to cancel...

Page 294: ......

Page 295: ...on Figure 28 1 Example VPN Initiator IPSec Log Index Date Time Log 001 01 Jan 08 02 22 Send Main Mode request to 192 168 100 101 002 01 Jan 08 02 22 Send SA 003 01 Jan 08 02 22 Recv SA 004 01 Jan 08 0...

Page 296: ...egotiation for outbound from the VPN initiator traffic is not finished yet Send Main Mode request to IP Send Aggressive Mode request to IP The ZyWALL has started negotiation with the peer Recv Main Mo...

Page 297: ...for these phases For example one party may be using 3DES encryption but the other party is using DES encryption so the connection will fail Verifying Local ID failed Verifying Remote ID failed During...

Page 298: ...rrent ZyWALL WAN IP address static or dynamic to set up the VPN tunnel Cannot find Phase 2 SA The ZyWALL cannot find a phase 2 SA that corresponds with the SPI of an inbound packet from the peer the p...

Page 299: ...Log 28 5 Table 28 3 RFC 2408 ISAKMP Payload Types LOG DISPLAY PAYLOAD TYPE TRANS Transform KE Key Exchange ID Identification CER Certificate CER_REQ Certificate Request HASH Hash SIG Signature NONCE...

Page 300: ......

Page 301: ...Troubleshooting Appendices Glossary and Index VI Part VI Troubleshooting Appendices and Index This part provides Troubleshooting followed by some Appendices and an Index...

Page 302: ......

Page 303: ...of the LEDs are on when you turn on the ZyWALL Check the connection between the power adapter and the ZyWALL If the error persists you may have a hardware problem In this case you should contact your...

Page 304: ...fter verifying the MAC address or Host Name or User ID Find out the verification method used by your ISP If the ISP checks the LAN MAC Address tell the ISP the WAN MAC address of the ZyWALL The WAN MA...

Page 305: ...anufacturer of your cable xDSL device about your cable requirement because for some devices may require crossover cable and others a regular straight through cable Cannot access the Internet Verify yo...

Page 306: ...s when remote management may not be possible When NAT is enabled Use the ZyWALL s WAN IP address when configuring from the WAN Use the ZyWALL s LAN IP address when configuring from the LAN Refer to th...

Page 307: ...Internet Security Gateway The Big Picture A Appendix A The Big Picture The following figure gives an overview of how filtering the firewall VPN and NAT are related Diagram 1 Big Picture Filtering Fir...

Page 308: ......

Page 309: ...ervices using PPP Benefits of PPPoE PPPoE offers the following benefits 1 It provides you with a familiar dial up networking DUN user interface 2 It lessens the burden on the carriers of provisioning...

Page 310: ...nels the PPP frames to the ISP The L2TP tunnel is capable of carrying multiple PPP sessions With PPPoE the VC Virtual Circuit is equivalent to the dial up connection and is between the modem and the A...

Page 311: ...separate ATM VC per destination Diagram 4 Transport PPP frames over Ethernet PPTP and the ZyWALL When the ZyWALL is deployed in such a setup it appears as a PC to the ANT ADSL Network Termination In...

Page 312: ...the user and the PAC and the PAC tunnels the PPP frames to the PNS The PPTP user is unaware of the tunnel between the PAC and the PNS Diagram 5 PPTP Protocol Overview Microsoft includes PPTP as a par...

Page 313: ...Gateway PPTP G PPP Data Connection The PPP frames are tunneled between the PNS and PAC over GRE General Routing Encapsulation RFC 1701 1702 The individual calls within a tunnel are distinguished using...

Page 314: ......

Page 315: ...100 Mbit Half Full Auto negotiation for the ZyWALL 10 II and 50 Ethernet Specification for LAN 10 100 Mbit Half Full Auto negotiation Console Port RS 232 Pin 1 NON Pin 2 DTE RXD Pin 3 DTE TXD Pin 4 D...

Page 316: ......

Page 317: ...ltage is correct and stable If the input AC voltage is over 10 lower than the standard may cause the ZyWALL to malfunction 7 Installation in restricted access areas must comply with Articles 110 16 11...

Page 318: ......

Page 319: ...ilable ZyWALL boot module commands as shown in the next screen ATBAx allows you to change the console port speed The x denotes the number preceding the colon to give the console port speed following t...

Page 320: ...mon Area ATDUx y dump memory contents from address x for length y ATRBx display the 8 bit value of address x ATRWx display the 16 bit value of address x ATRLx display the 32 bit value of address x ATG...

Page 321: ...unit and possibly render it unusable Command Syntax The command keywords are in courier new font Enter the command keywords exactly as shown do not abbreviate The required fields in a command are encl...

Page 322: ......

Page 323: ...d saves the current firewall settings D Di is sp pl la ay y config display firewall This command shows the of all the firewall settings including e mail attack and the sets rules config display firewa...

Page 324: ...ourly daily weekly This command sets how frequently the firewall log is sent via e mail config edit firewall e mail day sunday monday tuesday wednesday thursday friday saturday This command sets the d...

Page 325: ...ig edit firewall attack minute low 0 255 This command sets the threshold of half open sessions where the ZyWALL stops deleting half opened sessions config edit firewall attack max incomplete high 0 25...

Page 326: ...ng the ZyWALL leaves a TCP session open after the firewall detects a FIN exchange indicating the end of the TCP session Config edit firewall set set tcp idle timeout seconds This command sets how long...

Page 327: ...d subnet mask config edit firewall set set rule rule srcaddr range start ip address end ip address This command sets a rule to have the ZyWALL check for traffic from this range of addresses config edi...

Page 328: ...mand to enter various non consecutive port numbers config edit firewall set set rule rule UDP destport range start port end port This command sets a rule to have the ZyWALL check for UDP traffic with...

Page 329: ...vices such as PPPoE or PPTP NetBIOS packets cause unwanted calls You can configure NetBIOS filters to Block NetBIOS packets from being sent from the LAN to the WAN Block NetBIOS packets from being sen...

Page 330: ...Disabled means that NetBIOS packets are blocked from initiating calls Disabled NetBIOS Filter Configuration Syntax sys filter netbios config type on off where type Identify which NetBIOS filter numbe...

Page 331: ...Y Command sys filter netbios config 1 off This command forwards LAN to DMZ NetBIOS packets Command sys filter netbios config 2 on This command blocks IPSec NetBIOS packets Command sys filter netbios c...

Page 332: ...UL 1950 CSA C22 2 No 234 M90 AC Power Adapter model AD48 1201200DUY Input power AC120Volts 60Hz Output power DC12Volts 1 2A Power consumption 9 W Plug North American standards Safety standards UL CUL...

Page 333: ...nited Kingdom standards Safety standards TUV CE EN 60950 BS7002 Japan AC Power Adapter model JOD 48 1124 Input power AC100Volts 50 60Hz 27VA Output power DC12Volts 1 2A Power consumption 10 W Plug Jap...

Page 334: ......

Page 335: ...Attack 10 6 Budget Management 22 3 C Cable Modem 2 4 2 5 10 2 Call Control 22 2 Call History 22 4 Call Scheduling 24 1 maximum number of schedule sets 24 1 PPPoE 24 3 Precedence 24 1 Precedence Exampl...

Page 336: ...Internet EG 3 16 12 DHCP Negotiation 16 12 Diagnostic 20 11 DNS 5 2 Domain Name 5 2 9 14 20 3 DoS Basics 10 3 Types 10 4 DoS Denial of Service 1 1 Dynamic DNS 4 1 4 3 DYNDNS Wildcard 4 2 E E mail Log...

Page 337: ...Management 11 1 Rule Checklist 13 1 Rule Examples 16 1 Rule Logic 13 1 Rule Precedence 13 4 Rule Security Ramifications 13 2 Rule To Allow Web Service From The Internet 16 1 Services 13 7 SMT Menus 1...

Page 338: ...es 13 2 L LAN Setup 5 1 5 5 LAN to WAN Rules 13 3 LAND 10 4 10 6 Local Network Rule Summary 13 4 log 20 5 Log Facility 20 7 Log Screen 15 1 Logs 15 1 M MAC Address 4 5 29 2 Mail Server 12 4 Main Menu...

Page 339: ...7 5 7 8 Private 5 3 5 4 7 8 7 10 8 3 Private IP Addresses 5 3 R Read Me First xxxiii Real Time Chip 1 3 Rear Panel 2 2 2 3 2 4 Related Documentation xxxiii Relay 5 6 Remote Management Firewall 11 1 Re...

Page 340: ...Configuring 19 3 Community 19 3 Trap 19 4 Trusted Host 19 4 Manager 19 2 MIBs 19 3 SNMP Simple Network Management Protocol 1 2 SNMP Simple Network Management Protocol 19 1 Source Destination Addresse...

Page 341: ...5 13 13 13 14 13 15 Trace 20 5 Traceroute 10 7 Troubleshooting 29 1 Internet Access 29 3 LAN Interface 29 2 WAN Interface 29 2 U UDP ICMP Security 10 10 Unicast 5 4 UNIX Syslog 20 7 Upload Firmware 21...

Page 342: ...ZyWALL 10 10 II 50 Internet Security Gateway JJ Index Introduction 10 2...

Reviews:

No comments

Related manuals for ZyWALL 10/10

Brand: Xylem Pages: 24

Serial GSM Gateway

Brand: SmartSavy Pages: 48

Brand: Exsys Pages: 27

Brand: Bticino Pages: 28

PRESTIGE 660RU Series

Brand: ZyXEL Communications Pages: 14

Brand: NetComm Pages: 2

Brand: JBM electronics Pages: 29

Firebox X Core 1250e Firebox X Peak 5500e

Brand: Watchguard Pages: 10

Brand: LANSITEC Pages: 25

Smart Wireless Gateway 1420

Brand: Emerson Pages: 96

Brand: SmartRG Pages: 122

Ositech Titan II

Brand: Ositech Communications Pages: 4

Brand: Bove Technology Pages: 6

Brand: Wildix Pages: 5

Brand: Exegin Pages: 84

Brand: Perfectone Pages: 39

Brand: Nexo Pages: 95

Brand: InHand Pages: 78

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands