ZyXEL Communications P-660H-TX Скачать руководство пользователя страница 10

Страница: 10 / 89

P-660H-Tx v2 Support Notes

16. How can I protect against IP spoofing attacks?

The P-660H-Tx v2's filter sets provide a means to protect against IP spoofing
attacks. The basic scheme is as follows:

For the input data filter:

•

Deny packets from the outside that claim to be from the inside

•

Allow everything that is not spoofing us

Filter rule setup:

•

Filter type =TCP/IP Filter Rule

•

Active

=Yes

•

Source IP Addr =a.b.c.d

•

Source IP Mask =w.x.y.z

•

Action Matched =Drop

•

Action Not Matched =Forward

Where a.b.c.d is an IP address on your local network and w.x.y.z is your
netmask:

For the output data filters:

•

Deny bounce back packet

•

Allow packets that originate from us

Filter rule setup:

•

Filter Type =TCP/IP Filter Rule

•

Active

=Yes

•

Destination IP Addr =a.b.c.d

•

Destination IP Mask =w.x.y.z

•

Action Matched =Drop

•

Action No Matched =Forward

Where a.b.c.d is an IP address on your local network and w.x.y.z is your
netmask.

Содержание P-660H-TX

Страница 1: ...P 660H Tx v2 Series ADSL2 4 port Gateway Support Notes Version3 40 Feb 2007...

Страница 2: ...are Device filters and Protocol filters 8 16 How can I protect against IP spoofing attacks 8 Product FAQ 10 1 How can I manage P 660H Tx v2 10 2 What is the default password for Web Configurator 10 3...

Страница 3: ...all when your router has packet filtering and NAT built in 20 6 What is Denials of Service DoS attack 20 7 What is Ping of Death attack 21 8 What is Teardrop attack 21 9 What is SYN Flood attack 21 10...

Страница 4: ...sing IP Multicast 66 13 Using Bandwidth Management 67 14 Using Zero Configuration 70 15 How could I configure triple play on P 660H Tx v2 73 16 How to configure packet filter on P 660H Tx v2 73 Suppor...

Страница 5: ...4 How do I update the firmware and configuration file You can do this if you access the P 660H Tx v2 as Administrator You can upload the firmware and configuration file to Prestige from Web Condigura...

Страница 6: ...e TFTP client program to put your configuration in file rom 0 in the P 660H Tx v2 7 What should I do if I forget the system password In case you forget the system password you can erase the current co...

Страница 7: ...ddresses and port numbers of the local systems currently using it 10 What is the difference between SUA and Full Feature NAT When you edit a remote node in Web Configurator Advanced Setup Network Remo...

Страница 8: ...ervers do not allow users to login using the same IP address Thus users on the same network can not login to the same server simultaneously In this case it is better to use Many to Many No Overload or...

Страница 9: ...erver Server 1 IP IGA1 Server 2 IP IGA1 14 How many network users can the SUA NAT support The Prestige does not limit the number of the users but the number of the sessions The P 660H Tx v2 supports 2...

Страница 10: ...ve Yes Source IP Addr a b c d Source IP Mask w x y z Action Matched Drop Action Not Matched Forward Where a b c d is an IP address on your local network and w x y z is your netmask For the output data...

Страница 11: ...word for the two accounts are Common User Account user Administrator Account 1234 You can change the password after you logging in the Web Configurator Please record your new password whenever you cha...

Страница 12: ...one Internet account and limit only one computer to access the Internet For most Internet users having multiple computers want to share an Internet account for Internet access they have to add another...

Страница 13: ...able 10 When do I need DDNS service When you want your internal server to be accessed by using DNS name rather than using the dynamic IP address we can use the DDNS service The DDNS server allows to a...

Страница 14: ...LAN appear as a single machine to the outside world LAN users are invisible to outside users So to make an internal server for outside access we must specify the service port and the LAN IP of this se...

Страница 15: ...ne the VC throughput is guaranteed by SCR Maximum Burst Size MBS The amount of cells transmitted through this VC at the Peak Cell Rate before yielding to other VCs Total bandwidth of the line is dedic...

Страница 16: ...18 What is content filter Internet Content filter allows you to create and enforce Internet access policies tailored to your needs Content filter gives you the ability to block web sites that contain...

Страница 17: ...passed today that can support two way cable modem transmissions and while the figure also grows steadily it will not catch up with telephone lines for many years Additionally many of the older cable...

Страница 18: ...tocols over a single VC it requires extra header information to identify the protocol being carried on the virtual circuit VC The VC based multiplexing needs a separate VC for carrying each protocol b...

Страница 19: ...one existing ADSL connection The different services such as video VoIP and Internet access require different Qulity of Service The high priority is Voice VoIP data The Medium priority is Video IPTV da...

Страница 20: ...vate LAN are invisible to the Internet 3 What are the basic types of firewalls Conceptually there are three types of firewalls 1 Packet Filtering Firewall 2 Application level Firewall 3 Stateful Inspe...

Страница 21: ...les that enhance the filtering process and control the network session rather than control individual packets in a session 4 The P 660H Tx v2 s firewall is fast It uses a hashing function to search th...

Страница 22: ...fragments with overlapping offset fields When these fragments are reassembled at the destination some systems will crash hang or reboot 9 What is SYN Flood attack SYN attack floods a targeted system...

Страница 23: ...he effect of the DoS attack IP Spoofing is a technique used to gain unauthorized access to computers by tricking a router or firewall into thinking that the communications are coming from within the t...

Страница 24: ...urator Telnet over WAN There are four reasons that WWW Telnet from WAN is blocked 1 When the firewall is turned on all connections from WAN to LAN are blocked by the default ACL rule To enable Telnet...

Страница 25: ...can t I upload the firmware and configuration file using FTP over WAN 1 When the firewall is turned on all connections from WAN to LAN are blocked by the default ACL rule To enable FTP from WAN you m...

Страница 26: ...erated automatically with factory default setting but you can change it in Web Configurator 2 What does the log show to us The log supports up to 128 entries There are 5 columns for each entry Please...

Страница 27: ...uration Advanced Setup Maintenance Logs Log Settings 4 When does the P 660H Tx v2 generate the firewall alert The P 660H Tx v2 generates the alert when an attack is detected by the firewall and sends...

Страница 28: ...nnection To connect your computer to the P 660H Tx v2 s LAN port the computer must have an Ethernet adapter card installed For connecting a single computer to the P 660H Tx v2 we use a Ethernet cable...

Страница 29: ...gure your P 660H Tx v2 as bridge mode We will use Web Configurator to guide you through the related menu 1 Configure P 660H Tx v2 as bridge mode and configure Internet setup parameters in Web Configur...

Страница 30: ...nfigurator Advanced Setup Network LAN We use 192 168 1 1 as the LAN IP for P 660H Tx v2 in this case Step 1 Disactive DHCP Server and apply it Step 2 Assign an IP to the LAN Interface of P 660H Tx v2...

Страница 31: ...the clients via DHCP if it is available For this setup in Windows we check the option Obtain an IP address automatically in its TCP IP setup Please see the example shown below Set up your P 660H Tx v...

Страница 32: ...DHCP settings in Web Configurator Advanced Setup Network LAN 3 Setup the P 660H Tx v2 as a DHCP Relay What is DHCP Relay DHCP stands for Dynamic Host Configuration Protocol In addition to the DHCP ser...

Страница 33: ...are configured in Web Configurator Advanced Setup Network NAT Port Forwarding the internal server or client applications can be accessed by using the P 660H Tx v2 s WAN IP Address SUA Supporting Table...

Страница 34: ...2 client IP Default client IP Microsoft NetMeeting 2 1 3 013 None 1720 client IP 1503 client IP Cisco IP TV 2 0 0 None RealPlayer G2 None VDOLive None Quake1 064 None Default client IP QuakeII2 305 No...

Страница 35: ...in Quake servers do not allow multiple users to login using the same unique IP so only one Quake user will be allowed in this case Moreover when a Quake server is configured behind SUA P 660H Tx v2 wi...

Страница 36: ...xed IP address and not be a DHCP client whose IP address potentially changes each time P 660H Tx v2 is powered on In addition to the servers for specific services SUA supports a default server A servi...

Страница 37: ...1 Fill in the service name and server IP Address press button Add 2 If add successfully the Web Configurator will display message Configuration updated successfully at the bottom You can see the port...

Страница 38: ...u must be able to establish an IP connection with a tunnel server such as the Windows NT Server 4 0 Remote Access Server Windows Dial Up Networking uses the Internet standard Point to Point PPP to pro...

Страница 39: ...irst dial up adapter that provides PPP support for the analog or ISDN modem The PPTP is supported in Windows NT and Windows 98 already For Windows 95 it needs to be upgraded by the Dial Up Networking...

Страница 40: ...cols from RAS such as IPX TCP IP NetBEUI Set the Internet gateway to P 660H Tx v2 2 PPTP client setup Win9x Add one VPN connection from Dial Up Networking by entering the correct username password and...

Страница 41: ...p connection has been established Before making a VPN connection from the Win9x client to the NT server you need to know the exact Internet IP address that the ISP assigns to P 660H Tx v2 router in SU...

Страница 42: ...Set Number 1 8 in the pull down menu on the right Network Address Translation SUA Only When you select this option this remote node will use default SUA Address Mapping Set You can see it in CLI by c...

Страница 43: ...ly it When you select SUA Only the P 660H Tx v2 will use a default SUA Address Mapping set for it It has two rules Many to One and Server You can see it in CLI by command ip nat lookup 255 Please note...

Страница 44: ...can only be configured in CLI Now let s begin with Web Configurator Firstly let s come to Web Configurator Advanced Setup Network NAT Address Mapping This menu is for Address Mapping Set 1 you can ed...

Страница 45: ...s is the starting global IP address IGA If you have a dynamic IP enter 0 0 0 0 as the Global Start IP 0 0 0 0 Global IP End This is the ending global IP address IGA This field is N A for One to One Ma...

Страница 46: ...NAT address mapping set and set mapping set name but set name is optional Example ip nat addrmap map 2 Test ip nat addrmap rule rule insert edit type local start IP local end IP global start IP globa...

Страница 47: ...e it to be default value if you don t want this command ip nat server edit rule forwardip IP address Configure the LAN IP address to be forwarded ip nat server edit rule protocol TCP UDP ALL Configure...

Страница 48: ...the Service name Server IP Address Start End Port The most often used port numbers are shown in the following table Please refer RFC 1700 for further information about port numbers Service Port Numbe...

Страница 49: ...ing figure 2 Internet Access with an Internal Server In this case we do exactly as the figure use the convenient pre configured SUA Only set and also go to Web Configurator Advanced Setup Network NAT...

Страница 50: ...the following way using 4 NAT rules Rule 1 One to One type to map the FTP Server 1 with ILA1 192 168 1 10 to IGA1 200 0 0 1 Rule 2 One to One type to map the FTP Server 2 with ILA2 192 168 1 11 to IGA...

Страница 51: ...ced Setup Network NAT Address Mapping to begin configuring Address Mapping Set 1 We can see there are 10 blank rule table that could be configured See the following setup for the four rules in our cas...

Страница 52: ...map the other clients to IGA3 200 0 0 3 Rule 4 Setup Select Server type to map our web server and mail server with ILA3 192 168 1 20 to IGA3 Menu Network NAT Address Mapping should look as follows no...

Страница 53: ...endly Applications Some servers providing Internet applications such as some mIRC servers do not allow users to login using the same IP address In this case it is better to use Many to Many No Overloa...

Страница 54: ...ieved This solves the problems if your DNS server uses an IP associated with dynamic IPs Without DDNS we always tell the users to use the WAN IP of the P 660H Tx v2 to access the internal server It is...

Страница 55: ...up the DDNS 1 Before configuring the DDNS settings in the P 660H Tx v2 you must register an account from the DDNS server such as WWW DYNDNS ORG first After the registration you have a hostname for you...

Страница 56: ...shown in figure 3 For SNMPv1 operation ZyXEL permits one community string so that the router can belong to only one community and allows trap messages to be sent to only one NMS manager Some traps ar...

Страница 57: ...restart before rebooting 1 For intentional reboot In some cases download new files CI command sys reboot reboot is done intentionally And traps with the message System reboot by user will be sent 2 F...

Страница 58: ...om the NMS The default is public Set Community Enter the correct Set Community This Set Community must match the Set community requested from the NMS The default is public Trusted Host Enter the IP ad...

Страница 59: ...you wish to send the syslog Log Facility Select from the 7 different local options The log facility lets you log the message in different server files Refer to your UNIX manual 9 Using IP Alias What...

Страница 60: ...rk LAN IP Alias There are three internal virtual LAN interfaces for the P 660H Tx v2 to route the packets from to the three networks correctly They are enif0 for the major network enif0 0 for the IP a...

Страница 61: ...ond and third networks in Network LAN IP Alias by configuring the P 660H Tx v2 s second and third LAN IP addresses Key Settings IP Alias 1 Active it and enter the second LAN IP address for the P 660H...

Страница 62: ...o prioritize traffic Cost Savings IPPR allows organizations to distribute interactive traffic on high bandwidth high cost path while using low path for batch traffic Load Sharing Network administrator...

Страница 63: ...le Step 2 Suppose we d like to edit the rule like this Policy Set Name Test Active Yes Criteria IP Protocol 6 Type of Service Don t Care Packet length 0 Precedence Don t Care Len Comp N A Source addr...

Страница 64: ...ction gatewaytype 0 Set gateway type for the rule Gateway Address ip policyrouting set action gatewayaddr 192 168 1 254 Set the gateway address for the rule 192 168 1 254 ip policyrouting set criteria...

Страница 65: ...ppose we want to edit a call schedule set like this Call Schedule Set 1 Set name Test Active Yes Start Date yyyy mm dd 2005 12 27 How Often Once Once Date yyyy mm dd 2005 12 27 Start Time hh mm 12 00...

Страница 66: ...mote node will be dropped Enable Dial On Demand The remote node accepts Dial on demand during this period Disable Dial On Demand The remote node denies any demand dial during the period For the existi...

Страница 67: ...IP packets are transmitted in two ways unicast or broadcast Multicast is a third way to deliver IP packets to a group of hosts Host groups are identified by class D IP addresses i e those with 1110 a...

Страница 68: ...tocol Some other traffic may not require high bandwidth but they require stable supply of bandwidth such as VoIP traffic The VoIP quality would not be good if all of the outgoing bandwidth is occupied...

Страница 69: ...root Scheduler Choose the principle to allocate bandwidth on this interface Priority Based allocates bandwidth via priority Fairness Based allocates bandwidth by ratio Maximize Bandwidth Usage Check...

Страница 70: ...anaged Bandwidth Check this box if you would like to let this class to borrow bandwidth from it s parents when the required bandwidth is higher than the configured amount Do not check this if you want...

Страница 71: ...some probing patterns system will analyze the packets returned from ISP and decide which services the ISP may provide Because ADSL is based on a ATM network so system have to pre configured a VPI VCI...

Страница 72: ...vpi vci service bit hex wan atm vchunt save Note remote node input the remote node index 1 8 vpi vpi value vci vci value service it s a hex value bit0 PPPoE VC 1 bit1 PPPoE LLC 2 bit2 PPPoA VC 4 bit3...

Страница 73: ...he device LAN Ethernet port with the DSL sync up 2 Open your web browser to access a Web site It should prompt and request for your username password of your ISP account if your ISP provide PPPoE or P...

Страница 74: ...traffic from Ethernet port 1 must be forwarded to PVC1 vice versa The traffic from Ethernet port 2 must be forwarded to PVC2 vice versa The traffic from Ethernet Port3 must be forwarded to PVC3 vice v...

Страница 75: ...em by command sys filter set index set rule Usage set 1 12 rule 1 6 Commonly the preconfigured filter sets are as follows set 2 rule 1 6 set 3 rule 1 set 4 rule 1 sys filter set display For example Th...

Страница 76: ...filter set You could configure a filter rule on demand the newest command is available on release note sys filter set save Usage Don t forget to save the rule everytime you ve configured it Reference...

Страница 77: ...g type 0 3 none match notmatch both Set the log type it could be 0 3 none match not match both sys filter set actmatch type 0 2 checknext forward drop Set the action for match sys filter set actnomatc...

Страница 78: ...port destIP port There are two ways to dump the trace Online Trace display the trace real time on screen Offline Trace capture the trace first and display later The details for capturing the trace in...

Страница 79: ...ble to capture the WAN packet by entering sys trcp channel mpoa00 bothway Enable the trace log by entering sys trcp sw on sys trcl sw on Display the brief trace online by entering sys trcd brief Displ...

Страница 80: ...l enet0 bothway Enable the trace log by entering sys trcp sw on sys trcl sw on Wait for packet passing through the Prestige over LAN Disable the trace log by entering sys trcp sw off sys trcl sw off D...

Страница 81: ...rminal Step 1 Initiate a hyper terminal connection from your PC suppose you connected to the LAN port of P 660H Tx v2 Step 2 Click the properties to configure parameters to telnet to the P 660H Tx v2...

Страница 82: ...P 660H Tx v2 Support Notes Step 3 So that after you invoke the relevant commands you could save the logs you ve captured 81 All contents copyright 2006 ZyXEL Communications Corporation...

Страница 83: ...before running the TFTP software Step 2 Type the CI command sys stdio 0 to disable console idle timeout in Command Line Interface CLI Step 3 Run the TFTP client software Step 4 Enter the IP address of...

Страница 84: ...g TFTP to upload download SMT configurations via LAN Step 1 TELNET to your Prestige first before running the TFTP software Step 2 Type the command sys stdio 0 to disable console idle timeout in Comman...

Страница 85: ...urations via LAN c tftp i PrestigeIP put localfile rom 0 Step 5 Download P 660H Tx v2 configurations via LAN c tftp i PrestigeIP get rom 0 localfile Using TFTP command on UNIX Before you begin 1 TELNE...

Страница 86: ...for the firmware is ras and the configuration file is rom 0 Step 1 Use FTP client from your workstation to connect to the Prestige by entering the IP address of the Prestige Step2 Press Enter key to...

Страница 87: ...ame prompt Step 3 To upload the firmware file we transfer the local ras file to overwrite the remote ras file To upload the configuration file we transfer the local rom 0 to overwrite the remote rom 0...

Страница 88: ...Tx v2 Support Notes Step 4 The Prestige reboots automatically after the uploading is finished Please do not power off the router at this moment 87 All contents copyright 2006 ZyXEL Communications Corp...

Страница 89: ...1 Shows the following commands and all major sub commands 2 exit Exit Subcommand To get the latest CI Command list The latest CI Command list is available in release note of every ZyXEL firmware rele...

Результаты поиска

Содержание P-660H-TX

Отзывы:

Похожие инструкции для P-660H-TX

Бренды по названию

Популярные бренды

ZyXEL Communications P-660H-TX, Поддержка заметок

Результаты поиска

Содержание P-660H-TX

Отзывы:

Похожие инструкции для P-660H-TX

Бренды по названию

Популярные бренды