ZyXEL Communications P-661H Series Скачать руководство пользователя страница 151 | Manualshive

Страница: 151 / 383

ZyXEL Communications P-661H Series Скачать руководство пользователя страница 151

P-661H/HW Series User’s Guide

Chapter 8 Firewalls

151

8.4.2.3 Traceroute

Traceroute is a utility used to determine the path a packet takes between two endpoints.
Sometimes when a packet filter firewall is configured incorrectly an attacker can traceroute
the firewall gaining knowledge of the network topology inside the firewall.

Often, many DoS attacks also employ a technique known as "

IP Spoofing

" as part of their

attack. IP Spoofing may be used to break into systems, to hide the hacker's identity, or to
magnify the effect of the DoS attack. IP Spoofing is a technique used to gain unauthorized
access to computers by tricking a router or firewall into thinking that the communications are
coming from within the trusted network. To engage in IP spoofing, a hacker must modify the
packet headers so that it appears that the packets originate from a trusted host and should be
allowed through the router or firewall. The ZyXEL Device blocks all IP Spoofing attempts.

8.5 Stateful Inspection

With stateful inspection, fields of the packets are compared to packets that are already known
to be trusted. For example, if you access some outside service, the proxy server remembers
things about your original request, like the port number and source and destination addresses.
This “remembering” is called

saving the state.

When the outside system responds to your

request, the firewall compares the received packets with the saved state to determine if they
are allowed in. The ZyXEL Device uses stateful packet inspection to protect the private LAN
from hackers and vandals on the Internet. By default, the ZyXEL Device’s stateful inspection
allows all communications to the Internet that originate from the LAN, and blocks all traffic to
the LAN that originates from the Internet. In summary, stateful inspection:

• Allows all sessions originating from the LAN (local network) to the WAN (Internet).
• Denies all sessions originating from the WAN to the LAN.

Figure 82

Stateful Inspection

«
...
149
150
151
152
153
...
»

Содержание P-661H Series

Страница 1: ...P 661H HW Series 802 11g Wireless ADSL2 4 port Security Gateway User s Guide Version 3 40 Edition 1 5 2006...

Страница 2: ......

Страница 3: ...ZyXEL Communications Corporation All rights reserved Disclaimer ZyXEL does not assume any liability arising out of the application or use of any products or software described herein Neither does it c...

Страница 4: ...ions If this equipment does cause harmful interference to radio television reception which can be determined by turning the equipment off and on the user is encouraged to try to correct the interferen...

Страница 5: ...P 661H HW Series User s Guide Certifications 5...

Страница 6: ...hem or stumble over them Do NOT allow anything to rest on the power cord and do NOT locate the product where anyone can walk on the power cord If you wall mount your device make sure that no electrica...

Страница 7: ...by an act of God or subjected to abnormal working conditions Note Repair or replacement as provided under this warranty is the exclusive remedy of the purchaser This warranty is in lieu of all other...

Страница 8: ...mark sales zyxel dk 45 39 55 07 07 FINLAND support zyxel fi 358 9 4780 8411 www zyxel fi ZyXEL Communications Oy Malminkaari 10 00700 Helsinki Finland sales zyxel fi 358 9 4780 8448 FRANCE info zyxel...

Страница 9: ...t zyxel se 46 31 744 7700 www zyxel se ZyXEL Communications A S Sj porten 4 41764 G teborg Sweden sales zyxel se 46 31 744 7701 UKRAINE support ua zyxel com 380 44 247 69 78 www ua zyxel com ZyXEL Ukr...

Страница 10: ...P 661H HW Series User s Guide 10 Customer Support...

Страница 11: ...reless Devices Only 38 1 3 Applications for the ZyXEL Device 39 1 3 1 Protected Internet Access 39 1 3 2 LAN to LAN Application 40 1 4 Front Panel LEDs 40 1 5 Hardware Connection 41 1 6 Splitters and...

Страница 12: ...vices only 66 3 2 1 Manually assign a WPA PSK key 69 3 2 2 Manually assign a WEP key 69 3 3 Bandwidth Management Wizard 72 3 3 1 Screen 1 73 3 3 2 Screen 2 74 3 3 3 Screen 3 75 Chapter 4 WAN Setup 77...

Страница 13: ...up 92 Chapter 5 LAN Setup 95 5 1 LAN Overview 95 5 1 1 LANs WANs and the ZyXEL Device 95 5 1 2 DHCP Setup 96 5 1 2 1 IP Pool Setup 96 5 1 3 DNS Server Address 96 5 1 4 DNS Server Address Assignment 97...

Страница 14: ...126 6 7 2 WMM QoS Priorities 126 6 7 3 Services 127 6 8 QoS Screen 128 6 8 1 ToS Type of Service and WMM QoS 129 6 8 2 Application Priority Configuration 130 Chapter 7 Network Address Translation NAT...

Страница 15: ...2 8 5 2 Stateful Inspection and the ZyXEL Device 152 8 5 3 TCP Security 153 8 5 4 UDP ICMP Security 153 8 5 5 Upper Layer Protocols 154 8 6 Guidelines for Enhancing Security with Your Firewall 154 8 6...

Страница 16: ...cking Time 176 9 11 3 Configuring Firewall Thresholds 177 Chapter 10 Trend Micro Security Services 179 10 1 Trend Micro Security Services Overview 179 10 1 1 TMSS Web Page 179 10 2 Configuring TMSS on...

Страница 17: ...ure Gateway Address 205 13 4 1 Dynamic Secure Gateway Address 205 13 5 VPN Setup Screen 205 13 6 Keep Alive 207 13 7 VPN NAT and NAT Traversal 207 13 8 Remote DNS Server 208 13 9 ID Type and Content 2...

Страница 18: ...Bandwidth for Non Bandwidth Class Traffic 237 15 6 2 Maximize Bandwidth Usage Example 238 15 6 2 1 Priority based Allotment of Unused and Unbudgeted Bandwidth 238 15 6 2 2 Fairness based Allotment of...

Страница 19: ...1 How do I know if I m using UPnP 263 18 1 2 NAT Traversal 263 18 1 3 Cautions with UPnP 264 18 2 UPnP and ZyXEL 264 18 2 1 Configuring UPnP 264 18 3 Installing UPnP in Windows Example 265 18 4 Using...

Страница 20: ...endix A Product Specifications 297 Appendix B About ADSL 301 Introduction to DSL 301 ADSL Overview 301 Advantages of ADSL 301 Appendix C Wall mounting Instructions 303 Appendix D Setting up Your Compu...

Страница 21: ...s of PPPoE 337 Traditional Dial up Scenario 337 How PPPoE Works 338 ZyXEL Device as a PPPoE Client 338 Appendix J Log Descriptions 339 Log Commands 353 Log Command Example 354 Appendix K Wireless LANs...

Страница 22: ...P 661H HW Series User s Guide 22 Table of Contents Appendix L Pop up Windows JavaScripts and Java Permissions 369 Internet Explorer Pop up Blockers 369 Java Permissions 374 Index 377...

Страница 23: ...ion 60 Figure 20 Internet Setup Wizard Manual Configuration 61 Figure 21 Internet Access Wizard Setup ISP Parameters 61 Figure 22 Internet Setup Wizard ISP Parameters Ethernet 62 Figure 23 Internet Se...

Страница 24: ...e 57 Wireless WPA PSK WPA2 PSK 116 Figure 58 Wireless WPA WPA2 117 Figure 59 Wireless LAN Advanced 119 Figure 60 Wireless LAN OTIST 121 Figure 61 Example Wireless Client OTIST Screen 122 Figure 62 Sec...

Страница 25: ...ashboard 180 Figure 101 TMSS Service Summary 180 Figure 102 TMSS 3 Steps 181 Figure 103 TMSS Registration Form 181 Figure 104 Example TMSS Activated Service Summary Screen 182 Figure 105 Example TMSS...

Страница 26: ...54 Figure 144 Remote Management FTP 255 Figure 145 SNMP Management Model 256 Figure 146 Remote Management SNMP 258 Figure 147 Remote Management DNS 259 Figure 148 Remote Management ICMP 260 Figure 149...

Страница 27: ...P IP Properties 311 Figure 189 Windows XP Advanced TCP IP Properties 312 Figure 190 Windows XP Internet Protocol TCP IP Properties 313 Figure 191 Macintosh OS X Apple Menu 314 Figure 192 Macintosh OS...

Страница 28: ...on 367 Figure 212 Pop up Blocker 369 Figure 213 Internet Options 370 Figure 214 Internet Options 371 Figure 215 Pop up Blocker Settings 372 Figure 216 Internet Options 373 Figure 217 Security Settings...

Страница 29: ...Wireless LAN Setup Wizard 1 67 Table 17 Wireless LAN Setup Wizard 2 68 Table 18 Manually assign a WPA key 69 Table 19 Manually assign a WEP key 70 Table 20 Internet Setup Wizard Summary 71 Table 21 Me...

Страница 30: ...57 ICMP Commands That Trigger Alerts 150 Table 58 Legal NetBIOS Commands 150 Table 59 Legal SMTP Commands 150 Table 60 Firewall General 162 Table 61 Firewall Rules 164 Table 62 Firewall Edit Rule 166...

Страница 31: ...nt of Bandwidth Example 239 Table 98 Bandwidth Management Priorities 240 Table 99 Media Bandwidth Management Summary 240 Table 100 Bandwidth Management Rule Setup 242 Table 101 Bandwidth Management Ru...

Страница 32: ...e 143 NetBIOS Filter Default Settings 336 Table 144 System Maintenance Logs 339 Table 145 System Error Logs 340 Table 146 Access Control Logs 340 Table 147 TCP Reset Logs 341 Table 148 Packet Filter L...

Страница 33: ...ntions Enter means for you to type one or more characters Select or Choose means for you to use one of the predefined choices Mouse action sequences are denoted using a comma or right angle bracket Fo...

Страница 34: ...ns or suggestions for improvement to techwriters zyxel com tw or send regular mail to The Technical Writing Team ZyXEL Communications Corp 6 Innovation Road II Science Based Industrial Park Hsinchu 30...

Страница 35: ...hone Service Models ending in 3 denote a device that works over ISDN Integrated Services Digital Network Models ending in 7 denote a device that works over T ISDN UR 2 Note Only use firmware for your...

Страница 36: ...assword is required or the ZyXEL Device cannot connect to the ISP you will be redirected to web screen s for information input or troubleshooting Any IP The Any IP feature allows a computer to access...

Страница 37: ...nection terminates after a period of no traffic that you configure and PPPoE Dial on Demand the PPPoE connection is brought up only when an Internet access request is made Network Address Translation...

Страница 38: ...akes your ZyXEL Device a cost effective and viable network solution You can connect up to four computers to the ZyXEL Device without the cost of a hub Use a hub to add more than four computers to your...

Страница 39: ...rence or difficulty with channel assignment when there is a high density of APs within a coverage area In this case you can lower the output power of each access point thus enabling you to place acces...

Страница 40: ...ons 1 3 2 LAN to LAN Application You can use the ZyXEL Device to connect two geographically dispersed networks over the ADSL line A typical LAN to LAN application example is shown as follows Figure 2...

Страница 41: ...f The system is not ready or has malfunctioned ETHERNET Green On The ZyXEL Device has a successful 10Mb Ethernet connection Blinking The ZyXEL Device is sending receiving data Amber On The ZyXEL Devic...

Страница 42: ...DSL to your ZyXEL Device 3 Connect the side labeled Line to the telephone wall jack 1 6 2 Telephone Microfilters Telephone voice transmissions take place in the lower frequency range 0 4KHz while ADSL...

Страница 43: ...P 661H HW Series User s Guide Chapter 1 Getting To Know Your ZyXEL Device 43 Figure 5 Connecting a Microfilter...

Страница 44: ...P 661H HW Series User s Guide 44 Chapter 1 Getting To Know Your ZyXEL Device...

Страница 45: ...Windows XP SP Service Pack 2 JavaScripts enabled by default Java permissions enabled by default See the chapter on troubleshooting if you need to make sure these functions are allowed in Internet Exp...

Страница 46: ...ssword Enter a new password between 1 and 30 characters retype it to confirm and click Apply alternatively click Ignore to proceed to the main menu if you do not want to change the password now Note I...

Страница 47: ...file This means that you will lose all configurations that you had previously and the password will be reset to 1234 2 3 1 Using the Reset Button 1 Make sure the POWER LED is on not blinking 2 Press...

Страница 48: ...ns to limit bandwidth usage by application or packet size Logout Click this icon to exit the web configurator Status Use this screen to look at the ZyXEL Device s general device system and interface s...

Страница 49: ...Device Address Mapping Use this screen to configure network address translation mapping rules Security Firewall General Use this screen to activate deactivate the firewall and the direction of networ...

Страница 50: ...nfigure your ZyXEL Device s settings for Simple Network Management Protocol management DNS Use this screen to configure through which interface s and from which IP address es users can send DNS querie...

Страница 51: ...l screen statistics automatically at the end of every time interval or to not refresh the screen statistics Apply Click this button to refresh the status screen statistics Device Information Host Name...

Страница 52: ...sent date and time System Mode This displays whether the ZyXEL Device is functioning as a router or a bridge CPU Usage This number shows how many kilobytes of the heap memory the ZyXEL Device is using...

Страница 53: ...ltaneous transmissions over the same port Full duplex essentially double the bandwidth For the WAN port it displays the downstream and upstream transmission rate For the WLAN port it displays the tran...

Страница 54: ...dress This field displays the MAC Media Access Control address of the computer with the displayed IP address Every Ethernet device has a unique MAC address The MAC address is assigned at the factory a...

Страница 55: ...unused bandwidth and the orange color represents the percentage of bandwidth in use Figure 14 Status Bandwidth Status Table 7 Status VPN Status LABEL DESCRIPTION No This is the security association in...

Страница 56: ...stem up Time This is the elapsed time the system has been up Current Date Time This field displays your ZyXEL Device s present date and time CPU Usage This field specifies the percentage of CPU utiliz...

Страница 57: ...nd Rx B s This field displays the number of bytes received in the last second Up Time This field displays the elapsed time this port has been up LAN Port Statistics Interface This field displays the t...

Страница 58: ...eneral Password LABEL DESCRIPTION Old Password Type the default password or the existing password you use to access the system in this field New Password Type the new password in this field Retype to...

Страница 59: ...of the web configurator The wizard main screen appears Figure 17 Wizard Main Screen The following table describes the fields in this screen Table 10 Wizard Main Screen LABEL DESCRIPTION INTERNET WIREL...

Страница 60: ...Wait while the device tries to detect your DSL connection and connection type Figure 18 Internet Setup Wizard Connection Test The next screen depends on the results 3 1 1 Automatic Detection The ZyXE...

Страница 61: ...1 2 1 Screen 1 Figure 20 Internet Setup Wizard Manual Configuration Click Back to return to the wizard main screen Click Next to continue to the next screen Click Exit to close the wizard main screen...

Страница 62: ...ox Choices vary depending on what you select in the Mode field If you select Bridge in the Mode field select either PPPoA or RFC 1483 If you select Routing in the Mode field select PPPoA RFC 1483 ENET...

Страница 63: ...appear if you select Static IP Address IP Address Enter the static IP address provided by your ISP Subnet Mask Enter the subnet mask provided by your ISP Gateway IP Address Enter the IP address of the...

Страница 64: ...given Password Enter the password associated with the user name above Service Name Type the name of your PPPoE service here Leave this field blank if your ISP did not provide you a PPPoE service Back...

Страница 65: ...he DSL connection Check your hardware connections Table 15 Internet Setup Wizard ISP Parameters PPPoA LABEL DESCRIPTION User Name Enter the user name exactly as your ISP assigned If assigned a name in...

Страница 66: ...Exit to close the wizard main screen and return to the Status screen or the main window 3 2 Wireless Connection Wizard Setup wireless devices only After you configure the Internet access information...

Страница 67: ...SSID and WPA PSK security settings to wireless clients that support OTIST and are within transmission range You must also activate and start OTIST on the wireless client at the same time The process...

Страница 68: ...PA and OTIST This option is available only when you enable OTIST in the previous wizard screen Select Manually assign a WPA PSK key to configure a Pre Shared Key WPA PSK Choose this option only if you...

Страница 69: ...etup screen to set up a Pre Shared Key Figure 30 Manually assign a WPA key The following table describes the labels in this screen 3 2 2 Manually assign a WEP key Choose Manually assign a WEP key to s...

Страница 70: ...SCRIPTION Key The WEP keys are used to encrypt data Both the ZyXEL Device and the wireless stations must use the same WEP key for data transmission Enter any 5 13 or 29 ASCII characters or 10 26 or 58...

Страница 71: ...you have configured is correct Click Finish to complete and save the wizard setup The following table describes the fields in this screen Table 20 Internet Setup Wizard Summary LABEL DESCRIPTION Retur...

Страница 72: ...sages sent through a computer network to specific groups or individuals Here are some default ports for e mail POP3 port 110 IMAP port 143 SMTP port 25 HTTP port 80 FTP File Transfer Program enables f...

Страница 73: ...e transported over TCP using the default port number 5060 Telnet Telnet is the login and terminal emulation protocol common on the Internet and in UNIX environments It operates over TCP IP networks It...

Страница 74: ...andwidth Management Wizard Configuration Table 22 Bandwidth Management Wizard General Information LABEL DESCRIPTION Active Select the Active check box to have the ZyXEL Device apply bandwidth manageme...

Страница 75: ...much bandwidth as it needs If you select services as having the same priority then bandwidth is divided equally amongst those services Services not specified in bandwidth management are allocated ban...

Страница 76: ...P 661H HW Series User s Guide 76 Chapter 3 Wizards...

Страница 77: ...ess in the ENET ENCAP Gateway field in the second wizard screen You can get this information from your ISP 4 1 1 2 PPP over Ethernet PPPoE Point to Point Protocol over Ethernet provides access control...

Страница 78: ...ver a separate ATM virtual circuit VC based multiplexing Please refer to the RFC for more detailed information 4 1 2 Multiplexing There are two conventions to identify what protocols the virtual circu...

Страница 79: ...dynamic IP For a static IP you must fill in all the IP Address and ENET ENCAP Gateway fields as supplied by your ISP However for a dynamic IP the ZyXEL Device acts as a DHCP client on the WAN port an...

Страница 80: ...ffic redirect route next In the same manner the ZyXEL Device uses the dial backup route if the traffic redirect route also fails If you want the dial backup route to take first priority over the traff...

Страница 81: ...CBR traffic is generally time sensitive doesn t tolerate delay CBR is used for connections that continuously require a specific amount of bandwidth A PCR is specified and if traffic exceeds this rate...

Страница 82: ...transfer 4 4 Zero Configuration Internet Access Once you turn on and connect the ZyXEL Device to a telephone jack it automatically detects the Internet connection settings such as the VCI VPI numbers...

Страница 83: ...your ISP from the drop down list box Choices vary depending on the mode you select in the Mode field If you select Bridge in the Mode field select either PPPoA or RFC 1483 If you select Routing in th...

Страница 84: ...PPPoE PPPoA and ENET ENCAP only Select this if you do not have a dynamic IP address IP Address Enter the static IP address provided by your ISP Subnet Mask ENET ENCAP only Enter the subnet mask provi...

Страница 85: ...mats when receiving RIP 1 is universally supported but RIP 2 carries more information RIP 1 is probably adequate for most networks unless you have an unusual network topology Both RIP 2B and RIP 2M se...

Страница 86: ...not applicable available when you configure the ZyXEL Device to use a static WAN IP address or in bridge mode Select Yes to set the ZyXEL Device to automatically detect the Internet connection setting...

Страница 87: ...e connection Select the check box to enable it Name This is the descriptive name for this connection VPI VCI This is the VPI and VCI values used for this connection Encapsulation This is the method of...

Страница 88: ...Name Enter a unique descriptive name of up to 13 ASCII characters for this connection Mode Select Routing from the drop down list box if your ISP allows multiple computers to share an Internet account...

Страница 89: ...d the ISP assigns you a different one each time you connect to the Internet If you use the encapsulation type except RFC 1483 select Obtain an IP Address Automatically when you have a dynamic IP addre...

Страница 90: ...le 28 More Connections Advanced Setup LABEL DESCRIPTION RIP Multicast Setup RIP Direction Select the RIP direction from None Both In Only and Out Only RIP Version Select the RIP version from RIP 1 RIP...

Страница 91: ...onfigure filters that allow packets from the protected LAN Subnet 1 to the backup gateway Subnet 2 Peak Cell Rate Divide the DSL line rate bps by 424 the size of an ATM cell to find the Peak Cell Rate...

Страница 92: ...eries User s Guide 92 Chapter 4 WAN Setup Figure 44 Traffic Redirect LAN Setup 4 8 Configuring WAN Backup To change your ZyXEL Device s WAN backup settings click WAN WAN Backup Setup The screen appear...

Страница 93: ...s the other WAN backup connection if configured if there is no response Fail Tolerance Type the number of times 2 recommended that your ZyXEL Device may ping the IP addresses configured in the Check W...

Страница 94: ...the cost of transmission A router determines the best route for transmission by choosing a path with the lowest cost RIP routing uses hop count as the measurement of cost with a minimum of 1 for direc...

Страница 95: ...immediate area usually the same building or floor of a building The LAN screens can help you configure a LAN DHCP server and manage IP addresses See Section 5 3 on page 101 to configure the LAN screen...

Страница 96: ...rst is for an ISP to tell a customer the DNS server addresses usually in the form of an information sheet when s he signs up If your ISP gives you the DNS server addresses enter them in the DNS Server...

Страница 97: ...eir instructions in selecting the IP addresses and the subnet mask If the ISP did not explicitly give you an IP network number then most likely you have a single user account and the ISP will assign y...

Страница 98: ...For more information on address assignment please refer to RFC 1597 Address Allocation for Private Internets and RFC 1466 Guidelines for Management of IP Address Space 5 2 2 RIP Setup RIP Routing Inf...

Страница 99: ...ected networks to gather group membership After that the ZyXEL Device periodically updates this information IP multicasting can be enabled disabled on the ZyXEL Device LAN and or WAN interfaces in the...

Страница 100: ...es to access the Internet for the first time through the ZyXEL Device 1 When a computer which is in a different subnet first attempts to access the Internet it sends packets to its default gateway whi...

Страница 101: ...ced Setup button in the LAN IP screen The screen appears as shown Table 30 LAN IP LABEL DESCRIPTION TCP IP IP Address Enter the IP address of your ZyXEL Device in dotted decimal notation for example 1...

Страница 102: ...obably adequate for most networks unless you have an unusual network topology Both RIP 2B and RIP 2M sends the routing data in RIP 2 format the difference being that RIP 2B uses subnet broadcasting wh...

Страница 103: ...to allow NetBIOS packets to pass through to the WAN in order to find a computer on the WAN Allow between LAN and WAN Select this check box to forward NetBIOS packets from the LAN to the WAN and from t...

Страница 104: ...ation to the network The ZyXEL Device is the DHCP server for the network IP Pool Starting Address This field is enabled if the ZyXEL Device is a DHCP Server Enter the first of the contiguous addresses...

Страница 105: ...Address This field displays the IP address relative to the field listed above MAC Address The MAC Media Access Control or Ethernet address on a LAN Local Area Network is unique to your computer six pa...

Страница 106: ...ZyXEL Device itself as the gateway for each LAN network When you use IP alias you can also configure firewall rules to control access between the LAN s logical networks subnets Note Make sure that th...

Страница 107: ...dcast its routing table periodically When set to Both or In Only it will incorporate the RIP information that it receives when set to None it will not send any RIP packets and will ignore any RIP pack...

Страница 108: ...P 661H HW Series User s Guide 108 Chapter 5 LAN Setup...

Страница 109: ...s the part in the blue circle In this wireless network devices A and B use the access point AP to interact with the other devices such as the printer or with the Internet Your ZyXEL Device is the AP E...

Страница 110: ...ally written using twelve hexadecimal characters2 for example 00A0C5000002 or 00 A0 C5 00 00 02 To get the MAC address for each device in the wireless network see the device s User s Guide or other do...

Страница 111: ...etwork has a RADIUS server you can choose WPA or WPA2 If users do not log in to the wireless network you can choose no encryption Static WEP WPA PSK or WPA2 PSK Usually you should set up the strongest...

Страница 112: ...reless network The devices in the wireless network have to support OTIST and they have to be in range of the ZyXEL Device when you activate it See Section 6 5 on page 120 for more details 6 3 Wireless...

Страница 113: ...e configuring the ZyXEL Device from a computer connected to the wireless LAN and you change the ZyXEL Device s SSID or WEP settings you will lose your wireless connection when you press Apply to confi...

Страница 114: ...crypts unicast and multicast communications in a network Both the wireless clients and the access points must use the same WEP key Your ZyXEL Device allows you to configure up to four 64 bit 128 bit o...

Страница 115: ...r a Passphrase up to 32 printable characters and clicking Generate The ZyXEL Device automatically generates a WEP key WEP Key The WEP keys are used to encrypt data Both the ZyXEL Device and the wirele...

Страница 116: ...between the two is that WPA PSK WPA2 PSK uses a simple common password instead of user specific credentials Type a pre shared key from 8 to 63 case sensitive ASCII characters including spaces and sym...

Страница 117: ...management sends a new group key out to all clients The re keying process is the WPA 2 equivalent of automatically changing the WEP key for an AP and all stations in a WLAN on a periodic basis Settin...

Страница 118: ...hanging the WEP key for an AP and all stations in a WLAN on a periodic basis Setting of the Group Key Update Timer is also supported in WPA PSK WPA2 PSK mode The default is 1800 seconds 30 minutes Aut...

Страница 119: ...nter a value between 0 and 2432 If you select the Enable 802 11g mode checkbox this field is grayed out and the ZyXEL Device uses 4096 automatically Fragmentation Threshold It is the maximum data frag...

Страница 120: ...when wireless adapters support it otherwise the ZyXEL Device uses long preamble 802 11 Mode Select 802 11b Only to allow only IEEE 802 11b compliant WLAN devices to associate with the ZyXEL Device Sel...

Страница 121: ...you use the RESET button the default 01234567 or previous saved through the web configurator Setup key is used to encrypt the settings that you want to transfer Hold in the RESET button for one to fiv...

Страница 122: ...tomatically generate a WPA PSK you must Change your security to any security other than WPA PSK in the Wireless LAN General screen Select the Yes checkbox in the OTIST screen and click Start The wirel...

Страница 123: ...s in the wireless network After reviewing the settings click OK Figure 62 Security Key 2 This screen appears while OTIST settings are being transferred It closes when the transfer is complete 3 In the...

Страница 124: ...d to run OTIST again or enter them manually in the wireless client s 5 If you configure OTIST to generate a WPA PSK key this key changes each time you run OTIST Therefore if a new wireless client join...

Страница 125: ...t listed will be allowed to access the ZyXEL Device Select Allow to permit access to the ZyXEL Device MAC addresses not listed will be denied access to the ZyXEL Device Set This is the index number of...

Страница 126: ...a transmission for applications that are sensitive 6 7 2 WMM QoS Priorities The following table describes the priorities that you can apply to traffic that the ZyXEL Device sends to the wireless netwo...

Страница 127: ...be used to find out if a user is logged on FTP TCP 20 21 File Transfer Program a program to enable fast transfer of files including large files that may not be possible by e mail H 323 TCP 1720 NetMee...

Страница 128: ...edia on the Internet SFTP TCP 115 Simple File Transfer Protocol SMTP TCP 25 Simple Mail Transfer Protocol is the message exchange standard for the Internet SMTP enables you to move messages from one e...

Страница 129: ...LAN QoS The following table describes the fields in this screen Table 46 Wireless LAN QoS LABEL DESCRIPTION QoS Enable WMM QoS Select the check box to enable WMM QoS on the ZyXEL Device WMM QoS Polic...

Страница 130: ...the WMM QoS priority for traffic bandwidth Modify Click the Edit icon to open the Application Priority Configuration screen Modify an existing application entry or create a application entry in the A...

Страница 131: ...rotocol HTTP a client server protocol for the World Wide Web The Web is not synonymous with the Internet rather it is just one service on the Internet Other services on the Internet include Internet R...

Страница 132: ...P 661H HW Series User s Guide 132 Chapter 6 Wireless LAN...

Страница 133: ...refers to the IP address of a host when the packet is in the local network while the global address refers to the IP address of the host when the same packet is traveling in the WAN side Note that in...

Страница 134: ...he additional benefit of firewall protection With no servers defined your ZyXEL Device filters out all incoming inquiries thus preventing intruders from probing your network For more information on IP...

Страница 135: ...address to one global IP address Many to One In Many to One mode the ZyXEL Device maps multiple local IP addresses to one global IP address This is equivalent to SUA for instance PAT port address tra...

Страница 136: ...servers using mapping types as outlined in Table 49 on page 136 Choose SUA Only if you have just one public WAN IP address for your ZyXEL Device Choose Full Feature if you have multiple public WAN IP...

Страница 137: ...ervice for example both FTP and web service it might be better to specify a range of port numbers You can allocate a server IP address that corresponds to a port or a range of ports Many residential b...

Страница 138: ...ther information about port numbers Please also refer to the Supporting CD for more examples and details on port forwarding and NAT 7 4 3 Configuring Servers Behind Port Forwarding Example Let s say y...

Страница 139: ...ilable only when you select SUA Only in the NAT General screen If you do not assign a Default Server IP address the ZyXEL Device discards all packets received for ports that are not specified here or...

Страница 140: ...here or in the remote management setup Port Forwarding Service Name Select a service from the drop down list box Server IP Address Enter the IP address of the server for the specified service Add Clic...

Страница 141: ...and 7 become new rules 4 5 and 6 To change your ZyXEL Device s address mapping settings click Network NAT Address Mapping to open the following screen Table 53 Port Forwarding Rule Setup LABEL DESCRI...

Страница 142: ...s is the ending Inside Global IP Address IGA This field is N A for One to one Many to One and Server mapping types Type 1 1 One to one mode maps one local IP address to one global IP address Note that...

Страница 143: ...Many to Many No Overload Many to Many No Overload mode maps each local IP address to unique global IP addresses Server This type allows you to specify inside servers of different services behind the N...

Страница 144: ...Translation NAT Screens Back Click Back to return to the previous screen Apply Click Apply to save your changes back to the ZyXEL Device Cancel Click Cancel to begin configuring this screen afresh Tab...

Страница 145: ...ld never be the only mechanism or method employed For a firewall to guard effectively you must design and deploy it appropriately This requires integrating the firewall into a broad information securi...

Страница 146: ...ewalls restrict access by screening data packets against defined access rules They make access control decisions based on IP address and protocol They also inspect the session data to assure the integ...

Страница 147: ...gured to automatically detect and thwart all known DoS attacks 8 4 1 Basics Computers share information over the Internet using a common language called TCP IP TCP IP in turn is a set of application p...

Страница 148: ...eardrop attack exploits weaknesses in the re assembly of IP packet fragments As data is transmitted through a network IP packets are often broken up into smaller chunks Each fragment looks like the or...

Страница 149: ...hackers flood SYN packets into the network with a spoofed source IP address of the targeted system This makes it appear as if the host computer sent the packets to itself making the system unavailabl...

Страница 150: ...etBIOS commands are the following all others are illegal All SMTP commands are illegal except for those displayed in the following tables Table 57 ICMP Commands That Trigger Alerts 5 REDIRECT 13 TIMES...

Страница 151: ...wed through the router or firewall The ZyXEL Device blocks all IP Spoofing attempts 8 5 Stateful Inspection With stateful inspection fields of the packets are compared to packets that are already know...

Страница 152: ...st entry that is inserted at the beginning of the WAN interface s inbound extended access list This temporary access list entry is designed to permit inbound packets of the same connection as the outb...

Страница 153: ...tion packet originates on the WAN this means that someone is trying to make a connection from the Internet into the LAN Except in a few special cases see Upper Layer Protocols shown next these packets...

Страница 154: ...rnet would normally be rejected In order to achieve this the ZyXEL Device inspects the application level FTP data Specifically it searches for outgoing PORT commands and when it sees these it adds a c...

Страница 155: ...our company Be careful of files e mailed to you from strangers One common way of getting BackOrifice on a system is to include it as a Trojan horse with other files Change your passwords regularly Als...

Страница 156: ...the outbound request for that packet and allowed in Conversely an incoming packet masquerading as a response to a nonexistent outbound request can be blocked The firewall uses session filtering i e s...

Страница 157: ...ackets to which they apply Note The LAN includes both the LAN port and the WLAN By default the ZyXEL Device s stateful packet inspection allows packets traveling in the following directions LAN to LAN...

Страница 158: ...ew Note Study these points carefully before configuring rules 9 3 1 Rule Checklist State the intent of the rule For example This restricts all IRC access from the LAN to the Internet Or This allows a...

Страница 159: ...lect the service from the Service scrolling list box If the service is not listed it is necessary to first define it See Section 9 9 on page 172 for more information on predefined services 9 3 3 3 Sou...

Страница 160: ...ail account that you specify in the Log Settings screen Refer to the chapter on logs for details 9 5 Triangle Route When the firewall is on your ZyXEL Device acts as a secure gateway between your LAN...

Страница 161: ...s allows you to partition your network into logical sections over the same Ethernet interface Your ZyXEL Device supports up to three logical LAN interfaces with the ZyXEL Device being the gateway for...

Страница 162: ...Bypass Triangle Route Select this check box to have the ZyXEL Device firewall permit the use of triangle route topology on the network See the appendix for more on triangle route topology Note Allowin...

Страница 163: ...wall rules Select Drop to silently discard the packets without sending a TCP reset packet or an ICMP destination unreachable message to the sender Select Reject to deny the packets and send a TCP rese...

Страница 164: ...is drop down list box displays the source addresses or ranges of addresses to which this firewall rule applies Please note that a blank source or destination address is equivalent to Any Destination I...

Страница 165: ...pter 9 Firewall Configuration 165 In the Rules screen select an index number and click Add or click a rule s Edit icon to display this screen and refer to the following table for information on the la...

Страница 166: ...the Source or Destination Address box You can add multiple addresses ranges of addresses and or subnets Edit To edit an existing source or destination address select it from the box and click Edit Del...

Страница 167: ...vices The following table describes the labels in this screen Apply Click Apply to save your customized settings and exit this screen Cancel Click Cancel to exit this screen without saving Table 62 Fi...

Страница 168: ...Click Security Firewall Rules 2 Select WAN to LAN in the Packet Direction field Table 64 Firewall Configure Customized Services LABEL DESCRIPTION Service Name Type a unique name for your custom port...

Страница 169: ...ne becomes rule 8 4 Click Add to display the firewall rule configuration screen 5 In the Edit Rule screen click the Edit Customized Services link to open the Customized Service screen 6 Click an index...

Страница 170: ...mple Edit Rule Destination Address 9 Use the Add and Remove buttons between Available Services and Selected Services list boxes to configure it as follows Click Apply when you are done Note Custom ser...

Страница 171: ...rewall Example Edit Rule Select Customized Services On completing the configuration procedure for this Internet firewall rule the Rules screen should look like the following Rule 1 allows a MyService...

Страница 172: ...ries are supported Custom service ports may also be configured using the Edit Customized Services function discussed previously Table 65 Predefined Services SERVICE DESCRIPTION AIM NEW_ICQ TCP 5190 AO...

Страница 173: ...t whether or not a remote host is reachable POP3 TCP 110 Post Office Protocol version 3 lets a client computer get e mail from a POP3 server through a temporary connection TCP IP or other PPTP TCP 172...

Страница 174: ...obing to display the screen as shown Figure 96 Firewall Anti Probing SSDP UDP 1900 Simole Service Discovery Protocol SSDP is a discovery service searching for Universal Plug and Play devices on your h...

Страница 175: ...sable is selected Select LAN to reply to incoming LAN Ping requests Select WAN to reply to incoming WAN Ping requests Otherwise select LAN WAN to reply to both incoming LAN and WAN Ping requests Do No...

Страница 176: ...il the number of existing half open sessions drops below another threshold max incomplete low When the rate of new connection attempts rises above a threshold one minute high the ZyXEL Device starts d...

Страница 177: ...ting half open sessions The ZyXEL Device continues to delete half open sessions as necessary until the rate of new connection attempts drops below this number 80 existing half open sessions One Minute...

Страница 178: ...ting half open sessions with the number of existing half open sessions drops below 80 TCP Maximum Incomplete This is the number of existing half open TCP sessions with the same destination host IP add...

Страница 179: ...web pages based on pre defined web site categories such as pornography gambling etc 10 1 1 TMSS Web Page TMSS is enabled by default on the ZyXEL Device so you should see the following screen after you...

Страница 180: ...Download ActiveX to View TMSS Web Page 2 In the TMSS web page click Service Summary Figure 100 TMSS Web Page Dashboard 3 Click Activate My Services to begin a 3 step process to activate TMSS Figure 1...

Страница 181: ...ration form you will receive an e mail with instructions for validating your e mail address Follow the instructions 7 Download TMSS to each computer behind the ZyXEL Device that you want TMSS to monit...

Страница 182: ...e Trend micro Internet Security TIS 1 package This package contains anti virus software and a license for Parental Control to forbid access to undesirable web site content based on pre defined web sit...

Страница 183: ...ve the ZyXEL Device download the latest scan engine and virus pattern version numbers not the actual software from the Trend Micro web site The ZyXEL Device can then compare version numbers currently...

Страница 184: ...ck Apply to save your customized settings Reset Click Reset to begin configuring this screen afresh Table 68 General TMSS Settings LABEL DESCRIPTION Table 69 TMSS Exception List LABEL DESCRIPTION Exce...

Страница 185: ...tatus This table provides information on all TMSS client computers and the ZyXEL Device itself This field displays the index number of a TMSS client computer or the ZyXEL Device IP Address This field...

Страница 186: ...splays if The ZyXEL Device had no response after an update request There is currently no Trend Micro anti virus installed on the TMSS client The LAN computer is using a UNIX or Macintosh operating sys...

Страница 187: ...ID Web Proxy This is a server that acts as an intermediary between a user and the Internet to provide security administrative control and caching service When a proxy server is located on the WAN it...

Страница 188: ...t promote offer sell supply encourage or otherwise advocate the illegal use cultivation manufacture or distribution of drugs pharmaceuticals intoxicating plants or chemicals and their related parapher...

Страница 189: ...ernet Options and then the Security tab 2 In the Internet Options window click Custom Level Table 72 Parental Controls Statistics LABEL DESCRIPTION Category All Parental Control categories are display...

Страница 190: ...s Figure 112 Internet Options Security 3 Scroll down to ActiveX controls and plug ins 4 Under Download signed ActiveX controls select the Prompt radio button 5 Under Run ActiveX controls and plug ins...

Страница 191: ...P 661H HW Series User s Guide Chapter 10 Trend Micro Security Services 191 Figure 113 Security Setting ActiveX Controls...

Страница 192: ...P 661H HW Series User s Guide 192 Chapter 10 Trend Micro Security Services...

Страница 193: ...n the ZyXEL Device performs content filtering You can also specify trusted IP addresses on the LAN for which the ZyXEL Device will not perform content filtering 11 2 Configuring Keyword Blocking Use t...

Страница 194: ...ist of all the keywords that you have configured the ZyXEL Device to block Delete Highlight a keyword in the box and click Delete to remove it Clear All Click Clear All to remove all of the keywords f...

Страница 195: ...ox to have the content filtering to be active on the selected day Start TIme Enter the start time when you want the content filtering to take effect in hour minute format End Time Enter the end time w...

Страница 196: ...P 661H HW Series User s Guide 196 Chapter 11 Content Filtering...

Страница 197: ...s for secure data communications across a public network like the Internet IPSec is built around a number of standardized cryptographic techniques to provide confidentiality data integrity and authent...

Страница 198: ...lowing VPN applications Linking Two or More Private Networks Together Connect branch offices and business partners over the Internet with significant cost savings and improved performance when compare...

Страница 199: ...implementation algorithms The Encryption Algorithm describes the use of encryption techniques such as DES Data Encryption Standard and Triple DES algorithms The Authentication Algorithms HMAC MD5 RFC...

Страница 200: ...d forward into the IP header to verify the integrity of the entire packet by use of portions of the original IP header in the hashing process 12 3 2 Tunnel Mode Tunnel mode encapsulates the entire IP...

Страница 201: ...T in the middle so it assumes that the data has been maliciously altered IPSec using ESP in Tunnel mode encapsulates the entire original packet including headers in a new IP packet The new IP packet s...

Страница 202: ...P 661H HW Series User s Guide 202 Chapter 12 Introduction to IPSec...

Страница 203: ...integrity authentication sequence integrity replay resistance and non repudiation but not for confidentiality for which the ESP was designed In applications where confidentiality is not required or no...

Страница 204: ...t block of data MD5 default MD5 Message Digest 5 produces a 128 bit digest to authenticate packet data 3DES Triple DES 3DES is a variant of DES which iterates three times with three separate keys 3 x...

Страница 205: ...ed with the remote gateway s new WAN IP address 13 4 1 Dynamic Secure Gateway Address If the remote secure gateway has a dynamic WAN IP address and does not use DDNS enter 0 0 0 0 as the secure gatewa...

Страница 206: ...al Key screen is configured to Subnet Remote Address This is the IP address es of computer s on the remote network behind the remote IPSec router This field displays N A when the Secure Gateway Addres...

Страница 207: ...Device automatically drops the tunnel after two minutes 13 7 VPN NAT and NAT Traversal NAT is incompatible with the AH protocol in both transport and tunnel mode An IPSec VPN using the AH protocol dig...

Страница 208: ...able NAT traversal on both IPSec endpoints Set the NAT router to forward UDP port 500 to IPSec router A Finally NAT is compatible with ESP in tunnel mode because integrity checks are performed over th...

Страница 209: ...ce to distinguish between multiple rules for SAs that connect from remote IPSec routers that have dynamic WAN IP addresses Telecommuters can use separate passwords to simultaneously connect to the ZyX...

Страница 210: ...field is used for identification purposes only and does not need to be a real domain name or e mail address Table 81 Peer ID Type and Content Fields PEER ID TYPE CONTENT IP Type the IP address of the...

Страница 211: ...d because you have to share it with another party before you can communicate with them over a secure connection 13 11 Editing VPN Policies Click an Edit icon in the VPN Setup Screen to edit VPN polici...

Страница 212: ...his check box to activate this VPN policy This option determines whether a VPN rule is applied before a packet leaves the firewall Keep Alive Select either Yes or No from the drop down list box Select...

Страница 213: ...ured remote IP addresses Two active SAs can have the same configured local or remote IP address but not both You can configure multiple SAs between the same local and remote IP addresses as long as on...

Страница 214: ...ind the remote IPSec router Address Information Local ID Type Select IP to identify this ZyXEL Device by its IP address Select DNS to identify this ZyXEL Device by a domain name Select E mail to ident...

Страница 215: ...has a dynamic WAN IP address the Key Management field must be set to IKE In order to have more than one active rule with the Secure Gateway Address field set to 0 0 0 0 the ranges of the local IP addr...

Страница 216: ...n code The DES encryption algorithm uses a 56 bit key Triple DES 3DES is a variation on DES that uses a 168 bit key As a result 3DES is more secure than DES It also requires more processing power resu...

Страница 217: ...d expires The ZyXEL Device also automatically renegotiates the IPSec SA if both IPSec routers have keep alive enabled even if there is no traffic If an IPSec SA times out then the IPSec router must re...

Страница 218: ...is transient The key is thrown away and replaced by a brand new key using a new Diffie Hellman exchange for each new IPSec SA setup With PFS enabled if one key is compromised previous and subsequent k...

Страница 219: ...r select NO to disable it Local Start Port 0 is the default and signifies any port Type a port number from 0 to 65535 Some of the most common IP ports are 21 FTP 53 DNS 23 Telnet 80 HTTP 25 SMTP 110 P...

Страница 220: ...lgorithm Select SHA1 or MD5 from the drop down list box MD5 Message Digest 5 and SHA1 Secure Hash Algorithm are hash algorithms used to authenticate packet data The SHA1 algorithm is generally conside...

Страница 221: ...h Algorithm are hash algorithms used to authenticate packet data The SHA1 algorithm is generally considered stronger than MD5 but is slower Select MD5 for minimal security and SHA1 for maximum securit...

Страница 222: ...Type up to 32 characters to identify this VPN policy You may use any character including spaces but the ZyXEL Device drops trailing spaces IPSec Key Mode Select IKE or Manual from the drop down list b...

Страница 223: ...cal Address Type field is configured to Range enter the end static IP address in a range of computers on the LAN behind your ZyXEL Device When the Local Address Type field is configured to Subnet this...

Страница 224: ...m fields described next Encryption Algorithm Select DES 3DES or NULL from the drop down list box When DES is used for data communications both sender and receiver must know the same secret key which c...

Страница 225: ...in this screen 13 17 Configuring Global Setting To change your ZyXEL Device s global settings click VPN and then Global Setting The screen appears as shown Table 87 VPN SA Monitor LABEL DESCRIPTION No...

Страница 226: ...headquarters HQ in the figure The telecommuters do not have domain names mapped to the WAN IP addresses of their IPSec routers The telecommuters must all use the same IPSec parameters but the local I...

Страница 227: ...ecommuters IPSec routers should not overlap See the following table and figure for an example where three telecommuters each use a different VPN rule for a VPN connection with a ZyXEL Device located a...

Страница 228: ...yXEL Device Rule 1 Local ID Type IP Peer ID Type IP Local ID Content 192 168 2 12 Peer ID Content 192 168 2 12 Local IP Address 192 168 2 12 Secure Gateway Address telecommuter1 com Remote Address 192...

Страница 229: ...Series User s Guide Chapter 13 VPN Screens 229 13 19 VPN and Remote Management If a VPN tunnel uses Telnet FTP WWW then you should configure remote management Remote Management to allow access for tha...

Страница 230: ...P 661H HW Series User s Guide 230 Chapter 13 VPN Screens...

Страница 231: ...eyond For instance the ZyXEL Device knows about network N2 in the following figure through remote node Router 1 However the ZyXEL Device is unable to route a packet to network N3 because it doesn t kn...

Страница 232: ...This is the name that describes or identifies this route Destination This parameter specifies the IP network address of the final destination Routing is always based on network number Gateway This is...

Страница 233: ...on Routing is always based on network number If you need to specify a route to a single host use a subnet mask of 255 255 255 255 in the subnet mask field to force the network number to be identical t...

Страница 234: ...P 661H HW Series User s Guide 234 Chapter 14 Static Route...

Страница 235: ...the bandwidth of traffic that comes into an interface Bandwidth management applies to all traffic flowing out of the router regardless of the traffic s source Traffic redirect or IP alias may cause L...

Страница 236: ...The ZyXEL Device has two types of scheduler fairness based and priority based 15 5 1 Priority based Scheduler With the priority based scheduler the ZyXEL Device forwards traffic from bandwidth classe...

Страница 237: ...udgeted or unused by the classes depending on how many bandwidth classes require more bandwidth and on their priority levels When only one class requires more bandwidth the ZyXEL Device gives extra ba...

Страница 238: ...Unbudgeted Bandwidth The following table shows the priorities of the bandwidth classes and the amount of bandwidth that each class gets Suppose that all of the classes except for the administration c...

Страница 239: ...ted bandwidth even if it takes up all of the interface s available bandwidth This could stop lower priority traffic from being sent The following is an example If you use VoIP and NetMeeting at the sa...

Страница 240: ...ic or video that is especially sensitive to jitter jitter is the variations in delay Mid Typically used for excellent effort or better than best effort and would include important business traffic tha...

Страница 241: ...priority traffic does not get through Note Unless you enable Max Bandwidth Usage the ZyXEL Device only uses up to the amount of bandwidth that you configure here The ZyXEL Device does not use any more...

Страница 242: ...er of an individual bandwidth management rule Active This displays whether the rule is enabled Select this check box to have the ZyXEL Device apply this bandwidth management rule Enable a bandwidth ma...

Страница 243: ...on Active Select this check box to have the ZyXEL Device apply this bandwidth management rule Enable a bandwidth management rule to give traffic that matches the rule priority over traffic that does n...

Страница 244: ...t based network that does not provide a guaranteed quality of service Select H 323 from the drop down list box to configure this bandwidth filter for traffic that uses H 323 Select User defined from t...

Страница 245: ...he bandwidth usage of its bandwidth rules Figure 139 Bandwidth Management Monitor Table 102 Services and Port Numbers SERVICES PORT NUMBER ECHO 7 FTP File Transfer Protocol 21 SMTP Simple Mail Transfe...

Страница 246: ...P 661H HW Series User s Guide 246 Chapter 15 Bandwidth Management...

Страница 247: ...if they don t know your IP address First of all you need to have registered a dynamic DNS account with www dyndns org This is for people with a dynamic IP from their ISP or DHCP server that would sti...

Страница 248: ...me Type the domain name assigned to your ZyXEL Device by your Dynamic DNS provider You can specify up to two host names in the field separated by a comma User Name Type your user name Password Type th...

Страница 249: ...address of the NAT router that has a public IP address Note The DDNS server may not be able to detect the proper IP address if there is an HTTP proxy server between the ZyXEL Device and the DDNS serv...

Страница 250: ...P 661H HW Series User s Guide 250 Chapter 16 Dynamic DNS Setup...

Страница 251: ...via Internet WAN only ALL LAN and WAN LAN only Neither Disable Note When you choose WAN only or LAN WAN you still need to configure a firewall rule to allow access To disable remote management of a s...

Страница 252: ...1 2 Remote Management and NAT When NAT is enabled Use the ZyXEL Device s WAN IP address when configuring from the WAN Use the ZyXEL Device s LAN IP address when configuring from the LAN 17 1 3 System...

Страница 253: ...ay change the server port number for a service if needed however you must use the same port number in order to use that service for remote management Access Status Select the interface s through which...

Страница 254: ...net LABEL DESCRIPTION Port You may change the server port number for a service if needed however you must use the same port number in order to use that service for remote management Access Status Sele...

Страница 255: ...s only available if TCP IP is configured Table 106 Remote Management FTP LABEL DESCRIPTION Port You may change the server port number for a service if needed however you must use the same port number...

Страница 256: ...Information Base MIB is a collection of managed objects SNMP allows a manager and agents to communicate for the purpose of accessing these objects SNMP itself is a simple request response protocol ba...

Страница 257: ...warm start 6a For intentional reboot A trap is sent with the message System reboot by user if reboot is done intentionally for example download new files CI command sys reboot etc 6b For fatal error A...

Страница 258: ...ZyXEL Device using this service Choose Selected to just allow the computer with the IP address that you specify to access the ZyXEL Device using this service SNMP Configuration Get Community Enter th...

Страница 259: ...L Device s security settings click Advanced Remote MGMT ICMP The screen appears as shown Table 110 Remote Management DNS LABEL DESCRIPTION Port You may change the server port number for a service if n...

Страница 260: ...y to incoming WAN Ping requests Otherwise select LAN WAN to reply to both incoming LAN and WAN Ping requests Do not respond to requests for unauthorized services Select this option to prevent hackers...

Страница 261: ...erver IP address or domain name See Table 112 on page 261for detailed descriptions of the commands Figure 149 Enabling TR 069 The following table gives a description of TR 069 commands ras wan tr069 l...

Страница 262: ...e to 1 in order for the ZyXEL Device to send information to CNM Access informInterval sec The duration in seconds of the interval for which the device MUST attempt to connect with CNM Access to send i...

Страница 263: ...How do I know if I m using UPnP UPnP hardware is identified as an icon in the Network Connections folder Windows XP Each UPnP compatible device installed on your network will appear as a separate icon...

Страница 264: ...intention 18 2 UPnP and ZyXEL ZyXEL has achieved UPnP certification from the Universal Plug and Play Forum Creates UPnP Implementers Corp UIC ZyXEL s UPnP implementation supports IGD 1 0 Internet Gat...

Страница 265: ...activate UPnP Be aware that anyone could use a UPnP application to open the web configurator s login screen without entering the ZyXEL Device s IP address although you must still enter the password t...

Страница 266: ...tup Communication 3 In the Communications window select the Universal Plug and Play check box in the Components selection box Figure 152 Add Remove Programs Windows Setup Communication Components 4 Cl...

Страница 267: ...l Panel 2 Double click Network Connections 3 In the Network Connections window click Advanced in the main menu and select Optional Networking Components Figure 153 Network Connections 4 The Windows Op...

Страница 268: ...UPnP in Windows XP Example This section shows you how to use the UPnP feature in Windows XP You must already have UPnP installed in Windows XP and UPnP activated on the ZyXEL Device Make sure the com...

Страница 269: ...ries User s Guide Chapter 18 Universal Plug and Play UPnP 269 Figure 156 Network Connections 3 In the Internet Connection Properties window click Settings to see the port mappings there were automatic...

Страница 270: ...661H HW Series User s Guide 270 Chapter 18 Universal Plug and Play UPnP Figure 157 Internet Connection Properties 4 You may edit or delete the port mappings or click Add to manually add port mappings...

Страница 271: ...ties Advanced Settings Figure 159 Internet Connection Properties Advanced Settings Add 5 When the UPnP enabled device is disconnected from your computer all port mappings will be deleted automatically...

Страница 272: ...tatus Web Configurator Easy Access With UPnP you can access the web based configurator on the ZyXEL Device without finding out the IP address of the ZyXEL Device first This comes helpful if you do not...

Страница 273: ...Plug and Play UPnP 273 Figure 162 Network Connections 4 An icon with the description for each UPnP enabled device displays under Local Network 5 Right click on the icon for your ZyXEL Device and selec...

Страница 274: ...UPnP Figure 163 Network Connections My Network Places 6 Right click on the icon for your ZyXEL Device and select Properties A properties window displays with basic information about the ZyXEL Device...

Страница 275: ...Name In Windows 2000 click Start Settings Control Panel and then double click System Click the Network Identification tab and then the Properties button Note the entry for the Computer name field and...

Страница 276: ...n name Administrator Inactivity Timer Type how many minutes a management session either via the web configurator or CLI Command Line Interpreter can be left idle before the session times out The defau...

Страница 277: ...e ZyXEL Device Old Password Type the default administrator password 1234 or the existing password you use to access the system for configuring advanced features in this field New Password Type your ne...

Страница 278: ...Setup to Manual enter the new date in this field and then click Apply Get from Time Server Select this radio button to have the ZyXEL Device get the time and date from the time server you specified be...

Страница 279: ...zone is one hour ahead of GMT or UTC GMT 1 End Date Configure the day and time when Daylight Saving Time ends if you selected Enable Daylight Saving The o clock field uses the 24 hour format Here are...

Страница 280: ...P 661H HW Series User s Guide 280 Chapter 19 System...

Страница 281: ...warrants more serious attention They include system errors attacks access control and attempted access to blocked web sites Some categories such as System Errors consist of both logs and alerts You m...

Страница 282: ...Log LABEL DESCRIPTION Display The categories that you select in the Log Settings screen display in the drop down list box Select a category of logs to view select All Logs to view logs from all of th...

Страница 283: ...ject line of the log e mail message that the ZyXEL Device sends Not all ZyXEL Device models have this field Send Log To The ZyXEL Device sends logs to the e mail address specified in this field If thi...

Страница 284: ...s are sent Day for Sending Log Use the drop down list box to select which day of the week to send the logs Time for Sending Log Enter the time of the day in 24 hour format for example 23 00 equals 11...

Страница 285: ...inutes After a successful upload the system will reboot Only use firmware for your device s specific model Refer to the label on the bottom of your device Click Maintenance Tools to open the Firmware...

Страница 286: ...g systems you may see the following icon on your desktop Figure 171 Network Temporarily Disconnected After two minutes log in again and check your new firmware version in the Status screen If the uplo...

Страница 287: ...ation Figure 173 Configuration The following table describes the labels in this screen Table 119 Configuration LABEL DESCRIPTION Backup Configuration Backup Click this to save the ZyXEL Device s curre...

Страница 288: ...esktop File Path Enter the location of the file you want to upload or click Browse to find it Browse Click this to find the file you want to upload Upload Click this to restore the selected configurat...

Страница 289: ...or the appendices for details on how to set up your computer s IP address You might have to open a new browser to log in again If the upload was not successful a Configuration Upload Error screen app...

Страница 290: ...P 661H HW Series User s Guide 290 Chapter 21 Tools...

Страница 291: ...Click Maintenance Diagnostic to open the screen shown next Figure 178 Diagnostic General The following table describes the fields in this screen Table 120 Diagnostic General LABEL DESCRIPTION TCP IP...

Страница 292: ...PIs VCIs before you begin this test The ZyXEL Device sends an OAM F5 packet to the DSLAM ATM switch and then returns it loops it back to the ZyXEL Device The ATM loopback test is useful for troublesho...

Страница 293: ...ppropriate power source Make sure that the ZyXEL Device and the power source are both turned on Turn the ZyXEL Device off and on If the error persists you may have a hardware problem In this case you...

Страница 294: ...ntication may be through the user name and password the MAC address or the host name The username and password apply to PPPoE and PPPoA encapsulation only Make sure that you have entered the correct S...

Страница 295: ...configurator Make sure there is not a telnet session running Use the ZyXEL Device s WAN IP address when configuring from the WAN Refer to the instructions on checking your WAN connection Use the ZyXE...

Страница 296: ...P 661H HW Series User s Guide 296 Chapter 23 Troubleshooting...

Страница 297: ...55 255 0 24 bits Default Password 1234 DHCP Pool 192 168 1 33 to 192 168 1 64 Dimensions W x D x H 180 x 128 x 36 mm Power Specification 12V AC 1A Built in Switch Four auto negotiating auto MDI MDI X...

Страница 298: ...ent bridging for unsupported network layer protocols DHCP Server Client Relay RIP I RIP II ICMP ATM QoS SNMP v1 and v2c with MIB II support RFC 1213 IP Multicasting IGMP v1 and v2 IGMP Proxy UPnP Mana...

Страница 299: ...ding 1024 NAT sessions Multimedia application PPTP under NAT SUA IPSec passthrough SIP ALG passthrough VPN passthrough Content Filtering Web page blocking by URL keyword Static Routes 16 IP and 4 Brid...

Страница 300: ...P 661H HW Series User s Guide 300 Appendix A...

Страница 301: ...wnload that includes graphics and text As data rates increase the carrying distance decreases That means that users who are beyond a certain distance from the telephone company s central office may no...

Страница 302: ...eds drop significantly as more users go on line because the line is shared 3 ADSL can be always on connected This means that there is no time wasted dialing up the service several times a day and wait...

Страница 303: ...rs of the holes matches what is listed in the product specifications appendix Note Be careful to avoid damaging pipes or cables located inside the wall when drilling holes for the screws 3 Do not scre...

Страница 304: ...P 661H HW Series User s Guide 304 Appendix C...

Страница 305: ...onents you need to install and use TCP IP on your computer Windows 3 1 requires the purchase of a third party TCP IP application package TCP IP should already be installed on computers using Windows N...

Страница 306: ...you need the adapter 1 In the Network window click Add 2 Select Adapter and then click Add 3 Select the manufacturer and model of your network adapter and then click OK If you need TCP IP 1 In the Net...

Страница 307: ...nd click Properties 2 Click the IP Address tab If your IP address is dynamic select Obtain an IP address automatically If you have a static IP address select Specify an IP address and type your inform...

Страница 308: ...P IP Properties window 6 Click OK to close the Network window Insert the Windows CD if prompted 7 Restart your computer when prompted Verifying Settings 1 Click Start and then Run 2 In the Run window...

Страница 309: ...gure 184 Windows XP Start Menu 2 In the Control Panel double click Network Connections Network and Dial up Connections in Windows 2000 NT Figure 185 Windows XP Control Panel 3 Right click Local Area C...

Страница 310: ...then click Properties Figure 187 Windows XP Local Area Connection Properties 5 The Internet Protocol TCP IP Properties window opens the General tab in Windows XP If you have a dynamic IP address clic...

Страница 311: ...dress type an IP address in IP address and a subnet mask in Subnet mask and then click Add Repeat the above two steps for each IP address you want to add Configure additional default gateways in the I...

Страница 312: ...ows XP Click Obtain DNS server address automatically if you do not know your DNS server IP address es If you know your DNS server IP address es click Use the following DNS server addresses and type th...

Страница 313: ...nnections window Network and Dial up Connections in Windows 2000 NT 11Restart your computer if prompted Verifying Settings 1 Click Start All Programs Accessories and then Command Prompt 2 In the Comma...

Страница 314: ...IP tab 3 For dynamically assigned settings select Using DHCP from the Configure list Figure 192 Macintosh OS X Network 4 For statically assigned settings do the following From the Configure box selec...

Страница 315: ...your Linux distribution and release version Note Make sure you are logged in as the root administrator Using the K Desktop Environment KDE Follow the steps below to configure your computer IP address...

Страница 316: ...he Address Subnet mask and Default Gateway Address fields 3 Click OK to save the changes and close the Ethernet Device General screen 4 If you know your DNS server IP address es click the DNS tab in t...

Страница 317: ...ere eth0 is the name of the Ethernet card Open the configuration file with any plain text editor If you have a dynamic IP address enter dhcp in the BOOTPROTO field The following figure shows an exampl...

Страница 318: ...r TCP IP properties Figure 201 Red Hat 9 0 Checking TCP IP Properties DEVICE eth0 ONBOOT yes BOOTPROTO static IPADDR 192 168 1 10 NETMASK 255 255 255 0 USERCTL no PEERDNS yes TYPE Ethernet nameserver...

Страница 319: ...he first two octets make up the network number and the two remaining octets make up the host ID Class C addresses begin starting from the left with 1 1 0 In a class C address the first three octets ma...

Страница 320: ...e host ID Subnet masks are expressed in dotted decimal notation just as IP addresses are The natural masks for class A B and C IP addresses are as follows Subnetting With subnetting the class arrangem...

Страница 321: ...168 1 0 with subnet mask of 255 255 255 0 The first three octets of the address make up the network number class C You want to have two separate networks Divide the network 192 168 1 0 into two separa...

Страница 322: ...directed broadcast address for the first subnet Therefore the lowest IP address that can be assigned to an actual host for the first subnet is 192 168 1 1 and the highest is 192 168 1 126 Similarly t...

Страница 323: ...Binary 11000000 10101000 00000001 00000000 Subnet Mask Binary 11111111 11111111 11111111 11000000 Subnet Address 192 168 1 0 Lowest Host ID 192 168 1 1 Broadcast Address 192 168 1 63 Highest Host ID...

Страница 324: ...11 11111111 11111111 11000000 Subnet Address 192 168 1 192 Lowest Host ID 192 168 1 193 Broadcast Address 192 168 1 255 Highest Host ID 192 168 1 254 Table 139 Eight Subnets SUBNET SUBNET ADDRESS FIRS...

Страница 325: ...etting The following table is a summary for class B subnet planning Table 141 Class B Subnet Planning NO BORROWED HOST BITS SUBNET MASK NO SUBNETS NO HOSTS PER SUBNET 1 255 255 128 0 17 2 32766 2 255...

Страница 326: ...P 661H HW Series User s Guide 326 Appendix E...

Страница 327: ...unusable Command Syntax The command keywords are in courier new font Enter the command keywords exactly as shown do not abbreviate The required fields in a command are enclosed in angle brackets The...

Страница 328: ...P 661H HW Series User s Guide 328 Appendix F...

Страница 329: ...rules config display firewall set set This command shows the current configuration of a set including timeout values name default permit and etc If you don t put use a number after set information abo...

Страница 330: ...9 This command sets the minute of the hour for the firewall log to be sent via e mail if the ZyXEL Device is set to send it on a hourly daily or weekly basis Attack config edit firewall attack send al...

Страница 331: ...nfig edit firewall set set default permit forward block This command sets whether a packet is dropped or allowed through when it does not meet a rule within the set Config edit firewall set set icmp t...

Страница 332: ...g edit firewall set set rule rule alert yes no This command sets whether or not the ZyXEL Device sends an alert e mail when a DOS attack or a violation of a particular rule occurs config edit firewall...

Страница 333: ...to have the ZyXEL Device check for TCP traffic with a destination port in this range config edit firewall set set rule rule UDP destport single port This command sets a rule to have the ZyXEL Device...

Страница 334: ...P 661H HW Series User s Guide 334 Appendix G...

Страница 335: ...You can configure NetBIOS filters to do the following Allow or disallow the sending of NetBIOS packets from the LAN to the WAN and from the WAN to the LAN Allow or disallow the sending of NetBIOS pack...

Страница 336: ...g calls Disabled type Identify which NetBIOS filter numbered 0 3 to configure 0 Between LAN and WAN 3 IPSec packet pass through 4 Trigger Dial on off For type 0 and 1 use on to enable the filter and b...

Страница 337: ...a manner similar to dial up services using PPP Benefits of PPPoE PPPoE offers the following benefits It provides you with a familiar dial up networking DUN user interface It lessens the burden on the...

Страница 338: ...trator and tunnels the PPP frames to the ISP The L2TP tunnel is capable of carrying multiple PPP sessions With PPPoE the VC Virtual Circuit is equivalent to the dial up connection and is between the m...

Страница 339: ...Successful FTP login Someone has logged on to the router via ftp FTP login failed Someone has failed to log on to the router via ftp NAT Session Table is Full The maximum number of NAT session table e...

Страница 340: ...able 146 Access Control Logs LOG MESSAGE DESCRIPTION Firewall default policy TCP UDP IGMP ESP GRE OSPF Packet Direction Attempted TCP UDP IGMP ESP GRE OSPF access matched the default policy and was bl...

Страница 341: ...UDP idle timeout 3 minutes TCP connection three way handshaking timeout 270 seconds TCP FIN wait timeout 2 MSL Maximum Segment Lifetime set in the TCP header TCP idle established timeout s 150 minute...

Страница 342: ...ly packet to the sender Table 150 CDR Logs LOG MESSAGE DESCRIPTION board d line d channel d call d s C01 Outgoing Call dev x ch x s The router received the setup requirements for a call call is the re...

Страница 343: ...filter server responded that the web site is in the blocked category list but it did not return the category type s s The content filter server responded that the web site is in the blocked category...

Страница 344: ...detected an ICMP echo attack For type and code details see Table 161 on page 351 syn flood TCP The firewall detected a TCP syn flood attack ports scan TCP The firewall detected a TCP port scan attack...

Страница 345: ...uring IKE phase 2 because the router and the peer s Local Remote Addresses don t match Verifying Local ID failed The connection failed during IKE phase 2 because the router and the peer s Local Remote...

Страница 346: ...mote Address This information conflicted with static rule d thus the connection is not allowed Phase 1 ID type mismatch This router s Peer ID Type is different from the peer IPSec router s Local ID Ty...

Страница 347: ...er and the peer Rule d Phase 2 encapsulation mismatch The listed rule s IKE phase 2 encapsulation did not match between the router and the peer Rule d Phase 2 pfs mismatch The listed rule s IKE phase...

Страница 348: ...ject name The router received a certification authority certificate with subject name as recorded from the LDAP server whose IP address and port are recorded in the Source field Rcvd user cert subject...

Страница 349: ...rithm mismatch between the certificate and the search constraints 2 Key usage mismatch between the certificate and the search constraints 3 Certificate was not valid in the time interval 4 Not used 5...

Страница 350: ...red User logout because of user deassociation The router logged out a user who ended the session User logout because of no authentication response from user The router logged out a user from which the...

Страница 351: ...achable 0 Net unreachable 1 Host unreachable 2 Protocol unreachable 3 Port unreachable 4 A packet that needed fragmentation was dropped because it was set to Don t Fragment DF 5 Source route failed 4...

Страница 352: ...system RAS displays as the system name if you haven t configured one when the router generates a syslog The facility is defined in the web MAIN MENU LOGS Log Settings page The severity is the log s s...

Страница 353: ...to record Use 0 to not record logs for that category 1 to record only logs for that category 2 to record only alerts for that category and 3 to record both logs and alerts for that category Not every...

Страница 354: ...05 58 21 172 21 4 154 224 0 1 24 ACCESS BLOCK Firewall default policy IGMP W to W ZW 1 06 08 2004 05 58 20 172 21 3 56 239 255 255 250 ACCESS BLOCK Firewall default policy IGMP W to W ZW 2 06 08 2004...

Страница 355: ...oc network or Independent Basic Service Set IBSS The following diagram shows an example of notebook computers using wireless adapters to form an Ad hoc wireless LAN Figure 206 Peer to Peer Communicati...

Страница 356: ...connection between APs is called a Distribution System DS This type of wireless LAN topology is called an Infrastructure WLAN The Access Points not only provide communication with the wired network bu...

Страница 357: ...lap however To avoid interference due to overlap your AP should be on a channel at least five channels away from a channel that an adjacent AP is using For example if your region has 11 channels and a...

Страница 358: ...sion It also reserves and confirms with the requesting station the time frame for the requested transmission Stations can send frames smaller than the specified RTS CTS directly to the AP without the...

Страница 359: ...rovide more reliable communications in busy wireless networks Select Short preamble if you are sure the wireless adapters support it and to provide more efficient communications Select Dynamic to have...

Страница 360: ...ard was designed to extend the features of IEEE 802 11 to support extended authentication as well as providing additional accounting and control features It is supported by Windows XP and a number of...

Страница 361: ...IUS server Types of RADIUS Messages The following types of RADIUS messages are exchanged between the access point and the RADIUS server for user authentication Access Request Sent by an access point r...

Страница 362: ...ssible to impersonate an authentication server as MD5 authentication method does not perform mutual authentication Finally MD5 authentication method does not support data encryption with dynamic sessi...

Страница 363: ...rformed If this feature is enabled it is not necessary to configure a default encryption key in the Wireless screen You may still configure and store keys here but they will not be used while Dynamic...

Страница 364: ...WPA2 use Advanced Encryption Standard AES in the Counter mode with Cipher block chaining Message authentication code Protocol CCMP to offer stronger encryption than TKIP TKIP uses 128 bit keys that a...

Страница 365: ...ication These two features are optional and may not be supported in all wireless devices Key caching allows a wireless client to store the PMK it derived through a successful authentication with an AP...

Страница 366: ...mple WPA 2 PSK Application Example A WPA 2 PSK application looks as follows 1 First enter identical passwords into the AP and all wireless clients The Pre Shared Key PSK must consist of between 8 and...

Страница 367: ...gure these security features Table 167 Wireless Security Relational Matrix AUTHENTICATION METHOD KEY MANAGEMENT PROTOCOL ENCRYPTION METHOD ENTER MANUAL KEY IEEE 802 1X Open None No Disable Enable with...

Страница 368: ...P 661H HW Series User s Guide 368 Appendix K...

Страница 369: ...king to log into your device Either disable pop up blocking enabled by default in Windows XP SP Service Pack 2 or allow pop up blocking and create an exception for your device s IP address Disable pop...

Страница 370: ...his setting Enable pop up Blockers with Exceptions Alternatively if you only want to allow pop up windows from your device see the following steps 1 In Internet Explorer select Tools Internet Options...

Страница 371: ...71 Figure 214 Internet Options 3 Type the IP address of your device the web page that you do not want to have blocked with the prefix http For example http 192 168 1 1 4 Click Add to move the IP addre...

Страница 372: ...Close to return to the Privacy screen 6 Click Apply to save this setting JavaScripts If pages of the web configurator do not display properly in Internet Explorer check that JavaScripts are allowed 1...

Страница 373: ...et Options 2 Click the Custom Level button 3 Scroll down to Scripting 4 Under Active scripting make sure that Enable is selected the default 5 Under Scripting of Java applets make sure that Enable is...

Страница 374: ...Scripting Java Permissions 1 From Internet Explorer click Tools Internet Options and then the Security tab 2 Click the Custom Level button 3 Scroll down to Microsoft VM 4 Under Java permissions make...

Страница 375: ...de 375 Figure 218 Security Settings Java JAVA Sun 1 From Internet Explorer click Tools Internet Options and then the Advanced tab 2 make sure that Use Java 2 for applet under Java Sun is selected 3 Cl...

Страница 376: ...P 661H HW Series User s Guide 376 Figure 219 Java Sun...

Страница 377: ...er Class Configuration 241 Bandwidth Manager Monitor 245 Bandwidth Manager Summary 240 Basement 6 Basic wireless security 69 Blocking Time 176 Brute force Attack 149 BSS 355 BW Budget 242 C CA 362 Cab...

Страница 378: ...tacks types of 148 DSL Digital Subscriber Line 301 DSL line reinitialize 292 DSLAM Digital Subscriber Line Access Multiplexer 39 Dust 6 Dynamic DNS 37 247 dynamic DNS 37 Dynamic Host Configuration Pro...

Страница 379: ...nsfer Protocol 285 I IANA 98 IANA Internet Assigned Number Authority 167 IBSS 355 ICMP echo 149 ID Type and Content 209 IEEE 802 11g 38 359 IEEE 802 11i 38 IGMP 99 IKE Phases 216 Independent Basic Ser...

Страница 380: ...otocol Encapsulation 78 My IP Address 204 N Nailed Up Connection 79 NAT 97 138 139 Address mapping rule 143 Application 135 Definitions 133 How it works 134 Mapping Types 135 What it does 134 What NAT...

Страница 381: ...o Interference 4 Radio Reception 4 Radio Technician 4 RADIUS 361 Shared Secret Key 362 RADIUS Message Types 361 RADIUS Messages 361 Receiving Antenna 4 Registered 3 Registered Trademark 3 Regular Mail...

Страница 382: ...tain Cell Rate SCR 86 91 Sustained Cell Rate SCR 80 Sweden Contact Information 9 Swimming Pool 6 SYN Flood 148 149 SYN ACK 149 Syntax Conventions 33 Syslog 171 System Name 276 System Timeout 252 T Tam...

Страница 383: ...48 146 154 159 web configurator screen summary 48 Web Site 8 WEP Wired Equivalent Privacy 39 WEP Encryption 116 WEP encryption 114 Wet Basement 6 Wi Fi Multimedia QoS 126 Wi Fi Protected Access 364 W...

Отзывы:

Нет отзывов