ZyXEL Communications P-794M Скачать руководство пользователя страница 72

Страница: 72 / 119

Prestige 794M User’s Guide

Chapter 6 Firewall

Click

Configuration

Firewall

and

Intrusion

Detection

in the navigation panel to display the

screen as shown.

Note:

The

Intrusion Detection

screen is available when you enable the firewall

feature on the Prestige.

Figure 49

Firewall: Intrusion Detection

SYN/FIN/

RST/ACK

Scan

TCP,
No Existing session

And Scan Hosts more

than five.

Source IP

Scan

Yes

Net Bus

Scan

TCP
No Existing session
DstPort = Net Bus

12345,12346, 3456

Source IP

Scan

Yes

Back Orifice

Scan

UDP, DstPort =

Orifice Port (31337)

Source IP

Scan

Yes

SYN Flood

Max TCP Open

Handshaking Count

(Default 100 c/sec)

Yes

ICMP Flood

Max ICMP Count

(Default 100 c/sec)

Yes

ICMP Echo

Max PING Count
(Default 15 c/sec)

Yes

Table 34

IDS: Detectable Attacks (continued)

NAME

PARAMETER

BLACKLIST

TYPE OF BLOCK
DURATION

DROP PACKET LOG

Содержание P-794M

Страница 1: ...Prestige 794M SHDSL 4 Port Internet Security Gateway User s Guide Version 1 00 10 2005 Edition 1...

Страница 2: ...yXEL Communications Corporation All rights reserved Disclaimer ZyXEL does not assume any liability arising out of the application or use of any products or software described herein Neither does it co...

Страница 3: ...accordance with the instructions may cause harmful interference to radio communications If this equipment does cause harmful interference to radio television reception which can be determined by turn...

Страница 4: ...em or stumble over them Do NOT allow anything to rest on the power cord and do NOT locate the product where anyone can walk on the power cord If you wall mount your device make sure that no electrical...

Страница 5: ...he purchaser This warranty is in lieu of all other warranties express or implied including any implied warranty of merchantability or fitness for a particular use or purpose ZyXEL shall in no event be...

Страница 6: ...ark sales zyxel dk 45 39 55 07 07 FINLAND support zyxel fi 358 9 4780 8411 www zyxel fi ZyXEL Communications Oy Malminkaari 10 00700 Helsinki Finland sales zyxel fi 358 9 4780 8448 FRANCE info zyxel f...

Страница 7: ...ort zyxel se 46 31 744 7700 www zyxel se ZyXEL Communications A S Sj porten 4 41764 G teborg Sweden sales zyxel se 46 31 744 7701 UKRAINE support ua zyxel com 380 44 247 69 78 www ua zyxel com ZyXEL U...

Страница 8: ...estige 20 1 2 Features 20 1 3 Applications 22 1 3 1 Internet Access 22 1 3 2 Firewall for Secure Broadband Internet Access 23 1 3 3 VPN Application 23 1 3 4 LAN to LAN Application 23 1 4 Hardware Conn...

Страница 9: ...Defaults 38 3 2 2 IP Address and Subnet Mask 38 3 2 3 RIP 39 3 3 The Ethernet Screen 39 3 4 Ethernet Client Filter 40 3 4 1 Ethernet Client Filter Candidates 41 3 5 Port Setting 42 3 6 DHCP 43 3 6 1 I...

Страница 10: ...n level Firewalls 64 6 2 3 Stateful Inspection Firewalls 65 6 3 General Settings 66 6 4 Packet Filter 67 6 4 1 Add a New TCP UDP Packet Filter 69 6 4 2 Add a New Raw Packet Filter 70 6 5 Intrusion Det...

Страница 11: ...ce 96 8 1 Overview 96 8 1 1 Prioritization 96 8 2 IP Throttling 98 8 3 QoS Example 100 8 3 1 Example Prioritization with QoS 100 8 3 2 Rate Limiting with IP Throttling Example 101 8 4 Time Schedule 10...

Страница 12: ...Prestige 794M User s Guide Table of Contents 12 12 1 2 SNMP 110 12 1 2 1 SNMPv3 111 12 1 2 2 SNMP Traps and MIBs 112 12 2 The Device Management Screen 112 12 3 IGMP 115 Index 116...

Страница 13: ...Prestige 794M User s Guide 13 Table of Contents...

Страница 14: ...Figure 17 Status NAT Session 35 Figure 18 Quick Start 36 Figure 19 Quick Start Auto Scan 37 Figure 20 LAN Ethernet 40 Figure 21 LAN Ethernet Client Filter 41 Figure 22 LAN Ethernet Client Filter Activ...

Страница 15: ...Figure 57 VPN PPTP LAN to LAN Connection 81 Figure 58 IPSec Summary 84 Figure 59 IPSec Create 85 Figure 60 VPN L2TP 87 Figure 61 VPN L2TP Create 88 Figure 62 L2TP Remote Access Connection 88 Figure 6...

Страница 16: ...8 LAN DHCP Server DHCP 45 Table 19 LAN DHCP Server DHCP Fixed Host 46 Table 20 LAN DHCP Server DHCP Relay Agent 47 Table 21 WAN ISP 49 Table 22 WAN ISP Edit PPPoE 50 Table 23 WAN Edit Advanced PPP Opt...

Страница 17: ...48 Remote PPTP VPN Dial In Configuration Example 94 Table 49 Remote PPTP VPN Dial In Configuration Example 95 Table 50 QoS Prioritization 97 Table 51 DSCP Mapping 98 Table 52 QoS Outbound Inbound IP T...

Страница 18: ...com for an online glossary of networking terms and additional support documentation User Guide Feedback Help us help you E mail all User Guide related comments questions or suggestions for improvemen...

Страница 19: ...shorthand for for instance and i e for that is or in other words throughout this manual The Prestige 794M may be referred to as the Prestige in this user s guide Graphics Icons Key Prestige Computer N...

Страница 20: ...lows subscribers to select a speed to fit their needs and budgets The Prestige uses the ITU standard PAM16 Line Code complies with G 991 2 and G 994 1 standards 10 100M Auto negotiating Ethernet Fast...

Страница 21: ...The Prestige is a stateful inspection firewall with DoS Denial of Service protection By default when the firewall is activated all incoming traffic from the WAN to the LAN is blocked unless it is init...

Страница 22: ...SNMP SNMP Simple Network Management Protocol is a protocol used for exchanging management information between network devices SNMP is a member of the TCP IP protocol suite Your Prestige supports SNMP...

Страница 23: ...alerts reports and logs Figure 2 Application Firewall 1 3 3 VPN Application The Prestige s VPN feature makes it an ideal cost effective way to connect branch offices and business partners over the Int...

Страница 24: ...Quick Start screen 1 4 1 Front Panel The following figure shows the front panel LEDs Figure 5 Front Panel LEDs The following table describes the LEDs Table 1 Front Panel LEDs LED COLOR STATUS DESCRIP...

Страница 25: ...r crossover Ethernet cable CONSOLE Only connect this port if you want to configure the Prestige via console port Connect one end of the console cable to the console port of the Prestige and the other...

Страница 26: ...irmware versions 2 2 Accessing the Web Configurator 1 Make sure your Prestige hardware is properly connected and prepare your computer computer network to connect to the Prestige refer to the Quick St...

Страница 27: ...dure To Use The Reset Button 1 Make sure the PWR LED is on before you begin this procedure 2 Press the RESET button for more than six seconds and then release it If the SYS LED begins to blink the def...

Страница 28: ...with your Prestige Software Version This is the firmware version the Prestige is currently using MAC Address This is the MAC Media Access Control or Ethernet address unique to your Prestige Home URL...

Страница 29: ...ield In addition the device puts all ones in the target MAC field FF FF FF FF FF FF is the Ethernet broadcast address The replying device which is either the IP address of the device being sought or t...

Страница 30: ...MAC Address This is the MAC address of the device with corresponding IP address above Interface This is the interface name on the Prestige to which a device is connected Static This shows whether the...

Страница 31: ...teway This field displays the IP address of a gateway that this route uses Cost This field displays the cost or hope count for this route Table 5 Status Routing Table continued LABEL DESCRIPTION Table...

Страница 32: ...connection Local Subnet This field displays the IP address and or subnet mask of the local network behind the Prestige Remote Subnet This field displays the subnet mask of the local network behind the...

Страница 33: ...he screen as shown next Note To display and log firewall events enable firewall event logging in the Firewall Log screen Table 9 Status Email Status LABEL DESCRIPTION Email Account Account Name This f...

Страница 34: ...uration screen If this happens simply check the error message here and try configuring the screen again Click Status and Error Log in the navigation panel to display the screen as shown next Figure 16...

Страница 35: ...is field displays the protocol name such as TCP UDP or ICMP of the NAT session Local IP This field displays the local IP address of the NAT session Port local public This field displays the local to p...

Страница 36: ...e than one computer behind the Prestige to access the Internet Select Disable to allow only one user to access the Internet or if computer s behind the Prestige is provided with a public IP address es...

Страница 37: ...rovided enter the IP addresses of the DSLAM device or a gateway 3 Click Start to begin the scanning process 4 When the auto scan is complete and successful a screen displays Select your option from th...

Страница 38: ...cit DNS server address es read the embedded web configurator help regarding what fields need to be configured 3 2 2 IP Address and Subnet Mask Similar to the way houses on a street share a common stre...

Страница 39: ...estige unless you are instructed to do otherwise 3 2 3 RIP RIP Routing Information Protocol RFC 1058 and RFC 1389 allows a router to exchange routing information with other routers By default the Pres...

Страница 40: ...ed on the IP address that you assign Unless you are implementing subnetting use the subnet mask computed by the Prestige RIP The RIP field controls the format and the broadcasting method of the RIP pa...

Страница 41: ...Filter Active PC in LAN Table 14 LAN Ethernet Client Filter LABEL DESCRIPTION Ethernet Client Filter Select Disable to deactivate this feature This allows any computer to access the network through t...

Страница 42: ...f the Ethernet connection on this port Choices are Auto 10Mfalfduplex 10Mfullduplex 100Mhalfduplex and 100Mfullduplex Selecting Auto auto negotiation allows one port to negotiate with a peer port auto...

Страница 43: ...3 6 2 DNS Servers There are two places where you can configure DNS setup on the Prestige 1 Use the WAN DNS screen to configure the Prestige to use a DNS server to resolve domain names for Prestige sy...

Страница 44: ...een displays as shown next Click Apply Figure 25 LAN DHCP Server Disable 3 6 3 2 DHCP Server Setup To set the Prestige as a DHCP server select DHCP Server and click Next in the DHCP Server screen A sc...

Страница 45: ...contiguous addresses in the IP address pool Ending IP Address This field specifies the last of the contiguous addresses in the IP address pool Default Lease Time Specify the default time in seconds a...

Страница 46: ...rmation back to the computer Reset Click Reset to start configuring this screen again Fixed Host Click Fixed Host to display a screen where you can assign a static LAN IP address to the specified devi...

Страница 47: ...nfiguration screen Figure 28 LAN DHCP Server DHCP Relay Agent The following table describes the labels in this screen Table 20 LAN DHCP Server DHCP Relay Agent LABEL DESCRIPTION DHCP Server IP Address...

Страница 48: ...dged In RFC 1483 Bridged the Prestige sends the packets based on the MAC address information That is the Prestige bridges the packets In RFC 1483 Routed the Prestige sends the packets based on the IP...

Страница 49: ...Please refer to RFC 2364 for more information on PPPoA Refer to RFC 1661 for more information on PPP 4 1 1 4 IPoA With IPoA IP over ATM the Prestige attempts to map the IP subnet onto the ATM network...

Страница 50: ...ys on bandwidth for voice or data traffic Select UBR Unspecified Bit Rate for applications that are non time sensitive such as e mail Select UBRPlus for non real time applications such as e mail Howev...

Страница 51: ...0 to set the Prestige to obtain an IP address and other TCP IP information from the ISP every time Authentication Protocol Select an authentication type your ISP uses Choices are CHAP and PAP Select...

Страница 52: ...ct false to set the route as a default route for all packets Subnet Mask Specify the subnet mask for PPP connection If you enter 0 0 0 0 the Prestige calculates the subnet mask from the IP address obt...

Страница 53: ...Server Enable this feature to set the Prestige to provide DNS server information to a DHCP server Discover Primary Secondary NBNS Enable this feature to set the Prestige to request NBNS NetBIOS Name...

Страница 54: ...restige can get the DNS server addresses in the following ways 1 The ISP tells you the DNS server addresses usually in the form of an information sheet when you sign up If your ISP gives you DNS serve...

Страница 55: ...gs Click Configuration WAN and SHDSL in the navigation panel to display the screen as shown next Figure 35 SHDSL The following table describes the labels in this screen Table 24 DNS LABEL DESCRIPTION...

Страница 56: ...equency Plan and Annex_B_ANFP are automatically selected when the DSL line is in training state These options are not available in CO mode Note For LAN LAN connection make sure the annex type is the s...

Страница 57: ...Prestige 794M User s Guide 57 Chapter 4 WAN...

Страница 58: ...p restore configuration on the Prestige 5 2 Time Zone To change your Prestige s time and date click Configuration System and Time Server in the navigation panel The screen appears as shown Use this sc...

Страница 59: ...Local Time Zone list is to be displayed Select By City to display the list alphabetically based on the cities for each time zone Select By Time Different to display the list in ascending order Local T...

Страница 60: ...upload them 3 Click Upload to begin the upload process A screen displays showing the firmware upgrade progress Note Do NOT turn off the Prestige while firmware upload is in progress Figure 39 System F...

Страница 61: ...omputer Restore configuration allows you to upload a new or previously saved configuration file from your computer to your Prestige Click Browse to find the file you want to upload Click Restore to be...

Страница 62: ...User Account To add a new user account click Create in the User Management screen A screen displays as shown Table 27 System User Management LABEL DESCRIPTION Valid This field indicates whether the ac...

Страница 63: ...e Enter an account username Password Enter a password associated to the username above Confirm Enter the password again for confirmation Valid Select true to activate this account Otherwise select fal...

Страница 64: ...ly you must design and deploy it appropriately This requires integrating the firewall into a broad information security policy In addition specific policies must be implemented within the firewall its...

Страница 65: ...ral part of standard security solutions for enterprises Your Prestige includes a full SPI Stateful Packet Inspection firewall for controlling Internet access from your LAN as well as helping to preven...

Страница 66: ...e Policy The options are applicable when you select Enable in the Security field Select All blocked User defined to block all out going LAN to Internet and incoming packets Internet to LAN based on th...

Страница 67: ...ORT NUMBER FIREWALL HIGH MEDIUM LOW START END INBOUND OUTBOUND INBOUND OUTBOUND INBOUND OUTBOUND HTTP 80 TCP 6 80 80 NO YES NO YES NO YES DNS 53 UDP 17 53 53 NO YES NO YES YES YES DNS 53 TCP 6 53 53 N...

Страница 68: ...ngs screen refer to Section 6 3 on page 66 You can modify or delete the pre configured packet filters Figure 46 Firewall Packet Filter The following table describes the labels in this screen Table 31...

Страница 69: ...ame Source Port This field displays the source port number or port number range Destination Port This field displays the destination port number or port number range Inbound This field displays whethe...

Страница 70: ...UDP Source Port Specify the source port or a range of source port numbers in the fields provided Destination Port Specify the destination port or a range of destination port numbers in the fields prov...

Страница 71: ...d Echo CharGen scan The following table lists the types of attacks that the IDS is able to detect and the actions performed Apply Click Apply to save the settings and return to the main Packet Filter...

Страница 72: ...K Scan TCP No Existing session And Scan Hosts more than five Source IP Scan Yes Yes Net Bus Scan TCP No Existing session DstPort Net Bus 12345 12346 3456 Source IP Scan Yes Yes Back Orifice Scan UDP D...

Страница 73: ...pecify the time period in seconds the Prestige blocks any Smurf attacks when detected Scan Attack Block Duration Specify the time period in seconds the Prestige blocks hosts that attempt a possible Sc...

Страница 74: ...e Select Always Block to apply the filter s at all times Select Block From and specify the time period the Prestige applies the filter s Keywords Filtering Select Enable to set the Prestige to block a...

Страница 75: ...Domains Filtering and click Details to display the screen as shown next Figure 52 Firewall URL Filter Domains Filtering Table 37 Firewall URL Filter Keywords Filtering LABEL DESCRIPTION Create Keywor...

Страница 76: ...this field Type Specify whether to allow access Trusted Domain or deny access Forbidden Domain from the drop down list box Apply Click Apply to add the keyword to the table below Trusted Domain This...

Страница 77: ...Log Select Enable to log intrusion detections Select Disable not to log intrusion detections URL Blocking Log Select Enable to log URL blocking events Select Disable not to log URL blocking events Ta...

Страница 78: ...uite for communication Your Prestige supports three main types of VPN Virtual Private Network PPTP IPSec and L2TP 7 2 PPTP Point to Point Tunneling Protocol PPTP is a network protocol that enables sec...

Страница 79: ...reen to configure the Prestige to set up PPTP connection to a remote VPN device Figure 56 VPN PPTP Remote Access Table 40 VPN PPTP LABEL DESCRIPTION Enable Select this option to activate this VPN rule...

Страница 80: ...HAP Challenge Handshake Authentication Protocol The default is CHAP When you select PAP password is sent unencrypted While CHAP provides better security by encrypting the password before transmission...

Страница 81: ...me Enter a descriptive name for identification purposes Type Select Dial Out if you want your Prestige to operate as a client connecting to a remote VPN device Select Dial In to allow computers to est...

Страница 82: ...ncryption Select Auto to set the Prestige to automatically detect whether the remote VPN device uses data encryption Select Enable to activate data encryption on the Prestige Make sure the remote VPN...

Страница 83: ...originator 7 3 2 ESP Encapsulating Security Payload The ESP protocol RFC 2406 provides encryption as well as the services offered by AH ESP authenticating properties are limited compared to the AH du...

Страница 84: ...by bypassing the Diffie Hellman key exchange 7 3 4 Pre Shared Key A pre shared key identifies a communicating party during a phase 1 IKE negotiation It is called pre shared because you have to share i...

Страница 85: ...s to use the VPN connection Enter a single IP address in the IP Address field Subnet Select Subnet Address to allow more than one computer in the specified subnet to use the VPN connection Enter the I...

Страница 86: ...ceiver must know the same secret key which can be used to encrypt and decrypt the message or to generate and verify a message authentication code The DES encryption algorithm uses a 56 bit key Triple...

Страница 87: ...haracters You must precede a hexadecimal key with a 0x zero x which is not counted as part of the 16 to 62 character range for the key For example in 0x0123456789ABCDEF 0x denotes that the key is hexa...

Страница 88: ...te Access L2TP Connection Use the L2TP Remote Access Connection screen to create an L2TP VPN rule for accessing a remote network Figure 62 L2TP Remote Access Connection Status This field displays whet...

Страница 89: ...ty by encrypting the password before transmission and reauthenticates the VPN client to protect against identity theft Idle Time Specify the time interval in minutes where there is no traffic between...

Страница 90: ...egotiation It is called pre shared because you have to share it with another party before you can communicate with them over a secure connection Type from 8 to 31 case sensitive ASCII characters or fr...

Страница 91: ...ent that initiates the VPN connection For example 192 168 1 10 Username If you select Dial Out in the Type field enter the username provided If you select Dial In in the Type field enter a username to...

Страница 92: ...is a tunnel only with no encryption 3DES and AES are more powerful but increase latency DES stands for Data Encryption Standard it uses 56 bits as an encryption method 3DES stands for Triple Data Encr...

Страница 93: ...ished Remote Host Name This optional field is applicable when you select Dial Out in the Type field above Enter the host name of the remote VPN device The name must match to establish a VPN connection...

Страница 94: ...1 Connection Name Example This name is for identification purposes only 2 Dial in Select this field to allow a remote VPN client to establish a VPN connection to the Prestige Private IP Address Assign...

Страница 95: ...n Name Example This name is for identification purposes only 2 Dial out Select this field to allow a VPN client behind the Prestige to establish a VPN connection to a remote network Server IP Address...

Страница 96: ...to control the different quality and speed of throughput for each application when the system is running with full loading of upstream You can find two items under the QoS section Prioritization and...

Страница 97: ...a protocol type from the drop down list box Choices are any tcp udp icmp and gre Source Port Enter the source port number from which traffic travels Destination Port Enter the destination port number...

Страница 98: ...iffServ Code Point DSCP marking allows the classification of traffic based on the DSCP value Select Disabled to deactivate DSCP marking or select a marking scheme Refer to Table 51 on page 98 for the...

Страница 99: ...from the drop down list box Choices are any tcp udp icmp and gre Source Port Enter the source port number from which traffic travels Destination Port Enter the destination port number to which traffic...

Страница 100: ...screen to prioritize time sensitive applications like VoIP Set a high priority level for VoIP traffic to improve service quality and prevent other applications from using most of the bandwidth In the...

Страница 101: ...72 Rating Limiting with IP Throttling Example 8 4 Time Schedule You can configure time schedule profiles and associate a profile to a Prestige setting This allows the Prestige to automatically disabl...

Страница 102: ...on Time Schedule Edit Table 54 Configuration Time Schedule LABEL DESCRIPTION ID This field displays the index number Name This field displays the descriptive name for identification purposes Day in a...

Страница 103: ...BEL DESCRIPTION ID This read only field displays the index number Name Enter a descriptive name for identification purposes Day Select the day of the week this time schedule is active Start Time Set t...

Страница 104: ...owing figure through remote node router R1 However the Prestige is unable to route a packet to network N3 because it doesn t know that there is a route through the same remote node router R1 via gatew...

Страница 105: ...otation via gateway Enter the IP address of the gateway The gateway is a router or switch on the same network segment as the device s LAN or WAN port The gateway helps forward packets to their destina...

Страница 106: ...time you reconnect Your friends or relatives will always be able to call you even if they don t know your IP address First of all you need to have registered a dynamic DNS account with www dyndns org...

Страница 107: ...u want to be able to use for example www yourhost dyndns org and still reach your hostname Domain Name Enter the domain name your registered with the DDNS service provider you selected above Username...

Страница 108: ...the screen as shown next Figure 78 Advanced Check Emails The following table describes the labels in this screen Table 58 Advanced Check Emails LABEL DESCRIPTION Check Email Select Enable to activate...

Страница 109: ...omatically set up the SHDSL line to connect to the mail server when the line is down Select the check box to enable automatic line set up Note Enabling this feature may add to your Internet access cos...

Страница 110: ...ve a network smoothly and automatically when it is no longer in use 12 1 1 1 How do I know if I m using UPnP UPnP hardware is identified as an icon in the Network Connections folder Windows XP Each UP...

Страница 111: ...and agents to communicate for the purpose of accessing these objects SNMP itself is a simple request response protocol based on the manager agent model The manager issues a request and the agent retu...

Страница 112: ...ATTRIBUTE RFC 1213 MIB II System group Interfaces group Address Translation group IP group ICMP group TCP group UDP group EGP not applicable Transmission SNMP group RFC1650 EtherLike MIB dot3Stats RFC...

Страница 113: ...ter a number Note Make sure the port number is not already used by another service If you change the port number you need to append the port number to the WAN or LAN port IP address to access the web...

Страница 114: ...ation The default is public and allows all requests Enter the IP address of the computer you want to allow to view the device information in the IP Address field Otherwise lease this field to 0 0 0 0...

Страница 115: ...ulticast groups that it has learned from IGMP snooping or that you have manually configured to ports that are members of that group The Prestige discards multicast traffic destined for multicast group...

Страница 116: ...nt filtering 21 Copyright 2 Corrosive Liquids 4 Covers 4 Customer Support 6 D Dampness 4 Danger 4 Daylight saving 59 DDNS 21 106 Denmark Contact Information 6 Device management 110 DHCP 38 43 106 Disa...

Страница 117: ...interface 20 Internet access setup Auto scan 37 Quick start 35 Internet Protocol Security IPSec 83 Intrusion detection 71 Intrusion Detection System IDS 71 IP Address 38 40 IP Pool Setup 43 IP throttl...

Страница 118: ...TP status 31 Pre Shared Key 84 87 Prioritization 96 Example with QoS 100 PVC Permanent Virtual Circuit 49 Q QoS Example 100 QoS Quality of Service 96 Qualified Service Personnel 4 Quick start for Inte...

Страница 119: ...U Universal Plug and Play 110 Universal Plug and Play UPnP 21 UPnP 21 110 URL Uniform Resource Locator 73 URL filter 73 User management 62 V Vendor 4 Ventilation Slots 4 Virtual Private Network VPN 2...

Результаты поиска

Содержание P-794M

Отзывы:

Похожие инструкции для P-794M

Бренды по названию

Популярные бренды

ZyXEL Communications P-794M, Руководство пользователя

Результаты поиска

Содержание P-794M

Отзывы:

Похожие инструкции для P-794M

Бренды по названию

Популярные бренды