ZyXEL Communications ZyWALL 10/10 Скачать руководство пользователя страница 188 | Manualshive

Страница: 188 / 342

ZyXEL Communications ZyWALL 10/10 Скачать руководство пользователя страница 188

ZyWALL 10/10 II/50 Internet Security Gateway

18-2

Filter

Configuration

Figure 18-1 Outgoing Packet Filtering Process

For incoming packets, your ZyWALL applies data filters only. Packets are processed depending upon
whether a match is found. The following sections describe how to configure filter sets.

18.1.1 The Filter Structure of the ZyWALL

A filter set consists of one or more filter rules. Usually, you would group related rules, e.g., all the rules for
NetBIOS, into a single set and give it a descriptive name. The ZyWALL allows you to configure up to
twelve filter sets with six rules in each set, for a total of 72 filter rules in the system. You cannot mix device
filter rules and protocol filter rules within the same set. You can apply up to four filter sets to a particular
port to block multiple types of packets. With each filter set having up to six rules, you can have a
maximum of 24 rules active for a single port.

Sets of factory default filter rules have been configured in menu 21 to prevent NetBIOS traffic from
triggering calls and to prevent incoming telnetting. A summary of their filter rules is shown in the figures
that follow.

The following figure illustrates the logic flow when executing a filter rule. See also

for the

logic flow when executing an IP filter.

Data

Outgoing

Packet

Drop

packet

Built-in
default

Call Filters

User-defined

Call Filters

(if applicable)

Initiate call

if line not up

Active Data

Send packet

and reset

Idle Timer

Or

Or

Drop packet
if line not up

Drop packet
if line not up

Send packet

but do not reset

Idle Timer

Send packet

but do not reset

Idle Timer

Match

Match

Match

No

match

No

match

No

match

Call Filtering

«
...
186
187
188
189
190
...
»

Содержание ZyWALL 10/10

Страница 1: ...ZyWALL 10 10 II 50 Internet Security Gateway User s Guide Version 3 50 June 2002...

Страница 2: ...shed by ZyXEL Communications Corporation All rights reserved Disclaimer ZyXEL does not assume any liability arising out of the application or use of any products or software described herein Neither d...

Страница 3: ...uses and can radiate radio frequency energy and if not installed and used in accordance with the instructions may cause harmful interference to radio communications If this equipment does cause harmf...

Страница 4: ...re that compliance with the above conditions may not prevent degradation of service in some situations Repairs to certified equipment should be made by an authorized Canadian maintenance facility desi...

Страница 5: ...ehold appliances and similar electrical equipment Harmonics 1995 EN 61000 3 3 Disturbance in supply system caused by household appliances and similar electrical equipment Voltage fluctuations 1995 EN...

Страница 6: ...working conditions Note Repair or replacement as provided under this warranty is the exclusive remedy of the purchaser This warranty is in lieu of all other warranties express or implied including an...

Страница 7: ...Communications Corp 6 Innovation Road II Science Based Industrial Park Hsinchu 300 Taiwan support zyxel com 1 714 632 0882 800 255 4101 www zyxel com NORTH AMERICA sales zyxel com 1 714 632 0858 ftp z...

Страница 8: ...agrams xxvii Preface xxix GETTING STARTED I Chapter 1 Getting to Know Your ZyWALL 1 1 1 1 The ZyWALL 10 10 II 50 Internet Security Gateway 1 1 1 2 Features 1 1 1 3 Applications 1 4 1 3 1 Secure Broadb...

Страница 9: ...Resetting the ZyWALL 3 8 3 4 1 Methods of Restoring Factory Defaults 3 8 3 4 2 Procedure To Use The Reset Button 3 9 Chapter 4 General And WAN Setup 4 1 4 1 System Name 4 1 4 2 Dynamic DNS 4 1 4 2 1...

Страница 10: ...CED APPLICATIONS II Chapter 7 Remote Node Setup 7 1 7 1 Remote Node Profile 7 1 7 1 1 Ethernet Encapsulation 7 1 7 1 3 PPTP Encapsulation 7 5 7 2 Editing TCP IP Options with Ethernet Encapsulation 7 7...

Страница 11: ...7 9 5 3 Example 3 Multiple Public IP Addresses With Inside Servers 9 18 9 5 4 Example 4 NAT Unfriendly Application Programs 9 22 FIREWALLAND CONTENT FILTERS III Chapter 10 Firewalls 10 1 10 1 What Is...

Страница 12: ...ement and the Firewall 11 1 11 2 Access Methods 11 1 11 3 Using ZyWALL SMT Menus 11 1 11 3 1 Activating the Firewall 11 1 11 3 2 Viewing the Firewall Log 11 2 Chapter 12 Using the ZyWALL Web Configura...

Страница 13: ...ut 13 13 13 6 1 Factors Influencing Choices for Timeout Values 13 13 Chapter 14 Custom Ports 14 1 14 1 Introduction 14 1 14 2 Creating Editing A Custom Port 14 3 Chapter 15 Logs 15 1 15 1 Log Screen 1...

Страница 14: ...LL 18 2 18 2 Configuring a Filter Set 18 4 18 2 1 Filter Rules Summary Menu 18 6 18 2 2 Configuring a Filter Rule 18 7 18 2 3 TCP IP Filter Rule 18 7 18 2 4 Generic Filter Rule 18 12 18 3 Example Filt...

Страница 15: ...nventions 21 1 21 2 Backup Configuration 21 2 21 2 1 Backup Configuration 21 2 21 2 2 Using the FTP Command from the Command Line 21 3 21 2 3 Example of FTP Commands from the Command Line 21 3 21 2 4...

Страница 16: ...em Firmware Upload Using HyperTerminal 21 15 21 4 10 Uploading a Configuration File Via Console Port 21 16 21 4 11 Example Xmodem Configuration Upload Using HyperTerminal 21 16 Chapter 22 System Maint...

Страница 17: ...PSec Architecture 25 3 25 2 1 IPSec Algorithms 25 4 25 2 2 Key Management 25 4 25 3 Encapsulation 25 5 25 3 1 Transport Mode 25 5 25 3 2 Tunnel Mode 25 5 25 4 IPSec and NAT 25 5 Chapter 26 VPN IPSec S...

Страница 18: ...n 27 1 27 1 Using SA Monitor 27 1 Chapter 28 IPSec Log 28 1 28 1 VPN Initiator IPSec Log 28 1 28 2 VPN Responder IPSec Log 28 2 TROUBLESHOOTING APPENDICES AND INDEX VI Chapter 29 Troubleshooting 29 1...

Страница 19: ...ay Table of Contents xix Appendix E Important Safety Instructions I Appendix F Boot Commands J Appendix G Command Interpreter L Appendix H Firewall Commands M Appendix I NetBIOS Filter Commands S Appe...

Страница 20: ...d Advanced Applications SMT Menus 3 5 Figure 3 5 Advanced Management SMT Menus 3 6 Figure 3 6 IPSec VPN Configuration SMT Menus 3 7 Figure 3 7 Menu 23 System Password 3 7 Figure 4 1 Menu 1 General Set...

Страница 21: ...1 Figure 8 2 Menu 12 IP Static Route Setup 8 2 Figure 8 3 Menu 12 1 Edit IP Static Route 8 2 Figure 9 1 How NAT Works 9 3 Figure 9 2 NAT Application With IP Alias 9 4 Figure 9 3 Menu 4 Applying NAT f...

Страница 22: ...10 5 Figure 10 4 Smurf Attack 10 6 Figure 10 5 Stateful Inspection 10 8 Figure 11 1 Menu 21 Filter and Firewall Setup 11 1 Figure 11 2 Menu 21 2 Firewall Setup 11 2 Figure 11 3 Example Firewall Log 11...

Страница 23: ...et to Local Network Rule Summary 16 11 Figure 16 11 Custom Port for Syslog 16 12 Figure 16 12 Syslog Rule Configuration 16 13 Figure 16 13 Example 3 Rule Summary 16 14 Figure 18 1 Outgoing Packet Filt...

Страница 24: ...UNIX Syslog 20 7 Figure 20 9 Call Triggering Packet Example 20 11 Figure 20 10 Menu 24 4 System Maintenance Diagnostic 20 12 Figure 20 11 WAN LAN DHCP 20 13 Figure 21 1 Telnet into Menu 24 5 21 3 Figu...

Страница 25: ...Menu 24 System Maintenance 22 5 Figure 22 7 Menu 24 10 System Maintenance Time and Date Setting 22 5 Figure 23 1 Telnet Configuration on a TCP IP Network 23 1 Figure 23 2 Menu 24 11 Remote Management...

Страница 26: ...1 IPSec Summary 26 6 Figure 26 7 Menu 27 1 1 IPSec Setup 26 9 Figure 26 8 Two Phases to set up the IPSec SA 26 13 Figure 26 9 Menu 27 1 1 1 IKE Setup 26 15 Figure 26 10 Menu 27 1 1 2 Manual Setup 26 1...

Страница 27: ...p Menu Fields 5 7 Table 5 5 IP Alias Setup Menu Fields 5 8 Table 6 1 Internet Access Setup Menu Fields 6 1 Table 6 2 New Fields in Menu 4 PPTP screen 6 3 Table 6 3 New Fields in Menu 4 PPPoE screen 6...

Страница 28: ...Table 13 2 Predefined Services 13 7 Table 13 3 Creating Editing A Firewall Rule 13 10 Table 13 4 Adding Editing Source and Destination Addresses 13 13 Table 13 5 Timeout Menu 13 15 Table 14 1 Custom...

Страница 29: ...able 26 1 AH and ESP 26 3 Table 26 2 Telecommuter and Headquarters Configuration Example 26 4 Table 26 3 Menu 27 1 IPSec Summary 26 6 Table 26 4 Menu 27 1 1 IPSec Setup 26 9 Table 26 5 Menu 27 1 1 1 I...

Страница 30: ...ZYWALL 10 10 II 50 Internet Security Gateway xxx List of Tables Table 29 6 Troubleshooting Remote Management 29 3...

Страница 31: ...ll NAT and VPN A Diagram 2 Single PC per Modem Hardware Configuration C Diagram 3 ZyWALL as a PPPoE Client D Diagram 4 Transport PPP frames over Ethernet E Diagram 5 PPTP Protocol Overview F Diagram 6...

Страница 32: ......

Страница 33: ...n all platform web based utility that allows you to easily access the ZyWALLs management settings and configure the firewall Use the Help icon in the web configurator for explanations of the fields Mo...

Страница 34: ...for you to select one from the predefined choices The SMT menu titles and labels are in Bold Times New Roman font The choices of a menu item are in Bold Arial font A single keystroke is in Arial font...

Страница 35: ...Getting Started I Part I Getting Started This part is structured as a step by step guide to help you connect install and setup your ZyWALL to operate on your network and access the Internet...

Страница 36: ......

Страница 37: ...II 50 Auto negotiating 10 100Mbps Ethernet LAN This auto negotiation feature allows the ZyWALL to detect the speed of incoming transmissions and adjust appropriately without manual intervention It all...

Страница 38: ...ual private networking over public networks such as the Internet The ZyWALL supports one PPTP server connection at any given time Dynamic DNS Support With Dynamic DNS support you can have a static hos...

Страница 39: ...9X Windows NT and other systems that support the DHCP client The ZyWALL can now also act as a surrogate DHCP server DHCP Relay where it relays IP address assignment from the actual real DHCP server t...

Страница 40: ...to the ZyWALL 10 10 II 50 for broadband Internet access via Ethernet port on the modem It provides not only high speed Internet access but secured internal network protection and management as well F...

Страница 41: ...tting to Know Your ZyWALL 1 5 1 3 2 VPN Application ZyWALL VPN is an ideal cost effective way to connect branch offices and business partners over the Internet without the need and expense for leased...

Страница 42: ......

Страница 43: ...and Back Panel Ports 2 1 1 Front Panel LEDs The LEDs on the front panel indicate the operational status of the ZyWALL Figure 2 1 Front Panel The following table describes LED functions Table 2 1 LED D...

Страница 44: ...onnected to a 100Mbps LAN 100M LAN LAN Orange Flashing The 100M LAN is sending receiving packets Off The 10M WAN is not connected On The ZyWALL is connected to a 10M WAN 10M WAN WAN Green Flashing The...

Страница 45: ...ZyWALL 10 10 II 50 Internet Security Gateway Hardware Installation 2 3 Figure 2 2 ZyWALL 10 Rear Panel and Connections...

Страница 46: ...axial cable connector on the back of the cable modem Connect an xDSL modem to the xDSL wall jack See also the Appendices for important safety instructions when making connections to the ZyWALL Step 1...

Страница 47: ...L modem Step 3 Connecting the ZyWALL to the LAN For a single computer connect the 10 100M LAN port on the ZyWALL to the Network Adapter on the computer using a straight through Ethernet cable and push...

Страница 48: ...Interface Card installed 2 A computer equipped with communications software configured to the following parameters VT100 terminal emulation 9600 Baud No parity 8 data bits 1 stop bit flow control set...

Страница 49: ...rn on your ZyWALL it performs several internal tests as well as line initialization After the tests the ZyWALL asks you to press ENTER to continue as shown next Figure 3 1 Initial Screen 3 1 2 Enterin...

Страница 50: ...the hidden menu Move the cursor ENTER or UP DOWN arrow keys Within a menu press ENTER to move to the next field You can also use the UP DOWN arrow keys to move to the previous and the next field respe...

Страница 51: ...ote Node Setup Use this menu to configure detailed remote node settings your ISP is also a remote node as well as apply WAN filters 12 Static Routing Setup Configure IP static routes in this menu 15 N...

Страница 52: ...password in this menu recommended 24 System Maintenance From displaying system status to uploading firmware this menu provides comprehensive system maintenance 26 Schedule Setup Use this menu to sched...

Страница 53: ...ZyWALL 10 10 II 50 Internet Security Gateway Initial Setup 3 5 3 2 3 SMT Menus at a Glance Figure 3 4 Getting Started and Advanced Applications SMT Menus...

Страница 54: ...ZyWALL 10 10 II 50 Internet Security Gateway 3 6 Initial Setup Figure 3 5 Advanced Management SMT Menus...

Страница 55: ...fault system password by following the steps shown next Step 1 Enter 23 in the main menu to open Menu 23 System Password as shown below Figure 3 7 Menu 23 System Password Step 2 Type in your existing...

Страница 56: ...When you turn on the ZyWALL again you will see the initial screen When you see the message Press any key to enter Debug Mode within 3 seconds press any key to enter debug mode To upload the configura...

Страница 57: ...begins to blink the defaults have been restored and the ZyWALL restarts Otherwise go to step 2 2 Turn the ZyWALL off 3 While pressing the RESET button turn the ZyWALL on 4 Continue to hold the RESET b...

Страница 58: ......

Страница 59: ...eld and enter it as the ZyWALL System Name In Windows XP click start My Computer View system information and then click the Computer Name tab Note the entry in the Full computer name field and enter i...

Страница 60: ...ature for your host causes yourhost dyndns org to be aliased to the same IP address as yourhost dyndns org This feature is useful if you want to be able to use for example www yourhost dyndns org and...

Страница 61: ...hen you have completed this menu press ENTER at the prompt Press ENTER to Confirm to save your configuration or press ESC at any time to cancel 4 3 1 Configuring Dynamic DNS To configure Dynamic DNS g...

Страница 62: ...lt Host Enter the domain name assigned to your ZyWALL by your Dynamic DNS provider me dyndns org EMAIL Enter your e mail address mail mailserver USER Enter your user name Password Enter the password a...

Страница 63: ...file ZyNOS configuration file It will not change unless you change the setting in menu 2 or upload a different rom file The following table contains instructions on how to configure your WAN setup Tab...

Страница 64: ...s This field is applicable only if you choose the IP Address attached on LAN method Enter the IP address of the computer on the LAN whose MAC you are cloning N A When you have completed this menu pres...

Страница 65: ...he LAN traffic however the filter sets may be useful to block certain packets reduce traffic and prevent security breaches Menu 3 2 is discussed in the next chapter Please read on Figure 5 2 Menu 3 1...

Страница 66: ...1 33 to 192 168 1 64 This configuration leaves 31 IP addresses excluding the ZyWALL itself in the lower range for other server machines e g server for mail FTP Telnet web etc that you may have DNS Se...

Страница 67: ...have decided on the network number pick an IP address that is easy to remember e g 192 168 1 1 for your ZyWALL but make sure that no other device on your network is using that IP The subnet mask spec...

Страница 68: ...ticasting then all routers on your network must use multicasting also By default RIP Direction is set to Both and the Version set to RIP 1 5 3 6 IP Multicast Traditionally IP packets are transmitted i...

Страница 69: ...gure 5 3 Physical Network Figure 5 4 Partitioned Logical Networks Use menu 3 2 1 to configure IP Alias on your ZyWALL 5 4 TCP IP and DHCP Ethernet Setup Menu From the main menu enter 3 to open Menu 3...

Страница 70: ...rting Address This field specifies the first of the contiguous addresses in the IP address pool 192 168 1 33 Size of Client IP Pool This field specifies the size or count of the IP address pool 32 Pri...

Страница 71: ...Both default Version Press SPACE BAR to select the RIP version Options are RIP 1 RIP 2B or RIP 2M RIP 1 default Multicast IGMP Internet Group Multicast Protocol is a session layer protocol used to est...

Страница 72: ...y Out Only or None None Version Press SPACE BAR to select the RIP version Options are RIP 1 RIP 2B or RIP 2M RIP 1 Incoming Protocol Filters Enter the filter set s you wish to apply to the incoming tr...

Страница 73: ...using PPPoE If you choose Ethernet in menu 4 you will see the next screen Figure 6 1 Menu 4 Internet Access Setup Ethernet The following table describes this screen Table 6 1 Internet Access Setup Me...

Страница 74: ...address IP Address Assignment If your ISP did not assign you a fixed IP address select Dynamic otherwise select Static and enter the IP address subnet mask in the following fields IP Address Enter the...

Страница 75: ...in menu 4 Table 6 2 New Fields in Menu 4 PPTP screen FIELD DESCRIPTION EXAMPLE Encapsulation Press SPACE BAR and then press ENTER to choose PPTP The encapsulation method influences your choices for IP...

Страница 76: ...rectly on the ZyWALL 10 10 II 50 rather than individual computer s the computers on the LAN do not need PPPoE software installed since the ZyWALL does that part of the task Furthermore with NAT all of...

Страница 77: ...installed and set up your ZyWALL to operate on your network as well as access the Internet When the firewall is activated the default policy allows all communications to the Internet that originate f...

Страница 78: ......

Страница 79: ...Advanced Applications II Part II Advanced Applications This part covers Remote Node Setup IP Static Route Setup and Network Address Translation...

Страница 80: ......

Страница 81: ...ally configuring a remote node We will show you how to configure Menu 11 1 Remote Node Profile Menu 11 3 Remote Node Network Layer Options and Menu 11 5 Remote Node Filter 7 1 Remote Node Profile From...

Страница 82: ...tion Ethernet Service Type Press SPACE BAR to select from Standard RR Toshiba RoadRunner Toshiba authentication method or RR Manager RoadRunner Manager authentication method Choose one of the RoadRunn...

Страница 83: ...the only option for the ZyWALL 10 10 II 50 IP Edit IP This field leads to a hidden menu Press SPACE BAR to select Yes and press ENTER to go to Menu 11 3 Remote Node Network Layer Options Yes Session O...

Страница 84: ...ine where the connection is always up regardless of traffic demand The ZyWALL does two things when you specify a nailed up connection The first is that idle timeout is disabled The second is that the...

Страница 85: ...ode for a maximum of 10 minutes every hour then the Allocated Budget is 10 minutes and the Period hr is 1 hour 1 Schedules You can apply up to four schedule sets here For more details please refer to...

Страница 86: ...name in the ANT It must follow the c id and n name format This field is optional and depends on the requirements of your xDSL Modem n My ISP Schedules You can apply up to four schedule sets here For m...

Страница 87: ...enter the IP address subnet mask in the following fields Dynamic IP Address If you have a Static IP Assignment enter the IP address assigned to you by your ISP IP Subnet Mask If you have a Static IP...

Страница 88: ...select the RIP direction from Both None In Only Out Only Please see the RIP Setup section for more information on RIP The default for RIP on the WAN side is None It is recommended that you do not cha...

Страница 89: ...d to the remote node 255 255 255 0 My WAN Addr Some implementations especially the UNIX derivatives require the WAN link to have a separate IP network number from the LAN and each end must have a uniq...

Страница 90: ...CE BAR to select the RIP version from RIP 1 RIP 2B RIP 2M RIP 1 Multicast IGMP Internet Group Multicast Protocol is a session layer protocol used to establish membership in a Multicast group The ZyWAL...

Страница 91: ...r to the Filters chapter For PPPoE or PPTP encapsulation you can also specify remote node call filter sets Figure 7 6 Menu 11 5 Remote Node Filter Ethernet Encapsulation Figure 7 7 Menu 11 5 Remote No...

Страница 92: ......

Страница 93: ...remote node specifies only the network to which the gateway is directly connected and the ZyWALL has no knowledge of the networks beyond For instance the ZyWALL knows about network N2 in the following...

Страница 94: ...c Route Setup Now enter the index number of one of the static routes you want to configure Figure 8 3 Menu 12 1 Edit IP Static Route Menu 12 IP Static Route Setup 1 ________ 2 ________ 3 ________ 4 __...

Страница 95: ...ss of the gateway The gateway is an immediate neighbor of your ZyWALL that will forward the packet to the destination On the LAN the gateway must be a router on the same segment as your ZyWALL over th...

Страница 96: ......

Страница 97: ...e packet traverses a router e g the local address refers to the IP address of a host when the packet is in the local network while the global address refers to the IP address of the host when the same...

Страница 98: ...One and Many to Many Overload mapping see Table 9 2 NAT offers the additional benefit of firewall protection If no server is defined in these cases all incoming inquiries will be filtered out by your...

Страница 99: ...How NAT Works 9 1 4 NAT Application The following figure illustrates a possible NAT application where three inside LANs logical LANs using IP Alias behind the ZyWALL can communicate with three distin...

Страница 100: ...1 One to One In One to One mode the ZyWALL maps one local IP address to one global IP address 2 Many to One In Many to One mode the ZyWALL maps multiple local IP addresses to one global IP address Th...

Страница 101: ...pecify inside servers of different services behind the NAT to be accessible to the outside world Port numbers do not change for One to One and Many One to One NAT mapping types The following table sum...

Страница 102: ...using mapping types as outlined in Table 9 2 1 Choose SUA Only if you have just one public WAN IP address for your ZyWALL 2 Choose Full Feature if you have multiple public WAN IP addresses for your Zy...

Страница 103: ...apping Set 1 menu 15 1 see section 9 3 1 for further discussion You can configure any of the mapping types described in Table 9 2 Choose Full Feature if you have multiple public WAN IP addresses for y...

Страница 104: ...use the pre configured Set 255 read only A server set is a list of LAN side servers mapped to external ports To use this set one set for the ZyWALL a server rule must be set up inside the NAT Address...

Страница 105: ...you want to create SUA Idx This is the index or rule number 1 Local Start IP Local End IP Local Start IP is the starting local IP address ILA see Figure 9 1 Local End IP is the ending local IP addres...

Страница 106: ...a rule in this menu press ENTER at the message Press ENTER to Confirm to save your configuration or press ESC to cancel User Defined Address Mapping Sets Now let s look at Option 1 in menu 15 1 Enter...

Страница 107: ...y that number of empty rules For example if you have already configured rules 1 to 6 in your current set and now you configure rule number 9 In the set summary screen the new rule will be rule 7 not 9...

Страница 108: ...to select the rule to apply the action in question 1 You must press ENTER at the bottom of the screen to save the whole set You must do this again if you make any changes to the set including deleting...

Страница 109: ...pes are Many to One or Server 0 0 0 0 End This is the ending global IP address IGA This field is N A for One to One Many to One and Server types N A Once you have finished configuring a rule in this m...

Страница 110: ...e unsure refer to your ISP The most often used port numbers are shown in the following table Please refer to RFC 1700 for further information about port numbers Please also refer to the included disk...

Страница 111: ...ing figure you have a computer acting as an FTP Telnet and SMTP server ports 21 23 and 25 at 192 168 1 33 Step 5 Press ENTER at the Press ENTER to confirm prompt to save your configuration after you d...

Страница 112: ...ZyWALL 10 10 II 50 Internet Security Gateway 9 16 NAT Figure 9 11 Multiple Servers Behind NAT Example...

Страница 113: ...ic IGA Inside Global Address assigned by your ISP Figure 9 12 NAT Example 1 Figure 9 13 Menu 4 Internet Access NAT Example Menu 4 Internet Access Setup ISP s Name ChangeMe Encapsulation Ethernet Servi...

Страница 114: ...9 5 The SUA Only read only option from the Network Address Translation field in menus 4 and 11 3 is specifically pre configured to handle this case 9 5 2 Example 2 Internet Access with an Inside Serve...

Страница 115: ...s Rule 1 Map the first IGA to the first inside FTP server for FTP traffic in both directions 1 1 mapping giving both local and global IP addresses Rule 2 Map the second IGA to our second inside FTP se...

Страница 116: ...on field in menu 4 or menu 11 3 in Figure 9 17 Step 2 Then enter 15 from the main menu Step 3 Enter 1 to configure the Address Mapping Sets Step 4 Enter 1 to begin configuring this new set Enter a Set...

Страница 117: ...Figure 9 18 Example 3 Menu 15 1 1 1 Menu 15 1 1 1 Address Mapping Rule Type One to One Local IP Start 192 168 1 10 End N A Global IP Start 10 132 50 1 End N A Press ENTER to Confirm or ESC to Cancel...

Страница 118: ...tart IP Local End IP Global Start IP Global End IP Type 1 192 168 1 10 10 132 50 1 1 1 2 192 168 1 11 10 132 50 2 1 1 3 0 0 0 0 255 255 255 255 10 132 50 3 M 1 4 10 132 50 3 Server 5 6 7 8 9 10 Action...

Страница 119: ...t numbers do not change for Many One to One and One to One NAT mapping types The following figure illustrates this Figure 9 21 NAT Example 4 Other applications such as some gaming programs are NAT unf...

Страница 120: ...apping Rules Menu 15 1 1 1 Address Mapping Rule Type Many One to One Local IP Start 192 168 1 10 End 192 168 1 12 Global IP Start 10 132 50 1 End 10 132 50 3 Press ENTER to Confirm or ESC to Cancel Me...

Страница 121: ...ilters III Part III Firewall and Content Filters Part III introduces firewalls in general and the ZyWALL firewall It also explains custom ports and logs and gives example firewall rules and an overvie...

Страница 122: ......

Страница 123: ...loyed For a firewall to guard effectively you must design and deploy it appropriately This requires integrating the firewall into a broad information security policy In addition specific policies must...

Страница 124: ...s support See section 10 5 for more information on Stateful Inspection Firewalls of one type or another have become an integral part of standard security solutions for enterprises 10 3 Introduction to...

Страница 125: ...hare information over the Internet using a common language called TCP IP TCP IP in turn is a set of application protocols that perform specific functions These protocols such as HTTP Web FTP File Tran...

Страница 126: ...a ping utility to create an IP packet that exceeds the maximum 65 536 bytes of data allowed by the IP specification The oversize packet is then sent to an unsuspecting system Systems may crash hang o...

Страница 127: ...a SYN Attack floods a targeted system with a series of SYN packets Each packet causes the targeted system to issue a SYN ACK response While the targeted system waits for the ACK that follows the SYN A...

Страница 128: ...broadcast the ICMP echo request packet to all hosts on the network If there are numerous hosts this will create a large amount of ICMP echo request and response traffic If a hacker chooses to spoof t...

Страница 129: ...are coming from within the trusted network To engage in IP spoofing a hacker must modify the packet headers so that it appears that the packets originate from a trusted host and should be allowed thr...

Страница 130: ...ever other Telnet traffic initiated from the WAN is blocked 10 5 1 Stateful Inspection Process In this example the following sequence of events occurs when a TCP packet leaves the LAN network through...

Страница 131: ...inspected by a firewall rule and the connection s state table entry is updated as necessary Based on the updated state information the inbound extended access list temporary entries might be modified...

Страница 132: ...the security policy as is the case with the default policy the connection will be allowed A cache entry is added which includes connection information such as IP addresses TCP ports sequence numbers e...

Страница 133: ...ne safely since the PORT command contains address and port information which can be used to uniquely identify the connection Any protocol that operates in this way must be supported on a case by case...

Страница 134: ...ser Internet Explorer 3 02 or better or Netscape 3 0 or better If a web site uses a secure connection it is safe to submit information Secure web transactions are quite difficult to crack 6 Never reve...

Страница 135: ...inspects packet contents as well as their source and destination addresses Firewalls of this type employ an inspection module applicable to all protocols that understands data in the packet is intend...

Страница 136: ...nguish traffic originating from an inside host or an outside host by IP address 4 The firewall performs better than filtering if you need to check many rules 5 Use the firewall if you need routine e m...

Страница 137: ...tructions SMT screens allow you to activate the firewall and view firewall logs CLI commands provide limited configuration options and are only recommended for advanced users please refer to the appen...

Страница 138: ...ll sessions originating from the LAN to the WAN and 2 deny all sessions originating from the WAN to the LAN You may define additional Policy rules or modify existing ones but please exercise extreme c...

Страница 139: ...the rule matched not matched or was there an attack The set and rule coordinates X Y where X 1 2 Y 00 10 follow with a simple explanation There are two policy sets set 1 X 1 is for LAN to WAN rules a...

Страница 140: ......

Страница 141: ...1 Launch your web browser and enter 192 168 1 1 as the URL Step 2 Enter 1234 default as the password and click Login If a password appears automatically just click Login You should see a screen asking...

Страница 142: ...the Firewall 12 3 E mail The E mail screen show next allows you to specify your mail server where e mail alerts should be sent as well as when and how often they should be sent 12 3 1 Alerts Alerts a...

Страница 143: ...s in the Log Timer fields in the E mail screen following screen 12 3 2 Logs A log is a detailed record that you create for packets that either match a rule don t match a rule or both when you are crea...

Страница 144: ...he ZyWALL as the sender of the e mail messages i e a return to sender address for backup purposes Log Timer Log Schedule This pop up menu is used to configure the frequency of log messages being sent...

Страница 145: ...l error messages appear in SMT menu 24 3 1 as SMTP action request failed ret The are described in the following table Table 12 2 SMTP Error Messages 1 means ZyWALL out of socket 2 means tcp SYN fail 3...

Страница 146: ...m number of opened sessions Subject Firewall Alert From ZyWALL Date Fri 07 Apr 2000 10 05 42 From user zyxel com To user zyxel com 1 Apr 7 00 From 192 168 1 1 To 192 168 1 255 default policy forward 0...

Страница 147: ...g half open sessions rises above a threshold max incomplete high the ZyWALL starts deleting half open sessions as required to accommodate new connection requests The ZyWALL continues to delete half op...

Страница 148: ...erts whenever TCP Maximum Incomplete is exceeded The global values specified for the threshold and timeout apply to all TCP connections Click on the Attack Alert tab to bring up the next screen Figure...

Страница 149: ...han 80 session establishment attempts have been detected in the last minute Maximum Incomplete Low This is the number of existing half open sessions that causes the firewall to stop deleting half open...

Страница 150: ...can choose if the next session should be allowed or blocked If you check Blocking Time any new sessions will be blocked for the length of time you specify in the next field min and all old incomplete...

Страница 151: ...test your rules after you configure them For example you may create rules to Block certain types of traffic such as IRC Internet Relay Chat from the LAN to the Internet Allow certain types of traffic...

Страница 152: ...there users that require this service 2 Is it possible to modify the rule to be more specific For example if IRC is blocked for all users will a rule that blocks just certain users be more effective...

Страница 153: ...a range of IPs or a subnet 13 3 Connection Direction This section talks about configuring firewall rules for connections going from LAN to WAN and WAN to LAN in your firewall 13 3 1 LAN to WAN Rules...

Страница 154: ...reate custom rules to allow it See the following figure Figure 13 2 WAN to LAN Traffic 13 4 Rule Summary The fields in the Rule Summary screens are the same for Local Network and Internet so the discu...

Страница 155: ...LD DESCRIPTION OPTIONS General Name This is the name of the firewall rule set Type a name to distinguish the LAN to WAN filter set from the WAN to LAN filter set Name The default action for packets no...

Страница 156: ...for more information Action This is the specified action for that rule Note that Block means the firewall silently discards the packet Block Forward Log This field shows you if a log is created for pa...

Страница 157: ...ion protocol used by some servers BGP TCP 179 Border Gateway Protocol BOOTP_CLIENT UDP 68 DHCP Client BOOTP_SERVER UDP 67 DHCP Server CU SEEME TCP UDP 7648 24032 A popular videoconferencing solution f...

Страница 158: ...sends out ICMP echo requests to test whether or not a remote host is reachable POP3 TCP 110 Post Office Protocol version 3 lets a client computer get e mail from a POP3 server through a temporary conn...

Страница 159: ...gin Program STRM WORKS UDP 1558 Stream Works Protocol SYSLOG UDP 514 Allows you to send system logs to a UNIX server TACACS UDP 49 Login Host Protocol used for Terminal Access Controller Access Contro...

Страница 160: ...creen shown to display the following screen Figure 13 4 Creating Editing A Firewall Rule Table 13 3 Creating Editing A Firewall Rule FIELD DESCRIPTION OPTIONS Source Address Click SrcAdd to add a new...

Страница 161: ...kets that match this rule be blocked or forwarded Make your choice from the drop down list box Note that Block means the firewall silently discards the packet Block Forward Log This field determines i...

Страница 162: ...ZyWALL 10 10 II 50 Internet Security Gateway 13 12 Creating Custom Rules Figure 13 5 Adding Editing Source and Destination Addresses...

Страница 163: ...in a range here End IP Address Enter the ending IP address in a range here Subnet Mask Enter the subnet mask here if applicable When you have finished click Apply to save your customized settings and...

Страница 164: ...ZyWALL 10 10 II 50 Internet Security Gateway 13 14 Creating Custom Rules Figure 13 6 Timeout Screen...

Страница 165: ...e indicating the end of the TCP session 60 seconds Idle Timeout This is the length of time of inactivity a TCP connection remains open before the ZyWALL considers the connection closed 3600 seconds 1...

Страница 166: ......

Страница 167: ...for services not predefined by the ZyWALL see Figure 13 4 For a comprehensive list of port numbers and services visit the IANA Internet Assigned Number Authority website For further information on th...

Страница 168: ...the name of your customized port Protocol This shows the IP protocol TCP UDP or Both that defines your customized port Port This is the port number or range that defines your customized port Click a c...

Страница 169: ...3 14 2 Creating Editing A Custom Port Click Edit in the previous screen to create a new custom port or edit an existing one This action displays the following screen Figure 14 2 Creating Editing A Cu...

Страница 170: ...the drop down list box TCP UDP TCP UDP Port Configuration Type Click Single to specify one port only or Range to specify a span of ports that define your customized service Single Range Port Number En...

Страница 171: ...hat match don t match or both this rule see Figure 13 4 Click on the Logs to bring up the next screen Firewall logs may also be viewed in SMT Menu 21 3 see section 11 3 or via syslog SMT Menu 24 3 2 S...

Страница 172: ...to WAN rules and set 2 X 2 for WAN to LAN rules Y represents the rule in the set You can configure up to 10 rules in any set Y 01 to 10 Rule number 00 is the default rule not match 1 01 dest IP This m...

Страница 173: ...5 2 Please see the NAT chapter 16 1 1 Example 1 Firewall Rule To Allow Web Service From The Internet Let s say you have one server on the local network with an IP of 10 100 1 2 supporting FTP HTTP Tel...

Страница 174: ...all Enabled check box or through SMT menu 21 2 You can only configure the firewall using the web configurator or CI commands see Appendices When the firewall is active the default rules allow all traf...

Страница 175: ...y clicking Advanced Firewall Configuration then the E mail tab Configure the E mail screen as follows Figure 16 2 Example 1 E Mail Screen Enter 10 100 1 2 the IP address of the mail server here This i...

Страница 176: ...Click Internet and go to the Rule Summary Configure this screen as shown Figure 16 3 Example 1 Configuring a Rule This is an Internet to Local Network rule Move this service to this box by selecting...

Страница 177: ...n address as the IP of your server on the LAN Figure 16 4 Example 1 Destination Address for Traffic Originating from the Internet 10 100 1 2 is the IP of our server on the LAN supporting FTP HTTP Teln...

Страница 178: ...Summary Screen 16 1 2 Example 2 Small Office With Mail FTP and Web Servers A small office has Log of packets should match this rule in the ACL Default Set Click Apply in this screen when you have fini...

Страница 179: ...5 You want i To send alerts when there is an attack ii To only allow access to the Internet from the HTTP proxy server and your mail server iii To only allow FTP server 1 to be accessible from the In...

Страница 180: ...ansport services required to move mail from one system to another The current version is called POP3 Click Custom Ports and then click Edit Configure the screen as follows POP3 is now a predefined ser...

Страница 181: ...of the mail server 192 168 10 2 in the same fashion as in Figure 16 4 Figure 16 8 Example 2 Local Network Rule 1 Configuration Step 6 Similarly configure another local network to Internet rule allowi...

Страница 182: ...the Internet Remember the default Internet to Local Network ACL Set blocks all traffic from the Internet so you want to create a hole for this server Click the Internet link to see its Rule Summary sc...

Страница 183: ...le Summary for this Internet firewall rule should look like the following screen Don t forget to click Apply when you have finished configuring your rule s to save your settings back to the ZyWALL Fig...

Страница 184: ...rom the Internet The following are some Internet firewall rule examples that allow DHCP negotiation between the ISP and the ZyWALL and allow a syslog connection1 from the Internet Follow the procedure...

Страница 185: ...Advanced Management This part provides information on Filter Configuration SNMP Configuration System Information and Diagnosis Firmware and Configuration File Maintenance System Maintenance and Infor...

Страница 186: ......

Страница 187: ...protocol filters which are discussed later Data filtering screens the data to determine if the packet should be allowed to pass Data filters are divided into incoming and outgoing filters depending o...

Страница 188: ...pply up to four filter sets to a particular port to block multiple types of packets With each filter set having up to six rules you can have a maximum of 24 rules active for a single port Sets of fact...

Страница 189: ...er Set Fetch First Filter Rule Active Execute Filter Rule Fetch Next Filter Rule Next filter Rule Available Fetch Next Filter Set Next Filter Set Available Accept Packet Drop Packet Yes No Yes No Yes...

Страница 190: ...gle port 18 2 Configuring a Filter Set To configure a filter set follow the procedure below For more information on menus 21 2 and 21 3 please see the firewall chapters Step 1 Select option 21 Filter...

Страница 191: ...ummary Figure 18 6 NetBIOS_WAN Filter Rules Summary Menu 21 1 Filter Set Configuration Filter Filter Set Comments Set Comments 1 _______________ 7 _______________ 2 _______________ 8 _______________ 3...

Страница 192: ...hain with the present rule An action cannot be taken until the rule chain is complete N means there are no more rules to check You can specify an action to be taken i e forward the packet drop the pac...

Страница 193: ...col filters or generic filters The class of a filter set is determined by the first rule that you create When applying the filter sets to a port separate menu fields are provided for protocol and devi...

Страница 194: ...ce route option The majority of IP packets do not have source route Yes No Destination IP Address Enter the destination IP Address of the packet you wish to filter This field is ignored if it is 0 0 0...

Страница 195: ...e packet against the value given in Source Port None Less Greater Equal Not Equal TCP Estab This field is applicable only when the IP Protocol field is 6 TCP If Yes the rule matches packets that want...

Страница 196: ...the rule Check Next Rule Forward Drop Press SPACE BAR to select properties for fields that do not need to be typed in When you have Menu 21 1 1 1 TCP IP Filter Rule configured press ENTER at the messa...

Страница 197: ...Filter Active Check IP Protocol Drop Drop Packet Accept Packet Drop Forward Check Next Rule Check Next Rule Check Next Rule Forward Not Matched Yes No Check Src IP Addr Apply SrcAddrMask to Src Addr M...

Страница 198: ...against the Value to determine a match The Mask and Value are specified in hexadecimal numbers Note that it takes two hexadecimal digits to represent a byte so if the length is 4 the value in either f...

Страница 199: ...e packet that you wish to compare The range for this field is 0 to 8 0 Default Mask Enter the mask in Hexadecimal notation to apply to the data portion before comparison Value Enter the value in Hexad...

Страница 200: ...ss ESC to cancel This data will now be displayed on Menu 21 1 1 Filter Rules Summary 18 3 Example Filter Let s look at an example to block outside users from telnetting into the ZyWALL Please see our...

Страница 201: ...23 Port Comp Equal Source IP Addr 0 0 0 0 IP Mask 0 0 0 0 Port 0 Port Comp None TCP Estab No More No Log None Action Matched Drop Action Not Matched Forward Press ENTER to Confirm or ESC to Cancel Pr...

Страница 202: ...our example filter set 3 as shown in Figure 18 15 Step 4 Press ENTER to confirm after you enter the set numbers and to leave menu 11 5 Menu 21 1 3 Filter Rules Summary A Type Filter Rules M m n 1 Y IP...

Страница 203: ...possible to know the exact address and port on the wire Therefore the ZyWALL applies the protocol filters to the native IP address and port number before NAT for outgoing packets and after NAT for inc...

Страница 204: ...er set s that you want to apply as appropriate You can choose up to four filter sets from twelve by entering their numbers separated by commas e g 3 4 6 11 Input filter sets filter incoming traffic to...

Страница 205: ...affic Menu 11 5 Remote Node Filter Input Filter Sets protocol filters 1 device filters Output Filter Sets protocol filters 1 device filters Call Filter Sets protocol filters 1 device filters Enter her...

Страница 206: ......

Страница 207: ...etwork Management Protocol is a protocol used for exchanging management information between network devices SNMP is a member of TCP IP protocol suite Your ZyWALL supports SNMP agent functionality whic...

Страница 208: ...gh which network administrators perform network management functions It executes applications that control and monitor managed devices The managed devices contain object variables managed objects that...

Страница 209: ...thin an agent Trap Used by the agent to inform the manager of some events 19 2 Supported MIBs The ZyWALL supports MIB II that is defined in RFC 1213 and RFC 1215 The ZyWALL can also respond with speci...

Страница 210: ...ALL will only respond to SNMP messages from this address If you leave the field set to 0 0 0 0 default your ZyWALL will respond to all SNMP messages it receives regardless of source 0 0 0 0 default Tr...

Страница 211: ...thenticationFailure defined in RFC 1215 A trap is sent to the manager when receiving any SNMP get or set requirements with wrong community password 6 whyReboot defined in ZYXEL MIB A trap is sent with...

Страница 212: ......

Страница 213: ...ystem Status gives you information on the version of your system firmware and the status and statistics of the ports as shown in the next figure System Status is a tool that can be used to monitor you...

Страница 214: ...PTION Port This is the WAN or the LAN port Status Shows the port speed and duplex setting if you re using Ethernet Encapsulation and Down line is down idle line ppp idle dial starting to trigger a cal...

Страница 215: ...tal time the ZyWALL has been on Name This is the ZyWALL s system name domain name assigned in menu 1 e g System Name xxx Domain Name baboo mickey com Name xxx baboo mickey com Routing This field refer...

Страница 216: ...IPTION Name This is the ZyWALL s system name domain name assigned in menu 1 Name xxx baboo mickey com Routing Refers to the routing protocol used ZyNOS F W Version Refers to the version of ZyXEL s Net...

Страница 217: ...19200 38400 57600 and 115200 bps for the console port Use SPACE BAR to select the desired speed in menu 24 2 2 as shown below Figure 20 5 Menu 24 2 2 System Maintenance Change Console Port Speed 20 3...

Страница 218: ...1 PP17 INFO adjtime task pause 60 seconds 2 Wed Aug 22 21 23 54 2001 PINI INFO SMT Session Begin 3 Wed Aug 22 21 24 26 2001 PP0d INFO No DNS server available 4 Wed Aug 22 21 24 26 2001 PP17 WARN Wrong...

Страница 219: ...CE BAR to turn syslog on or off Syslog IP Address Enter the IP Address of the server that will log the CDR Call Detail Record and system messages i e the syslog server Log Facility Press SPACE BAR to...

Страница 220: ...l xx str board the hardware board ID line the WAN ID in a board Channel channel ID within the WAN call the call reference number which starts from 1 and increments by 1 for each new call str C01 Outgo...

Страница 221: ...R01mD means filter set 4 S and rule 1 R match m drop D Src Source Address Dst Destination Address prot Protocol TCP UDP ICMP spo Source port dpo Destination port Mar 03 10 39 43 202 132 155 97 ZyXEL G...

Страница 222: ...mation prot Protocol TCP UDP ICMP IGMP GRE ESP rule a b where a means set number b means rule number action nothing N block B forward F 08 01 2000 11 48 41 Local1 Notice 192 168 10 10 RAS FW 172 21 1...

Страница 223: ...Type of Service 0x00 0 Total Length 0x002C 44 Identification 0x0002 2 Flags 0x00 Fragment Offset 0x00 Time to Live 0xFE 254 Protocol 0x06 TCP Header Checksum 0xFB20 64288 Source IP 0xC0A80101 192 168...

Страница 224: ...or WAN as shown in Figure 20 11 LAN DHCP has already been discussed The ZyWALL can act either as a WAN DHCP client IP Address Assignment field in menu 4 or menu 11 3 is Dynamic and the Encapsulation...

Страница 225: ...Enter 2 to release your WAN DHCP settings WAN DHCP Renewal Enter 3 to renew your WAN DHCP settings Internet Setup Test Enter 4 to test the Internet Setup You can also test the Internet Setup in Menu...

Страница 226: ......

Страница 227: ...ension With many FTP and TFTP clients the filenames are similar to those seen next ftp put firmware bin ras This is a sample FTP session showing the transfer of the computer file firmware bin to the Z...

Страница 228: ...ifferent ways to backup restore and upload files in menus 24 5 24 6 24 7 1 and 24 7 2 depending on whether you use the console port or Telnet Option 5 from Menu 24 System Maintenance allows you to bac...

Страница 229: ...computer and renames it config rom See earlier in this chapter for more information on filename conventions Step 7 Enter quit to exit the FTP prompt 21 2 3 Example of FTP Commands from the Command Lin...

Страница 230: ...ser ID and Password to login Transfer Type Transfer files in either ASCII plain text format or in binary mode Initial Remote Directory Specify the default remote directory path Initial Local Directory...

Страница 231: ...e telnet client and accepts TFTP requests only from this address Step 2 Put the SMT in command interpreter CI mode by entering 8 in Menu 24 System Maintenance Step 3 Enter command sys stdio 0 to disab...

Страница 232: ...en shipped Send Fetch Use Send to upload the file to the ZyWALL and Fetch to back up the file on your computer Local File Enter the path and name of the firmware file bin extension or configuration fi...

Страница 233: ...ress any key to return to the SMT menu Figure 21 6 Successful Backup Confirmation Screen 21 3 Restore Configuration This section shows you how to restore a previously saved configuration Note that thi...

Страница 234: ...Step 1 Launch the FTP client on your computer Step 2 Enter open followed by a space and the IP address of your ZyWALL Menu 24 6 System Maintenance Restore Configuration To transfer the firmware and co...

Страница 235: ...successful restore process 21 3 3 Restore Using FTP Session Example Figure 21 8 Restore Using FTP or TFTP Session Example Refer to section 21 2 5 to read about configurations that disallow TFTP and F...

Страница 236: ...turn to the SMT menu Figure 21 12 Successful Restoration Confirmation Screen 21 4 Uploading Firmware and Configuration Files This section shows you how to upload firmware and configuration files You c...

Страница 237: ...owing screen when you telnet into menu 24 7 2 Menu 24 7 1 System Maintenance Upload System Firmware To upload the system firmware follow the procedure below 1 Launch the FTP client on your workstation...

Страница 238: ...he ZyWALL and renames it rom 0 Likewise get rom 0 config rom transfers the configuration file on the ZyWALL to your computer and renames it config rom See earlier in this chapter for more information...

Страница 239: ...nts To transfer the firmware and the configuration file follow the procedure shown next Step 1 Use telnet from your computer to connect to the ZyWALL and log in Because TFTP does not have any security...

Страница 240: ...mode use this mode when transferring binary files host is the ZyWALL s IP address put transfers the file source on the computer firmware bin name of the firmware on the computer to the file destinati...

Страница 241: ...the following screen Figure 21 17 Example Xmodem Upload After the firmware upload process has completed the ZyWALL will automatically restart Menu 24 7 1 System Maintenance Upload System Firmware To...

Страница 242: ...LL 21 4 11 Example Xmodem Configuration Upload Using HyperTerminal Click Transfer then Send File to display the following screen Menu 24 7 2 System Maintenance Upload System Configuration File To uplo...

Страница 243: ...tion File Maintenance 21 17 Figure 21 19 Example Xmodem Upload After the configuration upload process has completed restart the ZyWALL by entering atgo Type the configuration file s location or click...

Страница 244: ......

Страница 245: ...y a serial connection to the console port although some commands are only available with a serial connection See the included disk or the zyxel com web site for more detailed information on CI command...

Страница 246: ...he ZyWALL within certain times When the total outgoing call time exceeds the limit the current call will be dropped and any future outgoing calls will be blocked Call history chronicles preceding inco...

Страница 247: ...ter 0 to update the screen The budget and the reset period can be configured in menu 11 1 for the remote node Table 22 1 Budget Management FIELD DESCRIPTION EXAMPLE Remote Node Enter the index number...

Страница 248: ...fer rate of the call call This is the number of calls made to or received from that telephone number Max This is the length of time of the longest telephone call Min This is the length of time of the...

Страница 249: ...following screen Figure 22 7 Menu 24 10 System Maintenance Time and Date Setting Menu 24 10 System Maintenance Time and Date Setting Use Time Server when Bootup NTP RFC 1305 Time Server IP Address tic...

Страница 250: ...ield displays an updated time only when you reenter this menu New Time Enter the new time in hour minute and second format Current Date This field displays an updated date only when you reenter this m...

Страница 251: ...ZyWALL 10 10 II 50 Internet Security Gateway System Maintenance Information 22 7 ii When the ZyWALL starts up if there is a time server configured in menu 24 10 iii 24 hour intervals after starting...

Страница 252: ......

Страница 253: ...ZyWALL for remote management is through an SMT session using the console port Once your ZyWALL is configured you can use telnet to configure it remotely as shown next Figure 23 1 Telnet Configuration...

Страница 254: ...Web and FTP services You can customize the service port access interface and the secured client IP address to enhance security and flexibility You may manage your ZyWALL from a remote location via Int...

Страница 255: ...er for the remote management service You may change the port number for a service if needed but you must use the same port number to use that service for remote management 23 Menu 24 11 Remote Managem...

Страница 256: ...n menu 3 1 LAN or in menu 11 5 WAN is applied to block a Telnet FTP or Web service 2 You have disabled that service in menu 24 11 3 The IP address in the Secured Client IP field menu 24 11 does not ma...

Страница 257: ...timeout of five minutes three hundred seconds for either the console port or telnet web FTP connections Your ZyWALL will automatically log you out if you do nothing in this timeout period except when...

Страница 258: ......

Страница 259: ...Call Scheduling and VPN IPSec V Part V Call Scheduling and VPN IPSec Part V provides information about Call Scheduling and VPN IPSec...

Страница 260: ......

Страница 261: ...nu 26 Schedule Setup Lower numbered sets take precedence over higher numbered sets thereby avoiding scheduling conflicts For example if sets 1 2 3 and 4 in are applied in the remote node then set 1 wi...

Страница 262: ...Yes and press ENTER to activate the schedule set Yes No Start Date Enter the start date when you wish the set to take effect in year month date format Valid dates are from the present to 2036 February...

Страница 263: ...he connection is maintained whether or not there is a demand call on the line and will persist for the time period specified in the Duration field Forced On Forced Down means that the connection is bl...

Страница 264: ...riod hr 0 My Login Schedules 1 2 3 4 My Password Nailed up Connections Authen CHAP PAP Session Options PPTP Edit Filter Sets No My IP Addr Idle Timeout sec 100 Server IP Addr Connection ID Name Press...

Страница 265: ...ible solutions for secure data communications across a public network like the Internet IPSec is built around a number of standardized cryptographic techniques to provide confidentiality data integrit...

Страница 266: ...support 10 Security Associations and the ZyWALL 50 supports 50 Security Associations SAs Linking Two or More Private Networks Together Connect branch offices and business partners over the Internet wi...

Страница 267: ...ZyWALL 10 10 II 50 Internet Security Gateway Introduction to IPSec 25 3 Figure 25 2 VPN Application 25 2 IPSec Architecture The overall IPSec architecture is shown as follows...

Страница 268: ...ation algorithms The Encryption algorithm describes the use of encryption techniques such as DES Data Encryption Standard and Triple DES algorithms The Authentication algorithms HMAC MD5 RFC 2403 and...

Страница 269: ...of the original IP header in the hashing process 25 3 2 Tunnel Mode Tunnel mode encapsulates the entire IP packet to transmit it securely A Tunnel mode is required for gateway services to provide acc...

Страница 270: ...including headers in a new IP packet The new IP packet s source address is the outbound address of the sending VPN gateway and its destination address is the inbound address of the VPN device at the r...

Страница 271: ...menu 27 1 submenus including security policies endpoint IP addresses peer IPSec router IP address and key management 2 Menu 27 2 SA Monitor allows you to manage refresh or disconnect your SA connectio...

Страница 272: ...y is not required or not sanctioned by government encryption restrictions an AH can be employed to ensure integrity This type of implementation does not protect the information from dissemination but...

Страница 273: ...a 128 bit digest to authenticate packet data 3DES Triple DES 3DES is a variant of DES which iterates three times with three separate keys 3 x 56 168 bits effectively doubling the strength of DES SHA1...

Страница 274: ...DNS The ZyWALL has to rebuild the VPN tunnel each time the remote secure gateway s WAN IP address changes there may be a delay until the DDNS servers are updated with the remote gateway s new WAN IP a...

Страница 275: ...on Figure 26 5 Headquarters ZyWALL Configuration The Secure Gateway IP Address may be configured as 0 0 0 0 only when using IKE key management and not Manual key management A ZyWALL with Secure Gatewa...

Страница 276: ...dr Type field in Menu 27 1 1 IPSec Setup is configured to Range this is the beginning static IP address in a range of computers on the LAN behind your ZyWALL When the Addr Type field in Menu 27 1 1 IP...

Страница 277: ...DES NULL denotes a tunnel without encryption AH Authentication Header provides strong integrity and authentication by adding authentication information to IP packets This authentication information is...

Страница 278: ...PSec router with which you are making the VPN connection This field displays 0 0 0 0 when you configure the Secure Gateway Addr field in SMT 27 1 1 to 0 0 0 0 193 81 13 2 Select Command Press SPACE BA...

Страница 279: ...name for this VPN rule The name may be up to 32 characters long but only 10 characters will be displayed in Menu 27 1 IPSec Summary Taiwan Active Press SPACE BAR to choose either Yes or No Choose Yes...

Страница 280: ...cal and remote IP address es both the same Two active SAs can have the same local or remote IP address but not both You can configure multiple SAs between the same local and remote IP addresses as lon...

Страница 281: ...e Addr Type Press SPACE BAR to choose SINGLE RANGE or SUBNET and press ENTER Select SINGLE with a single IP address Use RANGE for a specific range of IP addresses Use SUBNET to specify IP addresses on...

Страница 282: ...l and then press ENTER Manual is useful for troubleshooting if you have problems using IKE key management IKE Edit Key Management Setup Press SPACE BAR to change the default No to Yes and then press E...

Страница 283: ...Choose whether to enable Perfect Forward Secrecy PFS using Diffie Hellman public key cryptography see section 26 5 5 Select None the default to disable PFS Choose Tunnel mode or Transport mode Set th...

Страница 284: ...ommunications channel Diffie Hellman is used within IKE SA setup to establish session keys 768 bit Group 1 DH1 and 1024 bit Group 2 DH2 Diffie Hellman groups are supported Upon completion of the Diffi...

Страница 285: ...re shared keys Pre shared keys are best for small networks with fewer than ten nodes Enter your pre shared key here Enter up to 31 characters Any character may be used including spaces but trailing sp...

Страница 286: ...atically renegotiates in this field It may range from 60 to 3 000 000 seconds almost 35 days A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authen...

Страница 287: ...t 26 6 1 Active Protocol This field is a combination of mode and security protocols used for the VPN These parameters have been discussed earlier Table 26 6 Active Protocol Encapsulation and Security...

Страница 288: ...lds Key1 to Key3 when you choose 3DES Select NULL to set up a tunnel without encryption When you select NULL you do not enter any encryption keys DES Key1 Enter a unique eight character key Any charac...

Страница 289: ...ted 123456789abcde AH Setup The AH Setup fields are N A if you chose an ESP Active Protocol SPI Decimal The SPI must be from one to four unique decimal characters 0 to 9 long N A Authentication ALgori...

Страница 290: ......

Страница 291: ...times out automatically after two minutes A tunnel with no outbound or inbound traffic is idle and does not timeout 27 1 Using SA Monitor 1 Use the Refresh function to display active VPN connections 2...

Страница 292: ...ets Encryption methods include 56 bit DES and 168 bit 3DES NULL denotes a tunnel without encryption An incoming SA may have an AH in addition to ESP The Authentication Header provides strong integrity...

Страница 293: ...ZyWALL 10 10 II 50 Internet Security Gateway SA Monitor 27 3 Table 27 1 Menu 27 2 SA Monitor FIELD DESCRIPTION EXAMPLE configuration or press ESC at any time to cancel...

Страница 294: ......

Страница 295: ...on Figure 28 1 Example VPN Initiator IPSec Log Index Date Time Log 001 01 Jan 08 02 22 Send Main Mode request to 192 168 100 101 002 01 Jan 08 02 22 Send SA 003 01 Jan 08 02 22 Recv SA 004 01 Jan 08 0...

Страница 296: ...egotiation for outbound from the VPN initiator traffic is not finished yet Send Main Mode request to IP Send Aggressive Mode request to IP The ZyWALL has started negotiation with the peer Recv Main Mo...

Страница 297: ...for these phases For example one party may be using 3DES encryption but the other party is using DES encryption so the connection will fail Verifying Local ID failed Verifying Remote ID failed During...

Страница 298: ...rrent ZyWALL WAN IP address static or dynamic to set up the VPN tunnel Cannot find Phase 2 SA The ZyWALL cannot find a phase 2 SA that corresponds with the SPI of an inbound packet from the peer the p...

Страница 299: ...Log 28 5 Table 28 3 RFC 2408 ISAKMP Payload Types LOG DISPLAY PAYLOAD TYPE TRANS Transform KE Key Exchange ID Identification CER Certificate CER_REQ Certificate Request HASH Hash SIG Signature NONCE...

Страница 300: ......

Страница 301: ...Troubleshooting Appendices Glossary and Index VI Part VI Troubleshooting Appendices and Index This part provides Troubleshooting followed by some Appendices and an Index...

Страница 302: ......

Страница 303: ...of the LEDs are on when you turn on the ZyWALL Check the connection between the power adapter and the ZyWALL If the error persists you may have a hardware problem In this case you should contact your...

Страница 304: ...fter verifying the MAC address or Host Name or User ID Find out the verification method used by your ISP If the ISP checks the LAN MAC Address tell the ISP the WAN MAC address of the ZyWALL The WAN MA...

Страница 305: ...anufacturer of your cable xDSL device about your cable requirement because for some devices may require crossover cable and others a regular straight through cable Cannot access the Internet Verify yo...

Страница 306: ...s when remote management may not be possible When NAT is enabled Use the ZyWALL s WAN IP address when configuring from the WAN Use the ZyWALL s LAN IP address when configuring from the LAN Refer to th...

Страница 307: ...Internet Security Gateway The Big Picture A Appendix A The Big Picture The following figure gives an overview of how filtering the firewall VPN and NAT are related Diagram 1 Big Picture Filtering Fir...

Страница 308: ......

Страница 309: ...ervices using PPP Benefits of PPPoE PPPoE offers the following benefits 1 It provides you with a familiar dial up networking DUN user interface 2 It lessens the burden on the carriers of provisioning...

Страница 310: ...nels the PPP frames to the ISP The L2TP tunnel is capable of carrying multiple PPP sessions With PPPoE the VC Virtual Circuit is equivalent to the dial up connection and is between the modem and the A...

Страница 311: ...separate ATM VC per destination Diagram 4 Transport PPP frames over Ethernet PPTP and the ZyWALL When the ZyWALL is deployed in such a setup it appears as a PC to the ANT ADSL Network Termination In...

Страница 312: ...the user and the PAC and the PAC tunnels the PPP frames to the PNS The PPTP user is unaware of the tunnel between the PAC and the PNS Diagram 5 PPTP Protocol Overview Microsoft includes PPTP as a par...

Страница 313: ...Gateway PPTP G PPP Data Connection The PPP frames are tunneled between the PNS and PAC over GRE General Routing Encapsulation RFC 1701 1702 The individual calls within a tunnel are distinguished using...

Страница 314: ......

Страница 315: ...100 Mbit Half Full Auto negotiation for the ZyWALL 10 II and 50 Ethernet Specification for LAN 10 100 Mbit Half Full Auto negotiation Console Port RS 232 Pin 1 NON Pin 2 DTE RXD Pin 3 DTE TXD Pin 4 D...

Страница 316: ......

Страница 317: ...ltage is correct and stable If the input AC voltage is over 10 lower than the standard may cause the ZyWALL to malfunction 7 Installation in restricted access areas must comply with Articles 110 16 11...

Страница 318: ......

Страница 319: ...ilable ZyWALL boot module commands as shown in the next screen ATBAx allows you to change the console port speed The x denotes the number preceding the colon to give the console port speed following t...

Страница 320: ...mon Area ATDUx y dump memory contents from address x for length y ATRBx display the 8 bit value of address x ATRWx display the 16 bit value of address x ATRLx display the 32 bit value of address x ATG...

Страница 321: ...unit and possibly render it unusable Command Syntax The command keywords are in courier new font Enter the command keywords exactly as shown do not abbreviate The required fields in a command are encl...

Страница 322: ......

Страница 323: ...d saves the current firewall settings D Di is sp pl la ay y config display firewall This command shows the of all the firewall settings including e mail attack and the sets rules config display firewa...

Страница 324: ...ourly daily weekly This command sets how frequently the firewall log is sent via e mail config edit firewall e mail day sunday monday tuesday wednesday thursday friday saturday This command sets the d...

Страница 325: ...ig edit firewall attack minute low 0 255 This command sets the threshold of half open sessions where the ZyWALL stops deleting half opened sessions config edit firewall attack max incomplete high 0 25...

Страница 326: ...ng the ZyWALL leaves a TCP session open after the firewall detects a FIN exchange indicating the end of the TCP session Config edit firewall set set tcp idle timeout seconds This command sets how long...

Страница 327: ...d subnet mask config edit firewall set set rule rule srcaddr range start ip address end ip address This command sets a rule to have the ZyWALL check for traffic from this range of addresses config edi...

Страница 328: ...mand to enter various non consecutive port numbers config edit firewall set set rule rule UDP destport range start port end port This command sets a rule to have the ZyWALL check for UDP traffic with...

Страница 329: ...vices such as PPPoE or PPTP NetBIOS packets cause unwanted calls You can configure NetBIOS filters to Block NetBIOS packets from being sent from the LAN to the WAN Block NetBIOS packets from being sen...

Страница 330: ...Disabled means that NetBIOS packets are blocked from initiating calls Disabled NetBIOS Filter Configuration Syntax sys filter netbios config type on off where type Identify which NetBIOS filter numbe...

Страница 331: ...Y Command sys filter netbios config 1 off This command forwards LAN to DMZ NetBIOS packets Command sys filter netbios config 2 on This command blocks IPSec NetBIOS packets Command sys filter netbios c...

Страница 332: ...UL 1950 CSA C22 2 No 234 M90 AC Power Adapter model AD48 1201200DUY Input power AC120Volts 60Hz Output power DC12Volts 1 2A Power consumption 9 W Plug North American standards Safety standards UL CUL...

Страница 333: ...nited Kingdom standards Safety standards TUV CE EN 60950 BS7002 Japan AC Power Adapter model JOD 48 1124 Input power AC100Volts 50 60Hz 27VA Output power DC12Volts 1 2A Power consumption 10 W Plug Jap...

Страница 334: ......

Страница 335: ...Attack 10 6 Budget Management 22 3 C Cable Modem 2 4 2 5 10 2 Call Control 22 2 Call History 22 4 Call Scheduling 24 1 maximum number of schedule sets 24 1 PPPoE 24 3 Precedence 24 1 Precedence Exampl...

Страница 336: ...Internet EG 3 16 12 DHCP Negotiation 16 12 Diagnostic 20 11 DNS 5 2 Domain Name 5 2 9 14 20 3 DoS Basics 10 3 Types 10 4 DoS Denial of Service 1 1 Dynamic DNS 4 1 4 3 DYNDNS Wildcard 4 2 E E mail Log...

Страница 337: ...Management 11 1 Rule Checklist 13 1 Rule Examples 16 1 Rule Logic 13 1 Rule Precedence 13 4 Rule Security Ramifications 13 2 Rule To Allow Web Service From The Internet 16 1 Services 13 7 SMT Menus 1...

Страница 338: ...es 13 2 L LAN Setup 5 1 5 5 LAN to WAN Rules 13 3 LAND 10 4 10 6 Local Network Rule Summary 13 4 log 20 5 Log Facility 20 7 Log Screen 15 1 Logs 15 1 M MAC Address 4 5 29 2 Mail Server 12 4 Main Menu...

Страница 339: ...7 5 7 8 Private 5 3 5 4 7 8 7 10 8 3 Private IP Addresses 5 3 R Read Me First xxxiii Real Time Chip 1 3 Rear Panel 2 2 2 3 2 4 Related Documentation xxxiii Relay 5 6 Remote Management Firewall 11 1 Re...

Страница 340: ...Configuring 19 3 Community 19 3 Trap 19 4 Trusted Host 19 4 Manager 19 2 MIBs 19 3 SNMP Simple Network Management Protocol 1 2 SNMP Simple Network Management Protocol 19 1 Source Destination Addresse...

Страница 341: ...5 13 13 13 14 13 15 Trace 20 5 Traceroute 10 7 Troubleshooting 29 1 Internet Access 29 3 LAN Interface 29 2 WAN Interface 29 2 U UDP ICMP Security 10 10 Unicast 5 4 UNIX Syslog 20 7 Upload Firmware 21...

Страница 342: ...ZyWALL 10 10 II 50 Internet Security Gateway JJ Index Introduction 10 2...

Отзывы:

Нет отзывов

Бренды по названию

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Популярные бренды

Загрузить еще бренды