ZyXEL Communications P-312 User Manual


The Right User Manual

Regulations oblige the seller to hand over the ZyXEL Communications P-312 user manual to the buyer together with the goods. A missing manual, or incorrect information given to the consumer, constitutes grounds for a complaint on the basis of the device's non-conformity with the contract. The law permits a manual to be supplied in a form other than paper, which has recently become very common, by including a graphical or electronic manual for the ZyXEL Communications P-312 as well as instructional videos for users. The condition is that its form is legible and understandable.

What is a user manual?

The word comes from the Latin "instructio", i.e. to arrange. Accordingly, the ZyXEL Communications P-312 manual contains a description of the steps of procedures. The aim of the manual is to instruct and to simplify starting up and using the device or carrying out particular tasks. The manual is a collection of information about an item or service, a guide.

Unfortunately, not many users devote time to the ZyXEL Communications P-312 user manual. A good manual not only lets you discover a number of additional functions of the purchased device, it also helps you avoid many mistakes.

So what should an ideal user manual contain?

The ZyXEL Communications P-312 user manual should above all contain the following:
- Information about the technical data of the ZyXEL Communications P-312
- The name of the manufacturer and the year of manufacture of the ZyXEL Communications P-312
- Principles of operation, adjustment and maintenance of the ZyXEL Communications P-312
- Safety marks and certificates confirming conformity with the relevant standards

Why don't we read user manuals?

The reason is lack of time and confidence regarding particular functions of the purchased devices. Unfortunately, connecting and starting the ZyXEL Communications P-312 is not enough. A manual contains a range of guidance on particular functions, safety principles, maintenance methods (even which products to use), possible faults of the ZyXEL Communications P-312 and ways of solving problems that may arise during use. After all, the manual gives the contact number for ZyXEL Communications service if the suggested solutions do not work. Currently, manuals in the form of engaging animations or video guides, which appeal to users more than a brochure, are growing in popularity. This kind of manual guarantees that the user watches the whole video without skipping the detailed and complicated technical descriptions of the ZyXEL Communications P-312, as happens with the paper form.

Why should one read user manuals?

In the user manual we find above all answers about the construction and capabilities of the ZyXEL Communications P-312, about the use of particular accessories, and a range of information that allows all functions and conveniences to be used.

After a successful purchase, one should take some time to get to know every part of the ZyXEL Communications P-312 manual. Nowadays they are carefully prepared or translated so that they are not only understandable to users but also fulfil their basic function of help and information.

Table of Contents of the User Manual

  • Page 1

    Prestige 312 Broadband Security Gateway User’s Guide Version 3.20 November 2000[...]

  • Page 2

    P312 Broadband Security Gateway ii Copyright Prestige 312 Broadband Security Gateway Copyright Copyright © 2000 by ZyXEL Communications Corporation. The contents of this publication may not be reproduced in any part or as a whole, transcribed, stored in a retrieval system, translated into any language, or transmitted in any form or[...]

  • Page 3

    P312 Broadband Security Gateway FCC Statement iii Federal Communications Commission (FCC) Interference Statement This device complies with Part 15 of FCC rules. Operation is subject to the following two conditions: This device may not cause harmful interference. This device must accept any interference received, including inter[...]

  • Page 4

    P312 Broadband Security Gateway iv Canadian Users Information for Canadian Users The Industry Canada label identifies certified equipment. This certification means that the equipment meets certain telecommunications network protective, operation, and safety requirements. The Industry Canada does not guarantee that the equipm[...]

  • Page 5

    P312 Broadband Security Gateway Warranty v Declaration of Conformity We, the Manufacturer/Importer, ZyXEL Communications Corp. No. 6, Innovation Rd. II, Science-Based Industrial Park, Hsinchu, Taiwan, 300 R.O.C declare that the product Prestige 312 is in conformity with (reference to the specification under which conformity is decl [...]

  • Page 6

    P312 Broadband Security Gateway vi CE Doc[...]

  • Page 7

    P312 Broadband Security Gateway Warranty vii ZyXEL Limited Warranty ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials or workmanship for a period of up to two years from the date of purchase. During the warranty period, and upon proof of purchase, should the product have indi[...]

  • Page 8

    P312 Broadband Security Gateway viii Customer Support Customer Support When you contact your customer support representative please have the following information ready: ♦ Prestige Model and serial number. ♦ Information in Menu 24.2.1 – System Information. ♦ Warranty Information. ♦ Date you received your Prestige. ♦ B[...]

  • Page 9

    P312 Broadband Security Gateway Table Of Contents ix Table of Contents Table of Contents ... ix List of Figures ...[...]

  • Page 10

    P312 Broadband Security Gateway x Table Of Contents 2.10.1 LAN Port Filter Setup ... 2-12 Chapter 3 Internet Access ... 3-1 3.1 TCP/IP and [...]

  • Page 11

    P312 Broadband Security Gateway Table Of Contents xi 6.1.4 NAT Mapping Types ... 6-2 6.1.5 SUA (Single User Account) Versus NAT ... 6-3 6.1.6 NAT Application ...[...]

  • Page 12

    P312 Broadband Security Gateway xii Table Of Contents 9.1 System Status ... 9-2 9.2 System Information and Console Port Speed ... 9-4 9.2.1 System [...]

  • Page 13

    P312 Broadband Security Gateway Table Of Contents xiii 12.2 Telnet Under NAT ... 12-1 12.3 Telnet Capabilities ... 12-[...]

  • Page 14

    P312 Broadband Security Gateway xiv Table Of Contents 15.3 E-Mail ... 15-3 15.3.1 What are Alerts? ... 15[...]

  • Page 15

    P312 Broadband Security Gateway Table Of Contents xv 20.1 Restrict Web Features ... 20-1 20.1.1 ActiveX ... 20-1 20[...]

  • Page 16

    P312 Broadband Security Gateway xvi List Of Figures List of Figures Figure 1-1 Secure Internet Access via Cable ... 1-3 Figure 1-2 Secure Internet Access via DSL ...[...]

  • Page 17

    P312 Broadband Security Gateway List Of Figures xvii Figure 4-5 Remote Node Network Layer Options ... 4-8 Figure 4-6 Remote Node Filter (Ethernet Encapsulation) ... 4-10 Figure 4-7 Remote Node Fil[...]

  • Page 18

    P312 Broadband Security Gateway xviii List Of Figures Figure 6-22 Example 4 - Menu 15.1.1.1 - Address Mapping Rule ... 6-20 Figure 6-23 Example 4 - Menu 15.1.1 - Address Mapping Rules ... 6-20 Figure 7-1 Outgoing Packet Filtering P[...]

  • Page 19

    P312 Broadband Security Gateway List Of Figures xix Figure 9-9 Call-Triggering Packet Example ... 9-10 Figure 9-10 Menu 24.4 - System Maintenance - Diagnostic ... 9-11 Figure 9-11 WAN &[...]

  • Page 20

    P312 Broadband Security Gateway xx List Of Figures Figure 14-2 Menu 21 - Filter and Firewall Setup ... 14-1 Figure 14-3 Menu 21.2 – Firewall Setup ... 14-2 Figure 1[...]

  • Page 21

    P312 Broadband Security Gateway List Of Figures xxi Figure 19-9 Example 2 - Local Network Rule Summary ... 19-10 Figure 19-10 Example 2 - Internet to Local Network Rule Summary ... 19-11 Figure 19-11 Custom Port for Syslog ...[...]

  • Page 22

    [...]

  • Page 23

    P312 Broadband Security Gateway List of Tables xxiii List Of Tables Table 2-1 LED functions ... 2-1 Table 2-2 Main Menu Commands ...[...]

  • Page 24

    P312 Broadband Security Gateway xxiv List of Tables Table 7-2 Abbreviations Used If Filter Type Is IP ... 7-7 Table 7-3 Abbreviations Used If Filter Type Is GEN ... 7-7 Table 7-4 TCP/I[...]

  • Page 25

    P312 Broadband Security Gateway List of Tables xxv Table 16-5 Timeout Menu ... 16-14 Table 17-1 Custom Ports ...[...]

  • Page 26

    [...]

  • Page 27

    P312 Broadband Security Gateway Preface xxvii Preface About Your Router Congratulations on your purchase of the Prestige 312 Broadband Security Gateway. Don’t forget to register your Prestige (fast, easy online registration at www.zyxel.com) for free future product updates and information. The Prestige 312 is a dual Ethernet[...]

  • Page 28

    P312 Broadband Security Gateway xxviii Preface Regardless of your particular application, it is important that you follow the steps outlined in Chapters 1-2 to connect your Prestige to your LAN. You can then refer to the appropriate chapters of the manual, depending on your applications. Related Documentation " Supporting CD More de[...]

  • Page 29

    Getting Started I Part I: Getting Started Chapters 1-3 are structured as a step-by-step guide to help you connect, install and setup your Prestige to operate on your network and access the Internet.[...]

  • Page 30

    [...]

  • Page 31

    P312 Broadband Security Gateway Getting to Know Your Prestige 1-1 Chapter 1 Getting to Know Your Prestige This chapter introduces the main features and applications of the Prestige. 1.1 The Prestige 312 Broadband Security Gateway The Prestige 312 is a dual Ethernet Broadband Security Gateway integrated with a robust firewall and[...]

  • Page 32

    P312 Broadband Security Gateway 1-2 Getting to Know Your Prestige Dynamic DNS Support With Dynamic DNS support, you can have a static hostname alias for a dynamic IP address, allowing the host to be more easily accessible from various locations on the Internet. You must register for this service with a Dynamic DNS client to use th[...]

  • Page 33

    P312 Broadband Security Gateway Getting to Know Your Prestige 1-3 not choose a time service protocol that your timeserver will send when the Prestige powers up you can enter the time manually but each time the system is booted, the time & date will be reset to 1/1/1970 0:0:0. Logging and Tracing The Prestige has the following feat[...]

  • Page 34

    P312 Broadband Security Gateway 1-4 Getting to Know Your Prestige Figure 1-2 Secure Internet Access via DSL You can also use your xDSL modem in the bridge mode for always-on Internet access and high speed data transfer.[...]

  • Page 35

    P312 Broadband Security Gateway Hardware Installation & Initial Setup 2-1 Chapter 2 Hardware Installation & Initial Setup This chapter shows you how to connect the hardware and perform the initial setup. 2.1 Front Panel LEDs and Back Panel Ports 2.1.1 Front Panel LEDs The LEDs on the front panel indicate the operational stat[...]

  • Page 36

    P312 Broadband Security Gateway 2-2 Hardware Installation & Initial Setup LEDs Function Indicator Status Active Description Flashing The 100M LAN is sending/receiving packets. Off The WAN Link is not ready, or has failed. On The WAN Link is ok. WAN WAN Green Flashing The 10M WAN link is sending/receiving packets. 2.2 Prestig[...]

  • Page 37

    P312 Broadband Security Gateway Hardware Installation & Initial Setup 2-3 connector on the back of the cable modem. Connect an xDSL Modem to the xDSL Wall Jack. Please also see Appendix C for important safety instructions on making connections to the Prestige. Step 1. Connecting the Console Port For the initial configuration of[...]

  • Page 38

    P312 Broadband Security Gateway 2-4 Hardware Installation & Initial Setup ♦ 9600 Baud. ♦ No parity, 8 Data bits, 1 Stop bit, Flow Control set to None. 3. A cable/xDSL modem and an ISP account. After the Prestige is properly set up, you can make future changes to the configuration through telnet connections. 2.4 Housing You[...]

  • Page 39

    P312 Broadband Security Gateway Hardware Installation & Initial Setup 2-5 Figure 2-4 Password Screen 2.6 Navigating the SMT Interface The SMT (System Management Terminal) is the interface that you use to configure your Prestige. Several operations that you should be familiar with before you attempt to modify the configuration are [...]

  • Page 40

    P312 Broadband Security Gateway 2-6 Hardware Installation & Initial Setup 2.6.1 Main Menu After you enter the password, the SMT displays the Prestige 312 Main Menu, as shown below. Figure 2-5 Prestige 312 Main Menu 2.6.2 System Management Terminal Interface Summary Table 2-3 Main Menu Summary # Menu Title Description 1 General[...]

  • Page 41

    P312 Broadband Security Gateway Hardware Installation & Initial Setup 2-7 99 Exit To exit from SMT and return to a blank screen. 2.7 Changing the System Password The first thing you should do before anything else is to change the default system password by following the steps below. Step 1. Enter 23 in the Main Menu to ope[...]

  • Page 42

    P312 Broadband Security Gateway 2-8 Hardware Installation & Initial Setup 2.8 General Setup Menu 1 - General Setup contains administrative and system-related information. The fields for General Setup are as shown next. System Name is for identification purposes. However, because some ISPs check this name you should enter your PC’[...]

  • Page 43

    P312 Broadband Security Gateway Hardware Installation & Initial Setup 2-9 Table 2-4 General Setup Menu Field Field Description Example System Name Choose a descriptive name for identification purposes. It is recommended you enter your computer’s “Computer name” in this field. This name can be up to 30 alphanumeric ch[...]

  • Page 44

    P312 Broadband Security Gateway 2-10 Hardware Installation & Initial Setup Table 2-5 Configure Dynamic DNS Menu Fields Field Description Example Service Provider Enter the name of your Dynamic DNS client. www.ddns.org Active Press [SPACE BAR] to toggle between Yes or No. Yes Host Enter the domain name assigned to your Prestige by[...]

  • Page 45

    P312 Broadband Security Gateway Hardware Installation & Initial Setup 2-11 Figure 2-9 Menu 2 – WAN Setup The MAC address field allows users to configure the WAN port's MAC Address by either using the factory default or cloning the MAC address from a workstation on your LAN. Once it is successfully configured, the addre[...]

  • Page 46

    P312 Broadband Security Gateway 2-12 Hardware Installation & Initial Setup Figure 2-10 Menu 3 - LAN Setup 2.10.1 LAN Port Filter Setup This menu allows you to specify the filter sets that you wish to apply to the LAN traffic. You seldom need to filter the LAN traffic, however, the filter sets may be useful to block certain packets,[...]

  • Page 47

    P312 Broadband Security Gateway Internet Access 3-1 Chapter 3 Internet Access This chapter shows you how to configure the LAN as well as the WAN of your Prestige for Internet access. 3.1 TCP/IP and DHCP for LAN The Prestige has built-in DHCP server capability that assigns IP addresses and DNS servers to systems that support DHCP cl[...]

  • Page 48

    P312 Broadband Security Gateway 3-2 Internet Access The subnet mask specifies the network number portion of an IP address. Your Prestige will compute the subnet mask automatically based on the IP address that you entered. You don’t need to change the subnet mask computed by the Prestige unless you are instructed to do otherwise. 3.1.3 Pr[...]

  • Page 49

    P312 Broadband Security Gateway Internet Access 3-3 3.1.5 DHCP Configuration DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows the individual clients (workstations) to obtain the TCP/IP configuration at start-up from a server. You can configure the Prestige as a DHCP server or disable it. Whe[...]

  • Page 50

    P312 Broadband Security Gateway 3-4 Internet Access The address 224.0.0.1 is used for query messages and is assigned to the permanent group of all IP hosts (including gateways). All hosts must join the 224.0.0.1 group in order to participate in IGMP. The address 224.0.0.2 is assigned to the multicast routers group. The Prestige[...]

  • Page 51

    P312 Broadband Security Gateway Internet Access 3-5 Figure 3-3 Menu 3 - LAN Setup (10/100 Mbps Ethernet) To edit the TCP/IP and DHCP configuration, enter 2 to open Menu 3.2 - TCP/IP and DHCP Ethernet Setup as shown next. Figure 3-4 Menu 3.2 – TCP/IP and DHCP Ethernet Setup Menu 3 – LAN Setup 1. LAN Port Filter Setup 2. TCP/IP and DHCP [...]

  • Page 52

    P312 Broadband Security Gateway 3-6 Internet Access Follow the instructions in the following table on how to configure the DHCP fields. Table 3-1 LAN DHCP Setup Menu Fields Field Description Example DHCP= This field enables/disables the DHCP server. If it is set to Server, your Prestige will act as a DHCP server. If set to None, DHCP s[...]

  • Page 53

    P312 Broadband Security Gateway Internet Access 3-7 Field Description Example Edit IP Alias The Prestige supports three logical LAN interfaces via its single physical Ethernet interface with the Prestige itself as the gateway for each LAN network. Press the space bar to toggle No to Yes, then press [ENTER] to bring you to menu 3.2.1[...]

  • Page 54

    P312 Broadband Security Gateway 3-8 Internet Access RIP Direction Press the space bar to select the RIP direction from None, Both/In Only/Out Only. None Version Press the space bar to select the RIP version from RIP-1/RIP-2B/RIP-2M. RIP-1 Incoming Protocol Filters Enter the filter set(s) you wish to apply to the incoming traffic b[...]

  • Page 55

    P312 Broadband Security Gateway Internet Access 3-9 The following table describes this screen. Table 3-4 Internet Access Setup Menu Fields Field Description ISP’s Name Enter the name of your Internet Service Provider, e.g., myISP. This information is for identification purposes only. Encapsulation Press the [SPACE BAR] and then press [...]

  • Page 56

    P312 Broadband Security Gateway 3-10 Internet Access 3.3.3 Configuring the PPTP Client To configure a PPTP client, you must configure the My Login and Password fields for a PPP connection and the PPTP parameters for a PPTP connection. After configuring the User Name and Password for PPP connection, press [SPACE BAR] in the[...]

  • Page 57

    P312 Broadband Security Gateway Internet Access 3-11 For the service provider, PPPoE offers an access and authentication method that works with existing access control systems (e.g., Radius). For the user, PPPoE provides a login & authentication method that the existing Microsoft Dial-Up Networking software can activate, and there[...]

  • Page 58

    P312 Broadband Security Gateway 3-12 Internet Access Table 3-6 New Fields in Menu 4 (PPPoE) screen Field Description Examples Encapsulation Press the [SPACE BAR] and then press [ENTER] to choose PPPoE. The encapsulation method influences your choices for IP Address. PPPoE Service Name Enter the PPPoE service name provided to you. PPPoE [...]

  • Page 59

    Advanced Applications II Part II: Advanced Applications Advanced Applications (Chapters 4-6) describe the advanced applications of your Prestige, such as Remote Node Setup, IP Static routes and NAT.[...]

  • Page 60

    P312 Broadband Security Gateway Remote Node Setup 4-1 Chapter 4 Remote Node Setup This chapter shows you how to configure a remote node. A remote node is required for placing calls to a remote gateway. A remote node represents both the remote gateway and the network behind it across a WAN connection. Note that when you use Me[...]

  • Page 61

    P312 Broadband Security Gateway 4-2 Remote Node Setup Table 4-1 Fields in Menu 11.1 Field Description Examples Rem Node Name Enter a descriptive name for the remote node. This field can be up to eight characters. LAoffice Active Press the [SPACE BAR] to toggle between Yes and No and activate (deactivate) the remote node. Yes Encapsulati[...]

  • Page 62

    P312 Broadband Security Gateway Remote Node Setup 4-3 4.1.2 PPPoE Encapsulation The Prestige supports PPPoE (Point-to-Point Protocol over Ethernet). You can only use PPPoE encapsulation when you’re using the Prestige with an xDSL modem as the WAN device. If you change the Encapsulation to PPPoE, then you will see the next screen.[...]

  • Page 63

    P312 Broadband Security Gateway 4-4 Remote Node Setup Table 4-2 Fields in Menu 11.1 (PPPoE Encapsulation Specific) Field Description Examples Authen This field sets the authentication protocol used for outgoing calls. Options for this field are: CHAP/PAP - Your Prestige will accept either CHAP or PAP when requested by this remote no[...]

  • Page 64

    P312 Broadband Security Gateway Remote Node Setup 4-5 Figure 4-3 Remote Node Profile for PPTP Encapsulation The next table shows how to configure fields in Menu 11.1 not previously discussed above. Table 4-3 Fields in Menu 11.1 (PPTP Encapsulation) Field Description Examples Encapsulation Toggle the space bar to choose PPTP. Yo[...]

  • Page 65

    P312 Broadband Security Gateway 4-6 Remote Node Setup 4.2 Editing TCP/IP Options (with Ethernet Encapsulation) Move the cursor to the Edit IP field in Menu 11.1, then press the [SPACE BAR] to toggle and set the value to Yes. Press [Enter] to open Menu 11.3 - Network Layer Options. Figure 4-4 Remote Node Network Layer Options The ne[...]

  • Page 66

    P312 Broadband Security Gateway Remote Node Setup 4-7 Field Description Example between 1 and 15. In practice, 2 or 3 is usually a good number. Private This field is valid only for PPTP/PPPoE encapsulation. This parameter determines if the Prestige will include the route to this remote node in its RIP broadcasts. If set to [...]

  • Page 67

    P312 Broadband Security Gateway 4-8 Remote Node Setup Figure 4-5 Remote Node Network Layer Options The next table gives you instructions about configuring remote node network layer options. Table 4-5 Remote Node Network Layer Options Menu Fields Field Description Example IP Address Assignment If your ISP did not assign you [...]

  • Page 68

    P312 Broadband Security Gateway Remote Node Setup 4-9 between 1 and 15. In practice, 2 or 3 is usually a good number. Private This parameter determines if the Prestige will include the route to this remote node in its RIP broadcasts. If set to Yes, this route is kept private and not included in RIP broadcast. If No, the route to t[...]

  • Page 69

    P312 Broadband Security Gateway 4-10 Remote Node Setup Figure 4-6 Remote Node Filter (Ethernet Encapsulation) Figure 4-7 Remote Node Filter (PPPoE or PPTP Encapsulation) Menu 11.5 - Remote Node Filter Input Filter Sets: protocol filters= 3 device filters= Output Filter Sets: protocol filters= 1 device filters= Enter here to CONFIRM or ESC to C[...]

  • Page 70

    P312 Broadband Security Gateway IP Static Route Setup 5-1 Chapter 5 IP Static Route Setup This chapter shows you how to configure static routes with your Prestige. Static routes tell the Prestige routing information that it cannot learn automatically through other means. This can arise in cases where RIP is disabled on the LAN. Each remote[...]

  • Page 71

    P312 Broadband Security Gateway 5-2 IP Static Route Setup 5.1 IP Static Route Setup You configure IP static routes in Menu 12.1, by selecting one of the IP static routes as shown below. Enter 12 from the Main Menu. Figure 5-2 Menu 12 - IP Static Route Setup Now, enter the index number of one of the static routes you want t[...]

  • Page 72

    P312 Broadband Security Gateway IP Static Route Setup 5-3 Table 5-1 IP Static Route Menu Fields Field Description Route # This is the index number of the static route that you chose in Menu 12. Route Name Enter a descriptive name for this route. This is for identification purposes only. Active This field allows you to activate/deacti[...]

  • Page 73

    [...]

  • Page 74

    P312 Broadband Security Gateway NAT 6-1 Chapter 6 Network Address Translation (NAT) This chapter discusses how to configure NAT on the Prestige. 6.1 Introduction NAT (Network Address Translation - NAT, RFC 1631) is the translation of the IP address of a host in a packet, e.g., the source address of an outgoing packet, used within on[...]

  • Page 75

    P312 Broadband Security Gateway 6-2 NAT them accessible to the outside world. If you do not define any servers (for Many-to-One and Many-to-Many Overload mapping – see below), NAT offers the additional benefit of firewall protection. If no server is defined in these cases, all incoming inquiries will be filtered out by your Pres[...]

  • Page 76

    P312 Broadband Security Gateway NAT 6-3 2. Many to One: In Many-to-One mode, the Prestige maps multiple local IP addresses to one global IP address. This is equivalent to SUA (i.e., PAT, port address translation), ZyXEL’s Single User Account feature that previous ZyXEL routers supported (the SUA Only option in today’s routers). 3. Ma[...]

  • Page 77

    P312 Broadband Security Gateway 6-4 NAT remote node basis. They are reusable, but only one set is allowed for each remote node. The Prestige supports 2 sets since there is only one remote node. The second set (SUA Only option in Menu 15.1) is a convenient, pre-configured, read only Many-to-1 port mapping set, sufficient for most[...]

  • Page 78

    P312 Broadband Security Gateway NAT 6-5 Figure 6-3 Applying NAT for Internet Access This figure shows how you apply NAT to the remote node in Menu 11.1. Step 1. Enter 11 from the Main Menu. Step 2. Move the cursor to the Edit IP field, press the [SPACEBAR] to toggle the default No to Yes, then press [ENTER] to bring up Menu 11.3 - Re[...]

  • Page 79

    P312 Broadband Security Gateway 6-6 NAT Table 6-3 Applying NAT in Menus 4 & 11.3 Field Options Description Full Feature When you select this option the SMT will use Address Mapping Set 1 (Menu 15.1 – see section 6.2.3 for further discussion). You can configure any of the 5 mapping types described in Table 6-2. None NAT i[...]

  • Page 80

    P312 Broadband Security Gateway NAT 6-7 Figure 6-6 Menu 15.1 Address Mapping Sets Let’s look first at Option 255. Option 255 is equivalent to SUA in previous ZyXEL routers (see section 6.1.4). The fields in this menu cannot be changed. Entering 255 brings up this screen. Figure 6-7 SUA Address Mapping Rules The following table [...]

  • Page 81

    P312 Broadband Security Gateway 6-8 NAT Table 6-4 SUA Address Mapping Rules Field Description Options/Example Set Name This is the name of the set you selected in Menu 15.1 or enter the name of a new set you want to create. SUA Idx This is the index or rule number. 1 Local Start IP Local End IP Local Start IP is the starting local I[...]

  • Page 82

    P312 Broadband Security Gateway NAT 6-9 Figure 6-8 First Set in Menu 15.1.1 The Type, Local and Global Start/End IPs are configured in Menu 15.1.1.1 (described later) and the values are displayed here. Ordering Your Rules Ordering your rules is important because the Prestige applies the rules in the order that you specify. When [...]

  • Page 83

    P312 Broadband Security Gateway 6-10 NAT moved down by one rule. Delete means to delete the selected rule and then all the rules after the selected one will be advanced one rule. Save Set means to save the whole set (note when you choose this action, the Select Rule item will be disabled). Select Rule When you choose Edit, Inser [...]

  • Page 84

    P312 Broadband Security Gateway NAT 6-11 Field Description Option/Example examples. and Server Local IP Only local IP fields are N/A for server; Global IP fields MUST be set for Server. Start This is the starting local IP address (ILA). 0.0.0.0 End This is the ending local IP address (ILA). If the rule is for all local IPs, then [...]

  • Page 85

    P312 Broadband Security Gateway 6-12 NAT Figure 6-10 Multiple Servers Behind NAT 6.3.2 Configuring a Server behind NAT Follow the steps below to configure a server behind NAT: Step 1. Enter 15 in the main menu to go to Menu 15 – NAT Setup. Step 2. Enter 2 to go to Menu 15.2 - NAT Server Setup. Step 3. Enter the service port number in [...]

  • Page 86

    P312 Broadband Security Gateway NAT 6-13 Figure 6-11 Menu 15.2 – NAT Server Setup Table 6-7 Services & Port numbers Services Port Number FTP (File Transfer Protocol) 21 Telnet 23 SMTP (Simple Mail Transfer Protocol) 25 DNS (Domain Name System) 53 HTTP (Hyper Text Transfer protocol or WWW, Web) 80 PPTP (Point-to-Point Tu[...]

  • Page 87

    P312 Broadband Security Gateway 6-14 NAT Figure 6-12 NAT Example 1 Figure 6-13 Internet Access & NAT Example From Menu 4 shown above, simply choose the SUA Only option from the Network Address Translation field. This is the Many-to-One mapping discussed in section 6.1.4. The SUA Only read only option from the Network Address Tr[...]

  • Page 88

    P312 Broadband Security Gateway NAT 6-15 6.4.2 Example 2 – Internet Access with an Inside Server Figure 6-14 NAT Example 2 In this case, we do exactly as above (use the convenient pre-configured SUA Only set) and also go to Menu 15.2 to specify the Inside Server behind the NAT as shown in the next figure. Figure 6-15 Specifying [...]

  • Page 89

    P312 Broadband Security Gateway 6-16 NAT server and the other IGA is used by all. We want to map the FTP servers to the first two of our IGAs and the other LAN traffic to the remaining IGA. We also want to map our third IGA to an inside web server and mail server. We need to configure 4 rules, 2 bi-directional and 2 one directional as[...]

  • Page 90

    P312 Broadband Security Gateway NAT 6-17 Step 5. Select Type = as One-to-One (direct mapping for packets going both ways), and enter the local Start IP as 192.168.1.10 (the IP address of FTP Server 1), the global Start IP as 10.132.50.1 (our first IGA). (See Figure 6-18) Step 6. Repeat the previous step for rules 2 to 4 as outlined ab[...]

  • Page 91

    P312 Broadband Security Gateway 6-18 NAT When we have configured all four rules, Menu 15.1.1 should look as follows. Figure 6-19 Example 3 Final Menu 15.1.1 Now we configure our IGA3 to map to our web server and mail server on the LAN. Step 8. Enter 15 from the Main Menu. Step 9. Now enter 2 from this menu and configure it as [...]

  • Page 92

    P312 Broadband Security Gateway NAT 6-19 6.4.4 Example 4 – NAT Unfriendly Application Programs Some applications do not support NAT Mapping using TCP or UDP port address translation. In this case it is better to use Many-to-Many No Overload mapping as port numbers do not change for Many-to-Many No Overload (and One-to-One) NAT m[...]

  • Page 93

    P312 Broadband Security Gateway 6-20 NAT Figure 6-22 Example 4 - Menu 15.1.1.1 - Address Mapping Rule After you’ve configured this menu, you should see the following screen. Figure 6-23 Example 4 - Menu 15.1.1 - Address Mapping Rules Menu 15.1.1.1 Address Mapping Rule Type= Many-to-Many No Overload Local IP: Start= 192.168.1.10 End = 1[...]

  • Page 94

    Advanced Management III Part III: Advanced Management Chapters 7 - 12 provide information on Prestige filtering, System Information and Diagnosis, Transferring Files and Telnet.[...]

  • Page 95

    [...]

  • Page 96

    P312 Broadband Security Gateway Filters 7-1 Chapter 7 Filter Configuration This chapter shows you how to create and apply filter(s). 7.1 About Filtering Your Prestige uses filters to decide whether to allow passage of a data packet and/or to make a call. There are two types of filter applications: data filtering and call filtering. Filters [...]

  • Page 97

    P312 Broadband Security Gateway 7-2 Filters 7.1.1 The Filter Structure of the Prestige A filter set consists of one or more filter rules. Usually, you would group related rules, e.g., all the rules for NetBIOS, into a single set and give it a descriptive name. The Prestige allows you to configure up to twelve filter sets with six rules in [...]

  • Page 98

    P312 Broadband Security Gateway Filters 7-3 Start Fetch First Filter Set Fetch First Filter Rule Active? Execute Filter Rule Fetch Next Filter Rule Next filter Rule Available? Fetch Next Filter Set Next Filter Set Available? Accept Packet Drop Packet Yes No Yes No Yes Packet into filter Filter Set Forward Drop No Check Next Rule Figure 7-2 Filte[...]

  • Page 99

    P312 Broadband Security Gateway 7-4 Filters 7.2 Configuring a Filter Set To configure a filter set, follow the procedure below. For more information on Menus 21.2 and 21.3, please see Part 4. Step 1. Select option 21. Filter Set Configuration from the Main Menu to open Menu 21. Figure 7-4 Menu 21 – Filter and Firewall Setup[...]

  • Page 100

    P312 Broadband Security Gateway Filters 7-5 Figure 7-6 NetBIOS_WAN Filter Rules Summary Figure 7-7 NetBIOS_LAN Filter Rules Summary Figure 7-8 TEL_FTP_WEB_WAN Filter Rules Summary Menu 21.1.1 - Filter Rules Summary # A Type Filter Rules M m n - - ---- -------------------------------------------- --------- - - - 1 Y IP Pr=6, SA=0.0.0.0, D[...]

  • Page 101

    P312 Broadband Security Gateway 7-6 Filters 7.2.1 Filter Rules Summary Menu This screen shows the summary of the existing rules in the filter set. The following tables contain a brief description of the abbreviations used in the previous menus. Table 7-1 Abbreviations Used in the Filter Rules Summary Menu Abbreviations Description Di[...]

  • Page 102

    P312 Broadband Security Gateway Filters 7-7 The protocol dependent filter rules abbreviations are listed as follows: • If the filter type is IP, the following abbreviations listed in the following table will be used. Table 7-2 Abbreviations Used If Filter Type Is IP Abbreviation Description Pr Protocol SA Source Address SP Source Port number D[...]

  • Page 103

    P312 Broadband Security Gateway 7-8 Filters Figure 7-9 Menu 21.1.1.1 - TCP/IP Filter Rule The following table describes how to configure your TCP/IP filter rule. Table 7-4 TCP/IP Filter Rule Menu Fields Field Description Option Active This field activates/deactivates the filter rule. Yes/No IP Protocol Protocol refers to the upper layer [...]

  • Page 104

    P312 Broadband Security Gateway Filters 7-9 Field Description Option don’t-care if it is 0. Destination: Port # Comp Select the comparison to apply to the destination port in the packet against the value given in Destination: Port #. None/Less/Greater/Equal/Not Equal] Source: IP Address Enter the source IP Address of the packet you w[...]

  • Page 105

    P312 Broadband Security Gateway 7-10 Filters Field Description Option Once you have completed filling in Menu 21.1.1.1 - TCP/IP Filter Rule, press [Enter] at the message [Press Enter to Confirm] to save your configuration, or press [Esc] to cancel. This data will now be displayed on Menu 21.1.1 - Filter Rules Summary. The following[...]

  • Page 106

    P312 Broadband Security Gateway Filters 7-11 Packet into IP Filter Matched Matched Yes Action Matched Action Not Matched More? No Filter Active? Check IP Protocol Drop Drop Packet Accept Packet Drop Forward Check Next Rule Check Next Rule Check Next Rule Forward Not Matched Yes No Check Src IP Addr Apply SrcAddrMask to Src Addr Matched Check De[...]

  • Page 107

    P312 Broadband Security Gateway 7-12 Filters 7.2.4 Generic Filter Rule This section shows you how to configure a generic filter rule. The purpose of generic rules is to allow you to filter non-IP packets. For IP, it is generally easier to use the IP rules directly. For generic rules, the Prestige treats a packet as a byte stream as opposed [...]

  • Page 108

    P312 Broadband Security Gateway Filters 7-13 The following table describes the fields in the Generic Filter Rule Menu. Table 7-5 Generic Filter Rule Menu Fields Field Description Option Filter # This is the filter set, filter rule co-ordinates, i.e., 2,3 refers to the second filter set and the third rule of that set. Filter Type Use the [SP[...]

  • Page 109

    P312 Broadband Security Gateway 7-14 Filters Drop Once you have completed filling in Menu 21.4.1.1 - Generic Filter Rule, press [Enter] at the message [Press Enter to Confirm] to save your configuration, or press [Esc] to cancel. This data will now be displayed on Menu 21.1.1 - Filter Rules Summary. 7.3 Example Filter Let’s look[...]

  • Page 110

    P312 Broadband Security Gateway Filters 7-15 Figure 7-13 Example Filter – Menu 21.1.1.1 When you press [Enter] to confirm, you will see the following screen. Note that there is only one filter rule in this set. Menu 21.1.1 - TCP/IP Filter Rule Filter #: 3,1 Filter Type= TCP/IP Filter Rule Active= Yes IP Protocol= 6 IP Source Route= No D[...]

  • Page 111

    P312 Broadband Security Gateway 7-16 Filters Figure 7-14 Example Filter Rules Summary – Menu 21.1.3 After you’ve created the filter set, you must apply it. Step 1. Enter 11 from the main menu to go to Menu 11. Step 2. Go to the Edit Filter Sets field, press the [SPACEBAR] to toggle Yes to No and press [ENTER]. Step 3. This brings[...]

  • Page 112

    P312 Broadband Security Gateway Filters 7-17 packets and after NAT for incoming packets. On the other hand, the generic, or device filters are applied to the raw packets that appear on the wire. They are applied at the point when the Prestige is receiving and sending the packets; i.e. the interface. The interface can be an Ethernet port or an[...]

  • Page 113

    P312 Broadband Security Gateway 7-18 Filters Figure 7-16 Filtering LAN Traffic 7.6.2 Remote Node Filters Go to Menu 11.5 (shown below – note that call filter sets are only present for PPPoE encapsulation) and enter the number(s) of the filter set(s) as appropriate. You can cascade up to four filter sets by entering their numbers separated b [...]

  • Page 114

    P312 Broadband Security Gateway SNMP 8-1 Chapter 8 SNMP Configuration This chapter discusses SNMP (Simple Network Management Protocol) for network management and monitoring. 8.1 About SNMP Your Prestige supports SNMP agent functionality, which allows a manager station to manage and monitor the Prestige through the network. Keep i[...]

  • Page 115

    P312 Broadband Security Gateway 8-2 SNMP The following table describes the SNMP configuration parameters. Table 8-1 SNMP Configuration Menu Fields Field Description Default Get Community Enter the get community, which is the password for the incoming Get- and GetNext- requests from the management station. public Set Community Enter the[...]

  • Page 116

    P312 Broadband Security Gateway System Information & Diagnosis 9-1 Chapter 9 System Information & Diagnosis This chapter talks you through SMT Menus 24.1 to 24.4. This chapter covers the diagnostic tools that help you to maintain your Prestige. These tools include updates on system status, port status, log and trace capabi[...]

  • Page 117

    P312 Broadband Security Gateway 9-2 System Information & Diagnosis 9.1 System Status The first selection, System Status, gives you information on the version of your system firmware and the status and statistics of the ports, as shown in the figure below. System Status is a tool that can be used to monitor your Pre[...]

  • Page 118

    P312 Broadband Security Gateway System Information & Diagnosis 9-3 The following table describes the fields present in Menu 24.1 - System Maintenance - Status. Table 9-1 System Maintenance - Status Menu Fields Field Description Port The WAN or LAN port. Status Shows the port speed and duplex setting if you’re using Ethernet E[...]

  • Page 119

    P312 Broadband Security Gateway 9-4 System Information & Diagnosis 9.2 System Information and Console Port Speed This section describes your system and allows you to choose different console port speeds. To get to the System Information and Console Port Speed: Step 1. Enter 24 to go to Menu 24 – System Maintenance. S[...]

  • Page 120

    P312 Broadband Security Gateway System Information & Diagnosis 9-5 Table 9-2 Fields in System Maintenance Field Description Name This is the Prestige's system name + domain name assigned in Menu 1. E.G., System Name= xxx; Domain Name= baboo.mickey.com Name= xxx.baboo.mickey.com Routing Refers to the routing protocol used[...]

  • Page 121

    P312 Broadband Security Gateway 9-6 System Information & Diagnosis 9.3.1 Viewing Error Log The first place you should look for clues when something goes wrong is the error/trace log. Follow the procedure below to view the local error/trace log: Step 1. Select option 24 from the Main Menu to open Menu 24 - System Maintenance. Step 2. [...]

  • Page 122

    P312 Broadband Security Gateway System Information & Diagnosis 9-7 Figure 9-8 Menu 24.3.2 - System Maintenance – UNIX Syslog You need to configure the UNIX syslog parameters described in the following table to activate syslog then choose what you want to log. Table 9-3 System Maintenance Menu Syslog Parameters Parameter[...]

  • Page 123

    P312 Broadband Security Gateway 9-8 System Information & Diagnosis 1. CDR CDR Message Format SdcmdSyslogSend( SYSLOG_CDR, SYSLOG_INFO, String ); String = board xx line xx channel xx, call xx, str board = the hardware board ID line = the WAN ID in a board Channel = channel ID within the WAN call = the call reference number which start [...]

  • Page 124

    P312 Broadband Security Gateway System Information & Diagnosis 9-9 Mar 03 10:39:43 202.132.155.97 ZyXEL: GEN[fffffffffffnordff0080] }S05>R01mF Mar 03 10:41:29 202.132.155.97 ZyXEL: GEN[00a0c5f502fnord010080] }S05>R01mF Mar 03 10:41:34 202.132.155.97 ZyXEL: IP[Src=192.168.2.33 Dst=202.132.155.93 ICMP]}S04>R01mF Mar 03 11:59:20 202[...]

  • Page 125

    P312 Broadband Security Gateway 9-10 System Information & Diagnosis 9.3.3 Call-Triggering Packet Call-Triggering Packet displays information about the packet that triggered a dial-out call in an easy readable format. Equivalent information is available in Menu 24.1 in hex format. An example is shown next. Figure 9-9 Call-Trigge[...]

  • Page 126

    P312 Broadband Security Gateway System Information & Diagnosis 9-11 Figure 9-10 Menu 24.4 - System Maintenance - Diagnostic Follow the procedure below to get to Menu 24.4 - System Maintenance – Diagnostic. Step 1. From the Main Menu, select option 24 to open Menu 24 - System Maintenance. Step 2. From this menu, select o[...]

  • Page 127

    P312 Broadband Security Gateway 9-12 System Information & Diagnosis Figure 9-11 WAN & LAN DHCP The following table describes the diagnostic tests available in Menu 24.4 for your Prestige and the connections. Table 9-4 System Maintenance Menu Diagnostic Number Field Description 1 Ping Host Enter 1 to ping any machine (with a [...]

  • Page 128

    P312 Broadband Security Gateway Transferring Files 10-1 Chapter 10 Transferring Files This chapter tells you how to back up and restore your configuration file as well as upload new firmware and a new configuration file. 10.1 Filename conventions The configuration file (often called the romfile or rom-0) contains the factory defau[...]

  • Page 129

    P312 Broadband Security Gateway 10-2 Transferring Files Table 10-1 Filename Conventions File Type Internal Name External Name Description AT Command Configuration File Rom-0 *.rom This is the router configuration filename on the Prestige. Uploading the rom-0 file replaces the entire ROM file system, including your Prestige configurat[...]

  • Page 130

    P312 Broadband Security Gateway Transferring Files 10-3 10.3 Restore Configuration Menu 24.6 -- System Maintenance - Restore Configuration allows you to restore the configuration via the console port. FTP and TFTP are the preferred methods for restoring your current workstation configuration to your Prestige since FTP and TFTP are fas[...]

  • Page 131

    P312 Broadband Security Gateway 10-4 Transferring Files Step 4. After successful firmware upload, enter atgo to restart the Prestige. Figure 10-4 Menu 24.7.1 - System Maintenance - Upload Router Firmware 10.4.2 Uploading Router Configuration File The configuration data, system-related data, the error log and the trace log are all stored [...]

  • Page 132

    P312 Broadband Security Gateway Transferring Files 10-5 Figure 10-5 Menu 24.7.2 - System Maintenance - Upload Router Configuration File 10.5 TFTP File Transfer In addition to the direct console port connection, the Prestige supports the up/downloading of the firmware and the configuration file using TFTP (Trivial File Transfer Prot[...]

  • Page 133

    P312 Broadband Security Gateway 10-6 Transferring Files Note: If you upload the firmware to the Prestige, it will reboot automatically when the file transfer is completed (the SYS LED will flash). Note that the telnet connection must be active and the SMT in CI mode before and during the TFTP transfer. For details on TFTP commands (se[...]

  • Page 134

    P312 Broadband Security Gateway Transferring Files 10-7 10.6 FTP File Transfer In addition to uploading the firmware and configuration via the console port and TFTP client, you can also upload the Prestige firmware and configuration files using FTP. To use this feature, your workstation must have an FTP client. When you telnet into t[...]

  • Page 135

    P312 Broadband Security Gateway 10-8 Transferring Files Figure 10-7 Telnet into Menu 24.7.2 - System Maintenance To transfer the firmware and the configuration file, follow these examples: 10.6.1 Using the FTP command from the DOS Prompt Step 1. Launch the FTP client on your workstation. Step 2. Type open and the IP address of yo [...]

  • Page 136

    P312 Broadband Security Gateway Transferring Files 10-9 Figure 10-8 FTP Session Example The system reboots after a successful upload. The following table describes some of the fields that you may see in third party FTP clients. Table 10-3 Third Party FTP Clients – General fields Host Address Enter the address of the ho[...]

  • Page 137

    [...]

  • Page 138

    P312 Broadband Security Gateway System Maintenance & Information 11-1 Chapter 11 System Maintenance & Information This chapter leads you through SMT menus 24.8 to 24.11. 11.1 Command Interpreter Mode The Command Interpreter (CI) is a part of the main router firmware. The CI provides much of the same functionality as the S[...]

  • Page 139

    P312 Broadband Security Gateway 11-2 System Maintenance & Information 11.2 Call Control Support The Prestige provides two call control functions: budget management and call history. Please note that this menu is only applicable when Encapsulation is set to PPPoE or PPTP in Menu 4 or Menu 11.1. The budget management function allo[...]

  • Page 140

    P312 Broadband Security Gateway System Maintenance & Information 11-3 The total budget is the time limit on the accumulated time for outgoing calls to a remote node. When this limit is reached, the call will be dropped and further outgoing calls to that remote node will be blocked. After each period, the total budget is reset. Th[...]

  • Page 141

    P312 Broadband Security Gateway 11-4 System Maintenance & Information Table 11-2 Call History Fields Field Description Phone Number The PPPoE service names are shown here. Dir This shows whether the call was incoming or outgoing. Rate This is the transfer rate of the call. #call This is the number of calls made to or receiv[...]

  • Page 142

    P312 Broadband Security Gateway System Maintenance & Information 11-5 Figure 11-6 System Maintenance – Time and Date Setting Table 11-3 Time and Date Setting Fields Field Description Use Time Server when Bootup= Enter the time service protocol that your timeserver will send when the Prestige powers up. Choices are Daytime (RF[...]

  • Page 143

    P312 Broadband Security Gateway 11-6 System Maintenance & Information zone and Greenwich Mean Time (GMT). Be aware if/when daylight savings time alters this time difference for your time zone. Once you have filled in the new time and date, press [Enter] to save the setting and press [Esc] to return to Menu 24. 11.4 Remote[...]

  • Page 144

    P312 Broadband Security Gateway System Maintenance & Information 11-7 Table 11-4 Menu 24.11 - Remote Management Control Field Description Option FTP service active Press the [SPACEBAR] to toggle Yes to No and press [Enter] to disable all FTP activity (both LAN and WAN). Yes No Telnet service active Press the [SPACEBAR] to tog[...]

  • Page 145

    P312 Broadband Security Gateway 11-8 System Maintenance & Information Figure 11-9 Boot Module Commands ======= Debug Command Listing ======= AT just answer OK ATHE print help ATBAx change baudrate. 1:38.4k, 2:19.2k, 3:9.6k 4:57.6k 5:115.2k ATENx,(y) set BootExtension Debug Flag (y=password) ATSE show the seed of password generator ATT[...]

  • Page 146

    P312 Broadband Security Gateway Telnet 12-1 Chapter 12 Telnet Configuration and Capabilities This chapter covers the Telnet Configuration and Capabilities of the Prestige. 12.1 About Telnet Configuration Before the Prestige is properly setup for TCP/IP, the only option for configuring it is through the console port. Once your Pr[...]

  • Page 147

    P312 Broadband Security Gateway 12-2 Telnet 12.3.2 System Timeout There is a system timeout of 5 minutes (300 seconds) for either the console port or telnet. Your Prestige will automatically log you out if you do nothing in this timeout period, except when it is continuously updating the status in Menu 24.1 or when "sys s[...]

  • Page 148

    Firewall and Content Filters IV Part IV: Firewall and Content Filters Chapters 13 – 20 describe types of firewalls, how to configure your Prestige firewall using the Prestige Web Configurator, as well as types of Denial of Services (DoS) attacks and Content Filtering.[...]

  • Page 149

    P312 Broadband Security Gateway What Is a Firewall? 13-1 Chapter 13 What is a Firewall This chapter gives some background information on firewalls. Originally, the term firewall referred to a construction technique designed to prevent the spread of fire from one room to another. The network term firewall is typically defined[...]

  • Page 150

    P312 Broadband Security Gateway 13-2 What Is a Firewall? needed to filter application traffic and direct it to a number of specific systems. The router need only allow application traffic destined for the application gateway and reject the rest. 13.1.3 Stateful Inspection firewalls Stateful Inspection firewalls restrict access by screening [...]

  • Page 151

    P312 Broadband Security Gateway What Is a Firewall? 13-3 Figure 13-1 Prestige Firewall Application 13.3 Denial of Service Denials of Service (DoS) attacks are aimed at devices and networks with a connection to the Internet. Their goal is not to steal information, but to disable a device or network so users no longer have access to network [...]

  • Page 152

    P312 Broadband Security Gateway 13-4 What Is a Firewall? Table 13-1 Common IP Ports 21 FTP 53 DNS 23 Telnet 80 HTTP 25 SMTP 110 POP3 13.3.2 Types of DoS attacks There are four types of DoS attacks: 1. Those that exploit bugs in a TCP/IP implementation. 2. Those that exploit weaknesses in the TCP/IP specification. 3. Brute-force attacks t[...]

  • Page 153

    P312 Broadband Security Gateway What Is a Firewall? 13-5 Under normal circumstances, the application that initiates a session sends a SYN (synchronize) packet to the receiving server. The receiver sends back an ACK (acknowledgment) packet and its own SYN, and then the initiator responds with an ACK (acknowledgment). After this handshake, [...]

  • Page 154

    P312 Broadband Security Gateway 13-6 What Is a Firewall? Figure 13-4 Smurf Attack 4. Often, many DoS attacks also employ a technique known as "IP Spoofing" as part of their attack. IP Spoofing may be used to break into systems, to hide the hacker's identity, or to magnify the effect of the DoS attack. IP Spoofing is a te[...]

  • Page 155

    P312 Broadband Security Gateway What Is a Firewall? 13-7 Figure 13-5 Stateful Inspection Figure 13-5 shows the Prestige’s default firewall rules in action as well as demonstrates how stateful inspection works. User A can initiate a Telnet session from within the LAN and responses to this request are allowed. However other Telnet traffi[...]

  • Page 156

    P312 Broadband Security Gateway 13-8 What Is a Firewall? 7. The packet is inspected by a firewall rule, and the connection's state table entry is updated as necessary. Based on the updated state information, the inbound extended access list temporary entries might be modified, in order to permit only packets that are valid for the cu[...]

  • Page 157

    P312 Broadband Security Gateway What Is a Firewall? 13-9 When any subsequent packet hits the box (from the Internet or from the LAN), its connection information is extracted and checked against the cache. A packet is only allowed to pass through if it corresponds to a valid connection (that is, if it is a response to a connection which or[...]

  • Page 158

    P312 Broadband Security Gateway 13-10 What Is a Firewall? 3. Limit who can Telnet into your router. 4. Don't enable any local service (such as SNMP or NTP) that you don't use. Any enabled service could present a potential security risk. A determined, hostile party might be able to find creative ways to misuse the enabled serv [...]

  • Page 159

    P312 Broadband Security Gateway What Is a Firewall? 13-11 12. Always shred confidential information, particularly about your computer, before throwing it away. Some hackers dig through the trash of companies or individuals for information that might help them in a social intrusion.[...]

  • Page 160

    [...]

  • Page 161

    P312 Broadband Security Gateway Introducing the Prestige Firewall 14-1 Chapter 14 Introducing the Prestige Firewall This chapter shows you how to get started with the Prestige Firewall. Please see Chapter 13 for some background information on firewalls. 14.1 SMT Menus From the Main Menu (see below) enter 21 to go to Menu 21 - Filter[...]

  • Page 162

    P312 Broadband Security Gateway 14-2 Introducing the Prestige Firewall Figure 14-3 Menu 21.2 – Firewall Setup Please note that you can only configure the firewall rules using the Prestige Web Configurator or CLI commands. 14.1.1 View Firewall Log Enter 3 from menu 21 to view the firewall log. Firewall logs may also be viewed from [...]

  • Page 163

    P312 Broadband Security Gateway Introducing the Prestige Firewall 14-3 ICMP Echo A brute-force attack, such as a "Smurf" attack, targets a feature in the IP specification known as directed or subnet broadcasting, to quickly flood the target network with useless data. A Smurf hacker floods a router with Internet Control Messa[...]

  • Page 164

    P312 Broadband Security Gateway 14-4 Introducing the Prestige Firewall Traceroute Traceroute is a utility used to determine the path a packet takes between two endpoints. Sometimes when a packet filter firewall is configured incorrectly an attacker can traceroute the firewall gaining knowledge of the network topology inside the f[...]

  • Page 165

    P312 Broadband Security Gateway Introducing the Prestige Firewall 14-5 Table 14-4 View Firewall Log Field Description # This is the index number of the firewall log. 128 entries are available numbered from 0 to 127. Once they are all used, the log will wrap around and the old logs will be lost. mm:dd:yy e.g., Jan 1 70 Time This is the t[...]

  • Page 166

    P312 Broadband Security Gateway 14-6 Introducing the Prestige Firewall Figure 14-5 Big Picture - Filtering, Firewall and NAT 14.3 Packet Filtering Vs Firewall Below are some comparisons between the Prestige’s filtering and firewall functions. 14.3.1 Packet Filtering: • The router filters packets as they pass through the router’s interfac[...]

  • Page 167

    P312 Broadband Security Gateway Introducing the Prestige Firewall 14-7 When To Use Filtering 1. To block/allow LAN packets by their MAC address. 2. To block/allow special IP packets which are neither TCP, UDP, nor ICMP packets. 3. To block/allow both inbound (WAN to LAN) and outbound (LAN to WAN) traffic between the specific inside [...]

  • Page 168

    [...]

  • Page 169

    P312 Broadband Security Gateway Introducing the Prestige Web Configurator 15-1 Chapter 15 Introducing the Prestige Web Configurator This chapter shows you how to configure your firewall with the Web Configurator. 15.1 Web Configurator Login and Welcome Screens Launch your web browser and enter 192.168.1.1 as the URL. This is the f[...]

  • Page 170

    P312 Broadband Security Gateway 15-2 Introducing the Prestige Web Configurator Figure 15-2 Prestige Web Configurator Welcome Screen 15.2 Enabling the Firewall Click Firewall, then Configuration, then the Rule Config tab to enable the firewall as seen in the following screen.[...]

  • Page 171

    P312 Broadband Security Gateway Introducing the Prestige Web Configurator 15-3 Figure 15-3 Enabling the Firewall 15.3 E-Mail This screen allows you to specify your mail server, where e-mail alerts should be sent as well as when and how often they should be sent. 15.3.1 What are Alerts? Alerts are reports on events such as attacks, whi [...]

  • Page 172

    P312 Broadband Security Gateway 15-4 Introducing the Prestige Web Configurator To field and schedule times for sending alerts in the Alert Timer fields in the E-Mail screen (following screen). 15.3.2 What are Logs? A log is a detailed record that you create for packets that either match a rule, don’t match a rule or both when you are [...]

  • Page 173

    P312 Broadband Security Gateway Introducing the Prestige Web Configurator 15-5 Table 15-1 E-Mail Field Description Options Address Information Mail Server Enter the IP address of your mail server in dot decimal format. Your Internet Service Provider (ISP) should be able to provide this information. If this field is left blank, log[...]

  • Page 174

    P312 Broadband Security Gateway 15-6 Introducing the Prestige Web Configurator 15.3.3 SMTP Error Messages If there are difficulties in sending e-mail the following error messages appear. Please see the Support Notes on the accompanying CD for information on other types of error messages. E-mail error messages appear as "SMTP acti[...]

  • Page 175

    P312 Broadband Security Gateway Introducing the Prestige Web Configurator 15-7 Figure 15-5 E-Mail Log 15.4 Attack Alert In this screen you may choose to generate an alert whenever an attack is detected. For DoS attacks, the Prestige uses thresholds to determine when to drop sessions that do not become fully established. These thr[...]

  • Page 176

    P312 Broadband Security Gateway 15-8 Introducing the Prestige Web Configurator You can use the default threshold values, or you can change them to values more suitable to your security requirements. 15.4.1 Threshold Values: You really just need to tune these parameters when something is not working and after you have checked the firewal[...]

  • Page 177

    P312 Broadband Security Gateway Introducing the Prestige Web Configurator 15-9 The Prestige deletes the oldest existing half-open session for the host for every new connection request to the host. This ensures that the number of half-open sessions to a given host will never exceed the threshold. 2. If the Blocking Time timeout is [...]

  • Page 178

    P312 Broadband Security Gateway 15-10 Introducing the Prestige Web Configurator Table 15-3 Attack Alert Field Description Default Values Generate alert when attack detected A detected attack automatically generates a log entry. Check this box to generate an alert (as well as a log) whenever an attack is detected. See section 15.[...]

  • Page 179

    P312 Broadband Security Gateway Introducing the Prestige Web Configurator 15-11 Field Description Default Values rises above this number, the Prestige deletes half-open sessions as required to accommodate new connection requests. Do not set Maximum Incomplete High to lower than the current Max-Incomplete Low number. half-open sess[...]

  • Page 180

    [...]

  • Page 181

    P312 Broadband Security Gateway Creating Custom Rules 16-1 Chapter 16 Creating Custom Rules 16.1 Rules Overview Firewall rules are subdivided into “Local Network” and “Internet”. By default, the Prestige’s stateful packet inspection allows all communications to the Internet that originate from the local network, and blocks all [...]

  • Page 182

    P312 Broadband Security Gateway 16-2 Creating Custom Rules 5. What computers on the LAN are to be affected (if any)? 6. What computers on the Internet will be affected? The more specific, the better. For example, if traffic is being allowed from the Internet to the LAN, it is better to allow only certain machines on the Internet to access [...]

  • Page 183

    P312 Broadband Security Gateway Creating Custom Rules 16-3 16.3 Connection Direction This section talks about configuring firewall rules for connections going from LAN to WAN and WAN to LAN in your firewall. 16.3.1 LAN to WAN Rules The default rule for LAN to WAN traffic is that all users on the LAN are allowed non-restricted acces[...]

  • Page 184

    P312 Broadband Security Gateway 16-4 Creating Custom Rules Figure 16-2 WAN to LAN Traffic 16.4 Services Supported The list box in the Rule Config(uration) screen (see Figure 16-4) displays all services that the Prestige supports. Custom services may also be configured using the Custom Ports function discussed later. Next to the name of th[...]

  • Page 185

    P312 Broadband Security Gateway Creating Custom Rules 16-5 Table 16-1 Services Supported SERVICE DESCRIPTION BGP(TCP:179) Border Gateway Protocol BOOTP_CLIENT(UDP:68) DHCP Client BOOTP_SERVER(UDP:67) DHCP Server CU-SEEME(TCP/UDP:7648, 24032) A popular videoconferencing solution from White Pines Software. DNS(UDP/TCP:53) Domain Name [...]

  • Page 186

    P312 Broadband Security Gateway 16-6 Creating Custom Rules 16.5 Rule Summary The fields in the Rule Summary screens are the same for Local Network and Internet, so the discussion below refers to both. Click on Firewall, then Local Network to bring up the following screen. This screen is a summary of the existing rules. Note the orde[...]

  • Page 187

    P312 Broadband Security Gateway Creating Custom Rules 16-7 Table 16-2 Firewall Rules Summary – First Screen Field Description Option General Name This is the name of the firewall rule set. Default Permit Log Check this box to log all matched rules in the ACL default set. The default action for packets not matching following rules. [...]

  • Page 188

    P312 Broadband Security Gateway 16-8 Creating Custom Rules Field Description Option section 16.5.1 for more details. Delete Press this button to delete an existing firewall rule. Note that subsequent firewall rules move up by one when you take this action. Move Rule You may reorder your rules using this function. Select by clicking[...]

  • Page 189

    P312 Broadband Security Gateway Creating Custom Rules 16-9 Figure 16-4 Creating/Editing A Firewall Rule Table 16-3 Creating/Editing A Firewall Rule Field Description Option Source Address Press SrcAdd to add a new address, SrcEdit to edit an existing one or SrcDelete to delete one. Please see the next section for more information on ad[...]

  • Page 190

    P312 Broadband Security Gateway 16-10 Creating Custom Rules Field Description Option from the Available Services box on the left, then press >> to select it. The selected service shows up on the Selected Services box on the right. To remove a service, click on it in the Selected Services box on the right, then press <<. Ac[...]

  • Page 191

    P312 Broadband Security Gateway Creating Custom Rules 16-11 Figure 16-5 Adding/Editing Source & Destination Addresses Table 16-4 Adding/Editing Source & Destination Addresses Field Description Option Address Type Do you want your rule to apply to packets with a particular (single) IP, a range of IP addresses (e.g., 192.168.1.[...]

  • Page 192

    P312 Broadband Security Gateway 16-12 Creating Custom Rules When you have finished, click Apply to save your customized settings and exit this screen, Cancel to exit this screen without saving, or Help for online HTML help on fields in this screen. 16.6 Timeout The fields in the Timeout screens are the same for Local and Internet n[...]

  • Page 193

    P312 Broadband Security Gateway Creating Custom Rules 16-13 Figure 16-6 Timeout Screen[...]

  • Page 194

    P312 Broadband Security Gateway 16-14 Creating Custom Rules Table 16-5 Timeout Menu Field Description Default Value TCP Timeout Values Connection Timeout This is the length of time the Prestige waits for a TCP session to reach the established state before dropping the session. 30 seconds FIN-Wait Timeout This is the length of time[...]

  • Page 195

    P312 Broadband Security Gateway Custom Ports 17-1 Chapter 17 Custom Ports 17.1 Introduction You will need to configure customized ports for services not included in the services provided in the scrolling list box in the screen shown in Figure 16-4. For further information on these services, please read section 16.4. To configure a custo[...]

  • Page 196

    P312 Broadband Security Gateway 17-2 Custom Ports Table 17-1 Custom Ports Field Description Customized Services No This is the number of your customized port. Name This is the name of your customized port. Protocol This shows the IP protocol (TCP, UDP or Both) that defines your customized port. Port This is the port number or range[...]

  • Page 197

    P312 Broadband Security Gateway Custom Ports 17-3 Figure 17-2 Creating/Editing A Custom Port The next table describes the fields in this screen.[...]

  • Page 198

    P312 Broadband Security Gateway 17-4 Custom Ports Table 17-2 Creating/Editing A Custom Port Field Description Option Service Name Enter a unique name for your custom port. Service Type Choose the IP port (TCP, UDP or Both) that defines your customized port from the drop down list box. TCP UDP Both Port Configuration Type Click the Sin[...]

  • Page 199

    P312 Broadband Security Gateway Logs 18-1 Chapter 18 Logs 18.1 Log Screen When you configure a new rule you also have the option to log events that match, don’t match (or both) this rule (see Figure 16-4). Click on the Logs to bring up the next screen. Firewall logs may also be viewed in SMT Menu 21.3 (see section 14.1.[...]

  • Page 200

    P312 Broadband Security Gateway 18-2 Logs Table 18-1 Log Screen Field Description No. This is the index number of the firewall log. 128 entries are available numbered from 0 to 127. Once they are all used, the log will wrap around and the old logs will be lost. dd:mm:yy e.g., Jan 1 0 Time This is the time the log was recorded in this f[...]

  • Page 201

    P312 Broadband Security Gateway Logs 18-3 Field Description When you have finished viewing this screen, click another link to exit.[...]

  • Page 202

    [...]

  • Page 203

    P312 Broadband Security Gateway Example Firewall Rules 19-1 Chapter 19 Example Firewall Rules 19.1 Examples Please note that whenever you open a hole in the firewall to forward a service from the Internet to the local network, and NAT is also enabled, you may have to also configure a server behind NAT using SMT menu 15.2. Please[...]

  • Page 204

    P312 Broadband Security Gateway 19-2 Examples Firewall Rules Figure 19-1 Activate The Firewall Step 2. Now we configure our E-mail screen as follows. Click the E-Mail tab to bring up the next screen. Check here to activate the firewall. You may also activate the firewall in SMT menu 21.2.[...]

  • Page 205

    P312 Broadband Security Gateway Example Firewall Rules 19-3 Figure 19-2 Example 1 – E-Mail Screen Step 3. Now we configure our firewall rule as shown in the following screen. The default firewall blocks all Internet traffic entering our local network, but we want to create a hole for web service from the Internet. Go to the Rule Sum[...]

  • Page 206

    P312 Broadband Security Gateway 19-4 Examples Firewall Rules Figure 19-3 Example 1 – Configuring A Rule This is an Internet to Local Network rule. Click DestAdd to configure the destination address as the IP of our server on the LAN. See the next screen. Click this button when you have finished editing screens. Select this service (web[...]

  • Page 207

    P312 Broadband Security Gateway Example Firewall Rules 19-5 Figure 19-4 Example 1: Destination Address for Traffic Originating From The Internet 10.100.1.2 is the IP of our server on the LAN (supporting FTP, HTTP, Telnet and mail services) to which we wish to forward traffic originating from the Internet.[...]

  • Page 208

    P312 Broadband Security Gateway 19-6 Examples Firewall Rules Figure 19-5 Example 1 - Rule Summary Screen 19.1.2 Example 2 – Small Office With Mail, FTP and Web Servers Our small office has: i. A mail server with an IP of 192.168.10.2. ii. Two FTP servers. We want FTP server One (IP of 192.168.10.3) to be accessible from the Internet, b[...]

  • Page 209

    P312 Broadband Security Gateway Example Firewall Rules 19-7 Step 1. First we want to send alerts when there is an attack. Go to the Attack Alert screen (click Configuration, then the Attack Alert tab) shown next. Figure 19-6 Send Alerts When Attacked Step 2. Configure the E-Mail screen as shown in example 1 – our mail server’s IP[...]

  • Page 210

    P312 Broadband Security Gateway 19-8 Examples Firewall Rules Figure 19-7 Configuring A POP Custom Port Step 4. Now, we will create rules to block all outgoing traffic (from the local network to the Internet) except for traffic originating from the HTTP proxy server and our mail server. Click Internet to see the Rule Summary screen. Now click[...]

  • Page 211

    P312 Broadband Security Gateway Example Firewall Rules 19-9 Figure 19-8 Example 2 - Local Network Rule 1 Configuration Step 6. Similarly configure another local network to Internet rule allowing traffic from our web (HTTP) proxy server. Step 7. The Rule Summary screen should look like Figure 19-9. Don’t forget to click Apply when yo [...]

  • Page 212

    P312 Broadband Security Gateway 19-10 Examples Firewall Rules Figure 19-9 Example 2 - Local Network Rule Summary Step 8. Now we want an FTP server (IP of 192.168.10.3) to be accessible from the Internet. Remember the default Internet to Local Network ACL set blocks all traffic from the Internet, so we want to create a hole for this serv[...]

  • Page 213

    P312 Broadband Security Gateway Example Firewall Rules 19-11 Figure 19-10 Example 2 - Internet to Local Network Rule Summary 19.1.3 Example 3: DHCP Negotiation and Syslog Connection from the Internet The following are some Internet firewall rules examples to: 1. Allow DHCP negotiation between the ISP and the P312. 2. Allow a syslog c[...]

  • Page 214

    P312 Broadband Security Gateway 19-12 Examples Firewall Rules Figure 19-11 Custom Port for Syslog Step 2. Follow the procedures outlined in the previous examples to configure all your rules. When finished, your rule summary screen should look like the following. Custom ports show up with an “*” before their names in the Services list[...]

  • Page 215

    P312 Broadband Security Gateway Example Firewall Rules 19-13 Figure 19-12 Syslog Rule Configuration This is our Syslog custom port. Click Apply when finished. This is the address range of the syslog servers.[...]

  • Page 216

    P312 Broadband Security Gateway 19-14 Examples Firewall Rules Figure 19-13 Example 3 Rule Summary Rule 1: Allow DHCP negotiation between the ISP and the P312. Rule 2: Allow a syslog connection from the WAN. Click Apply to save your settings back to the Prestige.[...]

  • Page 217

    P312 Broadband Security Gateway Content Filtering 20-1 Chapter 20 Content Filtering The Prestige can block web features such as ActiveX controls, Java applets, cookies as well as disable web proxies. The Prestige can also block specific URLs by using the keyword feature. Please note that content filtering means the ability to block ce[...]

  • Page 218

    P312 Broadband Security Gateway 20-2 Content Filtering 20.1.3 Cookies Cookies are used by Web servers to track usage. Cookies provide service based on ID. Unfortunately, cookies can be programmed not only to identify the visitor to the site, but also to track that visitor's activities. Because they represent a potential loss of [...]

  • Page 219

    P312 Broadband Security Gateway Content Filtering 20-3 Figure 20-1 Content Filtering Screen Table 20-1 Content Filtering Fields Field Description Restrict Web Features Check the box(es) to restrict that feature. When you download a page containing a restricted feature, that part of the web page will appear blank or grayed out. Block Web [...]

  • Page 220

    Troubleshooting, Appendices, Glossary and Index V Part V: Troubleshooting, Appendices, Glossary and Index Chapter 21 provides information about solving common problems, followed by some Appendices, a Glossary of Terms and an Index.[...]

  • Page 221

    [...]

  • Page 222

    P312 Broadband Security Gateway Troubleshooting 21-1 Chapter 21 Troubleshooting This chapter covers the potential problems you may run into and the possible remedies. After each problem description, some instructions are provided to help you to diagnose and to solve the problem. Please see our supporting disk for further i[...]

  • Page 223

    P312 Broadband Security Gateway 21-2 Troubleshooting 21.2 Problems with the LAN Interface Table 21-2 Troubleshooting the LAN Interface Problem Corrective Action Check the 10M/100M LEDs on the front panel. One of these LEDs should be on. If they are both off, check the cables between your Prestige and hub or the station. Can’t pin[...]

  • Page 224

    P312 Broadband Security Gateway Troubleshooting 21-3 21.4 Problems with Internet Access Table 21-4 Troubleshooting Internet Access Problem Corrective Action Connect your Cable/xDSL modem with the Prestige using appropriate cable. Check with the manufacturer of your Cable/xDSL modem about the cable requirement because for some [...]

  • Page 225

    [...]

  • Page 226

    P312 Broadband Security Gateway PPPoE E Appendix A PPPoE PPPoE in Action An ADSL modem bridges a PPP session over Ethernet (PPP over Ethernet, RFC 2516) from your PC to an ATM PVC (Permanent Virtual Circuit) which connects to a xDSL Access Concentrator where the PPP session terminates (see the next figure). One PVC can support any n[...]

  • Page 227

    P312 Broadband Security Gateway PPPoE F How PPPoE Works The PPPoE driver makes the Ethernet appear as a serial link to the PC and the PC runs PPP over it, while the modem bridges the Ethernet frames to the Access Concentrator (AC). Between the AC and an ISP, the AC is acting as a L2TP (Layer 2 Tunneling Protocol) LAC (L2TP Acces[...]

  • Page 228

    P312 Broadband Security Gateway PPTP G Appendix B PPTP What is PPTP? PPTP (Point-to-Point Tunneling Protocol) is a Microsoft proprietary protocol (RFC 2637 for PPTP is informational only) to tunnel PPP frames. How can we transport PPP frames from a PC to a broadband modem over Ethernet? A solution is to build PPTP into the ANT (AD[...]

  • Page 229

    P312 Broadband Security Gateway PPTP H PNS and the PAC must have IP connectivity; however, the PAC must in addition have dial-up capability. The phone call is between the user and the PAC and the PAC tunnels the PPP frames to the PNS. The PPTP user is unaware of the tunnel between the PAC and the PNS. Microsoft includes PPTP [...]

  • Page 230

    P312 Broadband Security Gateway Hardware Specifications I Appendix C Hardware Specifications Power Specification I/P AC 120V / 60Hz; O/P DC 12V 1200 mA MTBF 100000 hrs Operation Temperature 0º C ~ 40º C Ethernet Specification for WAN 10Mbit Half Duplex Ethernet Specification for LAN 10/100 Mbit Half / Full Auto-negotiation Con[...]

  • Page 231

    P312 Broadband Security Gateway J Safety Instructions Appendix D Important Safety Instructions The following safety instructions apply to the Prestige: 1. Be sure to read and follow all warning notices and instructions. 2. The maximum recommended ambient temperature for the Prestige is 40º(104º). Care must be taken to allow sufficient ai[...]

  • Page 232

    P312 Broadband Security Gateway CLI Commands K Appendix E Firewall CLI Commands The following table describes the syntax used to configure your firewall using Command Line Interface (CLI) commands. Select option 24.8 Command Interpreter Mode from the Main Menu to go into CLI mode. For details on other CLI commands to confi[...]

  • Page 233

    P312 Broadband Security Gateway L CLI Commands Function CLI Syntax Description config edit firewall e-mail email-to <e-mail address> Edits the mail address which you want to send the alert to config edit firewall e-mail policy <full | hourly | daily | weekly> Edits whether the current firewall traffic log contents are sent throug[...]

  • Page 234

    P312 Broadband Security Gateway CLI Commands M Function CLI Syntax Description config edit firewall set <set #> default-permit <forward | block> Edits whether a packet is dropped or allowed through, when it does not meet a rule within the set config edit firewall set <set #> icmp-timeout <seconds> Edits the time limit, [...]

  • Page 235

    P312 Broadband Security Gateway N CLI Commands Function CLI Syntax Description config edit firewall set <set #> rule <rule #> srcaddr-subnet <ip address> <subnet mask> Selects and edits a source address and subnet mask of traffic which comply to this rule config edit firewall set <set #> rule <rule #> src[...]

  • Page 236

    P312 Broadband Security Gateway CLI Commands O Function CLI Syntax Description Delete config delete firewall e-mail Removes all the settings for e-mail alert config delete firewall attack Resets all the settings for attack to default setting config delete firewall set <set #> Removes the specified set from the firewal[...]

  • Page 237

    P312 Broadband Security Gateway P Power Adapter Specifications Appendix F Power Adapter Specs AC Power Adapter Specifications North America AC Power Adapter model M W 48-1201 200 Input power: AC120Volts / 60Hz Output power: DC12Volts/1.2A Power consumption: 9 W Plug: North American standards Safety standards: UL, CUL (UL 1310, CSA C22[...]

  • Page 238

    P312 Broadband Security Gateway Power Adapter Specifications Q Japan AC Power Adapter model JOD-48-1124 Input power: AC100Volts / 50/60Hz / 27VA Output power: DC12Volts/1.2A Power consumption: 9 W Plug: Japan standards Safety standards: T-Mark Australia and New Zealand AC Power Adapter model AD-1201200DS Input power: AC240Volts / 50Hz[...]

  • Page 239

    P312 Broadband Security Gateway R Glossary Glossary of Terms 10BaseT The 10-Mbps baseband Ethernet specification that uses two pairs of twisted-pair cabling (Category 3 or 5): one pair for transmitting data and the other for receiving data. ARP Address Resolution Protocol is a protocol for mapping an Internet Protocol address (IP [...]

  • Page 240

    P312 Broadband Security Gateway Glossary S Cookie A string of characters saved by a web browser on the user's hard disk. Many web pages send cookies to track specific user information. Cookies can be used to retain information as the user browses a web site. For example, cookies are used to 'remember' the items a shop [...]

  • Page 241

    P312 Broadband Security Gateway T Glossary Digital Signature Digital code that authenticates whomever signed the document or software. Software, messages, Email, and other electronic documents can be signed electronically so that they cannot be altered by anyone else. If someone alters a signed document, the signature is no longer v[...]

  • Page 242

    P312 Broadband Security Gateway Glossary U Events These are network activities. Some activities are direct attacks on your system, while others might be depending on the circumstances. Therefore, any activity, regardless of severity is called an event. An event may or may not be a direct attack on your system. FAQ (Frequently Asked [...]

  • Page 243

    P312 Broadband Security Gateway V Glossary Integrity Proof that the data is the same as originally intended. Unauthorized software or people have not altered the original information. internet (Lower case i) Any time you connect 2 or more networks together, you have an internet. Internet (Upper case I) The vast collection of inter-conne[...]

  • Page 244

    P312 Broadband Security Gateway Glossary W as a stream of bits. Name Resolution The allocation of an IP address to a host name. See DNS NAT Network Address Translation is the translation of an Internet Protocol address used within one network to a different IP address known within another network - see also SUA. NDIS Network Drive[...]

  • Page 245

    P312 Broadband Security Gateway X Glossary Plain Text The opposite of Cipher Text, Plain Text is readable by anyone. Prestige Web Configurator This is a web-based Prestige router (not all) configurator that includes an Internet Access Wizard, Advanced and Firewall (not all Prestige models) configurations. POP Post Office Protocol[...]

  • Page 246

    P312 Broadband Security Gateway Glossary Y system, meaning that an end-to-end private circuit is established between caller and callee. Public Key Encryption System of encrypting electronic files using a key pair. The key pair contains a public key used during encryption, and a corresponding private key used during decryption. PVC [...]

  • Page 247

    P312 Broadband Security Gateway Z Glossary SPAM Unwanted e-mail, usually in the form of advertisements. Spoofing To forge something, such as an IP address. IP Spoofing is a common way for hackers to hide their location and identity SSL (Secured Socket Layer) Technology that allows you to send information that only the server can read. SS [...]

  • Page 248

    P312 Broadband Security Gateway Glossary AA on a host system. Objects include directories and an assortment of file types, including text files, graphics, video, and audio. A URL is the address of an object that is normally typed in the Address field of a Web browser. The URL is basically a pointer to the location of an object. VP[...]

  • Page 249

    [...]

  • Page 250

    P312 Broadband Security Gateway Index CC Index A Action for Matched Packets 16-10; Activate The Firewall 19-2; ActiveX 20-1; Add Keyword 20-3; Alert Schedule [...]

  • Page 251

    P312 Broadband Security Gateway DD Index Encapsulation PPP over Ethernet E; Ethernet Encapsulation 3-8, 4-1, 4-5, 4-6, 4-10, 6-11, 6-12; Example E-Mail Log 15-6; Examples 19-1; F Factory Default [...]

  • Page 252

    P312 Broadband Security Gateway Index EE L LAN Setup 2-6, 2-11, 2-12, 3-4, 3-5; LAN to WAN Rules 16-3; LAND 13-4, 13-5, 14-2; Local Network Rule Summary 16-6; log [...]

  • Page 253

    P312 Broadband Security Gateway FF Index S Safety Instructions J; Safety Instructions J; saving the state 13-6; Security In General 13-10; Security Ramifications[...]

  • Page 254

    P312 Broadband Security Gateway Index GG WAN Setup 2-6, 2-10, 2-11, 21-2; WAN to LAN Rules 16-3; Web Configurator 13-9; Web Proxy 20-2; Welcome screen [...]