Go to page of
Similar user manuals
-
Network Router
ZyXEL Communications ZyWALL 300
778 pages 21.16 mb -
Network Router
ZyXEL Communications VSG-1000/1200
4 pages 0.15 mb -
Network Router
ZyXEL Communications 1600
163 pages 3.27 mb -
Network Router
ZyXEL Communications P-660H-D1
6 pages 0.82 mb -
Network Router
ZyXEL Communications P-974 series
2 pages 0.14 mb -
Network Router
ZyXEL Communications P-660HW-TX V3
428 pages 9.57 mb -
Network Router
ZyXEL Communications 782R
166 pages 2.36 mb -
Network Router
ZyXEL Communications P-660R
2 pages 0.72 mb
A good user manual
The rules should oblige the seller to give the purchaser an operating instrucion of ZyXEL Communications P-312, along with an item. The lack of an instruction or false information given to customer shall constitute grounds to apply for a complaint because of nonconformity of goods with the contract. In accordance with the law, a customer can receive an instruction in non-paper form; lately graphic and electronic forms of the manuals, as well as instructional videos have been majorly used. A necessary precondition for this is the unmistakable, legible character of an instruction.
What is an instruction?
The term originates from the Latin word „instructio”, which means organizing. Therefore, in an instruction of ZyXEL Communications P-312 one could find a process description. An instruction's purpose is to teach, to ease the start-up and an item's use or performance of certain activities. An instruction is a compilation of information about an item/a service, it is a clue.
Unfortunately, only a few customers devote their time to read an instruction of ZyXEL Communications P-312. A good user manual introduces us to a number of additional functionalities of the purchased item, and also helps us to avoid the formation of most of the defects.
What should a perfect user manual contain?
First and foremost, an user manual of ZyXEL Communications P-312 should contain:
- informations concerning technical data of ZyXEL Communications P-312
- name of the manufacturer and a year of construction of the ZyXEL Communications P-312 item
- rules of operation, control and maintenance of the ZyXEL Communications P-312 item
- safety signs and mark certificates which confirm compatibility with appropriate standards
Why don't we read the manuals?
Usually it results from the lack of time and certainty about functionalities of purchased items. Unfortunately, networking and start-up of ZyXEL Communications P-312 alone are not enough. An instruction contains a number of clues concerning respective functionalities, safety rules, maintenance methods (what means should be used), eventual defects of ZyXEL Communications P-312, and methods of problem resolution. Eventually, when one still can't find the answer to his problems, he will be directed to the ZyXEL Communications service. Lately animated manuals and instructional videos are quite popular among customers. These kinds of user manuals are effective; they assure that a customer will familiarize himself with the whole material, and won't skip complicated, technical information of ZyXEL Communications P-312.
Why one should read the manuals?
It is mostly in the manuals where we will find the details concerning construction and possibility of the ZyXEL Communications P-312 item, and its use of respective accessory, as well as information concerning all the functions and facilities.
After a successful purchase of an item one should find a moment and get to know with every part of an instruction. Currently the manuals are carefully prearranged and translated, so they could be fully understood by its users. The manuals will serve as an informational aid.
Table of contents for the manual
-
Page 1
Pr estige 312 Broadba nd Securit y Gateway User’s Guide Version 3.20 November 2000[...]
-
Page 2
P312 Br oadband S ecurity G ateway ii Copyright Prestige 312 Broadband Securi ty Gatew ay Copyright Copyright © 2 000 by ZyXE L Communicat ions Corp oration. The contents of this publicati on may not be r eproduced i n any part or as a w hole, transcribed, stored in a retrieval sy stem, tr anslated i nto any language, or transmitted in any form or[...]
-
Page 3
P312 Br oadband S ecurity G ateway FCC Statem ent iii Federal Commu nication s Commission (F CC) Interf erence Statement This devic e complies w ith Part 15 of FCC rules. O perat ion is sub ject to the follow ing two conditio ns: This devic e may not cause h armful interference. This devic e must accept any interfer ence receiv ed, includin g inter[...]
-
Page 4
P312 Br oadband S ecurity G ateway iv Canadian Us ers Informatio n for Can adian User s The Industry Canad a label iden tif ies certifi ed equi pme nt. T his cer tifi cat ion mea ns that the equipment meets certain tele communications network pro tective, operation, and safety require m ents. The Industry Canada does not guar antee that the equ ipm[...]
-
Page 5
P312 Br oadband S ecurity G ateway Warranty v Declaration of Confor mit y We, the Manufacturer/Importer, ZyXEL Communications Cor p . No. 6, Innovation Rd. II, Science-Based Industrial Park, Hsinchu, T aiwan, 300 R.O .C declare that t he product Prestige 312 is in co nform ity with (reference to the spec ific at i on under which conformity is decl [...]
-
Page 6
P312 Br oadband S ecurity G ateway vi CE Doc[...]
-
Page 7
P312 Br oadband S ecurity G ateway Warranty vi i ZyXEL Limited W arranty ZyXE L warrants to the or iginal end user (pur chaser) that this pro duct is free from any defects in materials or workmans hip for a peri od of up to two y ears from t he date of purchase . During the warranty period, and upon proof of pur chase, sh ould the product have indi[...]
-
Page 8
P312 Br oadband S ecurity G ateway viii Customer Su pport Customer Support When y ou contact y our customer support representa tive pleas e have the followi ng informati on ready: ♦ Prestig e Model and seri al num ber. ♦ Information in Menu 24.2.1 –S ystem Inform ation . ♦ Warranty Inf o r mation. ♦ Date you recei ved your Prestige. ♦ B[...]
-
Page 9
P312 Br oadband S ecurity G ateway T able Of C ontents ix T able of Contents T able of Contents .............................................................................................................. ............. ix List of Fig ures .............................................................................................................[...]
-
Page 10
P312 Br oadband Security G ateway x T able Of C ontents 2.10.1 LAN Port Filter Setup .................................................................................................... ... 2-12 Chapter 3 Internet Access .............................................................................................................3- 1 3.1 TCP/IP and [...]
-
Page 11
P312 Br oadband S ecurity G ateway T able Of C ontents xi 6.1.4 NAT Mapping Ty pe s ......................................................................................................... .6 - 2 6.1.5 SUA (Single User Accoun t) Versus NAT .......................................................................... 6-3 6.1.6 NAT Application ........[...]
-
Page 12
P312 Br oadband Security G ateway xii T able Of Conte nts 9.1 System Status ............................................................................................................... ...............9-2 9.2 System Inf ormation and Console Port Speed .............................................................................. 9-4 9.2.1 System [...]
-
Page 13
P312 Br oadband S ecurity G ateway T able Of C ontents xiii 12.2 Telnet Under NAT........................................................................................................... ......... 12-1 12.3 Telnet Capabilities ........................................................................................................ ............ 12-[...]
-
Page 14
P312 Br oadband Security G ateway xiv T able Of Conte nts 15.3 E-Mail ..................................................................................................................... ..................15-3 15.3.1 What are Alerts?......................................................................................................... ....... 15[...]
-
Page 15
P312 Br oadband S ecurity G ateway T able Of C ontents xv 20.1 Restrict Web Features...................................................................................................... ......... 20-1 20.1.1 ActiveX .................................................................................................................. .......... 20-1 20[...]
-
Page 16
P312 Br oadband Security G ateway xvi List Of Figur es List of Figures Figure 1-1 Secure Internet Access v ia Cable ..................................................................................... ....... 1-3 Figure 1-2 Secure Internet Access v ia DSL....................................................................................... ......[...]
-
Page 17
P312 Br oadband S ecurity G ateway List Of Fi gures xvii Figure 4-5 Remote Node Netw or k Layer Options .................................................................................. 4 -8 Figure 4-6 Rem ote Node Filter (Ethernet Encapsulation)...................................................................... 4-1 0 Figure 4-7 Remote Node Fil[...]
-
Page 18
P312 Br oadband Security G ateway xviii List Of Figures Figure 6-22 Example 4- Me nu 15.1.1.1 - Address Mapping Ru le ............................................................ 6-20 Figure 6-23 Example 4 - Me nu 15.1.1 - A ddress Mapping Rules ............................................................ 6-20 Figure 7-1 Outgoing Packet Filtering P[...]
-
Page 19
P312 Br oadband S ecurity G ateway List Of Fi gures xix Figure 9-9 Call-T riggering Packet Example ....................................................................................... ... 9-10 Figure 9-10 Menu 24.4 - System Maintenance - Diagn ostic .................................................................... 9-11 Figure 9-1 1 W AN &[...]
-
Page 20
P312 Br oadband Security G ateway xx List Of Fi gures Figure 14-2 Menu 21 - Filter and Firewall Setup ................................................................................. .... 14-1 Figure 14-3 Menu 21.2 – Firew all Se tup .......................................................................................... ........ 14-2 Figure 1[...]
-
Page 21
P312 Br oadband S ecurity G ateway List Of Fi gures xxi Figure 19-9 Example 2 - Local Net work Ru le Summary .................................................................. 19-10 Figure 19-10 Exam ple 2 - Internet to Local Network Rule Summary .................................................. 19-1 1 Figure 19-1 1 Custom Port for Sy s log ......[...]
-
Page 22
[...]
-
Page 23
P312 Br oadband S ecurity G ateway List of T ab les xxiii List Of T ables T able 2-1 LED functions ........................................................................................................ ................ 2-1 T able 2-2 Main Menu Co mmands ..............................................................................................[...]
-
Page 24
P312 Br oadband Security G ateway xxiv List of T ables T able 7- 2 Abbreviations Used If Filter T y pe Is IP .............................................................................. ....7-7 T able 7- 3 Abbreviations Used If Filter T ype Is GEN .......................................................................... ....7-7 T able 7- 4 TCP/I[...]
-
Page 25
P312 Br oadband S ecurity G ateway List of T ab les xxv T able 16-5 T imeout Menu ......................................................................................................... ........... 16-14 T able 17-1 Cus tom Ports ......................................................................................................... ............[...]
-
Page 26
[...]
-
Page 27
P312 Br oadband S ecurity G ateway Preface xxvii Preface A bout Y our Router Congratu lations on your pu rchase of the Prestig e 312 Broadband Security Gate way. Don’t fo rget to reg ister you r Prestig e (fast, e asy onlin e regist ration at w ww .zy xel.com ) for free future product updates and information. The Presti ge 312 is a du al Ethernet[...]
-
Page 28
P312 Br oadband Security G ateway xxviii Preface Regardless of your particular applicatio n, it is i mportant that you follow the steps o u tli ned in C hapters 1-2 to connect y our Prestige to your LAN. You can then refer to the appropriate ch apters of the manual, depending on your applications. Related Documentation " Support ing CD More de[...]
-
Page 29
Getting Starte d I Part I: Getti ng Started Chapters 1-3 are s tructured as a step-b y-step guide to h elp you connect, i nstall a nd setup your Prestig e to oper ate on your network and acces s the Inter net.[...]
-
Page 30
[...]
-
Page 31
P312 Br oadband Security G ateway Getting to Know Y o ur Prest ige 1-1 Chapter 1 Getting to Know Your Prestige This chapt er intr oduces the main f eatures and appl ications of the Pr estige. 1.1 The Prestige 312 B roadband Security Gate wa y The Presti ge 312 is a du al Ethern et Broadband Security Gatew a y integrated w ith a robust firewall an d[...]
-
Page 32
P312 Br oadband S ecurity G ateway 1-2 Getting to Know Y o ur Prestige Dynamic DNS Support With Dyn amic DNS support , you can h ave a static hos tname alias for a dy namic IP address , allow i ng the host to be more eas ily accessible from v arious locations on the In ternet. You must register f o r this service with a Dynamic DNS client to use th[...]
-
Page 33
P312 Br oadband Security G ateway Getting to Know Y o ur Prest ige 1-3 not choose a time service protocol that your timeserver will send when the Prestige powers up you can enter the time m a nually bu t each tim e the system is booted, the t ime & date w ill be reset to 1/1/197 0 0:0:0 . Logging and T racing The Prestige has the following feat[...]
-
Page 34
P312 Br oadband S ecurity G ateway 1-4 Getting to Know Y o ur Prestige Figure 1-2 Secure Int ernet Access v ia DSL You can als o use your xDSL modem in the bridge mode f or al ways- on Internet access and h igh speed data transfer.[...]
-
Page 35
P312 Br oadband Security G ateway Hardwar e Inst a lla ti on & Initia l Se tup 2-1 Chapter 2 Hardware Installation & Initial Setup This chapt er shows you how to connec t the har dware an d perform the in itial setup . 2.1 Front Panel LEDs and Back Panel Ports 2.1.1 Front Panel LEDs The LEDs on the f ront panel indicate the operational stat[...]
-
Page 36
P312 Br oadband S ecurity G ateway 2-2 Hardware Installa tion & Initia l Se tup LEDs Function Indicator Status Activ e Description Flashing The 100M LAN is sending/re ceiving packet s. Off The W AN Link is not ready, or has fa iled. On The W AN Link is ok . WAN W AN G reen Flashing The 10M W AN link is s ending/r eceiv ing packet s. 2.2 Prestig[...]
-
Page 37
P312 Br oadband Security G ateway Hardwar e Inst a lla ti on & Initia l Se tup 2-3 connector on the back of the cable m ode m. Connect an x DSL Modem to the xDSL Wall Jack. Please also see Appendix C f o r important safety ins tructions on making conn ections to the Prest ige. Step 1. Connecting the Console Port For the initial configuration of[...]
-
Page 38
P312 Br oadband S ecurity G ateway 2-4 Hardware Installa tion & Initia l Se tup ♦ 9600 Baud. ♦ No parity, 8 Data bits, 1 Stop b it, Flo w Control set to None. 3. A cable/xDSL m ode m and an ISP account . After th e Prestige is properly set up, y ou can make future ch anges to the conf i gurati on through te lnet connections. 2.4 Housing You[...]
-
Page 39
P312 Br oadband Security G ateway Hardwar e Inst a lla ti on & Initia l Se tup 2-5 Figure 2- 4 Pas sword Screen 2.6 Navigating the SM T Inter face The SMT (System Management Terminal) is the interface that y ou use to configure your Prestige. Several operations that you should be familiar with before you attempt to modify the configuration are [...]
-
Page 40
P312 Br oadband S ecurity G ateway 2-6 Hardware Installa tion & Initia l Se tup 2.6.1 Main Menu After you enter the password, the SMT displa ys the Prestige 312 Main Menu , as s hown below . Figure 2-5 Prestige 312 M ain Men u 2.6.2 S y stem Management T erminal Interf ace Summary Table 2- 3 Main Menu Summar y # Menu Title Description 1 General[...]
-
Page 41
P312 Br oadband Security G ateway Hardwar e Inst a lla ti on & Initia l Se tup 2-7 99 Exit To exit from SM T and return to a bla nk screen. 2.7 Changing the System Pass w ord The first thing y our should do bef o re anything els e i s to chan ge t he default system password by foll owing the steps below. Step 1. Enter 23 in the Main Menu to ope[...]
-
Page 42
P312 Br oadband S ecurity G ateway 2-8 Hardware Installa tion & Initia l Se tup 2.8 General Setup Menu 1 - General Setup contains administrative and sys te m-related inf ormation. The fields for General Setup are as shown nex t. Syste m Name is for identification purposes . However, because s ome ISPs check this name you should enter your PC’[...]
-
Page 43
P312 Br oadband Security G ateway Hardwar e Inst a lla ti on & Initia l Se tup 2-9 Table 2-4 Genera l Setup Menu Field Field Description Example System Na me Choose a d escriptiv e name for ident ification p urposes. It is recommende d you enter your co mputer’ s “Computer name” in th is field. T his name c an be up to 30 alpha numeric ch[...]
-
Page 44
P312 Br oadband S ecurity G ateway 2-10 Hardware Inst a lla ti on & Initia l Se tup Table 2-5 Configure Dynamic DNS Menu Fields Field Description Example Service Provider Enter the na me of your Dynamic DNS client. www.d dns.org Active Press [SPACE BAR] to togg le betw een Yes or No . Yes Host Enter the domai n name assigned to your Prestige by[...]
-
Page 45
P312 Br oadband Security G ateway Hardwar e Inst a lla ti on & Initia l Se tup 2-1 1 Figure 2-9 Menu 2 – WAN Setup The MAC address field allows users to conf igure the WAN port' s MAC Address by either u si n g the factory default or clon ing the MAC address f rom a workstation on your LA N. Once it is successfully configu red, the addre[...]
-
Page 46
P312 Br oadband S ecurity G ateway 2-12 Hardware Inst a lla ti on & Initia l Se tup Figure 2-10 Menu 3 - LAN Setup 2.10.1 LA N Port Filter Setu p This menu allows you to specif y the filter sets that you wish to apply to the LAN traffic. You seldo m need to filter the LAN traffic, however, the filter sets may be useful to block certain packets,[...]
-
Page 47
P312 Br oadband Security G ateway Internet Acc ess 3-1 Chapter 3 Internet Access This chapt er shows y ou how to configur e the LAN as we ll as the W AN of your Presti ge for Int ernet access. 3.1 TCP/I P and DHCP for LAN The Prestige has built-i n DH CP server capabilit y that assigns IP ad dresses and DNS servers to s yste ms that support DHCP cl[...]
-
Page 48
P312 Br oadband S ecurity G ateway 3-2 Internet Acc ess The subnet mask specifies the net work number portion of an IP address. Your Pr estige will compute the subnet m ask automatically based on the IP address that you entered. You don’t need to change the subnet mask computed by the Prestige un less you are instructed to do otherw ise. 3.1.3 Pr[...]
-
Page 49
P312 Br oadband Security G ateway Internet Acc ess 3-3 3.1.5 DHCP Configuration DHCP (Dy namic Host Conf iguration Protocol, RF C 2131 and R FC 2132) all ow s the indi vidual cli ents (wor ks tat i ons ) to o bta i n the T CP/ I P co nfigur a tio n at sta rt -up fro m a se r ver . Yo u can configu re the Prestige as a DHCP server or disable it. Whe[...]
-
Page 50
P312 Br oadband S ecurity G ateway 3-4 Internet Acc ess The address 224.0. 0.1 is used f or query messages an d i s assi gned to the perm anent group of all IP h o sts (inclu di ng ga teways). Al l hosts must join the 224.0. 0.1 group in order to parti cipate in IGMP. The address 224.0.0.2 is as signed to the multicast routers grou p. The Prestig e[...]
-
Page 51
P312 Br oadband Security G ateway Internet Acc ess 3-5 Figure 3-3 Menu 3 - LAN Setup (1 0/100 Mbps Etherne t) To edit the TCP/IP and DHCP configuration, enter 2 to open Menu 3.2 - TCP /IP and DHCP Ethernet Setup as s ho wn ne xt. Figure 3-4 Menu 3.2 – TCP/IP and DHCP Ethernet Setup Menu 3 – LAN Setup 1. LAN Port Filter Setup 2. TCP/IP and DHCP [...]
-
Page 52
P312 Br oadband S ecurity G ateway 3-6 Internet Acc ess Follow the instruction s in the following table on how to confi gure the DHCP fields. T able 3-1 LAN DHCP Setup Menu Fields Field Description Example DHCP= This field enables/disables the DHCP server. If it is set to Server , your Prestige w ill act as a DHCP s erver. If s e t to None , DHCP s[...]
-
Page 53
P312 Br oadband Security G ateway Internet Acc ess 3-7 Field Description Example Edit IP Alia s The Prestige supp orts three log ical LAN interfac es via its single physical Et hernet in terface with t he Prestige itself a s the gateway for each LAN netw ork. Press the spac e bar to toggle No t o Yes, then press [ENTER] to brin g you to menu 3 .2.1[...]
-
Page 54
P312 Br oadband S ecurity G ateway 3-8 Internet Acc ess RIP Direction Press the space bar t o select the RIP d irection from None, Both/In Onl y/Out Onl y . None Version Press the space bar to sele ct the RIP version fr om RIP-1/RIP- 2B/RIP-2M. RIP-1 Incomin g Protocol Filter s Enter the fi lter set( s) you w ish to apply to the incoming tr affic b[...]
-
Page 55
P312 Br oadband Security G ateway Internet Acc ess 3-9 The following table describes t his screen. Table 3- 4 Internet Access S etup M enu F ields Field Description ISP’s Name Enter the name of your Internet Servi ce Provider, e .g., myISP. T his information i s for identificatio n purposes only. Encapsulation Press the [SPACE BAR] and the press [...]
-
Page 56
P312 Br oadband S ecurity G ateway 3-10 Internet Acc ess 3.3.3 Configuring the PPTP Client T o co nfigur e a P P T P c lient, you mu st co nfi gur e t he My Login and Passwo rd fields for a PPP connection a nd the PPTP parameters for a PPTP connection . After con figuri ng t he User Name and Passwo rd for PPP connection, press [ SP ACE BAR] in t he[...]
-
Page 57
P312 Br oadband Security G ateway Internet Acc ess 3-1 1 For the service prov ider, P PPoE offe rs an access and authen tication method that works with existing access control sy stems (e.g., Radius ). For the user, PPPoE provides a login & a uthentication method th at the existing Micros oft Dial-Up Networking sof tware can activate, and there[...]
-
Page 58
P312 Br oadband S ecurity G ateway 3-12 Internet Acc ess Tabl e 3-6 New Fields in M enu 4 ( PPPoE) s creen Field Description Examples Encapsulation Press the [SPACE BAR] and then press [ENTER] to choose PPPoE . The encapsu lation method influences your choices for IP Address. PPPoE Service Name Enter th e PPPoE service name prov ided to you. PPPoE [...]
-
Page 59
Advance d App licatio ns II Part II: Advanced Applications Advance d App licatio ns (Chap ters 4-6) describ e the adva nced ap plicati ons of your Prest ige, suc h as Rem ote Node Setup IP Sta tic routes and N A T .[...]
-
Page 60
P312 Br oadband S ecurity G ateway Remote N ode Setup 4-1 Chapter 4 Remote Node Setup This chapt er shows y ou how to configur e a rem ote node. A remote node is required for placing calls to a remote gateway. A rem ote node represents both the remote gate way and the ne twor k be hind it a cro ss a W AN con nectio n. No te t ha t whe n you u se Me[...]
-
Page 61
P312 Br oadband S ecurity G ateway 4-2 Remote N ode Set up Table 4-1 Fields in Menu 11.1 Field Description Examples Rem Node Name Enter a descri ptive name for the re mote no de. This fi eld can be up to eight characters. LAoffice Act ive Press the [SPACE BAR] to toggle be tween Yes and No and activate (de activate) the remote node. Yes Encapsulati[...]
-
Page 62
P312 Br oadband S ecurity G ateway Remote N ode Setup 4-3 4.1.2 PPPoE Encapsulat ion The Pre stig e supports PPPoE (Point- to-Poin t Protocol ov er Eth ernet ). You ca n only use PPPoE encapsulation when you’ re using the Prestige with an xDSL modem as the WAN device. If you change the Encapsulat ion to PP PoE, then you w ill see the next screen.[...]
-
Page 63
P312 Br oadband S ecurity G ateway 4-4 Remote N ode Set up Table 4- 2 Fields in M enu 11.1 ( PPPoE Encapsu lation Sp ecific) Field Description Examples Authen This field sets the authent ication protocol u sed for outgoing calls. Options for t his field are: CHAP/PAP - Your Prestige w ill accept either CHAP or PAP when reque sted by thi s remote no[...]
-
Page 64
P312 Br oadband S ecurity G ateway Remote N ode Setup 4-5 Figure 4-3 Remote Nod e Profil e for PPT P Encap sulatio n The next table shows ho w to configure fi elds in Menu 11.1 n ot previously dis cussed above. Tabl e 4-3 Fields in M enu 11.1 (PPT P Encapsu latio n) Field Description Examples Encapsulation T oggle the spac e bar to choose PPTP . Yo[...]
-
Page 65
P312 Br oadband S ecurity G ateway 4-6 Remote N ode Set up 4.2 Editi ng TCP/IP Options (with Ether net Encapsulati on) Move the cursor to the Edit IP fie ld in Menu 1 1.1 , then press the [ SPACE BAR] to toggle and set the value to Yes . Press [Enter] to open Menu 11.3 - Net w ork L ayer Options . Figure 4-4 Remote Node Network Layer Options The ne[...]
-
Page 66
P312 Br oadband S ecurity G ateway Remote N ode Setup 4-7 Field Description Example between 1 a nd 15. In pra ctice, 2 or 3 is us ually a good numb er. Private This f ield is valid on ly for PPTP/ PP Po E enc apsu lat io n. Th is parameter deter mines if the Pre stige w ill include the route to this remote no de in its R IP broad casts. If set t o [...]
-
Page 67
P312 Br oadband S ecurity G ateway 4-8 Remote N ode Set up Figure 4-5 Remote Node Network Layer Options The next tab le gi ves yo u ins truct io ns a bout c onfi guri ng re mote no de ne t work la yer op tio ns. Table 4-5 Remote Node Network Layer Options Menu Fields Field Description Example IP Address Assignment If y our ISP did not a s sign you [...]
-
Page 68
P312 Br oadband S ecurity G ateway Remote N ode Setup 4-9 between 1 a nd 15. In pra ctice, 2 or 3 is us ually a good numb er. Private This para m eter determines if the Prestige will include the route to this remote no de in its R IP broad casts. If set t o Yes , this ro ute is kept private and n ot included in RIP broadcast. If No , the route to t[...]
-
Page 69
P312 Br oadband S ecurity G ateway 4-10 Remote N ode Set up Figure 4-6 Remote Node Filter (Ethernet Encapsulation) Figure 4-7 Remote Node Filter (PPPoE or PPTP Encapsulation) Menu 11.5 - Remote Node Filter Input Filter Sets: protocol filters= 3 device filters= Output Filter Sets: protocol filters= 1 device filters= Enter here to CONFIRM or ESC to C[...]
-
Page 70
P312 Br oadband S ecurity G ateway IP Static Route Setup 5-1 Chapter 5 IP Static Route Setup This chapt er shows y ou how to configur e static routes wi th your Prestige. Static routes tell the Prestige routing in for mation that it cannot learn automatically through other means. This can arise in cases where RIP is disabled on the LAN. Each remote[...]
-
Page 71
P312 Br oadband S ecurity G ateway 5-2 IP Stat ic Route Setup 5.1 IP Static Route S etup You co nfig ure I P stat i c rout e s in M e nu 1 2. 1 , by selecting on e o f the IP static rout es as shown below. Enter 12 from t he Main Menu . Figure 5-2 Menu 12 - IP Static Route Setup Now, enter t he index num ber of one of the st atic rout es you want t[...]
-
Page 72
P312 Br oadband S ecurity G ateway IP Static Route Setup 5-3 Table 5- 1 IP Stat ic Route M enu Field s Field Description Route # This is the index number of the sta tic route th at you chose in M enu 12. Route Name Enter a descri ptive name for this route. This is for identifi cation purpose s only. Active This field a llows you to activ ate/deacti[...]
-
Page 73
[...]
-
Page 74
P312 Br oadband S ecurity G ateway NA T 6-1 Chapter 6 Network Address Translation (NAT) This chapt er dis cusses how to conf igure NAT on the Prestige. 6.1 Introducti on NAT (Netw ork Address Translation - NA T, RFC 1631) is th e translat ion of the IP add ress of a h ost in a packet, e.g., th e source address of an outgoing packet, used w ithin on[...]
-
Page 75
P312 Br oadband S ecurity G ateway 6-2 NA T them accessi ble to the outside w o rld. If you do n ot define any s ervers (for Many-to- One a nd Many- to-Many Overload mapping – see below), NAT offers the additional be nefit of fire wall protectio n. If no server is defined in these cases, all incoming inquiries will b e filtered o ut b y your Pres[...]
-
Page 76
P312 Br oadband S ecurity G ateway NA T 6-3 2. Many to One: In Many-to-One mode, the Prestige maps multiple local IP addresses to one global IP address. T his is equivalent to SUA (i.e., PAT, port addr ess translation), ZyXEL’s Single User Account feature th at previous ZyXEL rout ers supported (th e SUA Only opti on in today’ s routers). 3. Ma[...]
-
Page 77
P312 Br oadband S ecurity G ateway 6-4 NA T remote node basi s. They are reus able, but only on e set is allowed for each rem o te node. The Prestige supports 2 sets s ince there is on ly one rem ote node. The secon d set ( SUA Onl y option in Menu 15.1) is a conveni ent, pre-conf igured, read only Many -to-1 port m apping set, suff icient for most[...]
-
Page 78
P312 Br oadband S ecurity G ateway NA T 6-5 Figure 6-3 Applying NAT for In ternet Access This fig ure shows how you apply N AT to the remote node in Menu 11.1. Step 1. Enter 11 f rom th e Main Menu. Step 2. Move the cursor to the Edit IP field, press the [SPACEBAR] to toggle the def ault No to Yes , then pr ess [ ENT ER] t o bring up Menu 11.3 - Re[...]
-
Page 79
P312 Br oadband S ecurity G ateway 6-6 NA T Table 6- 3 Applying N AT in Men us 4 & 11.3 Field Options Description Full Feature W hen y ou selec t this option the SM T will us e Address M apping Set 1 (M enu 15.1 – see se ctio n 6.2.3 for further dis cu ssion). You can con f ig ure any of the 5 mapping types describe d in Table 6-2. None NAT i[...]
-
Page 80
P312 Br oadband S ecurity G ateway NA T 6-7 Figure 6-6 Men u 15.1 Addres s Map ping Sets Let’s look firs t at Option 255. Opt ion 255 i s equiv ale nt to SUA in previ ous ZyXEL rou ters ( see section 6.1.4) . The fields i n this menu cann ot be changed. Entering 255 brings up this s creen. Figure 6-7 SUA Address Mapping Rules The following table [...]
-
Page 81
P312 Br oadband S ecurity G ateway 6-8 NA T Table 6- 4 SUA A ddres s Map ping Rules Field Description Options/Exa mple Set Name This is the name of the set you sele cted in Menu 15.1 or ent er the name of a new set you w ant to create. SUA Idx This is the index or rule number. 1 Local Start IP Loc al E nd IP Local Start IP i s the starting loca l I[...]
-
Page 82
P312 Br oadband S ecurity G ateway NA T 6-9 Figure 6-8 First Set in Menu 15.1.1 The Ty pe, Loca l and Gl obal Start/En d IPs are co nfigure d in Me nu 15.1. 1.1 (described later) a nd the value s are displa yed he re. Ordering Y our Rules Ordering your rules is important becaus e the Prestige applies the rules in the order th at you specify . When [...]
-
Page 83
P312 Br oadband S ecurity G ateway 6-10 NA T moved dow n by one rule. Delete means t o delete the selected rul e and then all t he rule s after the se lected one will b e advanced one rule. Save Set means to save the w hole set (note when y ou cho ose this a c tion, the Select Rul e item will b e disabled). Select Rule When you choose Edit , Inser [...]
-
Page 84
P312 Br oadband S ecurity G ateway NA T 6-1 1 Field Description Option/Exam ple examples. and Serv er Local IP Only local IP f ields ar e N/A for server; Global IP fie lds M UST be set for Server . Start T his is the starting lo cal IP address (I LA). 0.0.0.0 End T his is the ending loc al IP addres s (ILA). If the rule is for all local IPs, the n [...]
-
Page 85
P312 Br oadband S ecurity G ateway 6-12 NA T Figure 6-1 0 Multip le Servers Beh ind N AT 6.3.2 Configuring a Server behind NA T Follow the steps below to con f igure a server behind NAT: Step 1. Enter 15 in the main menu to go to Menu 15 – NAT Setup. Step 2. Enter 2 to go to Menu 15.2 - NAT Server Setup . Step 3. Enter the service port number in [...]
-
Page 86
P312 Br oadband S ecurity G ateway NA T 6-13 Figure 6-1 1 M enu 15.2 – N A T Serv er Set up Tabl e 6-7 Servic es & Port n umbe rs Services Port Number FTP (File Tr ansfer Protoco l) 21 Telnet 23 SMTP (Simple Mail T ransfer Protocol) 25 DNS(Domain Na me System) 53 HTTP (Hy per Text Transfer protoco l or W WW , W eb) 80 PPTP (Point-to-Point T u[...]
-
Page 87
P312 Br oadband S ecurity G ateway 6-14 NA T Figure 6-1 2 NAT Example 1 Figure 6-1 3 Internet Access & NAT Examp le From Menu 4 s ho wn above, simply choose the SUA Only option from the Network Add re ss Tran slation field. Thi s is the Many -to-One mapping dis cussed in section 6.1.4. The SUA Onl y read only option from the Network A ddress Tr[...]
-
Page 88
P312 Br oadband S ecurity G ateway NA T 6-15 6.4.2 Example 2 – Intern et Access with an Inside Server Figure 6-1 4 NAT Example 2 In this case, we do exactly as abov e (use the conven ie nt pre-conf igured SU A Only set) and also go to Menu 15.2 to s pecify the Inside Serv er behind th e NAT as shown in th e next figu re. Figure 6-1 5 Specif ying [...]
-
Page 89
P312 Br oadband S ecurity G ateway 6-16 NA T server an d the other IGA is us ed by all. We want to m ap the FTP servers to the fi rst two of our IGAs an d the other LAN traff ic to t he remaining IGA. We also want to map ou t third IGA to an inside w eb server and mail server. We need to configure 4 rules, 2 bi-directional and 2 o ne directional as[...]
-
Page 90
P312 Br oadband S ecurity G ateway NA T 6-17 Step 5. Select Type = as One-to-One (direct m apping for packets goin g both w ays) , and enter the local Start IP as 192.168 .1.10 (the IP address of FTP S erver 1), the g lobal Start IP as 10.132.5 0.1 (our firs t IGA). ( See Figure 6-18) Step 6. Repeat the previous step for rules 2 to 4 as outlined ab[...]
-
Page 91
P312 Br oadband S ecurity G ateway 6-18 NA T When we have configu red all fou r rules, Menu 15.1.1 shou ld look as follows . Figure 6-19 Example 3 Final M enu 15.1.1 Now we conf i gure ou r IG A3 to m ap to our w eb server and m ai l server on the LAN. Step 8. Enter 15 f rom th e Main Menu. Step 9. Now ente r 2 from t his menu an d configure it as [...]
-
Page 92
P312 Br oadband S ecurity G ateway NA T 6-19 6.4.4 Example 4 –NA T Unfriendly Application Programs Some appli cations do not su pport NAT Mappin g usi ng TCP or UDP po rt address t ransl ation. In t his case it is better to use Many-to-Man y No Overload m apping as port n umbers do not ch ange for Many-to-Many No Overload (and One- to-One ) NAT m[...]
-
Page 93
P312 Br oadband S ecurity G ateway 6-20 NA T Figure 6-2 2 Example 4- M enu 15.1. 1.1 - Address M apping Rule After you’ve configured this menu, you should see the following screen. Figure 6-2 3 Example 4 - M enu 15.1. 1 - Address M apping Rules Menu 15.1.1.1 Address Mapping Rule Type= Many-to-Many No Overload Local IP: Start= 192.168.1.10 End = 1[...]
-
Page 94
Advance d Mana gem ent III Part III: Advanced Manage ment Chapters 7 - 12 pro vide inf orm ation on Pres tige filter ing, S ystem Inform ation and Diagn osis, Transferring Files and T elnet.[...]
-
Page 95
[...]
-
Page 96
P312 Br oadband S ecurity G ateway Filters 7-1 Chapter 7 Filter Configuration This chapt er shows you how to create a nd app ly filter( s). 7.1 About Filtering Your Prestige uses filters to decid e whether to allow passage of a data packet and/or to make a call. There are two types of filter applications: data filtering and call filtering. Filters [...]
-
Page 97
P312 Br oadband S ecurity G ateway 7-2 Filters 7.1.1 The Filter Structure of t he Prest ige A filter set consists of one or more filter rules. Usually, you would group related rules, e.g., all the rules for NetBIOS, into a single set and give it a descripti ve name. The Prestige allo ws y ou to configure up to t welve filter sets with six rules in [...]
-
Page 98
P312 Br oadband S ecurity G ateway Filters 7-3 Start Fetch First Filter Set Fetch First Filter Rule Active? Execute Filter Rule Fetch Next Filter Rule Next filter Rule Available? Fetch Next Filter Set Next Filter Set Available? Accept Packet Drop Packet Yes No Yes No Yes Packet into filter Filter Set Forward Drop No Check Next Rule Figure 7-2 Filte[...]
-
Page 99
P312 Br oadband S ecurity G ateway 7-4 Filters 7.2 Configur i ng a Fil ter Set To configu re a filter set, f ollow the procedure below . For more inf o r mation on Menus 21.2 and 21.3, pleas e see Part 4. Step 1. Select option 21. F ilt er Set Configuration fro m the M a in M enu to op en M e nu 21 . Figure 7-4 Menu 21 – Filter and Firewall Setup[...]
-
Page 100
P312 Br oadband S ecurity G ateway Filters 7-5 Figure 7-6 NetBIOS_W AN Filter Rules Su mmary Figure 7-7 NetBIOS _L AN Filter Rules Summary Figure 7-8 TEL_FT P_WEB_W AN Filter Rules S ummar y Menu 21.1.1 - Filter Rules Summary # A Type Filter Rules M m n - - ---- -------------------------------------------- --------- - - - 1 Y IP Pr=6, SA=0.0.0.0, D[...]
-
Page 101
P312 Br oadband S ecurity G ateway 7-6 Filters 7.2.1 Filter Rules Summary Menu This screen shows the summary o f the existing rules in the filter set. The follow ing tables contain a brief description of the abbreviati ons used in the previous m e nus. Table 7- 1 Abbreviatio ns Used in t he Filter Ru les Su mmary M enu Abbrev iations Description Di[...]
-
Page 102
P312 Br oadband S ecurity G ateway Filters 7-7 The protocol dependent filter rules abbreviation are listed as follows: ! If the filter type is IP, the following abbreviations listed in the following table will be used. Table 7-2 Abbrev iations Used If Filter Type Is I P Abbrev iation Description Pr Protocol SA Source Address SP Source Port number D[...]
-
Page 103
P312 Br oadband S ecurity G ateway 7-8 Filters Figure 7-9 Menu 21.1.1.1 - TCP/I P Filter Ru le The following table describes ho w to configure your TCP/IP filter rule. Table 7-4 T CP/IP Filter Rule M enu Fields Field Description Option Active This field a ctivates/deactiv ates the fi lter rule. Yes/No IP Protocol Protocol refers to the upper layer [...]
-
Page 104
P312 Br oadband S ecurity G ateway Filters 7-9 Field Description Option don’t-care if it is 0. Destinatio n: Port # Comp Select the compar ison to apply to t he destination port in the packet a gainst the value g iven in Destination : Port #. None/Less/Gr eater/ Equal/Not Equal] Source: IP Addres s Enter the source IP Ad dress of the packet you w[...]
-
Page 105
P312 Br oadband S ecurity G ateway 7-10 Filters Field Description Option Once you h ave co mpleted fi lling in Menu 21.1.1.1 - TCP/IP Filter Rule , press [E nter] at the m essage [Press Enter to C onfir m] to save y our co nfiguration, or press [Esc] to ca ncel. This data w ill now be displayed on Menu 21.1.1 - Filter Rule s Summary . The following[...]
-
Page 106
P312 Br oadband S ecurity G ateway Filters 7-1 1 Packet into IP Filter Matched Matched Yes Action Matched Action Not Matched More? No Filter Active? Check IP Protocol Drop Drop Packet Accept Packet Drop Forward Check Next Rule Check Next Rule Check Next Rule Forward Not Matched Yes No Check Src IP Addr Apply SrcAddrMask to Src Addr Matched Check De[...]
-
Page 107
P312 Br oadband S ecurity G ateway 7-12 Filters 7.2.4 Generic Filter Rul e This section shows you ho w to configure a generic filter rule. The purpose of generic rules is to allow you to filter non-IP packets. For IP, it is generally easier to use the IP rules directly. For generi c rules, the Pres tige treats a pack et as a byte stream as opposed [...]
-
Page 108
P312 Br oadband S ecurity G ateway Filters 7-13 The following table describes the fields in the Generic Filter Rule Me nu. Table 7-5 Generic Filter Rule Menu Fields Field Description Option Filter # This is the filter set, f ilter rule co-ordi nates, i.e., 2,3 refers to the second filter set and the thir d rule of that set . Filter Type Use the [SP[...]
-
Page 109
P312 Br oadband S ecurity G ateway 7-14 Filters Drop Once you h ave co mpleted fi lling in Menu 21.4.1.1 - G eneric Filter Rule , pre ss [Enter ] at the message [Press Enter to C onfir m] to save y our co nfiguration, or press [Esc] to ca ncel. This data w ill now be displayed on Menu 21.1.1 - Filter Rule s Summary . 7.3 Example Filter Let’s look[...]
-
Page 110
P312 Br oadband S ecurity G ateway Filters 7-15 Figure 7-1 3 Exampl e Filter – M enu 21.1. 1.1 When y o u press [Enter] to co nfirm, you will see the following screen. Note that there is only one filter rule in this set. Menu 21.1.1 - TCP/IP Filter Rule Filter #: 3,1 Filter Type= TCP/IP Filter Rule Active= Yes IP Protocol= 6 IP Source Route= No D[...]
-
Page 111
P312 Br oadband S ecurity G ateway 7-16 Filters Figure 7-1 4 Exampl e Filter Rule s Summar y – Menu 21.1.3 After you’ve created the filter set, you must apply it. Step 1. Enter 11 from the main menu to go to Men u 11. Step 2. Go to the Edit Filter Sets field, press th e [SPA CEBAR ] to to g gle Yes to No and press [ENTER] . Step 3. This brin gs[...]
-
Page 112
P312 Br oadband S ecurity G ateway Filters 7-17 packets and after NAT for incoming packets. On the other hand, the generic, or device filters are applied to the raw packets that appear on the wire. They are applied at th e point when the Prestige is receiving and sending the pack ets; i.e. the interface. The in terface can be an Ethernet port or an[...]
-
Page 113
P312 Br oadband S ecurity G ateway 7-18 Filters Figure 7-16 Filtering LAN Traffic 7.6.2 Remote Node Filters Go to Menu 11.5 (shown below – note that call filter sets are only present for PP PoE encapsulation) and enter the number(s) of the filter set(s) as appropriate. You can cascade up to four filter sets by entering their numbers s eparated b [...]
-
Page 114
P312 Br oadband S ecurity G ateway SNMP 8-1 Chapter 8 SNMP Configuration This chapt er dis cusses SNMP (Simp le Networ k Manage ment Pro tocol) for network m anagem ent and monitor ing. 8.1 About SNMP Your Presti ge supports SNMP agent functi onality, whi ch allows a manag er station t o manage and m o nitor the Prestige through the network. Keep i[...]
-
Page 115
P312 Br oadband S ecurity G ateway 8-2 SNMP The following table describes the SNMP co nfiguration parameters. Table 8-1 SNMP Configuration Menu Fields Field Description Default Get Community Enter th e get community , which i s the pa ssword for the incomi ng Get- and GetN ext- request s from the managem ent station. public Set Community Enter th e[...]
-
Page 116
P312 Br oadband S ecurity G ateway System I nformati on & D iagnosis 9-1 Chapter 9 System Information & Diagnosis This chapt er talk s you thro ugh SMT Menus 2 4.1 to 24 .4. This chapter covers the diagnost ic to ols that help you to maintai n your Prestige. T hese too ls incl ude updates on system status, port stat us, log and trace capabi[...]
-
Page 117
P312 Br oadband S ecurity G ateway 9-2 System I nformati on & Diagn osis 9.1 System Status The fi rst sel e ctio n, S yste m St a tus, give s you in for matio n on th e ver sion o f your s yste m fir mwar e and the status and s tatistics of the ports, as sh own in the figure below. System Status is a tool that can be used to monito r yo ur P re[...]
-
Page 118
P312 Br oadband S ecurity G ateway System I nformati on & D iagnosis 9-3 The following table describes the fields present in Menu 24.1 - System Maint enance - Sta t us . T able 9-1 System M ainten ance - Statu s Men u Fields Field Description Port The W AN or LAN port. Status Shows the po rt speed and duplex setting if you’re using Ethernet E[...]
-
Page 119
P312 Br oadband S ecurity G ateway 9-4 System I nformati on & Diagn osis 9.2 S ystem Information and Console Port Speed This secti on descri bes your sys te m and al lows you t o choose diff ere nt consol e port speeds. To g et to the Syst em Inf or mation a nd Cons ole Port Speed: Step 1. Enter 24 to go to Menu 2 4 – System Ma int enance . S[...]
-
Page 120
P312 Br oadband S ecurity G ateway System I nformati on & D iagnosis 9-5 Table 9- 2 Fields in System M aintenance Field Description Name This is the Prest ige's sy stem nam e + domain nam e assigned in Menu 1. E.G., Syste m Name= xx x; Domain Name= baboo.mic key.com Name= xx x.baboo.mi ckey.com Routing Refers to th e routing protoco l used[...]
-
Page 121
P312 Br oadband S ecurity G ateway 9-6 System I nformati on & Diagn osis 9.3.1 Viewing Error Log The first place you should look for clu es when something goes wrong is the error/trace log. Follow the procedure below to view the local error/trace log: Step 1. Select opti on 24 from the Main Menu to open Menu 24 - System Mainte na nce . Step 2. [...]
-
Page 122
P312 Br oadband S ecurity G ateway System I nformati on & D iagnosis 9-7 Figure 9-8 M enu 24.3.2 - Syst em Main tenance – UNI X Syslog You need to conf i gure the UNIX syslog param eters described in the following table to activ ate syslog then choose w hat y o u want to log. Table 9- 3 System M aint enance M enu Syslog P arameter s Parameter[...]
-
Page 123
P312 Br oadband S ecurity G ateway 9-8 System I nformati on & Diagn osis 1. CDR CDR Message Format Sdcm dSyslogS end( SYSLOG_CDR, SYSLOG_INFO, String ); String = board xx line xx channel xx, call xx, s t r board = the hardware board ID line = the WAN ID in a board Channel = channel ID within the WAN call = the call reference number which start [...]
-
Page 124
P312 Br oadband S ecurity G ateway System I nformati on & D iagnosis 9-9 Mar 03 10:39:43 202.132.155.97 ZyXEL: GEN[fffffffffffnordff0080] }S05>R01mF Mar 03 10:41:29 202.132.155.97 ZyXEL: GEN[00a0c5f502fnord010080] }S05>R01mF Mar 03 10:41:34 202.132.155.97 ZyXEL: IP[Src=192.168.2.33 Dst=202.132.155.93 ICMP]}S04>R01mF Mar 03 11:59:20 202[...]
-
Page 125
P312 Br oadband S ecurity G ateway 9-10 System I nformati on & Diagn osis 9.3.3 Call-T riggering Packet Call-Triggering Packet display s information about the packet that trigg ered a dial-out call in an easy readable form at. Equivalent information is available in Menu 24.1 in hex form at. A n ex amp le is s how n next. Figure 9-9 Call-Trigg e[...]
-
Page 126
P312 Br oadband S ecurity G ateway System I nformati on & D iagnosis 9-1 1 Figure 9-10 M enu 24.4 - Sy stem M aintenance - Dia gnostic Follow the proced ure b e lo w to get to M enu 24.4 - S ystem M aintenance – Diagn ostic. Step 1. From the Main Menu, select option 24 to open Menu 24 - Syst e m Maintena nce . Step 2. From this menu, select o[...]
-
Page 127
P312 Br oadband S ecurity G ateway 9-12 System I nformati on & Diagn osis Figure 9-11 WAN & L AN DHCP The follo wing table describes t he diagnostic tests a vailable in Menu 24.4 for y our P restige and the connections. Table 9-4 Syste m M aintenance Menu Diagnostic Number Field Description 1 Ping Host Enter 1 t o ping any machi ne (with a [...]
-
Page 128
P312 Br oadband S ecurity G ateway T r ansferring F iles 10-1 Chapter 10 T ransferring Files This chapt er tells you how to bac k up and restore y our confi guratio n file as well as upload n ew firmware an d a new c onfigurat ion file. 10.1 Fil ename conventions The configuration file (often called the ro mfile or rom-0) contains the factory defau[...]
-
Page 129
P312 Br oadband S ecurity G ateway 10-2 T ransferring F iles Table 10-1 Filename Conventions File Ty pe Internal Name External Name Description AT Command Configurati on File Rom-0 *.rom This is the router config uration f ilename on the Prestige . Uploading the ro m-0 file replaces the entire RO M file sy stem, including y our Prestige con figurat[...]
-
Page 130
P312 Br oadband S ecurity G ateway T r ansferring F iles 10-3 10.3 Restore Configuration Menu 2 4.6 -- System Maint enance - Restore Configuration allo ws you to restore the configuratio n via the console port. FTP and TFTP are the preferre d methods for restoring your current w orkstation configuration to your Prestig e since FTP and TF TP are fas[...]
-
Page 131
P312 Br oadband S ecurity G ateway 10-4 T ransferring F iles Step 4. After successful firmware u pload, enter atgo to restart the Prestige. Figure 10- 4 Menu 24.7.1 - System M aintenan ce - Uplo ad Router Fi rmware 10.4.2 Uploading Router Configuration File The configuration data, system-related data, the error log and the trace log are all stored [...]
-
Page 132
P312 Br oadband S ecurity G ateway T r ansferring F iles 10-5 Figure 10-5 M enu 24.7.2 - Sy stem Maintenance - Upload Router Configuration File 10.5 TFTP File T r ansfer In addition to the direct con sole port connection, the Prestige supports th e up/downloading of the firmware and th e configu ration file us ing TFTP (Triv ial Fil e Transfer Prot[...]
-
Page 133
P312 Br oadband S ecurity G ateway 10-6 T ransferring F iles Note: If you upload the firm ware to the Prestige, i t will reboo t automa ticall y when the file tra nsfer is completed (t he SY S LED will flash). Note that the telnet connection must be active a nd the SMT in CI mode before and during the TFTP transfer. For details on TFTP commands (se[...]
-
Page 134
P312 Br oadband S ecurity G ateway T r ansferring F iles 10-7 10.6 FTP File T ransfer In addition to uploading the firmware and configuration via the console port and T FTP client, you can al so upload the Prestige firmware an d config uration files using FTP. To use th is feature, your workstation must have a n FTP clie nt . When you telnet into t[...]
-
Page 135
P312 Br oadband S ecurity G ateway 10-8 T ransferring F iles Figure 10- 7 Telnet in to Menu 24.7.2 - System M aintenance To transfer the f irmware and the configuration file, follow these examples: 10.6.1 Using the FTP command from the DOS Prompt Step 1. Launc h the FTP clie nt on your wor kstat i o n. Step 2. Ty pe open and th e IP address of y o [...]
-
Page 136
P312 Br oadband S ecurity G ateway T r ansferring F iles 10-9 Figure 1 0-8 F TP Session Examp le The sy stem re boot s aft er a succes sful upload . The follow ing tabl e describes s ome of the fields t hat you may see in third part y F TP clients. Table 10- 3 T hird Part y FTP Client s –Gene ral field s Host Addr ess Enter the ad dress of the ho[...]
-
Page 137
[...]
-
Page 138
P312 Br oadband S ecurity G ateway System Mai nten ance & I nform ati on 1 1-1 Chapter 11 System Maintenance & Information This chapt er leads you throu gh SMT menus 2 4.8 to 24.11 . 11.1 Command Interp reter Mo de The Command Interpreter (C I) is a part of the main rout er firmw are. The CI provides mu ch of the same functionality as the S[...]
-
Page 139
P312 Br oadband S ecurity G ateway 1 1- 2 System Mai nten ance & I nform ati on 11.2 Call Contr ol Support The Prestige provides two call control fun ctions: budget manag ement and call history. Please note that this menu is on l y appl icable when Encapsulation is set to PPPoE or PPTP in Menu 4 or Menu 11.1. The budget management function allo[...]
-
Page 140
P312 Br oadband S ecurity G ateway System Mai nten ance & I nform ati on 1 1-3 The total budget is the time limit on the accu mulated ti me for outgoing calls to a remote node. When this limit is reached, th e call will be dropped and fu rther outgoing calls to that remote node w ill be blocked. After each period, th e total budget is reset. Th[...]
-
Page 141
P312 Br oadband S ecurity G ateway 1 1- 4 System Mai nten ance & I nform ati on Table 11- 2 Call Hi story Field s Field Description Phone Number The PPPoE service name s are show n here. Dir This sh ows w hether the call was in coming or outgo ing. Rate This is the transfer rate o f the call. #call This is the number o f calls made to or receiv[...]
-
Page 142
P312 Br oadband S ecurity G ateway System Mai nten ance & I nform ati on 1 1-5 Figure 11-6 System Maintenance – Time and Date Setting Table 11-3 T ime and Date Setting Fields Field Description Use Time S erver w hen Bootup= Enter the time service protocol t hat your timeserver w ill send when the Prestige pow ers up. Choices are D ay time (RF[...]
-
Page 143
P312 Br oadband S ecurity G ateway 1 1- 6 System Mai nten ance & I nform ati on zone and G reenwich mean Time (GM T). Be aware if/w hen daylight savings ti me alters this ti me difference for your time zone. Once you h ave filled in the new time and date, press [E nter] to save the s etting a nd press [Es c ] to return to Menu 2 4 . 11.4 Remote[...]
-
Page 144
P312 Br oadband S ecurity G ateway System Mai nten ance & I nform ati on 1 1-7 Table 11-4 M enu 24.11 - Re mote Management Control Field Description Option FTP service a c tive Press the [SPACE BAR] to t oggle Yes to No and press [Enter] to disable all FTP activity (both LAN and WAN). Yes No Telnet se rvice act ive Press the [SPACE BAR] to t og[...]
-
Page 145
P312 Br oadband S ecurity G ateway 1 1- 8 System Mai nten ance & I nform ati on Figure 11-9 Boot Module Commands ======= Debug Command Listing ======= AT just answer OK ATHE print help ATBAx change baudrate. 1:38.4k, 2:19.2k, 3:9.6k 4:57.6k 5:115.2k ATENx,(y) set BootExtension Debug Flag (y=password) ATSE show the seed of password generator ATT[...]
-
Page 146
P312 Br oadband S ecurity G ateway Te l n e t 12-1 Chapter 12 Telnet Configuration and Capabilities This chapt er cov ers the T elnet C onfigura tion and C apabili ties of th e Pres tige. 12.1 About T elnet Configurati on Before the Prestige is properly setup for T CP/IP, the only option for configuring it is through the console port. Once y our Pr[...]
-
Page 147
P312 Br oadband S ecurity G ateway 12-2 Te l n e t 12.3.2 Syst em T imeout There is a sy stem timeou t o f 5 minu te s (300 seconds) for eith er the console port or teln et. Your Pres tige will automatically log you out if you do nothin g in this ti meout period, except when it is continuousl y updating the status in M enu 24.1 or w hen "sys s[...]
-
Page 148
Firewall and Cont ent F ilter s IV Part IV: Firewall and Co ntent Filters Chapters 13 – 20 des crib e types of fire walls, ho w to conf igure your Pres tige f irewall using th e Prestig e Web Configurat or , as well as t ypes of Den ial of Ser vices (D oS) attac ks and Content Filter ing.[...]
-
Page 149
P312 Br oadband Security G ateway What Is a Firewall? 13-1 Chapter 13 What is a Firewall This chapter giv es some bac kg rou nd infor mation on fir ew al ls . Ori gin ally , the te r m firewall referred to a cons tructio n techniqu e desi gned to prevent the spread of fi re from one room to another. The netw or k term firewall is ty pically defined[...]
-
Page 150
P312 Br oadband Security G ateway 13-2 W hat Is a Firewall ? needed to filter application traffic and direct it to a number of specific systems. The router need only allow application traffic destined for the applicatio n gate way and reject the rest. 13.1.3 Stateful Inspe ction firewalls Stateful Inspection firewalls res trict access by screening [...]
-
Page 151
P312 Br oadband Security G ateway What Is a Firewall? 13-3 Figure 13-1 Prestige Firew all Application 13.3 Denial of Serv ice Denials of Service (DoS) attack s are aimed at devices and networks with a con nection to the Internet. Their goal is not to st eal information, but to disable a device or n etwork so users n o longer have access to network [...]
-
Page 152
P312 Br oadband Security G ateway 13-4 W hat Is a Firewall ? Table 13-1 Common IP Ports 21 FTP 53 DNS 23 Telnet 80 HTTP 25 SMTP 110 POP3 13.3.2 T y pes of DoS att acks There are four types o f DoS attacks: 1. Those that exploit bugs in a T CP/IP implementation. 2. Those that exploit weakn esses in the TCP/IP specification. 3. Brute-f orce attacks t[...]
-
Page 153
P312 Br oadband Security G ateway What Is a Firewall? 13-5 Under normal circumstances , the application that initiates a session sends a SYN (synchron ize) packet to the receiving s erver. The receiver sends back an ACK (acknowledgment) packet and its own SYN, and then the initiator responds with an ACK (ackno wled g ment). After this ha nds hake, [...]
-
Page 154
P312 Br oadband Security G ateway 13-6 W hat Is a Firewall ? Figure 13-4 Smurf Attack 4. Often, many DoS attacks also employ a technique known as "IP Spoofing" as part of their attack . IP Spoofing may be us ed to break into systems , to hide th e hacker's iden tity, or to ma gnify th e effect of t he DoS attack. IP Spoofin g is a te[...]
-
Page 155
P312 Br oadband Security G ateway What Is a Firewall? 13-7 Figure 13-5 Stateful Inspection Figure 13-5 shows the Presti ge’s d efault firewall rules in action as well as demonstrates ho w stateful inspection works. User A can initiate a T elnet session fro m w i thin the LAN and resp o nses to this request are allowed. However other Telnet traffi[...]
-
Page 156
P312 Br oadband Security G ateway 13-8 W hat Is a Firewall ? 7. The packet is ins pected by a firewall rule, and the connection 's state table entry is updated as necessary. Based on the updated state inform ation, the inbound extended access list temporary entries might be m odi fied, in order to perm it only packets that are valid for the cu[...]
-
Page 157
P312 Br oadband Security G ateway What Is a Firewall? 13-9 When any subs eq uent packet hi ts the box (from the Internet or from the LAN), its conn ection information is extracted and ch ecked against the cache. A pack e t is only allowed to pass through if it corresponds to a v alid connection (that is, if it is a response to a connection which or[...]
-
Page 158
P312 Br oadband Security G ateway 13-10 W hat Is a Firewall ? 3. Limit who can Telnet into your router. 4. Don't enable any l ocal service (su c h as SNMP or NTP) th at you don't us e. Any enabled serv ice could present a potential security risk. A determined, hostile part y might be able to find creative way s to misuse the enabled serv [...]
-
Page 159
P312 Br oadband Security G ateway What Is a Firewall? 13-1 1 12. Always shred confidential information, particularly about your computer, before throwing it away. Some hackers dig through the trash of co mpanies or individ uals for information that mig ht help them in a social intrusio n.[...]
-
Page 160
[...]
-
Page 161
P312 Br oadband S ecurity G ateway Introduc ing the Pr estige F irewall 14-1 Chapter 14 Introducing the Prestige Firewall This chapt er shows y ou how to get st arted with the Prest ige Firew all. Ple ase see Chap ter 13 for some bac kground informatio n on f irewalls. 14.1 SMT Menus From the Main Menu (see below) enter 21 to go to Menu 21 - Filter[...]
-
Page 162
P312 Br oadband Security G ateway 14-2 Introducing the Pres tige F irewall Figure 14-3 M enu 21.2 – Fire wall Setup Please n ote that you can onl y configure the fire wall rules u sing the Pres tige Web Configur ator or CLI co mmands. 14.1.1 V iew Firewall Log Enter 3 from menu 21 to view the firewall log. Firewall logs may also b e vie wed from [...]
-
Page 163
P312 Br oadband S ecurity G ateway Introduc ing the Pr estige F irewall 14-3 ICMP Echo A brute-force attack, su ch as a "Smurf" attack, targets a feature in the IP specifi cation known as directed or subn et broadcasting , to quickly flood th e target network with useless data. A Smurf hack er floods a rout er with Intern et Control Messa[...]
-
Page 164
P312 Br oadband Security G ateway 14-4 Introducing the Pres tige F irewall T racerout e Traceroute is a u tility used t o determin e the path a packet tak e s between tw o endpoints. S ometimes w he n a packet filter f irewall is configured in correctly an attacker can traceroute th e firewall gaining knowledge of the n etwork topology inside the f[...]
-
Page 165
P312 Br oadband S ecurity G ateway Introduc ing the Pr estige F irewall 14-5 Table 14-4 View Firewall Log Field Description # This is the index number of the firewall log. 128 entries are availa ble numbered fro m 0 to 127. Once t hey are all used, the log will wr ap around and t he old logs w ill be lost. mm:dd:yy e.g., Jan 1 70 Time This is the t[...]
-
Page 166
P312 Br oadband Security G ateway 14-6 Introducing the Pres tige F irewall Figure 14-5 Big Picture - Filtering, Firew all and NA T 14.3 Packet F iltering Vs Firewall Below are some comparisons between the Prestige’s filtering and firewall functions. 14.3.1 Packet Filtering: ! The router filters packets as they pass through the router’s interfac[...]
-
Page 167
P312 Br oadband S ecurity G ateway Introduc ing the Pr estige F irewall 14-7 When T o Use F iltering 1. To block/allow LAN pack ets by their MAC address . 2. To block/allow special IP packets which are neither TCP, UDP, nor ICMP packets. 3. To block/al low both i nboun d (WAN to LAN) and outbou nd (LAN to WA N) traffic between the s pecific inside [...]
-
Page 168
[...]
-
Page 169
P312 Br oadband S ecurity G ateway Introduc ing the Pr estige Web Conf igur ator 15-1 Chapter 15 Introducing the Prestige Web Configurator This chapt er shows y ou how to configur e your fir ewall w ith the W eb Conf igurator. 15.1 Web Configurator Login and Welcome Screens Launch y o ur web brow ser and en ter 192.168.1.1 as the URL. This is the f[...]
-
Page 170
P312 Br oadband Security G ateway 15-2 Introduc ing the Prestige Web Config urator Figure 15-2 Prestige Web Configurator We lcom e Screen 15.2 Enabling the Firewall Click Firewall, then Con figuration, then the Rule Config tab to enable the fire wall a s seen in t he following screen.[...]
-
Page 171
P312 Br oadband S ecurity G ateway Introduc ing the Pr estige Web Conf igur ator 15-3 Figure 15-3 Enabling the Firewall 15.3 E-Mail This screen allows y ou to specify your mail server, where e-m a i l alerts should be sent as well as when and how often they should be sen t. 15.3.1 What are Alert s? Alerts are reports on events such as attacks, whi [...]
-
Page 172
P312 Br oadband Security G ateway 15-4 Introduc ing the Prestige Web Config urator To field and schedule times f or sending alerts in the Alert Timer fields in the E- Mail screen (following screen). 15.3.2 What are Logs? A log is a det ailed record th at you create f or packets that either match a ru le, don’t match a rul e or both wh en you are [...]
-
Page 173
P312 Br oadband S ecurity G ateway Introduc ing the Pr estige Web Conf igur ator 15-5 Table 15- 1 E-Mail Field Description Options Address Inform ation Mail Serv er Enter the IP address of your mai l server in dot dec imal format. Y our Internet S ervice Pr ovider (ISP) sh ould be able to pr ovide this information. If t his field is left blank, log[...]
-
Page 174
P312 Br oadband Security G ateway 15-6 Introduc ing the Prestige Web Config urator 15.3.3 SMTP Error Me ssages If there are diff iculties in sending e-mail the following error messag es appear. Please see the Support Notes on the accom panying CD for inform atio n on other ty pe s of error m e ssages. E-mail error messages appear as "SMTP acti[...]
-
Page 175
P312 Br oadband S ecurity G ateway Introduc ing the Pr estige Web Conf igur ator 15-7 Figure 15-5 E-M ail Log 15.4 A ttack A l ert In this screen you may choose to generate an alert when ever an attack is detected. For DoS attacks, the Prestig e uses thres holds t o determine when to drop sess ions th at do not becom e fully esta blished. These thr[...]
-
Page 176
P312 Br oadband Security G ateway 15-8 Introduc ing the Prestige Web Config urator You can use the default threshold values, or you can change them to values more suitable to your security requirements. 15.4.1 Threshold V a lues : You really jus t need to tune these param eters when something is n o t working and after y ou have checked the firewal[...]
-
Page 177
P312 Br oadband S ecurity G ateway Introduc ing the Pr estige Web Conf igur ator 15-9 The Prestige deletes the oldest exi sti ng half-open session for the host for every new connectio n request to the host. This ens ures that the num b er of half-open s essions to a give n host will never ex ceed the threshold. 2. If the Bl ockin g Time timeout is [...]
-
Page 178
P312 Br oadband Security G ateway 15-10 Introduc ing the Pr estige Web Conf igur ator Table 15- 3 A t tac k Alert Field Description Default Values Generate alert w hen attack dete cted A dete cted attack automa tically generates a log entry. Che ck this box to genera te an alert (as w ell as a log) w henever an atta ck is detected. See section 15 .[...]
-
Page 179
P312 Br oadband S ecurity G ateway Introduc ing the Pr estige Web Conf igur ator 15-1 1 Field Description Default Values rises abov e this number, the Pre s tige deletes half-ope n session s as required to accommoda te new connection requests. Do not set Maximum Inco mplet e High to lower than t he current M ax-Incomplete Low number. half-open sess[...]
-
Page 180
[...]
-
Page 181
P312 Br oadband S ecurity G ateway Creating C ustom Rules 16-1 Chapter 16 Creating Custom Rules 16.1 Rules Overvie w Firewall rules are subdiv ided into “Local Network ” and “Internet”. By def a ult, the Prestige’s stateful packet inspection allows all communications to the Intern et that originate from the local network, an d blocks all [...]
-
Page 182
P312 Br oadband Security G ateway 16-2 Creating Custom Rules 5. What computers on the LAN are to be affected (if any ) ? 6. What computers on the Internet w ill be affected? The more specific, the better. For ex a mple, if traff ic is being allowed from the Internet to the LAN, it is better to allo w only certain machines on the Internet to access [...]
-
Page 183
P312 Br oadband S ecurity G ateway Creating C ustom Rules 16-3 16.3 Connection Direction This section talks about con fi gur in g firewall rules for connections going fro m LAN to WAN and WAN to LA N in you r fir ewa ll. 16.3.1 LA N to W A N Rules The default rule for LA N to WAN traffic is that all users on the LAN are allowed non-restricted acces[...]
-
Page 184
P312 Br oadband Security G ateway 16-4 Creating Custom Rules Figure 16-2 W AN to LAN Traffic 16.4 Services Supported The list box in the Rule Config (uration) screen ( see Figur e 16-4 ) displays all s ervices that the Prestige supports . Custom services may also be configured u sing the Custom Ports function discussed later. Next to the name of th[...]
-
Page 185
P312 Br oadband S ecurity G ateway Creating C ustom Rules 16-5 Table 16-1 Services Supported SERVIC E DESCRIPTI ON BGP(TCP:179) Border Gateway Protocol BOOTP_CLIENT (UDP: 68) DHCP Client BOOTP_SERVE R(UDP :67) DHCP Server CU-SEEME(TCP/UDP: 7648, 24032) A popular videoc onferencing solution f rom White P ines Software. DNS(UDP/TCP: 53) Dom ain Name [...]
-
Page 186
P312 Br oadband Security G ateway 16-6 Creating Custom Rules 16.5 Rule Summary The fiel ds in the Rule Su mma ry screen s are the sa me for Local Network and Int erne t , so the discuss ion below refers to both. Click on Firewall , then Local Ne t work to bring up the follo wing scree n. This screen is a summary of the existing rules. Note the orde[...]
-
Page 187
P312 Br oadband S ecurity G ateway Creating C ustom Rules 16-7 Table 16- 2 Firewall Rules Su mmary – F irst S creen Field Description Option General Name T his is the name of the firewall rule set. Default Permit L og Check this box to log all matched rule s in the ACL default set. The default a ction for packe ts not matchin g follow ing rules. [...]
-
Page 188
P312 Br oadband Security G ateway 16-8 Creating Custom Rules Field Description Option section 16.5.1 f or more details. Delete Press this bu tton to delet e an existing firew all rule. Note that s ubsequent f irewall rules mov e up by on e when y ou take this a c tion. Move Rule You may reorder your rules usi ng this fun c tion. Select by cl icking[...]
-
Page 189
P312 Br oadband S ecurity G ateway Creating C ustom Rules 16-9 Figure 16-4 Creating/Editing A Firewall Rule Table 16-3 Crea ting/Editing A Firewall Rule Field Description Option Source Address Press SrcA dd to add a n ew addres s, SrcEdit to edit an ex isting one or Sr cDelete to delete one. Please see the next sect ion for more i nformation o n ad[...]
-
Page 190
P312 Br oadband Security G ateway 16-10 Creating C ustom Rules Field Description Option from the A vailable Serv ices box on the left, then pres s >> to select it. T he selecte d service sh ows up on the Select ed Services box on the rig ht. To remove a servi ce, click on it in t he Selected Serv ices box on the right, then press <<. Ac[...]
-
Page 191
P312 Br oadband S ecurity G ateway Creating C ustom Rules 16-1 1 Figure 16-5 Adding/Editing Source & Destination A ddresses Table 16-4 Adding/Editing Source & Destination Addr esses Field Description Option Address Ty pe Do y ou want your rule to a pply to pa ckets with a part icular (single) IP , a range of IP addresses (e.g. , 192.16 8.1.[...]
-
Page 192
P312 Br oadband Security G ateway 16-12 Creating C ustom Rules When you hav e finished, clic k Apply to save your custo mized sett ings and exit thi s screen, Cancel to exit this s creen w ithout savin g , or Hel p for online HTM L help on fields in this screen. 16.6 T imeout The fiel ds in the Timeout screens are the same for Local and Int ernet n[...]
-
Page 193
P312 Br oadband S ecurity G ateway Creating C ustom Rules 16-13 Figure 16-6 T imeout Scr een[...]
-
Page 194
P312 Br oadband Security G ateway 16-14 Creating C ustom Rules Table 16-5 T imeout Menu Field Description Default Value TCP T imeout V alues Connectio n Timeout This is the length of time the Pre stige waits for a T CP session to r each the establi shed state b efore dropping the sessio n. 30 seconds FIN- W ait T imeout This is the len gth of ti me[...]
-
Page 195
P312 Br oadband S ecurity G ateway Custom Ports 17-1 Chapter 17 Custom Ports 17.1 Introducti on You will need to configure customized por ts for services not included in t he services pr o vided in the scrolling list box in the screen sho wn in Figure 16-4 . For fu rther information on t hese services, please read section 16.4. To configure a custo[...]
-
Page 196
P312 Br oadband Security G ateway 17-2 Custom Ports Table 17- 1 Custom Ports Field Description Cus tom i zed Ser vices No T his is the number o f your cust omized port. Name T his is the name of yo ur customized port. Protocol This sh ows the IP protocol ( TCP , UDP or Both ) that defines your customized port. Port T his is the port number or range[...]
-
Page 197
P312 Br oadband S ecurity G ateway Custom Ports 17-3 Figure 17-2 Creating/Editing A Custom Port The next table describes the fields in this screen.[...]
-
Page 198
P312 Br oadband Security G ateway 17-4 Custom Ports Table 17- 2 Creating/Ed iting A Custom Port Field Description Option Service Na me Enter a unique name for your custo m port. Service Ty pe C hoose the IP por t ( TCP , UDP or Both ) that defines your customized port fr om the drop down list box. TCP UDP Both Port Configura tion Type Click the Sin[...]
-
Page 199
P312 Br oadband S ecurity G ateway Logs 18-1 Chapter 18 Logs 18.1 Log Screen When y ou configure a n e w rule y ou also have the opti on to log ev e nts that match, don’ t match (or both ) this rule ( see Figur e 16-4 ). Click on the L ogs to b ring up the next sc reen. Fire wall l o gs ma y also b e vie wed i n SMT Menu 21.3 ( s ee section 14.1.[...]
-
Page 200
P312 Br oadband Security G ateway 18-2 Logs Table 18-1 Log Screen Field Description No. This is the index number of the firew all log. 128 entr ies are av ailable numbered from 0 to 127. Once they ar e all used, the log w ill wrap aroun d and the old l ogs will be los t. dd:mm:yy e.g., Jan 1 0 Time This is the tim e the log w as recorded in thi s f[...]
-
Page 201
P312 Br oadband S ecurity G ateway Logs 18-3 Field Description When you hav e finished view ing this screen, cli ck another link to exit.[...]
-
Page 202
[...]
-
Page 203
P312 Br oadband S ecurity G ateway Example F irewall Rules 19-1 Chapter 19 Example Firewall Rules 19.1 Examples Please note that whenever you open a h ole in the firewall to forward a service f ro m the Internet to the local netwo rk, and NAT is also enab l ed, you ma y have to al so conf igur e a serve r be hi nd N AT usi n g SMT menu 15.2. Please[...]
-
Page 204
P312 Br oadband Security G ateway 19-2 Examples Fire wall R ules Figure 19-1 Activate The Firewall Step 2. Now we conf i gure our E- m ail screen a s follo ws. Click the E-Ma il tab t o br i ng up the next screen. Check here to activate the firew a ll. You may also activate the firew all in SMT men u 21.2.[...]
-
Page 205
P312 Br oadband S ecurity G ateway Example F irewall Rules 19-3 Figure 1 9-2 Example 1 – E-M ail Scre en Step 3. Now we configu re our firewall rule as shown in the following screen. The defau l t firewall blocks all Internet traff ic entering our local n etwork, but we want to create a hole f or web service from the Internet. Go to the Ru le Sum[...]
-
Page 206
P312 Br oadband Security G ateway 19-4 Examples Fire wall R ules Figure 19-3 Example 1 – Configuring A Rule This is an Internet to Local Network rule. Click DestAdd to configure the destination address as t he IP of ou r server on th e LAN. See the ne xt scre e n. Click this butto n when you have finished editing screens. Select this service (web[...]
-
Page 207
P312 Br oadband S ecurity G ateway Example F irewall Rules 19-5 Figure 1 9-4 Example 1: D estinatio n Address for T raffic Orig inating From T he Internet 10.100.1. 2 is th e IP of ou r server on the LAN (su pporting FTP, HTTP, T elnet and mail services) to w hich we wish to forward traff ic originating from the Internet.[...]
-
Page 208
P312 Br oadband Security G ateway 19-6 Examples Fire wall R ules Figure 19- 5 Example 1 - Rule Summa ry Screen 19.1.2 Example 2 – Small Office With Mail, FTP and Web Serv ers Our small office has: i. A mail server with an IP of 192.168.10.2. ii. Two FTP servers. We w a nt FTP server On e (IP of 192.168.10 .3) to be accessible from the Internet, b[...]
-
Page 209
P312 Br oadband S ecurity G ateway Example F irewall Rules 19-7 Step 1. First we want to send alerts whe n there is an attac k. Go to the Attack Alert scree n (click Configurat ion , then the Attack Alert tab) sh own next. Figure 1 9-6 Send Alerts When Attacked Step 2. Configu re the E-Mail screen as shown in ex ample 1 – our m ai l server’s IP[...]
-
Page 210
P312 Br oadband Security G ateway 19-8 Examples Fire wall R ules Figure 19-7 Configuring A POP Custom Por t Step 4. Now, we will create rules to block all outgoing traffic (from the local network to the Internet) except for traff ic originating from the HTTP proxy server and ou r mail server. Click Internet to see the Rule Summary screen. Now click[...]
-
Page 211
P312 Br oadband S ecurity G ateway Example F irewall Rules 19-9 Figure 19- 8 Example 2 - Lo cal Net work Rule 1 Configu ration Step 6. Similarly configure another local network to Internet rule allowing traffic f rom our web (HTTP) proxy server. Step 7. The Rule Summary screen sho uld look like Figure 19-9 . Don’t forget to click Apply wh e n yo [...]
-
Page 212
P312 Br oadband Security G ateway 19-10 Examples Firewa ll Rules Figure 1 9-9 Example 2 - L ocal N etwo rk Rule Summar y Step 8. Now we want an FTP server (IP of 192.168.10.3 ) to be accessible from the Internet. Remem b er the default Internet to Local Network ACL set b locks all traffic from the Internet, so we want to create a hole for this serv[...]
-
Page 213
P312 Br oadband S ecurity G ateway Example F irewall Rules 19-1 1 Figure 19- 10 Examp le 2 - Internet to Local Netw ork Rule Summary 19.1.3 Example 3: DHCP Negotiation and S y slog Connection from the Internet The following are some Internet firew all rules examples to: 1. All ow DHCP negoti ation bet ween th e ISP and the P312. 2. Allow a syslog c[...]
-
Page 214
P312 Br oadband Security G ateway 19-12 Examples Firewa ll Rules Figure 19-11 Custom Port for Syslog Step 2. Follow the procedures outli ned in t he previous examples to configure all your rules. Whe n finished, your rule summary screen should look like the following. Cu stom por ts sh ow up wi th an “*” before their n ames in the Services list[...]
-
Page 215
P312 Br oadband S ecurity G ateway Example F irewall Rules 19-13 Figure 19-12 Syslog Rule Configuration This is our Sy slog custom port. Click Apply whe n fi nis hed . This is the address ran ge of th e syslog s er vers .[...]
-
Page 216
P312 Br oadband Security G ateway 19-14 Examples Firewa ll Rules Figure 19- 13 Exampl e 3 Rule Summary Rule 1: Allow D HCP negotiati on between t he ISP an d the P312. Rule 2: Allow a syslog connection fro m the WAN. Click Apply t o save your settings back to the Prestige.[...]
-
Page 217
P312 Br oadband S ecurity G ateway Content Fi ltering 20-1 Chapter 20 Content Filtering The Prestige can block web features such as ActiveX controls, Java applets , cookies as well as disable web proxies. The Prestige can als o block specific URLs by using the keyword featu r e. Please n ote that content filter ing means t he abili t y to bloc k ce[...]
-
Page 218
P312 Br oadband Security G ateway 20-2 Content Fi ltering 20.1.3 Cookies Cookies are used b y Web s ervers to track usag e. Cookies prov ide service based on ID. U nfortunat ely, cookies can be progra mmed not onl y to id entify the visitor to the site, but also to track that visito r 's activities. Because they represen t a potential loss of [...]
-
Page 219
P312 Br oadband S ecurity G ateway Content Fi ltering 20-3 Figure 20-1 Content Filtering Sc reen Table 20-1 Content Filtering Fields Field Description Restrict Web Feat ures Check the box(es) to re strict that featur e. When you download a page containing a restricted feat ure, that part o f the web page w ill appear blank or grayed out. Block Web [...]
-
Page 220
T r oubleshoot ing, A ppendic es, Glossar y and In dex V Part V: Troubleshooting, Append ices, Glossary and Index Chapter 21 provid es inf ormation a bout sol ving comm on probl em s, followed b y som e Appendic es, a Glossar y of T erms and an Index.[...]
-
Page 221
[...]
-
Page 222
P312 Br oadband S ecurity G ateway T r oubleshoot ing 21-1 Chapter 21 Troubleshooting This chapt er cov ers the pote ntial pr oblems you may run int o and the p ossible r emedies . After each pro blem desc ription, so me instr uctions are prov ided to help you to diagnos e and to s olve t he problem. Please se e our supp orting d isk for furt her i[...]
-
Page 223
P312 Br oadband S ecurity G ateway 21-2 T roubleshoot ing 21.2 Problems w ith the LA N Interface Table 21-2 T roubleshooting the LA N Inte rface Problem Correctiv e Action Check the 10M/100M LEDs on the front panel. O ne of the se LEDs should be on . If they are both off, chec k the cables betw een your Prestige and h ub or the station. Can’t pin[...]
-
Page 224
P312 Br oadband S ecurity G ateway T r oubleshoot ing 21-3 21.4 Problems with Internet A ccess Table 21-4 T roubleshooting Inter net Access Problem Corrective Action Connect your C able/x DSL modem with the Pres tige using appropriat e cable . Check w i th the manufacturer of y our Cable/x DSL modem abou t the cable require m ent because for s ome [...]
-
Page 225
[...]
-
Page 226
P312 Br oadband S ecurity G ateway PPPo E E Appendix A PPPoE PPPoE in Action An AD SL modem bridges a PPP session over Ethernet (PPP over Et hern et, RFC 2516) f rom you r PC to an ATM PVC (Permanent Virtual Circuit) which conn ects to a xDSL Access Concentrator where the PPP sess io n term inates (see t he next figure ). One PV C can support any n[...]
-
Page 227
P312 Br oadband S ecurity G ateway PPPo E F How PPPoE Works The P PPoE d riv er mak es th e Etherne t appear as a serial link to th e PC an d the PC r uns PPP over it, wh ile the modem bridg es the Ethernet frames to the Access C oncentrator (AC). Between the AC and an ISP, the AC is acting as a L2T P (Layer 2 T unneling Pr otoco l) LAC (L2TP Acces[...]
-
Page 228
P312 Br oadband S ecurity G ateway PPTP G Appendix B PPTP What is PPT P? PPTP (Poin t-to-Poin t T unnel ing Protocol) is a Micros oft proprietary protocol (RFC 2637 f or PPTP is inf or mati onal only ) to tu nnel PPP fram es. How can we transport PPP frame s from a PC to a broadband modem over Ethernet? A solution is to build PPT P into the ANT (AD[...]
-
Page 229
P312 Br oadband S ecurity G ateway PPTP H PNS and the PAC must have IP co nnectivity; however, the PAC must in addition have dial-up capability. The ph one call is betw een the us er and th e PAC and t he PAC tu nnels th e PPP fram es to t he PN S. Th e PP TP user is una ware o f the tu nnel be twee n the P AC and the PN S. Microsoft includes PPTP [...]
-
Page 230
P312 Br oadband S ecurity G ateway Hardware Sp ec if icati ons I Appendix C Hardware Specifications Power Specifi cation I/P AC 120V / 60Hz ; O /P DC 12V 1200 mA MTBF 100000 hr s Operation T emperature 0º C ~ 40º C Ethernet Specifi c ation for WA N 10Mbit Half Dup lex Ethernet Specifi c ation for LAN 10/100 M bit Half / Full Auto-nego tiation Con[...]
-
Page 231
P312 Br oadband S ecurity G ateway J Safety Ins tructions Appendix D Important Safety Instructions The following safety instructio ns appl y to the Prestige: 1. Be sure to read and follow all warning notices and instruction s. 2. The maximum recommended am bient temperature for the Prestige is 40º(10 4º). Care must be taken to allow sufficient ai[...]
-
Page 232
P312 Br oadband S ecurity G ateway CLI Commands K Appendix E Firewall CLI Commands The follo wing tab le d escri b es t he syn tax use d to conf i gure your fi r ewal l usi ng Co mma nd Line I nte r face (CLI) commands. S elect option 24.8 Comm and Interpreter Mo de from the Main Menu to go into CLI mode. F or details on other CLI commands to confi[...]
-
Page 233
P312 Br oadband S ecurity G ateway L CLI Commands Function CLI Sy ntax Description config edit firewall e-mail email-to <e-mail address> Edits the mail address which you want to send t he alert to config edit firewall e-mail policy <full | hourly | daily | weekly> Edits whether the current firewall t raffic log c ontents are sent throug[...]
-
Page 234
P312 Br oadband S ecurity G ateway CLI Commands M Function CLI Sy ntax Description config edit firewall set <set #> default-permit <forward | block> Edits whether a pack et is dropped or allowed through, when it does not meet a rule within the set config edit firewall set <set #> icmp-timeout <seconds> Edits the time limit, [...]
-
Page 235
P312 Br oadband S ecurity G ateway N CLI Commands Function CLI Sy ntax Description config edit firewall set <set #> rule <rule #> srcaddr-subnet <ip address> <subnet mask> Selects and edits a sourc e address and subnet mask of traffi c wh ich comply to this r ule config edit firewall set <set #> rule <rule #> src[...]
-
Page 236
P312 Br oadband S ecurity G ateway CLI Commands O Function CLI Sy ntax Description D D e e l l e e t t e e config delete firewall e-mail Removes all the settings for e-mail alert config delete firewall attack Resets all the settings for attack to default s etting config delete firewall set <set #> Removes t he specifi ed set from t he firewal[...]
-
Page 237
P312 Br oadband S ecurity G ateway P Power Adapt er Spec if ic ations Appendix F Power Adapter Specs AC Power Adapter Spec ifications North America AC Power Adapter model M W 48-1201 200 Input power: AC120Volts/ 60H z Output pow er: DC12Volts/1.2A Power consu mption: 9 W Plug: North Am erican sta ndards Safety standar ds: UL, CUL (UL 1310 , CSA C22[...]
-
Page 238
P312 Br oadband S ecurity G ateway Power Adapt er Spec if ic ati ons Q Japan AC Power Adapter model JOD-48-1124 Input pow er: AC100Volts/ 50/60Hz / 27VA Output pow er: DC12Volts/1.2A Power consu mption: 9 W Plug: Japan standard s Safety standar ds: T-Mark Australia and N ew Zea land AC Power Adapter model AD-1201200DS Input power: AC240Volts/ 50H z[...]
-
Page 239
P312 Br oadband S ecurity G ateway R Glossary Glossary of T erms 10BaseT The 10-M bps baseband Ethernet specification th at uses two pair s of tw isted-pair cabling (C ategory 3 or 5): one pair for tran smitting d ata and th e other for re ceiving data. ARP Address Re solution Proto c ol is a protocol for mapping an Internet Protoc ol address ( IP [...]
-
Page 240
P312 Br oadband S ecurity G ateway Glossary S Cookie A string of characters saved by a w eb browser on the user' s hard d isk. M any web pages send cookies to tra ck specif ic user informatio n. Cookies can be used to retai n information a s the user brow ses a web site. For example, cookie s are u sed to 'remember' the items a shop [...]
-
Page 241
P312 Br oadband S ecurity G ateway T Glossary Digital Sig nature Digital c ode that authenticat es whomever si gned the do cument or softw are. Software, messages, E mail, and other ele ctronic document s can be signed e lectronically so that they cannot be altered by anyon e else. If someon e alters a signed d ocument, the signature is no longer v[...]
-
Page 242
P312 Br oadband S ecurity G ateway Glossary U Events These are netw ork activities. Som e activities are direct at tacks on your system, while others might be depending o n the cir cumstanc es. T herefore, any a ctivity, regardles s of severity i s called an event. An event may or may not be a direct att ack on your syst em. FAQ (Frequently As ked [...]
-
Page 243
P312 Br oadband S ecurity G ateway V Glossary Integrity Proof that th e data is th e same as originally intend ed. Unautho rized software or people have not alter ed the original information. internet (Low er case i) Any t ime you connect 2 or more networks together, you have an internet. Internet (Upper c ase I) The v ast collection of inter-conne[...]
-
Page 244
P312 Br oadband S ecurity G ateway Glossary W as a stream of bits. Name Resol ution The allo cation of an IP address to a host na me. See DN S NAT Network Addres s Translation is t he translation o f an Inter net Proto col addres s used within one network to a differ ent IP addr ess know n within another netw ork - see also SUA. NDIS Network D rive[...]
-
Page 245
P312 Br oadband S ecurity G ateway X Glossary Plain Tex t T he opposite of C ipher T ext, Plain T ext is readable by anyone. Prestige W eb Configurator T his is a web-based Pre stige router ( not all) config urator that in cludes an Internet Access W izard, A dvanced an d Firewall (not al l Prestige models) configurations. POP Post Office Proto col[...]
-
Page 246
P312 Br oadband S ecurity G ateway Glossary Y system, m eaning that an end-to-end priv ate cir cuit is es tablished between caller an d callee. Public Key Encryption Sy stem of encry pting electronic files u sing a key pair . The key p air contains a public key used d uring en cryption, and a corresponding pr ivate key used d uring decryption. PVC [...]
-
Page 247
P312 Br oadband S ecurity G ateway Z Glossary SPAM Unwanted e-m ail, usually in the form of advertise ments. Spoofing To forge somethin g, such as an IP ad dress. IP Spoofing is a common way for hackers to hide their location and ident ity SSL (Secured Socket Layer) Technology that all ows you to send inf ormation that only the server can read. SS [...]
-
Page 248
P312 Br oadband S ecurity G ateway Glossary AA on a host system. O bjects includ e directories an d an assortmen t of fil e types, in cluding text files, g raphics, video, a nd audio. A URL is t he address of an ob ject that is nor mally typed in the A ddress field of a Web br owser. T he URL is basically a poi nter to the location of an object. VP[...]
-
Page 249
[...]
-
Page 250
P312 Br oadband S ecurity G ateway Index CC Index A Action for M atched Packe ts .......................... 16-10 Activate The F i rewall ...................................... 19-2 ActiveX ........................................................... 20-1 Add Keyword .................................................. 20-3 Alert Schedule ............[...]
-
Page 251
P312 Br oadband S ecurity G ateway DD Index Encapsulati on PPP over Ethernet.................................................... E Ethernet Encaps ulation3-8, 4- 1, 4-5, 4-6, 4-10, 6- 11, 6-12 Example E-M a il Log ........................................ 15-6 Examples ........................................................19-1 F Factory Default ..[...]
-
Page 252
P312 Br oadband S ecurity G ateway Index EE L LAN Setup ........................ 2-6, 2-11, 2-12, 3-4, 3-5 LAN to WAN Rules ......................................... 16-3 LAND ............................................ 13-4, 13-5, 14-2 Local Netw ork Rule Sum mary ................................................... 16-6 log.......................[...]
-
Page 253
P312 Br oadband S ecurity G ateway FF Index S Safety Instruction s ................................................ J Safety Instruction s ................................................ J saving the state ............................................... 13-6 Security In Gener al .......................................13-10 Security Ramif i cations[...]
-
Page 254
P312 Br oadband S ecurity G ateway Index GG WAN Setup ............................ 2-6, 2-10, 2- 11, 21-2 WAN to LAN Rules ......................................... 16-3 Web Configurator ........................................... 13-9 Web Proxy ...................................................... 20-2 Welcome screen .............................[...]