ZyXEL Communications 50 User Manual
- 322 pages
- 4.39 MB
A good user manual
The law requires the seller to hand over to the buyer, together with the goods, the user manual for the ZyXEL Communications 50. The absence of a manual, or incorrect information passed on to the consumer, constitutes grounds for a complaint that the device does not conform to the contract. The law allows the manual to be provided in a form other than paper, which has recently become common practice: the ZyXEL Communications 50 manual may be supplied in graphic or electronic form, or as a training video for users. The condition remains that its form be clear and understandable.
What is a manual?
The word comes from the Latin "instructio", that is, to put in order. Accordingly, the ZyXEL Communications 50 manual contains a description of the steps to follow. The purpose of a manual is to make it easier to start up and use the equipment, or to carry out a specific activity. A manual is a collection of information about the product or service; it is a guide.
Unfortunately, few users find the time to read the ZyXEL Communications 50 manual, yet a good manual not only lets you learn about a number of additional functions of the device you have purchased, but also helps you avoid most breakdowns.
What should an ideal user manual contain?
Above all, the ZyXEL Communications 50 manual should contain:
- information on the technical specifications of the ZyXEL Communications 50
- the name of the manufacturer and the year of manufacture of the ZyXEL Communications 50
- rules for operating, configuring and maintaining the ZyXEL Communications 50
- safety marks and certificates confirming compliance with standards
Why don't we read manuals?
Usually for lack of time, and out of confidence in the individual functions of the devices we have bought. Unfortunately, simply connecting and switching on the ZyXEL Communications 50 is not enough. The manual contains a number of separate instructions concerning functionality, safety principles, methods of care (including which products are worth using), possible faults of the ZyXEL Communications 50 and ways of solving problems that arise during use. Finally, the manual contains the contact details of the ZyXEL Communications website, in case the suggested solutions prove ineffective. Manuals in the form of engaging animations or video material are very popular now, as users take them in better than a brochure. This kind of manual lets the user watch the whole film without skipping the specifications and complex technical descriptions of the ZyXEL Communications 50, as often happens with the paper version.
Why is it worth reading manuals?
Above all, here we will find answers about the design and capabilities of the ZyXEL Communications 50, the use of individual accessories, and a range of information that allows you to make full use of all its functions and conveniences.
After a successful purchase of equipment or a device, it is worth spending a few minutes getting acquainted with every part of the ZyXEL Communications 50 manual. Today they are carefully prepared or translated so that they are not only understandable to the user but also fulfil their basic informational and supporting function.
Manual contents
- Page 1
ZyWALL 50 Internet Security Gateway User's Guide Version 3.50 November 2001[...]
- Page 2
Copyright: Copyright © 2001 by ZyXEL Communications Corporation. The contents of this publication may not be reproduced in any part or as a whole, transcribed, stored in a retrieval system, translated into any language, or transmitted in any form or by any means, electronic, mechanical, magn[...]
- Page 3
Federal Communications Commission (FCC) Interference Statement: This device complies with Part 15 of FCC rules. Operation is subject to the following two conditions: • This device may not cause harmful interference. • This device must accept any interference received, including interference [...]
- Page 4
Information for Canadian Users: The Industry Canada label identifies certified equipment. This certification means that the equipment meets certain telecommunications network protective operation and safety requirements. The Industry Canada label does not guarantee that [...]
- Page 5
Declaration of Conformity: We, the Manufacturer/Importer, ZyXEL Communications Corp., No. 6, Innovation Rd. II, Science-Based Industrial Park, Hsinchu, Taiwan, 300 R.O.C., declare that the product ZyWALL 50 is in conformity with (reference to the specification under which[...]
- Page 6
ZyXEL Limited Warranty: ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials or workmanship for a period of up to two years from the date of purchase. During the warranty period, and upon proof of purchase, should the [...]
- Page 7
Customer Support: Please have the following information ready when you contact customer support. • Product model and serial number. • Information in Menu 24.2.1 – System Information. • Warranty Information. • Date that you received your device. • Brief description of t[...]
- Page 8
Table of Contents: Copyright, ii; Federal Communications Commission (FCC) Interference Statement [...]
- Page 9
Table of Contents: 3.1.1 Initial Screen, 3-1; 3.1.2 Entering the Password, 3-1; 3.2 Na[...]
- Page 10
Table of Contents: Chapter 6 Internet Access, 6-1; 6.1 Internet Access Setup, 6-1[...]
- Page 11
Table of Contents: 6.2.1 SUA (Single User Account) Versus NAT, 6-6; 6.2.2 Applying NAT, 6-6; 6.3 NAT Setup [...]
- Page 12
Table of Contents: 7.6 Guidelines For Enhancing Security With Your Firewall, 7-11; 7.6.1 Security In General, 7-12; 7.7 Packet Filtering Vs Firewall[...]
- Page 13
Table of Contents: 10.2.3 Key Fields For Configuring Rules, 10-2; 10.3 Connection Direction, 10-3; 10.3.1 LAN to WA[...]
- Page 14
Table of Contents: 14.3 Exempt Computers, 14-1; 14.4 Customizing, 14-2; 14.5 Ke[...]
- Page 15
Table of Contents: 17.1 System Status, 17-1; 17.2 System Information and Console Port Speed, 17-3; 17.2.1 System Infor[...]
- Page 16
Table of Contents: 18.4.2 Configuration File Upload, 18-11; 18.4.3 FTP File Upload Command from the Command Line Example, 18-12; 18.4.4 FTP Session Example of Firmware File Upload [...]
- Page 17
Table of Contents: 21.1 Introduction, 21-1; Chapter 22 Introduction to IPSec [...]
- Page 18
Table of Contents: 23.5 Manual Setup, 23-15; 23.5.1 Active Protocol, 23-15; 23.5.[...]
- Page 19
List of Figures: Figure 1-1 Secure Internet Access via Cable, 1-4; Figure 1-2 Secure Internet Access via DSL[...]
- Page 20
List of Figures: Figure 4-2 Menu 11.1 — Remote Node Profile for PPPoE Encapsulation, 4-4; Figure 4-3 Menu 11.1 — Remote Node Profile for PPTP Encapsulation, 4-6; Figure 4-4 Menu 11.3 — Remote Node Ne[...]
- Page 21
List of Figures: Figure 6-19 Example 3: Final Menu 15.1.1, 6-21; Figure 6-20 Example 3: Menu 15.2 [...]
- Page 22
List of Figures: Figure 13-1 Activate the Firewall, 13-2; Figure 13-2 Example 1: E-Mail Screen [...]
- Page 23
List of Figures: Figure 15-16 Filtering Remote Node Traffic, 15-19; Figure 16-1 SNMP Management Model, 16-[...]
- Page 24
List of Figures: Figure 18-14 Telnet Into Menu 24.7.2 — System Maintenance, 18-12; Figure 18-15 FTP Session Example of Firmware File Upload, 18-13; Figure 18-16 Menu 24.7.1 as s[...]
- Page 25
List of Figures: Figure 23-5 HQ ZyWALL Configuration, 23-5; Figure 23-6 Menu 27.1 — IPSec Summary, 23-5[...]
- Page 26
List of Tables: Table 2-1 LED Descriptions, 2-1; Table 3-1 Main Menu Commands [...]
- Page 27
List of Tables: Table 6-3 Applying NAT in Menus 4 & 11.3, 6-7; Table 6-4 SUA Address Mapping Rules [...]
- Page 28
List of Tables: Table 15-3 TCP/IP Filter Rule Menu Fields, 15-8; Table 15-4 Generic Filter Rule Menu Fields [...]
- Page 29
List of Tables: Table 23-6 Active Protocol — Encapsulation and Security Protocol, 23-15; Table 23-7 Menu 27.1.1.2 — Manual Setup, 23-16; Table 24-[...]
- Page 30
[...]
- Page 31
Preface: About Your ZyWALL. Congratulations on your purchase of the ZyWALL 50 Internet Security Gateway. Don't forget to register your ZyWALL (fast, easy online registration at www.zyxel.com) for free future product updates and information. The ZyWALL 50 is a dual Ethernet Interne[...]
- Page 32
Preface: Our Quick Start Guide is designed to help you get your ZyWALL up and running right away. It contains a detailed easy-to-follow connection diagram, ZyWALL default settings, handy checklists, information on setting up your network and information on configuring your ZyW[...]
- Page 33
Part I: Getting Started. This part is structured as a step-by-step guide to help you connect, install and set up your ZyWALL to operate on your network and access the Internet.[...]
- Page 34
[...]
- Page 35
Chapter 1 Getting to Know Your ZyWALL. This chapter introduces the main features and applications of the ZyWALL. 1.1 The ZyWALL 50 Internet Security Gateway: The ZyWALL 50 is a dual Ethernet Internet security gateway integrated with a robust firewall and network manage[...]
- Page 36
You can configure most features of the ZyWALL 50 via SMT, but we recommend you configure the firewall and Content Filters using the ZyWALL web configurator. Content Filtering: The ZyWALL can block web features such as ActiveX controls, Java applets and cookies, as we[...]
- Page 37
Network Address Translation (NAT): NAT (Network Address Translation - NAT, RFC 1631) allows the translation of an Internet Protocol address used within one network to a different IP address known within another network. Port Forwarding: Use this feature to for[...]
- Page 38
1.3 Applications for the ZyWALL 50. 1.3.1 Secure Broadband Internet Access via Cable or DSL Modem: A cable modem or xDSL modem can connect to the ZyWALL 50 for broadband Internet access via the Ethernet port on the modem. It provides not only high speed Internet access, bu[...]
- Page 39
1.3.2 VPN Application: ZyWALL VPN is an ideal cost-effective way to connect branch offices and business partners over the Internet without the need (and expense) for leased lines between sites. Figure 1-3 VPN Application[...]
- Page 40
[...]
- Page 41
Chapter 2 Hardware Installation. This chapter explains the LEDs and ports as well as how to connect the hardware and perform the initial setup. 2.1 Front Panel LEDs and Back Panel Ports. 2.1.1 Front Panel LEDs: The LEDs on the front panel indicate the operational status of the Z[...]
- Page 42
Table 2-1 LED Descriptions (LED, FUNCTION, COLOR, STATUS, MEANING): Flashing: The 10M LAN is sending/receiving packets. Off: The 100M LAN is not connected. On: The ZyWALL is connected to a 100 Mbps LAN. 100M LAN, LAN, Orange, Flashing: The 100M LAN is sending/receiving packets. Off: The 10[...]
- Page 43
Figure 2-2 ZyWALL 50 Rear Panel and Connections. This section outlines how to connect your ZyWALL 50 to the LAN and the WAN. If you want to connect a cable modem you must connect the coaxial cable from your cable service to the threaded coaxial cable connector on the back of the c[...]
- Page 44
port) of your computer. You can use an extension RS-232 cable if the enclosed one is too short. After the initial setup, you can modify the configuration remotely through telnet connections. Step 2. Connecting the ZyWALL to the Broadband Modem. Step 2a. Connecting the ZyWALL t[...]
- Page 45
2.3 Additional Installation Requirements: In addition to the contents of your package, there are other hardware and software requirements you need before you can install and use your ZyWALL. These requirements include: 1. A computer with an Ethernet NIC (Network Interface Card) i[...]
- Page 46
[...]
- Page 47
Chapter 3 Initial Setup. This chapter explains how to perform initial ZyWALL setup and gives an overview of SMT menus. 3.1 Turning On Your ZyWALL: At this point, you should have connected the console port, the LAN port, the WAN port and the power port to the appropriate devic[...]
- Page 48
Figure 3-2 Password Screen. 3.2 Navigating the SMT Interface: The SMT (System Management Terminal) is the interface that you use to configure your ZyWALL. Several operations that you should be familiar with before you attempt to modify the configuration are listed in the table below. Tab[...]
- Page 49
3.2.1 Main Menu: After you enter the password, the SMT displays the ZyWALL Main Menu, as shown next. Figure 3-3 ZyWALL Main Menu. 3.2.2 System Management Terminal Interface Summary. Table 3-2 Main Menu Summary (NO., MENU TITLE, FUNCTION): 1 General Setup: Use this menu to set up adminis[...]
- Page 50
Table 3-2 Main Menu Summary (NO., MENU TITLE, FUNCTION): 23 System Password: Change your password in this menu (recommended). 24 System Maintenance: From displaying system status to uploading firmware, this menu provides comprehensive system maintenance. 26 Schedule Setup: Use this menu [...]
- Page 51
3.2.3 SMT Menus at a Glance. Figure 3-4 Getting Started and Advanced Applications SMT Menus[...]
- Page 52
Figure 3-5 Advanced Management SMT Menus[...]
- Page 53
Figure 3-6 IPSec VPN Configuration SMT Menus. 3.3 Changing the System Password: The first thing you should do is change the default system password by following the steps shown next. Step 1. Enter 23 in the main menu to open Menu 23 - System Password as shown below. Figure 3-7 [...]
- Page 54
Step 4. Re-type your new system password for confirmation and press [ENTER]. Note that as you type a password, the screen displays an (X) for each character you type. 3.4 Resetting the ZyWALL: If you forget your password or cannot access the ZyWALL, you will need to reload the[...]
- Page 55
3.4.2 Procedure To Use The Reset Button: Make sure the SYS LED is on (not blinking) before you begin this procedure. 1. Press the RESET button for ten seconds, then release it. If the SYS LED begins to blink, the defaults have been restored and the ZyWALL restarts. Otherwise, go to s[...]
- Page 56
[...]
- Page 57
Chapter 4 General And WAN Setup. Menu 1 - General Setup contains administrative and system-related information. Clone a LAN computer MAC address in Menu 2 - WAN Setup. 4.1 System Name: System Name is for identification purposes. ZyXEL recommends you enter your compu[...]
- Page 58
First of all, you need to have registered a dynamic DNS account with www.dyndns.org. This is for people with a dynamic IP from their ISP or DHCP server that would still like to have a DNS name. To use this service, you must register with the Dynamic DNS service provider. The[...]
- Page 59
(FIELD, DESCRIPTION, EXAMPLE) Host: Enter the domain name assigned to your ZyWALL by your Dynamic DNS provider. me.dyndns.org. EMAIL: Enter your e-mail address. mail@mailserver. USER: Enter your user name. Password: Enter the password assigned to you. Enable Wildcard: Your ZyWALL[...]
- Page 60
Figure 4-2 Menu 2 — WAN Setup. The MAC address field allows users to configure the WAN port's MAC address by using either the factory default or cloning the MAC address from a computer on your LAN. Once it is successfully configured, the address will be copied to the rom f[...]
- Page 61
[...]
- Page 62
[...]
- Page 63
Chapter 5 LAN Setup. This chapter describes how to configure the LAN using Menu 3 – LAN Setup. 5.1 Introduction: This section describes how to configure the LAN using Menu 3 — LAN Setup. From the main menu, enter 3 to open menu 3. Figure 5-1 Menu 3 — LAN Setup. 5.2 LAN Port Fil[...]
- Page 64
5.3.1 Factory LAN Defaults: The LAN parameters of the ZyWALL are preset in the factory with the following values: 1. IP address of 192.168.1.1 with subnet mask of 255.255.255.0 (24 bits). 2. DHCP server enabled with 32 client IP addresses starting from 192.168.1.33. These parameters sho[...]
- Page 65
Where you obtain your network number depends on your particular situation. If the ISP or your network administrator assigns you a block of registered IP addresses, follow their instructions in selecting the IP addresses and the subnet mask. If the ISP did not explicitly give y[...]
- Page 66
Regardless of your particular situation, do not create an arbitrary IP address; always follow the guidelines above. For more information on address assignment, please refer to RFC 1597, Address Allocation for Private Internets and RFC 1466, Guidelines for Management of IP Address Spa[...]
- Page 67
5.3.7 IP Alias: IP Alias allows you to partition a physical network into different logical networks over the same Ethernet interface. The ZyWALL supports three logical LAN interfaces via its single physical Ethernet interface with the ZyWALL itself as the gateway for each LAN network. Figure 5-3[...]
- Page 68
Figure 5-6 Menu 3.2 — TCP/IP and DHCP Ethernet Setup. Follow the instructions in the next table on how to configure the DHCP fields. Table 5-3 DHCP Ethernet Setup Menu Fields (FIELD, DESCRIPTION, EXAMPLE): DHCP: This field enables/disables the DHCP server. If set to Server, your ZyWALL will act a[...]
- Page 69
Table 5-3 DHCP Ethernet Setup Menu Fields (FIELD, DESCRIPTION, EXAMPLE): DHCP Server Address: If Relay is selected in the DHCP field above, then type in the IP address of the actual, remote DHCP server here. Follow the instructions in the following table to configure TCP/IP parameters for the LAN po[...]
- Page 70
Figure 5-7 Menu 3.2.1 — IP Alias Setup. Use the instructions in the following table to configure IP Alias parameters. Table 5-5 IP Alias Setup Menu Fields (FIELD, DESCRIPTION, EXAMPLE): IP Alias: Choose Yes to configure the LAN network for the ZyWALL. Yes. IP Address: Enter the IP address of you[...]
- Page 71
Chapter 6 Internet Access. This chapter shows you how to configure your ZyWALL for Internet access. 6.1 Internet Access Setup: You will see three different menu 4 screens depending on whether you chose Ethernet, PPTP or PPPoE Encapsulation. 6.1.1 Ethernet Encapsulation: You mus[...]
- Page 72
Table 6-1 Internet Access Setup Menu Fields (FIELD, DESCRIPTION): Encapsulation: Press [SPACE BAR] and then press [ENTER] to choose Ethernet. The encapsulation method influences your choices for IP Address. Service Type: Press [SPACE BAR] to select Standard, RR-Toshiba (RoadRunner To[...]
- Page 73
The ZyWALL 50 supports one PPTP server connection at any given time. 6.1.3 Configuring the PPTP Client: To configure a PPTP client, you must configure the My Login and Password fields for a PPP connection and the PPTP parameters for a PPTP connection. After configuring My Log[...]
- Page 74
6.1.4 PPPoE Encapsulation: The ZyWALL supports PPPoE (Point-to-Point Protocol over Ethernet). PPPoE is an IETF Draft standard (RFC 2516) specifying how a personal computer (PC) interacts with a broadband modem (i.e. xDSL, cable, wireless, etc.) connection. For the service prov[...]
- Page 75
Table 6-3 New Fields in Menu 4 (PPPoE) screen (FIELD, DESCRIPTION, EXAMPLE): Encapsulation: Press [SPACE BAR] and then press [ENTER] to choose PPPoE. The encapsulation method influences your choices for IP Address. PPPoE Idle Timeout: This value specifies the time in seconds tha[...]
- Page 76
Part II: Advanced Applications. This part covers Remote Node Setup, IP Static Route Setup and Network Address Translation.[...]
- Page 77
Chapter 4 Remote Node Setup. This chapter shows you how to configure a remote node. A remote node is required for placing calls to a remote gateway. A remote node represents both the remote gateway and the network behind it across a WAN connection. Note that when you use men[...]
- Page 78
Figure 4-1 Menu 11.1 — Remote Node Profile for Ethernet Encapsulation. Table 4-1 Fields in Menu 11.1 (FIELD, DESCRIPTION, EXAMPLE): Rem Node Name: Enter a descriptive name for the remote node. This field can be up to eight characters. LAoffice. Active: Press [SPACE BAR] to select Yes (a[...]
- Page 79
Table 4-1 Fields in Menu 11.1 (FIELD, DESCRIPTION, EXAMPLE): My Password: Enter the password assigned by your ISP when the ZyWALL calls this remote node. Valid for PPPoE encapsulation only. *****. Server IP: This field is valid for RoadRunner service type only. The ZyWALL will fin[...]
- Page 80
Figure 4-2 Menu 11.1 — Remote Node Profile for PPPoE Encapsulation. Outgoing Authentication Protocol: Generally speaking, you should employ the strongest authentication protocol possible, for obvious reasons. However, some vendors' implementations include specific authentication [...]
- Page 81
Table 4-2 Fields in Menu 11.1 (PPPoE Encapsulation Specific) (FIELD, DESCRIPTION, EXAMPLE): Authen: This field sets the authentication protocol used for outgoing calls. Options for this field are: CHAP / PAP - Your ZyWALL will accept either CHAP or PAP when requested by this rem[...]
- Page 82
Figure 4-3 Menu 11.1 — Remote Node Profile for PPTP Encapsulation. The next table shows how to configure fields in menu 11.1 not previously discussed above. Table 4-3 Fields in Menu 11.1 (PPTP Encapsulation) (FIELD, DESCRIPTION, EXAMPLE): Encapsulation: Toggle the space bar to choose [...]
- Page 83
4.2 Editing TCP/IP Options (with Ethernet Encapsulation): Move the cursor to the Edit IP field in menu 11.1, press [SPACE BAR] to select Yes. Press [ENTER] to open Menu 11.3 - Network Layer Options. Figure 4-4 Menu 11.3 — Remote Node Network Layer Options. The next table gives yo[...]
- Page 84
Table 4-4 Remote Node Network Layer Options Menu Fields (FIELD, DESCRIPTION, EXAMPLE): Metric: This field is valid only for PPTP/PPPoE encapsulation. The metric represents the "cost" of transmission for routing purposes. IP routing uses hop count as the measurement of cost, with[...]
- Page 85
Figure 4-5 Menu 11.3 — Remote Node Network Layer Options. The next table gives you instructions about configuring remote node network layer options. Table 4-5 Remote Node Network Layer Options Menu Fields (FIELD, DESCRIPTION, EXAMPLE): IP Address Assignment: If your ISP did n[...]
- Page 86
Table 4-5 Remote Node Network Layer Options Menu Fields (FIELD, DESCRIPTION, EXAMPLE): Metric: The metric represents the "cost" of transmission for routing purposes. IP routing uses hop count as the measurement of cost, with a minimum of 1 for directly connected networks. En[...]
- Page 87
Use menu 11.5 to specify the filter set(s) to apply to the incoming and outgoing traffic between this remote node and the ZyWALL to prevent certain packets from triggering calls. You can specify up to 4 filter sets separated by commas, e.g., 1, 5, 9, 12, in each filter field. Note that [...]
Page 88
[...]
Page 89
Chapter 5 IP Static Route Setup This chapter shows you how to configure static routes with your ZyWALL. Static routes tell the ZyWALL routing information that it cannot learn automatically through other means. This can arise in cases where RIP is disabled on the LAN. Each rem[...]
Page 90
5.1 IP Static Route Setup You configure IP static routes in menu 12.1 by selecting one of the IP static routes as shown next. Enter 12 from the main menu. Figure 5-2 Menu 12 — IP Static Route Setup Now, enter the index number of one of the static routes you want[...]
Page 91
Table 5-1 IP Static Route Menu Fields FIELD DESCRIPTION Route # This is the index number of the static route that you chose in menu 12. Route Name Enter a descriptive name for this route. This is for identification purposes only. Active This field allows you to activate/dea[...]
Page 92
[...]
Page 93
Chapter 6 Network Address Translation (NAT) This chapter discusses how to configure NAT on the ZyWALL. 6.1 Introduction NAT (Network Address Translation - NAT, RFC 1631) is the translation of the IP address of a host in a packet, e.g., the source address of an outgoing packet, used within o[...]
Page 94
Table 6-1 NAT Definitions TERM DESCRIPTION WAN. NAT never changes the IP address (either local or global) of an outside host. 6.1.2 What NAT Does In the simplest form, NAT changes the source IP address in a packet received from a subscriber (the inside local address) to another (the insid[...]
Page 95
Figure 6-1 How NAT Works 6.1.4 NAT Application The following figure illustrates a possible NAT application, where three inside LANs (logical LANs using IP Alias) behind the ZyWALL can communicate with three distinct WAN networks. More examples follow at the end of this chapter.[...]
Page 96
Figure 6-2 NAT Application With IP Alias 6.1.5 NAT Mapping Types NAT supports five types of IP/port mapping. They are: 1. One to One: In One-to-One mode, the ZyWALL maps one local IP address to one global IP address. 2. Many to One: In Many-to-One mode, the ZyWALL maps multiple local IP ad[...]
Page 97
3. Many to Many Overload: In Many-to-Many Overload mode, the ZyWALL maps the multiple local IP addresses to shared global IP addresses. 4. Many to Many No Overload: In Many-to-Many No Overload mode, the ZyWALL maps each local IP address to a unique global IP address. 5. Server: Thi[...]
Page 98
6.2 Using NAT 6.2.1 SUA (Single User Account) Versus NAT SUA (Single User Account) is a ZyNOS implementation of a subset of NAT that supports two types of mapping, Many-to-One and Server. See section 6.3.1 for a detailed description of the NAT set for SUA. The ZyWALL also supports Fu[...]
Page 99
Step 2. Move the cursor to the Edit IP field, press [SPACE BAR] to select Yes and then press [ENTER] to bring up Menu 11.3 - Remote Node Network Layer Options. Figure 6-4 Menu 11.3 — Applying NAT to the Remote Node The following table describes the options for Network Address Translation. Ta[...]
Page 100
6.3 NAT Setup Use the Address Mapping Sets menus and submenus to create the mapping table used to assign global addresses to computers on the LAN. You can see two NAT Address Mapping sets in menu 15.1. You can only configure Set 1. Set 255 is used for SUA. When you select Full Feature in menu 4 [...]
Page 101
SUA Address Mapping Set Enter 255 to display the next screen (see also section 6.2.1). The fields in this menu cannot be changed. Figure 6-7 Menu 15.1.255 — SUA Address Mapping Rules The following table explains the fields in this screen. The fields in Menu 15.1.255 are read-only. Tab[...]
Page 102
Table 6-4 SUA Address Mapping Rules FIELD DESCRIPTION EXAMPLE Type These are the mapping types discussed above (see Table 6-2). Server allows us to specify multiple servers of different types behind NAT to this machine. See later for some examples. Server Once you have finished configurin[...]
Page 103
Ordering Your Rules Ordering your rules is important because the ZyWALL applies the rules in the order that you specify. When a rule matches the current packet, the ZyWALL takes the corresponding action and the remaining rules are ignored. If there are any empty rules before your new co[...]
Page 104
Figure 6-9 Menu 15.1.1.1 — Editing/Configuring an Individual Rule in a Set Table 6-6 Menu 15.1.1.1 — Editing/Configuring an Individual Rule in a Set FIELD DESCRIPTION EXAMPLE Type Press [SPACE BAR] to toggle through a total of five types. These are the mapping types discussed in Table 6-2[...]
Page 105
6.4 NAT Server Sets – Port Forwarding A NAT server set is a list of inside (behind NAT on the LAN) servers, for example, web or FTP, that you can make visible to the outside world even though NAT makes your whole inside network appear as a single machine to the outside world. Use Menu 15 [...]
Page 106
Table 6-7 Services & Port Numbers
SERVICES / PORT NUMBER
Finger: 79
HTTP (Hyper Text Transfer Protocol or WWW, Web): 80
POP3 (Post Office Protocol): 110
NNTP (Network News Transport Protocol): 119
SNMP (Simple Network Management Protocol): 161
SNMP trap: 162
PPTP (Point-to-Point Tunneling Proto[...]
Page 107
Figure 6-10 Menu 15.2 — NAT Server Setup Figure 6-11 Multiple Servers Behind NAT Example
Menu 15.2 - NAT Server Setup
Rule  Start Port No.  End Port No.  IP Address
---------------------------------------------------
1.    Default         Default       0.0.0.0
2.    21              25            192.168.1.33
3.    0               0             0.0.0.0
4.    0               0             0.0.0.0
5[...]
Page 108
6.5 General NAT Examples 6.5.1 Internet Access Only In the following Internet access example, you only need one rule where all your ILAs (Inside Local Addresses) map to one dynamic IGA (Inside Global Address) assigned by your ISP. Figure 6-12 NAT Example 1 Figure 6-13 Menu 4 — Internet A[...]
Page 109
From menu 4 shown above, simply choose the SUA Only option from the Network Address Translation field. This is the Many-to-One mapping discussed in section 6.5. The SUA Only read-only option from the Network Address Translation field in menus 4 and 11.3 is specifically pre-configure[...]
Page 110
Figure 6-15 Menu 15.2 — Specifying an Inside Server 6.5.3 Example 3: Multiple Public IP Addresses With Inside Servers In this example, there are 3 IGAs from our ISP. There are many departments but two have their own FTP server. All departments share the same router. The example will res[...]
Page 111
The example situation looks somewhat like this: Figure 6-16 NAT Example 3 Step 1. In this case you need to configure Address Mapping Set 1 from Menu 15.1 - Address Mapping Sets. Therefore you must choose the Full Feature option from the Network Address Translation field (in menu 4 or menu[...]
Page 112
Step 6. Repeat the previous step for rules 2 to 4 as outlined above. Step 7. When finished, menu 15.1.1 should look as shown in Figure 6-19. Figure 6-17 Example 3: Menu 11.3 The following figure shows how to configure the first rule. Figure 6-18 Example 3: Menu 15.1.1.1 Menu 15.1.1.1 Ad[...]
Page 113
Figure 6-19 Example 3: Final Menu 15.1.1 Now configure the IGA3 to map to our web server and mail server on the LAN. Step 8. Enter 15 from the main menu. Step 9. Now enter 2 from this menu and configure it as shown in Figure 6-20. Figure 6-20 Example 3: Menu 15.2 Menu 15.1.1 - Address Ma[...]
Page 114
6.5.4 Example 4: NAT Unfriendly Application Programs Some applications do not support NAT mapping using TCP or UDP port address translation. In this case it is better to use Many-to-Many No Overload mapping as port numbers do not change for Many-to-Many No Overload (and One-to-One) NA[...]
Page 115
Figure 6-22 Example 4: Menu 15.1.1.1 — Address Mapping Rule After you’ve configured your rule, you should be able to check the settings in menu 15.1.1 as shown next. Figure 6-23 Example 4: Menu 15.1.1 — Address Mapping Rules Menu 15.1.1.1 Address Mapping Rule Type= Many-to-Many [...]
Page 116
Firewall and Content Filters III Part III: Firewall and Content Filters Part III introduces firewalls in general and the ZyWALL firewall. It also explains custom ports and logs and gives example firewall rules and an overview of content filtering.[...]
Page 117
[...]
Page 118
Chapter 7 Firewalls This chapter gives some background information on firewalls and explains how to get started with the ZyWALL firewall. 7.1 What Is a Firewall? Originally, the term firewall referred to a construction technique designed to prevent the spread of fire from one r[...]
Page 119
i. Information hiding prevents the names of internal systems from being made known via DNS to outside systems, since the application gateway is the only host whose name must be made known to outside systems. ii. Robust authentication and logging pre-authenticates application traffic bef[...]
Page 120
Figure 7-1 ZyWALL Firewall Application 7.4 Denial of Service Denial of Service (DoS) attacks are aimed at devices and networks with a connection to the Internet. Their goal is not to steal information, but to disable a device or network so users no longer have access to network resources.[...]
Page 121
for use over a single port, such as Web on port 80, other ports are also active. If the person configuring or managing the computer is not careful, a hacker could attack it over an unprotected port. Some of the most common IP ports are:
Table 7-1 Common IP Ports
21 FTP
53 DNS
23 Telnet[...]
Page 122
Figure 7-2 Three-Way Handshake Under normal circumstances, the application that initiates a session sends a SYN (synchronize) packet to the receiving server. The receiver sends back an ACK (acknowledgment) packet and its own SYN, and then the initiator responds with an ACK (acknowledgmen[...]
Page 123
2-b In a LAND Attack, hackers flood SYN packets into the network with a spoofed source IP address of the targeted system. This makes it appear as if the host computer sent the packets to itself, making the system unavailable while the target system tries to respond to itself. 3. A brute-f[...]
Page 124
Table 7-3 Legal NetBIOS Commands MESSAGE: REQUEST: POSITIVE: NEGATIVE: RETARGET: KEEPALIVE: All SMTP commands are illegal except for those displayed in the following tables. Table 7-4 Legal SMTP Commands AUTH DATA EHLO ETRN EXPN HELO HELP MAIL NOOP QUIT RCPT RSET SAML SEND SOML TURN VRFY ?[...]
Page 125
Denies all sessions originating from the WAN to the LAN. Figure 7-5 Stateful Inspection The previous figure shows the ZyWALL’s default firewall rules in action and demonstrates how stateful inspection works. User A can initiate a Telnet session from within the LAN and respo[...]
Page 126
3. The packet is inspected by a firewall rule to determine and record information about the state of the packet's connection. This information is recorded in a new state table entry created for the new connection. If there is not a firewall rule for this packet and it is not an attac[...]
Page 127
The ability to define firewall rules is a very powerful tool. Using custom rules, it is possible to disable all firewall protection or block all access to the Internet. Use extreme caution when creating or deleting firewall rules. Test changes after creating them to make sure th[...]
Page 128
little tracking information. For instance, ICMP redirect packets are never allowed in, since they could be used to reroute traffic through attacking machines. 7.5.5 Upper Layer Protocols Some higher layer protocols (such as FTP and RealAudio) utilize multiple network connections simultan[...]
Page 129
7.6.1 Security In General You can never be too careful! Factors outside your firewall, filtering or NAT can cause security breaches. Below are some generalizations about what you can do to minimize them. 1. Encourage your company or organization to develop a comprehensive security plan. Go[...]
Page 130
7.7.1 Packet Filtering: The router filters packets as they pass through the router’s interface according to the filter rules you designed. Packet filtering is a powerful tool, yet can be complex to configure and maintain, especially if you need a chain of rules to filter a service. [...]
Page 131
3. To selectively block/allow inbound or outbound traffic between inside hosts/networks and outside hosts/networks. Remember that filters cannot distinguish traffic originating from an inside host or an outside host by IP address. 4. The firewall performs better than filtering if you ne[...]
Page 132
Chapter 8 Introducing the ZyWALL Firewall This chapter shows you how to get started with the ZyWALL firewall. 8.1 Remote Management and the Firewall When SMT menu 24.11 is configured to allow management from the WAN, it overrides the firewall. See the Remote Mana[...]
Page 133
Figure 8-2 Menu 21.2 — Firewall Setup Configure the firewall rules using the web configurator or CLI commands. 8.3.2 Viewing the Firewall Log In menu 21, enter 3 to view the firewall log. An example of a firewall log is shown next. Figure 8-3 Example Firewall Log An [...]
Page 134
Table 8-1 View Firewall Log FIELD DESCRIPTION EXAMPLES # This is the index number of the firewall log. 128 entries are available numbered from 0 to 127. Once they are all used, the log will wrap around and the old logs will be lost. 23 mm:dd:yy e.g., Jan 1 00 [...]
Page 135
[...]
Page 136
Chapter 9 Using the ZyWALL Web Configurator This chapter shows you how to configure your firewall with the web configurator. 9.1 Web Configurator Login and Main Menu Screens Use the ZyWALL web configurator to configure your firewall. To get started, follow[...]
Page 137
Figure 9-1 Main Menu Use the icon (located in the upper right portion of most screens) for online HTML help. If you forget your password, refer to the Resetting the ZyWALL section to see how to reset the default configuration file. Click WIZARD SETUP for in[...]
Page 138
9.2 Enabling the Firewall Click Advanced, Firewall, Configuration and then the Config tab. Enable (or activate) the firewall by clicking the Firewall Enabled check box as seen in the following screen. Figure 9-2 Enabling the Firewall 9.3 E-mail The E-mail scre[...]
Page 139
10-4). When an event generates an alert, a message is immediately sent to an e-mail account specified by you. Enter the complete e-mail address to which alert messages will be sent in the E-mail Alerts To field and schedule times for sending alerts in the Log Time[...]
Page 140
Table 9-1 E-mail FIELD DESCRIPTION OPTIONS Address Info Mail Server Enter the IP address of your mail server in dotted decimal notation. Your Internet Service Provider (ISP) should be able to provide this information. If this field is left blank, log and ale[...]
Page 141
9.3.3 SMTP Error Messages If there are difficulties in sending e-mail the following error messages appear. Please see the Support Notes on the included disk for information on other types of error messages. E-mail error messages appear in SMT menu 24.3.1 as "[...]
Page 142
Figure 9-4 E-mail Log 9.4 Attack Alert Attack alerts are the first defense against DoS attacks. In the Attack Alert screen, shown later, you may choose to generate an alert whenever an attack is detected. For DoS attacks, the ZyWALL uses thresholds to determin[...]
Page 143
2. The minimum capacity of server backlog in your LAN network. 3. The CPU power of servers in your LAN network. 4. Network bandwidth. 5. Type of traffic for certain servers. If your network is slower than average for any of these factors (especially if you have [...]
Page 144
2. If the Blocking Time timeout is greater than 0, then the ZyWALL blocks all new connection requests to the host, giving the server time to handle the present connections. The ZyWALL continues to block all new connection requests until the Blocking Tim[...]
Page 145
Table 9-3 Attack Alert FIELD DESCRIPTION DEFAULT VALUES Denial of Service Thresholds One Minute Low This is the rate of new half-open sessions that causes the firewall to stop deleting half-open sessions. The ZyWALL continues to delete half-open sessions[...]
Page 146
Table 9-3 Attack Alert FIELD DESCRIPTION DEFAULT VALUES Incomplete host IP address that causes the firewall to start dropping half-open sessions to that same destination host IP address. Enter a number between 1 and 250. As a general rule, you should choo[...]
Page 147
[...]
Page 148
Chapter 10 Creating Custom Rules This chapter contains instructions for defining both Local Network and Internet rules. 10.1 Rules Overview Firewall rules are subdivided into “Local Network” and “Internet”. By default, the ZyWALL’s stateful packet inspection a[...]
Page 149
2. Is the intent of the rule to forward or block traffic? 3. What is the direction of the connection: from the LAN to the Internet, or from the Internet to the LAN? 4. What IP services will be affected? 5. What computers on the LAN are to be affected (if any)? 6. What computers on the [...]
Page 150
Source Address What is the connection’s source address; is it on the LAN or WAN? Is it a single IP, a range of IPs or a subnet? Destination Address What is the connection’s destination address; is it on the LAN or WAN? Is it a single IP, a range of IPs or a subnet? 10[...]
Page 151
10.3.2 WAN to LAN Rules The default rule for WAN to LAN traffic blocks all incoming connections (WAN to LAN). If you wish to allow certain WAN users to have access to your LAN, you will need to create custom rules to allow it. See the following figure. Figure 10-2 WAN to LAN Traffi[...]
Page 152
Figure 10-3 Firewall Rules Summary — First Screen The following table describes the fields in this screen. Table 10-1 Firewall Rules Summary — First Screen FIELD DESCRIPTION OPTIONS General Name This is the name of the firewall rule set. Type a name to distinguish the LAN-t[...]
Page 153
Table 10-1 Firewall Rules Summary — First Screen FIELD DESCRIPTION OPTIONS Default Policy Log Click this check box to log all matched rules in the ACL default set. The following fields summarize the rules you have created. Note that these fields are read only. Click the[...]
Page 154
10.5 Predefined Services The Available Services list box in the Rule Config(uration) screen (see Figure 10-4) displays all predefined services that the ZyWALL already supports. Next to the name of the service, two fields appear in brackets. The first field indicates the IP pro[...]
Page 155
Table 10-2 Predefined Services SERVICE DESCRIPTION MSN Messenger(TCP:1863) Microsoft Networks’ messenger service uses this protocol. MULTICAST(IGMP:0) Internet Group Multicast Protocol is used when sending packets to a specific group of hosts. NEWS(TCP:144) A prot[...]
Page 156
Table 10-2 Predefined Services SERVICE DESCRIPTION STRMWORKS(UDP:1558) Stream Works Protocol. TACACS(UDP:49) Login Host Protocol used for (Terminal Access Controller Access Control System). TELNET(TCP:23) Telnet is the login and terminal emulation protocol common on t[...]
Page 157
10.5.1 Creating/Editing Firewall Rules To create a new rule, click a number (No.) then click Edit in the last screen shown to display the following screen. Figure 10-4 Creating/Editing A Firewall Rule Table 10-3 Creating/Editing A Firewall Rule FIELD DESCRIPTION OPTIONS So[...]
Page 158
Table 10-3 Creating/Editing A Firewall Rule FIELD DESCRIPTION OPTIONS Please see the following section on adding and editing destination addresses. DestEdit DestDelete Services Available/Selected Services Please see Table 10-2 for more information on services available. [...]
Page 159
Figure 10-5 Adding/Editing Source and Destination Addresses[...]
Page 160
Table 10-4 Adding/Editing Source and Destination Addresses FIELD DESCRIPTION OPTIONS Address Type Do you want your rule to apply to packets with a particular (single) IP address, a range of IP addresses (e.g., 192.168.1.10 to 192.169.1.50), a subnet or any IP address? Se[...]
Page 161
Figure 10-6 Timeout Screen[...]
Page 162
Table 10-5 Timeout Menu FIELD DESCRIPTION DEFAULT VALUE TCP Timeout Values Connection Timeout This is the length of time the ZyWALL waits for a TCP session to reach the established state before dropping the session. 30 seconds FIN-Wait Timeout This is the length of[...]
Page 163
[...]
Page 164
Chapter 11 Custom Ports This chapter covers creating, viewing and editing custom ports. 11.1 Introduction Configure customized ports for services not predefined by the ZyWALL (see Figure 10-4). For a comprehensive list of port numbers and services, visit the IANA (Internet Ass[...]
Page 165
Table 11-1 Custom Ports FIELD DESCRIPTION Customized Services No. This is the number of your customized port. Status Indicates whether ports have already been configured or are still empty. Name This is the name of your customized port. Protocol This shows the IP protocol (TCP, UDP or [...]
Page 166
11.2 Creating/Editing A Custom Port Click Edit in the previous screen to create a new custom port or edit an existing one. This action displays the following screen. Figure 11-2 Creating/Editing A Custom Port The next table describes the fields in this screen.[...]
Page 167
Table 11-2 Creating/Editing A Custom Port FIELD DESCRIPTION OPTIONS Service Name Enter a unique name for your custom port. Service Type Choose the IP port (TCP, UDP or Both) that defines your customized port from the drop down list box. TCP UDP Both Port Configuration Type Clic[...]
Page 168
Chapter 12 Logs This chapter contains information about using the log screen to view the results of the rules you have configured. 12.1 Log Screen When you configure a new rule you also have the option to log events that match, don’t match (or both) this rule (see Figure 10-4). Click [...]
Page 169
Table 12-1 Log Screen FIELD DESCRIPTION EXAMPLES No. This is the index number of the firewall log. 128 entries are available numbered from 0 to 127. Once they are all used, the log will wrap around and the old logs will be lost. dd:mm:yy e.g., Jan 1 0 Time This is the time the log was recorde[...]
Page 170
Chapter 13 Example Firewall Rules This chapter gives examples for configuring various rules for WAN to LAN and LAN to WAN. 13.1 Examples Whenever you open a hole in the firewall to forward a service from the Internet to the local network, and NAT is also enabled, you may [...]
Page 171
Step 1. Activate the firewall. You may activate the firewall through the web configurator as shown next (click Configuration, the Config tab, then click the Firewall Enabled check box) or through SMT menu 21.2. You can only configure the firewall using the web configurator[...]
Page 172
Step 2. Go to the E-mail screen by clicking Advanced, Firewall, Configuration, then the E-mail tab. Configure the E-mail screen as follows. Figure 13-2 Example 1: E-Mail Screen Enter 10.100.1.2, the IP address of the mail server, here. This is where the alerts will be[...]
Page 173
Step 3. Configure your firewall rule as shown in the following screen. The default firewall blocks all Internet traffic entering our local network, but you want to create a hole for web service from the Internet. Click Internet and go to the Rule Summary. Configure this scree[...]
Page 174
Step 4. Click DestAdd in the previous screen to configure the destination address as the IP of your server on the LAN. Figure 13-4 Example 1: Destination Address for Traffic Originating from the Internet 10.100.1.2 is the IP of our server on the LAN (supporting FTP, HTTP,[...]
Page 175
Step 5. When you have finished configuring your rules, the Rule Summary screen should look like this. Click Apply in this screen to save your configuration back to the ZyWALL. Figure 13-5 Example 1: Rule Summary Screen 13.1.2 Example 2: Small Office With Mail, [...]
Page 176
i. A mail server with an IP of 192.168.10.2. ii. Two FTP servers. You want FTP server 1 (IP of 192.168.10.3) to be accessible from the Internet, but FTP server 2 (192.168.10.4) may only be accessed by internal users, i.e., from the local network. iii. HTTP proxy server [...]
Page 177
ZyWALL 100 Internet Security Gateway 13-8 Example Firewall Rules Step 3. Now you want to restrict access to the Internet except for the HTTP proxy server and your mail server. First you need to create a custom port for POP3. POP (Post Office Protocol) is an Internet mail server protocol that provides an incoming message storage system[...]
Page 178
Network to see the Rule Summary screen. Now click an available No. (rule number) button, then click Edit to bring up the next screen. Step 5. Click SrcAdd under the Source Address box and enter the IP address of the mail server (192.168.10.2) in the same fashion as in Fig[...]
Page 179
Step 7. The Rule Summary screen should look like Figure 13-9. Don’t forget to click Apply when you have finished configuring your rule(s) to save your settings back to the ZyWALL. Figure 13-9 Example 2: Local Network Rule Summary Step 8. Now you want an FTP[...]
Page 180
screen. Now click on the DestAdd button under the Destination Address box and enter the IP of FTP server One (192.168.10.3). Step 9. On completing the procedure the Rule Summary for this Internet firewall rule should look like the following screen. Don’t forget to cl[...]
-
Страница 181
ZyWALL 100 Internet Security Gateway 13-12 Example Firewall Rules 13.1.3 Example 3: DHCP Negotiation and Syslog Connection from the Internet The following are some Internet firewall rule examples that allow DHCP negotiation between the ISP and the ZyWALL and allow a syslog connection from the Internet. Follow the procedure shown next to fir[...]
Page 182
ZyWALL 100 Internet Security Gateway Example Firewall Rules 13-13 Step 2. Follow the procedures outlined in the previous examples to configure all your rules. You should configure the rule configuration screen like the one below and apply it. Figure 13-12 Syslog Rule Configuration This is your Syslog custom port. This is the address range[...]
Page 183
ZyWALL 100 Internet Security Gateway 13-14 Example Firewall Rules Step 3. On completing the configuration procedure for these Internet firewall rules, the Rule Summary screen should look like the following. Don’t forget to click Apply when you have finished configuring your rule(s) to save your settings back to the ZyWALL. Figure [...]
Page 184
ZyWALL 100 Internet Security Gateway Content Filtering 14-1 Chapter 14 Content Filtering This chapter provides a brief overview of content filtering using the web embedded configurator. For more detailed information, consult the embedded HTML help. Internet content filtering allows schools and businesses to create and enforce Internet ac[...]
Page 185
ZyWALL 100 Internet Security Gateway 14-2 Content Filtering 14.4 Customizing Customize the content filter list by adding or removing specific sites from the filter list. 14.5 Keywords The ZyWALL can also be configured to block certain Web sites by using URL keywords. 14.6 Log Records This screen records the results of your content filter p[...]
Page 186
Advanced Management IV Part IV: Advanced Management This part provides information on Filter Configuration, SNMP Configuration, System Information and Diagnosis, Firmware and Configuration File Maintenance, System Maintenance and Information and Remote Management.[...]
Page 187
ZyWALL 50 Internet Security Gateway Filter Configuration 15-1 Chapter 15 Filter Configuration This chapter shows you how to create and apply filters. 15.1 About Filtering Your ZyWALL uses filters to decide whether to allow passage of a data packet and/or to make a call. There are two types of filter applications: data filtering and call [...]
Page 188
ZyWALL 50 Internet Security Gateway 15-2 Filter Configuration Figure 15-1 Outgoing Packet Filtering Process For incoming packets, your ZyWALL applies data filters only. Packets are processed depending upon whether a match is found. The following sections describe how to configure filter sets. 15.1.1 The Filter Structure of the ZyWALL A [...]
Page 189
ZyWALL 50 Internet Security Gateway Filter Configuration 15-3 [Figure: filter set processing flowchart. Nodes: Start; Fetch First Filter Set; Fetch First Filter Rule; Active?; Execute Filter Rule; Fetch Next Filter Rule; Next Filter Rule Available?; Fetch Next Filter Set; Next Filter Set Available?; Accept Packet; Drop Packet. Rule outcomes: Forward, Drop, Check Next Rule.] [...]
Page 190
ZyWALL 50 Internet Security Gateway 15-4 Filter Configuration You can apply up to four filter sets to a particular port to block multiple types of packets. With each filter set having up to six rules, you can have a maximum of 24 rules active for a single port. 15.2 Configuring a Filter Set To configure a filter set, follow the proce[...]
Page 191
ZyWALL 50 Internet Security Gateway Filter Configuration 15-5 Step 3. Select the filter set you wish to configure (1-12) and press [ENTER]. Step 4. Enter a descriptive name or comment in the Edit Comments field and press [ENTER]. Step 5. Press [ENTER] at the message [Press ENTER to confirm] to open Menu 21.1.1 - Filter Rules Summary. [...]
Page 192
ZyWALL 50 Internet Security Gateway 15-6 Filter Configuration 15.2.1 Filter Rules Summary Menu This screen shows the summary of the existing rules in the filter set. The following tables contain a brief description of the abbreviations used in the previous menus. Table 15-1 Abbreviations Used in the Filter Rules Summary Menu FIELD DESCRIP[...]
Page 193
ZyWALL 50 Internet Security Gateway Filter Configuration 15-7 Table 15-2 Rule Abbreviations Used ABBREVIATION DESCRIPTION DP Destination Port number GEN Off Offset Len Length Refer to the next section for information on configuring the filter rules. 15.2.2 Configuring a Filter Rule To configure a filter rule, type its number in Menu 21.1 - [...]
Page 194
ZyWALL 50 Internet Security Gateway 15-8 Filter Configuration Figure 15-8 Menu 21.1.1.1 — TCP/IP Filter Rule The following table describes how to configure your TCP/IP filter rule. Table 15-3 TCP/IP Filter Rule Menu Fields FIELD DESCRIPTION OPTIONS Active Yes activates the filter rule and No deactivates it. Yes / No IP Protocol Prot[...]
Page 195
ZyWALL 50 Internet Security Gateway Filter Configuration 15-9 Table 15-3 TCP/IP Filter Rule Menu Fields FIELD DESCRIPTION OPTIONS Port # Enter the destination port of the packets that you wish to filter. The range of this field is 0 to 65535. This field is ignored if it is 0. 0-65535 Port # Comp Select the comparison to apply to t[...]
Page 196
ZyWALL 50 Internet Security Gateway 15-10 Filter Configuration Table 15-3 TCP/IP Filter Rule Menu Fields FIELD DESCRIPTION OPTIONS Drop Action Not Matched Select the action for a packet not matching the rule. Check Next Rule Forward Drop Press [SPACE BAR] to select properties for fields that do not need to be typed in. When you have Me[...]
Page 197
ZyWALL 50 Internet Security Gateway Filter Configuration 15-11 [Figure: IP filter rule processing flowchart. Nodes: Packet into IP Filter; Filter Active?; Check IP Protocol; Check Src IP Addr; Apply SrcAddrMask to Src Addr; Matched / Not Matched; Action Matched; Action Not Matched; More?; Drop Packet; Accept Packet. Actions: Drop, Forward, Check Next Rule.] [...]
Page 198
ZyWALL 50 Internet Security Gateway 15-12 Filter Configuration 15.2.4 Generic Filter Rule This section shows you how to configure a generic filter rule. The purpose of generic rules is to allow you to filter non-IP packets. For IP, it is generally easier to use the IP rules directly. For generic rules, the ZyWALL treats a packet [...]
Page 199
ZyWALL 50 Internet Security Gateway Filter Configuration 15-13 Table 15-4 Generic Filter Rule Menu Fields FIELD DESCRIPTION OPTIONS Filter # This is the filter set, filter rule co-ordinates, i.e., 2,3 refers to the second filter set and the third rule of that set. Filter Type Use [SPACE BAR] to select a rule type. Parameters displa[...]
Page 200
ZyWALL 50 Internet Security Gateway 15-14 Filter Configuration Table 15-4 Generic Filter Rule Menu Fields FIELD DESCRIPTION OPTIONS Drop Once you have completed filling in Menu 21.4.1.1 - Generic Filter Rule, press [ENTER] at the message “Press ENTER to Confirm” to save your configuration, or press [ESC] to cancel. This data [...]
Page 201
ZyWALL 50 Internet Security Gateway Filter Configuration 15-15 Step 3. Enter a descriptive name or comment in the Edit Comments field and press [ENTER]. Step 4. Press [ENTER] at the message [Press ENTER to confirm] to open Menu 21.1.1 - Filter Rules Summary. Step 5. Enter 1 to configure the first filter rule (the only filter rule of[...]
Page 202
ZyWALL 50 Internet Security Gateway 15-16 Filter Configuration When you press [ENTER] to confirm, you will see the following screen. Note that there is only one filter rule in this set. Figure 15-13 Example Filter Rules Summary — Menu 21.1.3 After you’ve created the filter set, you must apply it. Step 1. Enter 11 from the main [...]
Page 203
ZyWALL 50 Internet Security Gateway Filter Configuration 15-17 15.4 Filter Types and NAT There are two classes of filter rules, Generic Filter (Device) rules and Protocol Filter (TCP/IP) rules. Generic Filter rules act on the raw data from/to LAN and WAN. Protocol Filter rules act on the IP packets. Generic and TCP/IP filter rules are disc[...]
Page 204
ZyWALL 50 Internet Security Gateway 15-18 Filter Configuration 15.6 Applying a Filter and Factory Defaults This section shows you where to apply the filter(s) after you design it (them). Sets of factory default filter rules have been configured in menu 21 to prevent NetBIOS traffic from triggering calls, and block incoming telnet, FTP an[...]
Page 205
ZyWALL 50 Internet Security Gateway Filter Configuration 15-19 numbers separated by commas. The factory default filter set, NetBIOS_WAN, can be applied in menu 11.5 to block local NetBIOS traffic from triggering calls to the ISP (when you are using PPPoE or PPTP encapsulation only). Enter 1 in protocol filters under Output Filter[...]
Page 206
[...]
Page 207
ZyWALL 50 Internet Security Gateway SNMP 16-1 Chapter 16 SNMP Configuration This chapter discusses SNMP for network management and monitoring. 16.1 About SNMP SNMP (Simple Network Management Protocol) is a protocol used for exchanging management information between network devices. SNMP is a member of the TCP/IP protocol suite. Your Z[...]
Page 208
ZyWALL 50 Internet Security Gateway 16-2 SNMP Figure 16-1 SNMP Management Model An SNMP managed network consists of two main components: agents and a manager. An agent is a management software module that resides in a managed device (the ZyWALL). An agent translates the local management information from the managed device [...]
Page 209
ZyWALL 50 Internet Security Gateway SNMP 16-3 Table 16-1 General SNMP Commands COMMAND DESCRIPTION Get Allows the manager to retrieve an object variable from the agent. GetNext Allows the manager to retrieve the next object variable from a table or list within an agent. In SNMPv1, when a manager wants to retrieve all elements of a tab[...]
Page 210
ZyWALL 50 Internet Security Gateway 16-4 SNMP Figure 16-2 Menu 22 — SNMP Configuration The following table describes the SNMP configuration parameters. Table 16-2 SNMP Configuration Menu Fields FIELD DESCRIPTION DEFAULT Get Community Enter the Get Community, which is the password for the incoming Get- and GetNext- requests from the manag[...]
Page 211
ZyWALL 50 Internet Security Gateway SNMP 16-5 Table 16-3 SNMP Traps TRAP # TRAP NAME DESCRIPTION 0 coldStart (defined in RFC-1215) A trap is sent after booting (power on). 1 warmStart (defined in RFC-1215) A trap is sent after booting (software reboot). 4 authenticationFailure (defined in RFC-1215) A trap is sent to the manager when r[...]
Page 212
[...]
Page 213
ZyWALL 50 Internet Security Gateway System Information & Diagnosis 17-1 Chapter 17 System Information & Diagnosis This chapter covers SMT menus 24.1 to 24.4. This chapter covers the diagnostic tools that help you to maintain your ZyWALL. These tools include updates on system status, port status, log and trace capabilities and up[...]
Page 214
ZyWALL 50 Internet Security Gateway 17-2 System Information & Diagnosis Step 2. In this menu, enter 1 to open System Maintenance - Status. Step 3. There are three commands in Menu 24.1 - System Maintenance - Status. Entering 1 drops the WAN connection, 9 resets the counters and [ESC] takes you back to the previous screen. Figure [...]
Page 215
ZyWALL 50 Internet Security Gateway System Information & Diagnosis 17-3 Table 17-1 System Maintenance — Status Menu Fields FIELD DESCRIPTION Cols The number of collisions on this port. Tx B/s Shows the transmission speed in Bytes per second on this port. Rx B/s Shows the reception speed in Bytes per second on this port. Up Time [...]
Page 216
ZyWALL 50 Internet Security Gateway 17-4 System Information & Diagnosis Figure 17-3 Menu 24.2 — System Information and Console Port Speed 17.2.1 System Information System Information gives you information about your system as shown below. More specifically, it gives you information on your routing protocol, Ethernet address,[...]
Page 217
ZyWALL 50 Internet Security Gateway System Information & Diagnosis 17-5 Table 17-2 Fields in System Maintenance — Information FIELD DESCRIPTION IP Address This is the IP address of the ZyWALL in dotted decimal notation. IP Mask This shows the IP mask of the ZyWALL. DHCP This field shows the DHCP setting of the ZyWALL. When fi[...]
Page 218
ZyWALL 50 Internet Security Gateway 17-6 System Information & Diagnosis Step 1. Select option 24 from the main menu to open Menu 24 - System Maintenance. Step 2. From menu 24, select option 3 to open Menu 24.3 - System Maintenance - Log and Trace. Step 3. Select the first option from Menu 24.3 - System Maintenance - Log and Trace[...]
Page 219
ZyWALL 50 Internet Security Gateway System Information & Diagnosis 17-7 17.3.2 UNIX Syslog The ZyWALL uses the UNIX syslog facility to log the CDR (Call Detail Record) and system messages to a syslog server. Syslog and accounting can be configured in Menu 24.3.2 - System Maintenance - Syslog and Accounting, as shown next. Figu[...]
Page 220
ZyWALL 50 Internet Security Gateway 17-8 System Information & Diagnosis Table 17-3 System Maintenance Menu Syslog Parameters PARAMETER DESCRIPTION Filter log No filters are logged when this field is set to No. Filters with the individual filter Log Filter field set to Yes (Menu 21.x.x) are logged when this field is set to [...]
Page 221
ZyWALL 50 Internet Security Gateway System Information & Diagnosis 17-9 Data: We will send forty-eight Hex characters to the server Jul 19 11:28:39 192.168.102.2 ZyXEL: Packet Trigger: Protocol=1, Data=4500003c 10010000 1f010004 c0a86614 ca849a7b 08004a5c 02000100 61626364 65666768 696a6b6c 6d6e6f70 71727374 Jul 19 11:28:56 192.168[...]
Page 222
ZyWALL 50 Internet Security Gateway 17-10 System Information & Diagnosis 4. PPP log PPP Log Message Format sdcmdSyslogSend( SYSLOG_PPPLOG, SYSLOG_NOTICE, String ); String = ppp:Proto Starting / ppp:Proto Opening / ppp:Proto Closing / ppp:Proto Shutdown Proto = LCP / ATCP / BACP / BCP / CBCP / CCP / CHAP / PAP / IPCP / IPXCP Jul 19 1[...]
Page 223
ZyWALL 50 Internet Security Gateway System Information & Diagnosis 17-11 Figure 17-9 Call-Triggering Packet Example 17.4 Diagnostic The diagnostic facility allows you to test the different aspects of your ZyWALL to determine if it is working properly. Menu 24.4 allows you to choose among various types of diagnostic tests to eval[...]
Page 224
ZyWALL 50 Internet Security Gateway 17-12 System Information & Diagnosis Figure 17-10 Menu 24.4 — System Maintenance — Diagnostic Follow the procedure below to get to Menu 24.4 - System Maintenance – Diagnostic. Step 1. From the main menu, select option 24 to open Menu 24 - System Maintenance. Step 2. From this menu, select op[...]
Page 225
ZyWALL 50 Internet Security Gateway System Information & Diagnosis 17-13 Figure 17-11 WAN & LAN DHCP The following table describes the diagnostic tests available in menu 24.4 for your ZyWALL and associated connections. Table 17-4 System Maintenance Menu Diagnostic FIELD DESCRIPTION Ping Host Enter 1 to ping any machine (with an [...]
Page 226
[...]
Page 227
ZyWALL 50 Internet Security Gateway Firmware and Configuration File Maintenance 18-1 Chapter 18 Firmware and Configuration Maintenance This chapter tells you how to back up and restore your configuration file as well as upload new firmware and a new configuration file. 18.1 Filename Conventions The configuration file (often called th[...]
Page 228
ZyWALL 50 Internet Security Gateway 18-2 Firmware and Configuration File Maintenance you have uploaded the correct firmware version. The AT command is the command you enter after you press “y” when prompted in the SMT menu to go into debug mode. Table 18-1 Filename Conventions FILE TYPE INTERNAL NAME EXTERNAL NAME DESCRIPTION Confi[...]
Page 229
ZyWALL 50 Internet Security Gateway Firmware and Configuration File Maintenance 18-3 Figure 18-1 Telnet in Menu 24.5 18.2.2 Using the FTP Command from the Command Line Step 1. Launch the FTP client on your computer. Step 2. Enter “open”, followed by a space and the IP address of your ZyWALL. Step 3. Press [ENTER] when prompted fo[...]
Page 230
ZyWALL 50 Internet Security Gateway 18-4 Firmware and Configuration File Maintenance Figure 18-2 FTP Session Example 18.2.4 GUI-Based FTP Clients The following table describes some of the commands that you may see in GUI-Based FTP clients. Table 18-2 General Commands for GUI-Based FTP Clients COMMAND DESCRIPTION Host Address Enter [...]
Page 231
ZyWALL 50 Internet Security Gateway Firmware and Configuration File Maintenance 18-5 • There is an SMT console session running. • The firewall is active. The default firewall policies block all traffic from the WAN, so to enable TFTP over the WAN, you must turn the firewall off (menu 21.2) or create a firewall rule to allow TFTP from t[...]
Page 232
ZyWALL 50 Internet Security Gateway 18-6 Firmware and Configuration File Maintenance TFTP [-i] host get rom-0 config.rom where “i” specifies binary image transfer mode (use this mode when transferring binary files), “host” is the ZyWALL IP address, “get” transfers the file source on the ZyWALL (rom-0 name of the configuration[...]
Page 233
ZyWALL 50 Internet Security Gateway Firmware and Configuration File Maintenance 18-7 Step 2. The following screen indicates that the Xmodem download has started. Figure 18-4 System Maintenance — Starting Xmodem Download Screen Step 3. Run the HyperTerminal program by clicking Transfer, then Receive File as shown in the followi[...]
Page 234
ZyWALL 50 Internet Security Gateway 18-8 Firmware and Configuration File Maintenance FTP is the preferred method for restoring your current computer configuration to your ZyWALL since it is faster. Please note that you must wait for the system to automatically restart after the file transfer is complete. WARNING! DO NOT INTERU[...]
Page 235
ZyWALL 50 Internet Security Gateway Firmware and Configuration File Maintenance 18-9 Step 3. Press [ENTER] when prompted for a username. Step 4. Enter your password as requested (the default is “1234”). Step 5. Enter “bin” to set transfer mode to binary. Step 6. Find the “rom” file (on your computer) that you want to r[...]
Page 236
ZyWALL 50 Internet Security Gateway 18-10 Firmware and Configuration File Maintenance Figure 18-10 System Maintenance — Starting Xmodem Download Screen Step 3. Run the HyperTerminal program by clicking Transfer, then Receive File as shown in the following screen. Figure 18-11 Restore Configuration Example Step 4. After a succe[...]
Page 237
ZyWALL 50 Internet Security Gateway Firmware and Configuration File Maintenance 18-11 WARNING! DO NOT INTERRUPT THE FILE TRANSFER PROCESS AS THIS MAY PERMANENTLY DAMAGE YOUR ZYWALL. 18.4.1 Firmware File Upload FTP is the preferred method for uploading the firmware and configuration. To use this feature, your comp[...]
Page 238
ZyWALL 50 Internet Security Gateway 18-12 Firmware and Configuration File Maintenance Figure 18-14 Telnet Into Menu 24.7.2 — System Maintenance To upload the firmware and the configuration file, follow these examples 18.4.3 FTP File Upload Command from the Command Line Example Step 1. Launch the FTP client on your computer. Step 2. [...]
Page 239
ZyWALL 50 Internet Security Gateway Firmware and Configuration File Maintenance 18-13 18.4.4 FTP Session Example of Firmware File Upload Figure 18-15 FTP Session Example of Firmware File Upload More commands (found in GUI-Based FTP clients) are listed earlier in this chapter. Refer to section 18.2.5 to read about configurations that [...]
Page 240
ZyWALL 50 Internet Security Gateway 18-14 Firmware and Configuration File Maintenance Step 5. Use the TFTP client (see the example below) to transfer files between the ZyWALL and the computer. The file name for the firmware is “ras”. Note that the telnet connection must be active and the ZyWALL in CI mode before and during the TFTP t[...]
Page 241
ZyWALL 50 Internet Security Gateway Firmware and Configuration File Maintenance 18-15 Figure 18-16 Menu 24.7.1 as seen using the Console Port Step 2. After the "Starting Xmodem upload" message appears, activate the Xmodem protocol on your computer. Follow the procedure as shown previously for the HyperTerminal program. The [...]
Page 242
ZyWALL 50 Internet Security Gateway 18-16 Firmware and Configuration File Maintenance 18.4.10 Uploading a Configuration File Via Console Port Step 1. Select 2 from Menu 24.7 – System Maintenance – Upload Firmware to display Menu 24.7.2 - System Maintenance - Upload System Configuration File. Follow the instructions as shown in th[...]
Page 243
ZyWALL 50 Internet Security Gateway Firmware and Configuration File Maintenance 18-17 Figure 18-19 Example Xmodem Upload After the configuration upload process has completed, restart the ZyWALL by entering “atgo”. Type the configuration file’s location, or click Browse to search for it. Choose the Xmodem protocol. Then click Se[...]
Page 244
[...]
Page 245
ZyWALL 50 Internet Security Gateway System Maintenance & Information 19-1 Chapter 19 System Maintenance & Information This chapter leads you through SMT menus 24.8 to 24.11. 19.1 Command Interpreter Mode The Command Interpreter (CI) is a part of the main system firmware. The CI provides much of the same functionality as the SMT,[...]
Page 246
ZyWALL 50 Internet Security Gateway 19-2 System Maintenance & Information Figure 19-2 Valid Commands 19.2 Call Control Support The ZyWALL provides two call control functions: budget management and call history. Please note that this menu is only applicable when Encapsulation is set to PPPoE or PPTP in menu 4 or menu 11.1. The budget m[...]
Page 247
ZyWALL 50 Internet Security Gateway System Maintenance & Information 19-3 Figure 19-4 Budget Management The total budget is the time limit on the accumulated time for outgoing calls to a remote node. When this limit is reached, the call will be dropped and further outgoing calls to that remote node will be blocked. After each period, th[...]
Page 248
ZyWALL 50 Internet Security Gateway 19-4 System Maintenance & Information 19.2.2 Call History This is the second option in Menu 24.9 - System Maintenance - Call Control. It displays information about past incoming and outgoing calls. Enter 2 from Menu 24.9 - System Maintenance - Call Control to bring up the following menu. Figur[...]
Page 249
ZyWALL 50 Internet Security Gateway System Maintenance & Information 19-5 19.3 Time and Date Setting The ZyWALL has a Real Time Chip (RTC) that keeps track of the time and date. There is also a software mechanism to set the time manually or get the current time and date from an external server when you turn on your ZyWALL. Menu 24.10 all[...]
Page 250
ZyWALL 50 Internet Security Gateway 19-6 System Maintenance & Information Figure 19-7 Menu 24.10 System Maintenance — Time and Date Setting Table 19-3 Time and Date Setting Fields FIELD DESCRIPTION Enter the time service protocol that your time server sends when you turn on the ZyWALL. Not all time servers support all proto[...]
Page 251
ZyWALL 50 Internet Security Gateway System Maintenance & Information 19-7 Table 19-3 Time and Date Setting Fields FIELD DESCRIPTION Daylight Saving If you use daylight savings time, then choose Yes. Start Date If using daylight savings time, enter the month and day that it starts on. End Date If using daylight savings time, enter t[...]
Page 252
[...]
Page 253
ZyWALL 50 Internet Security Gateway Remote Management 20-1 Chapter 20 Remote Management This chapter covers remote management found in SMT menu 24.11. 20.1 Telnet The only way to configure the ZyWALL for remote management is through an SMT session using the console port. Once your ZyWALL is configured, you can use telnet to configu[...]
Page 254
ZyWALL 50 Internet Security Gateway 20-2 Remote Management 20.3 Web You can use the ZyWALL’s embedded web configurator for configuration and file management. See the Using the ZyWALL Web Configurator chapter for an introduction to the web configurator. 20.4 Remote Management Remote management control is for managing Telnet, Web and [...]
Page 255
ZyWALL 50 Internet Security Gateway Remote Management 20-3 Table 20-1 Menu 24.11 – Remote Management Control FIELD DESCRIPTION EXAMPLE TELNET Server FTP Server Web Server These read-only labels denote the kind of server that you may remotely manage. Server Port You may change the service port number for corresponding services in [...]
Page 256
ZyWALL 50 Internet Security Gateway 20-4 Remote Management 6. There is a web remote management session running with a Telnet session. A Telnet session will be disconnected if you begin a web session; it will not begin if there already is a web session. 20.5 Remote Management and NAT When NAT is enabled: Use the ZyWALL’s WAN IP add[...]
Page 257
Call Scheduling and VPN/IPSec V Part V: Call Scheduling and VPN/IPSec Part V provides information about Call Scheduling and VPN/IPSec.[...]
Page 258
[...]
Page 259
ZyWALL 50 Internet Security Gateway Call Scheduling 21-1 Chapter 21 Call Scheduling Call scheduling allows you to dictate when a remote node should be called and for how long. 21.1 Introduction The call scheduling feature allows the ZyWALL to manage a remote node and dictate when a remote node should be called and for how long. Thi[...]
Page 260
ZyWALL 50 Internet Security Gateway 21-2 Call Scheduling You can design up to twelve schedule sets but you can only apply up to four schedule sets for a remote node. To delete a schedule set, enter the set number and press [SPACE BAR] or [DELETE] in the Edit Name field. To set up a schedule set select the schedule set y[...]
Page 261
ZyWALL 50 Internet Security Gateway Call Scheduling 21-3 Table 21-1 Schedule Set Setup Fields FIELD DESCRIPTION OPTION How Often Should this schedule set recur weekly or be used just once only? Press [SPACE BAR] to toggle between Once and Weekly. Both these options are mutually exclusive. If Once is selected, then all weekday settings [...]
Page 262
ZyWALL 50 Internet Security Gateway 21-4 Call Scheduling Figure 21-3 Applying Schedule Set(s) to a Remote Node (PPPoE) You can apply up to 4 schedule sets, separated by commas, for one remote node. Change the schedule set numbers to your preference(s). Figure 21-4 Applying Schedule Set(s) to a Remote Node (PPTP) Menu 11.1 - Remote Node P[...]
Page 263
ZyWALL 50 Internet Security Gateway Introduction to IPSec 22-1 Chapter 22 Introduction to IPSec This chapter introduces the basics of IPSec VPNs. 22.1 Introduction 22.1.1 VPN A VPN (Virtual Private Network) provides secure communications between sites without the expense of leased site-to-site lines. A secure VPN is a combination of tunn[...]
Page 264
ZyWALL 50 Internet Security Gateway 22-2 Introduction to IPSec Figure 22-1 Encryption and Decryption Data Confidentiality The IPSec sender can encrypt packets before transmitting them across a network. Data Integrity The IPSec receiver can validate packets sent by the IPSec sender to ensure that the data has not been altered during tr[...]
Page 265
ZyWALL 50 Internet Security Gateway Introduction to IPSec 22-3 Figure 22-2 VPN Application 22.2 IPSec Architecture The overall IPSec architecture is shown as follows.[...]
Page 266
ZyWALL 50 Internet Security Gateway 22-4 Introduction to IPSec Figure 22-3 IPSec Architecture 22.2.1 IPSec Algorithms The ESP (Encapsulating Security Payload) Protocol (RFC 2406) and AH (Authentication Header) protocol (RFC 2402) describe the packet formats and the default standards for packet structure (including implementation[...]
Page 267
ZyWALL 50 Internet Security Gateway Introduction to IPSec 22-5 22.3 Encapsulation The two modes of operation for IPSec VPNs are Transport mode and Tunnel mode. Figure 22-4 Transport and Tunnel Mode IPSec Encapsulation 22.3.1 Transport Mode Transport mode is used to protect upper layer protocols and only affects the data in the IP pac[...]
Page 268
ZyWALL 50 Internet Security Gateway 22-6 Introduction to IPSec A NAT device in between the IPSec endpoints will rewrite either the source or destination address with one of its own choosing. The VPN device at the receiving end will verify the integrity of the incoming packet by computing its own hash value, and complain that the hash valu[...]
Page 269
ZyWALL 50 Internet Security Gateway VPN/IPSec Setup 23-1 Chapter 23 VPN/IPSec Setup This chapter introduces the VPN SMT menus. 23.1 VPN/IPSec Setup The VPN/IPSec main SMT menu has three main submenus. 1. Define VPN policies in menu 27.1 submenus, including security policies, endpoint IP addresses, peer IPSec router IP address and k[...]
Page 270
ZyWALL 50 Internet Security Gateway 23-2 VPN/IPSec Setup Figure 23-2 Menu 27 — VPN/IPSec Setup 23.2 IPSec Algorithms The ESP and AH protocols are necessary to create a Security Association (SA), the foundation of an IPSec VPN. An SA is built from the authentication provided by the AH and ESP protocols. The primary function of key managem[...]
Page 271
ZyWALL 50 Internet Security Gateway VPN/IPSec Setup 23-3 Table 23-1 AH and ESP ESP AH Select DES for minimal security and 3DES for maximum. Select MD5 for minimal security and SHA-1 for maximum security. DES (default) Data Encryption Standard (DES) is a widely used method of data encryption using a private (secret) key. DES applies[...]
Page 272
ZyWALL 50 Internet Security Gateway 23-4 VPN/IPSec Setup My IP Addr is the (initiator) ZyWALL WAN IP address. If this field is configured as 0.0.0.0, then the ZyWALL will use the current ZyWALL WAN IP address (static or dynamic) to set up the VPN tunnel. If the My IP Addr changes after setup, then the VPN tunnel will have to be rebuilt again[...]
Page 273
ZyWALL 50 Internet Security Gateway VPN/IPSec Setup 23-5 Figure 23-5 HQ ZyWALL Configuration The Secure Gateway IP Address may be configured as 0.0.0.0 only when using IKE key negotiation and not Manual key negotiation. A ZyWALL with Secure Gateway IP Address set to 0.0.0.0 may receive multiple VPN connection requests using [...]
Page 274
ZyWALL 50 Internet Sec urity Gat eway 23-6 VPN/IPSec Setup Table 23- 3 Menu 27.1 — IPSec Summary FIELD DESCRIPTION EXAMPLE # This is the VPN policy in dex number . 1 Name This field d isplays t he unique i dentificatio n name for th is VPN rule. T he name may b e up to 32 c haracters l ong but only 10 charac ters will be displayed here. Tai wan A[...]
Page 275

Table 23-3 Menu 27.1 — IPSec Summary (continued)

FIELD | DESCRIPTION | EXAMPLE
(continued from previous page) | commands. Select None and then press [ENTER] to go to the "Press ENTER to Confirm…" prompt. Use Edit to create or edit a rule. Use Delete to remove a rule. To edit or delete a rule, first make sure you are [...]
Page 276

Figure 23-7 Menu 27.1.1 — IPSec Setup

Table 23-4 Menu 27.1.1 — IPSec Setup

FIELD | DESCRIPTION | EXAMPLE
Index | This is the VPN rule index number you selected in the previous menu. | 1
Name | Enter a unique identification name for this VPN rule. The name may be up to 32 characters[...]
Page 277

Table 23-4 Menu 27.1.1 — IPSec Setup (continued)

FIELD | DESCRIPTION | EXAMPLE
Secure Gateway IP Addr | This is the WAN IP address of the IPSec router with which you're making the VPN connection. If the peer has a dynamic WAN IP address, set this field to 0.0.0.0. This may be useful for[...]

Note: with Secure Gateway IP Addr set to 0.0.0.0 the ZyWALL cannot use the peer's address to decide whether a request is legitimate, so the pre-shared key alone authenticates the peer. Give such rules a long, unique key that is not shared with any other rule.
Page 278

Table 23-4 Menu 27.1.1 — IPSec Setup (continued)

FIELD | DESCRIPTION | EXAMPLE
(continued from previous page) | Press [SPACE BAR] to select Yes or No. Choose Yes and press [ENTER] to enable replay detection. |
Key Management | Press [SPACE BAR] to choose either IKE or Manual and then press [ENTER]. If you choose IKE, then you [...]

Enable replay detection: without it an eavesdropper can resend captured ESP or AH packets and the ZyWALL will accept them as new traffic, because their integrity check still passes.
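As an added illustration of what the replay detection option does, the following Python models the receiver-side sliding window that IPSec uses on ESP/AH sequence numbers (RFC 2401 Appendix C, RFC 4303 section 3.4.3). This is example code written for this page, not ZyNOS code; it assumes the ZyWALL implements the standard window with a 64-packet size, which the manual does not state. The received sequence list is constructed: a packet arriving out of order is still accepted once, but a captured packet that is resent is dropped because its number is already marked.

```python
"""Sliding-window anti-replay check for ESP/AH sequence numbers.

Example code for this page, modelled on RFC 2401 Appendix C / RFC 4303
section 3.4.3.  Assumption: the ZyWALL's replay detection behaves the same.
"""


class ReplayWindow:
    """Tracks the highest accepted sequence number and a bitmap of the
    `size` numbers at and below it.  Bit i of the bitmap is set when the
    packet with sequence number (last - i) has already been accepted."""

    def __init__(self, size: int = 64):
        if size < 32:
            raise ValueError("RFC 4303 requires a window of at least 32 packets")
        self.size = size
        self.last = 0      # highest sequence number accepted so far
        self.bitmap = 0    # bit i <=> sequence number (last - i) already seen

    def accept(self, seq: int) -> bool:
        """Return True and record the packet if it is new and inside the
        window; return False (drop it) if it is a replay, too old, or 0."""
        if seq <= 0:
            # RFC 4303: the first packet carries sequence number 1, so 0
            # (or anything negative) is never valid.
            return False
        if seq > self.last:
            # Newer than anything seen: slide the window forward.
            shift = seq - self.last
            if shift >= self.size:
                self.bitmap = 1                 # everything older falls out
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.last = seq
            return True
        diff = self.last - seq
        if diff >= self.size:
            return False                        # behind the window: too old
        if self.bitmap & (1 << diff):
            return False                        # already accepted: a replay
        self.bitmap |= 1 << diff                # late but new: accept once
        return True


def filter_sequence(seqs, size: int = 64):
    """Run received sequence numbers through one window and return the
    accept/drop decision for each, in order."""
    window = ReplayWindow(size)
    return [window.accept(s) for s in seqs]


if __name__ == "__main__":
    # Constructed capture: normal traffic, packet 4 arriving after 5, then
    # an attacker replaying packets 5 and 3, a jump far ahead, a stale
    # packet from behind the window, and a late packet still inside it.
    received = [1, 2, 3, 5, 4, 5, 3, 100, 30, 99]
    for seq, ok in zip(received, filter_sequence(received)):
        print(f"seq {seq:>3}: {'accept' if ok else 'DROP'}")
```

The window accepts a packet only once, so an SA without this check (the No setting) is the case where every captured packet can be fed back to the gateway indefinitely.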
Page 279

Figure 23-8 Two Phases to set up the IPSec SA

In phase 1 you must:
• Choose a negotiation mode
• Authenticate the connection by entering a pre-shared key
• Choose an encryption algorithm
• Choose an authentication algorithm
• Choose a Diffie-Hellman public-key cryptogra[...]
Page 280

Aggressive Mode is quicker than Main Mode because it eliminates several steps when the communicating parties are negotiating authentication (phase 1). However, the trade-off is that the shorter exchange limits its negotiating power (the Diffie-Hellman group must be fixed up front rather than negotiated) and it does not provide identity protection: the peers' identities travel in the clear, and with pre-shared keys the authentication hash can be captured and attacked offline by guessing the key. Prefer Main Mode unless a peer with a dynamic address forces Aggressive Mode. It [...]
Page 281

Figure 23-9 Menu 27.1.1.1 — IKE Setup

Table 23-5 Menu 27.1.1.1 — IKE Setup

FIELD | DESCRIPTION | EXAMPLE
Phase 1 Negotiation Mode | Press [SPACE BAR] to choose from Main or Aggressive and then press [ENTER]. See earlier for a discussion of these modes. | Main
Pre-Shared Key | ZyWALL ga[...]
Page 282

Table 23-5 Menu 27.1.1.1 — IKE Setup (continued)

FIELD | DESCRIPTION | EXAMPLE
Authentication Algorithm | MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. The SHA1 algorithm is generally considered stronger than MD5, but is slightly[...]
Page 283

23.5 Manual Setup

You only configure Menu 27.1.1.2 – Manual Setup when you select Manual in the Key Management field in Menu 27.1.1 – IPSec Setup. Manual key management is useful if you have problems with IKE key management. Bear in mind that manually keyed SAs are never re-keyed: the same keys protect every packet until you change them by hand, so use manual keying for troubleshooting rather than as a long-term configuration.

23.5.1 Active Protocol

This field is [...]
Page 284

Figure 23-10 Menu 27.1.1.2 — Manual Setup

Table 23-7 Menu 27.1.1.2 — Manual Setup

FIELD | DESCRIPTION | EXAMPLE
Active Protocol | Press [SPACE BAR] to choose from ESP Tunnel, ESP Transport, AH Tunnel or AH Transport and then press [ENTER]. Choosing an ESP combination causes the[...]
Page 285

Table 23-7 Menu 27.1.1.2 — Manual Setup (continued)

FIELD | DESCRIPTION | EXAMPLE
Authentication Algorithm | Press [SPACE BAR] to choose from MD5 or SHA1 and then press [ENTER]. | MD5
Key | Enter the authentication key to be used by IPSec if applicable. The key must be unique. Enter 16 characters f[...]
Page 286

[...]
Page 287

Chapter 24 SA Monitor

This chapter teaches you how to manage your SAs by using the SA Monitor in SMT menu 27.2.

24.1 Introduction

A Security Association (SA) is the group of security settings related to a specific VPN tunnel. This menu (shown next) displays active VPN connections. An S[...]
Page 288

Table 24-1 Menu 27.2 — SA Monitor

FIELD | DESCRIPTION | EXAMPLE
Name | This field displays the identification name for this VPN policy. This name is unique for each connection where the secure gateway IP address is a public static IP address. When the secure gateway IP address is [...]
Page 289

Chapter 25 IPSec Log

This chapter interprets common IPSec log messages. To view the IPSec and IKE connection log, type 3 in menu 27 and press [ENTER] to display the IPSec log as shown next. The following figure shows a typical log from the initiator of a VPN connection.

Figure 25-1 Ex[...]
Page 290

This menu is useful for troubleshooting. A log index number, the date and time the log was created and a log message are displayed. Double exclamation marks (!!) denote an error or warning message. The following table shows sample log messages during IKE key exchange.

Table 25-1 [...]
Page 291

Table 25-1 Sample IKE Key Exchange Logs

LOG MESSAGE | DESCRIPTION
!! Local / remote IPs of incoming request conflict with rule <#d> | If the security gateway is "0.0.0.0", the ZyWALL will use the peer's "Local Addr" as its "Remote Addr". If this IP (range) conflicts wit[...]
Page 292

Table 25-2 Sample IPSec Logs During Packet Transmission

LOG MESSAGE | DESCRIPTION
!! Inbound packet decryption failed | The decryption configuration settings are incorrect. Please check them.
Rule <#d> idle time out, disconnect | If an SA has no packets transmitted for a period of time (c[...]
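The log described in this chapter is the first thing to collect when a tunnel misbehaves, and the "!!" convention makes it easy to triage mechanically. The following Python is an added example written for this page, not ZyNOS code: it parses a constructed sample of the menu 27 log, classifies each line by the "!!" marker, pulls out the rule number quoted in the message, and attaches the explanation given in Tables 25-1 and 25-2. The message texts are the ones on this page; the "index  date time  message" layout of each line and the rule numbers are assumptions made for the example, since Figure 25-1 is not reproduced here.

```python
"""Classify ZyWALL IPSec log lines (menu 27, option 3).

Example code for this page, not ZyNOS code.  The message texts are the ones
in Tables 25-1 and 25-2; the "index  date time  message" layout of each
line, and the rule numbers, are assumptions made for the example.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample log (not a real capture).
SAMPLE_LOG = """\
001  01 Jan 2000 00:00:02  !! Local / remote IPs of incoming request conflict with rule <3>
002  01 Jan 2000 00:05:10  !! Inbound packet decryption failed
003  01 Jan 2000 00:35:10  Rule <3> idle time out, disconnect
004  01 Jan 2000 00:40:00  !! Inbound packet decryption failed
"""

LINE_RE = re.compile(
    r"^\s*(?P<index>\d+)\s+"
    r"(?P<time>\d{2} [A-Za-z]{3} \d{4} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<message>.+?)\s*$"
)
RULE_RE = re.compile(r"(?i)(rule)\s*<(\d+)>")

# What each message means, per Tables 25-1 and 25-2.  Rule numbers are
# generalised to <#d>, the manual's own placeholder, so any rule matches.
MEANINGS = {
    "Local / remote IPs of incoming request conflict with rule <#d>":
        "Secure Gateway is 0.0.0.0, so the peer's Local Addr became the "
        "Remote Addr and that range conflicts with the numbered rule.",
    "Inbound packet decryption failed":
        "The decryption configuration settings are incorrect; check them.",
    "Rule <#d> idle time out, disconnect":
        "The SA carried no packets for the idle period and was torn down.",
}


@dataclass
class LogEntry:
    index: int
    time: str
    severity: str            # "error" for "!!" lines, otherwise "info"
    rule: Optional[int]      # rule number quoted in the message, if any
    message: str             # message with the "!!" marker removed
    meaning: str             # explanation from the manual, or "" if unknown


def normalise(message: str) -> str:
    """Replace a concrete rule number with the manual's <#d> placeholder."""
    return RULE_RE.sub(lambda m: f"{m.group(1)} <#d>", message)


def parse_line(line: str) -> LogEntry:
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    raw = m.group("message")
    is_error = raw.startswith("!!")
    message = raw[2:].strip() if is_error else raw
    rule_match = RULE_RE.search(message)
    return LogEntry(
        index=int(m.group("index")),
        time=m.group("time"),
        severity="error" if is_error else "info",
        rule=int(rule_match.group(2)) if rule_match else None,
        message=message,
        meaning=MEANINGS.get(normalise(message), ""),
    )


def parse_log(text: str) -> list:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def error_summary(entries) -> dict:
    """Count "!!" messages by normalised text: the figures to alert on
    (repeated decryption failures point at a key or algorithm mismatch
    rather than a transient fault)."""
    counts: dict = {}
    for e in entries:
        if e.severity == "error":
            key = normalise(e.message)
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for e in entries:
        print(f"{e.index:03d} {e.severity:5s} rule={e.rule} {e.message} -> {e.meaning}")
    print(error_summary(entries))
```

Lines that do not fit the assumed layout raise rather than being silently skipped, so a change in the device's log format shows up immediately instead of as an empty report.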
Page 293

Part VI: Troubleshooting, Appendices and Index

This part provides Troubleshooting, followed by some Appendices and an Index.
Page 294

Chapter 26 Troubleshooting

This chapter covers potential problems and possible remedies. After each problem description, some instructions are provided to help you to diagnose and to solve the problem. Please see our included disk for further information.

26.1 Problems [...]
Page 295

26.2 Problems with the LAN Interface

Table 26-2 Troubleshooting the LAN Interface

PROBLEM | CORRECTIVE ACTION
Can't pin[...] | Check the 10M/100M LEDs on the front panel. One of these LEDs should be on. If they are both off, check the cables between your ZyWALL and the hub or the station.
Page 296

Table 26-3 Troubleshooting the WAN Interface

PROBLEM | CORRECTIVE ACTION
Can't connect to a remote node or ISP. | Check menu 24.1 to verify the line status. If it indicates Down, then refer to the section on the line problems.

26.4 Problems with Internet Access

Table 26-4 Troublesho[...]
Page 297

Table 26-6 Troubleshooting Remote Management

PROBLEM | CORRECTIVE ACTION
(not captured) | Refer to the Remote Management Limitations section for scenarios when remote management may not be possible. When NAT is enabled: Use the ZyWALL's WAN IP address when configuring from the WAN. [...]
Page 298

Appendix A The Big Picture

The following figure gives an overview of how filtering, the firewall, VPN and NAT are related.

Diagram 1 Big Picture — Filtering, Firewall, NAT and VPN
Page 299

[...]
Page 300

Appendix B PPPoE

PPPoE in Action

An ADSL modem bridges a PPP session over Ethernet (PPP over Ethernet, RFC 2516) from your PC to an ATM PVC (Permanent Virtual Circuit) that connects to an xDSL Access Concentrator where the PPP session terminates (see the next figure). One PVC can support an[...]
Page 301

How PPPoE Works

The PPPoE driver makes the Ethernet appear as a serial link to the PC and the PC runs PPP over it, while the modem bridges the Ethernet frames to the Access Concentrator (AC). Between the AC and an ISP, the AC is acting as an L2TP (Layer 2 Tunneling Protocol) LAC (L2[...]
Page 302

Appendix C PPTP

What is PPTP?

PPTP (Point-to-Point Tunneling Protocol) is a Microsoft proprietary protocol (RFC 2637 for PPTP is informational only) to tunnel PPP frames. Note that PPTP's own authentication and encryption (MS-CHAP, MPPE) are considered broken today; in this appendix it serves only as an encapsulation for PPP frames between the PC and the modem. How can we transport PPP frames from a PC to a broadband modem over Ethernet? A solution is to build PPTP into the ANT (ADSL[...]
Page 303

PPTP is very similar to L2TP, since L2TP is based on both PPTP and L2F (Cisco's Layer 2 Forwarding). Conceptually, there are three parties in PPTP, namely the PNS (PPTP Network Server), the PAC (PPTP Access Concentrator) and the PPTP user. The PNS is the box that hosts both the PPP and[...]
Page 304

PPP Data Connection

The PPP frames are tunneled between the PNS and PAC over GRE (Generic Routing Encapsulation, RFC 1701, 1702). The individual calls within a tunnel are distinguished using the Call ID field in the GRE header.
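To make the Call ID mechanism concrete, here is an added example (written for this page, not ZyNOS code) that builds and parses the enhanced GRE header PPTP uses for PPP data, as laid out in RFC 2637 section 4, and then sorts a mixed stream of packets into calls by Call ID. The parser is deliberately strict, rejecting anything a PAC or PNS would never send, which is the behaviour a firewall or NAT helper tracking PPTP calls should have. The packets in the sample tunnel are constructed, and their payloads are placeholder bytes rather than real PPP frames.

```python
"""Build and parse the enhanced GRE header PPTP uses for PPP data
(RFC 2637 section 4).  Example code for this page, not ZyNOS code; the
sample packets are constructed and their payloads are placeholders."""
import struct
from dataclasses import dataclass
from typing import Optional

PPP_PROTOCOL_TYPE = 0x880B   # Protocol Type carried by PPP-in-GRE

# Bits of the first 16-bit word: C R K S s Recur(3) A Flags(4) Ver(3)
FLAG_C = 1 << 15
FLAG_R = 1 << 14
FLAG_K = 1 << 13        # Key field (Payload Length + Call ID) present: always 1
FLAG_S = 1 << 12        # Sequence Number present: set on packets carrying data
FLAG_STRICT = 1 << 11   # the "s" (strict source route) bit, must be 0
MASK_RECUR = 0x0700
FLAG_A = 1 << 7         # Acknowledgment Number present
MASK_FLAGS = 0x0078
MASK_VER = 0x0007
ENHANCED_GRE_VERSION = 1
MUST_BE_ZERO = FLAG_C | FLAG_R | FLAG_STRICT | MASK_RECUR | MASK_FLAGS


@dataclass
class PptpGrePacket:
    call_id: int                 # distinguishes the call within the tunnel
    payload: bytes               # the PPP frame (empty for a pure ack)
    seq: Optional[int] = None
    ack: Optional[int] = None


def encode(pkt: PptpGrePacket) -> bytes:
    word = FLAG_K | ENHANCED_GRE_VERSION
    if pkt.seq is not None:
        word |= FLAG_S
    if pkt.ack is not None:
        word |= FLAG_A
    out = struct.pack("!HHHH", word, PPP_PROTOCOL_TYPE, len(pkt.payload), pkt.call_id)
    if pkt.seq is not None:
        out += struct.pack("!I", pkt.seq)
    if pkt.ack is not None:
        out += struct.pack("!I", pkt.ack)
    return out + pkt.payload


def decode(data: bytes) -> PptpGrePacket:
    """Strict parse: anything a PAC/PNS would not emit is rejected rather
    than guessed at."""
    if len(data) < 8:
        raise ValueError("truncated GRE header")
    word, proto, payload_len, call_id = struct.unpack("!HHHH", data[:8])
    if proto != PPP_PROTOCOL_TYPE:
        raise ValueError(f"protocol type 0x{proto:04x} is not PPP")
    if word & MASK_VER != ENHANCED_GRE_VERSION:
        raise ValueError("not enhanced GRE (version must be 1)")
    if not word & FLAG_K:
        raise ValueError("Key field missing, so there is no Call ID")
    if word & MUST_BE_ZERO:
        raise ValueError("reserved C/R/s/Recur/Flags bits set")
    offset = 8
    seq = ack = None
    if word & FLAG_S:
        if len(data) < offset + 4:
            raise ValueError("truncated Sequence Number")
        seq = struct.unpack("!I", data[offset:offset + 4])[0]
        offset += 4
    if word & FLAG_A:
        if len(data) < offset + 4:
            raise ValueError("truncated Acknowledgment Number")
        ack = struct.unpack("!I", data[offset:offset + 4])[0]
        offset += 4
    payload = data[offset:]
    if len(payload) != payload_len:
        raise ValueError(f"Payload Length {payload_len} != {len(payload)} bytes present")
    return PptpGrePacket(call_id, payload, seq, ack)


def demux_by_call(packets) -> dict:
    """Group the PPP payloads of a tunnel by Call ID, the field that tells
    the calls apart, ignoring pure acknowledgments (no Sequence Number)."""
    calls: dict = {}
    for raw in packets:
        pkt = decode(raw)
        if pkt.seq is None:
            continue
        calls.setdefault(pkt.call_id, []).append(pkt.payload)
    return calls


if __name__ == "__main__":
    # Two interleaved calls plus one acknowledgment (constructed sample).
    tunnel = [
        encode(PptpGrePacket(1, b"call-1 frame 1", seq=1)),
        encode(PptpGrePacket(2, b"call-2 frame 1", seq=1)),
        encode(PptpGrePacket(1, b"call-1 frame 2", seq=2, ack=1)),
        encode(PptpGrePacket(2, b"", ack=1)),
    ]
    print(demux_by_call(tunnel))
```

The Payload Length cross-check at the end of decode is the detail most often skipped in quick parsers; without it a packet whose header length disagrees with its actual size is passed on and the discrepancy surfaces later, somewhere harder to diagnose.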
Page 305

Appendix D Hardware Specifications

Power Specification | I/P AC 120 V / 60 Hz; O/P DC 12 V 1200 mA
MTBF | 100000 hrs
Operation Temperature | 0 °C ~ 40 °C
Ethernet Specification for WAN | 10 Mbit Half Duplex
Ethernet Specification for LAN | 10/100 Mbit Half / Full Auto-negotiation
Cons[...]
Page 306

Appendix E Important Safety Instructions

The following safety instructions apply to the ZyWALL.

1. Be sure to read and follow all warning notices and instructions.
2. The maximum recommended ambient temperature for the ZyWALL is 40 °C (104 °F). Care must be taken [...]
Page 307

• Never install telephone jacks in a wet location unless the jack is specially designed for wet locations.
• Never touch uninsulated telephone wires or terminals unless the telephone line has been disconnected at the network interface.
• Use caution when installing or modifying te[...]
Page 308

Appendix F Boot Commands

The BootModule AT commands execute from within the router's bootup software, when debug mode is selected before the main system firmware (ZyNOS) is started. Anyone with physical access to the console port can enter this mode before ZyNOS and its password prompt are running, so treat console access to the ZyWALL as equivalent to administrative access. When you start up your ZyWALL, you are given a choice to go into debug mode by pressing a key at the [...]
Page 309

Diagram 8 Boot Module Commands

======= Debug Command Listing =======
AT           just answer OK
ATHE         print help
ATBAx        change baudrate. 1:38.4k, 2:19.2k, 3:9.6k, 4:57.6k, 5:115.2k
ATENx,(y)    set BootExtension Debug Flag (y=password)
ATSE         show the seed of password generator
ATTI(h,m,s)  change system time to[...]
Page 310

Appendix G Firewall CLI Commands

The following table describes the syntax used to configure your firewall using Command Line Interface (CLI) commands. Select Menu 24.8 - Command Interpreter Mode from the main menu to go into CLI mode. For details on other CLI commands to configur[...]
Page 311

FUNCTION / CLI SYNTAX / DESCRIPTION

config edit firewall e-mail email-to <e-mail address>
    Edits the mail address to which you want to send the alert.
config edit firewall e-mail policy <full | hourly | daily | weekly>
    Edits whether the current firewall traffic log contents[...]
Page 312

config edit firewall attack tcp-max-incomplete <0-255>
    The threshold at which blocking starts (see the block field).

Sets

config edit firewall set <set #> name <desired name>
    Edits the name for a specified set.
config edit firewall s[...]
Page 313

(continued from previous page) rule <rule #> alert <yes | no>
    (continued) DoS attack occurs or there is a violation of any alert settings. In such cases the function sends an e-mail to the SMTP destination address and logs an alert.
config edit firewall set <set [...]
Page 314

config edit firewall set <set #> rule <rule #> UDP destport-single <port #>
    Selects and edits the destination port of the traffic that matches this rule. For non-consecutive port numbers, the user may repeat this command line to[...]
Page 315

Appendix H Power Adapter Specifications

AC Power Adapter Specifications

North America
AC Power Adapter model: AD48-1201200DUY
Input power: AC 120 Volts / 60 Hz / 0.25 A
Output power: DC 12 Volts / 1.2 A
Power consumption: 10 W
Plug: North American standards
Safety standards: UL, CUL [...]
Page 316

Plug: European Union standards
Safety standards: TUV, CE (EN 60950)

UK
AC Power Adapter model: AD-1201200DK
Input power: AC 230 Volts / 50 Hz / 0.2 A
Output power: DC 12 Volts / 1.2 A
Power consumption: 10 W
Plug: United Kingdom standards
Safety standards: TUV, CE (EN 60950, BS70[...]
Page 317

[...]
Page 318

Index

A
Action for Matched Packets, 10-11
Activate The Firewall, 13-3
Alert Schedule, 9-5
Application-level Firewalls, 7-1
Applications for the ZyWAL[...]
Page 319

Types, 7-4
DoS (Denial of Service), 1-1
Dynamic DNS, 4-1

E
E-mail
  Log Example, 9-6
  Mail Server[...]
Page 320

IGMP (Internet Group Management Protocol), 5-4
Initial Screen, 3-1
Installation Requirements, 2-5
Internet Access Setup, 6-1, 6-6, 26-2
Internet Access via Cable or xDSL Modem[...]
Page 321

PPTP Encapsulation, 1-2, 6-2, 4-5, 4-8
Private, 5-3, 5-4, 4-8, 4-10, 5-3
Private IP Addresses, 5-3

R
Read Me First, xxxi
Rear Panel[...]
Page 322

T
TCP Maximum Incomplete, 9-8, 9-9, 9-11, 9-11
TCP Security, 7-10
TCP/IP, 5-1, 5-2, 5-5, 5-7, 4-7, 4-10, 7-3, 7-4, 15-7, 15-8, 15-10, 15-13, 15-17, 20-1
TCP/IP filter rule, 15-7
Teardrop[...]