Home » ZyXEL Manuals » Networking » ZyXEL P-202H » Manual Viewer

ZyXEL P-202H User Guide - Page 78

Introduction to ZyXEL's Firewall

Get ZyXEL P-202H PDF manuals and user guides

Add to My Manuals
Save this manual to your list of manuals

Page 78 highlights

P-202H Plus v2 User's Guide • Information hiding prevents the names of internal systems from being made known via DNS to outside systems, since the application gateway is the only host whose name must be made known to outside systems. • Robust authentication and logging pre-authenticates application traffic before it reaches internal hosts and causes it to be logged more effectively than if it were logged with standard host logging. Filtering rules at the packet filtering router can be less complex than they would be if the router needed to filter application traffic and direct it to a number of specific systems. The router need only allow application traffic destined for the application gateway and reject the rest. 8.2.3 Stateful Inspection Firewalls Stateful inspection firewalls restrict access by screening data packets against defined access rules. They make access control decisions based on IP address and protocol. They also "inspect" the session data to assure the integrity of the connection and to adapt to dynamic protocols. These firewalls generally provide the best speed and transparency, however, they may lack the granular application level access control or caching that some proxies support. See Section 8.5 on page 82 for more information on stateful inspection. Firewalls, of one type or another, have become an integral part of standard security solutions for enterprises. 8.3 Introduction to ZyXEL's Firewall The ZyXEL Device firewall is a stateful inspection firewall and is designed to protect against Denial of Service attacks when activated (in SMT menu 21.2 or in the web configurator). The ZyXEL Device's purpose is to allow a private Local Area Network (LAN) to be securely connected to the Internet. The ZyXEL Device can be used to prevent theft, destruction and modification of data, as well as log events, which may be important to the security of your network. The ZyXEL Device also has packet filtering capabilities. The ZyXEL Device is installed between the LAN and the Internet. This allows it to act as a secure gateway for all data passing between the Internet and the LAN. The ZyXEL Device has one ISDN port and four Ethernet LAN ports, which physically separate the network into two areas. • The ISDN port connects to the Internet. • The LAN (Local Area Network) port attaches to a network of computers, which needs security from the outside world. These computers will have access to Internet services such as e-mail, FTP, and the World Wide Web. However, "inbound access" will not be allowed unless you configure remote management or create a firewall rule to allow a remote host to use a specific service. 77 Chapter 8 Firewalls

Section	Page
P-202H Plus v2	1
Copyright	3
Certifications	4
Safety Warnings	5
ZyXEL Limited Warranty	6
Customer Support	7
Table of Contents	9
List of Figures	21
List of Tables	27
Preface	31
1. Getting To Know Your ZyXEL Device	33
1.1 Introducing the ZyXEL Device	33
1.2 Features	33
1.3 Applications for the ZyXEL Device	37
1.3.1 Internet Access	37
1.3.2 LAN-to-LAN Connection	37
1.3.3 Remote Access Server	38
1.3.4 Secure Broadband Internet Access and VPN	38
1.4 Front Panel LEDs	39
1.5 Hardware Connection	40
2. Introducing the Web Configurator	41
2.1 Web Configurator Overview	41
2.2 Accessing the Web Configurator	41
2.3 Resetting the ZyXEL Device	42
2.3.1 Using the Reset Button	42
2.4 Navigating the Web Configurator	43
2.4.1 Changing Login Password	44
3. Wizard Setup	47
3.1 Introduction	47
3.1.1 MSN (Multiple Subscriber Number) and Subaddress	47
3.1.2 PABX Outside Line Prefix	47
3.2 Wizard Setup	47
3.2.1 Test Your Internet Connection	54
4. LAN Setup	55
4.1 LAN Overview	55
4.1.1 LANs, WANs and the ZyXEL Device	55
4.1.2 DHCP Setup	55
4.1.2.1 IP Pool Setup	56
4.1.3 DNS Server Address Assignment	56
4.2 LAN TCP/IP	56
4.2.1 IP Address and Subnet Mask	56
4.2.1.1 Private IP Addresses	57
4.3 Configuring LAN Setup	57
5. WAN Setup	61
5.1 WAN Overview	61
5.1.1 PPP Multilink	61
5.1.2 Bandwidth on Demand	61
5.1.3 IP Address Assignment	61
5.2 Internet Access Setup	61
6. Network Address Translation (NAT) Screens	65
6.1 NAT Overview	65
6.1.1 NAT Definitions	65
6.1.2 What NAT Does	66
6.1.3 How NAT Works	66
6.1.4 NAT Application	67
6.1.5 NAT Mapping Types	67
6.2 SUA (Single User Account) Versus NAT	68
6.3 Selecting the NAT Mode	68
6.4 SUA Server	69
6.4.1 Default Server IP Address	70
6.4.2 Port Forwarding: Services and Port Numbers	70
6.4.3 Configuring Servers Behind NAT (Example)	70
6.5 Configuring SUA Server	71
6.6 Configuring Address Mapping	72
6.6.1 Address Mapping Rule Edit	73
7. Dynamic DNS	75
7.1 Dynamic DNS Overview	75
7.1.1 DYNDNS Wildcard	75
7.2 Configuring Dynamic DNS	75
8. Firewalls	77
8.1 Firewall Overview	77
8.2 Types of Firewalls	77
8.2.1 Packet Filtering Firewalls	77
8.2.2 Application-level Firewalls	77
8.2.3 Stateful Inspection Firewalls	78
8.3 Introduction to ZyXEL’s Firewall	78
8.3.1 Denial of Service Attacks	79
8.4 Denial of Service	79
8.4.1 Basics	79
8.4.2 Types of DoS Attacks	80
8.4.2.1 ICMP Vulnerability	82
8.4.2.2 Illegal Commands (NetBIOS and SMTP)	82
8.4.2.3 Traceroute	83
8.5 Stateful Inspection	83
8.5.1 Stateful Inspection Process	84
8.5.2 Stateful Inspection and the ZyXEL Device	84
8.5.3 TCP Security	85
8.5.4 UDP/ICMP Security	85
8.5.5 Upper Layer Protocols	86
8.6 Guidelines for Enhancing Security with Your Firewall	86
8.6.1 Security In General	86
8.7 Packet Filtering Vs Firewall	87
8.7.1 Packet Filtering:	87
8.7.1.1 When To Use Filtering	88
8.7.2 Firewall	88
8.7.2.1 When To Use The Firewall	88
9. Firewall Configuration	89
9.1 Enabling the Firewall	89
9.2 E-Mail	89
9.3 Attack Alert	91
9.3.1 Alerts	91
9.3.2 Threshold Values	91
9.3.3 Half-Open Sessions	92
9.3.3.1 TCP Maximum Incomplete and Blocking Time	92
9.3.4 Configuring Firewall Alert	92
9.4 Rules Overview	94
9.5 Rule Logic Overview	94
9.5.1 Rule Checklist	95
9.5.2 Security Ramifications	95
9.5.3 Key Fields For Configuring Rules	95
9.5.3.1 Action	95
9.5.3.2 Service	95
9.5.3.3 Source Address	96
9.5.3.4 Destination Address	96
9.6 Connection Direction	96
9.6.1 LAN to WAN Rules	96
9.6.2 WAN to LAN Rules	96
9.7 Firewall Rules Summary	96
9.7.1 Configuring Firewall Rules	98
9.7.2 Source and Destination Addresses	100
9.7.3 Customized Services	101
9.7.4 Configuring A Customized Service	102
9.8 Timeout	102
9.8.1 Factors Influencing Choices for Timeout Values	103
9.9 Logs Screen	104
9.10 Example Firewall Rule	105
9.11 Predefined Services	108
10. Introduction to IPSec	111
10.1 VPN Overview	111
10.1.1 IPSec	111
10.1.2 Security	111
10.1.3 Other Terminology	111
10.1.3.1 Encryption	111
10.1.3.2 Data Confidentiality	112
10.1.3.3 Data Integrity	112
10.1.3.4 Data Origin Authentication	112
10.1.4 VPN Applications	112
10.2 IPSec Architecture	112
10.2.1 IPSec Algorithms	113
10.2.2 Key Management	113
10.3 Encapsulation	113
10.3.1 Transport Mode	114
10.3.2 Tunnel Mode	114
10.4 IPSec and NAT	114
11. VPN Screens	117
11.1 VPN/IPSec Overview	117
11.2 IPSec Algorithms	117
11.2.1 AH (Authentication Header) Protocol	117
11.2.2 ESP (Encapsulating Security Payload) Protocol	117
11.3 My IP Address	118
11.4 Secure Gateway IP Address	118
11.4.1 Dynamic Secure Gateway Address	119
11.5 VPN Summary Screen	119
11.6 Keep Alive	121
11.7 ID Type and Content	121
11.7.1 ID Type and Content Examples	122
11.8 Pre-Shared Key	123
11.9 VPN Rules	123
11.10 IKE Phases	127
11.10.1 Negotiation Mode	128
11.10.2 Diffie-Hellman (DH) Key Groups	129
11.10.3 Perfect Forward Secrecy (PFS)	129
11.11 Advanced IKE Settings	129
11.12 Manual Key	132
11.12.1 Security Parameter Index (SPI)	132
11.13 Manual Key Screen	133
11.14 SA Monitor Screen	135
11.15 Global Setting Screen	136
11.16 Telecommuter VPN/IPSec Examples	137
11.16.1 Telecommuters Sharing One VPN Rule Example	137
11.16.2 Telecommuters Using Unique VPN Rules Example	138
11.17 Logs	139
12. NetCAPI	141
12.1 NetCAPI Overview	141
12.2 CAPI	141
12.2.1 ISDN-DCP	141
12.3 Configuring NetCAPI	142
12.3.1 Configuring the ZyXEL Device as a NetCAPI Server	143
12.3.2 RVS-COM	143
12.3.3 Example of Installing a CAPI driver and Communication Software	144
13. Supplementary Phone Services	145
13.1 Overview	145
13.2 Setting Up Supplemental Phone Service	146
13.3 The Flash Key	146
13.4 Call Waiting	146
13.4.1 How to Use Call Waiting	146
13.4.1.1 Placing the Current Call on Hold	146
13.4.1.2 Dropping the Current Call to Switch to an Incoming/Holding Call	146
13.5 Three Way Calling	147
13.5.1 How to Use Three-Way Calling	147
13.5.1.1 To drop the last call added to the three-way call:	147
13.5.1.2 To drop yourself from the conference call:	147
13.6 Call Transfer	147
13.6.1 How to Use Call Transfer	147
13.6.2 To Do a Blind Transfer:	148
13.7 Call Forwarding	148
13.8 Reminder Ring	148
13.9 Multiple Subscriber Number (MSN)	149
13.10 Using MSN	149
13.11 Terminal Portability (Suspend/Resume)	149
13.11.1 How to Suspend/Resume a Phone Call:	149
13.11.1.1 To suspend an active phone call	149
13.11.1.2 To resume your phone call	149
14. Maintenance	151
14.1 Maintenance Overview	151
14.2 System Status	151
14.2.1 System Statistics	153
14.3 DHCP Table Screen	154
14.4 Firmware Screen	155
14.5 Budget Control	158
15. Introducing the SMT	159
15.1 SMT Introduction	159
15.2 Accessing the ZyXEL Device via Console Port	159
15.2.1 Initial Screen	159
15.2.2 Entering Password	159
15.3 Procedure for SMT Configuration via Telnet	160
15.4 SMT Menu Overview	160
15.5 Navigating the SMT Interface	162
15.5.1 System Management Terminal Interface Summary	163
15.6 Changing the System Password	164
16. Menu 1 General Setup	167
16.1 General Setup	167
16.2 Procedure To Configure Menu 1	167
16.2.1 Procedure to Configure Dynamic DNS	168
17. Menu 2 ISDN Setup	171
17.1 ISDN Setup Overview	171
17.1.1 Supplementary Voice Services	171
17.1.2 ISDN Call Waiting	171
17.1.3 PABX Outside Line Prefix	171
17.1.4 Outgoing Calling Party Number	172
17.2 ISDN Setup	172
17.2.1 ISDN Advanced Setup	174
17.2.2 Configuring Advanced Setup	175
17.3 NetCAPI	176
17.3.1 Configuring NetCAPI	176
18. Menu 3 Ethernet Setup	179
18.1 Ethernet Setup	179
18.1.1 General Ethernet Setup	179
18.2 Ethernet TCP/IP and DHCP Server	180
18.3 Configuring TCP/IP Ethernet Setup and DHCP	180
18.3.1 IP Alias Setup	181
19. Internet Access Setup	185
19.1 Introduction to Internet Access Setup	185
19.2 Internet Access Setup	185
20. Remote Node Configuration	187
20.1 Introduction to Remote Node Setup	187
20.1.1 Minimum Toll Period	187
20.2 Remote Node Profile Setup	187
20.3 Outgoing Authentication Protocol	190
20.4 PPP Multilink	191
20.5 Bandwidth on Demand	191
20.6 Editing PPP Options	192
20.7 LAN-to-LAN Application	193
20.8 Configuring Network Layer Options	194
20.9 Remote Node Filter	196
21. Static Route Setup	199
21.1 Static Route	199
21.2 IP Static Route Setup	199
22. Dial-in Setup	203
22.1 Dial-in Users Overview	203
22.2 Default Dial-in User Setup	203
22.2.1 CLID Callback Support For Dial-In Users	203
22.3 Setting Up Default Dial-in	204
22.3.1 Default Dial-in Filter	206
22.4 Callback Overview	206
22.5 Dial-In User Setup	207
22.6 Telecommuting Application With Windows Example	208
22.7 LAN-to-LAN Server Application Example	210
22.7.1 Configuring Callback in LAN-to-LAN Application	210
22.7.2 Configuring With CLID in LAN-to-LAN Application	212
23. Network Address Translation (NAT)	215
23.1 Using NAT	215
23.1.1 SUA (Single User Account) Versus NAT	215
23.2 Applying NAT	215
23.3 NAT Setup	217
23.3.1 Address Mapping Sets	217
23.3.1.1 User-Defined Address Mapping Sets	219
23.3.1.2 Ordering Your Rules	220
23.4 Configuring a Server behind NAT	221
23.5 General NAT Examples	223
23.5.1 Example 1: Internet Access Only	223
23.5.2 Example 2: Internet Access with an Inside Server	224
23.5.3 Example 3: Multiple Public IP Addresses With Inside Servers	224
23.5.4 Example 4: NAT Unfriendly Application Programs	228
24. Enabling the Firewall	231
24.1 Remote Management and the Firewall	231
24.2 Access Methods	231
24.3 Enabling the Firewall	231
24.3.1 Viewing the Firewall Log	232
24.3.2 Example E-mail Log	234
25. Filter Configuration	235
25.1 Introduction to Filters	235
25.1.1 The Filter Structure of the ZyXEL Device	236
25.2 Configuring a Filter Set	237
25.2.1 Filter Rules Summary Menus	240
25.2.2 Configuring a Filter Rule	241
25.2.3 Configuring a TCP/IP Filter Rule	241
25.2.4 Configuring a Generic Filter Rule	244
25.3 Example Filter	246
25.4 Filter Types and NAT	248
25.5 Firewall Versus Filters	249
25.6 Applying a Filter	249
25.6.1 Applying LAN Filters	249
25.6.2 Applying Remote Node Filters	250
26. SNMP Configuration	251
26.1 About SNMP	251
26.2 Supported MIBs	252
26.3 SNMP Configuration	252
26.4 SNMP Traps	253
27. System Security	255
27.1 System Security	255
27.2 System Password	255
27.3 RADIUS	255
27.4 Configuring External Server	256
28. System Information and Diagnosis	259
28.1 System Status	259
28.2 System Information and Console Port Speed	261
28.2.1 System Information	261
28.2.2 Console Port Speed	262
28.3 Log and Trace	263
28.3.1 Viewing Error Log	263
28.3.2 Unix Syslog	264
28.3.2.1 CDR	265
28.3.2.2 Packet triggered	266
28.3.2.3 Filter log	266
28.3.2.4 PPP log	267
28.3.2.5 POTS log	267
28.3.3 Accounting Server	267
28.3.4 Call-Triggering Packet	268
28.4 Diagnostic	269
29. Firmware and Configuration File Maintenance	271
29.1 Filename Conventions	271
29.2 Backup Configuration	272
29.2.1 Backup Configuration	272
29.2.2 Using the FTP Command from the Command Line	273
29.2.3 Example of FTP Commands from the Command Line	273
29.2.4 GUI-based FTP Clients	274
29.2.5 Remote Management Limitations	274
29.2.6 Backup Configuration Using TFTP	274
29.2.7 TFTP Command Example	275
29.2.8 GUI-based TFTP Clients	275
29.2.9 Backup Via Console Port	276
29.3 Restore Configuration	277
29.3.1 Restore Using FTP	277
29.3.2 Restore Using FTP Session Example	278
29.3.3 Restore Via Console Port	278
29.4 Uploading Firmware and Configuration Files	279
29.4.1 Firmware File Upload	279
29.4.2 Configuration File Upload	280
29.4.3 FTP File Upload Command from the DOS Prompt Example	281
29.4.4 FTP Session Example of Firmware File Upload	281
29.4.5 TFTP File Upload	281
29.4.6 TFTP Upload Command Example	282
29.4.7 Uploading Via Console Port	282
29.4.8 Uploading Firmware File Via Console Port	282
29.4.9 Example Xmodem Firmware Upload Using HyperTerminal	283
29.4.10 Uploading Configuration File Via Console Port	283
29.4.11 Example Xmodem Configuration Upload Using HyperTerminal	284
30. System Maintenance	285
30.1 Command Interpreter Mode	285
30.1.1 Command Syntax	285
30.1.2 Command Usage	286
30.2 Call Control Support	286
30.2.1 Call Control Parameters	287
30.2.2 Black List	287
30.2.3 Budget Management	288
30.2.4 Call History	289
30.3 Time and Date Setting	290
30.3.1 Resetting the Time	291
31. Remote Management	293
31.1 Remote Management	293
31.1.1 Remote Management Limitations	294
31.2 Remote Management and NAT	294
31.3 System Timeout	295
32. Call Scheduling	297
32.1 Introduction to Call Scheduling	297
33. VPN/IPSec Setup	301
33.1 VPN/IPSec Overview	301
33.2 IPSec Summary Screen	302
33.3 IPSec Setup	304
33.4 IKE Setup	307
33.5 Manual Setup	309
33.5.1 Active Protocol	309
34. SA Monitor	313
34.1 SA Monitor Overview	313
34.2 Using SA Monitor	313
35. IPSec Log	315
35.1 IPSec Logs	315
36. Troubleshooting	319
36.1 Problems Starting Up the ZyXEL Device	319
36.2 Problems with the LAN	319
36.3 Problems with the ISDN Line	320
36.4 Problems with Remote User Dial-in	320
36.5 Problems Accessing the ZyXEL Device	321
A. Product Specifications	323
B. Wall-mounting Instructions	325
C. Log Descriptions	327
D. Setting up Your Computer’s IP Address	339
36.5.1 Verifying Settings	354
E. IP Addresses and Subnetting	355
F. Pop-up Windows, JavaScripts and Java Permissions	363
Index	371
A	371
B	371
C	371
D	371
E	372
F	372
G	372
H	372
I	372
K	373
L	373
M	373
N	373
O	373
P	373
Q	374
R	374
S	374
T	375
U	375
V	375
W	375
X	375

Match case Limit results 1 per page

P-202H Plus v2 User’s Guide

Chapter 8 Firewalls

•

Information hiding prevents the names of internal systems from being made known via

DNS to outside systems, since the application gateway is the only host whose name must

be made known to outside systems.

•

Robust authentication and logging pre-authenticates application traffic before it reaches

internal hosts and causes it to be logged more effectively than if it were logged with

standard host logging. Filtering rules at the packet filtering router can be less complex

than they would be if the router needed to filter application traffic and direct it to a

number of specific systems. The router need only allow application traffic destined for

the application gateway and reject the rest.

8.2.3

Stateful Inspection Firewalls

Stateful inspection firewalls restrict access by screening data packets against defined access

rules. They make access control decisions based on IP address and protocol. They also

"inspect" the session data to assure the integrity of the connection and to adapt to dynamic

protocols. These firewalls generally provide the best speed and transparency, however, they

may lack the granular application level access control or caching that some proxies support.

See

Section 8.5 on page 82

for more information on stateful inspection.

Firewalls, of one type or another, have become an integral part of standard security solutions

for enterprises.

8.3

Introduction to ZyXEL’s Firewall

The ZyXEL Device firewall is a stateful inspection firewall and is designed to protect against

Denial of Service attacks when activated (in SMT menu 21.2 or in the web configurator). The

ZyXEL Device's purpose is to allow a private Local Area Network (LAN) to be securely

connected to the Internet. The ZyXEL Device can be used to prevent theft, destruction and

modification of data, as well as log events, which may be important to the security of your

network. The ZyXEL Device also has packet filtering capabilities.

The ZyXEL Device is installed between the LAN and the Internet. This allows it to act as a

secure gateway for all data passing between the Internet and the LAN.

The ZyXEL Device has one ISDN port and four Ethernet LAN ports, which physically

separate the network into two areas.

•

The ISDN port connects to the Internet.

•

The LAN (Local Area Network) port attaches to a network of computers, which needs

security from the outside world. These computers will have access to Internet services

such as e-mail, FTP, and the World Wide Web.

However, “inbound access” will not be

allowed unless you configure remote management or create a firewall rule to allow a

remote host to use a specific service.