Home » ZyXEL Manuals » Networking » ZyXEL P-2802HW-I1 » Manual Viewer

ZyXEL P-2802HW-I1 User Guide - Page 156

General Firewall Policy Overview

Get ZyXEL P-2802HW-I1 PDF manuals and user guides

Add to My Manuals
Save this manual to your list of manuals

Page 156 highlights

Chapter 11 Firewalls • allows traffic that originates from your LAN computers to go to all of the networks. • blocks traffic that originates on the other networks from going to the LAN. Your customized rules take precedence and override the ZyXEL Device's default settings. The ZyXEL Device checks the source IP address, destination IP address and IP protocol type of network traffic against the firewall rules (in the order you list them). When the traffic matches a rule, the ZyXEL Device takes the action specified in the rule. 11.1.3 Guidelines For Enhancing Security With Your Firewall 1 Change the default password via web configurator. 2 Think about access control before you connect to the network in any way. 3 Limit who can access your router. 4 Don't enable any local service (such as telnet or FTP) that you don't use. Any enabled service could present a potential security risk. A determined hacker might be able to find creative ways to misuse the enabled services to access the firewall or the network. 5 For local services that are enabled, protect against misuse. Protect by configuring the services to communicate only with specific peers, and protect by configuring rules to block packets for the services at specific interfaces. 6 Protect against IP spoofing by making sure the firewall is active. 7 Keep the firewall in a secured (locked) room. 11.2 General Firewall Policy Overview Firewall rules are grouped based on the direction of travel of packets to which they apply. • LAN to LAN/ Router • LAN to WAN • WAN to LAN • WAN to WAN/ Router " The LAN includes both the LAN port and the WLAN. By default, the ZyXEL Device's stateful packet inspection allows packets traveling in the following directions: • LAN to LAN/ Router These rules specify which computers on the LAN can manage the ZyXEL Device (remote management) and communicate between networks or subnets connected to the LAN interface (IP alias). " You can also configure the remote management settings to allow only a specific computer to manage the ZyXEL Device. 156 P-2802H(W)(L)-I Series User's Guide

Section	Page
User's Guide	1
About This User's Guide	3
Document Conventions	4
Safety Warnings	6
Contents Overview	9
Table of Contents	11
List of Figures	21
List of Tables	27
Introduction	33
Introducing the ZyXEL Device	35
1.1 Overview	35
1.2 Ways to Manage the ZyXEL Device	36
1.3 Good Habits for Managing the ZyXEL Device	37
1.4 Applications for the ZyXEL Device	37
1.4.1 Secure Internet Access	37
1.4.2 Wireless LAN Application	38
1.4.3 Making Calls via Internet Telephony Service Provider	38
1.4.4 Making Peer-to-peer Calls	39
1.5 LEDs	40
1.6 The RESET Button	41
1.6.1 Using The Reset Button	41
Introducing the Web Configurator	43
2.1 Web Configurator Overview	43
2.1.1 Accessing the Web Configurator	43
2.2 Web Configurator Main Screen	46
2.2.1 Title Bar	46
2.2.2 Navigation Panel	47
2.2.3 Main Window	49
2.2.4 Status Bar	49
Wizard	51
Internet and Wireless Setup Wizard	53
3.1 Introduction	53
3.2 Internet Access Wizard Setup	53
3.3 Wireless Connection Wizard Setup	58
3.3.1 Manually Assign a WPA-PSK key	61
3.3.2 Manually Assign a WEP Key	61
VoIP Wizard And Example	65
4.1 Introduction	65
4.2 VoIP Wizard Setup	65
Advanced	71
Status Screens	73
5.1 Status Screen	73
5.2 Any IP Table	76
5.3 WLAN Status (“W” models only)	77
5.4 Packet Statistics	77
5.5 VoIP Statistics	79
WAN Setup	83
6.1 WAN Overview	83
6.1.1 PPP over Ethernet	83
6.1.2 IP Address Assignment	83
6.1.3 Nailed-Up Connection (PPP)	84
6.2 Internet Access Setup	84
6.2.1 Advanced Internet Access Setup	86
6.3 WAN Interface Setup	87
LAN Setup	89
7.1 LAN Overview	89
7.1.1 LANs, WANs and the ZyXEL Device	89
7.1.2 DHCP Setup	90
7.2 DNS Server Addresses	90
7.3 LAN TCP/IP	90
7.3.1 IP Address and Subnet Mask	91
7.3.2 RIP Setup	92
7.3.3 Multicast	92
7.3.4 Any IP	93
7.4 Configuring LAN IP	94
7.4.1 Configuring Advanced LAN Setup	95
7.5 DHCP Setup	96
7.6 LAN Client List	97
7.7 LAN IP Alias	99
Wireless LAN	101
8.1 Wireless Network Overview	101
8.2 Wireless Security Overview	102
8.2.1 SSID	102
8.2.2 MAC Address Filter	102
8.2.3 User Authentication	102
8.2.4 Encryption	103
8.2.5 One-Touch Intelligent Security Technology (OTIST)	104
8.3 Additional Wireless Terms	104
8.4 General WLAN Screen	104
8.4.1 No Security	105
8.4.2 WEP Encryption Screen	106
8.4.3 WPA(2)-PSK	107
8.4.4 WPA(2) Authentication Screen	109
8.4.5 Wireless LAN Advanced Setup	110
8.5 OTIST Screen	111
8.5.1 Notes on OTIST	113
8.6 MAC Filter	114
Network Address Translation (NAT) Screens	117
9.1 NAT General Overview	117
9.1.1 NAT Definitions	117
9.1.2 What NAT Does	118
9.1.3 How NAT Works	118
9.1.4 NAT Application	118
9.1.5 NAT Mapping Types	119
9.2 SUA (Single User Account) Versus NAT	120
9.3 NAT General Setup	120
9.4 Port Forwarding	121
9.4.1 Default Server IP Address	122
9.4.2 Port Forwarding: Services and Port Numbers	122
9.4.3 Configuring Servers Behind Port Forwarding (Example)	122
9.5 Configuring Port Forwarding	123
9.5.1 Port Forwarding Rule Edit	124
9.6 Address Mapping	125
9.6.1 Address Mapping Rule Edit	126
9.6.2 SIP ALG	128
Voice	129
10.1 Introduction to VoIP	129
10.2 SIP	129
10.2.1 SIP Identities	129
10.2.2 SIP Call Progression	130
10.2.3 SIP Servers	130
10.2.4 RTP	132
10.2.5 Pulse Code Modulation	132
10.2.6 Voice Coding	132
10.2.7 PSTN Call Setup Signaling	133
10.2.8 MWI (Message Waiting Indication)	133
10.2.9 Custom Tones (IVR)	133
10.3 Quality of Service (QoS)	134
10.3.1 Type of Service (ToS)	134
10.3.2 DiffServ	134
10.3.3 VLAN Tagging	135
10.4 SIP Settings Screen	135
10.5 Advanced SIP Setup Screen	137
10.6 SIP QoS Screen	141
10.7 Phone	141
10.7.1 Voice Activity Detection/Silence Suppression	141
10.7.2 Comfort Noise Generation	142
10.7.3 Echo Cancellation	142
10.8 Analog Phone Screen	142
10.9 Advanced Analog Phone Setup Screen	143
10.10 Common Phone Settings Screen	144
10.11 Phone Services Overview	145
10.11.1 The Flash Key	145
10.11.2 Europe Type Supplementary Phone Services	145
10.11.3 USA Type Supplementary Services	147
10.12 Phone Region Screen	148
10.13 Speed Dial	148
10.14 Incoming Call Policy Screen	150
10.15 PSTN Line (“L” models only)	152
10.16 PSTN Line Screen (“L” models only)	152
Firewalls	155
11.1 Firewall Overview	155
11.1.1 Stateful Inspection Firewall	155
11.1.2 About the ZyXEL Device Firewall	155
11.1.3 Guidelines For Enhancing Security With Your Firewall	156
11.2 General Firewall Policy Overview	156
11.3 Security Considerations	158
11.4 Triangle Route	158
11.4.1 The “Triangle Route” Problem	158
11.4.2 Solving the “Triangle Route” Problem	159
11.5 General Firewall Policy	160
11.6 Firewall Rules Summary	161
11.6.1 Configuring Firewall Rules	163
11.6.2 Customized Services	166
11.6.3 Configuring A Customized Service	166
11.7 Example Firewall Rule	167
11.8 Firewall Thresholds	171
11.8.1 Threshold Values	172
11.8.2 Configuring Firewall Thresholds	172
Content Filtering	175
12.1 Content Filtering Overview	175
12.2 Configuring Keyword Blocking	175
12.3 Configuring the Schedule	176
12.4 Configuring Trusted Computers	177
Introduction to IPSec	179
13.1 VPN Overview	179
13.1.1 IPSec	179
13.1.2 Security Association	179
13.1.3 Other Terminology	179
13.1.4 VPN Applications	180
13.2 IPSec Architecture	180
13.2.1 IPSec Algorithms	181
13.2.2 Key Management	181
13.3 Encapsulation	181
13.3.1 Transport Mode	182
13.3.2 Tunnel Mode	182
13.4 IPSec and NAT	182
VPN Screens	185
14.1 VPN/IPSec Overview	185
14.2 IPSec Algorithms	185
14.2.1 AH (Authentication Header) Protocol	185
14.2.2 ESP (Encapsulating Security Payload) Protocol	185
14.3 My IP Address	186
14.4 Secure Gateway Address	186
14.4.1 Dynamic Secure Gateway Address	187
14.5 VPN Setup Screen	187
14.6 Keep Alive	189
14.7 VPN, NAT, and NAT Traversal	189
14.8 Remote DNS Server	190
14.9 ID Type and Content	191
14.9.1 ID Type and Content Examples	192
14.10 Pre-Shared Key	193
14.11 Editing VPN Policies	193
14.12 IKE Phases	198
14.12.1 Negotiation Mode	199
14.12.2 Diffie-Hellman (DH) Key Groups	199
14.12.3 Perfect Forward Secrecy (PFS)	200
14.13 Configuring Advanced IKE Settings	200
14.14 Manual Key Setup	202
14.14.1 Security Parameter Index (SPI)	202
14.15 Configuring Manual Key	203
14.16 Viewing SA Monitor	205
14.17 Configuring Global Setting	207
14.18 Telecommuter VPN/IPSec Examples	207
14.18.1 Telecommuters Sharing One VPN Rule Example	207
14.18.2 Telecommuters Using Unique VPN Rules Example	208
14.19 VPN and Remote Management	210
Certificates	211
15.1 Certificates Overview	211
15.1.1 Advantages of Certificates	212
15.2 Self-signed Certificates	212
15.3 Configuration Summary	212
15.4 My Certificates	212
15.5 My Certificate Import	214
15.5.1 Certificate File Formats	215
15.6 My Certificate Create	216
15.7 My Certificate Details	218
15.8 Trusted CAs	221
15.9 Trusted CA Import	223
15.10 Trusted CA Details	224
15.11 Trusted Remote Hosts	226
15.12 Verifying a Trusted Remote Host’s Certificate	228
15.12.1 Trusted Remote Host Certificate Fingerprints	228
15.13 Trusted Remote Hosts Import	229
15.14 Trusted Remote Host Certificate Details	229
15.15 Directory Servers	232
15.16 Directory Server Add and Edit	233
Static Route	235
16.1 Static Route	235
16.2 Configuring Static Route	235
16.2.1 Static Route Edit	236
Quality of Service (QoS)	239
17.1 QoS Overview	239
17.1.1 IEEE 802.1Q Tag	239
17.1.2 IP Precedence	240
17.1.3 DiffServ	240
17.1.4 Automatical Priority Queue Assignment	241
17.2 Configuring QoS General Screen	241
17.3 Class Setup	242
17.3.1 Class Configuration	243
17.3.2 QoS Example	246
17.4 QoS Monitor	248
Dynamic DNS Setup	251
18.1 Dynamic DNS Overview	251
18.1.1 DYNDNS Wildcard	251
18.2 Configuring Dynamic DNS	251
Remote Management Configuration	255
19.1 Remote Management Overview	255
19.1.1 Remote Management Limitations	256
19.1.2 Remote Management and NAT	256
19.1.3 System Timeout	256
19.2 WWW (HTTP and HTTPS)	257
19.3 WWW	258
19.4 HTTPS Example	259
19.4.1 Internet Explorer Warning Messages	259
19.4.2 Netscape Navigator Warning Messages	260
19.4.3 Avoiding the Browser Warning Messages	260
19.4.4 Login Screen	261
19.5 Telnet	263
19.6 Configuring Telnet	263
19.7 Configuring FTP	264
19.8 SNMP	265
19.8.1 Supported MIBs	266
19.8.2 SNMP Traps	267
19.8.3 Configuring SNMP	267
19.9 Configuring DNS	268
19.10 Configuring ICMP	269
Universal Plug-and-Play (UPnP)	271
20.1 Introducing Universal Plug and Play	271
20.1.1 How do I know if I'm using UPnP?	271
20.1.2 NAT Traversal	271
20.1.3 Cautions with UPnP	271
20.2 UPnP and ZyXEL	272
20.2.1 Configuring UPnP	272
20.3 Installing UPnP in Windows Example	273
20.4 Using UPnP in Windows XP Example	276
Maintenance, Troubleshooting and Specifications	283
System	285
21.1 General Setup and System Name	285
21.1.1 General Setup	285
21.2 Time Setting	287
Logs	289
22.1 Logs Overview	289
22.1.1 Alerts and Logs	289
22.2 Viewing the Logs	289
22.3 Configuring Log Settings	290
22.4 SMTP Error Messages	292
22.4.1 Example E-mail Log	293
22.5 Log Descriptions	294
Tools	303
23.1 Introduction	303
23.2 Filename Conventions	303
23.3 File Maintenance Over WAN	304
23.4 Firmware Upgrade Screen	305
23.5 Backup and Restore	306
23.5.1 Backup Configuration	307
23.5.2 Restore Configuration	307
23.5.3 Reset to Factory Defaults	308
23.6 Restart	309
23.7 Using FTP or TFTP to Back Up Configuration	309
23.7.1 Using the FTP Commands to Back Up Configuration	309
23.7.2 FTP Command Configuration Backup Example	310
23.7.3 Configuration Backup Using GUI-based FTP Clients	310
23.7.4 Backup Configuration Using TFTP	310
23.7.5 TFTP Command Configuration Backup Example	311
23.7.6 Configuration Backup Using GUI-based TFTP Clients	311
23.8 Using FTP or TFTP to Restore Configuration	312
23.8.1 Restore Using FTP Session Example	312
23.9 FTP and TFTP Firmware and Configuration File Uploads	312
23.9.1 FTP File Upload Command from the DOS Prompt Example	313
23.9.2 FTP Session Example of Firmware File Upload	313
23.9.3 TFTP File Upload	313
23.9.4 TFTP Upload Command Example	314
Diagnostic	315
24.1 General Diagnostic	315
24.2 DSL Line Diagnostic	315
Troubleshooting	317
25.1 Power, Hardware Connections, and LEDs	317
25.2 ZyXEL Device Access and Login	318
25.3 Internet Access	320
25.4 Phone Calls and VoIP	321
25.5 Problems With Multiple SIP Accounts	322
25.5.1 Outgoing Calls	322
25.5.2 Incoming Calls	323
Product Specifications	325
Appendices and Index	335
Setting up Your Computer’s IP Address	337
Pop-up Windows, JavaScripts and Java Permissions	349
IP Addresses and Subnetting	355
Wireless LANs	363
Services	373
Internal SPTGEN	377
Legal Information	401
Customer Support	405

Match case Limit results 1 per page

Chapter 11 Firewalls

P-2802H(W)(L)-I Series User’s Guide

156

•

allows traffic that originates from your LAN computers to go to all of the networks.

•

blocks traffic that originates on the other networks from going to the LAN.

Your customized rules take precedence and override the ZyXEL Device’s default settings. The

ZyXEL Device checks the source IP address, destination IP address and IP protocol type of

network traffic against the firewall rules (in the order you list them). When the traffic matches

a rule, the ZyXEL Device takes the action specified in the rule.

11.1.3

Guidelines For Enhancing Security With Your Firewall

Change the default password via web configurator.

Think about access control before you connect to the network in any way.

Limit who can access your router.

Don't enable any local service (such as telnet or FTP) that you don't use. Any enabled

service could present a potential security risk. A determined hacker might be able to find

creative ways to misuse the enabled services to access the firewall or the network.

For local services that are enabled, protect against misuse. Protect by configuring the

services to communicate only with specific peers, and protect by configuring rules to

block packets for the services at specific interfaces.

Protect against IP spoofing by making sure the firewall is active.

Keep the firewall in a secured (locked) room.

11.2

General Firewall Policy Overview

Firewall rules are grouped based on the direction of travel of packets to which they apply.

The LAN includes both the LAN port and the WLAN.

By default, the ZyXEL Device’s stateful packet inspection allows packets traveling in the

following directions:

•

LAN to LAN/ Router

These rules specify which computers on the LAN can manage the ZyXEL Device (remote

management) and communicate between networks or subnets connected to the LAN

interface (IP alias).

You can also configure the remote management settings to allow only a

specific computer to manage the ZyXEL Device.

•

LAN to LAN/ Router

•

WAN to LAN

•

LAN to WAN

•

WAN to WAN/ Router