Home » ZyXEL Manuals » Networking » ZyXEL P-662HW-61 » Manual Viewer

ZyXEL P-662HW-61 User Guide - Page 158

Introduction to ZyXEL's Firewall

Get ZyXEL P-662HW-61 PDF manuals and user guides

Add to My Manuals
Save this manual to your list of manuals

Page 158 highlights

Chapter 10 Firewalls 10.2.2 Application-level Firewalls Application-level firewalls restrict access by serving as proxies for external servers. Since they use programs written for specific Internet services, such as HTTP, FTP and telnet, they can evaluate network packets for valid application-specific data. Application-level gateways have a number of general advantages over the default mode of permitting application traffic directly to internal hosts: Information hiding prevents the names of internal systems from being made known via DNS to outside systems, since the application gateway is the only host whose name must be made known to outside systems. Robust authentication and logging pre-authenticates application traffic before it reaches internal hosts and causes it to be logged more effectively than if it were logged with standard host logging. Filtering rules at the packet filtering router can be less complex than they would be if the router needed to filter application traffic and direct it to a number of specific systems. The router need only allow application traffic destined for the application gateway and reject the rest. 10.2.3 Stateful Inspection Firewalls Stateful inspection firewalls restrict access by screening data packets against defined access rules. They make access control decisions based on IP address and protocol. They also "inspect" the session data to assure the integrity of the connection and to adapt to dynamic protocols. These firewalls generally provide the best speed and transparency, however, they may lack the granular application level access control or caching that some proxies support. See Section 10.5 on page 162 for more information on stateful inspection. Firewalls, of one type or another, have become an integral part of standard security solutions for enterprises. 10.3 Introduction to ZyXEL's Firewall The ZyXEL Device firewall is a stateful inspection firewall and is designed to protect against Denial of Service attacks when activated. The ZyXEL Device's purpose is to allow a private Local Area Network (LAN) to be securely connected to the Internet. The ZyXEL Device can be used to prevent theft, destruction and modification of data, as well as log events, which may be important to the security of your network. The ZyXEL Device also has packet filtering capabilities. The ZyXEL Device is installed between the LAN and the Internet. This allows it to act as a secure gateway for all data passing between the Internet and the LAN. The ZyXEL Device has one DSL/ISDN port and one Ethernet LAN port, which physically separate the network into two areas. • The DSL/ISDN port connects to the Internet. • The LAN (Local Area Network) port attaches to a network of computers, which needs security from the outside world. These computers will have access to Internet services such as e-mail, FTP, and the World Wide Web. However, "inbound access" will not be allowed unless you configure remote management or create a firewall rule to allow a remote host to use a specific service. 158 P-662H/HW-D Series User's Guide

Section	Page
User’s Guide	1
About This User's Guide	3
Document Conventions	4
Safety Warnings	6
Contents Overview	9
Table of Contents	11
List of Figures	23
List of Tables	31
Introduction and Wizards	37
Getting To Know Your ZyXEL Device	39
1.1 Introducing the ZyXEL Device	39
1.1.1 Applications of the ZyXEL Device	39
1.1.2 Firewall for Secure Broadband Internet Access	40
1.1.3 Front Panel LEDs	41
Introducing the Web Configurator	43
2.1 Web Configurator Overview	43
2.2 Accessing the Web Configurator	43
2.3 Resetting the ZyXEL Device	46
2.3.1 Using the Reset Button	46
2.4 Navigating the Web Configurator	47
2.4.1 Navigation Panel	47
2.4.2 Status Screen	50
2.4.3 Status: Any IP Table	53
2.4.4 Status: WLAN Status	53
2.4.5 Status: Bandwidth Status	54
2.4.6 Status: VPN Status	54
2.4.7 Status: Packet Statistics	55
2.4.8 Changing Login Password	57
Wizard Setup for Internet Access	59
3.1 Introduction	59
3.2 Internet Access Wizard Setup	59
3.2.1 Automatic Detection	61
3.2.2 Manual Configuration	61
3.3 Wireless Connection Wizard Setup	66
3.3.1 Automatically assign a WPA key	69
3.3.2 Manually assign a WPA-PSK key	69
3.3.3 Manually assign a WEP key	69
Bandwidth Management Wizard	73
4.1 Introduction	73
4.2 Predefined Media Bandwidth Management Services	73
4.3 Bandwidth Management Wizard Setup	74
Network	79
WAN Setup	81
5.1 WAN Overview	81
5.1.1 Encapsulation	81
5.1.2 Multiplexing	82
5.1.3 VPI and VCI	82
5.1.4 IP Address Assignment	82
5.1.5 Nailed-Up Connection (PPP)	83
5.1.6 NAT	83
5.2 Metric	83
5.3 Traffic Shaping	84
5.3.1 ATM Traffic Classes	85
5.4 Zero Configuration Internet Access	85
5.5 Internet Connection	86
5.5.1 Configuring Advanced Internet Connection	87
5.6 Configuring More Connections	89
5.6.1 More Connections Edit	90
5.6.2 Configuring More Connections Advanced Setup	92
5.7 Traffic Redirect	94
5.8 Configuring WAN Backup	94
5.9 WAN Backup Advanced Screen	96
5.10 Dial Backup Modem Setup	99
LAN Setup	101
6.1 LAN Overview	101
6.1.1 LANs, WANs and the ZyXEL Device	101
6.1.2 DHCP Setup	102
6.1.3 DNS Server Address	102
6.1.4 DNS Server Address Assignment	102
6.2 LAN TCP/IP	103
6.2.1 IP Address and Subnet Mask	103
6.2.2 RIP Setup	104
6.2.3 Multicast	104
6.2.4 Any IP	105
6.3 Configuring LAN IP	106
6.3.1 Configuring Advanced LAN Setup	107
6.4 DHCP Setup	108
6.5 LAN Client List	109
6.6 LAN IP Alias	110
Wireless LAN	113
7.1 Wireless Network Overview	113
7.2 Wireless Security Overview	114
7.2.1 SSID	114
7.2.2 MAC Address Filter	114
7.2.3 User Authentication	114
7.2.4 Encryption	115
7.2.5 One-Touch Intelligent Security Technology (OTIST)	116
7.3 Wireless Performance Overview	116
7.3.1 Quality of Service (QoS)	116
7.4 Additional Wireless Terms	116
7.5 General Wireless LAN Screen	117
7.5.1 No Security	118
7.5.2 WEP Encryption Screen	119
7.5.3 WPA(2)-PSK	120
7.5.4 WPA(2) Authentication Screen	122
7.5.5 Wireless LAN Advanced Setup	124
7.6 OTIST	125
7.6.1 Enabling OTIST	125
7.6.2 Starting OTIST	127
7.6.3 Notes on OTIST	128
7.7 MAC Filter	129
7.8 WMM QoS	130
7.8.1 WMM QoS Example	130
7.8.2 WMM QoS Priorities	130
7.8.3 Services	131
7.9 QoS Screen	131
7.9.1 ToS (Type of Service) and WMM QoS	131
7.9.2 Application Priority Configuration	132
7.10 Multiple SSID (P-662HW-D Models only)	133
7.10.1 Multiple SSID Commands	134
7.10.2 Multiple SSID Example	135
DMZ	137
8.1 Introduction	137
8.2 Configuring DMZ	137
8.3 DMZ Public IP Address Example	139
Network Address Translation (NAT) Screens	141
9.1 NAT Overview	141
9.1.1 NAT Definitions	141
9.1.2 What NAT Does	142
9.1.3 How NAT Works	142
9.1.4 NAT Application	142
9.1.5 NAT Mapping Types	143
9.2 SUA (Single User Account) Versus NAT	144
9.3 NAT General Setup	144
9.4 Port Forwarding	145
9.4.1 Default Server IP Address	146
9.4.2 Port Forwarding: Services and Port Numbers	146
9.4.3 Configuring Servers Behind Port Forwarding (Example)	146
9.5 Configuring Port Forwarding	147
9.5.1 Port Forwarding Rule Edit	148
9.6 Address Mapping	149
9.6.1 Address Mapping Rule Edit	150
9.7 Trigger Port	151
9.8 Edit Trigger Port	153
Security	155
Firewalls	157
10.1 Firewall Overview	157
10.2 Types of Firewalls	157
10.2.1 Packet Filtering Firewalls	157
10.2.2 Application-level Firewalls	158
10.2.3 Stateful Inspection Firewalls	158
10.3 Introduction to ZyXEL’s Firewall	158
10.3.1 Denial of Service Attacks	159
10.4 Denial of Service	159
10.4.1 Basics	159
10.4.2 Types of DoS Attacks	160
10.5 Stateful Inspection	162
10.5.1 Stateful Inspection Process	163
10.5.2 Stateful Inspection and the ZyXEL Device	164
10.5.3 TCP Security	164
10.5.4 UDP/ICMP Security	165
10.5.5 Upper Layer Protocols	165
10.6 Guidelines for Enhancing Security with Your Firewall	166
10.6.1 Security In General	166
10.7 Packet Filtering Vs Firewall	167
10.7.1 Packet Filtering:	167
10.7.2 Firewall	167
Firewall Configuration	169
11.1 Access Methods	169
11.2 Firewall Policies Overview	169
11.3 Rule Logic Overview	170
11.3.1 Security Ramifications	170
11.3.2 Key Fields For Configuring Rules	171
11.4 Connection Direction	171
11.4.1 LAN to WAN Rules	172
11.4.2 Alerts	172
11.5 General Firewall Policy	172
11.6 Firewall Rules Summary	173
11.6.1 Configuring Firewall Rules	175
11.6.2 Customized Services	178
11.6.3 Configuring A Customized Service	178
11.7 Example Firewall Rule	179
11.8 Predefined Services	183
11.9 Anti-Probing	185
11.10 DoS Thresholds	186
11.10.1 Threshold Values	186
11.10.2 Half-Open Sessions	187
11.10.3 Configuring Firewall Thresholds	187
Content Filtering	191
12.1 Content Filtering Overview	191
12.2 Configuring Keyword Blocking	191
12.3 Configuring the Schedule	192
12.4 Configuring Trusted Computers	193
Content Access Control	195
13.1 Content Access Control Overview	195
13.1.1 Content Access Control WLAN Application	195
13.1.2 Configuration Steps	195
13.2 Activating CAC and Creating User Groups	196
13.2.1 Configuring Time Schedule	197
13.2.2 Configuring Services	198
13.2.3 Configuring Web Site Filters	200
13.2.4 Testing Web Site Access Privileges	205
13.3 User Account Setup	206
13.4 User Online Status	207
13.5 Trusted Devices	208
13.6 Trusted-external Websites	208
13.7 Content Access Control Logins	209
13.7.1 User Login	209
13.7.2 Administrator Login	210
Register	211
14.1 myZyXEL.com overview	211
14.1.1 Subscription Services Available on the ZyXEL Device	211
14.2 Registration	212
14.3 Service	213
Introduction to IPSec	215
15.1 VPN Overview	215
15.1.1 IPSec	215
15.1.2 Security Association	215
15.1.3 Other Terminology	215
15.1.4 VPN Applications	216
15.2 IPSec Architecture	216
15.2.1 IPSec Algorithms	217
15.2.2 Key Management	217
15.3 Encapsulation	217
15.3.1 Transport Mode	218
15.3.2 Tunnel Mode	218
15.4 IPSec and NAT	218
VPN Screens	221
16.1 VPN/IPSec Overview	221
16.2 IPSec Algorithms	221
16.2.1 AH (Authentication Header) Protocol	221
16.2.2 ESP (Encapsulating Security Payload) Protocol	221
16.3 My IP Address	222
16.4 Secure Gateway Address	222
16.4.1 Dynamic Secure Gateway Address	223
16.5 VPN Setup Screen	223
16.6 Keep Alive	225
16.7 VPN, NAT, and NAT Traversal	225
16.8 Remote DNS Server	226
16.9 ID Type and Content	227
16.9.1 ID Type and Content Examples	228
16.10 Pre-Shared Key	229
16.11 Editing VPN Policies	229
16.12 IKE Phases	233
16.12.1 Negotiation Mode	234
16.12.2 Diffie-Hellman (DH) Key Groups	235
16.12.3 Perfect Forward Secrecy (PFS)	235
16.13 Configuring Advanced IKE Settings	235
16.14 Manual Key Setup	238
16.14.1 Security Parameter Index (SPI)	238
16.15 Configuring Manual Key	238
16.16 Viewing SA Monitor	241
16.17 Configuring Global Setting	242
16.18 Telecommuter VPN/IPSec Examples	243
16.18.1 Telecommuters Sharing One VPN Rule Example	243
16.18.2 Telecommuters Using Unique VPN Rules Example	244
16.19 VPN and Remote Management	245
Certificates	247
17.1 Certificates Overview	247
17.1.1 Advantages of Certificates	248
17.2 Self-signed Certificates	248
17.3 Configuration Summary	248
17.4 My Certificates	248
17.5 My Certificate Import	250
17.5.1 Certificate File Formats	251
17.6 My Certificate Create	252
17.7 My Certificate Details	254
17.8 Trusted CAs	257
17.9 Trusted CA Import	259
17.10 Trusted CA Details	260
17.11 Trusted Remote Hosts	262
17.12 Verifying a Trusted Remote Host’s Certificate	264
17.12.1 Trusted Remote Host Certificate Fingerprints	264
17.13 Trusted Remote Hosts Import	265
17.14 Trusted Remote Host Certificate Details	265
17.15 Directory Servers	268
17.16 Directory Server Add or Edit	269
Advanced	271
Static Route	273
18.1 Static Route Overview	273
18.2 Configuring Static Routes	274
18.2.1 Static Route Edit	275
Bandwidth Management	277
19.1 Bandwidth Management Overview	277
19.2 Application-based Bandwidth Management	277
19.3 Subnet-based Bandwidth Management	277
19.4 Application and Subnet-based Bandwidth Management	278
19.5 Scheduler	278
19.5.1 Priority-based Scheduler	278
19.5.2 Fairness-based Scheduler	279
19.6 Maximize Bandwidth Usage	279
19.6.1 Reserving Bandwidth for Non-Bandwidth Class Traffic	279
19.6.2 Maximize Bandwidth Usage Example	279
19.6.3 Bandwidth Management Priorities	281
19.7 Configuring Summary	281
19.8 Bandwidth Management Rule Setup	282
19.8.1 Rule Configuration	283
19.9 Bandwidth Monitor	286
Dynamic DNS Setup	287
20.1 Dynamic DNS Overview	287
20.1.1 DYNDNS Wildcard	287
20.2 Configuring Dynamic DNS	287
Remote Management Configuration	291
21.1 Remote Management Overview	291
21.1.1 Remote Management Limitations	292
21.1.2 Remote Management and NAT	292
21.1.3 System Timeout	292
21.2 WWW	292
21.3 Telnet	294
21.4 Configuring Telnet	294
21.5 Configuring FTP	295
21.6 SNMP	296
21.6.1 Supported MIBs	297
21.6.2 SNMP Traps	297
21.6.3 Configuring SNMP	297
21.7 Configuring DNS	299
21.8 Configuring ICMP	299
21.9 TR-069	300
Universal Plug-and-Play (UPnP)	303
22.1 Introducing Universal Plug and Play	303
22.1.1 How do I know if I'm using UPnP?	303
22.1.2 NAT Traversal	303
22.1.3 Cautions with UPnP	303
22.2 UPnP and ZyXEL	304
22.2.1 Configuring UPnP	304
22.3 Installing UPnP in Windows Example	305
22.4 Using UPnP in Windows XP Example	308
Maintenance, Troubleshooting and Specifications	315
System	317
23.1 General Setup and System Name	317
23.1.1 System Configuration	317
23.2 Time Setting	319
Logs	323
24.1 Logs Overview	323
24.1.1 Alerts and Logs	323
24.2 Viewing the Logs	323
24.3 Configuring Log Settings	324
24.4 SMTP Error Messages	326
24.4.1 Example E-mail Log	327
Tools	329
25.1 Firmware Upgrade	329
25.2 Configuration Screen	331
25.2.1 Backup Configuration	331
25.2.2 Restore Configuration	332
25.2.3 Back to Factory Defaults	333
25.3 Restart	333
Diagnostic	335
26.1 General Diagnostic	335
26.2 DSL Line Diagnostic	336
Troubleshooting	337
27.1 Problems Starting Up the ZyXEL Device	337
27.2 Problems with the LAN	337
27.3 Problems with the WAN	338
27.4 Problems Accessing the ZyXEL Device	338
27.4.1 Pop-up Windows, JavaScripts and Java Permissions	339
27.4.2 ActiveX Controls in Internet Explorer	344
Product Specifications	347
28.1 General ZyXEL Device Specifications	347
28.2 Wall-mounting Instructions	351
Appendices and Index	353
Setting up Your Computer’s IP Address	355
Pop-up Windows, JavaScripts and Java Permissions	377
IP Addresses and Subnetting	385
Wireless LANs	395
Management with Wireless Zero Configuration	409
Common Services	423
Virtual Circuit Topology	427
Importing Certificates	429
NetBIOS Filter Commands	435
Command Interpreter	437
Internal SPTGEN	443
Log Descriptions	459
Legal Information	475
Customer Support	479

Match case Limit results 1 per page

Chapter 10 Firewalls

P-662H/HW-D Series User’s Guide

158

10.2.2

Application-level Firewalls

Application-level firewalls restrict access by serving as proxies for external servers. Since they

use programs written for specific Internet services, such as HTTP, FTP and telnet, they can

evaluate network packets for valid application-specific data. Application-level gateways have

a number of general advantages over the default mode of permitting application traffic directly

to internal hosts:

Information hiding prevents the names of internal systems from being made known via DNS

to outside systems, since the application gateway is the only host whose name must be made

known to outside systems.

Robust authentication and logging pre-authenticates application traffic before it reaches

internal hosts and causes it to be logged more effectively than if it were logged with standard

host logging. Filtering rules at the packet filtering router can be less complex than they would

be if the router needed to filter application traffic and direct it to a number of specific systems.

The router need only allow application traffic destined for the application gateway and reject

the rest.

10.2.3

Stateful Inspection Firewalls

Stateful inspection firewalls restrict access by screening data packets against defined access

rules. They make access control decisions based on IP address and protocol. They also

"inspect" the session data to assure the integrity of the connection and to adapt to dynamic

protocols. These firewalls generally provide the best speed and transparency, however, they

may lack the granular application level access control or caching that some proxies support.

See

Section 10.5 on page 162

for more information on stateful inspection.

Firewalls, of one type or another, have become an integral part of standard security solutions

for enterprises.

10.3

Introduction to ZyXEL’s Firewall

The ZyXEL Device firewall is a stateful inspection firewall and is designed to protect against

Denial of Service attacks when activated. The ZyXEL Device’s purpose is to allow a private

Local Area Network (LAN) to be securely connected to the Internet. The ZyXEL Device can

be used to prevent theft, destruction and modification of data, as well as log events, which may

be important to the security of your network. The ZyXEL Device also has packet filtering

capabilities.

The ZyXEL Device is installed between the LAN and the Internet. This allows it to act as a

secure gateway for all data passing between the Internet and the LAN.

The ZyXEL Device has one DSL/ISDN port and one Ethernet LAN port, which physically

separate the network into two areas.

•

The DSL/ISDN port connects to the Internet.

•

The LAN (Local Area Network) port attaches to a network of computers, which needs

security from the outside world. These computers will have access to Internet services

such as e-mail, FTP, and the World Wide Web.

However, “inbound access” will not be

allowed unless you configure remote management or create a firewall rule to allow a

remote host to use a specific service.