
ZyXEL Communications 10~100 Series Network Router User Manual


Contents

1. Chart 13-8 ICMP Notes (continued)
TYPE  CODE  DESCRIPTION
      0     Echo message
11          Time Exceeded
      0     Time to live exceeded in transit
      1     Fragment reassembly time exceeded
12          Parameter Problem
      0     Pointer indicates the error
13          Timestamp
      0     Timestamp request message
14          Timestamp Reply
      0     Timestamp reply message
15          Information Request
      0     Information request message
16          Information Reply
      0     Information reply message
(The extraction shows "14" for Time Exceeded; the ICMP type is 11, and 14 is Timestamp Reply as listed below it.)

Chart 13-9 Syslog
LOG MESSAGE                                    DESCRIPTION
Mon dd hr:mm:ss hostname                       This message is sent by the RAS when this syslog is
src="<srcIP:srcPort>" dst="<dstIP:dstPort>"    generated. The messages and notes are defined in this
msg="<msg>" note="<note>"                      appendix's other charts.

VPN/IPSec logs
To view the IPSec and IKE connection log, type 3 in menu 27 and press [ENTER] to display the IPSec log as shown next. The following figure shows a typical log from the initiator of a VPN connection.
(page 13-11)

Diagram 13-1 Example VPN Initiator IPSec Log
Index  Date/Time   Log
000                Main Mode request to <192.168.100.101>
001                <SA>
002                <SA>
003                <KE><NONCE>
004                <KE><NONCE>
005                <ID><HASH>
006                <ID><HASH>
007                Phase 1 IKE SA process done
008                Start Phase 2: Quick Mode
009                Send:<HASH><SA><NONCE><ID><ID>
010                Recv:<HASH><SA><NONCE><ID><ID>
011                Send:<HASH>
Clear IPSec Lo
2. Chart 13-6 Access Logs (continued)
LOG MESSAGE                                   DESCRIPTION
(...FORWARD)                                  (...the router forwarded the packet.)
Filter default policy FORWARD UDP             Access matched a default filter policy. Access was allowed and the router forwarded the packet.
Filter default policy FORWARD ICMP            Access matched a default filter policy. Access was allowed and the router forwarded the packet.
Filter default policy FORWARD                 Access matched a default filter policy. Access was allowed and the router forwarded the packet.
Filter default policy FORWARD                 Access matched a default filter policy (denied LAN IP). Access was allowed and the router forwarded the packet.
Filter match DROP <set %d, rule %d> TCP       Access matched the listed filter rule and the ZyWALL dropped the packet to block access.
Filter match DROP <set %d, rule %d> UDP       Access matched the listed filter rule and the ZyWALL dropped the packet to block access.
(page 13-7)
Filter match DROP <set %d, rule %d> ICMP      Access matched the listed filter rule and the ZyWALL dropped the packet to block access.
Filter match DROP <set %d, rule %d>           Access matched the listed filter rule and the ZyWALL dropped the packet to block access.
Filter match DROP <set %d, rule %d>           Access matched the listed filter rule (denied LAN IP) and the ZyWALL dropped the packet to block access.
Fi
3. Table of Contents (continued)
Chapter 2 Triangle Route ... 2-1
Chapter 3 The Big Picture ... 3-1
Chapter 4 Wireless LAN and IEEE 802.11 ... 4-1
Chapter 5 Wireless LAN With IEEE 802.1x ... 5-1
Chapter 6 PPPoE ... 6-1
Chapter 7 PPTP ... 7-1
Chapter 8 IP Subnetting ... 8-1
Part II Command and Log Information
Chapter 9 Command Interpreter ... 9-1
Chapter 10 Firewall Commands ... 10-1
Chapter 11 NetBIOS Filter Commands ... 11-1
Chapter 12 Boot Commands ... 12-1
Chapter 13 Log Descriptions ... 13-1
Chapter 14 Brute Force Password Guessing Protection ...
4. Triangle Route (continued)
(Diagram 2-2 Triangle Route Problem: a LAN computer, the ZyWALL, Gateway B, ISP 1 and ISP 2; 1 SYN, 2 SYN, 3 SYN/ACK)

The Triangle Route Solutions
This section presents two solutions to the triangle route problem.

IP Aliasing
IP alias allows you to partition your network into logical sections over the same Ethernet interface. Your ZyWALL supports up to three logical LAN interfaces, with the ZyWALL being the gateway for each logical network. By putting your LAN and Gateway B in different subnets, all returning network traffic must pass through the ZyWALL to your LAN. The following steps describe such a scenario.
Step 1. A computer on the LAN initiates a connection by sending a SYN packet to a receiving server on the WAN.
Step 2. The ZyWALL reroutes the packet to Gateway B, which is in Subnet 2.
Step 3. The reply from the WAN goes through the ZyWALL to the computer on the LAN in Subnet 1.
(Diagram 2-3 IP Alias: LAN Subnet 1, Gateway B in Subnet 2, ISP 1; 3 SYN/ACK)
(page 2-2)

Gateways on the WAN Side
A second solution to the triangle route problem is to put all of your network gateways on the WAN side, as the following figure shows. This ensures that all incoming network traffic passes through your ZyWALL to your LAN. Therefore your LAN is protected.
(Diagram 2-4 Gateways on the WAN Side: LAN, WAN, Gateway B, ISP 1, ISP 2; 2 SYN/ACK)
Trian
5. Chart 13-6 Access Logs (continued, page 13-8)
LOG MESSAGE                                        DESCRIPTION
Firewall sent TCP reset packets                    The firewall sent out TCP reset packets.
Packet without a NAT table entry blocked           The router blocked a packet that did not have a corresponding NAT table entry.
Out of order TCP handshake packet blocked          The router blocked a TCP handshake packet that came out of the proper order.
Drop unsupported/out-of-order ICMP                 The ZyWALL generates this log after it drops an ICMP packet due to one of the following two reasons: 1. The ZyWALL does not support the ICMP packet's protocol. 2. The ICMP packet is an echo reply for which there was no corresponding echo request.
Router sent ICMP response packet                   The router sent an ICMP response packet. This packet automatically bypasses the firewall. See the section on ICMP messages for type and code details.
(type: %d, code: %d)

Chart 13-7 ACL Setting Notes
ACL SET NUMBER  DIRECTION   DESCRIPTION
1               LAN to WAN  ACL set 1 for packets traveling from the LAN to the WAN
2               WAN to LAN  ACL set 2 for packets traveling from the WAN to the LAN
3               DMZ to LAN  ACL set 3 for packets traveling from the DMZ to the LAN
4               DMZ to WAN  ACL set 4 for packets traveling from the DMZ to the WAN
5               WAN to DMZ  ACL set 5 for packets traveling from the WAN to the DMZ
6               LAN to DMZ  ACL set 6 for pa
6. Chart 13-12 RFC 2408 ISAKMP Payload Types (continued)
LOG DISPLAY  PAYLOAD TYPE
SA           Security Association
PROP         Proposal
TRANS        Transform
KE           Key Exchange
ID           Identification
CER          Certificate
CER_REQ      Certificate Request
HASH         Hash
SIG          Signature
NONCE        Nonce
NOTFY        Notification
DEL          Delete
VID          Vendor ID
(page 13-16)

Log Commands
Go to the command interpreter interface (the Command Interpreter appendix explains how to access and use the commands).

Configuring What You Want the ZyWALL to Log
Use the sys logs load command to load the log setting buffer that allows you to configure which logs the ZyWALL is to record.
Use sys logs category followed by a log category and a parameter to decide what to record.

Chart 13-13 Log Categories and Available Settings
LOG CATEGORIES  AVAILABLE PARAMETERS
access          0, 1, 2, 3
attack          0, 1, 2, 3
error           0, 1, 2, 3
ike             0, 1, 2, 3
ipsec           0, 1, 2, 3
javablocked     0, 1
mten            0, 1
upnp            0, 1
urlblocked      0, 1, 2, 3
urlforward      0, 1
Use 0 to not record logs for that category, 1 to record only logs for that category, 2 to record only alerts for that category, and 3 to record both logs and alerts for that category.
Use the sys logs save command to store the settings in the ZyWALL (you must do this in order to record logs).

Displaying Logs
Use the sys logs display command to show all of the logs in the ZyWALL's log.
Use the sys logs catego
7. Chart 13-11 Sample IPSec Logs During Packet Transmission (continued)
LOG MESSAGE                              DESCRIPTION
WAN IP changed to <IP>                   If the ZyWALL's WAN IP changes, all configured My IP Addr are changed to 0.0.0.0. If this field is configured as 0.0.0.0, then the ZyWALL will use the current ZyWALL WAN IP address (static or dynamic) to set up the VPN tunnel.
Cannot find IPSec SA                     The ZyWALL cannot find a phase 2 SA that corresponds with the SPI of an inbound packet (from the peer); the packet is dropped.
Cannot find outbound SA for rule <%d>    The packet matches the rule index number (%d), but Phase 1 or Phase 2 negotiation for outbound (from the VPN initiator) traffic is not finished yet.
Discard REPLAY packet                    If the ZyWALL receives a packet with the wrong sequence number, it will discard it.
Inbound packet authentication failed     The authentication configuration settings are incorrect. Please check them.
Inbound packet decryption failed         The decryption configuration settings are incorrect. Please check them.
Rule <%d> idle time out, disconnect      If an SA has no packets transmitted for a period of time (configurable via CI command), the ZyWALL drops the connection.
(page 13-15)

The following table shows RFC 2408 ISAKMP payload types that the log displays. Please refer to the RFC for detailed information on each type.
Chart 13-12 RFC 2408 ISAKMP Payload Types
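The Main Mode and Quick Mode exchange recorded in Diagram 13-1, checked mechanically. This is an added example, not ZyXEL code: it walks an initiator IPSec log, matches the payload tags of Chart 13-12 against the six Main Mode messages and three Quick Mode messages, and reports how far each phase got. That is the first thing to establish when a tunnel does not come up and the IPSec log of Chart 13-11 reports "Cannot find outbound SA". The log text below is reconstructed from the diagram; the exact wording of the "Start Phase 2" and "Phase 1 ... done" lines is taken from it.

```python
import re

PAYLOAD = re.compile(r"<([A-Z_]+)>")

# Expected payload sets per message, in order (ISAKMP Main Mode, then Quick Mode).
MAIN_MODE = [("SA",), ("SA",), ("KE", "NONCE"), ("KE", "NONCE"),
             ("ID", "HASH"), ("ID", "HASH")]
QUICK_MODE = [("HASH", "SA", "NONCE", "ID", "ID"),
              ("HASH", "SA", "NONCE", "ID", "ID"),
              ("HASH",)]


def payloads(line):
    """'Send:<HASH><SA>' -> ('HASH', 'SA'); the Send:/Recv: prefix is ignored."""
    return tuple(PAYLOAD.findall(line))


def _matched(lines, expected):
    """How many of `expected` payload tuples appear, in order, at the start of `lines`."""
    count = 0
    for line, want in zip(lines, expected):
        if payloads(line) != want:
            break
        count += 1
    return count


def check_ike_log(lines):
    """Return peer address and the state of Phase 1 and Phase 2 as seen in the log."""
    lines = [ln.strip() for ln in lines if ln.strip()]
    status = {"peer": None, "phase1": "not started", "phase2": "not started"}
    if not lines:
        return status
    m = re.match(r"Main Mode request to <([^>]+)>", lines[0])
    if not m:
        return status
    status["peer"] = m.group(1)
    rest = lines[1:]

    seen = _matched(rest, MAIN_MODE)
    if seen < 6 or seen >= len(rest) or rest[seen] != "Phase 1 IKE SA process done":
        status["phase1"] = f"incomplete ({seen} of 6 Main Mode messages)"
        return status
    status["phase1"] = "done"

    rest = rest[seen + 1:]
    if not rest or rest[0] != "Start Phase 2: Quick Mode":
        return status
    rest = rest[1:]
    seen = _matched(rest, QUICK_MODE)
    status["phase2"] = "done" if seen == 3 else f"incomplete ({seen} of 3 Quick Mode messages)"
    return status


# Constructed from Diagram 13-1 (initiator side); not a captured device log.
INITIATOR_LOG = """Main Mode request to <192.168.100.101>
<SA>
<SA>
<KE><NONCE>
<KE><NONCE>
<ID><HASH>
<ID><HASH>
Phase 1 IKE SA process done
Start Phase 2: Quick Mode
Send:<HASH><SA><NONCE><ID><ID>
Recv:<HASH><SA><NONCE><ID><ID>
Send:<HASH>""".splitlines()

if __name__ == "__main__":
    print(check_ike_log(INITIATOR_LOG))        # both phases done
    print(check_ike_log(INITIATOR_LOG[:5]))    # stalled after the KE/NONCE exchange
```

A log that stops after the two <KE><NONCE> messages means the peers never reached the authenticated <ID><HASH> step, so packets matching the rule will keep producing "Cannot find outbound SA" until that is resolved; the checker reports exactly which message was the last one seen.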
8. Chart 13-5 Attack Logs (continued)
LOG MESSAGE                              DESCRIPTION
syn flood TCP                            The firewall detected a TCP syn flood attack.
ports scan TCP                           The firewall detected a TCP port scan attack.
teardrop TCP                             The firewall detected a TCP teardrop attack.
teardrop UDP                             The firewall detected a UDP teardrop attack.
teardrop ICMP (type: %d, code: %d)       The firewall detected an ICMP teardrop attack (see the section on ICMP messages for type and code details).
illegal command TCP                      The firewall detected a TCP illegal command attack.
NetBIOS TCP                              The firewall detected a TCP NetBIOS attack.
ip spoofing - no routing entry TCP       The firewall detected a TCP IP spoofing attack while the ZyWALL did not have a default route.
ip spoofing - no routing entry UDP       The firewall detected a UDP IP spoofing attack while the ZyWALL did not have a default route.
ip spoofing - no routing entry IGMP      The firewall detected an IGMP IP spoofing attack while the ZyWALL did not have a default route.
ip spoofing - no routing entry ESP       The firewall detected an ESP IP spoofing attack while the ZyWALL did not have a default route.
ip spoofing - no routing entry GRE       The firewall detected a GRE IP spoofing attack while the ZyWALL did not have a default route.
ip spoofing - no routing entry OSPF      The firewall detected an OSPF IP spoofing attack while the ZyWALL did not have a default route.
ip spoof
9. RADIUS Server Authentication Sequence
The following figure depicts a typical wireless network with a remote RADIUS server for user authentication using EAPOL (EAP Over LAN).
(Diagram 5-1 Sequences for EAP MD5-Challenge Authentication: Client computer, AP in the unauthorized state, RADIUS Server)
  RADIUS Access-Request
  RADIUS Access-Challenge
  RADIUS Access-Request
  RADIUS Access-Accept: client computer access authorized
  RADIUS Access-Deny (Access-Reject in RFC 2865): client computer access not authorized
(page 5-2)

Chapter 6 PPPoE
PPPoE in Action
An ADSL modem bridges a PPP session over Ethernet (PPP over Ethernet, RFC 2516) from your PC to an ATM PVC (Permanent Virtual Circuit), which connects to a DSL Access Concentrator where the PPP session terminates (see the next figure). One PVC can support any number of PPP sessions from your LAN. PPPoE provides access control and billing functionality in a manner similar to dial-up services using PPP.
Benefits of PPPoE
PPPoE offers the following benefits:
1. It provides you with a familiar dial-up networking (DUN) user interface.
2. It lessens the burden on the carriers of provisioning virtual circuits all the way to the ISP on multiple switches for thousands of users. For GSTN (PSTN & ISDN), the switching fabric is already in place.
3. It allows the
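The exchange in Diagram 5-1 carried through in code, as an added example that is not part of the manual. EAP-MD5 reuses the CHAP computation of RFC 1994: the supplicant answers the server's random challenge with MD5(identifier || secret || challenge), and the server compares that against what it computes from its copy of the secret. The class and function names, the user database and the sample secret are assumptions made for the example. The last function shows the caveat a practitioner needs: the challenge and response cross the air in the clear, so anyone who captures them can test password guesses offline, and EAP-MD5 authenticates neither the access point nor the server to the client.

```python
import hashlib
import hmac
import os


def md5_challenge_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP/EAP-MD5 response: MD5(Identifier || Secret || Challenge), RFC 1994 section 2."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class RadiusServer:
    """The RADIUS Server box of Diagram 5-1 (assumed in-memory user table)."""

    def __init__(self, users: dict):
        self.users = users          # identity -> shared secret (password)
        self.pending = {}           # identity -> (identifier, challenge) awaiting a response

    def access_request_identity(self, identity: str):
        """First RADIUS Access-Request (EAP Identity) -> Access-Challenge."""
        identifier = os.urandom(1)[0]
        challenge = os.urandom(16)  # fresh per attempt, so responses cannot be replayed
        self.pending[identity] = (identifier, challenge)
        return identifier, challenge

    def access_request_response(self, identity: str, response: bytes) -> str:
        """Second Access-Request carrying the MD5 response -> Accept or Deny."""
        pending = self.pending.pop(identity, None)   # a challenge is usable once
        secret = self.users.get(identity)
        if pending is None or secret is None:
            return "Access-Deny"
        identifier, challenge = pending
        expected = md5_challenge_response(identifier, secret, challenge)
        return "Access-Accept" if hmac.compare_digest(expected, response) else "Access-Deny"


def authenticate(server: RadiusServer, identity: str, secret: bytes) -> str:
    """The supplicant's side: answer the challenge with its own secret (AP relays only)."""
    identifier, challenge = server.access_request_identity(identity)
    response = md5_challenge_response(identifier, secret, challenge)
    return server.access_request_response(identity, response)


def offline_guess(identifier: int, challenge: bytes, response: bytes, wordlist):
    """Why EAP-MD5 is weak: with the captured challenge and response, candidates
    are tested at MD5 speed, with no interaction with the server at all."""
    for candidate in wordlist:
        if md5_challenge_response(identifier, candidate, challenge) == response:
            return candidate
    return None


if __name__ == "__main__":
    srv = RadiusServer({"alice": b"s3cret"})       # constructed sample user
    print(authenticate(srv, "alice", b"s3cret"))   # Access-Accept
    print(authenticate(srv, "alice", b"wrong"))    # Access-Deny
```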
10. Boot Commands (continued)
Diagram 12-2 Boot Module Commands
AT              just answer OK
ATHE            print help
ATBAx           change baudrate. 1:38.4k, 2:19.2k, 3:9.6k, 4:57.6k, 5:115.2k
ATENx,(y)       set BootExtension Debug Flag (y=password)
ATSE            show the seed of password generator
ATTI(h,m,s)     change system time to hour:min:sec or show current time
ATDA(y,m,d)     change system date to year/month/day or show current date
ATDS            dump RAS stack
ATDT            dump Boot Module Common Area
ATDUx,y         dump memory contents from address x for length y
ATRBx           display the 8-bit value of address x
ATRWx           display the 16-bit value of address x
ATRLx           display the 32-bit value of address x
ATGO(x)         run program at addr x or boot router
ATGR            boot router
ATGT            run Hardware Test Program
ATRTw,x,y(,z)   RAM test level w, from address x to y (z iterations)
ATSH            dump manufacturer related data in ROM
ATDOx,y         download from address x for length y to PC via XMODEM
ATTD            download router configuration to PC via XMODEM
ATUR            upload router firmware to flash ROM
ATLC            upload router configuration file to flash ROM
ATXSx           xmodem select: x=0 CRC mode (default); x=1 checksum mode
ATSR            System reboot
(page 12-2)

Chapter 13 Log Descriptions
Chart 13-1 System Error Logs
LOG MESSAGE                  DESCRIPTION
%s exceeds the max...        This attempt to create a NAT session exceeds the maximum number
11. Table of Contents (continued)
Chapter 14 ... 14-1
Part III Index
(pages vii, viii)

List of Diagrams
Diagram 2-1 Ideal Setup ... 2-1
Diagram 2-2 Triangle Route Problem ... 2-2
Diagram 2-3 IP Alias ... 2-2
Diagram 2-4 Gateways on the WAN Side ... 2-3
Diagram 3-1 Big Picture: Filtering, Firewall, VPN and NAT ... 3-1
Diagram 4-1 Peer-to-Peer Communication in an Ad-hoc Network ... 4-3
Diagram 4-2 ESS Provides Campus-Wide Coverage ... 4-4
Diagram 5-1 Sequences for EAP MD5-Challenge Authentication ... 5-2
Diagram 6-1 Single-PC per Modem Hardware Configuration ... 6-1
Diagram 6-2 ZyWALL as a PPPoE Client ... 6-2
Diagram 7-1 Transport PPP frames over Ethernet ... 7-1
Diagram 7-2 PPTP Protocol Overview ... 7-2
Diagram 7-3 Example Message Exchange between PC and an ANT ... 7-3
Diagram 11-1 NetBIOS Display Filter Settings Command Without DMZ Example ... 11-2
Diagram 11-2 NetBIOS Display Filter Settings Command With DMZ Example ... 11-2
Diagram 12-1 Option to Enter Debug Mode ... 12-1
Diagram 12-2 Boot Module Commands ... 12-2
Diagram 13-1 Example VPN Initiator IPSec Log ... 13-12
Diagram 13-2 Example VPN Responder IPSec Log ... 13-12
List of
12. IP Subnetting (continued)
Chart 8-6 Subnet 2
NETWORK NUMBER         LAST OCTET BIT VALUE
IP Address             192.168.1.128
IP Address (Binary)    11000000.10101000.00000001.10000000
Subnet Mask            255.255.255.128
Subnet Mask (Binary)   11111111.11111111.11111111.10000000
Subnet Address         192.168.1.128
Lowest Host ID         192.168.1.129
Broadcast Address      192.168.1.255
Highest Host ID        192.168.1.254

The remaining 7 bits determine the number of hosts each subnet can have. Host IDs of all zeros represent the subnet itself and host IDs of all ones are the broadcast address for that subnet, so the actual number of hosts available on each subnet in the example above is 2^7 - 2, or 126 hosts for each subnet.
(page 8-4)
192.168.1.0 with mask 255.255.255.128 is the subnet itself, and 192.168.1.127 with mask 255.255.255.128 is the directed broadcast address for the first subnet. Therefore, the lowest IP address that can be assigned to an actual host for the first subnet is 192.168.1.1 and the highest is 192.168.1.126. Similarly, the host ID range for the second subnet is 192.168.1.129 to 192.168.1.254.

Example: Four Subnets
The above example illustrated using a 25-bit subnet mask to divide a class C address space into two subnets. Similarly, to divide a class C address into four subnets, you need to borrow two host ID bits to give four possible combinations of 00, 01, 10 and 11. The subnet mask
13. List of Charts (continued)
Chart 13-6 Access Logs ... 13-5
Chart 13-7 ACL Setting Notes ... 13-9
Chart 13-8 ICMP Notes ... 13-10
Chart 13-9 Syslog ... 13-11
Chart 13-10 Sample IKE Key Exchange Logs ... 13-13
(page x)
Chart 13-11 Sample IPSec Logs During Packet Transmission ... 13-15
Chart 13-12 RFC 2408 ISAKMP Payload Types ... 13-16
Chart 13-13 Log Categories and Available Settings ... 13-17
Chart 14-1 Brute Force Password Guessing Protection Commands ... 14-1
(page xi)

Preface
About Your ZyWALL
Congratulations on your purchase of the ZyWALL Security Gateway.
About This User's Manual
This manual is designed to provide background information on some of the ZyWALL's features. It also includes commands for use with the command interpreter. This manual may refer to the ZyWALL Internet Security Gateway as the ZyWALL. This manual covers the ZyWALL 10 to 100 models. Supported features and the details of the features vary from model to model. Not every feature applies to every model; refer to the Model Comparison Chart in chapte
14. List of Diagrams (end, page ix)

List of Charts
Chart 8-1 Classes of IP Addresses ... 8-1
Chart 8-2 Allowed IP Address Range By Class ... 8-2
Chart 8-3 Natural Masks ... 8-2
Chart 8-4 Alternative Subnet Mask Notation ... 8-3
Chart 8-5 Subnet 1 ... 8-4
Chart 8-6 Subnet 2 ... 8-4
Chart 8-7 Subnet 1 ... 8-5
Chart 8-8 Subnet 2 ... 8-5
Chart 8-9 Subnet 3 ... 8-5
Chart 8-10 Subnet 4 ... 8-6
Chart 8-11 Eight Subnets ... 8-6
Chart 8-12 Class C Subnet Planning ... 8-7
Chart 8-13 Class B Subnet Planning ... 8-7
Chart 10-1 Firewall Commands ... 10-1
Chart 11-1 NetBIOS Filter Default Settings ... 11-2
Chart 13-1 System Error Logs ... 13-1
Chart 13-2 System Maintenance Logs ... 13-1
Chart 13-3 UPnP Logs ... 13-2
Chart 13-4 Content Filtering Logs ... 13-2
Chart 13-5 Attack Logs ... 13-2
Chart 13-6 Access Logs ...
15. PPPoE (continued)
...ISP to use the existing dial-up model to authenticate and (optionally) to provide differentiated services.

Traditional Dial-up Scenario
The following diagram depicts a typical hardware configuration where the PCs use traditional dial-up networking.
(Diagram 6-1 Single-PC per Modem Hardware Configuration: PCs with modems dialing ISP 1 and ISP 2)
(page 6-1)

How PPPoE Works
The PPPoE driver makes the Ethernet appear as a serial link to the PC and the PC runs PPP over it, while the modem bridges the Ethernet frames to the Access Concentrator (AC). Between the AC and an ISP, the AC is acting as a L2TP (Layer 2 Tunneling Protocol) LAC (L2TP Access Concentrator) and tunnels the PPP frames to the ISP. The L2TP tunnel is capable of carrying multiple PPP sessions.
With PPPoE, the VC (Virtual Circuit) is equivalent to the dial-up connection and is between the modem and the AC, as opposed to all the way to the ISP. However, the PPP negotiation is between the PC and the ISP.

ZyWALL as a PPPoE Client
When using the ZyWALL as a PPPoE client, the PCs on the LAN see only Ethernet and are not aware of PPPoE. This alleviates the administrator from having to manage the PPPoE clients on the individual PCs.
(Diagram 6-2 ZyWALL as a PPPoE Client: LAN, ZyWALL, modem, Access Concentrator)
(page 6-2)

Chapter 7 PPTP
What is PPTP?
PPTP (Poi
16. Setting Up Your Computer's IP Address (Windows 2000/NT/XP, continued)
6. If you do not know your gateway's IP address, remove any previously installed gateways in the IP Settings tab and click OK.
(screenshot: Advanced TCP/IP Settings dialog with IP Settings, DNS, WINS and Options tabs; IP addresses list showing "DHCP Enabled"; Default gateways list; Automatic metric check box)
Do one or more of the following if you want to configure additional IP addresses:
  In the IP Settings tab, in IP addresses, click Add.
  In TCP/IP Address, type an IP address in IP address and a subnet mask in Subnet mask, and then click Add.
  Repeat the above two steps for each IP address you want to add.
  Configure additional default gateways in the IP Settings tab by clicking Add in Default gateways.
  In TCP/IP Gateway Address, type the IP address of the default gateway in Gateway. To manually configure a default metric (the number of transmission hops), clear the Automatic metric check box and type a metric in Metric.
  Click Add.
  Repeat the previous three steps for each default gateway you want to add.
  Click OK when finished.
(page 1-7)
7. In the Internet Protocol (TCP/IP) Properties window (the General tab in Windows XP):
(screenshot: Internet Protocol (TCP/IP) Properties, General and Alternate Configuration tabs)
  Click Obtain DNS server address automatically if you do not kno
17. Chart 10-1 Firewall Commands (continued)
FUNCTION / COMMAND                                                                          DESCRIPTION
config edit firewall set <set #> rule <rule #> srcaddr range <start ip address> <end ip address>    This command sets a rule to have the ZyWALL check for traffic from this range of addresses.
config edit firewall set <set #> rule <rule #> destaddr single <ip address>                         This command sets the rule to have the ZyWALL check for traffic with this individual destination address.
config edit firewall set <set #> rule <rule #> destaddr subnet <ip address> <subnet mask>           This command sets a rule to have the ZyWALL check for traffic with a particular destination subnet defined by IP address and mask.
config edit firewall set <set #> rule <rule #> destaddr range <start ip address> <end ip address>   This command sets a rule to have the ZyWALL check for traffic going to this range of addresses.
(page 10-6)
config edit firewall set <set #> rule <rule #> TCP destport single <port #>                         This command sets a rule to have the ZyWALL check for TCP traffic with this destination port (the original reads "destination address", which is a slip: the command sets a port). You may repeat this command to enter various non-consecutive port numbers.
config edit firewall set <set #> rule <rule #> TCP destport range <start port #> <end port #>       This command sets a rule to have the ZyWALL check for TCP traffic with a destination port in this range.
config edit firewall set <set
18. FCC Statement (continued)
...device may not cause harmful interference. This device must accept any interference received, including interference that may cause undesired operations.
This equipment has been tested and found to comply with the limits for a CLASS B digital device pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy, and if not installed and used in accordance with the instructions, may cause harmful interference to radio communications.
If this equipment does cause harmful interference to radio/television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:
  Reorient or relocate the receiving antenna.
  Increase the separation between the equipment and the receiver.
  Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.
  Consult the dealer or an experienced radio/TV technician for help.
Notice 1: Changes or modifications not expressly approved by the party responsible for compliance could void the user's authority to operate the equipment.
Certifications: Refer to the product page at www.zyxel.com.
(page iii)

Information for Canadian Users
The Industry Canada label
19. Information for Canadian Users (continued)
...identifies certified equipment. This certification means that the equipment meets certain telecommunications network protective, operation, and safety requirements. The Industry Canada does not guarantee that the equipment will operate to a user's satisfaction.
Before installing this equipment, users should ensure that it is permissible to be connected to the facilities of the local telecommunications company. The equipment must also be installed using an acceptable method of connection. In some cases, the company's inside wiring associated with a single line individual service may be extended by means of a certified connector assembly. The customer should be aware that the compliance with the above conditions may not prevent degradation of service in some situations.
Repairs to certified equipment should be made by an authorized Canadian maintenance facility designated by the supplier. Any repairs or alterations made by the user to this equipment, or equipment malfunctions, may give the telecommunications company cause to request the user to disconnect the equipment.
For their own protection, users should ensure that the electrical ground connections of the power utility, telephone lines, and internal metallic water pipe system, if present, are connected together. This precaution may be particularly important in rural areas.
Caution: Users should not attempt to make such connections themselves, but should contact the appropriate electrical inspection a
20. IP Subnetting (continued)
...is 26 bits (11111111.11111111.11111111.11000000) or 255.255.255.192. Each subnet contains 6 host ID bits, giving 2^6 - 2 or 62 hosts for each subnet (all 0's is the subnet itself, all 1's is the broadcast address on the subnet).

Chart 8-7 Subnet 1
NETWORK NUMBER         LAST OCTET BIT VALUE
IP Address             192.168.1.0
IP Address (Binary)    11000000.10101000.00000001.00000000
Subnet Mask (Binary)   11111111.11111111.11111111.11000000
Subnet Address         192.168.1.0
Lowest Host ID         192.168.1.1
Broadcast Address      192.168.1.63
Highest Host ID        192.168.1.62

Chart 8-8 Subnet 2
NETWORK NUMBER         LAST OCTET BIT VALUE
IP Address             192.168.1.64
IP Address (Binary)    11000000.10101000.00000001.01000000
Subnet Mask (Binary)   11111111.11111111.11111111.11000000
Subnet Address         192.168.1.64
Lowest Host ID         192.168.1.65
Broadcast Address      192.168.1.127
Highest Host ID        192.168.1.126

Chart 8-9 Subnet 3
NETWORK NUMBER         LAST OCTET BIT VALUE
IP Address             192.168.1.128
IP Address (Binary)    11000000.10101000.00000001.10000000
Subnet Mask (Binary)   11111111.11111111.11111111.11000000
(page 8-5)
Subnet Address         192.168.1.128
Lowest Host ID         192.168.1.129
Broadcast Address      192.168.1.191
Highest Host ID        192.168.1.190

Chart 8-10 Subnet 4
NETWORK NUMBER         LAST
21. Boot Commands (continued)
...selected before the main router firmware (ZyNOS) is started. When you start up your ZyWALL, you are given a choice to go into debug mode by pressing a key at the prompt shown in the following screen. In debug mode you have access to a series of boot module commands, for example ATUR (for uploading firmware) and ATLC (for uploading the configuration file). These are already discussed in the Firmware and Configuration File Maintenance chapter.

Bootbase Version: V1.02 | 08/08/2001 15:40:50
RAM: Size = 16384 Kbytes
DRAM Post: Testing: 16384K OK
FLASH: Intel 16M
ZyNOS Version: V3.50(WB.0)b3 | 08/08/2001 16:21:27
Press any key to enter debug mode within 3 seconds.
Diagram 12-1 Option to Enter Debug Mode

Enter ATHE to view all available ZyWALL boot module commands as shown in the next screen. ATBAx allows you to change the console port speed. The x denotes the number preceding the colon to give the console port speed following the colon in the list of numbers that follows; for example, ATBA3 will give a console port speed of 9.6 Kbps. ATSE displays the seed that is used to generate a password to turn on the debug flag in the firmware. The ATSH command shows product-related information such as boot module version, vendor name, product model, RAS code revision, etc. ATGO allows you to continue booting the system. Most other commands aid in advanced troubleshooting and should only be used by qualified engineers.
Note that this prompt is reached from the console port before ZyNOS, and therefore before its password prompt, has started, and the boot module commands include memory dumps and configuration upload and download. Whoever can connect to the console port during those 3 seconds has the same power as an administrator, so physical access to the console port should be controlled like administrator access.
(page 12-1)
22. Chart 13-1 System Error Logs (continued)
LOG MESSAGE            DESCRIPTION
...Full                ...table entries has been exceeded and the table is full.

Chart 13-3 UPnP Logs
LOG MESSAGE                    DESCRIPTION
UPnP pass through Firewall     UPnP packets can pass through the firewall.

Chart 13-4 Content Filtering Logs
CATEGORY  LOG MESSAGE       DESCRIPTION
URLFOR    IP/Domain Name    The ZyWALL allows access to this IP address or domain name and forwarded traffic addressed to the IP address or domain name.
URLBLK    IP/Domain Name    The ZyWALL blocked access to this IP address or domain name due to a forbidden keyword. All web traffic is disabled except for trusted domains, untrusted domains, or the cybernot list.
JAVBLK    IP/Domain Name    The ZyWALL blocked access to this IP address or domain name because of a forbidden service such as ActiveX, a Java applet, a cookie, or a proxy.

Chart 13-5 Attack Logs
LOG MESSAGE          DESCRIPTION
attack TCP           The firewall detected a TCP attack.
attack UDP           The firewall detected a UDP attack.
(page 13-2)
attack IGMP          The firewall detected an IGMP attack.
attack ESP           The firewall detected an ESP attack.
attack GRE           The firewall detected a GRE attack.
attack OSPF          The firewall detected an OSPF attack.
attack ICMP (type: %d, ...   Th
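Detection logic run over log lines in the syslog format of Chart 13-9, using the message texts of Charts 13-5 and 13-6 and the ACL set numbers of Chart 13-7. This is an added example, not ZyXEL code: it parses each line into fields, pulls the set and rule numbers out of "Filter match DROP <set %d, rule %d>" messages, maps the set to its direction, and reports sources that either triggered an attack log or hit the drop threshold. The sample lines are constructed for the example; the note= values in them are assumed, since the manual does not list them.

```python
import re
from collections import Counter, defaultdict

# Chart 13-9: Mon dd hr:mm:ss hostname src="<ip:port>" dst="<ip:port>" msg="<msg>" note="<note>"
LINE = re.compile(
    r'^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) '
    r'src="(?P<src>[^"]*)" dst="(?P<dst>[^"]*)" msg="(?P<msg>[^"]*)" note="(?P<note>[^"]*)"$'
)
# Chart 13-6 access log message carrying the filter set and rule that matched.
FILTER_MATCH = re.compile(r"^Filter match (?P<action>DROP|FORWARD) <set (?P<set>\d+), rule (?P<rule>\d+)>")
# Chart 13-7 ACL set numbers.
ACL_SETS = {1: "LAN to WAN", 2: "WAN to LAN", 3: "DMZ to LAN",
            4: "DMZ to WAN", 5: "WAN to DMZ", 6: "LAN to DMZ"}
# Chart 13-5 attack log message prefixes.
ATTACK_PREFIXES = ("attack ", "syn flood", "ports scan", "teardrop",
                   "illegal command", "NetBIOS", "ip spoofing")


def parse(line):
    """Split one syslog line into its fields, or return None if it is not in the format."""
    m = LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["src_ip"], _, rec["src_port"] = rec["src"].partition(":")
    rec["dst_ip"], _, rec["dst_port"] = rec["dst"].partition(":")
    fm = FILTER_MATCH.match(rec["msg"])
    rec["acl_set"] = int(fm["set"]) if fm else None
    rec["acl_rule"] = int(fm["rule"]) if fm else None
    rec["direction"] = ACL_SETS.get(rec["acl_set"])
    rec["is_attack"] = rec["msg"].startswith(ATTACK_PREFIXES)
    return rec


def triage(lines, drop_threshold=3):
    """Sources with an attack log, or at least drop_threshold dropped packets, are suspects."""
    drops = Counter()
    attacks = defaultdict(list)
    unparsed = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            unparsed.append(line)      # never silently skip: a format change hides events
            continue
        if rec["is_attack"]:
            attacks[rec["src_ip"]].append(rec["msg"])
        if rec["msg"].startswith("Filter match DROP"):
            drops[rec["src_ip"]] += 1
    suspects = sorted({ip for ip, n in drops.items() if n >= drop_threshold} | set(attacks))
    return {"suspects": suspects, "drops": dict(drops), "attacks": dict(attacks), "unparsed": unparsed}


# Constructed sample lines (documentation addresses; note= values assumed).
SAMPLE = [
    'Jun 10 09:12:01 zywall src="203.0.113.9:4466" dst="192.0.2.10:80" msg="Filter match DROP <set 2, rule 3> TCP" note="ACCESS BLOCK"',
    'Jun 10 09:12:02 zywall src="203.0.113.9:4467" dst="192.0.2.10:22" msg="Filter match DROP <set 2, rule 3> TCP" note="ACCESS BLOCK"',
    'Jun 10 09:12:02 zywall src="203.0.113.9:4468" dst="192.0.2.10:23" msg="Filter match DROP <set 2, rule 3> TCP" note="ACCESS BLOCK"',
    'Jun 10 09:12:05 zywall src="203.0.113.9:0" dst="192.0.2.10:0" msg="ports scan TCP" note="ATTACK"',
    'Jun 10 09:13:10 zywall src="192.168.1.33:1025" dst="198.51.100.5:443" msg="Filter default policy FORWARD TCP" note="ACCESS FORWARD"',
    'Jun 10 09:13:11 zywall src="198.51.100.77:0" dst="192.0.2.10:0" msg="ip spoofing - no routing entry UDP" note="ATTACK"',
    'this line is not in the Chart 13-9 format',
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The threshold is per source address; on a device this small the useful tuning knob is the category settings of Chart 13-13, where attack and access set to 3 deliver both the records and the alerts this triage consumes.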
23. Preface (continued)
Syntax Conventions
"Enter" means for you to type one or more characters and press the carriage return. "Select" or "Choose" means for you to use one of the predefined choices.
The SMT menu titles and labels are in Bold Times New Roman font. The choices of a menu item are in Bold Arial font. A single keystroke is in Arial font and enclosed in square brackets; for instance, [ENTER] means the Enter or carriage return key, [ESC] means the escape key and [SPACE BAR] means the space bar. [UP] and [DOWN] are the up and down arrow keys.
Mouse action sequences are denoted using a comma. For example, "click the Apple icon, Control Panels and then Modem" means first click the Apple icon, then point your mouse pointer to Control Panels and then click Modem.
For brevity's sake, we will use "e.g." as a shorthand for "for instance" and "i.e." for "that is" or "in other words" throughout this manual.
(page xiii)

Part I General Information
This part provides background information about setting up your computer's IP address, triangle route, how functions are related, wireless LAN, 802.1x, PPPoE, PPTP and IP subnetting.

Chapter 1 Setting up Your Computer's IP Address
All computers must have a 10M or 100M Ethernet adapter card and TCP/IP installed: Windows 95/98/Me/NT/2000/XP, Maci
24. Chapter 14 Brute Force Password Guessing Protection (continued)
...guessing protection mechanism for the password. See the Command Interpreter appendix for information on the command structure.

Chart 14-1 Brute Force Password Guessing Protection Commands
COMMAND                    DESCRIPTION
sys pwderrtm               This command displays the brute force guessing password protection settings.
sys pwderrtm 0             This command turns off the password's protection from brute force guessing. The brute force password guessing protection is turned off by default.
sys pwderrtm N             This command sets the password protection to block all access attempts for N (a number from 1 to 60) minutes after the third time an incorrect password is entered.
Example: sys pwderrtm 5    This command sets the password protection to block all access attempts for five minutes after the third time an incorrect password is entered.
(page 14-1)

Part III Index
A
Ad-hoc Configuration ... 4-2
Alternative Subnet Mask Notation ... 8-3
B
Basic Service Set ... 4-2
Big Picture ... 3-1
Bold Times font ... See Syntax Conventions
Boo
D
DSSS ... See Direct Sequence Spread Spectrum
E
Encapsulation
  PPP over Ethernet ... 6-1
Enter ... See Syntax Conventions
ESS ... See Extended Service Set
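The lockout rule of Chart 14-1 modelled in code, as an added example that is not ZyXEL code. The model follows the chart literally: N is 0 (off, the default) or 1 to 60 minutes, the third wrong password starts the block, and during the block every attempt is refused, including one with the right password. That last property is the caveat to weigh before enabling it: because the block applies to all access rather than to the offending source, anyone who can reach the login prompt can lock administrators out for N minutes at a time, so it belongs together with restricting where management access is accepted from. Time is passed in explicitly so the behaviour can be exercised without waiting.

```python
import hmac


class PasswordGuessGuard:
    """Model of `sys pwderrtm N`: after three wrong passwords, block all
    access for N minutes. N = 0 disables the protection (the ZyWALL default)."""

    def __init__(self, password: str, lockout_minutes: int = 0):
        if not 0 <= lockout_minutes <= 60:
            raise ValueError("sys pwderrtm accepts 0 (off) or 1..60 minutes")
        self._password = password.encode()
        self.lockout_seconds = lockout_minutes * 60
        self.failures = 0           # consecutive wrong passwords since the last success or block
        self.blocked_until = None   # timestamp (seconds) when the block ends, or None

    def attempt(self, password: str, now: float) -> str:
        """Evaluate one login attempt at time `now`; returns accepted, rejected or blocked."""
        if self.blocked_until is not None:
            if now < self.blocked_until:
                return "blocked"    # all access refused, the correct password included
            self.blocked_until = None
            self.failures = 0
        # constant-time comparison so the check itself leaks nothing about the password
        if hmac.compare_digest(password.encode(), self._password):
            self.failures = 0
            return "accepted"
        self.failures += 1
        if self.lockout_seconds and self.failures >= 3:
            self.blocked_until = now + self.lockout_seconds
            self.failures = 0
        return "rejected"


def run(guard: PasswordGuessGuard, attempts):
    """Feed (timestamp, password) pairs in order and collect the outcomes."""
    return [guard.attempt(pw, t) for t, pw in attempts]


# Constructed attempt sequence: three guesses, then the right password during
# and after a five-minute block (sys pwderrtm 5 -> 300 seconds from the third failure).
SCRIPT = [(0, "guess1"), (1, "guess2"), (2, "guess3"),
          (3, "correct"), (299, "correct"), (302, "correct")]

if __name__ == "__main__":
    print(run(PasswordGuessGuard("correct", 5), SCRIPT))   # ... blocked, blocked, accepted
    print(run(PasswordGuessGuard("correct", 0), SCRIPT))   # protection off: never blocked
```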
25. ...ALL and restart your computer if prompted.

Verifying Your Computer's IP Address

Check your TCP/IP properties in the TCP/IP Control Panel window.

Macintosh OS X

1. Click the Apple menu and click System Preferences to open the System Preferences window.
2. Click Network in the icon bar. Select Automatic from the Location list. Select Built-in Ethernet from the Show list. Click the TCP/IP tab.
3. For dynamically assigned settings, select Using DHCP from the Configure list.
4. For statically assigned settings, do the following: From the Configure box, select Manually. Type your IP address in the IP Address box. Type your subnet mask in the Subnet mask box. Type the IP address of your ZyWALL in the Router addres
26. (Chart, continued)
                          NETWORK NUMBER                 LAST OCTET BIT VALUE
IP Address                192.168.1.                     192
IP Address (Binary)       11000000.10101000.00000001.    11000000
Subnet Mask (Binary)      11111111.11111111.11111111.    11000000
Subnet Address      192.168.1.192        Lowest Host ID    192.168.1.193
Broadcast Address   192.168.1.255        Highest Host ID   192.168.1.254

Example: Eight Subnets

Similarly, use a 27-bit mask to create 8 subnets (001, 010, 011, 100, 101, 110). The following table shows class C IP address last octet values for each subnet.

Chart 8.11 Eight Subnets

SUBNET   SUBNET ADDRESS   FIRST ADDRESS   LAST ADDRESS   BROADCAST ADDRESS
1        0                1               30             31
2        32               33              62             63
3        64               65              94             95
4        96               97              126            127
5        128              129             158            159
6        160              161             190            191
7        192              193             222            223
8        224              225             254            255

The following table is a summary for class C subnet planning.

Chart 8.12 Class C Subnet Planning

NO. BORROWED HOST BITS   SUBNET MASK             NO. SUBNETS   NO. HOSTS PER SUBNET
1                        255.255.255.128 (/25)   2             126
2                        255.255.255.192 (/26)   4             62
3                        255.255.255.224 (/27)   8             30
4                        255.255.255.240 (/28)   16            14
5                        255.255.255.248 (/29)   32            6
6                        255.255.255.252 (/30)   64            2
7                        255.255.255.254 (/31)   128           1

Subnetting With Class A and Class B Networks

For class A and class B addresses, the subnet mask also determines which bits are part of the network number and which are part of the h
27. (Control Panels menu)

2. Select Ethernet built-in from the Connect via list.
3. For dynamically assigned settings, select Using DHCP Server from the Configure list.
4. For statically assigned settings, do the following: From the Configure box, select Manually. Type your IP address in the IP Address box. Type your subnet mask in the Subnet mask box. Type the IP address of your ZyWALL in the Router address box.
5. Close the TCP/IP Control Panel.
6. Click Save if prompted to save changes to your configuration.
7. Turn on your ZyW
28. Recv <Symbol>
    IKE uses the ISAKMP protocol (refer to RFC 2408 ISAKMP) to transmit data. Each ISAKMP packet contains payloads of different types that show in the log; see Chart 13.12.

Phase 1 IKE SA process done
    Phase 1 negotiation is finished.

Start Phase 2: Quick Mode
    Phase 2 negotiation is beginning using Quick Mode.

IKE Negotiation is in process
    The ZyWALL has begun negotiation with the peer for the connection already, but the IKE key exchange has not finished yet.

Duplicate requests with the same cookie
    The ZyWALL has received multiple requests from the same peer but it is still processing the first IKE packet from that peer.

No proposal chosen
    The parameters configured for Phase 1 or Phase 2 negotiations don't match. Please check all protocols and settings for these phases. For example, one party may be using 3DES encryption but the other party is using DES encryption, so the connection will fail.

Verifying Local ID failed / Verifying Remote ID failed
    During IKE Phase 2 negotiation, both parties exchange policy details, including local and remote IP address ranges. If these ranges differ, then the connection fails.

Local/remote IPs of incoming request conflict with rule <%d>
    If the security gateway is "0.0.0.0", the ZyWALL will use the peer's "Local Addr" as its "Remote Addr". If this IP range conflicts with a previously configured rule t
29. 4. Select Internet Protocol (TCP/IP) (under the General tab in Win XP) and click Properties.

5. The Internet Protocol TCP/IP Properties window opens (the General tab in Windows XP). If you have a dynamic IP address, click Obtain an IP address automatically. If you have a static IP address, click Use the following IP Address and fill in the IP address, Subnet mask and Default gateway fields. Click Advanced.
30. This command sets the threshold of half-open TCP sessions with the same destination where the ZyWALL starts dropping half-open sessions to that destination.

This command sets a name to identify a specified set.

This command sets whether a packet is dropped or allowed through when it does not meet a rule within the set.

This command sets the time period to allow an ICMP session to wait for the ICMP response.

This command sets how long a UDP connection is allowed to remain inactive before the ZyWALL considers the connection closed.

Chart 10.1 Firewall Commands (continued)

FUNCTION   COMMAND
Config     config edit firewall set <set #> connection-timeout <seconds>
           config edit firewall set <set #> fin-wait-timeout <seconds>
           config edit firewall set <set #> tcp-idle-timeout <seconds>
           config edit firewall set <set #> log <yes | no>
Rules      config edit firewall set <set #> rule <rule #> permit <forward | block>
           config edit firewall set <set #> rule <rule #> active <yes | no>
           config edit firewall set <set #> rule <rule #> protocol <integer protocol value>
           config edit firewall set <set #> rule <rule #> log <none | match | not-match | both>

DESCRIPTION
connection-timeout: This command sets how long ZyWALL waits for a TCP session to be established before dropping the session.
fin-wait-timeout: This command sets how long the Z
31. ZyWALL 10/100 Series Internet Security Gateway
Reference Guide
Versions 3.52, 3.60 and 3.61
March 2003
ZyXEL: Unleash Networking Power

Copyright

Copyright 2003 by ZyXEL Communications Corporation. The contents of this publication may not be reproduced in any part or as a whole, transcribed, stored in a retrieval system, translated into any language, or transmitted in any form or by any means, electronic, mechanical, magnetic, optical, chemical, photocopying, manual, or otherwise, without the prior written permission of ZyXEL Communications Corporation. Published by ZyXEL Communications Corporation. All rights reserved.

Disclaimer

ZyXEL does not assume any liability arising out of the application or use of any products, or software described herein. Neither does it convey any license under its patent rights nor the patent rights of others. ZyXEL further reserves the right to make changes in any products described herein without notice. This publication is subject to change without notice.

Trademarks

Trademarks mentioned in this publication are used for identification purposes only and may be properties of their respective owners.

Federal Communications Commission (FCC) Interference Statement

This device complies with Part 15 of FCC rules. Operation is subject to the following two conditions: This
33. ...according to the ACL set's configuration.

Firewall default policy: ESP (set %d)
    ESP access matched the default policy of the listed ACL set and the ZyWALL blocked or forwarded it according to the ACL set's configuration.

Firewall default policy: GRE (set %d)
    GRE access matched the default policy of the listed ACL set and the ZyWALL blocked or forwarded it according to the ACL set's configuration.

Firewall default policy: OSPF (set %d)
    OSPF access matched the default policy of the listed ACL set and the ZyWALL blocked or forwarded it according to the ACL set's configuration.

Firewall default policy (set %d)
    Access matched the default policy of the listed ACL set and the ZyWALL blocked or forwarded it according to the ACL set's configuration.

Firewall rule match: TCP (set %d, rule %d)
    TCP access matched the listed firewall rule and the ZyWALL blocked or forwarded it according to the rule's configuration.

Firewall rule match: UDP (set %d, rule %d)
    UDP access matched the listed firewall rule and the ZyWALL blocked or forwarded it according to the rule's configuration.

Firewall rule match: ICMP (set %d, rule %d, type %d, code %d)
    ICMP access matched the listed firewall rule and the ZyWALL blocked or forwarded it according to the rule's configuration. See the section on ICMP messages for type and code details.
34. ...dial-up services such as PPPoE or PPTP, NetBIOS packets cause unwanted calls. You can configure NetBIOS filters to do the following (filters for DMZ are not available on all models):

• Allow or disallow the sending of NetBIOS packets from the LAN to the WAN.
• Allow or disallow the sending of NetBIOS packets from the WAN to the LAN.
• Allow or disallow the sending of NetBIOS packets from the LAN to the DMZ.
• Allow or disallow the sending of NetBIOS packets from the WAN to the DMZ.
• Allow or disallow the sending of NetBIOS packets from the DMZ to the LAN.
• Allow or disallow the sending of NetBIOS packets from the DMZ to the WAN.
• Allow or disallow the sending of NetBIOS packets through VPN connections.
• Allow or disallow NetBIOS packets to initiate calls.

Display NetBIOS Filter Settings

Syntax: sys filter netbios disp

This command gives a read-only list of the current NetBIOS filter modes for a ZyWALL that does not have DMZ.

NetBIOS Filter Status
    LAN to WAN:      Forward
    WAN to LAN:      Forward
    IPSec Packets:   Forward
    Trigger Dial:    Disabled

Diagram 11.1 NetBIOS Display Filter Settings Command Without DMZ Example

Syntax: sys filter netbios disp

This command gives a read-only list of the current NetBIOS filter modes for a ZyWALL that has DMZ.

NetBIOS Filter Status
    LAN to WAN, WAN to LAN, LAN to DMZ, WAN to DMZ, DMZ to LAN, DMZ to WAN, IPSec Pack
35. ...and type the information in the fields below (you may not need to fill them all).

3. Click the Gateway tab. If you do not know your gateway's IP address, remove previously installed gateways. If you have a gateway IP address, type it in the New gateway field and click Add. The first gateway in the Installed Gateway list will be the default. The address order in the list will be the order in which these machines are used.
4. Click OK to save and close the TCP/IP Properties window.
5. Click OK to close the Network window. Insert the Windows CD if prompted.
6. Turn on your ZyWALL and restart your computer when prompted.

Verifying Your Computer's IP Address

1. Click Start and then Run.
2. In the Run window, type "winipcfg" and then click OK to open the IP Configuration window. Select your network adapter. You should see your computer's IP address, subnet mask and default gateway.

Windows 2000/NT/XP

1. For Windows XP, click start, Control Panel. In Windows 2000/NT, click Start, Settings, Control Panel.
2. For Windows XP, click Network Conne
36. ...ckets traveling from the LAN to the DMZ.
7   LAN to LAN / ZyWALL   ACL set 7 for packets traveling from the LAN to the LAN or the ZyWALL.
8   WAN to WAN / ZyWALL   ACL set 8 for packets traveling from the WAN to the WAN or the ZyWALL.

Chart 13.7 ACL Setting Notes (continued)

ACL SET NUMBER   DIRECTION             DESCRIPTION
9                DMZ to DMZ / ZyWALL   ACL set 9 for packets traveling from the DMZ to the DMZ or the ZyWALL.

Chart 13.8 ICMP Notes

TYPE   CODE   DESCRIPTION
0      Echo Reply
       0      Echo reply message
3      Destination Unreachable
       0      Net unreachable
       1      Host unreachable
       2      Protocol unreachable
       3      Port unreachable
       4      A packet that needed fragmentation was dropped because it was set to Don't Fragment (DF)
       5      Source route failed
4      Source Quench
       0      A gateway may discard internet datagrams if it does not have the buffer space needed to queue the datagrams for output to the next network on the route to the destination network.
5      Redirect
       0      Redirect datagrams for the Network
       1      Redirect datagrams for the Host
       2      Redirect datagrams for the Type of Service and Network
       3      Redirect datagrams for the Type of Service and Host
8      Echo

Chart 13.8 ICMP Notes (continued)
37. ...ctions. For Windows 2000/NT, click Network and Dial-up Connections.

3. Right-click Local Area Connection and then click Properties.
38. ...dical) band. The third method is infrared technology, using very high frequencies, just below visible light in the electromagnetic spectrum, to carry data.

Ad-hoc Wireless LAN Configuration

The simplest WLAN configuration is an independent (Ad-hoc) WLAN that connects a set of computers with wireless nodes or stations (STA), which is called a Basic Service Set (BSS). In the most basic form, a wireless LAN connects a set of computers with wireless adapters. Any time two or more wireless adapters are within range of each other, they can set up an independent network, which is commonly referred to as an Ad-hoc network or Independent Basic Service Set (IBSS). See the following diagram of an example of an Ad-hoc wireless LAN.

(Diagram: notebooks and desktops with Wireless NICs forming an Ad-hoc Wireless LAN)
Diagram 4.1 Peer-to-Peer Communication in an Ad-hoc Network

Infrastructure Wireless LAN Configuration

For Infrastructure WLANs, multiple Access Points (APs) link the WLAN to the wired network and allow users to efficiently share network resources. The Access Points not only provide communication with the wired network but also mediate wireless network traffic in the immediat
39. ...e firewall detected an ICMP attack; see the section on ICMP messages for type and code details.

land TCP                        The firewall detected a TCP land attack.
land UDP                        The firewall detected a UDP land attack.
land IGMP                       The firewall detected an IGMP land attack.
land ESP                        The firewall detected an ESP land attack.
land GRE                        The firewall detected a GRE land attack.
land OSPF                       The firewall detected an OSPF land attack.
land ICMP (type %d, code %d)    The firewall detected an ICMP land attack; see the section on ICMP messages for type and code details.
ip spoofing - WAN TCP           The firewall detected a TCP IP spoofing attack on the WAN port.
ip spoofing - WAN UDP           The firewall detected a UDP IP spoofing attack on the WAN port.
ip spoofing - WAN IGMP          The firewall detected an IGMP IP spoofing attack on the WAN port.
ip spoofing - WAN ESP           The firewall detected an ESP IP spoofing attack on the WAN port.
ip spoofing - WAN GRE           The firewall detected a GRE IP spoofing attack on the WAN port.
ip spoofing - WAN OSPF          The firewall detected an OSPF IP spoofing attack on the WAN port.
ip spoofing - WAN ICMP (type %d, code %d)
                                The firewall detected an ICMP IP spoofing attack on the WAN port. See the section on ICMP messages for type and code details.
icmp echo: ICMP (type %d, code %d)
                                The firewall detected an ICMP echo attack. See the section on ICMP messages for type and code details.
40. ...e neighborhood. Multiple Access Points can provide wireless coverage for an entire building or campus. All communications between stations or between a station and a wired network client go through the Access Point.

The Extended Service Set (ESS) shown in the next figure consists of a series of overlapping BSSs (each containing an Access Point) connected together by means of a Distribution System (DS). Although the DS could be any type of network, it is almost invariably an Ethernet LAN. Mobile nodes can roam between Access Points and seamless campus-wide coverage is possible.

(Diagram: BSS 1 and BSS 2, each with an Access Point and notebooks and desktops with Wireless NICs, joined by Ethernet into one ESS)
Diagram 4.2 ESS Provides Campus-Wide Coverage

Chapter 5: Wireless LAN With IEEE 802.1x

As wireless networks become popular for both portable computing and corporate networks, security is now a priority.

Security Flaws with IEEE 802.11

Wireless networks based on the original IEEE 802.11 have a poor reputation for safety. The IEEE 802.11b wireless access standard, first published in 1999, was based on the MAC address. As the MAC address is sent acros
41. ...egin with 10; therefore the first octet of a class B address has a valid range of 128 to 191. The first octet of a class C address begins with 110, and therefore has a range of 192 to 223.

Chart 8.2 Allowed IP Address Range By Class

CLASS     ALLOWED RANGE OF FIRST OCTET (BINARY)   ALLOWED RANGE OF FIRST OCTET (DECIMAL)
Class A   00000000 to 01111111                    0 to 127
Class B   10000000 to 10111111                    128 to 191
Class C   11000000 to 11011111                    192 to 223
Class D   11100000 to 11101111                    224 to 239

Subnet Masks

A subnet mask is used to determine which bits are part of the network number and which bits are part of the host ID (using a logical AND operation). A subnet mask has 32 bits; each bit of the mask corresponds to a bit of the IP address. If a bit in the subnet mask is a "1" then the corresponding bit in the IP address is part of the network number. If a bit in the subnet mask is "0" then the corresponding bit in the IP address is part of the host ID.

Subnet masks are expressed in dotted decimal notation just as IP addresses are. The "natural" masks for class A, B and C IP addresses are as follows.

Chart 8.3 Natural Masks

CLASS   NATURAL MASK
A       255.0.0.0
B       255.255.0.0
C       255.255.255.0

Subnetting

With subnetting, the class arrangement of an IP address is ignored. For example, a class C address no longer
42. ...ess type / IP address
    The IP address type or IP address of an incoming packet does not match the peer IP address type or IP address configured on the local router. The log displays the IP address type and IP address of the incoming packet.

vs. My Remote <IP address>
    The IP address type or IP address of an incoming packet does not match the peer IP address type or IP address configured on the local router. The log displays this router's configured remote IP address type or IP address that the incoming packet did not match.

Chart 13.10 Sample IKE Key Exchange Logs (continued)

LOG MESSAGE / DESCRIPTION

vs. My Local <IP address>
    The IP address type or IP address of an incoming packet does not match the peer IP address type or IP address configured on the local router. The log displays this router's configured local IP address type or IP address that the incoming packet did not match.

Send <symbol>
    The router sent a payload type of IKE packet.

Error ID Info
    The parameters configured for Phase 1 ID content do not match or the parameters configured for the Phase 2 ID (IP address of single, range or subnet) do not match. Please check all protocols and settings for these phases.

The following table shows sample log messages during packet transmission.

Chart 13.11 Sample IPSec Logs During Packet Transmission
43. ...et mask of 255.255.255.0.

                          NETWORK NUMBER                 HOST ID
IP Address                192.168.1.                     0
IP Address (Binary)       11000000.10101000.00000001.    00000000
Subnet Mask               255.255.255.                   0
Subnet Mask (Binary)      11111111.11111111.11111111.    00000000

The first three octets of the address make up the network number (class C). You want to have two separate networks. Divide the network 192.168.1.0 into two separate subnets by converting one of the host ID bits of the IP address to a network number bit. The "borrowed" host ID bit can be either "0" or "1", thus giving two subnets: 192.168.1.0 with mask 255.255.255.128 and 192.168.1.128 with mask 255.255.255.128.

In the following charts, shaded/bolded last octet bit values indicate host ID bits borrowed to form network ID bits. The number of borrowed host ID bits determines the number of subnets you can have. The remaining number of host ID bits (after borrowing) determines the number of hosts you can have on each subnet.

Chart 8.5 Subnet 1

                          NETWORK NUMBER                 LAST OCTET BIT VALUE
IP Address                192.168.1.                     0
IP Address (Binary)       11000000.10101000.00000001.    00000000
Subnet Mask               255.255.255.                   128
Subnet Mask (Binary)      11111111.11111111.11111111.    10000000
Subnet Address      192.168.1.0          Lowest Host ID    192.168.1.1
Broadcast Address   192.168.1.127        Highest Host ID   192.168.1.126

Chart 8
44. NetBIOS Filter Status
    LAN to WAN:      Forward
    WAN to LAN:      Forward
    LAN to DMZ:      Forward
    WAN to DMZ:      Forward
    DMZ to LAN:      Forward
    DMZ to WAN:      Forward
    IPSec Packets:   Forward
    Trigger Dial:    Disabled

Diagram 11.2 NetBIOS Display Filter Settings Command With DMZ Example

The filter types and their default settings are as follows.

Chart 11.1 NetBIOS Filter Default Settings

NAME            DESCRIPTION                                                                                  EXAMPLE
LAN to WAN      This field displays whether NetBIOS packets are blocked or forwarded from the LAN to the WAN.   Forward
WAN to LAN      This field displays whether NetBIOS packets are blocked or forwarded from the WAN to the LAN.   Forward
LAN to DMZ      This field displays whether NetBIOS packets are blocked or forwarded from the LAN to the DMZ.   Forward
WAN to DMZ      This field displays whether NetBIOS packets are blocked or forwarded from the WAN to the DMZ.   Forward
DMZ to LAN      This field displays whether NetBIOS packets are blocked or forwarded from the DMZ to the LAN.   Forward
DMZ to WAN      This field displays whether NetBIOS packets are blocked or forwarded from the DMZ to the WAN.   Forward
IPSec Packets   This field displays whether NetBIOS packets sent through a VPN connection are blocked or forwarded.   Forward
Trigger dial    This field displays whether NetBIOS packets are allowed to initiate calls. Disabled means that NetBIOS packets are blocked from init
45. ...file on a handheld or notebook computer upon entering a patient's room.
3. It allows flexible workgroups, a lower total cost of ownership for workspaces that are frequently reconfigured.
4. It allows conference room users access to the network as they move from meeting to meeting, getting up-to-date access to information and the ability to communicate decisions while on the go.
5. It provides campus-wide networking mobility, allowing enterprises the roaming capability to set up easy-to-use wireless networks that cover the entire campus transparently.

IEEE 802.11

The 1997 completion of the IEEE 802.11 standard for wireless LANs (WLANs) was a first important step in the evolutionary development of wireless networking technologies. The standard was developed to maximize interoperability between differing brands of wireless LANs as well as to introduce a variety of performance improvements and benefits. On September 16, 1999, the 802.11b provided much higher data rates of up to 11 Mbps, while maintaining the 802.11 protocol.

The IEEE 802.11 specifies three different transmission methods for the PHY, the layer responsible for transferring data between nodes. Two of the methods use spread spectrum RF signals, Direct Sequence Spread Spectrum (DSSS) and Frequency-Hopping Spread Spectrum (FHSS), in the 2.4 to 2.4825 GHz unlicensed ISM (Industrial, Scientific and Me
46. ...g (y/n):

Diagram 13.1 Example VPN Initiator IPSec Log

VPN Responder IPSec Log

The following figure shows a typical log from the VPN connection peer.

Index   Date/Time   Log
        Jan ...     Main Mode request from <192.168.100.100>
        Jan ...     <SA>
        Jan ...     <SA>
        Jan ...     <KE><NONCE>
        Jan ...     <KE><NONCE>
        Jan ...     <ID><HASH>
        Jan ...     <ID><HASH>
        Jan ...     Phase 1 IKE SA process done
        Jan ...     Recv <HASH><SA><NONCE><ID><ID>
        Jan ...     Start Phase 2: Quick Mode
        Jan ...     Send <HASH><SA><NONCE><ID><ID>
        Jan ...     Recv <HASH>
Clear IPSec Log (y/n):

Diagram 13.2 Example VPN Responder IPSec Log

This menu is useful for troubleshooting. A log index number, the date and time the log was created and a log message are displayed. Double exclamation marks denote an error or warning message.

The following table shows sample log messages during IKE key exchange.

Chart 13.10 Sample IKE Key Exchange Logs

LOG MESSAGE / DESCRIPTION

Send <Symbol> Mode request to <IP>
Send <Symbol> Mode request to <IP>
    The ZyWALL has started negotiation with the peer.

Recv <Symbol> Mode request from <IP>
Recv <Symbol> Mode request from <IP>
    The ZyWALL has received an IKE negotiation request from the peer.
47. ...gle Route

Chapter 3: The Big Picture

The following figure gives an overview of how filtering, the firewall, VPN and NAT are related.

(Diagram labels: LAN; WAN; LAN to WAN Outbound Traffic; Device Filter; LAN to WAN Firewall; Call Filter; Protocol Filter; WAN to LAN Firewall; Remote Node; WAN to LAN Inbound Traffic)
Diagram 3.1 Big Picture: Filtering, Firewall, VPN and NAT

Chapter 4: Wireless LAN and IEEE 802.11

A wireless LAN (WLAN) provides a flexible data communications system that you can use to access various services (navigating the Internet, email, printer services, etc.) without the use of a cabled connection. In effect, a wireless LAN environment provides you the freedom to stay connected to the network while roaming around in the coverage area. WLAN is not available on all models.

Benefits of a Wireless LAN

Wireless LAN offers the following benefits:
1. It provides you with access to network services in areas otherwise hard or expensive to wire, such as historical buildings, buildings with asbestos materials and classrooms.
2. It provides healthcare workers like doctors and nurses access to a complete patient's pro
48. ...guration tab displays a list of installed components. You need a network adapter, the TCP/IP protocol and Client for Microsoft Networks.

If you need the adapter:
a. In the Network window, click Add.
b. Select Adapter and then click Add.
c. Select the manufacturer and model of your network adapter and then click OK.

If you need TCP/IP:
a. In the Network window, click Add.
b. Select Protocol and then click Add.
c. Select Microsoft from the list of manufacturers.
d. Select TCP/IP from the list of network protocols and then click OK.

If you need Client for Microsoft Networks:
a. Click Add.
b. Select Client and then click Add.
c. Select Microsoft from the list of manufacturers.
d. Select Client for Microsoft Networks from the list of network clients and then click OK.
e. Restart your computer so the changes you made take effect.

In the Network window Configuration tab, select your network adapter's TCP/IP entry and click Properties.

1. Click the IP Address tab (TCP/IP Properties). If your IP address is dynamic, select Obtain an IP address automatically. If you have a static IP address, select Specify an IP address and type your information into the IP Address and Subnet Mask fields.
2. Click the DNS Configuration tab. If you do not know your DNS information, select Disable DNS. If you know your DNS information, select Enable DNS
49. ...has to have 24 bits of network number and 8 bits of host ID. With subnetting, some of the host ID bits are converted into network number bits. By convention, subnet masks always consist of a continuous sequence of ones beginning from the left-most bit of the mask, followed by a continuous sequence of zeros, for a total number of 32 bits.

Since the mask is always a continuous number of ones beginning from the left, followed by a continuous number of zeros for the remainder of the 32-bit mask, you can simply specify the number of ones instead of writing the value of each octet. This is usually specified by writing a "/" followed by the number of bits in the mask after the address. For example, 192.1.1.0/25 is equivalent to saying 192.1.1.0 with mask 255.255.255.128.

The following table shows all possible subnet masks for a class C address using both notations.

Chart 8.4 Alternative Subnet Mask Notation

SUBNET MASK       IP ADDRESS / SUBNET MASK (1 BITS)   LAST OCTET BIT VALUE
255.255.255.0     /24                                 0000 0000
255.255.255.128   /25                                 1000 0000
255.255.255.192   /26                                 1100 0000
255.255.255.224   /27                                 1110 0000
255.255.255.240   /28                                 1111 0000
255.255.255.248   /29                                 1111 1000
255.255.255.252   /30                                 1111 1100

The first mask shown is the class C "natural" mask. Normally, if no mask is specified, it is understood that the natural mask is being used.

Example: Two Subnets

As an example, you have a class C address 192.168.1.0 with subn
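The class C subnetting the manual works through by hand (the mask and "/n" notations of Chart 8.4, the subnet/first/last/broadcast rows of Chart 8.11 and the subnets-versus-hosts summary of Chart 8.12), computed with plain 32-bit integer arithmetic so the logical AND the text describes is visible. This is an added worked example, not code from the ZyXEL manual; it covers any prefix from /25 to /30 rather than only the /27 case shown in the chart.

```python
"""Class C subnet planning (Charts 8.4, 8.11, 8.12). Added example, not manual code."""
from typing import List, Tuple

SHIFTS = (24, 16, 8, 0)     # bit offset of each octet inside the 32-bit address


def dotted_to_int(addr: str) -> int:
    """'192.168.1.0' -> 0xC0A80100; rejects anything that is not four octets."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {addr}")
    return sum(o << s for o, s in zip(octets, SHIFTS))


def int_to_dotted(value: int) -> str:
    return ".".join(str((value >> s) & 0xFF) for s in SHIFTS)


def to_binary(addr: str) -> str:
    """Octet-by-octet binary form, as in the manual's 'IP Address (Binary)' rows."""
    value = dotted_to_int(addr)
    return " ".join(f"{(value >> s) & 0xFF:08b}" for s in SHIFTS)


def prefix_to_mask(prefix: int) -> str:
    """/26 -> '255.255.255.192': 'prefix' ones from the left, zeros after them."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix out of range: /{prefix}")
    return int_to_dotted((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF)


def mask_to_prefix(mask: str) -> int:
    """'255.255.255.128' -> 25; rejects masks whose ones are not contiguous."""
    value = dotted_to_int(mask)
    ones = bin(value).count("1")
    if dotted_to_int(prefix_to_mask(ones)) != value:
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return ones


def last_octet_bits(mask: str) -> str:
    """Chart 8.4 rendering of the last octet, e.g. '1110 0000' for /27."""
    bits = f"{dotted_to_int(mask) & 0xFF:08b}"
    return bits[:4] + " " + bits[4:]


def network_number(addr: str, mask: str) -> str:
    """Logical AND of address and mask: the bits under the mask's ones."""
    return int_to_dotted(dotted_to_int(addr) & dotted_to_int(mask))


def class_c_subnets(network: str, prefix: int) -> List[Tuple[str, str, str, str]]:
    """Chart 8.11 rows (subnet, first host, last host, broadcast) for every
    subnet of the class C network when it is split at the given prefix."""
    if not 25 <= prefix <= 30:
        raise ValueError("a class C network is split at /25 .. /30")
    base = dotted_to_int(network_number(network, "255.255.255.0"))
    size = 1 << (32 - prefix)            # addresses in one subnet
    rows = []
    for n in range(1 << (prefix - 24)):  # 2 ** (borrowed host bits) subnets
        subnet = base + n * size
        rows.append((int_to_dotted(subnet), int_to_dotted(subnet + 1),
                     int_to_dotted(subnet + size - 2), int_to_dotted(subnet + size - 1)))
    return rows


def class_c_plan(borrowed_bits: int) -> Tuple[str, int, int, int]:
    """Chart 8.12 row: (mask, prefix, number of subnets, usable hosts per subnet).
    Usable hosts exclude the subnet and broadcast addresses, so borrowing all
    7 bits (/31) is left out: one host bit leaves no usable host under that rule."""
    if not 1 <= borrowed_bits <= 6:
        raise ValueError("borrow 1 to 6 host bits of a class C address")
    prefix = 24 + borrowed_bits
    return (prefix_to_mask(prefix), prefix,
            1 << borrowed_bits, (1 << (8 - borrowed_bits)) - 2)


if __name__ == "__main__":
    print("Chart 8.4")
    for p in range(24, 31):
        m = prefix_to_mask(p)
        print(f"  {m:16} /{p}  {last_octet_bits(m)}")
    print("Chart 8.11: 192.168.1.0 split with a 27-bit mask")
    for i, row in enumerate(class_c_subnets("192.168.1.0", 27), 1):
        print(f"  {i}  {row[0]:14} {row[1]:14} {row[2]:14} {row[3]}")
    print("Chart 8.12")
    for b in range(1, 7):
        print("  %d borrowed bit(s): %s (/%d) %3d subnets, %3d hosts each"
              % (b, *class_c_plan(b)))
```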
50. ...hen the connection is not allowed.
Invalid IP <IP start>/<IP end> | The peer's Local IP Addr range is invalid.
Log Descriptions 13-13
Chart 13-10 Sample IKE Key Exchange Logs (continued)
LOG MESSAGE | DESCRIPTION
Remote IP <IP start>/<IP end> conflicts | If the security gateway is 0.0.0.0, the ZyWALL will use the peer's Local Addr as its Remote Addr. If a peer's Local Addr range conflicts with other connections, then the ZyWALL will not accept VPN connection requests from this peer.
Active connection allowed exceeded | The ZyWALL limits the number of simultaneous Phase 2 SA negotiations. The IKE key exchange process fails if this limit is exceeded.
IKE Packet Retransmit | The ZyWALL did not receive a response from the peer and so retransmits the last packet sent.
Failed to send IKE Packet | The ZyWALL cannot send IKE packets due to a network error.
Too many errors. Deleting SA | The ZyWALL deletes an SA when too many errors occur.
Phase 1 ID type mismatch | The ID type of an incoming packet does not match the local's peer ID type.
Phase 1 ID content mismatch | The ID content of an incoming packet does not match the local's peer ID content.
No known phase 1 ID type found | The ID type of an incoming packet does not match any known ID type.
Peer ID: IP addr...
51. ...iating calls.
NetBIOS Filter Configuration
Syntax: sys filter netbios config <type> <on|off>
where
<type> = Identify which NetBIOS filter (numbered 0-3) to configure.
0 = LAN to WAN
1 = WAN to LAN
2 = LAN to DMZ
3 = WAN to DMZ
4 = DMZ to LAN
5 = DMZ to WAN
6 = IPSec packet pass through
7 = Trigger Dial
NetBIOS Filter Commands 11-3
<on|off> = For types 0 and 1, use on to enable the filter and block NetBIOS packets. Use off to disable the filter and forward NetBIOS packets.
For type 6, use on to block NetBIOS packets from being sent through a VPN connection. Use off to allow NetBIOS packets to be sent through a VPN connection.
For type 7, use on to allow NetBIOS packets to initiate dial backup calls. Use off to block NetBIOS packets from initiating dial backup calls.
Example commands:
Command: sys filter netbios config 0 on
This command blocks LAN to WAN NetBIOS packets.
Command: sys filter netbios config 1 off
This command forwards WAN to LAN NetBIOS packets.
Command: sys filter netbios config 6 on
This command blocks IPSec NetBIOS packets.
Command: sys filter netbios config 7 off
This command stops NetBIOS commands from initiating calls.
11-4 NetBIOS Filter Commands
Chapter 12 Boot Commands
The BootModule AT commands execute from within the router's bootup software, when debug mode is...
52. ...ing - no routing entry: ICMP (type %d, code %d) | The firewall detected an ICMP IP spoofing attack while the ZyWALL did not have a default route. See the section on ICMP messages for type and code details.
vulnerability: ICMP (type %d, code %d) | The firewall detected an ICMP vulnerability attack. See the section on ICMP messages for type and code details.
traceroute: ICMP (type %d, code %d) | The firewall detected an ICMP traceroute attack. See the section on ICMP messages for type and code details.
13-4 Log Descriptions
Chart 13-6 Access Logs
LOG MESSAGE | DESCRIPTION
Firewall default policy: TCP (set %d) | TCP access matched the default policy of the listed ACL set and the ZyWALL blocked or forwarded it according to the ACL set's configuration.
Firewall default policy: UDP (set %d) | UDP access matched the default policy of the listed ACL set and the ZyWALL blocked or forwarded it according to the ACL set's configuration.
Firewall default policy: ICMP (set %d, type %d, code %d) | ICMP access matched the default policy of the listed ACL set and the ZyWALL blocked or forwarded it according to the ACL set's configuration. See the section on ICMP messages for type and code details.
Firewall default policy: IGMP (set %d) | IGMP access matched the default policy of the listed ACL set and the ZyWALL blocked or forwarded it...
53. ...irewall sub-commands.
This command sets the IP address to which the e-mail messages are sent.
This command sets the source e-mail address of the firewall e-mails.
This command sets the e-mail address to which the firewall e-mails are sent.
This command sets how frequently the firewall log is sent via e-mail.
This command sets the day on which the current firewall log is sent through e-mail if the ZyWALL is set to send it on a weekly basis.
10-2 Firewall Commands
Chart 10-1 Firewall Commands (continued)
FUNCTION | COMMAND | DESCRIPTION
(E-mail) | config edit firewall e-mail hour <0-23> | This command sets the hour when the firewall log is sent through e-mail if the ZyWALL is set to send it on an hourly, daily or weekly basis.
(E-mail) | config edit firewall e-mail minute <0-59> | This command sets the minute of the hour for the firewall log to be sent via e-mail if the ZyWALL is set to send it on an hourly, daily or weekly basis.
Attack | config edit firewall attack send-alert <yes|no> | This command enables or disables the immediate sending of DOS attack notification e-mail messages.
Attack | config edit firewall attack block <yes|no> | Set this command to yes to block new traffic after the tcp-max-incomplete threshold is exceeded. Set it to no to delete the oldest half-open session...
Attack | config edit firewall attack block-minute <0-255> |
Attack | config edit firewall attack minute-high <0-255> |
54. ...ke up the host ID.
• Class B addresses have a 1 in the leftmost bit and a 0 in the next leftmost bit. In a class B address, the first two octets make up the network number and the two remaining octets make up the host ID.
• Class C addresses begin (starting from the left) with 1 1 0. In a class C address, the first three octets make up the network number and the last octet is the host ID.
• Class D addresses begin with 1 1 1 0. Class D addresses are used for multicasting. (There is also a class E address. It is reserved for future use.)
Chart 8-1 Classes of IP Addresses
IP ADDRESS | OCTET 1 | OCTET 2 | OCTET 3 | OCTET 4
Class A | 0 Network number | Host ID | Host ID | Host ID
Class B | 10 Network number | Network number | Host ID | Host ID
Class C | 110 Network number | Network number | Network number | Host ID
Host IDs of all zeros or all ones are not allowed. Therefore:
• A class C network (8 host bits) can have 2^8 - 2 or 254 hosts.
IP Subnetting 8-1
• A class B address (16 host bits) can have 2^16 - 2 or 65534 hosts.
• A class A address (24 host bits) can have 2^24 - 2 hosts (approximately 16 million hosts).
Since the first octet of a class A IP address must contain a 0, the first octet of a class A address can have a value of 0 to 127. Similarly, the first octet of a class B must b...
55. ...ll set <set #>
config display firewall set <set #> rule <rule #>
DESCRIPTION
This command turns the firewall on or off.
This command returns the previously saved firewall settings.
This command saves the current firewall settings.
This command shows all of the firewall settings, including e-mail, attack, and the sets/rules.
This command shows the current configuration of a set, including timeout values, name, default-permit, etc. If you don't use a number after set, information about all of the sets/rules appears.
This command shows the current entries of a rule in a firewall rule set.
Firewall Commands 10-1
Chart 10-1 Firewall Commands (continued)
FUNCTION | COMMAND | DESCRIPTION
Display | config display firewall attack | This command shows all of the attack response settings.
Display | config display firewall e-mail | This command shows all of the e-mail settings.
Display | config display firewall ? | This command shows all of the available f...
Edit / E-mail | config edit firewall e-mail mail-server <ip address of mail server> |
Edit / E-mail | config edit firewall e-mail return-addr <e-mail address> |
Edit / E-mail | config edit firewall e-mail email-to <e-mail address> |
Edit / E-mail | config edit firewall e-mail policy <full|hourly|daily|weekly> |
Edit / E-mail | config edit firewall e-mail day <sunday|monday|tuesday|wednesday|thursday|friday|saturday> |
56. ...lter match FORWARD: TCP (set %d, rule %d) | TCP access matched the listed filter rule. Access was allowed and the router forwarded the packet.
Filter match FORWARD: UDP (set %d, rule %d) | UDP access matched the listed filter rule. Access was allowed and the router forwarded the packet.
Filter match FORWARD: ICMP (set %d, rule %d) | ICMP access matched the listed filter rule. Access was allowed and the router forwarded the packet.
Filter match FORWARD (set %d, rule %d) | Access matched the listed filter rule. Access was allowed and the router forwarded the packet.
Filter match FORWARD, denied LAN IP (set %d, rule %d) | Access matched the listed filter rule (denied LAN IP). Access was allowed and the router forwarded the packet.
(set %d) | With firewall messages, this is the number of the ACL policy set and denotes the packet's direction (see Chart 13-7). With filter messages, this is the number of the filter set.
(rule %d) | With firewall messages, the firewall rule number denotes the number of a firewall rule within an ACL policy set. With filter messages, this is the number of an individual filter rule.
Router sent blocked web site message | A message was sent to notify a user that the router blocked access to a requested web site.
Triangle route packet forwarded | The firewall allowed a triangle route session to pass through.
Firewall sent TCP packet in response to DoS attack | The firewall detected a DoS attack and sent a TCP packet(s) in response.
57. ...milar to L2TP, a tunnel control connection is first established before call control messages can be exchanged. Please note that a tunnel control connection supports multiple call sessions.
The following diagram depicts the message exchange of a successful call setup between a PC and an ANT.
7-2 PPTP
[Diagram 7-3 Example Message Exchange between PC and an ANT: Start-Control-Connection-Request, Start-Control-Connection-Reply, Outgoing-Call-Request, Outgoing-Call-Reply, then PPP Frames in both directions]
PPP Data Connection
The PPP frames are tunneled between the PNS and PAC over GRE (General Routing Encapsulation, RFC 1701, 1702). The individual calls within a tunnel are distinguished using the Call ID field in the GRE header.
Chapter 8 IP Subnetting
IP Addressing
Routers "route" based on the network number. The router that delivers the data packet to the correct destination host uses the host ID.
IP Classes
An IP address is made up of four octets (eight bits), written in dotted decimal notation, for example, 192.168.1.1. IP addresses are categorized into different classes. The class of an address depends on the value of its first octet.
• Class A addresses have a 0 in the leftmost bit. In a class A address, the first octet is the network number and the remaining three octets ma...
58. ...must configure the PPTP clients. The ZyWALL initializes the PPTP connection, hence there is no need to configure the remote PPTP clients.
PPTP 7-1
PPTP Protocol Overview
PPTP is very similar to L2TP, since L2TP is based on both PPTP and L2F (Cisco's Layer 2 Forwarding). Conceptually, there are three parties in PPTP, namely the PNS (PPTP Network Server), the PAC (PPTP Access Concentrator) and the PPTP user. The PNS is the box that hosts both the PPP and the PPTP stacks and forms one end of the PPTP tunnel. The PAC is the box that dials/answers the phone calls and relays the PPP frames to the PNS. The PPTP user is not necessarily a PPP client (can be a PPP server too). Both the PNS and the PAC must have IP connectivity; however, the PAC must in addition have dial-up capability. The phone call is between the user and the PAC, and the PAC tunnels the PPP frames to the PNS. The PPTP user is unaware of the tunnel between the PAC and the PNS.
[Diagram 7-2 PPTP Protocol Overview: PPTP User -- phone call -- PAC -- PPP frames -- PNS]
Microsoft includes PPTP as a part of the Windows OS. In Microsoft's implementation, the PC, and hence the ZyWALL, is the PNS that requests the PAC (the ANT) to place an outgoing call over AAL5 to an RFC 2364 server.
Control & PPP connections
Each PPTP session has a distinct control connection and PPP data connection.
Call Connection
The control connection runs over TCP. Si...
59. ...nd sets a rule to have the ZyWALL check for UDP traffic with this single destination port. You may repeat this command to enter various, non-consecutive port numbers. (Command: config edit firewall set <set #> rule <rule #> UDP destport <port #>)
Edit / Set / Rule | config edit firewall set <set #> rule <rule #> UDP destport range <start port #> <end port #> | This command sets a rule to have the ZyWALL check for UDP traffic with a destination port in this range.
Delete | config delete firewall e-mail | This command removes all of the settings for e-mail alert.
Delete | config delete firewall attack | This command resets all of the attack response settings to their defaults.
Delete | config delete firewall set <set #> | This command removes the specified set from the firewall configuration.
Firewall Commands 10-7
Chart 10-1 Firewall Commands (continued)
FUNCTION | COMMAND | DESCRIPTION
Delete | config delete firewall set <set #> rule <rule #> | This command removes the specified rule in a firewall configuration set.
10-8 Firewall Commands
Chapter 11 NetBIOS Filter Commands
The following describes the NetBIOS packet filter commands. See the Command Interpreter appendix for information on the command structure.
Introduction
NetBIOS (Network Basic Input/Output System) are TCP or UDP broadcast packets that enable a computer to connect to and communicate with a LAN. For some di...
60. ...ng describes how to use the command interpreter. Enter 24 in the main menu to bring up the system maintenance menu. Enter 8 to go to Menu 24.8 - Command Interpreter Mode. See the included disk or zyxel.com for more detailed information on these commands.
Use of undocumented commands or misconfiguration can damage the unit and possibly render it unusable.
Command Syntax
The command keywords are in courier new font. Enter the command keywords exactly as shown, do not abbreviate. The required fields in a command are enclosed in angle brackets <>. The optional fields in a command are enclosed in square brackets []. The symbol "|" means "or". For example, sys filter netbios config <type> <on|off> means that you must specify the type of netbios filter and whether to turn it on or off.
Command Usage
A list of valid commands can be found by typing help or ? at the command prompt. Always type the full command. Type exit to return to the SMT main menu when finished.
Command Interpreter 9-1
Chapter 10 Firewall Commands
The following describes the firewall commands. See the Command Interpreter appendix for information on the command structure.
Chart 10-1 Firewall Commands
FUNCTION | COMMAND
Firewall Set Up | config edit firewall active <yes|no>
Firewall Set Up | config retrieve firewall
Firewall Set Up | config save firewall
Display | config display firewall
Display | config display firewa...
61. ...nt-to-Point Tunneling Protocol) is a Microsoft proprietary protocol (RFC 2637 for PPTP is informational only) to tunnel PPP frames. How can we transport PPP frames from a PC to a broadband modem over Ethernet? A solution is to build PPTP into the ANT (ADSL Network Termination) where PPTP is used only over the short haul between the PC and the modem over Ethernet. For the rest of the connection, the PPP frames are transported with PPP over AAL5 (RFC 2364). The PPP connection, however, is still between the PC and the ISP. The various connections in this setup are depicted in the following diagram. The drawback of this solution is that it requires one separate ATM VC per destination.
[Diagram 7-1 Transport PPP frames over Ethernet: PPTP between PC and ANT; PPP over ATM (RFC 2364) over DSL from the ANT onward; one end-to-end PPP connection]
PPTP and the ZyWALL
When the ZyWALL is deployed in such a setup, it appears as a PC to the ANT. In Windows VPN or PPTP Pass-Through feature, the PPTP tunneling is created from Windows 95, 98 and NT clients to an NT server in a remote location. The pass-through feature allows users on the network to access a different remote server using the ZyWALL's Internet connection. In NAT mode, the ZyWALL is able to pass the PPTP packets to the internal PPTP server (i.e., NT server) behind the NAT. Users need to forward PPTP packets to port 1723 by configuring the server in Menu 15.2 - Server Set Setup. In the case above, as the remote PPTP Client initializes the PPTP connection, the user...
62. ...ntosh OS 7 and later operating systems and all versions of UNIX/LINUX include the software components you need to install and use TCP/IP on your computer. Windows 3.1 requires the purchase of a third-party TCP/IP application package.
TCP/IP should already be installed on computers using Windows NT/2000/XP, Macintosh OS 7 and later operating systems.
After the appropriate TCP/IP components are installed, configure the TCP/IP settings in order to "communicate" with your network.
If you manually assign IP information instead of using dynamic assignment, make sure that your computers have IP addresses that place them in the same subnet as the ZyWALL's LAN port.
Windows 95/98/Me
Click Start, Settings, Control Panel and double-click the Network icon to open the Network window.
[Screenshot: Network window, Configuration tab, listing the installed network components (wireless and Ethernet adapters, Dial-Up Adapter, and a TCP/IP entry bound to each), the Add, Remove and Properties buttons, Primary Network Logon set to Client for Microsoft Networks, and File and Print Sharing; the description reads "TCP/IP is the protocol you use to connect to the Internet and wide-area networks."]
Setting Up Your Computer's IP Address 1-1
The Network window Confi...
63. ...of number of session per host | NAT session table entries allowed to be created per host.
Chart 13-2 System Maintenance Logs
LOG MESSAGE | DESCRIPTION
Time calibration is successful | The router has adjusted its time based on information from the time server.
Time calibration failed | The router failed to get information from the time server.
DHCP client gets %s | A DHCP client got a new IP address from the DHCP server.
DHCP client IP expired | A DHCP client's IP address has expired.
DHCP server assigns | The DHCP server assigned an IP address to a client.
SMT Login Successfully | Someone has logged on to the router's SMT interface.
SMT Login Fail | Someone has failed to log on to the router's SMT interface.
WEB Login Successfully | Someone has logged on to the router's web configurator interface.
WEB Login Fail | Someone has failed to log on to the router's web configurator interface.
TELNET Login Successfully | Someone has logged on to the router via telnet.
Log Descriptions 13-1
Chart 13-2 System Maintenance Logs (continued)
TELNET Login Fail | Someone has failed to log on to the router via telnet.
FTP Login Successfully | Someone has logged on to the router via ftp.
FTP Login Fail | Someone has failed to log on to the router via ftp.
NAT Session Table is ... | The maximum number of NAT session...
64. ...ost ID. A class B address has two host ID octets available for subnetting and a class A address has three host ID octets (see Chart 8-1) available for subnetting.
The following table is a summary for class B subnet planning.
Chart 8-13 Class B Subnet Planning
NO. BORROWED HOST BITS | SUBNET MASK | NO. SUBNETS | NO. HOSTS PER SUBNET
1 | 255.255.128.0 (/17) | 2 | 32766
2 | 255.255.192.0 (/18) | 4 | 16382
3 | 255.255.224.0 (/19) | 8 | 8190
4 | 255.255.240.0 (/20) | 16 | 4094
5 | 255.255.248.0 (/21) | 32 | 2046
6 | 255.255.252.0 (/22) | 64 | 1022
7 | 255.255.254.0 (/23) | 128 | 510
8 | 255.255.255.0 (/24) | 256 | 254
IP Subnetting 8-7
Chart 8-13 Class B Subnet Planning (continued)
NO. BORROWED HOST BITS | SUBNET MASK | NO. SUBNETS | NO. HOSTS PER SUBNET
9 | 255.255.255.128 (/25) | 512 | 126
10 | 255.255.255.192 (/26) | 1024 | 62
11 | 255.255.255.224 (/27) | 2048 | 30
12 | 255.255.255.240 (/28) | 4096 | 14
13 | 255.255.255.248 (/29) | 8192 | 6
14 | 255.255.255.252 (/30) | 16384 | 2
15 | 255.255.255.254 (/31) | 32768 | 1
8-8 IP Subnetting
Part II Command and Log Information
This part provides information on the command interpreter interface, firewall and NetBIOS commands and logs, and password protection.
Chapter 9 Command Interpreter
The followi...
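The subnet arithmetic behind Charts 8-1, 8-4 and 8-13 (prefix-length notation, the "contiguous ones" convention, hosts per subnet and splitting a class C block into subnets) is worked through below. This is an added example, not code from the ZyXEL manual; the function names and the sample address 192.168.1.0/24 are my own, and the contiguity check is the kind of validation a gateway should apply to a mask typed into a LAN or static-route screen.

```python
"""Subnet mask arithmetic as described in the IP Subnetting chapter.

Constructed example for the ZyWALL manual text; not ZyXEL code.
"""
import ipaddress


def _mask_int(mask: str) -> int:
    """Dotted-decimal mask -> 32-bit integer (raises on malformed input)."""
    return int(ipaddress.IPv4Address(mask))


def is_contiguous_mask(mask: str) -> bool:
    """True if the mask is a run of ones followed by a run of zeros.

    The chapter states this as a convention; a gateway should reject
    anything else (e.g. 255.255.0.255) rather than route on it.
    Inverting a valid mask gives 0...01...1, which is one less than a
    power of two, so inv & (inv + 1) == 0.
    """
    inv = (~_mask_int(mask)) & 0xFFFFFFFF
    return inv & (inv + 1) == 0


def prefix_to_mask(bits: int) -> str:
    """/bits notation -> dotted-decimal mask, e.g. 25 -> 255.255.255.128."""
    if not 0 <= bits <= 32:
        raise ValueError("prefix length must be 0..32")
    value = (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(value))


def mask_to_prefix(mask: str) -> int:
    """Dotted-decimal mask -> number of '1' bits (the /n notation)."""
    if not is_contiguous_mask(mask):
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return bin(_mask_int(mask)).count("1")


def last_octet_bits(mask: str) -> str:
    """Last octet as a bit string grouped like Chart 8-4, e.g. '1111 1000'."""
    b = f"{_mask_int(mask) & 0xFF:08b}"
    return f"{b[:4]} {b[4:]}"


def usable_hosts(prefix: int) -> int:
    """2^(host bits) - 2: all-zeros and all-ones host IDs are not allowed."""
    host_bits = 32 - prefix
    return max((1 << host_bits) - 2, 0)


def class_b_plan(borrowed: int):
    """One row of Chart 8-13 for a class B (/16) network.

    Returns (mask, prefix, number of subnets, hosts per subnet).
    """
    if not 1 <= borrowed <= 15:
        raise ValueError("a class B network has 16 host bits to borrow from")
    prefix = 16 + borrowed
    return prefix_to_mask(prefix), prefix, 1 << borrowed, usable_hosts(prefix)


def subnets_of(network: str, borrowed: int):
    """Split a network by borrowing host bits, as in the 'Two Subnets' example.

    Returns (network address, first host, last host, broadcast) per subnet.
    """
    net = ipaddress.ip_network(network, strict=True)
    rows = []
    for sub in net.subnets(prefixlen_diff=borrowed):
        hosts = list(sub.hosts())
        rows.append((str(sub.network_address), str(hosts[0]),
                     str(hosts[-1]), str(sub.broadcast_address)))
    return rows


if __name__ == "__main__":
    print("Chart 8-4 (class C masks)")
    for p in range(24, 31):
        m = prefix_to_mask(p)
        print(f"  {m:<16} /{p}  {last_octet_bits(m)}")
    print("Chart 8-13 (class B planning)")
    for borrowed in range(1, 16):
        mask, prefix, subnets, hosts = class_b_plan(borrowed)
        print(f"  {borrowed:>2}  {mask:<16} /{prefix}  {subnets:>6}  {hosts:>6}")
    print("192.168.1.0/24 borrowed 1 bit ->", subnets_of("192.168.1.0/24", 1))
```

The chart's row for /31 (32768 subnets) follows the 2^n - 2 rule in this code, which yields 0 usable hosts; the arithmetic above is what the manual's tables are built from.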
65. ...purpose. ZyXEL shall in no event be held liable for indirect or consequential damages of any kind of character to the purchaser.
To obtain the services of this warranty, contact ZyXEL's Service Center for your Return Material Authorization number (RMA). Products must be returned Postage Prepaid. It is recommended that the unit be insured when shipped. Any returned products without proof of purchase or those with an out-dated warranty will be repaired or replaced (at the discretion of ZyXEL) and the customer will be billed for parts and labor. All repaired or replaced products will be shipped by ZyXEL to the corresponding return address, Postage Paid. This warranty gives you specific legal rights, and you may also have other rights that vary from country to country.
Online Registration
Register online at www.zyxel.com for free future product updates and information.
Warranty v
Customer Support
When you contact your customer support representative, please have the following information ready:
• Product model and serial number.
• Information in Menu 24.2.1 - System Information.
• Warranty Information.
• Date that you received your device.
• Brief description of the problem and the steps you took to solve it.
METHOD | E-MAIL (SUPPORT / SALES) | TELEPHONE / FAX | WEB SITE / FTP SITE | REGULAR MAIL
LOCATION: WORLDWIDE
66. ...r I of the Web Configurator User's Guide to see what features are specific to your ZyWALL model.
You may use the System Management Terminal (SMT), web configurator or command interpreter interface to configure your ZyWALL. Not all features can be configured through all interfaces.
Related Documentation
• Support Disk: Refer to the included CD for support documents.
• Read Me First or Quick Start Guide: The Read Me First or Quick Start Guide is designed to help you get up and running right away. It contains a detailed easy-to-follow connection diagram, default settings, handy checklists and information on setting up your network and configuring for Internet access.
• SMT User's Guide: This manual is designed to guide you through the configuration of your ZyWALL using the System Management Terminal.
• Web Configurator User's Guide: This manual is designed to guide you through the configuration of your ZyWALL using the embedded web configurator.
• Web Configurator Online Help: Embedded web help for descriptions of individual screens and supplementary information.
• Packing List Card: The Packing List Card lists all items that should have come in the package.
• Certifications: Refer to the product page at www.zyxel.com for information on product certifications.
• ZyXEL Glossary and Web Site: Please refer to www.zyxel.com for an online glossary of networking terms and additional support documentation.
xii Preface
67. ...ry display command to show the log settings for all of the log categories.
Log Descriptions 13-17
Use the sys logs display [log category] command to show the logs in an individual ZyWALL log category.
Use the sys logs clear command to erase all of the ZyWALL's logs.
Log Command Example
This example shows how to set the ZyWALL to record the access logs and alerts and then view the results.
ras> sys logs load
ras> sys logs category access 3
ras> sys logs save
ras> sys logs display access
# | time | source | destination | notes | message
0 | 11/11/2002 15:10:12 | 172.22.3.80:137 | 172.22.255.255:137 | ACCESS BLOCK | Firewall default policy: UDP (set 8)
1 | 11/11/2002 15:10:12 | 172.21.4.17:138 | 172.21.255.255:138 | ACCESS BLOCK | Firewall default policy: UDP (set 8)
2 | 11/11/2002 15:10:11 | 172.17.2.1 | 224.0.1.60 | ACCESS BLOCK | Firewall default policy: IGMP (set 8)
3 | 11/11/2002 15:10:11 | 172.22.3.80:137 | 172.22.255.255:137 | ACCESS BLOCK | Firewall default policy: UDP (set 8)
4 | 11/11/2002 15:10:10 | 192.168.10.1:520 | 192.168.10.255:520 | ACCESS BLOCK | Firewall default policy: UDP (set 8)
5 | 11/11/2002 15:10:10 | 172.21.4.67:137 | 172.21.255.255:137 | ACCESS BLOCK
13-2 Log Descriptions
The following describes the commands for enabling, disabling and configuring the brute force password...
Chapter 1...
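To make use of what sys logs display access returns, a defender usually wants the entries grouped by action, protocol and ACL set, and the NetBIOS broadcast chatter (UDP 137/138 to a directed broadcast address, the traffic the sys filter netbios config commands in Chapter 11 exist to block) separated from everything else. The parser below is an added example, not ZyXEL code; it assumes the pipe-delimited column layout shown above ("# | time | source | destination | notes | message"), and the sample lines are constructed from the entries above plus one invented rule-match entry.

```python
"""Parse and summarize ZyWALL 'sys logs display access' output.

Constructed example; the column layout is assumed from the manual's
sample, and SAMPLE_LOG is constructed (entry 6 is invented).
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

SAMPLE_LOG = """\
# | time | source | destination | notes | message
0 | 11/11/2002 15:10:12 | 172.22.3.80:137 | 172.22.255.255:137 | ACCESS BLOCK | Firewall default policy: UDP (set 8)
1 | 11/11/2002 15:10:12 | 172.21.4.17:138 | 172.21.255.255:138 | ACCESS BLOCK | Firewall default policy: UDP (set 8)
2 | 11/11/2002 15:10:11 | 172.17.2.1 | 224.0.1.60 | ACCESS BLOCK | Firewall default policy: IGMP (set 8)
3 | 11/11/2002 15:10:11 | 172.22.3.80:137 | 172.22.255.255:137 | ACCESS BLOCK | Firewall default policy: UDP (set 8)
4 | 11/11/2002 15:10:10 | 192.168.10.1:520 | 192.168.10.255:520 | ACCESS BLOCK | Firewall default policy: UDP (set 8)
5 | 11/11/2002 15:10:10 | 172.21.4.67:137 | 172.21.255.255:137 | ACCESS BLOCK | Firewall default policy: UDP (set 8)
6 | 11/11/2002 15:10:09 | 10.0.0.5:3344 | 10.0.0.20:80 | ACCESS FORWARD | Firewall rule match: TCP (set 2, rule 1)
"""

PROTO_RE = re.compile(r"\b(TCP|UDP|ICMP|IGMP|ESP|GRE|OSPF)\b")
SET_RE = re.compile(r"\bset[:\s]*(\d+)")
RULE_RE = re.compile(r"\brule[:\s]*(\d+)")
NETBIOS_PORTS = {137, 138, 139}


@dataclass
class AccessLogEntry:
    index: int
    time: str
    src_ip: str
    src_port: Optional[int]
    dst_ip: str
    dst_port: Optional[int]
    notes: str
    message: str
    proto: Optional[str]
    set_no: Optional[int]
    rule_no: Optional[int]


def split_endpoint(text: str) -> Tuple[str, Optional[int]]:
    """'172.22.3.80:137' -> ('172.22.3.80', 137); IGMP entries carry no port."""
    ip, sep, port = text.partition(":")
    return ip, (int(port) if sep else None)


def parse_log(text: str) -> List[AccessLogEntry]:
    """Parse the display output; the header row and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 6 or not fields[0].isdigit():
            continue  # header, prompt echo, or a line we do not understand
        src_ip, src_port = split_endpoint(fields[2])
        dst_ip, dst_port = split_endpoint(fields[3])
        msg = fields[5]
        proto = PROTO_RE.search(msg)
        set_m = SET_RE.search(msg)
        rule_m = RULE_RE.search(msg)
        entries.append(AccessLogEntry(
            index=int(fields[0]), time=fields[1],
            src_ip=src_ip, src_port=src_port, dst_ip=dst_ip, dst_port=dst_port,
            notes=fields[4], message=msg,
            proto=proto.group(1) if proto else None,
            set_no=int(set_m.group(1)) if set_m else None,
            rule_no=int(rule_m.group(1)) if rule_m else None))
    return entries


def summarize(entries: List[AccessLogEntry]) -> Counter:
    """Count entries by (notes, protocol, ACL set), e.g. ('ACCESS BLOCK', 'UDP', 8)."""
    return Counter((e.notes, e.proto, e.set_no) for e in entries)


def netbios_broadcasts(entries: List[AccessLogEntry]) -> List[AccessLogEntry]:
    """Entries that are NetBIOS name/datagram traffic to a directed broadcast.

    Heuristic: destination port 137-139 and a last octet of 255 (assumes
    classful or /24-style broadcast addresses, as in the sample).
    """
    return [e for e in entries
            if e.dst_port in NETBIOS_PORTS and e.dst_ip.endswith(".255")]


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for key, count in sorted(summarize(parsed).items(), key=str):
        print(f"{count:>3}  {key}")
    print("NetBIOS broadcast entries:",
          [e.index for e in netbios_broadcasts(parsed)])
```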
68. ...s box. Click Apply Now and close the window.
6. Turn on your ZyWALL and restart your computer (if prompted).
Verifying Your Computer's IP Address
Check your TCP/IP properties in the Network window.
Setting Up Your Computer's IP Address
Chapter 2 Triangle Route
The Ideal Setup
When the firewall is on, your ZyWALL acts as a secure gateway between your LAN and the Internet. In an ideal network topology, all incoming and outgoing network traffic passes through the ZyWALL to protect your LAN against attacks.
[Diagram 2-1 Ideal Setup: a computer on the LAN, the ZyWALL, and the WAN, with the SYN and SYN/ACK of a connection both passing through the ZyWALL]
The "Triangle Route" Problem
A traffic route is a path for sending or receiving data packets between two Ethernet devices. Some companies have more than one alternate route to one or more ISPs. If the LAN and ISP(s) are in the same subnet, the "triangle route" problem may occur.
The steps below describe the triangle route problem.
Step 1. A computer on the LAN initiates a connection by sending out a SYN packet to a receiving server on the WAN.
Step 2. The ZyWALL reroutes the SYN packet through Gateway B on the LAN to the WAN.
Step 3. The reply from the WAN goes directly to the computer on the LAN without going through the ZyWALL.
As a result, the ZyWALL resets the connection, as the connection has not been acknowledged.
Triangle Route 2-1
[Diagram residue: LAN, WAN]
69. ...s the wireless link in clear text, it is easy to spoof and fake. Even the WEP (Wired Equivalent Privacy) data encryption is unreliable, as it can be easily decrypted with current computer speed.
Deployment Issues with IEEE 802.11
User account management has become a network administrator's nightmare in a corporate environment, as the IEEE 802.11b standard does not provide any central user account management. User access control is done through manual modification of the MAC address table on the access point. Although WEP data encryption offers a form of data security, you have to reset the WEP key on the clients each time you change your WEP key on the access point.
IEEE 802.1x
In June 2001, the IEEE 802.1x standard was designed to extend the features of IEEE 802.11 to support extended authentication as well as providing additional accounting and control features. It is supported by Windows XP and a number of network devices.
Advantages of the IEEE 802.1x
• User-based identification that allows for roaming.
Wireless LAN with IEEE 802.1x 5-1
• Support for RADIUS (Remote Authentication Dial In User Service, RFC 2138, 2139) for centralized user profile and accounting management on a network RADIUS server.
• Support for EAP (Extensible Authentication Protocol, RFC 2486) that allows additional authentication methods to be deployed with no changes to the access point or the wireless clients.
70. ...sted firewall rule and the ZyWALL logged it.
Firewall rule NOT match: ESP (set %d, rule %d) | ESP access did not match the listed firewall rule and the ZyWALL logged it.
Firewall rule NOT match: GRE (set %d, rule %d) | GRE access did not match the listed firewall rule and the ZyWALL logged it.
13-6 Log Descriptions
Chart 13-6 Access Logs (continued)
LOG MESSAGE | DESCRIPTION
Firewall rule NOT match: OSPF (set %d, rule %d) | OSPF access did not match the listed firewall rule and the ZyWALL logged it.
Firewall rule NOT match (set %d, rule %d) | Access did not match the listed firewall rule and the ZyWALL logged it.
Filter default policy DROP: TCP | TCP access matched a default filter policy and the ZyWALL dropped the packet to block access.
Filter default policy DROP: UDP | UDP access matched a default filter policy and the ZyWALL dropped the packet to block access.
Filter default policy DROP: ICMP | ICMP access matched a default filter policy and the ZyWALL dropped the packet to block access.
Filter default policy DROP | Access matched a default filter policy and the ZyWALL dropped the packet to block access.
Filter default policy DROP, denied LAN IP | Access matched a default filter policy (denied LAN IP) and the ZyWALL dropped the packet to block access.
Filter default policy FORWARD: TCP | TCP access matched a default filter policy. Access was allowed and...
71. WORLDWIDE | support@zyxel.com.tw / sales@zyxel.com.tw | tel +886-3-578-3942, fax +886-3-578-2439 | www.zyxel.com, www.europe.zyxel.com, ftp.europe.zyxel.com | ZyXEL Communications Corp., 6 Innovation Road II, Science-Based Industrial Park, Hsinchu 300, Taiwan
NORTH AMERICA | support@zyxel.com / sales@zyxel.com | tel +1-714-632-0882 or 800-255-4101, fax +1-714-632-0858 | www.zyxel.com, ftp.zyxel.com | ZyXEL Communications Inc., 1650 Miraloma Avenue, Placentia, CA 92870, U.S.A.
SCANDINAVIA | support@zyxel.dk / sales@zyxel.dk | tel +45-3955-0700, fax +45-3955-0707 | www.zyxel.dk, ftp.zyxel.dk | ZyXEL Communications A/S, Columbusvej 5, 2860 Soeborg, Denmark
GERMANY | support@zyxel.de / sales@zyxel.de | tel +49-2405-6909-0, fax +49-2405-6909-99 | www.zyxel.de | ZyXEL Deutschland GmbH, Adenauerstr. 20/A2, D-52146 Wuerselen, Germany
vi Customer Support
Table of Contents
Federal Communications Commission (FCC) Interference Statement ... iii
Information for Canadian Users ... iv
ZyXEL Limited Warranty ... v
Customer Support ... vi
Preface ... xii
General Information ... I
Chapter 1 Setting up Your Computer's IP Address ... 1-1
Chapter ...
72. Chart 13-6 Access Logs (continued)
LOG MESSAGE | DESCRIPTION
Firewall rule match: IGMP (set %d, rule %d) | IGMP access matched the listed firewall rule and the ZyWALL blocked or forwarded it according to the rule's configuration.
Firewall rule match: ESP (set %d, rule %d) | ESP access matched the listed firewall rule and the ZyWALL blocked or forwarded it according to the rule's configuration.
Firewall rule match: GRE (set %d, rule %d) | GRE access matched the listed firewall rule and the ZyWALL blocked or forwarded it according to the rule's configuration.
Firewall rule match: OSPF (set %d, rule %d) | OSPF access matched the listed firewall rule and the ZyWALL blocked or forwarded it according to the rule's configuration.
Firewall rule match (set %d, rule %d) | Access matched the listed firewall rule and the ZyWALL blocked or forwarded it according to the rule's configuration.
Firewall rule NOT match: TCP (set %d, rule %d) | TCP access did not match the listed firewall rule and the ZyWALL logged it.
Firewall rule NOT match: UDP (set %d, rule %d) | UDP access did not match the listed firewall rule and the ZyWALL logged it.
Firewall rule NOT match: ICMP (set %d, rule %d, type %d, code %d) | ICMP access did not match the listed firewall rule and the ZyWALL logged it.
Firewall rule NOT match: IGMP (set %d, rule %d) | IGMP access did not match the li...
…authority or electrician, as appropriate.

Note: This digital apparatus does not exceed the Class A limits for radio noise emissions from digital apparatus set out in the radio interference regulations of Industry Canada.

ZyXEL Limited Warranty

ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials or workmanship for a period of up to two years from the date of purchase. During the warranty period, and upon proof of purchase, should the product have indications of failure due to faulty workmanship and/or materials, ZyXEL will, at its discretion, repair or replace the defective products or components without charge for either parts or labor, and to whatever extent it shall deem necessary to restore the product or components to proper operating condition. Any replacement will consist of a new or re-manufactured functionally equivalent product of equal value, and will be solely at the discretion of ZyXEL. This warranty shall not apply if the product is modified, misused, tampered with, damaged by an act of God, or subjected to abnormal working conditions.

NOTE: Repair or replacement, as provided under this warranty, is the exclusive remedy of the purchaser. This warranty is in lieu of all other warranties, express or implied, including any implied warranty of merchantability or fitness for a particular use or…
…know your DNS server IP address(es), you need to ask your network administrator for them. If you know your DNS server IP address(es), click Use the following DNS server addresses and type them in the Preferred DNS server and Alternate DNS server fields. If you have previously configured DNS servers, click Advanced and then the DNS tab to order them.

[Figure: Internet Protocol (TCP/IP) Properties dialog, showing the Obtain an IP address automatically / Use the following IP address and Obtain DNS server address automatically / Use the following DNS server addresses options]

8. Click OK to close the Internet Protocol (TCP/IP) Properties window.
9. Click OK to close the Local Area Connection Properties window.
10. Turn on your ZyWALL and restart your computer (if prompted).

Verifying Your Computer's IP Address

1. Click Start, All Programs, Accessories and then Command Prompt.
2. In the Command Prompt window, type ipconfig and then press ENTER. You can also open Network Connections, right-click a network connection, click Status and then click the Support tab.

Macintosh OS 8/9

1. Click the Apple menu, Control Panel and double-click TCP/IP to open the TCP/IP Control Panel.

[Figure: Mac OS Apple menu with the Control Panels submenu open]
…when traffic exceeds the tcp-max-incomplete threshold.
This command sets the number of minutes for new sessions to be blocked when the tcp-max-incomplete threshold is reached. This command is only valid when block is set to yes.
This command sets the threshold rate of new half-open sessions per minute where the ZyWALL starts deleting old half-opened sessions until it gets them down to the minute-low threshold.

Chart 10-1 Firewall Commands (continued)

FUNCTION: Sets

COMMAND: config edit firewall attack minute-low <0-255>
DESCRIPTION: This command sets the threshold of half-open sessions where the ZyWALL stops deleting half-opened sessions.

COMMAND: config edit firewall attack max-incomplete-high <0-255>
DESCRIPTION: This command sets the threshold of half-open sessions where the ZyWALL starts deleting old half-opened sessions until it gets them down to the max-incomplete-low.

COMMAND: config edit firewall attack max-incomplete-low <0-255>
DESCRIPTION: This command sets the threshold where the ZyWALL stops deleting half-opened sessions.

COMMAND: config edit firewall attack tcp-max-incomplete <0-255>

COMMAND: config edit firewall set <set #> name <desired name>

COMMAND: config edit firewall set <set #> default-permit <forward|block>

COMMAND: config edit firewall set <set #> icmp-timeout <seconds>

COMMAND: config edit firewall set <set #> udp-idle-timeout <seconds>
…(how long the Z)yWALL leaves a TCP session open after the firewall detects a FIN-exchange (indicating the end of the TCP session).
This command sets how long the ZyWALL lets an inactive TCP connection remain open before considering it closed.
This command sets whether or not the ZyWALL creates logs for packets that match the firewall's default rule set.
This command sets whether packets that match this rule are dropped or allowed through.
This command sets whether a rule is enabled or not.
This command sets the protocol specification number made in this rule for ICMP.
This command sets the ZyWALL to log traffic that matches the rule, doesn't match, both or neither.

Chart 10-1 Firewall Commands (continued)

FUNCTION / COMMAND / DESCRIPTION

COMMAND: config edit firewall set <set #> rule <rule #> alert <yes|no>
DESCRIPTION: This command sets whether or not the ZyWALL sends an alert e-mail when a DOS attack or a violation of a particular rule occurs.

COMMAND: config edit firewall set <set #> rule <rule #> srcaddr-single <ip address>
DESCRIPTION: This command sets the rule to have the ZyWALL check for traffic with this individual source address.

COMMAND: config edit firewall set <set #> rule <rule #> srcaddr-subnet <ip address> <subnet mask>
DESCRIPTION: This command sets a rule to have the ZyWALL check for traffic from a particular subnet (defined by IP address and subnet mask).

COMMAND: config edit firewall set <set #>…
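The "config edit firewall attack ..." settings in Chart 10-1 (minute-high / minute-low, max-incomplete-high / max-incomplete-low, tcp-max-incomplete, block and block-minute) describe a half-open session limiter: the gateway tracks TCP sessions that have seen a SYN but not completed the handshake, and when their count or arrival rate passes a high-water mark it discards the oldest until a low-water mark is reached, while a per-host limit can trigger a timed block of new sessions. The Python below is an added example, not ZyWALL code, that models exactly that bookkeeping so the interplay of the thresholds can be tried out with a few numbers. It assumes the tcp-max-incomplete limit is counted per destination host and that block-minute is in minutes while the simulated clock is in seconds; the class and method names are the example's own, and to_cli only renders the command names as the chart lists them.

```python
from dataclasses import dataclass


@dataclass
class AttackSettings:
    """Mirrors the 'config edit firewall attack ...' settings of Chart 10-1."""
    minute_high: int = 100          # new half-open sessions per minute that start deletion
    minute_low: int = 80            # ... and the level at which deletion stops
    max_incomplete_high: int = 100  # total half-open sessions that start deletion
    max_incomplete_low: int = 80    # ... and the level at which deletion stops
    tcp_max_incomplete: int = 10    # half-open sessions toward one host (assumed per-host)
    block: bool = True              # block new sessions when tcp_max_incomplete is exceeded
    block_minute: int = 1           # how long to block; only meaningful when block is True

    def to_cli(self):
        """Render the equivalent CLI lines (command names as listed in Chart 10-1)."""
        yn = "yes" if self.block else "no"
        return [
            f"config edit firewall attack block {yn}",
            f"config edit firewall attack block-minute {self.block_minute}",
            f"config edit firewall attack minute-high {self.minute_high}",
            f"config edit firewall attack minute-low {self.minute_low}",
            f"config edit firewall attack max-incomplete-high {self.max_incomplete_high}",
            f"config edit firewall attack max-incomplete-low {self.max_incomplete_low}",
            f"config edit firewall attack tcp-max-incomplete {self.tcp_max_incomplete}",
        ]


class HalfOpenMonitor:
    """Toy model of half-open (SYN seen, handshake not completed) session limiting."""

    def __init__(self, cfg: AttackSettings):
        self.cfg = cfg
        self.half_open = []        # (opened_at, src, dst), oldest first
        self.blocked_until = {}    # dst -> time until which new sessions are refused
        self.deleted = 0           # old half-open sessions the gateway gave up on

    def half_open_to(self, dst):
        return sum(1 for _, _, d in self.half_open if d == dst)

    def on_syn(self, src, dst, now):
        """A new connection attempt toward dst; returns 'accepted' or 'blocked'."""
        until = self.blocked_until.get(dst)
        if until is not None:
            if now < until:
                return "blocked"
            del self.blocked_until[dst]           # block-minute has elapsed
        # tcp-max-incomplete: admitting this SYN would exceed the per-host limit.
        # With block set to no, the session is admitted and only the high/low
        # water marks below limit the damage.
        if self.cfg.block and self.half_open_to(dst) >= self.cfg.tcp_max_incomplete:
            self.blocked_until[dst] = now + 60 * self.cfg.block_minute
            return "blocked"
        self.half_open.append((now, src, dst))
        self._enforce_max_incomplete()
        self._enforce_minute_rate(now)
        return "accepted"

    def on_established(self, src, dst):
        """Handshake completed: the session is no longer half-open."""
        for i, (_, s, d) in enumerate(self.half_open):
            if s == src and d == dst:
                del self.half_open[i]
                return True
        return False

    def _enforce_max_incomplete(self):
        # Above max-incomplete-high, delete the oldest half-open sessions
        # until the count is back down to max-incomplete-low.
        if len(self.half_open) > self.cfg.max_incomplete_high:
            while len(self.half_open) > self.cfg.max_incomplete_low:
                self.half_open.pop(0)
                self.deleted += 1

    def _enforce_minute_rate(self, now):
        # Same idea for the rate: only half-open sessions opened within the last
        # minute count; above minute-high, delete the oldest of those down to minute-low.
        recent = [s for s in self.half_open if now - s[0] < 60]
        if len(recent) > self.cfg.minute_high:
            while len(recent) > self.cfg.minute_low:
                victim = recent.pop(0)
                self.half_open.remove(victim)
                self.deleted += 1


if __name__ == "__main__":
    cfg = AttackSettings(tcp_max_incomplete=2, block=True, block_minute=1)
    print("\n".join(cfg.to_cli()))
    mon = HalfOpenMonitor(cfg)
    for t, src in enumerate(["192.0.2.1", "192.0.2.2", "192.0.2.3"]):
        print(t, src, "->", mon.on_syn(src, "10.0.0.1", t))   # third attempt is blocked
```

Two points the model makes visible: a low-water mark well below the high-water mark (for example 80 and 100, the chart's defaults are not on this page) means one burst costs several old half-open sessions at once, and with block set to yes a single noisy source can deny a whole destination host for block-minute minutes, so the per-host threshold should be chosen with that side effect in mind.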
