ZyXEL Communications
2WE manual
433 pages, 10.14 Mb
ZyWALL 2/2WE
Internet Security Gateway
User’s Guide
Version 3.60
March 2003
Contents
User’s Guide
Copyright
Copyright © 2003 by ZyXEL Communications Corporation
Disclaimer
Trademarks
Notice
Certifications
Information for Canadian Users
Caution
Note
ZyXEL Limited Warranty
NOTE
Customer Support
Table of Contents
Chapter 8 Wireless LAN Security Setup
Chapter 13 Firewalls
Chapter 14 Introducing the ZyWALL Firewall
Chapter 16 Creating Custom Rules
Logs, Filter Configuration, and SNMP Configuration
Chapter 18 Centralized Logs
System Maintenance and Information and Remote Management
Chapter 24 Remote Management
Call Scheduling and VPN/IPSec
General Appendices
Appendix C Triangle Route
Appendix E Wireless LAN and IEEE 802.11
Appendix F Wireless LAN With IEEE 802.1x
Appendix G PPPoE
List of Figures
List of Tables
Preface
About This User's Manual
Related Documentation
Syntax Conventions
Control Panels
Modem
Part I:
Overview
Getting to Know Your ZyWALL
1.1 Introducing the ZyWALL 2/2WE Internet Security Gateway
1.2 Features
1.2.1 Physical Features
4-Port Switch
1.2.2 Non-Physical Features
IPSec VPN Capability
Firewall
EAP (RFC2284)
RADIUS (RFC2138, 2139)
IEEE 802.1x for Network Security
Wireless LAN MAC Address Filtering
Brute-Force Password Guessing Protection
Content Filtering
Dynamic DNS Support
IP Multicast
IP Alias
Central Network Management
SNMP
1.3 Applications for the ZyWALL
1.3.1 Secure Broadband Internet Access and VPN
1.3.2 Wireless LAN Application
Hardware Installation
2.1 Introduction to Hardware Installation
2.2 Front Panels LEDs
2.3 LED Descriptions
2.4 ZyWALL Rear Panels and Connections
2.5 Hardware Connections
2.5.1 Connecting a Broadband Modem to the WAN Port
2.5.2 Connecting the Console Port
2.5.3 Connecting the AUX Port
2.5.4 LAN 10/100M Ports
2.5.5 Connecting the Power to your ZyWALL
2.6 Hardware Mounting Options
2.7 Additional Installation Requirements for Using
2.8 Turning On Your ZyWALL
Part II:
Initial Setup and Configuration
Introducing the Web Configurator
3.1 Introduction to the Web Configurator
3.2 Accessing the ZyWALL Web Configurator
3.3 Web Configurator Navigation
Introducing the SMT
4.1 Introduction to the SMT
4.2 Accessing the Console Port via the Console Port
4.2.1 Initial Screen
4.2.2 Entering the Password
4.3 Navigating the SMT Interface
4.3.1 Main Menu
4.3.2 System Management Terminal Interface Summary
4.3.3 SMT Menus at a Glance
Figure 4-4 Getting Started and Advanced Applications SMT Menus (ZyWALL 2WE)
Figure 4-5 Advanced Management SMT Menus
4.4 Changing the System Password
4.5 Resetting the ZyWALL
4.5.1 Uploading a Configuration File Via Console Port
4.5.2 Procedure To Use The Reset Button
SMT Menu 1 - General Setup
5.1 Introduction to General Setup
5.2 System Name
5.3 Dynamic DNS
5.3.1 DYNDNS Wildcard
5.4 General Setup
5.4.1 Configuring Dynamic DNS
WAN Setup
6.1 Introduction to WAN Setup
6.2 Cloning The MAC Address
6.3 WAN Setup
Table 6-1 MAC Address Cloning in WAN Setup
LAN Setup
7.1 Introduction to LAN Setup
7.2 Accessing the LAN Menus
7.3 LAN Port Filter Setup
7.4 TCP/IP and LAN DHCP
7.4.1 Factory LAN Defaults
7.4.2 DHCP Configuration
IP Pool Setup
DNS Server Address
7.4.3 IP Address and Subnet Mask
Private IP Addresses
7.4.4 RIP Setup
7.4.5 IP Multicast
7.4.6 IP Alias
7.5 TCP/IP and DHCP Ethernet Setup Menu
Figure 7-5 Menu 3: TCP/IP and DHCP Setup
TCP/IP and DHCP Setup
Menu 3.2: TCP/IP and DHCP Ethernet Setup
Figure 7-6 Menu 3.2: TCP/IP and DHCP Ethernet Setup
Table 7-3 DHCP Ethernet Setup Menu Fields
Table 7-4 LAN TCP/IP Setup Menu Fields
7.5.1 IP Alias Setup
Figure 7-7 Menu 3.2.1: IP Alias Setup
Table 7-5 IP Alias Setup Menu Fields
7.6 Wireless LAN
7.6.1 Channel
7.6.2 ESS ID
7.6.3 RTS Threshold
7.6.4 Fragmentation Threshold
7.7 Wireless LAN Setup
Menu
LAN Setup
Wireless LAN Setup
Figure 7-9 Menu 3.5 – Wireless LAN Setup
The settings of all client stations on the wireless LAN must match those of the
The ZyWALL LAN Ethernet and wireless ports can transparently communicate with each other (transparent bridge)
Wireless LAN Security Setup
8.1 Introduction to Wireless LAN Security
8.2 Levels of Security
8.3 Data Encryption with WEP
8.3.1 Setting Up WEP
8.4 Network Authentication
8.4.1 EAP
8.4.2 RADIUS
• Authentication
• Authorization
• Accounting
Types of RADIUS Messages
• Access-Request
8.4.3 Sequence for EAP Authentication
8.4.4 Enable EAP Authentication on Your ZyWALL
8.4.5 Configuring an External RADIUS Server
Figure 8-5 Authentication RADIUS
Table 8-3 Authentication RADIUS
8.5 Local User Authentication
Figure 8-6 Local User Database
8.6 MAC Address Filtering
Table 8-5 WLAN MAC Address Filter
Internet Access
9.1 Introduction to Internet Access Setup
9.2 Ethernet Encapsulation
9.3 PPTP Encapsulation
9.3.1 Configuring the PPTP Client
9.4 PPPoE Encapsulation
9.4.1 Configuring the PPPoE Client
9.5 Basic Setup Complete
Part III:
Advanced Applications
Remote Node Setup
10.1 Introduction to Remote Node Setup
10.2 Remote Node Setup
10.3 Remote Node Profile Setup
10.3.1 Ethernet Encapsulation
10.3.2 PPPoE Encapsulation
PPPoE
Figure 10-3 Menu 11.1: Remote Node Profile for PPPoE Encapsulation
Outgoing Authentication Protocol
Nailed-Up Connection
Metric
Table 10-2 Fields in Menu 11.1 (PPPoE Encapsulation Specific)
10.3.3 PPTP Encapsulation
10.4 Edit IP
Table 10-4 Remote Node Network Layer Options Menu Fields
10.5 Remote Node Filter
10.6 Traffic Redirect
Figure 10-9 Traffic Redirect LAN Setup
Menu 11.1 – Remote Node Profile
Figure 10-10 Menu 11.1: Remote Node Profile
Edit Traffic Redirect
10.6.1 Traffic Redirect Setup
IP Static Route Setup
11.1 Introduction to Static Route
11.2 IP Static Route Setup
Figure 11-3 Menu 12.1: Edit IP Static Route
Table 11-1 IP Static Route Menu Fields
Network Address Translation (NAT)
12.1 Introduction to NAT
12.1.1 NAT Definitions
12.1.2 What NAT Does
12.1.3 How NAT Works
Figure 12-1 How NAT Works
12.1.4 NAT Application
12.1.5 NAT Mapping Types
Many to One
Many to Many Overload
Many One to One
Server
Port numbers do not change for One-to-One and Many-One-to-One NAT mapping
12.2 Using NAT
12.2.1 SUA (Single User Account) Versus NAT
12.2.2 Applying NAT
[ENTER] to bring up Menu 11.3 - Remote Node Network Layer Options
12.3 NAT Setup
12.3.1 Address Mapping Sets
Figure 12-7 Menu 15.1.255: SUA Address Mapping Rules
Menu 15.1.255 is read-only
Table 12-4 SUA Address Mapping Rules
User-Defined Address Mapping Sets
Select Rule
Set Name
The entire set will be deleted if you leave the Set Name field blank and press [ENTER] at the bottom of the screen
Table 12-5 Fields in Menu
No changes to the set take place until this action is taken
Edit
Menu 15.1.1.1 - Address Mapping Rule
Local
Figure 12-9 Menu 15.1.1.1: Editing/Configuring an Individual Rule in a Set
Table 12-6 Menu 15.1.1.1: Editing/Configuring an Individual Rule in a Set
12.4 NAT Server Sets – Port Forwarding
12.4.1 Configuring a Server behind NAT
Figure 12-10 Menu 15.2: NAT Server Setup
Figure 12-11 Multiple Servers Behind NAT Example
12.5 General NAT Examples
12.5.1 Internet Access Only
12.5.2 Example 2: Internet Access with an Inside Server
12.5.3 Example 3: Multiple Public IP Addresses With Inside Servers
Figure 12-16 NAT Example
Menu 15.1 - Address Mapping Sets
Edit Action
Start IP
Figure 12-17 Example 3: Menu
Figure 12-18 Example 3: Menu
Figure 12-19 Example 3: Final Menu
Figure 12-20 Example 3: Menu
12.5.4 Example 4: NAT Unfriendly Application Programs
12.6 Trigger Port Forwarding
12.6.1 Trigger Port Forwarding Process
12.6.2 Two Points To Remember About Trigger Ports
Table 12-8 Menu 15.3 – Trigger Port Setup Description
Part IV:
Firewall and Content Filters
Firewalls
13.1 Introduction to Firewalls
13.2 Types of Firewalls
13.2.1 Packet Filtering Firewalls
13.2.2 Application-level Firewalls
13.3 Introduction to ZyXEL’s Firewall
13.4 Denial of Service
13.4.1 Basics
13.4.2 Types of DoS Attacks
Figure 13-2 Three-Way Handshake
SYN Attack
Figure 13-3 SYN Flood
LAND Attack
brute-force
Figure 13-4 Smurf Attack
Table 13-2 ICMP Commands That Trigger Alerts
13.5 Stateful Inspection
13.5.1 Stateful Inspection Process
13.5.2 Stateful Inspection and the ZyWALL
13.5.3 TCP Security
13.5.4 UDP/ICMP Security
13.5.5 Upper Layer Protocols
13.6 Guidelines For Enhancing Security With Your Firewall
13.7 Packet Filtering Vs Firewall
13.7.1 Packet Filtering:
13.7.2 Firewall
When To Use The Firewall
Introducing the ZyWALL Firewall
14.1 Introduction to the ZyWALL Firewall
14.2 Remote Management and the Firewall
14.3 Access Methods
14.4 Using ZyWALL SMT Menus
14.4.1 Activating the Firewall
Firewall Configuration
15.1 Introduction to Firewall Configuration
15.2 Enabling the Firewall
15.2.1 Alerts
15.3 Attack Alert
15.3.1 Threshold Values
15.3.2 Half-Open Sessions
one-minute
TCP Maximum Incomplete and Blocking Time
TCP Maximum Incomplete
Figure 15-2 Attack Alert
Table 15-1 Attack Alert
Creating Custom Rules
16.1 Introduction to Custom Rules
16.2 Rule Logic Overview
16.2.1 Rule Checklist
16.2.2 Security Ramifications
16.2.3 Key Fields For Configuring Rules
16.3 Connection Direction Examples
16.3.1 LAN to WAN Rules
16.3.2 WAN to LAN Rules
16.4 Rule Summary
16.5 Predefined Services
16.5.1 Creating/Editing Firewall Rules
Figure 16-4 Creating/Editing A Firewall Rule
Table 16-3 Creating/Editing A Firewall Rule
16.5.2 Source and Destination Addresses
16.6 Custom Ports
16.7 Creating/Editing A Custom Port
16.8 Example Firewall Rule
Figure 16-7 Firewall Rule Configuration Screen Example
Any
ScrDelete
ScrAdd
Figure 16-8 Firewall IP Config Screen Example
Custom Port
Custom Port Configuration
Figure 16-9 Custom Port Example
Available Serv
Selected Services
Figure 16-10 Rule Configuration Example
Rule Summary
Figure 16-11 Rule Summary Example
Content Filtering
17.1 Introduction to Content Filtering
17.2 Restrict Web Features
17.3 Days and Times
17.4 Configure Content Filtering
Figure 17-1 Content Filter
Table 17-1 Content Filter
Part V:
Logs, Filter Configuration, and SNMP Configuration
Centralized Logs
18.1 Introduction to Centralized Logs
18.1.1 Alerts and Logs
18.2 View Log
Figure 18-1 View Log
Table 18-1 View Log
18.3 Log Settings
Figure 18-2 Log Settings
Table 18-2 Log Settings
18.4 Reports
Figure 18-3 Reports
Enabling the ZyWALL’s reporting function decreases the overall throughput by about 1 Mbps
18.4.1 Web Site Hits
18.4.2 Protocol/Port
Figure 18-5 Protocol/Port Report Example
Table 18-5 Protocol/Port Report
18.4.3 LAN IP Address
18.4.4 Reports Specifications
Filter Configuration
19.1 Introduction to Filters
19.1.1 The Filter Structure of the ZyWALL
Filter Set
Execute
Filter Rule
Figure 19-2 Filter Rule Process
19.2 Configuring a Filter Set
Edit Comments
Table 19-1 Abbreviations Used in the Filter Rules Summary Menu
19.2.1 Configuring a Filter Rule
19.2.2 Configuring a TCP/IP Filter Rule
TCP/IP Filter Rule
Filter Type
open Menu 21.1.x.x - TCP/IP Filter Rule, as shown next
Figure 19-5 Menu 21.1.1.1: TCP/IP Filter Rule
Table 19-3 TCP/IP Filter Rule Menu Fields
Figure 19-6 Executing an IP Filter
19.2.3 Configuring a Generic Filter Rule
Table 19-4 Generic Filter Rule Menu Fields
19.3 Example Filter
Figure 19-9 Example Filter: Menu
Figure 19-10 Example Filter Rules Summary: Menu
19.4 Filter Types and SUA/NAT
19.5 Firewall Versus Filters
19.6 Applying a Filter and Factory Defaults
19.6.1 Applying LAN Filters
19.6.2 Applying Remote Node Filters
Figure 19-13 Filtering Remote Node Traffic
SNMP Configuration
20.1 Introduction to SNMP
Figure 20-1 SNMP Management Model
20.2 Supported MIBs
20.3 SNMP Configuration
20.4 SNMP Traps
Part VI:
System Information and Diagnosis and Firmware and
Configuration File Maintenance
System Information & Diagnosis
21.1 Introduction to System Status
21.2 System Status
Step 1. Enter number 24 to go to Menu 24 - System Maintenance
Menu 24.1 - System Maintenance - Status
Figure 21-2 Menu 24.1: System Maintenance: Status (ZyWALL 2WE)
Table 21-1 System Maintenance: Status Menu Fields
21.3 System Information and Console Port Speed
21.3.1 System Information
21.3.2 Console Port Speed
21.4 Log and Trace
21.4.1 Viewing Error Log
21.4.2 UNIX Syslog
Table 21-3 System Maintenance Menu Syslog Parameters
21.4.3 Call-Triggering Packet
21.5 Diagnostic
21.5.1 WAN DHCP
Figure 21-11 WAN & LAN DHCP
Table 21-4 System Maintenance Menu Diagnostic
Firmware and Configuration File
Maintenance
22.1 Filename Conventions
22.2 Backup Configuration
22.2.1 Backup Configuration
22.2.2 Using the FTP Command from the Command Line
22.2.3 Example of FTP Commands from the Command Line
22.2.4 GUI-based FTP Clients
22.2.5 File Maintenance Over WAN
22.2.6 Backup Configuration Using TFTP
22.2.7 TFTP Command Example
22.2.8 GUI-based TFTP Clients
22.2.9 Backup Via Console Port
Figure 22-3 System Maintenance: Backup Configuration
Figure 22-4 System Maintenance: Starting Xmodem Download Screen
Receive File
Figure 22-5 Backup Configuration Example
Figure 22-6 Successful Backup Confirmation Screen
22.3 Restore Configuration
22.3.1 Restore Using FTP
Figure 22-7 Telnet into Menu
22.3.2 Restore Using FTP Session Example
22.3.3 Restore Via Console Port
22.4 Uploading Firmware and Configuration Files
22.4.1 Firmware File Upload
22.4.2 Configuration File Upload
22.4.3 FTP File Upload Command from the DOS Prompt Example
22.4.4 FTP Session Example of Firmware File Upload
22.4.5 TFTP File Upload
22.4.6 TFTP Upload Command Example
22.4.7 Uploading Via Console Port
22.4.8 Uploading Firmware File Via Console Port
22.4.9 Example Xmodem Firmware Upload Using HyperTerminal
22.4.10 Uploading Configuration File Via Console Port
22.4.11 Example Xmodem Configuration Upload Using HyperTerminal
Figure 22-19 Example Xmodem Upload
Part VII:
System Maintenance and Information and Remote
Management
System Maintenance & Information
23.1 Command Interpreter Mode
23.2 Call Control Support
23.2.1 Budget Management
Figure 23-4 Budget Management
Table 23-1 Budget Management
23.2.2 Call History
23.3 Time and Date Setting
23.3.1 Resetting the Time
Remote Management
24.1 Remote Management and the Firewall
24.2 Telnet
24.3 FTP
24.4 Web
24.5 SNMP
24.6 DNS
24.7 Remote Management
When you choose WAN only or ALL (LAN & WAN), you still need to configure a firewall rule to allow access
Disable
Server Access
Enter 11 from menu 24 to bring up Menu 24.11 – Remote Management Control
24.8 Remote Management and SUA/NAT
24.9 System Timeout
Part VIII:
Call Scheduling and VPN/IPSec
Call Scheduling
25.1 Introduction to Call Scheduling
25.2 Configuring Call Scheduling
To delete a schedule set, enter the set number and press [SPACE BAR] and then [ENTER] or [DEL] in the Edit Name field
Menu 26.1 - Schedule Set Setup
Figure 25-2 Schedule Set Setup
Duration
25.3 Applying Schedule Sets
Figure 25-3 Applying Schedule Set(s) to a Remote Node (PPPoE)
Figure 25-4 Applying Schedule Set(s) to a Remote Node (PPTP)
Introduction to IPSec
26.1 VPN Overview
26.1.1 IPSec
26.1.2 Security Association
26.1.3 Other Terminology
26.1.4 VPN Applications
26.2 IPSec Architecture
26.2.1 IPSec Algorithms
26.2.2 Key Management
26.3 Encapsulation
26.3.1 Transport Mode
26.3.2 Tunnel Mode
26.4 IPSec and NAT
Table 26-1 VPN and NAT
VPN/IPSec Setup
27.1 VPN/IPSec Overview
27.2 IPSec Algorithms
27.2.1 AH (Authentication Header) Protocol
27.2.2 ESP (Encapsulating Security Payload) Protocol
27.3 My IP Address
27.4 Secure Gateway Address
27.4.1 Dynamic Secure Gateway Address
27.5 Summary Screen
27.6 Keep Alive
27.7 NAT Traversal
27.7.1 NAT Traversal Configuration
27.8 ID Type and Content
Table 27-3 Local ID Type and Content Fields
Table 27-4 Peer ID Type and Content Fields
27.8.1 ID Type and Content Examples
27.9 Configuring Basic IKE VPN Rule Setup
Figure 27-4 Basic IKE VPN Rule Setup
Table 27-7 Basic IKE VPN Rule Setup
27.10 IKE Phases
27.10.1 Negotiation Mode
27.10.2 Pre-Shared Key
27.10.3 Diffie-Hellman (DH) Key Groups
27.10.4 Perfect Forward Secrecy (PFS)
27.11 Configuring Advanced IKE Setup
Figure 27-6 Advanced IKE VPN Rule Setup
Table 27-8 Advanced IKE VPN Rule Setup
27.12 Manual Key Setup
27.12.1 Security Parameter Index (SPI)
27.13 Configuring Edit Manual Setup
Manual
Figure 27-7 Manual IKE VPN Rule Setup
Table 27-9 Manual IKE VPN Rule Setup
27.14 SA Monitor
Figure 27-8 VPN SA Monitor
Table 27-10 VPN SA Monitor
27.15 Global Settings
27.16 Telecommuter VPN/IPSec Examples
27.16.1 Telecommuters Sharing One VPN Rule Example
27.16.2 Telecommuters Using Unique VPN Rules Example
Figure 27-11 Telecommuters Using Unique VPN Rules Example
Part IX:
Troubleshooting
Troubleshooting
23.1 Problems Starting Up the ZyWALL
28.1 Problems with a LAN Interface
28.2 Problems with the WAN Interface
28.3 Problems with Internet Access
23.2 Problems with the Password
28.4 Problems with Remote Management
Part X:
General Appendices
Setting up Your Computer’s IP Address
Windows 95/98/Me
Configuration
Windows 2000/NT/XP
Macintosh OS 8/9
Macintosh OS
Antennas
Antenna Characteristics
Types of Antennas For WLAN
Positioning Antennas
Triangle Route
The Ideal Setup
The “Triangle Route” Problem
The “Triangle Route” Solutions
IP Aliasing
Gateways on the WAN Side
The Big Picture
Wireless LAN and IEEE
Benefits of a Wireless LAN
IEEE
Ad-hoc Wireless LAN Configuration
Infrastructure Wireless LAN Configuration
Wireless LAN With IEEE
Security Flaws with IEEE
Deployment Issues with IEEE
Advantages of the IEEE
Diagram F-1 Sequences for EAP MD5-Challenge Authentication
PPPoE
PPPoE in Action
Benefits of PPPoE
Traditional Dial-up Scenario
How PPPoE Works
ZyWALL as a PPPoE Client
PPTP
What is PPTP
PPTP and the ZyWALL
PPTP Protocol Overview
Control & PPP connections
PPP Data Connection
Hardware Specifications
Cable Pin Assignments
Chart I-2 Console/Dial Backup Port Pin Assignments
Chart I-3 Ethernet Cable Pin Assignments
Power Adaptor Specifications
Chart I-6 UK AC Power Adaptor Specifications
Chart I-7 Japan AC Power Adaptor Specifications
Chart I-8 Australia and New Zealand AC Power Adaptor Specifications
Universal Plug and Play
UPnP and ZyXEL
NAT Traversal
Opening UPnP
Installing UPnP in Windows Examples
Step 1. Click Start and Control Panel. Double-click Add/Remove Programs
Windows Setup
Communication
Components
Using UPnP in Windows XP Example
Auto-discover Your UPnP-enabled Network Device
start
Step 3. In the Internet Connection Properties
Web Configurator Easy Access
Panel
Connections
Step 3. Select My Network Places under Other Places
Local Network
IP Subnetting
IP Addressing
IP Classes
Subnet Masks
Subnetting
Example: Two Subnets
Chart K-5 Subnet
Chart K-6 Subnet
Example: Four Subnets
Example Eight Subnets
Subnetting With Class A and Class B Networks
Safety Warnings and Instructions
Part XI:
Command and Log Appendices
Command Interpreter
Command Syntax
Command Usage
Firewall Commands
NetBIOS Filter Commands
Introduction
Display NetBIOS Filter Settings
NetBIOS Filter Configuration
Boot Commands
Diagram P-2 Boot Module Commands
Log Descriptions
Chart Q-3 UPnP Logs
Chart Q-4 Content Filtering Logs
Chart Q-5 Attack Logs
Chart Q-6 Access Logs
Chart Q-7 ACL Setting Notes
Chart Q-8 ICMP Notes
VPN/IPSec logs
VPN Responder IPSec Log
A PYLD_MALFORMED packet usually means that the two ends of the VPN tunnel are not using the same pre-shared key
Chart Q-10 Sample IKE Key Exchange Logs
Chart Q-11 Sample IPSec Logs During Packet Transmission
Log Commands
Log Command Example
Brute-Force Password Guessing Protection
Part XII:
Index
Index