17-1 | ZyXEL Communications P-312 guide

P312 Broadband Security Gateway


15.3	E-Mail		15-3
15.3.1		What are Alerts?	15-3
15.3.2		What are Logs?	15-4
15.3.3		SMTP Error Messages	15-6
15.3.4		Example E-Mail Log	15-6
15.4	Attack Alert		15-7
15.4.1		Threshold Values:	15-8
15.4.2		Half-Open Sessions	15-8
Chapter 16		Creating Custom Rules	16-1
16.1	Rules Overview		16-1
16.2	Rule Logic Overview		16-1
16.2.1		Rule Checklist	16-1
16.2.2		Security Ramifications	16-2
16.2.3		Key Fields For Configuring Rules	16-2
16.3	Connection Direction		16-3
16.3.1		LAN to WAN Rules	16-3
16.3.2		WAN to LAN Rules	16-3
16.4	Services Supported		16-4
16.5	Rule Summary		16-6
16.5.1		Creating/Editing Firewall Rules	16-8
16.5.2		Source & Destination Addresses	16-10
16.6	Timeout		16-12
16.6.1		Factors Influencing Choices for Timeout Values:	16-12
Chapter 17		Custom Ports	17-1
17.1	Introduction		17-1
17.2	Creating/Editing A Custom Port		17-2
Chapter 18		Logs	18-1
18.1	Log Screen		18-1
Chapter 19		Example Firewall Rules	19-1
19.1	Examples		19-1
19.1.1		Example 1 - Firewall Rule To Allow Web Service From The Internet	19-1
19.1.2		Example 2 – Small Office With Mail, FTP and Web Servers	19-6
19.1.3		Example 3: DHCP Negotiation and Syslog Connection from the Internet	19-11
Chapter 20		Content Filtering	20-1

xiv		Table Of Contents

Image 14

ZyXEL Communications P-312 manual 17-1

Contents

Prestige Trademarks CopyrightDisclaimer Federal Communications Commission FCC Interference Statement Information for Canadian Users Declaration of Conformity Version P312 Broadband Security Gateway CE Doc ZyXEL Limited Warranty Customer Support Information in Menu 24.2.1 -System Information Table of Contents LAN Port Filter Setup Chapter Advanced Management 12-1 Firewall and Content Filters 13-1 17-1 21-1 Pptp List of Figures Menu 11.1 Remote Node Profile for Ethernet Encapsulation List Of Figures Xvii Xviii List Of Figures Xix Menu 21 Filter and Firewall Setup 14-1 List Of Figures Xxi Page List Of Tables Xxiv List of Tables Xxv Page Structure of this Manual PrefaceAbout Your Router Related Documentation Syntax Conventions Part Page Prestige 312 Broadband Security Gateway Features of The PrestigeGetting to Know Your Prestige Dynamic DNS Support Dhcp Dynamic Host Configuration ProtocolTime and Date Setting IP Multicast Applications for Prestige Broadband Internet Access via Cable or xDSL ModemUpgrade Prestige Firmware via LAN Logging and Tracing Secure Internet Access via DSL Front Panel LEDs Hardware Installation & Initial SetupFront Panel LEDs and Back Panel Ports LED functions Prestige 312 Rear Panel and Connections WAN Additional Installation Requirements Entering Password HousingPower Up Your Prestige Initial Screen Operation Keystrokes Description Main Menu CommandsNavigating the SMT Interface Enter Prestige 312 Main Menu Main MenuSystem Management Terminal Interface Summary Main Menu Summary Changing the System Password Resetting the Prestige Dyndns Wildcard General SetupDynamic DNS Configure Menu 1.1 Configure Dynamic DNS discussed next Configuring Dynamic DNSGeneral Setup Menu Field Field Description Example Yes WAN SetupConfigure Dynamic DNS Menu Fields Me.ddns.org LAN Setup WAN Setup Menu Fields LAN Port Filter Setup 10 Menu 3 LAN Setup TCP/IP and Dhcp for LAN Internet AccessFactory LAN Defaults IP Address and Subnet Mask RIP Setup Private IP Addresses IP Multicast Dhcp ConfigurationIP Pool Setup DNS Server Address Physical Network Partitioned Logical Networks TCP/IP and Dhcp Ethernet SetupIP Alias Menu 3 LAN Setup 10/100 Mbps Ethernet LAN Dhcp Setup Menu Fields LAN TCP/IP Setup Menu Fields IP Alias Setup Menu Fields IP Alias SetupMenu 3.2.1 IP Alias Setup Only/Out Only Internet Access SetupEthernet Encapsulation RIP-1 Internet Access Setup Menu Fields Pptp Encapsulation New Fields in Menu 4 Pptp screen Configuring the Pptp ClientPPPoE Encapsulation Prestige automatically disconnects from the Pptp server Internet Access Setup PPPoE Basic Setup Complete New Fields in Menu 4 PPPoE screen Advanced Applications Remote Node Setup Remote Node Profile Fields in Menu Nailed-Up Connection Fields in Menu 11.1 PPPoE Encapsulation Specific Fields in Menu 11.1 Pptp Encapsulation Editing TCP/IP Options with Ethernet Encapsulation Remote Node Network Layer Options Menu Fields Version Editing TCP/IP Options with Pptp EncapsulationPrivate 2B/RIP-2M and None Multicast Remote Node Network Layer Options Yes/No Remote Node FilterEditing TCP/IP Options with PPPoE Encapsulation None/In Only/Out Only and None Remote Node Filter Ethernet Encapsulation IP Static Route Setup Example of Static Routing Topology IP Static Route Setup Menu 12 IP Static Route Setup IP Static Route Menu Fields Field DescriptionPage NAT Definitions Network Address Translation NATIntroduction What NAT Does How NAT works NAT Mapping Types Type IP Mapping SMT abbreviation SUA Single User Account Versus NATNAT Mapping Types Applying NAT in the SMT Menus SMT MenusNAT Application Applying NAT for Internet Access Address Mapping Sets and NAT Server Sets Configuring NATField Options Description Network Full Feature Applying NAT in Menus 4 Menu 15.1 Address Mapping Sets Field Description Options/Example Server Ordering Your Rules Menu Menu 15.1.1.1 configuring an individual rule Editing an Individual Rule in a Set NAT Server Sets Multiple Servers behind NAT Configuring a Server behind NAT 10 Multiple Servers Behind NAT Examples Internet Access OnlyServices Port Number 13 Internet Access & NAT Example NAT Example Example 2 Internet Access with an Inside Server Example 3 General Case 16 NAT Example 17 Example 3 Menu 19 Example 3 Final Menu Example 4 -NAT Unfriendly Application Programs 21 NAT Example 22 Example 4- Menu 15.1.1.1 Address Mapping Rule Advanced Management Page Filter Configuration About Filtering Filter Structure of the Prestige Filter Rule Process Rule Forward Drop Configuring a Filter Set Menu 21 Filter and Firewall Setup NetBIOSWAN Filter Rules Summary Abbreviations Description Display Filter Rules Summary MenuAbbreviations Used in the Filter Rules Summary Menu Action Not Matched will be N/A Refers to Action Matched Abbreviations Used If Filter Type Is IP Configuring a Filter Rule3 TCP/IP Filter Rule Abbreviations Used If Filter Type Is GEN Menu 21.1.1.1 TCP/IP Filter Rule TCP/IP Filter Rule Menu Fields Yes / No None/Less/GreaterEqual/Not Equal Action Matched Following diagram illustrates the logic flow of an IP filter 10 Executing an IP Filter Generic Filter Rule 11 Menu 21.4.1.1 Generic Filter Rule Generic Filter Rule Menu Fields Example Filter 12 Telnet Filter Example 13 Example Filter Menu Filter Types and NAT 14 Example Filter Rules Summary Menu LAN traffic Applying a Filter and Factory DefaultsFirewall Remote Node Filters 16 Filtering LAN Traffic About Snmp Snmp ConfigurationConfiguring Snmp Snmp Configuration Menu Fields Field Description Default Menu 24 System Maintenance System Information & Diagnosis Menu 24.1 System Maintenance Status System Status LAN System Maintenance Status Menu FieldsPPPoE Encapsulation Dhcp System Information and Console Port Speed System Information Console Port Speed Fields in System MaintenanceLog and Trace Viewing Error Log Unix Syslog CDR System Maintenance Menu Syslog ParametersParameter Description CDR PPP log Diagnostic Call-Triggering Packet 10 Menu 24.4 System Maintenance Diagnostic WAN Dhcp Number Field Description System Maintenance Menu DiagnosticInternet Setup in Menu 4 Internet Access Transferring Files Filename conventions Firmware Development Backup ConfigurationCommand Filename Conventions Uploading the Router Firmware Restore ConfigurationUpload Firmware Uploading Router Configuration File Menu 24.7.1 System Maintenance Upload Router Firmware Tftp File Transfer Example Tftp Command Third Party Tftp Clients -General fields FTP File Transfer Telnet into Menu Using the FTP command from the DOS Prompt Telnet into Menu 24.7.2 System Maintenance Third Party FTP Clients -General fields Page Valid Commands System Maintenance & InformationCommand Interpreter Mode Call Control Call Control SupportBudget Management Call History Call History Call History Fields Time and Date SettingHow often does the Prestige update the time? System Maintenance & Information 11-5 Remote Management Setup Menu 24.11 Remote Management Control Boot Commands Option to Enter Debug Mode Boot Module Commands Single Administrator Telnet Configuration and CapabilitiesAbout Telnet Configuration Telnet Under NAT System Timeout Telnet Under the Firewall Firewall and Content Filters Packet Filtering Firewalls What is a FirewallTypes of Firewalls Application-level Firewalls Introduction to ZyXEL’s Firewall Stateful Inspection firewalls Denial of Service Basics Types of DoS attacks Common IP Ports SYN Flood Stateful Inspection Smurf Attack Stateful Inspection Process Stateful Inspection Stateful Inspection & the Prestige TCP Security Upper Layer Protocols Guidelines For Enhancing Security With Your Firewall13.4.4 UDP/ICMP Security Security In General What Is a Firewall? 13-11 Page Introducing the Prestige Firewall SMT Main Menu Land View Firewall LogAttack Types IP Spoofing Legal NetBIOS Commands Icmp Commands That Trigger AlertsIllegal Commands NetBIOS and Smtp Legal Smtp Commands Traceroute Teardrop Big Picture Filtering, Firewall and NAT Packet Filtering Vs Firewall Packet Filtering Firewall When To Use FilteringWhen To Use The Firewall Page Introducing the Prestige Web Configurator Web Configurator Login and Welcome Screens Prestige Web Configurator Welcome Screen Enabling the Firewall Mail What are Alerts? What are Logs? Mail Screen Mail Example E-Mail Log Smtp Error MessagesSmtp Error Messages Attack Alert Mail Log TCP Maximum Incomplete And Blocking Time Threshold ValuesHalf-Open Sessions Attack Alert Field Description Default Values Existing half-open sessions When TCP Maximum Incomplete is Do not set Maximum Incomplete High toPage Rules Overview Rule ChecklistCreating Custom Rules Rule Logic Overview Key Fields For Configuring Rules Security Ramifications WAN to LAN Rules Connection DirectionLAN to WAN Rules Services Supported WAN to LAN Traffic Services Supported Service Description Rule Summary Firewall Rules Summary First Screen Block Match Creating/Editing Firewall Rules Field Description Option Creating/Editing a Firewall Rule Source & Destination Addresses Range Address Adding/Editing Source & Destination AddressesSingle Address Subnet Address Timeout Factors Influencing Choices for Timeout Values Timeout Screen Hour Timeout MenuField Description Default Value Custom Ports Custom Ports Creating/Editing a Custom Port Creating/Editing a Custom Port Single Range Log Screen LogsLog Screen Jan 1 Vulnerability, NetBIOS, smtp illegalCommand, traceroute, teardrop, or syn Src IP, dest port, src port and protocol Logs 18-3 Page Example Firewall Rules Activate The Firewall Example 1 E-Mail Screen Example 1 Configuring a Rule Example Firewall Rules 19-5 Example 2 Small Office With Mail, FTP and Web Servers Example 1 Rule Summary Screen Send Alerts When Attacked Configuring a POP Custom Port Example 2 Local Network Rule 1 Configuration Example 2 Local Network Rule Summary 10 Example 2 Internet to Local Network Rule Summary 11 Custom Port for Syslog 12 Syslog Rule Configuration 13 Example 3 Rule Summary ActiveX Content FilteringRestrict Web Features Java Cookies Content Filtering Using the Web ConfiguratorBlocking URLs Web Proxy Block Web URLs Content Filtering FieldsField Description Restrict Web Features Troubleshooting, Appendices, Glossary and Index Page Troubleshooting the Start-Up of your Prestige TroubleshootingProblems Starting Up the Prestige Problem Corrective Action Troubleshooting the LAN Interface Problems with the LAN InterfaceProblems with the WAN interface Troubleshooting the WAN interface Troubleshooting Internet Access Problems with Internet AccessProblems with the Firewall Page PPPoE in Action Diagram 1 Single-PC per Modem Hardware ConfigurationAppendix a PPPoE Benefits of PPPoE Prestige as a PPPoE Client Diagram 2 Prestige as a PPPoE ClientHow PPPoE Works Pptp and the Prestige What is PPTP?Appendix B Pptp Protocol Overview Control & PPP connections IRD + OTD + Appendix C Hardware SpecificationsMtbf Appendix D Important Safety Instructions Appendix E Firewall CLI Commands Function CLI Syntax Sets Function CLI Syntax Description P312 Broadband Security Gateway Delete Appendix F Power Adapter Specs AC Power Adapter Specifications P312 Broadband Security Gateway CDR Chap Glossary of TermsARP CSU/DSU DCE DTE Dram DSLDslam EMI FTP FAQFCC Hdlc MAC Ipcp PPP IPXIRC ISP NIC NATNdis PAP Pstn POPPots PPP RIP PVCRFC SAP SUA TCP SpamSTP Tftp VPN Page Index Ddns Encapsulation 2-11, 2-12, 3-4 13-6 15-1 ZyNOS