Manuals / Brands / Computer Equipment / Network Router / ZyXEL Communications / Computer Equipment / Network Router

ZyXEL Communications P-324 12.1.1 Guidelines For Enhancing Security With Your Firewall

1 285

Download 285 pages, 5.1 Mb

The Prestige can be used to prevent theft, destruction and modification of data, as well as log events, which may be important to the security of your network.

The Prestige is installed between the LAN and a broadband modem connecting to the Internet. This allows it to act as a secure gateway for all data passing between the Internet and the LAN.

The Prestige has one Ethernet WAN port and four Ethernet LAN ports, which are used to physically separate the network into two areas.

The WAN (Wide Area Network) port attaches to the broadband (cable or DSL) modem to the Internet.

The LAN (Local Area Network) port attaches to a network of computers, which needs security from the outside world. These computers will have access to Internet services such as e-mail, FTP and the World Wide Web. However, "inbound access" is not allowed (by default) unless the remote host is authorized to use a specific service.

12.1.1 Guidelines For Enhancing Security With Your Firewall

1.Change the default password via web configurator.

Think about access control before you connect to the network in any way, including attaching a modem to the port.

Limit who can access your router.

Don't enable any local service (such as SNMP or NTP) that you don't use. Any enabled service could present a potential security risk. A determined hacker might be able to find creative ways to misuse the enabled services to access the firewall or the network.

For local services that are enabled, protect against misuse. Protect by configuring the services to communicate only with specific peers, and protect by configuring rules to block packets for the services at specific interfaces.

Protect against IP spoofing by making sure the firewall is active.

Keep the firewall in a secured (locked) room.

12-2

Firewall

Contents

User’s Guide Copyright Disclaimer Trademarks Federal Communications Commission (FCC) Interference Statement Notice Information for Canadian Users Declaration of Conformity We, the Manufacturer/Importer ZyXEL Communications Corp No. 6, Innovation Rd. II Science-BasedIndustrial Park ZyXEL Limited Warranty Customer Support Table of Contents Advanced Applications Advanced Management Page Page List of Figures Page Page Page Page List of Diagrams List of Charts List of Tables Page Page Page Preface About This User's Manual Related Documentation Syntax Conventions Page Part I: Getting Started Page Getting to Know Your Prestige 1.1Intelligent Broadband Sharing Gateway 1.2Features of the Prestige 1.2.1 Hardware Features 10/100MB Auto-negotiatingEthernet WAN 1.2.2Firmware Features Full Network Management Firewall Content Filtering Packet Filtering DHCP Support Dynamic DNS Support IP Multicast IP Alias Call Scheduling 1.3Broadband Internet Access via Cable or DSL Modem 1.4Internet Access Configuration Checklist Page Hardware Installation & Initial Setup 2.1Front Panel 2.2Prestige Rear Panel and Connections Table 2-1PrestigeRear Panel Connections Do this step last. Use only the included power adapter See the Power Adapter Specification Appendix for regional See the for regional 2.3Turning on Your Prestige 2.4Front Panel LEDs Page Page Introducing the Web Configurator This chapter describes how to access the Prestige web configurator 3.1Accessing the Prestige Web Configurator Figure 3-3Change Password MAIN MENU WIZARD SETUP MAINTENANCE Figure 3-4The MAIN MENU Screen of the Web Configurator Follow the instructions you see in the MAIN MENU screen or click the icon (located in the top right corner of most screens) to view embedded help The icon does not appear in the MAIN MENU screen Page Wizard Setup 4.1Introduction to Wizard Screens 4.1.1 General Setup and System Name 4.1.2 Domain Name 4.2Wizard Setup: Screen 4.2.1 Ethernet 4.2.2 PPTP Encapsulation The Prestige supports one PPTP server connection at any given time Figure 4-2Wizard 2: PPTP Encapsulation Table 4-3PPTP Encapsulation 4.2.3 PPPoE Encapsulation Figure 4-3Wizard2: PPPoE Encapsulation 4.3Wizard Setup: Screen 4.3.1 WAN IP Address Assignment 4.3.2 IP Address and Subnet Mask 4.3.3 DNS Server Address Assignment 4.3.4 WAN MAC Address Table 4-6Example of Network Properties for LAN Servers with Fixed IP Addresses Table 4-7WAN Setup 4-11WizardSetup 4.4Basic Setup Complete Introducing the SMT and General Setup 5.1Accessing the Prestige via the Console Port 5.1.1 Initial Screen 5.1.2 Entering the Password 5.2Navigating the SMT Interface 5.2.1 Main Menu 5.2.2 System Management Terminal Interface Summary 5.3Changing the System Password 5.3.1 Resetting the Prestige Uploading a Configuration File Via Console Port Procedure To Use The RESET Button 5.4General Setup 5.4.1 Dynamic DNS DYNDNS Wildcard 5.4.2 Procedure For Configuring Menu 5.4.3 Configuring Dynamic DNS Figure 5-7Configure Dynamic DNS Follow the instructions in the next table to configure Dynamic DNS parameters Table 5-4Configure Dynamic DNS Menu Fields http://www.dyndns.org Page WAN Setup and Dial Backup 6.1Cloning The MAC Address 6.2Dial Backup 6.2.1 Configuring Dial Backup in Menu Figure 6-2Configuring Dial Backup in Menu The following table contains instructions on how to configure your WAN setup Table 6-2Configuring Dial Backup in Menu Press [SPACE BAR] and then press [ENTER] to select the speed of the connection between the Dial Backup port and the external device 6.2.2 Configuring Dial Backup Using Advanced WAN Setup 6.2.3 AT Command Strings 6.2.4 DTR Signal 6.2.5 Response Strings Edit Advanced Setup Menu 2 - WAN Setup Figure 6-3Menu 2.1 Advanced WAN Setup Table 6-3Advanced WAN Port Setup: AT Commands Fields Table 6-4Advanced WAN Port Setup: Call Control Parameters 6.2.6 Configuring Remote Node Profile (Backup ISP) Page 6.2.7 Editing PPP Options 6.2.8 Edit Script Options Dial Timeout Figure 6-6Remote Node Setup Script LAN Setup 7.1Introduction 7.1.1 LAN Port Filter Setup 7.2TCP/IP and DHCP for LAN 7.2.1 Factory LAN Defaults 7.2.2 DHCP Configuration IP Pool Setup DNS Server Address 7.2.3 IP Address and Subnet Mask 7.2.4 Private IP Addresses 7.2.5 RIP Setup 7.2.6 IP Multicast 7.2.7 IP Alias 7.3TCP/IP and DHCP Ethernet Setup Figure 7-5Menu 3 — LAN Setup (10/100 Mbps Ethernet) Menu 3.2 - TCP/IP and DHCP Ethernet Setup Figure 7-6Menu 3.2 — TCP/IP and DHCP Ethernet Setup Table 7-3LAN DHCP Setup Menu Fields Table 7-4LAN TCP/IP Setup Menu Fields 7.3.1 IP Alias Setup Page Internet Access 8.1Internet Access Setup 8.1.1 Ethernet Encapsulation Figure 8-1Internet Access Setup (Ethernet) The following table describes this screen Table 8-1Internet Access Setup Menu Fields Internet Access 8.1.2 PPTP Encapsulation 8.1.3 Configure PPTP Client 8.1.4 PPPoE Encapsulation Figure 8-3Internet Access (PPPoE) 8.2Internet Test Setup Page Part II: Advanced Applications Remote Node Setup 9.1Introduction 9.2Remote Node Profile 9.2.1 Ethernet Encapsulation Figure 9-1Menu 11.1 Remote Node Profile for Ethernet Encapsulation Table 9-1Fields in Menu 11.1 (Ethernet Encapsulation) 9.2.2 PPTP Encapsulation Figure 9-2Remote Node Profile for PPTP Encapsulation Table 9-2Fields in Menu 11.1 (PPTP Encapsulation) Nailed-UpConnection 9.2.3 PPPoE Encapsulation Figure 9-3Menu 11.1 Remote Node Profile for PPPoE Encapsulation The next table describes the fields NOT already described in Table 9-1 already Table 9-3Fields in Menu 11.1 (PPPoE Encapsulation Specific Only) 9.3Edit IP Remote Node Network Layer Options Table 9-4Remote Node Network Layer Options Menu Fields 9.4Remote Node Filter 9.5Traffic Redirect 9.5.1 Route Priority and Metric 2.Traffic-redirectroute 3.Dial-backuproute Menu 11.1— Remote Node Profile Figure 9-9Menu 11.1 — Remote Node Profile Edit Traffic Redirect Table 9-5Menu 11.1 — Remote Node Profile (Traffic Redirect Field) 9.5.2 Traffic Redirect Setup Page IP Static Route Setup 10.1 IP Static Route Setup Table 10-1IP Static Route Menu Fields Page Network Address Translation (NAT) 11.1 Introduction 11.1.1 NAT Definitions 11.1.2 What NAT Does 11.1.3 How NAT Works 11.1.4 NAT Application 11.1.5 NAT Mapping Types Many to Many Overload Server Port numbers do not change for One-to-One and Many One-to-One NAT mapping types When you select One-to-One or Many- One-to-One NAT mapping, the firewall 11.2 SUA (Single User Account) Versus NAT 11.2.1Applying NAT Figure 11-3Menu 4 — Applying NAT for Internet Access Menu 11.3 - Remote Node Network Layer Options 11.3 NAT Setup 11.3.1 Address Mapping Sets SUA Address Mapping Set Figure 11-7Menu 15.1.255 — SUA Address Mapping Rules The following table explains the fields in this screen The fields in menu 15.1.255 are read-only Table 11-4SUA Address Mapping Rules User-DefinedAddress Mapping Sets Ordering Your Rules No changes to the set take place until this action is taken Edit Menu 15.1.1.1 - Address Mapping Rule Local Global Start/End IPs Page 11.3.2 Port Forwarding Setup Configuring a Server behind NAT Figure 11-10Menu 15.2 — NAT Server Setup Figure 11-11Multiple Servers Behind NAT Example 11.3.3 Trigger Port Setup Two Points To Remember About Trigger Ports Enter 3 in menu 15 to display Menu 15.3 — Trigger Port Setup, shown next Menu 15.3 — Trigger Port Setup Figure 11-13Menu 15.3: Trigger Port Setup 11.4 General NAT Examples 11.4.1 Internet Access Only Figure 11-14NAT Example Figure 11-15Menu 4 — Internet Access & NAT Example Network Address Translation 11.4.2 Example 2: Internet Access with an Inside Server 11.4.3 Example 3: Multiple Public IP Addresses With Inside Servers Figure 11-17NAT Example Menu 15.1 - Address Mapping Sets Full Feature Edit Action One-to-One Start IP Figure 11-18Example 3: Menu Figure 11-19Example 3: Menu Figure 11-20Example 3: Final Menu Now configure the IGA3 to map to our web server and mail server on the LAN Step 7. Enter 15 from the main menu Step 8. Now enter 2 from this menu and configure it as shown in Figure 11.4.4 Example 4: NAT Unfriendly Application Programs Figure 11-22NAT Example Figure 11-23Example 4: Menu 15.1.1.1 — Address Mapping Rule Figure 11-24Example 4: Menu 15.1.1 — Address Mapping Rules Page Part III: Advanced Management Page Firewall 12.1 Introduction What is a Firewall Stateful Inspection Firewall About the Prestige Firewall 12.1.1 Guidelines For Enhancing Security With Your Firewall 12.2 SMT Firewall Menu 12.3 Web Configurator Firewall Settings Screen Figure 12-3Firewall Settings Table 12-1Firewall Settings 12.4 The Firewall, NAT and Remote Management 12.4.1LAN-to-WANrules 12.4.2 WAN-to-LANrules 12.5 Filter Table 12-2Firewall Filter 12.6 Services Table 12-3Firewall Service Page Filter Configuration 13.1 About Filtering 13.1.1 The Filter Structure of the Prestige Filter Set Execute Filter Rule 13.2 Configuring a Filter Set 13.2.1 Filter Rules Summary Menu 13.2.2 Configuring a Filter Rule 13.2.3 TCP/IP Filter Rule Page The following figure illustrates the logic flow of an IP filter Figure 13-7Executing an IP Filter 13.2.4 Generic Filter Rule Page 13.3 Example Filter Figure 13-10Example Filter — Menu Figure 13-11Example Filter Rules Summary — Menu 13.4 Filter Types and NAT 13.5 Applying a Filter and Factory Defaults 13.5.1 LAN traffic 13.5.2 Remote Node Filters UPnP 14.1 Introducing Universal Plug and Play 14.1.1 How do I know if I'm using UPnP 14.1.2 NAT Traversal 14.1.3 Cautions with UPnP 14.2 UPnP and ZyXEL 14.2.1 Configuring UPnP Figure 14-1Configuring UPnP Table 14-1Configuring UPnP 14.3 Installing UPnP in Windows Example Installing UPnP in Windows Me Installing UPnP in Windows XP 14.4 Using UPnP in Windows XP Example Auto-discoverYour UPnP-enabledNetwork Device Add When the UPnP-enableddevice is disconnected from your computer, all port mappings will be deleted automatically Web Configurator Easy Access Local Network Invoke SNMP Configuration This chapter explains SNMP configuration menu 15.1 About SNMP 15.2 Supported MIBs 15.3 SNMP Configuration 15.4 SNMP Traps Page System Information & Diagnosis 16.1 System Status 16.1.1 To get to the System Status: 16.2 System Information and Console Port Speed 16.2.1 System Information 16.2.2 Console Port Speed 16.3 Log and Trace 16.3.1 Viewing Error Log 16.3.2 UNIX Syslog 16.3.3 Call-TriggeringPacket 16.4 Diagnostic 16.4.1 WAN DHCP Figure 16-11WAN & LAN DHCP Table 16-4System Maintenance Menu Diagnostic Page Firmware and Configuration File Maintenance 17.1 Filename Conventions 17.2 Backup Configuration 17.2.1 Using the FTP Command from the DOS Prompt Example of FTP Commands from the DOS Prompt FTP GUI Clients TFTP and FTP over WAN Will Not Work When 17.2.2 Backup Configuration Using TFTP 17.2.3 TFTP Command Example TFTP GUI Clients 17.2.4 Backup Via Console Port Figure 17-3System Maintenance — Backup Configuration Step 1. The following screen indicates that the Xmodem download has started Figure 17-4System Maintenance — Starting Xmodem Download Screen Receive File Figure 17-5Backup Configuration Example 17.3 Restore Configuration 17.3.1 Restore Using FTP or TFTP Figure 17-7Telnet into Menu Step 14. Launch the FTP client on your computer Restore Using FTP or TFTP Session Example 17.3.2 Restore Via Console Port 17.4 Uploading Firmware and Configuration Files 17.4.1 Firmware File Upload 17.4.2 Configuration File Upload FTP File Upload Command from the DOS Prompt Example FTP Session Example of Firmware File Upload 17.4.3 TFTP File Upload TFTP Upload Command Example 17.4.4 Uploading Via Console Port Uploading a Firmware File Via Console Port Example Xmodem Firmware Upload Using HyperTerminal Example Xmodem Configuration Upload Using HyperTerminal Figure 17-19Example Xmodem Upload System Maintenance & Information 18.1 Command Interpreter Mode 18.2 Call Control Support 18.2.1 Budget Management 18.2.2 Call History 18.3 Time and Date Setting Figure 18-7Menu 24.10 System Maintenance — Time and Date Setting Table 18-3Time and Date Setting Fields Time Update Frequency Page Remote Management 19.1 Introduction 19.1.1 Telnet 19.1.2 FTP 19.1.3 Web 19.2 Remote Management Setup the service, then you will not be able to remotely manage the service Disable Server Access Enter 11 from menu 24 to bring up Menu 24.11 – Remote Management Control If you just wish to block certain users from using these services, then use 19.3 Remote Management and the Firewall 19.4 Remote Management and NAT 19.5 System Timeout Page Call Scheduling This chapter shows you how to setup call time periods for remote nodes 20.1 Introduction 20.2 Schedule Setup 20.3 Schedule Set Setup Table 20-1Schedule Set Setup Fields 20.4 Applying Schedule Sets to Remote Nodes Figure 20-4Applying Schedule Sets to a Remote Node Example (PPTP Encapsulation) Page Troubleshooting 21.1 Problems Starting Up the Prestige 21.2 Problems with the LAN Interface 21.3 Problems with the WAN Interface Page Part IV: Appendices and Index Appendix A PPPoE PPPoE in Action Benefits of PPPoE Traditional Dial-upScenario How PPPoE Works The Prestige as a PPPoE Client Appendix B PPTP What is PPTP How can we transport PPP frames from a PC to a broadband modem over Ethernet PPTP Protocol Overview Control & PPP connections Call Connection Diagram 5 Example Message Exchange between PC and an ANT PPP Data Connection Appendix C Boot Commands Diagram 7 Boot Module Commands Appendix D NetBIOS Filter Commands The following describes the NetBIOS packet filter commands Display NetBIOS Filter Settings NetBIOS Filter Configuration Page Appendix E Log Descriptions Chart 3 UPnP Logs UPnP pass through Firewall Chart 4 Content Filtering Logs IP/Domain Name Chart 5 ICMP Type and Code Explanations Page Appendix F Power Adapter Specifications Appendix G Hardware Specifications Cable Pin Assignments Windows 95/98/Me Configuration If you need the adapter: If you need TCP/IP: If you need Client for Microsoft Networks: Properties Page Checking/Modifying Your Computer’s IP Address Windows 2000/NT/XP Page Page Page Page Macintosh OS 8/9 Macintosh OS Check your TCP/IP properties in the Network window Appendix Brute-ForcePassword Guessing Protection Example Appendix J Triangle Route The Ideal Setup The “Triangle Route” Problem The “Triangle Route” Solutions IP Aliasing Gateways on the WAN Side How To Configure Triangle Route: Page Page Index Header Encapsulation Ethernet 4-2, 4-5 Ethernet Encapsulation ...8-1, 9-1, 9-2, 9-4, 9-10 IP Multicast Internet Group Management Protocol (IGMP) 10-1, 10-2 7-1, 7-6 6-1, 6-2 RIP 7-5, 7-8 RR-Manager 1-6, 8-2 8-2 TCP/IP 7-2, 7-6, 7-7, 7-8, 9-7, 13-7, 13-9, 13-12 13-16 TCP/IP filter rule Telnet Configuration Telnet Under NAT