ZyXEL Communications P-660HW-DX CHAPTER 9

P-660HW-Dx User’s Guide 143

CHAPTER 9

Firewalls

This chapter gives some background information on firewalls and introduces the ZyXEL

Device firewall.

9.1 Firewall Overview

Originally, the term firewall referred to a construction technique designed to prevent the

spread of fire from one room to another. The networking term “firewall” is a system or group

of systems that enforces an access-control policy between two networks. It may also be

defined as a mechanism used to protect a trusted network from an untrusted network. Of

course, firewalls cannot solve every security problem. A firewall is one of the mechanisms

used to establish a network security perimeter in support of a network security policy. It

should never be the only mechanism or method employed. For a firewall to guard effectively,

you must design and deploy it appropriately. This requires integrating the firewall into a broad

information-security policy. In addition, specific policies must be implemented within the

firewall itself.

Refer to Section 10.5 on page 158 to configure default firewall settings.

Refer to Section 10.6 on page 159 to view firewall rules.

Refer to Section 10.6.1 on page 161 to configure firewall rules.

Refer to Section 10.6.2 on page 164 to configure a custom service.

Refer to Section 10.10.3 on page 173 to configure firewall thresholds.

9.2 Types of Firewalls

There are three main types of firewalls:

• Packet Filtering Firewalls

• Application-level Firewalls

• Stateful Inspection Firewalls

9.2.1 Packet Filtering Firewalls

Packet filtering firewalls restrict access based on the source/destination computer network

address of a packet and the type of application.

Contents

Main Page About This User's Guide " Document Conventions 1 " Page Safety Warnings 1 Page Page Contents Overview Page Table of Contents Page Page Page Page Page Part VI: Maintenance and Troubleshooting....................................... 225 Part VII: Appendices and Index .......................................................... 263 Page Page List of Figures Page Page Page Page Page List of Tables Page Page Page Page Page CHAPTER 1 Introducing the ZyXEL Device 1.1 Overview 1 " 1.2 Ways to Manage the ZyXEL Device 1.3 Good Habits for Managing the ZyXEL Device 1.4 LEDs Chapter 1 Introducing the ZyXEL Device The following table describes the LEDs. 1.5 Hardware Connections Refer to the Quick Start Guide for information on hardware connections. Table 2 Front Panel LEDs CHAPTER 2 Introducing the Web Configurator 2.1 Web Configurator Overview 2.2 Accessing the Web Configurator " 2.2.1 User Access 2.2.2 Administrator Access Page " 2.3 Resetting the ZyXEL Device 2.3.1 Using the Reset Button 2.4 Navigating the Web Configurator 2.4.1 Navigation Panel " embedded help. Table 3 Web Configurator Screens Summary Table 3 Web Configurator Screens Summary (continued) Chapter 2 Introducing the Web Configurator P-660HW-Dx Users Guide 43 2.4.2 Status Screen Table 3 Web Configurator Screens Summary (continued) Figure 9 Status Screen The following table describes the labels shown in the Status screen. Table 4 Status Screen Chapter 2 Introducing the Web Configurator P-660HW-Dx Users Guide 45 Table 4 Status Screen (continued) 2.4.3 Status: Any IP Table 2.4.4 Status: WLAN Status 2.4.5 Status: Bandwidth Status 2.4.6 Status: Packet Statistics Figure 13 Status: Packet Statistics Table 7 Status: Packet Statistics 2.4.7 Changing Login Password Page Page Page CHAPTER 3 Wizard Setup for Internet Access " Page Page Figure 20 Internet Access Wizard Setup: ISP Parameters Table 8 Internet Access Wizard Setup: ISP Parameters Page Figure 23 Internet Connection with ENET ENCAP Table 11 Internet Connection with ENET ENCAP Table 10 Internet Connection with RFC 1483 (continued) Page Page Page Figure 29 Wireless LAN Setup Wizard 2 Table 14 Wireless LAN Setup Wizard 2 " 3.3.1 Manually assign a WPA-PSK key 3.3.2 Manually assign a WEP key 5Click Apply to save your wireless LAN settings. Page Page CHAPTER 4 Bandwidth Management Wizard 4.1 Introduction 4.2 Predefined Media Bandwidth Management Services Chapter 4 Bandwidth Management Wizard 4.3 Bandwidth Management Wizard Setup Figure 34 Select a Mode Table 17 Media Bandwidth Management Setup: Services (continued) Page Page Page Page Page Page CHAPTER 5 WAN Setup 5.1 WAN Overview 5.1.1 Encapsulation 5.1.2 Multiplexing 5.1.3 Encapsulation and Multiplexing Scenarios 5.1.4 VPI and VCI 5.1.5 IP Address Assignment 5.1.6 Nailed-Up Connection (PPP) 5.1.7 NAT 5.2 Metric 5.3 Traffic Shaping 5.3.1 ATM Traffic Classes 5.4 Zero Configuration Internet Access 5.5 Internet Connection Chapter 5 WAN Setup P-660HW-Dx Users Guide 81 Figure 40 Internet Connection (PPPoE) Table 20 Internet Connection 5.5.1 Configuring Advanced Internet Connection Setup Table 20 Internet Connection (continued) Chapter 5 WAN Setup P-660HW-Dx Users Guide 83 Figure 41 Advanced Internet Connection Setup Table 21 Advanced Internet Connection Setup 5.6 Configuring More Connections Figure 42 More Connections Table 21 Advanced Internet Connection Setup (continued) Chapter 5 WAN Setup P-660HW-Dx Users Guide 85 5.6.1 More Connections Edit Click the edit icon ( ) in the More Connections screen to configure a connection. Table 22 More Connections Page Chapter 5 WAN Setup P-660HW-Dx Users Guide 87 Table 23 More Connections Edit (continued) 5.6.2 Configuring More Connections Advanced Setup Figure 44 More Connections Advanced Setup The following table describes the labels in this screen. Table 24 More Connections Advanced Setup Page Figure 47 WAN Backup Setup The following table describes the labels in this screen. Table 25 WAN Backup Setup Chapter 5 WAN Setup P-660HW-Dx Users Guide 91 Note: If you activate traffic redirect, you must configure at least one Check WAN IP Address. Table 25 WAN Backup Setup (continued) Page CHAPTER 6 LAN Setup 6.1 LAN Overview 6.1.1 6.1.2 DHCP Setup 6.2 DNS Server Addresses 6.3 LAN TCP/IP 6.3.1 IP Address and Subnet Mask " 6.3.2 RIP Setup 6.3.3 Multicast 6.3.4 Any IP " 6.4 Configuring LAN IP Chapter 6 LAN Setup P-660HW-Dx Users Guide 99 6.4.1 Configuring Advanced LAN Setup Figure 51 Advanced LAN Setup The following table describes the labels in this screen. Table 27 Advanced LAN Setup 6.5 DHCP Setup Figure 52 DHCP Setup Table 27 Advanced LAN Setup (continued) Table 28 DHCP Setup 6.6 LAN Client List 6.7 LAN IP Alias " Chapter 6 LAN Setup P-660HW-Dx Users Guide 103 Figure 55 LAN IP Alias Table 30 LAN IP Alias Page CHAPTER 7 Wireless LAN 7.1 Wireless Network Overview 7.2 Wireless Security Overview 7.2.1 SSID 7.2.2 MAC Address Filter 7.2.3 User Authentication 7.2.4 Encryption " 7.2.5 One-Touch Intelligent Security Technology (OTIST) 7.3 General Wireless LAN Screen " 7.3.1 No Security " 7.3.2 WEP Encryption Chapter 7 Wireless LAN P-660HW-Dx Users Guide 111 Figure 59 Wireless: Static WEP Encryption 7.3.3 WPA-PSK/WPA2-PSK Table 34 Wireless: Static WEP Encryption Figure 60 Wireless: WPA-PSK/WPA2-PSK Table 35 Wireless: WPA-PSK/WPA2-PSK Chapter 7 Wireless LAN P-660HW-Dx Users Guide 113 7.3.4 WPA/WPA2 Table 35 Wireless: WPA-PSK/WPA2-PSK Figure 61 Wireless: WPA/WPA2 Table 36 Wireless: WPA/WPA2 Chapter 7 Wireless LAN P-660HW-Dx Users Guide 115 7.3.5 Wireless LAN Advanced Setup Table 36 Wireless: WPA/WPA2 (continued) Figure 62 Advanced Table 37 Wireless LAN: Advanced 7.4 OTIST " 7.4.1 Enabling OTIST " Page 7.4.2 Starting OTIST " 7.4.3 Notes on OTIST 7.5 MAC Filter 7.6 WMM QoS 7.6.1 WMM QoS Example 7.6.2 WMM QoS Priorities 7.6.3 Services Table 41 Commonly Used Services Chapter 7 Wireless LAN P-660HW-Dx Users Guide 125 7.7 QoS Screen 7.7.1 ToS (Type of Service) and WMM QoS Table 41 Commonly Used Services (continued) Click Network > Wireless LAN > QoS. The following screen displays. Figure 71 Wireless LAN: QoS Table 42 Wireless Lan: QoS Chapter 7 Wireless LAN P-660HW-Dx Users Guide 127 7.7.2 Application Priority Configuration Figure 72 Application Priority Configuration Table 43 Application Priority Configuration Page CHAPTER 8 Network Address Translation (NAT) Screens 8.1 NAT Overview 8.1.1 NAT Definitions 8.1.2 What NAT Does 8.1.3 How NAT Works 8.1.4 NAT Application 8.1.5 NAT Mapping Types 8.2 SUA (Single User Account) Versus NAT 8.3 SIP ALG Chapter 8 Network Address Translation (NAT) Screens P-660HW-Dx Users Guide 133 8.4 NAT General Setup Figure 75 NAT General The following table describes the labels in this screen. 8.5 Port Forwarding Table 46 NAT General " 8.5.2 Port Forwarding: Services and Port Numbers 8.5.3 Configuring Servers Behind Port Forwarding (Example) 8.6 Configuring Port Forwarding " Figure 77 NAT Port Forwarding The following table describes the fields in this screen. 8.6.1 Port Forwarding Rule Edit Table 48 NAT Port Forwarding 8.7 Address Mapping " Page 8.7.1 Address Mapping Rule Edit Table 51 Edit Address Mapping Rule Page Page CHAPTER 9 Firewalls 9.1 Firewall Overview 9.2 Types of Firewalls 9.2.1 Packet Filtering Firewalls 9.3 Introduction to ZyXELs Firewall 9.3.1 Denial of Service Attacks 9.4 Denial of Service 9.4.1 Basics 9.4.2 Types of DoS Attacks Page 9.5 Stateful Inspection 9.5.1 Stateful Inspection Process 9.5.2 Stateful Inspection and the ZyXEL Device " 9.5.3 TCP Security 9.5.4 UDP/ICMP Security 9.5.5 Upper Layer Protocols 9.6 Guidelines for Enhancing Security with Your Firewall 9.6.1 Security In General 9.7 Packet Filtering Vs Firewall 9.7.1 Packet Filtering: 9.7.2 Firewall Page CHAPTER 10 Firewall Configuration 10.1 Access Methods 10.2 Firewall Policies Overview " 10.3 Rule Logic Overview " 10.3.1 Rule Checklist 10.3.2 Security Ramifications 10.3.3 Key Fields For Configuring Rules " 10.4 Connection Direction 10.4.1 LAN to WAN Rules 10.4.2 Alerts 10.5 General Firewall Policy 10.6 Firewall Rules Summary " Figure 87 Firewall Rules Table 57 Firewall Rules Chapter 10 Firewall Configuration P-660HW-Dx Users Guide 161 10.6.1 Configuring Firewall Rules Table 57 Firewall Rules (continued) Page Chapter 10 Firewall Configuration P-660HW-Dx Users Guide 163 Table 58 Firewall: Edit Rule 10.6.2 Customized Services 10.6.3 Configuring a Customized Service 10.7 Example Firewall Rule Page Page Page 10.8 Predefined Services Table 61 Predefined Services (continued) 10.9 Anti-Probing 10.10 DoS Thresholds 10.10.1 Threshold Values 10.10.2 Half-Open Sessions 10.10.3 Configuring Firewall Thresholds Figure 97 Firewall: Threshold Table 63 Firewall: Threshold Chapter 10 Firewall Configuration P-660HW-Dx Users Guide 175 Table 63 Firewall: Threshold (continued) Page CHAPTER 11 Content Filtering 11.1 Content Filtering Overview 11.2 Configuring Keyword Blocking Chapter 11 Content Filtering 11.3 Configuring the Schedule Table 64 Content Filter: Keyword Chapter 11 Content Filtering P-660HW-Dx Users Guide 179 The following table describes the labels in this screen. 11.4 Configuring Trusted Computers The following table describes the labels in this screen. Figure 100 Content Filter: Trusted Table 65 Content Filter: Schedule Table 66 Content Filter: Trusted Page Page Page CHAPTER 12 Static Route The following table describes the labels in this screen. 12.2.1 Static Route Edit Chapter 12 Static Route P-660HW-Dx Users Guide 185 Figure 103 Static Route Edit Table 68 Static Route Edit Page CHAPTER 13 Bandwidth Management 13.1 Bandwidth Management Overview 13.2 Application-based Bandwidth Management 13.3 Subnet-based Bandwidth Management 13.4 Application and Subnet-based Bandwidth Management 13.5 Scheduler 13.5.1 Priority-based Scheduler 13.5.2 Fairness-based Scheduler 13.6 Maximize Bandwidth Usage 13.6.1 Reserving Bandwidth for Non-Bandwidth Class Traffic 13.6.2 Maximize Bandwidth Usage Example Page 13.6.3 Bandwidth Management Priorities 13.7 Over Allotment of Bandwidth 13.8 Configuring Summary Figure 105 Bandwidth Management: Summary The following table describes the labels in this screen. 13.9 Bandwidth Management Rule Setup Table 75 Media Bandwidth Management: Summary Chapter 13 Bandwidth Management P-660HW-Dx Users Guide 193 Click Advanced > Bandwidth MGMT > Rule Setup to open the following screen. Figure 106 Bandwidth Management: Rule Setup The following table describes the labels in this screen. Table 76 Bandwidth Management: Rule Setup 13.10 DiffServ 13.10.1 DSCP and Per-Hop Behavior 13.10.2 Rule Configuration Chapter 13 Bandwidth Management P-660HW-Dx Users Guide 195 Figure 108 Bandwidth Management Rule Configuration Table 78 Bandwidth Management Rule Configuration Table 78 Bandwidth Management Rule Configuration (continued) 13.11 Bandwidth Monitor Page CHAPTER 14 Dynamic DNS Setup 14.1 Dynamic DNS Overview 14.1.1 DYNDNS Wildcard 14.2 Configuring Dynamic DNS Chapter 14 Dynamic DNS Setup Figure 110 Dynamic DNS Table 81 Dynamic DNS Chapter 14 Dynamic DNS Setup P-660HW-Dx Users Guide 201 Table 81 Dynamic DNS (continued) Page CHAPTER 15 Remote Management Configuration 15.1 Remote Management Overview " 15.1.1 Remote Management Limitations 15.2 WWW 15.3 Telnet 15.4 Configuring Telnet 15.5 Telnet Login " 15.6 Configuring FTP 15.7 SNMP " 15.7.1 Supported MIBs 15.7.2 SNMP Traps 15.7.3 Configuring SNMP 15.8 Configuring DNS 15.9 Configuring ICMP Chapter 15 Remote Management Configuration Figure 118 Remote Management: ICMP Table 88 Remote Management: ICMP CHAPTER 16 Universal Plug-and-Play (UPnP) 16.1 Introducing Universal Plug and Play 16.1.1 How do I know if I'm using UPnP? 16.1.2 NAT Traversal 16.2 UPnP and ZyXEL 16.2.1 Configuring UPnP 16.3 Installing UPnP in Windows Example 16.3.1 Installing UPnP in Windows Me 16.3.2 Installing UPnP in Windows XP Page 16.4.1 Auto-discover Your UPnP-enabled Network Device Page " 16.4.2 Web Configurator Easy Access Page Page Page PART VI Page CHAPTER 17 System 17.1 General Setup 17.1.1 General Setup and System Name 17.1.2 General Setup Figure 134 System General Setup Table 90 System General Setup 17.2 Time Setting Table 91 System Time Setting Chapter 17 System P-660HW-Dx Users Guide 231 Table 91 System Time Setting (continued) Page CHAPTER 18 Logs 18.1 Logs Overview 18.1.1 Alerts and Logs 18.2 Viewing the Logs 18.3 Configuring Log Settings Page 18.3.1 Example E-mail Log End of Log" message shows that a complete log has been sent. Table 93 Log Settings Chapter 18 Logs P-660HW-Dx Users Guide 237 18.4 Log Descriptions This section provides descriptions of example log messages. Table 94 System Maintenance Logs Table 95 System Error Logs Table 96 Access Control Logs Table 94 System Maintenance Logs (continued) Chapter 18 Logs P-660HW-Dx Users Guide 239 Table 97 TCP Reset Logs Table 98 Packet Filter Logs Table 96 Access Control Logs (continued) Table 99 ICMP Logs Table 100 CDR Logs Table 101 PPP Logs Chapter 18 Logs P-660HW-Dx Users Guide 241 Table 102 UPnP Logs Table 103 Content Filtering Logs Table 104 Attack Logs Table 105 IPSec Logs Chapter 18 Logs P-660HW-Dx Users Guide 243 Table 106 IKE Logs Table 105 IPSec Logs (continued) Table 106 IKE Logs (continued) Chapter 18 Logs P-660HW-Dx Users Guide 245 Table 106 IKE Logs (continued) Table 107 PKI Logs Chapter 18 Logs P-660HW-Dx Users Guide 247 Table 108 Certificate Path Verification Failure Reason Codes Table 109 ACL Setting Notes Table 110 ICMP Notes Chapter 18 Logs P-660HW-Dx Users Guide 249 Table 111 Syslog Logs Table 112 RFC-2408 ISAKMP Payload Types Page CHAPTER 19 Tools 19.1 Firmware Upgrade 1 19.2 Configuration Screen 19.2.1 Backup Configuration 19.2.2 Restore Configuration 1 19.2.3 Back to Factory Defaults 19.3 Restart Page CHAPTER 20 Diagnostic Page CHAPTER 21 Troubleshooting 21.1 Power, Hardware Connections, and LEDs V 21.2 ZyXEL Device Access and Login V 21.3 Internet Access V PART VII Page P-660HW-Dx Users Guide 265 APPENDIX A Product Specifications and Wall Mounting Note: Only upload firmware for your specific model! Product Specifications The following tables summarize the ZyXEL Devices hardware and firmware features.M4 Page Appendix A Product Specifications and Wall Mounting P-660HW-Dx Users Guide 267 Table 119 Wireless Firmware Specifications Table 120 Standards Supported Table 118 Firmware Specifications Table 120 Standards Supported (continued) Wall-mounting Instructions " Page APPENDIX B Wireless LANs Wireless LAN Topologies Ad-hoc Wireless LAN Configuration BSS ESS Channel RTS/CTS " Fragmentation Threshold Preamble Type " IEEE 802.11g Wireless LAN Wireless Security Overview " IEEE 802.1x RADIUS Types of RADIUS Messages Types of EAP Authentication EAP-MD5 (Message-Digest Algorithm 5) EAP-TLS (Transport Layer Security) EAP-TTLS (Tunneled Transport Layer Service) PEAP (Protected EAP) LEAP " WPA and WPA2 Encryption User Authentication Wireless Client WPA Supplicants WPA(2) with RADIUS Application Example WPA(2)-PSK Application Example Security Parameters Summary Antenna Overview Antenna Characteristics Frequency Radiation Pattern Antenna Gain Page APPENDIX C Setting up Your Computers IP Address Windows 95/98/Me Installing Components Configuring Windows 2000/NT/XP Page Page Page Page Macintosh OS 8/9 Page Macintosh OS X Linux " Using the K Desktop Environment (KDE) Using Configuration Files Page Enter ifconfig in a terminal screen to check your TCP/IP properties. APPENDIX D IP Addresses and Subnetting Introduction to IP Addresses Structure Subnet Masks Network Size Notation Subnetting Example: Four Subnets Appendix D IP Addresses and Subnetting Example: Eight Subnets Table 130 Subnet 2 Table 131 Subnet 3 Table 132 Subnet 4 Table 133 Eight Subnets Subnet Planning The following table is a summary for subnet planning on a network with a 24-bit network number. The following table is a summary for subnet planning on a network with a 16-bit network number. Table 133 Eight Subnets (continued) Table 134 24-bit Network Number Subnet Planning Configuring IP Addresses Private IP Addresses P-660HW-Dx Users Guide 309 APPENDIX E Firewall Commands The following describes the firewall commands. Table 136 Firewall Commands Page Page Page Page Page APPENDIX F Internal SPTGEN Internal SPTGEN Overview The Configuration Text File Format " Internal SPTGEN File Modification - Important Points to Remember Internal SPTGEN FTP Download Example " be named rom-t when you upload it to your ZyXEL Device. Internal SPTGEN FTP Upload Example Example Internal SPTGEN Menus This section provides example Internal SPTGEN menus. Table 137 Abbreviations Used in the Example Internal SPTGEN Screens Table Table 138 Menu 1 General Setup Page Table 140 Menu 4 Internet Access Setup Appendix F Internal SPTGEN Table 140 Menu 4 Internet Access Setup (continued) P-660HW-Dx Users Guide 321 Table 140 Menu 4 Internet Access Setup (continued) Table 141 Menu 12 Table 142 Menu 15 SUA Server Setup Appendix F Internal SPTGEN Table 142 Menu 15 SUA Server Setup (continued) P-660HW-Dx Users Guide 323 Table 142 Menu 15 SUA Server Setup (continued) Table 143 Menu 21.1 Filter Set #1 Appendix F Internal SPTGEN P-660HW-Dx Users Guide 325 Table 143 Menu 21.1 Filter Set #1 (continued) Table 144 Menu 21.1 Filer Set #2, Table 144 Menu 21.1 Filer Set #2, (continued) Appendix F Internal SPTGEN P-660HW-Dx Users Guide 327 Table 144 Menu 21.1 Filer Set #2, (continued) Table 145 Menu 23 System Menus Table 145 Menu 23 System Menus (continued) Table 146 Menu 24.11 Remote Management Control Appendix F Internal SPTGEN P-660HW-Dx Users Guide 329 Command Examples Table 147 Command Examples Page APPENDIX G Command Interpreter 1 Accessing the CLI Command Syntax Page APPENDIX H Pop-up Windows, JavaScripts and Java Permissions " Internet Explorer Pop-up Blockers Disable pop-up Blockers Enable pop-up Blockers with Exceptions Page JavaScripts Page Page APPENDIX I NetBIOS Filter Commands Introduction Display NetBIOS Filter Settings NetBIOS Filter Configuration APPENDIX J Splitters and Microfilters Connecting a POTS Splitter Telephone Microfilters Page Page Page APPENDIX K Triangle Route The Ideal Setup The Triangle Route Problem Page APPENDIX L Legal Information Copyright Certifications ! ZyXEL Limited Warranty Page APPENDIX M Customer Support Page Page Page Page Page Index A B C D E F H I L M N O P Q R S T U V W Z