Manuals / Brands / Computer Equipment / Network Router / ZyXEL Communications / Computer Equipment / Network Router

ZyXEL Communications Wireless Gateway Series 12.4 Guidelines For Enhancing Security With Your Firewall, 12.3.3 Key Fields For Configuring Rules, Block, Action, Forward, Service, Service

1 420

Download 420 pages, 12.23 Mb

ZyAIR Wireless Gateway Series User’s Guide

2.Is it possible to modify the rule to be more specific? For example, if IRC is blocked for all users, will a rule that blocks just certain users be more effective?

3.Does a rule that allows Internet users access to resources on the LAN create a security vulnerability? For example, if FTP ports (TCP 20, 21) are allowed from the Internet to the LAN, Internet users may be able to connect to computers with running FTP servers.

4.Does this rule conflict with any existing rules?

Once these questions have been answered, adding rules is simply a matter of plugging the information into the correct fields in the web configurator screens.

12.3.3 Key Fields For Configuring Rules

Action

Should the action be to Block or Forward?

“Block” means the firewall silently discards the packet.Service

Select the service from the Service scrolling list box. If the service is not listed, it is necessary to first define it. See section 12.6.3 for more information on predefined services.

12.4 Guidelines For Enhancing Security With Your Firewall

1.Change the default password via web configurator.

2.Think about access control before you connect to the network in any way, including attaching a modem to the port.

3.Limit who can access your router.

4.Don't enable any local service (such as SNMP or NTP) that you don't use. Any enabled service could present a potential security risk. A determined hacker might be able to find creative ways to misuse the enabled services to access the firewall or the network.

5.For local services that are enabled, protect against misuse. Protect by configuring the services to communicate only with specific peers, and protect by configuring rules to block packets for the services at specific interfaces.

6.Protect against IP spoofing by making sure the firewall is active.

7.Keep the firewall in a secured (locked) room.

Firewall Screens

12-3

Contents

Version May Copyright Federal Communications Commission (FCC) Interference Statement ZyXEL Limited Warranty Customer Support Page Table of Contents Page Chapter 8 WAN Screens Chapter 9 Single User Account (SUA) / Network Address Translation (NAT) FIREWALL AND REMOTE MANAGEMENT Chapter 12 Firewall Screens Chapter 14 UPnP Screen Chapter 15 Logs Screens Chapter 16 Maintenance Chapter 17 Introducing the SMT Chapter 18 General and WAN Setup Chapter 20 Internet Access Chapter 21 Remote Node Configuration Chapter 25 SNMP Configuration Chapter 26 System Security FTP Web Table of Contents APPENDICES A-1 Appendix B Brute-ForcePassword Guessing Protection B-1 C-1 List of Figures Page Page Page Page Page Page List of Tables Page Page Preface Control Panels Modem User Guide Feedback Page Part I: OVERVIEW Page 1.1Introducing the ZyAIR Wireless Gateway Series 1.2ZyAIR Features 4-PortSwitch 10/100M Auto-negotiatingEthernet/Fast Ethernet Interface 10/100M Auto-crossoverEthernet/Fast Ethernet Interface 10/100 Mbps Ethernet WAN Reset Button ZyAIR LED 802.11b Wireless LAN Standard Output Power Management Limit the number of Client Connections SSL Passthrough Wi-FiProtected Access Firewall IEEE 802.1x Network Security Wireless LAN MAC Address Filtering Universal Plug and Play (UPnP) PPTP Encapsulation Network Address Translation (NAT) NAT for Single-IP-addressInternet Access DHCP (Dynamic Host Configuration Protocol) Multicast SNMP Full Network Management Logging and Tracing Diagnostics Capabilities Embedded FTP and TFTP Servers 1.3Application for the ZyAIR 1.3.1 Internet Access Application Page 2.1Web Configurator Overview 2.2Accessing the ZyAIR Web Configurator 2.3Resetting the ZyAIR 2.3.1 Procedure to Use the Reset Button 2.3.2 Uploading a Configuration File via Console Port 2.4Navigating the ZyAIR Web Configurator 3.1Wizard Setup Overview 3.1.1 Channel 3.1.2 ESS ID 3.1.3 WEP Encryption 3.2Wizard Setup: General Setup 3.3Wizard Setup: Wireless LAN Setup Figure 3-2Wizard 2: Wireless LAN Setup Table 3-2Wizard 2: Wireless LAN Setup 3.4Wizard Setup: ISP Parameters 3.4.1 Ethernet Figure 3-3Wizard 3: Ethernet Encapsulation Table 3-3Wizard 3: Ethernet Encapsulation 3.4.2 PPTP Encapsulation Figure 3-4Wizard 3: PPTP Encapsulation Table 3-4Wizard 3: PPTP Encapsulation 3.4.3 PPPoE Encapsulation Figure 3-5Wizard 3: PPPoE Encapsulation Table 3-5Wizard 3: PPPoE Encapsulation 3.5Wizard Setup: WAN and DNS 3.5.1 WAN IP Address Assignment 3.5.2 IP Address and Subnet Mask 3.5.3 DNS Server Address Assignment 3.5.4 WAN MAC Address Figure 3-6Wizard 4: WAN and DNS Table 3-8Wizard 4: WAN and DNS Page 3.6Basic Setup Complete Figure 3-7Setup Complete Page Part II: SYSTEM, LAN AND WIRELESS Page 4.1System Overview 4.2Configuring General Setup 4.3Dynamic DNS 4.3.1 DYNDNS Wildcard 4.4Configuring Dynamic DNS Figure 4-2DDNS Table 4-2DDNS 4.5Configuring Password 4.6Configuring Time Setting Figure 4-4Time Setting Table 4-4Time Setting Page 5.1LAN Overview 5.2LANs and WANs 5.2.1 LANs, WANs and the ZyAIR 5.3DHCP Setup 5.4Factory LAN Defaults 5.5RIP Setup 5.6Multicast 5.7Configuring the LAN IP Screens Figure 5-2IP Table 5-1IP Page Page the screen 6.1Wireless LAN Overview 6.1.1 IBSS 6.1.2 BSS 6.1.3 ESS 6.2Wireless LAN Basics 6.2.1 RTS/CTS 6.2.2 Fragmentation Threshold 6.3Configuring Wireless Figure 6-5Wireless Table 6-1Wireless If you are configuring the ZyAIR from a computer connected to the wireless LAN and you change the ZyAIR’s ESSID or WEP settings, you will lose your wireless connection when you press Apply to confirm. You must then change the wireless settings of 6.4Configuring Roaming 6.4.1 Requirements for Roaming Table 6-2Roaming All APs on the same subnet and the wireless stations must have 7.1Wireless Security Overview 7.2WEP Overview 7.2.1 Data Encryption 7.2.2 Authentication 7.3Configuring WEP Encryption Figure 7-3Wireless Table 7-1Wireless : WEP Fields 7.4MAC Filter Figure 7-4MAC Address Filter 7.5802.1x Overview 7.6Dynamic WEP Key Exchange 7.7Introduction to WPA 7.7.1 User Authentication 7.7.2 Encryption 7.8WPA-PSKApplication Example 7.9WPA with RADIUS Application Example 7.10 Security Parameters Summary 7.11 Wireless Client WPA Supplicants 7.12 Configuring 802.1x and WPA 7.12.1 Authentication Required: Figure 7-8Wireless LAN: 802.1x/WPA for 802.1x Protocol Table 7-5Wireless LAN: 802.1x/WPA for 802.1x Protocol If wireless station authentication is done using a RADIUS server, the reauthentication timer on the RADIUS server has 7.12.2 Authentication Required: WPA Figure 7-9Wireless LAN: 802.1x/WPA for WPA Protocol The following table describes the labels not previously discussed Table 7-6Wireless LAN: 802.1x/WPA for WPA Protocol 7.12.3 Authentication Required: WPA-PSK 7.13 Introduction to Local User Database 7.14 Configuring Local User Database Figure 7-11Local User Database 7.15 Introduction to RADIUS •Authentication •Accounting Types of RADIUS Messages •Access-Request 7.15.1 EAP Authentication Overview 7.16 Configuring RADIUS Table 7-9RADIUS Part III: WAN Page 8.1WAN Overview 8.2Configuring WAN ISP 8.2.1 Ethernet Encapsulation Service Type 8.2.2 PPPoE Encapsulation Figure 8-3PPPoE Encapsulation Table 8-3PPPoE Encapsulation 8.2.3 PPTP Encapsulation Figure 8-4PPTP Encapsulation Table 8-4PPTP Encapsulation 8.3TCP/IP Priority (Metric) 8.4Configuring WAN IP Page Page 8.5Configuring WAN MAC Page Part IV: SUA/NAT AND STATIC ROUTE Page ZyAIR 9.1NAT Overview 9.1.1 NAT Definitions 9.1.2 What NAT Does 9.1.3 How NAT Works 9.1.4 NAT Application 9.1.5 NAT Mapping Types 9.1.6 SUA (Single User Account) Versus NAT 9.2SUA Server Default Server IP Address 9.2.1 Port Forwarding: Services and Port Numbers 9.2.2 Configuring Servers Behind SUA (Example) 9.3Configuring SUA Server Figure 9-4SUA/NAT Setup Table 9-4SUA/NAT Setup 9.4Configuring Address Mapping Figure 9-5Address Mapping Table 9-5Address Mapping 9.4.1 Configuring Address Mapping Rule Page 10.1 Static Route Overview 10.2 Configuring IP Static Route Figure 10-2IP Static Route Summary Table 10-1IP Static Route Summary 10.2.1 Configuring Route Entry Page Part V: FIREWALL AND REMOTE MANAGEMENT Page 11.1 Firewall Overview 11.2 Types of Firewalls 11.2.1 Packet Filtering Firewalls 11.2.2 Application-levelFirewalls 11.2.3 Stateful Inspection Firewalls 11.3 Introduction to ZyXEL’s Firewall 11.4 Denial of Service 11.4.1 Basics 11.4.2 Types of DoS Attacks SYN Attack Figure 11-3SYN Flood LAND Attack brute-force Figure 11-4Smurf Attack Table 11-2ICMP Commands That Trigger Alerts Table 11-3Legal NetBIOS Commands 11.5 Stateful Inspection Figure 11-5Stateful Inspection 12.1 Access Methods 12.2 Firewall Policies Overview 12.3 Rule Logic Overview 12.3.1 Rule Checklist 12.3.2 Security Ramifications 12.3.3 Key Fields For Configuring Rules 12.4 Guidelines For Enhancing Security With Your Firewall 12.5 Connection Direction Examples 12.5.1 LAN to WAN Rules 12.5.2 WAN to LAN Rules 12.6 Enabling Firewall Figure 12-3Firewall Settings Table 12-1Firewall Settings 12.6.1 Configuring Content Filtering Page Table 12-2Firewall Filter 12.6.2 Configuring Firewall Services Table 12-3Creating/Editing A Firewall Rule 12.6.3 Predefined Services Page Page Page 13.1 Remote Management Overview 13.1.1 Remote Management Limitations 13.1.2 Remote Management and NAT 13.1.3 System Timeout 13.2 Telnet 13.3 Configuring TELNET 13.4 Configuring FTP 13.5 Configuring WWW 13.6 Configuring SNMP Figure 13-5SNMP Management Model 13.6.1 Supported MIBs 13.6.2 SNMP Traps 13.6.3 REMOTE MANAGEMENT: SNMP 13.7 Configuring DNS 13.8 Configuring Security Figure 13-8Security Table 13-8Security Page Page Part VI: UPNP AND LOGS Page 14.1 Universal Plug and Play Overview 14.1.1 How Do I Know If I'm Using UPnP 14.1.2 NAT Traversal 14.1.3 Cautions with UPnP 14.2 UPnP and ZyXEL 14.3 Configuring UPnP Figure 14-1Configuring UPnP Table 14-1Configuring UPnP 14.4 Installing UPnP in Windows Example 14.4.1 Installing UPnP in Windows Me 14.4.2 Installing UPnP in Windows XP Click 14.5 Using UPnP in Windows XP Example 14.5.1 Auto-discoverYour UPnP-enabledNetwork Device Step 3. In the Internet Connection Properties Add 14.5.2 Web Configurator Easy Access Control Panel Connections Step 3. Select My Network Places under Other Places Page 15.1 Using the View Log Screen Figure 15-1View Log Table 15-1View Log 15.2 Configuring Log Settings Figure 15-2Log Settings Table 15-2Log Settings 15.3 Configuring Reports Page 15.3.1 Viewing Protocol/Port Figure 15-4Protocol/Port Report Table 15-4Protocol/Port Report 15.3.2 Viewing LAN IP Address 15.3.3 Reports Specifications Page Part VII: MAINTENANCE Page 16.1 Maintenance Overview 16.2 System Status Screen 16.2.1 System Statistics Figure 16-2Status: Show Statistics Table 16-2Status: Show Statistics 16.3 DHCP Table Screen 16.4 Association List 16.5 Channel Usage Table 16-5Channel Usage (ZyAIR B-2000) Figure 16-6Channel Usage Table 16-6Channel Usage 16.6 F/W Upload Screen Table 16-7Firmware Upload Do not turn off the device while firmware upload is in progress Firmware Upload in Process Figure 16-8Firmware Upload In Process Figure 16-9Network Temporarily Disconnected 16.7 Configuration Screen 16.7.1 Backup Configuration 16.7.2 Restore Configuration 16.7.3 Back to Factory Defaults 16.8 Restart Screen Part VIII: SMT GETTING STARTED MENUS Page 17.1 Connect to your ZyAIR Using Telnet 17.2 Connect to Your ZyAIR Using the Console Port 17.2.1 Initial Screen 17.2.2 Entering Password 17.3 Changing the System Password 17.4 ZyAIR SMT Menu Overview Example Figure 17-4ZyAIR B-2000v.2 SMT Menu Overview Example 17.5 Navigating the SMT Interface 17.5.1 System Management Terminal Interface Summary Page Page 18.1 General Setup 18.1.1 Dynamic DNS 18.1.2 Procedure To Configure Menu Figure 18-1Menu 1 General Setup Table 18-1Menu 1 General Setup 18.1.3 Procedure to Configure Dynamic DNS Page 18.2 WAN Setup Page 19.1 LAN Setup 19.1.1 General Ethernet Port Filter Setup 19.2 TCP/IP Ethernet and DHCP Setup Table 19-1Menu 3.2 DHCP Ethernet Setup Table 19-2Menu3.2 TCP/IP Ethernet Setup SPACE BAR 19.3 IP Alias 19.3.1 IP Alias Setup 19.4 Wireless LAN Setup Figure 19-8Menu 3.5 Wireless LAN Setup Table 19-4Menu 3.5 Wireless LAN Setup Page 19.4.1 Configuring MAC Address Filter Figure 19-10Menu 3.5.1 WLAN MAC Address Filter Table 19-5Menu 3.5.1 WLAN MAC Address Filter 19.4.2 Configuring Roaming on the ZyAIR Table 19-6Menu 3.5.2 Roaming Configuration 20.1 Internet Access Configuration 20.2 Internet Access Setup Refer to the System Security chapter for the wireless LAN security setup Page Part IX: SMT ADVANCED APPLICATION MENUS Page 21.1 Remote Node Profile 21.1.1 Encapsulation Scenarios Figure 21-1Menu 11.1 Remote Node Profile Menu 11.1 – Remote Node Profile Table 21-1Menu 11.1 Remote Node Profile Page 21.1.2 Outgoing Authentication Protocol 21.1.3 Remote Node Setup Edit IP Remote Node Network Layer Options Figure 21-2Menu 11.3 Remote Node Network Layer Options The next table explains the fields in this menu Table 21-2Menu 11.3 Remote Node Network Layer Options 21.2 Remote Node Filter 21.2.1 IP Static Route Setup Configuration Static Route Setup Figure 21-5Menu 12.1 IP Static Route Setup Step 2. Now, type the route number of a static route you want to configure Figure 21-6Menu 12.1 Edit IP Static Route Page Page 22.1 Dial-inUser Setup Table 22-1Menu 14.1- Edit Dial-inUser 23.1 Introduction 23.1.1 Applying NAT 23.2 NAT Setup 23.2.1 Address Mapping Sets Figure 23-5Menu 15.1.255 SUA Address Mapping Rules The following table explains the fields in this menu Table 23-2Menu 15.1.255 SUA Address Mapping Rules User-DefinedAddress Mapping Sets Select Rule Set Name Figure 23-6Menu 15.1.1 Address Mapping Rules The table below describes the fields for configuration in this menu 23.2.2 Configuring Individual Rule 23.3 Port Forwarding Setup - NAT Server Sets 23.3.1 Configuring a Server behind NAT 23.4 General NAT Examples 23.4.1 Example 1: Internet Access Only Figure 23-9NAT Example Figure 23-10Menu 4 Internet Access Setup Network Address Translation 23.4.2 Example 2: Internet Access with an Inside Server 23.4.3 Example 3: Multiple Public IP Addresses With Inside Servers 1 : Many : Server Figure 23-13NAT Example Menu 15.1 - Address Mapping Sets Figure 23-14Menu 11.3 Remote Node Network Layer Options Edit Action Start IP Figure 23-15Menu 15.1.1.1 Address Mapping Rule Step 7. When finished, menu 15.1.1 should look like as shown next Figure 23-16Menu 15.1.1 Address Mapping Rules Menu 15.2 – Port Forwarding Setup Example 3: Menu 15.2 Port Forwarding Setup 23.4.4 Example 4: NAT Unfriendly Application Programs 23.5 Trigger Port Setup Two Points To Remember About Trigger Ports Menu 15.3 — Trigger Port Setup Figure 23-21Menu 15.3 Trigger Port Setup Table 23-6Menu 15.3 Trigger Port Setup Page Part X: SMT ADVANCED MANAGEMENT MENUS Page 24.1 About Filtering Execute Figure 24-2Filter Rule Process 24.2 Configuring a Filter Set Figure 24-4NetBIOS_WAN Filter Rules Summary Figure 24-5NetBIOS_LAN Filter Rules Summary Figure 24-6TEL_FTP_WEB_WAN Filter Rules Summary 24.2.1 Filter Rules Summary Menus 24.3 Configuring a Filter Rule 24.3.1 TCP/IP Filter Rule Figure 24-7Menu 21.1.1 TCP/IP Filter Rule The following table describes how to configure your TCP/IP filter rule Table 24-3Menu 21.1.1 TCP/IP Filter Rule Page The following figure illustrates the logic flow of an IP filter Figure 24-8Executing an IP Filter 24.3.2 Generic Filter Rule 24.4 Filter Types and NAT 24.5 Example Filter TCP/IP Filter Rule Figure 24-12Sample Filter - Menu 24.6 Applying Filters and Factory Defaults 24.6.1 Ethernet Traffic 24.6.2 Remote Node Filters 24.7 Firewall Setup Page 25.1 SNMP Configuration Page 26.1 System Security 26.1.1 System Password 26.1.2 Configuring External RADIUS Server Figure 26-3Menu 23.2 System Security : RADIUS Server Table 26-1Menu 23.2 System Security : RADIUS Server 26.1.3 IEEE802.1x Figure 26-5Menu 23.4 System Security : IEEE802.1x Table 26-2Menu 23.4 System Security : IEEE802.1x Page Page 27.1 System Status Figure 27-2Menu 24.1 System Maintenance : Status Table 27-1Menu 24.1 System Maintenance : Status 27.2 System Information 27.2.1 System Information 27.2.2 Console Port Speed 27.3 Log and Trace 27.3.1 Viewing Error Log 27.3.2 Syslog Logging 27.3.3 Call-TriggeringPacket 27.4 Diagnostic 28.1 Filename Conventions 28.2 Backup Configuration 28.2.1 Backup Configuration 28.2.2 Using the FTP Command from the Command Line 28.2.3 Example of FTP Commands from the Command Line 28.2.4 GUI-basedFTP Clients 28.2.5 TFTP and FTP over WAN Management Limitations 28.2.6 Backup Configuration Using TFTP 28.2.7 TFTP Command Example 28.2.8 GUI-basedTFTP Clients 28.2.9 Backup Via Console Port (only for ZyAIR B-2000) 28.3 Restore Configuration 28.3.1 Restore Using FTP 28.3.2 Restore Using FTP Session Example 28.3.3 Restore Via Console Port (only for ZyAIR B-2000) 28.4 Uploading Firmware and Configuration Files 28.4.1 Firmware File Upload 28.4.2 Configuration File Upload 28.4.3 FTP File Upload Command from the DOS Prompt Example 28.4.4 FTP Session Example of Firmware File Upload 28.4.5 TFTP File Upload 28.4.6 TFTP Upload Command Example 28.4.7 Uploading Via Console Port (only for ZyAIR B-2000) 28.4.8 Uploading Firmware File Via Console Port (only for ZyAIR B-2000) 28.4.9 Example Xmodem Firmware Upload Using HyperTerminal 28.4.11Example Xmodem Configuration Upload Using HyperTerminal Figure 28-19Example Xmodem Upload 29.1 Command Interpreter Mode 29.2 Call Control Support 29.2.1 Budget Management 29.2.2 Call History 29.3 Time and Date Setting Figure 29-6Menu 24.10 System Maintenance : Time and Date Setting Table 29-3Menu 24.10 System Maintenance : Time and Date Setting 29.3.1 Resetting the Time 30.1 Telnet 30.2 FTP 30.3 Web 30.4 Remote Management 30.4.1 Remote Management Setup 30.4.2 Remote Management Limitations 30.5 Remote Management and NAT 30.6 System Timeout 31.1 Introduction To delete a schedule set, enter the set number and press [SPACE BAR] and then [ENTER] (or delete) in the Edit Name field Edit Name Menu 26.1 - Schedule Set Setup Figure 31-2Menu 26.1 Schedule Set Setup Main Menu PPPoE PPTP Figure 31-3Applying Schedule Set(s) to a Remote Node (PPTP) Part XI: APPENDICES Page Problems Starting Up the ZyAIR Problems with the Password Problems with the Ethernet Interface Problems with the WAN Interface Problems with Internet Access Problems with Telnet Problems with the WLAN Interface Appendix B Brute-ForcePassword Guessing Protection Chart B-1 Brute-ForcePassword Guessing Protection Commands Brute-ForcePassword Guessing Protection Page Windows 95/98/Me If you need the adapter: If you need TCP/IP: If you need Client for Microsoft Networks: C-2 C-3 Windows 2000/NT/XP C-5 C-6 C-7 Macintosh OS 8/9 C-9 Macintosh OS Check your TCP/IP properties in the Network window C-11 Page Benefits of a Wireless LAN Ad-hocWireless LAN Configuration Infrastructure Wireless LAN Configuration Diagram D-2ESS Provides Campus-WideCoverage Page Security Flaws with IEEE Deployment Issues with IEEE Advantages of the IEEE Diagram E-1Sequences for EAP MD5–ChallengeAuthentication EAP-MD5 (Message-DigestAlgorithm 5) EAP-TLS(Transport Layer Security) EAP-TTLS(Tunneled Transport Layer Service) PEAP (Protected EAP) Comparison of EAP Authentication Types Antenna Characteristics Frequency Radiation Pattern Antenna Gain Types of Antennas For WLAN Positioning Antennas Connector Type PPPoE in Action Benefits of PPPoE Traditional Dial-upScenario How PPPoE Works ZyAIR as a PPPoE Client What is PPTP PPTP and the ZyAIR PPTP Protocol Overview Control & PPP connections Call Connection PPP Data Connection Page IP Addressing IP Classes Subnet Masks Subnetting Example: Two Subnets Page Example: Four Subnets Example Eight Subnets Subnetting With Class A and Class B Networks J-8 Command Syntax Command Usage Page Introduction Display NetBIOS Filter Settings NetBIOS Filter Configuration Appendix M Boot Commands Diagram M-1Option to Enter Debug Mode Diagram M-2Boot Module Commands M-2 The Ideal Setup The “Triangle Route” Problem The “Triangle Route” Solutions IP Aliasing Gateways on the WAN Side Page Appendix O Log Descriptions Chart O-1System Error Logs Chart O-2System Maintenance Logs Log Descriptions Chart O-3UPnP Logs Chart O-4ICMP Notes O-2 O-3 Log Commands Log Command Example Page Appendix P Power Adaptor Specifications Power Adaptor Specifications P-1 P-2 3-11 D-2 Alternative Subnet Mask Notation .................. J-3 Appendix Q Index 29-3 Maximum Number of Schedule Sets Precedence Example 13-10 3-3, 3-12, 9-6 DoS Basics Types Frequency-HoppingSpread Spectrum ...........D-2 4-2, 5-2, 9-6, 13-1, 13-4 Restrictions 13-1 Management Information Base (MIB) See NAT Many to One Message Digest Algorithm 5 See MD5 Remote Node Profile 5-2, 19-3 Roaming 6-3 12-1 TFTP and FTP over WAN Will Not Work When… TFTP Restrictions TKIP See Temporal Key Integrity Protocol