ZyXEL ATP100W Users Manual

Chapter 24 Web Authentication

Make sure you select Enable Policy, Single Sign-On and choose required in Authentication.

Do NOT select any as the source address unless you want all incoming connections to be authenticated!

ZyWALL ATP Series User’s Guide

481


See Table 184 on page 462 and Table 185 on page 465 for more information on configuring these screens.

24.4.4 Create a Security Policy

Configure a Security Policy for SSO traffic source and destination direction in order to prevent the security policy from blocking this traffic. Go to Configuration > Security Policy > Policy Control and add a new policy if a default one does not cover the SSO web authentication traffic direction.

Configure the fields as shown in the following screen. Configure the source and destination addresses according to the SSO web authentication traffic in your network.


24.4.5 Configure User Information

Configure a User account of the ext-group-user type.

Configure Group Identifier to be the same as Group Membership on the SSO agent.


24.4.6 Configure an Authentication Method

Configure Active Directory (AD) for authentication with SSO.

Choose group ad as the authentication server for SSO.


24.4.7 Configure Active Directory

You must configure an Active Directory (AD) server in AAA Setup to be the same as AD configured on the SSO agent.

The default AD server port is 389. If you change this, make sure you make the same changes on the SSO. Configure the Base DN exactly the same as on the Domain Controller and SSO. Bind DN is a user name and password that allows the Zyxel Device to join the domain with administrative privileges. It is a required field.


24.5 SSO Agent Configuration

This section shows what you have to do on the SSO agent in order to work with the Zyxel Device.

After you install the SSO agent, you will see an icon in the system tray (bottom right of the screen)

Right-click the SSO icon and select Configure Zyxel SSO Agent.

Configure the Agent Listening Port, AD server exactly as you have done on the Zyxel Device. Add the Zyxel Device IP address as the Gateway. Make sure the Zyxel Device and SSO agent are able to communicate with each other.


Configure the Server Address, Port, Base DN, Bind DN, Login Name Attribute and Group Membership for the AD server settings exactly as you have done on the Zyxel Device. Group Membership is called Group Identifier on the Zyxel Device.

LDAP/AD Server Configuration


Configure the Gateway IP address, Gateway Port and PreShareKey exactly as you have done in the Zyxel Device Configuration > Web Authentication > SSO screen. If you want to use Generate Key to have the SSO create a random password, select Check to show PreShareKey as clear Text so as to see the password, then copy and paste it to the Zyxel Device.

After all SSO agent configurations are done, right-click the SSO icon in the system tray and select Enable Zyxel SSO Agent.


CHAPTER 25

Security Policy

25.1 Overview

A security policy is a template of security settings that can be applied to specific traffic at specific times. The policy can be applied:

• to a specific direction of travel of packets (from / to)

• to specific source and destination address objects

• to a specific type of traffic (services)

• to a specific user or group of users

• at a specific schedule

The policy can be configured:

• to allow or deny traffic that matches the criteria above

• to send a log or alert for traffic that matches the criteria above

• to apply the actions configured in the profiles (application patrol, content filter, IDP, anti-malware, email security) to traffic that matches the criteria above

Note: Security policies can be applied to both IPv4 and IPv6 traffic.

The security policies can also limit the number of user sessions.

The following example shows the Zyxel Device’s default security policy behavior for a specific direction of travel of packets (WAN to LAN traffic) and how stateful inspection works. A LAN user can initiate a Telnet session from within the LAN zone and the Zyxel Device allows the response. However, the Zyxel Device blocks incoming Telnet traffic initiated from the WAN zone and destined for the LAN zone.

Figure 341 Default Directional Security Policy Example


25.2 One Security

OneSecurity is a website with guidance on configuration walkthroughs, troubleshooting, and other information. This is an example of a port forwarding configuration walkthrough.

Figure 342 Example of a Port Forwarding Configuration Walkthrough

This is an example of L2TP over IPSec VPN troubleshooting.


Figure 343 Example of L2TP over IPSec Troubleshooting - 1


Figure 344 Example of L2TP over IPSec Troubleshooting - 2

In the Zyxel Device, you will see icons that link to OneSecurity walkthroughs, troubleshooting and so on in certain screens.

For example, at the time of writing, these are the OneSecurity icons you can see.

Table 191 OneSecurity Icons

ONESECURITY ICON: Click this icon to go to a series of screens that guide you how to configure the feature. Note that the walkthroughs do not perform the actual configuring, but just show you how to do it.
SCREEN:
• Device HA > General
• Licensing > Registration
• Network > NAT
• Network > Routing > Policy Route
• Security Service > App Patrol
• Security Service > Content Filter
• Security Service > IDP
• Security Service > Anti-Malware
• Security Service > Email Security
• VPN > IPSec VPN
• VPN > SSL VPN
• VPN > L2TP VPN

ONESECURITY ICON: Click this icon to go to a series of screens that guide you how to fix problems with the feature.
SCREEN:
• Device HA > General
• Network > NAT
• Network > Routing > Policy Route
• Security Service > App Patrol
• Security Service > Content Filter
• Security Service > IDP
• Security Service > Anti-Malware
• Security Service > Email Security
• VPN > IPSec VPN
• VPN > SSL VPN
• VPN > L2TP VPN

ONESECURITY ICON: Click this icon for more information on Application Patrol, which identifies traffic that passes through the Zyxel Device, so you can decide what to do with specific types of traffic. Traffic not recognized by application patrol is ignored.
SCREEN:
• Security Service > Application Patrol

ONESECURITY ICON: Click this icon for more information on Content Filter, which controls access to specific web sites or web content.
SCREEN:
• Security Service > Content Filter

ONESECURITY ICON: Click this icon for more information on IPSec and SSL VPN. Internet Protocol Security (IPSec) VPN connects IPSec routers or remote users using IPSec client software. SSL VPN allows users to use a web browser for secure remote user login without need of a VPN router or VPN client software.
SCREEN:
• VPN > IPSec VPN
• VPN > SSL VPN

ONESECURITY ICON: Click this icon to download VPN client software.
SCREEN:
• VPN > IPSec VPN
• VPN > SSL VPN

ONESECURITY ICON: Click this icon for more information on the Wireless AP Controller, which sets how the Zyxel Device allows APs to connect to the wireless network.
SCREEN:
• Wireless > AP Management > Mgnt. AP List

25.3 What You Can Do in this Chapter

Use the Security Policy Control screens (Section 25.4 on page 495) to enable or disable policies, asymmetrical routes, and manage and configure policies.

Use the Anomaly Detection and Prevention (ADP) screens (Section 25.5 on page 501) to detect traffic with protocol anomalies and take appropriate action.

Use the Session Control screens (see Section 25.5 on page 501) to limit the number of concurrent NAT/ security policies traffic sessions a client can use.

25.3.1 What You Need to Know

Stateful Inspection

The Zyxel Device uses stateful inspection in its security policies. The Zyxel Device restricts access by screening data packets against defined access rules. It also inspects sessions. For example, traffic from one zone is not allowed unless it is initiated by a computer in another zone first.

Zones

A zone is a group of interfaces. Group the Zyxel Device’s interfaces into different zones based on your needs. You can configure security policies for data passing between zones or even between interfaces.


Default Directional Security Policy Behavior

Security Policies can be grouped based on the direction of travel of packets to which they apply. The Zyxel Device has the following default Security Policy behavior for traffic going through the Zyxel Device in various directions.

Table 192 Directional Security Policy Behavior

FROM ZONE TO ZONE: BEHAVIOR

From any to Device: DHCP traffic from any interface to the Zyxel Device is allowed.

From LAN1 to any (other than the Zyxel Device): Traffic from the LAN1 to any of the networks connected to the Zyxel Device is allowed.

From LAN2 to any (other than the Zyxel Device): Traffic from the LAN2 to any of the networks connected to the Zyxel Device is allowed.

From LAN1 to Device: Traffic from the LAN1 to the Zyxel Device itself is allowed.

From LAN2 to Device: Traffic from the LAN2 to the Zyxel Device itself is allowed.

From WAN to Device: The default services listed in To-Device Policies are allowed from the WAN to the Zyxel Device itself. All other WAN to Zyxel Device traffic is dropped.

From any to any: Traffic that does not match any Security policy is dropped. This includes traffic from the WAN to any of the networks behind the Zyxel Device. This also includes traffic to or from interfaces that are not assigned to a zone (extra-zone traffic).

To-Device Policies

Policies with Device as the To Zone apply to traffic going to the Zyxel Device itself. By default:

The Security Policy allows only LAN, or WAN computers to access or manage the Zyxel Device.

The Zyxel Device allows DHCP traffic from any interface to the Zyxel Device.

The Zyxel Device drops most packets from the WAN zone to the Zyxel Device itself and generates a log except for AH, ESP, GRE, HTTPS, IKE, NATT.

When you configure a Security Policy rule for packets destined for the Zyxel Device itself, make sure it does not conflict with your service control rule. The Zyxel Device checks the security policy before the service control rules for traffic destined for the Zyxel Device.

A From Any To Device direction policy applies to traffic from an interface which is not in a zone.

Global Security Policies

Security Policies with from any and/or to any as the packet direction are called global Security Policies. The global Security Policies are the only Security Policies that apply to an interface that is not included in a zone. The from any policies apply to traffic coming from the interface and the to any policies apply to traffic going to the interface.

Security Policy Rule Criteria

The Zyxel Device checks the schedule, user name (user’s login name on the Zyxel Device), source IP address and object, destination IP address and object, IP protocol type of network traffic (service) and Security Service profile criteria against the Security Policies (in the order you list them). When the traffic matches a policy, the Zyxel Device takes the action specified in the policy.
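The following Python model is added here as an illustration; it is not part of the manual and not the Zyxel firmware. It shows how the rule criteria just listed combine with stateful inspection and the default behaviour of Table 192: policies are walked in list order, the first match decides, the reply to an already-allowed session is accepted without re-matching, and anything unmatched falls to the default drop. The zone, service and address object names, the host addresses and the schedule are constructed for the demo.

```python
"""First-match, stateful security policy evaluation (added illustration)."""
from dataclasses import dataclass

# Address and schedule objects: constructed lookup tables for the demo.
ADDRESS_OBJECTS = {
    "LAN1_SUBNET": {"192.0.2.10", "192.0.2.11"},
    "WAN_SERVER": {"198.51.100.5"},
}
SCHEDULES = {"office_hours": (8, 18)}   # active from 08:00 up to 18:00

@dataclass(frozen=True)
class Policy:
    """One row of the policy list; "any" matches everything, as in the manual."""
    name: str
    from_zone: str
    to_zone: str
    source: str = "any"       # address object name or "any"
    destination: str = "any"
    service: str = "any"      # service object name, e.g. "TELNET"
    user: str = "any"         # login name or "any"
    schedule: str = "none"    # "none" = always active
    action: str = "deny"      # allow | deny | reject

@dataclass(frozen=True)
class Packet:
    from_zone: str
    to_zone: str
    src: str
    dst: str
    service: str
    user: str = ""            # login name if the client is authenticated
    hour: int = 12

def _addr_match(obj, ip):
    return obj == "any" or ip in ADDRESS_OBJECTS.get(obj, set())

def _schedule_active(name, hour):
    if name == "none":
        return True
    start, end = SCHEDULES[name]
    return start <= hour < end

def policy_matches(p, pkt):
    """All criteria the manual lists must match: direction, source,
    destination, service, user and schedule."""
    return (p.from_zone in ("any", pkt.from_zone)
            and p.to_zone in ("any", pkt.to_zone)
            and _addr_match(p.source, pkt.src)
            and _addr_match(p.destination, pkt.dst)
            and p.service in ("any", pkt.service)
            and p.user in ("any", pkt.user)
            and _schedule_active(p.schedule, pkt.hour))

class Firewall:
    def __init__(self, policies):
        self.policies = list(policies)   # list order is the priority order
        self.sessions = set()            # (src, dst, service) of allowed flows

    def evaluate(self, pkt):
        """Return (action, reason) for one packet."""
        # Stateful inspection: the reply to an already-allowed session is
        # accepted without walking the policy list again.
        if (pkt.dst, pkt.src, pkt.service) in self.sessions:
            return "allow", "established session"
        for p in self.policies:
            if policy_matches(p, pkt):
                if p.action == "allow":
                    self.sessions.add((pkt.src, pkt.dst, pkt.service))
                return p.action, p.name
        # Nothing matched: the implicit default drops the packet (Table 192).
        return "deny", "default"

def default_policies():
    """Rows reproducing the default directional behaviour of Table 192."""
    rows = [Policy("Device_DHCP", "any", "Device", service="DHCP", action="allow")]
    for lan in ("LAN1", "LAN2"):
        rows.append(Policy(f"{lan}_Outgoing", lan, "any", action="allow"))
        rows.append(Policy(f"{lan}_to_Device", lan, "Device", action="allow"))
    for svc in ("AH", "ESP", "GRE", "HTTPS", "IKE", "NATT"):
        rows.append(Policy(f"WAN_to_Device_{svc}", "WAN", "Device",
                           service=svc, action="allow"))
    rows.append(Policy("WAN_to_Device_Drop", "WAN", "Device"))   # deny, logged
    return rows

def telnet_demo():
    """The manual's Telnet example evaluated against the default rows."""
    fw = Firewall(default_policies())
    lan_host, wan_server = "192.0.2.10", "198.51.100.5"
    outbound = fw.evaluate(Packet("LAN1", "WAN", lan_host, wan_server, "TELNET"))
    reply = fw.evaluate(Packet("WAN", "LAN1", wan_server, lan_host, "TELNET"))
    fresh = Firewall(default_policies())    # no prior LAN-initiated session
    inbound = fresh.evaluate(Packet("WAN", "LAN1", wan_server, lan_host, "TELNET"))
    return outbound, reply, inbound
```

A user-aware row such as `Policy("alice_to_DMZ", "LAN1", "DMZ", user="alice", schedule="office_hours", action="allow")` only matches packets carrying that login name during the scheduled hours, which is the behaviour described under User Specific Security Policies below; outside those hours the same packet falls through to the default drop.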


User Specific Security Policies

You can specify users or user groups in Security Policies. For example, to allow a specific user from any computer to access a zone by logging in to the Zyxel Device, you can set up a policy based on the user name only. If you also apply a schedule to the Security Policy, the user can only access the network at the scheduled time. A user-aware Security Policy is activated whenever the user logs in to the Zyxel Device and will be disabled after the user logs out of the Zyxel Device.

Session Limits

Accessing the Zyxel Device or network resources through the Zyxel Device requires a NAT session and corresponding Security Policy session. Peer to peer applications, such as file sharing applications, may use a large number of NAT sessions. A single client could use all of the available NAT sessions and prevent others from connecting to or through the Zyxel Device. The Zyxel Device lets you limit the number of concurrent NAT/Security Policy sessions a client can use.
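The per-client limit described above, as an added Python illustration (not device code): a session table of fixed size, a per-host ceiling, and a constructed scenario in which a file-sharing client opens many flows before a second client asks for one. Client and destination addresses are constructed.

```python
"""Per-client session limit (added illustration, not device code)."""
from collections import defaultdict

class SessionLimiter:
    """Counts open NAT/Security Policy sessions per client and refuses a new
    one once a client holds max_per_host, so a single peer-to-peer client
    cannot exhaust the shared session table."""

    def __init__(self, max_per_host, table_size):
        self.max_per_host = max_per_host
        self.table_size = table_size
        self.open = defaultdict(set)      # client ip -> set of session keys

    def total(self):
        return sum(len(s) for s in self.open.values())

    def open_session(self, client_ip, session_key):
        """session_key identifies the flow, e.g. (destination ip, port)."""
        if session_key in self.open[client_ip]:
            return "allow"                 # already open, nothing new consumed
        if len(self.open[client_ip]) >= self.max_per_host:
            return "deny: per-host limit"
        if self.total() >= self.table_size:
            return "deny: table full"
        self.open[client_ip].add(session_key)
        return "allow"

    def close_session(self, client_ip, session_key):
        self.open[client_ip].discard(session_key)

def demo(max_per_host):
    """Constructed scenario: a file-sharing client opens ten flows, then a
    second client opens one; returns the decisions for both and for a new
    flow from the first client after it closes one."""
    limiter = SessionLimiter(max_per_host=max_per_host, table_size=8)
    p2p_client, other_client = "192.0.2.50", "192.0.2.51"
    p2p = [limiter.open_session(p2p_client, (f"203.0.113.{i}", 6881))
           for i in range(10)]
    other = limiter.open_session(other_client, ("203.0.113.99", 443))
    limiter.close_session(p2p_client, ("203.0.113.0", 6881))
    after_close = limiter.open_session(p2p_client, ("203.0.113.42", 6881))
    return p2p, other, after_close
```

Calling `demo(100)` (a ceiling higher than the table) shows the problem the manual describes: the first client fills the table and the second client's session is refused. `demo(3)` caps the first client at three sessions and the second client gets through.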

25.4 The Security Policy Screen

Asymmetrical Routes

If an alternate gateway on the LAN has an IP address in the same subnet as the Zyxel Device’s LAN IP address, return traffic may not go through the Zyxel Device. This is called an asymmetrical or “triangle” route. This causes the Zyxel Device to reset the connection, as the connection has not been acknowledged.

You can have the Zyxel Device permit the use of asymmetrical route topology on the network (not reset the connection). However, allowing asymmetrical routes may let traffic from the WAN go directly to the LAN without passing through the Zyxel Device. A better solution is to use virtual interfaces to put the Zyxel Device and the backup gateway on separate subnets. Virtual interfaces allow you to partition your network into logical sections over the same interface. See the chapter about interfaces for more information.

By putting LAN 1 and the alternate gateway (A in the figure) in different subnets, all returning network traffic must pass through the Zyxel Device to the LAN. The following steps and figure describe such a scenario.

1 A computer on the LAN1 initiates a connection by sending a SYN packet to a receiving server on the WAN.

2 The Zyxel Device reroutes the packet to gateway A, which is in Subnet 2.

3 The reply from the WAN goes to the Zyxel Device.

4 The Zyxel Device then sends it to the computer on the LAN1 in Subnet 1.
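The subnet check behind the asymmetrical route discussion, as an added Python illustration (not device code): it flags an alternate gateway that shares the LAN hosts' subnet, models which hops the return traffic takes in the simplified scenario above, and compares the topology before and after a virtual interface places the gateway in a separate subnet. The addresses and interface names are constructed.

```python
"""Triangle (asymmetrical) route check (added illustration, not device code)."""
import ipaddress

def triangle_route_risk(lan_host, alt_gateway):
    """True when the alternate gateway sits in the same subnet as the LAN
    hosts (lan_host given as ip/prefix): hosts can then reach it directly,
    so return traffic may bypass the Zyxel Device."""
    host_net = ipaddress.ip_interface(lan_host).network
    return ipaddress.ip_address(alt_gateway) in host_net

def reply_path(lan_host, alt_gateway):
    """Hops taken by return traffic in the manual's simplified scenario."""
    if triangle_route_risk(lan_host, alt_gateway):
        return ["gateway A", "LAN host"]                 # Zyxel Device skipped
    return ["gateway A", "Zyxel Device", "LAN host"]   # steps 3 and 4 above

def check_topology(lan_host, alt_gateway, device_interfaces):
    """device_interfaces: {name: 'ip/prefix'} for the Zyxel Device, virtual
    interfaces included. Reports whether hosts can bypass the device and
    whether the device itself has an interface in the gateway's subnet."""
    gw = ipaddress.ip_address(alt_gateway)
    return {
        "bypass": triangle_route_risk(lan_host, alt_gateway),
        "device_reaches_gateway": any(
            gw in ipaddress.ip_interface(cidr).network
            for cidr in device_interfaces.values()),
    }

def demo():
    """Constructed before/after topologies for a LAN1 host at 192.0.2.10."""
    host = "192.0.2.10/24"
    before = check_topology(host, "192.0.2.254", {"lan1": "192.0.2.1/24"})
    # After: gateway A moved to Subnet 2, reached through virtual interface lan1:1.
    after = check_topology(host, "192.0.3.254",
                           {"lan1": "192.0.2.1/24", "lan1:1": "192.0.3.1/24"})
    return before, after
```

In the "before" result both flags are true: the device can reach the gateway, but so can every LAN host, which is exactly the triangle route. In the "after" result the device still reaches the gateway through the virtual interface while `bypass` is false, so returning traffic has to pass through the Zyxel Device.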


Figure 345 Using Virtual Interfaces to Avoid Asymmetrical Routes

25.4.1 Configuring the Security Policy Control Screen

Click Configuration > Security Policy > Policy Control to open the Security Policy screen. Use this screen to enable or disable the Security Policy and asymmetrical routes, set a maximum number of sessions per host, and display the configured Security Policies. Specify from which zone packets come and to which zone packets travel to display only the policies specific to the selected direction. Note the following.

Besides configuring the Security Policy, you also need to configure NAT rules to allow computers on the WAN to access LAN devices.

The Zyxel Device applies NAT (Destination NAT) settings before applying the Security Policies. So for example, if you configure a NAT entry that sends WAN traffic to a LAN IP address, when you configure a corresponding Security Policy to allow the traffic, you need to set the LAN IP address as the destination.

The ordering of your policies is very important as policies are applied in sequence.

The following screen shows the Security Policy summary screen.


Figure 346 Configuration > Security Policy > Policy Control


The following table describes the labels in this screen.

Table 193 Configuration > Security Policy > Policy Control

LABEL: DESCRIPTION

Show Filter/Hide Filter: Click Show Filter to display IPv4 and IPv6 (if enabled) security policy search filters.

General Settings: Enable or disable the Security Policy feature on the Zyxel Device.

Enable Policy Control: Select this to activate Security Policy on the Zyxel Device to perform access control.

IPv4 / IPv6 Configuration: Use IPv4 / IPv6 search filters to find specific IPv4 and IPv6 (if enabled) security policies based on direction, application, user, source, destination and/or schedule.

From / To: Select a zone to view all security policies from a particular zone and/or to a particular zone. any means all zones.

IPv4 / IPv6 Source: Type an IPv4 or IPv6 IP address to view all security policies based on the IPv4 / IPv6 source address object used.
• An IPv4 IP address is written as four integer blocks separated by periods. This is an example IPv4 address: 172.16.6.7.
• A 128-bit IPv6 address is written as eight 16-bit hexadecimal blocks separated by colons (:). This is an example IPv6 address: 2001:0db8:1a2b:0015:0000:0000:1a2f:0000.

IPv4 / IPv6 Destination: Type an IPv4 or IPv6 IP address to view all security policies based on the IPv4 / IPv6 destination address object used.
• An IPv4 IP address is written as four integer blocks separated by periods. This is an example IPv4 address: 172.16.6.7.
• A 128-bit IPv6 address is written as eight 16-bit hexadecimal blocks separated by colons (:). This is an example IPv6 address: 2001:0db8:1a2b:0015:0000:0000:1a2f:0000.

Service: View all security policies based on the service object used.

User: View all security policies based on the user or user group object used.

Schedule: View all security policies based on the schedule object used.

IPv4/IPv6 Policy Management: Use the following items to manage IPv4 and IPv6 policies.

Allow Asymmetrical Route: If an alternate gateway on the LAN has an IP address in the same subnet as the Zyxel Device’s LAN IP address, return traffic may not go through the Zyxel Device. This is called an asymmetrical or “triangle” route. This causes the Zyxel Device to reset the connection, as the connection has not been acknowledged. Select this check box to have the Zyxel Device permit the use of asymmetrical route topology on the network (not reset the connection).
Note: Allowing asymmetrical routes may let traffic from the WAN go directly to the LAN without passing through the Zyxel Device. A better solution is to use virtual interfaces to put the Zyxel Device and the backup gateway on separate subnets.

Add: Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.

Edit: Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.

Remove: To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.

Activate: To turn on an entry, select it and click Activate.

Inactivate: To turn off an entry, select it and click Inactivate.

Move: To change a policy’s position in the numbered list, select the policy and click Move to display a field to type a number for where you want to put that policy and press [ENTER] to move the policy to the number that you typed. The ordering of your policies is important as they are applied in order of their numbering.

Clone: Use Clone to create a new entry by modifying an existing one.
• Select an existing entry.
• Click Clone, type a number where the new entry should go and then press [ENTER].
• A configuration copy of the selected entry pops up. You must at least change the name as duplicate entry names are not allowed.

The following read-only fields summarize the policies you have created that apply to traffic traveling in the selected packet direction.

Priority: This is the position of your Security Policy in the global policy list (including all through-Zyxel Device and to-Zyxel Device policies). The ordering of your policies is important as policies are applied in sequence. Default displays for the default Security Policy behavior that the Zyxel Device performs on traffic that does not match any other Security Policy.

Status: This icon is lit when the entry is active and dimmed when the entry is inactive.

Name: This is the name of the Security policy.

From / To: This is the direction of travel of packets. Select from which zone the packets come and to which zone they go. Security Policies are grouped based on the direction of travel of packets to which they apply. For example, from LAN to LAN means packets traveling from a computer or subnet on the LAN to either another computer or subnet on the LAN.
From any displays all the Security Policies for traffic going to the selected To Zone.
To any displays all the Security Policies for traffic coming from the selected From Zone.
From any to any displays all of the Security Policies.
To ZyWALL policies are for traffic that is destined for the Zyxel Device and control which computers can manage the Zyxel Device.

IPv4 / IPv6 Source: This displays the IPv4 / IPv6 source address object, including geographic address and FQDN (group) objects, to which this Security Policy applies.

IPv4 / IPv6 Destination: This displays the IPv4 / IPv6 destination address object, including geographic address and FQDN (group) objects, to which this Security Policy applies.

Service: This displays the service object to which this Security Policy applies.

User: This is the user name or user group name to which this Security Policy applies.

Schedule: This field tells you the schedule object that the policy uses. none means the policy is active at all times if enabled.

Action: This field displays whether the Security Policy silently discards packets without notification (deny), permits the passage of packets (allow) or drops packets with notification (reject).

Log: Select whether to have the Zyxel Device generate a log (log), log and alert (log alert) or not (no) when the policy is matched to the criteria listed above.

Profile: This field shows you which Security Service profiles (application patrol, content filter, IDP, anti-malware, email security) apply to this Security policy. Click an applied Security Service profile icon to edit the profile directly.

Apply: Click Apply to save your changes back to the Zyxel Device.

Reset: Click Reset to return the screen to its last-saved settings.


25.4.2 The Security Policy Control Add/Edit Screen

In the Security Policy Control screen, click the Edit or Add icon to display the Security Policy Edit or Add screen.

Figure 347 Configuration > Security Policy > Policy Control > Add

The following table describes the labels in this screen.

Table 194 Configuration > Security Policy > Policy Control > Add

LABEL: DESCRIPTION

Create new Object: Use to configure any new settings objects that you need to use in this screen.

Enable: Select this check box to activate the Security policy.

Name: Type a name to identify the policy.

Description: Enter a descriptive name of up to 60 printable ASCII characters for the Policy. Spaces are allowed.

From / To: For through-Zyxel Device policies, select the direction of travel of packets to which the policy applies. any means all interfaces. Device means packets destined for the Zyxel Device itself.

Source: Select an IPv4 / IPv6 address or address group object, including geographic address and FQDN (group) objects, to apply the policy to traffic coming from it. Select any to apply the policy to all traffic coming from IPv4 / IPv6 addresses.

Destination: Select an IPv4 / IPv6 address or address group, including geographic address and FQDN (group) objects, to apply the policy to traffic going to it. Select any to apply the policy to all traffic going to IPv4 / IPv6 addresses.

Service: Select a service or service group from the drop-down list box.

User: This field is not available when you are configuring a to-Zyxel Device policy. Select a user name or user group to which to apply the policy. The Security Policy is activated only when the specified user logs into the system and the policy will be disabled when the user logs out. Otherwise, select any and there is no need for user logging.
Note: If you specified a source IP address (group) instead of any in the field below, the user’s IP address should be within the IP address range.

Schedule: Select a schedule that defines when the policy applies. Otherwise, select none and the policy is always effective.

Action: Use the drop-down list box to select what the Security Policy is to do with packets that match this policy.
Select deny to silently discard the packets without sending a TCP reset packet or an ICMP destination-unreachable message to the sender.
Select reject to discard the packets and send a TCP reset packet or an ICMP destination-unreachable message to the sender.
Select allow to permit the passage of the packets.

Log matched traffic: Select whether to have the Zyxel Device generate a log (log), log and alert (log alert) or not (no) when the policy is matched to the criteria listed above.

Profile: Use this section to apply anti-x profiles (created in the Configuration > Security Service screens) to traffic that matches the criteria above. You must have created a profile first; otherwise none displays. Use Log to generate a log (log), log and alert (log alert) or not (no) for all traffic that matches criteria in the profile.

Application Patrol: Select an Application Patrol profile from the list box; none displays if no profiles have been created in the Configuration > Security Service > App Patrol screen.

Content Filter: Select a Content Filter profile from the list box; none displays if no profiles have been created in the Configuration > Security Service > Content Filter screen.

SSL Inspection: Select an SSL Inspection profile from the list box; none displays if no profiles have been created in the Configuration > Security Service > SSL Inspection screen.

OK: Click OK to save your customized settings and exit this screen.

Cancel: Click Cancel to exit this screen without saving.

25.5 Anomaly Detection and Prevention Overview

Anomaly Detection and Prevention (ADP) protects against anomalies based on violations of protocol standards (RFCs – Requests for Comments) and abnormal flows such as port scans. This section introduces ADP, anomaly profiles and applying an ADP profile to a traffic direction.

Traffic Anomalies

Traffic anomaly policies look for abnormal behavior or events such as port scanning, sweeping or network flooding. They operate at OSI layer-2 and layer-3. Traffic anomaly policies may be updated when you upload new firmware.


Protocol Anomalies

Protocol anomalies are packets that do not comply with the relevant RFC (Request For Comments). Protocol anomaly detection includes:

TCP Decoder

UDP Decoder

ICMP Decoder

Protocol anomaly policies may be updated when you upload new firmware.

Note: First, create an ADP profile in the Configuration > Security Policy > ADP > Profile screen.

Then, apply the profile to traffic originating from a specific zone in the Configuration > Security Policy > ADP > General screen.

25.5.1 The Anomaly Detection and Prevention General Screen

Click Configuration > Security Policy > ADP > General to display the next screen.

Figure 348 Configuration > Security Policy > ADP > General

The following table describes the labels in this screen.

Table 195 Configuration > Security Policy > ADP > General

LABEL: DESCRIPTION

General Settings

Enable Anomaly Detection and Prevention: Select this to enable traffic anomaly and protocol anomaly detection and prevention.

Add: Select an entry and click Add to append a new row beneath the one selected. ADP policies are applied in order (Priority) shown in this screen.

Edit: Select an entry and click this to be able to modify it.

Remove: Select an entry and click this to delete it.

Activate: To turn on an entry, select it and click Activate.

Inactivate: To turn off an entry, select it and click Inactivate.

Move: To change an entry’s position in the numbered list, select it and click Move to display a field to type a number for where you want to put that entry and press [ENTER] to move the entry to the number that you typed.

#: This is the entry’s index number in the list.

Priority: This is the rank in the list of anomaly profile policies. The list is applied in order of priority.

Status: The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive.

From: This is the direction of travel of packets to which an anomaly profile is bound. Traffic direction is defined by the zone the traffic is coming from. Use the From field to specify the zone from which the traffic is coming. Select ZyWALL to specify traffic coming from the Zyxel Device itself.
From LAN means packets traveling from a computer on one LAN subnet to a computer on another subnet via the Zyxel Device’s LAN1 zone interfaces. The Zyxel Device does not check packets traveling from a LAN computer to another LAN computer on the same subnet.
From WAN means packets that come in from the WAN zone and the Zyxel Device routes back out through the WAN zone.
Note: Depending on your network topology and traffic load, applying every packet direction to an anomaly profile may affect the Zyxel Device’s performance.

Anomaly Profile: An anomaly profile is a set of anomaly policies with configured activation, log and action settings. This field shows which anomaly profile is bound to which traffic direction. Select an ADP profile to apply to the entry’s traffic direction. Configure the ADP profiles in the ADP profile screens.

25.5.2 Creating New ADP Profiles

Create new ADP profiles in the Configuration > Security Policy > ADP > Profile screens.

When creating ADP profiles, you may find that certain policies are triggering too many false positives or false negatives. A false positive is when valid traffic is flagged as an attack. A false negative is when invalid traffic is wrongly allowed to pass through the Zyxel Device. As each network is different, false positives and false negatives are common on initial ADP deployment.

To counter this, you could create a ‘monitor profile’ that creates logs, but all actions are disabled. Observe the logs over time and try to eliminate the causes of the false alarms. When you’re satisfied that they have been reduced to an acceptable level, you could then create an ‘in-line profile’ whereby you configure appropriate actions to be taken when a packet matches a policy.

ADP profiles consist of traffic anomaly profiles and protocol anomaly profiles. To create a new profile, select a base profile and then click OK to go to the profile details screen. Type a new profile name, enable or disable individual policies and then edit the default log options and actions.

Click Configuration > Security Policy > ADP > Profile to view the following screen.


Chapter 25 Security Policy

Figure 349 Configuration > Security Policy > ADP > Profile

The following table describes the labels in this screen.

Table 196 Configuration > Security Policy > ADP > Profile

LABEL

DESCRIPTION

Profile Management

Create ADP profiles here and then apply them in the Configuration > Security Policy > ADP > Profile screen.

Add

Click Add and first choose a none or all Base Profile.

• none base profile sets all ADP entries to have Log set to no and Action set to none by default.

• all base profile sets all ADP entries to have Log set to log and Action set to block by default.

Edit

Select an entry and click this to be able to modify it.

Remove

Select an entry and click this to delete it.

References

Select an entry and click References to open a screen that shows which settings use the entry. Click Refresh to update information on this screen.

Clone

Use Clone to create a new entry by modifying an existing one.

• Select an existing entry.

• Click Clone.

• A configuration copy of the selected entry pops up. You must at least change the name as duplicate entry names are not allowed.

#

This is the entry’s index number in the list.

Name

This is the name of the profile you created.

Description

This is the description of the profile you created.

Base Profile

This is the name of the base profile used to create this profile.

Reference

This is the number of object references used to create this profile.

25.5.3 Traffic Anomaly Profiles

Traffic anomaly detection looks for abnormal behavior such as scan or flooding attempts. In the Configuration > Security Policy > ADP > Profile screen, click the Edit or Add icon and choose a base profile. Traffic Anomaly is the first tab in the profile.


Figure 350 Configuration > Security Policy > ADP > Profile > Add-Traffic-Anomaly

The following table describes the labels in this screen.

Table 197 Configuration > Security Policy > ADP > Profile > Add-Traffic-Anomaly

LABELS

DESCRIPTION

Name

A name is automatically generated that you can edit. The name must be the same in the Traffic Anomaly and Protocol Anomaly screens for the same ADP profile. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. These are valid, unique profile names:

• MyProfile

• mYProfile

• Mymy12_3-4

These are invalid profile names:

• 1mYProfile

• My Profile

• MyProfile?

• Whatalongprofilename123456789012

Description

In addition to the name, type additional information to help you identify this ADP profile.


Scan/Flood Detection

Scan detection, such as port scanning, tries to find attacks where an attacker scans device(s) to determine what types of network protocols or services a device supports.

Flood detection tries to find attacks that saturate a network with useless data, use up all available bandwidth, and so aim to make communications in the network impossible.

Sensitivity

(Scan detection only.) Select a sensitivity level so as to reduce false positives in your network. If you choose low sensitivity, then scan thresholds and sample times are set low, so you will have fewer logs and false positives; however some traffic anomaly attacks may not be detected.

If you choose high sensitivity, then scan thresholds and sample times are set high, so most traffic anomaly attacks will be detected; however you will have more logs and false positives.

Block Period

Specify for how many seconds the Zyxel Device blocks all packets from being sent to the victim (destination) of a detected anomaly attack. Flood Detection applies blocking to the destination IP address and Scan Detection applies blocking to the source IP address.

Edit (Flood Detection only)

Select an entry and click this to be able to modify it.

Activate

To turn on an entry, select it and click Activate.

Inactivate

To turn off an entry, select it and click Inactivate.

Log

To edit an item’s log option, select it and use the Log icon. Select whether to have the Zyxel Device generate a log (log), log and alert (log alert) or neither (no) when traffic matches this anomaly policy.

Action

To edit what action the Zyxel Device takes when a packet matches a policy, select the policy and use the Action icon.

• none: The Zyxel Device takes no action when a packet matches the policy.

• block: The Zyxel Device silently drops packets that match the policy. Neither sender nor receiver is notified.

#

This is the entry’s index number in the list.

Status

The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive.

Name

This is the name of the anomaly policy. Click the Name column heading to sort in ascending or descending order according to the protocol anomaly policy name.

Log

These are the log options. To edit this, select an item and use the Log icon.

Action

This is the action the Zyxel Device should take when a packet matches a policy. To edit this, select an item and use the Action icon.

Threshold (pkt/sec)

(Flood detection only.) Select a suitable threshold level (the number of packets per second that match the flood detection criteria) for your network. If you choose a low threshold, most traffic anomaly attacks will be detected, but you may have more logs and false positives.

If you choose a high threshold, some traffic anomaly attacks may not be detected, but you will have fewer logs and false positives.

OK

Click OK to save your settings to the Zyxel Device, complete the profile and return to the profile summary page.

Cancel

Click Cancel to return to the profile summary page without saving any changes.

Save

Click Save to save the configuration to the Zyxel Device but remain in the same page. You may then go to another profile screen (tab) in order to complete the profile. Click OK in the final profile screen to complete the profile.
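As an added illustration of how the Threshold (pkt/sec) and Block Period settings in Table 197 interact, not code from the user’s guide or from Zyxel, the following Python simulates the flood rule over a constructed packet trace. The trigger condition (more than the threshold number of packets to one destination within one whole second) and the per-second bucketing are assumptions, since the guide does not state how the one-second window is sampled.

```python
from collections import defaultdict

# Constructed packet trace (not from the guide): (timestamp in seconds, destination IP).
# Six packets reach 10.0.0.5 inside one second, followed by a few stragglers.
SAMPLE_TRACE = (
    [(100.0 + i * 0.1, "10.0.0.5") for i in range(6)]
    + [(101.0, "10.0.0.5"), (101.5, "10.0.0.6"),
       (102.0, "10.0.0.5"), (111.0, "10.0.0.5")]
)


def flood_block_windows(packets, threshold_pps, block_period):
    """Simulate the flood rule from Table 197.

    packets:       iterable of (timestamp, dst_ip), sorted by timestamp.
    threshold_pps: Threshold (pkt/sec) configured in the profile.
    block_period:  Block Period in seconds.

    Returns (windows, dropped): windows lists every (dst_ip, start, end)
    block window that was opened; dropped counts packets discarded because
    their destination was inside an open window.
    Assumption: the rule fires when the per-second count to one destination
    exceeds threshold_pps (the guide does not say whether it is > or >=).
    """
    per_second = defaultdict(int)   # (dst_ip, whole second) -> packet count
    block_until = {}                # dst_ip -> end of its block window
    windows = []
    dropped = 0
    for ts, dst in packets:
        if ts < block_until.get(dst, float("-inf")):
            dropped += 1            # the victim is still being protected
            continue
        key = (dst, int(ts))
        per_second[key] += 1
        if per_second[key] > threshold_pps:
            # Flood detected: block all packets to the victim (destination)
            # for block_period seconds, as the Block Period field describes.
            block_until[dst] = ts + block_period
            windows.append((dst, ts, ts + block_period))
    return windows, dropped


if __name__ == "__main__":
    # A low threshold catches the burst; a high one lets it through silently.
    for thr in (5, 10):
        wins, drops = flood_block_windows(SAMPLE_TRACE, thr, 10)
        print(f"threshold={thr} pkt/s -> windows={wins} dropped={drops}")
```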

 

 

 

 

 

 

 

 


25.5.4 Protocol Anomaly Profiles

Protocol anomalies are packets that do not comply with the relevant RFC (Request For Comments). Protocol anomaly detection includes:

• TCP Decoder

• UDP Decoder

• ICMP Decoder

• IP Decoder

Teardrop

When an IP packet is larger than the Maximum Transmission Unit (MTU) configured in the Zyxel Device, it is fragmented using the TCP or ICMP protocol.

A Teardrop attack falsifies the offset which defines the size of the fragment and the original packet. A series of IP fragments with overlapping offset fields can cause some systems to crash, hang, or reboot when fragment reassembling is attempted at the destination.

IP Spoofing

IP Spoofing is used to gain unauthorized access to network devices by modifying packet headers so that it appears that the packets originate from a host within a trusted network.

In an IP Spoof from the WAN, the source address appears to be in the same subnet as a Zyxel Device LAN interface.

In an IP Spoof from a LAN interface, the source address appears to be in a different subnet from that Zyxel Device LAN interface.
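The two IP Spoofing rules just stated can be checked directly against the interface a packet arrived on and its source address. This is an added Python example, not Zyxel code; the LAN interface names, their subnets and the sample records are constructed.

```python
import ipaddress

# Constructed LAN interface table (not from the guide): interface -> subnet.
LAN_SUBNETS = {
    "lan1": ipaddress.ip_network("192.168.1.0/24"),
    "lan2": ipaddress.ip_network("192.168.2.0/24"),
}


def is_ip_spoof(ingress, src_ip, lan_subnets=LAN_SUBNETS):
    """Apply the two IP Spoofing rules from Section 25.5.4.

    ingress: "wan" or the name of a LAN interface present in lan_subnets.
    Returns True when the source address is inconsistent with the
    interface the packet arrived on.
    """
    src = ipaddress.ip_address(src_ip)
    if ingress == "wan":
        # From the WAN: spoofed if the source falls inside any LAN subnet.
        return any(src in net for net in lan_subnets.values())
    if ingress in lan_subnets:
        # From a LAN interface: spoofed if the source is outside that
        # interface's own subnet.
        return src not in lan_subnets[ingress]
    raise ValueError(f"unknown ingress interface {ingress!r}")


def spoofed_packets(records, lan_subnets=LAN_SUBNETS):
    """Filter (ingress, src_ip) records down to those flagged as spoofed."""
    return [(ifc, ip) for ifc, ip in records if is_ip_spoof(ifc, ip, lan_subnets)]


# Constructed sample: one legitimate and one spoofed packet per direction.
SAMPLE_RECORDS = [
    ("wan", "203.0.113.7"),      # ordinary Internet source, fine
    ("wan", "192.168.1.10"),     # claims to be a LAN1 host, spoofed
    ("lan1", "192.168.1.10"),    # LAN1 host on its own subnet, fine
    ("lan1", "10.9.9.9"),        # LAN1 ingress with a foreign source, spoofed
]

if __name__ == "__main__":
    for rec in spoofed_packets(SAMPLE_RECORDS):
        print("IP spoof detected:", rec)
```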


Figure 351 Configuration > Security Policy > ADP > Profile > Add-Protocol-Anomaly


The following table describes the labels in this screen.

Table 198 Configuration > Security Policy > ADP > Profile > Add-Protocol-Anomaly

 

LABEL

DESCRIPTION

Name

A name is automatically generated that you can edit. The name must be the same in the Traffic Anomaly and Protocol Anomaly screens for the same ADP profile. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. These are valid, unique profile names:

• MyProfile

• mYProfile

• Mymy12_3-4

These are invalid profile names:

• 1mYProfile

• My Profile

• MyProfile?

• Whatalongprofilename123456789012

Description

In addition to the name, type additional information to help you identify this ADP profile.

TCP Decoder/UDP Decoder/ICMP Decoder/IP Decoder

Perform the following actions for each type of decoder.

Activate

To turn on an entry, select it and click Activate.

Inactivate

To turn off an entry, select it and click Inactivate.

Log

To edit an item’s log option, select it and use the Log icon. Select whether to have the Zyxel Device generate a log (log), log and alert (log alert) or neither (no) when traffic matches this anomaly policy.

Action

To edit what action the Zyxel Device takes when a packet matches a policy, select the policy and use the Action icon.

• original setting: Select this action to return each rule in a service group to its previously saved configuration.

• none: Select this action to have the Zyxel Device take no action when a packet matches a policy.

• drop: Select this action to have the Zyxel Device silently drop a packet that matches a policy. Neither sender nor receiver is notified.

• reject-sender: Select this action to have the Zyxel Device send a reset to the sender when a packet matches the policy. If it is a TCP attack packet, the Zyxel Device will send a packet with a ‘RST’ flag. If it is an ICMP or UDP attack packet, the Zyxel Device will send an ICMP unreachable packet.

• reject-receiver: Select this action to have the Zyxel Device send a reset to the receiver when a packet matches the policy. If it is a TCP attack packet, the Zyxel Device will send a packet with a ‘RST’ flag. If it is an ICMP or UDP attack packet, the Zyxel Device will do nothing.

• reject-both: Select this action to have the Zyxel Device send a reset to both the sender and receiver when a packet matches the policy. If it is a TCP attack packet, the Zyxel Device will send a packet with a ‘RST’ flag to the receiver and sender. If it is an ICMP or UDP attack packet, the Zyxel Device will send an ICMP unreachable packet.

#

This is the entry’s index number in the list.

Status

The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive.

Name

This is the name of the anomaly policy. Click the Name column heading to sort in ascending or descending order according to the protocol anomaly policy name.

 

 

 

 

 

 

 

 

 

 

 


 

 

Log

These are the log options. To edit this, select an item and use the Log icon.

Action

This is the action the Zyxel Device should take when a packet matches a policy. To edit this, select an item and use the Action icon.

OK

Click OK to save your settings to the Zyxel Device, complete the profile and return to the profile summary page.

Cancel

Click Cancel to return to the profile summary page without saving any changes.

Save

Click Save to save the configuration to the Zyxel Device but remain in the same page. You may then go to another profile screen (tab) in order to complete the profile. Click OK in the final profile screen to complete the profile.
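The profile-name rules stated in the Name rows of Tables 197 and 198 (1-31 characters, alphanumeric plus underscore and dash, no leading digit, case-sensitive) and the Clone rule that duplicate entry names are not allowed, as an added Python validator that is not Zyxel’s own code. It assumes a leading underscore or dash is permitted, which the guide does not state either way, and it is exercised with the guide’s own valid and invalid examples.

```python
import re

# Rules from Tables 197/198: 1-31 characters, letters, digits, underscore or
# dash, first character not a digit, case-sensitive.  Assumption: a leading
# underscore or dash is allowed, since the guide only forbids a leading digit.
_ALLOWED = re.compile(r"^[A-Za-z0-9_-]+$")
MAX_LEN = 31


def profile_name_error(name):
    """Return None if name is a valid ADP profile name, else the reason."""
    if not 1 <= len(name) <= MAX_LEN:
        return f"length must be 1-{MAX_LEN} characters (got {len(name)})"
    if name[0].isdigit():
        return "first character cannot be a number"
    if not _ALLOWED.match(name):
        bad = sorted({c for c in name if not re.match(r"[A-Za-z0-9_-]", c)})
        return "invalid character(s): " + "".join(bad)
    return None


def validate_profile_set(names):
    """Check validity and case-sensitive uniqueness across a list of names.

    Returns {name: reason} for every rejected name; an empty dict means all
    names could be created.  MyProfile and mYProfile count as distinct.
    """
    problems, seen = {}, set()
    for n in names:
        err = profile_name_error(n)
        if err is None and n in seen:
            err = "duplicate entry names are not allowed"
        if err is not None:
            problems[n] = err
        seen.add(n)
    return problems


if __name__ == "__main__":
    # The guide's own valid and invalid examples.
    for n in ["MyProfile", "mYProfile", "Mymy12_3-4", "1mYProfile",
              "My Profile", "MyProfile?", "Whatalongprofilename123456789012"]:
        print(f"{n!r:40} -> {profile_name_error(n) or 'valid'}")
```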

 

 

25.6 The Session Control Screen

Click Configuration > Security Policy > Session Control to display the Security Policy Session Control screen. Use this screen to limit the number of concurrent NAT/Security Policy sessions a client can use. You can apply a default limit for all users and individual limits for specific users, addresses, or both. The individual limit takes priority if you apply both.

Figure 352 Configuration > Security Policy > Session Control
