ZyXEL ATP100W Users Manual
Chapter 24 Web Authentication
Make sure you select Enable Policy, Single Sign-On and choose required in Authentication.
Do NOT select any as the source address unless you want all incoming connections to be
authenticated!
ZyWALL ATP Series User’s Guide
481
Chapter 24 Web Authentication
See Table 184 on page 462 and Table 185 on page 465 for more information on configuring these
screens.
24.4.4 Create a Security Policy
Configure a Security Policy for SSO traffic source and destination direction in order to prevent the
security policy from blocking this traffic. Go to Configuration > Security Policy > Policy Control and add a
new policy if a default one does not cover the SSO web authentication traffic direction.
Configure the fields as shown in the following screen. Configure the source and destination addresses
according to the SSO web authentication traffic in your network.
ZyWALL ATP Series User’s Guide
482
Chapter 24 Web Authentication
24.4.5 Configure User Information
Configure a User account of the ext-group-user type.
Configure Group Identifier to be the same as Group Membership on the SSO agent.
ZyWALL ATP Series User’s Guide
483
Chapter 24 Web Authentication
24.4.6 Configure an Authentication Method
Configure Active Directory (AD) for authentication with SSO.
Choose group ad as the authentication server for SSO.
ZyWALL ATP Series User’s Guide
484
Chapter 24 Web Authentication
24.4.7 Configure Active Directory
You must configure an Active Directory (AD) server in AAA Setup to be the same as AD configured on
the SSO agent.
The default AD server port is 389. If you change this, make sure you make the same changes on the SSO.
Configure the Base DN exactly the same as on the Domain Controller and SSO. Bind DN is a user name
and password that allows the Zyxel Device to join the domain with administrative privileges. It is a
required field.
ZyWALL ATP Series User’s Guide
485
Chapter 24 Web Authentication
24.5 SSO Agent Configuration
This section shows what you have to do on the SSO agent in order to work with the Zyxel Device.
After you install the SSO agent, you will see an icon in the system tray (bottom right of the screen)
Right-click the SSO icon and select Configure Zyxel SSO Agent.
Configure the Agent Listening Port, AD server exactly as you have done on the Zyxel Device. Add the
Zyxel Device IP address as the Gateway. Make sure the Zyxel Device and SSO agent are able to
communicate with each other.
ZyWALL ATP Series User’s Guide
486
Chapter 24 Web Authentication
Configure the Server Address, Port, Base DN, Bind DN, Login Name Attribute and Group Membership for
the AD server settings exactly as you have done on the Zyxel Device. Group Membership is called Group
Identifier on the Zyxel Device.
LDAP/AD Server Configuration
ZyWALL ATP Series User’s Guide
487
Chapter 24 Web Authentication
Configure the Gateway IP address, Gateway Port and PreShareKey exactly as you have done in the
Zyxel Device Configuration > Web Authentication > SSO screen. If you want to use Generate Key to have
the SSO create a random password, select Check to show PreShareKey as clear Text so as to see the
password, then copy and paste it to the Zyxel Device.
After all SSO agent configurations are done, right-click the SSO icon in the system tray and select Enable
Zyxel SSO Agent.
ZyWALL ATP Series User’s Guide
488
25.1 Overview
A security policy is a template of security settings that can be applied to specific traffic at specific times.
The policy can be applied:
• to a specific direction of travel of packets (from / to)
• to a specific source and destination address objects
• to a specific type of traffic (services)
• to a specific user or group of users
• at a specific schedule
The policy can be configured:
• to allow or deny traffic that matches the criteria above
• send a log or alert for traffic that matches the criteria above
• to apply the actions configured in the profiles (application patrol, content filter, IDP, anti-malware,
email security) to traffic that matches the criteria above
CHAPTER 25
Security Policy
Note: Security policies can be applied to both IPv4 and IPv6 traffic.
The security policies can also limit the number of user sessions.
The following example shows the Zyxel Device’s default security policies behavior for a specific direction
of travel of packets. WAN to LAN traffic and how stateful inspection works. A LAN user can initiate a
Telnet session from within the LAN zone and the Zyxel Device allows the response. However, the Zyxel
Device blocks incoming Telnet traffic initiated from the WAN zone and destined for the LAN zone.
Figure 341 Default Directional Security Policy Example
ZyWALL ATP Series User’s Guide
489
25.2 One Security
1
2
3
4
OneSecurity is a website with guidance on configuration walkthroughs, troubleshooting, and other
information. This is an example of a port forwarding configuration walkthrough.
Figure 342 Example of a Port Forwarding Configuration Walkthrough.
Chapter 25 Security Policy
This is an example of L2TP over IPSec VPN Troubleshooting troubleshooting.
ZyWALL ATP Series User’s Guide
490
1
2
2
3
Chapter 25 Security Policy
Figure 343 Example of L2TP over IPSec Troubleshooting - 1
ZyWALL ATP Series User’s Guide
491
Chapter 25 Security Policy
3
Figure 344 Example of L2TP over IPSec Troubleshooting - 2
In the Zyxel Device, you will see icons that link to OneSecurity walkthroughs, troubleshooting and so on in
certain screens.
For example, at the time of writing, these are the OneSecurity icons you can see.
Table 191 OneSecurity Icons
ONESECURITY ICON SCREEN
Click this icon to go to a series of screens that guide you how to configure the
feature. Note that the walkthroughs do not perform the actual configuring, but just
show you how to do it.
• Device HA > General
• Licensing > Registration
• Network > NAT
• Network > Routing > Policy Route
• Security Service > App Patrol
• Security Service > Content Filter
• Security Service > IDP
• Security Service > Anti-Malware
• Security Service > Email Security
•VPN > IPSec VPN
•VPN > SSL VPN
•VPN > L2TP VPN
Click this icon to go to a series of screens that guide you how to fix problems with the
feature.
• Device HA > General
• Network > NAT
• Network > Routing > Policy Route
• Security Service > App Patrol
• Security Service > Content Filter
• Security Service > IDP
• Security Service > Anti-Malware
• Security Service > Email Security
•VPN > IPSec VPN
•VPN > SSL VPN
•VPN > L2TP VPN
ZyWALL ATP Series User’s Guide
492
Chapter 25 Security Policy
Table 191 OneSecurity Icons (continued)
ONESECURITY ICON SCREEN
Click this icon for more information on Application Patrol, which identifies traffic that
passes through the Zyxel Device, so you can decide what to do with specific types
of traffic. Traffic not recognized by application patrol is ignored.
• Security Service > Application Patrol
Click this icon for more information on Content Filter, which controls access to
specific web sites or web content.
• Security Service > Content Filter
Click this icon for more information on IPSec and SSL VPN. Internet Protocol Security
(IPSec) VPN connects IPSec routers or remote users using IPSec client software. SSL
VPN allows users to use a web browser for secure remote user login without need of
a VPN router or VPN client software.
•VPN > IPSec VPN
•VPN > SSL VPN
Click this icon to download VPN client software.
•VPN > IPSec VPN
•VPN > SSL VPN
Click this icon for more information on the Wireless AP Controller which sets how the
Zyxel Device allows APs to connect to the wireless network.
• Wireless > AP Management > Mgnt. AP List
25.3 What You Can Do in this Chapter
• Use the Security Policy Control screens (Section 25.4 on page 495) to enable or disable policies,
asymmetrical routes, and manage and configure policies.
• Use the Anomaly Detection and Prevention (ADP) screens (Section 25.5 on page 501) to detect traffic
with protocol anomalies and take appropriate action.
• Use the Session Control screens (see Section 25.5 on page 501) to limit the number of concurrent NAT/
security policies traffic sessions a client can use.
25.3.1 What You Need to Know
Stateful Inspection
The Zyxel Device uses stateful inspection in its security policies. The Zyxel Device restricts access by
screening data packets against defined access rules. It also inspects sessions. For example, traffic from
one zone is not allowed unless it is initiated by a computer in another zone first.
Zones
A zone is a group of interfaces. Group the Zyxel Device’s interfaces into different zones based on your
needs. You can configure security policies for data passing between zones or even between interfaces.
ZyWALL ATP Series User’s Guide
493
Chapter 25 Security Policy
Default Directional Security Policy Behavior
Security Policies can be grouped based on the direction of travel of packets to which they apply. Here
is the The Zyxel Device has default Security Policy behavior for traffic going through the Zyxel Device in
various directions.
Table 192 Directional Security Policy Behavior
FROM ZONE TO ZONE BEHAVIOR
From any to Device DHCP traffic from any interface to the Zyxel Device is allowed.
From LAN1 to any (other than
the Zyxel Device)
From LAN2 to any (other than
the Zyxel Device)
From LAN1 to Device Traffic from the LAN1 to the Zyxel Device itself is allowed.
From LAN2 to Device Traffic from the LAN2 to the Zyxel Device itself is allowed.
From WAN to Device The default services listed in To-Device Policies are allowed from the WAN to the
From any to any Traffic that does not match any
Traffic from the LAN1 to any of the networks connected to the Zyxel Device is
allowed.
Traffic from the LAN2 to any of the networks connected to the Zyxel Device is
allowed.
Zyxel Device itself. All other WAN to Zyxel Device traffic is dropped.
Security policy is dropped. This includes traffic
from the WAN to any of the networks behind the Zyxel Device.
This also includes traffic to or from interfaces that are not assigned to a zone
(extra-zone traffic).
To-Device Policies
Policies with Device as the To Zone apply to traffic going to the Zyxel Device itself. By default:
• The Security Policy allows only LAN, or WAN computers to access or manage the Zyxel Device.
• The Zyxel Device allows DHCP traffic from any interface to the Zyxel Device.
• The Zyxel Device drops most packets from the WAN zone to the Zyxel Device itself and generates a
log except for AH, ESP, GRE, HTTPS, IKE, NATT.
When you configure a Security Policy rule for packets destined for the Zyxel Device itself, make sure it
does not conflict with your service control rule. The Zyxel Device checks the security policy before the
service control rules for traffic destined for the Zyxel Device.
A From Any To Device direction policy applies to traffic from an interface which is not in a zone.
Global Security Policies
Security Policies with from any and/or to any as the packet direction are called global Security Policies.
The global Security Policies are the only Security Policies that apply to an interface that is not included in
a zone. The from any policies apply to traffic coming from the interface and the to any policies apply to
traffic going to the interface.
Security Policy Rule Criteria
The Zyxel Device checks the schedule, user name (user’s login name on the Zyxel Device), source IP
address and object, destination IP address and object, IP protocol type of network traffic (service) and
Security Service profile criteria against the Security Policies (in the order you list them). When the traffic
matches a policy, the Zyxel Device takes the action specified in the policy.
ZyWALL ATP Series User’s Guide
494
Chapter 25 Security Policy
User Specific Security Policies
You can specify users or user groups in Security Policies. For example, to allow a specific user from any
computer to access a zone by logging in to the Zyxel Device, you can set up a policy based on the user
name only. If you also apply a schedule to the Security Policy, the user can only access the network at
the scheduled time. A user-aware Security Policy is activated whenever the user logs in to the Zyxel
Device and will be disabled after the user logs out of the Zyxel Device.
Session Limits
Accessing the Zyxel Device or network resources through the Zyxel Device requires a NAT session and
corresponding Security Policy session. Peer to peer applications, such as file sharing applications, may
use a large number of NAT sessions. A single client could use all of the available NAT sessions and
prevent others from connecting to or through the Zyxel Device. The Zyxel Device lets you limit the
number of concurrent NAT/Security Policy sessions a client can use.
25.4 The Security Policy Screen
Asymmetrical Routes
If an alternate gateway on the LAN has an IP address in the same subnet as the Zyxel Device’s LAN IP
address, return traffic may not go through the Zyxel Device. This is called an asymmetrical or “triangle”
route. This causes the Zyxel Device to reset the connection, as the connection has not been
acknowledged.
You can have the Zyxel Device permit the use of asymmetrical route topology on the network (not reset
the connection). However, allowing asymmetrical routes may let traffic from the WAN go directly to the
LAN without passing through the Zyxel Device. A better solution is to use virtual interfaces to put the Zyxel
Device and the backup gateway on separate subnets. Virtual interfaces allow you to partition your
network into logical sections over the same interface. See the chapter about interfaces for more
information.
By putting LAN 1 and the alternate gateway (A in the figure) in different subnets, all returning network
traffic must pass through the Zyxel Device to the LAN. The following steps and figure describe such a
scenario.
1 A computer on the LAN1 initiates a connection by sending a SYN packet to a receiving server on the
WAN.
2 The Zyxel Device reroutes the packet to gateway A, which is in Subnet 2.
3 The reply from the WAN goes to the Zyxel Device.
4 The Zyxel Device then sends it to the computer on the LAN1 in Subnet 1.
ZyWALL ATP Series User’s Guide
495
Chapter 25 Security Policy
Figure 345 Using Virtual Interfaces to Avoid Asymmetrical Routes
25.4.1 Configuring the Security Policy Control Screen
Click Configuration > Security Policy > Policy Control to open the Security Policy screen. Use this screen
to enable or disable the Security Policy and asymmetrical routes, set a maximum number of sessions per
host, and display the configured Security Policies. Specify from which zone packets come and to which
zone packets travel to display only the policies specific to the selected direction. Note the following.
• Besides configuring the Security Policy, you also need to configure NAT rules to allow computers on
the WAN to access LAN devices.
• The Zyxel Device applies NAT (Destination NAT) settings before applying the Security Policies. So for
example, if you configure a NAT entry that sends WAN traffic to a LAN IP address, when you configure
a corresponding Security Policy to allow the traffic, you need to set the LAN IP address as the
destination.
• The ordering of your policies is very important as policies are applied in sequence.
The following screen shows the Security Policy summary screen.
ZyWALL ATP Series User’s Guide
496
Chapter 25 Security Policy
Figure 346 Configuration > Security Policy > Policy Control
ZyWALL ATP Series User’s Guide
497
Chapter 25 Security Policy
The following table describes the labels in this screen.
Table 193 Configuration > Security Policy > Policy Control
LABEL DESCRIPTION
Show Filter/Hide
Filter
General Settings Enable or disable the Security Policy feature on the Zyxel Device.
Enable Policy
Control
IPv4 / IPv6
Configuration
From / To Select a zone to view all security policies from a particular zone and/or to a particular zone.
IPv4 / IPv6
Source
IPv4 / IPv6
Destination
Click Show Filter to display IPv4 and IPv6 (if enabled) security policy search filters.
Select this to activate Security Policy on the Zyxel Device to perform access control.
Use IPv4 / IPv6 search filters to find specific IPv4 and IPv6 (if enabled) security policies based on
direction, application, user, source, destination and/or schedule.
any means all zones.
Type an IPv4 or IPv6 IP address to view all security policies based on the IPv4 / IPv6 source
address object used.
• An IPv4 IP address is written as four integer blocks separated by periods. This is an example
IPv4 address: 172.16.6.7.
• An 128-bit IPv6 address is written as eight 16-bit hexadecimal blocks separated by colons
(:). This is an example IPv6 address: 2001:0db8:1a2b:0015:0000:0000:1a2f:0000.
Type an IPv4 or IPv6 IP address to view all security policies based on the IPv4 / IPv6 destination
address object used.
• An IPv4 IP address is written as four integer blocks separated by periods. This is an example
IPv4 address: 172.16.6.7.
• An 128-bit IPv6 address is written as eight 16-bit hexadecimal blocks separated by colons
(:). This is an example IPv6 address: 2001:0db8:1a2b:0015:0000:0000:1a2f:0000.
Service View all security policies based the service object used.
User View all security policies based on user or user group object used.
Schedule View all security policies based on the schedule object used.
IPv4/IPv6 Policy
Management
Allow
Asymmetrical
Route
Use the following items to manage IPv4 and IPv6 policies.
If an alternate gateway on the LAN has an IP address in the same subnet as the Zyxel Device’s
LAN IP address, return traffic may not go through the Zyxel Device. This is called an
asymmetrical or “triangle” route. This causes the Zyxel Device to reset the connection, as the
connection has not been acknowledged.
Select this check box to have the Zyxel Device permit the use of asymmetrical route topology
on the network (not reset the connection).
Note: Allowing asymmetrical routes may let traffic from the WAN go directly to the
LAN without passing through the Zyxel Device. A better solution is to use virtual
interfaces to put the Zyxel Device and the backup gateway on separate
subnets.
Add Click this to create a new entry. Select an entry and click Add to create a new entry after the
selected entry.
Edit Double-click an entry or select it and click Edit to open a screen where you can modify the
Remove To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove
Activate To turn on an entry, select it and click Activate.
Inactivate To turn off an entry, select it and click Inactivate.
entry’s settings.
it before doing so.
ZyWALL ATP Series User’s Guide
498
Chapter 25 Security Policy
Table 193 Configuration > Security Policy > Policy Control (continued)
LABEL DESCRIPTION
Move To change a policy’s position in the numbered list, select the policy and click Move to display a
field to type a number for where you want to put that policy and press [ENTER] to move the
policy to the number that you typed.
The ordering of your policies is important as they are applied in order of their numbering.
Clone Use Clone to create a new entry by modifying an existing one.
• Select an existing entry.
•Click Clone, type a number where the new entry should go and then press [ENTER].
• A configuration copy of the selected entry pops up. You must at least change the name as
duplicate entry names are not allowed.
The following read-only fields summarize the policies you have created that apply to traffic traveling in the
selected packet direction.
Priority This is the position of your Security Policy in the global policy list (including all through-Zyxel
Device and to-Zyxel Device policies). The ordering of your policies is important as policies are
applied in sequence. Default displays for the default Security Policy behavior that the Zyxel
Device performs on traffic that does not match any other Security Policy.
Status This icon is lit when the entry is active and dimmed when the entry is inactive.
Name This is the name of the Security policy.
From / To This is the direction of travel of packets. Select from which zone the packets come and to
which zone they go.
Security Policies are grouped based on the direction of travel of packets to which they apply.
For example, from LAN to LAN means packets traveling from a computer or subnet on the LAN
to either another computer or subnet on the LAN.
From any displays all the Security Policies for traffic going to the selected To Zone.
To any displays all the Security Policies for traffic coming from the selected From Zone.
From any to any displays all of the Security Policies.
To ZyWALL policies are for traffic that is destined for the Zyxel Device and control which
computers can manage the Zyxel Device.
IPv4 / IPv6 Source This displays the IPv4 / IPv6 source address object, including geographic address and FQDN
IPv4 / IPv6
Destination
Service This displays the service object to which this Security Policy applies.
User This is the user name or user group name to which this Security Policy applies.
Schedule This field tells you the schedule object that the policy uses. none means the policy is active at all
Action This field displays whether the Security Policy silently discards packets without notification
Log Select whether to have the Zyxel Device generate a log (log), log and alert (log alert) or not
Profile This field shows you which Security Service profiles (application patrol, content filter, IDP, anti-
Apply Click Apply to save your changes back to the Zyxel Device.
Reset Click Reset to return the screen to its last-saved settings.
(group) objects, to which this Security Policy applies.
This displays the IPv4 / IPv6 destination address object, including geographic address and
FQDN (group) objects, to which this Security Policy applies.
times if enabled.
(deny), permits the passage of packets (allow) or drops packets with notification (reject)
(
no) when the policy is matched to the criteria listed above.
malware, email security) apply to this Security policy. Click an applied Security Service profile
icon to edit the profile directly.
ZyWALL ATP Series User’s Guide
499
Chapter 25 Security Policy
25.4.2 The Security Policy Control Add/Edit Screen
In the Security Policy Control screen, click the Edit or Add icon to display the Security Policy Edit or Add
screen.
Figure 347 Configuration > Security Policy > Policy Control > Add
The following table describes the labels in this screen.
Table 194 Configuration > Security Policy > Policy Control > Add
LABEL DESCRIPTION
Create new
Object
Enable Select this check box to activate the Security policy.
Name Type a name to identify the policy
Description Enter a descriptive name of up to 60 printable ASCII characters for the Policy. Spaces are
From
To
Source Select an IPv4 / IPv6 address or address group object, including geographic address and FQDN
Destination Select an IPv4 / IPv6 address or address group, including geographic address and FQDN (group)
Service Select a service or service group from the drop-down list box.
Use to configure any new settings objects that you need to use in this screen.
allowed.
For through-Zyxel Device policies, select the direction of travel of packets to which the policy
applies.
any means all interfaces.
Device means packets destined for the Zyxel Device itself.
(group) objects, to apply the policy to traffic coming from it. Select any to apply the policy to all
traffic coming from IPv4 / IPv6 addresses.
objects, to apply the policy to traffic going to it. Select any to apply the policy to all traffic going
to IPv4 / IPv6 addresses.
ZyWALL ATP Series User’s Guide
500
Chapter 25 Security Policy
Table 194 Configuration > Security Policy > Policy Control > Add (continued)
LABEL DESCRIPTION
User This field is not available when you are configuring a to-Zyxel Device policy.
Select a user name or user group to which to apply the policy. The Security Policy is activated
only when the specified user logs into the system and the policy will be disabled when the user
logs out.
Otherwise, select any and there is no need for user logging.
Note: If you specified a source IP address (group) instead of any in the field below, the
user’s IP address should be within the IP address range.
Schedule Select a schedule that defines when the policy applies. Otherwise, select none and the policy is
always effective.
Action Use the drop-down list box to select what the Security Policy is to do with packets that match this
policy.
Select deny to silently discard the packets without sending a TCP reset packet or an ICMP
destination-unreachable message to the sender.
Select reject to discard the packets and send a TCP reset packet or an ICMP destination-
unreachable message to the sender.
Select allow to permit the passage of the packets.
Log matched
traffic
Profile Use this section to apply anti- x profiles (created in the Configuration > Security Service screens)
Select whether to have the Zyxel Device generate a log (log), log and alert (log alert) or not (no)
when the policy is matched to the criteria listed above..
to traffic that matches the criteria above. You must have created a profile first; otherwise none
displays.
Use Log to generate a log (log), log and alert (log alert) or not (no) for all traffic that matches
criteria in the profile.
Application
Patrol
Content
Filter
SSL
Inspection
OK Click OK to save your customized settings and exit this screen.
Cancel Click Cancel to exit this screen without saving.
Select an Application Patrol profile from the list box; none displays if no profiles have been
created in the Configuration > Security Service > App Patrol screen.
Select a Content Filter profile from the list box; none displays if no profiles have been created in
the Configuration > Security Service > Content Filter screen.
Select an SSL Inspection profile from the list box; none displays if no profiles have been created in
the Configuration > Security Service > SSL Inspection screen.
25.5 Anomaly Detection and Prevention Overview
Anomaly Detection and Prevention (ADP) protects against anomalies based on violations of protocol
standards (RFCs – Requests for Comments) and abnormal flows such as port scans. This section
introduces ADP, anomaly profiles and applying an ADP profile to a traffic direction.
Traffic Anomalies
Traffic anomaly policies look for abnormal behavior or events such as port scanning, sweeping or
network flooding. They operate at OSI layer-2 and layer-3. Traffic anomaly policies may be updated
when you upload new firmware.
ZyWALL ATP Series User’s Guide
501
Chapter 25 Security Policy
Protocol Anomalies
Protocol anomalies are packets that do not comply with the relevant RFC (Request For Comments).
Protocol anomaly detection includes:
•TCP Decoder
• UDP Decoder
•ICMP Decoder
Protocol anomaly policies may be updated when you upload new firmware.
Note: First, create an ADP profile in the In the Configuration > Security Policy > ADP > Profile
screen.
Then, apply the profile to traffic originating from a specific zone in the Configuration >
Security Policy > ADP > General screen.
25.5.1 The Anomaly Detection and Prevention General Screen
Click Configuration > Security Policy > ADP > General to display the next screen.
Figure 348 Configuration > Security Policy > ADP > General
The following table describes the labels in this screen.
Table 195 Configuration > Security Policy > ADP > General
LABEL DESCRIPTION
General Settings
Enable Anomaly Detection
and Prevention
Add Select an entry and click Add to append a new row beneath the one selected. ADP
Edit Select an entry and click this to be able to modify it.
Remove Select an entry and click this to delete it.
Activate
Inactivate To turn off an entry, select it and click Inactivate.
Move To change an entry’s position in the numbered list, select it and click Move to display
#
Select this to enable traffic anomaly and protocol anomaly detection and
prevention.
policies are applied in order (Priority) shown in this screen
To turn on an entry, select it and click Activate.
a field to type a number for where you want to put that entry and press [ENTER] to
move the entry to the number that you typed.
This is the entry’s index number in the list.
ZyWALL ATP Series User’s Guide
502
Chapter 25 Security Policy
Table 195 Configuration > Security Policy > ADP > General
LABEL DESCRIPTION
Priority This is the rank in the list of anomaly profile policies. The list is applied in order of
priority.
Status The activate (light bulb) icon is lit when the entry is active and dimmed when the
From This is the direction of travel of packets to which an anomaly profile is bound. Traffic
Anomaly Profile An anomaly profile is a set of anomaly policies with configured activation, log and
entry is inactive.
direction is defined by the zone the traffic is coming from.
Use the From field to specify the zone from which the traffic is coming. Select ZyWALL
to specify traffic coming from the Zyxel Device itself.
From LAN means packets traveling from a computer on one LAN subnet to a
computer on another subnet via the Zyxel Device’s LAN1 zone interfaces. The Zyxel
Device does not check packets traveling from a LAN computer to another LAN
computer on the same subnet.
From WAN means packets that come in from the WAN zone and the Zyxel Device
routes back out through the WAN zone.
Note: Depending on your network topology and traffic load, applying
every packet direction to an anomaly profile may affect the Zyxel
Device’s performance.
action settings. This field shows which anomaly profile is bound to which traffic
direction. Select an ADP profile to apply to the entry’s traffic direction. Configure the
ADP profiles in the ADP profile screens.
25.5.2 Creating New ADP Profiles
Create new ADP profiles in the Configuration > Security Policy > ADP > Profile screens.
When creating ADP profiles. you may find that certain policies are triggering too many false positives or
false negatives. A false positive is when valid traffic is flagged as an attack. A false negative is when
invalid traffic is wrongly allowed to pass through the Zyxel Device. As each network is different, false
positives and false negatives are common on initial ADP deployment.
To counter this, you could create a ‘monitor profile’ that creates logs, but all actions are disabled.
Observe the logs over time and try to eliminate the causes of the false alarms. When you’re satisfied that
they have been reduced to an acceptable level, you could then create an ‘in-line profile’ whereby you
configure appropriate actions to be taken when a packet matches a policy.
ADP profiles consist of traffic anomaly profiles and protocol anomaly profiles. To create a new profile,
select a base profile and then click OK to go to the profile details screen. Type a new profile name,
enable or disable individual policies and then edit the default log options and actions.
Click Configuration > Security Policy > ADP > Profile to view the following screen.
ZyWALL ATP Series User’s Guide
503
Chapter 25 Security Policy
Figure 349 Configuration > Security Policy > ADP > Profile
The following table describes the labels in this screen.
Table 196 Configuration > Security Policy > ADP > Profile
LABEL DESCRIPTION
Profile Management Create ADP profiles here and then apply them in the Configuration > Security Policy
> ADP > Profile screen.
Add Click Add and first choose a none or all Base Profile.
• none base profile sets all ADP entries to have Log set to no and Action set to
none by default.
• all base profile sets all ADP entries to have Log set to log and Action set to block
by default.
Edit Select an entry and click this to be able to modify it.
Remove Select an entry and click this to delete it.
References Select an entry and click References to open a screen that shows which settings use
the entry. Click Refresh to update information on this screen.
Clone Use Clone to create a new entry by modifying an existing one.
• Select an existing entry.
•Click Clone.
• A configuration copy of the selected entry pops up. You must at least change
the name as duplicate entry names are not allowed.
#
Name This is the name of the profile you created.
Description This is the description of the profile you created.
Base Profile This is the name of the base profile used to create this profile.
Reference This is the number of object references used to create this profile.
This is the entry’s index number in the list.
25.5.3 Traffic Anomaly Profiles
Traffic anomaly detection looks for abnormal behavior such as scan or flooding attempts. In the
Configuration > Security Policy > ADP > Profile screen, click the Edit or Add icon and choose a base
profile. Traffic Anomaly is the first tab in the profile.
ZyWALL ATP Series User’s Guide
504
Chapter 25 Security Policy
Figure 350 Configuration > Security Policy > ADP > Profile > Add-Traffic-Anomaly
The following table describes the labels in this screen.
Table 197 Configuration > Security Policy > ADP > Profile > Add-Traffic-Anomaly
LABELS DESCRIPTION
Name A name is automatically generated that you can edit. The name must be the same
in the Traffic Anomaly and Protocol Anomaly screens for the same ADP profile. You
may use 1-31 alphanumeric characters, underscores(
character cannot be a number. This value is case-sensitive. These are valid, unique
profile names:
•MyProfile
• mYProfile
• Mymy12_3-4
These are invalid profile names:
•1mYProfile
•My Profile
• MyProfile?
• Whatalongprofilename123456789012
Description In addition to the name, type additional information to help you identify this ADP
profile.
ZyWALL ATP Series User’s Guide
_), or dashes (-), but the first
505
Chapter 25 Security Policy
Table 197 Configuration > Security Policy > ADP > Profile > Add-Traffic-Anomaly (continued)
LABELS DESCRIPTION
Scan/Flood Detection Scan detection, such as port scanning, tries to find attacks where an attacker scans
device(s) to determine what types of network protocols or services a device
supports.
Flood detection tries to find attacks that saturate a network with useless data, use up
all available bandwidth, and so aim to make communications in the network
impossible.
Sensitivity (Scan detection only.) Select a sensitivity level so as to reduce false positives in your
network. If you choose low sensitivity, then scan thresholds and sample times are set
low, so you will have fewer logs and false positives; however some traffic anomaly
attacks may not be detected.
If you choose high sensitivity, then scan thresholds and sample times are set high, so
most traffic anomaly attacks will be detected; however you will have more logs and
false positives.
Block Period Specify for how many seconds the Zyxel Device blocks all packets from being sent
Edit (Flood Detection
only)
Activate To turn on an entry, select it and click Activate.
Inactivate To turn off an entry, select it and click Inactivate.
Log To edit an item’s log option, select it and use the Log icon. Select whether to have
Action To edit what action the Zyxel Device takes when a packet matches a policy, select
to the victim (destination) of a detected anomaly attack. Flood Detection applies
blocking to the destination IP address and Scan Detection applies blocking to the
source IP address.
Select an entry and click this to be able to modify it.
the Zyxel Device generate a log (log), log and alert (log alert) or neither (no) when
traffic matches this anomaly policy.
the policy and use the Action icon.
none: The Zyxel Device takes no action when a packet matches the policy.
block: The Zyxel Device silently drops packets that matches the policy. Neither
sender nor receiver are notified.
#
Status The activate (light bulb) icon is lit when the entry is active and dimmed when the
Name This is the name of the anomaly policy. Click the Name column heading to sort in
Log These are the log options. To edit this, select an item and use the Log icon.
Action This is the action the Zyxel Device should take when a packet matches a policy. To
Threshold (pkt/sec) (Flood detection only.) Select a suitable threshold level (the number of packets per
OK Click OK to save your settings to the Zyxel Device, complete the profile and return to
Cancel Click Cancel to return to the profile summary page without saving any changes.
Save Click Save to save the configuration to the Zyxel Device but remain in the same
This is the entry’s index number in the list.
entry is inactive.
ascending or descending order according to the protocol anomaly policy name.
edit this, select an item and use the Action icon.
second that match the flood detection criteria) for your network. If you choose a
low threshold, most traffic anomaly attacks will be detected, but you may have
more logs and false positives.
If you choose a high threshold, some traffic anomaly attacks may not be detected,
but you will have fewer logs and false positives.
the profile summary page.
page. You may then go to the another profile screen (tab) in order to complete the
profile. Click OK in the final profile screen to complete the profile.
ZyWALL ATP Series User’s Guide
506
Chapter 25 Security Policy
25.5.4 Protocol Anomaly Profiles
Protocol anomalies are packets that do not comply with the relevant RFC (Request For Comments).
Protocol anomaly detection includes:
•TCP Decoder
• UDP Decoder
•ICMP Decoder
• IP Decoder
Teardrop
When an IP packet is larger than the Maximum Transmission Unit (MTU) configured in the Zyxel Device, it
is fragmented using the TCP or ICMP protocol.
A Teardrop attack falsifies the offset which defines the size of the fragment and the original packet. A
series of IP fragments with overlapping offset fields can cause some systems to crash, hang, or reboot
when fragment reassembling is attempted at the destination.
IP Spoofing
IP Spoofing is used to gain unauthorized access to network devices by modifying packet headers so
that it appears that the packets originate from a host within a trusted network.
• In an IP Spoof from the WAN, the source address appears to be in the same subnet as a Zyxel Device
LAN interface.
• In an IP Spoof from a LAN interface, the source address appears to be in a different subnet from that
Zyxel Device LAN interface.
ZyWALL ATP Series User’s Guide
507
Chapter 25 Security Policy
Figure 351 Configuration > Security Policy > ADP > Profile > Add-Protocol-Anomaly
ZyWALL ATP Series User’s Guide
508
Chapter 25 Security Policy
The following table describes the labels in this screen.
Table 198 Configuration > Security Policy > ADP > Profile > Add-Protocol-Anomaly
LABEL DESCRIPTION
Name A name is automatically generated that you can edit. The name must be the same
in the Traffic Anomaly and Protocol Anomaly screens for the same ADP profile. You
may use 1-31 alphanumeric characters, underscores(
character cannot be a number. This value is case-sensitive. These are valid, unique
profile names:
•MyProfile
• mYProfile
• Mymy12_3-4
• These are invalid profile names:
•1mYProfile
•My Profile
• MyProfile?
• Whatalongprofilename123456789012
Description In addition to the name, type additional information to help you identify this ADP
TCP Decoder/UDP
Decoder/ICMP Decoder/IP
Decoder
Activate To turn on an entry, select it and click Activate.
Inactivate To turn off an entry, select it and click Inactivate.
Log To edit an item’s log option, select it and use the Log icon. Select whether to have
Action To edit what action the Zyxel Device takes when a packet matches a policy, select
profile.
Perform the following actions for each type of encoder.
the Zyxel Device generate a log (log), log and alert (log alert) or neither (no) when
traffic matches this anomaly policy.
the policy and use the Action icon.
original setting: Select this action to return each rule in a service group to its
previously saved configuration.
none: Select this action to have the Zyxel Device take no action when a packet
matches a policy.
drop: Select this action to have the Zyxel Device silently drop a packet that matches
a policy. Neither sender nor receiver are notified.
reject-sender: Select this action to have the Zyxel Device send a reset to the sender
when a packet matches the policy. If it is a TCP attack packet, the Zyxel Device will
send a packet with a ‘RST’ flag. If it is an ICMP or UDP attack packet, the Zyxel
Device will send an ICMP unreachable packet.
_), or dashes (-), but the first
reject-receiver: Select this action to have the Zyxel Device send a reset to the
receiver when a packet matches the policy. If it is a TCP attack packet, the Zyxel
Device will send a packet with an a ‘RST’ flag. If it is an ICMP or UDP attack packet,
the Zyxel Device will do nothing.
reject-both: Select this action to have the Zyxel Device send a reset to both the
sender and receiver when a packet matches the policy. If it is a TCP attack packet,
the Zyxel Device will send a packet with a ‘RST’ flag to the receiver and sender. If it is
an ICMP or UDP attack packet, the Zyxel Device will send an ICMP unreachable
packet.
# This is the entry’s index number in the list.
Status The activate (light bulb) icon is lit when the entry is active and dimmed when the
Name This is the name of the anomaly policy. Click the Name column heading to sort in
entry is inactive.
ascending or descending order according to the protocol anomaly policy name.
ZyWALL ATP Series User’s Guide
509
Chapter 25 Security Policy
Table 198 Configuration > Security Policy > ADP > Profile > Add-Protocol-Anomaly
LABEL DESCRIPTION
Log These are the log options. To edit this, select an item and use the Log icon.
Action This is the action the Zyxel Device should take when a packet matches a policy. To
edit this, select an item and use the Action icon.
OK Click OK to save your settings to the Zyxel Device, complete the profile and return to
Cancel Click Cancel to return to the profile summary page without saving any changes.
Save Click Save to save the configuration to the Zyxel Device but remain in the same
the profile summary page.
page. You may then go to the another profile screen (tab) in order to complete the
profile. Click OK in the final profile screen to complete the profile.
25.6 The Session Control Screen
Click Configuration > Security Policy > Session Control to display the Security Policy Session Control
screen. Use this screen to limit the number of concurrent NAT/Security Policy sessions a client can use.
You can apply a default limit for all users and individual limits for specific users, addresses, or both. The
individual limit takes priority if you apply both.
Figure 352 Configuration > Security Policy > Session Control
ZyWALL ATP Series User’s Guide
510
Loading...