ZyWALL IDP 10
Intrusion Detection Prevention Appliance
User’s Guide
Version 1
July 2004
ZyWALL IDP10 User’s Guide
Copyright
Copyright © 2004 by ZyXEL Communications Corporation.
The contents of this publication may not be reproduced in any part or as a whole, transcribed, stored in a retrieval system, translated into any language, or transmitted in any form or by any means, electronic, mechanical, magnetic, optical, chemical, photocopying, manual, or otherwise, without the prior written permission of ZyXEL Communications Corporation.
Published by ZyXEL Communications Corporation. All rights reserved.
Disclaimer
ZyXEL does not assume any liability arising out of the application or use of any products, or software described herein. Neither does it convey any license under its patent rights nor the patent rights of others. ZyXEL further reserves the right to make changes in any products described herein without notice.
This publication is subject to change without notice.
Trademarks
Trademarks mentioned in this publication are used for identification purposes only and may be properties of their respective owners.
Federal Communications Commission (FCC) Interference Statement
This device complies with Part 15 of FCC rules. Operation is subject to the following two conditions:
1. This device may not cause harmful interference.
2. This device must accept any interference received, including interference that may cause undesired operations.
This equipment has been tested and found to comply with the limits for a CLASS B digital device pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy, and if not installed and used in accordance with the instructions, may cause harmful interference to radio communications.
If this equipment does cause harmful interference to radio/television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:
Reorient or relocate the receiving antenna.
Increase the separation between the equipment and the receiver.
Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.
Consult the dealer or an experienced radio/TV technician for help.
Notice 1
Changes or modifications not expressly approved by the party responsible for compliance could void the user's authority to operate the equipment.
Certifications
1. Go to www.zyxel.com.
2. Select your product from the drop-down list box on the ZyXEL home page to go to that product's page.
3. Select the certification you wish to view from this page.
Information for Canadian Users
The Industry Canada label identifies certified equipment. This certification means that the equipment meets certain telecommunications network protective, operational, and safety requirements. Industry Canada does not guarantee that the equipment will operate to a user's satisfaction.
Before installing this equipment, users should ensure that it is permissible to be connected to the facilities of the local telecommunications company. The equipment must also be installed using an acceptable method of connection. In some cases, the company's inside wiring associated with a single line individual service may be extended by means of a certified connector assembly. The customer should be aware that the compliance with the above conditions may not prevent degradation of service in some situations.
Repairs to certified equipment should be made by an authorized Canadian maintenance facility designated by the supplier. Any repairs or alterations made by the user to this equipment, or equipment malfunctions, may give the telecommunications company cause to request the user to disconnect the equipment.
For their own protection, users should ensure that the electrical ground connections of the power utility, telephone lines, and internal metallic water pipe system, if present, are connected together. This precaution may be particularly important in rural areas.
Caution
Users should not attempt to make such connections themselves, but should contact the appropriate electrical inspection authority, or electrician, as appropriate.
Note
This digital apparatus does not exceed the class A limits for radio noise emissions from digital apparatus set out in the radio interference regulations of Industry Canada.
ZyXEL Limited Warranty
ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials or workmanship for a period of up to two years from the date of purchase. During the warranty period, and upon proof of purchase, should the product have indications of failure due to faulty workmanship and/or materials, ZyXEL will, at its discretion, repair or replace the defective products or components without charge for either parts or labor, and to whatever extent it shall deem necessary to restore the product or components to proper operating condition. Any replacement will consist of a new or re-manufactured functionally equivalent product of equal value, and will be solely at the discretion of ZyXEL. This warranty shall not apply if the product is modified, misused, tampered with, damaged by an act of God, or subjected to abnormal working conditions.
NOTE
Repair or replacement, as provided under this warranty, is the exclusive remedy of the purchaser. This warranty is in lieu of all other warranties, express or implied, including any implied warranty of merchantability or fitness for a particular use or purpose. ZyXEL shall in no event be held liable for indirect or consequential damages of any kind or character to the purchaser.
To obtain the services of this warranty, contact ZyXEL's Service Center for your Return Material Authorization number (RMA). Products must be returned Postage Prepaid. It is recommended that the unit be insured when shipped. Any returned products without proof of purchase or those with an outdated warranty will be repaired or replaced (at the discretion of ZyXEL) and the customer will be billed for parts and labor. All repaired or replaced products will be shipped by ZyXEL to the corresponding return address, Postage Paid. This warranty gives you specific legal rights, and you may also have other rights that vary from country to country.
Online Registration
Register your product online to receive e-mail notices of firmware upgrades and information at www.zyxel.com for global products, or at www.us.zyxel.com for North American products.
Customer Support
Please have the following information ready when you contact customer support:
• Product model and serial number.
• Warranty information.
• Date that you received your device.
• Brief description of the problem and the steps you took to solve it.
Contact details by location (telephone and fax numbers are given in international format, see note 1):

WORLDWIDE
  Support e-mail: support@zyxel.com.tw
  Sales e-mail:   sales@zyxel.com.tw
  Telephone (1):  +886-3-578-3942
  Fax (1):        +886-3-578-2439
  Web site:       www.zyxel.com, www.europe.zyxel.com
  FTP site:       ftp.zyxel.com, ftp.europe.zyxel.com
  Regular mail:   ZyXEL Communications Corp., 6 Innovation Road II, Science Park, Hsinchu 300, Taiwan

NORTH AMERICA
  Support e-mail: support@zyxel.com
  Sales e-mail:   sales@zyxel.com
  Telephone (1):  +1-800-255-4101, +1-714-632-0882
  Fax (1):        +1-714-632-0858
  Web site:       www.us.zyxel.com
  FTP site:       ftp.us.zyxel.com
  Regular mail:   ZyXEL Communications Inc., 1130 N. Miller St., Anaheim, CA 92806-2001, U.S.A.

GERMANY
  Support e-mail: support@zyxel.de
  Sales e-mail:   sales@zyxel.de
  Telephone (1):  +49-2405-6909-0
  Fax (1):        +49-2405-6909-99
  Web site:       www.zyxel.de
  Regular mail:   ZyXEL Deutschland GmbH., Adenauerstr. 20/A2, D-52146 Wuerselen, Germany

FRANCE
  Support e-mail: info@zyxel.fr
  Telephone (1):  +33 (0)4 72 52 97 97
  Fax (1):        +33 (0)4 72 52 19 20
  Web site:       www.zyxel.fr
  Regular mail:   ZyXEL France, 1 rue des Vergers, Bat. 1 / C, 69760 Limonest, France

SPAIN
  Support e-mail: support@zyxel.es
  Sales e-mail:   sales@zyxel.es
  Telephone (1):  +34 902 195 420
  Fax (1):        +34 913 005 345
  Web site:       www.zyxel.es
  Regular mail:   ZyXEL Communications, Alejandro Villegas 33, 1º, 28043 Madrid, Spain

DENMARK
  Support e-mail: support@zyxel.dk
  Sales e-mail:   sales@zyxel.dk
  Telephone (1):  +45 39 55 07 00
  Fax (1):        +45 39 55 07 07
  Web site:       www.zyxel.dk
  Regular mail:   ZyXEL Communications A/S, Columbusvej 5, 2860 Soeborg, Denmark

NORWAY
  Support e-mail: support@zyxel.no
  Sales e-mail:   sales@zyxel.no
  Telephone (1):  +47 22 80 61 80
  Fax (1):        +47 22 80 61 81
  Web site:       www.zyxel.no
  Regular mail:   ZyXEL Communications A/S, Nils Hansens vei 13, 0667 Oslo, Norway

SWEDEN
  Support e-mail: support@zyxel.se
  Sales e-mail:   sales@zyxel.se
  Telephone (1):  +46 31 744 7700
  Fax (1):        +46 31 744 7701
  Web site:       www.zyxel.se
  Regular mail:   ZyXEL Communications A/S, Sjöporten 4, 41764 Göteborg, Sweden

FINLAND
  Support e-mail: support@zyxel.fi
  Sales e-mail:   sales@zyxel.fi
  Telephone (1):  +358-9-4780-8411
  Fax (1):        +358-9-4780 8448
  Web site:       www.zyxel.fi
  Regular mail:   ZyXEL Communications Oy, Malminkaari 10, 00700 Helsinki, Finland

(1) "+" is the prefix number you enter to make an international telephone call.
Table of Contents
Copyright ... ii
Federal Communications Commission (FCC) Interference Statement ... iii
Information for Canadian Users ... iv
ZyXEL Limited Warranty ... v
Customer Support ... vi
Preface ... xii
Getting Started ... I
Chapter 1 Introducing the ZyWALL IDP 10 ... 1-1
  1.1 Introduction ... 1-1
  1.2 Features ... 1-2
  1.3 Application Examples ... 1-3
Chapter 2 Introducing the Web Configurator ... 2-1
  2.1 Web Configurator Overview ... 2-1
  2.2 Accessing the ZyWALL Web Configurator ... 2-1
  2.3 Navigating the ZyWALL Web Configurator ... 2-3
  2.4 Example Configuration Settings ... 2-6
General, Interface, and Remote Management ... II
Chapter 3 General Settings ... 3-1
  3.1 Device ... 3-1
  3.2 Introduction to VLANs ... 3-2
  3.3 Configuring VLAN on the ZyWALL ... 3-3
Chapter 4 Interface Screens ... 4-1
  4.1 10/100M Auto-Sensing Ethernet Ports ... 4-1
  4.2 Configuring Link ... 4-1
  4.3 Stealth ... 4-2
  4.4 Policy Check ... 4-3
Chapter 5 Remote Management ... 5-1
  5.1 Remote Management Overview ... 5-1
  5.2 Configuring WWW ... 5-1
  5.3 SNMP ... 5-2
  5.4 SSH Overview ... 5-4
  5.5 SSH (Secure Shell) Configuration ... 5-5
IDP ... III
Chapter 6 IDP Policies ... 6-1
  6.1 IDP Overview ... 6-1
  6.2 mySecurity Zone ... 6-1
  6.3 Signature Categories ... 6-2
  6.4 Configuring Pre-defined Policies ... 6-13
  6.5 Update ... 6-19
  6.6 User-defined Policies ... 6-20
  6.7 Registering your ZyWALL ... 6-28
Log and Report ... IV
Chapter 7 Log and Report ... 7-1
  7.1 Logs ... 7-1
  7.2 Report ... 7-2
  7.3 Alarm Schedule ... 7-4
Maintenance & CLI ... V
Chapter 8 Maintenance ... 8-1
  8.1 Maintenance Overview ... 8-1
  8.2 Password ... 8-1
  8.3 Time and Date ... 8-2
  8.4 Firmware Upload ... 8-6
  8.5 Configuration ... 8-10
  8.6 Restart ... 8-12
Chapter 9 Command Line Interface Overview ... 9-1
  9.1 Command Syntax Conventions ... 9-1
  9.2 Login ... 9-2
  9.3 Commands ... 9-2
Appendices & Index ... VI
Appendix A Introduction to Intrusions ... A-1
  A.1 Introduction to Ports ... A-1
  A.2 Introduction to Denial of Service ... A-1
  A.3 DoS Examples ... A-1
  A.4 Scanning ... A-3
  A.5 Malicious Programs ... A-4
  A.6 Example Intrusions ... A-4
Appendix B Intrusion Protection ... B-1
  B.1 Firewalls and Intrusions ... B-1
  B.2 Intrusion Detection and Prevention (IDP) ... B-1
  B.3 Detection Methods ... B-2
Appendix C Index ... C-1
List of Figures
Figure 1-1 ZyWALL ... 1-1
Figure 1-2 Installation Example 1 ... 1-3
Figure 1-3 Installation Example 2 ... 1-4
Figure 1-4 Installation Example 3 ... 1-5
Figure 1-5 Installation Example 4 ... 1-6
Figure 2-1 Default Web Configurator IP Address ... 2-1
Figure 2-2 Login Screen ... 2-2
Figure 2-3 Change Password Screen ... 2-2
Figure 2-4 Web Configurator HOME Screen ... 2-3
Figure 3-1 General: Device ... 3-1
Figure 3-2 General: VLAN ... 3-3
Figure 3-3 General: State ... 3-4
Figure 4-1 Interface: Link ... 4-1
Figure 4-2 Interface: Stealth ... 4-2
Figure 4-3 ZyWALL Policy Check ... 4-3
Figure 4-4 Interface: Policy Check ... 4-4
Figure 5-1 Remote Management: WWW ... 5-1
Figure 5-2 SNMP Management Model ... 5-2
Figure 5-3 Remote Management: SNMP ... 5-4
Figure 5-4 SSH Communication Example ... 5-5
Figure 5-5 How SSH Works ... 5-5
Figure 5-6 Remote Management: SSH ... 5-6
Figure 5-7 PuTTY settings ... 5-7
Figure 5-8 PuTTY Security Alert ... 5-7
Figure 5-9 ZyWALL Command Interface Login Screen ... 5-8
Figure 6-1 P2P Signatures ... 6-2
Figure 6-2 IM (Chat) Signatures ... 6-3
Figure 6-3 Spam Signatures ... 6-4
Figure 6-4 DoS/DDoS Signatures ... 6-4
Figure 6-5 Scan Signatures ... 6-5
Figure 6-6 Buffer Overflow Signatures ... 6-6
Figure 6-7 Worm/Virus Signatures ... 6-7
Figure 6-8 Backdoor/Trojan Signatures ... 6-8
Figure 6-9 Access Control Signatures ... 6-9
Figure 6-10 Web Attack Signatures ... 6-10
Figure 6-11 Porn Signatures ... 6-11
Figure 6-12 Others Signatures ... 6-12
Figure 6-13 Pre-defined IDP Policies Summary ... 6-14
Figure 6-14 Search Example ... 6-17
Figure 6-15 Query Example ... 6-17
Figure 6-16 Pre-defined Policies: Modify ... 6-18
Figure 6-17 Update Policies ... 6-19
Figure 6-18 User-defined Policies ... 6-21
Figure 6-19 Configuring a User-defined IDP Policy ... 6-24
Figure 6-20 Registering ZyWALL ... 6-29
Figure 7-1 View Log ... 7-1
Figure 7-2 Report: E-Mail ... 7-3
Figure 7-3 Report: syslog ... 7-4
Figure 7-4 Alarm ... 7-5
Figure 8-1 Maintenance: Password ... 8-1
Figure 8-2 Debug Mode Reset Example ... 8-2
Figure 8-3 Maintenance: Time Setting ... 8-4
Figure 8-4 Synchronization in Process ... 8-6
Figure 8-5 Synchronization is Successful ... 8-6
Figure 8-6 Synchronization Fail ... 8-6
Figure 8-7 Maintenance: F/W Upload ... 8-7
Figure 8-8 Firmware Upload in Progress ... 8-9
Figure 8-9 Network Temporarily Disconnected ... 8-9
Figure 8-10 Firmware Upload Error ... 8-10
Figure 8-11 Maintenance: Configuration ... 8-11
Figure 8-12 Maintenance: Restart ... 8-12
Figure A-1 Three-Way Handshake ... A-2
Figure A-2 SYN Flood ... A-2
Figure A-3 Smurf Attack ... A-3
List of Tables
Table 2-1 Web Configurator HOME Screen ... 2-4
Table 2-2 Screens Summary ... 2-5
Table 2-3 Example Configuration Settings ... 2-6
Table 3-1 General: Device ... 3-2
Table 3-2 General: VLAN ... 3-3
Table 3-3 General: State ... 3-4
Table 4-1 Interface: Link ... 4-2
Table 4-2 Interface: Stealth ... 4-3
Table 4-3 Interface: Policy Check ... 4-4
Table 5-1 Remote Management: WWW ... 5-2
Table 5-2 SNMP Traps ... 5-3
Table 5-3 Remote Management: SNMP ... 5-4
Table 5-4 Remote Management: SSH ... 5-6
Table 6-1 Policy Severity ... 6-12
Table 6-2 Policy Actions ... 6-13
Table 6-3 Selecting Pre-defined Policies ... 6-15
Table 6-4 Pre-defined IDP Policies ... 6-18
Table 6-5 Update Policies ... 6-20
Table 6-6 User-defined Policies ... 6-21
Table 6-7 Configuring a User-defined IDP Policy ... 6-25
Table 6-8 Registering ZyWALL ... 6-29
Table 7-1 View Log ... 7-2
Table 7-2 Report: E-Mail ... 7-3
Table 7-3 Report: syslog ... 7-4
Table 7-4 Alarm ... 7-5
Table 8-1 Maintenance: Password
8-1 |
Table 8-2 Default Time Servers ........................................................................................................................... |
8-3 |
Table 8-3 Time and Date...................................................................................................................................... |
8-4 |
Table 8-4 Maintenance: F/W Upload................................................................................................................... |
8-7 |
Table 8-5 Restore Configuration........................................................................................................................ |
8-11 |
Table 9-1 Commands Summary........................................................................................................................... |
9-2 |
Table A-1 Common IP Ports ............................................................................................................................... |
A-1 |
Table A-2 Common Malicious Programs............................................................................................................ |
A-4 |
Preface
About This User's Manual
Congratulations on your purchase of the ZyWALL IDP 10 Intrusion Detection Prevention Appliance. This manual is designed to guide you through the configuration of your ZyWALL for its various applications.
Related Documentation
Support Disk
Refer to the included CD for support documents.
Quick Start Guide
The Quick Start Guide is designed to help you get up and running right away. It contains hardware (connection) information, basic troubleshooting and shows you how to configure the device using the wizard.
Web Configurator Online Help
The embedded web help provides descriptions of individual screens and supplementary information.
Packing List Card
The Packing List Card lists all items that should have come in the package.
Certifications
Refer to the product page at www.zyxel.com for information on product certifications.
ZyXEL Glossary and Web Site
Please refer to www.zyxel.com for an online glossary of networking terms and additional support documentation.
Syntax Conventions
•This manual refers to the ZyWALL IDP 10 Intrusion Detection Prevention Appliance simply as the ZyWALL.
•The version number on the title page is the latest firmware version documented in this User's Guide. Earlier versions may also be included.
•"Enter" means type one or more characters and press the carriage return. "Select" or "Choose" means pick one of the predefined choices.
•The choices of a menu item are in Bold Arial font.
•Mouse action sequences are denoted using a comma. For example, "click the Apple icon, Control Panels and then Modem" means first click the Apple icon, then point your mouse pointer to Control Panels and then click Modem.
•For brevity's sake, "e.g." is used as shorthand for "for instance" and "i.e." for "that is" or "in other words" throughout this manual.
User’s Guide Feedback
Help us help you. E-mail all User’s Guide-related comments, questions or suggestions for improvement to techwriters@zyxel.com.tw or send regular mail to The Technical Writing Team, ZyXEL Communications Corp., 6 Innovation Road II, Science-Based Industrial Park, Hsinchu, 300, Taiwan. Thank you.
Graphics Icon Key
The figures in this guide use the following icons: ZyWALL IDP, Modem, Notebook Computer, Computer, Server, Firewall, Router, Switch, Intrusion source, Blocked intrusion, Security hole.
Part I: Getting Started
This part introduces intrusions, ZyWALL features, applications and the web configurator.
Chapter 1
Introducing the ZyWALL IDP 10
This chapter introduces the main features and applications of the ZyWALL.
1.1 Introduction
An IDP system detects malicious or suspicious packets and responds immediately. It detects anomalies based on violations of protocol standards (RFCs, Requests for Comments), abnormal traffic flows such as port scans, and known attack patterns. The rules that define how to identify and respond to intrusions are called "signatures".
See the appendices for more detailed information on intrusions, intrusion examples and detection types.
The ZyWALL is an Intrusion Detection and Prevention (IDP) appliance designed to protect against network-based intrusions. It functions as a transparent, plug-and-play bridge that protects networks from intrusions while allowing normal Internet access.
The ZyWALL comes with a built-in signature set that can be updated regularly. Regular updates are vital: a signature set only detects the intrusions it already knows about, and new ones appear continually.
If you understand packet header formats and the OSI (Open Systems Interconnection) model, you can also create your own rules.
You can configure the ZyWALL using the embedded web configurator or the command-line interface, which you access via the console port.
Figure 1-1 ZyWALL
1.2 Features
LAN, WAN and Management Ports
The MGMT port is dedicated to management. You can also manage the ZyWALL via the LAN or WAN port, but then the management interface is reachable from the same network segment whose traffic the ZyWALL inspects, so an attacker on that segment (or on the Internet, in the case of the WAN port) can attempt to compromise the ZyWALL itself. Use the MGMT port and restrict remote management to it (see the Remote Management screens).
Intrusion Detection & Prevention (IDP)
Real-time detection and prevention with Inline, Monitor and Bypass operating modes.
Automatic signature updates.
Protects against:
o DoS and DDoS attacks
o Buffer overflows
o Network and port scans
o Trojan Horse attacks
o Back Door attacks
o Worms
Detection Methods:
o Heuristic Analysis based on exceeding statistical thresholds, such as an abnormal number of port scan probes.
o Pattern Matching, where a signature database identifies malicious code strings in packets.
o Protocol Anomaly Detection based on RFC protocol violations.
o Traffic flow anomalies, where certain applications (peer-to-peer applications, for example) are defined as "abnormal" and therefore as an "intrusion".
o Stateful pattern matching based on reassembling TCP streams, so that a string split across several packets is still available in full to the detection engine.
User-defined rules allow:
o Multiple attack pattern detection
o Multiple string match
o IP/TCP/UDP/ICMP and IGMP packet filters that block suspect attack sources.
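The following Python program is added here as an illustration and is not part of ZyXEL's firmware. It implements two of the detection methods listed above on constructed traffic: stateful pattern matching over a reassembled TCP stream (contrasted with per-packet matching, which misses a signature split across two segments) and a threshold heuristic that flags a port scan. The signature string, hosts, thresholds and segments are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Hypothetical signature for the example: the byte string a signature
# database would look for. Any pattern would do.
SIGNATURES = {"cmd-shell-probe": b"GET /cgi-bin/../../../../bin/sh"}


@dataclass
class Segment:
    """One TCP segment as the engine sees it (constructed, not captured)."""
    src: str
    dst: str
    sport: int
    dport: int
    seq: int          # sequence number of the first payload byte
    payload: bytes
    ts: float = 0.0   # arrival time in seconds, used by the scan heuristic


@dataclass
class Stream:
    next_seq: Optional[int] = None
    data: bytearray = field(default_factory=bytearray)
    pending: Dict[int, bytes] = field(default_factory=dict)  # out-of-order segments
    reported: Set[str] = field(default_factory=set)


def stateless_match(seg: Segment) -> List[str]:
    """Per-packet matching: sees only one segment's payload at a time."""
    return [n for n, pat in SIGNATURES.items() if pat in seg.payload]


class StatefulMatcher:
    """Reassembles each flow's TCP stream in sequence order and matches
    signatures against the reassembled bytes, so a pattern split across
    segments (or delivered out of order) is still found. Only a tail of
    len(longest signature) - 1 bytes is kept per flow: enough for a match
    that straddles the next segment boundary, without unbounded buffering."""

    def __init__(self, signatures: Dict[str, bytes]):
        self.sigs = signatures
        self.keep = max(len(p) for p in signatures.values()) - 1
        self.streams: Dict[tuple, Stream] = defaultdict(Stream)

    def feed(self, seg: Segment) -> List[str]:
        st = self.streams[(seg.src, seg.sport, seg.dst, seg.dport)]
        if st.next_seq is None:
            # Simplification: a real engine learns the ISN from the handshake.
            st.next_seq = seg.seq
        st.pending[seg.seq] = seg.payload
        # Drain every contiguous segment; a hole leaves later data pending.
        while st.next_seq in st.pending:
            chunk = st.pending.pop(st.next_seq)
            st.data += chunk
            st.next_seq += len(chunk)
        hits = [n for n, pat in self.sigs.items()
                if pat in st.data and n not in st.reported]
        st.reported.update(hits)
        if len(st.data) > self.keep:
            del st.data[:len(st.data) - self.keep]
        return hits


class ScanDetector:
    """Threshold heuristic: alert when one source has contacted more than
    `threshold` distinct destination ports within `window` seconds."""

    def __init__(self, threshold: int = 10, window: float = 5.0):
        self.threshold, self.window = threshold, window
        self.history: Dict[str, List[tuple]] = defaultdict(list)

    def feed(self, seg: Segment) -> bool:
        hist = [(t, p) for t, p in self.history[seg.src] if seg.ts - t <= self.window]
        hist.append((seg.ts, seg.dport))
        self.history[seg.src] = hist
        return len({p for _, p in hist}) > self.threshold


def run_demo() -> dict:
    sig = SIGNATURES["cmd-shell-probe"]
    half = len(sig) // 2
    a, b, tail = sig[:half], sig[half:], b" HTTP/1.0\r\n\r\n"
    # Constructed flow: the probe split in two, with the trailer arriving
    # before the second half (out of order).
    flow = [
        Segment("10.10.1.50", "10.10.1.20", 40000, 80, 1000, a),
        Segment("10.10.1.50", "10.10.1.20", 40000, 80, 1000 + len(a) + len(b), tail),
        Segment("10.10.1.50", "10.10.1.20", 40000, 80, 1000 + len(a), b),
    ]
    stateless = [n for s in flow for n in stateless_match(s)]
    matcher = StatefulMatcher(SIGNATURES)
    stateful = [n for s in flow for n in matcher.feed(s)]
    # Constructed scan: one source probing 15 ports within 1.5 seconds.
    det = ScanDetector(threshold=10, window=5.0)
    probes = [Segment("10.10.1.66", "10.10.1.20", 50000, port, 0, b"", 0.1 * i)
              for i, port in enumerate(range(20, 35))]
    scan_alerts = sum(det.feed(p) for p in probes)
    return {"stateless": stateless, "stateful": stateful, "scan_alerts": scan_alerts}


if __name__ == "__main__":
    print(run_demo())
```

Running it shows the per-packet matcher reporting nothing for the split probe while the reassembling matcher reports it once the missing middle segment arrives, and the scan heuristic raising an alert on every probe after the eleventh distinct port.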
Firmware Upgrade
Automatically scheduled download and upgrade.
Logs & Reports
Automatically scheduled reports sent by e-mail.
Alarms are urgent notifications of attacks.
System Management
Console (RS-232)
Web-based GUI (HTTP)
Command line interface (console or SSH)
SNMP v2c (SNMP v2c community strings travel in clear text, so restrict SNMP access to the MGMT port and to trusted hosts; see the Remote Management: SNMP screen)
1.3 Application Examples
You can install a ZyWALL in any of three positions:
•between the firewall (or switch) and the Internet (see Figure 1-2), to protect your local networks and the firewall (or switch) from intrusions from the Internet;
•behind the firewall (or switch), to protect the DMZ servers from intrusions from the local network (from an infected LAN computer, for example);
•or, ideally, one in front of the firewall and two others behind it.
In installation example 1 (Figure 1-2) the ZyWALL (A) protects the firewall/router (B), DMZ servers and LAN computers from network intrusions from the Internet. However, it does not protect the DMZ servers from intrusions from the LAN (and vice versa), and the ZyWALL itself is vulnerable, as it does not receive firewall protection.
Figure 1-2 Installation Example 1
In installation example 2 (see Figure 1-3) the ZyWALL (A) protects the LAN from intrusions from the Internet and the DMZ servers from intrusions from the LAN (and vice versa). The ZyWALL itself receives firewall protection too. However, it does not protect the firewall (B) nor the DMZ servers from intrusions from the Internet.
Figure 1-3 Installation Example 2
In installation example 3 (see Figure 1-4) the ZyWALL (A) protects the DMZ servers from intrusions from the Internet and also from intrusions from the LAN (and vice versa). The ZyWALL itself receives firewall protection too. However, it does not protect the LAN computers nor the firewall (B) from intrusions from the Internet.
Figure 1-4 Installation Example 3
In installation example 4 (see Figure 1-5) ZyWALLs (A1 and A3) protect the LAN and DMZ from intrusions from the Internet and from each other. ZyWALLs (A1 and A3) also receive firewall protection.
ZyWALL (A2) protects the firewall (B), DMZ servers (and LAN). However, ZyWALL (A2) does not receive firewall protection.
Figure 1-5 Installation Example 4
Chapter 2
Introducing the Web Configurator
This chapter describes how to access the ZyWALL web configurator and provides an overview of its screens.
2.1 Web Configurator Overview
The embedded web configurator (eWC) allows you to manage the ZyWALL through a browser such as Microsoft Internet Explorer or Netscape Navigator, from any host that the Remote Management settings allow. Use Internet Explorer 6.0 and later or Netscape Navigator 7.0 and later with JavaScript enabled. A screen resolution of 1024 by 768 pixels is recommended. The screens you see in the web configurator may vary somewhat from the ones shown in this document due to differences between firmware versions.
2.2 Accessing the ZyWALL Web Configurator
1. Make sure your ZyWALL hardware is properly connected and prepare your computer/computer network to connect to the ZyWALL (refer to the Quick Start Guide).
2. Launch your web browser and type "192.168.1.3" as the URL.
Figure 2-1 Default Web Configurator IP Address
3. Type "1234" (the factory default) as the password and click Login. In some versions the default password is filled in automatically; if so, just click Login. The default password is printed in this guide and is therefore known to anyone, so change it at the next step.
Figure 2-2 Login Screen
4.You should see a screen asking you to change your password (highly recommended) as shown next. Type a new password (and retype it to confirm) and click Apply or click Ignore.
Figure 2-3 Change Password Screen
5. You should now see the HOME screen (see Figure 2-4).
The management session automatically times out when the time period set in the Administrator Inactivity Timer field expires.
Simply log back into the ZyWALL if this happens to you.
2.3 Navigating the ZyWALL Web Configurator
The following summarizes how to navigate the web configurator from the HOME screen.
Click the help icon (located in the top right corner of most screens) to view online help.
You can configure the ZyWALL's IP address in order to access it for management. The LAN, WAN and MGMT ports act as a hub and share the same IP address.
Use the submenus to configure ZyWALL features.
Click LOGOUT at any time to exit the web configurator.
Click MAINTENANCE to view information about your ZyWALL or upgrade configuration/firmware files. Maintenance includes Password, Time Setting, F/W (firmware) Upload, Configuration (Backup, Restore, Default), and Restart.
Figure 2-4 Web Configurator HOME Screen
The following table describes the labels in this screen.
Table 2-1 Web Configurator HOME Screen
LABEL: DESCRIPTION
Wizard
Quick Setup: Click Quick Setup to start the ZyWALL setup wizard.
Device Information
System Name: The system name identifies your device type. The system name should also be on a sticker on your device. If you are uploading firmware, be sure to upload firmware for this exact system name.
Firmware Version: This is the firmware version number and the date created.
Policy Version: This field displays the intrusion signature set version number and the date updated.
Current Time: This field displays the present time as configured on the device.
Current Date: This field displays the present date as configured on the device.
Up Time: This field displays the total time in seconds since the ZyWALL was last turned on.
Memory: The first number shows how many kilobytes of heap memory the ZyWALL is using. Heap memory refers to the memory that is used by the ZyWALL operating system. The second number shows the ZyWALL's total heap memory (in kilobytes). The bar displays what percent of the ZyWALL's heap memory is in use. The bar is green when less than 70% is in use and red when more than 70% is in use.
Flash Usage: The first number shows the amount of flash (non-volatile) memory used by the ZyWALL. The bar displays what percentage of disk space is in use. The bar is green when less than 70% is in use and red when more than 70% is in use. The second number shows the total available disk space (in megabytes).
Current TCP Session: This field displays the number of TCP sessions currently established.
Policy Number: This field displays the number of signature "rules" for the displayed policy version.
IP Address: This shows the ZyWALL's IP address. The LAN, WAN and MGMT ports all use the same IP address.
Netmask: This shows the ZyWALL's subnet mask.
Gateway: This field displays the IP address of the gateway. The gateway is an immediate neighbor of your ZyWALL that will forward the packet to the destination. The gateway must be on the same segment as your ZyWALL. The gateway and DNS settings are only relevant to the internal functions (SNMP, e-mail, syslog) of the ZyWALL.
State: This field displays whether the ZyWALL is Inline (configure an action for suspicious packets), Monitor (send out alerts only for suspicious packets) or Bypass (all traffic can pass through the ZyWALL without inspection).
Link Mode: This field displays whether each port is up or down, the speed (10M or 100M), the duplex mode (full or half) and whether stealth is enabled.
2.3.1 Navigation Panel
After you enter the password, use the sub-menus on the navigation panel to configure ZyWALL features.
The following table describes the sub-menus.
Table 2-2 Screens Summary
LINK, TAB: FUNCTION
HOME: This screen shows the ZyWALL's general device information. Use this screen to access the setup wizard.
SYSTEM: Access the GENERAL, INTERFACE and REMOTE MGMT links from here.
GENERAL, Device: Use this screen to configure device TCP/IP settings and the TCP idle timeout.
GENERAL, VLAN: Use this screen to configure the VLAN tag and VLAN ID.
GENERAL, State: Use this screen to set the intrusion operating state (Inline, Monitor or Bypass).
INTERFACE, Link: Use this screen to set each port's speed and duplex mode.
INTERFACE, Stealth: Use this screen to enable/disable stealth on the LAN or WAN ports.
INTERFACE, Policy Check: Policy check determines the interface on which traffic is checked against the ZyWALL policy rules (both pre-defined and user-defined). If you select the LAN port, only traffic entering the LAN port and leaving through the WAN port is checked. Similarly, if you select the WAN port, only traffic entering the WAN port and leaving through the LAN port is checked.
REMOTE MGMT, WWW: Use this screen to configure through which interface(s) and from which IP address(es) users can use HTTP to manage the ZyWALL.
REMOTE MGMT, SNMP: Use this screen to configure Simple Network Management Protocol (SNMP) ZyWALL management.
REMOTE MGMT, SSH: Use this screen to configure through which interface(s) and from which IP address(es) users can use Secure Shell to manage the ZyWALL.
IDP, Pre-defined: All pre-defined IDP policies are already stored in the ZyWALL by default. Use this screen to see all pre-defined policies or search for specific ones.
IDP, Update: Use this screen to set the IP address of the update server and to schedule automatic downloading.
IDP, User-defined: Use this screen to create your own intrusion protection policies.
IDP, Registration: Use this screen to register for IDP update server downloads.
LOG & REPORT: Access the LOGS, REPORT and ALARM links from here.
LOGS, View Log: Use this screen to view the logs for the categories that you selected.
REPORT: Use this screen to configure and schedule e-mailed log reports.
REPORT, syslog: Use this screen to configure an external syslog server, a logging server used to store and parse logs.
ALARM, ALARM: Use this screen to configure and set the frequency of (e-mailed) alarms.
MAINTENANCE, Password: Use this screen to change your password.
MAINTENANCE, Time Setting: Use this screen to set your ZyWALL's time and date.
MAINTENANCE, F/W Upload: Use this screen to configure and schedule firmware uploads to your ZyWALL.
MAINTENANCE, Configuration: Use this screen to back up or restore ZyWALL configuration settings, or reset them to the factory defaults.
MAINTENANCE, Restart: This screen allows you to reboot the ZyWALL without turning the power off.
LOGOUT: Click this link to log out of and exit the web configurator. For security reasons, you should do this after each management session.
See the Quick Start Guide for information on using the wizard to configure the ZyWALL for the first time.
2.4 Example Configuration Settings
The following table shows an example setup for your ZyWALL. In this setup, the ZyWALL is behind a NAT router (or firewall) and is given a private IP address. The gateway is also in a private network. The LAN and WAN ports are both in stealth mode and remote management is only allowed from the MGMT port.
Table 2-3 Example Configuration Settings
ZyWALL Settings
IP Address: 10.10.1.1 (private IP address)
Subnet Mask: 255.255.255.0
Gateway: 10.10.1.254 (switch or router on LAN or DMZ)
State: INLINE
Port Settings
Port, Link, Status, Stealth
WAN, Auto 10M/Half, UP, ON
LAN, Auto 100M/Full, UP, ON
MGMT, Auto 100M/Full, UP, OFF
Remote Management
WWW Server Access: MGMT only
SNMP Server Access: MGMT only
SSH Server Access: MGMT only
Part II: General, Interface, and Remote Management
This part covers configuration of the General, Interface, and Remote Management screens.
Chapter 3
General Settings
This chapter describes how to configure the ZyWALL’s TCP, VLAN and State settings.
3.1 Device
Enter the ZyWALL IP address, subnet mask, gateway IP address and DNS server IP address in the next screen. The gateway and DNS entries relate to the e-mail, syslog and SNMP functions of the ZyWALL.
The DNS server maps a domain name to its corresponding IP address and vice versa. If you configure a DNS server, you can enter an IP address or domain name for e-mail, syslog, etc. servers.
If you change the ZyWALL IP address, you will need to access it again using the new IP address. To change your ZyWALL’s network settings click GENERAL, then the Device tab.
Figure 3-1 General: Device
The following table describes the fields in this screen.
Table 3-1 General: Device
LABEL: DESCRIPTION
System Name: Enter a descriptive name of up to 128 single-byte or double-byte characters for identification purposes.
Administrator Inactivity Timer: Type how many minutes a management session (via the web configurator or SSH) can be left idle before it times out. After it times out you have to log in with your password again. Very long idle timeouts carry security risks, since an unattended logged-in session can be used by anyone with access to that workstation. A value of "0" means a management session never times out, no matter how long it has been left idle (not recommended).
Device Setup
IP Address: Type the IP address of your ZyWALL. If you change the ZyWALL IP address, you will need to access it again using the new IP address.
Subnet Mask: Type the IP subnet mask of your ZyWALL.
Gateway: Type the IP address of the gateway. The gateway and DNS entries relate to the e-mail, syslog and SNMP functions of the ZyWALL.
DNS Server: The DNS server maps a domain name to its corresponding IP address and vice versa. If you configure a DNS server, you can enter an IP address or domain name for the e-mail, syslog and other servers.
Apply: Click this button to save your changes to the ZyWALL.
Reset: Click this button to begin configuring this screen afresh.
3.2 Introduction to VLANs
A VLAN (Virtual Local Area Network) allows a physical network to be partitioned into multiple logical networks. Devices on a logical network belong to one group. A device can belong to more than one group. With VLAN, a device cannot directly talk to or hear from devices that are not in the same group(s); the traffic must first go through a router.
VLAN increases network performance by limiting broadcasts to a smaller and more manageable logical broadcast domain.
3.2.1 Tagged VLANs (IEEE 802.1Q)
This section gives some technical background information on tagged VLANs. Skip to section 3.3 to see how to configure VLAN tagging on the ZyWALL. When a device receives a frame from a workstation, the VLAN from whence it came must be known so the device may respond, if necessary, to the source of the frame. This is accomplished by tagging.
IEEE 802.1Q tagged VLAN uses an explicit tag (VLAN ID) in the MAC header to identify the VLAN membership of a frame across devices - tagged VLANs are not confined to the device on which they were created.
The VLAN ID associates a frame with a specific VLAN and provides the information that switches need to process the frame across the network. A tagged frame is four bytes longer than an untagged frame and contains two bytes of TPID (Tag Protocol Identifier, residing within the type/length field of the Ethernet frame) and two bytes of TCI (Tag Control Information, a tagged header starts after the source address field of the Ethernet frame).
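To make the frame layout concrete, here is an added Python example (not ZyXEL code) that builds and parses tagged and untagged Ethernet frames as described above, confirming the four-byte difference and extracting the TPID, PCP, DEI and VID fields. It also accepts a stacked 802.1ad (0x88A8) outer tag, which goes beyond the single-tag case in the text. The MAC addresses and the payload are constructed for the example.

```python
import struct

# EtherType values that announce a VLAN tag in the type/length position:
# 0x8100 is IEEE 802.1Q; 0x88A8 (802.1ad "Q-in-Q") is accepted too, which
# goes beyond the single-tag case the text describes.
TAG_TPIDS = {0x8100: "802.1Q", 0x88A8: "802.1ad"}


def parse_frame(frame: bytes) -> dict:
    """Split an Ethernet frame into addresses, VLAN tag(s), payload EtherType
    and payload. Each tag is 4 bytes inserted after the source MAC: 2 bytes
    TPID followed by 2 bytes TCI = PCP (3 bits), DEI (1 bit), VID (12 bits)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    info = {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"), "tags": []}
    offset = 12
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    while ethertype in TAG_TPIDS:
        # Need the 2-byte TCI and the EtherType that follows the tag.
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        tci, next_type = struct.unpack_from("!HH", frame, offset + 2)
        info["tags"].append({
            "tpid": ethertype,
            "pcp": tci >> 13,
            "dei": (tci >> 12) & 1,
            "vid": tci & 0x0FFF,   # VID 0 = priority-tagged only, 4095 is reserved
        })
        ethertype, offset = next_type, offset + 4
    offset += 2
    info["ethertype"] = ethertype
    info["payload"] = frame[offset:]
    return info


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                tags=()) -> bytes:
    """Assemble a frame; `tags` is a sequence of (tpid, pcp, dei, vid),
    outermost first. Empty `tags` yields an ordinary untagged frame."""
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    out = bytearray(dst + src)
    for tpid, pcp, dei, vid in tags:
        if not (0 <= pcp <= 7 and dei in (0, 1) and 0 <= vid <= 4095):
            raise ValueError("tag field out of range")
        out += struct.pack("!HH", tpid, (pcp << 13) | (dei << 12) | vid)
    out += struct.pack("!H", ethertype) + payload
    return bytes(out)


def demo():
    """Constructed frames: the same IPv4 payload untagged and in VLAN 100."""
    dst = bytes.fromhex("001349aabbcc")   # constructed MAC addresses
    src = bytes.fromhex("00a0c5112233")
    payload = bytes([0x45]) + bytes(19)   # stand-in for an IPv4 header
    untagged = build_frame(dst, src, 0x0800, payload)
    tagged = build_frame(dst, src, 0x0800, payload, tags=[(0x8100, 3, 0, 100)])
    return parse_frame(untagged), parse_frame(tagged), len(tagged) - len(untagged)


if __name__ == "__main__":
    plain, vlan, extra = demo()
    print(f"untagged EtherType 0x{plain['ethertype']:04x}, tags={plain['tags']}")
    print(f"tagged   EtherType 0x{vlan['ethertype']:04x}, tags={vlan['tags']}")
    print(f"tag adds {extra} bytes")
```

The length check inside the loop matters for an inline device: a frame that carries a TPID but is cut off before the TCI must be rejected rather than parsed past its end, and a frame with more than one tag must be walked tag by tag until the real payload EtherType is reached.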