Chapter 11
Firewall

This chapter shows you how to enable the Zyxel Device firewall. Use the firewall to protect your Zyxel Device and network from attacks by hackers on the Internet and control access to it. The firewall:
• allows traffic that originates from your LAN computers to go to all other networks.
• blocks traffic that originates on other networks from going to the LAN.
By default, the Zyxel Device blocks DoS attacks whether the firewall is enabled or disabled.
The following figure illustrates the firewall action. User A can initiate an IM (Instant Messaging) session from the LAN to the WAN (1). Return traffic for this session is also allowed (2). However, other traffic initiated from the WAN is blocked (3 and 4).
Figure 82 Default Firewall Action
11.1.1 What You Need to Know About Firewall
DoS
Denial of Service (DoS) attacks are aimed at devices and networks with a connection to the Internet.
Their goal is not to steal information, but to disable a device or network so users no longer have access
to network resources. The Zyxel Device is pre-configured to automatically detect and thwart all known
DoS attacks.
ICMP
Internet Control Message Protocol (ICMP) is a message control and error-reporting protocol between a host server and a gateway to the Internet. ICMP uses Internet Protocol (IP) datagrams, but the messages are processed by the TCP/IP software and directly apparent to the application user.
LTE7461-M602 User’s Guide
109
Chapter 11 Firewall
DoS Thresholds
For DoS attacks, the Zyxel Device uses thresholds to determine when to drop sessions that do not become fully established. These thresholds apply globally to all sessions. You can use the default threshold values, or you can change them to values more suitable to your security requirements.
11.2 The Firewall Screen
11.2.1 What You Can Do in this Chapter
• Use the General screen to configure the security level of the firewall on the Zyxel Device (Section 11.3 on page 110).
• Use the Protocol screen to add or remove predefined Internet services and configure firewall rules (Section 11.4 on page 111).
• Use the Access Control screen to view and configure incoming/outgoing filtering rules (Section 11.5 on page 113).
• Use the DoS screen to activate protection against Denial of Service (DoS) attacks (Section 11.6 on page 115).
11.3 The Firewall General Screen
Use the firewall to protect your Zyxel Device and network from attacks by hackers on the Internet and
control access to it. Use this screen to set the security level of the firewall on the Zyxel Device. Firewall
rules are grouped based on the direction of travel of packets. A higher firewall level means more
restrictions on the Internet activities you can perform. Click Security > Firewall > General to display the
following screen. Use the slider to select the level of firewall protection.
Figure 83 Security > Firewall > General
Note: LAN to WAN is your access to all Internet services. WAN to LAN is the access of other computers on the Internet to devices behind the Zyxel Device.
When the security level is set to High, access to Telnet, FTP, HTTP, HTTPS, DNS, IMAP, POP3, SMTP, and IPv6 Ping are still allowed from the LAN.
The following table describes the labels in this screen.
Table 42 Security > Firewall > General
LABEL: DESCRIPTION
IPv4 Firewall: Enable firewall protection when using IPv4 (Internet Protocol version 4).
IPv6 Firewall: Enable firewall protection when using IPv6 (Internet Protocol version 6).
High: This setting blocks all traffic to and from the Internet. Only local network traffic and LAN to WAN service (Telnet, FTP, HTTP, HTTPS, DNS, POP3, SMTP) is permitted.
Medium: This is the recommended setting. It allows traffic to the Internet but blocks anyone from the Internet from accessing any services on your local network.
Low: This setting allows traffic to the Internet and also allows someone from the Internet to access services on your local network. This would be used with Port Forwarding, Default Server.
Apply: Click this to save your changes.
Cancel: Click this to restore your previously saved settings.
11.4 The Protocol (Customized Services) Screen
A protocol is a port number rule which defines a service. Services include Email, File sharing, Instant messaging, Online games, Print servers, Voice over IP and so on. Define services in this screen that you want to apply access control rules to in the Firewall > Access Control screen. For a comprehensive list of port numbers and services, visit the IANA (Internet Assigned Numbers Authority) website. Click Security > Firewall > Protocol to display the following screen.
Note: Removing a protocol rule will also remove associated ACL rules.
Figure 84 Security > Firewall > Protocol
The following table describes the labels in this screen.
Table 43 Security > Firewall > Protocol
LABEL: DESCRIPTION
Add New Protocol Entry: Click this to configure a customized service.
Name: This is the name of your customized service.
Description: This is a description of your customized service.
Ports/Protocol Number: This shows the port number or range and the IP protocol (TCP or UDP) that defines your customized service.
Modify: Click this to edit a customized service.
11.4.1 Add Cus
Add a customized rule or edit an existing rule by specifying the IP port and the port number(s). Click Add New Protocol Entry in the Protocol screen to display the following screen.
The following table describes the labels in this screen.
Table 44 Security > Firewall > Protocol: Add New Protocol Entry
LABEL: DESCRIPTION
Service Name: Type a unique name for your custom port.
Description: Enter a description for your custom port.
Protocol: Choose the IP port (TCP, UDP, ICMP, ICMPv6, Other) that defines your customized port from the drop down list box.
Protocol Number: Type a single port number or the range of port numbers (0-255) that define your customized service.
OK: Click this to save your changes.
Cancel: Click this to exit this screen without saving.
11.5 The Access Control (Rules) Screen
An Access Control List (ACL) rule is a manually-defined rule that can accept, reject, or drop incoming or outgoing packets from your network based on the type of service. For example, you could block users using Instant Messaging in your network. This screen displays a list of the configured incoming or outgoing filtering rules. Note the order in which the rules are listed. Click Security > Firewall > Access Control to display the following screen.
Note: The ordering of your rules is very important as rules are applied in turn.
Figure 86 Security > Firewall > Access Control
The following table describes the labels in this screen.
Table 45 Security > Firewall > Rules
LABEL: DESCRIPTION
Rules Storage Space Usage: This read-only bar shows how much of the Zyxel Device’s memory for recording firewall rules it is currently using. When you are using 80% or less of the storage space, the bar is green. When the amount of space used is over 80%, the bar is red.
Add New ACL Rule: Select an index number and click Add to add a new firewall rule after the selected index number. For example, if you select “6”, your new rule becomes number 7 and the previous rule 7 (if there is one) becomes rule 8.
#: This field displays the rule index number. The ordering of your rules is important as rules are applied in turn.
Name: This field displays the rule name.
Src IP: This field displays the source IP addresses to which this rule applies.
Dest IP: This field displays the destination IP addresses to which this rule applies.
Service: This field displays the protocol (TCP, UDP, TCP+UDP or any) used to transport the packets for which you want to apply the rule.
Action: Displays whether the firewall silently discards packets (Drop), discards packets and sends a TCP reset packet or an ICMP destination-unreachable message to the sender (Reject), or allows the passage of (Accept) packets that match this rule.
Modify: Click the Edit icon to edit the firewall rule. Click the Delete icon to delete an existing firewall rule.
11.5.1 Access Control Add New ACL Rule Screen
Use this screen to configure firewall rules. In the Access Control screen, select an index number and click Add New ACL Rule or click a rule’s Edit icon to display this screen and refer to the following table for information on the labels.
Figure 87 Security > Firewall > Access Control > Add New ACL Rule
The following table describes the labels in this screen.
Table 46 Security > Firewall > Access Control > Add New ACL Rule
LABEL: DESCRIPTION
Filter Name: Type a unique name for your filter rule.
Order: Assign the order of your rules as rules are applied in turn.
Select Source IP Address: If you want the source to come from a particular (single) IP, select Specific IP Address. If not, select from a detected device.
Source IP Address: If you selected Specific IP Address in the previous item, enter the source device’s IP address here. Otherwise this field will be hidden if you select the detected device.
Select Destination Device: If you want your rule to apply to packets with a particular (single) IP, select Specific IP Address. If not, select a detected device.
Destination IP Address: If you selected Specific IP Address in the previous item, enter the destination device’s IP address here. Otherwise this field will be hidden if you select the detected device.
IP Type: Select between IPv4 or IPv6. Compared to IPv4, IPv6 (Internet Protocol version 6) is designed to enhance IP address size and features. The increase in IPv6 address size to 128 bits (from the 32-bit IPv4 address) allows up to 3.4 x 10^38 IP addresses. The Zyxel Device can use IPv4/IPv6 dual stack to connect to IPv4 and IPv6 networks, and supports IPv6 rapid deployment (6RD).
Select Service: Select a service from the Select Service box.
Protocol: Select the protocol (ALL, TCP/UDP, TCP, UDP, ICMP, ICMPv6) used to transport the packets for which you want to apply the rule.
Custom Source Port: This is a single port number or the starting port number of a range that defines your rule.
Custom Destination Port: This is a single port number or the ending port number of a range that defines your rule.
Policy: Use the drop-down list box to select whether to discard (Drop), deny and send an ICMP destination-unreachable message to the sender (Reject), or allow the passage of (Accept) packets that match this rule.
Direction: Select WAN to LAN to apply the rule to traffic from WAN to LAN. Select LAN to WAN to apply the rule to traffic from LAN to WAN. Select WAN to Router to apply the rule to traffic from WAN to router. Select LAN to Router to apply the rule to traffic from LAN to router.
Enable Rate Limit: Click to enable (switch turns blue) the setting of a maximum number of packets per minute/second to limit the throughput of traffic that matches this rule. If not, the next item will be disabled.
packet(s) per (1-512): Enter the maximum number of packets (1-512) per minute/second.
Scheduler Rules: Select a schedule rule for this ACL rule from the drop-down list box. You can configure a new schedule rule by clicking Add New Rule.
OK: Click this to save your changes.
Cancel: Click this to exit this screen without saving.
11.6 DoS Screen
Activate protection against DoS attacks. DoS (Denial of Service) attacks can flood your Internet connection with invalid packets and connection requests, using so much bandwidth and so many resources that Internet access becomes unavailable.
Click Security > Firewall > DoS to display the following screen.
Figure 88 Security > Firewall > DoS
The following table describes the labels in this screen.
Table 47 Security > Firewall > DoS
LABEL: DESCRIPTION
DoS Protection Blocking: Enable this to protect against DoS attacks. The Zyxel Device will drop sessions that surpass maximum thresholds.
Apply: Click this to save your changes.
Cancel: Click this to restore your previously saved settings.
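The threshold mechanism behind DoS Protection Blocking (Section 11.1.1, DoS Thresholds) is only outlined in this chapter. The following is an added example, not firmware code from the Zyxel Device: a small Python tracker that counts TCP sessions stuck before the handshake-completing ACK and refuses new ones once a global limit is reached, which is the behaviour the switch above enables. The threshold and timeout values, the simplified packet dictionaries and the traffic sample are all constructed for illustration; the Zyxel Device’s own default thresholds are not documented here.

```python
import time
from dataclasses import dataclass, field

# Constructed threshold values for illustration only; the Zyxel Device's
# own defaults are not documented in this chapter.
MAX_HALF_OPEN = 3          # global limit on sessions awaiting the final ACK
HALF_OPEN_TIMEOUT = 30.0   # seconds before an unanswered SYN is forgotten


@dataclass
class HalfOpenTracker:
    """Counts TCP sessions that have not completed the three-way handshake
    and refuses new ones once a global threshold is reached."""
    max_half_open: int = MAX_HALF_OPEN
    timeout: float = HALF_OPEN_TIMEOUT
    pending: dict = field(default_factory=dict)  # flow key -> time SYN was seen
    dropped: int = 0

    def _expire(self, now: float) -> None:
        # Forget half-open sessions older than the timeout so a burst that
        # has ended does not keep the threshold occupied forever.
        for key in [k for k, t in self.pending.items() if now - t > self.timeout]:
            del self.pending[key]

    def handle(self, pkt: dict, now: float = None) -> str:
        """Return "accept" or "drop" for one simplified TCP packet.

        pkt has keys src, sport, dst, dport and flag; flag is "SYN" for a new
        session, "ACK" for the handshake-completing ACK, or "FIN"/"RST".
        """
        now = time.monotonic() if now is None else now
        self._expire(now)
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        flag = pkt["flag"]
        if flag == "SYN":
            if key in self.pending:
                return "accept"          # retransmitted SYN of a known session
            if len(self.pending) >= self.max_half_open:
                self.dropped += 1
                return "drop"            # threshold reached: admit no more
            self.pending[key] = now
            return "accept"
        if flag in ("ACK", "FIN", "RST"):
            # Established or torn down: the session no longer counts as half-open.
            self.pending.pop(key, None)
        return "accept"


# Constructed traffic: one client completes its handshake, then six SYNs
# from distinct source ports that are never followed by an ACK.
SAMPLE = [
    {"src": "203.0.113.10", "sport": 40000, "dst": "192.0.2.1", "dport": 443, "flag": "SYN"},
    {"src": "203.0.113.10", "sport": 40000, "dst": "192.0.2.1", "dport": 443, "flag": "ACK"},
] + [
    {"src": "198.51.100.7", "sport": 50000 + i, "dst": "192.0.2.1", "dport": 443, "flag": "SYN"}
    for i in range(6)
]


def sample_tracker() -> HalfOpenTracker:
    """Feed SAMPLE through a fresh tracker, one packet per second, and return it."""
    tracker = HalfOpenTracker()
    for i, pkt in enumerate(SAMPLE):
        tracker.handle(pkt, now=float(i))
    return tracker


def run_sample() -> list:
    """Verdicts for SAMPLE, in order."""
    tracker = HalfOpenTracker()
    return [tracker.handle(pkt, now=float(i)) for i, pkt in enumerate(SAMPLE)]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, run_sample()):
        print(f"{pkt['flag']:<3} {pkt['src']}:{pkt['sport']} -> {verdict}")
```

With a limit of three, the first three unanswered SYNs are admitted and the remaining three are dropped, while the client that completed its handshake is never affected; once the stale entries time out, new sessions are admitted again.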
11.7 Firewall Technical Reference
This section provides some technical background information about the topics covered in this chapter.
11.7.1 Firewall Rules Overview
Your customized rules take precedence and override the Zyxel Device’s default settings. The Zyxel Device checks the source IP address, destination IP address and IP protocol type of network traffic against the firewall rules (in the order you list them). When the traffic matches a rule, the Zyxel Device takes the action specified in the rule.
Firewall rules are grouped based on the direction of travel of packets to which they apply:
• LAN to Router
• LAN to WAN
• WAN to LAN
• WAN to Router
By default, the Zyxel Device’s stateful packet inspection allows packets traveling in the following
directions:
• LAN to Router
These rules specify which computers on the LAN can manage the Zyxel Device (remote management).
Note: You can also configure the remote management settings to allow only a specific computer to manage the Zyxel Device.
• LAN to WAN
These rules specify which computers on the LAN can access which computers or services on the WAN.
By default, the Zyxel Device’s stateful packet inspection drops packets traveling in the following
directions:
• WAN to LAN
These rules specify which computers on the WAN can access which computers or services on the LAN.
Note: You also need to configure NAT port forwarding (or full featured NAT address mapping rules) to allow computers on the WAN to access devices on the LAN.
• WAN to Router
By default the Zyxel Device stops computers on the WAN from managing the Zyxel Device. You could configure one of these rules to allow a WAN computer to manage the Zyxel Device.
Note: You also need to configure the remote management settings to allow a WAN computer to manage the Zyxel Device.
You may define additional rules and sets or modify existing ones but please exercise extreme caution in doing so.
For example, you may create rules to:
• Block certain types of traffic, such as IRC (Internet Relay Chat), from the LAN to the Internet.
• Allow certain types of traffic, such as Lotus Notes database synchronization, from specific hosts on the Internet to specific hosts on the LAN.
• Allow everyone except your competitors to access a web server.
• Restrict use of certain protocols, such as Telnet, to authorized users on the LAN.
These custom rules work by comparing the source IP address, destination IP address and IP protocol type of network traffic to rules set by the administrator. Your customized rules take precedence and override the Zyxel Device’s default rules.
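To make the rule matching described in this section and in the Access Control screen (Section 11.5) concrete, here is an added Python model; it is example code, not the Zyxel Device’s implementation. Rules carry the same fields as the Add New ACL Rule screen (direction, policy, protocol, source, destination, port), are checked in the order listed with the first match deciding, and fall back to the default per-direction policy given above. The rule names, addresses and packets are constructed; accepting CIDR ranges for source and destination goes beyond the single-IP fields the screen offers.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Default stateful-inspection policy described in the chapter: traffic that
# starts on the LAN is allowed, traffic that starts on the WAN is dropped.
DEFAULT_POLICY = {
    "LAN to WAN": "Accept",
    "LAN to Router": "Accept",
    "WAN to LAN": "Drop",
    "WAN to Router": "Drop",
}


@dataclass
class AclRule:
    name: str
    direction: str                 # one of the DEFAULT_POLICY keys
    policy: str                    # "Accept", "Reject" or "Drop"
    protocol: str = "ALL"          # ALL, TCP, UDP, TCP/UDP, ICMP, ICMPv6
    src: Optional[str] = None      # IP or CIDR; None matches any source
    dst: Optional[str] = None      # IP or CIDR; None matches any destination
    dport: Optional[range] = None  # destination port range; None matches any

    def matches(self, pkt: dict) -> bool:
        if pkt["direction"] != self.direction:
            return False
        if self.protocol != "ALL":
            allowed = {"TCP", "UDP"} if self.protocol == "TCP/UDP" else {self.protocol}
            if pkt["protocol"] not in allowed:
                return False
        for key, net in (("src", self.src), ("dst", self.dst)):
            if net is None:
                continue
            if ipaddress.ip_address(pkt[key]) not in ipaddress.ip_network(net, strict=False):
                return False
        if self.dport is not None and pkt.get("dport") not in self.dport:
            return False
        return True


class Acl:
    """Ordered rule list: the first matching rule decides; otherwise the
    direction's default policy applies."""

    def __init__(self):
        self.rules = []

    def add_after(self, index: int, rule: AclRule) -> int:
        """Insert after the 1-based rule number, as the Add New ACL Rule screen
        does (selecting 6 makes the new rule number 7); index 0 puts it first.
        Returns the new rule's number."""
        self.rules.insert(index, rule)
        return index + 1

    def decide(self, pkt: dict):
        """Return (policy, matching rule number) or (default policy, None)."""
        for number, rule in enumerate(self.rules, start=1):
            if rule.matches(pkt):
                return rule.policy, number
        return DEFAULT_POLICY[pkt["direction"]], None


def build_sample_acl(swap_telnet_rules: bool = False) -> Acl:
    """Four constructed rules covering the chapter's example use cases."""
    acl = Acl()
    acl.add_after(0, AclRule("block-irc", "LAN to WAN", "Drop", "TCP", dport=range(6667, 6670)))
    acl.add_after(1, AclRule("web-server", "WAN to LAN", "Accept", "TCP",
                             dst="192.168.1.10", dport=range(443, 444)))
    admins = AclRule("telnet-admin", "LAN to Router", "Accept", "TCP",
                     src="192.168.1.2", dport=range(23, 24))
    others = AclRule("telnet-others", "LAN to Router", "Reject", "TCP", dport=range(23, 24))
    # Order matters: the admin exception must come before the catch-all.
    first, second = (others, admins) if swap_telnet_rules else (admins, others)
    acl.add_after(2, first)
    acl.add_after(3, second)
    return acl


# Constructed packets; the WAN side uses RFC 5737 documentation addresses.
SAMPLE_PACKETS = {
    "lan-web": {"direction": "LAN to WAN", "protocol": "TCP", "src": "192.168.1.20", "dst": "203.0.113.5", "dport": 443},
    "lan-irc": {"direction": "LAN to WAN", "protocol": "TCP", "src": "192.168.1.20", "dst": "203.0.113.5", "dport": 6667},
    "wan-to-webserver": {"direction": "WAN to LAN", "protocol": "TCP", "src": "198.51.100.7", "dst": "192.168.1.10", "dport": 443},
    "wan-to-desktop": {"direction": "WAN to LAN", "protocol": "TCP", "src": "198.51.100.7", "dst": "192.168.1.20", "dport": 445},
    "admin-telnet": {"direction": "LAN to Router", "protocol": "TCP", "src": "192.168.1.2", "dst": "192.168.1.1", "dport": 23},
    "guest-telnet": {"direction": "LAN to Router", "protocol": "TCP", "src": "192.168.1.77", "dst": "192.168.1.1", "dport": 23},
}


def evaluate(acl: Optional[Acl] = None) -> dict:
    """Policy reached for each sample packet."""
    acl = acl or build_sample_acl()
    return {name: acl.decide(pkt)[0] for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(f"{name:<18} {verdict}")
    print("admin telnet with the two Telnet rules swapped:",
          evaluate(build_sample_acl(True))["admin-telnet"])
```

The swapped variant shows why the chapter stresses ordering: with the catch-all Reject listed before the administrator's Accept, the administrator is rejected too, and nothing else in the configuration changed.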
11.7.2 Guidelines For Enhancing Security With Your Firewall
1 Change the default password via the Web Configurator.
2 Think about access control before you connect to the network in any way.
3 Limit who can access your router.
4 Don't enable any local service (such as telnet or FTP) that you don't use. Any enabled service could present a potential security risk. A determined hacker might be able to find creative ways to misuse the enabled services to access the firewall or the network.
5 For local services that are enabled, protect against misuse. Protect by configuring the services to communicate only with specific peers, and protect by configuring rules to block packets for the services at specific interfaces.
6 Protect against IP spoofing by making sure the firewall is active.
7 Keep the firewall in a secured (locked) room.
11.7.3 Security Considerations
Consider these security ramifications before creating a rule:
1 Does this rule stop LAN users from accessing critical resources on the Internet? For example, if IRC (Internet Relay Chat) is blocked, are there users that require this service?
2 Is it possible to modify the rule to be more specific? For example, if IRC is blocked for all users, will a rule that blocks just certain users be more effective?
3 Does a rule that allows Internet users access to resources on the LAN create a security vulnerability? For example, if FTP ports (TCP 20, 21) are allowed from the Internet to the LAN, Internet users may be able to connect to computers with running FTP servers.
4 Does this rule conflict with any existing rules?
Once these questions have been answered, adding rules is simply a matter of entering the information into the correct fields in the Web Configurator screens.
Note: Incorrectly configuring the firewall may block valid access or introduce security risks to the Zyxel Device and your protected network. Use caution when creating or deleting firewall rules and test your rules after you configure them.
Chapter 12
MAC Filter

12.1 MAC Filter Overview
You can configure the Zyxel Device to permit access to clients based on their MAC addresses in the MAC Filter screen. This applies to wired and wireless connections. Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example, 00:A0:C5:00:00:02. You need to know the MAC addresses of the LAN client to configure this screen.
12.2 The MAC Filter Screen
Enable MAC Address Filter and add the host name and MAC address of a LAN client to the table if you wish to allow or deny them access to your network. Select Security > MAC Filter. The screen appears as shown.
Figure 89 Security > MAC Filter
You can choose to enable or disable the filters per entry; make sure that the check box under Active is
selected if you want to use a filter, as shown in the example below.
Figure 90 Enabling individual MAC filters
The following table describes the labels in this screen.
Table 48 Security > MAC Filter
LABEL: DESCRIPTION
MAC Address Filter: Select Enable to activate the MAC filter function.
MAC Restrict Mode: Select Allow to only permit the listed MAC addresses access to the Zyxel Device. Select Deny to permit anyone access to the Zyxel Device except the listed MAC addresses.
Add New Rule: Click this button to create a new entry.
Set: This is the index number of the MAC address.
Active: Select Active to enable the MAC filter rule. The rule will not be applied if Allow is not selected under MAC Restrict Mode.
Host Name: Enter the host name of the wireless or LAN clients that are allowed access to the Zyxel Device.
MAC Address: Enter the MAC addresses of the wireless or LAN clients that are allowed access to the Zyxel Device in these address fields. Enter the MAC addresses in a valid MAC address format, that is, six hexadecimal character pairs, for example, 12:34:56:78:9a:bc.
Delete: Click the Delete icon to delete an existing rule.
Cancel: Click Cancel to restore your previously saved settings.
Apply: Click Apply to save your changes.
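As an added illustration of the Allow and Deny semantics in the table above (example code, not the Zyxel Device’s own), the Python below validates addresses in the six-pair format the screen requires and evaluates a client MAC against the filter under each mode. Host names and addresses are constructed, and the model assumes that entries whose Active box is cleared are ignored in both modes.

```python
import re

# Six hexadecimal pairs, as the MAC Filter screen requires (12:34:56:78:9a:bc).
# "-" separators are also accepted so a MAC copied from a Windows
# "ipconfig /all" listing can be pasted unchanged; mixed separators are rejected.
_MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-])[0-9A-Fa-f]{2}(?:\1[0-9A-Fa-f]{2}){4}$")


def normalize_mac(mac: str) -> str:
    """Return the address as upper-case colon-separated pairs, or raise
    ValueError if it is not six hexadecimal pairs with one separator style."""
    mac = mac.strip()
    if not _MAC_RE.match(mac):
        raise ValueError(f"invalid MAC address: {mac!r}")
    return mac.replace("-", ":").upper()


def is_valid_mac(mac: str) -> bool:
    try:
        normalize_mac(mac)
        return True
    except ValueError:
        return False


class MacFilter:
    """Model of the MAC Filter screen: a global Enable switch, a Restrict Mode
    of Allow or Deny, and a table of (host name, MAC, Active) entries."""

    def __init__(self, enabled: bool = True, mode: str = "Allow", entries=()):
        if mode not in ("Allow", "Deny"):
            raise ValueError("MAC Restrict Mode must be 'Allow' or 'Deny'")
        self.enabled = enabled
        self.mode = mode
        self.entries = [(host, normalize_mac(mac), bool(active)) for host, mac, active in entries]

    def active_macs(self) -> set:
        # Assumption: entries whose Active box is cleared are ignored in both modes.
        return {mac for _, mac, active in self.entries if active}

    def permits(self, client_mac: str) -> bool:
        """True if a client with this MAC may use the network under the current settings."""
        if not self.enabled:
            return True
        listed = normalize_mac(client_mac) in self.active_macs()
        # Allow: only listed addresses get in. Deny: everyone except listed addresses.
        return listed if self.mode == "Allow" else not listed


# Constructed entries; the addresses are test values, not real devices.
SAMPLE_ENTRIES = [
    ("laptop", "12:34:56:78:9a:bc", True),
    ("printer", "02-00-5E-00-53-01", True),    # Windows style; normalized on load
    ("old-phone", "12:34:56:78:9a:ff", False),  # Active box cleared
]


def evaluate_sample(mode: str = "Allow", enabled: bool = True) -> dict:
    """Verdict for four constructed clients under the given settings."""
    mac_filter = MacFilter(enabled=enabled, mode=mode, entries=SAMPLE_ENTRIES)
    clients = {
        "laptop": "12:34:56:78:9A:BC",
        "printer": "02:00:5e:00:53:01",
        "old-phone": "12:34:56:78:9a:ff",
        "unknown": "12:34:56:78:9a:00",
    }
    return {name: mac_filter.permits(mac) for name, mac in clients.items()}


if __name__ == "__main__":
    for mode in ("Allow", "Deny"):
        print(mode, evaluate_sample(mode))
```

Under Allow only the two active entries get in; under Deny exactly those two are kept out and everyone else, including the inactive entry, is admitted. A MAC address is a client-supplied identifier, so this filter is a convenience control rather than authentication.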
Chapter 13
Certificates

13.1 Overview
The Zyxel Device can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. A certificate contains the certificate owner’s identity and public key. Certificates provide a way to exchange public keys for use in authentication.
13.1.1 What You Can Do in this Chapter
• Use the Local Certificates screen to view and import the Zyxel Device’s CA-signed (Certification
Authority) certificates (Section 13.2 on page 121).
• Use the Trusted CA screen to save the certificates of trusted CAs to the Zyxel Device. You can also export the certificates to a computer (Section 13.3 on page 125).
13.2 Local Certificates
View the Zyxel Device’s summary list of certificates, generate certification requests, and import the
signed certificates. You can import the following certificates to your Zyxel Device:
• Web Server - This certificate secures HTTP connections.
• SSH - This certificate secures remote connections.
Click Security > Certificates to open the Local Certificates screen.
Figure 91 Security > Certificates > Local Certificates
The following table describes the labels in this screen.
Table 49 Security > Certificates > Local Certificates
LABEL: DESCRIPTION
Replace Private Key/Certificate file in PEM format
Private Key is protected by password: Select the check box and enter the private key into the text box to store it on the Zyxel Device. The private key should not exceed 63 ASCII characters (not including spaces).
Choose File: Click this button to find the certificate file you want to upload.
Import Certificate: Click this button to save the certificate that you have enrolled from a certification authority from your computer to the Zyxel Device.
Create Certificate Request: Click this button to go to the screen where you can have the Zyxel Device generate a certification request.
Current File: This field displays the name used to identify this certificate. It is recommended that you give each certificate a unique name.
Subject: This field displays identifying information about the certificate’s owner, such as CN (Common Name), OU (Organizational Unit or department), O (Organization or company) and C (Country). It is recommended that each certificate have unique subject information.
Issuer: This field displays identifying information about the certificate’s issuing certification authority, such as a common name, organizational unit or department, organization or company and country.
Valid From: This field displays the date that the certificate becomes applicable. The text displays in red and includes a Not Yet Valid! message if the certificate has not yet become applicable.
Valid To: This field displays the date that the certificate expires. The text displays in red and includes an Expiring! or Expired! message if the certificate is about to expire or has already expired.
Modify: Click the View icon to open a screen with an in-depth list of information about the certificate. For a certification request, click Load Signed to import the signed certificate. Click the Remove icon to remove the certificate (or certification request). A window displays asking you to confirm that you want to delete the certificate. Note that subsequent certificates move up by one when you take this action.
13.2.1 Create Certificate Request
Click Security > Certificates > Local Certificates and then Create Certificate Request to open the following screen. Have the Zyxel Device generate a certification request. To create a certificate signing request, you need to enter a common name, organization name, state/province name, and the two-letter country code for the certificate.
Figure 92 Create Certificate Request
The following table describes the labels in this screen.
Table 50 Create Certificate Request
LABEL: DESCRIPTION
Certificate Name: Type up to 63 ASCII characters (not including spaces) to identify this certificate.
Common Name: Select Auto to have the Zyxel Device configure this field automatically. Or select Customize to enter it manually. Type the IP address (in dotted decimal notation), domain name or email address in the field provided. The domain name or email address can be up to 63 ASCII characters. The domain name or email address is for identification purposes only and can be any string.
Organization Name: Type up to 63 characters to identify the company or group to which the certificate owner belongs. You may use any character, including spaces, but the Zyxel Device drops trailing spaces.
State/Province Name: Type up to 32 characters to identify the state or province where the certificate owner is located. You may use any character, including spaces, but the Zyxel Device drops trailing spaces.
Country/Region Name: Select a country to identify the nation where the certificate owner is located.
Cancel: Click Cancel to exit this screen without saving.
OK: Click OK to save your changes.
13.2.2 View Certificate Request
View in-depth information about the certificate request. The Certificate is used to verify the authenticity of the certification authority. The Private Key serves as your digital signature for authentication and must be safely stored. The Signing Request contains the certificate signing request value that you will copy upon submitting the certificate request to the CA (certificate authority).
Click the View icon in the Local Certificates screen to open the following screen.
Figure 93 Certificate Request: View
The following table describes the fields in this screen.
Table 51 Certificate Request: View
LABEL: DESCRIPTION
Name: This field displays the identifying name of this certificate.
Type: This field displays general information about the certificate. ca means that a Certification Authority signed the certificate.
Subject: This field displays information that identifies the owner of the certificate, such as Common Name (CN), Organizational Unit (OU), Organization (O) and Country (C).
Certificate: This read-only text box displays the certificate in Privacy Enhanced Mail (PEM) format. PEM uses base 64 to convert the binary certificate into a printable form. You can copy and paste the certificate into an email to send to friends or colleagues or you can copy and paste the certificate into a text editor and save the file on a management computer for later distribution.
Private Key: This field displays the private key of this certificate.
Signing Request: This field displays the CSR (Certificate Signing Request) information of this certificate. The CSR will be provided to a certificate authority, and it includes information about the public key, organization name, domain name, location, and country of this certificate.
Back: Click Back to return to the previous screen.
13.3 Trusted CA
Click Security > Certificates > Trusted CA to open the following screen. A summary list of certificates of the certification authorities that you have set the Zyxel Device to accept as trusted is listed below. The Zyxel Device accepts any valid certificate signed by a certification authority on this list as being trustworthy; thus you do not need to import any certificate that is signed by one of these certification authorities.
Note: A maximum of 4 certificates can be stored.
Figure 94 Security > Certificates > Trusted CA
The following table describes the labels in this screen.
Table 52 Security > Certificates > Trusted CA
LABEL: DESCRIPTION
Import Certificate: Click this button to open a screen where you can save the certificate of a certification authority that you trust to the Zyxel Device.
#: This is the index number of the entry.
Name: This field displays the name used to identify this certificate.
Subject: This field displays information that identifies the owner of the certificate, such as Common Name (CN), OU (Organizational Unit or department), Organization (O), State (ST) and Country (C). It is recommended that each certificate have unique subject information.
Type: This field displays general information about the certificate. ca means that a Certification Authority signed the certificate.
Modify: Click the View icon to open a screen with an in-depth list of information about the certificate (or certification request). Click the Remove icon to delete the certificate (or certification request). You cannot delete a certificate that one or more features is configured to use.
13.4 Import Trusted CA Certificate
Click Import Certificate in the Trusted CA screen to open the Import Certificate screen. The Zyxel Device trusts any valid certificate signed by any of the imported trusted CA certificates. Certificates should be in one of the following formats: Binary X.509, PEM (base-64) encoded, Binary PKCS#7, or PEM (base-64) encoded PKCS#7. You can save a trusted certification authority’s certificate to the Zyxel Device.
Note: You must remove any spaces from the certificate’s filename before you can import the certificate.
Figure 95 Trusted CA > Import
The following table describes the labels in this screen.
Table 53 Security > Certificates > Trusted CA > Import
LABEL: DESCRIPTION
Certificate File Path: Type in the location of the file you want to upload in this field or click Choose File to find it.
Choose File: Click this button to find the certificate file you want to upload.
OK: Click this to save the certificate on the Zyxel Device.
Cancel: Click this to exit this screen without saving.
13.5 View Trusted CA Certificate
View in-depth information about the certification authority’s certificate. The certificate text box is read-only and can be distributed to others.
Click Security > Certificates > Trusted CA to open the Trusted CA screen. Click the View icon to open the View Certificate screen.
Figure 96 Trusted CA: View
The following table describes the labels in this screen.
Table 54 Trusted CA: View
LABEL: DESCRIPTION
Name: This field displays the identifying name of this certificate.
Certificate: This read-only text box displays the certificate or certification request in Privacy Enhanced Mail (PEM) format. PEM uses 64 ASCII characters to convert the binary certificate into a printable form. You can copy and paste the certificate into an email to send to friends or colleagues or you can copy and paste the certificate into a text editor and save the file on a management computer for later distribution (via USB thumb drive for example).
Back: Click this to return to the previous screen.
13.6 Certificates Technical Reference
This section provides some technical background information about the topics covered in this chapter.
Certification Authorities
A Certification Authority (CA) issues certificates and guarantees the identity of each certificate owner.
There are commercial certification authorities like CyberTrust or VeriSign and government certification
authorities.
Public and Private Keys
When using public-key cryptography for authentication, each host has two keys. One key is public and can be made openly available; the other key is private and must be kept secure. Public-key encryption in general works as follows.
1 Tim wants to send a private message to Jenny. Tim generates a public-private key pair. What is encrypted with one key can only be decrypted using the other.
2 Tim keeps the private key and makes the public key openly available.
3 Tim uses his private key to encrypt the message and sends it to Jenny.
4 Jenny receives the message and uses Tim’s public key to decrypt it.
5 Additionally, Jenny uses her own private key to encrypt a message and Tim uses Jenny’s public key to decrypt the message.
The Zyxel Device uses certificates based on public-key cryptography to authenticate users attempting to establish a connection. The method used to secure the data that you send through an established connection depends on the type of connection. For example, a VPN tunnel might use the triple DES encryption algorithm.
The certification authority uses its private key to sign certificates. Anyone can then use the certification
authority’s public key to verify the certificates.
Advantages of Certificates
Certificates offer the following benefits.
• The Zyxel Device only has to store the certificates of the certification authorities that you decide to
trust, no matter how many devices you need to authenticate.
• Key distribution is simple and very secure since you can freely distribute public keys and you never
need to transmit private keys.
Certificate File Format
The certification authority certificate that you want to import has to be in PEM (Base-64) encoded X.509
file format. This Privacy Enhanced Mail format uses 64 ASCII characters to convert a binary X.509
certificate into a printable form.
13.6.1 Verifying a Certificate
Before you import a trusted CA or trusted remote host certificate into the Zyxel Device, you should verify
that you have the actual certificate. This is especially true of trusted CA certificates since the Zyxel
Device also trusts any valid certificate signed by any of the imported trusted CA certificates.
You can use a certificate’s fingerprint to verify it. A certificate’s fingerprint is a message digest
calculated using the MD5 or SHA1 algorithms. The following procedure describes how to check a
certificate’s fingerprint to verify that you have the actual certificate.
1 Browse to where you have the certificate saved on your computer.
2 Make sure that the certificate has a “.cer” or “.crt” file name extension.
Figure 97 Certificates on Your Computer
3 Double-click the certificate’s icon to open the Certificate window. Click the Details tab and scroll down
to the Thumbprint Algorithm and Thumbprint fields.
Figure 98 Certificate Details
Use a secure method to verify that the certificate owner has the same information in the Thumbprint
Algorithm and Thumbprint fields. The secure method may vary based on your situation. Possible
examples would be over the telephone or through an HTTPS connection.
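The fingerprint check in the procedure above, worked through as an added Python example (this is not Zyxel's code and not part of the guide): it strips the PEM armour described under Certificate File Format, Base64-decodes the X.509 body back to DER, digests the DER bytes with MD5 or SHA1, and compares the result with the thumbprint the certificate owner gives you, accepting the spaced, colon-separated or bare hex spellings that the Certificate window and OpenSSL print. The PLACEHOLDER_DER bytes, the function names and the sample thumbprint below are constructed for the example; a real .cer or .crt file is handled the same way.

```python
import base64
import hashlib
import textwrap

# Constructed placeholder: these bytes stand in for a DER-encoded X.509 certificate
# and are NOT a real certificate. The digest logic does not care what the DER contains.
PLACEHOLDER_DER = bytes(range(0x30, 0x60)) * 4


def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> str:
    """Wrap DER bytes in the PEM (Base64) form the device imports: 64-column lines."""
    body = base64.b64encode(der).decode("ascii")
    lines = textwrap.wrap(body, 64)
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def pem_to_der(pem: str) -> bytes:
    """Drop the BEGIN/END lines and line breaks, then Base64-decode back to DER."""
    inside = False
    chunks = []
    for line in pem.splitlines():
        line = line.strip()
        if line.startswith("-----BEGIN "):
            inside = True
            continue
        if line.startswith("-----END "):
            break
        if inside and line:
            chunks.append(line)
    if not chunks:
        raise ValueError("no PEM block found in input")
    return base64.b64decode("".join(chunks), validate=True)


def fingerprint(pem: str, algorithm: str = "sha1") -> str:
    """Message digest of the DER bytes, colon-separated as OpenSSL prints it."""
    algorithm = algorithm.lower()
    if algorithm not in ("md5", "sha1"):
        raise ValueError("the guide describes MD5 and SHA1 thumbprints only")
    digest = hashlib.new(algorithm, pem_to_der(pem)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalise(thumbprint: str) -> str:
    """Reduce 'A9 99 3E ...', 'a9:99:3e:...' or 'a9993e...' to one comparable form."""
    return "".join(ch for ch in thumbprint.lower() if ch in "0123456789abcdef")


def matches(pem: str, thumbprint_from_owner: str, algorithm: str = "sha1") -> bool:
    """True only when the digest of the file you hold equals what the owner told you."""
    return normalise(fingerprint(pem, algorithm)) == normalise(thumbprint_from_owner)


if __name__ == "__main__":
    pem = der_to_pem(PLACEHOLDER_DER)
    print(pem)
    print("SHA1 thumbprint:", fingerprint(pem, "sha1"))
    print("MD5  thumbprint:", fingerprint(pem, "md5"))
```

Read the Thumbprint Algorithm field first and pass the matching name to `matches`; comparing an MD5 value against a SHA1 digest silently fails, which is the right outcome but a confusing one. The comparison only proves you hold the same bytes the owner has, so the thumbprint itself must still reach you over the telephone, an HTTPS connection or another channel you trust.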
Chapter 14 Log
14.1 Log Overview
These screens allow you to determine the categories of events and/or alerts that the Zyxel Device logs
and then display these logs or have the Zyxel Device send them to an administrator (through email) or
to a syslog server.
14.1.1 What You Can Do in this Chapter
• Use the System Log screen to see the system logs (Section 14.2 on page 131).
• Use the Security Log screen to see the security-related logs for the categories that you select (Section
14.3 on page 131).
14.1.2 What You Need To Know
The following terms and concepts may help as you read this chapter.
Alerts and Logs
An alert is a type of log that warrants more serious attention. They include system errors, attacks (access
control) and attempted access to blocked web sites. Some categories such as System Errors consist of
both logs and alerts. You may differentiate them by their color in the View Log screen. Alerts display in
red and logs display in black.
Syslog Overview
The syslog protocol allows devices to send event notification messages across an IP network to syslog
servers that collect the event messages. A syslog-enabled device can generate a syslog message and
send it to a syslog server.
Syslog is defined in RFC 3164. The RFC defines the packet format, content and system log related
information of syslog messages. Each syslog message has a facility and severity level. The syslog facility
identifies a file in the syslog server. Refer to the documentation of your syslog program for details. The
following table describes the syslog severity levels.
Table 55 Syslog Severity Levels
CODE SEVERITY
0 Emergency: The system is unusable.
1 Alert: Action must be taken immediately.
2 Critical: The system condition is critical.
3 Error: There is an error condition on the system.
4 Warning: There is a warning condition on the system.
5 Notice: There is a normal but significant condition on the system.
6 Informational: The syslog contains an informational message.
7 Debug: The message is intended for debug-level purposes.
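How a syslog server turns the facility and severity of Table 55 into something it can file and filter, as an added Python example (not the device's firmware and not part of this guide): RFC 3164 carries both values in one PRI number at the start of the message, PRI = facility * 8 + severity, so the example decodes that prefix and then applies the same rule the log screens use for the Level filter, where "that severity or higher" means a code less than or equal to the one selected. The sample lines, host name and addresses are constructed for the example.

```python
import re
from typing import List, NamedTuple, Tuple

# Severity codes exactly as in Table 55: a lower number is more severe.
SEVERITY = {0: "Emergency", 1: "Alert", 2: "Critical", 3: "Error",
            4: "Warning", 5: "Notice", 6: "Informational", 7: "Debug"}

# Facility codes from RFC 3164 section 4.1.1 (names abbreviated).
FACILITY = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
            6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
            12: "ntp", 13: "logaudit", 14: "logalert", 15: "clock",
            16: "local0", 17: "local1", 18: "local2", 19: "local3",
            20: "local4", 21: "local5", 22: "local6", 23: "local7"}


class SyslogMessage(NamedTuple):
    facility: int
    severity: int
    text: str


PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def split_pri(pri: int) -> Tuple[int, int]:
    """PRI = facility * 8 + severity, so divmod by 8 recovers both fields."""
    if not 0 <= pri <= 191:  # 23 * 8 + 7 is the largest legal value
        raise ValueError(f"PRI {pri} is outside 0..191")
    return divmod(pri, 8)


def parse(line: str) -> SyslogMessage:
    """Decode the <PRI> prefix; the rest of the line is kept verbatim."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("line does not start with a <PRI> prefix")
    facility, severity = split_pri(int(m.group(1)))
    return SyslogMessage(facility, severity, m.group(2))


def describe(msg: SyslogMessage) -> str:
    """Human-readable 'facility.severity' pair, e.g. 'auth.critical'."""
    return f"{FACILITY.get(msg.facility, '?')}.{SEVERITY[msg.severity].lower()}"


def at_least(messages: List[SyslogMessage], level: int) -> List[SyslogMessage]:
    """The Level filter of the log screens: keep codes at or below the selected one."""
    return [msg for msg in messages if msg.severity <= level]


# Constructed sample lines; they are not real output of the device.
SAMPLE_LINES = [
    "<34>Oct 11 22:14:15 lte-device su: 'su root' failed for lonvick on /dev/pts/8",
    "<165>Oct 11 22:14:16 lte-device firewall: blocked WAN->LAN TCP 203.0.113.7:4444",
    "<13>Oct 11 22:14:17 lte-device dhcpd: lease renewed for 192.168.1.33",
    "<15>Oct 11 22:14:18 lte-device wand: link up, RSSI -71 dBm",
]

if __name__ == "__main__":
    parsed = [parse(line) for line in SAMPLE_LINES]
    for msg in parsed:
        print(f"{describe(msg):18s} {msg.text}")
    print("Level = Warning keeps", len(at_least(parsed, 4)), "of", len(parsed), "messages")
```

A useful consequence for the syslog server side: because the facility is a separate number, a collector can route the device's messages to their own file (the "facility identifies a file" remark above) without parsing the free-form text, and the severity filter stays meaningful only if the device and the collector agree on the Table 55 codes.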
14.2 The System Log Screen
Export or email the system logs. You can filter the entries by clicking the Level and/or Category drop-down
list boxes. Click System Monitor > Log to open the System Log screen.
Figure 99 System Monitor > Log > System Log
The following table describes the fields in this screen.
Table 56 System Monitor > Log > System Log
LABEL DESCRIPTION
Level: Select a severity level from the drop-down list box. This filters search results according to the
severity level you have selected. When you select a severity, the Zyxel Device searches through
all logs of that severity or higher.
Category: Select the type of logs to display.
Clear Log: Click this to delete all the logs.
Refresh: Click this to renew the log screen.
Export Log: Click this to export the selected log(s).
Email Log Now: Click this to send the log file(s) to the email address you specify in the Maintenance > Logs
Setting screen.
#: This field is a sequential value and is not associated with a specific entry.
Time: This field displays the time the log was recorded.
Facility: The log facility allows you to send logs to different files in the syslog server. Refer to the
documentation of your syslog program for more details.
Level: This field displays the severity level of the log that the device is to send to this syslog server.
Category: This field displays the type of the log.
Messages: This field states the reason for the log.
14.3 The Security Log Screen
View the security-related logs for the categories that you select. You can filter the entries by clicking the
Level and/or Category drop-down list boxes. Click System Monitor > Log > Security Log to open the
following screen.
Figure 100 System Monitor > Log > Security Log
The following table describes the fields in this screen.
Table 57 System Monitor > Log > Security Log
LABEL DESCRIPTION
Level: Select a severity level from the drop-down list box. This filters search results according to the
severity level you have selected. When you select a severity, the Zyxel Device searches through
all logs of that severity or higher.
Category: Select the type of logs to display.
Clear Log: Click this to delete all the logs.
Refresh: Click this to renew the log screen.
Export Log: Click this to export the selected log(s).
Email Log Now: Click this to send the log file(s) to the email address you specify in the Maintenance > Logs
Setting screen.
#: This field is a sequential value and is not associated with a specific entry.
Time: This field displays the time the log was recorded.
Facility: The log facility allows you to send logs to different files in the syslog server. Refer to the
documentation of your syslog program for more details.
Level: This field displays the severity level of the log that the device is to send to this syslog server.
Category: This field displays the type of the log.
Messages: This field states the reason for the log.
Chapter 15 Traffic Status
15.1 Traffic Status Overview
View the network traffic status and statistics of the WAN/LAN interfaces.
15.1.1 What You Can Do in this Chapter
• Use the WAN screen to view the WAN traffic statistics (Section 15.2 on page 133).
• Use the LAN screen to view the LAN traffic statistics (Section 15.3 on page 134).
15.2 The WAN Status Screen
Click System Monitor > Traffic Status to open the WAN screen. The figures in this screen show the number
of bytes received and sent through the Zyxel Device. Detailed information about each interface is
listed in the tables below.
Figure 101 System Monitor > Traffic Status > WAN
The following table describes the fields in this screen.
Table 58 System Monitor > Traffic Status > WAN
LABEL DESCRIPTION
Refresh Interval: Select how often you want the Zyxel Device to update this screen.
Connected Interface: This shows the name of the WAN interface that is currently connected.
Packets Sent
  Data: This indicates the number of transmitted packets on this interface.
  Error: This indicates the number of frames with errors transmitted on this interface.
  Drop: This indicates the number of outgoing packets dropped on this interface.
Packets Received
  Data: This indicates the number of received packets on this interface.
  Error: This indicates the number of frames with errors received on this interface.
  Drop: This indicates the number of received packets dropped on this interface.
Disabled Interface: This shows the name of the WAN interface that is currently disabled.
Packets Sent
  Data: This indicates the number of transmitted packets on this interface.
  Error: This indicates the number of frames with errors transmitted on this interface.
  Drop: This indicates the number of outgoing packets dropped on this interface.
Packets Received
  Data: This indicates the number of received packets on this interface.
  Error: This indicates the number of frames with errors received on this interface.
  Drop: This indicates the number of received packets dropped on this interface.
15.3 The LAN Status Screen
Click System Monitor > Traffic Status > LAN to open the following screen. The figures in this screen show
the number of bytes received and sent from each LAN port and wireless network.
Figure 102 System Monitor > Traffic Status > LAN
The following table describes the fields in this screen.
Table 59 System Monitor > Traffic Status > LAN
LABEL DESCRIPTION
Refresh Interval: Select how often you want the Zyxel Device to update this screen.
Interface: This shows the LAN or WLAN interface.
Bytes Sent: This indicates the number of bytes transmitted on this interface.
Bytes Received: This indicates the number of bytes received on this interface.
Interface: This shows the LAN or WLAN interfaces.
Sent (Packets)
  Data: This indicates the number of transmitted packets on this interface.
  Error: This indicates the number of frames with errors transmitted on this interface.
  Drop: This indicates the number of outgoing packets dropped on this interface.
Received (Packets)
  Data: This indicates the number of received packets on this interface.
  Error: This indicates the number of frames with errors received on this interface.
  Drop: This indicates the number of received packets dropped on this interface.
Chapter 16 ARP Table
16.1 ARP Table Overview
Address Resolution Protocol (ARP) is a protocol for mapping an Internet Protocol address (IP address) to
a physical machine address, also known as a Media Access Control or MAC address, on the local area
network.
An IP (version 4) address is 32 bits long. In an Ethernet LAN, MAC addresses are 48 bits long. The ARP
table maintains an association between each MAC address and its corresponding IP address.
16.1.1 How ARP Works
When an incoming packet destined for a host device on a local area network arrives at the device, the
device's ARP program looks in the ARP table and, if it finds the address, sends it to the device.
If no entry is found for the IP address, ARP broadcasts the request to all the devices on the LAN. The
device fills in its own MAC and IP address in the sender address fields, and puts the known IP address of
the target in the target IP address field. In addition, the device puts all ones in the target MAC field
(FF.FF.FF.FF.FF.FF is the Ethernet broadcast address). The replying device (which is either the IP address of
the device being sought or the router that knows the way) replaces the broadcast address with the
target's MAC address, swaps the sender and target pairs, and unicasts the answer directly back to the
requesting machine. ARP updates the ARP table for future reference and then sends the packet to the
MAC address that replied.
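The request/reply exchange described above, carried through in an added Python example (not Zyxel's implementation and not part of this guide): it packs the 28-byte Ethernet/IPv4 ARP header, broadcasts a request with the all-ones target MAC when the table has no entry, lets the owning host swap the sender and target pairs into a unicast reply, and updates the requester's table only for addresses it actually asked about, so a reply nobody requested leaves the table alone. The MAC addresses, IP addresses and class names are constructed for the example.

```python
import ipaddress
import struct
from typing import Dict, Optional, Set

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ARP_REQUEST, ARP_REPLY = 1, 2
# hw type, proto type, hw len, proto len, opcode, sender MAC, sender IP, target MAC, target IP
_HDR = struct.Struct("!HHBBH6s4s6s4s")


def mac_bytes(mac: str) -> bytes:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-..., or the guide's FF.FF.FF.FF.FF.FF spelling."""
    return bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(op: int, sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Serialise one ARP packet for Ethernet (hw type 1) carrying IPv4 (0x0800)."""
    return _HDR.pack(1, 0x0800, 6, 4, op,
                     mac_bytes(sender_mac), ipaddress.IPv4Address(sender_ip).packed,
                     mac_bytes(target_mac), ipaddress.IPv4Address(target_ip).packed)


def parse_arp(pkt: bytes) -> dict:
    hw, proto, hlen, plen, op, sha, spa, tha, tpa = _HDR.unpack(pkt[:_HDR.size])
    if (hw, proto, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": op,
            "sender_mac": mac_str(sha), "sender_ip": str(ipaddress.IPv4Address(spa)),
            "target_mac": mac_str(tha), "target_ip": str(ipaddress.IPv4Address(tpa))}


class ArpTable:
    """One host's IPv4-to-MAC table, the data System Monitor > ARP Table displays."""

    def __init__(self, my_mac: str, my_ip: str):
        self.my_mac, self.my_ip = my_mac, my_ip
        self.entries: Dict[str, str] = {}
        self._pending: Set[str] = set()   # IPs we have asked about and await a reply for

    def lookup(self, ip: str) -> Optional[str]:
        return self.entries.get(ip)

    def request_for(self, ip: str) -> bytes:
        """No entry: broadcast, with our own MAC/IP as sender and all ones as target MAC."""
        self._pending.add(ip)
        return build_arp(ARP_REQUEST, self.my_mac, self.my_ip, BROADCAST_MAC, ip)

    def answer(self, request: bytes) -> Optional[bytes]:
        """What the owner of the target IP does: swap the pairs and unicast a reply."""
        req = parse_arp(request)
        if req["op"] != ARP_REQUEST or req["target_ip"] != self.my_ip:
            return None
        self.entries[req["sender_ip"]] = req["sender_mac"]   # the requester is now known too
        return build_arp(ARP_REPLY, self.my_mac, self.my_ip, req["sender_mac"], req["sender_ip"])

    def handle_reply(self, reply: bytes) -> Optional[str]:
        """Learn from a reply only if it answers a request we sent; otherwise ignore it."""
        rep = parse_arp(reply)
        if (rep["op"] != ARP_REPLY or rep["target_ip"] != self.my_ip
                or rep["sender_ip"] not in self._pending):
            return None
        self._pending.discard(rep["sender_ip"])
        self.entries[rep["sender_ip"]] = rep["sender_mac"]
        return rep["sender_mac"]


if __name__ == "__main__":
    router = ArpTable("00:11:22:33:44:55", "192.168.1.1")     # constructed addresses
    host = ArpTable("66:77:88:99:aa:bb", "192.168.1.33")
    req = router.request_for("192.168.1.33")
    rep = host.answer(req)
    print("router learnt", router.handle_reply(rep), "for 192.168.1.33")
    print("router table:", router.entries)
```

The pending-request check is the example's own choice rather than something the guide states: it illustrates why an ARP table entry should change only in response to traffic the device itself initiated, which is also what makes a later unexpected change of the MAC shown for an IP in the ARP Table screen worth a second look.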
16.2 ARP Table Screen
Use the ARP table to view the IPv4-to-MAC address mapping(s) for the LAN. The neighbor table shows
the IPv6-to-MAC address mapping(s) of each neighbor. To open this screen, click System Monitor > ARP
Table.
Figure 103 System Monitor > ARP Table
The following table describes the labels in this screen.
Table 60 System Monitor > ARP Table
LABEL DESCRIPTION
#: This is the ARP table entry number.
IPv4/IPv6 Address: This is the learned IPv4 or IPv6 IP address of a device connected to a port.
MAC Address: This is the MAC address of the device with the listed IP address.
Device: This is the type of interface used by the device. You can click the device type to go to its
configuration screen.
Chapter 17 Routing Table
17.1 Routing Table Overview
Routing is based on the destination address only and the Zyxel Device takes the shortest path to forward
a packet.
17.2 The Routing Table Screen
The table below shows IPv4 and IPv6 routing information. The destination can be a network or host. The
IPv4 subnet mask is ‘255.255.255.255’ for a host destination and ‘0.0.0.0’ for the default route. The
gateway address is written as ‘*’ (IPv4) / ‘::’ (IPv6) if none is set. Flags can be U - up, ! - reject, G - gateway,
C - cache, H - host, R - reinstate, D - dynamic (redirect), or M - modified (redirect). Metric is the distance
to the target (usually counted in hops). Interface is how the packets for this route will be sent.
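How the columns of the routing table screen are used to pick a route, as an added Python example (not the device's forwarding code and not part of this guide): each entry carries the destination network, the gateway (shown as ‘*’ or ‘::’ when none is set), the flags, the metric and the interface; a lookup considers only the destination address, keeps the entries whose prefix contains it, and prefers the longest prefix, using the lowest metric to break ties. The example models only the U, G and H flags and treats "shortest path" as longest prefix then lowest metric, which is the example's own reading of that phrase. The sample table uses constructed addresses from the documentation ranges.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass
class Route:
    destination: Net
    gateway: str        # "*" (IPv4) or "::" (IPv6) when no gateway is set, as the screen shows
    flags: str          # U up, G via gateway, H host route
    metric: int         # distance to the target, usually hops
    interface: str      # where packets for this route are sent


def make_route(dest: str, gateway: Optional[str], metric: int, interface: str) -> Route:
    """Build one entry and derive the flag letters the screen would display for it."""
    net = ipaddress.ip_network(dest, strict=False)
    flags = "U"
    if gateway:
        flags += "G"
    if net.prefixlen == net.max_prefixlen:   # /32 or /128: a host destination
        flags += "H"
    shown_gw = gateway or ("*" if net.version == 4 else "::")
    return Route(net, shown_gw, flags, metric, interface)


def subnet_mask(route: Route) -> str:
    """IPv4 mask column: 255.255.255.255 for a host route, 0.0.0.0 for the default route."""
    return str(route.destination.netmask)


def lookup(table: List[Route], destination: str) -> Optional[Route]:
    """Destination-only forwarding decision: longest matching prefix, then lowest metric."""
    addr = ipaddress.ip_address(destination)
    candidates = [r for r in table
                  if r.destination.version == addr.version and addr in r.destination]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.destination.prefixlen, -r.metric))


# Constructed sample table (documentation address ranges), not a capture from a device.
SAMPLE_TABLE = [
    make_route("0.0.0.0/0", "203.0.113.1", 0, "wan"),          # default route
    make_route("192.168.1.0/24", None, 0, "br0"),             # directly connected LAN
    make_route("192.168.1.50/32", None, 0, "br0"),            # host route
    make_route("10.0.0.0/8", "192.168.1.254", 10, "br0"),      # two paths, different metrics
    make_route("10.0.0.0/8", "192.168.1.253", 5, "br0"),
    make_route("::/0", "2001:db8::1", 0, "wan"),               # IPv6 default route
]

if __name__ == "__main__":
    for dest in ("192.168.1.50", "192.168.1.51", "10.1.2.3", "8.8.8.8", "2001:db8:1::5"):
        r = lookup(SAMPLE_TABLE, dest)
        print(f"{dest:15s} -> {r.destination} via {r.gateway:15s} flags={r.flags} "
              f"metric={r.metric} dev {r.interface}")
```

Because the decision never looks at the source address, a default route with the G flag silently absorbs every destination the more specific entries do not cover, which is why an unexpected gateway or interface on the ‘0.0.0.0’ row of this screen deserves attention before anything else.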