ZyXEL P1 User Manual

ZyWALL P1
Internet Security Appliance
User’s Guide
Version 3.64
8/2005
ZyWALL P1 User’s Guide

Copyright

The contents of this publication may not be reproduced in any part or as a whole, transcribed, stored in a retrieval system, translated into any language, or transmitted in any form or by any means, electronic, mechanical, magnetic, optical, chemical, photocopying, manual, or otherwise, without the prior written permission of ZyXEL Communications Corporation.
Published by ZyXEL Communications Corporation. All rights reserved.
Disclaimer
ZyXEL does not assume any liability arising out of the application or use of any products, or software described herein. Neither does it convey any license under its patent rights nor the patent rights of others. ZyXEL further reserves the right to make changes in any products described herein without notice. This publication is subject to change without notice.
Trademarks
ZyNOS (ZyXEL Network Operating System) is a registered trademark of ZyXEL Communications, Inc. Other trademarks mentioned in this publication are used for identification purposes only and may be properties of their respective owners.
Federal Communications Commission (FCC) Interference Statement
This device complies with Part 15 of FCC rules. Operation is subject to the following two conditions:
• This device may not cause harmful interference.
• This device must accept any interference received, including interference that may cause undesired operations.
This equipment has been tested and found to comply with the limits for a Class B digital device pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy, and if not installed and used in accordance with the instructions, may cause harmful interference to radio communications.
If this equipment does cause harmful interference to radio/television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:
• Reorient or relocate the receiving antenna.
• Increase the separation between the equipment and the receiver.
• Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.
• Consult the dealer or an experienced radio/TV technician for help.
Notice 1
Changes or modifications not expressly approved by the party responsible for compliance could void the user's authority to operate the equipment.
Certifications
1 Go to www.zyxel.com
2 Select your product from the drop-down list box on the ZyXEL home page to go to that product's page.
3 Select the certification you wish to view from this page.


Safety Warnings

For your safety, be sure to read and follow all warning notices and instructions.
• To reduce the risk of fire, use only No. 26 AWG (American Wire Gauge) or larger telecommunication line cord.
• Do NOT open the device or unit. Opening or removing covers can expose you to dangerous high voltage points or other risks. ONLY qualified service personnel can service the device. Please contact your vendor for further information.
• Use ONLY the dedicated power supply for your device. Connect the power cord or power adaptor to the right supply voltage (110V AC in North America or 230V AC in Europe).
• Do NOT use the device if the power supply is damaged as it might cause electrocution.
• If the power supply is damaged, remove it from the power outlet.
• Do NOT attempt to repair the power supply. Contact your local vendor to order a new power supply.
• Place connecting cables carefully so that no one will step on them or stumble over them. Do NOT allow anything to rest on the power cord and do NOT locate the product where anyone can walk on the power cord.
• If you wall mount your device, make sure that no electrical, gas or water pipes will be damaged.
• Do NOT install nor use your device during a thunderstorm. There may be a remote risk of electric shock from lightning.
• Do NOT expose your device to dampness, dust or corrosive liquids.
• Do NOT use this product near water, for example, in a wet basement or near a swimming pool.
• Make sure to connect the cables to the correct ports.
• Do NOT obstruct the device ventilation slots, as insufficient airflow may harm your device.
• Do NOT store things on the device.
• Connect ONLY suitable accessories to the device.
ZyXEL Limited Warranty

ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials or workmanship for a period of up to two years from the date of purchase. During the warranty period, and upon proof of purchase, should the product have indications of failure due to faulty workmanship and/or materials, ZyXEL will, at its discretion, repair or replace the defective products or components without charge for either parts or labor, and to whatever extent it shall deem necessary to restore the product or components to proper operating condition. Any replacement will consist of a new or re-manufactured functionally equivalent product of equal value, and will be solely at the discretion of ZyXEL. This warranty shall not apply if the product is modified, misused, tampered with, damaged by an act of God, or subjected to abnormal working conditions.
Note
Repair or replacement, as provided under this warranty, is the exclusive remedy of the purchaser. This warranty is in lieu of all other warranties, express or implied, including any implied warranty of merchantability or fitness for a particular use or purpose. ZyXEL shall in no event be held liable for indirect or consequential damages of any kind of character to the purchaser.
To obtain the services of this warranty, contact ZyXEL's Service Center for your Return Material Authorization number (RMA). Products must be returned Postage Prepaid. It is recommended that the unit be insured when shipped. Any returned products without proof of purchase or those with an out-dated warranty will be repaired or replaced (at the discretion of ZyXEL) and the customer will be billed for parts and labor. All repaired or replaced products will be shipped by ZyXEL to the corresponding return address, Postage Paid. This warranty gives you specific legal rights, and you may also have other rights that vary from country to country.
Customer Support

Please have the following information ready when you contact customer support.
• Product model and serial number.
• Warranty Information.
• Date that you received your device.
• Brief description of the problem and the steps you took to solve it.

CORPORATE HEADQUARTERS (WORLDWIDE)
Support e-mail: support@zyxel.com.tw
Sales e-mail: sales@zyxel.com.tw
Telephone (a): +886-3-578-3942
Fax: +886-3-578-2439
Web site: www.zyxel.com, www.europe.zyxel.com
FTP site: ftp.zyxel.com, ftp.europe.zyxel.com
Regular mail: ZyXEL Communications Corp., 6 Innovation Road II, Science Park, Hsinchu 300, Taiwan

CZECH REPUBLIC
Support e-mail: info@cz.zyxel.com
Sales e-mail: info@cz.zyxel.com
Telephone (a): +420 241 091 350
Fax: +420 241 091 359
Web site: www.zyxel.cz
Regular mail: ZyXEL Communications Czech s.r.o., Modranská 621, 143 01 Praha 4 - Modrany, Ceská Republika

DENMARK
Support e-mail: support@zyxel.dk
Sales e-mail: sales@zyxel.dk
Telephone (a): +45 39 55 07 00
Fax: +45 39 55 07 07
Web site: www.zyxel.dk
Regular mail: ZyXEL Communications A/S, Columbusvej 5, 2860 Soeborg, Denmark

FINLAND
Support e-mail: support@zyxel.fi
Sales e-mail: sales@zyxel.fi
Telephone (a): +358-9-4780-8411
Fax: +358-9-4780 8448
Web site: www.zyxel.fi
Regular mail: ZyXEL Communications Oy, Malminkaari 10, 00700 Helsinki, Finland

FRANCE
Support e-mail: info@zyxel.fr
Telephone (a): +33 (0)4 72 52 97 97
Fax: +33 (0)4 72 52 19 20
Web site: www.zyxel.fr
Regular mail: ZyXEL France, 1 rue des Vergers, Bat. 1 / C, 69760 Limonest, France

GERMANY
Support e-mail: support@zyxel.de
Sales e-mail: sales@zyxel.de
Telephone (a): +49-2405-6909-0
Fax: +49-2405-6909-99
Web site: www.zyxel.de
Regular mail: ZyXEL Deutschland GmbH., Adenauerstr. 20/A2, D-52146 Wuerselen, Germany

NORTH AMERICA
Support e-mail: support@zyxel.com
Sales e-mail: sales@zyxel.com
Telephone (a): +1-800-255-4101, +1-714-632-0882
Fax: +1-714-632-0858
Web site: www.us.zyxel.com
FTP site: ftp.us.zyxel.com
Regular mail: ZyXEL Communications Inc., 1130 N. Miller St., Anaheim, CA 92806-2001, U.S.A.

NORWAY
Support e-mail: support@zyxel.no
Sales e-mail: sales@zyxel.no
Telephone (a): +47 22 80 61 80
Fax: +47 22 80 61 81
Web site: www.zyxel.no
Regular mail: ZyXEL Communications A/S, Nils Hansens vei 13, 0667 Oslo, Norway

SPAIN
Support e-mail: support@zyxel.es
Sales e-mail: sales@zyxel.es
Telephone (a): +34 902 195 420
Fax: +34 913 005 345
Web site: www.zyxel.es
Regular mail: ZyXEL Communications, Alejandro Villegas 33 1º, 28043 Madrid, Spain

SWEDEN
Support e-mail: support@zyxel.se
Sales e-mail: sales@zyxel.se
Telephone (a): +46 31 744 7700
Fax: +46 31 744 7701
Web site: www.zyxel.se
Regular mail: ZyXEL Communications A/S, Sjöporten 4, 41764 Göteborg, Sweden

UNITED KINGDOM
Support e-mail: support@zyxel.co.uk
Sales e-mail: sales@zyxel.co.uk
Telephone (a): +44 (0) 1344 303044, 08707 555779 (UK only)
Fax: +44 (0) 1344 303034
Web site: www.zyxel.co.uk
FTP site: ftp.zyxel.co.uk
Regular mail: ZyXEL Communications UK Ltd., 11 The Courtyard, Eastern Road, Bracknell, Berkshire, RG12 2XB, United Kingdom (UK)

a. “+” is the (prefix) number you enter to make an international telephone call.

Table of Contents

Copyright ..................................................................................................................1
Federal Communications Commission (FCC) Interference Statement ............... 2
Safety Warnings ....................................................................................................... 3
ZyXEL Limited Warranty.......................................................................................... 4
Customer Support.................................................................................................... 6
Preface ....................................................................................................................29
Chapter 1
Getting to Know Your ZyWALL ............................................................................. 31
1.1 Overview ............................................................................................................31
1.2 ZyWALL Features ..............................................................................................31
1.2.1 Physical Features .....................................................................................31
1.2.2 Non-Physical Features .............................................................................32
1.3 Applications ........................................................................................................35
1.3.1 Secure Network Access for Telecommuters .............................................35
1.3.2 LAN Network Protection ..........................................................................35
1.4 ZyWALL Hardware Connection ..........................................................................36
1.5 Front Panel LED .................................................................................................36
Chapter 2
Introducing the Web Configurator........................................................................ 39
2.1 Overview ............................................................................................................39
2.2 Accessing the Web Configurator ........................................................................39
2.3 Resetting the ZyWALL .......................................................................................41
2.3.1 Procedure to Use the Reset Button ..........................................................42
2.4 Navigating the Web Configurator .......................................................................42
2.4.1 The HOME Screen ...................................................................................42
2.4.2 Navigation Panel .......................................................................................44
2.4.3 System Statistics .......................................................................................46
2.4.4 DHCP Table Screen .................................................................................47
2.4.5 VPN Status ...............................................................................................48
Chapter 3
Wizard Setup .......................................................................................................... 51
3.1 Overview ............................................................................................................51
3.2 Internet Access Wizard Setup ...........................................................................51
3.2.1 ISP Parameters ........................................................................................51
3.2.2 WAN and DNS ..........................................................................................51
3.2.2.1 WAN IP Address Assignment ..........................................................51
3.2.2.2 IP Address and Subnet Mask ..........................................................52
3.2.2.3 DNS Server Address Assignment ...................................................52
3.2.2.4 Ethernet ...........................................................................................53
3.2.2.5 PPPoE Encapsulation .....................................................................54
3.2.2.6 PPTP Encapsulation .......................................................................56
3.2.3 Internet Access Wizard Setup Complete ..................................................58
3.3 VPN Wizard Setup .............................................................................................58
3.3.1 IPSec ........................................................................................................59
3.3.2 Security Association .................................................................................59
3.3.3 My IP Address ..........................................................................................59
3.3.4 Secure Gateway Address .........................................................................59
3.3.4.1 Dynamic Secure Gateway Address ................................................59
3.3.5 VPN Wizard: Gateway Policy Setting .......................................................59
3.3.6 VPN Wizard: Network Setting ...................................................................60
3.3.7 IKE Phases ...............................................................................................62
3.3.7.1 Negotiation Mode ............................................................................63
3.3.7.2 Pre-Shared Key ...............................................................................63
3.3.7.3 Diffie-Hellman (DH) Key Groups .....................................................63
3.3.7.4 Perfect Forward Secrecy (PFS) .....................................................64
3.4 IPSec Algorithms ................................................................................................64
3.4.1 AH (Authentication Header) Protocol ........................................................64
3.4.2 ESP (Encapsulating Security Payload) Protocol ......................................64
3.4.3 IKE Tunnel Setting (IKE Phase 1) ............................................................66
3.4.4 IPSec Setting (IKE Phase 2) .....................................................................67
3.4.5 VPN Status Summary ...............................................................................68
3.4.6 VPN Wizard Setup Complete ...................................................................70
Chapter 4
LAN Screens........................................................................................................... 73
4.1 LAN Overview ....................................................................................................73
4.2 DHCP Setup .......................................................................................................73
4.2.1 IP Pool Setup ............................................................................................73
4.2.2 DNS Servers .............................................................................................73
4.3 LAN TCP/IP ........................................................................................................74
4.3.1 Factory LAN Defaults ................................................................................74
4.3.2 IP Address and Subnet Mask ...................................................................74
4.3.3 RIP Setup .................................................................................................74
4.3.4 Multicast ....................................................................................................75
4.4 Configuring LAN .................................................................................................75
4.5 Configuring Static DHCP ....................................................................................77
Chapter 5
WAN Screens.......................................................................................................... 79
5.1 WAN Overview ...................................................................................................79
5.1.1 TCP/IP Priority (Metric) .............................................................................79
5.1.2 WAN MAC Address ..................................................................................79
5.2 WAN Route Setup ..............................................................................................79
5.3 Configuring WAN Setup .....................................................................................80
5.3.1 Ethernet Encapsulation .............................................................................80
5.3.2 PPPoE Encapsulation ...............................................................................83
5.3.3 PPTP Encapsulation .................................................................................85
5.4 Dynamic DNS .....................................................................................................87
5.4.1 DYNDNS Wildcard ....................................................................................87
5.4.2 Configuring Dynamic DNS ........................................................................88
Chapter 6
Firewalls.................................................................................................................. 91
6.1 Firewall Overview ...............................................................................................91
6.2 Types of Firewalls ..............................................................................................91
6.2.1 Packet Filtering Firewalls ..........................................................................91
6.2.2 Application-level Firewalls ........................................................................91
6.2.3 Stateful Inspection Firewalls .....................................................................92
6.3 Introduction to ZyXEL’s Firewall .........................................................................92
6.4 Denial of Service ................................................................................................93
6.4.1 Basics .......................................................................................................93
6.4.2 Types of DoS Attacks ...............................................................................94
6.4.2.1 ICMP Vulnerability ..........................................................................96
6.4.2.2 Illegal Commands (NetBIOS and SMTP) ........................................96
6.4.2.3 Traceroute .......................................................................................97
6.5 Stateful Inspection ..............................................................................................97
6.5.1 Stateful Inspection Process ......................................................................98
6.5.2 Stateful Inspection and the ZyWALL .........................................................99
6.5.3 TCP Security .............................................................................................99
6.5.4 UDP/ICMP Security ................................................................................100
6.5.5 Upper Layer Protocols ............................................................................100
6.6 Guidelines For Enhancing Security With Your Firewall ....................................101
6.7 Packet Filtering Vs Firewall ..............................................................................101
6.7.1 Packet Filtering: ......................................................................................101
6.7.1.1 When To Use Filtering ...................................................................101
6.7.2 Firewall ...................................................................................................102
6.7.2.1 When To Use The Firewall ............................................................102
Chapter 7
Firewall Screens................................................................................................... 103
7.1 Access Methods ...............................................................................................103
7.2 Firewall Policies Overview ...............................................................................103
7.3 Rule Logic Overview ........................................................................................104
7.3.1 Rule Checklist .........................................................................................104
7.3.2 Security Ramifications ............................................................................104
7.3.3 Key Fields For Configuring Rules ...........................................................105
7.3.3.1 Action ............................................................................................105
7.3.3.2 Service ..........................................................................................105
7.3.3.3 Source Address .............................................................................105
7.3.3.4 Destination Address ......................................................................105
7.4 Connection Direction Examples .......................................................................105
7.4.1 LAN To WAN Rules ................................................................................106
7.4.2 WAN To LAN Rules ................................................................................106
7.5 Alerts ................................................................................................................106
7.6 Configuring Firewall .........................................................................................107
7.6.1 Rule Summary ........................................................................................107
7.6.2 Configuring Firewall Rules ......................................................................109
7.6.3 Configuring Custom Services ................................................................. 112
7.7 Example Firewall Rule ..................................................................................... 112
7.8 Predefined Services .........................................................................................116
7.9 Anti-Probing ..................................................................................................... 118
7.10 Configuring Attack Alert ................................................................................. 119
7.10.1 Threshold Values ..................................................................................120
7.10.2 Half-Open Sessions ..............................................................................120
7.10.2.1 TCP Maximum Incomplete and Blocking Time ...........................120
Chapter 8
Introduction to IPSec ........................................................................................... 123
8.1 VPN Overview ..................................................................................................123
8.1.1 IPSec ......................................................................................................123
8.1.2 Security Association ...............................................................................123
8.1.3 Other Terminology ..................................................................................123
8.1.3.1 Encryption .....................................................................................123
8.1.3.2 Data Confidentiality .......................................................................124
8.1.3.3 Data Integrity .................................................................................124
8.1.3.4 Data Origin Authentication ............................................................124
8.1.4 VPN Applications ....................................................................................124
8.1.4.1 Linking Two or More Private Networks Together ...........................124
8.1.4.2 Accessing Network Resources When NAT Is Enabled .................124
8.1.4.3 Unsupported IP Applications .........................................................124
8.2 IPSec Architecture ...........................................................................................125
8.2.1 IPSec Algorithms ....................................................................................125
8.2.2 Key Management ....................................................................................125
8.3 Encapsulation ...................................................................................................125
8.3.1 Transport Mode ......................................................................................126
8.3.2 Tunnel Mode ...........................................................................................126
8.4 IPSec and NAT .................................................................................................126
Chapter 9
VPN Screens......................................................................................................... 129
9.1 VPN/IPSec Overview .......................................................................................129
9.2 IPSec Algorithms ..............................................................................................129
9.2.1 AH (Authentication Header) Protocol ......................................................129
9.2.2 ESP (Encapsulating Security Payload) Protocol ....................................129
9.3 My ZyWALL ......................................................................................................130
9.4 Secure Gateway Address ................................................................................130
9.4.1 Dynamic Secure Gateway Address ........................................................131
9.4.2 Nailed Up ................................................................................................131
9.5 NAT Traversal ..................................................................................................131
9.5.1 NAT Traversal Configuration ...................................................................132
9.5.2 X-Auth (Extended Authentication) ..........................................................132
9.5.3 Authentication Server .............................................................................132
9.6 ID Type and Content ........................................................................................133
9.6.1 ID Type and Content Examples ..............................................................134
9.7 Pre-Shared Key ................................................................................................134
9.8 IKE VPN Rule Summary Screen ......................................................................135
9.8.1 Configuring an IKE VPN Rule .................................................................135
9.8.2 Configuring an IKE VPN Policy ...............................................................140
9.8.2.1 Activating a VPN Connection ........................................................144
9.9 Viewing SA Monitor ..........................................................................................144
9.10 Configuring Global Setting .............................................................................145
9.11 Telecommuter VPN/IPSec Examples .............................................................146
9.11.1 Telecommuters Sharing One VPN Rule Example .................................147
9.11.2 Telecommuters Using Unique VPN Rules Example .............................147
9.12 VPN and Remote Management .....................................................................149
Chapter 10
Certificates............................................................................................................ 151
10.1 Certificates Overview .....................................................................................151
10.1.1 Advantages of Certificates ....................................................................152
10.2 Self-signed Certificates ..................................................................................152
Table of Contents 13
Page 15
ZyWALL P1 User’s Guide
10.3 Configuration Summary .................................................................................152
10.4 My Certificates ...............................................................................................152
10.5 Certificate File Formats ..................................................................................154
10.6 Importing a Certificate ....................................................................................155
10.7 Creating a Certificate .....................................................................................156
10.8 My Certificate Details .....................................................................................158
10.9 Trusted CAs ...................................................................................................161
10.10 Importing a Trusted CA’s Certificate .............................................................163
10.11 Trusted CA Certificate Details ......................................................................164
10.12 Trusted Remote Hosts .................................................................................167
10.13 Verifying a Trusted Remote Host’s Certificate ..............................................169
10.13.1 Trusted Remote Host Certificate Fingerprints .....................................169
10.14 Importing a Trusted Remote Host’s Certificate ............................................170
10.15 Trusted Remote Host Certificate Details ......................................................171
10.16 Directory Servers .........................................................................................174
10.17 Add or Edit a Directory Server .....................................................................175
Chapter 11
Network Address Translation (NAT) ................................................................... 177
11.1 NAT Overview .................................................................................................177
11.1.1 NAT Definitions .....................................................................................177
11.1.2 What NAT Does ....................................................................................178
11.1.3 How NAT Works ....................................................................................178
11.1.4 NAT Mapping Types ..............................................................................178
11.2 Using NAT ......................................................................................................179
11.2.1 SUA (Single User Account) Versus NAT ...............................................180
11.3 Configuring NAT Overview .............................................................................180
11.4 Port Forwarding ..............................................................................................181
11.4.1 Default Server IP Address ....................................................................181
11.4.2 Port Forwarding: Services and Port Numbers ......................................181
11.4.3 Configuring Servers Behind Port Forwarding (Example) ......................182
11.4.4 Port Translation .....................................................................................183
11.5 Configuring Port Forwarding .........................................................................183
11.6 Configuring Trigger Port .................................................................................185
Chapter 12
Static Route .......................................................................................................... 187
12.1 Static Route Overview ....................................................................................187
12.2 Configuring IP Static Route ............................................................................187
12.2.1 Configuring a Static Route Entry ...........................................................188
Chapter 13
Remote Management ........................................................................................... 191
13.1 Remote Management Overview .....................................................................191
13.1.1 Remote Management Limitations .........................................................191
13.1.2 Remote Management and NAT ............................................................192
13.1.3 System Timeout ...................................................................................192
13.2 Introduction to HTTPS ....................................................................................192
13.3 Configuring WWW ..........................................................................................193
13.4 HTTPS Example ............................................................................................194
13.4.1 Internet Explorer Warning Messages ...................................................195
13.4.2 Netscape Navigator Warning Messages ...............................................195
13.4.3 Avoiding the Browser Warning Messages ............................................196
13.4.4 Login Screen .........................................................................................197
13.5 SSH Overview ................................................................................................200
13.6 How SSH works .............................................................................................200
13.7 SSH Implementation on the ZyWALL .............................................................201
13.7.1 Requirements for Using SSH ................................................................202
13.8 Configuring SSH ............................................................................................202
13.9 Secure Telnet Using SSH Examples ..............................................................203
13.9.1 Example 1: Microsoft Windows .............................................................203
13.9.2 Example 2: Linux ..................................................................................203
13.10 Secure FTP Using SSH Example ................................................................204
13.11 Telnet ............................................................................................................205
13.12 Configuring TELNET ....................................................................................205
13.13 Configuring FTP ...........................................................................................206
13.14 Configuring SNMP .......................................................................................207
13.14.1 Supported MIBs .................................................................................209
13.14.2 SNMP Traps .......................................................................................209
13.14.3 REMOTE MANAGEMENT: SNMP ......................................................209
13.15 Configuring DNS ..........................................................................................211
13.16 Introducing Vantage CNM ............................................................................211
13.17 Configuring CNM ..........................................................................................212
Chapter 14
UPnP...................................................................................................................... 215
14.1 Universal Plug and Play Overview .................................................................215
14.1.1 How Do I Know If I'm Using UPnP? ......................................................215
14.1.2 NAT Traversal .......................................................................................215
14.1.3 Cautions with UPnP ..............................................................................215
14.2 UPnP and ZyXEL ...........................................................................................216
14.3 Configuring UPnP ..........................................................................................216
14.4 Displaying UPnP Port Mapping ......................................................................217
14.5 Installing UPnP in Windows Example ............................................................218
14.5.1 Installing UPnP in Windows Me ............................................................219
14.5.2 Installing UPnP in Windows XP ............................................................220
14.6 Using UPnP in Windows XP Example ...........................................................220
14.6.1 Auto-discover Your UPnP-enabled Network Device .............................221
14.6.2 Web Configurator Easy Access ............................................................223
Chapter 15
Logs Screens........................................................................................................ 225
15.1 Configuring View Log .....................................................................................225
15.2 Log Description Example ...............................................................................226
15.3 Configuring Log Settings ................................................................................227
15.4 Configuring Reports .......................................................................................230
15.4.1 Viewing Web Site Hits ...........................................................................232
15.4.2 Viewing Protocol/Port ...........................................................................232
15.4.3 Viewing LAN IP Address .......................................................................233
15.4.4 Reports Specifications ..........................................................................234
Chapter 16
Maintenance ......................................................................................................... 235
16.1 Maintenance Overview ...................................................................................235
16.1.1 General Setup and System Name ........................................................235
16.1.2 Domain Name .......................................................................................235
16.2 Configuring Password ....................................................................................236
16.3 Pre-defined NTP Time Servers List ................................................................237
16.4 Configuring Time and Date ............................................................................238
16.4.1 Time Server Synchronization ................................................................240
16.5 F/W Upload Screen ........................................................................................241
16.6 Configuration Screen .....................................................................................243
16.6.1 Backup Configuration ...........................................................................244
16.6.2 Restore Configuration ..........................................................................244
16.6.3 Back to Factory Defaults .......................................................................246
16.7 Restart Screen ...............................................................................................246
Chapter 17
Firmware and Configuration File Maintenance ................................................. 249
17.1 Introduction ....................................................................................................249
17.2 Filename Conventions ...................................................................................249
17.3 Backup Configuration .....................................................................................250
17.3.1 Using the FTP Command from the Command Line ..............................250
17.3.2 GUI-based FTP Clients .........................................................................251
17.3.3 File Maintenance Over WAN ................................................................251
17.3.4 Backup Configuration Using TFTP .......................................................252
17.3.5 TFTP Command Example ....................................................................252
17.3.6 GUI-based TFTP Clients ......................................................................253
17.4 Restore Configuration ....................................................................................253
17.4.1 Restore Using FTP ...............................................................................253
17.4.2 Restore Using FTP Session Example ..................................................254
17.5 Uploading Firmware and Configuration Files .................................................254
17.5.1 Firmware File Upload ............................................................................254
17.5.2 FTP File Upload Command from the Command Prompt Example .......254
17.5.3 FTP Session Example of Firmware File Upload ...................................255
17.5.4 TFTP File Upload ..................................................................................255
17.5.5 TFTP Upload Command Example ........................................................256
Chapter 18
Troubleshooting ................................................................................................... 257
18.1 Problems Starting Up the ZyWALL .................................................................257
18.2 Problems Accessing the ZyWALL ..................................................................258
18.2.1 Pop-up Windows, JavaScripts and Java Permissions ..........................258
18.2.1.1 Internet Explorer Pop-up Blockers ..............................................258
18.2.1.2 JavaScripts ..................................................................................261
18.2.1.3 Java Permissions ........................................................................263
18.3 Problems with the LAN Interface ....................................................................265
18.4 Problems with the WAN Interface ..................................................................266
18.5 Problems with Internet Access .......................................................................266
18.6 Problems with the Password ..........................................................................266
18.7 Problems with Remote Management .............................................................267
Appendix A
Setting up Your Computer’s IP Address............................................................ 269
Appendix B
IP Subnetting ........................................................................................................ 281
Appendix C
PPPoE ................................................................................................................... 289
Appendix D
PPTP......................................................................................................................291
Appendix E
Triangle Route ...................................................................................................... 295
Appendix F
SIP Passthrough .................................................................................................. 299
Appendix G
VPN Setup............................................................................................................. 305
Appendix H
Importing Certificates .......................................................................................... 317
Appendix I
Command Interpreter........................................................................................... 329
Appendix J
Firewall Commands ............................................................................................. 331
Appendix K
NetBIOS Filter Commands .................................................................................. 337
Appendix L
Certificates Commands ....................................................................................... 341
Appendix M
Brute-Force Password Guessing Protection..................................................... 345
Appendix N
Log Descriptions.................................................................................................. 347
Index...................................................................................................................... 363

List of Figures

Figure 1 Application: Telecommuters ................................................................................ 35
Figure 2 Application: LAN Network Protection ................................................................... 36
Figure 3 Front Panel: LEDs ................................................................................................ 36
Figure 4 Web Configurator: Initial Screen .......................................................................... 40
Figure 5 Web Configurator: Login Screen ........................................................................... 40
Figure 6 Change Password Screen .................................................................................... 41
Figure 7 Replace Certificate Screen ................................................................................... 41
Figure 8 Web Configurator: HOME ................................................................................... 43
Figure 9 Home : Show Statistics ......................................................................................... 47
Figure 10 Home: DHCP Table ............................................................................................. 48
Figure 11 Home : VPN Status ............................................................................................. 49
Figure 12 Internet Access Wizard: Ethernet Encapsulation ................................................ 53
Figure 13 Internet Access Wizard: PPPoE Encapsulation .................................................. 55
Figure 14 Internet Access Wizard: PPTP Encapsulation .................................................... 57
Figure 15 Internet Access Wizard: Complete ...................................................................... 58
Figure 16 VPN Wizard: Gateway Policy Setting ................................................................. 60
Figure 17 VPN Wizard: Network Setting ............................................................................. 61
Figure 18 Two Phases to Set Up the IPSec SA .................................................................. 62
Figure 19 VPN Wizard: IKE Tunnel Setting ......................................................................... 66
Figure 20 VPN Wizard: IPSec Setting ................................................................................. 67
Figure 21 VPN Wizard: VPN Status .................................................................................... 69
Figure 22 VPN Wizard: Complete ....................................................................................... 71
Figure 23 LAN: LAN ............................................................................................................ 75
Figure 24 LAN: Static DHCP ............................................................................................... 78
Figure 25 WAN: Route ...................................................................................................... 80
Figure 26 WAN: WAN: Ethernet ....................................................................................... 81
Figure 27 WAN: WAN: PPPoE ......................................................................................... 84
Figure 28 WAN: WAN: PPTP ............................................................................................. 86
Figure 29 WAN: DDNS ........................................................................................................ 88
Figure 30 ZyWALL Firewall Application .............................................................................. 93
Figure 31 Three-Way Handshake ....................................................................................... 94
Figure 32 SYN Flood ........................................................................................................... 95
Figure 33 Smurf Attack ....................................................................................................... 96
Figure 34 Stateful Inspection ............................................................................................... 98
Figure 35 LAN to WAN Traffic ............................................................................................. 106
Figure 36 WAN to LAN Traffic ............................................................................................. 106
Figure 37 Firewall: Default Rule ......................................................................................... 107
Figure 38 Firewall: Rule Summary ...................................................................................... 108
Figure 39 Firewall: Creating/Editing A Firewall Rule ........................................................... 110
Figure 40 Firewall: Creating/Editing A Custom Service ...................................................... 112
Figure 41 Firewall Example: Rule Summary ....................................................................... 113
Figure 42 Firewall Example: Rule Edit .............................................................................. 113
Figure 43 Firewall Example: Edit Custom Service ............................................................. 114
Figure 44 Firewall Example: My Service Rule Configuration .............................................. 115
Figure 45 Firewall Example: My Service Example Rule Summary ..................................... 116
Figure 46 Firewall: Anti-Probing .......................................................................................... 119
Figure 47 Firewall: Threshold .............................................................................................. 121
Figure 48 Encryption and Decryption .................................................................................. 124
Figure 49 IPSec Architecture .............................................................................................. 125
Figure 50 Transport and Tunnel Mode IPSec Encapsulation .............................................. 126
Figure 51 NAT Router Between IPSec Routers .................................................................. 132
Figure 52 IPSec Summary Fields ....................................................................................... 135
Figure 53 VPN Rules (IKE) ................................................................................................. 135
Figure 54 VPN Rules (IKE): Gateway Policy .................................................................... 136
Figure 55 VPN Rules (IKE): Network Policy ...................................................................... 141
Figure 56 VPN Rule (IKE): VPN Activation ....................................................................... 144
Figure 57 VPN: SA Monitor ................................................................................................. 145
Figure 58 VPN: Global Setting ............................................................................................ 146
Figure 59 Telecommuters Sharing One VPN Rule Example ............................................... 147
Figure 60 Telecommuters Using Unique VPN Rules Example ......................................... 148
Figure 61 Certificate Configuration Overview ..................................................................... 152
Figure 62 VPN: My Certificates ........................................................................................... 153
Figure 63 Certificate: My Certificate: Import ...................................................................... 155
Figure 64 Certificate: My Certificate: Create ....................................................................... 156
Figure 65 Certificate: My Certificate: Details ...................................................................... 159
Figure 66 Certificates: Trusted CAs .................................................................................... 162
Figure 67 Trusted CA Import ............................................................................................... 163
Figure 68 Certificates: Trusted CA: Details ......................................................................... 165
Figure 69 Certificates: Trusted Remote Hosts .................................................................... 168
Figure 70 Remote Host Certificates .................................................................................... 169
Figure 71 Certificate Details ............................................................................................... 170
Figure 72 Certificates: Trusted Remote Host: Import .......................................................... 171
Figure 73 Certificates: Trusted Remote Host: Details ......................................................... 172
Figure 74 Certificates: Directory Servers ............................................................................ 174
Figure 75 Certificates: Directory Server: Add ...................................................................... 175
Figure 76 How NAT Works .................................................................................................. 178
Figure 77 NAT Overview ..................................................................................................... 180
Figure 78 Multiple Servers Behind NAT Example ............................................................... 182
Figure 79 Port Translation Example .................................................................................... 183
Figure 80 NAT: Port Forwarding .......................................................................................... 184
Figure 81 Trigger Port Forwarding Process: Example ........................................................ 185
Figure 82 NAT: Port Triggering ............................................................................................ 186
Figure 83 Example of Static Routing Topology ................................................................... 187
Figure 84 Static Route .........................................................................................................188
Figure 85 Static Route: Edit .............................................................................................. 189
Figure 86 HTTPS Implementation ....................................................................................... 193
Figure 87 WWW ..................................................................................................................193
Figure 88 Security Alert Dialog Box (Internet Explorer) ...................................................... 195
Figure 89 Security Certificate 1 (Netscape) ........................................................................ 196
Figure 90 Security Certificate 2 (Netscape) ........................................................................ 196
Figure 91 Login Screen (Internet Explorer) ......................................................................... 198
Figure 92 Login Screen (Netscape) .................................................................................... 198
Figure 93 Replace Certificate .............................................................................................. 199
Figure 94 Device-specific Certificate ................................................................................... 199
Figure 95 Common ZyWALL Certificate .............................................................................. 200
Figure 96 SSH Communication Example ............................................................................ 200
Figure 97 How SSH Works ................................................................................................. 201
Figure 98 SSH ..................................................................................................................... 202
Figure 99 SSH Example 1: Store Host Key ......................................................................... 203
Figure 100 SSH Example 2: Test ....................................................................................... 204
Figure 101 SSH Example 2: Log in ..................................................................................... 204
Figure 102 Secure FTP: Firmware Upload Example .......................................................... 205
Figure 103 Telnet Configuration on a TCP/IP Network ....................................................... 205
Figure 104 Telnet ................................................................................................................ 206
Figure 105 FTP ................................................................................................................... 207
Figure 106 SNMP Management Model ............................................................................... 208
Figure 107 SNMP ................................................................................................................210
Figure 108 DNS .................................................................................................................. 211
Figure 109 CNM .................................................................................................................. 212
Figure 110 Configuring UPnP ............................................................................................. 216
Figure 111 UPnP Ports ........................................................................................................ 217
Figure 112 View Log ........................................................................................................... 225
Figure 113 Log Example ................................................................................................... 226
Figure 114 Log Settings ...................................................................................................... 228
Figure 115 Reports .............................................................................................................. 231
Figure 116 Web Site Hits Report Example .......................................................................... 232
Figure 117 Protocol/Port Report Example ........................................................................... 233
Figure 118 LAN IP Address Report Example ...................................................................... 234
Figure 119 General ............................................................................................................236
Figure 120 Password ......................................................................................................... 237
Figure 121 Time and Date ................................................................................................... 238
Figure 122 Synchronization in Process ............................................................................... 240
Figure 123 Synchronization is Successful .......................................................................... 241
Figure 124 Synchronization Fail .......................................................................................... 241
Figure 125 Firmware Upload ............................................................................................... 242
Figure 126 Firmware Upload In Process ............................................................................. 242
Figure 127 Network Temporarily Disconnected .................................................................. 243
Figure 128 Firmware Upload Error ...................................................................................... 243
Figure 129 Configuration ..................................................................................................... 244
Figure 130 Configuration Upload Successful ...................................................................... 245
Figure 131 Network Temporarily Disconnected .................................................................. 245
Figure 132 Configuration Upload Error ............................................................................... 246
Figure 133 Reset Warning Message ................................................................................... 246
Figure 134 Restart Screen .................................................................................................. 247
Figure 135 FTP Session Example ...................................................................................... 251
Figure 136 Restore Using FTP Session Example ............................................................... 254
Figure 137 FTP Session Example of Firmware File Upload ............................................... 255
Figure 138 Pop-up Blocker ................................................................................................. 259
Figure 139 Internet Options ............................................................................................... 259
Figure 140 Internet Options ................................................................................................ 260
Figure 141 Pop-up Blocker Settings ................................................................................... 261
Figure 142 Internet Options ................................................................................................ 262
Figure 143 Security Settings - Java Scripting ..................................................................... 263
Figure 144 Security Settings - Java .................................................................................... 264
Figure 145 Java (Sun) ......................................................................................................... 265
Figure 146 Windows 95/98/Me: Network: Configuration ..................................................... 270
Figure 147 Windows 95/98/Me: TCP/IP Properties: IP Address ......................................... 271
Figure 148 Windows 95/98/Me: TCP/IP Properties: DNS Configuration ............................ 272
Figure 149 Windows XP: Start Menu .................................................................................. 273
Figure 150 Windows XP: Control Panel .............................................................................. 273
Figure 151 Windows XP: Control Panel: Network Connections: Properties ....................... 274
Figure 152 Windows XP: Local Area Connection Properties .............................................. 274
Figure 153 Windows XP: Internet Protocol (TCP/IP) Properties ......................................... 275
Figure 154 Windows XP: Advanced TCP/IP Properties ...................................................... 276
Figure 155 Windows XP: Internet Protocol (TCP/IP) Properties ......................................... 277
Figure 156 Macintosh OS 8/9: Apple Menu ........................................................................ 278
Figure 157 Macintosh OS 8/9: TCP/IP ................................................................................ 278
Figure 158 Macintosh OS X: Apple Menu ........................................................................... 279
Figure 159 Macintosh OS X: Network ................................................................................. 280
Figure 160 Single-Computer per Router Hardware Configuration ...................................... 290
Figure 161 ZyWALL as a PPPoE Client .............................................................................. 290
Figure 162 Transport PPP frames over Ethernet ............................................................... 291
Figure 163 PPTP Protocol Overview .................................................................................. 292
Figure 164 Example Message Exchange between Computer and an ANT ........................ 293
Figure 165 Ideal Setup ........................................................................................................ 295
Figure 166 “Triangle Route” Problem .................................................................................. 296
Figure 167 IP Alias .............................................................................................................. 297
Figure 168 Gateways on the WAN Side .............................................................................. 297
Figure 169 SIP User Agent Server ...................................................................................... 300
Figure 170 SIP Proxy Server .............................................................................................. 301
Figure 171 SIP Redirect Server .......................................................................................... 302
Figure 172 ZyWALL SIP ALG ............................................................................................. 303
Figure 173 VPN Rules ........................................................................................................ 306
Figure 174 Headquarters VPN Rule Edit ............................................................................ 307
Figure 175 Branch Office VPN Rule Edit ............................................................................ 308
Figure 176 VPN Rule Configured ........................................................................................ 309
Figure 177 VPN Dial ........................................................................................................... 309
Figure 178 VPN Tunnel Established ................................................................................... 310
Figure 179 Menu 27: VPN/IPSec Setup .............................................................................. 310
Figure 180 Menu 27.1: IPSec Summary ............................................................................. 311
Figure 181 Headquarters Menu 27.1.1: IPSec Setup ......................................................... 311
Figure 182 Branch Office Menu 27.1.1: IPSec Setup ......................................................... 312
Figure 183 Menu 27.1.1.1: IKE Setup ................................................................................. 313
Figure 184 VPN Log Example ............................................................................................ 314
Figure 185 IKE/IPSec Debug Example .............................................................................. 315
Figure 186 Security Certificate ............................................................................................ 317
Figure 187 Login Screen ..................................................................................................... 318
Figure 188 Certificate General Information before Import ................................................... 318
Figure 189 Certificate Import Wizard 1 ............................................................................... 319
Figure 190 Certificate Import Wizard 2 ............................................................................... 319
Figure 191 Certificate Import Wizard 3 ............................................................................... 320
Figure 192 Root Certificate Store ........................................................................................ 320
Figure 193 Certificate General Information after Import ..................................................... 321
Figure 194 ZyWALL Trusted CA Screen ............................................................................. 322
Figure 195 CA Certificate Example ..................................................................................... 323
Figure 196 Personal Certificate Import Wizard 1 ................................................................ 324
Figure 197 Personal Certificate Import Wizard 2 ................................................................ 324
Figure 198 Personal Certificate Import Wizard 3 ................................................................ 325
Figure 199 Personal Certificate Import Wizard 4 ................................................................ 325
Figure 200 Personal Certificate Import Wizard 5 ................................................................ 326
Figure 201 Personal Certificate Import Wizard 6 ................................................................ 326
Figure 202 Access the ZyWALL Via HTTPS ....................................................................... 326
Figure 203 SSL Client Authentication ................................................................................. 327
Figure 204 ZyWALL Secure Login Screen .......................................................................... 327
Figure 205 Displaying Log Categories Example ................................................................. 361
Figure 206 Displaying Log Parameters Example ................................................................ 361

List of Tables

Table 1 Feature Specifications ........................................................................................... 31
Table 2 Front Panel LEDs .................................................................................................. 37
Table 3 Web Configurator: HOME ...................................................................................... 43
Table 4 Navigation Panel: Menu Summary ........................................................................ 45
Table 5 Home: Show Statistics ........................................................................................... 47
Table 6 Home: DHCP Table ............................................................................................... 48
Table 7 Home: VPN Status ................................................................................................. 49
Table 8 Private IP Address Ranges ................................................................................... 51
Table 9 Internet Access Wizard: Ethernet Encapsulation .................................................. 54
Table 10 Internet Access Wizard: PPPoE Encapsulation .................................................. 55
Table 11 Internet Access Wizard: PPTP Encapsulation ..................................................... 57
Table 12 VPN Wizard: Gateway Policy Setting .................................................................. 60
Table 13 VPN Wizard: Network Setting .............................................................................. 61
Table 14 ESP and AH ........................................................................................................ 65
Table 15 VPN Wizard: IKE Tunnel Setting ......................................................................... 66
Table 16 VPN Wizard: IPSec Setting ................................................................................. 67
Table 17 VPN Wizard: VPN Status ..................................................................................... 69
Table 18 LAN: LAN .............................................................................................................76
Table 19 LAN: Static DHCP ................................................................................................ 78
Table 20 Example of Network Properties for LAN Servers with Fixed IP Addresses ......... 79
Table 21 WAN: Route ......................................................................................................... 80
Table 22 WAN: WAN: Ethernet .......................................................................................... 81
Table 23 WAN: WAN: PPPoE ............................................................................................ 84
Table 24 WAN: WAN: PPTP ............................................................................................... 86
Table 25 WAN: DDNS ........................................................................................................ 88
Table 26 Common IP Ports ................................................................................................ 93
Table 27 ICMP Commands That Trigger Alerts .................................................................. 96
Table 28 Legal NetBIOS Commands ................................................................................. 96
Table 29 Legal SMTP Commands ..................................................................................... 97
Table 30 Firewall: Default Rule .......................................................................................... 107
Table 31 Firewall: Rule Summary ...................................................................................... 108
Table 32 Firewall: Creating/Editing A Firewall Rule ........................................................... 111
Table 33 Firewall: Creating/Editing A Custom Service ....................................................... 112
Table 34 Predefined Services ............................................................................................ 116
Table 35 Firewall: Anti-Probing .......................................................................................... 119
Table 36 Firewall: Threshold .............................................................................................. 121
Table 37 VPN and NAT ...................................................................................................... 127
Table 38 ESP and AH ........................................................................................................ 130
Table 39 Local ID Type and Content Fields ....................................................................... 133
Table 40 Peer ID Type and Content Fields ........................................................................ 133
Table 41 Matching ID Type and Content Configuration Example ....................................... 134
Table 42 Mismatching ID Type and Content Configuration Example ................................. 134
Table 43 VPN Rules (IKE): Gateway Policy ....................................................................... 136
Table 44 VPN Rules (IKE): Add Policy ............................................................................... 141
Table 45 VPN Rule (IKE): VPN Activation .......................................................................... 144
Table 46 SA Monitor ...........................................................................................................145
Table 47 VPN: Global Setting ............................................................................................. 146
Table 48 Telecommuters Sharing One VPN Rule Example ............................................... 147
Table 49 Telecommuters Using Unique VPN Rules Example ............................................ 148
Table 50 Certificate: My Certificates ................................................................................... 153
Table 51 Certificate: My Certificate: Import ........................................................................ 155
Table 52 Certificate: My Certificate: Create ........................................................................ 156
Table 53 Certificate: My Certificate: Details ....................................................................... 160
Table 54 Certificates: Trusted CAs ..................................................................................... 162
Table 55 Certificates: Trusted CA: Import .......................................................................... 164
Table 56 Certificates: Trusted CA: Details .......................................................................... 165
Table 57 Certificates: Trusted Remote Hosts ..................................................................... 168
Table 58 Certificates: Trusted Remote Host: Import .......................................................... 171
Table 59 Certificates: Trusted Remote Host: Details .......................................................... 172
Table 60 Certificates: Directory Servers ............................................................................. 175
Table 61 Certificates: Directory Server: Add ...................................................................... 176
Table 62 NAT Definitions .................................................................................................... 177
Table 63 NAT Mapping Types ..................................................................................... 179
Table 64 NAT Overview ...................................................................................................... 180
Table 65 Services and Port Numbers ................................................................................. 182
Table 66 NAT: Port Forwarding .......................................................................................... 184
Table 67 NAT: Port Triggering ............................................................................................ 186
Table 68 Static Route .........................................................................................................188
Table 69 Static Route: Edit ................................................................................................. 189
Table 70 WWW ..................................................................................................................194
Table 71 SSH ..................................................................................................................... 202
Table 72 Telnet ................................................................................................................... 206
Table 73 FTP ...................................................................................................................... 207
Table 74 SNMP Traps ........................................................................................................ 209
Table 75 SNMP .................................................................................................................. 210
Table 76 DNS ..................................................................................................................... 211
Table 77 CNM .................................................................................................................... 212
Table 78 Configuring UPnP ................................................................................................ 216
Table 79 UPnP Ports .......................................................................................................... 217
Table 80 View Log .............................................................................................................. 226
Table 81 Example Log Description ..................................................................................... 226
Table 82 Log Settings .........................................................................................................229
Table 83 Reports ................................................................................................................ 231
Table 84 Web Site Hits Report ........................................................................................... 232
Table 85 Protocol/Port Report ............................................................................................ 233
Table 86 LAN IP Address Report ....................................................................................... 234
Table 87 Report Specifications ........................................................................................... 234
Table 88 General ................................................................................................................ 236
Table 89 Password .............................................................................................................237
Table 90 Default Time Servers ........................................................................................... 237
Table 91 Time and Date ..................................................................................................... 239
Table 92 Firmware Upload ................................................................................................. 242
Table 93 Restore Configuration .......................................................................................... 244
Table 94 Filename Conventions ......................................................................................... 250
Table 95 General Commands for GUI-based FTP Clients ................................................. 251
Table 96 General Commands for GUI-based TFTP Clients ............................................... 253
Table 97 Troubleshooting the Start-Up of Your ZyWALL .................................................... 257
Table 98 Troubleshooting Accessing the ZyWALL ............................................................. 258
Table 99 Troubleshooting the LAN Interface ...................................................................... 265
Table 100 Troubleshooting the WAN Interface ................................................................... 266
Table 101 Troubleshooting Internet Access ....................................................................... 266
Table 102 Troubleshooting the Password .......................................................................... 266
Table 103 Troubleshooting Telnet ...................................................................................... 267
Table 104 Classes of IP Addresses ................................................................................... 281
Table 105 Allowed IP Address Range By Class ................................................................. 282
Table 106 “Natural” Masks ................................................................................................ 282
Table 107 Alternative Subnet Mask Notation ..................................................................... 283
Table 108 Two Subnets Example ....................................................................................... 283
Table 109 Subnet 1 ............................................................................................................284
Table 110 Subnet 2 ............................................................................................................284
Table 111 Subnet 1 ............................................................................................................. 285
Table 112 Subnet 2 ............................................................................................................285
Table 113 Subnet 3 ............................................................................................................285
Table 114 Subnet 4 ............................................................................................................286
Table 115 Eight Subnets .................................................................................................... 286
Table 116 Class C Subnet Planning ................................................................................... 286
Table 117 Class B Subnet Planning ................................................................................... 287
Table 118 SIP Call Progression .......................................................................................... 299
Table 119 Firewall Commands ........................................................................................... 331
Table 120 NetBIOS Filter Default Settings ......................................................................... 338
Table 121 Certificates Commands ..................................................................................... 341
Table 122 Brute-Force Password Guessing Protection Commands .................................. 345
Table 123 System Maintenance Logs ................................................................................ 347
Table 124 System Error Logs ............................................................................................. 348
Table 125 Access Control Logs .......................................................................................... 348
Table 126 TCP Reset Logs ................................................................................................ 349
Table 127 Packet Filter Logs .............................................................................................. 349
Table 128 ICMP Logs ......................................................................................................... 350
Table 129 CDR Logs .......................................................................................................... 350
Table 130 PPP Logs ........................................................................................................... 350
Table 131 UPnP Logs ........................................................................................................ 351
Table 132 Content Filtering Logs ....................................................................................... 351
Table 133 Attack Logs ........................................................................................................ 352
Table 134 IPSec Logs ........................................................................................................ 353
Table 135 IKE Logs ............................................................................................................353
Table 136 PKI Logs ............................................................................................................356
Table 137 Certificate Path Verification Failure Reason Codes ........................................... 357
Table 138 802.1X Logs ...................................................................................................... 358
Table 139 ACL Setting Notes ............................................................................................. 359
Table 140 ICMP Notes ....................................................................................................... 359
Table 141 Syslog Logs ....................................................................................................... 360
Table 142 RFC-2408 ISAKMP Payload Types ................................................................... 360

Preface

Congratulations on your purchase of the ZyWALL.
Note: Register your product online to receive e-mail notices of firmware upgrades and information at www.zyxel.com for global products, or at www.us.zyxel.com for North American products.
Your ZyWALL is easy to install and configure.
About This User's Guide
This manual is designed to guide you through the configuration of your ZyWALL for its various applications.
Note: Use the web configurator or command interpreter interface (CLI) to configure your ZyWALL. Not all features can be configured through all interfaces.
Related Documentation
• Supporting Disk
Refer to the included CD for support documents.
• Quick Start Guide
The Quick Start Guide is designed to help you get up and running right away. It contains a detailed easy-to-follow connection diagram, default settings, handy checklists and information on setting up your network and configuring for Internet access.
• Web Configurator Online Help
Embedded web help for descriptions of individual screens and supplementary information.
• ZyXEL Glossary and Web Site
Please refer to www.zyxel.com for an online glossary of networking terms and additional support documentation.
User Guide Feedback
Help us help you. E-mail all User Guide-related comments, questions or suggestions for improvement to techwriters@zyxel.com.tw or send regular mail to The Technical Writing Team, ZyXEL Communications Corp., 6 Innovation Road II, Science-Based Industrial Park, Hsinchu, 300, Taiwan. Thank you!
Syntax Conventions
• “Enter” means for you to type one or more characters. “Select” or “Choose” means for you to use one of the predefined choices.
• Mouse action sequences are denoted using a comma. For example, “click the Apple icon, Control Panels and then Modem” means first click the Apple icon, then point your mouse pointer to Control Panels and then click Modem.
• For brevity’s sake, we will use “e.g.,” as a shorthand for “for instance”, and “i.e.,” for “that is” or “in other words” throughout this manual.
• The ZyWALL P1 Internet Security Appliance will be referred to as the ZyWALL in this User’s Guide.
Graphics Icons Key
(Icons not reproduced in this text version.) Icon labels: ZyWALL, Computer, Notebook computer, Server, DSLAM, Firewall, Telephone, Switch, Router, VPN Tunnel.
CHAPTER 1

Getting to Know Your ZyWALL

This chapter introduces the main features and applications of the ZyWALL.

1.1 Overview

Because the ZyWALL can be pre-configured by a network administrator, it makes an ideal plug-and-play security device for telecommuters who are always on the move and need a secure connection to the company network through the Internet.
By integrating NAT, firewall, certificates and VPN capability, ZyXEL’s ZyWALL is a complete security solution that protects your computer. In addition, the embedded web configurator is easy to operate.

1.2 ZyWALL Features

The following sections describe ZyWALL features.
Table 1 Feature Specifications
FEATURE SPECIFICATION
Number of Static Routes 12
Number of NAT Sessions 2048
Number of IPSec VPN Tunnels/Security Associations 1

1.2.1 Physical Features

10/100 Mbps Ethernet LAN and WAN
The Ethernet ports are auto-negotiating and auto-crossover.
An auto-negotiating port can detect and adjust to the optimum Ethernet speed (10/100 Mbps) and duplex mode (full duplex or half duplex) of the connected device.
An auto-crossover (auto-MDI/MDI-X) port automatically works with a straight-through or crossover Ethernet cable.
Time and Date
The ZyWALL allows you to get the current time and date from an external server when you turn on your ZyWALL. You can also set the time manually. The Real Time Chip (RTC) keeps track of the time and date.
Reset Button
Use the reset button to restore the factory default password to 1234; IP address to 192.168.167.1, subnet mask to 255.255.255.0 and DHCP server enabled with a pool of 1 with 192.168.167.33 as the client IP address.

1.2.2 Non-Physical Features

IPSec VPN Capability
Establish a Virtual Private Network (VPN) to connect with business partners and branch offices using data encryption and the Internet to provide secure communications without the expense of leased site-to-site lines. The ZyWALL VPN is based on the IPSec standard and is fully interoperable with other IPSec-based VPN products.
X-Auth (Extended Authentication)
X-Auth provides added security for VPN by requiring a VPN client to use a username and password.
Certificates
The ZyWALL can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. Certificates provide a way to exchange public keys for use in authentication.
SSH
The ZyWALL uses the SSH (Secure Shell) secure communication protocol to provide secure encrypted communication between two hosts over an unsecured network.
HTTPS
HyperText Transfer Protocol over Secure Socket Layer, or HTTP over SSL, is a web protocol that encrypts and decrypts web sessions. Use HTTPS for secure web configurator access to the ZyWALL.
Firewall
The ZyWALL is a stateful inspection firewall with DoS (Denial of Service) protection. By default, when the firewall is activated, all incoming traffic from the WAN to the LAN is blocked unless it is initiated from the LAN. The ZyWALL firewall supports TCP/UDP inspection, DoS detection and prevention, real time alerts, reports and logs.
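The default rule just described (WAN-to-LAN traffic is blocked unless the LAN initiated it) is what stateful inspection means in practice. The following is an added illustration, not ZyXEL code and not the ZyWALL firmware's logic: a small Python model that records LAN-initiated flows and admits a WAN packet only when it is the reply half of such a flow. Interface names, the Packet fields and the sample traffic are constructed for the example; 192.168.167.33 is the manual's default LAN client address and the WAN addresses are from documentation ranges.

```python
# Added example (not ZyXEL code): a small model of the ZyWALL's default
# firewall rule. Traffic initiated from the LAN is allowed and recorded as
# connection state; a packet arriving on the WAN is allowed only if it is the
# return half of a flow the LAN started. Everything else from the WAN is
# dropped and logged. Interface names, packet fields and the sample traffic
# below are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    iface_in: str   # interface the packet arrived on: "LAN" or "WAN"
    proto: str      # "TCP" or "UDP"
    src: str
    sport: int
    dst: str
    dport: int


# A flow is identified by its 5-tuple in the LAN-to-WAN direction.
FlowKey = Tuple[str, str, int, str, int]


class StatefulFirewall:
    """Default rule: block WAN-to-LAN traffic unless the LAN initiated the flow."""

    def __init__(self) -> None:
        self.flows: Dict[FlowKey, str] = {}   # state table of LAN-initiated flows
        self.log: List[str] = []              # drop log, as a firewall log would record

    @staticmethod
    def _key(p: Packet) -> FlowKey:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reply_key(p: Packet) -> FlowKey:
        # A WAN reply has src/dst swapped relative to the LAN-initiated flow.
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def filter(self, p: Packet) -> str:
        if p.iface_in == "LAN":
            # Outbound traffic is allowed and creates state for its replies.
            self.flows[self._key(p)] = "ESTABLISHED"
            return "ALLOW"
        if p.iface_in == "WAN":
            if self._reply_key(p) in self.flows:
                return "ALLOW"          # matches a flow the LAN started
            self.log.append(
                f"DROP unsolicited {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}")
            return "DROP"
        raise ValueError(f"unknown interface {p.iface_in!r}")


# Constructed sample traffic. 192.168.167.33 is the manual's default LAN
# client address; the WAN addresses are documentation ranges (RFC 5737).
SAMPLE_TRAFFIC = [
    Packet("LAN", "TCP", "192.168.167.33", 40000, "203.0.113.10", 80),   # LAN opens HTTP
    Packet("WAN", "TCP", "203.0.113.10", 80, "192.168.167.33", 40000),   # server replies
    Packet("WAN", "TCP", "198.51.100.7", 4444, "192.168.167.33", 445),   # unsolicited inbound
    Packet("WAN", "TCP", "203.0.113.10", 80, "192.168.167.33", 40001),   # no matching flow
]


def run_demo() -> List[str]:
    """Apply the default rule to SAMPLE_TRAFFIC and return the decisions."""
    fw = StatefulFirewall()
    decisions = [fw.filter(p) for p in SAMPLE_TRAFFIC]
    for line in fw.log:
        print(line)
    return decisions


if __name__ == "__main__":
    print(run_demo())   # ['ALLOW', 'ALLOW', 'DROP', 'DROP']
```

The fourth packet shows why state is keyed on the full 5-tuple: a packet from the same server to a port the LAN never used is treated as unsolicited, and both drops are what the firewall log would show.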
Universal Plug and Play (UPnP)
Using the standard TCP/IP protocol, the ZyWALL and other UPnP-enabled devices can dynamically join a network, obtain an IP address and convey their capabilities to other devices on the network.
PPPoE
PPPoE facilitates the interaction of a host with an Internet modem to achieve access to high-speed data networks via a familiar "dial-up networking" user interface.
PPTP Encapsulation
Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables secure transfer of data from a remote client to a private server, creating a Virtual Private Network (VPN) using a TCP/IP-based network.
PPTP supports on-demand, multi-protocol and virtual private networking over public networks, such as the Internet. The ZyWALL supports one PPTP server connection at any given time.
Dynamic DNS Support
With Dynamic DNS (Domain Name System) support, you can have a static hostname alias for a dynamic IP address, allowing the host to be more easily accessible from various locations on the Internet. You must register for this service with a Dynamic DNS service provider.
IP Multicast
Deliver IP packets to a specific group of hosts using IP multicast. IGMP (Internet Group Management Protocol) is the protocol used to support multicast groups. The latest version is version 2 (see RFC 2236); the ZyWALL supports both versions 1 and 2.
Static Route
Static routes tell the ZyWALL routing information that it cannot learn automatically through other means. This can arise in cases where RIP is disabled on the LAN or a remote network is beyond the one that is directly connected to a remote node.
Central Network Management
Central Network Management (CNM) allows an enterprise or service provider network administrator to manage your ZyWALL. The enterprise or service provider network administrator can configure your ZyWALL, perform firmware upgrades and do troubleshooting for you.
SNMP
SNMP (Simple Network Management Protocol) is a protocol used for exchanging management information between network devices. SNMP is a member of the TCP/IP protocol suite. Your ZyWALL supports SNMP agent functionality, which allows a manager station to manage and monitor the ZyWALL through the network. The ZyWALL supports SNMP version one (SNMPv1).
Network Address Translation (NAT)
Network Address Translation (NAT) allows the translation of an Internet protocol address used within one network (for example a private IP address used in a local network) to a different IP address known within another network (for example a public IP address used on the Internet).
Port Forwarding
Use this feature to forward incoming service requests to a server on your local network. You may enter a single port number or a range of port numbers to be forwarded, and the local IP address of the desired server.
DHCP (Dynamic Host Configuration Protocol)
DHCP (Dynamic Host Configuration Protocol) allows the individual client computers to obtain the TCP/IP configuration at start-up from a centralized DHCP server. The ZyWALL has built-in DHCP server capability, enabled by default, which means it can assign IP addresses, an IP default gateway and DNS servers to all systems that support the DHCP client.
Full Network Management
The embedded web configurator is an all-platform web-based utility that allows you to easily access the ZyWALL’s management settings and configure the firewall.
RoadRunner Support
In addition to standard cable modem services, the ZyWALL supports Time Warner’s RoadRunner Service.
Logging and Tracing
• Built-in message logging and packet tracing.
• Unix syslog facility support.
• Firewall logs.
Upgrade ZyWALL Firmware via LAN
The firmware of the ZyWALL can be upgraded via the LAN.
Embedded FTP and TFTP Servers
The ZyWALL’s embedded FTP and TFTP servers enable fast firmware upgrades as well as configuration file backups and restoration.

1.3 Applications

Here are some examples of what you can do with your ZyWALL.

1.3.1 Secure Network Access for Telecommuters

The following figure shows a VPN network example. A telecommuter can simply connect the pre-configured ZyWALL and enter the VPN account information to establish a VPN connection through the Internet to headquarters.
Figure 1 Application: Telecommuters

1.3.2 LAN Network Protection

In most cases, firewalls are deployed to protect the local network (LAN) from attacks originating from the WAN (such as the Internet). However, security outbreaks are possible on the LAN via other means (such as file sharing with removable storage devices). You can use the ZyWALL to provide network security on the LAN.
In the following example, computers in the Sales and Research departments are protected from each other by the ZyWALLs on the LAN.
Figure 2 Application: LAN Network Protection

1.4 ZyWALL Hardware Connection

Refer to the Quick Start Guide for information on hardware connection and basic setup.

1.5 Front Panel LED

The LED and port labels are on the front panel.
Figure 3 Front Panel: LEDs
The following table describes the LEDs.
Table 2 Front Panel LEDs
LED / COLOR / STATUS: DESCRIPTION
PWR / - / Off: The ZyWALL is turned off.
PWR / Green / On: The ZyWALL is turned on.
PWR / Green / Blinking: The ZyWALL is starting.
WAN / - / Off: The WAN connection is not ready, or has failed.
WAN / Green / On: The ZyWALL has a successful 10Mbps WAN connection.
WAN / Green / Blinking: The 10M WAN is sending or receiving packets.
WAN / Amber / On: The ZyWALL has a successful 100Mbps WAN connection.
WAN / Amber / Blinking: The 100M WAN is sending or receiving packets.
VPN / - / Off: The ZyWALL does not have a VPN connection.
VPN / Green / On: The ZyWALL has a successful VPN connection.
VPN / Green / Blinking: The ZyWALL is receiving or sending data through the VPN connection.
Managed / - / Off: The ZyWALL does not have a CNM connection.
Managed / Green / On: The ZyWALL has a successful CNM connection.
Managed / Green / Blinking: The ZyWALL is receiving or sending data using CNM.
LAN / - / Off: The LAN is not connected.
LAN / Green / On: The ZyWALL has a successful 10Mbps LAN connection.
LAN / Green / Blinking: The 10M LAN is sending or receiving packets.
LAN / Amber / On: The ZyWALL has a successful 100Mbps LAN connection.
LAN / Amber / Blinking: The 100M LAN is sending or receiving packets.
CHAPTER 2
Introducing the Web Configurator

This chapter describes how to access the ZyWALL web configurator and provides an overview of its screens.

2.1 Overview

The web configurator is an HTML-based management interface that allows easy ZyWALL setup and management via Internet browser. Use Internet Explorer 6.0 and later or Netscape Navigator 7.0 and later versions. The recommended screen resolution is 1024 by 768 pixels.
In order to use the web configurator you need to allow:
• Web browser pop-up windows from your device. Web pop-up blocking is enabled by default in Windows XP SP (Service Pack) 2.
• JavaScript (enabled by default).
• Java permissions (enabled by default).
See the Troubleshooting chapter to see how to make sure these functions are allowed in Internet Explorer.

2.2 Accessing the Web Configurator

Follow the steps below to access the advanced web configurator screens.
1 Make sure your ZyWALL hardware is properly connected and prepare your computer/computer network to connect to the ZyWALL (refer to the Quick Start Guide).
2 Launch your web browser.
3 Type "192.168.167.1" as the URL.
4 The initial screen displays. Refer to the Quick Start Guide for more information.
5 To log into the ZyWALL, click ADVANCED in the navigation panel.
Figure 4 Web Configurator: Initial Screen
6 A login screen displays. Type "1234" (default) as the password and click Login. In some versions, the default password appears automatically - if this is the case, click Login.
Figure 5 Web Configurator: Login Screen
7 You should see a screen asking you to change your password (highly recommended) as shown next. Type a new password (and retype it to confirm) and click Apply or click Ignore.
Note: If you do not change the password, the following screen appears every time you log in.
Figure 6 Change Password Screen
8 Click Apply in the Replace Certificate screen to create a certificate using your ZyWALL’s MAC address that will be specific to this device.
Note: If you do not replace the default certificate here or in the CERTIFICATES screen, this screen displays every time you access the web configurator.
Figure 7 Replace Certificate Screen
9 You should now see the HOME screen (see Figure 8 on page 43).
Note: The management session automatically times out when the time period set in the Administrator Inactivity Timer field expires (default five minutes). Simply log back into the ZyWALL if this happens to you.

2.3 Resetting the ZyWALL

If you forget your password or cannot access the web configurator, you will need to reload the factory-default configuration file or use the RESET button on the ZyWALL. Uploading this configuration file replaces the current configuration file with the factory-default configuration file. This means that you will lose all configurations that you had previously, and the password will also be reset to 1234.

2.3.1 Procedure to Use the Reset Button

Make sure the PWR LED is on (not blinking) before you begin this procedure.
1 Press the RESET button in for about 10 seconds and release it. When the PWR LED starts to blink, the defaults have been restored and the ZyWALL restarts. Otherwise, go to step 2.
2 Turn the ZyWALL off.
3 While pressing the RESET button, turn the ZyWALL on.
4 Continue to hold the RESET button. The PWR LED will begin to blink. This indicates that the defaults have been restored. Release the RESET button.
5 Wait for the ZyWALL to finish restarting before accessing it again.

2.4 Navigating the Web Configurator

The following summarizes how to navigate the web configurator from the HOME screen.
Note: Follow the instructions you see in the HOME screen or click the icon (located in the top right corner of most screens) to view online help.

2.4.1 The HOME Screen

The following screen shows the HOME screen.
Figure 8 Web Configurator: HOME
• Use the submenus to configure ZyWALL features.
• Click LOGOUT at any time to exit the web configurator.
• Click MAINTENANCE to view information about your ZyWALL or upgrade configuration/firmware files. Maintenance includes General, Password, Time and Date, F/W (firmware) Upload, Configuration (Backup, Restore, Default), and Restart.
The following table describes the labels in this screen.
Table 3 Web Configurator: HOME
LABEL DESCRIPTION
Wizards for Quick Setup
Internet Access: Click Internet Access to use the initial configuration wizard.
VPN Wizard: Click VPN Wizard to create VPN policies.
Device Information
System Name: This is the System Name you enter in the MAINTENANCE General screen. It is for identification purposes.
Firmware Version: This is the ZyNOS firmware version and the date created. ZyNOS is ZyXEL's proprietary Network Operating System (NOS) design.
Routing Protocol: This shows the routing protocol - IP for which the ZyWALL is configured. This field is not configurable.
System Time: This field displays your ZyWALL’s present date and time.
Memory: The first number shows how many kilobytes of the heap memory the ZyWALL is using. Heap memory refers to the memory that is not used by ZyNOS (ZyXEL Network Operating System) and is thus available for running processes like NAT, VPN and the firewall. The second number shows the ZyWALL's total heap memory (in kilobytes). The bar displays what percent of the ZyWALL's heap memory is in use. The bar turns from green to red when the maximum is being approached.
Sessions: The first number shows how many sessions are currently open on the ZyWALL. This includes all sessions that are currently traversing the ZyWALL, terminating at the ZyWALL, or initiated from the ZyWALL. The second number is the maximum number of sessions that can be open at one time. The bar displays what percent of the maximum number of sessions is in use. The bar turns from green to red when the maximum is being approached.
Network Status
Interface: This is the port type. Port types are: WAN and LAN.
Status: For the LAN port, this displays the port speed and duplex setting. For the WAN port, it displays the port speed and duplex setting if you’re using Ethernet encapsulation and Down (line is down or not connected), Idle (line (ppp) idle), or Drop (dropping a call) if you’re using PPPoE encapsulation.
IP Address: This shows the port’s IP address.
Subnet Mask: This shows the port’s subnet mask.
DHCP: This shows the WAN port’s DHCP role - Client or None. This shows the LAN port’s DHCP role - Server or None.
Renew: If you are using Ethernet encapsulation and the WAN port is configured to get the IP address automatically from the ISP, click Renew to release the WAN port’s dynamically assigned IP address and get the IP address afresh. Click Dial to dial up the PPTP or PPPoE connection.
Show Statistics: Click Show Statistics to see performance statistics such as the number of packets sent and number of packets received for each port, including WAN and LAN.
Show DHCP Table: Click Show DHCP Table to show current DHCP client information.
VPN Status: Click VPN Status to display the active VPN connections.

2.4.2 Navigation Panel

After you enter the password, use the sub-menus on the navigation panel to configure ZyWALL features. The following table describes the sub-menus.
Table 4 Navigation Panel: Menu Summary
LINK / TAB: FUNCTION
HOME: This screen shows the ZyWALL’s general device and network status information. Use this screen to access the wizards, statistics and DHCP table.
LAN / LAN: Use this screen to configure LAN DHCP and TCP/IP settings.
LAN / Static DHCP: Use this screen to assign fixed IP addresses on the LAN.
WAN / Route: This screen allows you to configure route priority and traffic redirect properties.
WAN / WAN: Use this screen to configure ZyWALL WAN port for internet access.
WAN / DDNS: Use this screen to configure dynamic DNS settings.
FIREWALL / Default Rule: Use this screen to activate/deactivate the firewall and the direction of network traffic to which to apply the rule.
FIREWALL / Rule Summary: This screen shows a summary of the firewall rules, and allows you to edit/add a firewall rule.
FIREWALL / Anti-Probing: Use this screen to change your anti-probing settings.
FIREWALL / Threshold: Use this screen to configure the threshold for DoS attacks.
VPN / VPN Rules (IKE): Use this screen to configure VPN connections using IKE and view the rule summary.
VPN / SA Monitor: Use this screen to display and manage active VPN connections.
VPN / Global Setting: Use this screen to set the VPN traffic and gateway domain name update timers.
CERTIFICATES / My Certificates: Use this screen to view a summary list of certificates and manage certificates and certification requests.
CERTIFICATES / Trusted CAs: Use this screen to view and manage the list of the trusted CAs.
CERTIFICATES / Trusted Remote Hosts: Use this screen to view and manage the certificates belonging to the trusted remote hosts.
CERTIFICATES / Directory Servers: Use this screen to view and manage the list of the directory servers.
NAT / NAT Overview: Use this screen to enable NAT.
NAT / Port Forwarding: Use this screen to configure servers behind the ZyWALL.
NAT / Port Triggering: Use this screen to change your ZyWALL’s port triggering settings.
STATIC ROUTE / IP Static Route: Use this screen to configure IP static routes.
REMOTE MGMT / WWW: Use this screen to configure through which interface(s) and from which IP address(es) users can use HTTPS or HTTP to manage the ZyWALL.
REMOTE MGMT / SSH: Use this screen to configure through which interface(s) and from which IP address(es) users can use Secure Shell to manage the ZyWALL.
REMOTE MGMT / TELNET: Use this screen to configure through which interface(s) and from which IP address(es) users can use Telnet to manage the ZyWALL.
REMOTE MGMT / FTP: Use this screen to configure through which interface(s) and from which IP address(es) users can use FTP to access the ZyWALL.
REMOTE MGMT / SNMP: Use this screen to configure your ZyWALL’s settings for Simple Network Management Protocol management.
REMOTE MGMT / DNS: Use this screen to configure through which interface(s) and from which IP address(es) users can send DNS queries to the ZyWALL.
REMOTE MGMT / CNM: Use this screen to configure your ZyWALL’s CNM (Central Network Management) settings to allow management from a remote CNM server.
UPnP / UPnP: Use this screen to enable UPnP on the ZyWALL.
UPnP / Ports: Use this screen to view the NAT port mapping rules that UPnP creates on the ZyWALL.
LOGS / View Log: Use this screen to view the logs for the categories that you selected.
LOGS / Log Settings: Use this screen to change your ZyWALL’s log settings.
LOGS / Reports: Use this screen to have the ZyWALL record and display the network usage reports.
MAINTENANCE / General: This screen contains administrative.
MAINTENANCE / Password: Use this screen to change your password.
MAINTENANCE / Time and Date: Use this screen to change your ZyWALL’s time and date.
MAINTENANCE / F/W Upload: Use this screen to upload firmware to your ZyWALL.
MAINTENANCE / Configuration: Use this screen to backup and restore the configuration or reset the factory defaults to your ZyWALL.
MAINTENANCE / Restart: This screen allows you to reboot the ZyWALL without turning the power off.
LOGOUT: Click this label to exit the web configurator.

2.4.3 System Statistics

Click Show Statistics in the HOME screen. Read-only information here includes port status and packet specific statistics. Also provided is "Up Time" and "poll interval(s)". The Poll Interval(s) field is configurable.
Figure 9 Home : Show Statistics
The following table describes the labels in this screen.
Table 5 Home: Show Statistics
LABEL DESCRIPTION
Port: This is the WAN or LAN port.
Status: This displays the port speed and duplex setting if you’re using Ethernet encapsulation and Down (line is down), Idle (line (ppp) idle), Dial (starting to trigger a call) or Drop (dropping a call) if you’re using PPPoE encapsulation.
TxPkts: This is the number of transmitted packets on this port.
RxPkts: This is the number of received packets on this port.
Collisions: This is the number of collisions on this port.
Tx B/s: This displays the transmission speed in bytes per second on this port.
Rx B/s: This displays the reception speed in bytes per second on this port.
Up Time: This is the total amount of time the line has been up.
System Up Time: This is the total time the ZyWALL has been on.
Poll Interval(s): Enter the time interval for refreshing statistics in this field.
Set Interval: Click this button to apply the new poll interval you entered in the Poll Interval(s) field.
Stop: Click Stop to stop refreshing statistics.

2.4.4 DHCP Table Screen

DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows individual clients to obtain TCP/IP configuration at start-up from a server. You can configure the ZyWALL as a DHCP server or disable it. When configured as a server, the ZyWALL provides the TCP/IP configuration for the DHCP client. If DHCP service is disabled, you must have another DHCP server on your LAN, or else the computer must be manually configured.
Click Show DHCP Table in the HOME screen. Read-only information here relates to your DHCP status. The DHCP table shows current DHCP client information (including IP Address, Host Name and MAC Address) of the network client using the ZyWALL’s DHCP server.
Figure 10 Home: DHCP Table
The following table describes the labels in this screen.
Table 6 Home: DHCP Table
LABEL DESCRIPTION
#: This is the index number of the host computer.
IP Address: This field displays the IP address relative to the # field listed above.
Host Name: This field displays the computer host name.
MAC Address: The MAC (Media Access Control) or Ethernet address on a LAN (Local Area Network) is unique to your computer (six pairs of hexadecimal notation). A network interface card such as an Ethernet adapter has a hardwired address that is assigned at the factory. This address follows an industry standard that ensures no other adapter has a similar address.
Reserve: Select this check box to have the ZyWALL always assign this IP address to this MAC address (and host name). You can select up to 8 entries in this table. After you click Apply, the MAC address and IP address also display in the LAN Static DHCP screen (where you can edit them).
Refresh: Click Refresh to reload the DHCP table.

2.4.5 VPN Status

Click VPN Status in the HOME screen when the ZyWALL. Read-only information here includes encapsulation mode and security protocol. The Poll Interval(s) field is configurable.
Figure 11 Home : VPN Status
The following table describes the labels in this screen.
Table 7 Home: VPN Status
LABEL DESCRIPTION
#: This is the security association index number.
Name: This field displays the identification name for this VPN policy.
Encapsulation: This field displays Tunnel or Transport mode.
IPSec Algorithm: This field displays the security protocols used for an SA. Both AH and ESP increase ZyWALL processing requirements and communications latency (delay).
Poll Interval(s): Enter the time interval for refreshing statistics in this field.
Set Interval: Click this button to apply the new poll interval you entered in the Poll Interval(s) field.
Stop: Click Stop to stop refreshing statistics.
CHAPTER 3
Wizard Setup

This chapter provides information on the Wizard Setup screens in the advanced web configurator.

3.1 Overview

The web configurator's setup wizards help you configure the WAN port on the ZyWALL to access the Internet and edit VPN policies and configure IKE settings to establish a VPN tunnel.

3.2 Internet Access Wizard Setup


The first Internet access wizard screen has three variations depending on what encapsulation type you use. Refer to your ISP checklist in the Quick Start Guide to know what to enter in each field. Leave a field blank if you don’t have that information.

3.2.1 ISP Parameters

The ZyWALL offers three choices of encapsulation. They are Ethernet, PPTP or PPPoE.

3.2.2 WAN and DNS

The second wizard screen allows you to configure WAN IP address assignment, DNS server address assignment and the WAN MAC address.
3.2.2.1 WAN IP Address Assignment
Every computer on the Internet must have a unique IP address. If your networks are isolated from the Internet, for instance, only between your two branch offices, you can assign any IP addresses to the hosts without problems. However, the Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of IP addresses specifically for private networks.
Table 8 Private IP Address Ranges
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
Page 53
ZyWALL P1 User’s Guide
You can obtain your IP address from the IANA, from an ISP or have it assigned by a private network. If you belong to a small organization and your Internet access is through an ISP, the ISP can provide you with the Internet addresses for your local networks. On the other hand, if you are part of a much larger organization, you should consult your network administrator for the appropriate IP addresses.
Note: Regardless of your particular situation, do not create an arbitrary IP address; always follow the guidelines above. For more information on address assignment, please refer to RFC 1597, Address Allocation for Private Internets and RFC 1466, Guidelines for Management of IP Address Space.
3.2.2.2 IP Address and Subnet Mask
Similar to the way houses on a street share a common street name, so too do computers on a LAN share one common network number.
Where you obtain your network number depends on your particular situation. If the ISP or your network administrator assigns you a block of registered IP addresses, follow their instructions in selecting the IP addresses and the subnet mask.
If the ISP did not explicitly give you an IP network number, then most likely you have a single user account and the ISP will assign you a dynamic IP address when the connection is established. If this is the case, it is recommended that you select a network number from 192.168.0.0 to 192.168.255.0 and you must enable the Network Address Translation (NAT) feature of the ZyWALL. The Internet Assigned Number Authority (IANA) reserved this block of addresses specifically for private use; please do not use any other number unless you are told otherwise. Let's say you select 192.168.1.0 as the network number; which covers 254 individual addresses, from 192.168.1.1 to 192.168.1.254 (zero and 255 are reserved). In other words, the first three numbers specify the network number while the last number identifies an individual computer on that network.
Once you have decided on the network number, pick an IP address that is easy to remember, for instance, 192.168.167.1, for your ZyWALL, but make sure that no other device on your network is using that IP address.
The subnet mask specifies the network number portion of an IP address. Your ZyWALL will compute the subnet mask automatically based on the IP address that you entered. You don't need to change the subnet mask computed by the ZyWALL unless you are instructed to do otherwise.
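The steps in Section 3.2.2 (pick a private network number, choose a router address inside it, let the subnet mask follow from the address) can be checked with a few lines of code. The following is an added example, not ZyXEL code and not the ZyWALL firmware's logic. is_private() tests the three IANA blocks from Table 8, and plan_lan() reports the network number, the usable host range and whether the chosen router address is usable. The classful default mask (255.0.0.0, 255.255.0.0 or 255.255.255.0 by first octet) is an assumption about how the ZyWALL "computes the subnet mask automatically"; the page does not state the device's actual rule, and you can pass a mask explicitly instead.

```python
# Added example (not ZyXEL code): helpers for choosing a LAN network number
# as Section 3.2.2 describes. is_private() checks the three IANA blocks in
# Table 8; default_mask() infers the subnet mask from the address's first
# octet (classful rule). That classful rule is an assumption about how the
# ZyWALL "computes the subnet mask automatically"; the page does not state
# the device's actual rule. plan_lan() returns the network number and usable
# host range, keeping host part all-zero and all-ones reserved, and checks
# that the chosen router address is usable.
import ipaddress
from typing import Dict, Optional

# Private blocks from Table 8 (RFC 1597, later RFC 1918).
PRIVATE_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),        # 10.0.0.0 - 10.255.255.255
    ipaddress.ip_network("172.16.0.0/12"),     # 172.16.0.0 - 172.31.255.255
    ipaddress.ip_network("192.168.0.0/16"),    # 192.168.0.0 - 192.168.255.255
]


def is_private(addr: str) -> bool:
    """True if addr falls inside one of the three private blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in block for block in PRIVATE_BLOCKS)


def default_mask(addr: str) -> str:
    """Classful default mask (assumption, see above): A /8, B /16, C /24."""
    first_octet = int(ipaddress.ip_address(addr)) >> 24
    if first_octet < 128:
        return "255.0.0.0"
    if first_octet < 192:
        return "255.255.0.0"
    if first_octet < 224:
        return "255.255.255.0"
    raise ValueError(f"{addr}: class D/E address has no default host mask")


def plan_lan(router_ip: str, mask: Optional[str] = None) -> Dict[str, object]:
    """Describe the LAN that router_ip (with mask, or the inferred mask) lives in."""
    mask = mask or default_mask(router_ip)
    net = ipaddress.ip_network(f"{router_ip}/{mask}", strict=False)
    if net.prefixlen > 30:
        raise ValueError("mask leaves no usable host addresses")
    first_host = net.network_address + 1       # host part 0 is the network number
    last_host = net.broadcast_address - 1      # host part all-ones is broadcast
    ip = ipaddress.ip_address(router_ip)
    return {
        "private": is_private(router_ip),
        "network_number": str(net.network_address),
        "subnet_mask": str(net.netmask),
        "first_host": str(first_host),
        "last_host": str(last_host),
        "usable_hosts": net.num_addresses - 2,
        "router_ip_usable": first_host <= ip <= last_host,
    }


if __name__ == "__main__":
    # The manual's own example: network 192.168.1.0 with 254 usable addresses.
    print(plan_lan("192.168.1.1"))
```

Running plan_lan("192.168.1.1") reproduces the figures in the text (network number 192.168.1.0, hosts 192.168.1.1 to 192.168.1.254, 254 usable), while plan_lan("192.168.1.0") flags the network number itself as unusable for the router.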
3.2.2.3 DNS Server Address Assignment
Use DNS (Domain Name System) to map a domain name to its corresponding IP address and vice versa, for instance, the IP address of www.zyxel.com is 204.217.0.2. The DNS server is extremely important because without it, you must know the IP address of a computer before you can access it.
The ZyWALL can get the DNS server addresses in the following ways.
1 The ISP tells you the DNS server addresses, usually in the form of an information sheet, when you sign up. If your ISP gives you DNS server addresses, manually enter them in the DNS server fields.
2 If your ISP dynamically assigns the DNS server IP addresses (along with the ZyWALL’s WAN IP address), set the DNS server fields to get the DNS server address from the ISP.
3 You can manually enter the IP addresses of other DNS servers. These servers can be public or private. A DNS server could even be behind a remote IPSec router.
3.2.2.4 Ethernet
For ISPs (such as Telstra) that send UDP heartbeat packets to verify that the customer is still online, please create a WAN-to-WAN/ZyWALL firewall rule for those packets. Contact your ISP to find the correct port number.
Choose Ethernet when the WAN port is used as a regular Ethernet.
Figure 12 Internet Access Wizard: Ethernet Encapsulation
The following table describes the labels in this screen.
Table 9 Internet Access Wizard: Ethernet Encapsulation
LABEL DESCRIPTION
ISP Parameters for Internet Access
Encapsulation: You must choose the Ethernet option when the WAN port is used as a regular Ethernet. Note: You can select a service type in the advanced WAN screen (refer to Section 5.3 on page 80).
WAN IP Address Assignment: Select Dynamic if your ISP did not assign you a fixed IP address. This is the default selection. Select Static if your ISP assigned a fixed IP address. Then set the following fields.
My WAN IP Address: Enter your WAN IP address in this field if you select Static in the WAN IP Address Assignment field.
My WAN IP Subnet Mask: Enter the IP subnet mask in this field if you select Static in the WAN IP Address Assignment field.
Gateway IP Address: Enter the gateway IP address in this field if you select Static in the WAN IP Address Assignment field.
First/Second DNS Server: DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa, e.g., the IP address of www.zyxel.com is 204.217.0.2. The DNS server is extremely important because without it, you must know the IP address of a computer before you can access it. Enter the IP address(es) of the DNS server(s) provided by your ISP.
Finish: Click Finish to save the settings.
3.2.2.5 PPPoE Encapsulation
Point-to-Point Protocol over Ethernet (PPPoE) functions as a dial-up connection. PPPoE is an IETF (Internet Engineering Task Force) draft standard specifying how a host personal computer interacts with a broadband modem (for example xDSL, cable, wireless, etc.) to achieve access to high-speed data networks. It preserves the existing Microsoft Dial-Up Networking experience and requires no new learning or procedures.
For the service provider, PPPoE offers an access and authentication method that works with existing access control systems (for instance, Radius). For the user, PPPoE provides a login and authentication method that the existing Microsoft Dial-Up Networking software can activate, and therefore requires no new learning or procedures for Windows users.
One of the benefits of PPPoE is the ability to let end users access one of multiple network services, a function known as dynamic service selection. This enables the service provider to easily create and offer new IP services for specific users.
Operationally, PPPoE saves significant effort for both the subscriber and the ISP/carrier, as it requires no specific configuration of the broadband modem at the subscriber’s site.
By implementing PPPoE directly on the ZyWALL (rather than individual computers), the computers on the LAN do not need PPPoE software installed, since the ZyWALL does that part of the task. Furthermore, with NAT, all of the LAN's computers will have Internet access.
Refer to Appendix C on page 289 for more information on PPPoE.
Figure 13 Internet Access Wizard: PPPoE Encapsulation
The following table describes the related labels in this screen.
Table 10 Internet Access Wizard: PPPoE Encapsulation
LABEL DESCRIPTION
ISP Parameter for Internet Access
Encapsulation: Choose an encapsulation method from the pull-down list box. PPP over Ethernet forms a dial-up connection.
Service Name: Type the name of your service provider.
User Name: Type the user name given to you by your ISP.
Password: Type the password associated with the user name above.
Retype Password: Type your password again for confirmation.
Nailed-Up Connection: Select Nailed-Up Connection if you do not want the connection to time out.
Idle Timeout: Type the time in seconds that elapses before the router automatically disconnects from the PPPoE server. The default time is 100 seconds.
Refer to Table 9 on page 54 for other label descriptions.
3.2.2.6 PPTP Encapsulation
Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables transfers of data from a remote client to a private server, creating a Virtual Private Network (VPN) using TCP/IP-based networks.
PPTP supports on-demand, multi-protocol, and virtual private networking over public networks, such as the Internet.
Note: Refer to Appendix D on page 291 for more information on PPTP. The ZyWALL supports one PPTP server connection at any given time.
Figure 14 Internet Access Wizard: PPTP Encapsulation
The following table describes the related labels in this screen.
Table 11 Internet Access Wizard: PPTP Encapsulation
LABEL DESCRIPTION
ISP Parameters for Internet Access
Encapsulation Select PPTP from the drop-down list box.
User Name Type the user name given to you by your ISP.
Password Type the password associated with the User Name above.
Retype Password Type your password again for confirmation.
Nailed-Up Connection Select Nailed-Up Connection if you do not want the connection to time out.
Idle Timeout Type the time in seconds that elapses before the router automatically disconnects from the PPTP server.
PPTP Configuration
My IP Address Type the (static) IP address assigned to you by your ISP.
My IP Subnet Mask Type the subnet mask assigned to you by your ISP (if given).
Server IP Address Type the IP address of the PPTP server.
Connection ID/Name Enter the connection ID or connection name in this field. It must follow the "c:id" and "n:name" format. For example, C:12 or N:My ISP. This field is optional and depends on the requirements of your DSL modem.
Refer to Table 9 on page 54 for other label descriptions.

3.2.3 Internet Access Wizard Setup Complete

Well done! You have successfully set up your ZyWALL to operate on your network and access the Internet.
Figure 15 Internet Access Wizard: Complete

3.3 VPN Wizard Setup

A VPN (Virtual Private Network) provides secure communications between sites without the expense of leased site-to-site lines. A secure VPN is a combination of tunneling, encryption, authentication, access control and auditing technologies/services used to transport traffic over the Internet or any insecure network that uses the TCP/IP protocol suite for communication.
Use the VPN wizard screens to configure a VPN rule that uses a pre-shared key. If you want to set the rule to use a certificate, please go to the advanced VPN screens for configuration.

3.3.1 IPSec

Internet Protocol Security (IPSec) is a standards-based VPN that offers flexible solutions for secure data communications across a public network like the Internet. IPSec is built around a number of standardized cryptographic techniques to provide confidentiality, data integrity and authentication at the IP layer.

3.3.2 Security Association

A Security Association (SA) is a contract between two parties indicating what security parameters, such as keys and algorithms, they will use.

3.3.3 My IP Address

My IP Address identifies the WAN IP address of the ZyWALL. You can enter the ZyWALL's static WAN IP address (if it has one) or leave the field set to 0.0.0.0. The ZyWALL has to rebuild the VPN tunnel if the My IP Address changes after setup.

3.3.4 Secure Gateway Address

Secure Gateway Address is the WAN IP address or domain name of the remote IPSec router (secure gateway).
If the remote secure gateway has a static WAN IP address, enter it in the Secure Gateway Address field. You may alternatively enter the remote secure gateway’s domain name (if it has one) in the Secure Gateway Address field.
You can also enter a remote secure gateway’s domain name in the Secure Gateway Address field if the remote secure gateway has a dynamic WAN IP address and is using DDNS. The ZyWALL has to rebuild the VPN tunnel each time the remote secure gateway’s WAN IP address changes (there may be a delay until the DDNS servers are updated with the remote gateway’s new WAN IP address).
3.3.4.1 Dynamic Secure Gateway Address
If the remote secure gateway has a dynamic WAN IP address and does not use DDNS, enter 0.0.0.0 as the secure gateway’s address. In this case only the remote secure gateway can initiate SAs. This may be useful for telecommuters initiating a VPN tunnel to the company network.

3.3.5 VPN Wizard: Gateway Policy Setting

Click VPN Wizard in the HOME screen to open the first wizard screen and perform a quick, initial VPN configuration.
Use the first VPN wizard screen to configure the settings between the ZyWALL and the remote VPN router.
Figure 16 VPN Wizard: Gateway Policy Setting
The following table describes the labels in this screen.
Table 12 VPN Wizard: Gateway Policy Setting
LABEL DESCRIPTION
Gateway Policy Property
Name Type up to 32 characters to identify this VPN gateway policy. You may use any character, including spaces, but the ZyWALL drops trailing spaces.
Gateway Policy Setting
My ZyWALL Enter the WAN IP address or the domain name of your ZyWALL. The ZyWALL uses its current WAN IP address (static or dynamic) in setting up the VPN tunnel if you leave this field as 0.0.0.0. The ZyWALL has to rebuild the VPN tunnel if the IP address changes after setup.
Remote Gateway Enter the WAN IP address or the domain name of the IPSec router with which you're making the VPN connection. Set this field to 0.0.0.0 if the remote IPSec router has a dynamic WAN IP address.
Next Click Next to continue.

3.3.6 VPN Wizard: Network Setting

Use the second VPN wizard screen to configure the settings for each LAN network behind the ZyWALL and the remote VPN router.
Two active SAs cannot have the local and remote IP address(es) both the same. Two active SAs can have the same local or remote IP address, but not both. You can configure multiple SAs between the same local and remote IP addresses, as long as only one is active at any time.
Figure 17 VPN Wizard: Network Setting
The following table describes the labels in this screen.
Table 13 VPN Wizard: Network Setting
LABEL DESCRIPTION
Network Policy Property
Active Select this checkbox to enable this VPN rule.
Name Type up to 32 characters to identify this VPN network policy. You may use any character, including spaces, but the ZyWALL drops trailing spaces.
Network Policy Setting
Local Network Local IP addresses must be static and correspond to the remote IPSec router's configured remote IP addresses. Select Single for a single IP address. Select Range IP for a specific range of IP addresses. Select Subnet to specify IP addresses on a network by their subnet mask.
Starting IP Address When the Local Network field is configured to Single, enter a (static) IP address on the LAN behind your ZyWALL. When the Local Network field is configured to Range IP, enter the beginning (static) IP address in a range of computers on the LAN behind your ZyWALL. When the Local Network field is configured to Subnet, this is a (static) IP address on the LAN behind your ZyWALL.
Ending IP Address/Subnet Mask When the Local Network field is configured to Single, this field is N/A. When the Local Network field is configured to Range IP, enter the end (static) IP address in a range of computers on the LAN behind your ZyWALL. When the Local Network field is configured to Subnet, this is a subnet mask on the LAN behind your ZyWALL.
Remote Network Remote IP addresses must be static and correspond to the remote IPSec router's configured local IP addresses. Select Single for a single IP address. Select Range IP for a specific range of IP addresses. Select Subnet to specify IP addresses on a network by their subnet mask.
Starting IP Address When the Remote Network field is configured to Single, enter a (static) IP address on the network behind the remote IPSec router. When the Remote Network field is configured to Range IP, enter the beginning (static) IP address in a range of computers on the network behind the remote IPSec router. When the Remote Network field is configured to Subnet, enter a (static) IP address on the network behind the remote IPSec router.
Ending IP Address/Subnet Mask When the Remote Network field is configured to Single, this field is not applicable. When the Remote Network field is configured to Range IP, enter the end (static) IP address in a range of computers on the network behind the remote IPSec router. When the Remote Network field is configured to Subnet, enter a subnet mask on the network behind the remote IPSec router.
Back Click Back to return to the previous screen.
Next Click Next to continue.

3.3.7 IKE Phases

There are two phases to every IKE (Internet Key Exchange) negotiation – phase 1 (Authentication) and phase 2 (Key Exchange). A phase 1 exchange establishes an IKE SA and the second one uses that SA to negotiate SAs for IPSec.
Figure 18 Two Phases to Set Up the IPSec SA
In phase 1 you must:
• Choose a negotiation mode.
• Authenticate the connection by entering a pre-shared key.
• Choose an encryption algorithm.
• Choose an authentication algorithm.
• Choose a Diffie-Hellman public-key cryptography key group (DH1 or DH2).
• Set the IKE SA lifetime. This field allows you to determine how long an IKE SA should stay up before it times out. An IKE SA times out when the IKE SA lifetime period expires. If an IKE SA times out when an IPSec SA is already established, the IPSec SA stays connected.
In phase 2 you must:
• Choose which protocol to use (ESP or AH) for the IKE key exchange.
• Choose an encryption algorithm.
• Choose an authentication algorithm.
• Choose whether to enable Perfect Forward Secrecy (PFS) using Diffie-Hellman public-key cryptography (see Section 3.3.7 on page 62). Select None (the default) to disable PFS.
• Choose Tunnel mode or Transport mode.
• Set the IPSec SA lifetime. This field allows you to determine how long the IPSec SA should stay up before it times out. The ZyWALL automatically renegotiates the IPSec SA if there is traffic when the IPSec SA lifetime period expires. The ZyWALL also automatically renegotiates the IPSec SA if both IPSec routers have keep alive enabled, even if there is no traffic. If an IPSec SA times out, then the IPSec router must renegotiate the SA the next time someone attempts to send traffic.
3.3.7.1 Negotiation Mode
The phase 1 Negotiation Mode you select determines how the Security Association (SA) will be established for each connection through IKE negotiations.
Main Mode ensures the highest level of security when the communicating parties are negotiating authentication (phase 1). It uses 6 messages in three round trips: SA negotiation, Diffie-Hellman exchange and an exchange of nonces (a nonce is a random number). This mode features identity protection (your identity is not revealed in the negotiation).
Aggressive Mode is quicker than Main Mode because it eliminates several steps when the communicating parties are negotiating authentication (phase 1). However, the trade-off is that the faster speed limits its negotiating power and it also does not provide identity protection. It is useful in remote access situations where the address of the initiator is not known by the responder and both parties want to use pre-shared key authentication.
3.3.7.2 Pre-Shared Key
A pre-shared key identifies a communicating party during a phase 1 IKE negotiation. It is called pre-shared because you have to share it with another party before you can communicate with them over a secure connection.
3.3.7.3 Diffie-Hellman (DH) Key Groups
Diffie-Hellman (DH) is a public-key cryptography protocol that allows two parties to establish a shared secret over an unsecured communications channel. Diffie-Hellman is used within IKE SA setup to establish session keys. 768-bit (Group 1 - DH1) and 1024-bit (Group 2 – DH2) Diffie-Hellman groups are supported. Upon completion of the Diffie-Hellman exchange, the two peers have a shared secret, but the IKE SA is not authenticated. For authentication, use pre-shared keys.
3.3.7.4 Perfect Forward Secrecy (PFS)
Enabling PFS means that the key is transient. The key is thrown away and replaced by a brand new key using a new Diffie-Hellman exchange for each new IPSec SA setup. With PFS enabled, if one key is compromised, previous and subsequent keys are not compromised, because subsequent keys are not derived from previous keys. The (time-consuming) Diffie-Hellman exchange is the trade-off for this extra security.
This may be unnecessary for data that does not require such security, so PFS is disabled (None) by default in the ZyWALL. Disabling PFS means new authentication and encryption keys are derived from the same root secret (which may have security implications in the long run) but allows faster SA setup (by bypassing the Diffie-Hellman key exchange).
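As an added illustration of the Diffie-Hellman exchange in Section 3.3.7.3 and the PFS trade-off just described (example code, not part of this guide or the ZyWALL firmware), the Python below runs a Group 2 exchange between two peers and then derives per-SA keys with and without a fresh exchange for each IPSec SA. It assumes the 1024-bit MODP prime of RFC 2409 Group 2 with generator 2, and uses a SHA-256 based derivation as a simplified stand-in for IKE's PRF; the ZyWALL's real key schedule is not reproduced here.

```python
import hashlib
import secrets

# RFC 2409 "Second Oakley Group" (DH2): 1024-bit MODP prime, generator 2.
DH2_PRIME = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
DH2_GENERATOR = 2


def is_probable_prime(n, rounds=8):
    """Miller-Rabin test; used only to sanity-check the group parameters."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2  # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def dh_keypair(prime=DH2_PRIME, generator=DH2_GENERATOR):
    """One party's (private exponent, public value)."""
    priv = secrets.randbelow(prime - 2) + 1  # private exponent in [1, p-2]
    return priv, pow(generator, priv, prime)


def dh_shared_secret(priv, peer_pub, prime=DH2_PRIME):
    """Our exponent applied to the peer's public value; degenerate values rejected."""
    if not 1 < peer_pub < prime - 1:
        raise ValueError("peer public value outside (1, p-1)")
    return pow(peer_pub, priv, prime)


def dh_exchange():
    """One exchange between two peers; returns the secret both now hold."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    a_secret = dh_shared_secret(a_priv, b_pub)
    b_secret = dh_shared_secret(b_priv, a_pub)
    if a_secret != b_secret:
        raise RuntimeError("peers derived different secrets")
    return a_secret


def derive_sa_key(root_secret, label):
    """Simplified stand-in for the IKE PRF (assumption): 128-bit key from secret + label."""
    secret_bytes = root_secret.to_bytes((root_secret.bit_length() + 7) // 8, "big")
    return hashlib.sha256(secret_bytes + label.encode("ascii")).digest()[:16]


def phase2_keys_without_pfs(ike_secret, sa_count):
    """PFS = None: every IPSec SA key is derived from the single phase 1 secret."""
    return [derive_sa_key(ike_secret, f"ipsec-sa-{i}") for i in range(sa_count)]


def phase2_with_pfs(sa_count):
    """PFS = DH2: each IPSec SA runs its own exchange. Returns [(sa_root, key), ...]."""
    result = []
    for i in range(sa_count):
        sa_root = dh_exchange()
        result.append((sa_root, derive_sa_key(sa_root, f"ipsec-sa-{i}")))
    return result


def keys_recoverable_from_root(root_secret, keys):
    """True if one root secret regenerates every key: the exposure PFS removes."""
    return phase2_keys_without_pfs(root_secret, len(keys)) == keys


if __name__ == "__main__":
    ike_secret = dh_exchange()
    no_pfs = phase2_keys_without_pfs(ike_secret, 3)
    pfs = phase2_with_pfs(3)
    print("no PFS, one root yields all keys:", keys_recoverable_from_root(ike_secret, no_pfs))
    print("PFS, SA 0 root yields other keys:", keys_recoverable_from_root(pfs[0][0], [k for _, k in pfs]))
```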

3.4 IPSec Algorithms

The ESP and AH protocols are necessary to create a Security Association (SA), the foundation of an IPSec VPN. An SA is built from the authentication provided by the AH and ESP protocols. The primary function of key management is to establish and maintain the SA between systems. Once the SA is established, the transport of data may commence.

3.4.1 AH (Authentication Header) Protocol

AH protocol (RFC 2402) was designed for integrity, authentication, sequence integrity (replay resistance), and non-repudiation but not for confidentiality, for which the ESP was designed.
In applications where confidentiality is not required or not sanctioned by government encryption restrictions, an AH can be employed to ensure integrity. This type of implementation does not protect the information from dissemination but will allow for verification of the integrity of the information and authentication of the originator.

3.4.2 ESP (Encapsulating Security Payload) Protocol

The ESP protocol (RFC 2406) provides encryption as well as some of the services offered by AH. ESP authenticating properties are limited compared to the AH due to the non-inclusion of the IP header information during the authentication process. However, ESP is sufficient if only the upper layer protocols need to be authenticated.
An added feature of the ESP is payload padding, which further protects communications by concealing the size of the packet being transmitted.
Table 14 ESP and AH
ESP
Encryption
DES (default): Data Encryption Standard (DES) is a widely used method of data encryption using a secret key. DES applies a 56-bit key to each 64-bit block of data.
3DES: Triple DES (3DES) is a variant of DES, which iterates three times with three separate keys (3 x 56 = 168 bits), effectively doubling the strength of DES.
AES: Advanced Encryption Standard is a newer method of data encryption that also uses a secret key. This implementation of AES applies a 128-bit key to 128-bit blocks of data. AES is faster than 3DES.
Select NULL to set up a phase 2 tunnel without encryption.
Authentication
MD5 (default): MD5 (Message Digest 5) produces a 128-bit digest to authenticate packet data.
SHA1: SHA1 (Secure Hash Algorithm) produces a 160-bit digest to authenticate packet data.
Select MD5 for minimal security and SHA-1 for maximum security.
AH
Encryption
Not applicable; AH provides integrity and authentication but no encryption (see Section 3.4.1).
Authentication
MD5 (default): MD5 (Message Digest 5) produces a 128-bit digest to authenticate packet data.
SHA1: SHA1 (Secure Hash Algorithm) produces a 160-bit digest to authenticate packet data.

3.4.3 IKE Tunnel Setting (IKE Phase 1)

Figure 19 VPN Wizard: IKE Tunnel Setting
The following table describes the labels in this screen.
Table 15 VPN Wizard: IKE Tunnel Setting
LABEL DESCRIPTION
Negotiation Mode Use the radio buttons to select Main Mode or Aggressive Mode. Multiple SAs connecting through a secure gateway must have the same negotiation mode.
Encryption Algorithm When DES is used for data communications, both sender and receiver must know the same secret key, which can be used to encrypt and decrypt the message or to generate and verify a message authentication code. The DES encryption algorithm uses a 56-bit key. Triple DES (3DES) is a variation on DES that uses a 168-bit key. As a result, 3DES is more secure than DES. It also requires more processing power, resulting in increased latency and decreased throughput. This implementation of AES uses a 128-bit key. AES is faster than 3DES.
Authentication Algorithm MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. The SHA1 algorithm is generally considered stronger than MD5, but is slower. Select MD5 for minimal security and SHA-1 for maximum security.
Key Group You must choose a key group for phase 1 IKE setup. DH1 (default) refers to Diffie-Hellman Group 1, a 768-bit random number. DH2 refers to Diffie-Hellman Group 2, a 1024-bit (1Kb) random number.
SA Life Time (Seconds) Define the length of time before an IKE SA automatically renegotiates in this field. The minimum value is 180 seconds. A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys. However, every time the VPN tunnel renegotiates, all users accessing remote resources are temporarily disconnected.
Pre-Shared Key Type your pre-shared key in this field. A pre-shared key identifies a communicating party during a phase 1 IKE negotiation. It is called "pre-shared" because you have to share it with another party before you can communicate with them over a secure connection. Type from 8 to 31 case-sensitive ASCII characters or from 16 to 62 hexadecimal ("0-9", "A-F") characters. You must precede a hexadecimal key with a "0x" (zero x), which is not counted as part of the 16 to 62 character range for the key. For example, in "0x0123456789ABCDEF", 0x denotes that the key is hexadecimal and 0123456789ABCDEF is the key itself. Both ends of the VPN tunnel must use the same pre-shared key. You will receive a PYLD_MALFORMED (payload malformed) packet if the same pre-shared key is not used on both ends.
Back Click Back to return to the previous screen.
Next Click Next to continue.
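The key format rules in the Pre-Shared Key row above can be checked before a rule is saved. The following Python is an added example (not ZyWALL code) that classifies a key as ASCII or hexadecimal, rejects out-of-range lengths, and compares both ends' key material in constant time; treating any key that begins with "0x" as hexadecimal, and limiting ASCII keys to printable characters without spaces, are assumptions of this example.

```python
import hmac
import re

# From Table 15: "0x" followed by 16 to 62 characters from 0-9 and A-F (prefix not counted).
HEX_KEY_RE = re.compile(r"0x([0-9A-F]{16,62})")
# From Table 15: 8 to 31 case-sensitive ASCII characters. Restricting these to
# printable characters without spaces is an assumption of this example.
ASCII_KEY_RE = re.compile(r"[\x21-\x7E]{8,31}")


def classify_pre_shared_key(key):
    """Return ("hex", digits) or ("ascii", key); raise ValueError for anything else."""
    if key.startswith("0x"):
        # Assumption: a leading "0x" always means the user intends a hexadecimal key.
        match = HEX_KEY_RE.fullmatch(key)
        if match is None:
            raise ValueError(
                'hexadecimal key must be "0x" followed by 16 to 62 characters from 0-9 and A-F'
            )
        return "hex", match.group(1)
    if ASCII_KEY_RE.fullmatch(key) is None:
        raise ValueError("ASCII key must be 8 to 31 printable ASCII characters")
    return "ascii", key


def is_valid_pre_shared_key(key):
    """Boolean form of classify_pre_shared_key for quick checks."""
    try:
        classify_pre_shared_key(key)
    except ValueError:
        return False
    return True


def explain_rejection(key):
    """Return the reason a key would be rejected, or None if it is acceptable."""
    try:
        classify_pre_shared_key(key)
    except ValueError as exc:
        return str(exc)
    return None


def key_material(key):
    """Bytes that form the shared secret: the ASCII bytes, or the decoded hex digits."""
    kind, body = classify_pre_shared_key(key)
    if kind == "ascii":
        return body.encode("ascii")
    if len(body) % 2:
        # The 16-to-62 range admits an odd digit count, which cannot form whole bytes.
        raise ValueError("hexadecimal key has an odd number of digits")
    return bytes.fromhex(body)


def peers_agree(local_key, remote_key):
    """Both ends must use the same key (a mismatch yields PYLD_MALFORMED).
    The comparison is constant time so the check itself does not leak where keys differ."""
    return hmac.compare_digest(key_material(local_key), key_material(remote_key))
```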

3.4.4 IPSec Setting (IKE Phase 2)

Figure 20 VPN Wizard: IPSec Setting
The following table describes the labels in this screen.
Table 16 VPN Wizard: IPSec Setting
LABEL DESCRIPTION
Encapsulation Mode Select Tunnel mode or Transport mode.
IPSec Protocol Select the security protocols used for an SA. Both AH and ESP increase ZyWALL processing requirements and communications latency (delay).
Encryption Algorithm When DES is used for data communications, both sender and receiver must know the same secret key, which can be used to encrypt and decrypt the message or to generate and verify a message authentication code. The DES encryption algorithm uses a 56-bit key. Triple DES (3DES) is a variation on DES that uses a 168-bit key. As a result, 3DES is more secure than DES. It also requires more processing power, resulting in increased latency and decreased throughput. This implementation of AES uses a 128-bit key. AES is faster than 3DES. Select NULL to set up a tunnel without encryption. When you select NULL, you do not enter an encryption key.
Authentication Algorithm MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. The SHA1 algorithm is generally considered stronger than MD5, but is slower. Select MD5 for minimal security and SHA-1 for maximum security.
SA Life Time (Seconds) Define the length of time before an IKE SA automatically renegotiates in this field. The minimum value is 180 seconds. A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys. However, every time the VPN tunnel renegotiates, all users accessing remote resources are temporarily disconnected.
Perfect Forward Secret (PFS) Perfect Forward Secret (PFS) is disabled (None) by default in phase 2 IPSec SA setup. This allows faster IPSec setup, but is not so secure. Select DH1 or DH2 to enable PFS. DH1 refers to Diffie-Hellman Group 1, a 768-bit random number. DH2 refers to Diffie-Hellman Group 2, a 1024-bit (1Kb) random number (more secure, yet slower).
Back Click Back to return to the previous screen.
Next Click Next to continue.

3.4.5 VPN Status Summary

This read-only screen shows the status of the current VPN setting. Use the summary table to check whether what you have configured is correct.
Figure 21 VPN Wizard: VPN Status
The following table describes the labels in this screen.
Table 17 VPN Wizard: VPN Status
LABEL DESCRIPTION
Gateway Setting
My ZyWALL This is the WAN IP address or domain name of your ZyWALL.
Remote Gateway Address This is the IP address or domain name used to identify the remote IPSec router.
Network Setting
Local Network
Starting IP Address This is a (static) IP address on the LAN behind your ZyWALL.
Ending IP Address/Subnet Mask When the local network is configured for a single IP address, this field is not applicable. When the local network is configured for a range IP address, this is the end (static) IP address in a range of computers on the LAN behind your ZyWALL. When the local network is configured for a subnet, this is a subnet mask on the LAN behind your ZyWALL.
Remote Network
Starting IP Address This is a (static) IP address on the network behind the remote IPSec router.
Ending IP Address/Subnet Mask When the remote network is configured for a single IP address, this field is not applicable. When the remote network is configured for a range IP address, this is the end (static) IP address in a range of computers on the network behind the remote IPSec router. When the remote network is configured for a subnet, this is a subnet mask on the network behind the remote IPSec router.
IKE Tunnel Setting (IKE Phase 1)
Negotiation Mode This shows Main Mode or Aggressive Mode. Multiple SAs connecting through a secure gateway must have the same negotiation mode.
Encryption Algorithm This is the method of data encryption. Options can be DES, 3DES or AES.
Authentication Algorithm MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data.
Key Group This is the key group you chose for phase 1 IKE setup.
SA Life Time (Seconds) This is the length of time before an IKE SA automatically renegotiates.
Pre-Shared Key This is a pre-shared key identifying a communicating party during a phase 1 IKE negotiation.
IPSec Setting (IKE Phase 2)
Encapsulation Mode This shows Tunnel mode or Transport mode.
IPSec Protocol ESP or AH are the security protocols used for an SA.
Encryption Algorithm This is the method of data encryption. Options can be DES, 3DES, AES or NULL.
Authentication Algorithm MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data.
SA Life Time (Seconds) This is the length of time before an IKE SA automatically renegotiates.
Perfect Forward Secret (PFS) Perfect Forward Secret (PFS) is disabled (None) by default in phase 2 IPSec SA setup. Otherwise, DH1 or DH2 are selected to enable PFS.
Back Click Back to return to the previous screen.
Finish Click Finish to complete and save the wizard setup.

3.4.6 VPN Wizard Setup Complete

Congratulations! You have successfully set up the VPN rule after any existing rule(s) for your ZyWALL.
Figure 22 VPN Wizard: Complete
CHAPTER 4

LAN Screens

This chapter describes how to configure LAN settings.

4.1 LAN Overview

Local Area Network (LAN) is a shared communication system to which many computers are attached. The LAN screens can help you configure a LAN DHCP server and manage IP addresses.

4.2 DHCP Setup

DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows individual clients to obtain TCP/IP configuration at start-up from a server. You can configure the ZyWALL as a DHCP server or disable it. When configured as a server, the ZyWALL provides the TCP/IP configuration for the DHCP client. If DHCP service is disabled, you must have another DHCP server on your LAN, or else the computer must be manually configured.

4.2.1 IP Pool Setup

The ZyWALL is pre-configured to provide one IP address of 169.254.1.33 to a DHCP client. This configuration leaves 253 IP addresses (excluding the ZyWALL itself) in the lower range for other server computers, for instance, servers for mail, FTP, TFTP, web, etc., that you may have.

4.2.2 DNS Servers

Use the DNS screens to configure the DNS server information that the ZyWALL sends to the DHCP client devices on the LAN.
There are three places where you can configure DNS setup on the ZyWALL.
1 Use the MAINTENANCE General screen to configure the ZyWALL to use a DNS server to resolve domain names for ZyWALL system features like VPN, DDNS and the time server.
2 Use the LAN screen to configure the DNS server information that the ZyWALL sends to the DHCP client devices on the LAN.

4.3 LAN TCP/IP

The ZyWALL has built-in DHCP server capability that assigns IP addresses and DNS servers to systems that support DHCP client capability.

4.3.1 Factory LAN Defaults

The LAN parameters of the ZyWALL are preset in the factory with the following values:
• IP address of 192.168.167.1 with subnet mask of 255.255.255.0.
• DHCP server enabled with one client IP address of 192.168.167.33.
These parameters should work for the majority of installations. If your ISP gives you explicit DNS server address(es), read the embedded web configurator help regarding what fields need to be configured.

4.3.2 IP Address and Subnet Mask

Refer to Section 3.2.2.2 on page 52 for this information.

4.3.3 RIP Setup

RIP (Routing Information Protocol, RFC 1058 and RFC 1389) allows a router to exchange routing information with other routers. RIP Direction controls the sending and receiving of RIP packets. When set to Both or Out Only, the ZyWALL will broadcast its routing table periodically. When set to Both or In Only, it will incorporate the RIP information that it receives; when set to None, it will not send any RIP packets and will ignore any RIP packets received.
RIP Version controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). RIP-1 is universally supported; but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you have an unusual network topology.
Both RIP-2B and RIP-2M send routing data in RIP-2 format; the difference being that RIP-2B uses subnet broadcasting while RIP-2M uses multicasting. Multicasting can reduce the load on non-router machines since they generally do not listen to the RIP multicast address and so will not receive the RIP packets. However, if one router uses multicasting, then all routers on your network must use multicasting, also.
By default, RIP Direction is set to Both and RIP Version to RIP-1.

4.3.4 Multicast

Traditionally, IP packets are transmitted in one of either two ways - Unicast (1 sender - 1 recipient) or Broadcast (1 sender - everybody on the network). Multicast delivers IP packets to a group of hosts on the network - not everybody and not just 1.
IGMP (Internet Group Multicast Protocol) is a network-layer protocol used to establish membership in a Multicast group - it is not used to carry user data. IGMP version 2 (RFC 2236) is an improvement over version 1 (RFC 1112) but IGMP version 1 is still in wide use. If you would like to read more detailed information about interoperability between IGMP version 2 and version 1, please see sections 4 and 5 of RFC 2236. The class D IP address is used to identify host groups and can be in the range 224.0.0.0 to 239.255.255.255. The address 224.0.0.0 is not assigned to any group and is used by IP multicast computers. The address 224.0.0.1 is used for query messages and is assigned to the permanent group of all IP hosts (including gateways). All hosts must join the 224.0.0.1 group in order to participate in IGMP. The address 224.0.0.2 is assigned to the multicast routers group.
The ZyWALL supports both IGMP version 1 (IGMP-v1) and IGMP version 2 (IGMP-v2). At start up, the ZyWALL queries all directly connected networks to gather group membership. After that, the ZyWALL periodically updates this information. IP multicasting can be enabled/disabled on the ZyWALL LAN and/or WAN interfaces in the web configurator (LAN; WAN). Select None to disable IP multicasting on these interfaces.

4.4 Configuring LAN

Click LAN to open the LAN screen.
Figure 23 LAN: LAN
The following table describes the labels in this screen.
Table 18 LAN: LAN
LABEL DESCRIPTION
LAN TCP/IP
IP Address Type the IP address of your ZyWALL in dotted decimal notation. 192.168.167.1 is the factory default. Alternatively, click the right mouse button to copy and/or paste the IP address.
IP Subnet Mask The subnet mask specifies the network number portion of an IP address. Your ZyWALL automatically calculates the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use the subnet mask computed by the ZyWALL.
RIP Direction RIP (Routing Information Protocol, RFC 1058 and RFC 1389) allows a router to exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets. Select the RIP direction from Both/In Only/Out Only/None. When set to Both or Out Only, the ZyWALL will broadcast its routing table periodically. When set to Both or In Only, it will incorporate the RIP information that it receives; when set to None, it will not send any RIP packets and will ignore any RIP packets received. Both is the default.
RIP Version The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). RIP-1 is universally supported but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you have an unusual network topology. Both RIP-2B and RIP-2M send the routing data in RIP-2 format; the difference being that RIP-2B uses subnet broadcasting while RIP-2M uses multicasting. Multicasting can reduce the load on non-router machines since they generally do not listen to the RIP multicast address and so will not receive the RIP packets. However, if one router uses multicasting, then all routers on your network must use multicasting, also. By default, RIP direction is set to Both and the Version set to RIP-1.
Multicast Select IGMP V-1 or IGMP V-2 or None. IGMP (Internet Group Multicast Protocol) is a network-layer protocol used to establish membership in a Multicast group - it is not used to carry user data. IGMP version 2 (RFC 2236) is an improvement over version 1 (RFC 1112) but IGMP version 1 is still in wide use. If you would like to read more detailed information about interoperability between IGMP version 2 and version 1, please see sections 4 and 5 of RFC 2236.
DHCP Setup
DHCP DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows individual clients (workstations) to obtain TCP/IP configuration at startup from a server. Select Server to set the ZyWALL to assign network information (IP address, DNS information etc.) to an Ethernet device connected to the LAN port. Select None to stop the ZyWALL from acting as a DHCP server. You must then have another DHCP server on your LAN, or else the computer must be manually configured. Select Relay to set the ZyWALL to forward network configuration requests to a DHCP server on the LAN network.
DHCP Client Address This field is applicable when you select Server in the DHCP field. Specify the IP address for the DHCP client. Make sure the IP address is in the same range as the ZyWALL’s LAN IP address.
DHCP Server Address This field is applicable when you select Relay in the DHCP field. Enter the IP address (in dotted decimal notation) of a DHCP server on the LAN.
DNS Servers Assigned by DHCP Server
First DNS Server, Second DNS Server, Third DNS Server The ZyWALL passes a DNS (Domain Name System) server IP address (in the order you specify here) to the DHCP client. The ZyWALL only passes this information to the LAN DHCP client when you select the DHCP Server check box. When you clear the DHCP Server check box, DHCP service is disabled and you must have another DHCP server on your LAN, or else the computers must have their DNS server addresses manually configured.
Windows Networking (NetBIOS over TCP/IP)
Allow between LAN and WAN
Apply Click Apply to save your changes back to the ZyWALL.
Reset Click Reset to begin configuring this screen afresh.
Select From ISP if your ISP dynamically assigns DNS server information (and the ZyWALL's WAN IP address). Use the drop-down list box to select a DNS server IP address that the ISP assigns in the field to the right.
Select User-Defined if you have the IP address of a DNS server. Enter the DNS server's IP address in the field to the right. If you chose User-Defined, but leave the IP address set to 0.0.0.0, User-Defined changes to None after you click Apply. If you set a second choice to User-Defined, and enter the same IP address, the second User-Defined changes to None after you click Apply.
Select DNS Relay to have the ZyWALL act as a DNS proxy. The ZyWALL's LAN IP address displays in the field to the right (read-only). The ZyWALL tells the DHCP client on the LAN that the ZyWALL itself is the DNS server. When a computer on the LAN sends a DNS query to the ZyWALL, the ZyWALL forwards the query to the ZyWALL's system DNS server (configured in the DNS System screen) and relays the response back to the computer. You can only select DNS Relay for one of the three servers; if you select DNS Relay for a second or third DNS server, that choice changes to None after you click Apply.
Select None if you do not want to configure DNS servers. If you do not configure a DNS server, you must know the IP address of a computer in order to access it.
NetBIOS (Network Basic Input/Output System) are TCP or UDP packets that enable a computer to connect to and communicate with a LAN. For some dial-up services such as PPPoE or PPTP, NetBIOS packets cause unwanted calls. However it may sometimes be necessary to allow NetBIOS packets to pass through to the WAN in order to find a computer on the WAN.
Select this check box to forward NetBIOS packets from the LAN to the WAN and from the WAN to the LAN. If your firewall is enabled with the default policy set to block WAN to LAN traffic, you also need to enable the default WAN to LAN firewall rule that forwards NetBIOS traffic.
Clear this check box to block all NetBIOS packets going from the LAN to the WAN and from the WAN to the LAN.

4.5 Configuring Static DHCP

This table allows you to assign one IP address on the LAN to a specific computer based on the MAC address.
Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example, 00:A0:C5:00:00:02.
To change your ZyWALL’s static DHCP settings, click LAN, then the Static DHCP tab. The screen appears as shown.
Figure 24 LAN: Static DHCP
The following table describes the labels in this screen.
Table 19 LAN: Static DHCP
LABEL DESCRIPTION
# This is the index number of the Static IP table entry (row).
MAC Address Type the MAC address (with colons) of a computer on your LAN.
IP Address Type the IP address that you want to assign to the computer on your LAN. Alternatively, click the right mouse button to copy and/or paste the IP address.
Apply Click Apply to save your changes back to the ZyWALL.
Reset Click Reset to begin configuring this screen afresh.
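The constraints this screen and Section 4.5 place on a row (a MAC address of six colon-separated hexadecimal pairs, a static address in the same range as the ZyWALL's LAN address, with the LAN mask derived from the LAN IP address) can be checked before rows are typed in. The following script is an added example and is not part of the user's guide or of ZyNOS; the LAN address is the factory default quoted in the guide, and the rows are constructed.

```python
import ipaddress
import re

# Constructed values for this example: the ZyWALL's factory-default LAN address
# from the guide and a few Static DHCP rows, several of which are deliberately wrong.
ZYWALL_LAN_IP = "192.168.167.1"
SAMPLE_ROWS = [
    ("00:A0:C5:00:00:02", "192.168.167.10"),  # valid row
    ("00-A0-C5-00-00-03", "192.168.167.11"),  # dashes instead of colons
    ("00:A0:C5:00:00:04", "192.168.168.12"),  # not in the ZyWALL's LAN range
    ("00:a0:c5:00:00:02", "192.168.167.13"),  # same MAC as row 1 (case differs)
    ("00:A0:C5:00:00:05", "192.168.167.1"),   # the ZyWALL's own address
]

# Six pairs of hexadecimal characters separated by colons, as the guide describes.
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


def classful_mask(ip: str) -> str:
    """Return the default mask implied by the first octet (class A /8, B /16, C /24).

    The guide says the ZyWALL computes the LAN mask from the IP address you
    assign; this reproduces that classful rule so the range check below matches it.
    """
    first = int(ip.split(".")[0])
    if first < 128:
        return "255.0.0.0"
    if first < 192:
        return "255.255.0.0"
    if first < 224:
        return "255.255.255.0"
    raise ValueError(f"{ip} is not a unicast class A, B or C address")


def check_static_dhcp(lan_ip: str, rows):
    """Validate (MAC, IP) rows for the Static DHCP screen.

    Returns a list of (row_number, problem) tuples; an empty list means every row
    is a well-formed MAC paired with a usable address inside the LAN range.
    """
    lan = ipaddress.ip_network(f"{lan_ip}/{classful_mask(lan_ip)}", strict=False)
    reserved = {lan.network_address, lan.broadcast_address, ipaddress.ip_address(lan_ip)}
    problems = []
    first_row_with_mac = {}
    first_row_with_ip = {}
    for row, (mac, ip) in enumerate(rows, start=1):
        if not MAC_RE.match(mac):
            problems.append((row, f"MAC {mac!r} is not six colon-separated hex pairs"))
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            problems.append((row, f"IP {ip!r} is not in dotted decimal notation"))
            continue
        if addr not in lan:
            problems.append((row, f"IP {ip} is outside the LAN range {lan}"))
        elif addr in reserved:
            problems.append((row, f"IP {ip} is the network, broadcast or ZyWALL address"))
        mac_key = mac.lower()  # the same hardware address may be typed in either case
        if mac_key in first_row_with_mac:
            problems.append((row, f"MAC {mac} already used in row {first_row_with_mac[mac_key]}"))
        if ip in first_row_with_ip:
            problems.append((row, f"IP {ip} already used in row {first_row_with_ip[ip]}"))
        first_row_with_mac.setdefault(mac_key, row)
        first_row_with_ip.setdefault(ip, row)
    return problems


if __name__ == "__main__":
    for row, problem in check_static_dhcp(ZYWALL_LAN_IP, SAMPLE_ROWS):
        print(f"row {row}: {problem}")
```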
CHAPTER 5

WAN Screens

This chapter describes how to configure WAN settings.

5.1 WAN Overview

See Chapter 3 on page 51 for more information on the fields in the WAN screens.

5.1.1 TCP/IP Priority (Metric)

The metric represents the "cost of transmission". A router determines the best route for transmission by choosing a path with the lowest "cost". RIP routing uses hop count as the measurement of cost, with a minimum of "1" for directly connected networks. The number must be between "1" and "15"; a number greater than "15" means the link is down. The smaller the number, the lower the "cost".
The metric sets the priority for the ZyWALL's routes to the Internet. Each route must have a unique metric.

5.1.2 WAN MAC Address

Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example, 00:A0:C5:00:00:02.
Table 20 Example of Network Properties for LAN Servers with Fixed IP Addresses
Choose an IP address 192.168.167.2 ~ 192.168.167.32; 192.168.167.34 ~ 192.168.167.254.
Subnet mask 255.255.255.0
Gateway (or default route) 192.168.167.1 (ZyWALL LAN IP)

5.2 WAN Route Setup

Click WAN to open the Route screen.
Figure 25 WAN: Route
The following table describes the labels in this screen.
Table 21 WAN: Route
LABEL DESCRIPTION
Route Priority
WAN The default WAN connection is "1" as your broadband connection via the WAN port should always be your preferred method of accessing the WAN.
Windows Networking (NetBIOS over TCP/IP): NetBIOS (Network Basic Input/Output System) packets are TCP or UDP packets that enable a computer to connect to and communicate with a LAN. For some dial-up services such as PPPoE or PPTP, NetBIOS packets cause unwanted calls.
Allow between WAN and LAN Select this check box to forward NetBIOS packets from the LAN to the WAN and from the WAN to the LAN. If your firewall is enabled with the default policy set to block WAN to LAN traffic, you also need to enable the default WAN to LAN firewall rule that forwards NetBIOS traffic.
Clear this check box to block all NetBIOS packets going from the LAN to the WAN and from the WAN to the LAN.
Allow Trigger Dial Select this option to allow NetBIOS packets to initiate calls.
Apply Click Apply to save your changes back to the ZyWALL.
Reset Click Reset to begin configuring this screen afresh.

5.3 Configuring WAN Setup

To change your ZyWALL's WAN ISP, IP and MAC settings, click WAN, then the WAN tab. The screen differs by the encapsulation.

5.3.1 Ethernet Encapsulation

The screen shown next is for Ethernet encapsulation.
Figure 26 WAN: WAN: Ethernet
The following table describes the labels in this screen.
Table 22 WAN: WAN: Ethernet
LABEL DESCRIPTION
ISP Parameters for Internet Access
Encapsulation You must choose the Ethernet option when the WAN port is used as a regular Ethernet.
Service Type Choose from Standard, Telstra (RoadRunner Telstra authentication method), RR-Manager (Roadrunner Manager authentication method), RR-Toshiba (Roadrunner Toshiba authentication method) or Telia Login. The following fields do not appear with the Standard service type.
User Name Type the user name given to you by your ISP.
Password Type the password associated with the user name above.
Retype to Confirm Type your password again to make sure that you have entered it correctly.
Login Server IP Address Type the authentication server IP address here if your ISP gave you one. This field is not available for Telia Login.
Login Server (Telia Login only) Type the domain name of the Telia login server, for example login1.telia.com.
Relogin Every(min) (Telia Login only) The Telia server logs the ZyWALL out if the ZyWALL does not log in periodically. Type the number of minutes from 1 to 59 (30 default) for the ZyWALL to wait between logins.
WAN IP Address Assignment
Get automatically from ISP Select this option if your ISP did not assign you a fixed IP address. This is the default selection.
Use Fixed IP Address Select this option if the ISP assigned a fixed IP address.
My WAN IP Address Enter your WAN IP address in this field if you selected Use Fixed IP Address.
My WAN IP Subnet Mask Enter the IP subnet mask (if your ISP gave you one) in this field if you selected Use Fixed IP Address.
Gateway IP Address Enter the gateway IP address (if your ISP gave you one) in this field if you selected Use Fixed IP Address.
Advanced Setup
Enable NAT (Network Address Translation) Network Address Translation (NAT) allows the translation of an Internet protocol address used within one network (for example a private IP address used in a local network) to a different IP address known within another network (for example a public IP address used on the Internet). Select this check box to enable NAT. For more information about NAT see Chapter 11 on page 177.
RIP Direction RIP (Routing Information Protocol) allows a router to exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets. Choose Both, None, In Only or Out Only. When set to Both or Out Only, the ZyWALL will broadcast its routing table periodically. When set to Both or In Only, the ZyWALL will incorporate RIP information that it receives. When set to None, the ZyWALL will not send any RIP packets and will ignore any RIP packets received. By default, RIP Direction is set to Both.
RIP Version The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). Choose RIP-1, RIP-2B or RIP-2M. RIP-1 is universally supported, but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you have an unusual network topology. Both RIP-2B and RIP-2M send the routing data in RIP-2 format; the difference is that RIP-2B uses subnet broadcasting while RIP-2M uses multicasting. Multicasting can reduce the load on non-router machines since they generally do not listen to the RIP multicast address and so will not receive the RIP packets. However, if one router uses multicasting, then all routers on your network must use multicasting, also. By default, the RIP Version field is set to RIP-1.
Enable Multicast Select this check box to turn on IGMP (Internet Group Multicast Protocol). IGMP is a network-layer protocol used to establish membership in a Multicast group - it is not used to carry user data.
Multicast Version Choose None (default), IGMP-V1 or IGMP-V2. IGMP (Internet Group Multicast Protocol) is a session-layer protocol used to establish membership in a Multicast group – it is not used to carry user data. IGMP version 2 (RFC 2236) is an improvement over version 1 (RFC 1112) but IGMP version 1 is still in wide use. If you would like to read more detailed information about interoperability between IGMP version 2 and version 1, please see sections 4 and 5 of RFC 2236.
Spoof WAN MAC Address You can use the factory assigned default MAC address or clone the MAC address from a computer on your LAN. Otherwise, select the check box next to Spoof WAN MAC Address and enter the IP address of the computer on the LAN whose MAC you are cloning. Once it is successfully configured, the address will be copied to the rom file (ZyNOS configuration file). It will not change unless you change the setting or upload a different ROM file.
Clone the computer’s MAC address – IP Address Enter the IP address of the computer on the LAN whose MAC you are cloning. It is recommended that you clone the MAC address prior to hooking up the WAN port.
Apply Click Apply to save your changes back to the ZyWALL.
Reset Click Reset to begin configuring this screen afresh.

5.3.2 PPPoE Encapsulation

The ZyWALL supports PPPoE (Point-to-Point Protocol over Ethernet). PPPoE is an IETF Draft standard (RFC 2516) specifying how a computer interacts with a broadband modem (DSL, cable, wireless, etc.) connection. The PPPoE option is for a dial-up connection using PPPoE.
For the service provider, PPPoE offers an access and authentication method that works with existing access control systems (for example Radius). PPPoE provides a login and authentication method that the existing Microsoft Dial-Up Networking software can activate, and therefore requires no new learning or procedures for Windows users.
One of the benefits of PPPoE is the ability to let you access one of multiple network services, a function known as dynamic service selection. This enables the service provider to easily create and offer new IP services for individuals.
Operationally, PPPoE saves significant effort for both you and the ISP or carrier, as it requires no specific configuration of the broadband modem at the customer site.
By implementing PPPoE directly on the ZyWALL (rather than individual computers), the computers on the LAN do not need PPPoE software installed, since the ZyWALL does that part of the task. Furthermore, with NAT, all of the LANs’ computers will have access.
The screen shown next is for PPPoE encapsulation.
Figure 27 WAN: WAN: PPPoE
The following table describes the labels not previously discussed.
Table 23 WAN: WAN: PPPoE
LABEL DESCRIPTION
ISP Parameters for Internet Access
Encapsulation The PPPoE choice is for a dial-up connection using PPPoE. The router supports PPPoE (Point-to-Point Protocol over Ethernet). PPPoE is an IETF Draft standard (RFC 2516) specifying how a computer interacts with a broadband modem (i.e. DSL, cable, wireless, etc.) connection. Operationally, PPPoE saves significant effort for both the end user and ISP/carrier, as it requires no specific configuration of the broadband modem at the customer site. By implementing PPPoE directly on the router rather than individual computers, the computers on the LAN do not need PPPoE software installed, since the router does that part of the task. Further, with NAT, all of the LAN's computers will have access.
Service Name Type the PPPoE service name provided to you. PPPoE uses a service name to identify and reach the PPPoE server.
Nailed-Up Select Nailed-Up if you do not want the connection to time out.
Idle Timeout This value specifies the time in seconds that elapses before the ZyWALL automatically disconnects from the PPPoE server.
Refer to Table 22 on page 81 for other field descriptions.

5.3.3 PPTP Encapsulation

Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables secure transfer of data from a remote client to a private server, creating a Virtual Private Network (VPN) using TCP/IP-based networks.
PPTP supports on-demand, multi-protocol and virtual private networking over public networks, such as the Internet. The screen shown next is for PPTP encapsulation.
Figure 28 WAN: WAN: PPTP
The following table describes the labels not previously discussed.
Table 24 WAN: WAN: PPTP
LABEL DESCRIPTION
ISP Parameters for Internet Access
Encapsulation Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables secure transfer of data from a remote client to a private server, creating a Virtual Private Network (VPN) using TCP/IP-based networks. PPTP supports on-demand, multi-protocol, and virtual private networking over public networks, such as the Internet. The ZyWALL supports only one PPTP server connection at any given time. To configure a PPTP client, you must configure the User Name and Password fields for a PPP connection and the PPTP parameters for a PPTP connection.
Nailed-up Select Nailed-Up if you do not want the connection to time out.
Idle Timeout This value specifies the time in seconds that elapses before the ZyWALL automatically disconnects from the PPTP server.
PPTP Configuration
My IP Address Type the (static) IP address assigned to you by your ISP.
My IP Subnet Mask Your ZyWALL will automatically calculate the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use the subnet mask computed by the ZyWALL.
Server IP Address Type the IP address of the PPTP server.
Connection ID/Name Type your identification name for the PPTP server.
Refer to Table 22 on page 81 for other field descriptions.

5.4 Dynamic DNS

Dynamic DNS allows you to update your current dynamic IP address with one or many dynamic DNS services so that anyone can contact you (in NetMeeting, CU-SeeMe, etc.). You can also access your FTP server or Web site on your own computer using a domain name (for instance myhost.dhs.org, where myhost is a name of your choice) that will never change instead of using an IP address that changes each time you reconnect. Your friends or relatives will always be able to call you even if they don't know your IP address.
First of all, you need to have registered a dynamic DNS account with www.dyndns.org. This is for people with a dynamic IP from their ISP or DHCP server that would still like to have a domain name. The Dynamic DNS service provider will give you a password or key.
Note: You must go to the Dynamic DNS service provider’s website and register a user account and a domain name before you can use the Dynamic DNS service with your ZyWALL.

5.4.1 DYNDNS Wildcard

Enabling the wildcard feature for your host causes *.yourhost.dyndns.org to be aliased to the same IP address as yourhost.dyndns.org. This feature is useful if you want to be able to use, for example, www.yourhost.dyndns.org and still reach your hostname.
Note: If you have a private WAN IP address, then you cannot use Dynamic DNS.

5.4.2 Configuring Dynamic DNS

To change your ZyWALL’s DDNS, click WAN, then the DDNS tab. The screen appears as shown.
Figure 29 WAN: DDNS
The following table describes the labels in this screen.
Table 25 WAN: DDNS
LABEL DESCRIPTION
Account Setup
Enable DDNS Select this check box to use dynamic DNS.
Service Provider This is the name of your Dynamic DNS service provider.
DDNS Type Select the type of service that you are registered for from your Dynamic DNS service provider. Select Dynamic DNS if you have the Dynamic DNS service. Select Static DNS if you have the Static DNS service. Select Custom DNS if you have the Custom DNS service.
Username Enter your user name. You can use up to 31 alphanumeric characters (and the underscore). Spaces are not allowed.
Password Enter the password associated with the user name above. You can use up to 31 alphanumeric characters (and the underscore). Spaces are not allowed.
Domain Name 1~3 Enter the host names in these fields.
Enable Wildcard Options Select the check box to enable DYNDNS Wildcard.
Enable off line option (Only applies to custom DNS) This option is applicable when Custom DNS is selected in the DDNS Type field. Check with your Dynamic DNS service provider to have traffic redirected to a URL (that you can specify) while you are off line.
IP Address Update Policy Select Use WAN IP Address to have the ZyWALL update the domain name with the WAN port's IP address.
Select DDNS server auto detect IP Address only when there are one or more NAT routers between the ZyWALL and the DDNS server. This feature has the DDNS server automatically detect and use the IP address of the NAT router that has a public IP address.
Select Use specified IP Address and enter the IP address if you have a static IP address.
Note: The DDNS server may not be able to detect the proper IP address if there is an HTTP proxy server between the ZyWALL and the DDNS server.
Apply Click Apply to save your changes back to the ZyWALL.
Reset Click Reset to begin configuring this screen afresh.
CHAPTER 6

Firewalls

This chapter gives some background information on firewalls and introduces the ZyWALL firewall.

6.1 Firewall Overview

Originally, the term firewall referred to a construction technique designed to prevent the spread of fire from one room to another. The networking term firewall is a system or group of systems that enforces an access-control policy between two networks. It may also be defined as a mechanism used to protect a trusted network from an untrusted network. Of course, firewalls cannot solve every security problem. A firewall is one of the mechanisms used to establish a network security perimeter in support of a network security policy. It should never be the only mechanism or method employed. For a firewall to guard effectively, you must design and deploy it appropriately. This requires integrating the firewall into a broad information-security policy. In addition, specific policies must be implemented within the firewall itself.

6.2 Types of Firewalls

There are three main types of firewalls:
1 Packet Filtering Firewalls
2 Application-level Firewalls
3 Stateful Inspection Firewalls

6.2.1 Packet Filtering Firewalls

Packet filtering firewalls restrict access based on the source/destination computer network address of a packet and the type of application.

6.2.2 Application-level Firewalls

Application-level firewalls restrict access by serving as proxies for external servers. Since they use programs written for specific Internet services, such as HTTP, FTP and telnet, they can evaluate network packets for valid application-specific data. Application-level gateways have a number of general advantages over the default mode of permitting application traffic directly to internal hosts:
1 Information hiding prevents the names of internal systems from being made known via DNS to outside systems, since the application gateway is the only host whose name must be made known to outside systems.
2 Robust authentication and logging pre-authenticates application traffic before it reaches internal hosts and causes it to be logged more effectively than if it were logged with standard host logging. Filtering rules at the packet filtering router can be less complex than they would be if the router needed to filter application traffic and direct it to a number of specific systems. The router need only allow application traffic destined for the application gateway and reject the rest.

6.2.3 Stateful Inspection Firewalls

Stateful inspection firewalls restrict access by screening data packets against defined access rules. They make access control decisions based on IP address and protocol. They also "inspect" the session data to assure the integrity of the connection and to adapt to dynamic protocols. These firewalls generally provide the best speed and transparency; however, they may lack the granular application level access control or caching that some proxies support. See Section 6.5 on page 97 for more information on Stateful Inspection.
Firewalls, of one type or another, have become an integral part of standard security solutions for enterprises.

6.3 Introduction to ZyXEL’s Firewall

The ZyWALL firewall is a stateful inspection firewall and is designed to protect against Denial of Service attacks when activated. The ZyWALL’s purpose is to allow a private Local Area Network (LAN) to be securely connected to the Internet. The ZyWALL can be used to prevent theft, destruction and modification of data, as well as log events, which may be important to the security of your network. The ZyWALL also has packet-filtering capabilities.
The ZyWALL is installed between the LAN and a broadband modem connecting to the Internet. This allows it to act as a secure gateway for all data passing between the Internet and the LAN.
The ZyWALL has one Ethernet WAN port and one Ethernet LAN port, which are used to physically separate the network into the following areas.
• The WAN (Wide Area Network) port attaches to the broadband modem (cable or DSL) connecting to the Internet.
• The LAN (Local Area Network) port attaches to a network of computers, which needs security from the outside world. These computers will have access to Internet services such as e-mail, FTP, and the World Wide Web. However, inbound access will not be allowed unless the remote host is authorized to use a specific service.
Figure 30 ZyWALL Firewall Application

6.4 Denial of Service

Denial of Service (DoS) attacks are aimed at devices and networks with a connection to the Internet. Their goal is not to steal information, but to disable a device or network so users no longer have access to network resources. The ZyWALL is pre-configured to automatically detect and thwart all known DoS attacks.

6.4.1 Basics

Computers share information over the Internet using a common language called TCP/IP. TCP/IP, in turn, is a set of application protocols that perform specific functions. An extension number, called the "TCP port" or "UDP port" identifies these protocols, such as HTTP (Web), FTP (File Transfer Protocol), POP3 (E-mail), etc. For example, Web traffic by default uses TCP port 80.
When computers communicate on the Internet, they are using the client/server model, where the server "listens" on a specific TCP/UDP port for information requests from remote client computers on the network. For example, a Web server typically listens on port 80. Please note that while a computer may be intended for use over a single port, such as Web on port 80, other ports are also active. If the person configuring or managing the computer is not careful, a hacker could attack it over an unprotected port.
Some of the most common IP ports are:
Table 26 Common IP Ports
21 FTP
23 Telnet
25 SMTP
53 DNS
80 HTTP
110 POP3

6.4.2 Types of DoS Attacks

There are four types of DoS attacks:
1 Those that exploit bugs in a TCP/IP implementation.
2 Those that exploit weaknesses in the TCP/IP specification.
3 Brute-force attacks that flood a network with useless data.
4 IP Spoofing.
• "Ping of Death" and "Teardrop" attacks exploit bugs in the TCP/IP implementations of various computer and host systems.
a Ping of Death uses a "ping" utility to create an IP packet that exceeds the maximum 65,536 bytes of data allowed by the IP specification. The oversize packet is then sent to an unsuspecting system. Systems may crash, hang or reboot.
b Teardrop attack exploits weaknesses in the reassembly of IP packet fragments. As data is transmitted through a network, IP packets are often broken up into smaller chunks. Each fragment looks like the original IP packet except that it contains an offset field that says, for instance, "This fragment is carrying bytes 200 through 400 of the original (non fragmented) IP packet." The Teardrop program creates a series of IP fragments with overlapping offset fields. When these fragments are reassembled at the destination, some systems will crash, hang, or reboot.
• Weaknesses in the TCP/IP specification leave it open to "SYN Flood" and "LAND" attacks. These attacks are executed during the handshake that initiates a communication session between two applications.
Figure 31 Three-Way Handshake
Under normal circumstances, the application that initiates a session sends a SYN (synchronize) packet to the receiving server. The receiver sends back an ACK (acknowledgment) packet and its own SYN, and then the initiator responds with an ACK (acknowledgment). After this handshake, a connection is established.
a SYN Attack floods a targeted system with a series of SYN packets. Each packet causes the targeted system to issue a SYN-ACK response. While the targeted system waits for the ACK that follows the SYN-ACK, it queues up all outstanding SYN-ACK responses on what is known as a backlog queue. SYN-ACKs are moved off the queue only when an ACK comes back or when an internal timer (which is set at relatively long intervals) terminates the three-way handshake. Once the queue is full, the system will ignore all incoming SYN requests, making the system unavailable for legitimate users.
Figure 32 SYN Flood
b In a LAND Attack, hackers flood SYN packets into the network with a spoofed source IP address of the targeted system. This makes it appear as if the host computer sent the packets to itself, making the system unavailable while the target system tries to respond to itself.
• A brute-force attack, such as a "Smurf" attack, targets a feature in the IP specification known as directed or subnet broadcasting, to quickly flood the target network with useless data. A Smurf hacker floods a router with Internet Control Message Protocol (ICMP) echo request packets (pings). Since the destination IP address of each packet is the broadcast address of the network, the router will broadcast the ICMP echo request packet to all hosts on the network. If there are numerous hosts, this will create a large amount of ICMP echo request and response traffic. If a hacker chooses to spoof the source IP address of the ICMP echo request packet, the resulting ICMP traffic will not only clog up the "intermediary" network, but will also congest the network of the spoofed source IP address, known as the "victim" network. This flood of broadcast traffic consumes all available bandwidth, making communications impossible.
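The two implementation-bug attacks above are both caught before reassembly by checking fragment bookkeeping: Teardrop shows up as a fragment whose offset starts inside data an earlier fragment already covered, and Ping of Death as a reassembled size larger than the 65,535 bytes a 16-bit IP length field can express. The checker below is an added example, not code from the user's guide or from ZyNOS; offsets are given in bytes for readability (the real IP offset field counts 8-byte units) and the capture is constructed.

```python
from dataclasses import dataclass

# An IP header's Total Length field is 16 bits, so no datagram can legitimately
# reassemble to more than 65535 bytes; anything larger is the Ping of Death shape.
MAX_IP_DATAGRAM = 65535


@dataclass(frozen=True)
class Fragment:
    ident: int   # IP Identification field; all fragments of one datagram share it
    offset: int  # byte position of this fragment's data in the original datagram
    length: int  # bytes of data carried by this fragment
    more: bool   # the "more fragments" flag; False marks the last fragment


def judge_datagram(parts):
    """Classify the fragments of one datagram (same ident) before reassembly.

    Returns "ok", "oversize" (reassembled size would exceed MAX_IP_DATAGRAM),
    "overlap" (a fragment starts inside data an earlier fragment already covered,
    the Teardrop condition) or "incomplete" (a hole or no final fragment).
    """
    ordered = sorted(parts, key=lambda f: f.offset)
    if not ordered:
        return "incomplete"
    covered_up_to = 0  # first byte not yet covered by the fragments seen so far
    for frag in ordered:
        if frag.offset + frag.length > MAX_IP_DATAGRAM:
            return "oversize"
        if frag.offset < covered_up_to:
            return "overlap"
        if frag.offset > covered_up_to:
            return "incomplete"  # a fragment is missing; never reassemble around a hole
        covered_up_to = frag.offset + frag.length
    return "incomplete" if ordered[-1].more else "ok"


def check_fragments(fragments):
    """Group a capture by Identification and return {ident: verdict}."""
    by_ident = {}
    for frag in fragments:
        by_ident.setdefault(frag.ident, []).append(frag)
    return {ident: judge_datagram(parts) for ident, parts in by_ident.items()}


# Constructed capture: four datagrams, one benign and three that must be dropped.
SAMPLE_CAPTURE = [
    # 1: ordinary 3460-byte datagram split for a 1500-byte MTU
    Fragment(1, 0, 1480, True), Fragment(1, 1480, 1480, True), Fragment(1, 2960, 500, False),
    # 2: Teardrop shape; the second fragment claims bytes the first already covered
    Fragment(2, 0, 36, True), Fragment(2, 24, 4, False),
    # 3: Ping of Death shape; the last fragment ends past the 16-bit length limit
    Fragment(3, 0, 1480, True), Fragment(3, 65120, 1480, False),
    # 4: final fragment never arrived (and the two present arrive out of order)
    Fragment(4, 1480, 1480, True), Fragment(4, 0, 1480, True),
]

if __name__ == "__main__":
    for ident, verdict in check_fragments(SAMPLE_CAPTURE).items():
        print(f"datagram {ident}: {verdict}")
```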
Figure 33 Smurf Attack
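The backlog queue and timer described for the SYN attack can be modelled directly, which shows both why a legitimate client is refused once the queue fills and the signal a defender watches for (many half-open entries held by one source at once). This is an added Python example, not ZyXEL's code; the queue capacity, timer value and packet trace are constructed, and the source addresses come from the documentation ranges 203.0.113.0/24 and 192.0.2.0/24.

```python
from collections import Counter

# Constructed packet trace: (time in seconds, event, source IP, source port).
# 203.0.113.7 sends SYNs but never completes the handshake; 192.0.2.10 is a
# legitimate client that does.
SAMPLE_TRACE = [
    *[(t, "SYN", "203.0.113.7", 40000 + t) for t in range(8)],  # t = 0..7
    (9, "SYN", "192.0.2.10", 51000),   # arrives while the queue is full
    (40, "SYN", "192.0.2.10", 51001),  # retries after the flood entries time out
    (41, "ACK", "192.0.2.10", 51001),  # completes its handshake
]


class SynBacklog:
    """Model of the backlog queue described in the guide: each SYN-ACK waits here
    until the client's ACK arrives or an internal timer gives up on it."""

    def __init__(self, capacity, timeout):
        self.capacity = capacity
        self.timeout = timeout
        self.pending = {}       # (src_ip, src_port) -> time the SYN-ACK was sent
        self.established = 0    # handshakes completed by an ACK
        self.refused = []       # (time, src_ip) of SYNs ignored because the queue was full

    def expire(self, now):
        """Drop half-open entries whose timer has run out."""
        for key, sent_at in list(self.pending.items()):
            if now - sent_at >= self.timeout:
                del self.pending[key]

    def on_syn(self, src_ip, src_port, now):
        self.expire(now)
        if len(self.pending) >= self.capacity:
            self.refused.append((now, src_ip))  # queue full: the SYN is ignored
            return False
        self.pending[(src_ip, src_port)] = now  # SYN-ACK sent; wait for the ACK
        return True

    def on_ack(self, src_ip, src_port, now):
        if self.pending.pop((src_ip, src_port), None) is None:
            return False  # no half-open entry to complete
        self.established += 1
        return True


def simulate(trace, capacity=8, timeout=30, alert_threshold=5):
    """Replay a trace through the backlog model and flag sources holding too many
    half-open entries at once.

    Returns (backlog, alerts); alerts is a list of (time, src_ip, half_open_count)
    recorded the first time a source crosses alert_threshold.
    """
    backlog = SynBacklog(capacity, timeout)
    alerts, already_flagged = [], set()
    for now, event, src_ip, src_port in trace:
        if event == "SYN":
            backlog.on_syn(src_ip, src_port, now)
            half_open = Counter(ip for ip, _ in backlog.pending)
            if half_open[src_ip] >= alert_threshold and src_ip not in already_flagged:
                already_flagged.add(src_ip)
                alerts.append((now, src_ip, half_open[src_ip]))
        elif event == "ACK":
            backlog.on_ack(src_ip, src_port, now)
    return backlog, alerts


if __name__ == "__main__":
    backlog, alerts = simulate(SAMPLE_TRACE)
    print("established:", backlog.established)
    print("refused SYNs:", backlog.refused)
    print("alerts:", alerts)
```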
6.4.2.1 ICMP Vulnerability
ICMP is an error-reporting protocol that works in concert with IP. The following ICMP types trigger an alert:
Table 27 ICMP Commands That Trigger Alerts
5 REDIRECT
13 TIMESTAMP_REQUEST
14 TIMESTAMP_REPLY
17 ADDRESS_MASK_REQUEST
18 ADDRESS_MASK_REPLY
6.4.2.2 Illegal Commands (NetBIOS and SMTP)
The only legal NetBIOS commands are the following - all others are illegal.
Table 28 Legal NetBIOS Commands
MESSAGE:
REQUEST:
POSITIVE:
NEGATIVE:
RETARGET:
KEEPALIVE:
All SMTP commands are illegal except for those displayed in the following tables.
Table 29 Legal SMTP Commands
AUTH DATA EHLO ETRN EXPN HELO HELP MAIL NOOP
QUIT RCPT RSET SAML SEND SOML TURN VRFY
6.4.2.3 Traceroute
Traceroute is a utility used to determine the path a packet takes between two endpoints. Sometimes, when a packet filter firewall is configured incorrectly, an attacker can traceroute the firewall, gaining knowledge of the network topology inside the firewall.
Many DoS attacks also employ a technique known as "IP Spoofing" as part of their attack. IP Spoofing may be used to break into systems, to hide the hacker's identity, or to magnify the effect of the DoS attack. IP Spoofing is a technique used to gain unauthorized access to computers by tricking a router or firewall into thinking that the communications are coming from within the trusted network. To engage in IP spoofing, a hacker must modify the packet headers so that it appears that the packets originate from a trusted host and should be allowed through the router or firewall. The ZyWALL blocks all IP Spoofing attempts.
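The per-packet checks behind the LAND and Smurf descriptions in Section 6.4.2, the ICMP alert types of Table 27, the SMTP allowlist of Table 29 and the anti-spoofing rule in the paragraph above, written out as an added Python example (it is not ZyWALL firmware code and does not describe how the appliance implements these checks internally). The LAN subnet 192.168.1.0/24, the packet dictionary layout, the alert names and the sample packets are all assumed or constructed here.

```python
"""Packet checks for the attack types in Section 6.4.2 (added example,
not ZyWALL code).  A packet is a dict with keys iface ('LAN' or 'WAN'),
src, dst, proto ('tcp', 'udp' or 'icmp') and, where relevant, icmp_type,
flags (a set of TCP flag names), dport and payload.  The LAN subnet,
alert names and sample packets are assumed or constructed values."""
import ipaddress

LAN_NET = ipaddress.ip_network("192.168.1.0/24")   # assumed LAN subnet
ICMP_ECHO_REQUEST = 8

# Table 27: ICMP types that trigger an alert (type number -> name)
ICMP_ALERT_TYPES = {
    5: "REDIRECT",
    13: "TIMESTAMP_REQUEST",
    14: "TIMESTAMP_REPLY",
    17: "ADDRESS_MASK_REQUEST",
    18: "ADDRESS_MASK_REPLY",
}

# Table 29: the only SMTP commands accepted; every other verb is illegal
LEGAL_SMTP = {
    "AUTH", "DATA", "EHLO", "ETRN", "EXPN", "HELO", "HELP", "MAIL", "NOOP",
    "QUIT", "RCPT", "RSET", "SAML", "SEND", "SOML", "TURN", "VRFY",
}


def smtp_command(line):
    """Return the upper-cased verb of one SMTP client line ('' if blank)."""
    parts = line.split()
    return parts[0].upper() if parts else ""


def check_packet(pkt):
    """Return the list of alert names one packet raises (empty means clean)."""
    alerts = []
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])
    flags = pkt.get("flags", set())

    # LAND: a SYN whose spoofed source equals its destination, so the
    # target would try to answer itself.
    if pkt["proto"] == "tcp" and "SYN" in flags and src == dst:
        alerts.append("LAND")

    # IP spoofing: a packet arriving on the WAN side that claims a LAN
    # source address cannot be genuine and is dropped.
    if pkt["iface"] == "WAN" and src in LAN_NET:
        alerts.append("IP_SPOOFING")

    if pkt["proto"] == "icmp":
        icmp_type = pkt.get("icmp_type")
        # Smurf: echo request sent to the subnet's directed broadcast
        # address, which every host would answer.
        if icmp_type == ICMP_ECHO_REQUEST and dst == LAN_NET.broadcast_address:
            alerts.append("SMURF")
        if icmp_type in ICMP_ALERT_TYPES:
            alerts.append("ICMP_" + ICMP_ALERT_TYPES[icmp_type])

    # Illegal SMTP command: payload of a packet to port 25 whose verb is
    # not in Table 29.
    if pkt["proto"] == "tcp" and pkt.get("dport") == 25 and pkt.get("payload"):
        verb = smtp_command(pkt["payload"])
        if verb and verb not in LEGAL_SMTP:
            alerts.append("ILLEGAL_SMTP_" + verb)
    return alerts


# Constructed sample packets, one per check plus a clean one.
SAMPLE_PACKETS = [
    {"iface": "WAN", "src": "203.0.113.9", "dst": "203.0.113.9",
     "proto": "tcp", "flags": {"SYN"}, "dport": 80},                 # LAND
    {"iface": "WAN", "src": "198.51.100.7", "dst": "192.168.1.255",
     "proto": "icmp", "icmp_type": 8},                               # Smurf
    {"iface": "WAN", "src": "198.51.100.7", "dst": "192.168.1.10",
     "proto": "icmp", "icmp_type": 13},                              # Table 27 type
    {"iface": "WAN", "src": "192.168.1.20", "dst": "192.168.1.10",
     "proto": "tcp", "flags": {"SYN"}, "dport": 22},                # spoofed LAN source
    {"iface": "WAN", "src": "198.51.100.7", "dst": "192.168.1.25",
     "proto": "tcp", "flags": {"ACK", "PSH"}, "dport": 25,
     "payload": "DEBUG\r\n"},                                         # illegal SMTP verb
    {"iface": "LAN", "src": "192.168.1.10", "dst": "198.51.100.7",
     "proto": "tcp", "flags": {"ACK", "PSH"}, "dport": 25,
     "payload": "MAIL FROM:<user@example.com>\r\n"},                 # clean
]


def scan(packets):
    """Map packet index -> alerts for every packet that raised at least one."""
    result = {}
    for i, pkt in enumerate(packets):
        alerts = check_packet(pkt)
        if alerts:
            result[i] = alerts
    return result


if __name__ == "__main__":
    for i, alerts in scan(SAMPLE_PACKETS).items():
        print(i, alerts)
```

Running the block prints the index and alert list of each offending sample packet; the last sample, a legal MAIL command leaving the LAN, raises nothing. A real implementation would take the LAN prefix and its broadcast address from the interface configuration rather than a constant, and the Smurf check would also cover the WAN-side subnet's broadcast address.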

6.5 Stateful Inspection

With stateful inspection, fields of the packets are compared to packets that are already known to be trusted. For example, if you access some outside service, the proxy server remembers things about your original request, like the port number and source and destination addresses. This remembering is called saving the state. When the outside system responds to your request, the firewall compares the received packets with the saved state to determine if they are allowed in. The ZyWALL uses stateful packet inspection to protect the private LAN from hackers and vandals on the Internet. By default, the ZyWALL’s stateful inspection allows all communications to the Internet that originate from the LAN, and blocks all traffic to the LAN that originates from the Internet. In summary, stateful inspection:
• Allows all sessions originating from the LAN (local network) to the WAN (Internet).
• Denies all sessions originating from the WAN to the LAN.
Figure 34 Stateful Inspection
The previous figure shows the ZyWALL’s default firewall rules in action as well as demonstrates how stateful inspection works. User A can initiate a Telnet session from within the LAN and responses to this request are allowed. However other Telnet traffic initiated from the WAN is blocked.

6.5.1 Stateful Inspection Process

In this example, the following sequence of events occurs when a TCP packet leaves the LAN network through the firewall's WAN interface. The TCP packet is the first in a session, and the packet's application layer protocol is configured for a firewall rule inspection:
1 The packet travels from the firewall's LAN to the WAN.
2 The packet is evaluated against the interface's existing outbound access list, and the packet is permitted (a denied packet would simply be dropped at this point).
3 The firewall inspects packets to determine and record information about the state of the packet's connection. This information is recorded in a new state table entry created for the new connection. If there is not a firewall rule for this packet and it is not an attack, then the setting in the Firewall Default Rule screen determines the action for this packet.
4 Based on the obtained state information, a firewall rule creates a temporary access list entry that is inserted at the beginning of the WAN interface's inbound extended access list. This temporary access list entry is designed to permit inbound packets of the same connection as the outbound packet just inspected.
5 The outbound packet is forwarded out through the interface.
6 Later, an inbound packet reaches the interface. This packet is part of the connection previously established with the outbound packet. The inbound packet is evaluated against the inbound access list, and is permitted because of the temporary access list entry previously created.
7 The packet is inspected by a firewall rule, and the connection's state table entry is updated as necessary. Based on the updated state information, the inbound extended access list temporary entries might be modified, in order to permit only packets that are valid for the current state of the connection.
8 Any additional inbound or outbound packets that belong to the connection are inspected to update the state table entry and to modify the temporary inbound access list entries as required, and are forwarded through the interface.
9 When the connection terminates or times out, the connection's state table entry is deleted and the connection's temporary inbound access list entries are deleted.

6.5.2 Stateful Inspection and the ZyWALL

Additional rules may be defined to extend or override the default rules. For example, a rule may be created which will:
1 Block all traffic of a certain type, such as IRC (Internet Relay Chat), from the LAN to the Internet.
2 Allow certain types of traffic from the Internet to specific hosts on the LAN.
3 Allow access to a Web server to everyone but competitors.
4 Restrict use of certain protocols, such as Telnet, to authorized users on the LAN.
These custom rules work by evaluating the network traffic’s Source IP address, Destination IP address, IP protocol type, and comparing these to rules set by the administrator.
Note: The ability to define firewall rules is a very powerful tool. Using custom rules, it is possible to disable all firewall protection or block all access to the Internet. Use extreme caution when creating or deleting firewall rules. Test changes after creating them to make sure they work correctly.
Below is a brief technical description of how these connections are tracked. Connections may either be defined by the upper protocols (for instance, TCP), or by the ZyWALL itself (as with the "virtual connections" created for UDP and ICMP).

6.5.3 TCP Security

The ZyWALL uses state information embedded in TCP packets. The first packet of any new connection has its SYN flag set and its ACK flag cleared; these are "initiation" packets. All packets that do not have this flag structure are called "subsequent" packets, since they represent data that occurs later in the TCP stream.
If an initiation packet originates on the WAN, this means that someone is trying to make a connection from the Internet into the LAN. Except in a few special cases (see Section 6.5.5 on page 100), these packets are dropped and logged.
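The sequence of events in Section 6.5.1, the default and custom rules of Section 6.5.2 and the initiation/subsequent packet distinction of Section 6.5.3, worked through as an added Python simulation of a stateful firewall (this is illustrative code, not ZyWALL firmware, and the appliance's real state table is not described at this level of detail in the guide). The state table is a dictionary keyed by the connection 5-tuple and doubles as the "temporary inbound access list entry" for replies; the 60-second idle timeout, the custom rule blocking IRC on TCP port 6667, the packet dictionary layout and all addresses are assumed or constructed values.

```python
"""Stateful inspection as in Sections 6.5.1 to 6.5.3 (added example, not
ZyWALL code).  A packet is a dict with keys iface ('LAN' or 'WAN'), proto,
src, dst, sport, dport and, for TCP, a set of flags.  Timeout, blocked
ports and addresses are assumed or constructed."""

IDLE_TIMEOUT = 60.0                   # seconds before an idle entry is dropped (assumed)
OUTBOUND_BLOCKED = {("tcp", 6667)}    # custom rule of 6.5.2: no IRC from the LAN (assumed)


def is_initiation(pkt):
    """TCP initiation packet: SYN set and ACK cleared (Section 6.5.3).
    Everything else is a 'subsequent' packet; UDP and ICMP never initiate."""
    flags = pkt.get("flags", set())
    return pkt["proto"] == "tcp" and "SYN" in flags and "ACK" not in flags


def conn_key(pkt):
    """5-tuple of the connection as seen from this packet's sender."""
    return (pkt["proto"], pkt["src"], pkt.get("sport", 0), pkt["dst"], pkt.get("dport", 0))


def reply_key(pkt):
    """Same 5-tuple written from the other side: an inbound reply to a
    LAN-originated connection yields the key the LAN packet created."""
    return (pkt["proto"], pkt["dst"], pkt.get("dport", 0), pkt["src"], pkt.get("sport", 0))


class StatefulFirewall:
    def __init__(self):
        self.state = {}   # conn_key -> time the connection was last seen
        self.log = []     # (reason, conn_key) for every dropped packet

    def _expire(self, now):
        # Step 9: timed-out entries go, and with them the inbound permission.
        for k in [k for k, seen in self.state.items() if now - seen > IDLE_TIMEOUT]:
            del self.state[k]

    def _closes(self, pkt):
        # Simplification: one FIN or RST from either side ends tracking.
        return pkt["proto"] == "tcp" and bool({"FIN", "RST"} & pkt.get("flags", set()))

    def process(self, pkt, now):
        """Return 'PERMIT' or 'DENY' for one packet seen at time `now`."""
        self._expire(now)
        if pkt["iface"] == "LAN":
            # Step 2: outbound access list; the default rule allows LAN -> WAN.
            if (pkt["proto"], pkt.get("dport", 0)) in OUTBOUND_BLOCKED:
                self.log.append(("outbound rule", conn_key(pkt)))
                return "DENY"
            # Steps 3-5: create or refresh the state entry, then forward.
            k = conn_key(pkt)
            if self._closes(pkt):
                self.state.pop(k, None)
            else:
                self.state[k] = now
            return "PERMIT"
        # WAN side: an initiation packet is an attempt to open a connection
        # from the Internet into the LAN; drop it and log it (Section 6.5.3).
        if is_initiation(pkt):
            self.log.append(("WAN initiation", conn_key(pkt)))
            return "DENY"
        # Steps 6-8: a subsequent packet passes only if the LAN opened the
        # connection, i.e. its reply key is already in the table.
        k = reply_key(pkt)
        if k not in self.state:
            self.log.append(("no matching state", conn_key(pkt)))
            return "DENY"
        if self._closes(pkt):
            del self.state[k]
        else:
            self.state[k] = now
        return "PERMIT"


def run_scenario():
    """Telnet session from the LAN as in Figure 34 plus the WAN-side
    attempts the default rules block.  Returns the verdict of each step."""
    fw = StatefulFirewall()
    lan, wan = "192.168.1.10", "203.0.113.5"      # constructed addresses
    syn_out = {"iface": "LAN", "proto": "tcp", "src": lan, "sport": 40001,
               "dst": wan, "dport": 23, "flags": {"SYN"}}
    synack_in = {"iface": "WAN", "proto": "tcp", "src": wan, "sport": 23,
                 "dst": lan, "dport": 40001, "flags": {"SYN", "ACK"}}
    syn_in = {"iface": "WAN", "proto": "tcp", "src": wan, "sport": 50000,
              "dst": lan, "dport": 23, "flags": {"SYN"}}
    stray_in = {"iface": "WAN", "proto": "tcp", "src": wan, "sport": 23,
                "dst": lan, "dport": 40002, "flags": {"ACK"}}
    fin_in = dict(synack_in, flags={"FIN", "ACK"})
    irc_out = dict(syn_out, dport=6667)
    return [
        fw.process(syn_out, 0.0),     # PERMIT: LAN opens Telnet, entry created
        fw.process(synack_in, 0.1),   # PERMIT: reply matches the entry
        fw.process(syn_in, 0.2),      # DENY: initiation from the WAN
        fw.process(stray_in, 0.3),    # DENY: no connection on that port
        fw.process(irc_out, 0.4),     # DENY: custom outbound rule
        fw.process(fin_in, 0.5),      # PERMIT: close, entry deleted
        fw.process(synack_in, 0.6),   # DENY: state gone after the close
    ]


if __name__ == "__main__":
    print(run_scenario())
```

The same table handles the "virtual connections" the text mentions for UDP and ICMP: a DNS query leaving the LAN creates an entry that admits the reply, and once the idle timeout passes a late reply to the same ports is dropped and logged as having no matching state. A production implementation would track the TCP handshake and both FIN directions rather than the one-packet close used here.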