The contents of this publication may not be reproduced in any part or as a whole, transcribed, stored in a
retrieval system, translated into any language, or transmitted in any form or by any means, electronic,
mechanical, magnetic, optical, chemical, photocopying, manual, or otherwise, without the prior written
permission of ZyXEL Communications Corporation.
Published by ZyXEL Communications Corporation. All rights reserved.
Disclaimer
ZyXEL does not assume any liability arising out of the application or use of any products, or software
described herein. Neither does it convey any license under its patent rights nor the patent rights of others.
ZyXEL further reserves the right to make changes in any products described herein without notice. This
publication is subject to change without notice.
Trademarks
ZyNOS (ZyXEL Network Operating System) is a registered trademark of ZyXEL Communications, Inc.
Other trademarks mentioned in this publication are used for identification purposes only and may be
properties of their respective owners.
ZyWALL 1 Internet Security Gateway
Federal Communications Commission (FCC)
Interference Statement
This device complies with Part 15 of FCC rules. Operation is subject to the following two conditions:
• This device may not cause harmful interference.
• This device must accept any interference received, including interference that may cause undesired
operations.
This equipment has been tested and found to comply with the limits for a Class B digital device pursuant to
Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful
interference in a commercial environment. This equipment generates, uses, and can radiate radio frequency
energy, and if not installed and used in accordance with the instructions, may cause harmful interference to
radio communications.
If this equipment does cause harmful interference to radio/television reception, which can be determined by
turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of
the following measures:
1. Reorient or relocate the receiving antenna.
2. Increase the separation between the equipment and the receiver.
3. Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.
4. Consult the dealer or an experienced radio/TV technician for help.
Notice 1
Changes or modifications not expressly approved by the party responsible for compliance could void the
user's authority to operate the equipment.
Certifications
Refer to the product page at www.zyxel.com.
Information for Canadian Users
The Industry Canada label identifies certified equipment. This certification means that the equipment meets
certain telecommunications network protective operation and safety requirements. The Industry Canada label
does not guarantee that the equipment will operate to a user's satisfaction.
Before installing this equipment, users should ensure that it is permissible to be connected to the facilities of
the local telecommunications company. The equipment must also be installed using an acceptable method of
connection. In some cases, the company's inside wiring associated with a single line individual service may
be extended by means of a certified connector assembly. The customer should be aware that compliance with
the above conditions may not prevent degradation of service in some situations.
Repairs to certified equipment should be made by an authorized Canadian maintenance facility designated by
the supplier. Any repairs or alterations made by the user to this equipment, or equipment malfunctions, may
give the telecommunications company cause to request the user to disconnect the equipment.
For their own protection, users should ensure that the electrical ground connections of the power utility,
telephone lines, and internal metallic water pipe system, if present, are connected together. This precaution
may be particularly important in rural areas.
Caution
Users should not attempt to make such connections themselves, but should contact the appropriate electrical
inspection authority, or electrician, as appropriate.
Note
This digital apparatus does not exceed the Class A limits for radio noise emissions from digital apparatus set
out in the radio interference regulations of Industry Canada.
ZyXEL Limited Warranty
ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials or
workmanship for a period of up to one year from the date of purchase. During the warranty period, and upon
proof of purchase, should the product have indications of failure due to faulty workmanship and/or materials,
ZyXEL will, at its discretion, repair or replace the defective products or components without charge for
either parts or labor, and to whatever extent it shall deem necessary to restore the product or components to
proper operating condition. Any replacement will consist of a new or re-manufactured functionally
equivalent product of equal value, and will be solely at the discretion of ZyXEL. This warranty shall not
apply if the product is modified, misused, tampered with, damaged by an act of God, or subjected to
abnormal working conditions.
Note
Repair or replacement, as provided under this warranty, is the exclusive remedy of the purchaser. This
warranty is in lieu of all other warranties, express or implied, including any implied warranty of
merchantability or fitness for a particular use or purpose. ZyXEL shall in no event be held liable for indirect
or consequential damages of any kind of character to the purchaser.
To obtain the services of this warranty, contact ZyXEL's Service Center for your Return Material
Authorization number (RMA). Products must be returned Postage Prepaid. It is recommended that the unit be
insured when shipped. Any returned products without proof of purchase or those with an out-dated warranty
will be repaired or replaced (at the discretion of ZyXEL) and the customer will be billed for parts and labor.
All repaired or replaced products will be shipped by ZyXEL to the corresponding return address, Postage
Paid. This warranty gives you specific legal rights, and you may also have other rights that vary from country
to country.
Online Registration
Don't forget to register your ZyXEL product (fast, easy online registration at www.zyxel.com) for free future
product updates and information.
Customer Support
Please have the following information ready when you contact customer support.
• Product model and serial number.
• Warranty Information.
• Date that you received your device.
• Brief description of the problem and the steps you took to solve it.
ZyXEL Communications
Services GmbH. Thaliastrasse
125a/2/2/4 A-1160 Vienna,
Austria
ZyXEL Deutschland GmbH.
Adenauerstr. 20/A4 D-52146
Wuerselen, Germany
Lot B2-06, PJ Industrial Park,
Section 13, Jalan Kemajuan,
46200 Petaling Jaya Selangor
Darul Ehasn, Malaysia
Table of Contents
Copyright...................................................................................................................................................... ii
Federal Communications Commission (FCC) Interference Statement ................................................. iii
Information for Canadian Users ................................................................................................................iv
Customer Support .......................................................................................................................................vi
List of Figures...............................................................................................................................................xi
List of Tables ...............................................................................................................................................xii
List of Diagrams........................................................................................................................................ xiii
GETTING STARTED ..................................................................................................................................... I
Chapter 1 Getting to Know Your ZyWALL ...........................................................................................1-1
1.1 The ZyWALL 1 Internet Security Gateway............................................................................... 1-1
1.2 Features of the ZyWALL 1 ........................................................................................................ 1-1
8.1 Problems Starting Up the ZyWALL ........................................................................................... 8-1
8.2 Problems with the Password ....................................................................................................... 8-1
8.3 Problems with the LAN Interface ............................................................................................... 8-2
8.4 Problems with the WAN Interface..............................................................................................8-2
8.5 Problems with Internet Access....................................................................................................8-3
8.6 Problems with the Firewall .........................................................................................................8-3
Appendix A PPPoE...................................................................................................................................... A
Appendix B PPTP........................................................................................................................................ C
Appendix C Power Adapter Specifications ................................................................................................F
Glossary........................................................................................................................................................ G
Index ...........................................................................................................................................................Q
List of Figures
Figure 1-1 Internet Access Application ......................................................................................................... 1-4
Figure 2-1 Front Panel ................................................................................................................................... 2-1
Figure 7-2 Restore Using FTP Session Example........................................................................................... 7-6
Figure 7-3 FTP Session Example of Firmware File Upload..........................................................................7-7
List of Tables
Table 2-1 LED Descriptions...........................................................................................................................2-1
Table 2-2 Ethernet Cable Requirements for LAN 10/100M Port Connections ..............................................2-4
Table 4-1 Private IP Address Ranges .............................................................................................................4-3
Table 4-2 Example of Network Properties for LAN Servers with Fixed IP Addresses..................................4-4
Table 5-1 Services and Port Numbers.............................................................................................................5-5
Table 5-2 VPN and NAT..............................................................................................................................5-14
Table 5-3 Telecommuter and Headquarters Configuration Example ...........................................................5-16
Table 5-4 AH and ESP..................................................................................................................................5-19
Table 5-5 SA Monitor Tab Fields.................................................................................................................5-20
Diagram 5 Example Message Exchange between PC and an ANT .................................................................. D
Preface
About Your Gateway
Congratulations on your purchase of the ZyWALL 1 Internet Security Gateway.
The ZyWALL 1 is a dual Ethernet broadband Internet security gateway integrated with an ICSA certified
firewall and network management features designed for telecommuters or home offices and small businesses
to access the Internet via cable/xDSL modem.
Your ZyWALL 1 is easy to install and to configure. The embedded web configurator is a convenient
platform-independent GUI (Graphical User Interface) that allows you to access the ZyWALL's management
settings. Use the web configurator for actual configuration of your ZyWALL.
About This User's Guide
This user's guide helps you connect your ZyWALL hardware, explains how to access the web configurator,
gives you more detail about the features of your ZyWALL and provides some instruction on how to use
FTP/TFTP for a limited number of functions. Advanced users may use the CI commands listed in the support
notes.
Screen specific help (embedded help) is included with the web configurator and
will guide you through ZyWALL configuration.
Related Documentation
• Supporting Disk
More detailed information and examples can be found in our included disk (as well as on the zyxel.com web
site). This disk contains information on configuring your ZyWALL for Internet Access, general and
advanced FAQs, Application Notes, Troubleshooting, a reference for CI Commands and bundled software.
• Quick Start Guide
Our Quick Start Guide is designed to help you get up and running right away. It contains a detailed easy-to-follow connection diagram, default settings, handy checklists and information on setting up your network and
configuring for Internet access.
• ZyXEL Web Page and FTP Server Site
You can access product certifications, release notes and firmware upgrade information at ZyXEL web and
FTP sites. Refer to the Customer Support page for more information.
• ZyXEL Web Site
The ZyXEL download library at www.zyxel.com contains additional support documentation.
Syntax Conventions
• The ZyWALL 1 may be referred to as the ZyWALL in this guide.
Part I: Getting Started
This section helps you connect and install your ZyWALL.
Chapter 1
Getting to Know Your ZyWALL
This chapter introduces the main features and applications of the ZyWALL as well as a checklist
for fast Internet access.
1.1 The ZyWALL 1 Internet Security Gateway
The ZyWALL 1 is a dual Ethernet Internet Security Gateway with an integrated 4-port switch and robust
network management features for Internet access via external cable/xDSL modem. Equipped with a 10Mbps
Ethernet WAN port, four auto-negotiating 10/100Mbps Ethernet LAN ports and the Network Address
Translation (NAT) feature, the ZyWALL is uniquely suited as a broadband Internet access sharing gateway
for telecommuters and home offices.
1.2 Features of the ZyWALL 1
The following are the main features of the ZyWALL 1.
IPSec VPN Capability
Establish a Virtual Private Network (VPN) to connect to your (home) office using data encryption and the
Internet to provide secure communications without the expense of leased site-to-site lines. The ZyWALL 1
VPN is based on the IPSec standard and is fully interoperable with other IPSec-based VPN products. The
ZyWALL 1 supports 1 SA (Security Association).
Firewall
The ZyWALL uses a stateful inspection firewall with DoS (Denial of Service) protection. By default, when
the firewall is activated, all incoming traffic from the WAN to the LAN is blocked unless it is initiated from
the LAN. The ZyWALL firewall supports TCP/UDP inspection, DoS detection and prevention, real time
alerts, reports and logs.
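The default policy just described (traffic from the WAN to the LAN is dropped unless the LAN side opened the session) is easiest to see in a small stateful-inspection model. The following Python is an added example written for this guide, not ZyXEL code and not how the ZyWALL implements its firewall internally. The LAN prefix 192.168.1. (the factory-default subnet from section 2.5), the WAN addresses and the packet sequence are constructed for the illustration, and closing a session on the first FIN or RST seen is a simplification of real TCP tracking.

```python
from collections import namedtuple

# Added example, not ZyXEL code: a minimal stateful inspection filter that
# applies the ZyWALL default policy (block WAN->LAN unless the LAN initiated).
Packet = namedtuple("Packet", "proto src_ip src_port dst_ip dst_port flags")

LAN_PREFIX = "192.168.1."   # assumption: LAN uses the factory-default subnet


def is_lan(ip):
    return ip.startswith(LAN_PREFIX)


class StatefulFirewall:
    def __init__(self):
        self.sessions = set()   # 5-tuples of LAN-initiated sessions
        self.log = []           # dropped-packet log entries

    @staticmethod
    def _key(proto, lan_ip, lan_port, wan_ip, wan_port):
        return (proto, lan_ip, lan_port, wan_ip, wan_port)

    def handle(self, pkt):
        """Return 'forward' or 'drop' for a single packet crossing the router."""
        if is_lan(pkt.src_ip) and not is_lan(pkt.dst_ip):
            # Outbound: the LAN initiates, so remember the session.
            self.sessions.add(self._key(pkt.proto, pkt.src_ip, pkt.src_port,
                                        pkt.dst_ip, pkt.dst_port))
            return "forward"
        if not is_lan(pkt.src_ip) and is_lan(pkt.dst_ip):
            # Inbound: only replies to a known LAN-initiated session pass.
            key = self._key(pkt.proto, pkt.dst_ip, pkt.dst_port,
                            pkt.src_ip, pkt.src_port)
            if key in self.sessions:
                if pkt.proto == "tcp" and ("FIN" in pkt.flags or "RST" in pkt.flags):
                    self.sessions.discard(key)   # simplification: close on first FIN/RST
                return "forward"
            self.log.append("DROP %s %s:%d -> %s:%d (no LAN-initiated session)"
                            % (pkt.proto, pkt.src_ip, pkt.src_port,
                               pkt.dst_ip, pkt.dst_port))
            return "drop"
        # LAN->LAN traffic is switched locally and never reaches the firewall;
        # anything else (e.g. WAN->WAN) is not routed by this model.
        return "drop"


def demo():
    """Run a constructed packet sequence; returns (verdicts, firewall)."""
    fw = StatefulFirewall()
    seq = [
        Packet("tcp", "192.168.1.33", 40000, "203.0.113.10", 80, ("SYN",)),       # LAN opens HTTP
        Packet("tcp", "203.0.113.10", 80, "192.168.1.33", 40000, ("SYN", "ACK")), # reply: allowed
        Packet("tcp", "198.51.100.7", 5555, "192.168.1.33", 445, ("SYN",)),       # unsolicited: dropped
        Packet("udp", "192.168.1.40", 53000, "203.0.113.53", 53, ()),             # LAN DNS query
        Packet("udp", "203.0.113.53", 53, "192.168.1.40", 53000, ()),             # DNS reply: allowed
        Packet("tcp", "203.0.113.10", 80, "192.168.1.33", 40000, ("FIN", "ACK")), # closes HTTP session
        Packet("tcp", "203.0.113.10", 80, "192.168.1.33", 40000, ("ACK",)),       # after close: dropped
    ]
    return [fw.handle(p) for p in seq], fw


if __name__ == "__main__":
    verdicts, fw = demo()
    for line in fw.log:
        print(line)
    print(verdicts)
```

The two dropped packets are the ones the real-time alerts and logs mentioned above would report: an unsolicited connection attempt from the WAN, and a stray segment arriving after its session was closed.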
4-Port Switch
A combination of switch and router makes your ZyWALL a cost-effective and viable network solution. You
can add up to four computers to the ZyWALL without the cost of a hub. Add more than four computers to
your LAN by using a hub.
Auto-negotiating LAN 10/100M Ethernet/Fast LAN Interface
A bandwidth-sensitive 10/100Mbps switch provides greater network efficiency than traditional hubs because
the bandwidth is dedicated and not shared. This auto-negotiation feature allows the ZyWALL to detect the
speed of incoming transmissions and adjust appropriately without manual intervention. It allows data transfer
of either 10 Mbps or 100 Mbps in either half-duplex or full-duplex mode depending on your Ethernet
network.
Content Filtering
The ZyWALL can block web features such as ActiveX controls, Java applets and cookies, as well as disable
web proxies. The ZyWALL can also block specific URLs by using the keyword feature.
Web Configurator
Your ZyWALL includes an intuitive web configurator that makes setup and configuration easy. Included
with the web configurator is embedded help designed to assist you during setup/configuration.
NAT (Network Address Translation)/SUA (Single User Account)
NAT (RFC 1631) or SUA allows the translation of an Internet Protocol address used within one network to a
different IP address known within another network. NAT/SUA allows you to direct traffic to individual
computers on your LAN, or to a designated default server computer, based on the port number request of
incoming traffic. You may enter a single port number or a range of port numbers to be forwarded, and the
local IP address of the desired server.
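To show the translation this section describes, here is an added Python model (not ZyXEL code) of many-to-one NAT for outbound sessions, where every LAN host shares the single WAN address, together with inbound port forwarding by single port, port range and designated default server. The WAN address 203.0.113.5, the LAN server addresses and the rule set are constructed for the example, and drawing translated ports from the ephemeral range is an assumption; the ZyWALL's actual rule limits and port-allocation scheme are not documented on this page.

```python
import itertools

# Added example, not ZyXEL code: many-to-one NAT ("SUA") plus port forwarding.
WAN_IP = "203.0.113.5"   # assumption: address the ISP assigned to the WAN port


class SuaNat:
    def __init__(self, wan_ip, forwarding_rules, default_server=None):
        self.wan_ip = wan_ip
        # Forwarding rules are (first_port, last_port, lan_ip); a single port
        # is written with first_port == last_port.
        for first, last, lan_ip in forwarding_rules:
            if not (1 <= first <= last <= 65535):
                raise ValueError("bad port range %r-%r for %s" % (first, last, lan_ip))
        self.rules = list(forwarding_rules)
        self.default_server = default_server
        self.outbound = {}   # (lan_ip, lan_port) -> translated WAN port
        self.inbound = {}    # translated WAN port -> (lan_ip, lan_port)
        self._ports = itertools.count(49152)   # assumption: dynamic ports from the ephemeral range

    def translate_outbound(self, lan_ip, lan_port):
        """LAN host -> Internet: rewrite the source to the single WAN address."""
        key = (lan_ip, lan_port)
        if key not in self.outbound:
            wan_port = next(self._ports)
            self.outbound[key] = wan_port
            self.inbound[wan_port] = key
        return (self.wan_ip, self.outbound[key])

    def translate_inbound(self, dst_port):
        """Internet -> WAN address: pick the LAN destination, or None to discard."""
        # 1. Replies to sessions that a LAN host opened.
        if dst_port in self.inbound:
            return self.inbound[dst_port]
        # 2. Explicit forwarding rules (single port or range); first match wins.
        for first, last, lan_ip in self.rules:
            if first <= dst_port <= last:
                return (lan_ip, dst_port)
        # 3. The designated default server, if one is configured.
        if self.default_server is not None:
            return (self.default_server, dst_port)
        return None


def demo():
    """Constructed rule set: web server on port 80, a 6000-6010 range, a default server."""
    nat = SuaNat(WAN_IP,
                 [(80, 80, "192.168.1.10"), (6000, 6010, "192.168.1.20")],
                 default_server="192.168.1.30")
    out = nat.translate_outbound("192.168.1.33", 40000)
    return {
        "outbound": out,                                   # what the Internet sees
        "reply": nat.translate_inbound(out[1]),            # reply lands on the opener
        "web": nat.translate_inbound(80),                  # single-port rule
        "range": nat.translate_inbound(6005),              # port-range rule
        "default": nat.translate_inbound(2222),            # falls through to default server
        "no_default": SuaNat(WAN_IP, [(80, 80, "192.168.1.10")]).translate_inbound(2222),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print("%-10s %s" % (name, result))
```

Note the order of the three inbound checks: a reply to a LAN-opened session is matched before any forwarding rule, so a forwarded range can never capture traffic belonging to an existing session, and without a default server an unmatched port yields None, meaning the packet is discarded.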
SNMP
SNMP (Simple Network Management Protocol) is a protocol used for exchanging management information
between network devices. SNMP is a member of the TCP/IP protocol suite. Your ZyWALL supports SNMP
agent functionality, which allows a manager station to manage and monitor the ZyWALL through the
network. The ZyWALL supports SNMP version one (SNMPv1).
DHCP Support
DHCP (Dynamic Host Configuration Protocol) allows the individual clients (computers) to obtain the
TCP/IP configuration at start-up from a centralized DHCP server. The ZyWALL has built-in DHCP server
capability, enabled by default, which means it can assign IP addresses, an IP default gateway and DNS
servers to Windows 9X, Windows NT and other systems that support the DHCP client. The ZyWALL can
also act as a surrogate DHCP server (DHCP Relay) where it relays IP address assignment from the actual real
DHCP server to the clients.
Dynamic DNS Support
With Dynamic DNS support, you can have a static host name alias for a dynamic IP address, allowing the
host to be more easily accessible from various locations on the Internet. You must register for this service
with a Dynamic DNS client.
IP Multicast
Traditionally, IP packets are transmitted in two ways - unicast or broadcast. Multicast is a third way to
deliver IP packets to a group of hosts. IGMP (Internet Group Management Protocol) is the protocol used to
support multicast groups. The latest version is version 2 (see RFC 2236). The ZyWALL supports versions 1
and 2.
PPPoE Support
PPPoE facilitates the interaction of a host with a broadband modem to achieve access to high-speed data
networks via a familiar "dial-up networking" user interface.
PPTP Support
Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables secure transfer of data from a
remote client to a private server, creating a Virtual Private Network (VPN) using a TCP/IP-based network.
PPTP supports on-demand, multi-protocol and virtual private networking over public networks, such as the
Internet. Use PPTP to connect to a broadband modem to achieve access to high-speed data networks via a
familiar "dial-up networking" user interface.
Full Network Management
Your ZyWALL has a convenient web configurator and also supports an FTP (File Transfer Protocol) server
for remote management and TFTP (Trivial FTP). Advanced users can also use FTP/TFTP and CI commands
for configuration and management.
RoadRunner Support
In addition to standard cable modem services, the ZyWALL supports Time Warner's RoadRunner Service.
Time and Date
The ZyWALL gets the current time and date from an external server when you turn it on. The real time is
then displayed in the web configurator and logs.
Logging and Tracing
Built-in message logging and packet tracing.
Embedded FTP and TFTP Servers
The ZyWALL's embedded FTP and TFTP servers enable fast firmware upgrades as well as configuration file
backups and restoration.
1.3 ZyWALL VPN Application
A cable or DSL modem can connect to the ZyWALL for broadband Internet access via Ethernet port on the
modem. It provides not only high speed Internet access, but also management features and protection for
your internal network. A typical Internet access application is shown next.
Figure 1-1 Internet Access Application
Chapter 2
Hardware Installation
This chapter shows you how to connect hardware and perform the initial setup.
2.1 ZyWALL Front and Rear Panels
2.1.1 Front Panel LEDs
The LEDs on the front panel indicate the operational status of the ZyWALL.
Figure 2-1 Front Panel
The following table describes ZyWALL LED functions.
Table 2-1 LED Descriptions
LED      COLOR   STATUS    DESCRIPTION
SYS      Green   On        The ZyWALL is on and receiving power.
                 Off       The ZyWALL is not receiving power.
                 Flashing  The ZyWALL is performing a self-test.
WAN      Green   On        The WAN link is connected.
                 Off       The WAN link is not ready, or has failed.
                 Flashing  The 10M WAN link is sending/receiving packets.
LAN 1-4  Green   On        The ZyWALL is connected to a 10M LAN.
                 Off       The 10M LAN is not connected.
                 Flashing  The 10M LAN is sending/receiving packets.
         Orange  On        The ZyWALL is connected to a 100Mbps LAN.
                 Off       The 100M LAN is not connected.
                 Flashing  The 100M LAN is sending/receiving packets.
2.2 ZyWALL Rear Panel and Connections
The following figure shows the rear panel of your ZyWALL 1 and related connections.
Figure 2-2 ZyWALL 1 Rear Panel Connections
2.2.1 WAN 10M Port
Connecting the ZyWALL to a Cable Modem
1. Connect the WAN 10M port on the ZyWALL to the Ethernet port on your cable modem using the
Ethernet cable that came with your cable modem. The Ethernet port on a cable modem is sometimes
labeled "PC" or "Workstation".
Connecting the ZyWALL to a DSL Modem
Connect the WAN 10M port on the ZyWALL to the Ethernet port on your DSL modem using the Ethernet
cable that came with your DSL modem.
2.2.2 LAN 10/100M Ports
You can connect up to four computers directly to the ZyWALL. For each computer, connect a 10/100M
LAN port on the ZyWALL to the Network Adapter on the computer using a straight-through Ethernet cable.
If you want to connect more than four computers to your ZyWALL, you must use an external hub. Connect a
10/100M LAN port on the ZyWALL to a port on the hub using a crossover Ethernet cable.
When the ZyWALL is on and correctly connected to a computer or hub, the
corresponding LAN LED on the front panel will turn on.
2.2.3 UPLINK Button
Pushing the UPLINK button in ("on") lets you connect LAN 10/100M port 4 on the ZyWALL directly to a
computer using a straight-through Ethernet cable. If the UPLINK button is off ("not on"), you must use a
crossover Ethernet cable for this connection.
When connecting the ZyWALL LAN 10/100M port 4 to a hub, press the UPLINK button in ("on") in order to
use a crossover Ethernet cable instead of a straight-through cable.
2.2.4 LAN 10/100M Connections/Uplink Button Usage at a Glance
Table 2-2 Ethernet Cable Requirements for LAN 10/100M Port Connections
LAN 10/100M PORT NUMBER    TYPE OF ETHERNET CABLE FOR CONNECTING THE ZYWALL TO A …
                           COMPUTER            HUB
1                          straight-through    crossover
2                          straight-through    crossover
3                          straight-through    crossover
4 (UPLINK button "off")    straight-through    crossover
4 (UPLINK button "on")     crossover           straight-through
2.2.5 POWER 5VDC Port
Connect the female end of the power adapter to the port labeled POWER 5VDC on the rear panel of your
ZyWALL.
To avoid damage to the ZyWALL, make sure you use the correct power adapter.
Refer to the Power Adapter Specification Appendix for this information.
2.2.6 RESET Button
Refer to section 2.5 for information on the RESET button.
2.3 Additional Installation Requirements
1. A computer(s) with an installed Ethernet NIC (Network Interface Card).
2. A cable/xDSL modem and an ISP account.
2.4 Turning on Your ZyWALL
At this point, you should have connected the LAN port(s), the WAN port and the POWER port to the
appropriate devices or lines. Plug the power adapter into an appropriate power source.
The SYS LED turns on. The WAN LED and the LAN LED(s) turn on after the system tests are complete if
proper connections have been made to the LAN and WAN ports.
2.5 Resetting the ZyWALL
If you have forgotten your password or cannot access the ZyWALL you will need to use the RESET button
on the rear panel of the ZyWALL to reload the factory-default configuration file. Uploading the
configuration file replaces the current configuration file with the default configuration file and deletes all
previous ZyWALL configurations. The following are ZyWALL factory defaults.
• IP address: 192.168.1.1
• Password: 1234
2.5.1 Procedure To Use The RESET Button
Step 1. Use a pen or pointed object to press the RESET button for 5-10 seconds, then release it.
Step 2. If the LAN LEDs flash within 30 seconds, the factory defaults have been restored and the
ZyWALL restarts. Otherwise, go to step 3.
Step 3. Turn the ZyWALL off.
Step 4. While pressing the RESET button, turn the ZyWALL on.
Step 5. Continue to hold the RESET button for about 30 seconds. The ZyWALL restarts.
Step 6. Release the RESET button and wait for the ZyWALL to finish restarting.
2.6 ZyWALL Configuration
2.6.1 Using the Web Configurator
The quickest and easiest way to configure the ZyWALL is via the web configurator. Some configuration
options are available using FTP/TFTP (for example, you can use FTP to upload firmware) and CI commands,
but the web configurator is by far the most comprehensive and user-friendly way to configure your
ZyWALL. Find out how to access the web configurator by reading Chapter 3 or referring to the Quick Start Guide.
2.6.2 Using FTP/TFTP
Refer to Chapter 7 to learn how to upload firmware and configuration files using FTP/TFTP.
2.6.3 Using CI Commands
CI commands are recommended for advanced users only. Refer to the support notes for a list of CI
commands.
Part II: The Web Configurator Screens
This section introduces and describes the ZyWALL web configurator screens including MAIN
MENU, WIZARD SETUP, ADVANCED and MAINTENANCE.
Chapter 3
Introducing the Web Configurator
This chapter describes how to access the ZyWALL web configurator and provides an overview of
ZyWALL features.
3.1 Accessing the ZyWALL Web Configurator
Step 1. Make sure your ZyWALL hardware is properly connected (refer to instructions in Chapter 2).
Step 2. Prepare your computer/computer network to connect to the Internet (refer to the Preparing Your
Network portion of the Quick Start Guide).
Step 3. Launch your web browser.
Step 4. Type “192.168.1.1” as the URL.
Step 5. Type “1234” (default) as the password and click Login. In some versions, the default password
appears automatically – if this is the case, click Login. You should see a screen asking you to
change your password (highly recommended).
Step 6. Type a new password (and retype it to confirm) and click Apply or click Ignore.
Step 7. You should now see the MAIN MENU screen.
Congratulations, you have successfully accessed the web configurator. Refer to the next section for a
summary of how to navigate the web configurator.
The ZyWALL gives priority of use on a "first come, first serve" basis. That is, if
you have already connected to your ZyWALL via the web configurator, you will not
be logged out if another user logs in and vice versa.
The ZyWALL automatically times out after five minutes of inactivity. Simply log
back into the ZyWALL if this happens to you.
3.2 Navigating the ZyWALL Web Configurator
The following summarizes how to navigate the web configurator from the MAIN MENU screen.
Figure 3-1 The MAIN MENU Screen of the Web Configurator
• Click WIZARD SETUP for initial configuration including general setup, ISP parameters for Internet
Access and WAN IP/DNS Server/MAC address assignment.
• Click ADVANCED to configure advanced features such as SYSTEM (General Setup, Dynamic DNS,
Password, Time Zone), LAN (DHCP Setup, TCP/IP Setup), WAN (ISP, IP, MAC), SUA/NAT, STATIC
ROUTE (Route Entry), FIREWALL (Log Settings, Content Filtering, Show Logs) and VPN/IPSec (Setup,
Monitor, Logs).
• Click MAINTENANCE to view information about your ZyWALL or upgrade configuration/firmware
files. Maintenance includes SYSTEM STATUS (Statistics), DHCP TABLE, F/W (firmware) UPGRADE and
CONFIGURATION (Backup, Restore Default).
• Click LOGOUT at any time to exit the web configurator.
Follow the instructions you see in the MAIN MENU screen or click the icon
(located in the top right corner of most screens) to view embedded help.
The icon does not appear in the MAIN MENU screen.
If you forget your password, refer to section 2.5 to reset the default configuration file.
3.3 Overview of the ZyWALL Web Configurator
The following figure illustrates an overview of the features of the web configurator.
Figure 3-2 Overview of the ZyWALL Web Configurator
Chapter 4
The Wizard Setup Screens
This chapter provides information on the Wizard Setup screens in the web configurator.
4.1 Wizard Setup – Screen 1
4.1.1 General Setup and System Name
General Setup contains administrative and system-related information. System Name is for identification
purposes. However, because some ISPs check this name you should enter your computer's "Computer
Name".
• In Windows 95/98 click Start -> Settings -> Control Panel -> Network. Click the Identification tab,
note the entry for the Computer Name field and enter it as the System Name.
• In Windows 2000, click Start -> Settings -> Control Panel and then double-click System. Click the
Network Identification tab and then the Properties button. Note the entry for the Computer name
field and enter it as the System Name.
• In Windows XP, click start -> My Computer -> View system information and then click the
Computer Name tab. Note the entry in the Full computer name field and enter it as the Prestige
System Name.
4.1.2 Domain Name
The Domain Name entry is what is propagated to the DHCP clients on the LAN. If you leave this blank, the
domain name obtained by DHCP from the ISP is used. While you must enter the host name (System Name)
on each individual computer, the domain name can be assigned from the ZyWALL via DHCP.
4.2 Wizard Setup - Screen 2
The ZyWALL offers three choices of encapsulation. They are Ethernet, PPTP or PPPoE.
4.2.1 Ethernet
Choose Ethernet when the WAN port is used as a regular Ethernet.
4.2.2 PPTP Encapsulation
Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables transfer of data from a remote
client to a private server, creating a Virtual Private Network (VPN) using TCP/IP-based networks.
PPTP supports on-demand, multi-protocol, and virtual private networking over public networks, such as the
Internet.
For more information on PPTP, please refer to the PPTP Appendix.
The ZyWALL supports one PPTP server connection at any given time.
4.2.3 PPPoE Encapsulation
Point-to-Point Protocol over Ethernet (PPPoE) functions as a dial-up connection. PPPoE is an IETF (Internet
Engineering Task Force) draft standard specifying how a host personal computer interacts with a broadband
modem (for example xDSL, cable, wireless, etc.) to achieve access to high-speed data networks. It preserves
the existing Microsoft Dial-Up Networking experience and requires no new learning or procedures.
For the service provider, PPPoE offers an access and authentication method that works with existing access
control systems (for instance, Radius). For the user, PPPoE provides a login and authentication method that
the existing Microsoft Dial-Up Networking software can activate, and therefore requires no new learning or
procedures for Windows users.
One of the benefits of PPPoE is the ability to let end users access one of multiple network services, a function
known as dynamic service selection. This enables the service provider to easily create and offer new IP
services for specific users.
Operationally, PPPoE saves significant effort for both the end user and ISP/carrier, as it requires no specific
configuration of the broadband modem at the customer site.
By implementing PPPoE directly on the ZyWALL (rather than individual computers), the computers on the
LAN do not need PPPoE software installed, since the ZyWALL does that part of the task. Furthermore, with
NAT, all of the LAN's computers will have access.
For more information on PPPoE, please refer to the PPPoE Appendix.
4.3 Wizard Setup – Screen 3
4.3.1 WAN IP Address Assignment
Every computer on the Internet must have a unique IP address. If your networks are isolated from the
Internet, for instance, only between your two branch offices, you can assign any IP addresses to the hosts
without problems. However, the Internet Assigned Numbers Authority (IANA) has reserved the following
three blocks of IP addresses specifically for private networks:
Table 4-1 Private IP Address Ranges
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
You can obtain your IP address from the IANA, from an ISP or have it assigned by a private network. If you
belong to a small organization and your Internet access is through an ISP, the ISP can provide you with the
Internet addresses for your local networks. On the other hand, if you are part of a much larger organization,
you should consult your network administrator for the appropriate IP addresses.
Regardless of your particular situation, do not create an arbitrary IP address;
always follow the guidelines above. For more information on address assignment,
please refer to RFC 1597, Address Allocation for Private Internets and RFC 1466,
Guidelines for Management of IP Address Space.
4.3.2 IP Address and Subnet Mask
Similar to the way houses on a street share a common street name, so too do computers on a LAN share one
common network number.
Where you obtain your network number depends on your particular situation. If the ISP or your network
administrator assigns you a block of registered IP addresses, follow their instructions in selecting the IP
addresses and the subnet mask.
If the ISP did not explicitly give you an IP network number, then most likely you have a single user account
and the ISP will assign you a dynamic IP address when the connection is established. If this is the case, it is
recommended that you select a network number from 192.168.0.0 to 192.168.255.0 and you must enable the
Network Address Translation (NAT) feature of the ZyWALL. The Internet Assigned Number Authority
(IANA) reserved this block of addresses specifically for private use; please do not use any other number
unless you are told otherwise. Let's say you select 192.168.1.0 as the network number, which covers 254
individual addresses, from 192.168.1.1 to 192.168.1.254 (zero and 255 are reserved). In other words, the first
three numbers specify the network number while the last number identifies an individual workstation on that
network.
Once you have decided on the network number, pick an IP address that is easy to remember, for instance,
192.168.1.1, for your ZyWALL, but make sure that no other device on your network is using that IP.
The subnet mask specifies the network number portion of an IP address. Your ZyWALL will compute the
subnet mask automatically based on the IP address that you entered. You don't need to change the subnet
mask computed by the ZyWALL unless you are instructed to do otherwise.
4.3.3 DNS Server Address Assignment
Use DNS (Domain Name System) to map a domain name to its corresponding IP address and vice versa, for
instance, the IP address of www.zyxel.com is 204.217.0.2. The DNS server is extremely important because
without it, you must know the IP address of a computer before you can access it.
There are two ways that an ISP disseminates the DNS server addresses.
1. The ISP tells you the DNS server addresses, usually in the form of an information sheet, when you sign
up. If your ISP gives you DNS server addresses, enter them in the DNS Server fields in DHCP Setup.
2. Leave the DNS Server fields in DHCP Setup blank (for example 0.0.0.0). The ZyWALL acts as a DNS
proxy when this field is blank.
Table 4-2 Example of Network Properties for LAN Servers with Fixed IP Addresses
Choose an IP address: 192.168.1.2-192.168.1.32; 192.168.1.65-192.168.1.254
Subnet mask: 255.255.255.0
Gateway (or default route): 192.168.1.1 (ZyWALL LAN IP)
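The addressing rules of sections 4.3.1 and 4.3.2 and of Table 4-2 (private blocks, the classful mask the ZyWALL derives from the address you enter, the usable host range, and the server addresses left free once the gateway address and the DHCP pool are excluded) can be checked with a short script. This is an added example, not ZyXEL code or anything that runs on the ZyWALL; the pool start and size are the factory values from section 5.2.1, and the classful rule (first octet below 128 gives /8, below 192 gives /16, below 224 gives /24) is an assumption about how the gateway computes the mask.

```python
import ipaddress

# RFC 1918 private blocks, the three ranges of Table 4-1
PRIVATE_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_private(addr):
    """True when addr lies in one of the reserved private blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in block for block in PRIVATE_BLOCKS)


def classful_mask(addr):
    """Default (classful) mask from the first octet; assumed to be the rule the gateway applies."""
    first_octet = int(ipaddress.ip_address(addr)) >> 24
    if first_octet < 128:
        return "255.0.0.0"
    if first_octet < 192:
        return "255.255.0.0"
    if first_octet < 224:
        return "255.255.255.0"
    raise ValueError("not a class A, B or C unicast address")


def host_range(addr, mask):
    """First usable host, last usable host and host count for addr/mask."""
    net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    hosts = list(net.hosts())
    return str(hosts[0]), str(hosts[-1]), len(hosts)


def static_server_ranges(network, gateway, pool_start, pool_size):
    """Contiguous ranges a fixed-IP LAN server may use: inside the network,
    excluding the gateway address and the DHCP pool."""
    net = ipaddress.ip_network(network)
    gw = ipaddress.ip_address(gateway)
    pool_first = ipaddress.ip_address(pool_start)
    pool_last = pool_first + pool_size - 1
    ranges, start, prev = [], None, None
    for host in net.hosts():
        reserved = host == gw or pool_first <= host <= pool_last
        if reserved:
            if start is not None:
                ranges.append((str(start), str(prev)))
                start = None
        else:
            if start is None:
                start = host
            prev = host
    if start is not None:
        ranges.append((str(start), str(prev)))
    return ranges


if __name__ == "__main__":
    print(is_private("192.168.1.1"), classful_mask("192.168.1.1"))
    print(host_range("192.168.1.1", "255.255.255.0"))
    # factory LAN: gateway 192.168.1.1, DHCP pool of 32 addresses from 192.168.1.33
    print(static_server_ranges("192.168.1.0/24", "192.168.1.1", "192.168.1.33", 32))
```

With the factory values the last call returns exactly the two ranges Table 4-2 lists, which is the quickest way to confirm that a server you assign a fixed address will not collide with a DHCP lease.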
4.3.4 WAN Setup
You can configure the WAN port's MAC Address by either using the factory default or cloning the MAC
address from a workstation on your LAN. Once it is successfully configured, the address will be copied to
the "rom" file (ZyNOS configuration file). It will not change unless you change the setting or upload a
different "rom" file.
ZyXEL recommends you clone the MAC address from a workstation on your LAN
even if your ISP does not require MAC address authentication.
Your ZyWALL WAN port is always set at half-duplex mode as most cable/DSL modems only support half-duplex mode. Make sure your modem is in half-duplex mode.
Your ZyWALL supports full duplex mode on the LAN side.
4.4 Basic Setup Complete
Well done! You have successfully set up your ZyWALL to operate on your network and access the Internet.
Chapter 5
The Advanced Screens
This chapter provides information on the Advanced screens in the web configurator.
5.1 The System Screen
This section briefly describes the General, DDNS, Password and Time Zone tabs in the System screen.
5.1.1 General Setup
Refer to section 4.1.1.
5.1.2 Dynamic DNS
Dynamic DNS allows you to update your current dynamic IP address with one or many dynamic DNS
services so that anyone can contact you (in NetMeeting, CU-SeeMe, etc.). You can also access your FTP
server or Web site on your own computer using a DNS-like address (for instance myhost.dhs.org, where
myhost is a name of your choice) which will never change instead of using an IP address that changes each
time you reconnect. Your friends or relatives will always be able to call you even if they don't know your IP
address.
First of all, you need to have registered a dynamic DNS account with www.dyndns.org. This is for people
with a dynamic IP from their ISP or DHCP server that would still like to have a DNS name. The Dynamic
DNS service provider will give you a password or key.
DYNDNS Wildcard
Enabling the wildcard feature for your host causes *.yourhost.dyndns.org to be aliased to the same IP address
as yourhost.dyndns.org. This feature is useful if you want to be able to use, for example,
www.yourhost.dyndns.org and still reach your hostname.
If you have a private WAN IP address, then you cannot use Dynamic DNS.
5.1.3 Password
This screen allows you to change the ZyWALL password (recommended).
5.1.4 Time Zone
Use this screen to configure ZyWALL time based on your local time zone.
5.2 The LAN Screen
This section details DHCP setup and LAN TCP/IP in the LAN screen.
5.2.1 DHCP Setup
DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows individual clients to obtain
TCP/IP configuration at start-up from a server. You can configure the ZyWALL as a DHCP server or disable
it. When configured as a server, the ZyWALL provides the TCP/IP configuration for the clients. If set to
None, DHCP service will be disabled and you must have another DHCP server on your LAN, or else the
computer must be manually configured. The ZyWALL can also act as a surrogate DHCP server (DHCP
Relay) where it relays IP address assignment from the actual DHCP server to the clients.
IP Pool Setup
The ZyWALL is pre-configured with a pool of 32 IP addresses starting from 192.168.1.33 to 192.168.1.64.
This configuration leaves 31 IP addresses (excluding the ZyWALL itself) in the lower range for other server
computers, for instance, servers for mail, FTP, TFTP, web, etc., that you may have.
Primary and Secondary DNS Server
Refer to section 4.3.2.
5.2.2 LAN TCP/IP
The ZyWALL has built-in DHCP server capability that assigns IP addresses and DNS servers to systems that
support DHCP client capability.
Factory LAN Defaults
The LAN parameters of the ZyWALL are preset in the factory with the following values:
1. IP address of 192.168.1.1 with subnet mask of 255.255.255.0 (24 bits)
2. DHCP server enabled with 32 client IP addresses starting from 192.168.1.33.
These parameters should work for the majority of installations. If your ISP gives you explicit DNS server
address(es), read the embedded web configurator help regarding what fields need to be configured.
IP Address and Subnet Mask
Refer to section 4.3.2 for this information.
RIP Setup
RIP (Routing Information Protocol, RFC 1058 and RFC 1389) allows a router to exchange routing
information with other routers. RIP Direction controls the sending and receiving of RIP packets. When set
to Both or Out Only, the ZyWALL will broadcast its routing table periodically. When set to Both or In
Only, it will incorporate the RIP information that it receives; when set to None, it will not send any RIP
packets and will ignore any RIP packets received.
RIP Version controls the format and the broadcasting method of the RIP packets that the ZyWALL sends
(it recognizes both formats when receiving). RIP-1 is universally supported; but RIP-2 carries more
information. RIP-1 is probably adequate for most networks, unless you have an unusual network topology.
Both RIP-2B and RIP-2M send routing data in RIP-2 format; the difference being that RIP-2B uses subnet
broadcasting while RIP-2M uses multicasting. Multicasting can reduce the load on non-router machines
since they generally do not listen to the RIP multicast address and so will not receive the RIP packets.
However, if one router uses multicasting, then all routers on your network must use multicasting, also.
By default, RIP Direction is set to Both and RIP Version to RIP-1.
Multicast
Traditionally, IP packets are transmitted in one of either two ways - Unicast (1 sender - 1 recipient) or
Broadcast (1 sender - everybody on the network). Multicast delivers IP packets to a group of hosts on the
network - not everybody and not just 1.
IGMP (Internet Group Multicast Protocol) is a session-layer protocol used to establish membership in a
Multicast group - it is not used to carry user data. IGMP version 2 (RFC 2236) is an improvement over
version 1 (RFC 1112) but IGMP version 1 is still in wide use. If you would like to read more detailed
information about interoperability between IGMP version 2 and version 1, please see sections 4 and 5 of
RFC 2236. The class D IP address is used to identify host groups and can be in the range 224.0.0.0 to
239.255.255.255. The address 224.0.0.0 is not assigned to any group and is used by IP multicast computers.
The address 224.0.0.1 is used for query messages and is assigned to the permanent group of all IP hosts
(including gateways). All hosts must join the 224.0.0.1 group in order to participate in IGMP. The address
224.0.0.2 is assigned to the multicast routers group.
The ZyWALL supports both IGMP version 1 (IGMP-v1) and IGMP version 2 (IGMP-v2). At start up, the
ZyWALL queries all directly connected networks to gather group membership. After that, the ZyWALL
periodically updates this information. IP Multicasting can be enabled/disabled on the ZyWALL LAN and/or
WAN interfaces in the web configurator (ADVANCED->LAN; ADVANCED->WAN). Select None to
disable IP Multicasting on these interfaces.
5.3 The WAN Screen
This screen allows you to configure the WAN parameters of your ZyWALL. Refer to section 4.3. Read
about Network Address Translation in the next section.
5.4 The SUA/NAT Screen
This section discusses SUA (Single User Account)/NAT (Network Address Translation) applications of the
ZyWALL.
5.4.1 Introduction
SUA (Single User Account) is a ZyNOS implementation of a subset of NAT (Network Address Translation).
5.4.2 The SUA Server Screen
A SUA server set is a list of inside (behind NAT on the LAN) servers, for example, web or FTP, that you can
make visible to the outside world even though SUA makes your whole inside network appear as a single
computer to the outside world.
You may enter a single port number or a range of port numbers to be forwarded, and the local IP address of
the desired server. The port number identifies a service; for example, web service is on port 80 and FTP on
port 21. In some cases, such as for unknown services or where one server can support more than one service
(for example both FTP and web service), it might be better to specify a range of port numbers. You can
allocate a server IP address that corresponds to a port or a range of ports.
Many residential broadband ISP accounts do not allow you to run any server processes (such as a Web or
FTP server) from your location. Your ISP may periodically check for servers and may suspend your account
if it discovers any active services at your location. If you are unsure, refer to your ISP.
Default Server IP Address
In addition to the servers for specified services, NAT supports a default server IP address. A default server
receives packets from ports that are not specified in this screen.
If you do not assign a Default Server IP Address, then all packets received for
ports not specified in this screen will be discarded.
5.4.3 Services and Port Numbers
The most often used port numbers are shown in the following table. Please refer to RFC 1700 for further
information about port numbers. Please also refer to the Supporting CD for more examples and details on
SUA/NAT.
Table 5-1 Services and Port Numbers
SERVICE                                                  PORT NUMBER
ECHO                                                     7
FTP (File Transfer Protocol)                             21
SMTP (Simple Mail Transfer Protocol)                     25
DNS (Domain Name System)                                 53
Finger                                                   79
HTTP (Hyper Text Transfer Protocol or WWW, Web)          80
POP3 (Post Office Protocol)                              110
NNTP (Network News Transport Protocol)                   119
SNMP (Simple Network Management Protocol)                161
SNMP trap                                                162
PPTP (Point-to-Point Tunneling Protocol)                 1723
5.4.4 Configuring Servers Behind SUA (Example)
Let’s say you want to assign ports 22-25 to one server, port 80 to another and assign a default server IP
address of 192.168.1.35 as shown in the next figure.
Figure 5-1 Multiple Servers Behind NAT Example
Step 1. In the web configurator, click ADVANCED->SUA/NAT.
Step 2. Configure the SUA/NAT screen as follows.
Figure 5-2 SUA/NAT Web Configurator Screen
If you do not assign a Default Server IP Address, then all packets received for ports
not specified in this screen will be discarded.
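The forwarding decision that the SUA server set of section 5.4.2 makes, including the section 5.4.4 layout (ports 22-25 to one server, port 80 to another, default server 192.168.1.35) and the discard rule stated above, can be modelled as a small lookup table. This is an added example written here, not ZyWALL firmware; the two inside server addresses 192.168.1.33 and 192.168.1.34 and the sample source addresses are constructed, and the refusal to accept overlapping port ranges is this script's own validation rather than a documented ZyWALL behaviour.

```python
import ipaddress


class SuaServerSet:
    """Port-forwarding table of the kind entered in the SUA/NAT screen (constructed model)."""

    def __init__(self, default_server=None):
        self.rules = []                        # (start_port, end_port, inside_ip)
        self.default_server = default_server   # None: unmatched ports are discarded

    def add(self, start_port, end_port, inside_ip):
        if not 1 <= start_port <= end_port <= 65535:
            raise ValueError("port range must lie within 1-65535")
        ipaddress.ip_address(inside_ip)        # rejects a malformed server address
        for s, e, _ in self.rules:             # this script's own overlap check
            if start_port <= e and s <= end_port:
                raise ValueError(f"ports {start_port}-{end_port} overlap rule {s}-{e}")
        self.rules.append((start_port, end_port, inside_ip))

    def resolve(self, dst_port):
        """Inside address an inbound packet for dst_port is forwarded to, or None to discard."""
        for s, e, inside_ip in self.rules:
            if s <= dst_port <= e:
                return inside_ip
        return self.default_server


def forward_inbound(server_set, packets):
    """Split (source, dst_port) inbound packets into forwarded and discarded lists."""
    forwarded, discarded = [], []
    for src, dport in packets:
        target = server_set.resolve(dport)
        if target is None:
            discarded.append((src, dport))
        else:
            forwarded.append((src, dport, target))
    return forwarded, discarded


def example_set(default_server="192.168.1.35"):
    """The section 5.4.4 layout; the two server addresses are constructed."""
    s = SuaServerSet(default_server)
    s.add(22, 25, "192.168.1.33")
    s.add(80, 80, "192.168.1.34")
    return s


if __name__ == "__main__":
    sample = [("198.51.100.7", 80), ("198.51.100.7", 23), ("198.51.100.7", 8080)]
    print(forward_inbound(example_set(), sample))        # 8080 goes to the default server
    print(forward_inbound(example_set(None), sample))    # 8080 is discarded
```

Running it with and without a default server shows the practical difference: with a default server every unmatched inbound port reaches a LAN host, so that host is exposed to anything the firewall does not block; without one, unmatched traffic is dropped at the gateway.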
5.5 The Static Route Screen
Static routes tell the ZyWALL routing information that it cannot learn automatically through other means.
This can arise in cases where RIP is disabled on the LAN.
5.5.1 General Information About Static Routes
Each remote node specifies only the network to which the gateway is directly connected, and the ZyWALL
has no knowledge of the networks beyond. For instance, the ZyWALL knows about network N2 in the
following figure through remote node Router 1. However, the ZyWALL is unable to route a packet to
network N3 because it doesn’t know that there is a route through the same remote node Router 1 (via
gateway Router 2). The static routes are for you to tell the ZyWALL about the networks beyond the remote
nodes.
Figure 5-3 Example of Static Routing Topology
5.5.2 IP Static Route Setup
In the web configurator, click ADVANCED ->STATIC ROUTE. Click a static route index number, then
click Edit. Use the embedded help to assist you in filling out the required information for each static route.
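The situation of section 5.5.1 can be reproduced with a longest-prefix-match lookup: the ZyWALL knows its LAN, a default route to the WAN and the network behind remote node Router 1, but nothing about the network one hop further behind Router 2 until a static route is added. This is an added example, not ZyWALL code; since the figure is not reproduced here, the prefixes for N2 (10.2.0.0/16), N3 (10.3.0.0/16) and Router 1's LAN address (192.168.1.2) are constructed.

```python
import ipaddress


class RoutingTable:
    """Longest-prefix-match route lookup (constructed model of the gateway's table)."""

    def __init__(self):
        self.routes = []   # (network, next_hop, source); next_hop None = directly connected

    def add(self, network, next_hop, source):
        self.routes.append((ipaddress.ip_network(network), next_hop, source))

    def lookup(self, dst):
        """Most specific route covering dst, or None when nothing matches."""
        ip = ipaddress.ip_address(dst)
        best = None
        for net, next_hop, source in self.routes:
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, next_hop, source)
        if best is None:
            return None
        return {"network": str(best[0]), "next_hop": best[1], "source": best[2]}


def build_table(with_static_route):
    """Table as the gateway would hold it before and after the static route for N3 is entered."""
    rt = RoutingTable()
    rt.add("192.168.1.0/24", None, "connected LAN")
    rt.add("0.0.0.0/0", "WAN", "default route")
    rt.add("10.2.0.0/16", "192.168.1.2", "remote node Router 1")    # N2 (constructed prefix)
    if with_static_route:
        rt.add("10.3.0.0/16", "192.168.1.2", "static route")        # N3 behind Router 2, via Router 1
    return rt


if __name__ == "__main__":
    for flag in (False, True):
        print(flag, build_table(flag).lookup("10.3.7.7"))
```

Without the static route a packet for N3 does not fail outright; it matches the default route and leaves through the WAN, which is the more dangerous outcome because private-network traffic is then sent towards the ISP. The static route's longer prefix wins the match and steers it to Router 1.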
5.6 The Firewall Screen
This section provides a brief overview of the firewall portion of your ZyWALL using the web configurator.
You can filter content, restrict services and track/maintain the functions of your firewall in this screen.
5.6.1 Introduction
What is a Firewall?
Originally, the term firewall referred to a construction technique designed to prevent the spread of fire from
one room to another. The networking term “firewall” is a system or group of systems that enforces an access-control policy between two networks. It may also be defined as a mechanism used to protect a trusted
network from an untrusted network. Of course, firewalls cannot solve every security problem. A firewall is
one of the mechanisms used to establish a network security perimeter in support of a network security policy.
It should never be the only mechanism or method employed. For a firewall to guard effectively, you must
design and deploy it appropriately. This requires integrating the firewall into a broad information-security
policy. In addition, specific policies must be implemented within the firewall itself.
The ZyWALL is a Stateful Inspection Firewall.
Stateful inspection firewalls restrict access by screening data packets against defined access rules. They make
access control decisions based on IP address and protocol. They also "inspect" the session data to assure the
integrity of the connection and to adapt to dynamic protocols. These firewalls generally provide the best
speed and transparency, however, they may lack the granular application level access control or caching that
some proxies support. Firewalls, of one type or another, have become an integral part of standard security
solutions for enterprises.
About the ZyWALL Firewall
The ZyWALL firewall is a stateful inspection firewall and is designed to protect against Denial of Service
attacks when activated (click ADVANCED ->LOG SETTINGS and then click the Firewall Active check
box). The ZyWALL’s purpose is to allow a private Local Area Network (LAN) to be securely connected to
the Internet. The ZyWALL can be used to prevent theft, destruction and modification of data, as well as log
events, which may be important to the security of your network.
The ZyWALL is installed between the LAN and a broadband modem connecting to the Internet. This allows
it to act as a secure gateway for all data passing between the Internet and the LAN.
The ZyWALL has one Ethernet WAN port and four Ethernet LAN ports, which are used to physically
separate the network into two areas.
The WAN (Wide Area Network) port attaches to the broadband (cable or DSL) modem to the Internet.
The LAN (Local Area Network) port attaches to a network of computers, which needs security from the
outside world. These computers will have access to Internet services such as e-mail, FTP and the World
Wide Web. However, “inbound access” is not allowed (by default) unless the remote host is
authorized to use a specific service.
Guidelines For Enhancing Security With Your Firewall
1. Change the default password via web configurator.
2. Think about access control before you connect to the network in any way, including attaching a modem
to the port.
3. Limit who can access your router.
4. Don't enable any local service (such as SNMP or NTP) that you don't use. Any enabled service could
present a potential security risk. A determined hacker might be able to find creative ways to misuse the
enabled services to access the firewall or the network.
5. For local services that are enabled, protect against misuse. Protect by configuring the services to
communicate only with specific peers, and protect by configuring rules to block packets for the services
at specific interfaces.
6. Protect against IP spoofing by making sure the firewall is active.
7. Keep the firewall in a secured (locked) room.
Security In General
You can never be too careful! Factors outside your firewall, filtering or NAT can cause security breaches.
Below are some generalizations about what you can do to minimize them.
1. Encourage your company or organization to develop a comprehensive security plan. Good network
administration takes into account what hackers can do and prepares against attacks. The best defense
against hackers and crackers is information. Educate all employees about the importance of security and
how to minimize risk. Produce lists like this one!
2. DSL or cable modem connections are “always-on” connections and are particularly vulnerable because
they provide more opportunities for hackers to crack your system. Turn your computer off when not in
use.
3. Never give out a password or any sensitive information to an unsolicited telephone call or e-mail.
4. Never e-mail sensitive information such as passwords, credit card information, etc., without encrypting
the information first.
5. Never submit sensitive information via a web page unless the web site uses secure connections. You can
identify a secure connection by looking for a small “key” icon on the bottom of your browser (Internet
Explorer 3.02 or better or Netscape 3.0 or better). If a web site uses a secure connection, it is safe to
submit information. Secure web transactions are quite difficult to crack.
6. Never reveal your IP address or other system networking information to people outside your company.
Be careful of files e-mailed to you from strangers. One common way of getting BackOrifice on a system
is to include it as a Trojan horse with other files.
7. Change your passwords regularly. Also, use passwords that are not easy to figure out. The most difficult
passwords to crack are those with upper and lower case letters, numbers and a symbol such as % or #.
8. Upgrade your software regularly. Many older versions of software, especially web browsers, have well
known security deficiencies. When you upgrade to the latest versions, you get the latest patches and
fixes.
9. If you use “chat rooms” or IRC sessions, be careful with any information you reveal to strangers.
10. If your system starts exhibiting odd behavior, contact your ISP. Some hackers will set off hacks that
cause your system to slowly become unstable or unusable.
11. Always shred confidential information, particularly about your computer, before throwing it away. Some
hackers dig through the trash of companies or individuals for information that might help them in an
attack.
5.6.2 Tabs in the Firewall Screen
To access the tabs described next, click ADVANCED and then FIREWALL.
Log Settings
Use this screen to activate the firewall, enter your email/mail server address information, activate Send
Alert/Log features and to assign a trusted computer IP address.
Filter (or Content Filtering)
Use this screen to enable URL keyword blocking, enter/delete/modify keywords you want to block and the
date/time you want to block them.
Services (or Service Blocking)
Use this screen to enable service blocking, enter/delete/modify the services you want to block and the
date/time you want to block them.
Logs (or Show Logs)
Use this screen to view your firewall and content filtering logs.
5.7 About VPN/IPSec
This section provides information about VPN/IPSec.
5.7.1 VPN
A VPN (Virtual Private Network) provides secure communications between sites without the expense of
leased site-to-site lines. A secure VPN is a combination of tunneling, encryption, authentication and access
control used to transport traffic over the Internet or any insecure network that uses the TCP/IP protocol suite
for communication.
5.7.2 IPSec
Internet Protocol Security (IPSec) is a standards-based VPN that offers flexible solutions for secure data
communications across a public network like the Internet. IPSec is built around a number of standardized
cryptographic techniques to provide confidentiality, data integrity and authentication at the IP layer.
5.7.3 Security Association
A Security Association (SA) is a contract between two parties indicating what security parameters, such as
keys and algorithms they will use.
5.7.4 Other Terminology
• Encryption
Encryption is a mathematical operation that transforms data from "plaintext" (readable) to
"ciphertext" (scrambled text) using a "key". The key and clear text are processed by the encryption
operation, which leads to the data scrambling that makes encryption secure. Decryption is the
opposite of encryption: it is a mathematical operation that transforms “ciphertext” to plaintext.
Decryption also requires a key.
Figure 5-4 Encryption and Decryption
• Data Confidentiality
The IPSec sender can encrypt packets before transmitting them across a network.
• Data Integrity
The IPSec receiver can validate packets sent by the IPSec sender to ensure that the data has not been
altered during transmission.
• Data Origin Authentication
The IPSec receiver can verify the source of IPSec packets. This service depends on the data integrity
service.
5.8 IPSec Architecture
The overall IPSec architecture is shown as follows.
Figure 5-5 IPSec Architecture
5.8.1 IPSec Algorithms
The ESP (Encapsulating Security Payload) Protocol (RFC 2406) and AH (Authentication Header) protocol
(RFC 2402) describe the packet formats and the default standards for packet structure (including
implementation algorithms).
The Encryption Algorithm describes the use of encryption techniques such as DES (Data Encryption
Standard) and Triple DES algorithms.
The Authentication Algorithms, HMAC-MD5 (RFC 2403) and HMAC-SHA-1 (RFC 2404), provide an
authentication mechanism for the AH and ESP protocols.
5.9 IPSec and NAT
Read this section if you are running IPSec on a host computer behind the ZyWALL.
NAT is incompatible with the AH protocol in both Transport and Tunnel mode. An IPSec VPN using the
AH protocol digitally signs the outbound packet, both data payload and headers, with a hash value appended
to the packet. When using AH protocol, packet contents (the data payload) are not encrypted.
A NAT device in between the IPSec endpoints will rewrite either the source or destination address with one
of its own choosing. The VPN device at the receiving end will verify the integrity of the incoming packet by
computing its own hash value, and complain that the hash value appended to the received packet doesn't
match. The VPN device at the receiving end doesn't know about the NAT in the middle, so it assumes that
the data has been maliciously altered.
IPSec using ESP in Tunnel mode encapsulates the entire original packet (including headers) in a new IP
packet. The new IP packet's source address is the outbound address of the sending VPN gateway, and its
destination address is the inbound address of the VPN device at the receiving end. When using ESP protocol
with authentication, the packet contents (in this case, the entire original packet) are encrypted. The encrypted
contents, but not the new headers, are signed with a hash value appended to the packet.
Tunnel mode ESP with authentication is compatible with NAT because integrity checks are performed over
the combination of the "original header plus original payload," which is unchanged by a NAT device.
Transport mode ESP with authentication is not compatible with NAT.
Table 5-2 VPN and NAT
SECURITY PROTOCOL    MODE         NAT
AH                   Transport    N
AH                   Tunnel       N
ESP                  Transport    N
ESP                  Tunnel       Y
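The reason behind the AH and ESP tunnel rows of Table 5-2 can be shown with a few lines of Python: compute an integrity check value the way section 5.9 describes (for AH over the header plus payload, for tunnel-mode ESP over the encapsulated original packet only), let a NAT rewrite the outer source address, and re-verify. This is an added example and not ZyXEL code; the key, addresses and payload are constructed, the IP header is reduced to its two addresses, the ICV is HMAC-MD5 truncated to 96 bits as RFC 2403 specifies, and ESP encryption of the body is left out because only the integrity check decides the NAT question. The transport-mode ESP row is not modelled.

```python
import hashlib
import hmac
import ipaddress

# Constructed shared authentication key; a real SA key would come from IKE or manual keying.
AUTH_KEY = b"constructed-demo-auth-key"


def addr_pair(src, dst):
    """Stand-in for the immutable part of an IP header: the source and destination addresses."""
    return ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed


def icv(data):
    """Integrity check value: HMAC-MD5 truncated to 96 bits (RFC 2403)."""
    return hmac.new(AUTH_KEY, data, hashlib.md5).digest()[:12]


def ah_protect(src, dst, payload):
    """AH: the ICV covers the IP header addresses and the unencrypted payload."""
    hdr = addr_pair(src, dst)
    return {"hdr": hdr, "body": payload, "icv": icv(hdr + payload)}


def ah_verify(pkt):
    return hmac.compare_digest(pkt["icv"], icv(pkt["hdr"] + pkt["body"]))


def esp_tunnel_protect(inner_src, inner_dst, payload, gw_src, gw_dst):
    """ESP tunnel mode with authentication: the whole original packet becomes the ESP body
    and the ICV covers only that body, never the new outer header (encryption omitted here)."""
    original_packet = addr_pair(inner_src, inner_dst) + payload
    return {"hdr": addr_pair(gw_src, gw_dst), "body": original_packet, "icv": icv(original_packet)}


def esp_verify(pkt):
    return hmac.compare_digest(pkt["icv"], icv(pkt["body"]))


def nat_rewrite_source(pkt, public_src):
    """What a NAT device between the endpoints does: replace the outer source address."""
    return {**pkt, "hdr": ipaddress.ip_address(public_src).packed + pkt["hdr"][4:]}


def nat_survives(protect, verify):
    """Protect a packet, pass it through NAT and report whether the receiver's check still passes."""
    pkt = protect()
    if not verify(pkt):
        raise RuntimeError("an untouched packet must always verify")
    return verify(nat_rewrite_source(pkt, "203.0.113.9"))


def demo():
    """AH versus tunnel-mode ESP across a NAT, with constructed addresses and payload."""
    payload = b"constructed payload"
    ah = lambda: ah_protect("192.168.1.10", "198.51.100.20", payload)
    esp = lambda: esp_tunnel_protect("192.168.1.10", "10.8.0.5", payload,
                                     "192.168.1.1", "198.51.100.20")
    return {"AH": nat_survives(ah, ah_verify), "ESP tunnel": nat_survives(esp, esp_verify)}


if __name__ == "__main__":
    print(demo())
```

The AH result is exactly the receiver-side symptom the section describes: the recomputed hash no longer matches, and the receiver cannot distinguish a NAT rewrite from deliberate tampering, so it drops the packet. In the ESP tunnel case the rewritten outer header is outside the authenticated region, so the check still passes.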
5.10 The VPN/IPSec Screen - Fields in the VPN/IPSec Setup Tab
To access the VPN/IPSec Setup tab, click ADVANCED and then VPN/IPSec. This section describes the
fields in the VPN/IPSec Setup tab. Fields in this screen vary depending on what you select in the IPSec Keying Mode field.
5.10.1 Active Field
Select this check box to activate this VPN policy.
5.10.2 IPSec Keying Mode Field
Select IKE or Manual from the scroll down menu. Manual is useful for troubleshooting; IKE is more user
friendly.
Make sure the remote gateway has the same configuration in this field.
IKE Phases
There are two phases to every IKE (Internet Key Exchange) negotiation – phase 1 (Authentication) and phase
2 (Key Exchange). A phase 1 exchange establishes an IKE SA (Security Association) and the second one
uses that SA to negotiate SAs for IPSec.
Figure 5-6 Two Phases to set up the IPSec SA
5.10.3 Negotiation Mode Field
Select Main or Aggressive from the scroll down menu.
The Negotiation Mode you select determines how the Security Association (SA) will be established for each
connection through IKE negotiations.
• Main Mode ensures the highest level of security when the communicating parties are
negotiating authentication (phase 1). It uses 6 messages in three round trips (SA negotiation,
Diffie-Hellman exchange and an exchange of nonces (a nonce is a random number)). This mode
features identity protection (your identity is not revealed in the negotiation).
• Aggressive Mode is quicker than Main Mode because it eliminates several steps when the
communicating parties are negotiating authentication (phase 1). However, the trade-off is that the
faster speed limits its negotiating power and it also does not provide identity protection. It is
useful in remote access situations where the address of the initiator is not known by the
responder and both parties want to use pre-shared key authentication.
Make sure the remote gateway has the same configuration in this field.
5.10.4 Source Address Field
Enter the IP address of the computer using the VPN IPSec feature of your ZyWALL.
5.10.5 Destination Address Start Field
Enter the beginning IP address (in a range) of computers on the remote network behind the remote IPSec
gateway.
5.10.6 Destination Address End Field
Enter the end IP address (in a range) of computers on the remote network behind the remote IPSec gateway.
5.10.7 My IP Address Field
My IP Addr is the (initiator) ZyWALL WAN IP address. If this field is configured as 0.0.0.0, then the
ZyWALL will use the current ZyWALL WAN IP address (static or dynamic) to set up the VPN tunnel. If the
My IP Addr changes after setup, then the VPN tunnel will have to be rebuilt.
5.10.8 Secure Gateway IP Address Field
Secure Gateway IP Address is the WAN IP address of the remote IPSec router. Normally it is a static
public IP address (for traffic going through the Internet) but if the peer has a dynamic WAN IP address, set
this field to 0.0.0.0. This may be useful for telecommuters initiating a VPN tunnel to headquarters where
headquarters does not know the WAN IP address of the telecommuter’s device. Only the telecommuter may
initiate the VPN tunnel in this case. See the following table for an example configuration.
Table 5-3 Telecommuter and Headquarters Configuration Example
                            TELECOMMUTER                      HEADQUARTERS
My IP Address:              0.0.0.0 (dynamic IP address       Public static IP address.
                            assigned by the ISP)
Secure Gateway IP Address:  Public static IP address.         0.0.0.0. With this IP address only the
                                                              telecommuter can initiate the IPSec tunnel.
Figure 5-7 Telecommuter’s ZyWALL Configuration
The Secure Gateway IP Address may be configured as 0.0.0.0 only when using IKE
key negotiation and not Manual key negotiation.
A ZyWALL with Secure Gateway IP Address set to 0.0.0.0 may receive multiple VPN
connection requests using the same VPN rule at the same time.
5.10.9 Encapsulation Mode Field
The two modes of operation for IPSec VPNs are Transport mode and Tunnel mode.
Figure 5-8 Transport and Tunnel Mode IPSec Encapsulation
Transport Mode
Transport mode is used to protect upper layer protocols and only affects the data in the IP packet. In
Transport mode, the IP packet contains the security protocol (AH or ESP) located after the original IP
header and options, but before any upper layer protocols contained in the packet (such as TCP and UDP).
With ESP, protection is applied only to the upper layer protocols contained in the packet. The IP header
information and options are not used in the authentication process. Therefore, the originating IP address
cannot be verified for integrity against the data.
With the use of AH as the security protocol, protection is extended forward into the IP header to verify the
integrity of the entire packet by use of portions of the original IP header in the hashing process.
Tunnel Mode
Tunnel mode encapsulates the entire IP packet to transmit it securely. Tunnel mode is required for gateway services to provide access to internal systems. Tunnel mode is fundamentally an IP tunnel with authentication and encryption. This is the most common mode of operation. Tunnel mode is required for gateway to gateway and host to gateway communications. Tunnel mode communications have two sets of IP headers:
• Outside header: The outside IP header contains the destination IP address of the VPN gateway.
• Inside header: The inside IP header contains the destination IP address of the final system behind the VPN gateway. The security protocol appears after the outer IP header and before the inside IP header.
5.10.10 IPSec Protocol Field
The ESP and AH protocols are necessary to create a Security Association (SA), the foundation of an IPSec
VPN. An SA is built from the authentication provided by the AH and ESP protocols. The primary function
of key management is to establish and maintain the SA between systems. Once the SA is established, the
transport of data may commence.
AH (Authentication Header) Protocol
AH protocol (RFC 2402) was designed for integrity, authentication, sequence integrity (replay resistance),
and non-repudiation but not for confidentiality, for which the ESP was designed.
In applications where confidentiality is not required or not sanctioned by government encryption restrictions,
an AH can be employed to ensure integrity. This type of implementation does not protect the information
from dissemination but will allow for verification of the integrity of the information and authentication of the
originator.
ESP (Encapsulating Security Payload) Protocol
The ESP protocol (RFC 2406) provides encryption as well as some of the services offered by AH. ESP
authenticating properties are limited compared to the AH due to the non-inclusion of the IP header
information during the authentication process. However, ESP is sufficient if only the upper layer protocols
need to be authenticated.
An added feature of the ESP is payload padding, which further protects communications by concealing the
size of the packet being transmitted.
Table 5-4 AH and ESP
ESP: Select DES for minimal security and 3DES for maximum.
    DES (default): Data Encryption Standard (DES) is a widely-used method of data encryption using a private (secret) key. DES applies a 56-bit key to each 64-bit block of data.
    3DES: Triple DES (3DES) is a variant of DES, which iterates three times with three separate keys (3 x 56 = 168 bits), effectively doubling the strength of DES.
AH: Select MD5 for minimal security and SHA-1 for maximum security.
    MD5 (default): MD5 (Message Digest 5) produces a 128-bit digest to authenticate packet data.
    SHA1: SHA1 (Secure Hash Algorithm) produces a 160-bit digest to authenticate packet data.
You may configure one IPSec rule in the ZyWALL 1.
5.10.11 Pre-Shared Key Field
A pre-shared key identifies a communicating party during a phase 1 IKE negotiation. It is called “pre-shared”
because you have to share it with another party before you can communicate with them over a secure
connection.
ZyWALL gateways authenticate an IKE VPN session by matching pre-shared keys. Pre-shared keys are best
for small networks with fewer than ten nodes. Enter your pre-shared key here. Enter up to 31 characters. Any
character may be used, including spaces, but trailing spaces are truncated.
5.10.12 Encryption Algorithm Field
When DES is used for data communications, both sender and receiver must know the same secret key, which
can be used to encrypt and decrypt the message or to generate and verify a message authentication code.
The ZyWALL’s DES encryption algorithm uses a 56-bit key.
Strong Encryption, or Triple DES (3DES), is a variation on DES that uses a 168-bit key. As a result, 3DES is
more secure than DES. It also requires more processing power, resulting in slightly increased latency and
decreased throughput.
Press the [SPACE BAR] to choose from 3DES or DES and then press [ENTER].
5.10.13 Authentication Algorithm Field
Authentication algorithms offer strong integrity and authentication by adding authentication information to
IP packets. This authentication information is calculated using header and payload data in the IP packet. This
provides an additional level of security. Choices are MD5 (default - 128 bits) and SHA1 (160 bits).
Using an authentication algorithm and ESP increases the ZyWALL’s processing requirements and
communications latency (delay).
Encapsulation Mode, IPSec Protocol, Pre-Shared Key, Encryption Algorithm and
Authentication Algorithm fields must contain the same parameters as your remote
gateway.
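As an added example (not code from the manual), the following Python script applies the matching requirements of sections 5.10.3 to 5.10.13 to a telecommuter/headquarters rule pair like the one in Table 5-3 and names the IPSec log message to expect for each mismatch; the dictionary field names, the key_negotiation value (IKE or Manual) and the sample addresses are assumptions made for this example.

```python
"""Consistency check for a pair of ZyWALL VPN/IPSec rules (one per gateway).

Added example, not code from the ZyWALL manual. It applies the requirements
stated in sections 5.10.3 to 5.10.13: the listed fields must match, a
Secure Gateway IP Address of 0.0.0.0 is allowed only with IKE, only a side
that knows its peer's address can initiate, and the Phase 2 address ranges
must agree. Field names and sample addresses are assumptions made here.
"""
import ipaddress

# Fields the manual says must contain the same parameters on both gateways.
MUST_MATCH = (
    "negotiation_mode",          # Main or Aggressive
    "encapsulation_mode",        # Tunnel or Transport
    "ipsec_protocol",            # ESP or AH
    "encryption_algorithm",      # DES or 3DES
    "authentication_algorithm",  # MD5 or SHA1
)
MAX_PSK_LEN = 31  # "Enter up to 31 characters"; trailing spaces are truncated


def _in_range(addr, start, end):
    """True if addr lies inside the inclusive IPv4 range start..end."""
    a, s, e = (int(ipaddress.IPv4Address(x)) for x in (addr, start, end))
    return s <= a <= e


def check_rule_pair(a_name, a, b_name, b):
    """Return (problems, initiators) for two rules meant to form one tunnel.

    problems is a list of findings (empty means consistent); initiators lists
    the sides that are able to bring the tunnel up.
    """
    problems = []
    for fld in MUST_MATCH:
        if a[fld] != b[fld]:
            problems.append(f"{fld} differs: {a_name}={a[fld]} {b_name}={b[fld]} "
                            "(expect '!! No proposal chosen' in the IPSec log)")
    # The ZyWALL truncates trailing spaces, so compare the keys as it stores them.
    if a["pre_shared_key"].rstrip() != b["pre_shared_key"].rstrip():
        problems.append("pre_shared_key differs (expect '!! No proposal chosen')")
    for name, rule in ((a_name, a), (b_name, b)):
        if len(rule["pre_shared_key"].rstrip()) > MAX_PSK_LEN:
            problems.append(f"{name}: pre-shared key longer than {MAX_PSK_LEN} characters")
        if rule["secure_gateway_ip"] == "0.0.0.0" and rule["key_negotiation"] != "IKE":
            problems.append(f"{name}: Secure Gateway IP Address 0.0.0.0 is allowed only "
                            "with IKE key negotiation, not Manual")
    # Cross-check addressing from each side's point of view.
    for me, mine, peer_name, peer in ((a_name, a, b_name, b), (b_name, b, a_name, a)):
        gw = mine["secure_gateway_ip"]
        if gw != "0.0.0.0" and peer["my_ip"] not in ("0.0.0.0", gw):
            problems.append(f"{me}: Secure Gateway IP {gw} is not {peer_name}'s "
                            f"My IP Addr {peer['my_ip']}")
        # Phase 2 policy: my destination range must cover the peer's source address.
        if not _in_range(peer["source_address"], mine["dest_start"], mine["dest_end"]):
            problems.append(f"{me}: destination range {mine['dest_start']}-{mine['dest_end']} "
                            f"does not cover {peer_name} source {peer['source_address']} "
                            "(expect '!! Verifying Local ID failed' or "
                            "'!! Verifying Remote ID failed')")
    # Only a side configured with the peer's real address can initiate.
    initiators = [n for n, r in ((a_name, a), (b_name, b)) if r["secure_gateway_ip"] != "0.0.0.0"]
    if not initiators:
        problems.append("both Secure Gateway IP Addresses are 0.0.0.0: neither side can initiate")
    return problems, initiators


def example_rules():
    """Constructed telecommuter/headquarters pair modelled on Table 5-3 (sample data)."""
    common = {
        "negotiation_mode": "Main", "encapsulation_mode": "Tunnel",
        "ipsec_protocol": "ESP", "authentication_algorithm": "SHA1",
        "pre_shared_key": "example-psk-not-for-production", "key_negotiation": "IKE",
    }
    headquarters = dict(common, encryption_algorithm="3DES",
                        my_ip="203.0.113.7", secure_gateway_ip="0.0.0.0",
                        source_address="192.168.1.10",
                        dest_start="10.20.0.1", dest_end="10.20.0.254")
    # Deliberate mismatch: the telecommuter still has the DES default selected.
    telecommuter = dict(common, encryption_algorithm="DES",
                        my_ip="0.0.0.0", secure_gateway_ip="203.0.113.7",
                        source_address="10.20.0.5",
                        dest_start="192.168.1.1", dest_end="192.168.1.254")
    return telecommuter, headquarters


if __name__ == "__main__":
    tc, hq = example_rules()
    problems, initiators = check_rule_pair("telecommuter", tc, "headquarters", hq)
    print("initiators:", initiators)
    for p in problems:
        print("-", p)
    tc["encryption_algorithm"] = "3DES"  # corrected: both sides now use 3DES
    print("after fix:", check_rule_pair("telecommuter", tc, "headquarters", hq)[0])
```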
5.11 The VPN/IPSec Screen - Fields in the SA Monitor Tab
A Security Association (SA) is the group of security settings related to a specific VPN tunnel. This screen
displays active VPN connections. Use the Refresh function to display active VPN connections. This screen
is read-only. The following table describes the fields in this tab.
An SA times out automatically after one minute if there is no traffic.
Table 5-5 SA Monitor Tab Fields
FIELD: DESCRIPTION (Example)
#: This is the security association index number.
Name: This field displays the identification name for this VPN policy. (Example: Taiwan)
Encapsulation: This field displays Tunnel mode or Transport mode. See previous for discussion. (Example: Tunnel)
IPSec Algorithm: This field displays the security protocols used for an SA. ESP provides confidentiality and integrity of data by encrypting the data and encapsulating it into IP packets. Encryption methods include 56-bit DES and 168-bit 3DES. An incoming SA may have an AH in addition to ESP. The Authentication Header provides strong integrity and authentication by adding authentication information to IP packets. This authentication information is calculated using header and payload data in the IP packet. This provides an additional level of security. AH choices are MD5 (default - 128 bits) and SHA1 (160 bits). (Example: ESP DES MD5)
5.12 The VPN/IPSec Screen - Fields in the View IPSec Log Tab
View IPSec and IKE connection logs in this screen. This screen is useful for troubleshooting. The following
table describes the fields in this tab.
Table 5-6 View IPSec Log Tab Fields
FIELD: DESCRIPTION (Example)
Page: Select a number from the drop down list to view the corresponding page. (Example: 1)
#: This is the index number of the IKE/IPSec log. 128 entries are available and are numbered from 0 to 127. Once they are all used, the log will wrap around and the old logs will be lost. (Example: 001)
Time: This is the time the log was recorded, in this format. (Example: 01 Jan 00:01:11)
Logs: This field shows the IKE process by displaying packet exchange information. When the IKE process is successful, the VPN (IKE) tunnel will be listed in the SA Monitor screen. MM means Main Mode, QM means Quick Mode and AG means Aggressive mode. (Example: MM Receiving IKE Packet = 2, Sending IKE Packet = 3)
5.12.1 Example Logs
The following figure shows a typical IPSec and IKE connection log from the initiator of a VPN connection.
Figure 5-9 Example VPN Initiator IPSec Log
The following figure shows a typical log from the VPN connection peer.
Figure 5-10 Example VPN Responder IPSec Log
5.12.2 Example Log Messages
Log messages are useful for troubleshooting. The following tables help explain the logs in Figure 5-9 and
Figure 5-10.
Double exclamation marks (!!) denote an error or warning message.
The following tables show example log messages during IKE key exchange.
Table 5-7 Sample IKE Key Exchange Logs
LOG MESSAGE / DESCRIPTION
Cannot find outbound SA for rule <#d>
    The packet matches the rule index number (#d), but Phase 1 or Phase 2 negotiation for outbound (from the VPN initiator) traffic is not finished yet.
Send Main Mode request to <IP>
Send Aggressive Mode request to <IP>
    The ZyWALL has started negotiation with the peer.
Recv Main Mode request from <IP>
Recv Aggressive Mode request from <IP>
    The ZyWALL has received an IKE negotiation request from the peer.
Send:<Symbol><Symbol>
Recv:<Symbol><Symbol>
    IKE uses the ISAKMP protocol (refer to RFC2408 – ISAKMP) to transmit data. Each ISAKMP packet contains payloads of different types that show in the log - see Table 5-9.
Phase 1 IKE SA process done
    Phase 1 negotiation is finished.
Start Phase 2: Quick Mode
    Phase 2 negotiation is beginning using Quick Mode.
!! IKE Negotiation is in process
    The ZyWALL has begun negotiation with the peer for the connection already, but the IKE key exchange has not finished yet.
!! Duplicate requests with the same cookie
    The ZyWALL has received multiple requests from the same peer but it is still processing the first IKE packet from that peer.
!! No proposal chosen
    The parameters configured for Phase 1 or Phase 2 negotiations don’t match. Please check all protocols and settings for these phases. For example, one party may be using 3DES encryption, but the other party is using DES encryption, so the connection will fail.
!! Verifying Local ID failed
!! Verifying Remote ID failed
    During IKE Phase 2 negotiation, both parties exchange policy details, including local and remote IP address ranges. If these ranges differ, then the connection fails.
!! Local / remote IPs of incoming request conflict with rule <#d>
    If the security gateway is “0.0.0.0”, the ZyWALL will use the peer’s “Local Addr” as its “Remote Addr”. If this IP (range) conflicts with a previously configured rule then the connection is not allowed.
!! Invalid IP <IP start>/<IP end>
    The peer’s “Local IP Addr” range is invalid.
!! Remote IP <IP start> / <IP end> conflicts
    If the security gateway is “0.0.0.0”, the ZyWALL will use the peer’s “Local Addr” as its “Remote Addr”. If a peer’s “Local Addr” range conflicts with other connections, then the ZyWALL will not accept VPN connection requests from this peer.
!! Active connection allowed exceeded
    The ZyWALL limits the number of simultaneous Phase 2 SA negotiations. The IKE key exchange process fails if this limit is exceeded.
!! IKE Packet Retransmit
    The ZyWALL did not receive a response from the peer and so retransmits the last packet sent.
!! Failed to send IKE Packet
    The ZyWALL cannot send IKE packets due to a network error.
!! Too many errors! Deleting SA
    The ZyWALL deletes an SA when too many errors occur.
The following table shows sample log messages during packet transmission.
Table 5-8 Sample IPSec Logs During Packet Transmission
LOG MESSAGE / DESCRIPTION
!! WAN IP changed to <IP>
    If the ZyWALL’s WAN IP changes, all configured “My IP Addr” are changed to “0.0.0.0”. If this field is configured as 0.0.0.0, then the ZyWALL will use the current ZyWALL WAN IP address (static or dynamic) to set up the VPN tunnel.
!! Cannot find Phase 2 SA
    The ZyWALL cannot find a phase 2 SA that corresponds with the SPI of an inbound packet (from the peer); the packet is dropped.
!! Discard REPLAY packet
    If the ZyWALL receives a packet with the wrong sequence number it will discard it.
!! Inbound packet authentication failed
    The authentication configuration settings are incorrect. Please check them.
!! Inbound packet decryption failed
    The decryption configuration settings are incorrect. Please check them.
Rule <#d> idle time out, disconnect
    If an SA has no packets transmitted for a period of time (configurable via CI command), the ZyWALL drops the connection.
The following table shows RFC-2408 ISAKMP payload types that the log displays. Please refer to the RFC
for detailed information on each type.
Table 5-9 RFC-2408 ISAKMP Payload Types
LOG DISPLAY: PAYLOAD TYPE
SA: Security Association
PROP: Proposal
TRANS: Transform
KE: Key Exchange
ID: Identification
CER: Certificate
CER_REQ: Certificate Request
HASH: Hash
SIG: Signature
NONCE: Nonce
NOTFY: Notification
DEL: Delete
VID: Vendor ID
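As an added example (not part of the manual), the following Python code parses log lines of the kind described in Table 5-6, decodes the Send:/Recv: payload symbols with Table 5-9, flags the !! messages of Tables 5-7 and 5-8 with the first setting to check, and summarises the negotiation state; the "<index> <time> <message>" line layout, the space-separated symbols and the constructed sample log are assumptions made here.

```python
"""Parser and summariser for ZyWALL IKE/IPSec log lines.

Added example, not code from the ZyWALL manual. It recognises the message forms
of Tables 5-6 to 5-9. Assumed here: each line is "<index> <time> <message>" as
in the View IPSec Log tab, payload symbols after "Send:"/"Recv:" are space
separated, and rule numbers appear as "<n>".
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Table 5-9: symbol shown in the log -> RFC 2408 ISAKMP payload type
PAYLOAD_TYPES = {
    "SA": "Security Association", "PROP": "Proposal", "TRANS": "Transform",
    "KE": "Key Exchange", "ID": "Identification", "CER": "Certificate",
    "CER_REQ": "Certificate Request", "HASH": "Hash", "SIG": "Signature",
    "NONCE": "Nonce", "NOTFY": "Notification", "DEL": "Delete", "VID": "Vendor ID",
}
MODES = {"MM": "Main Mode", "QM": "Quick Mode", "AG": "Aggressive Mode"}
# "!!" messages from Tables 5-7 and 5-8 paired with the first thing to check.
ERROR_HINTS = (
    ("No proposal chosen", "Phase 1/2 parameters differ: compare encryption, "
     "authentication, encapsulation, IPSec protocol and pre-shared key"),
    ("Verifying", "Phase 2 local/remote address ranges differ"),
    ("Duplicate requests", "peer retried while its first IKE packet was still in process"),
    ("Discard REPLAY packet", "wrong sequence number: replayed or reordered packet dropped"),
    ("Inbound packet authentication", "authentication algorithm settings differ"),
    ("Inbound packet decryption", "encryption settings differ"),
)
LINE_RE = re.compile(r"^(?P<idx>\d+)\s+(?P<time>\d{2} \w{3} \d{2}:\d{2}:\d{2})\s+(?P<msg>.+)$")
RULE_RE = re.compile(r"rule <#?(\d+)>")


@dataclass
class LogEntry:
    index: int
    time: str
    message: str                     # text with any leading "!!" removed
    error: bool = False              # "!!" denotes an error or warning
    mode: Optional[str] = None       # MM, QM or AG prefix
    direction: Optional[str] = None  # "Send" or "Recv" for payload lines
    payloads: List[str] = field(default_factory=list)
    rule: Optional[int] = None
    hint: Optional[str] = None


def parse_line(line: str) -> LogEntry:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    msg = m.group("msg")
    entry = LogEntry(int(m.group("idx")), m.group("time"), msg)
    if msg.startswith("!!"):
        entry.error = True
        msg = entry.message = msg[2:].strip()
        entry.hint = next((h for key, h in ERROR_HINTS if msg.startswith(key)), None)
    entry.mode = next((k for k in MODES if msg.startswith(k + " ")), None)
    if msg.startswith(("Send:", "Recv:")):
        entry.direction = msg[:4]
        entry.payloads = [PAYLOAD_TYPES.get(s, f"unknown({s})") for s in msg[5:].split()]
    r = RULE_RE.search(msg)
    if r:
        entry.rule = int(r.group(1))
    return entry


def parse_log(text: str) -> List[LogEntry]:
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def summarize(entries: List[LogEntry]) -> dict:
    """Condense a log into negotiation state, the errors seen and what to check."""
    phase1_done = any(e.message == "Phase 1 IKE SA process done" for e in entries)
    phase2_started = any(e.message.startswith("Start Phase 2") for e in entries)
    errors = [e for e in entries if e.error]
    if any("Deleting SA" in e.message for e in errors):
        status = "failed (SA deleted)"
    elif phase2_started:
        status = "phase 2 negotiating"
    else:
        status = "phase 1 done" if phase1_done else "phase 1 negotiating"
    return {
        "status": status, "phase1_done": phase1_done, "phase2_started": phase2_started,
        "modes": sorted({MODES[e.mode] for e in entries if e.mode}),
        "errors": [e.message for e in errors],
        "hints": [e.hint for e in errors if e.hint],
    }


# Constructed sample (not a real capture): an initiator whose Phase 2 proposal is rejected.
SAMPLE_LOG = """\
001 01 Jan 00:01:11 Cannot find outbound SA for rule <1>
002 01 Jan 00:01:11 Send Main Mode request to 203.0.113.7
003 01 Jan 00:01:11 Send:SA PROP TRANS
004 01 Jan 00:01:12 MM Receiving IKE Packet = 2
005 01 Jan 00:01:12 Recv:SA PROP TRANS
006 01 Jan 00:01:13 Phase 1 IKE SA process done
007 01 Jan 00:01:13 Start Phase 2: Quick Mode
008 01 Jan 00:01:14 !! No proposal chosen
009 01 Jan 00:01:14 !! Too many errors! Deleting SA
"""
```

Running summarize(parse_log(SAMPLE_LOG)) reports the SA as deleted after Phase 2 started, with the single hint pointing at the mismatched Phase 1/2 parameters.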
Chapter 6
The Maintenance Screens
This chapter briefly describes the Maintenance screens in the web configurator.
6.1 Introduction
The web configurator allows easy maintenance of your ZyWALL and is recommended for all users. If you
prefer to maintain your ZyWALL via FTP/TFTP, refer to Chapter 7. Advanced users may use the CI
commands included in the support notes.
The following are Maintenance screens located in the web configurator. From the MAIN MENU, click MAINTENANCE and the appropriate link to access each of the following screens.
6.2 The System Status Screen
Read-only information here includes system name, ZyNOS firmware version and routing protocols. Also
provided are the IP address, DHCP status and IP subnet mask of both the LAN and WAN.
6.2.1 System Status
Read-only information here includes port status and packet specific statistics. Also provided are “system up
time” and “poll interval(s)”. The Poll Interval(s) field is configurable.
6.3 The DHCP Table Screen
Read-only information here relates to your DHCP status. The DHCP table shows current DHCP Client
information (including IP Address, Host name and MAC Address) of all network clients using the DHCP
server.
6.4 The F/W (Firmware) Upgrade Screen
Follow the instructions in this screen to upload firmware to your ZyWALL.
6.5 The Configuration Screen
Backup, Restore and Default tabs are located in the CONFIGURATION screen. Follow the instructions in
each screen to perform the action described next.
6.5.1 Backup
This screen backs up your current ZyWALL configuration to your computer.
6.5.2 Restore
This screen restores a previously saved configuration file from your computer to your ZyWALL.
6.5.3 Default
This screen clears all user-entered configuration information and returns the ZyWALL to its factory defaults.
You can also press the RESET button on the rear panel to reset the factory defaults of your ZyWALL. Refer
to section 2.5 for more information on the RESET button.
Part III:
Advanced Management Using FTP/TFTP
This section provides information on Firmware and Configuration File Maintenance using
FTP/TFTP.
Chapter 7
Firmware and Configuration File
Maintenance
This chapter tells you how to back up and restore your configuration file as well as upload new
firmware and a new configuration file using FTP/TFTP.
It is strongly recommended that you use the web configurator to perform functions mentioned in this chapter
(refer to Chapter 6). The web configurator is less technical and more intuitive than using FTP/TFTP. Refer to
Chapter 3 to connect to the web configurator. If you wish to use FTP/TFTP, then follow the instructions in this
chapter.
7.1 Filename Conventions
The configuration file (often called the romfile or rom-0) contains the factory default settings in the menus
such as password, DHCP Setup, TCP/IP Setup, etc. It arrives from ZyXEL with a "rom" filename extension.
Once you have customized ZyWALL settings, they can be saved back to your computer under a filename of
your choosing.
ZyNOS (ZyXEL Network Operating System sometimes referred to as the "ras" file) is the system firmware
and has a "bin" filename extension. With many FTP and TFTP clients, the filenames are similar to those seen
next.
ftp> put firmware.bin ras
This is a sample FTP session showing the transfer of the computer file "firmware.bin" to the ZyWALL.
ftp> get rom-0 config.cfg
This is a sample FTP session saving the current configuration to the computer file "config.cfg".
If your (T)FTP client does not allow you to have a destination filename different than the source, you will
need to rename them as the ZyWALL only recognizes "rom-0" and "ras". Be sure you keep unaltered copies
of both files for later use.
The following table is a summary. Please note that the internal filename refers to the filename on ZyWALL
and the external filename refers to the filename not on the ZyWALL, that is, on your computer, local network
or FTP site and so the name (but not the extension) may vary. After uploading new firmware, see the ZyNOS
Firmware Version field in the web configurator by clicking MAINTENANCE->SYSTEM STATUS to
confirm that you have uploaded the correct firmware version.
Table 7-1 Filename Conventions
FILE TYPE           INTERNAL NAME   EXTERNAL NAME   DESCRIPTION
Configuration File  Rom-0           *.rom           This is the configuration filename on the ZyWALL. Uploading the rom-0 file replaces the entire ROM file system, including your ZyWALL configurations, system-related data (including the default password), the error log and the trace log.
Firmware            Ras             *.bin           This is the generic name for the ZyNOS firmware on the ZyWALL.
7.2 Backup Configuration
FTP is the preferred method for backing up your current configuration to your computer because it is very
fast.
Please note that terms "download" and "upload" are relative to the computer. Download means to transfer
from the ZyWALL to the computer, while upload means from your computer to the ZyWALL.
7.2.1 Using the FTP Command from the Command Line
Step 1. Launch the FTP client on your computer.
Step 2. Enter "open", followed by a space and the IP address of your ZyWALL.
Step 3. Press [ENTER] when prompted for a username.
Step 4. Enter your password as requested (the default is "1234").
Step 5. Enter "bin" to set transfer mode to binary.
Step 6. Use "get" to transfer files from the ZyWALL to the computer, for example, "get rom-0
config.rom" transfers the configuration file on the ZyWALL to your computer and renames it
"config.rom". See earlier in this chapter for more information on filename conventions.
Step 7. Enter "quit" to exit the ftp prompt.
7.2.2 Example of FTP Commands from the Command Line
331 Enter PASS command
Password:
230 Logged in
ftp> bin
200 type I OK
ftp> get rom-0 zyxel.rom
200 Port command okay
150 Opening data connection for STOR ras
226 file received OK
ftp: 16384 bytes sent in 1.10Seconds 297.89Kbytes/sec.
ftp> quit
Figure 7-1 FTP Session Example
7.2.3 GUI-based FTP Clients
The following table describes some of the commands that you may see in GUI-based FTP clients.
Table 7-2 General Commands for GUI-based FTP Clients
COMMAND: DESCRIPTION
Host Address: Enter the address of the host server.
Login Type: Anonymous. This is when a user I.D. and password is automatically supplied to the server for anonymous access. Anonymous logins will work only if your ISP or service administrator has enabled this option. Normal. The server requires a unique User ID and Password to login.
Transfer Type: Transfer files in either ASCII (plain text format) or in binary mode.
Initial Remote Directory: Specify the default remote directory (path).
Initial Local Directory: Specify the default local directory (path).
7.2.4 Backup Configuration Using TFTP
The ZyWALL supports the up/downloading of the firmware and the configuration file using TFTP (Trivial
File Transfer Protocol) over LAN. Although TFTP should work over WAN as well, it is not recommended.
To backup the configuration file, follow the procedure shown next.
Step 1. Because TFTP does not have any security checks, the ZyWALL records the IP address of the
telnet client and accepts TFTP requests only from this address.
Step 2. Launch the TFTP client on your computer and connect to the ZyWALL. Set the transfer mode to
binary before starting data transfer.
Step 3. Use the TFTP client (see the next example) to transfer files between the ZyWALL and the
computer. The file name for the configuration file is "rom-0" (rom-zero, not capital letter "O").
For details on TFTP commands (see following example), please consult the
documentation of your TFTP client program. For UNIX, use "get" to transfer from
the ZyWALL to the computer and "binary" to set binary transfer mode.
7.2.5 TFTP Command Example
The following is an example TFTP command:
tftp [-i] host get rom-0 config.rom
where "i" specifies binary image transfer mode (use this mode when transferring binary files), "host" is the
ZyWALL IP address, "get" transfers the file source on the ZyWALL (rom-0, name of the configuration file
on the ZyWALL) to the file destination on the computer and renames it config.rom.
7.2.6 GUI-based TFTP Clients
The following table describes some of the fields that you may see in GUI-based TFTP clients.
Table 7-3 General Commands for GUI-based TFTP Clients
COMMAND: DESCRIPTION
Host: Enter the IP address of the ZyWALL. 192.168.1.1 is the ZyWALL's default IP address when shipped.
Send/Fetch: Use "Send" to upload the file to the ZyWALL and "Fetch" to back up the file on your computer.
Local File: Enter the path and name of the firmware file (*.bin extension) or configuration file (*.rom extension) on your computer.
Remote File: This is the filename on the ZyWALL. The filename for the firmware is "ras" and for the configuration file, is "rom-0".
Binary: Transfer the file in binary mode.
Abort: Stop transfer of the file.
7.3 Restore or Upload a Configuration File
This section shows you how to restore a previously saved configuration. Note that this function erases the
current configuration before restoring a previous backup configuration; please do not attempt to restore
unless you have a backup configuration file stored on disk.
FTP is the preferred method for restoring a configuration file from your computer to your ZyWALL since FTP
file transfer is fast. Please note that you must wait for the system to automatically restart after the file
transfer is complete.
WARNING!
DO NOT INTERRUPT THE FILE TRANSFER PROCESS AS THIS MAY PERMANENTLY
DAMAGE YOUR ZYWALL. WHEN THE RESTORE CONFIGURATION PROCESS IS
COMPLETE, THE ZYWALL WILL AUTOMATICALLY RESTART.
7.3.1 Restore Using FTP
For details about backup using (T)FTP please refer to earlier sections on FTP and TFTP file upload in this
chapter.
Step 1. Launch the FTP client on your computer.
Step 2. Enter "open", followed by a space and the IP address of your ZyWALL.
Step 3. Press [ENTER] when prompted for a username.
Step 4. Enter your password as requested (the default is "1234").
Step 5. Enter "bin" to set transfer mode to binary.
Step 6. Find the "rom" file (on your computer) that you want to restore to your ZyWALL.
Step 7. Use "put" to transfer files from the computer to the ZyWALL, for example, "put config.rom rom-0" transfers the configuration file "config.rom" on your computer to the ZyWALL. See earlier in this chapter for more information on filename conventions.
Step 8. Enter "quit" to exit the ftp prompt. The ZyWALL will automatically restart after a successful
restore process.
7.3.2 Restore Using FTP Session Example
ftp> put config.rom rom-0
200 Port command okay
150 Opening data connection for STOR rom-0
226 File received OK
221 Goodbye for writing flash
ftp: 16384 bytes sent in 0.06Seconds 273.07Kbytes/sec.
ftp> quit
Figure 7-2 Restore Using FTP Session Example
7.4 Uploading a Firmware File
This section shows you how to upload a firmware file. You can upload a configuration file by following the
procedure in section 7.3.
WARNING!
DO NOT INTERRUPT THE FILE TRANSFER PROCESS AS THIS MAY PERMANENTLY
DAMAGE YOUR ZYWALL.
7.4.1 Firmware File Upload
FTP is the preferred method for uploading firmware and configuration files. To use this feature, your
computer must have an FTP client.
7.4.2 FTP File Upload Command from the DOS Prompt Example
Step 1. Launch the FTP client on your computer.
Step 2. Enter "open", followed by a space and the IP address of your ZyWALL.
Step 3. Press [ENTER] when prompted for a username.
Step 4. Enter your password as requested (the default is "1234").
Step 5. Enter "bin" to set transfer mode to binary.
Step 6. Use "put" to transfer files from the computer to the ZyWALL, for example, "put firmware.bin
ras" transfers the firmware on your computer (firmware.bin) to the ZyWALL and renames it
"ras". See earlier in this chapter for more information on filename conventions.
Step 7. Enter "quit" to exit the ftp prompt.
7.4.3 FTP Session Example of Firmware File Upload
331 Enter PASS command
Password:
230 Logged in
ftp> bin
200 type I OK
ftp> put firmware.bin ras
200 Port command okay
150 Opening data connection for STOR ras
226 File received OK
ftp: 1103936 bytes sent in 1.10Seconds 297.89Kbytes/sec.
ftp> quit
Figure 7-3 FTP Session Example of Firmware File Upload
More commands (found in GUI-based FTP clients) are listed earlier in this chapter.
7.4.4 TFTP File Upload
The ZyWALL also supports the uploading of firmware files using TFTP (Trivial File Transfer Protocol) over
LAN. Although TFTP should work over WAN as well, it is not recommended.
To transfer the firmware and the configuration file, follow the procedure shown next.
Step 1. Because TFTP does not have any security checks, the ZyWALL records the IP address of the
telnet client and accepts TFTP requests only from this address.
Step 2. Launch the TFTP client on your computer and connect to the ZyWALL. Set the transfer mode to
binary before starting data transfer.
Step 3. Use the TFTP client (see the example below) to transfer files between the ZyWALL and the
computer. The file name for the firmware is "ras".
For details on TFTP commands (see following example), please consult the documentation of your TFTP
client program. For UNIX, use "get" to transfer from the ZyWALL to the computer, "put" the other way
around, and "binary" to set binary transfer mode.
7.4.5 TFTP Upload Command Example
The following is an example TFTP command:
tftp [-i] host put firmware.bin ras
where "i" specifies binary image transfer mode (use this mode when transferring binary files), "host" is the
ZyWALL's IP address, "put" transfers the file source on the computer (firmware.bin - name of the firmware
on the computer) to the file destination on the remote host (ras - name of the firmware on the ZyWALL).
Commands that you may see in GUI-based TFTP clients are listed earlier in this chapter.
Part IV:
Troubleshooting and Additional Information
This section provides information about solving common problems, some Appendices, as well as a
Glossary and Index.
Chapter 8
Troubleshooting
This chapter covers potential problems and possible remedies. After each problem description,
some instructions are provided to help you to diagnose and to solve the problem. See the
Supporting CD for further information.
8.1 Problems Starting Up the ZyWALL
Table 8-1 Troubleshooting the Start-Up of your ZyWALL
PROBLEM: None of the LEDs are on when I turn on the ZyWALL.
CORRECTIVE ACTION:
Make sure that you have the correct 5 VDC power adapter connected to the ZyWALL and plugged in to an appropriate power source.
If the error persists, you may have a hardware problem. In this case, you should contact your vendor.
8.2 Problems with the Password
Table 8-2 Troubleshooting the Password
PROBLEM: I forgot my password.
CORRECTIVE ACTION:
The default password is “1234”. Enter it in the Login screen.
If you have changed your password and cannot remember it, reset the ZyWALL using the procedure in section 2.5.1.
If the error persists, you may have a hardware problem. In this case, you should contact your vendor.
8.3 Problems with the LAN Interface
Table 8-3 Troubleshooting the LAN Interface
PROBLEM: I cannot access the ZyWALL from the LAN. / I cannot ping any computer on the LAN.
CORRECTIVE ACTION:
Check your Ethernet cable type and connections. Refer to section 2.2 for LAN connection instructions.
Make sure your NIC (Network Interface Card) is installed and functioning properly.
If all of the 10/100M LAN LEDs are off, check the cables between the ZyWALL and your computer or hub.
Verify that the IP addresses and subnet masks of the ZyWALL and the computers on the LAN are on the same subnet.
8.4 Problems with the WAN Interface
Table 8-4 Troubleshooting the WAN Interface
PROBLEM: I cannot get a WAN IP address from the ISP.
CORRECTIVE ACTION:
The WAN IP is provided after the ISP verifies the MAC address, host name or user ID.
Find out the verification method used by your ISP.
If the ISP checks the WAN MAC Address, click MAINTENANCE and then DHCP Table to display the ZyWALL's WAN MAC address. Send it to the ISP.
If the ISP does not allow you to use a new MAC, click ADVANCED, WAN and then the MAC tab. Clone the MAC from the LAN as the WAN. ZyXEL recommends that you configure this menu even if your ISP presently does not require MAC address authentication.
If the ISP checks the host name, enter your computer’s name (refer to Chapter 4 in the User’s Guide) in the System Name field in the first screen of the WIZARD SETUP.
If the ISP checks the user ID, click ADVANCED, WAN and the ISP tab. Check your service type, user name, and password.
8.5 Problems with Internet Access
Table 8-5 Troubleshooting Internet Access
PROBLEM: I cannot access the Internet.
CORRECTIVE ACTION:
Check the ZyWALL's connection to the cable/xDSL device.
Check whether your cable/xDSL device requires a crossover or straight-through cable.
Click ADVANCED and then WAN and verify your settings.
8.6 Problems with the Firewall
Table 8-6 Troubleshooting the Firewall
PROBLEM: I cannot configure the firewall.
CORRECTIVE ACTION:
You will not be able to access the web configurator from the WAN if:
• The firewall is activated, as the firewall by default blocks all WAN to LAN traffic. To access the web configurator from the WAN when the firewall is activated, you will need to create a firewall rule that allows web traffic initiated from the WAN. Limit that rule to the source addresses you actually manage from: a rule that admits web traffic from any WAN host exposes the login screen, and whatever password protects it, to the entire Internet.
• You have blocked a critical web service. Click ADVANCED, FIREWALL and then SERVICES to review which services are currently blocked.
Appendix A
PPPoE
PPPoE in Action
An ADSL modem bridges a PPP session over Ethernet (PPP over Ethernet, RFC 2516) from your PC to an ATM PVC (Permanent Virtual Circuit) which connects to an xDSL Access Concentrator where the PPP session terminates (see the next figure). One PVC can support any number of PPP sessions from your LAN. PPPoE provides access control and billing functionality in a manner similar to dial-up services using PPP.
Benefits of PPPoE
PPPoE offers the following benefits:
1. It provides you with a familiar dial-up networking (DUN) user interface.
2. It lessens the burden on the carriers of provisioning virtual circuits all the way to the ISP on multiple
switches for thousands of users. For GSTN (PSTN & ISDN), the switching fabric is already in place.
3. It allows the ISP to use the existing dial-up model to authenticate and (optionally) to provide
differentiated services.
Traditional Dial-up Scenario
The following diagram depicts a typical hardware configuration where PCs use traditional dial-up
networking.
Diagram 1 Single-PC per Modem Hardware Configuration
How PPPoE Works
The PPPoE driver makes the Ethernet appear as a serial link to the PC and the PC runs PPP over it, while the
modem bridges the Ethernet frames to the Access Concentrator (AC). Between the AC and an ISP, the AC is
acting as a L2TP (Layer 2 Tunneling Protocol) LAC (L2TP Access Concentrator) and tunnels the PPP
frames to the ISP. The L2TP tunnel is capable of carrying multiple PPP sessions.
With PPPoE, the VC (Virtual Circuit) is equivalent to the dial-up connection and is between the modem and
the AC, as opposed to all the way to the ISP. However, the PPP negotiation is between the PC and the ISP.
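Before any PPP frame crosses the link, RFC 2516's discovery stage has to find the access concentrator and obtain a session ID. The following is an added example (not from the ZyXEL guide or the ZyWALL firmware) that builds and parses the PADI/PADO/PADR/PADS frames and walks one exchange between a host and an AC. The MAC addresses, service name and AC name are constructed, and os.urandom stands in for whatever a real endpoint uses for its Host-Uniq and AC-Cookie values.

```python
"""PPPoE discovery stage (RFC 2516): build, parse and exercise PADI/PADO/PADR/PADS.

Added example, not ZyXEL code.  MAC addresses, service name and AC name are
constructed for illustration.
"""
import os
import struct

ETH_P_PPPOE_DISC = 0x8863      # Ethertype of the discovery stage (session stage is 0x8864)
PPPOE_VER_TYPE = 0x11          # VER = 1 and TYPE = 1, packed into one byte
CODE_PADI, CODE_PADO, CODE_PADR, CODE_PADS, CODE_PADT = 0x09, 0x07, 0x19, 0x65, 0xA7
TAG_EOL, TAG_SERVICE_NAME, TAG_AC_NAME, TAG_HOST_UNIQ, TAG_AC_COOKIE = (
    0x0000, 0x0101, 0x0102, 0x0103, 0x0104)
BROADCAST = b"\xff" * 6


def build_frame(dst, src, code, session_id, tags):
    """Ethernet frame carrying one discovery packet; tags is [(type, bytes), ...]."""
    payload = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    hdr = struct.pack("!BBHH", PPPOE_VER_TYPE, code, session_id, len(payload))
    return dst + src + struct.pack("!H", ETH_P_PPPOE_DISC) + hdr + payload


def parse_frame(frame):
    """Parse a discovery frame into a dict.  Raises ValueError rather than
    guessing when LENGTH or a TAG_LENGTH runs past the bytes actually present."""
    if len(frame) < 20:
        raise ValueError("frame too short for Ethernet + PPPoE headers")
    dst, src = frame[:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_PPPOE_DISC:
        raise ValueError("not a PPPoE discovery frame")
    ver_type, code, session_id, length = struct.unpack("!BBHH", frame[14:20])
    if ver_type != PPPOE_VER_TYPE:
        raise ValueError("unsupported PPPoE VER/TYPE")
    payload = frame[20:20 + length]
    if len(payload) != length:
        raise ValueError("LENGTH field exceeds frame")
    tags, off = [], 0
    while off + 4 <= len(payload):
        ttype, tlen = struct.unpack("!HH", payload[off:off + 4])
        if ttype == TAG_EOL:
            break
        if off + 4 + tlen > len(payload):
            raise ValueError("TAG_LENGTH exceeds payload")
        tags.append((ttype, payload[off + 4:off + 4 + tlen]))
        off += 4 + tlen
    return {"dst": dst, "src": src, "code": code, "session_id": session_id, "tags": tags}


def tag_values(pkt, ttype):
    return [v for t, v in pkt["tags"] if t == ttype]


def run_discovery(host_mac, ac_mac, service=b"", ac_name=b"ac-example"):
    """Walk one host <-> access concentrator exchange; return the assigned session ID."""
    # Host -> broadcast: PADI with exactly one Service-Name tag.  Host-Uniq lets
    # the host tell replies to this PADI apart from stale or unsolicited PADOs.
    host_uniq = os.urandom(8)
    padi = build_frame(BROADCAST, host_mac, CODE_PADI, 0,
                       [(TAG_SERVICE_NAME, service), (TAG_HOST_UNIQ, host_uniq)])

    # AC -> host: PADO names the AC, echoes Host-Uniq and adds an AC-Cookie, so
    # the AC keeps no per-request state until the host proves it can receive frames.
    req = parse_frame(padi)
    if req["code"] != CODE_PADI or req["dst"] != BROADCAST or req["session_id"] != 0:
        raise ValueError("malformed PADI")
    cookie = os.urandom(16)
    pado = build_frame(req["src"], ac_mac, CODE_PADO, 0,
                       [(TAG_AC_NAME, ac_name), (TAG_SERVICE_NAME, service),
                        (TAG_HOST_UNIQ, host_uniq), (TAG_AC_COOKIE, cookie)])

    # Host -> AC: accept only a PADO carrying our Host-Uniq.  Any station on the
    # segment can answer a broadcast PADI, so this is the host's only filter.
    offer = parse_frame(pado)
    if offer["code"] != CODE_PADO or tag_values(offer, TAG_HOST_UNIQ) != [host_uniq]:
        raise ValueError("PADO does not belong to our PADI")
    padr = build_frame(offer["src"], host_mac, CODE_PADR, 0,
                       [(TAG_SERVICE_NAME, service), (TAG_HOST_UNIQ, host_uniq),
                        (TAG_AC_COOKIE, tag_values(offer, TAG_AC_COOKIE)[0])])

    # AC -> host: the cookie must come back unchanged; then allocate a non-zero
    # session ID, which every session-stage frame (Ethertype 0x8864) carries.
    reqr = parse_frame(padr)
    if tag_values(reqr, TAG_AC_COOKIE) != [cookie]:
        raise ValueError("PADR without a valid AC-Cookie")
    session_id = 0x0001
    pads = build_frame(host_mac, ac_mac, CODE_PADS, session_id,
                       [(TAG_SERVICE_NAME, service), (TAG_HOST_UNIQ, host_uniq)])
    return parse_frame(pads)["session_id"]
```

Two properties of the protocol are visible in the code: the host has nothing but Host-Uniq to decide which PADO to trust, so any station on the same segment can offer itself as the AC, and a PADT needs only the session ID and the two MAC addresses, so the session can be torn down by anyone on the segment who can forge those. Neither is a defect of the ZyWALL; both are reasons the PPPoE segment between the ZyWALL and the modem should not be shared with untrusted hosts.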
The ZyWALL as a PPPoE Client
When using the ZyWALL as a PPPoE client, the PCs on the LAN see only Ethernet and are not aware of PPPoE. This relieves the administrator of having to manage PPPoE clients on the individual PCs, and it means the PPPoE account credentials are stored only on the ZyWALL.
Diagram 2 ZyWALL as a PPPoE Client
Appendix B
PPTP
What is PPTP?
PPTP (Point-to-Point Tunneling Protocol) is a Microsoft proprietary protocol (RFC 2637, which documents PPTP, is informational only) for tunneling PPP frames. PPTP itself provides no encryption or integrity protection; any confidentiality comes from the PPP layer carried inside it.
How can we transport PPP frames from a PC to a broadband modem over Ethernet?
A solution is to build PPTP into the ANT (ADSL Network Termination) where PPTP is used only over the
short haul between the PC and the modem over Ethernet. For the rest of the connection, the PPP frames are
transported with PPP over AAL5 (RFC 2364). The PPP connection, however, is still between the PC and the
ISP. The various connections in this setup are depicted in the following diagram. The drawback of this
solution is that it requires one separate ATM VC per destination.
Diagram 3 Transport PPP frames over Ethernet
PPTP and the ZyWALL
When the ZyWALL is deployed in such a setup, it appears as a PC to the ANT (ADSL Network
Termination).
With the Windows VPN or PPTP pass-through feature, PPTP tunnels are created from Windows 95, 98 and NT clients to an NT server at a remote location. Pass-through lets users on the LAN reach a remote PPTP server through the ZyWALL's Internet connection. In NAT mode the ZyWALL can also pass inbound PPTP packets to an internal PPTP server (for example an NT server) behind the NAT; because that connection is initiated by the remote PPTP client, the remote clients must be configured to reach the server. When instead the ZyWALL itself initiates the PPTP connection (the encapsulation described above), there is nothing to configure on remote PPTP clients.
PPTP Protocol Overview
PPTP is very similar to L2TP, since L2TP is based on both PPTP and L2F (Cisco's Layer 2 Forwarding).
Conceptually, there are three parties in PPTP, namely the PNS (PPTP Network Server), the PAC (PPTP
Access Concentrator) and the PPTP user. The PNS is the box that hosts both the PPP and the PPTP stacks
and forms one end of the PPTP tunnel. The PAC is the box that dials/answers the phone calls and relays the
PPP frames to the PNS. The PPTP user is not necessarily a PPP client (can be a PPP server too). Both the
PNS and the PAC must have IP connectivity; however, the PAC must in addition have dial-up capability.
The phone call is between the user and the PAC and the PAC tunnels the PPP frames to the PNS. The PPTP
user is unaware of the tunnel between the PAC and the PNS.
Diagram 4 PPTP Protocol Overview
Microsoft includes PPTP as a part of the Windows OS. In Microsoft's implementation, the PC, and hence the
ZyWALL, is the PNS that requests the PAC (the ANT) to place an outgoing call over AAL5 to an RFC 2364
server.
Control and PPP Connections
Each PPTP session has a distinct control connection and a PPP data connection.
Control Connection
The control connection runs over TCP (port 1723). Similar to L2TP, a tunnel control connection is first established before call control messages can be exchanged. Please note that a tunnel control connection supports multiple call sessions. A firewall or NAT between the peers must therefore pass both the TCP control connection and the GRE data packets described below; passing TCP port 1723 alone is not enough.
The following diagram depicts the message exchange of a successful call setup between a PC and an ANT.
Diagram 5 Example Message Exchange between PC and an ANT
PPP Data Connection
The PPP frames are tunneled between the PNS and PAC over GRE (Generic Routing Encapsulation, RFC 1701 and 1702), using the enhanced GRE header defined in RFC 2637. The individual calls within a tunnel are distinguished using the Call ID field, which occupies the low 16 bits of the GRE Key field. GRE has no port numbers, so a NAT or firewall that passes PPTP must track Call IDs to tell the calls apart.
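The following is an added example (not from the ZyXEL guide or the ZyWALL firmware) of the enhanced GRE header from RFC 2637 section 4 and of the Call ID bookkeeping that the PPTP pass-through described earlier in this appendix has to do. The PPP payload bytes and peer addresses are constructed; the PptpCallTable class and its method names are this example's own, not a ZyNOS interface.

```python
"""Enhanced GRE (RFC 2637 section 4) as used for the PPTP data channel, and the
Call ID bookkeeping a NAT or firewall needs in order to pass it.

Added example, not ZyXEL code.  PPP payload bytes and peer addresses are constructed.
"""
import struct

GRE_PROTO_PPP = 0x880B
FLAG_K, FLAG_S = 0x20, 0x10   # byte 0: Key present (mandatory), Sequence present
FLAG_A, GRE_VER = 0x80, 0x01  # byte 1: Ack present, version 1 = enhanced GRE


def build_gre(call_id, payload, seq=None, ack=None):
    """Encapsulate one PPP frame for the call identified by call_id."""
    b0 = FLAG_K | (FLAG_S if seq is not None else 0)
    b1 = GRE_VER | (FLAG_A if ack is not None else 0)
    hdr = struct.pack("!BBHHH", b0, b1, GRE_PROTO_PPP, len(payload), call_id)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    if ack is not None:
        hdr += struct.pack("!I", ack)
    return hdr + payload


def parse_gre(pkt):
    """Return (call_id, seq, ack, payload).  Raises ValueError for anything that
    is not well-formed PPTP GRE instead of guessing."""
    if len(pkt) < 8:
        raise ValueError("truncated GRE header")
    b0, b1, proto, plen, call_id = struct.unpack("!BBHHH", pkt[:8])
    if proto != GRE_PROTO_PPP or (b1 & 0x07) != GRE_VER or not b0 & FLAG_K:
        raise ValueError("not PPTP enhanced GRE")
    if b0 & ~(FLAG_K | FLAG_S) & 0xFF or b1 & 0x78:
        raise ValueError("C, R, s, Recur or Flags bits set; RFC 2637 requires zero")
    off = 8

    def u32():
        nonlocal off
        if len(pkt) < off + 4:
            raise ValueError("truncated optional field")
        val = struct.unpack("!I", pkt[off:off + 4])[0]
        off += 4
        return val

    seq = u32() if b0 & FLAG_S else None
    ack = u32() if b1 & FLAG_A else None
    payload = pkt[off:off + plen]
    if len(payload) != plen:
        raise ValueError("Payload Length exceeds packet")
    return call_id, seq, ack, payload


class PptpCallTable:
    """State a pass-through device must keep: GRE carries no port numbers, so the
    only way to map a data packet to a tunnel is the Call ID that was agreed on
    the TCP control connection (Outgoing-Call-Request / Reply)."""

    def __init__(self):
        self.calls = {}  # call_id -> {"peer": address, "last_seq": int}

    def admit(self, call_id, peer):
        """Learn a call from the control channel before any GRE for it is allowed."""
        self.calls[call_id] = {"peer": peer, "last_seq": -1}

    def release(self, call_id):
        self.calls.pop(call_id, None)

    def route(self, peer, pkt):
        """Return the PPP payload if the packet belongs to an admitted call from
        this peer and is in sequence, else None (the packet is dropped)."""
        call_id, seq, _ack, payload = parse_gre(pkt)
        entry = self.calls.get(call_id)
        if entry is None or entry["peer"] != peer:
            return None                  # unknown call, or a forged source address
        if seq is not None:
            if seq <= entry["last_seq"]:
                return None              # RFC 2637 discards out-of-sequence packets
            entry["last_seq"] = seq
        return payload
```

The route method is deliberately strict: a data packet whose Call ID was never announced on the control connection, or which arrives from a different peer than the one that set the call up, is dropped rather than forwarded to the internal PPTP server.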
Appendix C
Power Adapter Specifications
JAPAN, TAIWAN AND USA PLUG STANDARDS
Model Number: DSA-0151A-05A
Input Power: AC 100-120 V, 50/60 Hz
Output Power: 5 V DC, 2.4 A
Power Consumption: 12 W
Safety Standards: UL, FCC, CE
EUROPEAN PLUG STANDARDS
Model Number: DSA-0151A-05A (U)
Input Power: AC 200-240 V, 50-60 Hz, 0.4 A
Output Power: 5 V DC, 2.4 A
Power Consumption: 12 W
Safety Standards: UL, FCC, CE
UNITED KINGDOM PLUG STANDARDS
Model Number: DSA-0151A-05A (K)
Input Power: AC 200-240 V, 50 Hz, 0.2 A
Output Power: 5 V DC, 2.4 A
Power Consumption: 12 W
Safety Standards: UL, FCC, CE
Glossary
100Base-T: The 100-Mbps baseband Ethernet specification uses two pairs of twisted-pair wire with a maximum distance of 100 meters between the hub and the workstation.
10Base-S Mode: This is a VDSL mode. Each mode operates in a specific frequency band allocation with associated upstream and downstream speeds.
10Base-T: Twisted-pair cable with maximum segment lengths of 100 meters.
A
ADSL: Asymmetrical Digital Subscriber Line is an asymmetrical technology, which means that the downstream data rate of the line is much higher than the upstream data rate. ADSL operates in a frequency range that is above the frequency range of voice services, so the two systems can operate over the same cable.
AH: Authentication Header (RFC 2402) is a protocol that IPSec uses to verify the integrity of a data packet (including the header) and the identity of its sender. AH provides no confidentiality; the packet contents remain readable in transit.
ARP: Address Resolution Protocol is a protocol for mapping an Internet Protocol address (IP address) to a physical computer address that is recognized in the local network.
ATM: Asynchronous Transfer Mode. ATM is a LAN and WAN networking technology that provides high-speed data transfer. ATM uses fixed-size packets of information called cells. With ATM, a high QoS (Quality of Service) can be guaranteed.
Authentication Algorithm: This is an established, step-by-step procedure for verifying the identity of a packet's sender.
B
Bandwidth: This is the capacity of a link, usually measured in bits per second (bps).
Bit: A Binary Digit (either a one or a zero); a single-digit number in base 2. A bit is the smallest unit of computerized data.
Boot Module Commands: Boot Module Commands, available in the debug mode via SMT (some devices may not have SMTs), help you initialize the configuration of the basic functions and features of your device(s), such as uploading firmware, changing the console port speed and viewing product-related information.
Brute Force Hacking: A technique used to find passwords or encryption keys. Brute force hacking involves trying every possible combination of letters, numbers, etc., until the code is broken.
Byte: A set of bits that represent a single character. There are eight bits in a byte.
C
Command Line Interface: A command line interface is a computer environment in which you enter predefined commands on the command line to modify, configure and display information about a device or devices. A command line is the line on the display screen where a command is expected. Generally, the command line is the line that contains the most recently displayed command prompt. An interface is a set of commands (for example, a ZyXEL Command Line Interface) or menus (for example, a ZyXEL web configurator) used to communicate with a program. A command-driven interface is an interface in which you enter commands.
Crossover Ethernet Cable: A cable that wires a pin to its opposite pin, for example, RX+ is wired to TX+. This cable connects two similar devices, for example, two data terminal equipment (DTE) devices or two data communications equipment (DCE) devices.
D
DES: Data Encryption Standard is a widely-used method of data encryption that uses a private (secret) key. DES applies a 56-bit key to each 64-bit block of data. A 56-bit key can be recovered by exhaustive search with purpose-built hardware in a matter of days, so single DES should not be relied on for data of lasting value; prefer Triple DES.
DHCP: Dynamic Host Configuration Protocol automatically assigns IP addresses to clients when they log on. DHCP centralizes IP address management on central computers that run the DHCP server program. DHCP leases addresses for a period of time, which means that past addresses are "recycled" and made available for future reassignment to other systems.
Diffie-Hellman (DH): Diffie-Hellman is a public-key cryptography protocol that allows two parties to establish a shared secret over an unsecured communications channel. Diffie-Hellman is used within IKE SA setup to establish session keys. The exchange itself does not authenticate either party; IKE adds authentication (a pre-shared key or signatures) on top of it.
DNS: Domain Name System links names to IP addresses. When you access Web sites on the Internet you can type the IP address of the site or the DNS name. When you type a domain name in a Web browser a query is sent to the primary DNS server defined in your Web browser's configuration dialog box. The DNS server converts the name you specified to an IP address and returns this address to your system. Thereafter, the IP address is used in all subsequent communications.
Domain Name: The unique name that identifies an Internet site. Domain Names always have two or more parts that are separated by dots. The part on the left is the most specific and the part on the right is the most general.
E
Encryption Algorithm: An Encryption Algorithm describes the use of encryption techniques such as the DES (Data Encryption Standard) and Triple DES algorithms.
ESP: Encapsulating Security Payload (RFC 2406) is a protocol that IPSec uses to encrypt data to ensure confidentiality. ESP can also carry an integrity check value over the encrypted payload, but unlike AH it does not cover the outer IP header.
Ethernet: A very common method of networking computers in a LAN. There are a number of adaptations to the IEEE 802.3 Ethernet standard, including adaptations with data rates of 10 Mbits/sec and 100 Mbits/sec over coaxial cable, twisted-pair cable and fiber-optic cable. The latest version of Ethernet, Gigabit Ethernet, has a data rate of 1 Gbit/sec.
F
Firewall: A hardware or software "wall" that restricts access in and out of a network. Firewalls are most often used to separate an internal LAN or WAN from the Internet.
FTP: File Transfer Protocol is an Internet file transfer service that operates on the Internet and over TCP/IP networks. FTP is basically a client/server protocol in which a system running the FTP server accepts commands from a system running an FTP client. The service allows users to send commands to the server for uploading and downloading files. FTP is popular on the Internet because it allows for speedy transfer of large files between two systems. FTP sends user names, passwords and file contents in clear text, so it should not cross untrusted networks without a protected tunnel such as an IPSec VPN.
G
Gateway: A gateway is a computer system or other device that acts as a translator between two systems that do not use the same communication protocols, data formatting structures, languages, and/or architecture.
GSTN: A GSTN (General Switched Telephone Network) denotes an analog network (PSTN) or digital network (ISDN).
H
Hash: A hash function transforms input of any length into a fixed-length output called the message digest. Unlike encryption, hashing is one-way: the input cannot be recovered from the digest, and any change to the input changes the digest, which is what makes hashes useful for integrity checks. See also MD5 and SHA1.
Host: Any computer on a network that is a repository for services available to other computers on the network. It is quite common to have one host machine provide several services, such as WWW and USENET.
HTTP: Hyper Text Transfer Protocol. The most common protocol used on the Internet. HTTP is the primary protocol used for web sites and web browsers. Plain HTTP has no encryption or integrity protection of its own, so anything sent over it, including the login credentials for a web configurator, can be read or altered by anyone on the path.
I
IANA: Internet Assigned Numbers Authority acts as the clearing house to assign and coordinate the use of numerous Internet protocol parameters such as Internet addresses, domain names, protocol numbers, and more. Use a search engine to find the current IANA web site.
ICMP: Internet Control Message Protocol is a message control and error-reporting protocol between a host server and a gateway to the Internet. ICMP uses Internet Protocol (IP) datagrams, but the messages are processed by the TCP/IP software and are not directly apparent to the application user.
IKE: Internet Key Exchange is a two-phase security negotiation and key management service. A phase 1 exchange authenticates the peers and establishes an IKE SA; phase 2 uses that SA to negotiate the SAs (and session keys) for IPSec.
Internet: (Upper case "I".) The vast collection of inter-connected networks that use TCP/IP protocols evolved from the ARPANET (Advanced Research Projects Agency Network) of the late 1960's and early 1970's.
internet: (Lower case "i".) Any time you connect two or more networks together, you have an internet.
Intranet: A private network inside a company or organization that uses the same kinds of software that you would find on the public Internet, but that is only for internal use.
IP: Internet Protocol (currently IP version 4 or IPv4). The underlying protocol for routing packets on the Internet and other TCP/IP-based networks.
IP Pool: Internet Protocol Pool refers to the collective group of IP addresses located in any particular place (for example, LAN, WAN, Ethernet, etc.).
IPSec: Internet Protocol Security is a standards-based VPN (Virtual Private Network) technology that offers flexible solutions for secure data communications across a public network like the Internet. IPSec is built around a number of standardized cryptographic techniques to provide confidentiality, data integrity and authentication at the IP layer.
ISP: Internet Service Providers provide connections into the Internet for home users and businesses. There are local, regional, national, and global ISPs. You can think of local ISPs as the gatekeepers into the Internet.
J
K
Keys: Keys are used like passwords to lock and unlock messages with encryption and authentication functions. While encryption algorithms are often well known and published, the key must be kept secret.
L
LAN: Local Area Network is a shared communication system to which many computers are attached. A LAN, as its name implies, is limited to a local area. This has to do more with the electrical characteristics of the medium than the fact that many early LANs were designed for departments, although the latter accurately describes a LAN as well. LANs have different topologies, the most common being the linear bus and the star configuration.
LED: Light Emitting Diode. LEDs are visual indicators that relay information about the status of specific device functions to the user by lighting up, turning off or blinking. LEDs are usually found on the front panel of the physical device. Examples include Status, Power and System LEDs.
M
MAC: On a local area network (LAN) or other network, the MAC (Media Access Control) address is a computer's unique hardware number. (On an Ethernet LAN, it is the same as your Ethernet address.) The MAC layer frames data for transmission over the network, then passes the frame to the physical layer interface where it is transmitted as a stream of bits. A MAC address identifies an interface but does not authenticate it, since it can be changed or cloned in software (see section 8.4).
MD5: Message Digest 5. HMAC-MD5-96 (RFC 2403) is a keyed hash built on MD5 that IPSec uses to verify the integrity and origin of a data packet; the 128-bit HMAC output is truncated to 96 bits for the AH and ESP authentication fields.
N
Name Resolution: The allocation of an IP address to a host name. See also DNS.
NAT: Network Address Translation is the translation of an Internet Protocol address used within one network to a different IP address known within another network. See also SUA.
NetBIOS: Network Basic Input/Output System. NetBIOS is an extension of the DOS BIOS that enables a computer to connect to and communicate with a LAN.
Network: Any time you connect two or more computers together, allowing them to share resources, you have a computer network. Connect two or more networks together and you have an internet.
NIC: Network Interface Card. A board that provides network communication capabilities to and from a computer system. Also called an adapter.
O
P
PAC: The PPTP Access Concentrator (PAC) is the box that calls/answers the phone call and relays the PPP frames to the PNS (PPTP Network Server). A PAC must have IP and dial-up capability.
Perfect Forward Secrecy: Perfect Forward Secrecy (PFS) is an IPSec keying method that uses a brand new key for each new IPSec SA setup. The keys are created by new key exchanges (see Diffie-Hellman), so the compromise of one SA's key, or of the long-term IKE key material, does not expose the keys of earlier SAs.
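The Diffie-Hellman and Perfect Forward Secrecy entries describe one mechanism from two sides. The following is an added example (not from the ZyXEL guide or the ZyWALL firmware) that runs the exchange in the 1024-bit MODP group IKE calls group 2 (RFC 2409 section 6.2), derives SKEYID the way RFC 2409 section 5 specifies for signature authentication, and shows that a second exchange yields an unrelated key. The nonces are constructed; private values come from Python's secrets module; everything a real IKE daemon adds (cookies, proposals, authentication payloads) is left out.

```python
"""Diffie-Hellman in IKE group 2 (RFC 2409 section 6.2) and the fresh-exchange-
per-SA property behind Perfect Forward Secrecy.

Added example, not ZyXEL code.  Nonces are constructed; private values come
from the secrets module.
"""
import hashlib
import hmac
import secrets

# RFC 2409 group 2: 1024-bit prime with generator 2.  p = 2q + 1 with q prime.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
P_BYTES = 128


def group_sanity():
    """Cheap Fermat checks that P and (P-1)/2 behave like primes.  Run this on
    any group parameters you are handed: a composite modulus silently weakens
    everything built on it."""
    q = (P - 1) // 2
    return P.bit_length() == 1024 and pow(2, P - 1, P) == 1 and pow(2, q - 1, q) == 1


def valid_public(y):
    """Reject 0, 1, P-1 and anything outside the field: those values collapse
    the shared secret to one of a handful of possibilities."""
    return 1 < y < P - 1


def keypair():
    x = secrets.randbelow(P - 2) + 1        # private value in [1, P-2]
    return x, pow(G, x, P)


def shared_secret(x, peer_y):
    if not valid_public(peer_y):
        raise ValueError("peer public value is degenerate")
    return pow(peer_y, x, P)


def skeyid(g_xy, nonce_i, nonce_r):
    """RFC 2409 section 5, signature authentication: SKEYID = prf(Ni_b | Nr_b, g^xy)
    with HMAC-SHA-1 as the prf.  SKEYID_d, SKEYID_a and SKEYID_e derive from it."""
    return hmac.new(nonce_i + nonce_r, g_xy.to_bytes(P_BYTES, "big"),
                    hashlib.sha1).digest()


def exchange(nonce_i, nonce_r):
    """One complete exchange: each side combines its own private value with the
    other side's public value and both arrive at the same SKEYID."""
    xi, yi = keypair()
    xr, yr = keypair()
    k_i = skeyid(shared_secret(xi, yr), nonce_i, nonce_r)
    k_r = skeyid(shared_secret(xr, yi), nonce_i, nonce_r)
    return k_i, k_r


def pfs_demo():
    """Perfect Forward Secrecy: a second SA gets its own exchange, so its key is
    unrelated to the first even with identical nonces; learning one key later
    tells an attacker nothing about the other."""
    n_i, n_r = b"\x11" * 16, b"\x22" * 16   # constructed nonces
    k1, k1_peer = exchange(n_i, n_r)
    k2, _ = exchange(n_i, n_r)
    return k1 == k1_peer and k1 != k2
```

Without PFS an implementation would reuse the phase 1 DH result to derive every phase 2 key; with PFS each quick mode runs exchange() again, which is the extra computation the option costs.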
POP: Post Office Protocol. This is a common protocol used by mail clients to retrieve mail messages from a mail server (sending uses SMTP).
Port: An Internet port refers to a number that is part of a URL, appearing after a colon (:), directly following the domain name. Every service on an Internet server listens on a particular port number on that server. Most services have standard port numbers; for instance, web servers normally listen on port 80.
Port (H/W): An interface on a computer for connecting peripherals or devices to the computer. A printer port, for example, is an interface that is designed to have a printer connected to it. Ports can be defined by specific hardware (such as a keyboard port) or through software.
POTS: Plain Old Telephone Service is the analog telephone service that runs over copper twisted-pair wires and is based on the original Bell telephone system. Twisted-pair wires connect homes and businesses to a neighborhood central office. This is called the local loop. The central office is connected to other central offices and long-distance facilities.
PPP: Point to Point Protocol. PPP encapsulates and transmits IP (Internet Protocol) datagrams over serial point-to-point links. PPP works with other protocols such as IPX (Internetwork Packet Exchange). The protocol is defined in IETF (Internet Engineering Task Force) RFC 1661 through 1663. PPP provides router-to-router, host-to-router, and host-to-host connections.
PPPoE: PPPoE (Point-to-Point Protocol over Ethernet) relies on two widely accepted standards: PPP and Ethernet. PPPoE is a specification for connecting the users on an Ethernet to the Internet through a common broadband medium, such as a single DSL line, wireless device or cable modem. All the users over the Ethernet share a common connection, so the Ethernet principles supporting multiple users in a LAN combine with the principles of PPP, which apply to serial connections. From authentication, accounting and secure access to configuration management, PPPoE supports a broad range of existing applications and services.
PPTP: Point-to-Point Tunneling Protocol; see Appendix B.
Protocol: A "language" for communicating on a network. Protocols are sets of standards or rules used to define, format and transmit data across a network. There are many different protocols used on networks. For example, most web pages are transmitted using the HTTP protocol.
PSTN: Public Switched Telephone Network was put into place many years ago as a voice telephone call-switching system. The system transmits voice calls as analog signals across copper twisted cables from homes and businesses to neighborhood COs (central offices); this is often called the local loop. The PSTN is a circuit-switched system, meaning that an end-to-end private circuit is established between the caller and the person called.
Q
QoS: Quality of Service refers to both a network's ability to deliver data with minimum delay, and the networking methods used to provide bandwidth for real-time multimedia applications.
R
ras: This is the name of the firmware image file on the ZyXEL device. Renaming may be necessary when uploading new firmware to the device.
RFC: An RFC (Request for Comments) is an Internet formal document or standard that is the result of committee drafting and subsequent review by interested parties. Some RFCs are informational in nature. Of those that are intended to become Internet standards, the final version of the RFC becomes the standard and no further comments or changes are permitted. Change can occur, however, through subsequent RFCs.
RIP: Routing Information Protocol is an interior or intra-domain routing protocol that uses distance-vector routing algorithms. RIP is used on the Internet and is common in the NetWare environment as a method for exchanging routing information between routers.
Rom-0: This is the name of the configuration file on your ZyXEL device. Renaming may be necessary when uploading a new configuration file to your ZyXEL device. Because it contains the full configuration, including passwords, protect any downloaded copy accordingly.
Router: A device that connects two networks together. Routers monitor, direct and filter information that passes between these networks. Because of their location, routers are a good place to install traffic or mail filters. Routers are also prone to attacks because they contain a great deal of information about a network.
S
SA: A Security Association (SA) is a contract between two parties indicating what security parameters, such as keys and algorithms, they will use.
SHA1: Secure Hash Algorithm 1. HMAC-SHA-1-96 (RFC 2404) is a keyed hash built on SHA-1 that IPSec uses to verify the integrity and origin of a data packet; the 160-bit HMAC output is truncated to 96 bits for the AH and ESP authentication fields.
SNMP: Simple Network Management Protocol is a popular management protocol defined by the Internet community for TCP/IP networks. It is a communication protocol for collecting information from devices on the network.
Static Routing: Static routes supply routing information that a networking device cannot learn automatically through other means. The need for static routing can arise in cases where RIP is disabled on the LAN or a remote network is beyond the one that is directly connected to a remote node.
STP: Shielded Twisted-Pair cable consists of copper-core wires surrounded by an insulator. Two wires are twisted together to form a pair; the pair forms a balanced circuit. The twisting prevents interference problems, and the shield provides protection against external crosstalk.
Straight-through Ethernet cable: A cable that wires a pin to its equivalent pin. This cable connects two dissimilar devices, for example, a data terminal equipment (DTE) device and a data communications equipment (DCE) device. A straight-through Ethernet cable is the most commonly used Ethernet cable.
SUA: Single User Account. Your system's SUA feature allows multiple user Internet access for the cost of a single ISP account. See also NAT.
Subnet Mask: The subnet mask specifies the network number portion of an IP address. Your device will compute a default subnet mask automatically based on the IP address that you entered. You do not need to change the computer subnet mask unless you are instructed to do so.
T
TCP: Transmission Control Protocol is a connection-oriented transport service that ensures the reliability of message delivery. It verifies that messages and data were received.
Terminal: A device that allows you to send commands to a computer somewhere else. At a minimum, this usually means a keyboard, display screen and some simple circuitry.
Terminal Software: Software that pretends to be (emulates) a physical terminal and allows you to type commands to a computer somewhere else.
TFTP: Trivial File Transfer Protocol is an Internet file transfer protocol similar to FTP (File Transfer Protocol), but it is scaled back in functionality so that it requires fewer resources to run. TFTP uses UDP (User Datagram Protocol) rather than TCP (Transmission Control Protocol). TFTP has no authentication of its own, so firmware or configuration transfers over it should only take place on a trusted LAN.
Transport: IPSec uses transport mode to protect upper layer protocols and affects only the data in the IP packet. The IP packet contains the security protocol (AH or ESP) located after the original IP header and options, but before any upper layer protocols contained in the packet (such as TCP and UDP).
Triple DES: This is a stronger variant of DES (Data Encryption Standard). Triple DES is a widely-used method of data encryption that applies three separate private (secret) 56-bit keys to each 64-bit block of data.
Tunnel: IPSec uses tunnel mode to encapsulate the entire IP packet and transmit it securely. Tunnel mode is fundamentally an IP tunnel with authentication and encryption and is required for gateway services to provide access to internal systems.
Twisted Pair: Two insulated wires, usually copper, twisted together and often bound into a common sheath to form multi-pair cables. In ISDN, the cables are the basic path between a subscriber's terminal or telephone and the PBX or the central office.
U
UDP: User Datagram Protocol. UDP is a connectionless transport service that dispenses with the reliability services provided by TCP. UDP gives applications a direct interface with the Internet Protocol (IP) and the ability to address a particular application process running on a host via a port number without setting up a connection session.
UNIX: A widely-used operating system in large networks. Usually used on workstations and servers.
V
W
WAN: Wide Area Networks link geographically dispersed offices in other cities or around the globe. Just about any long-distance communication medium can serve as a WAN link, including switched and permanent telephone circuits, terrestrial radio systems and satellite systems.
Web Configurator: This is an HTML-based configurator that allows easy setup and management.
WWW: World Wide Web. Frequently used (incorrectly) when referring to "The Internet". WWW has two major definitions. One, the whole constellation of resources that can be accessed using Gopher, FTP, HTTP, USENET, WAIS and other tools. Two, the universe of hypertext servers (HTTP servers).
X
xDSL: Digital Subscriber Line(s), where x, when specified, denotes a particular flavor of DSL, e.g., ADSL, G.SHDSL, SDSL, VDSL, RDSL, etc.
Y
Z
ZyNOS: ZyXEL Network Operating System is the firmware used in many ZyXEL products.