ZyXEL Communications IDP 10 User Manual

ZyWALL IDP 10
Intrusion Detection Prevention Appliance
Support Notes
Version 1.0
Aug 2004
IDP Support Notes
INDEX
Application Notes............................................................................................................................ 4
Deploy IDP ................................................................................................................................4
Register ZyWALL IDP............................................................................................................10
Firmware Upgrade...................................................................................................................16
Signature Update......................................................................................................................17
Configure User Defined Policy................................................................................................18
IDP FAQ......................................................................................................................................... 23
What is HIDS?.........................................................................................................................23
What is NIDS?.........................................................................................................................23
What is HIPS?..........................................................................................................................23
What is NIPS (IDP)?................................................................................................................23
What’s the difference between false positive and false negative?...........................................23
Is IDP able to investigate VPN traffic?....................................................................................24
Product FAQ.................................................................................................................................. 24
What is ZyWALL IDP10?........................................................................................................24
Why do I need ZyWALL IDP, if I already have ZyWALL 5/35/70?.......................................24
Will I lose network access if my ZyWALL IDP 10 lost power or crash?................................24
If I forget IDP’s password, how to reset the password to default? ..........................................25
How to access IDP through console?.......................................................................................25
How to trouble shoot the false positive and false negative cases? ..........................................26
What's the difference between Inline, Monitor and Bypass mode?.........................................26
When should I use VLAN Tag function?.................................................................................27
How to restart device from WEB GUI, Console?....................................................................27
What does "Stealth" mean, why should I need it?...................................................................29
I can not remote manage my ZyWALL IDP 10 at home, why?...............................................29
Why should I define Policy Check on WAN/LAN port?.........................................................29
What's Pre-defined signature? .................................................................................................30
Why should I need to update signature?..................................................................................30
Where can I get the description of a policy or advisory? ........................................................30
How do I make sure my ZyWALL IDP10 already gets the latest policy?...............................30
I can’t download the latest policy from update server. How can I fix the problem?...............31
How many User-defined policies can I have on ZyWALL IDP 10?........................................32
How many policies does ZyWALL IDP 10 support in total? ..................................................32
Does configuration backup include Pre-defined/Updated signatures?....................................32
What’s the default password of ZyWALL IDP10?..................................................................32
All contents copyright (c) 2004 ZyXEL Communications Corporation.
Why can’t I input mail server address by domain name?........................................................32
What’s “Drop” and “Block Connection” for Action of User Defined Policy?........................33
How to use URL String in Content setup of User-defined policy?..........................................33
What’s the definition of “Incoming” and “Outgoing” direction in a policy setup?.................33
How to decide which Interface should be applied for policy check?......................................34
In User-defined policy, what’s the meaning of Matching Offset, Matching Depth? ...............35
How does IDP check multiple contents?.................................................................................35
What’s the priority among Pre-defined policy and User-defined policy? ...............................36
Trouble Shooting........................................................................................................................... 36
Unable to Run Applications.....................................................................................................36
CLI Command List.......................................................................................................................39
System related Command........................................................................................................39
Debug mode CLI Command....................................................................................................42

Application Notes

Deploy IDP

ZyWALL IDP 10 is a plug-and-play bridge that filters malicious traffic before it reaches the networks behind it. With regular signature updates it protects those networks against network-based intrusions as new attacks appear. This example describes how to deploy and configure ZyWALL IDP 10 in a network. Because the device is a transparent bridge, the existing network topology does not have to change when it is inserted. Two things need to be decided:

1. Determine the target networks/systems to protect.
2. Assign an IP address to the "Management" (MGMT) port so that the ZyWALL IDP 10 can be managed from your existing network.

The following diagram and table illustrate the network topology and IP address assignment of the example network.
IP Address assignment:

Network     WAN             DMZ               LAN
Segment     211.1.1.0/28    192.168.2.0/24    192.168.1.0/24
Servers/PC                  192.168.2.5-10    LAN1: 192.168.1.5-50
                                              LAN2: 192.168.1.51-100
                                              WLAN: 192.168.1.101-130
                                              Data Center: 192.168.1.131-140

Device      IDP (A)          IDP (B)          IDP (C)
IP Address  192.168.1.141    192.168.1.142    192.168.1.143
Device      IDP (D)          IDP (E)          IDP (F)
IP Address  192.168.1.144    192.168.1.145    192.168.1.146
Purpose:
IDP (A): Network devices have vulnerabilities of their own; once the firewall at the gateway is compromised, the networks it protects are endangered as well. An IDP device placed outside the firewall can block attacks from the Internet against the firewall/VPN gateway, so policy protection is applied on the WAN port of IDP (A).
IDP (B): Servers in the DMZ are the most exposed point in your network, because malicious traffic can flow into the DMZ alongside legitimate traffic. Attacks may arrive from the Internet, and an infected DMZ server must be prevented from attacking the internal network, so policy protection is applied on both the WAN and LAN ports of IDP (B).
IDP (C), IDP (D): The purpose of IDP (C) and IDP (D) is to segment the internal network into blocks, so that once a PC is infected by a worm or virus the infection does not spread to the whole network. Policy protection is therefore applied on both the WAN and LAN ports of IDP (C) and IDP (D).
IDP (E): IDP (E) protects the data center. We assume the data center only waits for internal users to access it and never initiates connections itself, so policy protection is applied on the WAN port of IDP (E). If data center hosts can initiate connections, or could be compromised and used to attack the clients, enable policy check on the LAN port as well, as for IDP (B).
IDP (F): Wireless LAN is popular because of its mobility, but that same mobility raises security concerns. Administrators cannot predict when a mobile notebook will be compromised and start spreading worms or viruses through the WLAN, so we suggest placing an IDP device between the WLAN and the internal network. Policy protection is applied on the LAN port of IDP (F).
Setup IP address of IDP (A, B, C, D, E, F)
1. Configure each IDP device's IP address. Since the IDP is a bridge device, it has only one IP address, used for management; the IDP also uses this address to download signature updates and to send system logs via syslog, e-mail or FTP. The system IP address can be configured in either of two ways.
- Through Console
1. Make sure the baud rate/data/parity/stop/flow control settings of your terminal program are as shown below.
2. The default login/password is "admin/1234". Change this password after the first login; the management port is reachable from the whole 192.168.1.0/24 segment once the device is connected.
3. Issue the following commands on IDP (A):

   $>set system ip 192.168.1.141
   Change ZyWALL IDP 10 IP address OK.
   $>set system mask 255.255.255.0
   Change ZyWALL IDP 10 netmask OK.
   $>set system gateway 192.168.1.254
   Change ZyWALL IDP 10 default gateway OK.
   $>set system dns 168.95.1.1
   Change ZyWALL IDP 10 default DNS server OK.

4. Repeat step 3 to configure IDP (B, C, D, E, F) according to the IP address assignment table.
- Through WEB GUI or Telnet
1. Connect a PC to the IDP's management port with a crossover Ethernet cable. Make sure the MGMT port light is on.
2. Go to Start->Settings->Network and Dial-up Connections, and select the Ethernet connection you are using to connect to the IDP device.
3. In the connection properties, change the PC's IP address to 192.168.1.5 with subnet mask 255.255.255.0.
4. Log into the IDP's WEB GUI via browser.
5. Go to SYSTEM->General->Device and enter IDP (A)'s IP address, subnet mask, default gateway and DNS server IP address.
6. Repeat steps 1-5 to configure IDP (B, C, D, E, F) according to the IP address assignment table.
Connect the MGMT/LAN/WAN ports of all IDP devices to the network according to the deployment topology (management segment 192.168.1.0/24).
Log into the WEB GUI of IDP (A) and IDP (E); go to SYSTEM->INTERFACE->Policy Check and enable policy checking on the WAN port.
Log into the WEB GUI of IDP (B), IDP (C) and IDP (D); go to SYSTEM->INTERFACE->Policy Check and enable policy checking on both the WAN and LAN ports.
Log into the WEB GUI of IDP (F); go to SYSTEM->INTERFACE->Policy Check and enable policy checking on the LAN port.
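The six-unit deployment above can be planned and checked before anyone touches a console. The following Python script is an added example for these notes, not ZyXEL code: it verifies that every management address lies inside the 192.168.1.0/24 management segment, is unique, and does not fall into a host range from the IP address assignment table; derives the policy-check interfaces from the reasoning given for each unit (inspect the WAN port where attacks arrive from upstream, the LAN port where hosts behind the unit may themselves attack); and renders the four `set system` console commands shown above for each unit. The `wan_hostile`/`lan_can_attack` flags, the RESERVED_RANGES table and the function names are assumptions of the example; the Policy Check setting itself is still made in the WEB GUI as described above.

```python
"""Plan and sanity-check the six-unit ZyWALL IDP 10 deployment from the notes.

Added example, not ZyXEL code. The `set system ...` commands are the ones the
notes show on the console; the policy-check decision mirrors the reasoning
given for each unit, but the setting itself is made in the WEB GUI
(SYSTEM->INTERFACE->Policy Check). Flags, range table and function names are
assumptions of this example.
"""
import ipaddress

MGMT_SEGMENT = ipaddress.ip_network("192.168.1.0/24")
DEFAULT_GATEWAY = "192.168.1.254"  # value used in the console example
DNS_SERVER = "168.95.1.1"          # value used in the console example

# Host ranges already in use in the LAN segment (IP address assignment table).
RESERVED_RANGES = {
    "LAN1": ("192.168.1.5", "192.168.1.50"),
    "LAN2": ("192.168.1.51", "192.168.1.100"),
    "WLAN": ("192.168.1.101", "192.168.1.130"),
    "Data Center": ("192.168.1.131", "192.168.1.140"),
}

# wan_hostile: attacks may arrive on the unit's WAN port (upstream side).
# lan_can_attack: hosts behind the LAN port may initiate attacks themselves
# (infected PCs, a compromised DMZ server, a roaming notebook on the WLAN).
DEPLOYMENT = {
    "IDP (A)": {"ip": "192.168.1.141", "wan_hostile": True, "lan_can_attack": False},
    "IDP (B)": {"ip": "192.168.1.142", "wan_hostile": True, "lan_can_attack": True},
    "IDP (C)": {"ip": "192.168.1.143", "wan_hostile": True, "lan_can_attack": True},
    "IDP (D)": {"ip": "192.168.1.144", "wan_hostile": True, "lan_can_attack": True},
    "IDP (E)": {"ip": "192.168.1.145", "wan_hostile": True, "lan_can_attack": False},
    "IDP (F)": {"ip": "192.168.1.146", "wan_hostile": False, "lan_can_attack": True},
}


def policy_check_ports(wan_hostile, lan_can_attack):
    """Interfaces on which Policy Check should be enabled for one unit."""
    ports = []
    if wan_hostile:
        ports.append("WAN")
    if lan_can_attack:
        ports.append("LAN")
    return ports


def validate_mgmt_ips(deployment, segment=MGMT_SEGMENT, reserved=RESERVED_RANGES,
                      gateway=DEFAULT_GATEWAY):
    """Return a list of problems with the management addressing (empty = OK).

    Checks: address inside the management segment, not the network/broadcast
    address, unique across units, not inside a range already given to hosts,
    and the default gateway located in the same segment."""
    problems = []
    if ipaddress.ip_address(gateway) not in segment:
        problems.append(f"gateway {gateway} is outside {segment}")
    seen = {}
    for name, cfg in deployment.items():
        addr = ipaddress.ip_address(cfg["ip"])
        if addr not in segment:
            problems.append(f"{name}: {addr} is outside {segment}")
        elif addr in (segment.network_address, segment.broadcast_address):
            problems.append(f"{name}: {addr} is the network or broadcast address")
        if addr in seen:
            problems.append(f"{name}: {addr} already assigned to {seen[addr]}")
        seen.setdefault(addr, name)
        for range_name, (lo, hi) in reserved.items():
            if ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi):
                problems.append(f"{name}: {addr} collides with {range_name} ({lo}-{hi})")
    return problems


def console_commands(cfg, segment=MGMT_SEGMENT, gateway=DEFAULT_GATEWAY, dns=DNS_SERVER):
    """The four console commands from the notes, rendered for one unit."""
    return [
        f"set system ip {cfg['ip']}",
        f"set system mask {segment.netmask}",
        f"set system gateway {gateway}",
        f"set system dns {dns}",
    ]


def plan(deployment):
    """Per-unit console commands and Policy Check ports; refuses a bad plan."""
    problems = validate_mgmt_ips(deployment)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        name: {
            "commands": console_commands(cfg),
            "policy_check": policy_check_ports(cfg["wan_hostile"], cfg["lan_can_attack"]),
        }
        for name, cfg in deployment.items()
    }


if __name__ == "__main__":
    for name, entry in plan(DEPLOYMENT).items():
        print(f"{name}: Policy Check on {' and '.join(entry['policy_check'])}")
        for cmd in entry["commands"]:
            print(f"  $>{cmd}")
```

Running the script prints, for each unit, the interface(s) to enable under SYSTEM->INTERFACE->Policy Check and the exact console lines to type. The same validation is what catches the common deployment mistake of handing a unit an address that the DHCP scope or a server already uses, which would leave that unit unable to fetch signatures or deliver its logs.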

Register ZyWALL IDP

ZyWALL IDP comes with a "pre-defined" policy set that requires a subscription and can be updated on a regular basis. Keeping the policy set up to date is essential, because new attack types evolve continuously.
1. A "Device License Key" card is included in the ZyWALL IDP package for a one-year free subscription.
2. Go to ZyXEL Communications online services center. http://www.myZyXEL.com.
3. If you do not yet have a myZyXEL.com account, create one by following the instructions on myZyXEL.com; the detailed procedure is not described in this article. If you run into trouble in this step, contact ZyXEL support.
4. Log into myZyXEL.com with your account and use "Click here" to register your ZyWALL IDP.
5. Press the Add button to add the ZyWALL IDP you have.
6. In this step, enter the Serial Number, the Authentication Code (the device's MAC address) and a friendly name for your product. The serial number and MAC address are printed on the label at the bottom of the device.
7. Enter the purchase date and the purpose of the purchase.
8. A success message is displayed. Press the Continue button.