Zyxel-communications Internet Security Gateway 10~100 Series User Manual

ZyWALL 10~100 Series
Internet Security Gateway
Reference Guide
Versions 3.52, 3.60 and 3.61
March 2003

Summary of Contents

Page 1 - ZyWALL 10~100 Series

ZyWALL 10~100 Series Internet Security Gateway Reference Guide Versions 3.52, 3.60 and 3.61 March 2003

Page 2 - Copyright

ZyWALL 10~100 Series Internet Security Gateway x List of Charts List of Charts Chart 8-1 Classes of IP Addresses ...

Page 3 - Interference Statement

ZyWALL 10~100 Series Internet Security Gateway List of Charts xi Chart 13-11 Sample IPSec Logs During Packet Transmission ...

Page 4 - Caution

ZyWALL 10~100 Series Internet Security Gateway xii Preface Preface About Your ZyWALL Congratulations on your purchase of the ZyWALL Security Gateway.

Page 5 - ZyXEL Limited Warranty

ZyWALL 10~100 Series Internet Security Gateway Preface xiii Syntax Conventions • “Enter” means for you to type one or more characters and press the

Page 7 - Table of Contents

General Information I Part I: General Information This part provides background information about setting up your computer’s IP address, triangl

Page 9 - List of Diagrams

ZyWALL 10~100 Series Internet Security Gateway Setting Up Your Computer’s IP Address 1-1 Chapter 1 Setting up Your Computer’s IP Address All comput

Page 10 - List of Charts

ZyWALL 10~100 Series Internet Security Gateway Setting Up Your Computer’s IP Address 1-2 The Network window Configuration tab displays a list of inst

Page 11

ZyWALL 10~100 Series Internet Security Gateway Setting Up Your Computer’s IP Address 1-3 1. Click the IP Address tab. -If your IP address is dynami

Page 12 - Preface

ZyWALL 10~100 Series Internet Security Gateway ii Copyright Copyright Copyright © 2003 by ZyXEL Communications Corporation. The contents of this publ

Page 13 - Syntax Conventions

ZyWALL 10~100 Series Internet Security Gateway Setting Up Your Computer’s IP Address 1-4 3. Click the Gateway tab. -If you do not know your gateway

Page 14

ZyWALL 10~100 Series Internet Security Gateway Setting Up Your Computer’s IP Address 1-5 1. For Windows XP, click start, Control Panel. In Windows

Page 15 - Part I:

ZyWALL 10~100 Series Internet Security Gateway Setting Up Your Computer’s IP Address 1-6 4. Select Internet Protocol (TCP/IP) (under the General tab

Page 16

ZyWALL 10~100 Series Internet Security Gateway Setting Up Your Computer’s IP Address 1-7 6. -If you do not know your gateway's IP address, re

Page 17 - Chapter 1

ZyWALL 10~100 Series Internet Security Gateway Setting Up Your Computer’s IP Address 1-8 7. In the Internet Protocol TCP/IP Properties window (the G

Page 18

ZyWALL 10~100 Series Internet Security Gateway Setting Up Your Computer’s IP Address 1-9 1. Click the Apple menu, Control Panel and double-click TC

Page 19

ZyWALL 10~100 Series Internet Security Gateway Setting Up Your Computer’s IP Address 1-10 4. For statically assigned settings, do the following: -F

Page 20 - Windows 2000/NT/XP

ZyWALL 10~100 Series Internet Security Gateway Setting Up Your Computer’s IP Address 1-11 2. Click Network in the icon bar. - Select Automatic f

Page 22

ZyWALL 10~100 Series Internet Security Gateway Triangle Route 2-1 Chapter 2 Triangle Route The Ideal Setup When the firewall is on, your ZyWALL a

Page 23

ZyWALL 10~100 Series Internet Security Gateway FCC iii Federal Communications Commission (FCC) Interference Statement This device complies with Part

Page 24 - Macintosh OS 8/9

ZyWALL 10~100 Series Internet Security Gateway Triangle Route 2-2 Diagram 2-2 “Triangle Route” Problem The “Triangle Route” Solutions This section p

Page 25

ZyWALL 10~100 Series Internet Security Gateway Triangle Route 2-3 Gateways on the WAN Side A second solution to the “triangle route” problem is to

Page 27

ZyWALL 10~100 Series Internet Security Gateway The Big Picture 3-1 Chapter 3 The Big Picture The following figure gives an overview of how filteri

Page 28

ZyWALL 10~100 Series Internet Security Gateway The Big Picture 3-2

Page 29 - Triangle Route

ZyWALL 10~100 Series Internet Security Gateway Wireless LAN and IEEE 802.11 4-1 Chapter 4 Wireless LAN and IEEE 802.11 A wireless LAN (WLAN) provi

Page 30 - IP Aliasing

ZyWALL 10~100 Series Internet Security Gateway The Big Picture 4-2 The IEEE 802.11 specifies three different transmission methods for the PHY, the

Page 31 - Gateways on the WAN Side

ZyWALL 10~100 Series Internet Security Gateway Wireless LAN and IEEE 802.11 4-3 Diagram 4-1 Peer-to-Peer Communication in an Ad-hoc Network Infras

Page 32

ZyWALL 10~100 Series Internet Security Gateway The Big Picture 4-4 could be any type of network, it is almost invariably an Ethernet LAN. Mobile no

Page 33 - The Big Picture

ZyWALL 10~100 Series Internet Security Gateway Wireless LAN with IEEE 802.1x 5-1 Chapter 5 Wireless LAN With IEEE 802.1x As wireless networks becom

Page 34 - The Big Picture

ZyWALL 10~100 Series Internet Security Gateway iv Information for Canadian Users Information for Canadian Users The Industry Canada label identifie

Page 35 - Chapter 4

ZyWALL 10~100 Series Internet Security Gateway Wireless LAN with IEEE 802.1x 5-2 • Support for RADIUS (Remote Authentication Dial In User Service,

Page 36

ZyWALL 10~100 Series Internet Security Gateway PPPoE 6-1 Chapter 6 PPPoE PPPoE in Action An ADSL modem bridges a PPP session over Ethernet (PPP over

Page 37

ZyWALL 10~100 Series Internet Security Gateway 6-2 PPPoE How PPPoE Works The PPPoE driver makes the Ethernet appear as a serial link to the PC and th

Page 38

ZyWALL 10~100 Series Internet Security Gateway PPTP 7-1 Chapter 7 PPTP What is PPTP? PPTP (Point-to-Point Tunneling Protocol) is a Microsoft propri

Page 39 - Chapter 5

ZyWALL 10~100 Series Internet Security Gateway 7-2 PPTP PPTP Protocol Overview PPTP is very similar to L2TP, since L2TP is based on both PPTP and L2F

Page 40 - Client computer

ZyWALL 10~100 Series Internet Security Gateway PPTP 7-3 Diagram 7-3 Example Message Exchange between PC and an ANT PPP Data Connection The PPP fra

Page 42 - ZyWALL as a PPPoE Client

ZyWALL 10~100 Series Internet Security Gateway IP Subnetting 8-1 Chapter 8 IP Subnetting IP Addressing Routers “route” based on the network numbe

Page 43 - Chapter 7

ZyWALL 10~100 Series Internet Security Gateway 8-2 IP Subnetting A class “B” address (16 host bits) can have 2^16 – 2 or 65534 hosts. A class “A” ad

Page 44 - PPTP Protocol Overview

ZyWALL 10~100 Series Internet Security Gateway IP Subnetting 8-3 With subnetting, the class arrangement of an IP address is ignored. For example, a

Page 45 - PPP Data Connection

ZyWALL 10~100 Series Internet Security Gateway Warranty v ZyXEL Limited Warranty ZyXEL warrants to the original end user (purchaser) that this produ

Page 46

ZyWALL 10~100 Series Internet Security Gateway 8-4 IP Subnetting The first three octets of the address make up the network number (class “C”). You wa

Page 47 - IP Subnetting

ZyWALL 10~100 Series Internet Security Gateway IP Subnetting 8-5 192.168.1.0 with mask 255.255.255.128 is the subnet itself, and 192.168.1.127 with

Page 48 - Subnetting

ZyWALL 10~100 Series Internet Security Gateway 8-6 IP Subnetting Subnet Address: 192.168.1.128 Lowest Host ID: 192.168.1.129 Broadcast Address: 192.1

Page 49 - Example: Two Subnets

ZyWALL 10~100 Series Internet Security Gateway IP Subnetting 8-7 Chart 8-12 Class C Subnet Planning NO. “BORROWED” HOST BITS SUBNET MASK NO. SUB

Page 50

ZyWALL 10~100 Series Internet Security Gateway 8-8 IP Subnetting Chart 8-13 Class B Subnet Planning NO. “BORROWED” HOST BITS SUBNET MASK NO. SUBNET

Page 51 - Example: Four Subnets

Command and Log Information II Part II: Command and Log Information This part provides information on the command interpreter interface, firewal

Page 53

ZyWALL 10~100 Series Internet Security Gateway Command Interpreter 9-1 Chapter 9 Command Interpreter The following describes how to use the command

Page 55 - Part II:

ZyWALL 10~100 Series Internet Security Gateway Firewall Commands 10-1 Chapter 10 Firewall Commands The following describes the firewall commands.

Page 56

ZyWALL 10~100 Series Internet Security Gateway vi Customer Support Customer Support When you contact your customer support representative please have

Page 57 - Command Interpreter

ZyWALL 10~100 Series Internet Security Gateway 10-2 Firewall Commands Chart 10-1 Firewall Commands FUNCTION COMMAND DESCRIPTION config displa

Page 58

ZyWALL 10~100 Series Internet Security Gateway Firewall Commands 10-3 Chart 10-1 Firewall Commands FUNCTION COMMAND DESCRIPTION config edit fir

Page 59 - Firewall Commands

ZyWALL 10~100 Series Internet Security Gateway 10-4 Firewall Commands Chart 10-1 Firewall Commands FUNCTION COMMAND DESCRIPTION config edit firew

Page 60 - Chart 10-1 Firewall Commands

ZyWALL 10~100 Series Internet Security Gateway Firewall Commands 10-5 Chart 10-1 Firewall Commands FUNCTION COMMAND DESCRIPTION Config edit fir

Page 61 - Firewall Commands 10-3

ZyWALL 10~100 Series Internet Security Gateway 10-6 Firewall Commands Chart 10-1 Firewall Commands FUNCTION COMMAND DESCRIPTION Config edit f

Page 62 - 10-4 Firewall Commands

ZyWALL 10~100 Series Internet Security Gateway Firewall Commands 10-7 Chart 10-1 Firewall Commands FUNCTION COMMAND DESCRIPTION config edit fir

Page 63 - Firewall Commands 10-5

ZyWALL 10~100 Series Internet Security Gateway 10-8 Firewall Commands Chart 10-1 Firewall Commands FUNCTION COMMAND DESCRIPTION config delete fir

Page 64 - 10-6 Firewall Commands

ZyWALL 10~100 Series Internet Security Gateway NetBIOS Filter Commands 11-1 Chapter 11 NetBIOS Filter Commands The following describes the NetBIOS

Page 65 - Firewall Commands 10-7

ZyWALL 10~100 Series Internet Security Gateway 11-2 NetBIOS Filter Commands This command gives a read-only list of the current NetBIOS filter mode

Page 66 - 10-8 Firewall Commands

ZyWALL 10~100 Series Internet Security Gateway NetBIOS Filter Commands 11-3 Chart 11-1 NetBIOS Filter Default Settings NAME DESCRIPTION EXAMPLE WAN

Page 67 - NetBIOS Filter Commands

ZyWALL 10~100 Series Internet Security Gateway Table of Contents vii Table of Contents Copyright...

Page 68

ZyWALL 10~100 Series Internet Security Gateway 11-4 NetBIOS Filter Commands <on|off> = For types 0 and 1, use on to enable the filter and b

Page 69 - NetBIOS Filter Configuration

ZyWALL 10~100 Series Internet Security Gateway Boot Commands 12-1 Chapter 12 Boot Commands The BootModule AT commands execute from within the route

Page 70

ZyWALL 10~100 Series Internet Security Gateway 12-2 Boot Commands Diagram 12-2 Boot Module Commands AT just answer OK ATHE pr

Page 71 - Boot Commands

ZyWALL 10~100 Series Internet Security Gateway Log Descriptions 13-1 Chapter 13 Log Descriptions Chart 13-1 System Error Logs LOG MESSAGE DESCRIP

Page 72

ZyWALL 10~100 Series Internet Security Gateway 13-2 Log Descriptions Chart 13-2 System Maintenance Logs TELNET Login Fail Someone has failed to log

Page 73 - Log Descriptions

ZyWALL 10~100 Series Internet Security Gateway Log Descriptions 13-3 Chart 13-5 Attack Logs LOG MESSAGE DESCRIPTION attack IGMP The firewall detec

Page 74

ZyWALL 10~100 Series Internet Security Gateway 13-4 Log Descriptions Chart 13-5 Attack Logs LOG MESSAGE DESCRIPTION syn flood TCP The firewall dete

Page 75

ZyWALL 10~100 Series Internet Security Gateway Log Descriptions 13-5 Chart 13-6 Access Logs LOG MESSAGE DESCRIPTION Firewall default policy: TCP (

Page 76

ZyWALL 10~100 Series Internet Security Gateway 13-6 Log Descriptions Chart 13-6 Access Logs LOG MESSAGE DESCRIPTION Firewall rule match: IGMP (set:

Page 77

ZyWALL 10~100 Series Internet Security Gateway Log Descriptions 13-7 Chart 13-6 Access Logs LOG MESSAGE DESCRIPTION Firewall rule NOT match: OSPF

Page 78

ZyWALL 10~100 Series Internet Security Gateway viii Table of Contents Index ...

Page 79

ZyWALL 10~100 Series Internet Security Gateway 13-8 Log Descriptions Chart 13-6 Access Logs LOG MESSAGE DESCRIPTION Filter match DROP <set %d/ru

Page 80

ZyWALL 10~100 Series Internet Security Gateway Log Descriptions 13-9 Chart 13-6 Access Logs LOG MESSAGE DESCRIPTION Firewall sent TCP reset packet

Page 81

ZyWALL 10~100 Series Internet Security Gateway 13-10 Log Descriptions Chart 13-7 ACL Setting Notes ACL SET NUMBER DIRECTION DESCRIPTION 9 DMZ to DMZ

Page 82

ZyWALL 10~100 Series Internet Security Gateway Log Descriptions 13-11 Chart 13-8 ICMP Notes TYPE CODE DESCRIPTION 0 Echo message 11 Time Exceede

Page 83 - VPN/IPSec logs

ZyWALL 10~100 Series Internet Security Gateway 13-12 Log Descriptions Diagram 13-1 Example VPN Initiator IPSec Log VPN Responder IPSec Log The foll

Page 84 - VPN Responder IPSec Log

ZyWALL 10~100 Series Internet Security Gateway Log Descriptions 13-13 The following table shows sample log messages during IKE key exchange. Char

Page 85 - Log Descriptions 13-13

ZyWALL 10~100 Series Internet Security Gateway 13-14 Log Descriptions Chart 13-10 Sample IKE Key Exchange Logs LOG MESSAGE DESCRIPTION !! Remote IP

Page 86

ZyWALL 10~100 Series Internet Security Gateway Log Descriptions 13-15 Chart 13-10 Sample IKE Key Exchange Logs LOG MESSAGE DESCRIPTION vs. My Loca

Page 87

ZyWALL 10~100 Series Internet Security Gateway 13-16 Log Descriptions The following table shows RFC-2408 ISAKMP payload types that the log displays

Page 88

ZyWALL 10~100 Series Internet Security Gateway Log Descriptions 13-17 Log Commands Go to the command interpreter interface (the Command Interpreter

Page 89 - Log Commands

ZyWALL 10~100 Series Internet Security Gateway List of Diagrams ix List of Diagrams Diagram 2-1 Ideal Setup ...

Page 90 - Log Command Example

ZyWALL 10~100 Series Internet Security Gateway 13-2 Log Descriptions Use the sys logs display [log category] command to show the logs in an individu

Page 91 - Protection

ZyWALL 10~100 Series Internet Security Gateway Brute-Force Password Guessing Protection 14-1 Chapter 14 Brute-Force Password Guessing Protection Th

Page 93 - Part III:

Index III Part III: Index This part provides an Index of key terms.

Page 95

ZyWALL 10~100 Series Internet Security Gateway Index A Index A Ad-hoc Configuration ... 4-2 Alternative Subnet M

Page 96

ZyWALL 10~100 Series Internet Security Gateway B Index Infrastructure Configuration ....... 4-3 IP Addressing ......
