ZyWALL IDP 10 Intrusion Detection and Prevention Appliance User’s Guide Version 2.
ZyWALL IDP 10 User’s Guide

Copyright
Copyright © 2005 by ZyXEL Communications Corporation. The contents of this publication may not be reproduced in any part or as a whole, transcribed, stored in a retrieval system, translated into any language, or transmitted in any form or by any means, electronic, mechanical, magnetic, optical, chemical, photocopying, manual, or otherwise, without the prior written permission of ZyXEL Communications Corporation. Published by ZyXEL Communications Corporation.
Federal Communications Commission (FCC) Interference Statement
This device complies with Part 15 of FCC rules. Operation is subject to the following two conditions:
• This device may not cause harmful interference.
• This device must accept any interference received, including interference that may cause undesired operations.
This equipment has been tested and found to comply with the limits for a Class B digital device pursuant to Part 15 of the FCC Rules.
Safety Warnings
For your safety, be sure to read and follow all warning notices and instructions.
• Do NOT open the device or unit. Opening or removing covers can expose you to dangerous high voltage points or other risks. ONLY qualified service personnel can service the device. Please contact your vendor for further information.
• Use ONLY the dedicated power supply for your device.
ZyXEL Limited Warranty
ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials or workmanship for a period of up to two years from the date of purchase.
Customer Support
Please have the following information ready when you contact customer support.
• Product model and serial number.
• Warranty Information.
• Date that you received your device.
• Brief description of the problem and the steps you took to solve it.

Support e-mail: support@zyxel.com.tw
Telephone (a): +886-3-578-3942
Sales e-mail: sales@zyxel.com.tw
Fax: +886-3-578-2439
Web site: www.zyxel.com
Regular mail: ZyXEL Communications Corp.
www.europe.zyxel.
Location: United Kingdom
Support e-mail: support@zyxel.co.uk
Telephone (a): +44 (0) 1344 303044, 08707 555779 (UK only)
Web site: www.zyxel.co.uk
Sales e-mail: sales@zyxel.co.uk
Fax: +44 (0) 1344 303034
FTP site: ftp.zyxel.co.uk
Regular mail: ZyXEL Communications UK Ltd., 11, The Courtyard, Eastern Road, Bracknell, Berkshire, RG12 2XB, United Kingdom (UK)
a. “+” is the (prefix) number you enter to make an international telephone call.
Table of Contents
Copyright (page 2)
Federal Communications Commission (FCC) Interference Statement (page 3)
Safety Warnings (page 4)
ZyXEL Limited Warranty (page 5)
Customer Support
Chapter 4 Interface Screens (page 36)
4.1 10/100M Auto-Sensing Ethernet Ports (page 36)
4.2 Configuring Link (page 36)
4.3 Stealth
6.3.14 Policy Actions (page 65)
6.4 Configuring Pre-defined Policies (page 65)
6.4.1 Search Example (page 68)
6.4.2 Query Example (page 69)
6.4.3 Modify Screen
Introduction to Ports (page 108)
Introduction to Denial of Service (page 108)
Scanning (page 111)
Malicious Programs

List of Figures
Figure 1 ZyWALL (page 19)
Figure 2 Installation Example 1 (page 21)
Figure 3 Installation Example 2 (page 21)
Figure 4 Installation Example 3
Figure 39 Search Example (page 69)
Figure 40 Query Example (page 70)
Figure 41 Pre-defined Policies: Modify (page 71)
Figure 42 Update Policies

List of Tables
Table 1 Web Configurator HOME Screen (page 26)
Table 2 Screens Summary (page 27)
Table 3 Example Configuration Settings (page 28)
Table 4 General: Device
Preface
Congratulations on your purchase of the ZyWALL IDP 10.

About This User's Guide
Congratulations on your purchase of the ZyWALL IDP 10 Intrusion Detection Prevention Appliance. This manual is designed to guide you through the configuration of your ZyWALL for its various applications.

Related Documentation
• Support Disk: Refer to the included CD for support documents.
• Quick Start Guide: The Quick Start Guide is designed to help you get up and running right away.
Graphics Icons Key
Icons used in this guide: Prestige, Computer, Modem, Switch, Firewall, Server, Intrusion, Block an intrusion, Security Hole.
CHAPTER 1 Introducing the ZyWALL IDP 10
This chapter introduces the main features and applications of the ZyWALL.

1.1 Introduction
An IDP system can detect malicious or suspicious packets and respond instantaneously. It can detect anomalies based on violations of protocol standards (RFCs, Requests for Comments) or on traffic flows, including abnormal flows such as port scans. The rules that define how to identify and respond to intrusions are called “signatures”.
Figure 1 ZyWALL

1.2 Features
LAN, WAN and Management Ports
You can also manage the ZyWALL via the LAN or WAN port, but the MGMT port is dedicated for management. If you manage the ZyWALL via the LAN or WAN port then the ZyWALL itself may be susceptible to being compromised.
• Traffic flow anomalies, where certain applications (peer-to-peer applications, for example) are defined as “abnormal” and therefore as an “intrusion”.
• Stateful pattern matching based on reassembling TCP streams to make the complete string available to the detection engine.
• User-defined rules allow:
  • Multiple Attack Pattern Detection
  • Multiple string match
  • IP/TCP/UDP/ICMP and IGMP packet filters that block suspect attack sources.
Figure 2 Installation Example 1
In installation example 2 (see Figure 3 on page 21) the ZyWALL (A) protects the LAN from intrusions from the Internet and the DMZ servers from intrusions from the LAN (and vice versa). The ZyWALL itself receives firewall protection too. However, it protects neither the firewall (B) nor the DMZ servers from intrusions from the Internet.
Figure 4 Installation Example 3
In installation example 4 (see Figure 5 on page 22) ZyWALLs (A1 and A3) protect the LAN and DMZ from intrusions from the Internet and from each other. ZyWALLs (A1 and A3) also receive firewall protection. ZyWALL (A2) protects the firewall (B), DMZ servers (and LAN). However, ZyWALL (A2) does not receive firewall protection.
CHAPTER 2 Introducing the Web Configurator
This chapter describes how to access the ZyWALL web configurator and provides an overview of its screens.

2.1 Web Configurator Overview
The embedded web configurator (eWC) allows you to manage the ZyWALL from anywhere through a browser such as Microsoft Internet Explorer or Netscape Navigator. Use Internet Explorer 6.0 and later or Netscape Navigator 7.0 and later versions with JavaScript enabled.
Figure 7 Login Screen
4 You should see a screen asking you to change your password (highly recommended) as shown next. Type a new password (and retype it to confirm) and click Apply, or click Ignore.
Figure 8 Change Password Screen
5 You should now see the HOME screen (see Figure 9 on page 26).

2.3 Navigating the ZyWALL Web Configurator
The following summarizes how to navigate the web configurator from the HOME screen.
Figure 9 Web Configurator HOME Screen
Use submenus to configure ZyWALL features. Click MAINTENANCE to view information about your ZyWALL or upgrade configuration/firmware files. Maintenance includes Password, Time Setting, F/W (firmware) Upload, Configuration (Backup, Restore, Default), and Restart. Click LOGOUT at any time to exit the web configurator. The following table describes the labels in this screen.
Table 1 Web Configurator HOME Screen (continued)
LABEL / DESCRIPTION
Up Time: This field displays the total time in seconds since the ZyWALL was last turned on.
Memory: The first number shows how many kilobytes of the heap memory the ZyWALL is using. Heap memory refers to the memory that is used by the ZyWALL operating system. The second number shows the ZyWALL's total heap memory (in kilobytes). The bar displays what percent of the ZyWALL's heap memory is in use.
Table 2 Screens Summary (continued)
LINK / TAB / FUNCTION
REMOTE MGMT
IDP
Policy Check: Policy check determines the interface on which traffic will be checked against the ZyWALL policy rules (both pre-defined and user-defined). If you select the LAN port, only traffic coming into the LAN and out through the WAN will be checked. Similarly, if you select the WAN port, only traffic coming into the WAN and out through the LAN will be checked.
Table 3 Example Configuration Settings
FIELD / EXAMPLE CONFIGURATION
Gateway: 10.10.1.
CHAPTER 3 General Settings
This chapter describes how to configure the ZyWALL’s TCP, VLAN and State settings.

3.1 Device
Enter the ZyWALL IP address, subnet mask, gateway IP address and DNS server IP address in the next screen. The gateway and DNS entries relate to the e-mail, syslog and SNMP functions of the ZyWALL. The DNS server maps a domain name to its corresponding IP address and vice versa.
Table 4 General: Device
LABEL / DESCRIPTION
System Name: Enter a descriptive name of up to 128 single-byte or double-byte characters for identification purposes.
Administrator Inactivity Timer: Type how many minutes a management session (either via the web configurator or SSH) can be left idle before the session times out. After it times out you have to log in with your password again. Very long idle timeouts may have security risks.
The VLAN ID associates a frame with a specific VLAN and provides the information that switches need to process the frame across the network. A tagged frame is four bytes longer than an untagged frame and contains two bytes of TPID (Tag Protocol Identifier, residing within the type/length field of the Ethernet frame) and two bytes of TCI (Tag Control Information; a tagged header starts after the source address field of the Ethernet frame).
Figure 11 General: VLAN
The following table describes the fields in this screen.
Table 5 General: VLAN
LABEL / DESCRIPTION
Management Traffic VLAN Setup
VLAN Tag: Select ON to have the ZyWALL tag outgoing frames with the VLAN ID specified in the next field.
VLAN ID: If you enabled VLAN tagging, enter the tag for outgoing frames here; the valid range is between 1 and 4094.
Apply: Click this button to save your changes back to the ZyWALL.
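As an added example (written for this guide, not ZyXEL code), the following Python parses and inserts the 802.1Q tag described above: the 2-byte TPID, the 2-byte TCI carrying the 12-bit VLAN ID, the 4-byte length difference, and the 1 to 4094 range the VLAN ID field accepts. The frame bytes are constructed for illustration.

```python
"""Parse and insert an 802.1Q VLAN tag (TPID + TCI) in a raw Ethernet frame
and validate the VLAN ID range the ZyWALL accepts (1-4094).

Added example for this guide; not ZyXEL code. Sample frames are constructed.
"""
import struct

TPID_8021Q = 0x8100                  # Tag Protocol Identifier for an 802.1Q tag
VLAN_ID_MIN, VLAN_ID_MAX = 1, 4094   # valid range of the VLAN ID field (Table 5)


def parse_frame(frame: bytes) -> dict:
    """Return dst, src, vlan (or None), ethertype and payload of a frame.

    Untagged: dst(6) src(6) type(2) payload
    Tagged:   dst(6) src(6) TPID(2) TCI(2) type(2) payload   (4 bytes longer)
    TCI = PCP (3 bits) | DEI/CFI (1 bit) | VID (12 bits)
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (type_or_tpid,) = struct.unpack("!H", frame[12:14])
    vlan = None
    offset = 14
    if type_or_tpid == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan = {"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF}
        offset = 18
    else:
        ethertype = type_or_tpid
    return {"dst": dst, "src": src, "vlan": vlan,
            "ethertype": ethertype, "payload": frame[offset:]}


def vlan_id_is_valid(vid: int) -> bool:
    """VID 0 means 'priority tagged, no VLAN' and 4095 is reserved, so only
    1..4094 can be configured as the management VLAN tag."""
    return VLAN_ID_MIN <= vid <= VLAN_ID_MAX


def tag_frame(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert an 802.1Q tag right after the source address, which is what the
    ZyWALL does to outgoing management frames when VLAN Tag is ON."""
    if not vlan_id_is_valid(vid):
        raise ValueError(f"VLAN ID {vid} outside {VLAN_ID_MIN}-{VLAN_ID_MAX}")
    if parse_frame(frame)["vlan"] is not None:
        raise ValueError("frame is already tagged")
    tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


# Constructed sample: an untagged IPv4 frame with a 4-byte dummy payload.
UNTAGGED = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
            + struct.pack("!H", 0x0800) + b"\x45\x00\x00\x14")

if __name__ == "__main__":
    tagged = tag_frame(UNTAGGED, vid=100, pcp=3)
    info = parse_frame(tagged)
    print(len(tagged) - len(UNTAGGED), info["vlan"], hex(info["ethertype"]))
```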
Table 6 General: State
LABEL / DESCRIPTION
Device Operation State Setup
Device Operation State:
Inline: The ZyWALL will both identify suspicious or malicious packets and perform the action dictated by the rule for that type of intrusion (block, log, drop, send an alarm).
Monitor: Monitor means the ZyWALL will function as a traditional IDS (Intrusion Detection System) by identifying suspicious or malicious packets and then sending alerts (only).
CHAPTER 4 Interface Screens
This chapter shows you how to configure the ZyWALL ports.

4.1 10/100M Auto-Sensing Ethernet Ports
The ZyWALL supports 10/100Mbps auto-negotiating Ethernet. There are two factors related to the connection of two Ethernet ports: speed and duplex mode. In 10/100Mbps fast Ethernet, the speed can be 10Mbps or 100Mbps and the duplex mode can be half duplex or full duplex.
Figure 13 Interface: Link
The following table describes the fields in this screen.
Table 7 Interface: Link
LABEL / DESCRIPTION
WAN: Select the speed (10 or 100 Mbps) and duplex mode (Full, Half, Auto) for this port.
LAN: Select the speed (10 or 100 Mbps) and duplex mode (Full, Half, Auto) for this port.
Management: Select the speed (10 or 100 Mbps) and duplex mode (Full, Half, Auto) for this port.
Apply: Click this button to save your changes back to the ZyWALL.
Figure 14 Interface: Stealth
The following table describes the fields in this screen.
Table 8 Interface: Stealth
LABEL / DESCRIPTION
Interface Stealth Setup
WAN Port: Select ON to enable stealth on the WAN port.
LAN Port: Select ON to enable stealth on the LAN port.
Apply: Click this button to save your changes back to the ZyWALL.
Reset: Click this button to begin configuring this screen afresh.
4.
Figure 15 Policy Checking ZyWALL Policy Engine

4.4.1 Policy Direction
Do not confuse policy check with a policy rule direction (see the IDP pre-defined and user-defined policy screens), which refers to the intent of the policy rules (both pre-defined and user-defined). Incoming means the policy applies to traffic coming from the WAN to the LAN. Outgoing means the policy applies to traffic coming from the LAN to the WAN.
Figure 16 Interface: Policy Check
The following table describes the fields in this screen.
Table 9 Interface: Policy Check
LABEL / DESCRIPTION
Policy Check Setup
WAN Port: Select ON to have the ZyWALL check traffic coming into the WAN and out through the LAN against the ZyWALL policy rules (both pre-defined and user-defined).
CHAPTER 5 Remote Management
The remote management screens allow you to specify which ports are allowed web and SSH access and to configure SNMP.

5.1 Remote Management Overview
Remote management allows you to determine which services can access which ZyWALL interface (if any) from which computers.
HTTPS connection requests from an SSL-aware web browser go to port 443 (by default) on the ZyWALL. HTTP connection requests from a web browser go to port 80 (by default) on the ZyWALL.

5.1.2 Remote Management and Stealth
If you enable Stealth on a port, you cannot perform remote management via that port.
5.
Table 10 Remote Management: WWW (continued)
LABEL / DESCRIPTION
Server Access: You can allow only secure web configurator access by setting the HTTP Server Access field to Disable and setting the HTTPS Server Access field to one or more interfaces. Options are LAN + MGMT, WAN + MGMT, MGMT, ALL and Disable.
Secure Client IP Address: A secure client is a “trusted” computer that is allowed to communicate with the ZyWALL using this service.
Figure 18 SNMP Management Model
An SNMP managed network consists of two main types of component: agents and a manager. An agent is a management software module that resides in a managed device (the ZyWALL). An agent translates the local management information from the managed device into a form compatible with SNMP. The manager is the console through which network administrators perform network management functions.
• GetNext - Allows the manager to retrieve the next object variable from a table or list within an agent. In SNMPv1, when a manager wants to retrieve all elements of a table from an agent, it initiates a Get operation, followed by a series of GetNext operations.
• Set - Allows the manager to set values for object variables within an agent.
• Trap - Used by the agent to inform the manager of some events.
5.3.
The following table describes the fields in this screen.
Table 12 Remote Management: SNMP
LABEL / DESCRIPTION
SNMP Configuration
Get Community: This is the “password” for the incoming Get and GetNext requests from the management station.
Set Community: This is the “password” for incoming Set requests from the management station.
Trap Community: Type the trap community, which is the password sent with each trap to the SNMP manager.
Figure 21 How SSH Works
1. Host Identification
The SSH client sends a connection request to the SSH server. The server identifies itself with a host key. The client encrypts a randomly generated session key with the host key and server key and sends the result back to the server. The client automatically saves any new server public keys. In subsequent connections, the server public key is checked against the saved version on the client computer.
2.
Figure 22 Remote Management: SSH
The following table describes the fields in this screen.
Table 13 Remote Management: SSH
LABEL / DESCRIPTION
Server Access: Select the interface(s) through which a computer may access the ZyWALL using this service. The default is Disable. You need to select a port in order to access the ZyWALL using SSH. Options are LAN + MGMT, WAN + MGMT, MGMT (only), ALL (WAN + LAN + MGMT) and Disable. Select Disable to totally prevent SSH access to the ZyWALL.
Figure 23 PuTTY Settings
4 You may see a PuTTY security alert next. Click Yes to continue.
Figure 24 PuTTY Security Alert
5 You see the login screen of the ZyWALL next. Enter the username (default is “admin”) and password (default is “1234”) to log in.
Figure 25 ZyWALL Command Interface Login Screen
CHAPTER 6 IDP Policies
This chapter describes how to configure your ZyWALL’s IDP settings.

6.1 IDP Overview
An IDP system can detect malicious or suspicious packets and respond instantaneously. It performs “misuse” detection based on pre-defined attack patterns and “anomaly” detection based on violations of protocol standards (RFCs, Requests for Comments) or abnormal flows such as port scans.
For more information on mySecurity zone, please visit http://www.mysecurity.zyxel.com.

6.3 Signature Categories
This section defines some IDP terms used in the ZyWALL. See the appendices for more detailed information on IDP term definitions. The following are both the pre-defined (not editable) and user-defined signature categories (you may refer to these policy categories when categorizing your own user-defined rules).
6.3.
Figure 26 P2P Signatures

6.3.2 IM
IM (Instant Messaging) refers to chat applications. Chat is real-time, text-based communication between two or more users via network-connected computers. After you enter a chat (or chat room), any room member can type a message that will appear on the monitors of all the other participants. To find a list of all IM signatures supported by the ZyWALL, do a policy search by name (IM or chat) or policy query by type (IM).
Figure 27 IM (Chat) Signatures

6.3.3 SPAM
Spam is unsolicited "junk" e-mail sent to large numbers of people to promote products or services. To find a list of all spam signatures supported by the ZyWALL, do a policy search by name (spam) or policy query by type (SPAM). The following screen shows some spam signatures supported by the ZyWALL at the time of writing.
Figure 28 Spam Signatures
6.3.
Figure 29 DoS/DDoS Signatures

6.3.5 Scan
Scan refers to all port, IP or vulnerability scans. Hackers scan ports to find targets. They may use a TCP connect() call, SYN scanning (half-open scanning), Nmap etc. After a target has been found, a layer-7 scanner can be used to exploit vulnerabilities. To find a list of all scan-related signatures supported by the ZyWALL, do a policy search by name (scan) or policy query by type (Scan).
Figure 30 Scan Signatures

6.3.6 Buffer Overflow
A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold. The excess information can overflow into adjacent buffers, corrupting or overwriting the valid data held in them. Intruders could run code in the overflowed buffer region to obtain control of the system, install a backdoor or use the victim to launch attacks on other devices.
Figure 31 Buffer Overflow Signatures

6.3.7 Virus/Worm
A computer virus is a small program designed to corrupt and/or alter the operation of other legitimate programs. A worm is a program that is designed to copy itself from one computer to another on a network. A worm’s uncontrolled replication consumes system resources, thus slowing or stopping other tasks.
Figure 32 Worm/Virus Signatures

6.3.8 Backdoor/Trojan
A backdoor (also called a trapdoor) is hidden software or a hardware mechanism that can be triggered to gain access to a program, online service or an entire computer system. A Trojan horse is a harmful program that is hidden inside apparently harmless programs or data. To find a list of all backdoor/Trojan related signatures supported by the ZyWALL, do a policy search by name or policy query by type (Backdoor/Trojan).
Figure 33 Backdoor/Trojan Signatures

6.3.9 Access Control
Access control refers to procedures and controls that limit or detect access. Access control is used typically to control user access to network resources such as servers, directories, and files. To find a list of all access control related signatures supported by the ZyWALL, do a policy search by name or policy query by type (Access Control).
Figure 34 Access Control Signatures

6.3.10 Web Attack
Web attack signatures refer to attacks on web servers such as IIS. To find a list of all web attack related signatures supported by the ZyWALL, do a policy search by name or policy query by type (Web Attack). The following screen shows some of the web attack related signatures supported by the ZyWALL at the time of writing.
Figure 35 Web Attack Signatures

6.3.11 Porn
The ZyWALL can block web sites if their URLs contain certain pornographic words. It cannot block web pages containing those words if the associated URL does not. To find a list of all porn related signatures supported by the ZyWALL, do a policy search by name or policy query by type (Porn). The following screen shows some of the porn related signatures supported by the ZyWALL at the time of writing.
Figure 36 Porn Signatures

6.3.12 Others
This category refers to signatures for attacks that do not fall into the previously mentioned categories. To find a list of all “others” related signatures supported by the ZyWALL, do a policy search by name or policy query by type (Others). The following screen shows some of the “others” related signatures supported by the ZyWALL at the time of writing.
Figure 37 Others Signatures

6.3.13 Policy Severity
Intrusions are assigned a severity level based on the following table. The intrusion severity level then determines the default signature action.
Table 14 Policy Severity
SEVERITY / DESCRIPTION
Severe (5): These are intrusions that try to run arbitrary code or gain system privileges. The default action for this level of intrusion is to block the traffic.
6.3.14 Policy Actions
The following table describes the (configurable) actions for a policy.
Table 15 Policy Actions
ACTION / DESCRIPTION
No Action: The intrusion is detected and an alarm may be sent (if the Alarm check box is selected) but no other action is taken. If the Alarm check box is also cleared, it is recommended you simply disable the rule.
Figure 38 Pre-defined IDP Policies Summary
Table 16 Selecting Pre-defined Policies
LABEL / DESCRIPTION
Pre-defined Policy Group Setting
Modify: Click this button to display a screen where you can batch enable or disable policy types based on severity and/or target operating system. You can also batch enable or disable peer-to-peer, instant messaging and spam signature categories.
Table 16 Selecting Pre-defined Policies (continued)
LABEL / DESCRIPTION
Policy Search: You can search for policies based on policy name or ID number. Select By Name or By Policy ID from the drop-down list box, enter a (partial) name or a complete, exact ID number in the text box and then click Search. The name entered in the text box is not case sensitive. After a search is performed, click IDP in the navigation panel to display all policies again.
Table 16 Selecting Pre-defined Policies (continued)
LABEL / DESCRIPTION
Action: This field defines the action to be taken for a rule match. See Table 15 on page 65 for details on actions. You can change the specified default action for pre-defined rules. After you apply these changes, your specified actions for pre-defined rules remain in effect even after you update new rules or change modes (Inline to Monitor and back to Inline again).
Figure 39 Search Example

6.4.2 Query Example
The following screen shows severe and high impact DoS/DDoS policies for intrusions that exploit vulnerabilities on Windows 2000 and Windows XP computers. Use the key to select multiple items. If the query finds more policies than one page can display, then click Query again to display the next page.
Figure 40 Query Example

6.4.3 Modify Screen
Click Modify in the Pre-defined IDP Policies Summary screen to display a screen where you can batch enable or disable policy types based on severity and/or target operating system. You can also batch enable or disable peer-to-peer, instant messaging and spam signature categories. As you can enable certain “attack group” items and at the same time disable certain “application group” items (and vice versa), in some instances a conflict may occur.
Figure 41 Pre-defined Policies: Modify
Table 17 Pre-defined IDP Policies
LABEL / DESCRIPTION
ALL: Select this checkbox and then select Enable or Disable to automatically enable or disable all policies. When ALL is selected, Attack Group and Application Group choices are not available. When ALL is cleared, you can enable or disable a group of policies by severity (see Table 14 on page 64), operating system or signature category (P2P, IM or SPAM; see Section 6.3 on page 53).
6.5 Update
The ZyWALL comes with a “pre-defined” set of policies that can be regularly updated. Regular updates are vital as new intrusions evolve. Use the Update screen to download new pre-defined policies immediately or to schedule the downloads. You should have already registered the ZyWALL (see the Registration screen). Click IDP from the navigation panel and then click the Update tab.
6.6 User-defined Policies
You need some knowledge of packet header types and OSI (Open System Interconnection) to create your own User-defined rules. Rule ordering is important as rules are applied in turn. You can order user-defined rules as you wish. The total number of pre-defined and user-defined rules allowed on the ZyWALL is 3,000. The total number of user-defined rules allowed is 128.
Figure 43 User-defined Policies
Table 19 User-defined Policies
LABEL / DESCRIPTION
Enable User-defined Policy: This checkbox must be selected to have the ZyWALL check traffic using your custom IDP rules. You may clear it to keep the rules but not have them applied to traffic.
Import User-defined Policy: Use these fields to import another person’s user-defined rules.
Table 19 User-defined Policies (continued)
LABEL / DESCRIPTION
Alarm: An alarm is an action (an e-mail is sent) to be taken on the policy when a packet matches a rule. Alarm e-mails are not sent instantly but rather at periodic intervals (minimum five minutes). Select this checkbox to enable the alarm action. For other actions, select from the Action drop-down list box.
Type: Assign a signature category to your rule as described in Section 6.3 on page 53.
Table 19 User-defined Policies (continued)
LABEL / DESCRIPTION
Move: Type the rule number that should be moved in the first textbox (that follows this label), type the index number it should be moved to in the second textbox and then click Move to rearrange this rule. Rule ordering is important as rules are applied in turn.
Apply: Click this button to save your changes back to the ZyWALL.
6.6.
Figure 44 Configuring a User-defined IDP Policy
Table 20 Configuring a User-defined IDP Policy
LABEL / DESCRIPTION
Attributions: The “attributions” define the characteristics of the intrusion for which you’re configuring a policy. A traffic flow must match your operating system selections, your protocol definition and your repetition designation before your rule is invoked.
Name: Type a meaningful rule name to identify this policy. You can enter up to 128 single-byte or double-byte characters.
Table 20 Configuring a User-defined IDP Policy (continued)
LABEL / DESCRIPTION
Source IP: Select whether the policy applies to source packets that match (Equal), don’t match (Not Equal), are within the range (In Set), are outside the range (Not In Set), have IP addresses that come after the number specified in the range (Greater), have IP addresses that come before the number specified in the range (Lesser) or all source IP addresses (Don’t Care). Then type an IP address and subnet
Table 20 Configuring a User-defined IDP Policy (continued)
LABEL / DESCRIPTION
Packet Content: Packet Content parameters are for searching packet payloads. Do a traffic packet trace when an attack occurs and then isolate the part of the trace that identifies the attack, so you can paste the identifying portion into the following field(s) to identify the attack. Matching Offset and Matching Depth apply to all strings.
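To show how the Source IP operators and the Packet Content Matching Offset/Depth in Table 20 combine, and why rule order matters (Section 6.6), here is an added Python example written for this guide; it is not ZyWALL code. The Rule and packet structures, the action labels and the sample rules and packets are assumptions constructed for illustration.

```python
"""Evaluate ZyWALL-style user-defined IDP rules against packets.

Added example for this guide, not ZyXEL code. The Rule/packet structures,
the action labels and all sample data are assumptions constructed to show
the Source IP operators and Packet Content offset/depth from Table 20.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class SourceIPMatch:
    op: str                        # Equal, Not Equal, In Set, Not In Set, Greater, Lesser, Don't Care
    network: Optional[str] = None  # "address/mask" the operator is compared against


def source_ip_matches(m: SourceIPMatch, src: str) -> bool:
    """Apply one Source IP operator to a packet's source address."""
    if m.op == "Don't Care":
        return True
    net = ipaddress.ip_network(m.network, strict=False)
    ip = ipaddress.ip_address(src)
    if m.op == "Equal":
        return ip == net.network_address
    if m.op == "Not Equal":
        return ip != net.network_address
    if m.op == "In Set":
        return ip in net
    if m.op == "Not In Set":
        return ip not in net
    if m.op == "Greater":          # numerically after the whole range
        return int(ip) > int(net.broadcast_address)
    if m.op == "Lesser":           # numerically before the whole range
        return int(ip) < int(net.network_address)
    raise ValueError(f"unknown Source IP operator: {m.op!r}")


@dataclass
class Rule:
    name: str
    source_ip: SourceIPMatch
    contents: List[bytes] = field(default_factory=list)  # every string must match
    offset: int = 0              # Matching Offset: payload bytes skipped first
    depth: Optional[int] = None  # Matching Depth: bytes searched after the offset
    action: str = "No Action"    # assumed labels: "No Action" or "Drop"
    alarm: bool = False


def content_matches(rule: Rule, payload: bytes) -> bool:
    """Offset and Depth apply to all strings, so the window is cut once."""
    window = payload[rule.offset:]
    if rule.depth is not None:
        window = window[:rule.depth]
    return all(s in window for s in rule.contents)


def rule_matches(rule: Rule, packet: Dict) -> bool:
    return (source_ip_matches(rule.source_ip, packet["src"])
            and content_matches(rule, packet["payload"]))


def first_matching_rule(rules: List[Rule], packet: Dict) -> Optional[Rule]:
    """Rules are applied in turn, so the first match decides the action."""
    for rule in rules:
        if rule_matches(rule, packet):
            return rule
    return None


# Constructed rules: a narrow LAN rule placed before a catch-all alarm rule.
RULES = [
    Rule("lan-cgi-probe", SourceIPMatch("In Set", "192.168.1.0/24"),
         [b"GET ", b"/cgi-bin/"], offset=0, depth=64, action="Drop", alarm=True),
    Rule("any-cgi-probe", SourceIPMatch("Don't Care"),
         [b"GET ", b"/cgi-bin/"], offset=0, depth=64, action="No Action", alarm=True),
]

# Constructed packets: only the fields the rules above look at.
PACKETS = [
    {"src": "192.168.1.10", "payload": b"GET /cgi-bin/status HTTP/1.0\r\n"},
    {"src": "10.0.0.5",     "payload": b"GET /cgi-bin/status HTTP/1.0\r\n"},
    {"src": "192.168.1.10", "payload": b"GET /index.html HTTP/1.0\r\n"},
]

if __name__ == "__main__":
    for pkt in PACKETS:
        hit = first_matching_rule(RULES, pkt)
        print(pkt["src"], "->", hit.name if hit else "no match",
              f"({hit.action})" if hit else "")
    # Reversing the order lets the catch-all shadow the LAN rule: same packet,
    # weaker action. That is what the Move field in Table 19 is for.
    shadowed = first_matching_rule(list(reversed(RULES)), PACKETS[0])
    print("reversed order ->", shadowed.name, f"({shadowed.action})")
```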
6.7 Registering your ZyWALL
Use the Registration screen to enable IDP service on the ZyWALL. You need to do this before you update new policies. Follow this procedure to do this.
1 Go to http://www.myZyXEL.com, ZyXEL Communications’ online services center.
2 If you have not already done so for another ZyXEL product, create a myZyXEL.com account containing a login name and password.
Figure 45 Registering ZyWALL
Table 21 Registering ZyWALL
Registration Status: This read-only label displays Unregistered even after you paste the Activation Key and click Apply in this screen. It will only display Registered after you paste the Activation Key, click Apply in this screen and then update your pre-defined policies at updateidp.zyxel.com or updateidp.zyxel.com.tw.
Activation Key: Paste the generated key as described on page 81.
CHAPTER 7 Log and Report
This chapter describes how to use the Log and Report screens.
7.1 Logs
To view logs and alert messages, click LOGS under the LOG & REPORT heading in the MAIN MENU of the Web Configurator. The log wraps around and deletes the old entries after it fills. You can re-order the logs according to the time generated by clicking the Time column title. A triangle indicates the direction of the sort order.
Table 22 View Log
Logs Display: Select a log category from the drop-down list box to display logs within the selected category: All Logs (view all logs), System Log (view logs related to the ZyWALL such as login to the ZyWALL or startup), IDP Event Log (view logs related to detected intrusions).
Clear: Click this button to clear all the logs.
Refresh: Click this button to refresh the log screen.
Page: Use the drop-down list to select the log page you want.
Figure 47 Report: E-Mail
The following table describes the fields in this screen.
Table 23 Report: E-Mail
E-Mail Setup
Active: Click this button to enable e-mailed reports and allow editing of the fields below.
Report Schedule: Select the frequency of e-mailed reports: weekly, daily, hourly, or only when the log is full. If the Weekly or Daily option is selected, specify a time of day when the e-mail should be sent.
Table 23 Report: E-Mail (continued)
Subject: Type a title that you want to be in the subject line of the report that the ZyWALL sends.
SMTP Authentication: SMTP (Simple Mail Transfer Protocol) is the message-exchange standard for the Internet. SMTP enables you to move messages from one e-mail server to another. Select the check box to activate SMTP authentication if your mail server requires a user name and password.
Table 24 Report: syslog (continued)
Log Facility: Select a location from the drop-down list box. The log facility allows you to log the messages to different files in the syslog server. Refer to the documentation of your syslog program for more details.
Traffic Logging
Send Raw Traffic Statistics to Syslog Server for Analysis: Select the check box and click Apply to have the ZyWALL send unprocessed traffic statistics to a syslog server for analysis.
Table 25 Alarm
Alarm Schedule
Active: Select this field to activate your ZyWALL's alarm schedule as configured in the fields below.
Period: This field is used to configure the frequency of alarm messages. Alarm messages are not sent instantaneously. There is a minimum wait period of five minutes between when alarm messages are sent out.
Mail Server: Type the IP address or URL of the mail server.
CHAPTER 8 Maintenance
8.1 Maintenance Overview
Use the maintenance screens to change the ZyWALL password, ZyWALL time, upload firmware, manage configuration files and restart the ZyWALL.
8.2 Password
Use the Password screen to change the ZyWALL password. You should do this regularly for security reasons.
8.2.1 Forget Password
If you forgot your password, then you will have to reset it to the factory defaults (“1234”) from debug mode via the console port.
1 Turn off and then turn on the ZyWALL or use the reboot command to restart the ZyWALL.
2 As the ZyWALL restarts you must enter debug mode before the login screen appears. Press within 5 seconds of when the console screen displays “Press ENTER to enter Debug Mode”.
3 Type reset after the “debug” prompt.
8.3.1 Pre-defined NTP Time Servers List
The ZyWALL uses the following pre-defined list of NTP time servers if you do not specify a timeserver or it cannot synchronize with the timeserver you specified.
Note: The ZyWALL can use this pre-defined list of time servers regardless of the Time Protocol you select.
When the ZyWALL uses the pre-defined list of NTP time servers, it randomly selects one server and tries to synchronize with it.
Figure 52 Maintenance: Time Setting
Table 28 Time and Date
Current Time and Date
Current Time: This field displays the time of your ZyWALL. Each time you reload this page, the ZyWALL synchronizes the time with the timeserver (if configured).
Current Date: This field displays the date of your ZyWALL. Each time you reload this page, the ZyWALL synchronizes the date with the timeserver (if configured).
Table 28 Time and Date (continued)
New Date (yyyy-mm-dd): This field displays the last updated date from the timeserver or the last date configured manually. When you set Time and Date Setup to Manual, enter the new date in this field and then click Apply.
Get from Time Server: Select this radio button to have the ZyWALL get the time and date from the timeserver you specify below.
Time Protocol: Select the time service protocol that your time server uses.
Figure 53 Synchronization in Process
Click the Return button to go back to the Time and Date screen after the time and date is updated successfully.
Figure 54 Synchronization is Successful
If the update was not successful, the following screen appears. Click Return to go back to the Time and Date screen.
Figure 55 Synchronization Fail
8.4 Firmware Upload
Find firmware at www.zyxel.com in a file that (usually) uses the system model name with a "*.bin" extension, e.g., "zywall.
Figure 56 Maintenance: F/W Upload
Table 29 Maintenance: F/W Upload
Local Upgrade
File Path: Type in the location of the file you want to upload in this field or click Browse... to find it.
Browse...: Click Browse... to find the BIN file you want to upload. Remember that you must decompress compressed (.ZIP) files before you can upload them.
Upload: Click Upload to begin the upload process. This process may take up to two minutes.
Table 29 Maintenance: F/W Upload (continued)
Check: Click Check to check that the link to the remote server is valid.
Update Now: Click Update Now to immediately download the firmware file from the server and upload it to your ZyWALL.
Auto Download & Update: Click Enable to allow your ZyWALL to automatically download and update firmware (a restart is needed) on the days and times specified below.
Figure 58 Network Temporarily Disconnected
After two minutes, log in again and check your new firmware version in the System Status screen. If the upload was not successful, the following screen will appear. Click Return to go back to the F/W Upload screen.
Figure 59 Firmware Upload Error
8.5 Configuration
Use the Configuration screen to back up and restore ZyWALL configuration files or reset to the factory default configuration file.
Figure 60 Maintenance: Configuration
8.5.1 Backup Configuration
Backup Configuration allows you to back up (save) the ZyWALL’s current configuration to a file on your computer. Once your ZyWALL is configured and functioning properly, it is highly recommended that you back up your configuration file before making configuration changes. The backup configuration file will be useful in case you need to return to your previous settings.
After you see a “configuration upload successful” screen, you must then wait one minute before logging into the device again. The device automatically restarts in this time, causing a temporary network disconnect. If you uploaded the default configuration file you may need to change the IP address of your computer to be in the same subnet as that of the default device IP address. See your Quick Start Guide for details on how to set up your computer’s IP address.
CHAPTER 9 Command Line Interface Overview
This chapter briefly introduces the command line interface and lists the available commands. See the Support CD for detailed information on using commands. In addition to the web configurator, you can use commands to configure the ZyWALL. However, if you have problems with your ZyWALL, customer support may request that you issue some of these commands to assist them in troubleshooting.
[on|off] means that you can use either on or off.
6 “Command” refers to a command used in the command line interface (CLI command).
9.1.1 Help Facility
You can issue the help or help all command at any time. The system will display a list of available commands in response.
9.2 Login
When you log in you will be prompted for the username (“admin”) and password (default is “1234”). If you changed the password in the web configurator, then use that new password here.
Table 31 Commands Summary (continued)
detect
vpnbypass: Allow/disallow bypass of VPN packets it doesn’t recognize.
portscan: Allow/disallow port scanning.
fragment: Enable/disable fragment function.
stateful: Enable/disable TCP state check.
integrity: Enable/disable TCP packet state integrity using this command.
tcptimeout: Set the maximum TCP idle timeout (this is how long a TCP connection is allowed to remain idle.
Table 31 Commands Summary (continued)
remote snmp
on: Enable remote snmp access from LAN+MGMT/WAN+MGMT/MGMT ONLY/ALL port.
off: Disable remote snmp access.
acl: Set up access control list ip address.
community ro: Set up community read only string.
community rw: Set up community read/write string.
trap: Set up snmp trap.
system name: Set up remote snmp system name.
ssh, web, Get, Reboot
Table 31 Commands Summary (continued)
Help: Displays a “help” message.
Reset: Resets the ZyWALL to the factory defaults and erases all user-defined policies.
Reset All: As Reset, and erases all predefined policies too.
Netstat: Display network state.
Ping: Perform Ping from the ZyWALL.
Arp: Display address resolution protocol information (device MAC address and IP address table).
Appendix A Introduction to Intrusions
Introduction to Ports
Computers share information over the Internet using a common language called TCP/IP. An “extension number”, called the “TCP port” or “UDP port”, identifies these protocols, such as HTTP (Web), FTP (File Transfer Protocol), POP3 (e-mail), etc. For example, Web traffic by default uses TCP port 80.
Ping of Death
Ping of Death uses a "ping" utility to create an IP packet that exceeds the maximum 65,536 bytes of data allowed by the IP specification. The oversize packet is then sent to an unsuspecting system. Systems may crash, hang or reboot.
Teardrop
The Teardrop attack exploits weaknesses in the reassembly of IP packet fragments. As data is transmitted through a network, IP packets are often broken up into smaller chunks.
Figure 63 SYN Flood
LAND Attack
In a LAND attack, hackers flood SYN packets into the network with a spoofed source IP address of the targeted system. This makes it appear as if the host computer sent the packets to itself, making the system unavailable while the target system tries to respond to itself.
Smurf Attack
A Smurf attack targets a feature in the IP specification known as directed or subnet broadcasting, to quickly flood the target network with useless data.
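The following Python, added here as an illustration and not part of the ZyWALL, shows the stateless checks an IDP can run for three of the malformed-packet attacks just described: a LAND packet (source address equals destination address), Teardrop (fragment offsets that overlap bytes already covered) and Ping of Death (fragments that reassemble beyond the IP maximum). The `Frag` record, the use of 65535 as the reassembly bound and the sample packets are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

# Added illustration, not ZyWALL code: stateless checks for LAND, Teardrop and
# Ping of Death on simplified packet records (one record per IP fragment).
IP_MAX = 65535   # largest datagram the 16-bit IP total-length field can describe

@dataclass
class Frag:
    src: str
    dst: str
    ident: int       # IP identification field, shared by all fragments of one datagram
    offset: int      # fragment offset in bytes (header field value * 8)
    length: int      # bytes of payload carried by this fragment
    more: bool       # More Fragments flag
    flags: str = ""  # TCP flags for unfragmented TCP packets, e.g. "S" (constructed field)

def is_land(p: Frag) -> bool:
    """LAND: a SYN whose spoofed source address equals the destination address."""
    return "S" in p.flags and p.src == p.dst

def check_datagram(frags) -> list:
    """Alerts for one datagram's fragments (same src, dst and ident)."""
    alerts = []
    frags = sorted(frags, key=lambda f: f.offset)
    end_seen = 0
    for f in frags:
        if f.offset < end_seen:            # Teardrop: starts inside bytes an earlier fragment covered
            alerts.append("teardrop-overlap")
            break
        end_seen = f.offset + f.length
    last = frags[-1]
    if not last.more and last.offset + last.length > IP_MAX:
        alerts.append("ping-of-death")    # reassembled size exceeds what IP allows
    return alerts

def scan(packets) -> list:
    """Group fragments by datagram and return (src, dst, alert) tuples in detection order."""
    alerts, groups = [], defaultdict(list)
    for p in packets:
        if is_land(p):
            alerts.append((p.src, p.dst, "land"))
        groups[(p.src, p.dst, p.ident)].append(p)
    for (src, dst, _), frags in groups.items():
        alerts += [(src, dst, name) for name in check_datagram(frags)]
    return alerts

# Constructed samples: a normal two-fragment datagram, a Teardrop pair, an oversized
# final fragment and a LAND SYN.
A, B = "10.0.0.1", "10.0.0.2"
NORMAL = [Frag(A, B, 1, 0, 1480, True), Frag(A, B, 1, 1480, 100, False)]
TEARDROP = [Frag(A, B, 2, 0, 36, True), Frag(A, B, 2, 24, 24, False)]
PING_OF_DEATH = [Frag(A, B, 3, 0, 65000, True), Frag(A, B, 3, 65000, 1000, False)]
LAND = [Frag(B, B, 4, 0, 40, False, flags="S")]
```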
Figure 64 Smurf Attack
Traceroute
Traceroute is a utility used to determine the path a packet takes between two endpoints. Sometimes when a packet filter firewall is configured incorrectly an attacker can traceroute the firewall, gaining knowledge of the network topology inside the firewall.
IP Spoofing
Many DoS attacks also employ a technique known as IP spoofing as part of their attack.
A TCP connect() call is used to open a connection to every interesting port on the machine. If the port is listening, connect() will succeed; otherwise the port isn't reachable. SYN scanning (half-open scanning) does not open a full TCP connection. A SYN packet is sent, pretending to open a genuine connection, and the scanner waits for a response. A SYN/ACK will indicate that the port is listening. If a SYN/ACK is received, a RST is sent to tear down the connection.
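As an added example (not ZyWALL code) of telling the two scan styles apart from captured traffic, this Python counts, per source, how many distinct ports received a SYN that the source never followed with its handshake ACK (half-open probes) versus ports where the handshake completed (connect() style). The packet tuple format, the threshold and the sample addresses are constructed.

```python
from collections import defaultdict

# Added illustration, not ZyWALL code. Each packet is a constructed tuple
# (src, dst, dport, flags); flags is the TCP flag string seen on the wire:
# "S" = SYN, "SA" = SYN/ACK, "A" = ACK, "R" = RST.

def port_probe_sets(packets):
    """Per source: (dst, port) pairs left half-open and pairs whose handshake completed."""
    syn_sent = defaultdict(set)    # (src, dst) -> ports that got a SYN from src
    completed = defaultdict(set)   # (src, dst) -> ports where src later sent its ACK
    for src, dst, dport, flags in packets:
        key = (src, dst)
        if flags == "S":
            syn_sent[key].add(dport)
        elif flags == "A" and dport in syn_sent.get(key, ()):
            completed[key].add(dport)      # third step of the handshake: a real connection
    per_src = defaultdict(lambda: {"half_open": set(), "connect": set()})
    for (src, dst), ports in syn_sent.items():
        done = completed.get((src, dst), set())
        per_src[src]["half_open"] |= {(dst, p) for p in ports - done}   # SYN scan probes
        per_src[src]["connect"] |= {(dst, p) for p in done}             # connect() scan or real use
    return per_src

def scan_alerts(packets, threshold=10):
    """Sources whose SYNs reached at least `threshold` distinct ports, with counts per style."""
    alerts = {}
    for src, sets in port_probe_sets(packets).items():
        half, full = len(sets["half_open"]), len(sets["connect"])
        if half + full >= threshold:
            alerts[src] = {"half_open": half, "connect": full}
    return alerts

# Constructed sample traffic: a half-open scan of 20 ports (port 22 answers, the scanner
# RSTs it) and one ordinary client completing a handshake to port 80.
SCANNER, VICTIM, CLIENT = "203.0.113.9", "10.0.0.5", "10.0.0.8"
SAMPLE = [(SCANNER, VICTIM, port, "S") for port in range(1, 21)]
SAMPLE += [(VICTIM, SCANNER, 40001, "SA"), (SCANNER, VICTIM, 22, "R")]
SAMPLE += [(CLIENT, VICTIM, 80, "S"), (VICTIM, CLIENT, 51000, "SA"), (CLIENT, VICTIM, 80, "A")]

if __name__ == "__main__":
    print(scan_alerts(SAMPLE))   # {'203.0.113.9': {'half_open': 20, 'connect': 0}}
```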
Example Intrusions
The following are some examples of intrusions.
SQL Slammer Worm
W32.SQLExp.Worm is a worm that targets the systems running Microsoft SQL Server 2000, as well as Microsoft Desktop Engine (MSDE) 2000. The worm sends 376 bytes to UDP port 1434, the SQL Server Resolution Service Port. The worm has the unintended payload of performing a Denial of Service attack due to the large number of packets it sends.
MyDoom
MyDoom (W32.Mydoom.A@mm, also known as W32.Novarg.A) is a mass-mailing worm that arrives as an attachment with the file extension bat, cmd, exe, pif, scr, or zip. When a computer is infected, the worm sets up a backdoor into the system by opening TCP ports 3127 through 3198, which can potentially allow an attacker to connect to the computer and use it as a proxy to gain access to its network resources. In addition, the backdoor can download and execute arbitrary files.
Appendix B Intrusion Protection
Firewalls and Intrusions
Firewalls are designed to block clearly suspicious traffic and forward other traffic through. Many exploits take advantage of weaknesses in the protocols that are allowed through the firewall, so that once an inside server has been compromised it can be used as a backdoor to launch attacks on other servers. Firewalls are usually deployed at the network outskirts.
Network Intrusions
Network-based intrusions have the goal of bringing down a network or networks by attacking computer(s), switch(es), router(s) or modem(s). If a LAN switch is compromised, for example, then the whole LAN is compromised, resulting in the equivalent of a LAN Denial of Service (DoS) attack.
The protocol decode engine first applies rules defined by the appropriate RFCs to look for violations. This can help to detect certain anomalies such as binary data in an HTTP request, or a suspiciously long piece of data where it should not be (a sign of a possible buffer overflow attempt).
Heuristic Analysis
Heuristic-based signatures use algorithms, often based on statistics, to judge whether a warning is warranted.