ZyWALL IDP 10 Intrusion Detection Prevention Appliance Support Notes Version 1.
IDP Support Notes

INDEX

Application Notes ............ 4
  Deploy IDP ............ 4
  Register ZyWALL IDP ............ 10
  Firmware Upgrade ............
  Why can’t I input mail server address by domain name? ............ 32
  What’s “Drop” and “Block Connection” for Action of User Defined Policy? ............ 33
  How to use URL String in Content setup of User-defined policy? ............ 33
  What’s the definition of “Incoming” and “Outgoing” direction in a policy setup? ............ 33
  How to decide which Interface should be applied for policy check? ............
Application Notes

Deploy IDP

IDP functions as a plug-and-play bridge device that filters malicious traffic before it can attack your networks. With continuous signature updates, users are protected from network-based intrusions. In this example, we describe how to deploy and configure ZyWALL IDP10 in a network. Since ZyWALL IDP10 is a bridge device, users do not need to change the existing network topology when they deploy it. Two things matter:
- Determine the target network/systems to protect.
IP address assignment table

Device        IP Address
IDP (A)       192.168.1.141
IDP (B)       192.168.1.142
IDP (C)       192.168.1.143
IDP (D)       192.168.1.144
IDP (E)       192.168.1.145
IDP (F)       192.168.1.146
Servers/PC    192.168.2.5-10
LAN1          192.168.1.5-50
LAN2          192.168.1.51-100
WLAN          192.168.1.101-130
Data Center   192.168.1.131-140

Purpose:
IDP (A): Since network devices may also have vulnerabilities, once the firewall device at the gateway is compromised, the protected networks are also endangered.
Setup IP address of IDP (A, B, C, D, E, F)

1. Configure each IDP device’s IP address. Since IDP is a bridge device, it has only one IP address, which is used for management; IDP also uses this IP address to update signatures and to send system logs through syslog/E-mail/FTP. To configure the system IP address of an IDP device, users can choose one of two methods.

- Through Console
1. Make sure the baud rate/data/parity/stop/flow control settings are as below.
2.
3.
1. Connect one PC to IDP’s management port with a crossover Ethernet cable. Make sure the MGMT port light is on.
2. Go to Start->Settings->Network and Dial-up Connections, and select the Ethernet connection you are connecting to the IDP device.
3. Change the PC’s IP address to 192.168.1.5, subnet mask = 255.255.255.0, from Properties.
4. Log into IDP’s WEB GUI via browser.

7 All contents copyright (c) 2004 ZyXEL Communications Corporation.
5. Go to SYSTEM->General->Device and input IDP (A)’s IP address, subnet mask, default gateway, and DNS server’s IP address.
6. Repeat steps 1-5 to configure IDP (B, C, D, E, F) according to the IP address assignment table.
Connect the MGMT/LAN/WAN ports of all IDP devices to the network according to the deployment topology (192.168.1.0/24).
Log into IDP (A, E)’s WEB GUI and go to SYSTEM->INTERFACE->Policy Check. Then enable policy checking on the WAN port of IDP (A, E).
Log into IDP (B, C, D)’s WEB GUI and go to SYSTEM->INTERFACE->Policy Check. Then enable policy checking on the WAN and LAN ports of IDP (A).
Log into IDP (F)’s WEB GUI and go to SYSTEM->INTERFACE->Policy Check. Then enable policy checking on the LAN port of IDP (F).
Register ZyWALL IDP

ZyWALL IDP comes with a “pre-defined” policy set, which requires a subscription and can be updated on a regular basis. Having an up-to-date policy set is essential as new attack types evolve.
1. A “Device License Key” card is included in the ZyWALL IDP package for a one-year free subscription.
2. Go to the ZyXEL Communications online services center: http://www.myZyXEL.com.
3. If you do not have an account on myZyXEL.com, you need to create one. Please follow the instructions on myZyXEL.com; we skip the description of the detailed procedure in this article. If you run into trouble in this step, please contact ZyXEL support.
4. Log into myZyXEL.com using your account. “Click here” to register ZyWALL IDP.
5. Press the Add button to add the ZyWALL IDP you have.
6. In this step you need to enter the Serial Number, Authentication Code (MAC address), and a Friendly Name for your product. You can find the serial number and MAC address at the bottom of your device.
7. Input the date you purchased the product and the purpose of the purchase.
8. You will get a success message. Then press the Continue button.
9. From ZyWALL IDP’s Applicable Service List, you will have a service "IDP Signature Update" available. Click Activate.
10. Enter the license key from the “Device License Key” card. Then press the Submit button.
11. After clicking the Submit button, you will get an “Activation Key” and a “Service Set Key”. An email with these keys will be sent to your email address as well.
12. You can copy & paste the “Activation Key” into ZyWALL IDP’s Registration page.
Firmware Upgrade

1. Under Maintenance you can find the F/W Upload tab. Click Browse to select the firmware file (.bin) and click the Upload button to start the firmware upload.
2. It may take a few minutes for the firmware upload process to finish. ZyWALL IDP will reboot when the firmware upload is complete.
Signature Update

*Make sure you have registered your ZyWALL IDP before you do the signature update.
To update the pre-defined policy for your ZyWALL IDP, log into ZyWALL IDP via HTTP, go to IDP > Update and enter the Update Server’s domain name (updateidp.zyxel.com).
1. You can click Update Now to force ZyWALL IDP to perform a signature update immediately.
2. Enable “Auto Download & Update” if you want to perform updates during non-peak hours.
Configure User Defined Policy

In this example, we describe the procedure for using a user-defined policy. We take the eMule application as an example. eMule is a P2P file sharing application. In the following description we break down the procedure of how to capture and analyze the eMule traffic pattern, and how to set up a user-defined policy in IDP.
1. Get Ethereal installed on a PC. Ethereal is a freeware packet capturing tool; you can get a free download from http://www.ethereal.com.
2.
4. Start Ethereal packet capturing.
5. Initiate an eMule connection from the internal PC, and reduce unnecessary traffic if possible.
6. Stop packet capturing.
7. Analyze the packets. In Ethereal, you will see 3 sub-windows. The first window displays a summary of each packet in time sequence. In the second window, you can check the parsed details of the selected packet. In the third window, the selected packet is displayed in hexadecimal and ASCII format respectively.
8. Count the TCP offset and the length of “http://emule-project.net”.
9. Create the user-defined policy in IDP. Log into IDP’s WEB GUI and go to IDP->User-defined. We’ll create a user-defined policy for the TCP protocol with offset = 38 bytes and matching depth = 24 bytes. Please note that the starting point of the offset depends on which protocol you select. For the TCP (UDP/ICMP) protocol, the offset starts from the beginning of the TCP (UDP/ICMP) payload; the IP and TCP (UDP/ICMP) headers are not included.
After clicking the Apply button, we get the summary of the user-defined policy.
IDP FAQ

What is HIDS?
Host intrusion detection systems are intrusion detection systems that are installed locally on host machines. This makes HIDS a very versatile system compared to NIDS. HIDS can be installed on many different types (roles) of machines, namely servers, workstations and notebook computers. This gives an organization an edge where an NIDS would fail, such as when it has to reach a segment beyond NIDS capability.
Is IDP able to investigate VPN traffic?
No. VPN traffic is encrypted and IDP is not able to decrypt it, so it cannot investigate VPN packets.

Product FAQ

What is ZyWALL IDP10?
ZyWALL IDP10 functions as a plug-and-play bridge device that filters malicious traffic before it can attack your networks. With continuous signature updates, users are protected from network-based intrusions.
crash?
ZyWALL IDP 10 does not support hardware bypass, so if your ZyWALL IDP 10 loses power or crashes, you will need to either replace it or take it off the network immediately.

If I forget IDP’s password, how do I reset the password to default?
The default IDP user name/password is “admin/1234”. Customers can modify the default user name/password for security reasons.
9600bps baud rate
N81 data format (No Parity, 8 data bits, 1 stop bit)
The baud rate of IDP10 is unchangeable.

How to troubleshoot false positive and false negative cases?
Please capture the problematic packets through the following steps and send the packet trace back to ZyXEL support. The capturing can be done as follows:
1. Prepare a PC with packet capturing software. (Go to http://www.ethereal.com for a free download.)
2. Calibrate the time on the PC and IDP.
When should I use the VLAN Tag function?
A Virtual LAN is a group of network devices (PC, router, etc.) that behave as if they are connected to the same wire even though they may actually be physically located on different segments of a LAN. If the computer you use to manage ZyWALL IDP is in a LAN with VLAN ID 3, you must configure your ZyWALL IDP with VLAN ID 3.
Select Maintenance from the menu, and click the Restart tab. Click the Restart button to restart your ZyWALL IDP. It may take a few minutes before you can access the device again.
Console: Log in using admin/1234 and type the command “reboot” to restart your device.
What does "Stealth" mean, and why would I need it?
When you enable Stealth mode on an interface (WAN/LAN/MGMT), that interface will not respond to any type of traffic intended for it; for example, it will not respond to an ICMP echo request. Before a hacker/cracker could infiltrate your network, the hacker/cracker would need to take down your ZyWALL IDP before attacking your internal network. Configure your ZyWALL IDP’s interfaces in Stealth mode so that a hacker/cracker would not be able to attack it.
What's a Pre-defined signature?
Pre-defined signatures are signatures created by the ZyXEL Security Response Team (ZSRT). These signatures are attack patterns or misuse network behavior researched and studied by ZSRT, then compiled into a “pre-defined” policy set available for update.

Why should I update signatures?
Intrusion detection is much like virus protection; an IDP system that hasn’t been updated for a year will miss common new attacks.
And you should make sure your ZyWALL IDP 10 has updated its policy to the latest version. Go to WEB Interface->Home.

I can’t download the latest policy from the update server. How can I fix the problem?
We recommend that users update the policy and send E-mail reports or syslogs through ZyWALL IDP10’s MGMT port (management port). Please make sure your ZyWALL IDP10 can reach the Internet through the MGMT port.
stealth mode on the WAN (or LAN) interface. Additionally, since ZyWALL IDP10 downloads the latest policies periodically from the update server (updateidp.zyxel.com), the DNS server should be configured correctly on ZyWALL IDP10 (SYSTEM/GENERAL/Device/DNS Server).

How many User-defined policies can I have on ZyWALL IDP 10?
You can create up to 128 User-defined policies on a ZyWALL IDP 10.
What’s “Drop” and “Block Connection” for the Action of a User Defined Policy?
The “Drop” action silently drops the traffic that matches the defined policy, so the sender does not get any response or error/warning message about the action. “Block Connection” is for TCP traffic only, since UDP is a connectionless protocol. When users choose to block the connection that matches the defined policy, the device sends a TCP Reset to both ends of the TCP connection.
created to check the Outgoing direction, it is applied on the LAN interface. When a policy is set Bi-directional, it is applied on both the WAN and LAN interfaces.

How to decide which Interface should be applied for policy check?
Users can set up policy check from WEB GUI/SYSTEM/INTERFACE/Policy Check. Policy check acts as a switch to enable or disable the checking mechanism on the WAN or LAN port. A policy is bound to either the WAN or LAN interface based on the direction defined during setup.
If the IDP is placed at the entry point of a Wireless LAN network, we recommend that you apply policy check on the WAN interface, due to the lack of security protection in a Wireless LAN.

In a User-defined policy, what is the meaning of Matching Offset and Matching Depth?
Matching Offset defines the payload start point. If the Protocol type is IP, the matching starting point is at the end of the layer-3 header; otherwise, matching starts from the end of the layer-4 header.
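The offset/depth rule in this answer and the eMule procedure earlier (offset = 38, depth = 24 for a TCP policy) can be checked with the following added Python example, which is not part of ZyXEL's notes and does not use any IDP format or API. It builds a constructed IPv4/TCP packet whose payload carries the 24-byte string at payload offset 38, counts the offset and length the way step 8 of the procedure asks, and then evaluates the policy from both starting points the answer describes: the end of the layer-4 header for TCP/UDP/ICMP policies and the end of the layer-3 header for an IP policy. The HTTP-style wrapper around the string, the policy dictionary layout and all function names are assumptions made for this illustration.

```python
import socket
import struct

# Constructed sample: a TCP payload in which the 24-byte string sits at
# payload offset 38, mirroring the offset=38 / depth=24 policy in the notes.
# The HTTP-style wrapper is invented for this illustration, not real eMule traffic.
CONTENT = b"http://emule-project.net"
SAMPLE_PAYLOAD = b"GET /server.met HTTP/1.1\r\nUser-Agent: " + CONTENT + b"\r\n\r\n"

# Hypothetical policy layout (assumption, not the IDP's own format).
EMULE_POLICY = {"protocol": "TCP", "offset": 38, "depth": 24, "content": CONTENT}

IPPROTO = {"TCP": 6, "UDP": 17, "ICMP": 1}


def build_ipv4_tcp_packet(payload, src="192.168.1.20", dst="192.168.2.5",
                          sport=3456, dport=4661):
    """Constructed IPv4+TCP packet: 20-byte IP header (IHL=5) and 20-byte TCP
    header (data offset=5). Checksums are left at zero; the matcher ignores them."""
    total_len = 20 + 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                         64, IPPROTO["TCP"], 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    # seq=1, ack=1, data offset 5 words, flags PSH|ACK, window, checksum, urgent
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18,
                          65535, 0, 0)
    return ip_hdr + tcp_hdr + payload


def l4_payload_start(packet):
    """Return (IP protocol number, index of the first layer-4 payload byte)."""
    ihl = (packet[0] & 0x0F) * 4                  # IPv4 header length from IHL
    proto = packet[9]
    if proto == IPPROTO["TCP"]:
        data_offset = (packet[ihl + 12] >> 4) * 4  # TCP header length incl. options
        return proto, ihl + data_offset
    if proto in (IPPROTO["UDP"], IPPROTO["ICMP"]):
        return proto, ihl + 8                      # fixed 8-byte headers
    return proto, ihl


def matching_start(packet, policy_protocol):
    """Where a policy's offset 0 lies, as the notes state: end of the layer-3
    header for an IP policy, end of the layer-4 header for TCP/UDP/ICMP policies.
    Returns None when the packet does not carry the policy's protocol."""
    ihl = (packet[0] & 0x0F) * 4
    if policy_protocol == "IP":
        return ihl
    proto, start = l4_payload_start(packet)
    if proto != IPPROTO[policy_protocol]:
        return None
    return start


def policy_matches(packet, policy):
    """True when the content lies entirely inside the window
    [offset, offset + depth) measured from the protocol's starting point."""
    start = matching_start(packet, policy["protocol"])
    if start is None:
        return False
    lo = start + policy["offset"]
    window = packet[lo: lo + policy["depth"]]
    return policy["content"] in window


def derive_offset_and_depth(payload, content):
    """Step 8 of the procedure: count where the string begins in the layer-4
    payload and how long it is. Returns (offset, depth) or None if absent."""
    idx = payload.find(content)
    if idx < 0:
        return None
    return idx, len(content)


SAMPLE_PACKET = build_ipv4_tcp_packet(SAMPLE_PAYLOAD)

if __name__ == "__main__":
    print("offset/depth:", derive_offset_and_depth(SAMPLE_PAYLOAD, CONTENT))
    print("TCP policy matches:", policy_matches(SAMPLE_PACKET, EMULE_POLICY))
    # The same offset under an IP policy starts 20 bytes earlier and misses.
    print("IP policy matches:",
          policy_matches(SAMPLE_PACKET, dict(EMULE_POLICY, protocol="IP")))
```

Two things the run makes concrete: a depth smaller than the content length (23 here) never matches, so depth must cover the whole string; and a policy tuned for TCP cannot be switched to the IP protocol type without adding the layer-4 header length to the offset, because offset 0 moves to the end of the IP header.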
What’s the priority between Pre-defined policy and User-defined policy?
The User-defined policies are always checked before the Pre-defined policies.

Trouble Shooting

In this part we’ll introduce the steps to troubleshoot when problems occur at the customer side.

Unable to Run Applications
Step1. First of all, please switch your IDP to Monitor state and click Apply.
Step2. Try the application again. If it’s still unable to run, then the problem should have nothing to do with IDP 10.
Step4. Search for this policy by the Policy ID in IDP>>Pre-defined>>Policy Search.
Step5. Under the search result, please change the Action taken to Log ONLY and click Apply.
Step6. Switch your IDP back to Inline state and activate the changes by clicking Apply. Then try to run the application again.
Step7. Finally, it should be able to run now. If possible, please provide us with the application’s name & version, the policy ID, and system information including IDP 10’s firmware version and policy version; it will be a great help for us to trace the root cause.
Step8. If it is still unable to run, then please repeat steps 3, 4, 5 until you identify and correct this False Positive policy.
stateful               Enable/disable TCP state check
integrity
tcptimeout             Setup TCP idle timeout
pinglen                Setup maximum ping length
pingmax                Setup maximum ping packet number per second
    wan                Setup maximum ping packet accepted at wan port
    lan                Setup maximum ping packet accepted at lan port
policy
    wan                Setup policy check on/off wan port
    lan                Setup policy check on/off lan port
interface link wan 10  Setup wan port speed
        off        Disable remote SSH access
        acl        Setup access control list ip address
web     on         Enable remote web access from
        off        Disable remote web access
        acl        Setup access control list ip address
get     state      Get system state
        log        Get device log
        system     Get system information
        time       Get device time
        interface  Get interface information
        all        Get all information
        remote     Get remote access information
Debug mode CLI Command

Command                    Description
set     system  ip         Setup device temporary ip address in the debug mode
                mask       Setup device temporary ip mask in the debug mode
                gateway    Setup device temporary ip gateway in the debug mode
                server     Setup device temporary server ip address in the debug mode
upgrade         tftp       Using TFTP function to upgrade firmware
reboot                     Reboot device
reset                      Reset configuration to factory default