Prestige 312 Broadband Security Gateway User’s Guide Version 3.
P312 Broadband Security Gateway

Prestige 312 Broadband Security Gateway

Copyright

Copyright © 2000 by ZyXEL Communications Corporation. The contents of this publication may not be reproduced in any part or as a whole, transcribed, stored in a retrieval system, translated into any language, or transmitted in any form or by any means, electronic, mechanical, magnetic, optical, chemical, photocopying, manual, or otherwise, without the prior written permission of ZyXEL Communications Corporation.
Federal Communications Commission (FCC) Interference Statement

This device complies with Part 15 of FCC rules. Operation is subject to the following two conditions:
♦ This device may not cause harmful interference.
♦ This device must accept any interference received, including interference that may cause undesired operations.
This equipment has been tested and found to comply with the limits for a CLASS B digital device pursuant to Part 15 of the FCC Rules.
Information for Canadian Users

The Industry Canada label identifies certified equipment. This certification means that the equipment meets certain telecommunications network protective, operational, and safety requirements. Industry Canada does not guarantee that the equipment will operate to a user's satisfaction. Before installing this equipment, users should ensure that it is permissible to be connected to the facilities of the local telecommunications company.
Declaration of Conformity

We, the Manufacturer/Importer, ZyXEL Communications Corp. No. 6, Innovation Rd. II, Science-Based Industrial Park, Hsinchu, Taiwan, 300 R.O.
ZyXEL Limited Warranty

ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials or workmanship for a period of up to two years from the date of purchase.
Customer Support

When you contact your customer support representative please have the following information ready:
♦ Prestige Model and serial number.
♦ Information in Menu 24.2.1 – System Information.
♦ Warranty Information.
♦ Date you received your Prestige.
♦ Brief description of the problem and the steps you took to solve it.

Contact methods:
♦ E-mail (Support): support@zyxel.com.tw, support@europe.zyxel.com
♦ Fax: +886-3-578-3942
♦ FTP Site: www.
Preface

About Your Router

Congratulations on your purchase of the Prestige 312 Broadband Security Gateway. Don’t forget to register your Prestige (fast, easy online registration at www.zyxel.com) for free future product updates and information. The Prestige 312 is a dual Ethernet Broadband Security Gateway integrated with robust firewall solutions and network management features that allows access to the Internet via Cable/ADSL modem or broadband router.
Regardless of your particular application, it is important that you follow the steps outlined in Chapters 1-2 to connect your Prestige to your LAN. You can then refer to the appropriate chapters of the manual, depending on your applications.

Related Documentation
♦ Supporting CD
More detailed information about the Prestige and examples of its use can be found on the included disk (as well as on the zyxel.com web site).
Part I: Getting Started

Chapters 1-3 are structured as a step-by-step guide to help you connect, install and set up your Prestige to operate on your network and access the Internet.
Chapter 1 Getting to Know Your Prestige

This chapter introduces the main features and applications of the Prestige.

1.1 The Prestige 312 Broadband Security Gateway

The Prestige 312 is a dual Ethernet Broadband Security Gateway integrated with a robust firewall and network management features designed for home offices and small businesses to access the Internet via Cable/ADSL modem or broadband router.
Dynamic DNS Support

With Dynamic DNS support, you can have a static hostname alias for a dynamic IP address, allowing the host to be more easily accessible from various locations on the Internet. You must register with a Dynamic DNS client to use this service.

IP Multicast

Traditionally, IP packets are transmitted in two ways - unicast or broadcast. Multicast is a third way to deliver IP packets to a group of hosts.
not choose a time service protocol that your timeserver will send when the Prestige powers up you can enter the time manually, but each time the system is booted, the time & date will be reset to 1/1/1970 0:0:0.

Logging and Tracing

The Prestige has the following features:
♦ Built-in message logging and packet tracing.
♦ Unix syslog facility support.

Upgrade Prestige Firmware via LAN

The firmware of the Prestige 312 can be upgraded via the LAN.
Figure 1-2 Secure Internet Access via DSL

You can also use your xDSL modem in bridge mode for always-on Internet access and high speed data transfer.
Chapter 2 Hardware Installation & Initial Setup

This chapter shows you how to connect the hardware and perform the initial setup.

2.1 Front Panel LEDs and Back Panel Ports

2.1.1 Front Panel LEDs

The LEDs on the front panel indicate the operational status of the Prestige.
Table 2-1 LED functions (continued)

LED    Function   Indicator   Status     Description
                              Flashing   The 100M LAN is sending/receiving packets.
WAN    Active     Green       Off        The WAN Link is not ready, or has failed.
                              On         The WAN Link is ok.
                              Flashing   The 10M WAN link is sending/receiving packets.

2.2 Prestige 312 Rear Panel and Connections

The following figure shows the rear panel of your Prestige 312 and the connection diagram.
connector on the back of the cable modem. Connect an xDSL Modem to the xDSL Wall Jack. Please also see Appendix C for important safety instructions on making connections to the Prestige.

Step 1. Connecting the Console Port

For the initial configuration of your Prestige, you need to use terminal emulator software on a workstation and connect it to the Prestige through the console port.
♦ 9600 Baud.
♦ No parity, 8 Data bits, 1 Stop bit, Flow Control set to None.
3. A cable/xDSL modem and an ISP account.

After the Prestige is properly set up, you can make future changes to the configuration through telnet connections.

2.4 Housing

Your Prestige's ventilated housing has clip-out legs that fit snugly into grooves, enabling compact, sturdy stacking with airflow between routers. You should not stack more than 4 routers for maximum stability.

2.
  Enter Password : XXXX

Figure 2-4 Password Screen

2.6 Navigating the SMT Interface

The SMT (System Management Terminal) is the interface that you use to configure your Prestige. Several operations that you should be familiar with before you attempt to modify the configuration are listed in the table below.
2.6.1 Main Menu

After you enter the password, the SMT displays the Prestige 312 Main Menu, as shown below.

  Copyright (c) 1994 - 2000 ZyXEL Communications Corp.

                        Prestige 312 Main Menu

  Getting Started                      Advanced Management
    1. General Setup                     21. Filter and Firewall Setup
    2. WAN Setup                         22. SNMP Configuration
    3. LAN Setup                         23. System Password
    4. Internet Access Setup             24. System Maintenance
                                         26.
  Advanced Applications
    11. Remote Node Setup
    12. Static Routing Setup
    15. NAT Setup
    99. Exit

To exit from SMT and return to a blank screen.

2.7 Changing the System Password

The first thing you should do before anything else is to change the default system password by following the steps below.

Step 1. Enter 23 in the Main Menu to open Menu 23 - System Password as shown below.

  Menu 23 - System Password

    Old Password= ?
    New Password= ?
    Retype to confirm= ?

    Enter here to CONFIRM or ESC to CANCEL:

Figure 2-6 Menu 23 - System Security

Step 2.
2.8 General Setup

Menu 1 - General Setup contains administrative and system-related information. The fields for General Setup are as shown next.

System Name is for identification purposes. However, because some ISPs check this name you should enter your PC’s “Computer Name” (Start -> Settings -> Control Panel -> Network. Click the Identification tab, note the entry for the “Computer name” field). It is the domain name that will be propagated to the DHCP clients on the LAN.
Table 2-4 General Setup Menu Fields

Field: System Name
Description: Choose a descriptive name for identification purposes. It is recommended you enter your computer’s “Computer name” in this field. This name can be up to 30 alphanumeric characters long. Spaces are not allowed, but dashes “-” and underscores "_" are accepted.
Example: P312

Field: Domain Name
Description: Enter the domain name (if you know it) here. If you leave this field blank, the ISP may assign a domain name via DHCP.
Table 2-5 Configure Dynamic DNS Menu Fields

Field: Service Provider
Description: Enter the name of your Dynamic DNS client.
Example: www.ddns.org

Field: Active
Description: Press [SPACE BAR] to toggle between Yes or No.

Field: Host
Description: Enter the domain name assigned to your Prestige by your Dynamic DNS provider.

Field: EMAIL
Description: Enter your e-mail address.

Field: User
Description: Enter your user name.

Field: Password
Description: Enter the password assigned to you.

Field: Enable Wildcard
Description: Your Prestige supports DYNDNS Wildcard.
  Menu 2 - WAN Setup

    MAC Address:
      Assigned By= IP address attached on LAN
      IP Address= 192.168.1.12

    Press ENTER to Confirm or ESC to Cancel:
  Press Space Bar to Toggle

Figure 2-9 Menu 2 – WAN Setup

The MAC address field allows users to configure the WAN port's MAC Address either by using the factory default or by cloning the MAC address of a workstation on your LAN. Once it is successfully configured, the address will be copied to the rom file (ZyNOS configuration file).
  Menu 3 - LAN Setup

    1. LAN Port Filter Setup
    2. TCP/IP and DHCP Setup

    Enter Menu Selection Number:

Figure 2-10 Menu 3 - LAN Setup

2.10.1 LAN Port Filter Setup

This menu allows you to specify the filter sets that you wish to apply to the LAN traffic. You seldom need to filter the LAN traffic; however, the filter sets may be useful to block certain packets, reduce traffic and prevent security breaches.

Menu 3.
Chapter 3 Internet Access

This chapter shows you how to configure the LAN as well as the WAN of your Prestige for Internet access.

3.1 TCP/IP and DHCP for LAN

The Prestige has built-in DHCP server capability that assigns IP addresses and DNS servers to systems that support DHCP client capability.

3.1.1 Factory LAN Defaults

The LAN parameters of the Prestige are preset in the factory with the following values:
1. IP address of 192.168.1.1 with subnet mask of 255.255.255.
The subnet mask specifies the network number portion of an IP address. Your Prestige will compute the subnet mask automatically based on the IP address that you entered. You don’t need to change the subnet mask computed by the Prestige unless you are instructed to do otherwise.

3.1.3 Private IP Addresses

Every machine on the Internet must have a unique address. If your networks are isolated from the Internet, e.g.
3.1.5 DHCP Configuration

DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows the individual clients (workstations) to obtain the TCP/IP configuration at start-up from a server. You can configure the Prestige as a DHCP server or disable it. When configured as a server, the Prestige provides the TCP/IP configuration for the clients.
The address 224.0.0.1 is used for query messages and is assigned to the permanent group of all IP hosts (including gateways). All hosts must join the 224.0.0.1 group in order to participate in IGMP. The address 224.0.0.2 is assigned to the multicast routers group. The Prestige supports both IGMP version 1 (IGMP-v1) and IGMP version 2 (IGMP-v2). At start up, the Prestige queries all directly connected networks to gather group membership.
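The IGMP messages described above (queries to 224.0.0.1, reports to the group, and the v1/v2 distinction) can be inspected with a small decoder. The following Python script is an added example written for this page; it is not ZyXEL code and does not show how ZyNOS implements IGMP. It encodes and decodes the 8-byte IGMPv1/v2 message, verifies the Internet checksum, classifies the version (a Membership Query with a Max Response Time of 0 is IGMPv1, the v2 report/leave types are 0x16/0x17), and reports which address the message is addressed to on the wire. The sample messages are constructed inside the script.

```python
import socket
import struct

# IGMPv1/v2 message types (RFC 1112 and RFC 2236).
IGMP_TYPES = {
    0x11: "Membership Query",
    0x12: "IGMPv1 Membership Report",
    0x16: "IGMPv2 Membership Report",
    0x17: "IGMPv2 Leave Group",
}
ALL_HOSTS = "224.0.0.1"     # permanent group of all IP hosts: general queries go here
ALL_ROUTERS = "224.0.0.2"   # multicast routers group: v2 Leave messages go here


def inet_checksum(data):
    """Standard Internet (ones'-complement) checksum over the given bytes."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_igmp(msg_type, group, max_resp_time=0):
    """Encode an 8-byte IGMPv1/v2 message with a valid checksum."""
    addr = socket.inet_aton(group)
    unchecked = struct.pack("!BBH4s", msg_type, max_resp_time, 0, addr)
    return struct.pack("!BBH4s", msg_type, max_resp_time, inet_checksum(unchecked), addr)


def parse_igmp(pkt):
    """Decode an IGMP message, verify its checksum and classify its version.

    Returns a dict; raises ValueError on truncated, corrupt or unknown messages.
    """
    if len(pkt) < 8:
        raise ValueError("IGMP message shorter than 8 bytes")
    header = pkt[:8]
    # A correct checksum makes the ones'-complement sum of the header come out as 0.
    if inet_checksum(header) != 0:
        raise ValueError("IGMP checksum mismatch")
    msg_type, max_resp, _, raw_group = struct.unpack("!BBH4s", header)
    if msg_type not in IGMP_TYPES:
        raise ValueError("unknown IGMP type 0x%02x" % msg_type)
    group = socket.inet_ntoa(raw_group)
    # A query with Max Response Time 0 is IGMPv1; v2 queriers always send a non-zero value.
    if msg_type == 0x11:
        version = 1 if max_resp == 0 else 2
    elif msg_type == 0x12:
        version = 1
    else:
        version = 2
    # Where each message type is addressed on the wire.
    if msg_type == 0x11:
        destination = ALL_HOSTS if group == "0.0.0.0" else group  # general vs group-specific query
    elif msg_type == 0x17:
        destination = ALL_ROUTERS
    else:
        destination = group                                        # reports go to the group itself
    return {
        "type": IGMP_TYPES[msg_type],
        "version": version,
        "group": group,
        "max_resp_time_tenths": max_resp,
        "destination": destination,
    }


if __name__ == "__main__":
    # Constructed samples: a v2 general query, a v2 report and a v2 leave for 239.1.2.3.
    for msg in (build_igmp(0x11, "0.0.0.0", 100),
                build_igmp(0x16, "239.1.2.3"),
                build_igmp(0x17, "239.1.2.3")):
        print(parse_igmp(msg))
```

The checksum check is the part worth keeping when you look at captured multicast traffic: a message that fails it should be treated as noise rather than as a membership change.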
  Menu 3 – LAN Setup

    1. LAN Port Filter Setup
    2. TCP/IP and DHCP Setup

    Enter Menu Selection Number:

Figure 3-3 Menu 3 - LAN Setup (10/100 Mbps Ethernet)

To edit the TCP/IP and DHCP configuration, enter 2 to open Menu 3.2 - TCP/IP and DHCP Ethernet Setup as shown next.

  Menu 3.2 - TCP/IP and DHCP Ethernet Setup

    DHCP Setup:
      DHCP= Server
      Client IP Pool Starting Address= 192.168.1.33
      Size of Client IP Pool= 32
      Primary DNS Server= 0.0.0.0
      Secondary DNS Server= 0.0.0.
Follow the instructions in the following table on how to configure the DHCP fields.

Table 3-1 LAN DHCP Setup Menu Fields

Field: DHCP=
Description: This field enables/disables the DHCP server. If it is set to Server, your Prestige will act as a DHCP server. If set to None, DHCP service will be disabled and you must have another DHCP server on your LAN, or else the workstation must be manually configured.
Example: Server (default), None
Field: Edit IP Alias
Description: The Prestige supports three logical LAN interfaces via its single physical Ethernet interface with the Prestige itself as the gateway for each LAN network. Press the space bar to toggle No to Yes, then press [ENTER] to bring you to menu 3.2.1.
Example: No (default), Yes

When you have completed this menu, press [Enter] at the prompt [Press ENTER to Confirm…] to save your configuration, or press [Esc] at any time to cancel.

3.2.
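The LAN settings from sections 3.1.1 through 3.2 (LAN address, automatically computed subnet mask, private addressing, and the DHCP client pool) can be sanity-checked before you confirm Menu 3.2. The following Python script is an added example written for this page, not ZyXEL code: it derives the default mask from the address alone (the classful A/B/C rule used here is an assumption about how the Prestige computes it), tests whether an address falls in an RFC 1918 private block, and verifies that a client pool given as a starting address and size fits inside the LAN subnet without covering the network, broadcast or gateway address. The sample values are constructed and mirror the factory defaults shown above.

```python
import ipaddress

# RFC 1918 private address blocks (the ranges section 3.1.3 refers to).
RFC1918_BLOCKS = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classful_mask(ip):
    """Default subnet mask derived from the address alone.

    The manual says the Prestige computes the mask from the IP you enter;
    the classful A/B/C rule applied here is an assumption about how it does so.
    """
    first_octet = int(ipaddress.IPv4Address(ip)) >> 24
    if first_octet < 128:
        return "255.0.0.0"        # class A
    if first_octet < 192:
        return "255.255.0.0"      # class B
    if first_octet < 224:
        return "255.255.255.0"    # class C
    raise ValueError("%s is not a class A, B or C unicast address" % ip)


def is_rfc1918(ip):
    """True if the address belongs to one of the RFC 1918 private blocks."""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in block for block in RFC1918_BLOCKS)


def check_dhcp_pool(lan_ip, mask, pool_start, pool_size):
    """Validate a Menu 3.2 DHCP client pool against the LAN subnet.

    Returns a list of problems; an empty list means the pool is usable.
    """
    net = ipaddress.ip_network("%s/%s" % (lan_ip, mask), strict=False)
    gateway = ipaddress.IPv4Address(lan_ip)
    start = ipaddress.IPv4Address(pool_start)
    end = start + (pool_size - 1)          # last address handed out from the pool
    problems = []
    if start not in net or end not in net:
        problems.append("pool extends outside the LAN subnet")
    if start <= net.network_address <= end or start <= net.broadcast_address <= end:
        problems.append("pool includes the network or broadcast address")
    if start <= gateway <= end:
        problems.append("pool includes the Prestige's own LAN address")
    return problems


if __name__ == "__main__":
    # Constructed sample: the factory defaults from sections 3.1.1 and 3.2.
    lan_ip = "192.168.1.1"
    mask = classful_mask(lan_ip)
    print("LAN", lan_ip, "mask", mask, "private:", is_rfc1918(lan_ip))
    print("pool 192.168.1.33 x32:", check_dhcp_pool(lan_ip, mask, "192.168.1.33", 32) or "ok")
    # A pool that runs past the end of the /24 is reported.
    print("pool 192.168.1.240 x32:", check_dhcp_pool(lan_ip, mask, "192.168.1.240", 32))
```

Run the script as-is to see the default pool pass and the oversized pool fail; substitute your own LAN address and pool values to check a non-default layout.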
Field: RIP Direction
Description: Press the space bar to select the RIP direction from None, Both, In Only or Out Only.
Example: None

Field: Version
Description: Press the space bar to select the RIP version from RIP-1, RIP-2B or RIP-2M.
Example: RIP-1

Field: Incoming Protocol Filters
Description: Enter the filter set(s) you wish to apply to the incoming traffic between this node and the Prestige.

Field: Outgoing Protocol Filters
Description: Enter the filter set(s) you wish to apply to the outgoing traffic between this node and the Prestige.
The following table describes this screen.

Table 3-4 Internet Access Setup Menu Fields

Field: ISP’s Name
Description: Enter the name of your Internet Service Provider, e.g., myISP. This information is for identification purposes only.

Field: Encapsulation
Description: Press the [SPACE BAR] and then press [ENTER] to choose Ethernet. The encapsulation method influences your choices for IP Address.
3.3.3 Configuring the PPTP Client

To configure a PPTP client, you must configure the My Login and Password fields for a PPP connection and the PPTP parameters for a PPTP connection. After configuring the User Name and Password for the PPP connection, press [SPACE BAR] in the Encapsulation field in Menu 4 - Internet Access Setup to choose PPTP as your encapsulation option. This brings up the following screen.
For the service provider, PPPoE offers an access and authentication method that works with existing access control systems (e.g., Radius). For the user, PPPoE provides a login & authentication method that the existing Microsoft Dial-Up Networking software can activate, and therefore requires no new learning or procedures for Windows users.
Table 3-6 New Fields in Menu 4 (PPPoE) screen

Field: Encapsulation
Description: Press the [SPACE BAR] and then press [ENTER] to choose PPPoE. The encapsulation method influences your choices for IP Address.

Field: PPPoE Service Name
Description: Enter the PPPoE service name provided to you. PPPoE uses a service name to identify and reach the PPPoE server.
Part II: Advanced Applications

Advanced Applications (Chapters 4-6) describes the advanced applications of your Prestige, such as Remote Node Setup, IP Static Routes and NAT.
Chapter 4 Remote Node Setup

This chapter shows you how to configure a remote node. A remote node is required for placing calls to a remote gateway. A remote node represents both the remote gateway and the network behind it across a WAN connection. Note that when you use Menu 4 to set up Internet access, you are actually configuring a remote node. We will show you how to configure Menu 11.1 - Remote Node Profile, Menu 11.3 - Remote Node Network Layer Options and Menu 11.
Table 4-1 Fields in Menu 11.1

Field: Rem Node Name
Description: Enter a descriptive name for the remote node. This field can be up to eight characters.
Example: LAoffice

Field: Active
Description: Press the [SPACE BAR] to toggle between Yes and No to activate (deactivate) the remote node.
Example: Yes

Field: Encapsulation
Description: Ethernet is the default encapsulation. Press the [SPACE BAR] if you wish to change to PPPoE encapsulation.
4.1.2 PPPoE Encapsulation

The Prestige supports PPPoE (Point-to-Point Protocol over Ethernet). You can only use PPPoE encapsulation when you’re using the Prestige with an xDSL modem as the WAN device. If you change the Encapsulation to PPPoE, then you will see the next screen. Please see the Appendices for more information on PPPoE.

Menu 11.
Table 4-2 Fields in Menu 11.1 (PPPoE Encapsulation Specific)

Field: Authen
Description: This field sets the authentication protocol used for outgoing calls. Options for this field are:
♦ CHAP/PAP - Your Prestige will accept either CHAP or PAP when requested by this remote node.
♦ CHAP - accept CHAP only.
♦ PAP - accept PAP only.
Example: CHAP/PAP

Field: Telco Option: Allocated Budget
Description: This field sets a ceiling for outgoing call time for this remote node.
4.2 Editing TCP/IP Options (with Ethernet Encapsulation)

Move the cursor to the Edit IP field in Menu 11.1, then press the [SPACE BAR] to toggle and set the value to Yes. Press [Enter] to open Menu 11.3 - Network Layer Options.

Menu 11.
between 1 and 15. In practice, 2 or 3 is usually a good number.

Field: Private
Description: This field is valid only for PPTP/PPPoE encapsulation. This parameter determines if the Prestige will include the route to this remote node in its RIP broadcasts. If set to Yes, this route is kept private and not included in RIP broadcasts. If No, the route to this remote node will be propagated to other hosts through RIP broadcasts.
  Menu 11.3 - Remote Node Network Layer Options

    IP Address Assignment= Dynamic
    Rem IP Address= N/A
    Rem Subnet Mask= N/A
    My WAN Addr= 0.0.0.0
    Network Address Translation= Full Feature
    Metric= 1
    Private= No
    RIP Direction= None
      Version= N/A
    Multicast= None

    Enter here to CONFIRM or ESC to CANCEL:
  Press Space Bar to Toggle.

Figure 4-5 Remote Node Network Layer Options

The next table gives you instructions about configuring remote node network layer options.
between 1 and 15. In practice, 2 or 3 is usually a good number.

Field: Private
Description: This parameter determines if the Prestige will include the route to this remote node in its RIP broadcasts. If set to Yes, this route is kept private and not included in RIP broadcasts. If No, the route to this remote node will be propagated to other hosts through RIP broadcasts.

Field: RIP
Description: Press the [SPACE BAR] to select the RIP direction from Both, None, In Only or Out Only.
  Menu 11.5 - Remote Node Filter

    Input Filter Sets:
      protocol filters= 3
      device filters=
    Output Filter Sets:
      protocol filters= 1
      device filters=

    Enter here to CONFIRM or ESC to CANCEL:

Figure 4-6 Remote Node Filter (Ethernet Encapsulation)

Menu 11.
Chapter 5 IP Static Route Setup

This chapter shows you how to configure static routes with your Prestige. Static routes tell the Prestige routing information that it cannot learn automatically through other means. This can arise in cases where RIP is disabled on the LAN. Each remote node specifies only the network to which the gateway is directly connected, and the Prestige has no knowledge of the networks beyond.
5.1 IP Static Route Setup

You configure IP static routes in Menu 12.1, by selecting one of the IP static routes as shown below. Enter 12 from the Main Menu.

  Menu 12 - IP Static Route Setup

    1. ________
    2. ________
    3. ________
    4. ________
    5. ________
    6. ________
    7. ________
    8. ________

    Enter selection number:

Figure 5-2 Menu 12 - IP Static Route Setup

Now, enter the index number of one of the static routes you want to configure.

Menu 12.
Table 5-1 IP Static Route Menu Fields

Field: Route #
Description: This is the index number of the static route that you chose in Menu 12.

Field: Route Name
Description: Enter a descriptive name for this route. This is for identification purposes only.

Field: Active
Description: This field allows you to activate/deactivate this static route.

Field: Destination IP Address
Description: This parameter specifies the IP network address of the final destination. Routing is always based on network number.
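To make the route selection described in this chapter concrete ("routing is always based on network number", and the Prestige knows nothing about networks beyond a directly connected gateway unless a static route tells it), here is an added Python example written for this page. It is not ZyXEL code and does not reproduce the ZyNOS routing table; it models a table of entries with the Menu 12.1 fields (Route Name, Active, Destination IP Address, subnet mask, gateway, metric) and picks a route by longest prefix match, using the metric only to break ties. The route entries are constructed: the Prestige's own LAN, a default route to the ISP, and one static route to a network behind a second router on the LAN; the deactivated "old-branch" entry shows that a route with Active set to No is ignored.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class StaticRoute:
    name: str            # Route Name (identification only)
    destination: str     # Destination IP Address (a network number)
    mask: str            # IP Subnet Mask
    gateway: str         # next hop; "direct" marks a directly connected network
    metric: int = 1
    active: bool = True


def route_network(route):
    """Network covered by a route; strict=False tolerates host bits set in the destination field."""
    return ipaddress.ip_network("%s/%s" % (route.destination, route.mask), strict=False)


def select_route(routes, dst_ip):
    """Longest-prefix match over the active routes; a lower metric breaks ties.

    Returns the winning StaticRoute, or None if no route covers the destination.
    """
    addr = ipaddress.IPv4Address(dst_ip)
    best, best_net = None, None
    for r in routes:
        if not r.active:
            continue                       # Active= No: the entry is kept but never used
        net = route_network(r)
        if addr not in net:
            continue                       # destination is not inside this network number
        if (best is None or net.prefixlen > best_net.prefixlen
                or (net.prefixlen == best_net.prefixlen and r.metric < best.metric)):
            best, best_net = r, net
    return best


# Constructed sample table (not from the manual).
SAMPLE_ROUTES = [
    StaticRoute("lan", "192.168.1.0", "255.255.255.0", "direct"),
    StaticRoute("isp", "0.0.0.0", "0.0.0.0", "10.0.0.1"),
    StaticRoute("branch", "172.16.5.0", "255.255.255.0", "192.168.1.254", metric=2),
    StaticRoute("old-branch", "172.16.5.0", "255.255.255.0", "192.168.1.253", active=False),
]


def next_hop(dst_ip, routes=SAMPLE_ROUTES):
    """Gateway a packet to dst_ip would be sent to; None means it is unroutable."""
    r = select_route(routes, dst_ip)
    return r.gateway if r else None


if __name__ == "__main__":
    for dst in ("172.16.5.7", "192.168.1.50", "8.8.8.8"):
        r = select_route(SAMPLE_ROUTES, dst)
        print(dst, "->", r.name, "via", r.gateway)
```

Without the "branch" entry, traffic for 172.16.5.0/24 would match only the default route and leave through the ISP, which is exactly the situation a static route is meant to correct.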
Chapter 6 Network Address Translation (NAT)

This chapter discusses how to configure NAT on the Prestige.

6.1 Introduction

NAT (Network Address Translation, RFC 1631) is the translation of the IP address of a host in a packet, e.g., the source address of an outgoing packet, used within one network to a different IP address known within another network.

6.1.1 NAT Definitions

Inside/outside denotes where a host is located relative to the Prestige, e.g.
them accessible to the outside world. If you do not define any servers (for Many-to-One and Many-to-Many Overload mapping – see below), NAT offers the additional benefit of firewall protection. If no server is defined in these cases, all incoming inquiries will be filtered out by your Prestige, thus preventing intruders from probing your network. For more information on IP address translation, refer to RFC 1631, The IP Network Address Translator (NAT).

6.1.
2. Many to One: In Many-to-One mode, the Prestige maps multiple local IP addresses to one global IP address. This is equivalent to SUA (i.e., PAT, port address translation), ZyXEL’s Single User Account feature that previous ZyXEL routers supported (the SUA Only option in today’s routers).
3. Many to Many Overload: In Many-to-Many Overload mode, the Prestige maps the multiple local IP addresses to shared global IP addresses.
4.
remote node basis. They are reusable, but only one set is allowed for each remote node. The Prestige supports 2 sets since there is only one remote node. The second set (SUA Only option in Menu 15.1) is a convenient, pre-configured, read only Many-to-1 port mapping set, sufficient for most purposes (see section 6.4 for some examples) and helpful to people already familiar with SUA in previous ZyNOS versions.

6.1.
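The mapping types listed in section 6.1 and the "firewall protection" claim of section 6.1.1 (with no Server rule, unsolicited inbound traffic is filtered out) can be shown with a small translation-table model. The following Python script is an added example written for this page; it is not ZyXEL code and does not reproduce how ZyNOS allocates ports or chooses addresses. It assumes: a rule's global address of 0.0.0.0 stands for the dynamic WAN address (as the SUA set uses), global ports for Many-to-One and Many-to-Many Overload are handed out from a counter, the shared address in an Overload rule is chosen by hashing the local address, One-to-One translates the address only and keeps the port, and an outgoing packet that matches no rule is dropped. The rules, WAN address and packets are constructed.

```python
import ipaddress
from dataclasses import dataclass, field

ANY_START, ANY_END = "0.0.0.0", "255.255.255.255"   # "all local IPs" range from Menu 15.1.1.1


@dataclass
class MappingRule:
    kind: str          # "One-to-One", "Many-to-One", "Many-to-Many Overload" or "Server"
    local_start: str
    local_end: str     # for One-to-One and Server (N/A in the menu) pass local_start again
    global_start: str
    global_end: str


def in_range(ip, start, end):
    a = ipaddress.IPv4Address
    return a(start) <= a(ip) <= a(end)


# The read-only SUA set (Menu 15.1.255) modelled as one Many-to-One rule (assumption).
SUA_SET = [MappingRule("Many-to-One", ANY_START, ANY_END, "0.0.0.0", "0.0.0.0")]


@dataclass
class NatTable:
    rules: list
    wan_ip: str                                    # substituted where a rule says 0.0.0.0 (dynamic)
    sessions: dict = field(default_factory=dict)   # (global_ip, global_port) -> (local_ip, local_port)
    next_port: int = 40000

    def _global(self, ip):
        return self.wan_ip if ip == "0.0.0.0" else ip

    def _alloc_port(self):
        self.next_port += 1
        return self.next_port

    def outbound(self, local_ip, local_port):
        """Translate the source of an outgoing packet; returns (global_ip, global_port) or None."""
        for r in self.rules:
            if r.kind == "Server" or not in_range(local_ip, r.local_start, r.local_end):
                continue
            if r.kind == "One-to-One":
                g_ip, g_port = self._global(r.global_start), local_port     # address only, port kept
            elif r.kind == "Many-to-One":
                g_ip, g_port = self._global(r.global_start), self._alloc_port()
            elif r.kind == "Many-to-Many Overload":
                gs = ipaddress.IPv4Address(self._global(r.global_start))
                ge = ipaddress.IPv4Address(self._global(r.global_end))
                pool = int(ge) - int(gs) + 1
                g_ip = str(gs + int(ipaddress.IPv4Address(local_ip)) % pool)   # pick a shared IGA
                g_port = self._alloc_port()
            else:
                continue
            self.sessions[(g_ip, g_port)] = (local_ip, local_port)
            return g_ip, g_port
        return None                      # no rule covers this host: this model drops the packet

    def inbound(self, global_ip, global_port):
        """Reverse translation for an incoming packet; None means the packet is filtered out."""
        if (global_ip, global_port) in self.sessions:          # reply to a session we opened
            return self.sessions[(global_ip, global_port)]
        for r in self.rules:                                   # otherwise only a Server rule lets it in
            if r.kind == "Server" and self._global(r.global_start) == global_ip:
                return (r.local_start, global_port)
        return None                                            # unsolicited and no server: dropped


if __name__ == "__main__":
    wan = "203.0.113.10"                                       # constructed WAN address
    nat = NatTable(rules=list(SUA_SET), wan_ip=wan)
    g = nat.outbound("192.168.1.33", 51000)
    print("out 192.168.1.33:51000 ->", g)
    print("reply", g, "->", nat.inbound(*g))
    print("unsolicited to", wan, "port 80 ->", nat.inbound(wan, 80))
    with_server = NatTable(rules=SUA_SET + [MappingRule("Server", "192.168.1.40", "192.168.1.40",
                                                        "0.0.0.0", "0.0.0.0")], wan_ip=wan)
    print("with Server rule, port 80 ->", with_server.inbound(wan, 80))
```

The last two lines of output are the point of section 6.1.1: the same inbound packet is dropped under the plain SUA set and forwarded to 192.168.1.40 once a Server rule exists, so every Server rule you add is a deliberate hole in that default protection.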
  Menu 4 - Internet Access Setup

    ISP's Name= ChangeMe
    Encapsulation= Ethernet
    Service Type= Standard
    My Login= N/A
    My Password= N/A
    Login Server IP= N/A
    IP Address Assignment= Dynamic
      IP Address= N/A
      IP Subnet Mask= N/A
      Gateway IP Address= N/A
    Network Address Translation= SUA Only

    Press ENTER to Confirm or ESC to Cancel:

Figure 6-3 Applying NAT for Internet Access

This figure shows how you apply NAT to the remote node in Menu 11.1.

Step 1. Enter 11 from the Main Menu.
Step 2.
Table 6-3 Applying NAT in Menus 4 & 11.3

Field: Network Address Translation
Options:
♦ Full Feature - When you select this option the SMT will use Address Mapping Set 1 (Menu 15.1 – see section 6.2.3 for further discussion). You can configure any of the 5 mapping types described in Table 6-2.
♦ None - NAT is disabled when you select this option.
♦ SUA Only - When you select this option the SMT will use Address Mapping Set 255 (Menu 15.1 – see section 6.2.3).
Menu 15.1 - Address Mapping Sets
1. NAT_SET
255. SUA (read only)
Enter Menu Selection Number:
Figure 6-6 Menu 15.1 Address Mapping Sets
Let’s look first at Option 255. Option 255 is equivalent to SUA in previous ZyXEL routers (see section 6.1.4). The fields in this menu cannot be changed. Entering 255 brings up this screen.
Menu 15.1.255 - Address Mapping Rules
Set Name= SUA
Idx: 1. 2. 3. 4. 5. 6. 7. 8. 9. 10.
Local Start IP: 0.0.0.
Table 6-4 SUA Address Mapping Rules
Set Name: This is the name of the set you selected in Menu 15.1 or enter the name of a new set you want to create.
Idx: This is the index or rule number.
Local Start IP: Local Start IP is the starting local IP address (ILA) (see Figure 6-1).
Local End IP: Local End IP is the ending local IP address (ILA). If the rule is for all local IPs, then the Start IP is 0.0.0.0 and the End IP is 255.255.255.255.
Menu 15.1.1 - Address Mapping Rules
Set Name= NAT_SET
Idx  Local Start IP  Local End IP  Global Start IP  Global End IP  Type
1. 2. 3. 4. 5. 6. 7. 8. 9. 10.
Action= Edit
Select Rule=
Press ENTER to Confirm or ESC to Cancel:
Figure 6-8 First Set in Menu 15.1.1
The Type, Local and Global Start/End IPs are configured in Menu 15.1.1.1 (described later) and the values are displayed here.
moved down by one rule. Delete means to delete the selected rule and then all the rules after the selected one will be advanced one rule. Save Set means to save the whole set (note when you choose this action, the Select Rule item will be disabled).
Select Rule: When you choose Edit, Insert Before or Delete in the previous field, the cursor jumps to this field to allow you to select the rule to apply the action in question. N.B.
examples. Only local IP fields are N/A for Server; Global IP fields MUST be set for Server.
Local IP Start: This is the starting local IP address (ILA).
Local IP End: This is the ending local IP address (ILA). If the rule is for all local IPs, then put the Start IP as 0.0.0.0 and the End IP as 255.255.255.255. This field is N/A for One-to-One and Server types.
Global IP Start: This is the starting global IP address (IGA). If you have a dynamic IP, enter 0.
Figure 6-10 Multiple Servers Behind NAT 6.3.2 Configuring a Server behind NAT Follow the steps below to configure a server behind NAT: Step 1. Enter 15 in the main menu to go to Menu 15 – NAT Setup. Step 2. Enter 2 to go to Menu 15.2 - NAT Server Setup. Step 3. Enter the service port number in the Port # field and the inside IP address of the server in the IP Address field. Step 4.
Menu 15.2 - NAT Server Setup
Port #       IP Address
1. Default   0.0.0.0
2. 21        192.168.1.33
3. 23        192.168.1.34
4. 25        192.168.1.35
5. 80        192.168.1.36
6. 0         0.0.0.0
7. 0         0.0.0.0
8. 0         0.0.0.0
9. 0         0.0.0.0
10. 0        0.0.0.0
11. 0        0.0.0.0
12. 1025     RR Reserved
Press ENTER to Confirm or ESC to Cancel:
Figure 6-11 Menu 15.
Figure 6-12 NAT Example 1
Menu 4 - Internet Access Setup
ISP's Name= ChangeMe
Encapsulation= Ethernet
Service Type= Standard
My Login= N/A
My Password= N/A
Login Server IP= N/A
IP Address Assignment= Dynamic
IP Address= N/A
IP Subnet Mask= N/A
Gateway IP Address= N/A
Network Address Translation= SUA Only
Press ENTER to Confirm or ESC to Cancel:
Figure 6-13 Internet Access & NAT Example
From Menu 4 shown above, simply choose the SUA Only option from the Network Address Tr
6.4.2 Example 2 – Internet Access with an Inside Server
Figure 6-14 NAT Example 2
In this case, we do exactly as above (use the convenient pre-configured SUA Only set) and also go to Menu 15.2 to specify the Inside Server behind the NAT as shown in the next figure.
Menu 15.2 - NAT Server Setup
Port #       IP Address
1. Default   192.168.1.10
2. 0         0.0.0.0
3. 0         0.0.0.0
4. 0         0.0.0.0
5. 0         0.0.0.0
6. 0         0.0.0.0
7. 0         0.0.0.0
8. 0         0.0.0.0
9. 0         0.0.0.0
10. 0
11. 0
12.
server and the other IGA is used by all. We want to map the FTP servers to the first two of our IGAs and the other LAN traffic to the remaining IGA. We also want to map our third IGA to an inside web server and mail server. We need to configure 4 rules, 2 bi-directional and 2 one-directional, as follows. Rule 1. We map our first IGA to our first inside FTP server for FTP traffic in both directions (1:1 mapping, giving both local and global IP addresses). Rule 2.
Step 5. Select Type= as One-to-One (direct mapping for packets going both ways), and enter the local Start IP as 192.168.1.10 (the IP address of FTP Server 1) and the global Start IP as 10.132.50.1 (our first IGA). (See Figure 6-18) Step 6. Repeat the previous step for rules 2 to 4 as outlined above. Step 7. When finished, Menu 15.1.1 should look as shown in Figure 6-19. Menu 11.
When we have configured all four rules, Menu 15.1.1 should look as follows.
Menu 15.1.1 - Address Mapping Rules
Set Name= Example3
Idx  Local Start IP   Local End IP      Global Start IP
1.   192.168.1.10                       10.132.50.1
2.   192.168.1.11                       10.132.50.2
3.   0.0.0.0          255.255.255.255   10.132.50.3
4.                                      10.132.50.
5. 6. 7. 8. 9. 10.
Action= Edit
6.4.4 Example 4 – NAT Unfriendly Application Programs Some applications do not support NAT mapping using TCP or UDP port address translation. In this case it is better to use Many-to-Many No Overload mapping, as port numbers do not change for the Many-to-Many No Overload (and One-to-One) NAT mapping types. The following figure illustrates this. Figure 6-21 NAT Example 4 Other applications, e.g.
Menu 15.1.1.1 Address Mapping Rule
Type= Many-to-Many No Overload
Local IP:
  Start= 192.168.1.10
  End = 192.168.1.12
Global IP:
  Start= 10.132.50.1
  End = 10.132.50.3
Press ENTER to Confirm or ESC to Cancel:
Figure 6-22 Example 4 - Menu 15.1.1.1 - Address Mapping Rule
After you’ve configured this menu, you should see the following screen.
Menu 15.1.1 - Address Mapping Rules
Set Name= Example4
Idx: 1. 2. 3. 4. 5. 6. 7. 8. 9. 10.
Local Start IP: 192.168.1.
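To make the rule semantics of Examples 3 and 4 concrete, here is a small Python model of an Address Mapping Set; it is an added example, not ZyXEL code. It assumes that the first matching rule wins and that the overload types allocate translated ports from 1025 upward on the first IGA of the range, and it uses the completed Example3 rows, the Example 4 rule and the Menu 15.2 server entries of Figure 6-11 as data (the single IGA 10.132.50.1 in the SUA-style set is assumed, since the page uses a dynamic address there).

```python
"""Model of Prestige NAT address mapping (added example, not ZyXEL code).

Rule order, Local/Global Start and End ranges, the mapping types of
section 6.1 and "unsolicited inbound is filtered out unless a server is
defined" follow the manual; names, the overload port allocation and the
sample data are constructed for this example.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

ONE_TO_ONE = "One-to-One"
MANY_TO_ONE = "Many-to-One"
MANY_TO_MANY_OVERLOAD = "Many-to-Many Overload"
MANY_TO_MANY_NO_OVERLOAD = "Many-to-Many No Overload"
SERVER = "Server"


def _range(start: str, end: str) -> Tuple[int, int]:  # blank End = single address
    lo = int(IPv4Address(start))
    return lo, (int(IPv4Address(end)) if end else lo)


@dataclass
class Rule:  # one row of Menu 15.1.1 - Address Mapping Rules
    rule_type: str
    local_start: str = "0.0.0.0"
    local_end: str = ""
    global_start: str = "0.0.0.0"
    global_end: str = ""


@dataclass
class AddressMappingSet:
    name: str
    rules: List[Rule]
    servers: Dict[int, str] = field(default_factory=dict)   # Menu 15.2: Port # -> inside IP
    default_server: str = "0.0.0.0"                          # Menu 15.2 "Default" row
    next_port: int = 1025                                    # assumed PAT port pool
    sessions: Dict[Tuple[str, int], Tuple[str, int]] = field(default_factory=dict)

    def outbound(self, src: str, sport: int) -> Optional[Tuple[str, int]]:
        """LAN -> WAN: translate (ILA, port) with the first rule whose local range matches."""
        ip = int(IPv4Address(src))
        for r in self.rules:
            lo, hi = _range(r.local_start, r.local_end)
            if r.rule_type == SERVER or not lo <= ip <= hi:
                continue
            glo, ghi = _range(r.global_start, r.global_end)
            if r.rule_type in (ONE_TO_ONE, MANY_TO_MANY_NO_OVERLOAD):
                # address shifted by its offset in the range and the port left alone,
                # which is why section 6.4.4 suggests these types for NAT-unfriendly programs
                iga = glo + (ip - lo)
                return (str(IPv4Address(iga)), sport) if iga <= ghi else None
            # Many-to-One / Many-to-Many Overload: port address translation on the
            # first IGA of the range (which IGA is used is an assumption of this model)
            iga, tport = str(IPv4Address(glo)), self.next_port
            self.next_port += 1
            self.sessions[(iga, tport)] = (src, sport)
            return iga, tport
        return None                                  # no rule: left untranslated

    def inbound(self, dst: str, dport: int) -> Optional[Tuple[str, int]]:
        """WAN -> LAN: return the inside (IP, port), or None when the packet is filtered out."""
        if (dst, dport) in self.sessions:            # reply to a LAN-originated session
            return self.sessions[(dst, dport)]
        ip = int(IPv4Address(dst))
        for r in self.rules:
            glo, ghi = _range(r.global_start, r.global_end)
            if not glo <= ip <= ghi:
                continue
            if r.rule_type in (ONE_TO_ONE, MANY_TO_MANY_NO_OVERLOAD):
                lo, _ = _range(r.local_start, r.local_end)
                return str(IPv4Address(lo + (ip - glo))), dport
            if r.rule_type == SERVER:                # inside server picked by Port #
                inside = self.servers.get(dport, self.default_server)
                return (inside, dport) if inside != "0.0.0.0" else None
        return None         # unsolicited and no server defined: the firewall benefit of NAT


def example3_set() -> AddressMappingSet:
    """The three completed rows of Menu 15.1.1, Set Name= Example3."""
    return AddressMappingSet("Example3", [
        Rule(ONE_TO_ONE, "192.168.1.10", "", "10.132.50.1"),
        Rule(ONE_TO_ONE, "192.168.1.11", "", "10.132.50.2"),
        Rule(MANY_TO_ONE, "0.0.0.0", "255.255.255.255", "10.132.50.3"),
    ])


def example4_set() -> AddressMappingSet:
    """Menu 15.1.1.1 of Example 4: three hosts to three IGAs, ports preserved."""
    return AddressMappingSet("Example4", [Rule(
        MANY_TO_MANY_NO_OVERLOAD, "192.168.1.10", "192.168.1.12", "10.132.50.1", "10.132.50.3")])


def sua_with_servers_set() -> AddressMappingSet:
    """SUA-style set (Many-to-One plus Server) with the Menu 15.2 entries of Figure 6-11."""
    return AddressMappingSet("SUA", [
        Rule(MANY_TO_ONE, "0.0.0.0", "255.255.255.255", "10.132.50.1"),
        Rule(SERVER, global_start="10.132.50.1")],
        servers={21: "192.168.1.33", 23: "192.168.1.34", 25: "192.168.1.35", 80: "192.168.1.36"})
```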
Advanced Management Part III: Advanced Management Chapters 7 - 12 provide information on Prestige filtering, System Information and Diagnosis, Transferring Files and Telnet.
Chapter 7 Filter Configuration This chapter shows you how to create and apply filter(s). 7.1 About Filtering Your Prestige uses filters to decide whether to allow passage of a data packet and/or to make a call. There are two types of filter applications: data filtering and call filtering. Filters are subdivided into device and protocol filters, which are discussed later. Data filtering screens the data to determine if the packet should be allowed to pass.
7.1.1 The Filter Structure of the Prestige A filter set consists of one or more filter rules. Usually, you would group related rules, e.g., all the rules for NetBIOS, into a single set and give it a descriptive name. The Prestige allows you to configure up to twelve filter sets with six rules in each set, for a total of 72 filter rules in the system. You cannot mix device filter rules and protocol filter rules within the same set.
Figure 7-2 Filter Rule Process (flowchart). The packet enters the filter and the first filter set and its first filter rule are fetched. An inactive rule is skipped; an active rule is executed and yields Forward, Drop or Check Next Rule. On Check Next Rule the next rule of the set is fetched, and when the set has no more rules the next filter set is fetched. The packet is accepted when no further set or rule is available, and dropped when a rule says Drop.
You can apply up to four filter sets to a particular port to block multiple types of packets.
7.2 Configuring a Filter Set To configure a filter set, follow the procedure below. For more information on Menus 21.2 and 21.3, please see Part 4. Step 1. Select option 21. Filter Set Configuration from the Main Menu to open Menu 21.
Menu 21 - Filter and Firewall Setup
1. Filter Setup
2. Firewall Setup
3. View Firewall Log
Enter Menu Selection Number:
Figure 7-4 Menu 21 – Filter and Firewall Setup
Step 2. Enter 1 to bring up the following menu. Menu 21.
Menu 21.1.1 - Filter Rules Summary
# A Type Filter Rules                               M m n
1 Y IP   Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=137       N D N
2 Y IP   Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=138       N D N
3 Y IP   Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=139       N D N
4 Y IP   Pr=17, SA=0.0.0.0, DA=0.0.0.0, DP=137      N D N
5 Y IP   Pr=17, SA=0.0.0.0, DA=0.0.0.0, DP=138      N D N
6 Y IP   Pr=17, SA=0.0.0.0, DA=0.0.0.
7.2.1 Filter Rules Summary Menu This screen shows the summary of the existing rules in the filter set. The following tables contain a brief description of the abbreviations used in the previous menus.
Table 7-1 Abbreviations Used in the Filter Rules Summary Menu
#: Refers to the filter rule number (1-6).
A: Shows whether the rule is active or not. Display: [Y] means the filter rule is active. [N] means the filter rule is inactive.
The protocol dependent filter rule abbreviations are listed as follows. If the filter type is IP, the abbreviations in the following table will be used.
Table 7-2 Abbreviations Used If Filter Type Is IP
Pr: Protocol
SA: Source Address
SP: Source Port number
DA: Destination Address
DP: Destination Port number
If the filter type is GEN (generic), the abbreviations in the following table will be used.
Menu 21.1.1.1 - TCP/IP Filter Rule
Filter #: 1,1
Filter Type= TCP/IP Filter Rule
Active= Yes
IP Protocol= 6     IP Source Route= No
Destination: IP Addr= 0.0.0.0
             IP Mask= 0.0.0.0
             Port #= 137
             Port # Comp= Equal
Source:      IP Addr= 0.0.0.0
             IP Mask= 0.0.0.0
             Port #=
             Port # Comp= None
TCP Estab= No
More= No           Log= None
Action Matched= Drop
Action Not Matched= Check Next Rule
Press ENTER to Confirm or ESC to Cancel:
Press Space Bar to Toggle.
Figure 7-9 Menu 21.1.1.
don’t-care if it is 0.
Destination: Port # Comp: Select the comparison to apply to the destination port in the packet against the value given in Destination: Port #. Options: None/Less/Greater/Equal/Not Equal.
Source: IP Address: Enter the source IP Address of the packet you wish to filter. This field is a don’t-care if it is 0.0.0.0.
Source: IP Mask: Enter the IP mask to apply to the Source: IP Addr.
Once you have completed filling in Menu 21.1.1.1 - TCP/IP Filter Rule, press [Enter] at the message [Press Enter to Confirm] to save your configuration, or press [Esc] to cancel. This data will now be displayed on Menu 21.1.1 - Filter Rules Summary. The following diagram illustrates the logic flow of an IP filter.
Figure 7-10 Executing an IP Filter (flowchart). A packet entering the IP filter goes to Check Next Rule if the rule is not active. Otherwise the source address mask is applied and the source IP address checked, then the destination address mask is applied and the destination IP address checked, then the IP protocol is checked, then the source and destination ports. Any check that does not match leads to Action Not Matched (Check Next Rule, Forward or Drop). If every check matches and More is Yes, the next rule is checked; if More is No, Action Matched applies: Check Next Rule, Forward (Accept Packet) or Drop (Drop Packet).
7.2.4 Generic Filter Rule This section shows you how to configure a generic filter rule. The purpose of generic rules is to allow you to filter non-IP packets. For IP, it is generally easier to use the IP rules directly. For generic rules, the Prestige treats a packet as a byte stream as opposed to an IP or IPX packet. You specify the portion of the packet to check with the Offset (from 0) and the Length fields, both in bytes.
The following table describes the fields in the Generic Filter Rule Menu.
Table 7-5 Generic Filter Rule Menu Fields
Filter #: This is the filter set, filter rule co-ordinates, i.e., 2,3 refers to the second filter set and the third rule of that set.
Filter Type: Use the [SPACE BAR] to toggle between both types of rules. Parameters displayed below each type will be different.
Once you have completed filling in Menu 21.4.1.1 - Generic Filter Rule, press [Enter] at the message [Press Enter to Confirm] to save your configuration, or press [Esc] to cancel. This data will now be displayed on Menu 21.1.1 - Filter Rules Summary. 7.3 Example Filter Let’s look at the third default ZyXEL filter, TELNET_WAN (see Figure 7-8) as an example. Please see our included disk for more example filters.
Menu 21.1.1 - TCP/IP Filter Rule
Filter #: 3,1
Filter Type= TCP/IP Filter Rule
Active= Yes
IP Protocol= 6     IP Source Route= No
Destination: IP Addr= 0.0.0.0
             IP Mask= 0.0.0.0
             Port #= 23
             Port # Comp= Equal
Source:      IP Addr= 0.0.0.0
             IP Mask= 0.0.0.0
             Port #= 0
             Port # Comp= None
TCP Estab= No
More= No           Log= None
Action Matched= Drop
Action Not Matched= Forward
Press ENTER to Confirm or ESC to Cancel:
Press Space Bar to Toggle.
There are no more rules to check.
Menu 21.1.3 - Filter Rules Summary
# A Type Filter Rules                               M m n
1 Y IP   Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=23        N D F
2 N
3 N
4 N
5 N
6 N
Enter Filter Rule Number (1-6) to Configure: 1
This shows you that you have configured and activated (A = Y) a TCP/IP filter rule (Type = IP, Pr = 6) for destination telnet ports (DP = 23). M = N means an action can be taken immediately.
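The following Python model, an added example rather than ZyXEL code, runs the six NetBIOS rules of Menu 21.1.1 (section 7.2) and the TELNET_WAN rule above through the checks of Figure 7-10 and the set-by-set traversal of Figure 7-2. The class and function names, the sample addresses and the treatment of IP Protocol 0 as a don't-care are assumptions of this model.

```python
"""Model of the Prestige IP filter logic (added example, not ZyXEL code).

The checks and their order (source address under its mask, destination
address under its mask, IP protocol, source and destination ports with
None/Less/Greater/Equal/Not Equal comparison, More, then Action Matched
or Action Not Matched) follow Figure 7-10 and Menu 21.1.1.1; walking the
applied sets rule by rule and accepting the packet when no rule decides
follows Figure 7-2.  Names and sample packets are constructed here.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List

DROP, FORWARD, CHECK_NEXT = "Drop", "Forward", "Check Next Rule"
TCP, UDP = 6, 17


def masked_match(packet_ip: str, rule_ip: str, mask: str) -> bool:
    """A rule address of 0.0.0.0 is a don't-care; otherwise compare under the mask."""
    if rule_ip == "0.0.0.0":
        return True
    m = int(IPv4Address(mask))
    return (int(IPv4Address(packet_ip)) & m) == (int(IPv4Address(rule_ip)) & m)


def port_match(port: int, rule_port: int, comp: str) -> bool:
    """The Port # Comp options of Menu 21.1.1.1."""
    return {"None": True, "Equal": port == rule_port, "Not Equal": port != rule_port,
            "Less": port < rule_port, "Greater": port > rule_port}[comp]


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    sport: int = 0
    dport: int = 0


@dataclass
class IPRule:
    """One Menu 21.1.1.1 - TCP/IP Filter Rule (TCP Estab and Log are left out)."""
    active: bool = True
    protocol: int = 0                 # 0 treated as don't-care (assumption)
    src_addr: str = "0.0.0.0"
    src_mask: str = "0.0.0.0"
    src_port: int = 0
    src_comp: str = "None"
    dst_addr: str = "0.0.0.0"
    dst_mask: str = "0.0.0.0"
    dst_port: int = 0
    dst_comp: str = "None"
    more: bool = False
    action_matched: str = DROP
    action_not_matched: str = CHECK_NEXT

    def matches(self, p: Packet) -> bool:
        return (masked_match(p.src, self.src_addr, self.src_mask)
                and masked_match(p.dst, self.dst_addr, self.dst_mask)
                and (self.protocol == 0 or p.proto == self.protocol)
                and port_match(p.sport, self.src_port, self.src_comp)
                and port_match(p.dport, self.dst_port, self.dst_comp))

    def execute(self, p: Packet) -> str:
        if not self.active:
            return CHECK_NEXT
        if self.matches(p):
            # More=Yes defers the decision to the next rule (modelled as Check Next Rule)
            return CHECK_NEXT if self.more else self.action_matched
        return self.action_not_matched


def filter_packet(p: Packet, sets: List[List[IPRule]]) -> str:
    """Apply the filter sets in order; the first rule that decides Forward or Drop wins."""
    for rules in sets:
        for rule in rules:
            verdict = rule.execute(p)
            if verdict != CHECK_NEXT:
                return verdict
    return FORWARD            # no rule decided: Accept Packet (Figure 7-2)


def netbios_set() -> List[IPRule]:
    """The six rules of Menu 21.1.1: drop TCP and UDP to ports 137-139, else check next."""
    return [IPRule(protocol=proto, dst_port=port, dst_comp="Equal")
            for proto in (TCP, UDP) for port in (137, 138, 139)]


def telnet_wan_set() -> List[IPRule]:
    """TELNET_WAN (section 7.3): drop TCP to port 23, otherwise Forward at once (M=N, n=F)."""
    return [IPRule(protocol=TCP, dst_port=23, dst_comp="Equal",
                   action_matched=DROP, action_not_matched=FORWARD)]
```

Because the TELNET_WAN rule's Action Not Matched is Forward, a set holding it must be applied after sets whose rules end in Check Next Rule, or those later rules are never reached.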
packets and after NAT for incoming packets. On the other hand, the generic, or device filters are applied to the raw packets that appear on the wire. They are applied at the point when the Prestige is receiving and sending the packets; i.e. the interface. The interface can be an Ethernet port or any other hardware port. The following diagram illustrates this. Figure 7-15 7.
Menu 3.1 – LAN Port Filter Setup
Input Filter Sets:
  protocol filters= 2
  device filters=
Output Filter Sets:
  Protocol filters=
  device filters=
Press ENTER to Confirm or ESC to Cancel:
(Apply Default Filter 2 here.)
Figure 7-16 Filtering LAN Traffic
7.6.2 Remote Node Filters Go to Menu 11.5 (shown below – note that call filter sets are only present for PPPoE encapsulation) and enter the number(s) of the filter set(s) as appropriate.
Chapter 8 SNMP Configuration This chapter discusses SNMP (Simple Network Management Protocol) for network management and monitoring. 8.1 About SNMP Your Prestige supports SNMP agent functionality, which allows a manager station to manage and monitor the Prestige through the network. Keep in mind that SNMP is only available if TCP/IP is configured on your Prestige. 8.
The following table describes the SNMP configuration parameters.
Table 8-1 SNMP Configuration Menu Fields
Get Community: Enter the get community, which is the password for the incoming Get- and GetNext- requests from the management station. Default: public.
Set Community: Enter the set community, which is the password for incoming Set- requests from the management station.
Chapter 9 System Information & Diagnosis This chapter talks you through SMT Menus 24.1 to 24.4. This chapter covers the diagnostic tools that help you to maintain your Prestige. These tools include updates on system status, port status, log and trace capabilities and upgrades for the system software. This chapter describes how to use these tools in detail. Select menu 24 in the main menu to open Menu 24 - System Maintenance, as shown below. Menu 24 - System Maintenance 1.
9.1 System Status The first selection, System Status, gives you information on the version of your system firmware and the status and statistics of the ports, as shown in the figure below. System Status is a tool that can be used to monitor your Prestige. Specifically, it gives you information on your system firmware version, number of packets sent and number of packets received. To get to the System Status: Step 1. Enter number 24 to go to Menu 24 - System Maintenance.
The following table describes the fields present in Menu 24.1 - System Maintenance - Status.
Table 9-1 System Maintenance - Status Menu Fields
Port: The WAN or LAN port.
Status: Shows the port speed and duplex setting if you’re using Ethernet Encapsulation, and down (line is down), idle (line (ppp) idle), dial (starting to trigger a call) and drop (dropping a call) if you’re using PPPoE Encapsulation.
9.2 System Information and Console Port Speed This section describes your system and allows you to choose different console port speeds. To get to the System Information and Console Port Speed: Step 1. Enter 24 to go to Menu 24 – System Maintenance. Step 2. Enter 2 to open Menu 24.2 - System Information and Console Port Speed. Step 3. From this Menu you have two choices as shown in the next figure: Menu 24.2 - System Information and Console Port Speed 1.
Table 9-2 Fields in System Maintenance
Name: This is the Prestige's system name + domain name assigned in Menu 1. E.g., System Name= xxx; Domain Name= baboo.mickey.com; Name= xxx.baboo.mickey.com
Routing: Refers to the routing protocol used.
ZyNOS F/W Version: Refers to the version of ZyXEL's Network Operating System software.
Ethernet Address: Refers to the Ethernet MAC (Media Access Control) address of your Prestige.
9.3.1 Viewing Error Log The first place you should look for clues when something goes wrong is the error/trace log. Follow the procedure below to view the local error/trace log: Step 1. Select option 24 from the Main Menu to open Menu 24 - System Maintenance. Step 2. From Menu 24, select option 3 to open Menu 24.3 - System Maintenance - Log and Trace. Step 3. Select the first option from Menu 24.3 - System Maintenance - Log and Trace to display the error log in the system.
Menu 24.3.2 -- System Maintenance - UNIX Syslog and Accounting
UNIX Syslog:
  Active= No
  Syslog IP Address= ?
  Log Facility= Local 1
Types:
  CDR= No
  Packet Triggered= No
  Filter log= No
  PPP log= No
  Firewall log= No
Press ENTER to Confirm or ESC to Cancel:
Figure 9-8 Menu 24.3.2 - System Maintenance – UNIX Syslog
You need to configure the UNIX syslog parameters described in the following table to activate syslog, then choose what you want to log.
1. CDR
CDR Message Format
SdcmdSyslogSend( SYSLOG_CDR, SYSLOG_INFO, String );
String = board xx line xx channel xx, call xx, str
board = the hardware board ID
line = the WAN ID in a board
Channel = channel ID within the WAN
call = the call reference number which starts from 1 and increments by 1 for each new call
str = C01 Outgoing Call dev xx ch xx (dev:device No. ch:channel No.
Mar 03 10:39:43 202.132.155.97 ZyXEL: GEN[fffffffffffnordff0080] }S05>R01mF
Mar 03 10:41:29 202.132.155.97 ZyXEL: GEN[00a0c5f502fnord010080] }S05>R01mF
Mar 03 10:41:34 202.132.155.97 ZyXEL: IP[Src=192.168.2.33 Dst=202.132.155.93 ICMP]}S04>R01mF
Mar 03 11:59:20 202.132.155.97 ZyXEL: GEN[00a0c5f502fnord010080] }S05>R01mF
Mar 03 12:00:31 202.132.155.97 ZyXEL: GEN[fffffffffffnordff0080] }S05>R01mF
Mar 03 12:00:52 202.132.155.
9.3.3 Call-Triggering Packet Call-Triggering Packet displays information about the packet that triggered a dial-out call in an easily readable format. Equivalent information is available in Menu 24.1 in hex format. An example is shown next.
Menu 24.4 - System Maintenance - Diagnostic
TCP/IP
  1. Ping Host
  2. WAN DHCP Release
  3. WAN DHCP Renewal
  4. Internet Setup Test
System
  11. Reboot System
Enter Menu Selection Number:
Host IP Address= N/A
Figure 9-10 Menu 24.4 - System Maintenance - Diagnostic
Follow the procedure below to get to Menu 24.4 - System Maintenance – Diagnostic. Step 1. From the Main Menu, select option 24 to open Menu 24 - System Maintenance. Step 2. From this menu, select option 4.
Figure 9-11 WAN & LAN DHCP
The following table describes the diagnostic tests available in Menu 24.4 for your Prestige and the connections.
Table 9-4 System Maintenance Menu Diagnostic
1 Ping Host: Enter 1 to ping any machine (with an IP address) on your LAN or WAN. Enter its IP address in the Host IP Address= field below.
2 WAN DHCP Release: Enter 2 to release your WAN DHCP settings.
Chapter 10 Transferring Files This chapter tells you how to back up and restore your configuration file as well as upload new firmware and a new configuration file. 10.1 Filename conventions The configuration file (often called the romfile or rom-0) contains the factory default settings in the menus such as password, DHCP Setup, TCP/IP Setup etc. It arrives from ZyXEL with a name of P312.ROM or similar.
Table 10-1 Filename Conventions
Configuration File: Internal Name Rom-0; External Name *.rom; AT Command ATLC. This is the router configuration filename on the Prestige. Uploading the rom-0 file replaces the entire ROM file system, including your Prestige configurations, system-related data (including the baud rate and default password), the error log and the trace log.
Firmware: Internal Name Ras; External Name *.
10.3 Restore Configuration Menu 24.6 -- System Maintenance - Restore Configuration allows you to restore the configuration via the console port. FTP and TFTP are the preferred methods for restoring your current workstation configuration to your Prestige since FTP and TFTP are faster. Please note that the system reboots automatically after the file transfer is complete. Menu 24.6 -- System Maintenance - Restore Configuration Ready to restore Configuration via Xmodem.
Step 4. After successful firmware upload, enter atgo to restart the Prestige.
Menu 24.7.1 - System Maintenance - Upload Router Firmware
FTP and TFTP are the preferred methods for uploading router firmware to your Prestige since FTP and TFTP are faster.
To upload router firmware:
1. Enter "y" at the prompt below to go into debug mode.
2. Enter "atur" after "Enter Debug Mode" message.
3.
Menu 24.7.2 - System Maintenance - Upload Router Configuration File
FTP and TFTP are the preferred methods for uploading router firmware to your Prestige since FTP and TFTP are faster.
To upload router configuration file:
1. Enter "y" at the prompt below to go into debug mode.
2. Enter "atlc" after "Enter Debug Mode" message.
3. Wait for "Starting XMODEM upload" message before activating Xmodem upload on your terminal.
4.
Note: If you upload the firmware to the Prestige, it will reboot automatically when the file transfer is completed (the SYS LED will flash). Note that the telnet connection must be active and the SMT in CI mode before and during the TFTP transfer. For details on TFTP commands (see following example), please consult the documentation of your TFTP client program.
10.6 FTP File Transfer In addition to uploading the firmware and configuration via the console port and TFTP client, you can also upload the Prestige firmware and configuration files using FTP. To use this feature, your workstation must have an FTP client. When you telnet into the Prestige, you will see the following screens for uploading firmware and the configuration file using FTP. Menu 24.7.
Menu 24.7.2 - System Maintenance - Upload Router Configuration File
To upload the router configuration file, follow the procedure below:
1. Launch the FTP client on your workstation.
2. Type "open" and the IP address of your router. Then type "root" and SMT password as requested.
3. Type "put configurationfilename rom-0" where "configurationfilename" is the name of your router configuration file on your workstation, which will be transferred to the "rom-0" file on the router.
Connected to 312.x.x.x
220 P312 FTP version 1.0 ready at Thu Jan 20 18:00:02 2000
User (312.x.x.x:(none)):
331 Enter PASS command
Password:
230 Logged in
ftp> bin
200 Type I OK
ftp> put p312e.bin ras
200 Port command okay
150 Opening data connection for STOR ras
226 File received OK
ftp: 327680 bytes sent in 1.10Seconds 297.89Kbytes/sec.
ftp> quit
Figure 10-8 FTP Session Example
The system reboots after a successful upload.
Chapter 11 System Maintenance & Information This chapter leads you through SMT menus 24.8 to 24.11. 11.1 Command Interpreter Mode The Command Interpreter (CI) is a part of the main router firmware. The CI provides much of the same functionality as the SMT, while adding some low-level setup and diagnostic functions. The CI can be entered from the SMT by selecting menu 24.8.
11.2 Call Control Support The Prestige provides two call control functions: budget management and call history. Please note that this menu is only applicable when Encapsulation is set to PPPoE or PPTP in Menu 4 or Menu 11.1. The budget management function allows you to set a limit on the total outgoing call time of the Prestige within certain times.
The total budget is the time limit on the accumulated time for outgoing calls to a remote node. When this limit is reached, the call will be dropped and further outgoing calls to that remote node will be blocked. After each period, the total budget is reset. The default for the total budget is 0 minutes and the period is 0 hours, meaning no budget control. You can reset the accumulated connection time in this menu by entering the index of a remote node.
Table 11-2 Call History Fields
Phone Number: The PPPoE service names are shown here.
Dir: This shows whether the call was incoming or outgoing.
Rate: This is the transfer rate of the call.
#call: This is the number of calls made to or received from that telephone number.
Max: This is the length of time of the longest telephone call.
Min: This is the length of time of the shortest telephone call.
Menu 24.10 - System Maintenance - Time and Date Setting
Use Time Server when Bootup= None
Time Server IP Address= N/A
Current Time: 00 : 00 : 00
New Time (hh:mm:ss): 00 : 04 : 42
Current Date: 2000 - 01 - 01
New Date (yyyy-mm-dd): 2000 - 01 - 01
Time Zone= GMT+0800
Press ENTER to Confirm or ESC to Cancel:
Press Space Bar to Toggle.
zone and Greenwich Mean Time (GMT). Be aware if/when daylight savings time alters this time difference for your time zone. Once you have filled in the new time and date, press [Enter] to save the setting and press [Esc] to return to Menu 24. 11.4 Remote Management Setup Telnet and FTP do not support encryption, so for very strong security both services should be shut down. This is done in Menu 24.11 - Remote Management Control. Enter 11 from Menu 24 to bring up this menu.
Table 11-4 Menu 24.11 - Remote Management Control
FTP service active: Press the [SPACE BAR] to toggle Yes to No and press [Enter] to disable all FTP activity (both LAN and WAN). Options: Yes / No.
Telnet service active: Press the [SPACE BAR] to toggle Yes to No and press [Enter] to disable all Telnet activity (both LAN and WAN). Options: Yes / No.
Secured Client IP: The default value for Secured Client IP is 0.0.0.
======= Debug Command Listing =======
AT: just answer OK
ATHE: print help
ATBAx: change baudrate. 1:38.4k, 2:19.2k, 3:9.6k 4:57.6k 5:115.
Other commands in the listing: ATENx,(y) ATSE ATTI(h,m,s) ATDA(y,m,d) ATDS ATDT ATDUx,y ATWBx,y ATWWx,y ATWLx,y ATRBx ATRWx ATRLx ATGO(x) ATGR ATGT AT%Tx ATBTx ATRTw,x,y(,z) ATWEa(,b,c,d) ATCUx ATCB ATCL ATSB ATBU ATSH ATWMx ATCOx ATFLx ATSTx ATSYx ATVDx ATPNx ATFEx,y,... ATMP ATDOx,y ATTD ATUPx,y ATUR ATLC ATUXx(,y) ATERx,y ATWFx,y,z ATXSx ATLOa,b,c,d
Chapter 12 Telnet Configuration and Capabilities This chapter covers the Telnet Configuration and Capabilities of the Prestige. 12.1 About Telnet Configuration Before the Prestige is properly setup for TCP/IP, the only option for configuring it is through the console port. Once your Prestige is configured, you can use telnet to configure it remotely as shown below. Figure 12-1 Telnet Configuration on a TCP/IP Network 12.
12.3.2 System Timeout There is a system timeout of 5 minutes (300 seconds) for either the console port or telnet. Your Prestige will automatically log you out if you do nothing in this timeout period, except when it is continuously updating the status in Menu 24.1 or when "sys stdio" has been changed on the command line. 12.
Firewall and Content Filters Part IV: Firewall and Content Filters Chapters 13 – 20 describe types of firewalls, how to configure your Prestige firewall using the Prestige Web Configurator, as well as types of Denial of Service (DoS) attacks and Content Filtering.
Chapter 13 What is a Firewall This chapter gives some background information on firewalls. Originally, the term firewall referred to a construction technique designed to prevent the spread of fire from one room to another. The network term firewall is typically defined as a system or group of systems that enforces an access-control policy between two networks. It may also be defined as a mechanism used to protect a trusted network from an untrusted network.
needed to filter application traffic and direct it to a number of specific systems. The router need only allow application traffic destined for the application gateway and reject the rest. 13.1.3 Stateful Inspection firewalls Stateful Inspection firewalls restrict access by screening data packets against defined access rules. They make access control decisions based on IP address and protocol.
Figure 13-1 Prestige Firewall Application 13.3 Denial of Service Denial of Service (DoS) attacks are aimed at devices and networks with a connection to the Internet. Their goal is not to steal information, but to disable a device or network so users no longer have access to network resources. The Prestige is pre-configured to automatically detect and thwart all known DoS attacks. 13.3.
Table 13-1 Common IP Ports
21 FTP
23 Telnet
25 SMTP
53 DNS
80 HTTP
110 POP3
13.3.2 Types of DoS attacks There are four types of DoS attacks:
1. Those that exploit bugs in a TCP/IP implementation.
2. Those that exploit weaknesses in the TCP/IP specification.
3. Brute-force attacks that flood a network with useless data.
4. IP Spoofing.
1. "Ping of Death" and "Teardrop" attacks exploit bugs in the TCP/IP implementations of various computer and host systems.
Under normal circumstances, the application that initiates a session sends a SYN (synchronize) packet to the receiving server. The receiver sends back an ACK (acknowledgment) packet and its own SYN, and then the initiator responds with an ACK (acknowledgment). After this handshake, a connection is established. 2-a. A SYN Attack floods a targeted system with a series of SYN packets. Each packet causes the targeted system to issue a SYN-ACK response.
Figure 13-4 Smurf Attack

4. Often, many DoS attacks also employ a technique known as "IP Spoofing" as part of their attack. IP Spoofing may be used to break into systems, to hide the hacker's identity, or to magnify the effect of the DoS attack. IP Spoofing is a technique used to gain unauthorized access to computers by tricking a router or firewall into thinking that the communications are coming from within the trusted network.
Figure 13-5 Stateful Inspection

Figure 13-5 shows the Prestige's default firewall rules in action and demonstrates how stateful inspection works. User A can initiate a Telnet session from within the LAN, and responses to this request are allowed. However, other Telnet traffic initiated from the WAN is not allowed. 13.4.
7.
8.
9. The packet is inspected by a firewall rule, and the connection's state table entry is updated as necessary. Based on the updated state information, the inbound extended access list temporary entries might be modified, in order to permit only packets that are valid for the current state of the connection.
When any subsequent packet arrives at the Prestige (from the Internet or from the LAN), its connection information is extracted and checked against the cache. A packet is only allowed to pass through if it corresponds to a valid connection (that is, if it is a response to a connection that originated on the LAN).

13.4.4 UDP/ICMP Security

UDP and ICMP do not themselves contain any connection information (such as sequence numbers).
3.
4. Limit who can Telnet into your router. Don't enable any local service (such as SNMP or NTP) that you don't use. Any enabled service could present a potential security risk. A determined, hostile party might be able to find creative ways to misuse the enabled services to access the firewall or the network.
5. For local services that are enabled, protect against misuse.
12. Always shred confidential information, particularly about your computer, before throwing it away. Some hackers dig through the trash of companies or individuals for information that might help them in a social intrusion.
Chapter 14 Introducing the Prestige Firewall

This chapter shows you how to get started with the Prestige Firewall. Please see Chapter 13 for some background information on firewalls.

14.1 SMT Menus

From the Main Menu (see below) enter 21 to go to Menu 21 - Filter Set and Firewall Configuration.

    Copyright (c) 1994 - 2000 ZyXEL Communications Corp.

                     Prestige 312 Main Menu

    Getting Started
      1. General Setup
      2. WAN Setup
      3. LAN Setup
      4.
Menu 21.2 - Firewall Setup

The firewall protects against Denial of Service (DoS) attacks when it is active. The default policy sets 1. allow all sessions originating from the LAN to the WAN and 2.
ICMP Echo

A brute-force attack, such as a "Smurf" attack, targets a feature in the IP specification known as directed or subnet broadcasting, to quickly flood the target network with useless data. A Smurf hacker floods a router with Internet Control Message Protocol (ICMP) echo request packets (pings). Since the destination IP address of each packet is the broadcast address of the network, the router will broadcast the ICMP echo request packet to all hosts on the network. Because the attacker forges the source address of those requests to be the victim's address, every host that answers sends its echo reply to the victim, so a single spoofed ping is multiplied by the number of hosts on the broadcast segment.
Traceroute

Traceroute is a utility used to determine the path a packet takes between two endpoints. Sometimes when a packet filter firewall is configured incorrectly an attacker can traceroute through the firewall, gaining knowledge of the network topology inside it.

Teardrop

Teardrop attacks exploit weaknesses in the reassembly of IP packet fragments. As data is transmitted through a network, IP packets are often broken up into smaller chunks.
Table 14-4 View Firewall Log

Field   Description
#       This is the index number of the firewall log. 128 entries are available, numbered from 0 to 127. Once they are all used, the log wraps around and the old logs are lost.
Time    This is the time the log was recorded, in the format mm:dd:yy (e.g., Jan 1 70) hh:mm:ss. You must configure Menu 24.10 for real time; otherwise the clock started at Jan 1 70, 00:00:00 the last time the P312 was reset, and the timestamps only measure uptime since then.
Figure 14-5 Big Picture - Filtering, Firewall and NAT

14.3 Packet Filtering Vs Firewall

Below are some comparisons between the Prestige's filtering and firewall functions.

14.3.1 Packet Filtering:

- The router filters packets as they pass through the router's interface according to the filter rules you designed.
- Packet filtering is a powerful tool, yet can be complex to configure and maintain, especially if you need a chain of rules to filter a service.
When To Use Filtering

1. To block/allow LAN packets by their MAC address.
2. To block/allow special IP packets which are neither TCP, UDP, nor ICMP packets.
3. To block/allow both inbound (WAN to LAN) and outbound (LAN to WAN) traffic between the specific inside host/network "A" and outside host/network "B". If the filter blocks the traffic from A to B, it also blocks the traffic from B to A.
Chapter 15 Introducing the Prestige Web Configurator

This chapter shows you how to configure your firewall with the Web Configurator.

15.1 Web Configurator Login and Welcome Screens

Launch your web browser and enter 192.168.1.1 as the URL. This is the factory default IP of the Prestige when shipped. You will then see the Login screen.

Figure 15-1 Login screen as seen in Netscape

1. The default Username and Password are "admin" and "1234" respectively. Change the default password before you connect the Prestige to the WAN: the factory credentials are printed in this guide, so they are the first thing anyone probing the device will try.
2.
Figure 15-2 Prestige Web Configurator Welcome Screen

15.2 Enabling the Firewall

Click Firewall, then Configuration, then the Rule Config tab to enable the firewall as seen in the following screen.
Figure 15-3 Enabling the Firewall

15.3 E-Mail

This screen allows you to specify your mail server, where e-mail alerts should be sent, as well as when and how often they should be sent.

15.3.1 What are Alerts?

Alerts are reports on events such as attacks, which you may want to know about right away.
To field and schedule times for sending alerts in the Alert Timer fields in the E-Mail screen (following screen).

15.3.2 What are Logs?

A log is a detailed record that you create for packets that either match a rule, don't match a rule or both when you are creating/editing a firewall rule (see Figure 16-4). You can also choose not to create a log for a rule in this screen. An attack automatically generates a log.
Table 15-1 E-Mail

Field          Description                                                                                   Options
Address Information
Mail Server    Enter the IP address of your mail server in dotted-decimal format. Your Internet Service Provider (ISP) should be able to provide this information. If this field is left blank, log and alert messages will not be sent via e-mail.
Mail Subject   Enter a subject that you want to appear in the subject field of your e-mail here (see Figure 15-5).
15.3.3 SMTP Error Messages

If there are difficulties in sending e-mail, the following error messages appear. Please see the Support Notes on the accompanying CD for information on other types of error messages. E-mail error messages appear as "SMTP action request failed. ret= ??" where ?? is described in the following table.
    Subject: Firewall Alert From Prestige
    Date: Fri, 07 Apr 2000 10:05:42
    From: user@zyxel.com
    To: user@zyxel.com

    1|Apr 7 00 09:54:03 |From:192.168.1.1 To:192.168.1.255 |default permit |forward |UDP src port:00520 dest port:00520 |<1,00> |
    2|Apr 7 00 |From:192.168.1.131 To:192.168.1.

The Subject line is the title you entered in the Mail Subject field. Note the two date formats: the Date header uses Date-Month-Year, while each log entry's timestamp uses Month-Date-Year.
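The following parser, added here as an example and not part of the Prestige firmware or ZyXEL's documentation, reads log entries in the pipe-separated layout of the alert above (index, date and time, From/To addresses, rule note, action, protocol with source and destination ports, and the <set,rule> reference). Only the first sample line mirrors the manual; the other two are constructed, and the third carries a Jan 1 70 timestamp to show how an unconfigured clock (Menu 24.10) is detected.

```python
"""Parse Prestige-style firewall log entries (added example, not ZyXEL code).

Layout, per the e-mail alert in section 15.3:
index|date time|From:src To:dst|note|action|proto src port dest port|<set,rule>|"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample; entry 1 follows the manual, 2 and 3 are made up.
SAMPLE_LOG = """\
1|Apr  7 00 09:54:03 |From:192.168.1.1 To:192.168.1.255 |default permit |forward |UDP src port:00520 dest port:00520 |<1,00> |
2|Apr  7 00 09:55:11 |From:203.0.113.7 To:192.168.10.2 |default permit |block |TCP src port:04021 dest port:00023 |<2,00> |
3|Jan  1 70 00:00:09 |From:203.0.113.7 To:192.168.10.3 |rule match |forward |TCP src port:04022 dest port:00021 |<2,02> |
"""

ADDR_RE = re.compile(r"From:(\S+)\s+To:(\S+)")
PORT_RE = re.compile(r"(TCP|UDP|ICMP)\s+src port:(\d+)\s+dest port:(\d+)")
SET_RULE_RE = re.compile(r"<(\d+),(\d+)>")


def parse_entry(line):
    """Return one log entry as a dict, or None if the line is not an entry."""
    fields = [f.strip() for f in line.strip().rstrip("|").split("|")]
    if len(fields) != 7 or not fields[0].isdigit():
        return None
    idx, when, addrs, note, action, ports, setrule = fields
    src, dst = ADDR_RE.match(addrs).groups()
    proto, sport, dport = PORT_RE.match(ports).groups()
    rule_set, rule = SET_RULE_RE.match(setrule).groups()
    # The device pads the day with a space; collapse it before parsing mm dd yy hh:mm:ss.
    stamp = datetime.strptime(" ".join(when.split()), "%b %d %y %H:%M:%S")
    return {
        "index": int(idx),
        "time": stamp,
        # Without Menu 24.10 the clock counts from Jan 1 70 00:00:00 at the last
        # reset, so a 1970 timestamp is uptime, not wall-clock time.
        "clock_unset": stamp.year == 1970,
        "src": src, "dst": dst, "proto": proto,
        "sport": int(sport), "dport": int(dport),
        "note": note, "action": action,
        "rule_set": int(rule_set), "rule": int(rule),
    }


def parse_log(text):
    return [e for e in (parse_entry(line) for line in text.splitlines()) if e]


def blocked_sources(entries):
    """Blocked packets per source address: the first thing to check on an alert."""
    return Counter(e["src"] for e in entries if e["action"] == "block")


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for e in entries:
        flag = " (clock not set)" if e["clock_unset"] else ""
        print(f"#{e['index']} {e['time']}{flag} {e['proto']} {e['src']}:{e['sport']} -> "
              f"{e['dst']}:{e['dport']} {e['action']} set {e['rule_set']} rule {e['rule']}")
    print("blocked per source:", dict(blocked_sources(entries)))
```

Feed the body of an alert e-mail (or Menu 21.3 output) to parse_log; the mail headers and blank lines are ignored because they do not split into seven fields.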
You can use the default threshold values, or you can change them to values more suitable to your security requirements.

15.4.1 Threshold Values:

You really only need to tune these parameters when something is not working and after you have checked the firewall counters. The default values should work fine for normal small offices with ADSL bandwidth. Factors influencing choices for threshold values are:

1. The maximum number of opened sessions.
2.
The Prestige deletes the oldest existing half-open session for the host for every new connection request to the host. This ensures that the number of half-open sessions to a given host will never exceed the threshold.

2. If the Blocking Time timeout is greater than 0: The Prestige blocks all new connection requests to the host, giving the server time to handle the present connections. The Prestige continues to block all new connection requests until the Blocking Time expires.
Table 15-3 Attack Alert

Field                                 Description                                                                                                       Default Values
Generate alert when attack detected   A detected attack automatically generates a log entry. Check this box to generate an alert (as well as a log) whenever an attack is detected. See section 15.3 for more information on logs and alerts.
Denial of Services Thresholds
One Minute Low                        This is the rate of new half-open sessions that causes the firewall to stop deleting half-open sessions.
Maximum Incomplete High               When the number of existing half-open sessions rises above this number, the Prestige deletes half-open sessions as required to accommodate new connection requests. Do not set Maximum Incomplete High lower than the current Maximum Incomplete Low number.
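The following simulation, added here as an example and not part of the Prestige firmware or ZyXEL's documentation, reproduces the two half-open session mechanisms this section describes: the system-wide hysteresis between the Low and High thresholds (per-minute rate of new half-open sessions and total half-open count), and the per-host TCP Maximum Incomplete limit, which either deletes the oldest half-open session to that host on every new request (Blocking Time 0) or refuses new requests to the host until the Blocking Time expires. The numeric defaults in the constructor are assumptions for the illustration; use the values from your own Attack Alert screen.

```python
"""Half-open (SYN flood) threshold logic from section 15.4 (added example, not ZyXEL code)."""
from collections import OrderedDict, deque


class HalfOpenGuard:
    def __init__(self, one_minute_low=80, one_minute_high=100,
                 max_incomplete_low=80, max_incomplete_high=100,
                 tcp_max_incomplete=10, blocking_time_min=0):   # defaults are assumed
        self.one_minute_low, self.one_minute_high = one_minute_low, one_minute_high
        self.max_incomplete_low, self.max_incomplete_high = max_incomplete_low, max_incomplete_high
        self.tcp_max_incomplete = tcp_max_incomplete
        self.blocking_time = blocking_time_min * 60
        self.half_open = OrderedDict()   # (src, sport, dst, dport) -> SYN time, oldest first
        self.recent_syns = deque()       # SYN times seen within the last 60 s
        self.blocked_until = {}          # dst -> time its Blocking Time expires
        self.deleting = False            # True from crossing High until falling below Low

    def half_open_to(self, dst):
        return sum(1 for key in self.half_open if key[2] == dst)

    def syn(self, now, src, sport, dst, dport):
        """Handle a new connection request (SYN); return 'accept' or 'drop'."""
        if self.blocked_until.get(dst, 0) > now:
            return "drop"                          # host is inside its Blocking Time
        while self.recent_syns and now - self.recent_syns[0] >= 60:
            self.recent_syns.popleft()
        self.recent_syns.append(now)
        rate, total = len(self.recent_syns), len(self.half_open)
        # System-wide hysteresis: start deleting above High, stop only once below Low.
        if rate > self.one_minute_high or total > self.max_incomplete_high:
            self.deleting = True
        elif rate < self.one_minute_low and total < self.max_incomplete_low:
            self.deleting = False
        if self.deleting and self.half_open:
            self.half_open.popitem(last=False)     # drop the oldest half-open session
        # Per-host limit (TCP Maximum Incomplete).
        if self.half_open_to(dst) >= self.tcp_max_incomplete:
            if self.blocking_time > 0:
                self.blocked_until[dst] = now + self.blocking_time
                return "drop"                      # refuse until Blocking Time expires
            oldest = next(key for key in self.half_open if key[2] == dst)
            del self.half_open[oldest]             # make room; count never exceeds the limit
        self.half_open[(src, sport, dst, dport)] = now
        return "accept"

    def established(self, src, sport, dst, dport):
        """Final ACK seen: the session is no longer half-open."""
        self.half_open.pop((src, sport, dst, dport), None)


if __name__ == "__main__":
    guard = HalfOpenGuard(tcp_max_incomplete=3, blocking_time_min=1)
    # Constructed burst: five SYNs to one LAN mail server whose ACKs never come.
    for t in range(5):
        print(t, guard.syn(t, "203.0.113.7", 40000 + t, "192.168.10.2", 25))
    print("half-open to 192.168.10.2:", guard.half_open_to("192.168.10.2"))
```

With Blocking Time 0 the fourth and fifth SYNs are still accepted, each evicting the oldest half-open session to the server, so the count stays at the limit; with Blocking Time 1 they are dropped and the host is only reachable again after a minute.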
Chapter 16 Creating Custom Rules

16.1 Rules Overview

Firewall rules are subdivided into "Local Network" and "Internet". By default, the Prestige's stateful packet inspection allows all communications to the Internet that originate from the local network, and blocks all traffic to the LAN that originates from the Internet. You may define additional rules and sets or modify existing ones but please exercise extreme caution in doing so.
5. What computers on the LAN are to be affected (if any)?
6. What computers on the Internet will be affected? The more specific, the better. For example, if traffic is being allowed from the Internet to the LAN, it is better to allow only certain machines on the Internet to access the LAN.

16.2.2 Security Ramifications

Once the logic of the rule has been defined, it is critical to consider the security ramifications created by the rule:

1.
16.3 Connection Direction

This section talks about configuring firewall rules for connections going from LAN to WAN and WAN to LAN in your firewall.

16.3.1 LAN to WAN Rules

The default rule for LAN to WAN traffic is that all users on the LAN are allowed non-restricted access to the WAN. When you configure Policy -> LAN to WAN -> Rules, you in essence want to limit some or all users from accessing certain services on the WAN. See the following figure.
Figure 16-2 WAN to LAN Traffic

16.4 Services Supported

The list box in the Rule Config(uration) screen (see Figure 16-4) displays all services that the Prestige supports. Custom services may also be configured using the Custom Ports function discussed later. Next to the name of the protocol, two fields appear in brackets. The first field indicates the IP port number that defines the service (TCP Port, UDP Port, or ICMP Type).
Table 16-1 Predefined Services

SERVICE
BGP(TCP:179)
BOOTP_CLIENT(UDP:68)
BOOTP_SERVER(UDP:67)
CU-SEEME(TCP/UDP:7648, 24032)
DNS(UDP/TCP:53)
FINGER(TCP:79)
FTP(TCP:20.
16.5 Rule Summary

The fields in the Rule Summary screens are the same for Local Network and Internet, so the discussion below refers to both. Click on Firewall, then Local Network to bring up the following screen. This screen is a summary of the existing rules. Note the order in which the rules are listed.

Special Note: The ordering of your rules is important, as rules are applied in turn.
Table 16-2 Firewall Rules Summary – First Screen

Field           Description                                                                                                                          Option
General
Name            This is the name of the firewall rule set.
Default Permit  The default action for packets not matching the following rules. Should packets that do not match the following rules be blocked or forwarded? Make your choice from the drop down list box.
Log             Check this box to log all matched rules in the ACL default set.
Firewall Rule Summary
Field       Description                                                                                                                                    Option
            section 16.5.1 for more details.
Delete      Press this button to delete an existing firewall rule. Note that subsequent firewall rules move up by one when you take this action.
Move Rule   You may reorder your rules using this function. Select by clicking (in the Firewall Rule Summary box) on the rule you want to move. The ordering of your rules is important as rules are applied in turn.
Figure 16-4 Creating/Editing A Firewall Rule

Table 16-3 Creating/Editing A Firewall Rule

Field                        Description                                                                                                                                                   Option
Source Address               Press SrcAdd to add a new address, SrcEdit to edit an existing one or SrcDelete to delete one. Please see the next section for more information on adding and editing source addresses.   SrcAdd
Destination Address          Press DestAdd to add a new address, DestEdit to edit an existing one or DestDelete to delete one.
Services                     Select a service from the Available Services box on the left, then press >> to select it. The selected service shows up in the Selected Services box on the right. To remove a service, click on it in the Selected Services box on the right, then press <<.
Action for Matched Packets   Should packets that match this rule be blocked or forwarded? Make your choice from the drop down list box. Note that "block" means the firewall silently discards the packet; the sender receives no reset or ICMP error.
Log                          Choose whether to log packets that match this rule, don't match it, both, or neither (see section 15.3.2).
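The following model, added here as an example and not part of the Prestige firmware or ZyXEL's documentation, ties together section 13.4 (stateful inspection) and this section's rule mechanics: rules in a set are tried in order and the first match decides the action; a packet matching no rule gets the set's Default Permit action; replies to a session that was forwarded are passed on the state table alone; and a TCP packet without SYN that belongs to no known session is silently discarded, exactly the stray or spoofed "reply" that stateful inspection exists to stop. The addresses, services and idle timeouts are constructed for the illustration, loosely following the chapter 19 examples.

```python
"""Stateful inspection with ordered rule sets (sections 13.4 and 16.5).
Added example, not ZyXEL code. Addresses, services and timeouts are constructed."""
import ipaddress
from dataclasses import dataclass

IDLE_TIMEOUT = {"TCP": 3600, "UDP": 60, "ICMP": 60}   # seconds, assumed values


def addr_matches(spec, ip):
    """spec: 'any', one address, 'low-high' (range) or 'net/prefix' (subnet)."""
    ip = ipaddress.ip_address(ip)
    if spec == "any":
        return True
    if "-" in spec:
        low, high = (ipaddress.ip_address(s) for s in spec.split("-"))
        return low <= ip <= high
    if "/" in spec:
        return ip in ipaddress.ip_network(spec, strict=False)
    return ip == ipaddress.ip_address(spec)


@dataclass
class Rule:
    src: str
    dst: str
    services: tuple     # ((proto, low_port, high_port), ...); for ICMP the "port" is the type
    action: str         # "forward" or "block"; block means silent discard
    log: bool = False

    def matches(self, pkt):
        return (addr_matches(self.src, pkt["src"]) and addr_matches(self.dst, pkt["dst"])
                and any(p == pkt["proto"] and lo <= pkt["dport"] <= hi
                        for p, lo, hi in self.services))


class RuleSet:
    def __init__(self, rules, default_permit="block"):
        self.rules, self.default_permit = list(rules), default_permit


class StatefulFirewall:
    def __init__(self, lan, lan_to_wan, wan_to_lan):
        self.lan = ipaddress.ip_network(lan)
        self.sets = {"LAN->WAN": lan_to_wan, "WAN->LAN": wan_to_lan}
        self.state = {}     # (proto, src, sport, dst, dport) -> time of last packet
        self.log = []

    @staticmethod
    def _key(pkt):
        sport, dport = (0, 0) if pkt["proto"] == "ICMP" else (pkt["sport"], pkt["dport"])
        return (pkt["proto"], pkt["src"], sport, pkt["dst"], dport)

    def process(self, pkt, now):
        """Return 'forward' or 'block' for one packet."""
        for k in [k for k, t in self.state.items() if now - t > IDLE_TIMEOUT[k[0]]]:
            del self.state[k]                        # idle session timed out
        fwd = self._key(pkt)
        rev = (fwd[0], fwd[3], fwd[4], fwd[1], fwd[2])
        for k in (fwd, rev):
            if k in self.state:                      # belongs to an allowed session
                self.state[k] = now
                return "forward"
        if pkt["proto"] == "TCP" and not pkt.get("syn", False):
            return "block"                           # unsolicited "reply": no session for it
        direction = "LAN->WAN" if ipaddress.ip_address(pkt["src"]) in self.lan else "WAN->LAN"
        ruleset = self.sets[direction]
        action = ruleset.default_permit
        for number, rule in enumerate(ruleset.rules, 1):   # first match wins
            if rule.matches(pkt):
                action = rule.action
                if rule.log:
                    self.log.append((now, direction, number, action, fwd))
                break
        if action == "forward":
            self.state[fwd] = now                    # from now on replies pass
        return action


# Rule sets modelled on the chapter 19 examples (constructed addresses).
MAIL, PROXY, FTP_SRV = "192.168.10.2", "192.168.10.4", "192.168.10.3"
LAN_TO_WAN = RuleSet([
    Rule(MAIL, "any", (("TCP", 25, 25), ("TCP", 110, 110)), "forward"),
    Rule(PROXY, "any", (("TCP", 80, 80),), "forward"),
])
WAN_TO_LAN = RuleSet([
    Rule("any", "any", (("UDP", 67, 68),), "forward"),               # DHCP with the ISP
    Rule("any", FTP_SRV, (("TCP", 20, 21),), "forward", log=True),   # the FTP hole
])


def demo():
    fw = StatefulFirewall("192.168.10.0/24", LAN_TO_WAN, WAN_TO_LAN)
    out = {"src": MAIL, "sport": 40000, "dst": "203.0.113.5", "dport": 25, "proto": "TCP", "syn": True}
    back = {"src": "203.0.113.5", "sport": 25, "dst": MAIL, "dport": 40000, "proto": "TCP"}
    wan = {"src": "198.51.100.9", "proto": "TCP", "syn": True}
    return {
        "mail_out": fw.process(out, 0),
        "mail_reply": fw.process(back, 1),
        "workstation_web": fw.process({**out, "src": "192.168.10.50", "dport": 80}, 2),
        "ftp_in": fw.process({**wan, "sport": 5000, "dst": FTP_SRV, "dport": 21}, 3),
        "telnet_in": fw.process({**wan, "sport": 5001, "dst": MAIL, "dport": 23}, 4),
        "spoofed_reply": fw.process({**wan, "syn": False, "sport": 25, "dst": MAIL, "dport": 40001}, 5),
        "stale_reply": fw.process(back, 1 + IDLE_TIMEOUT["TCP"] + 1),
        "logged": len(fw.log),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16} {result}")
```

Run it and compare the two "replies": the one that answers a session the LAN opened is forwarded, the one arriving from the WAN with no matching state is blocked even though it claims to come from a mail server. Putting a broad "block HTTP" rule ahead of the proxy rule in LAN_TO_WAN blocks the proxy's web traffic too, which is the ordering caveat the Special Note above makes.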
Figure 16-5 Adding/Editing Source & Destination Addresses

Table 16-4 Adding/Editing Source & Destination Addresses

Field         Description
Address Type  Do you want your rule to apply to packets with a particular (single) IP, a range of IP addresses (e.g., 192.168.1.10 to 192.169.1.
When you have finished, click Apply to save your customized settings and exit this screen, Cancel to exit this screen without saving, or Help for online HTML help on fields in this screen.

16.6 Timeout

The fields in the Timeout screens are the same for Local and Internet networks, so the discussion below refers to both. 16.6.
Figure 16-6 Creating Custom Rules Timeout Screen
Table 16-5 Timeout Menu

Field   Description                                                                                                                               Default Value
        This is the length of time the Prestige waits for a TCP session to reach the established state before dropping the session.              30 seconds
        This is the length of time a TCP session remains open after the firewall detects a FIN-exchange (indicating the end of the TCP session).  60 seconds
        This is the length of time of inactivity a TCP connection remains open before the Prestige considers the connection closed.
Chapter 17 Custom Ports

17.1 Introduction

You will need to configure customized ports for services not included in the services provided in the scrolling list box in the screen shown in Figure 16-4. For further information on these services, please read section 16.4. To configure a custom port, click Custom Ports to bring up the following screen.

Figure 17-1

The next table describes the fields in this screen.
Table 17-1 Custom Ports

Field            Description
Customized Services
No               This is the number of your customized port.
Name             This is the name of your customized port.
Protocol         This shows the IP protocol (TCP, UDP or Both) that defines your customized port.
Port             This is the port number or range that defines your customized port.
Add a New Entry  Click this button to create a new service (custom port).
Edit             Click this button to edit an existing service (custom port).
Figure 17-2 Creating/Editing A Custom Port

The next table describes the fields in this screen.
Table 17-2 Creating/Editing A Custom Port

Field          Description                                                                                                                                    Option
Service Name   Enter a unique name for your custom port.
Service Type   Choose the IP protocol (TCP, UDP or Both) that defines your customized port from the drop down list box.                                         TCP / UDP / Both
Port Configuration
Type           Click the Single radio button to specify one port only, or the Range radio button to specify a span of ports that define your customized service.
Port Number
Chapter 18 Logs

18.1 Log Screen

When you configure a new rule you also have the option to log events that match, don't match (or both) this rule (see Figure 16-4). Click Logs to bring up the next screen. Firewall logs may also be viewed in SMT Menu 21.3 (see section 14.1.1) or via syslog (SMT Menu 24.3.2 - System Maintenance - UNIX Syslog). Syslog is an industry standard protocol used for capturing log information for devices on a network; because the on-board log holds only 128 entries and wraps, sending it to a syslog server is the only way to keep a durable record.
Table 18-1 Log Screen

Field   Description
No.     This is the index number of the firewall log. 128 entries are available, numbered from 0 to 127. Once they are all used, the log wraps around and the old logs are lost.
Time    This is the time the log was recorded, in the format mm:dd:yy (e.g., Jan 1 70) hh:mm:ss. You must configure Menu 24.10 for real time; otherwise you get the uptime-based time shown in these examples.
When you have finished viewing this screen, click another link to exit.
Chapter 19 Example Firewall Rules

19.1 Examples

Please note that whenever you open a hole in the firewall to forward a service from the Internet to the local network, and NAT is also enabled, you may also have to configure a server behind NAT using SMT menu 15.2. Please see the chapter on NAT for more detailed information on NAT and also see Figure 14-5 for a view of how Filtering, the Firewall and NAT interact. 19.1.
Check here to activate the firewall. You may also activate the firewall in SMT menu 21.2.

Figure 19-1 Activate The Firewall

Step 2. Now we configure our E-mail screen as follows. Click the E-Mail tab to bring up the next screen.
Step 3. Enter 10.100.1.2, the IP address of the mail server, here.
Step 4. Enter a subject for these e-mails here.
Step 5. This is where we send the alerts.
Step 6. We want to send an alert at this time.

Figure 19-2 Example 1 – E-Mail Screen

Now we configure our firewall rule as shown in the following screen. The default firewall blocks all Internet traffic entering our local network, but we want to create a hole for web service from the Internet.
This is an Internet to Local Network rule. Click DestAdd to configure the destination address as the IP of our server on the LAN. See the next screen. Select this service (web service) from the Available Services list box and click >>. We want to forward the packet when it matches this rule (remember the default is to block all packets from the Internet), log packets that match this rule and send alerts when this happens.
10.100.1.2 is the IP of our server on the LAN (supporting FTP, HTTP, Telnet and mail services) to which we wish to forward traffic originating from the Internet.
We choose to block packets that don't match the rules specified below. We want a log of packets that match this rule in the ACL Default Set. The first rule is a default rule to allow DHCP negotiation between the ISP and the P312. The second rule is what we configured in the last 2 screens. See Table 16-2 for a detailed explanation of each field.

Figure 19-5

Click Apply in this screen when you have finished configuring to save your configuration back to the Prestige.
Step 1. First we want to send alerts when there is an attack. Go to the Attack Alert screen (click Configuration, then the Attack Alert tab) shown next. Check this box to send alerts when there is an attack.

Figure 19-6 Send Alerts When Attacked

Step 2. Configure the E-Mail screen as shown in example 1 – our mail server's IP is 192.168.10.2.
Step 3. Now we want to restrict access to the Internet except for the HTTP proxy server and our mail server.
Type a name for this custom port and select TCP service. Click Single and enter a port number of 110. Click Apply when you've finished.

Figure 19-7 Configuring A POP Custom Port

Step 4. Now, we will create rules to block all outgoing traffic (from the local network to the Internet) except for traffic originating from the HTTP proxy server and our mail server. Click Local Network to see the Rule Summary screen for LAN to WAN traffic (the resulting screens are Figure 19-8 and Figure 19-9).
Step 5. Now click an available No.
This is the IP of our mail server. We select these mail services. Note that our customized service has an "*" before the name to distinguish it as such. We want to forward packets that match these rules.

Step 6. Click Apply when finished.

Figure 19-8 Example 2 - Local Network Rule 1 Configuration

Step 7. Similarly configure another local network to Internet rule allowing traffic from our web (HTTP) proxy server. The Rule Summary screen should look like Figure 19-9.
Check this box to log all matched rules in the ACL Default Set. Rule 1 forwards SMTP and POP traffic from our mail server and Rule 2 forwards HTTP traffic from the proxy web server. We don't want a log. Don't forget to click Apply to save your settings back to the Prestige.

Figure 19-9 Example 2 - Local Network Rule Summary

Step 8.
Step 9. Now we want an FTP server (IP of 192.168.10.3) to be accessible from the Internet.
We want to block all other WAN to LAN traffic. This is the IP of our FTP server to which we want to forward traffic from the Internet. Click Apply to save your settings back to the Prestige.

Figure 19-10 Example 2 - Internet to Local Network Rule Summary

19.1.3 Example 3: DHCP Negotiation and Syslog Connection from the Internet

The following are some Internet firewall rules examples to:

1. Allow DHCP negotiation between the ISP and the P312.
2.
Custom ports show up with an "*" before their names in the Services list box and the Rule Summary list box. Click Apply after you've created your custom port.

Figure 19-11 Custom Port for Syslog

Step 2. Follow the procedures outlined in the previous examples to configure all your rules. When finished, your rule summary screen should look like the following.
This is the address range of the syslog servers. This is our Syslog custom port. Click Apply when finished.
Rule 1: Allow DHCP negotiation between the ISP and the P312.
Rule 2: Allow a syslog connection from the WAN.

Click Apply to save your settings back to the Prestige.
Chapter 20 Content Filtering

The Prestige can block web features such as ActiveX controls, Java applets and cookies, as well as disable web proxies. The Prestige can also block specific URLs by using the keyword feature. Please note that content filtering means the ability to block certain web features or specific URLs and should not be confused with packet filtering via SMT menu 21.1.

20.1 Restrict Web Features

20.1.
20.1.3 Cookies

Cookies are used by Web servers to track usage. Cookies provide service based on ID. Unfortunately, cookies can be programmed not only to identify the visitor to the site, but also to track that visitor's activities. Because they represent a potential loss of privacy, some people may choose to block cookies.

20.1.4 Web Proxy

When a proxy server is located on the WAN it is possible for LAN users to circumvent content filtering by pointing to this proxy server.
Figure 20-1 Content Filtering Screen

Table 20-1 Content Filtering Fields

Field                  Description
Restrict Web Features  Check the box(es) to restrict that feature. When you download a page containing a restricted feature, that part of the web page will appear blank or grayed out.
Block Web URLs         Enter a domain name as discussed above, then press Add Domain Name. The page reloads and the new domain name appears in the Block Web URLs box.
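The following function, added here as an example and not part of the Prestige firmware or ZyXEL's documentation, makes the content-filter decision for one HTTP request the way this chapter describes it: a case-insensitive keyword match on the requested host and path (the Block Web URLs list), an optional block on proxy-style requests (section 20.1.4, where a browser pointed at a WAN proxy sends the full URL in the request line instead of a plain path), and optional stripping of the Cookie header (section 20.1.3). The blocked keywords and the requests are constructed; real deployments should expect the host to arrive with mixed case and a port suffix, both handled below.

```python
"""Content-filter decision for one HTTP request (added example, not ZyXEL code)."""
from urllib.parse import urlsplit


def inspect_request(raw, blocked_keywords, block_proxy=True, block_cookies=False):
    """Return (action, reason, request_to_forward); action is 'forward' or 'block'."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    # A browser configured to use a proxy puts the whole URL in the request line.
    if target.startswith(("http://", "https://")):
        parts = urlsplit(target)
        if block_proxy:
            return "block", f"proxy request to {parts.hostname}", None
        host, path = parts.hostname or "", parts.path or "/"
    else:
        host, path = headers.get("host", "").split(":")[0], target   # drop ":port"
    host = host.lower()

    # Keyword match on host and path, as the Block Web URLs feature describes.
    for keyword in blocked_keywords:
        keyword = keyword.lower()
        if keyword in host or keyword in path.lower():
            return "block", f"keyword {keyword!r} matched", None

    if block_cookies and "cookie" in headers:
        header_lines = [h for h in header_lines if not h.lower().startswith("cookie:")]
        raw = "\r\n".join([request_line, *header_lines]) + "\r\n\r\n" + body
    return "forward", "no match", raw


def classify(requests, blocked, **options):
    return {name: inspect_request(req, blocked, **options)[0] for name, req in requests.items()}


# Constructed requests: a direct fetch, the same page fetched via a WAN proxy
# (the bypass in 20.1.4), a blocked host written with odd case and a port, and
# a blocked keyword appearing only in the path.
REQUESTS = {
    "direct": "GET /news HTTP/1.1\r\nHost: www.example.com\r\nCookie: id=1\r\n\r\n",
    "via_proxy": "GET http://www.example.com/news HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "blocked_host": "GET / HTTP/1.1\r\nHost: Ads.Example.NET:8080\r\n\r\n",
    "blocked_path": "GET /files/casino.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
}
BLOCKED = ["ads.example.net", "casino"]

if __name__ == "__main__":
    for name, action in classify(REQUESTS, BLOCKED).items():
        print(f"{name:13} {action}")
```

Note that with block_proxy=False the proxied request to www.example.com is forwarded exactly like the direct one: the proxy bypass is only closed when the Web Proxy restriction is on.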
Troubleshooting, Appendices, Glossary and Index Part V: Troubleshooting, Appendices, Glossary and Index Chapter 21 provides information about solving common problems, followed by some Appendices, a Glossary of Terms and an Index.
Chapter 21 Troubleshooting

This chapter covers the potential problems you may run into and the possible remedies. After each problem description, some instructions are provided to help you to diagnose and to solve the problem. Please see our supporting disk for further information. 21.
21.2 Problems with the LAN Interface

Table 21-2 Troubleshooting the LAN Interface

Problem                                Corrective Action
Can't ping any workstation on the LAN  Check the 10M/100M LEDs on the front panel. One of these LEDs should be on. If they are both off, check the cables between your Prestige and the hub or the station. Verify that the IP address and the subnet mask are consistent between the Prestige and the workstations.

21.
21.4 Problems with Internet Access

Table 21-4 Troubleshooting Internet Access

Problem                      Corrective Action
Cannot access the Internet.  Connect your Cable/xDSL modem to the Prestige using the appropriate cable. Check with the manufacturer of your Cable/xDSL modem about the cable requirement, because some modems require a crossover cable and others a regular patch cable. Verify your settings in Menu 3.2 and Menu 4.

21.
Appendix A PPPoE

PPPoE in Action

An ADSL modem bridges a PPP session over Ethernet (PPP over Ethernet, RFC 2516) from your PC to an ATM PVC (Permanent Virtual Circuit) which connects to an xDSL Access Concentrator where the PPP session terminates (see the next figure). One PVC can support any number of PPP sessions from your LAN. PPPoE provides access control and billing functionality in a manner similar to dial-up services using PPP.
How PPPoE Works

The PPPoE driver makes the Ethernet appear as a serial link to the PC and the PC runs PPP over it, while the modem bridges the Ethernet frames to the Access Concentrator (AC). Between the AC and an ISP, the AC acts as an L2TP (Layer 2 Tunneling Protocol) LAC (L2TP Access Concentrator) and tunnels the PPP frames to the ISP. The L2TP tunnel is capable of carrying multiple PPP sessions.
Appendix B PPTP

What is PPTP?

PPTP (Point-to-Point Tunneling Protocol) is a Microsoft proprietary protocol (RFC 2637 for PPTP is informational only) to tunnel PPP frames. How can we transport PPP frames from a PC to a broadband modem over Ethernet? A solution is to build PPTP into the ANT (ADSL Network Termination) where PPTP is used only over the short haul between the PC and the modem over Ethernet.
PNS and the PAC must have IP connectivity; however, the PAC must in addition have dial-up capability. The phone call is between the user and the PAC and the PAC tunnels the PPP frames to the PNS. The PPTP user is unaware of the tunnel between the PAC and the PNS. Microsoft includes PPTP as a part of the Windows OS.
Appendix C Hardware Specifications

Power Specification               I/P AC 120V / 60Hz; O/P DC 12V 1200 mA
MTBF                              100000 hrs
Operation Temperature             0°C ~ 40°C
Ethernet Specification for WAN    10Mbit Half Duplex
Ethernet Specification for LAN    10/100 Mbit Half / Full Auto-negotiation
Console Port                      RS-232: Pin 1 = NON; Pin 2 = DTE-RXD; Pin 3 = DTE-TXD; Pin 4 = DTE-DTR; Pin 5 = GND; Pin 6 = DTE-DSR; Pin 7 = DTE-RTS; Pin 8 = DTE-CTS; Pin 9 = NON.
Appendix D Important Safety Instructions

The following safety instructions apply to the Prestige:

1. Be sure to read and follow all warning notices and instructions.
2. The maximum recommended ambient temperature for the Prestige is 40°C (104°F). Care must be taken to allow sufficient air circulation or space between units when the Prestige is installed inside a closed rack assembly.
Appendix E Firewall CLI Commands

The following table describes the syntax used to configure your firewall using Command Line Interface (CLI) commands. Select option 24.8 Command Interpreter Mode from the Main Menu to go into CLI mode. For details on other CLI commands to configure your Prestige, please consult the supporting CD.
CLI Syntax                             Description
config edit firewall e-mail email-to   Edits the mail address to which you want the alert sent
config edit firewall e-mail policy     Edits whether the current firewall traffic log contents are sent through e-mail when the log is full, hourly, daily, or weekly.
CLI Syntax                                   Description
config edit firewall set default-permit      Edits whether a packet is dropped or allowed through when it does not meet a rule within the set
config edit firewall set icmp-timeout        Edits the time limit, in seconds, for an idle ICMP session before it is terminated
config edit firewall set udp-idle-timeout    Edits the time limit, in seconds, for an idle UDP session before it
CLI Syntax                                      Description
config edit firewall set rule srcaddr-subnet    Selects and edits the source address and subnet mask of traffic that matches this rule
config edit firewall set rule srcaddr-range     Selects and edits the source address range of traffic that matches this rule
config edit firewall set rule destaddr-single   Selects
Function   CLI Syntax                          Description
Delete     config delete firewall e-mail       Removes all the settings for e-mail alert
           config delete firewall attack       Resets all the settings for attack to the default setting
           config delete firewall set          Removes the specified set from the firewall configuration
           config delete fir ewall set rule    Removes the specified rule in a set from the firewall configuration
Appendix F Power Adapter Specs

AC Power Adapter Specifications

North America

AC Power Adapter model MW48-1201200
Input power: AC 120 Volts / 60 Hz
Output power: DC 12 Volts / 1.2 A
Power consumption: 9 W
Plug: North American standards
Safety standards: UL, CUL (UL 1310, CSA C22.2 No. 233-M91)

AC Power Adapter model AD48-1201200DUY
Input power: AC 120 Volts / 60 Hz
Output power: DC 12 Volts / 1.2 A
Power consumption: 9 W
Plug: North American standards
Safety standards: UL, CUL (UL 1950, CSA C22.
Japan

AC Power Adapter model JOD-48-1124
Input power: AC 100 Volts / 50/60 Hz / 27 VA
Output power: DC 12 Volts / 1.2 A
Power consumption: 9 W
Plug: Japan standards
Safety standards: T-Mark

Australia and New Zealand

AC Power Adapter model AD-1201200DS
Input power: AC 240 Volts / 50 Hz / 0.2 A
Output power: DC 12 Volts / 1.
Glossary of Terms

10BaseT   The 10-Mbps baseband Ethernet specification that uses two pairs of twisted-pair cabling (Category 3 or 5): one pair for transmitting data and the other for receiving data.
ARP   Address Resolution Protocol is a protocol for mapping an Internet Protocol address (IP address) to a physical machine address that is recognized in the local network.
Proof that the information came from the person or location that reportedly sent it.
P312 Broadband Security Gateway Cookie Countermeasures Cracker Cracker Tools Cracking Crossover Ethernet cable Cryptoanalysis A string of characters saved by a web browser on the user's hard disk. Many web pages send cookies to track specific user information. Cookies can be used to retain information as the user browses a web site. For example, cookies are used to 'remember' the items a shopper may have in a shopping cart.
P312 Broadband Security Gateway Digital Signature DNS Domain Name Digital code that authenticates whomever signed the document or software. Software, messages, Email, and other electronic documents can be signed electronically so that they cannot be altered by anyone else. If someone alters a signed document, the signature is no longer valid. Digital signatures are created when someone generates a hash from a message, then encrypts and sends both the hash and the message to the intended recipient.
Events: These are network activities. Some activities are direct attacks on your system, while others might be, depending on the circumstances. Therefore, any activity, regardless of severity, is called an event. An event may or may not be a direct attack on your system.

FAQ (Frequently Asked Questions): FAQs are documents that list and answer the most common questions on a particular subject.
Integrity: Proof that the data is the same as originally intended. Unauthorized software or people have not altered the original information.

internet (lower case i): Any time you connect 2 or more networks together, you have an internet.

Internet (upper case I): The vast collection of inter-connected networks that all use the TCP/IP protocols and that evolved from the ARPANET of the late 60's and early 70's.

as a stream of bits.

Name Resolution: The allocation of an IP address to a host name. See DNS.

NAT: Network Address Translation is the translation of an Internet Protocol address used within one network to a different IP address known within another network - see also SUA.

NDIS; NetBIOS; Network

Plain Text: The opposite of Cipher Text, Plain Text is readable by anyone.

Prestige Web Configurator: This is a web-based Prestige router (not all) configurator that includes an Internet Access Wizard, Advanced and Firewall (not all Prestige models) configurations.

POP: Post Office Protocol. This is a common protocol used for sending, receiving, and delivering mail messages.

Port (H/W): An interface on a computer for connecting peripherals or devices to the computer.

Port

system, meaning that an end-to-end private circuit is established between caller and callee.

Public Key Encryption: System of encrypting electronic files using a key pair. The key pair contains a public key used during encryption, and a corresponding private key used during decryption.

PVC: Permanent Virtual Circuit.

Reconnaissance; RFC; RIP; Router; SAP; SATAN; Server; Shoulder Surfing; SNMP; Snooping; SOCKS

SPAM: Unwanted e-mail, usually in the form of advertisements.

Spoofing: To forge something, such as an IP address. IP Spoofing is a common way for hackers to hide their location and identity.

Technology that allows you to send information that only the server can read. SSL allows servers and browsers to encrypt data as they communicate with each other. This makes it very difficult for third parties to understand the communications.

on a host system. Objects include directories and an assortment of file types, including text files, graphics, video, and audio. A URL is the address of an object that is normally typed in the Address field of a Web browser. The URL is basically a pointer to the location of an object.

VPN: Virtual Private Network. These networks use public connections (such as the Internet) to transfer information.

Vulnerability; WAN; War Dialer; Warez; Wire Tapping; Worm; WWW