ZyXEL Communications ZyXEL ZyWALL IDP 10, User Manual

Page 1: ...ZyWALL IDP 10 Intrusion Detection Prevention Appliance User s Guide Version 1 July 2004 ...

Page 2: ...f ZyXEL Communications Corporation Published by ZyXEL Communications Corporation All rights reserved Disclaimer ZyXEL does not assume any liability arising out of the application or use of any products or software described herein Neither does it convey any license under its patent rights nor the patent rights of others ZyXEL further reserves the right to make changes in any products described her...

Page 3: ...nstructions may cause harmful interference to radio communications If this equipment does cause harmful interference to radio television reception which can be determined by turning the equipment off and on the user is encouraged to try to correct the interference by one or more of the following measures Reorient or relocate the receiving antenna Increase the separation between the equipment and t...

Page 4: ...mpliance with the above conditions may not prevent degradation of service in some situations Repairs to certified equipment should be made by an authorized Canadian maintenance facility designated by the supplier Any repairs or alterations made by the user to this equipment or equipment malfunctions may give the telecommunications company cause to request the user to disconnect the equipment For t...

Page 5: ...under this warranty is the exclusive remedy of the purchaser This warranty is in lieu of all other warranties express or implied including any implied warranty of merchantability or fitness for a particular use or purpose ZyXEL shall in no event be held liable for indirect or consequential damages of any kind of character to the purchaser To obtain the services of this warranty contact ZyXEL s Ser...

Page 6: ... 92806 2001 U S A support zyxel de 49 2405 6909 0 www zyxel de GERMANY sales zyxel de 49 2405 6909 99 ZyXEL Deutschland GmbH Adenauerstr 20 A2 D 52146 Wuerselen Germany 33 0 4 72 52 97 97 FRANCE info zyxel fr 33 0 4 72 52 19 20 www zyxel fr ZyXEL France 1 rue des Vergers Bat 1 C 69760 Limonest France support zyxel es 34 902 195 420 SPAIN sales zyxel es 34 913 005 345 www zyxel es ZyXEL Communicati...

Page 7: ...2 2 Accessing the ZyWALL Web Configurator 2 1 2 3 Navigating the ZyWALL Web Configurator 2 3 2 4 Example Configuration Settings 2 6 General Interface and Remote Management II Chapter 3 General Settings 3 1 3 1 Device 3 1 3 2 Introduction to VLANs 3 2 3 3 Configuring VLAN on the ZyWALL 3 3 Chapter 4 Interface Screens 4 1 4 1 10 100M Auto Sensing Ethernet Ports 4 1 4 2 Configuring Link 4 1 4 3 Steal...

Page 8: ... Password 8 1 8 3 Time and Date 8 2 8 4 Firmware Upload 8 6 8 5 Configuration 8 10 8 6 Restart 8 12 Chapter 9 Command Line Interface Overview 9 1 9 1 Command Syntax Conventions 9 1 9 2 Login 9 2 9 3 Commands 9 2 Appendices Index VI Appendix A Introduction to Intrusions A 1 A 1 Introduction to Ports A 1 A 2 Introduction to Denial of Service A 1 A 3 DoS Examples A 1 A 4 Scanning A 3 A 5 Malicious Pr...

Page 9: ...yWALL Policy Check 4 3 Figure 4 4 Interface Policy Check 4 4 Figure 5 1 Remote Management WWW 5 1 Figure 5 2 SNMP Management Model 5 2 Figure 5 3 Remote Management SNMP 5 4 Figure 5 4 SSH Communication Example 5 5 Figure 5 5 How SSH Works 5 5 Figure 5 6 Remote Management SSH 5 6 Figure 5 7 PuTTY settings 5 7 Figure 5 8 PuTTY Security Alert 5 7 Figure 5 9 ZyWALL Command Interface Login Screen 5 8 F...

Page 10: ... 1 Figure 7 2 Report E Mail 7 3 Figure 7 3 Report syslog 7 4 Figure 7 4 Alarm 7 5 Figure 8 1 Maintenance Password 8 1 Figure 8 2 Debug Mode Reset Example 8 2 Figure 8 3 Maintenance Time Setting 8 4 Figure 8 4 Synchronization in Process 8 6 Figure 8 5 Synchronization is Successful 8 6 Figure 8 6 Synchronization Fail 8 6 Figure 8 7 Maintenance F W Upload 8 7 Figure 8 8 Firmware Upload in Progress 8 ...

Page 11: ...nt SSH 5 6 Table 6 1 Policy Severity 6 12 Table 6 2 Policy Actions 6 13 Table 6 3 Selecting Pre defined Policies 6 15 Table 6 4 Pre defined IDP Policies 6 18 Table 6 5 Update Policies 6 20 Table 6 6 User defined Policies 6 21 Table 6 7 Configuring a User defined IDP Policy 6 25 Table 6 8 Registering ZyWALL 6 29 Table 7 1 View Log 7 2 Table 7 2 Report E Mail 7 3 Table 7 3 Report syslog 7 4 Table 7 ...

Page 12: ...uct page at www zyxel com for information on product certifications ZyXEL Glossary and Web Site Please refer to www zyxel com for an online glossary of networking terms and additional support documentation Syntax Conventions This manual will refer to the ZyWALL IDP 10 Intrusion Detection Prevention Appliance simply as the ZyWALL The version number on the title page is the latest firmware version t...

Page 13: ...s for improvement to techwriters zyxel com tw or send regular mail to The Technical Writing Team ZyXEL Communications Corp 6 Innovation Road II Science Based Industrial Park Hsinchu 300 Taiwan Thank you Graphics Icon Key ZyWALL IDP Modem Notebook Computer Computer Server Firewall Router Switch Intrusion source Blocked intrusion Security hole ...

Page 14: ...Getting Started I P Pa ar rt t I I Getting Started This part introduces intrusions ZyWALL features applications and the web configurator ...

Page 15: ...e detailed information on intrusions intrusion examples and detection types The ZyWALL is an Intrusion Detection and Prevention IDP Appliance designed to protect against network based intrusions The ZyWALL functions as a transparent plug and play bridge designed to protect networks from intrusions while allowing safe Internet access The ZyWALL comes with a built in signature set that can be regula...

Page 16: ...s based on exceeding statistical thresholds such as abnormal port scan probes o Pattern Matching where a signature database identifies malicious code strings in packets o Protocol Anomaly Detection based on RFC protocol violations o Traffic flow anomalies where certain applications such as peer to peer applications for example are defined as abnormal and therefore an intrusion o Stateful pattern m...

Page 17: ...rewall or switch to protect the DMZ servers from intrusions from the local network due to an infected LAN computer for example or ideally install one in front of the firewall and two others behind the firewall In installation example 1 Figure 1 2 the ZyWALL A protects the firewall router B DMZ servers and LAN computers from network intrusions from the Internet However it does not protect the DMZ s...

Page 18: ... ZyWALL A protects the LAN from intrusions from the Internet and the DMZ servers from intrusions from the LAN and vice versa The ZyWALL itself receives firewall protection too However it does not protect the firewall B nor the DMZ servers from intrusions from the Internet Figure 1 3 Installation Example 2 ...

Page 19: ... ZyWALL A protects the DMZ servers from intrusions from the Internet and also from intrusions from the LAN and vice versa The ZyWALL itself receives firewall protection too However it does not protect the LAN computers nor the firewall B from intrusions from the Internet Figure 1 4 Installation Example 3 ...

Page 20: ...re 1 5 ZyWALLs A1 and A3 protect the LAN and DMZ from intrusions from the Internet and from each other ZyWALLs A1 and A3 also receive firewall protection ZyWALL A2 protects the firewall B DMZ servers and LAN However ZyWALL A2 does not receive firewall protection Figure 1 5 Installation Example 4 ...

Page 21: ...cript enabled It is recommended that you set your screen resolution to 1024 by 768 pixels The screens you see in the web configurator may vary somewhat from the ones shown in this document due to differences between individual firmware versions 2 2 Accessing the ZyWALL Web Configurator 1 Make sure your ZyWALL hardware is properly connected and prepare your computer computer network to connect to t...

Page 22: ... 2 Login Screen 4 You should see a screen asking you to change your password highly recommended as shown next Type a new password and retype it to confirm and click Apply or click Ignore Figure 2 3 Change Password Screen 5 You should now see the HOME screen see Figure 2 4 ...

Page 23: ...top right corner of most screens to view online help You can configure the ZyWALL s IP address in order to access it for management All LAN WAN DNZ and WLAN ports act as a hub and share the same IP address Figure 2 4 Web Configurator HOME Screen The following table describes the labels in this screen Use submenus to configure ZyWALL features Click MAINTENANCE to view information about your ZyWALL ...

Page 24: ...ws the amount of flash non volatile memory used by the ZyWALL The bar displays what percentage of disk space is in use The bar is green when less than 70 is in use and red when more than 70 is in use The second number shows the total available disk space in megabytes Current TCP Session This field displays number of TCP sessions currently established Policy Number This field displays the number of...

Page 25: ...LL SNMP Use this screen to configure Simple Network Management Protocol SNMP ZyWALL management SSH Use this screen to configure through which interface s and from which IP address es users can use Secure Shell to manage the ZyWALL IDP Pre defined All pre defined IDP policies are already stored in the ZyWALL by default Use this screen to see all pre defined policies or search fro specific ones Upda...

Page 26: ...e shows an example setup for your ZyWALL In this setup the ZyWALL is behind a NAT router or firewall and is given a private IP address The gateway is also in a private network The LAN and WAN ports are both in stealth mode and remote management is only allowed from the MGMT port Table 2 3 Example Configuration Settings ZyWALL Settings IP Address 10 10 1 1 private IP address Subnet Mask 255 255 255...

Page 27: ...General Interface and Remote Management II P Pa ar rt t I II I General Interface and Remote Management This part covers configuration of the General Interface and Remote Management screens ...

Page 28: ......

Page 29: ...es relate to the e mail syslog and SNMP functions of the ZyWALL The DNS server maps a domain name to its corresponding IP address and vice versa If you configure a DNS server you can enter an IP address or domain name for e mail syslog etc servers If you change the ZyWALL IP address you will need to access it again using the new IP address To change your ZyWALL s network settings click GENERAL the...

Page 30: ... to VLANs A VLAN Virtual Local Area Network allows a physical network to be partitioned into multiple logical networks Devices on a logical network belong to one group A device can belong to more than one group With VLAN a device cannot directly talk to or hear from devices that are not in the same group s the traffic must first go through a router VLAN increases network performance by limiting br...

Page 31: ...eiving tagged or untagged frames The ZyWALL does not alter the VLAN ID of a frame if it is already tagged however when an untagged frame enters the ZyWALL it can If VLAN tagging is enabled then the frame is transmitted as a tagged frame with the VLAN ID you assign here otherwise it is transmitted as an untagged frame VLAN on the ZyWALL is for management functions of the ZyWALL If your management c...

Page 32: ...erform the action dictated by the rule for that type of intrusion block log drop send an alarm Monitor Monitor means the ZyWALL will function as a traditional IDS Intrusion Detection System by identifying suspicious or malicious packets and then sending alerts only Monitor state may be advisable when you first deploy the ZyWALL in your network so valid traffic is not blocked false positives nor in...

Page 33: ...hen auto negotiation is turned on the Ethernet port of the ZyWALL negotiates with the peer Ethernet port on the Ethernet cable automatically to determine the optimal connection speed and duplex mode If the peer Ethernet port does not support auto negotiation or turns off this feature the ZyWALL determines the connection speed by detecting the signal on the cable and using half duplex mode When the...

Page 34: ...port with no response to the sender The ZyWALL doesn t respond to ICMP requests such as Ping that is it doesn t send ICMP_ECHO_REPLY packets It doesn t send TCP_RST packets if a TCP connection is blocked nor does it send ICMP_PORT UNREACHABLE packets for UDP requests or forwarded traffic Replies to outgoing traffic from the ZyWALL are also not allowed When a port is in stealth mode you cannot do r...

Page 35: ...tion example 4 you might apply policy checking on the LAN only By selecting one interface instead of both the default ZyWALL throughput will increase Figure 4 3 ZyWALL Policy Check 4 4 1 Policy Direction Do not confuse policy check with a policy rule direction see the IDP pre defined and user defined policy screens that refers to the intent of the policy rules both pre defined and user defined Inc...

Page 36: ...o have the ZyWALL check traffic coming into the WAN and out through the LAN against the ZyWALL policy rules both pre defined and user defined LAN Port Select ON to have the ZyWALL check traffic coming into the LAN and out through the WAN against the ZyWALL policy rules both pre defined and user defined Apply Click this button to save your changes back to the ZyWALL Reset Click this button to begin...

Page 37: ...over LAN or WAN will not work when there is already another remote management session of the same type web or SSH running You may only have one remote management session of the same type running at one time 5 1 1 Remote Management and Stealth If you enable Stealth on a port you cannot perform remote management via that port 5 2 Configuring WWW Click Remote Management to open the following screen W...

Page 38: ...o access the ZyWALL using this service Choose Selected to just allow the computer with the IP address that you specify to access the ZyWALL using this service Apply Click this button to save your changes back to the ZyWALL Reset Click this button to begin configuring this screen afresh 5 3 SNMP Simple Network Management Protocol is a protocol used for exchanging management information between netw...

Page 39: ...tocol operations Get Allows the manager to retrieve an object variable from the agent GetNext Allows the manager to retrieve the next object variable from a table or list within an agent In SNMPv1 when a manager wants to retrieve all elements of a table from an agent it initiates a Get operation followed by a series of GetNext operations Set Allows the manager to set values for object variables wi...

Page 40: ... ZyWALL using this service Define the rule for server access by selecting from the drop down menu Options are LAN MGMT WAN MGMT MGMT ALL and Disable Secure Client IP Address A secure client is a trusted computer that is allowed to communicate with the ZyWALL using this service Select All to allow any computer to access the ZyWALL using this service Choose Selected to just allow the computer with t...

Page 41: ...ype of encryption method to use Figure 5 5 How SSH Works 3 Authentication and Data Transmission After the identification is verified and data encryption activated a secure tunnel is established between the client and the server The client then sends its authentication information user name and password to the server to log in to the server 5 4 2 SSH Implementation on the ZyWALL Your ZyWALL support...

Page 42: ... allowed to communicate with the ZyWALL using SSH Select Selected or All If you choose Selected you must enter an IP address in the field provided The ZyWALL will check if the client IP address matches the value here when an SSH session is up If it does not match the ZyWALL will disconnect the session immediately Select All if you want to allow computers with any IP address to access the ZyWALL vi...

Page 43: ...ttings 4 You may see a PuTTY security alert next Click Yes to continue Figure 5 8 PuTTY Security Alert 5 You see the login screen of the ZyWALL next Enter the username default is admin and password default is 1234 to log in Enter the IP address of the ZyWALL Click Open ...

Page 44: ...ZyWALL IDP 10 User s Guide 5 8 Remote Management Figure 5 9 ZyWALL Command Interface Login Screen ...

Page 45: ...IDP III P Pa ar rt t I II II I IDP This part covers configuration of the IDP Policy screens ...

Page 46: ......

Page 47: ...ady been ordered for you and cannot be re ordered User defined rules are checked before pre defined rules The total number of pre defined and user defined rules maximum 128 rules permitted allowed on the ZyWALL is 3 000 The ZyWALL cannot check encrypted traffic such as VPN tunnel traffic There is a log entry every hour that shows how many encrypted packets have passed through the ZyWALL in one hou...

Page 48: ...ules 6 3 1 P2P Peer to peer P2P is where computing devices link directly to each other and can directly initiate communication with each other they do not need an intermediary A device can be both the client and the server In the ZyWALL P2P refers to peer to peer applications such as e Mule e Donkey BitTorrent iMesh etc To find a list of all peer to peer signatures supported by the ZyWALL do a pol...

Page 49: ...f all IM signatures supported by the ZyWALL do a policy search by name IM or chat or policy query by type IM The following screen shows some IM signatures supported by the ZyWALL at the time of writing Figure 6 2 IM Chat Signatures 6 3 3 SPAM Spam is unsolicited junk e mail sent to large numbers of people to promote products or services To find a list of all spam signatures supported by the ZyWALL...

Page 50: ...tack is one in which multiple compromised systems attack a single target thereby causing denial of service for users of the targeted system To find a list of all Denial of Service or Distributed Denial of Service signatures supported by the ZyWALL do a policy search by name DoS or policy query by type DoS DDoS The following screen shows some of the DoS DDoS signatures supported by the ZyWALL at th...

Page 51: ...ing Figure 6 5 Scan Signatures 6 3 6 Buffer Overflow A buffer overflow occurs when a program or process tries to store more data in a buffer temporary data storage area than it was intended to hold The excess information can overflow into adjacent buffers corrupting or overwriting the valid data held in them Intruders could run codes in the overflow buffer region to obtain control of the system in...

Page 52: ...ram that is designed to copy itself from one computer to another on a network A worm s uncontrolled replication consumes system resources thus slowing or stopping other tasks To find a list of all virus worm related signatures supported by the ZyWALL do a policy search by name or policy query by type Virus Worm The following screen shows some of the virus worm related signatures supported by the Z...

Page 53: ... a program online service or an entire computer system A Trojan horse is a harmful program that s hidden inside apparently harmless programs or data To find a list of all backdoor Trojan related signatures supported by the ZyWALL do a policy search by name or policy query by type Backdoor Trojan The following screen shows some of the backdoor Trojan related signatures supported by the ZyWALL at th...

Page 54: ... Access control is used typically to control user access to network resources such as servers directories and files To find a list of all access control related signatures supported by the ZyWALL do a policy search by name or policy query by type Access Control The following screen shows some of the access control related signatures supported by the ZyWALL at the time of writing ...

Page 55: ...k signatures refer to attacks on web servers such as IIS To find a list of all web attack related signatures supported by the ZyWALL do a policy search by name or policy query by type Web Attack The following screen shows some of the web attack related signatures supported by the ZyWALL at the time of writing ...

Page 56: ...n certain pornographic words It cannot block web pages containing those words if the associated URL does not To find a list of all porn related signatures supported by the ZyWALL do a policy search by name or policy query by type Porn The following screen shows some of the porn related signatures supported by the ZyWALL at the time of writing ...

Page 57: ...tures for attacks that do not fall into the previously mentioned categories To find a list of all others related signatures supported by the ZyWALL do a policy search by name or policy query by type Others The following screen shows some of the others related signatures supported by the ZyWALL at the time of writing ...

Page 58: ... traffic High 4 These are known serious vulnerabilities or intrusions that are probably not false alarms The default action for this level of intrusion is to block the traffic Medium 3 These are medium threats access control intrusions or intrusions that could be false alarms The default action for this level of intrusion is to log the traffic Low 2 These are mild threats or intrusions that could ...

Page 59: ... if the Alarm check box is selected Log Block Connection The packet is marked as an intrusion a log is recorded and the whole TCP connection session is blocked including subsequent TCP packets belonging to the same connection with both sender and receiver being sent TCP RST packets An alarm may also be sent if the Alarm check box is selected Log Drop Packet Block Connection The packet is marked as...

Page 60: ...ZyWALL IDP 10 User s Guide 6 14 IDP Policies Figure 6 13 Pre defined IDP Policies Summary ...

Page 61: ...be fulfilled before a match is deemed found Logical OR means that at least one of the criteria must be fulfilled before a match is deemed found By Severity Select one item or hold the CTRL key to select multiple items See Table 6 1 for more information on policy severity By Operating System This search category finds policies that were intended to defend specific operating systems due to the intru...

Page 62: ...r a rule match See Table 6 2 for details on actions You can change the specified default action for pre defined rules After you apply these changes your specified actions for pre defined rules remain in effect even after you update new rules or change modes Inline to Monitor and back to Inline again An alarm is also an action to be taken on the policy but you must select the Alarm checkbox to have...

Page 63: ...reen shows severe and high impact DoS DDoS policies for intrusions that exploit vulnerabilities on Windows 2000 and Windows XP computers Use the CTRL key to select multiple items If the query finds more polices than one page can display then click Query again to display the next page Figure 6 15 Query Example ...

Page 64: ...isable a group of policies by severity see Table 6 1 operating system or signature category P2P IM or SPAM see section 6 3 Attack Group Select Enable to enable all policies that meet the following criteria Severity If ALL is cleared not selected you may choose to enable or disabled policies based on their seriousness pre determined by the IDP policy engineering team See also Table 6 1 Operation Lo...

Page 65: ...es back to the ZyWALL Cancel Click this button to close this screen without saving any changes 6 5 Update The ZyWALL comes with a pre defined set of policies that can be regularly updated Regular updates are vital as new intrusions evolve Use the Update screen to immediately download or schedule pre defined new policy downloads You should have already registered the ZyWALL see the Registration scr...

Page 66: ...creen without saving any changes 6 6 User defined Policies You need some knowledge of packet header types and OSI Open System Interconnection to create your own User defined rules Rule ordering is important as rules are applied in turn You can order user defined rules as you wish User defined rules are checked before pre defined rules The total number of pre defined and user defined rules allowed ...

Page 67: ...le Path Save the file with the user defined rules you want to import to your computer first Then type the file path and name in the text box or click Browse to find it on your computer and finally click Import to import the file You can import up to a maximum of 128 rules as long as the total pre defined and user defined number of rules does not exceed 3 000 User defined rules of the same name are...

Page 68: ...ou configured for this intrusion type Direction A policy rule direction refers to the intent of the policy rule o Incoming means the policy applies to traffic coming from the WAN to the LAN o Outgoing means the policy applies to traffic coming from the LAN to the WAN o Bidirectional means the policy applies to traffic coming from and going to either direction Action This field defines the action t...

Page 69: ...el type the index number it should be moved to in the second textbox and then click Move to rearrange this rule Rule ordering is important as rules are applied in turn Apply Click this button to save your changes back to the ZyWALL 6 6 1 Configuring a User defined IDP Policy All policy attributions have a logical AND relationship that is all policy attributions criteria must be met before a match ...

Page 70: ...ZyWALL IDP 10 User s Guide 6 24 IDP Policies Figure 6 19 Configuring a User defined IDP Policy Policy attributions Packet contents ...

Page 71: ...eriousness of the intrusion for which you re configuring a policy See Table 6 1 as a reference on policy severity Frequency For the protocol defined type how many packets of the type defined received on the ZyWALL per second constitute an intrusion Action Select what the ZyWALL should do in response to detecting packets with the above defined attributes You can choose to drop the packet block the ...

Page 72: ...ports that match Equal don t match Not Equal are greater than or lesser than the port range you type in the From and To text boxes that follows Destination Port Select whether the policy applies to destination ports that match Equal don t match Not Equal are greater than or lesser than the port range you type in the From and To text boxes that follows UDP Header These fields are only editable when...

Page 73: ...oint If Protocol type is IP then the matching starting point is at the end of the layer 3 header otherwise it starts matching from the end of the layer 4 header Matching Depth Matching Depth the length of the payload to search for a match Method Choose from Case sensitive upper case and lower case letters are considered different Case insensitive upper case and lower case letters are considered th...

Page 74: ...in name and password You will need a valid e mail address to which a subscription code is sent that validates your e mail address and login name password 3 Register your ZyXEL product for example the ZyWALL IDP 10 You will need the product serial number and authentication code product MAC address which should be found on a label in the package that contained the product 4 After you have registered...

Page 75: ...e the Activation Key and click Apply in this screen It will only display Registered after you paste the Activation Key click Apply in this screen and then update your pre defined policies at updateidp zyxel com or updateidp zyxel com tw Activation Key Paste the generated key as described in step 5 section 6 7 Be careful to avoid pasting trailing spaces Apply Click this button to save your changes ...

Page 76: ...Log and Report IV P Pa ar rt t I IV V Log and Report This part explains how to configure logs setup reports and schedule alarms ...

Page 77: ... in the MAIN MENU of the Web Configurator The log wraps around and deletes the old entries after it fills You can re order the logs according to time generated by clicking the Time column title A triangle indicates the direction of the sort order To configure your ZyWALL s system logs click LOGS in the MAIN MENU of the Web Configurator Figure 7 1 View Log The following table describes the fields i...

Page 78: ...as recorded Time This field displays the date and time the log was recorded Message This field states the reason for the log Source This field lists the source IP address and the port number of the packet that caused the log Destination This field lists the destination IP address and the port number of the packet that caused the log Action This field displays the action taken on the packet that ca...

Page 79: ...should be sent If the When Log is Full option is selected a log is sent as soon as the log fills up Day to report Select which day of the week to send the logs Time to report Type the time of the day in 24 hour format for example 23 00 equals 11 00 PM to send the logs Mail Server Type the IP address or URL of the mail server If this field is left blank reports will not be sent via e mail Your mail...

Page 80: ... Syslog Logging Active Click Active to enable syslog logging Syslog Server Enter the server name or IP address of the syslog server that will log the selected categories of logs Log Facility Select a location from the drop down list box The log facility allows you to log the messages to different files in the syslog server Refer to the documentation of your syslog program for more details 7 3 Alar...

Page 81: ...re sent out Mail Server Type the IP address or URL of the mail server If this field is left blank alarms will not be sent via e mail Your mail server must not request a username or password If it does you must disable this first before using it to send ZyWALL alarms Send From Type the sender e mail address in this field Recipient s Type up to three e mail address es separated by semi colons of peo...

Page 82: ...Maintenance V P Pa ar rt t V V Maintenance CLI This part provides information on how to the ZyWALL maintenance screens and an introduction to the Command Line Interface CLI ...

Page 83: ...ord or the existing password you use to access the system in this field New Password Type your new system password minimum of 1 to 64 printable characters Note that as you type a password the screen displays an asterisk for each character you type Password Confirm Type the new password again in this field Apply Click this button to save your changes back to the ZyWALL Reset Click this button to be...

Page 84: ...efaults while in debug mode Figure 8 2 Debug Mode Reset Example 8 3 Time and Date To change your ZyWALL s time and date click MAINTENANCE then the Time and Date tab The screen appears as shown Use this screen to configure the ZyWALL s time based on your local time zone 8 3 1 Pre defined NTP Time Servers List The ZyWALL uses the following pre defined list of NTP timeservers if you do not specify a ...

Page 85: ...ies to synchronize with it If the synchronization fails then the ZyWALL goes through the rest of the list in order from the first one tried until either it is successful or all the pre defined NTP timeservers have been tried Table 8 2 Default Time Servers ntp1 cs wisc edu ntp1 gbg netnod se ntp2 cs wisc edu tock usno navy mil ntp3 cs wisc edu ntp cs strath ac uk ntp1 sp se time1 stupi se tick stdt...

Page 86: ...me you reload this page the ZyWALL synchronizes the time with the timeserver if configured Current Date This field displays the date of your ZyWALL Each time you reload this page the ZyWALL synchronizes the date with the timeserver if configured Time and Date Setup Manual Select this radio button to enter the time and date manually When you configure a new time and date manually the Time Zone sett...

Page 87: ...Synchronize Now Click this button and wait for one minute to have the ZyWALL get the time and date from a timeserver see the Time Server Address field This also saves your changes including the time server address Time Zone Setup Time Zone This field is only applicable when the ZyWALL gets the time from a timeserver Choose the time zone of the location of the ZyWALL from the drop down list box Thi...

Page 88: ...ssful the following screen appears Click Return to go back to the Time and Date screen Figure 8 6 Synchronization Fail 8 4 Firmware Upload Find firmware at www zyxel com in a file that usually uses the system model name with a bin extension e g zywall bin The upload process uses HTTP Hypertext Transfer Protocol and may take up to two minutes After a successful upload the system will reboot Use the...

Page 89: ...ill restart automatically after a firmware upload is performed Figure 8 7 Maintenance F W Upload Table 8 4 Maintenance F W Upload LABEL DESCRIPTION Local Upgrade File Path Type in the location of the file you want to upload in this field or click Browse to find it ...

Page 90: ...loading and updating firmware Apply Click Apply to save your changes back to the ZyWALL Schedule You need to select Enable in the Auto Download Update field before setting a schedule Check Download Select the day s to check for new firmware downloads Select the time hour and minutes to check for new firmware downloads If there is new firmware found on the specified update server it is downloaded t...

Page 91: ...porary network disconnect In some operating systems you may see the following icon on your desktop Figure 8 9 Network Temporarily Disconnected After two minutes log in again and check your new firmware version in the System Status screen If the upload was not successful the following screen will appear Click Return to go back to the F W Upload screen ...

Page 92: ...Upload Error 8 5 Configuration Use the Configuration screen to backup and restore ZyWALL configuration files or reset to the factory default configuration file The ZyWALL configuration file includes all ZyWALL system settings and user defined rules but NOT pre defined rules ...

Page 93: ...nges The backup configuration file will be useful in case you need to return to your previous settings Click Backup to save the ZyWALL s current configuration to your computer 8 5 2 Restore Configuration Restore Configuration allows you to upload a new or previously saved configuration file from your computer to your ZyWALL Table 8 5 Restore Configuration LABEL DESCRIPTION File Path Type in the lo...

Page 94: ...uick Start Guide for details on how to set up your computer s IP address If the upload was not successful you will see a Restore configuration error screen 8 5 3 Back to Factory Defaults Pressing the Reset button in this section clears all user entered configuration information including user defined rules nut not pre defined rules and returns the ZyWALL to its factory defaults as shown on the scr...

Page 95: ...uter to the console port and use terminal emulation software configured to the following parameters VT100 terminal emulation 9600 bps No parity 8 data bits 1 stop bit No flow control 9 1 Command Syntax Conventions The command keywords are in courier new font 1 There is no command history Previously typed commands are not remembered and must be reentered 2 The command keywords must be entered exact...

Page 96: ...om that port 9 3 Commands The following table lists all of the commands that you can use with the ZyWALL Refer to the Support CD for detailed information on using commands in the command line interface Table 9 1 Commands Summary COMMAND DESCRIPTION Set Log logmax Set the maximum number of logs the device generates every second System passwd value Set up the login password This is same password use...

Page 97: ...n port Interface link wan 10 half full Set up wan port speed 10 at full half duplex 100 half full Set up wan port speed 100 at full half duplex auto half full Enable auto negotiation lan 10 half full Set up lan port speed 10 at full half duplex 100 half full Set up lan port speed 100 atfull half duplex auto half full Enable auto negotiation stealth wan ON OFF Enable disable stealth mode on the wan...

Page 98: ... on LAN MGMT WAN MGMT MGMT ALL Enable remote web access from LAN MGMT WAN MGMT MGMT ONLY ALL port off Disable remote we access acl ip address Set up access control list ip address Get State Get system state Inline Monitor or Bypass Log Get device log System Get system information Time Get device time Interface Get interface information All Get all information Remote Get remote access information R...

Page 99: ...ZyWALL IDP 10 User s Guide CLI Overview 9 5 Table 9 1 Commands Summary COMMAND DESCRIPTION Arp Display address resolution protocol information device MAC address and IP address table ...

Page 100: ...Appendices Index VI P Pa ar rt t V VI I Appendices Index This part provides some adbanced background information on IDP ...

Page 101: ...Buffer Overflow Attacks A buffer overflow occurs when a program or process tries to store more data in a buffer temporary data storage area than it was intended to hold The excess information can overflow into adjacent buffers corrupting or overwriting the valid data held in them Intruders could run codes in the overflow buffer region to obtain control of the system install a backdoor or use the v...

Page 102: ...YN attack floods a targeted system with a series of SYN packets Each packet causes the targeted system to issue a SYN ACK response While the targeted system waits for the ACK that follows the SYN ACK it queues up all outstanding SYN ACK responses on what is known as a backlog queue SYN ACKs are moved off the queue only when an ACK comes back or when an internal timer which is set at relatively lon...

Page 103: ... also employ a technique known as IP spoofing as part of their attack IP spoofing may be used to break into systems to hide the hacker s identity or to magnify the effect of the DoS attack IP spoofing is a technique used to gain unauthorized access to computers by tricking a router or firewall into thinking that the communications are coming from within the trusted network To engage in IP spoofing...

Page 104: ...ram that embeds itself in a legitimate program A file infector is able to copy and attach itself to other programs that are executed on an infected computer Boot Sector Virus This type of virus infects the area of a hard drive that a computer reads and executs during startup The virus causes computer crashes and to some extend renders the infected computer inoperable Macro Virus Macros are small p...

Page 105: ...end an e mail with a readme exe attachment to the addresses in the local Windows address book A user who opens or previews this attachment which is a Web page with the JavaScript propagates the virus further Server administrators should get and apply the cumulative IIS patch that Microsoft has provided for previous viruses and ensure that no one at the server opens e mail You should update your In...

Page 106: ......

Page 107: ...ies of IDP Host IDP and Network IDP B 2 1 Host Intrusions The goal of host based intrusions is to infiltrate files on an individual computer or server in with the goal of accessing confidential information or destroying information on a computer You must install Host IDP directly on the system being protected It works closely with the operating system monitoring and intercepting system calls to th...

Page 108: ...rforms a full protocol analysis decoding and processing the packet in order to highlight anomalies in packet contents This is quicker than doing a search of a signature database It is more flexible in capturing attacks that would be very difficult to catch using pattern matching techniques as well as new variations of old attacks which would require a new signature in the database The protocol dec...

Page 109: ... History no 9 1 Commands Summary 9 2 Community 5 4 configuration file 8 10 8 11 8 12 Daylight Saving 8 5 DDoS A 3 1 2 debug mode 8 1 8 2 9 4 Denial of Service A 1 Direction 6 18 6 24 6 27 DNS server 3 1 3 2 DoS 1 2 Basics A 1 Types A 1 duplex 4 1 4 2 e Donkey 6 2 E MAIL 7 2 E mail virus A 4 e Mule 6 2 encrypted traffic 6 1 6 22 Export 6 25 Factory Defaults 8 12 File Infector A 4 Firmware Upgrade 1...

Page 110: ...5 B 1 Nmap A 4 6 6 NTP Time Servers 8 2 OSI Open System Interconnection 6 1 OSI Open System Interconnection 6 22 Outgoing 6 18 6 24 6 27 Packet Content 6 29 6 30 password 2 1 2 2 2 4 2 5 8 1 8 2 9 2 Password 8 1 Forget 8 1 Pattern Matching 1 2 Ping of Death A 1 Policy Actions 6 15 Types 6 15 Policy check 4 3 Policy Check 2 5 Policy Direction 4 3 Policy Query 6 17 Policy Search 6 17 Policy Severity...

Page 111: ...ort CD 9 1 9 2 SYN Attack A 2 SYN scanning A 4 6 6 SYN ACK A 2 Synchronize 8 5 syslog 2 4 2 5 3 1 3 2 3 3 Syslog 7 4 TCP connect A 4 TCP Header 6 28 TCP IP A 1 TCP_RST 4 2 Teardrop A 1 Terminal emulation 9 1 Terminal Emulation 9 1 Three Way Handshake A 2 Time and Date 8 2 8 4 8 5 8 6 Manual 8 4 Time Protocol 8 3 8 5 Time Zone 8 4 8 5 Traceroute A 3 Trojan horse 6 9 Trojan Horse A 4 1 2 UDP Header ...