ZyXEL Communications Broadband Security Gateway P-312 User Manual

Prestige 312
Broadband Security Gateway
User's Guide
Version 3.20
November 2000


Summary of Contents for ZyXEL Communications Broadband Security Gateway P-312

  • Page 1 Prestige 312 Broadband Security Gateway User’s Guide Version 3.20 November 2000...
  • Page 2 ZyXEL Communications Corporation. Published by ZyXEL Communications Corporation. All rights reserved. Disclaimer ZyXEL does not assume any liability arising out of the application or use of any products, or software described herein.
  • Page 3: FCC Statement

    P312 Broadband Security Gateway Federal Communications Commission (FCC) Interference Statement This device complies with Part 15 of FCC rules. Operation is subject to the following two conditions: This device may not cause harmful interference. This device must accept any interference received, including interference that may cause undesired operations.
  • Page 4: Canadian Users

    Information for Canadian Users The Industry Canada label identifies certified equipment. This certification means that the equipment meets certain telecommunications network protective, operation, and safety requirements. Industry Canada does not guarantee that the equipment will operate to a user's satisfaction. Before installing this equipment, users should ensure that it is permissible to be connected to the facilities of the local telecommunications company.
  • Page 5: Declaration Of Conformity

    EN 61000-4-8; Voltage dips, short interruptions and voltage variations immunity tests EN 61000-4-11. We, the Manufacturer/Importer, ZyXEL Communications Corp., No. 6, Innovation Rd. II, Science-Based Industrial Park, Hsinchu, Taiwan, 300 R.O.C., declare that the product Prestige 312 is in conformity with...
  • Page 6 CE Doc...
  • Page 7 ZyXEL Limited Warranty ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials or workmanship for a period of up to two years from the date of purchase. During the warranty period, and upon proof of purchase, should the product have indications of failure due to faulty workmanship and/or materials, ZyXEL will, at its discretion, repair or replace the defective products or components without charge for either parts or labor, and to whatever extent it shall deem necessary to restore the product or components to...
  • Page 8: Customer Support

    RMA/Repair hotline +49-2405-6909-99 ftp.europe.zyxel.com Regular Mail ZyXEL Communications Corp., 6 Innovation Road II, Science-Based Industrial Park, HsinChu, Taiwan. ZyXEL Communications Inc., 1650 Miraloma Avenue, Placentia, CA 92870, U.S.A. ZyXEL Communications A/S, Columbusvej 5, 2860 Soeborg, Denmark. ZyXEL Communications Services GmbH.,...
  • Page 9: Table Of Contents

    Table of Contents ... ix List of Figures ...xvi List Of Tables ... xxiii Customer Support...viii Preface... xxvii Getting Started ... I Chapter 1 Getting to Know Your Prestige...1-1 The Prestige 312 Broadband Security Gateway ... 1-1 Features of The Prestige 312 ... 1-1 Applications for Prestige 312 ...
  • Page 10 2.10.1 LAN Port Filter Setup ...2-12 Chapter 3 Internet Access ...3-1 TCP/IP and DHCP for LAN ...3-1 3.1.1 Factory LAN Defaults...3-1 3.1.2 IP Address and Subnet Mask ...3-1 3.1.3 Private IP Addresses ...3-2 3.1.4 RIP Setup ...3-2 3.1.5 DHCP Configuration...3-3 3.1.6...
  • Page 11 6.1.4 NAT Mapping Types... 6-2 6.1.5 SUA (Single User Account) Versus NAT ... 6-3 6.1.6 NAT Application ... 6-4 SMT Menus... 6-4 6.2.1 Applying NAT in the SMT Menus... 6-4 6.2.2 Configuring NAT ... 6-6 Address Mapping Sets and NAT Server Sets:... 6-6 NAT Server Sets...
  • Page 12 System Status ...9-2 System Information and Console Port Speed...9-4 9.2.1 System Information ...9-4 9.2.2 Console Port Speed ...9-5 Log and Trace ...9-5 9.3.1 Viewing Error Log ...9-6 9.3.2 UNIX Syslog...9-6 9.3.3 Call-Triggering Packet ...9-10 Diagnostic ...9-10 9.4.1 WAN DHCP ...9-11 Chapter 10 Transferring Files ...10-1...
  • Page 13 12.2 Telnet Under NAT... 12-1 12.3 Telnet Capabilities... 12-1 12.3.1 Single Administrator ... 12-1 12.3.2 System Timeout... 12-2 12.4 Telnet Under the Firewall... 12-2 Firewall and Content Filters...IV Chapter 13 What is a Firewall...13-1 13.1 Types of Firewalls ... 13-1 13.1.1 Packet Filtering Firewalls...
  • Page 14 15.3 E-Mail ...15-3 15.3.1 What are Alerts?...15-3 15.3.2 What are Logs? ...15-4 15.3.3 SMTP Error Messages ...15-6 15.3.4 Example E-Mail Log...15-6 15.4 Attack Alert...15-7 15.4.1 Threshold Values: ...15-8 15.4.2 Half-Open Sessions ...15-8 Chapter 16 Creating Custom Rules...16-1 16.1 Rules Overview...16-1 16.2...
  • Page 15 20.1 Restrict Web Features... 20-1 20.1.1 ActiveX ... 20-1 20.1.2 Java... 20-1 20.1.3 Cookies... 20-2 20.1.4 Web Proxy... 20-2 20.2 Blocking URLs... 20-2 20.3 Content Filtering Using the PWC... 20-2 Troubleshooting, Appendices, Glossary and Index...V Chapter 21 Troubleshooting ...21-1 21.1 Problems Starting Up the Prestige...
  • Page 16: List Of Figures

    Figure 1-1 Secure Internet Access via Cable...1-3 Figure 1-2 Secure Internet Access via DSL...1-4 Figure 2-1 Front Panel...2-1 Figure 2-2 Prestige 312 Rear Panel and Connections...2-2 Figure 2-3 Initial Screen ...2-4 Figure 2-4 Password Screen ...2-5 Figure 2-5 Prestige 312 Main Menu ...2-6 Figure 2-6...
  • Page 17 Figure 4-5 Remote Node Network Layer Options ... 4-8 Figure 4-6 Remote Node Filter (Ethernet Encapsulation)... 4-10 Figure 4-7 Remote Node Filter (PPPoE or PPTP Encapsulation)... 4-10 Figure 5-1 Example of Static Routing Topology ... 5-1 Figure 5-2 Menu 12 - IP Static Route Setup ... 5-2 Figure 5-3 Menu 12.
  • Page 18 Figure 6-22 Example 4- Menu 15.1.1.1 - Address Mapping Rule...6-20 Figure 6-23 Example 4 - Menu 15.1.1 - Address Mapping Rules ...6-20 Figure 7-1 Outgoing Packet Filtering Process ...7-1 Figure 7-2 Filter Rule Process ...7-3 Figure 7-4 Menu 21 –...
  • Page 19 Figure 9-9 Call-Triggering Packet Example ... 9-10 Figure 9-10 Menu 24.4 - System Maintenance - Diagnostic ...9-11 Figure 9-11 WAN & LAN DHCP... 9-12 Figure 10-1 Menu 24.5 - System Maintenance - Backup Configuration ... 10-2 Figure 10-2 Menu 24.6 - System Maintenance - Restore Configuration ... 10-3 Figure 10-3 Menu 24.7 - System Maintenance - Upload Firmware...
  • Page 20 Figure 14-2 Menu 21 - Filter and Firewall Setup ...14-1 Figure 14-3 Menu 21.2 – Firewall Setup ...14-2 Figure 14-4 View Firewall Log ...14-4 Figure 14-5 Big Picture - Filtering, Firewall and NAT...14-6 Figure 15-1 Login screen as seen in Netscape...15-1 Figure 15-2 Prestige Web Configurator Welcome Screen ...15-2 Figure 15-3...
  • Page 21 Figure 19-9 Example 2 - Local Network Rule Summary ... 19-10 Figure 19-10 Example 2 - Internet to Local Network Rule Summary ...19-11 Figure 19-11 Custom Port for Syslog ... 19-12 Figure 19-12 Syslog Rule Configuration ... 19-13 Figure 19-13 Example 3 Rule Summary...
  • Page 23: List Of Tables

    Table 2-1 LED functions ... 2-1 Table 2-2 Main Menu Commands ... 2-5 Table 2-3 Main Menu Summary... 2-6 Table 2-4 General Setup Menu Field... 2-9 Table 2-5 Configure Dynamic DNS Menu Fields ... 2-10 Table 2-6 WAN Setup Menu Fields... 2-11 Table 3-1 LAN DHCP Setup Menu Fields ...
  • Page 24 Table 7-2 Abbreviations Used If Filter Type Is IP ...7-7 Table 7-3 Abbreviations Used If Filter Type Is GEN...7-7 Table 7-4 TCP/IP Filter Rule Menu Fields...7-8 Table 7-5 Generic Filter Rule Menu Fields ...7-13 Table 8-1 SNMP Configuration Menu Fields ...8-2 Table 9-1 System Maintenance - Status Menu Fields ...9-3...
  • Page 25: Log Screen

    Table 16-5 Timeout Menu ... 16-14 Table 17-1 Custom Ports ... 17-2 Table 17-2 Creating/Editing A Custom Port... 17-4 Table 18-1 Log Screen... 18-2 Table 20-1 Content Filtering Fields ... 20-3 Table 21-1 Troubleshooting the Start-Up of your Prestige... 21-1 Table 21-2 Troubleshooting the LAN Interface...
  • Page 27: Preface

    About Your Router Congratulations on your purchase of the Prestige 312 Broadband Security Gateway. Don’t forget to register your Prestige (fast, easy online registration at www.zyxel.com) for free future product updates and information. The Prestige 312 is a dual Ethernet Broadband Security Gateway integrated with robust firewall solutions and network management features that allows access to the Internet via Cable/ADSL modem or broadband router.
  • Page 28 Regardless of your particular application, it is important that you follow the steps outlined in Chapters 1-2 to connect your Prestige to your LAN. You can then refer to the appropriate chapters of the manual, depending on your applications.
  • Page 29: Getting Started

    Getting Started Part I: Getting Started Chapters 1-3 are structured as a step-by-step guide to help you connect, install and set up your Prestige to operate on your network and access the Internet.
  • Page 31: Features Of The Prestige 312

    This chapter introduces the main features and applications of the Prestige. The Prestige 312 Broadband Security Gateway The Prestige 312 is a dual Ethernet Broadband Security Gateway integrated with a robust firewall and network management features designed for home offices and small businesses to access the Internet via Cable/ADSL modem or broadband router.
  • Page 32: DHCP (Dynamic Host Configuration Protocol)

    Dynamic DNS Support With Dynamic DNS support, you can have a static hostname alias for a dynamic IP address, allowing the host to be more easily accessible from various locations on the Internet. You must register for this service with a Dynamic DNS client to use this service.
  • Page 33: Applications For Prestige 312

    not choose a time service protocol that your timeserver will send when the Prestige powers up, you can enter the time manually, but each time the system is booted the time & date will be reset to 1/1/1970 0:0:0. Logging and Tracing The Prestige has the following features: Built-in message logging and packet tracing.
  • Page 34: Figure 1-2 Secure Internet Access Via DSL

    Figure 1-2 Secure Internet Access via DSL You can also use your xDSL modem in the bridge mode for always-on Internet access and high speed data transfer. Getting to Know Your Prestige...
  • Page 35: Chapter 2 Hardware Installation & Initial Setup

    Hardware Installation & Initial Setup This chapter shows you how to connect the hardware and perform the initial setup. Front Panel LEDs and Back Panel Ports 2.1.1 Front Panel LEDs The LEDs on the front panel indicate the operational status of the Prestige. The following table describes the LED functions: LEDs Function Indicator...
  • Page 36: Prestige 312 Rear Panel And Connections

    [LED table, continued] Prestige 312 Rear Panel and Connections The following figure shows the rear panel of your Prestige 312 and the connection diagram. Figure 2-2 This section outlines how to connect your Prestige 312 to the LAN and the WAN. In the case of connecting a Cable Modem you must connect the coaxial cable from your cable service to the threaded coaxial cable...
  • Page 37: Additional Installation Requirements

    connector on the back of the cable modem. Connect an xDSL Modem to the xDSL Wall Jack. Please also see Appendix C for important safety instructions on making connections to the Prestige. Step 1. Connecting the Console Port For the initial configuration of your Prestige, you need to use terminal emulator software on a workstation and connect it to the Prestige through the console port.
  • Page 38: Housing

    When you power on your Prestige, it performs several internal tests as well as line initialization. After the tests, the Prestige asks you to press [ Copyright (c) 1994 - 2000 ZyXEL Communications Corp. initialize ch =0, ethernet address: 00:a0:c5:41:51:61 initialize ch =1, ethernet address: 00:a0:c5:41:51:62 Press ENTER to continue...
  • Page 39: Navigating The SMT Interface

    Navigating the SMT Interface The SMT (System Management Terminal) is the interface that you use to configure your Prestige. Several operations that you should be familiar with before you attempt to modify the configuration are listed in the table below. Operation Keystrokes Move down to...
  • Page 40: Main Menu

    Prestige 312 Main Menu (Copyright (c) 1994 - 2000 ZyXEL Communications Corp.). Menu items shown: NAT Setup, Filter and Firewall Setup, SNMP Configuration, System Password, System Maintenance, Schedule Setup. Advanced Management: 21. Filter and Firewall Setup, 22. SNMP Configuration, 23. System Password, 24. System Maintenance, 26.
  • Page 41: Changing The System Password

    Changing the System Password The first thing you should do before anything else is to change the default system password by following the steps below. Step 1. Enter 23 in the Main Menu to open Menu 23 - System Password as shown below. Old Password= ? New Password= ? Retype to confirm= ?
  • Page 42: General Setup

    General Setup Menu 1 - General Setup contains administrative and system-related information. The fields for General Setup are as shown next. System Name is for identification purposes. However, because some ISPs check this name you should enter your PC’s “Computer Name” (Start -> Settings -> Control Panel -> Network. Click the Identification tab, note the entry for the “Computer name”...
  • Page 43: Configuring Dynamic Dns

    Table 2-4 Field System Name Choose a descriptive name for identification purposes. It is recommended you enter your computer’s “Computer name” in this field. This name can be up to 30 alphanumeric characters long. Spaces are not allowed, but dashes “-” and underscores "_" are accepted.
  • Page 44: WAN Setup

    Table 2-5 Fields: Service Provider: Enter the name of your Dynamic DNS client. Active: Press [SPACE BAR] to toggle between Yes or No. Host: Enter the domain name assigned to your Prestige by your Dynamic DNS provider. EMAIL: Enter your e-mail address.
  • Page 45: LAN Setup

    MAC Address: Assigned By=IP address attached on LAN IP Address= 192.168.1.12 Press ENTER to Confirm or ESC to Cancel: Press Space Bar to Toggle The MAC address field allows users to configure the WAN port's MAC Address by either using the factory default or cloning the MAC address from a workstation on your LAN.
  • Page 46: Figure 2-11 Menu 3.1 – LAN Port Filter Setup

    2.10.1 LAN Port Filter Setup This menu allows you to specify the filter sets that you wish to apply to the LAN traffic. You seldom need to filter the LAN traffic; however, the filter sets may be useful to block certain packets, reduce traffic and prevent security breaches.
  • Page 47: Chapter 3 Internet Access

    This chapter shows you how to configure the LAN as well as the WAN of your Prestige for Internet access. TCP/IP and DHCP for LAN The Prestige has built-in DHCP server capability that assigns IP addresses and DNS servers to systems that support DHCP client capability.
  • Page 48: Private IP Addresses

    The subnet mask specifies the network number portion of an IP address. Your Prestige will compute the subnet mask automatically based on the IP address that you entered. You don’t need to change the subnet mask computed by the Prestige unless you are instructed to do otherwise. 3.1.3 Private IP Addresses Every machine on the Internet must have a unique address.
  • Page 49: DHCP Configuration

    3.1.5 DHCP Configuration DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows the individual clients (workstations) to obtain the TCP/IP configuration at start-up from a server. You can configure the Prestige as a DHCP server or disable it. When configured as a server, the Prestige provides the TCP/IP configuration for the clients.
  • Page 50: Figure 3-2 Partitioned Logical Networks

    The address 224.0.0.1 is used for query messages and is assigned to the permanent group of all IP hosts (including gateways). All hosts must join the 224.0.0.1 group in order to participate in IGMP. The address 224.0.0.2 is assigned to the multicast routers group.
  • Page 51: Figure 3-3 Menu 3 - LAN Setup (10/100 Mbps Ethernet)

    LAN Port Filter Setup TCP/IP and DHCP Setup Enter Menu Selection Number: Figure 3-3 To edit the TCP/IP and DHCP configuration, enter 2 to open Menu 3.2 - TCP/IP and DHCP Ethernet Setup as shown next. Menu 3.2 - TCP/IP and DHCP Ethernet Setup DHCP Setup: DHCP= Server Client IP Pool Starting Address= 192.168.1.33...
  • Page 52 Follow the instructions in the following table on how to configure the DHCP fields. Table 3-1 Field DHCP= This field enables/disables the DHCP server. If it is set to Server, your Prestige will act as a DHCP server. If set to None, DHCP service will be disabled and you must have another DHCP server on your LAN, or else the workstation must be manually configured.
  • Page 53: IP Alias Setup

    Field Edit IP Alias The Prestige supports three logical LAN interfaces via its single physical Ethernet interface with the Prestige itself as the gateway for each LAN network. Press the space bar to toggle No to Yes, then press [ENTER] to bring you to menu 3.2.1. When you have completed this menu, press [Enter] at the prompt [Press ENTER to Confirm…] to save your configuration, or press [Esc] at any time to cancel.
  • Page 54: Internet Access Setup

    RIP Direction: Press the space bar to select the RIP direction from None/Both/In Only/Out Only. RIP Version: Press the space bar to select the RIP version from RIP-1/RIP-2B/RIP-2M. Incoming Protocol Filters: Enter the filter set(s) you wish to apply to the incoming traffic between this node and the Prestige.
  • Page 55: PPTP Encapsulation

    The following table describes this screen. Table 3-4 Field ISP’s Name Enter the name of your Internet Service Provider, e.g., myISP. This information is for identification purposes only. Encapsulation Press the [SPACE BAR] and then press [ENTER] to choose Ethernet. The encapsulation method influences your choices for IP Address.
  • Page 56: Configuring The PPTP Client

    3.3.3 Configuring the PPTP Client To configure a PPTP client, you must configure the My Login and Password fields for a PPP connection and the PPTP parameters for a PPTP connection. After configuring the User Name and Password for PPP connection, press [SPACE BAR] in the Encapsulation field in Menu 4 - Internet Access Setup to choose PPTP as your encapsulation option.
  • Page 57: Figure 3-8 Internet Access Setup (PPPoE)

    For the service provider, PPPoE offers an access and authentication method that works with existing access control systems (e.g., Radius). For the user, PPPoE provides a login & authentication method that the existing Microsoft Dial-Up Networking software can activate, and therefore requires no new learning or procedures for Windows users.
  • Page 58: Basic Setup Complete

    Table 3-6 Field Encapsulation Press the [SPACE BAR] and then press [ENTER] to choose PPPoE. The encapsulation method influences your choices for IP Address. Service Name Enter the PPPoE service name provided to you. PPPoE uses a service name to identify and reach the PPPoE server.
  • Page 59: Advanced Applications

    Advanced Applications Part II: Advanced Applications Advanced Applications (Chapters 4-6) describe the advanced applications of your Prestige, such as Remote Node Setup, IP Static Routes and NAT.
  • Page 60: Chapter 4 Remote Node Setup

    A remote node is required for placing calls to a remote gateway. A remote node represents both the remote gateway and the network behind it across a WAN connection. Note that when you use Menu 4 to set up Internet access, you are actually configuring a remote node. We will show you how to configure Menu 11.1 Remote Node Profile, Menu 11.3 - Remote Node Network Layer Options and Menu 11.5 - Remote Node Filter.
  • Page 61 Field Rem Node Name Enter a descriptive name for the remote node. This field can be up to eight characters. Active Press the [SPACE BAR] to toggle between Yes and No and activate (deactivate) the remote node. Encapsulation Ethernet is the default encapsulation.
  • Page 62: PPPoE Encapsulation

    4.1.2 PPPoE Encapsulation The Prestige supports PPPoE (Point-to-Point Protocol over Ethernet). You can only use PPPoE encapsulation when you’re using the Prestige with an xDSL modem as the WAN device. If you change the Encapsulation to PPPoE, then you will see the next screen. Please see the Appendices for more information on PPPoE.
  • Page 63: PPTP Encapsulation

    Table 4-2 Field Authen This field sets the authentication protocol used for outgoing calls. Options for this field are: CHAP/PAP - Your Prestige will accept either CHAP or PAP when requested by this remote node. CHAP - accept CHAP only. PAP - accept PAP only.
  • Page 64: Remote Node Setup

    Rem Node Name= ChangeMe Active= Yes Encapsulation= PPTP Service Type= Standard Service Name=N/A Outgoing= My Login= My Password= ******** Authen= CHAP/PAP PPTP : IP Addr= Server IP Addr= Connection ID/Name= Press Space Bar to Toggle. Figure 4-3 The next table shows how to configure fields in Menu 11.1 not previously discussed above. Table 4-3 Field Encapsulation...
  • Page 65: Editing TCP/IP Options (With Ethernet Encapsulation)

    Editing TCP/IP Options (with Ethernet Encapsulation) Move the cursor to the Edit IP field in Menu 11.1, then press the [SPACE BAR] to toggle and set the value to Yes. Press [Enter] to open Menu 11.3 - Network Layer Options. Press Space Bar to Toggle Figure 4-4 The next table gives you instructions about configuring remote node network layer options.
  • Page 66: Editing TCP/IP Options (With PPTP Encapsulation)

    between 1 and 15. In practice, 2 or 3 is usually a good number. Private: This field is valid only for PPTP/PPPoE encapsulation. This parameter determines if the Prestige will include the route to this remote node in its RIP broadcasts. If set to Yes, this route is kept private and not included in RIP broadcasts.
  • Page 67: Figure 4-5 Remote Node Network Layer Options

    Menu 11.3 - Remote Node Network Layer Options Press Space Bar to Toggle. Figure 4-5 The next table gives you instructions about configuring remote node network layer options. Table 4-5 Field IP Address Assignment: If your ISP did not assign you an explicit IP address, select Dynamic; otherwise select Static and enter the IP address &...
  • Page 68: Editing TCP/IP Options (With PPPoE Encapsulation)

    between 1 and 15. In practice, 2 or 3 is usually a good number. Private This parameter determines if the Prestige will include the route to this remote node in its RIP broadcasts. If set to Yes, this route is kept private and not included in RIP broadcast.
  • Page 69: Figure 4-6 Remote Node Filter (Ethernet Encapsulation)

    Figure 4-6 Remote Node Filter (Ethernet Encapsulation): Menu 11.5 - Remote Node Filter. Input Filter Sets: protocol filters= 3, device filters= . Output Filter Sets: protocol filters= 1, device filters= . Enter here to CONFIRM or ESC to CANCEL. Figure 4-7 (p. 4-10): Menu 11.5 - Remote Node Filter. Input Filter Sets: protocol filters= 3...
  • Page 70: Chapter 5 IP Static Route Setup

    Chapter 5 IP Static Route Setup This chapter shows you how to configure static routes with your Prestige. Static routes tell the Prestige routing information that it cannot learn automatically through other means. This can arise in cases where RIP is disabled on the LAN. Each remote node specifies only the network to which the gateway is directly connected, and the Prestige has no knowledge of the networks beyond.
  • Page 71: Figure 5-2 Menu 12 - IP Static Route Setup

    IP Static Route Setup You configure IP static routes in Menu 12.1, by selecting one of the IP static routes as shown below. Enter 12 from the Main Menu. 1. ________ 2. ________ 3. ________ 4.
  • Page 72 Table 5-1 Field Route # This is the index number of the static route that you chose in Menu 12. Route Name Enter a descriptive name for this route. This is for identification purposes only. Active This field allows you to activate/deactivate this static route. Destination IP This parameter specifies the IP network address of the final destination.
  • Page 74: Chapter 6 Network Address Translation (NAT)

    Network Address Translation (NAT) Introduction NAT (Network Address Translation - NAT, RFC 1631) is the translation of the IP address of a host in a packet, e.g., the source address of an outgoing packet, used within one network to a different IP address known within another network.
  • Page 75: How NAT Works

    them accessible to the outside world. If you do not define any servers (for Many-to-One and Many-to-Many Overload mapping – see below), NAT offers the additional benefit of firewall protection. If no server is defined in these cases, all incoming inquiries will be filtered out by your Prestige, thus preventing intruders from probing your network.
  • Page 76: SUA (Single User Account) Versus NAT

    Many to One: In Many-to-One mode, the Prestige maps multiple local IP addresses to one global IP address. This is equivalent to SUA (i.e., PAT, port address translation), ZyXEL’s Single User Account feature that previous ZyXEL routers supported (the SUA Only option in today’s routers). Many to Many Overload: In Many-to-Many Overload mode, the Prestige maps the multiple local IP addresses to shared global IP addresses.
  • Page 77: NAT Application

    remote node basis. They are reusable, but only one set is allowed for each remote node. The Prestige supports 2 sets since there is only one remote node. The second set (SUA Only option in Menu 15.1) is a convenient, pre-configured, read only Many-to-1 port mapping set, sufficient for most purposes (see section 6.4 for some examples) and helpful to people already familiar with SUA in previous ZyNOS versions.
  • Page 78: Figure 6-4 Applying NAT To The Remote Node

    Figure 6-3 This figure shows how you apply NAT to the remote node in Menu 11.1. Step 1. Enter 11 from the Main Menu. Step 2. Move the cursor to the Edit IP field, press the [SPACEBAR] to toggle the default No to Yes, then press [ENTER] to bring up Menu 11.3 - Remote Node Network Layer Options.
  • Page 79: Configuring NAT

    Table 6-3 Field: Network Address Translation - Full Feature / SUA Only. 6.2.2 Configuring NAT To configure NAT, enter 15 from the Main Menu to bring up the following screen. 6.2.3 Address Mapping Sets and NAT Server Sets: Use the Address Mapping Sets menus and submenus to create the mapping table used to assign global addresses to machines on the LAN.
  • Page 80: Figure 6-7 SUA Address Mapping Rules

    Figure 6-6 Let’s look first at Option 255. Option 255 is equivalent to SUA in previous ZyXEL routers (see section 6.1.4). The fields in this menu cannot be changed. Entering 255 brings up this screen. Set Name= SUA Local Start IP --------------- 0.0.0.0 Figure 6-7...
  • Page 81 Table 6-4 Field Set Name This is the name of the set you selected in Menu 15.1 or enter the name of a new set you want to create. This is the index or rule number. Local Start IP Local Start IP is the starting local IP address (ILA) (see...
  • Page 82: Ordering Your Rules

    Set Name= NAT_SET Local Start IP --------------- Action= Edit Press ENTER to Confirm or ESC to Cancel: The Type, Local and Global Start/End IPs are configured in Menu 15.1.1.1 (described Ordering Your Rules Ordering your rules is important because the Prestige applies the rules in the order that you specify. When a rule matches the current packet, the Prestige takes the corresponding action and the remaining rules are ignored.
  • Page 83: Figure

    moved down by one rule. Delete means to delete the selected rule and then all the rules after the selected one will be advanced one rule. Save Set means to save the whole set (note when you choose this action, the Select Rule item will be disabled).
  • Page 84: NAT Server Sets

    Field Local IP Start Global IP Start Note: For all Local and Global IPs, the End IP address must begin after the IP Start address, i.e., you cannot have an End IP address beginning before the Start IP. NAT Server Sets A NAT server set is a list of inside servers (behind NAT on the LAN) that you can make visible to the outside world.
  • Page 85: Configuring A Server Behind NAT

    Figure 6-10 6.3.2 Configuring a Server behind NAT Follow the steps below to configure a server behind NAT: Step 1. Enter 15 in the main menu to go to Menu 15 – NAT Setup. Step 2. Enter 2 to go to Menu 15.2 - NAT Server Setup.
  • Page 86: Figure 6-11 Menu 15.2 – NAT Server Setup

    Figure 6-11 Services listed: FTP (File Transfer Protocol), Telnet, SMTP (Simple Mail Transfer Protocol), DNS (Domain Name System), HTTP (Hyper Text Transfer Protocol or WWW, Web) 80, PPTP (Point-to-Point Tunneling Protocol). Examples 6.4.1 Internet Access Only In our Internet access example, we only need one rule where all our ILAs (Inside Local Addresses) map to one dynamic IGA (Inside Global Address) assigned by our ISP.
  • Page 87: Figure 6-13 Internet Access & NAT Example

    Figure 6-13 From Menu 4 shown above, simply choose the SUA Only option from the Network Address Translation field. This is the Many-to-One mapping discussed in section 6.1.4. The SUA Only read only option from the Network Address Translation field in Menus 4 and 11.3 is specifically pre-configured to handle this case.
  • Page 88: Example 2 - Internet Access With An Inside Server

    6.4.2 Example 2 – Internet Access with an Inside Server In this case, we do exactly as above (use the convenient pre-configured SUA Only set) and also go to Menu 15.2 to specify the Inside Server behind the NAT as shown in the next figure. Figure 6-15 6.4.3 Example 3 –...
  • Page 89: Figure 6-16 NAT - Example 3

    server and the other IGA is used by all. We want to map the FTP servers to the first two of our IGAs and the other LAN traffic to the remaining IGA. We also want to map our third IGA to an inside web server and mail server.
  • Page 90 Step 5. Select Type= as One-to-One (direct mapping for packets going both ways), and enter the local Start IP as 192.168.1.10 (the IP address of FTP Server 1), the global Start IP as 10.132.50.1 (our first IGA). (See Figure 6-18) Step 6.
  • Page 91: Figure 6-19 Example 3 Final Menu 15.1.1

    When we have configured all four rules, Menu 15.1.1 should look as follows. Set Name= Example3 Local Start IP --------------- 1. 192.168.1.10 192.168.1.11 3. 0.0.0.0 Figure 6-19 Now we configure our IGA3 to map to our web server and mail server on the LAN. Step 8.
  • Page 92: Figure 6-21 Nat Example 4

    6.4.4 Example 4 – NAT Unfriendly Application Programs Some applications do not support NAT Mapping using TCP or UDP port address translation. In this case it is better to use Many-to-Many No Overload mapping, as port numbers do not change for Many-to-Many No Overload (and One-to-One) NAT mapping types.
  • Page 93 Type= Many-to-Many No Overload; Local IP: Start= 192.168.1.10 to 192.168.1.12; Global IP: Start= 10.132.50.1 to 10.132.50.3 (Figure 6-22). After you’ve configured this menu, you should see the following screen (Figure 6-23: Set Name= Example4; Local Start IP: 192.168.1.10)...
  • Page 94: Advanced Management

    Advanced Management Part III: Advanced Management Chapters 7 - 12 provide information on Prestige filtering, System Information and Diagnosis, Transferring Files and Telnet.
  • Page 96: Chapter 7 Filter Configuration

    About Filtering Your Prestige uses filters to decide whether to allow passage of a data packet and/or to make a call. There are two types of filter applications: data filtering and call filtering. Filters are subdivided into device and protocol filters, which are discussed later. Data filtering screens the data to determine if the packet should be allowed to pass.
  • Page 97: The Filter Structure Of The Prestige

    7.1.1 The Filter Structure of the Prestige A filter set consists of one or more filter rules. Usually, you would group related rules, e.g., all the rules for NetBIOS, into a single set and give it a descriptive name. The Prestige allows you to configure up to twelve filter sets with six rules in each set, for a total of 72 filter rules in the system.
  • Page 98: Filter Set

    (Figure: filter set flow: Fetch Next Filter Set -> Next Filter Set Available? -> Drop Packet.) You can apply up to four filter sets to a particular port to block multiple types of packets. With each filter set having up to six rules, you can have a maximum of 24 rules active for a single port. (Figure residue continues: Filters, Filter Set, Fetch Next...)
  • Page 99: Configuring A Filter Set

    Configuring a Filter Set To configure a filter set, follow the procedure below. For more information on Menus 21.2 and 21.3, please see Part 4. Step 1. Select option 21. Filter Set Configuration from the Main Menu to open Menu 21. Figure 7-4 Step 2.
  • Page 100: Figure 7-6 Netbios_Wan Filter Rules Summary

    Figure 7-6 NETBIOS_WAN Filter Rules Summary
    # A Type
    1 Y IP   Pr=6,
    2 Y IP   Pr=6,
    3 Y IP   Pr=6,
    4 Y IP   Pr=17, SA=0.0.0.0, DA=0.0.0.0, DP=137
    5 Y IP   Pr=17, SA=0.0.0.0, DA=0.0.0.0, DP=138
    6 Y IP   Pr=17, SA=0.0.0.0, DA=0.0.0.0, DP=139
    Figure 7-6 # A Type...
  • Page 101: Filter Rules Summary Menu

    7.2.1 Filter Rules Summary Menu This screen shows the summary of the existing rules in the filter set. The following tables contain a brief description of the abbreviations used in the previous menus. Table 7-1 Abbreviations Refers to the filter rule number (1-6).
  • Page 102: Configuring A Filter Rule

    The protocol-dependent filter rule abbreviations are listed as follows. If the filter type is IP, the abbreviations in the following table are used. Table 7-2 Abbreviation If the filter type is GEN (generic), the abbreviations in the following table are used.
  • Page 103: Figure

    Press Space Bar to Toggle. Figure 7-9 The following table describes how to configure your TCP/IP filter rule. Table 7-4 Field Active This field activates/deactivates the filter rule. IP Protocol Protocol refers to the upper layer protocol, e.g., TCP is 6, UDP is 17 and ICMP is 1.
  • Page 104 Field (continued): don’t-care if it is 0. Destination: Port # Comp: Select the comparison to apply to the destination port in the packet against the value given in Destination: Port #. Source: IP Address: Enter the source IP address of the packet you wish to filter.
  • Page 105 Field Once you have completed filling in Menu 21.1.1.1 - TCP/IP Filter Rule, press [Enter] at the message [Press Enter to Confirm] to save your configuration, or press [Esc] to cancel. This data will now be displayed on Menu 21.1.1 - Filter Rules Summary.
  • Page 106 (Figure: IP filter rule logic flow) Packet into IP Filter -> Filter Active? -> Apply SrcAddrMask to Src Addr -> Check Src IP Addr Matched -> Apply DestAddrMask to Dest Addr -> Check Dest IP Addr Matched -> Check IP Protocol Matched -> Check Src & Dest Port Matched -> More? -> Action Matched -> Drop -> Drop Packet; Filters Not Matched...
  • Page 107: Figure 7-11 Menu 21.4.1.1 - Generic Filter Rule

    7.2.4 Generic Filter Rule This section shows you how to configure a generic filter rule. The purpose of generic rules is to allow you to filter non-IP packets. For IP, it is generally easier to use the IP rules directly. For generic rules, the Prestige treats a packet as a byte stream as opposed to an IP or IPX packet.
  • Page 108: Table 7-5 Generic Filter Rule Menu Fields

    The following table describes the fields in the Generic Filter Rule Menu. Table 7-5 Field Filter # This is the filter set, filter rule co-ordinates, i.e., 2,3 refers to the second filter set and the third rule of that set. Filter Type Use the [SPACE BAR] to toggle between the two types of rules.
  • Page 109: Example Filter

    Once you have completed filling in Menu 21.4.1.1 - Generic Filter Rule, press [Enter] at the message [Press Enter to Confirm] to save your configuration, or press [Esc] to cancel. This data will now be displayed on Menu 21.1.1 - Filter Rules Summary. Example Filter Let’s look at the third default ZyXEL filter, TELNET_WAN (see Figure 7-8) as an example.
  • Page 110: Figure 7-13 Example Filter – Menu 21.1.1.1

    Menu 21.1.1 - TCP/IP Filter Rule
    Filter #: 3,1
    Filter Type= TCP/IP Filter Rule
    Active= Yes
    IP Protocol= 6
    Destination: IP Addr= 0.0.0.0
    Source: IP Addr= 0.0.0.0
    TCP Estab= No
    More= No
    Action Matched= Drop
    Action Not Matched= Forward
    Press ENTER to Confirm or ESC to Cancel:
    Press Space Bar to Toggle.
  • Page 111: Filter Types And Nat

    Menu 21.1.3 - Filter Rules Summary
    # A Type
    1 Y IP   Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=23
    Enter Filter Rule Number (1-6) to Configure: 1
    This shows you that you have configured and activated (A = Y) a TCP/IP filter rule (Type = IP, Pr = 6) for destination...
  • Page 112: Figure 7-15 Protocol And Device Filter Sets

    packets and after NAT for incoming packets. On the other hand, the generic, or device, filters are applied to the raw packets that appear on the wire. They are applied at the point where the Prestige receives and sends the packets, i.e., the interface. The interface can be an Ethernet port or any other hardware port. The following diagram illustrates this.
  • Page 113: Remote Node Filters

    7.6.2 Remote Node Filters Go to Menu 11.5 (shown below – note that call filter sets are only present for PPPoE encapsulation) and enter the number(s) of the filter set(s) as appropriate. You can cascade up to four filter sets by entering their numbers separated by commas.
  • Page 114: Chapter 8 Snmp Configuration

    This chapter discusses SNMP (Simple Network Management Protocol) for network management. About SNMP Your Prestige supports SNMP agent functionality, which allows a manager station to manage and monitor the Prestige through the network. Keep in mind that SNMP is only available if TCP/IP is configured on your Prestige.
  • Page 115 The following table describes the SNMP configuration parameters. Table 8-1 Field / Description. Get Community: Enter the get community, which is the password for the incoming Get- and GetNext- requests from the management station. Set Community: Enter the set community, which is the password for incoming Set- requests from the management station.
  • Page 116: Chapter 9 System Information & Diagnosis

    This chapter covers the diagnostic tools that help you to maintain your Prestige. These tools include updates on system status, port status, log and trace capabilities and upgrades for the system software. This chapter describes how to use these tools in detail. Select menu 24 in the main menu to open Menu 24 - System Maintenance, as shown below.
  • Page 117: System Status

    System Status The first selection, System Status, gives you information on the version of your system firmware and the status and statistics of the ports, as shown in the figure below. System Status is a tool that can be used to monitor your Prestige.
  • Page 118: Table 9-1 System Maintenance - Status Menu Fields

    The following table describes the fields present in Menu 24.1 - System Maintenance - Status. Table 9-1 fields: Port, Status, TxPkts, RxPkts, Cols, Tx B/s, Rx B/s, Up Time; Ethernet Address, IP Address, IP Mask, DHCP; Ethernet Address, IP Address, IP Mask, DHCP; System up Time...
  • Page 119: System Information And Console Port Speed

    System Information and Console Port Speed This section describes your system and allows you to choose different console port speeds. To get to the System Information and Console Port Speed: Step 1. Enter 24 to go to Menu 24 – System Maintenance. Step 2.
  • Page 120: Console Port Speed

    Table 9-2 fields: Name, Routing, ZyNOS F/W Version, Ethernet Address, IP Address, IP Mask, DHCP. 9.2.2 Console Port Speed You can change the speed of the console port through Menu 24.2.2 – Console Port Speed. Your Prestige supports 9600 (default), 19200, 38400, 57600, and 115200 bps for the console port. Use the [SPACE BAR] to select the desired speed in Menu 24.2.2, as shown below.
  • Page 121: Viewing Error Log

    9.3.1 Viewing Error Log The first place you should look for clues when something goes wrong is the error/trace log. Follow the procedure below to view the local error/trace log: Step 1. Select option 24 from the Main Menu to open Menu 24 - System Maintenance. Step 2.
  • Page 122: Figure 9-8 Menu 24.3.2 - System Maintenance - Unix Syslog

    Menu 24.3.2 -- System Maintenance - UNIX Syslog and Accounting (Figure 9-8). You need to configure the UNIX syslog parameters described in the following table to activate syslog, then choose what you want to log. Table 9-3 Parameter: UNIX Syslog: Active. Press the [SPACE BAR] to turn syslog on or off.
  • Page 123: Filter Log

    1. CDR
    CDR Message Format: SdcmdSyslogSend( SYSLOG_CDR, SYSLOG_INFO, String );
    String = board xx line xx channel xx, call xx, str
    board = the hardware board ID
    line = the WAN ID in a board
    channel = channel ID within the WAN
    call = the call reference number, which starts from 1 and increments by 1 for each new call
    str = C01 Outgoing Call dev xx ch xx (dev:device No.
  • Page 124: Firewall Log

    Mar 03 10:39:43 202.132.155.97 ZyXEL: GEN[fffffffffffnordff0080] }S05>R01mF
    Mar 03 10:41:29 202.132.155.97 ZyXEL: GEN[00a0c5f502fnord010080] }S05>R01mF
    Mar 03 10:41:34 202.132.155.97 ZyXEL: IP[Src=192.168.2.33 Dst=202.132.155.93 ICMP]}S04>R01mF
    Mar 03 11:59:20 202.132.155.97 ZyXEL: GEN[00a0c5f502fnord010080] }S05>R01mF
    Mar 03 12:00:31 202.132.155.97 ZyXEL: GEN[fffffffffffnordff0080] }S05>R01mF
    Mar 03 12:00:52 202.132.155.97 ZyXEL: GEN[ffffffffffff0080] }S05>R01mF
    Mar 03 12:00:57 202.132.155.97 ZyXEL: GEN[00a0c5f502010080] }S05>R01mF...
  • Page 125: Call-Triggering Packet

    9.3.3 Call-Triggering Packet Call-Triggering Packet displays information about the packet that triggered a dial-out call in an easily readable format. Equivalent information is available in Menu 24.1 in hex format. An example is shown next. IP Frame: ENET0-RECV Size: Frame Type: IP Header: IP Version...
  • Page 126: Wan Dhcp

    Figure 9-10 Follow the procedure below to get to Menu 24.4 - System Maintenance – Diagnostic. Step 1. From the Main Menu, select option 24 to open Menu 24 - System Maintenance. Step 2. From this menu, select option 4. Diagnostic. This will open Menu 24.4 - System Maintenance - Diagnostic.
  • Page 127: Figure

    The following table describes the diagnostic tests available in Menu 24.4 for your Prestige and the connections. Table 9-4 (Number, Field): Ping Host; WAN DHCP Release; WAN DHCP Renewal; Internet Setup Test; Reboot System; Host IP Address=. Figure 9-11 WAN &...
  • Page 128: Figure 9-4 Menu 24.2.1 System Maintenance - Information

    Chapter 10 Transferring Files This chapter tells you how to back up and restore your configuration file as well as upload new firmware and a new configuration file. 10.1 Filename conventions The configuration file (often called the romfile or rom-0) contains the factory default settings in the menus such as password, DHCP Setup, TCP/IP Setup etc.
  • Page 129: Firmware Development

    Table (File Type / Internal Name): Configuration File: Rom-0; Firmware. 10.1.1 Firmware Development It is important to upgrade your firmware regularly, especially if there are problems. If you discover an unexpected behavior, or bug, see if your problem is mentioned in the release notes. Load it according to instructions (e.g., see if the default configuration file is needed also).
  • Page 130: Restore Configuration

    10.3 Restore Configuration Menu 24.6 -- System Maintenance - Restore Configuration allows you to restore the configuration via the console port. FTP and TFTP are the preferred methods for restoring your current workstation configuration to your Prestige since FTP and TFTP are faster. Please note that the system reboots automatically after the file transfer is complete.
  • Page 131: Uploading Router Configuration File

    Step 4. After successful firmware upload, enter atgo to restart the Prestige. Menu 24.7.1 - System Maintenance - Upload Router Firmware FTP and TFTP are the preferred methods for uploading router firmware to your Prestige since FTP and TFTP are faster. To upload router firmware: 1.
  • Page 132: Tftp File Transfer

    Menu 24.7.2 - System Maintenance - Upload Router Configuration File FTP and TFTP are the preferred methods for uploading the router configuration file to your Prestige since FTP and TFTP are faster. To upload the router configuration file: 1. Enter "y" at the prompt below to go into debug mode. 2.
  • Page 133: Example Tftp Command

    Note: If you upload the firmware to the Prestige, it will reboot automatically when the file transfer is completed (the SYS LED will flash). Note that the telnet connection must be active and the SMT in CI mode before and during the TFTP transfer.
  • Page 134: Ftp File Transfer

    10.6 FTP File Transfer In addition to uploading the firmware and configuration via the console port and TFTP client, you can also upload the Prestige firmware and configuration files using FTP. To use this feature, your workstation must have an FTP client. When you telnet into the Prestige, you will see the following screens for uploading firmware and the configuration file using FTP.
  • Page 135: Using The Ftp Command From The Dos Prompt

    Menu 24.7.2 - System Maintenance - Upload Router Configuration File To upload the router configuration file, follow the procedure below: 1. Launch the FTP client on your workstation. 2. Type "open" and the IP address of your router. Then type "root" and SMT password as requested.
  • Page 136: Figure 10-8 Ftp Session Example

    Connected to 312.x.x.x
    220 P312 FTP version 1.0 ready at Thu Jan 20 18:00:02 2000
    User (312.x.x.x:(none)): <Enter>
    331 Enter PASS command
    Password:
    230 Logged in
    ftp> bin
    200 Type I OK
    ftp> put p312e.bin ras
    200 Port command okay
    150 Opening data connection for STOR ras
    226 File received OK
    ftp: 327680 bytes sent in 1.10Seconds 297.89Kbytes/sec.
  • Page 138: Chapter 11 System Maintenance & Information

    System Maintenance. A list of valid commands can be found by typing [help] or [?] at the command prompt. Type “exit” to return to the SMT main menu when finished. Figure 11-1 Copyright (c) 1994 - 2000 ZyXEL Communications Corp. ras> ? Valid commands are:...
  • Page 139: Figure 11-4 Budget Management

    11.2 Call Control Support The Prestige provides two call control functions: budget management and call history. Please note that this menu is only applicable when Encapsulation is set to PPPoE or PPTP in Menu 4 or Menu 11.1. The budget management function allows you to set a limit on the total outgoing call time of the Prestige within certain times.
  • Page 140: Call History

    The total budget is the time limit on the accumulated time for outgoing calls to a remote node. When this limit is reached, the call will be dropped and further outgoing calls to that remote node will be blocked. After each period, the total budget is reset. The default for the total budget is 0 minutes and the period is 0 hours, meaning no budget control.
  • Page 141: Call History Fields

    Field descriptions. Phone Number: The PPPoE service names are shown here. This shows whether the call was incoming or outgoing. Rate: This is the transfer rate of the call. #call: This is the number of calls made to or received from that telephone number.
  • Page 142: Figure 11-6 System Maintenance - Time And Date Setting

    Press Space Bar to Toggle. Figure 11-6. Table 11-3 fields: Use Time Server when Bootup=, Time Server IP Address=, Current Time: / New Time, Current Date: / New Date, Time Zone= GMT+0800. Menu 24.10 - System Maintenance - Time and Date Setting: Use Time Server when Bootup= None; Time Server IP Address= N/A; Current Time:...
  • Page 143: Remote Management Setup

    Once you have filled in the new time and date, press [Enter] to save the setting and press [Esc] to return to Menu 24. 11.4 Remote Management Setup Telnet and FTP do not support encryption, so for very strong security both services should be shut down. This is done in Menu 24.11 - Remote Management Control.
  • Page 144: Boot Commands

    Table 11-4 Field / Description. FTP service active: Press the [SPACE BAR] to toggle Yes to No and press [Enter] to disable all FTP activity (both LAN and WAN). Telnet service active: Press the [SPACE BAR] to toggle Yes to No and press [Enter] to disable all Telnet activity (both LAN and WAN).
  • Page 145: Figure

    just answer OK
    ATHE        print help
    ATBAx       change baudrate. 1:38.4k, 2:19.2k, 3:9.6k 4:57.6k 5:115.2k
    ATENx,(y)   set BootExtension Debug Flag (y=password)
    ATSE        show the seed of password generator
    ATTI(h,m,s) change system time to hour:min:sec or show current time
    ATDA(y,m,d) change system date to year/month/day or show current date
    ATDS...
  • Page 146: Figure 12-1 Telnet Configuration On A Tcp/Ip Network

    Chapter 12 Telnet Configuration and Capabilities This chapter covers the Telnet Configuration and Capabilities of the Prestige. 12.1 About Telnet Configuration Before the Prestige is properly set up for TCP/IP, the only option for configuring it is through the console port.
  • Page 147: System Timeout

    12.3.2 System Timeout There is a system timeout of 5 minutes (300 seconds) for either the console port or telnet. Your Prestige will automatically log you out if you do nothing in this timeout period, except when it is continuously updating the status in Menu 24.1 or when "sys stdio"...
  • Page 148: Firewall And Content Filters

    Firewall and Content Filters Part IV: Firewall and Content Filters Chapters 13 – 20 describe types of firewalls, how to configure your Prestige firewall using the Prestige Web Configurator, as well as types of Denial of Service (DoS) attacks and Content Filtering.
  • Page 149: Chapter 13 What Is A Firewall

    Originally, the term firewall referred to a construction technique designed to prevent the spread of fire from one room to another. The network term firewall is typically defined as a system or group of systems that enforces an access-control policy between two networks. It may also be defined as a mechanism used to protect a trusted network from an untrusted network.
  • Page 150: Stateful Inspection Firewalls

    needed to filter application traffic and direct it to a number of specific systems. The router need only allow application traffic destined for the application gateway and reject the rest. 13.1.3 Stateful Inspection firewalls Stateful Inspection firewalls restrict access by screening data packets against defined access rules. They make access control decisions based on IP address and protocol.
  • Page 151: Denial Of Service

    Figure 13-1 Prestige Firewall Application 13.3 Denial of Service Denial of Service (DoS) attacks are aimed at devices and networks with a connection to the Internet. Their goal is not to steal information, but to disable a device or network so users no longer have access to network resources.
  • Page 152: Types Of Dos Attacks

    13.3.2 Types of DoS attacks There are four types of DoS attacks: 1. Those that exploit bugs in a TCP/IP implementation. 2. Those that exploit weaknesses in the TCP/IP specification. 3. Brute-force attacks that flood a network with useless data. 4. IP Spoofing.
  • Page 153: Figure 13-3 Syn Flood

    Under normal circumstances, the application that initiates a session sends a SYN (synchronize) packet to the receiving server. The receiver sends back an ACK (acknowledgment) packet and its own SYN, and then the initiator responds with an ACK (acknowledgment). After this handshake, a connection is established. 2-a A SYN Attack floods a targeted system with a series of SYN packets.
  • Page 154: Stateful Inspection

    Often, many DoS attacks also employ a technique known as "IP Spoofing" as part of their attack. IP Spoofing may be used to break into systems, to hide the hacker's identity, or to magnify the effect of the DoS attack.
  • Page 155: Stateful Inspection Process

    Figure 13-5 shows the Prestige’s default firewall rules in action and demonstrates how stateful inspection works. User A can initiate a Telnet session from within the LAN, and responses to this request are allowed. However, other Telnet traffic initiated from the WAN is not allowed. 13.4.1 Stateful Inspection Process In this example, the following sequence of events occurs when a TCP packet leaves the LAN network through the firewall's WAN interface.
  • Page 156: Stateful Inspection & The Prestige

    The packet is inspected by a firewall rule, and the connection's state table entry is updated as necessary. Based on the updated state information, the inbound extended access list temporary entries might be modified, in order to permit only packets that are valid for the current state of the connection.
  • Page 157: Udp/Icmp Security

    When any subsequent packet hits the box (from the Internet or from the LAN), its connection information is extracted and checked against the cache. A packet is only allowed to pass through if it corresponds to a valid connection (that is, if it is a response to a connection which originated on the LAN). 13.4.4 UDP/ICMP Security UDP and ICMP do not themselves contain any connection information (such as sequence numbers).
  • Page 158: Security In General

    Limit who can Telnet into your router. Don't enable any local service (such as SNMP or NTP) that you don't use. Any enabled service could present a potential security risk. A determined, hostile party might be able to find creative ways to misuse the enabled services to access the firewall or the network.
  • Page 159 12. Always shred confidential information, particularly about your computer, before throwing it away. Some hackers dig through the trash of companies or individuals for information that might help them in a social intrusion.
  • Page 161: Chapter 14 Introducing The Prestige Firewall

    This chapter shows you how to get started with the Prestige Firewall. Please see Chapter 13 for 14.1 SMT Menus From the Main Menu (see below) enter 21 to go to Menu 21 - Filter Set and Firewall Configuration. Copyright (c) 1994 - 2000 ZyXEL Communications Corp. Getting Started 1. General Setup 2.
  • Page 162: View Firewall Log

    The firewall protects against Denial of Service (DOS) attacks when it is active. The default Policy sets: 1. allow all sessions originating from the LAN to the WAN, and 2. deny all sessions originating from the WAN to the LAN. You may define additional Policy rules or modify existing ones, but please exercise extreme caution in doing so. Active: No...
  • Page 163: Table 14-1 Icmp Commands That Trigger Alerts

    ICMP Echo A brute-force attack, such as a "Smurf" attack, targets a feature in the IP specification known as directed or subnet broadcasting, to quickly flood the target network with useless data. A Smurf hacker floods a router with Internet Control Message Protocol (ICMP) echo request packets (pings). Since the destination IP address of each packet is the broadcast address of the network, the router will broadcast the ICMP echo request packet to all hosts on the network.
  • Page 164: Syn Flood

    Traceroute Traceroute is a utility used to determine the path a packet takes between two endpoints. Sometimes, when a packet filter firewall is configured incorrectly, an attacker can traceroute the firewall, gaining knowledge of the network topology inside the firewall. Teardrop Teardrop attacks exploit weaknesses in the reassembly of IP packet fragments.
  • Page 165: The Big Picture - Filtering, Firewall And Nat

    Field descriptions. This is the index number of the firewall log: 128 entries are available, numbered from 0 to 127. Once they are all used, the log will wrap around and the old logs will be lost. Time: This is the time the log was recorded, in this format. You must configure Menu 24.10 for real time;...
  • Page 166: Packet Filtering Vs Firewall

    Figure 14-5 14.3 Packet Filtering Vs Firewall Below are some comparisons between the Prestige’s filtering and firewall functions. 14.3.1 Packet Filtering: The router filters packets as they pass through the router’s interface according to the filter rules you designed.
  • Page 167: Firewall

    When To Use Filtering
    To block/allow LAN packets by their MAC address.
    To block/allow special IP packets which are neither TCP, UDP, nor ICMP packets.
    To block/allow both inbound (WAN to LAN) and outbound (LAN to WAN) traffic between the specific inside host/network "A"...
  • Page 169: Figure 15-1 Login Screen As Seen In Netscape

    Introducing the Prestige Web Configurator This chapter shows you how to configure your firewall with the Web Configurator. 15.1 Web Configurator Login and Welcome Screens Launch your web browser and enter 192.168.1.1 as the URL. This is the factory default IP of the Prestige when shipped.
  • Page 170: Enabling The Firewall

    Figure 15-2 Prestige Web Configurator Welcome Screen 15.2 Enabling the Firewall Click Firewall, then Configuration, then the Rule Config tab to enable the firewall as seen in the following screen.
  • Page 171: E-Mail

    Figure 15-3 Enabling the Firewall 15.3 E-Mail This screen allows you to specify your mail server, where e-mail alerts should be sent, as well as when and how often they should be sent. 15.3.1 What are Alerts? Alerts are reports on events such as attacks, which you may want to know about right away.
  • Page 172: What Are Logs

    To field and schedule times for sending alerts in the Alert Timer fields in the E-Mail screen (following screen). 15.3.2 What are Logs? A log is a detailed record that you create for packets that either match a rule, don’t match a rule or both when you are creating/editing a firewall rule (see Figure 16-4).
  • Page 173 Field / Description. Address Information. Mail Server: Enter the IP address of your mail server in dotted decimal format. Your Internet Service Provider (ISP) should be able to provide this information. If this field is left blank, log and alert messages will not be sent via E-mail. Mail Subject: Enter a subject that you want to appear in the subject field of your e-mail here (see...
  • Page 174: Smtp Error Messages

    15.3.3 SMTP Error Messages If there are difficulties in sending e-mail the following error messages appear. Please see the Support Notes on the accompanying CD for information on other types of error messages. E-mail error messages appear as "SMTP action request failed. ret= ??" where ?? is described in the following table.
  • Page 175: Attack Alert

    Subject: Firewall Alert From Prestige
    Date: Fri, 07 Apr 2000 10:05:42
    From: user@zyxel.com
    user@zyxel.com
    1|Apr 7 00 |From:192.168.1.1 | 09:54:03 |UDP src port:00520 dest port:00520 |<1,00>
    2|Apr 7 00 |From:192.168.1.131 To:192.168.1.255 |default permit |forward | 09:54:17 |UDP src port:00520 dest port:00520 |<1,00>
    3|Apr 7 00 |From:192.168.1.6 | 09:54:19 |UDP src port:03516 dest port:00053 |<1,01>...
  • Page 176: Threshold Values

    You can use the default threshold values, or you can change them to values more suitable to your security requirements. 15.4.1 Threshold Values: You really just need to tune these parameters when something is not working and after you have checked the firewall counters.
  • Page 177: Figure 15-6 Attack Alert

    The Prestige deletes the oldest existing half-open session for the host for every new connection request to the host. This ensures that the number of half-open sessions to a given host will never exceed the threshold. If the Blocking Time timeout is greater than 0: The Prestige blocks all new connection requests to the host giving the server time to handle the present connections.
  • Page 178 Field / Description. Generate alert when attack detected: A detected attack automatically generates a log entry. Check this box to generate an alert (as well as a log) whenever an attack is detected. See section 15.3 for more information on logs and alerts.
  • Page 179 Field (continued): rises above this number, the Prestige deletes half-open sessions as required to accommodate new connection requests. Do not set Maximum Incomplete High to lower than the current Max-Incomplete Low number. TCP Maximum Incomplete: This is the number of existing half-open TCP sessions with the same destination host IP address that causes the firewall to...
  • Page 181: Chapter 16 Creating Custom Rules

    16.1 Rules Overview Firewall rules are subdivided into “Local Network” and “Internet”. By default, the Prestige’s stateful packet inspection allows all communications to the Internet that originate from the local network, and blocks all traffic to the LAN that originates from the Internet. You may define additional rules and sets or modify existing ones but please exercise extreme caution in doing so.
  • Page 182: Security Ramifications

    What computers on the LAN are to be affected (if any)? What computers on the Internet will be affected? The more specific, the better. For example, if traffic is being allowed from the Internet to the LAN, it is better to allow only certain machines on the Internet to access the LAN.
  • Page 183: Connection Direction

    16.3 Connection Direction: This section talks about configuring firewall rules for connections going from LAN to WAN and WAN to LAN in your firewall. 16.3.1 LAN to WAN Rules: The default rule for LAN to WAN traffic is that all users on the LAN are allowed non-restricted access to the WAN.
  • Page 184: Services Supported

    Figure 16-2 WAN to LAN Traffic. 16.4 Services Supported: The list box in the Rule Config(uration) screen (see Figure 16-4) displays all services that the Prestige supports. Custom services may also be configured using the Custom Ports function discussed later. Next to the name of the protocol, two fields appear in brackets.
  • Page 185 Table 16-1 Services Supported. SERVICE: BGP(TCP:179), BOOTP_CLIENT(UDP:68), BOOTP_SERVER(UDP:67), CU-SEEME(TCP/UDP:7648, 24032), DNS(UDP/TCP:53), FINGER(TCP:79), FTP(TCP:20, 21), HTTP(TCP:80), HTTPS, ICMP, ICQ(UDP:4000), IRC(TCP/UDP:6667), NEWS(TCP:144), NFS(UDP:2049), NNTP(TCP:119), RCMD(TCP:512), REAL_AUDIO(TCP:7070), REXEC(TCP:514), RLOGIN(TCP:513), RTELNET(TCP:107), RTSP(TCP/UDP:554), SFTP(TCP:115), SMTP(TCP:25), SNMP(TCP/UDP:161), SNMP-TRAPS(TCP/UDP:162), SQL-NET(TCP:1521), SSH(TCP/UDP:22), STRM WORKS(UDP:1558), TACACS(UDP:49), TELNET(TCP:23), TFTP(UDP:69), VDOLIVE(TCP:7000). DESCRIPTION: Border Gateway Protocol, DHCP Client...
  • Page 186: Rule Summary

    16.5 Rule Summary: The fields in the Rule Summary screens are the same for Local Network and Internet, so the discussion below refers to both. Click on Firewall, then Local Network to bring up the following screen. This screen is a summary of the existing rules.
  • Page 187: Table 16-2 Firewall Rules Summary - First Screen

    Table 16-2 Firewall Rules Summary – First Screen. General: Name: This is the name of the firewall rule set. Default Permit: The default action for packets not matching following rules. Log: Check this box to log all matched rules in the ACL default set. Firewall Rule Summary: Source IP, Destination IP, Service, Action, Alert, Apply, Edit.
  • Page 188: Creating/Editing Firewall Rules

    Field Delete, Move Rule To Rule Number, Move: ...section 16.5.1 for more details. 16.5.1 Creating/Editing Firewall Rules: To create a new rule, click a number (No.), then click the Edit button from the screen above to display the following screen.
  • Page 189: Figure 16-4 Creating/Editing A Firewall Rule

    Figure 16-4 Creating/Editing A Firewall Rule. Table 16-3 Creating/Editing A Firewall Rule. Field Source Address: Press SrcAdd to add a new address, SrcEdit to edit an existing one or SrcDelete to delete one. Please see the next section for more information on adding and editing source addresses. Further fields: Destination Address, Services.
  • Page 190: Source & Destination Addresses

    Field Action for Matched Packets; Alert. When you have finished, click Apply to save your customized settings and exit this screen, Cancel to exit this screen without saving, or Help for online HTML help on fields in this screen. 16.5.2 Source &...
  • Page 191 Figure 16-5. Table 16-4 Field Address Type: Do you want your rule to apply to packets with a particular (single) IP, a range of IP addresses (e.g., 192.168.1.10 to 192.169.1.50), a subnet or any IP address? Select an option from the drop down list box. Start IP Address: Enter the single IP address or the starting IP address in a range here.
  • Page 192: Timeout

    When you have finished, click Apply to save your customized settings and exit this screen, Cancel to exit this screen without saving, or Help for online HTML help on fields in this screen. 16.6 Timeout: The fields in the Timeout screens are the same for Local and Internet networks, so the... 16.6.1 Factors Influencing Choices for Timeout Values: The factors influencing choices for timeout values are the same as the factors influencing choices for threshold values –...
  • Page 193: Figure 16-6 Timeout Screen

    Figure 16-6 Timeout Screen
  • Page 194 Table 16-5 Timeout Menu. Field TCP Timeout Values: Connection Timeout: This is the length of time the Prestige waits for a TCP session to reach the established state before dropping the session. Further fields: FIN-Wait Timeout, Idle Timeout, UDP Idle Timeout, ICMP Timeout, Help. When you have finished, click on Apply to apply your changes.
  • Page 195: Figure 17-1 Custom Ports

    Chapter 17 Custom Ports. 17.1 Introduction: You will need to configure customized ports for services not included in the services provided in the scrolling list box in the screen shown in Figure 16-4. For further information on these services, please read section 16.4.
  • Page 196: Creating/Editing A Custom Port

    Table 17-1 Custom Ports. Field Customized Services, Protocol, Add a New Entry, Edit, Delete, Help. When you have finished viewing this screen, click another link to exit. 17.2 Creating/Editing A Custom Port: Click Edit to create a new custom port or edit an existing one. This displays the following screen.
  • Page 197: Figure 17-2 Creating/Editing A Custom Port

    Figure 17-2 Creating/Editing A Custom Port. The next table describes the fields in this screen.
  • Page 198 Table 17-2 Field Service Name, Service Type, Port Configuration Type, Port Number. When you have finished, click Apply to save your customized settings and exit this screen, Cancel to exit this screen without saving, or Help for online HTML help on fields in this screen.
  • Page 199: Chapter 18 Logs

    Chapter 18 Logs. 18.1 Log Screen: When you configure a new rule you also have the option to log events that match, don’t match (or both) this rule (see Figure 16-4). Click on Logs to bring up the next screen. Firewall logs may also be viewed in SMT Menu 21.3 (see section 14.1.1) or via syslog (SMT Menu 24.3.2 - System Maintenance - UNIX Syslog).
  • Page 200: Chapter 13 For A More Detailed

    First field: This is the index number of the firewall log. 128 entries are available, numbered from 0 to 127. Once they are all used, the log will wrap around and the old logs will be lost. Time: This is the time the log was recorded, in this format.
  • Page 201 When you have finished viewing this screen, click another link to exit.
  • Page 203: Chapter 19 Example Firewall Rules

    19.1 Examples Please note that whenever you open a hole in the firewall to forward a service from the Internet to the local network, and NAT is also enabled, you may have to also configure a server behind NAT using SMT menu 15.2.
  • Page 204: Figure 19-1 Activate The Firewall

    Check here to activate the firewall. You may also activate the firewall in SMT menu 21.2. Figure 19-1 Activate The Firewall. Step 2. Now we configure our E-mail screen as follows. Click the E-Mail tab to bring up the next screen.
  • Page 205: Figure 19-2 Example 1 – E-Mail Screen

    Figure 19-2. Step 3. Now we configure our firewall rule as shown in the following screen. The default firewall blocks all Internet traffic entering our local network, but we want to create a hole for web service from the Internet. Go to the Rule Summary screen under the (click Internet). Configure this screen as shown in Figure 19-3.
  • Page 206: Figure 19-3 Example 1 – Configuring A Rule

    This is an Internet to Local Network rule. We want to forward the packet when it matches this rule (remember the default is to block all packets from the Internet), log packets that match this rule and send alerts when this happens.
  • Page 207: Figure 19-4 Example 1: Destination Address For Traffic Originating From The Internet

    10.100.1.2 is the IP of our server on the LAN (supporting FTP, HTTP, Telnet and mail services) to which we wish to forward traffic originating from the Internet. Figure 19-4 Example 1: Destination Address for Traffic Originating From The Internet
  • Page 208: Example 2 - Small Office With Mail, Ftp And Web Servers

    The first rule is a default rule to allow DHCP negotiation between the ISP and the P312. The second rule is what we configured in the last 2 screens. See Table 16-2 for a detailed explanation of each field. Figure 19-5. 19.1.2 Example 2 –...
  • Page 209: Figure 19-6 Send Alerts When Attacked

    Step 1. First we want to send alerts when there is an attack. Go to the Attack Alert screen (click Configuration, then the Attack Alert tab) shown next. Figure 19-6 Step 2. Configure the E-Mail screen as shown in example 1 – our mail server’s IP is 192.168.10.2. Step 3.
  • Page 210: Figure 19-7 Configuring A Pop Custom Port

    Figure 19-7. Step 4. Now, we will create rules to block all outgoing traffic (from the local network to the Internet) except for traffic originating from the HTTP proxy server and our mail server. Click Internet to see the Rule Summary screen.
  • Page 211 We want to forward packets that match these rules. Figure 19-8 Step 6. Similarly configure another local network to Internet rule allowing traffic from our web (HTTP) proxy server. Step 7. The Rule Summary screen should look like Figure 19-9. Don’t forget to click Apply when you have finished configuring your rule(s) to save your settings back to the Prestige.
  • Page 212: Figure

    Rule 1 forwards SMTP and POP traffic from our mail server and Rule 2 forwards HTTP traffic from the proxy web server. We don’t want a log. Figure 19-9. Step 8. Now we want an FTP server (IP of 192.168.10.3) to be accessible from the Internet. Remember the default Internet to Local Network ACL set blocks all traffic from the Internet, so we want to create a hole for this server.
  • Page 213: Example 3: Dhcp Negotiation And Syslog Connection From The Internet

    This is the IP of our FTP server to which we want to forward traffic from the Internet. Figure 19-10 19.1.3 Example 3: DHCP Negotiation and Syslog Connection from the Internet The following are some Internet firewall rules examples to: Allow DHCP negotiation between the ISP and the P312.
  • Page 214: Figure

    Step 2. Follow the procedures outlined in the previous examples to configure all your rules. When finished, your rule summary screen should look like the following. Figure 19-11 Custom Port for Syslog. Custom ports show up with an “*”...
  • Page 215: Syslog Rule Configuration

    Figure 19-12 Syslog Rule Configuration. This is the address range of the syslog servers. This is our Syslog custom port. Click Apply when finished.
  • Page 216: Figure 19-13 Example 3 Rule Summary

    Rule 1: Allow DHCP negotiation between the ISP and the P312. Rule 2: Allow a syslog connection from the WAN. Click Apply to save your settings back to the Prestige. Figure 19-13 Example 3 Rule Summary
  • Page 217: Chapter 20 Content Filtering

    Chapter 20 Content Filtering. The Prestige can block web features such as ActiveX controls, Java applets and cookies, as well as disable web proxies. The Prestige can also block specific URLs by using the keyword feature. Please note that content filtering means the ability to block certain web features or specific URLs and should not be confused with packet filtering via SMT menu 21.1.
  • Page 218: Cookies

    20.1.3 Cookies: Cookies are used by Web servers to track usage. Cookies provide service based on ID. Unfortunately, cookies can be programmed not only to identify the visitor to the site, but also to track that visitor's activities. Because they represent a potential loss of privacy, some people may choose to block cookies.
  • Page 219: Figure 20-1 Content Filtering Screen

    Field Restrict Web Features: Check the box(es) to restrict that feature. When you download a page containing a restricted feature, that part of the web page will appear blank or grayed out. Block Web URLs: Enter a domain name as discussed above, then press Add Domain Name. The page reloads and the new domain name appears in the Block Web URLs box.
  • Page 220: Troubleshooting, Appendices, Glossary And Index

    Part V: Troubleshooting, Appendices, Glossary and Index. Chapter 21 provides information about solving common problems, followed by some Appendices, a Glossary of Terms and an Index.
  • Page 222: Chapter 21 Troubleshooting

    This chapter covers the potential problems you may run into and the possible remedies. After each problem description, some instructions are provided to help you to diagnose and to solve the... 21.1 Problems Starting Up the Prestige. Table 21-1 Problem: None of the LEDs are on when you power on the Prestige; Cannot access the Prestige via...
  • Page 223: Problems With The Lan Interface

    21.2 Problems with the LAN Interface. Table 21-2 Troubleshooting the LAN Interface. Problem: Can’t ping any workstation on the... 21.3 Problems with the WAN interface. Table 21-3 Problem: Cannot get WAN IP from the ISP; Can’t connect to a remote node or... Corrective Action...
  • Page 224: Problems With Internet Access

    21.4 Problems with Internet Access. Table 21-4 Problem: Cannot access the Internet. Corrective Action: Connect your Cable/xDSL modem with the Prestige using the appropriate cable. Check with the manufacturer of your Cable/xDSL modem about the cable requirement, because for some modems you may require a crossover cable and for others a regular patch cable.
  • Page 226: Appendix A PPPoE

    PPPoE in Action: An ADSL modem bridges a PPP session over Ethernet (PPP over Ethernet, RFC 2516) from your PC to an ATM PVC (Permanent Virtual Circuit) which connects to an xDSL Access Concentrator where the PPP session terminates (see the next figure). One PVC can support any number of PPP sessions from your LAN. PPPoE provides access control and billing functionality in a manner similar to dial-up services using PPP.
  • Page 227 How PPPoE Works: The PPPoE driver makes the Ethernet appear as a serial link to the PC and the PC runs PPP over it, while the modem bridges the Ethernet frames to the Access Concentrator (AC). Between the AC and an ISP, the AC acts as an L2TP (Layer 2 Tunneling Protocol) LAC (L2TP Access Concentrator) and tunnels the PPP frames to the ISP.
  • Page 228: Appendix B PPTP

    Appendix B PPTP. What is PPTP? PPTP (Point-to-Point Tunneling Protocol) is a Microsoft proprietary protocol (RFC 2637 for PPTP is informational only) to tunnel PPP frames. How can we transport PPP frames from a PC to a broadband modem over Ethernet? A solution is to build PPTP into the ANT (ADSL Network Termination) where PPTP is used only over the short haul between the PC and the modem over Ethernet.
  • Page 229 PNS and the PAC must have IP connectivity; however, the PAC must in addition have dial-up capability. The phone call is between the user and the PAC and the PAC tunnels the PPP frames to the PNS. The PPTP user is unaware of the tunnel between the PAC and the PNS.
  • Page 230: Appendix C Hardware Specifications

    Hardware Specifications. Power Specification: I/P AC 120V / 60Hz; O/P DC 12V 1200 mA. MTBF: 100000 hrs. Operation Temperature: 0º... Ethernet Specification for WAN/LAN. Console Port: RS – 232 Pin 9. Cable Pin Layout: Straight-Through (Switch): IRD +, IRD -, OTD +, OTD -.
  • Page 231: Appendix D Important Safety Instructions

    The following safety instructions apply to the Prestige: Be sure to read and follow all warning notices and instructions. The maximum recommended ambient temperature for the Prestige is 40ºC (104ºF). Care must be taken to allow sufficient air circulation or space between units when the Prestige is installed inside a closed rack assembly.
  • Page 232: Appendix E Firewall Cli Commands

    The following table describes the syntax used to configure your firewall using Command Line Interface (CLI) commands. Select option 24.8 Command Interpreter Mode from the Main Menu to go into CLI mode. For details on other CLI commands to configure your Prestige, please consult the supporting CD. Function / CLI Syntax: config edit firewall active <yes...
  • Page 233: Cli Commands

    Function / CLI Syntax:
    config edit firewall e-mail email-to <e-mail address>
    config edit firewall e-mail policy <full | hourly | daily | weekly>
    config edit firewall e-mail day <sunday | monday | tuesday | wednesday | thursday | friday | saturday>...
  • Page 234 Function / CLI Syntax:
    config edit firewall set <set #> default-permit <forward | block>
    config edit firewall set <set #> icmp-timeout <seconds>
    config edit firewall set <set #> udp-idle-timeout <seconds>
    config edit firewall set <set #> connection-timeout <seconds>
    config edit firewall set <set #> fin-wait-timeout <seconds>...
  • Page 235 Function / CLI Syntax:
    config edit firewall set <set #> rule <rule #> srcaddr-subnet <ip address> <subnet mask>
    config edit firewall set <set #> rule <rule #> srcaddr-range <start ip address> <end ip address>
    config edit firewall set <set #> rule <rule #>...
  • Page 236 Function / CLI Syntax and Description:
    config delete firewall e-mail: Removes all the settings for e-mail alert.
    config delete firewall attack: Resets all the settings for attack to default setting.
    config delete firewall set <set #>: Removes the specified set from the firewall configuration.
    config delete firewall set <set #> rule <rule #>: Removes the specified rule in a set from the firewall...
  • Page 237: Appendix F Power Adapter Specs

    North America. AC Power Adapter model MW48-1201200: Input power: AC 120 Volts / 60 Hz. Output power: DC 12 Volts / 1.2 A. Power consumption: 9 W. Plug: North American standards. Safety standards: UL, CUL (UL 1310, CSA C22.2 No. 233-M91). AC Power Adapter model AD48-1201200DUY: Input power: AC 120 Volts / 60 Hz. Output power: DC 12 Volts / 1.2 A. Power consumption: 9 W. Plug: North American standards...
  • Page 238 Japan. AC Power Adapter model JOD-48-1124: Input power: AC 100 Volts / 50/60 Hz / 27 VA. Output power: DC 12 Volts / 1.2 A. Power consumption: 9 W. Plug: Japan standards. Safety standards: T-Mark. Australia and New Zealand. AC Power Adapter model AD-1201200DS: Input power: AC 240 Volts / 50 Hz / 0.2 A. Output power: DC 12 Volts / 1.2 A. Power consumption: 9 W. Plug: Australia and New Zealand standards...
  • Page 239: Glossary Of Terms

    10BaseT: The 10-Mbps baseband Ethernet specification that uses two pairs of twisted-pair cabling (Category 3 or 5): one pair for transmitting data and the other for receiving data. Address Resolution Protocol: a protocol for mapping an Internet Protocol address (IP address) to a physical machine address that is recognized in the local network.
  • Page 240 Cookie A string of characters saved by a web browser on the user's hard disk. Many web pages send cookies to track specific user information. Cookies can be used to retain information as the user browses a web site. For example, cookies are used to 'remember' the items a shopper may have in a shopping cart.
  • Page 241 Digital Signature: Digital code that authenticates whoever signed the document or software. Software, messages, Email, and other electronic documents can be signed electronically so that they cannot be altered by anyone else. If someone alters a signed document, the signature is no longer valid.
  • Page 242 Events: These are network activities. Some activities are direct attacks on your system, while others might be, depending on the circumstances. Therefore, any activity, regardless of severity, is called an event. An event may or may not be a direct attack on your system. FAQ (Frequently Asked Questions): FAQs are documents that list and answer the most common questions on a particular subject.
  • Page 243 Integrity: Proof that the data is the same as originally intended. Unauthorized software or people have not altered the original information. internet (lower case i): Any time you connect 2 or more networks together, you have an internet.
  • Page 244 ...as a stream of bits. Name Resolution: The allocation of an IP address to a host name. See DNS. Network Address Translation: the translation of an Internet Protocol address used within one network to a different IP address known within another network; see also SUA.
  • Page 245 Plain Text: The opposite of Cipher Text, Plain Text is readable by anyone. Prestige Web Configurator: This is a web-based Prestige router (not all) configurator that includes an Internet Access Wizard, Advanced and Firewall (not all Prestige models) configurations. Post Office Protocol.
  • Page 246 ...system, meaning that an end-to-end private circuit is established between caller and callee. Public Key Encryption: System of encrypting electronic files using a key pair. The key pair contains a public key used during encryption, and a corresponding private key used during decryption. Permanent Virtual Circuit.
  • Page 247 SPAM: Unwanted e-mail, usually in the form of advertisements. Spoofing: To forge something, such as an IP address. IP Spoofing is a common way for hackers to hide their location and identity. SSL (Secured Socket Layer): Technology that allows you to send information that only the server can read. SSL allows servers and browsers to encrypt data as they communicate with each other.
  • Page 248 on a host system. Objects include directories and an assortment of file types, including text files, graphics, video, and audio. A URL is the address of an object that is normally typed in the Address field of a Web browser. The URL is basically a pointer to the location of an object.
  • Page 250: Index

    Action for Matched Packets ... 16-10 Activate The Firewall ... 19-2 ActiveX ... 20-1 Add Keyword ... 20-3 Alert Schedule ... 15-5 Application-level Firewalls ... 13-1 AT command ... 10-1 Attack Reasons ... 18-2 Attack Alert ... 15-7, 15-9, 15-10 Attack Types...
  • Page 251 E: Encapsulation PPP over Ethernet... Ethernet Encapsulation 3-8, 4-1, 4-5, 4-6, 4-10, 6-11, 6-12 Example E-Mail Log ...15-6 Examples ...19-1 Factory Default...2-11 Filename Conventions...10-1 Filter ... 2-12, 4-9, 7-1 About... 7-1 Applying... 7-17 Configuring ... 7-4 Example...
  • Page 252 LAN Setup ...2-6, 2-11, 2-12, 3-4, 3-5 LAN to WAN Rules ... 16-3 LAND... 13-4, 13-5, 14-2 Local Network Rule Summary ... 16-6 log... 9-5 Log Facility ... 9-7 Log Screen ... 18-1 Login screen ... 15-1 MAC Address ... 2-11, 21-2 Mail Server ...15-5 Main Menu...
  • Page 253 Safety Instructions... J saving the state ...13-6 Security In General ...13-10 Security Ramifications...16-2 Send Alerts When Attacked ...19-7 Server 1-2, 3-3, 3-6, 3-9, 4-2, 6-3, 6-6, 6-8, 6-10, 6-11, 6-11, 6-12, 6-13, 6-15, 6-16, 11-5, R, X, Y Service ...16-2 Service Type ...3-9, 4-2, 6-11, 6-12, 17-4, 21-2 Services Supported...16-5...
  • Page 254 WAN Setup...2-6, 2-10, 2-11, 21-2 WAN to LAN Rules ... 16-3 Web Configurator ... 13-9 Web Proxy ... 20-2 Welcome screen... 15-1 xDSL modem... 1-3, 1-4, 2-3, 2-4, 4-3, 21-2, 21-3 XMODEM protocol ...10-2 ZyNOS ...2-11, 6-4, 6-6, 9-3, 9-5, 10-1, 10-2 ZyNOS F/W Version...