Copyright
ZyXEL Communications Corporation. Published by ZyXEL Communications Corporation. All rights reserved.
Disclaimer
ZyXEL does not assume any liability arising out of the application or use of any products, or software described herein.
ZyWALL 10~100 Series Internet Security Gateway
Federal Communications Commission (FCC) Interference Statement
This device complies with Part 15 of FCC rules. Operation is subject to the following two conditions:
1. This device may not cause harmful interference.
2. This device must accept any interference received, including interference that may cause undesired operations.
Information for Canadian Users
The Industry Canada label identifies certified equipment. This certification means that the equipment meets certain telecommunications network protective, operation, and safety requirements. Industry Canada does not guarantee that the equipment will operate to a user's satisfaction. Before installing this equipment, users should ensure that it is permissible to be connected to the facilities of the local telecommunications company.
ZyXEL Limited Warranty
ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials or workmanship for a period of up to two years from the date of purchase. During the warranty period, and upon proof of purchase, should the product have indications of failure due to faulty workmanship and/or materials, ZyXEL will, at its discretion, repair or replace the defective products or components without charge for either parts or labor, and to whatever extent it shall deem necessary to restore the product or components to...
Table of Contents
Copyright ... ii
Federal Communications Commission (FCC) Interference Statement ... iii
Information for Canadian Users ... iv
ZyXEL Limited Warranty ... v
Customer Support ... vi
List of Diagrams ... ix
List of Charts ... x
Preface ... xii
General Information ... I
Chapter 1 Setting up Your Computer’s IP Address ... 1-1
Chapter 2 Triangle Route ...
Index ... A
List of Diagrams
Diagram 2-1 Ideal Setup ... 2-1
Diagram 2-2 “Triangle Route” Problem ... 2-2
Diagram 2-3 IP Alias ... 2-2
Diagram 2-4 Gateways on the WAN Side ... 2-3
Diagram 3-1 Big Picture— Filtering, Firewall, VPN and NAT ... 3-1
Diagram 4-1 Peer-to-Peer Communication in an Ad-hoc Network ...
About Your ZyWALL Congratulations on your purchase of the ZyWALL Security Gateway. About This User's Manual This manual is designed to provide background information on some of the ZyWALL’s features. It also includes commands for use with the command interpreter. This manual may refer to the ZyWALL Internet Security Gateway as the ZyWALL.
Syntax Conventions
• “Enter” means for you to type one or more characters and press the carriage return. “Select” or “Choose” means for you to use one of the predefined choices.
• The SMT menu titles and labels are in Bold Times New Roman font.
• ...
General Information Part I: General Information This part provides background information about setting up your computer’s IP address, triangle route, how functions are related, wireless LAN, 802.1x, PPPoE, PPTP and IP subnetting.
Chapter 1 Setting up Your Computer’s IP Address
All computers must have a 10M or 100M Ethernet adapter card and TCP/IP installed. Windows 95/98/Me/NT/2000/XP, Macintosh OS 7 and later operating systems and all versions of UNIX/LINUX include the software components you need to install and use TCP/IP on your computer.
The Network window Configuration tab displays a list of installed components. You need a network adapter, the TCP/IP protocol and Client for Microsoft Networks. If you need the adapter: In the Network window, click Add. Select Adapter and then click Add. Select the manufacturer and model of your network adapter and then click OK.
Click the IP Address tab.
- If your IP address is dynamic, select Obtain an IP address automatically.
- If you have a static IP address, select Specify an IP address and type your information into the IP Address and Subnet Mask fields.
Click the DNS Configuration tab.
Click the Gateway tab.
- If you do not know your gateway’s IP address, remove previously installed gateways.
- If you have a gateway IP address, type it in the New gateway field and click Add.
Click OK to save and close the TCP/IP Properties window. Click OK to close the Network window.
For Windows XP, click start, Control Panel. In Windows 2000/NT, click Start, Settings, Control Panel. For Windows XP, click Network Connections. For Windows 2000/NT, click Network and Dial-up Connections. Right-click Local Area Connection and then click Properties.
Select Internet Protocol (TCP/IP) (under the General tab in Win XP) and click Properties. The Internet Protocol TCP/IP Properties window opens (the General tab in Windows XP).
- If you have a dynamic IP address, click Obtain an IP address automatically.
- If you have a static IP address, click Use the following IP Address and fill in the IP address, Subnet mask, and Default gateway fields.
- If you do not know your gateway's IP address, remove any previously installed gateways in the IP Settings tab and click OK.
Do one or more of the following if you want to configure additional IP addresses:
- In the IP Settings tab, in IP addresses, click Add.
In the Internet Protocol TCP/IP Properties window (the General tab in Windows XP):
- Click Obtain DNS server address automatically if you do not know your DNS server IP address(es).
- If you know your DNS server IP address(es), click Use the following DNS server addresses, and type them in the Preferred DNS server and Alternate DNS server fields.
Click the Apple menu, Control Panel and double-click TCP/IP to open the TCP/IP Control Panel. Select Ethernet built-in from the Connect via list. For dynamically assigned settings, select Using DHCP Server from the Configure: list.
For statically assigned settings, do the following:
- From the Configure box, select Manually.
- Type your IP address in the IP Address box.
- Type your subnet mask in the Subnet mask box.
- Type the IP address of your ZyWALL in the Router address box.
Close the TCP/IP Control Panel.
Click Network in the icon bar.
- Select Automatic from the Location list.
- Select Built-in Ethernet from the Show list.
- Click the TCP/IP tab.
For dynamically assigned settings, select Using DHCP from the Configure list.
For statically assigned settings, do the following:
- From the Configure box, select Manually.
The Ideal Setup When the firewall is on, your ZyWALL acts as a secure gateway between your LAN and the Internet. In an ideal network topology, all incoming and outgoing network traffic passes through the ZyWALL to protect your LAN against attacks. The “Triangle Route”...
The “Triangle Route” Solutions
This section presents two solutions to the “triangle route” problem.
IP Aliasing
IP alias allows you to partition your network into logical sections over the same Ethernet interface. Your ZyWALL supports up to three logical LAN interfaces, with the ZyWALL being the gateway for each logical network.
Gateways on the WAN Side
A second solution to the “triangle route” problem is to put all of your network gateways on the WAN side as the following figure shows. This ensures that all incoming network traffic passes through your ZyWALL to your LAN.
Chapter 3 The Big Picture
The following figure gives an overview of how filtering, the firewall, VPN and NAT are related.
Diagram 3-1 Big Picture— Filtering, Firewall, VPN and NAT
Wireless LAN and IEEE 802.11 A wireless LAN (WLAN) provides a flexible data communications system that you can use to access various services (navigating the Internet, email, printer services, etc.) without the use of a cabled connection. In effect a wireless LAN environment provides you the freedom to stay connected to the network while roaming around in the coverage area.
The IEEE 802.11 specifies three different transmission methods for the PHY, the layer responsible for transferring data between nodes. Two of the methods use spread spectrum RF signals, Direct Sequence Spread Spectrum (DSSS) and Frequency-Hopping Spread Spectrum (FHSS), in the 2.4 to 2.4825 GHz unlicensed ISM (Industrial, Scientific and Medical) band.
Diagram 4-1 Peer-to-Peer Communication in an Ad-hoc Network
Infrastructure Wireless LAN Configuration
For Infrastructure WLANs, multiple Access Points (APs) link the WLAN to the wired network and allow users to efficiently share network resources. The Access Points not only provide communication with the wired network but also mediate wireless network traffic in the immediate neighborhood.
... could be any type of network, it is almost invariably an Ethernet LAN. Mobile nodes can roam between Access Points and seamless campus-wide coverage is possible.
Diagram 4-2 ESS Provides Campus-Wide Coverage
Chapter 5 Wireless LAN With IEEE 802.1x
As wireless networks become popular for both portable computing and corporate networks, security is now a priority.
Security Flaws with IEEE 802.11
Wireless networks based on the original IEEE 802.11 have a poor reputation for safety. The IEEE 802.11b wireless access standard, first published in 1999, was based on the MAC address.
• Support for RADIUS (Remote Authentication Dial In User Service, RFC 2138, 2139) for centralized user profile and accounting management on a network RADIUS server.
• Support for EAP (Extensible Authentication Protocol, RFC 2486) that allows additional authentication methods to be deployed with no changes to the access point or the wireless clients.
PPPoE in Action An ADSL modem bridges a PPP session over Ethernet (PPP over Ethernet, RFC 2516) from your PC to an ATM PVC (Permanent Virtual Circuit), which connects to a DSL Access Concentrator where the PPP session terminates (see the next figure). One PVC can support any number of PPP sessions from your LAN. PPPoE provides access control and billing functionality in a manner similar to dial-up services using PPP.
How PPPoE Works
The PPPoE driver makes the Ethernet appear as a serial link to the PC and the PC runs PPP over it, while the modem bridges the Ethernet frames to the Access Concentrator (AC). Between the AC and an ISP, the AC acts as an L2TP (Layer 2 Tunneling Protocol) LAC (L2TP Access Concentrator) and tunnels the PPP frames to the ISP.
Chapter 7 PPTP
What is PPTP?
PPTP (Point-to-Point Tunneling Protocol) is a Microsoft proprietary protocol (RFC 2637 for PPTP is informational only) to tunnel PPP frames. How can we transport PPP frames from a PC to a broadband modem over Ethernet? A solution is to build PPTP into the ANT (ADSL Network Termination) where PPTP is used only over the short haul between the PC and the modem over Ethernet.
PPTP Protocol Overview
PPTP is very similar to L2TP, since L2TP is based on both PPTP and L2F (Cisco’s Layer 2 Forwarding). Conceptually, there are three parties in PPTP, namely the PNS (PPTP Network Server), the PAC (PPTP Access Concentrator) and the PPTP user.
Diagram 7-3 Example Message Exchange between PC and an ANT
PPP Data Connection
The PPP frames are tunneled between the PNS and PAC over GRE (General Routing Encapsulation, RFC 1701, 1702). The individual calls within a tunnel are distinguished using the Call ID field in the GRE header.
IP Addressing
Routers “route” based on the network number. The router that delivers the data packet to the correct destination host uses the host ID.
IP Classes
An IP address is made up of four octets (eight bits each), written in dotted decimal notation, for example, 192.168.1.1.
A class “B” address (16 host bits) can have 2^16 possible host IDs. A class “A” address (24 host bits) can have 2^24 possible host IDs. Since the first (high-order) bit of the first octet of a class “A” IP address must be “0”, the first octet of a class “A” address can have a value of 0 to 127.
With subnetting, the class arrangement of an IP address is ignored. For example, a class C address no longer has to have 24 bits of network number and 8 bits of host ID. With subnetting, some of the host ID bits are converted into network number bits.
The first three octets of the address make up the network number (class “C”). You want to have two separate networks. Divide the network 192.168.1.0 into two separate subnets by converting one of the host ID bits of the IP address to a network number bit.
192.168.1.0 with mask 255.255.255.128 is the subnet itself, and 192.168.1.127 with mask 255.255.255.128 is the directed broadcast address for the first subnet. Therefore, the lowest IP address that can be assigned to an actual host for the first subnet is 192.168.1.1 and the highest is 192.168.1.126. Similarly the host ID range for the second subnet is 192.168.1.129 to 192.168.1.254.
Subnet Address: 192.168.1.128, Broadcast Address: 192.168.1.191
Subnet Address: 192.168.1.192, Broadcast Address: 192.168.1.255
(The original tables list each IP address, the IP address in binary and the subnet mask in binary.)
Example Eight Subnets
Similarly use a 27-bit mask to create 8 subnets (001, 010, 011, 100, 101, 110). The following table shows class C IP address last octet values for each subnet (SUBNET / SUBNET ADDRESS). The following table is a summary for class “C” (NO. “BORROWED” HOST BITS ...).
Subnetting With Class A and Class B Networks
For class “A” and class “B” addresses the subnet mask also determines which bits are part of the network number and which are part of the host ID. A class “B”...
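As an added worked example (not code from the ZyXEL manual), the following Python carries the chapter's subnetting arithmetic for 192.168.1.0 through in code: it borrows host ID bits to derive each subnet's address, usable host range and directed broadcast, and renders the dotted binary address and mask forms the chapter's tables use. It generalizes beyond the 1-bit and 3-bit cases on the page to any number of borrowed bits.

```python
# Added example, not from the ZyXEL manual: subnetting by converting host ID
# bits into network number bits, as the chapter does for 192.168.1.0.
from typing import List, Tuple


def ip_to_int(ip: str) -> int:
    """Parse dotted decimal into a 32-bit integer, rejecting malformed input."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {ip}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def dotted_binary(ip: str) -> str:
    """Dotted binary form as shown in the chapter's IP Address (Binary) columns."""
    return ".".join(format((ip_to_int(ip) >> s) & 0xFF, "08b") for s in (24, 16, 8, 0))


def mask_from_prefix(prefix: int) -> int:
    """32-bit mask with the top `prefix` bits set (25 -> 255.255.255.128)."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be 0..32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def subnets(network: str, base_prefix: int, borrowed: int) -> List[Tuple[str, str, str, str]]:
    """Split network/base_prefix by borrowing `borrowed` host bits.

    Returns one (subnet address, first host, last host, broadcast) tuple per
    subnet. Host bits in `network` are ignored, as a router would ignore them.
    """
    new_prefix = base_prefix + borrowed
    if borrowed < 0 or new_prefix > 30:
        # With fewer than 2 host bits left, no address is usable for a host.
        raise ValueError("borrowed bits would leave no usable host addresses")
    base = ip_to_int(network) & mask_from_prefix(base_prefix)
    block = 1 << (32 - new_prefix)  # number of addresses in each subnet
    result = []
    for i in range(1 << borrowed):
        start = base + i * block          # subnet address (all host bits 0)
        broadcast = start + block - 1     # directed broadcast (all host bits 1)
        result.append((int_to_ip(start), int_to_ip(start + 1),
                       int_to_ip(broadcast - 1), int_to_ip(broadcast)))
    return result


if __name__ == "__main__":
    for borrowed in (1, 3):  # the chapter's 25-bit and 27-bit mask examples
        mask = int_to_ip(mask_from_prefix(24 + borrowed))
        print(f"\n192.168.1.0 with mask {mask} ({dotted_binary(mask)}):")
        for net, first, last, bcast in subnets("192.168.1.0", 24, borrowed):
            print(f"  subnet {net:<14} hosts {first}-{last:<14} broadcast {bcast}")
```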
Command and Log Information Part II: Command and Log Information This part provides information on the command interpreter interface, firewall and NetBIOS commands and logs and password protection.
The following describes how to use the command interpreter. Enter 24 in the main menu to bring up the system maintenance menu. Enter 8 to go to Menu 24.8 - Command Interpreter Mode. See the included disk or zyxel.com for more detailed information on these commands. Use of undocumented commands or misconfiguration can damage the unit and...
Command Syntax
The command keywords are in Courier New font.
The following describes the firewall commands. See the Command Interpreter appendix for information on the command structure.
FUNCTION
- config edit firewall active <yes | no>
- config retrieve firewall
- config save firewall
- config display firewall
- config display firewall set <set #>
- config display firewall set <set #>...
The following describes the NetBIOS packet filter commands. See the Command Interpreter appendix for information on the command structure.
Introduction
NetBIOS (Network Basic Input/Output System) packets are TCP or UDP broadcast packets that enable a computer to connect to and communicate with a LAN. For some dial-up services such as PPPoE or PPTP, NetBIOS packets cause unwanted calls.
This command gives a read-only list of the current NetBIOS filter modes for a ZyWALL that does not have DMZ.
=============== NetBIOS Filter Status ===============
Diagram 11-1 NetBIOS Display Filter Settings Command Without DMZ Example
Syntax: sys filter netbios disp
This command gives a read-only list of the current NetBIOS filter modes for a ZyWALL that has DMZ.
Chart 11-1 NetBIOS Filter Default Settings
NAME
- WAN to DMZ: This field displays whether NetBIOS packets are blocked or forwarded from the WAN to the DMZ.
- DMZ to LAN: This field displays whether NetBIOS packets are blocked or forwarded from the DMZ to the LAN.
- DMZ to WAN: This field displays whether NetBIOS packets are blocked or forwarded from the DMZ to the WAN.
<on|off> = For types 0 and 1, use on to enable the filter and block NetBIOS packets. Use off to disable the filter and forward NetBIOS packets. For type 6, use on to block NetBIOS packets from being sent through a VPN connection.
The BootModule AT commands execute from within the router’s bootup software, when debug mode is selected before the main router firmware (ZyNOS) is started. When you start up your ZyWALL, you are given a choice to go into debug mode by pressing a key at the prompt shown in the following screen. In debug mode you have access to a series of boot module commands, for example ATLC firmware) and...
... just answer OK
ATHE print help
ATBAx change baudrate. 1:38.4k, 2:19.2k, 3:9.6k 4:57.6k 5:115.2k
ATENx,(y) set BootExtension Debug Flag (y=password)
ATSE show the seed of password generator
ATTI(h,m,s) change system time to hour:min:sec or show current time
ATDA(y,m,d) change system date to year/month/day or show current date
ATDS dump RAS stack
ATDT...
LOG MESSAGE
- %s exceeds the max. number of session per host!
LOG MESSAGE
- Time calibration is successful
- Time calibration failed
- DHCP client gets %s
- DHCP client IP expired
- DHCP server assigns
- SMT Login Successfully
- SMT Login Fail
- WEB Login Successfully
- WEB Login Fail
- TELNET Login Successfully
- TELNET Login Fail
- FTP Login Successfully
- FTP Login Fail
- NAT Session Table is Full!
LOG MESSAGE
- UPnP pass through Firewall
CATEGORY / LOG MESSAGE
- URLFOR: IP/Domain Name
- URLBLK: IP/Domain Name
- JAVBLK: IP/Domain Name
LOG MESSAGE
- attack TCP
- attack UDP
Chart 13-2 System Maintenance Logs
- Someone has failed to log on to the router via telnet.
LOG MESSAGE
- attack IGMP
- attack ESP
- attack GRE
- attack OSPF
- attack ICMP (type:%d, code:%d)
- land TCP
- land UDP
- land IGMP
- land ESP
- land GRE
- land OSPF
- land ICMP (type:%d, code:%d)
- ip spoofing - WAN TCP
- ip spoofing - WAN UDP
- ip spoofing - WAN IGMP
- ip spoofing - WAN ESP...
LOG MESSAGE
- syn flood TCP
- ports scan TCP
- teardrop TCP
- teardrop UDP
- teardrop ICMP (type:%d, code:%d)
- illegal command TCP
- NetBIOS TCP
- ip spoofing - no routing entry TCP
- ip spoofing - no routing entry UDP
- ip spoofing - no routing entry IGMP
- ip spoofing - no routing entry ESP
- ip spoofing - no...
LOG MESSAGE
- Filter match DROP <set %d/rule %d>
- Filter match DROP <set %d/rule %d>
- Filter match DROP <set %d/rule %d>
- Filter match FORWARD <set %d/rule %d>
- Filter match FORWARD <set %d/rule %d>
- Filter match FORWARD <set %d/rule %d>
- Filter match FORWARD <set %d/rule %d>...
LOG MESSAGE
- Firewall sent TCP reset packets
- Packet without a NAT table entry blocked
- Out of order TCP handshake packet blocked
- Drop unsupported/out-of-order ICMP
- Router sent ICMP response packet (type:%d, code:%d)
ACL SET DIRECTION NUMBER
- LAN to WAN
- WAN to LAN
- DMZ to LAN
- DMZ to WAN
- WAN to DMZ...
- DMZ to DMZ/ZyWALL
ICMP TYPE / CODE
- Echo Reply: Echo reply message
- Destination Unreachable: Net unreachable; Host unreachable; Protocol unreachable; Port unreachable; A packet that needed fragmentation was dropped because it was set to Don't Fragment (DF); Source route failed
- Source Quench...
- Echo message
- Time Exceeded: Time to live exceeded in transit; Fragment reassembly time exceeded
- Parameter Problem: Pointer indicates the error
- Timestamp: Timestamp request message
- Timestamp Reply: Timestamp reply message
- Information Request: Information request message
- Information Reply: Information reply message
LOG MESSAGE
- Mon dd hr:mm:ss hostname src="<srcIP:srcPort>"...
Diagram 13-1 Example VPN Initiator IPSec Log (index/date-time listing of 01 Jan 08:02:22 through 08:02:26, ending with the prompt "Clear IPSec Log (y/n):")
VPN Responder IPSec Log
The following figure shows a typical log from the VPN connection peer.
The following table shows sample log messages during IKE key exchange.
Chart 13-10 Sample IKE Key Exchange Logs
LOG MESSAGE
- Send <Symbol> Mode request to <IP>
- Send <Symbol> Mode request to <IP>
- Recv <Symbol> Mode request from <IP>
- Recv <Symbol> Mode request from <IP>...
Chart 13-10 Sample IKE Key Exchange Logs (continued)
LOG MESSAGE
- !! Remote IP <IP start> / <IP end> conflicts
- !! Active connection allowed exceeded
- !! IKE Packet Retransmit
- !! Failed to send IKE Packet
- !! Too many errors! Deleting SA
- !! Phase 1 ID type mismatch
- !! Phase 1 ID content mismatch
- !! No known phase 1 ID type found...
- ... vs. My Local <IP address> -> <symbol> Error ID Info
The following table shows sample log messages during packet transmission.
Chart 13-11 Sample IPSec Logs During Packet Transmission
LOG MESSAGE
- !! WAN IP changed to <IP>
- !! Cannot find IPSec SA
- !! Cannot find outbound SA for rule <%d>...
The following table shows RFC-2408 ISAKMP payload types that the log displays. Please refer to the RFC for detailed information on each type.
Chart 13-12 RFC-2408 ISAKMP Payload Types
LOG DISPLAY: PROP, TRANS, CER_REQ, HASH, NONCE, NOTFY, ...
PAYLOAD TYPE: Security Association, Proposal, Transform, ...
Log Commands Go to the command interpreter interface (the Command Interpreter Appendix explains how to access and use the commands). Configuring What You Want the ZyWALL to Log Use the sys logs load command to load the log setting buffer that allows you to configure which logs the ZyWALL is to record.
Use the sys logs display [log category] command to show the logs in an individual ZyWALL log category. Use the sys logs clear command to erase all of the ZyWALL’s logs. Log Command Example This example shows how to set the ZyWALL to record the access logs and alerts and then view the results. ras>...
Brute-Force Password Guessing
The following describes the commands for enabling, disabling and configuring the brute-force password guessing protection mechanism for the password. See the Command Interpreter appendix for information on the command structure.
Chart 14-1 Brute-Force Password Guessing Protection Commands
COMMAND
- sys pwderrtm
- sys pwderrtm 0...
Index Part III: Index This part provides an Index of key terms.
Ad-hoc Configuration ... 4-2
Alternative Subnet Mask Notation ... 8-3
Basic Service Set ... 4-2
Big Picture ... 3-1
Bold Times font ... See Syntax Conventions
Boot commands ... 12-1
Broadband Access Security Gateway ... xii
BSS ... See Basic Service Set
Canada ... iv
Caution ...
Infrastructure Configuration ... 4-3
IP Addressing ... 8-1
IP Classes ... 8-1
Log Descriptions ... 13-1
Network Topology With RADIUS Server Example ... 5-2
Notice ... iii
Online Registration ... v
Packing List Card ... xii
PPTP ... 7-1
Read Me First ... xii
Related Documentation ... xii
Repairs ... v
Replacement ... v
Return Material Authorization Number ... v
RF signals ...