ZyXEL Communications ZYWALL IDP 10 User Manual

Intrusion detection prevention appliance
ZyWALL IDP 10
Intrusion Detection Prevention Appliance
User's Guide
Version 1
July 2004


Summary of Contents for ZyXEL Communications ZYWALL IDP 10

  • Page 1 ZyWALL IDP 10 Intrusion Detection Prevention Appliance User’s Guide Version 1 July 2004...
  • Page 2: Copyright

    Published by ZyXEL Communications Corporation. All rights reserved. Disclaimer ZyXEL does not assume any liability arising out of the application or use of any products, or software described herein. Neither does it convey any license under its patent rights nor the patent rights of others.
  • Page 3 Certifications 1. Go to www.zyxel.com. 2. Select your product from the drop-down list box on the ZyXEL home page to go to that product's page. 3. Select the certification you wish to view from this page.
  • Page 4: Information For Canadian Users

    ZyWALL IDP10 User’s Guide Information for Canadian Users The Industry Canada label identifies certified equipment. This certification means that the equipment meets certain telecommunications network protective, operation, and safety requirements. The Industry Canada does not guarantee that the equipment will operate to a user's satisfaction. Before installing this equipment, users should ensure that it is permissible to be connected to the facilities of the local telecommunications company.
  • Page 5: Zyxel Limited Warranty

    ZyXEL shall in no event be held liable for indirect or consequential damages of any kind of character to the purchaser.
  • Page 6: Customer Support

    Brief description of the problem and the steps you took to solve it. METHOD SUPPORT E-MAIL TELEPHONE WEB SITE REGULAR MAIL SALES E-MAIL FTP SITE LOCATION WORLDWIDE support@zyxel.com.tw +886-3-578-3942 www.zyxel.com ZyXEL Communications Corp. 6 Innovation Road II www.europe.zyxel.com Science Park Hsinchu 300 sales@zyxel.com.tw +886-3-578-2439 ftp.zyxel.com Taiwan ftp.europe.zyxel.com NORTH support@zyxel.com +1-800-255-4101 www.us.zyxel.com...
  • Page 7: Table Of Contents

    Information for Canadian Users..................... iv ZyXEL Limited Warranty ......................... v Customer Support.......................... vi Preface............................xii Getting Started ...........................I Chapter 1 Introducing the ZyWALL IDP 10..................1-1 Introduction ........................1-1 Features ...........................1-2 Application Examples.......................1-3 Chapter 2 Introducing the Web Configurator................2-1 Web Configurator Overview.....................2-1 Accessing the ZyWALL Web Configurator...............2-1...
  • Page 8 ZyWALL IDP10 User’s Guide mySecurity Zone ......................6-1 Signature Categories ...................... 6-2 Configuring Pre-defined Policies................... 6-13 Update........................... 6-19 User-defined Policies ....................6-20 Registering your ZyWALL ..................... 6-28 Log and Report..........................IV Chapter 7 Log and Report ......................7-1 Logs..........................7-1 Report..........................
  • Page 9 ZyWALL IDP10 User’s Guide List of Figures Figure 1-1 ZyWALL ............................1-1 Figure 1-2 Installation Example 1........................1-3 Figure 1-3 Installation Example 2........................1-4 Figure 1-4 Installation Example 3........................1-5 Figure 1-5 Installation Example 4........................1-6 Figure 2-1 Default Web Configurator IP Address ....................2-1 Figure 2-2 Login Screen ............................
  • Page 10 ZyWALL IDP10 User’s Guide Figure 6-11 Porn Signatures ..........................6-11 Figure 6-12 Others Signatures ..........................6-12 Figure 6-13 Pre-defined IDP Policies Summary....................6-14 Figure 6-14 Search Example ..........................6-17 Figure 6-15 Query Example ..........................6-17 Figure 6-16 Pre-defined Policies: Modify ......................6-18 Figure 6-17 Update Policies ..........................6-19 Figure 6-18 User-defined Policies ........................6-21 Figure 6-19 Configuring a User-defined IDP Policy ..................6-24 Figure 6-20 Registering ZyWALL........................6-29...
  • Page 11 ZyWALL IDP10 User’s Guide List of Tables Table 2-1 Web Configurator HOME Screen ......................2-4 Table 2-2 Screens Summary ..........................2-5 Table 2-3 Example Configuration Settings ......................2-6 Table 3-1 General: Device ........................... 3-2 Table 3-2 General: VLAN............................ 3-3 Table 3-3 General: State............................3-4 Table 4-1 Interface: Link............................
  • Page 12: Preface

    ZyWALL IDP10 User’s Guide Preface About This User's Manual Congratulations on your purchase of the ZyWALL IDP 10 Intrusion Detection Prevention Appliance. This manual is designed to guide you through the configuration of your ZyWALL for its various applications.
  • Page 13 User’s Guide Feedback Help us help you. E-mail all User’s Guide-related comments, questions or suggestions for improvement to techwriters@zyxel.com.tw or send regular mail to The Technical Writing Team, ZyXEL Communications Corp., 6 Innovation Road II, Science-Based Industrial Park, Hsinchu, 300, Taiwan.
  • Page 14: Getting Started

    Getting Started Getting Started This part introduces intrusions, ZyWALL features, applications and the web configurator.
  • Page 15: Chapter 1 Introducing The Zywall Idp 10

    ZyWALL IDP10 User’s Guide Chapter 1 Introducing the ZyWALL IDP 10 This chapter introduces the main features and applications of the ZyWALL. Introduction An IDP system can detect malicious or suspicious packets and respond instantaneously. It can detect anomalies based on violations of protocol standards (RFCs, Requests for Comments) or of traffic flows, and abnormal flows such as port scans.
  • Page 16: Features

    Multiple string match. IP/TCP/UDP/ICMP and IGMP packet filters that block suspect attack sources. Firmware Upgrade: automatically schedule download and upgrade. Logs & Reports: automatically schedule reports sent by e-mail. Alarms are urgent notifications of attacks. Introducing the ZyWALL IDP 10...
  • Page 17: Application Examples

    LAN computers from network intrusions from the Internet. However, it does not protect the DMZ servers from intrusions from the LAN (and vice versa), and the ZyWALL itself is vulnerable, as it does not receive firewall protection. Figure 1-2 Installation Example 1 Introducing the ZyWALL IDP 10...
  • Page 18: Figure 1-3 Installation Example 2

    Internet and the DMZ servers from intrusions from the LAN (and vice versa). The ZyWALL itself receives firewall protection too. However, it does not protect the firewall (B) nor the DMZ servers from intrusions from the Internet. Figure 1-3 Installation Example 2 Introducing the ZyWALL IDP 10...
  • Page 19: Figure 1-4 Installation Example 3

    Internet and also from intrusions from the LAN (and vice versa). The ZyWALL itself receives firewall protection too. However, it does not protect the LAN computers nor the firewall (B) from intrusions from the Internet. Figure 1-4 Installation Example 3 Introducing the ZyWALL IDP 10...
  • Page 20: Figure 1-5 Installation Example 4

    Internet and from each other. ZyWALLs (A1 and A3) also receive firewall protection. ZyWALL (A2) protects the firewall (B), DMZ servers (and LAN). However, ZyWALL (A2) does not receive firewall protection. Figure 1-5 Installation Example 4 Introducing the ZyWALL IDP 10...
  • Page 21: Chapter 2 Introducing The Web Configurator

    ZyWALL IDP10 User’s Guide Chapter 2 Introducing the Web Configurator This chapter describes how to access the ZyWALL web configurator and provides an overview of its screens. Web Configurator Overview The embedded web configurator (eWC) allows you to manage the ZyWALL from anywhere through a browser such as Microsoft Internet Explorer or Netscape Navigator.
  • Page 22: Figure 2-2 Login Screen

    ZyWALL IDP10 User’s Guide Figure 2-2 Login Screen You should see a screen asking you to change your password (highly recommended) as shown next. Type a new password (and retype it to confirm) and click Apply or click Ignore. Figure 2-3 Change Password Screen You should now see the HOME screen (see Figure 2-4).
  • Page 23: Navigating The Zywall Web Configurator

    ZyWALL IDP10 User’s Guide The management session automatically times out when the time period set in the Administrator Inactivity Timer field expires. Simply log back into the ZyWALL if this happens to you. Navigating the ZyWALL Web Configurator The following summarizes how to navigate the web configurator from the HOME screen. Click the help icon (located in the top right corner of most screens) to view online help.
  • Page 24: Table 2-1 Web Configurator Home Screen

    ZyWALL IDP10 User’s Guide Table 2-1 Web Configurator HOME Screen LABEL DESCRIPTION Wizard… Click Quick Setup to start the ZyWALL setup wizard. Quick Setup Device Information System Name The system name identifies your device type. The system name should also be on a sticker on your device.
  • Page 25: Table 2-2 Screens Summary

    ZyWALL IDP10 User’s Guide Table 2-2 Screens Summary LINK FUNCTION HOME This screen shows the ZyWALL’s general device information. Use this screen to access the setup wizard. SYSTEM Access the GENERAL, INTERFACE and REMOTE MGMT links from here. GENERAL Device Use this screen to configure device TCP/IP settings and TCP idle timeout.
  • Page 26: Example Configuration Settings

    ZyWALL IDP10 User’s Guide Table 2-2 Screens Summary LINK FUNCTION Restart This screen allows you to reboot the ZyWALL without turning the power off. LOGOUT Click this link to log out of and exit the web configurator. For security reasons, you should do this after each management session. See the Quick Start Guide for information on using the wizard to configure the ZyWALL for the first time.
  • Page 27: General, Interface, And Remote Management

    General, Interface, and Remote Management General, Interface, and Remote Management This part covers configuration of the General, Interface, and Remote Management screens.
  • Page 29: Chapter 3 General Settings

    ZyWALL IDP 10 User’s Guide Chapter 3 General Settings This chapter describes how to configure the ZyWALL’s TCP, VLAN and State settings. Device Enter the ZyWALL IP address, subnet mask, gateway IP address and DNS server IP address in the next screen.
  • Page 30: Introduction To Vlans

    ZyWALL IDP 10 User’s Guide Table 3-1 General: Device LABEL DESCRIPTION System Name: Enter a descriptive name of up to 128 single-byte or double-byte characters for identification purposes. Administrator Inactivity Timer: Type how many minutes a management session (either via the web configurator or SSH) can be left idle before the session times out.
  • Page 31: Configuring Vlan On The Zywall

    ZyWALL IDP 10 User’s Guide TPID (2 bytes) | User Priority (3 bits) | CFI (1 bit) | VLAN ID (12 bits). TPID has a defined value of 8100 (hex). The first three bits of the TCI define user priority (giving eight priority levels). The CFI (Canonical Format Indicator) is a single-bit flag, always set to zero for Ethernet switches.
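    The tag layout described above (a 2-byte TPID of 0x8100 followed by a 16-bit TCI split into 3 bits of priority, 1 CFI bit and a 12-bit VLAN ID) is easy to get wrong when writing capture filters or log parsers. The following Python example is added here and is not part of the ZyXEL manual; it builds a constructed 802.1Q frame, parses it back, and applies the manual's own rule that a VLAN ID must lie between 1 and 4094 (0 and 4095 are reserved). The MAC addresses and payload are constructed sample values.

```python
import struct

# 802.1Q Tag Protocol Identifier, the fixed value the manual gives for TPID.
TPID_8021Q = 0x8100


def build_tagged_frame(dst: bytes, src: bytes, priority: int, cfi: int,
                       vid: int, ethertype: int, payload: bytes) -> bytes:
    """Assemble an Ethernet frame carrying one 802.1Q tag.

    TCI layout (most significant bit first): priority(3) | CFI(1) | VLAN ID(12).
    """
    if not (0 <= priority <= 7 and cfi in (0, 1) and 0 <= vid <= 0x0FFF):
        raise ValueError("priority, CFI or VLAN ID out of field range")
    tci = (priority << 13) | (cfi << 12) | vid
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Parse an Ethernet header and, when the EtherType field holds the 802.1Q
    TPID, split the following TCI into its three fields."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        # Untagged frame: the 16 bits after the addresses are the real EtherType.
        return {"tagged": False, "dst": dst.hex(":"), "src": src.hex(":"),
                "ethertype": ethertype, "payload": frame[14:]}
    if len(frame) < 18:
        raise ValueError("frame too short for an 802.1Q tag")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return {
        "tagged": True,
        "dst": dst.hex(":"),
        "src": src.hex(":"),
        "priority": (tci >> 13) & 0x7,   # top 3 bits: user priority (0-7)
        "cfi": (tci >> 12) & 0x1,        # next bit: Canonical Format Indicator
        "vid": tci & 0x0FFF,             # low 12 bits: VLAN ID
        "ethertype": inner_type,         # EtherType of the encapsulated payload
        "payload": frame[18:],
    }


def vlan_id_is_valid(vid: int) -> bool:
    """The manual's VLAN screen accepts IDs between 1 and 4094; 0 and 4095 are reserved."""
    return 1 <= vid <= 4094


# Constructed sample: broadcast destination, made-up source MAC, priority 5,
# CFI 0, VLAN 100, carrying an IPv4 (0x0800) payload placeholder.
SAMPLE_FRAME = build_tagged_frame(
    dst=bytes.fromhex("ffffffffffff"),
    src=bytes.fromhex("001122334455"),
    priority=5, cfi=0, vid=100, ethertype=0x0800,
    payload=b"\x45\x00" + b"\x00" * 18,
)

if __name__ == "__main__":
    info = parse_frame(SAMPLE_FRAME)
    print(info["priority"], info["cfi"], info["vid"], hex(info["ethertype"]))
    print("valid VLAN ID:", vlan_id_is_valid(info["vid"]))
```

    A parser that treats byte 12-13 as the EtherType without first checking for the TPID will misread every tagged frame, seeing 0x8100 as the protocol and the TCI as the start of the payload; the check in parse_frame is what keeps the VLAN ID and the inner EtherType in the right places.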
  • Page 32: Figure 3-3 General: State

    ZyWALL IDP 10 User’s Guide Table 3-2 General: VLAN LABEL DESCRIPTION between 1 and 4094. Apply Click this button to save your changes back to the ZyWALL. Reset Click this button to begin configuring this screen afresh. 3.3.1 State To change your ZyWALL’s State settings, click GENERAL, then the State tab.
  • Page 33: Chapter 4 Interface Screens

    ZyWALL IDP 10 User’s Guide Chapter 4 Interface Screens This chapter shows you how to configure the ZyWALL ports. 10/100M Auto-Sensing Ethernet Ports The ZyWALL supports 10/100Mbps auto-negotiating Ethernet. There are two factors related to the connection of two Ethernet ports: speed and duplex mode. In a 10/100Mbps fast Ethernet, the speed can be 10Mbps or 100Mbps and the duplex mode can be half duplex or full duplex.
  • Page 34: Stealth

    ZyWALL IDP 10 User’s Guide Table 4-1 Interface: Link LABEL DESCRIPTION Select the speed (10 or 100 Mbps) and duplex mode (Full, Half, Auto) for this port. Select the speed (10 or 100 Mbps) and duplex mode (Full, Half, Auto) for this port.
  • Page 35: Policy Check

    ZyWALL IDP 10 User’s Guide Table 4-2 Interface: Stealth LABEL DESCRIPTION Interface Stealth Setup WAN Port: Select ON to enable stealth on the WAN port. LAN Port: Select ON to enable stealth on the LAN port. Apply: Click this button to save your changes back to the ZyWALL.
  • Page 36: Figure 4-4 Interface: Policy Check

    ZyWALL IDP 10 User’s Guide Figure 4-4 Interface: Policy Check The following table describes the fields in this screen. Table 4-3 Interface: Policy Check LABEL DESCRIPTION Policy Check Setup WAN Port Select ON to have the ZyWALL check traffic coming into the WAN and out through the LAN against the ZyWALL policy rules (both pre-defined and user-defined).
  • Page 37: Chapter 5 Remote Management

    ZyWALL IDP 10 User’s Guide Chapter 5 Remote Management The remote management screens allow you to determine which ports are allowed web and SSH access, and to configure SNMP. Remote Management Overview Remote management allows you to determine which services can access which ZyWALL interface (if any) from which computers.
  • Page 38: Snmp

    ZyWALL IDP 10 User’s Guide The following table describes the fields in this screen. Table 5-1 Remote Management: WWW LABEL DESCRIPTION HTTP Server Access Select the interface(s) through which a computer may access the ZyWALL using this service. Define the rule for server access by selecting from the drop-down menu.
  • Page 39: Table 5-2 Snmp Traps

    ZyWALL IDP 10 User’s Guide An agent is a management software module that resides in a managed device (the ZyWALL). An agent translates the local management information from the managed device into a form compatible with SNMP. The manager is the console through which network administrators perform network management functions.
  • Page 40: Ssh Overview

    ZyWALL IDP 10 User’s Guide Figure 5-3 Remote Management: SNMP The following table describes the fields in this screen. Table 5-3 Remote Management: SNMP LABEL DESCRIPTION SNMP Configuration Get Community This is the “password” for the incoming Get and GetNext requests from the management station.
  • Page 41: Ssh (Secure Shell) Configuration

    ZyWALL IDP 10 User’s Guide Figure 5-4 SSH Communication Example 5.4.1 How SSH works The following table summarizes how a secure connection is established between two remote hosts. 1. Host Identification The SSH client sends a connection request to the SSH server. The server identifies itself with a host key.
  • Page 42: Figure 5-6 Remote Management: Ssh

    ZyWALL IDP 10 User’s Guide Figure 5-6 Remote Management: SSH The following table describes the fields in this screen. Table 5-4 Remote Management: SSH LABEL DESCRIPTION Server Access Select the interface(s) through which a computer may access the ZyWALL using this service.
  • Page 43: Figure 5-7 Putty Settings

    ZyWALL IDP 10 User’s Guide Enter the IP address of the ZyWALL. Click Open. Figure 5-7 PuTTY settings 4. You may see a PuTTY security alert next. Click Yes to continue. Figure 5-8 PuTTY Security Alert 5. You see the login screen of the ZyWALL next. Enter the username (default is “admin”) and password (default is “1234”) to log in.
  • Page 44: Figure 5-9 Zywall Command Interface Login Screen

    ZyWALL IDP 10 User’s Guide Figure 5-9 ZyWALL Command Interface Login Screen Remote Management...
  • Page 45: Idp

    This part covers configuration of the IDP Policy screens.
  • Page 47: Chapter 6 Idp Policies

    ZyWALL in one hour. mySecurity Zone mySecurity Zone is a web portal that provides all "security" related information for ZyXEL security products. You can find the policy description here that gives a detailed description about the intrusion for which the policy was written.
  • Page 48: Signature Categories

    ZyWALL IDP 10 User’s Guide Signature Categories This section defines some IDP terms used in the ZyWALL. See the appendices for more detailed information on IDP term definitions. The following are both the pre-defined (not editable) and user-defined signature categories (you may refer to these policy categories when categorizing your own user-defined rules).
  • Page 49: Figure 6-2 Im (Chat) Signatures

    ZyWALL IDP 10 User’s Guide 6.3.2 IM IM (Instant Messaging) refers to chat applications. Chat is real-time, text-based communication between two or more users via network-connected computers. After you enter a chat (or chat room), any room member can type a message that will appear on the monitors of all the other participants. To find a list of all IM signatures supported by the ZyWALL, do a policy search by name (IM or chat) or policy query by type (IM).
  • Page 50: Figure 6-3 Spam Signatures

    ZyWALL IDP 10 User’s Guide Figure 6-3 Spam Signatures 6.3.4 DoS/DDoS The goal of Denial of Service (DoS) attacks is not to steal information, but to disable a device or network on the Internet. A distributed denial-of-service (DDoS) attack is one in which multiple compromised systems attack a single target, thereby causing denial of service for users of the targeted system.
  • Page 51: Figure 6-5 Scan Signatures

    ZyWALL IDP 10 User’s Guide 6.3.5 Scan Scan refers to all port, IP or vulnerability scans. Hackers scan ports to find targets. They may use a TCP connect() call, SYN scanning (half-open scanning), Nmap etc. After a target has been found, a layer-7 scanner can be used to exploit vulnerabilities.
  • Page 52: Figure 6-6 Buffer Overflow Signatures

    ZyWALL IDP 10 User’s Guide Figure 6-6 Buffer Overflow Signatures 6.3.7 Virus/Worm A computer virus is a small program designed to corrupt and/or alter the operation of other legitimate programs. A worm is a program that is designed to copy itself from one computer to another on a network.
  • Page 53: Figure 6-7 Worm/Virus Signatures

    ZyWALL IDP 10 User’s Guide Figure 6-7 Worm/Virus Signatures 6.3.8 Backdoor/Trojan A backdoor (also called a trapdoor) is a software or hardware mechanism that can be triggered to gain hidden access to a program, online service or an entire computer system. A Trojan horse is a harmful program that is hidden inside apparently harmless programs or data.
  • Page 54: Figure 6-8 Backdoor/Trojan Signatures

    ZyWALL IDP 10 User’s Guide Figure 6-8 Backdoor/Trojan Signatures 6.3.9 Access Control Access control refers to procedures and controls that limit or detect access. Access control is used typically to control user access to network resources such as servers, directories, and files.
  • Page 55: Figure 6-9 Access Control Signatures

    ZyWALL IDP 10 User’s Guide Figure 6-9 Access Control Signatures 6.3.10 Web Attack Web attack signatures refer to attacks on web servers such as IIS. To find a list of all web attack related signatures supported by the ZyWALL, do a policy search by name or policy query by type (Web Attack).
  • Page 56: Figure 6-10 Web Attack Signatures

    ZyWALL IDP 10 User’s Guide Figure 6-10 Web Attack Signatures 6.3.11 Porn The ZyWALL can block web sites if their URLs contain certain pornographic words. It cannot block web pages containing those words if the associated URL does not. To find a list of all porn related signatures supported by the ZyWALL, do a policy search by name or policy query by type (Porn).
  • Page 57: Figure 6-11 Porn Signatures

    ZyWALL IDP 10 User’s Guide Figure 6-11 Porn Signatures 6.3.12 Others This category refers to signatures for attacks that do not fall into the previously mentioned categories. To find a list of all “others” related signatures supported by the ZyWALL, do a policy search by name or policy query by type (Others).
  • Page 58: Figure 6-12 Others Signatures

    ZyWALL IDP 10 User’s Guide Figure 6-12 Others Signatures 6.3.13 Policy Severity Intrusions are assigned a severity level based on the following table. The intrusion severity level then determines the default signature action (see Table 6-2). Table 6-1 Policy Severity...
  • Page 59: Configuring Pre-Defined Policies

    ZyWALL IDP 10 User’s Guide 6.3.14 Policy Actions Table 6-2 Policy Actions ACTION DESCRIPTION No Action The intrusion is detected and an alarm may be sent (if the Alarm check box is selected) but no other action is taken. If the Alarm check box is also cleared, it is recommended you simply disable the rule.
  • Page 60: Figure 6-13 Pre-Defined Idp Policies Summary

    ZyWALL IDP 10 User’s Guide Figure 6-13 Pre-defined IDP Policies Summary 6-14 IDP Policies...
  • Page 61: Table 6-3 Selecting Pre-Defined Policies

    ZyWALL IDP 10 User’s Guide Table 6-3 Selecting Pre-defined Policies LABEL DESCRIPTION Pre-defined Policy Group Setting Modify Click this button to display a screen where you can batch enable or disable policy types based on severity and/or target operating system. You can also batch enable or disable peer-to-peer, instant messaging and spam signature categories.
  • Page 62 ZyWALL IDP 10 User’s Guide Table 6-3 Selecting Pre-defined Policies LABEL DESCRIPTION Direction A policy rule direction refers to the intent of the policy rule. Incoming means the policy applies to traffic coming from the WAN to the LAN. Outgoing means the policy applies to traffic coming from the LAN to the WAN.
  • Page 63: Figure 6-14 Search Example

    ZyWALL IDP 10 User’s Guide Figure 6-14 Search Example 6.4.2 Query Example The following screen shows severe and high impact DoS/DDoS policies for intrusions that exploit vulnerabilities on Windows 2000 and Windows XP computers. Use the <CTRL> key to select multiple items.
  • Page 64: Figure 6-16 Pre-Defined Policies: Modify

    ZyWALL IDP 10 User’s Guide 6.4.3 Modify Screen Click Modify in Figure 6-13 to display a screen where you can batch enable or disable policy types based on severity and/or target operating system. You can also batch enable or disable peer-to-peer, instant messaging and spam signature categories (see section 6.3).
  • Page 65: Update

    ZyWALL IDP 10 User’s Guide Table 6-4 Pre-defined IDP Policies LABEL DESCRIPTION Application Group If ALL is cleared (not selected), you may choose to enable or disable policies based on their signature category (P2P, IM or SPAM, see section 6.3). The action determined under “application group”...
  • Page 66: User-Defined Policies

    DESCRIPTION Update Server Enter the IP address or URL of the IDP policy server (from which you download the updated IDP policies). The default server at the time of writing is updateidp.zyxel.com. It is also possible to use updateidp.zyxel.com.tw. Check Click this button to have the ZyWALL verify that the connection to the specified Update Server is valid.
  • Page 67: Figure 6-18 User-Defined Policies

    ZyWALL IDP 10 User’s Guide Edit Delete Figure 6-18 User-defined Policies Table 6-6 User-defined Policies LABEL DESCRIPTION Enable User-defined Policy: This checkbox must be selected to have the ZyWALL check traffic using your custom IDP rules. You may clear it to keep the rules but not have them applied to traffic.
  • Page 68 ZyWALL IDP 10 User’s Guide Table 6-6 User-defined Policies LABEL DESCRIPTION Enable Use this checkbox to enable or disable an individual user-defined rule without deleting it. Clear this checkbox to have the ZyWALL skip this (user-defined) rule when detecting intrusions.
  • Page 69 ZyWALL IDP 10 User’s Guide Table 6-6 User-defined Policies LABEL DESCRIPTION Export Select the rule(s) you want to export and then click the Export button. You are then prompted to save the file to your computer. A name is generated for the file but you may change this name to something more meaningful.
  • Page 70: Figure 6-19 Configuring A User-Defined Idp Policy

    ZyWALL IDP 10 User’s Guide “Policy attributions” “Packet contents” Figure 6-19 Configuring a User-defined IDP Policy 6-24 IDP Policies...
  • Page 71: Table 6-7 Configuring A User-Defined Idp Policy

    ZyWALL IDP 10 User’s Guide Table 6-7 Configuring a User-defined IDP Policy LABEL DESCRIPTION Attributions The “attributions” define the characteristics of the intrusion for which you’re configuring a policy. A traffic flow must match your operating system selections, your protocol definition and your repetition designation before your rule is invoked.
  • Page 72 ZyWALL IDP 10 User’s Guide Table 6-7 Configuring a User-defined IDP Policy LABEL DESCRIPTION Source IP Select whether the policy applies to source packets that match (Equal), don’t match (Not Equal), are within the range (In Set), are outside the range (Not In Set), have IP...
  • Page 73 ZyWALL IDP 10 User’s Guide Table 6-7 Configuring a User-defined IDP Policy LABEL DESCRIPTION Type Select whether the policy applies to IGMP types that match (Equal), don’t match (Not Equal), are greater than (>), or less than (<) the IGMP type you type in the text box that follows.
  • Page 74: Registering Your Zywall

    3. Register your ZyXEL product, for example the ZyWALL IDP 10. You will need the product serial number and authentication code (product MAC address), which should be found on a label in the package that contained the product.
  • Page 75: Figure 6-20 Registering Zywall

    ZyWALL IDP 10 User’s Guide 7. Paste the key generated in step 5 into the Registration screen and click Apply. Figure 6-20 Registering ZyWALL Table 6-8 Registering ZyWALL LABEL DESCRIPTION Registration Status This read-only label displays Unregistered even after you paste the Activation Key and click Apply in this screen.
  • Page 76 Log and Report Log and Report This part explains how to configure logs, set up reports and schedule alarms.
  • Page 77: Log And Report

    ZyWALL IDP 10 User’s Guide Chapter 7 Log and Report This chapter describes how to use the Log and Report screens. Logs To view logs and alert messages, click LOGS under the LOG & REPORT heading in the MAIN MENU of the Web Configurator.
  • Page 78: Chapter 7 Log And Report

    ZyWALL IDP 10 User’s Guide Table 7-1 View Log LABEL DESCRIPTION Logs Display Select a log category from the drop down list box to display logs within the selected category: All Logs (view all logs) System Log (view logs related with the ZyWALL such as login to the ZyWALL or...
  • Page 79: Figure 7-2 Report: E-Mail

    ZyWALL IDP 10 User’s Guide Figure 7-2 Report: E-Mail The following table describes the fields in this screen. Table 7-2 Report: E-Mail LABEL DESCRIPTION E-Mail Setup Active Click this button to enable e-mailed reports and allow editing of the fields below.
  • Page 80: Alarm Schedule

    ZyWALL IDP 10 User’s Guide Table 7-2 Report: E-Mail LABEL DESCRIPTION Apply Click this button to save your changes back to the ZyWALL. Reset Click this button to begin configuring this screen afresh. 7.2.2 Syslog Syslog logging sends a log to an external syslog server used to store logs.
  • Page 81: Figure 7-4 Alarm

    ZyWALL IDP 10 User’s Guide Figure 7-4 Alarm The following table describes the fields in this screen. Table 7-4 Alarm LABEL DESCRIPTION Alarm Schedule Active Select this field to activate your ZyWALL's alarm schedule as configured in the fields below.
  • Page 82: Maintenance & Cli

    Maintenance Maintenance & CLI This part provides information on how to use the ZyWALL maintenance screens and an introduction to the Command Line Interface (CLI).
  • Page 83: Chapter 8 Maintenance

    ZyWALL IDP 10 User’s Guide Chapter 8 Maintenance Maintenance Overview Use the maintenance screens to change the ZyWALL password, ZyWALL time, upload firmware, manage configuration files and restart the ZyWALL. Password Use the Password screen to change the ZyWALL password. You should do this regularly for security reasons.
  • Page 84: Time And Date

    The following screen is an example of how you reset the ZyWALL to the factory defaults while in debug mode. IDS system kernel loader v1.0.0.0 2004/04/02 (ZyXEL) Press ENTER to enter Debug Mode Enter DEBUG Mode ….. Loading Kernel Image <DBGBOOT>...
  • Page 85: Table 8-2 Default Time Servers

    ZyWALL IDP 10 User’s Guide The ZyWALL can use this pre-defined list of timeservers regardless of the Time Protocol you select. When the ZyWALL uses the pre-defined list of NTP timeservers, it randomly selects one server and tries to synchronize with it. If the synchronization fails, then the ZyWALL goes through the rest of the list in order from the first one tried until either it is successful or all the pre-defined NTP timeservers have been tried.
  • Page 86: Figure 8-3 Maintenance: Time Setting

    ZyWALL IDP 10 User’s Guide Figure 8-3 Maintenance: Time Setting Table 8-3 Time and Date LABEL DESCRIPTION Current Time and Date Current Time: This field displays the time of your ZyWALL. Each time you reload this page, the ZyWALL synchronizes the time with the timeserver (if configured).
  • Page 87 ZyWALL IDP 10 User’s Guide Table 8-3 Time and Date LABEL DESCRIPTION New Time (hh:mm:ss): This field displays the last updated time from the timeserver or the last time configured manually. When you set Time and Date Setup to Manual, enter the new time in this field and then click Apply.
  • Page 88: Firmware Upload

    Figure 8-6 Synchronization Fail Firmware Upload Find firmware at www.zyxel.com in a file that (usually) uses the system model name with a "*.bin" extension, e.g., "zywall.bin". The upload process uses HTTP (Hypertext Transfer Protocol) and may take up to two minutes. After a successful upload, the system will reboot. Use the Firmware Upload screen to schedule and upload firmware to the ZyWALL.
  • Page 89: Figure 8-7 Maintenance: F/W Upload

    ZyWALL IDP 10 User’s Guide The ZyWALL will restart automatically after a firmware upload is performed. Figure 8-7 Maintenance: F/W Upload Table 8-4 Maintenance: F/W Upload LABEL DESCRIPTION Local Upgrade File Path Type in the location of the file you want to upload in this field or click Browse ... to find it.
  • Page 90 ZyWALL. Remember that you must first decompress compressed (.ZIP) files. Update Server The default server at the time of writing is updateidp.zyxel.com. It is also possible to use updateidp.zyxel.com.tw. Check Click Check to check that the link to the remote server is valid.
  • Page 91: Figure 8-8 Firmware Upload In Progress

    ZyWALL IDP 10 User’s Guide Figure 8-8 Firmware Upload in Progress The ZyWALL automatically restarts in this time causing a temporary network disconnect. In some operating systems, you may see the following icon on your desktop. Figure 8-9 Network Temporarily Disconnected After two minutes, log in again and check your new firmware version in the System Status screen.
  • Page 92: Configuration

    ZyWALL IDP 10 User’s Guide Figure 8-10 Firmware Upload Error Configuration Use the Configuration screen to backup and restore ZyWALL configuration files or reset to the factory default configuration file. The ZyWALL configuration file includes all ZyWALL system settings and user-defined rules, but NOT pre-defined rules.
  • Page 93: Figure 8-11 Maintenance: Configuration

    ZyWALL IDP 10 User’s Guide Figure 8-11 Maintenance: Configuration 8.5.1 Backup Configuration Backup Configuration allows you to back up (save) the ZyWALL’s current configuration to a file on your computer. Once your ZyWALL is configured and functioning properly, it is highly recommended that you back up your configuration file before making configuration changes.
  • Page 94: Restart

    ZyWALL IDP 10 User’s Guide The ZyWALL will restart automatically after a configuration restore is performed. Do not turn off the device while configuration file upload is in progress. After you see a “configuration upload successful” screen, you must then wait one minute before logging into the device again.
  • Page 95: Chapter 9 Command Line Interface Overview

    Chapter 9 Command Line Interface Overview
    This chapter briefly introduces the command line interface and lists the available commands. See the Support CD for detailed information on using commands. In addition to the web configurator, you can use commands to configure the ZyWALL.
  • Page 96: Login

    9.1.1 Help Facility
    You can issue the help or help all command at any time. The system displays a list of available commands in response.
    Login
    When you log in you will be prompted for the username (“admin”) and password (default is “1234”). Change the default password as soon as the device is deployed (see the Password screen in Chapter 8); a factory-default credential on a security appliance is an easy target.
  • Page 97

    Table 9-1 Commands Summary
    COMMAND                DESCRIPTION
    stateful <ON/OFF>      Enable/disable TCP state check
    integrity <ON/OFF>     Enable/disable TCP packet state integrity using this command
    tcptimeout <value>     Set the maximum TCP idle timeout (this is how long a TCP connection is allowed to remain idle...
  • Page 98

    Table 9-1 Commands Summary
    COMMAND                DESCRIPTION
    rw <value>             Set up community read/write string
    trap <value>           Set up snmp trap
    system name <value>    Set up remote snmp system name
    trap <ON/OFF>          Enable/disable remote snmp trap
    trap ip <value>        ...
  • Page 99

    Table 9-1 Commands Summary
    COMMAND                DESCRIPTION
                           Display address resolution protocol information (device MAC address and IP address table).
  • Page 100: Appendices & Index

    Appendices & Index
    This part provides some advanced background information on IDP.
  • Page 101: Appendix A Introduction To Intrusions

    Appendix A Introduction to Intrusions
    A.1 Introduction to Ports
    Computers share information over the Internet using a common set of protocols called TCP/IP. A number called the TCP port or UDP port identifies the application-layer protocol or service a packet is addressed to, such as HTTP (Web), FTP (File Transfer Protocol), POP3 (e-mail), etc.
  • Page 102: Figure A-1 Three-Way Handshake

    creates a series of IP fragments with overlapping offset fields. When these fragments are reassembled at the destination, some systems will crash, hang, or reboot.
    A.3.4 SYN Attack
    This attack is executed during the three-way handshake that initiates a communication session between two applications.
  • Page 103: A.4 Scanning

    A.3.6 Smurf Attack
    A Smurf attack targets a feature in the IP specification known as directed or subnet broadcasting, to quickly flood the target network with useless data. A Smurf attacker floods a router with Internet Control Message Protocol (ICMP) echo request packets (pings).
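The three denial-of-service attacks in A.3 above (Teardrop, SYN attack, Smurf) each leave a distinct trace in traffic. The following is an added example, not code from the ZyXEL guide or the appliance: three small detectors run over constructed packet records. The record layout (plain dicts with src, dst, ports, flags), the sample addresses and the local subnet are assumptions made for the example.

```python
"""Added example (not from the ZyXEL guide): detectors for the three DoS
attacks described in A.3, run over constructed packet records.
  - Teardrop: IP fragments whose byte ranges overlap.
  - SYN attack: half-open connections that never complete the handshake.
  - Smurf: ICMP echo requests aimed at a directly connected subnet's
    broadcast address (the amplifier the attack relies on).
Packet records are plain dicts built here; they are not captured traffic."""
import ipaddress
from collections import defaultdict


def fragments_overlap(fragments):
    """fragments: list of (fragment_offset, payload_len, more_fragments).
    fragment_offset is in 8-byte units, as carried in the IP header.
    Returns True when any fragment starts before an earlier one ends."""
    ranges = sorted((off * 8, off * 8 + length) for off, length, _mf in fragments)
    reassembled_up_to = -1
    for start, end in ranges:
        if start < reassembled_up_to:
            return True
        reassembled_up_to = max(reassembled_up_to, end)
    return False


def half_open_counts(packets):
    """Per server (dst_ip, dst_port): clients that sent a SYN and never sent
    the completing ACK (or a RST). Under a SYN flood this keeps growing."""
    half_open = defaultdict(set)
    for p in packets:
        if p["proto"] != "tcp":
            continue
        server, client = (p["dst"], p["dport"]), (p["src"], p["sport"])
        if p["flags"] == {"SYN"}:
            half_open[server].add(client)
        elif "SYN" not in p["flags"] and p["flags"] & {"ACK", "RST"}:
            half_open[server].discard(client)
    return {srv: len(clients) for srv, clients in half_open.items() if clients}


def is_directed_broadcast_ping(pkt, local_subnets):
    """ICMP echo request (type 8) addressed to the broadcast address of one
    of the router's own subnets; a router should not forward these."""
    if pkt["proto"] != "icmp" or pkt.get("icmp_type") != 8:
        return False
    dst = ipaddress.ip_address(pkt["dst"])
    return any(dst == net.broadcast_address for net in local_subnets)


def tcp(src, sport, dst, dport, *flags):
    return {"proto": "tcp", "src": src, "sport": sport,
            "dst": dst, "dport": dport, "flags": set(flags)}


# Constructed sample traffic (documentation addresses, not real hosts).
SYN_SAMPLE = [
    tcp("10.0.0.5", 40001, "192.0.2.10", 80, "SYN"),        # legitimate client
    tcp("192.0.2.10", 80, "10.0.0.5", 40001, "SYN", "ACK"),
    tcp("10.0.0.5", 40001, "192.0.2.10", 80, "ACK"),        # handshake completes
    tcp("203.0.113.1", 1025, "192.0.2.10", 80, "SYN"),      # three SYNs, no ACKs
    tcp("203.0.113.2", 1026, "192.0.2.10", 80, "SYN"),
    tcp("203.0.113.3", 1027, "192.0.2.10", 80, "SYN"),
]
TEARDROP_SAMPLE = [(0, 36, True), (3, 36, False)]   # 2nd starts at byte 24, inside the 1st
CLEAN_FRAGMENTS = [(0, 32, True), (4, 20, False)]   # 2nd starts at byte 32, right after the 1st
LOCAL_SUBNETS = [ipaddress.ip_network("192.0.2.0/24")]
SMURF_PING = {"proto": "icmp", "icmp_type": 8, "src": "198.51.100.7", "dst": "192.0.2.255"}

if __name__ == "__main__":
    print("teardrop:", fragments_overlap(TEARDROP_SAMPLE))                 # True
    print("half-open:", half_open_counts(SYN_SAMPLE))                      # {('192.0.2.10', 80): 3}
    print("smurf:", is_directed_broadcast_ping(SMURF_PING, LOCAL_SUBNETS))  # True
```

The half-open counter only tracks what the handshake looks like from the server's side; in a real flood the SYN sources are spoofed, so the count per server, not per source, is what grows. The broadcast check is the condition a router should apply before forwarding: an echo request to a subnet's broadcast address is what turns every host on that subnet into a Smurf amplifier.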
  • Page 104: A.5 Malicious Programs

    A TCP connect() call is used to open a connection to every interesting port on the machine. If the port is listening, connect() will succeed; otherwise the port isn't reachable. SYN scanning (half-open scanning) does not open a full TCP connection. A SYN packet is sent, as if to open a genuine connection, and the scanner waits for a response.
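The two scan types above differ only in how the scanner finishes the handshake, which is exactly what an IDP has to watch. The following is an added example, not code from the ZyXEL guide or the appliance: a small handshake tracker that labels each probe in a constructed packet stream as a full connect() scan, a half-open scan or a closed port, plus a distinct-port threshold for naming the scanning host. The record layout, threshold and sample addresses are assumptions made for the example.

```python
"""Added example (not from the ZyXEL guide): telling a TCP connect() scan from a
SYN (half-open) scan in constructed packet records, and flagging a source that
probes more distinct ports on one target than a threshold."""
from collections import defaultdict


def tcp(src, sport, dst, dport, *flags):
    return {"proto": "tcp", "src": src, "sport": sport,
            "dst": dst, "dport": dport, "flags": set(flags)}


def classify_probes(packets):
    """Returns {(scanner, target): {"connect": n, "half_open": n, "closed": n}}.
    connect   : SYN, SYN-ACK, ACK all seen (a full connect() call).
    half_open : SYN, SYN-ACK, then a client RST instead of the ACK.
    closed    : SYN answered by a server RST (port not listening)."""
    state = {}                       # (client, cport, server, sport) -> handshake state
    probes = defaultdict(lambda: {"connect": 0, "half_open": 0, "closed": 0})
    for p in packets:
        if p["proto"] != "tcp":
            continue
        f = p["flags"]
        as_client = (p["src"], p["sport"], p["dst"], p["dport"])   # if p came from the client
        as_server = (p["dst"], p["dport"], p["src"], p["sport"])   # if p came from the server
        if f == {"SYN"}:
            state[as_client] = "syn_sent"
        elif f == {"SYN", "ACK"} and state.get(as_server) == "syn_sent":
            state[as_server] = "syn_ack"                   # port is listening
        elif f == {"ACK"} and state.get(as_client) == "syn_ack":
            state[as_client] = "established"
            probes[(as_client[0], as_client[2])]["connect"] += 1
        elif "RST" in f:
            if state.get(as_client) == "syn_ack":          # scanner aborts before ACK
                state[as_client] = "reset"
                probes[(as_client[0], as_client[2])]["half_open"] += 1
            elif state.get(as_server) == "syn_sent":       # server refuses the SYN
                state[as_server] = "closed"
                probes[(as_server[0], as_server[2])]["closed"] += 1
    return dict(probes)


def scanners(packets, max_ports):
    """Sources that sent SYNs to more than max_ports distinct ports on one target."""
    ports = defaultdict(set)
    for p in packets:
        if p["proto"] == "tcp" and p["flags"] == {"SYN"}:
            ports[(p["src"], p["dst"])].add(p["dport"])
    return {pair for pair, seen in ports.items() if len(seen) > max_ports}


# Constructed sample: 203.0.113.9 probes four ports on 192.0.2.10.
S, T = "203.0.113.9", "192.0.2.10"
SCAN_SAMPLE = [
    tcp(S, 50001, T, 22, "SYN"),                 # connect() scan of port 22
    tcp(T, 22, S, 50001, "SYN", "ACK"),
    tcp(S, 50001, T, 22, "ACK"),
    tcp(S, 50002, T, 80, "SYN"),                 # half-open scan of port 80
    tcp(T, 80, S, 50002, "SYN", "ACK"),
    tcp(S, 50002, T, 80, "RST"),
    tcp(S, 50003, T, 23, "SYN"),                 # closed port: server resets
    tcp(T, 23, S, 50003, "RST", "ACK"),
    tcp(S, 50004, T, 25, "SYN"),                 # filtered: no reply at all
]

if __name__ == "__main__":
    print(classify_probes(SCAN_SAMPLE))           # {('203.0.113.9', '192.0.2.10'): {'connect': 1, 'half_open': 1, 'closed': 1}}
    print(scanners(SCAN_SAMPLE, max_ports=3))     # {('203.0.113.9', '192.0.2.10')}
```

The point of the half-open branch is that the scanner's RST arrives where the third handshake packet should be, so a host that logs only completed connections never sees the probe; the tracker has to key on the SYN and SYN-ACK it already saw. The unanswered SYN to port 25 is counted by scanners() but classified by nothing, which is what a filtered port looks like.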
  • Page 105

    A.6.2 Blaster W32.Worm
    This is a worm that exploits the DCOM RPC vulnerability (see Microsoft Security Bulletins MS03-026 and MS03-039) using TCP port 135. The worm targets only Windows 2000 and Windows XP machines. While Windows NT and Windows Server 2003 machines are vulnerable (if not properly patched), the worm is not coded to replicate to those systems.
  • Page 107: Appendix B Intrusion Protection

    Appendix B Intrusion Protection
    B.1 Firewalls and Intrusions
    Firewalls are designed to block clearly suspicious traffic and forward other traffic through. Many exploits take advantage of weaknesses in the protocols that are allowed through the firewall, so that once an inside server has been compromised it can be used as a backdoor to launch attacks on other servers.
  • Page 108: B.3 Detection Methods

    not. If a malicious packet is detected, an action is taken. The remaining packets that make up that particular TCP session are also discarded.
    B.3 Detection Methods
    An IDP system employs a mix of detection methods to identify attacks.
    B.3.1 Pattern Matching
    Pattern matching identifies a fixed sequence of bytes in a single packet. Because it looks at one packet at a time, it cannot see a pattern that is split across two packets; that is one reason an IDP combines it with the other methods below.
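The two sentences above describe what happens after a pattern hits: the matching packet is dropped and so is the rest of that TCP session. The following is an added example, not code from the ZyXEL guide or the appliance: single-packet pattern matching wired into that session-discard behaviour, run over constructed HTTP traffic. The signature names and byte patterns, the record layout and the sample addresses are assumptions made for the example; the last two packets show the single-packet limitation deliberately.

```python
"""Added example (not from the ZyXEL guide): single-packet pattern matching as
in B.3.1, wired into the in-line behaviour described just above it: the first
packet of a TCP session that matches a signature is dropped, and so is every
later packet of that session in either direction. Signatures and traffic are
constructed for illustration."""

# Constructed signatures: each is a fixed byte sequence looked for in one packet.
SIGNATURES = {
    "web-cgi-shell-cmd": b"/cgi-bin/;cmd=",
    "backdoor-netbus-banner": b"NetBus",
}


def tcp(src, sport, dst, dport, payload=b""):
    return {"proto": "tcp", "src": src, "sport": sport,
            "dst": dst, "dport": dport, "payload": payload}


def session_key(pkt):
    """Same key for both directions of a session, so the reply traffic of a
    blocked session is discarded too."""
    a, b = (pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])
    return (a, b) if a <= b else (b, a)


def match_signature(payload):
    """Pattern matching over one packet's payload only (B.3.1)."""
    for name, pattern in SIGNATURES.items():
        if pattern in payload:
            return name
    return None


def inline_filter(packets):
    """Returns one (verdict, reason) per packet, in order:
    ('forward', None), ('drop', <signature>) or ('drop', 'session:<signature>')."""
    blocked = {}                    # session key -> name of the signature that fired
    verdicts = []
    for p in packets:
        key = session_key(p)
        if key in blocked:
            verdicts.append(("drop", "session:" + blocked[key]))
        else:
            hit = match_signature(p["payload"])
            if hit:
                blocked[key] = hit
            verdicts.append(("drop", hit) if hit else ("forward", None))
    return verdicts


# Constructed sample traffic (documentation addresses, not real hosts).
C, S = "203.0.113.9", "192.0.2.10"
SAMPLE = [
    tcp(C, 50001, S, 80, b"GET /index.html HTTP/1.0\r\n\r\n"),        # benign
    tcp(C, 50001, S, 80, b"GET /cgi-bin/;cmd=id HTTP/1.0\r\n\r\n"),   # matches a signature
    tcp(S, 80, C, 50001, b"HTTP/1.0 200 OK\r\n"),                      # reply of the blocked session
    tcp(C, 50002, S, 80, b"GET /cgi-bi"),                              # same pattern, split
    tcp(C, 50002, S, 80, b"n/;cmd=id HTTP/1.0\r\n\r\n"),               # across two packets
]

if __name__ == "__main__":
    for p, v in zip(SAMPLE, inline_filter(SAMPLE)):
        print(p["src"], "->", p["dst"], v)
```

The third packet never reaches the matcher: once a session is on the blocked list its reverse direction is dropped by the session key alone, which is the "remaining packets ... are also discarded" rule. The last two packets are forwarded even though, reassembled, they carry the same request as the second, because pattern matching as defined in B.3.1 sees one packet at a time; catching that split needs stream reassembly or one of the stateful methods an IDP mixes in.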
  • Page 109: Appendix C Index

    Appendix C Index
    10/100Mbps 4-1
    Access control 6-10
    Activation Key 6-30
    Alarm 6-15, 6-17, 6-18, 6-24
    ALARM 7-4
    AND/OR 6-17
    Direction 6-18, 6-24, 6-27
    DNS server 3-1, 3-2
    DoS 1-2
      Basics A-1
      Types A-1
    duplex ...
  • Page 110

    IGMP Header 6-28
    Incoming 6-18, 6-24, 6-27
    Inline 1-2, 2-4, 2-5, 3-4, 6-18
    Internet Control Message Protocol (ICMP) A-3
    Intrusion Detection & Prevention (IDP) 1-2
    Intrusions
      Types ...
    Password 8-1
      Forget 8-1
    Pattern Matching 1-2
    Ping of Death A-1
    Policy Actions 6-15
  • Page 111

    Secure Client IP Address 5-2, 5-4, 5-6
    Server 8-5
    Server Access 5-1, 5-2, 5-4, 5-6
    Signature Categories 6-2
      Access Control 6-10
      Backdoor/Trojan 6-9
      Buffer Overflow ...
    Syslog 7-4
    TCP connect() A-4
    TCP Header 6-28
    TCP/IP A-1
    TCP_RST 4-2
    Teardrop A-1
