Instruction/maintenance manual of the product P-312, ZyXEL Communications
Prestige 312 Broadband Security Gateway User's Guide, Version 3.20, November 2000.
P312 Broadband Security Gateway. Copyright © 2000 by ZyXEL Communications Corporation.
FCC Statement: Federal Communications Commission (FCC) Interference Statement. This device complies with Part 15 of FCC rules. Operation is subject to the following two conditions: This device may not cause harmful interference.
Information for Canadian Users: The Industry Canada label identifies certified equipment. This certification means that the equipment meets certain telecommunications network protective, operation, and safety requirements.
Declaration of Conformity: We, the Manufacturer/Importer, ZyXEL Communications Corp., No. 6, Innovation Rd.
CE Doc.
ZyXEL Limited Warranty: ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials or workmanship for a period of up to two years from the date of purchase.
Customer Support: When you contact your customer support representative please have the following information ready: ♦ Prestige Model and serial number. ♦ Information in Menu 24.2.1 – System Information.
Table of Contents: Table of Contents .... ix; List of Figures ....
2.10.1 LAN Port Filter Setup .... 2-12; Chapter 3 Internet Access ....
6.1.4 NAT Mapping Types .... 6-2; 6.1.5 SUA (Single User Account) Versus NAT ....
9.1 System Status .... 9-2; 9.2 System Information and Console Port Speed.
12.2 Telnet Under NAT .... 12-1; 12.3 Telnet Capabilities ....
15.3 E-Mail .... 15-3; 15.3.1 What are Alerts? ....
20.1 Restrict Web Features .... 20-1; 20.1.1 ActiveX ....
List of Figures: Figure 1-1 Secure Internet Access via Cable .... 1-3; Figure 1-2 Secure Internet Access via DSL.
Figure 4-5 Remote Node Network Layer Options .... 4-8; Figure 4-6 Remote Node Filter (Ethernet Encapsulation) ....
Figure 6-22 Example 4 - Menu 15.1.1.1 - Address Mapping Rule .... 6-20; Figure 6-23 Example 4 - Menu 15.1.1 - Address Mapping Rules ....
Figure 9-9 Call-Triggering Packet Example .... 9-10; Figure 9-10 Menu 24.4 - System Maintenance - Diagnostic.
Figure 14-2 Menu 21 - Filter and Firewall Setup .... 14-1; Figure 14-3 Menu 21.2 – Firewall Setup ....
Figure 19-9 Example 2 - Local Network Rule Summary .... 19-10; Figure 19-10 Example 2 - Internet to Local Network Rule Summary ....
List of Tables: Table 2-1 LED functions .... 2-1; Table 2-2 Main Menu Commands.
Table 7-2 Abbreviations Used If Filter Type Is IP .... 7-7; Table 7-3 Abbreviations Used If Filter Type Is GEN.
Table 16-5 Timeout Menu .... 16-14; Table 17-1 Custom Ports ....
Preface. About Your Router. Congratulations on your purchase of the Prestige 312 Broadband Security Gateway. Don't forget to register your Prestige (fast, easy online registration at www.
Regardless of your particular application, it is important that you follow the steps outlined in Chapters 1-2 to connect your Prestige to your LAN. You can then refer to the appropriate chapters of the manual, depending on your applications.
Part I: Getting Started. Chapters 1-3 are structured as a step-by-step guide to help you connect, install and set up your Prestige to operate on your network and access the Internet.
Chapter 1 Getting to Know Your Prestige. This chapter introduces the main features and applications of the Prestige.
Dynamic DNS Support. With Dynamic DNS support, you can have a static hostname alias for a dynamic IP address, allowing the host to be more easily accessible from various locations on the Internet.
... not choose a time service protocol that your timeserver will send when the Prestige powers up, you can enter the time manually, but each time the system is booted the time & date will be reset to 1/1/1970 0:0:0.
Figure 1-2 Secure Internet Access via DSL. You can also use your xDSL modem in the bridge mode for always-on Internet access and high speed data transfer.
Chapter 2 Hardware Installation & Initial Setup. This chapter shows you how to connect the hardware and perform the initial setup. 2.1 Front Panel LEDs and Back Panel Ports 2.
LEDs: Function / Indicator / Status / Active / Description. Flashing: The 100M LAN is sending/receiving packets. Off: The WAN Link is not ready, or has failed. On: The WAN Link is ok.
... connector on the back of the cable modem. Connect an xDSL Modem to the xDSL Wall Jack. Please also see Appendix C for important safety instructions on making connections to the Prestige.
♦ 9600 Baud. ♦ No parity, 8 Data bits, 1 Stop bit, Flow Control set to None. 3. A cable/xDSL modem and an ISP account. After the Prestige is properly set up, you can make future changes to the configuration through telnet connections.
Figure 2-4 Password Screen. 2.6 Navigating the SMT Interface. The SMT (System Management Terminal) is the interface that you use to configure your Prestige.
2.6.1 Main Menu. After you enter the password, the SMT displays the Prestige 312 Main Menu, as shown below.
99 Exit: To exit from SMT and return to a blank screen. 2.7 Changing the System Password. The first thing you should do before anything else is to change the default system password by following the steps below.
2.8 General Setup. Menu 1 - General Setup contains administrative and system-related information. The fields for General Setup are as shown next. System Name is for identification purposes.
Table 2-4 General Setup Menu Fields: Field / Description / Example. System Name: Choose a descriptive name for identification purposes. It is recommended you enter your computer's "Computer name" in this field.
Table 2-5 Configure Dynamic DNS Menu Fields: Field / Description / Example. Service Provider: Enter the name of your Dynamic DNS client. www.ddns.org. Active: Press [SPACE BAR] to toggle between Yes or No.
Figure 2-9 Menu 2 – WAN Setup. The MAC address field allows users to configure the WAN port's MAC Address by either using the factory default or cloning the MAC address from a workstation on your LAN.
Figure 2-10 Menu 3 - LAN Setup. 2.10.1 LAN Port Filter Setup. This menu allows you to specify the filter sets that you wish to apply to the LAN traffic.
Chapter 3 Internet Access. This chapter shows you how to configure the LAN as well as the WAN of your Prestige for Internet access.
The subnet mask specifies the network number portion of an IP address. Your Prestige will compute the subnet mask automatically based on the IP address that you entered. You don't need to change the subnet mask computed by the Prestige unless you are instructed to do otherwise.
3.1.5 DHCP Configuration. DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows the individual clients (workstations) to obtain the TCP/IP configuration at start-up from a server.
The address 224.0.0.1 is used for query messages and is assigned to the permanent group of all IP hosts (including gateways). All hosts must join the 224.0.0.1 group in order to participate in IGMP.
Figure 3-3 Menu 3 - LAN Setup (10/100 Mbps Ethernet). To edit the TCP/IP and DHCP configuration, enter 2 to open Menu 3.2 - TCP/IP and DHCP Ethernet Setup as shown next. Figure 3-4 Menu 3.2 – TCP/IP and DHCP Ethernet Setup. Menu 3 – LAN Setup 1.
Follow the instructions in the following table on how to configure the DHCP fields. Table 3-1 LAN DHCP Setup Menu Fields: Field / Description / Example. DHCP=: This field enables/disables the DHCP server.
Field / Description / Example. Edit IP Alias: The Prestige supports three logical LAN interfaces via its single physical Ethernet interface, with the Prestige itself as the gateway for each LAN network.
RIP Direction: Press the space bar to select the RIP direction from None, Both/In Only/Out Only.
The following table describes this screen. Table 3-4 Internet Access Setup Menu Fields: Field / Description. ISP's Name: Enter the name of your Internet Service Provider, e.g., myISP. This information is for identification purposes only.
3.3.3 Configuring the PPTP Client. To configure a PPTP client, you must configure the My Login and Password fields for a PPP connection and the PPTP parameters for a PPTP connection.
For the service provider, PPPoE offers an access and authentication method that works with existing access control systems (e.
Table 3-6 New Fields in Menu 4 (PPPoE) screen: Field / Description / Examples. Encapsulation: Press the [SPACE BAR] and then press [ENTER] to choose PPPoE. The encapsulation method influences your choices for IP Address.
Part II: Advanced Applications. Advanced Applications (Chapters 4-6) describe the advanced applications of your Prestige, such as Remote Node Setup, IP Static Routes and NAT.
Chapter 4 Remote Node Setup. This chapter shows you how to configure a remote node. A remote node is required for placing calls to a remote gateway. A remote node represents both the remote gateway and the network behind it across a WAN connection.
Table 4-1 Fields in Menu 11.1: Field / Description / Examples. Rem Node Name: Enter a descriptive name for the remote node. This field can be up to eight characters. LAoffice. Active: Press the [SPACE BAR] to toggle between Yes and No and activate (deactivate) the remote node.
4.1.2 PPPoE Encapsulation. The Prestige supports PPPoE (Point-to-Point Protocol over Ethernet). You can only use PPPoE encapsulation when you're using the Prestige with an xDSL modem as the WAN device.
Table 4-2 Fields in Menu 11.1 (PPPoE Encapsulation Specific): Field / Description / Examples. Authen: This field sets the authentication protocol used for outgoing calls.
Figure 4-3 Remote Node Profile for PPTP Encapsulation. The next table shows how to configure fields in Menu 11.1 not previously discussed above. Table 4-3 Fields in Menu 11.1 (PPTP Encapsulation): Field / Description / Examples. Encapsulation: Toggle the space bar to choose PPTP.
4.2 Editing TCP/IP Options (with Ethernet Encapsulation). Move the cursor to the Edit IP field in Menu 11.1, then press the [SPACE BAR] to toggle and set the value to Yes. Press [Enter] to open Menu 11.
Field / Description / Example. ... between 1 and 15. In practice, 2 or 3 is usually a good number. Private: This field is valid only for PPTP/PPPoE encapsulation. This parameter determines if the Prestige will include the route to this remote node in its RIP broadcasts.
Figure 4-5 Remote Node Network Layer Options. The next table gives you instructions about configuring remote node network layer options.
... between 1 and 15. In practice, 2 or 3 is usually a good number. Private: This parameter determines if the Prestige will include the route to this remote node in its RIP broadcasts. If set to Yes, this route is kept private and not included in RIP broadcasts.
Figure 4-6 Remote Node Filter (Ethernet Encapsulation). Figure 4-7 Remote Node Filter (PPPoE or PPTP Encapsulation). Menu 11.
Chapter 5 IP Static Route Setup. This chapter shows you how to configure static routes with your Prestige. Static routes tell the Prestige routing information that it cannot learn automatically through other means.
5.1 IP Static Route Setup. You configure IP static routes in Menu 12.1, by selecting one of the IP static routes as shown below.
Table 5-1 IP Static Route Menu Fields: Field / Description. Route #: This is the index number of the static route that you chose in Menu 12. Route Name: Enter a descriptive name for this route.
Chapter 6 Network Address Translation (NAT). This chapter discusses how to configure NAT on the Prestige. 6.1 Introduction. NAT (Network Address Translation - NAT, RFC 1631) is the translation of the IP address of a host in a packet, e.
... them accessible to the outside world. If you do not define any servers (for Many-to-One and Many-to-Many Overload mapping – see below), NAT offers the additional benefit of firewall protection.
2. Many to One: In Many-to-One mode, the Prestige maps multiple local IP addresses to one global IP address. This is equivalent to SUA (i.e., PAT, port address translation), ZyXEL's Single User Account feature that previous ZyXEL routers supported (the SUA Only option in today's routers).
... remote node basis. They are reusable, but only one set is allowed for each remote node. The Prestige supports 2 sets since there is only one remote node. The second set (SUA Only option in Menu 15.
Figure 6-3 Applying NAT for Internet Access. This figure shows how you apply NAT to the remote node in Menu 11.1. Step 1. Enter 11 from the Main Menu. Step 2. Move the cursor to the Edit IP field, press the [SPACEBAR] to toggle the default No to Yes, then press [ENTER] to bring up Menu 11.
Table 6-3 Applying NAT in Menus 4 & 11.3: Field / Options / Description. Full Feature: When you select this option the SMT will use Address Mapping Set 1 (Menu 15.1 – see section 6.2.3 for further discussion).
Figure 6-6 Menu 15.1 Address Mapping Sets. Let's look first at Option 255. Option 255 is equivalent to SUA in previous ZyXEL routers (see section 6.1.4). The fields in this menu cannot be changed.
Table 6-4 SUA Address Mapping Rules: Field / Description / Options/Example. Set Name: This is the name of the set you selected in Menu 15.1 or enter the name of a new set you want to create. SUA. Idx: This is the index or rule number.
Figure 6-8 First Set in Menu 15.1.1. The Type, Local and Global Start/End IPs are configured in Menu 15.1.1.1 (described later) and the values are displayed here. Ordering Your Rules. Ordering your rules is important because the Prestige applies the rules in the order that you specify.
... moved down by one rule. Delete means to delete the selected rule and then all the rules after the selected one will be advanced one rule. Save Set means to save the whole set (note when you choose this action, the Select Rule item will be disabled).
Field / Description / Option/Example. ... examples. and Server: Local IP. Only local IP fields are N/A for server; Global IP fields MUST be set for Server. Start: This is the starting local IP address (ILA).
Figure 6-10 Multiple Servers Behind NAT. 6.3.2 Configuring a Server behind NAT. Follow the steps below to configure a server behind NAT: Step 1. Enter 15 in the main menu to go to Menu 15 – NAT Setup.
Figure 6-11 Menu 15.2 – NAT Server Setup. Table 6-7 Services & Port numbers: Services / Port Number. FTP (File Transfer Protocol): 21. Telnet: 23.
Figure 6-12 NAT Example 1. Figure 6-13 Internet Access & NAT Example. From Menu 4 shown above, simply choose the SUA Only option from the Network Address Translation field. This is the Many-to-One mapping discussed in section 6.
6.4.2 Example 2 – Internet Access with an Inside Server. Figure 6-14 NAT Example 2. In this case, we do exactly as above (use the convenient pre-configured SUA Only set) and also go to Menu 15.2 to specify the Inside Server behind the NAT as shown in the next figure.
... server and the other IGA is used by all. We want to map the FTP servers to the first two of our IGAs and the other LAN traffic to the remaining IGA. We also want to map our third IGA to an inside web server and mail server.
Step 5. Select Type = as One-to-One (direct mapping for packets going both ways), and enter the local Start IP as 192.168.1.10 (the IP address of FTP Server 1), the global Start IP as 10.132.50.1 (our first IGA).
When we have configured all four rules, Menu 15.1.1 should look as follows. Figure 6-19 Example 3 Final Menu 15.1.1. Now we configure our IGA3 to map to our web server and mail server on the LAN.
6.4.4 Example 4 – NAT Unfriendly Application Programs. Some applications do not support NAT Mapping using TCP or UDP port address translation.
Figure 6-22 Example 4 - Menu 15.1.1.1 - Address Mapping Rule. After you've configured this menu, you should see the following screen. Figure 6-23 Example 4 - Menu 15.1.1 - Address Mapping Rules. Menu 15.
Part III: Advanced Management. Chapters 7 - 12 provide information on Prestige filtering, System Information and Diagnosis, Transferring Files and Telnet.
Chapter 7 Filter Configuration. This chapter shows you how to create and apply filter(s). 7.1 About Filtering. Your Prestige uses filters to decide whether to allow passage of a data packet and/or to make a call.
7.1.1 The Filter Structure of the Prestige. A filter set consists of one or more filter rules. Usually, you would group related rules, e.g., all the rules for NetBIOS, into a single set and give it a descriptive name.
(Flowchart of filter set processing: Start; Fetch First Filter Set; Fetch First Filter Rule; Active?; Execute Filter Rule; Fetch Next Filter Rule; Next Filter Rule Available?; Fetch Next Filter Set.)
7.2 Configuring a Filter Set. To configure a filter set, follow the procedure below. For more information on Menus 21.2 and 21.3, please see Part 4. Step 1. Select option 21. Filter Set Configuration from the Main Menu to open Menu 21.
Figure 7-6 NetBIOS_WAN Filter Rules Summary. Figure 7-7 NetBIOS_LAN Filter Rules Summary. Figure 7-8 TEL_FTP_WEB_WAN Filter Rules Summary. Menu 21.1.1 - Filter Rules Summary (columns: # A Type Filter Rules M m n): 1 Y IP Pr=6, SA=0.
7.2.1 Filter Rules Summary Menu. This screen shows the summary of the existing rules in the filter set. The following tables contain a brief description of the abbreviations used in the previous menus.
The protocol dependent filter rule abbreviations are listed as follows: ! If the filter type is IP, the abbreviations listed in the following table will be used.
Figure 7-9 Menu 21.1.1.1 - TCP/IP Filter Rule. The following table describes how to configure your TCP/IP filter rule. Table 7-4 TCP/IP Filter Rule Menu Fields: Field / Description / Option. Active: This field activates/deactivates the filter rule.
Field / Description / Option. ... don't-care if it is 0. Destination: Port # Comp: Select the comparison to apply to the destination port in the packet against the value given in Destination: Port #.
Field / Description / Option. Once you have completed filling in Menu 21.1.1.1 - TCP/IP Filter Rule, press [Enter] at the message [Press Enter to Confirm] to save your configuration, or press [Esc] to cancel.
(Flowchart of IP filter processing: Packet into IP Filter; Filter Active?; Check IP Protocol; Matched / Not Matched; Action Matched / Action Not Matched; More?; Drop Packet; Accept Packet; Dr.)
7.2.4 Generic Filter Rule. This section shows you how to configure a generic filter rule. The purpose of generic rules is to allow you to filter non-IP packets. For IP, it is generally easier to use the IP rules directly.
The following table describes the fields in the Generic Filter Rule Menu. Table 7-5 Generic Filter Rule Menu Fields: Field / Description / Option. Filter #: This is the filter set, filter rule co-ordinates, i.
Drop. Once you have completed filling in Menu 21.4.1.1 - Generic Filter Rule, press [Enter] at the message [Press Enter to Confirm] to save your configuration, or press [Esc] to cancel. This data will now be displayed on Menu 21.
Figure 7-13 Example Filter – Menu 21.1.1.1. When you press [Enter] to confirm, you will see the following screen.
Figure 7-14 Example Filter Rules Summary – Menu 21.1.3. After you've created the filter set, you must apply it. Step 1. Enter 11 from the main menu to go to Menu 11. Step 2. Go to the Edit Filter Sets field, press the [SPACEBAR] to toggle Yes to No and press [ENTER].
... packets and after NAT for incoming packets. On the other hand, the generic, or device, filters are applied to the raw packets that appear on the wire. They are applied at the point when the Prestige is receiving and sending the packets; i.
Figure 7-16 Filtering LAN Traffic. 7.6.2 Remote Node Filters. Go to Menu 11.5 (shown below – note that call filter sets are only present for PPPoE encapsulation) and enter the number(s) of the filter set(s) as appropriate.
Chapter 8 SNMP Configuration. This chapter discusses SNMP (Simple Network Management Protocol) for network management and monitoring. 8.1 About SNMP. Your Prestige supports SNMP agent functionality, which allows a manager station to manage and monitor the Prestige through the network.
The following table describes the SNMP configuration parameters. Table 8-1 SNMP Configuration Menu Fields: Field / Description / Default. Get Community: Enter the get community, which is the password for the incoming Get- and GetNext- requests from the management station.
Chapter 9 System Information & Diagnosis. This chapter talks you through SMT Menus 24.1 to 24.4. This chapter covers the diagnostic tools that help you to maintain your Prestige.
9.1 System Status. The first selection, System Status, gives you information on the version of your system firmware and the status and statistics of the ports, as shown in the figure below.
The following table describes the fields present in Menu 24.1 - System Maintenance - Status. Table 9-1 System Maintenance - Status Menu Fields: Field / Description. Port: The WAN or LAN port.
9.2 System Information and Console Port Speed. This section describes your system and allows you to choose different console port speeds. To get to the System Information and Console Port Speed: Step 1.
Table 9-2 Fields in System Maintenance: Field / Description. Name: This is the Prestige's system name + domain name assigned in Menu 1. E.g., System Name=xxx; Domain Name=baboo.
9.3.1 Viewing Error Log. The first place you should look for clues when something goes wrong is the error/trace log. Follow the procedure below to view the local error/trace log: Step 1.
Figure 9-8 Menu 24.3.2 - System Maintenance – UNIX Syslog. You need to configure the UNIX syslog parameters described in the following table to activate syslog, then choose what you want to log.
1. CDR. CDR Message Format: SdcmdSyslogSend( SYSLOG_CDR, SYSLOG_INFO, String ); String = board xx line xx channel xx, call .
Mar 03 10:39:43 202.132.155.97 ZyXEL: GEN[fffffffffffnordff0080] }S05>R01mF Mar 03 10:41:29 202.132.155.97 ZyXEL: GEN[00a0c5f502fnord010080] }S05>R01mF Mar 03 10:41:34 202.
9.3.3 Call-Triggering Packet. Call-Triggering Packet displays information about the packet that triggered a dial-out call in an easily readable format. Equivalent information is available in Menu 24.
Figure 9-10 Menu 24.4 - System Maintenance - Diagnostic. Follow the procedure below to get to Menu 24.4 - System Maintenance – Diagnostic. Step 1. From the Main Menu, select option 24 to open Menu 24 - System Maintenance.
Figure 9-11 WAN & LAN DHCP. The following table describes the diagnostic tests available in Menu 24.
Chapter 10 Transferring Files. This chapter tells you how to back up and restore your configuration file as well as upload new firmware and a new configuration file.
Table 10-1 Filename Conventions: File Type / Internal Name / External Name / Description. AT Command Configuration File: Rom-0; *.
10.3 Restore Configuration. Menu 24.6 -- System Maintenance - Restore Configuration allows you to restore the configuration via the console port.
Step 4. After successful firmware upload, enter atgo to restart the Prestige. Figure 10-4 Menu 24.
Figure 10-5 Menu 24.7.2 - System Maintenance - Upload Router Configuration File. 10.5 TFTP File Transfer. In addition to the direct con.
Note: If you upload the firmware to the Prestige, it will reboot automatically when the file transfer is completed (the SYS LED will flash). Note that the telnet connection must be active and the SMT in CI mode before and during the TFTP transfer.
10.6 FTP File Transfer. In addition to uploading the firmware and configuration via the console port and TFTP client, you can also upload the Prestige firmware and configuration files using FTP.
Figure 10-7 Telnet into Menu 24.7.2 - System Maintenance. To transfer the firmware and the configuration file, follow these examples: 10.6.1 Using the FTP command from the DOS Prompt. Step 1.
Figure 10-8 FTP Session Example. The system reboots after a successful upload. The following table describes some of the fields that you may see in third party FTP clients.
Chapter 11 System Maintenance & Information. This chapter leads you through SMT menus 24.8 to 24.11. 11.1 Command Interpreter Mode. The Command Interpreter (CI) is a part of the main router firmware.
11.2 Call Control Support. The Prestige provides two call control functions: budget management and call history. Please note that this menu is only applicable when Encapsulation is set to PPPoE or PPTP in Menu 4 or Menu 11.
The total budget is the time limit on the accumulated time for outgoing calls to a remote node. When this limit is reached, the call will be dropped and further outgoing calls to that remote node will be blocked.
Table 11-2 Call History Fields. Phone Number: The PPPoE service names are shown here. Dir: This shows whether the call was incoming or outgoing.
Figure 11-6 System Maintenance - Time and Date Setting. Table 11-3 Time and Date Setting Fields. Use Time Server when Bootup=: Enter the time service protocol that your timeserver will send when the Prestige powers up.
zone and Greenwich Mean Time (GMT). Be aware if/when daylight saving time alters this time difference for your time zone. Once you have filled in the new time and date, press [Enter] to save the setting and press [Esc] to return to Menu 24.
Table 11-4 Menu 24.11 - Remote Management Control. FTP service active: Press the [SPACE BAR] to toggle Yes to No and press [Enter] to disable all FTP activity (both LAN and WAN).
Figure 11-9 Boot Module Commands
======= Debug Command Listing =======
AT just answer OK
ATHE print help
ATBAx change baudrate. 1:38.4k, 2:19.2k, 3:9.6k 4:57.6k 5:115.
Chapter 12 Telnet Configuration and Capabilities. This chapter covers the Telnet Configuration and Capabilities of the Prestige. 12.1 About Telnet Configuration. Before the Prestige is properly set up for TCP/IP, the only option for configuring it is through the console port.
12.3.2 System Timeout. There is a system timeout of 5 minutes (300 seconds) for either the console port or telnet. Your Prestige will automatically log you out if you do nothing in this timeout period, except when it is continuously updating the status in Menu 24.
Part IV: Firewall and Content Filters. Chapters 13 - 20 describe types of firewalls, how to configure your Prestige firewall using the Prestige Web Configurator, as well as types of Denial of Service (DoS) attacks and Content Filtering.
Chapter 13 What is a Firewall. This chapter gives some background information on firewalls. Originally, the term firewall referred to a construction technique designed to prevent the spread of fire from one room to another.
needed to filter application traffic and direct it to a number of specific systems. The router need only allow application traffic destined for the application gateway and reject the rest.
Figure 13-1 Prestige Firewall Application. 13.3 Denial of Service. Denial of Service (DoS) attacks are aimed at devices and networks with a connection to the Internet.
Table 13-1 Common IP Ports: 21 FTP; 23 Telnet; 25 SMTP; 53 DNS; 80 HTTP; 110 POP3. 13.3.2 Types of DoS attacks. There are four types of DoS attacks: 1. Those that exploit bugs in a TCP/IP implementation.
Under normal circumstances, the application that initiates a session sends a SYN (synchronize) packet to the receiving server. The receiver sends back an ACK (acknowledgment) packet and its own SYN, and then the initiator responds with an ACK (acknowledgment).
Figure 13-4 Smurf Attack. 4. Often, many DoS attacks also employ a technique known as "IP Spoofing" as part of their attack. IP Spoofing may be used to break into systems, to hide the hacker's identity, or to magnify the effect of the DoS attack.
Figure 13-5 Stateful Inspection. Figure 13-5 shows the Prestige's default firewall rules in action and demonstrates how stateful inspection works. User A can initiate a Telnet session from within the LAN and responses to this request are allowed.
7. The packet is inspected by a firewall rule, and the connection's state table entry is updated as necessary.
When any subsequent packet hits the box (from the Internet or from the LAN), its connection information is extracted and checked against the cache.
3. Limit who can Telnet into your router. 4. Don't enable any local service (such as SNMP or NTP) that you don't use. Any enabled service could present a potential security risk.
12. Always shred confidential information, particularly about your computer, before throwing it away. Some hackers dig through the trash of companies or individuals for information that might help them in a social intrusion.
Chapter 14 Introducing the Prestige Firewall. This chapter shows you how to get started with the Prestige Firewall. Please see Chapter 13 for some background information on firewalls.
Figure 14-3 Menu 21.2 - Firewall Setup. Please note that you can only configure the firewall rules using the Prestige Web Configurator or CLI commands. 14.1.1 View Firewall Log. Enter 3 from menu 21 to view the firewall log.
ICMP Echo: A brute-force attack, such as a "Smurf" attack, targets a feature in the IP specification known as directed or subnet broadcasting, to quickly flood the target network with useless data.
Traceroute: Traceroute is a utility used to determine the path a packet takes between two endpoints.
Table 14-4 View Firewall Log. #: This is the index number of the firewall log. 128 entries are available, numbered from 0 to 127. Once they are all used, the log will wrap around and the old logs will be lost.
Figure 14-5 Big Picture - Filtering, Firewall and NAT. 14.3 Packet Filtering Vs Firewall. Below are some comparisons between the Prestige's filtering and firewall functions.
When To Use Filtering. 1. To block/allow LAN packets by their MAC address.
Chapter 15 Introducing the Prestige Web Configurator. This chapter shows you how to configure your firewall with the Web Configurator. 15.1 Web Configurator Login and Welcome Screens. Launch your web browser and enter 192.
Figure 15-2 Prestige Web Configurator Welcome Screen. 15.2 Enabling the Firewall. Click Firewall, then Configuration, then the Rule Config tab to enable the firewall as seen in the following screen.
Figure 15-3 Enabling the Firewall. 15.3 E-Mail. This screen allows you to specify your mail server, where e-mail alerts should be sent, as well as when and how often they should be sent.
To field and schedule times for sending alerts in the Alert Timer fields in the E-Mail screen (following screen).
Table 15-1 E-Mail. Address Information. Mail Server: Enter the IP address of your mail server in dotted decimal format. Your Internet Service Provider (ISP) should be able to provide this information.
15.3.3 SMTP Error Messages. If there are difficulties in sending e-mail, the following error messages appear. Please see the Support Notes on the accompanying CD for information on other types of error messages.
Figure 15-5 E-Mail Log. 15.4 Attack Alert. In this screen you may choose to generate an alert whenever an attack is detected. For DoS attacks, the Prestige uses thresholds to determine when to drop sessions that do not become fully established.
You can use the default threshold values, or you can change them to values more suitable to your security requirements.
The Prestige deletes the oldest existing half-open session for the host for every new connection request to the host. This ensures that the number of half-open sessions to a given host will never exceed the threshold.
Table 15-3 Attack Alert. Generate alert when attack detected: A detected attack automatically generates a log entry. Check this box to generate an alert (as well as a log) whenever an attack is detected.
rises above this number, the Prestige deletes half-open sessions as required to accommodate new connection requests. Do not set Maximum Incomplete High to lower than the current Max-Incomplete Low number.
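The half-open session handling described in this Attack Alert section (deleting the oldest half-open session to a host once the per-host limit is reached, and the global Max-Incomplete High/Low thresholds), as an added Python simulation that is not ZyXEL's code: HalfOpenTracker, simulate_syn_flood and the sample traffic are constructed for this illustration, and the assumption that deletion continues down to the Low watermark is labelled in the code.

```python
from collections import OrderedDict


class HalfOpenTracker:
    """Tracks TCP sessions that have seen a SYN but not completed the
    three-way handshake, applying the two kinds of threshold the Attack
    Alert screen describes.  Constructed illustration, not Prestige firmware."""

    def __init__(self, max_incomplete_high, max_incomplete_low, tcp_max_incomplete):
        # The manual warns against setting High lower than Low; reject it outright.
        if max_incomplete_high < max_incomplete_low:
            raise ValueError("Max-Incomplete High must not be lower than Max-Incomplete Low")
        self.high = max_incomplete_high      # global: start deleting when the total rises above this
        self.low = max_incomplete_low        # global: ASSUMED point at which deleting stops
        self.per_host = tcp_max_incomplete   # per destination host limit (TCP Maximum Incomplete)
        self.pending = OrderedDict()         # (src, sport, dst, dport) -> True, oldest first
        self.dropped = []                    # (key, reason) for every deleted half-open session
        self.alerts = []                     # one entry per global threshold crossing
        self.established = 0

    def _drop(self, key, reason):
        del self.pending[key]
        self.dropped.append((key, reason))

    def syn(self, src, sport, dst, dport):
        """A new connection request (SYN) towards dst:dport arrives."""
        key = (src, sport, dst, dport)
        if key in self.pending:
            return  # retransmitted SYN for a session already being tracked

        # Per-host rule as stated on the page: at the limit, delete the oldest
        # half-open session to this host so the count never exceeds the threshold.
        to_host = [k for k in self.pending if k[2] == dst]
        if len(to_host) >= self.per_host:
            self._drop(to_host[0], "TCP Maximum Incomplete reached for %s" % dst)

        # Global rule: if accepting this request would push the total above
        # Max-Incomplete High, delete the oldest sessions until the total is
        # back at Max-Incomplete Low (the Low watermark semantics are assumed).
        if len(self.pending) + 1 > self.high:
            self.alerts.append("half-open sessions exceeded Max-Incomplete High (%d)" % self.high)
            while len(self.pending) >= self.low:
                self._drop(next(iter(self.pending)), "Max-Incomplete High exceeded")

        self.pending[key] = True

    def handshake_complete(self, src, sport, dst, dport):
        """Final ACK seen: the session is established and no longer half-open."""
        if self.pending.pop((src, sport, dst, dport), None) is not None:
            self.established += 1

    def half_open_to(self, dst):
        return sum(1 for k in self.pending if k[2] == dst)


def simulate_syn_flood():
    """Constructed traffic: one legitimate client completes its handshake, then
    spoofed sources (203.0.113.x, a documentation range) leave SYNs unanswered
    against three servers on the example LAN.  Returns a summary for checking."""
    t = HalfOpenTracker(max_incomplete_high=5, max_incomplete_low=3, tcp_max_incomplete=2)
    web = "10.100.1.2"  # the LAN server address used in the chapter's Example 1
    t.syn("192.168.10.50", 51000, web, 80)
    t.handshake_complete("192.168.10.50", 51000, web, 80)

    peak_web = 0
    for sport in (40001, 40002, 40003):   # three SYNs to the web server, never completed
        t.syn("203.0.113.5", sport, web, 80)
        peak_web = max(peak_web, t.half_open_to(web))
    for sport in (1, 2):
        t.syn("203.0.113.6", sport, "10.100.1.3", 25)
    for sport in (1, 2):
        t.syn("203.0.113.7", sport, "10.100.1.4", 21)

    return {
        "established": t.established,          # 1: the legitimate session
        "peak_half_open_to_web": peak_web,     # 2: per-host limit never exceeded
        "half_open_now": len(t.pending),       # 3: trimmed back to Max-Incomplete Low
        "dropped": len(t.dropped),             # 4: one per-host drop, three global drops
        "alerts": len(t.alerts),               # 1: the High threshold was crossed once
    }


if __name__ == "__main__":
    for name, value in simulate_syn_flood().items():
        print("%-24s %s" % (name, value))
```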
Chapter 16 Creating Custom Rules. 16.1 Rules Overview. Firewall rules are subdivided into "Local Network" and "Internet".
5. What computers on the LAN are to be affected (if any)? 6. What computers on the Internet will be affected? The more specific, the better.
16.3 Connection Direction. This section talks about configuring firewall rules for connections going from LAN to WAN and WAN to LAN in your firewall.
Figure 16-2 WAN to LAN Traffic. 16.4 Services Supported. The list box in the Rule Config(uration) screen (see Figure 16-4) displays all services that the Prestige supports. Custom services may also be configured using the Custom Ports function discussed later.
Table 16-1 Services Supported (Service: Description)
BGP(TCP:179): Border Gateway Protocol
BOOTP_CLIENT(UDP:68): DHCP Client
BOOTP_SERVER(UDP:67): DHCP Server
CU-SEEME(TCP/UDP:7648, 24032): A popular videoconferencing solution from White Pines Software.
16.5 Rule Summary. The fields in the Rule Summary screens are the same for Local Network and Internet, so the discussion below refers to both. Click on Firewall, then Local Network to bring up the following screen.
Table 16-2 Firewall Rules Summary - First Screen. General. Name: This is the name of the firewall rule set. Default Permit Log: Check this box to log all matched rules in the ACL default set.
section 16.5.1 for more details. Delete: Press this button to delete an existing firewall rule. Note that subsequent firewall rules move up by one when you take this action.
Figure 16-4 Creating/Editing A Firewall Rule. Table 16-3 Creating/Editing A Firewall Rule. Source Address: Press SrcAdd to add a new address, SrcEdit to edit an existing one or SrcDelete to delete one.
from the Available Services box on the left, then press >> to select it. The selected service shows up in the Selected Services box on the right. To remove a service, click on it in the Selected Services box on the right, then press <<.
Figure 16-5 Adding/Editing Source & Destination Addresses. Table 16-4 Adding/Editing Source & Destination Addresses. Address Type: Do you want your rule to apply to packets with a particular (single) IP, a range of IP addresses (e.
When you have finished, click Apply to save your customized settings and exit this screen, Cancel to exit this screen without saving, or Help for online HTML help on fields in this screen.
Figure 16-6 Timeout Screen.
Table 16-5 Timeout Menu. TCP Timeout Values. Connection Timeout: This is the length of time the Prestige waits for a TCP session to reach the established state before dropping the session.
Chapter 17 Custom Ports. 17.1 Introduction. You will need to configure customized ports for services not included in the services provided in the scrolling list box in the screen shown in Figure 16-4.
Table 17-1 Custom Ports. Customized Services. No: This is the number of your customized port. Name: This is the name of your customized port. Protocol: This shows the IP protocol (TCP, UDP or Both) that defines your customized port.
Figure 17-2 Creating/Editing A Custom Port. The next table describes the fields in this screen.
Table 17-2 Creating/Editing A Custom Port. Service Name: Enter a unique name for your custom port. Service Type: Choose the IP protocol (TCP, UDP or Both) that defines your customized port from the drop down list box.
Chapter 18 Logs. 18.1 Log Screen. When you configure a new rule you also have the option to log events that match, don't match (or both) this rule (see Figure 16-4). Click on Logs to bring up the next screen.
Table 18-1 Log Screen. No.: This is the index number of the firewall log. 128 entries are available, numbered from 0 to 127. Once they are all used, the log will wrap around and the old logs will be lost.
When you have finished viewing this screen, click another link to exit.
Chapter 19 Example Firewall Rules. 19.1 Examples. Please note that whenever you open a hole in the firewall to forward a service from the Internet to the local network, and NAT is also enabled, you may have to also configure a server behind NAT using SMT menu 15.
Figure 19-1 Activate The Firewall. Step 2. Now we configure our E-mail screen as follows. Click the E-Mail tab to bring up the next screen. Check here to activate the firewall.
Figure 19-2 Example 1 - E-Mail Screen. Step 3. Now we configure our firewall rule as shown in the following screen. The default firewall blocks all Internet traffic entering our local network, but we want to create a hole for web service from the Internet.
Figure 19-3 Example 1 - Configuring A Rule. This is an Internet to Local Network rule. Click DestAdd to configure the destination address as the IP of our server on the LAN. See the next screen.
Figure 19-4 Example 1: Destination Address for Traffic Originating From The Internet. 10.100.1.2 is the IP of our server on the LAN (supporting FTP, HTTP, Telnet and mail services) to which we wish to forward traffic originating from the Internet.
Figure 19-5 Example 1 - Rule Summary Screen. 19.1.2 Example 2 - Small Office With Mail, FTP and Web Servers. Our small office has: i. A mail server with an IP of 192.168.10.2. ii. Two FTP servers.
Step 1. First we want to send alerts when there is an attack. Go to the Attack Alert screen (click Configuration, then the Attack Alert tab) shown next. Figure 19-6 Send Alerts When Attacked. Step 2.
Figure 19-7 Configuring A POP Custom Port. Step 4. Now, we will create rules to block all outgoing traffic (from the local network to the Internet) except for traffic originating from the HTTP proxy server and our mail server.
Figure 19-8 Example 2 - Local Network Rule 1 Configuration. Step 6. Similarly configure another local network to Internet rule allowing traffic from our web (HTTP) proxy server. Step 7.
Figure 19-9 Example 2 - Local Network Rule Summary. Step 8. Now we want an FTP server (IP of 192.
Figure 19-10 Example 2 - Internet to Local Network Rule Summary. 19.1.3 Example 3: DHCP Negotiation and Syslog Connection from the Internet. The following are some Internet firewall rule examples to: 1.
Figure 19-11 Custom Port for Syslog. Step 2. Follow the procedures outlined in the previous examples to configure all your rules. When finished, your rule summary screen should look like the following.
Figure 19-12 Syslog Rule Configuration. This is our Syslog custom port. Click Apply when finished.
Figure 19-13 Example 3 Rule Summary. Rule 1: Allow DHCP negotiation between the ISP and the P312. Rule 2: Allow a syslog connection from the WAN. Click Apply to save your settings back to the Prestige.
Chapter 20 Content Filtering. The Prestige can block web features such as ActiveX controls, Java applets and cookies, as well as disable web proxies. The Prestige can also block specific URLs by using the keyword feature.
20.1.3 Cookies. Cookies are used by Web servers to track usage. Cookies provide service based on ID. Unfortunately, cookies can be programmed not only to identify the visitor to the site, but also to track that visitor's activities.
Figure 20-1 Content Filtering Screen. Table 20-1 Content Filtering Fields. Restrict Web Features: Check the box(es) to restrict that feature. When you download a page containing a restricted feature, that part of the web page will appear blank or grayed out.
Part V: Troubleshooting, Appendices, Glossary and Index. Chapter 21 provides information about solving common problems, followed by some Appendices, a Glossary of Terms and an Index.
Chapter 21 Troubleshooting. This chapter covers the potential problems you may run into and the possible remedies. After each problem description, some instructions are provided to help you to diagnose and to solve the problem.
21.2 Problems with the LAN Interface. Table 21-2 Troubleshooting the LAN Interface. Corrective Action: Check the 10M/100M LEDs on the front panel. One of these LEDs should be on. If they are both off, check the cables between your Prestige and hub or the station.
21.4 Problems with Internet Access. Table 21-4 Troubleshooting Internet Access. Corrective Action: Connect your Cable/xDSL modem with the Prestige using appropriate cable.
Appendix A PPPoE. PPPoE in Action. An ADSL modem bridges a PPP session over Ethernet (PPP over Ethernet, RFC 2516) from your PC to an ATM PVC (Permanent Virtual Circuit) which connects to a xDSL Access Concentrator where the PPP session terminates (see the next figure).
How PPPoE Works. The PPPoE driver makes the Ethernet appear as a serial link to the PC and the PC runs PPP over it, while the modem bridges the Ethernet frames to the Access Concentrator (AC).
Appendix B PPTP. What is PPTP? PPTP (Point-to-Point Tunneling Protocol) is a Microsoft proprietary protocol (RFC 2637 for PPTP is informational only) to tunnel PPP frames.
PNS and the PAC must have IP connectivity; however, the PAC must in addition have dial-up capability. The phone call is between the user and the PAC, and the PAC tunnels the PPP frames to the PNS. The PPTP user is unaware of the tunnel between the PAC and the PNS.
Appendix C Hardware Specifications. Power Specification: I/P AC 120V / 60Hz; O/P DC 12V 1200 mA. MTBF: 100000 hrs. Operation Temperatur.
Appendix D Important Safety Instructions. The following safety instructions apply to the Prestige: 1. Be sure to read and follow all warning notices and instructions. 2. The maximum recommended ambient temperature for the Prestige is 40ºC (104ºF).
Appendix E Firewall CLI Commands. The following table describes the syntax used to configure your firewall using Command Line Interface (CLI) commands. Select option 24.8 Command Interpreter Mode from the Main Menu to go into CLI mode.
(Function, CLI Syntax, Description) config edit firewall e-mail email-to <e-mail address>: Edits the mail address to which you want to send the alert.
config edit firewall set <set #> default-permit <forward | block>: Edits whether a packet is dropped or a.
config edit firewall set <set #> rule <rule #> srcaddr-subnet <ip address> <subnet mask>: Sele.
Delete. config delete firewall e-mail: Removes all the settings for e-mail alert. config delete firewal.
Appendix F Power Adapter Specs. AC Power Adapter Specifications. North America: AC Power Adapter model MW48-1201200. Input power: AC120Volts/60Hz. Output power: DC12Volts/1.
Japan: AC Power Adapter model JOD-48-1124. Input power: AC100Volts/50/60Hz/27VA. Output power: DC12Volts/1.
Glossary of Terms. 10BaseT: The 10-Mbps baseband Ethernet specification that uses two pairs of twisted-pair cabling (Category 3 or 5): one pair for transmitting data and the other for receiving data.
Cookie: A string of characters saved by a web browser on the user's hard disk. Many web pages send cookies to track specific user information. Cookies can be used to retain information as the user browses a web site.
Digital Signature: Digital code that authenticates whoever signed the document or software. Software, messages, Email, and other electronic documents can be signed electronically so that they cannot be altered by anyone else.
Events: These are network activities. Some activities are direct attacks on your system, while others might be, depending on the circumstances. Therefore, any activity, regardless of severity, is called an event.
Integrity: Proof that the data is the same as originally intended. Unauthorized software or people have not altered the original information. internet (lower case i): Any time you connect 2 or more networks together, you have an internet.
as a stream of bits. Name Resolution: The allocation of an IP address to a host name. See DNS. NAT: Network Address Translation is the translation of an Internet Protocol address used within one network to a different IP address known within another network - see also SUA.
Plain Text: The opposite of Cipher Text, Plain Text is readable by anyone. Prestige Web Configurator: This is a web-based Prestige router (not all) configurator that includes an Internet Access Wizard, Advanced and Firewall (not all Prestige models) configurations.
system, meaning that an end-to-end private circuit is established between caller and callee. Public Key Encryption: System of encrypting electronic files using a key pair. The key pair contains a public key used during encryption, and a corresponding private key used during decryption.
SPAM: Unwanted e-mail, usually in the form of advertisements. Spoofing: To forge something, such as an IP address. IP Spoofing is a common way for hackers to hide their location and identity. SSL (Secured Socket Layer): Technology that allows you to send information that only the server can read.
on a host system. Objects include directories and an assortment of file types, including text files, graphics, video, and audio. A URL is the address of an object that is normally typed in the Address field of a Web browser.