ZyXEL Communications Broadband Security Gateway P-312 manual


A good user manual

The rules should oblige the seller to give the purchaser the operating instructions for the ZyXEL Communications Broadband Security Gateway P-312 along with the item. Missing instructions or false information given to the customer constitute grounds for a complaint on the basis of nonconformity of the goods with the contract. In accordance with the law, a customer can receive the instructions in non-paper form; lately graphic and electronic manuals, as well as instructional videos, have been widely used. A necessary precondition for this is that the instructions are unambiguous and legible.

What is an instruction?

The term originates from the Latin word "instructio", which means organizing. Therefore, in the instructions for the ZyXEL Communications Broadband Security Gateway P-312 one can find a process description. The purpose of an instruction is to teach, and to ease the start-up and use of an item or the performance of certain activities. An instruction is a compilation of information about an item or a service; it is a guide.

Unfortunately, only a few customers take the time to read the instructions for the ZyXEL Communications Broadband Security Gateway P-312. A good user manual introduces us to a number of additional functions of the purchased item, and also helps us to avoid most defects.

What should a perfect user manual contain?

First and foremost, a user manual for the ZyXEL Communications Broadband Security Gateway P-312 should contain:
- information concerning the technical data of the ZyXEL Communications Broadband Security Gateway P-312
- name of the manufacturer and a year of construction of the ZyXEL Communications Broadband Security Gateway P-312 item
- rules of operation, control and maintenance of the ZyXEL Communications Broadband Security Gateway P-312 item
- safety signs and mark certificates which confirm compatibility with appropriate standards

Why don't we read the manuals?

Usually it results from a lack of time and from certainty about the functions of the purchased items. Unfortunately, connecting and starting up the ZyXEL Communications Broadband Security Gateway P-312 alone are not enough. The instructions contain a number of hints concerning the respective functions, safety rules, maintenance methods (what means should be used), possible defects of the ZyXEL Communications Broadband Security Gateway P-312, and methods of problem resolution. Finally, when one still can't find the answer to a problem, one will be directed to the ZyXEL Communications service. Lately animated manuals and instructional videos are quite popular among customers. These kinds of user manuals are effective; they ensure that a customer will become familiar with the whole material, and won't skip complicated, technical information about the ZyXEL Communications Broadband Security Gateway P-312.

Why should one read the manuals?

It is mostly in the manuals that we will find the details concerning the construction and capabilities of the ZyXEL Communications Broadband Security Gateway P-312, and its use with the respective accessories, as well as information concerning all the functions and facilities.

After a successful purchase of an item one should find a moment to get to know every part of the instructions. Currently the manuals are carefully prepared and translated, so that they can be fully understood by their users. The manuals will serve as an informational aid.

Table of contents for the manual

  • Page 1

    Prestige 312 Broadband Security Gateway User’s Guide Version 3.20 November 2000[...]

  • Page 2

    P312 Broadband Security Gateway ii Copyright Prestige 312 Broadband Security Gateway Copyright Copyright © 2000 by ZyXEL Communications Corporation. The contents of this publication may not be reproduced in any part or as a whole, transcribed, stored in a retrieval system, translated into any language, or transmitted in a[...]

  • Page 3

    P312 Broadband Security Gateway FCC Statement iii Federal Communications Commission (FCC) Interference Statement This device complies with Part 15 of FCC rules. Operation is subject to the following two conditions: This device may not cause harmful interference. This device must accept any interference received, includin[...]

  • Page 4

    P312 Broadband Security Gateway iv Canadian Users Information for Canadian Users The Industry Canada label identifies certified equipment. This certification means that the equipment meets certain telecommunications network protective, operation, and safety requirements. The Industry Canada does not guarantee that t[...]

  • Page 5

    P312 Broadband Security Gateway Warranty v Declaration of Conformity We, the Manufacturer/Importer, ZyXEL Communications Corp. No. 6, Innovation Rd. II, Science-Based Industrial Park, Hsinchu, Taiwan, 300 R.O.C declare that the product Prestige 312 is in conformity with (reference to the specification under which conformity is d[...]

  • Page 6

    P312 Broadband Security Gateway vi CE Doc[...]

  • Page 7

    P312 Broadband Security Gateway Warranty vii ZyXEL Limited Warranty ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials or workmanship for a period of up to two years from the date of purchase. During the warranty period, and upon proof of purchase, should the produc[...]

  • Page 8

    P312 Broadband Security Gateway viii Customer Support Customer Support When you contact your customer support representative please have the following information ready: ♦ Prestige Model and serial number. ♦ Information in Menu 24.2.1 – System Information. ♦ Warranty Information. ♦ Date you received your Prestige. ♦ Brie[...]

  • Page 9

    P312 Broadband Security Gateway Table Of Contents ix Table of Contents Table of Contents ... ix List of Figures ...[...]

  • Page 10

    P312 Broadband Security Gateway x Table Of Contents 2.10.1 LAN Port Filter Setup ... 2-12 Chapter 3 Internet Access ... 3-1 3.1 TCP/IP and DH[...]

  • Page 11

    P312 Broadband Security Gateway Table Of Contents xi 6.1.4 NAT Mapping Types ... 6-2 6.1.5 SUA (Single User Account) Versus NAT ... 6-3 6.1.6 NAT Application ...[...]

  • Page 12

    P312 Broadband Security Gateway xii Table Of Contents 9.1 System Status ... 9-2 9.2 System Information and Console Port Speed ... 9-4 9.2.1 System [...]

  • Page 13

    P312 Broadband Security Gateway Table Of Contents xiii 12.2 Telnet Under NAT ... 12-1 12.3 Telnet Capabilities ... 12-1[...]

  • Page 14

    P312 Broadband Security Gateway xiv Table Of Contents 15.3 E-Mail ... 15-3 15.3.1 What are Alerts? ... 15[...]

  • Page 15

    P312 Broadband Security Gateway Table Of Contents xv 20.1 Restrict Web Features ... 20-1 20.1.1 ActiveX ... 20-1 20[...]

  • Page 16

    P312 Broadband Security Gateway xvi List Of Figures List of Figures Figure 1-1 Secure Internet Access via Cable ... 1-3 Figure 1-2 Secure Internet Access via DSL ...[...]

  • Page 17

    P312 Broadband Security Gateway List Of Figures xvii Figure 4-5 Remote Node Network Layer Options ... 4-8 Figure 4-6 Remote Node Filter (Ethernet Encapsulation) ... 4-10 Figure 4-7 Remote Node Filte[...]

  • Page 18

    P312 Broadband Security Gateway xviii List Of Figures Figure 6-22 Example 4 - Menu 15.1.1.1 - Address Mapping Rule ... 6-20 Figure 6-23 Example 4 - Menu 15.1.1 - Address Mapping Rules ... 6-20 Figure 7-1 Outgoing Packet Filterin[...]

  • Page 19

    P312 Broadband Security Gateway List Of Figures xix Figure 9-9 Call-Triggering Packet Example ... 9-10 Figure 9-10 Menu 24.4 - System Maintenance - Diagnostic ... 9-11 Figure 9-11 WAN &a[...]

  • Page 20

    P312 Broadband Security Gateway xx List Of Figures Figure 14-2 Menu 21 - Filter and Firewall Setup ... 14-1 Figure 14-3 Menu 21.2 – Firewall Setup ... 14-2 Figure 14-[...]

  • Page 21

    P312 Broadband Security Gateway List Of Figures xxi Figure 19-9 Example 2 - Local Network Rule Summary ... 19-10 Figure 19-10 Example 2 - Internet to Local Network Rule Summary ... 19-11 Figure 19-11 Custom Port for Syslog ...[...]

  • Page 22

    [...]

  • Page 23

    P312 Broadband Security Gateway List of Tables xxiii List Of Tables Table 2-1 LED functions ... 2-1 Table 2-2 Main Menu Commands ...[...]

  • Page 24

    P312 Broadband Security Gateway xxiv List of Tables Table 7-2 Abbreviations Used If Filter Type Is IP ... 7-7 Table 7-3 Abbreviations Used If Filter Type Is GEN ... 7-7 Table 7-4 T[...]

  • Page 25

    P312 Broadband Security Gateway List of Tables xxv Table 16-5 Timeout Menu ... 16-14 Table 17-1 Custom Ports ...[...]

  • Page 26

    [...]

  • Page 27

    P312 Broadband Security Gateway Preface xxvii Preface About Your Router Congratulations on your purchase of the Prestige 312 Broadband Security Gateway. Don’t forget to register your Prestige (fast, easy online registration at www.zyxel.com) for free future product updates and information. The Prestige 312 is a dual Ethern[...]

  • Page 28

    P312 Broadband Security Gateway xxviii Preface Regardless of your particular application, it is important that you follow the steps outlined in Chapters 1-2 to connect your Prestige to your LAN. You can then refer to the appropriate chapters of the manual, depending on your applications. Related Documentation Supporting CD More d[...]

  • Page 29

    Getting Started I Part I: Getting Started Chapters 1-3 are structured as a step-by-step guide to help you connect, install and set up your Prestige to operate on your network and access the Internet.[...]

  • Page 30

    [...]

  • Page 31

    P312 Broadband Security Gateway Getting to Know Your Prestige 1-1 Chapter 1 Getting to Know Your Prestige This chapter introduces the main features and applications of the Prestige. 1.1 The Prestige 312 Broadband Security Gateway The Prestige 312 is a dual Ethernet Broadband Security Gateway integrated with a robust firewall and ne[...]

  • Page 32

    P312 Broadband Security Gateway 1-2 Getting to Know Your Prestige Dynamic DNS Support With Dynamic DNS support, you can have a static hostname alias for a dynamic IP address, allowing the host to be more easily accessible from various locations on the Internet. You must register for this service with a Dynamic DNS client to use thi[...]

  • Page 33

    P312 Broadband Security Gateway Getting to Know Your Prestige 1-3 not choose a time service protocol that your timeserver will send when the Prestige powers up you can enter the time manually but each time the system is booted, the time & date will be reset to 1/1/1970 0:0:0. Logging and Tracing The Prestige has the following fea[...]

  • Page 34

    P312 Broadband Security Gateway 1-4 Getting to Know Your Prestige Figure 1-2 Secure Internet Access via DSL You can also use your xDSL modem in the bridge mode for always-on Internet access and high speed data transfer.[...]

  • Page 35

    P312 Broadband Security Gateway Hardware Installation & Initial Setup 2-1 Chapter 2 Hardware Installation & Initial Setup This chapter shows you how to connect the hardware and perform the initial setup. 2.1 Front Panel LEDs and Back Panel Ports 2.1.1 Front Panel LEDs The LEDs on the front panel indicate the operational statu[...]

  • Page 36

    P312 Broadband Security Gateway 2-2 Hardware Installation & Initial Setup LEDs Function Indicator Status Active Description Flashing The 100M LAN is sending/receiving packets. Off The WAN Link is not ready, or has failed. On The WAN Link is ok. WAN WAN Green Flashing The 10M WAN link is sending/receiving packets. 2.2 [...]

  • Page 37

    P312 Broadband Security Gateway Hardware Installation & Initial Setup 2-3 connector on the back of the cable modem. Connect an xDSL Modem to the xDSL Wall Jack. Please also see Appendix C for important safety instructions on making connections to the Prestige. Step 1. Connecting the Console Port For the initial configuration of [...]

  • Page 38

    P312 Broadband Security Gateway 2-4 Hardware Installation & Initial Setup ♦ 9600 Baud. ♦ No parity, 8 Data bits, 1 Stop bit, Flow Control set to None. 3. A cable/xDSL modem and an ISP account. After the Prestige is properly set up, you can make future changes to the configuration through telnet connections. 2.4 Housing Your[...]

  • Page 39

    P312 Broadband Security Gateway Hardware Installation & Initial Setup 2-5 Figure 2-4 Password Screen 2.6 Navigating the SMT Interface The SMT (System Management Terminal) is the interface that you use to configure your Prestige. Several operations that you should be familiar with before you attempt to modify the configuration ar[...]

  • Page 40

    P312 Broadband Security Gateway 2-6 Hardware Installation & Initial Setup 2.6.1 Main Menu After you enter the password, the SMT displays the Prestige 312 Main Menu, as shown below. Figure 2-5 Prestige 312 Main Menu 2.6.2 System Management Terminal Interface Summary Table 2-3 Main Menu Summary # Menu Title Description 1 Gener[...]

  • Page 41

    P312 Broadband Security Gateway Hardware Installation & Initial Setup 2-7 99 Exit To exit from SMT and return to a blank screen. 2.7 Changing the System Password The first thing you should do before anything else is to change the default system password by following the steps below. Step 1. Enter 23 in the Main Menu to o[...]

  • Page 42

    P312 Broadband Security Gateway 2-8 Hardware Installation & Initial Setup 2.8 General Setup Menu 1 - General Setup contains administrative and system-related information. The fields for General Setup are as shown next. System Name is for identification purposes. However, because some ISPs check this name you should enter your PC’s[...]

  • Page 43

    P312 Broadband Security Gateway Hardware Installation & Initial Setup 2-9 Table 2-4 General Setup Menu Field Field Description Example System Name Choose a descriptive name for identification purposes. It is recommended you enter your computer’s “Computer name” in this field. This name can be up to 30 alphanume[...]

  • Page 44

    P312 Broadband Security Gateway 2-10 Hardware Installation & Initial Setup Table 2-5 Configure Dynamic DNS Menu Fields Field Description Example Service Provider Enter the name of your Dynamic DNS client. www.ddns.org Active Press [SPACE BAR] to toggle between Yes or No. Yes Host Enter the domain name assigned to your Prest[...]

  • Page 45

    P312 Broadband Security Gateway Hardware Installation & Initial Setup 2-11 Figure 2-9 Menu 2 – WAN Setup The MAC address field allows users to configure the WAN port's MAC Address by either using the factory default or cloning the MAC address from a workstation on your LAN. Once it is successfully configured, the address w[...]

  • Page 46

    P312 Broadband Security Gateway 2-12 Hardware Installation & Initial Setup Figure 2-10 Menu 3 - LAN Setup 2.10.1 LAN Port Filter Setup This menu allows you to specify the filter sets that you wish to apply to the LAN traffic. You seldom need to filter the LAN traffic, however, the filter sets may be useful to block certain packets[...]

  • Page 47

    P312 Broadband Security Gateway Internet Access 3-1 Chapter 3 Internet Access This chapter shows you how to configure the LAN as well as the WAN of your Prestige for Internet access. 3.1 TCP/IP and DHCP for LAN The Prestige has built-in DHCP server capability that assigns IP addresses and DNS servers to systems that support DHCP cli[...]

  • Page 48

    P312 Broadband Security Gateway 3-2 Internet Access The subnet mask specifies the network number portion of an IP address. Your Prestige will compute the subnet mask automatically based on the IP address that you entered. You don’t need to change the subnet mask computed by the Prestige unless you are instructed to do otherwise.[...]

  • Page 49

    P312 Broadband Security Gateway Internet Access 3-3 3.1.5 DHCP Configuration DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows the individual clients (workstations) to obtain the TCP/IP configuration at start-up from a server. You can configure the Prestige as a DHCP server or disable it. [...]

  • Page 50

    P312 Broadband Security Gateway 3-4 Internet Access The address 224.0.0.1 is used for query messages and is assigned to the permanent group of all IP hosts (including gateways). All hosts must join the 224.0.0.1 group in order to participate in IGMP. The address 224.0.0.2 is assigned to the multicast routers group. The Presti[...]

  • Page 51

    P312 Broadband Security Gateway Internet Access 3-5 Figure 3-3 Menu 3 - LAN Setup (10/100 Mbps Ethernet) To edit the TCP/IP and DHCP configuration, enter 2 to open Menu 3.2 - TCP/IP and DHCP Ethernet Setup as shown next. Figure 3-4 Menu 3.2 – TCP/IP and DHCP Ethernet Setup Menu 3 – LAN Setup 1. LAN Port Filter Setup 2. TCP/IP and DHCP[...]

  • Page 52

    P312 Broadband Security Gateway 3-6 Internet Access Follow the instructions in the following table on how to configure the DHCP fields. Table 3-1 LAN DHCP Setup Menu Fields Field Description Example DHCP= This field enables/disables the DHCP server. If it is set to Server, your Prestige will act as a DHCP server. If set to None, DHCP[...]

  • Page 53

    P312 Broadband Security Gateway Internet Access 3-7 Field Description Example Edit IP Alias The Prestige supports three logical LAN interfaces via its single physical Ethernet interface with the Prestige itself as the gateway for each LAN network. Press the space bar to toggle No to Yes, then press [ENTER] to bring you to me[...]

  • Page 54

    P312 Broadband Security Gateway 3-8 Internet Access RIP Direction Press the space bar to select the RIP direction from None, Both/In Only/Out Only. None Version Press the space bar to select the RIP version from RIP-1/RIP-2B/RIP-2M. RIP-1 Incoming Protocol Filters Enter the filter set(s) you wish to apply to the incoming traf[...]

  • Page 55

    P312 Broadband Security Gateway Internet Access 3-9 The following table describes this screen. Table 3-4 Internet Access Setup Menu Fields Field Description ISP’s Name Enter the name of your Internet Service Provider, e.g., my ISP. This information is for identification purposes only. Encapsulation Press the [SPACE BAR] and th[...]

  • Page 56

    P312 Broadband Security Gateway 3-10 Internet Access 3.3.3 Configuring the PPTP Client To configure a PPTP client, you must configure the My Login and Password fields for a PPP connection and the PPTP parameters for a PPTP connection. After configuring the User Name and Password for PPP connection, press [SPACE BAR] in the[...]

  • Page 57

    P312 Broadband Security Gateway Internet Access 3-11 For the service provider, PPPoE offers an access and authentication method that works with existing access control systems (e.g., Radius). For the user, PPPoE provides a login & authentication method that the existing Microsoft Dial-Up Networking software can activate, and there[...]

  • Page 58

    P312 Broadband Security Gateway 3-12 Internet Access Table 3-6 New Fields in Menu 4 (PPPoE) screen Field Description Examples Encapsulation Press the [SPACE BAR] and then press [ENTER] to choose PPPoE. The encapsulation method influences your choices for IP Address. PPPoE Service Name Enter the PPPoE service name provided to you. P[...]

  • Page 59

    Advanced Applications II Part II: Advanced Applications Advanced Applications (Chapters 4-6) describe the advanced applications of your Prestige, such as Remote Node Setup, IP Static routes and NAT.[...]

  • Page 60

    P312 Broadband Security Gateway Remote Node Setup 4-1 Chapter 4 Remote Node Setup This chapter shows you how to configure a remote node. A remote node is required for placing calls to a remote gateway. A remote node represents both the remote gateway and the network behind it across a WAN connection. Note that when you use Menu[...]

  • Page 61

    P312 Broadband Security Gateway 4-2 Remote Node Setup Table 4-1 Fields in Menu 11.1 Field Description Examples Rem Node Name Enter a descriptive name for the remote node. This field can be up to eight characters. LAoffice Active Press the [SPACE BAR] to toggle between Yes and No and activate (deactivate) the remote node. Yes En[...]

  • Page 62

    P312 Broadband Security Gateway Remote Node Setup 4-3 4.1.2 PPPoE Encapsulation The Prestige supports PPPoE (Point-to-Point Protocol over Ethernet). You can only use PPPoE encapsulation when you’re using the Prestige with an xDSL modem as the WAN device. If you change the Encapsulation to PPPoE, then you will see the next[...]

  • Page 63

    P312 Broadband Security Gateway 4-4 Remote Node Setup Table 4-2 Fields in Menu 11.1 (PPPoE Encapsulation Specific) Field Description Examples Authen This field sets the authentication protocol used for outgoing calls. Options for this field are: CHAP/PAP - Your Prestige will accept either CHAP or PAP when requested by this remot[...]

  • Page 64

    P312 Broadband Security Gateway Remote Node Setup 4-5 Figure 4-3 Remote Node Profile for PPTP Encapsulation The next table shows how to configure fields in Menu 11.1 not previously discussed above. Table 4-3 Fields in Menu 11.1 (PPTP Encapsulation) Field Description Examples Encapsulation Toggle the space bar to choose PP[...]

  • Page 65

    P312 Broadband Security Gateway 4-6 Remote Node Setup 4.2 Editing TCP/IP Options (with Ethernet Encapsulation) Move the cursor to the Edit IP field in Menu 11.1, then press the [SPACE BAR] to toggle and set the value to Yes. Press [Enter] to open Menu 11.3 - Network Layer Options. Figure 4-4 Remote Node Network Layer Options The [...]

  • Page 66

    P312 Broadband Security Gateway Remote Node Setup 4-7 Field Description Example between 1 and 15. In practice, 2 or 3 is usually a good number. Private This field is valid only for PPTP/PPPoE encapsulation. This parameter determines if the Prestige will include the route to this remote node in its RIP broadcasts. If set [...]

  • Page 67

    P312 Broadband Security Gateway 4-8 Remote Node Setup Figure 4-5 Remote Node Network Layer Options The next table gives you instructions about configuring remote node network layer options. Table 4-5 Remote Node Network Layer Options Menu Fields Field Description Example IP Address Assignment If your ISP did not assign you an [...]

  • Page 68

    P312 Broadband Security Gateway Remote Node Setup 4-9 between 1 and 15. In practice, 2 or 3 is usually a good number. Private This parameter determines if the Prestige will include the route to this remote node in its RIP broadcasts. If set to Yes, this route is kept private and not included in RIP broadcast. If No, the[...]

  • Page 69

    P312 Broadband Security Gateway 4-10 Remote Node Setup Figure 4-6 Remote Node Filter (Ethernet Encapsulation) Figure 4-7 Remote Node Filter (PPPoE or PPTP Encapsulation) Menu 11.5 - Remote Node Filter Input Filter Sets: protocol filters= 3 device filters= Output Filter Sets: protocol filters= 1 device filters= Enter here to CONFIRM or ESC to CA[...]

  • Page 70

    P312 Broadband Security Gateway IP Static Route Setup 5-1 Chapter 5 IP Static Route Setup This chapter shows you how to configure static routes with your Prestige. Static routes tell the Prestige routing information that it cannot learn automatically through other means. This can arise in cases where RIP is disabled on the LAN. Each remot[...]

  • Page 71

    P312 Broadband Security Gateway 5-2 IP Static Route Setup 5.1 IP Static Route Setup You configure IP static routes in Menu 12.1, by selecting one of the IP static routes as shown below. Enter 12 from the Main Menu. Figure 5-2 Menu 12 - IP Static Route Setup Now, enter the index number of one of the static routes you want to [...]

  • Page 72

    P312 Broadband Security Gateway IP Static Route Setup 5-3 Table 5-1 IP Static Route Menu Fields Field Description Route # This is the index number of the static route that you chose in Menu 12. Route Name Enter a descriptive name for this route. This is for identification purposes only. Active This field allows you to activ[...]

  • Page 73

    [...]

  • Page 74

    P312 Broadband Security Gateway NAT 6-1 Chapter 6 Network Address Translation (NAT) This chapter discusses how to configure NAT on the Prestige. 6.1 Introduction NAT (Network Address Translation - NAT, RFC 1631) is the translation of the IP address of a host in a packet, e.g., the source address of an outgoing packet, used within [...]

  • Page 75

    P312 Broadband Security Gateway 6-2 NAT them accessible to the outside world. If you do not define any servers (for Many-to-One and Many-to-Many Overload mapping – see below), NAT offers the additional benefit of firewall protection. If no server is defined in these cases, all incoming inquiries will be filtered out by your Prest[...]

  • Page 76

    P312 Broadband Security Gateway NAT 6-3 2. Many to One: In Many-to-One mode, the Prestige maps multiple local IP addresses to one global IP address. This is equivalent to SUA (i.e., PAT, port address translation), ZyXEL’s Single User Account feature that previous ZyXEL routers supported (the SUA Only option in today’s routers).[...]

  • Page 77

    P312 Broadband Security Gateway 6-4 NAT remote node basis. They are reusable, but only one set is allowed for each remote node. The Prestige supports 2 sets since there is only one remote node. The second set (SUA Only option in Menu 15.1) is a convenient, pre-configured, read only Many-to-1 port mapping set, sufficient for m[...]

  • Page 78

    P312 Broadband Security Gateway NAT 6-5 Figure 6-3 Applying NAT for Internet Access This figure shows how you apply NAT to the remote node in Menu 11.1. Step 1. Enter 11 from the Main Menu. Step 2. Move the cursor to the Edit IP field, press the [SPACEBAR] to toggle the default No to Yes, then press [ENTER] to bring up Menu 11.[...]

  • Page 79

    P312 Broadband Security Gateway 6-6 NAT Table 6-3 Applying NAT in Menus 4 & 11.3 Field Options Description Full Feature When you select this option the SMT will use Address Mapping Set 1 (Menu 15.1 – see section 6.2.3 for further discussion). You can configure any of the 5 mapping types described in Table 6-2. None NA[...]

  • Page 80

    P312 Broadband Security Gateway NAT 6-7 Figure 6-6 Menu 15.1 Address Mapping Sets Let’s look first at Option 255. Option 255 is equivalent to SUA in previous ZyXEL routers (see section 6.1.4). The fields in this menu cannot be changed. Entering 255 brings up this screen. Figure 6-7 SUA Address Mapping Rules The following table [...]

  • Page 81

    P312 Broadband Security Gateway 6-8 NAT Table 6-4 SUA Address Mapping Rules Field Description Options/Example Set Name This is the name of the set you selected in Menu 15.1 or enter the name of a new set you want to create. SUA Idx This is the index or rule number. 1 Local Start IP Local End IP Local Start IP is the starting lo[...]

  • Page 82

    P312 Broadband Security Gateway NAT 6-9 Figure 6-8 First Set in Menu 15.1.1 The Type, Local and Global Start/End IPs are configured in Menu 15.1.1.1 (described later) and the values are displayed here. Ordering Your Rules Ordering your rules is important because the Prestige applies the rules in the order that you speci[...]

  • Page 83

    P312 Broadband Security Gateway 6-10 NAT moved down by one rule. Delete means to delete the selected rule and then all the rules after the selected one will be advanced one rule. Save Set means to save the whole set (note when you choose this action, the Select Rule item will be disabled). Select Rule When you choose Edit, [...]

  • Page 84

    P312 Broadband Security Gateway NAT 6-11 Field Description Option/Example examples. and Server Local IP Only local IP fields are N/A for server; Global IP fields MUST be set for Server. Start This is the starting local IP address (ILA). 0.0.0.0 End This is the ending local IP address (ILA). If the rule is for all local IPs, t[...]

  • Page 85

    P312 Broadband Security Gateway 6-12 NAT Figure 6-10 Multiple Servers Behind NAT 6.3.2 Configuring a Server behind NAT Follow the steps below to configure a server behind NAT: Step 1. Enter 15 in the main menu to go to Menu 15 – NAT Setup. Step 2. Enter 2 to go to Menu 15.2 - NAT Server Setup. Step 3. Enter the service port number in [...]

  • Page 86

    P312 Broadband Security Gateway NAT 6-13 Figure 6-11 Menu 15.2 – NAT Server Setup Table 6-7 Services & Port numbers Services Port Number FTP (File Transfer Protocol) 21 Telnet 23 SMTP (Simple Mail Transfer Protocol) 25 DNS (Domain Name System) 53 HTTP (Hyper Text Transfer protocol or WWW, Web) 80 PPTP (Point-to-Point [...]

  • Page 87

    P312 Broadband Security Gateway 6-14 NAT Figure 6-12 NAT Example 1 Figure 6-13 Internet Access & NAT Example From Menu 4 shown above, simply choose the SUA Only option from the Network Address Translation field. This is the Many-to-One mapping discussed in section 6.1.4. The SUA Only read only option from the Network Ad[...]

  • Page 88

    P312 Broadband Security Gateway NAT 6-15 6.4.2 Example 2 – Internet Access with an Inside Server Figure 6-14 NAT Example 2 In this case, we do exactly as above (use the convenient pre-configured SUA Only set) and also go to Menu 15.2 to specify the Inside Server behind the NAT as shown in the next figure. Figure 6-15 Specify[...]

  • Page 89

    P312 Broadband Security Gateway 6-16 NAT server and the other IGA is used by all. We want to map the FTP servers to the first two of our IGAs and the other LAN traffic to the remaining IGA. We also want to map our third IGA to an inside web server and mail server. We need to configure 4 rules, 2 bi-directional and 2 one directional as f[...]

  • Page 90

    P312 Broadband Security Gateway NAT 6-17 Step 5. Select Type = as One-to-One (direct mapping for packets going both ways), and enter the local Start IP as 192.168.1.10 (the IP address of FTP Server 1), the global Start IP as 10.132.50.1 (our first IGA). (See Figure 6-18) Step 6. Repeat the previous step for rules 2 to 4 as outlined [...]

  • Page 91

    P312 Broadband Security Gateway 6-18 NAT When we have configured all four rules, Menu 15.1.1 should look as follows. Figure 6-19 Example 3 Final Menu 15.1.1 Now we configure our IGA 3 to map to our web server and mail server on the LAN. Step 8. Enter 15 from the Main Menu. Step 9. Now enter 2 from this menu and configure it as s[...]

  • Page 92

    P312 Broadband Security Gateway NAT 6-19 6.4.4 Example 4 – NAT Unfriendly Application Programs Some applications do not support NAT Mapping using TCP or UDP port address translation. In this case it is better to use Many-to-Many No Overload mapping as port numbers do not change for Many-to-Many No Overload (and One-to-One) N[...]

  • Page 93

    P312 Broadband Security Gateway 6-20 NAT Figure 6-22 Example 4 - Menu 15.1.1.1 - Address Mapping Rule After you’ve configured this menu, you should see the following screen. Figure 6-23 Example 4 - Menu 15.1.1 - Address Mapping Rules Menu 15.1.1.1 Address Mapping Rule Type= Many-to-Many No Overload Local IP: Start= 192.168.1.10 End = 192.[...]

  • Page 94

    Advanced Management III Part III: Advanced Management Chapters 7 - 12 provide information on Prestige filtering, System Information and Diagnosis, Transferring Files and Telnet.[...]

  • Page 95

    [...]

  • Page 96

    P312 Broadband Security Gateway Filters 7-1 Chapter 7 Filter Configuration This chapter shows you how to create and apply filter(s). 7.1 About Filtering Your Prestige uses filters to decide whether to allow passage of a data packet and/or to make a call. There are two types of filter applications: data filtering and call filtering. Filters [...]

  • Page 97

    P312 Broadband Security Gateway 7-2 Filters 7.1.1 The Filter Structure of the Prestige A filter set consists of one or more filter rules. Usually, you would group related rules, e.g., all the rules for NetBIOS, into a single set and give it a descriptive name. The Prestige allows you to configure up to twelve filter sets with six rules in[...]

  • Page 98

    P312 Broadband Security Gateway Filters 7-3 [Flowchart. Node labels: Start; Packet into filter; Fetch First Filter Set; Fetch First Filter Rule; Active?; Execute Filter Rule; Fetch Next Filter Rule; Next Filter Rule Available?; Fetch Next Filter Set; Next Filter Set Available?; Accept Packet; Drop Packet. Rule outcomes: Forward, Drop, Check Next Rule.] Figure 7-2 Filter[...]

  • Page 99

    P312 Broadband Security Gateway 7-4 Filters 7.2 Configuring a Filter Set To configure a filter set, follow the procedure below. For more information on Menus 21.2 and 21.3, please see Part 4. Step 1. Select option 21. Filter Set Configuration from the Main Menu to open Menu 21. Figure 7-4 Menu 21 – Filter and Firewall Setup Ste[...]

  • Page 100

    P312 Broadband Security Gateway Filters 7-5 Figure 7-6 NetBIOS_WAN Filter Rules Summary Figure 7-7 NetBIOS_LAN Filter Rules Summary Figure 7-8 TEL_FTP_WEB_WAN Filter Rules Summary Menu 21.1.1 - Filter Rules Summary # A Type Filter Rules M m n - - ---- -------------------------------------------- --------- - - - 1 Y IP Pr=6, SA=0.0.0.0, DA=[...]

  • Page 101

    P312 Broadband Security Gateway 7-6 Filters 7.2.1 Filter Rules Summary Menu This screen shows the summary of the existing rules in the filter set. The following tables contain a brief description of the abbreviations used in the previous menus. Table 7-1 Abbreviations Used in the Filter Rules Summary Menu Abbreviations Description [...]

  • Page 102

    P312 Broadband Security Gateway Filters 7-7 The protocol dependent filter rule abbreviations are listed as follows: • If the filter type is IP, the abbreviations listed in the following table will be used. Table 7-2 Abbreviations Used If Filter Type Is IP Abbreviation Description Pr Protocol SA Source Address SP Source Port n[...]

  • Page 103

    P312 Broadband Security Gateway 7-8 Filters Figure 7-9 Menu 21.1.1.1 - TCP/IP Filter Rule The following table describes how to configure your TCP/IP filter rule. Table 7-4 TCP/IP Filter Rule Menu Fields Field Description Option Active This field activates/deactivates the filter rule. Yes/No IP Protocol Protocol refers to the upper la[...]

  • Page 104

    P312 Broadband Security Gateway Filters 7-9 Field Description Option don’t-care if it is 0. Destination: Port # Comp Select the comparison to apply to the destination port in the packet against the value given in Destination: Port #. None/Less/Greater/Equal/Not Equal Source: IP Address Enter the source IP Address of the pa[...]

  • Page 105

    P312 Broadband Security Gateway 7-10 Filters Field Description Option Once you have completed filling in Menu 21.1.1.1 - TCP/IP Filter Rule, press [Enter] at the message [Press Enter to Confirm] to save your configuration, or press [Esc] to cancel. This data will now be displayed on Menu 21.1.1 - Filter Rules Summary. The[...]

  • Page 106

    P312 Broadband Security Gateway Filters 7-11 [Flowchart. Node labels: Packet into IP Filter; Filter Active?; Check IP Protocol; Check Src IP Addr; Apply SrcAddrMask to Src Addr; More?; Action Matched; Action Not Matched; Accept Packet; Drop Packet. Branch labels: Matched, Not Matched, Yes, No. Rule outcomes: Forward, Drop, Check Next Rule.] Check Des[...]

  • Page 107

    P312 Broadband Security Gateway 7-12 Filters 7.2.4 Generic Filter Rule This section shows you how to configure a generic filter rule. The purpose of generic rules is to allow you to filter non-IP packets. For IP, it is generally easier to use the IP rules directly. For generic rules, the Prestige treats a packet as a byte stream as oppos[...]

  • Page 108

    P312 Broadband Security Gateway Filters 7-13 The following table describes the fields in the Generic Filter Rule Menu. Table 7-5 Generic Filter Rule Menu Fields Field Description Option Filter # This is the filter set, filter rule co-ordinates, i.e., 2,3 refers to the second filter set and the third rule of that set. Filter Type Use th[...]

  • Page 109

    P312 Broadband Security Gateway 7-14 Filters Drop Once you have completed filling in Menu 21.4.1.1 - Generic Filter Rule, press [Enter] at the message [Press Enter to Confirm] to save your configuration, or press [Esc] to cancel. This data will now be displayed on Menu 21.1.1 - Filter Rules Summary. 7.3 Example Filter Let’[...]

  • Page 110

    P312 Broadband Security Gateway Filters 7-15 Figure 7-13 Example Filter – Menu 21.1.1.1 When you press [Enter] to confirm, you will see the following screen. Note that there is only one filter rule in this set. Menu 21.1.1 - TCP/IP Filter Rule Filter #: 3,1 Filter Type= TCP/IP Filter Rule Active= Yes IP Protocol= 6 IP Source Route= No De[...]

  • Page 111

    P312 Broadband Security Gateway 7-16 Filters Figure 7-14 Example Filter Rules Summary – Menu 21.1.3 After you’ve created the filter set, you must apply it. Step 1. Enter 11 from the main menu to go to Menu 11. Step 2. Go to the Edit Filter Sets field, press the [SPACE BAR] to toggle Yes to No and press [ENTER]. Step 3. This bring[...]

  • Page 112

    P312 Broadband Security Gateway Filters 7-17 packets and after NAT for incoming packets. On the other hand, the generic, or device filters are applied to the raw packets that appear on the wire. They are applied at the point when the Prestige is receiving and sending the packets; i.e. the interface. The interface can be an Ethernet port or a[...]

  • Page 113

    P312 Broadband Security Gateway 7-18 Filters Figure 7-16 Filtering LAN Traffic 7.6.2 Remote Node Filters Go to Menu 11.5 (shown below – note that call filter sets are only present for PPPoE encapsulation) and enter the number(s) of the filter set(s) as appropriate. You can cascade up to four filter sets by entering their numbers separated [...]

  • Page 114

    P312 Broadband Security Gateway SNMP 8-1 Chapter 8 SNMP Configuration This chapter discusses SNMP (Simple Network Management Protocol) for network management and monitoring. 8.1 About SNMP Your Prestige supports SNMP agent functionality, which allows a manager station to manage and monitor the Prestige through the network. Kee[...]

  • Page 115

    P312 Broadband Security Gateway 8-2 SNMP The following table describes the SNMP configuration parameters. Table 8-1 SNMP Configuration Menu Fields Field Description Default Get Community Enter the get community, which is the password for the incoming Get- and GetNext- requests from the management station. public Set Community En[...]

  • Page 116

    P312 Broadband Security Gateway System Information & Diagnosis 9-1 Chapter 9 System Information & Diagnosis This chapter talks you through SMT Menus 24.1 to 24.4. This chapter covers the diagnostic tools that help you to maintain your Prestige. These tools include updates on system status, port status, log and trace capab[...]

  • Page 117

    P312 Broadband Security Gateway 9-2 System Information & Diagnosis 9.1 System Status The first selection, System Status, gives you information on the version of your system firmware and the status and statistics of the ports, as shown in the figure below. System Status is a tool that can be used to monitor yo[...]

  • Page 118

    P312 Broadband Security Gateway System Information & Diagnosis 9-3 The following table describes the fields present in Menu 24.1 - System Maintenance - Status. Table 9-1 System Maintenance - Status Menu Fields Field Description Port The WAN or LAN port. Status Shows the port speed and duplex setting if you’re using Ether[...]

  • Page 119

    P312 Broadband Security Gateway 9-4 System Information & Diagnosis 9.2 System Information and Console Port Speed This section describes your system and allows you to choose different console port speeds. To get to the System Information and Console Port Speed: Step 1. Enter 24 to go to Menu 24 – System Maintenance. Step[...]

  • Page 120

    P312 Broadband Security Gateway System Information & Diagnosis 9-5 Table 9-2 Fields in System Maintenance Field Description Name This is the Prestige's system name + domain name assigned in Menu 1. E.G., System Name= xxx; Domain Name= baboo.mickey.com Name= xxx.baboo.mickey.com Routing Refers to the routing prot[...]

  • Page 121

    P312 Broadband Security Gateway 9-6 System Information & Diagnosis 9.3.1 Viewing Error Log The first place you should look for clues when something goes wrong is the error/trace log. Follow the procedure below to view the local error/trace log: Step 1. Select option 24 from the Main Menu to open Menu 24 - System Maintenance. St[...]

  • Page 122

    P312 Broadband Security Gateway System Information & Diagnosis 9-7 Figure 9-8 Menu 24.3.2 - System Maintenance – UNIX Syslog You need to configure the UNIX syslog parameters described in the following table to activate syslog then choose what you want to log. Table 9-3 System Maintenance Menu Syslog Parameters Parameter Des[...]

  • Page 123

    P312 Broadband Security Gateway 9-8 System Information & Diagnosis 1. CDR CDR Message Format SdcmdSyslogSend( SYSLOG_CDR, SYSLOG_INFO, String ); String = board xx line xx channel xx, call xx, str board = the hardware board ID line = the WAN ID in a board Channel = channel ID within the WAN call = the call reference number which start[...]

  • Page 124

    P312 Broadband Security Gateway System Information & Diagnosis 9-9 Mar 03 10:39:43 202.132.155.97 ZyXEL: GEN[fffffffffffnordff0080] }S05>R01mF Mar 03 10:41:29 202.132.155.97 ZyXEL: GEN[00a0c5f502fnord010080] }S05>R01mF Mar 03 10:41:34 202.132.155.97 ZyXEL: IP[Src=192.168.2.33 Dst=202.132.155.93 ICMP]}S04>R01mF Mar 03 11:59:20 202.[...]

  • Page 125

    P312 Broadband Security Gateway 9-10 System Information & Diagnosis 9.3.3 Call-Triggering Packet Call-Triggering Packet displays information about the packet that triggered a dial-out call in an easy readable format. Equivalent information is available in Menu 24.1 in hex format. An example is shown next. Figure 9-9 Call-Trigg[...]

  • Page 126

    P312 Broadband Security Gateway System Information & Diagnosis 9-11 Figure 9-10 Menu 24.4 - System Maintenance - Diagnostic Follow the procedure below to get to Menu 24.4 - System Maintenance – Diagnostic. Step 1. From the Main Menu, select option 24 to open Menu 24 - System Maintenance. Step 2. From this menu, select [...]

  • Page 127

    P312 Broadband Security Gateway 9-12 System Information & Diagnosis Figure 9-11 WAN & LAN DHCP The following table describes the diagnostic tests available in Menu 24.4 for your Prestige and the connections. Table 9-4 System Maintenance Menu Diagnostic Number Field Description 1 Ping Host Enter 1 to ping any machine (wit[...]

  • Page 128

    P312 Broadband Security Gateway Transferring Files 10-1 Chapter 10 Transferring Files This chapter tells you how to back up and restore your configuration file as well as upload new firmware and a new configuration file. 10.1 Filename conventions The configuration file (often called the rom file or rom-0) contains the factory defau[...]

  • Page 129

    P312 Broadband Security Gateway 10-2 Transferring Files Table 10-1 Filename Conventions File Type Internal Name External Name Description AT Command Configuration File Rom-0 *.rom This is the router configuration filename on the Prestige. Uploading the rom-0 file replaces the entire ROM file system, including your Prestige configu[...]

  • Page 130

    P312 Broadband Security Gateway Transferring Files 10-3 10.3 Restore Configuration Menu 24.6 -- System Maintenance - Restore Configuration allows you to restore the configuration via the console port. FTP and TFTP are the preferred methods for restoring your current workstation configuration to your Prestige since FTP and TFTP a[...]

  • Page 131

    P312 Broadband Security Gateway 10-4 Transferring Files Step 4. After successful firmware upload, enter atgo to restart the Prestige. Figure 10-4 Menu 24.7.1 - System Maintenance - Upload Router Firmware 10.4.2 Uploading Router Configuration File The configuration data, system-related data, the error log and the trace log are all stor[...]

  • Page 132

    P312 Broadband Security Gateway Transferring Files 10-5 Figure 10-5 Menu 24.7.2 - System Maintenance - Upload Router Configuration File 10.5 TFTP File Transfer In addition to the direct console port connection, the Prestige supports the up/downloading of the firmware and the configuration file using TFTP (Trivial File Transfer Pr[...]

  • Page 133

    P312 Broadband Security Gateway 10-6 Transferring Files Note: If you upload the firmware to the Prestige, it will reboot automatically when the file transfer is completed (the SYS LED will flash). Note that the telnet connection must be active and the SMT in CI mode before and during the TFTP transfer. For details on TFTP[...]

  • Page 134

    P312 Broadband Security Gateway Transferring Files 10-7 10.6 FTP File Transfer In addition to uploading the firmware and configuration via the console port and TFTP client, you can also upload the Prestige firmware and configuration files using FTP. To use this feature, your workstation must have an FTP client. When you telnet into the[...]

  • Page 135

    P312 Broadband Security Gateway 10-8 Transferring Files Figure 10-7 Telnet into Menu 24.7.2 - System Maintenance To transfer the firmware and the configuration file, follow these examples: 10.6.1 Using the FTP command from the DOS Prompt Step 1. Launch the FTP client on your workstation. Step 2. Type open and the IP address of y[...]

  • Page 136

    P312 Broadband Security Gateway Transferring Files 10-9 Figure 10-8 FTP Session Example The system reboots after a successful upload. The following table describes some of the fields that you may see in third party FTP clients. Table 10-3 Third Party FTP Clients – General fields Host Address Enter the address of the host se[...]

  • Page 137

    [...]

  • Page 138

    P312 Broadband Security Gateway System Maintenance & Information 11-1 Chapter 11 System Maintenance & Information This chapter leads you through SMT menus 24.8 to 24.11. 11.1 Command Interpreter Mode The Command Interpreter (CI) is a part of the main router firmware. The CI provides much of the same functionality as [...]

  • Page 139

    P312 Broadband Security Gateway 11-2 System Maintenance & Information 11.2 Call Control Support The Prestige provides two call control functions: budget management and call history. Please note that this menu is only applicable when Encapsulation is set to PPPoE or PPTP in Menu 4 or Menu 11.1. The budget management function al[...]

  • Page 140

    P312 Broadband Security Gateway System Maintenance & Information 11-3 The total budget is the time limit on the accumulated time for outgoing calls to a remote node. When this limit is reached, the call will be dropped and further outgoing calls to that remote node will be blocked. After each period, the total budget is rese[...]

  • Page 141

    P312 Broadband Security Gateway 11-4 System Maintenance & Information Table 11-2 Call History Fields Field Description Phone Number The PPPoE service names are shown here. Dir This shows whether the call was incoming or outgoing. Rate This is the transfer rate of the call. #call This is the number of calls made to or[...]

  • Page 142

    P312 Broadband Security Gateway System Maintenance & Information 11-5 Figure 11-6 System Maintenance – Time and Date Setting Table 11-3 Time and Date Setting Fields Field Description Use Time Server when Bootup= Enter the time service protocol that your timeserver will send when the Prestige powers up. Choices are Day[...]

  • Page 143

    P312 Broadband Security Gateway 11-6 System Maintenance & Information zone and Greenwich Mean Time (GMT). Be aware if/when daylight savings time alters this time difference for your time zone. Once you have filled in the new time and date, press [Enter] to save the setting and press [Esc] to return to Menu 24. 11.[...]

  • Page 144

    P312 Broadband Security Gateway System Maintenance & Information 11-7 Table 11-4 Menu 24.11 - Remote Management Control Field Description Option FTP service active Press the [SPACE BAR] to toggle Yes to No and press [Enter] to disable all FTP activity (both LAN and WAN). Yes No Telnet service active Press the [SPACE BAR] to togg[...]

  • Page 145

    P312 Broadband Security Gateway 11-8 System Maintenance & Information Figure 11-9 Boot Module Commands ======= Debug Command Listing ======= AT just answer OK ATHE print help ATBAx change baudrate. 1:38.4k, 2:19.2k, 3:9.6k 4:57.6k 5:115.2k ATENx,(y) set BootExtension Debug Flag (y=password) ATSE show the seed of password generator ATT[...]

  • Page 146

    P312 Broadband Security Gateway Telnet 12-1 Chapter 12 Telnet Configuration and Capabilities This chapter covers the Telnet Configuration and Capabilities of the Prestige. 12.1 About Telnet Configuration Before the Prestige is properly setup for TCP/IP, the only option for configuring it is through the console port. Once yo[...]

  • Page 147

    P312 Broadband Security Gateway 12-2 Telnet 12.3.2 System Timeout There is a system timeout of 5 minutes (300 seconds) for either the console port or telnet. Your Prestige will automatically log you out if you do nothing in this timeout period, except when it is continuously updating the status in Menu 24.1 or when "sys[...]

  • Page 148

    Firewall and Content Filters IV Part IV: Firewall and Content Filters Chapters 13 – 20 describe types of firewalls, how to configure your Prestige firewall using the Prestige Web Configurator, as well as types of Denial of Services (DoS) attacks and Content Filtering.[...]

  • Page 149

    P312 Broadband Security Gateway What Is a Firewall? 13-1 Chapter 13 What is a Firewall This chapter gives some background information on firewalls. Originally, the term firewall referred to a construction technique designed to prevent the spread of fire from one room to another. The network term firewall is typically def[...]

  • Page 150

    P312 Broadband Security Gateway 13-2 What Is a Firewall? needed to filter application traffic and direct it to a number of specific systems. The router need only allow application traffic destined for the application gateway and reject the rest. 13.1.3 Stateful Inspection firewalls Stateful Inspection firewalls restrict access by screening [...]

  • Page 151

    P312 Broadband Security Gateway What Is a Firewall? 13-3 Figure 13-1 Prestige Firewall Application 13.3 Denial of Service Denials of Service (DoS) attacks are aimed at devices and networks with a connection to the Internet. Their goal is not to steal information, but to disable a device or network so users no longer have access to ne[...]

  • Page 152

    P312 Broadband Security Gateway 13-4 What Is a Firewall? Table 13-1 Common IP Ports 21 FTP 53 DNS 23 Telnet 80 HTTP 25 SMTP 110 POP3 13.3.2 Types of DoS attacks There are four types of DoS attacks: 1. Those that exploit bugs in a TCP/IP implementation. 2. Those that exploit weaknesses in the TCP/IP specification. 3. Brute-force attacks[...]

  • Page 153

    P312 Broadband Security Gateway What Is a Firewall? 13-5 Under normal circumstances, the application that initiates a session sends a SYN (synchronize) packet to the receiving server. The receiver sends back an ACK (acknowledgment) packet and its own SYN, and then the initiator responds with an ACK (acknowledgment). After this handsha[...]

  • Page 154

    P312 Broadband Security Gateway 13-6 What Is a Firewall? Figure 13-4 Smurf Attack 4. Often, many DoS attacks also employ a technique known as "IP Spoofing" as part of their attack. IP Spoofing may be used to break into systems, to hide the hacker's identity, or to magnify the effect of the DoS attack. IP Spoofing is a[...]

  • Page 155

    P312 Broadband Security Gateway What Is a Firewall? 13-7 Figure 13-5 Stateful Inspection Figure 13-5 shows the Prestige’s default firewall rules in action as well as demonstrates how stateful inspection works. User A can initiate a Telnet session from within the LAN and responses to this request are allowed. However other Telnet traf[...]

  • Page 156

    P312 Broadband Security Gateway 13-8 What Is a Firewall? 7. The packet is inspected by a firewall rule, and the connection's state table entry is updated as necessary. Based on the updated state information, the inbound extended access list temporary entries might be modified, in order to permit only packets that are valid for the cu[...]

  • Page 157

    P312 Broadband Security Gateway What Is a Firewall? 13-9 When any subsequent packet hits the box (from the Internet or from the LAN), its connection information is extracted and checked against the cache. A packet is only allowed to pass through if it corresponds to a valid connection (that is, if it is a response to a connection which[...]

  • Page 158

    P312 Broadband Security Gateway 13-10 What Is a Firewall? 3. Limit who can Telnet into your router. 4. Don't enable any local service (such as SNMP or NTP) that you don't use. Any enabled service could present a potential security risk. A determined, hostile party might be able to find creative ways to misuse the enabled ser[...]

  • Page 159

    P312 Broadband Security Gateway What Is a Firewall? 13-11 12. Always shred confidential information, particularly about your computer, before throwing it away. Some hackers dig through the trash of companies or individuals for information that might help them in a social intrusion.[...]

  • Page 160

    [...]

  • Page 161

    P312 Broadband Security Gateway Introducing the Prestige Firewall 14-1 Chapter 14 Introducing the Prestige Firewall This chapter shows you how to get started with the Prestige Firewall. Please see Chapter 13 for some background information on firewalls. 14.1 SMT Menus From the Main Menu (see below) enter 21 to go to Menu 21 - Filter[...]

  • Page 162

    P312 Broadband Security Gateway 14-2 Introducing the Prestige Firewall Figure 14-3 Menu 21.2 – Firewall Setup Please note that you can only configure the firewall rules using the Prestige Web Configurator or CLI commands. 14.1.1 View Firewall Log Enter 3 from menu 21 to view the firewall log. Firewall logs may also be vie[...]

  • Page 163

    P312 Broadband Security Gateway Introducing the Prestige Firewall 14-3 ICMP Echo A brute-force attack, such as a "Smurf" attack, targets a feature in the IP specification known as directed or subnet broadcasting, to quickly flood the target network with useless data. A Smurf hacker floods a router with Internet Control Mes[...]

  • Page 164

    P312 Broadband Security Gateway 14-4 Introducing the Prestige Firewall Traceroute Traceroute is a utility used to determine the path a packet takes between two endpoints. Sometimes when a packet filter firewall is configured incorrectly an attacker can traceroute the firewall gaining knowledge of the network topology inside the [...]

  • Page 165

    P312 Broadband Security Gateway Introducing the Prestige Firewall 14-5 Table 14-4 View Firewall Log Field Description # This is the index number of the firewall log. 128 entries are available numbered from 0 to 127. Once they are all used, the log will wrap around and the old logs will be lost. mm:dd:yy e.g., Jan 1 70 Time This is[...]

  • Page 166

    P312 Broadband Security Gateway 14-6 Introducing the Prestige Firewall Figure 14-5 Big Picture - Filtering, Firewall and NAT 14.3 Packet Filtering Vs Firewall Below are some comparisons between the Prestige’s filtering and firewall functions. 14.3.1 Packet Filtering: • The router filters packets as they pass through the router’s int[...]

  • Page 167

    P312 Broadband Security Gateway Introducing the Prestige Firewall 14-7 When To Use Filtering 1. To block/allow LAN packets by their MAC address. 2. To block/allow special IP packets which are neither TCP, UDP, nor ICMP packets. 3. To block/allow both inbound (WAN to LAN) and outbound (LAN to WAN) traffic between the specific insi[...]

  • Page 168

    [...]

  • Page 169

    P312 Broadband Security Gateway Introducing the Prestige Web Configurator 15-1 Chapter 15 Introducing the Prestige Web Configurator This chapter shows you how to configure your firewall with the Web Configurator. 15.1 Web Configurator Login and Welcome Screens Launch your web browser and enter 192.168.1.1 as the URL. This is the [...]

  • Page 170

    P312 Broadband Security Gateway 15-2 Introducing the Prestige Web Configurator Figure 15-2 Prestige Web Configurator Welcome Screen 15.2 Enabling the Firewall Click Firewall, then Configuration, then the Rule Config tab to enable the firewall as seen in the following screen.[...]

  • Page 171

    P312 Broadband Security Gateway Introducing the Prestige Web Configurator 15-3 Figure 15-3 Enabling the Firewall 15.3 E-Mail This screen allows you to specify your mail server, where e-mail alerts should be sent as well as when and how often they should be sent. 15.3.1 What are Alerts? Alerts are reports on events such as attacks, wh[...]

  • Page 172

    P312 Broadband Security Gateway 15-4 Introducing the Prestige Web Configurator To field and schedule times for sending alerts in the Alert Timer fields in the E-Mail screen (following screen). 15.3.2 What are Logs? A log is a detailed record that you create for packets that either match a rule, don’t match a rule or both when you [...]

  • Page 173

    P312 Broadband Security Gateway Introducing the Prestige Web Configurator 15-5 Table 15-1 E-Mail Field Description Options Address Information Mail Server Enter the IP address of your mail server in dot decimal format. Your Internet Service Provider (ISP) should be able to provide this information. If this field is left blank,[...]

  • Page 174

    P312 Broadband Security Gateway 15-6 Introducing the Prestige Web Configurator 15.3.3 SMTP Error Messages If there are difficulties in sending e-mail the following error messages appear. Please see the Support Notes on the accompanying CD for information on other types of error messages. E-mail error messages appear as "SMTP a[...]

  • Page 175

    P312 Broadband Security Gateway Introducing the Prestige Web Configurator 15-7 Figure 15-5 E-Mail Log 15.4 Attack Alert In this screen you may choose to generate an alert whenever an attack is detected. For DoS attacks, the Prestige uses thresholds to determine when to drop sessions that do not become fully established. These thre[...]

  • Page 176

    P312 Broadband Security Gateway 15-8 Introducing the Prestige Web Configurator You can use the default threshold values, or you can change them to values more suitable to your security requirements. 15.4.1 Threshold Values: You really just need to tune these parameters when something is not working and after you have checked the firewall [...]

  • Page 177

    P312 Broadband Security Gateway Introducing the Prestige Web Configurator 15-9 The Prestige deletes the oldest existing half-open session for the host for every new connection request to the host. This ensures that the number of half-open sessions to a given host will never exceed the threshold. 2. If the Blocking Time timeout is gr[...]

  • Page 178

    P312 Broadband Security Gateway 15-10 Introducing the Prestige Web Configurator Table 15-3 Attack Alert Field Description Default Values Generate alert when attack detected A detected attack automatically generates a log entry. Check this box to generate an alert (as well as a log) whenever an attack is detected. See section 15.[...]

  • Page 179

    P312 Broadband Security Gateway Introducing the Prestige Web Configurator 15-11 Field Description Default Values rises above this number, the Prestige deletes half-open sessions as required to accommodate new connection requests. Do not set Maximum Incomplete High to lower than the current Max-Incomplete Low number. half-open s[...]

  • Page 180

    [...]

  • Page 181

    P312 Broadband Security Gateway Creating Custom Rules 16-1 Chapter 16 Creating Custom Rules 16.1 Rules Overview Firewall rules are subdivided into “Local Network” and “Internet”. By default, the Prestige’s stateful packet inspection allows all communications to the Internet that originate from the local network, and blocks all [...]

  • Page 182

    P312 Broadband Security Gateway 16-2 Creating Custom Rules 5. What computers on the LAN are to be affected (if any)? 6. What computers on the Internet will be affected? The more specific, the better. For example, if traffic is being allowed from the Internet to the LAN, it is better to allow only certain machines on the Internet to access th[...]

  • Page 183

    P312 Broadband Security Gateway Creating Custom Rules 16-3 16.3 Connection Direction This section talks about configuring firewall rules for connections going from LAN to WAN and WAN to LAN in your firewall. 16.3.1 LAN to WAN Rules The default rule for LAN to WAN traffic is that all users on the LAN are allowed non-restrict[...]

  • Page 184

    P312 Broadband Security Gateway 16-4 Creating Custom Rules Figure 16-2 WAN to LAN Traffic 16.4 Services Supported The list box in the Rule Config(uration) screen (see Figure 16-4) displays all services that the Prestige supports. Custom services may also be configured using the Custom Ports function discussed later. Next to the name o[...]

  • Page 185

    P312 Broadband Security Gateway Creating Custom Rules 16-5 Table 16-1 Services Supported SERVICE DESCRIPTION BGP(TCP:179) Border Gateway Protocol BOOTP_CLIENT(UDP:68) DHCP Client BOOTP_SERVER(UDP:67) DHCP Server CU-SEEME(TCP/UDP:7648, 24032) A popular videoconferencing solution from White Pines Software. DNS(UDP/TCP:53) Domain Nam[...]

  • Page 186

    P312 Broadband Security Gateway 16-6 Creating Custom Rules 16.5 Rule Summary The fields in the Rule Summary screens are the same for Local Network and Internet, so the discussion below refers to both. Click on Firewall, then Local Network to bring up the following screen. This screen is a summary of the existing rules. Note the o[...]

  • Page 187

    P312 Broadband Security Gateway Creating Custom Rules 16-7 Table 16-2 Firewall Rules Summary – First Screen Field Description Option General Name This is the name of the firewall rule set. Default Permit Log Check this box to log all matched rules in the ACL default set. The default action for packets not matching following rules[...]

  • Page 188

    P312 Broadband Security Gateway 16-8 Creating Custom Rules Field Description Option section 16.5.1 for more details. Delete Press this button to delete an existing firewall rule. Note that subsequent firewall rules move up by one when you take this action. Move Rule You may reorder your rules using this function. Select by cli[...]

  • Page 189

    P312 Broadband Security Gateway Creating Custom Rules 16-9 Figure 16-4 Creating/Editing A Firewall Rule Table 16-3 Creating/Editing A Firewall Rule Field Description Option Source Address Press SrcAdd to add a new address, SrcEdit to edit an existing one or SrcDelete to delete one. Please see the next section for more information o[...]

  • Page 190

    P312 Broadband Security Gateway 16-10 Creating Custom Rules Field Description Option from the Available Services box on the left, then press >> to select it. The selected service shows up on the Selected Services box on the right. To remove a service, click on it in the Selected Services box on the right, then press <&l[...]

  • Page 191

    P312 Broadband Security Gateway Creating Custom Rules 16-11 Figure 16-5 Adding/Editing Source & Destination Addresses Table 16-4 Adding/Editing Source & Destination Addresses Field Description Option Address Type Do you want your rule to apply to packets with a particular (single) IP, a range of IP addresses (e.g., 192.16 [...]

  • Page 192

    P312 Broadband Security Gateway 16-12 Creating Custom Rules When you have finished, click Apply to save your customized settings and exit this screen, Cancel to exit this screen without saving, or Help for online HTML help on fields in this screen. 16.6 Timeout The fields in the Timeout screens are the same for Local and Int[...]

  • Page 193

    P312 Broadband Security Gateway Creating Custom Rules 16-13 Figure 16-6 Timeout Screen[...]

  • Page 194

    P312 Broadband Security Gateway 16-14 Creating Custom Rules Table 16-5 Timeout Menu Field Description Default Value TCP Timeout Values Connection Timeout This is the length of time the Prestige waits for a TCP session to reach the established state before dropping the session. 30 seconds FIN-Wait Timeout This is the length o[...]

  • Page 195

    P312 Broadband Security Gateway Custom Ports 17-1 Chapter 17 Custom Ports 17.1 Introduction You will need to configure customized ports for services not included in the services provided in the scrolling list box in the screen shown in Figure 16-4. For further information on these services, please read section 16.4. To configure a cu[...]

  • Page 196

    P312 Broadband Security Gateway 17-2 Custom Ports Table 17-1 Custom Ports Field Description Customized Services No This is the number of your customized port. Name This is the name of your customized port. Protocol This shows the IP protocol (TCP, UDP or Both) that defines your customized port. Port This is the port number or[...]

  • Page 197

    P312 Broadband Security Gateway Custom Ports 17-3 Figure 17-2 Creating/Editing A Custom Port The next table describes the fields in this screen.[...]

  • Page 198

    P312 Broadband Security Gateway 17-4 Custom Ports Table 17-2 Creating/Editing A Custom Port Field Description Option Service Name Enter a unique name for your custom port. Service Type Choose the IP port (TCP, UDP or Both) that defines your customized port from the drop down list box. TCP UDP Both Port Configuration Type Click [...]

  • Page 199

    P312 Broadband Security Gateway Logs 18-1 Chapter 18 Logs 18.1 Log Screen When you configure a new rule you also have the option to log events that match, don’t match (or both) this rule (see Figure 16-4). Click on the Logs to bring up the next screen. Firewall logs may also be viewed in SMT Menu 21.3 (see section 14.1.1) o[...]

  • Page 200

    P312 Broadband Security Gateway 18-2 Logs Table 18-1 Log Screen Field Description No. This is the index number of the firewall log. 128 entries are available numbered from 0 to 127. Once they are all used, the log will wrap around and the old logs will be lost. dd:mm:yy e.g., Jan 1 0 Time This is the time the log was recorded in this[...]

  • Page 201

    P312 Broadband Security Gateway Logs 18-3 Field Description When you have finished viewing this screen, click another link to exit.[...]

  • Page 202

    [...]

  • Page 203

    P312 Broadband Security Gateway Example Firewall Rules 19-1 Chapter 19 Example Firewall Rules 19.1 Examples Please note that whenever you open a hole in the firewall to forward a service from the Internet to the local network, and NAT is also enabled, you may have to also configure a server behind NAT using SMT menu 15.2. Please [...]

  • Page 204

    P312 Broadband Security Gateway 19-2 Examples Firewall Rules Figure 19-1 Activate The Firewall Step 2. Now we configure our E-mail screen as follows. Click the E-Mail tab to bring up the next screen. Check here to activate the firewall. You may also activate the firewall in SMT menu 21.2.[...]

  • Page 205

    P312 Broadband Security Gateway Example Firewall Rules 19-3 Figure 19-2 Example 1 – E-Mail Screen Step 3. Now we configure our firewall rule as shown in the following screen. The default firewall blocks all Internet traffic entering our local network, but we want to create a hole for web service from the Internet. Go to the Rule S[...]

  • Page 206

    P312 Broadband Security Gateway 19-4 Examples Firewall Rules Figure 19-3 Example 1 – Configuring A Rule This is an Internet to Local Network rule. Click DestAdd to configure the destination address as the IP of our server on the LAN. See the next screen. Click this button when you have finished editing screens. Select this service (web [...]

  • Page 207

    P312 Broadband Security Gateway Example Firewall Rules 19-5 Figure 19-4 Example 1: Destination Address for Traffic Originating From The Internet 10.100.1.2 is the IP of our server on the LAN (supporting FTP, HTTP, Telnet and mail services) to which we wish to forward traffic originating from the Internet.[...]

  • Page 208

    P312 Broadband Security Gateway 19-6 Examples Firewall Rules Figure 19-5 Example 1 - Rule Summary Screen 19.1.2 Example 2 – Small Office With Mail, FTP and Web Servers Our small office has: i. A mail server with an IP of 192.168.10.2. ii. Two FTP servers. We want FTP server One (IP of 192.168.10.3) to be accessible from the [...]

  • Page 209

    P312 Broadband Security Gateway Example Firewall Rules 19-7 Step 1. First we want to send alerts when there is an attack. Go to the Attack Alert screen (click Configuration, then the Attack Alert tab) shown next. Figure 19-6 Send Alerts When Attacked Step 2. Configure the E-Mail screen as shown in example 1 – our mail server’s IP[...]

  • Page 210

    P312 Broadband Security Gateway 19-8 Examples Firewall Rules Figure 19-7 Configuring A POP Custom Port Step 4. Now, we will create rules to block all outgoing traffic (from the local network to the Internet) except for traffic originating from the HTTP proxy server and our mail server. Click Internet to see the Rule Summary screen. Now cli[...]

  • Page 211

    P312 Broadband Security Gateway Example Firewall Rules 19-9 Figure 19-8 Example 2 - Local Network Rule 1 Configuration Step 6. Similarly configure another local network to Internet rule allowing traffic from our web (HTTP) proxy server. Step 7. The Rule Summary screen should look like Figure 19-9. Don’t forget to click Apply whe [...]

  • Page 212

    P312 Broadband Security Gateway 19-10 Examples Firewall Rules Figure 19-9 Example 2 - Local Network Rule Summary Step 8. Now we want an FTP server (IP of 192.168.10.3) to be accessible from the Internet. Remember the default Internet to Local Network ACL set blocks all traffic from the Internet, so we want to create a hole for this s[...]

  • Page 213

    P312 Broadband Security Gateway Example Firewall Rules 19-11 Figure 19-10 Example 2 - Internet to Local Network Rule Summary 19.1.3 Example 3: DHCP Negotiation and Syslog Connection from the Internet The following are some Internet firewall rules examples to: 1. Allow DHCP negotiation between the ISP and the P312. 2. Allow a syslog[...]

  • Page 214

    P312 Broadband Security Gateway 19-12 Examples Firewall Rules Figure 19-11 Custom Port for Syslog Step 2. Follow the procedures outlined in the previous examples to configure all your rules. When finished, your rule summary screen should look like the following. Custom ports show up with an “*” before their names in the Serv[...]

  • Page 215

    P312 Broadband Security Gateway Example Firewall Rules 19-13 Figure 19-12 Syslog Rule Configuration This is our Syslog custom port. Click Apply when finished. This is the address range of the syslog servers.[...]

  • Page 216

    P312 Broadband Security Gateway 19-14 Examples Firewall Rules Figure 19-13 Example 3 Rule Summary Rule 1: Allow DHCP negotiation between the ISP and the P312. Rule 2: Allow a syslog connection from the WAN. Click Apply to save your settings back to the Prestige.[...]

  • Page 217

    P312 Broadband Security Gateway Content Filtering 20-1 Chapter 20 Content Filtering The Prestige can block web features such as ActiveX controls, Java applets, cookies as well as disable web proxies. The Prestige can also block specific URLs by using the keyword feature. Please note that content filtering means the ability to block ce[...]

  • Page 218

    P312 Broadband Security Gateway 20-2 Content Filtering 20.1.3 Cookies Cookies are used by Web servers to track usage. Cookies provide service based on ID. Unfortunately, cookies can be programmed not only to identify the visitor to the site, but also to track that visitor's activities. Because they represent a potential loss of pri[...]

  • Page 219

    P312 Broadband Security Gateway Content Filtering 20-3 Figure 20-1 Content Filtering Screen Table 20-1 Content Filtering Fields Field Description Restrict Web Features Check the box(es) to restrict that feature. When you download a page containing a restricted feature, that part of the web page will appear blank or grayed out. Blo[...]

  • Page 220

    Troubleshooting, Appendices, Glossary and Index V Part V: Troubleshooting, Appendices, Glossary and Index Chapter 21 provides information about solving common problems, followed by some Appendices, a Glossary of Terms and an Index.[...]

  • Page 221

    [...]

  • Page 222

    P312 Broadband Security Gateway Troubleshooting 21-1 Chapter 21 Troubleshooting This chapter covers the potential problems you may run into and the possible remedies. After each problem description, some instructions are provided to help you to diagnose and to solve the problem. Please see our supporting disk for further infor[...]

  • Page 223

    P312 Broadband Security Gateway 21-2 Troubleshooting 21.2 Problems with the LAN Interface Table 21-2 Troubleshooting the LAN Interface Problem Corrective Action Check the 10M/100M LEDs on the front panel. One of these LEDs should be on. If they are both off, check the cables between your Prestige and hub or the station. Can’t p[...]

  • Page 224

    P312 Broadband Security Gateway Troubleshooting 21-3 21.4 Problems with Internet Access Table 21-4 Troubleshooting Internet Access Problem Corrective Action Connect your Cable/xDSL modem with the Prestige using appropriate cable. Check with the manufacturer of your Cable/xDSL modem about the cable requirement because for s[...]

  • Page 225

    [...]

  • Page 226

    P312 Broadband Security Gateway PPPoE E Appendix A PPPoE PPPoE in Action An ADSL modem bridges a PPP session over Ethernet (PPP over Ethernet, RFC 2516) from your PC to an ATM PVC (Permanent Virtual Circuit) which connects to a xDSL Access Concentrator where the PPP session terminates (see the next figure). One PVC can support a[...]

  • Page 227

    P312 Broadband Security Gateway PPPoE F How PPPoE Works The PPPoE driver makes the Ethernet appear as a serial link to the PC and the PC runs PPP over it, while the modem bridges the Ethernet frames to the Access Concentrator (AC). Between the AC and an ISP, the AC is acting as a L2TP (Layer 2 Tunneling Protocol) LAC [...]

  • Page 228

    P312 Broadband Security Gateway PPTP G Appendix B PPTP What is PPTP? PPTP (Point-to-Point Tunneling Protocol) is a Microsoft proprietary protocol (RFC 2637 for PPTP is informational only) to tunnel PPP frames. How can we transport PPP frames from a PC to a broadband modem over Ethernet? A solution is to build PPTP into the[...]

  • Page 229

    P312 Broadband Security Gateway PPTP H PNS and the PAC must have IP connectivity; however, the PAC must in addition have dial-up capability. The phone call is between the user and the PAC and the PAC tunnels the PPP frames to the PNS. The PPTP user is unaware of the tunnel between the PAC and the PNS. Microsoft includ[...]

  • Page 230

    P312 Broadband Security Gateway Hardware Specifications I Appendix C Hardware Specifications Power Specification I/P AC 120V / 60Hz; O/P DC 12V 1200 mA MTBF 100000 hrs Operation Temperature 0º C ~ 40º C Ethernet Specification for WAN 10Mbit Half Duplex Ethernet Specification for LAN 10/100 Mbit Half / Full Auto-negotiation C[...]

  • Page 231

    P312 Broadband Security Gateway J Safety Instructions Appendix D Important Safety Instructions The following safety instructions apply to the Prestige: 1. Be sure to read and follow all warning notices and instructions. 2. The maximum recommended ambient temperature for the Prestige is 40º(104º). Care must be taken to allow sufficien[...]

  • Page 232

    P312 Broadband Security Gateway CLI Commands K Appendix E Firewall CLI Commands The following table describes the syntax used to configure your firewall using Command Line Interface (CLI) commands. Select option 24.8 Command Interpreter Mode from the Main Menu to go into CLI mode. For details on other CLI commands to c[...]

  • Page 233

    P312 Broadband Security Gateway L CLI Commands Function CLI Syntax Description config edit firewall e-mail email-to <e-mail address> Edits the mail address which you want to send the alert to config edit firewall e-mail policy <full | hourly | daily | weekly> Edits whether the current firewall traffic log contents are sent thro[...]

  • Page 234

    P312 Broadband Security Gateway CLI Commands M Function CLI Syntax Description config edit firewall set <set #> default-permit <forward | block> Edits whether a packet is dropped or allowed through, when it does not meet a rule within the set config edit firewall set <set #> icmp-timeout <seconds> Edits the time limit[...]

  • Page 235

    P312 Broadband Security Gateway N CLI Commands Function CLI Syntax Description config edit firewall set <set #> rule <rule #> srcaddr-subnet <ip address> <subnet mask> Selects and edits a source address and subnet mask of traffic which comply to this rule config edit firewall set <set #> rule <rule #>[...]

  • Page 236

    P312 Broadband Security Gateway CLI Commands O Function CLI Syntax Description Delete config delete firewall e-mail Removes all the settings for e-mail alert config delete firewall attack Resets all the settings for attack to default setting config delete firewall set <set #> Removes the specified set from the f[...]

  • Page 237

    P312 Broadband Security Gateway P Power Adapter Specifications Appendix F Power Adapter Specs AC Power Adapter Specifications North America AC Power Adapter model MW48-1201200 Input power: AC120Volts/60Hz Output power: DC12Volts/1.2A Power consumption: 9 W Plug: North American standards Safety standards: UL, CUL (UL 1310, CSA [...]

  • Page 238

    P312 Broadband Security Gateway Power Adapter Specifications Q Japan AC Power Adapter model JOD-48-1124 Input power: AC100Volts/ 50/60Hz/ 27VA Output power: DC12Volts/1.2A Power consumption: 9 W Plug: Japan standards Safety standards: T-Mark Australia and New Zealand AC Power Adapter model AD-1201200DS Input power: AC240Volts/ 5[...]

  • Page 239

    P312 Broadband Security Gateway R Glossary Glossary of Terms 10BaseT The 10-Mbps baseband Ethernet specification that uses two pairs of twisted-pair cabling (Category 3 or 5): one pair for transmitting data and the other for receiving data. ARP Address Resolution Protocol is a protocol for mapping an Internet Protocol a[...]

  • Page 240

    P312 Broadband Security Gateway Glossary S Cookie A string of characters saved by a web browser on the user's hard disk. Many web pages send cookies to track specific user information. Cookies can be used to retain information as the user browses a web site. For example, cookies are used to 'remember' the[...]

  • Page 241

    P312 Broadband Security Gateway T Glossary Digital Signature Digital code that authenticates whomever signed the document or software. Software, messages, Email, and other electronic documents can be signed electronically so that they cannot be altered by anyone else. If someone alters a signed document, the signature is[...]

  • Page 242

    P312 Broadband Security Gateway Glossary U Events These are network activities. Some activities are direct attacks on your system, while others might be depending on the circumstances. Therefore, any activity, regardless of severity is called an event. An event may or may not be a direct attack on your system. FAQ (Freq[...]

  • Page 243

    P312 Broadband Security Gateway V Glossary Integrity Proof that the data is the same as originally intended. Unauthorized software or people have not altered the original information. internet (Lower case i) Any time you connect 2 or more networks together, you have an internet. Internet (Upper case I) The vast collection of [...]

  • Page 244

    P312 Broadband Security Gateway Glossary W as a stream of bits. Name Resolution The allocation of an IP address to a host name. See DNS NAT Network Address Translation is the translation of an Internet Protocol address used within one network to a different IP address known within another network - see also SUA. NDIS Ne[...]

  • Page 245

    P312 Broadband Security Gateway X Glossary Plain Text The opposite of Cipher Text, Plain Text is readable by anyone. Prestige Web Configurator This is a web-based Prestige router (not all) configurator that includes an Internet Access Wizard, Advanced and Firewall (not all Prestige models) configurations. POP Post Office P[...]

  • Page 246

    P312 Broadband Security Gateway Glossary Y system, meaning that an end-to-end private circuit is established between caller and callee. Public Key Encryption System of encrypting electronic files using a key pair. The key pair contains a public key used during encryption, and a corresponding private key used during decryp[...]

  • Page 247

    P312 Broadband Security Gateway Z Glossary SPAM Unwanted e-mail, usually in the form of advertisements. Spoofing To forge something, such as an IP address. IP Spoofing is a common way for hackers to hide their location and identity SSL (Secured Socket Layer) Technology that allows you to send information that only the server ca[...]

  • Page 248

    P312 Broadband Security Gateway Glossary AA on a host system. Objects include directories and an assortment of file types, including text files, graphics, video, and audio. A URL is the address of an object that is normally typed in the Address field of a Web browser. The URL is basically a pointer to the location of[...]

  • Page 249

    [...]

  • Page 250

    P312 Broadband Security Gateway Index CC Index A Action for Matched Packets 16-10; Activate The Firewall 19-2; ActiveX 20-1; Add Keyword 20-3; Alert Schedule [...]

  • Page 251

    P312 Broadband Security Gateway DD Index Encapsulation PPP over Ethernet E; Ethernet Encapsulation 3-8, 4-1, 4-5, 4-6, 4-10, 6-11, 6-12; Example E-Mail Log 15-6; Examples 19-1; F Factory Default [...]

  • Page 252

    P312 Broadband Security Gateway Index EE L LAN Setup 2-6, 2-11, 2-12, 3-4, 3-5; LAN to WAN Rules 16-3; LAND 13-4, 13-5, 14-2; Local Network Rule Summary 16-6; log [...]

  • Page 253

    P312 Broadband Security Gateway FF Index S Safety Instructions J; Safety Instructions J; saving the state 13-6; Security In General 13-10; Security Ramifications[...]

  • Page 254

    P312 Broadband Security Gateway Index GG WAN Setup 2-6, 2-10, 2-11, 21-2; WAN to LAN Rules 16-3; Web Configurator 13-9; Web Proxy 20-2; Welcome screen [...]