09/06 65-100-010111G

Copyright © 2006 ZyXEL Communications Corp. All rights reserved. ZyXEL, ZyXEL logo are registered trademarks of ZyXEL Communications Corp. All other brands, product names, or trademarks mentioned are the property of their respective owners. All specifications are subject to change without notice.

For more product information, visit us on the web www.ZyXEL.com

Corporate Headquarters, ZyXEL Communications Corp. Tel: +886-3-578-3942, Fax: +886-3-578-2439, Email: [email protected], http://www.zyxel.com, http://www.zyxel.com.tw
ZyXEL North America. Tel: +1-714-632-0882, Fax: +1-714-632-0858, Email: [email protected], http://www.us.zyxel.com
ZyXEL France SARL. Tel: +33 (0)4 72 52 97 97, Fax: +33 (0)4 72 52 19 20, Email: [email protected], http://www.zyxel.fr
ZyXEL Spain. Tel: +34 902 195 420, Fax: +34 913 005 345, Email: [email protected], http://www.zyxel.es
ZyXEL Costa Rica. Tel: +560-2017878, Fax: +560-2015098, Email: [email protected], http://www.zyxel.co.cr
ZyXEL Norway A/S. Tel: +47 22 80 61 80, Fax: +47 22 80 61 81, Email: [email protected], http://www.zyxel.no
ZyXEL Sweden A/S. Tel: +46 (0) 31 744 77 00, Fax: +46 (0) 31 744 77 01, Email: [email protected], http://www.zyxel.se
ZyXEL Germany GmbH. Tel: +49 (0) 2405-6909 0, Fax: +49 (0) 2405-6909 99, Email: [email protected], http://www.zyxel.de
ZyXEL Czech s.r.o. Tel: +420 241 091 350, Fax: +420 241 091 359, Email: [email protected], http://www.zyxel.cz
ZyXEL Hungary. Tel: +36-1-336-1646, Fax: +36-1-325-9100, Email: [email protected], http://www.zyxel.hu
ZyXEL UK Ltd. Tel: +44 (0) 1344 303044, Fax: +44 (0) 1344 303034, Email: [email protected], http://www.zyxel.co.uk
ZyXEL Poland. Tel: +48 (22) 3338250, Fax: +48 (22) 3338251, Email: [email protected], http://www.pl.zyxel.com
ZyXEL Russia. Tel: +7 (095) 542-8920, Fax: +7 (095) 542-8925, Email: [email protected], http://www.zyxel.ru
ZyXEL Ukraine. Tel: +380 44 494 49 31, Fax: +380 44 494 49 32, Email: [email protected], http://www.ua.zyxel.com
ZyXEL Denmark A/S. Tel: +45 39 55 07 00, Fax: +45 39 55 07 07, Email: [email protected], http://www.zyxel.dk
ZyXEL Finland Oy. Tel: +358-9-4780 8400, Fax: +358-9-4780 8448, Email: [email protected], http://www.zyxel.fi
ZyXEL Kazakhstan. Tel: +7-327-2-590-699, Fax: +7-327-2-590-689, Email: [email protected], http://www.zyxel.kz

ZyWALL Security Handbook
Solution for Small and Medium-Sized Businesses

ZyWALL Security Handbook


Page 1: ZyWALL Security Handbook


ZyWALL Security HandbookSolution for Small and Medium-Sized Businesses


Page 3: ZyWALL Security Handbook

Table of Contents

About this Security Handbook 4

Chapter 1 ZyWALL 1050 At-a-Glance 7

Chapter 2 ZyWALL Success Story 11

Chapter 3 Feature Introduction 19

Chapter 4 Application Library 31

Chapter 5 FAQ 69

Chapter 6 ZyWALL Family Matrix 87

Chapter 7 Lab Test Report 91

Chapter 8 Glossary 97

Copyright © 2006 ZyXEL Communications Corp. All rights reserved. ZyXEL, ZyXEL logo and ZyNOS are registered trademarks of ZyXEL Communications Corp. All other brands, product names, or trademarks mentioned are the property of their respective owners. All specifications are subject to change without notice.

ZyXEL Communications Corp. assumes no responsibility for any inaccuracies in this document. ZyXEL reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

Page 4: ZyWALL Security Handbook

About this Security Handbook

Overview
This Security Handbook is designed to give a detailed overview of ZyXEL’s newest security product — the ZyWALL 1050. From product information to application library, FAQ to success stories, you will find everything needed to learn, plan, sell and maintain this product and the related solutions.

Intended Audience
This security handbook is intended for:

• IT professionals responsible for acquiring, planning or deploying ZyXEL security products for resellers, distributors and customers.

• Security administrators, network administrators or IT procurement decision makers who are interested in ZyXEL’s comprehensive security product lines.

• Security consultants, journalists of professional IT magazines/media or representatives of distributors and/or resellers who want to know the details about ZyXEL’s latest progress on network security product lines.

How is this Security Handbook organized?

• Unveiling the ZyWALL 1050

In the first three chapters, we’ll give detailed product information about ZyWALL 1050, ZyXEL’s first security product targeting mid- to large organizations. Starting from the positioning and physical layout and moving on to the success stories of ZyWALL 1050, we are pleased to share the good customer experience with you, and you may take an overview of this flagship of ZyXEL’s security product range as well.

Chapter 1. ZyWALL 1050 At-a-Glance

Chapter 2. ZyWALL Success Story

Chapter 3. Feature Introduction

Page 5: ZyWALL Security Handbook

• Solutions for the SMB/Mid- to Large-Scale Organizations

Beginning from Chapter 4, there is an application library illustrating how ZyXEL security products can be placed in various networking environments, to what extent the ZyWALL product range can provide customers comprehensive protection, as well as the business benefits of ZyXEL’s security products. These solutions are organized in categories: VPN applications, Security Policy Enforcement and Seamless Incorporation. If you don’t have adequate time to read this material in its entirety, this part is the one you can’t miss!

The following Chapter 5 gives answers to the frequently asked questions (FAQ) about ZyWALL 1050 itself and its diverse applications.

Chapter 4. Application Library

Chapter 5. FAQ

Note. For detailed hands-on configuration steps for each application in the library, please browse the Application Note in the Resource CD.

• Additional Information

In the last part of this material, we’ll reveal the real performance data direct from ZyXEL’s PQA lab, a matrix of ZyXEL’s full security product range and a “common language” (terminology) glossary used by the security industry for your reference.

Chapter 6. ZyWALL Family Matrix

Chapter 7. Lab Test Report

Chapter 8. Glossary

• Contents of the Resource CD

1) Application Note to each scenario addressed in Chapter 4 Application Library

2) Demo GUI of ZyWALL 1050 — this is a great tool for IT professionals to demonstrate the ZyWALL 1050 GUI and/or a visual aid for explaining features/specifications of ZyWALL 1050 in pre-sales events/activities.

More Information
For more information about ZyXEL products, please visit: http://www.zyxel.com

For the latest news on security threats, please visit: http://mysecurity.zyxel.com/mysecurity/

For product collaterals and marketing tools, please visit: http://zypartner.zyxel.com/user/login.htm

Page 6: ZyWALL Security Handbook
Page 7: ZyWALL Security Handbook


ZyWALL 1050 At-a-Glance

Chapter 1

Page 8: ZyWALL Security Handbook

ZyWALL 1050 At-a-Glance

Having an online presence on the Internet allows businesses, especially Small Businesses (SB) and Small and Medium-sized Businesses (SMB), to gain effective and efficient communications with geographically distributed operation sites, partners and potential customers.

However, Internet-centric applications and communications could potentially lead to information leakage, mainly eavesdropping on confidential information, and expose the entire corporate network to security breaches.

Deploying a proven security solution with integrated product features is the key to protecting the entire business network against internal and external security threats, unplanned outages, and goodwill degradation.

ZyWALL 1050, the first product based on ZLD, ZyXEL’s new security platform, is an Integrated Security Appliance, equipped with comprehensive security features tailored for Small and Medium Businesses (SMB) and mid- to large-scale organizations.

Target Segment of ZyWALL 1050

The ZyWALL 1050 Primer
By incorporating comprehensive application inspection technologies and enterprise-class networking capabilities into a single robust hardware platform, ZyWALL 1050 is capable of providing real-time, non-stop protection to improve the overall security and productivity of customers’ IT infrastructure.

Equipped with hardware-acceleration technology, ZyWALL is capable of performing tasks like wire-speed firewall protection on fast Ethernet networks, as well as VPN concentrator and high-performance in-line IDP operations.

[Figure: ZyWALL Target Market. Segments: Enterprise (500+ users), Mid-Large (100 ~ 500 users), SMB (50 ~ 100 users), SB (<50 users), SOHO/Home. Products positioned across these segments: ZyWALL 1050, ZyWALL 70 UTM, ZyWALL 35 UTM, ZyWALL 5 UTM, ZyWALL 2 Plus, ZyWALL P1.]

Page 9: ZyWALL Security Handbook

ZyWALL 1050 — Platform Design

Physical Layout of ZyWALL 1050

• Definable GbE (Gigabit Ethernet) Interface x 5 — delivers flexible network partitioning
• Built-in VPN H/W Accelerator — accelerates AES/3DES/DES encryption
• Built-in SecuASIC — accelerates L7 deep packet inspection
• USB Port x 2 — removable storage for out-of-band configuration exchange (future)
• Mini-PCI and CardBus Slot — for feature acceleration (future)
• HDD Expansion Slot — for local logging and archiving (future)

Performance: Firewall = over 300Mbps, VPN = over 100Mbps, IDP = over 100Mbps

With triple security processors onboard, the ZyWALL 1050 delivers a powerful combination of multiple market-proven technologies in a single, robust platform, making it operationally and economically feasible for organizations to deploy comprehensive security services to more locations.

Page 10: ZyWALL Security Handbook
Page 11: ZyWALL Security Handbook


ZyWALL Success Story

Chapter 2

Page 12: ZyWALL Security Handbook

ZyWALL Success Story

Deploy High Volume VPN Concentrator With Device Redundancy, VPN High Availability To Enable “Multiple Entry Point” And Highly-Available Trusted Connectivity Operation

Organization Name: iPass Inc.

Industry: Enterprise Connectivity

Profile: iPass, a global leader in trusted connectivity, helps enterprises by building and managing broadband remote and mobile access solutions for mobile workers, branch offices and home offices. The iPass virtual network spans 160 countries and includes one of the world’s largest Wi-Fi networks and the most complete fixed broadband coverage in North America. Hundreds of Global 2000 companies such as General Motors, Dow Corning, and Mellon Financial choose iPass as their trusted connectivity provider.

Customer’s Challenge: A key piece of the iPass enterprise solution is to provide secured, trusted and highly-available broadband access to customers’ home offices, branch offices and retail locations. In order to achieve this goal, the secured network needs to have the intelligence to meet the customer’s high up-time requirements. To do this, monitoring mechanisms must proactively scan the network and alert the network administrator when a device is functioning abnormally. By proactively scanning the network, the network administrator will be instantly aware of the issue at hand and will be able to quickly take the necessary actions and prevent network down time.

Page 13: ZyWALL Security Handbook

ZyXEL Solution: To provide customers with secure, trusted and highly-available broadband access to home offices, branch offices and retail locations, iPass has chosen the ZyWALL 2/2 Plus with VPN High Availability features and the ZyWALL 1050 with flexible policy route settings. The ZyWALL 2/2 Plus has the intelligence to fail over the VPN tunnel in order to assure that secured access is always functioning. The customized private MIBs of the ZyWALL 2/2 Plus are able to provide iPass with a great solution that can be easily integrated into the existing iPass network management system. This allows the iPass network administrator to easily monitor the device status and take the proper actions to avoid network failure in advance. In addition, the ZyWALL 1050 provides iPass with flexible policy route settings to achieve “Multiple Entry Points”. The customized private MIBs also help integration in the iPass network management system.

ZyXEL Product List
• ZyWALL 2 Internet Security Gateway for Tele-Home
• ZyWALL 2 Plus Integrated Security Appliance
• ZyWALL 1050 Internet Security Appliance — Professional VPN Concentrator/UTM Appliance for SMB/Mid-Large Organization

Benefits of Choosing ZyXEL: ZyXEL products are easy to maintain and upgradeable. They offer their users the flexibility of customization and secure device management through SSH/SSL protocols. The ZyXEL products listed above can be effortlessly integrated into the existing iPass Network Management System at a very affordable price.

Customer’s Application
[Figure: Central Site and Redundant Site, with a ZyWALL 1050 at each; iPass SLA Server; Internal Server; lease line with dial-backup; ZyWALL 2 Plus at the remote site; Internet; IPSec VPN Tunnel. Callouts: “Periodically checking the availability of remote sites”; “If the path (in blue) to Main Office is not available, user can still access the same network resource via backup path (in green)”; “Guaranteed non-stop operation — With deployment of MEP, availability of business-critical application can be assured”.]

Page 14: ZyWALL Security Handbook

ZyWALL Success Story

High Availability, High Volume VPN Concentrator and Network Management System (Vantage CNM) for Easy-to-Manage “Multiple Entry Points” without Single Point Failures

Organization Name: TÜV Nord Group

Industry: Technical Service Provider

Profile: The TÜV NORD Group, with a workforce of more than 6,600, is the number one technical service provider in northern Germany. It has expertise in nearly all aspects of technical safety, environmental protection, and the conformity assessment of management systems and products — in other German regions and 70 countries worldwide.

Customer’s Challenge: “TÜV Nord and all its subsidiaries have more than 6,600 employees. 80% of them get access to the company network from their home. To make sure the access can be always available when working from home, preventing single point failures becomes an important point. In addition, all the car service stations shall be better included in this network while additional services are being planned, e.g. offering free Internet access to customers waiting for their car to be checked. Since there are locations with extremely high security needs in this network, strong protection is necessary.”

ZyXEL Solution: After testing about 30 products, TÜV found ZyWALL 2 (together with Vantage CNM) and ZyWALL 1050 to be the best suite to meet all their needs at a reasonable price. The ZyWALL product family is also flexible enough to solve all the Internet connection issues.

• The target is to construct and manage a huge VPN with ZyWALL 2 with up to 4,400 locations (planned), and additional devices will follow. It has to be standardized since the partner’s employees are mostly not savvy technicians.
• The VPN concentrators will be placed in 3 locations (Hamburg, Hannover and Essen) with ZyWALL 1050. Two ZyWALL 1050s with Device HA will be deployed in each location for 24-hour VPN availability.
• To enable “always on” remote access, VPN HA on ZyWALL 2 Plus can easily fail over to another VPN concentrator if any central site is down.
• Additionally, a lot of road warriors will be equipped with ZyWALL P1.

ZyXEL Product List
• ZyWALL 2: 7500 pcs. (Planned)
• P650H-E7: 7500 pcs.
• P653HI-17: Approx. 100 pcs.
• Vantage CNM: Project-based version supporting up to 20,000 nodes
• ZyWALL 1050: 6 pcs. (Planned)

Page 15: ZyWALL Security Handbook

Benefits of Choosing ZyXEL
• Easy deployment by non-technical staff; easy to maintain and upgrade.
• Fewer staff are needed
• Centrally manageable
• Reasonable price
• Complete portfolio (from the headquarters to the road warriors)
• Meets the needs for a Professional Management System, High Volume VPN concentrator with Device HA, remote site VPN HA, state-of-the-art encryption standards (3DES, AES) and PKI

Testimonial: “With the ZyXEL solution, the IT team of TÜV NORD is able to roll out a large number of VPN endpoints and maintain them with a staff of 2 people. Also firmware upgrades and policy changes are very simple and efficient. The AES encryption and the professional firewall features of the ZyWALL Series meet the high security needs of TÜV; no matter when we have to connect from customers’ LAN, get a direct Internet link such as DSL, or when we have to fulfill any future need, with the flexibility of the ZyWALL we are always protected.”

Oliver Schulz/VPN Solutions/TÜV Nord Service GmbH & Co. KG

Customer’s Application
[Figure: three central sites, Essen (LAN), Hamburg (LAN) and Hannover (LAN), each labelled with a Windows DC, Active Directory and a Mail server, plus two CPfw1 clusters, connected by lease lines and ATM links (ATM 34Mbps; ATM 8Mbps, 20Mbps planned; ATM 34Mbps, 154Mbps planned). VPN concentrators: ZyWALL 1050 (two units); ZyWALL IDP10 with VPN=30 (300 planned); ZyWALL 2 with VPN=40 (500 planned); PIX 515E with VPN=346 (1000 planned). Remote Site N reaches the central sites over the Internet from Windows XP SP2, Windows Vista and Windows 2000 clients. Main traffic inside the VPN tunnel: 1. Windows domain logon, 2. SMTP, 3. POP3.]

Page 16: ZyWALL Security Handbook

ZyWALL Success Story

Combining IPSec VPN and MPLS VPN to Provide a Cost-Effective VPN Solution

Organization: Company X (one of the tier-1 telecoms in Taiwan)

Industry: Telco (Telecommunications, Telephone Company)

Profile: Company X chiefly provides telecommunication and information-related services covering local and long-distance calls, international calls, GSM, data communication, Internet services, broadband networking, satellite communication, intelligent network, mobile data and multimedia broadband. As the most experienced and largest integrated telecommunication operator in Taiwan, Company X is one of the most important partners for international telecommunication cooperation, with circuits reaching over 200 countries.

Customer’s Challenge: As Company X provides IP VPN (MPLS VPN) service to enterprises with many worldwide branches, and there are more and more locations from different companies, offering all clients MPLS VPN becomes a “costly” solution; thus a cost-effective solution is needed to expand the VPN services that Company X offers, and a redundant path for MPLS VPN guarantees 100% uptime for customers’ VPN network. Finally, for companies wishing to manage VPN themselves for additional security, Company X also considers providing that flexibility over MPLS VPN.

Page 17: ZyWALL Security Handbook

ZyXEL Solution: Company X surveyed several products and chose ZyXEL’s ZyWALL Series for combining IPSec VPN with their MPLS VPN.

• ZyWALL 2 Plus/P1s are deployed at the branches as remote IPSec VPN sites.
• ZyWALL 1050 terminates the IPSec tunnel before entering the MPLS backbone.
• Once terminated by ZyWALL 1050, all traffic is within the MPLS VPN.
• If MPLS VPN fails, IPSec VPN offers redundancy to the VPN network.
• If companies need to manage VPN on their own for additional security (Firewall/VPN...), IPSec provides the flexibility over MPLS VPN.

ZyXEL Product List
• ZyWALL P1 Palm-Sized Internet Security Appliance for Personal Network Protection
• ZyWALL 2 Plus Integrated Security Appliance
• ZyWALL 1050 Internet Security Appliance — Professional VPN Concentrator/UTM Appliance for SMB/Mid-Large Organization

Benefits of Choosing ZyXEL
• Lower TCO to provide VPN services
• Flexibility to expand the VPN network
• Backup solution if MPLS VPN fails

Customer’s Application
[Figure: Com-A Location A, B and C and Com-B Location 1, 2 and 3; ZyWALL 2 Plus at the remote locations; IPsec VPN tunnels over the Internet and the MPLS local loop to a ZyWALL 1050 in front of the MPLS backbone. Callout: “IPSec VPN tunnels terminate here!” (at the ZyWALL 1050).]

Page 18: ZyWALL Security Handbook
Page 19: ZyWALL Security Handbook


Feature Introduction

Chapter 3

Page 20: ZyWALL Security Handbook

Feature Introduction

ZyWALL 1050 provides robust networking functionality and comprehensive security features. Based on the advanced ZLD platform, ZyWALL 1050 can deliver cutting-edge technologies for organizations demanding a higher level of protection in terms of connectivity and security.

Key Features of ZyWALL 1050:

1. Robust ZLD Platform

A. Diverse Port–Interface Combination Makes Network Planning Flexible

ZyWALL 1050 supports Layer-2 switching and Layer-3 virtualization technologies. Taking advantage of both, IT administrators can easily configure ZyWALL 1050 to interconnect network segments regardless of scale or complexity.

Port Grouping (Layer-2 Switching):

The technology provides embedded Layer-2 switching capability. When two physical ports are grouped, the hardware switch controller forwards packets between them based on the destination MAC addresses without performing security (Firewall, IDP) checks. Port Grouping is best used when administrators need to aggregate several physical ports into one representative logical interface.

Layer-3 Virtualization:

In addition to Ethernet interfaces, ZyWALL 1050 supports virtual interfaces such as VLAN (802.1Q tagged VLAN) and Virtual Interface (IP Alias).

The major benefit of using VLAN is to extend the port density. There are only 5 physical ports on ZyWALL 1050; however, you can extend port density by defining VLAN interfaces (requires an additional VLAN-capable switch) when needed. With the use of VLAN, designers can plan and construct a more complex network.

[Figure: Network layer hierarchy of ZyWALL 1050’s port and interface design. Layer 3: PPPoE, PPTP, Virtual Interface (IP Alias), VLAN, Ethernet. Layer 2: Bridge, Port Grouping (L2 switching w/o Firewall), Physical Ports (RJ45 connection), AUX (RS232 connection).]

[Figure: Using VLAN to extend port density of ZyWALL 1050. Left: three ports for three LANs (LAN1, LAN2, LAN3, without VLAN tag). Right: one port for three LANs, using VLAN to extend port density (LAN1, LAN2, LAN3; labels “with VLAN tag” and “without VLAN tag”).]

Page 21: ZyWALL Security Handbook

Altogether, ZyWALL 1050 provides the most flexible network hierarchy to be integrated into any network regardless of the complexity.

Multiple Interfaces Based on Single Physical Port

An example of connecting multiple logical network segments using a single physical port. Interface and port are in an m:1 relationship: various interfaces can be based on one physical port.

ge1 & VLAN1 & VLAN2 → port 1
ge2 & VLAN3 & VLAN4 → port 2

ge1: 192.168.1.0/24
VLAN1: 172.16.0.0/24
VLAN2: 10.1.1.0/24
ge2: 192.168.2.0/24
VLAN3: 172.16.3.0/24
VLAN4: 10.4.4.0/24

Each port connects to a VLAN-capable switch.

Port Grouping and Layer-3 Virtualization

An example of using both Port Grouping and Layer-3 Virtualization to connect multiple logical network segments. Interface and port are in an m:n relationship: physical ports can be grouped at layer 2, which makes multiple ports map to a single Ethernet interface.

ge1 & VLAN1 & VLAN2 → port 1 & port 2
ge3 & VLAN3 & VLAN4 → port 3 & port 4

ge1: 192.168.1.0/24
VLAN1: 172.16.1.0/24
VLAN2: 10.2.2.0/24
ge3: 192.168.3.0/24
VLAN3: 172.16.3.0/24
VLAN4: 10.4.4.0/24

Each port connects to a VLAN-capable switch.

Note. For detailed technical information, please refer to the product manual and support notes available for download at: http://www.zyxel.com

Page 22: ZyWALL Security Handbook

Feature Introduction

B. Custom Security Zone:

The ZyWALL 1050 implements zone-based inspection technologies: all interfaces defined on ZyWALL 1050 (Ethernet/VLAN) can be grouped into zones and security policies can be applied between them.

Putting these features together, the ZyWALL 1050 delivers the most flexible deployment to large or complex networking environments while maintaining effortless management of security policies.

Concept of custom security zones

Custom Zone: Zones are fully customizable to meet the customer’s complex environment. Corporate access policy can be enforced between each pair of zones.

Example:

Local zone: contains ge1 & VLAN1
External zone: contains VLAN2
Secret zone: contains ge2
DMZ zone: contains VLAN3 & VLAN4

ge1: 192.168.1.0/24
VLAN1: 172.16.0.0/24
VLAN2: 10.1.1.0/24
ge2: 192.168.2.0/24
VLAN3: 172.16.3.0/24
VLAN4: 10.4.4.0/24

(Each of the two ports connects to a VLAN-capable switch.)
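The port-grouping and VLAN interface hierarchy of section A and the zone example above can be exercised in a small model. The following Python is an added example written for this handbook's discussion, not ZyXEL code: the interface names and subnets are taken from the zone example, while the port group {1, 2} carrying ge1 and its VLANs, the allow rules and the `decide` function are constructed stand-ins for the appliance's own zone-pair firewall lookup. It shows the three things the text describes: a frame's port plus 802.1Q tag fixes its logical interface, traffic between two ports of a port group is switched without firewall/IDP inspection, and everything else is decided per zone pair with a default deny.

```python
"""Port -> interface -> zone model, added example (not ZyXEL code).

Subnets follow the handbook's zone example; the port group, policies and
decision logic are constructed for illustration only.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Interface:
    """An Ethernet interface on one port (or a port group), or an 802.1Q
    VLAN interface riding on those same ports (m:1 / m:n relationship)."""
    name: str
    ports: frozenset                # physical ports carrying this interface
    network: ipaddress.IPv4Network
    vlan_id: Optional[int] = None   # None = untagged frames


class ZoneFabric:
    def __init__(self, default_action="deny"):
        self.interfaces = []
        self.zone_of = {}       # interface name -> zone name
        self.policies = []      # (from_zone, to_zone, action); first match wins
        self.default_action = default_action

    def add(self, iface, zone):
        self.interfaces.append(iface)
        self.zone_of[iface.name] = zone

    def allow(self, from_zone, to_zone):
        self.policies.append((from_zone, to_zone, "allow"))

    def ingress(self, port, vlan_id=None):
        """The logical interface of a frame is fixed by the port it arrived
        on plus its 802.1Q tag (or the absence of one)."""
        for iface in self.interfaces:
            if port in iface.ports and iface.vlan_id == vlan_id:
                return iface
        return None

    def egress(self, dst_ip):
        """Egress interface = the directly connected subnet holding dst_ip."""
        dst = ipaddress.IPv4Address(dst_ip)
        for iface in self.interfaces:
            if dst in iface.network:
                return iface
        return None

    def decide(self, port, vlan_id, src_ip, dst_ip):
        src_if = self.ingress(port, vlan_id)
        dst_if = self.egress(dst_ip)
        if src_if is None or dst_if is None:
            return ("drop", "no matching interface")
        if ipaddress.IPv4Address(src_ip) not in src_if.network:
            # A source address that does not belong to the ingress segment is
            # spoofed; refuse it before any zone policy is consulted.
            return ("drop", "spoofed source on " + src_if.name)
        if src_if is dst_if:
            # Same logical interface: inside a port group the hardware switch
            # forwards by MAC address and firewall/IDP never see the packet.
            if len(src_if.ports) > 1:
                return ("switch", src_if.name + " (no firewall/IDP inspection)")
            return ("local", src_if.name)
        pair = (self.zone_of[src_if.name], self.zone_of[dst_if.name])
        for from_zone, to_zone, action in self.policies:
            if (from_zone, to_zone) == pair:
                return (action, "%s->%s" % pair)
        return (self.default_action, "%s->%s (default)" % pair)


def build_example_fabric():
    """Zones from the handbook's example (Local, External, Secret, DMZ) with
    ge1 and its VLANs placed on a constructed port group {1, 2}."""
    net = ipaddress.IPv4Network
    fab = ZoneFabric()
    group = frozenset({1, 2})
    fab.add(Interface("ge1", group, net("192.168.1.0/24")), "Local")
    fab.add(Interface("vlan1", group, net("172.16.0.0/24"), vlan_id=1), "Local")
    fab.add(Interface("vlan2", group, net("10.1.1.0/24"), vlan_id=2), "External")
    fab.add(Interface("ge2", frozenset({3}), net("192.168.2.0/24")), "Secret")
    fab.add(Interface("vlan3", frozenset({3}), net("172.16.3.0/24"), vlan_id=3), "DMZ")
    fab.add(Interface("vlan4", frozenset({3}), net("10.4.4.0/24"), vlan_id=4), "DMZ")
    fab.allow("Local", "DMZ")
    fab.allow("Local", "External")
    fab.allow("External", "DMZ")
    # Nothing is allowed into Secret: the default deny covers it.
    return fab


if __name__ == "__main__":
    fab = build_example_fabric()
    for args in [(1, None, "192.168.1.10", "192.168.1.20"),
                 (1, 1, "172.16.0.5", "10.4.4.8"),
                 (1, 2, "10.1.1.7", "192.168.2.9"),
                 (1, 2, "192.168.1.50", "10.4.4.8"),
                 (3, 3, "172.16.3.4", "172.16.0.9")]:
        print(args, "->", fab.decide(*args))
```

The "switch" verdict is the practical caveat of port grouping: hosts on the two grouped ports see each other as if on one switch, so anything that must be inspected has to sit on a different interface or VLAN, not merely a different port.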

C. Policy-Based Routing

In addition to typical static routes, the ZyWALL 1050 provides robust policy routing features that help users control the traffic flow regardless of service type or network complexity.

The policy routes enable IT administrators to manipulate both inbound and outbound traffic based on several criteria: user/group, time of access, origin of the access attempt, destination and type of service, etc.

Beyond packet forwarding decisions, policy routes on ZyWALL 1050 also integrate the settings of Network Address Translation (SNAT) and traffic shaping (BWM).

Altogether, the policy route feature on ZyWALL 1050 is an extremely powerful tool to construct the underlying IT infrastructure.

[Figure: Configuration screen of policy routes]

Page 23: ZyWALL Security Handbook

D. Dynamic Routing Protocols

In addition to supporting RIP (Routing Information Protocol, both v1 and v2), ZyWALL 1050 is also equipped with native support for OSPF (Open Shortest Path First), the de facto standard of dynamic routing protocols.

Like RIP, OSPF was designed and designated by the Internet Engineering Task Force (IETF) as one of the Interior Gateway Protocols (IGPs), intended to replace the dated RIP.

Benefits of implementing OSPF in today’s corporate network are:

1). Changes on an OSPF network are propagated quickly.

2). OSPF is hierarchical, using area 0 as the top of the hierarchy.

3). After initialization, OSPF only sends updates for the routing table sections that have changed; it does not resend the entire routing table.

4). Using areas, OSPF networks can be logically segmented to decrease the size of routing tables. Table size can be further reduced by using route summarization.

5). Exchange of routing information can be authenticated with the plain text or MD5 method.

6). OSPF is an open standard unaffiliated with any particular vendor.

In summary, dynamic routing protocols are prevalent on today’s corporate networks. They help ensure network route availability, ease integration with existing routing infrastructure and dramatically lower the maintenance overhead on networking infrastructures.

E. User-Aware Policy Engine

In addition to typical access control capabilities, the ZyWALL 1050 is equipped with an intelligent user-aware policy engine which makes packet forwarding decisions based on advanced criteria: user ID, user group, time of access and network quota.

Furthermore, the enforcement can be applied to all security features such as VPN, Content Filtering and Application Patrol.

Coupled with well-designed network partitioning, the corporate security policies can be effectively enforced so that policy violations and resource abuses can be stopped.

[Figure: “User-Awareness” integrated into the firewall ACL]

However, there are roadblocks to enforcing user-aware access control on today’s corporate networks — users usually have to log into the security gateway before access is granted, and the mechanism would be perceived as clumsy.

The good news is that the authentication mechanism on ZyWALL 1050 can be transparent to users — by configuring the “Force User Authentication” policy, unauthorized access attempts will be intercepted and the authentication dialog box automatically pops up for entering access credentials. This scenario avoids the above drawbacks and achieves a good balance between usability and policy enforcement.
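The policy-route criteria of section C (source, destination, service, schedule, user/group, with SNAT and bandwidth settings attached to the chosen route) and the Force User Authentication behaviour described in section E can be shown together as one first-match lookup. The Python below is an added example, not ZyXEL code: the rule names, address objects, trunk names, schedule windows and users are constructed, and the way an unauthenticated session is intercepted (a user-scoped rule whose traffic criteria match returns an "authenticate" verdict) is a simplified model of the appliance's behaviour, not its actual implementation.

```python
"""First-match policy route lookup with user-aware criteria, added example
(not ZyXEL code). Rule names, objects, trunks and users are constructed.
"""
import ipaddress
from dataclasses import dataclass
from datetime import time
from typing import Optional, Tuple


@dataclass
class Session:
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int
    at: time
    user: Optional[str] = None          # None = not authenticated to the gateway
    groups: frozenset = frozenset()


@dataclass
class PolicyRoute:
    name: str
    source: Optional[str] = None                  # address object (CIDR); None = any
    destination: Optional[str] = None
    service: Optional[Tuple[str, int]] = None     # (proto, port); None = any
    schedule: Optional[Tuple[time, time]] = None  # active window, inclusive
    identity: Optional[str] = None                # required user or group; None = any
    next_hop: str = "wan_trunk"
    snat: Optional[str] = None                    # translated source, None = no SNAT
    bandwidth_kbps: Optional[int] = None          # BWM limit, None = unlimited

    def traffic_matches(self, s):
        """Everything except identity; who is sending is checked separately so
        an unauthenticated user can be sent to the login dialog first."""
        if self.source and ipaddress.ip_address(s.src_ip) not in ipaddress.ip_network(self.source):
            return False
        if self.destination and ipaddress.ip_address(s.dst_ip) not in ipaddress.ip_network(self.destination):
            return False
        if self.service and self.service != (s.proto, s.dst_port):
            return False
        if self.schedule and not (self.schedule[0] <= s.at <= self.schedule[1]):
            return False
        return True

    def identity_matches(self, s):
        return self.identity is None or s.user == self.identity or self.identity in s.groups


def lookup(rules, session, force_auth=True):
    """Walk the rules top-down. A user-scoped rule whose traffic criteria match
    an unauthenticated session triggers Force User Authentication: the
    attempt is intercepted and credentials are requested instead of routing."""
    for rule in rules:
        if not rule.traffic_matches(session):
            continue
        if rule.identity is not None and session.user is None:
            if force_auth:
                return {"action": "authenticate", "rule": rule.name}
            continue
        if not rule.identity_matches(session):
            continue
        return {"action": "route", "rule": rule.name, "next_hop": rule.next_hop,
                "snat": rule.snat, "bandwidth_kbps": rule.bandwidth_kbps}
    # No policy route matched: fall back to the ordinary routing table.
    return {"action": "route", "rule": None, "next_hop": "main_routing_table",
            "snat": None, "bandwidth_kbps": None}


EXAMPLE_RULES = [  # constructed rule set
    # Sales VoIP leaves via wan1 with a 512 kbps shaping limit, sales group only.
    PolicyRoute("sales-voip", source="192.168.1.0/24", service=("udp", 5060),
                identity="sales", next_hop="wan1", bandwidth_kbps=512),
    # Guest HTTPS during office hours leaves via wan2 and is source-NATed.
    PolicyRoute("guest-web", source="10.1.1.0/24", service=("tcp", 443),
                schedule=(time(9, 0), time(18, 0)), next_hop="wan2",
                snat="wan2-public-ip"),
]


def route_for(src_ip, dst_ip, proto, port, hour, minute=0, user=None, groups=()):
    """Convenience wrapper: evaluate one session against EXAMPLE_RULES."""
    s = Session(src_ip, dst_ip, proto, port, time(hour, minute), user, frozenset(groups))
    return lookup(EXAMPLE_RULES, s)


if __name__ == "__main__":
    print(route_for("192.168.1.10", "203.0.113.5", "udp", 5060, 10, user="alice", groups=["sales"]))
    print(route_for("192.168.1.10", "203.0.113.5", "udp", 5060, 10))   # -> authenticate
    print(route_for("10.1.1.5", "203.0.113.9", "tcp", 443, 20))       # outside schedule
```

Note the ordering: identity is evaluated only after the traffic criteria match, which is what keeps the login prompt targeted. A session that matches no user-scoped rule is never asked to authenticate, so guests and unattended devices are not interrupted by a dialog they cannot answer.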

Page 24: ZyWALL Security Handbook

Feature Introduction

F. Network Objects

The ZLD is an object-based architecture — settings should be configured in an object. When configuring a specific feature/function, the setting should be specified with a predefined “object” instead of entering a value.

Types of objects on ZyWALL 1050 include: Address, Service, Schedule, AAA Server, Auth Method, Certificate and User/Group.

The obvious benefits of object-based architecture are:

1). Automatic “Change Update”

Once the value of a setting is changed, the change is automatically updated system-wide. This behavior helps administrators maintain the integrity and consistency of the system configuration without hassle.

2). Object Reuse

The user-defined objects can be reused. As a result, administration effort can be drastically reduced in a complex configuration pertaining to a larger-scale networking environment or strict corporate security policy.

[Figure: Screenshot of the “Address” object configuration screen]

G. User Management

The fundamental task for user-aware policy enforcement is user account management. The security administrator is required to manage user accounts and access credentials, then to define access privileges in each security module on ZyWALL 1050.

The ZyWALL 1050 provides different methods for managing user accounts, such as an internal database and common directory servers:

• Local Database
• RADIUS
• LDAP
• Microsoft AD

ZyWALL 1050 can use any one of the above directory servers to authenticate users such as access users or VPN users.

With this diversity in place, ZyWALL 1050 can leverage the existing user database to authenticate users without redundant management effort.

H. Configuration Management

The configuration file carries the settings and values for all features system-wide on ZyWALL 1050, so maintaining the configuration files on the security gateway is a critical task for the security administrator.

ZyWALL 1050 has several advanced designs for configuration management:

1) Editable: the configuration file on ZyWALL 1050 is text-based, so the security administrator can easily modify it with any text editor of choice. Furthermore, sensitive information in the configuration file, e.g. passwords, is hashed to prevent credential disclosure.

2) Multiple configuration files: in a complex networking environment, the security administrator may need to maintain multiple sets of configuration files to ensure effective access control and security policy enforcement. ZyWALL 1050 can hold multiple sets of configuration files.

3) Changes take effect on the fly: you can apply a different configuration file to ZyWALL 1050 without rebooting. New settings take effect immediately.

[Screenshot: maintaining multiple sets of configuration files]

I. Introducing WAN Trunk for managing multiple ISP links

ZyWALL 1050 can handle more than two ISP links. Multiple ISP links can be based on a single physical port or span multiple physical ports.

Furthermore, ZyWALL 1050 provides a fault tolerance mechanism that ensures automatic failover when an ISP link fails, and load balancing to ensure maximum availability and optimized bandwidth utilization.

Aside from the robust functionality, it is very easy to manage multiple ISP links on ZyWALL 1050: simply add WAN connections to the “WAN Trunk”. In WAN Trunk, IT administrators can choose any of the three algorithms for optimizing bandwidth utilization: Least Load First, Weighted Round Robin and Spillover. The task can be done in just a few clicks.

[Figure: managing multiple ISP links using WAN Trunk. ISP1, ISP2 and ISP3 connect through a switch to the WAN Trunk on ZyWALL 1050, with LAN and DMZ behind it. Mixed WAN links can be based on a single physical port on ZyWALL 1050. Easy to manage: simply use “WAN Trunk” to manage multiple ISP links.]

Theoretically, ZyWALL 1050 supports up to 48 ISP links, so you can rest assured that there will be no more bandwidth insufficiency problem!
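The three WAN Trunk algorithms named above, modelled as an added example (this is not ZyXEL code): each picks the ISP link for a new session, and each skips a link whose health check has failed, which is what makes failover automatic. The link names, capacities, weights, loads and the 80% spillover threshold are constructed for the demo, not ZyWALL 1050 defaults.

```python
# Added example, not ZyXEL code: the three WAN Trunk link-selection algorithms
# (Least Load First, Weighted Round Robin, Spillover) over constructed ISP links.
# Capacities, weights, loads and the 0.8 spillover threshold are assumptions.
from dataclasses import dataclass
from itertools import cycle


@dataclass
class Link:
    name: str
    capacity_kbps: int      # assumed outbound bandwidth of the ISP link
    weight: int = 1         # share of turns in Weighted Round Robin
    load_kbps: int = 0      # current measured outbound load
    up: bool = True         # link health as learned from connectivity checks

    def utilization(self) -> float:
        return self.load_kbps / self.capacity_kbps


class WanTrunk:
    def __init__(self, links, spillover_threshold=0.8):
        self.links = list(links)            # configured order matters for Spillover
        self.spillover_threshold = spillover_threshold
        # expand each link 'weight' times so a weight-3 link gets 3 of every 5 turns
        self._rr = cycle([l for l in self.links for _ in range(l.weight)])

    def healthy(self):
        links = [l for l in self.links if l.up]
        if not links:
            raise RuntimeError("no healthy WAN link: trunk is down")
        return links

    def least_load_first(self) -> Link:
        # new sessions go to the healthy link with the lowest utilization ratio
        return min(self.healthy(), key=lambda l: l.utilization())

    def weighted_round_robin(self) -> Link:
        # rotate through the weighted order, skipping failed links so that a
        # failed ISP drops out of the rotation automatically
        for _ in range(sum(l.weight for l in self.links)):
            link = next(self._rr)
            if link.up:
                return link
        raise RuntimeError("no healthy WAN link: trunk is down")

    def spillover(self) -> Link:
        # fill links in configured order; only when the current link passes the
        # threshold (or is down) does new traffic spill over to the next one
        for link in self.links:
            if link.up and link.utilization() < self.spillover_threshold:
                return link
        return self.least_load_first()      # everything saturated: best effort


def build_demo_trunk() -> WanTrunk:
    """Constructed trunk of three ISP links for demonstration."""
    return WanTrunk([
        Link("ISP1", capacity_kbps=10_000, weight=3, load_kbps=9_000),
        Link("ISP2", capacity_kbps=5_000, weight=1, load_kbps=1_000),
        Link("ISP3", capacity_kbps=2_000, weight=1, load_kbps=0),
    ])


if __name__ == "__main__":
    trunk = build_demo_trunk()
    print("least load first ->", trunk.least_load_first().name)   # ISP3
    print("spillover        ->", trunk.spillover().name)          # ISP2
    print("weighted RR      ->", [trunk.weighted_round_robin().name for _ in range(5)])
```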

2. Virtual Private Network

ZyWALL 1050 allows organizations to establish Virtual Private Network (VPN) connections among remote branch offices, business partner sites and remote teleworkers.

The VPNs use data encryption technologies to establish secure communication channels and protect confidential data transmitted over the Internet. Therefore, these VPN tunnels are immune to session hijacking and data theft. Furthermore, the security functions on ZyWALL 1050 are seamlessly integrated, so traffic coming in through a VPN tunnel is securely inspected before entering the trusted networks.

The Hub and Spoke VPN feature can dramatically reduce the management overhead and complexity of multi-site or complex networking infrastructures across the Internet.

VPN Specifications:

• ASIC accelerated VPN
• IKE: Pre-shared Key, Certificates, Manual Keys
• Extensive user authentication: RADIUS, LDAP/Microsoft AD, Local Database, X-Auth support for ZyXEL’s SoftRemote VPN Client/ZyWALL P1 hardware-based VPN client
• VPN inspection — Firewalling, IDP, Content Filtering
• Hub-and-spoke configuration
• Traffic shaping prioritizes traffic across VPNs

[Figure: deploying IPSec VPN to extend the Intranet, construct an Extranet and provide secure remote access to teleworkers. A ZyWALL 1050 at the central site (protected servers, DMZ servers, access points, wireless clients and a public kiosk) connects over IPSec VPN tunnels across the Internet to a ZyWALL 5 UTM at a partner site, a ZyWALL 70 at a branch office, a ZyWALL 2 at a remote office and a teleworker at home.]

3. Application Patrol

In modern networking environments, two major headaches arise when IT administrators need to effectively control running services and applications:

1) Applications running on non-standard ports

There is a trend for applications to run on non-standard ports; e.g. an HTTP proxy server listens on port 8080 instead of the standard HTTP port 80. Conversely, there may also be malicious applications running on standard ports; e.g. a hazardous backdoor virus may run on HTTP port 80. These scenarios can cause security breaches within corporate networks and need to be well monitored and controlled regardless of the company size.

2) Services/Protocols running on non-fixed/dynamic ports

To this day, the Microsoft MSN instant messaging service still runs on port 80, which makes it a security headache for administrators to control effectively.

To iron out the two aforementioned problems, we need a different approach to identify the new and probably suspicious breeds of applications, control their use, and therefore prevent security breaches from happening.

Application Patrol is designed to provide a convenient way to manage those undesirable applications — Instant Messaging (IM) and Peer-to-Peer (P2P) — on the network. Instead of looking at exotic port numbers, Application Patrol deploys an advanced “application classifier” which accurately identifies the application/service type by parsing the application payload at OSI layer 7, regardless of the ports they run on.

Furthermore, Application Patrol integrates more capabilities such as user-awareness, rate limiting and scheduling to provide granular access control over the use of those suspicious applications on the network.

[Screenshot: Application Patrol configuration screen]

The obvious benefits here are:

• Effective — port-less application management
• Comprehensive — covering common IM/P2P applications and essential services in today’s corporate networks
• Easy-to-use — managing complex/dynamic applications with fewer clicks
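An added example (not ZyXEL’s classifier) of the two ideas in this section: a port-based lookup misses HTTP on port 8080 and misreads a P2P handshake on port 80, whereas a payload-based check identifies the application from its first bytes, after which a user-aware rule with a schedule and a rate limit is applied. The signatures, sample payloads, user groups and policy values are constructed and simplified; the per-group values mirror the manager/employee scenario in section 2-1 of the Application Library.

```python
# Added example, not ZyXEL's classifier: port-based vs payload-based application
# identification, followed by a user-aware, scheduled, rate-limited policy.
# Signatures, sample payloads, groups and policy values are constructed.
import re
from dataclasses import dataclass
from typing import Optional

# Port-based view: the destination port is taken as the application
PORT_TABLE = {80: "http", 6881: "bittorrent"}

# Payload-based view: recognize the application from the first client bytes,
# whatever port the flow uses (minimal demo signatures, not a real engine)
HTTP_REQUEST = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT) \S+ HTTP/1\.[01]\r\n")
BT_HANDSHAKE = b"\x13BitTorrent protocol"   # fixed 20-byte prefix of a BitTorrent peer handshake


def classify_by_port(dst_port: int) -> str:
    return PORT_TABLE.get(dst_port, "unknown")


def classify_by_payload(payload: bytes) -> str:
    if HTTP_REQUEST.match(payload):
        return "http"
    if payload.startswith(BT_HANDSHAKE):
        return "bittorrent"
    return "unknown"


@dataclass
class Rule:
    action: str                     # "allow" or "block"
    hours: range                    # hours of the day during which the rule applies
    max_kbps: Optional[int] = None  # rate limit while allowed (None = unlimited)


# Per-group policy keyed by application (constructed values)
POLICY = {
    "manager":  {"bittorrent": Rule("allow", range(0, 24), 200)},   # P2P OK, any time
    "employee": {"bittorrent": Rule("allow", range(18, 22), 100)},  # P2P only 18:00-22:00
}
# Anything unrecognized, e.g. a non-HTTP backdoor on port 80, is blocked for everyone
DEFAULT = {"http": Rule("allow", range(0, 24)), "unknown": Rule("block", range(0, 24))}


def decide(group: str, dst_port: int, payload: bytes, hour: int):
    """Return (application, action, max_kbps, note) for one new flow.
    The note records a port/payload mismatch, which is worth logging on its own."""
    app = classify_by_payload(payload)
    by_port = classify_by_port(dst_port)
    note = f"port {dst_port} suggests {by_port}, payload is {app}" if app != by_port else ""
    rule = POLICY.get(group, {}).get(app) or DEFAULT.get(app)
    if rule is None or hour not in rule.hours:
        return app, "block", None, note
    return app, rule.action, rule.max_kbps, note


if __name__ == "__main__":
    # constructed sample flows: (group, dst_port, first client bytes, hour of day)
    http_req = b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"
    bt_hs = BT_HANDSHAKE + b"\x00" * 8 + b"\x11" * 20 + b"-DEMO-" + b"\x00" * 14
    for flow in [("employee", 8080, http_req, 10),
                 ("employee", 80, bt_hs, 10),
                 ("employee", 80, bt_hs, 19),
                 ("manager", 80, bt_hs, 3),
                 ("employee", 80, b"\x00\x10\x7f\xff\x00\x00", 12)]:
        print(flow[0], flow[1], flow[3], "->", decide(*flow))
```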

4. Intrusion Detection and Prevention

Equipped with a signature-based IDP engine, the ZyWALL 1050 can perform L7 deep packet inspection. It also supports statistical/protocol anomaly and behavior pattern matching technologies.

[Figure: ZyWALL 1050’s IDP packet inspection flow. The diagram shows the stages an incoming packet passes through before being forwarded: DNAT, routing, firewall/ACL, L3/L4/L7 traffic anomaly (TA) and protocol anomaly (PA) detection, signature analysis, L7 inspection, BWM and SNAT. Acronyms: PA = Protocol Anomaly, PI = Packet Inspection, TA = Traffic Anomaly.]

As a result, the ZyWALL 1050 can provide comprehensive Intrusion Detection and Prevention capability to continually cleanse the traffic of contaminants such as worms, viruses, Trojans and VoIP threats, among others.

With ZSRT (the signature development team) in place, new IDP signatures/patterns against the latest vulnerabilities and exploits are released on a weekly basis, and the latest signature packages can be automatically downloaded and deployed to the devices via our rock-solid ZSDN service platform.

Specifications of the IDP feature on ZyWALL 1050:

• Accelerated by SecuASIC, providing over 100Mbps throughput
• Automatic updates of IDP signatures
• Over 2,200 IDP signatures
• User-defined custom IDP signatures
• Zone-based IDP inspection provides maximum flexibility
• Inspection of VPN content
• Signature and protocol anomaly engines
• Detailed logging and reporting

For more information about the application/deployment of IDP on today’s corporate networks, please refer to the Application Library on the next few pages.

5. Content Filtering

The content filtering feature allows schools or mid- to large-scale organizations to create and enforce Internet access policies tailor-made for them. Security administrators can select categories, such as porn or racial sites, to block or monitor from a predefined list.

Since Internet content is constantly changing, the URL database must be constantly updated. With the content filtering subscription ZyXEL offers, the ZyWALL 1050 is eligible to query the most up-to-date URL database, so that access restrictions for new or relocated sites are properly enforced and policy compliance is assured.

Content Filtering on ZyWALL 1050 is also a user-aware feature. As such, different users can have different access privileges.

Benefits of using the Content Filtering service:

• Increased employee productivity — helps employees to focus on their job
• Legislation compliance — eliminates inappropriate Web surfing
• Optimized bandwidth usage — blocks traffic unrelated to business operations

Content Filtering Specifications:

• Industry-leading rating database
• URL database classified into 60 categories, including Anti-Spyware, Anti-Phishing, etc.
• Cost-effective per-device subscription, regardless of the number of protected users
• URL database updated constantly
• Simple setup, fully integrated into ZyWALL 1050’s user-aware policy engine

6. Hardware Failover

To prevent security gateways from becoming a single point of failure or a bottleneck, companies with Internet-centric or connectivity-centric business need a redundant hardware solution for the security gateway. ZyWALL 1050 implements Device High Availability to help customers avoid connectivity outages.

[Figure: the hardware failover mechanism. A master (active) and a backup (stand-by) ZyWALL 1050 form virtual router V1 with VRID=11, which is the default gateway for PC1 to PC4 on LAN segment A; the setup has one ISP with a dynamically assigned IP and one LAN segment.]

Benefits of Device High Availability:

• Minimized unplanned/planned downtime
• System maintenance can be performed during business hours
• Avoid losing customers/business/goodwill

Chapter 4
Application Library

1 Deploying VPN
  1-1 Extended Intranets
  1-2 Extranet Deployment
  1-3 Remote Access VPN
  1-4 Large-Scale VPN Deployment
  1-5 Access via Central Site
  1-6 Multiple Entry Points
  1-7 Device High Availability
  1-8 VoIP Over VPN

2 Security Policy Enforcement
  2-1 Managing IM/P2P Applications
  2-2 Managing WLAN
  2-3 Employee Internet Usage Management

3 Seamless Incorporation
  3-1 Zone-Based IDP Protection
  3-2 Network Partitioning Using VLAN
  3-3 Connecting Multiple ISP Links
  3-4 Guaranteed Quality of Service

Solutions for SMB and Mid- to Large-Scale Organizations

1 Deploying VPN

What is a VPN?

• A Virtual Private Network uses the Internet to connect branch offices, remote teleworkers and business partners to the internal office resources

How can your business benefit from deploying VPN?

• Security and Reliability
• Improved communications
• Increased flexibility
• Lower cost

[Figure: IPSec VPN tunnels across the Internet from a ZyWALL 1050 at the central site (protected servers, DMZ servers, access points, wireless clients, public kiosk) to a ZyWALL 5 UTM at a partner site, a ZyWALL 70 at a branch office, a ZyWALL 2 at a remote office and a teleworker at home, with an outsider on the Internet.]

1-1 Extended Intranets

Business Requirements

• Companies with geographically distributed branch offices
• Need a de facto standard technology to securely connect private office networks across the Internet
• To prevent confidential information transmitted via the Internet from eavesdropping
• Need to comply with security policies
• Solution TCO must be affordable

The Application

[Figure: a ZyWALL 1050 at the main office and a ZyWALL 70 at the branch office are joined by an IPSec VPN tunnel over the Internet, so the branch office (desktop users) is now part of the Intranet alongside the main office’s domain controller, EIP and file server. Commonly used applications inside the LAN can be extended to serve users on remote sites without hassle, and in a secure communication channel. More desktops can gain access to the network, because a VPN allows new users to be added almost instantly.]

Benefits

• Break the distance limitation of LAN
  - Connect all geographically distributed private networks
  - Bring remote servers closer, as if they were local
  - Provide a LAN-like user experience across the Internet
  - VPN provides private network connectivity and reliability to smaller branch offices, franchise sites and remote workers
• Deploying state-of-the-art encryption technology
  - Communication channels among offices are encrypted and authenticated
  - Encryption: AES/3DES/DES
  - Authentication: IKE and XAuth
  - Integrity: SHA-1/MD5
• High-Performance VPN
  - Offload intensive processes to optimized software modules or dedicated processors
    · Improves system throughput
    · Frees host CPU resources for other tasks
• Lower Costs
  - Instead of subscribing to expensive IP-VPN (MPLS), IPSec VPN can leverage existing cost-effective DSL lines while providing even better protection
• Legislation Compliance
  - Helping SMBs protect the privacy and integrity of the information entrusted to them
• Ease of Management
  - Intelligent VPN Wizard to quickly set up VPN tunnels in pairs

Product List

Model           Description                                                        P/N
For Main Offices
ZyWALL 1050     VPN Concentrator for SMB/Mid- to Large-Scale Organizations         91-009-020001B
For Branch Offices
ZyWALL 70       Budget Internet Security Appliance Recommended for SMB             91-009-002001B
ZyWALL 35       Cost-Effective Internet Security Appliance for SB                  91-009-010001B
ZyWALL 5        Best-of-Breed Technology Internet Security Appliance for SB        91-009-014001B
ZyWALL 2 Plus   Professional Entry-Level Internet Security Appliance for SB/SOHO   91-009-029001B

Note. The P/N (Part Number) in the above table is for the standard version. For other versions’ P/N, please refer to the end of Chapter 6 in this handbook.

1-2 Extranet Deployment

Business Requirements

• Enabling external parties to securely access designated network resources to streamline business processes
• Security policy and access control must be in place to protect shared network resources among operating sites
• The solution should be able to work with diverse VPN products

The Application

[Figure: IPSec VPN tunnels over the Internet from the main office to a branch office, a remote office, a customer site and a partner site. It is easy to establish VPN connectivity with customer/partner sites regardless of what their VPN gateway is. The VPN provides access to both extranets and wide-area intranets in a secure channel.]

Benefits

• Secure access from/to partner networks
  - Opens the door for improved client service, vendor support and company communications
  - Customers can order equipment over VPN
  - Suppliers can check on orders electronically
  - Employees can collaborate on project documents and customer profiles
• Interoperability
  - ZyWALL series are ICSA IPSec certified
  - It communicates with other VPN-enabled devices from ZyXEL as well as VPN gateways from other vendors, e.g. Cisco PIX/IOS VPN products, Check Point VPN Pro, Juniper NetScreen series and more...
• Integrated VPN/UTM solution
  - Includes SPI firewall and Layer-7 inspection to protect shared network resources on each operating site

Product List

Model           Description                                                        P/N
For Main Offices
ZyWALL 1050     VPN Concentrator for SMB/Mid- to Large-Scale Organizations         91-009-020001B
For Branch Offices
ZyWALL 70       Budget Internet Security Appliance Recommended for SMB             91-009-002001B
ZyWALL 35       Cost-Effective Internet Security Appliance for SB                  91-009-010001B
ZyWALL 5        Best-of-Breed Technology Internet Security Appliance for SB        91-009-014001B
ZyWALL 2 Plus   Professional Entry-Level Internet Security Appliance for SB/SOHO   91-009-029001B

Note. The P/N (Part Number) in the above table is for the standard version. For other versions’ P/N, please refer to the end of Chapter 6 in this handbook.

1-3 Remote Access VPN

Business Requirements

• Provide secure remote access to offsite and traveling employees
• Protect corporate network resources and VPN users’ systems
• Reduce telecommunication costs
• Minimize end-user support costs
• Streamline deployment and maintenance

The Application

[Figure: a teleworker reaches the private networks behind the ZyWALL 1050 at the main office and the ZyWALL 70 at the branch office through IPSec VPN tunnels over the Internet, gaining application access to the LDAP server, internal FTP, mail, EIP and workflow systems. Remote teleworkers can access network resources within the private networks of main offices or branch offices, no matter where they are. Through the use of VPN, organizations can get rid of costly RAS dial-in and reduce the operation cost for remote access, in a secure manner.]

Product List

Model                            Description                                                          P/N
For Main Offices
ZyWALL 1050                      VPN Concentrator for SMB/Mid- to Large-Scale Organizations           91-009-020001B
For Branch Offices
ZyWALL 70                        Budget Internet Security Appliance Recommended for SMB               91-009-002001B
ZyWALL 35                        Cost-Effective Internet Security Appliance for SB                    91-009-010001B
ZyWALL 5                         Best-of-Breed Technology Internet Security Appliance for SB          91-009-014001B
ZyWALL 2 Plus                    Professional Entry-Level Internet Security Appliance for SB/SOHO     91-009-029001B
For Teleworkers
ZyWALL P1                        Palm-Sized Internet Security Appliance for Personal Network Protection   91-009-018001B
ZyWALL Remote Security Client    Software-Based VPN Client                                            91-009-016001B

Benefits

• Mobility
  - An employee on the road (a.k.a. teleworker) can simply gain full network access via an Internet connection
  - “Mobile office” enabler: working at airports, cyber cafés or any hotspot
• Secure Access
  - Communication channels from the “untrusted networks” are authenticated and encrypted
• Lowered Operation Cost
  - Replaces costly RAS dial-in remote access to company networks
  - Users can connect to the network via the Internet, eliminating expensive long-distance or collect-call dial-in costs
• Secured End Point
  - With deployment of the ZyWALL P1 VPN client, the corporate security policy can be automatically downloaded
  - Ensures security policy enforcement on remote user systems
• Reduced Management Overhead
  - ZyWALL P1 is a hardware-based VPN client solution that minimizes the maintenance overhead and reduces help desk calls

Note. The P/N (Part Number) in the above table is for the standard version. For other versions’ P/N, please refer to the end of Chapter 6 in this handbook.

1-4 Large-Scale VPN Deployment

If the number of remote sites is huge...

ZyWALL 1050 supports various VPN topology types to meet the needs of organizations of any size.

VPN topologies supported:

• Fully-Meshed topology can be deployed if the number of remote sites is small
• Star topology is recommended if the number of remote sites is huge
• Star-Mesh mixed topology (cascading topology) — it takes proximity into consideration in a globally distributed networking environment

Fully-Meshed Topology

[Figure: Hannover, Paris, Oslo, Madrid and London, each site tunnelled to every other site.]

In a fully-meshed VPN topology, a user can access resources on remote VPN sites if a VPN tunnel has already been established. In this topology, each site plays the same role: it handles incoming encrypted traffic or encrypts outgoing traffic destined for a remote site. All ZyWALL models support the fully-meshed VPN topology: ZyWALL 2 Plus/5/35/70/1050.

Star Topology

[Figure: Amsterdam as the central site, with Hannover, Oslo, Madrid, London and Paris as spoke sites.]

In a Star VPN topology, ZyWALL 1050 acts as the central site (enabling Hub & Spoke VPN) and spoke sites can be any ZyWALL model. Any user on a spoke site (Madrid in this example) can access resources on another spoke site (London) via the central site in Amsterdam. A user on a spoke site (Oslo) can access resources on the central site in Amsterdam.

Star-Mesh Mixed Topology

[Figure: Amsterdam as the EU central site with Frankfurt and London as spokes; Singapore as the Asia central site with Taipei and Tokyo as spokes; the two central sites are linked, with a backup tunnel.]

In a Star-Mesh mixed VPN topology, ZyWALL 1050 acts as a regional central site (enabling Hub & Spoke VPN) and spoke sites can be any ZyWALL model. Any user on a spoke site (Frankfurt in this case) can access resources on another spoke site (London) via the EU central site in Amsterdam. A user in a spoke site (Taipei) can access resources on the regional central site in Singapore. If a user in London needs to access resources outside the EU, e.g. the Tokyo site, the traffic is routed to the Asia central site (Singapore) and then routed again to the final destination in Tokyo.

Product List

Model           Description                                                        P/N
For Central Sites (Hub/Concentrator)
ZyWALL 1050     VPN Concentrator for SMB/Mid- to Large-Scale Organizations         91-009-020001B
For Remote Sites (Spoke Sites)
ZyWALL 70       Budget Internet Security Appliance Recommended for SMB             91-009-002001B
ZyWALL 35       Cost-Effective Internet Security Appliance for SB                  91-009-010001B
ZyWALL 5        Best-of-Breed Technology Internet Security Appliance for SB        91-009-014001B
ZyWALL 2 Plus   Professional Entry-Level Internet Security Appliance for SB/SOHO   91-009-029001B

Benefits

• Scalable VPN Topology
  - Basic — Fully-Meshed VPN topology
  - Advanced — Star VPN topology and cascading VPN topology for distributed networks
• Reliability
  - Status monitoring of VPN tunnels
  - Device High Availability and the VPN Backup Gateway feature can ensure the availability of VPN connections among operating sites
• Reduced Management/Maintenance Effort
  - Easy-to-use VPN Wizard
  - Automatically generate configuration scripts for peer gateways
  - When configuring a large number of VPN tunnels:
    · VPN Concentrator for easy, straightforward VPN tunnel management
    · Leveraging configuration scripts to create a large number of VPN rules
  - Comprehensive logging for troubleshooting

Note. The P/N (Part Number) in the above table is for the standard version. For other versions’ P/N, please refer to the end of Chapter 6 in this handbook.

1-5 Access via Central Sites

Business Requirements

• An effective approach is required to deal with the insecure Internet connection
  - Viruses, bots, spyware, exploits and attacks all come in from the Internet
  - It is already a common security practice to avoid multiple Internet connections on a corporate network
  - Traffic among private networks should be encrypted
• How about multi-site, distributed corporate networks?
  - Through network planning, centralized Internet connectivity can be achieved
  - Lack of IT staff at remote offices/branch offices
  - Security policies should be centrally managed and enforced

The Application

[Figure: a ZyWALL 70 at the branch office sends all outgoing traffic through an IPSec VPN tunnel to the ZyWALL 1050 at the main office, which hosts the LDAP server, mail, EIP and workflow systems. Centralized access: all outgoing traffic originating from a branch office is routed to the main office, both encrypted and non-encrypted. If the traffic is destined for the Internet, ZyWALL 1050 routes it to its destination on the Internet (Internet access). Intranet access may carry confidential information, so that traffic is transmitted via a secure VPN tunnel (Intranet access).]

Product List

Model           Description                                                        P/N
For Main Offices
ZyWALL 1050     VPN Concentrator for SMB/Mid- to Large-Scale Organizations         91-009-020001B
For Branch Offices
ZyWALL 70       Budget Internet Security Appliance Recommended for SMB             91-009-002001B
ZyWALL 35       Cost-Effective Internet Security Appliance for SB                  91-009-010001B
ZyWALL 5        Best-of-Breed Technology Internet Security Appliance for SB        91-009-014001B
ZyWALL 2 Plus   Professional Entry-Level Internet Security Appliance for SB/SOHO   91-009-029001B

Benefits

• Secure Communication Channels
  - Through the deployment of an extended Intranet VPN, all communications among operating sites are authenticated and encrypted to provide better connectivity and better security
• Centrally Managed Internet Access
  - Internet access, regardless of the type of service/application, is aggregated into a single gateway
  - Eliminates the difficulties of lacking IT professionals on remote sites
    · Avoids unmanaged/less-watched communication channels within the corporate Intranet
    · Avoids the impact of misconfigurations on Internet gateways

Note. The P/N (Part Number) in the above table is for the standard version. For other versions’ P/N, please refer to the end of Chapter 6 in this handbook.

1-6 Multiple Entry Points

Business Requirements

• The solution must provide an infrastructure for secure communication channels
  - Traffic must be encrypted and authenticated
• The solution must guarantee non-stop operation of mission-critical applications/resources and eliminate the impact of:
  - Failure of WAN connections
  - Failure of secure gateways
  - Failure of connectivity within ISP clouds

The Application

[Figure: a ZyWALL 2 Plus at a remote site reaches an internal server over IPSec VPN tunnels to a ZyWALL 1050 at the central site and a second ZyWALL 1050 at the redundant site, the two sites joined by a leased line. If the path (in blue) to the main office is not available, the user can still access the same network resource via the backup path (in green). Guaranteed non-stop operation: with the deployment of MEP, the availability of business-critical applications can be assured.]

Product List

Model           Description                                                        P/N
For Central Sites/Redundant Sites
ZyWALL 1050     VPN Concentrator for SMB/Mid- to Large-Scale Organizations         91-009-020001B
For Remote Site
ZyWALL 2 Plus   Professional Entry-Level Internet Security Appliance for SB/SOHO   91-009-029001B

Benefits

• Secure Communication Channels
  - Through the deployment of an extended Intranet VPN, all communications among operating sites are authenticated and encrypted to provide better connectivity and security
• Ensuring that the network path is always available
  - When the primary network path fails, users can access the same network resources/applications via the backup path
  - The redundancy mechanism covers failures of both ISP links and VPN gateways
• Easy to maintain
  - SNAT ensures packets can always be forwarded along the right path
  - Does not require complex configurations
• Affordable TCO
  - Does not require investment in excessive/expensive L7 load balancing equipment

Note. The P/N (Part Number) in the above table is for the standard version. For other versions’ P/N, please refer to the end of Chapter 6 in this handbook.

1-7 Device High Availability

Business Requirements

• Increasing dependence of critical business activities on Internet and VPN connectivity
  - E-commerce
  - Intranet VPNs and extranet VPNs
  - Remote access VPNs
• Secure gateway failure can pose a major risk
  - Loss of revenue
  - Loss of customers
  - Loss of productivity
  - Loss of goodwill

The Application

[Figure: a ZyWALL 1050 master and a ZyWALL 1050 backup at the main office terminate VPN tunnels over the Internet from a ZyWALL 2 Plus at remote site 1 and a ZyWALL 35 at remote site 2. Resilience of WAN connectivity: VPN HA supports redundant gateways so that the network path of the VPN is always available. Mitigate the impact of a single point of failure: device HA greatly reduces device downtime and guarantees non-stop operation.]

Product List

Model           Description                                                        P/N
For Main Offices
ZyWALL 1050     VPN Concentrator for SMB/Mid- to Large-Scale Organizations         91-009-020001B
For Remote Sites
ZyWALL 70       Budget Internet Security Appliance Recommended for SMB             91-009-002001B
ZyWALL 35       Cost-Effective Internet Security Appliance for SB                  91-009-010001B
ZyWALL 5        Best-of-Breed Technology Internet Security Appliance for SB        91-009-014001B
ZyWALL 2 Plus   Professional Entry-Level Internet Security Appliance for SB/SOHO   91-009-029001B

Benefits

• Eliminates the Impact of a Single Point of Failure
  - Unplanned/planned downtime can be minimized
  - Avoid losing customers/business/goodwill
• Offline Maintenance
  - During business hours, simply switch off the target node and bring up the opposite node to perform system maintenance on the target node
• Easy to Manage/Maintain
  - Automatically syncs the configuration files between the master node and the backup node

Note. The P/N (Part Number) in the above table is for the standard version. For other versions’ P/N, please refer to the end of Chapter 6 in this handbook.

1-8 VoIP Over VPN

Business Requirements

• Dealing with common VoIP security issues
  - Unauthorized VoIP calls
  - Call hijacking
  - Identity theft
  - Denial of Service

The Application

[Figure: a VoIP ATA or VoIP gateway behind the ZyWALL 1050 at the main office (with its server farm) places a VoIP call through an IPSec VPN tunnel over the Internet to a VoIP ATA or VoIP gateway behind the ZyWALL 70 at the branch office. ZyWALL can seamlessly work with VoIP traffic, switching between SIP sessions (call setup) and RTP traffic dynamically. VoIP calls can be protected by VPN to provide a cost-effective solution to VoIP security issues.]

Product List

Model           Description                                                        P/N
For Main Offices
ZyWALL 1050     VPN Concentrator for SMB/Mid- to Large-Scale Organizations         91-009-020001B
For Branch Offices
ZyWALL 70       Budget Internet Security Appliance Recommended for SMB             91-009-002001B
ZyWALL 35       Cost-Effective Internet Security Appliance for SB                  91-009-010001B
ZyWALL 5        Best-of-Breed Technology Internet Security Appliance for SB        91-009-014001B
ZyWALL 2 Plus   Professional Entry-Level Internet Security Appliance for SB/SOHO   91-009-029001B

Benefits

• Benefits of using ZyWALL to protect converged networks
  - Prevents unauthorized clients from placing calls (VoIP-aware firewall)
  - Protects the system from call hijacking (VoIP over VPN)
  - Protects the system from identity theft (VoIP over VPN)

Note. The P/N (Part Number) in the above table is for the standard version. For other versions’ P/N, please refer to the end of Chapter 6 in this handbook.

Page 51: ZyWALL Security Handbook

51

Deploying VPN

Security Policy Enforcement

Seamless Incorporation

Security Policy Enforcement

What is a security policy?

• A security policy, in the context of information security, defines the access privileges of an individual/object to information assets

• It is a mandatory process to protect information assets

How does your business benefit from deploying a security policy?

• Protecting information assets

• Increased productivity

• Mitigated impact of malicious applications or misuse

• Regulatory compliance

The need to enforce corporate access policy

• Securing valuable information assets

• Reduced misuse of shared network resources

• Improved utilization of bandwidth resources

Use ZyWALL 1050 to enforce corporate access policies and achieve the following scenario:

• Great user experience — users are not required to log into any specific gateway prior to their normal access. Instead, users simply point to their desired URL and the authentication mechanism is triggered automatically

• Access granularity — in addition to IP/service ports, the IT admin can define access policies based on additional criteria like time of access, user/group or bandwidth occupied


Application Library

2-1 Managing IM/P2P Applications

Business Requirements

• An effective mechanism to restrict IM/P2P applications on corporate networks to avoid the following threats/misuses:

  - Infected files — Trojans and viruses

  - Misconfigured file sharing

  - Unencrypted communication

  - Identity theft


• Eliminating the potential misuse of common IM/P2P applications

  - Bandwidth consumption

  - Social engineering

  - Message logging

  - Copyright infringement

• The mechanism needs to provide granular access control to avoid the rigid “all-or-nothing” approach

  - Achieve different access privileges for different groups of users

The Application

[Diagram: Employee A, Employee B and a Manager on the LAN pass through the ZyWALL (IDP Inspection, Rate-limit Bandwidth Usage, Scheduling Control) before reaching the Internet.]

For Manager: IM OK, P2P OK, Time=All, Max BW=200k

For Employee: IM Blocked, P2P Scheduling, Time=18:00~22:00, Max BW=100k

• Access granularity for controlling hazardous IM/P2P applications

  - By user/group

  - By time of access

  - By bandwidth
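One way to model the Manager/Employee policy in the diagram above, as an added example that is not ZyXEL's code and not the ZyWALL's own policy format: a small Python policy engine that decides per user group, application, time of day and bandwidth. The group names, the rule fields and the sample flows are assumptions made for illustration; only the values (IM/P2P, 18:00~22:00, 200k/100k) come from the diagram.

```python
"""Added example, not ZyWALL code: a user/group-, time- and bandwidth-aware
IM/P2P access policy modelled on the Manager/Employee diagram above.
Group names, rule fields and sample flows are constructed for illustration."""
from dataclasses import dataclass
from datetime import time
from typing import Optional


@dataclass(frozen=True)
class AppRule:
    app: str                        # application class, e.g. "IM" or "P2P"
    action: str                     # "allow" or "block"
    start: Optional[str] = None     # "HH:MM"; None means the whole day
    end: Optional[str] = None
    max_kbps: Optional[int] = None  # rate limit for allowed traffic, None = no cap


# Per-group policy transcribed from the diagram (Time=All, Max BW=200k, ...).
POLICY = {
    "manager": [
        AppRule("IM", "allow", max_kbps=200),
        AppRule("P2P", "allow", max_kbps=200),
    ],
    "employee": [
        AppRule("IM", "block"),
        AppRule("P2P", "allow", "18:00", "22:00", max_kbps=100),
    ],
}


def in_window(rule: AppRule, hhmm: str) -> bool:
    """True if the clock time falls inside the rule's schedule (wraps midnight)."""
    if rule.start is None:
        return True
    now, start, end = (time.fromisoformat(t) for t in (hhmm, rule.start, rule.end))
    if start <= end:
        return start <= now < end
    return now >= start or now < end


def decide(group: str, app: str, hhmm: str):
    """Return (action, max_kbps). Unknown groups or applications fail closed."""
    for rule in POLICY.get(group, []):
        if rule.app != app:
            continue
        if rule.action == "allow" and in_window(rule, hhmm):
            return "allow", rule.max_kbps
        return "block", None          # explicit block, or allowed only at another time
    return "block", None              # no rule for this app: default deny


def enforce(group: str, app: str, hhmm: str, observed_kbps: int) -> str:
    """Verdict for a live flow: block, allow, or allow with a rate limit applied."""
    action, cap = decide(group, app, hhmm)
    if action == "block":
        return "block"
    if cap is not None and observed_kbps > cap:
        return f"allow,rate-limit:{cap}k"
    return "allow"


if __name__ == "__main__":
    # Constructed sample flows: (user group, detected application, time, kbps)
    for flow in [("manager", "P2P", "03:15", 350),
                 ("employee", "IM", "10:00", 20),
                 ("employee", "P2P", "19:30", 250),
                 ("employee", "P2P", "09:00", 50)]:
        print(flow, "->", enforce(*flow))
```

The engine fails closed: a group without a policy, or an application without a rule, is blocked, and a schedule rule outside its window also blocks rather than falling through to a more permissive rule.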


Product List

Model | Description | P/N

For Access Granularity Against IM/P2P Applications (with “user-aware” capability)

ZyWALL 1050 | VPN Concentrator for SMB/Mid- to Large-Scale Organizations | 91-009-020001B

For Managing IM/P2P Applications (without “user-aware” capability)

ZyWALL 70 UTM | Budget UTM Security Appliance Recommended for SMB | 91-009-002009B

iCard, AV+IDP, Gold, 1-YR | AV+IDP 1-Year Service Subscription (For ZyWALL 70 UTM) | 91-995-004001G

ZyWALL 35 UTM | Cost-Effective UTM Security Appliance for SB | 91-009-010011B

iCard, AV+IDP, Gold, 1-YR | AV+IDP 1-Year Service Subscription (For ZyWALL 35 UTM) | 91-995-004001G

ZyWALL 5 UTM | Best-of-Breed Technology UTM Security Appliance for SB | 91-009-014001B

iCard, AV+IDP, Silver, 1-YR | AV+IDP 1-Year Service Subscription (For ZyWALL 5 UTM) | 91-995-004002G

Benefits

• Mitigating security breaches

  - Block IM/P2P applications

  - Prevent malicious viruses/trojans/bots/backdoors from entering the internal networks

• Increased productivity

  - Help employees focus on their jobs

  - Reduce misuse of network resources, e.g. costly WAN bandwidth

• Easy to use and maintain

  - Application patrol: requires very little knowledge about IM/P2P to manage those unwanted applications

  - Portless application management: identifies applications running on non-standard or dynamic ports

  - Supports a local user database or external directory servers such as LDAP, RADIUS or Microsoft AD

• Access granularity

  - Provides the flexibility to enforce IM/P2P access policies

  - Access privileges can be granted according to user/group, time of access or type of application

Note. The P/N (Part Number) in the above table is for the standard version. For other versions' P/Ns, please refer to the end of Chapter 6 in this handbook.


2-2 Managing WLAN

Business Requirements

• Wireless networks need managing to avoid harm under certain conditions:

  - Misuse — wardriving (AP probed by an unknown party), transferring confidential data over wireless links (risk of being eavesdropped), etc.

  - Misconfigurations — rogue AP on the Intranet (possible malicious break-in), weak WEP/WPA passphrase (password is “password”... uh?)

• Best security practices for managing a WLAN

  - Wireless APs must be isolated from the wired networks within the Intranet

  - Requires a mechanism to centrally manage access credentials/privileges of both wired and wireless users

The Application

[Diagram: wireless clients in the WLAN zone, a server on LAN1, the corporate LDAP server, the DMZ and the Internet all connect through the ZyWALL 1050, which is the enforcement point for the security policy.]

1. Security policy enforcement point — no matter where the destination is, credentials must be presented before access is granted

2. Access granted — the security policy defines where the user is allowed to access, e.g. access to DMZ/Internet or internal servers. This can greatly increase WLAN security

3. Centrally managed user accounts — all user accounts are managed on the corporate LDAP server

4. Partitioning of wireless access points — all the wireless APs are connected to the WLAN zone


Benefits

• Isolates wireless access points

  - Coupled with VLAN and custom security zones, wireless APs can be centrally managed regardless of the scale of the corporate network

• Provides “access granularity” for wireless users

  - Strict access control may be enforced on wireless users according to access credentials, bandwidth occupied or timeframe

• Transparent authentication

  - Users are not required to repeatedly log into a separate authentication server — they simply point to the intended destination in a browser

  - Minimizes the impact on normal user behavior, which makes security policies easier to enforce

Product List

Model | Description | P/N

For Main Offices

ZyWALL 1050 | VPN Concentrator for SMB/Mid- to Large-Scale Organizations | 91-009-020001B

Note. The P/N (Part Number) in the above table is for the standard version. For other versions' P/Ns, please refer to the end of Chapter 6 in this handbook.


2-3 Employee Internet Management

Business Requirements

• Protect users and their computers from visiting Web sites with undesirable or harmful material

• The definition of undesirable or harmful material should be configurable through the Web filter category policy

• Always up-to-date: the URL category database should be constantly updated to cover ever-changing URLs and Internet communities

• The Web filter protection service should allow or block requested Web sites according to the filtering policy selections

• In-depth inspection: control access to Java/ActiveX/cookies/embedded proxy links

The Application

[Diagram: Web surfing from the LAN passes through the ZyWALL Series appliance, which queries the customizable black list/white list and the dynamic URL database server, then allows the request or blocks it and redirects the browser to the warning page.]

Always up-to-date — the dynamic URL database maintained by Bluecoat, ZyXEL's best-in-class technology partner, delivers comprehensive and precise coverage

More secure — EIM can prevent access to malicious Web sites that may carry harmful content — spyware/malware/bots
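The evaluation order the diagram implies (local white list, then local black list, then a category query, then the category policy), as an added example in Python that is not ZyXEL's code and not the ZyWALL's filter implementation. The domain names, categories and the stub dictionary that stands in for the external URL database are constructed; the warning-page URL is a placeholder.

```python
"""Added example, not ZyWALL code: the order in which a Web filter request is
evaluated, modelled on the diagram above: local white list, local black list,
then a category lookup (a stub dictionary stands in for the external dynamic
URL database), then the category policy. Domains and categories are constructed."""
from urllib.parse import urlsplit

WHITE_LIST = {"intranet.example.com", "supplier.example.net"}   # always allowed
BLACK_LIST = {"badsite.example.org"}                            # always blocked
BLOCKED_CATEGORIES = {"malware", "adult", "p2p"}                # administrator's policy
WARNING_PAGE = "http://zywall.local/warning"                    # placeholder redirect target

# Stand-in for the dynamic URL database server (constructed entries).
CATEGORY_DB = {
    "news.example.com": "news",
    "warez.example.org": "p2p",
    "drive-by.example.net": "malware",
}


def hostname(url: str) -> str:
    """Extract the lower-cased host from a URL or a bare host name."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def domain_chain(host: str):
    """host, then each parent domain (TLD excluded), so a list entry for
    example.com also covers www.example.com."""
    parts = host.split(".")
    for i in range(len(parts) - 1):
        yield ".".join(parts[i:])


def lookup_category(host: str, db=CATEGORY_DB):
    """Category of the host or its closest listed parent domain; None if unrated."""
    for d in domain_chain(host):
        if d in db:
            return db[d]
    return None


def filter_request(url: str, unrated_action: str = "allow"):
    """Return (verdict, reason). Local lists win over the category database."""
    host = hostname(url)
    chain = list(domain_chain(host))
    if any(d in WHITE_LIST for d in chain):
        return "allow", "white list"
    if any(d in BLACK_LIST for d in chain):
        return "block", "black list"
    category = lookup_category(host)
    if category is None:
        return unrated_action, "uncategorized"   # policy choice for unknown sites
    if category in BLOCKED_CATEGORIES:
        return "block", "category:" + category
    return "allow", "category:" + category


def http_action(url: str):
    """What the gateway does with the request: pass it, or redirect to the warning page."""
    verdict, reason = filter_request(url)
    if verdict == "block":
        return "redirect", WARNING_PAGE, reason
    return "pass", url, reason
```

The `unrated_action` parameter is the decision that matters most in practice: a database can never rate every new domain, so whether unrated sites pass or are held is an explicit policy choice, not a default to leave implicit.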


Benefits

• Increased productivity

  - Employees can now focus on their jobs

• Reduced misuse

  - Corporate resources can be protected for better bandwidth utilization and a higher level of security

• Regulatory compliance

  - Filter pornographic/violent Web content

  - Access to pornographic/violent/racist URLs may have legal implications

• Flexible access policy

  - Enforce access policy with granularity

• Always up-to-date

  - Queries a dynamically updated URL database

  - Keeps up with the ever-changing Internet communities

Product List

Model | Description | P/N

ZyWALL 1050 | VPN Concentrator for SMB/Mid- to Large-Scale Organizations | 91-009-020001B

iCard, CF, ZyWALL 1050, 1-YR | Content Filter 1-Year Service Subscription (For ZyWALL 1050) | 91-995-006003G

ZyWALL 70 UTM | Budget UTM Security Appliance Recommended for SMB | 91-009-002009B

iCard, CF, Gold, 1-YR | Content Filter 1-Year Service Subscription (For ZyWALL 70 UTM) | 91-995-003001G

ZyWALL 35 UTM | Cost-Effective UTM Security Appliance for SB | 91-009-010011B

iCard, CF, Gold, 1-YR | Content Filter 1-Year Service Subscription (For ZyWALL 35 UTM) | 91-995-003001G

ZyWALL 5 UTM | Best-of-Breed Technology UTM Security Appliance for SB | 91-009-014001B

iCard, CF, Silver, 1-YR | Content Filter 1-Year Service Subscription (For ZyWALL 5 UTM) | 91-995-003002G

ZyWALL 2 Plus | Professional Entry-Level Internet Security Appliance for SB/SOHO | 91-009-029001B

iCard, CF, Silver, 1-YR | Content Filter 1-Year Service Subscription (For ZyWALL 2 Plus) | 91-995-003002G

Note. The P/N (Part Number) in the above table is for the standard version. For other versions' P/Ns, please refer to the end of Chapter 6 in this handbook.


3 Seamless Incorporation

Robust Platform

• The rich networking functionality enables the ZyWALL 1050 to be easily integrated into the existing network infrastructure to perform the required tasks

• For example:

  - Tagged VLAN can be used to extend the number of interfaces

  - Custom zones can be defined to create multiple logical segments/areas to fit large corporate networks

Multi-Service Gateway

• Based on the robust platform, the ZyWALL 1050 can deliver many security services: VPN, Policy-Based Routing, Access Control, Content Inspection, Application Management and QoS

In the following sections, we'll illustrate more security applications that can be easily incorporated into today's corporate network

• Zone-based IDP in a server-hosting environment

  Can apply a unique protection profile to each network segment — best for MSP environments

• Network Partitioning Using VLAN

  Increased flexibility when conducting network planning

• Managing WAN Connectivity

  Introduces the capability to connect multiple ISP links to increase bandwidth at a competitive TCO

• Guaranteed Quality of Service

  Illustrates how to prioritize bandwidth to meet mission-critical application needs


3-1 Zone-Based IDP Protection

Business Requirements

• IDP (Intrusion Detection and Prevention) must be able to detect and block malicious or unwanted traffic

• IDP must deliver high performance to minimize the impact on traffic throughput and latency

• Different inspection/checking profiles can be deployed for different access areas

• IDP must be kept up-to-date to detect/block the latest worms/exploits/threats

The Application

[Diagram: Customer-1, Customer-2 and Customer-3 servers sit on VLAN 1~3 behind the ZyWALL 1050, which faces the Internet. Each customer segment is labelled with its protection level: protected by strict profiles, protected by loose profiles, or no IDP protection.]

Zone-based IDP protection for each customer — in a server hosting environment, the security requirements of each customer may be different. Zone-based IDP protection provides the most flexible protection for each customer

Malicious attacks can be stopped at the gateway — customer servers are securely protected and a notification alert will be sent to the involved parties/individuals


Benefits

• Comprehensive protection

  - Works in both in-line mode and bridge mode — provides real-time intrusion detection and prevention while maintaining flexibility for alert/monitoring only

  - Signature-based Layer 3-7 deep packet inspection

  - Protocol anomaly detection to identify abnormal behavior of major protocols

  - Traffic anomaly detection for scan detection and flood detection

• High-performance IDP

  - Delivers high throughput for IDP inspection

  - Offloads intensive processing to the SecuASIC content inspection accelerator to

    - Improve system throughput

    - Free host CPU resources for other tasks

  - Minimizes the performance impact of turning on IDP inspection

• Zone-based detection mechanism

  - Maintains multiple sets of IDP profiles

  - Different IDP profiles can be enforced on different security zones

• Automatic update

  - With ZSRT (ZyXEL Security Response Team), new signature packages are released on a weekly basis

  - Keeps the IDP up-to-date to provide protection against the latest threats/worms/exploits

Product List

Model | Description | P/N

ZyWALL 1050 | VPN Concentrator for SMB/Mid- to Large-Scale Organizations | 91-009-020001B

iCard, IDP, ZyWALL 1050, 1-YR | IDP 1-Year Service Subscription (For ZyWALL 1050) | 91-995-004003G

Note. The P/N (Part Number) in the above table is for the standard version. For other versions' P/Ns, please refer to the end of Chapter 6 in this handbook.


3-2 Network Partitioning Using VLAN

Business Requirements

• A scalable mechanism to fit the corporate network size, regardless of the complexity of the network architecture

• Information assets with similar security levels should be aggregated into the same access area

• Access policy should be enforced among different access areas

• The security solution should provide wire-speed connectivity between areas

The Application

[Diagram: the ZyWALL 1050 connects the WAN zones to the internal zones through a VLAN-capable L2 switch, which is required to create the VLAN tags. Legend: VLAN1 ~ 2 are the WAN zones, VLAN3 ~ 6 the DMZ/WLAN zones, VLAN7 ~ 11 the internal zones.]

Name of zone | Zone description | VLAN ID included in the zone

WAN1 | All PPPoE links are included in WAN1 | VLAN1

WAN2 | All fixed WAN links are included in WAN2 | VLAN2

DMZ | Internet-facing public servers | VLAN3

WLAN | All the wireless access points are connected into this zone. Strict access policies should be applied to ensure internal security | VLAN4 ~ VLAN6

SECRET | Important servers, including the Domain Controller, directory server and database servers, are placed in this zone. A strict access policy may apply to prevent misuse | VLAN7

LAN | Corporate Intranet | VLAN8 ~ VLAN10

FINANCE | Highly confidential financial servers are placed in this zone. Access privileges are only granted to authorized users | VLAN11

Ensures the highest level of security — granular access control can be enforced between zones

Customizable security zones deliver the highest flexibility — a zone can contain multiple VLAN interfaces


Benefits

• Flexibility to manage access across VLANs by using security zones

• Extend the number of interfaces by simply using 802.1Q tagged VLAN

• High throughput performance — highest combined throughput in its class, for both firewall and VPN applications

• Better security — strict/flexible ACLs can be enforced across security zones
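The zone model behind both 3-1 and 3-2, as an added Python example that is not ZyXEL's code and not the ZLD configuration format: VLAN IDs are mapped to zones as drawn in the 3-2 diagram, a zone-to-zone ACL is evaluated on that mapping, and the per-zone IDP profile selection of 3-1 is expressed the same way. The zone/VLAN table follows the 3-2 diagram; the ACL rules, the profile names, the hosting-customer zone table and the sample packets are assumptions made for illustration.

```python
"""Added example, not ZyWALL code: VLAN IDs mapped to security zones as in
the 3-2 diagram, a zone-to-zone ACL evaluated on that mapping, and the
per-zone IDP profile selection of 3-1. The zone/VLAN table follows the
diagram; the ACL rules, profile names and sample packets are constructed."""
from dataclasses import dataclass

# Zone -> VLAN IDs, from the 3-2 diagram.
ZONES = {
    "WAN1": [1], "WAN2": [2], "DMZ": [3], "WLAN": [4, 5, 6],
    "SECRET": [7], "LAN": [8, 9, 10], "FINANCE": [11],
}


def vlan_map(zones):
    """Invert zone -> [vlan] into vlan -> zone."""
    return {vid: zone for zone, vids in zones.items() for vid in vids}


VLAN_TO_ZONE = vlan_map(ZONES)


@dataclass(frozen=True)
class Rule:
    src_zone: str   # "*" matches any zone
    dst_zone: str
    service: str    # "*" or a service name
    action: str     # "allow" or "deny"


# Constructed zone-to-zone policy; first match wins, the last rule is the default deny.
ACL = [
    Rule("LAN", "DMZ", "*", "allow"),
    Rule("LAN", "WAN1", "*", "allow"),
    Rule("LAN", "WAN2", "*", "allow"),
    Rule("LAN", "SECRET", "ldap", "allow"),   # directory lookups only
    Rule("WLAN", "DMZ", "http", "allow"),
    Rule("WLAN", "WAN1", "*", "allow"),
    Rule("*", "SECRET", "*", "deny"),
    Rule("*", "FINANCE", "*", "deny"),
    Rule("*", "*", "*", "deny"),
]


def evaluate(src_vlan, dst_vlan, service, acl=ACL, vmap=VLAN_TO_ZONE):
    """Zone-based ACL decision for a flow between two VLAN-tagged interfaces."""
    src, dst = vmap.get(src_vlan), vmap.get(dst_vlan)
    if src is None or dst is None:
        return "deny"                       # unconfigured VLAN tag: fail closed
    if src == dst:
        return "allow"                      # intra-zone traffic is not policed in this model
    for r in acl:
        if (r.src_zone in ("*", src) and r.dst_zone in ("*", dst)
                and r.service in ("*", service)):
            return r.action
    return "deny"


# Zone -> IDP profile for the server-hosting case in 3-1 (constructed); None = no inspection.
HOSTING_ZONES = {"Customer-1": [1], "Customer-2": [2], "Customer-3": [3]}
HOSTING_PROFILES = {"Customer-1": "strict", "Customer-2": "loose", "Customer-3": None}


def idp_profile(dst_vlan, profiles=HOSTING_PROFILES, vmap=vlan_map(HOSTING_ZONES)):
    """Which IDP profile inspects traffic bound for this VLAN (None = skip IDP)."""
    return profiles.get(vmap.get(dst_vlan))
```

Because rules are written against zones rather than interfaces, adding VLAN 12 to the LAN zone changes one table entry and every LAN rule applies to it; a VLAN tag that is not in any zone is denied rather than silently treated as trusted.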

Product List

Model | Description | P/N

ZyWALL 1050 | VPN Concentrator for SMB/Mid- to Large-Scale Organizations | 91-009-020001B

Note. The P/N (Part Number) in the above table is for the standard version. For other versions' P/Ns, please refer to the end of Chapter 6 in this handbook.


Managing WAN Connectivity

• Internet connectivity is always the primary concern for the following reasons:

  - Internet-centric business operations

  - The prevalence of distributed client-server applications

  - The use of VPNs relies on underlying Internet connectivity

  - Internal information exchange across the Internet

• In the following sections, we give two useful WAN connectivity applications on today's corporate networks

  - Connecting multiple ISP links

  - Quality of Service for WAN connections

3-3 Connecting Multiple ISP Links

Business Requirements

• Support diverse types of WAN connections, including xDSL, FTTx, T1, E1 and T3

• Handle the growing demand for bandwidth on the WAN side

• Make the most of the ISP links to achieve optimized bandwidth utilization

• Provide a mechanism to improve the availability of WAN connections, even with subscriptions to unreliable xDSL links

• Here we give 3 examples to illustrate how the ZyWALL 1050 can fulfil the need to connect multiple ISP links

  - Multiple PPPoE ISP links

  - Multiple fixed WAN links

  - Mixed types of WAN links

The Application

1 Multiple PPPoE Links

[Diagram: three xDSL modems (PPPoE1, PPPoE2, PPPoE3) connect through an L2 switch to the WAN Trunk of the ZyWALL 1050; LAN and DMZ sit behind it, the Internet in front.]

Easy to manage — simply use the “WAN Trunk” to manage multiple PPPoE links

On the ZyWALL 1050, multiple PPPoE links can be based on a single physical port


2 Multiple Fixed WAN Links

[Diagram: E1, E2 and E3 routers from ISP1, ISP2 and ISP3 connect to WAN1, WAN2 and WAN3 of the ZyWALL 1050's WAN Trunk; LAN and DMZ sit behind it.]

Easy to manage — simply use the “WAN Trunk” to manage the multiple links

Flexible port role — interfaces can be freely mapped to physical ports

Customizable security zone — security zones can be created to fit actual needs

3 Mixed Types of WAN Link

[Diagram: an E3 router and xDSL modems (PPPoE1, PPPoE2, PPPoE3) from ISP1, ISP2 and ISP3 connect through a switch to the ZyWALL 1050's WAN Trunk; LAN and DMZ sit behind it.]

Easy to manage — simply use the “WAN Trunk” to manage multiple PPPoE links

Mixed WAN links can be created on a single physical port on the ZyWALL 1050


Benefits

• Multi-connectivity

  - Encapsulations supported: Ethernet and PPP (PPPoE)

  - Supports different types of ISP links of your choice — ADSL/VDSL/FTTB/FTTH/T1/E1/T3/E3

• Highly scalable

  - With the use of 802.1Q tagged VLAN, it is possible to connect up to 48 ISP links

  - High performance for multiple services

    - Routing/firewalling/VPN/Intrusion Detection and Prevention

• Failover and load balancing

  - Automatic failover and fail-back when link failure is detected

  - Outbound load balancing — based on three algorithms of your choice

    - Least Load First

    - Weighted Round-Robin

    - Spill-Over

• Easy to use

  - Simply add interfaces to the WAN Trunk to simplify the management effort

• Better TCO

  - By connecting multiple DSL ISP links to the ZyWALL 1050, companies can have adequate bandwidth on the WAN side and the same level of reliability as expensive leased lines
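The three load-balancing algorithms named above, together with failover and fail-back, as an added Python example; this is not ZyXEL's code and does not claim to reproduce how ZLD selects a trunk member. The link names, capacities, weights and load figures are constructed, and the exact tie-breaking and "load" metric are assumptions of this model.

```python
"""Added example, not ZyWALL code: outbound link selection for a WAN trunk
with the three algorithms named above (Least Load First, Weighted Round-Robin,
Spill-Over), skipping links marked down so that failover and fail-back fall out
of the same selection. Link names, capacities, weights and loads are constructed."""
from dataclasses import dataclass
import itertools


@dataclass
class Link:
    name: str
    capacity_kbps: int
    weight: int = 1          # used by weighted round-robin
    load_kbps: int = 0       # current committed outbound load
    up: bool = True          # set False when the link health check fails


class WanTrunk:
    def __init__(self, links, algorithm="least_load"):
        self.links = list(links)
        self.algorithm = algorithm
        # weighted round-robin order: each link repeated `weight` times per cycle
        self._rr = itertools.cycle([l for l in self.links for _ in range(l.weight)])

    def set_link(self, name, up):
        """Health-check result: mark a member link down (failover) or up (fail-back)."""
        for l in self.links:
            if l.name == name:
                l.up = up

    def select(self, flow_kbps=0):
        """Choose the member link for a new outbound flow; None if every link is down."""
        active = [l for l in self.links if l.up]
        if not active:
            return None
        if self.algorithm == "least_load":
            # lowest utilisation ratio first, so a larger link attracts more flows
            chosen = min(active, key=lambda l: l.load_kbps / l.capacity_kbps)
        elif self.algorithm == "wrr":
            chosen = next(l for l in self._rr if l.up)
        elif self.algorithm == "spill_over":
            # fill links in configured order; move on only when the flow would not fit
            chosen = next((l for l in active
                           if l.load_kbps + flow_kbps <= l.capacity_kbps), active[-1])
        else:
            raise ValueError(f"unknown algorithm {self.algorithm}")
        chosen.load_kbps += flow_kbps
        return chosen.name


def demo_least_load():
    t = WanTrunk([Link("wan1", 8000, load_kbps=4000), Link("wan2", 2000, load_kbps=500)])
    return t.select(100)       # wan1 is 50% used, wan2 25%: least load picks wan2


def demo_wrr():
    t = WanTrunk([Link("wan1", 8000, weight=3), Link("wan2", 2000)], "wrr")
    return [t.select() for _ in range(5)]


def demo_spill_over():
    t = WanTrunk([Link("wan1", 2000, load_kbps=1500), Link("wan2", 2000)], "spill_over")
    return [t.select(1000), t.select(400)]   # 1000k does not fit wan1, 400k does


def demo_failover():
    t = WanTrunk([Link("wan1", 8000), Link("wan2", 2000)])
    t.set_link("wan1", False)
    first = t.select(100)        # only wan2 is up
    t.set_link("wan1", True)
    second = t.select(100)       # wan1 is back and idle, so it wins on load
    return [first, second]
```

Note the difference in behaviour the demos expose: least-load and weighted round-robin spread flows across all members, while spill-over keeps the primary link full and only touches the next one on overflow, which is the right choice when the secondary link is metered or slower.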

Product List

Model | Description | P/N

For Main Offices

ZyWALL 1050 | VPN Concentrator for SMB/Mid- to Large-Scale Organizations | 91-009-020001B

Note. The P/N (Part Number) in the above table is for the standard version. For other versions' P/Ns, please refer to the end of Chapter 6 in this handbook.


3-4 Guaranteed Quality of Service

Business Requirements

• Prioritize the shared resource – the network

  - Priority traffic is seriously, negatively affected by nonessential traffic

  - For example: sales order processing should always have higher priority than downloading images

• Serve the different resource needs of different applications

  - Data transfers: no interruption

  - Video/voice streaming: low latency

  - Interactive video/voice: low latency

  - Mission-critical: guaranteed bandwidth

  - Web-based: typically lower priority

The Application

[Diagram: outgoing traffic from the Intranet is classified by the ZyWALL 1050 before leaving through the WAN Trunk to the Internet, with per-service bandwidth: MAIL 400Kbps, WWW 800Kbps, FTP 100Kbps, RTP 300Kbps.]

IT administrators can define bandwidth management policies to ensure the quality of running services

Bandwidth management policies based on type of service, origin of the traffic and user/group ensure optimized bandwidth utilization
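A bandwidth-management allocator that shows how guaranteed rates and priorities interact, as an added Python example; it is not ZyXEL's code and is not the ZyWALL's scheduler. The guaranteed rates are the ones in the diagram above; the priority ordering of the four classes, the demand figures and the scaling rule under congestion are assumptions of this model.

```python
"""Added example, not ZyWALL code: a bandwidth-management allocator that gives
each service class its guaranteed rate first and then hands leftover link
capacity out in priority order. The guaranteed rates are the ones in the
diagram above; priorities and the demand figures are constructed."""

# Service class -> guaranteed kbps (from the diagram) and priority (1 = highest, constructed).
CLASSES = {
    "RTP":  {"guaranteed": 300, "priority": 1},   # interactive voice/video: served first
    "MAIL": {"guaranteed": 400, "priority": 2},
    "WWW":  {"guaranteed": 800, "priority": 3},
    "FTP":  {"guaranteed": 100, "priority": 4},   # bulk transfer: last to borrow
}


def allocate(link_kbps, demand, classes=CLASSES):
    """Return kbps per class for one scheduling interval.

    1. Each class gets min(demand, guarantee). If the link cannot cover all
       guarantees, they are scaled down proportionally.
    2. Capacity left over (the link is bigger than the guarantees, or a class
       is idle) goes to classes with unmet demand, highest priority first.
    """
    total_guaranteed = sum(c["guaranteed"] for c in classes.values())
    scale = min(1.0, link_kbps / total_guaranteed)
    alloc = {name: min(demand.get(name, 0), int(c["guaranteed"] * scale))
             for name, c in classes.items()}
    remaining = link_kbps - sum(alloc.values())
    for name, c in sorted(classes.items(), key=lambda kv: kv[1]["priority"]):
        unmet = demand.get(name, 0) - alloc[name]
        grant = max(0, min(unmet, remaining))
        alloc[name] += grant
        remaining -= grant
    return alloc


def demo_normal():
    # 2000 kbps link, everybody busy: FTP stays at its guarantee, WWW borrows the rest
    return allocate(2000, {"RTP": 300, "MAIL": 600, "WWW": 1500, "FTP": 800})


def demo_congested():
    # 800 kbps link cannot cover 1600 kbps of guarantees: each class is scaled to half
    return allocate(800, {"RTP": 500, "MAIL": 500, "WWW": 1500, "FTP": 800})


def demo_idle_class():
    # RTP idle: its 300 kbps guarantee is not reserved, so the others borrow it
    return allocate(2000, {"RTP": 0, "MAIL": 500, "WWW": 1500, "FTP": 800})
```

The three demos cover the cases a policy should be checked against before deployment: normal load, a link too small for the sum of its guarantees, and an idle high-priority class whose reservation should not be wasted.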


Benefits

• Optimized bandwidth utilization

  - Prioritization of mission-critical applications

  - Matches network response to application requirements

  - Real-time session monitoring

• Integrated security and QoS

  - Integration with the VPN infrastructure

    - Awareness of packet sizes before and after encryption/decryption

  - Correctly classifies encrypted or NAT traffic

  - Knowledge of DMZ traffic

• Reduced costs

  - Eliminates the expense and complexity of multiple boxes

    - No additional hardware

  - Shared management architecture

    - Integrated GUI and management architecture reduce management overhead and flatten the learning curve

Product List

Model | Description | P/N

For Main Offices

ZyWALL 1050 | VPN Concentrator for SMB/Mid- to Large-Scale Organizations | 91-009-020001B

Note. The P/N (Part Number) in the above table is for the standard version. For other versions' P/Ns, please refer to the end of Chapter 6 in this handbook.


FAQ

Chapter 5


A. General

1. What is ZyWALL 1050?

ZyWALL 1050 is an integrated security appliance, equipped with complete security features tailored for Small and Medium Businesses (SMB) and mid- to large-sized organizations.

2. When will ZyWALL 1050 be available?

ZyWALL 1050 is available from July 13th 2006; please contact ZyXEL distributors for details.

3. What's new in ZyWALL 1050 in comparison to the existing ZyWALL family?

1). Improved security

New OS platform (ZLD) to provide advanced features like: user-awareness, access granularity, definable port/interface and device redundancy

2). Increased performance

New hardware architecture boosts firewall/VPN/UTM performance to exceed 100Mbps for any service

3). Better scalability

Larger capacity, VLAN, multiple WAN, customizable zones, etc.

4). Lowered administration effort

Object-based/Cisco-like CLI/text-based config file and more context-sensitive Web-based help

4. What are the new key features of ZyWALL 1050?

1). High Performance: 300Mbps firewall, 100Mbps VPN and 100Mbps IDP

2). High Capacity: 128K NAT sessions, 1000 VPN tunnels and 1024 concurrent access users

3). Definable Zone: port, interface and zone are definable

4). User-aware Security: Firewall, IPSec VPN, Bandwidth Management, Content Filtering, Multiple-WAN Load Balancing, Intrusion Detection and Prevention (IDP), Application Patrol, Anti-Virus* and Anti-SPAM*

5). High Availability: Redundant IPSec tunnel, Device High Availability

* Future release

5. Does ZyWALL 1050 support UTM functionalities?

Yes. In the 1.00 release, ZyWALL 1050 supports:

1). IDP (with purchase of IDP license)

2). Content Filtering (with purchase of CF license)

3). SPI firewall

4). IPSec VPN

5). Bandwidth Management

6). Multiple WAN Load Balancing

Please note that Anti-Virus and Anti-Spam features will be supported with a firmware upgrade in the near future


6. Does ZyWALL 1050 support Anti-Virus?

In ZLD 1.00: No

In ZLD 1.10: Yes. ZLD 1.10 will be released in Q1 of 2007

7. Does ZyWALL 1050 support the Anti-Spam feature?

In ZLD 1.00: No

In ZLD 2.00: Yes. ZLD 2.00 will be released in Q3/07

8. Does ZyWALL 1050 support SSL VPN?

In ZLD 1.00: No

In ZLD 1.10: Yes. ZLD 1.10 will be released in Q1 of 2007

9. Does ZyWALL 1050 deploy HW-acceleration technology?

Yes. ZyWALL 1050 deploys HW-acceleration technology for:

1). VPN performance: HW encryption to accelerate IPSec traffic and SSL VPN (future release) as well.

2). UTM performance: SecuASIC CIP-2001 boosts IDP performance as well as AV performance (future release).

10. Is ZyWALL 1050 based on ZyNOS?

No.

The ZyWALL 1050 is based on ZLD, which leverages the Linux kernel to achieve better flexibility and scalability.

ZLD is well hardened so that it is more secure than typical Linux operating systems on the market.

11. Why choose ZLD instead of ZyNOS?

1). ZLD is more suitable for highly scalable products

2). ZLD is more flexible than ZyNOS as new features are introduced

12. Is there any hardware change needed for future firmware upgrades?

No, the ZyWALL 1050 hardware design reserves enough flexibility/capacity for future firmware support.

13. Does ZyWALL 1050 need a ZyWALL Turbo Card to activate IDP or future AV?

No, ZyWALL 1050 has SecuASIC built in, which runs IDP and AV (future release) without a ZyWALL Turbo Card.

14. Is an HDD built into ZyWALL 1050?

An HDD will be supported by a future firmware release (ZLD 2.00) with purchase of the HDD package.

ZyWALL 1050 can perform security log archiving (local logging) with the HDD.

15. What can I do with the USB ports?

The onboard USB ports are reserved for future use.

16. What can I do with the PCMCIA slot?

The PCMCIA slot is reserved for future use.


17. What can I do with the Mini-PCI slot?

The Mini-PCI slot is reserved for future use.

18. Does ZyWALL 1050 support Vantage Report?

Yes. ZyWALL 1050 supports VRPT 3.0, which will be available in Q4 of 2006.

19. Does ZyWALL 1050 support Vantage CNM?

Yes. ZyWALL 1050 supports CNM 3.0, which will be available in Q2 of 2007.

B. Competition

1. What are the key differentiations of ZyWALL 1050?

1). High Volume VPN Concentrator (ZyWALL 1050 provides 1,000 IPSec VPN

tunnels)

2). High Performance with Triple Core Design (100+ Mbps for any service)

3). High Availability Features Guarantee Non-Stop Operation

3-1) Multiple WAN redundant, load-balanced links up to 48 ISPs

3-2) Device High Availability (or Hardware Failover)

4). User-Aware Policy Engine Enables Access Granularity (User-Aware +

Application Patrol)

5). 2-year hardware warranty

6). No extra cost to upgrade firmware

7). No extra cost for unlimited nodes

8). Hybrid VPN Upgradeable* (Future firmware upgrades offer both SSL VPN and

IPSec VPN without hardware replacement)

2. What products are competitors of ZyWALL 1050?

1). SonicWALL PRO 2040 or PRO 3060

2). Fortinet FortiGate 200A

3). WatchGuard X700 or X1000

4). Juniper NS204

5). 3Com X505


3. What are the key competitive features from all comparable models?

Columns, in order: Unlimited Users | VPN Tunnels | Performance (Mbps): VPN / Firewall / IDP | Concurrent Sessions | Up to 48 WAN HA/LB | Device HA | Application Patrol | Warranty | Free Firmware Upgrade | MSRP (US$)

Fortinet FG200A: 200 | 70 | 150 | N/A | 400K | x (2) | x | x | 1 year | 90 days | $3,495

Juniper NS204: 1000 | 175 | 375 | 180 | 128K | x (2) | x | 1 year | x | $9,995

Sonicwall Pro2040: 50 | 50 | 200 | 40 | 32K | x (2) | ✓ (optional) | x | 1 year | x | $2,595

Sonicwall Pro3060: 500/1000 | 75 | 300 | N/A | 128K | x (2) | ✓ (optional) | x | 1 year | x | $3,490

WatchGuard X700: 100 | 40 | 150 | N/A | 50K | x (4, optional) | ✓ (optional) | x | 1 year | 90 days | $2,840

WatchGuard X1000: 500 | 75 | 225 | N/A | 200K | x (4, optional) | ✓ (optional) | x | 1 year | 90 days | $3,790

3Com X505: 1000 (Phase 2) | 50 | 100 | 50 | 128K | x | x | 1 year | x | $3,750

ZyWALL 1050: 1000 | 150 | 300 | 150 | 128K | 2 year | $3,490

Cells not listed in a row (in particular the check marks in the Unlimited Users, WAN HA/LB, Device HA, Application Patrol and Free Firmware Upgrade columns) are not legible in the source.

4. What are the overall advantages of ZyWALL 1050?

1). Higher VPN, firewall and IDP performance

2). Multiple (up to 48) WAN HA/LB and Device HA help organizations easily set up a highly reliable and secure network for their business.

3). ZyXEL provides free firmware upgrades for constant feature renewal

4). ZyWALL provides a 2-year hardware warranty to lower TCO and protect the investment.


C. SKU

1. What is iCard?

The iCard contains the license number required for AV/IDP/AS/CF service registration and activation on your ZyWALL devices, including ZyWALL 1050.

2. What are the ZyWALL 1050 features that require an additional service license purchase?

As of ZyWALL 1050, you need to buy an additional service license to use and activate the following security features:

1). IDP

2). Content Filtering

3. What service licenses can I get for my ZyWALL 1050?

iCard/SKU mapping for the ZyWALL 1050

For ZyWALL 1050, we provide 3 types of iCards:

1). iCard for ZyWALL 1050, IDP, 1 year

2). iCard for ZyWALL 1050, IDP, 2 years

3). iCard for ZyWALL 1050, Content Filter, 1 year

4. Does ZyXEL offer a free trial for paid services on ZyWALL 1050?

Trial period for each security service:

1). For IDP: 1-month free trial

2). For Content Filter: 1-month free trial

Please note that customers can simply activate the free trial service within the Web configurator (Internet connectivity is required while activating the trial services)

5. For future AV, AS and SSL on ZyWALL 1050, do I need different iCards?

Yes. Along with AV, AS and SSL in the future, we will create different iCards for each service.

6. Is there any bundle program for iCard and ZyWALL 1050?

ZyXEL will create different bundle programs to pack ZyWALL 1050 and iCard by market demand.

7. Does ZyXEL provide a bundle for the device HA application?

No. There is no device HA bundle as of writing.

8. Do I have to pay for firmware upgrades?

No. The firmware upgrades are offered free of charge.


D. Hands-on

1. Can ZyWALL 1050 store multiple configuration files onboard?

Yes. The ZyWALL 1050 supports multiple sets of configuration files onboard. In addition, security administrators can manipulate those configuration files: copy, rename, delete, apply and download them onto the desktop PC.

The text-based configuration files are editable and viewable with text editors of your choice.

2. Do I have to reboot the device after applying another configuration file?

No. You don't have to reboot the system after applying a different configuration file. The ZyWALL 1050 can apply changes on-the-fly without rebooting the system, and the changes take effect immediately after applying the new configuration file.

3. Would it be bothersome that I have to create objects prior to configuring a specific feature?

No, it wouldn't.

On the contrary, there are 2 obvious benefits to using objects in feature configuration:

1). Automatic “Change Update”

Once the value of a setting is changed, the change is automatically applied system-wide. This feature helps the administrator maintain the integrity and consistency of the system configuration without hassle.

2). Object Reuse

User-defined objects can be reused. As a result, administration effort can be drastically reduced in a complex configuration pertaining to a larger-scale networking environment or a strict corporate security policy.

4. What's the benefit of using zones?

1). Automatic change update

Without the zone concept, the administrator has to change the corresponding settings whenever an interface setting has been changed, which may lead to inconsistency in the firewall policy configuration.

2). Reduced Configuration Effort

By grouping interfaces/tunnels into zones, the configuration settings can be applied to each member inside a zone, which saves configuration effort.

5. How do I activate the free trial services on ZyWALL 1050?

ZyXEL provides free trial services on ZyWALL 1050: the IDP service and the Content Filter service.

The procedure to activate the trial services is quite simple and straightforward:

1). Get connected to the Internet

2). Use a browser to log into the ZyWALL 1050 with administrative privileges

3). Jump to the “Registration” page and perform the device registration

4). Select the check box of each service and click the “Apply” button

6. Can I copy the IDP policy settings from existing ZyWALLs (e.g. ZyWALL 35 UTM) to the new ZyWALL 1050?

No, you can't. The format and data structure of the configuration files on ZyWALL 1050 are totally different from those on ZyNOS-based ZyWALLs, e.g. ZyWALL 35 UTM.


57. Can I copy the IDP signature database from one ZyWALL 1050 to

another ZyWALL 1050?

No, you can’t. You can only download signature package from the ZSDN Update Server via

Internet.

However, you can copy IDP policy settings from one ZyWALL 1050 to another one.

8. How do I keep IDP signatures updated?

The IDP security service on ZyWALL 1050 supports “Automatic Update” which enables

security administrator to synchronize the IDP Signature Package to the latest version with

online update server.

To enable the automatic update, simply go to the ZyWALL 1050 > Confi guration > Policy

> IDP > Update page and click on the “Auto Update” check box.

Once the automatic update is enabled, the update will take place automatically on an

hourly, daily or weekly basis, depending on your confi guration.

Or, as an alternative, you can click on “Update Now” to update the signature package to the

latest version immediately.

The automatic update mechanism will ensure your device always up-to-date and therefore

the emerging threats/worms/attacks/exploits can be stopped by the IDP feature.

9. How often does ZyXEL update IDP signatures?

With ZSRT (ZyXEL Security Response Team) in place, ZyXEL releases IDP signature package

on a weekly basis to provide up-to-date protection for your valuable information assets

and eliminate the security breaches from happening on the corporate network.

10. How do I keep the Content Filtering database updated?

All ZyWALLs, including the ZyWALL 1050, query the external Content Filtering database on the fly, without draining system resources.

A related benefit is that you do not have to worry about the content filtering database becoming outdated: the queries between CF-enabled ZyWALL devices and the external database server take place dynamically and automatically in the background.

Alternatively, you can always maintain your own URL/keyword list on the ZyWALL to maximize the effectiveness of the Content Filtering feature.

11. What are the built-in services on ZyWALL 1050?

The ZyWALL 1050 integrates a range of built-in servers to provide network services to users, including DNS, WWW, SSH, Telnet, FTP and SNMP.

Any built-in service can be disabled at any time to suit your needs. Telnet and FTP carry passwords in cleartext, so disable them, and any other service you do not use, and manage the device over SSH and HTTPS instead.

12. What should I do if I'd like to connect, but separate, more than 5 logical subnets using the ZyWALL 1050?

Although there are only 5 physical Ethernet ports on board, you can extend the port density with IEEE 802.1Q VLANs. With up to 32 VLANs supported, administrators can always extend the number of logical networks managed by the ZyWALL 1050. A VLAN-capable switch is required for this deployment.


13. How do I configure NAT on the ZyWALL 1050 if I don't see any NAT configuration screen in the Web configurator?

The ZyWALL 1050 does support NAT. The NAT settings are integrated into two places:

1). Policy Route (ZyWALL 1050 > Configuration > Policy > Route > Policy Route): you configure SNAT on the policy route screens. SNAT is treated as part of a policy route because defining the source IP address is already part of a policy route.

2). Virtual Server (ZyWALL 1050 > Configuration > Policy > Virtual Server): you configure DNAT in a Virtual Server. A virtual server represents an IP address that does not physically exist; users connect to it and reach the physical server because the NAT gateway performs DNAT.

14. What is a Virtual Server?

The Virtual Server feature (ZyWALL 1050 > Configuration > Policy > Virtual Server) on the ZyWALL is used to configure DNAT, either 1:1 or per port.

Virtual servers are computers on a private network behind the ZyWALL that you want to make available outside the private network. If the ZyWALL has only one public IP address, you can make the computers in the private network available by forwarding packets on particular ports to the appropriate private IP address. Through a virtual server, a client computer reaches the intended destination by connecting to the virtual server IP, while the ZyWALL performs address and/or port translation between the client and the computer in the private network. Only the address/port combinations you publish this way are reachable from outside; everything else stays hidden behind the ZyWALL.

The equivalent function on ZyNOS-based firewalls is called "Port Forwarding".
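The translation a virtual server performs, as an added example (not ZyWALL code): a public IP:port that exists on no host is rewritten to a private server, a connection-tracking entry is kept, and the reply is rewritten back. Both a per-port virtual server and a 1:1 mapping are shown; the addresses, ports and the first-match rule ordering are assumptions made for the example.

```python
# Added example (not ZyWALL code): what a "virtual server" rule does to a packet.
# A public IP:port that exists on no host is rewritten (DNAT) to a private server,
# and the reply is rewritten back using a connection-tracking entry.
# All addresses, ports and rules below are constructed for the example.
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class VirtualServer:
    proto: str                   # "tcp", "udp" or "any"
    public_ip: str
    public_port: Optional[int]   # None: 1:1 NAT, every port is forwarded unchanged
    private_ip: str
    private_port: Optional[int]  # None: keep the destination port as received


class DnatGateway:
    def __init__(self, rules: List[VirtualServer]):
        self.rules = rules
        # (proto, client_ip, client_port, private_ip, private_port) -> (public_ip, public_port)
        self.conntrack: Dict[Tuple[str, str, int, str, int], Tuple[str, int]] = {}

    def _lookup(self, pkt: Packet) -> Optional[VirtualServer]:
        """First matching virtual server wins (ordering assumed for this example)."""
        for rule in self.rules:
            if rule.proto not in ("any", pkt.proto):
                continue
            if pkt.dst != rule.public_ip:
                continue
            if rule.public_port is not None and pkt.dport != rule.public_port:
                continue
            return rule
        return None

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Packet from the Internet toward a public address.  Returns the translated
        packet, or None when no virtual server publishes that address/port: the
        private network stays unreachable unless explicitly published."""
        rule = self._lookup(pkt)
        if rule is None:
            return None
        new_port = pkt.dport if rule.private_port is None else rule.private_port
        key = (pkt.proto, pkt.src, pkt.sport, rule.private_ip, new_port)
        self.conntrack[key] = (pkt.dst, pkt.dport)
        return replace(pkt, dst=rule.private_ip, dport=new_port)

    def outbound(self, pkt: Packet) -> Packet:
        """Reply from the private server.  The source is rewritten back to the public
        address/port the client used, so the client sees a consistent peer."""
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        original = self.conntrack.get(key)
        if original is None:
            return pkt  # not a reply to a DNAT'd flow; SNAT (policy route) would apply instead
        return replace(pkt, src=original[0], sport=original[1])


def demo() -> Tuple[Optional[Packet], Packet, Optional[Packet], Optional[Packet]]:
    gw = DnatGateway([
        # per-port virtual server: public 203.0.113.5:8443 -> private web server :443
        VirtualServer("tcp", "203.0.113.5", 8443, "192.168.1.20", 443),
        # 1:1 NAT: every port on 203.0.113.10 maps to 192.168.1.10 unchanged
        VirtualServer("any", "203.0.113.10", None, "192.168.1.10", None),
    ])
    to_server = gw.inbound(Packet("tcp", "198.51.100.7", 40000, "203.0.113.5", 8443))
    reply = gw.outbound(Packet("tcp", "192.168.1.20", 443, "198.51.100.7", 40000))
    unpublished = gw.inbound(Packet("tcp", "198.51.100.7", 40001, "203.0.113.5", 22))
    one_to_one = gw.inbound(Packet("tcp", "198.51.100.7", 40002, "203.0.113.10", 3389))
    return to_server, reply, unpublished, one_to_one


if __name__ == "__main__":
    for p in demo():
        print(p)
```

The third call shows the security property of a virtual server: port 22 on 203.0.113.5 is not published, so the packet is not forwarded anywhere, even though a host sits behind the gateway.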

15. Can I use CLI commands to configure the device?

Yes. The ZyWALL 1050 supports a full-featured CLI for administrators who prefer the command line.

For the complete CLI reference, please see the "CLI Reference Guide".


E. VPN Application

1. How many concurrent VPN tunnels does ZyWALL 1050 support?

The ZyWALL 1050 supports up to 1,000 VPN tunnels running simultaneously. For more

information about ZyWALL 1050’s VPN performance, please refer to the “Lab Test Report”

in this handbook.

2. What is a VPN Concentrator?

A VPN Concentrator combines several VPN connections into one secure network.

[Figure: Hub and Spoke VPN topology. The spoke sites London, Madrid, Paris, Hannover and Oslo each have a VPN tunnel to the Central Site in Amsterdam.]

For example, say there are VPN connections between each ZyWALL on the spoke sites (London, Madrid, Paris, Hannover and Oslo in this case) and the ZyWALL on the hub site (Amsterdam), which runs the VPN concentrator.

The primary benefit of a VPN concentrator is that it reduces the number of VPN connections to be set up and maintained on a complex network: spoke-to-spoke traffic passes through the hub instead of requiring a full mesh of tunnels between every pair of sites.

3. Can I enforce security checks against traffic coming in through VPN tunnels?

Yes, you can. The ZyWALL 1050 uses route-based VPN, whose tunnels are treated as interfaces by the system kernel, so security features can be applied to traffic forwarded through a specific interface.

In plain English: traffic arriving through VPN tunnels can be inspected by security features such as the firewall, IDP, Content Filter and Bandwidth Management. A tunnel only authenticates the remote gateway, not the hosts behind it, which is why inspecting tunnel traffic matters.

4. What is the ICSA VPN certification status of the ZyWALL 1050?

ZyXEL is planning to apply for ICSA IPSec VPN certification for the ZyWALL 1050. The expected timeframe for certification is 1H 2007.


F. User-Aware Applications

1. What does "user-awareness" mean?

User-awareness provides finer granularity than IP- and port-based access control. In many networks client IP addresses are dynamic, which makes it difficult to define an access control policy on such ever-changing criteria.

Another benefit of user-awareness is better accountability for auditing: log entries can be tied to a user rather than only to an address.

Altogether, user-aware security features can help raise the security level of today's corporate networks.

2. How do users get authenticated?

Users must authenticate themselves before they are permitted to access the network through the ZyWALL, provided that a user-aware access policy has been defined and enforced.

In this case, users must first connect to the ZyWALL before they can go anywhere else. The most common way to authenticate to the ZyWALL is with a Web browser over HTTP; TELNET/SSH authentication is also supported.

After entering valid credentials, users are authenticated and allowed to access resources according to their respective privileges.

3. What is "Force User Authentication"? Would it be bothersome?

The process of getting authenticated may be bothersome to some people, and that difficulty can become a roadblock to enforcing a user-aware access policy.

To make things easier, the ZyWALL implements "Force User Authentication", which simplifies the process and avoids a separate login step. Users simply point a Web browser at the intended destination; the ZyWALL intercepts the connection attempt and triggers the authentication process.

Once the credentials are verified, access privileges are granted. If verification fails, the access attempt is blocked.

Please note that Force User Authentication supports only the HTTP protocol: a user's first request to an HTTPS site or a non-web application is not intercepted and redirected, so such users have to log in through the ZyWALL's login page themselves.
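The decision logic behind Force User Authentication and a user-aware policy, as an added example rather than ZyWALL's own code: an unauthenticated host's plain-HTTP request is answered with a redirect to the login page, any other protocol from an unauthenticated host is blocked because it cannot be intercepted, and once a host has logged in the policy is looked up by user name instead of IP address. The portal URL, the user accounts, the addresses and the first-match policy ordering are all assumptions made for the example.

```python
# Added example (not ZyWALL code): "Force User Authentication" plus a user-aware policy.
# Unauthenticated plain-HTTP requests are redirected to the login page; anything else
# from an unauthenticated host is blocked, because only HTTP can be intercepted this
# way.  After login, policy is matched on the user name, not on the IP address.
# Portal URL, user names, passwords and addresses are constructed for the example.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

LOGIN_URL = "http://gateway.example.net/login"  # assumed address of the login page


@dataclass(frozen=True)
class Request:
    src_ip: str
    proto: str   # "http", "https", "ssh", ...
    dst: str     # destination host name or address
    path: str = "/"


@dataclass(frozen=True)
class Policy:
    user: str    # user name, or "*" for any authenticated user
    dst: str     # destination, or "*" for any
    action: str  # "allow" or "deny"


class UserAwareGateway:
    def __init__(self, policies: List[Policy], credentials: Dict[str, str]):
        self.policies = policies            # evaluated top-down, first match wins (assumed)
        self.credentials = credentials      # stands in for the local DB / RADIUS / LDAP / AD
        self.sessions: Dict[str, str] = {}  # authenticated source IP -> user name

    def login(self, src_ip: str, user: str, password: str) -> bool:
        # A real device verifies against its user database; a plain comparison is
        # only for the demo.
        if self.credentials.get(user) != password:
            return False
        self.sessions[src_ip] = user
        return True

    def logout(self, src_ip: str) -> None:
        self.sessions.pop(src_ip, None)

    def handle(self, req: Request) -> Tuple[str, str]:
        user: Optional[str] = self.sessions.get(req.src_ip)
        if user is None:
            if req.proto == "http":
                # Force User Authentication: answer the HTTP request with a redirect
                # to the login page, remembering where the user wanted to go.
                return ("redirect", f"{LOGIN_URL}?next=http://{req.dst}{req.path}")
            # HTTPS or non-web traffic cannot be intercepted and redirected, so it is
            # blocked until the host authenticates by visiting the login page itself.
            return ("block", "unauthenticated host; non-HTTP request cannot be intercepted")
        for policy in self.policies:
            if policy.user in ("*", user) and policy.dst in ("*", req.dst):
                return (policy.action, f"policy for user {user}")
        return ("deny", f"no policy matches user {user}")


def demo() -> List[Tuple[str, str]]:
    gw = UserAwareGateway(
        policies=[
            Policy("alice", "intranet.example.net", "allow"),
            Policy("*", "intranet.example.net", "deny"),
            Policy("*", "*", "allow"),
        ],
        credentials={"alice": "correct horse", "bob": "battery staple"},
    )
    results = []
    results.append(gw.handle(Request("10.0.0.5", "http", "www.example.com", "/news")))  # redirect
    results.append(gw.handle(Request("10.0.0.5", "https", "www.example.com")))          # block
    gw.login("10.0.0.5", "alice", "correct horse")
    results.append(gw.handle(Request("10.0.0.5", "https", "intranet.example.net")))     # allow
    gw.login("10.0.0.6", "bob", "battery staple")
    results.append(gw.handle(Request("10.0.0.6", "https", "intranet.example.net")))     # deny
    gw.logout("10.0.0.5")
    results.append(gw.handle(Request("10.0.0.5", "http", "intranet.example.net")))      # redirect
    return results


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

Note that the session table still keys on the source IP address: that is what ties a user to a host after login, so a changed address means a new login, which is exactly the "ever-changing criteria" problem that user-aware policy addresses.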

4. How do I manage user accounts on ZyWALL 1050?

The ZyWALL 1050 supports two ways for administrators to manage access credentials: a local user database and external user databases.

For external user databases, the ZyWALL 1050 supports RADIUS, LDAP and Microsoft AD. Microsoft AD is compatible with LDAP and is widely deployed in many organizations.

5. What are the user-aware features in ZyWALL 1050?

The user-aware security features on the ZyWALL 1050 are:

Policy Route

Firewall

Application Patrol

VPN

Content Filtering

With user-aware security features in place, organizations can achieve finer access granularity to improve both accessibility and security.


G. Application Patrol

1. What is Application Patrol?

Application Patrol provides a convenient way to control the use of common protocols and applications on today's corporate networks.

It identifies the application type by looking into the Layer-7 data payload of a packet, regardless of the port the application is running on, so an application cannot evade the policy simply by using a non-standard port.

Beyond allowing or blocking a given type of application according to policy, Application Patrol provides access granularity and traffic-shaping capability for the applications it recognizes.

As a result, it is a powerful feature for managing incoming and outgoing traffic from the applications' viewpoint and for helping administrators enforce corporate security policies.
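Payload-based identification of the kind described above, as an added example; these are not ZyXEL's Application Patrol signatures or code. It matches a few well-known protocol openings (BitTorrent handshake, SSH banner, HTTP and RTSP request lines, SMTP and IRC commands) against the first bytes of a flow, ignores the port, and then applies a constructed per-application policy. The sample flows, the policy table and the treatment of unknown traffic as "left to the firewall" are assumptions made for the example.

```python
# Added example (not ZyXEL's Application Patrol code or signatures): identifying an
# application from the first bytes of its payload rather than from the port, and
# applying a per-application action.  Signatures cover a handful of well-known
# protocol openings; the sample payloads and the policy are constructed.
import re
from typing import Dict, List, Optional, Tuple

# (application, regex over the first bytes of the flow)
SIGNATURES: List[Tuple[str, "re.Pattern[bytes]"]] = [
    ("bittorrent", re.compile(rb"^\x13BitTorrent protocol")),   # peer-wire handshake
    ("ssh",        re.compile(rb"^SSH-\d\.\d+-")),                # identification string
    ("http",       re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")),
    ("rtsp",       re.compile(rb"^(OPTIONS|DESCRIBE|SETUP|PLAY) \S+ RTSP/1\.0\r\n")),
    ("smtp",       re.compile(rb"^(EHLO|HELO) ", re.IGNORECASE)),
    ("irc",        re.compile(rb"^(NICK|USER|PASS) ", re.IGNORECASE)),
]

# What a port-only classifier would have guessed (conventional ports).
PORT_GUESS: Dict[int, str] = {
    22: "ssh", 25: "smtp", 80: "http", 554: "rtsp", 6667: "irc", 6881: "bittorrent",
}

# Per-application policy (constructed): action and optional bandwidth cap in kbps.
POLICY: Dict[str, Tuple[str, Optional[int]]] = {
    "bittorrent": ("block", None),
    "http":       ("allow", None),
    "ssh":        ("allow", None),
    "rtsp":       ("allow", 512),   # shape streaming to 512 kbps
    "smtp":       ("allow", None),
    "irc":        ("block", None),
}


def identify(payload: bytes) -> str:
    """Layer-7 identification: the port is deliberately not consulted."""
    for app, pattern in SIGNATURES:
        if pattern.search(payload):
            return app
    return "unknown"


def classify(payload: bytes, dport: int) -> Dict[str, object]:
    """Compare the port-based guess with the payload-based result and pick the action.
    Unknown applications (custom protocols) are not Application Patrol's business and
    fall through to the ordinary firewall, reported here as action 'firewall'."""
    app = identify(payload)
    if app == "unknown":
        action, limit = "firewall", None
    else:
        action, limit = POLICY[app]
    return {
        "port_guess": PORT_GUESS.get(dport, "unknown"),
        "application": app,
        "action": action,
        "limit_kbps": limit,
    }


# Constructed sample flows: (description, destination port, first payload bytes)
SAMPLES: List[Tuple[str, int, bytes]] = [
    ("BitTorrent hiding on the HTTP port", 80,
     b"\x13BitTorrent protocol" + b"\x00" * 8 + b"I" * 20 + b"-TR2940-" + b"p" * 12),
    ("HTTP on a non-standard port", 8080,
     b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("SSH on port 443", 443, b"SSH-2.0-OpenSSH_9.6\r\n"),
    ("RTSP stream", 554, b"DESCRIBE rtsp://media.example.com/cam1 RTSP/1.0\r\nCSeq: 2\r\n"),
    ("custom protocol on the BitTorrent port", 6881, b"\x01\x02MYPROTO\x00"),
]


def run_samples() -> List[Dict[str, object]]:
    return [classify(payload, dport) for _, dport, payload in SAMPLES]


if __name__ == "__main__":
    for (desc, dport, _), result in zip(SAMPLES, run_samples()):
        print(f"{desc}: port {dport} suggests {result['port_guess']}, payload says "
              f"{result['application']} -> {result['action']}")
```

The first and last samples are the two cases that matter: a blocked application moved onto port 80 is still caught, and a custom protocol sitting on a "known bad" port is neither blocked nor mis-labelled by the payload check; it is simply not recognized and is left to the address/port rules.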

2. Can I use the Application Patrol feature to manage IM/P2P applications?

Yes. Application Patrol supports common IM/P2P applications including:

1). IM: MSN, AOL, ICQ, Yahoo Messenger and QQ (popular in China)

2). P2P: BitTorrent, eDonkey, FastTrack, Gnutella, Napster and SoulSeek

Access privileges can be granted according to the user's credentials, the type of application, the access time, and the origin and destination of the access attempt.

3. What applications does Application Patrol support?

The applications supported by Application Patrol fall into these categories:

1). General protocols: HTTP, FTP, SMTP, POP3 and IRC

2). IM: MSN, Yahoo Messenger, AOL-ICQ and QQ

3). P2P: BT, eDonkey, FastTrack, Gnutella, Napster, H.323, SIP, SoulSeek

4). Streaming: RTSP (Real Time Streaming Protocol)

Please note that Application Patrol does not support custom protocols or applications. A firmware upgrade is required to expand the set of supported application types.

4. Is it possible to use Application Patrol to manage unsupported applications?

No. With firmware upgrades, however, Application Patrol can gain support for new application types, and ZyXEL will keep developing Application Patrol to support emerging applications as customers need them. Traffic that Application Patrol does not recognize is still subject to the ordinary firewall and policy-route rules, so an unsupported application can at least be restricted by address and port.

5. Do I have to pay additional fee for Application Patrol?

No, you don’t have to. The Application Patrol feature is totally free of charge.


H. Device High Availability

1. What's the benefit of deploying device HA?

The major benefits of deploying device HA are:

1). Minimized unplanned and planned downtime

2). System maintenance can be performed during business hours

3). No loss of customers, business or goodwill caused by an outage

2. What are the requirements for device HA on the ZyWALL 1050?

1). You need two ZyWALL 1050 devices to enable the device HA feature: one as the master node and the other as the backup node.

2). The firmware version must be identical on both nodes.

If you run device HA with different firmware versions on the two ZyWALL 1050s, the automatic synchronization mechanism will fail and unexpected behaviour may occur. Make sure the same firmware version is installed on both nodes of a device HA pair, and upgrade both nodes together.

3. Can device HA increase the throughput?

No, it can’t. With deployment of device HA, only one node is up and running at any given

time. As a result, the combined throughput will not increase.

4. Do I have to configure the device settings for the master node and the backup node separately in a device HA scenario?

No, you don't. You are not required to configure the device settings twice, because the configuration files on the backup node can be synchronized automatically from the master. This greatly reduces the configuration overhead of a device HA deployment and keeps the configuration settings and policies consistent on both nodes.

Synchronization can be performed automatically or manually, depending on the configuration setting.

Furthermore, the synchronization connection is encrypted to prevent eavesdropping on the startup configuration and certificates while they are in transit.

5. What settings can be automatically synchronized from the master node to the backup node in a device HA scenario?

During synchronization, the master node sends the following to the backup node:

1). Startup configuration file (startup-config.conf)

2). IDP signatures

3). Certificates (My Certificates and Trusted Certificates)


6. Do both the master and backup nodes share the same license key used to subscribe to the IDP security service in a device HA scenario?

No, they don't.

In a device HA scenario, the master node and the backup node must each apply their own IDP license key for the IDP security feature to work correctly. This means you need to purchase 2 IDP iCards, one per node, for a device HA pair.

Please note: during synchronization in a device HA scenario, the backup node cannot receive IDP signature updates for an IDP security service it has not subscribed to.

The same rule applies to the Content Filtering security service.

7. Since the interfaces are inactive while a device is in Standby mode, how can I perform operations that require an Internet connection, e.g. service activation?

There are two ways to perform operations that require Internet access while a device is in Standby mode:

1). Administrators can configure a Management IP on the backup node and use that management IP to connect to the Internet.

2). Operations that require Internet access, such as service activation, can be done before putting the backup node into "Standby" status.

8. Do I have to pay for the device HA feature?

No. The device HA feature is free of charge. However, you have to purchase the ZyWALL

1050 devices in pairs to take advantage of device HA.

9. Does the ZyWALL 1050 support Active-Active mode?

No. In ZLD 1.00, device HA supports Active-Passive mode only. Active-Active mode is planned for the 2.00 release.

I. VoIP Security

1. What is the VoIP compatibility list for ZyWALLs?

SIP clients:

1). ZyXEL P2002 (ATA)

2). ZyXEL P2002L (ATA)

3). ZyXEL P2302R (VoIP Gateway)

4). ZyXEL P2302RL (VoIP Gateway)

5). ZyXEL P2000W (IP phone)

6). Windows Messenger v5.0

SIP servers:

1). Openser v1.1

2). Asterisk v1.291

3). VOCAL v1.50


2. Is VoIP traffic secured by the ZyWALL?

Yes. The ZyWALL supports VoIP over IPSec, which ensures that VoIP signalling and media are encrypted in transit between the tunnel endpoints.

3. Besides its own VoIP products, does ZyXEL plan to support more VoIP devices?

Yes. ZyXEL is testing popular VoIP products and will soon support:

1). Cisco 2600 (VoIP Gateway)

2). Cisco 7900 (IP Phone)

3). Cisco ATA 186/188 (ATA)

4). Sipura SPA-3000 (ATA)

J. Bandwidth Management

1. I don't see a "Bandwidth Management" menu in the Web configurator. Does the ZyWALL 1050 support Bandwidth Management?

Yes. The ZyWALL 1050 provides more flexible ways to control network bandwidth, tied to routing and to applications. You can find the Bandwidth Management settings in two places:

1). Policy Route

2). Application Patrol

2. What is the difference in the Bandwidth Management feature between the ZyNOS-based ZyWALL 2 Plus/5/35/70 and the ZLD-based ZyWALL 1050?

1). ZyNOS-based ZyWALL 2 Plus/5/35/70

ZyNOS BWM is based first on the interface (LAN/WAN/DMZ) and then on policy settings (IP/port, or a service such as FTP, SIP or H.323).

2). ZLD-based ZyWALL 1050

ZyWALL 1050 BWM has no interface limitation, since it is application-oriented. You can manage bandwidth by application (IM/P2P/HTTP/FTP...) or by granular policy route (user/IP/port...).

3. How does Policy Route control bandwidth?

IP Policy Routing (IPPR) provides a mechanism to override the default routing behaviour and alter packet forwarding according to a policy defined by the network administrator.

A policy defines the matching criteria as well as the actions to take when a packet meets them. The criteria may include user name, source address and incoming interface, destination address, schedule, IP protocol (ICMP, UDP, TCP, etc.) and the port used.

Organizations can allocate bandwidth to traffic matching a routing policy, together with a priority setting:

1). Specify the maximum bandwidth reserved for the route (in kbps).

2). Enter a number between 1 and 1024 to set the traffic priority.


4. How does Application Patrol control bandwidth?

Application Patrol provides a convenient way to manage instant messaging (IM) and peer-to-peer (P2P) applications running on the network. It can also manage a few general protocols (HTTP and FTP, for example) as well as the RTSP streaming protocol.

Administrators can enable Bandwidth Shaping to restrict the bandwidth each application is allowed to use.

K. ZSDN-Related

1. What is ZSDN?

ZSDN (ZyXEL Security Distribution Network) is a set of portals providing easy-to-use, always-on services for ZyXEL customers and resellers. ZSDN is composed of myZyXEL.com, mySecurityZone, the Update Server and ZSRT.

You can access the ZyXEL security portals at the following Web sites:

myZyXEL.com: http://www.myzyxel.com/myzyxel/

mySecurityZone: https://mysecurity.zyxel.com/mysecurity/

Currently the Update Server does not provide a publicly accessible Web site. It is only accessible to registered ZyWALL devices with services activated.

2. Why do I have to register the service?

You have to register your purchased ZyWALL devices for the following reasons:

1). If you'd like to use the ZyWALL's free IDP or CF trial services, you have to activate them through the ZyWALL's Web configurator.

2). If you've purchased an iCard for a security service, e.g. IDP or CF, you must activate the security service via the Web configurator.

3. What else can I do with the myZyXEL.com account?

1). Access firmware and security service updates.

2). Receive update notifications about ZyWALL-related services, firmware and products.

3). Manage (activate, change or delete) your ZyWALL security services online.

In summary, myZyXEL.com delivers a convenient, centralized way to register all your ZyWALL security appliances and services. Instead of registering each ZyWALL product individually, you have a single user profile in which you manage all your product registrations and service activations.

4. After registration completes, what information is stored on the myZyXEL.com server?

Your user profile is stored on myZyXEL.com after registration. The profile includes your user name, password, e-mail address, country and your registered products and services. Because the account controls service activation for all of your devices, protect it with a password that is not reused elsewhere.


5. What is mySecurityZone?

1). mySecurityZone is a free service portal accessible to everyone.

2). Anyone can browse the latest security news and updates from ZSRT (ZyXEL Security Response Team), access free resources and subscribe to the free newsletter.

3). If you have a registered ZyWALL and a myZyXEL.com account, you can log into mySecurityZone (with the same myZyXEL.com account) to view detailed descriptions of Anti-Virus and IDP policies and to perform virus searches. In addition, you automatically receive the advisory newsletters with the latest security updates and other information.

In mySecurityZone you can:

1). Access all security resources and get free advisory newsletters.

2). Publish or share ZyWALL security information (such as Anti-Virus/IDP policy).

3). Search for all ZyWALL product information.

6. What is the Update Server?

The Update Server is designed for security service subscribers, to ensure that the signature file on their devices is up to date. This allows effective virus detection and threat prevention. Your ZyWALL regularly checks for signature file updates and downloads signature files from the Update Server.

The Update Server is hosted by ZyXEL with 24x7 monitoring. With dedicated IDCs (International Data Centers) in a globally distributed architecture, ZyXEL aims for top service quality and zero downtime for all security service subscribers.

7. Since keeping signatures updated is crucial, what has ZyXEL done to ensure the availability of the Update Server to customers?

ZyXEL takes the following steps to ensure the availability of the Update Server:

1). Dedicated server rooms

Server farms are deployed in IDCs (International Data Centers) located in Taiwan and Germany. The two IDCs are configured for redundancy and server load balancing to ensure maximum availability of the Update Server.

2). NOC-grade 24x7 monitoring

ZyXEL has established a standard procedure and a dedicated team to monitor the status and operation of the Update Server, so that failures of any kind are detected and fixed in the shortest possible time and system downtime is minimized. This also helps ZyXEL meet its SLA (Service Level Agreement) with customers.

8. Do I have to pay for the myZyXEL.com and mySecurityZone services?

No. You can access the free resources on the myZyXEL.com and mySecurityZone sites without additional fees.

On myZyXEL.com, you need to purchase an iCard to register and activate security services on your device.

With a registered ZyWALL and a myZyXEL.com account, you get the latest security advisories and access to IDP signature information on mySecurityZone.

Chapter 6: ZyWALL Family Matrix

Feature                          | ZyWALL P1        | ZyWALL 2 Plus    | ZyWALL 5 UTM         | ZyWALL 35 UTM        | ZyWALL 70 UTM             | ZyWALL 1050
---------------------------------+------------------+------------------+----------------------+----------------------+---------------------------+--------------------------
System                           |                  |                  |                      |                      |                           |
Firewall Throughput              | 50Mbps           | 24Mbps           | 60Mbps               | 75Mbps               | 100Mbps                   | 300Mbps
VPN Throughput (AES)             | 30Mbps           | 24Mbps           | 30Mbps               | 35Mbps               | 45Mbps                    | 150Mbps
UTM Throughput (AV+IDP+Firewall) | 3Mbps            | -                | 12Mbps               | 14Mbps               | 18Mbps                    | 150Mbps*5
Unlimited User Licenses          | x                | x                | x                    | x                    | x                         | x
Sessions                         | 2,048            | 3,000            | 4,000                | 10,000               | 10,000                    | 128,000
Simultaneous VPN connections     | 1                | 5                | 10                   | 35                   | 100                       | 1,000
Default Port                     | 1 x LAN, 1 x WAN | 4 x LAN, 1 x WAN | 4 x LAN/DMZ, 1 x WAN | 4 x LAN/DMZ, 2 x WAN | 1 x LAN, 4 x DMZ, 2 x WAN | 1 x LAN, 2 x DMZ, 2 x WAN
Customizable Zone                | -                | -                | -                    | -                    | -                         | x
Networking                       |                  |                  |                      |                      |                           |
Routing/NAT/SUA Mode             | x                | x                | x                    | x                    | x                         | x
Bridge Mode                      | x                | -                | x                    | x                    | x                         | x
Mix Mode (Routing+Bridge)        | -                | -                | -                    | -                    | -                         | x
VLAN Tagging (802.1Q)            | -                | -                | -                    | -                    | -                         | x
Security                         |                  |                  |                      |                      |                           |
Firewall (ICSA Certified)        | x                | x                | x                    | x                    | x                         | x*1
VPN (ICSA Certified)             | x                | x                | x                    | x                    | x                         | x*1
Content Filtering (Bluecoat)     | -                | x                | x                    | x                    | x                         | x
Anti-SPAM (Mailshell)            | -                | -                | x                    | x                    | x                         | x*1
Anti-Virus (Kaspersky)           | x                | -                | x                    | x                    | x                         | x*1
IDS/IDP                          | x                | -                | x                    | x                    | x                         | x
IM/P2P                           | x                | -                | x                    | x                    | x                         | x
Bandwidth Management             | -                | -                | x                    | x                    | x                         | x
User-aware Management            | -                | -                | -                    | -                    | -                         | x

Feature                          | ZyWALL P1      | ZyWALL 2 Plus  | ZyWALL 5 UTM   | ZyWALL 35 UTM  | ZyWALL 70 UTM  | ZyWALL 1050
---------------------------------+----------------+----------------+----------------+----------------+----------------+---------------
High Availability                |                |                |                |                |                |
Device HA                        | -              | -              | -              | -              | -              | x
VPN HA                           | -              | x              | x              | x              | x              | x
Multiple WANs for Load Balancing | -              | -              | -              | x              | x              | x
Auto Fail-over, Fail-back        | -              | x              | x              | x              | x              | x
Dial Backup                      | -              | x              | x              | x              | x              | x
User Database                    |                |                |                |                |                |
Local database                   | x              | x              | x              | x              | x              | x
Radius                           | x              | x              | x              | x              | x              | x
LDAP                             | -              | -              | -              | -              | -              | x
Microsoft AD                     | -              | -              | -              | -              | -              | x
Management                       |                |                |                |                |                |
WebGUI (HTTP and HTTPS)          | x              | x              | x              | x              | x              | x
Command Line                     | x              | x              | x              | x              | x              | x
Vantage CNM                      | x              | x              | x*2            | x*2            | x*2            | x*3
Vantage Report                   | x              | x              | x              | x              | x              | x*4
Ordering Info                    |                |                |                |                |                |
Standard                         | 91-009-018001B | 91-009-029001B | 91-009-014011B | 91-009-010011B | 91-009-002009B | 91-009-020001B
US                               | 91-009-018002B | 91-009-029002B | 91-009-014014B | 91-009-010014B | 91-009-002012B | 91-009-020002B
UK                               | 91-009-018003B | 91-009-029003B | 91-009-014013B | 91-009-002013B | 91-009-002011B | 91-009-020003B
Australia                        | 91-009-018005B | 91-009-029004B | 91-009-014015B | 91-009-010017B | 91-009-002013B | 91-009-020004B

*1: Future Release
*2: CNM 2.3 support
*3: CNM 3.0 support
*4: VRPT 3.0 support
*5: IDP+Firewall On

Chapter 7: Lab Test Report

1. Test Result

Firewall Throughput (NAT+Firewall), Mbits/sec

Packet Size*1      | ZyWALL P1 | ZyWALL 2 Plus | ZyWALL 5 UTM | ZyWALL 35 UTM | ZyWALL 70 UTM | ZyWALL 1050
-------------------+-----------+---------------+--------------+---------------+---------------+------------
64                 | 3.03      | 3.69          | 3.42         | 4.22          | 6.42          | 41.67
512                | 19.17     | 23.52         | 21.70        | 27.88         | 43.18         | 293.23
1518               | 57.13     | 70.03         | 64.49        | 76.81         | 100.00        | 370.12
IMIX*2             | 4.73      | 5.25          | 4.28         | 6.15          | 9.34          | 85.54
New Session Rate*3 | 585.32    | 538.54        | 402          | 573.66        | 609.14        | 8038

Note:
*1: Measured in bytes.
*2: Packet size ratio 64:512:1424 = 6:3:1. IMIX (Internet mix traffic) is a deterministic way of simulating real network traffic according to packet size usage. Some studies indicate that Internet traffic consists of fixed percentages of different packet sizes; IMIX traffic contains a mixture of packet sizes in a ratio that approximates the overall makeup of packet sizes observed in real Internet traffic. Using IMIX traffic allows the DUT to be tested under realistic conditions, as compared to single packet sizes tested sequentially.
*3: Pure routing performance without NAT and firewall.

UTM Throughput (NAT+Firewall+UTM), Mbits/sec

IDP (UDP)

Packet Size*1 | ZyWALL P1 | ZyWALL 2 Plus | ZyWALL 5 UTM | ZyWALL 35 UTM | ZyWALL 70 UTM | ZyWALL 1050
--------------+-----------+---------------+--------------+---------------+---------------+------------
64            | 1.94      | N/A*3         | 1.56         | 1.56          | 2.34          | 45.00
512           | 3.93      | N/A*3         | 8.59         | 9.38          | 9.38          | 121.80
1518          | 4.57      | N/A*3         | 13.28        | 14.84         | 16.41         | 153.59
IMIX*2        | 2.0       | N/A*3         | 3.0          | 4.0           | 5.0           | 61.33

Anti-Virus (HTTP, 1024k html file)

Packet Size*1 | ZyWALL P1 | ZyWALL 2 Plus | ZyWALL 5 UTM | ZyWALL 35 UTM | ZyWALL 70 UTM | ZyWALL 1050
--------------+-----------+---------------+--------------+---------------+---------------+------------
64            | 0.71      | N/A*3         | 0.67         | 0.71          | 0.85          | N/A*3
512           | 2.63      | N/A*3         | 6.81         | 7.76          | 8.37          | N/A*3
1460          | 3.31      | N/A*3         | 16.99        | 19.44         | 20.67         | N/A*3

IDP + Anti-Virus (HTTP, 1024k html file)

Packet Size*1 | ZyWALL P1 | ZyWALL 2 Plus | ZyWALL 5 UTM | ZyWALL 35 UTM | ZyWALL 70 UTM | ZyWALL 1050
--------------+-----------+---------------+--------------+---------------+---------------+------------
64            | 0.62      | N/A*3         | 0.55         | 0.59          | 0.69          | N/A*3
512           | 2.54      | N/A*3         | 5.31         | 5.87          | 6.37          | N/A*3
1460          | 3.19      | N/A*3         | 8.61         | 13.08         | 15.07         | N/A*3

Note:
*1: Measured in bytes.
*2: UDP packet size ratio 64:512:1424 = 6:3:1 (IMIX; see the note on the Firewall Throughput table).
*3: Not applicable (the product does not have this feature).

VPN Throughput (NAT enabled), Mbits/sec

AES

Packet Size*1 | ZyWALL P1 | ZyWALL 2 Plus | ZyWALL 5 UTM | ZyWALL 35 UTM | ZyWALL 70 UTM | ZyWALL 1050
--------------+-----------+---------------+--------------+---------------+---------------+------------
64            | 2.83      | 2.01          | 2.13         | 2.62          | 2.84          | 38.54
512           | 16.19     | 12.40         | 13.30        | 16.04         | 16.85         | 116.24
1424          | 36.81     | 30.46         | 31.78        | 37.60         | 45.99         | 153.73
IMIX*2        | 10.09     | 8.12          | 11.76        | 14.48         | 13.58         | 93.98

AES+IDP

Packet Size*1 | ZyWALL P1 | ZyWALL 2 Plus | ZyWALL 5 UTM | ZyWALL 35 UTM | ZyWALL 70 UTM | ZyWALL 1050
--------------+-----------+---------------+--------------+---------------+---------------+------------
64            | 1.71      | N/A*3         | 2.12         | 2.53          | 2.83          | 30.50
512           | 3.42      | N/A*3         | 11.05        | 12.78         | 13.88         | 80.64
1424          | 3.97      | N/A*3         | 19.78        | 23.39         | 24.79         | 122.21
IMIX*2        | 3.4       | N/A*3         | 7.28         | 8.16          | 9.06          | 67.98

Note:
*1: Measured in bytes.
*2: UDP packet size ratio 64:512:1424 = 6:3:1 (IMIX; see the note on the Firewall Throughput table).
*3: Not applicable (the product does not have this feature).

2. Testing Scenario and Topology

[Figure: test topology. The Remote Manager manages the DUT; the IXIA 1600T generates traffic through the DUT.]

• IXIA 1600T: ALM1000T8 card and STXS4 card (both support 10/100/1000)

• DUT: Device Under Test

• Remote Manager: manages the DUT

• Performance Test: IXIA software (IxScriptMate, IxVPN, IxLoad)

3. Equipment List

Model Name    | Firmware Version* | Profile
--------------+-------------------+--------
ZyWALL P1     | 4.01 (XJ.0) b1    |
ZyWALL 2 Plus | 4.01 (XU.0) b1    |
ZyWALL 5 UTM  | 4.01 (XD.0) b4    |
ZyWALL 35 UTM | 4.01 (WZ.0) b4    |
ZyWALL 70 UTM | 4.01 (WM.0) b4    |
ZyWALL 1050   | 1.00 (XL.0)       |

Chapter 8: Glossary

3DES (Triple DES)

This is a stronger variant of DES (Data Encryption Standard). Triple DES is a widely used method of data encryption that applies three separate private (secret) 56-bit keys to each 64-bit block of data. See also DES and AES.

A-end (IPSec)

This is the end of a VPN tunnel opposite the Z-end (see also Z-end).

AAA Server

Remote user authentication system. An AAA server handles the following tasks.

Authentication determines the identity of the users. Authorization determines the network

services available to authenticated users once they are connected to the network. Accounting

keeps track of the users’ network activity.

ACL (Access Control List)

An access control list is a list of rules stating which users, hosts or networks may (or may not) access a given resource. Access control is typically used to control user access to network resources such as servers, directories and files.

ActiveX

ActiveX is the name Microsoft has given to a set of “strategic” object-oriented programming

technologies and tools. ActiveX is Microsoft’s answer to the Java technology from Sun

Microsystems. An ActiveX control is roughly equivalent to a Java applet.

Adware

A software application that can display advertising banners while the program is running or

via some other triggering mechanism. See also Spyware.

AES (Advanced Encryption Standard)

Advanced Encryption Standard is a method of data encryption that uses a secret key. AES may use a 128-bit, 192-bit or 256-bit key. AES is faster than 3DES. See also DES and 3DES.

AH (Authentication Header)

See ESP/AH

Application Layer Gateway (ALG)

An Application Layer Gateway (ALG) is a component that understands a specific protocol (such as SIP, H.323 or FTP) at the application layer, so that the firewall and NAT can open and translate the dynamic data connections those protocols negotiate.

ASIC (Application Specific Integrated Circuit)

This is a chip engineered for a particular use or function.

Authentication

Authentication establishes who (or what) sent a message or is requesting access. It also assures the receiver of the integrity of the message and of its source (where or whom it came from). The simplest form of authentication requires a user name and password to gain access to a particular account. Authentication protocols can also be based on secret-key cryptography, such as DES or 3DES, or on public-key systems using digital signatures.

AV (Anti-Virus) Scanning

A mechanism for detecting and blocking viruses in File Transfer Protocol (FTP), Internet Message Access Protocol (IMAP), Simple Mail Transfer Protocol (SMTP), Hypertext Transfer Protocol (HTTP), including HTTP webmail, and Post Office Protocol version 3 (POP3) traff. ZyWALL UTM integrates an Anti-Virus solution.


Backbone

In OSPF, the backbone is the transit area to route packets between two areas. The backbone is

also known as area 0.

Backdoor

A backdoor (also called a trapdoor) is hidden software or a hardware mechanism that can be

triggered to gain access to a program, online service or an entire system.

BackOrifice

BackOrifice is a remote administration tool, usually installed without the owner's knowledge as a backdoor, that allows a user to control a computer across a TCP/IP connection using a simple console or GUI application.

Bandwidth Control

Bandwidth control means defining a maximum allowable bandwidth for traffic flows from specified source(s) to specified destination(s). See also Bandwidth Management.

Bandwidth Management

Bandwidth management allows you to allocate bandwidth at an interface according to defined policies.

Binary PKCS#7

Binary PKCS#7 (the Cryptographic Message Syntax) is a standard that defines the general syntax for data that may be signed and/or encrypted, including digital signatures together with the certificate chain needed to verify them. "Binary" refers to the DER encoding, as opposed to the Base64 (PEM) text form; it is commonly used as a container for importing a certificate and its issuing CA certificates in one file.

Binary X.509

Binary X.509 is an ITU-T recommendation that defines the formats for X.509 certificates.

BitTorrent

BitTorrent is a peer-to-peer (P2P) application and also a file sharing protocol.

Bridge

A device that forwards traffic between network segments based on data link layer information. These segments share a common network layer address space.

Brute Force Hacking

A technique used to find passwords or encryption keys. Brute Force Hacking involves trying every possible combination of letters, numbers, etc., until the code is broken.

Brute-Force Password Guessing Protection

This is a protection mechanism to discourage brute-force password guessing attacks on a

device’s management interface. A wait-time must expire before entering the nth password

after n-1 incorrect passwords have been entered.
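The wait-time gate described above, written out as an added Python example (this is not ZyWALL firmware code, and the thresholds FREE_ATTEMPTS, BASE_WAIT and MAX_WAIT are constructed values, not the device's settings). The point it shows is the one the definition makes: once the threshold is reached, an attempt made before the timer expires is refused without the password even being checked, so an attacker gets at most one guess per wait period regardless of how fast the attempts arrive.

```python
import time

# Constructed policy values (assumptions for this example, not ZyWALL defaults):
# after FREE_ATTEMPTS wrong passwords, the next attempt is gated by a wait-time
# that doubles with every further failure, capped at MAX_WAIT seconds.
FREE_ATTEMPTS = 3
BASE_WAIT = 5.0
MAX_WAIT = 300.0


class LoginThrottle:
    """Per-account failure counter with a wait-time gate.

    `clock` is injectable so the behaviour can be exercised without sleeping.
    """

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.failures = {}    # account -> consecutive wrong passwords
        self.not_before = {}  # account -> earliest time the next attempt is accepted

    def wait_remaining(self, account):
        """Seconds the caller must still wait before the next attempt (0.0 if none)."""
        return max(0.0, self.not_before.get(account, 0.0) - self.clock())

    def attempt(self, account, password, verify):
        """Return (accepted, wait_seconds).

        An attempt made while the wait-time is still running is refused
        without consulting `verify`; it neither counts as a new failure nor
        resets the timer. A correct password clears the failure history.
        """
        wait = self.wait_remaining(account)
        if wait > 0:
            return False, wait
        if verify(account, password):
            self.failures.pop(account, None)
            self.not_before.pop(account, None)
            return True, 0.0
        n = self.failures.get(account, 0) + 1
        self.failures[account] = n
        if n >= FREE_ATTEMPTS:
            wait = min(MAX_WAIT, BASE_WAIT * 2 ** (n - FREE_ATTEMPTS))
            self.not_before[account] = self.clock() + wait
            return False, wait
        return False, 0.0


class FakeClock:
    """Manually advanced clock for the stand-alone demo."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    """Three wrong passwords, one attempt during the wait, then the right one."""
    clock = FakeClock()
    throttle = LoginThrottle(clock)
    verify = lambda account, pw: pw == "correct horse"   # constructed credential check
    results = [throttle.attempt("admin", "guess%d" % i, verify) for i in range(3)]
    results.append(throttle.attempt("admin", "correct horse", verify))  # still waiting: refused
    clock.advance(5.0)
    results.append(throttle.attempt("admin", "correct horse", verify))  # wait expired: accepted
    return results


if __name__ == "__main__":
    for accepted, wait in demo():
        print("accepted" if accepted else "refused", "wait=%.0fs" % wait)
```

The fourth attempt in `demo()` uses the correct password and is still refused: the gate is evaluated before the credential, which is what prevents an attacker from simply trying faster. Tracking failures per account rather than per source address is deliberate; a distributed guesser changes addresses, but the account it is attacking does not.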

Buffer Overflow

A buffer overflow occurs when a program or process tries to store more data in a buffer (a temporary data storage area) than it was intended to hold. The excess data overflows into adjacent memory, corrupting or overwriting the valid data held there, including return addresses and pointers the program relies on. Intruders can craft that excess data so the program ends up executing code of their choosing, giving them control of the system, a way to install a backdoor, or a base from which to attack other devices.

CA

A Certification Authority (CA) issues certificates and vouches for the binding between each certificate's public key and the identity of its owner. Anyone who trusts the CA can therefore trust the certificates it has signed, which is why the set of trusted CA certificates installed on a device should be kept to those actually needed.

Certificates

Certificates (also called digital IDs) can be used to authenticate users. Certificates are based on public-private key pairs. They provide a way to exchange public keys for use in authentication.


Glossary

CF (Content Filtering)

Content filtering restricts or blocks access to certain web features or content from web pages.

CHAP

Challenge Handshake Authentication Protocol (RFC 1994) is an alternative to PAP that avoids sending passwords over the wire by using a challenge/response technique: the authenticator sends a random challenge, the peer answers with a one-way hash (MD5) of an identifier, the shared secret and the challenge, and the authenticator recomputes the hash and compares. Because the challenge is different each time, a captured response cannot be replayed; the secret itself, however, must be stored in a form the authenticator can hash, so it must be protected on both ends.
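The CHAP exchange above, as an added example with both sides written out (this is illustrative code, not from the handbook or from any ZyWALL implementation; the peer name and shared secret are constructed). The response is computed exactly as RFC 1994 specifies, MD5 over the one-byte identifier, the secret and the challenge value, and the authenticator consumes each challenge once so that a replayed response fails.

```python
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """RFC 1994 response value: MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side: issues challenges and checks responses; the password never
    travels over the wire, only the hash of it with the challenge."""

    def __init__(self, secrets):
        self.secrets = secrets     # peer name -> shared secret (bytes); constructed store
        self.pending = {}          # identifier -> outstanding challenge value
        self.next_id = 1

    def challenge(self):
        identifier = self.next_id & 0xFF
        self.next_id += 1
        value = os.urandom(16)     # unpredictable, so an old response cannot be replayed
        self.pending[identifier] = value
        return identifier, value

    def verify(self, identifier, name, response):
        value = self.pending.pop(identifier, None)   # each challenge is usable once
        if value is None or name not in self.secrets:
            return False
        expected = chap_response(identifier, self.secrets[name], value)
        return hmac.compare_digest(expected, response)   # constant-time comparison


class ChapPeer:
    """Client side: holds the secret and answers a challenge."""

    def __init__(self, name, secret):
        self.name = name
        self.secret = secret

    def respond(self, identifier, challenge_value):
        return self.name, chap_response(identifier, self.secret, challenge_value)


def run_exchange(server, peer):
    """One Challenge -> Response -> Success/Failure round; True means Success."""
    identifier, value = server.challenge()              # Challenge packet
    name, response = peer.respond(identifier, value)    # Response packet
    return server.verify(identifier, name, response)    # Success or Failure packet


if __name__ == "__main__":
    server = ChapAuthenticator({"branch-router": b"constructed-shared-secret"})
    print(run_exchange(server, ChapPeer("branch-router", b"constructed-shared-secret")))  # True
    print(run_exchange(server, ChapPeer("branch-router", b"wrong-secret")))               # False
```

An eavesdropper who captures the challenge and response learns nothing it can reuse against a fresh challenge, but it can run an offline dictionary attack against the secret, since MD5 is fast; CHAP therefore still needs a strong shared secret.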

Classifier

In computer networking, a classifier groups traffic based on specific criteria such as the IP address, port or protocol, etc.

CLI

In this interface, you can use line commands to configure the device or perform advanced device diagnostics and troubleshooting.

CNM

Vantage Centralized Network Management is a software suite that allows you to manage

many geographically dispersed ZyXEL devices from one location.

Community

This is the SNMP equivalent of a password. In SNMP versions 1 and 2c the community string travels in cleartext, so the default names (such as "public") should be changed, write access should be disabled unless needed, and SNMP should be reachable only from the management network.

Console

This is a device (usually a computer) that you use to manage a networking device via a serial

port (RS232) connection.

Cookie

A string of characters saved by a web browser on the user’s hard disk.

Data Integrity

The IPSec receiver can validate packets sent by the IPSec sender to ensure that the data has

not been altered during transmission.

DDNS (Dynamic Domain Name System)

With Dynamic DNS support, you can have a static hostname alias for a dynamic IP address,

allowing the host to be more easily accessible from various locations on the Internet. You

must register for this service with a Dynamic DNS service provider to use this service.

DDoS (Distributed Denial of Service)

A DDoS attack is one in which multiple compromised systems attack a single target, thereby

causing denial of service for users of the targeted system. See also DoS.

Decryption

Decryption is the process of taking encrypted data and decoding it so that it becomes

readable. See also Encryption, Cipher, Plaintext, Ciphertext.

DES (Data Encryption Standard)

A symmetric (private-key) block cipher with a 56-bit key. DES was designed at IBM and adopted in 1977 as a U.S. federal standard by the National Bureau of Standards (now NIST); it was approved for protecting government data that is not classified. The key is written as 64 bits, but 8 of them are parity bits, leaving 56 effective key bits, and the cipher transforms the message in 64-bit blocks (export-restricted products once shipped 40-bit variants, which are weaker still). A 56-bit key is far too small against modern brute-force search, so single DES should be treated as broken; running DES three times with independent keys (3DES) keeps the algorithm usable where AES is not available. See also 3DES and AES.


DH

Diffie-Hellman is a public-key cryptography protocol that allows two parties to establish a shared secret over an unsecured communications channel. Diffie-Hellman is used within IKE SA setup to establish session keys.
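The exchange above, as an added example (not the handbook's or ZyXEL's code). It uses the 1024-bit MODP prime of IKE Diffie-Hellman group 2 with generator 2, copied from RFC 2409 section 6.2 (confirm against the RFC before reusing it); the nonces and the SHA-256 key derivation are stand-ins for IKE's PRF-based SKEYID computation and are assumptions of this example. Besides the core arithmetic it shows the check a practitioner would want: rejecting the degenerate public values 0, 1 and p-1, which an active attacker can substitute to force the shared secret into a one- or two-element set.

```python
import hashlib
import secrets

# 1024-bit MODP prime of IKE Diffie-Hellman group 2 (RFC 2409, section 6.2),
# generator 2. Copied here for the example; confirm against the RFC before reuse.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
G = 2
P_BYTES = (P.bit_length() + 7) // 8


def dh_keypair(p=P, g=G):
    """Private exponent x in [1, p-2] and public value g^x mod p."""
    x = secrets.randbelow(p - 2) + 1
    return x, pow(g, x, p)


def dh_shared(private, peer_public, p=P):
    """g^xy mod p. Rejects 0, 1 and p-1: an active attacker who replaces the
    peer's public value with one of these forces the result to 0, 1 or +/-1."""
    if not 1 < peer_public < p - 1:
        raise ValueError("peer public value out of range")
    return pow(peer_public, private, p)


def session_key(shared, nonce_i, nonce_r):
    """Stand-in KDF (assumption of this example): IKE derives SKEYID from the
    nonces and g^xy with a PRF; here a single SHA-256 over the same inputs."""
    return hashlib.sha256(nonce_i + nonce_r + shared.to_bytes(P_BYTES, "big")).digest()


def exchange():
    """Both parties end with the same key; an eavesdropper sees only the
    public values and nonces, from which the key cannot be computed."""
    x_i, pub_i = dh_keypair()        # initiator
    x_r, pub_r = dh_keypair()        # responder
    nonce_i, nonce_r = secrets.token_bytes(16), secrets.token_bytes(16)
    key_i = session_key(dh_shared(x_i, pub_r), nonce_i, nonce_r)
    key_r = session_key(dh_shared(x_r, pub_i), nonce_i, nonce_r)
    return key_i, key_r


if __name__ == "__main__":
    k_i, k_r = exchange()
    print("keys match:", k_i == k_r)
```

Diffie-Hellman on its own gives secrecy against a passive listener only; it is the authentication step of IKE phase 1 (pre-shared key or certificates) that binds the public values to the parties and defeats a man-in-the-middle.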

DHCP (Dynamic Host Configuration Protocol)

A method for automatically assigning IP addresses to hosts on a network. Depending upon the specific device model, ZyWALL devices can allocate dynamic IP addresses to hosts, receive dynamically assigned IP addresses, or receive DHCP information from a DHCP server and relay the information to hosts.

DHCP Relay

Dynamic Host Confi guration Protocol Relay is a function that allows DHCP data to be

forwarded between the computer that requests the IP address and the DHCP server.

Dial Backup

Dial backup is an auxiliary WAN connection that you can use if your primary WAN link goes

down.

DMZ (Demilitarized Zone)

From the military term for an area between two opponents where fighting is prevented. In firewall terms, a DMZ is a separate network segment placed between the protected LAN and the untrusted WAN, on which publicly reachable servers (web, mail, DNS) are located, so that a compromise of one of those servers does not give the attacker a foothold directly on the internal LAN; the firewall still mediates traffic between the DMZ and the LAN. DMZ Ethernets connect networks and computers controlled by different bodies. They may be external or internal. External DMZ Ethernets link regional networks with routers.

DNAT

DNAT (Destination NAT) is used to change the destination IP address in a packet.

DNS (Domain Name System)

Domain Name System links names to IP addresses. When you access Web sites on the Internet

you can type the IP address of the site or the DNS name.

DoS (Denial of Service)

Act of preventing customers, users, clients or other computers from accessing data on a

computer. This is usually accomplished by interrupting or overwhelming the computer with

bad or excessive information requests.

Dynamic DNS

With Dynamic DNS support, you can have a static hostname alias for a dynamic IP address,

allowing the host to be more easily accessible from various locations on the Internet. You

must register for this service with a Dynamic DNS service provider to use this service.

Encryption

Encryption is the process of changing data into a form that can be read only by the intended receiver. To decipher the message, the receiver of the encrypted data must have the proper decryption key.

In traditional (symmetric) encryption schemes, the sender and the receiver use the same key to encrypt and decrypt data. Public-key encryption schemes use two keys: a public key, which anyone may use, and a corresponding private key, which is possessed only by the person who created it. With this method, anyone may send a message encrypted with the owner's public key, but only the owner has the private key necessary to decrypt it. DES (Data Encryption Standard) and 3DES (Triple DES) are two of the most widely used symmetric schemes, not public-key schemes; in a VPN they protect the bulk data, while public-key methods (certificates and digital signatures) are used to authenticate the parties and public-key agreement (see DH) is used to establish the symmetric keys.


ESP/AH

The IP-level security protocols AH and ESP were originally defined by the IETF working group focused on IP security mechanisms, IPSec. The term IPSec is used loosely here to refer to packets, keys, and routes that are associated with these protocols. The IP Authentication Header (AH) protocol provides integrity and authentication for the whole packet, including the outer IP header, but no confidentiality; because it authenticates the outer header, AH cannot pass through NAT (see NAT-T). The Encapsulating Security Payload (ESP) provides confidentiality (encryption) and, optionally, integrity and authentication of the encapsulated data. ESP with both encryption and authentication enabled is the usual choice for a VPN; ESP with encryption but no authentication leaves the ciphertext open to undetected modification.

Ethernet

A local area network technology invented at the Xerox Corporation, Palo Alto Research Center. Ethernet is a best-effort delivery system that uses CSMA/CD technology. Ethernet can be run over a variety of cable schemes, including thick coaxial, thin coaxial, twisted pair, and fiber optic cable. Ethernet is a standard for connecting computers into a local area network (LAN). The most common form of Ethernet at the time of writing is called 10BaseT, which denotes a peak transmission speed of 10 Mbps using copper twisted-pair cable.

Extranet

The connecting of two or more intranets. An intranet is an internal Web site that allows

users inside a company to communicate and exchange information. An extranet connects

that virtual space with the intranet of another company, thus allowing these two (or more)

companies to share resources and communicate over the Internet in their own virtual space.

This technology greatly enhances business-to-business communications.

Firewall

A device that controls the connection of one network to another, filtering traffic both entering and leaving according to a policy. Firewalls are used by companies to limit what outside parties can reach on network-connected servers and what inside hosts can reach outside, so that damage (intentional or otherwise) by those who connect to them is contained. A firewall may be a dedicated appliance or software running on a general-purpose host.

Gateway

Also called a router, a gateway is a program or a special-purpose device that transfers IP datagrams from one network to another until the final destination is reached.

ICMP (Internet Control Message Protocol)

Occasionally a gateway or destination host uses ICMP to communicate with a source host,

for example, to report an error in datagram processing. ICMP uses the basic support of IP as

if it were a higher level protocol, however, ICMP is actually an integral part of IP, and must be

implemented by every IP module.

IDP (Intrusion Detection and Prevention)

An IDP system can detect malicious or suspicious packets and respond.

IEEE 802.1Q

IEEE 802.1Q was a project in the IEEE 802 standards process to develop a mechanism to allow

multiple bridged networks to transparently share the same physical network link without

leakage of information between networks (i.e. trunking). IEEE 802.1Q is also the name of

the standard issued by this process, and in common usage the name of the encapsulation

protocol used to implement this mechanism over Ethernet networks.

IGP (Interior Gateway Protocol)

An IGP is a protocol for exchanging routing information between routers within an autonomous system (for example, a system of corporate local area networks). The exchanged information is used to build the routing tables that decide how IP traffic is forwarded. RIP and OSPF are the IGPs described in this glossary.


IKE (Internet Key Exchange)

Internet Key Exchange is a two-phase security negotiation and key management service

— phase 1 (Authentication) and phase 2 (Key Exchange). A phase 1 exchange establishes an

IKE SA and phase 2 uses that SA to negotiate SAs for IPSec.

IM (Instant Messaging)

IM refers to chat applications. Chat is real-time, text-based communication between two or more users via network-connected devices.

Ingress

Ingress is the act of entering something. An ingress port is an incoming port, that is, the port

that a data packet enters from another port. An ingress router is a router through which a

data packet enters a network from another network.

Internet

(Upper case "I".) The vast collection of inter-connected networks that use TCP/IP protocols, evolved from the ARPANET (Advanced Research Projects Agency Network) of the late 1960s and early 1970s.

Intranet

A play on the word Internet, an intranet is a restricted-access network that works like the Web, but isn't on it. Usually owned and managed by a corporation, an intranet enables a company to share its resources with its employees without confidential information being made available to everyone with Internet access.

IP (Internet Protocol)

An Internet standard protocol that defines a basic unit of data called a datagram. A datagram is used in a connectionless, best-effort delivery system. The Internet protocol defines how information gets passed between systems across the Internet.

IP Multicast

Traditionally, IP packets are transmitted in one of either two ways - Unicast (one sender to one

recipient) or Broadcast (one sender to everybody on the network). IP Multicast is a third way

to deliver IP packets to a group of hosts on the network — not everybody.

IPSec (IP Security)

Security standard produced by the Internet Engineering Task Force (IETF). It is a protocol suite that provides everything you need for secure communications (authentication, integrity, and confidentiality) and makes key exchange practical even in larger networks. See also ESP/AH.

ISAKMP

The Internet Security Association and Key Management Protocol (ISAKMP) provides a framework for Internet key management and provides the specific protocol support for negotiation of security attributes. By itself, it does not establish session keys; however, it can be used with various session key establishment protocols to provide a complete solution to Internet key management.

Java

Java is a programming language expressly designed for use in the distributed environment of

the Internet. It was designed to have the “look and feel” of the C++ language, but it is simpler

to use than C++ and enforces an object-oriented programming model.


LAN (Local Area Network)

Any network technology that interconnects resources within an office environment, usually at high speeds, such as Ethernet. A local area network is a short-distance network used to link a group of computers together within a building. LANs are typically limited to distances of less than 1,640 feet (500 meters) and provide low-cost, high-bandwidth networking capabilities within a small geographical area.

Load Balancing

Load balancing is the process of dividing traffic loads among interfaces (or ports). This improves quality of service and maximizes bandwidth utilization.

MAC Address (Media Access Control Address)

An address that uniquely identifies a network interface, such as an Ethernet adapter. For Ethernet, the MAC address is 6 octets: the first three (the Organizationally Unique Identifier) are assigned to the manufacturer by the IEEE, and the manufacturer assigns the remaining three. On a LAN or other network, the MAC address is a computer's hardware address (on an Ethernet LAN it is the same as the Ethernet address). When you are connected to the Internet from your computer (or host, as the Internet protocol thinks of it), a correspondence table (the ARP cache) relates your IP address to your computer's physical (MAC) address on the LAN. The MAC address is used by the Media Access Control sub-layer of the Data-Link Control (DLC) layer of telecommunication protocols. There is a different MAC sub-layer for each physical device type. A MAC address can be changed in software, so it identifies an interface but does not authenticate it; MAC-based filtering is a convenience, not a security boundary.

MD5

Message Digest 5 is a hash algorithm that produces a 128-bit message digest. In its keyed form, HMAC-MD5 (RFC 2403 describes its use in AH and ESP), it is used to authenticate packet data. Practical collision attacks against MD5 mean it should no longer be relied on for digital signatures or certificates; HMAC-MD5 is not broken by those collisions, but SHA-based algorithms are preferred where the peer supports them. See also SHA-1.

Metric

A value associated with a route that the virtual router uses to select the active route when there are multiple routes to the same destination network with the same preference value. The metric value for connected routes is always 0. The default metric value for static routes is 1, but you can specify a different value when defining a static route.

NAT (Network Address Translation)

The translation of the source IP address in a packet header to a different IP address. Translated

source IP addresses can come from a dynamic IP address pool or from the IP address of the

egress interface.

NAT-T (NAT-Traversal)

A method for allowing IPSec traffic to pass through NAT devices along the data path of a VPN by adding a layer of UDP encapsulation. The method first provides a means for detecting NAT devices during Phase 1 IKE exchanges, and then a means for traversing them after Phase 2 IKE negotiations are complete.

Netmask

A netmask indicates which part of an IP address indicates network identification and which part indicates the host identification. For example, the IP address and netmask 10.20.30.1 255.255.255.0 (or 10.20.30.1/24) refers to all the hosts in the 10.20.30.0 subnet. The IP address and netmask 10.20.30.1 255.255.255.255 (or 10.20.30.1/32) refers to a single host. See also Subnet Mask.

OSPF

OSPF is a link-state protocol designed to distribute routing information within an

autonomous system (AS).


P2P (Peer-to-Peer)

Peer-to-Peer (P2P) is where devices link to each other without an intermediary and either

device can initiate communications.

Phishing

Phishing is a type of security attack that relies on social engineering in that it lures the victim

into revealing information based on the human tendency to believe in the security of a brand

name because they associate the brand name with trustworthiness.

PKI (Public Key Infrastructure)

PKI is the framework of servers, software, procedures and policies that handles (public-key

cryptography) keys.

Policy Routing

Traditionally, routing is based on the destination address only and the router takes the shortest path to forward a packet. IP Policy Routing (IPPR) provides a mechanism to override the default routing behavior and forward the packet based on the policy defined by the network administrator.

PPPoE (Point-to-Point Protocol over Ethernet)

Allows multiple users at a site to share the same digital subscriber line, cable modem, or wireless connection to the Internet. You can configure PPPoE client instances, including the user name and password, on any or all interfaces on some ZyWALL devices.

Proxy

Proxy or proxy server is a technique used to cache information on a Web server and act

as an intermediary between a Web client and that Web server. It basically holds the most

commonly and recently used content from the World Wide Web for users in order to provide

quicker access and to increase server security.

QoS (Quality of Service)

Quality of Service refers to both a network’s ability to deliver data with minimum delay, and

the networking methods used to provide bandwidth for real-time multimedia applications.

RIP (Routing Information Protocol)

An interior or intra-domain routing protocol that uses distance-vector routing algorithms.

RIP is used on the Internet and is common in the NetWare environment as a method for

exchanging routing information between routers.

Rootkit

A root kit is a set of tools used by an intruder after cracking a computer system. These

tools can help the attacker maintain his or her access to the system and use it for malicious

purposes.

Router

A device that forwards packets between networks based on network-layer (IP) addresses, choosing the next hop from its routing table and exchanging routing information with other routers inside or outside the local routing domain. Routers that apply access rules also act as a first filter, admitting only permitted traffic into the local network so that private information can remain secure. In addition to forwarding, routers report errors (see ICMP), keep network usage statistics, and handle security-related functions.

SA (Security Association)

An SA is a unidirectional agreement between the VPN participants regarding the

methods and parameters to use in securing a communication channel. For bidirectional

communication, there must be at least two SAs, one for each direction. The VPN participants

negotiate and agree to Phase 1 and Phase 2 SAs during an AutoKey IKE negotiation. See also

SPI.


SGMP

A proprietary protocol implemented in ZyXEL products for the purpose of communication in

between devices and centralized management station.

SHA-1

Secure Hash Algorithm-1, an algorithm that produces a 160-bit hash from a message of arbitrary length. It was long regarded as more secure than MD5 because of the larger hashes it produces; collision attacks have since been demonstrated against SHA-1 as well, so it should not be used for new signatures or certificates, although HMAC-SHA-1 for packet authentication (RFC 2404) is not affected by those collisions. Prefer the SHA-2 family where both VPN peers support it.
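How the keyed forms of the two hashes (MD5 above and SHA-1 here) authenticate packet data, as an added example that is not part of the handbook and not ZyXEL code. Both RFC 2403 (HMAC-MD5-96) and RFC 2404 (HMAC-SHA-1-96) keep only the first 96 bits of the HMAC as the Integrity Check Value and fix the key size at the hash's output length; the packet layout used here (SPI, sequence number, payload, ICV) is a simplified ESP-style framing constructed for the example, not the real header format.

```python
import hashlib
import hmac

ICV_LEN = 12  # 96 bits: RFC 2403 (HMAC-MD5-96) and RFC 2404 (HMAC-SHA-1-96) keep the first 96 bits

# Key sizes the two RFCs require: 128-bit for HMAC-MD5, 160-bit for HMAC-SHA-1.
KEY_LEN = {"md5": 16, "sha1": 20}


def compute_icv(key, authenticated_data, algo):
    """Integrity Check Value: truncated HMAC over the data AH/ESP protects."""
    if len(key) != KEY_LEN[algo]:
        raise ValueError("%s key must be %d bytes" % (algo, KEY_LEN[algo]))
    return hmac.new(key, authenticated_data, algo).digest()[:ICV_LEN]


def seal(key, spi, seq, payload, algo):
    """Simplified ESP-style layout (constructed for this example):
    SPI (4) || sequence number (4) || payload || ICV (12).
    The ICV covers everything before it, so the SPI and the sequence
    number are protected against modification as well as the payload."""
    header = spi.to_bytes(4, "big") + seq.to_bytes(4, "big")
    return header + payload + compute_icv(key, header + payload, algo)


def open_packet(key, packet, algo):
    """Return (spi, seq, payload), or None when the ICV does not verify.
    compare_digest avoids leaking how many ICV bytes matched through timing."""
    if len(packet) < 8 + ICV_LEN:
        return None
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    if not hmac.compare_digest(compute_icv(key, body, algo), icv):
        return None
    return int.from_bytes(body[:4], "big"), int.from_bytes(body[4:8], "big"), body[8:]


def tamper(packet, offset):
    """Flip one bit at `offset`; used to show the ICV catches any modification."""
    b = bytearray(packet)
    b[offset] ^= 0x01
    return bytes(b)


if __name__ == "__main__":
    key = bytes(range(20))                           # constructed 160-bit SHA-1 key
    pkt = seal(key, 0x1000, 1, b"hello ipsec", "sha1")
    print(open_packet(key, pkt, "sha1"))             # (4096, 1, b'hello ipsec')
    print(open_packet(key, tamper(pkt, 8), "sha1"))  # None: payload changed
    print(open_packet(key, tamper(pkt, 4), "sha1"))  # None: sequence number changed
```

Because the sequence number is inside the authenticated region, a receiver that also tracks a replay window can reject resent packets; without the ICV, an attacker could rewrite the counter and bypass that window.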

SIP (Session Initiation Protocol)

SIP is an IETF (Internet Engineering Task Force)-standard protocol for initiating, modifying, and

terminating multimedia sessions over the Internet. Such sessions might include conferencing,

telephony, or multimedia, with features such as instant messaging and application-level

mobility in network environments.

SNAT

SNAT (Source NAT) is used to change the source IP address in a packet.

SNMP

SNMP is a popular management protocol defined by the Internet community for TCP/IP networks. It is a communication protocol for collecting information from devices on the network.

Spam

Spam is unsolicited “junk” e-mail sent to large numbers of people to promote products or

services.

Spyware

A general term for a program that surreptitiously monitors your actions. While they are

sometimes sinister, like a remote control program used by a hacker, software companies have

been known to use Spyware to gather data about customers. See also Adware.

SPI (Security Parameters Index)

An SPI is used to distinguish different SAs terminating at the same destination and using the

same IPSec protocol. This data allows for the multiplexing of SAs to a single gateway. The SPI

(Security Parameter Index) along with a destination IP address uniquely identify a particular

Security Association. See also SA.

SSH (Secure Shell)

A protocol that allows device administrators to manage the device remotely over an encrypted and authenticated channel, in place of cleartext Telnet. You can run either an SSH version 1 or version 2 server on the ZyWALL device; version 1 has known protocol weaknesses, so version 2 should be selected unless a legacy client forces otherwise.

Stateful Inspection

A firewall method that tracks the state of every connection passing through it. When a connection is legitimately opened (for example, a TCP SYN from the protected side), the firewall records it in a connection table; later packets are accepted only if they belong to a recorded connection and fit the state it is in, and a packet that matches no entry, such as an unsolicited SYN-ACK or data segment arriving from outside, is dropped. This goes beyond stateless packet filtering, which judges each packet by its own headers alone and so has to leave reply ports open permanently.
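A minimal connection table of the kind the definition describes, as an added example (not ZyWALL code; the addresses and the LAN-to-WAN policy are constructed). The table is keyed by the 4-tuple in the initiator's direction, so a reply from the WAN is found by looking up the reversed tuple; each packet is then checked against the transition the session state expects, which is what makes an unsolicited SYN-ACK or a data segment before the handshake fall through to DROP.

```python
from collections import namedtuple

# A packet as the firewall sees it after the IP and TCP headers are parsed.
# flags is a frozenset such as {"SYN"}, {"SYN", "ACK"}, {"ACK"}, {"FIN", "ACK"}, {"RST"}.
Packet = namedtuple("Packet", "proto src sport dst dport flags")


class StatefulFilter:
    """Connection table for a LAN-to-WAN policy (constructed example):
    hosts in `lan` may open TCP sessions outward; a packet from anywhere else
    is accepted only when it continues a session the table already holds,
    and only if it is the packet that session's state expects next."""

    def __init__(self, lan):
        self.lan = set(lan)
        self.sessions = {}   # (initiator, port, responder, port) -> state

    @staticmethod
    def _fwd(p):
        return (p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _rev(p):
        return (p.dst, p.dport, p.src, p.sport)

    def filter(self, p):
        if p.proto != "tcp":
            return "DROP"    # TCP only, to keep the example focused
        if self._fwd(p) in self.sessions:
            return self._advance(self._fwd(p), p, from_initiator=True)
        if self._rev(p) in self.sessions:
            return self._advance(self._rev(p), p, from_initiator=False)
        # No session: only a plain SYN from a LAN host may create one.
        if p.src in self.lan and p.flags == {"SYN"}:
            self.sessions[self._fwd(p)] = "SYN_SENT"
            return "ACCEPT"
        return "DROP"

    def _advance(self, key, p, from_initiator):
        state = self.sessions[key]
        if "RST" in p.flags:                         # either side may abort
            del self.sessions[key]
            return "ACCEPT"
        if state == "SYN_SENT":
            if from_initiator and p.flags == {"SYN"}:            # retransmitted SYN
                return "ACCEPT"
            if not from_initiator and p.flags == {"SYN", "ACK"}:
                self.sessions[key] = "SYN_RECV"
                return "ACCEPT"
        elif state == "SYN_RECV" and from_initiator and "ACK" in p.flags:
            self.sessions[key] = "ESTABLISHED"
            return "ACCEPT"
        elif state == "ESTABLISHED":
            if "FIN" in p.flags:
                self.sessions[key] = "CLOSING"
            return "ACCEPT"
        elif state == "CLOSING":
            if "FIN" in p.flags:                     # second FIN: tear the entry down
                del self.sessions[key]
            return "ACCEPT"
        return "DROP"        # packet does not fit the state (e.g. data before the handshake)


def demo():
    fw = StatefulFilter(lan={"192.168.1.10"})
    lan, web, port = "192.168.1.10", "203.0.113.5", 40000   # constructed addresses
    trace = [
        ("unsolicited SYN from WAN", Packet("tcp", web, 80, lan, port, frozenset({"SYN"}))),
        ("LAN opens session",        Packet("tcp", lan, port, web, 80, frozenset({"SYN"}))),
        ("WAN SYN-ACK reply",        Packet("tcp", web, 80, lan, port, frozenset({"SYN", "ACK"}))),
        ("LAN completes handshake",  Packet("tcp", lan, port, web, 80, frozenset({"ACK"}))),
        ("WAN data on session",      Packet("tcp", web, 80, lan, port, frozenset({"ACK"}))),
        ("WAN SYN-ACK, no session",  Packet("tcp", web, 80, lan, port + 1, frozenset({"SYN", "ACK"}))),
        ("WAN resets session",       Packet("tcp", web, 80, lan, port, frozenset({"RST"}))),
        ("WAN data after reset",     Packet("tcp", web, 80, lan, port, frozenset({"ACK"}))),
    ]
    return [(label, fw.filter(pkt)) for label, pkt in trace]


if __name__ == "__main__":
    for label, verdict in demo():
        print("%-26s %s" % (label, verdict))
```

A production implementation additionally ages entries out (a half-open or idle session must not hold a slot forever, see SYN Attack) and checks sequence numbers, so that a spoofed RST has to land inside the receive window to tear a session down.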

Static Routing

User-defined routes that cause packets moving between a source and a destination to take a specified path. Static routing algorithms are table mappings established by the network administrator prior to the beginning of routing. These mappings do not change unless the network administrator alters them. Algorithms that use static routes are simple to design and work well in environments where network traffic is relatively predictable and where network design is relatively simple.


Subnet Mask

In larger networks, the subnet mask lets you define subnetworks. For example, if you have a class B network, a subnet mask of 255.255.255.0 specifies that the first two portions of the decimal dot format are the network ID, while the third portion is a subnet ID. The fourth portion is the host ID. If you do not want to have a subnet on a class B network, you would use a subnet mask of 255.255.0.0.

A network can be subnetted into one or more physical networks which form a subset of the main network. The subnet mask is the part of the IP address which is used to represent a subnetwork within a network. Using subnet masks allows you to use network address space which is normally unavailable and ensures that network traffic does not get sent to the whole network unless intended. See also Netmask.
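The mask arithmetic behind both the Netmask and the Subnet Mask entries, as an added example written out by hand rather than with a library (not the handbook's code; the addresses are the glossary's own 10.20.30.1 examples plus a constructed class B one). Besides splitting an address into network and host parts, it does the validation a firewall rule parser needs: rejecting malformed octets and non-contiguous masks such as 255.255.0.255, which are a common source of rules that match nothing or far too much.

```python
def dq_to_int(dotted):
    """Dotted quad -> 32-bit integer, rejecting malformed input."""
    parts = dotted.split(".")
    if len(parts) != 4 or not all(p.isdigit() and 0 <= int(p) <= 255 for p in parts):
        raise ValueError("bad dotted quad: %r" % dotted)
    return int.from_bytes(bytes(int(p) for p in parts), "big")


def int_to_dq(n):
    return ".".join(str(b) for b in n.to_bytes(4, "big"))


def prefix_len(mask):
    """Length of the network part, e.g. 255.255.255.0 -> 24.
    A mask must be a run of ones followed by zeros; 255.255.0.255 is rejected."""
    m = dq_to_int(mask)
    ones = bin(m).count("1")
    if m != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError("non-contiguous netmask: %s" % mask)
    return ones


def split_address(addr, mask):
    """(network part as dotted quad, host number) for addr under mask."""
    a, m = dq_to_int(addr), dq_to_int(mask)
    prefix_len(mask)                    # validate the mask before using it
    return int_to_dq(a & m), a & ~m & 0xFFFFFFFF


def same_subnet(addr1, addr2, mask):
    """True when both addresses share the network part, i.e. they reach each
    other directly without going through a router."""
    m = dq_to_int(mask)
    return dq_to_int(addr1) & m == dq_to_int(addr2) & m


def usable_hosts(mask):
    """Host addresses available, excluding network and broadcast addresses
    (a /32 names exactly one host; a /31 is the point-to-point special case)."""
    n = prefix_len(mask)
    if n >= 31:
        return 1 if n == 32 else 2
    return 2 ** (32 - n) - 2


def subnet_id(addr, classful_mask, subnet_mask):
    """Bits between the classful boundary and the subnet mask: for a class B
    network subnetted with 255.255.255.0 this is the third octet."""
    a = dq_to_int(addr)
    c, s = dq_to_int(classful_mask), dq_to_int(subnet_mask)
    if prefix_len(subnet_mask) < prefix_len(classful_mask):
        raise ValueError("subnet mask shorter than classful mask")
    return (a & s & ~c & 0xFFFFFFFF) >> (32 - prefix_len(subnet_mask))


if __name__ == "__main__":
    print(split_address("10.20.30.1", "255.255.255.0"))      # ('10.20.30.0', 1)
    print(split_address("10.20.30.1", "255.255.255.255"))    # ('10.20.30.1', 0)
    print(usable_hosts("255.255.255.0"), usable_hosts("255.255.255.255"))  # 254 1
    print(subnet_id("172.16.30.7", "255.255.0.0", "255.255.255.0"))        # 30
```

The contiguity check in `prefix_len` is the one worth remembering: an IP stack or firewall that silently accepts 255.255.0.255 will compute a "network" that bears no relation to the CIDR prefix the administrator thought they wrote.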

SYN Attack

A SYN attack floods a targeted system with a series of SYN packets, usually from spoofed source addresses. Each packet causes the targeted system to issue a SYN-ACK response. While the targeted system waits for the ACK that follows the SYN-ACK, it queues up all outstanding SYN-ACK responses on a backlog queue. SYN-ACKs are moved off the queue only when an ACK comes back or when an internal timer terminates the three-way handshake. Once the queue is full, the system ignores all incoming SYN requests, making the system unavailable for legitimate users. Mitigations include a shorter handshake timer, a larger backlog, rate limits on new SYNs per source, and SYN cookies, which let the server answer a SYN without storing any state until the final ACK arrives.
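The backlog mechanism above modelled in Python, as an added example that is not part of the handbook (the backlog size, timer and spoofed addresses are constructed). It shows the failure mode the definition describes: spoofed SYNs never complete the handshake, so they occupy slots until the timer fires, and a legitimate SYN arriving while the queue is full is simply dropped.

```python
from collections import OrderedDict


class SynBacklog:
    """Model of a listening socket's half-open queue.

    Each SYN that is answered with a SYN-ACK occupies a slot until the peer's
    ACK arrives or `timeout` seconds pass. `clock` is injectable for the demo."""

    def __init__(self, size, timeout, clock):
        self.size, self.timeout, self.clock = size, timeout, clock
        self.half_open = OrderedDict()   # (src, sport) -> deadline

    def _expire(self):
        now = self.clock()
        for key, deadline in list(self.half_open.items()):
            if deadline <= now:          # handshake timer fired: free the slot
                del self.half_open[key]

    def on_syn(self, src, sport):
        """Return 'SYN-ACK' when a slot is free, else 'DROP' (the SYN is ignored)."""
        self._expire()
        if (src, sport) in self.half_open:
            return "SYN-ACK"             # retransmitted SYN, no new slot
        if len(self.half_open) >= self.size:
            return "DROP"
        self.half_open[(src, sport)] = self.clock() + self.timeout
        return "SYN-ACK"

    def on_ack(self, src, sport):
        """Third handshake packet: frees the slot; True when a connection is made."""
        return self.half_open.pop((src, sport), None) is not None


class FakeClock:
    """Manually advanced clock so the demo runs without waiting."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


def flood_demo(backlog_size=256, timeout=60.0):
    """Spoofed-source SYNs never complete the handshake, so they sit in the
    backlog until the timer fires; a real client is refused until then."""
    clock = FakeClock()
    backlog = SynBacklog(backlog_size, timeout, clock)
    # Constructed flood: one SYN from each of backlog_size spoofed sources.
    spoofed = ["198.51.100.%d" % (i % 256) for i in range(backlog_size)]
    for i, src in enumerate(spoofed):
        backlog.on_syn(src, 1024 + i)    # nobody answers the SYN-ACK
    during = backlog.on_syn("192.0.2.10", 50000)      # legitimate client, queue full
    clock.now += timeout                              # every spoofed entry times out
    after = backlog.on_syn("192.0.2.10", 50000)
    completed = backlog.on_ack("192.0.2.10", 50000)
    return during, after, completed


if __name__ == "__main__":
    print(flood_demo())   # ('DROP', 'SYN-ACK', True)
```

Note the arithmetic: with this queue the attacker only needs to send `backlog_size` SYNs every `timeout` seconds to keep the service down, which is why a bigger backlog or shorter timer helps only marginally and SYN cookies, which remove the per-SYN state entirely, are the standard answer.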

Syslog

A protocol that enables a device to send log messages to a host running the syslog daemon

(syslog server). The syslog server then collects and stores these log messages locally.

TCP/IP (Transmission Control Protocol/Internet Protocol)

TCP/IP is a set of communication protocols that support peer-to-peer connectivity functions

for both local and wide area networks. (A communication protocol is a set of rules that allow

computers with different operating systems to communicate with each other.) TCP/IP controls

how data is transferred between computers on the Internet.

Trojan (Trojan Horse)

A Trojan horse is a harmful program that is hidden inside apparently harmless programs or data. See also Backdoor.

UDP (User Datagram Protocol)

UDP is a connectionless transport service that dispenses with the reliability services provided

by TCP. UDP gives applications a direct interface with the Internet Protocol (IP) and the ability

to address a particular application process running on a host via a port number without

setting up a connection session.

UPnP (Universal Plug and Play)

Universal Plug and Play (UPnP) is a distributed, open networking standard that uses TCP/IP

for simple peer-to-peer network connectivity between devices. A UPnP-enabled device can

dynamically join a network, obtain an IP address, convey its capabilities and learn about other

devices on the network.

URL (Uniform Resource Locator)

A standard way developed to specify the location of a resource available electronically. Also referred to as a location or address, URLs specify the location of files on servers. A general URL has the syntax protocol://address. For example, http://www.zyxel.com/product/overview.php specifies that the protocol is HTTP and the address is www.zyxel.com/product/overview.php

Virtual Link

In OSPF, a virtual link establishes/maintains connectivity between a non-backbone area and

the backbone.

Virus

A computer virus is a small program designed to corrupt and/or alter the operation of other

legitimate programs.


VLAN (Virtual Local Area Network)

A VLAN allows a physical network to be partitioned into multiple logical networks. Only

stations within the same group can communicate with each other. Stations on a logical

network can belong to one or more groups.

VoIP (Voice over Internet Protocol)

Voice over Internet Protocol is the converting of the voice signal to data (IP) packets and

then sending the packets over an IP network.

VPN (Virtual Private Network)

A VPN is an easy, cost-effective and secure way for corporations to provide teleworkers and

mobile professionals local dial-up access to their corporate network or to another Internet

Service Provider (ISP). Secure private connections over the Internet are more cost-effective

than dedicated private lines. VPNs are possible because of technologies and standards such

as tunneling, screening, encryption, and IPSec.

VRRP

Virtual Router Redundancy Protocol, defined in RFC 2338 (later revised in RFC 3768 and RFC 5798), allows you to create redundant backup gateways to ensure that the default gateway of a host is always available.

Vulnerability

Point where a system can be attacked.

WAN (Wide Area Networks)

WANs link geographically dispersed offices in other cities or around the globe, using switched and permanent telephone circuits, terrestrial radio systems and satellite systems.

WINS (Windows Internet Naming Service)

WINS is a service for mapping IP addresses to NetBIOS computer names on Windows NT

server-based networks. A WINS server maps a NetBIOS name used in a Windows network

environment to an IP address used on an IP-based network.

Worms

A worm is a program that is designed to copy itself from one computer to another on a

network. A worm’s uncontrolled replication consumes system resources thus slowing or

stopping other tasks.

X.509 (Binary X.509)

X.509 is an ITU-T recommendation that defines the formats for X.509 certificates.

X-Auth (Extended Authentication)

X-Auth (Extended Authentication) provides added security for VPN by requiring each VPN

client to use a username and password.

Z-end (IPSec)

This is the end of a VPN tunnel opposite the A-end (see also A-end).

ZLD

ZLD is the firmware used in some ZyXEL products.

Zombie

A host/workstation being used by malicious software to perform a task without the

knowledge of the user.
