firewall training 2008
TRANSCRIPT
-
7/25/2019 Firewall Training 2008
1/258
ZyXEL Security Training
2008
Zsolt Benk
ZyXEL Certified Master Trainer
ZyXEL Hungary
-
IT security issues
-
Today's Top 4 Security Headaches
IM and P2P applications: cause productivity loss and even legal troubles; IM/P2P-manageable firewalls are hard to install and manage.
Virus and worm: damage computer infrastructures; Layer 7 inspection degrades performance significantly.
Unsolicited spam mails: contaminate legitimate messages and can even cripple corporate servers.
Non-business web surfing, spyware, phishing: leak sensitive, valuable personal and corporate information.
-
Protect computer networks against virus intrusions and attacks
-
Control of IM/P2P application use to increase employee productivity
File Sharing Applications: consume an excessive amount of bandwidth and share sensitive corporate documents
Instant Messaging Applications: increase potential legal liability, waste personnel time and network resources
Software Tunnel Applications: bypass the firewall to expose organizations to risk, and waste network resources
Webmail/Posting Applications: increase potential legal liability, and share sensitive corporate documents
-
Filter non-work related and unproductive web surfing to mitigate spyware and phishing threats
-
Eliminate spam mails to block unwanted messages every day
-
ZyXEL advanced technologies
-
Reasons to buy a ZyWALL
Right Speed Matters
Breaking UTM Bottleneck
High performance with 8-in-1 features
8-in-1(VPN/FW/LB/BWM/CF/AV/(AS)/IDP) Complete Security Features
Superb Performance Even with All Security Services Activated
Advanced Technology
Cutting-Edge ZLD v2 to Integrate 8 Security Modules
Integrated #1 Kaspersky Anti-Virus
Built-in High performance SecuASIC chipset
Less Efforts to Install and Setup
User-aware, object oriented setup with text based configuration files
-
High performance with 8-in-1 features
-
Enterprise/Large-Mid Security Demand - Approach to Complete Network Protection
Advantages: Provides a comprehensive security approach
Figure: between the Internet and the Users/Servers sit VPN / Firewall, Anti-Spam, IDS / IDP, Anti-Virus, Web Filters, Bandwidth Mgmt and Load Balance
Firewall: Control permitted traffic in and out
VPN: Delivering secure remote access
Load Balance: Utilize multiple WANs
Bandwidth Mgmt: Traffic shaping
Web filters: Eliminate unproductive web-browsing
Anti-Virus: Protect from virus infection
IDS / IDP: Protect against malicious attacks
Anti-Spam: Reduce unwanted email
-
SMB Security Demand:
- Same threats as Enterprise/Large-Mid
- Limited budget
- Limited IT staff
Apply to SMB Security Demand - Approach to Complete Network Protection
Figure: the same chain of VPN / Firewall, Anti-Spam, IDS / IDP, Anti-Virus, Web Filters, Bandwidth Mgmt and Load Balance between the Internet and the Users/Servers, collapsed into a single UTM box
Advantages: Provides a comprehensive security approach
Potential burden: Requires multiple products (high cost); increases network complexity and operational cost
UTM (Unified Threat Management)
-
Advanced Technology
-
ZyWALL Core Advanced Technology
ZyWALL developed a Unique Security System for Complete 8-in-1 and Real-Time Network Protection
1. Proprietary Security Acceleration Chip: hardware scanning engine, hardware encryption, real-time content analysis
2. Linux based Security Hardened OS: networking operating system optimized for security enhanced processing, designed for high performance
3. Integrated Kaspersky Gateway Anti-Virus: #1 detection rates, #1 response time to new threats, #1 updating frequency
-
ZLD integrates 8 modules
Firewall, VPN, Anti-Spam, Intrusion Prevention, Anti-Virus, Web Content Filtering, Bandwidth Management, Load Balance
Enterprise Security Demand and SMB Security Demand are both served by the USG (Unified Security Gateway)
Designed to Solve Top 4 Security Headaches
-
The Power of ZyXEL SecuASIC(TM)
Source: ZyXEL Internal
Chart: performance against inspection flow (Packet Filter -> Firewall -> IDP -> Anti-Virus)
- No ASIC / Other ASIC: Layer 3 application
- ZyXEL SecuASIC: Layer 7 application, 5X to 20X
Software-based UTM: 99% performance drop
Other ASIC-based UTM: still no effective way for higher performance
ZyXEL SecuASIC UTM: most effective way for higher performance; same performance even as signatures keep growing
Other UTMs: lower performance day by day
-
Current ASIC Solutions' Problems
Right step on ASIC solution
Good approach to accelerate AV & IDP functions, certainly a step in the right direction.
Other ASIC scheme problems
String-Matching
Results in immense throughput degradation. The more rules grow in the signature database, the more time inspection needs.
File-based Scanning
Multi-packet files must be re-assembled first, and then scanned.
A file whose inspected size exceeds the available memory inside simply can NOT be processed.
-
ZyXEL SecuASIC Technologies
DFA (Deterministic Finite Automata) Algorithm:
Regardless of the size of the rules, the number of rules or the rule complexity, the throughput speed remains unaffected.
Stream-based Scanning
Packets are processed sequentially; suspicious code is detected and reported without affecting throughput. Complete inspection occurs with no limitation on file size.
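The two properties above, a DFA whose per-byte cost does not depend on the rule set and a scanner that carries its state from packet to packet instead of re-assembling files, as an added example (not ZyXEL or SecuASIC code): an Aho-Corasick automaton compiled into a full transition table and run over a constructed packet stream. The signature strings and packet payloads are constructed.

```python
from collections import deque


class StreamScanner:
    """DFA built from a signature set; one table lookup per input byte, whatever the rule count."""

    def __init__(self, signatures):
        self.goto = [{}]      # trie transitions per state
        self.out = [[]]       # signatures ending in each state
        self.fail = [0]       # Aho-Corasick failure links
        for sig in signatures:
            s = 0
            for b in sig:
                if b not in self.goto[s]:
                    self.goto[s][b] = self._new_state()
                s = self.goto[s][b]
            self.out[s].append(sig)
        self._build_failure_links()
        self._compile_dfa()
        self.state = 0        # carried across packets, so no file reassembly is needed
        self.offset = 0       # bytes consumed so far in the stream

    def _new_state(self):
        self.goto.append({})
        self.out.append([])
        self.fail.append(0)
        return len(self.goto) - 1

    def _build_failure_links(self):
        queue = deque(self.goto[0].values())      # depth-1 states fail to the root
        while queue:
            r = queue.popleft()
            for b, s in self.goto[r].items():
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                self.out[s] = self.out[s] + self.out[self.fail[s]]
                queue.append(s)

    def _compile_dfa(self):
        # Resolve the failure links into a full 256-way transition table per state:
        # scanning then costs exactly one lookup per byte, independent of the rule count.
        self.delta = []
        for s in range(len(self.goto)):
            row = [0] * 256
            for b in range(256):
                f = s
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                row[b] = self.goto[f].get(b, 0)
            self.delta.append(row)

    def scan_packet(self, payload):
        """Feed one packet; return (signature, stream offset of its last byte) hits."""
        hits = []
        for b in payload:
            self.state = self.delta[self.state][b]
            self.offset += 1
            for sig in self.out[self.state]:
                hits.append((sig, self.offset))
        return hits


# Constructed sample rules (not a real signature set).
SIGNATURES = [b"X5O!P%@AP", b"cmd.exe /c", b"<script>"]


def scan_stream(packets, signatures=SIGNATURES):
    """Scan a sequence of packet payloads as one stream, packet by packet."""
    scanner = StreamScanner(signatures)
    hits = []
    for payload in packets:
        hits.extend(scanner.scan_packet(payload))
    return hits


if __name__ == "__main__":
    # Constructed stream: "cmd.exe /c" and "<script>" each straddle a packet boundary.
    packets = [b"GET /a HTTP/1.1 cm", b"d.exe /c dir <scr", b"ipt>alert(1)</script>"]
    print(scan_stream(packets))
```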
-
ZyWALL Overview / Portfolio
ZyWALL Landscape
Family Matrix
-
Next Generation ZyWALL - Unified Security Gateway
Our Technology Is Evolving
ZyWALL UTM (Unified Threat Management): IP-based; IPSec VPN; Dual WAN; 1000+ signatures, non-certified; Anti-Spam; Content Filtering; user-aware Application Patrol (IM/P2P), IP-based
Next Generation ZyWALL USG: Hybrid VPN (IPSec VPN + SSL VPN); user-/application-based; Multiple WAN; ICSA-certified, 10,000+ signatures; NSS-certified; Enhanced Anti-Spam; Secure Content Mgmt; Device HA; Secure Wireless Mgmt; Multi-lingual WebGUI; and more
Performance: more horse power
Flexible: user-aware/app-centric; object-based; VLAN & flexible zone
Anti-X: AV/IDP with more signatures; IM/P2P/Application Patrol; AS with RBL/ORDBL
Hybrid VPN: IPSec VPN & SSL VPN; L2TP VPN
Misc: enterprise-level features; user-friendly
-
Mid-Large (100-500 users)
SMB (50-100 users)
SB(
-
ZyWALL USG Series Positioning (price vs. features, from SB to SMB)
ZyWALL USG series: Hybrid VPN (SSL + IPSec); UTM + Web Security (HTTP firewall); IM/P2P management; 3G, WLAN security; ICSA certifications
ZyWALL USG 100: 1. 2 WANs, 7 Giga ports, 2 USB; 2. FW 100M, IPSec 50M, UTM 24M; 3. Recommended: 1~25 PC users
ZyWALL USG 200: 3 WANs, 100 IPSec, 10 SSL; 1. 3 WANs, 7 Giga ports, 2 USB; 2. FW 150M, IPSec 75M, UTM 24M; 3. Recommended: 25~50 PC users
ZyWALL USG 300: M-WANs, 200 IPSec, 25 SSL; 1. M WANs, 7 Giga ports, 2 USB; 2. FW 200M, IPSec 100M, UTM 48M; 3. Recommended: 50~75 PC users
ZyWALL USG 1000: 19" rack mount, flexible zone, 300M FW, 1000 IPSec, 250 SSL; 1. M WANs, 5 Giga ports, 2 USB, HDD; 2. FW 350M, IPSec 150M, UTM 100M; 3. Recommended: 75~200 PC users
ZyWALL USG 2000: HDD support, SFP, redundant power, 2000 IPSec, 750 SSL; 1. M WANs, 8 Giga ports, 2 USB, HDD; 2. FW 2G, IPSec 500M, UTM 400M; 3. Recommended: 200~500 PC users
Availability labels on the chart: Available, Q208, FCS, ENT
-
ZyWALL Product Family - ZyWALL P1
! World's first palm-sized hardware VPN client and Internet security appliance for personal network protection
! ICSA-certified IPSec 1.1D VPN (1 VPN tunnel) and SPI firewall (80 Mbps)
! Allows for mass, platform-independent deployment without software installation efforts
! Proactive endpoint security provides effective network protection
! ZyXEL Centralized Network Management (CNM) support
! USB-powered
! Integrated gateway with built-in anti-virus and intrusion detection/prevention (in future release)
-
ZyWALL Product Family - ZyWALL 2WG
! Cutting-edge 3G+WiFi router with best security functions for SOHO and remote offices
! Internet access through 3G networks (HSDPA, UMTS, GPRS, EDGE)
! Dual-band, tri-mode Access Point (802.11a/b/g)
! Advanced ICSA-certified ZyNOS SPI firewall (24 Mbps) and IPSec VPN (5 VPN tunnels) protection
! Configurable 4-port LAN/DMZ/WLAN zones
! Web-based Content Filtering services
Supported 3G Cards:
Sierra Wireless: AC595, AC850, AC860, AC875
Huawei: E612, E620 Option GT HSDPA 7.2 Ready, EC500
-
ZyWALL 2WG
LEDs: PWR
Interfaces: Extension Card Slot (to install a 3G/3.5G card); Dial-Backup: RJ45; 1-port WAN; 4-port LAN/DMZ; Power Jack
WiFi Antenna: 2 dBi antenna x 2
-
ZyWALL Product Family - ZyWALL 2 Plus
! Internet Security Appliance
! ICSA-certified IPSec VPN (5 VPN tunnels) and SPI firewall (24 Mbps)
! Customizable Web content filtering
! DoS/DDoS intrusion prevention
! ZyXEL Centralized Network Management (CNM) support
-
ZyWALL Product Family - ZyWALL 5 UTM
! Integrated Internet Security Appliance with Unified Threat Management
! ICSA-certified IPSec 1.1D VPN (10 VPN tunnels) and SPI firewall (50 Mbps)
! Integrated high-performance gateway with built-in anti-virus, anti-spam, intrusion detection/prevention, and content filtering
! Flexible and configurable interfaces for creating dynamic security policies
! Bandwidth management and Centralized Network Management (CNM) support
-
ZyWALL Product Family - ZyWALL 35 UTM
! Dual-WAN high performance 8-in-1 UTM for Small Business/Remote Office Branch Office
! ICSA-certified IPSec 1.1D VPN (35 VPN tunnels) and SPI firewall (60 Mbps)
! Integrated high-performance gateway with built-in anti-virus, Anti-Spam, IDP, and content filtering
! Dual-WAN ports for auto-failover/fallback and load balancing
! Flexible and configurable interfaces for creating dynamic security policies
! Bandwidth management and Centralized Network Management (CNM) support
-
ZyWALL Product Family - ZyWALL 70 UTM
! Dual-WAN high performance 8-in-1 UTM for SMB (30 ~ 100 PC users)
! ICSA-certified IPSec 1.1D VPN (100 VPN tunnels) and SPI firewall (75 Mbps)
! Integrated high-performance gateway with built-in anti-virus, Anti-Spam, IDP, and content filtering
! Dual-WAN ports for auto-failover/fallback and load balancing
! Dedicated 4 DMZ ports for public Internet servers
! Bandwidth management and Centralized Network Management (CNM) support
-
ZyWALL USG 100
LEDs: PWR; SYS; AUX (status of Dial Backup/Dial-In); CARD (status of Extension Card Slot)
Interfaces: (1) WAN1: 10/100/1000; (1) WAN2: 10/100/1000; (5) LAN1/LAN2/DMZ: 10/100/1000, configurable port role; (2) USB 2.0, for 3G etc.; Console: DB-9 F; Dial-Backup/Dial-In OOB (AUX): DB-9 M
Power: 12VDC, 100~240VAC
Extension Card Slot (future upgrade): 1. 3G cellular card; 2.  Wireless LAN card etc.
-
ZyWALL USG 100 vs ZyWALL 5 UTM
More interfaces; all Gigabit Ethernet; SecuASIC inside; USB, 3G; multiple WAN
*: ZyWALL Turbo AV+IDP Accelerator
-
ZyWALL USG 200
LEDs: PWR; SYS; AUX (status of Dial Backup/Dial-In); CARD (status of Extension Card Slot)
Interfaces: (2) WAN1, WAN2: 10/100/1000; (1) Optional: 10/100/1000 (can be 3rd WAN, or additional LAN/DMZ); (4) LAN1/LAN2/DMZ: 10/100/1000, configurable port role; (2) USB 2.0, for 3G etc.; Console: DB-9 F; Dial-Backup/Dial-In OOB (AUX): DB-9 M
Power: 12VDC, 100~240VAC
Extension Card Slot (future upgrade): 1. 3G cellular card; 2. Wireless LAN card etc.
-
ZyWALL USG 200 vs ZyWALL 35 UTM
USB, 3G; OPT port; more interfaces; all Gigabit Ethernet; SecuASIC inside
*: ZyWALL Turbo - SMART Accelerator
-
ZyWALL Product Family - ZyWALL USG 300
! Unified Security Gateway for Small and Medium-Sized Businesses
! Hybrid VPN (IPSec/SSL VPN) and robust UTM security services
! High-performance multi-layer threat protection powered by cutting-edge SecuASIC technology
! AppPatrol to manage the use of IM/P2P applications
! User-aware policy engine enables access granularity
! Excellent manageability with object- and text-based configuration files as well as centralized network management
-
ZyWALL USG 300
LEDs: PWR; SYS; AUX (status of Dial Backup/Dial-In); CARD1 (status of Extension Card Slot 1); CARD2 (status of Extension Card Slot 2)
Interfaces: (7) Gigabit Ethernet: 10/100/1000, configurable port role; (2) USB 2.0, for printer, storage etc.; Dial-Backup/Dial-In OOB: DB-9 M; Console: DB-9 F
Power: 100~240VAC
Extension Card Slot: future upgrade
-
ZyWALL Product Family - ZyWALL USG 1000
! Professional VPN concentrator/UTM appliance for SMB/Mid- to Large-Sized Organizations
! Hybrid VPN (IPSec/SSL VPN) and robust UTM security
! High-performance multi-layer threat protection, powered by SecuASIC technology
! AppPatrol to manage the use of IM/P2P applications
! High Availability features
! Excellent object oriented, text based manageability
-
ZyWALL USG 1000
5 definable GbE (Gigabit Ethernet) interfaces: deliver flexible network partitioning
Power switch, 100~240VAC
Extension Card Slot, HDD slot and USB ports (for future use)
Built-in SecuASIC and VPN crypto: delivers robust UTM and VPN performance
Ventilation fans
-
ZyWALL Product Family - ZyWALL 1050
! Best performance UTM/VPN concentrator security appliance for Mid-Large SMB (75 ~ 200 PC users)
! High firewall/VPN performance (300 Mbps/150 Mbps) with Gigabit Ethernet ports
! Anti-virus, Anti-Spam, IDP, and content filtering
! High availability with built-in device and VPN redundancy
! User aware policy management, and VLAN support
! Excellent object oriented, text based manageability
-
ZyWALL USG 2000
Interfaces: 6 GbE: 10/100/1000 (Auto MDI/MDIX); 2 SFP: dual-personality combo port
HDD Slot: HDD expansion slot
AUX & Console: dial-in management & RS-232 console
Power Redundancy: redundant power module
Security Extension Module: SEM-VPN, SEM-UTM, SEM-DUAL
Card Slot: CardBus slot
Fan: ventilation fans
LEDs: PWR: power status; SYS: system status; AUX (status of dial-in function); HDD (status of hard drive); SEM (VPN/UTM accel.); CARD: 3G card status
USB: USB 2.0 (host) ports x 2
-
Security Extension Card (SEM Card) - for ZyWALL USG 2000
Card Type   UTM Performance   VPN Performance   Max. IPSec VPN Tunnels   Max. SSL VPN Users
SEM-DUAL    400Mbps           500Mbps           2,000                    750
SEM-UTM     400Mbps           100Mbps           1,000                    250
SEM-VPN     100Mbps           500Mbps           2,000                    750
-
ZyWALL USG Series   USG 100               USG 200                    USG 300            USG 1000           USG 2000
CPU                 Freescale 8343E       Freescale 8343E            Freescale 8349E    Pentium M 1.8G     Intel E6400
Flash/DRAM          255M/256M             256M/256M                  256M/256M          256M/1G            256M/2G
SecuASIC            CIP1001 * 1           CIP1001 * 1                CIP1001 * 2        CIP2001 * 1        CIP3001 * 1*
Firewall            100M                  150M                       200M               350M               2G
VPN                 50M                   75M                        100M               150M               500M*
UTM                 24M                   24M                        48M                100M               400M*
Sessions            20k                   40k                        60k                200k               1kk
Session Rate        1k                    1.4k                       2k                 13k                20k
Interface (GbE)     2*WAN, 5*LAN/DMZ      2*WAN, 1*OPT, 4*LAN/DMZ    7 configurable     5 configurable     6 configurable, 2 SFP (combo)
IPSec VPN           50                    100                        200                1000               2000
SSL VPN             2 -> 5                2 -> 10                    2 -> 10 -> 25**    5 -> 50 -> 250**   5 -> 200 -> 750**
USB                 2                     2                          2                  2                  2
Extension Slot      1 (Cardbus)           1 (Cardbus)                2 (Cardbus)        1 (Cardbus)        1 (Cardbus)
SFP                 No                    No                         No                 No                 Yes
* Needs SEM module on USG 2000
** In a future firmware release
-
ZyWALL Product Family - ZyWALL SSL10
! Professional integrated SSL VPN appliance for small and medium-sized businesses
! Clientless secure remote access
! Seamless integration with the current ZyWALL UTM Series
! Supports AD/LDAP/RADIUS and two-factor authentication
! Endpoint security check
! Unified policy management with object-based configuration
! Dual-mode (NAT/DMZ mode) installation with setup wizard
-
ZyWALL Product Family - ZyWALL OTP
! One-Time Password Token for Strong Two-Factor Authentication Solution
! Strong Two-Factor Authentication Solution
! One Token for Many Applications
! No Expiration Date for Lower Op
! Intuitive and Easy to Install, Use and Manage
! Seamless Integration with ZyWALL Security Products
-
ZyWALL OTP Starter Kit
Includes 2 tokens and 1 CD (ZyXEL/Authenex server software)
Designed for new/potential customers to test and use
ZyWALL OTP 5U
Includes 5 ZyWALL OTP tokens
Designed for customers who already bought the Starter Kit and need more tokens for more users
ZyWALL OTP 10U
Includes 10 ZyWALL OTP tokens
Designed for customers who already bought the Starter Kit and need more tokens for more users
-
ZyWALL Product Family - ZyWALL IPSec VPN Client
! IPSec VPN Client Software for Mobile Users
! Windows Vista support
! Interoperability with ZyWALL and most IPSec VPN gateways
! IPSec VPN tunneling with DES/3DES/AES encryption
! User authentication with X-Auth, PEM or PKCS#12 certificates, pre-shared keys
! DPD and redundant gateway
-
ZyWALL Feature Matrix - Networking/Security
-
ZyWALL Feature Matrix - System/WAN Type
-
ZyWALL Feature Matrix - HA/Authentication/Management
-
Solution Scenario - Less than 10 PC Users
! Secures an office with a single broadband Internet connection.
! Provides secure remote access and protects endpoint devices.
! Measures mitigating application-level attacks should be taken.
-
Solution Scenario - 10 to 50 PC Users
! Requires site-to-site and remote VPN access capabilities.
! Requires firewall protection at the main and branch offices.
! Each endpoint device needs to be secured.
! Measures against application-level attacks should be taken so that valuable information assets will be well protected.
-
Solution Scenario - 50 to 70 PC Users
! Requires site-to-site and remote VPN access and firewall protection in a distributed network. Prevents threats from viruses, worms, trojans and remote attacks.
! Each endpoint device needs to be secured.
! Requires high availability of Internet access and QoS management at the main office.
-
How about a coffee break?
-
ZyWALL USG Anti-X
Security Services Introduction
Anti-Virus and IDP
Anti-Spam
Content Filtering
Best-of-breed Technologies Integrated
-
Kaspersky Anti-Virus Technology: world's fastest virus updater
ZyXEL IDP & AppPatrol Technology: more than 2000 signatures; IM/P2P application blocking
Mailshell Anti-Spam Technology: advanced SpamAdaptAI system with fuzzy logic learning; more than 300,000 rules, dynamically updated
BlueCoat Content Filtering Technology: dynamically updated ratings of millions of web sites; 56 content filtering categories
-
ZyWALL Security Services Overview
Subscription-based
Each ZyWALL supports an expanding array of subscription-based security services designed to integrate seamlessly into a network and provide complete protection.
Auto Update
With integrated support for Anti-Virus, IDP, Anti-Spam and Content Filtering, ZyWALL intelligently enforces and updates each of these services as updates occur.
Easy to integrate and maintain
With ZyWALL, businesses can avoid the integration and maintenance problems that often result from sourcing, installing, and maintaining multiple security products and services from multiple vendors.
-
ZyWALL Gateway Anti-Virus service
-
Anti-Virus Specifications
Stream-based gateway AV: ICSA-certified (in progress); zone-based AV inspection
Protocols supported: HTTP/SMTP/POP3/FTP/IMAP4
Performance: HW-accelerated SecuASIC; throughput over 96 Mbps for ALL protocols; no file size limit; no concurrent session limit
Compression: archives ZIP/GZIP/PKZIP up to 100 concurrent archives; RAR up to 16 concurrent archives
-
Zone-Based Virus Inspection
Enabling configuration of different AV inspection rules to meet the security policy
-
Anti-Virus (cont.)
-
BWL (Blacklist & Whitelist): supports blocking of user-definable filenames and/or file extensions, e.g. *.mp3; up to 512 entries (BWL altogether)
Action on virus: log / alert; destroy infected files; send Windows Message (to both origin and destination)
Reporting: in Dashboard, top-5 viruses & total viruses detected; in Threat Report, virus statistics
-
Blacklist & Whitelist in AV
Can detect and then block (or allow, in the whitelist) files by file pattern (file extension), e.g. *.mp3, *.mpeg
-
Anti-Virus SKU
Trial period: 30 days free trial
SKU: iCard, Anti-Virus 1-year, ZyWALL 1050; iCard, Anti-Virus 2-year, ZyWALL 1050
-
ZyWALL Gateway AS Overview
-
ZyWALL features high catching rate Anti-Spam and Anti-Phishing
ZyWALL Gateway Anti-Spam, powered by Mailshell
Real-time auto updates for consistent accuracy
98% high spam catching rate and 0.05% low false positive rate
More than 1 million spam filter checks, constantly updated in real time
Block non-English language spam with language independent filters
Protect against phishing in email with the latest anti-fraud filters
Customizable Blacklists and Whitelists
Create blacklists to block spam by IP address, sender name, or MIME header, and customize whitelists for safe e-mail from customers, partners, or important news sources.
-
How Anti-Spam Works?
! Identify mail content
! Create a digest and send it to the rating server
! Get the reply with the digest score
! Take the appropriate action (Pass or Spam)
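The four-step flow above, together with the blacklist/whitelist checks from the previous slide (by IP address, sender name or MIME header), as an added example that is not ZyWALL or Mailshell code: the rating server is replaced by a local stub, and the policy entries, threshold and messages are constructed.

```python
import email
import email.utils
import hashlib
import re
from email import policy

# Constructed policy (not ZyWALL configuration): blacklist by sender IP, sender name
# or MIME header; whitelist entries override the blacklist and the rating step.
BLACKLIST = {
    "ip": {"203.0.113.9"},                      # TEST-NET-3 address, constructed
    "sender": {"promo@spam.example"},
    "header": {("X-Mailer", "BulkBlaster")},
}
WHITELIST = {"sender": {"alerts@partner.example"}}
SPAM_THRESHOLD = 70                             # digest scores at or above this are spam

# Stand-in for the remote rating server: digest -> score (constructed values).
RATING_DB = {}


def content_digest(body):
    """Step 2: normalise the body and hash it, so only a digest leaves the network."""
    normalised = re.sub(r"\s+", " ", body.strip().lower())
    return hashlib.sha256(normalised.encode("utf-8")).hexdigest()


def query_rating(digest):
    """Step 3: the rating server's reply for this digest (unknown digests score 0)."""
    return RATING_DB.get(digest, 0)


def classify(raw_message, source_ip):
    """Run the anti-spam decision for one message; return (action, reason)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    sender = email.utils.parseaddr(msg.get("From", ""))[1].lower()
    if sender in WHITELIST["sender"]:
        return "pass", "whitelisted sender"
    if source_ip in BLACKLIST["ip"]:
        return "spam", "blacklisted IP"
    if sender in BLACKLIST["sender"]:
        return "spam", "blacklisted sender"
    for name, value in BLACKLIST["header"]:
        if msg.get(name, "") == value:
            return "spam", "blacklisted header " + name
    # Step 1: identify the mail content (text/plain body only in this example).
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part is not None else ""
    score = query_rating(content_digest(body))
    # Step 4: take the appropriate action.
    return ("spam" if score >= SPAM_THRESHOLD else "pass"), "digest score %d" % score


# Constructed spam sample, pre-registered with the stub rating server.
SPAM_BODY = "Buy now!!! Cheap watches, click here"
RATING_DB[content_digest(SPAM_BODY)] = 95


def demo():
    # Constructed messages and source addresses (RFC 5737 documentation ranges).
    samples = [
        ("From: promo@spam.example\nSubject: hi\n\nhello\n", "198.51.100.7"),
        ("From: alerts@partner.example\n\n" + SPAM_BODY + "\n", "203.0.113.9"),
        ("From: user@example.net\nX-Mailer: BulkBlaster\n\nhi\n", "198.51.100.7"),
        ("From: user@example.net\n\n" + SPAM_BODY + "\n", "198.51.100.7"),
        ("From: user@example.net\n\nmeeting at 3\n", "198.51.100.7"),
    ]
    return [classify(raw, ip) for raw, ip in samples]


if __name__ == "__main__":
    for action, reason in demo():
        print(action, "-", reason)
```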
-
BlueCoat Content Filtering
Supported since v4.0
HTTP is checked on demand against the BlueCoat server
Figure: client -> ZyWALL -> Internet -> www.zyxel.com, with the ZyWALL querying the BlueCoat server for the category of www.zyxel.com
1. Request to www.zyxel.com
2. Follow the category result to forward/block the HTTP response
Need a break..?
-
IPSec VPN
-
What is VPN?
Virtual Private Network
Figure: a private network carried across the Internet
-
Why VPN?
Security
- Authentication
- Encryption
Cost
- Reducing the number of access lines
- Cut long distance phone charges
-
Benefit of VPN Tunnel
Figure: traffic between two sites crosses the Internet inside the tunnel; a sniffer on the Internet can't reach or understand it
-
IPSec
Internet Protocol Security
IPSec operates at the Network Layer (IPSec Protocol), below the Transport and Application Layers and above the Data Link and Physical Layers.
-
IPSec (cont.)
Two operation modes:
- Transport mode
- Tunnel mode
Figure: Tunnel Mode and Transport Mode connections across the Internet
-
IPSec (cont.)
Benefits of IPSec
- Confidentiality
- Integrity
- Guarantee of data source
- Replay protection
-
Security Association
Security Contract
- How data is protected
- Security parameters exchange
Figure: A and B across the Internet, each holding the same set of parameters: DES, MD5, Key, PFS
-
SA Creation
Manually: offline negotiation; never expires; debugging tool
Dynamically: IKE (Internet Key Exchange)
-
SA Deletion
SA lifetime expired (seconds/bytes)
SA deletion requested
Connection idle time out (ZyXEL)
Keys compromised
Re-keying
IPSec doesn't provide the ability to refresh keys. Instead, we have to delete the existing SA and negotiate/create a new SA.
-
ZyXEL VPN Applications
-
Corporate to Corporate
Mobile User
SOHO User
Figure: the corporate ZyWALL connects over the Internet by VPN to a second corporate ZyWALL, to a mobile user and to a SOHO user
-
Features
IPSec Protocol: AH, ESP
Address Type support: Single, Range, Subnet
Replay Detection: protect against replay attacks
Key Management: IKE, Manual
Negotiation Mode: Phase 1: Main, Aggressive; Phase 2: Quick
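The replay detection listed here and the SA lifetime/re-keying rules from the SA Deletion slide (an SA expires by seconds or bytes, and a new SA replaces it rather than refreshing the key in place), as an added example that is not ZyWALL code: an inbound SA model with a sliding anti-replay window, run over a constructed sequence of packets. SPI values, lifetimes and sequence numbers are constructed.

```python
import time


class IPSecSA:
    """One inbound IPSec SA: lifetime counters plus an anti-replay sliding window."""

    WINDOW = 64       # window size in packets (RFC 4303 requires at least 32; 64 is common)

    def __init__(self, spi, life_seconds, life_bytes, now=None):
        self.spi = spi
        self.created = time.time() if now is None else now
        self.life_seconds = life_seconds
        self.life_bytes = life_bytes
        self.bytes_used = 0
        self.highest_seq = 0          # highest sequence number accepted so far
        self.bitmap = 0               # bit i set => (highest_seq - i) already received
        self.deleted = False

    def expired(self, now=None):
        """Lifetime is measured in seconds or bytes, whichever limit is hit first."""
        now = time.time() if now is None else now
        return now - self.created >= self.life_seconds or self.bytes_used >= self.life_bytes

    def check_replay(self, seq):
        """Accept seq only if it is new and inside the window; slide the window on newer packets."""
        if seq == 0:                                  # ESP sequence numbers start at 1
            return False
        if seq > self.highest_seq:
            shift = seq - self.highest_seq
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.WINDOW) - 1)
            self.highest_seq = seq
            return True
        diff = self.highest_seq - seq
        if diff >= self.WINDOW:                       # too old to track: reject
            return False
        if self.bitmap & (1 << diff):                 # already seen: replayed packet
            return False
        self.bitmap |= 1 << diff
        return True


def receive(sa, seq, nbytes, now=None):
    """Process one inbound packet on sa; return 'accept', 'replay' or 'expired'."""
    if sa.deleted or sa.expired(now):
        sa.deleted = True             # the SA is torn down; a new one must be negotiated
        return "expired"
    if not sa.check_replay(seq):
        return "replay"               # duplicate or older than the window
    sa.bytes_used += nbytes
    return "accept"


def rekey(old_sa, new_spi, now=None):
    """Re-keying: there is no in-place key refresh, so a fresh SA replaces the old one."""
    old_sa.deleted = True
    return IPSecSA(new_spi, old_sa.life_seconds, old_sa.life_bytes, now)


def demo():
    # Constructed values: a short byte lifetime so the SA expires within the demo.
    sa = IPSecSA(spi=0x1001, life_seconds=3600, life_bytes=5000, now=0.0)
    results = [receive(sa, seq, 1000, now=1.0) for seq in (1, 2, 3, 2, 70, 3)]
    results.append(receive(sa, 71, 1000, now=2.0))    # reaches the 5000-byte lifetime
    results.append(receive(sa, 72, 1000, now=3.0))    # SA already exhausted
    fresh = rekey(sa, 0x1002, now=3.0)
    results.append(receive(fresh, 1, 1000, now=3.5))  # new SA starts with a clean window
    return results


if __name__ == "__main__":
    print(demo())
```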
-
Security Protocols
ESP (Encapsulation Security Payload)
AH (Authentication Header)
Original packet:  [IP header][Protected data]
ESP:              [IP header][ESP header][Protected data][ESP trailer]
                             |-- authenticated: ESP header .. ESP trailer --|
                                         |-- encrypted: Protected data + ESP trailer --|
AH:               [IP header][AH header][Protected data]
                  |-- authenticated: the whole packet, IP header included --|
-
Address Type
Single: Only one host can use VPN, e.g. 192.168.1.33
Range: A range of hosts can use VPN, e.g. Start: 192.168.1.33, End: 192.168.1.254
-
Address Type (cont.)
Subnet: A subnet of hosts can use VPN, e.g. Start: 192.168.1.0, End (subnet mask): 255.255.255.0
-
Features (cont.)
Party Identification: pre-shared key; digital certificate
Encryption Algorithm: Phase 1: DES, 3DES, AES; Phase 2: DES, 3DES, AES, NULL
Authentication Algorithm: SHA1, MD5
Key Group: DH1, DH2
Perfect Forward Secrecy: None, DH1, DH2
-
How IKE works
Two Phases
- Phase 1: Establish IKE SAs (Main Mode / Aggressive Mode)
- Phase 2: Establish IPSec SAs (Quick Mode)
Three Modes
- Main Mode
- Aggressive Mode
- Quick Mode
-
Phase 2
IPSec SA
-
IPSec SA
- Security Protocol (ESP/AH)
- Encryption algorithm
- Authentication method
- Diffie-Hellman group if PFS
- Mode (Transport/Tunnel)
Policy
- Local/Remote Network
-
IPSec Overview
Phase 1 negotiation (IKE, UDP port 500): both gateways agree on, for example, DES, MD5 and a key for the IKE SA.
Phase 2 negotiation: both gateways agree on, for example, 3DES, SHA-1 and a key for the IPSec SA.
Data then flows inside ESP/AH (no port number).
-
Main Mode
Main Mode exchange (Initiator <-> Responder):
1. Initiator -> Responder: Header, SA
2. Responder -> Initiator: Header, SA
3. Initiator -> Responder: Header, Key, Nonce
4. Responder -> Initiator: Header, Key, Nonce
5. Initiator -> Responder: Header, ID, Hash (encrypted)
6. Responder -> Initiator: Header, ID, Hash (encrypted)
ID: Identification; SA: Security Association; Key: Key Exchange Payload; Nonce: random value
-
Aggressive Mode
Aggressive Mode exchange (Initiator <-> Responder):
1. Initiator -> Responder: Header, SA, Key, Nonce, ID
2. Responder -> Initiator: Header, SA, Key, Nonce, ID, Hash
3. Initiator -> Responder: Header, Hash
Faster but less secure than Main Mode
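The Main Mode and Aggressive Mode exchanges of the two slides above, modelled message by message as an added example (not ZyXEL code) so that a passive observer's view can be compared: Main Mode sends the identities and hashes only after the Diffie-Hellman exchange, under the derived key, while Aggressive Mode puts them on the wire in the clear. The DH group, pre-shared key, identities, nonces and the toy cipher are constructed stand-ins, not IKE's real group or SKEYID_e encryption.

```python
import hashlib
import hmac

# Toy Diffie-Hellman group and pre-shared key (constructed; not DH1/DH2 and not a real secret).
P, G = 2**127 - 1, 5
PSK = b"constructed-preshared-key"
PROPOSAL = "3DES/SHA-1/DH2/PSK"      # the SA payload: the proposed Phase 1 transform


def toy_encrypt(key, data):
    """Toy stream cipher (SHA-256 keystream XOR) standing in for SKEYID_e encryption."""
    out = bytearray()
    for i, byte in enumerate(data):
        block = hashlib.sha256(key + (i // 32).to_bytes(4, "big")).digest()
        out.append(byte ^ block[i % 32])
    return bytes(out)


class Peer:
    def __init__(self, ident, priv, nonce):
        self.ident, self.priv, self.nonce = ident, priv, nonce
        self.pub = pow(G, priv, P)                 # Key Exchange payload (g^x)

    def session_key(self, other_pub, ni, nr):
        # IKEv1 with PSK: SKEYID = prf(PSK, Ni | Nr); the encryption key also binds g^xy.
        secret = pow(other_pub, self.priv, P).to_bytes(16, "big")
        skeyid = hmac.new(PSK, ni + nr, hashlib.sha1).digest()
        return hmac.new(skeyid, secret, hashlib.sha1).digest()

    def auth_hash(self, key, other_ident):
        # Simplified HASH_I / HASH_R: proves knowledge of the PSK and binds both identities.
        return hmac.new(key, self.ident + other_ident, hashlib.sha1).digest()


def phase1(mode, init, resp):
    """Return the wire messages as (sender, cleartext_payloads, encrypted_blob) tuples.
    Every message also carries the ISAKMP Header, which is always in the clear."""
    ni, nr = init.nonce, resp.nonce
    # Both sides can derive the key once the Key and Nonce payloads have been exchanged.
    ki = init.session_key(resp.pub, ni, nr)
    kr = resp.session_key(init.pub, ni, nr)
    assert ki == kr
    if mode == "main":
        return [
            ("I", {"SA": PROPOSAL}, None),
            ("R", {"SA": PROPOSAL}, None),
            ("I", {"Key": init.pub, "Nonce": ni}, None),
            ("R", {"Key": resp.pub, "Nonce": nr}, None),
            # ID and Hash travel only under the freshly derived key.
            ("I", {}, toy_encrypt(ki, init.ident + init.auth_hash(ki, resp.ident))),
            ("R", {}, toy_encrypt(kr, resp.ident + resp.auth_hash(kr, init.ident))),
        ]
    if mode == "aggressive":
        return [
            ("I", {"SA": PROPOSAL, "Key": init.pub, "Nonce": ni, "ID": init.ident}, None),
            ("R", {"SA": PROPOSAL, "Key": resp.pub, "Nonce": nr, "ID": resp.ident,
                   "Hash": resp.auth_hash(kr, init.ident)}, None),
            ("I", {"Hash": init.auth_hash(ki, resp.ident)}, None),
        ]
    raise ValueError(mode)


def observer_view(messages):
    """What a passive sniffer on the path learns: every payload outside the encrypted part."""
    seen = {}
    for _sender, clear, _blob in messages:
        for name, value in clear.items():
            seen.setdefault(name, []).append(value)
    return seen


def compare_modes():
    init = Peer(b"branch.example", 123456789, b"nonce-initiator")   # constructed identities
    resp = Peer(b"hq.example", 987654321, b"nonce-responder")
    result = {}
    for mode in ("main", "aggressive"):
        msgs = phase1(mode, init, resp)
        result[mode] = (len(msgs), sorted(observer_view(msgs)))
    return result


if __name__ == "__main__":
    for mode, (count, visible) in compare_modes().items():
        print(mode + ":", count, "messages, cleartext payloads", visible)
```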
-
Quick Mode
Quick Mode exchange (Initiator <-> Responder):
1. Initiator -> Responder: Header, Hash, SA, Nonce, ID, ID
2. Responder -> Initiator: Header, Hash, SA, Nonce, ID, ID
3. Initiator -> Responder: Header, Hash
Phase 2 is quick: the identities have already been verified in Phase 1
-
Setup ZyWALL for IPSec
LAN 1 LAN 2
-
Information needed before the IPSec setting:
- IP Address
- Security Protocol
- Key Management Method
- Encryption Algorithm
- Authentication Algorithm
- Key Group
- Encapsulation Mode
Figure: Security Gateway -- IPSec connection over the Internet -- Security Gateway
-
Remote Access Today
Common form of secure remote access: IPSec VPN
However, IPSec has the following drawbacks in most remote access scenarios:
It's mandatory to pre-install and pre-configure tens, hundreds or even thousands of client-side encryption software packages; imagine that each installation requires a reboot!
Difficulty traversing a typical firewall (ESP, UDP 500: "Uh?")
Resulting in a massive amount of help-desk calls: "Why did my laptop show a BSOD (Blue Screen of Death)???"
-
SSL VPN
! What is SSL/TLS
! Why SSL VPN
! SSL VPN Applications - Reverse Proxy
! SSL VPN Applications - Network Extension
! IPSec VPN vs. SSL VPN
-
What is SSL/TLS?
! SSL stands for Secure Socket Layer
! Originally created by Netscape.
! Uses RC4, MD5, RSA and other encryption methods
! Widely used for secure web browsing through HTTPS (port 443)
! Handles authentication and encryption
! SSL v2, v3 are commonly deployed
! TLS stands for Transport Layer Security
! IETF adopted SSL, made minor changes and called it TLS
! Successor of SSL
! Traverses NATs without problems
-
HTTPS (using SSL for encryption)
Figure: a lock icon near the bottom right of the screen
-
What's SSL VPN?
Figure: laptop, mobile device, partner and kiosk clients reach the mainframe, server and desktop over the Internet, secured by SSL (SSL VPN)
-
What's SSL VPN?
A type of VPN (Virtual Private Network)
Secures communication between client and server by SSL
Authentication
Data Encryption
Why SSL VPN?
-
Advantages
Clientless
No extra configuration required on the user's machine
Ideal for Mobile Access
SSL VPN Applications
-
7/25/2019 Firewall Training 2008
103/258
Depending on which applications or internal resources can be accessed, there are three Network Access Modes in SSL VPN:
Reverse Proxy
Port Forwarding (not supported by ZLD 2.0)
Network Extension
-
Typical Example of SSL VPN Application
Diagram: a Web browser on a PC at Home reaches, through the Company's SSL VPN, the Email Server, File Server, Authentication Server (LDAP, RADIUS, Active Directory) and Other Servers
-
What is a Reverse Proxy?
A Forward Proxy acts as a proxy for client requests.
A Reverse Proxy acts as a proxy for web servers.
A forward proxy lowers server response time and saves on bandwidth; besides these two benefits, a reverse proxy protects web servers from attacks.
Reverse Proxy vs. Forward Proxy
-
7/25/2019 Firewall Training 2008
106/258
Reverse Proxy
Web Application Access
Diagram: Client browser -- https --> SSL VPN gateway (reverse proxy) -- http --> Applications with Web Interface, e.g. Outlook Web Access Server; the gateway checks the user against the Authentication Server (RADIUS, LDAP, NTLM, Active Directory)
-
7/25/2019 Firewall Training 2008
108/258
CIFS Action
Browse (enter a folder)
Create (folder)
Delete (file or folder)
Rename (file or folder)
Upload (file)
Download (file)
File Sharing User Interface
-
Network Extension
Assigns IP address to client
Allows client to participate in LAN directly
Adds necessary routes on the client machine
Admin configures routes
Users can also manually add routes
-
Network Extension Remote Access
ZyWALL Security Extender (Windows-only for now)
IPSec-like access for any application.
Firewall rules for access control
Diagram: the client browser with the Security Extender (Layer 2 driver / PPTP client application) carries any protocol as PPTP over SSL across the WAN to the SSL VPN Gateway, which authenticates the user against RADIUS, LDAP or Active Directory and forwards to Applications, File Server, Email Server, Desktop Applications and Other Servers
Network Extension Logon Flow (Client <-> SSL VPN Gateway):
1. Browser: log in at the portal over SSL
2. Gateway: download Java applet; Browser: load Java applet
3. Java Applet: create PPP interface, ready to negotiate PPTP connection
4. Negotiate PPTP connection over SSL
5. Gateway: search the SSL VPN policy and assign IP and routing entry, DNS, WINS
6. Java Applet: configure IP, routing entry, DNS, WINS
7. O.K.
Application Access (Network Extension)
Diagram: a Laptop on the Internet connects to the ZyWALL 1050, which assigns the client IP address 192.168.192.75 and provides the routing list 172.21.0.0/16 via 192.168.192.75 and 172.23.0.0/16 via 192.168.192.75 (interfaces eth0 and vlan1)
-
Application Access (Network Extension)
Diagram: the Laptop now reaches host 172.21.1.77 in 172.21.0.0/16 (ge0) and host 172.23.3.26 in 172.23.0.0/16 (vlan1) behind the ZyWALL 1050
Network Extension Applic
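The routing list pushed to the client in the two diagrams above can be checked with the following added example, written for this page and not the ZyWALL Security Extender's code. The tunnel address 192.168.192.75 and the pushed networks come from the slide; the client's pre-existing local routes (10.0.0.0/24 and a default route via 10.0.0.1) and the interface name ppp-ssl are constructed for the demo. It builds the client route table with longest-prefix matching and reports which destinations actually go through the tunnel, which is what an administrator wants to verify before trusting a split-tunnel setup.

```python
"""Client route table installed by Network Extension, with a split-tunnel check.

Added example for this page; it is not the ZyWALL Security Extender's code.
The tunnel address 192.168.192.75 and the pushed networks come from the slide;
the local routes, the default route via 10.0.0.1 and the interface name
"ppp-ssl" are constructed for the demo.
"""
import ipaddress
from typing import List, Optional, Tuple

TUNNEL_IP = "192.168.192.75"                          # assigned by the gateway (slide)
PUSHED_ROUTES = ["172.21.0.0/16", "172.23.0.0/16"]    # routing list from the slide
LOCAL_ROUTES = [                                      # constructed: the client's own routes
    ("10.0.0.0/24", "10.0.0.1", "eth0"),
    ("0.0.0.0/0", "10.0.0.1", "eth0"),                # default route stays on the local NIC
]

Route = Tuple[ipaddress.IPv4Network, str, str]        # (network, gateway, interface)


def build_route_table(pushed: List[str], local, tunnel_ip: str = TUNNEL_IP) -> List[Route]:
    """Merge the pushed tunnel routes with the client's existing routes."""
    table: List[Route] = [(ipaddress.ip_network(n), gw, ifn) for n, gw, ifn in local]
    for net in pushed:
        table.append((ipaddress.ip_network(net), tunnel_ip, "ppp-ssl"))
    # most specific prefix first, so a linear scan is a longest-prefix match
    table.sort(key=lambda r: r[0].prefixlen, reverse=True)
    return table


def add_manual_route(table: List[Route], net: str, tunnel_ip: str = TUNNEL_IP) -> None:
    """'Users can also manually add routes': append and keep the ordering invariant."""
    table.append((ipaddress.ip_network(net), tunnel_ip, "ppp-ssl"))
    table.sort(key=lambda r: r[0].prefixlen, reverse=True)


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match; returns (network, gateway, interface) or None."""
    ip = ipaddress.ip_address(dst)
    for net, gw, ifn in table:
        if ip in net:
            return net, gw, ifn
    return None


def goes_through_tunnel(table: List[Route], dst: str) -> bool:
    """True when the destination is routed via the SSL tunnel interface."""
    r = lookup(table, dst)
    return r is not None and r[2] == "ppp-ssl"


def split_tunnel_report(table: List[Route], destinations: List[str]) -> dict:
    """Which destinations bypass the tunnel (False) and so are not protected by it."""
    return {d: goes_through_tunnel(table, d) for d in destinations}
```

Only destinations inside a pushed network use the tunnel; everything else, including the default route, stays on the local NIC, so a host that must be reached privately has to be in the gateway's routing list or added manually.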
-
7/25/2019 Firewall Training 2008
117/258
-
7/25/2019 Firewall Training 2008
118/258
Known SSL VPN Issues
SUN Java 6 Update 4 has a known interoperability problem with ZyWALL SSL VPN
Microsoft JRE (Java Runtime Environment) is not compatible with ZyWALL SSL VPN
IPSec VPN vs. SSL VPN
                     | SSL VPN                      | IPSec VPN (Dynamic rule)
VPN Clientless       | Yes (Web browser)            | No (IPSec client)
IP conflict solution | Won't have IP conflict issue | NAT over IPSec
Host integrity check | Yes*                         | No
Authentication       | AAA, certificate             | XAUTH, certificate
Configuration        | No                           | Pre-configuration
Application          | Application layer            | Network layer
Ideal for            | Remote or mobile             | Site to site
ZyXEL SSL VPN Design Specification
Maximum of 64 SSL application objects can be created.
Maximum of one OWA-type SSL application object can be created.
Maximum of eight SSL application objects can be added to an SSL VPN policy.
Does not support username and password within the URL.
The authentication request will be prompted by your browser.
User name and password are NOT supported in the common URL syntax http://user:password@host:port/ ; the user:password part (shown in red on the slide) is NOT supported.
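The URL restriction in the design specification above can be enforced before an SSL application object is saved. The following is an added example written for this page, not ZyXEL code; the host names in it are constructed. It locates credentials in the userinfo part with urllib.parse (so an '@' inside a query string is not mistaken for one), strips them, and rejects URLs that carry them, which is the right reaction in general because credentials in URLs end up in browser history, proxy logs and Referer headers.

```python
"""Detect and strip user:password credentials embedded in a URL.

Added example (not ZyWALL code). The design-specification slide says the
SSL VPN reverse proxy does not accept the user:password@ part of the common
URL syntax and lets the browser prompt instead. This helper shows how a
gateway or a configuration linter can reject or sanitise such URLs.
Host names used in the tests are constructed.
"""
from typing import Optional, Tuple
from urllib.parse import urlsplit, urlunsplit, unquote


def embedded_credentials(url: str) -> Optional[Tuple[str, str]]:
    """Return (username, password) found in the URL authority, or None.

    urlsplit() parses the userinfo part, so IPv6 literals, ports and
    percent-encoded characters are handled; a naive search for '@' would
    also trigger on an '@' in the query string or path.
    """
    parts = urlsplit(url)
    if parts.username is None and parts.password is None:
        return None
    return unquote(parts.username or ""), unquote(parts.password or "")


def strip_credentials(url: str) -> str:
    """Return the URL with the userinfo removed; host and port are kept."""
    parts = urlsplit(url)
    if parts.username is None and parts.password is None:
        return url
    host = parts.hostname or ""
    if ":" in host:                      # IPv6 literal must be re-bracketed
        host = f"[{host}]"
    netloc = host if parts.port is None else f"{host}:{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def validate_application_url(url: str) -> str:
    """Policy check matching the slide: credentials inside the URL are rejected."""
    creds = embedded_credentials(url)
    if creds is not None:
        raise ValueError(
            f"credentials for user {creds[0]!r} embedded in the URL are not supported; "
            "let the browser prompt for authentication instead"
        )
    return url
```

strip_credentials() is the variant to use where the URL should be kept but cleaned, for instance before it is written to a log.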
SSL VPN Benefits
Clientless Remote Access
No pre-installed client software
No pre-configuration by end users
Utilizes standard Web browser
Application/User-Aware
Granular access policies over specific applications or users
Enforce corporate security policy by Endpoint Security Checks
Simplified deployment
Automatic agent download
No firewall or NAT traversal issues that IPSec may suffer from
Can survive almost every environment on this planet
Hybrid: SSL VPN & IPSec VPN
So how about integrating both VPN technologies into a single box?
-
VPN Capacity on ZyWALL 1050
Up to 50 SSL VPN tunnels
Up to 1,000 IPSec VPN tunnels
Performance
75Mbps (SSL VPN), 150Mbps (IPSec VPN)
Main Features of Hybrid VPN
Seamless Integration
Clientless Secure Remote Access
Comprehensive User Auth Mechanism
-
7/25/2019 Firewall Training 2008
124/258
Clientless Secure Remote Access
Remote users can use a standard web browser to easily access corporate applications or file sharing without pre-installed or pre-configured VPN software.
-
Using standard browser to access Internal network applications
Using standard browser to access Internal file-sharing folder
Comprehensive User Auth Method
Local Database: User Group1, User Group2
External Database: Active Directory, LDAP, RADIUS
Two-Factor Authentication Server: ZyWALL OTP (One-Time Password)
Diagram: Remote Users reach the ZyWALL 1050 over the Internet; in the login example user justin enters the password zyxel followed by the PIN code 130201 displayed on the ZyWALL OTP token (Enter PIN code displayed on the ZyWALL OTP token)
More VPNs: L2TP
Specifications
L2TP over IPSec
Shares the tunnel upper bound with IPSec VPN: up to 1,000 tunnels
Benefits of supporting L2TP VPN
Extended VPN client: MS Windows 2000 (and above) has an L2TP client built-in, free of charge
Secure: L2TP is more secure than PPTP
Interoperability: can interoperate with a NAT gateway
Application Note
Default IPSec policy for MS Windows L2TP users
For the VPN Connection, users need to configure Local Policy and Remote Policy accordingly
For the VPN Gateway, users need to configure My Address and Pre-Shared Key accordingly
For the Policy Route, users need to add one policy route rule accordingly
Supports PAP authentication only
L2TP VPN Scenarios
L2TP over IPSec Connecting
-
7/25/2019 Firewall Training 2008
128/258
Diagram: ZyWALL 1050 providing Remote Management, HTTP Service and Mail Service
-
IM/P2P Management (AppPatrol)
IM/P2P Access Granularity
Differentiating access level of IM/P2P applications and enforcing granular access policy
Access level: Login, chat, file transfer, voice call, video call
More IM/P2P applications are supported in 2.00
BWM Enhancement
Supports BWM in each rule; can do BWM per user group
Can do BWM against inbound traffic
Guaranteed (prioritized) per protocol/application
Maximize bandwidth utilization: can borrow excess bandwidth dynamically
Real-time Bandwidth Monitor
Show which connection uses which application (protocol) in Traffic Report
Show graphical bandwidth usage and statistics per protocol
IM/P2P Access Granularity
-
7/25/2019 Firewall Training 2008
130/258
Access Granularity
Can differentiate access level per IM/P2P application to enforce corporate access policy
User-Aware, Scheduling and BWM
IT staff can have full & granular control over the access of IM/P2P applications, together with user-aware, scheduling and BWM
AppPatrol Against IM/P2P
AppPatrol             | ZLD 2.00 | ZLD 1.0x | ZyNOS 4.00 & after
User-Aware            | Yes      | Yes      | -
Integrated BWM        | Yes      | Yes      | -
Scheduling            | Yes      | Yes      | -
Access Granularity(1) | Yes      | -        | Yes
IM/P2P Up-to-date     | Yes(2)   | -        | Yes(3)
(1) Differentiating access level of IM/P2P applications and enforcing granular access policy
(2) Requires valid IDP subscription
(3) Requires valid AV+IDP subscription
Statistical Graph in AppPatrol
Statistical Graph: line chart showcasing per-application bandwidth usage over a 60-min time frame
AppPatrol Signature Update
Keep Up-to-date
Can support newer versions of (already) supported IM/P2P applications via signature update
-
7/25/2019 Firewall Training 2008
133/258
How to Get AppPatrol Updated?
Trial: activate the IDP trial service and update IDP signatures before trial expiration
30 days trial period
Constant updates: require purchase of an IDP subscription and activation of the IDP standard service
IDP subscription 1-year
IDP subscription 2-year
IDP Enhancement
Enabling flexible direction for IDP inspection
Zone-to-zone protection
Reporting: Display Top-5 Attacks detected (in dashboard)
IDP Report: executive summary of events triggered by the IDP feature
-
7/25/2019 Firewall Training 2008
135/258
IDP versus ADP
ADP is for Anomaly Detection & Protection
IDP/ADP Comparison                      | IDP | ADP
L7 Inspection to Stop Threats & Attacks | Yes | -
Signature Update                        | Yes | -
TA/PA(1)                                | -   | Yes
Protecting ZyWALL Itself                | -   | Yes
Requiring iCard Subscription            | Yes | -
(1) TA: Traffic Anomaly, PA: Protocol Anomaly
-
7/25/2019 Firewall Training 2008
137/258
GUI Enhancements
Dashboard Face-lift
New look 'n' feel
Add threat reports
In-line Object Creation
Creating missing objects on-the-fly (without leaving the current config screen)
Language Options
Architecture for implementing a multilingual GUI
Double-byte languages supported (Japanese/SC/TC)
Mouse-over Info
Displaying detailed info when moving the cursor over an item in a config screen
Dashboard Face-lift
Click on the More button to view more details
Top-5 intrusions & viruses detected
New Active Sessions counter to display the active session # on-the-fly
In-line Object Creation
Enabling the user to create new objects on-the-fly without leaving the current page. The feature is system-wide.
In the drop-down list of each feature, if a desired object is not present, simply click on the Create Object option to trigger a pop-up window to create the object on-the-fly, without leaving the current config page.
Certification
ICSA Firewall Version 4.1
ICSA IPSec Version 1.1D
ICSA Anti-Virus: In progress
ICSA IDP: In progress
-
7/25/2019 Firewall Training 2008
142/258
-
7/25/2019 Firewall Training 2008
143/258
GUI Overview
ZyXEL Communications Corp.
Begin
Default management IP address: 192.168.1.1 on physical port 1 (from the left side of the front panel)
Default administrator login:
User Name: admin
Password: 1234
GUI Access
Screen size: 1024*768
Multiple browser support
IE 6.0 and above
Firefox 1.5.0 and above
Netscape 7.2 and above
Turn on JavaScript and Cookie settings in your web browser. Turn off popup window blocking in your web browser.
GUI Overview - login page
-
GUI Overview - Status Page
Menu Tree, Global Icon List
Device Command Status, Device command warning messages
-
GUI Overview - Menu Tree (cont.)
Help
Wizard
Web Console
Site Map
Logout
About
GUI Overview - Menu Tree
1. First, setup Network Topology configuration
Start with Interface
2. Then, setup Security Policy configuration
Start with Route
GUI Overview - Menu Tree (cont.)
System Built-In Services
Frequently used objects
Log and Traffic Statistics Report
-
7/25/2019 Firewall Training 2008
151/258
Quick Start
ZyXEL Communications Corp.
Basic component concept
Port (Physical port)
A place where (L1/L2) frames go through
A port can be shared by many interfaces
Interface (Logical interface)
A place where (L3+) packets go through
An interface is bound to a port or a virtual port
Virtual Port (VLAN): makes use of the VLAN tag (L2 virtualization)
Each port can be configured as WAN, LAN, or DMZ
Zone
A group of interfaces
A set of hosts with the same characteristic
A logical element used to make configuration of firewall rules easier
Many interfaces can share a port
An interface is bound to one Zone only, not multiple ones.
Many interfaces can belong to a Zone.
Alias I/F
By definition a kind of interface (L3 virtualization), i.e. Virtual Interface
Note (cont.)
The physical ports on the front panel of the ZyWALL 1050 are named in the system as ge1, ge2, ge3, ge4, ge5.
ge stands for Gigabit Ethernet
The ZyWALL 1050 Network Hierarchy
Diagram: at Layer 2 and below, the RJ45 Connection, Physical Ports, Port Grouping (L2 Switching w/o Firewall), Ethernet, VLAN and Bridge; at Layer 3 and above, the Virtual Interface (IP Alias), PPP, AUX and Trunk
Internet Connection Setup Using Wizard - PPPoE
-
Wizard - PPPoE (cont.)
-
Wizard - PPPoE (cont.)
Setup of the Internet Connection (PPPoE)
Instead of using the Wizard, the user may also configure a PPPoE connection using the GUI.
Use the system default configuration:
ge1 as LAN interface
ge2 & ge3 are combined as WAN_TRUNK
Use ge2 as the base interface for this PPPoE interface
Connect port 2 (ge2) to a PPPoE server
Connect a host to port 1 (ge1)
Step 1: Setup ISP Account
-
7/25/2019 Firewall Training 2008
160/258
Idle timeout is used when the PPPoE interface is in dial-on-demand mode. If the idle timeout is zero, no idle timeout is applied.
Step 2: Create a PPPoE interface
-
The current example uses Nail-up mode. If the PPPoE server is available, this PPPoE connection will always be active.
Step 3: Check the PPPoE IP Address
-
Make sure ppp0 obtains the correct IP address.
Step 4: Create a Policy Route for ppp0
-
Set Next-Hop to ppp0. This policy route rule must be the first rule.
-
Step 6: Check LAN host connectivity
Verify that the LAN Host can ping the outside network.
Troubleshooting
ppp0 interface obtains IP address
policy route rules match
LAN Host DNS (for resolving the domain name)
PPPoE server availability
-
7/25/2019 Firewall Training 2008
166/258
-
7/25/2019 Firewall Training 2008
167/258
Firewall
Security Zone based
Global Zone
Address, Schedule, User Aware, Role Based
-
7/25/2019 Firewall Training 2008
168/258
Firewall Zone Concept
Diagram: Customizable Multi-zone Segmentation on one ZyWALL
WAN Zone: interfaces ge2, ge3:1, ge3:2, ge3:3 towards the Internet (links: 2M, 512K/64K ADSL, 1.5M/384K ADSL (168.168.168.168), 2M/384K Cable, 64K DSL)
VPN Zone: tunnels US_Tun and China_Tun to the remote networks US_A 172.21.10.0/24, China_Real_A 192.168.10.0/24 and China_A 192.168.200.0/24
LAN Zone: interfaces ge1:1, ge1:2, ge1:3, ge1:4 with address objects Manager_A 192.168.10.0/24, Sales_A 192.168.20.0/24, RD_A 192.168.30.0/24, Finance_A 192.168.40.0/24
DMZ Zone: WWW_A 192.168.100.1:8080, FTP_A 192.168.100.2
Traffic is classified as Intra-Zone (within one zone) or Inter-Zone (between zones)
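The zone rules stated on the 'Basic component concept' slide and illustrated in the zone diagram above can be turned into a small executable model. The following is an added example written for this page, not ZyWALL code: it enforces one zone per interface and many interfaces per zone, then evaluates zone-to-zone firewall rules in order with first match winning and a default action when nothing matches. Interface names and address objects are taken from the diagram; putting ge3:1 in the DMZ and the rule actions themselves are assumptions made for the demo.

```python
"""Zone model from the 'Basic component concept' and 'Firewall Zone Concept' slides.

Added example, not ZyWALL code. It enforces the stated rules (an interface is
bound to exactly one zone, a zone holds many interfaces) and evaluates zone-to-
zone firewall rules in order, first match wins, with a default action when
nothing matches. Interface names and address objects are taken from the
diagram; putting ge3:1 in the DMZ and the rule actions are assumptions made
for the demo.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


class ZoneTable:
    """Interface -> zone binding with the one-zone-per-interface constraint."""

    def __init__(self):
        self._zone_of = {}
        self.members = {}

    def bind(self, interface: str, zone: str) -> None:
        bound = self._zone_of.get(interface)
        if bound is not None and bound != zone:
            raise ValueError(f"{interface} is already bound to zone {bound}")
        self._zone_of[interface] = zone
        self.members.setdefault(zone, set()).add(interface)

    def zone(self, interface: str) -> str:
        return self._zone_of[interface]


@dataclass
class Rule:
    src_zone: str
    dst_zone: str
    dst_net: str     # address object such as "192.168.100.1/32", or "any"
    service: str     # service object such as "tcp/8080", or "any"
    action: str      # "allow" or "deny"

    def matches(self, from_zone: str, to_zone: str, dst_ip: str, service: str) -> bool:
        if (self.src_zone, self.dst_zone) != (from_zone, to_zone):
            return False
        if self.dst_net != "any":
            if ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(self.dst_net):
                return False
        return self.service in ("any", service)


class Firewall:
    def __init__(self, zones: ZoneTable, rules: List[Rule], default: str = "deny"):
        self.zones, self.rules, self.default = zones, rules, default

    def decide(self, in_if: str, out_if: str, dst_ip: str, service: str) -> Tuple[str, Optional[int]]:
        """Return (action, index of the matching rule); intra-zone when both zones are equal."""
        from_zone, to_zone = self.zones.zone(in_if), self.zones.zone(out_if)
        for idx, rule in enumerate(self.rules):      # ordered, first match wins
            if rule.matches(from_zone, to_zone, dst_ip, service):
                return rule.action, idx
        return self.default, None


def build_demo() -> Firewall:
    zt = ZoneTable()
    for iface in ("ge1:1", "ge1:2", "ge1:3", "ge1:4"):
        zt.bind(iface, "LAN")
    for iface in ("ge2", "ge3:2", "ge3:3"):
        zt.bind(iface, "WAN")
    zt.bind("ge3:1", "DMZ")                            # assumption (see lead-in)
    rules = [
        Rule("WAN", "DMZ", "192.168.100.1/32", "tcp/8080", "allow"),   # WWW_A
        Rule("LAN", "DMZ", "any", "any", "allow"),
        Rule("LAN", "WAN", "any", "any", "allow"),
        Rule("LAN", "LAN", "192.168.40.0/24", "any", "deny"),          # Finance_A, intra-zone
    ]
    return Firewall(zt, rules)
```

Because rules are matched in order, the position of a rule is part of the policy: the same ordering concern applies to the policy route slide later in the deck, where the ppp0 route has to be the first rule.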
-
7/25/2019 Firewall Training 2008
170/258
-
7/25/2019 Firewall Training 2008
171/258
-
7/25/2019 Firewall Training 2008
172/258
Global Policy
-
Application Patrol
Managing from the application viewpoint vs. from the policy (user/role) based firewall viewpoint
Application Aware: App. Classifier
Identify application by inspecting payload
Supports more than 16 Applications
Application Management
-
7/25/2019 Firewall Training 2008
175/258
App. Patrol Summary Page
-
7/25/2019 Firewall Training 2008
176/258
App. Patrol Configuration
-
7/25/2019 Firewall Training 2008
177/258
Content Filtering
URL Filtering:
Multiple Filtering Profiles
Scheduling, User Aware
Black List & White List
Block by Keyword
Block Dangerous Web Features (ActiveX, Java, Cookie, Web Proxy)
Custom Deny Message & Redirect to URL
-
7/25/2019 Firewall Training 2008
179/258
-
7/25/2019 Firewall Training 2008
180/258
Intrusion Detection & Prevention (IDP)
IDP: Combination of inline NIDS & NIPS
Multi-Method Detectors
Traffic Anomaly
Protocol Anomaly
Signature based (1800+ signatures)
IDP sensor can sit in front of any zone
Support Custom Signatures
IDS & IPS Scenarios
Diagram: Internet - NIDS - Internal Network; Internet - inline NIDS - Internal Network; Internet - IPS - Internal Network
Multi-Homing Policy Route
User Aware
Source-Based and Service-Based Routing
Route to: Gateway, VPN Tunnel, Trunk for load balancing & link backup
SNAT
Load Balancing & Link HA
BWM
Policy Route Example
-
7/25/2019 Firewall Training 2008
184/258
-
7/25/2019 Firewall Training 2008
185/258
-
7/25/2019 Firewall Training 2008
186/258
NAT
SNAT: Policy-Based
Supported NAT Types: One-to-One, Many-to-One, Many-to-Many Overload, Many One-to-One
Type will be determined automatically
DNAT: Virtual Server
One-to-One IP Mapping
Optional Single & Range Port Translation
Transparent Proxy (a usage of DNAT)
-
7/25/2019 Firewall Training 2008
188/258
-
7/25/2019 Firewall Training 2008
189/258
Flexible Port Configuration
Flexible Port Role
Any port can be configured as a LAN, WAN, DMZ or other
Flexible Switching Ports
Any port can be configured as a switching port
Traffic between switching ports is not inspected by the ZyWALL
Virtual Port: 802.1q VLAN port can be defined
Virtual port supports the same functions as a physical port does
-
7/25/2019 Firewall Training 2008
191/258
Scenario: Mix of NAT & Transparent Mode
-
IPSec
User Aware (Prior login)
Route Based (Static)
HA by backup SG & DDNS
NAT over IPSec traffic
-
7/25/2019 Firewall Training 2008
193/258
IPSec VPN GUI
-
Click on Add Gateway
-
IPSec VPN GUI
-
IPSec VPN GUI
VLAN Scenario
Diagram: the ZyWALL 1050 (VLAN-aware Router) has VLAN interfaces 192.168.1.254 (VLAN 1), 192.168.2.254 (VLAN 2) and 192.168.3.254 (VLAN 3); the tagged VLAN link carries VLAN 1 and VLAN 3, the un-tagged VLAN link carries VLAN 2 and VLAN 3; two VLAN-aware switches connect LAN 1 (subnet 192.168.1.0), LAN 2 (subnet 192.168.2.0) and LAN 3 (subnet 192.168.3.0)
-
7/25/2019 Firewall Training 2008
201/258
Text Configuration File
Configuration file is constructed from CLI commands
Can be edited off-line with a text editor
Easy to copy the configuration to other devices
Script
A batch of CLI commands contained in a file
Script files can be stored on the ZyWALL 1050
Multi Login
Allows users to log in to the system simultaneously
Allows multiple administrators to configure the system concurrently
Administration Account: account used to manage the system
Access Account: account used by the user to get through the ZyWALL 1050 device
User Aware
User Object & User Group Object
Users must authenticate themselves before they can get through the ZyWALL
User-based policy scheme is an optional function of the ZyWALL 1050
Embedded Auth. Server: HTTP & HTTPS
User Database
Local Profile
Look up by LDAP or RADIUS
Lease Timer & Re-authentication Timer, and global Traffic idle Timer
Policy Route, Firewall, Content Filtering, App. Patrol, etc.
Configuration Object
Objects can be reused, which makes the configuration task easier
User / User Group
AAA Server
Auth Method
Schedule
Address / Address Group
Service / Service Group
Certificate
ISP Account
-
7/25/2019 Firewall Training 2008
206/258
AAA Server Object
-
7/25/2019 Firewall Training 2008
207/258
Auth Method Object
-
7/25/2019 Firewall Training 2008
208/258
Schedule Object
-
7/25/2019 Firewall Training 2008
209/258
Address & Address/GW Group Object
-
7/25/2019 Firewall Training 2008
210/258
Log Implementation
Internal Buffer: 512 Entries
Log can be viewed by:
Console/SSH/Telnet
Web GUI
E-mail System (Two accounts, Sender Authentication)
Syslog Server (Four accounts)
Log Viewer
-
7/25/2019 Firewall Training 2008
212/258
Log Configuration
-
7/25/2019 Firewall Training 2008
213/258
Maintenance Tool
ping
nslookup
Traceroute
Packet trace
Show socket
Show arp table
-
7/25/2019 Firewall Training 2008
215/258
Traffic Report
-
7/25/2019 Firewall Training 2008
216/258
Traffic Snapshot
-
7/25/2019 Firewall Training 2008
217/258
Dynamic Routing
RIP: v1 & v2, Simple & MD5 Authentication
OSPF: Area: Normal, Stub & NSSA; Simple & MD5 Authentication; Virtual Link
-
7/25/2019 Firewall Training 2008
219/258
-
7/25/2019 Firewall Training 2008
220/258
Hands-on: Lunch
-
One-Time Password token
-
7/25/2019 Firewall Training 2008
222/258
One-Time Password for Two-Factor Authentication
Strong Authentication Solution with OTP
ZyWALL OTP
-
ZyWALL OTP - Benefits
Strong Two-Factor Authentication Solution
One Token for Many Applications
No Expiration Date for Lower Operating Costs
Intuitive and Easy to Install, Use and Manage
Seamless Integration with ZyWALL Security Products
-
7/25/2019 Firewall Training 2008
224/258
Solution Diagram
Central site: Customers need to install the ZyXEL/Authenex Server as an authentication server.
Remote User: ZyWALL OTP token for each remote user
Diagram: an Employee on a Home Computer, an Employee Laptop in an Airport Kiosk or in a Hotel, an Authorized Partner and an Authorized Customer, each with a ZyWALL OTP token, reach a ZyWALL USG Series firewall over the Internet; behind it on the LAN are the ZyXEL/Authenex Server, Email Server, BI System, Application Server (Inventory, Store..), OA, ERP System and CRM System, accessed by File Share, Web-based Application, Remote Desktop and Network Extend
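The two-factor login shown on the Comprehensive User Auth Method slide (user justin, password zyxel, PIN 130201 from the token) and the ZyWALL OTP solution above can be illustrated with the following added example, written for this page and not ZyXEL or Authenex code. Two assumptions are made: the token is an RFC 4226 HOTP event-based token, and the user types the static password and the OTP as one string, password first. The verifier splits the string, checks the static part, searches the OTP in a look-ahead window, and then advances the counter so that a captured OTP cannot be replayed. The token secret used in the test is the RFC 4226 test vector.

```python
"""Two-factor login check: static password followed by a token one-time password.

Added example written for this page; it is not ZyXEL or Authenex code. The
slide shows user 'justin' typing 'zyxel' plus the PIN 130201 read off the
ZyWALL OTP token. Two assumptions made here: the token is an RFC 4226 HOTP
event-based token, and the user types password and OTP as one string with
the password first. The verifier splits the string, checks the static part,
then searches the OTP in a look-ahead window and advances the counter so a
captured OTP cannot be replayed.
"""
import hashlib
import hmac
import struct
from typing import Dict

OTP_DIGITS = 6
LOOK_AHEAD = 5      # missed button presses tolerated before resynchronisation is needed


def hotp(secret: bytes, counter: int, digits: int = OTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OtpServer:
    """Minimal authentication server: static password plus per-user token state."""

    def __init__(self):
        self.users: Dict[str, dict] = {}     # constructed in-memory store

    def enroll(self, username: str, password: str, token_secret: bytes, counter: int = 0) -> None:
        self.users[username] = {"password": password, "secret": token_secret, "counter": counter}

    def authenticate(self, username: str, typed: str) -> bool:
        rec = self.users.get(username)
        if rec is None or len(typed) <= OTP_DIGITS:
            return False
        static, otp = typed[:-OTP_DIGITS], typed[-OTP_DIGITS:]
        if not hmac.compare_digest(static.encode(), rec["password"].encode()):
            return False                      # first factor failed
        for c in range(rec["counter"], rec["counter"] + LOOK_AHEAD + 1):
            if hmac.compare_digest(hotp(rec["secret"], c).encode(), otp.encode()):
                rec["counter"] = c + 1        # consume this and earlier values: no replay
                return True
        return False                          # second factor failed
```

The look-ahead window is what keeps the token usable after the user presses the button without logging in; the counter update after a successful check is what makes a sniffed password+OTP string worthless a second time.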
Management Tools
Vantage CNM and Report
-
7/25/2019 Firewall Training 2008
226/258
-
7/25/2019 Firewall Training 2008
227/258
-
7/25/2019 Firewall Training 2008
228/258
-
7/25/2019 Firewall Training 2008
229/258
Group Device Configuration for Mass Deployments
Benefit
Low TCO for Massive Deployments and Maintenance
Automatic Unattended Upgrade
Firmware Upgrade
By Schedule
Immediately
Device Configuration and Policy
Group Configuration for multiple devices
Configuration Template to simplify the configuration task
Device Setting Backup/Restore
-
Real-time Monitoring, Alerting and Comprehensive Graphic Reporting
Benefit
Real-time Monitor Devices
Active Alarm Notification
Centralized Logging & Reporting
Real-time Monitoring
Device Online/Offline Status
Device Alarm Status
VPN Tunnel Up/Down Status
Alerting
Visual Icon
Email Notification
Comprehensive Graphic Reporting
More than 50 predefined reports including Network Threat and Traffic Report
Detail Drill-down information
Automatic Schedule Report
Automatic Schedule Email Generation
-
7/25/2019 Firewall Training 2008
232/258
1.1 Topology - Managed Security Provider
Diagram: the Managed Service Provider runs the Vantage CNM Server and manages, over the Internet, the Internet Security Appliances of Company A, Company B and Office 1, Office 2 and Office 3
-
1.2 Topology - Distributed Enterprise
Diagram: the IT Manager of Company C runs the Vantage CNM Server and manages, over the Internet, the Internet Security Appliances of Dept. 1, Dept. 2 and the Branch Office and the Personal Security Appliance of a Telecommuter
-
1.3 Topology - Centralized Logging and Reporting
Diagram: ZyWALL A and ZyWALL B send Syslog over the Internet to the Vantage CNM & Reporting Server; a Client with IE runs Online Queries against it
Vantage Report Example
Vantage Report Example
-
7/25/2019 Firewall Training 2008
236/258
-
7/25/2019 Firewall Training 2008
237/258
1.2 UTM Management - License Management
Centralized License Management
Subscription Monitor
Maintenance/Upgrade
License Monitor
-
1.3 UTM Management - Alarm Indication
Visual alarm indication immediately
Email Alert to Device Owner & Administrator
Problem identification through Alarm Monitor
E-mail Alert Content
Device under Attack
2.1 VPN Management - One-Click VPN
Easy VPN Creation by click and drag between VPN gateways
(1) Click
(2) Drag
(3) Configure both devices
-
3.1 Device Maintenance - Group Firmware Upgrade
Group Firmware Upgrade
Scheduling
Immediately
Select devices for firmware upgrade
Scheduling or Immediately
-
7/25/2019 Firewall Training 2008
243/258
4.1 Graphic Reporting - predefined reports
Traffic Report
Top Protocol Report
Bandwidth Monitor
-
4.2 Graphic Reporting - schedule reports
Schedule Report via Email
Daily/Weekly report generated automatically
Create Daily/Weekly Report
Configure Daily/Weekly Report
-
4.2 Graphic Reporting - schedule reports
Schedule Report via Email
HTML/PDF format report in Email attachment
Report Type: Both/HTML/PDF
Report Content
Case Study
-
7/25/2019 Firewall Training 2008
249/258
Case Study
Dynamic IP Address
Zombie Tunnel
IPSec and NAT
-
7/25/2019 Firewall Training 2008
250/258
-
7/25/2019 Firewall Training 2008
251/258
Dynamic IP Both Sides
Both sides have dynamic IP addresses
Router A: DDNS enabled (zywall.dyndns.org)
Router B: Secure GW = DNS name
IPSec Tunnel Mode
Router A (with DDNS enabled): My IP = 0.0.0.0, Secure GW = 0.0.0.0
Router B: My IP = 0.0.0.0, Secure GW = zywall.dyndns.org
Zombie Tunnel
Sometimes a Zombie Tunnel may occur after:
IP Changes
System Restart
Diagram: A and B have a VPN up; B restarts or changes its IP; A still keeps the old tunnel (the Zombie Tunnel), so B's new negotiation fails: Local/Remote Network conflict
-
Initial Contact
IF the following conditions are met:
Router B Restarts
Router B is a ZyWALL
Router B is using a Static IP
Initial Contact is per host based
Diagram: B (static IP) sends Init-Contact to A, no matter whether it is the initiator or the responder
Idle Time Out
Outbound Idle Time Out: no outbound traffic for # min (B has a dynamic IP)
Inbound Idle Time Out: no inbound traffic for # min (B has a dynamic IP)
SA Life Time and Idle Timer
Diagram: one Phase 1 SA carries successive Phase 2 SAs; Idle timer: 2 Minutes
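The three mechanisms on the slides above (the zombie tunnel left behind by a restarted peer, the Initial-Contact notification that clears it, and the idle timers and SA lifetime that reap quiet tunnels) can be exercised on a small SA table. The following is an added example, a constructed simulation written for this page and not ZyWALL firmware; peer names, the two networks taken from the zone diagram and the timer values are demo inputs.

```python
"""Zombie tunnel, Initial-Contact and idle/lifetime reaping on a small SA table.

Added example, a constructed simulation written for this page; it is not
ZyWALL firmware. Peer names, the two networks from the zone diagram and the
timer values are demo inputs; the behaviour follows the three slides above:
a restarted peer leaves a stale SA on the other side, the INITIAL-CONTACT
notification flushes every SA of that peer, and idle timers plus the SA
lifetime remove tunnels that went quiet.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class SA:
    peer: str          # peer gateway identity (IP address or DNS name)
    local_net: str     # local policy, e.g. "192.168.10.0/24"
    remote_net: str    # remote policy
    created: float
    lifetime: float    # SA life time in seconds
    last_in: float
    last_out: float


class SADatabase:
    def __init__(self, inbound_idle: float, outbound_idle: float):
        self.inbound_idle = inbound_idle
        self.outbound_idle = outbound_idle
        self.sas: List[SA] = []

    def negotiate(self, peer: str, local_net: str, remote_net: str, now: float,
                  lifetime: float = 3600.0, initial_contact: bool = False) -> Optional[SA]:
        """Phase 2 negotiation seen by the responder.

        Without INITIAL-CONTACT a new SA whose policy equals that of a live SA
        to the same peer is rejected: the 'Local/Remote Network conflict' of the
        zombie-tunnel slide. With INITIAL-CONTACT the peer declares that it has
        no state left, so all SAs it owned are flushed first (per-host basis).
        """
        if initial_contact:
            self.sas = [sa for sa in self.sas if sa.peer != peer]
        for sa in self.sas:
            if sa.peer == peer and (sa.local_net, sa.remote_net) == (local_net, remote_net):
                return None                 # the zombie blocks the new tunnel
        sa = SA(peer, local_net, remote_net, now, lifetime, now, now)
        self.sas.append(sa)
        return sa

    def traffic(self, sa: SA, direction: str, now: float) -> None:
        """Record a packet seen on the SA ("in" or "out")."""
        if direction == "in":
            sa.last_in = now
        else:
            sa.last_out = now

    def expire(self, now: float) -> List[str]:
        """Reaper: remove expired or idle SAs, return one reason per removed SA."""
        reasons, keep = [], []
        for sa in self.sas:
            if now - sa.created >= sa.lifetime:
                reasons.append(f"{sa.peer}: lifetime expired")
            elif now - sa.last_out >= self.outbound_idle:
                reasons.append(f"{sa.peer}: outbound idle")
            elif now - sa.last_in >= self.inbound_idle:
                reasons.append(f"{sa.peer}: inbound idle")
            else:
                keep.append(sa)
        self.sas = keep
        return reasons


def zombie_scenario() -> tuple:
    """B restarts at t=30. Returns (conflict without Init-Contact, success with it)."""
    a = SADatabase(inbound_idle=120, outbound_idle=120)
    a.negotiate("B", "192.168.10.0/24", "192.168.200.0/24", now=0)
    without = a.negotiate("B", "192.168.10.0/24", "192.168.200.0/24", now=30)
    with_ic = a.negotiate("B", "192.168.10.0/24", "192.168.200.0/24", now=30,
                          initial_contact=True)
    return without is None, with_ic is not None and len(a.sas) == 1
```

Initial-Contact only helps when the restarted side can send it, which is why the slide lists the conditions (restart, ZyWALL, static IP); for a peer on a dynamic address the idle timers are what eventually removes the stale SA.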
IPSec and NAT
Is the host behind NAT allowed to use IPSec?
NAT Condition                 | Supported IPSec Protocol
VPN Gateway embedded NAT      | AH Tunnel mode, ESP Tunnel mode
VPN client/gateway behind NAT | ESP Tunnel mode
NAT in Transport mode         | None
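The table above says that only ESP tunnel mode survives a NAT device on the path. The following added example, constructed for this page and not ZyWALL code or a real IPsec implementation, shows the reason in code: AH's ICV covers the IP header (mutable fields excluded), so a NAT that rewrites the source address breaks the check, while ESP's ICV covers only the ESP header and the encrypted payload, so an outer header rewrite is harmless. The key, the addresses 192.168.1.10 and 203.0.113.5 and the XOR keystream are demo constructions; 168.168.168.168 is the WAN address from the zone diagram.

```python
"""Why AH fails behind NAT while ESP tunnel mode survives: a toy model.

Added example, constructed for this page; not ZyWALL code and not a real
IPsec implementation. AH computes its ICV over the IP header (mutable fields
excluded) plus the payload, so a NAT that rewrites the source address breaks
the check. ESP's ICV covers only the ESP header and the encrypted payload,
so an outer header rewrite is harmless in tunnel mode. The key, the
addresses 192.168.1.10 and 203.0.113.5 and the XOR keystream are demo
constructions; 168.168.168.168 is the WAN address from the zone diagram.
"""
import hashlib
import hmac
import ipaddress

KEY = b"constructed-demo-key"   # constructed; a real SA derives keys in IKE

AH, ESP = 51, 50                # IP protocol numbers


def ip_header(src: str, dst: str, proto: int, ttl: int = 64) -> dict:
    return {"src": src, "dst": dst, "proto": proto, "ttl": ttl}


def _immutable_bytes(hdr: dict) -> bytes:
    """Header fields AH authenticates: addresses and protocol, not the mutable TTL."""
    return (ipaddress.ip_address(hdr["src"]).packed
            + ipaddress.ip_address(hdr["dst"]).packed
            + bytes([hdr["proto"]]))


def ah_protect(hdr: dict, payload: bytes) -> dict:
    icv = hmac.new(KEY, _immutable_bytes(hdr) + payload, hashlib.sha256).digest()
    return {"hdr": dict(hdr), "icv": icv, "payload": payload}


def ah_verify(pkt: dict) -> bool:
    expected = hmac.new(KEY, _immutable_bytes(pkt["hdr"]) + pkt["payload"],
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, pkt["icv"])


def _keystream(n: int) -> bytes:
    """Toy stream cipher for the demo only (SHA-256 in counter mode)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(KEY + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def esp_protect(hdr: dict, payload: bytes, spi: int = 0x1001, seq: int = 1) -> dict:
    ct = bytes(a ^ b for a, b in zip(payload, _keystream(len(payload))))
    esp_hdr = spi.to_bytes(4, "big") + seq.to_bytes(4, "big")
    icv = hmac.new(KEY, esp_hdr + ct, hashlib.sha256).digest()   # outer IP header not covered
    return {"hdr": dict(hdr), "esp": esp_hdr, "ct": ct, "icv": icv}


def esp_verify(pkt: dict):
    """Return the plaintext, or None when the ICV does not verify."""
    expected = hmac.new(KEY, pkt["esp"] + pkt["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, pkt["icv"]):
        return None
    return bytes(a ^ b for a, b in zip(pkt["ct"], _keystream(len(pkt["ct"]))))


def nat_rewrite_src(pkt: dict, new_src: str) -> dict:
    """Source NAT on the outer header, as a NAT gateway on the path does."""
    out = dict(pkt)
    out["hdr"] = dict(pkt["hdr"], src=new_src)
    return out


def demo() -> dict:
    inner = b"GET / HTTP/1.0\r\n"
    ah = nat_rewrite_src(ah_protect(ip_header("192.168.1.10", "168.168.168.168", AH), inner),
                         "203.0.113.5")
    esp = nat_rewrite_src(esp_protect(ip_header("192.168.1.10", "168.168.168.168", ESP), inner),
                          "203.0.113.5")
    return {"ah_ok_after_nat": ah_verify(ah), "esp_ok_after_nat": esp_verify(esp) == inner}
```

The 'NAT in Transport mode: None' row follows from the same model: in transport mode the TCP/UDP header sits inside the ESP payload, so a NAT that must rewrite ports has nothing it can legitimately change.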
Q & A
Thank You!