firewall training 2008


  • 7/25/2019 Firewall Training 2008

    1/258

    ZyXEL Security Training

    2008

    Zsolt Benk

    ZyXEL Certified Master Trainer

    ZyXEL Hungary

  • 2/258

    IT security issues

  • 3/258

    Today's Top 4 Security Headaches

    - IM and P2P applications: cause productivity loss and even legal troubles; IM/P2P-manageable firewalls are hard to install and manage
    - Virus and worm: damage computer infrastructure; Layer 7 inspection degrades performance significantly
    - Unsolicited spam mails: contaminate legitimate messages; can even cripple corporate servers
    - Non-business web surfing, spyware, phishing: leak sensitive, valuable personal and corporate information

  • 4/258

    Protect computer networks against virus intrusions and attacks

    (diagram: computers on the protected network)

  • 5/258

    Control of IM/P2P application use to increase employee productivity

    - File Sharing Applications: consume an excessive amount of bandwidth and share sensitive corporate documents
    - Instant Messaging Applications: increase potential legal liability, waste personnel time and network resources
    - Software Tunnel Applications: bypass the firewall to expose organizations to risk, and waste network resources
    - Webmail/Posting Applications: increase potential legal liability, and share sensitive corporate documents

  • 6/258

    Filter non-work related and unproductive web surfing to mitigate spyware and phishing threats

  • 7/258

    Eliminate spam mails to block unwanted messages every day

  • 8/258

    ZyXEL advanced technologies

  • 9/258

    Reasons to buy a ZyWALL

    Right Speed Matters: Breaking the UTM Bottleneck

    1. High Performance, while 8-in-1 Features
       - 8-in-1 (VPN/FW/LB/BWM/CF/AV/(AS)/IDP) complete security features
       - Superb performance even with all security services activated

    2. Advanced Technology
       - Cutting-edge ZLD v2 to integrate 8 security modules
       - Integrated #1 Kaspersky Anti-Virus
       - Built-in high performance SecuASIC chipset

    3. Less Effort to Install and Setup
       - User-aware, object oriented setup with text based configuration files

  • 10/258

    1. High Performance, while 8-in-1 Features

  • 11/258

    Enterprise/Large-mid Security Demand - Approach to Complete Network Protection

    (diagram: Internet -> VPN / Firewall -> separate Anti-Spam, IDS / IDP, Anti-Virus, Web Filters, Bandwidth Mgmt and Load Balance boxes -> Users and Servers)

    - Firewall: control permitted traffic in and out
    - VPN: delivering secure remote access
    - Load Balance: utilize multiple WANs
    - Bandwidth Mgmt: traffic shaping
    - Web filters: eliminate unproductive web-browsing
    - Anti-Virus: protect from virus infection
    - IDS / IDP: protect against malicious attacks
    - Anti-Spam: reduce unwanted email

    Advantages: provides a comprehensive security approach

  • 12/258

    SMB Security Demand:
    - Same threats as Enterprise/Large-Mid
    - Limited budget
    - Limited IT staff

    Apply to SMB Security Demand - Approach to Complete Network Protection

    (diagram: the same separate VPN / Firewall, Anti-Spam, IDS / IDP, Anti-Virus, Web Filters, Bandwidth Mgmt and Load Balance boxes between Internet, Users and Servers)

    Advantages: provides a comprehensive security approach

    Potential burden: requires multiple products (high cost); increases network complexity and operational cost

    -> UTM (Unified Threat Management)

  • 13/258

    2. Advanced Technology

  • 14/258

    ZyWALL Core Advanced Technology

    ZyWALL developed a unique security system for complete 8-in-1 and real-time network protection:

    1. Proprietary Security Acceleration Chip
       - Hardware scanning engine
       - Hardware encryption
       - Real-time content analysis

    2. Linux based Security Hardened OS
       - Networking operating system
       - Optimized for security enhanced processing
       - Designed for high performance

    3. Integrated Kaspersky Gateway Anti-Virus
       - #1 detection rates
       - #1 response time to new threats
       - #1 updating frequency

  • 15/258

    ZLD integrates 8 modules

    USG (Unified Security Gateway): Firewall, VPN, Anti-Spam, Intrusion Prevention, Anti-Virus, Web Content Filtering, Bandwidth Management, Load Balance

    Covers both Enterprise Security Demand and SMB Security Demand

    Designed to solve the Top 4 Security Headaches

  • 16/258

    The Power of ZyXEL SecuASIC(TM)

    (chart: Performance vs. Inspection Flow, from Packet Filter and Firewall (Layer 3 application) to IDP and Anti-Virus (Layer 7 application), comparing No ASIC, Other ASIC and ZyXEL SecuASIC; SecuASIC marked at 5X and 20X. Source: ZyXEL Internal)

    - Software-based UTM: 99% performance drop
    - Other ASIC-based UTM: still no effective way for higher performance
    - ZyXEL SecuASIC UTM: most effective way for higher performance; same performance even as signatures grow
    - Other UTMs: lower performance day by day

  • 17/258

    Current ASIC Solutions' Problems

    Right step on ASIC solution: a good approach to accelerating AV & IDP functions, certainly a step in the right direction.

    Other ASIC scheme problems:

    - String-matching: results in immense throughput degradation. The more rules grow in the signature database, the more time inspection needs.
    - File-based scanning: multi-packet files must be re-assembled first, and then scanned. A file whose size exceeds the available memory inside simply can NOT be processed.

  • 18/258

    ZyXEL SecuASIC Technologies

    - DFA (Deterministic Finite Automata) algorithm: regardless of the size of the rules, number of rules or rule complexity, the throughput speed remains unaffected.
    - Stream-based scanning: packets are processed sequentially, with suspicious code being detected and reported without affecting throughput. Complete inspection occurs with no limitations on file size.
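The two properties on this slide, a DFA whose cost per byte does not depend on the rule set and stream-based scanning that never reassembles a file, can be demonstrated in software. The following Python is an added example written for this transcript; it is not ZyXEL code and says nothing about how SecuASIC implements either technique. It builds an Aho-Corasick automaton, completes it into a dense DFA (one table lookup per byte, whatever the number or length of signatures), and keeps the automaton state between packets so a signature split across a packet boundary is still detected. The signatures and packet payloads are constructed sample data.

```python
from collections import deque


class StreamScanner:
    """Multi-pattern matcher built as an Aho-Corasick automaton and compiled
    into a dense DFA: exactly one table lookup per input byte, whatever the
    number, length or complexity of the signatures.  The automaton state is
    kept between calls to feed(), so a signature straddling two packets is
    found without reassembling the packets or buffering the whole file."""

    def __init__(self, signatures):
        self.sigs = [bytes(s) for s in signatures]
        self.goto = [{}]       # state -> {byte: next_state}
        self.out = [[]]        # state -> indexes of signatures ending here
        for idx, sig in enumerate(self.sigs):
            s = 0
            for b in sig:
                if b not in self.goto[s]:
                    self.goto.append({})
                    self.out.append([])
                    self.goto[s][b] = len(self.goto) - 1
                s = self.goto[s][b]
            self.out[s].append(idx)
        # Breadth-first pass: compute failure links and fill in every missing
        # transition, so the scan loop never follows failure links at runtime.
        fail = [0] * len(self.goto)
        queue = deque()
        for b in range(256):
            nxt = self.goto[0].get(b)
            if nxt is None:
                self.goto[0][b] = 0
            else:
                queue.append(nxt)
        while queue:
            r = queue.popleft()
            for b in range(256):
                nxt = self.goto[r].get(b)
                if nxt is None:
                    self.goto[r][b] = self.goto[fail[r]][b]
                else:
                    fail[nxt] = self.goto[fail[r]][b]
                    self.out[nxt] = self.out[nxt] + self.out[fail[nxt]]
                    queue.append(nxt)
        self.state = 0         # carried across packets
        self.offset = 0        # bytes scanned so far in this stream

    def feed(self, chunk):
        """Scan one packet payload; returns (stream_offset, signature) hits."""
        hits = []
        for b in chunk:
            self.state = self.goto[self.state][b]   # constant-time step per byte
            for idx in self.out[self.state]:
                sig = self.sigs[idx]
                hits.append((self.offset - len(sig) + 1, sig))
            self.offset += 1
        return hits


def scan_packets(signatures, packets):
    """Stream-scan packets as they arrive; no file-size limit, no reassembly."""
    scanner = StreamScanner(signatures)
    hits = []
    for pkt in packets:
        hits.extend(scanner.feed(pkt))
    return hits


# Constructed sample: two toy signatures and a stream split into packets so
# that the first signature crosses the packet boundary.
SIGNATURES = [b"MALWARE-SIG-1", b"EVIL"]
PACKETS = [b"GET /index.html MALW", b"ARE-SIG-1 tail EVILx"]

if __name__ == "__main__":
    for offset, sig in scan_packets(SIGNATURES, PACKETS):
        print(f"signature {sig!r} found at stream offset {offset}")
```

The transition table is filled for all 256 byte values, so adding signatures grows the table but not the work done per scanned byte; the first packet ends inside `MALWARE-SIG-1` and the hit is reported only once the second packet completes it.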

  • 19/258

    ZyWALL Overview: Portfolio

    ZyWALL Landscape

    Family Matrix

  • 20/258

    ZyWALL UTM (Unified Threat Management) -> Next Generation ZyWALL USG (Unified Security Gateway)

    - IP-based -> User-aware Application Patrol (IM/P2P)
    - IPSec VPN -> Hybrid VPN (IPSec VPN + SSL VPN)
    - IP-based -> User-/Application-based
    - Dual WAN -> Multiple WAN
    - 1000+ signatures, non-certified -> ICSA-certified, 10,000+ signatures, NSS-certified
    - Anti-Spam -> Enhanced Anti-Spam
    - Content Filtering -> Secure Content Mgmt
    - More: Device HA, Secure Wireless Mgmt, Multi-lingual WebGUI

    Our Technology Is Evolving:

    - Performance: more horse power
    - Flexible: user-aware / app-centric; object-based; VLAN & flexible zone
    - Anti-X: AV/IDP with more signatures; IM/P2P/Application Patrol; AS: RBL/ORDBL
    - Hybrid VPN: IPSec VPN & SSL VPN; L2TP VPN
    - Misc: enterprise-level features; user-friendly

  • 21/258

    Mid-Large (100-500 users)

    SMB (50-100 users)

    SB(

  • 22/258

    ZyWALL USG Series Positioning (price vs. features, from SB to SMB)

    ZyWALL USG series:
    - Hybrid VPN (SSL + IPSec)
    - UTM + Web Security (HTTP firewall)
    - IM/P2P management
    - 3G, WLAN security
    - ICSA certifications

    ZyWALL USG 100
    1. 2 WANs, 7 Giga ports, 2 USB
    2. FW 100M, IPSec 50M, UTM 24M
    3. Recommended: 1~25 PC users

    ZyWALL USG 200 (3 WANs; 100 IPSec, 10 SSL)
    1. 3 WANs, 7 Giga ports, 2 USB
    2. FW 150M, IPSec 75M, UTM 24M
    3. Recommended: 25~50 PC users

    ZyWALL USG 300 (M-WANs; 200 IPSec, 25 SSL)
    1. M WANs, 7 Giga ports, 2 USB
    2. FW 200M, IPSec 100M, UTM 48M
    3. Recommended: 50~75 PC users

    ZyWALL USG 1000 (19" rack mount, flexible zone, 300M FW, HDD support; 1000 IPSec, 250 SSL)
    1. M WANs, 5 Giga ports, 2 USB, HDD
    2. FW 350M, IPSec 150M, UTM 100M
    3. Recommended: 75~200 PC users

    ZyWALL USG 2000 (SFP, redundant power; 2000 IPSec, 750 SSL)
    1. M WANs, 8 Giga ports, 2 USB, HDD
    2. FW 2G, IPSec 500M, UTM 400M
    3. Recommended: 200~500 PC users

    (availability labels on the slide: Available, Q208, FCS, ENT)

  • 23/258

    ZyWALL Product Family - ZyWALL P1

    World's first palm-sized hardware VPN client and Internet security appliance for personal network protection

    - ICSA-certified IPSec 1.1D VPN (1 VPN tunnel) and SPI firewall (80 Mbps)
    - Allows for mass, platform-independent deployment without software installation efforts
    - Proactive endpoint security provides effective network protection
    - ZyXEL Centralized Network Management (CNM) support
    - USB-powered
    - Integrated gateway with built-in anti-virus and intrusion detection/prevention (in future release)

  • 24/258

    ZyWALL Product Family - ZyWALL 2WG

    Cutting-edge 3G+WiFi router with best security functions for SOHO and remote offices

    - Internet access through 3G networks (HSDPA, UMTS, GPRS, EDGE)
    - Dual-band, tri-mode access point (802.11a/b/g)
    - Advanced ICSA certified ZyNOS SPI firewall (24 Mbps) and IPSec VPN (5 VPN tunnels) protection
    - Configurable 4-port LAN/DMZ/WLAN zones
    - Web-based content filtering services

    Supported 3G cards:
    - Sierra Wireless: AC595, AC850, AC860, AC875
    - Huawei: E612, E620 Option GT HSDPA 7.2 Ready, EC500

  • 25/258

    ZyWALL 2WG

    - LEDs: PWR
    - Interface: Extension Card Slot (to install a 3G/3.5G card); Dial-Backup: RJ45; 1-port WAN; 4-port LAN/DMZ; power jack
    - WiFi antenna: 2 dBi antenna x 2

  • 26/258

    ZyWALL Product Family - ZyWALL 2 Plus

    Internet Security Appliance

    - ICSA-certified IPSec VPN (5 VPN tunnels) and SPI firewall (24 Mbps)
    - Customizable web content filtering
    - DoS/DDoS intrusion prevention
    - ZyXEL Centralized Network Management (CNM) support

  • 27/258

    ZyWALL Product Family - ZyWALL 5 UTM

    Integrated Internet Security Appliance with Unified Threat Management

    - ICSA-certified IPSec 1.1D VPN (10 VPN tunnels) and SPI firewall (50 Mbps)
    - Integrated high-performance gateway with built-in anti-virus, anti-spam, intrusion detection/prevention, and content filtering
    - Flexible and configurable interfaces for creating dynamic security policies
    - Bandwidth management and Centralized Network Management (CNM) support

  • 28/258

    ZyWALL Product Family - ZyWALL 35 UTM

    Dual-WAN high performance 8-in-1 UTM for Small Business/Remote Office Branch Office

    - ICSA-certified IPSec 1.1D VPN (35 VPN tunnels) and SPI firewall (60 Mbps)
    - Integrated high-performance gateway with built-in anti-virus, Anti-Spam, IDP, and content filtering
    - Dual-WAN ports for auto-failover/fallback and load balancing
    - Flexible and configurable interfaces for creating dynamic security policies
    - Bandwidth management and Centralized Network Management (CNM) support

  • 29/258

    ZyWALL Product Family - ZyWALL 70 UTM

    Dual-WAN high performance 8-in-1 UTM for SMB (30 ~ 100 PC users)

    - ICSA-certified IPSec 1.1D VPN (100 VPN tunnels) and SPI firewall (75 Mbps)
    - Integrated high-performance gateway with built-in anti-virus, Anti-Spam, IDP, and content filtering
    - Dual-WAN ports for auto-failover/fallback and load balancing
    - Dedicated 4 DMZ ports for public Internet servers
    - Bandwidth management and Centralized Network Management (CNM) support

  • 30/258

    ZyWALL USG 100

    - LEDs: PWR, SYS, AUX (status of Dial Backup/Dial-In), CARD (status of Extension Card Slot)
    - Interface: (1) WAN1: 10/100/1000; (1) WAN2: 10/100/1000; (5) LAN1/LAN2/DMZ: 10/100/1000, configurable port role; (2) USB 2.0, for 3G etc.
    - Console: DB-9 F
    - Dial-Backup/Dial-In OOB (AUX): DB-9 M
    - Power: 12VDC, 100~240VAC
    - Extension Card Slot (future upgrade): 1. 3G cellular card; 2. Wireless LAN card, etc.

  • 31/258

    ZyWALL USG 100 vs ZyWALL 5 UTM

    - More interfaces
    - All Gigabit Ethernet
    - SecuASIC inside
    - USB, 3G
    - Multiple WAN

    *: ZyWALL Turbo AV+IDP Accelerator

  • 32/258

    ZyWALL USG 200

    - LEDs: PWR, SYS, AUX (status of Dial Backup/Dial-In), CARD (status of Extension Card Slot)
    - Interface: (2) WAN1, WAN2: 10/100/1000; (1) Optional: 10/100/1000 (can be 3rd WAN, or additional LAN/DMZ); (4) LAN1/LAN2/DMZ: 10/100/1000, configurable port role; (2) USB 2.0, for 3G etc.
    - Console: DB-9 F
    - Dial-Backup/Dial-In OOB (AUX): DB-9 M
    - Power: 12VDC, 100~240VAC
    - Extension Card Slot (future upgrade): 1. 3G cellular card; 2. Wireless LAN card, etc.

  • 33/258

    ZyWALL USG 200 vs ZyWALL 35 UTM

    - USB, 3G
    - OPT port
    - More interfaces
    - All Gigabit Ethernet
    - SecuASIC inside

    *: ZyWALL Turbo - SMART Accelerator

  • 34/258

    ZyWALL Product Family - ZyWALL USG 300

    Unified Security Gateway for small and medium-sized businesses

    - Hybrid VPN (IPSec/SSL VPN) and robust UTM security services
    - High-performance multi-layer threat protection powered by cutting-edge SecuASIC technology
    - AppPatrol to manage the use of IM/P2P applications
    - User-aware policy engine enables access granularity
    - Excellent manageability with object and text-based configuration files as well as centralized network management

  • 35/258

    ZyWALL USG 300

    - LEDs: PWR, SYS, AUX (status of Dial Backup/Dial-In), CARD1 (status of Extension Card Slot 1), CARD2 (status of Extension Card Slot 2)
    - Interface: (7) Gigabit Ethernet: 10/100/1000, configurable port role; (2) USB 2.0, for printer, storage etc.
    - Power: 100~240VAC
    - Dial-Backup/Dial-In OOB: DB-9 M
    - Console: DB-9 F
    - Extension Card Slot: future upgrade

  • 36/258

    ZyWALL Product Family - ZyWALL USG 1000

    Professional VPN concentrator/UTM appliance for SMB/mid- to large-sized organizations

    - Hybrid VPN (IPSec/SSL VPN) and robust UTM security
    - High-performance multi-layer threat protection, powered by SecuASIC technology
    - AppPatrol to manage the use of IM/P2P applications
    - High Availability features
    - Excellent object oriented, text based manageability

  • 37/258

    ZyWALL USG 1000

    - 5 definable GbE (Gigabit Ethernet) interfaces - deliver flexible network partitioning
    - Power switch, 100~240VAC
    - Extension card slot, HDD slot and USB ports (for future use)
    - Built-in SecuASIC and VPN crypto - delivers robust UTM and VPN performance
    - Ventilation fans

  • 38/258

    ZyWALL Product Family - ZyWALL 1050

    Best performance UTM/VPN concentrator security appliance for mid-large SMB (75 ~ 200 PC users)

    - High firewall/VPN performance (300 Mbps/150 Mbps) with Gigabit Ethernet ports
    - Anti-virus, Anti-Spam, IDP, and content filtering
    - High availability with built-in device and VPN redundancy
    - User aware policy management, and VLAN support
    - Excellent object oriented, text based manageability

  • 39/258

    ZyWALL USG 2000

    - Interface: 6 GbE: 10/100/1000 (Auto MDI/MDIX); 2 SFP: dual-personality combo port
    - HDD slot: HDD expansion slot
    - AUX & Console: dial-in mgmt & RS-232 console
    - Power redundancy: redundant power module
    - Security Extension Module: SEM-VPN, SEM-UTM, SEM-DUAL
    - Card slot: CardBus slot
    - Fan: ventilation fans
    - LEDs: PWR (power status), SYS (system status), AUX (status of dial-in function), HDD (status of hard drive), SEM (VPN/UTM accel.), CARD (3G card status)
    - USB: USB 2.0 (host) ports x 2

  • 40/258

    Security Extension Card (SEM Card) - for ZyWALL USG 2000

    | Card Type | UTM Performance | VPN Performance | Max. IPSec VPN Tunnels | Max. SSL VPN Users |
    | SEM-DUAL  | 400Mbps | 500Mbps | 2,000 | 750 |
    | SEM-UTM   | 400Mbps | 100Mbps | 1,000 | 250 |
    | SEM-VPN   | 100Mbps | 500Mbps | 2,000 | 750 |

  • 41/258

    ZyWALL USG Series

    | | USG 100 | USG 200 | USG 300 | USG 1000 | USG 2000 |
    | CPU | Freescale 8343E | Freescale 8343E | Freescale 8349E | Pentium M 1.8G | Intel E6400 |
    | Flash/DRAM | 255M/256M | 256M/256M | 256M/256M | 256M/1G | 256M/2G |
    | SecuASIC | CIP1001 * 1 | CIP1001 * 1 | CIP1001 * 2 | CIP2001 * 1 | CIP3001 * 1* |
    | Firewall | 100M | 150M | 200M | 350M | 2G |
    | VPN | 50M | 75M | 100M | 150M | 500M* |
    | UTM | 24M | 24M | 48M | 100M | 400M* |
    | Session | 20k | 40k | 60k | 200k | 1kk |
    | Session Rate | 1k | 1.4k | 2k | 13k | 20k |
    | Interface | Gigabit Ethernet: 2*WAN, 5*LAN/DMZ | Gigabit Ethernet: 2*WAN, 1*OPT, 4*LAN/DMZ | Gigabit Ethernet: 7 configurable | Gigabit Ethernet: 5 configurable | Gigabit Ethernet: 6 configurable, 2 SFP (combo) |
    | IPSec VPN | 50 | 100 | 200 | 1000 | 2000 |
    | SSL VPN | 2 -> 5 | 2 -> 10 | 2 -> 10 -> 25** | 5 -> 50 -> 250** | 5 -> 200 -> 750** |
    | USB | 2 | 2 | 2 | 2 | 2 |
    | Extension Slot | 1 (Cardbus) | 1 (Cardbus) | 2 (Cardbus) | 1 (Cardbus) | 1 (Cardbus) |
    | SFP | No | No | No | No | Yes |

    * Need SEM module on USG 2000
    ** In the future firmware release

  • 42/258

    ZyWALL Product Family - ZyWALL SSL10

    Professional integrated SSL VPN appliance for small and medium-sized businesses

    - Clientless secure remote access
    - Seamless integration with the current ZyWALL UTM series
    - Supports AD/LDAP/RADIUS and two-factor authentication
    - Endpoint security check
    - Unified policy management with object-based configuration
    - Dual-mode (NAT/DMZ mode) installation with setup wizard

  • 43/258

    ZyWALL Product Family - ZyWALL OTP

    One-Time Password token for a strong two-factor authentication solution

    - Strong two-factor authentication solution
    - One token for many applications
    - No Expiration Date for Lower Op
    - Intuitive and easy to install, use and manage
    - Seamless integration with ZyWALL security products

  • 44/258

    ZyWALL Product Family - ZyWALL OTP

    - ZyWALL OTP Starter Kit: includes 2 tokens and 1 CD (ZyXEL/Authenex server software); designed for new/potential customers to test and use
    - ZyWALL OTP 5U: includes 5 ZyWALL OTP tokens; designed for customers who already bought the Starter Kit and need more tokens for more users
    - ZyWALL OTP 10U: includes 10 ZyWALL OTP tokens; designed for customers who already bought the Starter Kit and need more tokens for more users

  • 45/258

    ZyWALL Product Family - ZyWALL IPSec VPN Client

    IPSec VPN client software for mobile users

    - Windows Vista support
    - Interoperability with ZyWALL and most IPSec VPN gateways
    - IPSec VPN tunneling with DES/3DES/AES encryption
    - User authentication with X-Auth, PEM or PKCS#12 certificates, pre-shared keys
    - DPD and redundant gateway

  • 46/258

    ZyWALL Feature Matrix - Networking/Security

  • 47/258

    ZyWALL Feature Matrix - System/WAN Type

  • 48/258

    ZyWALL Feature Matrix - HA/Authentication/Management

  • 49/258

    Solution Scenario - Less than 10 PC Users

    - Secures an office with a single broadband Internet connection.
    - Provides secure remote access and protects endpoint devices.
    - Measures mitigating application-level attacks should be taken.

  • 50/258

    Solution Scenario - 10 to 50 PC Users

    - Requires site-to-site and remote VPN access capabilities.
    - Requires firewall protection at the main and branch offices.
    - Each endpoint device needs to be secured.
    - Measures against application-level attacks should be taken so that valuable information assets will be well protected.

  • 51/258

    Solution Scenario - 50 to 70 PC Users

    - Requires site-to-site and remote VPN access and firewall protection in a distributed network. Prevents threats from viruses, worms, trojans and remote attacks.
    - Each endpoint device needs to be secured.
    - Requires high availability of Internet access and QoS management at the main office.

  • 52/258

    How about a coffee break?

  • 54/258

    ZyWALL USG Anti-X

    Security Services Introduction

    Anti-Virus and IDP

    Anti-Spam

    Content Filtering

  • 55/258

    Best-of-breed Technologies Integrated

    - Kaspersky Anti-Virus Technology: world's fastest virus updater
    - ZyXEL IDP & AppPatrol Technology: more than 2000 signatures; IM/P2P application blocking
    - Mailshell Anti-Spam Technology: advanced SpamAdaptAI system with fuzzy logic learning; more than 300,000 rules, dynamically updated
    - BlueCoat Content Filtering Technology: dynamically updated ratings of millions of web sites; 56 content filtering categories

  • 56/258

    ZyWALL Security Services Overview

    - Subscription-based: each ZyWALL supports an expanding array of subscription-based security services designed to integrate seamlessly into a network and provide complete protection.
    - Auto update: with integrated support for Anti-Virus, IDP, Anti-Spam and Content Filtering, ZyWALL intelligently enforces and updates each of these services as updates occur.
    - Easy to integrate and maintain: with ZyWALL, businesses can avoid the integration and maintenance problems that often result from sourcing, installing, and maintaining multiple security products and services from multiple vendors.

  • 57/258

    ZyWALL Gateway Anti-Virus service

  • 58/258

    Anti-Virus Specifications

    - Stream-based gateway AV
    - ICSA-certified (in progress)
    - Zone-based AV inspection
    - Protocols supported: HTTP/SMTP/POP3/FTP/IMAP4
    - Performance: HW-accelerated SecuASIC; throughput over 96 Mbps for ALL protocols; no file size limit; no concurrent session limit
    - Compression: archives ZIP/GZIP/PKZIP up to 100 concurrent archives; RAR up to 16 concurrent archives

  • 59/258

    Zone-Based Virus Inspection

    Enabling configuration of different AV inspection rules to meet security policy

    10,000+

  • 60/258

    Anti-Virus (cont.)

    - BWL (Blacklist & Whitelist): supports blocking of user-definable filenames and/or file extensions, e.g. *.mp3; up to 512 entries (BWL altogether)
    - Action on virus: Log / Alert; destroy infected files; send Windows message (to both origin and destination)
    - Reporting: in Dashboard, top-5 viruses & total viruses detected; in Threat Report, virus statistics

  • 61/258

    Blacklist and Whitelist in AV

    Blacklist & Whitelist can detect, then block (or allow, in the whitelist) files by file pattern (file extension), e.g. *.mp3, *.mpeg

  • 62/258

    Anti-Virus SKU

    - Trial period: 30 days free trial
    - SKU: iCard, Anti-Virus 1-year, ZyWALL 1050; iCard, Anti-Virus 2-year, ZyWALL 1050

  • 63/258

    ZyWALL Gateway AS Overview

  • 64/258

    ZyWALL features high catching rate Anti-Spam and Anti-Phishing

    ZyWALL Gateway Anti-Spam, powered by:

    - Real-time auto updates for consistent accuracy
    - 98% high spam catching rate and 0.05% low false positive rate
    - More than 1 million spam filter checks and constant real-time updating
    - Block non-English language spam with language-independent filters
    - Protect against phishing in email with the latest anti-fraud filters
    - Customizable blacklists and whitelists: create blacklists to block spam by IP address, sender name, or MIME header, and customize whitelists for safe e-mail from customers, partners, or important news sources.

  • 65/258

    How Anti-Spam Works?

    1. Identify mail content
    2. Create digest and send it to rating server
    3. Get reply on digest score
    4. Take appropriate action (Pass or Spam)

  • 66/258

    BlueCoat Content Filtering

    Supported since v4.0

    HTTP is checked on demand against the BlueCoat server:

    1. Request to www.zyxel.com
       (ZyWALL queries the category of www.zyxel.com from the BlueCoat server)
    2. Follow category result to forward/block the HTTP response

  • 67/258

    Need a break..?

  • 68/258

    IPSec VPN

  • 69/258

    What is VPN?

    Virtual Private Network

    (diagram: private networks connected across the Internet)

  • 70/258

    Why VPN?

    - Security: authentication; encryption
    - Cost: reducing the number of access lines; cutting long distance phone charges

  • 71/258

    Benefit of VPN Tunnel

    (diagram: a sniffer on the Internet can't reach or understand the traffic inside the tunnel)

  • 72/258

    IPSec

    Internet Protocol Security

    - Application Layer
    - Transport Layer
    - Network Layer (IPSec Protocol)
    - Data Link Layer
    - Physical Layer

  • 73/258

    IPSec (cont.)

    Two operation modes: transport mode and tunnel mode

    (diagram: tunnel mode and transport mode across the Internet)

  • 74/258

    IPSec (cont.)

    Benefits of IPSec:
    - Confidentiality
    - Integrity
    - Guarantee of data source
    - Replay protection

  • 75/258

    Security Association

    - Security contract
    - How data is protected
    - Security parameters exchange

    (diagram: A and B across the Internet, each holding the agreed parameters: DES, MD5, Key, PFS)

  • 76/258

    SA Creation

    - Manually: offline negotiation; never expire; debugging tool
    - Dynamically: IKE (Internet Key Exchange)

  • 77/258

    SA Deletion

    - SA lifetime expired (seconds/bytes)
    - SA deletion requested
    - Connection idle time out (ZyXEL)
    - Keys compromised

    Re-keying: IPSec doesn't provide the ability to refresh keys. Instead, we have to delete an existing SA and negotiate/create a new SA.

  • 78/258

    ZyXEL VPN Applications

  • 79/258

    ZyXEL VPN Applications

    (diagram: corporate-to-corporate, mobile user and SOHO user VPN tunnels through the Internet, terminated on ZyWALLs at the corporate sites)

Features

- IPSec protocol: AH, ESP
- Address type support: single, range, subnet
- Replay detection: protects against replay attacks
- Key management: IKE, manual
- Negotiation mode: Phase 1 main or aggressive; Phase 2 quick

Security Protocols

- ESP (Encapsulating Security Payload)
- AH (Authentication Header)

Diagram: packet layouts. Original packet: IP header | protected data. ESP: IP header | ESP header | protected data | ESP trailer, where the protected data and ESP trailer are encrypted and ESP header through ESP trailer are authenticated. AH: IP header | AH header | protected data, with the whole packet authenticated.
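Added example, not part of the training deck: a receiver-side ESP check in Python that shows the authenticated region from the diagram (ESP header through the protected data, covered by an HMAC-SHA1-96 ICV), the sliding window behind the "Replay detection" feature, and the byte/second lifetimes behind "SA lifetime expired". The SPI, key, window size and lifetimes are constructed values, and payload encryption is left out so the block needs only the standard library.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12   # HMAC-SHA1-96: the MAC is truncated to 96 bits (12 bytes)
WINDOW = 64    # anti-replay window size in packets (constructed choice)


def build_esp(spi, seq, auth_key, payload):
    """Sender side: ESP header (SPI, sequence number) + protected data + ICV.
    The ICV covers header and data: the 'authenticated' region on the slide."""
    body = struct.pack("!II", spi, seq) + payload
    icv = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv


class InboundEspSa:
    """Receiver-side SA state: SPI, auth key, anti-replay window, lifetimes."""

    def __init__(self, spi, auth_key, life_seconds, life_bytes, created_at):
        self.spi = spi
        self.auth_key = auth_key
        self.life_seconds = life_seconds
        self.life_bytes = life_bytes
        self.created_at = created_at
        self.bytes_seen = 0
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence number (highest - i) already seen

    def expired(self, now):
        # The two 'SA lifetime expired' triggers from the SA Deletion slide
        return (now - self.created_at >= self.life_seconds
                or self.bytes_seen >= self.life_bytes)

    def _is_replay(self, seq):
        if seq == 0:                 # sequence numbers start at 1
            return True
        if seq > self.highest:       # right of the window: new packet
            return False
        offset = self.highest - seq
        if offset >= WINDOW:         # fell off the left edge: too old
            return True
        return bool((self.bitmap >> offset) & 1)

    def _mark_seen(self, seq):
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)

    def receive(self, packet, now):
        """Process one ESP packet and return a verdict string. The replay check
        runs before the ICV check, and the window is only advanced after the
        ICV verifies, so a forged packet cannot slide the window forward."""
        if len(packet) < 8 + ICV_LEN:
            return "malformed"
        spi, seq = struct.unpack("!II", packet[:8])
        if spi != self.spi:
            return "bad_spi"
        if self.expired(now):
            return "expired"
        if self._is_replay(seq):
            return "replay"
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(self.auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            return "bad_icv"
        self._mark_seen(seq)
        self.bytes_seen += len(packet)
        return "ok"


def demo():
    """Constructed scenario; returns the list of verdicts in order."""
    key = b"constructed-demo-auth-key"
    sa = InboundEspSa(spi=0x1000, auth_key=key, life_seconds=3600,
                      life_bytes=10_000_000, created_at=0)
    verdicts = []
    p1, p2, p3 = (build_esp(0x1000, n, key, b"data") for n in (1, 2, 3))
    for p in (p1, p2, p3):
        verdicts.append(sa.receive(p, now=1))
    verdicts.append(sa.receive(p2, now=1))                       # replayed copy of #2
    forged = build_esp(0x1000, 4, key, b"data")
    forged = forged[:8] + b"DATA" + forged[12:]                  # data altered, ICV stale
    verdicts.append(sa.receive(forged, now=2))
    verdicts.append(sa.receive(build_esp(0x1000, 70, key, b"data"), now=2))   # window jumps
    verdicts.append(sa.receive(build_esp(0x1000, 5, key, b"data"), now=2))    # now too old
    verdicts.append(sa.receive(build_esp(0x1000, 60, key, b"data"), now=2))   # late, in window
    verdicts.append(sa.receive(build_esp(0x1000, 71, key, b"data"), now=4000))  # lifetime hit
    return verdicts
```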

Address Type

- Single: only one host can use VPN (example: 192.168.1.33)
- Range: a range of hosts can use VPN (example: Start 192.168.1.33, End 192.168.1.254)

Address Type (cont.)

- Subnet: a subnet of hosts can use VPN (example: Start 192.168.1.0, End 255.255.255.0; for a subnet the End field holds the subnet mask)

Features (cont.)

- Party identification: pre-shared key, digital certificate
- Encryption algorithm: Phase 1 DES, 3DES, AES; Phase 2 DES, 3DES, AES, NULL
- Authentication algorithm: SHA1, MD5
- Key group: DH1, DH2
- Perfect Forward Secrecy: None, DH1, DH2

How IKE works

Two phases:
- Phase 1: establish IKE SAs
- Phase 2: establish IPSec SAs

Three modes:
- Main mode
- Aggressive mode
- Quick mode

Diagram: Phase 1 (IKE SA) uses main mode or aggressive mode; Phase 2 (IPSec SA) uses quick mode.

Diagram: Phase 2 produces the IPSec SA.

IPSec SA

An IPSec SA contains:
- Security protocol (ESP/AH)
- Encryption algorithm
- Authentication method
- Diffie-Hellman group, if PFS is used
- Mode (transport/tunnel)
- Policy: local/remote network
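Added example (not ZyWALL code) tying together the Single/Range/Subnet address types and the local/remote policy of an IPSec SA: selectors built from the slide's own settings, an outbound lookup that picks the SA for a packet, and a configuration check for overlapping policies. The remote networks and policy names are constructed.

```python
import ipaddress


class AddressSelector:
    """A ZyWALL-style VPN address object of type 'single', 'range' or 'subnet'.
    For 'subnet' the End field on the slide holds the netmask, not an end address."""

    def __init__(self, kind, start, end=None):
        self.kind = kind
        if kind == "single":
            ip = int(ipaddress.IPv4Address(start))
            self.first, self.last = ip, ip
        elif kind == "range":
            self.first = int(ipaddress.IPv4Address(start))
            self.last = int(ipaddress.IPv4Address(end))
            if self.first > self.last:
                raise ValueError("range start is after range end")
        elif kind == "subnet":
            # strict=True rejects a host address paired with a netmask
            net = ipaddress.IPv4Network(f"{start}/{end}", strict=True)
            self.first = int(net.network_address)
            self.last = int(net.broadcast_address)
        else:
            raise ValueError(f"unknown address type {kind!r}")

    def contains(self, ip):
        return self.first <= int(ipaddress.IPv4Address(ip)) <= self.last

    def overlaps(self, other):
        return self.first <= other.last and other.first <= self.last


class VpnPolicy:
    """Phase 2 policy: the local and remote networks one IPSec SA carries."""

    def __init__(self, name, local, remote):
        self.name, self.local, self.remote = name, local, remote

    def matches(self, src, dst):
        return self.local.contains(src) and self.remote.contains(dst)


def select_policy(policies, src, dst):
    """Outbound lookup: first policy whose selectors match, else None (no tunnel)."""
    for policy in policies:
        if policy.matches(src, dst):
            return policy.name
    return None


def overlapping_policies(policies):
    """Configuration check: two policies whose local AND remote selectors overlap
    make tunnel selection order-dependent; report every such pair."""
    pairs = []
    for i, a in enumerate(policies):
        for b in policies[i + 1:]:
            if a.local.overlaps(b.local) and a.remote.overlaps(b.remote):
                pairs.append((a.name, b.name))
    return pairs


# Local selectors use the three examples from the slides; remote networks are constructed.
DEMO_POLICIES = [
    VpnPolicy("host-to-branch",
              AddressSelector("single", "192.168.1.33"),
              AddressSelector("subnet", "10.1.0.0", "255.255.255.0")),
    VpnPolicy("range-to-hq",
              AddressSelector("range", "192.168.1.33", "192.168.1.254"),
              AddressSelector("subnet", "10.2.0.0", "255.255.0.0")),
    VpnPolicy("lan-to-dc",
              AddressSelector("subnet", "192.168.1.0", "255.255.255.0"),
              AddressSelector("subnet", "10.3.0.0", "255.255.255.0")),
]
```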

IPSec Overview

Diagram: the Phase 1 negotiation (IKE over UDP port 500) agrees one set of parameters (DES, MD5, key); the Phase 2 negotiation agrees the parameters for the data (3DES, SHA-1, key); the data then flows in ESP/AH, which has no port.

Main Mode

Diagram: six-message exchange between initiator and responder:
1. Initiator: Header, SA
2. Responder: Header, SA
3. Initiator: Header, Key, Nonce
4. Responder: Header, Key, Nonce
5. Initiator: Header, ID, Hash (encrypted)
6. Responder: Header, ID, Hash (encrypted)

Legend: ID = identification; SA = security association; Key = key exchange payload; Nonce = random value.

Aggressive Mode

Diagram: three-message exchange between initiator and responder:
1. Initiator: Header, SA, Key, Nonce, ID
2. Responder: Header, SA, Key, Nonce, ID, Hash
3. Initiator: Header, Hash

Faster but less secure than main mode.
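Added simulation (not from the deck) of the Phase 1 message flows of the Main Mode and Aggressive Mode slides with pre-shared keys, following the SKEYID and HASH_I/HASH_R construction of RFC 2409. The DH group is a toy prime and the SA payload a placeholder byte string, both labelled in the code. It shows what a defender should expect on the wire: in main mode the identities and hashes are sent encrypted after the key exchange, while in aggressive mode the ID and the PSK-derived hash travel in the clear, which is why main mode is the preferred choice with pre-shared keys.

```python
import hashlib
import hmac
import os

# Toy Diffie-Hellman group (127-bit Mersenne prime, generator 2). It is NOT a
# real IKE group (DH1/DH2 are 768/1024-bit MODP groups); it only keeps the
# simulation fast and self-contained.
TOY_P = (1 << 127) - 1
TOY_G = 2
SA_PROPOSAL = b"3DES/SHA1/DH2/PSK"   # placeholder for the encoded SA payload


def prf(key, data):
    # IKEv1 prf when SHA1 is the negotiated authentication algorithm
    return hmac.new(key, data, hashlib.sha1).digest()


class Peer:
    def __init__(self, ident, psk):
        self.ident = ident                                   # IDii / IDir payload
        self.psk = psk
        self.x = int.from_bytes(os.urandom(15), "big") + 2   # private exponent
        self.nonce = os.urandom(16)
        self.cookie = os.urandom(8)
        self.ke = pow(TOY_G, self.x, TOY_P)                  # KE payload: g^x mod p

    def skeyid(self, ni, nr):
        # Pre-shared-key authentication (RFC 2409 s5.4): SKEYID = prf(psk, Ni | Nr)
        return prf(self.psk, ni + nr)

    def auth_hash(self, ni, nr, ke_i, ke_r, cky_i, cky_r, ident):
        # HASH_I / HASH_R = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | ID)
        data = (ke_i.to_bytes(16, "big") + ke_r.to_bytes(16, "big")
                + cky_i + cky_r + SA_PROPOSAL + ident)
        return prf(self.skeyid(ni, nr), data)


def run_phase1(mode, init, resp):
    """Simulate IKEv1 Phase 1 in 'main' or 'aggressive' mode. Returns the
    message transcript (sender, payloads, encrypted?), whether both HASH
    values verified, and whether the DH exchange agreed."""
    if mode == "main":
        transcript = [
            ("I", ["HDR", "SA"], False),
            ("R", ["HDR", "SA"], False),
            ("I", ["HDR", "KE", "Nonce"], False),
            ("R", ["HDR", "KE", "Nonce"], False),
            ("I", ["HDR", "ID", "HASH"], True),   # encrypted with DH-derived keys
            ("R", ["HDR", "ID", "HASH"], True),
        ]
    elif mode == "aggressive":
        transcript = [
            ("I", ["HDR", "SA", "KE", "Nonce", "ID"], False),
            ("R", ["HDR", "SA", "KE", "Nonce", "ID", "HASH"], False),
            ("I", ["HDR", "HASH"], False),
        ]
    else:
        raise ValueError(f"unknown mode {mode!r}")
    # Values both sides observe on the wire
    wire = (init.nonce, resp.nonce, init.ke, resp.ke, init.cookie, resp.cookie)
    # Each side computes the hash it sends with its own PSK ...
    hash_i = init.auth_hash(*wire, init.ident)
    hash_r = resp.auth_hash(*wire, resp.ident)
    # ... and the hash it expects from the peer, also with its own PSK
    expect_i = resp.auth_hash(*wire, init.ident)
    expect_r = init.auth_hash(*wire, resp.ident)
    authenticated = (hmac.compare_digest(hash_i, expect_i)
                     and hmac.compare_digest(hash_r, expect_r))
    dh_agreed = pow(resp.ke, init.x, TOY_P) == pow(init.ke, resp.x, TOY_P)
    return {"transcript": transcript, "authenticated": authenticated,
            "dh_agreed": dh_agreed}


def cleartext_payloads(transcript):
    """Payload types that cross the wire unencrypted in the given mode."""
    return {p for _, payloads, enc in transcript if not enc for p in payloads}
```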

Quick Mode

Diagram: three-message exchange between initiator and responder:
1. Initiator: Header, Hash, SA, Nonce, ID, ID
2. Responder: Header, Hash, SA, Nonce, ID, ID
3. Initiator: Header, Hash

Phase 2 is quick because the identities have already been verified in Phase 1.

Setup ZyWALL for IPSec

Diagram: LAN 1 and LAN 2 are connected through an IPSec connection between two security gateways across the Internet.

Information needed before the IPSec setting:
- IP address
- Security protocol
- Key management method
- Encryption algorithm
- Authentication algorithm
- Key group
- Encapsulation mode

Remote Access Today

Common form of secure remote access: IPSec VPN.

However, IPSec has the following drawbacks in most remote access scenarios:
- It's mandatory to pre-install and pre-configure tens, hundreds, even thousands of client-side encryption software installations; imagine that each installation requires a reboot!
- Difficulty traversing a typical firewall (ESP, UDP 500: "Uh?")
- Resulting in a massive amount of help-desk calls ("Why did my laptop show a BSOD (Blue Screen of Death)???")

SSL VPN

- What is SSL/TLS
- Why SSL VPN
- SSL VPN applications: reverse proxy
- SSL VPN applications: network extension
- IPSec VPN vs. SSL VPN

What is SSL/TLS?

- SSL stands for Secure Sockets Layer
  - Originally created by Netscape
  - Uses RC4, MD5, RSA and other encryption methods
  - Widely used for secure web browsing through HTTPS (port 443)
  - Handles authentication and encryption
  - SSL v2 and v3 are commonly deployed
- TLS stands for Transport Layer Security
  - The IETF adopted SSL, made minor changes and called it TLS
  - Successor of SSL
  - Traverses NATs without problems

What is SSL/TLS? (diagram)

HTTPS (using SSL for encryption)

Screenshot: HTTPS (using SSL for encryption); a lock icon appears near the bottom right of the screen.

What's SSL VPN?

Diagram: laptop, mobile device, partner, desktop and kiosk clients reach mainframe and server resources across the Internet through an SSL VPN, secured by SSL.

What's SSL VPN?

- A type of VPN (Virtual Private Network)
- Secures communication between client and server by SSL
  - Authentication
  - Data encryption

Why SSL VPN?

- Advantages
  - Clientless: no extra configuration required on the user's machine
  - Ideal for mobile access

SSL VPN Applications

- Depending on which applications of internal resources can be accessed, there are three network access modes in SSL VPN:
  - Reverse proxy
  - Port forwarding (not supported by ZLD 2.0)
  - Network extension

Typical Example of SSL VPN Application

Diagram: a web browser on a home PC connects to the company, where an email server, a file server, other servers and an authentication server (LDAP, RADIUS, Active Directory) sit.

What is a Reverse Proxy?

- A forward proxy acts as a proxy for client requests.
- A reverse proxy acts as a proxy for web servers.
- A forward proxy lowers server response time and saves on bandwidth; besides those two benefits, a reverse proxy protects web servers from attacks.

Reverse Proxy vs. Forward Proxy (diagram)

Reverse Proxy

- Web application access

Diagram: the client browser connects over HTTPS to the gateway, which talks HTTP to applications with a web interface and checks users against an authentication server (RADIUS, LDAP, NTLM, Active Directory).

Outlook Web Access Server (screenshot)

CIFS Action

- Browse (enter a folder)
- Create (folder)
- Delete (file or folder)
- Rename (file or folder)
- Upload (file)
- Download (file)

File Sharing User Interface (screenshots)

Network Extension

- Assigns an IP address to the client
- Allows the client to participate in the LAN directly
- Adds the necessary routes on the client machine
  - The admin configures routes
  - Users can also manually add routes

Network Extension Remote Access

- ZyWALL Security Extender (Windows-only for now)
- IPSec-like access for any application
- Firewall rules for access control

Diagram: the client browser, with a layer 2 driver/PPTP client application, tunnels any protocol over SSL (WAN PPTP) to the SSL VPN gateway, which fronts desktop applications, a file server, an email server, other servers and an authentication server (RADIUS, LDAP, Active Directory).

Network Extension Logon Flow

Diagram: steps between the client (browser and Java applet) and the SSL VPN gateway: the browser logs in at the login portal over SSL; the client loads and downloads the Java applet; the Java applet creates a PPP interface and is ready to negotiate a PPTP connection; the PPTP connection is negotiated over SSL; the gateway searches the SSL VPN policy and assigns IP, routing entry, DNS and WINS; the client configures IP, routing entry, DNS and WINS.

Application Access (Network Extension)

Diagram: a laptop on the Internet connects to the ZyWALL 1050, which assigns it the IP address 192.168.192.75 and provides a routing list: 172.21.0.0/16 via 192.168.192.75 and 172.23.0.0/16 via 192.168.192.75 (internal networks 172.21.0.0/16 on eth0 and 172.23.0.0/16 on vlan1).

Application Access (Network Extension)

Diagram: the laptop reaches host 172.21.1.77 in 172.21.0.0/16 (ge0) and host 172.23.3.26 in 172.23.0.0/16 (vlan1) through the ZyWALL 1050.

Network Extension Applic (screenshots)

Known SSL VPN Issues

- SUN Java 6 Update 4 has a known interoperability problem with ZyWALL SSL VPN
- Microsoft JRE (Java Runtime Environment) is not compatible with ZyWALL SSL VPN

IPSec VPN vs. SSL VPN

Feature                 IPSec VPN (dynamic rule)    SSL VPN
VPN clientless          No (IPSec client)           Yes (web browser)
IP conflict solution    NAT over IPSec              Won't have an IP conflict issue
Host integrity check    No                          Yes*
Authentication          XAUTH, certificate          AAA, certificate
Configuration           Pre-configuration           No
Application             Network layer               Application layer
Ideal for               Site to site                Remote or mobile

ZyXEL SSL VPN Design Specification

- A maximum of 64 SSL application objects can be created.
- A maximum of one OWA-type SSL application object can be created.
- A maximum of eight SSL application objects can be added to an SSL VPN policy.
- Does not support a username and password within the URL; the authentication request will be prompted by your browser. The common URL syntax http://user:password@host:port/ carries them, but the user name and password parts are NOT supported.

SSL VPN Benefits

- Clientless remote access: no pre-installed client software; no pre-configuration by end users; utilizes a standard web browser
- Application/user-aware: granular access policies over spec
ific applications or users; enforces corporate security policy by endpoint security checks
- Simplified deployment: automatic agent download; no firewall or NAT traversal issues that IPSec may suffer from; can survive almost every environment on this planet

Hybrid: SSL VPN & IPSec VPN

So how about integrating both VPN technologies into a single box?

- VPN capacity on ZyWALL 1050: up to 50 SSL VPN tunnels; up to 1,000 IPSec VPN tunnels
- Performance: 75 Mbps (SSL VPN); 150 Mbps (IPSec VPN)

Main Features of Hybrid VPN

- Seamless integration
- Clientless secure remote access
- Comprehensive user authentication mechanism

Clientless Secure Remote Access

- Remote users can use a standard web browser to easily access corporate applications or file sharing without pre-installed or pre-configured VPN software.

Screenshots: using a standard browser to access internal network applications; using a standard browser to access an internal file-sharing folder.

Comprehensive User Auth Method

Diagram: remote users on the Internet authenticate to the ZyWALL 1050 against a local database (users in Group1 and Group2), an external database (Active Directory, LDAP, RADIUS), or a two-factor authentication server using the ZyWALL OTP (One-Time Password) token. Example: user justin with password zyxel enters the PIN code (130201) displayed on the ZyWALL OTP token.

More VPNs: L2TP

- Specifications: L2TP over IPSec; shares the tunnel upper bound with IPSec VPN: up to 1,000 tunnels
- Benefits of supporting L2TP VPN
  - Extended VPN client: MS Windows 2000 (and above) has an L2TP client built in, free of charge
  - Secure: L2TP is more secure than PPTP
  - Interoperability: can interoperate with a NAT gateway
- Application note: default IPSec policy for MS Windows L2TP users
  - For VPN Connection, users need to configure Local Policy and Remote Policy accordingly
  - For VPN Gateway, users need to configure My Address and Pre-Shared Key accordingly
  - For Policy Route, users need to add one policy route rule accordingly
  - Supports PAP authentication only

L2TP VPN Scenarios

Diagram: L2TP over IPSec connecting to the ZyWALL 1050 for remote management, HTTP service and mail service.

IM/P2P Management (AppPatrol)

- IM/P2P access granularity: differentiating the access level of IM/P2P applications and enforcing a granular access policy
  - Access level: login, chat, file transfer, voice call, video call
  - More IM/P2P applications are supported in 2.00
- BWM enhancement
  - Supports BWM in each rule; can do BWM per user group
  - Can do BWM against inbound traffic
  - Guaranteed (prioritized) bandwidth per protocol/application
  - Maximizes bandwidth utilization: can borrow excess bandwidth dynamically
- Real-time bandwidth monitor
  - Shows which connection uses which application (protocol) in the Traffic Report
  - Shows graphical bandwidth usage and statistics per protocol

IM/P2P Access Granularity

- Access granularity: can differentiate the access level per IM/P2P application to enforce corporate access policy
- User-aware, scheduling and BWM: IT staff can have full and granular control over the access of IM/P2P applications, together with user awareness, scheduling and BWM

AppPatrol Against IM/P2P

AppPatrol                 ZLD 2.00    ZLD 1.0x    ZyNOS 4.00 & after
User-aware                yes         yes         -
Integrated BWM            yes         yes         -
Scheduling                yes         yes         -
Access granularity (1)    yes         -           yes
IM/P2P up-to-date         yes (2)     -           yes (3)

(1) Differentiating the access level of IM/P2P applications and enforcing a granular access policy
(2) Requires a valid IDP subscription
(3) Requires a valid AV+IDP subscription

Statistical Graph in AppPatrol

- Statistical graph: line chart showcasing per-application bandwidth usage over a 60-minute time frame

AppPatrol Signature Update

- Keep up-to-date: can support newer versions of (already) supported IM/P2P applications via signature update
- How to get AppPatrol updated?
  - Trial: activate the IDP trial service and update IDP signatures before trial expiration (30-day trial period)
  - Constant updates: require purchase of an IDP subscription and activation of the IDP standard service (IDP subscription 1-year or 2-year)

IDP Enhancement

- Enabling flexible direction for IDP inspection: zone-to-zone protection
- Reporting: displays the top-5 attacks detected (in the dashboard); IDP Report: executive summary of events triggered by the IDP feature

IDP versus ADP

ADP is for Anomaly Detection & Protection.

IDP/ADP comparison                         IDP    ADP
L7 inspection to stop threats & attacks    yes    -
Signature update                           yes    -
TA/PA (1)                                  -      yes
Protecting the ZyWALL itself               -      yes
Requiring an iCard subscription            yes    -

(1) TA: Traffic Anomaly; PA: Protocol Anomaly

GUI Enhancements

- Dashboard face-lift: new look and feel; added threat reports
- In-line object creation: creating missing objects on the fly (without leaving the current config screen)
- Language options: architecture for implementing a multilingual GUI; double-byte languages supported (Japanese/SC/TC)
- Mouse-over info: displaying detailed info when moving the cursor over an item in a config screen

Dashboard Face-lift

Screenshot: click on the "More" button to view more details; top-5 intrusions and viruses detected; a new Active Sessions counter displays the active session count on the fly.

In-line Object Creation

- Enables the user to create new objects on the fly without leaving the current page. The feature is system-wide.
- In the drop-down list of each feature, if a desired object is not present, simply click on the "Create Object" option to trigger a pop-up window and create the object on the fly, without leaving the current config page.

Certification

- ICSA Firewall version 4.1
- ICSA IPSec version 1.1D
- ICSA Anti-Virus: in progress
- ICSA IDP: in progress

GUI Overview

ZyXEL Communications Corp.

Begin

- Default management IP address: 192.168.1.1 on physical port 1 (from the left side of the front panel)
- Default administrator login: user name admin, password 1234

GUI Access

- Screen size: 1024*768
- Multiple browser support: IE 6.0 and above; Firefox 1.5.0 and above; Netscape 7.2 and above
- Turn on JavaScript and the cookie setting in your web browser. Turn off popup window blocking in your web browser.

GUI Overview - login page (screenshot)

GUI Overview - Status Page

Screenshot: menu tree, global icon list, device command status, device command warning messages.

GUI Overview - Menu Tree (cont.)

Screenshot: the global icons Help, Wizard, Web Console, Site Map, Logout and About.

GUI Overview - Menu Tree

1. First, set up the network topology configuration; start with Interface.
2. Then, set up the security policy configuration; start with Route.

GUI Overview - Menu Tree (cont.)

Screenshot: system built-in services; frequently used objects; log and traffic statistics report.

Quick Start

ZyXEL Communications Corp.

Basic component concept

- Port (physical port): a place where (L1/L2) frames go through. A port can be shared by many interfaces. Each port can be configured as WAN, LAN or DMZ.
- Virtual port (VLAN): makes use of the VLAN tag (L2 virtualization).
- Interface (logical interface): a place where (L3+) packets go through. An interface is bound to a port or a virtual port; many interfaces can share a port. An interface is bound to one zone only, not multiple ones.
- Zone: a group of interfaces; a set of hosts with the same characteristic; a logical element used to make the configuration of firewall rules easier. Many interfaces can belong to a zone.
- Alias I/F: by definition a kind of interface (L3 virtualization), i.e. a virtual interface.

Note (cont.)

- The physical ports on the front panel of the ZyWALL 1050 are named in the system as ge1, ge2, ge3, ge4, ge5.
- "ge" stands for Gigabit Ethernet.

The ZyWALL 1050 Network Hierarchy

Diagram: physical ports (RJ45 connections) can be port-grouped; at Layer 2 and below: Ethernet, VLAN and bridge (L2 switching without firewall); at Layer 3 and above: PPP, AUX, trunk and virtual interfaces (IP alias).

Internet Connection Setup Using Wizard - PPPoE

Screenshots: wizard PPPoE pages.

Setup of the Internet Connection (PPPoE)

Instead of using the wizard, the user may also configure a PPPoE connection using the GUI.

- Use the system default configuration: ge1 as the LAN interface; ge2 and ge3 combined as WAN_TRUNK
- Use ge2 as the base interface for this PPPoE interface
- Connect port 2 (ge2) to a PPPoE server
- Connect a host to port 1 (ge1)

Step 1: Set up the ISP account

The idle timeout is used when the PPPoE interface is in dial-on-demand mode. If the idle timeout is zero, no idle timeout is applied.

Step 2: Create a PPPoE interface

The current example uses Nail_up mode. If the PPPoE server is available, this PPPoE connection will always be active.

Step 3: Check the PPPoE IP address

Make sure ppp0 obtains the correct IP address.

Step 4: Create a policy route for ppp0

Set Next-Hop to ppp0. This policy route rule must be the first rule.

Step 6: Check LAN host connectivity

Verify that the LAN host can ping the outside network.

Troubleshooting

- The ppp0 interface obtains an IP address
- The policy route rules match
- LAN host DNS (for resolving the domain name)
- PPPoE server availability


Firewall

- Security zone based
- Global zone
- Address, schedule, user-aware, role-based

Firewall Zone Concept

Diagram: customizable multi-zone segmentation on a ZyWALL. WAN zone: interfaces ge2, ge3:1, ge3:2 and ge3:3 on ADSL (2M/512K and 1.5M/384K), cable (2M/384K) and DSL (64K) links, public address 168.168.168.168. VPN zone: tunnels US_Tun and China_Tun to US_A 172.21.10.0/24, China_A 192.168.200.0/24 and China_Real_A 192.168.10.0/24. LAN zone: interfaces ge1:1 to ge1:4 with Manager_A 192.168.10.0/24, Sales_A 192.168.20.0/24, RD_A 192.168.30.0/24 and Finance_A 192.168.40.0/24. DMZ zone: WWW_A 192.168.100.1:8080 and FTP_A 192.168.100.2. Firewall rules apply intra-zone and inter-zone.

Global Policy (screenshots)
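Added example (not ZyWALL's implementation) of zone-based rule evaluation as described in the Firewall, Firewall Zone Concept and Global Policy slides: interfaces bind to zones, a rule matches a from-zone/to-zone pair ("any" on both sides makes it a global rule) plus address objects, service, user group and schedule, and unmatched traffic falls to an intra-zone or inter-zone default. The interface-to-zone mapping, the default actions, the rule names and the hour ranges are assumptions; the address objects are the ones named on the diagram.

```python
import ipaddress

# Interface-to-zone bindings and address objects loosely based on the
# 'Firewall Zone Concept' diagram; the exact bindings are an assumption.
IFACE_ZONE = {
    "ge1:1": "LAN", "ge1:2": "LAN", "ge1:3": "LAN", "ge1:4": "LAN",
    "ge2": "WAN", "ge3:1": "WAN", "ge3:2": "DMZ",
    "US_Tun": "VPN", "China_Tun": "VPN",
}
ADDRESS = {
    "Manager_A": "192.168.10.0/24", "Sales_A": "192.168.20.0/24",
    "RD_A": "192.168.30.0/24", "Finance_A": "192.168.40.0/24",
    "WWW_A": "192.168.100.1/32", "FTP_A": "192.168.100.2/32",
    "US_A": "172.21.10.0/24", "China_A": "192.168.200.0/24",
    "any": "0.0.0.0/0",
}
SERVICE = {"HTTP": ("tcp", 80), "HTTP_8080": ("tcp", 8080), "FTP": ("tcp", 21)}


def packet(in_iface, out_iface, src, dst, proto="tcp", dport=80, user=None, hour=12):
    """A packet as the firewall sees it after the routing decision (constructed)."""
    return {"in_iface": in_iface, "out_iface": out_iface, "src": src, "dst": dst,
            "proto": proto, "dport": dport, "user": user, "hour": hour}


class Rule:
    """One rule: zone pair ('any' on both sides = global rule), address objects,
    service, optional user group (user-aware) and optional schedule (hour range)."""

    def __init__(self, name, from_zone, to_zone, src, dst, service, action,
                 users=None, hours=None):
        self.name, self.from_zone, self.to_zone = name, from_zone, to_zone
        self.src, self.dst, self.service, self.action = src, dst, service, action
        self.users, self.hours = users, hours

    def matches(self, pkt, src_zone, dst_zone):
        if self.from_zone not in ("any", src_zone) or self.to_zone not in ("any", dst_zone):
            return False
        if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(ADDRESS[self.src]):
            return False
        if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(ADDRESS[self.dst]):
            return False
        if self.service != "any" and SERVICE[self.service] != (pkt["proto"], pkt["dport"]):
            return False
        if self.users is not None and pkt["user"] not in self.users:
            return False
        if self.hours is not None and not (self.hours[0] <= pkt["hour"] < self.hours[1]):
            return False
        return True


class ZoneFirewall:
    """First matching rule wins; unmatched traffic gets the intra-zone or
    inter-zone default (assumed: allow within a zone, deny between zones)."""

    def __init__(self, rules, intra_default="allow", inter_default="deny"):
        self.rules, self.intra_default, self.inter_default = rules, intra_default, inter_default

    def evaluate(self, pkt):
        src_zone, dst_zone = IFACE_ZONE[pkt["in_iface"]], IFACE_ZONE[pkt["out_iface"]]
        for rule in self.rules:
            if rule.matches(pkt, src_zone, dst_zone):
                return rule.action, rule.name
        if src_zone == dst_zone:
            return self.intra_default, "default-intra"
        return self.inter_default, "default-inter"


RULES = [
    # global rule: nothing from any zone reaches Finance_A, even inside the LAN zone
    Rule("global-isolate-finance", "any", "any", "any", "Finance_A", "any", "deny"),
    Rule("sales-web-office-hours", "LAN", "WAN", "Sales_A", "any", "HTTP", "allow", hours=(9, 18)),
    Rule("managers-web", "LAN", "WAN", "Manager_A", "any", "HTTP", "allow", users={"managers"}),
    Rule("public-www", "WAN", "DMZ", "any", "WWW_A", "HTTP_8080", "allow"),
    Rule("us-office-ftp", "VPN", "DMZ", "US_A", "FTP_A", "FTP", "allow"),
]
```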

Application Patrol

- Managing from the application viewpoint vs. from the policy (user/role) based firewall viewpoint
- Application-aware application classifier: identifies the application by inspecting the payload; supports more than 16 applications

Application Management (screenshot)

App. Patrol Summary Page (screenshot)

App. Patrol Configuration (screenshot)

Content Filtering

- URL filtering: multiple filtering profiles; scheduling, user-aware; black list and white list; block by keyword
- Block dangerous web features (ActiveX, Java, cookies, web proxy)
- Custom deny message and redirect to URL

Intrusion Detection & Prevention (IDP)

- IDP: a combination of inline NIDS and NIPS
- Multi-method detectors: traffic anomaly; protocol anomaly; signature based (1800+ signatures)
- The IDP sensor can sit in front of any zone
- Supports custom signatures

IDS & IPS Scenarios

Diagram: a NIDS attached beside the path between the Internet and the internal network; an inline NIDS on the path; an IPS inline between the Internet and the internal network.

Multi-Homing Policy Route

- User-aware
- Source-based and service-based routing
- Route to a gateway, a VPN tunnel, or a trunk for load balancing and link backup
- SNAT
- Load balancing and link HA
- BWM

Policy Route Example (screenshots)

NAT

- SNAT: policy-based. Supported NAT types: one-to-one, many-to-one, many-to-many overload, many one-to-one; the type is determined automatically.
- DNAT: virtual server; one-to-one IP mapping; optional single and range port translation; transparent proxy (a usage of DNAT)

Flexible Port Configuration

- Flexible port role: any port can be configured as LAN, WAN, DMZ or other
- Flexible switching ports: any port can be configured as a switching port; traffic between switching ports is not inspected by the ZyWALL
- Virtual port: 802.1q VLAN ports can be defined; a virtual port supports the same functions as a physical port does

Scenario: Mix of NAT & Transparent Mode (diagram)

IPSec

- User-aware (prior login)
- Route-based (static)
- HA by backup SG and DDNS
- NAT over IPSec traffic

IPSec VPN GUI

Screenshots: click on "Add Gateway"; gateway and connection configuration pages.

VLAN Scenario

Diagram: the ZyWALL 1050 acts as a VLAN-aware router with a tagged VLAN trunk to VLAN-aware switches; VLAN 1 (LAN 1, subnet 192.168.1.0, gateway 192.168.1.254), VLAN 2 (LAN 2, subnet 192.168.2.0, gateway 192.168.2.254) and VLAN 3 (LAN 3, subnet 192.168.3.0, gateway 192.168.3.254) are delivered untagged toward the hosts.

Text Configuration File

- The configuration file is constructed from CLI commands
- It can be edited offline with a text editor
- Easy to copy the configuration to other devices

Script

- A batch of CLI commands contained in a file
- Script files can be stored in the ZyWALL 1050

Multi Login

- Allows users to log in to the system simultaneously
- Allows multiple administrators to configure the system concurrently
- Administration account: account used to manage the system
- Access account: account used by a user to get through the ZyWALL 1050 device

User Aware

- User object and user group object
- Users must authenticate themselves before they can get through the ZyWALL
- The user-based policy scheme is an optional function of the ZyWALL 1050
- Embedded authentication server: HTTP and HTTPS
- User database: local profile, or look up by LDAP or RADIUS
- Lease timer and re-authentication timer, plus a global traffic idle timer
- Applies to policy route, firewall, content filtering, App. Patrol, etc.

Configuration Object

Objects can be reused, which makes configuration tasks easier:
- User / user group
- AAA server
- Auth method
- Schedule
- Address / address group
- Service / service group
- Certificate
- ISP account

Screenshots: AAA Server Object; Auth Method Object; Schedule Object; Address & Address/GW Group Object.

Log Implementation

- Internal buffer: 512 entries
- Logs can be viewed by console/SSH/Telnet or the web GUI
- E-mail system: two accounts; sender authentication
- Syslog server: four accounts

Log Viewer (screenshot)

Log Configuration (screenshot)

Maintenance Tool

- ping
- nslookup
- traceroute
- packet trace
- show socket
- show arp table

    Traffic Report

  • 7/25/2019 Firewall Training 2008

    216/258

    Traffic Snapshot

    217/258

    Dynamic Routing

    RIP

    v1 & v2

    Simple & MD5 Authentication

    OSPF

    Area: Normal, Stub & NSSA

    Simple & MD5 Authentication

    218/258

    Virtual Link

    220/258

    Hands-on: Lunch

    221/258

    One-Time Password token
    222/258

    One-Time Password for Two-Factor Authentication

    Strong Authentication Solution with OTP

    Strong Two-Factor Authentication Solution

    One Token for Many Applications

    No Expiration Date for Lower Operating Costs

    Intuitive and Easy to Install, Use and Manage

    Seamless Integration with ZyWALL Security Products

    ZyWALL OTP

    224/258

    Solution Diagram

    Central site: customers need to install the ZyXEL/Authenex Server as an authentication server.

    Remote User: ZyWALL OTP token for each remote user

    [Diagram: an employee on a home computer with a ZyWALL OTP token connects over the Internet to the central site LAN, which hosts the Email Server, the BI System and the ZyXEL/Authenex Server]

    225/258

    [Diagram: authorized partners, authorized customers and an employee laptop in an airport kiosk or hotel reach a ZyWALL USG Series firewall over the Internet using ZyWALL OTP; behind the firewall sit File Share, Web-based Application, Remote Desktop, Network Extend, Application Server (Inventory, Store..), OA/ERP System and CRM System]

    Management Tools

    Vantage CNM and Report

    226/258

    Vantage CNM and Report

    229/258

    Group Device Configuration for Mass Deployments

    Benefit

    Low TCO for Massive Deployments and Maintenance

    Automatic Unattended Upgrade

    Firmware Upgrade

    By Schedule

    Immediately

    Device Configuration and Policy

    Group Configuration for multiple devices

    Configuration Template to simplify configuration tasks

    230/258

    Device Setting Backup/Restore

    Real-time Monitoring, Alerting and Comprehensive Graphic Reporting

    Benefit

    Real-time Monitor Devices

    Active Alarm Notification

    Centralized Logging & Reporting

    Real-time Monitoring: Device Online/Offline Status

    Device Alarm Status

    VPN Tunnel Up/Down Status

    Alerting: Visual Icon

    Email Notification

    Comprehensive Graphic Reporting: More than 50 predefined reports including Network Threat and Traffic Report

    Detail Drill-down information

    Automatic Schedule Report

    Automatic Schedule Email Generation

    232/258

    1.1 Topology: Managed Security Provider

    [Diagram: a Managed Service Provider's Vantage CNM Server manages, over the Internet, the Internet Security Appliances at Company A, Company B and Office 1, 2 and 3]

    1.2 Topology: Distributed Enterprise

    [Diagram: Company C's IT Manager runs a Vantage CNM Server that manages, over the Internet, the Internet Security Appliances at the Branch Office, Dept. 1 and Dept. 2, and a Personal Security Appliance at a Telecommuter]

    1.3 Topology: Centralized Logging and Reporting

    [Diagram: ZyWALL A and ZyWALL B send Syslog over the Internet to the Vantage CNM & Reporting Server; a client with IE runs online queries against that server]

    Vantage Report Example

    237/258

    1.2 UTM Management - License Management

    Centralized License Management: Subscription Monitor, Maintenance/Upgrade

    License Monitor

    1.3 UTM Management - Alarm Indication

    Immediate visual alarm indication

    Email Alert to Device Owner & Administrator

    Problem identification through Alarm Monitor

    E-mail Alert Content

    239/258

    Device under Attack

    2.1 VPN Management - One-Click VPN

    Easy VPN Creation by click and drag between VPN gateways

    (1) Click

    (2) Drag

    (3) Configure both devices

    241/258

    3.1 Device Maintenance - Group Firmware Upgrade

    Group Firmware Upgrade

    Scheduling

    Immediately

    Select devices for firmware upgrade

    Scheduling or Immediately

    243/258

    4.1 Graphic Reporting - Predefined Reports

    Traffic Report

    Top Protocol Report

    Bandwidth Monitor

    246/258

    4.2 Graphic Reporting - Schedule Reports

    Schedule Report via Email

    Daily/Weekly report generated automatically

    Create Daily/Weekly Report

    Configure Daily/Weekly Report

    HTML/PDF format report in Email attachment

    Report Type: Both/HTML/PDF

    248/258

    Report Content

    Case Study

    249/258

    Case Study

    Dynamic IP Address

    Zombie Tunnel

    IPSec and NAT

    251/258

    Dynamic IP Both Sides

    Both sides have a dynamic IP address. Router A: DDNS enabled (zywall.dyndns.org). Router B: Secure GW = DNS name

    [Diagram: IPSec Tunnel Mode between Router A and Router B over the Internet. Router A (with DDNS enabled): My IP = 0.0.0.0, Secure GW = 0.0.0.0. Router B: My IP = 0.0.0.0, Secure GW = zywall.dyndns.org]

    Zombie Tunnel

    Sometimes a Zombie Tunnel may occur after:

    IP Changes

    System Restart

    [Diagram: A and B have a VPN up; B restarts or changes its IP; A is left with a zombie tunnel, and B's new negotiation fails with a Local/Remote Network conflict]

    Initial-Contact

    If the following conditions are met:

    Router B restarts

    Router B is a ZyWALL

    Router B is using a static IP

    Initial Contact is per host based

    [Diagram: B (static IP) sends Init-Contact to A, no matter whether it is the initiator or the responder]

    Idle Time Out

    Outbound Idle Time Out: no outbound traffic from A to B (dynamic IP) for # min

    Inbound Idle Time Out: no inbound traffic at A from B (dynamic IP) for # min

    SA Life Time and Idle Timer

    [Diagram: timeline of a Phase 1 SA carrying successive Phase 2 SAs, repeated for a second Phase 1 SA; the Idle timer (2 Minutes) is marked on each]
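Putting the zombie-tunnel case study together, the following is an added illustration (not ZyWALL code) of why a stale SA on router A blocks a fresh negotiation and how the two remedies on these slides, an INITIAL-CONTACT from a static-IP peer and the inbound/outbound idle timers, clear it; the peer addresses, networks and the 120-second idle value are constructed.

```python
"""Constructed model of the zombie-tunnel case study (not ZyWALL code).

Router A keeps an IPSec SA whose peer (router B) has silently restarted or
changed IP.  B's fresh Phase 2 negotiation for the same local/remote networks
then fails with a Local/Remote Network conflict.  Two remedies from the slides
are modelled: an INITIAL-CONTACT notification, matched per peer host, and the
inbound/outbound idle timers (2 minutes in the slides)."""
from dataclasses import dataclass


@dataclass
class SA:
    peer_ip: str
    local_net: str
    remote_net: str
    last_outbound: float  # seconds on a constructed clock
    last_inbound: float


class SADatabase:
    def __init__(self, idle_timeout: float = 120.0):
        self.idle_timeout = idle_timeout
        self.sas = []

    def negotiate(self, peer_ip, local_net, remote_net, now):
        """Phase 2 proposal: refuse it while an SA already covers the same
        local/remote pair; that refusal is the zombie-tunnel symptom."""
        for sa in self.sas:
            if (sa.local_net, sa.remote_net) == (local_net, remote_net):
                return False  # "Local/Remote Network conflict"
        self.sas.append(SA(peer_ip, local_net, remote_net, now, now))
        return True

    def initial_contact(self, peer_ip):
        """INITIAL-CONTACT from peer_ip: purge every SA with that host, whether
        we were initiator or responder.  Per-host matching means a peer that
        came back on a *new* IP cannot clear its old SA this way."""
        before = len(self.sas)
        self.sas = [sa for sa in self.sas if sa.peer_ip != peer_ip]
        return before - len(self.sas)

    def expire_idle(self, now):
        """Outbound and inbound idle timers: drop an SA once either direction
        has been silent for idle_timeout.  This is what eventually clears a
        zombie left by a peer whose dynamic IP changed."""
        keep = [sa for sa in self.sas
                if now - sa.last_outbound < self.idle_timeout
                and now - sa.last_inbound < self.idle_timeout]
        removed = len(self.sas) - len(keep)
        self.sas = keep
        return removed
```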

    IPSec and NAT

    NAT Condition                      Supported IPSec Protocol
    VPN Gateway embedded NAT           AH Tunnel mode, ESP Tunnel mode
    VPN client/gateway behind NAT      ESP Tunnel mode
    NAT in Transport mode              None

    Is the host behind NAT allowed to use IPSec?

    Q & A

    Thank You!
