09/0665-100-010111G
Copyright © 2006 ZyXEL Communications Corp. All rights reserved. ZyXEL, ZyXEL logo are registered trademarks of ZyXEL Communications Corp. All other brands, product names, or trademarks mentioned are the property of their respective owners. All specifications are subject to change without notice.
For more product information, visit us on the web: www.ZyXEL.com
Corporate Headquarters: ZyXEL Communications Corp.
Tel: +886-3-578-3942  Fax: +886-3-578-2439  Email: [email protected]  Web: http://www.zyxel.com, http://www.zyxel.com.tw
ZyXEL North America
Tel: +1-714-632-0882  Fax: +1-714-632-0858  Email: [email protected]  Web: http://www.us.zyxel.com
ZyXEL France SARL
Tel: +33 (0)4 72 52 97 97  Fax: +33 (0)4 72 52 19 20  Email: [email protected]  Web: http://www.zyxel.fr
ZyXEL Spain
Tel: +34 902 195 420  Fax: +34 913 005 345  Email: [email protected]  Web: http://www.zyxel.es
ZyXEL Costa Rica
Tel: +560-2017878  Fax: +560-2015098  Email: [email protected]  Web: http://www.zyxel.co.cr
ZyXEL Norway A/S
Tel: +47 22 80 61 80  Fax: +47 22 80 61 81  Email: [email protected]  Web: http://www.zyxel.no
ZyXEL Sweden A/S
Tel: +46 (0) 31 744 77 00  Fax: +46 (0) 31 744 77 01  Email: [email protected]  Web: http://www.zyxel.se
ZyXEL Germany GmbH
Tel: +49 (0) 2405-6909 0  Fax: +49 (0) 2405-6909 99  Email: [email protected]  Web: http://www.zyxel.de
ZyXEL Czech s.r.o.
Tel: +420 241 091 350  Fax: +420 241 091 359  Email: [email protected]  Web: http://www.zyxel.cz
ZyXEL Hungary
Tel: +36-1-336-1646  Fax: +36-1-325-9100  Email: [email protected]  Web: http://www.zyxel.hu
ZyXEL UK Ltd.
Tel: +44 (0) 1344 303044  Fax: +44 (0) 1344 303034  Email: [email protected]  Web: http://www.zyxel.co.uk
ZyXEL Poland
Tel: +48 (22) 3338250  Fax: +48 (22) 3338251  Email: [email protected]  Web: http://www.pl.zyxel.com
ZyXEL Russia
Tel: +7 (095) 542-8920  Fax: +7 (095) 542-8925  Email: [email protected]  Web: http://www.zyxel.ru
ZyXEL Ukraine
Tel: +380 44 494 49 31  Fax: +380 44 494 49 32  Email: [email protected]  Web: http://www.ua.zyxel.com
ZyXEL Denmark A/S
Tel: +45 39 55 07 00  Fax: +45 39 55 07 07  Email: [email protected]  Web: http://www.zyxel.dk
ZyXEL Finland Oy
Tel: +358-9-4780 8400  Fax: +358-9-4780 8448  Email: [email protected]  Web: http://www.zyxel.fi
ZyXEL Kazakhstan
Tel: +7-327-2-590-699  Fax: +7-327-2-590-689  Email: [email protected]  Web: http://www.zyxel.kz
ZyWALL Security Handbook: Solution for Small and Medium-Sized Businesses
Table of Contents
About this Security Handbook 4
Chapter 1 ZyWALL 1050 At-a-Glance 7
Chapter 2 ZyWALL Success Story 11
Chapter 3 Feature Introduction 19
Chapter 4 Application Library 31
Chapter 5 FAQ 69
Chapter 6 ZyWALL Family Matrix 87
Chapter 7 Lab Test Report 91
Chapter 8 Glossary 97
Copyright © 2006 ZyXEL Communications Corp. All rights reserved. ZyXEL, ZyXEL logo and ZyNOS are registered trademarks of ZyXEL Communications Corp. All other brands, product names, or trademarks mentioned are the property of their respective owners. All specifications are subject to change without notice.
ZyXEL Communications Corp. assumes no responsibility for any inaccuracies in this document. ZyXEL reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
About this Security Handbook
Overview
This Security Handbook is designed to give a detailed overview of ZyXEL’s newest security product — the ZyWALL 1050. From product information to the application library, FAQ to success stories, you will find everything needed to learn, plan, sell and maintain this product and the related solutions.
Intended Audience
This security handbook is intended for:
• IT professionals responsible for acquiring, planning or deploying ZyXEL security products for resellers, distributors and customers.
• Security administrators, network administrators or IT procurement decision makers who are interested in ZyXEL’s comprehensive security product lines.
• Security consultants, journalists of professional IT magazines/media or representatives of distributors and/or resellers who want to know the details of ZyXEL’s latest progress on network security product lines.
How is this Security Handbook organized?
• Unveiling the ZyWALL 1050
In the first three chapters, we give detailed product information about ZyWALL 1050, ZyXEL’s first security product targeting mid- to large organizations. Starting from the positioning and physical layout and continuing to the success stories of ZyWALL 1050, we are pleased to share the good customer experience with you, and you can also get an overview of this flagship of ZyXEL’s security product range.
Chapter 1. ZyWALL 1050 At-a-Glance
Chapter 2. ZyWALL Success Story
Chapter 3. Feature Introduction
• Solutions for the SMB/Mid- to Large-Scale Organizations
Beginning from Chapter 4, the application library illustrates how ZyXEL security products can be placed in various networking environments, to what extent the ZyWALL product range can provide customers comprehensive protection, and the business benefits of ZyXEL’s security products. These solutions are organized in categories: VPN applications, Security Policy Enforcement and Seamless Incorporation. If you don’t have adequate time to read this material in its entirety, this part is the one you can’t miss!
Chapter 5 gives answers to the frequently asked questions (FAQ) about ZyWALL 1050 itself and its diverse applications.
Chapter 4. Application Library
Chapter 5. FAQ
Note. For detailed hands-on configuration steps for each application in the library, please browse the Application Note on the Resource CD.
• Additional Information
In the last part of this material, we reveal real performance data direct from ZyXEL’s PQA lab, a matrix of ZyXEL’s full security product range and a glossary of the “common language” (terminology) used by the security industry, for your reference.
Chapter 6. ZyWALL Family Matrix
Chapter 7. Lab Test Report
Chapter 8. Glossary
• Contents of the Resource CD
1) Application Note for each scenario addressed in Chapter 4 Application Library
2) Demo GUI of ZyWALL 1050 — this is a great tool for IT professionals to demonstrate the ZyWALL 1050 GUI and/or a visual aid for explaining features/specifications of ZyWALL 1050 in pre-sales events/activities.
More Information
For more information about ZyXEL products, please visit: http://www.zyxel.com
For the latest news on security threats, please visit: http://mysecurity.zyxel.com/mysecurity/
For product collateral and marketing tools, please visit: http://zypartner.zyxel.com/user/login.htm
Chapter 1. ZyWALL 1050 At-a-Glance
Having an online presence on the Internet allows businesses, especially Small Businesses (SB) and Small and Medium-sized Businesses (SMB), to gain effective and efficient communications with geographically distributed operation sites, partners and potential customers.
However, Internet-centric applications and communications can lead to information leakage, mainly through eavesdropping on confidential information, and expose the entire corporate network to security breaches.
Deploying a proven security solution with integrated product features is the key to protecting the entire business network against internal and external security threats, unplanned outages and goodwill degradation.
ZyWALL 1050, the first product based on ZLD, ZyXEL’s new security platform, is an Integrated Security Appliance equipped with comprehensive security features tailored for Small and Medium Businesses (SMB) and mid- to large-scale organizations.
Target Segment of ZyWALL 1050
Figure: ZyWALL Target Market. Segments from top to bottom: Enterprise (500+ users), Mid-Large (100 ~ 500 users), SMB (50 ~ 100 users), SB (<50 users) and SOHO/Home. Products placed on the chart: ZyWALL 1050, ZyWALL 70 UTM, ZyWALL 35 UTM, ZyWALL 5 UTM, ZyWALL 2 Plus and ZyWALL P1.
The ZyWALL 1050 Primer
By incorporating comprehensive application inspection technologies and enterprise-class networking capabilities into a single robust hardware platform, ZyWALL 1050 is capable of providing real-time, non-stop protection to improve the overall security and productivity of customers’ IT infrastructure.
Equipped with hardware-acceleration technology, ZyWALL 1050 is capable of performing tasks like wire-speed firewall protection on Fast Ethernet networks, as well as acting as a VPN concentrator and performing high-performance in-line IDP operations.
ZyWALL 1050 — Platform Design
• Definable GbE (Gigabit Ethernet) Interface x 5 — delivers flexible network partitioning
• Built-in VPN H/W Accelerator — accelerates AES/3DES/DES encryption
• Built-in SecuASIC — accelerates L7 deep packet inspection
• USB Port x 2 — removable storage for out-of-band configuration exchange (future)
• Mini-PCI and CardBus Slot — for feature acceleration (future)
• HDD Expansion Slot — for local logging and archiving (future)
Physical Layout of ZyWALL 1050
Performance: Firewall over 300 Mbps; VPN over 100 Mbps; IDP over 100 Mbps
With triple security processors onboard, the ZyWALL 1050 delivers a powerful combination of multiple market-proven technologies in a single, robust platform, making it operationally and economically feasible for organizations to deploy comprehensive security services to more locations.
Chapter 2. ZyWALL Success Story
Success Story 1: Deploy High Volume VPN Concentrator With Device Redundancy and VPN High Availability To Enable “Multiple Entry Point” and Highly-Available Trusted Connectivity Operation
Organization Name: iPass Inc.
Industry: Enterprise Connectivity
Profile: iPass, a global leader in trusted connectivity, helps enterprises by building and managing broadband remote and mobile access solutions for mobile workers, branch offices and home offices. The iPass virtual network spans 160 countries and includes one of the world’s largest Wi-Fi networks and the most complete fixed broadband coverage in North America. Hundreds of Global 2000 companies such as General Motors, Dow Corning, and Mellon Financial choose iPass as their trusted connectivity provider.
Customer’s Challenge: A key piece of the iPass enterprise solution is to provide secure, trusted and highly-available broadband access to customers’ home offices, branch offices and retail locations. To achieve this goal, the secured network needs the intelligence to meet the customer’s high up-time requirements. To do this, monitoring mechanisms must proactively scan the network and alert the network administrator when a device is functioning abnormally. By proactively scanning the network, the network administrator will be instantly aware of the issue at hand and will be able to quickly take the necessary actions to prevent network downtime.
ZyXEL Solution: To provide customers with secure, trusted and highly-available broadband access to home offices, branch offices and retail locations, iPass has chosen the ZyWALL 2/2 Plus with VPN High Availability features and the ZyWALL 1050 with flexible policy route settings. The ZyWALL 2/2 Plus has the intelligence to fail over the VPN tunnel in order to assure that secured access is always functioning. The customized private MIBs of the ZyWALL 2/2 Plus provide iPass with a solution that can be easily integrated into the existing iPass network management system. This allows the iPass network administrator to easily monitor device status and take the proper actions to avoid network failure in advance. In addition, the ZyWALL 1050 provides iPass with flexible policy route settings to achieve “Multiple Entry Points”. Its customized private MIBs also help integration into the iPass network management system.
ZyXEL Product List
• ZyWALL 2 Internet Security Gateway for Tele-Home
• ZyWALL 2 Plus Integrated Security Appliance
• ZyWALL 1050 Internet Security Appliance — Professional VPN Concentrator/UTM Appliance for SMB/Mid-Large Organization
Benefits of Choosing ZyXEL: ZyXEL products are easy to maintain and upgradeable. They offer their users the flexibility of customization and secure device management through SSH/SSL protocols. The ZyXEL products listed above can be effortlessly integrated into the existing iPass Network Management System at a very affordable price.
Figure: Customer’s Application. A Central Site and a Redundant Site, each with a ZyWALL 1050, host the iPass SLA Server and an Internal Server; the sites are reached over a lease line with dial-backup. A ZyWALL 2 Plus at the remote site builds an IPSec VPN tunnel across the Internet and periodically checks the availability of the remote sites. If the path (in blue) to the Main Office is not available, users can still access the same network resource via the backup path (in green). Guaranteed non-stop operation: with deployment of MEP, the availability of business-critical applications can be assured.
Success Story 2: High Availability, High Volume VPN Concentrator and Network Management System (Vantage CNM) for Easy-to-Manage “Multiple Entry Points” without Single Points of Failure
Organization Name: TÜV Nord Group
Industry: Technical Service Provider
Profile: The TÜV NORD Group, with a workforce of more than 6,600, is the number one technical service provider in northern Germany. It has expertise in nearly all aspects of technical safety, environmental protection, and the conformity assessment of management systems and products — in other German regions and 70 countries worldwide.
Customer’s Challenge: “TÜV Nord and all its subsidiaries have more than 6,600 employees. 80% of them get access to the company network from their homes. To make sure the access is always available when working from home, preventing single points of failure becomes an important point. In addition, all the car service stations shall be better included in this network while additional services are being planned, e.g. offering free Internet access to customers waiting for their car to be checked. Since there are locations with extremely high security needs in this network, strong protection is necessary.”
ZyXEL Solution: After testing about 30 products, TÜV found ZyWALL 2 (together with Vantage CNM) and ZyWALL 1050 to be the best suite to meet all their needs at a reasonable price. The ZyWALL product family is also flexible enough to solve all the Internet connection issues.
• The target is to construct and manage a huge VPN with ZyWALL 2 at up to 4,400 locations (planned), and additional devices will follow. It has to be standardized since the partner’s employees are mostly not savvy technicians.
• The VPN concentrators will be placed in 3 locations (Hamburg, Hannover and Essen) with ZyWALL 1050. Two ZyWALL 1050s with Device HA will be deployed in each location for 24-hour VPN availability.
• To enable “always on” remote access, VPN HA on ZyWALL 2 Plus can easily fail over to another VPN concentrator if any central site is down.
• Additionally, a lot of road warriors will be equipped with ZyWALL P1.
ZyXEL Product List
• ZyWALL 2: 7500 pcs. (planned)
• P650H-E7: 7500 pcs.
• P653HI-17: approx. 100 pcs.
• Vantage CNM: project-based version supporting up to 20,000 nodes
• ZyWALL 1050: 6 pcs. (planned)
Benefits of Choosing ZyXEL
• Easy deployment by non-technical staff; easy to maintain and upgrade
• Fewer staff needed
• Centrally manageable
• Reasonable price
• Complete portfolio (from headquarters to the road warriors)
• Meets the needs for a professional management system, a high-volume VPN concentrator with Device HA, remote-site VPN HA, state-of-the-art encryption standards (3DES, AES) and PKI
Testimonial
“With the ZyXEL solution, the IT team of TÜV NORD is able to roll out a large number of VPN endpoints and maintain them with a staff of 2 people. Also firmware upgrades and policy changes are very simple and efficient. The AES encryption and the professional firewall features of the ZyWALL Series meet the high security needs of TÜV; no matter when we have to connect from customers’ LAN, get a direct Internet link such as DSL, or when we have to fulfill any future need, with the flexibility of the ZyWALL we are always protected.”
Oliver Schulz / VPN Solutions / TÜV Nord Service GmbH & Co. KG
Figure: Customer’s Application. Three central LANs (Hamburg, Hannover and Essen), each with a ZyWALL 1050 concentrator, a Windows DC, Active Directory and a mail server, are interconnected by lease lines and ATM links (34 Mbps; 8 Mbps with 20 Mbps planned; 34 Mbps with 154 Mbps planned). Existing equipment shown alongside: ZyWALL IDP10 (VPN=30, 300 planned), ZyWALL 2 (VPN=40, 500 planned), PIX 515E (VPN=346, 1000 planned) and CPfw1 clusters. Remote Site N reaches the concentrators over the Internet; clients run Windows XP SP2, Windows Vista and Windows 2000. Main traffic inside the VPN tunnel: 1. Windows domain logon, 2. SMTP, 3. POP3.
Success Story 3: Combining IPSec VPN and MPLS VPN to Provide a Cost-Effective VPN Solution
Organization: Company X (one of the tier-1 telecoms in Taiwan)
Industry: Telco (Telecommunications, Telephone Company)
Profile: Company X chiefly provides telecommunication and information-related services covering local and long-distance calls, international calls, GSM, data communication, Internet services, broadband networking, satellite communication, intelligent network, mobile data and multimedia broadband. As the most experienced and largest integrated telecommunication operator in Taiwan, Company X is one of the most important partners for international telecommunication cooperation, with circuits reaching over 200 countries.
Customer’s Challenge: Company X provides IP VPN (MPLS VPN) service to enterprises with many worldwide branches. As more and more locations from different companies are added, offering all clients MPLS VPN becomes a “costly” solution, so a cost-effective way to expand the VPN services that Company X offers is needed, together with a redundant path for the MPLS VPN that guarantees 100% uptime for customers’ VPN networks. Finally, for companies that wish to manage their own VPN for additional security, Company X also considers providing that flexibility over MPLS VPN.
ZyXEL Solution: Company X surveyed several products and chose ZyXEL’s ZyWALL Series for combining IPSec VPN with their MPLS VPN.
• ZyWALL 2 Plus/P1 units are deployed at the branches as remote IPSec VPN sites.
• ZyWALL 1050 terminates the IPSec tunnels before traffic enters the MPLS backbone.
• Once terminated by ZyWALL 1050, all traffic travels within the MPLS VPN.
• If the MPLS VPN fails, IPSec VPN offers redundancy to the VPN network.
• If companies need to manage the VPN on their own for additional security (Firewall/VPN...), IPSec provides that flexibility over MPLS VPN.
ZyXEL Product List
• ZyWALL P1 Palm-Sized Internet Security Appliance for Personal Network Protection
• ZyWALL 2 Plus Integrated Security Appliance
• ZyWALL 1050 Internet Security Appliance — Professional VPN Concentrator/UTM Appliance for SMB/Mid-Large Organization
Benefits of Choosing ZyXEL
• Lower TCO to provide VPN services
• Flexibility to expand the VPN network
• Backup solution if MPLS VPN fails
Figure: Customer’s Application. Company A (Locations A, B and C) and Company B (Locations 1, 2 and 3) sites; ZyWALL 2 Plus units at the branches build IPSec VPN tunnels across the Internet to the ZyWALL 1050, where the IPSec VPN tunnels terminate before traffic enters the MPLS local loop and the MPLS backbone.
Chapter 3. Feature Introduction
ZyWALL 1050 provides robust networking functionality and comprehensive security features. Based on the advanced ZLD platform, ZyWALL 1050 delivers cutting-edge technologies for organizations demanding a higher level of protection in terms of connectivity and security.
Key Features of ZyWALL 1050:
1. Robust ZLD Platform
A. Diverse Port–Interface Combination Makes Network Planning Flexible
ZyWALL 1050 supports Layer-2 switching and Layer-3 virtualization technologies. Taking advantage of both, IT administrators can easily configure ZyWALL 1050 to interconnect network segments regardless of scale or complexity.
Port Grouping (Layer-2 Switching):
This technology provides embedded Layer-2 switching capability. When two physical ports are grouped, the hardware switch controller forwards packets between them based on the destination MAC address without performing security (Firewall, IDP) checks. Port Grouping is best used when administrators need to aggregate several physical ports into one representative logical interface.
Layer-3 Virtualization:
In addition to Ethernet interfaces, ZyWALL 1050 supports virtual interfaces such as VLAN (802.1Q tagged VLAN) and Virtual Interface (IP Alias).
The major benefit of using VLAN is to extend port density. There are only 5 physical ports on ZyWALL 1050; however, you can extend port density by defining VLAN interfaces (which requires an additional VLAN-capable switch) when needed.
With the use of VLAN, designers can plan and construct a more complex network.
Figure: Network layer hierarchy of ZyWALL 1050’s port and interface design. Layer 3: PPPoE, PPTP, Virtual Interface (IP Alias), VLAN and Ethernet. Layer 2: Bridge and Port Grouping (L2 switching without firewall). Physical ports: RJ45 connections plus the AUX RS232 connection.
Figure: Using VLAN to extend port density of ZyWALL 1050. Left: three ports for three LANs (LAN1, LAN2, LAN3, without VLAN tag). Right: one port for three LANs — using VLAN to extend port density (LAN1, LAN2, LAN3 carried with VLAN tag on one port, delivered without VLAN tag behind the switch).
Altogether, ZyWALL 1050 provides the most flexible network hierarchy, able to be integrated into any network regardless of complexity.
Figure: Multiple Interfaces Based on Single Physical Port. An example of connecting multiple logical network segments using a single physical port; interface and port are in an m:1 relationship (various interfaces based on one physical port).
ge1 & VLAN1 & VLAN2 -> port 1
ge2 & VLAN3 & VLAN4 -> port 2
ge1: 192.168.1.0/24, VLAN1: 172.16.0.0/24, VLAN2: 10.1.1.0/24
ge2: 192.168.2.0/24, VLAN3: 172.16.3.0/24, VLAN4: 10.4.4.0/24
(each port connects to a VLAN-capable switch)
Figure: Port Grouping and Layer-3 Virtualization. An example using both Port Grouping and Layer-3 Virtualization to connect multiple logical network segments; interface and port are in an m:n relationship. Physical ports can be grouped at layer 2, which makes multiple ports map to a single Ethernet interface.
ge1 & VLAN1 & VLAN2 -> port 1 & port 2
ge3 & VLAN3 & VLAN4 -> port 3 & port 4
ge1: 192.168.1.0/24, VLAN1: 172.16.1.0/24, VLAN2: 10.2.2.0/24
ge3: 192.168.3.0/24, VLAN3: 172.16.3.0/24, VLAN4: 10.4.4.0/24
(each port connects to a VLAN-capable switch)
Note. For detailed technical information, please refer to the product manual and support notes available for download at: http://www.zyxel.com
B. Custom Security Zone
The ZyWALL 1050 implements zone-based inspection: all interfaces defined on ZyWALL 1050 (Ethernet/VLAN) can be grouped into zones, and security policies are then applied between those zones.
Putting these features together, the ZyWALL 1050 delivers the most flexible deployment to large or complex networking environments while maintaining effortless management of security policies.
Concept of custom security zones
Custom Zone: zones are fully customizable to meet the customer’s complex environment. Corporate access policy can be enforced between each pair of zones.
Example:
Local zone: contains ge1 & VLAN1
External zone: contains VLAN2
Secret zone: contains ge2
DMZ zone: contains VLAN3 & VLAN4
Interface subnets in the example: ge1 192.168.1.0/24, VLAN1 172.16.0.0/24, VLAN2 10.1.1.0/24, ge2 192.168.2.0/24, VLAN3 172.16.3.0/24, VLAN4 10.4.4.0/24 (the VLAN interfaces hang off VLAN-capable switches).
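To make the zone concept concrete, here is an added Python model of how a flow is classified into the example’s zones and checked against a zone-to-zone policy; it is an illustration, not ZyWALL code. The interfaces, subnets and zone membership are the example above, while the rule set, the sample flows and the “first match wins, default deny, intra-zone allowed” semantics are assumptions.

```python
"""Zone-based policy evaluation modelled on the custom-zone example.

Added illustration, not ZyWALL code: interfaces, subnets and zone
membership come from the handbook's example; the rule set and flows are
constructed, and first-match/default-deny/intra-zone-allow are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Interface -> subnet, from the custom zone example.
INTERFACES = {
    "ge1": ipaddress.ip_network("192.168.1.0/24"),
    "VLAN1": ipaddress.ip_network("172.16.0.0/24"),
    "VLAN2": ipaddress.ip_network("10.1.1.0/24"),
    "ge2": ipaddress.ip_network("192.168.2.0/24"),
    "VLAN3": ipaddress.ip_network("172.16.3.0/24"),
    "VLAN4": ipaddress.ip_network("10.4.4.0/24"),
}

# Zone -> member interfaces, from the custom zone example.
ZONES = {
    "Local": {"ge1", "VLAN1"},
    "External": {"VLAN2"},
    "Secret": {"ge2"},
    "DMZ": {"VLAN3", "VLAN4"},
}


@dataclass(frozen=True)
class Rule:
    from_zone: str   # zone name or "any"
    to_zone: str     # zone name or "any"
    service: str     # e.g. "tcp/443", or "any"
    action: str      # "allow" or "deny"


# Constructed zone-to-zone policy. Rules are checked in order; the first
# match decides, and anything unmatched is denied.
POLICY = [
    Rule("Local", "DMZ", "tcp/80", "allow"),
    Rule("Local", "DMZ", "tcp/443", "allow"),
    Rule("Local", "External", "any", "allow"),
    Rule("any", "Secret", "any", "deny"),    # nothing may enter Secret
    Rule("Secret", "any", "any", "allow"),   # Secret may reach everything
]


def interface_of(ip: str) -> Optional[str]:
    """Map an address to the interface whose subnet contains it."""
    addr = ipaddress.ip_address(ip)
    for name, net in INTERFACES.items():
        if addr in net:
            return name
    return None


def zone_of(ip: str) -> Optional[str]:
    """Map an address to its zone via the interface it sits behind."""
    iface = interface_of(ip)
    for zone, members in ZONES.items():
        if iface in members:
            return zone
    return None


def evaluate(src_ip: str, dst_ip: str, service: str) -> Tuple[str, str]:
    """Return (action, reason) for one flow between two addresses."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone is None or dst_zone is None:
        return "deny", "address is not behind any defined interface"
    if src_zone == dst_zone:
        # Assumption: the zone policy governs inter-zone traffic only.
        return "allow", f"intra-zone traffic inside {src_zone}"
    for rule in POLICY:
        if (rule.from_zone in ("any", src_zone)
                and rule.to_zone in ("any", dst_zone)
                and rule.service in ("any", service)):
            return rule.action, f"matched {rule.from_zone}->{rule.to_zone} {rule.service}"
    return "deny", "no matching rule, default deny"


if __name__ == "__main__":
    for flow in [("192.168.1.10", "172.16.3.5", "tcp/443"),
                 ("172.16.3.5", "192.168.2.9", "tcp/445"),
                 ("192.168.1.10", "172.16.3.5", "tcp/22")]:
        print(flow, "->", evaluate(*flow))
```

Note that traffic between two port-grouped physical ports is switched at Layer 2 without ever reaching this evaluation, as the Port Grouping description above states.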
C. Policy-Based Routing
In addition to typical static routes, the ZyWALL 1050 provides robust policy routing features that help users control the traffic flow regardless of service type or network complexity.
Policy routes enable IT administrators to steer both inbound and outbound traffic based on several criteria: user/group, time of access, origin of the access attempt, destination and type of service, etc.
Beyond packet forwarding decisions, policy routes on ZyWALL 1050 also integrate the settings of Source Network Address Translation (SNAT) and traffic shaping (BWM).
Altogether, the policy route feature on ZyWALL 1050 is an extremely powerful tool for constructing the underlying IT infrastructure.
Figure: Configuration screen of policy routes
D. Dynamic Routing Protocols
In addition to supporting RIP (Routing Information Protocol, both v1 and v2), ZyWALL 1050 is also equipped with native support for OSPF (Open Shortest Path First), the de facto standard among dynamic routing protocols.
Like RIP, OSPF was designed and designated by the Internet Engineering Task Force (IETF) as one of the Interior Gateway Protocols (IGPs); it was created to replace the dated RIP.
Benefits of implementing OSPF in today’s corporate network are:
1). Changes on an OSPF network are propagated quickly.
2). OSPF is hierarchical, using area 0 as the top of the hierarchy.
3). After initialization, OSPF only sends updates for the parts of the routing table that have changed; it does not resend the entire routing table.
4). Using areas, OSPF networks can be logically segmented to decrease the size of routing tables. Table size can be further reduced by using route summarization.
5). Exchange of routing information can be authenticated with the plain-text or MD5 method.
6). OSPF is an open standard unaffiliated with any particular vendor.
In summary, dynamic routing protocols prevail on today’s corporate networks. They help ensure network route availability and easy integration with existing routing infrastructure, and dramatically lower the maintenance overhead of networking infrastructures.
E. User-Aware Policy Engine
In addition to typical access control capabilities, the ZyWALL 1050 is equipped with an intelligent user-aware policy engine which makes packet forwarding decisions based on advanced criteria: user ID, user group, time of access and network quota.
Furthermore, the enforcement can be applied to all security features such as VPN, Content Filtering and Application Patrol.
Coupled with well-designed network partitioning, corporate security policies can be effectively enforced so that policy violations and resource abuse can be stopped.
Figure: “User-Awareness” integrated into the firewall ACL
However, there are roadblocks to enforcing user-aware access control on today’s corporate networks — users usually have to log into the security gateway before access is granted, and the mechanism would be perceived as clumsy.
The good news is that the authentication mechanism on ZyWALL 1050 can be transparent to users — by configuring the “Force User Authentication” policy, unauthorized access attempts are intercepted and the authentication dialog box automatically pops up for entering access credentials. This avoids the above drawbacks and achieves a good balance between usability and policy enforcement.
F. Network Objects
ZLD is an object-based architecture — settings are configured as objects. When configuring a specific feature/function, the setting is specified with a predefined “object” instead of entering a value.
Types of objects on ZyWALL 1050 include: Address, Service, Schedule, AAA Server, Auth Method, Certificate and User/Group.
The obvious benefits of object-based architecture are:
1). Automatic “Change Update”
Once the value of a setting is changed, the change is automatically applied system-wide. This behavior helps administrators maintain the integrity and consistency of the system configuration without hassle.
2). Object Reuse
User-defined objects can be reused. As a result, administration effort can be drastically reduced in a complex configuration pertaining to a larger-scale networking environment or a strict corporate security policy.
Figure: Screenshot of the “Address” object configuration screen
G. User Management
The fundamental task for user-aware policy enforcement is user account management. The security administrator is required to manage user accounts and access credentials and then to define access privileges in each security module on ZyWALL 1050.
The ZyWALL 1050 provides different methods for managing user accounts, such as an internal database and common directory servers:
Local Database
RADIUS
LDAP
Microsoft AD
ZyWALL 1050 can use any one of the above directory servers to authenticate users such as access users or VPN users.
With this diversity in place, ZyWALL 1050 can leverage the existing user database to authenticate users without redundant management effort.
H. Configuration Management
The configuration file carries the settings/values of all features system-wide on ZyWALL 1050, and therefore maintaining those configuration files on the security gateway is a critical task for the security administrator.
There are several advanced designs on ZyWALL 1050 regarding configuration management:
1). Editable: the configuration file on ZyWALL 1050 is text-based, so the security administrator can easily modify/edit it using any text editor of choice. Furthermore, sensitive information in the configuration file, e.g. passwords, is hashed to prevent credential disclosure.
2). Multiple configuration files: In a complex networking environment, the security administrator may need to maintain multiple sets of configuration files to ensure effective access control and security policy enforcement. ZyWALL 1050 can hold multiple sets of configuration files.
3). Changes take effect on the fly: You can apply a different configuration file to ZyWALL 1050 without rebooting. New settings take effect immediately.
Figure: Maintaining multiple sets of configuration files
I. Introducing WAN Trunk for managing multiple ISP links
ZyWALL 1050 can handle more than two ISP links. Multiple ISP links can be based on a single physical port or span multiple physical ports.
Furthermore, ZyWALL 1050 provides a fault-tolerance mechanism that ensures automatic failover when an ISP link fails, and load balancing to ensure maximum availability and optimized bandwidth utilization.
Aside from the robust functionality, it is very easy to manage multiple ISP links on ZyWALL 1050: simply add the WAN connections to a “WAN Trunk”. In the WAN Trunk, IT administrators can choose any of 3 algorithms for optimizing bandwidth utilization: Least Load First, Weighted Round Robin and Spillover. The task can be done in just a few clicks.
Figure: Managing multiple ISP links using WAN Trunk. ISP1, ISP2 and ISP3 reach the ZyWALL 1050 through a switch, so mixed WAN links can be based on a single physical port; the links are combined in a WAN Trunk that serves the LAN and DMZ. Easy to manage — simply use “WAN Trunk” to manage multiple ISP links.
Theoretically, ZyWALL 1050 supports up to 48 ISP links, so you can rest assured that there will be no more bandwidth insufficiency problems!
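The three trunk algorithms named above behave quite differently once a link saturates or fails. The following Python simulation is an added example, not ZyXEL firmware: the link names, capacities, weights, the spillover threshold and the tie-breaking order are assumptions chosen to make Least Load First, Weighted Round Robin and Spillover, plus failover of a dead link, visible side by side.

```python
"""WAN Trunk link selection: Least Load First, Weighted Round Robin,
Spillover, and failover when a link's connectivity check fails.

Added simulation, not ZyXEL firmware: link names, capacities, weights, the
spillover threshold and the tie-breaking rules are assumptions.
"""
from dataclasses import dataclass
from itertools import cycle
from typing import List, Optional


@dataclass
class WanLink:
    name: str
    capacity_kbps: int      # outbound bandwidth committed by the ISP
    weight: int = 1         # share used by Weighted Round Robin
    load_kbps: int = 0      # bandwidth already assigned to flows
    up: bool = True         # False once the connectivity check fails

    def utilization(self) -> float:
        return self.load_kbps / self.capacity_kbps


class WanTrunk:
    def __init__(self, links: List[WanLink], algorithm: str,
                 spillover_threshold: float = 0.8):
        self.links = links
        self.algorithm = algorithm
        self.spillover_threshold = spillover_threshold
        # WRR schedule: each link repeated weight times, e.g. 2:1 -> A, A, B
        self._wrr = cycle([l for l in links for _ in range(l.weight)])

    def active(self) -> List[WanLink]:
        return [l for l in self.links if l.up]

    def mark_down(self, name: str) -> None:
        """Connectivity check failed: new flows fail over to the other links."""
        for link in self.links:
            if link.name == name:
                link.up = False

    def select(self, flow_kbps: int) -> Optional[str]:
        """Choose a link for a new flow and charge its bandwidth to that link."""
        alive = self.active()
        if not alive:
            return None
        if self.algorithm == "llf":
            # Least Load First: lowest utilization ratio wins (ties: configured order)
            link = min(alive, key=WanLink.utilization)
        elif self.algorithm == "wrr":
            # Weighted Round Robin: walk the weighted cycle, skipping failed links
            link = next(self._wrr)
            while not link.up:
                link = next(self._wrr)
        elif self.algorithm == "spillover":
            # Spillover: fill links in configured order, moving on only when the
            # flow would push the current link past the threshold
            link = alive[-1]
            for candidate in alive:
                projected = (candidate.load_kbps + flow_kbps) / candidate.capacity_kbps
                if projected <= self.spillover_threshold:
                    link = candidate
                    break
        else:
            raise ValueError(f"unknown algorithm: {self.algorithm}")
        link.load_kbps += flow_kbps
        return link.name


def simulate(algorithm: str, flows: List[int],
             fail_after: Optional[int] = None) -> List[Optional[str]]:
    """Run a constructed two-ISP trunk over a list of flow sizes (kbps).

    If fail_after is given, ISP1 is marked down just before that flow so the
    failover behaviour of each algorithm shows up in the returned sequence.
    """
    trunk = WanTrunk([WanLink("ISP1", 10000, weight=2),
                      WanLink("ISP2", 2000, weight=1)], algorithm)
    chosen = []
    for i, size in enumerate(flows):
        if fail_after is not None and i == fail_after:
            trunk.mark_down("ISP1")
        chosen.append(trunk.select(size))
    return chosen


if __name__ == "__main__":
    for algo in ("wrr", "llf", "spillover"):
        print(algo, simulate(algo, [1000] * 4, fail_after=3))
```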
2. Virtual Private Network
ZyWALL 1050 allows organizations to establish Virtual Private Network (VPN) connections among remote branch offices, business partner sites and remote teleworkers.
The VPNs use data encryption to establish secure communication channels and protect confidential data transmitted over the Internet; therefore, these VPN tunnels are immune to session hijacking and data theft. Furthermore, those functionalities on ZyWALL 1050 are seamlessly integrated so that traffic coming in through the VPN tunnel is securely inspected prior to entering the trusted networks.
The Hub and Spoke VPN feature can dramatically reduce the management overhead and complexity of multi-site/complex networking infrastructures across the Internet.
VPN Specifications:
• ASIC accelerated VPN
• IKE: Pre-shared Key, Certificates, Manual Keys
• Extensive user authentication: RADIUS, LDAP/Microsoft AD, Local Database, X-Auth support for ZyXEL’s SoftRemote VPN Client/ZyWALL P1 hardware-based VPN client
• VPN inspection — Firewalling, IDP, Content Filtering
• Hub-and-spoke configuration
• Traffic shaping prioritizes traffic across VPNs
Figure: Deploying IPSec VPN to extend the Intranet, construct an Extranet and provide secure remote access to teleworkers. Central Site: ZyWALL 1050 with protected servers, DMZ servers, access points and wireless clients. Partner Site: ZyWALL 5 UTM. Branch Office and Remote Office: ZyWALL 70 and ZyWALL 2. Home teleworkers and a public kiosk connect across the Internet; all sites are linked by IPSec VPN tunnels.
27
3. Application Patrol
In modern networking environments, two major headaches may arise when IT
administrators need to effectively control running services/applications:
1) Applications running on non-standard ports
There is a trend for applications to run on non-standard ports; e.g. an HTTP proxy server
listens on port 8080 instead of the standard HTTP port 80.
Conversely, there may also be malicious applications running on standard ports; e.g. a
hazardous backdoor virus may run on HTTP port 80.
These scenarios could cause security breaches within corporate networks and need to be
well monitored and controlled regardless of the company size.
2) Services/Protocols running on non-fixed/dynamic ports
Until now, the Microsoft MSN instant messaging service still runs on port 80, which makes it a
security headache for administrators to control effectively.
To iron out the two aforementioned problems, we need a different approach to identify
the new and probably suspicious breeds of applications, control the use of them, and
therefore mitigate security breaches before they happen.
Application Patrol is designed to provide a convenient way to manage those undesirable
applications — Instant Messaging (IM), Peer-to-Peer (P2P) — on the network.
Instead of looking into exotic port numbers, Application Patrol deploys an advanced
“application classifier” which accurately identifies the application/service types by parsing
the application payload on OSI layer 7, regardless of the ports they run on.
Furthermore, Application Patrol integrates more capabilities like user-awareness,
rate limiting and scheduling to provide access granularity against the use of those
suspicious applications on the network.
[Figure: Application Patrol Configuration Screen]
The obvious benefits here are:
• Effective — port-less application management
• Comprehensive — covering common IM/P2P applications and essential services in today’s
  corporate networks
• Easy-to-use — managing complex/dynamic applications with fewer clicks
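The port-less identification described above, as an added example (not ZyXEL’s application classifier): a small Layer-7 matcher that labels a flow from the first bytes the client sends and never consults the port, so it reports both headaches, an application on a non-standard port and an unexpected protocol on a well-known port. The signatures are simplified and the sample flows are constructed.

```python
"""Port-independent application identification from payload bytes (added example)."""
import re

# Simplified signatures over the first bytes a client sends (constructed, not
# ZyXEL's signature set). Order matters: the first match wins.
SIGNATURES = [
    ("http", re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")),
    ("ssh", re.compile(rb"^SSH-2\.0-")),
    # TLS record header (handshake, version 3.x, 2-byte length) then ClientHello (0x01)
    ("tls", re.compile(rb"^\x16\x03[\x00-\x03]..\x01", re.DOTALL)),
    # BitTorrent peer handshake: pstrlen = 19 followed by the protocol string
    ("bittorrent", re.compile(rb"^\x13BitTorrent protocol")),
    ("sip", re.compile(rb"^(INVITE|REGISTER|OPTIONS|BYE) sip:")),
    # MSNP client greeting, e.g. "VER 1 MSNP8 CVR0"
    ("msn", re.compile(rb"^VER \d+ MSNP\d+")),
]

# What a port-based policy would assume for a few well-known ports.
WELL_KNOWN = {80: "http", 22: "ssh", 443: "tls", 5060: "sip"}


def classify_payload(payload: bytes) -> str:
    """Label the application from the payload alone; the port is never consulted."""
    for app, pattern in SIGNATURES:
        if pattern.match(payload):
            return app
    return "unknown"


def classify_flow(dst_port: int, payload: bytes):
    """Return (app, finding), where finding relates the L7 label to the port."""
    app = classify_payload(payload)
    expected = WELL_KNOWN.get(dst_port)
    if app == "unknown":
        finding = "unclassified"
    elif expected is None:
        finding = "non-standard-port"              # e.g. an HTTP proxy on 8080
    elif expected != app:
        finding = "unexpected-on-well-known-port"  # e.g. P2P or IM riding on port 80
    else:
        finding = "as-expected"
    return app, finding


# Constructed sample flows: (destination port, first client bytes)
SAMPLE_FLOWS = [
    (8080, b"GET / HTTP/1.1\r\nHost: proxy.example\r\n\r\n"),
    (80, b"\x13BitTorrent protocol" + b"\x00" * 8 + b"X" * 40),
    (80, b"VER 1 MSNP8 CVR0\r\n"),
    (22, b"SSH-2.0-OpenSSH_7.4\r\n"),
    (443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 32),
    (6881, b"\xde\xad\xbe\xef"),
]


def audit(flows=SAMPLE_FLOWS):
    """Classify every flow; a block or rate-limit policy keys on the app, not the port."""
    return [(port, *classify_flow(port, payload)) for port, payload in flows]


if __name__ == "__main__":
    for port, app, finding in audit():
        print(f"port {port:5d}  app={app:10s}  {finding}")
```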
4. Intrusion Detection and Prevention
Equipped with a signature-based IDP engine, the ZyWALL 1050 can perform L7 deep
packet inspection. It also supports statistical/protocol anomaly and behavior pattern matching
technologies.
[Figure: ZyWALL 1050’s IDP Packet Inspection Flow. Stages shown between the incoming packet and the forwarded packet: DNAT, Routing, Firewall (ACL), L3 TA, L3 PA, L4 TA, L4 PA, L7 Inspection (L7 TA, L7 PA, Signature analysis), BWM and SNAT. Acronyms: PA: Protocol Anomaly; PI: Packet Inspection; TA: Traffic Anomaly.]
As a result, the ZyWALL 1050 can provide comprehensive Intrusion Detection and
Prevention capability to continually cleanse the traffic of contaminants such as worms,
viruses, Trojans and VoIP threats, among others.
With ZSRT (the signature development team) in place, new IDP signatures/patterns against the
latest vulnerabilities/exploits are released on a weekly basis, and the latest signature
packages can be automatically downloaded and deployed into the devices via our rock-solid ZSDN service
platform.
Specifications of IDP feature on ZyWALL 1050
• Accelerated by SecuASIC, providing over 100Mbps throughput
• Automatic updates of IDP signatures
• Over 2,200 IDP signatures
• User-defined custom IDP signatures
• Zone-based IDP inspection provides maximum flexibility
• Inspection of VPN content
• Signature and protocol anomaly engines
• Detailed logging and reporting
For more information about application/deployment of IDP on today’s corporate networks,
please refer to the Application Library on the next few pages.
5. Content Filtering
The content filtering feature allows schools or mid- to large-scale organizations to create
and enforce Internet access policies tailor-made for them. The security administrators can
select categories, such as porn or racist sites, to block or monitor from a pre-defined list.
Since Internet content is constantly changing, the URL database must be constantly
updated. With the content filtering subscription ZyXEL offers, the ZyWALL 1050 is eligible
to query the most up-to-date URL database so that the access restrictions on new or
relocated sites are properly enforced, and thus policy compliance can be assured.
Content Filtering on ZyWALL 1050 is also a user-aware feature. As such, different users can
have different access privileges.
Benefits of using the Content Filtering service:
• Increased employee productivity — helps employees to focus on their job
• Legislation compliance — eliminate inappropriate Web surfing
• Optimized bandwidth usage — block traffic unrelated to business operations
Content Filtering Specifications:
• Industry-leading rating database
• URL database is classified into 60 categories, including Anti-Spyware, Anti-Phishing, etc.
• Cost-effective per-device subscription, regardless of the number of protected users
• URL database is updated constantly
• Simple setup fully integrated into ZyWALL 1050’s user-aware policy engine
6. Hardware Failover
To prevent security gateways from becoming a single point of failure or a bottleneck,
companies with Internet-centric or connectivity-centric business need a redundant
hardware solution for the security gateway.
ZyWALL 1050 implements Device High Availability to help customers avoid
connectivity outages.
[Figure: The hardware failover mechanism. Two ZyWALL 1050 units, an active Master and a stand-by Backup, form Virtual Router V1 (VRID=11), which is the default gateway for PC1, PC2, PC3 and PC4 on LAN Segment A; the deployment has one ISP with a dynamically assigned IP and one LAN segment.]
Benefits of Device High Availability:
• Minimized unplanned/planned downtime
• System maintenance can be performed during business hours
• Avoid losing customers/business/goodwill
Chapter 4
Application Library
1 Deploying VPN
1-1 Extended Intranets
1-2 Extranet Deployment
1-3 Remote Access VPN
1-4 Large-Scale VPN Deployment
1-5 Access via Central Site
1-6 Multiple Entry Points
1-7 Device High Availability
1-8 VoIP Over VPN
2 Security Policy Enforcement
2-1 Managing IM/P2P Applications
2-2 Managing WLAN
2-3 Employee Internet Usage Management
3 Seamless Incorporation
3-1 Zone-Based IDP Protection
3-2 Network Partitioning Using VLAN
3-3 Connecting Multiple ISP Links
3-4 Guaranteed Quality of Service
Solutions for SMB and Mid- to Large-Scale Organizations
1 Deploying VPN
What is a VPN?
• A Virtual Private Network uses the Internet to connect branch offices, remote
  teleworkers and business partners to the internal office resources
What can your business benefit from deploying VPN?
• Security and Reliability
• Improved communications
• Increased flexibility
• Lower cost
[Figure: A ZyWALL 1050 at the Central Site protects the servers, DMZ servers and access points; IPSec VPN tunnels over the Internet connect a Partner Site (ZyWALL 5 UTM), a Branch Office (ZyWALL 70), a Remote Office (ZyWALL 2), a teleworker at home, a public kiosk and a wireless client, while an outsider on the Internet is kept out.]
1-1 Extended Intranets
Business Requirements
• Companies with geographically distributed branch offices
• Need a de facto standard technology to securely connect private office networks across
  the Internet
• To prevent confidential information transmitted via the Internet from eavesdropping
• Need to comply with security policies
• Solution TCO must be affordable
The Application
[Figure: A ZyWALL 1050 at the Main Office (with Domain Controller, EIP/File Server and desktop users) and a ZyWALL 70 at the Branch Office (desktop users) are joined by an IPSec VPN tunnel across the Internet, so the branch office is now part of the Intranet. Callouts: "Commonly used applications inside the LAN can be extended to serve users on remote sites without hassle, and in a secure communication channel!" and "More desktops can gain access to the network, because a VPN allows new users to be added almost instantly."]
Benefits
• Break the distance limitation of LAN
  • Connect all geographically distributed private networks
  • Bring remote servers closer, as if they were local
  • Provide a LAN-like user experience across the Internet
  • VPN provides private network connectivity and reliability to smaller branch offices,
    franchise sites, and remote workers
• Deploying state-of-the-art encryption technology
  • Communication channels among offices are encrypted and authenticated
  • Encryption: AES/3DES/DES
  • Authentication: IKE and XAuth
  • Integrity: SHA-1/MD5
• High-Performance VPN
  • Offload intensive processes to optimized software modules or dedicated processors
    - Improves system throughput
    - Frees host CPU resources for other tasks
• Lower Costs
  • Instead of subscribing to expensive IP-VPN (MPLS) services, IPSec VPN can leverage existing cost-
    effective DSL lines while providing even better protection
• Legislation Compliance
  • Helping SMBs protect the privacy and integrity of the information entrusted to them
• Ease of Management
  • Intelligent VPN Wizard to quickly set up VPN tunnels in pairs
Product List
Model | Description | P/N
For Main Offices
ZyWALL 1050 | VPN Concentrator for SMB/Mid- to Large-Scale Organizations | 91-009-020001B
For Branch Offices
ZyWALL 70 | Budget Internet Security Appliance Recommended for SMB | 91-009-002001B
ZyWALL 35 | Cost-Effective Internet Security Appliance for SB | 91-009-010001B
ZyWALL 5 | Best-of-Breed Technology Internet Security Appliance for SB | 91-009-014001B
ZyWALL 2 Plus | Professional Entry-Level Internet Security Appliance for SB/SOHO | 91-009-029001B
Note. The P/N (Part Number) in the above table is for the standard version. For other versions’ P/N, please refer to
the end of Chapter 6 in this handbook.
1-2 Extranet Deployment
Business Requirements
• Enabling external parties to securely access designated network resources to streamline business processes
• Security policy and access control must be in place to protect shared network resources among operating sites
• The solution should be able to work with diverse VPN products
The Application
[Figure: IPSec VPN tunnels across the Internet connect the Main Office, the Branch Office (ZyWALL 70), a Remote Office (ZyWALL 35), a Customer Site and a Partner Site. Callouts: "It’s easy to establish VPN connectivity with customer/partner sites regardless of what their VPN gateway is" and "The VPN provides access to both extranets and wide-area intranets in a secure channel".]
Benefits
• Secure access from/to partner networks
  • Opens the door for improved client service, vendor support and company
    communications
  • Customers can order equipment over VPN
  • Suppliers can check on orders electronically
  • Employees can collaborate on project documents and customer profiles
• Interoperability
  • ZyWALL series are ICSA IPSec certified
  • They communicate with other VPN-enabled devices from ZyXEL as well as VPN gateways
    from other vendors, e.g. Cisco PIX/IOS VPN products, Check Point VPN Pro, Juniper
    NetScreen series and more...
• Integrated VPN/UTM solution
  • Includes SPI firewall and Layer-7 inspection to protect shared network resources on each
    operating site
Product List
Model | Description | P/N
For Main Offices
ZyWALL 1050 | VPN Concentrator for SMB/Mid- to Large-Scale Organizations | 91-009-020001B
For Branch Offices
ZyWALL 70 | Budget Internet Security Appliance Recommended for SMB | 91-009-002001B
ZyWALL 35 | Cost-Effective Internet Security Appliance for SB | 91-009-010001B
ZyWALL 5 | Best-of-Breed Technology Internet Security Appliance for SB | 91-009-014001B
ZyWALL 2 Plus | Professional Entry-Level Internet Security Appliance for SB/SOHO | 91-009-029001B
Note. The P/N (Part Number) in the above table is for the standard version. For other versions’ P/N, please refer to
the end of Chapter 6 in this handbook.
1-3 Remote Access VPN
Business Requirements
• Provide secure remote access to offsite and traveling employees
• Protect corporate network resources and VPN users’ systems
• Reduce telecommunication costs
• Minimize end-user support costs
• Streamline deployment and maintenance
The Application
[Figure: A teleworker reaches the private networks of the Main Office (ZyWALL 1050, with LDAP server, internal FTP, Mail, EIP and Workflow applications) and of the Branch Office (ZyWALL 70) through IPSec VPN tunnels across the Internet. Callouts: "Remote teleworkers can access network resources within the private networks of main offices or branch offices, no matter where they are" and "Through the use of VPN, organizations can get rid of costly RAS dial-in and reduce the operation cost of remote access, in a secure manner".]
Product List
Model | Description | P/N
For Main Offices
ZyWALL 1050 | VPN Concentrator for SMB/Mid- to Large-Scale Organizations | 91-009-020001B
For Branch Offices
ZyWALL 70 | Budget Internet Security Appliance Recommended for SMB | 91-009-002001B
ZyWALL 35 | Cost-Effective Internet Security Appliance for SB | 91-009-010001B
ZyWALL 5 | Best-of-Breed Technology Internet Security Appliance for SB | 91-009-014001B
ZyWALL 2 Plus | Professional Entry-Level Internet Security Appliance for SB/SOHO | 91-009-029001B
For Teleworkers
ZyWALL P1 | Palm-Sized Internet Security Appliance for Personal Network Protection | 91-009-018001B
ZyWALL Remote Security Client | Software-Based VPN Client | 91-009-016001B
Benefits
• Mobility
  • An employee on the road (a.k.a. teleworker) can simply gain full network access via an
    Internet connection
  • “Mobile office” enabler: working at airports, cyber cafés or any hotspot
• Secure Access
  • Communication channels from the “untrusted networks” are authenticated and encrypted
• Lowered Operation Cost
  • Replaces costly RAS dial-in remote access to company networks
  • Users can connect to the network via the Internet, eliminating expensive long-distance or
    collect-call dial-in costs
• Secured End Point
  • With deployment of the ZyWALL P1 VPN client, the corporate security policy can be
    automatically downloaded
  • Ensures security policy enforcement on remote user systems
• Reduced Management Overhead
  • ZyWALL P1 is a hardware-based VPN client solution that minimizes the maintenance
    overhead and reduces help desk calls
Note. The P/N (Part Number) in the above table is for the standard version. For other versions’ P/N, please refer to
the end of Chapter 6 in this handbook.
1-4 Large-Scale VPN Deployment
If the number of remote sites is huge...
ZyWALL 1050 supports various VPN topology types to meet the needs of organizations
of any size.
VPN topologies supported:
• Fully-Meshed topology can be deployed if the number of remote sites is small
• Star topology is recommended if the number of remote sites is huge
• Star-Mesh mixed topology (cascading topology) takes proximity into
  consideration in a globally distributed networking environment
Fully-Meshed Topology
[Figure: Fully-meshed VPN topology among Hannover, Paris, Oslo, Madrid and London, with every site tunnelled to every other site.]
In a fully-meshed VPN topology, a user can access resources on remote VPN sites if a VPN
tunnel has already been established. In this topology, each site plays the same role: it handles
incoming encrypted traffic or encrypts outgoing traffic destined for a remote site.
All ZyWALL models support the fully-meshed VPN topology. The models are: ZyWALL 2
Plus/5/35/70/1050.
Star Topology
[Figure: Star VPN topology with Amsterdam as the Central Site and Hannover, Paris, Oslo, Madrid and London as spoke sites.]
In a Star VPN topology, ZyWALL 1050 acts as the central site (enabling Hub & Spoke VPN) and
spoke sites can be any ZyWALL model. Any user on a spoke site (Madrid in this example) can
access resources on another spoke site (London) via the central site in Amsterdam. A user on a
spoke site (Oslo) can access resources on the central site in Amsterdam.
Star-Mesh Mixed Topology
[Figure: Star-Mesh mixed VPN topology. The EU Central Site in Amsterdam serves the spoke sites Frankfurt and London; the Asia Central Site in Singapore serves the spoke sites Tokyo and Taipei; the central sites are connected to each other, and a backup tunnel is shown.]
In a Star-Mesh mixed VPN topology, ZyWALL 1050 acts as a regional central site (enabling
Hub & Spoke VPN) and spoke sites can be any ZyWALL model. Any user on a spoke site
(Frankfurt in this case) can access resources on another spoke site (London) via the EU central
site in Amsterdam. A user on a spoke site (Taipei) can access resources on the regional central
site in Singapore. If a user in London needs to access resources outside the EU, e.g. the Tokyo
site, the traffic will be routed to the Asia central site (Singapore) and then routed again to the
final destination in Tokyo.
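The forwarding described for the Star-Mesh mixed topology, as an added example (not ZyXEL code): spokes hold one tunnel to their regional central site, the central sites are tunnelled to each other, only central sites forward for other sites, and a backup tunnel takes over when the primary tunnel is down. The site names are the ones in the figures; the tunnel states and the placement of the backup tunnel (London to Singapore) are assumptions.

```python
"""Path resolution in a Star-Mesh mixed IPSec VPN topology (added example)."""
from collections import deque

# Spoke -> regional central site (hub and spoke), taken from the figures above.
HUB_OF = {
    "Frankfurt": "Amsterdam", "London": "Amsterdam",
    "Tokyo": "Singapore", "Taipei": "Singapore",
}
CENTRAL_SITES = {"Amsterdam", "Singapore"}


def build_tunnels(backup=()):
    """All IPSec tunnels as unordered site pairs: spoke-to-hub, hub-to-hub, plus
    any backup tunnels passed in (the London-Singapore backup is an assumption)."""
    tunnels = {frozenset((spoke, hub)) for spoke, hub in HUB_OF.items()}
    hubs = sorted(CENTRAL_SITES)
    for i, a in enumerate(hubs):
        for b in hubs[i + 1:]:
            tunnels.add(frozenset((a, b)))
    tunnels.update(frozenset(t) for t in backup)
    return tunnels


def route(src, dst, tunnels, down=()):
    """Breadth-first search over tunnels that are up. Returns the ordered list of
    sites the traffic passes through, or None when no path exists. Spoke sites
    terminate tunnels but never forward traffic for other sites."""
    live = tunnels - {frozenset(t) for t in down}
    adjacent = {}
    for tunnel in live:
        a, b = tuple(tunnel)
        adjacent.setdefault(a, set()).add(b)
        adjacent.setdefault(b, set()).add(a)
    previous = {src: None}
    queue = deque([src])
    while queue:
        site = queue.popleft()
        if site == dst:
            path = []
            while site is not None:
                path.append(site)
                site = previous[site]
            return path[::-1]
        if site != src and site not in CENTRAL_SITES:
            continue  # a spoke only originates or receives, it does not transit
        for nxt in sorted(adjacent.get(site, ())):
            if nxt not in previous:
                previous[nxt] = site
                queue.append(nxt)
    return None


if __name__ == "__main__":
    primary = build_tunnels()
    print(route("Frankfurt", "London", primary))   # via the EU central site
    print(route("London", "Tokyo", primary))       # via both regional central sites
    with_backup = build_tunnels(backup=[("London", "Singapore")])
    print(route("London", "Tokyo", with_backup, down=[("Amsterdam", "Singapore")]))
```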
Product List
Model | Description | P/N
For Central Sites (Hub/Concentrator)
ZyWALL 1050 | VPN Concentrator for SMB/Mid- to Large-Scale Organizations | 91-009-020001B
For Remote Sites (Spoke Sites)
ZyWALL 70 | Budget Internet Security Appliance Recommended for SMB | 91-009-002001B
ZyWALL 35 | Cost-Effective Internet Security Appliance for SB | 91-009-010001B
ZyWALL 5 | Best-of-Breed Technology Internet Security Appliance for SB | 91-009-014001B
ZyWALL 2 Plus | Professional Entry-Level Internet Security Appliance for SB/SOHO | 91-009-029001B
Benefits
• Scalable VPN Topology
  • Basic — Fully-Meshed VPN topology
  • Advanced — Star VPN topology and cascading VPN topology for distributed networks
• Reliability
  • Status monitoring of VPN tunnels
  • Device High Availability and the VPN Backup Gateway feature can ensure the availability of
    VPN connections among operating sites
• Reduced Management/Maintenance Effort
  • Easy-to-use VPN Wizard
  • Automatically generates configuration scripts for peer gateways
  • When configuring a large number of VPN tunnels:
    - VPN Concentrator for easy, straightforward VPN tunnel management
    - Leveraging configuration scripts to create a large number of VPN rules
  • Comprehensive logging for troubleshooting
Note. The P/N (Part Number) in the above table is for the standard version. For other versions’ P/N, please refer to
the end of Chapter 6 in this handbook.
1-5 Access via Central Sites
Business Requirements
• An effective approach is required to deal with the insecure Internet connection
  • Viruses, bots, spyware, exploits and attacks all come in from the Internet
  • It’s already a common security practice to avoid multiple Internet connections on a
    corporate network
  • Traffic among private networks should be encrypted
• How about multi-site, distributed corporate networks?
  • Through network planning, centralized Internet connectivity can be achieved
  • Lack of IT staff at remote offices/branch offices
  • Security policies should be centrally managed and enforced
The Application
[Figure: The Branch Office (ZyWALL 70) reaches the Main Office (ZyWALL 1050, with LDAP server, Mail, EIP and Workflow) over an IPSec VPN tunnel; Intranet access stays inside the tunnel while Internet access is forwarded by the ZyWALL 1050. Callouts: "Centralized Access: all outgoing traffic originating from a branch office is routed to the Main Office, both encrypted and non-encrypted"; "If the traffic is destined for the Internet, ZyWALL 1050 can route the traffic to its destination on the Internet"; "Intranet access may carry confidential information, so the traffic should be transmitted via a secure VPN tunnel".]
Product List
Model | Description | P/N
For Main Offices
ZyWALL 1050 | VPN Concentrator for SMB/Mid- to Large-Scale Organizations | 91-009-020001B
For Branch Offices
ZyWALL 70 | Budget Internet Security Appliance Recommended for SMB | 91-009-002001B
ZyWALL 35 | Cost-Effective Internet Security Appliance for SB | 91-009-010001B
ZyWALL 5 | Best-of-Breed Technology Internet Security Appliance for SB | 91-009-014001B
ZyWALL 2 Plus | Professional Entry-Level Internet Security Appliance for SB/SOHO | 91-009-029001B
Benefits
• Secure Communication Channels
  • Through the deployment of an extended Intranet VPN, all communications among
    operating sites are authenticated and encrypted to provide better connectivity and
    better security
• Centrally Managed Internet Access
  • Internet access, regardless of the type of service/application, is aggregated into a single
    gateway
  • Eliminates the difficulties of lacking IT professionals at remote sites
    - Avoids unmanaged/less-watched communication channels within the corporate Intranet
    - Avoids the impact of misconfigurations on Internet gateways
Note. The P/N (Part Number) in the above table is for the standard version. For other versions’ P/N, please refer to
the end of Chapter 6 in this handbook.
1-6 Multiple Entry Points
Business Requirements
• The solution must provide an infrastructure for secure communication channels
  • Traffic must be encrypted and authenticated
• The solution must guarantee non-stop operation of mission-critical applications/
  resources to eliminate:
  • Failure of WAN connections
  • Failure of secure gateways
  • Failure of connectivity within ISP clouds
The Application
[Figure: A ZyWALL 1050 at the Central Site and a second ZyWALL 1050 at the Redundant Site, joined by a leased line, both offer an IPSec VPN tunnel across the Internet to a remote ZyWALL 2 Plus that needs the internal server. Callouts: "If the path (in blue) to the Main Office is not available, the user can still access the same network resource via the backup path (in green)" and "Guaranteed non-stop operation: with deployment of MEP, the availability of business-critical applications can be assured".]
Product List
Model | Description | P/N
For Central Sites/Redundant Sites
ZyWALL 1050 | VPN Concentrator for SMB/Mid- to Large-Scale Organizations | 91-009-020001B
For Remote Site
ZyWALL 2 Plus | Professional Entry-Level Internet Security Appliance for SB/SOHO | 91-009-029001B
Benefits
• Secure Communication Channels
  • Through the deployment of an extended Intranet VPN, all communications among
    operating sites are authenticated and encrypted to provide better connectivity and
    security
• Ensuring that the network path is always available
  • When the primary network path fails, users can access the same network resources/
    applications via the backup path
  • The redundancy mechanism covers failures of both ISP links and VPN gateways
• Easy to maintain
  • SNAT ensures packets can always be forwarded along the right path
  • Does not require complex configurations
• Affordable TCO
  • Does not require investment in excessive/expensive L7 load balancing equipment
Note. The P/N (Part Number) in the above table is for the standard version. For other versions’ P/N, please refer to
the end of Chapter 6 in this handbook.
1-7 Device High Availability
Business Requirements
• Increasing dependence of critical business activities on Internet and VPN
  connectivity
  • E-commerce
  • Intranet VPNs and extranet VPNs
  • Remote access VPNs
• Secure gateway failure can pose a major risk
  • Loss of revenue
  • Loss of customers
  • Loss of productivity
  • Loss of goodwill
The Application
[Figure: At the Main Office a ZyWALL 1050 (Master) and a ZyWALL 1050 (Backup) form a redundant pair; Remote Site 1 (ZyWALL 2 Plus) and Remote Site 2 (ZyWALL 35) connect over the Internet. Callouts: "Resilience of WAN connectivity: VPN HA supports redundant gateways so that the network path of the VPN is always available" and "Mitigate the impact of a Single Point of Failure: device HA greatly reduces the device downtime and guarantees non-stop operation".]
Product List
Model | Description | P/N
For Main Offices
ZyWALL 1050 | VPN Concentrator for SMB/Mid- to Large-Scale Organizations | 91-009-020001B
For Remote Sites
ZyWALL 70 | Budget Internet Security Appliance Recommended for SMB | 91-009-002001B
ZyWALL 35 | Cost-Effective Internet Security Appliance for SB | 91-009-010001B
ZyWALL 5 | Best-of-Breed Technology Internet Security Appliance for SB | 91-009-014001B
ZyWALL 2 Plus | Professional Entry-Level Internet Security Appliance for SB/SOHO | 91-009-029001B
Benefits
• Eliminates Impact of Single Point of Failure
  • The unplanned/planned downtime can be minimized
  • Avoid losing customers/business/goodwill
• Offline Maintenance
  • During business hours, simply switch off the target node and bring up the opposite node
    to perform system maintenance on the target node
• Easy to Manage/Maintain
  • Automatically syncs the configuration files between the master node and the backup node
Note. The P/N (Part Number) in the above table is for the standard version. For other versions’ P/N, please refer to
the end of Chapter 6 in this handbook.
1-8 VoIP Over VPN
Business Requirements
• Dealing with common VoIP security issues
  • Unauthorized VoIP calls
  • Call hijacking
  • Identity theft
  • Denial of Service
The Application
[Figure: The Main Office (ZyWALL 1050, server farm, VoIP ATA or VoIP Gateway) and the Branch Office (ZyWALL 70, VoIP ATA or VoIP Gateway) carry the VoIP call inside an IPSec VPN tunnel across the Internet. Callouts: "ZyWALL can seamlessly work with VoIP traffic: it switches between SIP sessions (call setup) and RTP traffic dynamically" and "VoIP calls can be protected by VPN to provide a cost-effective solution to VoIP security issues".]
Product List
Model | Description | P/N
For Main Offices
ZyWALL 1050 | VPN Concentrator for SMB/Mid- to Large-Scale Organizations | 91-009-020001B
For Branch Offices
ZyWALL 70 | Budget Internet Security Appliance Recommended for SMB | 91-009-002001B
ZyWALL 35 | Cost-Effective Internet Security Appliance for SB | 91-009-010001B
ZyWALL 5 | Best-of-Breed Technology Internet Security Appliance for SB | 91-009-014001B
ZyWALL 2 Plus | Professional Entry-Level Internet Security Appliance for SB/SOHO | 91-009-029001B
Benefits
• Benefits of using ZyWALL to protect the converged networks
  • Prevent unauthorized clients from placing calls (VoIP-aware firewall)
  • Protect the system from call hijacking (VoIP over VPN)
  • Protect the system from identity theft (VoIP over VPN)
Note. The P/N (Part Number) in the above table is for the standard version. For other versions’ P/N, please refer to
the end of Chapter 6 in this handbook.
2 Security Policy Enforcement
What is a security policy?
• A security policy, in the context of information security, defines the access privileges of an individual/object to information assets
• It’s a mandatory process to protect information assets
What can your business benefit from deploying a security policy?
• Protecting information assets
• Increased productivity
• Mitigating the impact of malicious applications or misuse
• Regulatory compliance
The need to enforce a corporate access policy
• Securing valuable information assets
• Reduced misuse of shared network resources
• Improved utilization of bandwidth resources
Use ZyWALL 1050 to enforce corporate access policies and achieve the following scenario:
• Great user experience — users are not required to log into any specific gateway prior to their normal access. Instead, users simply point to their desired URL and the
  authentication mechanism is triggered automatically
• Access granularity — in addition to IP/service ports, IT admins can define access policies based on additional criteria like time of access, user/group or bandwidth
  occupied
2-1 Managing IM/P2P Applications
Business Requirements
• An effective mechanism to restrict IM/P2P applications on corporate networks to
  avoid the following threats/misuses:
  • Infected files — Trojans and viruses
  • Misconfigured file sharing
  • Unencrypted communication
  • Theft of identity
• Eliminating the potential misuse of the common IM/P2P applications
  • Bandwidth occupied
  • Social engineering
  • Message logging
  • Copyright infringement
• The mechanism needs to provide granular access control to avoid the rigid
  “all-or-nothing” approach
  • Achieve different access privileges for different groups of users
The Application
[Figure: The ZyWALL 1050 applies IDP inspection, rate-limited bandwidth usage and scheduling control to a Manager and to Employee A and Employee B. Policy for Manager: IM OK, P2P OK, Time=All, Max BW=200k. Policy for Employee: IM Blocked, P2P Scheduling, Time=18:00~22:00, Max BW=100k.]
• Access Granularity for controlling hazardous IM/P2P applications
  • By User/Group
  • By Time of access
  • By Bandwidth
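The per-group, per-application, time-of-day and bandwidth policy sketched in the figure above, as an added example (not ZyWALL code): the two rules reproduce the Manager and Employee policies, and a token bucket enforces the Max BW cap on a flow. The user-to-group mapping would normally come from LDAP/AD or the local database; here it is a constructed dictionary, and the application label is assumed to come from a Layer-7 classifier.

```python
"""Group-, schedule- and bandwidth-aware IM/P2P policy evaluation (added example)."""
from dataclasses import dataclass
from datetime import time
from typing import Optional


@dataclass(frozen=True)
class Rule:
    group: str
    app: str                      # "im" or "p2p", as labelled by the L7 classifier
    action: str                   # "allow" or "block"
    start: time = time(0, 0)      # schedule window; allow only inside it
    end: time = time(23, 59, 59)
    max_kbps: Optional[int] = None  # rate limit applied to allowed traffic


# The two policies from the figure: Manager (all day, 200k) and Employee
# (IM blocked, P2P only 18:00-22:00 at 100k).
POLICY = [
    Rule("manager", "im", "allow", max_kbps=200),
    Rule("manager", "p2p", "allow", max_kbps=200),
    Rule("employee", "im", "block"),
    Rule("employee", "p2p", "allow", time(18, 0), time(22, 0), max_kbps=100),
]

# Constructed user directory standing in for LDAP/AD/local database lookups.
USERS = {"alice": "manager", "bob": "employee"}


def in_window(rule: Rule, now: time) -> bool:
    """True when `now` falls inside the rule's schedule, including windows that
    cross midnight (e.g. 22:00 to 06:00)."""
    if rule.start <= rule.end:
        return rule.start <= now <= rule.end
    return now >= rule.start or now <= rule.end


def decide(user: str, app: str, now: time):
    """Return (verdict, max_kbps, reason). Anything not explicitly allowed is blocked."""
    group = USERS.get(user)
    if group is None:
        return "block", None, "unknown user"
    for rule in POLICY:
        if rule.group == group and rule.app == app:
            if rule.action == "block":
                return "block", None, f"{app} blocked for group {group}"
            if not in_window(rule, now):
                return "block", None, f"outside schedule {rule.start:%H:%M}-{rule.end:%H:%M}"
            return "allow", rule.max_kbps, "allowed"
    return "block", None, "no matching rule"


class TokenBucket:
    """Rate-limit one flow to max_kbps. Tokens are bytes, refilled at the configured
    rate, with a burst allowance of one second's worth of traffic."""

    def __init__(self, max_kbps: int, now: float = 0.0):
        self.rate = max_kbps * 1000 / 8   # bytes per second
        self.capacity = self.rate
        self.tokens = self.capacity
        self.last = now

    def consume(self, nbytes: int, now: float) -> bool:
        """Admit a packet of `nbytes` at wall-clock `now` (seconds), or drop it."""
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if nbytes <= self.tokens:
            self.tokens -= nbytes
            return True
        return False


if __name__ == "__main__":
    print(decide("alice", "p2p", time(3, 0)))    # allowed, 200 kbps
    print(decide("bob", "im", time(12, 0)))      # blocked for the group
    print(decide("bob", "p2p", time(12, 0)))     # outside 18:00-22:00
    print(decide("bob", "p2p", time(19, 30)))    # allowed, 100 kbps
    bucket = TokenBucket(100)
    print([bucket.consume(10_000, t) for t in (0.0, 0.0, 1.0)])  # [True, False, True]
```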
Product List
Model | Description | P/N
For Access Granularity Against IM/P2P Applications (with “user-aware” capability)
ZyWALL 1050 | VPN Concentrator for SMB/Mid- to Large-Scale Organizations | 91-009-020001B
For Managing IM/P2P Applications (without “user-aware” capability)
ZyWALL 70 UTM | Budget UTM Security Appliance Recommended for SMB | 91-009-002009B
iCard, AV+IDP, Gold, 1-YR | AV+IDP 1-Year Service Subscription (For ZyWALL 70 UTM) | 91-995-004001G
ZyWALL 35 UTM | Cost-Effective UTM Security Appliance for SB | 91-009-010011B
iCard, AV+IDP, Gold, 1-YR | AV+IDP 1-Year Service Subscription (For ZyWALL 35 UTM) | 91-995-004001G
ZyWALL 5 UTM | Best-of-Breed Technology UTM Security Appliance for SB | 91-009-014001B
iCard, AV+IDP, Silver, 1-YR | AV+IDP 1-Year Service Subscription (For ZyWALL 5 UTM) | 91-995-004002G
Benefits
• Mitigating Security Breaches
  • Block IM/P2P applications
  • Prevent malicious viruses/trojans/bots/backdoors from entering the internal networks
• Increased Productivity
  • Helps employees focus on their jobs
  • Reduces misuse of network resources, e.g. costly WAN bandwidth
• Easy to use and maintain
  • Application Patrol requires very little knowledge about IM/P2P to manage those
    unwanted applications
  • Portless application management: identifies applications running on non-standard or
    dynamic ports
  • Supports a local user database or external directory servers such as LDAP, RADIUS or
    Microsoft AD
• Access Granularity
  • Provides the flexibility to enforce IM/P2P access policies
  • Access privileges can be granted according to user/group/time of access/type of
    application
Note. The P/N (Part Number) in the above table is for the standard version. For other versions’ P/N, please refer to
the end of Chapter 6 in this handbook.
2-2 Managing WLAN
Business Requirements
• Wireless networks need managing to avoid harm under certain conditions:
  • Misuse — wardriving (AP probed by an unknown party), transferring confidential data
    over wireless links (risk of being eavesdropped), etc.
  • Misconfigurations — rogue AP on the Intranet (possible malicious break-in), weak WEP/
    WPA passphrase (password is “password”... uh?)
• Best security practices for managing a WLAN
  • Wireless APs must be isolated from the wired networks within the Intranet
  • Requires a mechanism to centrally manage access credentials/privileges of
    both wired and wireless users
The Application
[Figure: The WLAN zone (wireless APs), LAN1 (server), DMZ and Internet are separate zones behind the ZyWALL 1050, with user accounts on the corporate LDAP server. Callouts:
• Security policy enforcement point — no matter where the destination is, credentials must be presented before access is granted
• Access granted — the security policy defines where the user is allowed to access, e.g. access to DMZ/Internet or internal servers. This can greatly increase WLAN security
• Centrally managed user accounts — all user accounts are managed on the corporate LDAP server
• Partitioning of wireless access points — all the wireless APs are connected to the WLAN zone]
Benefits
• Isolates wireless access points
  • Coupled with VLAN and custom security zones, wireless APs can be centrally
    managed regardless of the scale of the corporate network
• Provides “Access Granularity” for wireless users
  • May enforce strict access control on wireless users according to access
    credentials/bandwidth occupied/timeframe
• Transparent authentication
  • Users are not required to repeatedly log into a separate authentication server
    — simply point to the intended destination in a browser
  • Minimizes impact on normal user behavior and therefore makes it easier to enforce
    security policies
Product List
Model | Description | P/N
For Main Offices
ZyWALL 1050 | VPN Concentrator for SMB/Mid- to Large-Scale Organizations | 91-009-020001B
Note. The P/N (Part Number) in the above table is for the standard version. For other versions’ P/N, please refer to
the end of Chapter 6 in this handbook.
2-3 Employee Internet Management
Business Requirements
á Protect users and their computers from visiting Web sites with undesirable or
harmful materials
á Defi nition of undesirable or harmful material should be confi gurable by the Web
fi lter category policy
á Always up-to-date: the URL category database should be constantly updated to cover
ever-changing URLs and Internet community
á The Web fi lter protection service should allow or block requested Web sites
according to the fi ltering policy selections
á In-depth Inspection: control access to Java/ActiveX/Cookie/embedded proxy links
The Application
[Figure: Web surfing from the LAN passes through the ZyWALL Series appliance, which queries the dynamic URL database server and either allows the request to the Internet or blocks it and redirects the browser to the warning page. A customizable black list/white list is checked locally.]
• Always up-to-date: the dynamic URL database maintained by Bluecoat, ZyXEL’s best-in-class technology partner, delivers comprehensive and precise coverage
• More secure: EIM can prevent access to malicious Web sites that may carry harmful content (spyware/malware/bot)
Benefits
■ Increased productivity
• Employees can now focus on their jobs
■ Reduced misuse
• Corporate resources are protected, for better bandwidth utilization and a higher level of security
■ Regulatory compliance
• Filters porn/violent Web content
• Access to porn/violent/racist URLs may have legal implications
■ Flexible access policy
• Enforces access policy with granularity
■ Always up-to-date
• Queries a dynamically updated URL database
• Keeps up with the ever-changing Internet communities
Product List
Model                          Description                                                        P/N
ZyWALL 1050                    VPN Concentrator for SMB/Mid- to Large-Scale Organizations         91-009-020001B
iCard, CF, ZyWALL 1050, 1-YR   Content Filter 1-Year Service Subscription (For ZyWALL 1050)      91-995-006003G
ZyWALL 70 UTM                  Budget UTM Security Appliance Recommended for SMB                  91-009-002009B
iCard, CF, Gold, 1-YR          Content Filter 1-Year Service Subscription (For ZyWALL 70 UTM)    91-995-003001G
ZyWALL 35 UTM                  Cost-Effective UTM Security Appliance for SB                       91-009-010011B
iCard, CF, Gold, 1-YR          Content Filter 1-Year Service Subscription (For ZyWALL 35 UTM)    91-995-003001G
ZyWALL 5 UTM                   Best-of-Breed Technology UTM Security Appliance for SB             91-009-014001B
iCard, CF, Silver, 1-YR        Content Filter 1-Year Service Subscription (For ZyWALL 5 UTM)     91-995-003002G
ZyWALL 2 Plus                  Professional Entry-Level Internet Security Appliance for SB/SOHO   91-009-029001B
iCard, CF, Silver, 1-YR        Content Filter 1-Year Service Subscription (For ZyWALL 2 Plus)    91-995-003002G
Note. The P/N (Part Number) in the above table is for the standard version. For other versions' P/N, please refer to the end of Chapter 6 in this handbook.
3 Seamless Incorporation
Robust Platform
■ The rich networking functionality enables the ZyWALL 1050 to be easily integrated into the existing network infrastructure to perform the required tasks
■ For example:
• Tagged VLAN can be used to extend the number of interfaces
• Custom zones can be defined to create multiple logical segments/areas to fit large corporate networks
Multi-Service Gateway
■ Based on this robust platform, the ZyWALL 1050 can deliver many security services: VPN, Policy-Based Routing, Access Control, Content Inspection, Application Management and QoS
In the following sections, we illustrate more security applications that can be easily incorporated into today’s corporate network:
■ Zone-based IDP in a server-hosting environment
Applies a unique protection profile to each network segment; best for MSP environments
■ Network Partitioning Using VLAN
Increased flexibility when conducting network planning
■ Managing WAN Connectivity
Introduces the capability to connect multiple ISP links to increase bandwidth at a competitive TCO
■ Guaranteed Quality of Service
Illustrates how to prioritize bandwidth to meet mission-critical application needs
3-1 Zone-Based IDP Protection
Business Requirements
■ IDP (Intrusion Detection and Prevention) must be able to detect and block malicious or unwanted traffic
■ IDP must deliver high performance to minimize the impact on traffic throughput and latency
■ Deploy different inspection/checking profiles for different access areas
■ IDP must be kept up-to-date to detect/block the latest worms/exploits/threats
The Application
[Figure: zone-based IDP in a server-hosting environment. VLAN 1~3 carry Customer-1, Customer-2 and Customer-3 behind the ZyWALL facing the Internet: Customer-1 is protected by strict profiles, Customer-2 by loose profiles, and Customer-3 has no IDP protection.]
• Zone-based IDP protection for each customer: in a server hosting environment, the security requirements of each customer may be different. Zone-based IDP protection provides the most flexible protection for each customer
• Malicious attacks can be stopped at the gateway: customer servers are securely protected and a notification alert will be sent to the involved parties/individuals
Benefits
■ Comprehensive Protection
• Works in both in-line mode and bridge mode: provides real-time intrusion detection and prevention while retaining the flexibility of alert/monitoring-only operation
• Signature-based Layer 3-7 deep packet inspection
• Protocol anomaly detection to identify abnormal behavior of major protocols
• Traffic anomaly detection for scan detection and flood detection
■ High-Performance IDP
• Delivers high throughput for IDP inspection
• Offloads intensive processing to the SecuASIC content inspection accelerator to:
- Improve system throughput
- Free host CPU resources for other tasks
• Minimizes the performance impact of turning on IDP inspection
■ Zone-Based Detection Mechanism
• Maintains multiple sets of IDP profiles
• Different IDP profiles can be enforced on different security zones
■ Automatic update
• With ZSRT (ZyXEL Security Response Team), new signature packages are released on a weekly basis
• Keeps the IDP up-to-date to provide protection against the latest threats/worms/exploits
Product List
Model                           Description                                                  P/N
ZyWALL 1050                     VPN Concentrator for SMB/Mid- to Large-Scale Organizations   91-009-020001B
iCard, IDP, ZyWALL 1050, 1-YR   IDP 1-Year Service Subscription (For ZyWALL 1050)            91-995-004003G
Note. The P/N (Part Number) in the above table is for the standard version. For other versions' P/N, please refer to the end of Chapter 6 in this handbook.
3-2 Network Partitioning Using VLAN
Business Requirements
■ A scalable mechanism to fit the corporate network size, regardless of the complexity of the network architecture
■ Information assets with similar security levels should be aggregated into the same access area
■ Access policy should be enforced among different access areas
■ The security solution should provide wire-speed connectivity between areas
The Application
[Figure: network partitioning using VLAN. A VLAN-capable L2 switch is required to create VLAN tags; the ZyWALL 1050 groups the tagged VLAN interfaces into security zones. Legend: zone name, zone description, VLAN IDs included in the zone.]
WAN1 (VLAN1): all PPPoE links are included in WAN1
WAN2 (VLAN2): all fixed WAN links are included in WAN2
DMZ (VLAN3): Internet-facing public servers
WLAN (VLAN4 ~ VLAN6): all the wireless access points are connected into this zone. Strict access policies should be applied to ensure internal security
SECRET (VLAN7): important servers, including the Domain Controller, directory server and database servers, are placed in this zone. A strict access policy may apply to prevent misuse
LAN (VLAN8 ~ VLAN10): corporate Intranet
FINANCE (VLAN11): highly confidential financial servers are placed in this zone. Access privilege is only granted to authorized users
• Ensures the highest level of security: granular access control can be enforced between zones
• Customizable security zones deliver the highest flexibility: a zone can contain multiple VLAN interfaces
(VLAN groups shown in the legend: VLAN1 ~ 2, VLAN3 ~ 6, VLAN7 ~ 11)
Benefits
■ Flexibility to manage access across VLANs by using security zones
■ Extend the number of interfaces by simply using 802.1Q tagged VLAN
■ High throughput performance: highest combined throughput in its class, for both firewall and VPN applications
■ Better security: strict/flexible ACLs can be enforced across security zones
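How the VLAN-to-zone grouping of this section and the per-zone IDP profiles of section 3-1 work together, as an added Python illustration that is not ZyXEL's code: a frame's 802.1Q tag is resolved to the zone that owns that VLAN interface, a zone-pair table gives the firewall verdict, and the destination zone selects the IDP profile. The zone names and VLAN IDs follow the diagram above; the policy table, the default-deny for unlisted zone pairs, the intra-zone allow and the profile assignments are assumptions made for this example.

```python
"""Security zones over 802.1Q VLANs: zone lookup, zone-pair policy and per-zone IDP profile.

Added illustration, not ZyXEL firmware code. Zone names and VLAN IDs follow the
diagram in section 3-2; the policy table, the IDP profile assignment, the
intra-zone allow and the default-deny behaviour are constructed assumptions.
"""
from __future__ import annotations

# Zone -> set of VLAN IDs (membership taken from the section 3-2 diagram).
ZONES: dict[str, set[int]] = {
    "WAN1": {1}, "WAN2": {2}, "DMZ": {3}, "WLAN": {4, 5, 6},
    "SECRET": {7}, "LAN": {8, 9, 10}, "FINANCE": {11},
}

# Zone-pair policy (from_zone, to_zone) -> action. Pairs not listed are denied
# (constructed default-deny assumption). Rules reference zones, not VLANs, so
# moving a VLAN between zones never requires editing a rule.
POLICY: dict[tuple[str, str], str] = {
    ("LAN", "WAN1"): "allow", ("LAN", "WAN2"): "allow", ("LAN", "DMZ"): "allow",
    ("LAN", "FINANCE"): "allow",
    ("WLAN", "WAN1"): "allow", ("WLAN", "DMZ"): "allow",
    ("WAN1", "DMZ"): "allow", ("WAN2", "DMZ"): "allow",
}

# IDP profile applied to traffic entering each zone (section 3-1): strict, loose or none.
IDP_PROFILE: dict[str, str] = {
    "DMZ": "strict", "FINANCE": "strict", "SECRET": "strict",
    "LAN": "loose", "WLAN": "loose",
}


def zone_of(vlan_id: int) -> str:
    """Map an 802.1Q tag to the zone that contains that VLAN interface."""
    for zone, vlans in ZONES.items():
        if vlan_id in vlans:
            return zone
    raise ValueError(f"VLAN {vlan_id} is not a member of any zone")


def move_vlan(vlan_id: int, new_zone: str) -> None:
    """Re-home a VLAN interface; the policy table needs no change ('automatic change update')."""
    ZONES[zone_of(vlan_id)].discard(vlan_id)
    ZONES[new_zone].add(vlan_id)


def decide(src_vlan: int, dst_vlan: int) -> tuple[str, str]:
    """Return (firewall verdict, IDP profile) for a flow between two VLANs."""
    src, dst = zone_of(src_vlan), zone_of(dst_vlan)
    if src == dst:
        verdict = "allow"  # intra-zone traffic: assumed allowed in this example
    else:
        verdict = POLICY.get((src, dst), "deny")
    profile = IDP_PROFILE.get(dst, "none") if verdict == "allow" else "none"
    return verdict, profile


if __name__ == "__main__":
    for s, d in [(8, 3), (5, 11), (1, 7), (3, 3)]:
        print(f"VLAN {s} ({zone_of(s)}) -> VLAN {d} ({zone_of(d)}): {decide(s, d)}")
    move_vlan(5, "LAN")  # a wireless VLAN becomes part of LAN
    print("after move:", decide(5, 11))
```

Re-homing VLAN 5 from WLAN to LAN with move_vlan changes what its hosts may reach without touching a single rule, which is the "automatic change update" benefit of the zone model; the IDP profile still follows the destination zone, so a strict profile stays on FINANCE whichever VLAN the traffic arrives from.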
Product List
Model            Description                                                  P/N
ZyWALL 1050      VPN Concentrator for SMB/Mid- to Large-Scale Organizations   91-009-020001B
Note. The P/N (Part Number) in the above table is for the standard version. For other versions' P/N, please refer to the end of Chapter 6 in this handbook.
Managing WAN Connectivity
■ Internet connectivity is always the primary concern, for the following reasons:
• Internet-centric business operations
• The prevalence of distributed client-server applications
• VPNs rely on the underlying Internet connectivity
• Internal information exchange across the Internet
■ In the following sections, we give two useful WAN connectivity applications for today’s corporate networks:
• Connecting multiple ISP links
• Quality of Service for WAN connections
3-3 Connecting Multiple ISP Links
Business Requirements
■ Support diverse types of WAN connections, including xDSL, FTTx, T1, E1 and T3
■ Handle the growing demand for bandwidth on the WAN side
■ Make the most of the ISP links to achieve optimized bandwidth utilization
■ Provide a mechanism to improve the availability of WAN connections, even with subscriptions to unreliable xDSL links
■ Here we give 3 examples to illustrate how the ZyWALL 1050 can fulfill the need to connect multiple ISP links:
• Multiple PPPoE ISP links
• Multiple Fixed WAN links
• Mixed Types of WAN links
The Application
1 Multiple PPPoE Links
[Figure: three xDSL modems (PPPoE1, PPPoE2, PPPoE3) connect through an L2 switch to the ZyWALL 1050, which groups them into a WAN Trunk toward the Internet; LAN and DMZ sit behind the ZyWALL.]
• Easy to manage: simply use the “WAN Trunk” to manage multiple PPPoE links
• On ZyWALL 1050, multiple PPPoE links can be based on a single physical port
2 Multiple Fixed WAN Links
[Figure: E1, E2 and E3 routers from ISP1, ISP2 and ISP3 connect to WAN1, WAN2 and WAN3 on the ZyWALL 1050 and are grouped into a WAN Trunk; LAN and DMZ sit behind the ZyWALL.]
• Easy to manage: simply use the “WAN Trunk” to manage multiple PPPoE links
• Flexible port role: interfaces can be freely mapped to physical ports
• Customizable security zone: security zones can be created to fit actual needs
3 Mixed Types of WAN Link
[Figure: PPPoE1, PPPoE2 and PPPoE3 over xDSL via a switch, together with an E3 router link, from ISP1, ISP2 and ISP3, are grouped into one WAN Trunk; LAN and DMZ sit behind the ZyWALL.]
• Easy to manage: simply use the “WAN Trunk” to manage multiple PPPoE links
• Mixed WAN links can be created on a single physical port on the ZyWALL 1050
Benefits
■ Multi-Connectivity
• Encapsulations supported: Ethernet and PPP (PPPoE)
• Supports different types of ISP links of your choice: ADSL/VDSL/FTTB/FTTH/T1/E1/T3/E3
■ Highly Scalable
• With the use of 802.1Q tagged VLAN, it is possible to connect up to 48 ISP links
• High performance for multiple services
- Routing/Firewalling/VPN/Intrusion Detection and Prevention
■ Failover and Load Balancing
• Automatic failover and fail-back when a link failure is detected
• Outbound load balancing based on three algorithms of your choice:
- Least Load First
- Weighted Round-Robin
- Spill-Over
■ Easy to Use
• Simply add interfaces to the WAN Trunk to reduce management effort
■ Better TCO
• By connecting multiple DSL ISP links to the ZyWALL 1050, companies can have adequate bandwidth on the WAN side with the same level of reliability as expensive leased lines
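The three outbound load-balancing algorithms and the failover behaviour listed above, as an added Python simulation that is not ZyXEL firmware code: a WAN trunk of constructed links picks an egress link per new flow using Least Load First, Weighted Round-Robin or Spill-Over, and a link that monitoring marks down is skipped. The algorithm names come from this section; their exact tie-breaking, the ratio-based load comparison and the spill-over fallback are assumptions of the example.

```python
"""WAN Trunk outbound link selection: Least Load First, Weighted Round-Robin and
Spill-Over, with failover to the links that link monitoring still reports up.

Added illustration, not ZyXEL firmware code. The three algorithm names are the
ones the handbook lists; their exact tie-breaking and the spill-over fallback
used here are assumptions, and the links are constructed sample data.
"""
from __future__ import annotations

import itertools
from dataclasses import dataclass


@dataclass
class Link:
    name: str
    capacity_kbps: int        # subscribed upstream bandwidth of the ISP link
    weight: int = 1           # share used by weighted round-robin
    load_kbps: int = 0        # outbound load currently assigned to the link
    up: bool = True           # link-monitoring result; False triggers failover


class WanTrunk:
    def __init__(self, links: list[Link], algorithm: str = "least_load"):
        self.links = links
        self.algorithm = algorithm
        # Weighted round-robin cycles through each link 'weight' times per round.
        self._cycle = itertools.cycle([l for l in links for _ in range(l.weight)])

    def active(self) -> list[Link]:
        """Failover: only links that monitoring reports up are eligible."""
        return [l for l in self.links if l.up]

    def least_load_first(self) -> Link:
        # Compare utilisation ratios so a 2 Mbps link and a 1 Mbps link are treated fairly.
        return min(self.active(), key=lambda l: l.load_kbps / l.capacity_kbps)

    def weighted_round_robin(self) -> Link:
        rounds = sum(l.weight for l in self.links)
        for _ in range(rounds):  # one full round is enough to find an up link
            link = next(self._cycle)
            if link.up:
                return link
        raise RuntimeError("no active WAN link")

    def spill_over(self, flow_kbps: int) -> Link:
        # Fill links in configured order; a new flow spills to the next link only
        # when the current one would exceed its capacity.
        for link in self.active():
            if link.load_kbps + flow_kbps <= link.capacity_kbps:
                return link
        return self.least_load_first()  # everything is saturated: still forward

    def select(self, flow_kbps: int = 0) -> str:
        """Pick the egress link for a new outbound flow and account its load."""
        if not self.active():
            raise RuntimeError("all WAN links are down")
        if self.algorithm == "least_load":
            link = self.least_load_first()
        elif self.algorithm == "wrr":
            link = self.weighted_round_robin()
        elif self.algorithm == "spill_over":
            link = self.spill_over(flow_kbps)
        else:
            raise ValueError(f"unknown algorithm {self.algorithm}")
        link.load_kbps += flow_kbps
        return link.name


def demo_links() -> list[Link]:
    # Constructed trunk: two 2 Mbps xDSL/PPPoE links and one 1 Mbps link.
    return [Link("PPPoE1", 2000, weight=2), Link("PPPoE2", 2000), Link("PPPoE3", 1000)]


if __name__ == "__main__":
    for algo in ("least_load", "wrr", "spill_over"):
        trunk = WanTrunk(demo_links(), algo)
        picks = [trunk.select(500) for _ in range(5)]
        trunk.links[0].up = False  # PPPoE1 fails: the next flow fails over
        picks.append(trunk.select(500))
        print(f"{algo:11s}: {picks}")
```

Least Load First spreads flows by utilisation, so the 1 Mbps link receives proportionally less; Weighted Round-Robin honours the configured 2:1:1 share; Spill-Over keeps the first link busy until it is full, which suits a trunk mixing a fixed link with cheaper backup DSL links. In all three modes a link marked down simply drops out of the candidate set, which is the failover the handbook describes.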
Product List
Model            Description                                                  P/N
For Main Offices
ZyWALL 1050      VPN Concentrator for SMB/Mid- to Large-Scale Organizations   91-009-020001B
Note. The P/N (Part Number) in the above table is for the standard version. For other versions' P/N, please refer to the end of Chapter 6 in this handbook.
3-4 Guaranteed Quality of Service
Business Requirements
■ Prioritize the shared resource: the network
• Priority traffic is seriously and negatively affected by nonessential traffic
• For example: sales order processing should always have higher priority than downloading images
■ Serve the different resource needs of different applications
• Data transfers: no interruption
• Video/voice streaming: low latency
• Interactive video/voice: low latency
• Mission-critical: guaranteed bandwidth
• Web-based: typically lower priority
The Application
[Figure: bandwidth management on the WAN Trunk. Outgoing traffic from the Intranet to the Internet is divided into classes labelled 400Kbps WWW, 800Kbps FTP, 100Kbps RTP and 300Kbps.]
• IT administrators can define a bandwidth management policy to ensure the quality of running services
• Bandwidth management policies based on type of service, origin of the traffic and user/group ensure optimized bandwidth utilization
Benefits
■ Optimized Bandwidth Utilization
• Prioritization of mission-critical applications
• Matches network response to application requirements
• Real-time session monitoring
■ Integrated Security and QoS
• Integration with the VPN infrastructure
- Awareness of packet sizes before and after encryption/decryption
• Correctly classifies encrypted or NAT traffic
• Knowledge of DMZ traffic
■ Reduced Costs
• Eliminates the expense and complexity of multiple boxes
- No additional hardware
• Shared management architecture
- Integrated GUI and management architecture reduce management overhead and flatten the learning curve
Product List
Model            Description                                                  P/N
For Main Offices
ZyWALL 1050      VPN Concentrator for SMB/Mid- to Large-Scale Organizations   91-009-020001B
Note. The P/N (Part Number) in the above table is for the standard version. For other versions' P/N, please refer to the end of Chapter 6 in this handbook.
Chapter 5 FAQ
A. General
1. What is ZyWALL 1050?
ZyWALL 1050 is an Integrated Security appliance, equipped with complete security
features tailored for Small and Medium Business (SMB) and Mid-Large organizations.
2. When will ZyWALL 1050 be available?
ZyWALL 1050 is available from July 13th 2006; please contact ZyXEL distributors for details.
3. What’s new in ZyWALL 1050 in comparison to the existing
ZyWALL family?
1). Improved security
New OS platform (ZLD) to provide advanced features like: user-awareness, access granularity, definable port/interface and device redundancy
2). Increased performance
New hardware architecture boosts firewall/VPN/UTM performance to exceed 100Mbps for any service
3). Better scalability
Larger capacity, VLAN, multiple WAN, customizable zones, etc.
4). Lowered Administration Effort
Object-based/CISCO-like CLI/text-based config file and more context-sensitive Web-based help
4. What are the new key features of ZyWALL 1050?
1). High Performance: 300Mbps firewall, 100Mbps VPN and 100Mbps IDP
2). High Capacity: 128K NAT sessions, 1000 VPN tunnels and 1024
concurrent access users
3). Definable Zone: port, interface and zone are definable
4). User-aware Security: Firewall, IPSec VPN, Bandwidth Management,
Content Filtering, Multiple-WAN Load Balancing, Intrusion Detection
Prevention (IDP), Application Patrol, Anti-Virus* and Anti-SPAM*
5). High Availability: Redundant IPSec tunnel, Device High Availability
* Future release
5. Does ZyWALL 1050 support UTM functionalities?
Yes. In the 1.00 release, ZyWALL 1050 supports:
1). IDP (with purchase of IDP license)
2). Content Filtering (with purchase of CF license)
3). SPI firewall
4). IPSec VPN
5). Bandwidth Management
6). Multiple WANs Load Balancing
Please note that Anti-Virus and Anti-Spam features will be supported with a firmware upgrade in the near future.
6. Does ZyWALL 1050 support Anti-Virus?
In ZLD 1.00: No
In ZLD 1.10: Yes. ZLD 1.10 will be released in Q1 of 2007
7. Does ZyWALL 1050 support Anti-Spam feature?
In ZLD 1.00: No
In ZLD 2.00: Yes. ZLD 2.00 will be released in Q3/07
8. Does ZyWALL 1050 support SSL VPN?
In ZLD 1.00: No
In ZLD 1.10: Yes. ZLD 1.10 will be released in Q1 of 2007
9. Does ZyWALL 1050 deploy HW-acceleration technology?
Yes. ZyWALL 1050 deploys HW-acceleration technology and
1). VPN performance: HW encryption to accelerate IPSec traffic and SSL VPN
(future release) as well.
2). UTM performance: SecuASIC CIP-2001 boosts IDP performance as well as
AV performance (future release).
10. Is ZyWALL 1050 based on ZyNOS?
No.
The ZyWALL 1050 is based on ZLD, which leverages the Linux kernel to achieve better flexibility and scalability.
ZLD is well-hardened so that it’s more secure than typical Linux operating systems on the market.
11. Why choose ZLD instead of ZyNOS?
1). ZLD is more suitable for high scalability products
2). ZLD is more flexible than ZyNOS as new features being introduced
12. Is there any hardware change needed for future firmware upgrades?
No, the ZyWALL 1050 hardware design reserves enough flexibility/capacity for future firmware support.
13. Does ZyWALL 1050 need ZyWALL Turbo Card to activate IDP or
future AV?
No, ZyWALL 1050 has SecuASIC built-in that runs IDP and AV (future release) without
ZyWALL Turbo Card.
14. Is HDD built into ZyWALL 1050?
HDD will be supported by a future firmware release (ZLD 2.00) with purchase of the HDD package.
ZyWALL 1050 can perform security log archiving (local logging) with HDD.
15. What can I do with the USB ports?
The onboard USB ports are reserved for future use.
16. What can I do with the PCMCIA slot?
The PCMCIA slot is reserved for future use.
17. What can I do with the Mini-PCI slot?
The Mini-PCI slot is reserved for future use.
18. Does ZyWALL 1050 support Vantage Report?
Yes. ZyWALL 1050 supports VRPT 3.0, which will be available in Q4 of 2006.
19. Does ZyWALL 1050 support Vantage CNM?
Yes. ZyWALL 1050 supports CNM 3.0, which will be available in Q2 of 2007.
B. Competition
1. What are the key differentiations of ZyWALL 1050?
1). High Volume VPN Concentrator (ZyWALL 1050 provides 1,000 IPSec VPN
tunnels)
2). High Performance with Triple Core Design (100+ Mbps for any service)
3). High Availability Features Guarantee Non-Stop Operation
3-1) Multiple WAN redundant, load-balanced links up to 48 ISPs
3-2) Device High Availability (or Hardware Failover)
4). User-Aware Policy Engine Enables Access Granularity (User-Aware +
Application Patrol)
5). 2-year hardware warranty
6). No extra cost to upgrade firmware
7). No extra cost for unlimited nodes
8). Hybrid VPN Upgradeable* (Future firmware upgrades offer both SSL VPN and
IPSec VPN without hardware replacement)
2. What products are competitors of ZyWALL 1050?
1). SonicWALL PRO 2040 or PRO 3060
2). Fortinet FortiGate 200A
3). WatchGuard X700 or X1000
4). Juniper NS204
5). 3Com X505
3. What are the key competitive features from all comparable models?
Model              Unlimited  VPN             Performance (Mbps)     Concurrent  Up to 48 WAN     Device HA      Application  Warranty  Free Firmware  MSRP
                   Users      Tunnels         VPN   Firewall  IDP    Sessions    HA/LB                           Patrol                 Upgrade        (US$)
Fortinet FG200A    ✓          200             70    150       N/A    400K        x (2)            x              x            1 year    90 days        $3,495
Juniper NS204      ✓          1000            175   375       180    128K        x (2)            ✓              x            1 year    x              $9,995
Sonicwall Pro2040  ✓          50              50    200       40     32K         x (2)            ✓ (optional)   x            1 year    x              $2,595
Sonicwall Pro3060  ✓          500/1000        75    300       N/A    128K        x (2)            ✓ (optional)   x            1 year    x              $3,490
WatchGuard X700    ✓          100             40    150       N/A    50K         x (4, optional)  ✓ (optional)   x            1 year    90 days        $2,840
WatchGuard X1000   ✓          500             75    225       N/A    200K        x (4, optional)  ✓ (optional)   x            1 year    90 days        $3,790
3Com X505          ✓          1000 (Phase 2)  50    100       50     128K        x                x              ✓            1 year    x              $3,750
ZyWALL 1050        ✓          1000            150   300       150    128K        ✓                ✓              ✓            2 year    ✓              $3,490
4. What are the overall advantages of ZyWALL 1050?
1). Higher VPN, Firewall and IDP performance
2). Multiple (up to 48) WAN HA/LB and Device HA to help organizations easily set up a highly reliable and secure network for their business.
3). ZyXEL provides free firmware upgrades for constant feature renewal
4). ZyWALL provides a 2-year hardware warranty to lower TCO and protect investment.
C. SKU
1. What is iCard?
The iCard contains the license number required for AV/IDP/AS/CF service registration and
activation in your ZyWALL devices, including ZyWALL 1050.
2. What are the ZyWALL 1050 features that require an additional
service license purchase?
As of ZyWALL 1050, you need to buy an additional service license to use and activate the
following security features:
1). IDP
2). Content Filtering
3. What service licenses can I get for my ZyWALL 1050?
iCard/SKU mapping for the ZyWALL 1050
For ZyWALL 1050, we provide 3 types of iCards:
1). iCard for ZyWALL 1050, IDP, 1 year
2). iCard for ZyWALL 1050, IDP, 2 years
3). iCard for ZyWALL 1050, Content Filter, 1 year
4. Does ZyXEL offer free trial for paid services on ZyWALL 1050?
Trial period for each security service:
1). For IDP: 1-month free trial
2). For Content Filter: 1-month free trial
Please note that customers can simply activate the free trial service within the Web configurator (Internet connectivity is required while activating the trial services).
5. For future AV, AS and SSL on ZyWALL 1050, do I need different
iCards?
Yes. Along with AV, AS and SSL in the future, we will create different iCards for each service.
6. Is there any bundle program for iCard and ZyWALL 1050?
ZyXEL will create different bundle programs to pack ZyWALL 1050 and iCard by market
demand.
7. Does ZyXEL provide bundle for device HA application?
No. There is no device HA bundle as of writing.
8. Do I have to pay for firmware upgrades?
No. Firmware upgrades are offered free of charge.
D. Hands-on
1. Can ZyWALL 1050 store multiple configuration files onboard?
Yes. The ZyWALL 1050 supports multiple sets of configuration files onboard. In addition, security administrators can manipulate those configuration files: copy, rename, delete, apply and download them to a desktop PC.
The text-based configuration files are editable and viewable with text editors of your choice.
2. Do I have to reboot the device after applying another configuration file?
No. You don’t have to reboot the system after applying a different configuration file. The ZyWALL 1050 applies changes on-the-fly without rebooting, and the changes take effect immediately after the new configuration file is applied.
3. Would it be bothersome that I have to create objects prior to configuring a specific feature?
No, it wouldn’t.
On the contrary, there are 2 obvious benefits to using objects in feature configuration:
1). Automatic “Change Update”
Once the value of a setting is changed, the change is automatically applied system-wide. This feature helps the administrator maintain the integrity and consistency of the system configuration without hassle.
2). Object Reuse
User-defined objects can be reused. As a result, administration effort can be drastically reduced in a complex configuration pertaining to a larger-scale networking environment or a strict corporate security policy.
4. What’s the benefit of using zones?
1). Automatic change update
Without the zone concept, the administrator has to change the corresponding settings whenever an interface setting changes, which may lead to inconsistency in the firewall policy configuration.
2). Reduced Configuration Effort
By grouping interfaces/tunnels into zones, configuration settings can be applied to each member of a zone, which saves configuration effort.
5. How do I activate the free trial services on ZyWALL 1050?
ZyXEL provides free trial services on ZyWALL 1050: IDP service and Content Filter service.
The procedure to activate the trial services is quite simple and straightforward:
1). Get connected to the Internet
2). Use a browser to log into the ZyWALL 1050 with administrative privilege
3). Jump to the “Registration” page and perform the device registration
4). Select the check box of each service and click the “Apply” button
6. Can I copy the IDP policy settings from existing ZyWALLs (e.g.
ZyWALL 35 UTM) to the new ZyWALL 1050?
No, you can’t. The format and data structure of the configuration files on ZyWALL 1050 are totally different from those on ZyNOS-based ZyWALLs, e.g. ZyWALL 35 UTM.
7. Can I copy the IDP signature database from one ZyWALL 1050 to
another ZyWALL 1050?
No, you can’t. You can only download signature package from the ZSDN Update Server via
Internet.
However, you can copy IDP policy settings from one ZyWALL 1050 to another one.
8. How do I keep IDP signatures updated?
The IDP security service on ZyWALL 1050 supports “Automatic Update” which enables
security administrator to synchronize the IDP Signature Package to the latest version with
online update server.
To enable the automatic update, simply go to the ZyWALL 1050 > Configuration > Policy > IDP > Update page and click on the “Auto Update” check box.
Once the automatic update is enabled, the update will take place automatically on an hourly, daily or weekly basis, depending on your configuration.
Or, as an alternative, you can click on “Update Now” to update the signature package to the
latest version immediately.
The automatic update mechanism ensures your device is always up-to-date, so that emerging threats/worms/attacks/exploits can be stopped by the IDP feature.
9. How often does ZyXEL update IDP signatures?
With ZSRT (ZyXEL Security Response Team) in place, ZyXEL releases an IDP signature package on a weekly basis to provide up-to-date protection for your valuable information assets and to prevent security breaches on the corporate network.
10. How do I keep the Content Filtering database updated?
All the ZyWALLs, including ZyWALL 1050, can query the external Content Filtering database on-the-fly without draining the system resources.
Another inherent benefit is that you don’t have to worry about the content filtering database being outdated. The queries between CF-enabled ZyWALL devices and the external database server take place dynamically and automatically in the background.
Alternatively, you can always manually maintain your own URL/keyword list on the ZyWALL to maximize the effectiveness of the Content Filtering feature.
11. What are the built-in services on ZyWALL 1050?
The ZyWALL 1050 integrates a range of built-in servers to provide rich network services to
the users, including DNS, WWW, SSH, telnet, ftp and SNMP.
The built-in services can be disabled anytime to suit your needs.
12. What should I do if I’d like to connect but separate more than 5
logical subnets using ZyWALL 1050?
Although there are only 5 physical Ethernet ports onboard, customers can extend the
port density through the use of IEEE 802.1Q VLAN. With up to 32 VLANs supported,
administrators can always extend the number of the logical networks managed by the
ZyWALL 1050. A VLAN-enabled switch, however, is required to fulfill this application.
13. How do I configure NAT on ZyWALL 1050 if I don’t see any NAT configuration screen in the Web configurator?
ZyWALL 1050 supports NAT, of course.
The NAT settings are integrated into:
1). Policy Route (ZyWALL 1050 > Configuration > Policy > Route > Policy
Route): you can configure SNAT on the policy route configuration screens.
We consider SNAT settings related to the setting of a policy route since
defining the source IP address is necessary in a policy route.
2). Virtual Server (ZyWALL 1050 > Configuration > Policy > Virtual Server): you can configure DNAT in a Virtual Server. A virtual server represents an IP address that does not physically exist; the user connects to it and reaches the physical server because the NAT gateway performs DNAT.
14. What is a Virtual Server?
The Virtual Server feature (ZyWALL 1050 > Configuration > Policy > Virtual Server) on the ZyWALL is used to configure 1:1 NAT (DNAT).
Virtual Servers are computers on a private network behind the ZyWALL that you want to make available outside the private network. If the ZyWALL has only one public IP address, you can make the computers in the private network available by using ports to forward packets to the appropriate private IP address. Through the use of a virtual server, a client computer can reach the intended destination by connecting to the virtual server IP, while the ZyWALL performs address and/or port translation between the client computer and the computer in the private network.
The similar function on ZyNOS-based fi rewalls is called “Port Forwarding”.
15. Can I use CLI commands to confi gure the device?
The ZyWALL 1050 supports full-feature CLI commands to provide nifty user experience
for “guru” administrators.
For the comprehensive CLI user guide, please refer to the “CLI Reference Guide”.
E. VPN Application
1. How many concurrent VPN tunnels does ZyWALL 1050 support?
The ZyWALL 1050 supports up to 1,000 VPN tunnels running simultaneously. For more
information about ZyWALL 1050’s VPN performance, please refer to the “Lab Test Report”
in this handbook.
2. What is a VPN Concentrator?
A VPN Concentrator combines several VPN connections into one secure network.
[Figure: hub-and-spoke VPN topology. The spoke sites London, Madrid, Paris, Hannover and Oslo each have a VPN connection to the central site in Amsterdam.]
For example, say there are VPN connections between each ZyWALL on the spoke sites
(London, Madrid, Paris, Hannover and Oslo in this case) and the ZyWALL, which uses the
VPN concentrator, on the hub site (Amsterdam).
The primary benefit of a VPN concentrator is that it reduces the number of VPN connections to be set up and maintained on a complex network.
3. Can I enforce security checks against traffic coming in through VPN tunnels?
Yes, you can. The ZyWALL 1050 deploys route-based VPN, whose tunnels are treated as interfaces by the system kernel. Security features can therefore be applied when traffic is forwarded through a specific interface.
In plain English, traffic coming in through VPN tunnels can be inspected by security features such as firewall, IDP, Content Filter and Bandwidth Management.
4. What is the ICSA VPN certification status of ZyWALL 1050?
ZyXEL is planning to apply for ICSA IPSec VPN certification for the ZyWALL 1050. The timeframe to be ICSA-certified will be 1H, 2007.
F. User-Aware Applications
1. What does “user-awareness” mean?
User-awareness provides better granularity than the IP- and port-based access control.
In some cases the client IP addresses are dynamic, and it is therefore quite difficult to define an access control policy based on those ever-changing criteria.
Another benefit of user-awareness is that it provides better accountability for auditing.
Altogether, the user-aware security features can help improve the security level on today’s corporate networks.
2. How to get authenticated?
Users must “authenticate” themselves before being permitted to access the network via the ZyWALL, provided that a user-aware access policy has been defined and enforced.
In this case, users must first connect to the ZyWALL before they can go anywhere else. The most widely accepted way to authenticate ZyWALL access is using a Web browser via the HTTP protocol. However, TELNET/SSH authentication is also supported on the ZyWALL.
After entering appropriate credentials, users are authenticated and cleared to access
resources according to their respective privileges.
3. What is “Force User Authentication”? Would it be bothersome?
The process of getting authenticated may be bothersome to some people, and the difficulty may become a roadblock to enforcing a user-aware access policy.
To make things easier, ZyWALL implements “Force User Authentication”, which simplifies the authentication process and allows user access without a repeated login process. Instead, users simply use a Web browser to point to the intended destination; the ZyWALL intercepts the connection attempt and triggers the authentication process.
Once the access credentials are verified, access privileges are granted.
If verification fails, the access attempt will be blocked.
Please note that Force User Authentication supports only the HTTP protocol.
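The intercept-and-redirect behaviour this answer describes, as an added Python model that is not ZyXEL's implementation: a gateway keeps a table of authenticated source addresses; an HTTP request from an unauthenticated address is answered with a redirect to the login page, any other protocol from that address is blocked, and after a login verified against a local user database the account's zone privileges decide each request. The user names, passwords, portal URL, zone names and session timeout are constructed for the example.

```python
"""Force User Authentication modelled as a small captive-portal style gateway.

Added illustration, not ZyXEL's implementation. It reproduces the behaviour the
FAQ describes: an unauthenticated user's HTTP request is intercepted and
redirected to the login page, other protocols from an unauthenticated source are
blocked, and a verified login grants the privileges attached to the account.
User names, passwords, the portal URL, zone names and the session timeout are
constructed for this example.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import time

LOGIN_URL = "https://zywall.example/login"  # hypothetical portal address


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _account(password: str, zones: set[str]) -> tuple[bytes, bytes, set[str]]:
    salt = os.urandom(16)  # per-user salt; only the derived hash is stored
    return salt, _derive(password, salt), zones


# Constructed local user database: name -> (salt, password hash, reachable zones).
USERS = {
    "alice": _account("alice-pass", {"LAN", "DMZ", "Internet"}),
    "guest": _account("guest-pass", {"Internet"}),
}


class Gateway:
    def __init__(self, session_timeout: int = 3600):
        self.sessions: dict[str, tuple[str, float]] = {}  # src_ip -> (user, expiry)
        self.timeout = session_timeout

    def login(self, src_ip: str, user: str, password: str, now: float | None = None) -> bool:
        """Verify credentials; on success bind the user to the source address."""
        now = time.time() if now is None else now
        record = USERS.get(user)
        if record is None:
            return False
        salt, stored, _ = record
        if not hmac.compare_digest(_derive(password, salt), stored):
            return False
        self.sessions[src_ip] = (user, now + self.timeout)
        return True

    def handle(self, src_ip: str, proto: str, dst_zone: str, now: float | None = None) -> str:
        """Decide what happens to a new connection from src_ip to dst_zone."""
        now = time.time() if now is None else now
        session = self.sessions.get(src_ip)
        if session is None or session[1] < now:
            self.sessions.pop(src_ip, None)
            # Force User Authentication only intercepts HTTP; anything else is
            # blocked until the user has logged in.
            return f"redirect {LOGIN_URL}" if proto == "http" else "block"
        user, _ = session
        return "allow" if dst_zone in USERS[user][2] else "block"


if __name__ == "__main__":
    gw = Gateway()
    print(gw.handle("10.0.0.5", "http", "Internet"))   # redirect to the portal
    print(gw.handle("10.0.0.5", "ssh", "DMZ"))         # block: not HTTP, not logged in
    print(gw.login("10.0.0.5", "alice", "alice-pass"))  # True
    print(gw.handle("10.0.0.5", "ssh", "DMZ"))         # allow: alice may reach DMZ
```

The session is keyed by source address because that is all the gateway can see before authentication; the expiry check on every request is what makes a forgotten login on a shared machine time out rather than stay open, and the model blocks non-HTTP traffic from unknown addresses because, as the answer notes, only HTTP can be intercepted and redirected.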
4. How do I manage user accounts on ZyWALL 1050?
The ZyWALL 1050 supports various methods for administrators to manage access credentials: a local user database and external user databases.
In terms of external user database, ZyWALL 1050 supports RADIUS, LDAP and Microsoft
AD. Microsoft AD is compatible with LDAP and has been widely deployed in many
organizations.
5. What are the user-aware features in ZyWALL 1050?
The user-aware security features on the ZyWALL 1050 are:
Policy Route
Firewall
Application Patrol
VPN
Content Filtering
With user-aware security features in place, organizations can achieve better access
granularity to improve both accessibility and security.
G. Application Patrol
1. What is Application Patrol?
Application Patrol is designed to provide a convenient way to effectively control the use of
common protocols/applications on today’s corporate networks.
It accurately identifies the application type by looking into the data payload at Layer-7 of a
packet, regardless of the port in use.
Beyond allowing/blocking a specific type of application based on a policy, Application
Patrol provides access granularity and traffic shaping capability for the
running applications.
As a result, it is a powerful feature to manage incoming/outgoing traffic from the applications’
viewpoint and to help administrators enforce corporate security policies.
2. Can I use Application Patrol feature to manage IM/P2P
applications?
Yes. Application Patrol supports some common IM/P2P applications including:
1). IM: MSN, AOL, ICQ, Yahoo Messenger and QQ (popular in China)
2). P2P: BitTorrent, eDonkey, FastTrack, Gnutella, Napster and SoulSeek
Access privileges can be granted according to access credential, type of application, access
time, as well as user origin and destination of the access attempt.
3. What applications does Application Patrol support?
The supported applications in Application Patrol can be categorized into:
1). General protocols — HTTP, FTP, SMTP, POP3 and IRC
2). IM — MSN, Yahoo Messenger, AOL-ICQ and QQ
3). P2P — BT, eDonkey, Fasttrack, Gnutella, Napster, H.323, SIP, SoulSeek
4). Streaming — RTSP (Real Time Streaming Protocol)
Please note that Application Patrol does not support custom protocols and/or
applications. Firmware upgrades are required for it to expand the supported application
types.
4. Is it possible to use Application Patrol to manage unsupported
applications?
No. However, with firmware upgrades it is possible for Application Patrol to support new
application types. ZyXEL will keep developing Application Patrol to support emerging
new applications to meet customer needs.
5. Do I have to pay additional fee for Application Patrol?
No, you don’t have to. The Application Patrol feature is totally free of charge.
H. Device High Availability
1. What’s the benefit to deploy device HA?
The major benefits to deploy the device HA are:
1). Minimized unplanned/planned downtime
2). System maintenance can be performed during business hours
3). Avoid losing customers/business/goodwill
2. What is the requirement for device HA in ZyWALL 1050?
1). You’ll need two ZyWALL 1050 devices to enable the device HA feature: one as the
master node and another as the backup node.
2). The firmware version must be identical on both nodes.
If you run device HA using ZyWALL 1050 units with different firmware versions, the automatic
synchronization mechanism will fail and unexpected behavior may occur. Please make
sure firmware of the same version is installed on both nodes in a device HA scenario.
3. Can device HA increase the throughput?
No, it can’t. With deployment of device HA, only one node is up and running at any given
time. As a result, the combined throughput will not increase.
4. Do I have to configure the device settings for the master node
and backup node separately because of the device HA scenario?
No, you don’t have to. Customers are not required to configure the device settings twice,
since the configuration files on the backup node can be automatically synchronized with
the master. This mechanism greatly reduces the configuration overhead in a device HA
scenario and ensures the consistency of the configuration settings/policies on both nodes.
The synchronization can be performed automatically or manually, depending on the
configuration setting.
Furthermore, the synchronization connection is encrypted to prevent eavesdropping.
5. What settings can be automatically synchronized from master
node to the backup node in a device HA scenario?
During synchronization, the master node sends the following information to the backup
node:
1). Startup configuration file (startup-config.conf)
2). IDP signatures
3). Certificates (My Certificates and Trusted Certificates)
6. Do both master and backup nodes share the same license key
used to subscribe IDP security service in a device HA scenario?
No, they don’t.
In a device HA scenario, the master node and backup node must apply separate IDP
license keys to make the IDP security feature work correctly.
This means that you need to purchase two IDP iCards, one for each node, in a device HA
scenario.
Please note: during the synchronization in device HA scenario, the backup node cannot
get IDP signature updates for the IDP security service that it has not subscribed to.
The same rule can be applied to the Content Filtering security service.
7. As the interface is inactive when a device is in Standby
mode, how could I perform operations that require Internet
connection, e.g. service activation?
There are two ways to perform operations requiring Internet connection when device is in
Standby mode:
1). Administrators can configure a Management IP on the backup node and use the
management IP to connect to the Internet.
2). Operations that require Internet access, such as service activation, can be done
before configuring the backup node into the “Standby” status.
8. Do I have to pay for the device HA feature?
No. The device HA feature is free of charge. However, you have to purchase the ZyWALL
1050 devices in pairs to take advantage of device HA.
9. Does ZyWALL 1050 support Active-Active mode?
No. In ZLD 1.00, device HA only supports Active-Passive mode.
Active-Active mode will be supported in the 2.00 release.
I. VoIP Security
1. What’s the VoIP compatible list of ZyWALLs?
SIP Client
1). ZyXEL P2002 (ATA)
2). ZyXEL P2002L (ATA)
3). ZyXEL P2302R (VoIP Gateway)
4). ZyXEL P2302RL (VoIP Gateway)
5). ZyXEL P2000W (IP phone)
6). Windows Messenger v5.0
SIP Server:
1). SIP Server: Openser v1.1
2). SIP Server: Asterisk v1.291
3). SIP Server: VOCAL v1.50
2. Is VoIP traffic secured by ZyWALL?
Yes. ZyWALL supports VoIP over IPSec, and it makes sure that VoIP is encrypted during
transmission.
3. Except for its own VoIP products, does ZyXEL plan to support
more VoIP devices?
Yes, ZyXEL is testing popular VoIP products and will soon support:
1). CISCO 2600 (VoIP Gateway)
2). CISCO 7900 (IP Phone)
3). CISCO ATA 186/188 (ATA)
4). SIPURA SPA-3000 (ATA)
J. Bandwidth Management
1. I don’t see the “Bandwidth Management” menu on the
Web configurator. Does ZyWALL 1050 support Bandwidth
Management?
Yes, ZyWALL 1050 provides more flexible ways to control network bandwidth with routing
and applications. You can find related Bandwidth Management configurations in two
places:
1). Policy Route
2). Application Patrol
2. What is the difference regarding the Bandwidth Management
feature between ZyNOS-based ZyWALL 2 Plus/5/35/70 and ZLD-
based ZyWALL 1050?
1). ZyNOS-based ZyWALL 2 Plus/5/35/70
ZyNOS BWM is based first on the interface (LAN/WAN/DMZ) and then on policy settings (IP/port or
a service such as FTP, SIP or H.323).
2). ZLD-based ZyWALL 1050
ZyWALL 1050 BWM has no interface limitation, since it is an application-oriented BWM.
You can manage bandwidth based on more applications (IM/P2P/HTTP/FTP...) or on
granular Policy Routes (User/IP/Port...).
3. How does Policy Route control bandwidth?
IP Policy Routing (IPPR) provides a mechanism to override the default routing behavior
and to alter packet forwarding based on the policy defined by the network administrator.
A policy defines the matching criteria, as well as the actions to take when a packet
meets them. The criteria may include username, source address and incoming interface,
destination address, schedule, IP protocol (ICMP, UDP, TCP, etc.) and the port used.
Organizations can allocate bandwidth to traffic matching the routing policy and priority
settings:
1). Specify the maximum bandwidth reserved for the route (in kbps).
2). Enter a number between 1 and 1024 to set the traffic priority.
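Both steps together, as an added example that is not ZyWALL code: a policy-route table whose routes carry the criteria above plus the two bandwidth settings, a first-match lookup, and a token-bucket shaper that holds each matched route to its reserved kbps. Field names, first-match evaluation order and the token bucket are assumptions about how such a table behaves; the sample routes and packets are constructed.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Added example, not ZyWALL code: a policy-route table matching packets on the
# criteria listed above and enforcing each route's reserved bandwidth with a
# token bucket.  Field names, "first match wins" order and the shaper are our
# assumptions about how such a table behaves, not the ZLD implementation.

@dataclass
class Packet:
    user: Optional[str]          # None when the sender is not authenticated
    src: str
    in_iface: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int]
    when: datetime
    size: int                    # bytes

@dataclass
class PolicyRoute:
    name: str
    max_kbps: int                        # maximum bandwidth reserved for the route
    priority: int                        # 1 (highest) to 1024 (lowest)
    users: Optional[frozenset] = None    # None in any criterion means "any"
    src_net: Optional[str] = None
    in_iface: Optional[str] = None
    dst_net: Optional[str] = None
    proto: Optional[str] = None
    dports: Optional[frozenset] = None
    schedule: Optional[tuple] = None     # (weekdays, start_hour, end_hour)

    def __post_init__(self):
        if not 1 <= self.priority <= 1024:
            raise ValueError(f"{self.name}: priority must be between 1 and 1024")
        if self.max_kbps <= 0:
            raise ValueError(f"{self.name}: reserved bandwidth must be positive")

    def matches(self, p: Packet) -> bool:
        def in_net(ip, net):
            return net is None or ipaddress.ip_address(ip) in ipaddress.ip_network(net)
        if self.users is not None and p.user not in self.users:
            return False
        if not (in_net(p.src, self.src_net) and in_net(p.dst, self.dst_net)):
            return False
        if (self.in_iface and p.in_iface != self.in_iface) or (self.proto and p.proto != self.proto):
            return False
        if self.dports is not None and p.dport not in self.dports:
            return False
        if self.schedule:
            days, start, end = self.schedule
            return p.when.weekday() in days and start <= p.when.hour < end
        return True

class TokenBucket:
    """Average rate capped at max_kbps; bucket depth is one second of traffic."""
    def __init__(self, kbps: int):
        self.rate = kbps * 1000 / 8            # bytes per second
        self.tokens, self.last = self.rate, 0.0

    def allow(self, size: int, now: float) -> bool:
        self.tokens = min(self.rate, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if size > self.tokens:
            return False
        self.tokens -= size
        return True

def first_match(routes, pkt):
    """Routes are evaluated top-down; the first match decides."""
    return next((r for r in routes if r.matches(pkt)), None)

def shape(routes, packets):
    """Run packets through the table; returns {route name: (passed, dropped)}."""
    buckets = {r.name: TokenBucket(r.max_kbps) for r in routes}
    stats = {r.name: [0, 0] for r in routes}
    for pkt in packets:
        route = first_match(routes, pkt)
        if route is not None:          # unmatched packets take the normal route, unshaped
            ok = buckets[route.name].allow(pkt.size, pkt.when.timestamp())
            stats[route.name][0 if ok else 1] += 1
    return {k: tuple(v) for k, v in stats.items()}

# Constructed sample table and packets (not from the handbook).
WEEKDAYS = frozenset(range(5))
ROUTES = [
    PolicyRoute("voip", max_kbps=512, priority=1, proto="udp", dports=frozenset({5060})),
    PolicyRoute("staff-web", max_kbps=2048, priority=10, users=frozenset({"alice", "bob"}),
                src_net="192.168.1.0/24", in_iface="lan1", proto="tcp",
                dports=frozenset({80, 443}), schedule=(WEEKDAYS, 9, 18)),
    PolicyRoute("catch-all", max_kbps=256, priority=1024),
]
MONDAY, SATURDAY = datetime(2006, 9, 4, 10, 0), datetime(2006, 9, 9, 10, 0)
SAMPLE = {
    "alice_web_monday": Packet("alice", "192.168.1.10", "lan1", "203.0.113.5", "tcp", 443, MONDAY, 1500),
    "alice_web_saturday": Packet("alice", "192.168.1.10", "lan1", "203.0.113.5", "tcp", 443, SATURDAY, 1500),
    "unauth_sip": Packet(None, "192.168.2.7", "lan2", "198.51.100.9", "udp", 5060, MONDAY, 200),
}

def demo():
    """Which route each sample packet hits, and how a 50-packet SIP burst is shaped."""
    matched = {k: first_match(ROUTES, p).name for k, p in SAMPLE.items()}
    burst = [Packet(None, "192.168.2.7", "lan2", "198.51.100.9", "udp", 5060, MONDAY, 1500)] * 50
    return matched, shape(ROUTES, burst)
```

Running `demo()` shows the schedule criterion in action (Alice's web traffic matches `staff-web` on a weekday and falls through to `catch-all` on Saturday) and the bandwidth reservation: a 512 kbps route holds 64,000 bytes of credit, so 42 of 50 back-to-back 1500-byte packets pass and the rest are dropped until the bucket refills.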
4. How does Application Patrol control bandwidth?
Application Patrol provides a convenient way to manage instant messenger (IM) and
peer-to-peer (P2P) applications running on the network. It can also be used to manage a
few general protocols (HTTP and FTP, for example), as well as the RTSP streaming protocol.
Administrators can enable Bandwidth Shaping to restrict the bandwidth each application
is allowed to use.
K. ZSDN-Related
1. What is ZSDN?
ZSDN (ZyXEL Security Distribution Network) is a set of portals providing easy-to-use and
always-on services designed for ZyXEL customers and resellers. ZSDN is composed of
myZyXEL.com, mySecurityZone, the Update Server and ZSRT.
You can access ZyXEL security portals on the following Web sites:
myZyXEL.com
http://www.myzyxel.com/myzyxel/
mySecurityZone
https://mysecurity.zyxel.com/mysecurity/
Currently the Update Server does not provide a publicly accessible Web site. It is only
accessible to registered ZyWALL devices with services activated.
2. Why do I have to register the service?
You have to register your purchased ZyWALL devices for the following reasons:
1). If you’d like to use ZyWALL’s free IDP or CF trial services, you’ll have to activate them
through ZyWALL’s Web configurator.
2). If you’ve purchased an iCard for a security service, e.g. IDP and CF, you must activate the
security service via the Web configurator.
3. What else can I do with the myZyXEL.com account?
1). Access to firmware and security service updates.
2). Receive update notifications about ZyWALL-related services, firmware, and products.
3). Manage (activate, change or delete) your ZyWALL security services online.
In summary, myZyXEL.com delivers a convenient, centralized way to register all your
ZyWALL security appliances and services. It eliminates the hassle of registering individual
ZyWALL appliances and upgrades, and streamlines the management of all your ZyWALL
security services.
Instead of registering each ZyWALL product individually, using myZyXEL.com allows you
to have a single user profile where you can manage all your product registration and
service activation.
4. After registration completes, what kind of information is stored
on myZyXEL.com server?
Your user profile is stored on myZyXEL.com after registration. User profile information
includes user name, password, email address, country and your registered products and
services.
5. What is mySecurityZone?
1). mySecurityZone is a free service portal accessible to everyone.
2). Anyone can browse the latest security news and updates from ZSRT (ZyXEL Security
Response Team), access free resources and subscribe to our free newsletter.
3). For those who have a registered ZyWALL and a myZyXEL.com account, you can log into
mySecurityZone (with the same myZyXEL.com account information) to view detailed
description of Anti-Virus+IDP policies and perform virus searches. In addition, you’ll
automatically receive our advisory newsletters with the latest security updates and
other valuable information.
In mySecurityZone you can:
1). Access all security resources and get free advisory newsletters.
2). Publish or share ZyWALL security information (such as Anti-Virus/IDP policy)
3). Search for all ZyWALL product information
6. What is the Update Server?
The Update Server is designed for security service subscribers to ensure the signature file
on their devices is up-to-date. This allows effective virus detection and threat prevention.
Your ZyWALL regularly checks for signature file updates and downloads signature files
from the Update Server.
The Update Server is hosted by ZyXEL to provide security protection with a 24x7
monitoring service. With dedicated IDCs (International Data Centers) in a globally distributed
architecture, we ensure top-notch Update Server service quality and zero downtime for
all security service subscribers.
7. Since keeping signatures updated is crucial, what has ZyXEL
done to ensure the Update Server availability to customers?
At ZyXEL, important steps are taken to ensure the availability of the Update Server. These
include the following:
1). Dedicated server rooms
We have deployed server farms in IDCs (International Data Centers) located in Taiwan and
Germany. The two IDCs are configured for redundancy and server load balancing to ensure
the maximum availability of our Update Server.
2). NOC-grade 24x7 monitoring
ZyXEL has created standard procedures and a dedicated team to monitor the status and
operation of the Update Server. This is to detect failures of any kind and fix them in the
shortest time possible so that system downtime is minimized. In addition, this helps
ZyXEL to ensure the SLA (Service Level Agreement) to our valued customers.
8. Do I have to pay for myZyXEL.com and mySecurityZone
services?
No. You can access the free resources on myZyXEL.com and mySecurityZone sites without
additional fees.
On myZyXEL.com, you need to purchase an iCard to register and activate security services
on your device.
For those with a registered ZyWALL and a myZyXEL.com account, you get the latest
security advisory and access to IDP signature information on mySecurityZone.
Chapter 6 ZyWALL Family Matrix

| Model Name | ZyWALL P1 | ZyWALL 2 Plus | ZyWALL 5 UTM | ZyWALL 35 UTM | ZyWALL 70 UTM | ZyWALL 1050 |
|---|---|---|---|---|---|---|
| System | | | | | | |
| Firewall Throughput | 50Mbps | 24Mbps | 60Mbps | 75Mbps | 100Mbps | 300Mbps |
| VPN Throughput (AES) | 30Mbps | 24Mbps | 30Mbps | 35Mbps | 45Mbps | 150Mbps |
| UTM Throughput (AV+IDP+Firewall) | 3Mbps | - | 12Mbps | 14Mbps | 18Mbps | 150Mbps*5 |
| Unlimited User Licenses | x | x | x | x | x | x |
| Sessions | 2,048 | 3,000 | 4,000 | 10,000 | 10,000 | 128,000 |
| Simultaneous VPN connections | 1 | 5 | 10 | 35 | 100 | 1,000 |
| Default Port | 1 x LAN, 1 x WAN | 4 x LAN, 1 x WAN | 4 x LAN/DMZ, 1 x WAN | 4 x LAN/DMZ, 2 x WAN | 1 x LAN, 4 x DMZ, 2 x WAN | 1 x LAN, 2 x DMZ, 2 x WAN |
| Customizable Zone | - | - | - | - | - | x |
| Networking | | | | | | |
| Routing/NAT/SUA Mode | x | x | x | x | x | x |
| Bridge Mode | x | - | x | x | x | x |
| Mix Mode (Routing+Bridge) | - | - | - | - | - | x |
| VLAN Tagging (802.1Q) | - | - | - | - | - | x |
| Security | | | | | | |
| Firewall (ICSA Certified) | x | x | x | x | x | x*1 |
| VPN (ICSA Certified) | x | x | x | x | x | x*1 |
| Content Filtering (Bluecoat) | - | x | x | x | x | x |
| Anti-SPAM (Mailshell) | - | - | x | x | x | x*1 |
| Anti-Virus (Kaspersky) | x | - | x | x | x | x*1 |
| IDS/IDP | x | - | x | x | x | x |
| IM/P2P | x | - | x | x | x | x |
| Bandwidth Management | - | - | x | x | x | x |
| User-aware Management | - | - | - | - | - | x |
| Model Name | ZyWALL P1 | ZyWALL 2 Plus | ZyWALL 5 UTM | ZyWALL 35 UTM | ZyWALL 70 UTM | ZyWALL 1050 |
|---|---|---|---|---|---|---|
| High Availability | | | | | | |
| Device HA | - | - | - | - | - | x |
| VPN HA | - | x | x | x | x | x |
| Multiple WANs for Load Balancing | - | - | - | x | x | x |
| Auto Fail-over, Fail-back | - | x | x | x | x | x |
| Dial Backup | - | x | x | x | x | x |
| User Database | | | | | | |
| Local database | x | x | x | x | x | x |
| Radius | x | x | x | x | x | x |
| LDAP | - | - | - | - | - | x |
| Microsoft AD | - | - | - | - | - | x |
| Management | | | | | | |
| WebGUI (HTTP and HTTPS) | x | x | x | x | x | x |
| Command Line | x | x | x | x | x | x |
| Vantage CNM | x | x | x*2 | x*2 | x*2 | x*3 |
| Vantage Report | x | x | x | x | x | x*4 |
| Ordering Info | | | | | | |
| Standard | 91-009-018001B | 91-009-029001B | 91-009-014011B | 91-009-010011B | 91-009-002009B | 91-009-020001B |
| US | 91-009-018002B | 91-009-029002B | 91-009-014014B | 91-009-010014B | 91-009-002012B | 91-009-020002B |
| UK | 91-009-018003B | 91-009-029003B | 91-009-014013B | 91-009-002013B | 91-009-002011B | 91-009-020003B |
| Australia | 91-009-018005B | 91-009-029004B | 91-009-014015B | 91-009-010017B | 91-009-002013B | 91-009-020004B |

*1: Future Release
*2: CNM 2.3 support
*3: CNM 3.0 support
*4: VRPT 3.0 support
*5: IDP+Firewall On
Chapter 7 Lab Test Report

1. Summary — Test Result

Firewall Throughput (NAT+Firewall), throughput in Mbits/sec:

| Packet Size*1 | ZyWALL P1 | ZyWALL 2 Plus | ZyWALL 5 UTM | ZyWALL 35 UTM | ZyWALL 70 UTM | ZyWALL 1050 |
|---|---|---|---|---|---|---|
| 64 | 3.03 | 3.69 | 3.42 | 4.22 | 6.42 | 41.67 |
| 512 | 19.17 | 23.52 | 21.70 | 27.88 | 43.18 | 293.23 |
| 1518 | 57.13 | 70.03 | 64.49 | 76.81 | 100.00 | 370.12 |
| IMIX*2 | 4.73 | 5.25 | 4.28 | 6.15 | 9.34 | 85.54 |
| New Session Rate*3 | 585.32 | 538.54 | 402 | 573.66 | 609.14 | 8038 |

Note: *1: Measured in bytes.
*2: Packet size ratio 64:512:1424 = 6:3:1. IMIX represents Internet mix traffic. This is a deterministic way of simulating real network traffic according to packet size usage. Some studies indicate that Internet traffic consists of fixed percentages of different packet sizes. IMIX traffic contains a mixture of packet sizes in a ratio to each other that approximates the overall makeup of packet sizes observed in real Internet traffic. Using IMIX traffic allows us to test the DUT under realistic conditions, as compared to single packet sizes tested sequentially.
*3: Pure routing performance without NAT and Firewall.
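The report's Mbit/s figures are easier to compare as packet rates, because a firewall's small-packet limit is a per-packet processing cost rather than a byte-rate one. The block below is an added example, not part of the lab report, that converts the first table's figures to packets per second and computes the mean size of the report's IMIX mix; it assumes the Mbit/s values count only the stated packet bytes (no preamble or inter-frame gap), which the report does not say.

```python
# Added example (not from the ZyXEL handbook): turn the lab report's throughput
# figures into forwarding rates in packets per second, and compute the average
# frame size of the IMIX mix (64:512:1424 = 6:3:1) the report uses.
# Assumption (ours, not the report's): the Mbit/s figures count only the bytes
# of the packet size stated in the table, with no preamble or inter-frame gap.

IMIX_RATIO = {64: 6, 512: 3, 1424: 1}

# Firewall throughput (NAT+Firewall) in Mbit/s, copied from the report's first table.
FIREWALL_MBPS = {
    "ZyWALL P1":     {64: 3.03,  512: 19.17,  1518: 57.13},
    "ZyWALL 2 Plus": {64: 3.69,  512: 23.52,  1518: 70.03},
    "ZyWALL 5 UTM":  {64: 3.42,  512: 21.70,  1518: 64.49},
    "ZyWALL 35 UTM": {64: 4.22,  512: 27.88,  1518: 76.81},
    "ZyWALL 70 UTM": {64: 6.42,  512: 43.18,  1518: 100.00},
    "ZyWALL 1050":   {64: 41.67, 512: 293.23, 1518: 370.12},
}

def imix_average_size(ratio=IMIX_RATIO):
    """Weighted mean packet size in bytes of an IMIX ratio like {64: 6, 512: 3, 1424: 1}."""
    total = sum(ratio.values())
    return sum(size * weight for size, weight in ratio.items()) / total

def packets_per_second(mbps, packet_bytes):
    """Forwarding rate implied by a throughput figure at a fixed packet size."""
    return mbps * 1_000_000 / (8 * packet_bytes)

def imix_mbps_to_pps(mbps, ratio=IMIX_RATIO):
    """Forwarding rate implied by an IMIX throughput figure."""
    return packets_per_second(mbps, imix_average_size(ratio))

def forwarding_rates(table=FIREWALL_MBPS):
    """Per model: pps at each packet size, plus the fraction of the 1518-byte
    throughput that survives when the packet size drops to 64 bytes."""
    out = {}
    for model, cols in table.items():
        pps = {size: packets_per_second(mbps, size) for size, mbps in cols.items()}
        out[model] = {"pps": pps, "small_packet_ratio": cols[64] / cols[1518]}
    return out

if __name__ == "__main__":
    print(f"IMIX average size: {imix_average_size():.1f} bytes")
    for model, r in forwarding_rates().items():
        print(f"{model:14s} 64B: {r['pps'][64]:>9,.0f} pps  1518B: {r['pps'][1518]:>8,.0f} pps  "
              f"64B/1518B throughput: {r['small_packet_ratio']:.2f}")
```

For the ZyWALL 1050 the numbers work out to roughly 81,000 pps at 64 bytes against 30,000 pps at 1518 bytes: the box moves almost three times as many packets per second on small frames yet reports only 11% of the throughput, which is the per-packet cost the IMIX row is there to expose.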
UTM Throughput (NAT+Firewall+UTM)

IDP, UDP traffic, throughput in Mbits/sec:

| Packet Size*1 | ZyWALL P1 | ZyWALL 2 Plus | ZyWALL 5 UTM | ZyWALL 35 UTM | ZyWALL 70 UTM | ZyWALL 1050 |
|---|---|---|---|---|---|---|
| 64 | 1.94 | N/A*3 | 1.56 | 1.56 | 2.34 | 45.00 |
| 512 | 3.93 | N/A*3 | 8.59 | 9.38 | 9.38 | 121.80 |
| 1518 | 4.57 | N/A*3 | 13.28 | 14.84 | 16.41 | 153.59 |
| IMIX*2 | 2.0 | N/A*3 | 3.0 | 4.0 | 5.0 | 61.33 |

Anti-Virus, HTTP traffic (1024k html file), throughput in Mbits/sec:

| Packet Size*1 | ZyWALL P1 | ZyWALL 2 Plus | ZyWALL 5 UTM | ZyWALL 35 UTM | ZyWALL 70 UTM | ZyWALL 1050 |
|---|---|---|---|---|---|---|
| 64 | 0.71 | N/A*3 | 0.67 | 0.71 | 0.85 | N/A*3 |
| 512 | 2.63 | N/A*3 | 6.81 | 7.76 | 8.37 | N/A*3 |
| 1460 | 3.31 | N/A*3 | 16.99 | 19.44 | 20.67 | N/A*3 |

IDP + Anti-Virus, HTTP traffic (1024k html file), throughput in Mbits/sec:

| Packet Size*1 | ZyWALL P1 | ZyWALL 2 Plus | ZyWALL 5 UTM | ZyWALL 35 UTM | ZyWALL 70 UTM | ZyWALL 1050 |
|---|---|---|---|---|---|---|
| 64 | 0.62 | N/A*3 | 0.55 | 0.59 | 0.69 | N/A*3 |
| 512 | 2.54 | N/A*3 | 5.31 | 5.87 | 6.37 | N/A*3 |
| 1460 | 3.19 | N/A*3 | 8.61 | 13.08 | 15.07 | N/A*3 |

Note: *1: Measured in bytes.
*2: UDP packet size ratio 64:512:1424 = 6:3:1 (IMIX, as described in the note to the first table).
*3: Not applicable (the product does not have this feature).
VPN Throughput (NAT enabled)

AES, throughput in Mbits/sec:

| Packet Size*1 | ZyWALL P1 | ZyWALL 2 Plus | ZyWALL 5 UTM | ZyWALL 35 UTM | ZyWALL 70 UTM | ZyWALL 1050 |
|---|---|---|---|---|---|---|
| 64 | 2.83 | 2.01 | 2.13 | 2.62 | 2.84 | 38.54 |
| 512 | 16.19 | 12.40 | 13.30 | 16.04 | 16.85 | 116.24 |
| 1424 | 36.81 | 30.46 | 31.78 | 37.60 | 45.99 | 153.73 |
| IMIX*2 | 10.09 | 8.12 | 11.76 | 14.48 | 13.58 | 93.98 |

AES+IDP, throughput in Mbits/sec:

| Packet Size*1 | ZyWALL P1 | ZyWALL 2 Plus | ZyWALL 5 UTM | ZyWALL 35 UTM | ZyWALL 70 UTM | ZyWALL 1050 |
|---|---|---|---|---|---|---|
| 64 | 1.71 | N/A*3 | 2.12 | 2.53 | 2.83 | 30.50 |
| 512 | 3.42 | N/A*3 | 11.05 | 12.78 | 13.88 | 80.64 |
| 1424 | 3.97 | N/A*3 | 19.78 | 23.39 | 24.79 | 122.21 |
| IMIX*2 | 3.4 | N/A*3 | 7.28 | 8.16 | 9.06 | 67.98 |

Note: *1: Measured in bytes.
*2: UDP packet size ratio 64:512:1424 = 6:3:1 (IMIX, as described in the note to the first table).
*3: Not applicable (the product does not have this feature).
2. Testing Scenario and Topology
• IXIA 1600T: Use ALM1000T8 card and STXS4 card (both support 10/100/1000)
• DUT: Device Under Test
• Remote Manager: Manage DUT
• Performance Test: Use IXIA Software (IxScriptMate, IxVPN, IxLoad)
[Topology diagram: Remote Manager, IXIA 1600T, DUT]

3. Equipment List

| Model Name | Firmware Version* | Profile |
|---|---|---|
| ZyWALL P1 | 4.01 (XJ.0) | b1 |
| ZyWALL 2 Plus | 4.01 (XU.0) | b1 |
| ZyWALL 5 UTM | 4.01 (XD.0) | b4 |
| ZyWALL 35 UTM | 4.01 (WZ.0) | b4 |
| ZyWALL 70 UTM | 4.01 (WM.0) | b4 |
| ZyWALL 1050 | 1.00 (XL.0) | |
Chapter 8 Glossary

3DES (Triple DES)
This is a stronger variant of DES (Data Encryption Standard). Triple DES is a widely-used
method of data encryption that applies three separate private (secret) 56-bit keys to each 64-
bit block of data. See also DES and AES.
A-end (IPSec)
This is the end of a VPN tunnel opposite the Z-end (see also Z-end).
AAA Server
Remote user authentication system. An AAA server handles the following tasks.
Authentication determines the identity of the users. Authorization determines the network
services available to authenticated users once they are connected to the network. Accounting
keeps track of the users’ network activity.
ACL (Access Control List)
Access control list refers to procedures and controls that limit or detect access. Access control
is used typically to control user access to network resources such as servers, directories,
and files.
ActiveX
ActiveX is the name Microsoft has given to a set of “strategic” object-oriented programming
technologies and tools. ActiveX is Microsoft’s answer to the Java technology from Sun
Microsystems. An ActiveX control is roughly equivalent to a Java applet.
Adware
A software application that can display advertising banners while the program is running or
via some other triggering mechanism. See also Spyware.
AES (Advanced Encryption Standard)
Advanced Encryption Standard is method of data encryption that uses a secret key. AES may
use a 128-bit, 192-bit or 256-bit key. AES is faster than 3DES. See also DES and 3DES.
AH (Authentication Header)
See ESP/AH
Application Layer Gateway (ALG)
An Application Layer Gateway (ALG) is a device that manages a specific protocol (such as SIP,
H.323 or FTP) at the application layer.
ASIC (Application Specific Integrated Circuit)
This is a chip engineered for a particular use or function.
Authentication
Authentication ensures that digital data transmissions are delivered to the intended receiver.
Authentication also assures the receiver of the integrity of the message and its source
(where or whom it came from). The simplest form of authentication requires a user name
and password to gain access to a particular account. Authentication protocols can also be
based on secret-key encryption, such as DES or 3DES, or on public-key systems using digital
signatures.
AV (Anti-Virus) Scanning
A mechanism for detecting and blocking viruses in File Transfer Protocol (FTP), Internet
Message Access Protocol (IMAP), Simple Mail Transfer Protocol (SMTP), Hypertext Transfer
Protocol (HTTP) — including HTTP webmail — and Post Office Protocol version 3 (POP3)
traffic. ZyWALL UTM integrates an Anti-Virus solution.
Backbone
In OSPF, the backbone is the transit area to route packets between two areas. The backbone is
also known as area 0.
Backdoor
A backdoor (also called a trapdoor) is hidden software or a hardware mechanism that can be
triggered to gain access to a program, online service or an entire system.
BackOrifice
BackOrifice is a remote administration tool that allows a user to control a computer across a
TCP/IP connection using a simple console or GUI application.
Bandwidth Control
Bandwidth control means defining a maximum allowable bandwidth for traffic flows from
specified source(s) to specified destination(s). See also Bandwidth Management.
Bandwidth Management
Bandwidth management allows you to allocate bandwidth at an interface according to
defined policies.
Binary PKCS#7
Binary PKCS#7 is a standard that defines the general syntax for data (including digital
signatures) that may be encrypted.
Binary X.509
Binary X.509 is an ITU-T recommendation that defines the formats for X.509 certificates.
BitTorrent
BitTorrent is a peer-to-peer (P2P) application and also a file sharing protocol.
Bridge
A device that forwards traffic between network segments based on data link layer
information. These segments share a common network layer address space.
Brute Force Hacking
A technique used to find passwords or encryption keys. Brute Force Hacking involves trying
every possible combination of letters, numbers, etc., until the code is broken.
Brute-Force Password Guessing Protection
This is a protection mechanism to discourage brute-force password guessing attacks on a
device’s management interface. A wait-time must expire before entering the nth password
after n-1 incorrect passwords have been entered.
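As an added example (not the ZyWALL's implementation), a login guard for a management interface that applies this rule: after n-1 wrong passwords (here n-1 = 2) the guard refuses every further attempt, correct or not, until the wait-time has expired. Keying the counter on (source address, user name), the default thresholds and the salted PBKDF2 credential storage are assumptions; the handbook only describes the wait-time behaviour.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Added example, not the ZyWALL's own code: a login guard for a management
# interface implementing the wait-time rule above.  Once n-1 wrong passwords
# have been entered for an account from one source, no further attempt from that
# source is even checked until the wait-time has expired.  Keying the counter on
# (source address, user name) and the default thresholds are our assumptions.

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2 so the guard never stores or compares plaintext passwords."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class LoginGuard:
    def __init__(self, users: Dict[str, str], max_failures: int = 2, wait_seconds: float = 60.0):
        # users maps name -> password (constructed sample data); only hashes are kept.
        self._creds = {name: hash_password(pw) for name, pw in users.items()}
        self.max_failures = max_failures      # the handbook's n-1
        self.wait_seconds = wait_seconds
        self._state: Dict[Tuple[str, str], Tuple[int, float]] = {}  # key -> (failures, wait_until)

    def login(self, source: str, user: str, password: str, now: float) -> str:
        key = (source, user)
        failures, wait_until = self._state.get(key, (0, 0.0))
        if now < wait_until:
            return "wait"            # refused outright; the password is not examined
        # Unknown users get a dummy hash so response time does not reveal valid names.
        salt, expected = self._creds.get(user, (bytes(16), bytes(32)))
        _, candidate = hash_password(password, salt)
        if user in self._creds and hmac.compare_digest(candidate, expected):
            self._state.pop(key, None)    # success clears the failure history
            return "ok"
        failures += 1
        if failures >= self.max_failures:
            # n-1 incorrect passwords entered: start the wait-time before the n-th attempt
            self._state[key] = (failures, now + self.wait_seconds)
            return "locked"
        self._state[key] = (failures, 0.0)
        return "denied"

    def remaining_wait(self, source: str, user: str, now: float) -> float:
        """Seconds the caller must still wait; 0.0 when attempts are accepted."""
        _, wait_until = self._state.get((source, user), (0, 0.0))
        return max(0.0, wait_until - now)

if __name__ == "__main__":
    guard = LoginGuard({"admin": "s3cret!"})
    for t, pw in ((0.0, "wrong"), (1.0, "wrong"), (2.0, "s3cret!"), (61.0, "s3cret!")):
        print(t, guard.login("10.0.0.5", "admin", pw, t))
```

Because the failure count is kept after a lock, every further wrong password after the wait triggers another wait-time, so an automated guesser is slowed to one guess per interval while a legitimate administrator who types the right password once is back to normal. The per-source key means a guesser cannot lock out the administrator's own workstation from elsewhere; whether that trade-off suits a given device is a policy choice.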
Buffer Overflow
A buffer overflow occurs when a program or process tries to store more data in a buffer
(temporary data storage area) than it was intended to hold. The excess information can
overflow into adjacent buffers, corrupting or overwriting the valid data held in them. Intruders
could run code in the overflowed buffer region to obtain control of the system, install a
backdoor or use the compromised device to launch attacks on other devices.
CA
A Certification Authority (CA) issues certificates and guarantees the identity of each certificate
owner.
Certificates
Certificates (also called digital IDs) can be used to authenticate users. Certificates are based on
public-private key pairs. They provide a way to exchange public keys for use in authentication.
CF (Content Filtering)
Content filtering restricts or blocks access to certain web features or content from web pages.
CHAP
Challenge Handshake Authentication Protocol is an alternative protocol that avoids sending
passwords over the wire by using a challenge/response technique.
Classifier
In computer networking, a classifier groups traffic based on specific criteria such as the IP
address, port or protocol, etc.
CLI
In this interface, you can use line commands to configure the device or perform advanced
device diagnostics and troubleshooting.
CNM
Vantage Centralized Network Management is a software suite that allows you to manage
many geographically dispersed ZyXEL devices from one location.
Community
This is the SNMP equivalent of a password.
Console
This is a device (usually a computer) that you use to manage a networking device via a serial
port (RS232) connection.
Cookie
A string of characters saved by a web browser on the user’s hard disk.
Data Integrity
The IPSec receiver can validate packets sent by the IPSec sender to ensure that the data has
not been altered during transmission.
DDNS (Dynamic Domain Name System)
With Dynamic DNS support, you can have a static hostname alias for a dynamic IP address,
allowing the host to be more easily accessible from various locations on the Internet. You
must register for this service with a Dynamic DNS service provider to use this service.
DDoS (Distributed Denial of Service)
A DDoS attack is one in which multiple compromised systems attack a single target, thereby
causing denial of service for users of the targeted system. See also DoS.
Decryption
Decryption is the process of taking encrypted data and decoding it so that it becomes
readable. See also Encryption, Cipher, Plaintext, Ciphertext.
DES (Data Encryption Standard)
A 40- and 56-bit encryption algorithm that was developed by the National Institute of
Standards and Technology (NIST). DES is a block encryption method originally developed by
IBM. It has since been certified by the U.S. government for transmission of any data that is not
classified top secret. DES uses an algorithm for private-key encryption. The key consists of 64
bits of data, which are transformed and combined with the first 64 bits of the message to be
sent. Although DES is fairly weak, with only one iteration, repeating it using slightly different
keys can provide excellent security. See also 3DES and AES.
DH
Diffie-Hellman is a public-key cryptography protocol that allows two parties to establish a
shared secret over an unsecured communications channel. Diffie-Hellman is used within IKE
SA setup to establish session keys.
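The exchange in that definition, written out as an added example (not ZyXEL code) with both parties' steps: each side publishes g^x mod p, raises the peer's value to its own private exponent, and both arrive at the same secret, from which a session key is derived. p=23, g=5 is the usual textbook toy group; real IKE uses standardized MODP groups (RFC 2409 and RFC 3526) with primes of 1024 bits and more, and its key derivation is PRF-based rather than the plain SHA-256 over secret and nonces used here.

```python
import hashlib
import secrets

# Added example, not ZyXEL code: the Diffie-Hellman exchange that IKE phase 1
# relies on, written out with both parties' steps.  p=23, g=5 is a toy group for
# readability; IKE uses standardized MODP groups (RFC 2409 / RFC 3526) whose primes
# are 1024 bits and longer.  The nonce mixing below is a simplified stand-in for
# IKE's PRF-based key derivation, not the real SKEYID formula.

TOY_P, TOY_G = 23, 5   # toy parameters, far too small for real use

def is_valid_public(value: int, p: int) -> bool:
    """Reject 0, 1 and p-1: those force the shared secret into a trivial value."""
    return 1 < value < p - 1

def dh_public(private: int, p: int = TOY_P, g: int = TOY_G) -> int:
    """Public value g^private mod p; this is what crosses the untrusted channel."""
    return pow(g, private, p)

def dh_shared(peer_public: int, private: int, p: int = TOY_P) -> int:
    """Shared secret peer_public^private mod p; both sides obtain the same number."""
    if not is_valid_public(peer_public, p):
        raise ValueError("peer public value outside (1, p-1)")
    return pow(peer_public, private, p)

def session_key(shared: int, p: int = TOY_P, nonce_i: bytes = b"", nonce_r: bytes = b"") -> bytes:
    """Fixed-length key from the shared secret and both nonces (simplified KDF)."""
    width = (p.bit_length() + 7) // 8
    return hashlib.sha256(shared.to_bytes(width, "big") + nonce_i + nonce_r).digest()

def run_exchange(p: int = TOY_P, g: int = TOY_G):
    """Initiator and responder side by side; returns the two derived keys."""
    while True:  # redraw if a private value produced a public value we would reject
        a, b = secrets.randbelow(p - 2) + 1, secrets.randbelow(p - 2) + 1
        pub_a, pub_b = dh_public(a, p, g), dh_public(b, p, g)
        if is_valid_public(pub_a, p) and is_valid_public(pub_b, p):
            break
    nonce_i, nonce_r = secrets.token_bytes(16), secrets.token_bytes(16)
    key_i = session_key(dh_shared(pub_b, a, p), p, nonce_i, nonce_r)   # initiator side
    key_r = session_key(dh_shared(pub_a, b, p), p, nonce_i, nonce_r)   # responder side
    return key_i, key_r

if __name__ == "__main__":
    k_i, k_r = run_exchange()
    print("keys match:", k_i == k_r, k_i.hex())
```

With private exponents 6 and 15 the public values are 8 and 19 and both sides compute the secret 2; an eavesdropper sees only p, g, 8 and 19. The public-value check matters in practice: accepting 0, 1 or p-1 from a peer lets that peer force the secret into a known value.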
DHCP (Dynamic Host Configuration Protocol)
A method for automatically assigning IP addresses to hosts on a network. Depending upon
the specific device model, ZyWALL devices can allocate dynamic IP addresses to hosts, receive
dynamically assigned IP addresses, or receive DHCP information from a DHCP server and relay
the information to hosts.
DHCP Relay
Dynamic Host Configuration Protocol Relay is a function that allows DHCP data to be
forwarded between the computer that requests the IP address and the DHCP server.
Dial Backup
Dial backup is an auxiliary WAN connection that you can use if your primary WAN link goes
down.
DMZ (Demilitarized Zone)
From the military term for an area between two opponents where fighting is prevented. DMZ
Ethernets connect networks and computers controlled by different bodies. They may be
external or internal. External DMZ Ethernets link regional networks with routers.
DNAT
DNAT (Destination NAT) is used to change the destination IP address in a packet.
DNS (Domain Name System)
Domain Name System links names to IP addresses. When you access Web sites on the Internet
you can type the IP address of the site or the DNS name.
DoS (Denial of Service)
Act of preventing customers, users, clients or other computers from accessing data on a
computer. This is usually accomplished by interrupting or overwhelming the computer with
bad or excessive information requests.
Dynamic DNS
With Dynamic DNS support, you can have a static hostname alias for a dynamic IP address,
allowing the host to be more easily accessible from various locations on the Internet. You
must register for this service with a Dynamic DNS service provider to use this service.
Encryption
Encryption is the process of changing data into a form that can be read only by the intended
receiver. To decipher the message, the receiver of the encrypted data must have the proper
decryption key.
In traditional encryption schemes, the sender and the receiver use the same key to encrypt
and decrypt data. Public-key encryption schemes use two keys:
a public key, which anyone may use, and a corresponding private key, which is possessed only
by the person who created it. With this method, anyone may send a message encrypted with
the owner’s public key, but only the owner has the private key necessary to decrypt it. DES
(Data Encryption Standard) and 3DES (Triple DES) are two of the most popular public-key
encryption schemes.
ESP/AH
The IP level security protocols, AH and ESP, were originally proposed by the Network Working
Group focused on IP security mechanisms, IPSec. The term IPSec is used loosely here to refer
to packets, keys, and routes that are associated with these protocols. The IP Authentication
Header (AH) protocol provides authentication. The Encapsulating Security Protocol (ESP)
provides both authentication and encryption.
Ethernet
A local area network technology invented at the Xerox Corporation, Palo Alto Research Center.
Ethernet is a best-effort delivery system that uses CSMA/CD technology. Ethernet can be run
over a variety of cable schemes, including thick coaxial, thin coaxial, twisted pair, and fiber
optic cable. Ethernet is a standard for connecting computers into a local area network (LAN).
The most common form of Ethernet is called 10BaseT, which denotes a peak transmission
speed of 10 Mbps using copper twisted-pair cable.
Extranet
The connecting of two or more intranets. An intranet is an internal Web site that allows
users inside a company to communicate and exchange information. An extranet connects
that virtual space with the intranet of another company, thus allowing these two (or more)
companies to share resources and communicate over the Internet in their own virtual space.
This technology greatly enhances business-to-business communications.
Firewall
A device that protects and controls the connection of one network to another, for traffic both
entering and leaving. Firewalls are used by companies that want to protect any network-
connected server from damage (intentional or otherwise) by those who log in to it. This could
be a dedicated computer equipped with security measures or it could be a software-based
protection.
Gateway
Also called a router, a gateway is a program or a special-purpose device that transfers IP
datagrams from one network to another until the final destination is reached.
ICMP (Internet Control Message Protocol)
Occasionally a gateway or destination host uses ICMP to communicate with a source host,
for example, to report an error in datagram processing. ICMP uses the basic support of IP as
if it were a higher level protocol, however, ICMP is actually an integral part of IP, and must be
implemented by every IP module.
IDP (Intrusion Detection and Prevention)
An IDP system inspects traffic for known attack signatures or anomalous behavior and can respond,
for example by logging, alerting, or dropping the offending packets. The ability to block traffic
inline is what distinguishes IDP from a detection-only IDS.
IEEE 802.1Q
IEEE 802.1Q was a project in the IEEE 802 standards process to develop a mechanism that lets
multiple bridged networks transparently share the same physical network link without leakage of
information between networks (i.e. trunking). IEEE 802.1Q is also the name of the standard issued
by this process and, in common usage, of the encapsulation it defines for Ethernet: a 4-byte tag
inserted after the source MAC address that carries a 3-bit priority field and a 12-bit VLAN
identifier (VID), giving 4094 usable VLANs. See also VLAN.
IGP (Interior Gateway Protocol)
An IGP is a protocol for exchanging routing information between routers within an autonomous
system (for example, a company's interconnected local area networks). The routing information is
used to build the routing tables that the Internet Protocol (IP) uses to forward transmissions.
RIP and OSPF are IGPs.
IKE (Internet Key Exchange)
Internet Key Exchange (RFC 2409 for IKEv1) is a two-phase security negotiation and key-management
protocol for IPSec. Phase 1 authenticates the peers (by pre-shared key or certificates), performs a
Diffie-Hellman exchange, and establishes a protected IKE SA. Phase 2 (Quick Mode) uses that SA to
negotiate the IPSec SAs that actually protect traffic, optionally with a fresh Diffie-Hellman
exchange when Perfect Forward Secrecy is enabled.
IM (Instant Messaging)
IM refers to chat applications. Chat is real-time, text-based communication between two or
more users via networked-connected devices.
Ingress
Ingress is the act of entering something. An ingress port is an incoming port, that is, the port
that a data packet enters from another port. An ingress router is a router through which a
data packet enters a network from another network.
Internet
(Upper case “I”). The vast collection of inter-connected networks that use TCP/IP protocols
evolved from the ARPANET (Advanced Research Projects Agency Network) of the late 1960’s
and early 1970’s.
Intranet
A play on the word Internet, an intranet is a restricted-access network that works like the Web,
but isn't on it. Usually owned and managed by a corporation, an intranet enables a company
to share its resources with its employees without confidential information being made
available to everyone with Internet access.
IP (Internet Protocol)
An Internet standard protocol that defines a basic unit of data called a datagram. A datagram
is used in a connectionless, best-effort delivery system. The Internet Protocol defines how
information gets passed between systems across the Internet.
IP Multicast
Traditionally, IP packets are transmitted in one of either two ways - Unicast (one sender to one
recipient) or Broadcast (one sender to everybody on the network). IP Multicast is a third way
to deliver IP packets to a group of hosts on the network — not everybody.
IPSec (IP Security)
Security standard produced by the Internet Engineering Task Force (IETF). It is a protocol suite
that provides what is needed for secure communications — authentication, integrity, and
confidentiality — and makes key exchange practical even in larger networks. See also ESP/AH.
ISAKMP
The Internet Security Association and Key Management Protocol (ISAKMP, RFC 2408) provides a
framework for Internet key management and the specific protocol support for negotiating security
attributes. By itself it does not establish session keys; it is combined with a key-establishment
protocol to provide a complete solution. IKE is the ISAKMP-based protocol used for IPSec.
Java
Java is a programming language expressly designed for use in the distributed environment of
the Internet. It was designed to have the “look and feel” of the C++ language, but it is simpler
to use than C++ and enforces an object-oriented programming model.
LAN (Local Area Network)
Any network technology that interconnects resources within an office environment, usually at
high speeds, such as Ethernet. A local area network is a short-distance network used to link a
group of computers together within a building. LANs are typically limited to distances of less
than 1,640 feet (500 meters) and provide low-cost, high-bandwidth networking capabilities
within a small geographical area.
Load Balancing
Load balancing is the process of dividing traffic loads among interfaces (or ports). This
improves quality of service and maximizes bandwidth utilization.
MAC Address (Media Access Control Address)
An address that uniquely identifies a network interface, such as an Ethernet adapter. For
Ethernet, the MAC address is 6 octets long: the IEEE assigns the first three octets (the
Organizationally Unique Identifier, OUI) to the manufacturer, which assigns the remaining three.
On a LAN the MAC address is the host's hardware address (on an Ethernet LAN it is the same as the
Ethernet address). When a host communicates over IP, a correspondence table built by ARP relates
each IP address to the physical (MAC) address on the LAN. The MAC address is used by the Media
Access Control sublayer of the data-link layer; there is a different MAC sublayer for each physical
medium type. Because most adapters let software override the factory address, MAC addresses can be
spoofed and should not be relied on by themselves for authentication.
MD5
Message Digest 5 (RFC 1321), a hash algorithm that produces a 128-bit message digest. In IPSec it
is used as HMAC-MD5-96 (RFC 2403): the keyed HMAC output is truncated to 96 bits and used to
authenticate packet data. MD5 is no longer collision resistant and must not be used for signatures
or certificates; HMAC-MD5 is not broken by the collision attacks but is deprecated in favor of
HMAC-SHA-256 and stronger. See also SHA-1.
Metric
A value associated with a route that the virtual router uses to select the active route when
there are multiple routes to the same destination network with the same preference value.
The metric value for connected routes is always 0. The default metric value for static routes is
1, but you can specify a different value when defining a static route.
NAT (Network Address Translation)
The rewriting of IP addresses (and usually port numbers) in packet headers as packets pass through
the device. Most commonly the source IP address of outbound packets is translated to an address
from a dynamic IP address pool or to the IP address of the egress interface, so that many private
hosts can share a few public addresses. See also SNAT.
NAT-T (NAT-Traversal)
A method for allowing IPSec traffic to pass through NAT devices along the data path of a VPN
by adding a layer of UDP encapsulation. The peers first detect NAT devices during the Phase 1
IKE exchange by exchanging NAT-Discovery payloads (RFC 3947), and after Phase 2 completes they
carry ESP inside UDP on port 4500 (RFC 3948), which a NAT device can translate like any other UDP
flow.
Netmask
A netmask indicates which part of an IP address identifies the network and which part identifies
the host. For example, the IP address and netmask 10.20.30.1 255.255.255.0 (or 10.20.30.1/24)
describe the host 10.20.30.1 on the 10.20.30.0/24 subnet, which contains 254 usable host addresses
(10.20.30.1 through 10.20.30.254). The IP address and netmask 10.20.30.1 255.255.255.255 (or
10.20.30.1/32) refers to a single host. In a firewall rule or route entry, a /24 therefore matches
every host on the subnet while a /32 matches only that one host. See also Subnet Mask.
OSPF
OSPF is a link-state protocol designed to distribute routing information within an
autonomous system (AS).
P2P (Peer-to-Peer)
Peer-to-Peer (P2P) is where devices link to each other without an intermediary and either
device can initiate communications.
Phishing
Phishing is a social-engineering attack in which the attacker impersonates a trusted brand or
organization, typically with a forged e-mail and a look-alike web site, to lure the victim into
revealing credentials or other sensitive information. It exploits the human tendency to trust a
familiar brand name.
PKI (Public Key Infrastructure)
PKI is the framework of servers (certification and registration authorities), software, procedures
and policies that issues, distributes, validates and revokes public-key certificates and manages
the keys they bind to identities. See also X.509.
Policy Routing
Traditionally, routing is based on the destination address only and the router takes the
shortest path to forward a packet. IP Policy Routing (IPPR) provides a mechanism to override
the default routing behavior and forward the packet based on the policy defined by the
network administrator.
PPPoE (Point-to-Point Protocol over Ethernet)
Allows multiple users at a site to share the same digital subscriber line, cable modem, or
wireless connection to the Internet. You can configure PPPoE client instances, including the
user name and password, on any or all interfaces on some ZyWALL devices.
Proxy
Proxy or proxy server is a technique used to cache information on a Web server and act
as an intermediary between a Web client and that Web server. It basically holds the most
commonly and recently used content from the World Wide Web for users in order to provide
quicker access and to increase server security.
QoS (Quality of Service)
Quality of Service refers to both a network’s ability to deliver data with minimum delay, and
the networking methods used to provide bandwidth for real-time multimedia applications.
RIP (Routing Information Protocol)
An interior or intra-domain routing protocol that uses distance-vector routing algorithms.
RIP is used on the Internet and is common in the NetWare environment as a method for
exchanging routing information between routers.
Rootkit
A rootkit is a set of tools an intruder installs after compromising a computer system. The tools
help the attacker keep access to the system and use it for malicious purposes, typically by
hiding the attacker's processes, files and network connections from the administrator and from
security software.
Router
A device that forwards packets between networks according to a routing table, toward
destinations inside or outside the local routing domain. Routers can also act as filters,
permitting only authorized traffic into the local network so that private information remains
secure. In addition, routers handle errors (for example by returning ICMP messages), keep
network usage statistics, and enforce access policies.
SA (Security Association)
An SA is a unidirectional agreement between the VPN participants regarding the
methods and parameters to use in securing a communication channel. For bidirectional
communication, there must be at least two SAs, one for each direction. The VPN participants
negotiate and agree to Phase 1 and Phase 2 SAs during an AutoKey IKE negotiation. See also
SPI.
SGMP
A proprietary protocol implemented in ZyXEL products for communication between devices and a
centralized management station.
SHA-1
Secure Hash Algorithm 1, an algorithm that produces a 160-bit hash from a message of arbitrary
length. In IPSec it is used as HMAC-SHA-1-96 (RFC 2404). Its larger digest made it preferable to
MD5, but practical collision attacks on SHA-1 have since been demonstrated (2017), so it should not
be used for signatures or certificates; SHA-256 or stronger is recommended for new configurations.
HMAC-SHA-1 remains acceptable for packet authentication but is also being phased out. See also MD5.
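The truncated HMACs named in the MD5 and SHA-1 entries (HMAC-MD5-96, RFC 2403; HMAC-SHA-1-96, RFC 2404) are the integrity check values that authenticate AH and ESP packets. The following is an added example, not code from the handbook or from ZyXEL: it computes the 96-bit ICV, verifies it in constant time, and shows that flipping one bit of the protected sequence number is detected. The key and the ciphertext placeholder are constructed for the example; the ESP layout assumed is SPI | sequence number | ciphertext | ICV.

```python
"""HMAC-MD5-96 (RFC 2403) and HMAC-SHA-1-96 (RFC 2404): the keyed HMAC is computed over the
protected data and truncated to its first 96 bits (12 octets), giving the AH/ESP ICV."""
import hashlib
import hmac

ICV_LEN = 12  # 96 bits

# RFC 2403 fixes the HMAC-MD5-96 key at 128 bits, RFC 2404 the HMAC-SHA-1-96 key at 160 bits.
ALGS = {
    "HMAC-MD5-96": (hashlib.md5, 16),
    "HMAC-SHA1-96": (hashlib.sha1, 20),
}


def compute_icv(alg, key, data):
    digest, key_len = ALGS[alg]
    if len(key) != key_len:
        raise ValueError(f"{alg} requires a {key_len * 8}-bit key")
    return hmac.new(key, data, digest).digest()[:ICV_LEN]


def verify_icv(alg, key, data, icv):
    # Constant-time comparison: never compare MACs with == on attacker-controlled input.
    return hmac.compare_digest(compute_icv(alg, key, data), icv)


def protect_esp(alg, key, spi, seq, ciphertext):
    """Build SPI | seq | ciphertext | ICV. The ICV covers everything before it, so the SPI
    and the anti-replay sequence number are protected as well as the ciphertext."""
    body = spi.to_bytes(4, "big") + seq.to_bytes(4, "big") + ciphertext
    return body + compute_icv(alg, key, body)


def authenticate_esp(alg, key, esp_packet):
    """Verify the ICV at the end of an ESP packet; reject packets too short to hold one."""
    if len(esp_packet) < 8 + ICV_LEN:
        return False
    data, icv = esp_packet[:-ICV_LEN], esp_packet[-ICV_LEN:]
    return verify_icv(alg, key, data, icv)


def flip_bit(pkt, offset):
    """Copy of pkt with one bit changed at offset, to show that tampering is detected."""
    b = bytearray(pkt)
    b[offset] ^= 0x01
    return bytes(b)


# Constructed example keys (hypothetical) and a placeholder ciphertext.
MD5_KEY = bytes.fromhex("0b" * 16)
SHA1_KEY = bytes.fromhex("0b" * 20)
SAMPLE_PKT = protect_esp("HMAC-MD5-96", MD5_KEY, 0x1234, 42, b"ciphertext-placeholder")

if __name__ == "__main__":
    print("valid:   ", authenticate_esp("HMAC-MD5-96", MD5_KEY, SAMPLE_PKT))
    print("tampered:", authenticate_esp("HMAC-MD5-96", MD5_KEY, flip_bit(SAMPLE_PKT, 7)))
```

The truncation is the only thing that makes these "-96" variants differ from plain HMAC; the RFC 2202 test vectors for HMAC-MD5 and HMAC-SHA-1 therefore apply to the first 12 bytes of the output, which is a convenient known-answer check for any implementation.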
SIP (Session Initiation Protocol)
SIP is an IETF (Internet Engineering Task Force)-standard protocol for initiating, modifying, and
terminating multimedia sessions over the Internet. Such sessions might include conferencing,
telephony, or multimedia, with features such as instant messaging and application-level
mobility in network environments.
SNAT
SNAT (Source NAT) is used to change the source IP address in a packet.
SNMP
SNMP (Simple Network Management Protocol) is the standard management protocol defined by the
Internet community for TCP/IP networks. It is a communication protocol for collecting information
from, and configuring, devices on the network. SNMPv1 and v2c authenticate only with a cleartext
community string, so SNMP access should be restricted to trusted management addresses and SNMPv3
(authentication and encryption) used where available.
Spam
Spam is unsolicited “junk” e-mail sent to large numbers of people to promote products or
services.
Spyware
A general term for a program that surreptitiously monitors your actions. While they are
sometimes sinister, like a remote control program used by a hacker, software companies have
been known to use Spyware to gather data about customers. See also Adware.
SPI (Security Parameters Index)
A 32-bit value carried in every AH and ESP header that distinguishes different SAs terminating at
the same destination and using the same IPSec protocol. This allows many SAs to be multiplexed to a
single gateway: the SPI, together with the destination IP address and the security protocol (AH or
ESP), uniquely identifies a particular Security Association, and the receiver uses that triple to
find the keys and algorithms for the packet. See also SA.
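The lookup described in the ESP/AH, SA and SPI entries, as an added example (not code from the handbook or from ZyXEL): it parses the outer IPv4 header and the AH (RFC 4302) or ESP (RFC 4303) header that follows it, then finds the Security Association by the triple (destination address, protocol, SPI). The SAD contents, peer addresses and SPI values are constructed for the example, and the IPv4 checksum is neither computed nor checked.

```python
"""Demultiplex inbound IPsec packets to their Security Association.
AH and ESP headers both start with an SPI that, with the destination address and the protocol
number, selects the SA; two SAs may share an SPI if they differ in destination or protocol."""
import struct
from ipaddress import IPv4Address

ESP, AH = 50, 51  # IP protocol numbers

# Constructed Security Association Database (hypothetical peers, SPIs and algorithms).
SAD = {
    ("192.0.2.10", ESP, 0x00001234): {"cipher": "AES-128-CBC", "auth": "HMAC-SHA1-96"},
    ("192.0.2.10", AH, 0x00001234): {"auth": "HMAC-MD5-96"},      # same SPI, different protocol
    ("192.0.2.11", ESP, 0x00001234): {"cipher": "3DES-CBC", "auth": "HMAC-SHA1-96"},
}


def parse_ipv4(pkt):
    """Return (protocol, destination address, payload after the IP header)."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    dst = str(IPv4Address(pkt[16:20]))
    return proto, dst, pkt[ihl:]


def parse_ah(payload):
    # RFC 4302: next header, payload length (32-bit words minus 2), reserved, SPI, sequence, ICV.
    next_hdr, payload_len, _reserved, spi, seq = struct.unpack("!BBHII", payload[:12])
    total = (payload_len + 2) * 4
    return {"spi": spi, "seq": seq, "next_header": next_hdr,
            "icv": payload[12:total], "inner": payload[total:]}


def parse_esp(payload):
    # RFC 4303: SPI and sequence number are the only cleartext fields; the rest is encrypted.
    spi, seq = struct.unpack("!II", payload[:8])
    return {"spi": spi, "seq": seq, "ciphertext_and_icv": payload[8:]}


def lookup_sa(pkt, sad=SAD):
    """Return (SA or None, parsed security header or None) for an inbound packet."""
    proto, dst, payload = parse_ipv4(pkt)
    if proto == AH:
        hdr = parse_ah(payload)
    elif proto == ESP:
        hdr = parse_esp(payload)
    else:
        return None, None
    return sad.get((dst, proto, hdr["spi"])), hdr


def build_ipv4(proto, src, dst, payload):
    """Minimal IPv4 header (no options, checksum left zero) for constructing test packets."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload


# Constructed sample packets.
ESP_PKT = build_ipv4(ESP, "198.51.100.7", "192.0.2.10",
                     struct.pack("!II", 0x1234, 42) + bytes(range(16)))
# AH with a 12-byte ICV: header is 24 bytes = 6 words, so payload_len = 6 - 2 = 4.
AH_PKT = build_ipv4(AH, "198.51.100.7", "192.0.2.10",
                    struct.pack("!BBHII", 4, 4, 0, 0x1234, 7) + b"\x00" * 12 + b"inner ip")
UNKNOWN_PKT = build_ipv4(ESP, "198.51.100.7", "192.0.2.10", struct.pack("!II", 0x9999, 1))

if __name__ == "__main__":
    for name, pkt in (("ESP", ESP_PKT), ("AH", AH_PKT), ("unknown SPI", UNKNOWN_PKT)):
        sa, hdr = lookup_sa(pkt)
        print(name, hex(hdr["spi"]), sa)
```

A packet whose (destination, protocol, SPI) has no SAD entry must be discarded and, at most, logged: there is no key to authenticate it with, so nothing in it can be trusted.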
SSH (Secure Shell)
A protocol that allows device administrators to manage the device remotely over an encrypted and
authenticated channel, replacing cleartext Telnet. You can run either an SSH version 1 or version
2 server on the ZyWALL device; SSH version 1 has known protocol weaknesses (including the CRC-32
integrity flaw) and should be disabled in favor of version 2.
Stateful Inspection
A firewall method in which the firewall intercepts each packet at the network layer and evaluates
it against the state of the connection it belongs to, not only against its individual header
fields. The firewall records sessions started from the trusted side in a state table and lets
inbound packets through only when they match a tracked session (or an explicit rule), so
unsolicited inbound traffic is dropped even on ports that legitimate replies use.
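The state table described above, as an added example (not code from the handbook or from ZyXEL's implementation): a minimal stateful filter that lets LAN-initiated connections create sessions, admits WAN packets only when they match the reverse of a tracked session or an explicit inbound rule, rejects TCP segments that arrive without a SYN for an unknown connection, and expires idle sessions. Addresses, ports and the idle timeout are constructed for the example; connection teardown is simplified to "first FIN or RST removes the entry".

```python
"""A minimal stateful packet filter. Packets are dicts with iface, proto, src, sport, dst,
dport and (for TCP) flags. Sessions are stored under the initiator's 5-tuple and matched in
either direction, which is what lets replies through without opening return ports."""


class StatefulFilter:
    def __init__(self, idle_timeout=300.0, inbound_rules=()):
        self.idle_timeout = idle_timeout
        self.inbound_rules = set(inbound_rules)  # (proto, dst_ip, dst_port) allowed from WAN
        self.sessions = {}                        # (proto, src, sport, dst, dport) -> last seen

    @staticmethod
    def _key(p):
        return (p["proto"], p["src"], p["sport"], p["dst"], p["dport"])

    @staticmethod
    def _reverse(p):
        return (p["proto"], p["dst"], p["dport"], p["src"], p["sport"])

    def _expire(self, now):
        for k, seen in list(self.sessions.items()):
            if now - seen > self.idle_timeout:
                del self.sessions[k]

    def filter(self, p, now):
        self._expire(now)
        fwd, rev = self._key(p), self._reverse(p)
        if fwd in self.sessions or rev in self.sessions:
            existing = fwd if fwd in self.sessions else rev
            if p["proto"] == "tcp" and p.get("flags") in ("FIN", "RST"):
                del self.sessions[existing]       # simplified teardown
                return "allow-close"
            self.sessions[existing] = now
            return "allow-session"
        # No state for this packet: decide whether it may start a session.
        if p["proto"] == "tcp" and p.get("flags") != "SYN":
            return "drop-midstream"                # ACK/data for a connection never seen
        if p["iface"] == "LAN":
            self.sessions[fwd] = now
            return "allow-new"
        if (p["proto"], p["dst"], p["dport"]) in self.inbound_rules:
            self.sessions[fwd] = now
            return "allow-rule"
        return "drop-unsolicited"


def pkt(iface, proto, src, sport, dst, dport, flags=None):
    return {"iface": iface, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "flags": flags}


def demo():
    """Constructed traffic: a LAN web session, an inbound scan, a published HTTPS server,
    and a late packet after the idle timeout. Returns the verdict for each packet."""
    fw = StatefulFilter(idle_timeout=300.0, inbound_rules={("tcp", "192.168.1.10", 443)})
    return [
        fw.filter(pkt("LAN", "tcp", "192.168.1.20", 51000, "203.0.113.10", 80, "SYN"), 0.0),
        fw.filter(pkt("WAN", "tcp", "203.0.113.10", 80, "192.168.1.20", 51000, "SYN-ACK"), 0.1),
        fw.filter(pkt("WAN", "tcp", "203.0.113.66", 4444, "192.168.1.20", 22, "SYN"), 0.2),
        fw.filter(pkt("WAN", "tcp", "203.0.113.66", 4444, "192.168.1.20", 22, "ACK"), 0.3),
        fw.filter(pkt("WAN", "tcp", "198.51.100.9", 33000, "192.168.1.10", 443, "SYN"), 0.4),
        fw.filter(pkt("LAN", "tcp", "192.168.1.10", 443, "198.51.100.9", 33000, "SYN-ACK"), 0.5),
        fw.filter(pkt("WAN", "tcp", "203.0.113.10", 80, "192.168.1.20", 51000, "ACK"), 400.0),
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The fourth packet is the case a stateless filter gets wrong: an ACK-only segment aimed at port 22 would pass a rule that "allows established traffic" by looking at flags alone, while the state table knows no such connection exists.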
Static Routing
User-defined routes that cause packets moving between a source and a destination to take
a specified path. Static routing algorithms are table mappings established by the network
administrator prior to the beginning of routing. These mappings do not change unless the
network administrator alters them. Algorithms that use static routes are simple to design and
work well in environments where network traffic is relatively predictable and where network
design is relatively simple.
Subnet Mask
In larger networks, the subnet mask lets you define subnetworks. For example, if you have a
class B network (a 16-bit network part), a subnet mask of 255.255.255.0 specifies that the first
two octets of the dotted-decimal address are the network ID, the third octet is a subnet ID, and
the fourth octet is the host ID. If you do not want to subnet a class B network, you use a subnet
mask of 255.255.0.0.
A network can be divided into one or more physical subnetworks that form a subset of the main
network. The subnet mask marks which bits of the IP address represent the subnetwork within the
network. Subnetting lets you give separate segments their own address ranges without acquiring
new network numbers, and keeps broadcast and local traffic confined to the segment it is meant
for unless it is explicitly routed elsewhere. See also Netmask.
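The address-and-mask arithmetic used in the Netmask and Subnet Mask entries, as an added example (not code from the handbook or from ZyXEL): it converts a dotted-decimal mask to a prefix length while rejecting non-contiguous masks, derives the subnet that an address/mask pair describes, and matches a packet's source against it the way a firewall rule or route entry would. The addresses are the ones used in the entries above plus a constructed class B example.

```python
"""Netmask arithmetic: dotted-decimal mask <-> prefix length, subnet derivation and
rule matching. Both '10.20.30.1 255.255.255.0' and '10.20.30.1/24' forms are accepted."""
from ipaddress import IPv4Address, IPv4Network


def mask_to_prefix(mask):
    """Return the prefix length of a dotted-decimal netmask, rejecting non-contiguous masks."""
    bits = int(IPv4Address(mask))
    prefix = bin(bits).count("1")
    # A valid mask is `prefix` one-bits followed by zero-bits; 255.0.255.0 is not a netmask.
    if bits != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous netmask: {mask}")
    return prefix


def parse_addr_mask(text):
    """Parse 'A.B.C.D M.M.M.M' or 'A.B.C.D/N' into (host address, network)."""
    if "/" in text:
        host_s, prefix_s = text.split("/")
        prefix = int(prefix_s)
    else:
        host_s, mask_s = text.split()
        prefix = mask_to_prefix(mask_s)
    host = IPv4Address(host_s)
    # strict=False: the address may have host bits set (10.20.30.1/24 -> 10.20.30.0/24).
    network = IPv4Network(f"{host}/{prefix}", strict=False)
    return host, network


def describe(text):
    """Summarize what an address/mask pair refers to."""
    host, net = parse_addr_mask(text)
    # /31 and /32 have no separate network/broadcast addresses to subtract.
    usable = net.num_addresses - 2 if net.prefixlen < 31 else net.num_addresses
    return {
        "host": str(host),
        "network": str(net),
        "netmask": str(net.netmask),
        "usable_hosts": usable,
        "single_host": net.prefixlen == 32,
    }


def rule_matches(rule_text, packet_src):
    """Does a firewall rule written as address+mask match this packet's source address?"""
    _, net = parse_addr_mask(rule_text)
    return IPv4Address(packet_src) in net


if __name__ == "__main__":
    for spec in ("10.20.30.1 255.255.255.0", "10.20.30.1/32",
                 "172.16.5.9 255.255.255.0", "172.16.5.9 255.255.0.0"):
        print(spec, "->", describe(spec))
    print(rule_matches("10.20.30.1 255.255.255.0", "10.20.30.200"))   # whole /24
    print(rule_matches("10.20.30.1/32", "10.20.30.200"))              # single host
```

The contiguity check matters in practice: a typo such as 255.255.225.0 silently turns into a wildcard-style match on most platforms that accept it, so rejecting it at parse time is cheaper than debugging the resulting rule.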
SYN Attack
A SYN attack floods a targeted system with a stream of TCP SYN packets, usually from spoofed
source addresses. Each SYN causes the targeted system to issue a SYN-ACK and to hold a half-open
entry in its backlog queue while it waits for the ACK that completes the three-way handshake.
Entries leave the queue only when the ACK arrives or an internal timer expires. Once the queue is
full, the system ignores all further incoming SYN requests, making it unavailable to legitimate
users. Common defenses are rate-limiting SYNs per source, shortening the handshake timer, and SYN
cookies, which let the server avoid storing state for half-open connections.
Syslog
A protocol that enables a device to send log messages to a host running the syslog daemon
(syslog server), which collects and stores the messages centrally. Traditional syslog travels over
UDP port 514 in cleartext with no authentication, so the syslog server should sit on a trusted
management network, or syslog over TLS should be used where it is supported.
TCP/IP (Transmission Control Protocol/Internet Protocol)
TCP/IP is a set of communication protocols that support peer-to-peer connectivity functions
for both local and wide area networks. (A communication protocol is a set of rules that allow
computers with different operating systems to communicate with each other.) TCP/IP controls
how data is transferred between computers on the Internet.
Trojan (Trojan Horse)
A Trojan horse is a harmful program that is hidden inside an apparently harmless program or
data file. See also Back Door.
UDP (User Datagram Protocol)
UDP is a connectionless transport service that dispenses with the reliability services provided
by TCP. UDP gives applications a direct interface with the Internet Protocol (IP) and the ability
to address a particular application process running on a host via a port number without
setting up a connection session.
UPnP (Universal Plug and Play)
Universal Plug and Play (UPnP) is a distributed, open networking standard that uses TCP/IP
for simple peer-to-peer network connectivity between devices. A UPnP-enabled device can
dynamically join a network, obtain an IP address, convey its capabilities and learn about other
devices on the network. UPnP requests carry no authentication, so a UPnP-enabled gateway lets
any LAN host (including malware) open inbound ports on the firewall; leave it disabled unless that
behavior is explicitly wanted.
URL (Uniform Resource Locator)
A standard way to specify the location of a resource available electronically. Also referred to
as a location or address, a URL identifies a file or service on a server. Its general syntax is
scheme://host/path. For example, http://www.zyxel.com/product/overview.php specifies that the
scheme (protocol) is HTTP, the host is www.zyxel.com and the path is /product/overview.php.
Virtual Link
In OSPF, a virtual link establishes/maintains connectivity between a non-backbone area and
the backbone.
Virus
A computer virus is a small program that attaches itself to other, legitimate programs or files
and is designed to corrupt them or alter their operation; it spreads when the infected program is
run or copied. Compare Worms, which spread on their own over the network.
VLAN (Virtual Local Area Network)
A VLAN allows a physical network to be partitioned into multiple logical networks. Only
stations within the same group can communicate with each other. Stations on a logical
network can belong to one or more groups.
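The tag format from the IEEE 802.1Q entry and the address structure from the MAC Address entry, combined in an added example (not code from the handbook or from ZyXEL): a parser for Ethernet frames with or without an 802.1Q tag, plus the per-port VLAN check a switch or firewall applies so that traffic cannot leak between VLANs. The frames, MAC addresses and VLAN numbers are constructed; the double-tagged case is included because accepting it from an access device is the classic VLAN-hopping mistake.

```python
"""Parse Ethernet frames, with or without an IEEE 802.1Q tag, and enforce a trunk port's
allowed-VLAN list. The tag is 4 bytes inserted after the source MAC: TPID 0x8100, then a
16-bit TCI holding a 3-bit priority (PCP), a drop-eligible bit (DEI) and a 12-bit VLAN ID."""
import struct

TPID_8021Q = 0x8100


def fmt_mac(b):
    return ":".join(f"{x:02x}" for x in b)


def parse_frame(frame):
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst": fmt_mac(dst), "src": fmt_mac(src), "vlan": None, "pcp": None, "dei": None}
    offset = 14
    if ethertype == TPID_8021Q:
        (tci,) = struct.unpack("!H", frame[14:16])
        info["pcp"] = tci >> 13           # 3-bit priority
        info["dei"] = (tci >> 12) & 1     # drop eligible indicator
        info["vlan"] = tci & 0x0FFF       # 12-bit VLAN ID (1..4094 usable)
        (ethertype,) = struct.unpack("!H", frame[16:18])
        offset = 18
    info["ethertype"] = ethertype
    info["payload"] = frame[offset:]
    # A second 0x8100 after the first tag means the frame is double-tagged (Q-in-Q).
    info["double_tagged"] = info["vlan"] is not None and ethertype == TPID_8021Q
    # First three octets of the source MAC are the IEEE-assigned OUI of the NIC vendor;
    # bit 1 of the first octet set means the address was administered locally (set in software).
    info["oui"] = fmt_mac(src[:3])
    info["locally_administered"] = bool(src[0] & 0x02)
    return info


def build_frame(dst, src, ethertype, payload, vlan=None, pcp=0):
    """Assemble a frame for testing; vlan=None produces an untagged frame."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vlan is not None:
        hdr += struct.pack("!HH", TPID_8021Q, (pcp << 13) | (vlan & 0x0FFF))
    return hdr + struct.pack("!H", ethertype) + payload


def accept_on_port(frame, allowed_vlans, native_vlan):
    """Trunk-port check: untagged frames belong to the native VLAN; tagged frames must
    carry an allowed VID; double-tagged frames are rejected outright. Returns (accept, vid)."""
    info = parse_frame(frame)
    if info["double_tagged"]:
        return False, info["vlan"]
    vid = info["vlan"] if info["vlan"] is not None else native_vlan
    return vid in allowed_vlans, vid


# Constructed sample frames.
TAGGED = build_frame("00:0c:29:aa:bb:cc", "00:1a:2b:3c:4d:5e", 0x0800, b"\x45" + b"\x00" * 19,
                     vlan=100, pcp=5)
UNTAGGED = build_frame("ff:ff:ff:ff:ff:ff", "02:00:5e:00:00:01", 0x0806, b"\x00" * 28)
DOUBLE = build_frame("00:0c:29:aa:bb:cc", "00:1a:2b:3c:4d:5e", TPID_8021Q,
                     struct.pack("!HH", 200, 0x0800) + b"\x00" * 20, vlan=1)

if __name__ == "__main__":
    for name, f in (("tagged", TAGGED), ("untagged", UNTAGGED), ("double", DOUBLE)):
        i = parse_frame(f)
        print(name, i["src"], "vlan", i["vlan"], "type", hex(i["ethertype"]),
              "accept", accept_on_port(f, {1, 10, 100}, 1))
```

The `locally_administered` flag is a useful triage hint rather than proof of anything: a randomized or spoofed address usually has the bit set, but a vendor-assigned address can be cloned bit for bit, which is why the MAC Address entry warns against using it alone for authentication.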
VoIP (Voice over Internet Protocol)
Voice over Internet Protocol is the converting of the voice signal to data (IP) packets and
then sending the packets over an IP network.
VPN (Virtual Private Network)
A VPN is a cost-effective and secure way for an organization to give teleworkers, mobile users
and branch offices access to its private network across a shared public network such as the
Internet. Because the traffic is encrypted and authenticated, a VPN over the Internet can replace
far more expensive dedicated private lines. VPNs rely on technologies and standards such as
tunneling, traffic screening, encryption, and IPSec.
VRRP
Virtual Router Redundancy Protocol, originally defined in RFC 2338 (since superseded by RFC 3768
and, for VRRPv3, RFC 5798), lets you configure redundant backup gateways that share a virtual IP
address and MAC address, so that the default gateway of a host stays reachable if the master
router fails.
Vulnerability
A weakness in a system's design, implementation or configuration that an attacker can exploit to
violate its security policy; the point where a system can be attacked.
WAN (Wide Area Networks)
WANs link geographically dispersed offices in other cities or around the globe, using
switched and permanent telephone circuits, terrestrial radio systems and satellite systems.
WINS (Windows Internet Naming Service)
WINS is a service for mapping IP addresses to NetBIOS computer names on Windows NT
server-based networks. A WINS server maps a NetBIOS name used in a Windows network
environment to an IP address used on an IP-based network.
Worms
A worm is a program that is designed to copy itself from one computer to another on a
network. A worm’s uncontrolled replication consumes system resources thus slowing or
stopping other tasks.
X.509 (Binary X.509)
X.509 is the ITU-T recommendation that defines the format of public-key certificates and
certificate revocation lists (CRLs). A certificate binds a public key to a subject name and is
signed by a certification authority (see PKI). The IETF profile of X.509 for Internet use
(RFC 5280) is what TLS, IPSec and S/MIME implementations follow.
X-Auth (Extended Authentication)
X-Auth (Extended Authentication) is an IKEv1 extension that adds a user-level step after Phase 1:
each VPN client must supply a username and password in addition to the gateway-level pre-shared
key or certificate authentication. It was specified only in an Internet draft and never became an
RFC; IKEv2 provides the same function through EAP.
Z-end (IPSec)
This is the end of a VPN tunnel opposite the A-end (see also A-end).
ZLD
ZLD is the firmware used in some of ZyXEL's products.
Zombie
A host/workstation being used by malicious software to perform a task without the
knowledge of the user.