
ZyXEL Security Training

2008
Zsolt Benk

ZyXEL Certified Master Trainer

ZyXEL Hungary

IT security issues

Today's Top 4 Security Headaches

Virus and Worm
- Damage computer infrastructures.
- Layer 7 inspection degrades performance significantly.

IM and P2P applications
- Cause productivity loss and even legal troubles.
- Hard to install & manage IM/P2P-manageable firewalls.

Non-business web surfing, spyware, phishing
- Leak sensitive, valuable personal and corporate information.

Unsolicited Spam mails
- Contaminate legitimate messages; even cripple corporate servers.

Protect computer networks against virus intrusions and attacks

(Figure: computers on the network protected behind the gateway)

Control of IM/P2P applications use to increase employee productivity

- File Sharing Applications: consume an excessive amount of bandwidth and share sensitive corporate documents.
- Instant Messaging Applications: increase potential legal liability, waste personnel time and network resources.
- Software Tunnel Applications: bypass the firewall to expose organizations to risk, and waste network resources.
- Webmail/Posting Applications: increase potential legal liability, and share sensitive corporate documents.

Filter non-work-related and unproductive web surfing to mitigate spyware and phishing threats

Eliminate spam mails to block unwanted messages every day

ZyXEL advanced technologies

Reasons to buy a ZyWALL

- Right speed matters: breaking the UTM bottleneck
- High performance with 8-in-1 features
- Advanced technology
- Less effort to install and set up

8-in-1 (VPN/FW/LB/BWM/CF/AV/(AS)/IDP) complete security features
- Superb performance even with all security services activated
- Cutting-edge ZLD v2 integrates 8 security modules
- Integrated #1 Kaspersky Anti-Virus
- Built-in high-performance SecuASIC chipset
- User-aware, object-oriented setup with text-based configuration files

Enterprise/Large-mid Security Demand - Approach to Complete Network Protection

- Firewall: control permitted traffic in and out
- VPN: deliver secure remote access
- Load Balance: utilize multiple WANs
- Bandwidth Mgmt: traffic shaping
- Web filters: eliminate unproductive web browsing
- Anti-Virus: protect from virus infection
- IDS / IDP: protect against malicious attacks
- Anti-Spam: reduce unwanted email

Advantages: provides a comprehensive security approach

(Figure: separate Bandwidth Mgmt, Web Filters, Anti-Virus, IDS/IDP, Anti-Spam, VPN/Firewall and Load Balance devices sit between the Internet and the servers and users)

Apply to SMB Security Demand - Approach to Complete Network Protection

SMB security demand:
- Same threats as Enterprise/Large-Mid
- Limited budget
- Limited IT staff

Advantages: provides a comprehensive security approach

Potential burden:
- Requires multiple products (high cost)
- Increases network complexity and operational cost

(Figure: the same functions, Bandwidth Mgmt, Web Filters, Anti-Virus, IDS/IDP, Anti-Spam, VPN/Firewall and Load Balance, collapse into one UTM (Unified Threat Management) box between the Internet and the servers and users)

Advanced Technology

ZyWALL Core Advanced Technology

ZyWALL developed a unique security system for complete 8-in-1 and real-time network protection.

Linux-based security
- Hardened OS
- Networking operating system
- Optimized for security-enhanced processing
- Designed for high performance

Integrated Kaspersky Gateway Anti-Virus
- #1 detection rates
- #1 response time to new threats
- #1 updating frequency

Proprietary security acceleration chip
- Hardware scanning engine
- Hardware encryption
- Real-time content analysis

ZLD integrates 8 modules

Designed to solve the Top 4 Security Headaches

(Figure: the USG (Unified Security Gateway) stacks Anti-Spam, Intrusion Prevention, Anti-Virus, Web Content Filtering, Bandwidth Management, Load Balance, VPN and Firewall, spanning SMB security demand and Enterprise security demand)

The Power of ZyXEL SecuASIC(TM) - Performance

- ZyXEL SecuASIC UTM: the most effective way to higher performance; same performance even as signatures grow.
- Other ASIC-based UTM: still no effective way to higher performance; other UTMs lose performance day by day.
- Software-based UTM: 99% performance drop.

(Chart: throughput of ZyXEL SecuASIC vs. other ASIC vs. no ASIC along the inspection flow, from Layer 3 applications (packet filter, firewall) to Layer 7 applications (IDP, Anti-Virus); the chart marks a 5X and a 20X difference. Source: ZyXEL Internal)

Current ASIC Solutions' Problems

Right step on ASIC solutions
Accelerating AV & IDP functions in hardware is a good approach, certainly a step in the right direction.

Other ASIC scheme problems
- String matching: results in immense throughput degradation. The more the rules in the signature database grow, the more time inspection needs.
- File-based scanning: multi-packet files must be re-assembled first, and then scanned. A file whose size exceeds the memory available inside the chip simply can NOT be processed.

ZyXEL SecuASIC Technologies
- DFA (Deterministic Finite Automata) algorithm: regardless of the size of the rules, the number of rules or the rule complexity, the throughput speed remains unaffected.
- Stream-based scanning: packets are processed sequentially, with suspicious code detected and reported without affecting throughput. Complete inspection occurs with no limitation on file size.
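To make the two SecuASIC claims above concrete, here is an added example in Python (not ZyXEL code, and not how the chip itself is implemented): a deterministic automaton built from a signature set scans a byte stream packet by packet, keeping only its current state between packets, so per-byte work does not grow with the rule count and a file never needs to be reassembled before inspection. The signatures, the packets and the class and function names are the example's own constructed sample data.

```python
"""Stream-based signature matching with a deterministic automaton.

Added illustration, not ZyXEL code: builds an Aho-Corasick automaton over a
set of signatures and scans a byte stream one packet at a time, carrying only
the automaton state between packets. Per-byte work stays (amortised) constant
whatever the number or length of the signatures, and a multi-packet file never
has to be reassembled or held in memory to be inspected. The signatures and
the packet stream below are constructed sample data, not real malware patterns.
"""
from collections import deque


class StreamScanner:
    def __init__(self, signatures):
        # goto[s] maps a byte to the next state; fail[s] is the longest proper
        # suffix of the text read so far that is also a signature prefix.
        self.goto = [{}]
        self.fail = [0]
        self.out = [[]]           # signature names that end in each state
        for name, pattern in signatures.items():
            state = 0
            for byte in pattern:
                if byte not in self.goto[state]:
                    self.goto.append({})
                    self.fail.append(0)
                    self.out.append([])
                    self.goto[state][byte] = len(self.goto) - 1
                state = self.goto[state][byte]
            self.out[state].append(name)
        self._link_failures()
        self.state = 0            # the only thing kept between packets
        self.offset = 0           # stream offset of the next byte

    def _link_failures(self):
        queue = deque(self.goto[0].values())   # depth-1 states fail to root
        while queue:
            r = queue.popleft()
            for byte, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and byte not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(byte, 0)
                self.out[s] = self.out[s] + self.out[self.fail[s]]

    def feed(self, packet):
        """Scan one packet; return (signature, offset-of-last-byte) hits."""
        hits = []
        for byte in packet:
            while self.state and byte not in self.goto[self.state]:
                self.state = self.fail[self.state]
            self.state = self.goto[self.state].get(byte, 0)
            for name in self.out[self.state]:
                hits.append((name, self.offset))
            self.offset += 1
        return hits


def scan_stream(signatures, packets):
    """Scan packets in arrival order and return every hit, as a gateway would."""
    scanner = StreamScanner(signatures)
    hits = []
    for packet in packets:
        hits.extend(scanner.feed(packet))   # reported per packet, no reassembly
    return hits


# Constructed signatures (byte patterns) and a file split across three packets.
SIGNATURES = {
    "SIG-A": b"MALWARE-MARKER-1",
    "SIG-B": b"BAD<script>",
    "SIG-C": b"ID3",
}
SAMPLE_PACKETS = [
    b"hello MALWARE-MA",          # SIG-A starts here ...
    b"RKER-1 and BAD<scr",        # ... and completes here; SIG-B starts
    b"ipt> done",                 # SIG-B completes here
]

if __name__ == "__main__":
    for hit in scan_stream(SIGNATURES, SAMPLE_PACKETS):
        print(hit)
```

Both signatures straddle a packet boundary and are still reported as soon as their last byte arrives; adding more signatures grows the automaton, not the work done per byte.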

ZyWALL Overview
Portfolio

ZyWALL Landscape
Family Matrix

Our Technology Is Evolving: Next Generation ZyWALL

ZyWALL UTM (Unified Threat Management):
- IP-based IPSec VPN
- IP-based Dual WAN
- 1000+ signatures, non-certified
- Anti-Spam
- Content Filtering

What the next generation adds:
Performance
- More horse power
Anti-X
- AV/IDP: more signatures
- IM/P2P/Application Patrol
- AS: RBL/ORDBL
Hybrid VPN
- IPSec VPN & SSL VPN
- L2TP VPN
Flexible
- User-aware / app-centric
- Object-based
- VLAN & flexible zone
Misc
- Enterprise-level features
- User-friendly

Unified Security Gateway (USG):
- User-aware Application Patrol (IM/P2P)
- Hybrid VPN (IPSec VPN + SSL VPN)
- User-/application-based Multiple WAN
- ICSA-certified; 10,000+ signatures; NSS-certified
- Enhanced Anti-Spam; Secure Content Mgmt
- Device HA; Secure Wireless Mgmt; Multi-lingual WebGUI; more
ZyWALL Portfolio
Next Generation products
Enterprise

USG 1000

500+ users

ZyWALL 1050

Mid-Large

(100-500 users)

ZyWALL 70 UTM
ZyWALL 35 UTM
ZyWALL 5 UTM
ZyWALL 2+ / P1

SMB

(50-100 users)

SB

(<50 users)

SOHO

ZyWALL USG 300


ZyWALL USG 200
ZyWALL USG 100
ZyWALL SSL 10
ZyWALL 2WG

ZyWALL USG Series Positioning

(Chart: price vs. segment, SB / SMB / ENT)

ZyWALL USG series:
- Hybrid VPN (SSL + IPSec)
- UTM + Web Security (HTTP firewall)
- IM/P2P management
- 3G, WLAN security
- ICSA certifications
- M-WANs, 19" rack mount, flexible zone

ZyWALL USG 2000: M WANs, 8 Giga ports, 2 USB, HDD, SFP, redundant power; FW 2G, IPSec 500M, UTM 400M; 2000 IPSec, 750 SSL; recommended 200~500 PC users
ZyWALL USG 1000 (FCS available Q208): M WANs, 5 Giga ports, 2 USB, HDD support; FW 350M, IPSec 150M, UTM 100M; 1000 IPSec, 250 SSL; recommended 75~200 PC users
ZyWALL USG 300: M WANs, 7 Giga ports, 2 USB; FW 200M, IPSec 100M, UTM 48M; 200 IPSec, 25 SSL; recommended 50~75 PC users
ZyWALL USG 200 (SMB): 3 WANs, 7 Giga ports, 2 USB; FW 150M, IPSec 75M, UTM 24M; 100 IPSec, 10 SSL; recommended 25~50 PC users
ZyWALL USG 100 (SB): 2 WANs, 7 Giga ports, 2 USB; FW 100M, IPSec 50M, UTM 24M; recommended 1~25 PC users
Other chart labels: 300M FW

Features

ZyWALL Product Family - ZyWALL P1

World's first palm-sized hardware VPN client and Internet security appliance for personal network protection
- ICSA-certified IPSec 1.1D VPN (1 VPN tunnel) and SPI firewall (80 Mbps)
- Allows for mass, platform-independent deployment without software installation effort
- Proactive endpoint security provides effective network protection
- ZyXEL Centralized Network Management (CNM) support
- USB-powered
- Integrated gateway with built-in anti-virus and intrusion detection/prevention (in a future release)

ZyWALL Product Family - ZyWALL 2WG

Cutting-edge 3G+WiFi router with the best security functions for SOHO and remote offices
- Internet access through 3G networks (HSDPA, UMTS, GPRS, EDGE)
- Dual-band, tri-mode access point (802.11a/b/g)
- Advanced ICSA-certified ZyNOS SPI firewall (24 Mbps) and IPSec VPN (5 VPN tunnels) protection
- Configurable 4-port LAN/DMZ/WLAN zones
- Web-based content filtering services

Supported 3G cards:
- Sierra Wireless: AC595, AC850, AC860, AC875
- Huawei: E612, E620; Option GT HSDPA 7.2 Ready; EC500

ZyWALL 2WG hardware
- LEDs: PWR
- WiFi antenna: 2 dBi antenna x 2
- Power jack
- Interface: 4-port LAN/DMZ, 1-port WAN, Dial-Backup RJ45
- Extension card slot: to install a 3G/3.5G card

ZyWALL Product Family - ZyWALL 2 Plus

Internet Security Appliance
- ICSA-certified IPSec VPN (5 VPN tunnels) and SPI firewall (24 Mbps)
- Customizable web content filtering
- DoS/DDoS intrusion prevention
- ZyXEL Centralized Network Management (CNM) support

ZyWALL Product Family - ZyWALL 5 UTM

Integrated Internet Security Appliance with Unified Threat Management
- ICSA-certified IPSec 1.1D VPN (10 VPN tunnels) and SPI firewall (50 Mbps)
- Integrated high-performance gateway with built-in anti-virus, anti-spam, intrusion detection/prevention, and content filtering
- Flexible and configurable interfaces for creating dynamic security policies
- Bandwidth management and Centralized Network Management (CNM) support

ZyWALL Product Family - ZyWALL 35 UTM

Dual-WAN high-performance 8-in-1 UTM for Small Business/Remote Office Branch Office
- ICSA-certified IPSec 1.1D VPN (35 VPN tunnels) and SPI firewall (60 Mbps)
- Integrated high-performance gateway with built-in anti-virus, Anti-Spam, IDP, and content filtering
- Dual-WAN ports for auto-failover/fallback and load balancing
- Flexible and configurable interfaces for creating dynamic security policies
- Bandwidth management and Centralized Network Management (CNM) support

ZyWALL Product Family - ZyWALL 70 UTM

Dual-WAN high-performance 8-in-1 UTM for SMB (30 ~ 100 PC users)
- ICSA-certified IPSec 1.1D VPN (100 VPN tunnels) and SPI firewall (75 Mbps)
- Integrated high-performance gateway with built-in anti-virus, Anti-Spam, IDP, and content filtering
- Dual-WAN ports for auto-failover/fallback and load balancing
- Dedicated 4 DMZ ports for public Internet servers
- Bandwidth management and Centralized Network Management (CNM) support

ZyWALL USG 100

LEDs: PWR, SYS, AUX (status of Dial Backup/Dial-In), CARD (status of Extension Card Slot)

Interface:
- (1) WAN1: 10/100/1000
- (1) WAN2: 10/100/1000
- (5) LAN1/LAN2/DMZ: 10/100/1000, configurable port role
- (2) USB 2.0, for 3G etc.
- AUX: Dial-Backup/Dial-In OOB, DB-9 M
- Console: DB-9 F

Extension Card Slot (future upgrade): 1. 3G cellular card; 2. wireless LAN card, etc.

Power: 12VDC, 100~240VAC

ZyWALL USG 100 vs ZyWALL 5 UTM
- Multiple WAN
- USB, 3G
- SecuASIC inside
- More interfaces, all Gigabit Ethernet

*: ZyWALL Turbo AV+IDP Accelerator

ZyWALL USG 200

LEDs: PWR, SYS, AUX (status of Dial Backup/Dial-In), CARD (status of Extension Card Slot)

Interface:
- (2) WAN1, WAN2: 10/100/1000
- (1) Optional: 10/100/1000 (can be 3rd WAN, or additional LAN/DMZ)
- (4) LAN1/LAN2/DMZ: 10/100/1000, configurable port role
- (2) USB 2.0, for 3G etc.
- AUX: Dial-Backup/Dial-In OOB, DB-9 M
- Console: DB-9 F

Extension Card Slot (future upgrade): 1. 3G cellular card; 2. wireless LAN card, etc.

Power: 12VDC, 100~240VAC

ZyWALL USG 200 vs ZyWALL 35 UTM
- OPT port
- USB, 3G
- SecuASIC inside
- More interfaces, all Gigabit Ethernet

*: ZyWALL Turbo - SMART Accelerator

ZyWALL Product Family - ZyWALL USG 300

Unified Security Gateway for Small and Medium-Sized Businesses
- Hybrid VPN (IPSec/SSL VPN) and robust UTM security services
- High-performance multi-layer threat protection powered by cutting-edge SecuASIC technology
- AppPatrol to manage the use of IM/P2P applications
- User-aware policy engine enables access granularity
- Excellent manageability with object- and text-based configuration files as well as centralized network management

ZyWALL USG 300

LEDs: PWR, SYS, AUX (status of Dial Backup/Dial-In), CARD1 (status of Extension Card Slot 1), CARD2 (status of Extension Card Slot 2)

Interface:
- (7) Gigabit Ethernet: 10/100/1000, configurable port role
- (2) USB 2.0, for printer, storage, etc.
- Dial-Backup/Dial-In OOB: DB-9 M
- Console: DB-9 F

Extension Card Slot: future upgrade

Power: 100~240VAC

ZyWALL Product Family - ZyWALL USG 1000

Professional VPN concentrator/UTM appliance for SMB/Mid- to Large-Sized Organizations
- Hybrid VPN (IPSec/SSL VPN) and robust UTM security
- High-performance multi-layer threat protection, powered by SecuASIC technology
- AppPatrol to manage the use of IM/P2P applications
- High Availability features
- Excellent object-oriented, text-based manageability

ZyWALL USG 1000
- 5 definable GbE (Gigabit Ethernet) interfaces deliver flexible network partitioning
- Built-in SecuASIC and VPN crypto deliver robust UTM and VPN performance
- Ventilation fans
- Extension card slot, HDD slot and USB ports (for future use)
- Power switch, 100~240VAC

ZyWALL Product Family - ZyWALL 1050


Best performance UTM/VPN concentrator Security
Appliance for Mid-Large SMB (75 ~ 200 PC Users)
High firewall/VPN performance
(300 Mbps/150 Mbps) with Gigabit
Ethernet ports
Anti-virus, Anti-Spam, IDP, and
content filtering
High availability with built-in device
and VPN redundancy
User aware policy management,
and VLAN support
Excellent object oriented, text based
manageability

ZyWALL USG 2000


LED:

PWR: Power status


SYS: System status
AUX (Status of Dial-in Function)
HDD (Status of Hard Drive)
SEM (VPN/UTM accel.)
CARD: 3G card status

Interface:

6 GbE: 10/100/1000
(Auto MDI/MDIX)
2 SFP: Dual-Personality
Combo Port

Security Extension Module:


SEM-VPN:
SEM-UTM:
SEM-DUAL:

Card Slot:

CardBus slot

AUX & Console:

Dial-in Mgmt & RS-232


Console

Fan:

Ventilation Fans

HDD Slot:

HDD
Expansion Slot

USB:

USB 2.0 (Host) Ports x 2

Power Redundancy:

Redundant Power Module

Security Extension Card (SEM Card) - for ZyWALL USG 2000

- SEM-DUAL: UTM performance 400Mbps; VPN performance 500Mbps; max. 2,000 IPSec VPN tunnels; max. 750 SSL VPN users
- SEM-UTM: UTM performance 400Mbps; VPN performance 100Mbps; max. 1,000 IPSec VPN tunnels; max. 250 SSL VPN users
- SEM-VPN: UTM performance 100Mbps; VPN performance 500Mbps; max. 2,000 IPSec VPN tunnels; max. 750 SSL VPN users

ZyWALL USG Series

USG 100
- System: Freescale 8343E CPU, 255M/256M Flash/DRAM, SecuASIC CIP1001 * 1
- Performance: Firewall 100M, VPN 50M, UTM 24M, Session 20k, Session Rate 1k
- Interface: Gigabit Ethernet, 2*WAN, 5*LAN/DMZ
- IPSec VPN: 50; SSL VPN: 2 -> 5
- Extension Slot: 1 (Cardbus); SFP: No

USG 200
- System: Freescale 8343E CPU, 256M/256M Flash/DRAM, SecuASIC CIP1001 * 1
- Performance: Firewall 150M, VPN 75M, UTM 24M, Session 40k, Session Rate 1.4k
- Interface: Gigabit Ethernet, 2*WAN, 1*OPT, 4*LAN/DMZ
- IPSec VPN: 100; SSL VPN: 2 -> 10
- Extension Slot: 1 (Cardbus); SFP: No

USG 300
- System: Freescale 8349E CPU, 256M/256M Flash/DRAM, SecuASIC CIP1001 * 2
- Performance: Firewall 200M, VPN 100M, UTM 48M, Session 60k, Session Rate 2k
- Interface: Gigabit Ethernet, 7 configurable
- IPSec VPN: 200; SSL VPN: 2 -> 10 -> 25**
- Extension Slot: 2 (Cardbus); SFP: No

USG 1000
- System: Pentium M 1.8G CPU, 256M/1G Flash/DRAM, SecuASIC CIP2001 * 1
- Performance: Firewall 350M, VPN 150M, UTM 100M, Session 200k, Session Rate 13k
- Interface: Gigabit Ethernet, 5 configurable
- IPSec VPN: 1000; SSL VPN: 5 -> 50 -> 250**
- Extension Slot: 1 (Cardbus); SFP: No

USG 2000
- System: Intel E6400 CPU, 256M/2G Flash/DRAM, SecuASIC CIP3001 * 1*
- Performance: Firewall 2G, VPN 500M*, UTM 400M*, Session 1kk, Session Rate 20k
- Interface: Gigabit Ethernet, 6 configurable, 2 SFP (combo)
- IPSec VPN: 2000; SSL VPN: 5 -> 200 -> 750**
- Extension Slot: 1 (Cardbus); SFP: Yes

USB: see the per-model hardware slides above.

* Needs the SEM module on USG 2000
** In a future firmware release

ZyWALL Product Family - ZyWALL SSL10


Professional Integrated SSLVPN appliance for small and
medium-sized businesses

Clientless secure remote access


Seamless integration with the
current ZyWALL UTM Series
Supports AD/LDAP/RADIUS and
two-factor authentication
Endpoint security check
Unified policy management with
object-based configuration
Dual-mode (NAT/DMZ mode)
installation with setup wizard

ZyWALL Product Family - ZyWALL OTP

One-Time Password Token for a Strong Two-Factor Authentication Solution
- Strong two-factor authentication solution
- One token for many applications
- No expiration date for lower Op
- Intuitive and easy to install, use and manage
- Seamless integration with ZyWALL security products

ZyWALL Product Family - ZyWALL OTP

ZyWALL OTP Starter Kit

Includes 2 tokens and 1 CD (ZyXEL/Authenex


Server Software)
Designed for new/potential customers to test
and use

ZyWALL OTP 5U

Includes 5 ZyWALL OTP tokens


Designed for customers who already bought
Starter Kit and need more tokens for more
users

ZyWALL OTP 10U

Includes 10 ZyWALL OTP tokens


Designed for customers who already bought
Starter Kit and need more tokens for more
users

ZyWALL Product Family - ZyWALL IPSec VPN Client

IPSec VPN client software for mobile users
- Windows Vista support
- Interoperability with ZyWALL and most IPSec VPN gateways
- IPSec VPN tunneling with DES/3DES/AES encryption
- User authentication with X-Auth, PEM or PKCS#12 certificates, pre-shared keys
- DPD and redundant gateway

ZyWALL Feature Matrix - Networking/Security

ZyWALL Feature Matrix - System/WAN Type

ZyWALL Feature Matrix - HA/Authentication/Management

Solution Scenario - Less than 10 PC Users
- Secures an office with a single broadband Internet connection.
- Provides secure remote access and protects endpoint devices.
- Measures mitigating application-level attacks should be taken.

Solution Scenario - 10 to 50 PC Users
- Requires site-to-site and remote VPN access capabilities.
- Requires firewall protection at the main and branch offices.
- Each endpoint device needs to be secured.
- Measures against application-level attacks should be taken so that valuable information assets are well protected.

Solution Scenario - 50 to 70 PC Users
- Requires site-to-site and remote VPN access and firewall protection in a distributed network. Prevents threats from viruses, worms, trojans and remote attacks.
- Each endpoint device needs to be secured.
- Requires high availability of Internet access and QoS management at the main office.

Solution Scenario - 75 to 200 PC Users
- Requires site-to-site and remote access VPN with firewall protection in a distributed network.
- Threats should be stopped at the network perimeter.
- Highly reliable performance and uninterrupted access to resources.
- Requires QoS management at the main office.

How about a coffee break?

ZyWALL USG Anti-X: Security Services Introduction
- Anti-Virus and IDP
- Anti-Spam
- Content Filtering

Best-of-breed Technologies Integrated

Kaspersky Anti-Virus technology
- World's fastest virus updater

ZyXEL IDP & AppPatrol technology
- More than 2000 signatures
- IM/P2P application blocking

Mailshell Anti-Spam technology
- Advanced SpamAdapt AI system: fuzzy logic learning
- More than 300,000 rules, dynamically updated

BlueCoat Content Filtering technology
- Dynamically updated ratings of millions of web sites
- 56 content filtering categories

ZyWALL Security Services Overview

Subscription-based: each ZyWALL supports an expanding array of subscription-based security services designed to integrate seamlessly into a network and provide complete protection.

Auto update: with integrated support for Anti-Virus, IDP, Anti-Spam and Content Filtering, ZyWALL intelligently enforces and updates each of these services as updates occur.

Easy to integrate and maintain: with ZyWALL, businesses can avoid the integration and maintenance problems that often result from sourcing, installing, and maintaining multiple security products and services from multiple vendors.

ZyWALL Gateway Anti-Virus service

Anti-Virus specifications
- Stream-based gateway AV
- ICSA-certified (in progress)
- Zone-based AV inspection

Protocols supported: HTTP/SMTP/POP3/FTP/IMAP4

Performance
- HW-accelerated SecuASIC
- Throughput over 96Mbps for ALL protocols
- No file size limit; no concurrent session limit

Compressed archives
- ZIP/GZIP/PKZIP: up to 100 concurrent archives
- RAR: up to 16 concurrent archives

Zone-Based Virus Inspection
(Figure: 10,000+ signatures) Enables configuration of different AV inspection rules to meet the security policy.

Anti-Virus (cont.)

BWL (Blacklist & Whitelist)
- Supports blocking of user-definable filenames and/or file extensions, e.g. *.mp3
- Up to 512 entries (BWL altogether)

Action on virus
- Log / Alert
- Destroy infected files
- Send Windows message (to both origin and destination)

Reporting
- In Dashboard: Top-5 viruses & total viruses detected
- In Threat Report: virus statistics

Blacklist and Whitelist in AV
Can detect and then block (or allow, in the whitelist) files by file pattern (file extension), e.g. *.mp3, *.mpeg

Anti-Virus SKU
- Trial period: 30 days free trial
- SKU: iCard, Anti-Virus 1-year, ZyWALL 1050; iCard, Anti-Virus 2-year, ZyWALL 1050

Gateway Anti-Spam and Content Filter

ZyWALL Gateway AS Overview

ZyWALL features high catch rate Anti-Spam and Anti-Phishing.
ZyWALL Gateway Anti-Spam, powered by

Real-time auto updates for consistent accuracy
- 98% high spam catch rate and 0.05% low false positive rate
- More than 1 million spam filter checks, constantly updated in real time
- Blocks non-English-language spam with language-independent filters
- Protects against phishing in e-mail with the latest anti-fraud filters

Customizable Blacklists and Whitelists
Create blacklists to block spam by IP address, sender name, or MIME header, and customize whitelists for safe e-mail from customers, partners, or important news sources.

How Anti-Spam Works
(Figure: the ZyWALL between the sending mail server, the local mail server and the rating server)
1. Identify the mail content
2. Create a digest and send it to the rating server
3. Get a reply with the digest score
4. Take the appropriate action (Pass or Spam)
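The four-step digest flow above, together with the blacklist/whitelist checks from the preceding slide, as an added Python example (not ZyXEL or Mailshell code): the gateway first applies its own lists, then hashes the normalised mail content and asks a rating server for a score before deciding Pass or Spam. The rating server, the mails, the lists, the threshold and all function names are constructed stand-ins for this illustration.

```python
"""Gateway anti-spam decision flow: lists first, then a content digest rated
by an external server.

Added example, not ZyXEL or Mailshell code. Steps: identify the mail content,
create a digest, ask a rating server for the digest's score, act on the reply.
The RatingServer here is a local stand-in with a hand-seeded table; the mails,
lists and scores are constructed samples.
"""
import hashlib
import re
from email import message_from_string
from email import policy

SPAM_SCORE_THRESHOLD = 80        # constructed: score at or above this is spam
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse(raw_mail):
    return message_from_string(raw_mail, policy=policy.default)


def normalize(text):
    # Fuzzy normalisation: case, whitespace and punctuation changes must not
    # change the digest, so reworded copies of one spam run share an entry.
    return "".join(ch for ch in text.lower() if ch.isalnum())


def content_digest(msg):
    """Digest of subject + plain-text body; this is what goes to the server."""
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    return hashlib.sha256(normalize(msg.get("Subject", "") + text).encode()).hexdigest()


class RatingServer:
    """Stand-in for the vendor rating service: digest -> spam score (0..100)."""

    def __init__(self):
        self.scores = {}

    def learn(self, raw_mail, score):
        self.scores[content_digest(parse(raw_mail))] = score

    def query(self, digest):
        return self.scores.get(digest, 0)      # unknown digest: not rated


def sender_ip(msg):
    for received in msg.get_all("Received", []):
        match = IP_RE.search(received)
        if match:
            return match.group(1)
    return None


def classify(raw_mail, server, blacklist, whitelist):
    """Return (action, reason); action is 'pass' or 'spam'."""
    msg = parse(raw_mail)
    sender = msg.get("From", "").lower()
    ip = sender_ip(msg)
    if any(addr in sender for addr in whitelist["senders"]):
        return "pass", "whitelisted sender"
    if ip in blacklist["ips"]:
        return "spam", f"blacklisted IP {ip}"
    if any(name in sender for name in blacklist["senders"]):
        return "spam", "blacklisted sender"
    for header, needle in blacklist["headers"]:
        if needle.lower() in msg.get(header, "").lower():
            return "spam", f"blacklisted {header} header"
    score = server.query(content_digest(msg))       # the digest round-trip
    action = "spam" if score >= SPAM_SCORE_THRESHOLD else "pass"
    return action, f"digest score {score}"


# Constructed sample mails (RFC 5737 documentation addresses).
KNOWN_SPAM = """From: deals@example.net
Subject: Cheap meds
Content-Type: text/plain

Buy cheap meds now!!! 100% discount, click here.
"""
SPAM_VARIANT = """Received: from mx.example.net [203.0.113.7]
From: promo <deals2@example.net>
Subject: CHEAP  meds
Content-Type: text/plain

BUY  cheap   MEDS now... 100% DISCOUNT, click HERE
"""
PARTNER_MAIL = """Received: from mail.partner.example [198.51.100.20]
From: Alice <alice@partner.example>
Subject: Q3 order
Content-Type: text/plain

Please find the order attached.
"""
BLACKLISTED_IP_MAIL = """Received: from unknown [192.0.2.66]
From: news@somewhere.example
Subject: hello
Content-Type: text/plain

hi
"""
BLACKLIST = {"ips": {"192.0.2.66"}, "senders": {"spammer@"},
             "headers": [("X-Mailer", "BulkBlaster")]}
WHITELIST = {"senders": {"@partner.example"}}
SERVER = RatingServer()
SERVER.learn(KNOWN_SPAM, 95)          # the server has already rated this run

if __name__ == "__main__":
    for mail in (SPAM_VARIANT, PARTNER_MAIL, BLACKLISTED_IP_MAIL):
        print(classify(mail, SERVER, BLACKLIST, WHITELIST))
```

The reworded variant yields the same digest as the mail the server already knows, which is the point of normalising before hashing; the whitelist is consulted first so a partner's mail is never delayed by the lookup.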

BlueCoat Content Filtering
- Supported since v4.0
- HTTP is checked on demand against the BlueCoat server

(Figure) 1. The client requests www.zyxel.com; the ZyWALL queries the category of www.zyxel.com at the BlueCoat server over the Internet. 2. The ZyWALL follows the category result to forward or block the HTTP response.

Need a break..?

IPSec VPN

What is VPN?
Private Network

Virtual Private Network


Internet

Why VPN?
Security

Authentication
Encryption

Cost

Reducing number of access lines


Cut long distance phone charges

Benefit of VPN Tunnel
(Figure: a sniffer on the Internet path can't reach or understand traffic inside the tunnel)

IPSec: Internet Protocol Security
(Figure: OSI stack - Application Layer, Transport Layer, Network Layer (IPSec protocol), Data Link Layer, Physical Layer)

IPSec (cont.)
Two operation modes: transport mode and tunnel mode
(Figure: tunnel mode between gateways across the Internet; transport mode between end hosts)

IPSec (cont.)
Benefits of IPSec
- Confidentiality
- Integrity
- Guarantee of data source
- Replay protection

Security Association
- Security contract: how data is protected
- Security parameters exchange
(Figure: both gateways across the Internet hold the same parameters: DES, MD5, key, PFS)

SA Creation
- Manually: offline negotiation; never expires; debugging tool
- Dynamically: IKE (Internet Key Exchange)

SA Deletion
- SA lifetime expired (seconds/bytes)
- SA deletion requested
- Connection idle time-out (ZyXEL)
- Keys compromised

Re-keying
IPSec doesn't provide the ability to refresh keys. Instead, we have to delete an existing SA and negotiate/create a new SA.

ZyXEL VPN

Applications
- Corporate to Corporate
- Mobile User
- SOHO User
(Figure: a mobile user, a SOHO user and a second corporate site each reach the corporate ZyWALL over the Internet; the links marked "= VPN" are the tunnels)

Features
- IPSec protocol: AH, ESP
- Address type support: single, range, subnet
- Replay detection: protect against replay attacks
- Key management: IKE, manual
- Negotiation mode: Phase 1: Main, Aggressive; Phase 2: Quick

Security Protocols
- ESP (Encapsulating Security Payload)
- AH (Authentication Header)

Original packet: [IP header][protected data]
ESP packet: [IP header][ESP header][protected data][ESP trailer][ESP authentication]; encrypted: protected data and ESP trailer; authenticated: ESP header, protected data and ESP trailer
AH packet: [IP header][AH header][protected data]; authenticated: the whole packet, IP header included
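An added Python example (not ZyXEL code) that builds the ESP packet laid out above with the NULL cipher and HMAC-SHA1-96, and implements the receiver's replay detection from the feature list: a sliding anti-replay window that rejects a repeated sequence number before the ICV is even checked, and an ICV check that rejects a modified packet. The authentication key, SPI, inner packets and all names are constructed for this illustration.

```python
"""ESP encapsulation (NULL cipher, HMAC-SHA1-96) with anti-replay checking.

Added example, not ZyXEL code. It builds the ESP packet the slide's diagram
describes (ESP header, protected data, ESP trailer, authentication data),
uses the NULL cipher so the authenticated region is plainly visible, and
implements the receiver side: ICV verification plus a sliding anti-replay
window. The authentication key, SPI and inner packets are constructed values.
"""
import hashlib
import hmac
import struct

ICV_LEN = 12             # HMAC-SHA1-96: the 20-byte tag truncated to 96 bits
NEXT_HEADER_IPV4 = 4     # tunnel mode: the protected data is a whole IPv4 packet
ESP_HEADER_LEN = 8       # SPI (4 bytes) + sequence number (4 bytes)


def esp_encapsulate(auth_key, spi, seq, inner_packet, next_header=NEXT_HEADER_IPV4):
    """Return SPI | seq | data | padding | pad-len | next-header | ICV."""
    # Pad so that the trailer's pad-length and next-header bytes end on a
    # 4-byte boundary, using the RFC 4303 default pad pattern 1, 2, 3, ...
    pad_len = (-(len(inner_packet) + 2)) % 4
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    header = struct.pack("!II", spi, seq)
    authenticated = header + inner_packet + trailer    # NULL cipher: unchanged
    icv = hmac.new(auth_key, authenticated, hashlib.sha1).digest()[:ICV_LEN]
    return authenticated + icv


class EspReceiver:
    """Inbound SA state: key, SPI and a 64-packet anti-replay window."""

    def __init__(self, auth_key, spi, window=64):
        self.auth_key, self.spi, self.window = auth_key, spi, window
        self.highest = 0        # highest sequence number accepted so far
        self.seen = 0           # bit i set  <=>  seq (highest - i) was accepted

    def _is_fresh(self, seq):
        if seq == 0:
            return False                       # 0 is never valid on an SA
        if seq > self.highest:
            return True                        # to the right of the window
        behind = self.highest - seq
        return behind < self.window and not (self.seen >> behind) & 1

    def _mark(self, seq):
        if seq > self.highest:
            shift = seq - self.highest
            self.seen = ((self.seen << shift) | 1) & ((1 << self.window) - 1)
            self.highest = seq
        else:
            self.seen |= 1 << (self.highest - seq)

    def receive(self, packet):
        """Verify and strip ESP; return (next_header, inner_packet) or raise."""
        if len(packet) < ESP_HEADER_LEN + 2 + ICV_LEN:
            raise ValueError("truncated packet")
        authenticated, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        spi, seq = struct.unpack("!II", authenticated[:ESP_HEADER_LEN])
        if spi != self.spi:
            raise ValueError("unknown SPI")
        if not self._is_fresh(seq):            # cheap check before the HMAC
            raise ValueError(f"replayed or stale seq {seq}")
        expected = hmac.new(self.auth_key, authenticated, hashlib.sha1).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            raise ValueError("ICV mismatch")
        self._mark(seq)                        # only after the ICV verified
        pad_len, next_header = authenticated[-2], authenticated[-1]
        inner = authenticated[ESP_HEADER_LEN:len(authenticated) - 2 - pad_len]
        return next_header, inner


def demo():
    """Deliver two packets, replay the first, then tamper with a third."""
    key = b"constructed-auth-key-0123456789"      # constructed SA key
    spi = 0x1000ABCD                              # constructed SPI
    rx = EspReceiver(key, spi)
    pkt1 = esp_encapsulate(key, spi, 1, b"inner ip packet #1")
    pkt2 = esp_encapsulate(key, spi, 2, b"inner ip packet #2")
    results = {"first": rx.receive(pkt1)[1], "second": rx.receive(pkt2)[1]}
    tampered = bytearray(esp_encapsulate(key, spi, 3, b"inner ip packet #3"))
    tampered[ESP_HEADER_LEN] ^= 0x01              # flip one bit of the data
    for label, pkt in (("replay", pkt1), ("tampered", bytes(tampered))):
        try:
            rx.receive(pkt)
            results[label] = "accepted"
        except ValueError as err:
            results[label] = str(err)
    return results

if __name__ == "__main__":
    print(demo())
```

The window is updated only after the ICV verifies, so a forged packet with a high sequence number cannot push legitimate in-flight packets out of the window.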

Address Type
- Single: only one host can use the VPN, e.g. 192.168.1.33
- Range: a range of hosts can use the VPN, e.g. Start: 192.168.1.33, End: 192.168.1.254
- Subnet: a subnet of hosts can use the VPN, e.g. Start: 192.168.1.0, End: 255.255.255.0 (the second value is the subnet mask)

Features (cont.)
Party Identification
Pre-shared key

Digital Certificate

Encryption Algorithm

Phase 1 : DES, 3DES, AES

Phase 2 : DES, 3DES, AES, NULL

Authentication Algorithm
SHA1, MD5

Key Group
DH1, DH2

Perfect Forward Secrecy


None, DH1, DH2

How IKE works

Two phases:
- Phase 1 (Main Mode or Aggressive Mode): establish the IKE SA
- Phase 2 (Quick Mode): establish the IPSec SAs

Three modes: Main Mode, Aggressive Mode, Quick Mode

Phase 1
- Policy suite negotiation: encryption algorithm, authentication method, Diffie-Hellman group
- Diffie-Hellman exchange of a secret
- Authenticate the secret

Phase 2: IPSec SA
- Security protocol (ESP/AH)
- Encryption algorithm
- Authentication method
- Diffie-Hellman group, if PFS
- Mode (Transport/Tunnel)
- Policy: local/remote network

IPSec Overview
- IKE: UDP port 500
- ESP/AH: no port (IP protocols)
- Phase 1 negotiation establishes the IKE SA (e.g. DES, MD5, key)
- Phase 2 negotiation establishes the IPSec SA (e.g. 3DES, SHA-1, key)
- Data then flows protected by the IPSec SA

Main Mode (Phase 1, six messages)
1. Initiator -> Responder: Header, SA
2. Responder -> Initiator: Header, SA
3. Initiator -> Responder: Header, Key, Nonce
4. Responder -> Initiator: Header, Key, Nonce
5. Initiator -> Responder: Header, ID, Hash (encrypted)
6. Responder -> Initiator: Header, ID, Hash (encrypted)

SA: Security Association; ID: Identification; Key: Key Exchange Payload; Nonce: random value

Aggressive Mode (Phase 1, three messages)
Faster but less secure than Main Mode
1. Initiator -> Responder: Header, SA, Key, Nonce, ID
2. Responder -> Initiator: Header, SA, Key, Nonce, ID, Hash
3. Initiator -> Responder: Header, Hash

Quick Mode (Phase 2)
Phase 2 is quick: identities have already been verified in Phase 1
1. Initiator -> Responder: Header, Hash, SA, Nonce, ID, ID
2. Responder -> Initiator: Header, Hash, SA, Nonce, ID, ID
3. Initiator -> Responder: Header, Hash

PFS (Perfect Forward Secrecy): keys created independently
- Without PFS: New Key = Function(Old Key)
- With PFS: New Key comes from a fresh exchange, not from the Old Key
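The Phase 1 / Phase 2 derivation and the PFS slide above, worked through in an added Python example (not ZyXEL code) that follows the RFC 2409 formulas with pre-shared-key authentication, HMAC-SHA1 as the prf and Oakley group 2 for Diffie-Hellman. It derives the Quick Mode KEYMAT once without PFS and once with PFS, then checks whether a party that later holds SKEYID_d and the recorded Quick Mode payloads can rebuild it. Cookies, nonces, SPI, the pre-shared key and all function names are constructed.

```python
"""IKEv1 key derivation: why PFS makes Phase 2 keys independent.

Added example, not ZyXEL code. It follows the RFC 2409 formulas with
pre-shared-key authentication and HMAC-SHA1 as prf, Oakley group 2 for the
Diffie-Hellman exchange, and derives the Phase 2 KEYMAT twice: once without
PFS (a function of the Phase 1 secret only) and once with PFS (a fresh DH
exchange in Quick Mode). Cookies, SPIs, nonces and the PSK are constructed.
"""
import hashlib
import hmac
import secrets

# Oakley group 2: 1024-bit MODP prime from RFC 2409 section 6.2, generator 2.
GROUP2_P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
               "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
               "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
               "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
               "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
               "FFFFFFFFFFFFFFFF", 16)
GROUP2_G = 2
PROTO_ESP = b"\x03"        # protocol identifier used in the KEYMAT derivation


def prf(key, data):
    return hmac.new(key, data, hashlib.sha1).digest()


def dh_keypair():
    x = secrets.randbelow(GROUP2_P - 2) + 1
    return x, pow(GROUP2_G, x, GROUP2_P)


def dh_shared(x, peer_public):
    return pow(peer_public, x, GROUP2_P).to_bytes(128, "big")


def phase1_skeyid_d(psk, ni, nr, gxy, cky_i, cky_r):
    # SKEYID   = prf(pre-shared-key, Ni_b | Nr_b)
    # SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0)
    skeyid = prf(psk, ni + nr)
    return prf(skeyid, gxy + cky_i + cky_r + b"\x00")


def phase2_keymat(skeyid_d, spi, ni2, nr2, qm_gxy=None):
    # Without PFS: KEYMAT = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b)
    # With PFS:    KEYMAT = prf(SKEYID_d, g(qm)^xy | protocol | SPI | Ni_b | Nr_b)
    fresh = qm_gxy if qm_gxy is not None else b""
    return prf(skeyid_d, fresh + PROTO_ESP + spi + ni2 + nr2)


def demo(pfs):
    """Run Phase 1 and one Quick Mode; report agreement and recoverability."""
    psk = b"constructed-pre-shared-key"
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    xi, gi = dh_keypair()
    xr, gr = dh_keypair()
    skeyid_d_i = phase1_skeyid_d(psk, ni, nr, dh_shared(xi, gr), cky_i, cky_r)
    skeyid_d_r = phase1_skeyid_d(psk, ni, nr, dh_shared(xr, gi), cky_i, cky_r)
    # Quick Mode payloads that travel on the wire (and could be recorded).
    spi = secrets.token_bytes(4)
    ni2, nr2 = secrets.token_bytes(16), secrets.token_bytes(16)
    if pfs:
        qxi, qgi = dh_keypair()                  # fresh DH, private parts never sent
        qxr, qgr = dh_keypair()
        keymat_i = phase2_keymat(skeyid_d_i, spi, ni2, nr2, dh_shared(qxi, qgr))
        keymat_r = phase2_keymat(skeyid_d_r, spi, ni2, nr2, dh_shared(qxr, qgi))
    else:
        keymat_i = phase2_keymat(skeyid_d_i, spi, ni2, nr2)
        keymat_r = phase2_keymat(skeyid_d_r, spi, ni2, nr2)
    # A party that later obtains SKEYID_d plus everything recorded from Quick
    # Mode (SPI, nonces, public DH values) can only recompute the no-PFS form:
    # the fresh g(qm)^xy needs a private exponent that was never transmitted.
    recomputed = phase2_keymat(skeyid_d_i, spi, ni2, nr2)
    return {"peers_agree": keymat_i == keymat_r,
            "recoverable_from_phase1": recomputed == keymat_i}

if __name__ == "__main__":
    print("no PFS:", demo(pfs=False))
    print("PFS:   ", demo(pfs=True))
```

In both runs the peers agree on KEYMAT; only in the no-PFS run is that KEYMAT a pure function of the Phase 1 secret, which is the "Old Key -> Function -> New Key" dependency the slide warns about.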

Setup ZyWALL for IPSec
(Figure: LAN 1 behind one security gateway, LAN 2 behind another, IPSec connection between them across the Internet)

Information needed before the IPSec setting:
- IP address
- Security protocol
- Key management method
- Encryption algorithm
- Authentication algorithm
- Key group
- Encapsulation mode

Remote Access Today

The common form of secure remote access is IPSec VPN. However, IPSec has the following drawbacks in most remote access scenarios:
- It's mandatory to pre-install and pre-configure tens, hundreds, even thousands of client-side encryption software installations; imagine that each installation requires a reboot!
- Difficulty traversing a typical firewall ("ESP, UDP 500... huh?")
- Resulting in a massive number of help-desk calls ("Why did my laptop show a BSOD (Blue Screen of Death)???")

SSL VPN
- What is SSL/TLS
- Why SSL VPN
- SSL VPN Applications: Reverse Proxy
- SSL VPN Applications: Network Extension
- IPSec VPN vs. SSL VPN

What is SSL/TLS?

SSL stands for Secure Sockets Layer
- Originally created by Netscape
- Uses RC4, MD5, RSA and other cryptographic methods
- Widely used for secure web browsing through HTTPS (port 443)
- Handles authentication and encryption
- SSL v2 and v3 are commonly deployed

TLS stands for Transport Layer Security
- IETF adopted SSL, made minor changes and called it TLS
- Successor of SSL
- Traverses NATs without problems

What is SSL/TLS?
SSL/TLS provides application layer security (in OSI layer 7): the encrypted data payload is inserted/extracted by the application layer, e.g. HTTP, FTP, POP3, etc.

What is SSL/TLS?
(Figure: a browser session over HTTPS (using SSL for encryption), with a lock icon near the bottom right of the screen)

What's SSL VPN?
(Figure: laptop, kiosk, mobile device, partner and desktop reach the SSL VPN gateway over the Internet, secured by SSL; behind it sit the mainframe and servers)

What's SSL VPN?
A type of VPN (Virtual Private Network) that secures communication between client and server by SSL:
- Authentication
- Data encryption

Why SSL VPN?
Advantages
- Clientless
- No extra configuration required on the user's machine
- Ideal for mobile access

SSL VPN Applications
Depending on which applications of the internal resource can be accessed, there are three network access modes in SSL VPN:
- Reverse Proxy
- Port Forwarding (not supported by ZLD 2.0)
- Network Extension

Typical Example of SSL VPN Application
(Figure: a web browser on a home PC reaches, through the company's SSL VPN gateway, the authentication server (LDAP, RADIUS, Active Directory), the file server, the email server and other servers)

What is a Reverse Proxy?
- A forward proxy acts as a proxy for client requests.
- A reverse proxy acts as a proxy for web servers.
- A forward proxy lowers server response time and saves bandwidth; besides those two benefits, a reverse proxy protects web servers from attacks.

Reverse Proxy vs. Forward Proxy
(Figure)

Reverse Proxy: Web Application Access
(Figure: the client browser talks https to the ZyWALL, which authenticates the user against the authentication server (RADIUS, LDAP, NTLM, Active Directory) and forwards plain http to the Outlook Web Access server and to other applications with a web interface)

File Sharing: CIFS
- Stands for Common Internet File System
- MS Network Neighborhood

ZyXEL SSL VPN CIFS: provides a webified interface to access file sharing.

CIFS actions:
- Browse (enter a folder)
- Create (folder)
- Delete (file or folder)
- Rename (file or folder)
- Upload (file)
- Download (file)

File Sharing User Interface
(Screenshots)

Network Extension
- Assigns an IP address to the client
- Allows the client to participate in the LAN directly
- Adds the necessary routes on the client machine
- The admin configures routes; users can also manually add routes

Network Extension: Remote Access
ZyWALL Security Extender (Windows-only for now)
(Figure: the client browser and client applications run over SSL to the ZyWALL, which carries PPTP inside the SSL tunnel (layer 2 driver / PPTP on the client) and authenticates against RADIUS, LDAP or Active Directory. Result: IPSec-like access for any application and protocol (desktop applications, file server, email server, other servers), with firewall rules for access control)

Network Extension Logon Flow
1. The client browser logs in to the SSL VPN gateway's login portal over SSL.
2. Gateway: O.K.; the browser downloads and loads the Java applet.
3. The gateway searches the SSL VPN policy and assigns the IP address, routing entry, DNS and WINS.
4. The Java applet configures IP, routing entry, DNS and WINS on the client.
5. The gateway creates a PPP interface and is ready to negotiate the PPTP connection.
6. Client and gateway negotiate the PPTP connection over SSL.

Application Access (Network Extension)
(Figure: the laptop on the Internet connects to the ZyWALL 1050, eth0 facing the Internet and vlan1 facing the internal networks 172.21.0.0/16 and 172.23.0.0/16. The gateway assigns the client the IP address 192.168.192.75 and provides the routing list:
172.21.0.0/16 via 192.168.192.75
172.23.0.0/16 via 192.168.192.75)

Application Access (Network Extension)
(Figure: once connected, the laptop reaches hosts such as 172.21.1.77 and 172.23.3.26 through the ZyWALL 1050 (ge0 / vlan1))

Network Extension Applic

Network Extension Issues

Anytime/anywhere access: public computers and home computers are untrusted carriers for worms, attacks and malicious code. Application firewalls & IPS (Intrusion Prevention System) are required to enhance security.

Known SSL VPN Issues
- SUN Java 6 Update 4 has a known interoperability problem with ZyWALL SSL VPN
- Microsoft JRE (Java Runtime Environment) is not compatible with ZyWALL SSL VPN

IPSec VPN vs. SSL VPN

- VPN clientless: IPSec VPN (dynamic rule): No (IPSec client); SSL VPN: Yes (web browser)
- Configuration: IPSec VPN: pre-configuration; SSL VPN: No
- Application: IPSec VPN: network layer; SSL VPN: application layer
- Authentication: IPSec VPN: XAUTH, certificate; SSL VPN: AAA, certificate
- IP conflict solution: IPSec VPN: NAT over IPSec; SSL VPN: won't have an IP conflict issue
- Host integrity check: IPSec VPN: No; SSL VPN: Yes*
- Ideal for: IPSec VPN: site-to-site; SSL VPN: remote or mobile

ZyXEL SSL VPN Design Specification
- A maximum of 64 SSL application objects can be created.
- A maximum of one OWA-type SSL application object can be created.
- A maximum of eight SSL application objects can be added to an SSL VPN policy.
- Username and password within the URL are not supported; the authentication request will be prompted by your browser. In the common URL syntax http://<user>:<password>@<host>:<port>/<url-path>, the <user>:<password>@ part is NOT supported.

SSL VPN Benefits

Clientless remote access
- No pre-installed client software
- No pre-configuration by end users
- Utilizes a standard web browser

Application/user-aware
- Granular access policies over specific applications or users
- Enforce corporate security policy by endpoint security checks

Simplified deployment
- Automatic agent download
- No firewall or NAT traversal issues that IPSec may suffer from
- Can survive almost every environment on this planet

Hybrid: SSL VPN & IPSec VPN

So how about integrating both VPN technologies into a single box?

VPN capacity on ZyWALL 1050
- Up to 50 SSL VPN tunnels
- Up to 1,000 IPSec VPN tunnels

Performance
- 75Mbps (SSL VPN)
- 150Mbps (IPSec VPN)

Main Features of Hybrid VPN

Seamless Integration
Clientless Secure Remote Access
Comprehensive User Auth Mechanism

Seamless Integration

Incorporates both IPSec & SSL VPN into a single box

[Diagram: an employee on a home computer (IPSec), an employee laptop in an airport kiosk or hotel (SSL) and a partner's network (extranet via IPSec VPN) reach the ZyWALL 1050 over the Internet (WAN side, encrypted). The LAN zone (decrypted side) hosts the email server, file share, BI system, OA/ERP system, CRM system, web-based application servers (inventory, store, ...), remote desktop and network extend.]

Clientless Secure Remote Access

Remote users can use a standard web browser to easily access corporate applications or file sharing without pre-installed or pre-configured VPN software.
Using a standard browser to access internal network applications
Using a standard browser to access an internal file-sharing folder

Comprehensive User Auth Method

[Diagram: remote users over the Internet authenticate to the ZyWALL 1050 against a local database (user group 1, user group 2) or an external database (Active Directory, RADIUS, LDAP). With the ZyWALL OTP (One-Time Password) token, the user enters the PIN code displayed on the token and a two-factor authentication server verifies it. The figure shows the example values justin, zyxel and 130201 flowing to the backends.]

More VPNs: L2TP

Specifications
L2TP over IPSec
Shares the tunnel upper bound with IPSec VPN: up to 1,000 tunnels

Benefits of supporting L2TP VPN
Extended VPN client: MS Windows 2000 (and above) has an L2TP client built in, free of charge
Secure: L2TP over IPSec is more secure than PPTP
Interoperability: can interoperate with a NAT gateway

Application Note
Default IPSec policy for MS Windows L2TP users
For the VPN Connection, users need to configure Local Policy and Remote Policy accordingly
For the VPN Gateway, users need to configure My Address and Pre-Shared Key accordingly
For the Policy Route, users need to add one policy route rule accordingly
Supports PAP authentication only. PAP carries the PPP password in the clear inside the L2TP session, so the IPSec tunnel is the only thing protecting it on the wire; do not run L2TP without the IPSec layer.

L2TP VPN Scenarios

[Diagram: a remote client connects over L2TP over IPSec to the ZyWALL 1050 and then reaches the HTTP service, remote management and mail service behind it.]

IM/P2P Management (AppPatrol)

IM/P2P Access Granularity
Differentiating the access level of IM/P2P applications and enforcing a granular access policy
Access level: login, chat, file transfer, voice call, video call
More IM/P2P applications are supported in 2.00

BWM Enhancement
Supports BWM in each rule: can do BWM per user group
Can do BWM against inbound traffic
Guaranteed (prioritized) bandwidth per protocol/application
Maximize bandwidth utilization: can borrow excess bandwidth dynamically

Real-time Bandwidth Monitor
Shows which connection uses which application (protocol) in the Traffic Report
Shows graphical bandwidth usage and statistics per protocol

IM/P2P Access Granularity

Access Granularity
Can differentiate the access level per IM/P2P application to enforce corporate access policy

User-Aware, Scheduling and BWM
IT staff can have full & granular control over access to IM/P2P applications, together with user-aware, scheduling and BWM

AppPatrol Against IM/P2P

[Comparison table; the per-cell availability marks did not survive extraction. Columns: AppPatrol on ZLD 2.00, ZLD 1.0x, ZyNOS 4.00 & after. Rows: Integrated BWM; User-Aware; Scheduling; Access Granularity; IM/P2P Up-to-date. Footnotes: differentiating the access level of IM/P2P applications and enforcing a granular access policy; requires a valid IDP subscription; requires a valid AV+IDP subscription.]

Statistical Graph in AppPatrol

Statistical Graph
Line chart showing per-application bandwidth usage over a 60-minute time frame

AppPatrol Signature Update

Keep Up-to-date
Can support newer versions of (already) supported IM/P2P applications via signature update

How to Get AppPatrol Updated?
Trial: activate the IDP trial service and update IDP signatures before the trial expires (30-day trial period)
Constant updates: require purchase of an IDP subscription and activation of the IDP standard service
IDP subscription 1-year
IDP subscription 2-year

IDP Enhancement
Enabling flexible direction for IDP inspection
Zone-to-zone protection

Reporting
Display Top-5 attacks detected (in dashboard)
IDP Report: executive summary of events triggered by the IDP feature

IDP Signatures
ICSA IDP certification (in progress)
Over 2,200 IDP signatures at FCS, which can detect & stop a variety of attacks/exploits
Supports custom signatures

Signature update
Regular update: once a week
Emergency update: 72 hours after an emerging exploit/attack with high severity
IM/P2P update: signatures for AppPatrol, on a non-regular basis

Visibility
IDP signatures searchable in the GUI
Redirect to mySecurityZone for the full encyclopedia and description of attacks/exploits

IDP versus ADP

ADP is for Anomaly Detection & Protection

IDP/ADP Comparison
[Comparison table; the per-column marks did not survive extraction. Columns: IDP, ADP. Rows: L7 inspection to stop threats & attacks; signature update; TA/PA; protecting the ZyWALL itself; requiring iCard subscription.]
TA: Traffic Anomaly
PA: Protocol Anomaly

Device HA Enhancement
Enabling the Link Monitoring option to monitor the link status of directly connected cables
When a link failure happens, it triggers failover

[Diagram: two ZyWALL 1050s (master/active and backup/standby) share a LAN switch and WAN switches; each WAN switch connects through a DSL CPE/router to ISP1 and ISP2. A failed link on the master triggers failover to the backup.]

GUI Enhancements
Dashboard Face-lift
New look and feel
Added threat reports

In-line Object Creation
Creating missing objects on-the-fly (without leaving the current config screen)

Language Options
Architecture for implementing a multilingual GUI
Double-byte languages supported (Japanese/SC/TC)

Mouse-over Info
Displaying detailed info when moving the cursor over an item in a config screen

Dashboard Face-lift
Click on the More button to view more details
New Active Sessions counter to display the active session count on-the-fly
Top-5 intrusions & viruses detected

In-line Object Creation

Enables the user to create new objects on-the-fly without leaving the current page. The feature is system-wide.
In the drop-down list of each feature, if a desired object is not present, simply click on the Create Object option to trigger a pop-up window to create the object on-the-fly, without leaving the current config page.

Certification
ICSA Firewall Version 4.1
ICSA IPSec Version 1.1D
ICSA Anti-Virus: in progress
ICSA IDP: in progress

Summary: SKU
ZyWALL 1050 SKUs (column assignment reconstructed from the flattened table)
ZLD 2.00: Anti-Virus 1-YR; Anti-Virus 2-YR; IDP 1-YR; Content Filter 1-YR; SSL VPN 5 to 25; SSL VPN 25 to 50
ZLD 1.0x: IDP 1-YR; SSL VPN 5 to 50

GUI Overview

ZyXEL Communications Corp.

Begin
Default management IP address: 192.168.1.1 on physical port 1 (the first port from the left on the front panel)
Default administrator login:
User Name: admin
Password: 1234
Change the default password at first login: it is the same on every unit shipped and is the first thing anyone probing the management interface will try.

GUI Access
Screen size: 1024*768
Multiple browser support: IE 6.0 and above, Firefox 1.5.0 and above, Netscape 7.2 and above
Turn on JavaScript and cookies in your web browser.
Turn off pop-up window blocking in your web browser.

GUI Overview: Login Page

GUI Overview: Status Page
Menu tree
Device command warning messages
Global icon list
Device command status

GUI Overview: Menu Tree (cont.)
Help, Wizard, Logout, Web Console, Site Map, About

GUI Overview: Menu Tree
1. First, set up the network topology configuration; start with Interface
2. Then, set up the security policy configuration; start with Route

GUI Overview: Menu Tree (cont.)
System built-in services
Log and traffic statistics report
Frequently used objects

Quick Start

Basic component concept

Port (physical port)
A place where (L1/L2) frames go through
A port can be shared by many interfaces
Virtual port (VLAN): makes use of the VLAN tag (L2 virtualization)
Each port can be configured as WAN, LAN, or DMZ

Zone
A group of interfaces
A set of hosts with the same characteristic
A logical element used to make configuration of firewall rules easier

Interface (logical interface)
A place where (L3+) packets go through
An interface is bound to a port or a virtual port
Many interfaces can share a port
An interface is bound to one zone only, not multiple ones
Many interfaces can belong to a zone
An alias I/F is by definition a kind of interface (L3 virtualization), i.e. a virtual interface

Note cont.
The physical ports on the front panel of
ZyWALL 1050 are named in the system as
ge1, ge2, ge3, ge4, ge5.
ge stands for Gigabit Ethernet

The ZyWALL 1050 Network Hierarchy

[Diagram, bottom to top: physical ports (RJ45 connections) and port grouping (L2 switching without firewall) at layer 2 and below; Ethernet, VLAN, PPP and AUX interfaces at layer 3 and above; bridge, IP alias (virtual interface) and trunk built on top of them.]

Internet Connection Setup Using Wizard: PPPoE

Wizard PPPoE (cont.)

Setup of the Internet Connection (PPPoE)

Instead of using the wizard, the user may also configure a PPPoE connection using the GUI.
Use the system default configuration:
ge1 as LAN interface
ge2 & ge3 combined as WAN_TRUNK
Use ge2 as the base interface for this PPPoE interface
Connect port 2 (ge2) to a PPPoE server
Connect a host to port 1 (ge1)

Step 1: Set up the ISP account
The idle timeout is used when the PPPoE interface is in dial-on-demand mode. If the idle timeout is zero, no idle timeout is applied.

Step 2: Create a PPPoE interface
The current example uses nailed-up mode: if the PPPoE server is available, this PPPoE connection will always be active.

Step 3: Check the PPPoE IP address
Make sure ppp0 obtains the correct IP address.

Step 4: Create a policy route for ppp0
Set Next-Hop to ppp0. This policy route rule must be the first rule.

Step 5: Join ppp0 to the WAN zone
Add ppp0 to the WAN zone so that the zone-based firewall, IDP and Content Filter security policies written for WAN apply to it.

Step 6: Check LAN host connectivity
Verify that the LAN host can ping the outside network.

Troubleshooting
Does the ppp0 interface obtain an IP address?
Do the policy route rules match?
LAN host DNS (for resolving domain names)
PPPoE server availability

Technical Data

Multi-Layer Protection

Firewall
Security zone based
Global zone
Address, schedule, user aware, role based

Firewall Zone Concept

[Diagram: customizable multi-zone segmentation. WAN zone on ge2 and ge3 (sub-interfaces such as ge2:4, ge3:1, ge3:2, ge3:3 on ADSL and cable links of 1.5M/384K, 2M/384K and 512K/64K) toward the Internet, with US_Tunnel and China_Tunnel into the VPN zone (US_A 172.21.10.0/24, China_A 192.168.200.0/24, China_Real_A 192.168.10.0/24). LAN zone on ge1 sub-interfaces ge1:1 to ge1:3 with Manager_A 192.168.10.0/24, Sales_A 192.168.20.0/24, RD_A 192.168.30.0/24 and Finance_A 192.168.40.0/24. DMZ zone with WWW_A 192.168.100.1:8080 and FTP_A 192.168.100.2. Policies are either inter-zone or intra-zone.]

Benefits of the Zone Concept

Without the zone concept, once an interface setting is changed, the administrator has to change all the corresponding settings.
By grouping interfaces/tunnels into zones, the configuration effort is reduced.
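To make the zone idea concrete, here is an added example (not ZyWALL code) of a zone-based policy evaluator: interfaces are bound to exactly one zone, rules are written zone-to-zone, and a new interface such as the ppp0 from the PPPoE walkthrough becomes subject to the existing WAN rules the moment it is bound to the WAN zone. Interface names, addresses and rules are constructed for the example; the "default deny" and "interface in no zone matches no rule" behaviour are assumptions of this model, not a statement about ZLD internals.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    """One zone-to-zone firewall rule. 'any' matches every zone or address."""
    from_zone: str
    to_zone: str
    src: str                 # CIDR or "any"
    dst: str                 # CIDR or "any"
    dport: Optional[int]     # None matches any destination port
    action: str              # "allow" or "deny"

    def matches(self, from_zone, to_zone, src, dst, dport):
        return (self.from_zone in ("any", from_zone)
                and self.to_zone in ("any", to_zone)
                and (self.src == "any" or ip_address(src) in ip_network(self.src))
                and (self.dst == "any" or ip_address(dst) in ip_network(self.dst))
                and (self.dport is None or self.dport == dport))


class ZoneFirewall:
    """Interfaces are bound to exactly one zone; rules never name an interface."""

    def __init__(self, default_action="deny"):
        self.iface_zone = {}          # interface name -> zone name
        self.rules = []               # evaluated top-down, first match wins
        self.default_action = default_action

    def bind(self, iface, zone):
        # Re-binding replaces the old zone: an interface cannot sit in two zones.
        self.iface_zone[iface] = zone

    def add_rule(self, rule):
        self.rules.append(rule)

    def evaluate(self, in_iface, out_iface, src, dst, dport):
        """Decide a flow entering on in_iface and leaving on out_iface."""
        if in_iface not in self.iface_zone or out_iface not in self.iface_zone:
            # Model assumption: an interface in no zone matches no zone-based rule.
            return self.default_action
        from_zone = self.iface_zone[in_iface]
        to_zone = self.iface_zone[out_iface]
        for rule in self.rules:
            if rule.matches(from_zone, to_zone, src, dst, dport):
                return rule.action
        return self.default_action


def build_example():
    """Constructed policy modelled on the zone diagram: LAN, WAN and DMZ."""
    fw = ZoneFirewall()
    fw.bind("ge1", "LAN")
    fw.bind("ge2", "WAN")
    fw.bind("ge3", "DMZ")
    fw.add_rule(Rule("LAN", "WAN", "any", "any", None, "allow"))
    fw.add_rule(Rule("LAN", "DMZ", "any", "any", None, "allow"))
    # Only the published web server port (WWW_A) is reachable from the Internet.
    fw.add_rule(Rule("WAN", "DMZ", "any", "192.168.100.1/32", 8080, "allow"))
    fw.add_rule(Rule("WAN", "any", "any", "any", None, "deny"))
    # DMZ hosts must not initiate connections into the LAN.
    fw.add_rule(Rule("DMZ", "LAN", "any", "any", None, "deny"))
    return fw


if __name__ == "__main__":
    fw = build_example()
    print("ppp0 before binding:", fw.evaluate("ppp0", "ge3", "203.0.113.5", "192.168.100.1", 8080))
    fw.bind("ppp0", "WAN")   # the PPPoE step "join ppp0 to WAN zone"
    print("ppp0 after binding: ", fw.evaluate("ppp0", "ge3", "203.0.113.5", "192.168.100.1", 8080))
```

The point of the model is the last two lines: nothing in the rule set had to change when ppp0 appeared, because the rules reference the WAN zone rather than ge2. The same holds for a VPN tunnel added to the VPN zone.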

Zone Configuration

Firewall Configuration

Global Policy

Application Patrol
Managing from the application viewpoint vs. from the policy (user/role) based firewall viewpoint
Application-aware app classifier
Identifies the application by inspecting the payload
Supports more than 16 applications
Application management

Application Patrol (cont.)
App Patrol won't take action before it can recognize the application (so the first packets of a flow are forwarded before the classifier has made its decision)
Signature-based classifier
Quick to support a new protocol
Can be accelerated by hardware

App Patrol Summary Page

App Patrol Configuration

Content Filtering
URL Filtering:
Multiple filtering profiles
Scheduling, user aware
Black list & white list
Block by keyword
Block dangerous web features (ActiveX, Java, cookies, web proxy)
Custom deny message & redirect to URL

URL Process Flow

Inspection sequence (the checks are applied in this order; the first one that decides wins):
1. Trusted web sites? If the site is on the trusted list, allow.
2. Allow trusted only? If set, block everything that did not match the trusted list.
3. Forbidden web sites? If the site is on the forbidden list, block.
4. Match category setting? If the site's category is one the profile blocks, block.
5. Match global block list? If so, block.
6. Match URL keyword blocking? If a configured keyword appears in the URL, block.
Otherwise, allow.
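The order of those checks matters (a trusted site is allowed even if a keyword would otherwise match it, and "allow trusted only" short-circuits everything after the trusted list). The following added example, which is not ZyWALL code, implements the flow chart so that the ordering can be exercised. The domain lists, the category lookup table (a stand-in for the external rating service) and the keywords are all constructed for the example.

```python
from urllib.parse import urlsplit


class UrlFilter:
    """Applies the content-filter checks in the order of the URL process flow."""

    def __init__(self, trusted, forbidden, allow_trusted_only,
                 blocked_categories, category_db, global_block_list, keywords):
        self.trusted = [d.lower() for d in trusted]
        self.forbidden = [d.lower() for d in forbidden]
        self.allow_trusted_only = allow_trusted_only
        self.blocked_categories = set(blocked_categories)
        self.category_db = category_db            # host -> category (stand-in for the rating service)
        self.global_block_list = [d.lower() for d in global_block_list]
        self.keywords = [k.lower() for k in keywords]

    @staticmethod
    def _domain_match(host, domains):
        # "example.com" matches the host itself and any subdomain of it.
        return any(host == d or host.endswith("." + d) for d in domains)

    def check(self, url):
        """Return (verdict, reason); the first matching step decides."""
        # Match on the parsed hostname, never on the raw URL string: a URL such as
        # http://trusted.example@evil.example/ has hostname evil.example.
        host = (urlsplit(url).hostname or "").lower()
        if self._domain_match(host, self.trusted):
            return "allow", "trusted web site"
        if self.allow_trusted_only:
            return "block", "allow trusted only"
        if self._domain_match(host, self.forbidden):
            return "block", "forbidden web site"
        category = self.category_db.get(host)
        if category in self.blocked_categories:
            return "block", f"category {category}"
        if self._domain_match(host, self.global_block_list):
            return "block", "global block list"
        lowered = url.lower()
        for kw in self.keywords:
            if kw in lowered:
                return "block", f"keyword {kw}"
        return "allow", "no rule matched"


def build_profile():
    """Constructed profile: every name, category and keyword here is illustrative."""
    return UrlFilter(
        trusted=["intranet.example.com", "updates.example.net"],
        forbidden=["casino.example.org"],
        allow_trusted_only=False,
        blocked_categories={"gambling", "malware"},
        category_db={"bet.example.org": "gambling",
                     "news.example.org": "news",
                     "drop.example.net": "malware"},
        global_block_list=["blocked.example.net"],
        keywords=["crack", "warez"],
    )


if __name__ == "__main__":
    f = build_profile()
    for url in ("http://intranet.example.com/warez/list",
                "http://files.example.com/crack.zip",
                "http://intranet.example.com@bet.example.org/"):
        print(url, "->", f.check(url))
```

The third sample URL ties back to the SSL VPN note about user:password@ syntax: anything before the @ is user info, not the host, so a filter that string-matched "intranet.example.com" against the URL would be fooled, while matching the parsed hostname is not.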

Intrusion Detection & Prevention (IDP)

IDP: combination of inline NIDS & NIPS
Multi-method detectors: traffic anomaly, protocol anomaly, signature based (1800+ signatures)
IDP sensor can sit in front of any zone
Supports custom signatures

IDS & IPS Scenarios
[Diagram of three placements between the Internet and the internal network: a passive NIDS on a tap beside the path, an inline NIDS, and an inline IPS.]

Multi-Homing Policy Route

User aware
Source-based and service-based routing
Route to: gateway, VPN tunnel, or trunk for load balancing & link backup
SNAT
Load balancing & link HA
BWM

Policy Route Example

LB & HA Trunk Group

Load Balancing
A trunk is a group of interfaces
Users can balance load by applying a trunk as the next hop of a policy route
Supports 3 LB algorithms:
Weighted Round Robin
Least Load First
Spillover
A fail-over mechanism is also included in the trunk
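The three algorithms distribute new sessions differently, and the fail-over behaviour is what turns a trunk into link HA. The following added example (not ZyWALL code) simulates a two-member trunk under each algorithm and shows a member being skipped once its link goes down. Member names, weights, capacities and session sizes are constructed; the exact accounting ZLD uses (for example how it measures "load" for least-load-first) is not on the page, so this model counts assigned session bandwidth as load.

```python
from dataclasses import dataclass


@dataclass
class Member:
    name: str
    weight: int = 1            # weighted round robin share
    capacity_kbps: int = 1000  # egress bandwidth used by least-load-first and spillover
    load_kbps: int = 0         # bandwidth currently assigned to this member
    up: bool = True            # link state; down members are skipped (fail-over)


class Trunk:
    """Group of interfaces used as a policy-route next hop."""

    def __init__(self, members, algorithm):
        if algorithm not in ("wrr", "llf", "spillover"):
            raise ValueError(algorithm)
        self.members = list(members)
        self.algorithm = algorithm
        # WRR: expand weights into a cyclic sequence, e.g. weights 2:1 -> A A B.
        self._wrr_seq = [m for m in self.members for _ in range(m.weight)]
        self._wrr_pos = 0

    def _active(self):
        return [m for m in self.members if m.up]

    def _pick_wrr(self):
        # Walk the sequence, skipping members whose link is down.
        for _ in range(len(self._wrr_seq)):
            m = self._wrr_seq[self._wrr_pos % len(self._wrr_seq)]
            self._wrr_pos += 1
            if m.up:
                return m
        return None

    def pick(self, session_kbps):
        active = self._active()
        if not active:
            return None                      # every link down: nothing to route to
        if self.algorithm == "wrr":
            return self._pick_wrr()
        if self.algorithm == "llf":
            # Least load first: lowest fraction of capacity in use wins.
            return min(active, key=lambda m: m.load_kbps / m.capacity_kbps)
        # Spillover: fill members in configured order; move to the next only when
        # the session would push the current one over capacity.
        for m in active:
            if m.load_kbps + session_kbps <= m.capacity_kbps:
                return m
        return active[-1]                    # all full: overflow onto the last active link

    def assign(self, session_kbps):
        """Route one new session and account its bandwidth; returns the member name."""
        m = self.pick(session_kbps)
        if m is None:
            return None
        m.load_kbps += session_kbps
        return m.name


def route_sessions(algorithm, sessions_kbps, fail_after=None):
    """Return the member chosen for each session on a constructed ge2/ge3 trunk.
    If fail_after is given, ge2's link is marked down before that session."""
    trunk = Trunk([Member("ge2", weight=2, capacity_kbps=2000),
                   Member("ge3", weight=1, capacity_kbps=1000)], algorithm)
    chosen = []
    for i, kbps in enumerate(sessions_kbps):
        if fail_after is not None and i == fail_after:
            trunk.members[0].up = False
        chosen.append(trunk.assign(kbps))
    return chosen


if __name__ == "__main__":
    print("wrr      ", route_sessions("wrr", [10] * 6))
    print("wrr+fail ", route_sessions("wrr", [10] * 4, fail_after=2))
    print("llf      ", route_sessions("llf", [500] * 4))
    print("spillover", route_sessions("spillover", [800] * 4))
```

Weighted round robin ignores link speed and only honours the configured ratio; least load first adapts to what is already flowing; spillover keeps the second link idle until the first is saturated, which is the usual choice when the backup link is metered. In every mode the down member simply drops out of the candidate set.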

NAT
SNAT: policy-based
Supported NAT types: one-to-one, many-to-one, many-to-many overload, many one-to-one
Type will be determined automatically
DNAT: virtual server
One-to-one IP mapping
Optional single & range port translation
Transparent proxy (a usage of DNAT)

SNAT: many-to-one with PAT

DNAT: one-to-one with PAT

Flexible Port Configuration

Flexible port role
Any port can be configured as LAN, WAN, DMZ or other

Flexible switching ports
Any port can be configured as a switching port
Traffic between switching ports is not inspected by the ZyWALL: it is switched at layer 2 before the firewall sees it, so hosts that policy is supposed to separate must not share a switching group

Virtual port
802.1q VLAN ports can be defined
A virtual port supports the same functions as a physical port does

Operation Mode
Switching mode: layer 2 switch
Transparent mode: multiple-port bridge
Mixed mode: mix of routing/NAT and transparent/bridge mode

Scenario: Mix of NAT & Transparent Mode
[Diagram; labels recovered from the garbled figure: WAN, Transparent, NAT, LAN, LAN, DMZ.]

IPSec
User aware (prior login)
Route based (static)
HA by backup SG & DDNS
NAT over IPSec traffic

IPSec VPN GUI
Click on Add Gateway

IPSec VPN GUI
Click on Add VPN

Hands-on: VPN
Task: establish the VPN triangle as shown in the diagram.
Encryption: AES
Authentication: SHA1
Key group: DH2 (1024-bit MODP; use a larger group where the peer supports it)
Encapsulation: Tunnel
Protocol: ESP

802.1q VLAN
Tag-based VLAN
Up to 32 VLANs can be defined
A port can be either a non-VLAN port or a VLAN port
Multiple VLAN IDs can be assigned to one physical port
Traffic between VLANs is routed & checked
Traffic between LAN & VLAN is routed / bridged (transparent mode) & checked

VLAN Scenario
[Diagram: on the tagged side the ZyWALL 1050 carries VLAN 1 (192.168.1.254), VLAN 2 (192.168.2.254) and VLAN 3 (192.168.3.254) over a VLAN-aware router and VLAN-aware switches; on the untagged side LAN 1, LAN 2 and LAN 3 are the subnets 192.168.1.0, 192.168.2.0 and 192.168.3.0.]

Device HA
Uses VRRP to support active/passive device HA
Auto sync support
Run-time object synchronization is not supported yet

Text Configuration File
The configuration file is constructed from CLI commands
Can be edited off-line with a text editor
Easy to copy the configuration to other devices

Script
A batch of CLI commands contained in a file
Script files can be stored on the ZyWALL 1050

Multi Login
Allows users to log in to the system simultaneously
Allows multiple administrators to configure the system concurrently
Administration account: account used to manage the system
Access account: account used by a user to get through the ZyWALL 1050 device

User Aware

User object & user group object
Users must authenticate themselves before they can get through the ZyWALL
The user-based policy scheme is an optional function of the ZyWALL 1050
Embedded auth server: HTTP & HTTPS
User database: local profile, or look up by LDAP or RADIUS
Lease timer & re-authentication timer, and global traffic idle timer
Used by policy route, firewall, content filtering, app patrol, etc.

Configuration Object
Objects can be reused, which makes configuration tasks easier:
User / user group
AAA server
Auth method
Schedule
Address / address group
Service / service group
Certificate
ISP account

User & User Group Object

AAA Server Object

Auth Method Object

Schedule Object

Address & Address/GW Group Object

Log Implementation
Internal buffer: 512 entries (a small buffer; forward to a syslog server anything you need to retain)
Log can be viewed by console/SSH/Telnet or the Web GUI
E-mail system: two accounts, with sender authentication
Syslog server: four accounts

Log Viewer

Log Configuration

Maintenance Tool
ping
nslookup
traceroute
packet trace
show socket
show arp table

Traffic Snapshot & Report
The report provides statistics on the top 20 bandwidth usages, by user/IP and service/port concurrently
The snapshot sketches bandwidth usage for user/IP and service/port by analyzing current sessions
Since the traffic log is sent after the session is terminated, it is of no help for immediate traffic troubleshooting

Traffic Report

Traffic Snapshot

Dynamic Routing
RIP v1 & v2, with simple (plaintext) & MD5 authentication
OSPF: normal, stub & NSSA areas; simple (plaintext) & MD5 authentication; virtual link

Service Platform
Security info center: mySecurityZone
Service management center: myZyXEL.com
Device registration
Trial service activation
Service update: standard service activation
Service refresh: service lifetime checkup
Signature update

Built-In Services
DHCP server
DNS server (A, NS & MX records)
DDNS
HTTP & HTTPS server
SSH server, versions 1 & 2.0 (protocol version 1 has well-known weaknesses; manage over version 2 or HTTPS rather than Telnet or FTP where you can)
TELNET server
FTP server (FTP-TLS support)
SNMP agent, v1 & v2c

Hands-on: Lunch

One-Time Password token

ZyWALL OTP
One-Time Password for Two-Factor Authentication

Strong Authentication Solution with OTP
Strong two-factor authentication solution
One token for many applications
No expiration date for lower operating costs
Intuitive and easy to install, use and manage
Seamless integration with ZyWALL security products


Solution Diagram

Central site: customers need to install the ZyXEL/Authenex server as the authentication server.
Remote user: a ZyWALL OTP token for each remote user.

[Diagram: an employee on a home computer, an employee laptop in an airport kiosk or hotel, and authorized partners and customers, each holding a ZyWALL OTP token, reach the ZyWALL USG series firewall over the Internet. The LAN behind it holds the ZyXEL/Authenex server, email server, file share, BI system, OA/ERP system, CRM system, web-based application servers (inventory, store, ...), remote desktop and network extend.]

Management Tools
Vantage CNM and Report

Vantage CNM - Key Feature Sets
Centralized UTM management for license and policy enforcement
One-click VPN configuration
Group device configuration for mass deployments
Real-time monitoring, alerting and comprehensive reporting

Centralized UTM Management for License and Policy Enforcement
Benefits:
Proactive license expiry notification
Group policy enforcement
Active UTM attack notification
Centralized license management
Useful comprehensive reports

Centralized license management: subscription monitor, expiry notification
Security policy enforcement: group policy setting, group signature setting
UTM attack monitor & alert: monitor and alert on threat outbreaks
Comprehensive UTM report: comprehensive report, scheduled report

One-Click VPN Configuration
Benefits:
Intuitive VPN deployment
Reduces the time, cost and complexity involved in VPN configuration
Active view of VPN tunnel status
Simple click-and-draw VPN editor
Viewing VPN tunnel status

Group Device Configuration for Mass Deployments
Benefit: low TCO for massive deployments and maintenance
Automatic unattended upgrade
Firmware upgrade: by schedule or immediately
Device configuration and policy: group configuration for multiple devices; configuration template to simplify configuration tasks; device setting backup/restore

Real-time Monitoring, Alerting and Comprehensive Graphic Reporting
Benefits:
Real-time device monitoring
Active alarm notification
Centralized logging & reporting
Automatic scheduled reports

Real-time monitoring: device online/offline status, device alarm status, VPN tunnel up/down status
Alerting: visual icon, email notification
Comprehensive graphic reporting: more than 50 predefined reports including network threat and traffic reports; detailed drill-down information; automatic scheduled email generation

Vantage CNM Application Scenario

1.1 Topology: Managed Security Provider
[Diagram: a managed service provider runs the Vantage CNM server and manages, over the Internet, the Internet security appliances of Company A (offices 1, 2 and 3) and Company B.]

1.2 Topology: Distributed Enterprise
[Diagram: Company C's IT manager runs the Vantage CNM server at the main site (departments 1 and 2) and manages the Internet security appliances of a branch office and a telecommuter's personal security appliance over the Internet.]

1.3 Topology: Centralized Logging and Reporting
[Diagram: ZyWALL A and ZyWALL B send syslog over the Internet to the Vantage CNM & reporting server; a client with IE performs online queries against it.]

Vantage Report Example

2.1 UTM Management - Policy Profile Management
Apply AV/AS/IDP/CF building blocks (configuration templates) to selected devices
Group configuration: apply settings to selected devices

1.2 UTM Management - License Management
Centralized license management: subscription monitor, license monitor, maintenance/upgrade

1.3 UTM Management - Alarm Indication
Immediate visual alarm indication
Email alert to device owner & administrator
Problem identification through the alarm monitor
E-mail alert content: device under attack

2.1 VPN Management - One-Click VPN
Easy VPN creation by click and drag between VPN gateways
(1) Click
(2) Drag
(3) Configure both devices

2.2 VPN Management - VPN Status
Visual indication of VPN tunnel up/down status
VPN tunnel is up
VPN tunnel is down

3.1 Device Maintenance - Group Firmware Upgrade
Group firmware upgrade: scheduled or immediate
Select devices for firmware upgrade
Scheduling or immediately

3.2 Device Maintenance - Configuration Backup/Restore
Configuration backup/restore for a group of devices

4.1 Graphic Reporting - Predefined Reports: Traffic Report
Top protocol report
Bandwidth monitor

4.1 Graphic Reporting - Predefined Reports: Network Attack
Intrusion/attack/AV/AS report
Top source/destination report

4.1 Graphic Reporting - Predefined Reports: Security Policy
Web blocked/allowed report
Top host report

4.2 Graphic Reporting - Scheduled Reports
Scheduled report via email
Daily/weekly report generated automatically
Create daily/weekly report
Configure daily/weekly report

4.2 Graphic Reporting - Scheduled Reports
Scheduled report via email
HTML/PDF format report as email attachment
Report type: both/HTML/PDF
Report content

Case Study

Case Study
Dynamic IP address
Zombie tunnel
IPSec and NAT

Dynamic IP Address
VPN between two security gateways, one using a dynamic IP address
[Diagram: PC1 behind a security gateway with a dynamic IP address, an IPSec tunnel over the Internet to a security gateway with a static IP address, and PC2 behind it.]

Dynamic IP, Both Sides
Both sides have a dynamic IP address
Router A: DDNS enabled (zywall.dyndns.org)
Router B: Secure GW = DNS name
[Diagram: A has My IP = 0.0.0.0 and Secure GW = 0.0.0.0 with DDNS enabled; B has My IP = 0.0.0.0 and Secure GW = zywall.dyndns.org; IPSec tunnel mode between them over the Internet.]
With Secure GW = 0.0.0.0, A accepts IKE from any address and can only act as responder, so B must always initiate, and the peer authentication (pre-shared key or certificate) is the only thing binding the tunnel to B.

Zombie Tunnel
Sometimes a zombie tunnel may occur after:
IP changes
System restart
[Diagram: A and B have a VPN; B changes IP or restarts; A still holds the old SA, so B's new negotiation fails with a local/remote network conflict.]

Initial Contact
If the following conditions are met:
Router B restarts
Router B is a ZyWALL
Router B is using a static IP
then B sends INITIAL-CONTACT to A, no matter whether it is the initiator or the responder, and A discards the stale SAs it still holds for that peer.
Initial contact is per-host based.

Idle Time Out
Outbound idle timeout: no outbound traffic for # min (B on a dynamic IP)
Inbound idle timeout: no inbound traffic for # min
Either timer tearing down the stale tunnel lets a fresh negotiation succeed.

SA Life Time and Idle Timer
[Diagram: timeline of phase 1 SAs with their phase 2 SAs, showing a 2-minute idle timer.]
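The zombie tunnel and its two remedies (INITIAL-CONTACT and the idle timers) can be reproduced in a few lines. The following is an added example, not ZyWALL code: a toy SA table for gateway A in which a peer is identified by its IKE identity (stable across address changes) and a phase 2 negotiation is refused when an existing SA from a different address already claims the same local/remote networks. Addresses, identities and timer values are constructed; the exact conflict check and timer semantics in ZLD are not on the page and are assumed here.

```python
from dataclasses import dataclass


@dataclass
class SA:
    peer_id: str        # IKE identity (e.g. the peer's FQDN), stable across IP changes
    peer_ip: str        # address the SA was negotiated with
    local_net: str
    remote_net: str
    last_in: float      # time of the last inbound packet through the tunnel
    last_out: float     # time of the last outbound packet


class SADatabase:
    """Security association table of gateway A with the two recovery mechanisms."""

    def __init__(self, inbound_idle=120.0, outbound_idle=120.0):
        self.sas = []
        self.inbound_idle = inbound_idle
        self.outbound_idle = outbound_idle

    def negotiate(self, peer_id, peer_ip, local_net, remote_net, now, initial_contact=False):
        """Phase 2 negotiation as seen by the responder; returns 'ok' or a failure reason."""
        if initial_contact:
            # INITIAL-CONTACT is per host: drop every SA with this peer identity,
            # whichever side initiated, because the peer has no memory of them.
            self.sas = [sa for sa in self.sas if sa.peer_id != peer_id]
        for sa in self.sas:
            if (sa.local_net, sa.remote_net) == (local_net, remote_net) and sa.peer_ip != peer_ip:
                # A zombie: the old SA still claims these networks from another address.
                return f"fail: local/remote network conflict with SA to {sa.peer_ip}"
        self.sas.append(SA(peer_id, peer_ip, local_net, remote_net, now, now))
        return "ok"

    def traffic(self, peer_ip, direction, now):
        for sa in self.sas:
            if sa.peer_ip == peer_ip:
                if direction == "in":
                    sa.last_in = now
                else:
                    sa.last_out = now

    def expire_idle(self, now):
        """Tear down SAs that hit either idle timer; returns how many were removed."""
        before = len(self.sas)
        self.sas = [sa for sa in self.sas
                    if now - sa.last_in < self.inbound_idle
                    and now - sa.last_out < self.outbound_idle]
        return before - len(self.sas)


def case_study():
    """Constructed scenario: B on a dynamic address, A running the idle timers."""
    results = {}
    nets = ("192.168.1.0/24", "192.168.2.0/24")
    a = SADatabase(inbound_idle=120, outbound_idle=120)
    results["first"] = a.negotiate("b.example", "198.51.100.10", *nets, now=0)
    # B's ISP hands it a new address and B restarts; A still holds the old SA.
    results["zombie"] = a.negotiate("b.example", "198.51.100.20", *nets, now=10)
    # The same negotiation carrying INITIAL-CONTACT: the stale SA is purged first.
    results["initial_contact"] = a.negotiate("b.example", "198.51.100.20", *nets, now=10,
                                             initial_contact=True)
    results["sa_count"] = len(a.sas)
    # Without INITIAL-CONTACT the idle timers are the fallback: the zombie SA sees no
    # inbound traffic (B is gone), so the inbound idle timer eventually clears it even
    # though A keeps sending into the dead tunnel.
    b = SADatabase(inbound_idle=120, outbound_idle=120)
    b.negotiate("b.example", "198.51.100.10", *nets, now=0)
    b.traffic("198.51.100.10", "out", now=100)
    results["idle_expired"] = b.expire_idle(now=150)
    results["after_idle"] = b.negotiate("b.example", "198.51.100.20", *nets, now=150)
    return results


if __name__ == "__main__":
    for name, value in case_study().items():
        print(f"{name:16} {value}")
```

Note why both timers exist: a one-sided outbound idle timer never fires while A keeps trying to reach B's old address, so it is the inbound timer that catches a peer that silently changed address or rebooted without INITIAL-CONTACT.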

IPSec and NAT

Is a host behind NAT allowed to use IPSec?

NAT condition                         Supported IPSec protocol
VPN gateway with embedded NAT         AH tunnel mode, ESP tunnel mode
VPN client/gateway behind NAT         ESP tunnel mode
NAT in transport mode                 None
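The three rows of that table follow from what each protocol's integrity check covers. The following added example (not ZyWALL code) models AH and ESP just far enough to show it: AH's ICV spans the outer addresses, so a translator on the path breaks it; ESP's ICV spans only its own payload, so tunnel mode survives; in transport mode the integrity check passes but the TCP checksum, computed over the original addresses and now sealed inside ESP where the NAT cannot fix it, fails at the end host. Addresses, the key and the "checksum" stand-in are constructed; ESP encryption and the real header layouts are omitted.

```python
import hashlib
import hmac
import json

KEY = b"constructed example key"  # stand-in for the SA's integrity key, not a real one


def _icv(*fields):
    return hmac.new(KEY, "|".join(fields).encode(), hashlib.sha256).hexdigest()


def tcp_segment(src, dst, data):
    # TCP's checksum covers a pseudo-header containing the IP addresses; a short
    # hash stands in for it here.
    csum = hashlib.sha256(f"{src}|{dst}|{data}".encode()).hexdigest()[:4]
    return {"data": data, "csum": csum}


def tcp_checksum_ok(segment, src, dst):
    return tcp_segment(src, dst, segment["data"])["csum"] == segment["csum"]


def ah_tunnel(outer_src, outer_dst, inner_src, inner_dst, data):
    inner = {"src": inner_src, "dst": inner_dst, "seg": tcp_segment(inner_src, inner_dst, data)}
    body = json.dumps(inner)
    # AH authenticates the immutable outer header fields (the addresses) plus the payload.
    return {"proto": "AH", "mode": "tunnel", "src": outer_src, "dst": outer_dst,
            "body": body, "icv": _icv(outer_src, outer_dst, body)}


def esp_tunnel(outer_src, outer_dst, inner_src, inner_dst, data):
    inner = {"src": inner_src, "dst": inner_dst, "seg": tcp_segment(inner_src, inner_dst, data)}
    body = json.dumps(inner)          # would be ciphertext in real ESP; encryption omitted
    # ESP authenticates only its own payload; the outer IP header is not covered.
    return {"proto": "ESP", "mode": "tunnel", "src": outer_src, "dst": outer_dst,
            "body": body, "icv": _icv(body)}


def esp_transport(src, dst, data):
    # Transport mode: no inner header; the TCP segment rides directly under the IP
    # header whose addresses its checksum was computed over.
    body = json.dumps(tcp_segment(src, dst, data))
    return {"proto": "ESP", "mode": "transport", "src": src, "dst": dst,
            "body": body, "icv": _icv(body)}


def source_nat(packet, new_src):
    # A NAT on the path rewrites the outer source address. It cannot touch the
    # protected payload, so a TCP checksum sealed inside ESP stays as it was.
    return {**packet, "src": new_src}


def receive(packet):
    """What the far end sees: (IPSec integrity check passed, TCP checksum valid)."""
    if packet["proto"] == "AH":
        expected = _icv(packet["src"], packet["dst"], packet["body"])
    else:
        expected = _icv(packet["body"])
    if not hmac.compare_digest(expected, packet["icv"]):
        return False, False               # discarded before any decapsulation
    inner = json.loads(packet["body"])
    if packet["mode"] == "tunnel":
        # The inner header travelled inside the tunnel; the outer NAT never saw it.
        return True, tcp_checksum_ok(inner["seg"], inner["src"], inner["dst"])
    # Transport mode: the only header is the one the NAT rewrote.
    return True, tcp_checksum_ok(inner, packet["src"], packet["dst"])


def run_scenarios():
    """Constructed addresses; one case per row of the table above."""
    gw_a, gw_b, nat_ip = "203.0.113.1", "198.51.100.1", "203.0.113.77"
    host, server = "192.168.1.10", "192.168.2.20"
    return {
        # Gateway-embedded NAT translates the inner address before IPSec is applied,
        # so the ICV is computed after translation and nothing changes en route.
        "gateway_nat_ah": receive(ah_tunnel(gw_a, gw_b, "10.1.1.10", server, "GET /")),
        "gateway_nat_esp": receive(esp_tunnel(gw_a, gw_b, "10.1.1.10", server, "GET /")),
        # Client/gateway behind NAT: the translator rewrites the outer source after IPSec.
        "behind_nat_ah": receive(source_nat(ah_tunnel(host, gw_b, host, server, "GET /"), nat_ip)),
        "behind_nat_esp": receive(source_nat(esp_tunnel(host, gw_b, host, server, "GET /"), nat_ip)),
        # Transport mode through NAT: integrity passes, the end host's TCP checksum fails.
        "transport_nat_esp": receive(source_nat(esp_transport(host, gw_b, "GET /"), nat_ip)),
    }


if __name__ == "__main__":
    for name, (icv_ok, tcp_ok) in run_scenarios().items():
        print(f"{name:18} icv_ok={icv_ok} tcp_ok={tcp_ok}")
```

One thing the model leaves out: ESP has no port numbers, so a port-based NAT also needs NAT traversal (ESP encapsulated in UDP, port 4500) to map the flow at all. That is a separate problem from the integrity and checksum behaviour shown here, which is what decides the rows of the table.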

Q&A
Thank You!