2008
Zsolt Benk
ZyXEL Hungary
IT security issues
Instant Messaging Applications: consume an excessive amount of bandwidth and share sensitive corporate documents
Software Tunnel Applications: bypass the firewall to expose organizations to risk, and waste network resources
Webmail/Posting Applications: increase potential legal liability, waste personnel time and network resources
Advanced Technology
High Performance with 8-in-1 Features
Advantages / Potential Burden (diagram: Users, Servers, UTM, Internet)
Bandwidth Mgmt
Web Filters
Anti-Virus
IDS / IDP
Anti-Spam
VPN / Firewall
Load Balance
Advanced Technology
Integrated Kaspersky
Gateway Anti-Virus
#1 Detection Rates
#1 Response Time to
New Threats
#1 Updating Frequency
Proprietary Security
Acceleration Chip
Hardware scanning
engine
Hardware encryption
Real-time content
analysis
Anti-Spam
Intrusion Prevention
USG
Anti-Virus
Web Content Filtering
Bandwidth Management
Load Balance
VPN
Firewall
SMB
Security Demand
Enterprise
Security Demand
ZyXEL SecuASIC
Other ASIC
No ASIC
5X
Software-based UTM:
99% Performance Drop
Layer 3 Application: Packet Filter Firewall
Layer 7 Application: IDP, Anti-Virus
20X
Inspection
Flow
File-based Scanning
Stream-based Scanning
ZyWALL Overview
Portfolio
ZyWALL Landscape
Family Matrix
ZyWALL UTM
IP-Based
IPSec VPN
IP-Based
Dual WAN
1000+ Signatures
Non-Certified
Anti-Spam
Content Filtering
Performance
- More horse power
Anti-X
- AV/IDP: More signatures
- IM/P2P/Application Patrol
- AS: RBL/ORDBL
Hybrid VPN
Flexible
- User-Aware/ App-Centric
- Object-based
- VLAN & Flexible Zone
Misc
- Enterprise-level features
- User-Friendly
User-Aware
Application Patrol (IM/P2P)
Hybrid VPN
(IPSec VPN + SSL VPN)
User-/Application-Based
Multiple WAN
ICSA-Certified
10,000+ Signatures
NSS-Certified
Enhanced Anti-Spam
Secure Content Mgmt
Device HA
Secure Wireless Mgmt
Multi-lingual WebGUI
More
ZyWALL Portfolio
Next Generation products
Enterprise
USG 1000
500+ users
ZyWALL 1050
Mid-Large
(100-500 users)
ZyWALL 70 UTM
ZyWALL 35 UTM
ZyWALL 5 UTM
ZyWALL 2+ / P1
SMB
(50-100 users)
SB
(<50 users)
SOHO
Redundant
power
- UTM +
- UTM + 2000 IPSec, 750 SSL
- Web Security (HTTP firewall)
ZyWALL USG 2000
- IM/P2P management
- 3G, WLAN security
300M FW
- M-WANs, 8 Giga ports, 2 USB, 1000 IPSec, 250 SSL
- ICSA certifications
HDD
ZyWALL
HDD support
M-WANs
200 IPSec, 25 SSL
19" Rack mount
Flexible Zone
SMB
3 WANs
100 IPSec, 10 SSL
ZyWALL USG 200
SB
ZyWALL
USG 100
ZyWALL
USG 300
USG 1000
FCS
Available
Q208
Features
Supported 3G Cards:
Sierra Wireless: AC595, AC850, AC860, AC875
Huawei: E612, E620 Option GT HSDPA 7.2 Ready, EC500
ZyWALL 2WG
LEDs:
PWR
WIFI Antenna:
2 dBi Antenna x 2
Power Jack
4 Port LAN/DMZ
Interface:
WAN Port
Extension Card Slot:
To install 3G/3.5G Card
PWR
SYS
AUX (status of Dial Backup/Dial-In)
CARD (status of Extension Card Slot)
Interface:
AUX
Interface:
Dial-Backup/Dial-In OOB:
DB-9 M
Interface:
Console: DB-9 F
Future Upgrade
1. 3G Cellular Card
2. Wireless LAN Card etc
Power:
12VDC
100~240VAC
USB, 3G
SecuASIC Inside
More Interface
All Gigabit Ethernet
Interface:
PWR
(2) WAN1, WAN2: 10/100/1000
SYS
(1) Optional: 10/100/1000 (can be 3rd WAN, or additional LAN/DMZ)
AUX (status of Dial Backup/Dial-In)
(4) LAN1/LAN2/DMZ: 10/100/1000, Configurable Port Role
CARD (status of Extension Card Slot)
(2) USB: 2.0, for 3G, etc.
AUX
Interface:
Dial-Backup/Dial-In OOB:
DB-9 M
Interface:
Console: DB-9 F
Future Upgrade
1. 3G Cellular Card
2. Wireless LAN Card etc
Power:
12VDC
100~240VAC
USB, 3G
SecuASIC Inside
More Interface
All Gigabit Ethernet
Interface:
PWR
(7) Gigabit Ethernet: 10/100/1000, Configurable Port Role
SYS
(2) USB: 2.0, for printer, storage, etc.
AUX (status of Dial Backup/Dial-In)
CARD1 (status of Extension Card Slot1)
Interface:
CARD2 (status of Extension Card Slot2)
Dial-Backup/Dial-In OOB: DB-9 M
Console: DB-9 F
Power:
100~240VAC
Ventilation Fans
Power Switch
100~240VAC
Interface:
6 GbE: 10/100/1000
(Auto MDI/MDIX)
2 SFP: Dual-Personality
Combo Port
Card Slot:
CardBus slot
Fan:
Ventilation Fans
HDD Slot:
HDD
Expansion Slot
USB:
Power Redundancy:
Module     UTM Performance   VPN Performance   Max. IPSec VPN Tunnels   Max. SSL VPN Users
SEM-DUAL   400Mbps           500Mbps           2,000                    750
SEM-UTM    400Mbps           100Mbps           1,000                    250
SEM-VPN    100Mbps           500Mbps           2,000                    750
System
Interface
IPSec VPN
SSL VPN
USB
Extension Slot
SFP
USG 100
USG 200
USG 300
USG 1000
USG 2000
Freescale 8343E
255M/256M
CIP1001 * 1
Freescale 8343E
256M/256M
CIP1001 * 1
Freescale 8349E
256M/256M
CIP1001 * 2
Pentium M 1.8G
256M/1G
CIP2001 * 1
Intel E6400
256M/2G
CIP3001 * 1*
Firewall: 350M
VPN: 150M
UTM: 100M
Session: 200k
Session Rate: 13k
Firewall: 2G
VPN: 500M*
UTM: 400M*
Session: 1kk
Session Rate: 20k
Firewall: 100M
VPN: 50M
UTM: 24M
Session: 20k
Session Rate: 1k
Firewall: 150M
VPN: 75M
UTM: 24M
Session: 40k
Session Rate: 1.4k
Firewall: 200M
VPN: 100M
UTM: 48M
Session: 60k
Session Rate: 2k
Gigabit Ethernet
2*WAN,
5*LAN/DMZ
Gigabit Ethernet
2*WAN, 1*OPT
4*LAN/DMZ
Gigabit Ethernet
7 Configurable
Gigabit Ethernet
5 Configurable
Gigabit Ethernet
6 Configurable
2 SFP (combo)
50
100
200
1000
2000
2 -> 5
2 -> 10
1 (Cardbus)
1 (Cardbus)
2 (Cardbus)
1 (Cardbus)
1 (Cardbus)
No
No
No
No
Yes
Strong Two-Factor Authentication Solution
One Token for Many Applications
No Expiration Date for Lower Op
Intuitive and Easy to Install, Use and Manage
Seamless Integration with
ZyWALL Security Products
ZyWALL OTP 5U
Auto Update
Anti-Virus Specifications
Stream-based gateway AV
ICSA-certified (in progress)
Zone-based AV inspection
Protocol supported
HTTP/SMTP/POP3/FTP/IMAP4
Performance
HW-accelerated SecuASIC
Throughput over 96Mbps for ALL protocols
No file size limit; no concurrent session limit
Compression Archives
10,000+
Enabling configuration
of different AV
inspection rules to
meet security policy
Anti-Virus (cont.)
BWL (Blacklist & Whitelist)
Action on Virus
Log / Alert
Reporting
Anti-Virus SKU
Trial period
SKU
More than 1 million spam filter checks with constant real-time updating
Block non-English language spam with language independent filters
Protect against Phishing in email with latest Antifraud filters
Internet
www.zyxel.com
1. Request to www.zyxel.com
2. Follow category result to
forward/block HTTP response
Need a break..?
IPSec VPN
What is VPN?
Private Network
Why VPN?
Security
Authentication
Encryption
Cost
Internet
Internet
Sniffer
Can't reach
or
understand
IPSec
Internet Protocol Security
Application Layer
Transport Layer
Network Layer
(IPSec Protocol)
Data Link Layer
Physical Layer
IPSec (cont.)
Two operation modes:
Transport mode
Tunnel mode
Internet
Tunnel Mode
Tunnel Mode
Transport Mode
IPSec (cont.)
Benefits of IPSec
Confidentiality
Integrity
Security Association
Security Contract
DES
MD5
Key
PFS
Internet
DES
MD5
Key
PFS
SA Creation
Manually
Offline Negotiation
Never expire
Debugging tool
Dynamically
SA Deletion
SA lifetime expired
Seconds/Bytes
SA deletion requested
Re-keying
ZyXEL VPN
Applications
Corporate to Corporate
Mobile User
SOHO User
Mobile User
Corporate
SOHO
user
Internet
ZyWALL
= VPN
ZyWALL
Corporate
Features
IPSec Protocol
AH, ESP
Replay Detection
Key Management
IKE, Manual
Negotiation Mode
Security Protocols
ESP (Encapsulation Security Payload)
AH (Authentication Header)
Original
ESP
AH
IP
Protected
header
data
IP
header
encrypted
ESP Protected
Protected ESP
ESP
header
data
data
trailer
trailer
authenticated
IP
header
AH
header
Protected
data
authenticated
Address Type
Single: Only one host can use VPN
192.168.1.33
Range: A range of hosts can use VPN.
Start: 192.168.1.33
End: 192.168.1.254
Subnet (start address and netmask): A whole subnet can use VPN.
Start: 192.168.1.0
End: 255.255.255.0
Features (cont.)
Party Identification
Pre-shared key
Digital Certificate
Encryption Algorithm
Authentication Algorithm
SHA1, MD5
Key Group
DH1, DH2
IKE Phases and Modes
Phase 1 (IKE SA): Main Mode / Aggressive Mode
Phase 2 (IPSec SA): Quick Mode
Three Modes: Main Mode, Aggressive Mode, Quick Mode
Phase 1
Policy Suite Negotiation
Encryption algorithm
Authentication Method
Diffie-Hellman group
Phase 2
IPSec SA
Authentication Method
Policy
Local/Remote Network
IPSec Overview
UDP
Port: 500
ESP/AH
Port: none
DES
MD5
Key
3DES
SHA-1
Key
phase 1 negotiation
DES
MD5
Key
phase 2 negotiation
3DES
SHA-1
Key
Main Mode (six messages between Initiator and Responder)
1. Initiator -> Responder: Header, SA
2. Responder -> Initiator: Header, SA
3. Initiator -> Responder: Header, Key, Nonce
4. Responder -> Initiator: Header, Key, Nonce
5. Initiator -> Responder: Header, ID, Hash (encrypted)
6. Responder -> Initiator: Header, ID, Hash (encrypted)
ID: Identification
Key: Key Exchange Payload
Nonce: random value
Aggressive Mode
Faster but less secure than Main Mode
1. Initiator -> Responder: Header, SA, Key, Nonce, ID
2. Responder -> Initiator: Header, SA, Key, Nonce, ID, Hash
3. Initiator -> Responder: Header, Hash
Quick Mode
Phase 2 is quick
1. Initiator -> Responder: Header, Hash, SA, Nonce, ID, ID
2. Responder -> Initiator: Header, Hash, SA, Nonce, ID, ID
3. Initiator -> Responder: Header, Hash
PFS (Perfect Forward Secrecy)
Without PFS: Old Key -> Function -> New Key
With PFS: Function -> New Key (not derived from the Old Key)
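The PFS slide only draws "Old Key -> Function -> New Key". The following added example (not part of the original deck or any ZyXEL code) makes the difference concrete: it rekeys a Phase 2 SA once from the old keying material alone and once with a fresh Diffie-Hellman exchange, then checks what someone holding the old key plus everything captured on the wire can reproduce. The DH group is a toy one constructed for illustration; the derivation shapes (HMAC-SHA1 over nonces, with the fresh g^xy mixed in when PFS is on) are assumptions that mirror IKEv1's KEYMAT structure, not ZyWALL's exact implementation.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, constructed for illustration only. The DH1/DH2 groups
# named on the slides are 768- and 1024-bit MODP primes; this one is far too small for real use.
P = 2**127 - 1
G = 5


def dh_keypair():
    """Return (private exponent, public value) in the toy group."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def dh_shared_secret(private: int, peer_public: int) -> int:
    """g^xy mod p: computable only by a party that holds one of the private exponents."""
    return pow(peer_public, private, P)


def prf(key: bytes, data: bytes) -> bytes:
    """Keyed PRF for key derivation (HMAC-SHA1, matching the SHA-1 choice on the slides)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def _int_bytes(n: int) -> bytes:
    return n.to_bytes(16, "big")


def rekey_without_pfs(old_key: bytes, nonce_i: bytes, nonce_r: bytes) -> bytes:
    """'Old Key -> Function -> New Key': the new SA key depends only on old keying material and nonces."""
    return prf(old_key, nonce_i + nonce_r)


def rekey_with_pfs(old_key: bytes, private: int, peer_public: int, nonce_i: bytes, nonce_r: bytes) -> bytes:
    """With PFS a fresh g^xy from a new DH exchange is mixed into every rekey."""
    fresh = dh_shared_secret(private, peer_public)
    return prf(old_key, _int_bytes(fresh) + nonce_i + nonce_r)


def demo() -> dict:
    """Simulate one rekey both ways and report what a holder of the old key can recompute."""
    nonce_i, nonce_r = secrets.token_bytes(16), secrets.token_bytes(16)   # sent in clear in Quick Mode
    old_key = secrets.token_bytes(20)                                    # Phase 1 keying material, assumed compromised

    # Peers rekey without PFS.
    new_no_pfs = rekey_without_pfs(old_key, nonce_i, nonce_r)

    # Peers rekey with PFS: each side generates a fresh DH pair, only public values go on the wire.
    x_i, pub_i = dh_keypair()
    x_r, pub_r = dh_keypair()
    new_pfs_initiator = rekey_with_pfs(old_key, x_i, pub_r, nonce_i, nonce_r)
    new_pfs_responder = rekey_with_pfs(old_key, x_r, pub_i, nonce_i, nonce_r)

    # Observer's view: old_key, both nonces and both public values, but no private exponent,
    # so the most it can derive is the same function applied without g^xy.
    observer_no_pfs = rekey_without_pfs(old_key, nonce_i, nonce_r)
    observer_pfs_attempt = prf(old_key, nonce_i + nonce_r)

    return {
        "peers_agree_with_pfs": new_pfs_initiator == new_pfs_responder,
        "old_key_reveals_new_key_without_pfs": observer_no_pfs == new_no_pfs,
        "old_key_reveals_new_key_with_pfs": observer_pfs_attempt == new_pfs_initiator,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The run shows the property the slide is about: without PFS, the old key plus the captured nonces is enough to rebuild the new SA key, while with PFS the same material yields nothing because g^xy never appears on the wire. This is also why enabling PFS costs an extra DH computation on every Quick Mode.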
LAN 1
Security Gateway
IPSec Connection
Security Protocol
Authentication Algorithm
Key Group
Encapsulation Mode
Internet
Security Gateway
SSL VPN
What is SSL/TLS
Why SSL VPN
What is SSL/TLS ?
What is SSL/TLS ?
What is SSL/TLS ?
Secured by
SSL
Laptop
Kiosk
Internet
SSL VPN
Mainframe
Server
Mobile Device
Partner
Desktop
Authentication
Data Encryption
Advantages
Clientless
No extra configuration required on the user's machine
Ideal for Mobile Access
Reverse Proxy
Port Forwarding (not supported by ZLD 2.0)
Network Extension
Company
Home
Authentication
Server
LDAP,RADIUS,
Active Directory
File Server
Email Server
Web browser on PC
Other Servers
Reverse Proxy
Client browser
Outlook Web
Access Server
http
https
https
http
Applications with
Web Interface
File Sharing
CIFS
CIFS Action
Network Extension
Authentication
Server
RADIUS, LDAP
Active Directory
Client browser
Client Appln
SSL
WAN PPTP
Layer 2
driver/ PPTP
Desktop
Applications
File Server
Any
Protocol
Email Server
Other Servers
SSL
Browser
Login portal
Download java applet
O.K
Search SSL VPN policy and
assign IP and routing entry,
DNS , WINS
ZyWALL
1050
eth0
vlan1
Laptop
Assign IP Addr
Provide routing list
192.168.192.75
172.21.0.0/16 192.168.192.75
172.23.0.0/16 192.168.192.75
172.23.0.0/16
Internet
Laptop
172.21.1.77
172.23.3.26
ZyWALL
1050
ge0
vlan1
172.21.0.0/16
172.23.0.0/16
Anytime/Anywhere Access: IPSec VPN vs. SSL VPN
                       IPSec VPN             SSL VPN
VPN Clientless         No (IPSec client)     Yes
Configuration          Pre-configuration     No
Application            Network layer         Application layer
Authentication         XAUTH, certificate    AAA, certificate
IP conflict solution   No                    Yes*
Ideal for              Site to site          Remote or mobile
* Won't have IP conflict issue
Application/User-Aware
Simplified deployment
Automatic agent download
Performance
Seamless Integration
Clientless Secure Remote Access
Comprehensive User Auth Mechanism
Seamless Integration
Employee on
Home Computer (IPSec)
ZyWALL 1050
Internet
WAN
Employee Laptop
In Airport Kiosk
or In Hotel (SSL)
Partners network
(Extranet via IPSec VPN)
Encrypted
LAN Zone
LAN
Decrypted
Email Server
File Share
BI System
Remote users can use a standard web browser to easily access corporate applications or file sharing without pre-installed or pre-configured VPN software.
ZyWALL 1050
Local Database
User
Group1
User
Group2
Internet
Remote Users
External Database
justin
zyxel
130201
Active
Directory
justin
RADIUS
LDAP
zyxel
130201
Two-Factor Authentication
Server
Enter PIN code
displayed on the
ZyWALL OTP
token
Application Note
HTTP Service
Remote
Management
ZyWALL 1050
Mail Service
BWM Enhancement
Access Granularity
Can differentiate access level per IM/P2P
application to enforce corporate access policy
ZLD 2.00
ZLD 1.0x
Integrated
BWM
User-Aware
Scheduling
Access
Granularity
IM/P2P
Up-to-date
Statistical Graph
Line chart showing per-application bandwidth usage over a 60-minute time frame
IDP Enhancement
Enabling flexible direction for IDP inspection
Zone-to-zone protection
Reporting
IDP Signatures
ICSA IDP certification (in progress)
Signature update
Visibility
IDP/ADP Comparison
L7 Inspection to Stop
Threats & Attacks
Signature Update
TA/PA
Protecting ZyWALL
Itself
Requiring iCard
Subscription
IDP
ADP
Device HA Enhancement
Enables a Link Monitoring option to monitor the link status of directly connected cables
When a link failure occurs, it triggers failover
LAN
WAN
Switch
Switch
Switch
ISP1
DSL CPE/Router
DSL CPE/Router
ISP2
GUI Enhancements
Dashboard Face-lift
New look and feel
Language Options
Mouse-over Info
Dashboard Face-lift
Click on More button to
view more details
Certification
ICSA Firewall Version 4.1
ICSA IPSec Version 1.1D
ICSA Anti-Virus
In progress
ICSA IDP
In progress
Summary SKU
ZyWALL 1050
SKUs
ZLD 2.00
ZLD 1.0x
Anti-Virus, 1-YR
Anti-Virus, 2-YR
IDP, 1-YR
IDP, 1-YR
Content Filter,
1-YR
SSL VPN, 5 to 25
SSL VPN, 25 to 50
SSL VPN, 5 to 50
GUI Overview
Begin
Default management IP address:
GUI Access
Help
Wizard
Logout
Web Console
Site Map
About
1. Start with Route
2. Then, set up Security Policy configuration
Frequently
used objects
Quick Start
Zone
A group of interfaces
A set of hosts with the same
characteristic
A logical element used to make
configuration of firewall rules easier
Note cont.
The physical ports on the front panel of
ZyWALL 1050 are named in the system as
ge1, ge2, ge3, ge4, ge5.
ge stands for Gigabit Ethernet
Trunk
IP Alias
Layer3 +
Bridge
VLAN
PPP
AUX
Ethernet
Port
Grouping
Physical Ports
L2 Switching
w/o Firewall
RJ45
Connection
Layer2 -
Set Next-Hop to ppp0. This policy route rule must be the first rule.
Add ppp0 to WAN Zone for firewall, IDP and Content Filter security policy.
Technical Data
Multi-Layer Protection
Firewall
Security Zone based
Global Zone
US_A
172.21.10.0/24
China_Real_A
192.168.10.0/24
China_A
192.168.200.0/24
[Diagram residue: China_Tunnel over sub-interfaces ge3:3, ge2:4, ge1:3 and ge1:2, with a 1.5M/384K ADSL link]
Inter-Zone
ge1:1
Manager_A
192.168.10.0/24
Intra-Zone
[Diagram residue: US_Tunnel over sub-interfaces ge3:2 and ge3:1, with 512K/64K ADSL and 2M Cable links]
Internet
FTP_A
192.168.100.2
DMZ Zone
WWW_A
192.168.100.1:8080
Sales_A
192.168.20.0/24
LAN Zone
RD_A
192.168.30.0/24
Finance_A
192.168.40.0/24
Customizable
Multi-zone
Segmentation
Zone Configuration
Firewall Configuration
Global Policy
Application Patrol
Managing from the application viewpoint vs. from the policy (user/role) based firewall viewpoint
Application Aware App. Classifier
Content Filtering
URL Filtering:
Inspection Sequence
Start
1. Trusted Web Sites?
2. (No) Allow Trusted Only?
3. (No) Forbidden Web Sites?
4. (No) Match Category Setting?
5. (No) Match URL Keyword Blocking?
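The inspection sequence above is a fixed-order decision procedure, which is easy to get wrong when the trusted list and the "allow trusted only" switch interact. The example below (added here; not ZyWALL code, and the profile field names, the parent-domain matching of site lists and the in-memory category table are all assumptions standing in for the product's objects and external category lookup) walks the five checks in the slide's order and returns the action with the rule that decided it.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse


@dataclass
class ContentFilterProfile:
    """Constructed stand-in for a content filter profile; field names are assumptions."""
    trusted_sites: set = field(default_factory=set)
    allow_trusted_only: bool = False
    forbidden_sites: set = field(default_factory=set)
    blocked_categories: set = field(default_factory=set)
    blocked_keywords: list = field(default_factory=list)
    category_db: dict = field(default_factory=dict)   # host -> category; stands in for the rating service


def _in_site_list(host: str, sites: set) -> bool:
    """Match the host or any parent domain (assumed semantics: 'zyxel.com' covers 'www.zyxel.com')."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in sites for i in range(len(labels)))


def inspect_url(url: str, profile: ContentFilterProfile):
    """Apply the slide's inspection sequence in order; return (action, deciding rule)."""
    if "://" not in url:                      # bare host names have no scheme; urlparse needs one
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()

    if _in_site_list(host, profile.trusted_sites):      # 1. Trusted Web Sites?
        return "forward", "trusted web site"
    if profile.allow_trusted_only:                      # 2. Allow Trusted Only?
        return "block", "allow trusted only"
    if _in_site_list(host, profile.forbidden_sites):    # 3. Forbidden Web Sites?
        return "block", "forbidden web site"
    category = profile.category_db.get(host)            # 4. Match Category Setting?
    if category in profile.blocked_categories:
        return "block", f"category: {category}"
    lowered = url.lower()                               # 5. Match URL Keyword Blocking?
    for keyword in profile.blocked_keywords:
        if keyword.lower() in lowered:
            return "block", f"url keyword: {keyword}"
    return "forward", "no rule matched"


# Constructed sample profile (hosts use the reserved .test TLD).
SAMPLE_PROFILE = ContentFilterProfile(
    trusted_sites={"zyxel.com"},
    forbidden_sites={"badsite.test"},
    blocked_categories={"Gambling"},
    blocked_keywords=["torrent"],
    category_db={"www.casino.test": "Gambling", "news.test": "News"},
)

if __name__ == "__main__":
    for u in ["http://www.zyxel.com/", "badsite.test", "http://www.casino.test/",
              "http://files.test/get?name=movie.torrent", "http://news.test/"]:
        print(u, "->", inspect_url(u, SAMPLE_PROFILE))
```

Note the ordering consequence: a trusted site is forwarded before the category and keyword checks run, and "allow trusted only" short-circuits everything after step 1, so a keyword rule never fires for a trusted host.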
Protocol Anomaly
Internal Network
Internet
inline NIDS
Internal Network
Internet
IPS
Internal Network
Gateway
VPN Tunnel
SNAT
Load Balancing
Trunk is a group of interfaces
NAT
SNAT Policy-Based
Supported NAT Types
One-to-One, Many-to-One
Virtual Port
Operation Mode
Switching Mode:
Layer 2 Switch
Transparent Mode:
Multiple port Bridge
Mixed Mode:
IPSec
User Aware (Prior login)
Route Based (Static)
Hands-on: VPN
Task: Establish the VPN triangle as shown in the diagram.
Encryption: AES
Authentication: SHA1
Keygroup: DH2
Encapsulation: Tunnel
Protocol: ESP
802.1q VLAN
Tag-based VLAN
VLAN Scenario
Tagged VLAN
ZyWALL1050
VLAN-aware Router
192.168.1.254 VLAN 1
192.168.2.254 VLAN 2
VLAN-aware SW
VLAN 3 192.168.3.254
VLAN-aware SW
Un-tagged VLAN
LAN 1
subnet 192.168.1.0
LAN 2
subnet 192.168.2.0
LAN 3
subnet 192.168.3.0
Device HA
Use VRRP to support A/P device HA
Auto sync support
Multi Login
Allow users to login system simultaneously
Allow multiple administrators to configure
system concurrently
Administration Account:
Access Account:
User Aware
Configuration Object
Objects can be reused, which makes configuration tasks easier
User / User Group
AAA Server
Auth Method
Schedule
ISP Account
Schedule Object
Log Implementation
Internal Buffer: 512 Entries
Logs can be viewed via
Console/SSH/Telnet
Web GUI
E-mail System
Two accounts
Sender Authentication
Log Viewer
Log Configuration
Maintenance Tool
ping
nslookup
Traceroute
Packet trace
Show socket
Traffic Report
Traffic Snapshot
Dynamic Routing
RIP
V1 & v2
OSPF
Service Platform
Security Info. Center: mySecurityZone
Built-In Services
DHCP Server
Hands-on: Lunch
OneTimePassword token
ZyWALL OTP
Solution Diagram
LAN
ZyWALL OTP
Email Server
Employee on
Home Computer
ZyWALL OTP
Internet
Firewall
Employee Laptop
In Airport Kiosk
or In Hotel
ZyWALL OTP
Authorized Partner
Authorized Customer
File Share
BI System
Management Tools
Vantage CNM and Report
Centralize License
Management
Subscription
Monitor
Expire Notification
Comprehensive Report
Schedule Report
Firmware Upgrade
By Schedule
Immediately
Device Configuration and Policy
Group Configuration for multiple
devices
Configuration Template to simplify configuration tasks
Device Setting Backup/Restore
Real-time Monitoring
Alerting
Visual Icon
Email Notification
Company B
Managed
Service
Provider
Internet
Security
Appliance
Internet
Office 3
Internet
Security
Appliance
Vantage
CNM
Server
Company A
Internet
Security
Appliance
Office 2
Internet
Security
Appliance
Office 1
Dept. 1
Dept. 2
Internet
Company C
IT
Manager
Vantage
CNM
Server
Internet
Security
Appliance
Internet
Security
Appliance
Personal
Security
Appliance
Telecommuter
ZyWALL A
Internet
ZyWALL B
Syslog
Maintenance/Upgrade
License Monitor
Subscription
Monitor
Maintenance/Upgrade
Device
under
Attack
(1) Click
(2) Drag
(3) Configure both devices
VPN Tunnel is Up
VPN Tunnel is Down
Immediately
Scheduling or Immediately
Report Content
Case Study
Case Study
Dynamic IP Address
Zombie Tunnel
IPSec and NAT
Dynamic IP Address
VPN between two Security Gateways
one using a dynamic IP address
PC1
PC2
Security Gateway
Internet
Security Gateway
IPSec Tunnel
Dynamic IP
Address
Static IP
Address
zywall.dyndns.org
Internet
A
My IP = 0.0.0.0
Secure GW = 0.0.0.0
With DDNS enabled
Zombie Tunnel
Sometimes a Zombie Tunnel may occur
IP Changes
System Restart
VPN
B
Change IP
A
A
B
Zombie Tunnel
Fail:
New negotiation gets a Local/Remote Network conflict
or
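Two earlier pieces of this deck come together in the zombie-tunnel failure: the VPN address types (Single, Range, Subnet) define the Local/Remote Network selectors, and a stale SA whose selectors still cover the new proposal produces the "Local/Remote Network conflict" named above. The example below (added here; not ZyWALL code) converts the three address types into network lists with Python's ipaddress module, tests whether a host falls inside a selector, and lists the active SAs whose local and remote selectors both overlap a new proposal. The address-type names, the SA dictionary layout and the sample SA table are assumptions constructed for the example; the IP values are the ones on the Address Type slide.

```python
import ipaddress


def address_object(kind: str, start: str, end: str = None):
    """Turn a VPN address object into a list of ipaddress networks.
    kind is 'single', 'range' or 'subnet' (names assumed); for 'subnet', end is the netmask."""
    if kind == "single":
        return [ipaddress.ip_network(start)]
    if kind == "range":
        first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if last < first:
            raise ValueError("range end precedes range start")
        return list(ipaddress.summarize_address_range(first, last))
    if kind == "subnet":
        return [ipaddress.ip_network(f"{start}/{end}", strict=False)]
    raise ValueError(f"unknown address type {kind!r}")


def covers(nets, host: str) -> bool:
    """True if the host address is inside any network of the selector."""
    addr = ipaddress.ip_address(host)
    return any(addr in n for n in nets)


def overlaps(nets_a, nets_b) -> bool:
    """True if any network of one selector overlaps any network of the other."""
    return any(a.overlaps(b) for a in nets_a for b in nets_b)


def conflicting_sas(active_sas, proposal):
    """Return the active SAs whose local AND remote selectors overlap the proposal's.
    These are the entries that make a fresh Phase 2 negotiation fail with a Local/Remote Network conflict."""
    return [sa for sa in active_sas
            if overlaps(sa["local"], proposal["local"]) and overlaps(sa["remote"], proposal["remote"])]


# Constructed sample: one SA left behind by a peer that changed IP or restarted (the zombie),
# plus one unrelated SA that must not be reported.
ACTIVE_SAS = [
    {"name": "stale-to-B",
     "local": address_object("subnet", "192.168.1.0", "255.255.255.0"),
     "remote": address_object("subnet", "10.0.0.0", "255.255.255.0")},
    {"name": "branch-C",
     "local": address_object("subnet", "192.168.1.0", "255.255.255.0"),
     "remote": address_object("subnet", "10.0.5.0", "255.255.255.0")},
]

NEW_PROPOSAL = {"local": address_object("range", "192.168.1.33", "192.168.1.254"),
                "remote": address_object("single", "10.0.0.7")}

if __name__ == "__main__":
    for sa in conflicting_sas(ACTIVE_SAS, NEW_PROPOSAL):
        print("conflict with", sa["name"])
```

In practice the remedy the deck goes on to describe is not to widen the selectors but to let the stale SA die: the idle timer deletes it after a period with no outbound traffic, and an Initial-Contact from the restarted peer clears it immediately.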
Restart
B
Initial - Contact
If the following conditions are met:
Router B Restarts
Router B is ZyWALL
Router B is using Static IP
B (static IP)
B (dynamic IP)
No Outbound for # min
Idle timer
phase 2
phase 2
2 Minutes
phase 2
Phase 1
2 Minutes
Idle timer
phase 2
phase 2
phase 2
NAT Condition
VPN Gateway
AH Tunnel mode
embedded NAT
None
Q&A
Thank You!!