2 zywall utm solution - zyxel.se


Post on 04-Feb-2022


Application Note: Threat Management Using ZyWALL 35 UTM

ZyWALL UTM Solution
ZyWALL UTM Application Note 2.2

Foreword

This support note describes how an SMB can minimize the impact of Internet threats using the ZyWALL 35 UTM as an example. The following chapters are designed to deliver comprehensive protection against Internet threats with minimum management effort.

Scenario

A typical SMB network illustration shows the security concerns of a corporate Intranet and public access in different network segments.

[Chapter 1] Threat management in a Multi-segment network environment and in a server protection environment with AV/IDP

[Chapter 2] Control the Use of IM/P2P Applications to Increase Employee Productivity

[Chapter 3] Curb Non-work Related Web Surfing and Mitigate Spyware and Phishing Threats

[Chapter 4] Reduce Spam with ZyWALL Anti-Spam Features

[Figure: example network with a LAN zone, a DMZ zone (Mail/HTTP/FTP servers), the WAN, the Internet, an intruder and a remote user]

Foreword

There is an increasing demand for an effective and proactive mechanism against Internet threats. In a Small and Medium sized Business (SMB) network environment, these threats could result in demand on limited IT resources, reduced productivity, information theft, business disruption and even financial loss.

ZyWALL 5/35/70 UTM (Unified Threat Management) is designed to deliver comprehensive protection against Internet threats with minimum management effort.

This support note describes how an SMB can minimize the impact of Internet threats using the ZyWALL 35 UTM as an example. The following figure shows an example network.

[Figure: Proactive Protection: Threat Management Using ZyWALL 35 UTM]

Scenario

A typical SMB network, as illustrated in the above figure, may be divided into different network segments, such as the Intranet (trusted network), the DMZ for publicly-accessed servers and the Internet (distrusted networks).

Within the Intranet, company employees require access to network resources. Common tasks include web surfing, sending/receiving e-mails either via the company mail server or free e-mail servers, file transfer or even using Instant Messaging (IM) applications to increase productivity.

In the DMZ, publicly-accessed servers (such as DNS, FTP, Web or E-mail servers) are hosted to provide services to customers or partners.

Any user can access the servers in the DMZ from the Internet. In addition to the basic access control lists included on the ZyWALL 35 UTM, the company IT management team also requires application layer protection to inspect traffic to or from these network segments to prevent any malicious activities from taking place.


[Chapter 1]: Threat Management

This product table briefly describes ZyXEL solutions for SMBs with fewer than 10 employees and is intended to be a guideline for choosing ZyXEL products for your main business location and teleworker connectivity.

1. In a Multi-Segment Network Environment

The following example shows you how to use the ZyWALL 35 UTM to prevent viruses and worms from entering the Intranet and DMZ networks behind the ZyWALL.

Since most viruses and worms originate from the Internet, all incoming traffic from the Internet (or the WAN) to the Intranet (or the LAN and DMZ) should be inspected. Set up the ZyWALL 35 UTM as shown in the example figure to prevent viruses or worms from spreading into your network.

1.1 Service Registration and Activation Using the iCard

1.1.1 ZyNOS 4 + Turbo Card

The ZyWALL 35 UTM is the first model in the ZyWALL series to support the AV (Anti-Virus) and IDP (Intrusion Detection and Prevention) services and the latest ZyNOS 4. In order to take advantage of these enhanced features, you must install a ZyWALL Turbo Card in the ZyWALL 35 UTM. The ZyWALL Turbo Card is a hardware accelerator that allows your ZyWALL 35 UTM to deliver the best performance.

Refer to the documentation that comes with your ZyWALL Turbo Card for the hardware installation procedure.


1.1.2 IDP/AV Service Activation

After you have successfully installed the ZyWALL Turbo Card, activate the AV/IDP services in the web configurator. Access the web configurator and display the activation screen. If you already have a myZyXEL.com account, all you have to do is select Existing myZyXEL.com account, enter your myZyXEL.com account information and then select IDP/AV 3-month Trial to activate.

With the IDP feature enabled, the ZyWALL 35 UTM inspects all passing traffic to effectively block any Worms, Trojans, DoS or DDoS attacks.

Note: Although IDP can effectively block Worms and Trojans and prevent DoS and DDoS attacks, it cannot detect viruses passing through the ZyWALL 35 UTM.

To prevent virus attacks, use the built-in stream-based AV (Anti-Virus) scan engine to scan traffic as it passes through the ZyWALL. The AV scan engine can effectively detect viruses/worms and destroy infected files before they reach the intended host computers on the Intranet.

Note: The AV service on the ZyWALL 35 UTM can detect and destroy files that are infected with virus/worms. The AV service cannot stop network DoS and DDoS attacks.


1.2 IDP + AV: A Perfect Combination

With a combination of IDP and AV services, your ZyWALL 35 UTM is the ultimate security appliance to guard your network from major attacks. Not only will the ZyWALL 35 UTM stop network attacks using the IDP service, it will also scan, detect and destroy files that are infected with viruses/worms using the AV service. This results in a stable network free of viruses and worms. The following sections show you how to enable the IDP and AV features on the ZyWALL 35 UTM.

1.2.1 Configure IDP to Prevent Attacks

Follow the steps below to activate the IDP feature on the ZyWALL and the selected interfaces.

0. Access the web configurator.

1. Click IDP in the navigation panel to display the General screen. Select Enable Intrusion Detection and Prevention to activate the IDP feature on the ZyWALL.

2. Select the Active option for the LAN and DMZ interfaces to inspect inbound traffic from LAN and DMZ interfaces.

3. Click Apply to save the settings.

1.2.2 Configure AV to Detect Viruses

Follow the steps below to activate the AV feature on the ZyWALL and the selected interfaces.

1. In the web configurator, click ANTI-VIRUS in the navigation panel to display the General screen. Select Enable Anti-Virus to activate the AV function on the ZyWALL.

2. For the FTP service, select Active, LAN and DMZ to enable AV protection for FTP file transfer on the selected interfaces. Select Log to create logs when viruses are detected to warn the IT staff.

3. For the HTTP service, select Active, LAN and DMZ to enable AV protection for HTTP traffic on the selected interfaces. Select Log to create logs when viruses are detected to warn the IT staff.


4. For the POP3 service, select Active and LAN to enable AV protection for POP3 email traffic on the LAN interface. Select Log to create logs when viruses are detected to warn the IT staff.

5. For the SMTP service, select Active and DMZ to enable AV protection for SMTP email traffic on the DMZ interface. Select Log to create logs when viruses are detected to warn the IT staff.

6. Click Apply to save the settings.

Note: Make sure the signatures are updated regularly to allow effective virus scanning on the ZyWALL 35 UTM.

The AV Signature Update Page

2. Server Protection with IDP

In order to protect servers (Web/Mail/FTP/etc.) located on the DMZ behind the ZyWALL 35 UTM, enable the IDP service on the ZyWALL 35 UTM to inspect inbound traffic to these servers. The ZyWALL 35 UTM with the IDP service enabled can effectively prevent malicious hackers from accessing these servers and also stop DoS or DDoS attacks from paralyzing the network.

The following figure shows a network example where a ZyWALL 35 UTM is set up to protect servers in the DMZ zone.

[Figure: LAN zone and DMZ zone (Mail/HTTP/FTP server) behind the ZyWALL, with the WAN, the Internet and an intruder]

2.1 Configure IDP to Prevent Malicious Intrusions

Follow the steps below to enable IDP on the ZyWALL and the DMZ interface to protect the publicly-accessed servers.

1. In the web configurator, click IDP in the navigation panel to display the General screen as shown. Select Enable Intrusion Detection and Prevention to enable the IDP feature on the ZyWALL.

2. Select Active for the DMZ interface to inspect traffic going from the WAN or LAN interfaces to the DMZ segment behind the ZyWALL.

3. Click Apply to save the changes.


Note: Since IPSec VPN traffic is already protected in the secure VPN tunnel, the IDP/AV services do not inspect the VPN traffic. In addition, the IDP/AV services cannot detect viruses in files or traffic that is password-protected.

[Chapter 2]: Control the Use of IM/P2P Applications to Increase Employee Productivity

[Figure: LAN zone connected through the WAN to the Internet, with eMule and MSN traffic]

IM (Instant Message) and P2P (Peer-to-Peer) applications are popular and their use is on the increase. For example, people may use MSN messenger (an IM application from Microsoft) to chat and send/receive files or use eDonkey (a P2P application) for file sharing. Such applications are a perfect medium for spreading viruses, backdoor programs, or Trojans. Computers in the LAN zone might be infected undetected when using IM/P2P applications. The ZyWALL 35 UTM IDP security service provides effective traffic management to control (allow or block) these IM/P2P applications.

1. P2P/IM Traffic Management

The following sections show you how to configure the IDP service in the ZyWALL 35 UTM to manage MSN messenger usage to prevent viruses/Trojans from spreading. You will also be shown how to stop employees from sharing files through the company network.

1.1 Register the IDP service

1.1.1 ZyNOS 4.0 + Turbo Card

The ZyWALL 35 UTM is the first model in the ZyWALL series to support the AV (Anti-Virus) and IDP (Intrusion Detection and Prevention) services and the latest ZyNOS 4. In order to take advantage of these enhanced features, you must install a ZyWALL Turbo Card in the ZyWALL 35 UTM. The ZyWALL Turbo Card is a hardware accelerator that allows your ZyWALL 35 UTM to deliver the best performance.

Refer to the documentation that comes with your ZyWALL Turbo Card for the hardware installation procedure.


1.1.2 IDP/AV License Activation

Refer to step 1.1 on page 4 for how to activate the IDP/AV services for your ZyWALL 35 UTM.

1.2 Activate IDP

Follow the steps below to activate the IDP service on the LAN and WAN interfaces.

1. In the web configurator, click IDP in the navigation panel to display the General screen. Select Enable Intrusion Detection and Prevention to activate IDP on the ZyWALL.

2. Select Active for the LAN and WAN1/2 interfaces. This activates IDP protection on traffic (such as IM/P2P) between the LAN and WAN interfaces.

3. Click Apply to save the settings.


1.2.1 Control IM (Instant Message)

After you have enabled IDP on the ZyWALL and the selected interfaces, configure the IDP to control IM applications.

1. In the web configurator, click IDP in the navigation panel and click the Signature tab.

2. Click Switch to query view to search for the specified signatures.

3. To configure IDP actions for IM applications (such as MSN), select Signature search and the By Name option. Enter MSN in the text box provided.

4. Click Search and the signature search result displays in the table below.

Block MSN(Chat, File Transfer)


1.2.2 Block MSN File Transfer

Select Drop Packet in the Action field for the MSN file transfer related signatures. Keep the action for other MSN-related signatures at No Action.


1.2.2 Control P2P (Peer-to-Peer) File Transfer

1. In the web configurator, click IDP in the navigation panel and click the Signature tab. Click Switch to query view to search for the specified signature.

2. To configure IDP actions for P2P applications (such as eDonkey), select Signature Search and the By Name option. Enter eDonkey in the field provided.

3. Click Search and the signature result displays in the table below.


4. Select Log to create logs for any eDonkey traffic the ZyWALL detects.

5. To block all eDonkey related traffic, select Drop Packet in the Action field.

6. Click Active to enable the signature.

1.2.2.1 IDP Signature Update

Make sure the signatures are updated regularly to allow effective IDP inspection on the ZyWALL.

[Chapter 3]: Curb Non-work Related Web Surfing and Mitigate Spyware and Phishing Threats

Web browsing is one of the most common activities people do on a daily basis. However, threats and attacks originate from the Internet. Web browsing should be curbed to minimize the impact of hazardous web content (malicious Java and ActiveX), spyware, and phishing attacks. These attacks are known to be found in websites that contain pirated software, pornography, and other questionable content. In addition, non-work related web surfing (such as accessing sports, financial and gambling web sites) should be disallowed to increase business productivity. With the ZyWALL 35 UTM Content Filtering service, network administrators can easily allow or block users from viewing different categories of web sites.

The following figure shows a network example.

[Figure: LAN zone connected through the WAN to the Internet and an HTTP/Web server]

1. Minimize Spyware Attack

As mentioned earlier, pornography websites are known to contain Spyware and Trojans, so use the ZyWALL 35 UTM to prevent users from accessing these types of websites. The following sections show you how to set up content filtering on the ZyWALL.


1.1 Register and Activate Content Filtering

In the web configurator, click Registration in the navigation panel. If you already have a myZyXEL.com account, all you have to do is select Existing myZyXEL.com account, enter your myZyXEL.com account information and then select Content Filtering 1-month Trial. Then click Apply.

1.2 Use an External Content Filtering Database for Enhanced Filtering

After you have registered and activated the CF service on the ZyWALL, you can use the external content filtering database for enhanced content filtering on the ZyWALL. To use the external database, select Enable External Database Content Filtering in the Categories screen. Then select the web categories you want to filter. Users will be blocked from accessing the websites that fall under the selected categories. The following screen shows a configuration example.


1.3 Example: Content Filtering Using an External Database In Action

After you activate and configure the content filtering feature on the ZyWALL, you can test and see content filtering in action. Open a web browser and access a website that may contain Nudity (for example, www.nudistweb.net). When the ZyWALL detects that the website category is to be filtered, the website content is prevented from being displayed and you are redirected to the specified URL; for example, you can specify www.zyxel.com (the ZyXEL global website) as the "Redirect URL". A warning message also displays, notifying you that access to the website is not allowed.

2. Proactive Phishing Protection

Phishing is the act of sending an e-mail to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft. With a combination of the CF and AS (Anti-Spam) services in ZyWALL 35 UTM, network administrators can dramatically reduce the chance of receiving possible phishing e-mails for company network users. Furthermore, these features also prevent users from accessing known phishing websites.


2.1 Register and Activate the AS Service

In the web configurator, click Registration in the navigation panel. If you already have a myZyXEL.com account, all you have to do is select Existing myZyXEL.com account, enter your myZyXEL.com account information and then select Anti Spam 3-month Trial. Then click Apply.

2.2 Configure CF to Block Known Phishing Websites

2.2.1 General Setting

Follow the steps below to activate content filtering on the ZyWALL and configure general settings.

1. In the web configurator, click CONTENT FILTER in the navigation panel and click the General tab. Select Enable Content Filter to enable the CF function.

2. Under Schedule to Block, select Always Block to set the ZyWALL to block websites.

3. Under Message to display when a site is blocked, enter the warning message to be displayed on the user's web browser when the user is trying to access a questionable website. To redirect the user to another website when the requested website is being blocked, enter a web site address in the Redirect URL field. Here, we enter "(Website Blocking)" and "www.zyxel.com" accordingly.

4. Under Exempt Computers, select Exclude specified address ranges from the content filter enforcement to NOT apply content filter policies to the specified IP address ranges. For example, if you want the CEO's computer (with an IP address of 192.168.10.200) to allow access to any website, enter this IP address to the list.

5. Click Apply to save the settings.


2.2.2 Customize the Forbidden Websites which are known phishing web sites

In addition to using the external content filtering server to provide enhanced filtering services, you can customize filter policies to fit your network needs. In the web configurator, click CONTENT FILTER in the navigation panel and click the Customization tab. Select Enable Web site customization and enter the web site address to the Forbidden Web Site list. (The forbidden list is similar to the black list.)


2.2.3 Example: Customized Content Filtering in Action

After you activate and customize the content filtering feature on the ZyWALL, you can test and see content filtering in action. Open a web browser and access any questionable website (for example, www.phishbank.com). When the ZyWALL detects that the website category is to be filtered, the website content is prevented from being displayed and you are redirected to the ZyXEL global website at www.zyxel.com. A warning message also displays, notifying you that access to the website is not allowed.

2.3 Configure Anti-Spam to Prevent Phishing

Follow the steps below to activate and configure the Anti-Spam feature on the ZyWALL.

1. In the web configurator, click ANTI-SPAM in the navigation panel to display the General screen. Select Enable Anti-Spam to enable the AS function.

2. Enter the tag (between 1 and 16 characters) to be added to the subject of a phishing e-mail. For example, you can enter "[PHISHING]". Then select "Discard SMTP mail. Forward POP3 mail with tag in mail subject" to forward spam mails using POP3 but discard the SMTP ones.

3. Under Action taken when mail sessions threshold reached, select Forward to bypass AS inspection when the number of concurrent mail sessions is over 15.

Note: The AS feature can inspect up to 15 concurrent mail sessions.

4. Click Apply to save the settings.


In the ANTI-SPAM -> External DB screen, check Enable External Database and adjust the threshold scroll bar to set the spam score (to be returned from an external database). The ZyWALL decides whether a POP3/SMTP mail is a phishing mail or not based on this score.

Note: To activate the "External DB" option, you must first register the ANTI-SPAM service.


2.3.1 Example: Phishing Mail Blocking in Action

After you have registered and configured the Anti-Spam settings described in the previous sections, any user on the LAN behind the ZyWALL 35 UTM will get a mail with "[PHISHING]" in the subject when the received mail (via POP3) is treated as a phishing mail.

Note: You can apply the Junk Mail action to received phishing mails that are already tagged by the ZyWALL 35 UTM AS. Refer to the documentation that comes with your e-mail program for more information.

2. Prevent Non-work Related Web Surfing

The following sections show you how to configure the content filtering feature on the ZyWALL 35 UTM to prevent employees from surfing websites that are not related to work.

2.1 General Setting

Follow the steps below to configure general content filtering settings.

1. In the web configurator, click CONTENT FILTER in the navigation panel to display the General screen. Select Enable Content Filter to enable the CF function.

2. Under Schedule to Block, select Always Block to set the ZyWALL to block websites.

3. Under Message to display when a site is blocked, enter the warning message (for example, "(Website Blocking)") to be displayed on the user's web browser when the user is trying to access a questionable website. To redirect the user to another website when the requested website is being blocked, enter a web site address (for example, www.zyxel.com) in the Redirect URL field.

4. Under Exempt Computers, you can select Exclude specified address ranges from the content filter enforcement to NOT apply content filter policies to specified IP address ranges. For example, if the CEO's computer (with an IP address of 192.168.10.200) is allowed to access any website, add this IP address to the list.

5. Click Apply to save the settings.


2.2 Use an External Content Filtering Database

After you have registered and activated the CF service on the ZyWALL, you can use the external content filtering database for enhanced content filtering on the ZyWALL. To use the external database, select Enable External Database Content Filtering in the Categories screen. Then select the web categories you want to filter. Users will be blocked from accessing the websites that fall under the selected categories. The following screen shows a configuration example.


2.3 Example: Content Filtering In Action to Block Non-work Related Surfing

After you have configured the CF feature as described in the previous sections, you can test your configuration by accessing a sports website, for example, www.nba.com. The ZyWALL will block you from accessing the website and redirect you to www.zyxel.com with a "(Website Blocking)" message displayed on your web browser.

[Chapter 4]: Reduce Spam with ZyWALL Anti-Spam Features

[Figure: LAN zone and DMZ zone (mail server, Mail/HTTP/FTP server) behind the ZyWALL, with the WAN, the Internet and a spammer]

With more and more spam received, employees have to spend more working hours managing their mailboxes. This increases unproductive overhead and greatly decreases work performance. Therefore, an effective way of identifying spam and eliminating it is required. Activate the Anti-Spam (AS) feature on the ZyWALL 35 UTM to do this.

Note: The AS feature can inspect SMTP (TCP port 25) and POP3 (TCP port 110) type of e-mails. It does not check e-mails sent via IMAP4.

1. Activate Anti-Spam on POP3 Mails

1.1 Register and Activate the Anti-Spam Service

In the web configurator, click Registration in the navigation panel. If you already have a myZyXEL.com account, all you have to do is select Existing myZyXEL.com account, enter your myZyXEL.com account information and then select Anti Spam 3-month Trial. Then click Apply.


1.2 Configure the ANTI-SPAM Service

Follow the steps below to configure AS general settings.

1. In the web configurator, click ANTI-SPAM in the navigation panel to display the General screen. Select Enable Anti-Spam to enable the AS feature on the ZyWALL.

2. Enter the tag (between 1 and 16 characters) to be added to the subject of a phishing e-mail. For example, you can enter "!!!SPAM!!!". Then select "Discard SMTP mail. Forward POP3 mail with tag in mail subject" to forward spam mails using POP3 but discard the SMTP ones.

3. Under Action taken when mail sessions threshold reached, select Forward to bypass AS inspection when the number of concurrent mail sessions is over 15.

Note: The AS feature can inspect up to 15 concurrent mail sessions.

4. Click Apply to save the settings.

Note: The AS feature on the ZyWALL can discard or forward e-mails through the SMTP protocol with the specified tag. For e-mails through the POP3 protocol, the ZyWALL only forwards.


In the ANTI-SPAM -> External DB screen, check Enable External Database and adjust the threshold scroll bar to set the spam score (to be returned from an external database). The ZyWALL decides whether a POP3/SMTP mail is a phishing mail or not based on this score.

Note: To activate the "External DB" option, you must first register the ANTI-SPAM service.

2. Activate Anti-Spam on SMTP Mails

The following sections show you how to configure the content filtering feature on the ZyWALL 35 UTM to prevent employees from surfing websites that are not related to work.

2.1 Register and Activate the Anti-Spam Service

In the web configurator, click Registration in the navigation panel. If you already have a myZyXEL.com account, all you have to do is select Existing myZyXEL.com account, enter your myZyXEL.com account information and then select Anti Spam 3-month Trial. Then click Apply.


2.2 Configure the ANTI-SPAM Service

Follow the steps below to configure AS general settings.

1. In the web configurator, click ANTI-SPAM in the navigation panel to display the General screen. Select Enable Anti-Spam to enable the AS feature on the ZyWALL.

2. Enter the tag (between 1 and 16 characters) to be added to the subject of a phishing e-mail. For example, you can enter "!!!SPAM!!!". Then select "Discard SMTP mail. Forward POP3 mail with tag in mail subject" to forward spam mails using POP3 but discard the SMTP ones.

3. Under Action taken when mail sessions threshold reached, select Forward to bypass AS inspection when the number of concurrent mail sessions is over 15.

Note: The AS feature can inspect up to 15 concurrent mail sessions.

4. Click Apply to save the settings.

Note: The AS feature on the ZyWALL can discard or forward e-mails through the SMTP protocol with the specified tag. For e-mails through the POP3 protocol, the ZyWALL only forwards.

You can customize the AS policy to add e-mail addresses to the AS black list (to apply the AS policies) or white list (to allow e-mails to bypass the AS policies). Click the Customization tab to display the configuration screen. Click Apply after you are finished to save the settings.


2.3 Example: AS in Action

After you configure the AS feature as described previously, any user on the LAN behind the ZyWALL 35 UTM will get an e-mail with "!!!SPAM!!!" in the subject (the original subject is "Hello") when the received e-mail (via POP3) is identified as spam. The following figure shows an example.
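The mail-client side of this setup, which both the Junk Mail note in section 2.3.1 of Chapter 3 and the example above depend on, can be sketched as follows. This is an added example, not ZyXEL code and not part of the original note; the folder names and sample messages are constructed, and the two tags are the ones used in this note.

```python
"""Sort POP3 mail by the subject tag a gateway anti-spam filter added."""
import base64
from collections import Counter
from email import message_from_bytes, policy

# Tags are the two used in this note; the folder names are assumptions.
TAG_FOLDERS = {"[PHISHING]": "Phishing", "!!!SPAM!!!": "Junk"}


def triage(raw: bytes, tag_folders=TAG_FOLDERS) -> str:
    """Return the destination folder for one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    # get_all() covers a message that carries more than one Subject header.
    for header in msg.get_all("Subject", []):
        # policy.default unfolds the header and decodes RFC 2047
        # encoded-words, so a tag is found next to an encoded subject.
        subject = " ".join(str(header).split()).casefold()
        for tag, folder in tag_folders.items():
            # The note does not say where in the subject the tag is placed,
            # so match it anywhere rather than only as a prefix.
            if tag.casefold() in subject:
                return folder
    return "Inbox"


def triage_mailbox(messages) -> Counter:
    """Count how many messages land in each folder."""
    return Counter(triage(raw) for raw in messages)


def _sample(subject_line: str) -> bytes:
    """Build a constructed test message with the given Subject value."""
    return ("From: sender@example.com\r\nTo: user@example.com\r\n"
            f"Subject: {subject_line}\r\n\r\nbody\r\n").encode("ascii")


# Constructed sample: a non-ASCII subject sent as an RFC 2047 encoded-word.
_ENCODED = ("=?utf-8?B?"
            + base64.b64encode("Kontoprüfung".encode("utf-8")).decode("ascii")
            + "?=")

SAMPLES = {
    "spam_plain": _sample("!!!SPAM!!! Hello"),
    "phish_encoded": _sample("[PHISHING] " + _ENCODED),
    # Folded header: the tag sits on the continuation line.
    "spam_folded": _sample("Quarterly report\r\n !!!SPAM!!! follow-up"),
    "clean": _sample("Hello"),
    "no_subject": b"From: sender@example.com\r\n\r\nbody\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:14s} -> {triage(raw)}")
    print(dict(triage_mailbox(SAMPLES.values())))
```

Untagged mail is not evidence of a clean verdict: with the Forward action chosen in the configuration steps, mail that arrives while more than 15 mail sessions are open bypasses AS inspection.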
