2 ZyWALL UTM Application Note

Transcription

1 2 Application Note Threat Management Using ZyWALL 35 UTM Forward This support note describes how an SMB can minimize the impact of Internet threats using the ZyWALL 35 UTM as an example. The following chapters are designed to deliver comprehensive protection against Internet threats with minimum management effort. Scenario A typical SMB network illustration shows concern of a Corporate Intranet and Public access security issue in different network segments. 1 [Chapter 1] Threat management in a Multi-segment network environment and in a server protection environment with AV/IDP 2 [Chapter 2 ] Control the Use of IM/P2P Applications to Increase Employee Productivity 3 [Chapter 3] Curb Non-work Related Web Surfing and Mitigate Spyware and Phishing Threats 4 [Chapter 4] Reduce Spam with ZyWALL Anti-Spam Features Application Note Threat Management Using ZyWALL 35 UTM 01

2 Forward There is an increasing demand for an effective and proactive mechanism against Internet threats. In a Small and Medium sized Business (SMB) network environment, these threats could result in demand on limited IT resource, reduced productivity, information theft, business disruption and even financial lost. ZyWALL 5/35/70 UTM (Unified Threat Management) is designed to deliver comprehensive protection against Internet threats with minimum management effort. This support note describes how an SMB can minimize the impact of Internet threats using the ZyWALL 35 UTM as an example. The following figure shows an example network. Mail/HTTP/FTP server DMZ Zone WAN Intruder Internet Mail/HTTP/FTP server Remote uesr LAN Zone Proactive Protection: Threat Management Using ZyWALL 35 UTM Forward 02

3 Scenario A typical SMB network, as illustrated in the above figure, may be divided into different network segments, such as the Intranet (trusted network), DMZ for publicly-accessed servers and the Internet (distrusted networks). Within the Intranet, company employees require access to network resources. Common tasks include web surfing, sending/receiving s either via the company mail server or free servers, file transfer or even having Instant Massaging (IM) applications to increase productivity. In the DMZ, publicly-accessed servers (such as DNS, FTP, Web or servers) are hosted to provide services to their customers or partners. Any user can access the servers in the DMZ from the Internet. In addition to basic access control lists included on the ZyWALL 35 UTM, the company IT management team also required application layer protection to inspect traffic to or from these network segments to prevent any malicious activities from taking place. 1 Scenario 03

4 1 [ Chapter1 ]: Threat Management This product table briefly describes ZyXEL solutions for SMBs with fewer than 10 employees and is intended to be a guideline for choosing ZyXEL products for your main business location and teleworker connectivity. 1. In a Multi-Segment Network Environment The following example show you how to use ZyWALL 35 UTM to prevent virus and worms from entering the Intranet and DMZ networks behind the ZyWALL. Since most virus and worms originate from the Internet, all incoming traffic from the Internet ( or the WAN) to the Intranet (or the LAN and DMZ) should be inspected. Set up the ZyWALL 35 UTM as shown in the example figure to prevent virus or worms from spreading into your network. Mail/HTTP/FTP server DMZ Zone Internet Intruder WAN Mail/HTTP/FTP server Remote uesr LAN Zone 1.1 Service Registration and Activation Using the icard ZyNOS 4 + Turbo Card The ZyWALL 35 UTM is the first model in the ZyWALL series to support the AV (Anti-Virus) and IDP (Intrusion Detection and Prevention) services and the latest ZyNOS 4. in order to take advantage of these enhanced features, you must install a ZyWALL Turbo Card in the ZyWALL 35 UTM in the ZyWALL 35 UTM. The ZyWALL Turbo Card is a hardware accelerator that allows your ZyWALL 35 UTM to deliver the best performance. Refer to the documentation that comes with your ZyWALL Turbo Card for hardware installation procedure. 1 Threat Management 04

5 1.1.2 IDP/AV Service Activation After you have successfully installed the ZyWALL Turbo Card, activate the AV/IDP services in the web configuration. Access the web configurator and display the activation screen. If you already have a myzyxel.com account, all you have to do is select Existing myzyxel.com account, enter your myzyxel.com account information and then select IDP/AV 3-month Trial to activate. With the IDP feature enabled, the ZyWALL 35 UTM inspect all passing traffic to effectively block any Worms, Trojans, DoS or DDoS attacks. Note: Although IDP can effectively block Worms, Trojans, and prevent DoS and DDoS attacks, it is not capable of detecting viruses from passing through the ZyWALL 35 UTM. To prevent virus attacks, use the built-in stream-based AV (Anti-Virus) scan engine to scan traffic as they pass through the ZyWALL. The AV scan engine can effectively detect virus/worms and destroy infected files before they reach the intended host computers on the Intranet. Note: The AV service on the ZyWALL 35 UTM can detect and destroy files that are infected with virus/worms. The AV service cannot stop network DoS and DDoS attacks. 1 Threat Management 05

6 1.2 IDP + AV: A Perfect Combination With a combination of IDP and AV services, your ZyWALL 35 UTM is the ultimate security appliance to guard your network from major attacks. Not only will ZyWALL 35 UTM stop network attacks using the IDP service, it will also scan, detect and destroy files that are infected with virus/worms using the AV service. This results in a stable and virus/worms free network. The following sections shows your how to enable IDP and AV features on the ZyWALL 35 UTM Configure IDP to Prevent Attacks Follow the steps below to activate the IDP feature on the ZyWALL and the selected interfaces. 0. Access the web configurator. 1. Click IDP in the navigation panel to display the General screen. Select Enable Intrusion Detection and Prevention to activate the IDP feature on the ZyWALL. 2. Select the Active option for the LAN and DMZ interfaces to inspect inbound traffic from LAN and DMZ interfaces. 3. Click Apply to save the settings. 1. Configure AV to Detect Viruses Follow the steps below to activate the AV feature on the ZyWALL and the selected interfaces. 1. In the web configurator, click ANTI-VIRUS in the navigation panel to display the General screen, Select Enable Anti-Virus to activate the AV function on the ZyWALL. 2. For the FTP service, select Active, LAN and DMZ to enable AV protection for FTP file transfer on the selected interfaces. Select Log to create logs when viruses are detected to warn the IT staff. 3. For the HTTP service, select Active, LAN and DMZ to enable AV protection for HTTP traffic on the selected interfaces. Select Log to create logs when viruses are detected to warn the IT staff. 1 Threat Management 06

7 4. For the POP3 service, select Active and LAN to enable AV protection for POP3 traffic on the LAN interface. Select Log to create logs when viruses are detected to warn the IT staff. 5. For the SMTP service, select Active and DMZ to enable AV protection for POP3 traffic on the DMZ interface. Select Log to create logs when viruses are detected to warn the IT staff. 6. Click Apply to save the settings. Note: Make sure the signatures are updated regularly to allow effective virus scanning on the ZyWALL 35 UTM. The AV Signature Update Page 1 Threat Management 07

8 2.Server Protection with IDP In order to protect servers (WEB/Mail/FTP/etc) located on the DMZ behind ZyWALL 35 UTM, enable the IDP service on ZyWALL 35 UTM to inspect inbound traffic to these servers. ZyWALL 35 UTM with the IDP service enabled can effectively prevent malicious hackers from accessing these servers and also stop DoS or DDoS attacks from paralyzing the network. The following figure shows a network example where a ZyWALL 35 UTM is set up to protect servers in the DMZ zone. Mail/HTTP/FTP server DMZ Zone Internet Intruder WAN LAN Zone 2.1 Configure IDP to Prevent Malicious Intrusions Follow the steps below to enable IDP on the ZyWALL and the DMZ interaface to protect the publiclyaccessed servers. 1. In the web configurator, click IDP in the navigation panel to display the Gneneral screen as shown. Enable Intrusion Detection and Prevention to enable the IDP feature on the ZyWALL. 2. Select Active for the DMZ interfaceto inspect traffic going from the WAN or LAN interfaces to the DMZ segment behind the ZyWALL. 3. Click Apply to save the changes. 1 Threat Management 08

9 Note: Since IPSec VPN traffic is already protected in the secure VPN tunnel, the IDP/AV services do not inspect the VPN traffic. In addition, the IDP/AV services cannot detect viruses in files or traffic that is password-protected. 1 Threat Management 09

10 [ Chapter2 ]: Control the Use of IM/P2P Applications to Increase Employee Productivity WAN Internet emule MSN LAN Zone IM (Instant Message) and P2P (Peer-to-Peer) applications are popular and their use is on the increase. For example, people may use MSN messenger (an IM application from Microsoft) to chat and send/receive files or use edonkey (a P2P application) for file sharing. Such applications are perfect medium for spreading viruses, backdoor programs, or Trojans. Computers in the LAN zone might be infected undetected when using IM/P2P applications. The ZyWALL 35 UTM IDP security service provides an effective traffic management to control (allow or block) these IM/P2P applications. 1. P2P/IM Traffic Management The following sections shows you how to configure the IDP service in the ZyWALL 35 UTM to manage MSN messenger usage to prevent virus/trojans from spreading. Also, you will be shown how to stop employees from sharing files through the company network. 1.1 Register the IDP service ZyNOS Turbo Card The ZyWALL 35 UTM is the first model in the ZyWALL series to support the AV (Anti-Virus) and IDP (Intrusion Detection and Prevention) services and the latest ZyNOS 4. in order to take advantage of these enhanced features, you must install a ZyWALL Turbo Card in the ZyWALL 35 UTM. The ZyWALL Turbo Card is a hardware accelerator that allows your ZyWALL 35 UTM to deliver the best performance. Refer to the documentation that comes with your ZyWALL Turbo Card for hardware installation procedure. 2 Control the Use of IM/P2P Applications to Increase Employee Productivity 10

11 1.1.2 IDP/AV License Activation Refer to step 1.1 in the page 4 on how to activate IDP/AV services for your ZyWALL 35 UTM. 1.2 Activate IDP Follow the steps below to activate the IDP service on the LAN and WAN interfaces. 1. In the web configurator, click IDP in the navigation panel to display the General screen. Select Enable Intrusion Detection and Prevention to activate IDP on the ZyWALL. 2. Select Active for the LAN and WAN1/2 interfaces. This activates IDP protection on traffic (such as IM/P2P) between the LAN and WAN interfaces. 3. Click Apply to save the settings. 2 Control the Use of IM/P2P Applications to Increase Employee Productivity 11

12 1.2.1 Control IM (Instant Message) After you have enabled IDP on the ZyWALL and the selected interfaces, configure the IDP to control IM applications. 1. In the web configurator, click IDP in the navigation panel and click the Signature tab. 2. Click Switch to query view to search for the specified signatures. 3. To configure IDP actions for IM applications (such as MSN), select Signature search and the By Name option. Enter MSN in the text box provided. 4. Click Search and the signature search result displays in the table below. Block MSN(Chat, File Transfer) 2 Control the Use of IM/P2P Applications to Increase Employee Productivity 12

13 Block MSN File Transfer Select Drop Packet in the Action field for the MSN file transfer related signatures. Keep the action for other MSN-related signatures at No Action. 2 Control the Use of IM/P2P Applications to Increase Employee Productivity 13

14 1. Control P2P (Peer-to-Peer) File Transfer 1. In the web configurator, click IDP in the navigation panel and click the Signature tab. Click Switch to query view to search for the specified signature. 2. To configure IDP actions for P2P applications (such as edonkey), select Signature Search and the By Name option. Enter edonkey in the field provided. 3. Click Search and the signature result displays in the table below. 2 Control the Use of IM/P2P Applications to Increase Employee Productivity 14

15 4. Select Log to create logs for any edonkey traffic the ZyWALL detects. 5. To block all e-donley related traffic, select Drop Packet in the Action field. 6. Click Active to enable the signature IDP Signature Update Make sure the signatures are updated regularly to allow effective IDP inspection on the ZyWALL. 2 Control the Use of IM/P2P Applications to Increase Employee Productivity 15

16 3 [ Chapter3 ]: Curb Non-work Related Web Surfing and Mitigate Spyware and Phishing Threats Web browsing is one of the most common activities people do on a daily basis. However threats and attacks originate from the Internet. Web browsing should be curbed to minimize the impact of hazardous web content (malicious java and ActiveX), spyware, and phishing attacks. These attacks are known to be found in websites that contain pirated software, pornography, and other questionable contents. In addition, non-work related web surfing (such as accessing sports, financial and gambling web sites) should be disallowed to increase business productivity. With the ZyWALL 35 UTM Content Filtering service, network administrator can easily allow or block users from viewing different categories of web sites. The following figure shows a network example. WAN Internet HTTP/Web server LAN Zone 1. Minimize Spyware Attack As mentioned earlier, pornography websites are known to contain Spyware and Trojans, thus use ZyWALL 35 UTM to prevent users from accessing these types of websites. The following sections show you how to set up content filtering on the ZyWALL. 3 Curb Non-work Related Web Surfing and Mitigate Spyware and Phishing Threats 16

17 1.1 Register and Activate Content Filtering In the web configurator, click Registration in the navigation panel. If you already have a myzyxel.com account, all you have to do is select Existing myzyxel.com account, enter your myzyxel.com account information and then select Content Filtering 1-month Trial. The click Apply. 1.2 Use an External Content Filtering Database for Enhanced Filtering After you have registered and activated the CF service on the ZyWALL, you can use the external content filtering database for enhanced content filtering on the ZyWALL. To use the external database, select Enable External Database Content Filtering in the Categories screen. The select the web categories you want to filter. Users will be blocked from accessing the webs that fall under the selected categories. The following screen shows a configuration example. 3 Curb Non-work Related Web Surfing and Mitigate Spyware and Phishing Threats 17

18 1.3 Example: Content Filtering Using an External Database In Action After you activate and configure the content filtering feature on the ZyWALL, you can test and see content filtering in action. Open a web browser and access a website that may contain Nudity (for example, When the ZyWALL detects that the website category is to be filtered, the website content is prevented from being displayed and you will be redirected to the specified URL, for example user can specify the "Redirect URL" as (ZyXEL global website). A warning message also displays notifying you that the website is not allowed to be accessed. 2. Proactive Phishing Protection Phishing is the act of sending an to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft. With a combination of the CF and AS (Anti-Spam) services in ZyWALL 35 UTM, network administrators can dramatically reduce the chance of receiving possible phishing s for company network users. Furthermore, these features also prevent users from accessing known phishing websites. 3 Curb Non-work Related Web Surfing and Mitigate Spyware and Phishing Threats 18

19 2.1 Register and Activate the AS Service In the web configurator, click Registration in the navigation panel. If you already have a myzyxel.com account, all you have to do is select Existing myzyxel.com account, enter your myzyxel.com account information and then select Anti Spam 3-month Trial. Then click Apply. Configure CF to Block Known Phishing Websites.1 General Setting Follow the steps below to activate content filtering on the ZyWALL and configure general settings. 1. In the web configurator, click CONTENT FILTER in the navigation panel and click the General tab. Select Enable Content Filter to enable the CF function. 2. Under Schedule to Block, select Always Block to set the ZyWALL to block website. 3. Under Message to display when a site is blocked, enter the warning message to be displayed on the user's web browser when the user is trying to access a questionable website. To redirect the user to another website when the requested website is being blocked, enter a web site address in the Redirect URL field. Here, we enter "(Website Blocking)" and " accordingly. 4. Under Exempt Computers, select Exclude specified address ranges from the content filter enforcement to NOT apply content filter policies to the specified IP address ranges. For example, if you want the CEO's computer (with an IP address of ) to allow access to any website, enter this IP address to the list. 5. Click Apply to save the settings. 3 Curb Non-work Related Web Surfing and Mitigate Spyware and Phishing Threats 19

20 .2 Customize the Forbidden Websites which are known phishing web sites In addition to using the external content filtering server to provide enhanced filtering services, you can customize filter policies to fit your network needs. In the web configurator, click CONTENT FILTER in the navigation panel and click the Customization tab. Select Enable Web site customization and enter the web site address to the Forbidden Web Site list. (The forbidden list is similar to the black list.) 3 Curb Non-work Related Web Surfing and Mitigate Spyware and Phishing Threats 20

21 .3 Example: Customized Content Filtering in Action After you activate and customized the content filtering feature on the ZyWALL, you can test and see content filtering in action. Open a web browser and access any questionable website (for example, When the ZyWALL detects that the website category is to be filtered, the website content is prevented from being displayed and you will be redirected to the ZyXEL global website at A warning message also displays notifying you that the website is not allowed to be accessed. 2.3 Configure Anti-Spam to Prevent Phishing Follow the steps below to activate and configure the Anti-Spam feature on the ZyWALL. 1. In the web configurator, click ANTI-SPAM in the navigation panel to display the General screen. Select Enable Anti-Spam to enable the AS function. 2. Enter the tag (between 1 to16 characters) to be added to the subject of a phishing . For example, you can enter "[PHISHING]". Then select Discard SMTP mail. Forward POP3 mail with tag in mail subject to forward spam mails using POP3 but discard the SMTP ones. 3. Under Action taken when mail sessions threshold reached, select Forward to bypass AS inspection when the number of concurrent mail sessions is over 15. Note: The AS feature can inspect up to 15 concurrent mail sessions. 4. Click Apply to save the settings. 3 Curb Non-work Related Web Surfing and Mitigate Spyware and Phishing Threats 21

22 In the ANTI-SPAM -> External DB screen, check Enable External Database and adjust the threshold scroll bar to set the spam score (to be returned from an external database). The ZyWALL decides whether a POP3/SMTP mail is a phishing mail or not based on this score. Note: To activate the "External DB" option, you must first register the ANTI-SPAM service. 3 Curb Non-work Related Web Surfing and Mitigate Spyware and Phishing Threats 22

23 2.3.1 Example: Phishing Mail Blocking in Action After you have registered and configure the Anti-Spam settings described in the previous sections, any user on the LAN behind the ZyWALL 35 UTM will get a mail with "[PHISHING]" in the subject when the received mail (via POP3) is treated as a phishing mail. Note: You can apply the Junk Mail action on the received phishing mail which are already tagged by the ZyWALL 35 UTM AS. Refer to the documentation that comes with your program for more information. 2. Prevent Non-work Related Web Surfing The following sections show you how to configure the content filtering feature on the ZyWALL 35 UTM to prevent employees from surfing websites that are not related to work. 2.1 General Setting Follow the steps below to configure general content filtering settings. 1. In the web configurator, click CONTENT FILTER in the navigation panel to display the General screen, Select Enable Content Filter to enable CF function. 2. Under Schedule to Block, select Always Block to set the ZyWALL to block website. 3. Under Message to display when a site is blocked, enter the warning message (for example, "(Website Blocking)") to be displayed on the user's web browser when the user is trying to access a questionable website. To redirect the user to another website when the requested website is being blocked, enter a web site address (for example, in the Redirect URL field. 4. Under Exempt Computers, you can select Exclude specified address ranges from the content filter enforcement to NOT apply content filter policies to specified IP address ranges. For example, if the CEO's computer (with an IP address of ) is allowed to access any website, add this IP address to the list. 5. Click Apply to save the settings. 3 Curb Non-work Related Web Surfing and Mitigate Spyware and Phishing Threats 23

24 Use an External Content Filtering Database After you have registered and activated the CF service on the ZyWALL, you can use the external content filtering database for enhanced content filtering on the ZyWALL. To use the external database, select Enable External Database Content Filtering in the Categories screen. The select the web categories you want to filter. Users will be blocked from accessing the webs that fall under the selected categories. The following screen shows a configuration example. 3 Curb Non-work Related Web Surfing and Mitigate Spyware and Phishing Threats 24

25 2.3 Example: Content Filtering In Action to Block Non-work Related Surfing After you have configured the CF feature as described in the previous sections, you can test your configuration by accessing sports website, for example, The ZyWALL will block you from accessing the website and redirect yourt to with a "(Website Blocking)" message displayed on your web browser. 3 Curb Non-work Related Web Surfing and Mitigate Spyware and Phishing Threats 25

26 4 [ Chapter4 ] : Reduce Spam with ZyWALL Anti-Spam Features With more and more spam received, employees have to spend more working hours managing their mail boxes. This increases unproductive overhead and greatly decrease work performance. Therefore, an effective way of identifying spams and eliminating them is required. Activate the Anti-Spam (AS) feature on the ZyWALL 35 UTM to do just what you want, Note: The AS feature can inspect SMTP (TCP port 25) and POP3 (TCP port 110) type of s. It does not check s sent via IMAP4. Mail/HTTP/FTP server DMZ Zone WAN Internet SPAMer Mail server LAN Zone 1. Activate Anti-Spam on POP3 Mails 1.1 Register and Activate the Anti-Spam Service In the web configurator, click Registration in the navigation panel. If you already have a myzyxel.com account, all you have to do is select Existing myzyxel.com account, enter your myzyxel.com account information and then select Anti Spam 3-month Trial. Then click Apply. 4 Reduce Spam with ZyWALL Anti-Spam Features 26

27 1.2 Configure the ANTI-SPAM Service Follow the steps below to configure AS general settings. 1. In the web configurator, click ANTI-SPAM in the navigation panel to display the General screen. Select Enable Anti-Spam to enable the AS feature on the ZyWALL. 2. Enter the tag (between 1 to16 characters) to be added to the subject of a phishing . For example, you can enter "!!!SPAM!!!". Then select Discard SMTP mail. Forward POP3 mail with tag in mail subject to forward spam mails using POP3 but discard the SMTP ones. 3. Under Action taken when mail sessions threshold reached, select Forward to bypass AS inspection when the number of concurrent mail sessions is over 15. Note: The AS feature can inspect up to 15 concurrent mail sessions. 4. Click Apply to save the settings. Note: The AS feature on the ZyWALL can discard or forward s through the SMTP protocol with the specified tag. For s through the POP3 protocol, the ZyWALL only forwards 4 Reduce Spam with ZyWALL Anti-Spam Features 27

28 In the ANTI-SPAM -> External DB screen, check Enable External Database and adjust the threshold scroll bar to set the spam score (to be returned from an external database). The ZyWALL decides whether a POP3/SMTP mail is a phishing mail or not based on this score. Note: To activate the "External DB" option, you must first register the ANTI-SPAM service. 2. Activate Anti-Spam on SMTP Mails The following sections show you how to configure the content filtering feature on the ZyWALL 35 UTM to prevent employees from surfing websites that are not related to work. 2.1 Register and Activate the Anti-Spam Service In the web configurator, click Registration in the navigation panel. If you already have a myzyxel.com account, all you have to do is select Existing myzyxel.com account, enter your myzyxel.com account information and then select Anti Spam 3-month Trial. Then click Apply 4 Reduce Spam with ZyWALL Anti-Spam Features 28

29 Configure the ANTI-SPAM Service Follow the steps below to configure AS general settings. 1. In the web configurator, click ANTI-SPAM in the navigation panel to display the General screen. Select Enable Anti-Spam to enable the AS feature on the ZyWALL 2. Enter the tag (between 1 to16 characters) to be added to the subject of a phishing . For example, you can enter "!!!SPAM!!!". Then select Discard SMTP mail. Forward POP3 mail with tag in mail subject to forward spam mails using POP3 but discard the SMTP ones. 3. Under Action taken when mail sessions threshold reached, select Forward to bypass AS inspection when the number of concurrent mail sessions is over 15. Note: The AS feature can inspect up to 15 concurrent mail sessions. 4. Click Apply to save the settings. Note: The AS feature on the ZyWALL can discard or forward s through the SMTP protocol with the specified tag. For s through the POP3 protocol, the ZyWALL only forwards. You can customize the AS policy to add addresses to the AS black list (to apply the AS policies) or white list (to allow s to bypass the AS policies). Click the Customization tab to display the configuration screen. Click Apply after you are finished to save the settings. 4 Reduce Spam with ZyWALL Anti-Spam Features 29

30 2.3 Example: AS in Action After you configure the AS feature as described previously, any user on the LAN behind the ZyWALL 35 UTM will get an with "!!!SPAM!!!" in the subject (the original subject is "Hello") when the received (via POP3) is identified as a spam. The following figure shows an example. 4 Reduce Spam with ZyWALL Anti-Spam Features 30