Chapter 11 Packet Filter
P-660HN-FxZ Series User’s Guide
11.3.2 Firewall Versus Filters
Below are some comparisons between the ZyXEL Device’s filtering and firewall functions.
Packet Filtering
The router filters packets as they pass through the router’s interface according to the filter rules you designed.
Packet filtering is a powerful tool, yet can be complex to configure and maintain, especially if you need a chain of rules to filter a service.
Packet filtering only checks the header portion of an IP packet.
When To Use Filtering
1. To block/allow LAN packets by their MAC addresses.
2. To block/allow special IP packets which are neither TCP nor UDP, nor ICMP packets.
3. To block/allow both inbound (WAN to LAN) and outbound (LAN to WAN) traffic between the specific inside host/network "A" and outside host/network "B". If the filter blocks the traffic from A to B, it also blocks the traffic from B to A. Filters cannot distinguish traffic originating from an inside host or an outside host by IP address.
4. To block/allow IP trace route.
Firewall
The firewall inspects packet contents as well as their source and destination addresses. Firewalls of this type employ an inspection module, applicable to all protocols, that understands data in the packet is intended for other layers, from the network layer (IP headers) up to the application layer.
The firewall performs stateful inspection. It takes into account the state of connections it handles so that, for example, a legitimate incoming packet can be matched with the outbound request for that packet and allowed in. Conversely, an incoming packet masquerading as a response to a non-existent outbound request can be blocked.
The firewall uses session filtering, i.e., smart rules, that enhance the filtering process and control the network session rather than control individual packets in a session.
The firewall provides e-mail service to notify you of routine reports and when alerts occur.
When To Use The Firewall
1. To prevent DoS attacks and prevent hackers cracking your network.
2. A range of source and destination IP addresses as well as port numbers can be specified within one firewall rule, making the firewall a better choice when complex rules are required.
3. To selectively block/allow inbound or outbound traffic between inside host/networks and outside host/networks. Remember that filters cannot distinguish traffic originating from an inside host or an outside host by IP address.
4. The firewall performs better than filtering if you need to check many rules.
5. Use the firewall if you need routine e-mail reports about your system or need to be alerted when attacks occur.
6. The firewall can block specific URL traffic that might occur in the future. The URL can be saved in an Access Control List (ACL) database.
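The difference between a header-only filter and stateful inspection is easiest to see side by side. The following Python model is an added example written for this guide section; it is not ZyXEL firmware code. The addresses, the rule list and the session-table layout are constructed for the illustration. The filter matches on the address pair alone, so a rule naming hosts A and B blocks both directions, as item 3 above states; the stateful engine records each outbound request and admits an inbound packet only when it answers a recorded request.

```python
from dataclasses import dataclass

# Constructed sample addresses (documentation ranges); A is an inside host,
# B and C are outside hosts. Not taken from the user's guide.
INSIDE_A = "192.168.1.10"
OUTSIDE_B = "203.0.113.5"
OUTSIDE_C = "198.51.100.7"


@dataclass(frozen=True)
class Packet:
    """The header fields a filter or firewall looks at.
    direction is 'out' for LAN to WAN and 'in' for WAN to LAN."""
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    direction: str


def packet_filter(rules, pkt):
    """Stateless, header-only filter (hypothetical rule format: inside host,
    outside host, action). A rule matches by address pair regardless of
    direction, so blocking A to B also blocks B to A."""
    for inside, outside, action in rules:
        if {pkt.src, pkt.dst} == {inside, outside}:
            return action
    return "allow"  # default policy assumed for this example


class StatefulFirewall:
    """Tracks outbound sessions so that inbound packets are admitted only
    when they answer a request the firewall has already seen."""

    def __init__(self):
        # session key: (lan_ip, lan_port, wan_ip, wan_port, proto)
        self.sessions = set()

    def inspect(self, pkt):
        if pkt.direction == "out":
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
            return "allow"
        # Inbound: look the session up in reverse. A packet posing as a reply
        # to a request that was never made finds no entry and is dropped.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        return "allow" if key in self.sessions else "drop"


def run_demo():
    """Run both engines over constructed traffic and return the verdicts."""
    rules = [(INSIDE_A, OUTSIDE_B, "drop")]
    a_to_b = Packet(INSIDE_A, OUTSIDE_B, "tcp", 40000, 443, "out")
    b_to_a = Packet(OUTSIDE_B, INSIDE_A, "tcp", 443, 40000, "in")
    a_to_c = Packet(INSIDE_A, OUTSIDE_C, "tcp", 40001, 443, "out")
    c_reply = Packet(OUTSIDE_C, INSIDE_A, "tcp", 443, 40001, "in")
    c_forged = Packet(OUTSIDE_C, INSIDE_A, "tcp", 443, 40002, "in")

    fw = StatefulFirewall()
    return {
        "filter_A_to_B": packet_filter(rules, a_to_b),
        "filter_B_to_A": packet_filter(rules, b_to_a),  # blocked too: filters are symmetric
        "filter_A_to_C": packet_filter(rules, a_to_c),
        "fw_A_to_C": fw.inspect(a_to_c),                # outbound request is recorded
        "fw_C_reply": fw.inspect(c_reply),              # matches the recorded request
        "fw_C_forged": fw.inspect(c_forged),            # no such request: dropped
    }


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name}: {verdict}")
```

The forged packet differs from the genuine reply only in the destination port, which a header-only filter keyed on addresses cannot see as suspicious; the session table is what lets the stateful engine reject it.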
Chapter 12 Certificates
12.1 Overview
This chapter describes how your ZyXEL Device can use certificates as a means of authenticating wireless clients. It gives background information about public-key certificates and explains how to use them.
A certificate contains the certificate owner’s identity and public key. Certificates provide a way to exchange public keys for use in authentication.
Figure 107 Certificates Example
In the figure above, the ZyXEL Device (Z) checks the identity of the notebook (A) using a certificate before granting it access to the network.
12.1.1 What You Can Do in the Certificates Screens
• Use the My Certificates screens (Section 12.2 on page 186) to generate and export self-signed certificates or certification requests and import the ZyXEL Device’s CA-signed certificates.
• Use the Trusted CAs screens (Section 12.3 on page 194) to save CA certificates to the ZyXEL Device.
• Use the Trusted Remote Hosts screens (Section 12.4 on page 199) to import self-signed certificates.
• Use the Directory Servers screens (Section 12.5 on page 204) to configure a list of addresses of directory servers (that contain lists of valid and revoked certificates).
12.1.2 What You Need to Know About Certificates
Certification Authority
A Certification Authority (CA) issues certificates and guarantees the identity of each certificate owner. There are commercial certification authorities like CyberTrust or VeriSign and government certification authorities. You can use the ZyXEL Device to generate certification requests that contain identifying information and public keys and then send the certification requests to a certification authority.
Certificate File Formats
The certification authority certificate that you want to import has to be in one of these file formats:
• Binary X.509: This is an ITU-T recommendation that defines the formats for X.509 certificates.
• PEM (Base-64) encoded X.509: This Privacy Enhanced Mail format uses lowercase letters, uppercase letters and numerals to convert a binary X.509 certificate into a printable form.
• Binary PKCS#7: This is a standard that defines the general syntax for data (including digital signatures) that may be encrypted. The ZyXEL Device currently allows the importation of a PKCS#7 file that contains a single certificate.
• PEM (Base-64) encoded PKCS#7: This Privacy Enhanced Mail (PEM) format uses 64 ASCII characters to convert a binary PKCS#7 certificate into a printable form.
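Before uploading a CA certificate it is worth checking that the file really is one of the four formats above, since a truncated download or a PEM file with the wrong armor label is a common reason an import is rejected. The following Python script is an added example for this section, not ZyXEL code and not the device's own import routine. It recognises the PEM armor, Base-64 decodes it, and then checks the DER framing with the standard library only: an X.509 certificate is a SEQUENCE whose first element is another SEQUENCE (tbsCertificate), while a PKCS#7 file is a SEQUENCE whose first element is the signedData object identifier 1.2.840.113549.1.7.2. The PEM labels CERTIFICATE and PKCS7 are the ones OpenSSL writes; the sample blobs are constructed minimal DER structures, not real certificates.

```python
import base64
import re

# Helper and constant names are this example's own, not ZyXEL's.
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
OID_PKCS7_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
PEM_LABELS = {b"CERTIFICATE": "x509", b"PKCS7": "pkcs7"}     # OpenSSL-style PEM labels


def der_length(data, offset):
    """Decode a definite-form DER length at offset; return (length, offset of content)."""
    first = data[offset]
    if first < 0x80:
        return first, offset + 1
    n = first & 0x7F
    if n == 0 or n > 4:
        raise ValueError("indefinite or oversized length is not valid DER")
    return int.from_bytes(data[offset + 1:offset + 1 + n], "big"), offset + 1 + n


def classify_der(data):
    """Return 'x509' or 'pkcs7' for a DER blob, or raise ValueError.
    X.509 Certificate = SEQUENCE { SEQUENCE tbsCertificate, ... }
    PKCS#7 ContentInfo = SEQUENCE { OBJECT IDENTIFIER contentType, ... }"""
    if not data or data[0] != 0x30:
        raise ValueError("file does not start with a DER SEQUENCE")
    length, content = der_length(data, 1)
    if content + length != len(data):
        raise ValueError("DER length does not match file size (truncated or trailing data)")
    tag = data[content]
    if tag == 0x30:
        return "x509"
    if tag == 0x06:
        oid_len, oid_start = der_length(data, content + 1)
        if data[oid_start:oid_start + oid_len] == OID_PKCS7_SIGNED_DATA:
            return "pkcs7"
        raise ValueError("PKCS#7 ContentInfo is not signedData")
    raise ValueError("unrecognised DER structure")


def classify(blob):
    """Classify file bytes as one of the four importable formats.
    Returns ('DER' or 'PEM', 'x509' or 'pkcs7'); raises ValueError otherwise."""
    m = PEM_RE.search(blob)
    if m is None:
        return "DER", classify_der(blob)
    label, body = m.group(1), m.group(2)
    # b64decode discards the line breaks that PEM inserts every 64 characters.
    kind = classify_der(base64.b64decode(body))
    if PEM_LABELS.get(label) != kind:
        raise ValueError(f"PEM label {label.decode()} does not match content ({kind})")
    return "PEM", kind


# Constructed minimal samples: valid DER framing around placeholder contents,
# not real certificates (a real X.509 file is several hundred bytes).
SAMPLE_DER_X509 = bytes.fromhex("3005" "3003" "020100")              # SEQUENCE { SEQUENCE { INTEGER 0 } }
SAMPLE_DER_PKCS7 = bytes.fromhex("300b" "0609" "2a864886f70d010702")  # SEQUENCE { OID signedData }


def pem_armor(label, der):
    """Wrap DER bytes in PEM armor with 64-column Base-64 lines (constructed input)."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return b"-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, b"\n".join(lines), label)


if __name__ == "__main__":
    samples = [("binary X.509", SAMPLE_DER_X509),
               ("binary PKCS#7", SAMPLE_DER_PKCS7),
               ("PEM X.509", pem_armor(b"CERTIFICATE", SAMPLE_DER_X509)),
               ("PEM PKCS#7", pem_armor(b"PKCS7", SAMPLE_DER_PKCS7))]
    for name, blob in samples:
        print(name, "->", classify(blob))
```

The length check is the part that catches truncated files: DER records the exact byte count of the outer SEQUENCE, so a file whose size disagrees with it cannot be a complete certificate. The label check catches a PKCS#7 bundle saved under a CERTIFICATE header, which decodes fine but is not the format the label claims.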
Finding Out More
See Section 12.6 on page 206 for technical background information on certificates.
12.2 The My Certificates Screen
This is the ZyXEL Device’s summary list of certificates and certification requests. Certificates display in black and certification requests display in gray. Click Security > Certificates > My Certificates to open the My Certificates screen.
Figure 108 My Certificates
The following table describes the labels in this screen.
Table 66 My Certificates

PKI Storage Space in Use: This bar displays the percentage of the ZyXEL Device’s PKI storage space that is currently in use. The bar turns from green to red when the maximum is being approached. When the bar is red, you should consider deleting expired or unnecessary certificates before adding more certificates.

My Certificate Setting

#: This field displays the certificate index number. The certificates are listed in alphabetical order.

Name: This field displays the name used to identify this certificate. It is recommended that you give each certificate a unique name.

Type: This field displays what kind of certificate this is.
REQ represents a certification request and is not yet a valid certificate. Send a certification request to a certification authority, which then issues a certificate. Use the My Certificate Import screen to import the certificate and replace the request.
SELF represents a self-signed certificate.
*SELF represents the default self-signed certificate, which the ZyXEL Device uses to sign imported trusted remote host certificates.
CERT represents a certificate issued by a certification authority.

Subject: This field displays identifying information about the certificate’s owner, such as CN (Common Name), OU (Organizational Unit or department), O (Organization or company) and C (Country). It is recommended that each certificate have unique subject information.

Issuer: This field displays identifying information about the certificate’s issuing certification authority, such as a common name, organizational unit or department, organization or company and country. With self-signed certificates, this is the same information as in the Subject field.

Valid From: This field displays the date that the certificate becomes applicable. The text displays in red and includes a Not Yet Valid! message if the certificate has not yet become applicable.

Valid To: This field displays the date that the certificate expires. The text displays in red and includes an Expiring! or Expired! message if the certificate is about to expire or has already expired.

Modify: Click the Edit icon to open a screen with an in-depth list of information about the certificate.
Click the Remove icon to remove the certificate. A window displays asking you to confirm that you want to delete the certificate.
You cannot delete a certificate that one or more features is configured to use.
Do the following to delete a certificate that shows *SELF in the Type field.
1. Make sure that no other features, such as HTTPS, VPN or SSH, are configured to use the *SELF certificate.
2. Click the Edit icon next to another self-signed certificate (see the description of the Create button if you need to create a self-signed certificate).
3. Select the Default self-signed certificate which signs the imported remote host certificates check box.
4. Click Apply to save the changes and return to the My Certificates screen.
5. The certificate that originally showed *SELF displays SELF and you can delete it now.
Note that subsequent certificates move up by one when you take this action.

Create: Click this to go to the screen where you can have the ZyXEL Device generate a certificate or a certification request.