ZLD 2.20 Introduction

For ZyWALL USG series
ZyXEL Communications Corp.
Date: 2009/08/11
Outline
- Summary
- Improved Usability
- BWM
- End Point Security
- Windows 7 Ready
- Better Look n' Feel (GUI 2.0)
- Troubleshooting Made Easy
- Misc
- FAQ
Summary (1/2): ZLD v2.20 Main Features

Improved Usability
- ZLD packet flow v2.0
  - Auto-disable a policy route rule when its next hop is dead
  - No policy route needed for default LAN-to-WAN traffic
  - No policy route needed for IPSec traffic
  - Policy route overrides all other routing, even direct routes
  - Many 1-to-1 NAT
  - Outgoing many-to-many overload NAT
- Unified interface design
  - Consistent interface configuration style across all USG models
- Object reference
  - Object reference lookup: "Where used" is shown for each object
- CF enhancement
  - Bypass content filter checks on IPSec VPN traffic

BWM
- DiffServ tagging (DSCP)
- BWM by DSCP mark

End Point Security
- EPS with SSL VPN: end point security check for SSL VPN users
- EPS with Authentication Policy
- Kaspersky AV client supported (AV enforcer)

Windows 7 Ready
- SSL VPN enhancement: SSL VPN full tunnel supports Windows 7
Summary (2/2): ZLD v2.20 Main Features

Better Look n' Feel (GUI v2.0)
- Web 2.0 (Ajax) technology; much more flexible and easy to use
- Virtual device on the dashboard

Troubleshooting Made Easy
- Log display adds source interface, destination interface and protocol columns
- Packet capture configuration in the GUI
  - Control packet capture from the GUI
  - Capture on multiple interfaces simultaneously
  - Download pcaps from the GUI

Misc
- AAA enhancement: LDAP user group support
- Authentication Policy: enhanced version of forced user authentication
- 3G enhancement: more 3G (USB) cards supported, plus 3G budget control
- IPSec VPN enhancement: IPSec HA auto fall back (ZyNOS-like feature)
- HA enhancement: Bridge/VLAN interfaces supported in Device HA AP mode
- SIP ALG enhancement: SIP ALG 1.2 supports an IP PBX in the DMZ zone scenario
- DNS query method: device DNS queries can be bound to a specific interface
- Routing enhancement: RIP/OSPF on VLAN interfaces
Improved Usability
- ZLD packet flow 2.0
- CF enhancement
- Object reference
Problem on Current ZLD Design
- Problems in the current ZLD 2.0x / 2.1x design
  - Virtual server problems
    - 1:1 mapping requires a policy route
    - NAT loopback requires a policy route
    - No many 1-to-1 support
    - If the mapped IP is not owned by the device, the device creates a virtual interface for the virtual server rule (needs a better solution)
  - Routing issues
    - Users must create policy routes for ordinary routing (e.g. LAN traffic, WLAN traffic)
    - A direct route always has higher priority than a policy route
    - SNAT to a device-unowned IP in a policy route does not work
  - Site-to-site VPN requires a policy route
New Packet Flow Design
- Users no longer need to set up policy routes for default LAN-to-WAN traffic or VPN traffic
  - Default SNAT and WAN trunk routing
  - Static Route and Dynamic Route can be
  - VPN routing policies are created automatically
- Outgoing many-to-many NAT (proxy ARP)
- New NAT loopback implementation
- A policy route can override a direct route
ZLD Routing Table Changes

ZLD 2.1x design (routing check order):
1. Direct-connected subnets
2. Dynamic VPN
3. Policy route
4. Main route table (Linux nature): static route, dynamic route

ZLD 2.20 design (new route table, routing check order):
1. Policy route
2. Direct-connected subnets
3. Many 1-to-1 NAT #1, ..., #n
4. Auto VPN: site-to-site VPN, dynamic VPN
5. Main route table: static and dynamic routes
6. Default WAN trunk
„ Provide default Trunk “SYSTEM_DEFAULT_WAN_TRUNK”
that user can not delete it.
„ SYSTEM_DEFAULT_WAN_TRUNK will add external
Ethernet interface and ppp/aux/cellular automatically
NAT Enhancement
- Supports 1-to-1 NAT and many 1-to-1 NAT
- New NAT loopback implementation
- NAT table design change

SNAT checking priority (high to low):

ZLD 2.1x design:
1. Policy route SNAT
2. 1-to-1 SNAT (including many 1-to-1)
3. Default SNAT

ZLD 2.20 design:
1. Policy route SNAT
2. 1-to-1 SNAT (including many 1-to-1)
3. NAT loopback
4. Default SNAT
„Traffic that match the following criteria
will do the related action.
action
„Only internal to external will do SNAT
SNAT
Internal Æ external
On
Scenarios (Example)
LAN Æ WAN
Access Internet
Internal Æ internal
Off
LAN Æ DMZ
A
Access
S
Server
external Æ Internal
Off
WAN Æ LAN
Serving Internet access
external Æ external
Off
WAN Æ WAN
Dynamic
y
Route
Policy Route Enhancement
- Goal: auto-disable a policy route when its next hop is dead
- Interface status is based on
  - Link up / down
  - Interface enable / disable
  - Connectivity check
  - Whether the next hop is an IP object or not
- Rule states shown in the GUI: Activated (green), Deactivated (gray), Auto-Deactivated (red)
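The following is an added example, not ZyXEL code: a toy model of the ZLD 2.20 route-lookup order, the default-SNAT rule and the policy-route auto-deactivation described in the slides above, with the 2.1x order kept for comparison (its dynamic-VPN step is left out). Interface names, subnets, the internal/external attribute, the catch-all policy route and every address are assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Interface:
    name: str
    kind: str                      # interface property: "internal" or "external"
    subnet: Optional[str] = None   # directly connected subnet, if any
    link_up: bool = True
    enabled: bool = True
    conn_check_ok: bool = True     # last connectivity (ping) check result

    def alive(self) -> bool:
        return self.link_up and self.enabled and self.conn_check_ok


@dataclass
class PolicyRoute:
    src: str
    dst: str
    next_hop: str                  # next-hop interface name
    user_disabled: bool = False

    def status(self, ifaces: Dict[str, Interface]) -> str:
        """Activated / Deactivated / Auto-Deactivated, as the GUI shows it."""
        if self.user_disabled:
            return "Deactivated"
        if not ifaces[self.next_hop].alive():
            return "Auto-Deactivated"
        return "Activated"


@dataclass
class Config:
    ifaces: Dict[str, Interface]
    policy: List[PolicyRoute] = field(default_factory=list)
    nat_1to1: Dict[str, str] = field(default_factory=dict)   # mapped public IP -> interface
    auto_vpn: Dict[str, str] = field(default_factory=dict)   # remote subnet -> tunnel
    static: Dict[str, str] = field(default_factory=dict)     # subnet -> interface
    default_trunk: List[str] = field(default_factory=list)   # SYSTEM_DEFAULT_WAN_TRUNK members


# Lookup order per design (2.1x shown without its dynamic-VPN step).
ORDER = {
    "2.1x": ["direct", "policy", "static"],
    "2.20": ["policy", "direct", "nat_1to1", "auto_vpn", "static", "default_trunk"],
}


def _in(ip: str, net: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net)


def lookup(cfg: Config, src: str, dst: str, design: str = "2.20"):
    """Return (table that matched, egress interface), or (None, None)."""
    for table in ORDER[design]:
        if table == "policy":
            for pr in cfg.policy:   # a dead next hop makes the rule Auto-Deactivated
                if pr.status(cfg.ifaces) == "Activated" and _in(src, pr.src) and _in(dst, pr.dst):
                    return table, pr.next_hop
        elif table == "direct":
            for i in cfg.ifaces.values():
                if i.subnet and _in(dst, i.subnet):
                    return table, i.name
        elif table == "nat_1to1" and dst in cfg.nat_1to1:
            return table, cfg.nat_1to1[dst]
        elif table in ("auto_vpn", "static"):
            for net, ifn in getattr(cfg, table).items():
                if _in(dst, net):
                    return table, ifn
        elif table == "default_trunk":
            for ifn in cfg.default_trunk:   # first live trunk member
                if cfg.ifaces[ifn].alive():
                    return table, ifn
    return None, None


def default_snat(cfg: Config, ingress: str, egress: str) -> bool:
    """Default SNAT is applied only to internal -> external traffic."""
    return cfg.ifaces[ingress].kind == "internal" and cfg.ifaces[egress].kind == "external"


def sample_config() -> Config:
    """Constructed topology: two WANs, a LAN, a DMZ and one site-to-site tunnel."""
    ifaces = {i.name: i for i in [
        Interface("ge1", "external", "203.0.113.0/24"),   # wan1
        Interface("ge2", "external", "198.51.100.0/24"),  # wan2
        Interface("ge3", "internal", "192.168.1.0/24"),   # lan1
        Interface("ge4", "internal", "10.0.0.0/24"),      # dmz
        Interface("tunnel1", "internal"),                 # VPN peer treated as internal (assumption)
    ]}
    return Config(ifaces,
                  policy=[PolicyRoute("192.168.1.0/24", "0.0.0.0/0", "ge2")],  # catch-all LAN -> wan2
                  nat_1to1={"203.0.113.10": "ge4"},
                  auto_vpn={"172.16.0.0/16": "tunnel1"},
                  static={"10.10.0.0/16": "ge4"},
                  default_trunk=["ge1", "ge2"])


def demo() -> dict:
    cfg, r = sample_config(), {}
    r["lan_to_wan"] = lookup(cfg, "192.168.1.10", "192.0.2.50")             # policy route -> ge2, SNAT on
    r["lan_to_dmz_220"] = lookup(cfg, "192.168.1.10", "10.0.0.5")          # 2.20: catch-all policy route beats the direct route
    r["lan_to_dmz_21x"] = lookup(cfg, "192.168.1.10", "10.0.0.5", "2.1x")  # 2.1x: direct route wins
    r["lan_to_dmz_220_snat"] = default_snat(cfg, "ge3", r["lan_to_dmz_220"][1])  # ... and gets SNATed out wan2
    r["lan_to_vpn_hijacked"] = lookup(cfg, "192.168.1.10", "172.16.5.5")    # same for VPN-bound traffic
    cfg.ifaces["ge2"].conn_check_ok = False                                 # wan2 next hop goes dead
    r["status"] = cfg.policy[0].status(cfg.ifaces)                          # Auto-Deactivated
    r["lan_to_wan_failover"] = lookup(cfg, "192.168.1.10", "192.0.2.50")    # falls through to the default WAN trunk
    r["lan_to_vpn"] = lookup(cfg, "192.168.1.10", "172.16.5.5")             # auto VPN route, no policy route needed
    return r
```

The point the model makes explicit: because a policy route is now checked before direct-connected subnets and auto VPN routes, a catch-all policy route (destination any) that was harmless under 2.1x pulls LAN-to-DMZ and LAN-to-VPN traffic out of the WAN interface and SNATs it. When upgrading, narrow such rules to Internet destinations or exclude the internal and VPN subnets.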
Unified Interface Enhancement
- Purpose
  - Provide a more flexible and user-friendly design
  - Give all USG series models a consistent interface configuration style
- Enhancements in ZLD 2.20
  - Configurable interface name
  - Port information shown on Ethernet interfaces
  - Interface property
  - System default PPP interface
  - Zone/trunk design change
Unify Interface Name for All Products
- Before ZLD v2.20
  - Interface names on USG100/200: wan1, wan2, opt, lan1, lan2, dmz
  - USG300/1000/2000, ZW1050: ge1, ge2, ge3 and so on
- After ZLD 2.20
  - Unified interface name design for all models
  - The user can define a meaningful name
Configurable Interface Name (1/2)
- The interface name is configurable; the user can modify it

Configurable Interface Name (2/2)
- The new interface name is displayed in every feature that uses interfaces (the user-defined name is shown)
Showing Port Information on Interface

Interface       | Display wording
Ethernet        | ge1(wan1), ge2(wan2), ge3(lan1), ... shown with their ports P1, P2, P3, ...
VLAN, PPP       | Displays its base physical port, such as P1, P2, ...
Bridge          | n/a
WLAN, Cellular  | Displays its location, such as slot1/slot2 or USB1/USB2
Aux             | aux
Interface Property
- Interfaces are divided into several groups (types)
- Each type gets different settings, which simplifies the configuration page on the GUI

Type                 | Internal                     | External                | General
Device model         | USG 100/200: LAN1, LAN2, DMZ | USG 100/200: WAN1, WAN2 | USG 300/1000/2000: ge1, ge2, ...
Set DHCP client      | Not supported                | Supported               | Supported
Set DHCP server      | Supported                    | Not supported           | Supported
Set DHCP relay       | Supported                    | Not supported           | Supported
Set default gateway  | Not supported                | Supported               | Supported
Set metric           | Not supported                | Supported               | Supported
Set ping check       | Not supported                | Supported               | Supported
MAC address setting  | Not supported                | Supported               | Supported
System Default PPP Interface
- Multiple PPP interfaces can be bound to one WAN interface on USG 100/200
- PPP can be set up on a VLAN interface on USG 100/200
- The user can add/delete user-defined PPP interfaces
- The system default PPP interfaces cannot be deleted by the user
Zone/Trunk Design Change

ZONE
- USG 100/200, before ZLD v2.20
  a. Fixed zones: WAN, LAN1, LAN2, WLAN, DMZ, OPT (USG200 only), SSL_VPN, IPSec VPN
  b. The user cannot create/delete zones
- USG 300/1000/2000, before ZLD v2.20: the user can create/delete zones
- All models, after ZLD v2.20
  a. System default zones: WAN, LAN1, LAN2, WLAN, DMZ, OPT (USG200 only), SSL_VPN, IPSec VPN
  b. The user can create/delete zones

TRUNK
- USG 100/200, before ZLD v2.20
  a. Limited to 5 trunks: WAN_TRUNK, WAN_TRUNK2, WAN_TRUNK3, WAN_TRUNK4, WAN_TRUNK5
  b. The user cannot add/delete the existing trunks
- USG 300/1000/2000, before ZLD v2.20: the user can add/delete trunks
- All models, after ZLD v2.20
  a. No limitation to 5 fixed trunks
  b. The user can add/delete trunks
Object Reference
- Current issue: when the user tries to remove an object that is in use, the system returns a failure message but no further information
- New design: a mechanism to list all references to an object or group
Object Reference: GUI
CF Enhancement
- Some users request that content filtering not be applied to traffic passing through a VPN tunnel
- A CLI command is added to bypass or inspect the content filter on VPN traffic
BWM
- DiffServ tagging
- BWM by DSCP mark
What Is a DiffServ Code Point?
- Network edge router: negotiates the service level agreement / traffic conditioning, defines DSCP according to administrative policies, and performs traffic marking and shaping
- Network core router: guarantees the traffic QoS level based on DSCP and administrative control
DSCP Design
- Objective
  - DSCP-aware traffic conditioning, shaping and marking
  - DSCP marking based on the application layer
- DSCP functionality in ZLD
  - Marking: classify traffic to different DSCP values according to application, source/destination IP, service, and even the user (user-aware)
  - Bandwidth management: packets with different DSCP values receive differentiated BWM
  - Routing: packets with different DSCP tags can get distinct routing results or NAT
- DSCP control is combined into policy rules and App Patrol
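The following is an added example, not ZyXEL code: DSCP handling in the IPv4 TOS byte, a first-match marking policy of the kind the slide describes (by source, service and authenticated user), and a BWM queue chosen from the DSCP. The rule fields, the queue names, the sample packets and the trusted/untrusted ingress flag are assumptions of the example; resetting marks that arrive from an untrusted interface is the edge-router role above applied as a design choice, not a documented ZLD behaviour.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Well-known code points: RFC 2474 (CS), RFC 2597 (AF), RFC 3246 (EF)
DSCP: Dict[str, int] = {"BE": 0, "CS1": 8, "AF11": 10, "AF21": 18, "AF31": 26,
                        "AF41": 34, "CS5": 40, "EF": 46, "CS6": 48}
NAME = {v: k for k, v in DSCP.items()}


def dscp_of(tos: int) -> int:
    """DSCP is the upper six bits of the TOS / traffic-class byte."""
    return (tos >> 2) & 0x3F


def set_dscp(tos: int, dscp: int) -> int:
    """Re-mark the DSCP while leaving the two ECN bits untouched."""
    return ((dscp & 0x3F) << 2) | (tos & 0x03)


def af_class(dscp: int) -> Optional[Tuple[int, int]]:
    """AFxy: class x (1-4) in bits 5-3, drop precedence y (1-3) in bits 2-1, bit 0 clear."""
    x, y = dscp >> 3, (dscp >> 1) & 0x3
    return (x, y) if 1 <= x <= 4 and 1 <= y <= 3 and dscp & 1 == 0 else None


@dataclass
class MarkRule:
    src: str        # CIDR or "any"
    service: str    # service name or "any"
    user: str       # user-aware match or "any"
    dscp: str       # a name from DSCP

    def matches(self, pkt: dict) -> bool:
        src_ok = self.src == "any" or ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
        return src_ok and self.service in ("any", pkt["service"]) and self.user in ("any", pkt["user"])


def mark(pkt: dict, rules: List[MarkRule], trusted_ingress: bool) -> int:
    """Return the new TOS byte after applying the first matching rule."""
    for r in rules:
        if r.matches(pkt):
            return set_dscp(pkt["tos"], DSCP[r.dscp])
    # Unmatched traffic keeps its mark only when it came in on a trusted
    # (internal) interface; marks arriving from outside are reset to BE so a
    # remote peer cannot buy itself priority by tagging its packets EF.
    return pkt["tos"] if trusted_ingress else set_dscp(pkt["tos"], DSCP["BE"])


def bwm_queue(dscp: int) -> Tuple[str, int, int]:
    """Map a DSCP to (queue, priority, drop precedence); lower priority number wins."""
    if dscp == DSCP["EF"]:
        return "voice", 1, 1
    af = af_class(dscp)
    if af:
        x, y = af
        return {4: "video", 3: "business", 2: "bulk", 1: "scavenger"}[x], 6 - x, y
    if dscp >= DSCP["CS6"]:          # CS6/CS7: network control
        return "control", 0, 1
    return "default", 6, 3


def demo() -> dict:
    rules = [MarkRule("192.168.1.0/24", "sip", "any", "EF"),
             MarkRule("any", "https", "finance", "AF31")]
    # Constructed packets: source, service, authenticated user, TOS byte
    voip = {"src": "192.168.1.20", "service": "sip", "user": "alice", "tos": 0x00}
    spoof = {"src": "203.0.113.7", "service": "https", "user": "", "tos": 0xB9}  # claims EF, ECN bits = 01
    fin = {"src": "192.168.1.30", "service": "https", "user": "finance", "tos": 0x00}
    return {
        "voip": mark(voip, rules, trusted_ingress=True),        # LAN SIP -> EF
        "spoofed_ef": mark(spoof, rules, trusted_ingress=False),  # WAN-sourced EF -> BE, ECN kept
        "finance": mark(fin, rules, trusted_ingress=True),      # user-aware match -> AF31
        "queues": {NAME[d]: bwm_queue(d) for d in (46, 34, 26, 0)},
    }
```

The same marking function can feed the routing step the slide mentions: a policy route that matches on DSCP sees the re-marked value, so marking must happen before the route lookup for DSCP-based routing or NAT to be meaningful.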
End Point Security
- EPS with SSL VPN
- EPS with Authentication Policy
EPS with SSL VPN
- Security software is distributed to end-user devices
- A program is downloaded and installed on the endpoint; it checks the endpoint's security status when the endpoint accesses resources controlled by the ZyWALL
- If the endpoint's operating environment matches the company security requirement, access is granted
- Checks on the client host:
  - Anti-virus installed and active
  - Anti-spyware installed and active
  - Personal firewall installed and active
  - User-defined checks on OS internal settings, e.g. the Windows Registry
Scenario with EPS checking (figure): remote clients authenticate against the company LDAP, RADIUS or Active Directory server, and each resource behind the ZyWALL (file server, email server, web server) has its own EPS check set (anti-virus, anti-spyware, personal firewall, ...). A client that fails a resource's checks (marked x in the figure) is blocked from that resource; one that passes (marked v) is let through.
EPS with Authentication Policy
- An improved version of forced user authentication
- Network admission control
- EPS checking is done after user authentication
- The user can access the network only after passing both user authentication and the EPS check
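The following is an added example, not ZyXEL code: the admission decision described above, taken in the slide's order (user authentication first, then the EPS check), with a per-resource check set like the scenario figure. The posture-report fields, the in-memory user table, the registry key and the resource names are constructed for the example; a real deployment checks credentials against LDAP, RADIUS or Active Directory and gets the posture report from the endpoint agent.

```python
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Registry value the example expects the endpoint to report (assumed user-defined check)
UAC_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"


@dataclass
class Posture:
    """What the endpoint agent reports about the client host."""
    av_installed: bool = False
    av_active: bool = False
    antispyware_installed: bool = False
    antispyware_active: bool = False
    firewall_installed: bool = False
    firewall_active: bool = False
    registry: Dict[str, int] = field(default_factory=dict)   # key path -> value


@dataclass
class EpsPolicy:
    """Required checks for one resource."""
    anti_virus: bool = True
    anti_spyware: bool = False
    personal_firewall: bool = True
    registry: Dict[str, int] = field(default_factory=dict)   # key path -> required value


def eps_check(p: Posture, policy: EpsPolicy) -> List[str]:
    """Return the failed checks; an empty list means the endpoint passes."""
    failed = []
    if policy.anti_virus and not (p.av_installed and p.av_active):
        failed.append("anti-virus")
    if policy.anti_spyware and not (p.antispyware_installed and p.antispyware_active):
        failed.append("anti-spyware")
    if policy.personal_firewall and not (p.firewall_installed and p.firewall_active):
        failed.append("personal-firewall")
    for key, want in policy.registry.items():
        if p.registry.get(key) != want:              # missing key fails too
            failed.append("registry:" + key.rsplit("\\", 1)[-1])
    return failed


# Constructed user store (password, group); stands in for the AAA server
USERS = {"alice": ("correct horse", "staff"), "bob": ("hunter2", "contractor")}


def authenticate(user: str, password: str) -> Optional[str]:
    """Return the user's group on success, None otherwise."""
    rec = USERS.get(user)
    if rec and hmac.compare_digest(rec[0], password):
        return rec[1]
    return None


# Per-resource EPS policies, as in the scenario figure
RESOURCES = {
    "file-server": EpsPolicy(anti_virus=True, personal_firewall=True),
    "web-server": EpsPolicy(anti_virus=True, personal_firewall=False),
    "email-server": EpsPolicy(anti_virus=True, anti_spyware=True, personal_firewall=True,
                              registry={UAC_KEY: 1}),
}


def admit(user: str, password: str, posture: Posture, resource: str) -> Tuple[bool, str]:
    """Authentication first; the EPS check only runs for an authenticated user."""
    if authenticate(user, password) is None:
        return False, "authentication failed"
    failed = eps_check(posture, RESOURCES[resource])
    if failed:
        return False, "EPS failed: " + ", ".join(failed)
    return True, "granted"


def demo() -> dict:
    # Constructed laptop: AV and firewall on, no anti-spyware, UAC disabled
    laptop = Posture(av_installed=True, av_active=True, firewall_installed=True,
                     firewall_active=True, registry={UAC_KEY: 0})
    return {
        "file": admit("alice", "correct horse", laptop, "file-server"),
        "email": admit("alice", "correct horse", laptop, "email-server"),
        "web": admit("alice", "correct horse", laptop, "web-server"),
        "bad_pw": admit("bob", "wrong", laptop, "file-server"),
    }
```

Two details worth keeping in a real implementation: a failed login returns before the EPS policy is consulted, so an unauthenticated client learns nothing about which checks a resource requires, and a registry key the agent did not report counts as a failure rather than a pass.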
Windows 7 Ready
- SSL VPN enhancement

Support Windows 7: technical elements / spec and top-down road map

Item                                                   | ZLD 2.12 patch x (4Q'09) | ZLD 2.20 (1Q'10) | ZLD 2.21 (2Q'10)
SSL VPN full tunnel: run SecuExtender on Windows 7     | yes                      | yes              | yes
SSL VPN proxy mode: user runs IE8 on Windows 7         | yes                      | yes              | yes
Device management: administrator uses IE8 on Windows 7 | yes                      | yes              | yes
EPS: set policy to detect Windows 7                    | no                       | yes              | yes
IPSec VPN client (TGB), IPSec version 2.4.204.61.03    | yes (4Q'09)              | yes (2Q'10)      | yes (4Q'10)
Better Look n' Feel
- GUI 2.0

Web GUI 2.0 Introduction
- ZLD Web GUI 2.0 is developed on the Ext JS library because of its
  - High-performance, customizable UI widgets
  - Well-designed, documented and extensible component model
  - Good browser compatibility

Web GUI 2.0 Properties
- Reorganized menu tree
- Easy device status monitoring: virtual device
- Customizable dashboard
- User-friendly table operation: a more user-friendly interface to configure
Reorganized Menu Tree
- Dashboard
- Monitor
- Configuration
- Maintenance
Virtual Device
Customized Dashboard (1/2)
Customized Dashboard (2/2)
User Friendly Table Operation
Quick Setup
Troubleshooting Made Easy
- LOG in GUI 2.0
- Debug tool

LOG
- Extra log columns: source interface, destination interface, protocol

APP Patrol Enhancement
- Logs MSN user login/logout
  - "MSN user XXX has logged in."
  - "MSN user XXX has logged out."

Debug Tool
- Makes troubleshooting easy
- GUI page for packet capture
- Packet capture on multiple interfaces at once
- Download the packet capture result from the GUI
Misc

AAA Enhancement
- In the current ZLD design, grouping of external users is not user-friendly
  - One big group (i.e. ldap-users) represents all external users
  - User-defined group members MUST be keyed in manually
- The new design will
  - Use a user to represent external users instead of a container holding thousands of users
  - Support as many scenarios as possible
  - Need as few configuration steps as possible

AAA Enhancement: Design Coverage
- This enhancement applies only to services that support both external AAA and user-aware features
  - Services supporting external AAA can authenticate users against an external AAA server: weblogin, L2TP, xx-auth, WLAN
  - Services supporting user-aware notify the user-aware feature about user login/logout status: weblogin, dialin, ftp, login, ssh
  - From now on, only the weblogin case will be focused on
Budget Control: 3G
- Control 3G network usage by time usage or data transmitted
- Supported actions: log/alert, connection dropped
IPSec VPN: Fall Back
- Fail over: negotiate the tunnel with the secondary remote gateway when the primary remote gateway is dead
- Fall back: let the tunnel reconnect to the primary remote gateway even if the secondary remote gateway is alive
- Without fall back, once the secondary remote gateway is up the tunnel always stays with it, because the IPSec daemon keeps its record of the dead (primary) remote gateway

IPSec VPN: Auto Fall Back (figure)
- Phase 1 on the HQ side (172.23.38.1): SG1 = 172.23.38.10 (secure gateway A), SG2 = 172.23.38.20 (secure gateway B)
- Fail over: A -> B when A is dead; fall back: B -> A when A is alive again
- No fail over implies no fall back; fall back presupposes a fail over
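The following is an added example, not ZyXEL code: the fail-over / fall-back behaviour above as a small state machine. Without fall back the tunnel stays on the secondary gateway because the dead-peer record for the primary is never cleared; with fall back the primary is retried once it answers again and the tunnel moves back. The gateway addresses are the slide's; the probe timeline is constructed for the example.

```python
from typing import Dict, List, Optional, Set

PRIMARY, SECONDARY = "172.23.38.10", "172.23.38.20"   # SG1 (A), SG2 (B)


class Tunnel:
    def __init__(self, gateways: List[str], fall_back: bool):
        self.gateways = gateways            # [primary, secondary] in priority order
        self.fall_back = fall_back
        self.peer: Optional[str] = None     # gateway the tunnel is currently up with
        self.dead: Set[str] = set()         # gateways the daemon recorded as dead

    def tick(self, alive: Dict[str, bool]) -> Optional[str]:
        """One DPD/probe round; returns the peer the tunnel is up with afterwards."""
        if self.peer is not None and not alive[self.peer]:
            self.dead.add(self.peer)        # current peer died: remember it, fail over below
            self.peer = None
        if self.fall_back:
            # Fall back: clear the dead record of any gateway that answers again,
            # so the next negotiation can prefer the primary.
            self.dead -= {g for g in self.gateways if alive[g]}
        if self.peer is None or (self.fall_back and self.peer != self.gateways[0]):
            for g in self.gateways:         # first live gateway not marked dead wins
                if alive[g] and g not in self.dead:
                    self.peer = g
                    break
        return self.peer


def run(fall_back: bool) -> List[Optional[str]]:
    """Constructed timeline: primary up, primary dies, primary recovers."""
    timeline = [
        {PRIMARY: True, SECONDARY: True},    # t0: both up -> primary
        {PRIMARY: False, SECONDARY: True},   # t1: primary dead -> fail over to secondary
        {PRIMARY: True, SECONDARY: True},    # t2: primary back -> fall back only if enabled
        {PRIMARY: True, SECONDARY: True},    # t3: steady state
    ]
    t = Tunnel([PRIMARY, SECONDARY], fall_back)
    return [t.tick(a) for a in timeline]
```

Falling back is a renegotiation: the tunnel to the secondary is torn down and Phase 1 is redone with the primary, so traffic in flight at that moment is interrupted once more. Enable it where the primary path is clearly preferred (bandwidth, cost, policy); leave it off where a stable tunnel matters more than which gateway carries it.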
Device HA Enhancement
- Supports VLAN and bridge interfaces in Device HA AP mode
- The Device HA backup does not do NTP sync (ITS)
SIP ALG 1.2
- Purpose: support an IP PBX in the DMZ zone scenario
- Design coverage:
  - SIP port tracking: listening UDP ports for SIP, max 8 ports
  - Behaviors:
    - Related SIP connections: help App Patrol monitor SIP connections
    - NAT ALG: modify packets in a NAT environment and help clients construct media connections behind NAT
    - Extend the lifetime of SIP connections
  - Customized controls
DNS Query Enhancement (1/2)
Current problem:
- The destination DNS server of a zone forwarder is decided by the domain of the queried FQDN
- Problems
  - Routing entries determine the interface from which the DNS query is sent out
  - The DNS query is dropped if the destination DNS server requires that queries come from its ISP's network
- Some DNS queries for specific domains need to be bound to a specific interface

DNS Query Enhancement (2/2)
- Force the DNS query packet to be bound to a specific interface when it is sent out
  - interface name (ge1, ge2, ...): DNS server from the ISP or a customized DNS server; the DNS query is bound to the configured interface
  - any: customized DNS server; the outgoing interface for the DNS query depends on the routing decision
  - tunnel: DNS server at the remote network; the DNS query passes through the tunnel

Example zone forwarder table:
Domain    Server  Via
abc.com   abc     WAN2
xyz.com   xyz     WAN1
A DNS query for www.abc.com matches abc.com, so it is sent to server abc (Dst IP: abc) via WAN2.
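The following is an added example, not ZyXEL code: zone-forwarder selection as described above, with longest-suffix domain matching and the three "via" kinds (interface name, any, tunnel). The table entries, the resolver addresses and the stand-in route lookup are constructed for the example.

```python
from typing import Dict, Optional, Tuple

# Domain -> (DNS server, via). "*" is the default forwarder for any other domain.
ZONE_FORWARDERS: Dict[str, Tuple[str, str]] = {
    "abc.com": ("203.0.113.53", "wan2"),        # ISP resolver that only answers its own network
    "xyz.com": ("198.51.100.53", "wan1"),
    "corp.example": ("10.1.0.53", "tunnel1"),   # resolver at the remote site, through the VPN
    "*": ("192.0.2.53", "any"),                 # public resolver, egress left to routing
}


def route_lookup(dst: str) -> str:
    """Stand-in for the device routing decision, used only when via == any."""
    return "wan1"


def select_forwarder(fqdn: str, table: Dict[str, Tuple[str, str]] = ZONE_FORWARDERS
                     ) -> Optional[Tuple[str, str, str]]:
    """Return (server, via, egress interface) for a query name, or None if nothing matches."""
    labels = fqdn.rstrip(".").lower().split(".")
    # Longest matching suffix wins: "www.abc.com" tries www.abc.com, then abc.com, then com.
    for i in range(len(labels)):
        zone = ".".join(labels[i:])
        if zone in table:
            server, via = table[zone]
            break
    else:
        if "*" not in table:
            return None
        server, via = table["*"]
    # An interface name or tunnel pins the query to that egress regardless of the
    # routing table; only "any" falls back to the normal routing decision.
    egress = route_lookup(server) if via == "any" else via
    return server, via, egress
```

Binding the query to the ISP-facing interface is what keeps the ISP resolver from rejecting it; the "any" entry shows the pre-2.20 behaviour, where the egress is whatever the routing table picks for the server address.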
RIP/OSPF Enhancement
- When editing a VLAN interface, the user can set up RIP/OSPF on it
FAQ