Gateway User Interface

29

Configuring Advanced Firewall Settings

The Edit Advanced Firewall Settings page allows you to configure advanced features on your firewall.

Enabling Advanced Security

The 2Wire gateway firewall already provides a high level of security. You can configure the firewall to provide

advanced security features, including stealth mode, strict UDP

, or block pings.

•

Stealth Mode. When in stealth mode, the 2Wire gateway firewall does not return information in

response to network queries; that is, it will appear to hackers who are trying to access your network

that your network does not exist. This discourages hackers from further attempts at accessing your

network, because to them it will appear as though there is no active network to access.

•

Block Ping. Ping is a basic Internet program that, when used without malicious intent, allows a user to

verify that a particular IP address exists and can accept requests. Hackers can use ping to launch an

attack against your network, because ping can determine the number form of the network’s IP address

(for example, 105.246.172.72) from the domain name (for example, www.mynetwork.com). If you

enable Block Ping, your network will block all ping requests.

Gateway User Interface

30

•

Strict UDP Session Control. Enabling this feature provides increased security by preventing the 2Wire

gateway from accepting packets sent from an unknown source over an existing connection.

The ability

to send traffic based on destination only is required by some applications. Enabling this feature may not

allow some on-line applications to work properly.

Allowing Inbound and Outbound Traffic

The Inbound and Outbound Control pane displays some common protocol types. When one of the Inbound

protocol boxes is checked, the firewall allows the corresponding protocol to pass through from the Internet

to the network. If one of the Outbound protocol boxes is checked, the firewall allows the traffic from the

network to pass through the firewall to the Internet.

Note:

If you configure the firewall to block an Inbound protocol, you may disable support for

hosted applications that require that type of protocol.

Disabling Attack Detection

By default, the 2Wire gateway firewall rules block the attack types listed in the Attack Detection pane. There

are some applications and devices that require the use of specific data ports through the firewall. The

gateway allows users to open the necessary ports through the firewall using the Firewall Settings page. If

the user requires that a computer have all incoming traffic available to it, this computer can be set to the

DMZplus mode. While in DMZplus mode, the computer is still protected against numerous broadband

attacks (for example, SYN Flood or Invalid TCP flag attacks).

I

n rare cases, the incoming traffic may be inadvertently blocked by the firewall (for example, when

integrating with external third-party firewalls or VPN servers). You may need to disable one or more of the

attack detection capabilities for any device placed in the DMZplus. In this case, the third-party server

provides the attack protection normally provided by the gateway.

Following are the attacks for which the gateway firewall filters continuously checks.

•

Excessive Session Detection. When enabled, the firewall will detect applications on the local network

that are creating excessive sessions out to the Internet. This activity is likely due to a virus or “worm”

infected computer (for example, Blaster Worm). When the event is detected, the gateway displays a

HURL warning page.

•

TCP/UDP Port Scan. A port scan is a series of messages sent by someone attempting to break into a

computer to learn which computer network services, each associated with a well-known port number

(such as UDP and TCP), the computer provides. When enabled, the firewall detects UDP and TCP port

scans, and drops the packet.

•

Invalid Source/Destination IP address. When enabled, the firewall will verify IP addresses by checking

for the following:

−

IP source address is broadcast or multicast — drop packet.

−

TCP destination IP address is not unicast — drop packet.

−

IP source and destination address are the same — drop packet.

−

Invalid IP source received from private/home network — drop packet.

Gateway User Interface

31

•

Packet Flood (SYN/UDP/ICMP/Other). When enabled, the firewall will check for SYN, UDP

, ICMP

, and

other types of packet floods on the local and Internet facing interfaces and stop the flood.

•

Invalid TCP Flag Attacks (NULL/XMAS/Other). When enabled, the firewall will scan inbound and

outbound packets for invalid TCP Flag settings, and drop the packet to prevent SYN/FIN, NULL, and

XMAS attacks.

•

Invalid ICMP Detection. The firewall checks for invalid ICMP/code types, and drops the packet.

•

Miscellaneous. The firewall checks for the following:

−

Unknown IP protocol — drop packet.

−

Port 0 attack detected — drop packet.

−

TCP SYN packet — drop packet.

−

Not a start session packet — drop packet.

−

ICMP destination unreachable — terminate session.

32

Access the Management and Diagnostic

Console

Accessing the Management and Diagnostic Console

The Management and Diagnostic Console (MDC) provides information about the status of the 2Wire

gateway, its broadband network connections, attached home networking devices, system and security

information, and a running log of any error conditions.

To access the MDC locally, in the browser address bar enter

.

After you access the MDC, use the left-hand navigation menu to select specific MDC pages.

System Summary Page

The System Summary page s

hows general information about the 2Wire gateway, its configuration,

and components.

Access the Management and Diagnostic Console

33

Depending on the service provider and the components installed, the System Summary page may include

the following information:

Item

Description

System

Model

2Wire gateway model number (for example, 3700HGV-B).

Serial number

2Wire gateway serial number.

MAC Address

2Wire gateway MAC address.

Hardware Version

2Wire gateway hardware version.

Hardware Options

The type of peripheral device installed.

DSL Modem Type

VDSL.

Current Software

2Wire gateway software version.

Configuration

Key Code

The static key code associated with the current

provisioning settings.

System Time

The day, month, year, and time; or “Retrieving date and

time settings from Internet” if not set.

Time Since Last Boot

The time elapsed since the 2Wire gateway was last

restarted.

Last ID Post

The time elapsed since the 2Wire gateway communicated

with the configuration server.

Components

DSL Modem

Modem software version.

common_en

The language in which the user interface is presented

(common_en = English).

Firewall Rules

Current version of the installed firewall rules database.

Application List

Current version of the application list.