Firewall Tab

46

Stealth Mode

In normal firewall operation, when an unknown remote device makes a request to connect to a user’s

network the firewall does not allow the connection to be made and responds with a “connection not

available” message. This may not discourage a determined hacker, because the message confirms that

there is an active network sending the response. The hacker may then use more sophisticated tools in an

attempt to access your network.

When in stealth mode, the 2Wire gateway firewall does not return

any

information in response to network

queries; that is, it will appear to the hacker who is trying to access your network that your network does not

exist. This discourages hackers from further attempts at accessing your network, because to them it will

appear as though there is no active network to access.

To enable Stealth Mode:

•

Open a Web browser and access the 2Wire gateway user interface by entering

•

Click the

Firewall

tab.

•

Click the Advanced Settings

link under the tab to open the Edit Advanced Firewall Settings page.

1.

In the Security pane, click the

Stealth Mode

checkbox.

2.

Click

SAVE

.

Firewall Tab

47

Block Ping

Ping is a basic Internet program that, when used without malicious intent, allows a user to verify that a

particular IP address exists and can accept requests. Ping is used diagnostically to ensure that a host

computer you are trying to reach is operating. It can also be used to see how long it takes to get a response

back from a specific host computer.

Hackers can use ping to launch an attack against your network, because ping can determine the number

form of the network’s IP address (for example, 105.246.172.72) from the domain name (for example,

www.mynetwork.com). If you enable Block Ping, your network will block all ping requests.

To block ping:

•

Open a Web browser and access the 2Wire gateway user interface by entering

•

Click the

Firewall

tab.

•

Click the Advanced Settings

link under the tab to open the Edit Advanced Firewall Settings page.

1.

In the Security pane, click the

Block Pings

checkbox.

2.

Click

SAVE

.

Firewall Tab

48

Strict UDP Session Control

Enabling this feature provides increased security by preventing the 2Wire gateway from accepting packets

sent from an unknown source over an existing connection.

Strict UDP instructs the 2Wire gateway to be more restrictive about what packets are allowed to transmit

over an established connection from a local network computer to the Internet. In addition to relying on

information about the destination (3-tuple), the 2Wire gateway will also use information about the source of

the connection (5-tuple).

To enable strict UDP session control:

•

Open a Web browser and access the 2Wire gateway user interface by entering

•

Click the

Firewall

tab.

•

Click the Advanced Settings

link under the tab to open the Edit Advanced Firewall Settings page.

1.

In the Security pane, click the

Strict UDP Session Control

checkbox.

2.

Click

SAVE

.

Note:

The ability to send traffic based on destination only is required by some applications.

Enabling this feature may not allow some on-line applications to work properly.

Firewall Tab

49

Allowing Inbound and Outbound Traffic

The Inbound and Outbound Control pane displays some common protocol types. When one of the Inbound

protocol boxes is checked, the firewall allows the corresponding protocol to pass through from the Internet

to the network. If one of the Outbound protocol boxes is checked, the firewall allows the traffic from the

network to pass through the firewall to the Internet.

To block an Inbound or Outbound protocol:

•

Open a Web browser and access the 2Wire gateway user

interface by entering http://gateway.2Wire.net.

•

Click the

Firewall

tab.

•

Click the Advanced Settings

link under the tab to open the

Edit Advanced Firewall Settings page.

1.

In the Inbound and Outbound Control pane, deselect the

checkbox of the protocol you wish to block.

2.

Click

SAVE

.

Disabling Attack Detection

By default, the 2Wire gateway firewall rules block the attack

types listed in the Attack Detection pane. There are some

applications and devices that require the use of specific data

ports through the firewall. The gateway allows users to open the necessary ports through the firewall using

the Firewall Settings page. If the user requires that a computer have all incoming traffic available to it, this

computer can be set to the DMZplus mode. While in DMZplus mode, the computer is still protected against

numerous broadband attacks (for example, SYN Flood or Invalid TCP flag attacks).

I

n rare cases, the incoming traffic may be inadvertently blocked by the firewall (for example, when

integrating with external third-party firewalls or VPN servers). You may need to disable one or more of the

attack detection capabilities for any device placed in the DMZplus. In this case, the third-party server

provides the attack protection normally provided by the gateway.

Note:

If you configure the firewall to block an Inbound protocol, you may disable support for

hosted applications that require that type of protocol.

Firewall Tab

50

The following table lists the attacks for which the gateway firewall filters continuously check.

To disable attack detection for a specific port:

•

Open a Web browser and access the 2Wire gateway user interface by entering

•

Click the

Firewall

tab.

Attack

Description and Action Taken

Excessive Session Detection

When enabled, the firewall will detect applications on the

local network that are creating excessive sessions out to

the Internet. This activity is likely due to a virus or “worm”

infected computer (for example, Blaster Worm). When the

event is detected, the gateway displays a HURL warning

page.

TCP/UDP Port Scan

A port scan is a series of messages sent by someone

attempting to break into a computer to learn which

computer network services, each associated with a well-

known port number (such as UDP and TCP), the computer

provides. When enabled, the firewall detects UDP and TCP

port scans, and drops the packet.

Invalid Source/Destination IP

address

When enabled, the firewall will verify IP addresses by

checking for the following:

IP source address is broadcast or multicast — drop

packet.

TCP destination IP address is not unicast — drop packet.

IP source and destination address are the same — drop

packet.

Invalid IP source received from private/home network —

drop packet.

Packet Flood (SYN/UDP/ICMP/

Other)

When enabled, the firewall will check for SYN, UDP

, ICMP

,

and other types of packet floods on the local and Internet

facing interfaces and stop the flood.

Invalid TCP Flag Attacks (NULL/

XMAS/Other)

When enabled, the firewall will scan inbound and

outbound packets for invalid TCP Flag settings, and drop

the packet to prevent SYN/FIN, NULL, and XMAS attacks.

Invalid ICMP Detection

The firewall checks for invalid ICMP/code types, and drops

the packet.

Miscellaneous

The firewall checks for the following:

Unknown IP protocol — drop packet.

Port 0 attack detected — drop packet.

TCP SYN packet — drop packet.

Not a start session packet — drop packet.

ICMP destination unreachable — terminate session.