58
Advanced Setup Method
Advanced Setup Method
59
section
2
1
3
4
5
6
7
Stateful Packet Inspection:
This option allows you to select different application types that are
using dynamic port numbers. If you wish to use Stateful Packet
Inspection (SPI) for blocking packets, click on the Yes radio button in
the “Enable SPI and Anti-DoS firewall protection” field and then check
the inspection type that you need, such as Packet Fragmentation,
TCP Connection, UDP Session, FTP Service, H.323 Service, and TFTP
Service.
It is called a “stateful” packet inspection because it examines the
contents of the packet to determine the state of the communication;
i.e. it ensures that the stated destination computer has previously
requested the current communication. This is a way of ensuring
that all communications are initiated by the recipient computer and
are taking place only with sources that are known and trusted from
previous interactions. In addition to being more rigorous in their
inspection of packets, stateful inspection firewalls also close off ports
until a connection to the specific port is requested.
When particular types of traffic are checked, only the particular
type of traffic initiated from the internal LAN will be allowed. For
example, if the user only checks FTP Service in the Stateful Packet
Inspection section, all incoming traffic will be blocked except for FTP
connections initiated from the local LAN.
DoS Detect Criteria
Total incomplete TCP/UDP sessions HIGH:
Defines the rate of new un-established sessions that will cause the
software to start deleting half-open sessions.
Total incomplete TCP/UDP sessions LOW:
Defines the rate of new un-established sessions that will cause the
software to stop deleting half-open sessions.
Incomplete TCP/UDP sessions (per min.) HIGH:
Maximum number of allowed incomplete TCP/UDP sessions per
minute.
Incomplete TCP/UDP sessions (per min.) LOW:
Minimum number of allowed incomplete TCP/UDP sessions per
minute.
Maximum incomplete TCP/UDP sessions number from same host:
Maximum half-open fragmentation packet number from same host
Network attacks that deny access to a network device are called
DoS attacks. DoS attacks are aimed at devices and networks with a
connection to the Internet. Their goal is not to steal information, but to
disable a device or network so users no longer have access to network
resources.
The VoIP Router protects against DoS attacks including: Ping of Death
(Ping flood) attack, SYN flood attack, IP fragment attack (Teardrop
Attack), Brute-force attack, Land Attack, IP Spoofing attack, IP with
zero length, TCP null scan (Port Scan Attack), UDP port loopback,
Snork Attack.
Note:
The firewall does not significantly affect system performance, so
we advise enabling the prevention features to protect your network.
Parameter Description
Enable SPI and Anti-DoS firewall protection:
The Intrusion Detection feature of the VoIP Router limits the access of
incoming traffic at the WAN port. When the Stateful Packet Inspection
(SPI) feature is turned on, all incoming packets are blocked except
those types marked with a check in the Stateful Packet Inspection
section at the top of the screen.
Downloaded from
www.Manualslib.com
manuals search engine