VoIP/(802.11g) ADSL2+ Router
Chapter 4: Configuration
5. The new port filter rule for HTTP is shown below:

7. Configure your Virtual Server (“port forwarding”) settings so that incoming HTTP requests on port 80 will be forwarded to the PC running your web server:

Note: For how to configure HTTP in Virtual Server, go to Add Virtual Server in the Virtual Server section for more details.

Intrusion Detection

The router’s Intrusion Detection System (IDS) is used to detect hacker attacks and intrusion attempts from the Internet. If the IDS function of the firewall is enabled, inbound packets are filtered and blocked depending on whether they are detected as possible hacker attacks, intrusion attempts or other connections that the router determines to be suspicious.

Blacklist: If the router detects a possible attack, the source IP or destination IP address will be added to the Blacklist. Any further attempts using this IP address will be blocked for the time period specified as the Block Duration. The default setting for this function is false (disabled). Some attack types are denied immediately without using the Blacklist function, such as Land attack and Echo/CharGen scan.

Intrusion Detection: If enabled, IDS will block Smurf attack attempts. Default is false.

Block Duration:
- Victim Protection Block Duration: This is the duration for blocking Smurf attacks. Default value is 600 seconds.
- Scan Attack Block Duration: This is the duration for blocking hosts that attempt a possible Scan attack. Scan attack types include X’mas scan, IMAP SYN/FIN scan and similar attempts. Default value is 86400 seconds.
- DoS Attack Block Duration: This is the duration for blocking hosts that attempt a possible Denial of Service (DoS) attack. Possible DoS attacks this attempts to block include Ascend Kill and WinNuke. Default value is 1800 seconds.

Max TCP Open Handshaking Count: This is a threshold value to decide whether a SYN Flood attempt is occurring or not. Default value is 100 TCP SYN per second.

Max PING Count: This is a threshold value to decide whether an ICMP Echo Storm is occurring or not. Default value is 15 ICMP Echo Requests (PING) per second.

Max ICMP Count: This is a threshold to decide whether an ICMP flood is occurring or not. Default value is 100 ICMP packets per second, not counting ICMP Echo Requests (PING).

For SYN Flood, ICMP Echo Storm and ICMP flood, IDS will just warn the user in the Event Log. It cannot protect against such attacks.

Table 2: Hacker attack types recognized by the IDS

| Intrusion Name | Detect Parameter | Blacklist | Type of Block Duration | Drop Packet | Show Log |
|---|---|---|---|---|---|
| Ascend Kill | Ascend Kill data | Src IP | DoS | Yes | Yes |
| WinNuke | TCP Port 135, 137~139, Flag: URG | Src IP | DoS | Yes | Yes |
| Smurf | ICMP type 8, Dst IP is broadcast | Dst IP | Victim Protection | Yes | Yes |
| Land attack | SrcIP = DstIP | | | Yes | Yes |
| Echo/CharGen Scan | UDP Echo Port and CharGen Port | | | Yes | Yes |
| Echo Scan | UDP Dst Port = Echo(7) | Src IP | Scan | Yes | Yes |
| CharGen Scan | UDP Dst Port = CharGen(19) | Src IP | Scan | Yes | Yes |
| X’mas Tree Scan | TCP Flag: X’mas | Src IP | Scan | Yes | Yes |
| IMAP SYN/FIN Scan | TCP Flag: SYN/FIN, DstPort: IMAP(143), SrcPort: 0 or 65535 | Src IP | Scan | Yes | Yes |
| SYN/FIN/RST/ACK Scan | TCP, No Existing session And Scan Hosts more than five. | Src IP | Scan | Yes | Yes |
| Net Bus Scan | TCP, No Existing session, DstPort = Net Bus 12345, 12346, 3456 | SrcIP | Scan | Yes | Yes |
| Back Orifice Scan | UDP, DstPort = Orifice Port (31337) | SrcIP | Scan | Yes | Yes |
| SYN Flood | Max TCP Open Handshaking Count (Default 100 c/sec) | | | | Yes |
| ICMP Flood | Max ICMP Count (Default 100 c/sec) | | | | Yes |
| ICMP Echo | Max PING Count (Default 15 c/sec) | | | | Yes |

Src IP: Source IP
Src Port: Source Port
Dst Port: Destination Port
Dst IP: Destination IP
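
The stateless signatures of Table 2, applied to packet records with the Blacklist enabled, as an added example that is not the router's firmware or vendor code. The packet dictionary layout, the 192.168.1.255 broadcast address, the FIN/PSH/URG definition of an X’mas packet and the order of the checks are assumptions; the block durations are the defaults stated above.

```python
# Default block durations in seconds, from the Block Duration settings above.
BLOCK_SECONDS = {"DoS": 1800, "Scan": 86400, "Victim Protection": 600}
LAN_BROADCAST = "192.168.1.255"  # assumed LAN broadcast address
UDP_SCANS = {7: "Echo Scan", 19: "CharGen Scan", 31337: "Back Orifice Scan"}

def classify(pkt):
    """Return (name, blacklisted field, duration type), or None if no match."""
    proto, flags = pkt["proto"], set(pkt.get("flags", ()))
    sport, dport = pkt.get("sport"), pkt.get("dport")
    if pkt["src"] == pkt["dst"]:
        return ("Land attack", None, None)  # dropped without a Blacklist entry
    if proto == "icmp" and pkt.get("icmp_type") == 8 and pkt["dst"] == LAN_BROADCAST:
        return ("Smurf", "dst", "Victim Protection")
    if proto == "tcp":
        if "URG" in flags and dport in (135, 137, 138, 139):
            return ("WinNuke", "src", "DoS")
        if {"FIN", "PSH", "URG"} <= flags:  # conventional X'mas set (assumption)
            return ("X'mas Tree Scan", "src", "Scan")
        if {"SYN", "FIN"} <= flags and dport == 143 and sport in (0, 65535):
            return ("IMAP SYN/FIN Scan", "src", "Scan")
    if proto == "udp" and dport in UDP_SCANS:
        return (UDP_SCANS[dport], "src", "Scan")
    return None

def apply_ids(packets):
    """Return (event log, blacklist {ip: expiry}) for time-ordered packets."""
    log, blacklist = [], {}
    for pkt in packets:
        t = pkt["t"]
        if any(blacklist.get(pkt[k], 0) > t for k in ("src", "dst")):
            log.append((t, "blocked by Blacklist"))  # entry has not expired yet
            continue
        name, field, duration = classify(pkt) or (None, None, None)
        if name:
            log.append((t, name))
        if field:
            blacklist[pkt[field]] = t + BLOCK_SECONDS[duration]
    return log, blacklist

# Constructed sample packets (documentation address ranges), not captured traffic.
WEB = {"proto": "tcp", "src": "203.0.113.5", "dst": "192.168.1.10", "dport": 80, "flags": ["SYN"]}
SAMPLE = [
    {**WEB, "t": 0, "dport": 139, "flags": ["URG"]},   # WinNuke pattern
    {**WEB, "t": 60}, {**WEB, "t": 2000},              # same source, plain SYN
    {**WEB, "t": 2001, "src": "192.168.1.10"},         # source equals destination
    {"t": 2002, "proto": "udp", "src": "198.51.100.7", "dst": "192.168.1.10", "dport": 31337},
    {"t": 2003, "proto": "icmp", "src": "198.51.100.9", "dst": "192.168.1.255", "icmp_type": 8},
]
```

Running `apply_ids(SAMPLE)` shows the DoS entry blocking an ordinary request at t=60 and no longer blocking it at t=2000, after the 1800-second duration has passed.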
URL Filter
URL (Uniform Resource Locator – e.g. an address in the form of
or
) filter rules allow you to prevent users on your network from accessing
particular websites by their URL. There are no pre-defined URL filter rules; you can add filter rules
to meet your requirements.

Enable/Disable: To enable or disable the URL Filter feature.

Block Mode: A list of the modes that you can choose to check the URL filter rules. The default is set to Disabled.
- Disabled: No action will be performed by the Block Mode.
- Always On: Action is enabled. URL filter rules will be monitored and checked at all hours of the day.
- TimeSlot1 ~ TimeSlot16: A self-defined time period. You may specify the time period in which to check the URL filter rules, e.g. during working hours. For setup and details, refer to the Time Schedule section.

Keywords Filtering: Allows blocking by specific keywords within a particular URL rather than having to specify a complete URL (e.g. to block any image called “advertisement.gif”). When enabled, your specified keywords list will be checked to see if any keywords are present in URLs accessed to determine if the connection attempt should be blocked. Please note that the URL filter blocks web browser (HTTP) connection attempts using port 80 only.
For example, if the URL is
, it will be dropped as the keyword
“abcde” occurs in the URL.

Domains Filtering: This function checks the domain name only, not the IP address, in URLs accessed against your list of domains to block or allow. If it is matched, the URL request will be sent (Trusted) or dropped (Forbidden). For this function to be activated, both check-boxes must be checked. The checking procedure is:

1. Check the domain in the URL to determine if it is in the trusted list. If yes, the connection attempt is sent to the remote web server.
2. If not, check if it is listed in the forbidden list, and if present then the connection attempt is dropped.
3. If the packet does not match either of the above two items, it is sent to the remote web server.
4. Please note that only the domain should be specified, not the full URL. For example, to block traffic to www.sex.com, enter “sex” or “sex.com” instead of “www.sex.com”. In the example below, the URL request for www.abc.com will be sent to the remote web server because it is listed in the trusted list, whilst the URL request for www.sex or www.sex.com will be dropped, because sex.com is in the forbidden list.
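
The checking procedure above written as a small function, added here as an example and not taken from the router's firmware. The substring matching rule and the sample lists are assumptions; the port-80-only and domain-name-only scope come from the text above. It is meant for checking what a given pair of lists will and will not cover before relying on them.

```python
import ipaddress
from urllib.parse import urlsplit

def domain_filter(url, trusted, forbidden):
    """Return the verdict for one URL, following steps 1-3 of the procedure."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    port = parts.port or {"http": 80, "https": 443}.get(parts.scheme)
    # The manual states the URL filter only handles HTTP on port 80.
    if parts.scheme != "http" or port != 80:
        return "not inspected"
    # The manual states only domain names are compared, not IP addresses.
    try:
        ipaddress.ip_address(host)
        return "sent (IP address, lists not applied)"
    except ValueError:
        pass
    # Assumed matching rule: an entry matches if it occurs in the host name.
    if any(entry.lower() in host for entry in trusted):
        return "sent (trusted)"        # step 1: trusted list is checked first
    if any(entry.lower() in host for entry in forbidden):
        return "dropped (forbidden)"   # step 2
    return "sent (no match)"           # step 3: default is to forward

# Constructed lists and URLs for illustration only.
TRUSTED = ["abc.com"]
FORBIDDEN = ["abc", "blocked.example"]
URLS = [
    "http://www.abc.com/",                 # matches both lists: trusted wins
    "http://shop.abc.net/",
    "http://www.blocked.example/page",
    "http://www.other.example/",
    "https://www.blocked.example/",
    "http://www.blocked.example:8080/",
    "http://192.0.2.10/",
]

def audit(urls=URLS, trusted=TRUSTED, forbidden=FORBIDDEN):
    """Map each URL to its verdict so list coverage can be reviewed."""
    return {u: domain_filter(u, trusted, forbidden) for u in urls}
```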