Unified Services Router
User Manual
109
Figure 70: Protecting the router and LAN from internet attacks
WAN Security Checks:
Enable Stealth Mode: If Stealth Mode is enabled, the router will not respond to port
scans from the WAN. This makes it less susceptible to discovery and attacks.
Block TCP Flood: If this option is enabled, the router will drop all invalid TCP
packets and be protected from a SYN flood attack.
LAN Security Checks:
Block UDP Flood: If this option is enabled, the router will not accept more than 20
simultaneous, active UDP connections from a single computer on the LAN.
UDP Connection Limit: You can set the number of simultaneous active UDP
connections to be accepted from a single computer on the LAN; the default is 25.
ICSA Settings:
Block ICMP Notification: selecting this prevents ICMP packets from being
identified as such. ICMP packets, if identified, can be captured and used in a Ping
(ICMP) flood DoS attack.
Block Fragmented Packets: selecting this option drops any fragmented packets
through or to the gateway.
Block Multicast Packets: selecting this option drops multicast packets, which could
indicate a spoof attack, through or to the gateway.
DoS Attacks:
SYN Flood Detect Rate (max/sec): The rate at which the SYN Flood can be
detected.
Echo Storm (ping pkts/sec): The number of ping packets per second at which the
router detects an Echo storm attack from the WAN and prevents further ping traffic
from that external address.
ICMP Flood (ICMP pkts/sec): The number of ICMP packets per second at which the
router detects an ICMP flood attack from the WAN and prevents further ICMP
traffic from that external address.
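An illustration of how per-source packets-per-second thresholds such as Echo Storm and ICMP Flood can work, added here as an example and not taken from the router's firmware. The one-second sliding window, the "more than the threshold" trigger, the block staying in place once set, and the sample thresholds and addresses are all assumptions.

```python
from collections import defaultdict, deque

ECHO_REQUEST = 8  # ICMP type used by ping

class WanIcmpGuard:
    """Per-source packets-per-second limits for ping and for all ICMP."""

    def __init__(self, echo_storm_pps, icmp_flood_pps):
        self.limits = {"echo": echo_storm_pps, "icmp": icmp_flood_pps}
        self.recent = defaultdict(deque)  # (counter, src) -> timestamps in last second
        self.blocked = {"echo": set(), "icmp": set()}

    def _over(self, counter, src, ts):
        q = self.recent[(counter, src)]
        while q and ts - q[0] >= 1.0:     # drop timestamps older than one second
            q.popleft()
        q.append(ts)
        return len(q) > self.limits[counter]

    def accept(self, ts, src, icmp_type):
        is_ping = icmp_type == ECHO_REQUEST
        if src in self.blocked["icmp"] or (is_ping and src in self.blocked["echo"]):
            return False                  # source already flagged: keep dropping
        icmp_over = self._over("icmp", src, ts)
        echo_over = is_ping and self._over("echo", src, ts)
        if icmp_over:
            self.blocked["icmp"].add(src)
        if echo_over:
            self.blocked["echo"].add(src)
        return not (icmp_over or echo_over)

def replay(packets, guard):
    """Feed (ts, src, icmp_type) tuples in time order; count accepted per source."""
    accepted = defaultdict(int)
    for ts, src, icmp_type in sorted(packets):
        accepted[src] += guard.accept(ts, src, icmp_type)
    return dict(accepted)

# Constructed sample traffic (documentation address ranges, made-up thresholds).
SAMPLE = (
    [(i * 0.1, "198.51.100.7", 8) for i in range(8)]          # 8 pings in 0.7 s
    + [(5.0, "198.51.100.7", 8), (5.1, "198.51.100.7", 3)]    # later ping + non-ping
    + [(float(i), "203.0.113.9", 8) for i in range(3)]        # 1 ping per second
    + [(2.0 + i * 0.05, "192.0.2.44", 3) for i in range(12)]  # 12 ICMP in 0.55 s
)

if __name__ == "__main__":
    guard = WanIcmpGuard(echo_storm_pps=5, icmp_flood_pps=10)
    print(replay(SAMPLE, guard), guard.blocked)
```

In this sketch a source flagged for an echo storm loses only its ping traffic, while a source flagged for an ICMP flood loses all ICMP, mirroring the two descriptions above.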
Ping on LAN interfaces is enabled by default. To disable the ping response
from LAN hosts to the LAN/WAN port of the device, uncheck the "Allow Ping from
LAN" option.
Chapter 6. IPsec / PPTP / L2TP VPN
A VPN provides a secure communication channel (“tunnel”) between two gateway
routers or a remote PC client. The following types of tunnels can be created:
Gateway-to-gateway VPN: to connect two or more routers to secure traffic between
remote sites.
Remote Client (client-to-gateway VPN tunnel): A remote client initiates a VPN
tunnel as the IP address of the remote PC client is not known in advance. The
gateway in this case acts as a responder.
Remote client behind a NAT router: The client has a dynamic IP address and is
behind a NAT Router. The remote PC client at the NAT router initiates a VPN
tunnel as the IP address of the remote NAT router is not known in advance. The
gateway WAN port acts as responder.
PPTP server for LAN / WAN PPTP client connections.
L2TP server for LAN / WAN L2TP client connections.
Figure 71: Example of Gateway-to-Gateway IPsec VPN tunnel using two
DSR routers connected to the Internet
Figure 72: Example of three IPsec client connections to the internal
network through the DSR IPsec gateway
6.1 VPN Wizard
Setup > Wizard > VPN Wizard
You can use the VPN wizard to quickly create both IKE and VPN policies. Once the
IKE or VPN policy is created, you can modify it as required.
Figure 73: VPN Wizard launch screen
To easily establish a VPN tunnel using VPN Wizard, follow the steps below:
1. Select the VPN tunnel type to create
The tunnel can either be a gateway-to-gateway connection (site-to-site) or a tunnel
to a host on the internet (remote access).
Set the Connection Name and pre-shared key: the connection name is used for
management, and the pre-shared key will be required on the VPN client or gateway
to establish the tunnel.
Determine the local gateway for this tunnel; if there is more than 1 WAN
configured, the tunnel can be configured for either of the gateways.
