Vigor2800 Series User’s Guide
IP Filters
Depending on whether there is an existing Internet connection, in other words whether the WAN link status is up or down, the IP filter architecture categorizes traffic into two kinds: Call Filter and Data Filter.
• Call Filter - When there is no existing Internet connection, the Call Filter is applied to all traffic, all of which should be outgoing. It checks packets according to the filter rules. If a packet is legal, it will pass; the router will then "initiate a call" to build the Internet connection and send the packet to the Internet.
• Data Filter - When there is an existing Internet connection, the Data Filter is applied to incoming and outgoing traffic. It checks packets according to the filter rules. If a packet is legal, it will pass through the router.
The following illustrations are flow charts explaining how the router treats incoming traffic and outgoing traffic respectively.
Stateful Packet Inspection (SPI)
Stateful inspection is a firewall architecture that works at the network layer. Unlike legacy static packet filtering, which examines a packet based only on the information in its header, stateful inspection builds up a state machine to track each connection traversing all interfaces of the firewall and makes sure they are valid. The stateful firewall of the Vigor router not only examines the header information but also monitors the state of the connection.
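The difference between header-only filtering and connection tracking described above, as an added example that is not part of the original guide or of DrayTek firmware; the addresses, packets and the assumption that the LAN side may originate any connection are constructed for illustration:

```python
# Added example (not Vigor firmware code): a minimal stateful-inspection table
# beside the legacy static header check it replaces.  Packets are constructed
# dicts; real SPI also validates sequence numbers and ages entries out.

def static_filter(pkt):
    """Legacy stateless rule: inbound TCP is allowed whenever the ACK flag is
    set, approximating 'established' from the header alone."""
    if pkt["dir"] == "out":
        return "pass"
    return "pass" if "ACK" in pkt["flags"] else "block"

class StatefulFirewall:
    """Remembers each TCP connection a LAN host opens and admits inbound
    packets only when they belong to one of those connections."""

    def __init__(self):
        self.table = {}  # (src, sport, dst, dport) -> connection state

    def inspect(self, pkt):
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        reverse = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        flags = set(pkt["flags"])
        if pkt["dir"] == "out":
            if flags == {"SYN"}:
                self.table[key] = "SYN_SENT"       # LAN host opens a connection
            elif flags & {"FIN", "RST"}:
                self.table.pop(key, None)          # teardown: forget the state
            return "pass"  # assumption: the LAN side may originate any traffic
        state = self.table.get(reverse)            # inbound: look up reply direction
        if state is None:
            return "block"  # unsolicited, even though ACK may be set
        if state == "SYN_SENT":
            if flags != {"SYN", "ACK"}:
                return "block"  # handshake must continue with SYN/ACK
            self.table[reverse] = "ESTABLISHED"
        if flags & {"FIN", "RST"}:
            self.table.pop(reverse, None)
        return "pass"

def run_sample():
    """Constructed traffic: a LAN client opens a web connection, then a stray
    inbound ACK arrives for a port nobody opened.  Returns both verdicts."""
    fw = StatefulFirewall()
    lan, web, other = "192.168.1.10", "203.0.113.5", "203.0.113.9"
    fw.inspect(dict(dir="out", src=lan, sport=40000, dst=web, dport=80, flags=("SYN",)))
    fw.inspect(dict(dir="in", src=web, sport=80, dst=lan, dport=40000, flags=("SYN", "ACK")))
    stray = dict(dir="in", src=other, sport=80, dst=lan, dport=40001, flags=("ACK",))
    return {"static": static_filter(stray), "stateful": fw.inspect(stray)}
```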
Instant Messenger (IM) and Peer-to-Peer (P2P) Application Blocking
As instant messenger applications of all kinds grow in popularity, communication becomes much easier. Nevertheless, while some industries may leverage this as a great tool to connect with their customers, others may take a reserved attitude in order to reduce employee misuse during office hours or to prevent unknown security leaks. The situation is similar for corporations and peer-to-peer applications, since file sharing can be convenient but insecure at the same time. To address these needs, we provide IM and P2P blocking functionality.
Denial of Service (DoS) Defense
The DoS Defense functionality helps you to detect and mitigate DoS attacks. Such attacks are usually categorized into two types, flooding-type attacks and vulnerability attacks. Flooding-type attacks attempt to exhaust all of your system's resources, while vulnerability attacks try to paralyze the system by exploiting vulnerabilities of the protocol or operating system.
The DoS Defense function enables the Vigor router to inspect every incoming packet based on the attack signature database. Any malicious packet that might duplicate itself to paralyze a host in the secure LAN will be strictly blocked, and a Syslog message will be sent as a warning if you have set up a Syslog server.
The Vigor router also monitors the traffic. Any abnormal traffic flow that violates a pre-defined parameter, such as the configured thresholds, is identified as an attack, and the Vigor router will activate its defense mechanism to mitigate it in real time.
The list below shows the attack types that the DoS/DDoS defense function can detect:
1. SYN flood attack
2. UDP flood attack
3. ICMP flood attack
4. TCP Flag scan
5. Trace route
6. IP options
7. Unknown protocol
8. Land attack
9. Smurf attack
10. SYN fragment
11. ICMP fragment
12. Tear drop attack
13. Fraggle attack
14. Ping of Death attack
15. TCP/UDP port scan
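To show the two categories above in code, here is an added example (not DrayTek's signature database or firmware) with a rate threshold for the flooding type and stateless checks for a few of the listed signatures; the threshold, window, packet fields and Syslog text are assumptions:

```python
# Added example (not DrayTek's signature database or firmware): a rate threshold
# for flooding-type attacks and stateless checks for a few of the listed
# signatures.  Packets are constructed dicts; threshold and window are assumed.
from collections import defaultdict, deque

class DosDefense:
    def __init__(self, syn_threshold=100, window=1.0):
        self.syn_threshold = syn_threshold   # SYNs per window before "SYN flood"
        self.window = window                 # seconds
        self.syn_times = defaultdict(deque)  # dst -> timestamps of recent SYNs

    @staticmethod
    def signature(pkt):
        """Vulnerability-type attacks can be recognized from a packet alone."""
        if pkt["src"] == pkt["dst"]:
            return "Land attack"              # source spoofed to equal destination
        if pkt["proto"] == "icmp" and pkt.get("length", 0) > 65535:
            return "Ping of Death attack"     # reassembled datagram exceeds IP max
        if pkt["proto"] == "tcp" and pkt.get("fragment") and "SYN" in pkt.get("flags", ()):
            return "SYN fragment"
        if pkt["proto"] == "icmp" and pkt.get("fragment"):
            return "ICMP fragment"
        return None

    def inspect(self, pkt):
        """Return the attack name for a packet, or None if it looks normal.
        Flooding-type attacks are judged by rate: a single SYN is never an
        attack by itself, only the count inside the sliding window is."""
        hit = self.signature(pkt)
        if hit:
            return hit
        if pkt["proto"] == "tcp" and set(pkt.get("flags", ())) == {"SYN"}:
            recent = self.syn_times[pkt["dst"]]
            recent.append(pkt["t"])
            while recent and pkt["t"] - recent[0] > self.window:
                recent.popleft()             # forget SYNs older than the window
            if len(recent) > self.syn_threshold:
                return "SYN flood attack"
        return None

def syslog_line(pkt, attack):
    """Warning in the spirit of the Syslog message mentioned above (format assumed)."""
    return f"DoS defense: {attack} from {pkt['src']} to {pkt['dst']} blocked"
```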
Content Filtering
To provide an appropriate cyberspace to users, the Vigor router is equipped with a URL Content Filter, not only to limit illegal traffic from/to inappropriate web sites but also to prohibit other web features in which malicious code may be concealed.
Once a user types in or clicks on a URL with objectionable keywords, the URL keyword blocking facility will decline the HTTP request to that web page and thus limit the user's access to the website. You may imagine the URL Content Filter as a well-trained convenience-store clerk who won't sell adult magazines to teenagers. At the office, the URL Content Filter can also provide a job-related-only environment and hence increase employee work efficiency. How can the URL Content Filter work better than a traditional firewall in the field of filtering? Because it checks the URL strings or some of the HTTP data hidden in the payload of TCP packets, whereas a legacy firewall inspects packets based on the fields of the TCP/IP headers only.
On the other hand, the Vigor router can prevent users from accidentally downloading malicious code from web pages. It is very common for malicious code to be concealed in executable objects such as ActiveX, Java Applets, compressed files, and other executable files. Once you download these types of files from websites, you risk bringing threats to your system. For example, an ActiveX control object is usually used to provide interactive web features. If malicious code hides inside, it may compromise the user's system.
Web Filtering
We all know that the content on the Internet, just like other types of media, may sometimes be inappropriate. As a responsible parent or employer, you should protect those in your trust against the hazards. With the Web Filtering service of the Vigor router, you can protect your business from common primary threats, such as productivity, legal liability, network and security threats. For parents, you can protect your children from viewing adult websites or chat rooms.
Once you have activated your Web Filtering service in the Vigor router and chosen the categories of website you wish to restrict, each URL address requested (e.g. www.bbc.co.uk) will be checked against our server database, powered by SurfControl. The database covers over 70 languages and 200 countries, and over 1 billion Web pages divided into 40 easy-to-understand categories. This database is updated as frequently as daily by a global team of Internet researchers. The server will look up the URL and return a category to your router. Your Vigor router will then decide whether to allow access to this site according to the categories you have selected. Please note that this action will not introduce any delay in your Web surfing, because each of multiple load-balanced database servers can handle millions of requests for categorization.
The menu items for Firewall are shown below.
3.4.2 General Setup
General Setup allows you to adjust the settings of the IP Filter and common options. Here you can enable or disable the Call Filter or Data Filter. Under some circumstances, your filter sets can be linked to work in a serial manner, so here you assign the Start Filter Set only. You can also configure the Log Flag settings, Enable Stateful packet inspection, Apply IP filter to VPN incoming packets, Drop non-http connection on TCP port 80, and Accept incoming fragmented UDP packets.
Click Firewall and click General Setup to open the general setup page.
Call Filter - Check Enable to activate the Call Filter function. Assign a start filter set for the Call Filter.
Data Filter - Check Enable to activate the Data Filter function. Assign a start filter set for the Data Filter.
Log Flag - For troubleshooting needs you can specify the filter log here.
None - The log function is not activated.
Block - All blocked packets will be logged.
Pass - All passed packets will be logged.
No Match - The log function will record all packets that are not matched.
Note that the filter log will be displayed on the Telnet terminal when you type the "log -f" command.
Some on-line games (for example, Half Life) use lots of fragmented UDP packets to transfer game data. By default, as a secure firewall, the Vigor router will reject these fragmented packets to prevent attacks unless you enable "Accept Incoming Fragmented UDP Packets". By checking this box, you can play these kinds of on-line games. If security is the higher priority, do not enable "Accept Incoming Fragmented UDP Packets".
3.4.3 Filter Setup
Click Firewall and click Filter Setup to open the setup page.
To edit or add a filter, click on the set number to edit the individual set. The following page will be shown. Each filter set contains up to 7 rules. Click on the rule number button to edit each rule. Check Active to enable the rule.
Filter Rule - Click a button numbered (1 ~ 7) to edit the filter rule. Clicking the button will open the Edit Filter Rule web page. For detailed information, refer to the following page.
Active - Enable or disable the filter rule.
Comment - Enter filter set comments/description. Maximum length is 23 characters.
Next Filter Set - Set the link to the next filter set to be executed after the current filter run. Do not make a loop with many filter sets.
To edit a Filter Rule, click the Filter Rule index button to enter the Filter Rule setup page.
Comments - Enter filter set comments/description. Maximum length is 14 characters.
Check to enable the Filter Rule - Check this box to enable the filter rule.
Pass or Block - Specifies the action to be taken when packets match the rule.
Block Immediately - Packets matching the rule will be dropped
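The filter set chaining described on this page (Start Filter Set, Next Filter Set, the Log Flag options, and the Call/Data Filter split by WAN state), as an added simulation that is not DrayTek code; rule matching is reduced to protocol and destination port, the set numbers and packets are constructed, and a packet that matches no rule is assumed to pass:

```python
# Added example (not DrayTek code): how a packet walks the filter sets configured
# under General Setup and Filter Setup.  Matching is reduced to protocol and
# destination port; sets, rules and packets are constructed, and the verdict
# for a packet that no rule matches is assumed to be "pass".

class Rule:
    def __init__(self, active, proto, dport, action):
        self.active = active          # the "Active" check box
        self.proto = proto            # "tcp", "udp", "icmp" or "any"
        self.dport = dport            # None matches any destination port
        self.action = action          # "pass" or "block"

    def matches(self, pkt):
        return (self.active and self.proto in ("any", pkt["proto"])
                and (self.dport is None or self.dport == pkt.get("dport")))

class FilterSet:
    def __init__(self, rules, next_set=None):
        self.rules = rules[:7]        # each set holds up to 7 rules
        self.next_set = next_set      # "Next Filter Set"; None ends the chain

def evaluate(pkt, sets, start, log_flag="None"):
    """Start at the Start Filter Set and follow Next Filter Set links.
    Returns (verdict, log); the log obeys the Log Flag setting."""
    log, visited, cur = [], set(), start
    while cur is not None:
        if cur in visited:            # the loop the guide tells you not to build
            raise ValueError(f"filter set {cur} links back onto itself")
        visited.add(cur)
        for n, rule in enumerate(sets[cur].rules, 1):
            if rule.matches(pkt):
                if log_flag.lower() == rule.action:
                    log.append(f"set {cur} rule {n} {rule.action}: {pkt}")
                return rule.action, log
        cur = sets[cur].next_set
    if log_flag == "No Match":
        log.append(f"no match: {pkt}")
    return "pass", log

def firewall(pkt, wan_up, direction, sets, call_start, data_start, log_flag="None"):
    """General Setup dispatch: Call Filter while the WAN link is down (outgoing
    traffic only), Data Filter in both directions once the link is up."""
    if wan_up:
        return evaluate(pkt, sets, data_start, log_flag)
    if direction != "out":
        return "block", []            # nothing can arrive without a link
    verdict, log = evaluate(pkt, sets, call_start, log_flag)
    return ("initiate call" if verdict == "pass" else verdict), log

# Constructed configuration: set 1 blocks telnet and chains to set 2.
SETS = {1: FilterSet([Rule(True, "tcp", 23, "block")], next_set=2),
        2: FilterSet([Rule(True, "udp", 53, "pass"), Rule(False, "any", None, "block")])}
```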
