Page 186 / 794 Scroll up to view Page 181 - 185
Vigor2860 Series User’s Guide
172
After finishing all the settings here, please click
OK
to save the configuration.
3.4.4 Port Triggering
Port Triggering is a variation of open ports function.
The key difference between "open port" and "port triggering" is:
Once the OK button is clicked and the configuration has taken effect, "open port" keeps
the ports opened forever.
Once the OK button is clicked and the configuration has taken effect, "port triggering"
will only attempt to open the ports once the triggering conditions are met.
The duration that these ports are opened depends on the type of protocol used. The
"default" durations are shown below and these duration values can be modified via telnet
commands.
TCP: 86400 sec.
UDP: 180 sec.
IGMP: 10 sec.
TCP WWW: 60 sec.
TCP SYN: 60 sec.
Available settings are explained as follows:
Item
Description
Comment
Display the text which memorizes the application of this
rule.
Page 187 / 794
Vigor2860 Series User’s Guide
173
Triggering Protocol
Display the protocol of the triggering packets.
Triggering Port
Display the port of the triggering packets.
Incoming Protocol
Display the protocol for the incoming data of such
triggering profile.
Incoming Port
Display the port for the incoming data of such triggering
profile.
Status
Display if the rule is active or de-active.
Click the index number link to open the configuration page.
Available settings are explained as follows:
Item
Description
Enable
Check to enable this entry.
Service
Choose the
predefined
service to apply for such trigger
profile.
Comment
Type the text to memorize the application of this rule.
Triggering Protocol
Select the protocol (TCP, UDP or TCP/UDP) for such
triggering profile.
Page 188 / 794
Vigor2860 Series User’s Guide
174
Triggering Port
Type the port or port range for such triggering profile.
Incoming Protocol
When the triggering packets received, it is expected the
incoming packets will use the selected protocol. Select the
protocol (TCP, UDP or TCP/UDP) for the incoming data of
such triggering profile.
Incoming Port
Type the port or port range for the incoming packets.
After finishing all the settings here, please click
OK
to save the configuration.
Page 189 / 794
Vigor2860 Series User’s Guide
175
3.5 Firewall
3.5.1 Basics for Firewall
While the broadband users demand more bandwidth for multimedia, interactive applications,
or distance learning, security has been always the most concerned. The firewall of the Vigor
router helps to protect your local network against attack from unauthorized outsiders. It also
restricts users in the local network from accessing the Internet. Furthermore, it can filter out
specific packets that trigger the router to build an unwanted outgoing connection.
Firewall Facilities
The users on the LAN are provided with secured protection by the following firewall facilities:
User-configurable IP filter (Call Filter/ Data Filter).
Stateful Packet Inspection (SPI): tracks packets and denies unsolicited incoming data
Selectable Denial of Service (DoS) /Distributed DoS (DDoS) attacks protection
IP Filters
Depending on whether there is an existing Internet connection, or in other words “the WAN
link status is up or down”, the IP filter architecture categorizes traffic into two:
Call Filter
and
Data Filter
.
Call Filter -
When there is no existing Internet connection,
Call Filter
is applied to all
traffic, all of which should be outgoing. It will check packets according to the filter rules.
If legal, the packet will pass. Then the router shall
“initiate a call”
to build the Internet
connection and send the packet to Internet.
Data Filter
- When there is an existing Internet connection,
Data Filter
is applied to
incoming and outgoing traffic. It will check packets according to the filter rules. If legal,
the packet will pass the router.
The following illustrations are flow charts explaining how router will treat incoming traffic
and outgoing traffic respectively.
Page 190 / 794
Vigor2860 Series User’s Guide
176
Stateful Packet Inspection (SPI)
Stateful inspection is a firewall architecture that works at the network layer. Unlike legacy
static packet filtering, which examines a packet based on the information in its header, stateful
inspection builds up a state machine to track each connection traversing all interfaces of the
firewall and makes sure they are valid. The stateful firewall of Vigor router not only examines
the header information also monitors the state of the connection.
Denial of Service (DoS) Defense
The
DoS Defense
functionality helps you to detect and mitigate the DoS attack. The attacks
are usually categorized into two types, the flooding-type attacks and the vulnerability attacks.
The flooding-type attacks will attempt to exhaust all your system's resource while the
vulnerability attacks will try to paralyze the system by offending the vulnerabilities of the
protocol or operation system.
The
DoS Defense
function enables the Vigor router to inspect every incoming packet based on
the attack signature database. Any malicious packet that might duplicate itself to paralyze the
host in the secure LAN will be strictly blocked and a Syslog message will be sent as warning, if
you set up Syslog server.
Also the Vigor router monitors the traffic. Any abnormal traffic flow violating the pre-defined
parameter, such as the number of thresholds, is identified as an attack and the Vigor router will
activate its defense mechanism to mitigate in a real-time manner.
The below shows the attack types that DoS/DDoS defense function can detect:
1. SYN flood attack
2. UDP flood attack
3. ICMP flood attack
4. Port Scan attack
5. IP options
6. Land attack
7. Smurf attack
8. Trace route
9. SYN fragment
10. Fraggle attack
11. TCP flag scan
12. Tear drop attack
13. Ping of Death attack
14. ICMP fragment
15. Unassigned Numbers
Below shows the menu items for Firewall.

Rate

4 / 5 based on 1 vote.

Bookmark Our Site

Press Ctrl + D to add this site to your favorites!

Share
Top