Vigor2900 Series User’s Guide

70

Delete Static Route

1.

Click the

Index Number

that you want to delete from the

Static Route Configuration

page.

2.

Select

Empty/Clear

from the drop-down menu, and then click the

OK

button to delete

the route.

Vigor2900 Series User’s Guide

71

Deactivate Static Route

1.

Click the

Index Number

that you want to disable from the

Static Route Configuration

page.

2.

Select

Inactive/Disable

from the drop-down menu, and then click the

OK

button to

delete the route.

Vigor2900 Series User’s Guide

72

3.7 IP Filter/Firewall Setup

3.7.1 Basics for Firewall

While the broadband users demand more bandwidth for multimedia, interactive applications,

or distance learning, security has been always the most concerned. The firewall of the Vigor

router helps to protect your local network against attack from unauthorized outsiders. It also

restricts users in the local network from accessing the Internet. Furthermore, it can filter out

specific packets that trigger the router to build an unwanted outgoing connection.

The most basic security concept is to set user name and password while you install your router.

The administrator login will prevent unauthorized access to the router configuration from your

router.

Firewall Facilities

The users on the LAN are provided with secured protection by the following firewall facilities:

z

User-configurable IP filter (Call Filter/ Data Filter).

z

Stateful Packet Inspection (SPI): tracks packets and denies unsolicited incoming data

z

Selectable Denial of Service (DoS) /Distributed DoS (DDoS) attacks protection

z

URL Content Filter

IP Filters

Depending on whether there is an existing Internet connection, or in other words “the WAN

link status is up or down”, the IP filter architecture categorizes traffic into two:

Call Filter

and

Data Filter

.

z

Call Filter -

When there is no existing Internet connection,

Call Filter

is applied to all

traffic, all of which should be outgoing. It will check packets according to the filter rules.

If legal, the packet will pass. Then the router shall

“initiate a call”

to build the Internet

connection and send the packet to Internet.

Vigor2900 Series User’s Guide

73

z

Data Filter

- When there is an existing Internet connection,

Data Filter

is applied to

incoming and outgoing traffic. It will check packets according to the filter rules. If legal,

the packet will pass the router.

The following illustrations are flow charts explaining how router will treat incoming traffic

and outgoing traffic respectively.

Stateful Packet Inspection (SPI)

Stateful inspection is a firewall architecture that works at the network layer. Unlike legacy

static packet filtering, which examines a packet based on the information in its header, stateful

inspection builds up a state machine to track each connection traversing all interfaces of the

firewall and makes sure they are valid. The stateful firewall of Vigor router not just examine

the header information also monitor the state of the connection.

Instant Messenger (IM) and Peer-to-Peer (P2P) Application Blocking

As the popularity of all kinds of instant messenger application arises, communication cannot

become much easier. Nevertheless, while some industry may leverage this as a great tool to

connect with their customers, some industry may take reserve attitude in order to reduce

employee misusage during office hour or prevent unknown security leak. It is similar situation

for corporation towards peer-to-peer applications since file-sharing can be convenient but

insecure at the same time. To address these needs, we provide IM and P2P blocking

functionality.

Vigor2900 Series User’s Guide

74

Denial of Service (DoS) Defense

The

DoS Defense

functionality helps you to detect and mitigate the DoS attack. The attacks

are usually categorized into two types, the flooding-type attacks and the vulnerability attacks.

The flooding-type attacks will attempt to exhaust all your system's resource while the

vulnerability attacks will try to paralyze the system by offending the vulnerabilities of the

protocol or operation system.

The

DoS Defense

function enables the Vigor router to inspect every packet based on the attack

signature database. Any malicious packet that might duplicate itself to paralyze the host in the

secure LAN will be strictly blocked and a Syslog message will be sent as warning, if you set up

Syslog server.

Also the Vigor router monitors the traffic. Any abnormal traffic flow violating the pre-defined

parameter, such as the number of thresholds, is identified as an attack and the Vigor router will

activate its defense mechanism to mitigate in a real-time manner.

The below shows the attack types that DoS/DDoS defense function can detect:

1. SYN flood attack

2. UDP flood attack

3. ICMP flood attack

4. TCP Flag scan

5. Trace route

6. IP options

7. Unknown protocol

8. Land attack

9. Smurf attack

10. SYN fragment

11. ICMP fragment

12. Tear drop attack

13. Fraggle attack

14. Ping of Death attack

15. TCP/UDP port scan

URL Content Filter

To provide an appropriate cyberspace to users, Vigor router equips with

URL Content Filter

not only to limit illegal traffic from/to the inappropriate web sites but also prohibit other web

feature where malicious code may conceal.

Once a user type in or click on an URL with objectionable keywords, URL keyword blocking

facility will decline the HTTP request to that web page thus can limit user’s access to the

website. You may imagine

URL Content Filter

as a well-trained convenience-store clerk who

won’t sell adult magazines to teenagers. At office,

URL Content Filter

can also provide a

job-related only environment hence to increase the employee work efficiency. How can URL

Content Filter work better than traditional firewall in the field of filtering? Because it checks

the URL strings or some of HTTP data hiding in the payload of TCP packets while legacy

firewall inspects packets based on the fields of TCP/IP headers only.

On the other hand, Vigor router can prevent user from accidentally downloading malicious

codes from web pages. It’s very common that malicious codes conceal in the executable objects,

such as ActiveX, Java Applet, compressed files, and other executable files. Once downloading

these types of files from websites, you may risk bringing threat to your system. For example, an

ActiveX control object is usually used for providing interactive web feature. If malicious code

hides inside, it may occupy user’s system.