VigorPro5300 Series User’s Guide
78
• Call Filter - When there is no existing Internet connection, Call Filter is applied to all traffic, all of which should be outgoing. It will check packets according to the filter rules. If legal, the packet will pass. Then the router shall "initiate a call" to build the Internet connection and send the packet to the Internet.
• Data Filter - When there is an existing Internet connection, Data Filter is applied to incoming and outgoing traffic. It will check packets according to the filter rules. If legal, the packet will pass the router.
The following illustrations are flow charts explaining how the router will treat incoming traffic and outgoing traffic respectively.
Stateful Packet Inspection (SPI)
Stateful inspection is a firewall architecture that works at the network layer. Unlike legacy static packet filtering, which examines a packet based only on the information in its header, stateful inspection builds up a state machine to track each connection traversing all interfaces of the firewall and makes sure they are valid. The stateful firewall of the Vigor router not only examines the header information but also monitors the state of the connection.
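The difference between header-only filtering and stateful inspection is easiest to see on a short packet sequence. The following is an added example, not DrayTek code or anything from this manual: a toy static filter that admits any inbound packet carrying the ACK flag sits beside a toy state-tracking engine that admits inbound packets only when they belong to a connection the LAN side opened. All packets, addresses and ports are constructed.

```python
"""Added example (not DrayTek code): a toy static packet filter beside a toy
stateful inspection engine, to show why tracking connection state matters.
All packets below are constructed; addresses and ports are made up."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset          # TCP flags present, e.g. {"SYN"}, {"SYN", "ACK"}
    inbound: bool             # True: arrives on the WAN side, destined for the LAN


def static_filter(pkt):
    """Header-only rule with no memory between packets: allow everything
    outbound, and allow inbound only if the ACK flag is set (the classic
    'established' heuristic). Any inbound packet with ACK set gets through."""
    if not pkt.inbound:
        return "pass"
    return "pass" if "ACK" in pkt.flags else "block"


class StatefulFirewall:
    """Tracks TCP connections that the LAN side initiates. Inbound packets are
    admitted only when they belong to a connection in the state table."""

    def __init__(self):
        self.table = {}       # (lan_ip, lan_port, wan_ip, wan_port) -> state

    @staticmethod
    def _key(pkt):
        # Both directions of one connection map to the same key.
        if pkt.inbound:
            return (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport)

    def inspect(self, pkt):
        key = self._key(pkt)
        state = self.table.get(key)
        if "RST" in pkt.flags and state is not None:
            del self.table[key]   # either side aborting tears down the entry
            return "pass"
        if not pkt.inbound:
            if state is None and pkt.flags == frozenset({"SYN"}):
                self.table[key] = "SYN_SENT"          # LAN opens a connection
                return "pass"
            if state == "SYN_RECV" and "ACK" in pkt.flags:
                self.table[key] = "ESTABLISHED"       # third handshake step
                return "pass"
            return "pass" if state == "ESTABLISHED" else "block"
        # Inbound: only a reply to a tracked handshake or an established flow
        if state == "SYN_SENT" and pkt.flags == frozenset({"SYN", "ACK"}):
            self.table[key] = "SYN_RECV"
            return "pass"
        return "pass" if state == "ESTABLISHED" else "block"


LAN, SERVER, STRANGER = "192.168.1.10", "203.0.113.5", "198.51.100.7"

# Constructed traffic: a LAN-initiated session, then an unsolicited inbound
# packet from a third host that merely has the ACK bit set.
TRAFFIC = [
    Packet(LAN, 40000, SERVER, 80, frozenset({"SYN"}), False),
    Packet(SERVER, 80, LAN, 40000, frozenset({"SYN", "ACK"}), True),
    Packet(LAN, 40000, SERVER, 80, frozenset({"ACK"}), False),
    Packet(SERVER, 80, LAN, 40000, frozenset({"ACK"}), True),
    Packet(STRANGER, 4444, LAN, 8080, frozenset({"ACK"}), True),
]


def compare(traffic=TRAFFIC):
    """Return (static verdicts, stateful verdicts) for the same packet list."""
    fw = StatefulFirewall()
    static = [static_filter(p) for p in traffic]
    stateful = [fw.inspect(p) for p in traffic]
    return static, stateful


if __name__ == "__main__":
    for p, s, t in zip(TRAFFIC, *compare()):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport}  static={s:5}  stateful={t}")
```

The static filter passes all five packets because the last one has ACK set; the stateful engine passes the four handshake and data packets and blocks the fifth, since no LAN host ever opened a connection to that source. Real engines also track sequence numbers and timeouts, which this toy omits.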
Denial of Service (DoS) Defense
The DoS Defense functionality helps you to detect and mitigate DoS attacks. The attacks are usually categorized into two types: flooding-type attacks and vulnerability attacks. Flooding-type attacks attempt to exhaust all of your system's resources, while vulnerability attacks try to paralyze the system by exploiting vulnerabilities in the protocol or operating system.
The DoS Defense function enables the Vigor router to inspect every incoming packet based on the attack signature database. Any malicious packet that might duplicate itself to paralyze a host in the secure LAN will be strictly blocked, and a Syslog message will be sent as a warning if you have set up a Syslog server.
The Vigor router also monitors the traffic. Any abnormal traffic flow that violates a pre-defined parameter, such as exceeding a configured threshold, is identified as an attack, and the Vigor router will activate its defense mechanism to mitigate it in real time.
The following shows the attack types that the DoS/DDoS defense function can detect:
1. SYN flood attack
2. UDP flood attack
3. ICMP flood attack
4. TCP Flag scan
5. Trace route
6. IP options
7. Unknown protocol
8. Land attack
9. Smurf attack
10. SYN fragment
11. ICMP fragment
12. Tear drop attack
13. Fraggle attack
14. Ping of Death attack
15. TCP/UDP port scan
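The two detection methods described above, signature matching on single packets and threshold monitoring on traffic rate, can be illustrated in a few dozen lines. The following is an added example, not DrayTek code and not a description of the router's signature database: it runs a sliding-window flood counter plus simple checks for several of the listed types (Land, Ping of Death, SYN fragment, ICMP fragment, Smurf, Fraggle) over constructed packet summaries. The field names, thresholds and the protected subnet are assumptions.

```python
"""Added example (not DrayTek code): threshold-based flood detection plus a
few signature checks of the kinds listed above, run over constructed packet
summaries. Thresholds, field names and the LAN prefix are assumptions."""
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")                 # assumed protected subnet
THRESHOLDS = {"syn": 50, "udp": 150, "icmp": 50}   # assumed packets per window
WINDOW = 1.0                                       # seconds


def signature_checks(p):
    """Per-packet checks that need no history. Each packet summary is a dict
    with keys t, proto, src, dst and optional flags, dport, frag, total_len."""
    alerts = []
    flags = p.get("flags", set())
    if p["src"] == p["dst"]:
        alerts.append("land")                      # source equals destination
    if p["proto"] == "icmp" and p.get("total_len", 0) > 65535:
        alerts.append("ping_of_death")             # reassembled ICMP too large
    if p["proto"] == "tcp" and "SYN" in flags and p.get("frag"):
        alerts.append("syn_fragment")              # fragmented SYN segment
    if p["proto"] == "icmp" and p.get("frag"):
        alerts.append("icmp_fragment")
    if ip_address(p["dst"]) == LAN.broadcast_address:
        if p["proto"] == "icmp":
            alerts.append("smurf")                 # ICMP to the broadcast address
        elif p["proto"] == "udp" and p.get("dport") in (7, 19):
            alerts.append("fraggle")               # UDP echo/chargen to broadcast
    return alerts


class FloodDetector:
    """Sliding-window packet counter per (kind, destination)."""

    def __init__(self, window=WINDOW, thresholds=THRESHOLDS):
        self.window = window
        self.thresholds = thresholds
        self.events = defaultdict(deque)           # (kind, dst) -> timestamps

    @staticmethod
    def classify(p):
        if p["proto"] == "tcp" and p.get("flags") == {"SYN"}:
            return "syn"
        if p["proto"] in ("udp", "icmp"):
            return p["proto"]
        return None

    def observe(self, p):
        kind = self.classify(p)
        if kind is None:
            return None
        q = self.events[(kind, p["dst"])]
        q.append(p["t"])
        while q and p["t"] - q[0] > self.window:  # drop timestamps outside window
            q.popleft()
        return f"{kind}_flood" if len(q) > self.thresholds[kind] else None


def analyze(packets):
    """Return a dict of alert name -> number of packets that raised it."""
    det = FloodDetector()
    counts = defaultdict(int)
    for p in sorted(packets, key=lambda x: x["t"]):
        for a in signature_checks(p):
            counts[a] += 1
        flood = det.observe(p)
        if flood:
            counts[flood] += 1
    return dict(counts)


def constructed_traffic():
    """Made-up packet summaries: one SYN burst, some normal SYNs, and one
    packet each for the land, oversized-ICMP and broadcast-ICMP signatures."""
    pkts = [{"t": i * 0.005, "proto": "tcp", "src": "198.51.100.9",
             "dst": "192.168.1.20", "flags": {"SYN"}, "dport": 80}
            for i in range(60)]                    # 60 SYNs in 0.3 s
    pkts += [{"t": 10 + i, "proto": "tcp", "src": "203.0.113.4",
              "dst": "192.168.1.20", "flags": {"SYN"}, "dport": 443}
             for i in range(5)]                    # one SYN per second: normal
    pkts.append({"t": 20, "proto": "tcp", "src": "192.168.1.1",
                 "dst": "192.168.1.1", "flags": {"SYN"}, "dport": 80})
    pkts.append({"t": 21, "proto": "icmp", "src": "203.0.113.4",
                 "dst": "192.168.1.20", "frag": True, "total_len": 65600})
    pkts.append({"t": 22, "proto": "icmp", "src": "203.0.113.4",
                 "dst": "192.168.1.255"})
    return pkts


if __name__ == "__main__":
    print(analyze(constructed_traffic()))
```

On the constructed traffic the burst raises a syn_flood alert for each of the ten SYNs beyond the threshold, the five spaced-out SYNs raise nothing, and the oversized fragmented ICMP packet raises both ping_of_death and icmp_fragment. Real devices rate-limit alerts and would drop or throttle the offending flow rather than only count it.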
Anti-Virus and Anti-Intrusion
Users can have much more confidence about the security of data transmission in the network if the anti-virus and anti-intrusion functions are activated. The VigorPro router offers anti-virus and anti-intrusion mechanisms. What you have to do is set the proper profiles and invoke them. The anti-virus profile and anti-intrusion configuration can be set in the Anti-Virus menu (refer to section 3.7) and the Anti-Intrusion menu (refer to section 3.6). However, the mechanism must be enabled in either the Firewall>>General Setup or the Firewall>>Filter Setup web page. After you choose a proper Anti-Virus profile and check the Anti-Intrusion box, the Anti-Virus and Anti-Intrusion LEDs on the front panel will light up.
The menu items for Firewall are shown below.
3.6.2 General Setup
General Setup allows you to adjust settings of IP Filter and common options. Here you can enable or disable the Call Filter or Data Filter. Under some circumstances, your filter sets can be linked to work in a serial manner, so here you assign the Start Filter Set only. You can also configure the Log Flag settings, Apply IP filter to VPN incoming packets, and Accept incoming fragmented UDP packets.
Important: When a packet does not match any rule configured in the Filter Setup web page, the filtering action configured in the General Setup web page will apply to that packet.
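How a start filter set, serial linkage between sets, the global Log Flag and the General Setup default action fit together is shown by the following added example. It is not DrayTek code and does not reproduce the router's real rule format: the rule fields, the per-set "next set" link, and the sample policy are assumptions made for illustration.

```python
"""Added example (not DrayTek code): a model of how a Call/Data filter chain
with a Start Filter Set and a General Setup default action could be evaluated.
The rule fields, serial linkage per filter set, and the sample policy are
assumptions made for illustration, not the router's actual rule format."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Rule:
    action: str                       # "pass" or "block"
    proto: Optional[str] = None       # None matches any protocol
    src: Optional[str] = None         # CIDR, None matches any source
    dst: Optional[str] = None
    dport: Optional[int] = None
    log: bool = False                 # per-rule log flag

    def matches(self, pkt):
        if self.proto is not None and pkt["proto"] != self.proto:
            return False
        if self.src is not None and ip_address(pkt["src"]) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(pkt["dst"]) not in ip_network(self.dst):
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        return True


@dataclass
class FilterSet:
    name: str
    rules: List[Rule] = field(default_factory=list)
    next_set: Optional[str] = None    # serial link: set consulted when no rule matches


class IPFilter:
    def __init__(self, sets, start_set, default_action, log_flag=False):
        self.sets = {s.name: s for s in sets}
        self.start_set = start_set
        self.default_action = default_action   # the Filter setting in General Setup
        self.log_flag = log_flag               # global Log Flag
        self.log = []

    def evaluate(self, pkt):
        """Walk the chain from the start set; the first matching rule decides.
        Returns (action, (set name, rule index)) or (default action, None)."""
        name, visited = self.start_set, set()
        while name is not None and name not in visited:   # guard against loops
            visited.add(name)
            fs = self.sets[name]
            for i, rule in enumerate(fs.rules):
                if rule.matches(pkt):
                    if rule.log or self.log_flag:
                        self.log.append((name, i, rule.action, pkt))
                    return rule.action, (name, i)
            name = fs.next_set
        # Nothing matched anywhere in the chain: General Setup's action applies
        if self.log_flag:
            self.log.append(("default", None, self.default_action, pkt))
        return self.default_action, None


# Constructed policy: set1 permits DNS and HTTPS from the LAN, then hands off
# to set2, which blocks a file-sharing port; anything else hits the default.
POLICY = [
    FilterSet("set1", [
        Rule("pass", proto="udp", src="192.168.1.0/24", dport=53),
        Rule("pass", proto="tcp", src="192.168.1.0/24", dport=443),
    ], next_set="set2"),
    FilterSet("set2", [
        Rule("block", proto="tcp", dport=445, log=True),
    ]),
]


def decide(pkt, default_action="block"):
    """Verdict for one packet under POLICY with the given General Setup action."""
    fw = IPFilter(POLICY, start_set="set1", default_action=default_action)
    return fw.evaluate(pkt)[0]


if __name__ == "__main__":
    smtp = {"proto": "tcp", "src": "192.168.1.5", "dst": "203.0.113.1", "dport": 25}
    print("default block:", decide(smtp), " default pass:", decide(smtp, "pass"))
```

The point the "Important" note makes is visible in the last two calls: a packet that no rule in any linked set matches gets whatever the General Setup Filter option says, so a default of Pass quietly admits everything the rule sets forgot to cover.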
Click Firewall and then click General Setup to open the general setup page.
Call Filter - Check Enable to activate the Call Filter function. Assign a start filter set for the Call Filter.
Data Filter - Check Enable to activate the Data Filter function. Assign a start filter set for the Data Filter.
Filter - Select Pass or Block for the packets that do not match the filter rules.
IM/P2P Filter - Select a CSM profile for global IM/P2P application blocking. All the hosts in the LAN must follow the standard configured in the CSM profile selected here. For detailed information, refer to the section on CSM profile setup. For troubleshooting needs, you can specify to record information for IM/P2P by checking the Log box. It will be sent to the Syslog server. Please refer to section 3.14.4 Syslog/Mail Alert for more detailed information.
URL Content Filter - Select one of the URL Content Filter profile settings (created in CSM>>URL Content Filter) to apply to this router. Please set at least one profile in the CSM>>URL Content Filter web page first. For troubleshooting needs, you can specify to record information for URL Content Filter by checking the Log box. It will be sent to the Syslog server. Please refer to section 3.14.4 Syslog/Mail Alert for more detailed information.
Web Content Filter - Select one of the Web Content Filter profile settings (created in CSM>>Web Content Filter) to apply to this router. Please set at least one profile in the CSM>>Web Content Filter web page first. For troubleshooting needs, you can specify to record information for Web Content Filter by checking the Log box. It will be sent to the Syslog server. Please refer to section 3.14.4 Syslog/Mail Alert for more detailed information.
Anti-Virus - Select one of the anti-virus profile settings (created in Anti-Virus>>Profile Setting) to apply to this router. Please set at least one profile for anti-virus in the Anti-Virus>>Profile Setting web page first. For troubleshooting needs, you can specify to record information for Anti-Virus by checking the Log box. It will be sent to the Syslog server. Please refer to section 3.14.4 Syslog/Mail Alert for more detailed information.
Anti-Intrusion - Check the Enable box to invoke the anti-intrusion filter function. For troubleshooting needs, you can specify to record information for Anti-Intrusion by checking the Log box. It will be sent to the Syslog server. Please refer to section 3.14.4 Syslog/Mail Alert for more detailed information.
Anti-Spam - Select one of the anti-spam profile settings (created in Anti-Spam>>Profile Setting) to apply to this router. Please set at least one profile for anti-spam in the Anti-Spam>>Profile Setting web page first. For troubleshooting needs, you can specify to record information for Anti-Spam by checking the Log box. It will be sent to the Syslog server. Please refer to section 3.14.4 Syslog/Mail Alert for more detailed information.
Apply IP filter to VPN incoming packets - Check this box to enable the function.
Accept large incoming… - Some on-line games (for example: Half Life) use lots of fragmented UDP packets to transfer game data. Instinctively, as a secure firewall, the Vigor router will reject these fragmented packets to prevent attacks unless you enable "Accept large incoming fragmented UDP or ICMP Packets". By checking this box, you can play these kinds of on-line games. If security is the higher priority, you should not enable "Accept large incoming fragmented UDP or ICMP Packets".
Enable Transparent Mode - Check this box to enable the transparent function for this router. It is not necessary for users to re-organize the network or configure the subnet settings for each PC connected under the router. However, the configured Anti-Virus, Anti-Intrusion and Anti-Spam profiles can still be applied to PCs connected behind the Vigor router to provide the best security. The following picture explains the basic structure for using transparent mode with the Vigor router.
PCs with subnet "172.16.x.x" connected under the VigorPro 5300 will be protected by the security settings enabled and configured on the web pages of the Vigor router. When transparent mode has been checked, hackers from the Internet do not sense the existence of the Vigor router, therefore they cannot attack the router.
Advance Setting - Click Edit to open the following window. However, it is strongly recommended to use the default settings here.
Codepage - This function is used to compare the characters among different languages. Choosing the correct codepage can help the system obtain the correct ASCII after decoding data from the URL and enhance the correctness of the URL Content Filter. The default value for this setting is ANSI 1252 Latin I. If you do not choose any codepage, no URL decoding will be performed. Please use the drop-down list to choose a codepage.
If you do not know which codepage is suitable, please open Syslog. From Codepage Information of the Setup dialog, you will see the recommended codepage listed in the dialog box.
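Why the codepage setting affects URL Content Filter accuracy is shown by the following added example, which is not DrayTek code and not the router's decoder. It percent-decodes a constructed URL under different codepages before matching it against a constructed keyword list; Python's cp1252 codec stands in for the manual's "ANSI 1252 Latin I", and codepage None models the "no codepage chosen, no decoding" case.

```python
"""Added example (not DrayTek code): why the codepage matters when a URL
Content Filter compares decoded URLs against keywords. The URLs and keyword
list are constructed; Python's cp1252 codec stands in for "ANSI 1252 Latin I"."""
from urllib.parse import unquote

# Constructed: the same Latin word "cafe" with an acute e, percent-encoded two
# ways: as the single cp1252 byte E9, and as the UTF-8 byte pair C3 A9.
CP1252_URL = "http://example.com/menu?item=caf%E9"
UTF8_URL = "http://example.com/menu?item=caf%C3%A9"
KEYWORDS = ["caf\u00e9"]          # assumed keyword the filter looks for


def decode_url(url, codepage):
    """Percent-decode using the chosen codepage. codepage=None models the
    manual's 'no codepage chosen': the URL is left undecoded. Bytes that are
    invalid in the chosen codepage become U+FFFD rather than raising."""
    if codepage is None:
        return url
    return unquote(url, encoding=codepage, errors="replace")


def keyword_hits(url, codepage, keywords=KEYWORDS):
    """Keywords found in the decoded URL (case-insensitive comparison)."""
    decoded = decode_url(url, codepage).lower()
    return [k for k in keywords if k.lower() in decoded]


if __name__ == "__main__":
    for cp in ("cp1252", "utf-8", None):
        print(f"{str(cp):7}", keyword_hits(CP1252_URL, cp), keyword_hits(UTF8_URL, cp))
```

With cp1252 the single-byte URL matches and the UTF-8 one decodes to "cafÃ©" and misses; with utf-8 the reverse happens; with no codepage nothing is decoded and neither matches. A filter therefore needs the codepage that the clients behind it actually use, which is what the Syslog Codepage Information dialog mentioned above helps you determine.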
