Firewall Protection and Content Filtering
4-1
v1.0, March 2009
Chapter 4
Firewall Protection and Content Filtering
This chapter describes how to use the content filtering features of the ProSafe VPN Firewall 200 to
protect your network.
This chapter includes the following sections:
“About Firewall Protection and Content Filtering” on page 4-1
“Using Rules to Block or Allow Specific Kinds of Traffic” on page 4-2
“Setting a Schedule to Block or Allow Specific Traffic” on page 4-28
“Setting Block Sites (Content Filtering)” on page 4-29
“Enabling Source MAC Filtering” on page 4-31
“IP/MAC Binding” on page 4-33
“Port Triggering” on page 4-35
“Bandwidth Limiting” on page 4-37
“E-Mail Notifications of Event Logs and Alerts” on page 4-39
“Administrator Tips” on page 4-43
About Firewall Protection and Content Filtering
The ProSafe VPN Firewall 200 provides you with Web content filtering options, plus browsing
activity reporting and instant alerts via e-mail. Parents and network administrators can establish
restricted access policies based on time-of-day, Web addresses and Web address keywords. You
can also block Internet access by applications and services, such as chat or games.
A firewall is a special category of router that protects one network (the “trusted” network, such as
your LAN) from another (the untrusted network, such as the Internet), while allowing
communication between the two. You can further segment keyword blocking to certain known
groups (see “Managing Groups and Hosts (LAN Groups)” on page 3-6 to set up LAN Groups).
A firewall incorporates the functions of a NAT (Network Address Translation) router, while
adding features for dealing with a hacker intrusion or attack, and for controlling the types of traffic
that can flow between the two networks. Unlike simple Internet sharing NAT routers, a firewall
uses a process called stateful packet inspection to protect your network from attacks and
intrusions. NAT performs a very limited stateful inspection in that it considers whether the
incoming packet is in response to an outgoing request, but true Stateful Packet Inspection goes far
beyond NAT.
Using Rules to Block or Allow Specific Kinds of Traffic
Firewall rules are used to block or allow specific traffic passing through from one side to the other.
You can configure up to 600 rules on the FVX538. Inbound rules (WAN to LAN) restrict access by
outsiders to private resources, selectively allowing only specific outside users to access specific
resources. Outbound rules (LAN to WAN) determine what outside resources local users can have
access to.
A firewall has two default rules, one for inbound traffic and one for outbound. The default rules of
the FVX538 are:
Inbound: Block all access from outside except responses to requests from the LAN side.
Outbound: Allow all access from the LAN side to the outside.
The firewall rules for blocking/allowing traffic on the VPN firewall can be applied to LAN/WAN
traffic, DMZ/WAN traffic and LAN/DMZ traffic.
Services-Based Rules
The rules to block traffic are based on the traffic’s category of service.
Outbound Rules (service blocking) – Outbound traffic is normally allowed unless the
firewall is configured to disallow it.
Inbound Rules (port forwarding) – Inbound traffic is normally blocked by the firewall
unless the traffic is in response to a request from the LAN side. The firewall can be configured
to allow this otherwise blocked traffic.
Table 4-1. Supported Firewall Rule Configurations
Traffic Rule    Outbound Rules    Inbound Rules
LAN/WAN         50                50
DMZ/WAN         50                50
LAN/DMZ         50                50
Customized Services – Additional services can be added to the list of services in the factory
default list. These added services can then have rules defined for them to either allow or block
that traffic (see “Adding Customized Services” on page 4-25).
Quality of Service (QoS) priorities – Each service has its own native priority that impacts its
quality of performance and tolerance for jitter or delays. You can change the QoS priority,
which will change the traffic mix through the system (see “Setting Quality of Service (QoS)
Priorities” on page 4-27).
Outbound Rules (Service Blocking)
The FVX538 allows you to block the use of certain Internet services by PCs on your network. This
is called service blocking or port filtering.
Note: See “Enabling Source MAC Filtering” on page 4-31 for yet another way to block
outbound traffic from selected PCs that would otherwise be allowed by the firewall.
Table 4-2. Outbound Rules
Item – Description
Service Name
Select the desired Service or application to be covered by this rule. If the desired
service or application does not appear in the list, you must define it using the
Services menu (see “Adding Customized Services” on page 4-25).
Action (Filter)
Select the desired action for outgoing connections covered by this rule:
BLOCK always
BLOCK by schedule, otherwise Allow
ALLOW always
ALLOW by schedule, otherwise Block
Note: Any outbound traffic which is not blocked by rules you create will be allowed by
the Default rule.
ALLOW rules are only useful if the traffic is already covered by a BLOCK rule. That
is, you wish to allow a subset of traffic that is currently blocked by another rule.
Action (Select Schedule)
Select the desired time schedule (i.e., Schedule1, Schedule2, or Schedule3) that will
be used by this rule.
This drop-down menu is activated only when “BLOCK by schedule, otherwise
Allow” or “ALLOW by schedule, otherwise Block” is selected as the Action.
Use the Schedule page to configure the time schedules (see “Setting a Schedule to
Block or Allow Specific Traffic” on page 4-28).
LAN users
These settings determine which computers on your network are affected by this rule.
Select the desired option:
Any – All PCs and devices on your LAN.
Single address – Enter the required address and the rule will be applied to that
particular PC.
Address range – If this option is selected, you must enter the start and finish fields.
Groups – Select the Group to which this rule will apply. Use the LAN Groups screen
(under Network Configuration) to assign PCs to Groups. See “Managing Groups
and Hosts (LAN Groups)” on page 3-6.
WAN Users
These settings determine which Internet locations are covered by the rule, based on
their IP address. Select the desired option:
Any – All Internet IP addresses are covered by this rule.
Single address – Enter the required address in the start field.
Address range – If this option is selected, you must enter the start and end fields.
DMZ Users
These settings determine which computers on the DMZ network are affected by
this rule. Select the desired option:
Any – All PCs and devices on your DMZ network.
Single address – Enter the required address and the rule will be applied to that
particular PC on the DMZ network.
Address range – If this option is selected, you must enter the start and finish fields
of the DMZ computers.
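The outbound rule semantics described above (the four Action settings, the schedule qualifier, the Any / Single address / Address range selectors for LAN users and WAN users, and the default outbound rule) modelled in a few lines of Python. This is an added example, not NETGEAR's firmware code; it assumes first-match, top-to-bottom evaluation, which this page does not state, and all service names, addresses and the sample Schedule1 are constructed.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime
# The four outbound actions exactly as the FVX538 rule table names them.
BLOCK_ALWAYS = "BLOCK always"
BLOCK_BY_SCHEDULE = "BLOCK by schedule, otherwise Allow"
ALLOW_ALWAYS = "ALLOW always"
ALLOW_BY_SCHEDULE = "ALLOW by schedule, otherwise Block"

@dataclass
class Rule:
    service: str             # service name such as "HTTP" (constructed sample)
    action: str              # one of the four action constants above
    lan_users: tuple         # ("any",), ("single", ip) or ("range", start, end)
    wan_users: tuple         # same forms as lan_users
    schedule: object = None  # callable(datetime) -> True while the schedule is active

def matches(selector, ip):
    # Any / Single address / Address range, as on the LAN users and WAN users rows.
    kind, *bounds = selector
    if kind == "any":
        return True
    lo, hi = bounds if kind == "range" else (bounds[0], bounds[0])
    return ipaddress.ip_address(lo) <= ipaddress.ip_address(ip) <= ipaddress.ip_address(hi)

def decide(rule, now):
    # "X always" is unconditional; "X by schedule, otherwise Y" flips when the schedule is inactive.
    if rule.action in (BLOCK_ALWAYS, ALLOW_ALWAYS):
        return rule.action.split()[0]
    scheduled, otherwise = rule.action.split()[0], rule.action.split()[-1].upper()
    return scheduled if rule.schedule(now) else otherwise

def evaluate_outbound(rules, service, lan_ip, wan_ip, now):
    # Assumption: first matching rule (top to bottom) decides, so an ALLOW exception
    # must be listed above the broader BLOCK rule whose subset it carves out.
    for rule in rules:
        if rule.service == service and matches(rule.lan_users, lan_ip) and matches(rule.wan_users, wan_ip):
            return decide(rule, now)
    return "ALLOW"  # default outbound rule: allow all access from the LAN side

# Constructed policy: block HTTP from the LAN during business hours, except from one admin PC.
business_hours = lambda now: now.weekday() < 5 and 9 <= now.hour < 18  # constructed Schedule1
POLICY = [
    Rule("HTTP", ALLOW_ALWAYS, ("single", "192.168.1.10"), ("any",)),
    Rule("HTTP", BLOCK_BY_SCHEDULE, ("range", "192.168.1.2", "192.168.1.254"), ("any",), business_hours),
]

def demo():
    work, evening = datetime(2009, 3, 3, 10, 30), datetime(2009, 3, 3, 20, 0)  # constructed: a Tuesday
    wan = "203.0.113.5"
    return [evaluate_outbound(POLICY, "HTTP", "192.168.1.10", wan, work),     # admin PC exception
            evaluate_outbound(POLICY, "HTTP", "192.168.1.50", wan, work),     # blocked by schedule
            evaluate_outbound(POLICY, "HTTP", "192.168.1.50", wan, evening),  # schedule inactive
            evaluate_outbound(POLICY, "SMTP", "192.168.1.50", wan, work)]     # no rule: default
```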
QoS Priority
The priority assigned to IP packets of this service. The priorities are defined by the “Type
of Service (TOS) in the Internet Protocol Suite” standard, RFC 1349. The router
marks the Type Of Service (TOS) field as defined below:
Normal-Service: No special priority is given to the traffic. The IP packets for services
with this priority are marked with a TOS value of 0.
Minimize-Cost: Used when data must be transferred over a link that has a lower
cost. The IP packets for services with this priority are marked with a TOS value of 1.
Maximize-Reliability: Used when data needs to travel to the destination over a
reliable link and with little or no retransmission. The IP packets for services with this
priority are marked with a TOS value of 2.
Maximize-Throughput: Used when the volume of data transferred during an interval
is important even if the latency over the link is high. The IP packets for services with
this priority are marked with a TOS value of 4.
Minimize-Delay: Used when the time required (latency) for the packet to reach the
destination must be low. The IP packets for services with this priority are marked
with a TOS value of 8.
This setting determines the priority of a service which, in turn, determines the quality
of that service for the traffic passing through the firewall. By default, the priority
shown is that of the selected service. The user can change it accordingly. If the user
does not make a selection (i.e., leaves it as None), then the native priority of the
service will be applied to the policy. See “Setting Quality of Service (QoS) Priorities”
on page 4-27.
NAT IP
Specifies whether the source address of outgoing packets on the WAN should be the
WAN interface address or a different one.
NAT single IP is on: The WAN interface to which the NAT IP belongs. All outgoing
packets on the WAN will be routed through the specified WAN interface only.
WAN Interface Address: All outgoing packets on the WAN will be assigned the WAN
interface address.
Single Address: All outgoing packets on the WAN will be assigned the specified IP
address.
Note: This option is available only when the WAN mode is NAT. The IP address
specified should fall within the WAN subnet.