DISCUS™ DRG A124G

Table 2

TABLE 2

List of fields on the MAC Filtering Table

PARAMETER

DESCRIPTION

MAC Address Control

Select to enable or disable this function

MAC Filtering Table

DHCP Client List

Enter the MAC address in the space provided

Use this drop down menu to quickly copy the currently associ-

ated clients to the table

FIREWALL >> URL

BLOCKING

The Router allows the user to block access to web sites by entering either a full

URL address or just a keyword. This feature can be used to protect children

from accessing violent or pornographic web sites.

FIGURE 5

URL Blocking menu

It is possible to define up to 30 sites here.

FIREWALL >> SCHEDULE

RULE

It is possible to filter Internet access for local clients based on rules. Each ac-

cess control rule may be activated at a scheduled time.

Define the schedule on the

Schedule Rule

screen and apply the rule on the

Access Control screen.

© (2008) Pirelli Broadband Solutions S.p.A. All Rights Reserved. Proprietary Use Pursuant to Cover Page Instructions.

70

OGU 930500195-A1

Firewall Section

DISCUS™ DRG A124G

Schedule Rule

Follow this steps to add a schedule rule:

•

Select the

Add Schedule Rule

item on the Schedule Rule screen

•

Define the appropriate settings for a schedule rule

•

Click

OK

button and then click

SAVE SETTINGS

button to save your set-

tings.

FIGURE 7

Editing of Schedule Rule

FIREWALL >> INTRUSION

DETECTION

It is used to detect and block common hacker attacks. The main firewall feature

is

SPI (Stateful Packet Inspection)

that supports many applications that are us-

ing port numbers. In this section menu there is some fields:

•

Intrusion Detection Feature

Intrusion Detection Stateful

Packet Inspection (SPI) and

Anti-DoS firewall protection (De-

fault: Enabled)

The Intrusion Detection Feature of the

Router limits access for incoming traffic at

the WAN port. When the SPI feature is

turned on, all incoming traffic at the WAN

port will be blocked except for those types

marked in the Stateful Packet Inspection

© (2008) Pirelli Broadband Solutions S.p.A. All Rights Reserved. Proprietary Use Pursuant to Cover Page Instructions.

Firewall Section

OGU 930500195-A1

71

DISCUS™ DRG A124G

RIP Defect (Default: Disabled)

If an RIP request packet is not acknowl-

edged to by the router, it will stay in the

input queue and not be released. Accu-

mulated packets could cause the input

queue to fill, causing severe problems for

all protocols. Enabling this feature pre-

vents the packets from accumulating.

Discard Ping to WAN (Default :

Enabled )

Prevent a ping on the Router’s WAN port

from being routed to the network.

•

Stateful Packet inspection

It’s called a “stateful” packet inspection because it examines the contents of the

packet to determine the state of the communications; i.e., it ensures that the

started destination computer has previously requested the current communica-

tion. This is a way of ensuring that all communications are initiated by the re-

cipient computer and are taking place only with sources that are known and

trusted from the previous interactions. In addition to being more rigorous in their

inspection of packets, stateful inspection firewalls also close off ports until con-

nection to the specific port is requested.

When particular types of traffic are checked, only the particular type of traffic ini-

tiated from the internal LAN will be allowed. For example, if the user only

checks “FTP service” in the Stateful Packet Inspection section, all incoming traf-

fic will be blocked except for FTP connections initiated from the local LAN.

Stateful Packet Inspection allows you to select different application types that

are using dynamic ports numbers. If you wish to use the Stateful Packet Inspec-

tion (SPI) to block packets, click on the Yes radio button in the inspection type

that you need, such as Packet Fragmentation, TCP connection, UDP Session,

FTP Service, H.323 Service, or TFTP Service.

© (2008) Pirelli Broadband Solutions S.p.A. All Rights Reserved. Proprietary Use Pursuant to Cover Page Instructions.

72

OGU 930500195-A1

Firewall Section

DISCUS™ DRG A124G

Intrusion detection panel

Scroll down to view more information.

•

When hackers attempt to enter your network, we can alert you by e-

mail

.

Enter your email address. Specify your STMP and POP3 servers, username

and password.

•

Connection Policy

Enter the appropriate values for TCP / UDP sessions as described in the follow-

ing table.

TABLE 3

List of values TCP/UDP sessions

PARAMETER

DEFAULTS

DESCRIPTION

Fragmentation half-open wait

10 s

Configures the number of seconds that a

packet state structure remains active.

When the timeout value expires the router

drops the unassembled packet, freeing

that structure for use by another packet

TCP SYN wait

30 s

Defines

how long the software will wait for

a TCP session to synchronize before

dropping the session

TCP FIN wait

5 s

Specifies how long TCP session will be

maintained after the firewall detects a FIN

packet

© (2008) Pirelli Broadband Solutions S.p.A. All Rights Reserved. Proprietary Use Pursuant to Cover Page Instructions.

Firewall Section

OGU 930500195-A1

73

DISCUS™ DRG A124G

TABLE 3

List of values TCP/UDP sessions

PARAMETER

DEFAULTS

DESCRIPTION

TCP connection idle timeout

3600 s

The length of time for which a TDP session

will be managed if there is no activity

UDP session

idle timeout

30 s

The length of time for which a UDP ses-

sion will be managed if there is no activity

H.323 data channel idle

timeout

180 s

The length of time for which a H.323 ses-

sion will be managed if there is no activity

•

DoS criteria and port scan criteria

Set up DoS and port scan criteria in the spaces provided (as shown in

Table 4)

TABLE 4

List of values of DoS parameters

PARAMETER

DEFAULTS

DESCRIPTION

Total incomplete TCP / UDP ses-

sion HIGH

300 sessions

Defines the rate of new unestablished ses-

sion that will cause the software to start

deleting half-open sessions

Total incomplete TCP / UDP ses-

sion LOW

250 sessions

Defines the rate of new unestablished ses-

sions that will cause the software to stop

deleting half open sessions

Total incomplete TCP / UDP ses-

sion (per min) HIGH

250 sessions

Maximum number of allowed incomplete

TCP / UDP sessions per minute

Total incomplete TCP / UDP ses-

sion (per min) LOW

200 sessions

Minimum number of allowed incomplete

TCP / UDP sessions per minute

Incomplete TCP / UDP sessions

detect sensitive time period

300 msec

Length of time before an incomplete TCP /

UDP session from the same host

Maximum half-open fragmentation

packet number from same host

30

Maximum number of half-open fragmenta-

tion packets from the same host.

Half-open fragmentation detect

sensitive time

period

10000 msec

Length of time before a half-open fragmen-

tation session is detected as half-open

Flooding cracker block time

300 s

Length of time from detecting a flood at-

tack to blocking attack

The firewall does not significantly affect system performance, so we advise enabling the prevention fea-

tures and leaving them at the default settings to protect your network