SpeedStream Router User Guide
Clone a Rule Definition
You can create a new set of custom IP filter rules from one of the existing preconfigured firewall levels.
1. In the Clone Rules Definitions box, select the firewall level to copy.
2. Click Clone Rule Set. The Rules table refreshes to display the new rules for that level.
3. If you want to change any of a rule’s criteria, click Edit in the row of that rule, and then complete steps 1 through 5 as relevant (refer to the following section for detailed instructions).
Create Custom IP Filter Rules
You can create a new filter rule based on criteria you enter.
Note: You must have selected the Custom firewall level from the Firewall – Simple Setup window.
The following instructions reference the step numbers on the Firewall – Custom IP Filter Configuration window.
Step 1: Fill in the following information.
1. In the Rule No. text box, enter an unused rule number. If you enter a number that is already in the rules database, an error message will display.
2. In the Access drop-down list box, select the access value, Permit or Deny.
3. In the Direction drop-down list box, select whether the rule applies to Inbound or Outbound packet traffic.
4. To prevent the firewall from creating a stateful inspection session for packets matched on this rule, select the Keep stateless check box.
Step 2: Define the source and destination.
1. In the Network Interface list under the Source heading, select the Network Interface.
2. Designate whether the source is any IP address or a specific address; if the latter, enter the IP address and netmask.
3. Repeat the previous steps to specify the Destination criteria.
Step 3: Select a protocol to filter.
1. In the Select by Name list box, select the protocol name.
- or -
In the Select by Number text box, enter the protocol number.
2. Depending on the protocol, select the applicable rule options:
For TCP/UDP, go to Step 4a.
For ICMP, go to Step 4b.
For any other protocol, go to Step 5.
Step 4a: If TCP/UDP chosen in Step 3, select the desired rule options.
1. Specify Source Port Operator options:
Select the source port operator.
Enter the first port number.
If applicable, enter the second port number.
2. Specify Destination Port Operator options:
Select the destination port operator.
Enter the first port number.
If applicable, enter the second port number.
If applicable, select Apply rule only to TCP connections that are already established.
If applicable, select Check syn packets for TCP conne
Step 4b: If ICMP chosen in Step 3, select the desired ICMP rule options.
From the table, select one or multiple options.
- or -
To automatically select all options, click All Types.
Step 5: Apply the rule definition, clear the form, or reset the form.
To accept the settings, click Apply.
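The rule fields from Steps 1 through 5 modeled as data and evaluated against sample packets, as an added example that is neither the router's firmware nor code from this manual. It assumes first-match evaluation in rule-number order with an implicit deny when nothing matches, a destination port criterion only, the operator names "eq" and "range", and a constructed LAN host 192.168.254.10; the manual specifies none of these.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Rule:
    number: int                        # Rule No. (must be unused)
    access: str                        # "Permit" or "Deny"
    direction: str                     # "Inbound" or "Outbound"
    protocol: Optional[int] = None     # IP protocol number (6=TCP, 17=UDP, 1=ICMP); None = any
    src: Optional[str] = None          # "address/netmask"; None = any IP address
    dst: Optional[str] = None
    dst_port_op: Optional[str] = None  # assumed operator names: "eq" (one port), "range" (two)
    dst_ports: tuple = ()
    established_only: bool = False     # TCP only: match already-established connections only

def in_net(addr, net):
    return net is None or ip_address(addr) in ip_network(net, strict=False)

def port_matches(op, ports, port):
    if op is None:
        return True   # rule has no port criterion
    if port is None:
        return False  # rule wants a port but the packet has none (e.g. ICMP)
    return port == ports[0] if op == "eq" else ports[0] <= port <= ports[1]

class RuleSet:
    def __init__(self):
        self.rules = {}
    def add(self, rule):
        if rule.number in self.rules:  # the manual's "already in the rules database" error
            raise ValueError(f"rule number {rule.number} already in use")
        self.rules[rule.number] = rule
    def evaluate(self, pkt):  # first match in rule-number order; default deny is assumed
        for r in (self.rules[n] for n in sorted(self.rules)):
            if (r.direction == pkt["direction"]
                    and (r.protocol is None or r.protocol == pkt["proto"])
                    and in_net(pkt["src"], r.src) and in_net(pkt["dst"], r.dst)
                    and port_matches(r.dst_port_op, r.dst_ports, pkt.get("dport"))
                    and (not r.established_only or pkt.get("established", False))):
                return r.number, r.access
        return None, "Deny"

def demo_rules():
    rs = RuleSet()  # constructed sample: a LAN web server, plus replies to LAN-initiated TCP
    rs.add(Rule(10, "Permit", "Inbound", protocol=6, dst="192.168.254.10/255.255.255.255",
                dst_port_op="eq", dst_ports=(80,)))
    rs.add(Rule(20, "Permit", "Inbound", protocol=6, established_only=True))
    rs.add(Rule(30, "Deny", "Inbound"))
    return rs
```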
Firewall Log
When the Attack Detection System (ADS) is enabled, various checks are performed, according to the criteria you designate. For example:
1. If an attack is detected, that information can be displayed in the Firewall Log.
2. Any denials of access by the firewall can be logged with a reason code and a description string.
3. Syslog-formatted messages can be sent to another node on the LAN.
The Firewall Log contains a maximum of 200 entries; each entry may contain a maximum of 200 characters.
To display the Firewall Log window
From the main menu, click Advanced Setup, then click Firewall, and then click Log. The Firewall Log window displays.
ADS (Attack Detection System)
The firewall Advanced Attack Detection System (ADS) contains various algorithms to detect and identify WAN attacks the moment they start and protect the LAN from such attacks. Though WAN access may be temporarily hindered, the LAN is protected from harmful traffic.
ADS typically looks for two types of packets: malformed packets and spoofed source address packets.
Malformed packets have been purposefully constructed with errors in them. These are used to crash systems that do not properly handle the errors. This type of attack usually happens against large sites rather than home users.
Packets with spoofed source addresses are commonly sent to smaller hosts, not with the intent of bringing down a particular computer, but rather to take down a large host through a mechanism called Distributed Denial of Service (DDoS). In this situation, when a huge number of computers are used to request services, those services are rendered unavailable because of the traffic load.
The Attack Detection System generates a log entry for a particular type of attack once per minute. Consequently, there will be multiple entries for long-term attacks. This lets the user know the period of time that the attack persisted.
Background
TCP/IP (Transmission Control Protocol/Internet Protocol) is the “language” computers that make up the Internet (called hosts) use to talk to each other. TCP and IP dictate the meaning of two sets of tags (or headers) that are added to user data before being sent. An IP header contains a destination address and a source address that tell all of the hosts delivering the data where it is supposed to go, much like an envelope for an inter-office memo. A TCP header is similar to a subject line on the memo: it contains information that allows the recipient to quickly figure out what the data is and where it goes once the IP “envelope” has been removed. The combination of a block of data and its associated TCP and IP headers is often referred to as a packet.
The part of a host that writes and reads the TCP and IP headers is called a network stack. Almost all network stacks have flaws in them (some more than others!) due to intolerance to improper or invalid headers. This can result in a variety of problems from computer crashes to security breaches. While newer protocols attempt to address these issues (e.g., IPSec), the current version of IP, called IPv4, will be here to stay for some time, flaws and all. This is where the SpeedStream Attack Detection System (ADS) comes in.
Types of Attack
The two most common attack types are unauthorized access and Denial of Service (DoS). Someone guessing your login password is one example of unauthorized access; unfortunately, an external device like the SpeedStream router is unable to do much to prevent that except perhaps have a firewall rule that limits which hosts may log in. The SpeedStream ADS, however, can block attempts by external (WAN) hosts to “impersonate” a LAN host in order to gain access to weakly protected data services on other LAN-connected computers.
DoS attacks take several forms, but the basic intended effect is the same: to prevent a host from accessing other hosts, or to prevent other hosts from accessing it. In effect, this kicks the host off the Internet. One type of DoS attack sends more data to a host than its connection can handle. Little can be done about this attack without having the Internet service provider block it upstream.
Another type of DoS attack attempts to crash the host by sending bad data to its network stack. The SpeedStream ADS as described below can filter several popular incarnations of this attack. One way in which the bad data is created is by spoofing, or modifying, the source address in the IP header. Normally, when a host sends a packet to another host, it puts its address in the IP header so the other host knows where it came from.
While most small users will never be on the receiving end of a direct DoS attack, a new twist to the DoS does quite often take advantage of broadband-connected Internet hosts. Instead of attempting to generate enough data to flood a large Internet host’s connection, a would-be attacker instead “convinces” hundreds or thousands of other hosts to do it for him. This is called a Distributed Denial of Service (DDoS). Several viruses can turn a host into a remote-controlled “zombie,” although some attacks can simply use a host’s network stack to do the job if it is too trusting. The SpeedStream ADS monitors this behavior.
ADS Configuration Options
The SpeedStream Attack Detection System filters (i.e., discards) and/or logs the following attack attempts from the WAN:
Same Source and Destination Address (a.k.a. Land Attack):
This packet has a spoofed source IP address set to be the same as the destination host and can result in the DoS or crash of the local host. When the receiving host tries to respond to the source address in the packet, it ends up just sending it back to itself. This packet could ping-pong back and forth over 200 times (consuming CPU resources) before being discarded.
Broadcast Source Address (a.k.a. Smurf or Fraggle Attack):
This packet has a spoofed source IP address set to the “broadcast” address. Most hosts only accept packets destined for their own IP address, but there are a couple of special IP addresses called broadcast addresses that hosts will also accept in addition to their own. The broadcast address is invalid as a packet’s source address, however, because a packet has to come from a host. If a network stack does respond to a packet with a broadcast source address, the response will be sent to the broadcast address on which all of the hosts on the subnet are listening. All of the hosts that received the broadcast would then respond back to the host, flooding it with data and possibly making it inaccessible to other users.
LAN Source Address On WAN:
This packet has a spoofed source address set to be a typical trusted LAN address. One method of separating a LAN from a WAN is by using NAPT. This allows the LAN to use IP addresses that are normally not accessible by WAN hosts and, therefore, helps shield the LAN from WAN attacks. A packet with a LAN source address coming from the WAN is attempting to masquerade as a LAN packet so that it might be trusted by a LAN host and received.
Invalid IP Packet Fragment (a.k.a. Ping of Death):
IP packets can be large. If a link between two hosts transporting a packet can only handle smaller packets, the large packet may be split (or fragmented) into smaller ones. When the packet fragments get to the destination host, they must be reassembled into the original large packet like pieces of a puzzle. If each stage of reassembly is not carefully checked by the receiving host’s network stack, a specially crafted invalid fragment can cause the host to crash.
TCP NULL Flags:
The TCP header contains a set of “flags” that indicate information about the packet which is used by the receiving host to process it. At least one TCP flag must be set, but in a TCP NULL flags packet, none is. This packet can cause some hosts to crash.
TCP FIN Flag:
The TCP FIN flag should never appear in a packet by itself. This packet can cause some hosts to crash.
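An added example, not SpeedStream code, that applies the header checks listed above to constructed WAN-side packets and writes Firewall Log entries at the once-per-minute-per-attack rate and 200-entry/200-character limits described earlier. The LAN subnet 192.168.254.0/24, the packet field names, the fragment test (offset plus length beyond the 65535-byte IP maximum) and the log line format are assumptions; the manual does not state how the router itself implements them.

```python
from ipaddress import ip_address, ip_network

LAN_NET = ip_network("192.168.254.0/24")  # assumed LAN subnet behind NAPT (constructed)
BROADCAST_SOURCES = {ip_address("255.255.255.255"), LAN_NET.broadcast_address}
FIN, SYN = 0x01, 0x02  # TCP flag bits

def classify(pkt):
    """Return the ADS attack name a WAN-side packet triggers, or None if it is clean.
    pkt fields (assumed): src, dst, proto, tcp_flags, frag_offset, payload_len."""
    src, dst = ip_address(pkt["src"]), ip_address(pkt["dst"])
    if src == dst:
        return "Same Source and Destination Address"  # Land attack
    if src in BROADCAST_SOURCES:
        return "Broadcast Source Address"             # Smurf / Fraggle
    if src in LAN_NET:
        return "LAN Source Address On WAN"            # spoofed trusted address
    # offset (8-byte units) plus length beyond the 65535-byte IP maximum: Ping of Death
    if pkt.get("frag_offset", 0) * 8 + pkt.get("payload_len", 0) > 65535:
        return "Invalid IP Packet Fragment"
    if pkt.get("proto") == 6:                         # TCP
        flags = pkt.get("tcp_flags", 0) & 0x3F        # FIN SYN RST PSH ACK URG
        if flags == 0:
            return "TCP NULL Flags"
        if flags == FIN:
            return "TCP FIN Flag"
    return None

class FirewallLog:
    MAX_ENTRIES, MAX_CHARS = 200, 200  # limits stated in the manual
    def __init__(self):
        self.entries, self._last = [], {}
    def record(self, attack, now):
        """Log a given attack type at most once per minute; True if an entry was written."""
        if now - self._last.get(attack, -60) < 60:
            return False
        self._last[attack] = now
        self.entries.append(f"t={now} ADS: {attack} packet discarded"[:self.MAX_CHARS])
        del self.entries[:-self.MAX_ENTRIES]  # keep only the newest 200 entries
        return True

SAMPLES = [  # constructed WAN packets: (seconds since start, header fields)
    (0, {"src": "203.0.113.7", "dst": "203.0.113.7", "proto": 6, "tcp_flags": SYN}),
    (30, {"src": "203.0.113.7", "dst": "203.0.113.7", "proto": 6, "tcp_flags": SYN}),
    (45, {"src": "198.51.100.2", "dst": "203.0.113.7", "proto": 6, "tcp_flags": 0}),
    (61, {"src": "192.168.254.20", "dst": "203.0.113.7", "proto": 17}),
]

def run(samples=SAMPLES):
    log = FirewallLog()  # one bool per attack packet: logged (True) or rate-limited (False)
    return [log.record(a, t) for t, p in samples if (a := classify(p))]
```

The second Land packet at t=30 is discarded but not logged again, matching the one-entry-per-minute behaviour that lets the log show how long an attack persisted.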