SECURITY 4-37
Intrusion Detection

The BARRICADE’s firewall inspects packets at the application layer, maintains TCP and UDP session information including timeouts and number of active sessions, and provides the ability to detect and prevent certain types of network attacks such as Denial-of-Service (DoS) attacks.
CONFIGURING THE BARRICADE 4-38
Network attacks that deny access to a network device are called DoS attacks. DoS attacks are aimed at devices and networks with a connection to the Internet. Their goal is not to steal information, but to disable a device or network so users no longer have access to network resources.

The BARRICADE protects against DoS attacks including: Ping of Death (Ping flood) attack, SYN flood attack, IP fragment attack (Teardrop Attack), Brute-force attack, Land Attack, IP Spoofing attack, IP with zero length, TCP null scan (Port Scan Attack), UDP port loopback, Snork Attack.

Note: The firewall does not significantly affect system performance, so we advise enabling the prevention features to protect your network.
The table below lists the Intrusion Detection parameters and their descriptions.
| Parameter | Default | Description |
| --- | --- | --- |
| Intrusion Detection Feature | SPI and Anti-DoS firewall protection: No | The Intrusion Detection feature of the BARRICADE limits the access of incoming traffic at the WAN port. When the Stateful Packet Inspection (SPI) feature is turned on, all incoming packets are blocked except those types marked with a check in the SPI section at the top of the screen. |
| RIP Defect | Disabled | If the router does not reply to an IPX RIP request packet, it will stay in the input queue and not be released. Accumulated packets could cause the input queue to fill, causing severe problems for all protocols. Enabling this feature prevents the packets from accumulating. |
| Discard Ping to WAN | Don’t discard | Prevents a ping on the router’s WAN port from being routed to the network. |
| Stateful Packet Inspection | Enabled | This option allows you to select different application types that are using dynamic port numbers. If you wish to use Stateful Packet Inspection (SPI) for blocking packets, click the Yes radio button in the “Enable SPI and Anti-DoS firewall protection” field and then check the inspection type that you need, such as Packet Fragmentation, TCP Connection, UDP Session, FTP Service and TFTP Service. It is called “stateful” packet inspection because it examines the contents of the packet to determine the state of the communication; i.e., it ensures that the stated destination computer has previously requested the current communication. This is a way of ensuring that all communications are initiated by the recipient computer and are taking place only with sources that are known and trusted from previous interactions. In addition to being more rigorous in their inspection of packets, stateful inspection firewalls also close off ports until a connection to the specific port is requested. When particular types of traffic are checked, only the particular type of traffic initiated from the internal LAN will be allowed. For example, if the user only checks FTP Service in the Stateful Packet Inspection section, all incoming traffic will be blocked except for FTP connections initiated from the local LAN. |
| When hackers attempt to enter your network, we can alert you by email | | |
| Your E-mail Address | | Enter your email address. |
| SMTP Server Address | | Enter your SMTP server address (usually the part of the email address following the “@” sign). |
| POP3 Server Address | | Enter your POP3 server address (usually the part of the email address following the “@” sign). |
| User Name | | Enter your email account user name. |
| Password | | Enter your email account password. |
| Connection Policy | | |
| Fragmentation half-open wait | 10 secs | Configures the number of seconds that a packet state structure remains active. When the timeout value expires, the router drops the unassembled packet, freeing that structure for use by another packet. |
| TCP SYN wait | 30 secs | Defines how long the software will wait for a TCP session to reach an established state before dropping the session. |
| TCP FIN wait | 5 secs | Specifies how long a TCP session will be managed after the firewall detects a FIN exchange. |
| TCP connection idle timeout | 3600 secs (1 hour) | The length of time for which a TCP session will be managed if there is no activity. |
| UDP session idle timeout | 30 secs | The length of time for which a UDP session will be managed if there is no activity. |
| DoS Detect Criteria | | |
| Total incomplete TCP/UDP sessions HIGH | 300 sessions | Defines the rate of new unestablished sessions that will cause the software to start deleting half-open sessions. |
| Total incomplete TCP/UDP sessions LOW | 250 sessions | Defines the rate of new unestablished sessions that will cause the software to stop deleting half-open sessions. |
| Incomplete TCP/UDP sessions (per min.) HIGH | 250 sessions | Maximum number of allowed incomplete TCP/UDP sessions per minute. |
| Incomplete TCP/UDP sessions (per min.) LOW | 200 sessions | Minimum number of allowed incomplete TCP/UDP sessions per minute. |
| Maximum incomplete TCP/UDP sessions number from same host | 10 sessions | Maximum number of incomplete TCP/UDP sessions from the same host. |
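The Connection Policy and DoS Detect Criteria rows above describe a watermark scheme: half-open sessions are aged out after the TCP SYN wait, no host may hold more than the per-host maximum, and once the total reaches HIGH the router deletes half-open sessions until the count is back at LOW. The following Python model of that logic is an added example using the table's default values; it is not the manual's or SMC's firmware code, the class and method names are assumptions, and the per-minute rate criteria are not modelled.

```python
from collections import Counter, deque

# Default thresholds from the manual's Connection Policy and DoS Detect
# Criteria tables; the class and method names are this example's own.
TOTAL_HIGH = 300    # reaching this many half-open sessions starts deletion
TOTAL_LOW = 250     # deletion stops once the count falls back to this
PER_HOST_MAX = 10   # incomplete sessions allowed from a single host
TCP_SYN_WAIT = 30   # seconds a session may stay unestablished

class HalfOpenTracker:
    """Unestablished TCP/UDP sessions with the table's HIGH/LOW hysteresis:
    hitting HIGH drops the oldest half-open sessions until LOW is reached."""
    def __init__(self):
        self.pending = deque()      # (start_time, src, key), oldest first
        self.per_host = Counter()   # half-open sessions per source host
        self.events = []            # (time, action, key) audit trail

    def _drop(self, now, entry, why):
        self.per_host[entry[1]] -= 1
        self.events.append((now, why, entry[2]))

    def expire(self, now):
        # TCP SYN wait: sessions still unestablished after 30 s are dropped
        while self.pending and now - self.pending[0][0] > TCP_SYN_WAIT:
            self._drop(now, self.pending.popleft(), "syn-timeout")

    def new_syn(self, now, src, key):
        """Register a new unestablished session; return True if it is kept."""
        self.expire(now)
        if self.per_host[src] >= PER_HOST_MAX:
            self.events.append((now, "per-host-limit", key))
            return False
        self.pending.append((now, src, key))
        self.per_host[src] += 1
        if len(self.pending) >= TOTAL_HIGH:       # HIGH watermark reached
            while len(self.pending) > TOTAL_LOW:  # shed oldest down to LOW
                self._drop(now, self.pending.popleft(), "flood-shed")
        return True

    def established(self, now, key):
        """Handshake completed: the session is no longer half-open."""
        for i, entry in enumerate(self.pending):
            if entry[2] == key:
                del self.pending[i]
                self._drop(now, entry, "established")
                return True
        return False

    def half_open(self):
        return len(self.pending)
```

Feeding the tracker a burst of SYNs from many distinct hosts shows the HIGH/LOW shedding, while a burst from one host is stopped earlier by the per-host limit.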