Page 171 / 320 Scroll up to view Page 166 - 170
Chapter 14 Filters
AMG1302/AMG1202-TSeries User’s Guide
171
Destination Prefix Length
Enter the prefix length for the destination IPv6 address.
ICMPv6 Type
Select the ICMPv6 message type to filter. The following message types can be
selected:
1 / Destination Unreachable:
0
-
no route to destination; 1 -
communication with destination administratively prohibited; 3 - address
unreachable; 4 - port unreachable
2 / Packet Too Big
3
/
Time Exceeded:
0 - hop limit exceeded in transit; 1 - fragment
reassembly time exceeded
4
/
Parameter Problem
: 0 - erroneous header field encountered; 1 -
unrecognized Next Header type encountered; 2 - unrecognized IPv6 option
encountered
128
/
Echo Request
129 /
Echo Response
130
/
Listener Query -
Multicast listener query
131
/
Listener Report -
Multicast listener report
132
/
Listener Done
- Multicast listener done
143
/
Listener Report v2 -
Multicast listener report v2
133
/
Router Solicitation
134
/
Router Advertisement
135
/
Neighbor Solicitation
136
/
Neighbor Advertisement
137
/
Redirect -
Redirect message
Protocol
This is the (upper layer) protocol that defines the service to which this rule
applies. By default it is ICMPv6.
IPv6 / MAC Filter Listing
IPv6 / MAC Filter Rule Index
Select the index number of the filter set from the drop-down list box.
#
This is the index number of the rule in a filter set.
Active
This field shows whether the rule is activated.
Interface
This is the interface that the rule applies to.
Direction
The filter set applies to this traffic direction.
ICMPv6 Type
The ICMPv6 message type to filter.
Src IP/PrefixLength
This displays the source IPv6 address and prefix length.
Dest IP/PrefixLength
This displays the destination IPv6 address and prefix length.
Mac Address
This is the MAC address of the packets being filtered.
Protocol
This is the (upper layer) protocol that defines the service to which this rule
applies. By default it is ICMPv6.
Apply
Click this to apply your changes.
Delete
Click this to remove the filter rule.
Cancel
Click this to restore your previously saved settings.
Table 59
Security > Filter > IPv6/MAC Filter (continued)
LABEL
DESCRIPTION
Page 172 / 320
Chapter 14 Filters
AMG1302/AMG1202-TSeries User’s Guide
172
Page 173 / 320
AMG1302/AMG1202-TSeries User’s Guide
173
C
HAPTER
15
Firewall
15.1
Overview
This chapter shows you how to enable the AMG1302/AMG1202-TSeries firewall. Use the firewall to
protect your AMG1302/AMG1202-TSeries and network from attacks by hackers on the Internet and
control access to it. The firewall:
allows traffic that originates from your LAN computers to go to all other networks.
blocks traffic that originates on other networks from going to the LAN.
blocks SYN and port scanner attacks.
By default, the AMG1302/AMG1202-TSeries blocks DDOS, LAND and Ping of Death attacks whether
the firewall is enabled or disabled.
The following figure illustrates the firewall action. User
A
can initiate an IM (Instant Messaging)
session from the LAN to the WAN (1). Return traffic for this session is also allowed (2). However
other traffic initiated from the WAN is blocked (3 and 4).
Figure 80
Default Firewall Action
15.1.1
What You Can Do in the Firewall Screens
Use the
General
screen (
Section 15.2 on page 175
) to select the firewall protection level on the
AMG1302/AMG1202-TSeries.
Use the
Default Action
screen (
Section 15.3 on page 176
) to set the default action that the
firewall takes on packets that do not match any of the firewall rules.
Use the
Rules
screen (
Section 15.4 on page 178
) to view the configured firewall rules and add,
edit or remove a firewall rule.
Use the
Dos
screen (
Section 15.5 on page 184
) to set the thresholds that the AMG1302/
AMG1202-TSeries uses to determine when to start dropping sessions that do not become fully
established (half-open sessions).
WAN
LAN
3
4
1
2
A
Page 174 / 320
Chapter 15 Firewall
AMG1302/AMG1202-TSeries User’s Guide
174
15.1.2
What You Need to Know About Firewall
SYN Attack
A SYN attack floods a targeted system with a series of SYN packets. Each packet causes the
targeted system to issue a SYN-ACK response. While the targeted system waits for the ACK that
follows the SYN-ACK, it queues up all outstanding SYN-ACK responses on a backlog queue. SYN-
ACKs are moved off the queue only when an ACK comes back or when an internal timer terminates
the three-way handshake. Once the queue is full, the system will ignore all incoming SYN requests,
making the system unavailable for legitimate users.
DoS
Denials of Service (DoS) attacks are aimed at devices and networks with a connection to the
Internet. Their goal is not to steal information, but to disable a device or network so users no longer
have access to network resources. The AMG1302/AMG1202-TSeries is pre-configured to
automatically detect and thwart all known DoS attacks.
DDoS
A Distributed DoS (DDoS) attack is one in which multiple compromised systems attack a single
target, thereby causing denial of service for users of the targeted system.
LAND Attack
In a Local Area Network Denial (LAND) attack, hackers flood SYN packets into the network with a
spoofed source IP address of the target system. This makes it appear as if the host computer sent
the packets to itself, making the system unavailable while the target system tries to respond to
itself.
Ping of Death
Ping of Death uses a "ping" utility to create and send an IP packet that exceeds the maximum
65,536 bytes of data allowed by the IP specification. This may cause systems to crash, hang or
reboot.
SPI
Stateful Packet Inspection (SPI) tracks each connection crossing the firewall and makes sure it is
valid. Filtering decisions are based not only on rules but also context. For example, traffic from the
WAN may only be allowed to cross the firewall in response to a request from the LAN.
RFC 4890 SPEC Traffic
RFC 4890 specifies the filtering policies for ICMPv6 messages.
This is important for protecting
against security threats including DoS, probing, redirection attacks and renumbering attacks that
can be carried out through ICMPv6. Since ICMPv6 error messages are critical for establishing and
maintaining communications, filtering policy focuses on ICMPv6 informational messages.
Page 175 / 320
Chapter 15 Firewall
AMG1302/AMG1202-TSeries User’s Guide
175
Anti-Probing
If an outside user attempts to probe an unsupported port on your AMG1302/AMG1202-TSeries, an
ICMP response packet is automatically returned. This allows the outside user to know the
AMG1302/AMG1202-TSeries exists. The AMG1302/AMG1202-TSeries supports anti-probing, which
prevents the ICMP response packet from being sent. This keeps outsiders from discovering your
AMG1302/AMG1202-TSeries when unsupported ports are probed.
ICMP
Internet Control Message Protocol (ICMP) is a message control and error-reporting protocol
between a host server and a gateway to the Internet. ICMP uses Internet Protocol (IP) datagrams,
but the messages are processed by the TCP/IP software and directly apparent to the application
user.
DoS Thresholds
For DoS attacks, the AMG1302/AMG1202-TSeries uses thresholds to determine when to drop
sessions that do not become fully established. These thresholds apply globally to all sessions. You
can use the default threshold values, or you can change them to values more suitable to your
security requirements.
15.2
The Firewall General Screen
Use this screen to select the firewall protection level on the AMG1302/AMG1202-TSeries. Click
Security > Firewall > General
to display the following screen.
Figure 81
Security > Firewall > General

Rate

3.7 / 5 based on 3 votes.

Bookmark Our Site

Press Ctrl + D to add this site to your favorites!

Share
Top