Chapter 15 Firewall
AMG1302/AMG1202-TSeries User’s Guide
The following table (Table 67) describes the labels in this screen.
15.6 Firewall Technical Reference
This section provides some technical background information about the topics covered in this
chapter.
15.6.1 Firewall Rules Overview
Your customized rules take precedence and override the AMG1302/AMG1202-TSeries’s default
settings. The AMG1302/AMG1202-TSeries checks the source IP address, destination IP address and
IP protocol type of network traffic against the firewall rules (in the order you list them). When the
traffic matches a rule, the AMG1302/AMG1202-TSeries takes the action specified in the rule.
Firewall rules are grouped based on the direction of travel of packets to which they apply:
Note: The LAN includes both the LAN port and the WLAN.
By default, the AMG1302/AMG1202-TSeries’s stateful packet inspection allows packets traveling in
the following directions:
LAN to Router
These rules specify which computers on the LAN can manage the AMG1302/AMG1202-TSeries
(remote management).
Note: You can also configure the remote management settings to allow only a specific
computer to manage the AMG1302/AMG1202-TSeries.
Table 67 Security > Firewall > DoS > Advanced
LABEL: DESCRIPTION
TCP SYN-Request Count: This is the rate of new TCP half-open sessions per second that causes the firewall to start deleting half-open sessions. When the rate of new connection attempts rises above this number, the AMG1302/AMG1202-TSeries deletes half-open sessions as required to accommodate new connection attempts.
UDP Packet Count: This is the rate of new UDP half-open sessions per second that causes the firewall to start deleting half-open sessions. When the rate of new connection attempts rises above this number, the AMG1302/AMG1202-TSeries deletes half-open sessions as required to accommodate new connection attempts.
ICMP Echo-Request Count: This is the rate of new ICMP Echo-Request half-open sessions per second that causes the firewall to start deleting half-open sessions. When the rate of new connection attempts rises above this number, the AMG1302/AMG1202-TSeries deletes half-open sessions as required to accommodate new connection attempts.
Back: Click this button to return to the previous screen.
Apply: Click this to save your changes.
Cancel: Click this to restore your previously saved settings.
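To make the three half-open thresholds in Table 67 concrete, the following Python models one such threshold as the manual describes it: a count of new half-open sessions per second above which the firewall begins deleting existing half-open sessions to make room for the new attempts. This is an added example written from the table's wording, not ZyXEL's implementation; the one-second sliding window, the oldest-first deletion policy, the flow tuples and the burst of sample SYNs are all assumptions made for illustration.

```python
from collections import OrderedDict, deque


class HalfOpenLimiter:
    """Model of one threshold from Table 67 (a reading of the manual's text,
    not the device's code). `threshold` is the number of new half-open
    sessions per second above which the oldest half-open sessions are
    deleted to accommodate the new connection attempts."""

    WINDOW = 1.0  # thresholds in the table are expressed per second

    def __init__(self, threshold):
        self.threshold = threshold
        self.recent = deque()            # timestamps of attempts inside the window
        self.half_open = OrderedDict()   # flow -> opening time, oldest first
        self.evicted = []                # flows deleted to make room

    def _rate(self, now):
        # Slide the one-second window forward, then count attempts within it.
        while self.recent and now - self.recent[0] >= self.WINDOW:
            self.recent.popleft()
        return len(self.recent)

    def new_attempt(self, flow, now):
        """A TCP SYN, a first UDP datagram or an ICMP echo request opens a
        half-open session. Above the threshold, the oldest one is dropped."""
        self.recent.append(now)
        if self._rate(now) > self.threshold and self.half_open:
            victim, _ = self.half_open.popitem(last=False)
            self.evicted.append(victim)
        self.half_open[flow] = now

    def complete(self, flow):
        """The reply arrived (SYN-ACK/ACK, UDP answer, echo reply): the
        session is no longer half-open. Returns True if it was tracked."""
        return self.half_open.pop(flow, None) is not None


def simulate(threshold=3):
    """Constructed burst: five TCP SYNs from different LAN hosts within
    0.4 s, then one more after the one-second window has drained."""
    lim = HalfOpenLimiter(threshold)
    burst = [("10.0.0.%d" % i, "203.0.113.7:80") for i in range(1, 6)]
    for i, flow in enumerate(burst):
        lim.new_attempt(flow, now=0.1 * i)      # t = 0.0 .. 0.4 s
    lim.new_attempt(("10.0.0.9", "203.0.113.7:80"), now=2.0)
    return {"evicted": lim.evicted, "half_open": list(lim.half_open)}


if __name__ == "__main__":
    result = simulate(3)
    # With a threshold of 3/s the 4th and 5th SYNs each push out the oldest
    # half-open flow (10.0.0.1 and 10.0.0.2); the later SYN fits without eviction.
    print([f[0] for f in result["evicted"]])    # ['10.0.0.1', '10.0.0.2']
    print([f[0] for f in result["half_open"]])  # ['10.0.0.3', '10.0.0.4', '10.0.0.5', '10.0.0.9']
```

The point worth noticing is that a threshold set too low for legitimate burst traffic (many clients opening sessions at once) evicts genuine handshakes in progress, which is why the manual's Advanced screen exposes these counts separately for TCP, UDP and ICMP.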
Figure: the four firewall rule directions (LAN to Router, WAN to LAN, LAN to WAN, WAN to Router)
LAN to WAN
These rules specify which computers on the LAN can access which computers or services on the
WAN.
By default, the AMG1302/AMG1202-TSeries’s stateful packet inspection drops packets traveling in
the following directions:
WAN to LAN
These rules specify which computers on the WAN can access which computers or services on the
LAN.
Note: You also need to configure NAT port forwarding (or full featured NAT address
mapping rules) to allow computers on the WAN to access devices on the LAN.
WAN to Router
By default the AMG1302/AMG1202-TSeries stops computers on the WAN from managing the
AMG1302/AMG1202-TSeries. You could configure one of these rules to allow a WAN computer to
manage the AMG1302/AMG1202-TSeries.
Note: You also need to configure the remote management settings to allow a WAN
computer to manage the AMG1302/AMG1202-TSeries.
You may define additional rules and sets or modify existing ones but please exercise extreme
caution in doing so.
For example, you may create rules to:
Block certain types of traffic, such as IRC (Internet Relay Chat), from the LAN to the Internet.
Allow certain types of traffic, such as Lotus Notes database synchronization, from specific hosts
on the Internet to specific hosts on the LAN.
Allow everyone except your competitors to access a web server.
Restrict use of certain protocols, such as Telnet, to authorized users on the LAN.
These custom rules work by comparing the source IP address, destination IP address and IP
protocol type of network traffic to rules set by the administrator. Your customized rules take
precedence and override the AMG1302/AMG1202-TSeries’s default rules.
15.6.2 Guidelines For Enhancing Security With Your Firewall
6 Change the default password via web configurator.
7 Think about access control before you connect to the network in any way.
8 Limit who can access your router.
9 Don't enable any local service (such as telnet or FTP) that you don't use. Any enabled service could present a potential security risk. A determined hacker might be able to find creative ways to misuse the enabled services to access the firewall or the network.
10 For local services that are enabled, protect against misuse. Protect by configuring the services to communicate only with specific peers, and protect by configuring rules to block packets for the services at specific interfaces.
11 Protect against IP spoofing by making sure the firewall is active.
12 Keep the firewall in a secured (locked) room.
15.6.3 Security Considerations
Note: Incorrectly configuring the firewall may block valid access or introduce security
risks to the AMG1302/AMG1202-TSeries and your protected network. Use caution
when creating or deleting firewall rules and test your rules after you configure
them.
Consider these security ramifications before creating a rule:
1 Does this rule stop LAN users from accessing critical resources on the Internet? For example, if IRC is blocked, are there users that require this service?
2 Is it possible to modify the rule to be more specific? For example, if IRC is blocked for all users, will a rule that blocks just certain users be more effective?
3 Does a rule that allows Internet users access to resources on the LAN create a security vulnerability? For example, if FTP ports (TCP 20, 21) are allowed from the Internet to the LAN, Internet users may be able to connect to computers with running FTP servers.
4 Does this rule conflict with any existing rules?
Once these questions have been answered, adding rules is simply a matter of entering the information into the correct fields in the web configurator screens.
15.6.4 Triangle Route
When the firewall is on, your AMG1302/AMG1202-TSeries acts as a secure gateway between your
LAN and the Internet. In an ideal network topology, all incoming and outgoing network traffic
passes through the AMG1302/AMG1202-TSeries to protect your LAN against attacks.
Figure 90 Ideal Firewall Setup
15.6.4.1 The “Triangle Route” Problem
A traffic route is a path for sending or receiving data packets between two Ethernet devices. You
may have more than one connection to the Internet (through one or more ISPs). If an alternate
gateway is on the LAN (and its IP address is in the same subnet as the AMG1302/AMG1202-
TSeries’s LAN IP address), the “triangle route” (also called asymmetrical route) problem may occur.
The steps below describe the “triangle route” problem.
1 A computer on the LAN initiates a connection by sending out a SYN packet to a receiving server on the WAN.
2 The AMG1302/AMG1202-TSeries reroutes the SYN packet through Gateway A on the LAN to the WAN.
3 The reply from the WAN goes directly to the computer on the LAN without going through the AMG1302/AMG1202-TSeries.
As a result, the AMG1302/AMG1202-TSeries resets the connection, as the connection has not been acknowledged.
Figure 91 “Triangle Route” Problem
15.6.4.2 Solving the “Triangle Route” Problem
If you have the AMG1302/AMG1202-TSeries allow triangle route sessions, traffic from the WAN can
go directly to a LAN computer without passing through the AMG1302/AMG1202-TSeries and its
firewall protection.
Another solution is to use IP alias. IP alias allows you to partition your network into logical sections
over the same Ethernet interface. Your AMG1302/AMG1202-TSeries supports up to three logical
LAN interfaces with the AMG1302/AMG1202-TSeries being the gateway for each logical network.
It’s like having multiple LAN networks that actually use the same physical cables and ports. By putting your LAN and Gateway A in different subnets, all returning network traffic must pass through the AMG1302/AMG1202-TSeries to your LAN. The following steps describe such a scenario.
1 A computer on the LAN initiates a connection by sending a SYN packet to a receiving server on the WAN.
2 The AMG1302/AMG1202-TSeries reroutes the packet to Gateway A, which is in Subnet 2.
3 The reply from the WAN goes to the AMG1302/AMG1202-TSeries.
4 The AMG1302/AMG1202-TSeries then sends it to the computer on the LAN in Subnet 1.
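The two walkthroughs above (the triangle route in 15.6.4.1 and the IP alias fix in 15.6.4.2) differ only in whether Gateway A shares the LAN computer's subnet. The following Python is an added example that walks one TCP handshake through both topologies with a toy session table; it is a model of the behaviour the manual describes, not ZyXEL's code. The session states, the rule that Gateway A delivers directly to hosts in its own subnet and hands everything else to the device, and the addresses used are assumptions.

```python
import ipaddress

SERVER = "203.0.113.10"   # constructed WAN server address (documentation range)


class StatefulFirewall:
    """Toy session table: a LAN-side ACK is accepted only if the SYN-ACK
    reply passed through the device; otherwise the session is reset, as
    the manual describes for an unacknowledged connection."""

    def __init__(self):
        self.sessions = {}   # (lan_host, wan_host) -> state

    def lan_to_wan(self, src, dst, flag):
        key = (src, dst)
        if flag == "SYN":
            self.sessions[key] = "SYN_SENT"
            return "FORWARD"
        if flag == "ACK" and self.sessions.get(key) == "SYN_ACK_SEEN":
            self.sessions[key] = "ESTABLISHED"
            return "FORWARD"
        self.sessions.pop(key, None)   # reply never passed through the firewall
        return "RESET"

    def wan_to_lan(self, src, dst, flag):
        key = (dst, src)
        if flag == "SYN-ACK" and self.sessions.get(key) == "SYN_SENT":
            self.sessions[key] = "SYN_ACK_SEEN"
            return "FORWARD"
        return "DROP"                  # WAN to LAN is dropped by default


def run_handshake(lan_host, gateway_a):
    """Walk one handshake through the topology of Figures 91 and 92.
    Both arguments are 'address/prefix' strings on the LAN side."""
    host = ipaddress.ip_interface(lan_host)
    gw_a = ipaddress.ip_interface(gateway_a)
    fw = StatefulFirewall()
    path = []

    # 1. The LAN host sends its SYN to the device (its default gateway),
    #    which reroutes it through Gateway A to the WAN.
    fw.lan_to_wan(str(host.ip), SERVER, "SYN")
    path.append("SYN: host -> device -> Gateway A -> WAN")

    # 2. The reply returns via Gateway A. If the host is in Gateway A's own
    #    subnet, Gateway A delivers it directly (the triangle route). With IP
    #    alias the host is in another subnet, so Gateway A must hand the
    #    reply to the device, which is the gateway for that logical network.
    if host.ip in gw_a.network:
        path.append("SYN-ACK: WAN -> Gateway A -> host (bypasses device)")
    else:
        verdict = fw.wan_to_lan(SERVER, str(host.ip), "SYN-ACK")
        path.append(f"SYN-ACK: WAN -> Gateway A -> device ({verdict}) -> host")

    # 3. The host acknowledges through its default gateway, the device.
    verdict = fw.lan_to_wan(str(host.ip), SERVER, "ACK")
    path.append(f"ACK: host -> device ({verdict})")
    return ("ESTABLISHED" if verdict == "FORWARD" else "RESET"), path


if __name__ == "__main__":
    # Same subnet as Gateway A: the reply bypasses the firewall, session reset.
    print(run_handshake("192.168.1.33/24", "192.168.1.2/24")[0])   # RESET
    # IP alias: host in Subnet 1, Gateway A in Subnet 2, reply goes via the device.
    print(run_handshake("192.168.1.33/24", "192.168.2.2/24")[0])   # ESTABLISHED
```

The second element of the return value lists the path each packet took, which is a useful way to check, before changing subnets on a live network, that the return traffic really does pass the device and its firewall rather than reaching the LAN directly.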
Figure 92 IP Alias (figure labels: LAN, Subnet 1, Subnet 2, Gateway A, ISP 1, ISP 2, WAN; steps 1 to 4)
