Page 156 / 228
Chapter 13 Firewall
ericom D1000 modem User’s Guide
13.5 The DoS Screen
Use this screen to enable DoS protection. Click Security > Firewall > DoS to display the following
screen.
Figure 106 Security > Firewall > DoS
Table 61 describes the labels in this screen.
Table 61 Security > Firewall > DoS
Denial of Services: Enable this to protect against DoS attacks. The Device will drop sessions that
surpass maximum thresholds.
Apply: Click this to save your changes.
Cancel: Click this to restore your previously saved settings.
Advanced: Click this to go to a screen to specify maximum thresholds at which the Device will
start dropping sessions.
13.5.1 The DoS Advanced Screen
For DoS attacks, the Device uses thresholds to determine when to start dropping sessions that do
not become fully established (half-open sessions). These thresholds apply globally to all sessions.
For TCP, half-open means that the session has not reached the established state; the TCP three-way
handshake has not yet been completed. Under normal circumstances, the application that initiates
a session sends a SYN (synchronize) packet to the receiving server. The receiver sends back an ACK
(acknowledgment) packet and its own SYN, and then the initiator responds with an ACK
(acknowledgment). After this handshake, a connection is established.
Figure 107 Three-Way Handshake
For UDP, half-open means that the firewall has detected no return traffic. An unusually high number
(or arrival rate) of half-open sessions could indicate a DoS attack.
13.5.1.1 Threshold Values
If everything is working properly, you probably do not need to change the threshold settings as the
default threshold values should work for most small offices. Tune these parameters when you
believe the Device has been receiving DoS attacks that are not recorded in the logs or the logs
show that the Device is classifying normal traffic as DoS attacks. Factors influencing choices for
threshold values are:
1. The maximum number of opened sessions.
2. The minimum capacity of server backlog in your LAN network.
3. The CPU power of servers in your LAN network.
4. Network bandwidth.
5. Type of traffic for certain servers.
Reduce the threshold values if your network is slower than average for any of these factors
(especially if you have servers that are slow or handle many tasks and are often busy).
If you often use P2P applications such as file sharing with eMule or eDonkey, it’s recommended
that you increase the threshold values since lots of sessions will be established during a small
period of time and the Device may classify them as DoS attacks.
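The threshold behaviour described above, as an added example that is not code from the D1000 manual or its vendor: a small Python model of the Security > Firewall > DoS > Advanced controls (TCP SYN-Request Count, UDP Packet Count, ICMP Echo-Request Count, ICMP Redirect and DoS Log) run over constructed traffic, so the effect of a threshold on a burst of half-open sessions can be seen. Everything not stated on the page is an assumption of this model: the rate is counted over a trailing one-second window, the oldest half-open session is the one deleted, the first return packet is treated as completing a session (for TCP the real device waits for the full handshake), the redirect message is ICMP type 5, and the threshold value of 3 per second and all addresses are constructed, not device defaults.

```python
from collections import OrderedDict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Tuple

Key = Tuple[str, str]  # (source IP, destination IP) identifies a session in this model
PROTOS = ("tcp", "udp", "icmp")


@dataclass
class DosSettings:
    """The controls of the DoS Advanced screen; the numbers are constructed, not device defaults."""
    tcp_syn_request_count: int = 100
    udp_packet_count: int = 100
    icmp_echo_request_count: int = 100
    icmp_redirect: bool = True
    dos_log: bool = True


@dataclass
class Event:
    t: float     # arrival time in seconds (constructed)
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    kind: str    # "open": SYN, first UDP packet or echo request (assumed model)
                 # "return": first reply, treated here as completing the session (assumed model)
                 # "redirect": ICMP type 5 message (assumed model)


class DosGuard:
    def __init__(self, settings: DosSettings) -> None:
        self.s = settings
        # half-open sessions per protocol, insertion-ordered so the oldest is deleted first
        self.half_open: Dict[str, OrderedDict] = {p: OrderedDict() for p in PROTOS}
        # arrival times of new attempts inside the trailing one-second window
        self.window: Dict[str, Deque[float]] = {p: deque() for p in PROTOS}
        self.evicted: List[Key] = []
        self.log: List[str] = []

    def _threshold(self, proto: str) -> int:
        return {"tcp": self.s.tcp_syn_request_count,
                "udp": self.s.udp_packet_count,
                "icmp": self.s.icmp_echo_request_count}[proto]

    def _log(self, msg: str) -> None:
        if self.s.dos_log:  # the DoS Log switch
            self.log.append(msg)

    def handle(self, ev: Event) -> str:
        """Classify one event as 'pass', 'complete' or 'drop'."""
        if ev.kind == "redirect":
            if self.s.icmp_redirect:
                self._log(f"t={ev.t:.1f} ICMP redirect from {ev.src} dropped")
                return "drop"
            return "pass"
        if ev.kind == "return":
            # the reply flows responder -> initiator, so the session key is reversed
            self.half_open[ev.proto].pop((ev.dst, ev.src), None)
            return "complete"
        window = self.window[ev.proto]
        while window and ev.t - window[0] >= 1.0:
            window.popleft()
        window.append(ev.t)
        sessions = self.half_open[ev.proto]
        sessions[(ev.src, ev.dst)] = ev.t
        limit = self._threshold(ev.proto)
        if len(window) > limit:
            # rate above the threshold: delete the oldest half-open session to make room
            victim, _ = sessions.popitem(last=False)
            self.evicted.append(victim)
            self._log(f"t={ev.t:.1f} {ev.proto} attempts {len(window)}/s above {limit}, "
                      f"deleted half-open session {victim}")
            return "drop" if victim == (ev.src, ev.dst) else "pass"
        return "pass"


def run(settings: DosSettings, events: List[Event]) -> DosGuard:
    guard = DosGuard(settings)
    for ev in sorted(events, key=lambda e: e.t):
        guard.handle(ev)
    return guard


def demo() -> DosGuard:
    """Constructed traffic: five SYNs in half a second against a 3/s threshold,
    one reply that completes a session, one ICMP redirect, one SYN a second later."""
    settings = DosSettings(tcp_syn_request_count=3)
    events = [Event(0.1 * i, "tcp", f"192.0.2.{i + 1}", "10.0.0.5", "open") for i in range(5)]
    events.append(Event(0.6, "tcp", "10.0.0.5", "192.0.2.3", "return"))
    events.append(Event(0.7, "icmp", "192.0.2.9", "10.0.0.5", "redirect"))
    events.append(Event(1.6, "tcp", "192.0.2.6", "10.0.0.5", "open"))
    return run(settings, events)


if __name__ == "__main__":
    g = demo()
    print("\n".join(g.log))
    print("half-open TCP sessions left:", list(g.half_open["tcp"]))
```

In the constructed run the fourth and fifth SYNs push the rate above 3 per second, so the two oldest half-open sessions are deleted while the new attempts are accommodated, which is the behaviour the table describes; the SYN arriving a second later falls into an empty window and passes without any eviction. Lowering the threshold makes the model evict earlier, which is the trade-off of section 13.5.1.1: busy P2P hosts look like the burst here.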
13.5.2 Configuring Firewall Thresholds
Click Security > Firewall > DoS > Advanced to display the following screen.
Figure 108 Security > Firewall > DoS > Advanced
Table 62 describes the labels in this screen.
Table 62 Security > Firewall > DoS > Advanced
TCP SYN-Request Count: This is the rate of new TCP half-open sessions per second that causes the
firewall to start deleting half-open sessions. When the rate of new connection attempts rises
above this number, the Device deletes half-open sessions as required to accommodate new
connection attempts.
UDP Packet Count: This is the rate of new UDP half-open sessions per second that causes the
firewall to start deleting half-open sessions. When the rate of new connection attempts rises
above this number, the Device deletes half-open sessions as required to accommodate new
connection attempts.
ICMP Echo-Request Count: This is the rate of new ICMP Echo-Request half-open sessions per second
that causes the firewall to start deleting half-open sessions. When the rate of new connection
attempts rises above this number, the Device deletes half-open sessions as required to
accommodate new connection attempts.
ICMP Redirect: Select Enable to monitor for and block ICMP redirect attacks. An ICMP redirect
attack is one where forged ICMP redirect messages can force the client device to route packets
for certain connections through an attacker’s host.
DoS Log (Log Level: DEBUG): Select Enable to log DoS attacks. See Chapter 16 on page 173 for
information on viewing logs.
Back: Click this button to return to the previous screen.
Apply: Click this to save your changes.
Cancel: Click this to restore your previously saved settings.
13.6 Firewall Technical Reference
This section provides some technical background information about the topics covered in this
chapter.
13.6.1 Firewall Rules Overview
Your customized rules take precedence and override the Device’s default settings. The Device
checks the source IP address, destination IP address and IP protocol type of network traffic against
the firewall rules (in the order you list them). When the traffic matches a rule, the Device takes the
action specified in the rule.
Firewall rules are grouped based on the direction of travel of packets to which they apply:
LAN to Router, WAN to LAN, LAN to WAN and WAN to Router.
Note: The LAN includes both the LAN port and the WLAN.
By default, the Device’s stateful packet inspection allows packets traveling in the following
directions:
LAN to Router
These rules specify which computers on the LAN can manage the Device (remote management).
Note: You can also configure the remote management settings to allow only a specific
computer to manage the Device.
LAN to WAN
These rules specify which computers on the LAN can access which computers or services on the
WAN.
By default, the Device’s stateful packet inspection drops packets traveling in the following
directions:
WAN to LAN
These rules specify which computers on the WAN can access which computers or services on the
LAN.
Note: You also need to configure NAT port forwarding (or full featured NAT address
mapping rules) to allow computers on the WAN to access devices on the LAN.
WAN to Router
By default the Device stops computers on the WAN from managing the Device. You could
configure one of these rules to allow a WAN computer to manage the Device.
Note: You also need to configure the remote management settings to allow a WAN
computer to manage the Device.
You may define additional rules and sets or modify existing ones but please exercise extreme
caution in doing so.
For example, you may create rules to:
Block certain types of traffic, such as IRC (Internet Relay Chat), from the LAN to the Internet.
Allow certain types of traffic, such as Lotus Notes database synchronization, from specific hosts
on the Internet to specific hosts on the LAN.
Allow everyone except your competitors to access a web server.
Restrict use of certain protocols, such as Telnet, to authorized users on the LAN.
These custom rules work by comparing the source IP address, destination IP address and IP
protocol type of network traffic to rules set by the administrator. Your customized rules take
precedence and override the Device’s default rules.
13.6.2 Guidelines For Enhancing Security With Your Firewall
6. Change the default password via web configurator.
7. Think about access control before you connect to the network in any way.
8. Limit who can access your router.
9. Don't enable any local service (such as telnet or FTP) that you don't use. Any enabled service could
present a potential security risk. A determined hacker might be able to find creative ways to misuse
the enabled services to access the firewall or the network.
10. For local services that are enabled, protect against misuse. Protect by configuring the services to
communicate only with specific peers, and protect by configuring rules to block packets for the
services at specific interfaces.
11. Protect against IP spoofing by making sure the firewall is active.
12. Keep the firewall in a secured (locked) room.
13.6.3 Security Considerations
Note: Incorrectly configuring the firewall may block valid access or introduce security
risks to the Device and your protected network. Use caution when creating or
deleting firewall rules and test your rules after you configure them.
Consider these security ramifications before creating a rule:
1. Does this rule stop LAN users from accessing critical resources on the Internet? For example, if IRC
is blocked, are there users that require this service?
2. Is it possible to modify the rule to be more specific? For example, if IRC is blocked for all users, will
a rule that blocks just certain users be more effective?
3. Does a rule that allows Internet users access to resources on the LAN create a security
vulnerability? For example, if FTP ports (TCP 20, 21) are allowed from the Internet to the LAN,
Internet users may be able to connect to computers with running FTP servers.
4. Does this rule conflict with any existing rules?
Once these questions have been answered, adding rules is simply a matter of entering the
information into the correct fields in the web configurator screens.
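The ordered, first-match rule evaluation of section 13.6.1 and the "does this rule conflict with any existing rules?" question of section 13.6.3, as an added example that is not code from the D1000 manual or its vendor: a Python model of the four rule directions with the default allow/drop policy stated above, an ordered custom rule list, and a check that reports a later rule which an earlier rule fully covers (a conflict when the actions differ, redundant otherwise). The page says rules match on source IP, destination IP and IP protocol type; the destination port field, the rule names, the addresses (documentation ranges) and the rule set itself are assumptions constructed for the example, built from the IRC, Lotus Notes and Telnet examples in 13.6.1.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Default stateful-inspection policy per direction, as stated in 13.6.1
DEFAULT_POLICY = {
    "LAN to Router": "allow",
    "LAN to WAN": "allow",
    "WAN to LAN": "drop",
    "WAN to Router": "drop",
}


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str
    action: str                   # "allow" or "drop"
    src: str = "0.0.0.0/0"        # source network
    dst: str = "0.0.0.0/0"        # destination network
    proto: str = "any"            # "tcp", "udp", "icmp" or "any"
    dport: Optional[int] = None   # assumed field: destination port, not on the device screen

    def matches(self, direction: str, src: str, dst: str, proto: str, dport: Optional[int]) -> bool:
        return (self.direction == direction
                and ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", proto)
                and (self.dport is None or self.dport == dport))

    def covers(self, other: "Rule") -> bool:
        """True if every packet that `other` would match also matches this rule."""
        return (self.direction == other.direction
                and ipaddress.ip_network(other.src).subnet_of(ipaddress.ip_network(self.src))
                and ipaddress.ip_network(other.dst).subnet_of(ipaddress.ip_network(self.dst))
                and self.proto in ("any", other.proto)
                and (self.dport is None or self.dport == other.dport))


def evaluate(rules: List[Rule], direction: str, src: str, dst: str,
             proto: str, dport: Optional[int] = None) -> Tuple[str, str]:
    """Rules are checked in the order listed; the first match wins.
    With no match the direction's default policy applies."""
    for rule in rules:
        if rule.matches(direction, src, dst, proto, dport):
            return rule.action, rule.name
    return DEFAULT_POLICY[direction], "default"


def find_shadowed(rules: List[Rule]) -> List[Tuple[str, str, str]]:
    """Question 4 of 13.6.3: a later rule that an earlier rule fully covers can never
    fire. It is a 'conflict' when the actions differ, 'redundant' when they agree."""
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.covers(later):
                kind = "conflict" if earlier.action != later.action else "redundant"
                findings.append((earlier.name, later.name, kind))
                break
    return findings


def demo_rules() -> List[Rule]:
    """Constructed rule set after the examples in 13.6.1 (6667 is the conventional
    IRC port, 1352 the Lotus Notes NRPC port, 23 Telnet)."""
    return [
        Rule("block-irc", "LAN to WAN", "drop", proto="tcp", dport=6667),
        Rule("allow-notes", "WAN to LAN", "allow", src="203.0.113.0/24",
             dst="192.168.1.10/32", proto="tcp", dport=1352),
        Rule("admin-pc", "LAN to Router", "allow", src="192.168.1.2/32"),
        # narrow allow first, broad drop second: order is what makes this work
        Rule("telnet-admin", "LAN to WAN", "allow", src="192.168.1.2/32", proto="tcp", dport=23),
        Rule("telnet-others", "LAN to WAN", "drop", proto="tcp", dport=23),
        # deliberate mistake: fully covered by block-irc, with the opposite action
        Rule("irc-for-all", "LAN to WAN", "allow", src="192.168.1.0/24", proto="tcp", dport=6667),
    ]


if __name__ == "__main__":
    rules = demo_rules()
    print(evaluate(rules, "LAN to WAN", "192.168.1.20", "198.51.100.7", "tcp", 6667))
    print(evaluate(rules, "WAN to LAN", "203.0.113.8", "192.168.1.10", "tcp", 21))
    print(find_shadowed(rules))
```

Swapping the two Telnet rules would make `telnet-admin` unreachable, and `find_shadowed` would then report it as a conflict; the same check finds the `irc-for-all` rule in the constructed set, which answers question 4 before the rule is entered into the web configurator.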
13.6.4 Triangle Route
When the firewall is on, your Device acts as a secure gateway between your LAN and the Internet.
In an ideal network topology, all incoming and outgoing network traffic passes through the Device
to protect your LAN against attacks.
Figure 109 Ideal Firewall Setup
13.6.4.1 The “Triangle Route” Problem
A traffic route is a path for sending or receiving data packets between two Ethernet devices. You
may have more than one connection to the Internet (through one or more ISPs). If an alternate
gateway is on the LAN (and its IP address is in the same subnet as the Device’s LAN IP address),