1. Home
    2. /
  2. Manuals
    3. /
  3. Zyxel
    4. /
  4. P-2602HW-D1A
    5. /
  5. 37
Page 181 / 427 Scroll up to view Page 176 - 180
P-2602H(W)(L)-DxA Series User’s Guide
Chapter 13 Firewalls
181
C
HAPTER
13
Firewalls
This chapter gives some background information on firewalls and introduces the ZyXEL
Device firewall.
13.1
Firewall Overview
Originally, the term
firewall
referred to a construction technique designed to prevent the
spread of fire from one room to another. The networking term “firewall” is a system or group
of systems that enforces an access-control policy between two networks. It may also be
defined as a mechanism used to protect a trusted network from an untrusted network. Of
course, firewalls cannot solve every security problem. A firewall is
one
of the mechanisms
used to establish a network security perimeter in support of a network security policy. It
should never be the
only
mechanism or method employed. For a firewall to guard effectively,
you must design and deploy it appropriately. This requires integrating the firewall into a broad
information-security policy. In addition, specific policies must be implemented within the
firewall itself.
Refer to
Section 14.5 on page 196
to configure default firewall settings.
Refer to
Section 14.6 on page 197
to view firewall rules.
Refer to
Section 14.6.1 on page 199
to configure firewall rules.
Refer to
Section 14.6.2 on page 202
to configure a custom service.
Refer to
Section 14.8.3 on page 209
to configure firewall thresholds.
13.2
Types of Firewalls
There are three main types of firewalls:
Packet Filtering Firewalls
Application-level Firewalls
Stateful Inspection Firewalls
13.2.1
Packet Filtering Firewalls
Packet filtering firewalls restrict access based on the source/destination computer network
address of a packet and the type of application.
Page 182 / 427
P-2602H(W)(L)-DxA Series User’s Guide
182
Chapter 13 Firewalls
13.2.2
Application-level Firewalls
Application-level firewalls restrict access by serving as proxies for external servers. Since they
use programs written for specific Internet services, such as HTTP, FTP and telnet, they can
evaluate network packets for valid application-specific data. Application-level gateways have
a number of general advantages over the default mode of permitting application traffic directly
to internal hosts:
Information hiding prevents the names of internal systems from being made known via DNS
to outside systems, since the application gateway is the only host whose name must be made
known to outside systems.
Robust authentication and logging pre-authenticates application traffic before it reaches
internal hosts and causes it to be logged more effectively than if it were logged with standard
host logging. Filtering rules at the packet filtering router can be less complex than they would
be if the router needed to filter application traffic and direct it to a number of specific systems.
The router need only allow application traffic destined for the application gateway and reject
the rest.
13.2.3
Stateful Inspection Firewalls
Stateful inspection firewalls restrict access by screening data packets against defined access
rules. They make access control decisions based on IP address and protocol. They also
"inspect" the session data to assure the integrity of the connection and to adapt to dynamic
protocols. These firewalls generally provide the best speed and transparency, however, they
may lack the granular application level access control or caching that some proxies support.
See
Section 13.5 on page 187
for more information on stateful inspection.
Firewalls, of one type or another, have become an integral part of standard security solutions
for enterprises.
13.3
Introduction to ZyXEL’s Firewall
The ZyXEL Device firewall is a stateful inspection firewall and is designed to protect against
Denial of Service attacks when activated. The ZyXEL Device’s purpose is to allow a private
Local Area Network (LAN) to be securely connected to the Internet. The ZyXEL Device can
be used to prevent theft, destruction and modification of data, as well as log events, which may
be important to the security of your network. The ZyXEL Device also has packet filtering
capabilities.
The ZyXEL Device is installed between the LAN and the Internet. This allows it to act as a
secure gateway for all data passing between the Internet and the LAN.
The ZyXEL Device has one DSL/ISDN port and one Ethernet LAN port, which physically
separate the network into two areas.
The DSL/ISDN port connects to the Internet.
Page 183 / 427
P-2602H(W)(L)-DxA Series User’s Guide
Chapter 13 Firewalls
183
The LAN (Local Area Network) port attaches to a network of computers, which needs
security from the outside world. These computers will have access to Internet services
such as e-mail, FTP, and the World Wide Web.
However, “inbound access” will not be
allowed unless you configure remote management or create a firewall rule to allow a
remote host to use a specific service.
13.3.1
Denial of Service Attacks
Figure 98
Firewall Application
13.4
Denial of Service
Denials of Service (DoS) attacks are aimed at devices and networks with a connection to the
Internet. Their goal is not to steal information, but to disable a device or network so users no
longer have access to network resources. The ZyXEL Device is pre-configured to
automatically detect and thwart all known DoS attacks.
13.4.1
Basics
Computers share information over the Internet using a common language called TCP/IP. TCP/
IP, in turn, is a set of application protocols that perform specific functions. An “extension
number”, called the "TCP port" or "UDP port" identifies these protocols, such as HTTP
(Web), FTP (File Transfer Protocol), POP3 (E-mail), etc. For example, Web traffic by default
uses TCP port 80.
When computers communicate on the Internet, they are using the client/server model, where
the server "listens" on a specific TCP/UDP port for information requests from remote client
computers on the network. For example, a Web server typically listens on port 80. Please note
that while a computer may be intended for use over a single port, such as Web on port 80,
other ports are also active. If the person configuring or managing the computer is not careful, a
hacker could attack it over an unprotected port.
Some of the most common IP ports are:
Page 184 / 427
P-2602H(W)(L)-DxA Series User’s Guide
184
Chapter 13 Firewalls
13.4.2
Types of DoS Attacks
There are four types of DoS attacks:
1
Those that exploit bugs in a TCP/IP implementation.
2
Those that exploit weaknesses in the TCP/IP specification.
3
Brute-force attacks that flood a network with useless data.
4
IP Spoofing.
5
"
Ping of Death
" and "
Teardrop
" attacks exploit bugs in the TCP/IP implementations of
various computer and host systems.
Ping of Death uses a "ping" utility to create an IP packet that exceeds the maximum
65,536 bytes of data allowed by the IP specification. The oversize packet is then sent to
an unsuspecting system. Systems may crash, hang or reboot.
Teardrop attack exploits weaknesses in the re-assembly of IP packet fragments. As data is
transmitted through a network, IP packets are often broken up into smaller chunks. Each
fragment looks like the original IP packet except that it contains an offset field that says,
for instance, "This fragment is carrying bytes 200 through 400 of the original (non
fragmented) IP packet." The Teardrop program creates a series of IP fragments with
overlapping offset fields. When these fragments are reassembled at the destination, some
systems will crash, hang, or reboot.
6
Weaknesses in the TCP/IP specification leave it open to "
SYN Flood
" and "
LAND
"
attacks. These attacks are executed during the handshake that initiates a communication
session between two applications.
Figure 99
Three-Way Handshake
Table 66
Common IP Ports
21
FTP
53
DNS
23
Telnet
80
HTTP
25
SMTP
110
POP3
Page 185 / 427
P-2602H(W)(L)-DxA Series User’s Guide
Chapter 13 Firewalls
185
Under normal circumstances, the application that initiates a session sends a SYN
(synchronize) packet to the receiving server. The receiver sends back an ACK
(acknowledgment) packet and its own SYN, and then the initiator responds with an ACK
(acknowledgment). After this handshake, a connection is established.
SYN Attack
floods a targeted system with a series of SYN packets. Each packet causes
the targeted system to issue a SYN-ACK response. While the targeted system waits for
the ACK that follows the SYN-ACK, it queues up all outstanding SYN-ACK responses
on what is known as a backlog queue. SYN-ACKs are moved off the queue only when an
ACK comes back or when an internal timer (which is set at relatively long intervals)
terminates the three-way handshake. Once the queue is full, the system will ignore all
incoming SYN requests, making the system unavailable for legitimate users.
Figure 100
SYN Flood
In a
LAND Attack
, hackers flood SYN packets into the network with a spoofed source
IP address of the targeted system. This makes it appear as if the host computer sent the
packets to itself, making the system unavailable while the target system tries to respond
to itself.
7
A
brute-force
attack, such as a "Smurf" attack, targets a feature in the IP specification
known as directed or subnet broadcasting, to quickly flood the target network with
useless data. A Smurf hacker floods a router with Internet Control Message Protocol
(ICMP) echo request packets (pings). Since the destination IP address of each packet is
the broadcast address of the network, the router will broadcast the ICMP echo request
packet to all hosts on the network. If there are numerous hosts, this will create a large
amount of ICMP echo request and response traffic. If a hacker chooses to spoof the
source IP address of the ICMP echo request packet, the resulting ICMP traffic will not
only clog up the "intermediary" network, but will also congest the network of the spoofed
source IP address, known as the "victim" network. This flood of broadcast traffic
consumes all available bandwidth, making communications impossible.

Rate

3.5 / 5 based on 2 votes.

Popular Zyxel Models

Famous Router IPs
Famous Router Companies
Bookmark Our Site

Press Ctrl + D to add this site to your favorites!

Share
Top