Zyxel P-2602HW-D1A Router Manual PDF (Setup & Configuration Guide)

Home

Manuals

Zyxel

P-2602HW-D1A

Page 186 / 427 Scroll up to view Page 181 - 185

P-2602H(W)(L)-DxA Series User’s Guide

186

Chapter 13 Firewalls

Figure 101

Smurf Attack

13.4.2.1

ICMP Vulnerability

ICMP is an error-reporting protocol that works in concert with IP. The following ICMP types

trigger an alert:

13.4.2.2

Illegal Commands (NetBIOS and SMTP)

The only legal NetBIOS commands are the following - all others are illegal.

All SMTP commands are illegal except for those displayed in the following tables.

Table 67

ICMP Commands That Trigger Alerts

REDIRECT

TIMESTAMP_REQUEST

TIMESTAMP_REPLY

ADDRESS_MASK_REQUEST

ADDRESS_MASK_REPLY

Table 68

Legal NetBIOS Commands

MESSAGE:

REQUEST:

POSITIVE:

VE:

RETARGET:

KEEPALIVE:

Table 69

Legal SMTP Commands

AUTH

DATA

EHLO

ETRN

EXPN

HELO

HELP

MAIL

NOOP

QUIT

RCPT

RSET

SAML

SEND

SOML

TURN

VRFY

Page 187 / 427

P-2602H(W)(L)-DxA Series User’s Guide

Chapter 13 Firewalls

187

13.4.2.3

Traceroute

Traceroute is a utility used to determine the path a packet takes between two endpoints.

Sometimes when a packet filter firewall is configured incorrectly an attacker can traceroute

the firewall gaining knowledge of the network topology inside the firewall.

Often, many DoS attacks also employ a technique known as "

IP Spoofing

" as part of their

attack. IP Spoofing may be used to break into systems, to hide the hacker's identity, or to

magnify the effect of the DoS attack. IP Spoofing is a technique used to gain unauthorized

access to computers by tricking a router or firewall into thinking that the communications are

coming from within the trusted network. To engage in IP spoofing, a hacker must modify the

packet headers so that it appears that the packets originate from a trusted host and should be

allowed through the router or firewall. The ZyXEL Device blocks all IP Spoofing attempts.

13.5

Stateful Inspection

With stateful inspection, fields of the packets are compared to packets that are already known

to be trusted. For example, if you access some outside service, the proxy server remembers

things about your original request, like the port number and source and destination addresses.

This “remembering” is called

saving the state.

When the outside system responds to your

request, the firewall compares the received packets with the saved state to determine if they

are allowed in. The ZyXEL Device uses stateful packet inspection to protect the private LAN

from hackers and vandals on the Internet. By default, the ZyXEL Device’s stateful inspection

allows all communications to the Internet that originate from the LAN, and blocks all traffic to

the LAN that originates from the Internet. In summary, stateful inspection:

•

Allows all sessions originating from the LAN (local network) to the WAN (Internet).

•

Denies all sessions originating from the WAN to the LAN.

Figure 102

Stateful Inspection

Page 188 / 427

P-2602H(W)(L)-DxA Series User’s Guide

188

Chapter 13 Firewalls

The previous figure shows the ZyXEL Device’s default firewall rules in action as well as

demonstrates how stateful inspection works. User A can initiate a Telnet session from within

the LAN and responses to this request are allowed. However other Telnet traffic initiated from

the WAN is blocked.

13.5.1

Stateful Inspection Process

In this example, the following sequence of events occurs when a TCP packet leaves the LAN

network through the firewall's WAN interface. The TCP packet is the first in a session, and the

packet's application layer protocol is configured for a firewall rule inspection:

The packet travels from the firewall's LAN to the WAN.

The packet is evaluated against the interface's existing outbound access list, and the

packet is permitted (a denied packet would simply be dropped at this point).

The packet is inspected by a firewall rule to determine and record information about the

state of the packet's connection. This information is recorded in a new state table entry

created for the new connection. If there is not a firewall rule for this packet and it is not an

attack, then the settings in the

Firewall General

screen determine the action for this

packet.

Based on the obtained state information, a firewall rule creates a temporary access list

entry that is inserted at the beginning of the WAN interface's inbound extended access

list. This temporary access list entry is designed to permit inbound packets of the same

connection as the outbound packet just inspected.

The outbound packet is forwarded out through the interface.

Later, an inbound packet reaches the interface. This packet is part of the connection

previously established with the outbound packet. The inbound packet is evaluated against

the inbound access list, and is permitted because of the temporary access list entry

previously created.

The packet is inspected by a firewall rule, and the connection's state table entry is updated

as necessary. Based on the updated state information, the inbound extended access list

temporary entries might be modified, in order to permit only packets that are valid for the

current state of the connection.

Any additional inbound or outbound packets that belong to the connection are inspected

to update the state table entry and to modify the temporary inbound access list entries as

required, and are forwarded through the interface.

When the connection terminates or times out, the connection's state table entry is deleted

and the connection's temporary inbound access list entries are deleted.

13.5.2

Stateful Inspection on Your ZyXEL Device

Additional rules may be defined to extend or override the default rules. For example, a rule

may be created which will:

•

Block all traffic of a certain type, such as IRC (Internet Relay Chat), from the LAN to the

Internet.

Page 189 / 427

P-2602H(W)(L)-DxA Series User’s Guide

Chapter 13 Firewalls

189

•

Allow certain types of traffic from the Internet to specific hosts on the LAN.

•

Allow access to a Web server to everyone but competitors.

•

Restrict use of certain protocols, such as Telnet, to authorized users on the LAN.

These custom rules work by evaluating the network traffic’s Source IP address, Destination IP

address, IP protocol type, and comparing these to rules set by the administrator.

Note:

The ability to define firewall rules is a very powerful tool. Using custom rules, it

is possible to disable all firewall protection or block all access to the Internet.

Use extreme caution when creating or deleting firewall rules. Test changes

after creating them to make sure they work correctly.

Below is a brief technical description of how these connections are tracked. Connections may

either be defined by the upper protocols (for instance, TCP), or by the ZyXEL Device itself (as

with the "virtual connections" created for UDP and ICMP).

13.5.3

TCP Security

The ZyXEL Device uses state information embedded in TCP packets. The first packet of any

new connection has its SYN flag set and its ACK flag cleared; these are "initiation" packets.

All packets that do not have this flag structure are called "subsequent" packets, since they

represent data that occurs later in the TCP stream.

If an initiation packet originates on the WAN, this means that someone is trying to make a

connection from the Internet into the LAN. Except in a few special cases (see "Upper Layer

Protocols" shown next), these packets are dropped and logged.

If an initiation packet originates on the LAN, this means that someone is trying to make a

connection from the LAN to the Internet. Assuming that this is an acceptable part of the

security policy (as is the case with the default policy), the connection will be allowed. A cache

entry is added which includes connection information such as IP addresses, TCP ports,

sequence numbers, etc.

When the ZyXEL Device receives any subsequent packet (from the Internet or from the LAN),

its connection information is extracted and checked against the cache. A packet is only

allowed to pass through if it corresponds to a valid connection (that is, if it is a response to a

connection which originated on the LAN).

13.5.4

UDP/ICMP Security

UDP and ICMP do not themselves contain any connection information (such as sequence

numbers). However, at the very minimum, they contain an IP address pair (source and

destination). UDP also contains port pairs, and ICMP has type and code information. All of

this data can be analyzed in order to build "virtual connections" in the cache.

For instance, any UDP packet that originates on the LAN will create a cache entry. Its IP

address and port pairs will be stored. For a short period of time, UDP packets from the WAN

that have matching IP and UDP information will be allowed back in through the firewall.

Page 190 / 427

P-2602H(W)(L)-DxA Series User’s Guide

190

Chapter 13 Firewalls

A similar situation exists for ICMP, except that the ZyXEL Device is even more restrictive.

Specifically, only outgoing echoes will allow incoming echo replies, outgoing address mask

requests will allow incoming address mask replies, and outgoing timestamp requests will

allow incoming timestamp replies. No other ICMP packets are allowed in through the firewall,

simply because they are too dangerous and contain too little tracking information. For

instance, ICMP redirect packets are never allowed in, since they could be used to reroute

traffic through attacking machines.

13.5.5

Upper Layer Protocols

Some higher layer protocols (such as FTP and RealAudio) utilize multiple network

connections simultaneously. In general terms, they usually have a "control connection" which

is used for sending commands between endpoints, and then "data connections" which are used

for transmitting bulk information.

Consider the FTP protocol. A user on the LAN opens a control connection to a server on the

Internet and requests a file. At this point, the remote server will open a data connection from

the Internet. For FTP to work properly, this connection must be allowed to pass through even

though a connection from the Internet would normally be rejected.

In order to achieve this, the ZyXEL Device inspects the application-level FTP data.

Specifically, it searches for outgoing "PORT" commands, and when it sees these, it adds a

cache entry for the anticipated data connection. This can be done safely, since the PORT

command contains address and port information, which can be used to uniquely identify the

connection.

Any protocol that operates in this way must be supported on a case-by-case basis. You can use

the web configurator’s Custom Ports feature to do this.

13.6

Guidelines for Enhancing Security with Your Firewall

•

Change the default password.

•

Limit who can telnet into your router.

•

Don't enable any local service (such as SNMP or NTP) that you don't use. Any enabled

service could present a potential security risk. A determined hacker might be able to find

creative ways to misuse the enabled services to access the firewall or the network.

•

For local services that are enabled, protect against misuse. Protect by configuring the

services to communicate only with specific peers, and protect by configuring rules to

block packets for the services at specific interfaces.

•

Protect against IP spoofing by making sure the firewall is active.

•

Keep the firewall in a secured (locked) room.

13.6.1

Security In General

You can never be too careful! Factors outside your firewall, filtering or NAT can cause

security breaches. Below are some generalizations about what you can do to minimize them.

Rate

Popular Zyxel Models

Famous Router IPs

Famous Router Companies

Bookmark Our Site

Share