P-2602H(W)(L)-DxA Series User’s Guide
Chapter 13 Firewalls
• Encourage your company or organization to develop a comprehensive security plan. Good network administration takes into account what hackers can do and prepares against attacks. The best defense against hackers and crackers is information. Educate all employees about the importance of security and how to minimize risk. Produce lists like this one!
• DSL or cable modem connections are “always-on” connections and are particularly vulnerable because they provide more opportunities for hackers to crack your system. Turn your computer off when not in use.
• Never give out a password or any sensitive information to an unsolicited telephone call or e-mail.
• Never e-mail sensitive information such as passwords, credit card information, etc., without encrypting the information first.
• Never submit sensitive information via a web page unless the web site uses secure connections. You can identify a secure connection by looking for a small “key” icon on the bottom of your browser (Internet Explorer 3.02 or better or Netscape 3.0 or better). If a web site uses a secure connection, it is safe to submit information. Secure web transactions are quite difficult to crack.
• Never reveal your IP address or other system networking information to people outside your company. Be careful of files e-mailed to you from strangers. One common way of getting BackOrifice on a system is to include it as a Trojan horse with other files.
• Change your passwords regularly. Also, use passwords that are not easy to figure out. The most difficult passwords to crack are those with upper and lower case letters, numbers and a symbol such as % or #.
• Upgrade your software regularly. Many older versions of software, especially web browsers, have well known security deficiencies. When you upgrade to the latest versions, you get the latest patches and fixes.
• If you use “chat rooms” or IRC sessions, be careful with any information you reveal to strangers.
• If your system starts exhibiting odd behavior, contact your ISP. Some hackers will set off hacks that cause your system to slowly become unstable or unusable.
• Always shred confidential information, particularly about your computer, before throwing it away. Some hackers dig through the trash of companies or individuals for information that might help them in an attack.
13.7 Packet Filtering Vs Firewall
Below are some comparisons between the ZyXEL Device’s filtering and firewall functions.
13.7.1 Packet Filtering
• The router filters packets as they pass through the router’s interface according to the filter rules you designed.
• Packet filtering is a powerful tool, yet can be complex to configure and maintain, especially if you need a chain of rules to filter a service.
• Packet filtering only checks the header portion of an IP packet.
13.7.1.1 When To Use Filtering
• To block/allow LAN packets by their MAC addresses.
• To block/allow special IP packets which are neither TCP nor UDP, nor ICMP packets.
• To block/allow both inbound (WAN to LAN) and outbound (LAN to WAN) traffic between the specific inside host/network "A" and outside host/network "B". If the filter blocks the traffic from A to B, it also blocks the traffic from B to A. Filters cannot distinguish traffic originating from an inside host or an outside host by IP address.
• To block/allow IP trace route.
13.7.2 Firewall
• The firewall inspects packet contents as well as their source and destination addresses.
• Firewalls of this type employ an inspection module, applicable to all protocols, that understands the data in a packet intended for every layer from the network layer (IP headers) up to the application layer.
• The firewall performs stateful inspection. It takes into account the state of the connections it handles so that, for example, a legitimate incoming packet can be matched with the outbound request that solicited it and allowed in. Conversely, an incoming packet masquerading as a response to a nonexistent outbound request can be blocked.
• The firewall uses session filtering, i.e., smart rules, that enhance the filtering process and control the network session rather than individual packets in a session.
• The firewall provides e-mail service to notify you of routine reports and when alerts occur.
13.7.2.1 When To Use The Firewall
• To prevent DoS attacks and prevent hackers from cracking your network.
• A range of source and destination IP addresses as well as port numbers can be specified within one firewall rule, making the firewall a better choice when complex rules are required.
• To selectively block/allow inbound or outbound traffic between inside hosts/networks and outside hosts/networks. Remember that filters cannot distinguish traffic originating from an inside host or an outside host by IP address.
• The firewall performs better than filtering if you need to check many rules.
• Use the firewall if you need routine e-mail reports about your system or need to be alerted when attacks occur.
• The firewall can block specific URL traffic that might occur in the future. The URL can be saved in an Access Control List (ACL) database.
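As an added illustration of the difference Sections 13.7.1.1 and 13.7.2 describe (not code from the ZyXEL manual or device): a header-only filter that blocks a host pair in both directions because it cannot tell who opened the connection, beside a minimal stateful inspector that admits WAN-to-LAN packets only when they answer a session opened from the LAN. The LAN subnet, addresses and port numbers are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

LAN = ipaddress.ip_network("192.168.1.0/24")  # constructed sample LAN subnet

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"

def direction(pkt):
    """Classify a packet by which side (LAN or WAN) each address is on."""
    side = lambda ip: "LAN" if ipaddress.ip_address(ip) in LAN else "WAN"
    return f"{side(pkt.src)}->{side(pkt.dst)}"

def stateless_filter(pkt, blocked_pairs):
    """Header-only filter: a rule on host pair A/B matches both directions (it cannot tell who opened it)."""
    return "drop" if frozenset((pkt.src, pkt.dst)) in blocked_pairs else "permit"

class StatefulFirewall:
    """Default policy from the manual: LAN->WAN permitted, WAN->LAN dropped unless
    the packet answers a session that a LAN host opened."""
    def __init__(self):
        self.sessions = set()  # (lan_ip, lan_port, wan_ip, wan_port, proto)

    def inspect(self, pkt):
        d = direction(pkt)
        if d == "LAN->WAN":   # outbound request: remember it and let it through
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
            return "permit"
        if d == "WAN->LAN":   # inbound: only replies to a tracked session pass
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
            return "permit" if key in self.sessions else "drop"
        return "permit" if d == "LAN->LAN" else "drop"   # LAN->LAN/Router, WAN->WAN/Router

def demo():
    """Constructed traffic: LAN host opens HTTP, the server replies, an outsider forges a reply."""
    fw = StatefulFirewall()
    request = Packet("192.168.1.10", "203.0.113.5", 40000, 80)
    reply = Packet("203.0.113.5", "192.168.1.10", 80, 40000)
    forged = Packet("203.0.113.5", "192.168.1.10", 80, 40001)  # no matching outbound request
    stateful = (fw.inspect(request), fw.inspect(reply), fw.inspect(forged))
    # The stateless filter blocks the same host pair in both directions at once.
    blocked = {frozenset(("192.168.1.10", "203.0.113.5"))}
    stateless = (stateless_filter(request, blocked), stateless_filter(reply, blocked))
    return stateful, stateless
```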
Chapter 14 Firewall Configuration
This chapter shows you how to enable and configure the ZyXEL Device firewall.
14.1 Access Methods
The web configurator is, by far, the most comprehensive firewall configuration tool your
ZyXEL Device has to offer. For this reason, it is recommended that you configure your
firewall using the web configurator. CLI commands provide limited configuration options and
are only recommended for advanced users.
14.2 Firewall Policies Overview
Firewall rules are grouped based on the direction of travel of packets to which they apply:
• LAN to LAN/ Router
• WAN to LAN
• LAN to WAN
• WAN to WAN/ Router
Note: The LAN includes both the LAN port and the WLAN.
By default, the ZyXEL Device’s stateful packet inspection allows packets traveling in the following directions:
• LAN to LAN/ Router. This allows computers on the LAN to manage the ZyXEL Device and communicate between networks or subnets connected to the LAN interface.
• LAN to WAN
By default, the ZyXEL Device’s stateful packet inspection drops packets traveling in the following directions:
• WAN to LAN
• WAN to WAN/ Router. This prevents computers on the WAN from using the ZyXEL Device as a gateway to communicate with other computers on the WAN and/or managing the ZyXEL Device.
You may define additional rules and sets or modify existing ones but please exercise extreme caution in doing so.
Note: If you configure firewall rules without a good understanding of how they work, you might inadvertently introduce security risks to the firewall and to the protected network. Make sure you test your rules after you configure them.
For example, you may create rules to:
• Block certain types of traffic, such as IRC (Internet Relay Chat), from the LAN to the Internet.
• Allow certain types of traffic, such as Lotus Notes database synchronization, from specific hosts on the Internet to specific hosts on the LAN.
• Allow everyone except your competitors to access a Web server.
• Restrict use of certain protocols, such as Telnet, to authorized users on the LAN.
These custom rules work by comparing the Source IP address, Destination IP address and IP protocol type of network traffic to rules set by the administrator. Your customized rules take precedence and override the ZyXEL Device’s default rules.
14.3 Rule Logic Overview
Note: Study these points carefully before configuring rules.
14.3.1 Rule Checklist
State the intent of the rule. For example, “This restricts all IRC access from the LAN to the Internet.” Or, “This allows a remote Lotus Notes server to synchronize over the Internet to an inside Notes server.”
1. Is the intent of the rule to forward or block traffic?
2. What direction of traffic does the rule apply to?
3. What IP services will be affected?
4. What computers on the LAN are to be affected (if any)?
5. What computers on the Internet will be affected? The more specific, the better. For example, if traffic is being allowed from the Internet to the LAN, it is better to allow only certain machines on the Internet to access the LAN.
14.3.2 Security Ramifications
1. Once the logic of the rule has been defined, it is critical to consider the security ramifications created by the rule:
2. Does this rule stop LAN users from accessing critical resources on the Internet? For example, if IRC is blocked, are there users that require this service?
3. Is it possible to modify the rule to be more specific? For example, if IRC is blocked for all users, will a rule that blocks just certain users be more effective?
4. Does a rule that allows Internet users access to resources on the LAN create a security vulnerability? For example, if FTP ports (TCP 20, 21) are allowed from the Internet to the LAN, Internet users may be able to connect to computers running FTP servers.
5. Does this rule conflict with any existing rules?
6. Once these questions have been answered, adding rules is simply a matter of plugging the information into the correct fields in the web configurator screens.
14.3.3 Key Fields For Configuring Rules
14.3.3.1 Action
Should the action be to Drop, Reject or Permit?
Note: “Drop” means the firewall silently discards the packet. “Reject” means the firewall discards the packet and sends an ICMP destination-unreachable message to the sender.
14.3.3.2 Service
Select the service from the Service scrolling list box. If the service is not listed, it is necessary to first define it. See Appendix F on page 371 for more information on predefined services.
14.3.3.3 Source Address
What is the connection’s source address; is it on the LAN or WAN? Is it a single IP, a range of IPs or a subnet?
14.3.3.4 Destination Address
What is the connection’s destination address; is it on the LAN or WAN? Is it a single IP, a range of IPs or a subnet?
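The key fields above (action, service, source, destination) together with the rule's direction can be put together into a small rule matcher. This is an added example, not the ZyXEL Device's own implementation: the service table, the default action per direction and the sample rules are constructed from what this chapter states, addresses are written as a single IP, a CIDR subnet or "Any", and the rule set encodes two of the example policies from Section 14.2 (block IRC outbound, restrict Telnet to one authorized LAN host).

```python
import ipaddress
from dataclasses import dataclass

# Constructed service table standing in for the manual's Service list box.
SERVICES = {"HTTP": ("tcp", 80), "TELNET": ("tcp", 23), "IRC": ("tcp", 6667),
            "ANY": (None, None)}

# Default actions per direction, as the Firewall Policies Overview states them.
DEFAULTS = {"LAN->LAN/Router": "Permit", "LAN->WAN": "Permit",
            "WAN->LAN": "Drop", "WAN->WAN/Router": "Drop"}

@dataclass
class Rule:
    direction: str     # one of the DEFAULTS keys
    service: str       # key into SERVICES
    source: str        # single IP, CIDR subnet, or "Any"
    destination: str
    action: str        # "Drop", "Reject" or "Permit"

def addr_match(spec, ip):
    """A single IP or a subnet is written in CIDR form; "Any" matches everything."""
    return spec == "Any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def service_match(name, proto, port):
    want_proto, want_port = SERVICES[name]
    return want_proto is None or (want_proto, want_port) == (proto, port)

def decide(rules, direction, src, dst, proto, dport):
    """First matching custom rule wins; custom rules override the default for the direction."""
    for idx, r in enumerate(rules):
        if (r.direction == direction and service_match(r.service, proto, dport)
                and addr_match(r.source, src) and addr_match(r.destination, dst)):
            return r.action, idx
    return DEFAULTS[direction], None

def on_the_wire(action):
    """Drop discards silently; Reject discards and answers with ICMP destination unreachable."""
    return {"Permit": "forwarded", "Drop": "discarded silently",
            "Reject": "discarded, ICMP destination-unreachable sent to sender"}[action]

# Constructed rule set: reject IRC outbound, allow Telnet out only from one authorized
# LAN host (ordering matters), and let one outside network reach an inside web server.
RULES = [
    Rule("LAN->WAN", "IRC", "Any", "Any", "Reject"),
    Rule("LAN->WAN", "TELNET", "192.168.1.5", "Any", "Permit"),
    Rule("LAN->WAN", "TELNET", "192.168.1.0/24", "Any", "Drop"),
    Rule("WAN->LAN", "HTTP", "198.51.100.0/24", "192.168.1.20", "Permit"),
]
```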
14.4 Connection Direction
This section describes examples of firewall rules for connections going from LAN to WAN and from WAN to LAN.
LAN to LAN/ Router, WAN to WAN/ Router and DMZ to DMZ/ Router rules apply to packets coming in on the associated interface (LAN, WAN or DMZ respectively). LAN to LAN/ Router means policies for LAN-to-ZyXEL Device (the policies for managing the ZyXEL Device through the LAN interface) and policies for LAN-to-LAN (the policies that control routing between two subnets on the LAN). Similarly, WAN to WAN/ Router and DMZ to DMZ/ Router policies apply in the same way to the WAN and DMZ ports.
