1. Home
    2. /
  2. Manuals
    3. /
  3. Zyxel
    4. /
  4. P-660HN-F1Z
    5. /
  5. 34
Page 166 / 421 Scroll up to view Page 161 - 165
Chapter 9 Firewalls
P-660HN-FxZ Series User’s Guide
164
Figure 90
Three-Way Handshake
For UDP, half-open means that the firewall has detected no return traffic. An unusually high
number (or arrival rate) of half-open sessions could indicate a DOS attack.
9.4.1
Threshold Values
If everything is working properly, you probably do not need to change the threshold settings as
the default threshold values should work for most small offices. Tune these parameters when
you believe the ZyXEL Device has been receiving DoS attacks that are not recorded in the
logs or the logs show that the ZyXEL Device is classifying normal traffic as DoS attacks.
Factors influencing choices for threshold values are:
1
The maximum number of opened sessions.
2
The minimum capacity of server backlog in your LAN network.
3
The CPU power of servers in your LAN network.
4
Network bandwidth.
5
Type of traffic for certain servers.
Reduce the threshold values if your network is slower than average for any of these factors
(especially if you have servers that are slow or handle many tasks and are often busy).
If you often use P2P applications such as file sharing with eMule or eDonkey, it’s
recommended that you increase the threshold values since lots of sessions will be
established during a small period of time and the ZyXEL Device may classify them as
DoS attacks.
9.4.2
Configuring Firewall Thresholds
The ZyXEL Device also sends alerts whenever
TCP Maximum Incomplete
is exceeded. The
global values specified for the threshold and timeout apply to all TCP connections.
Click
Firewall
>
Threshold
to bring up the next screen.
Page 167 / 421
Chapter 9 Firewalls
P-660HN-FxZ Series User’s Guide
165
Figure 91
Security > Firewall > Threshold
The following table describes the labels in this screen.
Table 57
Security > Firewall > Threshold
LABEL
DESCRIPTION
Denial of Service
Thresholds
The ZyXEL Device measures both the total number of existing half-open
sessions and the rate of session establishment attempts. Both TCP and UDP
half-open sessions are counted in the total number and rate measurements.
Measurements are made once a minute.
One Minute Low
This is the rate of new half-open sessions per minute that causes the firewall to
stop deleting half-open sessions. The ZyXEL Device continues to delete half-
open sessions as necessary, until the rate of new connection attempts drops
below this number.
One Minute High
This is the rate of new half-open sessions per minute that causes the firewall to
start deleting half-open sessions. When the rate of new connection attempts rises
above this number, the ZyXEL Device deletes half-open sessions as required to
accommodate new connection attempts.
For example, if you set the one minute high to 100, the ZyXEL Device starts
deleting half-open sessions when more than 100 session establishment attempts
have been detected in the last minute. It stops deleting half-open sessions when
the number of session establishment attempts detected in a minute goes below
the number set as the one minute low.
Maximum
Incomplete Low
This is the number of existing half-open sessions that causes the firewall to stop
deleting half-open sessions. The ZyXEL Device continues to delete half-open
requests as necessary, until the number of existing half-open sessions drops
below this number.
Maximum
Incomplete High
This is the number of existing half-open sessions that causes the firewall to start
deleting half-open sessions. When the number of existing half-open sessions
rises above this number, the ZyXEL Device deletes half-open sessions as
required to accommodate new connection requests. Do not set
Maximum
Incomplete High
to lower than the current
Maximum Incomplete
Low
number.
For example, if you set the maximum incomplete high to 100, the ZyXEL Device
starts deleting half-open sessions when the number of existing half-open
sessions rises above 100. It stops deleting half-open sessions when the number
of existing half-open sessions drops below the number set as the maximum
incomplete low.
Page 168 / 421
Chapter 9 Firewalls
P-660HN-FxZ Series User’s Guide
166
9.5
Firewall Technical Reference
This section provides some technical background information about the topics covered in this
chapter.
9.5.1
Firewall Rules Overview
Your customized rules take precedence and override the ZyXEL Device’s default settings. The
ZyXEL Device checks the source IP address, destination IP address and IP protocol type of
network traffic against the firewall rules (in the order you list them). When the traffic matches
a rule, the ZyXEL Device takes the action specified in the rule.
Firewall rules are grouped based on the direction of travel of packets to which they apply:
"
The LAN includes both the LAN port and the WLAN.
By default, the ZyXEL Device’s stateful packet inspection allows packets traveling in the
following directions:
LAN to LAN/ Router
These rules specify which computers on the LAN can manage the ZyXEL Device (remote
management) and communicate between networks or subnets connected to the LAN
interface (IP alias).
TCP Maximum
Incomplete
An unusually high number of half-open sessions with the same destination host
address could indicate that a DoS attack is being launched against the host.
Specify the number of existing half-open TCP sessions with the same destination
host IP address that causes the firewall to start dropping half-open sessions to
that same destination host IP address. Enter a number between 1 and 256. As a
general rule, you should choose a smaller number for a smaller network, a slower
system or limited bandwidth. The ZyXEL Device sends alerts whenever the
TCP
Maximum Incomplete
is exceeded.
Action taken when
TCP Maximum
Incomplete
reached threshold
Select the action that ZyXEL Device should take when the TCP maximum
incomplete threshold is reached. You can have the ZyXEL Device either:
Delete the oldest half open session when a new connection request comes.
or
Deny new connection requests for the number of minutes that you specify
(between 1 and 255).
Apply
Click this to save your changes.
Cancel
Click this to restore your previously saved settings.
Table 57
Security > Firewall > Threshold (continued)
LABEL
DESCRIPTION
LAN to LAN/ Router
WAN to LAN
LAN to WAN
WAN to WAN/ Router
Page 169 / 421
Chapter 9 Firewalls
P-660HN-FxZ Series User’s Guide
167
"
You can also configure the remote management settings to allow only a
specific computer to manage the ZyXEL Device.
LAN to WAN
These rules specify which computers on the LAN can access which computers or services
on the WAN.
By default, the ZyXEL Device’s stateful packet inspection drops packets traveling in the
following directions:
WAN to LAN
These rules specify which computers on the WAN can access which computers or services
on the LAN.
"
You also need to configure NAT port forwarding (or full featured NAT address
mapping rules) to allow computers on the WAN to access devices on the LAN.
WAN to WAN/ Router
By default the ZyXEL Device stops computers on the WAN from managing the ZyXEL
Device or using the ZyXEL Device as a gateway to communicate with other computers on
the WAN. You could configure one of these rules to allow a WAN computer to manage the
ZyXEL Device.
"
You also need to configure the remote management settings to allow a WAN
computer to manage the ZyXEL Device.
You may define additional rules and sets or modify existing ones but please exercise extreme
caution in doing so.
For example, you may create rules to:
Block certain types of traffic, such as IRC (Internet Relay Chat), from the LAN to the
Internet.
Allow certain types of traffic, such as Lotus Notes database synchronization, from specific
hosts on the Internet to specific hosts on the LAN.
Allow everyone except your competitors to access a web server.
Restrict use of certain protocols, such as Telnet, to authorized users on the LAN.
These custom rules work by comparing the source IP address, destination IP address and IP
protocol type of network traffic to rules set by the administrator. Your customized rules take
precedence and override the ZyXEL Device’s default rules.
Page 170 / 421
Chapter 9 Firewalls
P-660HN-FxZ Series User’s Guide
168
9.5.2
Guidelines For Enhancing Security With Your Firewall
1
Change the default password via web configurator.
2
Think about access control before you connect to the network in any way.
3
Limit who can access your router.
4
Don't enable any local service (such as telnet or FTP) that you don't use. Any enabled
service could present a potential security risk. A determined hacker might be able to find
creative ways to misuse the enabled services to access the firewall or the network.
5
For local services that are enabled, protect against misuse. Protect by configuring the
services to communicate only with specific peers, and protect by configuring rules to
block packets for the services at specific interfaces.
6
Protect against IP spoofing by making sure the firewall is active.
7
Keep the firewall in a secured (locked) room.
9.5.3
Security Considerations
"
Incorrectly configuring the firewall may block valid access or introduce security
risks to the ZyXEL Device and your protected network. Use caution when
creating or deleting firewall rules and test your rules after you configure them.
Consider these security ramifications before creating a rule:
1
Does this rule stop LAN users from accessing critical resources on the Internet? For
example, if IRC is blocked, are there users that require this service?
2
Is it possible to modify the rule to be more specific? For example, if IRC is blocked for
all users, will a rule that blocks just certain users be more effective?
3
Does a rule that allows Internet users access to resources on the LAN create a security
vulnerability? For example, if FTP ports (TCP 20, 21) are allowed from the Internet to
the LAN, Internet users may be able to connect to computers with running FTP servers.
4
Does this rule conflict with any existing rules?
Once these questions have been answered, adding rules is simply a matter of entering the
information into the correct fields in the web configurator screens.
9.5.4
Triangle Route
When the firewall is on, your ZyXEL Device acts as a secure gateway between your LAN and
the Internet. In an ideal network topology, all incoming and outgoing network traffic passes
through the ZyXEL Device to protect your LAN against attacks.

Rate

4 / 5 based on 1 vote.

Popular Zyxel Models

Famous Router IPs
Famous Router Companies
Bookmark Our Site

Press Ctrl + D to add this site to your favorites!

Share
Top