Chapter 7 Firewalls
P-660R-F1 Series User’s Guide
The following table describes the labels in this screen.

Table 35   Security > Firewall > Rules: Edit: Edit Customized Services: Config

LABEL               DESCRIPTION

Config

Service Name
    Type a unique name for your custom port.

Service Type
    Choose the IP port (TCP, UDP or TCP/UDP) that defines your customized port from the drop-down list box.

Port Configuration

Type
    Click Single to specify one port only or Range to specify a span of ports that define your customized service.

Port Number
    Type a single port number or the range of port numbers that define your customized service.

Back
    Click this to return to the previous screen without saving.

Apply
    Click this to save your changes.

Cancel
    Click this to restore your previously saved settings.

Delete
    Click this to delete the current rule.

7.4 The Firewall Threshold Screen

For DoS attacks, the ZyXEL Device uses thresholds to determine when to start dropping sessions that do not become fully established (half-open sessions). These thresholds apply globally to all sessions.

For TCP, half-open means that the session has not reached the established state: the TCP three-way handshake has not yet been completed. Under normal circumstances, the application that initiates a session sends a SYN (synchronize) packet to the receiving server. The receiver sends back an ACK (acknowledgment) packet and its own SYN, and then the initiator responds with an ACK (acknowledgment). After this handshake, a connection is established.

Figure 59   Three-Way Handshake

For UDP, half-open means that the firewall has detected no return traffic. An unusually high number (or arrival rate) of half-open sessions could indicate a DoS attack.
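The following Python script is an added example, not code from the ZyXEL guide or from the device firmware. It applies the half-open definitions of Section 7.4 (a TCP session stays half-open until the SYN, SYN-ACK, ACK exchange completes; a UDP session stays half-open until return traffic is seen) to a packet trace and counts half-open sessions per destination host, which is the quantity the TCP Maximum Incomplete threshold in Section 7.4.2 acts on. The trace, its addresses and the state names are constructed for illustration.

```python
# Added example: deriving half-open versus established sessions from a packet trace.
# Not code from the ZyXEL guide; the trace, addresses and state names are constructed.
from collections import Counter

# Constructed trace. Each record is (proto, src, sport, dst, dport, flags);
# flags is "" for UDP. Addresses come from documentation ranges, not real hosts.
TRACE = [
    ("TCP", "198.51.100.7", 40001, "192.168.1.20", 80, "SYN"),
    ("TCP", "192.168.1.20", 80, "198.51.100.7", 40001, "SYN-ACK"),
    ("TCP", "198.51.100.7", 40001, "192.168.1.20", 80, "ACK"),       # handshake completes
    ("TCP", "198.51.100.8", 40002, "192.168.1.20", 80, "SYN"),
    ("TCP", "192.168.1.20", 80, "198.51.100.8", 40002, "SYN-ACK"),   # final ACK never arrives
    ("TCP", "198.51.100.9", 40003, "192.168.1.20", 80, "SYN"),       # no reply at all
    ("TCP", "198.51.100.9", 40004, "192.168.1.20", 443, "SYN"),      # no reply at all
    ("UDP", "192.168.1.30", 51000, "203.0.113.53", 53, ""),
    ("UDP", "203.0.113.53", 53, "192.168.1.30", 51000, ""),          # return traffic seen
    ("UDP", "192.168.1.30", 51001, "203.0.113.123", 123, ""),        # no return traffic
]

HALF_OPEN_STATES = {"SYN_SENT", "SYN_RECEIVED", "NO_RETURN"}


def track_sessions(trace):
    """Replay the trace and return {session key: {"dst": host, "state": state}}.

    The first packet of a flow defines the initiator (src) and the destination host (dst).
    TCP: SYN -> SYN_SENT, SYN-ACK from the responder -> SYN_RECEIVED, ACK from the
    initiator -> ESTABLISHED; anything before ESTABLISHED is half-open.
    UDP: NO_RETURN until a datagram arrives from the responder, then ESTABLISHED.
    """
    sessions = {}
    for proto, src, sport, dst, dport, flags in trace:
        fwd = (proto, src, sport, dst, dport)
        rev = (proto, dst, dport, src, sport)
        if fwd in sessions:
            session, from_initiator = sessions[fwd], True
        elif rev in sessions:
            session, from_initiator = sessions[rev], False
        else:
            if proto == "TCP":
                # A flow whose first packet is not a bare SYN was caught mid-stream;
                # its handshake was never observed, so it is not counted as half-open.
                state = "SYN_SENT" if flags == "SYN" else "UNOBSERVED"
            else:
                state = "NO_RETURN"
            sessions[fwd] = {"dst": dst, "state": state}
            continue
        if proto == "TCP":
            if not from_initiator and flags == "SYN-ACK" and session["state"] == "SYN_SENT":
                session["state"] = "SYN_RECEIVED"
            elif from_initiator and flags == "ACK" and session["state"] == "SYN_RECEIVED":
                session["state"] = "ESTABLISHED"
        elif not from_initiator:
            session["state"] = "ESTABLISHED"
    return sessions


def half_open_by_destination(sessions):
    """Count half-open sessions per destination host (what TCP Maximum Incomplete is compared against)."""
    return Counter(s["dst"] for s in sessions.values() if s["state"] in HALF_OPEN_STATES)


if __name__ == "__main__":
    for host, n in half_open_by_destination(track_sessions(TRACE)).items():
        print(f"{host}: {n} half-open session(s)")
```

On the constructed trace the LAN server 192.168.1.20 has three half-open TCP sessions (one stuck after SYN-ACK, two with no reply) and the NTP host has one half-open UDP session; the completed HTTP handshake and the answered DNS query are not counted.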
7.4.1 Threshold Values

If everything is working properly, you probably do not need to change the threshold settings as the default threshold values should work for most small offices. Tune these parameters when you believe the ZyXEL Device has been receiving DoS attacks that are not recorded in the logs or the logs show that the ZyXEL Device is classifying normal traffic as DoS attacks. Factors influencing choices for threshold values are:

1  The maximum number of opened sessions.
2  The minimum capacity of server backlog in your LAN network.
3  The CPU power of servers in your LAN network.
4  Network bandwidth.
5  Type of traffic for certain servers.

Reduce the threshold values if your network is slower than average for any of these factors (especially if you have servers that are slow or handle many tasks and are often busy).

If you often use P2P applications such as file sharing with eMule or eDonkey, it’s recommended that you increase the threshold values since lots of sessions will be established during a small period of time and the ZyXEL Device may classify them as DoS attacks.
7.4.2 Configuring Firewall Thresholds

The ZyXEL Device also sends alerts whenever TCP Maximum Incomplete is exceeded. The global values specified for the threshold and timeout apply to all TCP connections.

Click Firewall > Threshold to bring up the next screen.

Figure 60   Security > Firewall > Threshold
The following table describes the labels in this screen.

Table 36   Security > Firewall > Threshold

LABEL               DESCRIPTION

Denial of Service Thresholds
    The ZyXEL Device measures both the total number of existing half-open sessions and the rate of session establishment attempts. Both TCP and UDP half-open sessions are counted in the total number and rate measurements. Measurements are made once a minute.

One Minute Low
    This is the rate of new half-open sessions per minute that causes the firewall to stop deleting half-open sessions. The ZyXEL Device continues to delete half-open sessions as necessary, until the rate of new connection attempts drops below this number.

One Minute High
    This is the rate of new half-open sessions per minute that causes the firewall to start deleting half-open sessions. When the rate of new connection attempts rises above this number, the ZyXEL Device deletes half-open sessions as required to accommodate new connection attempts.
    For example, if you set the one minute high to 100, the ZyXEL Device starts deleting half-open sessions when more than 100 session establishment attempts have been detected in the last minute. It stops deleting half-open sessions when the number of session establishment attempts detected in a minute goes below the number set as the one minute low.

Maximum Incomplete Low
    This is the number of existing half-open sessions that causes the firewall to stop deleting half-open sessions. The ZyXEL Device continues to delete half-open requests as necessary, until the number of existing half-open sessions drops below this number.

Maximum Incomplete High
    This is the number of existing half-open sessions that causes the firewall to start deleting half-open sessions. When the number of existing half-open sessions rises above this number, the ZyXEL Device deletes half-open sessions as required to accommodate new connection requests. Do not set Maximum Incomplete High to lower than the current Maximum Incomplete Low number.
    For example, if you set the maximum incomplete high to 100, the ZyXEL Device starts deleting half-open sessions when the number of existing half-open sessions rises above 100. It stops deleting half-open sessions when the number of existing half-open sessions drops below the number set as the maximum incomplete low.

TCP Maximum Incomplete
    An unusually high number of half-open sessions with the same destination host address could indicate that a DoS attack is being launched against the host. Specify the number of existing half-open TCP sessions with the same destination host IP address that causes the firewall to start dropping half-open sessions to that same destination host IP address. Enter a number between 1 and 256. As a general rule, you should choose a smaller number for a smaller network, a slower system or limited bandwidth. The ZyXEL Device sends alerts whenever the TCP Maximum Incomplete is exceeded.

Action taken when TCP Maximum Incomplete reached threshold
    Select the action that the ZyXEL Device should take when the TCP maximum incomplete threshold is reached. You can have the ZyXEL Device either:
        Delete the oldest half-open session when a new connection request comes, or
        Deny new connection requests for the number of minutes that you specify (between 1 and 255).

Apply
    Click this to save your changes.

Cancel
    Click this to restore your previously saved settings.
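As an added example, not ZyXEL firmware code, the Python model below implements the threshold behaviour described in Table 36: the one-minute rate and the total half-open count each act as a hysteresis pair (deleting begins once the High value is exceeded and stops once the count falls below the Low value), TCP Maximum Incomplete is enforced per destination host, and the action on reaching it is either delete-the-oldest or deny-new-requests-for-N-minutes. Two simplifications are assumptions of this model rather than documented device behaviour: thresholds are re-evaluated on every connection attempt instead of once a minute, and a blocking period of 0 is used to represent the delete-oldest action. The default values, timestamps and addresses are constructed.

```python
# Added illustrative model of the Table 36 thresholds; not ZyXEL firmware code.
from collections import deque
from dataclasses import dataclass


@dataclass
class Thresholds:
    """Values from the Security > Firewall > Threshold screen (defaults here are constructed)."""
    one_minute_low: int = 80        # attempts/min below which rate-based deleting stops
    one_minute_high: int = 100      # attempts/min above which rate-based deleting starts
    max_incomplete_low: int = 80    # total half-open below which count-based deleting stops
    max_incomplete_high: int = 100  # total half-open above which count-based deleting starts
    tcp_max_incomplete: int = 10    # half-open sessions per destination host (1-256)
    blocking_minutes: int = 0       # assumption: 0 = delete oldest, 1-255 = deny new for N minutes

    def __post_init__(self):
        if self.max_incomplete_high < self.max_incomplete_low:
            raise ValueError("Maximum Incomplete High must not be lower than Maximum Incomplete Low")
        if not 1 <= self.tcp_max_incomplete <= 256:
            raise ValueError("TCP Maximum Incomplete must be between 1 and 256")
        if not 0 <= self.blocking_minutes <= 255:
            raise ValueError("blocking period must be between 1 and 255 minutes (0 = delete oldest)")


class HalfOpenTracker:
    def __init__(self, thresholds):
        self.t = thresholds
        self.half_open = deque()    # (timestamp, dst) in arrival order, oldest first
        self.attempts = deque()     # timestamps of attempts seen in the last 60 s
        self.rate_mode = False      # deleting because the one-minute rate is high
        self.count_mode = False     # deleting because the total count is high
        self.denied_until = {}      # dst -> time until which new requests are denied
        self.dropped = 0            # sessions deleted plus requests denied

    def _prune(self, now):
        while self.attempts and self.attempts[0] <= now - 60:
            self.attempts.popleft()

    def _drop_oldest(self, dst=None):
        """Delete the oldest half-open session (restricted to dst when given)."""
        for i, (_, d) in enumerate(self.half_open):
            if dst is None or d == dst:
                del self.half_open[i]
                self.dropped += 1
                return

    def new_attempt(self, now, dst):
        """Return True if a SYN at time `now` (seconds) toward `dst` is admitted as half-open."""
        self._prune(now)
        if self.denied_until.get(dst, 0) > now:
            self.dropped += 1
            return False
        self.attempts.append(now)
        rate = len(self.attempts)
        if rate > self.t.one_minute_high:        # enter deleting mode above High ...
            self.rate_mode = True
        elif rate < self.t.one_minute_low:       # ... and leave it only below Low
            self.rate_mode = False
        total = len(self.half_open)
        if total > self.t.max_incomplete_high:
            self.count_mode = True
        elif total < self.t.max_incomplete_low:
            self.count_mode = False
        if self.rate_mode or self.count_mode:
            self._drop_oldest()                  # make room for the new attempt
        per_host = sum(1 for _, d in self.half_open if d == dst)
        if per_host >= self.t.tcp_max_incomplete:
            if self.t.blocking_minutes:
                self.denied_until[dst] = now + 60 * self.t.blocking_minutes
                self.dropped += 1
                return False
            self._drop_oldest(dst)
        self.half_open.append((now, dst))
        return True

    def established(self, dst):
        """Handshake completed: the oldest half-open session toward dst leaves the table."""
        for i, (_, d) in enumerate(self.half_open):
            if d == dst:
                del self.half_open[i]
                return True
        return False

    def half_open_count(self):
        return len(self.half_open)


if __name__ == "__main__":
    tracker = HalfOpenTracker(Thresholds(tcp_max_incomplete=3))
    for second in range(5):                      # five SYNs to one LAN host in five seconds
        tracker.new_attempt(second, "192.168.1.20")
    print(tracker.half_open_count(), "half-open,", tracker.dropped, "dropped")
```

Running the demo with TCP Maximum Incomplete set to 3 shows the per-host cap holding at three half-open sessions while the fourth and fifth attempts each evict the oldest one; the hysteresis pairs behave the same way for the global rate and count.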
7.5 Firewall Technical Reference

This section provides some technical background information about the topics covered in this chapter.

7.5.1 Firewall Rules Overview

Your customized rules take precedence and override the ZyXEL Device’s default settings. The ZyXEL Device checks the source IP address, destination IP address and IP protocol type of network traffic against the firewall rules (in the order you list them). When the traffic matches a rule, the ZyXEL Device takes the action specified in the rule.

Firewall rules are grouped based on the direction of travel of packets to which they apply:

Note: The LAN includes both the LAN port and the WLAN.

By default, the ZyXEL Device’s stateful packet inspection allows packets traveling in the following directions:

LAN to Router
    These rules specify which computers on the LAN can manage the ZyXEL Device (remote management).
    Note: You can also configure the remote management settings to allow only a specific computer to manage the ZyXEL Device.

LAN to WAN
    These rules specify which computers on the LAN can access which computers or services on the WAN.

By default, the ZyXEL Device’s stateful packet inspection drops packets traveling in the following directions:

WAN to LAN
    These rules specify which computers on the WAN can access which computers or services on the LAN.
    Note: You also need to configure NAT port forwarding (or full featured NAT address mapping rules) to allow computers on the WAN to access devices on the LAN.

WAN to Router
    By default the ZyXEL Device stops computers on the WAN from managing the ZyXEL Device. You could configure one of these rules to allow a WAN computer to manage the ZyXEL Device.
    Note: You also need to configure the remote management settings to allow a WAN computer to manage the ZyXEL Device.

[Figure: firewall rule directions (LAN to Router, WAN to LAN, LAN to WAN, WAN to Router)]
You may define additional rules and sets or modify existing ones, but please exercise extreme caution in doing so.

For example, you may create rules to:

    Block certain types of traffic, such as IRC (Internet Relay Chat), from the LAN to the Internet.
    Allow certain types of traffic, such as Lotus Notes database synchronization, from specific hosts on the Internet to specific hosts on the LAN.
    Allow everyone except your competitors to access a web server.
    Restrict use of certain protocols, such as Telnet, to authorized users on the LAN.

These custom rules work by comparing the source IP address, destination IP address and IP protocol type of network traffic to rules set by the administrator. Your customized rules take precedence and override the ZyXEL Device’s default rules.

7.5.2 Guidelines For Enhancing Security With Your Firewall

1  Change the default password via the web configurator.
2  Think about access control before you connect to the network in any way.
3  Limit who can access your router.
4  Don't enable any local service (such as Telnet or FTP) that you don't use. Any enabled service could present a potential security risk. A determined hacker might be able to find creative ways to misuse the enabled services to access the firewall or the network.
5  For local services that are enabled, protect against misuse. Protect by configuring the services to communicate only with specific peers, and protect by configuring rules to block packets for the services at specific interfaces.
6  Protect against IP spoofing by making sure the firewall is active.
7  Keep the firewall in a secured (locked) room.

7.5.3 Security Considerations

Note: Incorrectly configuring the firewall may block valid access or introduce security risks to the ZyXEL Device and your protected network. Use caution when creating or deleting firewall rules and test your rules after you configure them.

Consider these security ramifications before creating a rule:

1  Does this rule stop LAN users from accessing critical resources on the Internet? For example, if IRC is blocked, are there users that require this service?
2  Is it possible to modify the rule to be more specific? For example, if IRC is blocked for all users, will a rule that blocks just certain users be more effective?
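The Python rule evaluator below is an added example, not the ZyXEL Device's implementation. It illustrates Section 7.5.1 (rules are checked in the order listed, the first match decides, and the default stateful policy applies when nothing matches: LAN to Router and LAN to WAN permitted, WAN to LAN and WAN to Router dropped) together with the second question in Section 7.5.3, by blocking IRC only for a subset of LAN users instead of for everyone. The rule fields follow the Service Type and Single/Range port choices of Table 35. The rule names, addresses, subnets and the Telnet, IRC and Lotus Notes port numbers used here are constructed for the example.

```python
# Added example: first-match evaluation of direction-based firewall rules (not ZyXEL code).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Default stateful packet inspection policy per direction, as stated in Section 7.5.1.
DEFAULT_POLICY = {
    "LAN to Router": "permit",
    "LAN to WAN": "permit",
    "WAN to LAN": "drop",
    "WAN to Router": "drop",
}


@dataclass(frozen=True)
class Packet:
    direction: str   # one of the DEFAULT_POLICY keys
    src: str
    dst: str
    proto: str       # "TCP" or "UDP"
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str
    action: str                        # "permit" or "drop"
    src: str = "0.0.0.0/0"             # source network; any host by default
    dst: str = "0.0.0.0/0"             # destination network; any host by default
    service_type: str = "TCP/UDP"      # Table 35 Service Type: TCP, UDP or TCP/UDP
    ports: tuple = (1, 65535)          # Single port -> (p, p); Range -> (low, high)

    def matches(self, pkt):
        if pkt.direction != self.direction:
            return False
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.service_type != "TCP/UDP" and pkt.proto != self.service_type:
            return False
        return self.ports[0] <= pkt.dport <= self.ports[1]


def decide(rules, pkt):
    """Walk the rules in listed order; the first match wins, else the default policy applies."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return DEFAULT_POLICY[pkt.direction], "default"


def build_rules():
    """Constructed rule set covering the examples in Sections 7.5.1 and 7.5.3."""
    return [
        # Permit one authorised administrator host to use Telnet, then block Telnet for
        # everyone else; the permit must be listed first because the first match decides.
        Rule("telnet-admin", "LAN to WAN", "permit", src="192.168.1.10/32",
             service_type="TCP", ports=(23, 23)),
        Rule("telnet-block", "LAN to WAN", "drop", service_type="TCP", ports=(23, 23)),
        # Block IRC (constructed port range 6660-6669) only for hosts in 192.168.1.0/28,
        # the "more specific" alternative to blocking IRC for all LAN users.
        Rule("irc-block-subset", "LAN to WAN", "drop", src="192.168.1.0/28",
             service_type="TCP", ports=(6660, 6669)),
        # Allow Lotus Notes synchronisation (constructed TCP 1352) from one Internet
        # host to one LAN server; everything else WAN to LAN falls to the default drop.
        Rule("notes-sync", "WAN to LAN", "permit", src="198.51.100.9/32",
             dst="192.168.1.20/32", service_type="TCP", ports=(1352, 1352)),
    ]


if __name__ == "__main__":
    rules = build_rules()
    for pkt in [
        Packet("LAN to WAN", "192.168.1.10", "203.0.113.7", "TCP", 23),
        Packet("LAN to WAN", "192.168.1.50", "203.0.113.7", "TCP", 23),
        Packet("LAN to WAN", "192.168.1.5", "203.0.113.7", "TCP", 6667),
        Packet("LAN to WAN", "192.168.1.50", "203.0.113.7", "TCP", 6667),
        Packet("WAN to LAN", "198.51.100.9", "192.168.1.20", "TCP", 1352),
        Packet("WAN to LAN", "198.51.100.10", "192.168.1.20", "TCP", 1352),
    ]:
        print(pkt, "->", decide(rules, pkt))
```

Swapping the order of the two Telnet rules would make the administrator's Telnet session hit the drop rule first, which is the ordering mistake the note in Section 7.5.3 warns about and the reason to test rules after configuring them.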
