VMG4380-B10A / VMG4325-B10A User’s Guide
CHAPTER 15
Firewall

15.1 Overview
This chapter shows you how to enable and configure the Device’s security settings. Use the firewall
to protect your Device and network from attacks by hackers on the Internet and control access to
it. By default the firewall:
allows traffic that originates from your LAN computers to go to all other networks.
blocks traffic that originates on other networks from going to the LAN.
The following figure illustrates the default firewall action. User A can initiate an IM (Instant
Messaging) session from the LAN to the WAN (1). Return traffic for this session is also allowed (2).
However other traffic initiated from the WAN is blocked (3 and 4).

Figure 102 Default Firewall Action

15.1.1 What You Can Do in this Chapter

Use the General screen to configure the security level of the firewall on the Device (Section 15.2 on page 213).
Use the Service screen to add or remove predefined Internet services and configure firewall rules (Section 15.3 on page 213).
Use the Access Control screen to view and configure incoming/outgoing filtering rules (Section 15.4 on page 215).
Use the DoS screen to activate protection against Denial of Service (DoS) attacks (Section 15.5 on page 218).
15.1.2 What You Need to Know
SYN Attack
A SYN attack floods a targeted system with a series of SYN packets. Each packet causes the
targeted system to issue a SYN-ACK response. While the targeted system waits for the ACK that
follows the SYN-ACK, it queues up all outstanding SYN-ACK responses on a backlog queue. SYN-ACKs
are moved off the queue only when an ACK comes back or when an internal timer terminates
the three-way handshake. Once the queue is full, the system will ignore all incoming SYN requests,
making the system unavailable for legitimate users.
DoS
Denial of Service (DoS) attacks are aimed at devices and networks with a connection to the
Internet. Their goal is not to steal information, but to disable a device or network so users no longer
have access to network resources. The ZyXEL Device is pre-configured to automatically detect and
thwart all known DoS attacks.
DDoS
A DDoS attack is one in which multiple compromised systems attack a single target, thereby
causing denial of service for users of the targeted system.
LAND Attack
In a LAND attack, hackers flood SYN packets into the network with a spoofed source IP address of
the target system. This makes it appear as if the host computer sent the packets to itself, making
the system unavailable while the target system tries to respond to itself.
Ping of Death
Ping of Death uses a "ping" utility to create and send an IP packet that exceeds the maximum
65,536 bytes of data allowed by the IP specification. This may cause systems to crash, hang or
reboot.
SPI
Stateful Packet Inspection (SPI) tracks each connection crossing the firewall and makes sure it is
valid. Filtering decisions are based not only on rules but also context. For example, traffic from the
WAN may only be allowed to cross the firewall in response to a request from the LAN.
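
The SPI behaviour described above, applied to the four flows of Figure 102, can be modelled with a small connection tracker. This Python example is added here and is not ZyXEL firmware code; the class and field names, addresses and ports are constructed, and the source-equals-destination test is one common way to recognise the LAND pattern, not a statement of how the Device does it. It assumes no NAT and no session timeouts.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on: "LAN" or "WAN"
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "TCP"

class SpiFirewall:
    """Toy connection tracker: default action from Section 15.1 plus a LAND check."""

    def __init__(self):
        # Tracked sessions as (proto, lan_ip, lan_port, wan_ip, wan_port).
        self.sessions = set()

    def filter(self, p: Packet) -> str:
        # LAND pattern: source and destination address are identical.
        if p.src == p.dst:
            return "DROP land"
        if p.iface == "LAN":
            # LAN-originated traffic is allowed and the session is remembered.
            self.sessions.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return "ALLOW outbound"
        # WAN side: allowed only as the exact reverse of a tracked session.
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.sessions:
            return "ALLOW reply"
        return "DROP unsolicited"

def demo():
    fw = SpiFirewall()
    # Constructed sample traffic using documentation address ranges.
    flows = [
        Packet("LAN", "192.168.1.10", 50000, "203.0.113.5", 5222),   # (1) user A starts IM
        Packet("WAN", "203.0.113.5", 5222, "192.168.1.10", 50000),   # (2) return traffic
        Packet("WAN", "198.51.100.7", 4444, "192.168.1.10", 50000),  # (3) unrelated WAN host
        Packet("WAN", "203.0.113.5", 5222, "192.168.1.10", 22),      # (4) same host, new port
        Packet("WAN", "192.168.1.10", 80, "192.168.1.10", 80),       # LAND-style packet
    ]
    return [fw.filter(p) for p in flows]

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Flow (4) shows why the context matters: the WAN host is one the LAN already talks to, but the packet does not belong to the tracked session, so it is dropped.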

15.2 The Firewall Screen

Use this screen to set the security level of the firewall on the Device. Firewall rules are grouped
based on the direction of travel of packets to which they apply.

Click Security > Firewall to display the General screen.

Figure 103 Security > Firewall > General

The following table describes the labels in this screen.

Table 75 Security > Firewall > General

| LABEL | DESCRIPTION |
|---|---|
| Firewall | Select Enable to activate the firewall feature on the Device. |
| Easy | Select Easy to allow LAN to WAN and WAN to LAN packet directions. |
| Medium | Select Medium to allow LAN to WAN but deny WAN to LAN packet directions. |
| High | Select High to deny LAN to WAN and WAN to LAN packet directions. |
| Apply | Click Apply to save your changes. |
| Cancel | Click Cancel to restore your previously saved settings. |

15.3 The Service Screen

You can configure customized services and port numbers in the Service screen. For a
comprehensive list of port numbers and services, visit the IANA (Internet Assigned Number
Authority) website. See Appendix F on page 353 for some examples.
Click Security > Firewall > Service to display the following screen.

Figure 104 Security > Firewall > Service

The following table describes the labels in this screen.

Table 76 Security > Firewall > Service

| LABEL | DESCRIPTION |
|---|---|
| Add new service entry | Click this to add a new service. |
| Name | This is the name of your customized service. |
| Description | This is the description of your customized service. |
| Ports/Protocol Number | This shows the IP protocol (TCP, UDP, ICMP, or TCP/UDP) and the port number or range of ports that defines your customized service. Other and the protocol number are displayed if the service uses another IP protocol. |
| Modify | Click the Edit icon to edit the entry. Click the Delete icon to remove this entry. |

15.3.1 Add/Edit a Service

Use this screen to add a customized service rule that you can use in the firewall’s ACL rule
configuration. Click Add new service entry or the edit icon next to an existing service rule in the
Service screen to display the following screen.

Figure 105 Service: Add/Edit
The following table describes the labels in this screen.

Table 77 Service: Add/Edit

| LABEL | DESCRIPTION |
|---|---|
| Protocol | Choose the IP protocol (TCP, UDP, ICMP, or Other) that defines your customized port from the drop-down list box. Select Other to be able to enter a protocol number. |
| Source/Destination Port | These fields are displayed if you select TCP or UDP as the IP port. Select Single to specify one port only or Range to specify a span of ports that define your customized service. If you select Any, the service is applied to all ports. Type a single port number or the range of port numbers that define your customized service. |
| Protocol Number | This field is displayed if you select Other as the protocol. Enter the protocol number of your customized port. |
| Add | Click this to add the protocol to the Rule List below. |
| Rule List | |
| Protocol | This is the IP port (TCP, UDP, ICMP, or Other) that defines your customized port. |
| Ports/Protocol Number | For TCP, UDP, ICMP, or TCP/UDP protocol rules this shows the port number or range that defines the custom service. For other IP protocol rules this shows the protocol number. |
| Modify | Click the Delete icon to remove the rule. |
| Service Name | Enter a unique name (up to 32 printable English keyboard characters, including spaces) for your customized port. |
| Service Description | Enter a description for your customized port. |
| Apply | Click Apply to save your changes. |
| Cancel | Click Cancel to exit this screen without saving. |

15.4 The Access Control Screen

Click Security > Firewall > Access Control to display the following screen. This screen displays a
list of the configured incoming or outgoing filtering rules.

Figure 106 Security > Firewall > Access Control
