Manuals / ZyXEL Communications / Computer Equipment / Modem

ZyXEL Communications 2602HWNLI-D7A manual How can I protect against IP spoofing attacks?

Models: 2602HWNLI-D7A

1 246

Download 246 pages 10.29 Kb

Page 201

Prestige 2602HWNLI-D7A Support Notes

How can I protect against IP spoofing attacks?

The Prestige's firewall will automatically detect the IP spoofing and drop it if the firewall is turned on. If the firewall is not turned on we can configure a filter set to block the IP spoofing attacks. The basic scheme is as follows:

For the input data filter:

∙Deny packets from the outside that claim to be from the inside

∙Allow everything that is not spoofing us

Filter rule setup:

∙Filter type =TCP/IP Filter Rule

∙Active =Yes

∙Source IP Addr =a.b.c.d

∙Source IP Mask =w.x.y.z

∙Action Matched =Drop

∙Action Not Matched =Forward

Where a.b.c.d is an IP address on your local network and w.x.y.z is your netmask:

For the output data filters:

∙Deny bounceback packet

∙Allow packets that originate from us

Filter rule setup:

∙Filter Type =TCP/IP Filter Rule

∙Active =Yes

∙Destination IP Addr =a.b.c.d

∙Destination IP Mask =w.x.y.z

∙Action Matched =Drop

∙Action No Matched =Forward

Where a.b.c.d is an IP address on your local network and w.x.y.z is your netmask.

201

All contents copyright (c) 2007 ZyXEL Communications Corporation.

Image 201

ZyXEL Communications 2602HWNLI-D7A manual How can I protect against IP spoofing attacks?

Contents

Version Aug Prestige 2602HWNLI-D7APrestige 2602HWNLI-D7A Support Notes FAQ Roduct FAQ Pstn L Ifeline FAQ Ontent F Ilter FAQ Ireless FAQ Application Notes All PCs must have an Ethernet adapter card installed TCP/IP InstallationEthernet connection TCP/IP Configuration Follow these steps to configure Windows TCP/IP∙ Setting up the Prestige router Prestige 2602HWNLI-D7A Support Notes Setup the Prestige as a Dhcp Relay ∙ Setup the Prestige as a Dhcp Client Configure an Internal Server Behind SUA Press Enter to Confirm or ESC to CancelSmtp Service Port NumberConfigure a Pptp server Behind SUA ∙ Example 1723 192.168.1.10 Prestige 2602HWNLI-D7A Support Notes ∙ What is Multi-NAT? Using NAT / Multi-NATMany to One One to OneMany to Many Overload Many to Many No OverloadFollowing table summarizes these types NAT Type IP Mapping DirectionApplying NAT in the SMT Menus Field Options Description Full FeatureNone SUA OnlyConfiguring NAT Table Applying NAT in Menu 4 and MenuAddress Mapping Sets and NAT Server Sets Prestige 2602HWNLI-D7A Support Notes SUA Field Description Option/ExampleDescription Option FieldFollowing table describes the fields in this screen Enter 2 to go to Menu 15.2.1-NAT Server Setup See the following figure Internet Access OnlyPrestige 2602HWNLI-D7A Support Notes Internet Access with an Internal Server Types are used Type One-to-One Start= Name= Example3 Support Non NAT Friendly Applications Type Many-to-Many No Overload Start= NAT Type IP Mapping ∙ SUA∙ Filter Structure About Filter & Filter Examples How does ZyXEL filter work?∙ Filter Types and SUA Prestige 2602HWNLI-D7A Support Notes Menu Protocol and device rule cannot be active together Filter for blocking the web service Create a filter set in Menu Rule 2 for b.DNS request, TCP06/Port number Rule one for a. http packet, TCP06/Port numberRule 3 for c. DNS packet UDP17/Port number Filter for blocking a specific client Configuration Create a filter set in Menu 21, e.g., setEnter the client IP in this field One rule for blocking all packets from this clientAddr= field, for one workstation it is Set to Drop to drop all the packets from this clientDetailed format of the Ethernet Version Before you BeginConfigurations Action Matched= Drop Action Not Matched= Forward Value= 0080c810234a Filter for blocking the NetBIOS packets Action Not Matched= Check Next Rule Prestige 2602HWNLI-D7A Support Notes Prestige 2602HWNLI-D7A Support Notes Menu 21.1.6 TCP/IP Filter Rule Filter # 1,6 Prestige 2602HWNLI-D7A Support Notes Prestige 2602HWNLI-D7A Support Notes Menu 3.1 General Ethernet Setup Input Filter Sets Using the Dynamic DNS Ddns Key Settings for using Ddns function Network Management Using Snmp Password Enable WildcardWrites ∙ GetNext ∙ Get∙ Set ∙ TrapZyXEL Snmp Implementation ∙ warmStart defined in RFC-1215 Configure the Prestige for Snmp Using syslog ∙ Unix Setup L02 Call Terminated C02 Call Terminated Example ∙ Packet triggered log∙ Filter log Format SdcmdSyslogSend SYSLOGPPPLOG, SYSLOGNOTICE, String ∙ PPP Log∙ What is IP Alias ? Using IP AliasDhcp Setup TCP/IP Setup IP Alias Using Call SchedulingSelect a Schedule Set number and give it a name Edit the Schedule sets in menuMenu 26.1 Schedule Set Setup is as follows Start Date How Often Forced On Forced Down Enable∙ Time Service in Prestige ∙ IP Multicast Setup Enable Igmp in Prestiges LAN in menu Using IP MulticastMulticast Enable Igmp in Prestiges remote node in menuYou can deploy the backup gateway on LAN of Prestige Using Prestige traffic redirectSMT Menu 2 WAN Backup Setup Traffic Redirect on LAN portWAN IP ∙ 1. What is UPnP Using Universal Plug n Play UPnPUPnP Operations Enable UPnP function in ZyXEL device ∙ 2. Using UPnP in ZyXEL devicesChanges through UPnP Prestige 2602HWNLI-D7A Support Notes Finally, your video conversation is achieved What is Infrastructure mode? Infrastructure modeConfiguration Prestige Wireless using SMT Prestige 2602HWNLI-D7A Support Notes ∙ Configuration Wireless Station to Infrastructure mode Double click on the AP you want to associated with MAC Filter Overview Wireless MAC address filteringKey Settings Option Descriptions Configured in this list will be blockedFilter Action Prestige 2602HWNLI-D7A Support Notes Introduction WEP configuration Wired Equivalent PrivacySetting up the Access Point Key settings Access point will decrypt the data by its Key Setting up the Station Prestige 2602HWNLI-D7A Support Notes Prestige 2602HWNLI-D7A Support Notes Ieee 802.1x Introduction ConfiguringAuthenticator Authentication ServerSupplicant ∙ Authentication Port State and Authentication Control ∙ Re-Authentication Eapol Exchange between 802.1x Authenticator and Supplicant Prestige 2602HWNLI-D7A Support Notes Prestige 2602HWNLI-D7A Support Notes Wireless Port Control= No Authentication Required If you use WEB Configuration∙ Using Internal Authentication Server Password Key settingsIf you use WEB Configurator User Name∙ Using External Radius Authentication Server Prestige 2602HWNLI-D7A Support Notes Server Address Port Shared Secret Key settings for authentication serverPreparation Site SurveySurvey on Site Prestige 2602HWNLI-D7A Support Notes Usage of Pstn Lifeline Pstn Lifeline Application NotesLifeline configuration How to connect Lifeline and DSL connection Relay to PstnFirgure 1 Splitter type Prestige 2602HWNLI-D7A Support Notes Usage of Isdn Lifeline Isdn Lifeline Application NotesRelay to Isdn Prestige 2602HWNLI-D7A Support Notes VoIP Application Notes Setup SIP AccountPrestige 2602HWNLI-D7A Support Notes Number AccountLocal PortSetup PasswordReset DomainPreparation and Steps Peer to Peer call Topology Topology ExplanationPrestige 2602HWNLI-D7A Support Notes Setup--- Configuring SIP / VoIP related settings in device B Phone port settings Volume Setting to take effectFunction menu SpeakingActive Advanced voice settings configurationSupport DialingSIP Account Each fields detail description of the page is listed belowDtmf Mode TimerURL Type ExpirationWaiting MessageIndication TimeEach fields detail description of the page is listed below SIP Number Speed DialName TypeSettings Voice Common SettingsRegion ImmediateCall Service Mode Services from your voice service providerVoice QoS setup Call Forwarding setup PriorityVoice Vlan Unconditional Forward to Number Busy Forward to NumberNo Answer Forward to Number Forward to Table NumberUnconditional Busy ForwardCall Hold setup Number Setup sectionCall Waiting setup ConditionScenario Prestige 2602HWNLI-D7A Support Notes Step Three Way Conference setupStep Dial B phone number directly to make another call ConversationDial to B Off hook B conversation Call Transfer setupApplication scenario 2 Consult On Hold Transfer To active Blind Transfer please follow the below stepApplication scenario 3 Attendant Transfer To active Attendant Transfer please follow the below step Internal CallCall Fallback Prestige 2602HWNLI-D7A Support Notes Call Park Call Flow Step Then a hang up the phoneCall Pickup Call Flow Call Return Each filed is described in the following table Distinctive RingingHow to configure DND on phone keypad? 95# Enable Do Not DisturbDo Not Disturb DND Hot Line Auto Dial #95# Disable Do not Disturb 95#SIP Number*Active Timer#Music on hold Ras voice config fxs saveMWI Country Code Caller ID enable/disableTrunking Trunking Peer to Peer Trunking CategoryNetwork Once dials #01 on phone 1, phone 3 will ring Configuration detailsPrestige 2602HWNLI-D7A Support Notes Prestige 2602HWNLI-D7A Support Notes Trunking SIP to FXO Trunking GeneralGUI VoIP Trunking General, then click Apply button Trunking FXO to SIP On Device B No special configuration neededPrestige 2602HWNLI-D7A Support Notes Trunking FXO to FXO Prestige 2602HWNLI-D7A Support Notes Prestige 2602HWNLI-D7A Support Notes What is ZyNOS? FAQHow do I access the embedded web configurator? Why cant I make Telnet to Prestige from WAN? How do I upload or backup Romfile via web configurator?What should I do if I forget the system password? You have not enable Telnet service on WAN interface in MenuWhat is SUA? When should I use SUA? What is the difference between NAT and SUA?What is the Prestige Integrated Access Device? Why cant I configure device filters or protocol filters?How many network users can the SUA/NAT support? What are Device filters and Protocol filters?How do I know I am using PPPoE? What is PPPoE?Will the Prestige work with my Internet connection? What do I need to use the Prestige?How can I configure the Prestige? Why does my provider use PPPoE?Which Internet Applications can I use with the Prestige? What network interface does the Prestige support?Default IP address is 192.168.1.1, Password How does e-mail work through the Prestige?What Dhcp capability does the Prestige support? How does the Prestige support TFTP? Can the Prestige support Tftp over WAN?How fast can the data go? When do I need Multi-NAT? What is Multi-NAT?Server What IP/Port mapping does Multi-NAT support?What is the difference between SUA and Multi-NAT? What is BOOTP/DHCP?What is DDNS? When do I need Ddns service? Do I need Lifeline? What does Lifeline mean?Can I connect more than one phone on the phone port? Can I receive incoming Pstn call through P2602HWNLI- D7A?Why use VoIP? What is Voice over IP?What is the relationship between codec and VoIP? Can I make an outgoing Pstn call through P2602HWNLI D7A?What is voice quality? What is the difference between H.323 and SIP?What is codec? What advantage does Voice over IP can provide?What codec does Prestige support? What is the relation of codec and VoIP?Which codec should I choose? What do I need in order to use SIP?Can register but can not establish a call? Unable to register with the SIP server?What is a network firewall? What makes Prestige firewall secure?What are the basic types of firewalls? What kind of firewall is the Prestige? What is Ping of Death attack? What is Denials of Service DoSattack?What is Teardrop attack? What is SYN Flood attack?What is Brute-force attack? What is Land attack?What is IP Spoofing attack? What are the default ACL firewall rules in Prestige?How can I protect against IP spoofing attacks? Why do I need VPN? What is VPN?Can I override block or allow certain URLs by wording? SecurityWhat is L2TP? What is PPTP?What is IPSec? CostWhat is SA? What is IKE?What secure protocols does IPSec support? What is Phase 1 ID for? What is Pre-Shared Key?What are the differences between IKE and manual key VPN? What are Local ID and Peer ID?How do I configure Prestige VPN? When should I use FQDN?Is my Prestige ready for IPSec VPN? How many VPN connections does Prestige support?What types of authentication does Prestige VPN support? What VPN protocols are supported by Prestige?What types of encryption does Prestige VPN support? Does Prestige support dynamic secure gateway IP? Where can I configure Phase 1 ID in Prestige? Does Prestige VPN support NetBIOS broadcast?Will ZyXEL support Secure Remote Management? Is the host behind NAT allowed to use IPSec?We presume your environment may look like this Can Prestige support IPSec passthrough? How can I keep a tunnel alive?What are the advantages of Wireless LANs ? What is a Wireless LAN ?Where can you find wireless 802.11 networks ? What are the disadvantages of Wireless LANs ?What is an Access Point ? What is Ieee 802.11 ?What is 802.11a ? What is 802.11b ?What is 802.11g ? How fast is 802.11b ?Does the 802.11 interfere with Bluetooth devices ? What is Wi-Fi ?Can radio signals pass through walls ? What types of devices use the 2.4GHz Band ?What is Infrastructure mode ? What is Ad Hoc mode ?How many Access Points are required in a given area ? What is Direct-Sequence Spread Spectrum Technology Dsss ?Why the 2.4 Ghz Frequency range ? What is Frequency-hopping Spread Spectrum Technology Fhss ?What is Server Set ID Ssid ? What is an Essid ?What is the difference between 40-bit and 64-bit WEP ? What is WEP ?What is a WEP key ? Can the Ssid be encrypted ?What is Wireless Sniffer? What is 802.1x ?What are Insertion Attacks? What is AAA ? What is Radius ?What is WPA ? What is WPA-PSK? Trouble ShootingExample Online TraceTCP/IP 0001 RAW Data Urgent Ptr TCP Data Length=6 Captured=6 0000 20 20 20 20 20 Prestige 2602HWNLI-D7A Support Notes Be 2F FE EF D0 7637 Checksum = 0x7A12 31250 Urgent Ptr Offline Trace TCP 0000 80 C8 A0-C5 0010 0020 1B-18 FA F0 04-05 Prestige 233 Prestige 2602HWNLI-D7A Support Notes Debug PPPoE Connection Example- a trace with system crashes Prestige 2602HWNLI-D7A Support Notes Prestige 2602HWNLI-D7A Support Notes Trace LAN packet Trace WAN packet LAN/WAN Packet TraceExample RAW Data Size 60 Time 12090.210 sec Frame Type TCP = 0xE8ED 0030 22 38 E8 ED 00 00 20 20-20 20 20 FB be 2F FE EF D0 CLI Command List