ZyXEL Communications G-2000 Plus 14.3 Introduction to ZyXEL’s Firewall, 14.2.3Stateful Inspection Firewalls

ZyAIR G-2000 Plus User’s Guide

1Information hiding prevents the names of internal systems from being made known via DNS to outside systems, since the application gateway is the only host whose name must be made known to outside systems.

2Robust authentication and logging pre-authenticates application traffic before it reaches internal hosts and causes it to be logged more effectively than if it were logged with standard host logging. Filtering rules at the packet filtering router can be less complex than they would be if the router needed to filter application traffic and direct it to a number of specific systems. The router need only allow application traffic destined for the application gateway and reject the rest.

14.2.3Stateful Inspection Firewalls

Stateful inspection firewalls restrict access by screening data packets against defined access rules. They make access control decisions based on IP address and protocol. They also "inspect" the session data to assure the integrity of the connection and to adapt to dynamic protocols. These firewalls generally provide the best speed and transparency; however, they may lack the granular application level access control or caching that some proxies support. See “Stateful Inspection” on page 185 for more information on Stateful Inspection.

Firewalls, of one type or another, have become an integral part of standard security solutions for enterprises.

14.3 Introduction to ZyXEL’s Firewall

The ZyAIR firewall is a stateful inspection firewall and is designed to protect against Denial of Service attacks when activated (in SMT menu 21.2 or in the web configurator). The ZyAIR’s purpose is to allow a private Local Area Network (LAN) to be securely connected to the Internet. The ZyAIR can be used to prevent theft, destruction and modification of data, as well as log events, which may be important to the security of your network. The ZyAIR also has packet-filtering capabilities.

The ZyAIR is installed between the LAN and a broadband modem connecting to the Internet. This allows it to act as a secure gateway for all data passing between the Internet and the LAN.

The ZyAIR has one Ethernet WAN port and one Ethernet LAN port, which are used to physically separate the network into two areas.

•The WAN (Wide Area Network) port attaches to the broadband modem (cable or ADSL) connecting to the Internet.

•The LAN (Local Area Network) port attaches to a network of computers, which needs security from the outside world. These computers will have access to Internet services such as e-mail, FTP, and the World Wide Web. However, inbound access will not be allowed unless the remote host is authorized to use a specific service.