Manuals / Brands / Computer Equipment / Network Router / ZyXEL Communications / Computer Equipment / Network Router

ZyXEL Communications HW-D Series, P-662H 10.4.2.1 ICMP Vulnerability, 10.4.2.2 Illegal Commands (NetBIOS and SMTP)

1 496

Download 496 pages, 13.69 Mb

P-662H/HW-D Series User’s Guide

Figure 93 Smurf Attack

10.4.2.1 ICMP Vulnerability

ICMP is an error-reporting protocol that works in concert with IP. The following ICMP types trigger an alert:

Table 61 ICMP Commands That Trigger Alerts

5REDIRECT

13TIMESTAMP_REQUEST

14TIMESTAMP_REPLY

17ADDRESS_MASK_REQUEST

18ADDRESS_MASK_REPLY

10.4.2.2 Illegal Commands (NetBIOS and SMTP)

The only legal NetBIOS commands are the following - all others are illegal.

Table 62 Legal NetBIOS Commands

MESSAGE:

REQUEST:

POSITIVE:

VE:

RETARGET:

KEEPALIVE:

All SMTP commands are illegal except for those displayed in the following tables.

Table 63 Legal SMTP Commands

AUTH	DATA	EHLO	ETRN	EXPN	HELO	HELP	MAIL	NOOP

QUIT	RCPT	RSET	SAML	SEND	SOML	TURN	VRFY

174	Chapter 10 Firewalls

Contents

User’s Guide Page Copyright Disclaimer Trademarks Certifications Federal Communications Commission (FCC) Interference Statement FCC Caution IMPORTANT NOTE: FCC Radiation Exposure Statement Viewing Certifications Safety Warnings ZyXEL Limited Warranty Note Customer Support Page Page Table of Contents Bandwidth Management Wizard Wireless LAN DMZ Network Address Translation (NAT) Screens Firewall Configuration Content Filtering Content Access Control Introduction to IPSec Page Static Route Bandwidth Management Remote Management Configuration Universal Plug-and-Play(UPnP) System Logs Troubleshooting Appendix A Product Specifications Appendix B About ADSL Appendix E IP Addresses and Subnetting Appendix F Wireless LANs Appendix G Appendix J Appendix K Appendix L Appendix M Appendix N Page List of Figures Page Page Page Page Figure 232 Red Hat 9.0: KDE: Network Configuration: Activate Page Page List of Tables Page Page Page Page Page Preface About This User's Guide Syntax Conventions Related Documentation User Guide Feedback Graphics Icons Key Getting To Know Your ZyXEL Device 1.1 Introducing the ZyXEL Device High Speed Internet Access Zero Configuration Internet Access Any IP Firewall Content Filtering LAN/DMZ Interface IPSec VPN Capability Traffic Redirect Media Bandwidth Management Universal Plug and Play (UPnP) Dynamic DNS Support DHCP IP Alias IP Policy Routing (IPPR) Packet Filters 1.1.1.1P-662HWWireless Features Wireless LAN Wi-FiProtected Access Wireless g+ Antenna Wireless LAN MAC Address Filtering 1.1.2.1 Internet Access 1.1.2.2 LAN to LAN Application 1.1.4 Front Panel LEDs Page Introducing the Web Configurator 2.1 Web Configurator Overview 2.2 Accessing the Web Configurator Login Ignore 2.3 Resetting the ZyXEL Device 2.4Navigating the Web Configurator Page Page 2.4.2 Status Screen Page Page 2.4.3 Status: Any IP Table Any IP Table 2.4.4 Status: WLAN Status WLAN Status 2.4.5 Status: Bandwidth Status Bandwidth Status 2.4.6 Status: VPN Status VPN Status 2.4.7 Status: Packet Statistics Packet Statistics Poll Interval(s) Page 2.4.8 Changing Login Password Maintenance > System Page Page Wizard Setup for Internet Access 3.1 Introduction 3.2Internet Access Wizard Setup Restart the Internet/ Wireless Setup Wizard 3.2.1Automatic Detection 3.2.2Manual Configuration Page Page Page Back to Username and Password setup 3.3 Wireless Connection Wizard Setup Page RESET 3.3.1Automatically assign a WPA key Manually assign a WPA key 3.3.2 Manually assign a WPA-PSKkey Manually assign a key 3.3.3 Manually assign a WEP key Manually assign a WEP key Finish Page Bandwidth Management Wizard 4.1 Introduction 4.2 Predefined Media Bandwidth Management Services 4.3 Bandwidth Management Wizard Setup Page Page Page Page WAN Setup 5.1 WAN Overview 5.1.1.1 ENET ENCAP 5.1.1.2 PPP over Ethernet 5.1.1.3 PPPoA 5.1.1.4RFC 5.1.2.1 VC-basedMultiplexing 5.1.2.2 LLC-basedMultiplexing 5.1.4.1 IP Assignment with PPPoA or PPPoE Encapsulation 5.1.4.2 IP Assignment with RFC 1483 Encapsulation 5.1.4.3 IP Assignment with ENET ENCAP Encapsulation 5.2 Metric 5.3 Traffic Shaping 5.3.1.1 Constant Bit Rate (CBR) 5.3.1.2 Variable Bit Rate (VBR) 5.3.1.3 Unspecified Bit Rate (UBR) 5.4 Zero Configuration Internet Access 5.5Internet Connection Page 5.5.1 Configuring Advanced Internet Connection Internet Connection Page 5.6 Configuring More Connections 5.6.1 More Connections Edit More Connections Page Page 5.6.2 Configuring More Connections Advanced Setup More Connections Edit 5.7 Traffic Redirect 5.8 Configuring WAN Backup Page 5.9 WAN Backup Advanced Screen Page Page 5.10 Dial Backup Modem Setup Page Page Page LAN Setup 6.1 LAN Overview 6.1.1LANs, WANs and the ZyXEL Device 6.1.2.1 IP Pool Setup 6.2LAN TCP/IP 6.2.1.1 Private IP Addresses 6.2.3 Multicast IGMP-v1 IGMP 6.2.4 Any IP 6.2.4.1 How Any IP Works 6.3 Configuring LAN IP Page 6.4 DHCP Setup 6.5 LAN Client List 6.6 LAN IP Alias IP Alias Page Page Wireless LAN 7.1 Wireless Network Overview 7.2Wireless Security Overview 7.2.4 Encryption IEEE IEEE 802.1x + Static WEP IEEE 802.1x + Dynamic WEP WPA 7.3 Wireless Performance Overview 7.4 Additional Wireless Terms 7.5 General Wireless LAN Screen Page 7.5.1 No Security No Security 7.5.2 WEP Encryption Screen Network > Wireless LAN 7.5.3 WPA(2)-PSK Page 7.5.4 WPA(2) Authentication Screen Wireless LAN Network Wireless WPA Page 7.5.5 Wireless LAN Advanced Setup Figure 67 Advanced 7.6 OTIST 7.6.1.1 AP 7.6.1.2 Wireless Client 7.6.2 Starting OTIST Start OTIST Adapter Setup key 7.7MAC Filter Page 7.8 WMM QoS 7.8.3 Services Page 7.9 QoS Screen QoS 7.9.2 Application Priority Configuration Modify 7.10 Multiple SSID (P-662HW-DModels only) 7.10.1 Multiple SSID Commands Page 7.10.2 Multiple SSID Example DMZ 8.1 Introduction 8.2 Configuring DMZ Figure 79 DMZ Table 51 DMZ 8.3 DMZ Public IP Address Example 8.4 DMZ Private and Public IP Address Example Page Page Network Address Translation (NAT) Screens 9.1 NAT Overview 9.1.2 What NAT Does 9.1.3 How NAT Works 9.1.4 NAT Application 9.1.5 NAT Mapping Types One to One Many to One SUA Only 9.2 SUA (Single User Account) Versus NAT 9.3NAT General Setup 9.4 Port Forwarding 9.4.1 Default Server IP Address 9.4.2 Port Forwarding: Services and Port Numbers 9.5 Configuring Port Forwarding 9.5.1 Port Forwarding Rule Edit 9.6 Address Mapping Page 9.6.1 Address Mapping Rule Edit Address Mapping Page Firewalls 10.1 Firewall Overview 10.2 Types of Firewalls 10.3 Introduction to ZyXEL’s Firewall 10.4 Denial of Service 10.4.2 Types of DoS Attacks Ping of Death Teardrop SYN Flood LAND SYN Attack LAND Attack brute-force 10.4.2.1 ICMP Vulnerability 10.4.2.2 Illegal Commands (NetBIOS and SMTP) 10.4.2.3 Traceroute 10.5 Stateful Inspection 10.5.1 Stateful Inspection Process Firewall General 10.5.2Stateful Inspection and the ZyXEL Device 10.5.3 TCP Security 10.5.4 UDP/ICMP Security 10.6Guidelines for Enhancing Security with Your Firewall 10.7Packet Filtering Vs Firewall 10.7.1.1When To Use Filtering 10.7.2.1When To Use The Firewall Firewall Configuration 11.1 Access Methods 11.2 Firewall Policies Overview 11.3 Rule Logic Overview 11.3.3.1 Action 11.3.3.2 Service 11.3.3.3 Source Address 11.3.3.4 Destination Address 11.4 Connection Direction 11.5 General Firewall Policy 11.6 Firewall Rules Summary Page 11.6.1 Configuring Firewall Rules Page Page 11.6.2 Customized Services Edit Customized Services 11.7 Example Firewall Rule Customized Service Customized Services Config Any Destination Address Delete Services Rules Page 11.8 Predefined Services Page 11.9 Anti-Probing 11.10 DoS Thresholds 11.10.2.1 TCP Maximum Incomplete and Blocking Time 11.10.3 Configuring Firewall Thresholds Firewall Threshold Page Page Anti-VirusPacket Scan 12.1 Overview 12.2 Signature-BasedVirus Scan 12.3Introduction to the ZyXEL Device Anti-virusPacket Scan 12.4Anti-VirusPacket Scan Configuration AntiVirus 12.5 Registration and Online Update Page 12.5.1 Updating the Anti-VirusPacket Scan Page Content Filtering 13.1 Content Filtering Overview 13.2 Configuring Keyword Blocking 13.3 Configuring the Schedule 13.4 Configuring Trusted Computers Page Content Access Control 14.1 Content Access Control Overview 14.2 Activating CAC and Creating User Groups 14.2.1 Configuring Time Schedule Time Content Access Control-General Unlimited End Time 14.2.2 Configuring Services Content Access Control: General 14.2.2.1 Available Services Page 14.2.3 Configuring Web Site Filters Web Browsing Page Page Page Page 14.2.4 Testing Web Site Access Privileges Diagnose 14.3 User Account Setup 14.4 User Online Status 14.5 Content Access Control Logins 14.5.2 Administrator Login Page Introduction to IPSec 15.1 VPN Overview 15.1.3.1 Encryption 15.1.3.2 Data Confidentiality 15.1.3.3 Data Integrity 15.1.3.4 Data Origin Authentication 15.2 IPSec Architecture 15.3 Encapsulation 15.4IPSec and NAT Page Page VPN Screens 16.1 VPN/IPSec Overview 16.2 IPSec Algorithms 16.3 My IP Address 16.4 Secure Gateway Address 16.5 VPN Setup Screen Figure 129 VPN Setup Table 88 VPN Setup 16.6 Keep Alive 16.7 VPN, NAT, and NAT Traversal 16.8 Remote DNS Server 16.9 ID Type and Content 16.9.1 ID Type and Content Examples 16.10 Pre-SharedKey 16.11 Editing VPN Policies Page Page Page Page 16.12 IKE Phases 16.12.1Negotiation Mode Negotiation Mode Main Mode Aggressive Mode Main Mode 16.13 Configuring Advanced IKE Settings Page Page 16.14 Manual Key Setup 16.15 Configuring Manual Key Page Page 16.16 Viewing SA Monitor 16.17 Configuring Global Setting 16.18 Telecommuter VPN/IPSec Examples 16.18.2 Telecommuters Using Unique VPN Rules Example 16.19 VPN and Remote Management Certificates 17.1 Certificates Overview 17.2Self-signedCertificates 17.3 Configuration Summary 17.4 My Certificates Page 17.5 My Certificate Import 17.6 My Certificate Create Page 17.7 My Certificate Details Page Page 17.8 Trusted CAs Figure 145 Trusted CAs 17.9 Trusted CA Import 17.10 Trusted CA Details Page 17.11 Trusted Remote Hosts Page 17.12 Verifying a Trusted Remote Host’s Certificate 17.13 Trusted Remote Hosts Import 17.14 Trusted Remote Host Certificate Details Page Page 17.15 Directory Servers 17.16 Directory Server Add or Edit Page Static Route 18.1 Static Route 18.2 Configuring Static Route 18.2.1 Static Route Edit Page Page Bandwidth Management 19.1 Bandwidth Management Overview 19.2 Application-basedBandwidth Management 19.3 Subnet-basedBandwidth Management 19.4 Application and Subnet-basedBandwidth Management 19.5 Scheduler 19.6 Maximize Bandwidth Usage 19.6.2.1 Priority-basedAllotment of Unused and Unbudgeted Bandwidth 19.6.2.2Fairness-basedAllotment of Unused and Unbudgeted Bandwidth 19.7 Configuring Summary Page 19.8 Bandwidth Management Rule Setup 19.8.1 Rule Configuration User Defined Service Rule Setup Page 19.9 Bandwidth Monitor Page Page Dynamic DNS Setup 20.1 Dynamic DNS Overview 20.2 Configuring Dynamic DNS Figure 163 Dynamic DNS Page Page Remote Management Configuration 21.1 Remote Management Overview 21.2 WWW 21.3 Telnet 21.4 Configuring Telnet 21.5 Configuring FTP 21.6 SNMP 21.6.1Supported MIBs 21.6.2 SNMP Traps 21.6.3 Configuring SNMP SNMP Page 21.7 Configuring DNS 21.8 Configuring ICMP Page 21.9 TR-069 Page Universal Plug-and-Play(UPnP) 22.1 Introducing Universal Plug and Play 22.2 UPnP and ZyXEL 22.3 Installing UPnP in Windows Example Communications Universal Plug and Play Add/Remove Programs Properties Installing UPnP in Windows XP 1Click Start and Control Panel 2Double-click Network Connections Network Connections Optional Networking Components … 22.4Using UPnP in Windows XP Example Page Page Web Configurator Easy Access 1Click Start and then Control Panel 3Select My Network Places under Other Places Local Network Invoke Page Page System 23.1 General Setup Page 23.2 Time Setting Page Page Page Logs 24.1 Logs Overview 24.2 Viewing the Logs 24.3 Configuring Log Settings Access Control Page 24.4 SMTP Error Messages Page Tools 25.1 Firmware Upgrade Firmware Upload in Progress 25.2 Configuration Screen 25.2.2 Restore Configuration 25.3 Restart Page Diagnostic 26.1 General Diagnostic 26.2 DSL Line Diagnostic Troubleshooting 27.1 Problems Starting Up the ZyXEL Device 27.2 Problems with the LAN 27.3 Problems with the WAN 27.4 Problems Accessing the ZyXEL Device 27.4.1.1 Internet Explorer Pop-upBlockers Privacy Internet Options Block pop-ups 2Select Settings…to open the Pop-upBlocker Settings screen Allowed sites 27.4.1.2JavaScripts Custom Level Scripting Active scripting Scripting of Java applets 27.4.1.3 Java Permissions 2make sure that Use Java 2 for <applet> under Java (Sun) is selected 27.4.2 ActiveX Controls in Internet Explorer 2In the Internet Options window, click Custom Level 3Scroll down to ActiveX controls and plug-ins 4Under Download signed ActiveX controls select the Prompt radio button Page Page Specification Tables Table 148 Firmware Page Page Introduction to DSL ADSL Overview Advantages of ADSL Page Page Page Windows 95/98/Me Installing Components Protocol Microsoft manufacturers Client Configuring Obtain an IP address automatically Specify an IP address Subnet Mask Disable DNS Windows 2000/NT/XP 3Right-click Local Area Connection and then click Properties Internet Protocol (TCP/IP) •Click Advanced IP Settings TCP/IP Address IP address Subnet mask Use the following DNS server addresses Preferred DNS server Alternate DNS server Macintosh OS 8/9 2Select Ethernet built-in from the Connect via list Using DHCP Server Configure: Macintosh OS Linux Using the K Desktop Environment (KDE) System Setting Ethernet Device General Automatically obtain IP address settings with dhcp Using Configuration Files Page Page Introduction to IP Addresses IP Address Classes and Network ID Subnet Masks Subnetting Example: Two Subnets Example: Four Subnets Example Eight Subnets Subnetting With Class A and Class B Networks Page Wireless LAN Topologies ESS Channel RTS/CTS Fragmentation Threshold Preamble Type IEEE 802.11g Wireless LAN IEEE RADIUS Types of Authentication EAP-TLS(Transport Layer Security) EAP-TTLS(Tunneled Transport Layer Service) PEAP (Protected EAP) LEAP Dynamic WEP Key Exchange WPA(2) User Authentication Security Parameters Summary Page Import ZyXEL Device Certificates into Netscape Navigator 2Click Install Certificate to open the Install Certificate wizard Install Certificate Import Certificate Page Enrolling and Importing SSL Client Certificates Installing the CA’s Certificate Installing Your Personal Certificate(s) File name Browse Place all certificates in the following store Page Page Command Syntax Access via Telnet Command Usage Page Page Page Page Page Firmware and Configuration File Maintenance Page Page Page Page Page Page Page Introduction Display NetBIOS Filter Settings NetBIOS Filter Configuration Page Page Internal SPTGEN Overview The Configuration Text File Format Internal SPTGEN FTP Download Example Internal SPTGEN FTP Upload Example Example Internal SPTGEN Screens Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Command Examples Page Page Connecting a POTS Splitter Telephone Microfilters ZyXEL Device With ISDN Page Page Page Table 185 ICMP Logs Table 186 CDR Logs Table 187 PPP Logs Table 188 UPnP Logs Page Table 191 IPSec Logs Table 192 IKE Logs Page Page Table 193 PKI Logs Page Page Page Page Log Commands Log Command Example The Ideal Setup The “Triangle Route” Problem The “Triangle Route” Solutions IP Aliasing Gateways on the WAN Side Page Index