ZyXEL Communications P-312 - page 153

P312 Broadband Security Gateway

What Is a Firewall? 13-5

Under normal circumstances, the application that initiates a session sends a SYN (synchronize) packet to the

receiving server. The receiver sends back an ACK (acknowledgment) packet and its own SYN, and then the

initiator responds with an ACK (acknowledgment). After this handshake, connection is established.

2-a SYN Attack floods a targeted system with a series of SYN packets. Each packet causes the

targeted system to issue a SYN-ACK response. While the targeted system waits for the ACK that

follows the SYN-ACK, it queues up all outstanding SYN-ACK responses on what is known as a

backlog queue. SYN-ACKs are moved off the queue only when an ACK comes back or when an

internal timer (which is set at relatively long intervals) terminates the three-way handshake. Once

the queue is full, the system will ignore all incoming SYN requests, making the system unavailable

for legitimate users.

Figure 13-3 SYN Flood

2-b In a LAND Attack, hackers flood SYN packets into the network with a spoofed source IP

address of the targeted system. This makes it appear as if the host computer sent the packets to

itself, making the system unavailable while the target system tries to respond to itself.

3. A brute-force attack, such as a "Smurf" attack, targets a feature in the IP specification known as directed

or subnet broadcasting, to quickly flood the target network with useless data. A Smurf hacker floods a

router with Internet Control Message Protocol (ICMP) echo request packets (pings). Since the

destination IP address of each packet is the broadcast address of the network, the router will broadcast

the ICMP echo request packet to all hosts on the network. If there are numerous hosts, this will create a

large amount of ICMP echo request and response traffic. If a hacker chooses to spoof the source IP

address of the ICMP echo request packet, the resulting ICMP traffic will not only clog up the

"intermediary" network, but will also congest the network of the spoofed source IP address, known as

the "victim" network. This flood of broadcast traffic consumes all available bandwidth, making

communications impossible.

Contents

Main Prestige 312 Broadband Security Gateway P312 Broadband Security Gateway FCC Statement iii Federal Communications Commission (FCC) Interference Statement iv Canadian Users Information for Canadian Users Declaration of Conformity Prestige 312 Standard Standard Item Versi on Page Page viii Customer Support Customer Support Table of Contents Page Page Page Page Page Page List of Figures Page Page Page Page Page Page List Of Tables Page Page Page Preface Page Page Page Chapter 1 Getting to Know Your Prestige 1.1 The Prestige 312 Broadband Security Gateway 1.2 Features of The Prestige 312 Page 1.3 Applications for Prestige 312 1.3.1 Broadband Internet Access via Cable or xDSL Modem Page Chapter 2 Hardware Installation & Initial Setup 2.1 Front Panel LEDs and Back Panel Ports 2.1.1 Front Panel LEDs 2.2 Prestige 312 Rear Panel and Connections 2.3 Additional Installation Requirements 2.4 Housing 2.5 Power Up Your Prestige P312 Broadband Security Gateway Hardware Installation & Initial Setup 2-5 Figure 2-4 Password Screen 2.6 Navigating the SMT Interface 2-6 Hardware Installation & Initial Setup 2.6.1 Main Menu After you enter the password, the SMT displays the Prestige 312 Main Menu, as shown below. Figure 2-5 Prestige 312 Main Menu 2.6.2 System Management Terminal Interface Summary Table 2-3 Main Menu Summary 2.7 Changing the S ystem Password 2.7.1 Resetting the Prestige 2.8 General Setup 2.8.1 Dynamic DNS 2.8.2 Configuring Dynamic DNS 2.9 WAN Setup 2.10 LAN Setup 2.10.1 LAN Port Filter Setup Chapter 3 Internet Access 3.1 TCP/IP and DHCP for LAN 3.1.1 Factory LAN Defaults 3.1.2 IP Address and Subnet Mask 3.1.3 Private IP Addresses 3.1.4 RIP Setup 3.1.5 DHCP Configuration 3.1.6 IP Multicast 3.1.7 IP Alias 3.2 TCP/IP and DHCP Ethernet Setup Page 3-6 Internet Access P312 Broadband Security Gateway Internet Access 3-7 3.2.1 IP Alias Setup 3.3 Internet Access Setup 3.3.1 Ethernet Encapsulation 3.3.2 PPTP Encapsulation 3.3.3 Configuring the PPTP Client 3.3.4 PPPoE Encapsulation Page 3.4 Basic Setup Complete Page Chapter 4 Remote Node Setup 4.1 Remote Node Profile 4.1.1 Ethernet Encapsulation 4-2 Remote Node Setup Table 4-1 Fields in Menu 11.1 4.1.2 PPPoE Encapsulation 4-4 Remote Node Setup Table 4-2 Fields in Menu 11.1 (PPPoE Encapsulation Specific) 4.1.3 PPTP Encapsulation Remote Node Setup 4-5 4-6 Remote Node Setup 4.2 Editing TCP/IP Options (with Ethernet Encapsulation) 4.2.1 Editing TCP/IP Options (with PPTP Encapsulation) 4-8 Remote Node Setup 4.2.2 Editing TCP/IP Options (with PPPoE Encapsulation) 4.3 Remote Node Filter Page Page 5.1 IP Static Route Setup IP Static Route Setup 5-3 Table 5-1 IP Static Route Menu Fields Page Chapter 6 Network Address Translation (NAT) 6.1 Introduction 6.1.1 NAT Definitions 6.1.2 What NAT Does 6.1.3 How NAT works 6.1.4 NAT Mapping Types 6.1.5 SUA (Single User Account) Versus NAT 6.1.6 NAT Application 6.2 SMT Menus 6.2.1 Applying NAT in the SMT Menus Page 6.2.2 Configuring NAT 6.2.3 Address Mapping Sets and NAT Server Sets: Page Page Page Page 6.3 NAT Server Sets 6.3.1 Multiple Servers behind NAT 6.3.2 Configuring a Server behind NAT 6.4 Examples 6.4.1 Internet Access Only Page 6.4.2 Example 2 Internet Access with an Inside Server 6.4.3 Example 3 General Case Page Page Page 6.4.4 Example 4 NAT Unfriendly Application Programs 6-20 NAT Figure 6-23 Example 4 - Menu 15.1.1 - Address Mapping Rules Page Page Chapter 7 Filter Configuration 7.1 About Filtering 7.1.1 The Filter Structure of the Prestige Filters 7-3 Execute Filter Rule Filter Set Forward Drop Check Next Rule 7.2 Configuring a Filter Set Filters 7-5 Figure 7-6 NetBIOS_WAN Filter Rules Summary Figure 7-7 NetBIOS _LAN Filter Rules Summary Figure 7-8 TEL_FTP_WEB_WAN Filter Rules Summary 7-6 Filters 7.2.1 Filter Rules Summary Menu 7.2.2 Configuring a Filter Rule 7.2.3 TCP/IP Filter Rule 7-8 Filters Filters 7-9 Page Filters 7-11 Figure 7-10 Executing an IP Filter 7.2.4 Generic Filter Rule Filters 7-13 7.3 Example Filter Page 7.4 Filter Types and NAT 7.5 Firewall 7.6 Applying a Filter and Factory Defaults 7.6.1 LAN traffic 7.6.2 Remote Node Filters Chapter 8 SNMP Configuration 8.1 About SNMP 8.2 Configuring SNMP Page Chapter 9 System Information & Diagnosis 9.1 System Status System Information & Diagnosis 9-3 9.2 System Information and Console Port Speed 9.2.1 System Information 9.2.2 Console Port Speed 9.3 Log and Trace 9.3.1 Viewing Error Log 9.3.2 UNIX Syslog Page 9-8 System Information & Diagnosis 1. CDR 2. Packet triggered 3. Filter log System Information & Diagnosis 9-9 4. PPP log 5. Firewall log 9.3.3 Call-Triggering Packet 9.4 Diagnostic 9.4.1 WAN DHCP Page Chapter 10 Transferring Files 10.1 Filename conventions 10.1.1 Firmware Development 10.2 Backup Configuration 10.3 Restore Configuration 10.4 Upload Firmware 10.4.1 Uploading the Router Firmware 10.4.2 Uploading Router Configuration File 10.5 TFTP File Transfer 10.5.1 Example TFTP Command 10.6 FTP File Transfer 10.6.1 Using the FTP command from the DOS Prompt Page Page Chapter 11 System Maintenance & Information 11.1 Command Interpreter Mode 11.2 Call Control Support 11.2.1 Budget Management 11.2.2 Call History 11.3 Time and Date Setting 11.3.1 How often does the Prestige update the time? System Maintenance & Information 11-5 Figure 11-6 System Maintenance Time and Date Setting Table 11-3 Time and Date Setting Fields 11.4 Remote Management Setup 11.5 Boot Commands 11-8 System Maintenance & Information Figure 11-9 Boot Module Commands Chapter 12 Telnet Configuration and Capabilities 12.1 About Telnet Configuration 12.2 Telnet Under NAT 12.3 Telnet Capabilities 12.3.1 Single Administrator 12.4 Telnet Under the Firewall Page Chapter 13 What is a Firewall 13.1 Types of Firewalls 13.1.1 Packet Filtering Firewalls 13.1.2 Application-level Firewalls 13.1.3 Stateful Inspection firewalls 13.2 Introduction to ZyXELs Firewall 13.3 Denial of Service 13.3.1 Basics 13.3.2 Types of DoS attacks Page 13.4 Stateful Inspection 13.4.1 Stateful Inspection Process 13.4.2 Stateful Inspection & the Prestige 13.4.3 TCP Security 13.4.4 UDP/ICMP Security 13.4.5 Upper Layer Protocols 13.5 Guidelines For Enhancing Securit y With Your Firewall 13.5.1 Security In General Page Page Chapter 14 Introducing the Prestige Firewall 14.1 SMT Menus 14.1.1 View Firewall Log 14.1.2 Attack Types Page Page Introducing the Prestige Firewall 14-5 Table 14-4 View Firewall Log 14.2 The Big Picture Filtering, Firewall and NAT 14.3 Packet Filtering Vs Firewall 14.3.1 Packet Filtering: 14.3.2 Firewall: Page Chapter 15 Introducing the Prestige Web Configurator 15.1 Web Configurator Login and Welcome Screens Page 15.3 E-Mail 15.3.1 What are Alerts? 15.3.2 What are Logs? Introducing the Prestige Web Configurator 15-5 Table 15-1 E-Mail 15.3.3 SMTP Error Messages 15.3.4 Example E-Mail Log 15.4 Attack Alert 15.4.1 Threshold Values: 15.4.2 Half-Open Sessions Page P312 Broadband Security Gateway 15-10 Introducing the Prestige Web Configurator Table 15-3 Attack Alert Introducing the Prestige Web Configurator 15-11 Page Chapter 16 Creating Custom Rules 16.1 Rules Overview 16.2 Rule Logic Overview 16.2.1 Rule Checklist 16.2.2 Security Ramifications 16.2.3 Key Fields For Configuring Rules 16.3 Connection Direction 16.4 Services Supported Creating Custom Rules 16-5 Table 16-1 Services Supported 16.5 Rule Summary Creating Custom Rules 16-7 Table 16-2 Firewall Rules Summary First Screen Table 16-1 16.5.1 Creating/Editing Firewall Rules Page P312 Broadband Security Gateway 16-10 Creating Custom Rules 16.5.2 Source & Destination Addresses Page 16.6 Timeout 16.6.1 Factors Influencing Choices for Timeout Values: Page P312 Broadband Security Gateway 16-14 Creating Custom Rules Table 16-5 Timeout Menu Page 17.2 Creating/Editing A Custom Port Page P312 Broadband Security Gateway 17-4 Custom Ports Table 17-2 Creating/Editing A Custom Port Page P312 Broadband Security Gateway 18-2 Logs Table 18-1 Log Screen Page Page Chapter 19 Example Firewall Rules 19.1 Examples 19.1.1 Example 1 - Firewall Rule To Allow Web Service From The Internet Page Page Page Page 19.1.2 Example 2 Small Office With Mail, FTP and Web Servers Page Page Page Page 19.1.3 Example 3: DHCP Negotiation and Syslog Connection from the Internet Page Page Page Chapter 20 Content Filtering 20.1 Restrict Web Features 20.1.1 ActiveX 20.1.2 Java 20.1.3 Cookies 20.2 Blocking URLs 20.3 Content Filteri ng Using the Web Configurator Page Page Page Chapter 21 Troubleshooting 21.1 Problems Starting Up the Prestige 21-2 Troubleshooting 21.2 Problems with the LAN Interface Table 21-2 Troubleshooting the LAN Interface 21.3 Problems with the WAN interface Table 21-3 Troubleshooting the WAN interface Troubleshooting 21-3 21.4 Problems with Internet Access Table 21-4 Troubleshooting Internet Access 21.5 Problems with the Firewall Page Appendix A PPPoE Page Appendix B PPTP Page Hardware Specifications I Appendix C Hardware Specifications Pin1 Pin 6 Pin 9 Appendix D Important Safety Instructions CLI Commands K Appendix E Firewall CLI Commands LCLI Commands CLI Commands M NCLI Commands CLI Commands O P Power Adapter Specifications Appendix F Power Adapter Specs Power Adapter Specifications Q RGlossary Glossary of Terms Glossary S TGlossary Glossary U VGlossary Glossary W XGlossary Glossary Y ZGlossary Glossary AA Page Index CC Index A B C D F G H I J L M N O P S T U V W X Z