ZyXEL Communications P-661HW 178

P-661H/HW Series User’s Guide

Table 67 Firewall: Threshold (continued)

LABEL	DESCRIPTION	DEFAULT VALUES

Maximum	This is the number of existing half-open	80 existing half-open sessions.
Incomplete Low	sessions that causes the firewall to stop
	deleting half-open sessions. The ZyXEL
	Device continues to delete half-open requests
	as necessary, until the number of existing
	half-open sessions drops below this number.
Maximum	This is the number of existing half-open	100 existing half-open sessions.
Incomplete High	sessions that causes the firewall to start	The above values causes the
	deleting half-open sessions. When the	ZyXEL Device to start deleting half-
	number of existing half-open sessions rises	open sessions when the number of
	above this number, the ZyXEL Device deletes	existing half-open sessions rises
	half-open sessions as required to	above 100, and to stop deleting
	accommodate new connection requests. Do	half-open sessions with the
	not set Maximum Incomplete High to lower	number of existing half-open
	than the current Maximum Incomplete Low	sessions drops below 80.
	number.
TCP Maximum	This is the number of existing half-open TCP	30 existing half-open TCP
Incomplete	sessions with the same destination host IP	sessions.
	address that causes the firewall to start
	dropping half-open sessions to that same
	destination host IP address. Enter a number
	between 1 and 256. As a general rule, you
	should choose a smaller number for a smaller
	network, a slower system or limited
	bandwidth.
Action taken when the TCP Maximum Incomplete threshold is reached.

Delete the oldest	Select this radio button to clear the oldest half
half open session	open session when a new connection request
when new	comes.
connection
request comes
Deny new	Select this radio button and specify for how
connection	long the ZyXEL Device should block new
request for	connection requests when TCP Maximum
	Incomplete is reached.
	Enter the length of blocking time in minutes
	(between 1 and 256).
Apply	Click Apply to save your changes back to the ZyXEL Device.

Cancel	Click Cancel to begin configuring this screen afresh.

178	Chapter 9 Firewall Configuration

Contents

User’s Guide Page Copyright Disclaimer Trademarks Certifications Federal Communications Commission (FCC) Interference Statement Notice Certifications Page Safety Warnings ZyXEL Limited Warranty Note Customer Support Page Page Table of Contents Wizards Wireless LAN Network Address Translation (NAT) Screens Firewall Configuration Content Filtering Introduction to IPSec Page Static Route Bandwidth Management Remote Management Configuration Page Troubleshooting Appendix A Product Specifications Appendix B About ADSL Appendix G Appendix H Appendix Appendix J Appendix K Page List of Figures Page Page Page Page Page List of Tables Page Page Page Preface About This User's Guide Syntax Conventions Related Documentation User Guide Feedback Graphics Icons Key Getting To Know Your ZyXEL Device 1.1 Introducing the ZyXEL Device 1.2 Features High Speed Internet Access Triple Play Service Zero Configuration Internet Access Any IP Media Bandwidth Management Universal Plug and Play (UPnP) PPPoE (RFC2516) Network Address Translation (NAT) Dynamic DNS Support IP Alias TR-069Compliance (P-661HOnly) Housing 4-portSwitch Wireless LAN 1.3 Applications for the ZyXEL Device 1.4 Front Panel LEDs 1.5 Hardware Connection 1.6 Splitters and Microfilters 1.6.1 Connecting a POTS Splitter 1.6.2Telephone Microfilters Page Page Introducing the Web Configurator 2.1 Web Configurator Overview 2.2 Accessing the Web Configurator Login Ignore Go to Wizard setup Go to Advanced setup View Device Status 2.3 Resetting the ZyXEL Device 2.4Navigating the Web Configurator Page Page Page 2.4.2 Status Screen Page 2.4.3 Status: Any IP Table Any IP Table 2.4.4 Status: WLAN Status (Wireless devices only) WLAN Status 2.4.5 Status: VPN Status VPN Status 2.4.6 Status: Bandwidth Status Bandwidth Status 2.4.7 Status: Packet Statistics Packet Statistics Poll Interval(s) 2.4.8 Changing Login Password Maintenance > System Page Wizards 3.1 Internet Setup Wizard 3.1.2.1 Screen 3.1.2.2 Screen 3.1.2.3 Screen Page Page 3.1.3 No DSL Detection 3.2Wireless Connection Wizard Setup (wireless devices only) Page Disable wireless security Manually assign a WEP key 3.2.1Manually assign a WPA-PSKkey Manually assign a key Pre- Shared Key 3.2.2 Manually assign a WEP key Page Finish 3.3 Bandwidth Management Wizard BANDWIDTH MANAGEMENT SETUP 3.3.1 Screen 3.3.2 Screen 3.3.3 Screen Page WAN Setup 4.1 WAN Overview 4.1.1.1 ENET ENCAP 4.1.1.2 PPP over Ethernet 4.1.1.3 PPPoA 4.1.1.4RFC 4.1.2.1 VC-basedMultiplexing 4.1.2.2 LLC-basedMultiplexing 4.1.4.1 IP Assignment with PPPoA or PPPoE Encapsulation 4.1.4.2 IP Assignment with RFC 1483 Encapsulation 4.1.4.3 IP Assignment with ENET ENCAP Encapsulation 4.2 Metric 4.3 Traffic Shaping 4.3.1.1 Constant Bit Rate (CBR) 4.3.1.2 Variable Bit Rate (VBR) 4.3.1.3 Unspecified Bit Rate (UBR) 4.4 Zero Configuration Internet Access 4.5Internet Connection Page 4.5.1 Configuring Advanced Internet Connection Internet Connection Page 4.6 Configuring More Connections 4.6.1 More Connections Edit More Connections Page Page 4.6.2 Configuring More Connections Advanced Setup More Connections Edit 4.7 Traffic Redirect 4.8 Configuring WAN Backup Page Page LAN Setup 5.1 LAN Overview 5.1.1LANs, WANs and the ZyXEL Device 5.1.2.1 IP Pool Setup 5.2LAN TCP/IP 5.2.1.1 Private IP Addresses 5.2.3 Multicast IGMP-v1 IGMP 5.2.4 Any IP 5.2.4.1 How Any IP Works 5.3 Configuring LAN IP Page 5.4 DHCP Setup 5.5 LAN Client List Page 5.6 LAN IP Alias Page Page Wireless LAN 6.1 Wireless Network Overview 6.2Wireless Security Overview 6.2.4 Encryption Static WEP WPA- PSK WPA-PSK WPA 6.3 Wireless Performance Overview 6.4 General Wireless LAN Screen Page 6.4.1 No Security No Security 6.4.2 WEP Encryption Network > Wireless LAN 6.4.3 WPA-PSK/WPA2-PSK Page 6.4.4 WPA/WPA2 Wireless LAN Page 6.4.5 Wireless LAN Advanced Setup 6.5 OTIST 6.5.1.1 AP 6.5.1.2 Wireless Client 6.5.2 Starting OTIST Start OTIST Adapter 6.5.3Notes on OTIST 6.6MAC Filter Page 6.7 WMM QoS 6.7.3 Services 6.8 QoS Screen 6.8.1 ToS (Type of Service) and WMM QoS QoS 6.8.2 Application Priority Configuration Modify Page Page Network Address Translation (NAT) Screens 7.1 NAT Overview 7.1.2 What NAT Does 7.1.3 How NAT Works 7.1.4 NAT Application 7.1.5 NAT Mapping Types One to One Many to One SUA Only 7.2 SUA (Single User Account) Versus NAT 7.3NAT General Setup 7.4 Port Forwarding 7.4.1 Default Server IP Address 7.4.2 Port Forwarding: Services and Port Numbers 7.4.3 Configuring Servers Behind Port Forwarding (Example) 7.5 Configuring Port Forwarding 7.5.1 Port Forwarding Rule Edit 7.6 Address Mapping Page 7.6.1 Address Mapping Rule Edit Address Mapping Page Firewalls 8.1 Firewall Overview 8.2 Types of Firewalls 8.3 Introduction to ZyXEL’s Firewall 8.4 Denial of Service 8.4.2 Types of DoS Attacks Ping of Death Teardrop SYN Flood LAND SYN Attack LAND Attack brute-force 8.4.2.1 ICMP Vulnerability 8.4.2.2 Illegal Commands (NetBIOS and SMTP) 8.4.2.3 Traceroute 8.5 Stateful Inspection 8.5.1 Stateful Inspection Process Firewall General 8.5.2Stateful Inspection and the ZyXEL Device 8.5.3 TCP Security 8.5.4 UDP/ICMP Security 8.6Guidelines for Enhancing Security with Your Firewall 8.7Packet Filtering Vs Firewall 8.7.1.1When To Use Filtering 8.7.2.1When To Use The Firewall Firewall Configuration 9.1 Access Methods 9.2 Firewall Policies Overview 9.3 Rule Logic Overview 9.3.3.1 Action 9.3.3.2 Service 9.3.3.3 Source Address 9.3.3.4 Destination Address 9.4 Connection Direction 9.5 Triangle Route 9.5.2 Solving the “Triangle Route” Problem 9.6 General Firewall Policy 9.7 Firewall Rules Summary 9.7.1 Configuring Firewall Rules Page Page 9.7.2 Customized Services Edit Customized Services 9.8 Example Firewall Rule Customized Service Customized Services Config Any Destination Address Delete Services Rules Page 9.9 Predefined Services Page 9.10 Anti-Probing 9.11 DoS Thresholds 9.11.2.1 TCP Maximum Incomplete and Blocking Time 9.11.3 Configuring Firewall Thresholds Firewall Threshold Page Trend Micro Security Services 10.1 Trend Micro Security Services Overview Service Summary Activate My Services Service Summary 10.2 Configuring TMSS on the ZyXEL Device Page 10.2.2 TMSS Exception List Security > TMSS > Exception List 10.3 TMSS Virus Protection 10.4 Parental Controls Page 10.4.1 Parental Controls Statistics Statistics 10.5 ActiveX Controls in Internet Explorer Page Page Page Content Filtering 11.1 Content Filtering Overview 11.2 Configuring Keyword Blocking 11.3 Configuring the Schedule 11.4 Configuring Trusted Computers Page Introduction to IPSec 12.1 VPN Overview 12.1.3.1 Encryption 12.1.3.2 Data Confidentiality 12.1.3.3 Data Integrity 12.1.3.4 Data Origin Authentication 12.2 IPSec Architecture 12.3 Encapsulation 12.4IPSec and NAT Page Page VPN Screens 13.1 VPN/IPSec Overview 13.2 IPSec Algorithms 13.3 My IP Address 13.4 Secure Gateway Address 13.5 VPN Setup Screen Figure 121 VPN Setup Table 78 VPN Setup 13.6 Keep Alive 13.7 VPN, NAT, and NAT Traversal 13.8 Remote DNS Server 13.9 ID Type and Content 13.9.1 ID Type and Content Examples 13.10 Pre-SharedKey 13.11 Editing VPN Policies Page Page Page Page 13.12 IKE Phases 13.12.1Negotiation Mode Negotiation Mode Main Mode Aggressive Mode Main Mode 13.13 Configuring Advanced IKE Settings Page Page 13.14 Manual Key Setup 13.15 Configuring Manual Key Page Page 13.16 Viewing SA Monitor 13.17 Configuring Global Setting 13.18 Telecommuter VPN/IPSec Examples 13.18.2 Telecommuters Using Unique VPN Rules Example Page 13.19 VPN and Remote Management Page Static Route 14.1 Static Route 14.2Configuring Static Route 14.2.1 Static Route Edit Page Page Bandwidth Management 15.1 Bandwidth Management Overview 15.2 Application-basedBandwidth Management 15.3 Subnet-basedBandwidth Management 15.4 Application and Subnet-basedBandwidth Management 15.5 Scheduler 15.6 Maximize Bandwidth Usage 15.6.2.1 Priority-basedAllotment of Unused and Unbudgeted Bandwidth 15.6.2.2Fairness-basedAllotment of Unused and Unbudgeted Bandwidth 15.7 Configuring Summary 15.8 Bandwidth Management Rule Setup Page 15.8.1 Rule Configuration User define Page 15.9 Bandwidth Monitor Page Dynamic DNS Setup 16.1 Dynamic DNS Overview 16.2 Configuring Dynamic DNS Figure 140 Dynamic DNS Page Page Remote Management Configuration 17.1 Remote Management Overview 17.2 WWW 17.3 Telnet 17.4 Configuring Telnet 17.5 Configuring FTP 17.6 SNMP 17.6.1Supported MIBs 17.6.2 SNMP Traps 17.6.3 Configuring SNMP SNMP Page 17.7 Configuring DNS 17.8 Configuring ICMP Page 17.9 TR-069 (P-661HOnly) Page Universal Plug-and-Play(UPnP) 18.1 Introducing Universal Plug and Play 18.2 UPnP and ZyXEL 18.3 Installing UPnP in Windows Example Communications Universal Plug and Play Add/Remove Programs Properties Installing UPnP in Windows XP 1Click Start and Control Panel 2Double-click Network Connections Network Connections Optional Networking Components … 18.4Using UPnP in Windows XP Example Page Page Page Web Configurator Easy Access 1Click Start and then Control Panel 3Select My Network Places under Other Places Local Network Invoke Page System 19.1 General Setup Page 19.2 Time Setting Page Page Page Logs 20.1 Logs Overview 20.2 Viewing the Logs 20.3 Configuring Log Settings Page Page Tools 21.1 Firmware Upgrade Firmware Upload in Progress Return 21.2 Configuration Page 21.3 Restart Page Diagnostic 22.1 General Diagnostic 22.2 DSL Line Diagnostic Troubleshooting 23.1 Problems Starting Up the ZyXEL Device 23.2 Problems with the LAN 23.3 Problems with the WAN 23.4 Problems Accessing the ZyXEL Device Page Appendix A Product Specifications Specification Tables Table 127 Firmware Page Page Appendix B About ADSL Introduction to DSL ADSL Overview Advantages of ADSL Page Wall-mountingInstructions Page Appendix D Setting up Your Computer’s IP Address Windows 95/98/Me Installing Components Protocol Microsoft manufacturers Client Configuring Obtain an IP address automatically Specify an IP address Subnet Mask Disable DNS Windows 2000/NT/XP Page Internet Protocol (TCP/IP) Use the following IP Address IP address Subnet mask Default gateway •Click Advanced IP Settings TCP/IP Address Default gateways TCP/IP Gateway Address Use the following DNS server addresses Preferred DNS server Alternate DNS server Macintosh OS Automatic Location •Select Built-inEthernet from the Show list Using DHCP Configure Linux Automatically obtain IP address settings with dhcp Statically set IP Addresses Address Default Gateway Address Using Configuration Files Page Appendix E IP Subnetting IP Addressing IP Classes Subnet Masks Subnetting Example: Two Subnets Page Example: Four Subnets Example Eight Subnets Subnetting With Class A and Class B Networks Page Appendix F Command Interpreter Command Syntax Command Usage Page Appendix G Firewall Commands Page Page Page Page Page Appendix H NetBIOS Filter Commands Introduction Display NetBIOS Filter Settings NetBIOS Filter Configuration Appendix PPPoE PPPoE in Action Benefits of PPPoE Traditional Dial-upScenario How PPPoE Works ZyXEL Device as a PPPoE Client Appendix J Log Descriptions Page Page Table 149 ICMP Logs Table 150 CDR Logs Table 151 PPP Logs Table 152 UPnP Logs Page Table 155 IPSec Logs Table 156 IKE Logs Page Page Table 157 PKI Logs Page Page Page Page Log Commands Log Command Example Wireless LANs (wireless devices only) Wireless LAN Topologies ESS Channel RTS/CTS Fragmentation Threshold Preamble Type IEEE 802.11g Wireless LAN IEEE RADIUS Types of Authentication Dynamic WEP Key Exchange WPA and WPA2 User Authentication Wireless Client WPA Supplicants WPA(2) with RADIUS Application Example WPA(2)-PSKApplication Example Security Parameters Summary Page Pop-upWindows, JavaScripts and Java Permissions Internet Explorer Pop-upBlockers Enable pop-upBlockers with Exceptions 2Select Settings…to open the Pop-upBlocker Settings screen Allowed sites JavaScripts Custom Level Scripting Active scripting Scripting of Java applets Java Permissions JAVA (Sun) 2make sure that Use Java 2 for <applet> under Java (Sun) is selected Figure 219 Java (Sun) Index