ZyXEL Communications P660HWTX 802.11g Wireless ADSL2+4 port Gateway User Manual 2

ZyXEL Communications Corporation 802.11g Wireless ADSL2+4 port Gateway Users Manual 2

Users Manual 2

P-660H/HW/W-T Series User’ GuideChapter 7 Network Address Translation (NAT) Screens 112Figure 43   Edit Address Mapping Rule  The following table describes the fields in this screen. Table 30   Edit Address Mapping Rule LABEL DESCRIPTIONType Choose the port mapping type from one of the following. •One-to-One: One-to-One mode maps one local IP address to one global IP address. Note that port numbers do not change for One-to-one NAT mapping type.•Many-to-One: Many-to-One mode maps multiple local IP addresses to one global IP address. This is equivalent to SUA (i.e., PAT, port address translation), ZyXEL's Single User Account feature that previous ZyXEL routers supported only. •Many-to-Many Overload: Many-to-Many Overload mode maps multiple local IP addresses to shared global IP addresses. •Many-to-Many No Overload: Many-to-Many No Overload mode maps each local IP address to unique global IP addresses. •Server: This type allows you to specify inside servers of different services behind the NAT to be accessible to the outside world.Local Start IP This is the starting local IP address (ILA). Local IP addresses are N/A for Server port mapping.Local End IP This is the end local IP address (ILA). If your rule is for all local IP addresses, then enter 0.0.0.0 as the Local Start IP address and 255.255.255.255 as the Local End IP address. This field is N/A for One-to-One and Server mapping types.Global Start IP This is the starting global IP address (IGA). Enter 0.0.0.0 here if you have a dynamic IP address from your ISP. Global End IP This is the ending global IP address (IGA). This field is N/A for One-to-One, Many-to-One and Server mapping types.Server Mapping SetOnly available when Type is set to Server. Select a number from the drop-down menu to choose a server set from the NAT - Address Mapping Rules screen.Edit Details Click this link to go to the NAT - Edit SUA/NAT Server Set screen to edit a server set that you have selected in the Server Mapping Set field.Apply Click Apply to save your changes back to the Prestige.
P-660H/HW/W-T Series User’ Guide113 Chapter 7 Network Address Translation (NAT) ScreensCancel Click Cancel to return to the previously saved settings.Delete Click Delete to exit this screen without saving.Table 30   Edit Address Mapping Rule  (continued)LABEL DESCRIPTION
P-660H/HW/W-T Series User’ GuideChapter 8 Dynamic DNS Setup 114CHAPTER 8Dynamic DNS SetupThis chapter discusses how to configure your Prestige to use Dynamic DNS.8.1  Dynamic DNS Overview  Dynamic DNS allows you to update your current dynamic IP address with one or many dynamic DNS services so that anyone can contact you (in NetMeeting, CU-SeeMe, etc.). You can also access your FTP server or Web site on your own computer using a domain name (for instance myhost.dhs.org, where myhost is a name of your choice) that will never change instead of using an IP address that changes each time you reconnect. Your friends or relatives will always be able to call you even if they don't know your IP address.First of all, you need to have registered a dynamic DNS account with www.dyndns.org. This is for people with a dynamic IP from their ISP or DHCP server that would still like to have a domain name. The Dynamic DNS service provider will give you a password or key. 8.1.1  DYNDNS WildcardEnabling the wildcard feature for your host causes *.yourhost.dyndns.org to be aliased to the same IP address as yourhost.dyndns.org. This feature is useful if you want to be able to use, for example, www.yourhost.dyndns.org and still reach your hostname.If you have a private WAN IP address, then you cannot use Dynamic DNS.See Section 8.2 on page 114 for configuration instruction. 8.2  Configuring Dynamic DNS To change your Prestige’s DDNS, click Dynamic DNS. The screen appears as shown.See Section 8.1 on page 114 for more information.
P-660H/HW/W-T Series User’ Guide115 Chapter 8 Dynamic DNS SetupFigure 44   Dynamic DNSThe following table describes the fields in this screen. Table 31   Dynamic DNSLABEL DESCRIPTIONActive Select this check box to use dynamic DNS.Service Provider This is the name of your Dynamic DNS service provider.Host Names  Type the domain name assigned to your Prestige by your Dynamic DNS provider.E-mail Address Type your e-mail address.User Type your user name.Password Type the password assigned to you.Enable Wildcard Select the check box to enable DYNDNS Wildcard.Apply Click Apply to save your changes back to the Prestige.Cancel Click Cancel to begin configuring this screen afresh.
P-660H/HW/W-T Series User’ GuideChapter 9 Time and Date 116CHAPTER 9Time and DateThis screen is not available on all models. Use this screen to configure the Prestige’s time and date settings.9.1  Configuring Time and Date To change your Prestige’s time and date, click Time And Date. The screen appears as shown. Use this screen to configure the Prestige’s time based on your local time zone. Figure 45   Time and DateThe following table describes the fields in this screen.
P-660H/HW/W-T Series User’ Guide117 Chapter 9 Time and Date Table 32   Time and DateLABEL DESCRIPTIONTime ServerUse Protocol when BootupSelect the time service protocol that your time server sends when you turn on the Prestige. Not all time servers support all protocols, so you may have to check with your ISP/network administrator or use trial and error to find a protocol that works.The main difference between them is the format. Daytime (RFC 867) format is day/month/year/time zone of the server. Time (RFC 868) format displays a 4-byte integer giving the total number of seconds since 1970/1/1 at 0:0:0. NTP (RFC 1305) is similar to Time (RFC 868). Select None to enter the time and date manually. IP Address or URL Enter the IP address or URL of your time server. Check with your ISP/network administrator if you are unsure of this information.Time and Date Choose the time zone of your location. This will set the time difference between your time zone and Greenwich Mean Time (GMT). Daylight Savings Select this option if you use daylight savings time. Daylight saving is a period from late spring to early fall when many countries set their clocks ahead of normal local time by one hour to give more daytime light in the evening.Start Date Enter the month and day that your daylight-savings time starts on if you selected Daylight Savings.End Date Enter the month and day that your daylight-savings time ends on if you selected Daylight Savings.Synchronize system clock with Time Server now.Select this option to have your Prestige use the time server (that you configured above) to set its internal system clock.Please wait for up to 60 seconds while the Prestige locates the time server. If the Prestige cannot find the time server, please check the time server protocol and its IP address. If the IP address was entered correctly, try pinging it for example to test the connection.DateCurrent Date This field displays the date of your Prestige. Each time you reload this page, the Prestige synchronizes the time with the time server.New Date (yyyy-mm-dd)This field displays the last updated date from the time server.When you select None in the Use Protocol when Bootup field, enter the new date in this field and then click Apply.TimeCurrent Time This field displays the time of your Prestige.Each time you reload this page, the Prestige synchronizes the time with the time server.New Time This field displays the last updated time from the time server.When you select None in the Use Protocol when Bootup field, enter the new time in this field and then click Apply. Apply Click Apply to save your changes back to the Prestige.Cancel Click Cancel to begin configuring this screen afresh.
P-660H/HW/W-T Series User’ GuideChapter 10 Firewalls 118CHAPTER 10FirewallsThis chapter gives some background information on firewalls and introduces the Prestige firewall.10.1  Firewall Overview Originally, the term firewall referred to a construction technique designed to prevent the spread of fire from one room to another. The networking term “firewall” is a system or group of systems that enforces an access-control policy between two networks. It may also be defined as a mechanism used to protect a trusted network from an untrusted network. Of course, firewalls cannot solve every security problem. A firewall is one of the mechanisms used to establish a network security perimeter in support of a network security policy. It should never be the only mechanism or method employed. For a firewall to guard effectively, you must design and deploy it appropriately. This requires integrating the firewall into a broad information-security policy. In addition, specific policies must be implemented within the firewall itself. Refer to Section 11.5 on page 135 to configure default firewall settings. Refer to Section 11.6 on page 136 to view firewall rules. Refer to Section 11.6.1 on page 138 to configure firewall rules. Refer to Section 11.7 on page 141 to configure a custom service. Refer to Section 11.12.3 on page 151 to configure firewall thresholds. 10.2  Types of FirewallsThere are three main types of firewalls:• Packet Filtering Firewalls• Application-level Firewalls• Stateful Inspection Firewalls10.2.1  Packet Filtering FirewallsPacket filtering firewalls restrict access based on the source/destination computer network address of a packet and the type of application.
P-660H/HW/W-T Series User’ Guide119 Chapter 10 Firewalls10.2.2  Application-level FirewallsApplication-level firewalls restrict access by serving as proxies for external servers. Since they use programs written for specific Internet services, such as HTTP, FTP and telnet, they can evaluate network packets for valid application-specific data. Application-level gateways have a number of general advantages over the default mode of permitting application traffic directly to internal hosts:Information hiding prevents the names of internal systems from being made known via DNS to outside systems, since the application gateway is the only host whose name must be made known to outside systems.Robust authentication and logging pre-authenticates application traffic before it reaches internal hosts and causes it to be logged more effectively than if it were logged with standard host logging. Filtering rules at the packet filtering router can be less complex than they would be if the router needed to filter application traffic and direct it to a number of specific systems. The router need only allow application traffic destined for the application gateway and reject the rest.10.2.3   Stateful Inspection Firewalls Stateful inspection firewalls restrict access by screening data packets against defined access rules. They make access control decisions based on IP address and protocol. They also "inspect" the session data to assure the integrity of the connection and to adapt to dynamic protocols. These firewalls generally provide the best speed and transparency, however, they may lack the granular application level access control or caching that some proxies support. See Section 10.5 on page 124 for more information on stateful inspection.Firewalls, of one type or another, have become an integral part of standard security solutions for enterprises.10.3  Introduction to ZyXEL’s FirewallThe Prestige firewall is a stateful inspection firewall and is designed to protect against Denial of Service attacks when activated (in SMT menu 21.2 or in the web configurator). The Prestige’s purpose is to allow a private Local Area Network (LAN) to be securely connected to the Internet. The Prestige can be used to prevent theft, destruction and modification of data, as well as log events, which may be important to the security of your network. The Prestige also has packet filtering capabilities.The Prestige is installed between the LAN and the Internet. This allows it to act as a secure gateway for all data passing between the Internet and the LAN.The Prestige has one DSL/ISDN port and one Ethernet LAN port, which physically separate the network into two areas.• The DSL/ISDN port connects to the Internet.
P-660H/HW/W-T Series User’ GuideChapter 10 Firewalls 120• The LAN (Local Area Network) port attaches to a network of computers, which needs security from the outside world. These computers will have access to Internet services such as e-mail, FTP, and the World Wide Web.  However, “inbound access” will not be allowed unless you configure remote management or create a firewall rule to allow a remote host to use a specific service.10.3.1  Denial of Service AttacksFigure 46   Prestige Firewall Application10.4  Denial of ServiceDenials of Service (DoS) attacks are aimed at devices and networks with a connection to the Internet. Their goal is not to steal information, but to disable a device or network so users no longer have access to network resources. The Prestige is pre-configured to automatically detect and thwart all known DoS attacks.10.4.1  BasicsComputers share information over the Internet using a common language called TCP/IP. TCP/IP, in turn, is a set of application protocols that perform specific functions. An “extension number”, called the "TCP port" or "UDP port" identifies these protocols, such as HTTP (Web), FTP (File Transfer Protocol), POP3 (E-mail), etc. For example, Web traffic by default uses TCP port 80. When computers communicate on the Internet, they are using the client/server model, where the server "listens" on a specific TCP/UDP port for information requests from remote client computers on the network. For example, a Web server typically listens on port 80. Please note that while a computer may be intended for use over a single port, such as Web on port 80, other ports are also active. If the person configuring or managing the computer is not careful, a hacker could attack it over an unprotected port. Some of the most common IP ports are:
P-660H/HW/W-T Series User’ Guide121 Chapter 10 Firewalls10.4.2  Types of DoS AttacksThere are four types of DoS attacks: 1Those that exploit bugs in a TCP/IP implementation.2Those that exploit weaknesses in the TCP/IP specification.3Brute-force attacks that flood a network with useless data. 4IP Spoofing.5"Ping of Death" and "Teardrop" attacks exploit bugs in the TCP/IP implementations of various computer and host systems. • Ping of Death uses a "ping" utility to create an IP packet that exceeds the maximum 65,536 bytes of data allowed by the IP specification. The oversize packet is then sent to an unsuspecting system. Systems may crash, hang or reboot. • Teardrop attack exploits weaknesses in the re-assembly of IP packet fragments. As data is transmitted through a network, IP packets are often broken up into smaller chunks. Each fragment looks like the original IP packet except that it contains an offset field that says, for instance, "This fragment is carrying bytes 200 through 400 of the original (non fragmented) IP packet." The Teardrop program creates a series of IP fragments with overlapping offset fields. When these fragments are reassembled at the destination, some systems will crash, hang, or reboot. 6Weaknesses in the TCP/IP specification leave it open to "SYN Flood" and "LAND" attacks. These attacks are executed during the handshake that initiates a communication session between two applications.Table 33   Common IP Ports21 FTP 53 DNS23 Telnet 80 HTTP25 SMTP 110 POP3
P-660H/HW/W-T Series User’ GuideChapter 10 Firewalls 122Figure 47   Three-Way HandshakeUnder normal circumstances, the application that initiates a session sends a SYN (synchronize) packet to the receiving server. The receiver sends back an ACK (acknowledgment) packet and its own SYN, and then the initiator responds with an ACK (acknowledgment). After this handshake, a connection is established. •SYN Attack floods a targeted system with a series of SYN packets. Each packet causes the targeted system to issue a SYN-ACK response. While the targeted system waits for the ACK that follows the SYN-ACK, it queues up all outstanding SYN-ACK responses on what is known as a backlog queue. SYN-ACKs are moved off the queue only when an ACK comes back or when an internal timer (which is set at relatively long intervals) terminates the three-way handshake. Once the queue is full, the system will ignore all incoming SYN requests, making the system unavailable for legitimate users. Figure 48   SYN Flood•In a LAND Attack, hackers flood SYN packets into the network with a spoofed source IP address of the targeted system. This makes it appear as if the host computer sent the packets to itself, making the system unavailable while the target system tries to respond to itself. 7A brute-force attack, such as a "Smurf" attack, targets a feature in the IP specification known as directed or subnet broadcasting, to quickly flood the target network with useless data. A Smurf hacker floods a router with Internet Control Message Protocol
P-660H/HW/W-T Series User’ Guide123 Chapter 10 Firewalls(ICMP) echo request packets (pings). Since the destination IP address of each packet is the broadcast address of the network, the router will broadcast the ICMP echo request packet to all hosts on the network. If there are numerous hosts, this will create a large amount of ICMP echo request and response traffic. If a hacker chooses to spoof the source IP address of the ICMP echo request packet, the resulting ICMP traffic will not only clog up the "intermediary" network, but will also congest the network of the spoofed source IP address, known as the "victim" network. This flood of broadcast traffic consumes all available bandwidth, making communications impossible. Figure 49   Smurf Attack10.4.2.1  ICMP Vulnerability ICMP is an error-reporting protocol that works in concert with IP. The following ICMP types trigger an alert:10.4.2.2  Illegal Commands (NetBIOS and SMTP)The only legal NetBIOS commands are the following - all others are illegal.Table 34   ICMP Commands That Trigger Alerts5REDIRECT13 TIMESTAMP_REQUEST14 TIMESTAMP_REPLY17 ADDRESS_MASK_REQUEST18 ADDRESS_MASK_REPLYTable 35   Legal NetBIOS CommandsMESSAGE:REQUEST:POSITIVE:VE:
P-660H/HW/W-T Series User’ GuideChapter 10 Firewalls 124All SMTP commands are illegal except for those displayed in the following tables. 10.4.2.3  TracerouteTraceroute is a utility used to determine the path a packet takes between two endpoints. Sometimes when a packet filter firewall is configured incorrectly an attacker can traceroute the firewall gaining knowledge of the network topology inside the firewall.Often, many DoS attacks also employ a technique known as "IP Spoofing" as part of their attack. IP Spoofing may be used to break into systems, to hide the hacker's identity, or to magnify the effect of the DoS attack. IP Spoofing is a technique used to gain unauthorized access to computers by tricking a router or firewall into thinking that the communications are coming from within the trusted network. To engage in IP spoofing, a hacker must modify the packet headers so that it appears that the packets originate from a trusted host and should be allowed through the router or firewall. The Prestige blocks all IP Spoofing attempts.10.5  Stateful InspectionWith stateful inspection, fields of the packets are compared to packets that are already known to be trusted. For example, if you access some outside service, the proxy server remembers things about your original request, like the port number and source and destination addresses. This “remembering” is called saving the state. When the outside system responds to your request, the firewall compares the received packets with the saved state to determine if they are allowed in. The Prestige uses stateful packet inspection to protect the private LAN from hackers and vandals on the Internet. By default, the Prestige’s stateful inspection allows all communications to the Internet that originate from the LAN, and blocks all traffic to the LAN that originates from the Internet. In summary, stateful inspection: • Allows all sessions originating from the LAN (local network) to the WAN (Internet).• Denies all sessions originating from the WAN to the LAN.RETARGET:KEEPALIVE:Table 36    Legal SMTP CommandsAUTH DATA EHLO ETRN EXPN HELO HELP MAIL NOOPQUIT RCPT RSET SAML SEND SOML  TURN VRFYTable 35   Legal NetBIOS Commands
P-660H/HW/W-T Series User’ Guide125 Chapter 10 FirewallsFigure 50   Stateful InspectionThe previous figure shows the Prestige’s default firewall rules in action as well as demonstrates how stateful inspection works. User A can initiate a Telnet session from within the LAN and responses to this request are allowed. However other Telnet traffic initiated from the WAN is blocked.10.5.1  Stateful Inspection ProcessIn this example, the following sequence of events occurs when a TCP packet leaves the LAN network through the firewall's WAN interface. The TCP packet is the first in a session, and the packet's application layer protocol is configured for a firewall rule inspection:1The packet travels from the firewall's LAN to the WAN.2The packet is evaluated against the interface's existing outbound access list, and the packet is permitted (a denied packet would simply be dropped at this point).3The packet is inspected by a firewall rule to determine and record information about the state of the packet's connection. This information is recorded in a new state table entry created for the new connection. If there is not a firewall rule for this packet and it is not an attack, then the settings in the  Default Policy screen determine the action for this packet.4Based on the obtained state information, a firewall rule creates a temporary access list entry that is inserted at the beginning of the WAN interface's inbound extended access list. This temporary access list entry is designed to permit inbound packets of the same connection as the outbound packet just inspected.5The outbound packet is forwarded out through the interface.6Later, an inbound packet reaches the interface. This packet is part of the connection previously established with the outbound packet. The inbound packet is evaluated against the inbound access list, and is permitted because of the temporary access list entry previously created.7The packet is inspected by a firewall rule, and the connection's state table entry is updated as necessary. Based on the updated state information, the inbound extended access list
P-660H/HW/W-T Series User’ GuideChapter 10 Firewalls 126temporary entries might be modified, in order to permit only packets that are valid for the current state of the connection.8Any additional inbound or outbound packets that belong to the connection are inspected to update the state table entry and to modify the temporary inbound access list entries as required, and are forwarded through the interface.9When the connection terminates or times out, the connection's state table entry is deleted and the connection's temporary inbound access list entries are deleted.10.5.2  Stateful Inspection and the PrestigeAdditional rules may be defined to extend or override the default rules. For example, a rule may be created which will:• Block all traffic of a certain type, such as IRC (Internet Relay Chat), from the LAN to the Internet.• Allow certain types of traffic from the Internet to specific hosts on the LAN.• Allow access to a Web server to everyone but competitors.• Restrict use of certain protocols, such as Telnet, to authorized users on the LAN.These custom rules work by evaluating the network traffic’s Source IP address, Destination IP address, IP protocol type, and comparing these to rules set by the administrator.Note: The ability to define firewall rules is a very powerful tool. Using custom rules, it is possible to disable all firewall protection or block all access to the Internet. Use extreme caution when creating or deleting firewall rules. Test changes after creating them to make sure they work correctly.Below is a brief technical description of how these connections are tracked. Connections may either be defined by the upper protocols (for instance, TCP), or by the Prestige itself (as with the "virtual connections" created for UDP and ICMP). 10.5.3  TCP SecurityThe Prestige uses state information embedded in TCP packets. The first packet of any new connection has its SYN flag set and its ACK flag cleared; these are "initiation" packets. All packets that do not have this flag structure are called "subsequent" packets, since they represent data that occurs later in the TCP stream. If an initiation packet originates on the WAN, this means that someone is trying to make a connection from the Internet into the LAN. Except in a few special cases (see "Upper Layer Protocols" shown next), these packets are dropped and logged.If an initiation packet originates on the LAN, this means that someone is trying to make a connection from the LAN to the Internet. Assuming that this is an acceptable part of the security policy (as is the case with the default policy), the connection will be allowed. A cache entry is added which includes connection information such as IP addresses, TCP ports, sequence numbers, etc.
P-660H/HW/W-T Series User’ Guide127 Chapter 10 FirewallsWhen the Prestige receives any subsequent packet (from the Internet or from the LAN), its connection information is extracted and checked against the cache. A packet is only allowed to pass through if it corresponds to a valid connection (that is, if it is a response to a connection which originated on the LAN).10.5.4  UDP/ICMP SecurityUDP and ICMP do not themselves contain any connection information (such as sequence numbers). However, at the very minimum, they contain an IP address pair (source and destination). UDP also contains port pairs, and ICMP has type and code information. All of this data can be analyzed in order to build "virtual connections" in the cache. For instance, any UDP packet that originates on the LAN will create a cache entry. Its IP address and port pairs will be stored. For a short period of time, UDP packets from the WAN that have matching IP and UDP information will be allowed back in through the firewall.A similar situation exists for ICMP, except that the Prestige is even more restrictive. Specifically, only outgoing echoes will allow incoming echo replies, outgoing address mask requests will allow incoming address mask replies, and outgoing timestamp requests will allow incoming timestamp replies. No other ICMP packets are allowed in through the firewall, simply because they are too dangerous and contain too little tracking information. For instance, ICMP redirect packets are never allowed in, since they could be used to reroute traffic through attacking machines. 10.5.5  Upper Layer ProtocolsSome higher layer protocols (such as FTP and RealAudio) utilize multiple network connections simultaneously. In general terms, they usually have a "control connection" which is used for sending commands between endpoints, and then "data connections" which are used for transmitting bulk information. Consider the FTP protocol. A user on the LAN opens a control connection to a server on the Internet and requests a file. At this point, the remote server will open a data connection from the Internet. For FTP to work properly, this connection must be allowed to pass through even though a connection from the Internet would normally be rejected.In order to achieve this, the Prestige inspects the application-level FTP data. Specifically, it searches for outgoing "PORT" commands, and when it sees these, it adds a cache entry for the anticipated data connection. This can be done safely, since the PORT command contains address and port information, which can be used to uniquely identify the connection.Any protocol that operates in this way must be supported on a case-by-case basis. You can use the web configurator’s Custom Ports feature to do this.10.6  Guidelines for Enhancing Security with Your Firewall• Change the default password via SMT or web configurator.
P-660H/HW/W-T Series User’ GuideChapter 10 Firewalls 128• Limit who can telnet into your router. • Don't enable any local service (such as SNMP or NTP) that you don't use. Any enabled service could present a potential security risk. A determined hacker might be able to find creative ways to misuse the enabled services to access the firewall or the network. • For local services that are enabled, protect against misuse. Protect by configuring the services to communicate only with specific peers, and protect by configuring rules to block packets for the services at specific interfaces. • Protect against IP spoofing by making sure the firewall is active. • Keep the firewall in a secured (locked) room. 10.6.1  Security In GeneralYou can never be too careful! Factors outside your firewall, filtering or NAT can cause security breaches. Below are some generalizations about what you can do to minimize them.• Encourage your company or organization to develop a comprehensive security plan. Good network administration takes into account what hackers can do and prepares against attacks. The best defense against hackers and crackers is information. Educate all employees about the importance of security and how to minimize risk. Produce lists like this one!• DSL or cable modem connections are “always-on” connections and are particularly vulnerable because they provide more opportunities for hackers to crack your system. Turn your computer off when not in use. • Never give out a password or any sensitive information to an unsolicited telephone call or e-mail.• Never e-mail sensitive information such as passwords, credit card information, etc., without encrypting the information first.• Never submit sensitive information via a web page unless the web site uses secure connections. You can identify a secure connection by looking for a small “key” icon on the bottom of your browser (Internet Explorer 3.02 or better or Netscape 3.0 or better). If a web site uses a secure connection, it is safe to submit information. Secure web transactions are quite difficult to crack.• Never reveal your IP address or other system networking information to people outside your company. Be careful of files e-mailed to you from strangers. One common way of getting BackOrifice on a system is to include it as a Trojan horse with other files.• Change your passwords regularly. Also, use passwords that are not easy to figure out. The most difficult passwords to crack are those with upper and lower case letters, numbers and a symbol such as % or #.• Upgrade your software regularly. Many older versions of software, especially web browsers, have well known security deficiencies. When you upgrade to the latest versions, you get the latest patches and fixes.• If you use “chat rooms” or IRC sessions, be careful with any information you reveal to strangers.• If your system starts exhibiting odd behavior, contact your ISP. Some hackers will set off hacks that cause your system to slowly become unstable or unusable.
P-660H/HW/W-T Series User’ Guide129 Chapter 10 Firewalls• Always shred confidential information, particularly about your computer, before throwing it away. Some hackers dig through the trash of companies or individuals for information that might help them in an attack.10.7  Packet Filtering Vs FirewallBelow are some comparisons between the Prestige’s filtering and firewall functions.10.7.1  Packet Filtering:• The router filters packets as they pass through the router’s interface according to the filter rules you designed.• Packet filtering is a powerful tool, yet can be complex to configure and maintain, especially if you need a chain of rules to filter a service.• Packet filtering only checks the header portion of an IP packet.10.7.1.1  When To Use Filtering• To block/allow LAN packets by their MAC addresses.• To block/allow special IP packets which are neither TCP nor UDP, nor ICMP packets.• To block/allow both inbound (WAN to LAN) and outbound (LAN to WAN) traffic between the specific inside host/network "A" and outside host/network "B". If the filter blocks the traffic from A to B, it also blocks the traffic from B to A. Filters can not distinguish traffic originating from an inside host or an outside host by IP address.• To block/allow IP trace route.10.7.2  Firewall• The firewall inspects packet contents as well as their source and destination addresses. Firewalls of this type employ an inspection module, applicable to all protocols, that understands data in the packet is intended for other layers, from the network layer (IP headers) up to the application layer.• The firewall performs stateful inspection. It takes into account the state of connections it handles so that, for example, a legitimate incoming packet can be matched with the outbound request for that packet and allowed in. Conversely, an incoming packet masquerading as a response to a nonexistent outbound request can be blocked.• The firewall uses session filtering, i.e., smart rules, that enhance the filtering process and control the network session rather than control individual packets in a session.• The firewall provides e-mail service to notify you of routine reports and when alerts occur.10.7.2.1  When To Use The Firewall• To prevent DoS attacks and prevent hackers cracking your network.
P-660H/HW/W-T Series User’ GuideChapter 10 Firewalls 130• A range of source and destination IP addresses as well as port numbers can be specified within one firewall rule making the firewall a better choice when complex rules are required.• To selectively block/allow inbound or outbound traffic between inside host/networks and outside host/networks. Remember that filters can not distinguish traffic originating from an inside host or an outside host by IP address.• The firewall performs better than filtering if you need to check many rules.• Use the firewall if you need routine e-mail reports about your system or need to be alerted when attacks occur.• The firewall can block specific URL traffic that might occur in the future. The URL can be saved in an Access Control List (ACL) database.
P-660H/HW/W-T Series User’ Guide131 Chapter 10 Firewalls
P-660H/HW/W-T Series User’ GuideChapter 11 Firewall Configuration 132CHAPTER 11Firewall ConfigurationThis chapter shows you how to enable and configure the Prestige firewall.11.1  Access MethodsThe web configurator is, by far, the most comprehensive firewall configuration tool your Prestige has to offer. For this reason, it is recommended that you configure your firewall using the web configurator. SMT screens allow you to activate the firewall. CLI commands provide limited configuration options and are only recommended for advanced users.11.2  Firewall Policies Overview  Firewall rules are grouped based on the direction of travel of packets to which they apply: Note: The LAN includes both the LAN port and the WLAN.By default, the Prestige’s stateful packet inspection allows packets traveling in the following directions:• LAN to LAN/ Router This allows computers on the LAN to manage the Prestige and communicate between networks or subnets connected to the LAN interface.• LAN to WANBy default, the Prestige’s stateful packet inspection blocks packets traveling in the following directions:•WAN to LAN•WAN to WAN/ Router This prevents computers on the WAN from using the Prestige as a gateway to communicate with other computers on the WAN and/or managing the Prestige.You may define additional rules and sets or modify existing ones but please exercise extreme caution in doing so.• LAN to LAN/ Router • WAN to LAN• LAN to WAN • WAN to WAN/ Router
P-660H/HW/W-T Series User’ Guide133 Chapter 11 Firewall ConfigurationNote: If you configure firewall rules without a good understanding of how they work, you might inadvertently introduce security risks to the firewall and to the protected network. Make sure you test your rules after you configure them.For example, you may create rules to:• Block certain types of traffic, such as IRC (Internet Relay Chat), from the LAN to the Internet.• Allow certain types of traffic, such as Lotus Notes database synchronization, from specific hosts on the Internet to specific hosts on the LAN.• Allow everyone except your competitors to access a Web server.• Restrict use of certain protocols, such as Telnet, to authorized users on the LAN.These custom rules work by comparing the Source IP address, Destination IP address and IP protocol type of network traffic to rules set by the administrator. Your customized rules take precedence and override the Prestige’s default rules. 11.3  Rule Logic Overview  Note: Study these points carefully before configuring rules.11.3.1  Rule ChecklistState the intent of the rule. For example, “This restricts all IRC access from the LAN to the Internet.” Or, “This allows a remote Lotus Notes server to synchronize over the Internet to an inside Notes server.”1Is the intent of the rule to forward or block traffic?2What direction of traffic does the rule apply to?3What IP services will be affected?4What computers on the LAN are to be affected (if any)?5What computers on the Internet will be affected? The more specific, the better. For example, if traffic is being allowed from the Internet to the LAN, it is better to allow only certain machines on the Internet to access the LAN.11.3.2  Security Ramifications1Once the logic of the rule has been defined, it is critical to consider the security ramifications created by the rule:2Does this rule stop LAN users from accessing critical resources on the Internet? For example, if IRC is blocked, are there users that require this service?3Is it possible to modify the rule to be more specific? For example, if IRC is blocked for all users, will a rule that blocks just certain users be more effective?
P-660H/HW/W-T Series User’ GuideChapter 11 Firewall Configuration 1344Does a rule that allows Internet users access to resources on the LAN create a security vulnerability? For example, if FTP ports (TCP 20, 21) are allowed from the Internet to the LAN, Internet users may be able to connect to computers with running FTP servers.5Does this rule conflict with any existing rules?6Once these questions have been answered, adding rules is simply a matter of plugging the information into the correct fields in the web configurator screens.11.3.3  Key Fields For Configuring Rules11.3.3.1  ActionShould the action be to Block or Forward? “Block” means the firewall silently discards the packet.11.3.3.2  ServiceSelect the service from the Service scrolling list box. If the service is not listed, it is necessary to first define it. See Section 11.10 on page 146 for more information on predefined services.11.3.3.3  Source AddressWhat is the connection’s source address; is it on the LAN, WAN? Is it a single IP, a range of IPs or a subnet?11.3.3.4  Destination AddressWhat is the connection’s destination address; is it on the LAN, WAN? Is it a single IP, a range of IPs or a subnet?11.4  Connection DirectionThis section describes examples for firewall rules for connections going from LAN to WAN and from WAN to LAN. LAN to LAN/ Router, WAN to WAN/ Router rules apply to packets coming in on the associated interface (LAN, WAN respectively). LAN to LAN/ Router means policies for LAN-to-Prestige (the policies for managing the Prestige through the LAN interface) and policies for LAN-to-LAN (the policies that control routing between two subnets on the LAN). Similarly, WAN to WAN/ Router polices apply in the same way to the WAN ports.11.4.1  LAN to WAN RulesThe default rule for LAN to WAN traffic is that all users on the LAN are allowed non-restricted access to the WAN. When you configure a LAN to WAN rule, you in essence want to limit some or all users from accessing certain services on the WAN. WAN to LAN Rules
P-660H/HW/W-T Series User’ Guide135 Chapter 11 Firewall ConfigurationThe default rule for WAN to LAN traffic blocks all incoming connections (WAN to LAN). If you wish to allow certain WAN users to have access to your LAN, you will need to create custom rules to allow it. 11.4.2  AlertsAlerts are reports on events, such as attacks, that you may want to know about right away. You can choose to generate an alert when an attack is detected in the Edit Rule screen (select the Send Alert Message to Administrator When Matched check box) or when a rule is matched in the Edit Rule screen. When an event generates an alert, a message can be immediately sent to an e-mail account that you specify in the Log Settings screen (see the chapter on logs).11.5  Configuring Default Firewall Policy   Click Firewall and then Default Policy to display the following screen. Activate the firewall by selecting the Firewall Enabled check box as seen in the following screen.Refer to Section 10.1 on page 118 for more information. Figure 51   Firewall: Default PolicyThe following table describes the labels in this screen. Table 37   Firewall: Default PolicyLABEL DESCRIPTIONFirewall Enabled Select this check box to activate the firewall. The Prestige performs access control and protects against Denial of Service (DoS) attacks when the firewall is activated.Allow Asymmetrical RouteSelect this check box to have the Prestige firewall permit the use of triangle route topology on the network. See the appendix for more on triangle route topology.
P-660H/HW/W-T Series User’ GuideChapter 11 Firewall Configuration 13611.6  Rule Summary  Note: The ordering of your rules is very important as rules are applied in turn.Refer to Section 10.1 on page 118 for more information. Click on Firewall, then Rule Summary to bring up the following screen. This screen is a summary of the existing rules. Note the order in which the rules are listed.Packet Direction This is the direction of travel of packets (LAN to LAN/Router, LAN to WAN, WAN to WAN/Router, WAN to LAN).Firewall rules are grouped based on the direction of travel of packets to which they apply. For example, LAN to LAN/Router means packets traveling from a computer/subnet on the LAN to either another computer/subnet on the LAN interface of the Prestige or the Prestige itself. Default Action Use the radio buttons to select whether to Block (silently discard) or Forward (allow the passage of) packets that are traveling in the selected direction.Log Select the check box to create a log (when the above action is taken) for packets that are traveling in the selected direction and do not match any of the rules below.Back Click Back to return to the previous screen. Apply Click Apply to save your changes back to the Prestige.Cancel Click Cancel to begin configuring this screen afresh.Table 37   Firewall: Default Policy (continued)LABEL DESCRIPTION
P-660H/HW/W-T Series User’ Guide137 Chapter 11 Firewall ConfigurationFigure 52   Firewall: Rule Summary The following table describes the labels in this screen.  Table 38   Rule SummaryLABEL DESCRIPTIONFirewall Rules Storage Space in UseThis read-only bar shows how much of the Prestige's memory for recording firewall rules it is currently using. When you are using 80% or less of the storage space, the bar is green. When the amount of space used is over 80%, the bar is red.Packet Direction Use the drop-down list box to select a direction of travel of packets for which you want to configure firewall rules.Default Policy This field displays the default action and log policy you selected in the Default Rule screen for the packet direction shown in the field above.The following read-only fields summarize the rules you have created that apply to traffic traveling in the selected packet direction. The firewall rules that you configure (summarized below) take priority over the general firewall action settings above.Rule This is your firewall rule number. The ordering of your rules is important as rules are applied in turn. Click a rule’s number to go to the Firewall Edit Rule screen to configure or edit a firewall rule.Active This field displays whether a firewall is turned on (Y) or not (N). Source IP This drop-down list box displays the source addresses or ranges of addresses to which this firewall rule applies. Please note that a blank source or destination address is equivalent to Any.Destination IP This drop-down list box displays the destination addresses or ranges of addresses to which this firewall rule applies. Please note that a blank source or destination address is equivalent to Any.Service  This drop-down list box displays the services to which this firewall rule applies. Please note that a blank service type is equivalent to Any. See Section 11.10 on page 146 for more information.
P-660H/HW/W-T Series User’ GuideChapter 11 Firewall Configuration 13811.6.1  Configuring Firewall Rules   Refer to Section 10.1 on page 118 for more information. Follow these directions to create a new rule.1In the Rule Summary screen, type the index number for where you want to put the rule. For example, if you type “6”, your new rule becomes number 6 and the previous rule 6 (if there is one) becomes rule 7. 2Click Insert to display this screen and refer to the following table for information on the labels.Action This is the specified action for that rule, either Block or Forward. Note that Block means the firewall silently discards the packet.Schedule This field tells you whether a schedule is specified (Yes) or not (No).Log This field shows you whether a log is created when packets match this rule (Enabled) or not (Disable).Alert This field tells you whether this rule generates an alert (Yes) or not (No) when the rule is matched.Insert/Append Type the index number for where you want to put a rule. For example, if you type “6”, your new rule becomes number 6 and the previous rule 6 (if there is one) becomes rule 7. Click Insert to add a new firewall rule before the specified index number. Click Append to add a new firewall rule after the specified index number. Move Type a rule’s index number and the number for where you want to put that rule. Click Move to move the rule to the number that you typed. The ordering of your rules is important as they are applied in order of their numbering.Back Click Back to return to the previous screen. Apply Click Apply to save your changes back to the Prestige.Cancel Click Cancel to begin configuring this screen afresh.Table 38   Rule Summary (continued)LABEL DESCRIPTION
P-660H/HW/W-T Series User’ Guide139 Chapter 11 Firewall ConfigurationFigure 53   Firewall: Edit RuleThe following table describes the labels in this screen.
P-660H/HW/W-T Series User’ GuideChapter 11 Firewall Configuration 140Table 39   Firewall: Edit RuleLABEL DESCRIPTIONActive Select this option to enable this firewall rule. Action for Matched PacketUse the radio button to select whether to discard (Block) or allow the passage of (Forward) packets that match this rule.Source/Destination AddressAddress Type Do you want your rule to apply to packets with a particular (single) IP, a range of IP addresses (e.g., 192.168.1.10 to 192.169.1.50), a subnet or any IP address? Select an option from the drop-down list box that includes: Single Address, Range Address, Subnet Address and Any Address. Start IP Address Enter the single IP address or the starting IP address in a range here. End IP Address Enter the ending IP address in a range here.Subnet Mask Enter the subnet mask here, if applicable.Add Click Add to add a new address to the Source or Destination Address box. You can add multiple addresses, ranges of addresses, and/or subnets.Edit To edit an existing source or destination address, select it from the box and click Edit.Delete Highlight an existing source or destination address from the Source or Destination Address box above and click Delete to remove it.ServicesAvailable/ SelectedServicesPlease see Section 11.10 on page 146 for more information on services available. Highlight a service from the Available Services box on the left, then click Add>> to add it to the Selected Services box on the right. To remove a service, highlight it in the Selected Services box on the right, then click Remove.Edit CustomizedServiceClick the Edit Customized Services link to bring up the screen that you use to configure a new custom service that is not in the predefined list of services.ScheduleDay to Apply Select everyday or the day(s) of the week to apply the rule.Time of Day toApply (24-HourFormat)Select All Day or enter the start and end times in the hour-minute format to apply the rule.LogLog Packet DetailInformationThis field determines if a log for packets that match the rule is created (Enable) or not (Disable). Go to the Log Settings page and select the Access Control logs category to have the Prestige record these logs.Alert Send Alert Messageto AdministratorWhen MatchedSelect the check box to have the Prestige generate an alert when the rule is matched.Back Click Back to return to the previous screen. Apply Click Apply to save your customized settings and exit this screen.Cancel Click Cancel to exit this screen without saving.Delete Click Delete to remove this firewall rule and return to the Firewall Rule Summary screen.
P-660H/HW/W-T Series User’ Guide141 Chapter 11 Firewall Configuration11.7  Customized Services Configure customized services and port numbers not predefined by the Prestige. For a comprehensive list of port numbers and services, visit the IANA (Internet Assigned Number Authority) website. For further information on these services, please read Section 11.10 on page 146. Click the Customized Services link while editing a firewall rule to configure a custom service port. This displays the following screen.Refer to Section 10.1 on page 118 for more information. Figure 54   Firewall: Customized ServicesThe following table describes the labels in this screen. 11.8  Configuring A Customized Service  Click a rule number in the Firewall Customized Services screen to create a new custom port or edit an existing one. This action displays the following screen.Table 40   Customized ServicesLABEL DESCRIPTIONNo. This is the number of your customized port. Click a rule’s number of a service to go to the Firewall Customized Services Config screen to configure or edit a customized service.Name This is the name of your customized service.Protocol This shows the IP protocol (TCP, UDP or TCP/UDP) that defines your customized service.Port This is the port number or range that defines your customized service.Back Click Back to return the Firewall Edit Rule screen.
P-660H/HW/W-T Series User’ GuideChapter 11 Firewall Configuration 142Refer to Section 10.1 on page 118 for more information. Figure 55   Firewall: Configure Customized ServicesThe following table describes the labels in this screen.11.9  Example Firewall Rule The following Internet firewall rule example allows a hypothetical “My Service” connection from the Internet.1Click Firewall in the navigation panel and click Rule Summary.2Select WAN to LAN in the Packet Direction field. Table 41   Firewall: Configure Customized ServicesLABEL DESCRIPTIONService Name Type a unique name for your custom port.Service Type Choose the IP port (TCP, UDP or TCP/UDP) that defines your customized port from the drop down list box.Port ConfigurationType Click Single to specify one port only or Range to specify a span of ports that define your customized service. Port Number Type a single port number or the range of port numbers that define your customized service.Back Click Back to return to the Firewall Customized Services screen.Apply Click Apply to save your customized settings and exit this screen.Cancel Click Cancel to return to the previously saved settings.Delete Click Delete to delete the current rule.
P-660H/HW/W-T Series User’ Guide143 Chapter 11 Firewall ConfigurationFigure 56   Firewall Example: Rule Summary3In the Rule Summary screen, type the index number for where you want to put the rule. For example, if you type “6”, your new rule becomes number 6 and the previous rule 6 (if there is one) becomes rule 7.4Click Insert to display the firewall rule configuration screen.5Select Any in the Destination Address box and then click Delete.6Configure the destination address screen as follows and click Add.
P-660H/HW/W-T Series User’ GuideChapter 11 Firewall Configuration 144Figure 57   Firewall Example: Edit Rule: Destination Address 7In the Edit Rule screen, click the Customized Services link to open the Customized Service screen. 8Click an index number to display the Customized Services -Config screen and configure the screen as follows and click Apply.Figure 58   Edit Custom Port Example9In the Edit Rule screen, use the Add>> and Remove buttons between Available Services and Selected Services list boxes to configure it as follows. Click Apply when you are done.
P-660H/HW/W-T Series User’ Guide145 Chapter 11 Firewall ConfigurationFigure 59   Firewall Example: Edit Rule: Select Customized ServicesNote: Custom ports show up with an “*” before their names in the Services list box and the Rule Summary list box. Click Apply after you’ve created your custom port.On completing the configuration procedure for this Internet firewall rule, the Rule Summary screen should look like the following.
P-660H/HW/W-T Series User’ GuideChapter 11 Firewall Configuration 146Rule 2 allows a “My Service” connection from the WAN to IP addresses 10.0.0.10 through 10.0.0.15 on the LAN.Figure 60   Firewall Example: Rule Summary: My Service 11.10  Predefined ServicesThe Available Services list box in the Edit Rule screen (see Section 11.6.1 on page 138) displays all predefined services that the Prestige already supports. Next to the name of the service, two fields appear in brackets. The first field indicates the IP protocol type (TCP, UDP, or ICMP). The second field indicates the IP port number that defines the service. (Note that there may be more than one IP protocol type. For example, look at the default configuration labeled “(DNS)”. (UDP/TCP:53) means UDP port 53 and TCP port 53. Up to 128 entries are supported. Custom service ports may also be configured using the Edit Customized Services function discussed previously.Table 42    Predefined ServicesSERVICE DESCRIPTIONAIM/NEW_ICQ(TCP:5190) AOL’s Internet Messenger service, used as a listening port by ICQ.AUTH(TCP:113) Authentication protocol used by some servers.BGP(TCP:179)  Border Gateway Protocol.BOOTP_CLIENT(UDP:68)  DHCP Client.BOOTP_SERVER(UDP:67)  DHCP Server.
P-660H/HW/W-T Series User’ Guide147 Chapter 11 Firewall ConfigurationCU-SEEME(TCP/UDP:7648, 24032) A popular videoconferencing solution from White Pines Software.DNS(UDP/TCP:53)  Domain Name Server, a service that matches web names (e.g. www.zyxel.com) to IP numbers.FINGER(TCP:79)  Finger is a UNIX or Internet related command that can be used to find out if a user is logged on.FTP(TCP:20.21)  File Transfer Program, a program to enable fast transfer of files, including large files that may not be possible by e-mail.H.323(TCP:1720) Net Meeting uses this protocol.HTTP(TCP:80)  Hyper Text Transfer Protocol - a client/server protocol for the world wide web.HTTPS HTTPS is a secured http session often used in e-commerce.ICQ(UDP:4000) This is a popular Internet chat program.IPSEC_TRANSPORT/TUNNEL(AH:0)The IPSEC AH (Authentication Header) tunneling protocol uses this service.IPSEC_TUNNEL(ESP:0) The IPSEC ESP (Encapsulation Security Protocol) tunneling protocol uses this service.IRC(TCP/UDP:6667) This is another popular Internet chat program.MSN Messenger(TCP:1863) Microsoft Networks’ messenger service uses this protocol. MULTICAST(IGMP:0) Internet Group Multicast Protocol is used when sending packets to a specific group of hosts.NEWS(TCP:144)  A protocol for news groups.NFS(UDP:2049)  Network File System - NFS is a client/server distributed file service that provides transparent file-sharing for network environments.NNTP(TCP:119)  Network News Transport Protocol is the delivery mechanism for the USENET newsgroup service.PING(ICMP:0) Packet INternet Groper is a protocol that sends out ICMP echo requests to test whether or not a remote host is reachable.POP3(TCP:110) Post Office Protocol version 3 lets a client computer get e-mail from a POP3 server through a temporary connection (TCP/IP or other).PPTP(TCP:1723) Point-to-Point Tunneling Protocol enables secure transfer of data over public networks. This is the control channel.PPTP_TUNNEL(GRE:0) Point-to-Point Tunneling Protocol enables secure transfer of data over public networks. This is the data channel.RCMD(TCP:512)  Remote Command Service.REAL_AUDIO(TCP:7070)  A streaming audio service that enables real time sound over the web.REXEC(TCP:514)  Remote Execution Daemon.RLOGIN(TCP:513)  Remote Login.RTELNET(TCP:107)  Remote Telnet.RTSP(TCP/UDP:554) The Real Time Streaming (media control) Protocol (RTSP) is a remote control for multimedia on the Internet. SFTP(TCP:115)  Simple File Transfer Protocol.Table 42    Predefined Services (continued)SERVICE DESCRIPTION
P-660H/HW/W-T Series User’ GuideChapter 11 Firewall Configuration 14811.11  Anti-Probing  If an outside user attempts to probe an unsupported port on your Prestige, an ICMP response packet is automatically returned.  This allows the outside user to know the Prestige exists. The Prestige supports anti-probing, which prevents the ICMP response packet from being sent. This keeps outsiders from discovering your Prestige when unsupported ports are probed.  Internet Control Message Protocol (ICMP) is a message control and error-reporting protocol between a host server and a gateway to the Internet. ICMP uses Internet Protocol (IP) datagrams, but the messages are processed by the TCP/IP software and directly apparent to the application user.  Refer to Section 10.1 on page 118 for more information. Click Firewall in the navigation panel and click Anti Probing to display the screen as shown. SMTP(TCP:25)  Simple Mail Transfer Protocol is the message-exchange standard for the Internet. SMTP enables you to move messages from one e-mail server to another.SNMP(TCP/UDP:161)  Simple Network Management Program.SNMP-TRAPS (TCP/UDP:162) Traps for use with the SNMP (RFC:1215).SQL-NET(TCP:1521)  Structured Query Language is an interface to access data on many different types of database systems, including mainframes, midrange systems, UNIX systems and network servers.SSDP(UDP:1900) Simole Service Discovery Protocol (SSDP) is a discovery service searching for Universal Plug and Play devices on your home network or upstream Internet gateways using DUDP port 1900. SSH(TCP/UDP:22) Secure Shell Remote Login Program.STRMWORKS(UDP:1558)  Stream Works Protocol.SYSLOG(UDP:514) Syslog allows you to send system logs to a UNIX server.TACACS(UDP:49)  Login Host Protocol used for (Terminal Access Controller  Access Control System).TELNET(TCP:23)  Telnet is the login and terminal emulation protocol common on the Internet and in UNIX environments. It operates over TCP/IP networks. Its primary function is to allow users to log into remote host systems.TFTP(UDP:69)  Trivial File Transfer Protocol is an Internet file transfer protocol similar to FTP, but uses the UDP (User Datagram Protocol) rather than TCP (Transmission Control Protocol).VDOLIVE(TCP:7000)  Another videoconferencing solution.Table 42    Predefined Services (continued)SERVICE DESCRIPTION
P-660H/HW/W-T Series User’ Guide149 Chapter 11 Firewall ConfigurationFigure 61   Firewall: Anti ProbingThe following table describes the labels in this screen.11.12  DoS Thresholds For DoS attacks, the Prestige uses thresholds to determine when to drop sessions that do not become fully established. These thresholds apply globally to all sessions.You can use the default threshold values, or you can change them to values more suitable to your security requirements.Refer to Section 11.12.3 on page 151 to configure thresholds.  Table 43   Firewall: Anti ProbingLABEL DESCRIPTIONRespond to PING onThe Prestige does not respond to any incoming Ping requests when Disable is selected. Select LAN to reply to incoming LAN Ping requests.Select WAN to reply to incoming WAN Ping requests. Otherwise select LAN & WAN to reply to both incoming LAN and WAN Ping requests. Do not respond to requests for unauthorized services.Select this option to prevent hackers from finding the Prestige by probing for unused ports. If you select this option, the Prestige will not respond to port request(s) for unused ports, thus leaving the unused ports and the Prestige unseen. By default this option is not selected and the Prestige will reply with an ICMP Port Unreachable packet for a port probe on its unused UDP ports, and a TCP Reset packet for a port probe on its unused TCP ports. Note that the probing packets must first traverse the Prestige 's firewall mechanism before reaching this anti-probing mechanism. Therefore if the firewall mechanism blocks a probing packet, the Prestige reacts based on the firewall policy, which by default, is to send a TCP reset packet for a blocked TCP packet. You can use the command "sys firewall tcprst rst [on|off]" to change this policy. When the firewall mechanism blocks a UDP packet, it drops the packet without sending a response packet.Back Click Back to return to the previous screen. Apply Click Apply to save your changes back to the Prestige.Reset Click Reset to begin configuring this screen afresh.
P-660H/HW/W-T Series User’ GuideChapter 11 Firewall Configuration 15011.12.1  Threshold ValuesTune these parameters when something is not working and after you have checked the firewall counters. These default values should work fine for most small offices. Factors influencing choices for threshold values are:• The maximum number of opened sessions.• The minimum capacity of server backlog in your LAN network.• The CPU power of servers in your LAN network.• Network bandwidth. • Type of traffic for certain servers.If your network is slower than average for any of these factors (especially if you have servers that are slow or handle many tasks and are often busy), then the default values should be reduced.You should make any changes to the threshold values before you continue configuring firewall rules. 11.12.2  Half-Open SessionsAn unusually high number of half-open sessions (either an absolute number or measured as the arrival rate) could indicate that a Denial of Service attack is occurring. For TCP, "half-open" means that the session has not reached the established state-the TCP three-way handshake has not yet been completed (see Figure 47 on page 122). For UDP, "half-open" means that the firewall has detected no return traffic.The Prestige measures both the total number of existing half-open sessions and the rate of session establishment attempts. Both TCP and UDP half-open sessions are counted in the total number and rate measurements. Measurements are made once a minute.When the number of existing half-open sessions rises above a threshold (max-incomplete high), the Prestige starts deleting half-open sessions as required to accommodate new connection requests. The Prestige continues to delete half-open requests as necessary, until the number of existing half-open sessions drops below another threshold (max-incomplete low).When the rate of new connection attempts rises above a threshold (one-minute high), the Prestige starts deleting half-open sessions as required to accommodate new connection requests. The Prestige continues to delete half-open sessions as necessary, until the rate of new connection attempts drops below another threshold (one-minute low). The rate is the number of new attempts detected in the last one-minute sample period.11.12.2.1  TCP Maximum Incomplete and Blocking TimeAn unusually high number of half-open sessions with the same destination host address could indicate that a Denial of Service attack is being launched against the host.
P-660H/HW/W-T Series User’ Guide151 Chapter 11 Firewall ConfigurationWhenever the number of half-open sessions with the same destination host address rises above a threshold (TCP Maximum Incomplete), the Prestige starts deleting half-open sessions according to one of the following methods:• If the Blocking Time timeout is 0 (the default), then the Prestige deletes the oldest existing half-open session for the host for every new connection request to the host. This ensures that the number of half-open sessions to a given host will never exceed the threshold. • If the Blocking Time timeout is greater than 0, then the Prestige blocks all new connection requests to the host giving the server time to handle the present connections. The Prestige continues to block all new connection requests until the Blocking Time expires. 11.12.3  Configuring Firewall Thresholds The Prestige also sends alerts whenever TCP Maximum Incomplete is exceeded. The global values specified for the threshold and timeout apply to all TCP connections. Click Firewall, and Threshold to bring up the next screen.Figure 62   Firewall: ThresholdThe following table describes the labels in this screen.
P-660H/HW/W-T Series User’ GuideChapter 11 Firewall Configuration 152Table 44   Firewall: ThresholdLABEL DESCRIPTION DEFAULT VALUESDenial of Service ThresholdsOne Minute Low This is the rate of new half-open sessions that causes the firewall to stop deleting half-open sessions. The Prestige continues to delete half-open sessions as necessary, until the rate of new connection attempts drops below this number.80 existing half-open sessions.One Minute High This is the rate of new half-open sessions that causes the firewall to start deleting half-open sessions. When the rate of new connection attempts rises above this number, the Prestige deletes half-open sessions as required to accommodate new connection attempts.100 half-open sessions per minute. The above numbers cause the Prestige to start deleting half-open sessions when more than 100 session establishment attempts have been detected in the last minute, and to stop deleting half-open sessions when fewer than 80 session establishment attempts have been detected in the last minute.Maximum Incomplete LowThis is the number of existing half-open sessions that causes the firewall to stop deleting half-open sessions. The Prestige continues to delete half-open requests as necessary, until the number of existing half-open sessions drops below this number.80 existing half-open sessions.Maximum Incomplete HighThis is the number of existing half-open sessions that causes the firewall to start deleting half-open sessions. When the number of existing half-open sessions rises above this number, the Prestige deletes half-open sessions as required to accommodate new connection requests. Do not set Maximum Incomplete High to lower than the current Maximum Incomplete Low number.100 existing half-open sessions. The above values causes the Prestige to start deleting half-open sessions when the number of existing half-open sessions rises above 100, and to stop deleting half-open sessions with the number of existing half-open sessions drops below 80.TCP Maximum Incomplete This is the number of existing half-open TCP sessions with the same destination host IP address that causes the firewall to start dropping half-open sessions to that same destination host IP address. Enter a number between 1 and 256. As a general rule, you should choose a smaller number for a smaller network, a slower system or limited bandwidth.30 existing half-open TCP sessions.Action taken when the TCP Maximum Incomplete threshold is reached.Delete the oldest half open session when new connection request comesSelect this radio button to clear the oldest half open session when a new connection request comes.
P-660H/HW/W-T Series User’ Guide153 Chapter 11 Firewall ConfigurationDeny new connection request forSelect this radio button and specify for how long the Prestige should block new connection requests when TCP Maximum Incomplete is reached. Enter the length of blocking time in minutes (between 1 and 256).Back Click Back to return to the previous screen. Apply Click Apply to save your changes back to the Prestige.Cancel Click Cancel to begin configuring this screen afresh.Table 44   Firewall: Threshold (continued)LABEL DESCRIPTION DEFAULT VALUES
P-660H/HW/W-T Series User’ GuideChapter 12 Content Filtering 154CHAPTER 12Content FilteringThis chapter covers how to configure content filtering.12.1  Content Filtering Overview Internet content filtering allows you to create and enforce Internet access policies tailored to your needs. Content filtering gives you the ability to block web sites that contain key words (that you specify) in the URL. You can set a schedule for when the Prestige performs content filtering. You can also specify trusted IP addresses on the LAN for which the Prestige will not perform content filtering.12.2  The Main Content Filter Screen Click Content Filter to display the main Content Filtering screen. Figure 63   Content Filtering The following table describes the links in this screen. Table 45   LINK DESCRIPTIONKeyword Click this link to display a screen where you can configure your Prestige to block Web sites containing keywords in their URLs, Schedule Click this link to display a screen where you can set the days and times for the Prestige to perform content filtering, Trusted Click this link to display a screen where you can exclude a range of users on the LAN from content filtering on your Prestige
P-660H/HW/W-T Series User’ Guide155 Chapter 12 Content Filtering12.3  Configuring Keyword Blocking  Use this screen to block sites containing certain keywords in the URL. For example, if you enable the keyword "bad", the Prestige blocks all sites containing this keyword including the URL http://www.website.com/bad.html, even if it is not included in the Filter List. To have your Prestige block Web sites containing keywords in their URLs, click Content Filter and Keyword. The screen appears as shown.Figure 64   Content Filter: KeywordThe following table describes the labels in this screen.  Table 46   Content Filter: KeywordLABEL DESCRIPTIONEnable Keyword Blocking Select this check box to enable this feature.Block Websites that contain these keywords in the URL:This box contains the list of all the keywords that you have configured the Prestige to block. Delete  Highlight a keyword in the box and click Delete to remove it. Clear All  Click Clear All to remove all of the keywords from the list.Keyword Type a keyword in this field. You may use any character (up to 127 characters). Wildcards are not allowed.Add Keyword Click Add Keyword after you have typed a keyword. Repeat this procedure to add other keywords. Up to 64 keywords are allowed.When you try to access a web page containing a keyword, you will get a message telling you that the content filter is blocking this request.Back Click Back to return to the previous screen.Apply Click Apply to save your changes back to the Prestige.Cancel Click Cancel to return to the previously saved settings.
P-660H/HW/W-T Series User’ GuideChapter 12 Content Filtering 15612.4  Configuring the Schedule  To set the days and times for the Prestige to perform content filtering, click Content Filter and Schedule. The screen appears as shown.Figure 65   Content Filter: ScheduleThe following table describes the labels in this screen.   12.5  Configuring Trusted Computers  To exclude a range of users on the LAN from content filtering on your Prestige, click Content Filter and Trusted. The screen appears as shown.Table 47   Content Filter: ScheduleLABEL DESCRIPTIONDays to Block: Select a check box to configure which days of the week (or everyday) you want the content filtering to be active. Time of Day to Block:Use the 24 hour format to configure which time of the day (or select the All day check box) you want the content filtering to be active. Back Click Back to return to the previous screen.Apply  Click Apply to save your changes. Cancel Click Cancel to return to the previously saved settings.
P-660H/HW/W-T Series User’ Guide157 Chapter 12 Content FilteringFigure 66   Content Filter: TrustedThe following table describes the labels in this screen. Table 48   Content Filter: TrustedLABEL DESCRIPTIONTrusted User IP RangeFrom Type the IP address of a computer (or the beginning IP address of a specific range of computers) on the LAN that you want to exclude from content filtering. To Type the ending IP address of a specific range of users on your LAN that you want to exclude from content filtering. Leave this field blank if you want to exclude an individual computer.Back Click Back to return to the previous screen.Apply  Click Apply to save your changes back to the Prestige. Cancel Click Cancel to return to the previously saved settings.
P-660H/HW/W-T Series User’ GuideChapter 13 Remote Management Configuration 158CHAPTER 13Remote ManagementConfigurationThis chapter provides information on configuring remote management.13.1  Remote Management Overview Remote management allows you to determine which services/protocols can access which Prestige interface (if any) from which computers.When you configure remote management to allow management from the WAN, you still need to configure a firewall rule to allow access.You may manage your Prestige from a remote location via:• Internet (WAN only)• ALL (LAN and WAN)• LAN only, • Neither (Disable).When you Choose WAN o n ly  or ALL (LAN & WAN), you still need to configure a firewall rule to allow access.To disable remote management of a service, select Disable in the corresponding Server Access field.You may only have one remote management session running at a time. The Prestige automatically disconnects a remote management session of lower priority when another remote management session of higher priority starts. The priorities for the different types of remote management sessions are as follows.1Telnet2HTTP13.1.1  Remote Management LimitationsRemote management over LAN or WAN will not work when:
P-660H/HW/W-T Series User’ Guide159 Chapter 13 Remote Management Configuration• A filter in SMT menu 3.1 (LAN) or in menu 11.5 (WAN) is applied to block a Telnet, FTP or Web service. • You have disabled that service in one of the remote management screens.• The IP address in the Secured Client IP field does not match the client IP address. If it does not match, the Prestige will disconnect the session immediately.• There is already another remote management session with an equal or higher priority running. You may only have one remote management session running at one time.• There is a firewall rule that blocks it.13.1.2  Remote Management and NATWhen NAT is enabled:• Use the Prestige’s WAN IP address when configuring from the WAN. • Use the Prestige’s LAN IP address when configuring from the LAN.13.1.3   System TimeoutThere is a default system management idle timeout of five minutes (three hundred seconds). The Prestige automatically logs you out if the management session remains idle for longer than this timeout period. The management session does not time out when a statistics screen is polling. 13.2  TelnetYou can configure your Prestige for remote Telnet access as shown next.Figure 67   Telnet Configuration on a TCP/IP Network
P-660H/HW/W-T Series User’ GuideChapter 13 Remote Management Configuration 16013.3  FTPYou can upload and download Prestige firmware and configuration files using FTP. To use this feature, your computer must have an FTP client.13.4  WebYou can use the Prestige’s embedded web configurator for configuration and file management. See the online help for details.13.5  Configuring Remote Management Click Remote Management to open the following screen. See Section 13.1 on page 158 for more information. Figure 68   Remote ManagementThe following table describes the fields in this screen.Table 49   Remote ManagementLABEL DESCRIPTIONServer Type  Each of these labels denotes a service that you may use to remotely manage the Prestige.Access Status Select the access interface. Choices are All, LAN Only, WAN Only and Disable. Port This field shows the port number for the remote management service. You may change the port number for a service in this field, but you must use the same port number to use that service for remote management.Secured Client IPThe default 0.0.0.0 allows any client to use this service to remotely manage the Prestige. Type an IP address to restrict access to a client with a matching IP address. Apply Click Apply to save your settings back to the Prestige.Cancel Click Cancel to begin configuring this screen afresh.
P-660H/HW/W-T Series User’ Guide161 Chapter 13 Remote Management Configuration
P-660H/HW/W-T Series User’ GuideChapter 14 Universal Plug-and-Play (UPnP) 162CHAPTER 14Universal Plug-and-Play (UPnP)This chapter introduces the UPnP feature in the web configurator.14.1  Introducing Universal Plug and Play Universal Plug and Play (UPnP) is a distributed, open networking standard that uses TCP/IP for simple peer-to-peer network connectivity between devices. A UPnP device can dynamically join a network, obtain an IP address, convey its capabilities and learn about other devices on the network. In turn, a device can leave a network smoothly and automatically when it is no longer in use.See Section 14.2.1 on page 163 for configuration instructions. 14.1.1  How do I know if I'm using UPnP? UPnP hardware is identified as an icon in the Network Connections folder (Windows XP). Each UPnP compatible device installed on your network will appear as a separate icon. Selecting the icon of a UPnP device will allow you to access the information and properties of that device. 14.1.2  NAT TraversalUPnP NAT traversal automates the process of allowing an application to operate through NAT. UPnP network devices can automatically configure network addressing, announce their presence in the network to other UPnP devices and enable exchange of simple product and service descriptions. NAT traversal allows the following:• Dynamic port mapping• Learning public IP addresses• Assigning lease times to mappingsWindows Messenger is an example of an application that supports NAT traversal and UPnP. See the NAT chapter for more information on NAT.
P-660H/HW/W-T Series User’ Guide163 Chapter 14 Universal Plug-and-Play (UPnP)14.1.3  Cautions with UPnPThe automated nature of NAT traversal applications in establishing their own services and opening firewall ports may present network security issues. Network information and configuration may also be obtained and modified by users in some network environments. All UPnP-enabled devices may communicate freely with each other without additional configuration. Disable UPnP if this is not your intention. 14.2  UPnP and ZyXELZyXEL has achieved UPnP certification from the Universal Plug and Play Forum Creates UPnP™ Implementers Corp. (UIC). ZyXEL's UPnP implementation supports IGD 1.0 (Internet Gateway Device). At the time of writing ZyXEL's UPnP implementation supports Windows Messenger 4.6 and 4.7 while Windows Messenger 5.0 and Xbox are still being tested.UPnP broadcasts are only allowed on the LAN.See later sections for examples of installing UPnP in Windows XP and Windows Me as well as an example of using UPnP in Windows.14.2.1  Configuring UPnP From the Site Map in the main menu, click UPnP under Advanced Setup to display the screen shown next.See Section 14.1 on page 162 for more information. Figure 69   Configuring UPnPThe following table describes the fields in this screen.
P-660H/HW/W-T Series User’ GuideChapter 14 Universal Plug-and-Play (UPnP) 16414.3  Installing UPnP in Windows ExampleThis section shows how to install UPnP in Windows Me and Windows XP.  Installing UPnP in Windows MeFollow the steps below to install the UPnP in Windows Me. 1Click Start and Control Panel. Double-click Add/Remove Programs.2Click on the Windows Setup tab and select Communication in the Components selection box. Click Details.  Table 50   Configuring UPnPLABEL DESCRIPTIONEnable the Universal Plug and Play (UPnP) Service Select this check box to activate UPnP. Be aware that anyone could use a UPnP application to open the web configurator's login screen without entering the Prestige's IP address (although you must still enter the password to access the web configurator).Allow users to make configuration changes through UPnPSelect this check box to allow UPnP-enabled applications to automatically configure the Prestige so that they can communicate through the Prestige, for example by using NAT traversal, UPnP applications automatically reserve a NAT forwarding port in order to communicate with another UPnP enabled device; this eliminates the need to manually configure port forwarding for the UPnP enabled application. Allow UPnP to pass through FirewallSelect this check box to allow traffic from UPnP-enabled applications to bypass the firewall. Clear this check box to have the firewall block all UPnP application packets (for example, MSN packets).Apply Click Apply to save the setting to the Prestige.Cancel Click Cancel to return to the previously saved settings.
P-660H/HW/W-T Series User’ Guide165 Chapter 14 Universal Plug-and-Play (UPnP)Figure 70   Add/Remove Programs: Windows Setup: Communication 3In the Communications window, select the Universal Plug and Play check box in the Components selection box. Figure 71   Add/Remove Programs: Windows Setup: Communication: Components4Click OK to go back to the Add/Remove Programs Properties window and click Next.  5Restart the computer when prompted.
P-660H/HW/W-T Series User’ GuideChapter 14 Universal Plug-and-Play (UPnP) 166Installing UPnP in Windows XPFollow the steps below to install the UPnP in Windows XP.1Click Start and Control Panel. 2Double-click Network Connections.3In the Network Connections window, click Advanced in the main menu and select Optional Networking Components ….  Figure 72   Network Connections4The Windows Optional Networking Components Wizard window displays. Select Networking Service in the Components selection box and click Details.
P-660H/HW/W-T Series User’ Guide167 Chapter 14 Universal Plug-and-Play (UPnP)Figure 73   Windows Optional Networking Components Wizard5In the Networking Services window, select the Universal Plug and Play check box.
P-660H/HW/W-T Series User’ GuideChapter 14 Universal Plug-and-Play (UPnP) 168Figure 74   Networking Services6Click OK to go back to the Windows Optional Networking Component Wizard window and click Next. 14.4  Using UPnP in Windows XP ExampleThis section shows you how to use the UPnP feature in Windows XP. You must already have UPnP installed in Windows XP and UPnP activated on the Prestige.Make sure the computer is connected to a LAN port of the Prestige. Turn on your computer and the Prestige. Auto-discover Your UPnP-enabled Network Device1Click Start and Control Panel. Double-click Network Connections. An icon displays under Internet Gateway.2Right-click the icon and select Properties.
P-660H/HW/W-T Series User’ Guide169 Chapter 14 Universal Plug-and-Play (UPnP)Figure 75   Network Connections3In the Internet Connection Properties window, click Settings to see the port mappings there were automatically created.
P-660H/HW/W-T Series User’ GuideChapter 14 Universal Plug-and-Play (UPnP) 170Figure 76   Internet Connection Properties 4You may edit or delete the port mappings or click Add to manually add port mappings.

Navigation menu