ZyXEL AMG1202T10B User Guide

12.1 Overview

MOD

VoIP

Data

PVC0

PVC2

PVC1

This chapter describes how to configure the port binding settings.

Port binding allows you to aggregate port connections into logical groups. You may bind WAN PVCs to Ethernet ports and WLANs to specify how traffic is forwarded. Different ATM QoS settings can be specified for each WAN PVC to meet bandwidth requirements for the type of traffic to be transferred.

For example, three port binding groups could be created on the device (R1) for three different WAN PVC connections. The first PVC (PVC0) is for non time-sensitive data traffic. The second and third PVCs (PVC1 and PVC2) are for time sensitive Media-On-Demand (MOD) video traffic and VoIP traffic, respectively.

Figure 73 Port Binding Groups

CHAPTER 12

Port Binding

AMG1302/AMG1202-TSeries User’s Guide 161

Chapter 12 Port Binding

If a WAN PVC is bound to an ethernet port, traffic from the ethernet port will only be forwarded through the specified WAN PVC and vice versa. If a port is not in a port binding group, traffic to and from the port will be forwarded according to the routing table. See the tutorial section (Section on

page 37) for more details on configuring port binding for multiple WAN connections.

12.1.1 What You Can Do in the Port Binding Screens

•Use the General screen (Section 12.3 on page 162) to activate port binding.

•Use the Port Binding screen (Section 12.3 on page 162) to set up port binding groups.

•Use the Port Binding Summary screen (Section 12.3.1 on page 163) to view configured port

binding groups.

12.2 The Port Binding General Screen

Use this screen to activate port binding and set up port binding groups. Click Network Setting > Port Binding to display the following screen.

Figure 74 Network Setting > Port Binding

The following table describes the labels in this screen.

Table 54 Network Setting > Port Binding

LABEL DESCRIPTION

Activated Port Binding Activate or deactivate the port binding feature. Apply Add the selected port binding group configuration.

12.3 The Port Binding Screen

Use this screen to set up port binding groups. Click Network Setting > Port Binding > Port Binding to display the following screen.

162

AMG1302/AMG1202-TSeries User’s Guide

Chapter 12 Port Binding

Figure 75 Network Setting > Port Binding > Port Binding

The following table describes the labels in this screen.

Table 55 Network Setting > Port Binding > Port Binding

LABEL DESCRIPTION

Port Binding Active Activate or deactivate port binding for the port binding group. Group Index Select the index number for the port binding group.

When a port is assigned to a port binding group, traffic will be forwarded to the other ports in the group, but not to ports in other groups. If a port is not included in any groups, traffic will be forwarded according to the routing table.

ATM VCs Select the ATM VC (PVC) to include in the port binding group. Each ATM VC can only

be bound to one group.

Ethernet Select the Ethernet (Eth) ports to include in the port binding group. Each Ethernet

port can only be bound to one group.

Wireless LAN Select the WLAN (AP) connection to include in the port binding group. Additional APs

Group Summary Port Binding

Summary Apply Add the selected port binding group configuration. Delete Delete the selected port binding group configuration. Cancel Click this to restore your previously saved settings.

can be enabled on the More AP screen (Section 7.3 on page 98).

Click this to view a summary of configured port binding groups.

12.3.1 Port Binding Summary Screen

Use this screen to view configured port binding groups.

In the Port Binding screen, click the Port Binding Summary button in the Group Summary section to display the following screen.

Figure 76 Network Setting > Port Binding > Port Binding Summary

AMG1302/AMG1202-TSeries User’s Guide

163

Chapter 12 Port Binding

The following table describes the labels in this screen.

Table 56 Network Setting > Port Binding > Port Binding Summary

LABEL DESCRIPTION

Group ID This field displays the group index number. Group port This field displays the ports included in the group.

164

AMG1302/AMG1202-TSeries User’s Guide

CHAPTER 13

Dynamic DNS Setup

13.1 Overview

Dynamic DNS allows you to update your current dynamic IP address with one or many dynamic DNS services so that anyone can contact you (in NetMeeting, CU-SeeMe, etc.). You can also access your FTP server or Web site on your own computer using a domain name (for instance myhost.dhs.org, where myhost is a name of your choice) that will never change instead of using an IP address that changes each time you reconnect. Your friends or relatives will always be able to call you even if they don't know your IP address.

First of all, you need to have registered a dynamic DNS account with www.dyndns.org. This is for people with a dynamic IP from their ISP or DHCP server that would still like to have a domain name. The Dynamic DNS service provider will give you a password or key.

13.1.1 What You Can Do in the DDNS Screen

Use the Dynamic DNS screen (Section 13.2 on page 165) to enable DDNS and configure the DDNS settings on the AMG1302/AMG1202-TSeries.

13.1.2 What You Need To Know About DDNS

DYNDNS Wildcard

Enabling the wildcard feature for your host causes *.yourhost.dyndns.org to be aliased to the same IP address as yourhost.dyndns.org. This feature is useful if you want to be able to use, for example, www.yourhost.dyndns.org and still reach your hostname.

If you have a private WAN IP address, then you cannot use Dynamic DNS.

13.2 The Dynamic DNS Screen

Use this screen to change your AMG1302/AMG1202-TSeries’s DDNS. Click Network Setting > Dynamic DNS. The screen appears as shown.

AMG1302/AMG1202-TSeries User’s Guide 165

Chapter 13 Dynamic DNS Setup

Figure 77 Network Setting > Dynamic DNS

The following table describes the fields in this screen.

Table 57 Network Setting > Dynamic DNS

LABEL DESCRIPTION

Dynamic DNS Setup Active Dynamic

DNS Service Provider This is the website of your Dynamic DNS service provider. Host Name Type the domain name assigned to your AMG1302/AMG1202-TSeries by your Dynamic

Username Type your user name. Password Type the password assigned to you. Enable Wildcard

Option Apply Click this to save your changes. Cancel Click this to restore your previously saved settings.

Select this check box to use dynamic DNS.

DNS provider.

You can specify up to two host names in the field separated by a comma (",").

Select the check box to enable DynDNS Wildcard.

166

AMG1302/AMG1202-TSeries User’s Guide

CHAPTER 14

14.1 Overview

This chapter introduces three types of filters supported by the AMG1302/AMG1202-TSeries. You can configure rules to restrict traffic by IP addresses, MAC addresses, IPv6 addresses and/or URLs.

14.1.1 What You Can Do in the Filter Screens

•Use the IP/MAC Filter screen (Section 14.2 on page 167) to create IP and MAC filter rules.

•Use the IPv6/MAC Filter screen (Section 14.3 on page 170) to create IPv6 and MAC filter rules.

14.1.2 What You Need to Know About Filtering

Filters

URL

The URL (Uniform Resource Locator) identifies and helps locates resources on a network. On the Internet the URL is the web address that you type in the address bar of your Internet browser, for example “http://www.zyxel.com”.

URL and IP Filter Structure

The URL, IP and IPv6 filters have individual rule indexes. The AMG1302/AMG1202-TSeries allows you to configure each type of filter with its own respective set of rules.

14.2 The IP/MAC Filter Screen

Use this screen to create and apply IP and MAC filters. Click Security > Filter > IP/MAC Filter. The screen appears as shown.

AMG1302/AMG1202-TSeries User’s Guide 167

Chapter 14 Filters

Figure 78 Security > Filter > IP/MAC Filter

The following table describes the labels in this screen.

Table 58 Security > Filter > IP/MAC Filter

LABEL DESCRIPTION

Rule Type Rule Type selection Select White List to specify traffic to allow and Black List to specify traffic to

disallow. IP / MAC Filter Rule Editing IP / MAC Filter Rule Index Select the index number of the filter rule. Active Use this field to enable or disable the filter rule. Interface Select the PVC to which to apply the filter. Direction Apply the filter to Incoming or Outgoing traffic direction. Rule Type Select IP or MAC type to configure the rule.

Use the IP Filter to block or allow traffic by IP addresses.

Use the MAC Filter to block or allow traffic by MAC address. Source IP Address Enter the source IP address of the packets you wish to filter. This field is

Subnet Mask Enter the IP subnet mask for the source IP address Port Number Enter the source port of the packets that you wish to filter. The range of this

Destination IP Address Enter the destination IP address of the packets you wish to filter. This field is

ignored if it is 0.0.0.0.

field is 0 to 65535. This field is ignored if it is 0.

ignored if it is 0.0.0.0.

168

AMG1302/AMG1202-TSeries User’s Guide

Chapter 14 Filters

Table 58 Security > Filter > IP/MAC Filter (continued)

LABEL DESCRIPTION

Subnet Mask Enter the IP subnet mask for the destination IP address. Port Number Enter the destination port of the packets that you wish to filter. The range of

this field is 0 to 65535. This field is ignored if it is 0. Protocol Select ICMP, TCP or UDP for the upper layer protocol. IP / MAC Filter Listing IP / MAC Filter Rule Index Select the index number of the filter set from the drop-down list box. # This is the index number of the rule in a filter set. Active This field shows whether the rule is activated. Interface This is the interface that the filter set applies to. Direction The filter set applies to this traffic direction. Src IP/Mask This is the source IP address and subnet mask when you select IP as the rule

type. Dest IP/Mask This is the destination IP address and subnet mask. Mac Address This is the MAC address of the packets being filtered. Src Port This is the source port number. Dest Port This is the destination port number. Protocol This is the upper layer protocol. Apply Click this to apply your changes. Delete Click this to remove the filter rule. Cancel Click this to restore your previously saved settings.

AMG1302/AMG1202-TSeries User’s Guide

169

Chapter 14 Filters

14.3 IPv6/MAC Filter

Use this screen to create and apply IPv6 filters. Click Security > Filter > IPv6/MAC Filter. The screen appears as shown.

Figure 79 Security > Filter > IPv6/MAC Filter

The following table describes the labels in this screen.

Table 59 Security > Filter > IPv6/MAC Filter

LABEL DESCRIPTION

Rule Type Rule Type selection Select White List to specify traffic to allow and Black List to specify traffic to

IPv6 / MAC Filter Rule Editing IPv6 / MAC Filter Rule Index Select the index number of the filter rule. Active Use this field to enable or disable the filter rule. Interface Select the PVC to which to apply the filter. Direction Apply the filter to Incoming or Outgoing traffic direction. Rule Type Select IP or MAC type to configure the rule.

Source IP Address Enter the source IPv6 address of the packets you wish to filter. This field is

Source Prefix Length Enter the prefix length for the source IPv6 address Destination IPv6 Address Enter the destination IPv6 address of the packets you wish to filter. This field is

block.

Use the IP Filter to block or allow traffic by IPv6 addresses.

Use the MAC Filter to block or allow traffic by MAC address.

ignored if it is ::.

170

AMG1302/AMG1202-TSeries User’s Guide

Chapter 14 Filters

Table 59 Security > Filter > IPv6/MAC Filter (continued)

LABEL DESCRIPTION

Destination Prefix Length Enter the prefix length for the destination IPv6 address. ICMPv6 Type Select the ICMPv6 message type to filter. The following message types can be

selected:

1 / Destination Unreachable: 0 - no route to destination; 1 -

communication with destination administratively prohibited; 3 - address

unreachable; 4 - port unreachable

2 / Packet Too Big

3 / Time Exceeded: 0 - hop limit exceeded in transit; 1 - fragment

reassembly time exceeded

4 / Parameter Problem: 0 - erroneous header field encountered; 1 -

unrecognized Next Header type encountered; 2 - unrecognized IPv6 option

encountered

128 / Echo Request

129 / Echo Response

130 / Listener Query - Multicast listener query

131 / Listener Report - Multicast listener report

132 / Listener Done - Multicast listener done

143 / Listener Report v2 - Multicast listener report v2

133 / Router Solicitation

134 / Router Advertisement

135 / Neighbor Solicitation

136 / Neighbor Advertisement

137 / Redirect - Redirect message

Protocol This is the (upper layer) protocol that defines the service to which this rule

IPv6 / MAC Filter Listing IPv6 / MAC Filter Rule Index Select the index number of the filter set from the drop-down list box. # This is the index number of the rule in a filter set. Active This field shows whether the rule is activated. Interface This is the interface that the rule applies to. Direction The filter set applies to this traffic direction. ICMPv6 Type The ICMPv6 message type to filter. Src IP/PrefixLength This displays the source IPv6 address and prefix length. Dest IP/PrefixLength This displays the destination IPv6 address and prefix length. Mac Address This is the MAC address of the packets being filtered. Protocol This is the (upper layer) protocol that defines the service to which this rule

Apply Click this to apply your changes. Delete Click this to remove the filter rule. Cancel Click this to restore your previously saved settings.

applies. By default it is ICMPv6.

AMG1302/AMG1202-TSeries User’s Guide

171

Chapter 14 Filters

172

AMG1302/AMG1202-TSeries User’s Guide

15.1 Overview

WAN

LAN

3 4

1 2

This chapter shows you how to enable the AMG1302/AMG1202-TSeries firewall. Use the firewall to protect your AMG1302/AMG1202-TSeries and network from attacks by hackers on the Internet and control access to it. The firewall:

• allows traffic that originates from your LAN computers to go to all other networks.

• blocks traffic that originates on other networks from going to the LAN.

• blocks SYN and port scanner attacks.

By default, the AMG1302/AMG1202-TSeries blocks DDOS, LAND and Ping of Death attacks whether the firewall is enabled or disabled.

The following figure illustrates the firewall action. User A can initiate an IM (Instant Messaging) session from the LAN to the WAN (1). Return traffic for this session is also allowed (2). However other traffic initiated from the WAN is blocked (3 and 4).

CHAPTER 15

Firewall

Figure 80 Default Firewall Action

15.1.1 What You Can Do in the Firewall Screens

•Use the General screen (Section 15.2 on page 175) to select the firewall protection level on the

AMG1302/AMG1202-TSeries.

•Use the Default Action screen (Section 15.3 on page 176) to set the default action that the

firewall takes on packets that do not match any of the firewall rules.

•Use the Rules screen (Section 15.4 on page 178) to view the configured firewall rules and add,

edit or remove a firewall rule.

•Use the Dos screen (Section 15.5 on page 184) to set the thresholds that the AMG1302/

AMG1202-TSeries uses to determine when to start dropping sessions that do not become fully established (half-open sessions).

AMG1302/AMG1202-TSeries User’s Guide 173

Chapter 15 Firewall

15.1.2 What You Need to Know About Firewall

SYN Attack

A SYN attack floods a targeted system with a series of SYN packets. Each packet causes the targeted system to issue a SYN-ACK response. While the targeted system waits for the ACK that follows the SYN-ACK, it queues up all outstanding SYN-ACK responses on a backlog queue. SYNACKs are moved off the queue only when an ACK comes back or when an internal timer terminates the three-way handshake. Once the queue is full, the system will ignore all incoming SYN requests, making the system unavailable for legitimate users.

DoS

Denials of Service (DoS) attacks are aimed at devices and networks with a connection to the Internet. Their goal is not to steal information, but to disable a device or network so users no longer have access to network resources. The AMG1302/AMG1202-TSeries is pre-configured to automatically detect and thwart all known DoS attacks.

DDoS

A Distributed DoS (DDoS) attack is one in which multiple compromised systems attack a single target, thereby causing denial of service for users of the targeted system.

LAND Attack

In a Local Area Network Denial (LAND) attack, hackers flood SYN packets into the network with a spoofed source IP address of the target system. This makes it appear as if the host computer sent the packets to itself, making the system unavailable while the target system tries to respond to itself.

Ping of Death

Ping of Death uses a "ping" utility to create and send an IP packet that exceeds the maximum 65,536 bytes of data allowed by the IP specification. This may cause systems to crash, hang or reboot.

SPI

Stateful Packet Inspection (SPI) tracks each connection crossing the firewall and makes sure it is valid. Filtering decisions are based not only on rules but also context. For example, traffic from the WAN may only be allowed to cross the firewall in response to a request from the LAN.

RFC 4890 SPEC T raffic

174

RFC 4890 specifies the filtering policies for ICMPv6 messages. This is important for protecting against security threats including DoS, probing, redirection attacks and renumbering attacks that can be carried out through ICMPv6. Since ICMPv6 error messages are critical for establishing and maintaining communications, filtering policy focuses on ICMPv6 informational messages.

AMG1302/AMG1202-TSeries User’s Guide

Chapter 15 Firewall

Anti-Probing

If an outside user attempts to probe an unsupported port on your AMG1302/AMG1202-TSeries, an ICMP response packet is automatically returned. This allows the outside user to know the AMG1302/AMG1202-TSeries exists. The AMG1302/AMG1202-TSeries supports anti-probing, which prevents the ICMP response packet from being sent. This keeps outsiders from discovering your AMG1302/AMG1202-TSeries when unsupported ports are probed.

ICMP

Internet Control Message Protocol (ICMP) is a message control and error-reporting protocol between a host server and a gateway to the Internet. ICMP uses Internet Protocol (IP) datagrams, but the messages are processed by the TCP/IP software and directly apparent to the application user.

DoS Thresholds

For DoS attacks, the AMG1302/AMG1202-TSeries uses thresholds to determine when to drop sessions that do not become fully established. These thresholds apply globally to all sessions. You can use the default threshold values, or you can change them to values more suitable to your security requirements.

15.2 The Firewall General Screen

Use this screen to select the firewall protection level on the AMG1302/AMG1202-TSeries. Click Security > Firewall > General to display the following screen.

Figure 81 Security > Firewall > General

AMG1302/AMG1202-TSeries User’s Guide

175

Chapter 15 Firewall

The following table describes the labels in this screen.

Table 60 Security > Firewall > General

LABEL DESCRIPTION

High This setting blocks all traffic to and from the Internet. Only local network traffic and LAN to WAN

Medium This is the recommended setting. It allows traffic to the Internet but blocks anyone from the

Low This setting allows traffic to the Internet and also allows someone from the Internet to access

Custom This setting allows the customer to create and edit individual firewall rules.

Off This setting is not recommended. It disables firewall protection for your network and could

Apply Click this to save your changes. Cancel Click this to restore your previously saved settings.

service (Telnet, FTP, HTTP, HTTPS, DNS, POP3, SMTP) is permitted.

Internet from accessing any services on your local network.

services on your local network. This would be used with Port Forwarding, Default Server.

Firewall rules can be created in the Default Action screen (Section 15.3 on page 176) and Rules screen (Section 15.4 on page 178).

potentially expose your network to significant security risks. This option should only be used for troubleshooting or if you intend using another firewall in conjunction with your ZyXEL router.

15.3 The Default Action Screen

Use this screen to set the default action that the firewall takes on packets that do not match any of the firewall rules. Click Security > Firewall > Default Action to display the following screen.

Figure 82 Security > Firewall > Default Action

176

AMG1302/AMG1202-TSeries User’s Guide

Chapter 15 Firewall

The following table describes the labels in this screen.

Table 61 Security > Firewall > Default Action

LABEL DESCRIPTION

Packet Direction This is the direction of travel of packets (LAN to Router , LAN to WAN, WAN to Router,

Default Action Use the drop-down list boxes to select the default action that the firewall is to take on

Apply Click this to save your changes. Cancel Click this to restore your previously saved settings.

WAN to LAN).

Firewall rules are grouped based on the direction of travel of packets to which they apply. For example, LAN to Router means packets traveling from a computer/subnet on the LAN to the AMG1302/AMG1202-TSeries itself.

packets that are traveling in the selected direction and do not match any of the firewall rules.

Select Drop to silently discard the packets without sending a TCP reset packet or an ICMP destination-unreachable message to the sender.

Select Reject to deny the packets and send a TCP reset packet (for a TCP packet) or an ICMP destination-unreachable message (for a UDP packet) to the sender.

Select Permit to allow the passage of the packets.

AMG1302/AMG1202-TSeries User’s Guide

177

Chapter 15 Firewall

15.4 The Rules Screen

Click Security > Firewall > Rules to display the following screen. This screen displays a list of the configured firewall rules. Note the order in which the rules are listed.

Note: The firewall configuration screen shown in this section is specific to the following

devices: P-The ordering of your rules is very important as rules are applied in turn.

Figure 83 Security > Firewall > Rules

The following table describes the labels in this screen.

Table 62 Security > Firewall > Rules

LABEL DESCRIPTION

Firewall Rules Storage Space in Use

Packet Direction Use the drop-down list box to select a direction of travel of packets for which you

Create a new rule after rule number

# This is your firewall rule number. The ordering of your rules is important as rules are

Active This field displays whether a firewall is turned on or not. Select the check box to

Source IP Address This column displays the source addresses or ranges of addresses to which this

Destination IP Address This column displays the destination addresses or ranges of addresses to which this

Service This column displays the services to which this firewall rule applies. See Appendix F

Action This field displays whether the firewall silently discards packets (Drop), discards

Source Interface This column displays the source interface to which this firewall rule applies. This is

This read-only bar shows how much of the AMG1302/AMG1202-TSeries's memory for recording firewall rules it is currently using. When you are using 80% or less of the storage space, the bar is green. When the amount of space used is over 80%, the bar is red.

want to configure firewall rules. Select an index number and click Add to add a new firewall rule after the selected

index number. For example, if you select “6”, your new rule becomes number 7 and the previous rule 7 (if there is one) becomes rule 8.

The following read-only fields summarize the rules you have created that apply to traffic traveling in the selected packet direction. The firewall rules that you configure (summarized below) take priority over the general firewall action settings in the General screen.

applied in turn.

enable the rule. Clear the check box to disable the rule.

firewall rule applies. Please note that a blank source or destination address is equivalent to Any.

on page 305 for more information.

packets and sends a TCP reset packet or an ICMP destination-unreachable message to the sender (Reject) or allows the passage of packets (Permit).

the interface through which the traffic entered the AMG1302/AMG1202-TSeries. Please note that a blank source interface is equivalent to Any.

178

AMG1302/AMG1202-TSeries User’s Guide

Table 62 Security > Firewall > Rules

LABEL DESCRIPTION

Destination Interface This column displays the destination interface to which this firewall rule applies. This

is the interface through which the traffic is destined to leave the AMG1302/ AMG1202-TSeries. Please note that a blank source interface is equivalent to Any.

Modify Click the Edit icon to go to the screen where you can edit the rule.

Click the Remove icon to delete an existing firewall rule. A window displays asking you to confirm that you want to delete the firewall rule. Note that subsequent firewall

rules move up by one when you take this action. Apply Click this to save your changes. Cancel Click this to restore your previously saved settings.

15.4.1 The Rules Add Screen

Use this screen to configure firewall rules. In the Rules screen, select an index number and click Add or click a rule’s Edit icon to display this screen and refer to the following table for information

on the labels.

Chapter 15 Firewall

AMG1302/AMG1202-TSeries User’s Guide

179

Chapter 15 Firewall

Figure 84 Security > Firewall > Rules > Add

180

The following table describes the labels in this screen.

Table 63 Security > Firewall > Rules > Add

LABEL DESCRIPTION

Active Select this option to enable this firewall rule. Action for Matched

Packets

IP Version Type Select the IP version, IPv4 or IPv6, to apply this firewall rule to. Rate Limit Set a maximum number of packets per second, minute, or hour to limit the

Maximum Burst Number

Log This field determines if a log for packets that match the rule is created or not. Rules/Destination Address

Use the drop-down list box to select whether to discard (Drop), deny and send an

ICMP destination-unreachable message to the sender of (Reject) or allow the

passage of (Permit) packets that match this rule.

throughput of traffic that matches this rule.

Set the maximum number of packets that can be sent at the peak rate.

AMG1302/AMG1202-TSeries User’s Guide

Chapter 15 Firewall

Table 63 Security > Firewall > Rules > Add

LABEL DESCRIPTION

Address Type Do you want your rule to apply to packets with a particular (single) IP, a range of IP

addresses (for instance, 192.168.1.10 to 192.169.1.50), a subnet or any IP address?

Select an option from the drop-down list box that includes: Single Address, Range

Address, Subnet Address and Any Start IP Address Enter the single IP address or the starting IP address in a range here. End IP Address Enter the ending IP address in a range here. Subnet Mask Enter the subnet mask here, if applicable. Source Mac Address Specify a source MAC address of traffic to which to apply this firewall rule applies.

Please note that a blank source MAC address is equivalent to any. Source Interface Specify a source interface to which this firewall rule applies. This is the interface

through which the traffic entered the AMG1302/AMG1202-TSeries. Please note that a

blank source interface is equivalent to any. Destination Interface Specify a destination interface to which this firewall rule applies. This is the interface

through which the traffic is destined to leave the AMG1302/AMG1202-TSeries. Please

note that a blank source interface is equivalent to any. Services Available Services Please see Appendix F on page 305 for more information on services available. Select

Edit Customized Service

TCP Flag Specify any TCP flag bits the firewall rule is to check for. Schedule Select the days and time during which to apply the rule. Select Everyday and All

Apply Click this to save your changes. Cancel Click this to restore your previously saved settings.

a service from the Available Services box.

Click the Edit Customized Service button to bring up the screen that you use to

configure a new custom service that is not in the predefined list of services.

Day to always apply the rule.

Address.

15.4.2 Customized Services

Configure customized services and port numbers not predefined by the AMG1302/AMG1202TSeries. For a comprehensive list of port numbers and services, visit the IANA (Internet Assigned Number Authority) website. See Appendix F on page 305 for some examples. Click the Edit Customized Services button while editing a firewall rule to configure a custom service port. This displays the following screen.

AMG1302/AMG1202-TSeries User’s Guide

181

Chapter 15 Firewall

Figure 85 Security > Firewall > Rules: Edit: Edit Customized Services

The following table describes the labels in this screen.

Table 64 Security > Firewall > Rules: Edit: Edit Customized Services

LABEL DESCRIPTION

# This is the number of your customized port. Name This is the name of your customized service. Protocol This shows the IP protocol (TCP or UDP) that defines your customized service. Port Type This is the port number or range that defines your customized service. Start Port This is a single port number or the starting port number of a range that defines your

End Port This is a single port number or the ending port number of a range that defines your customized

Modify Click this to edit a customized service. Add Click this to configure a customized service. Back Click this to return to the Firewall Edit Rule screen.

customized service.

service.

15.4.3 Customized Service Add/Edit

Use this screen to add a customized rule or edit an existing rule. Click Add or the Edit icon next to a rule number in the Firewall Customized Services screen to display the following screen.

Figure 86 Security > Firewall > Rules: Edit: Edit Customized Services: Add/Edit

182

AMG1302/AMG1202-TSeries User’s Guide

Chapter 15 Firewall

The following table describes the labels in this screen.

Table 65 Security > Firewall > Rules: Edit: Edit Customized Services: Add/Edit

LABEL DESCRIPTION

Config Service Name Type a unique name for your custom port. Service Type Choose the IP port (TCP or UDP) that defines your customized port from the drop down list

Port Configuration Type Click Single to specify one port only or Port Range to specify a span of ports that define

Port Number Type a single port number or the range of port numbers that define your customized

Back Click this to return to the previous screen without saving. Apply Click this to save your changes. Cancel Click this to restore your previously saved settings. Delete Click this to delete the current rule.

box.

your customized service.

service.

AMG1302/AMG1202-TSeries User’s Guide

183

Chapter 15 Firewall

15.5 The DoS Screen

Use this screen to enable DoS protection. Click Security > Firewall > Dos to display the following screen.

Figure 87 Security > Firewall > Dos

The following table describes the labels in this screen.

Table 66 Security > Firewall > Dos

LABEL DESCRIPTION

Denial of Services Enable this to protect against DoS attacks. The AMG1302/AMG1202-TSeries will drop

Apply Click this to save your changes. Cancel Click this to restore your previously saved settings. Advanced Click this to go to a screen to specify maximum thresholds at which the AMG1302/

sessions that surpass maximum thresholds.

AMG1202-TSeries will start dropping sessions.

15.5.1 The DoS Advanced Screen

For DoS attacks, the AMG1302/AMG1202-TSeries uses thresholds to determine when to start dropping sessions that do not become fully established (half-open sessions). These thresholds apply globally to all sessions.

For TCP, half-open means that the session has not reached the established state-the TCP three-way handshake has not yet been completed. Under normal circumstances, the application that initiates a session sends a SYN (synchronize) packet to the receiving server. The receiver sends back an ACK (acknowledgment) packet and its own SYN, and then the initiator responds with an ACK (acknowledgment). After this handshake, a connection is established.

Figure 88 Three-Way Handshake

184

For UDP, half-open means that the firewall has detected no return traffic. An unusually high number (or arrival rate) of half-open sessions could indicate a DOS attack.

AMG1302/AMG1202-TSeries User’s Guide

15.5.1.1 Threshold Values

If everything is working properly, you probably do not need to change the threshold settings as the default threshold values should work for most small offices. Tune these parameters when you believe the AMG1302/AMG1202-TSeries has been receiving DoS attacks that are not recorded in the logs or the logs show that the AMG1302/AMG1202-TSeries is classifying normal traffic as DoS attacks. Factors influencing choices for threshold values are:

1 The maximum number of opened sessions.

2 The minimum capacity of server backlog in your LAN network.

3 The CPU power of servers in your LAN network.

4 Network bandwidth.

5 Type of traffic for certain servers.

Reduce the threshold values if your network is slower than average for any of these factors (especially if you have servers that are slow or handle many tasks and are often busy).

• If you often use P2P applications such as file sharing with eMule or eDonkey, it’s recommended that you increase the threshold values since lots of sessions will be established during a small period of time and the AMG1302/AMG1202-TSeries may classify them as DoS attacks.

Chapter 15 Firewall

15.5.2 Configuring Firewall Thresholds

Click Security > Firewall > DoS > Advanced to display the following screen.

Figure 89 Security > Firewall > DoS > Advanced

AMG1302/AMG1202-TSeries User’s Guide

185

Chapter 15 Firewall

The following table describes the labels in this screen.

Table 67 Security > Firewall > DoS > Advanced

LABEL DESCRIPTION

TCP SYN-Request Count

UDP Packet Count This is the rate of new UDP half-open sessions per second that causes the firewall to

ICMP Echo-Request Count

Back Click this button to return to the previous screen. Apply Click this to save your changes. Cancel Click this to restore your previously saved settings.

This is the rate of new TCP half-open sessions per second that causes the firewall to start deleting half-open sessions. When the rate of new connection attempts rises above this number, the AMG1302/AMG1202-TSeries deletes half-open sessions as required to accommodate new connection attempts.

start deleting half-open sessions. When the rate of new connection attempts rises above this number, the AMG1302/AMG1202-TSeries deletes half-open sessions as required to accommodate new connection attempts.

This is the rate of new ICMP Echo-Request half-open sessions per second that causes the firewall to start deleting half-open sessions. When the rate of new connection attempts rises above this number, the AMG1302/AMG1202-TSeries deletes half-open sessions as required to accommodate new connection attempts.

15.6 Firewall Technical Reference

This section provides some technical background information about the topics covered in this chapter.

15.6.1 Firewall Rules Overview

Your customized rules take precedence and override the AMG1302/AMG1202-TSeries’s default settings. The AMG1302/AMG1202-TSeries checks the source IP address, destination IP address and IP protocol type of network traffic against the firewall rules (in the order you list them). When the traffic matches a rule, the AMG1302/AMG1202-TSeries takes the action specified in the rule.

Firewall rules are grouped based on the direction of travel of packets to which they apply:

•LAN to Router •WAN to LAN

• LAN to WAN • WAN to Router

Note: The LAN includes both the LAN port and the WLAN.

By default, the AMG1302/AMG1202-TSeries’s stateful packet inspection allows packets traveling in the following directions:

•LAN to Router These rules specify which computers on the LAN can manage the AMG1302/AMG1202-TSeries

(remote management).

186

Note: You can also configure the remote management settings to allow only a specific

computer to manage the AMG1302/AMG1202-TSeries.

AMG1302/AMG1202-TSeries User’s Guide

Chapter 15 Firewall

•LAN to WAN These rules specify which computers on the LAN can access which computers or services on the

WAN.

By default, the AMG1302/AMG1202-TSeries’s stateful packet inspection drops packets traveling in the following directions:

•WAN to LAN These rules specify which computers on the WAN can access which computers or services on the

LAN.

Note: You also need to configure NAT port forwarding (or full featured NAT address

mapping rules) to allow computers on the WAN to access devices on the LAN.

•WAN to Router By default the AMG1302/AMG1202-TSeries stops computers on the WAN from managing the

AMG1302/AMG1202-TSeries. You could configure one of these rules to allow a WAN computer to manage the AMG1302/AMG1202-TSeries.

Note: You also need to configure the remote management settings to allow a WAN

computer to manage the AMG1302/AMG1202-TSeries.

You may define additional rules and sets or modify existing ones but please exercise extreme caution in doing so.

For example, you may create rules to:

• Block certain types of traffic, such as IRC (Internet Relay Chat), from the LAN to the Internet.

• Allow certain types of traffic, such as Lotus Notes database synchronization, from specific hosts on the Internet to specific hosts on the LAN.

• Allow everyone except your competitors to access a web server.

• Restrict use of certain protocols, such as Telnet, to authorized users on the LAN.

These custom rules work by comparing the source IP address, destination IP address and IP protocol type of network traffic to rules set by the administrator. Your customized rules take precedence and override the AMG1302/AMG1202-TSeries’s default rules.

15.6.2 Guidelines For Enhancing Security With Your Firewall

6 Change the default password via web configurator.

7 Think about access control before you connect to the network in any way.

8 Limit who can access your router.

9 Don't enable any local service (such as telnet or FTP) that you don't use. Any enabled service could

present a potential security risk. A determined hacker might be able to find creative ways to misuse the enabled services to access the firewall or the network.

10 For local services that are enabled, protect against misuse. Protect by configuring the services to

communicate only with specific peers, and protect by configuring rules to block packets for the services at specific interfaces.

AMG1302/AMG1202-TSeries User’s Guide

187

Chapter 15 Firewall

WAN

LAN

11 Protect against IP spoofing by making sure the firewall is active.

12 Keep the firewall in a secured (locked) room.

15.6.3 Security Considerations

Note: Incorrectly configuring the firewall may block valid access or introduce security

risks to the AMG1302/AMG1202-TSeries and your protected network. Use caution when creating or deleting firewall rules and test your rules after you configure them.

Consider these security ramifications before creating a rule:

1 Does this rule stop LAN users from accessing critical resources on the Internet? For example, if IRC

is blocked, are there users that require this service?

2 Is it possible to modify the rule to be more specific? For example, if IRC is blocked for all users, will

a rule that blocks just certain users be more effective?

3 Does a rule that allows Internet users access to resources on the LAN create a security

vulnerability? For example, if FTP ports (TCP 20, 21) are allowed from the Internet to the LAN, Internet users may be able to connect to computers with running FTP servers.

4 Does this rule conflict with any existing rules?

Once these questions have been answered, adding rules is simply a matter of entering the information into the correct fields in the web configurator screens.

15.6.4 Triangle Route

When the firewall is on, your AMG1302/AMG1202-TSeries acts as a secure gateway between your LAN and the Internet. In an ideal network topology, all incoming and outgoing network traffic passes through the AMG1302/AMG1202-TSeries to protect your LAN against attacks.

Figure 90 Ideal Firewall Setup

15.6.4.1 The “Triangle Route” Problem

A traffic route is a path for sending or receiving data packets between two Ethernet devices. You may have more than one connection to the Internet (through one or more ISPs). If an alternate gateway is on the LAN (and its IP address is in the same subnet as the AMG1302/AMG1202TSeries’s LAN IP address), the “triangle route” (also called asymmetrical route) problem may occur. The steps below describe the “triangle route” problem.

188

AMG1302/AMG1202-TSeries User’s Guide

Chapter 15 Firewall

WAN

LAN

ISP 1

ISP 2

1 A computer on the LAN initiates a connection by sending out a SYN packet to a receiving server on

the WAN.

2 The AMG1302/AMG1202-TSeries reroutes the SYN packet through Gateway A on the LAN to the

WAN.

3 The reply from the WAN goes directly to the computer on the LAN without going through the

AMG1302/AMG1202-TSeries.

As a result, the AMG1302/AMG1202-TSeries resets the connection, as the connection has not been acknowledged.

Figure 91 “Triangle Route” Problem

15.6.4.2 Solving the “Triangle Route” Problem

If you have the AMG1302/AMG1202-TSeries allow triangle route sessions, traffic from the WAN can go directly to a LAN computer without passing through the AMG1302/AMG1202-TSeries and its firewall protection.

Another solution is to use IP alias. IP alias allows you to partition your network into logical sections over the same Ethernet interface. Your AMG1302/AMG1202-TSeries supports up to three logical LAN interfaces with the AMG1302/AMG1202-TSeries being the gateway for each logical network.

It’s like having multiple LAN networks that actually use the same physical cables and ports. By putting your LAN and Gateway A in different subnets, all returning network traffic must pass through the AMG1302/AMG1202-TSeries to your LAN. The following steps describe such a scenario.

1 A computer on the LAN initiates a connection by sending a SYN packet to a receiving server on the

WAN.

2 The AMG1302/AMG1202-TSeries reroutes the packet to Gateway A, which is in Subnet 2.

3 The reply from the WAN goes to the AMG1302/AMG1202-TSeries.

4 The AMG1302/AMG1202-TSeries then sends it to the computer on the LAN in Subnet 1.

AMG1302/AMG1202-TSeries User’s Guide

189

Chapter 15 Firewall

LAN

ISP 1

ISP 2

WAN

Subnet 1

Subnet 2

Figure 92 IP Alias

190

AMG1302/AMG1202-TSeries User’s Guide

+ 130 hidden pages