ZyXEL AMG1312T10B Users Manual
CHAPTER 13
Dynamic DNS Setup
13.1 Overview
Dynamic DNS allows you to update your current dynamic IP address with one or many dynamic
DNS services so that anyone can contact you (in NetMeeting, CU-SeeMe, etc.). You can also access
your FTP server or Web site on your own computer using a domain name (for instance
myhost.dhs.org, where myhost is a name of your choice) that will never change instead of using an
IP address that changes each time you reconnect. Your friends or relatives will always be able to
call you even if they don't know your IP address.
First of all, you need to have registered a dynamic DNS account with www.dyndns.org. This is for
people with a dynamic IP from their ISP or DHCP server that would still like to have a domain name.
The Dynamic DNS service provider will give you a password or key.
13.1.1 What You Can Do in the DDNS Screen
Use the Dynamic DNS screen (Section 13.2 on page 161) to enable DDNS and configure the DDNS
settings on the AMG1312-T Series.
13.1.2 What You Need To Know About DDNS
DYNDNS Wildcard
Enabling the wildcard feature for your host causes *.yourhost.dyndns.org to be aliased to the same
IP address as yourhost.dyndns.org. This feature is useful if you want to be able to use, for example,
www.yourhost.dyndns.org and still reach your hostname.
If you have a private WAN IP address, then you cannot use Dynamic DNS.
13.2 The Dynamic DNS Screen
Use this screen to change your AMG1312-T Series’s DDNS. Click Network Setting > Dynamic
DNS. The screen appears as shown.
AMG1312-T Series User’s Guide 161
Chapter 13 Dynamic DNS Setup
Figure 81 Network Setting > Dynamic DNS
The following table describes the fields in this screen.
Table 61 Network Setting > Dynamic DNS
LABEL DESCRIPTION
Dynamic DNS Setup
Active Dynamic
DNS
Service Provider This is the website of your Dynamic DNS service provider.
Host Name Type the domain name assigned to your AMG1312-T Series by your Dynamic DNS
Username Type your user name.
Password Type the password assigned to you.
Enable Wildcard
Option
Apply Click this to save your changes.
Cancel Click this to restore your previously saved settings.
Select this check box to use dynamic DNS.
provider.
You can specify up to two host names in the field separated by a comma (",").
Select the check box to enable DynDNS Wildcard.
162
AMG1312-T Series User’s Guide
CHAPTER 14
14.1 Overview
This chapter introduces three types of filters supported by the AMG1312-T Series. You can configure
rules to restrict traffic by IP addresses, MAC addresses, IPv6 addresses and/or URLs.
14.1.1 What You Can Do in the Filter Screens
•Use the IP/MAC Filter screen (Section 14.2 on page 163) to create IP and MAC filter rules.
•Use the IPv6/MAC Filter screen (Section 14.3 on page 166) to create IPv6 and MAC filter rules.
14.1.2 What You Need to Know About Filtering
Filters
URL
The URL (Uniform Resource Locator) identifies and helps locates resources on a network. On the
Internet the URL is the web address that you type in the address bar of your Internet browser, for
example “http://www.zyxel.com”.
URL and IP Filter Structure
The URL, IP and IPv6 filters have individual rule indexes. The AMG1312-T Series allows you to
configure each type of filter with its own respective set of rules.
14.2 The IP/MAC Filter Screen
Use this screen to create and apply IP and MAC filters. Click Security > Filter > IP/MAC Filter.
The screen appears as shown.
AMG1312-T Series User’s Guide 163
Chapter 14 Filters
Figure 82 Security > Filter > IP/MAC Filter
The following table describes the labels in this screen.
Table 62 Security > Filter > IP/MAC Filter
LABEL DESCRIPTION
Rule Type
Rule Type selection Select White List to specify traffic to allow and Black List to specify traffic to
disallow.
IP / MAC Filter Rule Editing
IP / MAC Filter Rule Index Select the index number of the filter rule.
Active Use this field to enable or disable the filter rule.
Interface Select the PVC to which to apply the filter.
Direction Apply the filter to Incoming or Outgoing traffic direction.
Rule Type Select IP or MAC type to configure the rule.
Use the IP Filter to block or allow traffic by IP addresses.
Use the MAC Filter to block or allow traffic by MAC address.
Source IP Address Enter the source IP address of the packets you wish to filter. This field is
Subnet Mask Enter the IP subnet mask for the source IP address
Port Number Enter the source port of the packets that you wish to filter. The range of this
Destination IP Address Enter the destination IP address of the packets you wish to filter. This field is
ignored if it is 0.0.0.0.
field is 0 to 65535. This field is ignored if it is 0.
ignored if it is 0.0.0.0.
164
AMG1312-T Series User’s Guide
Chapter 14 Filters
Table 62 Security > Filter > IP/MAC Filter (continued)
LABEL DESCRIPTION
Subnet Mask Enter the IP subnet mask for the destination IP address.
Port Number Enter the destination port of the packets that you wish to filter. The range of
this field is 0 to 65535. This field is ignored if it is 0.
Protocol Select ICMP, TCP or UDP for the upper layer protocol.
IP / MAC Filter Listing
IP / MAC Filter Rule Index Select the index number of the filter set from the drop-down list box.
# This is the index number of the rule in a filter set.
Active This field shows whether the rule is activated.
Interface This is the interface that the filter set applies to.
Direction The filter set applies to this traffic direction.
Src IP/Mask This is the source IP address and subnet mask when you select IP as the rule
type.
Dest IP/Mask This is the destination IP address and subnet mask.
Mac Address This is the MAC address of the packets being filtered.
Src Port This is the source port number.
Dest Port This is the destination port number.
Protocol This is the upper layer protocol.
Apply Click this to apply your changes.
Delete Click this to remove the filter rule.
Cancel Click this to restore your previously saved settings.
AMG1312-T Series User’s Guide
165
Chapter 14 Filters
14.3 IPv6/MAC Filter
Use this screen to create and apply IPv6 filters. Click Security > Filter > IPv6/MAC Filter. The
screen appears as shown.
Figure 83 Security > Filter > IPv6/MAC Filter
The following table describes the labels in this screen.
Table 63 Security > Filter > IPv6/MAC Filter
LABEL DESCRIPTION
Rule Type
Rule Type selection Select White List to specify traffic to allow and Black List to specify traffic to
IPv6 / MAC Filter Rule Editing
IPv6 / MAC Filter Rule Index Select the index number of the filter rule.
Active Use this field to enable or disable the filter rule.
Interface Select the PVC to which to apply the filter.
Direction Apply the filter to Incoming or Outgoing traffic direction.
Rule Type Select IP or MAC type to configure the rule.
Source IP Address Enter the source IPv6 address of the packets you wish to filter. This field is
Source Prefix Length Enter the prefix length for the source IPv6 address
Destination IPv6 Address Enter the destination IPv6 address of the packets you wish to filter. This field is
block.
Use the IP Filter to block or allow traffic by IPv6 addresses.
Use the MAC Filter to block or allow traffic by MAC address.
ignored if it is ::.
ignored if it is ::.
166
AMG1312-T Series User’s Guide
Chapter 14 Filters
Table 63 Security > Filter > IPv6/MAC Filter (continued)
LABEL DESCRIPTION
Destination Prefix Length Enter the prefix length for the destination IPv6 address.
ICMPv6 Type Select the ICMPv6 message type to filter. The following message types can be
selected:
1 / Destination Unreachable: 0 - no route to destination; 1 -
communication with destination administratively prohibited; 3 - address
unreachable; 4 - port unreachable
2 / Packet Too Big
3 / Time Exceeded: 0 - hop limit exceeded in transit; 1 - fragment
reassembly time exceeded
4 / Parameter Problem: 0 - erroneous header field encountered; 1 -
unrecognized Next Header type encountered; 2 - unrecognized IPv6 option
encountered
128 / Echo Request
129 / Echo Response
130 / Listener Query - Multicast listener query
131 / Listener Report - Multicast listener report
132 / Listener Done - Multicast listener done
143 / Listener Report v2 - Multicast listener report v2
133 / Router Solicitation
134 / Router Advertisement
135 / Neighbor Solicitation
136 / Neighbor Advertisement
137 / Redirect - Redirect message
Protocol This is the (upper layer) protocol that defines the service to which this rule
IPv6 / MAC Filter Listing
IPv6 / MAC Filter Rule Index Select the index number of the filter set from the drop-down list box.
# This is the index number of the rule in a filter set.
Active This field shows whether the rule is activated.
Interface This is the interface that the rule applies to.
Direction The filter set applies to this traffic direction.
ICMPv6 Type The ICMPv6 message type to filter.
Src IP/PrefixLength This displays the source IPv6 address and prefix length.
Dest IP/PrefixLength This displays the destination IPv6 address and prefix length.
Mac Address This is the MAC address of the packets being filtered.
Protocol This is the (upper layer) protocol that defines the service to which this rule
Apply Click this to apply your changes.
Delete Click this to remove the filter rule.
Cancel Click this to restore your previously saved settings.
applies. By default it is ICMPv6.
applies. By default it is ICMPv6.
AMG1312-T Series User’s Guide
167
15.1 Overview
WAN
LAN
3
4
1
2
A
This chapter shows you how to enable the AMG1312-T Series firewall. Use the firewall to protect
your AMG1312-T Series and network from attacks by hackers on the Internet and control access to
it. The firewall:
• allows traffic that originates from your LAN computers to go to all other networks.
• blocks traffic that originates on other networks from going to the LAN.
• blocks SYN and port scanner attacks.
By default, the AMG1312-T Series blocks DDOS, LAND and Ping of Death attacks whether the
firewall is enabled or disabled.
The following figure illustrates the firewall action. User A can initiate an IM (Instant Messaging)
session from the LAN to the WAN (1). Return traffic for this session is also allowed (2). However
other traffic initiated from the WAN is blocked (3 and 4).
CHAPTER 15
Firewall
Figure 84 Default Firewall Action
15.1.1 What You Can Do in the Firewall Screens
•Use the General screen (Section 15.2 on page 170) to select the firewall protection level on the
AMG1312-T Series.
•Use the Default Action screen (Section 15.3 on page 171) to set the default action that the
firewall takes on packets that do not match any of the firewall rules.
•Use the Rules screen (Section 15.4 on page 173) to view the configured firewall rules and add,
edit or remove a firewall rule.
•Use the Dos screen (Section 15.5 on page 179) to set the thresholds that the AMG1312-T Series
uses to determine when to start dropping sessions that do not become fully established (halfopen sessions).
AMG1312-T Series User’s Guide 168
15.1.2 What You Need to Know About Firewall
SYN Attack
A SYN attack floods a targeted system with a series of SYN packets. Each packet causes the
targeted system to issue a SYN-ACK response. While the targeted system waits for the ACK that
follows the SYN-ACK, it queues up all outstanding SYN-ACK responses on a backlog queue. SYNACKs are moved off the queue only when an ACK comes back or when an internal timer terminates
the three-way handshake. Once the queue is full, the system will ignore all incoming SYN requests,
making the system unavailable for legitimate users.
DoS
Denials of Service (DoS) attacks are aimed at devices and networks with a connection to the
Internet. Their goal is not to steal information, but to disable a device or network so users no longer
have access to network resources. The AMG1312-T Series is pre-configured to automatically detect
and thwart all known DoS attacks.
DDoS
Chapter 15 Firewall
A Distributed DoS (DDoS) attack is one in which multiple compromised systems attack a single
target, thereby causing denial of service for users of the targeted system.
LAND Attack
In a Local Area Network Denial (LAND) attack, hackers flood SYN packets into the network with a
spoofed source IP address of the target system. This makes it appear as if the host computer sent
the packets to itself, making the system unavailable while the target system tries to respond to
itself.
Ping of Death
Ping of Death uses a "ping" utility to create and send an IP packet that exceeds the maximum
65,536 bytes of data allowed by the IP specification. This may cause systems to crash, hang or
reboot.
SPI
Stateful Packet Inspection (SPI) tracks each connection crossing the firewall and makes sure it is
valid. Filtering decisions are based not only on rules but also context. For example, traffic from the
WAN may only be allowed to cross the firewall in response to a request from the LAN.
RFC 4890 SPEC T raffic
RFC 4890 specifies the filtering policies for ICMPv6 messages. This is important for protecting
against security threats including DoS, probing, redirection attacks and renumbering attacks that
can be carried out through ICMPv6. Since ICMPv6 error messages are critical for establishing and
maintaining communications, filtering policy focuses on ICMPv6 informational messages.
AMG1312-T Series User’s Guide
169
Chapter 15 Firewall
Anti-Probing
If an outside user attempts to probe an unsupported port on your AMG1312-T Series, an ICMP
response packet is automatically returned. This allows the outside user to know the AMG1312-T
Series exists. The AMG1312-T Series supports anti-probing, which prevents the ICMP response
packet from being sent. This keeps outsiders from discovering your AMG1312-T Series when
unsupported ports are probed.
ICMP
Internet Control Message Protocol (ICMP) is a message control and error-reporting protocol
between a host server and a gateway to the Internet. ICMP uses Internet Protocol (IP) datagrams,
but the messages are processed by the TCP/IP software and directly apparent to the application
user.
DoS Thresholds
For DoS attacks, the AMG1312-T Series uses thresholds to determine when to drop sessions that do
not become fully established. These thresholds apply globally to all sessions. You can use the
default threshold values, or you can change them to values more suitable to your security
requirements.
15.2 The Firewall General Screen
Use this screen to select the firewall protection level on the AMG1312-T Series. Click Security >
Firewall > General to display the following screen.
Figure 85 Security > Firewall > General
170
AMG1312-T Series User’s Guide
Chapter 15 Firewall
The following table describes the labels in this screen.
Table 64 Security > Firewall > General
LABEL DESCRIPTION
High This setting blocks all traffic to and from the Internet. Only local network traffic and LAN to WAN
Medium This is the recommended setting. It allows traffic to the Internet but blocks anyone from the
Low This setting allows traffic to the Internet and also allows someone from the Internet to access
Custom This setting allows the customer to create and edit individual firewall rules.
Off This setting is not recommended. It disables firewall protection for your network and could
Apply Click this to save your changes.
Cancel Click this to restore your previously saved settings.
service (Telnet, FTP, HTTP, HTTPS, DNS, POP3, SMTP) is permitted.
Internet from accessing any services on your local network.
services on your local network. This would be used with Port Forwarding, Default Server.
Firewall rules can be created in the Default Action screen (Section 15.3 on page 171) and Rules
screen (Section 15.4 on page 173).
potentially expose your network to significant security risks. This option should only be used for
troubleshooting or if you intend using another firewall in conjunction with your ZyXEL router.
15.3 The Default Action Screen
Use this screen to set the default action that the firewall takes on packets that do not match any of
the firewall rules. Click Security > Firewall > Default Action to display the following screen.
Figure 86 Security > Firewall > Default Action
AMG1312-T Series User’s Guide
171
Chapter 15 Firewall
The following table describes the labels in this screen.
Table 65 Security > Firewall > Default Action
LABEL DESCRIPTION
Packet Direction This is the direction of travel of packets (LAN to Router , LAN to WAN, WAN to Router,
Default Action Use the drop-down list boxes to select the default action that the firewall is to take on
Apply Click this to save your changes.
Cancel Click this to restore your previously saved settings.
WAN to LAN).
Firewall rules are grouped based on the direction of travel of packets to which they apply.
For example, LAN to Router means packets traveling from a computer/subnet on the
LAN to the AMG1312-T Series itself.
packets that are traveling in the selected direction and do not match any of the firewall
rules.
Select Drop to silently discard the packets without sending a TCP reset packet or an ICMP
destination-unreachable message to the sender.
Select Reject to deny the packets and send a TCP reset packet (for a TCP packet) or an
ICMP destination-unreachable message (for a UDP packet) to the sender.
Select Permit to allow the passage of the packets.
172
AMG1312-T Series User’s Guide
15.4 The Rules Screen
Click Security > Firewall > Rules to display the following screen. This screen displays a list of the
configured firewall rules. Note the order in which the rules are listed.
Note: The firewall configuration screen shown in this section is specific to the following
devices: P-The ordering of your rules is very important as rules are applied in turn.
Figure 87 Security > Firewall > Rules
The following table describes the labels in this screen.
Table 66 Security > Firewall > Rules
LABEL DESCRIPTION
Firewall Rules Storage
Space in Use
Packet Direction Use the drop-down list box to select a direction of travel of packets for which you
Create a new rule
after rule number
# This is your firewall rule number. The ordering of your rules is important as rules are
Active This field displays whether a firewall is turned on or not. Select the check box to
Source IP Address This column displays the source addresses or ranges of addresses to which this
Destination IP Address This column displays the destination addresses or ranges of addresses to which this
Service This column displays the services to which this firewall rule applies. See Appendix F
Action This field displays whether the firewall silently discards packets (Drop), discards
Source Interface This column displays the source interface to which this firewall rule applies. This is
This read-only bar shows how much of the AMG1312-T Series's memory for
recording firewall rules it is currently using. When you are using 80% or less of the
storage space, the bar is green. When the amount of space used is over 80%, the
bar is red.
want to configure firewall rules.
Select an index number and click Add to add a new firewall rule after the selected
index number. For example, if you select “6”, your new rule becomes number 7 and
the previous rule 7 (if there is one) becomes rule 8.
The following read-only fields summarize the rules you have created that apply to
traffic traveling in the selected packet direction. The firewall rules that you configure
(summarized below) take priority over the general firewall action settings in the
General screen.
applied in turn.
enable the rule. Clear the check box to disable the rule.
firewall rule applies. Please note that a blank source or destination address is
equivalent to Any.
firewall rule applies. Please note that a blank source or destination address is
equivalent to Any.
on page 286 for more information.
packets and sends a TCP reset packet or an ICMP destination-unreachable message
to the sender (Reject) or allows the passage of packets (Permit).
the interface through which the traffic entered the AMG1312-T Series. Please note
that a blank source interface is equivalent to Any.
Chapter 15 Firewall
AMG1312-T Series User’s Guide
173
Chapter 15 Firewall
Table 66 Security > Firewall > Rules (continued)
LABEL DESCRIPTION
Destination Interface This column displays the destination interface to which this firewall rule applies. This
is the interface through which the traffic is destined to leave the AMG1312-T Series.
Please note that a blank source interface is equivalent to Any.
Modify Click the Edit icon to go to the screen where you can edit the rule.
Click the Remove icon to delete an existing firewall rule. A window displays asking
you to confirm that you want to delete the firewall rule. Note that subsequent firewall
rules move up by one when you take this action.
Apply Click this to save your changes.
Cancel Click this to restore your previously saved settings.
15.4.1 The Rules Add Screen
Use this screen to configure firewall rules. In the Rules screen, select an index number and click
Add or click a rule’s Edit icon to display this screen and refer to the following table for information
on the labels.
174
AMG1312-T Series User’s Guide
Figure 88 Security > Firewall > Rules > Add
Chapter 15 Firewall
The following table describes the labels in this screen.
Table 67 Security > Firewall > Rules > Add
LABEL DESCRIPTION
Active Select this option to enable this firewall rule.
Action for Matched
Packets
IP Version Type Select the IP version, IPv4 or IPv6, to apply this firewall rule to.
Rate Limit Set a maximum number of packets per second, minute, or hour to limit the
Maximum Burst
Number
Log This field determines if a log for packets that match the rule is created or not.
Rules/Destination Address
AMG1312-T Series User’s Guide
Use the drop-down list box to select whether to discard (Drop), deny and send an
ICMP destination-unreachable message to the sender of (Reject) or allow the
passage of (Permit) packets that match this rule.
throughput of traffic that matches this rule.
Set the maximum number of packets that can be sent at the peak rate.
175
Chapter 15 Firewall
Table 67 Security > Firewall > Rules > Add (continued)
LABEL DESCRIPTION
Address Type Do you want your rule to apply to packets with a particular (single) IP, a range of IP
Start IP Address Enter the single IP address or the starting IP address in a range here.
End IP Address Enter the ending IP address in a range here.
Subnet Mask Enter the subnet mask here, if applicable.
Source Mac Address Specify a source MAC address of traffic to which to apply this firewall rule applies.
Source Interface Specify a source interface to which this firewall rule applies. This is the interface
Destination Interface Specify a destination interface to which this firewall rule applies. This is the interface
Services
Available Services Please see Appendix F on page 286 for more information on services available. Select
Edit Customized
Service
TCP Flag Specify any TCP flag bits the firewall rule is to check for.
Schedule Select the days and time during which to apply the rule. Select Everyday and All
Apply Click this to save your changes.
Cancel Click this to restore your previously saved settings.
addresses (for instance, 192.168.1.10 to 192.169.1.50), a subnet or any IP address?
Select an option from the drop-down list box that includes: Single Address, Range
Address, Subnet Address and Any
Please note that a blank source MAC address is equivalent to any.
through which the traffic entered the AMG1312-T Series. Please note that a blank
source interface is equivalent to any.
through which the traffic is destined to leave the AMG1312-T Series. Please note that
a blank source interface is equivalent to any.
a service from the Available Services box.
Click the Edit Customized Service button to bring up the screen that you use to
configure a new custom service that is not in the predefined list of services.
Day to always apply the rule.
Address.
15.4.2 Customized Services
Configure customized services and port numbers not predefined by the AMG1312-T Series. For a
comprehensive list of port numbers and services, visit the IANA (Internet Assigned Number
Authority) website. See Appendix F on page 286 for some examples. Click the Edit Customized
Services button while editing a firewall rule to configure a custom service port. This displays the
following screen.
176
AMG1312-T Series User’s Guide
Chapter 15 Firewall
Figure 89 Security > Firewall > Rules: Edit: Edit Customized Services
The following table describes the labels in this screen.
Table 68 Security > Firewall > Rules: Edit: Edit Customized Services
LABEL DESCRIPTION
# This is the number of your customized port.
Name This is the name of your customized service.
Protocol This shows the IP protocol (TCP or UDP) that defines your customized service.
Port Type This is the port number or range that defines your customized service.
Start Port This is a single port number or the starting port number of a range that defines your
customized service.
End Port This is a single port number or the ending port number of a range that defines your customized
service.
Modify Click this to edit a customized service.
Add Click this to configure a customized service.
Back Click this to return to the Firewall Edit Rule screen.
15.4.3 Customized Service Add/Edit
Use this screen to add a customized rule or edit an existing rule. Click Add or the Edit icon next to
a rule number in the Firewall Customized Services screen to display the following screen.
Figure 90 Security > Firewall > Rules: Edit: Edit Customized Services: Add/Edit
AMG1312-T Series User’s Guide
177
Chapter 15 Firewall
The following table describes the labels in this screen.
Table 69 Security > Firewall > Rules: Edit: Edit Customized Services: Add/Edit
LABEL DESCRIPTION
Config
Service Name Type a unique name for your custom port.
Service Type Choose the IP port (TCP or UDP) that defines your customized port from the drop down list
Port Configuration
Type Click Single to specify one port only or Port Range to specify a span of ports that define
Port Number Type a single port number or the range of port numbers that define your customized
Back Click this to return to the previous screen without saving.
Apply Click this to save your changes.
Cancel Click this to restore your previously saved settings.
Delete Click this to delete the current rule.
box.
your customized service.
service.
178
AMG1312-T Series User’s Guide
15.5 The DoS Screen
Use this screen to enable DoS protection. Click Security > Firewall > Dos to display the following
screen.
Figure 91 Security > Firewall > Dos
The following table describes the labels in this screen.
Table 70 Security > Firewall > Dos
LABEL DESCRIPTION
Denial of Services Enable this to protect against DoS attacks. The AMG1312-T Series will drop sessions that
surpass maximum thresholds.
Apply Click this to save your changes.
Cancel Click this to restore your previously saved settings.
Advanced Click this to go to a screen to specify maximum thresholds at which the AMG1312-T
Series will start dropping sessions.
Chapter 15 Firewall
15.5.1 The DoS Advanced Screen
For DoS attacks, the AMG1312-T Series uses thresholds to determine when to start dropping
sessions that do not become fully established (half-open sessions). These thresholds apply globally
to all sessions.
For TCP, half-open means that the session has not reached the established state-the TCP three-way
handshake has not yet been completed. Under normal circumstances, the application that initiates
a session sends a SYN (synchronize) packet to the receiving server. The receiver sends back an ACK
(acknowledgment) packet and its own SYN, and then the initiator responds with an ACK
(acknowledgment). After this handshake, a connection is established.
Figure 92 Three-Way Handshake
For UDP, half-open means that the firewall has detected no return traffic. An unusually high number
(or arrival rate) of half-open sessions could indicate a DOS attack.
AMG1312-T Series User’s Guide
179
Chapter 15 Firewall
15.5.1.1 Threshold Values
If everything is working properly, you probably do not need to change the threshold settings as the
default threshold values should work for most small offices. Tune these parameters when you
believe the AMG1312-T Series has been receiving DoS attacks that are not recorded in the logs or
the logs show that the AMG1312-T Series is classifying normal traffic as DoS attacks. Factors
influencing choices for threshold values are:
1 The maximum number of opened sessions.
2 The minimum capacity of server backlog in your LAN network.
3 The CPU power of servers in your LAN network.
4 Network bandwidth.
5 Type of traffic for certain servers.
Reduce the threshold values if your network is slower than average for any of these factors
(especially if you have servers that are slow or handle many tasks and are often busy).
• If you often use P2P applications such as file sharing with eMule or eDonkey, it’s recommended
that you increase the threshold values since lots of sessions will be established during a small
period of time and the AMG1312-T Series may classify them as DoS attacks.
15.5.2 Configuring Firewall Thresholds
Click Security > Firewall > DoS > Advanced to display the following screen.
Figure 93 Security > Firewall > DoS > Advanced
180
AMG1312-T Series User’s Guide
Chapter 15 Firewall
The following table describes the labels in this screen.
Table 71 Security > Firewall > DoS > Advanced
LABEL DESCRIPTION
TCP SYN-Request
Count
UDP Packet Count This is the rate of new UDP half-open sessions per second that causes the firewall to
ICMP Echo-Request
Count
Back Click this button to return to the previous screen.
Apply Click this to save your changes.
Cancel Click this to restore your previously saved settings.
This is the rate of new TCP half-open sessions per second that causes the firewall to
start deleting half-open sessions. When the rate of new connection attempts rises
above this number, the AMG1312-T Series deletes half-open sessions as required to
accommodate new connection attempts.
start deleting half-open sessions. When the rate of new connection attempts rises
above this number, the AMG1312-T Series deletes half-open sessions as required to
accommodate new connection attempts.
This is the rate of new ICMP Echo-Request half-open sessions per second that causes
the firewall to start deleting half-open sessions. When the rate of new connection
attempts rises above this number, the AMG1312-T Series deletes half-open sessions
as required to accommodate new connection attempts.
15.6 Firewall Technical Reference
This section provides some technical background information about the topics covered in this
chapter.
15.6.1 Firewall Rules Overview
Your customized rules take precedence and override the AMG1312-T Series’s default settings. The
AMG1312-T Series checks the source IP address, destination IP address and IP protocol type of
network traffic against the firewall rules (in the order you list them). When the traffic matches a
rule, the AMG1312-T Series takes the action specified in the rule.
Firewall rules are grouped based on the direction of travel of packets to which they apply:
•LAN to Router •WAN to LAN
• LAN to WAN • WAN to Router
Note: The LAN includes both the LAN port and the WLAN.
By default, the AMG1312-T Series’s stateful packet inspection allows packets traveling in the
following directions:
•LAN to Router
These rules specify which computers on the LAN can manage the AMG1312-T Series (remote
management).
Note: You can also configure the remote management settings to allow only a specific
computer to manage the AMG1312-T Series.
AMG1312-T Series User’s Guide
181
Chapter 15 Firewall
•LAN to WAN
These rules specify which computers on the LAN can access which computers or services on the
WAN.
By default, the AMG1312-T Series’s stateful packet inspection drops packets traveling in the
following directions:
•WAN to LAN
These rules specify which computers on the WAN can access which computers or services on the
LAN.
Note: You also need to configure NAT port forwarding (or full featured NAT address
•WAN to Router
By default the AMG1312-T Series stops computers on the WAN from managing the AMG1312-T
Series. You could configure one of these rules to allow a WAN computer to manage the
AMG1312-T Series.
Note: You also need to configure the remote management settings to allow a WAN
mapping rules) to allow computers on the WAN to access devices on the LAN.
computer to manage the AMG1312-T Series.
You may define additional rules and sets or modify existing ones but please exercise extreme
caution in doing so.
For example, you may create rules to:
• Block certain types of traffic, such as IRC (Internet Relay Chat), from the LAN to the Internet.
• Allow certain types of traffic, such as Lotus Notes database synchronization, from specific hosts
on the Internet to specific hosts on the LAN.
• Allow everyone except your competitors to access a web server.
• Restrict use of certain protocols, such as Telnet, to authorized users on the LAN.
These custom rules work by comparing the source IP address, destination IP address and IP
protocol type of network traffic to rules set by the administrator. Your customized rules take
precedence and override the AMG1312-T Series’s default rules.
15.6.2 Guidelines For Enhancing Security With Your Firewall
6 Change the default password via web configurator.
7 Think about access control before you connect to the network in any way.
8 Limit who can access your router.
9 Don't enable any local service (such as telnet or FTP) that you don't use. Any enabled service could
present a potential security risk. A determined hacker might be able to find creative ways to misuse
the enabled services to access the firewall or the network.
10 For local services that are enabled, protect against misuse. Protect by configuring the services to
communicate only with specific peers, and protect by configuring rules to block packets for the
services at specific interfaces.
182
AMG1312-T Series User’s Guide
11 Protect against IP spoofing by making sure the firewall is active.
1
2
WAN
LAN
12 Keep the firewall in a secured (locked) room.
15.6.3 Security Considerations
Note: Incorrectly configuring the firewall may block valid access or introduce security
risks to the AMG1312-T Series and your protected network. Use caution when
creating or deleting firewall rules and test your rules after you configure them.
Consider these security ramifications before creating a rule:
1 Does this rule stop LAN users from accessing critical resources on the Internet? For example, if IRC
is blocked, are there users that require this service?
2 Is it possible to modify the rule to be more specific? For example, if IRC is blocked for all users, will
a rule that blocks just certain users be more effective?
3 Does a rule that allows Internet users access to resources on the LAN create a security
vulnerability? For example, if FTP ports (TCP 20, 21) are allowed from the Internet to the LAN,
Internet users may be able to connect to computers with running FTP servers.
Chapter 15 Firewall
4 Does this rule conflict with any existing rules?
Once these questions have been answered, adding rules is simply a matter of entering the
information into the correct fields in the web configurator screens.
15.6.4 Triangle Route
When the firewall is on, your AMG1312-T Series acts as a secure gateway between your LAN and
the Internet. In an ideal network topology, all incoming and outgoing network traffic passes
through the AMG1312-T Series to protect your LAN against attacks.
Figure 94 Ideal Firewall Setup
15.6.4.1 The “Triangle Route” Problem
A traffic route is a path for sending or receiving data packets between two Ethernet devices. You
may have more than one connection to the Internet (through one or more ISPs). If an alternate
gateway is on the LAN (and its IP address is in the same subnet as the AMG1312-T Series’s LAN IP
address), the “triangle route” (also called asymmetrical route) problem may occur. The steps below
describe the “triangle route” problem.
AMG1312-T Series User’s Guide
183
Chapter 15 Firewall
1
2
3
WAN
LAN
A
ISP 1
ISP 2
1 A computer on the LAN initiates a connection by sending out a SYN packet to a receiving server on
the WAN.
2 The AMG1312-T Series reroutes the SYN packet through Gateway A on the LAN to the WAN.
3 The reply from the WAN goes directly to the computer on the LAN without going through the
AMG1312-T Series.
As a result, the AMG1312-T Series resets the connection, as the connection has not been
acknowledged.
Figure 95 “Triangle Route” Problem
15.6.4.2 Solving the “Triangle Route” Problem
If you have the AMG1312-T Series allow triangle route sessions, traffic from the WAN can go
directly to a LAN computer without passing through the AMG1312-T Series and its firewall
protection.
Another solution is to use IP alias. IP alias allows you to partition your network into logical sections
over the same Ethernet interface. Your AMG1312-T Series supports up to three logical LAN
interfaces with the AMG1312-T Series being the gateway for each logical network.
It’s like having multiple LAN networks that actually use the same physical cables and ports. By
putting your LAN and Gateway A in different subnets, all returning network traffic must pass
through the AMG1312-T Series to your LAN. The following steps describe such a scenario.
1 A computer on the LAN initiates a connection by sending a SYN packet to a receiving server on the
WAN.
2 The AMG1312-T Series reroutes the packet to Gateway A, which is in Subnet 2.
3 The reply from the WAN goes to the AMG1312-T Series.
4 The AMG1312-T Series then sends it to the computer on the LAN in Subnet 1.
184
AMG1312-T Series User’s Guide
Figure 96 IP Alias
1
2
3
LAN
A
ISP 1
ISP 2
4
WAN
Subnet 1
Subnet 2
Chapter 15 Firewall
AMG1312-T Series User’s Guide
185
CHAPTER 16
16.1 Overview
Parental control allows you to block web sites with the specific URL. You can also define time
periods and days during which the AMG1312-T Series performs parental control on a specific user.
16.2 The Parental Control Screen
Use this screen to enable parental control, view the parental control rules and schedules.
Click Security > Parental Control to open the following screen.
Figure 97 Security > Parental Control
Parental Control
The following table describes the fields in this screen.
Table 72 Security > Parental Control
LABEL DESCRIPTION
Parental Control Use this field to activate or deactivate parental control.
Add new PCP Click this to create a new parental control rule.
# This is the index number of the rule.
Status This indicates whether the rule is active or not.
A yellow bulb signifies that this rule is active. A gray bulb signifies that this rule is not
active.
PCP Name This shows the name of the rule.
Home Network User This shows the MAC address of the LAN user’s computer to which this rule applies.
Internet Access
Schedule
Network Service This shows whether the network service is configured. If not, None will be shown.
AMG1312-T Series User’s Guide 186
This shows the day(s) and time on which parental control is enabled.
Table 72 Security > Parental Control (continued)
LABEL DESCRIPTION
Website Blocked This shows whether the website block is configured. If not, None will be shown.
Modify Click the Edit icon to go to the screen where you can edit the rule.
Click the Delete icon to delete an existing rule.
Apply Click Apply to save your changes.
Cancel Click Cancel to restore your previously saved settings.
16.2.1 Add/Edit Parental Control Rule
Click Add new PCP in the Parental Control screen to add a new rule or click the Edit icon next to
an existing rule to edit it. Use this screen to configure a restricted access schedule and/or URL
filtering settings to block the users on your network from accessing certain web sites.
Figure 98 Add/Edit Parental Control Rule
Chapter 16 Parental Control
The following table describes the fields in this screen.
Table 73 Parental Control: Add/Edit
LABEL DESCRIPTION
General
Active Select the checkbox to activate this parental control rule.
AMG1312-T Series User’s Guide
187
Chapter 16 Parental Control
Table 73 Parental Control: Add/Edit (continued)
LABEL DESCRIPTION
Parental Control
Profile Name
Home Network User
Internet Access Schedule
Day Select check boxes for the days that you want the AMG1312-T Series to perform
Time of Day to Apply Enter the starting and ending time that the LAN user is allowed access.
Network Service
Network Service
Setting
Add new service Click this to show a screen in which you can add a new service rule. You can configure
Active This shows whether a configured service is activated or not.
Service Name This shows the name of the rule.
Protocol This shows the protocol of the rule.
Port This shows the port of the rule.
Modify Click the Edit icon to go to the screen where you can edit the rule.
Blocked Site/URL Enter the URL of web sites or URL keywords to which the AMG1312-T Series blocks
Apply Click Apply to save your changes.
Cancel Click Cancel to exit this screen without saving.
Enter a descriptive name for the rule.
Select the LAN user that you want to apply this rule to from the drop-down list box. If
you select Custom, enter the LAN user’s MAC address. If you select All, the rule
applies to all LAN users.
parental control.
If you select Block, the AMG1312-T Series prohibits the users from viewing the Web
sites with the URLs listed below.
If you select Access, the AMG1312-T Series blocks access to all URLs except ones
listed below.
the Service Name, Protocol, and Name of the new rule.
Click the Delete icon to delete an existing rule.
access.
188
AMG1312-T Series User’s Guide
CHAPTER 17
17.1 Overview
The AMG1312-T Series can use certificates (also called digital IDs) to authenticate users.
Certificates are based on public-private key pairs. A certificate contains the certificate owner’s
identity and public key. Certificates provide a way to exchange public keys for use in authentication.
17.1.1 What You Can Do in this Chapter
•Use the Local Certificates screen to view and import the AMG1312-T Series’s CA-signed
certificates (Section 17.3 on page 189).
•The Trusted CA screen lets you save the certificates of trusted CAs to the AMG1312-T Series
(Section 17.4 on page 191).
Certificate
17.2 What You Need to Know
The following terms and concepts may help as you read through this chapter.
Certification Authority
A Certification Authority (CA) issues certificates and guarantees the identity of each certificate
owner. There are commercial certification authorities like CyberTrust or VeriSign and government
certification authorities. The certification authority uses its private key to sign certificates. Anyone
can then use the certification authority's public key to verify the certificates. You can use the
AMG1312-T Series to generate certification requests that contain identifying information and public
keys and then send the certification requests to a certification authority.
Certificate File Format
The certification authority certificate that you want to import has to be in one of these file formats:
• PEM (Base-64) encoded X.509: This Privacy Enhanced Mail format uses 64 ASCII characters to
convert a binary X.509 certificate into a printable form.
17.3 Local Certificates
Use this screen to view the AMG1312-T Series’s summary list of certificates and certification
requests. You can import the following certificates to your AMG1312-T Series:
AMG1312-T Series User’s Guide 189
Chapter 17 Certificate
• Web Server - This certificate secures HTTP connections.
• SSH - This certificate secures remote connections.
Click Security > Certificates to open the Local Certificates screen.
Figure 99 Security > Certificates > Local Certificates
The following table describes the labels in this screen.
Table 74 Security > Certificates > Local Certificates
LABEL DESCRIPTION
WebServer Click Browse... to find the certificate file you want to upload.
Current File This field displays the name used to identify this certificate. It is recommended
Subject This field displays identifying information about the certificate’s owner, such as
Issuer This field displays identifying information about the certificate’s issuing
Valid From This field displays the date that the certificate becomes applicable. The text
Valid To This field displays the date that the certificate expires. The text displays in red
Cert Click this button and then Save in the File Download screen. The Save As
SSH Type in the location of the SSH certificate file you want to upload in this field or
Current File This field displays the name used to identify this certificate. It is recommended
Key Type This field applies to the SSH certificate.
that you give each certificate a unique name.
CN (Common Name), OU (Organizational Unit or department), O (Organization
or company) and C (Country). It is recommended that each certificate have
unique subject information.
certification authority, such as a common name, organizational unit or
department, organization or company and country.
displays in red and includes a Not Yet Valid! message if the certificate has not
yet become applicable.
and includes an Expiring! or Expired! message if the certificate is about to
expire or has already expired.
screen opens, browse to the location that you want to use and click Save.
click Browse to find it.
that you give each certificate a unique name.
190
This shows the file format of the current certificate.
Replace Click this to replace the certificate(s) and save your changes back to the
AMG1312-T Series.
Reset Click this to clear your settings.
AMG1312-T Series User’s Guide
Loading...