ZyXEL P660WTXV2 Users Manual
Chapter 8 Network Address Translation (NAT) Screens
Table 33 Address Mapping Rules (continued)
LABEL DESCRIPTION
Type 1-1: One-to-one mode maps one local IP address to one global IP address. Note
that port numbers do not change for the One-to-one NAT mapping type.
M-1: Many-to-One mode maps multiple local IP addresses to one global IP address.
This is equivalent to SUA (i.e., PAT, port address translation), ZyXEL's Single User
Account feature that previous ZyXEL routers supported only.
M-M Ov (Overload): Many-to-Many Overload mode maps multiple local IP
addresses to shared global IP addresses.
MM No (No Overload): Many-to-Many No Overload mode maps each local IP
address to unique global IP addresses.
Server: This type allows you to specify inside servers of different services behind
the NAT to be accessible to the outside world.
Back Click Back to return to the NAT Mode screen.
8.7 Editing an Address Mapping Rule
Use this screen to edit an address mapping rule. Click the rule’s link in the NAT Address
Mapping Rules screen to display the screen shown next.
Figure 43 Edit Address Mapping Rule
P-660W-Tx v2 User’s Guide
101
Chapter 8 Network Address Translation (NAT) Screens
The following table describes the fields in this screen.
Table 34 Edit Address Mapping Rule
LABEL DESCRIPTION
Type Choose the port mapping type from one of the following.
• One-to-One: One-to-One mode maps one local IP address to one global IP
address. Note that port numbers do not change for One-to-one NAT mapping
type.
• Many-to-One: Many-to-One mode maps multiple local IP addresses to one
global IP address. This is equivalent to SUA (i.e., PAT, port address translation),
ZyXEL's Single User Account feature that previous ZyXEL routers supported
only.
• Many-to-Many Overload: Many-to-Many Overload mode maps multiple local IP
addresses to shared global IP addresses.
• Many-to-Many No Overload: Many-to-Many No Overload mode maps each
local IP address to unique global IP addresses.
• Server: This type allows you to specify inside servers of different services
behind the NAT to be accessible to the outside world.
Local Start IP This is the starting local IP address (ILA). Local IP addresses are N/A for Server
port mapping.
Local End IP This is the end local IP address (ILA). If your rule is for all local IP addresses, then
Global Start IP This is the starting global IP address (IGA). Enter 0.0.0.0 here if you have a dynamic
Global End IP This is the ending global IP address (IGA). This field is N/A for One-to-One, Many-
Server Mapping
Set
Edit Details Click this link to go to the NAT - Edit SUA/NAT Server Set screen to edit a server
Apply Click Apply to save your changes back to the ZyXEL Device.
Cancel Click Cancel to return to the previously saved settings.
Delete Click Delete to exit this screen without saving.
enter 0.0.0.0 as the Local Start IP address and 255.255.255.255 as the Local End
IP address.
This field is N/A for One-to-One and Server mapping types.
IP address from your ISP.
to-One and Server mapping types.
Only available when Type is set to Server.
Select a number from the drop-down menu to choose a server set from the NAT -
Address Mapping Rules screen.
set that you have selected in the Server Mapping Set field.
102
P-660W-Tx v2 User’s Guide
CHAPTER 9
Dynamic DNS Setup
This chapter discusses how to configure your ZyXEL Device to use Dynamic DNS.
9.1 Dynamic DNS Overview
Dynamic DNS allows you to update your current dynamic IP address with one or many
dynamic DNS services so that anyone can contact you (in NetMeeting, CU-SeeMe, etc.). You
can also access your FTP server or Web site on your own computer using a domain name (for
instance myhost.dhs.org, where myhost is a name of your choice) that will never change
instead of using an IP address that changes each time you reconnect. Your friends or relatives
will always be able to call you even if they don't know your IP address.
First of all, you need to have registered a dynamic DNS account with www.dyndns.org. This is
for people with a dynamic IP from their ISP or DHCP server that would still like to have a
domain name. The Dynamic DNS service provider will give you a password or key.
9.1.1 DYNDNS Wildcard
Enabling the wildcard feature for your host causes *.yourhost.dyndns.org to be aliased to the
same IP address as yourhost.dyndns.org. This feature is useful if you want to be able to use,
for example, www.yourhost.dyndns.org and still reach your hostname.
If you have a private WAN IP address, then you cannot use Dynamic DNS.
9.2 Configuring Dynamic DNS
To change your ZyXEL Device’s DDNS, click Dynamic DNS. The screen appears as shown.
P-660W-Tx v2 User’s Guide
103
Chapter 9 Dynamic DNS Setup
Figure 44 Dynamic DNS
The following table describes the fields in this screen.
Table 35 Dynamic DNS
LABEL DESCRIPTION
Active Select this check box to use dynamic DNS.
Service Provider This is the name of your Dynamic DNS service provider.
Host Names Type the domain name assigned to your ZyXEL Device by your Dynamic DNS
E-mail Address Type your e-mail address.
User Type your user name.
Password Type the password assigned to you.
Enable Wildcard Select the check box to enable DYNDNS Wildcard.
Apply Click Apply to save your changes back to the ZyXEL Device.
Cancel Click Cancel to begin configuring this screen afresh.
provider.
104
P-660W-Tx v2 User’s Guide
CHAPTER 10
Time and Date
This screen is not available on all models. Use this screen to configure the ZyXEL Device’s
time and date settings.
10.1 Configuring Time and Date
To change your ZyXEL Device’s time and date, click Time And Date. The screen appears as
shown. Use this screen to configure the ZyXEL Device’s time based on your local time zone.
Figure 45 Time and Date
The following table describes the fields in this screen.
P-660W-Tx v2 User’s Guide
105
Chapter 10 Time and Date
Table 36 Time and Date
LABEL DESCRIPTION
Time Server
Use Protocol
when Bootup
IP Address or URL Enter the IP address or URL of your time server. Check with your ISP/network
Time and Date Choose the time zone of your location. This will set the time difference between
Daylight Savings Select this option if you use daylight savings time. Daylight saving is a period from
Start Date Enter the month and day that your daylight-savings time starts on if you selected
End Date Enter the month and day that your daylight-savings time ends on if you selected
Synchronize
system clock with
Time Server now.
Date
Current Date This field displays the date of your ZyXEL Device.
New Date (yyyymm-dd)
Time
Current Time This field displays the time of your ZyXEL Device.
New Time This field displays the last updated time from the time server.
Apply Click Apply to save your changes back to the ZyXEL Device.
Cancel Click Cancel to begin configuring this screen afresh.
Select the time service protocol that your time server sends when you turn on the
ZyXEL Device. Not all time servers support all protocols, so you may have to
check with your ISP/network administrator or use trial and error to find a protocol
that works.
The main difference between them is the format.
Daytime (RFC 867) format is day/month/year/time zone of the server.
Time (RFC 868) format displays a 4-byte integer giving the total number of
seconds since 1970/1/1 at 0:0:0.
NTP (RFC 1305) is similar to Time (RFC 868).
Select None to enter the time and date manually.
administrator if you are unsure of this information.
your time zone and Greenwich Mean Time (GMT).
late spring to early fall when many countries set their clocks ahead of normal local
time by one hour to give more daytime light in the evening.
Daylight Savings.
Daylight Savings.
Select this option to have your ZyXEL Device use the time server (that you
configured above) to set its internal system clock.
Please wait for up to 60 seconds while the ZyXEL Device locates the time server.
If the ZyXEL Device cannot find the time server, please check the time server
protocol and its IP address. If the IP address was entered correctly, try pinging it
for example to test the connection.
Each time you reload this page, the ZyXEL Device synchronizes the time with the
time server.
This field displays the last updated date from the time server.
When you select None in the Use Protocol when Bootup field, enter the new
date in this field and then click Apply.
Each time you reload this page, the ZyXEL Device synchronizes the time with the
time server.
When you select None in the Use Protocol when Bootup field, enter the new
time in this field and then click Apply.
106
P-660W-Tx v2 User’s Guide
CHAPTER 11
Firewalls
This chapter gives some background information on firewalls and introduces the ZyXEL
Device firewall.
11.1 Firewall Overview
Originally, the term firewall referred to a construction technique designed to prevent the
spread of fire from one room to another. The networking term “firewall” is a system or group
of systems that enforces an access-control policy between two networks. It may also be
defined as a mechanism used to protect a trusted network from an untrusted network. Of
course, firewalls cannot solve every security problem. A firewall is one of the mechanisms
used to establish a network security perimeter in support of a network security policy. It
should never be the only mechanism or method employed. For a firewall to guard effectively,
you must design and deploy it appropriately. This requires integrating the firewall into a broad
information-security policy. In addition, specific policies must be implemented within the
firewall itself.
Refer to Section 12.6 on page 122 to configure default firewall settings.
Refer to Section 12.7 on page 123 to view firewall rules.
Refer to Section 12.7.1 on page 125 to configure firewall rules.
Refer to Section 12.8 on page 128 to configure a custom service.
Refer to Section 12.13.3 on page 136 to configure firewall thresholds.
11.2 Types of Firewalls
There are three main types of firewalls:
• Packet Filtering Firewalls
• Application-level Firewalls
• Stateful Inspection Firewalls
11.2.1 Packet Filtering Firewalls
Packet filtering firewalls restrict access based on the source/destination computer network
address of a packet and the type of application.
P-660W-Tx v2 User’s Guide
107
Chapter 11 Firewalls
11.2.2 Application-level Firewalls
Application-level firewalls restrict access by serving as proxies for external servers. Since they
use programs written for specific Internet services, such as HTTP, FTP and telnet, they can
evaluate network packets for valid application-specific data. Application-level gateways have
a number of general advantages over the default mode of permitting application traffic directly
to internal hosts:
Information hiding prevents the names of internal systems from being made known via DNS
to outside systems, since the application gateway is the only host whose name must be made
known to outside systems.
Robust authentication and logging pre-authenticates application traffic before it reaches
internal hosts and causes it to be logged more effectively than if it were logged with standard
host logging. Filtering rules at the packet filtering router can be less complex than they would
be if the router needed to filter application traffic and direct it to a number of specific systems.
The router need only allow application traffic destined for the application gateway and reject
the rest.
11.2.3 Stateful Inspection Firewalls
Stateful inspection firewalls restrict access by screening data packets against defined access
rules. They make access control decisions based on IP address and protocol. They also
"inspect" the session data to assure the integrity of the connection and to adapt to dynamic
protocols. These firewalls generally provide the best speed and transparency, however, they
may lack the granular application level access control or caching that some proxies support.
See Section 11.5 on page 113 for more information on stateful inspection.
Firewalls, of one type or another, have become an integral part of standard security solutions
for enterprises.
11.3 Introduction to ZyXEL’s Firewall
The ZyXEL Device firewall is a stateful inspection firewall and is designed to protect against
Denial of Service attacks when activated (in the web configurator). The ZyXEL Device’s
purpose is to allow a private Local Area Network (LAN) to be securely connected to the
Internet. The ZyXEL Device can be used to prevent theft, destruction and modification of
data, as well as log events, which may be important to the security of your network. The
ZyXEL Device also has packet filtering capabilities.
The ZyXEL Device is installed between the LAN and the Internet. This allows it to act as a
secure gateway for all data passing between the Internet and the LAN.
The ZyXEL Device has one DSL/ISDN port and one Ethernet LAN port, which physically
separate the network into two areas.
108
• The DSL/ISDN port connects to the Internet.
• The LAN (Local Area Network) port attaches to a network of computers, which needs
security from the outside world. These computers will have access to Internet services
such as e-mail, FTP, and the World Wide Web. However, “inbound access” will not be
allowed unless you configure remote management or create a firewall rule to allow a
remote host to use a specific service.
P-660W-Tx v2 User’s Guide
11.3.1 Denial of Service Attacks
Figure 46 ZyXEL Device Firewall Application
11.4 Denial of Service
Chapter 11 Firewalls
Denials of Service (DoS) attacks are aimed at devices and networks with a connection to the
Internet. Their goal is not to steal information, but to disable a device or network so users no
longer have access to network resources. The ZyXEL Device is pre-configured to
automatically detect and thwart all known DoS attacks.
11.4.1 Basics
Computers share information over the Internet using a common language called TCP/IP. TCP/
IP, in turn, is a set of application protocols that perform specific functions. An “extension
number”, called the "TCP port" or "UDP port" identifies these protocols, such as HTTP
(Web), FTP (File Transfer Protocol), POP3 (E-mail), etc. For example, Web traffic by default
uses TCP port 80.
When computers communicate on the Internet, they are using the client/server model, where
the server "listens" on a specific TCP/UDP port for information requests from remote client
computers on the network. For example, a Web server typically listens on port 80. Please note
that while a computer may be intended for use over a single port, such as Web on port 80,
other ports are also active. If the person configuring or managing the computer is not careful, a
hacker could attack it over an unprotected port.
Some of the most common IP ports are:
P-660W-Tx v2 User’s Guide
109
Chapter 11 Firewalls
Table 37 Common IP Ports
21 FTP 53 DNS
23 Telnet 80 HTTP
25 SMTP 110 POP3
11.4.2 Types of DoS Attacks
There are four types of DoS attacks:
1 Those that exploit bugs in a TCP/IP implementation.
2 Those that exploit weaknesses in the TCP/IP specification.
3 Brute-force attacks that flood a network with useless data.
4 IP Spoofing.
5 "Ping of Death" and "Teardrop" attacks exploit bugs in the TCP/IP implementations of
various computer and host systems.
• Ping of Death uses a "ping" utility to create an IP packet that exceeds the maximum
65,536 bytes of data allowed by the IP specification. The oversize packet is then sent to an
unsuspecting system. Systems may crash, hang or reboot.
• Teardrop attack exploits weaknesses in the re-assembly of IP packet fragments. As data is
transmitted through a network, IP packets are often broken up into smaller chunks. Each
fragment looks like the original IP packet except that it contains an offset field that says,
for instance, "This fragment is carrying bytes 200 through 400 of the original (non
fragmented) IP packet." The Teardrop program creates a series of IP fragments with
overlapping offset fields. When these fragments are reassembled at the destination, some
systems will crash, hang, or reboot.
6 Weaknesses in the TCP/IP specification leave it open to "SYN Flood" and "LAND"
attacks. These attacks are executed during the handshake that initiates a communication
session between two applications.
110
Figure 47 Three-Way Handshake
Under normal circumstances, the application that initiates a session sends a SYN
(synchronize) packet to the receiving server. The receiver sends back an ACK
(acknowledgment) packet and its own SYN, and then the initiator responds with an ACK
(acknowledgment). After this handshake, a connection is established.
P-660W-Tx v2 User’s Guide
Chapter 11 Firewalls
• SYN Attack floods a targeted system with a series of SYN packets. Each packet causes
the targeted system to issue a SYN-ACK response. While the targeted system waits for the
ACK that follows the SYN-ACK, it queues up all outstanding SYN-ACK responses on
what is known as a backlog queue. SYN-ACKs are moved off the queue only when an
ACK comes back or when an internal timer (which is set at relatively long intervals)
terminates the three-way handshake. Once the queue is full, the system will ignore all
incoming SYN requests, making the system unavailable for legitimate users.
Figure 48 SYN Flood
•In a LAND Attack, hackers flood SYN packets into the network with a spoofed source IP
address of the targeted system. This makes it appear as if the host computer sent the
packets to itself, making the system unavailable while the target system tries to respond to
itself.
7 A brute-force attack, such as a "Smurf" attack, targets a feature in the IP specification
known as directed or subnet broadcasting, to quickly flood the target network with
useless data. A Smurf hacker floods a router with Internet Control Message Protocol
(ICMP) echo request packets (pings). Since the destination IP address of each packet is
the broadcast address of the network, the router will broadcast the ICMP echo request
packet to all hosts on the network. If there are numerous hosts, this will create a large
amount of ICMP echo request and response traffic. If a hacker chooses to spoof the
source IP address of the ICMP echo request packet, the resulting ICMP traffic will not
only clog up the "intermediary" network, but will also congest the network of the
spoofed source IP address, known as the "victim" network. This flood of broadcast
traffic consumes all available bandwidth, making communications impossible.
P-660W-Tx v2 User’s Guide
111
Chapter 11 Firewalls
Figure 49 Smurf Attack
11.4.2.1 ICMP Vulnerability
ICMP is an error-reporting protocol that works in concert with IP. The following ICMP types
trigger an alert:
Table 38 ICMP Commands That Trigger Alerts
5 REDIRECT
13 TIMESTAMP_REQUEST
14 TIMESTAMP_REPLY
17 ADDRESS_MASK_REQUEST
18 ADDRESS_MASK_REPLY
11.4.2.2 Illegal Commands (NetBIOS and SMTP)
The only legal NetBIOS commands are the following - all others are illegal.
Table 39 Legal NetBIOS Commands
MESSAGE:
REQUEST:
POSITIVE:
VE:
RETARGET:
KEEPALIVE:
All SMTP commands are illegal except for those displayed in the following tables.
Table 40 Legal SMTP Commands
AUTH DATA EHLO ETRN EXPN HELO HELP MAIL NOOP
QUIT RCPT RSET SAML SEND SOML TURN VRFY
11.4.2.3 Traceroute
Traceroute is a utility used to determine the path a packet takes between two endpoints.
Sometimes when a packet filter firewall is configured incorrectly an attacker can traceroute
the firewall gaining knowledge of the network topology inside the firewall.
112
P-660W-Tx v2 User’s Guide
Often, many DoS attacks also employ a technique known as "IP Spoofing" as part of their
attack. IP Spoofing may be used to break into systems, to hide the hacker's identity, or to
magnify the effect of the DoS attack. IP Spoofing is a technique used to gain unauthorized
access to computers by tricking a router or firewall into thinking that the communications are
coming from within the trusted network. To engage in IP spoofing, a hacker must modify the
packet headers so that it appears that the packets originate from a trusted host and should be
allowed through the router or firewall. The ZyXEL Device blocks all IP Spoofing attempts.
11.5 Stateful Inspection
With stateful inspection, fields of the packets are compared to packets that are already known
to be trusted. For example, if you access some outside service, the proxy server remembers
things about your original request, like the port number and source and destination addresses.
This “remembering” is called saving the state. When the outside system responds to your
request, the firewall compares the received packets with the saved state to determine if they
are allowed in. The ZyXEL Device uses stateful packet inspection to protect the private LAN
from hackers and vandals on the Internet. By default, the ZyXEL Device’s stateful inspection
allows all communications to the Internet that originate from the LAN, and blocks all traffic to
the LAN that originates from the Internet. In summary, stateful inspection:
Chapter 11 Firewalls
• Allows all sessions originating from the LAN (local network) to the WAN (Internet).
• Denies all sessions originating from the WAN to the LAN.
Figure 50 Stateful Inspection
The previous figure shows the ZyXEL Device’s default firewall rules in action as well as
demonstrates how stateful inspection works. User A can initiate a Telnet session from within
the LAN and responses to this request are allowed. However other Telnet traffic initiated from
the WAN is blocked.
P-660W-Tx v2 User’s Guide
113
Chapter 11 Firewalls
11.5.1 Stateful Inspection Process
In this example, the following sequence of events occurs when a TCP packet leaves the LAN
network through the firewall's WAN interface. The TCP packet is the first in a session, and the
packet's application layer protocol is configured for a firewall rule inspection:
1 The packet travels from the firewall's LAN to the WAN.
2 The packet is evaluated against the interface's existing outbound access list, and the
packet is permitted (a denied packet would simply be dropped at this point).
3 The packet is inspected by a firewall rule to determine and record information about the
state of the packet's connection. This information is recorded in a new state table entry
created for the new connection. If there is not a firewall rule for this packet and it is not
an attack, then the settings in the Default Policy screen determine the action for this
packet.
4 Based on the obtained state information, a firewall rule creates a temporary access list
entry that is inserted at the beginning of the WAN interface's inbound extended access
list. This temporary access list entry is designed to permit inbound packets of the same
connection as the outbound packet just inspected.
5 The outbound packet is forwarded out through the interface.
6 Later, an inbound packet reaches the interface. This packet is part of the connection
previously established with the outbound packet. The inbound packet is evaluated
against the inbound access list, and is permitted because of the temporary access list
entry previously created.
7 The packet is inspected by a firewall rule, and the connection's state table entry is
updated as necessary. Based on the updated state information, the inbound extended
access list temporary entries might be modified, in order to permit only packets that are
valid for the current state of the connection.
8 Any additional inbound or outbound packets that belong to the connection are inspected
to update the state table entry and to modify the temporary inbound access list entries as
required, and are forwarded through the interface.
9 When the connection terminates or times out, the connection's state table entry is deleted
and the connection's temporary inbound access list entries are deleted.
11.5.2 Stateful Inspection and the ZyXEL Device
Additional rules may be defined to extend or override the default rules. For example, a rule
may be created which will:
• Block all traffic of a certain type, such as IRC (Internet Relay Chat), from the LAN to the
Internet.
• Allow certain types of traffic from the Internet to specific hosts on the LAN.
• Allow access to a Web server to everyone but competitors.
• Restrict use of certain protocols, such as Telnet, to authorized users on the LAN.
These custom rules work by evaluating the network traffic’s Source IP address, Destination IP
address, IP protocol type, and comparing these to rules set by the administrator.
114
P-660W-Tx v2 User’s Guide
Chapter 11 Firewalls
" The ability to define firewall rules is a very powerful tool. Using custom rules, it
is possible to disable all firewall protection or block all access to the Internet.
Use extreme caution when creating or deleting firewall rules. Test changes
after creating them to make sure they work correctly.
Below is a brief technical description of how these connections are tracked. Connections may
either be defined by the upper protocols (for instance, TCP), or by the ZyXEL Device itself (as
with the "virtual connections" created for UDP and ICMP).
11.5.3 TCP Security
The ZyXEL Device uses state information embedded in TCP packets. The first packet of any
new connection has its SYN flag set and its ACK flag cleared; these are "initiation" packets.
All packets that do not have this flag structure are called "subsequent" packets, since they
represent data that occurs later in the TCP stream.
If an initiation packet originates on the WAN, this means that someone is trying to make a
connection from the Internet into the LAN. Except in a few special cases (see "Upper Layer
Protocols" shown next), these packets are dropped and logged.
If an initiation packet originates on the LAN, this means that someone is trying to make a
connection from the LAN to the Internet. Assuming that this is an acceptable part of the
security policy (as is the case with the default policy), the connection will be allowed. A cache
entry is added which includes connection information such as IP addresses, TCP ports,
sequence numbers, etc.
When the ZyXEL Device receives any subsequent packet (from the Internet or from the LAN),
its connection information is extracted and checked against the cache. A packet is only
allowed to pass through if it corresponds to a valid connection (that is, if it is a response to a
connection which originated on the LAN).
11.5.4 UDP/ICMP Security
UDP and ICMP do not themselves contain any connection information (such as sequence
numbers). However, at the very minimum, they contain an IP address pair (source and
destination). UDP also contains port pairs, and ICMP has type and code information. All of
this data can be analyzed in order to build "virtual connections" in the cache.
For instance, any UDP packet that originates on the LAN will create a cache entry. Its IP
address and port pairs will be stored. For a short period of time, UDP packets from the WAN
that have matching IP and UDP information will be allowed back in through the firewall.
A similar situation exists for ICMP, except that the ZyXEL Device is even more restrictive.
Specifically, only outgoing echoes will allow incoming echo replies, outgoing address mask
requests will allow incoming address mask replies, and outgoing timestamp requests will
allow incoming timestamp replies. No other ICMP packets are allowed in through the firewall,
simply because they are too dangerous and contain too little tracking information. For
instance, ICMP redirect packets are never allowed in, since they could be used to reroute
traffic through attacking machines.
P-660W-Tx v2 User’s Guide
115
Chapter 11 Firewalls
11.5.5 Upper Layer Protocols
Some higher layer protocols (such as FTP and RealAudio) utilize multiple network
connections simultaneously. In general terms, they usually have a "control connection" which
is used for sending commands between endpoints, and then "data connections" which are used
for transmitting bulk information.
Consider the FTP protocol. A user on the LAN opens a control connection to a server on the
Internet and requests a file. At this point, the remote server will open a data connection from
the Internet. For FTP to work properly, this connection must be allowed to pass through even
though a connection from the Internet would normally be rejected.
In order to achieve this, the ZyXEL Device inspects the application-level FTP data.
Specifically, it searches for outgoing "PORT" commands, and when it sees these, it adds a
cache entry for the anticipated data connection. This can be done safely, since the PORT
command contains address and port information, which can be used to uniquely identify the
connection.
Any protocol that operates in this way must be supported on a case-by-case basis. You can use
the web configurator’s Custom Ports feature to do this.
11.6 Guidelines for Enhancing Security with Your Firewall
• Change the default password via the web configurator.
• Limit who can telnet into your router.
• Don't enable any local service (such as SNMP or NTP) that you don't use. Any enabled
service could present a potential security risk. A determined hacker might be able to find
creative ways to misuse the enabled services to access the firewall or the network.
• For local services that are enabled, protect against misuse. Protect by configuring the
services to communicate only with specific peers, and protect by configuring rules to
block packets for the services at specific interfaces.
• Protect against IP spoofing by making sure the firewall is active.
• Keep the firewall in a secured (locked) room.
11.6.1 Security In General
You can never be too careful! Factors outside your firewall, filtering or NAT can cause
security breaches. Below are some generalizations about what you can do to minimize them.
• Encourage your company or organization to develop a comprehensive security plan. Good
network administration takes into account what hackers can do and prepares against
attacks. The best defense against hackers and crackers is information. Educate all
employees about the importance of security and how to minimize risk. Produce lists like
this one!
• DSL or cable modem connections are “always-on” connections and are particularly
vulnerable because they provide more opportunities for hackers to crack your system.
Turn your computer off when not in use.
• Never give out a password or any sensitive information to an unsolicited telephone call or
e-mail.
116
P-660W-Tx v2 User’s Guide
Chapter 11 Firewalls
• Never e-mail sensitive information such as passwords, credit card information, etc.,
without encrypting the information first.
• Never submit sensitive information via a web page unless the web site uses secure
connections. You can identify a secure connection by looking for a small “key” icon on
the bottom of your browser (Internet Explorer 3.02 or better or Netscape 3.0 or better). If a
web site uses a secure connection, it is safe to submit information. Secure web transactions
are quite difficult to crack.
• Never reveal your IP address or other system networking information to people outside
your company. Be careful of files e-mailed to you from strangers. One common way of
getting BackOrifice on a system is to include it as a Trojan horse with other files.
• Change your passwords regularly. Also, use passwords that are not easy to figure out. The
most difficult passwords to crack are those with upper and lower case letters, numbers and
a symbol such as % or #.
• Upgrade your software regularly. Many older versions of software, especially web
browsers, have well known security deficiencies. When you upgrade to the latest versions,
you get the latest patches and fixes.
• If you use “chat rooms” or IRC sessions, be careful with any information you reveal to
strangers.
• If your system starts exhibiting odd behavior, contact your ISP. Some hackers will set off
hacks that cause your system to slowly become unstable or unusable.
• Always shred confidential information, particularly about your computer, before throwing
it away. Some hackers dig through the trash of companies or individuals for information
that might help them in an attack.
11.7 Packet Filtering Vs Firewall
Below are some comparisons between the ZyXEL Device’s filtering and firewall functions.
11.7.1 Packet Filtering:
• The router filters packets as they pass through the router’s interface according to the filter
rules you designed.
• Packet filtering is a powerful tool, yet can be complex to configure and maintain,
especially if you need a chain of rules to filter a service.
• Packet filtering only checks the header portion of an IP packet.
11.7.1.1 When To Use Filtering
• To block/allow LAN packets by their MAC addresses.
• To block/allow special IP packets which are neither TCP nor UDP, nor ICMP packets.
• To block/allow both inbound (WAN to LAN) and outbound (LAN to WAN) traffic
between the specific inside host/network "A" and outside host/network "B". If the filter
blocks the traffic from A to B, it also blocks the traffic from B to A. Filters can not
distinguish traffic originating from an inside host or an outside host by IP address.
• To block/allow IP trace route.
P-660W-Tx v2 User’s Guide
117
Chapter 11 Firewalls
11.7.2 Firewall
• The firewall inspects packet contents as well as their source and destination addresses.
Firewalls of this type employ an inspection module, applicable to all protocols, that
understands data in the packet is intended for other layers, from the network layer (IP
headers) up to the application layer.
• The firewall performs stateful inspection. It takes into account the state of connections it
handles so that, for example, a legitimate incoming packet can be matched with the
outbound request for that packet and allowed in. Conversely, an incoming packet
masquerading as a response to a nonexistent outbound request can be blocked.
• The firewall uses session filtering, i.e., smart rules, that enhance the filtering process and
control the network session rather than control individual packets in a session.
• The firewall provides e-mail service to notify you of routine reports and when alerts occur.
11.7.2.1 When To Use The Firewall
• To prevent DoS attacks and prevent hackers cracking your network.
• A range of source and destination IP addresses as well as port numbers can be specified
within one firewall rule making the firewall a better choice when complex rules are
required.
• To selectively block/allow inbound or outbound traffic between inside host/networks and
outside host/networks. Remember that filters can not distinguish traffic originating from
an inside host or an outside host by IP address.
• The firewall performs better than filtering if you need to check many rules.
• Use the firewall if you need routine e-mail reports about your system or need to be alerted
when attacks occur.
• The firewall can block specific URL traffic that might occur in the future. The URL can be
saved in an Access Control List (ACL) database.
118
P-660W-Tx v2 User’s Guide
CHAPTER 12
Firewall Configuration
This chapter shows you how to enable and configure the ZyXEL Device firewall.
12.1 Access Methods
The web configurator is, by far, the most comprehensive firewall configuration tool your
ZyXEL Device has to offer. For this reason, it is recommended that you configure your
firewall using the web configurator. CLI commands provide limited configuration options and
are only recommended for advanced users.
12.2 Firewall Policies Overview
Firewall rules are grouped based on the direction of travel of packets to which they apply:
• LAN to LAN/ Router • WAN to LAN
• LAN to WAN • WAN to WAN/ Router
" The LAN includes both the LAN port and the WLAN.
By default, the ZyXEL Device’s stateful packet inspection allows packets traveling in the
following directions:
• LAN to LAN/ Router
This allows computers on the LAN to manage the ZyXEL Device and communicate
between networks or subnets connected to the LAN interface.
• LAN to WAN
By default, the ZyXEL Device’s stateful packet inspection blocks packets traveling in the
following directions:
•WAN to LAN
•WAN to WAN/ Router
This prevents computers on the WAN from using the ZyXEL Device as a gateway to
communicate with other computers on the WAN and/or managing the ZyXEL Device.
You may define additional rules and sets or modify existing ones but please exercise
extreme caution in doing so.
P-660W-Tx v2 User’s Guide
119
Chapter 12 Firewall Configuration
" If you configure firewall rules without a good understanding of how they work,
you might inadvertently introduce security risks to the firewall and to the
protected network. Make sure you test your rules after you configure them.
For example, you may create rules to:
• Block certain types of traffic, such as IRC (Internet Relay Chat), from the LAN to the
Internet.
• Allow certain types of traffic, such as Lotus Notes database synchronization, from specific
hosts on the Internet to specific hosts on the LAN.
• Allow everyone except your competitors to access a Web server.
• Restrict use of certain protocols, such as Telnet, to authorized users on the LAN.
These custom rules work by comparing the Source IP address, Destination IP address and IP
protocol type of network traffic to rules set by the administrator. Your customized rules take
precedence and override the ZyXEL Device’s default rules.
12.3 Rule Logic Overview
" Study these points carefully before configuring rules.
12.3.1 Rule Checklist
State the intent of the rule. For example, “This restricts all IRC access from the LAN to the
Internet.” Or, “This allows a remote Lotus Notes server to synchronize over the Internet to an
inside Notes server.”
1 Is the intent of the rule to forward or block traffic?
2 What direction of traffic does the rule apply to?
3 What IP services will be affected?
4 What computers on the LAN are to be affected (if any)?
5 What computers on the Internet will be affected? The more specific, the better. For
example, if traffic is being allowed from the Internet to the LAN, it is better to allow
only certain machines on the Internet to access the LAN.
12.3.2 Security Ramifications
120
1 Once the logic of the rule has been defined, it is critical to consider the security
ramifications created by the rule:
2 Does this rule stop LAN users from accessing critical resources on the Internet? For
example, if IRC is blocked, are there users that require this service?
P-660W-Tx v2 User’s Guide
3 Is it possible to modify the rule to be more specific? For example, if IRC is blocked for
all users, will a rule that blocks just certain users be more effective?
4 Does a rule that allows Internet users access to resources on the LAN create a security
vulnerability? For example, if FTP ports (TCP 20, 21) are allowed from the Internet to
the LAN, Internet users may be able to connect to computers with running FTP servers.
5 Does this rule conflict with any existing rules?
6 Once these questions have been answered, adding rules is simply a matter of plugging
the information into the correct fields in the web configurator screens.
12.3.3 Key Fields For Configuring Rules
12.3.3.1 Action
Should the action be to Block or Forward? “Block” means the firewall silently discards the
packet.
12.3.3.2 Service
Select the service from the Service scrolling list box. If the service is not listed, it is necessary
to first define it. See Section 12.11 on page 133 for more information on predefined services.
Chapter 12 Firewall Configuration
12.3.3.3 Source Address
What is the connection’s source address; is it on the LAN, WAN? Is it a single IP, a range of
IPs or a subnet?
12.3.3.4 Destination Address
What is the connection’s destination address; is it on the LAN, WAN? Is it a single IP, a range
of IPs or a subnet?
12.4 Connection Direction
This section describes examples for firewall rules for connections going from LAN to WAN
and from WAN to LAN.
LAN to LAN/ Router, WAN to WAN/ Router rules apply to packets coming in on the
associated interface (LAN, WAN respectively). LAN to LAN/ Router means policies for
LAN-to-ZyXEL Device (the policies for managing the ZyXEL Device through the LAN
interface) and policies for LAN-to-LAN (the policies that control routing between two subnets
on the LAN). Similarly, WAN to WAN/ Router polices apply in the same way to the WAN
ports.
12.4.1 LAN to WAN Rules
The default rule for LAN to WAN traffic is that all users on the LAN are allowed nonrestricted access to the WAN. When you configure a LAN to WAN rule, you in essence want
to limit some or all users from accessing certain services on the WAN. WAN to LAN Rules
The default rule for WAN to LAN traffic blocks all incoming connections (WAN to LAN). If
you wish to allow certain WAN users to have access to your LAN, you will need to create
custom rules to allow it.
P-660W-Tx v2 User’s Guide
121
Chapter 12 Firewall Configuration
12.4.2 Alerts
Alerts are reports on events, such as attacks, that you may want to know about right away. You
can choose to generate an alert when an attack is detected in the Edit Rule screen (select the
Send Alert Message to Administrator When Matched check box) or when a rule is matched
in the Edit Rule screen.
When an event generates an alert, a message can be immediately sent
to an e-mail account that you specify in the Log Settings screen (see the chapter on logs).
12.5 The Main Firewall Screen
Click Content Filter to display the main Content Filtering screen.
Figure 51 Content Filtering
The following table describes the links in this screen.
Table 41 Firewall > Firewall Functions
LINK DESCRIPTION
Default
Policy
Rule
Summary
AntiProbing
Threshold Click this link to configure threshold values used to detect DoS attacks.
Click this link to configure the default firewall policy.
Click this link to configure firewall rules.
Click this link to configure anti-probing rules.
12.6 Configuring Default Firewall Policy
Click Firewall and then Default Policy to display the following screen. Activate the firewall
by selecting the Firewall Enabled check box as seen in the following screen.
Refer to Section 11.1 on page 107 for more information.
122
P-660W-Tx v2 User’s Guide
Chapter 12 Firewall Configuration
Figure 52 Firewall: Default Policy
The following table describes the labels in this screen.
Table 42 Firewall: Default Policy
LABEL DESCRIPTION
Firewall Enabled Select this check box to activate the firewall. The ZyXEL Device performs access
Allow
Asymmetrical
Route
Packet Direction This is the direction of travel of packets (LAN to LAN/Router, LAN to WAN, WAN
Default Action Use the radio buttons to select whether to Block (silently discard) or Forward
Log Select the check box to create a log (when the above action is taken) for packets
Back Click Back to return to the previous screen.
Apply Click Apply to save your changes back to the ZyXEL Device.
Cancel Click Cancel to begin configuring this screen afresh.
control and protects against Denial of Service (DoS) attacks when the firewall is
activated.
Select this check box to have the ZyXEL Device firewall permit the use of triangle
route topology on the network. See the appendix for more on triangle route
topology.
to WAN/Router, WAN to LAN).
Firewall rules are grouped based on the direction of travel of packets to which they
apply. For example, LAN to LAN/Router means packets traveling from a
computer/subnet on the LAN to either another computer/subnet on the LAN
interface of the ZyXEL Device or the ZyXEL Device itself.
(allow the passage of) packets that are traveling in the selected direction.
that are traveling in the selected direction and do not match any of the rules below.
12.7 Rule Summary
" The ordering of your rules is very important as rules are applied in turn.
P-660W-Tx v2 User’s Guide
123
Chapter 12 Firewall Configuration
Refer to Section 11.1 on page 107 for more information.
Click on Firewall, then Rule Summary to bring up the following screen. This screen is a
summary of the existing rules. Note the order in which the rules are listed.
Figure 53 Firewall: Rule Summary
The following table describes the labels in this screen.
Table 43 Rule Summary
LABEL DESCRIPTION
Firewall Rules
Storage Space
in Use
Packet
Direction
Default Policy This field displays the default action and log policy you selected in the Default Rule
Rule This is your firewall rule number. The ordering of your rules is important as rules are
Active This field displays whether a firewall is turned on (Y) or not (N).
Source IP This drop-down list box displays the source addresses or ranges of addresses to
Destination IP This drop-down list box displays the destination addresses or ranges of addresses to
This read-only bar shows how much of the ZyXEL Device's memory for recording
firewall rules it is currently using. When you are using 80% or less of the storage
space, the bar is green. When the amount of space used is over 80%, the bar is red.
Use the drop-down list box to select a direction of travel of packets for which you
want to configure firewall rules.
screen for the packet direction shown in the field above.
The following read-only fields summarize the rules you have created that apply to
traffic traveling in the selected packet direction. The firewall rules that you configure
(summarized below) take priority over the general firewall action settings above.
applied in turn.
Click a rule’s number to go to the Firewall Edit Rule screen to configure or edit a
firewall rule.
which this firewall rule applies. Please note that a blank source or destination
address is equivalent to Any.
which this firewall rule applies. Please note that a blank source or destination
address is equivalent to Any.
124
P-660W-Tx v2 User’s Guide
Chapter 12 Firewall Configuration
Table 43 Rule Summary (continued)
LABEL DESCRIPTION
Service This drop-down list box displays the services to which this firewall rule applies.
Please note that a blank service type is equivalent to Any. See Section 12.11 on
page 133 for more information.
Action This is the specified action for that rule, either Block or Forward. Note that Block
means the firewall silently discards the packet.
Schedule This field tells you whether a schedule is specified (Yes) or not (No).
Log This field shows you whether a log is created when packets match this rule
(Enabled) or not (Disable).
Alert This field tells you whether this rule generates an alert (Ye s) or not (No) when the
Insert/Append Type the index number for where you want to put a rule. For example, if you type “6”,
Move Type a rule’s index number and the number for where you want to put that rule. Click
Back Click Back to return to the previous screen.
Apply Click Apply to save your changes back to the ZyXEL Device.
Cancel Click Cancel to begin configuring this screen afresh.
rule is matched.
your new rule becomes number 6 and the previous rule 6 (if there is one) becomes
rule 7.
Click Insert to add a new firewall rule before the specified index number.
Click Append to add a new firewall rule after the specified index number.
Move to move the rule to the number that you typed. The ordering of your rules is
important as they are applied in order of their numbering.
12.7.1 Configuring Firewall Rules
Refer to Section 11.1 on page 107 for more information.
Follow these directions to create a new rule.
1 In the Rule Summary screen, type the index number for where you want to put the rule.
For example, if you type “6”, your new rule becomes number 6 and the previous rule 6
(if there is one) becomes rule 7.
2 Click Insert to display this screen and refer to the following table for information on the
labels.
P-660W-Tx v2 User’s Guide
125
Chapter 12 Firewall Configuration
Figure 54 Firewall: Edit Rule
126
The following table describes the labels in this screen.
P-660W-Tx v2 User’s Guide
Chapter 12 Firewall Configuration
Table 44 Firewall: Edit Rule
LABEL DESCRIPTION
Active Select this option to enable this firewall rule.
Action for Matched
Packet
Source/Destination
Address
Address Type Do you want your rule to apply to packets with a particular (single) IP, a range of
Start IP Address Enter the single IP address or the starting IP address in a range here.
End IP Address Enter the ending IP address in a range here.
Subnet Mask Enter the subnet mask here, if applicable.
Add Click Add to add a new address to the Source or Destination Address box.
Edit To edit an existing source or destination address, select it from the box and click
Delete Highlight an existing source or destination address from the Source or
Services
Available/ Selected
Services
Edit Customized
Service
Schedule
Day to Apply Select everyday or the day(s) of the week to apply the rule.
Time of Day to
Apply (24-Hour
Format)
Log
Log Packet Detail
Information
Alert
Send Alert
Message to
Administrator When
Matched
Back Click Back to return to the previous screen.
Apply Click Apply to save your customized settings and exit this screen.
Cancel Click Cancel to exit this screen without saving.
Delete Click Delete to remove this firewall rule and return to the Firewall Rule
Use the radio button to select whether to discard (Block) or allow the passage
of (Forward) packets that match this rule.
IP addresses (e.g., 192.168.1.10 to 192.169.1.50), a subnet or any IP address?
Select an option from the drop-down list box that includes: Single Address,
Range Address, Subnet Address and Any
You can add multiple addresses, ranges of addresses, and/or subnets.
Edit.
Destination Address box above and click Delete to remove it.
Please see Section 12.11 on page 133 for more information on services
available. Highlight a service from the Available Services box on the left, then
click Add>> to add it to the Selected Services box on the right. To remove a
service, highlight it in the Selected Services box on the right, then click
Remove.
Click the Edit Customized Services link to bring up the screen that you use to
configure a new custom service that is not in the predefined list of services.
Select All Day or enter the start and end times in the hour-minute format to
apply the rule.
This field determines if a log for packets that match the rule is created (Enable)
or not (Disable). Go to the Log Settings page and select the Access Control
logs category to have the ZyXEL Device record these logs.
Select the check box to have the ZyXEL Device generate an alert when the rule
is matched.
Summary screen.
Address.
P-660W-Tx v2 User’s Guide
127
Chapter 12 Firewall Configuration
12.8 Customized Services
Configure customized services and port numbers not predefined by the ZyXEL Device. For a
comprehensive list of port numbers and services, visit the IANA (Internet Assigned Number
Authority) website. For further information on these services, please read Section 12.11 on
page 133. Click the Customized Services link while editing a firewall rule to configure a
custom service port. This displays the following screen.
Refer to Section 11.1 on page 107 for more information.
Figure 55 Firewall: Customized Services
The following table describes the labels in this screen.
Table 45 Customized Services
LABEL DESCRIPTION
No. This is the number of your customized port. Click a rule’s number of a service to go to the
Firewall Customized Services Config screen to configure or edit a customized service.
Name This is the name of your customized service.
Protocol This shows the IP protocol (TCP, UDP or TCP/UDP) that defines your customized
service.
Port This is the port number or range that defines your customized service.
Back Click Back to return the Firewall Edit Rule screen.
12.9 Configuring A Customized Service
Click a rule number in the Firewall Customized Services screen to create a new custom port
or edit an existing one. This action displays the following screen.
Refer to Section 11.1 on page 107 for more information.
128
P-660W-Tx v2 User’s Guide
Chapter 12 Firewall Configuration
Figure 56 Firewall: Configure Customized Services
The following table describes the labels in this screen.
Table 46 Firewall: Configure Customized Services
LABEL DESCRIPTION
Service Name Type a unique name for your custom port.
Service Type Choose the IP port (TCP, UDP or TCP/UDP) that defines your customized port from
the drop down list box.
Port Configuration
Type Click Single to specify one port only or Range to specify a span of ports that define
your customized service.
Port Number Type a single port number or the range of port numbers that define your customized
service.
Back Click Back to return to the Firewall Customized Services screen.
Apply Click Apply to save your customized settings and exit this screen.
Cancel Click Cancel to return to the previously saved settings.
Delete Click Delete to delete the current rule.
12.10 Example Firewall Rule
The following Internet firewall rule example allows a hypothetical “My Service” connection
from the Internet.
1 Click Firewall in the navigation panel and click Rule Summary.
2 Select WAN to LAN in the Packet Direction field.
P-660W-Tx v2 User’s Guide
129
Chapter 12 Firewall Configuration
Figure 57 Firewall Example: Rule Summary
3 In the Rule Summary screen, type the index number for where you want to put the rule.
For example, if you type “6”, your new rule becomes number 6 and the previous rule 6
(if there is one) becomes rule 7.
4 Click Insert to display the firewall rule configuration screen.
5 Select Any in the Destination Address box and then click Delete.
6 Configure the destination address screen as follows and click Add.
Figure 58 Firewall Example: Edit Rule: Destination Address
130
P-660W-Tx v2 User’s Guide
Loading...