Home » ZyXEL Manuals » Networking » ZyXEL P-660HW-T1 v2 » Manual Viewer

ZyXEL P-660HW-T1 v2 User Guide - Page 143

Stateful Inspection

Get ZyXEL P-660HW-T1 v2 PDF manuals and user guides

View all ZyXEL P-660HW-T1 v2 manuals

Add to My Manuals
Save this manual to your list of manuals

Page 143 highlights

P-660HW-T v2 User's Guide 9.4.2.3 Traceroute Traceroute is a utility used to determine the path a packet takes between two endpoints. Sometimes when a packet filter firewall is configured incorrectly an attacker can traceroute the firewall gaining knowledge of the network topology inside the firewall. Often, many DoS attacks also employ a technique known as "IP Spoofing" as part of their attack. IP Spoofing may be used to break into systems, to hide the hacker's identity, or to magnify the effect of the DoS attack. IP Spoofing is a technique used to gain unauthorized access to computers by tricking a router or firewall into thinking that the communications are coming from within the trusted network. To engage in IP spoofing, a hacker must modify the packet headers so that it appears that the packets originate from a trusted host and should be allowed through the router or firewall. The ZyXEL Device blocks all IP Spoofing attempts. 9.5 Stateful Inspection With stateful inspection, fields of the packets are compared to packets that are already known to be trusted. For example, if you access some outside service, the proxy server remembers things about your original request, like the port number and source and destination addresses. This "remembering" is called saving the state. When the outside system responds to your request, the firewall compares the received packets with the saved state to determine if they are allowed in. The ZyXEL Device uses stateful packet inspection to protect the private LAN from hackers and vandals on the Internet. By default, the ZyXEL Device's stateful inspection allows all communications to the Internet that originate from the LAN, and blocks all traffic to the LAN that originates from the Internet. In summary, stateful inspection: • Allows all sessions originating from the LAN (local network) to the WAN (Internet). • Denies all sessions originating from the WAN to the LAN. Figure 82 Stateful Inspection Chapter 9 Firewalls 143

Section	Page
P-660HW-T v2	1
User’s Guide	1
Copyright	3
Certifications	4
Safety Warnings	6
ZyXEL Limited Warranty	8
Customer Support	9
Table of Contents	11
List of Figures	21
List of Tables	27
Preface	31
Getting To Know Your ZyXEL Device	33
1.1 Introducing the ZyXEL Device	33
1.2 Features	33
1.2.1 Wireless Features	36
1.3 Applications for the ZyXEL Device	37
1.3.1 Protected Internet Access	37
1.3.2 LAN to LAN Application	38
1.4 Front Panel LEDs	38
1.5 Hardware Connection	39
Introducing the Web Configurator	41
2.1 Web Configurator Overview	41
2.2 Accessing the Web Configurator	41
2.3 Resetting the ZyXEL Device	43
2.3.1 Using the Reset Button	43
2.4 Navigating the Web Configurator	43
2.4.1 Navigation Panel	43
2.4.2 Status Screen	46
2.4.3 Status: Any IP Table	49
2.4.4 Status: WLAN Status	49
2.4.5 Status: Bandwidth Status	50
2.4.6 Status: Packet Statistics	51
2.4.7 Changing Login Password	52
Wizard Setup for Internet Access	55
3.1 Introduction	55
3.2 Internet Access Wizard Setup	55
3.2.1 Automatic Detection	57
3.2.2 Manual Configuration	57
3.3 Wireless Connection Wizard Setup	62
3.3.1 Manually assign a WPA-PSK key	65
3.3.2 Manually assign a WEP key	66
Bandwidth Management Wizard	69
4.1 Introduction	69
4.2 Predefined Media Bandwidth Management Services	69
4.3 Bandwidth Management Wizard Setup	70
WAN Setup	75
5.1 WAN Overview	75
5.1.1 Encapsulation	75
5.1.2 Multiplexing	76
5.1.3 Encapsulation and Multiplexing Scenarios	76
5.1.4 VPI and VCI	77
5.1.5 IP Address Assignment	77
5.1.6 Nailed-Up Connection (PPP)	78
5.1.7 NAT	78
5.2 Metric	78
5.3 Traffic Shaping	79
5.3.1 ATM Traffic Classes	80
5.4 Zero Configuration Internet Access	80
5.5 Internet Connection	81
5.5.1 Configuring Advanced Internet Connection Setup	83
5.6 Configuring More Connections	84
5.6.1 More Connections Edit	85
5.6.2 Configuring More Connections Advanced Setup	88
5.7 Traffic Redirect	89
5.8 Configuring WAN Backup	90
Wireless LAN	93
6.1 Wireless Network Overview	93
6.2 Wireless Security Overview	94
6.2.1 SSID	94
6.2.2 MAC Address Filter	94
6.2.3 User Authentication	95
6.2.4 Encryption	95
6.2.5 One-Touch Intelligent Security Technology (OTIST)	96
6.3 Wireless Performance Overview	96
6.4 General Wireless LAN Screen	96
6.4.1 No Security	98
6.4.2 WEP Encryption	98
6.4.3 WPA-PSK/WPA2-PSK	99
6.4.4 WPA/WPA2	101
6.4.5 Wireless LAN Advanced Setup	103
6.5 OTIST	105
6.5.1 Enabling OTIST	105
6.5.2 Starting OTIST	107
6.5.3 Notes on OTIST	108
6.6 MAC Filter	108
LAN Setup	111
7.1 LAN Overview	111
7.1.1 LANs, WANs and the ZyXEL Device	111
7.1.2 DHCP Setup	112
7.1.3 DNS Server Address	112
7.1.4 DNS Server Address Assignment	113
7.2 LAN TCP/IP	113
7.2.1 IP Address and Subnet Mask	113
7.2.2 RIP Setup	114
7.2.3 Multicast	115
7.2.4 Any IP	115
7.3 Configuring LAN IP	117
7.3.1 Configuring Advanced LAN Setup	117
7.4 DHCP Setup	119
7.5 LAN Client List	120
7.6 LAN IP Alias	121
Network Address Translation (NAT) Screens	125
8.1 NAT Overview	125
8.1.1 NAT Definitions	125
8.1.2 What NAT Does	126
8.1.3 How NAT Works	126
8.1.4 NAT Application	127
8.1.5 NAT Mapping Types	127
8.2 SUA (Single User Account) Versus NAT	128
8.3 NAT General Setup	128
8.4 Port Forwarding	129
8.4.1 Default Server IP Address	130
8.4.2 Port Forwarding: Services and Port Numbers	130
8.4.3 Configuring Servers Behind Port Forwarding (Example)	131
8.5 Configuring Port Forwarding	131
8.5.1 Port Forwarding Rule Edit	132
8.6 Address Mapping	133
8.6.1 Address Mapping Rule Edit	135
Firewalls	137
9.1 Firewall Overview	137
9.2 Types of Firewalls	137
9.2.1 Packet Filtering Firewalls	137
9.2.2 Application-level Firewalls	138
9.2.3 Stateful Inspection Firewalls	138
9.3 Introduction to ZyXEL’s Firewall	138
9.3.1 Denial of Service Attacks	139
9.4 Denial of Service	139
9.4.1 Basics	139
9.4.2 Types of DoS Attacks	140
9.5 Stateful Inspection	143
9.5.1 Stateful Inspection Process	144
9.5.2 Stateful Inspection and the ZyXEL Device	144
9.5.3 TCP Security	145
9.5.4 UDP/ICMP Security	145
9.5.5 Upper Layer Protocols	146
9.6 Guidelines for Enhancing Security with Your Firewall	146
9.6.1 Security In General	146
9.7 Packet Filtering Vs Firewall	147
9.7.1 Packet Filtering:	147
9.7.2 Firewall	148
Firewall Configuration	149
10.1 Access Methods	149
10.2 Firewall Policies Overview	149
10.3 Rule Logic Overview	150
10.3.1 Rule Checklist	150
10.3.2 Security Ramifications	150
10.3.3 Key Fields For Configuring Rules	151
10.4 Connection Direction	151
10.4.1 LAN to WAN Rules	152
10.4.2 Alerts	152
10.5 General Firewall Policy	152
10.6 Firewall Rules Summary	153
10.6.1 Configuring Firewall Rules	155
10.6.2 Customized Services	158
10.6.3 Configuring a Customized Service	159
10.7 Example Firewall Rule	159
10.8 Predefined Services	163
10.9 Anti-Probing	165
10.10 DoS Thresholds	166
10.10.1 Threshold Values	166
10.10.2 Half-Open Sessions	167
10.10.3 Configuring Firewall Thresholds	168
Content Filtering	171
11.1 Content Filtering Overview	171
11.2 Configuring Keyword Blocking	171
11.3 Configuring the Schedule	172
11.4 Configuring Trusted Computers	173
Static Route	175
12.1 Static Route	175
12.2 Configuring Static Route	175
12.2.1 Static Route Edit	176
Bandwidth Management	179
13.1 Bandwidth Management Overview	179
13.2 Application-based Bandwidth Management	179
13.3 Subnet-based Bandwidth Management	179
13.4 Application and Subnet-based Bandwidth Management	180
13.5 Scheduler	180
13.5.1 Priority-based Scheduler	180
13.5.2 Fairness-based Scheduler	181
13.6 Maximize Bandwidth Usage	181
13.6.1 Reserving Bandwidth for Non-Bandwidth Class Traffic	181
13.6.2 Maximize Bandwidth Usage Example	182
13.6.3 Bandwidth Management Priorities	183
13.7 Over Allotment of Bandwidth	184
13.8 Configuring Summary	184
13.9 Bandwidth Management Rule Setup	185
13.9.1 Rule Configuration	187
13.10 Bandwidth Monitor	189
Dynamic DNS Setup	191
14.1 Dynamic DNS Overview	191
14.1.1 DYNDNS Wildcard	191
14.2 Configuring Dynamic DNS	191
Remote Management Configuration	195
15.1 Remote Management Overview	195
15.1.1 Remote Management Limitations	195
15.1.2 Remote Management and NAT	196
15.1.3 System Timeout	196
15.2 WWW	196
15.3 Telnet	197
15.4 Configuring Telnet	197
15.5 Configuring FTP	198
15.6 SNMP	199
15.6.1 Supported MIBs	200
15.6.2 SNMP Traps	201
15.6.3 Configuring SNMP	201
15.7 Configuring DNS	202
15.8 Configuring ICMP	203
15.9 TR-069	204
Universal Plug-and-Play (UPnP)	207
16.1 Introducing Universal Plug and Play	207
16.1.1 How do I know if I'm using UPnP?	207
16.1.2 NAT Traversal	207
16.1.3 Cautions with UPnP	208
16.2 UPnP and ZyXEL	208
16.2.1 Configuring UPnP	208
16.3 Installing UPnP in Windows Example	209
16.3.1 Installing UPnP in Windows Me	209
16.3.2 Installing UPnP in Windows XP	211
16.4 Using UPnP in Windows XP Example	212
16.4.1 Auto-discover Your UPnP-enabled Network Device	212
16.4.2 Web Configurator Easy Access	215
System	219
17.1 General Setup	219
17.1.1 General Setup and System Name	219
17.1.2 General Setup	219
17.2 Time Setting	221
Logs	225
18.1 Logs Overview	225
18.1.1 Alerts and Logs	225
18.2 Viewing the Logs	225
18.3 Configuring Log Settings	226
18.3.1 Example E-mail Log	228
18.4 Log Descriptions	229
Tools	245
19.1 Firmware Upgrade	245
19.2 Configuration Screen	247
19.2.1 Backup Configuration	247
19.2.2 Restore Configuration	248
19.2.3 Back to Factory Defaults	249
19.3 Restart	249
Diagnostic	251
20.1 General Diagnostic	251
20.2 DSL Line Diagnostic	252
Troubleshooting	253
21.1 Problems Starting Up the ZyXEL Device	253
21.2 Problems with the LAN	253
21.3 Problems with the WAN	254
21.4 Problems Accessing the ZyXEL Device	255
Product Specifications	257
About ADSL	261
Internal SPTGEN	263
Wall-mounting Instructions	279
Setting up Your Computer’s IP Address	281
IP Subnetting	297
Command Interpreter	305
Firewall Commands	309
NetBIOS Filter Commands	315
Splitters and Microfilters	317
Wireless LANs	321
Pop-up Windows, JavaScripts and Java Permissions	335
Triangle Route	343
Index	345
Numerics	345
A	345
B	345
C	345
D	346
E	346
F	347
G	347
H	347
I	347
L	348
M	348
N	348
O	348
P	348
Q	349
R	349
S	349
T	350
U	350
V	351
W	351

Match case Limit results 1 per page

P-660HW-T v2 User’s Guide

Chapter 9 Firewalls

143

9.4.2.3

Traceroute

Traceroute is a utility used to determine the path a packet takes between two endpoints.

Sometimes when a packet filter firewall is configured incorrectly an attacker can traceroute

the firewall gaining knowledge of the network topology inside the firewall.

Often, many DoS attacks also employ a technique known as "

IP Spoofing

" as part of their

attack. IP Spoofing may be used to break into systems, to hide the hacker's identity, or to

magnify the effect of the DoS attack. IP Spoofing is a technique used to gain unauthorized

access to computers by tricking a router or firewall into thinking that the communications are

coming from within the trusted network. To engage in IP spoofing, a hacker must modify the

packet headers so that it appears that the packets originate from a trusted host and should be

allowed through the router or firewall. The ZyXEL Device blocks all IP Spoofing attempts.

9.5

Stateful Inspection

With stateful inspection, fields of the packets are compared to packets that are already known

to be trusted. For example, if you access some outside service, the proxy server remembers

things about your original request, like the port number and source and destination addresses.

This “remembering” is called

saving the state.

When the outside system responds to your

request, the firewall compares the received packets with the saved state to determine if they

are allowed in. The ZyXEL Device uses stateful packet inspection to protect the private LAN

from hackers and vandals on the Internet. By default, the ZyXEL Device’s stateful inspection

allows all communications to the Internet that originate from the LAN, and blocks all traffic to

the LAN that originates from the Internet. In summary, stateful inspection:

•

Allows all sessions originating from the LAN (local network) to the WAN (Internet).

•

Denies all sessions originating from the WAN to the LAN.

Figure 82

Stateful Inspection