Home » ZyXEL Manuals » Networking » ZyXEL P-660HW-T1 v2 » Manual Viewer

ZyXEL P-660HW-T1 v2 User Guide - Page 167

Half-Open Sessions

Get ZyXEL P-660HW-T1 v2 PDF manuals and user guides

View all ZyXEL P-660HW-T1 v2 manuals

Add to My Manuals
Save this manual to your list of manuals

Page 167 highlights

P-660HW-T v2 User's Guide If your network is slower than average for any of these factors (especially if you have servers that are slow or handle many tasks and are often busy), then the default values should be reduced. You should make any changes to the threshold values before you continue configuring firewall rules. 10.10.2 Half-Open Sessions An unusually high number of half-open sessions (either an absolute number or measured as the arrival rate) could indicate that a Denial of Service attack is occurring. For TCP, "halfopen" means that the session has not reached the established state-the TCP three-way handshake has not yet been completed (see Figure 79 on page 140). For UDP, "half-open" means that the firewall has detected no return traffic. The ZyXEL Device measures both the total number of existing half-open sessions and the rate of session establishment attempts. Both TCP and UDP half-open sessions are counted in the total number and rate measurements. Measurements are made once a minute. When the number of existing half-open sessions rises above a threshold (max-incomplete high), the ZyXEL Device starts deleting half-open sessions as required to accommodate new connection requests. The ZyXEL Device continues to delete half-open requests as necessary, until the number of existing half-open sessions drops below another threshold (maxincomplete low). When the rate of new connection attempts rises above a threshold (one-minute high), the ZyXEL Device starts deleting half-open sessions as required to accommodate new connection requests. The ZyXEL Device continues to delete half-open sessions as necessary, until the rate of new connection attempts drops below another threshold (one-minute low). The rate is the number of new attempts detected in the last one-minute sample period. 10.10.2.1 TCP Maximum Incomplete and Blocking Time An unusually high number of half-open sessions with the same destination host address could indicate that a Denial of Service attack is being launched against the host. Whenever the number of half-open sessions with the same destination host address rises above a threshold (TCP Maximum Incomplete), the ZyXEL Device starts deleting half-open sessions according to one of the following methods: • If the Blocking Time timeout is 0 (the default), then the ZyXEL Device deletes the oldest existing half-open session for the host for every new connection request to the host. This ensures that the number of half-open sessions to a given host will never exceed the threshold. • If the Blocking Time timeout is greater than 0, then the ZyXEL Device blocks all new connection requests to the host giving the server time to handle the present connections. The ZyXEL Device continues to block all new connection requests until the Blocking Time expires. Chapter 10 Firewall Configuration 167

Section	Page
P-660HW-T v2	1
User’s Guide	1
Copyright	3
Certifications	4
Safety Warnings	6
ZyXEL Limited Warranty	8
Customer Support	9
Table of Contents	11
List of Figures	21
List of Tables	27
Preface	31
Getting To Know Your ZyXEL Device	33
1.1 Introducing the ZyXEL Device	33
1.2 Features	33
1.2.1 Wireless Features	36
1.3 Applications for the ZyXEL Device	37
1.3.1 Protected Internet Access	37
1.3.2 LAN to LAN Application	38
1.4 Front Panel LEDs	38
1.5 Hardware Connection	39
Introducing the Web Configurator	41
2.1 Web Configurator Overview	41
2.2 Accessing the Web Configurator	41
2.3 Resetting the ZyXEL Device	43
2.3.1 Using the Reset Button	43
2.4 Navigating the Web Configurator	43
2.4.1 Navigation Panel	43
2.4.2 Status Screen	46
2.4.3 Status: Any IP Table	49
2.4.4 Status: WLAN Status	49
2.4.5 Status: Bandwidth Status	50
2.4.6 Status: Packet Statistics	51
2.4.7 Changing Login Password	52
Wizard Setup for Internet Access	55
3.1 Introduction	55
3.2 Internet Access Wizard Setup	55
3.2.1 Automatic Detection	57
3.2.2 Manual Configuration	57
3.3 Wireless Connection Wizard Setup	62
3.3.1 Manually assign a WPA-PSK key	65
3.3.2 Manually assign a WEP key	66
Bandwidth Management Wizard	69
4.1 Introduction	69
4.2 Predefined Media Bandwidth Management Services	69
4.3 Bandwidth Management Wizard Setup	70
WAN Setup	75
5.1 WAN Overview	75
5.1.1 Encapsulation	75
5.1.2 Multiplexing	76
5.1.3 Encapsulation and Multiplexing Scenarios	76
5.1.4 VPI and VCI	77
5.1.5 IP Address Assignment	77
5.1.6 Nailed-Up Connection (PPP)	78
5.1.7 NAT	78
5.2 Metric	78
5.3 Traffic Shaping	79
5.3.1 ATM Traffic Classes	80
5.4 Zero Configuration Internet Access	80
5.5 Internet Connection	81
5.5.1 Configuring Advanced Internet Connection Setup	83
5.6 Configuring More Connections	84
5.6.1 More Connections Edit	85
5.6.2 Configuring More Connections Advanced Setup	88
5.7 Traffic Redirect	89
5.8 Configuring WAN Backup	90
Wireless LAN	93
6.1 Wireless Network Overview	93
6.2 Wireless Security Overview	94
6.2.1 SSID	94
6.2.2 MAC Address Filter	94
6.2.3 User Authentication	95
6.2.4 Encryption	95
6.2.5 One-Touch Intelligent Security Technology (OTIST)	96
6.3 Wireless Performance Overview	96
6.4 General Wireless LAN Screen	96
6.4.1 No Security	98
6.4.2 WEP Encryption	98
6.4.3 WPA-PSK/WPA2-PSK	99
6.4.4 WPA/WPA2	101
6.4.5 Wireless LAN Advanced Setup	103
6.5 OTIST	105
6.5.1 Enabling OTIST	105
6.5.2 Starting OTIST	107
6.5.3 Notes on OTIST	108
6.6 MAC Filter	108
LAN Setup	111
7.1 LAN Overview	111
7.1.1 LANs, WANs and the ZyXEL Device	111
7.1.2 DHCP Setup	112
7.1.3 DNS Server Address	112
7.1.4 DNS Server Address Assignment	113
7.2 LAN TCP/IP	113
7.2.1 IP Address and Subnet Mask	113
7.2.2 RIP Setup	114
7.2.3 Multicast	115
7.2.4 Any IP	115
7.3 Configuring LAN IP	117
7.3.1 Configuring Advanced LAN Setup	117
7.4 DHCP Setup	119
7.5 LAN Client List	120
7.6 LAN IP Alias	121
Network Address Translation (NAT) Screens	125
8.1 NAT Overview	125
8.1.1 NAT Definitions	125
8.1.2 What NAT Does	126
8.1.3 How NAT Works	126
8.1.4 NAT Application	127
8.1.5 NAT Mapping Types	127
8.2 SUA (Single User Account) Versus NAT	128
8.3 NAT General Setup	128
8.4 Port Forwarding	129
8.4.1 Default Server IP Address	130
8.4.2 Port Forwarding: Services and Port Numbers	130
8.4.3 Configuring Servers Behind Port Forwarding (Example)	131
8.5 Configuring Port Forwarding	131
8.5.1 Port Forwarding Rule Edit	132
8.6 Address Mapping	133
8.6.1 Address Mapping Rule Edit	135
Firewalls	137
9.1 Firewall Overview	137
9.2 Types of Firewalls	137
9.2.1 Packet Filtering Firewalls	137
9.2.2 Application-level Firewalls	138
9.2.3 Stateful Inspection Firewalls	138
9.3 Introduction to ZyXEL’s Firewall	138
9.3.1 Denial of Service Attacks	139
9.4 Denial of Service	139
9.4.1 Basics	139
9.4.2 Types of DoS Attacks	140
9.5 Stateful Inspection	143
9.5.1 Stateful Inspection Process	144
9.5.2 Stateful Inspection and the ZyXEL Device	144
9.5.3 TCP Security	145
9.5.4 UDP/ICMP Security	145
9.5.5 Upper Layer Protocols	146
9.6 Guidelines for Enhancing Security with Your Firewall	146
9.6.1 Security In General	146
9.7 Packet Filtering Vs Firewall	147
9.7.1 Packet Filtering:	147
9.7.2 Firewall	148
Firewall Configuration	149
10.1 Access Methods	149
10.2 Firewall Policies Overview	149
10.3 Rule Logic Overview	150
10.3.1 Rule Checklist	150
10.3.2 Security Ramifications	150
10.3.3 Key Fields For Configuring Rules	151
10.4 Connection Direction	151
10.4.1 LAN to WAN Rules	152
10.4.2 Alerts	152
10.5 General Firewall Policy	152
10.6 Firewall Rules Summary	153
10.6.1 Configuring Firewall Rules	155
10.6.2 Customized Services	158
10.6.3 Configuring a Customized Service	159
10.7 Example Firewall Rule	159
10.8 Predefined Services	163
10.9 Anti-Probing	165
10.10 DoS Thresholds	166
10.10.1 Threshold Values	166
10.10.2 Half-Open Sessions	167
10.10.3 Configuring Firewall Thresholds	168
Content Filtering	171
11.1 Content Filtering Overview	171
11.2 Configuring Keyword Blocking	171
11.3 Configuring the Schedule	172
11.4 Configuring Trusted Computers	173
Static Route	175
12.1 Static Route	175
12.2 Configuring Static Route	175
12.2.1 Static Route Edit	176
Bandwidth Management	179
13.1 Bandwidth Management Overview	179
13.2 Application-based Bandwidth Management	179
13.3 Subnet-based Bandwidth Management	179
13.4 Application and Subnet-based Bandwidth Management	180
13.5 Scheduler	180
13.5.1 Priority-based Scheduler	180
13.5.2 Fairness-based Scheduler	181
13.6 Maximize Bandwidth Usage	181
13.6.1 Reserving Bandwidth for Non-Bandwidth Class Traffic	181
13.6.2 Maximize Bandwidth Usage Example	182
13.6.3 Bandwidth Management Priorities	183
13.7 Over Allotment of Bandwidth	184
13.8 Configuring Summary	184
13.9 Bandwidth Management Rule Setup	185
13.9.1 Rule Configuration	187
13.10 Bandwidth Monitor	189
Dynamic DNS Setup	191
14.1 Dynamic DNS Overview	191
14.1.1 DYNDNS Wildcard	191
14.2 Configuring Dynamic DNS	191
Remote Management Configuration	195
15.1 Remote Management Overview	195
15.1.1 Remote Management Limitations	195
15.1.2 Remote Management and NAT	196
15.1.3 System Timeout	196
15.2 WWW	196
15.3 Telnet	197
15.4 Configuring Telnet	197
15.5 Configuring FTP	198
15.6 SNMP	199
15.6.1 Supported MIBs	200
15.6.2 SNMP Traps	201
15.6.3 Configuring SNMP	201
15.7 Configuring DNS	202
15.8 Configuring ICMP	203
15.9 TR-069	204
Universal Plug-and-Play (UPnP)	207
16.1 Introducing Universal Plug and Play	207
16.1.1 How do I know if I'm using UPnP?	207
16.1.2 NAT Traversal	207
16.1.3 Cautions with UPnP	208
16.2 UPnP and ZyXEL	208
16.2.1 Configuring UPnP	208
16.3 Installing UPnP in Windows Example	209
16.3.1 Installing UPnP in Windows Me	209
16.3.2 Installing UPnP in Windows XP	211
16.4 Using UPnP in Windows XP Example	212
16.4.1 Auto-discover Your UPnP-enabled Network Device	212
16.4.2 Web Configurator Easy Access	215
System	219
17.1 General Setup	219
17.1.1 General Setup and System Name	219
17.1.2 General Setup	219
17.2 Time Setting	221
Logs	225
18.1 Logs Overview	225
18.1.1 Alerts and Logs	225
18.2 Viewing the Logs	225
18.3 Configuring Log Settings	226
18.3.1 Example E-mail Log	228
18.4 Log Descriptions	229
Tools	245
19.1 Firmware Upgrade	245
19.2 Configuration Screen	247
19.2.1 Backup Configuration	247
19.2.2 Restore Configuration	248
19.2.3 Back to Factory Defaults	249
19.3 Restart	249
Diagnostic	251
20.1 General Diagnostic	251
20.2 DSL Line Diagnostic	252
Troubleshooting	253
21.1 Problems Starting Up the ZyXEL Device	253
21.2 Problems with the LAN	253
21.3 Problems with the WAN	254
21.4 Problems Accessing the ZyXEL Device	255
Product Specifications	257
About ADSL	261
Internal SPTGEN	263
Wall-mounting Instructions	279
Setting up Your Computer’s IP Address	281
IP Subnetting	297
Command Interpreter	305
Firewall Commands	309
NetBIOS Filter Commands	315
Splitters and Microfilters	317
Wireless LANs	321
Pop-up Windows, JavaScripts and Java Permissions	335
Triangle Route	343
Index	345
Numerics	345
A	345
B	345
C	345
D	346
E	346
F	347
G	347
H	347
I	347
L	348
M	348
N	348
O	348
P	348
Q	349
R	349
S	349
T	350
U	350
V	351
W	351

Match case Limit results 1 per page

P-660HW-T v2 User’s Guide

Chapter 10 Firewall Configuration

167

If your network is slower than average for any of these factors (especially if you have servers

that are slow or handle many tasks and are often busy), then the default values should be

reduced.

You should make any changes to the threshold values before you continue configuring

firewall rules.

10.10.2

Half-Open Sessions

An unusually high number of half-open sessions (either an absolute number or measured as

the arrival rate) could indicate that a Denial of Service attack is occurring. For TCP, "half-

open" means that the session has not reached the established state-the TCP three-way

handshake has not yet been completed (see

Figure 79 on page 140

). For UDP, "half-open"

means that the firewall has detected no return traffic.

The ZyXEL Device measures both the total number of existing half-open sessions and the rate

of session establishment attempts. Both TCP and UDP half-open sessions are counted in the

total number and rate measurements. Measurements are made once a minute.

When the number of existing half-open sessions rises above a threshold (

max-incomplete

high

), the ZyXEL Device starts deleting half-open sessions as required to accommodate new

connection requests. The ZyXEL Device continues to delete half-open requests as necessary,

until the number of existing half-open sessions drops below another threshold (

max-

incomplete low

When the rate of new connection attempts rises above a threshold (

one-minute high

), the

ZyXEL Device starts deleting half-open sessions as required to accommodate new connection

requests. The ZyXEL Device continues to delete half-open sessions as necessary, until the rate

of new connection attempts drops below another threshold (

one-minute low

). The rate is the

number of new attempts detected in the last one-minute sample period.

10.10.2.1

TCP Maximum Incomplete and Blocking Time

An unusually high number of half-open sessions with the same destination host address could

indicate that a Denial of Service attack is being launched against the host.

Whenever the number of half-open sessions with the same destination host address rises above

a threshold (

TCP Maximum Incomplete

), the ZyXEL Device starts deleting half-open

sessions according to one of the following methods:

•

If the

Blocking Time

timeout is 0 (the default), then the ZyXEL Device deletes the oldest

existing half-open session for the host for every new connection request to the host. This

ensures that the number of half-open sessions to a given host will never exceed the

threshold.

•

If the

Blocking Time

timeout is greater than 0, then the ZyXEL Device blocks all new

connection requests to the host giving the server time to handle the present connections.

The ZyXEL Device continues to block all new connection requests until the

Blocking

Time

expires.