Home » Asus Manuals » Network Security & Firewall Devices » Asus SL1000 » Manual Viewer

Asus SL1000 User Manual - Page 80

Configuring DoS Settings

Add to My Manuals
Save this manual to your list of manuals

Page 80 highlights

Chapter 9. Configuring Firewall/NAT Settings Internet Security Router User's Manual 5. Click on the button to create the new service. The new service will then be displayed in the service list table at the bottom half of the Service Configuration page. 9.6.2.4 Modify a Service To modify a service, follow the instructions below: 1. Open the Service List Configuration Page (see section 9.6.2.2 Access Service List Configuration Page). 2. Select the service from the service drop-down list or click on the icon of the service to be modified in the service list table. 3. Make desired changes to any or all of the following fields: service name, public port and protocol. Please see Table 9.5 for explanation of these fields. 4. Click on the button to modify this service. The new settings for this service will then be displayed in the service list table at the bottom half of the Service Configuration page. 9.6.2.5 Delete a Service To delete a service, follow the instructions below: 1. Open the Service List Configuration Page (see section 9.6.2.2 Access Service List Configuration Page). 2. Select the service from the service drop-down list or click on the icon of the service to be modified in the service list table. 3. Click on the button to delete this service. Note that the service deleted will be removed from the service list table located at the bottom half of the same configuration page. 9.6.2.6 View Configured Services To see a list of existing services, follow the instructions below: 1. Open the Service List Configuration Page (see section 9.6.2.2 Access Service List Configuration Page). 2. The service list table located at the bottom half of the Service Configuration page shows all the configured services. 9.6.3 Configuring DoS Settings The Internet Security Router has a proprietary Attack Defense Engine that protects internal networks from Denial of Service (DoS) attacks such as SYN flooding, IP smurfing, LAND, Ping of Death and all re-assembly attacks. It can drop ICMP redirects and IP loose/strict source routing packets. For example, a security device with the Internet Security Router Firewall provides protection from "WinNuke", a widely used program to remotely crash unprotected Windows systems in the Internet. The Internet Security Router Firewall also provides protection from a variety of common Internet attacks such as IP Spoofing, Ping of Death, Land Attack, Reassembly and SYN flooding. For a complete list of DoS protection provided by the Internet Security Router, please see Table 2.3. 9.6.3.1 DoS Protection Configuration Parameters Table 9.6 describes the configuration parameters available for DoS Protection. Table 9.6. DoS Protection Configuration Parameters Field SYN Flooding Description Check or un-check this option to enable or disable protection against SYN Flood attacks. This attack involves sending connection requests to a server, but never fully completing the connections. This will cause some computers 64

Section	Page
Table of Contents	3
List of Figures	11
List of Tables	14
Introduction	17
1.1 Features	17
1.2 System Requirements	17
1.3 Using this Document	17
1.3.1 Notational conventions	17
1.3.2 Typographical conventions	17
1.3.3 Special messages	17
Getting to Know the Internet Security Router	19
2.1 Parts List	19
2.2 Front Panel	19
2.3 Rear Panel	19
2.4 Major Features	20
2.4.1 Firewall Features	20
2.4.1.1 Address Sharing and Management	20
2.4.1.1 ACL (Access Control List)	21
2.4.1.2 Stateful Packet Inspection	21
2.4.1.3 Defense against DoS Attacks	21
2.4.1.4 Application Command Filtering	22
2.4.1.5 Application Level Gateway (ALG)	22
2.4.1.6 URL Filtering	22
2.4.1.7 Log and Alerts	22
2.4.1.8 Remote Access	23
2.4.2 VPN	23
Quick Start Guide	25
3.1 Part 1 — Connecting the Hardware	25
3.1.1 Step 1. Connect an ADSL or a cable modem.	25
3.1.2 Step 2. Connect computers or a LAN.	25
3.1.3 Step 3. Attach the power adapter.	25
3.1.4 Step 4. Turn on the Internet Security Router, the ADSL or cable modem and power up your computers.	26
3.2 Part 2 — Configuring Your Computers	27
3.2.1 Before you begin	27
3.2.2 Windows[CT6]® XP PCs:	27
3.2.3 Windows® 2000 PCs:	27
3.2.4 Windows® 95, 98, and Me PCs	28
3.2.5 Windows® NT 4.0 workstations:	28
3.2.6 Assigning static IP addresses to your PCs	29
3.3 Part 3 — Quick Configuration of the Internet Security Router	30
3.3.1 Buttons Used in Setup Wizard	30
3.3.2 Setting Up the Internet Security Router	30
3.3.3 Testing Your Setup	36
3.3.4 Default Router Settings	36
Getting Started with the Configuration Manager[CT9]	37
4.1 Log into Configuration Manager	37
4.2 Functional Layout	38
4.2.1 Setup Menu Navigation Tips	38
4.2.2 Commonly Used Buttons and Icons	38
4.3 The Home Page of Configuration Manager	39
4.4 Overview of System Configuration	39
Configuring LAN Settings	41
5.1 LAN IP Address	41
5.1.1 LAN IP Configuration Parameters	41
5.1.2 Configuring the LAN IP Address	41
5.2 DHCP (Dynamic Host Control Protocol)	42
5.2.1 What is DHCP?	42
5.2.2 Why use DHCP?	43
5.2.3 Configuring DHCP Server	43
5.2.4 Viewing Current DHCP Address Assignments	44
5.3 DNS	45
5.3.1 About DNS	45
5.3.2 Assigning DNS Addresses	45
5.3.3 Configuring DNS Relay	45
5.4 Viewing LAN Statistics	46
Configuring WAN Settings	47
6.1 WAN Connection Mode	47
6.2 PPPoE	47
6.2.1 WAN PPPoE Configuration Parameters	47
6.2.2 Configuring PPPoE for WAN	48
6.3 Dynamic IP	48
6.3.1 WAN Dynamic IP Configuration Parameters	48
6.3.2 Configuring Dynamic IP for WAN	49
6.4 Static IP	50
6.4.1 WAN Static IP Configuration Parameters	50
6.4.2 Configuring Static IP for WAN	50
6.5 Viewing WAN Statistics	51
Configuring Routes	53
7.1 Overview of IP Routes	53
7.1.1 Do I need to define IP routes?	53
7.2 Dynamic Routing using RIP (Routing Information Protocol)	54
7.2.1 Enabling/Disabling RIP	54
7.3 Static Routing	54
7.3.1 Static Route Configuration Parameters	54
7.3.2 Adding Static Routes	54
7.3.3 Deleting Static Routes	54
7.3.4 Viewing the Static Routing Table	55
Configuring DDNS	57
8.1 DDNS Configuration Parameters	58
8.2 Access DDNS Configuration Page	59
8.3 Configuring RFC-2136 DDNS Client	59
8.4 Configuring HTTP DDNS Client	60
Configuring Firewall/NAT Settings	61
9.1 Firewall Overview	61
9.1.1 Stateful Packet Inspection	61
9.1.2 DoS (Denial of Service) Protection	61
9.1.3 Firewall and Access Control List (ACL)	61
9.1.3.1 Priority Order of ACL Rule	61
9.1.3.2 Tracking Connection State	62
9.1.4 Default ACL Rules	62
9.2 NAT Overview	62
9.2.1 Static (One to One) NAT	62
9.2.2 Dynamic NAT	63
9.2.3 NAPT (Network Address and Port Translation) or PAT (Port Address Translation)	64
9.2.4 Reverse Static NAT	65
9.2.5 Reverse NAPT / Virtual Server	65
9.3 Configuring Inbound ACL Rules	65
9.3.1 Inbound ACL Rule Configuration Parameters	65
9.3.2 Access Inbound ACL Rule Configuration Page – (Firewall Inbound ACL)	68
9.3.3 Add Inbound ACL Rules	68
9.3.4 Modify Inbound ACL Rules	69
9.3.5 Delete Inbound ACL Rules	69
9.3.6 Display Inbound ACL Rules	69
9.4 Configuring Outbound ACL Rules	69
9.4.1 Outbound ACL Rule Configuration Parameters	70
9.4.2 Access Outbound ACL Rule Configuration Page – (Firewall Outbound ACL)	72
9.4.3 Add an Outbound ACL Rule	73
9.4.4 Modify Outbound ACL Rules	73
9.4.5 Delete Outbound ACL Rules	74
9.4.6 Display Outbound ACL Rules	74
9.5 Configuring URL Filters	74
9.5.1 URL Filter Configuration Parameters	74
9.5.2 Access URL Filter Configuration Page – (Firewall URL Filter)	74
9.5.3 Add an URL Filter Rule	75
9.5.4 Modify an URL Filter Rule	75
9.5.5 Delete an URL Filter Rule	75
9.5.6 View Configured URL Filter Rules	75
9.5.7 URL Filter Rule Example	75
9.6 Configuring Advanced Firewall Features – (Firewall Advanced)	76
9.6.1 Configuring Self Access Rules	76
9.6.1.1 Self Access Configuration Parameters	77
9.6.1.2 Access Self Access Rule Configuration Page – (Firewall Advanced Self Access)	77
9.6.1.3 Add a Self Access Rule	77
9.6.1.4 Modify a Self Access Rule	78
9.6.1.5 Delete a Self Access Rule	78
9.6.1.6 View Configured Self Access Rules	78
9.6.2 Configuring Service List	78
9.6.2.1 Service List Configuration Parameters	79
9.6.2.2 Access Service List Configuration Page – (Firewall Advanced Service)	79
9.6.2.3 Add a Service	79
9.6.2.4 Modify a Service	80
9.6.2.5 Delete a Service	80
9.6.2.6 View Configured Services	80
9.6.3 Configuring DoS Settings	80
9.6.3.1 DoS Protection Configuration Parameters	80
9.6.3.2 Access DoS Configuration Page – (Firewall Advanced DoS)	82
9.6.3.3 Configuring DoS Settings	82
9.7 Firewall Policy List – (Firewall Policy List)	82
9.7.1 Configuring Application Filter	83
9.7.1.1 Application Filter Configuration Parameters	83
9.7.1.2 Access Application Filter Configuration Page – (Firewall Policy List Application Filter)	84
9.7.1.3 Add an Application Filter	85
9.7.1.3.1 FTP Example: Add a FTP Filter Rule to Block FTP DELETE Command	85
9.7.1.3.2 HTTP Example: Add a HTTP Filter Rule to Block JAVA Applets and Java Archives	87
9.7.1.4 Modify an Application Filter	88
9.7.1.5 Delete an Application Filter	89
9.7.2 Configuring IP Pool	89
9.7.2.1 IP Pool Configuration Parameters	89
9.7.2.2 Access IP Pool Configuration Page – (Firewall Policy List IP Pool)	90
9.7.2.3 Add an IP Pool	90
9.7.2.4 Modify an IP Pool	90
9.7.2.5 Delete an IP Pool	91
9.7.2.6 IP Pool Example	91
9.7.3 Configuring NAT Pool	92
9.7.3.1 NAT Pool Configuration Parameters	92
9.7.3.2 Access NAT Pool Configuration Page – (Firewall Policy List NAT Pool)	93
9.7.3.3 Add a NAT Pool	94
9.7.3.4 Modify a NAT Pool	94
9.7.3.5 Delete a NAT Pool	94
9.7.3.6 NAT Pool Example	94
9.7.4 Configuring Time Range	96
9.7.4.1 Time Range Configuration Parameters	96
9.7.4.2 Access Time Range Configuration Page – (Firewall Policy List Time Range)	97
9.7.4.3 Add a Time Range	97
9.7.4.4 Modify a Time Range	97
9.7.4.5 Delete a Time Range	98
9.7.4.6 Delete a Schedule in a Time Range	98
9.7.4.7 Time Range Example	98
9.8 Firewall Statistics – Firewall Statistics	99
Configuring VPN	101
10.1 Default Parameters	101
10.2 VPN Tunnel Configuration Parameters	103
10.3 Establish VPN Connection Using Automatic Keying	106
10.3.1 Add a Rule for VPN Connection Using Pre-shared Key	107
10.3.2 Modify VPN Rules	108
10.3.3 Delete VPN Rules	108
10.3.4 Display VPN Rules	108
10.4 Establish VPN Connection Using Manual Keys	109
10.4.1 Add a Rule for VPN Connection Using Manual Key	109
10.4.2 Modify VPN Rules	110
10.4.3 Delete VPN Rules	110
10.4.4 Display VPN Rules	110
10.5 VPN Statistics	111
10.6 VPN Connection Examples	112
10.6.1 Intranet Scenario – firewall + VPN and no NAT for VPN traffic	112
10.6.1.1 Configure Rules on Internet Security Router 1 (ISR1)	113
10.6.1.2 Configure Rules on Internet Security Router 2 (ISR2)	114
10.6.1.3 Establish Tunnel and Verify	116
10.6.2 Extranet Scenario – firewall + static NAT + VPN for VPN traffic	116
10.6.2.1 Setup the Internet Security Routers	117
10.6.2.2 Configure VPN Rules on ISR1	118
10.6.2.3 Configure VPN Rules on ISR2	120
10.6.2.4 Establish Tunnel and Verify	123
Configuring Remote Access	125
11.1 Remote Access	125
11.2 Manage User Groups and Users	125
11.2.1 User Group Configuration Parameters	125
11.2.2 Access User Group Configuration Page – (Remote Access User Group)	126
11.2.3 Add a User Group and/or a User	126
11.2.4 Modify a User Group or a User	127
11.2.5 Delete a User Group or a User	127
11.2.6 User Group and Users Configuration Example	128
11.3 Configure Group ACL Rules	128
11.3.1 Group ACL Specific Configuration Parameters	128
11.3.2 Access Group ACL Configuration Page – (Remote Access Group ACL)	129
11.3.3 Add/Modify/Delete Group ACL Rules	129
11.4 Remote User Login Process	129
11.5 Configure Firewall for Remote Access	131
11.6 Virtual IP Address Configuration for Remote Access VPN	132
11.6.1 Access VPN Virtual IP Configuration Page – (Remote Access VPN Virtual IP)	132
11.6.2 Assign VPN Virtual IP Address for Remote Access Users	132
11.6.3 Change Virtual IP Assignments for Remote Access Users	133
11.6.4 Delete Virtual IP Address for Remote Access Users	133
11.7 Configure VPN for Remote Access	134
11.7.1 Main Mode Remote Access	134
11.7.2 Aggressive Mode Remote Access	136
System Management	139
12.1 Configure System Services	139
12.2 Change the Login Password	140
12.3 Modify System Information	140
12.4 Setup Date and Time	141
12.4.1 View the System Date and Time	142
12.5 System Configuration Management	142
12.5.1 Reset System Configuration	142
12.5.2 Backup System Configuration	143
12.5.3 Restore System Configuration	143
12.6 Upgrade Firmware	144
12.7 Reset the Internet Security Router	145
12.8 Logout Configuration Manager	146
ALG Configuration	147
IP Addresses, Network Masks, and Subnets	151
14.1 IP Addresses	151
14.1.1 Structure of an IP address	151
14.2 Network classes	151
14.3 Subnet masks	152
Troubleshooting	155
15.1 Diagnosing Problem using IP Utilities	156
15.1.1 ping	156
15.1.2 nslookup	157
Glossary	159

Match case Limit results 1 per page

Chapter 9. Configuring Firewall/NAT Settings

Internet Security Router User

’

s Manual

5. Click on the

button to create the new service. The new service will then be displayed in

the service list table at the bottom half of the Service Configuration page.

9.6.2.4

Modify a Service

To modify a service, follow the instructions below:

Open the Service List Configuration Page (see section 9.6.2.2 Access Service List Configuration

Page).

Select the service from the service drop-down list or click on the

icon of the service to be

modified in the service list table.

Make desired changes to any or all of the following fields: service name, public port and protocol.

Please see Table 9.5 for explanation of these fields.

4. Click on the

button to modify this service. The new settings for this service will then be

displayed in the service list table at the bottom half of the Service Configuration page.

9.6.2.5

Delete a Service

To delete a service, follow the instructions below:

Open the Service List Configuration Page (see section 9.6.2.2 Access Service List Configuration

Page).

Select the service from the service drop-down list or click on the

icon of the service to be

modified in the service list table.

3. Click on the

button to delete this service. Note that the service deleted will be removed

from the service list table located at the bottom half of the same configuration page.

9.6.2.6

View Configured Services

To see a list of existing services, follow the instructions below:

Open the Service List Configuration Page (see section 9.6.2.2 Access Service List Configuration

Page).

The service list table located at the bottom half of the Service Configuration page shows all the

configured services.

9.6.3

Configuring DoS Settings

The Internet Security Router has a proprietary Attack Defense Engine that protects internal networks from

Denial of Service (DoS) attacks such as SYN flooding, IP smurfing, LAND, Ping of Death and all re-assembly

attacks. It can drop ICMP redirects and IP loose/strict source routing packets. For example, a security device

with the Internet Security Router Firewall provides protection from

“

WinNuke

”

, a widely used program to

remotely crash unprotected Windows systems in the Internet. The Internet Security Router Firewall also

provides protection from a variety of common Internet attacks such as IP Spoofing, Ping of Death, Land Attack,

Reassembly and SYN flooding. For a complete list of DoS protection provided by the Internet Security Router,

please see Table 2.3.

9.6.3.1

DoS Protection Configuration Parameters

Table 9.6 describes the configuration parameters available for DoS Protection.

Table 9.6. DoS Protection Configuration Parameters

Field

Description

SYN Flooding

Check or un-check this option to enable or disable protection against SYN

Flood attacks. This attack involves sending connection requests to a server,

but never fully completing the connections. This will cause some computers