Home » ZyXEL Manuals » Networking » ZyXEL LTE5121 » Manual Viewer

ZyXEL LTE5121 User Guide - Page 132

Firewall Technical Reference

Get ZyXEL LTE5121 PDF manuals and user guides

Add to My Manuals
Save this manual to your list of manuals

Page 132 highlights

Chapter 12 Firewall 12.6 Firewall Technical Reference This section provides some technical background information about the topics covered in this chapter. 12.6.1 Guidelines For Enhancing Security With Your Firewall 1 Change the default password via web configurator. 2 Think about access control before you connect to the network in any way. 3 Limit who can access your LTE Device. 4 Don't enable any local service (such as Telnet or FTP) that you don't use. Any enabled service could present a potential security risk. A determined hacker might be able to find creative ways to misuse the enabled services to access the firewall or the network. 5 For local services that are enabled, protect against misuse. Protect by configuring the services to communicate only with specific peers, and protect by configuring rules to block packets for the services at specific interfaces. 6 Keep the firewall in a secured (locked) room. 12.6.2 Security Considerations Note: Incorrectly configuring the firewall may block valid access or introduce security risks to the LTE Device and your protected network. Use caution when creating or deleting firewall rules and test your rules after you configure them. Consider these security ramifications before creating a rule: 1 Does this rule stop LAN users from accessing critical resources on the Internet? For example, if IRC is blocked, are there users that require this service? 2 Is it possible to modify the rule to be more specific? For example, if IRC is blocked for all users, will a rule that blocks just certain users be more effective? 3 Does a rule that allows Internet users access to resources on the LAN create a security vulnerability? For example, if FTP ports (TCP 20, 21) are allowed from the Internet to the LAN, Internet users may be able to connect to computers with running FTP servers. 4 Does this rule conflict with any existing rules? Once these questions have been answered, adding rules is simply a matter of entering the information into the correct fields in the web configurator screens. 132 LTE-5121 User's Guide

Section	Page
LTE5121	1
Contents Overview	3
Table of Contents	5
User’s Guide	13
Introduction	15
1.1 Overview	15
1.2 Applications for the LTE Device	15
1.2.1 Internet Access	15
1.2.2 VoIP Features	16
1.3 The WLAN Button	16
1.4 The WPS Button	16
1.5 Ways to Manage the LTE Device	17
1.6 Good Habits for Managing the LTE Device	17
1.7 LEDs (Lights)	17
1.8 The RESET Button	19
1.9 Wall-mounting Instructions	19
Introducing the Web Configurator	23
2.1 Overview	23
2.1.1 Accessing the Web Configurator	23
2.2 The Web Configurator Layout	25
2.2.1 Title Bar	25
2.2.2 Main Window	25
Technical Reference	27
Connection Status and System Info	29
3.1 Overview	29
3.2 The Connection Status Screen	29
3.3 The System Info Screen	30
Broadband	35
4.1 Overview	35
4.1.1 What You Can Do in this Chapter	35
4.1.2 What You Need to Know	35
4.1.3 Before You Begin	36
4.2 The Broadband Screen	36
4.2.1 Edit Internet Connection	38
4.3 The SIM Screen	39
4.3.1 PUK Code Screen	40
4.4 Technical Reference	41
Wireless	43
5.1 Overview	43
5.1.1 What You Can Do in this Chapter	43
5.1.2 Wireless Network Overview	43
5.1.3 Before You Begin	45
5.2 The Wireless General Screen	45
5.2.1 No Security	47
5.2.2 Basic (Static WEP/Shared WEP Encryption)	47
5.2.3 More Secure (WPA(2)-PSK)	49
5.2.4 WPA(2) Authentication	50
5.3 The More AP Screen	51
5.3.1 Edit More AP	52
5.4 The WPS Screen	53
5.5 The WMM Screen	55
5.6 Scheduling Screen	57
5.7 Channel Status Screen	57
5.8 Technical Reference	58
5.8.1 Additional Wireless Terms	59
5.8.2 Wireless Security Overview	59
5.8.3 Signal Problems	61
5.8.4 BSS	61
5.8.5 MBSSID	62
5.8.6 WiFi Protected Setup (WPS)	62
Home Networking	71
6.1 Overview	71
6.1.1 What You Can Do in this Chapter	71
6.1.2 What You Need To Know	71
6.2 The LAN Setup Screen	74
6.3 The Static DHCP Screen	75
6.3.1 Before You Begin	75
6.4 The UPnP Screen	77
6.5 The File Sharing Screen	77
6.5.1 Before You Begin	78
6.5.2 Add/Edit File Sharing	79
6.6 The Media Server Screen	80
6.7 The Printer Server Screen	81
6.7.1 Before You Begin	81
6.8 Technical Reference	82
6.9 Installing UPnP in Windows Example	86
6.10 Using UPnP in Windows XP Example	89
Static Route	95
7.1 Overview	95
7.2 Configuring Static Route	96
7.2.1 Add/Edit Static Route	97
DNS Route	99
8.1 Overview	99
8.1.1 What You Can Do in this Chapter	99
8.2 The DNS Route Screen	100
8.2.1 Add/Edit DNS Route Edit	100
Quality of Service (QoS)	103
9.1 Overview	103
9.1.1 What You Can Do in this Chapter	103
9.1.2 What You Need to Know	103
9.2 The QoS General Screen	104
9.3 The Queue Setup Screen	105
9.3.1 Add/Edit a QoS Queue	106
9.4 The Class Setup Screen	107
9.4.1 Add/Edit QoS Class	109
9.5 The QoS Monitor Screen	112
9.6 QoS Technical Reference	113
9.6.1 DiffServ	113
Network Address Translation (NAT)	115
10.1 Overview	115
10.1.1 What You Can Do in this Chapter	115
10.1.2 What You Need To Know	115
10.2 The Port Forwarding Screen	116
10.2.1 The Port Forwarding Screen	117
10.2.2 The Port Forwarding Edit Screen	118
10.3 The DMZ Screen	119
10.4 The Sessions Screen	119
10.5 The ALG Screen	120
10.6 Technical Reference	120
10.6.1 NAT Definitions	121
10.6.2 What NAT Does	121
10.6.3 How NAT Works	121
Dynamic DNS	123
11.1 Overview	123
11.1.1 What You Need To Know	123
11.2 The Dynamic DNS Screen	123
Firewall	125
12.1 Overview	125
12.1.1 What You Can Do in this Chapter	125
12.1.2 What You Need to Know	126
12.2 The General Screen	126
12.3 The Services Screen	127
12.3.1 The Add New Services Entry Screen	128
12.4 The Access Control Screen	129
12.4.1 The Add New ACL Rule/Edit Screen	130
12.5 The DoS Screen	131
12.6 Firewall Technical Reference	132
12.6.1 Guidelines For Enhancing Security With Your Firewall	132
12.6.2 Security Considerations	132
MAC Filter	133
13.1 Overview	133
13.1.1 What You Need to Know	133
13.2 The MAC Filter Screen	133
Parental Control	135
14.1 Overview	135
14.2 The Parental Control Screen	135
14.2.1 Add/Edit a Parental Control Rule	136
Certificates	139
15.1 Overview	139
15.1.1 What You Can Do in this Chapter	139
15.1.2 What You Need to Know	139
15.1.3 Verifying a Certificate	140
15.2 Local Certificates	141
15.3 Trusted CA	143
15.4 Trusted CA Import	143
15.5 View Certificate	144
15.6 VPN Certificates	145
15.7 VPN Certificate Import	147
VPN	149
16.1 Overview	149
16.2 The VPN Screen	149
16.3 IPSec VPN: Add	150
16.4 VPN Monitor Screen	155
16.5 Technical Reference	155
16.5.1 IPSec Architecture	156
16.5.2 Encapsulation	156
16.5.3 IKE Phases	157
16.5.4 Negotiation Mode	158
16.5.5 IPSec and NAT	159
16.5.6 VPN, NAT, and NAT Traversal	159
16.5.7 ID Type and Content	160
16.5.8 Pre-Shared Key	161
16.5.9 Diffie-Hellman (DH) Key Groups	161
VoIP	163
17.1 Overview	163
17.1.1 What You Can Do in this Chapter	163
17.1.2 What You Need to Know	163
17.1.3 Before You Begin	164
17.2 The SIP Service Provider Screen	165
17.3 The SIP Account Screen	171
17.3.1 Add/Edit SIP Account	172
17.4 Multiple SIP Accounts	175
17.5 Phone Screen	175
17.5.1 Edit Phone Device	175
17.6 The Phone Region Screen	177
17.7 The Call Rule Screen	177
17.8 Technical Reference	179
17.8.1 VoIP	179
17.8.2 SIP	179
17.8.3 Quality of Service (QoS)	183
17.8.4 Phone Services Overview	184
System Monitor	187
18.1 Overview	187
18.1.1 What You Can Do in this Chapter	187
18.1.2 What You Need To Know	187
18.2 The LTE Status Screen	188
18.3 The System Log Screen	190
18.4 The Phone Log Screen	191
18.5 The VoIP Call History Screen	192
18.6 The WAN Status Screen	192
18.7 The LAN Status Screen	193
18.8 The NAT Status Screen	194
18.9 The VoIP Status Screen	195
User Account	197
19.1 Overview	197
19.2 The User Account Screen	197
Remote MGMT	199
20.1 Overview	199
20.1.1 What You Need to Know	199
20.2 The Remote MGMT Screen	200
SNMP	201
21.1 Overview	201
21.2 The SNMP Screen	201
System	203
22.1 Overview	203
22.1.1 What You Need to Know	203
22.2 The System Screen	203
Time Setting	205
23.1 Overview	205
23.2 The Time Setting Screen	205
Log Setting	207
24.1 Overview	207
24.2 The Log Setting Screen	207
Firmware Upgrade	209
25.1 Overview	209
25.2 The Firmware Upgrade Screen	209
Backup/Restore	211
26.1 Overview	211
26.2 The Backup/Restore Screen	211
26.3 The Reboot Screen	213
Diagnostic	215
27.1 Overview	215
27.2 The Ping/TraceRoute Screen	215
27.3 LTE Diagnostic Screen	216
Troubleshooting	217
28.1 Overview	217
28.2 Power, Hardware Connections, and LEDs	217
28.3 LTE Device Access and Login	218
28.4 Internet Access	220
28.5 Wireless Internet Access	221
28.6 Phone Calls and VoIP	222
28.7 USB Device Connection	222
28.8 UPnP	223
Legal Information	225

Match case Limit results 1 per page

Chapter 12 Firewall

LTE-5121 User’s Guide

132

12.6

Firewall Technical Reference

This section provides some technical background information about the topics covered in this

chapter.

12.6.1

Guidelines For Enhancing Security With Your Firewall

Change the default password via web configurator.

Think about access control before you connect to the network in any way.

Limit who can access your LTE Device.

Don't enable any local service (such as Telnet or FTP) that you don't use. Any enabled service could

present a potential security risk. A determined hacker might be able to find creative ways to misuse

the enabled services to access the firewall or the network.

For local services that are enabled, protect against misuse. Protect by configuring the services to

communicate only with specific peers, and protect by configuring rules to block packets for the

services at specific interfaces.

Keep the firewall in a secured (locked) room.

12.6.2

Security Considerations

Note: Incorrectly configuring the firewall may block valid access or introduce security

risks to the LTE Device and your protected network. Use caution when creating or

deleting firewall rules and test your rules after you configure them.

Consider these security ramifications before creating a rule:

Does this rule stop LAN users from accessing critical resources on the Internet? For example, if IRC

is blocked, are there users that require this service?

Is it possible to modify the rule to be more specific? For example, if IRC is blocked for all users, will

a rule that blocks just certain users be more effective?

Does a rule that allows Internet users access to resources on the LAN create a security

vulnerability? For example, if FTP ports (TCP 20, 21) are allowed from the Internet to the LAN,

Internet users may be able to connect to computers with running FTP servers.

Does this rule conflict with any existing rules?

Once these questions have been answered, adding rules is simply a matter of entering the

information into the correct fields in the web configurator screens.