Home » ZyXEL Manuals » Networking » ZyXEL P-660H-T1 v2 » Manual Viewer

ZyXEL P-660H-T1 v2 User Guide - Page 117

Stateful Inspection Process - records

Get ZyXEL P-660H-T1 v2 PDF manuals and user guides

Add to My Manuals
Save this manual to your list of manuals

Page 117 highlights

Chapter 8 Firewalls are allowed in. The ZyXEL Device uses stateful packet inspection to protect the private LAN from hackers and vandals on the Internet. By default, the ZyXEL Device's stateful inspection allows all communications to the Internet that originate from the LAN, and blocks all traffic to the LAN that originates from the Internet. In summary, stateful inspection: • Allows all sessions originating from the LAN (local network) to the WAN (Internet). • Denies all sessions originating from the WAN to the LAN. Figure 62 Stateful Inspection The previous figure shows the ZyXEL Device's default firewall rules in action as well as demonstrates how stateful inspection works. User A can initiate a Telnet session from within the LAN and responses to this request are allowed. However other Telnet traffic initiated from the WAN is blocked. 8.5.1 Stateful Inspection Process In this example, the following sequence of events occurs when a TCP packet leaves the LAN network through the firewall's WAN interface. The TCP packet is the first in a session, and the packet's application layer protocol is configured for a firewall rule inspection: 1 The packet travels from the firewall's LAN to the WAN. 2 The packet is evaluated against the interface's existing outbound access list, and the packet is permitted (a denied packet would simply be dropped at this point). 3 The packet is inspected by a firewall rule to determine and record information about the state of the packet's connection. This information is recorded in a new state table entry created for the new connection. If there is not a firewall rule for this packet and it is not an attack, then the settings in the Firewall General screen determine the action for this packet. 4 Based on the obtained state information, a firewall rule creates a temporary access list entry that is inserted at the beginning of the WAN interface's inbound extended access list. This temporary access list entry is designed to permit inbound packets of the same connection as the outbound packet just inspected. 5 The outbound packet is forwarded out through the interface. P-660H-Tx v2 User's Guide 117

Section	Page
User’s Guide	1
About This User's Guide	3
Document Conventions	4
Safety Warnings	6
Contents Overview	9
Table of Contents	11
List of Figures	19
List of Tables	25
Introduction	29
Introducing the ZyXEL Device	31
1.1 Overview	31
1.2 Ways to Manage the ZyXEL Device	32
1.3 Good Habits for Managing the ZyXEL Device	33
1.4 LEDs	33
1.5 Splitters and Microfilters	34
1.5.1 Connecting a POTS Splitter	34
1.5.2 Telephone Microfilters	35
1.6 Hardware Connections	35
Introducing the Web Configurator	37
2.1 Web Configurator Overview	37
2.2 Accessing the Web Configurator	37
2.2.1 User Access	38
2.2.2 Administrator Access	38
2.3 Resetting the ZyXEL Device	40
2.3.1 Using the Reset Button	40
2.4 Navigating the Web Configurator	40
2.4.1 Navigation Panel	40
2.4.2 Status Screen	43
2.4.3 Status: Any IP Table	45
2.4.4 Status: Bandwidth Status	46
2.4.5 Status: Packet Statistics	47
2.4.6 Changing Login Password	48
Wizards	49
Wizard Setup for Internet Access	51
3.1 Introduction	51
3.2 Internet Access Wizard Setup	51
3.2.1 Automatic Detection	53
3.2.2 Manual Configuration	53
Bandwidth Management Wizard	59
4.1 Introduction	59
4.2 Predefined Media Bandwidth Management Services	59
4.3 Bandwidth Management Wizard Setup	60
Network	65
WAN Setup	67
5.1 WAN Overview	67
5.1.1 Encapsulation	67
5.1.2 Multiplexing	68
5.1.3 Encapsulation and Multiplexing Scenarios	68
5.1.4 VPI and VCI	69
5.1.5 IP Address Assignment	69
5.1.6 Nailed-Up Connection (PPP)	69
5.1.7 NAT	70
5.2 Metric	70
5.3 Traffic Shaping	70
5.3.1 ATM Traffic Classes	71
5.4 Zero Configuration Internet Access	72
5.5 Internet Connection	72
5.5.1 Configuring Advanced Internet Connection Setup	74
5.6 Configuring More Connections	76
5.6.1 More Connections Edit	77
5.6.2 Configuring More Connections Advanced Setup	80
5.7 Traffic Redirect	81
5.8 Configuring WAN Backup	82
LAN Setup	85
6.1 LAN Overview	85
6.1.1 LANs, WANs and the ZyXEL Device	85
6.1.2 DHCP Setup	86
6.1.3 DNS Server Address	86
6.2 LAN TCP/IP	86
6.2.1 IP Address and Subnet Mask	86
6.2.2 RIP Setup	88
6.2.3 Multicast	88
6.2.4 Any IP	89
6.3 Configuring LAN IP	90
6.3.1 Configuring Advanced LAN Setup	91
6.4 DHCP Setup	92
6.5 LAN Client List	93
6.6 LAN IP Alias	94
Network Address Translation (NAT) Screens	97
7.1 NAT Overview	97
7.1.1 NAT Definitions	97
7.1.2 What NAT Does	98
7.1.3 How NAT Works	98
7.1.4 NAT Application	98
7.1.5 NAT Mapping Types	99
7.2 SUA (Single User Account) Versus NAT	100
7.3 SIP ALG	100
7.4 NAT General Setup	101
7.5 Port Forwarding	102
7.5.1 Default Server IP Address	102
7.5.2 Port Forwarding: Services and Port Numbers	102
7.5.3 Configuring Servers Behind Port Forwarding (Example)	103
7.6 Configuring Port Forwarding	103
7.6.1 Port Forwarding Rule Edit	104
7.7 Address Mapping	105
7.7.1 Address Mapping Rule Edit	107
Security	109
Firewalls	111
8.1 Firewall Overview	111
8.2 Types of Firewalls	111
8.2.1 Packet Filtering Firewalls	111
8.2.2 Application-level Firewalls	112
8.2.3 Stateful Inspection Firewalls	112
8.3 Introduction to ZyXEL’s Firewall	112
8.3.1 Denial of Service Attacks	113
8.4 Denial of Service	113
8.4.1 Basics	113
8.4.2 Types of DoS Attacks	114
8.5 Stateful Inspection	116
8.5.1 Stateful Inspection Process	117
8.5.2 Stateful Inspection and the ZyXEL Device	118
8.5.3 TCP Security	118
8.5.4 UDP/ICMP Security	119
8.5.5 Upper Layer Protocols	119
8.6 Guidelines for Enhancing Security with Your Firewall	120
8.6.1 Security In General	120
8.7 Packet Filtering Vs Firewall	121
8.7.1 Packet Filtering:	121
8.7.2 Firewall	121
Firewall Configuration	123
9.1 Access Methods	123
9.2 Firewall Policies Overview	123
9.3 Rule Logic Overview	124
9.3.1 Rule Checklist	124
9.3.2 Security Ramifications	124
9.3.3 Key Fields For Configuring Rules	125
9.4 Connection Direction	125
9.4.1 LAN to WAN Rules	126
9.4.2 Alerts	126
9.5 General Firewall Policy	126
9.6 Firewall Rules Summary	127
9.6.1 Configuring Firewall Rules	129
9.6.2 Customized Services	132
9.6.3 Configuring a Customized Service	132
9.7 Example Firewall Rule	133
9.8 Predefined Services	137
9.9 Anti-Probing	139
9.10 DoS Thresholds	140
9.10.1 Threshold Values	140
9.10.2 Half-Open Sessions	141
9.10.3 Configuring Firewall Thresholds	141
Content Filtering	145
10.1 Content Filtering Overview	145
10.2 Configuring Keyword Blocking	145
10.3 Configuring the Schedule	146
10.4 Configuring Trusted Computers	147
Advanced Setup	149
Static Route	151
11.1 Static Route	151
11.2 Configuring Static Route	151
11.2.1 Static Route Edit	152
Bandwidth Management	155
12.1 Bandwidth Management Overview	155
12.2 Application-based Bandwidth Management	155
12.3 Subnet-based Bandwidth Management	155
12.4 Application and Subnet-based Bandwidth Management	156
12.5 Scheduler	156
12.5.1 Priority-based Scheduler	156
12.5.2 Fairness-based Scheduler	157
12.6 Maximize Bandwidth Usage	157
12.6.1 Reserving Bandwidth for Non-Bandwidth Class Traffic	157
12.6.2 Maximize Bandwidth Usage Example	157
12.6.3 Bandwidth Management Priorities	159
12.7 Over Allotment of Bandwidth	159
12.8 Configuring Summary	159
12.9 Bandwidth Management Rule Setup	160
12.9.1 Rule Configuration	162
12.10 Bandwidth Monitor	164
Dynamic DNS Setup	165
13.1 Dynamic DNS Overview	165
13.1.1 DYNDNS Wildcard	165
13.2 Configuring Dynamic DNS	165
Remote Management Configuration	169
14.1 Remote Management Overview	169
14.1.1 Remote Management Limitations	170
14.1.2 Remote Management and NAT	170
14.1.3 System Timeout	170
14.2 WWW	170
14.3 Telnet	171
14.4 Configuring Telnet	171
14.5 Telnet Login	172
14.6 Configuring FTP	173
14.7 SNMP	174
14.7.1 Supported MIBs	175
14.7.2 SNMP Traps	175
14.7.3 Configuring SNMP	175
14.8 Configuring DNS	177
14.9 Configuring ICMP	177
14.10 TR-069	178
Universal Plug-and-Play (UPnP)	181
15.1 Introducing Universal Plug and Play	181
15.1.1 How do I know if I'm using UPnP?	181
15.1.2 NAT Traversal	181
15.1.3 Cautions with UPnP	181
15.2 UPnP and ZyXEL	182
15.2.1 Configuring UPnP	182
15.3 Installing UPnP in Windows Example	183
15.3.1 Installing UPnP in Windows Me	183
15.3.2 Installing UPnP in Windows XP	184
15.4 Using UPnP in Windows XP Example	185
15.4.1 Auto-discover Your UPnP-enabled Network Device	186
15.4.2 Web Configurator Easy Access	189
Maintenance and Troubleshooting	193
System	195
16.1 General Setup	195
16.1.1 General Setup and System Name	195
16.1.2 General Setup	195
16.2 Time Setting	197
Tools	201
17.1 Firmware Upgrade	201
17.2 Configuration Screen	203
17.2.1 Backup Configuration	203
17.2.2 Restore Configuration	204
17.2.3 Back to Factory Defaults	205
17.3 Restart	205
Diagnostic	207
18.1 General Diagnostic	207
18.2 DSL Line Diagnostic	208
Logs	209
19.1 Logs Overview	209
19.1.1 Alerts and Logs	209
19.2 Viewing the Logs	209
19.3 Configuring Log Settings	210
19.3.1 Example E-mail Log	212
19.4 Log Descriptions	213
Troubleshooting	227
20.1 Power, Hardware Connections, and LEDs	227
20.2 ZyXEL Device Access and Login	228
20.3 Internet Access	230
Appendices and Index	231
Product Specifications	233
Internal SPTGEN	241
Setting up Your Computer’s IP Address	257
IP Addresses and Subnetting	273
Pop-up Windows, JavaScripts and Java Permissions	283
Firewall Commands	289
NetBIOS Filter Commands	295
Triangle Route	297
Legal Information	299
Customer Support	303

Match case Limit results 1 per page

Chapter 8 Firewalls

P-660H-Tx v2 User’s Guide

117

are allowed in. The ZyXEL Device uses stateful packet inspection to protect the private LAN

from hackers and vandals on the Internet. By default, the ZyXEL Device’s stateful inspection

allows all communications to the Internet that originate from the LAN, and blocks all traffic to

the LAN that originates from the Internet. In summary, stateful inspection:

•

Allows all sessions originating from the LAN (local network) to the WAN (Internet).

•

Denies all sessions originating from the WAN to the LAN.

Figure 62

Stateful Inspection

The previous figure shows the ZyXEL Device’s default firewall rules in action as well as

demonstrates how stateful inspection works. User A can initiate a Telnet session from within

the LAN and responses to this request are allowed. However other Telnet traffic initiated from

the WAN is blocked.

8.5.1

Stateful Inspection Process

In this example, the following sequence of events occurs when a TCP packet leaves the LAN

network through the firewall's WAN interface. The TCP packet is the first in a session, and the

packet's application layer protocol is configured for a firewall rule inspection:

The packet travels from the firewall's LAN to the WAN.

The packet is evaluated against the interface's existing outbound access list, and the

packet is permitted (a denied packet would simply be dropped at this point).

The packet is inspected by a firewall rule to determine and record information about the

state of the packet's connection. This information is recorded in a new state table entry

created for the new connection. If there is not a firewall rule for this packet and it is not

an attack, then the settings in the

Firewall General

screen determine the action for this

packet.

Based on the obtained state information, a firewall rule creates a temporary access list

entry that is inserted at the beginning of the WAN interface's inbound extended access

list. This temporary access list entry is designed to permit inbound packets of the same

connection as the outbound packet just inspected.

The outbound packet is forwarded out through the interface.