Home » ZyXEL Manuals » Networking » ZyXEL P-660HW-D1 v2 » Manual Viewer

ZyXEL P-660HW-D1 v2 User Guide - Page 152

Guidelines for Enhancing Security with Your Firewall

Get ZyXEL P-660HW-D1 v2 PDF manuals and user guides

View all ZyXEL P-660HW-D1 v2 manuals

Add to My Manuals
Save this manual to your list of manuals

Page 152 highlights

Chapter 9 Firewalls 9.6 Guidelines for Enhancing Security with Your Firewall • Change the default password via CLI (Command Line Interpreter) or web configurator. • Limit who can telnet into your router. • Don't enable any local service (such as SNMP or NTP) that you don't use. Any enabled service could present a potential security risk. A determined hacker might be able to find creative ways to misuse the enabled services to access the firewall or the network. • For local services that are enabled, protect against misuse. Protect by configuring the services to communicate only with specific peers, and protect by configuring rules to block packets for the services at specific interfaces. • Protect against IP spoofing by making sure the firewall is active. • Keep the firewall in a secured (locked) room. 9.6.1 Security In General You can never be too careful! Factors outside your firewall, filtering or NAT can cause security breaches. Below are some generalizations about what you can do to minimize them. • Encourage your company or organization to develop a comprehensive security plan. Good network administration takes into account what hackers can do and prepares against attacks. The best defense against hackers and crackers is information. Educate all employees about the importance of security and how to minimize risk. Produce lists like this one! • DSL or cable modem connections are "always-on" connections and are particularly vulnerable because they provide more opportunities for hackers to crack your system. Turn your computer off when not in use. • Never give out a password or any sensitive information to an unsolicited telephone call or e-mail. • Never e-mail sensitive information such as passwords, credit card information, etc., without encrypting the information first. • Never submit sensitive information via a web page unless the web site uses secure connections. You can identify a secure connection by looking for a small "key" icon on the bottom of your browser (Internet Explorer 3.02 or better or Netscape 3.0 or better). If a web site uses a secure connection, it is safe to submit information. Secure web transactions are quite difficult to crack. • Never reveal your IP address or other system networking information to people outside your company. Be careful of files e-mailed to you from strangers. One common way of getting BackOrifice on a system is to include it as a Trojan horse with other files. • Change your passwords regularly. Also, use passwords that are not easy to figure out. The most difficult passwords to crack are those with upper and lower case letters, numbers and a symbol such as % or #. • Upgrade your software regularly. Many older versions of software, especially web browsers, have well known security deficiencies. When you upgrade to the latest versions, you get the latest patches and fixes. • If you use "chat rooms" or IRC sessions, be careful with any information you reveal to strangers. • If your system starts exhibiting odd behavior, contact your ISP. Some hackers will set off hacks that cause your system to slowly become unstable or unusable. 152 P-660HW-Dx v2 User's Guide

Section	Page
User’s Guide	1
About This User's Guide	3
Document Conventions	4
Safety Warnings	6
Contents Overview	9
Table of Contents	11
List of Figures	21
List of Tables	27
Introduction	31
Introducing the ZyXEL Device	33
1.1 Overview	33
1.2 Ways to Manage the ZyXEL Device	35
1.3 Good Habits for Managing the ZyXEL Device	35
1.4 LEDs	35
1.5 Hardware Connections	36
1.5.1 Splitters and Microfilters	36
Introducing the Web Configurator	39
2.1 Web Configurator Overview	39
2.2 Accessing the Web Configurator	39
2.2.1 User Access	40
2.2.2 Administrator Access	40
2.3 Resetting the ZyXEL Device	42
2.3.1 Using the Reset Button	42
2.4 Navigating the Web Configurator	42
2.4.1 Navigation Panel	42
2.4.2 Status Screen	44
2.4.3 Status: Any IP Table	47
2.4.4 Status: WLAN Status	47
2.4.5 Status: Bandwidth Status	48
2.4.6 Status: Packet Statistics	48
2.4.7 Changing Login Password	50
Wizards	51
Wizard Setup for Internet Access	53
3.1 Introduction	53
3.2 Internet Access Wizard Setup	53
3.2.1 Automatic Detection	55
3.2.2 Manual Configuration	55
3.3 Wireless Connection Wizard Setup	60
3.3.1 Manually assign a WPA-PSK key	63
3.3.2 Manually assign a WEP key	63
Bandwidth Management Wizard	67
4.1 Introduction	67
4.2 Predefined Media Bandwidth Management Services	67
4.3 Bandwidth Management Wizard Setup	68
Network	73
WAN Setup	75
5.1 WAN Overview	75
5.1.1 Encapsulation	75
5.1.2 Multiplexing	76
5.1.3 Encapsulation and Multiplexing Scenarios	76
5.1.4 VPI and VCI	77
5.1.5 IP Address Assignment	77
5.1.6 Nailed-Up Connection (PPP)	77
5.1.7 NAT	78
5.2 Metric	78
5.3 Traffic Shaping	78
5.3.1 ATM Traffic Classes	79
5.4 Zero Configuration Internet Access	80
5.5 Internet Connection	80
5.5.1 Configuring Advanced Internet Connection Setup	82
5.6 Configuring More Connections	84
5.6.1 More Connections Edit	85
5.6.2 Configuring More Connections Advanced Setup	88
5.7 Traffic Redirect	89
5.8 Configuring WAN Backup	89
LAN Setup	93
6.1 LAN Overview	93
6.1.1 LANs, WANs and the ZyXEL Device	93
6.1.2 DHCP Setup	94
6.1.3 DNS Server Address	94
6.1.4 DNS Server Address Assignment	94
6.2 LAN TCP/IP	95
6.2.1 IP Address and Subnet Mask	95
6.2.2 RIP Setup	96
6.2.3 Multicast	96
6.2.4 Any IP	97
6.3 Configuring LAN IP	98
6.3.1 Configuring Advanced LAN Setup	99
6.4 DHCP Setup	100
6.5 LAN Client List	101
6.6 LAN IP Alias	102
Wireless LAN	105
7.1 Wireless Network Overview	105
7.2 Wireless Security Overview	106
7.2.1 SSID	106
7.2.2 MAC Address Filter	106
7.2.3 User Authentication	106
7.2.4 Encryption	107
7.2.5 One-Touch Intelligent Security Technology (OTIST)	108
7.3 General Wireless LAN Screen	108
7.3.1 No Security	109
7.3.2 WEP Encryption	110
7.3.3 WPA-PSK/WPA2-PSK	111
7.3.4 WPA/WPA2	113
7.3.5 Wireless LAN Advanced Setup	115
7.4 OTIST	117
7.4.1 Enabling OTIST	117
7.4.2 Starting OTIST	119
7.4.3 Notes on OTIST	120
7.5 MAC Filter	121
7.6 WMM QoS	122
7.6.1 WMM QoS Example	122
7.6.2 WMM QoS Priorities	122
7.6.3 Services	123
7.7 QoS Screen	124
7.7.1 ToS (Type of Service) and WMM QoS	125
7.7.2 Application Priority Configuration	126
Network Address Translation (NAT) Screens	129
8.1 NAT Overview	129
8.1.1 NAT Definitions	129
8.1.2 What NAT Does	130
8.1.3 How NAT Works	130
8.1.4 NAT Application	130
8.1.5 NAT Mapping Types	131
8.2 SUA (Single User Account) Versus NAT	132
8.3 SIP ALG	132
8.4 NAT General Setup	133
8.5 Port Forwarding	134
8.5.1 Default Server IP Address	134
8.5.2 Port Forwarding: Services and Port Numbers	134
8.5.3 Configuring Servers Behind Port Forwarding (Example)	135
8.6 Configuring Port Forwarding	135
8.6.1 Port Forwarding Rule Edit	136
8.7 Address Mapping	137
8.7.1 Address Mapping Rule Edit	139
Security	141
Firewalls	143
9.1 Firewall Overview	143
9.2 Types of Firewalls	143
9.2.1 Packet Filtering Firewalls	143
9.2.2 Application-level Firewalls	144
9.2.3 Stateful Inspection Firewalls	144
9.3 Introduction to ZyXEL’s Firewall	144
9.3.1 Denial of Service Attacks	145
9.4 Denial of Service	145
9.4.1 Basics	145
9.4.2 Types of DoS Attacks	146
9.5 Stateful Inspection	148
9.5.1 Stateful Inspection Process	149
9.5.2 Stateful Inspection and the ZyXEL Device	150
9.5.3 TCP Security	150
9.5.4 UDP/ICMP Security	151
9.5.5 Upper Layer Protocols	151
9.6 Guidelines for Enhancing Security with Your Firewall	152
9.6.1 Security In General	152
9.7 Packet Filtering Vs Firewall	153
9.7.1 Packet Filtering:	153
9.7.2 Firewall	153
Firewall Configuration	155
10.1 Access Methods	155
10.2 Firewall Policies Overview	155
10.3 Rule Logic Overview	156
10.3.1 Rule Checklist	156
10.3.2 Security Ramifications	156
10.3.3 Key Fields For Configuring Rules	157
10.4 Connection Direction	157
10.4.1 LAN to WAN Rules	158
10.4.2 Alerts	158
10.5 General Firewall Policy	158
10.6 Firewall Rules Summary	159
10.6.1 Configuring Firewall Rules	161
10.6.2 Customized Services	164
10.6.3 Configuring a Customized Service	164
10.7 Example Firewall Rule	165
10.8 Predefined Services	169
10.9 Anti-Probing	171
10.10 DoS Thresholds	172
10.10.1 Threshold Values	172
10.10.2 Half-Open Sessions	173
10.10.3 Configuring Firewall Thresholds	173
Content Filtering	177
11.1 Content Filtering Overview	177
11.2 Configuring Keyword Blocking	177
11.3 Configuring the Schedule	178
11.4 Configuring Trusted Computers	179
Advanced	181
Static Route	183
12.1 Static Route	183
12.2 Configuring Static Route	183
12.2.1 Static Route Edit	184
Bandwidth Management	187
13.1 Bandwidth Management Overview	187
13.2 Application-based Bandwidth Management	187
13.3 Subnet-based Bandwidth Management	187
13.4 Application and Subnet-based Bandwidth Management	188
13.5 Scheduler	188
13.5.1 Priority-based Scheduler	188
13.5.2 Fairness-based Scheduler	189
13.6 Maximize Bandwidth Usage	189
13.6.1 Reserving Bandwidth for Non-Bandwidth Class Traffic	189
13.6.2 Maximize Bandwidth Usage Example	189
13.6.3 Bandwidth Management Priorities	191
13.7 Over Allotment of Bandwidth	191
13.8 Configuring Summary	191
13.9 Bandwidth Management Rule Setup	192
13.10 DiffServ	194
13.10.1 DSCP and Per-Hop Behavior	194
13.10.2 Rule Configuration	194
13.11 Bandwidth Monitor	197
Dynamic DNS Setup	199
14.1 Dynamic DNS Overview	199
14.1.1 DYNDNS Wildcard	199
14.2 Configuring Dynamic DNS	199
Remote Management Configuration	203
15.1 Remote Management Overview	203
15.1.1 Remote Management Limitations	204
15.1.2 Remote Management and NAT	204
15.1.3 System Timeout	204
15.2 WWW	204
15.3 Telnet	205
15.4 Configuring Telnet	205
15.5 Telnet Login	206
15.6 Configuring FTP	207
15.7 SNMP	207
15.7.1 Supported MIBs	209
15.7.2 SNMP Traps	209
15.7.3 Configuring SNMP	209
15.8 Configuring DNS	210
15.9 Configuring ICMP	211
Universal Plug-and-Play (UPnP)	213
16.1 Introducing Universal Plug and Play	213
16.1.1 How do I know if I'm using UPnP?	213
16.1.2 NAT Traversal	213
16.1.3 Cautions with UPnP	213
16.2 UPnP and ZyXEL	214
16.2.1 Configuring UPnP	214
16.3 Installing UPnP in Windows Example	215
16.3.1 Installing UPnP in Windows Me	215
16.3.2 Installing UPnP in Windows XP	216
16.4 Using UPnP in Windows XP Example	217
16.4.1 Auto-discover Your UPnP-enabled Network Device	218
16.4.2 Web Configurator Easy Access	221
Maintenance and Troubleshooting	225
System	227
17.1 General Setup	227
17.1.1 General Setup and System Name	227
17.1.2 General Setup	227
17.2 Time Setting	229
Logs	233
18.1 Logs Overview	233
18.1.1 Alerts and Logs	233
18.2 Viewing the Logs	233
18.3 Configuring Log Settings	234
18.3.1 Example E-mail Log	236
18.4 Log Descriptions	237
Tools	251
19.1 Firmware Upgrade	251
19.2 Configuration Screen	253
19.2.1 Backup Configuration	253
19.2.2 Restore Configuration	254
19.2.3 Back to Factory Defaults	255
19.3 Restart	255
Diagnostic	257
20.1 General Diagnostic	257
20.2 DSL Line Diagnostic	257
Troubleshooting	259
21.1 Power, Hardware Connections, and LEDs	259
21.2 ZyXEL Device Access and Login	260
21.3 Internet Access	261
Appendices and Index	263
Product Specifications and Wall Mounting	265
Wireless LANs	271
Setting up Your Computer’s IP Address	285
IP Addresses and Subnetting	301
Firewall Commands	311
Internal SPTGEN	317
Pop-up Windows, JavaScripts and Java Permissions	333
NetBIOS Filter Commands	339
Triangle Route	341
Legal Information	343
Customer Support	347

Match case Limit results 1 per page

Chapter 9 Firewalls

P-660HW-Dx v2 User’s Guide

152

9.6

Guidelines for Enhancing Security with Your Firewall

•

Change the default password via CLI (Command Line Interpreter) or web configurator.

•

Limit who can telnet into your router.

•

Don't enable any local service (such as SNMP or NTP) that you don't use. Any enabled

service could present a potential security risk. A determined hacker might be able to find

creative ways to misuse the enabled services to access the firewall or the network.

•

For local services that are enabled, protect against misuse. Protect by configuring the

services to communicate only with specific peers, and protect by configuring rules to

block packets for the services at specific interfaces.

•

Protect against IP spoofing by making sure the firewall is active.

•

Keep the firewall in a secured (locked) room.

9.6.1

Security In General

You can never be too careful! Factors outside your firewall, filtering or NAT can cause

security breaches. Below are some generalizations about what you can do to minimize them.

•

Encourage your company or organization to develop a comprehensive security plan. Good

network administration takes into account what hackers can do and prepares against

attacks. The best defense against hackers and crackers is information. Educate all

employees about the importance of security and how to minimize risk. Produce lists like

this one!

•

DSL or cable modem connections are “always-on” connections and are particularly

vulnerable because they provide more opportunities for hackers to crack your system.

Turn your computer off when not in use.

•

Never give out a password or any sensitive information to an unsolicited telephone call or

e-mail.

•

Never e-mail sensitive information such as passwords, credit card information, etc.,

without encrypting the information first.

•

Never submit sensitive information via a web page unless the web site uses secure

connections. You can identify a secure connection by looking for a small “key” icon on

the bottom of your browser (Internet Explorer 3.02 or better or Netscape 3.0 or better). If a

web site uses a secure connection, it is safe to submit information. Secure web transactions

are quite difficult to crack.

•

Never reveal your IP address or other system networking information to people outside

your company. Be careful of files e-mailed to you from strangers. One common way of

getting BackOrifice on a system is to include it as a Trojan horse with other files.

•

Change your passwords regularly. Also, use passwords that are not easy to figure out. The

most difficult passwords to crack are those with upper and lower case letters, numbers and

a symbol such as % or #.

•

Upgrade your software regularly. Many older versions of software, especially web

browsers, have well known security deficiencies. When you upgrade to the latest versions,

you get the latest patches and fixes.

•

If you use “chat rooms” or IRC sessions, be careful with any information you reveal to

strangers.

•

If your system starts exhibiting odd behavior, contact your ISP. Some hackers will set off

hacks that cause your system to slowly become unstable or unusable.