6 • Security
Model 3086 G.SHDSL Integrated Access Device User Guide
108
Introduction
Introduction
Security provides the ability to setup and enforce security policies. The policies define the types of traffic per-
mitted to pass through a gateway, either inbound, outbound, or both, and from which origins the traffic may
be allowed to enter.
Within the security configuration is a stateful firewall. A stateful firewall utilizes a security mechanism to main-
tain information concerning the packets it receives. This information is used for deciding dynamically whether
or not a packet may pass through.
Port filters are rules that determine how a packet should be handled. The rules define the protocol type, the
range of source and destination port numbers and an indication whether the packet is allowed or not.
Security triggers are used with applications that require and create separate sessions. The most common exam-
ple is FTP. An FTP client establishes a connection to a server using port 21, but data transfers are done on a
separate connection or port. The port number, and who makes the connection, can vary depending on the
FTP client. To allow FTP to work without triggers, you would need to set up port filters allowing the correct
port numbers through. This is a significant security risk.
This risk can be avoided by using security triggers. Triggers tell the security mechanism to expect these second-
ary sessions and how to handle them. Rather than allowing a range of port numbers, triggers handle the situa-
tion dynamically, opening the secondary sessions only when appropriate. The triggers work without needing to
understand the application protocol or reading the payload of the packet, although this does happen when
using NAT.
Triggering allows you to set up a trigger for different application protocols that use multiple sessions. The tim-
eout between sessions and whether or not session chaining are allowed are configurable. Session chaining is not
needed for FTP but is for NetMeeting.
See Chapter 7, “NAT (Network Address Translation)” on page 117.
Configuring the IAD
The configuration of security assumes that the 3086/IAD already has a valid IP address for the Ethernet port so
that the user may access the modem via the web page. If the IP address is still the factory default, go to the sec-
tion in Chapter 3 entitled IP Address Quick Start Modification.
In this example the WAN transport between the two 3086/IADs will be IPoA.
1. Click on
WAN Connections
under Configuration on the 3086’s Menu.
2. Click on
Create a New Service
.
3. Select
IPoA Routed
and click on the
Configure
button.
4. For this example, enter
IPoA Security Firewall
in the Description field.
5. VPI remains at 0. Change VCI to be 100.
6. Click on
WAN IP address
and enter 192.168.101.1 in the adjacent box. The default IP mask is
255.255.255.0.
7. Click on
Apply
.