Vantage CNM 2.0 User’s Guide
Chapter 12 Configuration > Firewall, page 172
12.4.2 Stateful Inspection and the ZyXEL device
Additional rules may be defined to extend or override the default rules. For example, a rule may be created which will:
1 Block all traffic of a certain type, such as IRC (Internet Relay Chat), from the LAN to the Internet.
2 Allow certain types of traffic from the Internet to specific hosts on the LAN.
3 Allow access to a Web server to everyone but competitors.
4 Restrict use of certain protocols, such as Telnet, to authorized users on the LAN.
These custom rules work by extracting the network traffic’s source IP address, destination IP address and IP protocol type (together with the port, for TCP and UDP, since that is what identifies a service such as IRC or Telnet), and comparing these to the rules set by the administrator.
Below is a brief technical description of how these connections are tracked. Connections may
either be defined by the upper protocols (for instance, TCP), or by the ZyXEL device itself (as
with the "virtual connections" created for UDP and ICMP).
12.4.3 TCP Security
The ZyXEL device uses state information embedded in TCP packets. The first packet of any
new connection has its SYN flag set and its ACK flag cleared; these are "initiation" packets.
All packets that do not have this flag structure are called "subsequent" packets, since they
represent data that occurs later in the TCP stream.
If an initiation packet originates on the WAN, this means that someone is trying to make a
connection from the Internet into the LAN. Except in a few special cases (see "Upper Layer
Protocols" shown next), these packets are dropped and logged.
If an initiation packet originates on the LAN, this means that someone is trying to make a
connection from the LAN to the Internet. Assuming that this is an acceptable part of the
security policy (as is the case with the default policy), the connection will be allowed. A cache
entry is added which includes connection information such as IP addresses, TCP ports,
sequence numbers, etc.
When the ZyXEL device receives any subsequent packet (from the Internet or from the LAN), its connection information is extracted and checked against the cache. A packet is only allowed to pass through if it corresponds to a valid connection, that is, one whose initiation packet was accepted earlier (under the default policy, a connection which originated on the LAN); a subsequent packet that matches no cache entry is not passed.
Note: The ability to define firewall rules is a very powerful tool. Using custom rules, it is possible to disable all firewall protection or block all access to the Internet. Use extreme caution when creating or deleting firewall rules. Test changes after creating them to make sure they work correctly.
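The following Python model is an added example; it is not ZyXEL code and does not run on the device. It ties together the two passages above: the four example rules from Section 12.4.2 are evaluated only on TCP initiation packets (SYN set, ACK clear), and every other packet must match a cached connection in either direction, as Section 12.4.3 describes. The rule schema, the Packet and Rule names, the addresses (192.168.1.10 as the Web server, 192.168.1.5 as the authorized Telnet host, 203.0.113.0/24 as the competitor’s network) and the packet sequence are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    """One packet as the firewall sees it (constructed data, not a capture)."""
    iface: str                        # interface it arrived on: "LAN" or "WAN"
    src: str
    dst: str
    proto: str                        # only "TCP" is modelled here
    sport: int
    dport: int
    flags: frozenset = frozenset()    # TCP flags present, e.g. {"SYN"}

@dataclass
class Rule:
    """An administrator rule (hypothetical schema); a None field is a wildcard."""
    iface: str                        # interface the initiation packet arrives on
    action: str                       # "ALLOW" or "DROP"
    src: Optional[str] = None         # CIDR block
    dst: Optional[str] = None         # CIDR block
    proto: Optional[str] = None
    dport: Optional[int] = None       # the service, for TCP

    def matches(self, p: Packet) -> bool:
        if self.iface != p.iface or (self.proto and self.proto != p.proto):
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        for want, have in ((self.src, p.src), (self.dst, p.dst)):
            if want and ipaddress.ip_address(have) not in ipaddress.ip_network(want):
                return False
        return True

def is_initiation(p: Packet) -> bool:
    """Section 12.4.3: SYN set and ACK clear marks a new TCP connection."""
    return p.proto == "TCP" and "SYN" in p.flags and "ACK" not in p.flags

class StatefulFirewall:
    def __init__(self, rules):
        self.rules = list(rules)      # evaluated in order, first match wins
        self.cache = set()            # 5-tuples of connections allowed at initiation
        self.log = []

    def handle(self, p: Packet) -> str:
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)   # what the reply looks like
        if is_initiation(p):
            # Custom rules override the defaults; with no match, LAN-originated
            # connections are allowed and WAN-originated ones are dropped.
            verdict = next((r.action for r in self.rules if r.matches(p)),
                           "ALLOW" if p.iface == "LAN" else "DROP")
            if verdict == "ALLOW":
                self.cache.add(fwd)
            else:
                self.log.append(f"dropped initiation {fwd} from {p.iface}")
            return verdict
        # A subsequent packet passes only if it belongs to a cached connection,
        # in either direction; anything else is dropped and logged.
        if fwd in self.cache or rev in self.cache:
            return "ALLOW"
        self.log.append(f"dropped stray packet {fwd} from {p.iface}")
        return "DROP"

RULES = [
    # 1. Block IRC from the LAN to the Internet.
    Rule("LAN", "DROP", proto="TCP", dport=6667),
    # 2./3. Everyone except the competitor's block may reach the web server
    #       192.168.1.10; the more specific DROP must come before the ALLOW.
    Rule("WAN", "DROP", src="203.0.113.0/24", dst="192.168.1.10/32", proto="TCP", dport=80),
    Rule("WAN", "ALLOW", dst="192.168.1.10/32", proto="TCP", dport=80),
    # 4. Telnet out of the LAN only from the authorized host 192.168.1.5.
    Rule("LAN", "ALLOW", src="192.168.1.5/32", proto="TCP", dport=23),
    Rule("LAN", "DROP", proto="TCP", dport=23),
]

def run_demo():
    """Push a constructed packet sequence through the model; returns (verdicts, log)."""
    fw = StatefulFirewall(RULES)
    syn, synack, ack = frozenset({"SYN"}), frozenset({"SYN", "ACK"}), frozenset({"ACK"})
    traffic = [
        Packet("LAN", "192.168.1.20", "198.51.100.7", "TCP", 40000, 443, syn),     # outbound HTTPS: default allow
        Packet("WAN", "198.51.100.7", "192.168.1.20", "TCP", 443, 40000, synack),  # server reply matches the cache
        Packet("WAN", "198.51.100.9", "192.168.1.20", "TCP", 4444, 445, ack),      # stray ACK, no connection
        Packet("WAN", "198.51.100.9", "192.168.1.20", "TCP", 4444, 445, syn),      # inbound initiation: default drop
        Packet("LAN", "192.168.1.20", "198.51.100.7", "TCP", 40001, 6667, syn),    # IRC blocked by rule 1
        Packet("WAN", "203.0.113.5", "192.168.1.10", "TCP", 5000, 80, syn),        # competitor blocked
        Packet("WAN", "198.51.100.9", "192.168.1.10", "TCP", 5000, 80, syn),       # anyone else reaches the web server
        Packet("LAN", "192.168.1.20", "198.51.100.7", "TCP", 40002, 23, syn),      # Telnet from an unauthorized host
        Packet("LAN", "192.168.1.5", "198.51.100.7", "TCP", 40003, 23, syn),       # Telnet from the authorized host
    ]
    return [fw.handle(p) for p in traffic], fw.log

if __name__ == "__main__":
    print(*run_demo()[0])
```

Two points the model makes visible: rule order matters (the competitor DROP has to precede the general ALLOW for the Web server, and the authorized-host ALLOW has to precede the Telnet DROP), and the stray ACK is refused even though it is not an initiation packet, which is the whole benefit of the cache. The model omits things the page says the real device tracks, such as sequence numbers and the timing out of cache entries, and it does not model the UDP and ICMP "virtual connections".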