P-662H/HW-D Series User’s Guide
178
Chapter 10 Firewalls
A similar situation exists for ICMP, except that the ZyXEL Device is even more restrictive.
Specifically, only outgoing echoes will allow incoming echo replies, outgoing address mask
requests will allow incoming address mask replies, and outgoing timestamp requests will
allow incoming timestamp replies. No other ICMP packets are allowed in through the firewall,
simply because they are too dangerous and contain too little tracking information. For
instance, ICMP redirect packets are never allowed in, since they could be used to reroute
traffic through attacking machines.
10.5.5 Upper Layer Protocols
Some higher layer protocols (such as FTP and RealAudio) utilize multiple network
connections simultaneously. In general terms, they usually have a "control connection" which
is used for sending commands between endpoints, and then "data connections" which are used
for transmitting bulk information.
Consider the FTP protocol. A user on the LAN opens a control connection to a server on the
Internet and requests a file. At this point, the remote server will open a data connection from
the Internet. For FTP to work properly, this connection must be allowed to pass through even
though a connection from the Internet would normally be rejected.
In order to achieve this, the ZyXEL Device inspects the application-level FTP data.
Specifically, it searches for outgoing "PORT" commands, and when it sees these, it adds a
cache entry for the anticipated data connection. This can be done safely, since the PORT
command contains address and port information, which can be used to uniquely identify the
connection.
Any protocol that operates in this way must be supported on a case-by-case basis. You can use
the web configurator’s Custom Ports feature to do this.
10.6 Guidelines for Enhancing Security with Your Firewall
• Change the default password via CLI (Command Line Interpreter) or the web
configurator.
• Limit who can telnet into your router.
• Don't enable any local service (such as SNMP or NTP) that you don't use. Any enabled
service could present a potential security risk. A determined hacker might be able to find
creative ways to misuse the enabled services to access the firewall or the network.
• For local services that are enabled, protect against misuse. Protect by configuring the
services to communicate only with specific peers, and protect by configuring rules to
block packets for the services at specific interfaces.
• Protect against IP spoofing by making sure the firewall is active.
• Keep the firewall in a secured (locked) room.
Содержание 802.11g ADSL 2+ 4-Port Security Gateway HW-D Series
Страница 1: ...P 662H HW D Series 802 11g ADSL 2 4 Port Security Gateway User s Guide Version 3 40 Edition 1 7 2006 ...
Страница 2: ......
Страница 10: ...P 662H HW D Series User s Guide 10 Customer Support ...
Страница 24: ...P 662H HW D Series User s Guide 24 Table of Contents ...
Страница 32: ...P 662H HW D Series User s Guide 32 List of Figures ...
Страница 38: ...P 662H HW D Series User s Guide 38 List of Tables ...
Страница 64: ...P 662H HW D Series User s Guide 64 Chapter 2 Introducing the Web Configurator ...
Страница 84: ...P 662H HW D Series User s Guide 84 Chapter 4 Bandwidth Management Wizard ...
Страница 108: ...P 662H HW D Series User s Guide 108 Chapter 5 WAN Setup ...
Страница 122: ...P 662H HW D Series User s Guide 122 Chapter 6 LAN Setup ...
Страница 155: ...P 662H HW D Series User s Guide Chapter 8 DMZ 155 Figure 81 DMZ Private and Public Address Example ...
Страница 156: ...P 662H HW D Series User s Guide 156 Chapter 8 DMZ ...
Страница 188: ...P 662H HW D Series User s Guide 188 Chapter 11 Firewall Configuration Figure 97 Firewall Edit Rule ...
Страница 202: ...P 662H HW D Series User s Guide 202 Chapter 11 Firewall Configuration ...
Страница 210: ...P 662H HW D Series User s Guide 210 Chapter 12 Anti Virus Packet Scan ...
Страница 214: ...P 662H HW D Series User s Guide 214 Chapter 13 Content Filtering ...
Страница 232: ...P 662H HW D Series User s Guide 232 Chapter 14 Content Access Control ...
Страница 238: ...P 662H HW D Series User s Guide 238 Chapter 15 Introduction to IPSec ...
Страница 273: ...P 662H HW D Series User s Guide Chapter 17 Certificates 273 Figure 144 My Certificate Details ...
Страница 284: ...P 662H HW D Series User s Guide 284 Chapter 17 Certificates Figure 152 Trusted Remote Host Details ...
Страница 292: ...P 662H HW D Series User s Guide 292 Chapter 18 Static Route ...
Страница 303: ...P 662H HW D Series User s Guide Chapter 19 Bandwidth Management 303 Figure 162 Bandwidth Management Monitor ...
Страница 304: ...P 662H HW D Series User s Guide 304 Chapter 19 Bandwidth Management ...
Страница 308: ...P 662H HW D Series User s Guide 308 Chapter 20 Dynamic DNS Setup ...
Страница 332: ...P 662H HW D Series User s Guide 332 Chapter 22 Universal Plug and Play UPnP ...
Страница 338: ...P 662H HW D Series User s Guide 338 Chapter 23 System ...
Страница 344: ...P 662H HW D Series User s Guide 344 Chapter 24 Logs ...
Страница 350: ...P 662H HW D Series User s Guide 350 Chapter 25 Tools ...
Страница 363: ...P 662H HW D Series User s Guide Chapter 27 Troubleshooting 363 Figure 213 Security Setting ActiveX Controls ...
Страница 364: ...P 662H HW D Series User s Guide 364 Chapter 27 Troubleshooting ...
Страница 368: ...P 662H HW D Series User s Guide 368 Product Specifications ...
Страница 372: ...P 662H HW D Series User s Guide 372 Appendix C Wall mounting Instructions ...
Страница 408: ...P 662H HW D Series User s Guide 408 Appendix F Wireless LANs ...
Страница 420: ...P 662H HW D Series User s Guide 420 Appendix H Command Interpreter ...
Страница 436: ...P 662H HW D Series User s Guide 436 Appendix L NetBIOS Filter Commands ...
Страница 462: ...P 662H HW D Series User s Guide 462 Appendix M Internal SPTGEN ...
Страница 484: ...P 662H HW D Series User s Guide 484 Appendix P Triangle Route ...