P320W Support Notes
traffic will be blocked by P320W. To spare users this problem and the extra configuration tasks, the P320W automatically creates a firewall policy to allow incoming traffic if NAT is enabled on the P320W.
Firewall FAQ
What is a network firewall?
A firewall is a system or group of systems that enforces an access-control policy between two networks.
It may also be defined as a mechanism used to protect a trusted network from an untrusted network. The firewall can be thought of as two mechanisms: one to block traffic, and the other to permit traffic.
What makes P320W secure?
The P320W is pre-configured to automatically detect and thwart Denial of Service (DoS) attacks such as Ping of Death, SYN Flood, LAND attack, IP Spoofing, etc. It also uses stateful packet inspection to determine if an inbound connection is allowed through the firewall to the private LAN. The P320W supports Network Address Translation (NAT), which translates the private local addresses to one public address. This adds a level of security since the clients on the private LAN are invisible to the Internet.
What are the basic types of firewalls?
Conceptually, there are three types of firewalls:
1. Packet Filtering Firewall
2. Application-level Firewall
3. Stateful Inspection Firewall
Packet Filtering Firewalls generally make their decisions based on the header information in individual packets. This header information includes the source and destination addresses and ports of the packets.
Application-level Firewalls generally are hosts running proxy servers, which permit no traffic directly between networks, and which perform logging and auditing of traffic passing through them. A proxy server is an application gateway or circuit-level gateway that runs on top of a general operating system such as UNIX or Windows NT. It hides valuable data by requiring users to communicate with secure systems by means of a proxy. A key drawback of this device is performance.
All contents copyright (c) 2005 ZyXEL Communications Corporation.
Stateful Inspection Firewalls restrict access by screening data packets against defined access rules. They make access control decisions based on IP address and protocol. They also 'inspect' the session data to assure the integrity of the connection and to adapt to dynamic protocols. The flexible nature of Stateful Inspection firewalls generally provides the best speed and transparency. However, they may lack the granular application-level access control or caching that some proxies support.
What kind of firewall is the P320W?
1. The P320W's firewall inspects packet contents and IP headers. It is applicable to all protocols that understand that data in the packet is intended for other layers, from the network layer up to the application layer.
2. The P320W's firewall performs stateful inspection. It takes into account the state of connections it handles so that, for example, a legitimate incoming packet can be matched with the outbound request for that packet and allowed in. Conversely, an incoming packet masquerading as a response to a nonexistent outbound request can be blocked.
3. The P320W's firewall uses session filtering, i.e., smart rules, that enhance the filtering process and control the network session rather than control individual packets in a session.
4. The P320W's firewall is fast. It uses a hashing function to search the matched session cache instead of going through every individual rule for a packet.
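The session matching described in points 2 and 4, as an added example that is not ZyXEL's code: a filter that records each outbound request in a hashed session table and admits an inbound packet only if it answers a recorded request. The `Packet` fields, the class name and the addresses are constructed for illustration.

```python
from collections import namedtuple

# Constructed packet model: only the header fields the session lookup needs.
Packet = namedtuple("Packet", "proto src sport dst dport")


class StatefulFilter:
    """Minimal model of stateful inspection with a hashed session cache."""

    def __init__(self):
        # A set is a hash table: one lookup per packet, independent of
        # how many sessions or rules exist.
        self.sessions = set()

    def handle(self, pkt, from_lan):
        """Return 'allow' or 'drop' for one packet."""
        if from_lan:
            # Outbound request: remember the session so the reply can match.
            self.sessions.add(tuple(pkt))
            return "allow"
        # Inbound: swap the endpoints and look for the outbound request
        # this packet claims to answer.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "allow" if key in self.sessions else "drop"


def demo():
    """Constructed traffic: a request, its reply, and an unsolicited packet."""
    fw = StatefulFilter()
    request = Packet("tcp", "192.168.1.10", 40000, "203.0.113.5", 80)
    reply = Packet("tcp", "203.0.113.5", 80, "192.168.1.10", 40000)
    # Claims to be a response, but no LAN host opened port 40001.
    forged = Packet("tcp", "203.0.113.5", 80, "192.168.1.10", 40001)
    return [
        fw.handle(request, from_lan=True),
        fw.handle(reply, from_lan=False),
        fw.handle(forged, from_lan=False),
    ]


if __name__ == "__main__":
    print(demo())
```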
Why do you need a firewall when your router has packet filtering and NAT built-in?
With the spectacular growth of the Internet and online access, companies that do business on the Internet face greater security threats. Although packet filtering and NAT restrict access to particular computers and networks, for other companies this security may be insufficient, because packet filters typically cannot maintain session state. Thus, for greater security, a firewall is considered.
What is a Denial of Service (DoS) attack?
Denial of Service (DoS) attacks are aimed at devices and networks with a connection to the Internet. Their goal is not to steal information, but to disable a device or network so users no longer have access to network resources.
There are four types of DoS attacks:
1. Those that exploit bugs in a TCP/IP implementation such as Ping of Death and Teardrop.
2. Those that exploit weaknesses in the TCP/IP specification such as SYN Flood and LAND Attacks.
3. Brute-force attacks that flood a network with useless data such as Smurf attack.
4. IP Spoofing
What is Ping of Death attack?
Ping of Death uses a 'PING' utility to create an IP packet that exceeds the maximum 65535 bytes of data allowed by the IP specification. The oversize packet is then sent to an unsuspecting system. Systems may crash, hang, or reboot.
What is Teardrop attack?
Teardrop attack exploits a weakness in the reassembly of IP packet fragments. As data is transmitted through a network, IP packets are often broken up into smaller chunks. Each fragment looks like the original packet except that it contains an offset field. The Teardrop program creates a series of IP fragments with overlapping offset fields. When these fragments are reassembled at the destination, some systems will crash, hang, or reboot.
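The two fragment anomalies described in the Ping of Death and Teardrop answers can be caught before reassembly. The check below is an added example, not the P320W's implementation; it assumes a 20-byte IP header without options, and the fragment lists in the demo are constructed.

```python
MAX_IP_DATAGRAM = 65535  # maximum datagram size allowed by the IP specification
IP_HEADER_LEN = 20       # assumption: IP header without options


def check_fragments(fragments):
    """Inspect the fragments of one datagram before reassembly.

    fragments: list of (offset_bytes, payload_len) pairs. The IP header
    carries the offset in 8-byte units; here it is already in bytes.
    Returns a sorted list of findings; an empty list means no anomaly.
    """
    findings = set()
    covered_to = 0  # highest payload byte already claimed by a fragment
    for offset, length in sorted(fragments):
        end = offset + length
        # Ping of Death: the reassembled datagram would exceed 65535 bytes.
        if IP_HEADER_LEN + end > MAX_IP_DATAGRAM:
            findings.add("oversize")
        # Teardrop: this fragment starts inside data already covered.
        if offset < covered_to:
            findings.add("overlap")
        covered_to = max(covered_to, end)
    return sorted(findings)


def demo():
    """Constructed fragment sets: normal, overlapping, oversize."""
    normal = [(0, 1480), (1480, 1480), (2960, 1040)]
    overlapping = [(0, 36), (24, 4)]
    oversize = [(0, 1480), (65528, 1000)]
    return [check_fragments(s) for s in (normal, overlapping, oversize)]


if __name__ == "__main__":
    print(demo())
```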
What is SYN Flood attack?
SYN attack floods a targeted system with a series of SYN packets. Each packet causes the targeted system to issue a SYN-ACK response. While the targeted system waits for the ACK that follows the SYN-ACK, it queues up all outstanding SYN-ACK responses on what is known as a backlog queue. SYN-ACKs are moved off the queue only when an ACK comes back or when an internal timer (which is set at relatively long intervals) terminates the TCP three-way handshake. Once the queue is full, the system will ignore all incoming SYN requests, making the system unavailable for legitimate users.
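The backlog behaviour described above, modelled as an added example (not code from the P320W or any TCP stack): entries leave the queue only on ACK or timer expiry, so the timer length decides whether a legitimate client is still locked out. The queue size, timeouts and addresses are constructed values.

```python
class SynBacklog:
    """Model of a listener's backlog queue of half-open connections."""

    def __init__(self, size, timeout):
        self.size = size        # backlog queue capacity
        self.timeout = timeout  # seconds before a half-open entry expires
        self.pending = {}       # (src, sport) -> time the SYN-ACK was sent

    def _expire(self, now):
        # The internal timer: drop entries whose ACK never arrived.
        stale = [k for k, t in self.pending.items() if now - t >= self.timeout]
        for key in stale:
            del self.pending[key]

    def on_syn(self, src, sport, now):
        """Return True if the SYN was queued, False if it was ignored."""
        self._expire(now)
        if len(self.pending) >= self.size:
            return False  # queue full: incoming SYN requests are ignored
        self.pending[(src, sport)] = now
        return True

    def on_ack(self, src, sport, now):
        """Handshake completed: the entry moves off the backlog."""
        self._expire(now)
        return self.pending.pop((src, sport), None) is not None


def run(timeout):
    """Constructed trace: five SYNs at t=0 that are never ACKed fill a
    five-slot backlog; a legitimate client then sends a SYN at t=10."""
    q = SynBacklog(size=5, timeout=timeout)
    for i in range(5):
        q.on_syn("198.51.100.%d" % i, 1024 + i, now=0)
    return q.on_syn("192.0.2.7", 50000, now=10)


if __name__ == "__main__":
    print("timeout 75 s, client accepted:", run(75))
    print("timeout 5 s, client accepted:", run(5))
```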
What is LAND attack?
In a LAND attack, hackers flood SYN packets to the network with a spoofed source IP address of the targeted system. This makes it appear as if the host computer sent the packets to itself, making the system unavailable while the target system tries to respond to itself.
What is Brute-force attack?
A Brute-force attack, such as a 'Smurf' attack, targets a feature in the IP specification known as directed or subnet broadcasting, to quickly flood the target network with useless data. A Smurf hacker flood a destination IP address of each packet is the broadcast address of the network, the router will broadcast the