Firewall
Firewall Overview
This chapter shows you how to enable the Zyxel Device firewall. Use the firewall to protect your Zyxel Device and network from attacks by hackers on the Internet and control access to it. The firewall:
• allows traffic that originates from your LAN computers to go to all other networks.
• blocks traffic that originates on other networks from going to the LAN.
DX/EX/PX Series User’s Guide
By default, the Zyxel Device blocks DoS attacks whether the firewall is enabled or disabled.
The following figure illustrates the firewall action. User A can initiate an IM (Instant Messaging) session from the LAN to the WAN (1). Return traffic for this session is also allowed (2). However other traffic initiated from the WAN is blocked (3 and 4).
What You Need to Know About Firewall
SYN Attack
A SYN attack floods a targeted system with a series of SYN packets. Each packet causes the targeted system to issue a SYN-ACK response. While the targeted system waits for the ACK that follows the SYN-ACK, it queues up all outstanding SYN-ACK responses on a backlog queue. SYN-ACKs are moved off the queue only when an ACK comes back or when an internal timer terminates the three-way handshake. Once the queue is full, the system will ignore all incoming SYN requests, making the system unavailable for legitimate users.
DoS
Denial-of-Service (DoS) attacks are aimed at devices and networks with a connection to the Internet. Their goal is not to steal information, but to disable a device or network so users no longer have access to network resources. The Zyxel Device is pre-configured to automatically detect and thwart all known DoS attacks.
DoS Thresholds
For DoS attacks, the Zyxel Device uses thresholds to determine when to drop sessions that do not become fully established. These thresholds apply globally to all sessions. You can use the default threshold values, or you can change them to values more suitable to your security requirements.
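The SYN Attack and DoS Thresholds entries above describe the same mechanism from two sides: a backlog queue of SYN-ACKs waiting for their final ACK, a timer that clears entries that never complete, and a threshold above which new SYNs are ignored. The following added example (not Zyxel firmware code) models that behaviour in Python so the interaction between the threshold and the timer is visible; the threshold value, the timeout and the sample traffic are constructed for illustration.

```python
"""Half-open (SYN-ACK) backlog queue with a global threshold and timeout.

Added example, not Zyxel firmware code. It models the SYN-attack and
DoS-threshold behaviour described in the text; the threshold, timeout and
packets are constructed values.
"""
from collections import OrderedDict

HALF_OPEN_THRESHOLD = 4      # assumed global limit on outstanding SYN-ACKs
HANDSHAKE_TIMEOUT = 30.0     # assumed seconds before an unanswered SYN-ACK is dropped


class SynBacklog:
    """Tracks connections that received a SYN-ACK but not yet the final ACK."""

    def __init__(self, threshold=HALF_OPEN_THRESHOLD, timeout=HANDSHAKE_TIMEOUT):
        self.threshold = threshold
        self.timeout = timeout
        self.queue = OrderedDict()   # (src_ip, src_port) -> time the SYN-ACK was sent
        self.dropped = 0

    def _expire(self, now):
        # The internal timer terminates handshakes that never completed.
        stale = [k for k, t in self.queue.items() if now - t >= self.timeout]
        for k in stale:
            del self.queue[k]

    def on_syn(self, src_ip, src_port, now):
        """Return True if the SYN is answered with a SYN-ACK, False if ignored."""
        self._expire(now)
        key = (src_ip, src_port)
        if key in self.queue:
            return True              # retransmitted SYN, already queued
        if len(self.queue) >= self.threshold:
            self.dropped += 1
            return False             # queue full: the SYN is ignored
        self.queue[key] = now
        return True

    def on_ack(self, src_ip, src_port):
        """The final ACK completes the handshake and frees the backlog slot."""
        return self.queue.pop((src_ip, src_port), None) is not None

    def half_open(self):
        return len(self.queue)


def simulate_flood():
    """Constructed scenario: a burst of unanswered SYNs, then a legitimate client."""
    b = SynBacklog()
    # Six SYNs from sources that never send the final ACK.
    answered = sum(b.on_syn("203.0.113.%d" % i, 40000 + i, now=1.0) for i in range(6))
    flood_half_open = b.half_open()
    # A legitimate client arrives while the queue is full and is ignored.
    legit_during = b.on_syn("198.51.100.7", 51000, now=2.0)
    # After the timeout the timer clears the stale entries and the client gets through.
    legit_after = b.on_syn("198.51.100.7", 51000, now=2.0 + HANDSHAKE_TIMEOUT)
    completed = b.on_ack("198.51.100.7", 51000)
    return {
        "flood_answered": answered,          # 4: only the threshold's worth are queued
        "flood_half_open": flood_half_open,  # 4
        "legit_during_flood": legit_during,  # False
        "legit_after_timeout": legit_after,  # True
        "handshake_completed": completed,    # True
        "dropped": b.dropped,                # 3
    }
```

The point the scenario makes is the one the text makes: a lower threshold protects the backlog sooner but also turns away legitimate clients during the flood, and a shorter timer recovers the queue sooner at the cost of dropping slow but genuine handshakes. That trade-off is what "values more suitable to your security requirements" refers to.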
DDoS
A Distributed Denial-of-Service (DDoS) attack is an attack in which multiple compromised systems attack a single target, thereby causing denial of service for users of the targeted system.
ICMP
Internet Control Message Protocol (ICMP) is a message control and error-reporting protocol between a host server and a gateway to the Internet. ICMP uses Internet Protocol (IP) datagrams, but the messages are processed by the TCP/IP software and directly apparent to the application user.
LAND Attack
In a LAND attack, hackers flood SYN packets into the network with a spoofed source IP address of the target system. This makes it appear as if the host computer sent the packets to itself, making the system unavailable while the target system tries to respond to itself.
Ping of Death
Ping of Death uses a ‘ping’ utility to create and send an IP packet that exceeds the maximum 65,536 bytes of data allowed by the IP specification. This may cause systems to crash, hang or reboot.
SPI
Stateful Packet Inspection (SPI) tracks each connection crossing the firewall and makes sure it is valid. Filtering decisions are based not only on rules but also context. For example, traffic from the WAN may only be allowed to cross the firewall in response to a request from the LAN.
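The figure description in the overview (LAN-initiated session allowed, its return traffic allowed, WAN-initiated traffic blocked) and the SPI entry above describe the same connection-tracking logic. The following added example (not Zyxel firmware code) implements that default policy in Python: outbound sessions are recorded in a connection table, inbound packets are accepted only when they match a recorded session, and the LAND and oversized-packet checks run before the policy, mirroring the statement that DoS blocking applies whether the firewall is enabled or not. The LAN prefix, addresses and packets are constructed for illustration.

```python
"""Stateful packet inspection with the default LAN/WAN direction policy.

Added example, not Zyxel code. LAN-initiated sessions are allowed and recorded,
their return traffic is matched against the connection table, and WAN-initiated
traffic is dropped. The LAN prefix, addresses and packets are constructed.
"""
from dataclasses import dataclass

LAN_PREFIX = "192.168.1."   # assumed LAN subnet
MAX_IP_PACKET = 65535       # largest total length an IPv4 header can express


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    length: int = 64


def zone_of(ip):
    return "LAN" if ip.startswith(LAN_PREFIX) else "WAN"


class StatefulFirewall:
    def __init__(self, enabled=True):
        self.enabled = enabled
        self.sessions = set()   # 5-tuples of connections initiated from the LAN
        self.log = []

    def dos_check(self, pkt):
        """Checks that apply regardless of whether the firewall is enabled."""
        if pkt.src_ip == pkt.dst_ip:
            return "LAND attack: source equals destination"
        if pkt.length > MAX_IP_PACKET:
            return "oversized packet (Ping of Death)"
        return None

    @staticmethod
    def _key(pkt):
        return (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    @staticmethod
    def _reverse_key(pkt):
        return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)

    def inspect(self, pkt):
        """Return 'ACCEPT' or 'DROP' and record the reason in self.log."""
        reason = self.dos_check(pkt)
        if reason:
            self.log.append(("DROP", reason))
            return "DROP"
        if not self.enabled:
            self.log.append(("ACCEPT", "firewall disabled"))
            return "ACCEPT"
        src_zone, dst_zone = zone_of(pkt.src_ip), zone_of(pkt.dst_ip)
        if src_zone == "LAN" and dst_zone == "WAN":
            self.sessions.add(self._key(pkt))                              # (1) LAN initiates
            self.log.append(("ACCEPT", "LAN to WAN, session recorded"))
            return "ACCEPT"
        if src_zone == "WAN" and self._reverse_key(pkt) in self.sessions:
            self.log.append(("ACCEPT", "return traffic for a LAN session"))  # (2)
            return "ACCEPT"
        self.log.append(("DROP", "WAN-initiated traffic"))                   # (3) and (4)
        return "DROP"


def demo():
    """Constructed traffic matching the figure: session out, reply back, WAN probe."""
    fw = StatefulFirewall()
    out = Packet("192.168.1.20", 50000, "203.0.113.9", 5222, "tcp")
    reply = Packet("203.0.113.9", 5222, "192.168.1.20", 50000, "tcp")
    probe = Packet("203.0.113.66", 44444, "192.168.1.20", 445, "tcp")
    land = Packet("192.168.1.1", 80, "192.168.1.1", 80, "tcp")
    big = Packet("203.0.113.9", 0, "192.168.1.20", 0, "icmp", length=65536)
    return [fw.inspect(p) for p in (out, reply, probe, land, big)]
```

Note that the reply is accepted only because the exact reversed 5-tuple is in the table; a packet from the same WAN host to a different LAN port is treated as a new inbound connection and dropped, which is what "filtering decisions are based not only on rules but also context" means in practice.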
Firewall
Use the firewall to protect your Zyxel Device and network from attacks by hackers on the Internet and control access to it.
What You Can Do in this Chapter
• Use the General screen to configure the security level of the firewall on the Zyxel Device (General).
• Use the Access Control screen to view and configure incoming or outgoing filtering rules (Access Control (Rules)).
• Use the DoS screen to activate protection against Denial of Service (DoS) attacks (DoS).
General
Use the firewall to protect your Zyxel Device and network from attacks by hackers on the Internet and control access to it. Use this screen to set the security level of the firewall on the Zyxel Device. Firewall rules are grouped based on the direction of travel of packets. A higher firewall level means more restrictions on the Internet activities you can perform. Click Security > Firewall > General to display the following screen. Use the slider to select the level of firewall protection.

LAN to WAN is your access to all Internet services. WAN to LAN is the access of other computers on the Internet to devices behind the Zyxel Device.
When the security level is set to High, Telnet, HTTP, HTTPS, DNS, IMAP, POP3, SMTP, and IPv6 ICMPv6 (Ping) traffic from the LAN is still allowed.
The following table describes the labels in this screen.
Security > Firewall > General
| Label | Description |
|---|---|
| IPv4 Firewall | Enable firewall protection when using IPv4 (Internet Protocol version 4). |
| IPv6 Firewall | Enable firewall protection when using IPv6 (Internet Protocol version 6). |
| High | This setting blocks all traffic to and from the Internet. Only local network traffic and LAN to WAN service (Telnet, HTTP, HTTPS, DNS, POP3, SMTP) is permitted. |
| Medium | This is the recommended setting. It allows traffic to the Internet but blocks anyone from the Internet from accessing any services on your local network. |
| Low | This setting allows traffic to the Internet and also allows someone from the Internet to access services on your local network. This would be used with Port Forwarding, Default Server. |
| Apply | Click this to save your changes. |
| Cancel | Click this to restore your previously saved settings. |
Protocol (Customized Services)
You can configure customized services and port numbers in the Protocol screen. Each set of protocol rules listed in the table is a reusable object to be used in conjunction with ACL rules in the Access Control screen. For a comprehensive list of port numbers and services, visit the IANA (Internet Assigned Numbers Authority) website. Click Security > Firewall > Protocol to display the following screen.

Removing a protocol rule will also remove associated ACL rules.
The following table describes the labels in this screen.
Security > Firewall > Protocol
| Label | Description |
|---|---|
| Add New Protocol Entry | Click this to configure a customized service. |
| Name | This is the name of your customized service. |
| Description | This is a description of your customized service. |
| Ports/Protocol Number | This shows the port number or range and the IP protocol (TCP or UDP) that defines your customized service. |
| Modify | Click this to edit a customized service. |
Add Customized Service
Add a customized rule or edit an existing rule by specifying the protocol and the port numbers. Click Add New Protocol Entry in the Protocol screen to display the following screen.
The following table describes the labels in this screen.
Security > Firewall > Protocol: Add New Protocol Entry
| Label | Description |
|---|---|
| Service Name | Enter a descriptive name for your customized service. You can use up to 16 printable characters except [ " ], [ ` ], [ ' ], [ < ], [ > ], [ ^ ], [ $ ], [ \| ], [ & ], or [ ; ]. Spaces are allowed. |
| Description | Enter a description for your customized service. You can use up to 16 printable characters except [ " ], [ ` ], [ ' ], [ < ], [ > ], [ ^ ], [ $ ], [ \| ], [ & ], or [ ; ]. Spaces are allowed. |
| Protocol | Select the protocol (TCP, UDP, ICMP, ICMPv6, or Other) that defines your customized port from the drop-down list box. |
| Protocol Number | Enter a single port number or the range of port numbers (0 – 255) that define your customized service. |
| OK | Click this to save your changes. |
| Cancel | Click this to exit this screen without saving. |
Access Control (Rules)
An Access Control List (ACL) rule is a manually-defined rule that can accept, reject, or drop incoming or outgoing packets from your network. This screen displays a list of the configured incoming or outgoing filtering rules. Note the order in which the rules are listed. Click Security > Firewall > Access Control to display the following screen.

The ordering of your rules is very important as rules are applied in turn.
The following table describes the labels in this screen.
Security > Firewall > Access Control
| Label | Description |
|---|---|
| Rules Storage Space Usage | This read-only bar shows how much of the Zyxel Device's memory is in use for recording firewall rules. When you are using 80% or less of the storage space, the bar is green. When the amount of space used is over 80%, the bar is red. |
| Add New ACL Rule | Select an index number and click Add New ACL Rule to add a new firewall rule after the selected index number. For example, if you select “6”, your new rule becomes number 7 and the previous rule 7 (if there is one) becomes rule 8. |
| # | This field displays the rule index number. The ordering of your rules is important as rules are applied in turn. |
| Status | This field displays the status of the ACL rule. A yellow bulb signifies that this ACL rule is active, while a gray bulb signifies that this ACL rule is not active. |
| Name | This field displays the rule name. |
| Src IP | This field displays the source IP addresses to which this rule applies. |
| Dest IP | This field displays the destination IP addresses to which this rule applies. |
| Service | This field displays the protocol (All, TCP, UDP, TCP/UDP, ICMP, ICMPv6, or any) used to transport the packets for which you want to apply the rule. |
| Action | Displays whether the firewall silently discards packets (Drop), discards packets and sends a TCP reset packet or an ICMP destination-unreachable message to the sender (Reject), or accepts (Accept) packets that match this rule. |
| Modify | Click the Edit icon to edit the firewall rule. Click the Delete icon to delete an existing firewall rule. |
Add New ACL Rule
Click Add new ACL rule or the Edit icon next to an existing ACL rule in the Access Control screen. The following screen displays. Use this screen to accept, reject, or drop packets based on specified parameters, such as source and destination IP address, IP Type, service, and direction. You can also specify a limit as to how many packets this rule applies to at a certain period of time or specify a schedule for this rule.
The following table describes the labels in this screen.
Security > Firewall > Access Control > Add New ACL Rule
| Label | Description |
|---|---|
| Active | Click this switch to enable this ACL rule. |
| Filter Name | Enter a descriptive name for your filter rule. You can use up to 16 printable characters except [ " ], [ ` ], [ ' ], [ < ], [ > ], [ ^ ], [ $ ], [ \| ], [ & ], or [ ; ]. Spaces are allowed. |
| Order | Assign the order of your rules, as rules are applied in turn. |
| Select Source IP Address | If you want the source to be a particular (single) IP address, select Specific IP Address. Otherwise, select a detected device. |
| Source IP Address | If you selected Specific IP Address in the previous item, enter the source device’s IP address here. This field is hidden if you selected a detected device. |
| Select Destination Device | If you want your rule to apply to packets with a particular (single) destination IP address, select Specific IP Address. Otherwise, select a detected device. |
| Destination IP Address | If you selected Specific IP Address in the previous item, enter the destination device’s IP address here. This field is hidden if you selected a detected device. |
| MAC Address | Enter the MAC addresses of the Wi-Fi or wired LAN clients that are allowed access to the Zyxel Device in these address fields. Enter the MAC addresses in a valid MAC address format, that is, six hexadecimal character pairs, for example, 12:34:56:78:9a:bc. |
| IP Type | Select between IPv4 or IPv6. Compared to IPv4, IPv6 (Internet Protocol version 6) is designed to enhance IP address size and features. The increase in IPv6 address size to 128 bits (from the 32-bit IPv4 address) allows up to 3.4 x 10^38 IP addresses. The Zyxel Device can use IPv4/IPv6 dual stack to connect to IPv4 and IPv6 networks, and supports IPv6 rapid deployment (6RD). |
| Select Service | Select a service from the Select Service box. |
| Protocol | Select the protocol (ALL, TCP/UDP, TCP, UDP, ICMP, or ICMPv6) used to transport the packets for which you want to apply the rule. |
| Custom Source Port | This is a single port number or the starting port number of a range that defines your rule. |
| Custom Destination Port | This is a single port number or the ending port number of a range that defines your rule. |
| TCP Flag | Select the TCP Flag (SYN, ACK, URG, PSH, RST, FIN). This appears when you select TCP/UDP or TCP in the Protocol field. |
| Policy | Use the drop-down list box to select whether to discard (Drop), deny and send an ICMP destination-unreachable message to the sender (Reject), or accept (Accept) packets that match this rule. |
| Direction | Select WAN to LAN to apply the rule to traffic from WAN to LAN. Select LAN to WAN to apply the rule to traffic from LAN to WAN. Select WAN to Router to apply the rule to traffic from WAN to router. Select LAN to Router to apply the rule to traffic from LAN to router. |
| Enable Rate Limit | Click this switch to limit the throughput of traffic that matches this rule to a maximum number of packets per second or per minute. If this is off, the next item is disabled. |
| Scheduler Rules | Select a schedule rule for this ACL rule from the drop-down list box. You can configure a new schedule rule by clicking Add New Rule. This will bring you to the Security > Scheduler Rules screen. |
| OK | Click this to save your changes. |
| Cancel | Click this to exit this screen without saving. |
DoS
DoS (Denial of Service) attacks can flood your Internet connection with invalid packets and connection requests, using so much bandwidth and so many resources that Internet access becomes unavailable. Use the DoS screen to activate protection against DoS attacks.
Click Security > Firewall > DoS to display the following screen.
The following table describes the labels in this screen.
Security > Firewall > DoS
| Label | Description |
|---|---|
| DoS Protection Blocking | Enable this to protect against DoS attacks. The Zyxel Device will drop sessions that surpass maximum thresholds. |
| Apply | Click this to save your changes. |
| Cancel | Click this to restore your previously saved settings. |
Firewall Technical Reference
This section provides some technical background information about the topics covered in this chapter.
Firewall Rules Overview
Your customized rules take precedence and override the Zyxel Device’s default settings. The Zyxel Device checks the source IP address, destination IP address and IP protocol type of network traffic against the firewall rules (in the order you list them). When the traffic matches a rule, the Zyxel Device takes the action specified in the rule.
Firewall rules are grouped based on the direction of travel of packets to which they apply:
• LAN to Router
• LAN to WAN
• WAN to LAN
• WAN to Router
By default, the Zyxel Device’s stateful packet inspection allows packets traveling in the following directions:
• LAN to Router
These rules specify which computers on the LAN can manage the Zyxel Device (remote management).

You can also configure the remote management settings to allow only a specific computer to manage the Zyxel Device.
• LAN to WAN
These rules specify which computers on the LAN can access which computers or services on the WAN.
By default, the Zyxel Device’s stateful packet inspection drops packets traveling in the following directions:
• WAN to LAN
These rules specify which computers on the WAN can access which computers or services on the LAN.

You also need to configure NAT port forwarding (or full featured NAT address mapping rules) to allow computers on the WAN to access devices on the LAN.
• WAN to Router
By default the Zyxel Device stops computers on the WAN from managing the Zyxel Device. You could configure one of these rules to allow a WAN computer to manage the Zyxel Device.

You also need to configure the remote management settings to allow a WAN computer to manage the Zyxel Device.
You may define additional rules and sets or modify existing ones but please exercise extreme caution in doing so.
For example, you may create rules to:
• Block certain types of traffic, such as IRC (Internet Relay Chat), from the LAN to the Internet.
• Allow certain types of traffic, such as Lotus Notes database synchronization, from specific hosts on the Internet to specific hosts on the LAN.
• Allow everyone except your competitors to access a web server.
• Restrict use of certain protocols, such as Telnet, to authorized users on the LAN.
These custom rules work by comparing the source IP address, destination IP address and IP protocol type of network traffic to rules set by the administrator. Your customized rules take precedence and override the Zyxel Device’s default rules.
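The Access Control screen and the Firewall Rules Overview both stress that rules are applied in turn, that the first match decides, and that custom rules override the default direction policy; the Add New ACL Rule screen adds a per-rule packet rate limit. The following added example (not Zyxel code) puts those pieces together in Python: an ordered rule list with Accept, Reject and Drop actions, a sliding-window rate limit on a rule, and a fallback to the default policy when nothing matches. The rule contents, limits and packets are constructed for illustration, and the "Reject" action here is only a returned label (no reset or ICMP message is generated).

```python
"""Ordered ACL evaluation with Accept / Reject / Drop and an optional rate limit.

Added example, not Zyxel code. Rules are checked in list order and the first
match decides; unmatched packets fall back to the default direction policy.
Rule contents, limits and packets are constructed values.
"""
import ipaddress
from collections import deque


class Rule:
    def __init__(self, name, src, dst, proto, dst_port, direction, action,
                 rate_limit=None, active=True):
        self.name = name
        self.src = ipaddress.ip_network(src)     # "0.0.0.0/0" means any source
        self.dst = ipaddress.ip_network(dst)
        self.proto = proto                       # "all", "tcp", "udp", "icmp"
        self.dst_port = dst_port                 # None (any), int, or (low, high)
        self.direction = direction               # e.g. "WAN to LAN"
        self.action = action                     # "Accept", "Reject" or "Drop"
        self.rate_limit = rate_limit             # (max_packets, window_seconds)
        self.active = active
        self._hits = deque()                     # match timestamps inside the window

    def _port_ok(self, port):
        if self.dst_port is None:
            return True
        if isinstance(self.dst_port, tuple):
            return self.dst_port[0] <= port <= self.dst_port[1]
        return port == self.dst_port

    def matches(self, pkt):
        return (self.active
                and pkt["direction"] == self.direction
                and ipaddress.ip_address(pkt["src"]) in self.src
                and ipaddress.ip_address(pkt["dst"]) in self.dst
                and self.proto in ("all", pkt["proto"])
                and self._port_ok(pkt["dst_port"]))

    def over_limit(self, now):
        """Sliding-window packet counter: True once the limit is exceeded."""
        if self.rate_limit is None:
            return False
        max_packets, window = self.rate_limit
        while self._hits and now - self._hits[0] >= window:
            self._hits.popleft()
        self._hits.append(now)
        return len(self._hits) > max_packets


# Default stateful policy from the overview: outbound allowed, inbound dropped.
DEFAULT_POLICY = {"LAN to WAN": "Accept", "WAN to LAN": "Drop",
                  "LAN to Router": "Accept", "WAN to Router": "Drop"}


def evaluate(rules, pkt, now=0.0):
    """First matching rule wins; returns (action, rule name or 'default')."""
    for rule in rules:
        if rule.matches(pkt):
            if rule.over_limit(now):
                return "Drop", rule.name + " (rate limit)"
            return rule.action, rule.name
    return DEFAULT_POLICY[pkt["direction"]], "default"


def demo():
    rules = [
        Rule("allow_https_to_host", "0.0.0.0/0", "192.168.1.10/32", "tcp", 443,
             "WAN to LAN", "Accept", rate_limit=(3, 1.0)),
        Rule("block_telnet_out", "192.168.1.0/24", "0.0.0.0/0", "tcp", 23,
             "LAN to WAN", "Reject"),
        Rule("block_irc_out", "192.168.1.0/24", "0.0.0.0/0", "tcp", (6660, 6669),
             "LAN to WAN", "Drop"),
    ]
    web = {"src": "198.51.100.5", "dst": "192.168.1.10", "proto": "tcp",
           "dst_port": 443, "direction": "WAN to LAN"}
    telnet = {"src": "192.168.1.20", "dst": "203.0.113.1", "proto": "tcp",
              "dst_port": 23, "direction": "LAN to WAN"}
    irc = {"src": "192.168.1.20", "dst": "203.0.113.1", "proto": "tcp",
           "dst_port": 6667, "direction": "LAN to WAN"}
    smb = {"src": "198.51.100.5", "dst": "192.168.1.20", "proto": "tcp",
           "dst_port": 445, "direction": "WAN to LAN"}
    results = {
        "web": evaluate(rules, web, now=0.0)[0],
        "telnet": evaluate(rules, telnet)[0],
        "irc": evaluate(rules, irc)[0],
        "smb": evaluate(rules, smb),           # no rule matches: default policy
    }
    # Three more matches inside the same one-second window exceed the limit of 3.
    results["web_burst"] = [evaluate(rules, web, now=0.5)[0] for _ in range(3)]
    # Placing a catch-all inbound Drop ahead of the allow rule changes the result.
    catch_all = Rule("drop_all_inbound", "0.0.0.0/0", "0.0.0.0/0", "all", None,
                     "WAN to LAN", "Drop")
    results["web_after_reorder"] = evaluate([catch_all] + rules, web, now=5.0)[0]
    return results
```

The `web_after_reorder` case is the "ordering is very important" warning in code: the same packet that the allow rule accepted is dropped as soon as a broader rule is listed before it, which is also the kind of conflict the third question under Security Considerations asks you to check for.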
Guidelines For Security Enhancement With Your Firewall
1 Change the default password through the Web Configurator.
2 Think about access control before you connect to the network in any way.
3 Limit who can access your router.
4 Do not enable any local service (such as telnet) that you do not use. Any enabled service could present a potential security risk. A determined hacker might be able to find creative ways to misuse the enabled services to access the firewall or the network.
5 For local services that are enabled, protect against misuse. Protect by configuring the services to communicate only with specific peers, and protect by configuring rules to block packets for the services at specific interfaces.
6 Protect against IP spoofing by making sure the firewall is active.
7 Keep the firewall in a secured (locked) room.
Security Considerations

Incorrectly configuring the firewall may block valid access or introduce security risks to the Zyxel Device and your protected network. Use caution when creating or deleting firewall rules and test your rules after you configure them.
Consider these security ramifications before creating a rule:
1 Does this rule stop LAN users from accessing critical resources on the Internet? For example, if IRC (Internet Relay Chat) is blocked, are there users that require this service?
2 Is it possible to modify the rule to be more specific? For example, if IRC is blocked for all users, will a rule that blocks just certain users be more effective?
3 Does this rule conflict with any existing rules?
Once these questions have been answered, adding rules is simply a matter of entering the information into the correct fields in the Web Configurator screens.