ZyXEL Communications ZyWALL5UTM 4.0 User Manual
ZyWALL 5/35/70 Series User’s Guide
Chapter 10 Firewalls
208
Any protocol that operates in this way must be supported on a case-by-case basis. You can use
the web configurator’s Custom Services feature to do this.
the web configurator’s Custom Services feature to do this.
10.6 Guidelines For Enhancing Security With Your Firewall
1 Change the default password via SMT or web configurator.
2 Think about access control before you connect a console port to the network in any way,
including attaching a modem to the port. Be aware that a break on the console port might
give unauthorized individuals total control of the firewall, even with access control
configured.
give unauthorized individuals total control of the firewall, even with access control
configured.
3 Limit who can telnet into your router.
4 Don't enable any local service (such as SNMP or NTP) that you don't use. Any enabled
service could present a potential security risk. A determined hacker might be able to find
creative ways to misuse the enabled services to access the firewall or the network.
creative ways to misuse the enabled services to access the firewall or the network.
5 For local services that are enabled, protect against misuse. Protect by configuring the
services to communicate only with specific peers, and protect by configuring rules to
block packets for the services at specific interfaces.
block packets for the services at specific interfaces.
6 Protect against IP spoofing by making sure the firewall is active.
7 Keep the firewall in a secured (locked) room.
10.7 Packet Filtering Vs Firewall
Below are some comparisons between the ZyWALL’s filtering and firewall functions.
10.7.1 Packet Filtering:
• The router filters packets as they pass through the router’s interface according to the filter
rules you designed.
• Packet filtering is a powerful tool, yet can be complex to configure and maintain,
especially if you need a chain of rules to filter a service.
• Packet filtering only checks the header portion of an IP packet.
10.7.1.1 When To Use Filtering
1 To block/allow LAN packets by their MAC addresses.
2 To block/allow special IP packets which are neither TCP nor UDP, nor ICMP packets.
3 To block/allow both inbound (WAN to LAN) and outbound (LAN to WAN) traffic
between the specific inside host/network "A" and outside host/network "B". If the filter
blocks the traffic from A to B, it also blocks the traffic from B to A. Filters cannot
distinguish traffic originating from an inside host or an outside host by IP address.
blocks the traffic from A to B, it also blocks the traffic from B to A. Filters cannot
distinguish traffic originating from an inside host or an outside host by IP address.
4 To block/allow IP trace route.