ZyXEL Communications 202H Manual De Usuario
Prestige 202H User’s Guide
12-10 Firewalls
12.5.3 TCP Security
The Prestige uses state information embedded in TCP packets. The first packet of any new connection has its
SYN flag set and its ACK flag cleared; these are "initiation" packets. All packets that do not have this flag
structure are called "subsequent" packets, since they represent data that occurs later in the TCP stream.
SYN flag set and its ACK flag cleared; these are "initiation" packets. All packets that do not have this flag
structure are called "subsequent" packets, since they represent data that occurs later in the TCP stream.
If an initiation packet originates on the WAN, this means that someone is trying to make a connection from
the Internet into the LAN. Except in a few special cases (see "Upper Layer Protocols" shown next), these
packets are dropped and logged.
the Internet into the LAN. Except in a few special cases (see "Upper Layer Protocols" shown next), these
packets are dropped and logged.
If an initiation packet originates on the LAN, this means that someone is trying to make a connection from
the LAN to the Internet. Assuming that this is an acceptable part of the security policy (as is the case with the
default policy), the connection will be allowed. A cache entry is added which includes connection
information such as IP addresses, TCP ports, sequence numbers, etc.
the LAN to the Internet. Assuming that this is an acceptable part of the security policy (as is the case with the
default policy), the connection will be allowed. A cache entry is added which includes connection
information such as IP addresses, TCP ports, sequence numbers, etc.
When the Prestige receives any subsequent packet (from the Internet or from the LAN), its connection
information is extracted and checked against the cache. A packet is only allowed to pass through if it
corresponds to a valid connection (that is, if it is a response to a connection which originated on the LAN).
information is extracted and checked against the cache. A packet is only allowed to pass through if it
corresponds to a valid connection (that is, if it is a response to a connection which originated on the LAN).
12.5.4 UDP/ICMP Security
UDP and ICMP do not themselves contain any connection information (such as sequence numbers).
However, at the very minimum, they contain an IP address pair (source and destination). UDP also contains
port pairs, and ICMP has type and code information. All of this data can be analyzed in order to build "virtual
connections" in the cache.
However, at the very minimum, they contain an IP address pair (source and destination). UDP also contains
port pairs, and ICMP has type and code information. All of this data can be analyzed in order to build "virtual
connections" in the cache.
For instance, any UDP packet that originates on the LAN will create a cache entry. Its IP address and port
pairs will be stored. For a short period of time, UDP packets from the WAN that have matching IP and UDP
information will be allowed back in through the firewall.
pairs will be stored. For a short period of time, UDP packets from the WAN that have matching IP and UDP
information will be allowed back in through the firewall.
A similar situation exists for ICMP, except that the Prestige is even more restrictive. Specifically, only
outgoing echoes will allow incoming echo replies, outgoing address mask requests will allow incoming
address mask replies, and outgoing timestamp requests will allow incoming timestamp replies. No other
ICMP packets are allowed in through the firewall, simply because they are too dangerous and contain too
little tracking information. For instance, ICMP redirect packets are never allowed in, since they could be used
to reroute traffic through attacking machines.
outgoing echoes will allow incoming echo replies, outgoing address mask requests will allow incoming
address mask replies, and outgoing timestamp requests will allow incoming timestamp replies. No other
ICMP packets are allowed in through the firewall, simply because they are too dangerous and contain too
little tracking information. For instance, ICMP redirect packets are never allowed in, since they could be used
to reroute traffic through attacking machines.
12.5.5 Upper Layer Protocols
Some higher layer protocols (such as FTP and RealAudio) utilize multiple network connections
simultaneously. In general terms, they usually have a "control connection" which is used for sending
commands between endpoints, and then "data connections" which are used for transmitting bulk information.
simultaneously. In general terms, they usually have a "control connection" which is used for sending
commands between endpoints, and then "data connections" which are used for transmitting bulk information.
Consider the FTP protocol. A user on the LAN opens a control connection to a server on the Internet and
requests a file. At this point, the remote server will open a data connection from the Internet. For FTP to
requests a file. At this point, the remote server will open a data connection from the Internet. For FTP to