ZyXEL p-660h-61 Guida Utente
Prestige 660H Series User’s Guide
Firewalls
10-9
commands between endpoints, and then "data connections" which are used for transmitting bulk
information.
information.
Consider the FTP protocol. A user on the LAN opens a control connection to a server on the Internet
and requests a file. At this point, the remote server will open a data connection from the Internet. For
FTP to work properly, this connection must be allowed to pass through even though a connection from
the Internet would normally be rejected.
and requests a file. At this point, the remote server will open a data connection from the Internet. For
FTP to work properly, this connection must be allowed to pass through even though a connection from
the Internet would normally be rejected.
In order to achieve this, the Prestige inspects the application-level FTP data. Specifically, it searches
for outgoing "PORT" commands, and when it sees these, it adds a cache entry for the anticipated data
connection. This can be done safely, since the PORT command contains address and port information,
which can be used to uniquely identify the connection.
for outgoing "PORT" commands, and when it sees these, it adds a cache entry for the anticipated data
connection. This can be done safely, since the PORT command contains address and port information,
which can be used to uniquely identify the connection.
Any protocol that operates in this way must be supported on a case-by-case basis. You can use the
web configurator’s Custom Ports feature to do this.
web configurator’s Custom Ports feature to do this.
10.6 Guidelines for Enhancing Security with Your Firewall
♦
Change the default password via SMT or web configurator.
♦
Limit who can telnet into your router.
♦
Don't enable any local service (such as SNMP or NTP) that you don't use. Any enabled
service could present a potential security risk. A determined hacker might be able to find
creative ways to misuse the enabled services to access the firewall or the network.
service could present a potential security risk. A determined hacker might be able to find
creative ways to misuse the enabled services to access the firewall or the network.
♦ For local services that are enabled, protect against misuse. Protect by configuring the services to
communicate only with specific peers, and protect by configuring rules to block packets for the services
at specific interfaces.
at specific interfaces.
♦
Protect against IP spoofing by making sure the firewall is active.
♦
Keep the firewall in a secured (locked) room.
10.6.1 Security In General
You can never be too careful! Factors outside your firewall, filtering or NAT can cause security
breaches. Below are some generalizations about what you can do to minimize them.
breaches. Below are some generalizations about what you can do to minimize them.
♦
Encourage your company or organization to develop a comprehensive security plan. Good
network administration takes into account what hackers can do and prepares against attacks.
The best defense against hackers and crackers is information. Educate all employees about the
importance of security and how to minimize risk. Produce lists like this one!
network administration takes into account what hackers can do and prepares against attacks.
The best defense against hackers and crackers is information. Educate all employees about the
importance of security and how to minimize risk. Produce lists like this one!
♦
DSL or cable modem connections are “always-on” connections and are particularly vulnerable
because they provide more opportunities for hackers to crack your system. Turn your
computer off when not in use.
because they provide more opportunities for hackers to crack your system. Turn your
computer off when not in use.
♦
Never give out a password or any sensitive information to an unsolicited telephone call or e-
mail.
mail.
♦
Never e-mail sensitive information such as passwords, credit card information, etc., without
encrypting the information first.
encrypting the information first.
♦
Never submit sensitive information via a web page unless the web site uses secure
connections. You can identify a secure connection by looking for a small “key” icon on the
bottom of your browser (Internet Explorer 3.02 or better or Netscape 3.0 or better). If a web
connections. You can identify a secure connection by looking for a small “key” icon on the
bottom of your browser (Internet Explorer 3.02 or better or Netscape 3.0 or better). If a web