ZyXEL p-660h-61 User Guide

Prestige 660H Series User’s Guide 
11-2 
Firewall Configuration 
11.3.1 Alerts 
Alerts are reports on events, such as attacks, that you may want to know about right away. You can 
choose to generate an alert when an attack is detected in the Alert screen (Figure 11-2; select the 
Generate alert when attack detected checkbox) or when a rule is matched in the Edit Rule screen 
(see Figure 12-4). 
When an event generates an alert, a message can be immediately sent to an e-mail 
account that you specify in the Log Settings screen (see the chapter on logs). 
11.3.2 Threshold Values 
Tune these parameters when something is not working and after you have checked the firewall 
counters. These default values should work fine for most small offices. Factors influencing choices for 
threshold values are: 
♦ The maximum number of opened sessions. 
♦ The minimum capacity of server backlog in your LAN network. 
♦ The CPU power of servers in your LAN network. 
♦ Network bandwidth. 
♦ Type of traffic for certain servers. 
If your network is slower than average for any of these factors (especially if you have servers that are 
slow or handle many tasks and are often busy), then the default values should be reduced. 
You should make any changes to the threshold values before you continue configuring firewall rules.  
11.3.3 Half-Open Sessions 
An unusually high number of half-open sessions (either an absolute number or measured as the arrival 
rate) could indicate that a Denial of Service attack is occurring. For TCP, "half-open" means that the 
session has not reached the established state: the TCP three-way handshake has not yet been completed 
(see Figure 10-2). For UDP, "half-open" means that the firewall has detected no return traffic. 
The Prestige measures both the total number of existing half-open sessions and the rate of session 
establishment attempts. Both TCP and UDP half-open sessions are counted in the total number and 
rate measurements. Measurements are made once a minute. 
When the number of existing half-open sessions rises above a threshold (max-incomplete high), the 
Prestige starts deleting half-open sessions as required to accommodate new connection requests. The 
Prestige continues to delete half-open sessions as necessary, until the number of existing half-open 
sessions drops below another threshold (max-incomplete low). 
When the rate of new connection attempts rises above a threshold (one-minute high), the Prestige 
starts deleting half-open sessions as required to accommodate new connection requests. The Prestige 
continues to delete half-open sessions as necessary, until the rate of new connection attempts drops 
below another threshold (one-minute low). The rate is the number of new attempts detected in the last 
one-minute sample period. 
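The following is an added example, not code from the ZyXEL manual or firmware: a small Python model of the two threshold pairs described above (max-incomplete high/low on the absolute count, one-minute high/low on the once-a-minute rate sample), so the hysteresis between the high and low values can be seen on constructed traffic. The class and parameter names are assumptions, as is the choice to delete the oldest half-open session first; the manual says only that half-open sessions are deleted "as required to accommodate new connection requests".

```python
# Added example modelling the Prestige half-open session limiters described
# above. Names, the oldest-first eviction policy and the sample traffic are
# assumptions made for illustration, not the device's actual implementation.
from collections import OrderedDict


class HalfOpenGuard:
    """Tracks half-open sessions and applies both threshold pairs.

    count limiter: engages when the number of half-open sessions rises above
        max_incomplete_high, clears when it drops below max_incomplete_low.
    rate limiter:  engages when the last one-minute sample of new attempts
        rises above one_minute_high, clears when a later sample drops below
        one_minute_low. Sampled once per minute via minute_tick().
    While either limiter is active, each new attempt evicts the oldest
    half-open session instead of growing the table.
    """

    def __init__(self, max_incomplete_high, max_incomplete_low,
                 one_minute_high, one_minute_low):
        if not (max_incomplete_low < max_incomplete_high
                and one_minute_low < one_minute_high):
            raise ValueError("low thresholds must be below high thresholds")
        self.max_incomplete_high = max_incomplete_high
        self.max_incomplete_low = max_incomplete_low
        self.one_minute_high = one_minute_high
        self.one_minute_low = one_minute_low
        self.half_open = OrderedDict()   # session key -> True; order = age
        self.attempts_this_minute = 0
        self.last_rate = 0
        self.count_limiting = False
        self.rate_limiting = False
        self.evicted = []

    @property
    def limiting(self):
        return self.count_limiting or self.rate_limiting

    def new_attempt(self, key):
        """TCP SYN or first UDP packet of a session. Returns the key of the
        half-open session that was deleted to make room, or None."""
        self.attempts_this_minute += 1
        if key in self.half_open:
            return None                  # retransmission of a known attempt
        victim = None
        if self.limiting and self.half_open:
            victim, _ = self.half_open.popitem(last=False)   # oldest first
            self.evicted.append(victim)
        self.half_open[key] = True
        if len(self.half_open) > self.max_incomplete_high:
            self.count_limiting = True   # rose above max-incomplete high
        return victim

    def complete(self, key):
        """Handshake finished (TCP) or return traffic seen (UDP): the session
        is no longer half-open. This is where the count limiter can clear."""
        self.half_open.pop(key, None)
        if len(self.half_open) < self.max_incomplete_low:
            self.count_limiting = False  # dropped below max-incomplete low

    def minute_tick(self):
        """Once-a-minute sample: rate = new attempts in the last minute."""
        self.last_rate, self.attempts_this_minute = self.attempts_this_minute, 0
        if self.last_rate > self.one_minute_high:
            self.rate_limiting = True    # rose above one-minute high
        elif self.last_rate < self.one_minute_low:
            self.rate_limiting = False   # dropped below one-minute low
        return self.last_rate


def count_limiter_trace():
    """Constructed scenario: eight SYNs with no completions, then the
    survivors finish their handshakes. Returns (per-attempt trace, evicted
    keys, whether the limiter cleared afterwards)."""
    g = HalfOpenGuard(max_incomplete_high=5, max_incomplete_low=2,
                      one_minute_high=1000, one_minute_low=500)
    trace = []
    for i in range(8):
        victim = g.new_attempt(f"syn{i}")
        trace.append((i, len(g.half_open), g.count_limiting, victim))
    for i in range(2, 7):            # syn2..syn6 complete; syn7 stays half-open
        g.complete(f"syn{i}")
    return trace, list(g.evicted), not g.count_limiting


def rate_limiter_trace():
    """Constructed scenario: four attempts in one minute against a one-minute
    high of 3, then one quiet-ish minute and one silent minute."""
    g = HalfOpenGuard(max_incomplete_high=1000, max_incomplete_low=500,
                      one_minute_high=3, one_minute_low=1)
    for i in range(4):
        g.new_attempt(f"flood{i}")
    rates = [g.minute_tick()]            # 4 > 3: rate limiter engages
    victim = g.new_attempt("next")       # deletes the oldest, flood0
    rates.append(g.minute_tick())        # 1 attempt: not below 1, stays on
    still_on = g.rate_limiting
    rates.append(g.minute_tick())        # 0 attempts: below 1, clears
    return rates, victim, still_on, g.rate_limiting


if __name__ == "__main__":
    print(count_limiter_trace())
    print(rate_limiter_trace())
```

Two things the model makes visible that the prose leaves implicit: while the count limiter is active, evicting one old session per new attempt keeps the table at a ceiling but does not by itself bring the count below max-incomplete low, so the limiter only clears once sessions complete or time out; and the rate limiter changes state only on the minute sample, so a single quiet minute that is not below one-minute low leaves it engaged.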
TCP Maximum Incomplete and Blocking Time 
An unusually high number of half-open sessions with the same destination host address could indicate 
that a Denial of Service attack is being launched against the host.  
Whenever the number of half-open sessions with the same destination host address rises above a 
threshold (TCP Maximum Incomplete), the Prestige starts deleting half-open sessions according to 
one of the following methods: