Netgear FVS318Gv2 – ProSAFE VPN Firewall Series Reference Manual

Firewall Protection 
171
 NETGEAR ProSAFE VPN Firewall FVS318G v2
LAN Security Checks
Block UDP flood
Select the Block UDP flood check box to prevent the VPN firewall from accepting more than a specified number of new User Datagram Protocol (UDP) connections per second from a single device on the LAN.
In the field, enter the number of new connections per second that defines a UDP flood. You can enter a number from 25 to 999. The default value is 25. Once a LAN device exceeds that rate, the VPN firewall drops its further UDP packets.
By default, the Block UDP flood check box is cleared, so the rate of UDP connections from a single device on the LAN is not restricted.
A UDP flood is a form of denial-of-service attack in which one device sends many UDP packets to random ports on a remote host. For each packet, the remote host does the following:
1. Checks for an application listening on that port.
2. Finds that no application is listening on that port.
3. Replies with an ICMP Destination Unreachable (Port Unreachable) packet.
When the victimized system is flooded, it is forced to send many ICMP packets, eventually making it unreachable by other clients. The attacker might also spoof the source IP address of the UDP packets so that the ICMP replies do not reach the attacker, which hides the attacker's network location and directs the reply traffic at whoever owns the spoofed address. Because this check counts connections per LAN device, it limits a LAN host that is the source of such a flood, whether deliberately or because it is compromised; it does not limit a flood arriving from the WAN.
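The threshold behaviour described above, as an added example that is not NETGEAR's code: the firewall's actual flood-detection logic is not published, so this Python model assumes that a "connection" is the first packet of a new (destination, port) flow from one LAN source within a one-second window, enforces the 25-999 range of the field, and runs over a constructed packet trace (not captured data) containing one normal client and one host spraying UDP at 100 ports.

```python
from collections import defaultdict

# Field range and default of the Block UDP flood setting.
UDP_FLOOD_MIN, UDP_FLOOD_MAX, UDP_FLOOD_DEFAULT = 25, 999, 25


def validate_threshold(value):
    """Reject values outside the 25-999 range the UI accepts."""
    if not isinstance(value, int) or not UDP_FLOOD_MIN <= value <= UDP_FLOOD_MAX:
        raise ValueError(f"UDP flood threshold must be {UDP_FLOOD_MIN}-{UDP_FLOOD_MAX}, got {value!r}")
    return value


def filter_udp(packets, threshold=UDP_FLOOD_DEFAULT, enabled=True):
    """Return [(packet, 'pass' | 'drop')] for a trace of
    (timestamp_seconds, src_ip, dst_ip, dst_port) UDP packets.

    Assumed model (not the firewall's real algorithm): a 'connection' is the
    first packet of a (dst_ip, dst_port) flow from a given source inside a
    one-second window.  Packets of flows already admitted in that window pass;
    new flows beyond the threshold are dropped.  With the check box cleared
    (enabled=False) nothing is limited.
    """
    threshold = validate_threshold(threshold)
    admitted = defaultdict(set)          # (src_ip, second) -> set of admitted flows
    verdicts = []
    for pkt in packets:
        ts, src, dst, dport = pkt
        if not enabled:
            verdicts.append((pkt, "pass"))
            continue
        flows = admitted[(src, int(ts))]
        flow = (dst, dport)
        if flow in flows:
            verdicts.append((pkt, "pass"))         # existing flow, not a new connection
        elif len(flows) < threshold:
            flows.add(flow)
            verdicts.append((pkt, "pass"))         # new flow within the per-second budget
        else:
            verdicts.append((pkt, "drop"))         # budget exhausted: this source is flooding
    return verdicts


def summarize(verdicts):
    """Per-source pass/drop counts, e.g. {'192.168.1.66': {'pass': 25, 'drop': 75}}."""
    counts = defaultdict(lambda: {"pass": 0, "drop": 0})
    for (_, src, _, _), verdict in verdicts:
        counts[src][verdict] += 1
    return dict(counts)


def sample_trace():
    """Constructed trace (not captured data): one normal LAN client and one LAN
    host spraying UDP at 100 different ports of a single target within one second."""
    normal = [(5.10, "192.168.1.20", "192.168.1.1", 53),
              (5.20, "192.168.1.20", "192.168.1.1", 53),     # repeat of the same flow
              (5.30, "192.168.1.20", "203.0.113.9", 123)]
    flood = [(5.0 + i * 0.005, "192.168.1.66", "203.0.113.50", 1000 + i) for i in range(100)]
    return sorted(normal + flood)


if __name__ == "__main__":
    for threshold in (UDP_FLOOD_DEFAULT, 200):
        print(threshold, summarize(filter_udp(sample_trace(), threshold)))
    print("unrestricted", summarize(filter_udp(sample_trace(), enabled=False)))
```

With the default of 25 the spraying host gets its first 25 flows through and the remaining 75 packets dropped, while the normal client is untouched; raising the threshold to 200 or clearing the check box lets the whole burst through, which is why the default is the value to keep unless a LAN application legitimately opens many UDP flows per second.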
Disable Ping Reply on LAN Ports
Select the Disable Ping Reply on LAN Ports check box to prevent the VPN firewall from responding to a ping (ICMP Echo Request) on a LAN port. A ping is a useful diagnostic tool, so keep this check box cleared unless a specific reason exists to prevent the VPN firewall from responding to a ping on a LAN port.
VPN Pass through
IPSec
PPTP
L2TP
When the VPN firewall functions in NAT mode, all packets going to a remote VPN gateway are first passed through NAT and then encrypted according to the VPN policy. If instead a VPN client or gateway on the LAN side of the VPN firewall wants to connect to another VPN endpoint on the WAN side (placing the VPN firewall between two VPN endpoints), the packets that reach the VPN firewall are already encrypted. NAT rewrites the IP header of those packets, and IPSec ESP and AH (IP protocols 50 and 51) and the GRE data channel of PPTP (IP protocol 47) carry no transport-layer ports for NAT to track, so the translated packets become invalid or untrackable unless you enable the VPN Pass through feature.
To let these tunnels pass through the VPN firewall without NAT filtering, select any or all of the following check boxes:
• IPSec. Disables NAT filtering for IPSec tunnels.
• PPTP. Disables NAT filtering for PPTP tunnels.
• L2TP. Disables NAT filtering for L2TP tunnels.
By default, all three check boxes are selected. If no host behind the VPN firewall needs a particular tunnel type, clearing its check box restores NAT filtering for that protocol.
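To make concrete why NAT interferes with these tunnels, an added example that is not NETGEAR's code and does not describe the firewall's internals: a small Python classifier over constructed IPv4 packets that reports which tunnel protocol a packet belongs to and whether it carries transport-layer ports at all. ESP and AH (IP protocols 50 and 51) and PPTP's GRE (IP protocol 47) have no ports, so a port-based NAT has nothing to translate or track, and AH additionally authenticates the outer IP header, so any rewrite breaks it. The header builder, addresses and packets are constructed for illustration, and the needs_passthrough flag is a simplification: a real pass-through implementation also tracks sessions, which this example does not attempt.

```python
import struct

IPPROTO_TCP, IPPROTO_UDP, IPPROTO_GRE, IPPROTO_ESP, IPPROTO_AH = 6, 17, 47, 50, 51
IKE_PORT, IPSEC_NATT_PORT, L2TP_PORT, PPTP_CTRL_PORT = 500, 4500, 1701, 1723


def _ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def ipv4(proto, src, dst, payload):
    """Minimal 20-byte IPv4 header (no options; header checksum left as zero)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, _ip_bytes(src), _ip_bytes(dst))
    return hdr + payload


def udp(sport, dport, data=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def tcp(sport, dport):
    # ports, seq, ack, data offset (5 words), flags (SYN), window, checksum, urgent
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 65535, 0, 0)


def classify(pkt):
    """Identify the tunnel protocol of one IPv4 packet and whether a port-based
    NAT has transport ports to work with.  Returns a dict."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    ports = struct.unpack("!HH", pkt[ihl:ihl + 4]) if proto in (IPPROTO_TCP, IPPROTO_UDP) else None
    dport = ports[1] if ports else None
    if proto in (IPPROTO_ESP, IPPROTO_AH):
        tunnel = "IPSec"                      # ESP/AH ride directly on IP, no ports
    elif proto == IPPROTO_GRE:
        tunnel = "PPTP"                       # PPTP data channel is GRE (RFC 2637)
    elif proto == IPPROTO_UDP and dport in (IKE_PORT, IPSEC_NATT_PORT):
        tunnel = "IPSec"                      # IKE / NAT-Traversal encapsulation
    elif proto == IPPROTO_UDP and dport == L2TP_PORT:
        tunnel = "L2TP"
    elif proto == IPPROTO_TCP and dport == PPTP_CTRL_PORT:
        tunnel = "PPTP"                       # PPTP control connection
    else:
        tunnel = None
    return {
        "proto": proto,
        "tunnel": tunnel,
        "ports": ports,
        # No ports: a NAPT cannot map the packet to an inside host, and for AH
        # any header rewrite invalidates the authentication.  These are the
        # cases the VPN Pass through check boxes exist for (simplified flag).
        "needs_passthrough": tunnel is not None and ports is None,
    }


def sample_packets():
    """Constructed packets (not captured): LAN host 192.168.1.10 talking to a
    WAN VPN endpoint 203.0.113.5, plus one ordinary DNS query for contrast."""
    src, dst = "192.168.1.10", "203.0.113.5"
    return {
        "esp": ipv4(IPPROTO_ESP, src, dst, b"\x00\x00\x00\x2a\x00\x00\x00\x01"),   # SPI, seq
        "ah": ipv4(IPPROTO_AH, src, dst, b"\x32\x04\x00\x00" + b"\x00" * 20),
        "ike": ipv4(IPPROTO_UDP, src, dst, udp(500, IKE_PORT)),
        "natt": ipv4(IPPROTO_UDP, src, dst, udp(4500, IPSEC_NATT_PORT)),
        "gre": ipv4(IPPROTO_GRE, src, dst, b"\x30\x01\x88\x0b\x00\x00\x00\x00"),  # PPTP GRE
        "pptp_ctrl": ipv4(IPPROTO_TCP, src, dst, tcp(40000, PPTP_CTRL_PORT)),
        "l2tp": ipv4(IPPROTO_UDP, src, dst, udp(1701, L2TP_PORT)),
        "dns": ipv4(IPPROTO_UDP, src, "203.0.113.53", udp(53000, 53)),
    }


def report():
    """Classification of every sample packet, keyed by name."""
    return {name: classify(pkt) for name, pkt in sample_packets().items()}


if __name__ == "__main__":
    for name, info in report().items():
        print(f"{name:10s} proto={info['proto']:<3d} tunnel={info['tunnel']!s:6s} "
              f"ports={info['ports']} needs_passthrough={info['needs_passthrough']}")
```

Running it shows that the ESP, AH and GRE packets are the ones with no ports, which is why a NAT device in the middle needs the corresponding IPSec or PPTP pass-through option, whereas L2TP (UDP 1701), IKE (UDP 500) and NAT-T (UDP 4500) at least give NAT a port pair to work with.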
Multicast Pass through
Enable IGMP
IP multicast pass-through allows multicast packets that originate in the WAN, such as packets from a media streaming or gaming application, to be forwarded to the LAN subnet. Internet Group Management Protocol (IGMP) is the protocol that IP hosts use to report their multicast group memberships to adjacent multicast routers, so the VPN firewall needs it to learn which groups to forward.
Select the Enable IGMP check box to enable IP multicast pass-through. By default, IP multicast pass-through is disabled; leave it disabled unless a LAN application needs WAN-originated multicast, because enabling it lets that traffic into the LAN subnet.
Table 31. Attack Checks screen settings for IPv4 (continued)
Setting | Description