Udp/icmp security, Upper layer protocols – ZyXEL Communications Broadband Security Gateway P-312 User Manual

P312 Broadband Security Gateway

What Is a Firewall?

13-9

When any subsequent packet hits the box (from the Internet or from the LAN), its connection information is
extracted and checked against the cache. A packet is only allowed to pass through if it corresponds to a valid
connection (that is, if it is a response to a connection which originated on the LAN).

13.4.4 UDP/ICMP Security

UDP and ICMP do not themselves contain any connection information (such as sequence numbers).
However, at the very minimum, they contain an IP address pair (source and destination). UDP also contains
port pairs, and ICMP has type and code information. All of this data can be analyzed in order to build
"virtual connections" in the cache.
For instance, any UDP packet that originates on the LAN will create a cache entry. Its IP address and port
pairs will be stored. For a short period of time, UDP packets from the WAN that have matching IP and UDP
information will be allowed back in through the firewall.
A similar situation exists for ICMP, except that the Prestige is even more restrictive. Specifically, only
outgoing echoes will allow incoming echo replies, outgoing address mask requests will allow incoming
address mask replies, and outgoing timestamp requests will allow incoming timestamp replies. No other
ICMP packets are allowed in through the firewall, simply because they are too dangerous and contain too
little tracking information. For instance, ICMP redirect packets are never allowed in, since they could be used
to reroute traffic through attacking machines.

13.4.5 Upper Layer Protocols

Some higher layer protocols (such as FTP and RealAudio) utilize multiple network connections
simultaneously. In general terms, they usually have a "control connection" which is used for sending
commands between endpoints, and then "data connections" which are used for transmitting bulk information.
Consider the FTP protocol. A user on the LAN opens a control connection to a server on the Internet and
requests a file. At this point, the remote server will open a data connection from the Internet. For FTP to
work properly, this connection must be allowed to pass through even though a connection from the Internet
would normally be rejected.
In order to achieve this, the Prestige inspects the application-level FTP data. Specifically, it searches for
outgoing "PORT" commands, and when it sees these, it adds a cache entry for the anticipated data
connection. This can be done safely, since the PORT command contains address and port information, which
can be used to uniquely identify the connection.
Any protocol that operates in this way must be supported on a case-by-case basis. You can use the Prestige
Web Configurator’s Custom Ports feature to do this.
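The following is an added illustration of the two mechanisms described above (UDP/ICMP "virtual connections" and FTP PORT inspection), written for this page; it is not the Prestige firmware and does not reproduce ZyXEL's implementation. It assumes packets are handed to the cache as plain dictionaries, that the cache key layout, the time-outs and the clock parameter are all chosen here for illustration, and that the sample addresses and the PORT line are constructed test data. Beyond what the page states, it consumes an FTP data-connection entry after one use and ignores PORT commands that name an address other than the client's own, two checks a practitioner would want before opening an inbound hole.

```python
import re
import time

# ICMP type numbers from RFC 792. Only the three request/reply pairs the manual
# names are paired; any other inbound ICMP is refused.
ICMP_REPLY_FOR = {
    8: 0,     # echo request         -> echo reply
    13: 14,   # timestamp request    -> timestamp reply
    17: 18,   # address mask request -> address mask reply
}
ICMP_REDIRECT = 5

# FTP active-mode command: "PORT h1,h2,h3,h4,p1,p2" (RFC 959 layout)
PORT_RE = re.compile(r"PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_port_command(line):
    """Return (ip, port) announced by an FTP PORT command, or None if malformed."""
    m = PORT_RE.search(line)
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return ip, port


class StatefulCache:
    """Connection cache for a LAN-side firewall (assumed key layout, not ZyXEL's)."""

    def __init__(self, udp_ttl=30.0, icmp_ttl=5.0, tcp_ttl=3600.0, clock=time.monotonic):
        self.entries = {}            # key tuple -> expiry time
        self.ttl = {"udp": udp_ttl, "icmp": icmp_ttl, "tcp": tcp_ttl}
        self.clock = clock           # injectable so tests can age entries

    def _add(self, key):
        self.entries[key] = self.clock() + self.ttl[key[0]]

    def _has(self, key):
        expiry = self.entries.get(key)
        if expiry is None:
            return False
        if expiry < self.clock():
            del self.entries[key]    # the virtual connection has timed out
            return False
        return True

    def outbound(self, pkt):
        """A packet leaving the LAN: record the virtual connection it creates."""
        proto = pkt["proto"]
        if proto in ("udp", "tcp"):
            self._add((proto, pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]))
        elif proto == "icmp" and pkt["type"] in ICMP_REPLY_FOR:
            # only the matching reply type, only from the host we sent the request to
            self._add(("icmp", pkt["src"], pkt["dst"], ICMP_REPLY_FOR[pkt["type"]]))
        # FTP control channel: pre-authorise the data connection a PORT command announces
        if proto == "tcp" and pkt["dport"] == 21:
            parsed = parse_port_command(pkt.get("payload", ""))
            if parsed and parsed[0] == pkt["src"]:      # never for a third-party address
                self._add(("tcp", pkt["dst"], None, parsed[0], parsed[1]))

    def inbound(self, pkt):
        """A packet arriving from the WAN: allowed only if it matches a cached entry."""
        proto = pkt["proto"]
        if proto == "udp":
            return self._has(("udp", pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"]))
        if proto == "icmp":
            if pkt["type"] == ICMP_REDIRECT:            # always refused, as the manual says
                return False
            return self._has(("icmp", pkt["dst"], pkt["src"], pkt["type"]))
        if proto == "tcp":
            if pkt.get("syn") and not pkt.get("ack"):
                # a fresh connection from the Internet: only if an FTP PORT announced it
                expected = ("tcp", pkt["src"], None, pkt["dst"], pkt["dport"])
                if not self._has(expected):
                    return False
                del self.entries[expected]              # one-shot: the hole closes once used
                self._add(("tcp", pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"]))
                return True
            return self._has(("tcp", pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"]))
        return False


if __name__ == "__main__":
    # Constructed traffic: a LAN host 192.168.1.10 talking to a WAN host 203.0.113.5
    cache = StatefulCache()
    cache.outbound({"proto": "icmp", "src": "192.168.1.10", "dst": "203.0.113.5", "type": 8, "code": 0})
    print("echo reply allowed:", cache.inbound({"proto": "icmp", "src": "203.0.113.5",
                                                "dst": "192.168.1.10", "type": 0, "code": 0}))
    print("redirect allowed:", cache.inbound({"proto": "icmp", "src": "203.0.113.5",
                                              "dst": "192.168.1.10", "type": 5, "code": 1}))
```

The PORT argument encodes the port as two bytes, so `PORT 192,168,1,10,156,64` announces port 156*256+64 = 40000; a reply that names a different address, a malformed octet, or a second SYN after the announced connection has been used is dropped rather than let through.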

13.5 Guidelines For Enhancing Security With Your Firewall

1. Change the default password on the SMT and Web Configurator.
2. Think about access control before you connect a console port to the network in any way, including
attaching a modem to the port. Be aware that a break on the console port might give total control of the
firewall, even with access control configured.