ZyXEL Communications 792H User Manual

Prestige 792H G.SHDSL Router

Firewalls

8-11

8.5.5 Upper Layer Protocols

Some higher layer protocols (such as FTP and RealAudio) utilize multiple network connections
simultaneously. In general terms, they usually have a "control connection" which is used for sending
commands between endpoints, and then "data connections" which are used for transmitting bulk information.

Consider the FTP protocol. A user on the LAN opens a control connection to a server on the Internet and
requests a file. At this point, the remote server will open a data connection from the Internet. For FTP to
work properly, this connection must be allowed to pass through even though a connection from the Internet
would normally be rejected.

In order to achieve this, the Prestige inspects the application-level FTP data. Specifically, it searches for
outgoing "PORT" commands, and when it sees these, it adds a cache entry for the anticipated data
connection. This can be done safely, since the PORT command contains address and port information, which
can be used to uniquely identify the connection.

Any protocol that operates in this way must be supported on a case-by-case basis. You can use the web
configurator’s Custom Ports feature to do this.

8.6 Guidelines for Enhancing Security with Your Firewall

1. Change the default password via SMT or web configurator.

2. Think about access control before you connect a console port to the network in any way, including

attaching a modem to the port. Be aware that a break on the console port might give unauthorized
individuals total control of the firewall, even with access control configured.

3. Limit who can telnet into your router.

4. Don't enable any local service (such as SNMP or NTP) that you don't use. Any enabled service could

present a potential security risk. A determined hacker might be able to find creative ways to misuse the
enabled services to access the firewall or the network.

5. For local services that are enabled, protect against misuse. Protect by configuring the services to

communicate only with specific peers, and protect by configuring rules to block packets for the services
at specific interfaces.

6. Protect against IP spoofing by making sure the firewall is active.

7. Keep the firewall in a secured (locked) room.

8.6.1 Security In General

You can never be too careful! Factors outside your firewall, filtering or NAT can cause security breaches.
Below are some generalizations about what you can do to minimize them.