1 acl (access control list), 2 stateful packet inspection, 3 defense against dos attacks – Asus SL1000 User Manual

Internet Security Router User

’s Manual

Chapter 2 Getting to Know the Internet Security Router

5

„ Reverse Static – This is inbound mapping that maps a globally valid Internet address to an internal

host address. All packets coming to that external address are relayed to the internal address. This is
useful when hosting services in an internal machine.

„ Reverse NAPT – Also called inbound mapping, port mapping, and virtual server. Any packet coming

to the router can be relayed to the internal host based on the protocol, port number or IP Address
specified in the rule. This is useful when multiple services are hosted on different internal machines.

Note

For a complete listing of all NAT ALGs supported, refer to
Appendix A

“ALG Configuration” on.

2.4.1.1

ACL (Access Control List)

ACL rule is one of the basic building blocks for network security. Firewall monitors each individual packet,
decodes the header information of inbound and outbound traffic and then either blocks the packet from
passing or allows it to pass based on the contents of the source address, destination address, source port,
destination port, protocol and other criterion, e.g. application filter, time ranges, defined in the ACL rules.

ACL is a very appropriate measure for providing isolation of one subnet from another. It can be used as the
first line of defense in the network to block inbound packets of specific types from ever reaching the protected
network.

The Internet Security Router Firewall

’s ACL methodology supports:

„ Filtering based on destination and source IP address, port number and protocol
„ Use of the wild card for composing filter rules
„ Filter Rule priorities
„ Time based filters
„ Application specific filters
„ User group based filters for remote access

2.4.1.2

Stateful Packet Inspection

The Internet Security Router Firewall uses

“stateful packet inspection” that extracts state-related information

required for the security decision from the packet and maintains this information for evaluating subsequent
connection attempts. It has awareness of application and creates dynamic sessions that allow dynamic
connections so that no ports need to be opened other than the required ones. This provides a solution which is
highly secure and that offers scalability and extensibility.

2.4.1.3

Defense against DoS Attacks

The Internet Security Router Firewall has an Attack Defense Engine that protects internal networks from
known types of Internet attacks. It provides automatic protection from Denial of Service (DoS) attacks such as
SYN flooding, IP smurfing, LAND, Ping of Death and all re-assembly attacks. It can drop ICMP redirects and
IP loose/strict source routing packets. For example, the Internet Security Router Firewall provides protection
from

“WinNuke”, a widely used program to remotely crash unprotected Windows systems in the Internet. The

Internet Security Router Firewall also provides protection from a variety of common Internet attacks such as IP
Spoofing, Ping of Death, Land Attack, Reassembly and SYN flooding.

The type of attack protections provided by the Internet Security Router are listed in Table 2.3.

Table 2.3. DoS Attacks

Type of Attack

Name of Attacks

Re-assembly attacks

Bonk, Boink, Teardrop (New Tear),
Overdrop, Opentear, Syndrop, Jolt

ICMP Attacks

Ping of Death, Smurf, Twinge

Flooders

ICMP Flooder, UDP Flooder, SYN