Stateful Inspection Firewall - ZyXEL Communications P-320W v3 User Manual

802.11g wireless firewall router

Chapter 12 Firewall
12.3.1 About the P-320W v3 Firewall

The P-320W v3 firewall is a stateful inspection firewall and is designed to protect
against Denial of Service attacks when activated (click the General tab under
Firewall and then click the Enable Firewall check box). The P-320W v3's
purpose is to allow a private Local Area Network (LAN) to be securely connected to
the Internet. The P-320W v3 can be used to prevent theft, destruction and
modification of data, as well as log events, which may be important to the security
of your network.

The P-320W v3 is installed between the LAN and a broadband modem connecting
to the Internet. This allows it to act as a secure gateway for all data passing
between the Internet and the LAN.

The P-320W v3 has one Ethernet WAN port and four Ethernet LAN ports, which are
used to physically separate the network into two areas. The WAN (Wide Area
Network) port attaches to the broadband (cable or DSL) modem that connects to the
Internet. The LAN (Local Area Network) port attaches to a network of computers, which
needs security from the outside world. These computers will have access to
Internet services such as e-mail, FTP and the World Wide Web. However, "inbound
access" is not allowed (by default) unless the remote host is authorized to use a
specific service.

12.3.1.1 Stateful Inspection Firewall

Stateful inspection firewalls restrict access by screening data packets against
defined access rules. They make access control decisions based on IP address and
protocol. They also "inspect" the session data to assure the integrity of the
connection and to adapt to dynamic protocols. These firewalls generally provide
the best speed and transparency; however, they may lack the granular application
level access control or caching that some proxies support. Firewalls, of one type or
another, have become an integral part of standard security solutions for
enterprises.
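
The behaviour described above (sessions opened from the LAN pass, replies are matched against tracked state, and inbound access is dropped unless a remote host is authorized for a specific service) as a small Python model. This is an added example, not ZyXEL firmware code; the class names, the addresses and the authorized SSH rule are assumptions, and NAT and session timeouts are left out.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    iface: str                      # arrival port: "lan" or "wan"
    proto: str                      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()  # TCP flags, e.g. frozenset({"SYN"})

class StatefulFirewall:             # hypothetical model, not device firmware
    def __init__(self, inbound_allow=()):
        self.inbound_allow = set(inbound_allow)  # (remote_host, proto, local_port)
        self.sessions = set()                    # state table of tracked flows

    @staticmethod
    def _flow(p):
        # Key is (proto, LAN endpoint, WAN endpoint), so a WAN reply maps to its session.
        inside, outside = (p.src, p.sport), (p.dst, p.dport)
        if p.iface == "wan":
            inside, outside = outside, inside
        return (p.proto, inside, outside)

    def filter(self, p):
        flow = self._flow(p)
        if flow in self.sessions:
            if "RST" in p.flags:    # teardown: forget the session
                self.sessions.discard(flow)
            return "ALLOW"
        if p.proto == "tcp" and p.flags != frozenset({"SYN"}):
            return "DROP"           # without state, only a bare SYN may open TCP
        if p.iface == "lan" or (p.src, p.proto, p.dport) in self.inbound_allow:
            self.sessions.add(flow)
            return "ALLOW"
        return "DROP"               # default: no inbound access

def demo():  # constructed sample traffic; WAN hosts use RFC 5737 documentation addresses
    S, SA, A, R = (frozenset(f) for f in (["SYN"], ["SYN", "ACK"], ["ACK"], ["RST"]))
    lan, web, admin, other = "192.168.1.33", "203.0.113.10", "198.51.100.7", "203.0.113.99"
    fw = StatefulFirewall(inbound_allow=[(admin, "tcp", 22)])
    pkts = [Packet("lan", "tcp", lan, 40000, web, 80, S),    # LAN host opens session
            Packet("wan", "tcp", web, 80, lan, 40000, SA),   # reply matches state
            Packet("wan", "tcp", other, 5555, lan, 22, S),   # unauthorized inbound
            Packet("wan", "tcp", admin, 5555, lan, 22, S),   # authorized inbound
            Packet("wan", "tcp", web, 80, lan, 40000, R),    # RST closes session
            Packet("wan", "tcp", web, 80, lan, 40000, A)]    # late packet, state gone
    return [fw.filter(p) for p in pkts]
```
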

12.3.2 Security Parameter Index (SPI)

An SPI is used to distinguish different SAs terminating at the same destination and
using the same IPSec protocol. This data allows for the multiplexing of SAs to a
single gateway. The SPI (Security Parameter Index), along with a destination IP
address, uniquely identifies a particular Security Association (SA). The SPI is
transmitted from the remote VPN gateway to the local VPN gateway. The local VPN
gateway then uses the network, encryption and key values that the administrator
associated with the SPI to establish the tunnel. The current ZyXEL implementation
assumes identical outgoing and incoming SPIs.