Upper Layer Protocols; Guidelines For Enhancing Security With Your Firewall; Packet Filtering Vs Firewall - ZyXEL Communications ZyAIR G-2000 Plus User Manual

14.5.5 Upper Layer Protocols

Some higher layer protocols (such as FTP and RealAudio) utilize multiple network
connections simultaneously. In general terms, they usually have a "control connection" which
is used for sending commands between endpoints, and then "data connections" which are used
for transmitting bulk information.
Consider the FTP protocol. A user on the LAN opens a control connection to a server on the
Internet and requests a file. At this point, the remote server will open a data connection from
the Internet. For FTP to work properly, this connection must be allowed to pass through even
though a connection from the Internet would normally be rejected.
In order to achieve this, the ZyAIR inspects the application-level FTP data. Specifically, it
searches for outgoing "PORT" commands, and when it sees these; it adds a cache entry for the
anticipated data connection. This can be done safely, since the PORT command contains
address and port information, which can be used to uniquely identify the connection.
Any protocol that operates in this way must be supported on a case-by-case basis. You can use
the web configurator's Custom Services feature to do this.

14.6 Guidelines For Enhancing Security With Your Firewall

1 Change the default password via SMT or web configurator.
2 Think about access control before you connect a console port to the network in any way,
including attaching a modem to the port. Be aware that a break on the console port might
give unauthorized individuals total control of the firewall, even with access control
configured.
3 Limit who can telnet into your router.
4 Don't enable any local service (such as SNMP or NTP) that you don't use. Any enabled
service could present a potential security risk. A determined hacker might be able to find
creative ways to misuse the enabled services to access the firewall or the network.
5 For local services that are enabled, protect against misuse. Protect by configuring the
services to communicate only with specific peers, and protect by configuring rules to
block packets for the services at specific interfaces.
6 Protect against IP spoofing by making sure the firewall is active.
7 Keep the firewall in a secured (locked) room.

14.7 Packet Filtering Vs Firewall

Below are some comparisons between the ZyAIR's filtering and firewall functions.
Chapter 14 Firewalls
ZyAIR G-2000 Plus User's Guide
188