Tcp Security - ZyXEL Communications ZyXEL ZyWALL 2WE User Manual

Zyxel internet security gateway user's guide
Hide thumbs Also See for ZyXEL ZyWALL 2WE:
Table of Contents

Advertisement

ZyWALL 2 and ZyWALL 2WE
These custom rules work by evaluating the network traffic's Source IP address, Destination IP address, IP
protocol type, and comparing these to rules set by the administrator.
The ability to define firewall rules is a very powerful tool. Using custom rules, it is
possible to disable all firewall protection or block all access to the Internet. Use
extreme caution when creating or deleting firewall rules. Test changes after
creating them to make sure they work correctly.
Below is a brief technical description of how these connections are tracked. Connections may either be
defined by the upper protocols (for instance, TCP), or by the ZyWALL itself (as with the "virtual
connections" created for UDP and ICMP).

13.5.3 TCP Security

The ZyWALL uses state information embedded in TCP packets. The first packet of any new connection has
its SYN flag set and its ACK flag cleared; these are "initiation" packets. All packets that do not have this flag
structure are called "subsequent" packets, since they represent data that occurs later in the TCP stream.
If an initiation packet originates on the WAN, this means that someone is trying to make a connection from
the Internet into the LAN. Except in a few special cases (see "Upper Layer Protocols" shown next), these
packets are dropped and logged.
If an initiation packet originates on the LAN, this means that someone is trying to make a connection from
the LAN to the Internet. Assuming that this is an acceptable part of the security policy (as is the case with the
default policy), the connection will be allowed. A cache entry is added which includes connection
information such as IP addresses, TCP ports, sequence numbers, etc.
When the ZyWALL receives any subsequent packet (from the Internet or from the LAN), its connection
information is extracted and checked against the cache. A packet is only allowed to pass through if it
corresponds to a valid connection (that is, if it is a response to a connection which originated on the LAN).
13.5.4 UDP/ICMP Security
UDP and ICMP do not themselves contain any connection information (such as sequence numbers).
However, at the very minimum, they contain an IP address pair (source and destination). UDP also contains
port pairs, and ICMP has type and code information. All of this data can be analyzed in order to build "virtual
connections" in the cache.
For instance, any UDP packet that originates on the LAN will create a cache entry. Its IP address and port
pairs will be stored. For a short period of time, UDP packets from the WAN that have matching IP and UDP
information will be allowed back in through the firewall.
13-10
Firewalls

Advertisement

Table of Contents
loading

This manual is also suitable for:

Zywall 2

Table of Contents