Udp/Icmp Security; Upper Layer Protocols; Guidelines For Enhancing Security With Your Firewall - ZyXEL Communications PRESTIGE 660H Series User Manual

Prestige 660H/HW Series User's Guide
When the Prestige receives any subsequent packet (from the Internet or from the LAN), its
connection information is extracted and checked against the cache. A packet is only allowed to
pass through if it corresponds to a valid connection (that is, if it is a response to a connection
which originated on the LAN).

12.5.4 UDP/ICMP Security

UDP and ICMP do not themselves contain any connection information (such as sequence
numbers). However, at the very minimum, they contain an IP address pair (source and
destination). UDP also contains port pairs, and ICMP has type and code information. All of
this data can be analyzed in order to build "virtual connections" in the cache.
For instance, any UDP packet that originates on the LAN will create a cache entry. Its IP
address and port pairs will be stored. For a short period of time, UDP packets from the WAN
that have matching IP and UDP information will be allowed back in through the firewall.
A similar situation exists for ICMP, except that the Prestige is even more restrictive.
Specifically, only outgoing echoes will allow incoming echo replies, outgoing address mask
requests will allow incoming address mask replies, and outgoing timestamp requests will
allow incoming timestamp replies. No other ICMP packets are allowed in through the firewall,
simply because they are too dangerous and contain too little tracking information. For
instance, ICMP redirect packets are never allowed in, since they could be used to reroute
traffic through attacking machines.

12.5.5 Upper Layer Protocols

Some higher layer protocols (such as FTP and RealAudio) utilize multiple network
connections simultaneously. In general terms, they usually have a "control connection" which
is used for sending commands between endpoints, and then "data connections" which are used
for transmitting bulk information.
Consider the FTP protocol. A user on the LAN opens a control connection to a server on the
Internet and requests a file. At this point, the remote server will open a data connection from
the Internet. For FTP to work properly, this connection must be allowed to pass through even
though a connection from the Internet would normally be rejected.
In order to achieve this, the Prestige inspects the application-level FTP data. Specifically, it
searches for outgoing "PORT" commands, and when it sees these, it adds a cache entry for the
anticipated data connection. This can be done safely, since the PORT command contains
address and port information, which can be used to uniquely identify the connection.
Any protocol that operates in this way must be supported on a case-by-case basis. You can use
the web configurator's Custom Ports feature to do this.

12.6 Guidelines for Enhancing Security with Your Firewall

• Change the default password via SMT or web configurator.
139 Chapter 12 Firewalls