Guidelines For Enhancing Security With Your Firewall; Triangle Routes; Triangle Routes And Ip Alias - ZyXEL Communications ZyXEL NBG334SH User Manual

802.11g super g high power wireless router

Chapter 11 Firewall
The ZyXEL Device is installed between the LAN and a broadband modem connecting to the
Internet. This allows it to act as a secure gateway for all data passing between the Internet and
the LAN.
The ZyXEL Device has one Ethernet WAN port and four Ethernet LAN ports, which are used
to physically separate the network into two areas. The WAN (Wide Area Network) port
attaches to the broadband (cable or DSL) modem that connects to the Internet.
The LAN (Local Area Network) port attaches to a network of computers, which needs security
from the outside world. These computers will have access to Internet services such as e-mail,
FTP and the World Wide Web. However, "inbound access" is not allowed (by default) unless
the remote host is authorized to use a specific service.

11.1.4 Guidelines For Enhancing Security With Your Firewall

1 Change the default password via the web configurator.
2 Think about access control before you connect to the network in any way, including
attaching a modem to the port.
3 Limit who can access your router.
4 Don't enable any local service (such as SNMP or NTP) that you don't use. Any enabled
service could present a potential security risk. A determined hacker might be able to find
creative ways to misuse the enabled services to access the firewall or the network.
5 For local services that are enabled, protect against misuse. Protect by configuring the
services to communicate only with specific peers, and protect by configuring rules to
block packets for the services at specific interfaces.
6 Protect against IP spoofing by making sure the firewall is active.
7 Keep the firewall in a secured (locked) room.

11.2 Triangle Routes

If an alternate gateway on the LAN has an IP address in the same subnet as the ZyXEL
Device's LAN IP address, return traffic may not go through the ZyXEL Device. This is called
an asymmetrical or "triangle" route. This causes the ZyXEL Device to reset the connection, as
the connection has not been acknowledged.
You can have the ZyXEL Device permit the use of asymmetrical route topology on the
network (not reset the connection).
Allowing asymmetrical routes may let traffic from the WAN go directly to the LAN without
passing through the ZyXEL Device. A better solution is to use IP alias to put the ZyXEL
Device and the backup gateway on separate subnets.

11.2.1 Triangle Routes and IP Alias

You can use IP alias instead of allowing triangle routes. IP alias allows you to partition your
network into logical sections over the same interface.
By putting your LAN and Gateway A in different subnets, all returning network traffic must
pass through the ZyXEL Device to your LAN. The following steps describe such a scenario.
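As an added illustration (not part of the ZyXEL manual), the following Python model compares the reply path and the resulting connection state when the alternate gateway shares the LAN subnet and when it sits on an IP alias subnet. All addresses are constructed, the function names are hypothetical, and the handshake logic is a simplified model of a stateful firewall, not the device's firmware.

```python
import ipaddress

def reply_hops(host, gateway_if, device_ifs):
    """Hops a WAN reply takes from the alternate gateway to a LAN host."""
    host = ipaddress.ip_address(host)
    gw = ipaddress.ip_interface(gateway_if)
    if host in gw.network:
        # Same subnet: the gateway delivers directly and bypasses the
        # firewall. This is the triangle route.
        return ["gateway", "host"]
    devs = [ipaddress.ip_interface(i) for i in device_ifs]
    # Assumption: the gateway's route to the host subnet points at the
    # firewall address (primary or IP alias) inside the gateway's subnet.
    sees_gw = any(gw.ip in d.network for d in devs)
    sees_host = any(host in d.network for d in devs)
    return ["gateway", "firewall", "host"] if sees_gw and sees_host else []

def handshake(hops, allow_asymmetric=False):
    """Simplified stateful view; the firewall already forwarded the SYN."""
    if not hops:
        return "NO_ROUTE"
    if "firewall" in hops:
        return "ESTABLISHED"        # SYN-ACK seen, connection acknowledged
    # The SYN-ACK never crossed the firewall, so its entry stays half-open.
    # Permitting asymmetrical routes keeps the session alive, but the
    # return traffic reaches the LAN uninspected.
    return "BYPASSES_FIREWALL" if allow_asymmetric else "RESET"

def audit(hosts, gateway_if, device_ifs, allow_asymmetric=False):
    """Map each LAN host to the outcome of a connection sent via the gateway."""
    return {h: handshake(reply_hops(h, gateway_if, device_ifs), allow_asymmetric)
            for h in hosts}

# Constructed sample addressing (not from the manual).
HOSTS = ["192.168.1.33", "192.168.1.34"]
FLAT_GW, FLAT_DEV = "192.168.1.254/24", ["192.168.1.1/24"]
ALIAS_GW, ALIAS_DEV = "192.168.2.2/24", ["192.168.1.1/24", "192.168.2.1/24"]

if __name__ == "__main__":
    print("gateway in LAN subnet:      ", audit(HOSTS, FLAT_GW, FLAT_DEV))
    print("same, asymmetry permitted:  ", audit(HOSTS, FLAT_GW, FLAT_DEV, True))
    print("gateway on IP alias subnet: ", audit(HOSTS, ALIAS_GW, ALIAS_DEV))
```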
ZyXEL NBG-334SH User's Guide
