Guidelines For Enhancing Security With Your Firewall; Security Considerations - ZyXEL Communications PMG5318-B20A User Manual

Chapter 15 Firewall
• Allow everyone except your competitors to access a web server.
• Restrict use of certain protocols, such as Telnet, to authorized users on the LAN.
These custom rules work by comparing the source IP address, destination IP address and IP
protocol type of network traffic to rules set by the administrator. Your customized rules take
precedence and override the GPON Device's default rules.

15.4.2 Guidelines For Enhancing Security With Your Firewall

Change the default password via web configurator.
6
Think about access control before you connect to the network in any way.
7
Limit who can access your router.
8
Don't enable any local service (such as telnet or FTP) that you don't use. Any enabled service could
9
present a potential security risk. A determined hacker might be able to find creative ways to misuse
the enabled services to access the firewall or the network.
10 For local services that are enabled, protect against misuse. Protect by configuring the services to
communicate only with specific peers, and protect by configuring rules to block packets for the
services at specific interfaces.
11 Protect against IP spoofing by making sure the firewall is active.
12 Keep the firewall in a secured (locked) room.

15.4.3 Security Considerations

Note: Incorrectly configuring the firewall may block valid access or introduce security
risks to the GPON Device and your protected network. Use caution when creating or
deleting firewall rules and test your rules after you configure them.
Consider these security ramifications before creating a rule:
Does this rule stop LAN users from accessing critical resources on the Internet? For example, if IRC
1
is blocked, are there users that require this service?
Is it possible to modify the rule to be more specific? For example, if IRC is blocked for all users, will
2
a rule that blocks just certain users be more effective?
Does a rule that allows Internet users access to resources on the LAN create a security
3
vulnerability? For example, if FTP ports (TCP 20, 21) are allowed from the Internet to the LAN,
Internet users may be able to connect to computers with running FTP servers.
Does this rule conflict with any existing rules?
4
Once these questions have been answered, adding rules is simply a matter of entering the
information into the correct fields in the web configurator screens.
136
PMG5318-B20A User's Guide