ZyXEL Communications ZyWALL 5 User Manual page 136

Internet security appliance
ZyWALL 5 Internet Security Appliance
The ability to define firewall rules is a very powerful tool. Using
custom rules, it is possible to disable all firewall protection or
block all access to the Internet. Use extreme caution when creating
or deleting firewall rules. Test changes after creating them to make
sure they work correctly.
Below is a brief technical description of how these connections are tracked. Connections may either be
defined by the upper protocols (for instance, TCP), or by the ZyWALL itself (as with the "virtual
connections" created for UDP and ICMP).
9.5.3 TCP Security
The ZyWALL uses state information embedded in TCP packets. The first packet of any new
connection has its SYN flag set and its ACK flag cleared; these are "initiation" packets. All packets
that do not have this flag structure are called "subsequent" packets, since they represent data that
occurs later in the TCP stream.
If an initiation packet originates on the WAN, this means that someone is trying to make a connection
from the Internet into the LAN. Except in a few special cases (see "Upper Layer Protocols" shown
next), these packets are dropped and logged.
If an initiation packet originates on the LAN, this means that someone is trying to make a connection
from the LAN to the Internet. Assuming that this is an acceptable part of the security policy (as is the
case with the default policy), the connection will be allowed. A cache entry is added which includes
connection information such as IP addresses, TCP ports, sequence numbers, etc.
When the ZyWALL receives any subsequent packet (from the Internet or from the LAN), its
connection information is extracted and checked against the cache. A packet is only allowed to pass
through if it corresponds to a valid connection (that is, if it is a response to a connection which
originated on the LAN).
9.5.4 UDP/ICMP Security
UDP and ICMP do not themselves contain any connection information (such as sequence numbers).
However, at the very minimum, they contain an IP address pair (source and destination). UDP also
contains port pairs, and ICMP has type and code information. All of this data can be analyzed in order
to build "virtual connections" in the cache.
For instance, any UDP packet that originates on the LAN will create a cache entry. Its IP address and
port pairs will be stored. For a short period of time, UDP packets from the WAN that have matching
IP and UDP information will be allowed back in through the firewall.
A similar situation exists for ICMP, except that the ZyWALL is even more restrictive. Specifically,
only outgoing echoes will allow incoming echo replies, outgoing address mask requests will allow
incoming address mask replies, and outgoing timestamp requests will allow incoming timestamp
replies. No other ICMP packets are allowed in through the firewall, simply because they are too
dangerous and contain too little tracking information. For instance, ICMP redirect packets are never
allowed in, since they could be used to reroute traffic through attacking machines.
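The TCP, UDP and ICMP tracking rules of sections 9.5.3 and 9.5.4 can be written out as a small stateful inspection model. The code below is an added teaching example, not ZyWALL firmware or anything from this manual: the interface names, verdict strings, the 30-second virtual-connection timeout (the manual says only "a short period of time") and the decision to let all outbound ICMP through while tracking only the three request types are assumptions of the example. The cache is keyed from the LAN host's point of view so that a reply arriving on the WAN maps to the entry created by the outbound packet.

```python
"""Model of the stateful inspection described in sections 9.5.3 and 9.5.4.

Constructed example (not ZyWALL code): TCP packets are split into
initiation/subsequent, LAN-originated connections are cached, and UDP/ICMP
get short-lived "virtual connections" that only admit matching replies.
"""
from dataclasses import dataclass

LAN, WAN = "LAN", "WAN"
ALLOW, DROP = "ALLOW", "DROP"

# ICMP request type -> reply type admitted back in (RFC 792 numbers):
# echo 8/0, timestamp 13/14, address mask 17/18. Nothing else is tracked.
ICMP_REPLY_FOR_REQUEST = {8: 0, 13: 14, 17: 18}
ICMP_REQUEST_FOR_REPLY = {r: q for q, r in ICMP_REPLY_FOR_REQUEST.items()}

# Assumed lifetime of a UDP/ICMP virtual connection; the manual gives no number.
VIRTUAL_CONN_TIMEOUT = 30.0


@dataclass(frozen=True)
class Packet:
    iface: str            # interface the packet arrived on: LAN or WAN
    proto: str            # "TCP", "UDP" or "ICMP"
    src: str
    dst: str
    sport: int = 0        # TCP/UDP ports (unused for ICMP)
    dport: int = 0
    syn: bool = False     # TCP flags
    ack: bool = False
    icmp_type: int = -1   # ICMP type (unused for TCP/UDP)


class StatefulFirewall:
    def __init__(self):
        self.cache = {}   # key -> expiry time (None = TCP entry, no timeout here)
        self.log = []     # (verdict, reason, packet), as the ZyWALL logs drops

    @staticmethod
    def _key(pkt, icmp_request_type=None):
        # Normalise so LAN-side endpoint comes first regardless of direction.
        if pkt.iface == LAN:
            lan, wan = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
        else:
            lan, wan = (pkt.dst, pkt.dport), (pkt.src, pkt.sport)
        if pkt.proto == "ICMP":
            return ("ICMP", lan[0], wan[0], icmp_request_type)
        return (pkt.proto, lan, wan)

    def _verdict(self, verdict, reason, pkt):
        self.log.append((verdict, reason, pkt))
        return verdict

    def _cached(self, key, now):
        if key not in self.cache:
            return False
        expiry = self.cache[key]
        if expiry is not None and expiry < now:
            del self.cache[key]          # virtual connection has timed out
            return False
        return True

    def filter(self, pkt, now=0.0):
        handler = {"TCP": self._tcp, "UDP": self._udp, "ICMP": self._icmp}.get(pkt.proto)
        return handler(pkt, now) if handler else self._verdict(DROP, "unknown protocol", pkt)

    def _tcp(self, pkt, now):
        key = self._key(pkt)
        if pkt.syn and not pkt.ack:              # "initiation" packet
            if pkt.iface == WAN:
                return self._verdict(DROP, "inbound TCP initiation", pkt)
            self.cache[key] = None               # LAN-originated: add cache entry
            return self._verdict(ALLOW, "outbound TCP initiation", pkt)
        if self._cached(key, now):               # "subsequent" packet
            return self._verdict(ALLOW, "subsequent packet of known connection", pkt)
        return self._verdict(DROP, "subsequent packet with no connection", pkt)

    def _udp(self, pkt, now):
        key = self._key(pkt)
        if pkt.iface == LAN:
            self.cache[key] = now + VIRTUAL_CONN_TIMEOUT
            return self._verdict(ALLOW, "outbound UDP, virtual connection created", pkt)
        if self._cached(key, now):
            return self._verdict(ALLOW, "UDP reply matches virtual connection", pkt)
        return self._verdict(DROP, "unsolicited inbound UDP", pkt)

    def _icmp(self, pkt, now):
        if pkt.iface == LAN:
            if pkt.icmp_type in ICMP_REPLY_FOR_REQUEST:
                self.cache[self._key(pkt, pkt.icmp_type)] = now + VIRTUAL_CONN_TIMEOUT
            return self._verdict(ALLOW, "outbound ICMP", pkt)
        request_type = ICMP_REQUEST_FOR_REPLY.get(pkt.icmp_type)
        if request_type is not None and self._cached(self._key(pkt, request_type), now):
            return self._verdict(ALLOW, "ICMP reply matches outbound request", pkt)
        # Redirects (type 5) and any other untracked inbound ICMP end up here.
        return self._verdict(DROP, "inbound ICMP with no matching request", pkt)


def demo():
    """Constructed packet sequence; addresses are documentation ranges."""
    fw, lan_host, web, dns = StatefulFirewall(), "192.168.1.33", "203.0.113.10", "203.0.113.53"
    return [
        fw.filter(Packet(WAN, "TCP", web, lan_host, 40000, 80, syn=True)),            # DROP
        fw.filter(Packet(LAN, "TCP", lan_host, web, 51000, 80, syn=True)),            # ALLOW
        fw.filter(Packet(WAN, "TCP", web, lan_host, 80, 51000, syn=True, ack=True)),  # ALLOW
        fw.filter(Packet(WAN, "TCP", web, lan_host, 80, 51001, ack=True)),            # DROP
        fw.filter(Packet(LAN, "UDP", lan_host, dns, 40000, 53), now=100.0),           # ALLOW
        fw.filter(Packet(WAN, "UDP", dns, lan_host, 53, 40000), now=100.5),           # ALLOW
        fw.filter(Packet(WAN, "UDP", dns, lan_host, 53, 40000), now=200.0),           # DROP (timed out)
        fw.filter(Packet(LAN, "ICMP", lan_host, web, icmp_type=8), now=300.0),        # ALLOW
        fw.filter(Packet(WAN, "ICMP", web, lan_host, icmp_type=0), now=300.1),        # ALLOW
        fw.filter(Packet(WAN, "ICMP", web, lan_host, icmp_type=5), now=300.2),        # DROP (redirect)
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The fourth packet shows why the cache matters: it carries a plausible source port and the ACK flag, but because no LAN host opened port 51001 there is no entry for it, so it is dropped as a subsequent packet without a connection. The seventh shows the UDP timeout, and the last shows that an inbound redirect is never admitted, since no outbound request can create an entry for it.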
9.5.5 Upper Layer Protocols
Some higher layer protocols (such as FTP and RealAudio) utilize multiple network connections
simultaneously. In general terms, they usually have a "control connection" which is used for sending
9-8
Firewalls