Firewall Advanced - Motorola NVG510 Administrator's Handbook

Administrator's Handbook
Link: Firewall Advanced

Firewall Advanced

When you click the
All computer operating systems are vulnerable to attack from outside sources, typically at the operating system or
Internet Protocol (IP) layers. Stateful Inspection firewalls intercept and analyze incoming data packets to deter-
mine whether they should be admitted to your private LAN, based on multiple criteria, or blocked. Stateful inspec-
tion improves security by tracking data packets over a period of time, examining incoming and outgoing packets.
Outgoing packets that request specific types of incoming packets are tracked; only those incoming packets consti-
tuting a proper response are allowed through the firewall.
Stateful inspection is a security feature that prevents unsolicited inbound access when NAT is disabled. You can
configure UDP and TCP "no-activity" periods that will also apply to NAT time-outs if stateful inspection is enabled
on the interface. Stateful Inspection parameters are active on a WAN interface only if enabled on your Gateway.
Stateful inspection can be enabled on a WAN interface whether NAT is enabled or not.
DoS Protection – Denial-0f-Service attacks are common on the Internet, and can render an individual PC or a
whole network practically unusable by consuming all its resources. Your Gateway includes default settings to
block the most common types of DoS attacks. For special requirements or circumstances, a variety of additional
blocking characteristics is offered. See the following table.
Menu item
Drop packets with invalid source or
destination IP address
Protect against port scan
Drop packets with unknown ether
types
Drop packets with invalid TCP flags
Detect and drop packet floods
Flood limit (packets per second)
Flood burst limit (maximum num-
ber of packets in a burst)
If you make any changes here, click the
60
button the Firewall Advanced screen appears.
Function
invalid source or destination IP address
Whether packets with
are to be dropped
Whether to detect and drop port scans.
unknown ether types
Whether packets with
Whether packets with invalid TCP flag settings (NULL, FIN, Xmas,
etc.) should be dropped
Whether packet flooding should be detected and offending packets
be dropped
Specifies the number limit of packets per second before dropping the
remainder.
Specifies the number limit of packets in a single burst before dropping
the remainder.
Save
button.
(es)
are to be dropped