Tcp Security; Upper Layer Protocols; Udp/Icmp Security - ZyXEL Communications Prestige 662HW Series User Manual

802.11g wireless adsl 2+ 4 port security gateway

Prestige 662HW Series User's Guide
block all access to the Internet. Use extreme caution when creating
or deleting firewall rules. Test changes after creating them to make
sure they work correctly.
Below is a brief technical description of how these connections are tracked. Connections may either be
defined by the upper protocols (for instance, TCP), or by the Prestige itself (as with the "virtual
connections" created for UDP and ICMP).

11.5.3 TCP Security

The Prestige uses state information embedded in TCP packets. The first packet of any new connection
has its SYN flag set and its ACK flag cleared; these are "initiation" packets. All packets that do not
have this flag structure are called "subsequent" packets, since they represent data that occurs later in
the TCP stream.
If an initiation packet originates on the WAN, this means that someone is trying to make a connection
from the Internet into the LAN. Except in a few special cases (see "Upper Layer Protocols" shown
next), these packets are dropped and logged.
If an initiation packet originates on the LAN, this means that someone is trying to make a connection
from the LAN to the Internet. Assuming that this is an acceptable part of the security policy (as is the
case with the default policy), the connection will be allowed. A cache entry is added which includes
connection information such as IP addresses, TCP ports, sequence numbers, etc.
When the Prestige receives any subsequent packet (from the Internet or from the LAN), its connection
information is extracted and checked against the cache. A packet is only allowed to pass through if it
corresponds to a valid connection (that is, if it is a response to a connection which originated on the
LAN).

11.5.4 UDP/ICMP Security

UDP and ICMP do not themselves contain any connection information (such as sequence numbers).
However, at the very minimum, they contain an IP address pair (source and destination). UDP also
contains port pairs, and ICMP has type and code information. All of this data can be analyzed in order
to build "virtual connections" in the cache.
For instance, any UDP packet that originates on the LAN will create a cache entry. Its IP address and
port pairs will be stored. For a short period of time, UDP packets from the WAN that have matching
IP and UDP information will be allowed back in through the firewall.
A similar situation exists for ICMP, except that the Prestige is even more restrictive. Specifically, only
outgoing echoes will allow incoming echo replies, outgoing address mask requests will allow
incoming address mask replies, and outgoing timestamp requests will allow incoming timestamp
replies. No other ICMP packets are allowed in through the firewall, simply because they are too
dangerous and contain too little tracking information. For instance, ICMP redirect packets are never
allowed in, since they could be used to reroute traffic through attacking machines.
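As an added illustration (not code from the ZyXEL manual), the Python sketch below implements the tracking rules of sections 11.5.3 and 11.5.4: TCP initiation packets (SYN set, ACK clear) are dropped when they arrive from the WAN and cached when they leave the LAN, subsequent packets must match the cache, an outbound UDP packet opens a short-lived "virtual connection", and only the three ICMP request/reply pairs named above are admitted. The 30-second lifetime, the packet dictionary layout and the class name are assumptions; the Prestige's real cache structure and timeouts are not documented on this page.

```python
import time

SYN, ACK = 0x02, 0x10                     # TCP flag bits
ICMP_REPLY_FOR = {8: 0, 13: 14, 17: 18}   # echo, timestamp, address-mask request -> reply type
VIRTUAL_TIMEOUT = 30.0                    # seconds; assumed, the manual only says "a short period"

class StatefulFirewall:
    # Packets are dicts: proto, src=(ip, port), dst=(ip, port), plus flags (tcp) or type (icmp)
    def __init__(self, now=time.monotonic):
        self.now = now
        self.cache = {}   # connection key -> expiry (None for TCP, which lives until torn down)
        self.log = []     # (reason, packet) for every drop, since the manual says drops are logged

    def _key(self, pkt, direction):
        # Normalise so the LAN endpoint comes first whichever way the packet is travelling
        lan, wan = (pkt["src"], pkt["dst"]) if direction == "LAN" else (pkt["dst"], pkt["src"])
        if pkt["proto"] == "icmp":   # outbound requests are indexed by the reply type expected back
            t = ICMP_REPLY_FOR.get(pkt["type"]) if direction == "LAN" else pkt["type"]
            return ("icmp", lan[0], wan[0], t)
        return (pkt["proto"], lan, wan)

    def _drop(self, pkt, reason):
        self.log.append((reason, pkt))
        return "DROP"

    def _live(self, key):
        expiry = self.cache.get(key, False)   # False = no cache entry at all
        return expiry is not False and (expiry is None or expiry > self.now())

    def filter(self, pkt, direction):
        """direction is where the packet originates: 'LAN' or 'WAN'. Returns 'ALLOW' or 'DROP'."""
        key = self._key(pkt, direction)
        if pkt["proto"] == "tcp":
            initiation = bool(pkt["flags"] & SYN) and not (pkt["flags"] & ACK)
            if initiation and direction == "WAN":
                return self._drop(pkt, "inbound TCP initiation (SYN without ACK)")
            if initiation:                    # LAN-originated: allowed by default policy, cached
                self.cache[key] = None
                return "ALLOW"
            return "ALLOW" if self._live(key) else self._drop(pkt, "TCP packet matches no connection")
        if pkt["proto"] == "udp":
            if direction == "LAN":            # create a short-lived virtual connection
                self.cache[key] = self.now() + VIRTUAL_TIMEOUT
                return "ALLOW"
            return "ALLOW" if self._live(key) else self._drop(pkt, "UDP packet matches no virtual connection")
        if pkt["proto"] == "icmp":
            if direction == "LAN":
                if key[3] is not None:        # only echo/timestamp/address-mask requests open a reply slot
                    self.cache[key] = self.now() + VIRTUAL_TIMEOUT
                return "ALLOW"
            return "ALLOW" if self._live(key) else self._drop(pkt, "unsolicited ICMP type %d" % pkt["type"])
        return self._drop(pkt, "unsupported protocol")
```

Because the clock is injectable, the UDP timeout can be exercised deterministically; an inbound ICMP redirect (type 5) never matches any cache entry and is therefore always dropped, as the text requires.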

11.5.5 Upper Layer Protocols

Some higher layer protocols (such as FTP and RealAudio) utilize multiple network connections
simultaneously. In general terms, they usually have a "control connection" which is used for sending
commands between endpoints, and then "data connections" which are used for transmitting bulk
information.
11-8
Firewalls
