User manual ZYXEL PRESTIGE 661H

[. . . ] P-661H/HW Series 802. 11g Wireless ADSL2+ 4-port Security Gateway User's Guide Version 3. 40 Edition 1 5/2006 P-661H/HW Series User's Guide Copyright Copyright © 2006 by ZyXEL Communications Corporation. The contents of this publication may not be reproduced in any part or as a whole, transcribed, stored in a retrieval system, translated into any language, or transmitted in any form or by any means, electronic, mechanical, magnetic, optical, chemical, photocopying, manual, or otherwise, without the prior written permission of ZyXEL Communications Corporation. All rights reserved. Disclaimer ZyXEL does not assume any liability arising out of the application or use of any products, or software described herein. Neither does it convey any license under its patent rights nor the patent rights of others. [. . . ] For instance, ICMP redirect packets are never allowed in, since they could be used to reroute traffic through attacking machines. 8. 5. 5 Upper Layer Protocols Some higher layer protocols (such as FTP and RealAudio) utilize multiple network connections simultaneously. In general terms, they usually have a "control connection" which is used for sending commands between endpoints, and then "data connections" which are used for transmitting bulk information. A user on the LAN opens a control connection to a server on the Internet and requests a file. At this point, the remote server will open a data connection from the Internet. For FTP to work properly, this connection must be allowed to pass through even though a connection from the Internet would normally be rejected. In order to achieve this, the ZyXEL Device inspects the application-level FTP data. Specifically, it searches for outgoing "PORT" commands, and when it sees these, it adds a cache entry for the anticipated data connection. This can be done safely, since the PORT command contains address and port information, which can be used to uniquely identify the connection. Any protocol that operates in this way must be supported on a case-by-case basis. You can use the web configurator's Custom Ports feature to do this. 8. 6 Guidelines for Enhancing Security with Your Firewall · Change the default password. · Don't enable any local service (such as SNMP or NTP) that you don't use. A determined hacker might be able to find creative ways to misuse the enabled services to access the firewall or the network. Protect by configuring the services to communicate only with specific peers, and protect by configuring rules to block packets for the services at specific interfaces. · Protect against IP spoofing by making sure the firewall is active. · Keep the firewall in a secured (locked) room. 8. 6. 1 Security In General You can never be too careful!Factors outside your firewall, filtering or NAT can cause security breaches. Below are some generalizations about what you can do to minimize them. 154 Chapter 8 Firewalls P-661H/HW Series User's Guide · Encourage your company or organization to develop a comprehensive security plan. Good network administration takes into account what hackers can do and prepares against attacks. Educate all employees about the importance of security and how to minimize risk. · DSL or cable modem connections are "always-on" connections and are particularly vulnerable because they provide more opportunities for hackers to crack your system. · Never give out a password or any sensitive information to an unsolicited telephone call or e-mail. · Never e-mail sensitive information such as passwords, credit card information, etc. , without encrypting the information first. [. . . ] 1 The AP passes the wireless client's authentication request to the RADIUS server. 2 The RADIUS server then checks the user's identification against its database and grants or denies network access accordingly. Appendix K 365 P-661H/HW Series User's Guide 3 The RADIUS server distributes a Pairwise Master Key (PMK) key to the AP that then sets up a key hierarchy and management system, using the pair-wise key to dynamically generate unique data encryption keys to encrypt every data packet that is wirelessly communicated between the AP and the wireless clients. Figure 210 WPA(2) with RADIUS Application Example WPA(2)-PSK Application Example A WPA(2)-PSK application looks as follows. 1 First enter identical passwords into the AP and all wireless clients. The Pre-Shared Key (PSK) must consist of between 8 and 63 ASCII characters or 64 hexadecimal characters (including spaces and symbols). [. . . ]