NETGEAR SRX5308-100NAS Switch User Manual
Firewall Protection
167
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308
2. Enter the settings as explained in the following table:

Table 34. Attack Checks screen settings for IPv4

Setting / Description

WAN Security Checks

Respond to Ping on Internet Ports
    Select the Respond to Ping on Internet Ports check box to enable the VPN firewall to respond to a ping from the Internet to its IPv4 address. A ping can be used as a diagnostic tool. Keep this check box cleared unless you have a specific reason to enable the VPN firewall to respond to a ping from the Internet.

Enable Stealth Mode
    Select the Enable Stealth Mode check box (which is the default setting) to prevent the VPN firewall from responding to port scans from the WAN, thus making it less susceptible to discovery and attacks.

Block TCP flood
    Select the Block TCP flood check box (which is the default setting) to enable the VPN firewall to drop all invalid TCP packets and to protect the VPN firewall from a SYN flood attack.
    A SYN flood is a form of denial of service attack in which an attacker sends a succession of SYN (synchronize) requests to a target system. When the system responds, the attacker does not complete the connections, thus leaving the connection half open and flooding the server with SYN messages. No legitimate connections can then be made.

LAN Security Checks

Block UDP flood
    Select the Block UDP flood check box (which is the default setting) to prevent the VPN firewall from accepting more than 20 simultaneous, active User Datagram Protocol (UDP) connections from a single device on the LAN.
    A UDP flood is a form of denial of service attack that can be initiated when one device sends a large number of UDP packets to random ports on a remote host. As a result, the distant host does the following:
    1. Checks for the application listening at that port.
    2. Sees that no application is listening at that port.
    3. Replies with an ICMP Destination Unreachable packet.
    When the victimized system is flooded, it is forced to send many ICMP packets, eventually making it unreachable by other clients. The attacker might also spoof the IP address of the UDP packets, ensuring that the excessive ICMP return packets do not reach the attacker, thus making the attacker’s network location anonymous.

Disable Ping Reply on LAN Ports
    Select the Disable Ping Reply on LAN Ports check box to prevent the VPN firewall from responding to a ping on a LAN port. A ping can be used as a diagnostic tool. Keep this check box cleared unless you have a specific reason to prevent the VPN firewall from responding to a ping on a LAN port.
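The following Python model illustrates the two flood checks described in the table (Block TCP flood and Block UDP flood) as a stateful packet filter: it tracks half-open TCP connections per destination and limits a single LAN source to 20 simultaneous active UDP connections, dropping packets past the limit. This is an added, constructed example for understanding the mechanism, not NETGEAR firmware code. The 20-connection UDP limit comes from the manual; the half-open SYN threshold (50), the invalid-flag rule, and all addresses and traffic in `simulate()` are assumptions made for the illustration.

```python
from collections import defaultdict

UDP_CONNECTION_LIMIT = 20   # per-LAN-device limit stated in the manual
HALF_OPEN_LIMIT = 50        # assumed SYN-flood threshold; not given in the manual


class AttackChecks:
    """Minimal model of the Block TCP flood / Block UDP flood checks."""

    def __init__(self, udp_limit=UDP_CONNECTION_LIMIT, half_open_limit=HALF_OPEN_LIMIT):
        self.udp_limit = udp_limit
        self.half_open_limit = half_open_limit
        self.udp_flows = defaultdict(set)   # src_ip -> {(dst_ip, dst_port), ...}
        self.half_open = defaultdict(set)   # dst_ip -> {(src_ip, src_port), ...}
        self.dropped = []                   # (reason, offending address) log

    # ---- Block UDP flood: cap simultaneous active UDP connections per source ----
    def udp_packet(self, src, dst, dport):
        """Return 'accept' or 'drop' for a UDP packet sent by LAN host `src`."""
        flows = self.udp_flows[src]
        key = (dst, dport)
        if key in flows:
            return "accept"                 # packet belongs to an existing active connection
        if len(flows) >= self.udp_limit:
            self.dropped.append(("udp_flood", src))
            return "drop"                   # 21st simultaneous connection from this device
        flows.add(key)
        return "accept"

    def udp_close(self, src, dst, dport):
        """Retire a UDP connection (a real device ages these out on a timer)."""
        self.udp_flows[src].discard((dst, dport))

    # ---- Block TCP flood: drop invalid TCP packets and bound half-open connections ----
    def tcp_packet(self, src, sport, dst, flags):
        """flags is a set of TCP flag names, e.g. {'SYN'} or {'ACK'}. Returns 'accept' or 'drop'."""
        if not flags or ("SYN" in flags and ("FIN" in flags or "RST" in flags)):
            self.dropped.append(("invalid_tcp", src))
            return "drop"                   # flag combination no legitimate handshake produces
        key = (src, sport)
        pending = self.half_open[dst]
        if flags == {"SYN"}:
            if len(pending) >= self.half_open_limit:
                self.dropped.append(("syn_flood", dst))
                return "drop"               # target already has too many half-open connections
            pending.add(key)                # SYN seen, handshake not yet completed
            return "accept"
        if "ACK" in flags or "RST" in flags:
            pending.discard(key)            # handshake completed (ACK) or aborted (RST)
        return "accept"


def simulate():
    """Run constructed traffic through the checks and return drop counts by reason."""
    fw = AttackChecks()
    # Constructed: LAN host 192.168.1.10 opens 25 UDP connections to 203.0.113.5 at once.
    for port in range(5000, 5025):
        fw.udp_packet("192.168.1.10", "203.0.113.5", port)
    # Constructed: 198.51.100.7 sends 60 SYNs to 192.168.1.20 and never completes any of them.
    for i in range(60):
        fw.tcp_packet("198.51.100.7", 40000 + i, "192.168.1.20", {"SYN"})
    # Constructed: one malformed SYN+FIN packet.
    fw.tcp_packet("198.51.100.7", 41000, "192.168.1.20", {"SYN", "FIN"})
    counts = defaultdict(int)
    for reason, _ in fw.dropped:
        counts[reason] += 1
    return dict(counts)


if __name__ == "__main__":
    print(simulate())
```

The model keeps state forever; a real firewall ages half-open TCP entries and idle UDP "connections" out after a timeout, otherwise a slow trickle of unanswered SYNs would eventually lock out legitimate clients just as the manual describes for the flood case. Note also that the UDP check is keyed on the LAN source address, which matches the manual's framing of this as a LAN-side check against an internal device generating the flood.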