Filter
Top Products
158 Chapter 10 Firewalls
N0115790
Consider the FTP protocol. A user on the LAN opens a control connection to a
server on the Internet and requests a file. At this point, the remote server opens a
data connection from the Internet. For FTP to work properly, this connection must
be allowed to pass through even though a connection from the Internet is normally
rejected.
In order to achieve the above scenario, the BCM50a Integrated Router inspects
the application level FTP data. Specifically, it searches for outgoing PORT
commands, and when it sees these; it adds a cache entry for the anticipated data
connection. This can be done safely, since the PORT command contains address
and port information, which can be used to uniquely identify the connection.
Any protocol that operates in this way must be supported on a case-by-case basis.
You can use the Custom Ports feature in the WebGUI to do this.
Guidelines for enhancing security with your firewall
1 Change the default password through SMT or WebGUI.
2 Think about access control before you connect your device to the network in
any way.
3 Limit who can Telnet into your router.
4 Do not enable any local service (such as SNMP or NTP) that you do not use.
Any enabled service can present a potential security risk. A determined
hacker can find creative ways to misuse the enabled services to access the
firewall or the network.
5 For local services that are enabled, protect against misuse. Protect by
configuring the services to communicate only with specific peers, and protect
by configuring rules to block packets for the services at specific interfaces.
6 Protect against IP spoofing by making sure the firewall is active.
7 Keep the firewall in a secured (locked) room.
Packet filtering vs. firewall
Below are some comparisons between the filtering and firewall functions of the
BCM50a Integrated Router.