Filter
Top Products
ZyXEL NBG-415N User’s Guide
93 Chapter 7 Advanced
7.9 Firewall
Stateful packet inspection (SPI) firewalls restrict access by screening data packets against
defined access rules. They make access control decisions based on IP address and protocol.
They also "inspect" the session data to assure the integrity of the connection and to adapt to
dynamic protocols. These firewalls generally provide the best speed and transparency;
however, they may lack the granular application level access control or caching that some
proxies support.
The ZyXEL Device firewall is a stateful inspection firewall and is designed to protect against
Denial of Service attacks when activated. The ZyXEL Device’s purpose is to allow a private
Local Area Network (LAN) to be securely connected to the Internet. The ZyXEL Device can
be used to prevent theft, destruction and modification of data, as well as log events, which may
be important to the security of your network. The ZyXEL Device also has packet-filtering
capabilities.
7.9.1 DMZ
The DeMilitarized Zone (DMZ) provides a way for public servers (Web, e-mail, FTP, etc.) to
be visible to the outside world (while still being protected from DoS (Denial of Service)
attacks such as SYN flooding and Ping of Death). These public servers can also still be
accessed from the secure LAN.
7.9.2 ALG
Some applications cannot operate through NAT (are NAT un-friendly) because they embed IP
addresses and port numbers in their packets’ data payload. The ZyXEL Device examines and
uses IP address and port number information embedded in the data stream. When a device
behind the ZyXEL Device uses an application for which the ZyXEL Device has ALG service
enabled, the ZyXEL Device translates the device’s private IP address inside the data stream to
a public IP address. It also records session port numbers and dynamically creates implicit NAT
port forwarding and firewall rules for the application’s traffic to come in from the WAN to the
LAN.
7.9.3 NAT Endpoint Filtering
NAT Endpoint Filtering controls how the ZyXEL Device’s NAT manages incoming
connection requests to ports that are already being used. Three filtering options are available
on UDP and TCP packets.
• Endpoint Independent
Once a LAN-side application has created a connection through a specific port, NAT will
forward any incoming connection requests with the same port to the LAN-side
application regardless of their origin. This is the least restrictive option, giving the best
connectivity and allowing some applications (for example, P2P applications) to behave
almost as if they are directly connected to the Internet.