SMC Networks Router SMCWBR14-G2 User Manual
Have a look at the manual SMC Networks Router SMCWBR14-G2 User Manual online for free. It’s possible to download the document as PDF or print. UserManuals.tech offer 10 SMC Networks manuals and user’s guides for free. Share the user manual or guide on Facebook, Twitter or Google+.
SECURITY 4-35 Intrusion Detection The Barricade’s firewall inspects packets at the application layer, maintains TCP and UDP session information including timeouts and number of active sessions, and provides the ability to detect and prevent certain types of network attacks such as Denial-of-Service (DoS) attacks.
CONFIGURING THE BAR RICADE 4-36 Network attacks that deny access to a network device are called DoS attacks. DoS attacks are aimed at devices and networks with a connection to the Internet. Their goal is not to steal information, but to disable a device or network so users no longer have access to network resources. The Barricade protects against DoS attacks including: Ping of Death (Ping flood) attack, SYN flood attack, IP fragment attack (Teardrop Attack), Brute-force attack, Land Attack, IP Spoofing attack, IP with zero length, TCP null scan (Port Scan Attack), UDP port loopback, Snork Attack. Note:The firewall does not significantly affect system performance, so we advise enabling the prevention features to protect your network.
SECURITY 4-37 The table below lists the Intrusion Detection parameters and their descriptions. Parameter Defaults Description Intrusion Detection Feature SPI and Anti-DoS firewall protectionNo The Intrusion Detection feature of the Barricade limits the access of incoming traffic at the WAN port. When the Stateful Packet Inspection (SPI) feature is turned on, all incoming packets are blocked except those types marked with a check in the SPI section at the top of the screen. RIP Defect Disabled If the router does not reply to an IPX RIP request packet, it will stay in the input queue and not be released. Accumulated packets could cause the input queue to fill, causing severe problems for all protocols. Enabling this feature prevents the packets accumulating. Discard Ping to WANDon’t discardPrevents a ping on the router’s WAN port from being routed to the network.
CONFIGURING THE BAR RICADE 4-38 Stateful Packet InspectionEnabled This option allows you to select different application types that are using dynamic port numbers. If you wish to use Stateful Packet Inspection (SPI) for blocking packets, click on the Yes radio button in the “Enable SPI and Anti-DoS firewall protection” field and then check the inspection type that you need, such as Packet Fragmentation, TCP Connection, UDP Session, FTP Service and TFTP Service. It is called a “stateful” packet inspection because it examines the contents of the packet to determine the state of the communication; i.e., it ensures that the stated destination computer has previously requested the current communication. This is a way of ensuring that all communications are initiated by the recipient computer and are taking place only with sources that are known and trusted from previous interactions. In addition to being more rigorous in their inspection of packets, stateful inspection firewalls also close off ports until a connection to the specific port is requested. When particular types of traffic are checked, only the particular type of traffic initiated from the internal LAN will be allowed. For example, if the user only checks FTP Service in the Stateful Packet Inspection section, all incoming traffic will be blocked except for FTP connections initiated from the local LAN. When hackers attempt to enter your network, we can alert you by email Your E-mail AddressEnter your email address. SMTP Server AddressEnter your SMTP server address (usually the part of the email address following the “@” sign). POP3 Server AddressEnter your POP3 server address (usually the part of the email address following the “@” sign). User Name Enter your email account user name. Parameter Defaults Description
SECURITY 4-39 Password Enter your email account password. Connection Policy Fragmentation half-open wait10 secs Configures the number of seconds that a packet state structure remains active. When the timeout value expires, the router drops the unassembled packet, freeing that structure for use by another packet. TCP SYN wait 30 secs Defines how long the software will wait for a TCP session to reach an established state before dropping the session. TCP FIN wait 5 secs Specifies how long a TCP session will be managed after the firewall detects a FIN-exchange. TCP connection idle timeout3600 secs (1 hour)The length of time for which a TCP session will be managed if there is no activity. UDP session idle timeout30 secs The length of time for which a UDP session will be managed if there is no activity. DoS Detect Criteria Total incomplete TCP/UDP sessions HIGH300 sessionsDefines the rate of new unestablished sessions that will cause the software to start deleting half-open sessions. Total incomplete TCP/UDP sessions LOW250 sessionsDefines the rate of new unestablished sessions that will cause the software to stop deleting half-open sessions. Incomplete TCP/UDP sessions (per min.) HIGH250 sessionsMaximum number of allowed incomplete TCP/UDP sessions per minute. Incomplete TCP/UDP sessions (per min.) LOW200 sessionsMinimum number of allowed incomplete TCP/UDP sessions per minute. Maximum incomplete TCP/UDP sessions number from same host10 sessionsMaximum number of incomplete TCP/UDP sessions from the same host. Parameter Defaults Description
CONFIGURING THE BAR RICADE 4-40 Note:We do not recommend modifying the default parameters shown above. Click Save Settings to proceed, or Cancel to change your settings. Incomplete TCP/UDP sessions detect sensitive time period300 msecs Length of time before an incomplete TCP/UDP session is detected as incomplete. Maximum half-open fragmentation packet number from same host30 sessionsMaximum number of half-open fragmentation packets from the same host. Half-open fragmentation detect sensitive time period1 sec Length of time before a half-open fragmentation session is detected as half-open. Flooding cracker block time300 secs Length of time from detecting a flood attack to blocking the attack. Parameter Defaults Description
SECURITY 4-41 DMZ If you have a client PC that cannot run an Internet application properly from behind the firewall, you can open the client up to unrestricted two-way Internet access. Enter the IP address of a DMZ (Demilitarized Zone) host on this screen. Adding a client to the DMZ may expose your local network to a variety of security risks, so only use this option as a last resort.
CONFIGURING THE BAR RICADE 4-42 Wireless The Barricade can be quickly configured for roaming clients by setting the Service Set Identifier (SSID) and channel number. It supports data encryption and client filtering. To use the wireless feature, check the Enable check box and click Save Settings. To begin configuring your wireless security settings, click Wireless Encryption.
SECURITY 4-43 Wireless Encryption The Barricade can transmit your data securely over a wireless network. Matching security mechanisms must be set up on your Barricade and your wireless client devices. Select the most suitable security mechanism from the drop-down list on this screen. Click Save Settings to proceed, or Cancel to change your settings. Parameter Description No WEP, No WPA/WPA2 Disables all wireless security. To make it easier to set up your wireless network, we recommend enabling this setting initially. By default, wireless security is disabled. WEP Only Once you have your wireless network in place, the minimum security we recommend is to enable the legacy security standard, Wired Equivalent Privacy (WEP). See “WEP” on page 4-45. WPA/WPA2 Only For maximum wireless security, you should enable the WPA/WPA2 option. See “WPA/WPA2” on page 4-47.
CONFIGURING THE BAR RICADE 4-44 Access Control For a more secure wireless network you can specify that only certain wireless clients can connect to the Barricade. Up to 32 MAC addresses can be added to the MAC Filtering Table. When enabled, all registered MAC addresses are controlled by the Access Rule. By default, this MAC filtering feature is disabled.