Configuring Firewall
Firewall Configuration Guide
1 Firewall
1.1 Overview
The Firewall is used to enhance network security. It can prevent external network threats from spreading to the internal network, protect internal hosts from ARP attacks, and control internal users' access to the external network.
1.2 Supported Features
The Firewall module supports four functions: Anti ARP Spoofing, Attack Defense, MAC Filtering and Access Control.
Anti ARP Spoofing
ARP (Address Resolution Protocol) maps IP addresses to the corresponding MAC addresses so that packets can be delivered to their destinations. However, because ARP is implemented on the premise that all hosts and gateways are trusted, it carries high security risks on real, complex networks. If an attacker sends ARP spoofing packets containing false IP-address-to-MAC-address mapping entries, the device updates its ARP table based on those packets and records wrong mapping entries, which breaks normal communication.
Anti ARP Spoofing protects the network from ARP spoofing attacks. It works on the basis of IP-MAC Binding entries, which record the correct one-to-one relationships between IP addresses and MAC addresses. When it receives an ARP packet, the router checks whether the packet matches any of the IP-MAC Binding entries; if not, the router ignores the packet. In this way, the router maintains a correct ARP table.
In addition, the router provides the following two sub-functions:
Permitting only the packets that match the IP-MAC Binding entries and discarding all other packets.
Sending GARP (Gratuitous ARP) packets to the hosts when it detects ARP attacks. The GARP packets inform the hosts of the correct ARP mappings, preventing their ARP tables from being falsified by ARP spoofing packets.
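The following is an added illustration of the IP-MAC Binding check and the corrective GARP announcement described above; it is example code written for this guide, not the router's firmware. The binding table, the MAC and IP addresses, and the sample ARP packets are all constructed for the example.

```python
import struct
from ipaddress import IPv4Address

# Constructed IP-MAC Binding table (all values are made up for this example).
BINDINGS = {
    "192.168.0.1": "aa:bb:cc:00:00:01",   # gateway
    "192.168.0.10": "aa:bb:cc:00:00:10",  # trusted host
}

ARP_FMT = "!HHBBH6s4s6s4s"  # 28-byte IPv4-over-Ethernet ARP body (RFC 826 layout)

def arp_payload(op, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Encode one ARP body; op 1 = request, 2 = reply."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                       mac(sender_mac), IPv4Address(sender_ip).packed,
                       mac(target_mac), IPv4Address(target_ip).packed)

def parse_arp(payload: bytes) -> dict:
    """Decode the fields the binding check needs from a raw ARP body."""
    _, _, _, _, op, sha, spa, _, tpa = struct.unpack(ARP_FMT, payload[:28])
    return {"op": op,
            "sender_mac": ":".join(f"{b:02x}" for b in sha),
            "sender_ip": str(IPv4Address(spa)),
            "target_ip": str(IPv4Address(tpa))}

def check_arp(payload: bytes, permit_only_bound: bool = False) -> str:
    """Apply the Anti ARP Spoofing decision to one ARP packet.
    'accept'       - sender IP/MAC agrees with its binding (or is unbound in lax mode)
    'ignore'       - sender claims a bound IP with the wrong MAC: spoofing, do not learn it
    'drop-unbound' - sender has no binding and the permit-only-bound sub-function is on"""
    p = parse_arp(payload)
    bound_mac = BINDINGS.get(p["sender_ip"])
    if bound_mac is None:
        return "drop-unbound" if permit_only_bound else "accept"
    return "accept" if bound_mac == p["sender_mac"] else "ignore"

def build_garp(ip: str) -> bytes:
    """Build the gratuitous ARP reply that re-announces the bound MAC for `ip`
    (sender and target fields both carry the correct binding)."""
    mac = BINDINGS[ip]
    return arp_payload(2, mac, ip, mac, ip)

# Constructed sample traffic: a legitimate reply from the gateway and a spoofed
# one in which an unbound MAC claims the gateway's IP.
LEGIT = arp_payload(2, "aa:bb:cc:00:00:01", "192.168.0.1", "aa:bb:cc:00:00:10", "192.168.0.10")
SPOOF = arp_payload(2, "de:ad:be:ef:00:01", "192.168.0.1", "aa:bb:cc:00:00:10", "192.168.0.10")
UNBOUND = arp_payload(1, "aa:bb:cc:00:00:99", "192.168.0.99", "00:00:00:00:00:00", "192.168.0.1")
```

When `check_arp` returns `ignore`, a router implementing the second sub-function would send `build_garp("192.168.0.1")` to the hosts so their ARP caches keep the bound mapping.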
Attack Defense
Attacks on a network device can paralyze the device or the network. With the Attack Defense feature, the router can identify and discard various attack packets that are sent to its CPU, and limit the packet receiving rate. In this way, the router protects itself and the connected network against malicious attacks.