Chapter 25 Security Policy
UAG Series User’s Guide
290
25.1.2 What You Need to Know
Stateful Inspection
The UAG uses stateful inspection in its security policies. The UAG restricts access by screening data packets against defined access rules. It also inspects sessions, so that return traffic is accepted only for sessions that were already permitted. For example, traffic from one zone is not allowed unless a computer in another zone initiated the session first.
Zones
A zone is a group of interfaces. Group the UAG’s interfaces into different zones based on your needs. You can configure security policies for data passing between zones or even between interfaces.
Default Security Policy Behavior
Security policies are grouped based on the direction of travel of the packets to which they apply. Here is the default security policy behavior for traffic going through the UAG in various directions.
Note: Intra-zone traffic (such as LAN to LAN traffic or WAN to WAN traffic) can also be blocked by the zone configuration. See Section 34.2.1 on page 397 for details.
To-Device Rules
Rules with Device as the To Zone apply to traffic going to the UAG itself. By default:
• The security policy allows only LAN or WAN computers to access or manage the UAG.
• The UAG allows DHCP traffic from any interface to the UAG.
• The UAG drops most packets from the WAN zone to the UAG itself and generates a log, except for AH, ESP, GRE, HTTPS, IKE and NATT.
When you configure a security policy for packets destined for the UAG itself, make sure it does not conflict with your service control rule. See Chapter 46 on page 486 for more information about
Table 129 Default Security Policy Behavior
FROM ZONE | TO ZONE | BEHAVIOR
From any | to Device | DHCP traffic from any interface to the UAG is allowed.
From LAN1 | to any (other than the UAG) | Traffic from the LAN1 to any of the networks connected to the UAG is allowed.
From LAN2 | to any (other than the UAG) | Traffic from the LAN2 to any of the networks connected to the UAG is allowed.
From LAN1 | to Device | Traffic from the LAN1 to the UAG itself is allowed.
From LAN2 | to Device | Traffic from the LAN2 to the UAG itself is allowed.
From WAN | to Device | The default services listed in To-Device Rules on page 290 are allowed from the WAN to the UAG itself. All other WAN to UAG traffic is dropped.
From any | to any | Traffic that does not match any security policy is dropped. This includes traffic from the WAN to any of the networks behind the UAG. This also includes traffic to or from interfaces that are not assigned to a zone (extra-zone traffic).
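As an added illustration (not code from the guide or from the UAG itself), the following Python model evaluates the default rows of Table 129 in order with the implicit "any to any" drop, and adds the session tracking described under Stateful Inspection so that reply traffic is accepted only for a session an allowed packet opened. The interface-to-zone mapping, the Packet fields, the service names and the sample addresses are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed interface-to-zone mapping (an assumption; on a real UAG it is your zone configuration).
ZONE_OF_INTERFACE = {"lan1": "LAN1", "lan2": "LAN2", "wan1": "WAN", "wan2": "WAN"}
# Services the default policy still accepts from the WAN zone to the UAG itself (To-Device Rules).
WAN_TO_DEVICE_ALLOWED = {"AH", "ESP", "GRE", "HTTPS", "IKE", "NATT"}


@dataclass(frozen=True)
class Packet:
    in_iface: str            # ingress interface name (assumed naming)
    to_device: bool          # True when the packet is addressed to the UAG itself
    dst_zone: Optional[str]  # zone of the egress interface; None when the interface has no zone
    service: str             # e.g. "HTTP", "DHCP", "HTTPS"
    src: str
    dst: str


def default_policy(pkt: Packet) -> str:
    """Evaluate Table 129 top to bottom; the last row is the implicit 'any to any' drop."""
    from_zone = ZONE_OF_INTERFACE.get(pkt.in_iface)
    if pkt.to_device and pkt.service == "DHCP":
        return "allow"                                   # From any to Device: DHCP
    if from_zone is None or (not pkt.to_device and pkt.dst_zone is None):
        return "drop"                                    # extra-zone traffic (no zone assigned)
    if from_zone in ("LAN1", "LAN2"):
        return "allow"                                   # LANx to any, and LANx to Device
    if from_zone == "WAN" and pkt.to_device:
        return "allow" if pkt.service in WAN_TO_DEVICE_ALLOWED else "drop"
    return "drop"                                        # From any to any: no match, drop (and log)


class StatefulInspector:
    """Return traffic is allowed only for a session that an allowed packet opened earlier."""

    def __init__(self) -> None:
        self.sessions = set()

    def inspect(self, pkt: Packet) -> str:
        if (pkt.dst, pkt.src, pkt.service) in self.sessions:
            return "allow"                               # reply to an established session
        verdict = default_policy(pkt)
        if verdict == "allow":
            self.sessions.add((pkt.src, pkt.dst, pkt.service))
        return verdict
```

A WAN-originated HTTP packet toward LAN1 is dropped on its own, but the same packet is accepted once a LAN1 host has opened the session in the other direction.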