NOTE:
Opening holes in your firewall can compromise your LAN's security
if done incorrectly.
With the basics out of the way, let's take a look at the real
reason that you'd buy the 312... its Firewall. But
we also run into the first obstacle: you can only
configure the Firewall features via the PNC Firewall Setup application.
This means that you'll need a computer running Windows 95, 98,
or NT4 to do anything besides enable and disable the Firewall
(which you can do through the SMT (Telnet) interface).
Assuming you have the proper computer available, you use the
PNC Firewall app to:
Enable / Disable the firewall
Set up emailing of firewall alerts
Set timing thresholds for Alert features
Configure policies
View Firewall logs
The screenshots below show some of the Firewall setup features.
I tested the firewall by port scanning it and by trying to connect
with applications that I had set policies to block. The
312 properly blocked the traffic and sent an email alert, with
my LAN clients none the worse for the attack. I also tried
a ping flood with similar results. Looks like it works!
There are some nice Firewall features that I didn't try, such
as the ability to set timeouts on various TCP, UDP and ICMP connection
types, and the ability to define custom services (for use in
Policy rules) that include port ranges.
On the downside, however, you can't define custom services using
the ICMP protocol, and the logging could be better (more on that
later).
The main thing that I found confusing about this part of the
312's capabilities is the relationship (overlap?) between the
Filter and Firewall capabilities. Although page 12-7 of
the User Guide gives a good explanation of when to use the Filter
and Firewall features, I found it easy to be confused. When
I compare ZyXEL's approach to that used by SonicWall, I definitely
prefer SonicWall's approach, in which Filtering applies more to
content vs. packets/ports. I also found it a pain
to have to keep switching between the SMT (Telnet), Advanced Setup
PNC, and Firewall PNC, to configure the 312, and especially to
debug my setup problems. (This is due to the limitation
of only one admin login at a time.) For example, it
took me some hunting between the Advanced and Firewall PNCs to
track down the way to shut off a Policy that was logging all LAN
to WAN traffic and causing constant email Alerts to be sent.
Filter configuration is possible without using
the PNC application, but you'll probably prefer using the PNC.
The PNC screens and the browser based help pages that can be brought
up via a Help button on each screen should help many users successfully
set up this important part of the router's capabilities.
Multi-flavored NAT
What sets the 312 apart from any other routers that I've tested
so far is its five different NAT modes (Multi-NAT). (Check this
ZyXEL FAQ for more details.)
These new NAT modes will be useful primarily to people who
have multiple IP addresses from their ISP. With Multi-NAT,
for example, you can have more than one of the same type server
(HTTP for example) running on the same port number, but on different
IP addresses (or domains). This is like having multiple
"DMZ" capability, but you still get the firewall protection
for the servers. Great stuff, huh?
The old "SUA" (Single User Account) NAT mode (the only
mode on the 310 and 314 routers) is still supported, and it fortunately
is the default setup for the router. So you can have the
312's NAT router allow servers on your LAN to be accessed from
the Internet, but you are limited to 12 port-number-to-LAN
IP mappings. You can't specify TCP or UDP protocol, and
you can't map port ranges, either. One of
the twelve mappings is dedicated to the Default Server
mapping. This is similar to the DMZ Host, or Exposed
Computer feature on other routers. Any inbound
service request that doesn't have a defined IP address to handle
it will be sent to the Default Server. Another mapping
is dedicated to Port 1026 "RR Reserved", so this leaves
ten single port mappings for users to set.
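The lookup behaviour described above can be modelled in a few lines of Python. This is an added example, not part of the original review and not ZyXEL code or SMT syntax; the class name, method names and LAN addresses are hypothetical, and the model ignores the Firewall and Filters that sit in front of the NAT table.

```python
# Added illustration: simplified model of the SUA server table in the review.
# Not ZyXEL firmware or SMT syntax; all addresses below are constructed.
MAX_ENTRIES = 12       # total table slots, per the review
RESERVED_PORT = 1026   # the "RR Reserved" slot, per the review


class SuaTable:
    def __init__(self, default_server=None):
        self.default_server = default_server  # catch-all LAN IP, or None
        self.ports = {}                       # single port -> LAN IP

    def user_slots_left(self):
        # 12 slots minus the Default Server slot and the port 1026 slot.
        return MAX_ENTRIES - 2 - len(self.ports)

    def add(self, port, lan_ip):
        if not isinstance(port, int) or not 1 <= port <= 65535:
            raise ValueError("single port numbers only, no ranges")
        if port == RESERVED_PORT:
            raise ValueError("port 1026 is reserved")
        if port not in self.ports and self.user_slots_left() == 0:
            raise ValueError("all ten user mappings are in use")
        self.ports[port] = lan_ip

    def resolve(self, dst_port):
        """LAN host receiving an unsolicited inbound request, or None.

        There is no protocol argument: a mapping covers TCP and UDP alike.
        Assumption: port 1026 is treated as not forwarded, since the review
        does not say where the reserved entry points.
        """
        if dst_port == RESERVED_PORT:
            return None
        return self.ports.get(dst_port, self.default_server)

    def exposure(self, probe_ports):
        """Return {port: LAN host} for every probed port that is forwarded."""
        hits = ((p, self.resolve(p)) for p in probe_ports)
        return {p: host for p, host in hits if host is not None}


if __name__ == "__main__":
    table = SuaTable(default_server="192.168.1.50")  # constructed address
    table.add(80, "192.168.1.10")                    # constructed address
    # Ports 22 and 3389 were never mapped, yet both reach the Default Server.
    print(table.exposure([22, 80, 1026, 3389]))
```

In this model, leaving the Default Server unset makes every unmapped port resolve to no host at all, which is the smaller exposure when a catch-all machine is not needed.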
But remember that you also have the 312's Firewall to deal with
before you can get to a mapped server. And then there's
the Filters to configure or maybe disable... ooooh I think my
brain is moving into overload! But not before I deliver
a little bad news:
Multi-NAT features are useful only if you have multiple WAN IP addresses. For example, you can't have multiple "default servers", i.e. "DMZ" computers, if you have only one WAN IP.
There is no PNC support for the multi-NAT features (or even the basic "SUA" mode). You have to use the SMT interface, User Guide and Applications Notes to set up these features.
And before you ask, the 312 has only one physical WAN port, so it
can't be connected to multiple WAN feeds, i.e. both a cable modem
and a DSL connection. Your multiple WAN IP addresses must come
from the same ISP.