Firewall - Stateful Inspection
The USRobotics SureConnect ADSL 4-Port Router provides firewall stateful inspection for intrusion detection. The USRobotics SureConnect ADSL 4-Port Router tracks all packets originating from the LAN and records each connection's address pair and TCP/UDP port pair. When TCP/UDP packets are received from the WAN side, their IP addresses and port numbers must match the tracking records. Otherwise, the packet is dropped by the ADSL router.
For ICMP packets, only outgoing ICMP request packets originating from the LAN are allowed to be forwarded to the WAN, and only their related incoming ICMP reply packets from the WAN side are allowed to come into the LAN. For example, you can ping any device on the WAN side from a PC on the LAN side, but you cannot ping the U.S. Robotics SureConnect ADSL 4-Port Router or any LAN device from the WAN side.
Also, ICMP redirect packets are never allowed in, since they could be used to reroute traffic through attacking machines. The only exception to the above firewall rules occurs when remote technical support access is explicitly allowed by the local user: in that case, the USRobotics SureConnect ADSL 4-Port Router responds to ping request packets and allows remote access to the USRobotics SureConnect ADSL 4-Port Router Web User Interface (WUI). The U.S. Robotics SureConnect ADSL 4-Port Router firewall also prevents LAND attacks and SYN floods.
- SYN Floods: the USRobotics SureConnect ADSL 4-Port Router firewall drops all unsolicited TCP SYN requests received from the WAN side.
- LAND Attacks: this attack forces a victim machine into an unending loop. The USRobotics SureConnect ADSL 4-Port Router firewall can prevent such attacks by disallowing any packets with the same source and destination address.
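
The filtering rules in this section, modelled as a small connection-tracking table. This is an added example, not the router's firmware: the class, function and field names are hypothetical, the addresses are constructed samples, and the model assumes no address translation, no record timeouts and no TCP flag tracking (an "unsolicited SYN" is simply an inbound TCP packet with no matching record).

```python
from dataclasses import dataclass

ECHO_REPLY, REDIRECT, ECHO_REQUEST = 0, 5, 8    # ICMP type numbers

@dataclass(frozen=True)
class Packet:
    proto: str           # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0       # TCP/UDP ports (left at 0 for ICMP)
    dport: int = 0
    icmp_type: int = -1
    icmp_id: int = 0     # echo identifier, pairs a reply with its request

def _key(p, outbound):
    """Tracking record, always written from the LAN host's point of view."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (p.proto, p.icmp_id, *(a + b if outbound else b + a))

class StatefulFirewall:
    def __init__(self):
        self.state = set()   # address pair + port pair of each LAN-originated flow

    def outbound(self, p):
        """LAN -> WAN: record the connection; True means forwarded."""
        if p.src == p.dst or (p.proto == "icmp" and p.icmp_type != ECHO_REQUEST):
            return False     # LAND-style packet, or ICMP other than a request
        self.state.add(_key(p, outbound=True))
        return True

    def inbound(self, p):
        """WAN -> LAN: True only if the packet matches a tracking record."""
        if p.src == p.dst or (p.proto == "icmp" and p.icmp_type != ECHO_REPLY):
            return False     # LAND-style packet, redirect, or WAN-side ping
        return _key(p, outbound=False) in self.state

def demo():
    lan, wan = "192.168.1.10", "203.0.113.5"    # constructed sample addresses
    fw = StatefulFirewall()
    fw.outbound(Packet("tcp", lan, wan, 40000, 443))
    fw.outbound(Packet("icmp", lan, wan, icmp_type=ECHO_REQUEST, icmp_id=7))
    return {
        "tcp_reply": fw.inbound(Packet("tcp", wan, lan, 443, 40000)),
        "unsolicited_syn": fw.inbound(Packet("tcp", wan, lan, 5555, 80)),
        "land": fw.inbound(Packet("tcp", lan, lan, 80, 80)),
        "ping_reply": fw.inbound(Packet("icmp", wan, lan, icmp_type=ECHO_REPLY, icmp_id=7)),
        "wan_ping": fw.inbound(Packet("icmp", wan, lan, icmp_type=ECHO_REQUEST, icmp_id=1)),
        "redirect": fw.inbound(Packet("icmp", wan, lan, icmp_type=REDIRECT)),
    }
```

Only the two packets that answer LAN-originated traffic (tcp_reply and ping_reply) are accepted; everything else arriving from the WAN side is dropped.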
Security - Remote and Local Access Accounts
- The USRobotics SureConnect ADSL 4-Port Router WUI provides a local administration account, a local non-administrative user account, and a remote technical support user account with password protection. The remote technical support account allows the local administrative user to explicitly enable a remote technician to access the USRobotics SureConnect ADSL 4-Port Router's WUI and allows the router to send ping response packets.
- Remote support access will not work in bridge mode, since there is no public IP address assigned to the router.
- The remote technical support user can read/write the configuration, but cannot change security. When remote access security is enabled by a local admin, the remote user can access the modem via telnet or a browser from the WAN, but not from the LAN. Its account user name is "support" and the default password is "support".
- The maximum length for user name and password is 15 characters.
DHCP Server
The USRobotics SureConnect ADSL 4-Port Router provides DHCP server service over the LAN interface when the network operating mode is set to PPPoE, PPPoA, MER or IPoA mode. When enabled, the DHCP server will respond to DHCP request packets from LAN devices and assign:
- An unused IP address, within the start-end IP address range configured by the user, to the LAN device.
- The ADSL router's LAN interface IP address as the primary DNS server address to the LAN device. The ADSL router will perform DNS relay between the LAN device and the real DNS server at the remote service provider site.
- The ADSL router's LAN interface IP address as the default gateway to the LAN device.
DHCP Client
The USRobotics SureConnect ADSL 4-Port Router provides DHCP client service for each WAN interface which is operating in MER network operating mode. If enabled, the DHCP client will request the WAN interface IP address, primary and secondary DNS server addresses, and default gateway from the DHCP server at the service provider site. If the DHCP client function is disabled, the user must manually configure the WAN IP address, DNS server addresses and default gateway.
DNS Relay
The USRobotics SureConnect ADSL 4-Port Router provides DNS Relay service only when the NAPT function is enabled. The DNS inquiry packets received from the LAN devices will be forwarded to the primary DNS server at the remote site, and the DNS response packets received from the remote DNS server will be relayed back to the LAN device.

