Netopia D7100 SDSL User Manual

8-70  User’s Reference Guide
Filtering example #2
Suppose a filter is configured to block all incoming IP packets with the source IP address 200.233.14.0, 
regardless of the type of connection or its destination. The filter would look like the one-row filter table 
shown at the end of this section (filter 1: source 200.233.14.0, destination 0.0.0.0, protocol ANY, Fwd No).
This filter blocks any packets coming from a remote network with the IP network address 200.233.14.0. The 0 
at the end of the address signifies any host on the class C IP network 200.233.14.0. If, for example, the filter 
is applied to a packet with the source IP address 200.233.14.5, it will block it.
In this case, the mask, which does not appear in the table, must be set to 255.255.255.0. This way, all 
packets with a source address of 200.233.14.x will be matched correctly, no matter what the final address byte 
is.
Note: The protocol attribute for this filter is 0 by default. This tells the filter to ignore the IP protocol or type of 
IP packet.
Design guidelines
Careful thought must go into designing a new filter set. You should consider the following guidelines: 
Be sure the filter set’s overall purpose is clear from the beginning. A vague purpose can lead to a faulty 
set, and that can actually make your network less secure.
Be sure each individual filter’s purpose is clear.
Determine how filter priority will affect the set’s actions. Test the set (on paper) by determining how the 
filters would respond to a number of different hypothetical packets.
Consider the combined effect of the filters. If every filter in a set fails to match on a particular packet, the 
packet is:
Passed if all the filters are configured to discard (not forward)
Discarded if all the filters are configured to pass (forward)
Discarded if the set contains a combination of pass and discard filters
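The following model, added here as an illustration and not part of the Netopia guide, lets you test a filter set "on paper" the way the guidelines recommend: it evaluates filters in priority order, treats 0.0.0.0 destinations, protocol 0 and "--" ports as wildcards, and applies the no-match default rule just described (passed only when every filter is a discard filter). The Packet and Filter classes, the field names and the sample packets are constructed for this example; Filtering example #2 is encoded as EXAMPLE_2.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass
class Packet:
    """Constructed packet header; proto is the IP protocol number (6 = TCP, 17 = UDP)."""
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass
class Filter:
    """One row of the filter table; masks are supplied separately, as in the guide."""
    src_addr: str
    src_mask: str
    forward: bool                 # Fwd column: True = pass, False = discard
    dst_addr: str = "0.0.0.0"     # 0.0.0.0 with mask 0.0.0.0 matches any destination
    dst_mask: str = "0.0.0.0"
    proto: int = 0                # 0 = ANY: ignore the IP protocol
    sport: Optional[int] = None   # None = "--" (any port)
    dport: Optional[int] = None
    enabled: bool = True          # On? column

    def matches(self, pkt: Packet) -> bool:
        src_net = ipaddress.ip_network(f"{self.src_addr}/{self.src_mask}", strict=False)
        dst_net = ipaddress.ip_network(f"{self.dst_addr}/{self.dst_mask}", strict=False)
        return (ipaddress.ip_address(pkt.src) in src_net
                and ipaddress.ip_address(pkt.dst) in dst_net
                and self.proto in (0, pkt.proto)
                and self.sport in (None, pkt.sport)
                and self.dport in (None, pkt.dport))


def filter_set_passes(filters: Sequence[Filter], pkt: Packet) -> bool:
    """Return True if the set forwards pkt. List order is filter priority; first enabled match decides."""
    active = [f for f in filters if f.enabled]
    for f in active:
        if f.matches(pkt):
            return f.forward
    # No filter matched: passed only if every (enabled) filter is a discard filter,
    # discarded if they are all pass filters or a mix. (Assumption: a set with no
    # enabled filters therefore passes everything.)
    return all(not f.forward for f in active)


# Filtering example #2: discard everything from the class C network 200.233.14.0
EXAMPLE_2 = [Filter("200.233.14.0", "255.255.255.0", forward=False)]
```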
Disadvantages of filters
Although using filter sets can greatly enhance network security, there are disadvantages:
Filters are complex. Combining them in filter sets introduces subtle interactions, increasing the likelihood 
of implementation errors.
Enabling a large number of filters can have a negative impact on performance. Processing of packets will 
take longer if they have to go through many checkpoints.
Too much reliance on packet filters can cause too little reliance on other security methods. Filter sets are 
not a substitute for password protection, effective safeguarding of passwords, caller ID, the “must match” 
option in the answer profile, PAP or CHAP in connection profiles, callback, and general awareness of how 
   +-#---Source IP Addr---Dest IP Addr-----Proto-Src.Port-D.Port--On?-Fwd-+
   +----------------------------------------------------------------------+
   | 1   200.233.14.0     0.0.0.0          ANY   --       --      Yes No  |
   |                                                                      |
   +----------------------------------------------------------------------+