Netopia 430 s Reference Guide
7-18
Netopia ISDN Router Reference Guide
Note: The protocol attribute for this filter is 0 by default. This tells the
filter to ignore the IP protocol or type of IP packet.
Design guidelines
Careful thought should go into designing a new filter set. You should
consider the following guidelines:
■ Be sure the filter set’s overall purpose is clear from the
  beginning. A vague purpose can lead to a faulty set, and that can
  actually make your network less secure.
■ Be sure each individual filter’s purpose is clear.
■ Determine how filter priority will affect the set’s actions. Test the
  set (on paper) by determining how the filters would respond to a
  number of different hypothetical packets.
■ Consider the combined effect of the filters. If every filter in a set
  fails to match on a particular packet, the packet is:
    ■ passed if all the filters are configured to discard (not forward).
    ■ discarded if all the filters are configured to pass (forward).
    ■ discarded if the set contains a combination of pass and discard
      filters.
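The no-match rules above, the priority guideline, and the earlier note that a protocol attribute of 0 means "ignore the IP protocol" can all be checked the way the guide recommends: on paper, by running a set against hypothetical packets. The following Python simulator is an added example written for this edit, not code from Netopia or from the reference guide. The Filter field names, the lower-number-first priority order, and the packets and address ranges are assumptions constructed for the demonstration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Actions as the guide names them: pass (forward) or discard (not forward).
PASS, DISCARD = "pass", "discard"


@dataclass
class Filter:
    """One filter in a set. Field names are assumptions for this example,
    not the router's own configuration attributes."""
    priority: int            # assumption: lower number is evaluated first
    action: str              # PASS or DISCARD
    src: str = "0.0.0.0/0"   # source network, any by default
    dst: str = "0.0.0.0/0"   # destination network, any by default
    protocol: int = 0        # 0 = ignore the IP protocol, as the guide's note says

    def matches(self, pkt: dict) -> bool:
        # Protocol 0 means "any": only compare when a protocol is set.
        if self.protocol != 0 and pkt["protocol"] != self.protocol:
            return False
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst))


def default_action(filters: list) -> str:
    """Fate of a packet that no filter matched, per the guide's three rules:
    passed if every filter discards; otherwise (all-pass or mixed) discarded."""
    if {f.action for f in filters} == {DISCARD}:
        return PASS
    return DISCARD


def evaluate(filters: list, pkt: dict) -> tuple:
    """Walk the set in priority order; the first match decides. Returns
    (action, priority of the deciding filter, or None when the default applied)."""
    for f in sorted(filters, key=lambda f: f.priority):
        if f.matches(pkt):
            return f.action, f.priority
    return default_action(filters), None


def paper_test(filters: list, packets: list) -> list:
    """The guide's 'test the set on paper' step: one row per hypothetical packet."""
    return [(pkt["name"], *evaluate(filters, pkt)) for pkt in packets]


# Constructed hypothetical packets (documentation address ranges; 6 = TCP, 17 = UDP).
PACKETS = [
    {"name": "tcp from blocked net", "src": "192.0.2.5",   "dst": "198.51.100.10", "protocol": 6},
    {"name": "udp from blocked net", "src": "192.0.2.5",   "dst": "198.51.100.10", "protocol": 17},
    {"name": "tcp from elsewhere",   "src": "203.0.113.7", "dst": "198.51.100.10", "protocol": 6},
    {"name": "tcp to other host",    "src": "203.0.113.7", "dst": "198.51.100.20", "protocol": 6},
]

# A set made only of discard filters: everything it does not name is passed.
BLOCK_ONLY = [Filter(1, DISCARD, src="192.0.2.0/24", protocol=6)]

# A set made only of pass filters: everything it does not name is discarded.
ALLOW_ONLY = [Filter(1, PASS, dst="198.51.100.10/32", protocol=6)]

# A mixed set: the discard filter outranks the pass filter (protocol 0 = any),
# and a packet matching neither is discarded.
MIXED = [Filter(1, DISCARD, src="192.0.2.0/24"),
         Filter(2, PASS, dst="198.51.100.10/32", protocol=6)]

if __name__ == "__main__":
    for name, fset in (("block-only", BLOCK_ONLY), ("allow-only", ALLOW_ONLY), ("mixed", MIXED)):
        print(name)
        for row in paper_test(fset, PACKETS):
            print("  %-22s -> %-7s (filter %s)" % row)
```

Running it prints one table per set. The block-only set shows why the first rule matters for security: the UDP packet from the blocked network is passed, because a set built only from discard filters forwards everything it does not name, while the same packet is discarded by the allow-only and mixed sets.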
Disadvantages of filters
Although using filter sets can greatly enhance network security, there
are disadvantages:
■ Filters are complex. Combining them in filter sets introduces
  subtle interactions, increasing the likelihood of implementation
  errors.
■ Enabling a large number of filters can have a negative impact on
  performance. Processing of packets will take longer if they have