Zhone 2000 ユーザーガイド
A p p l i c a t i o n N o t e s
253
“filter.” A filter is simply as set of rules that determine whether a packet
should be passed or discarded as it crosses an interface. An interface is any
port that carries IP traffic. On the IAD, it can be on of the following: Ethernet
port, PPP connection, ATM PVC, or FR DLCI. IP filtering can selectively
pass or discard IP packets based on one or more of the following properties:
should be passed or discarded as it crosses an interface. An interface is any
port that carries IP traffic. On the IAD, it can be on of the following: Ethernet
port, PPP connection, ATM PVC, or FR DLCI. IP filtering can selectively
pass or discard IP packets based on one or more of the following properties:
•
Protocol (IP, ICMP, TCP, and UDP)
•
Protocol flags (for TCP and ICMP only)
•
Source and/or Destination IP address
•
Source and/or Destination port number
Information Policy
Before you define a filtering rule set, you must determine what information
you will permit to enter or exit the network and who should have access to
that information. This “information policy” can be divided into two broad
groups: open and closed. An open information policy, by default, allows
access to everything; filters are put in place to block access only to a small
number of sensitive addresses and/or protocols. This type of policy is
typically used in a trusted network situation that places a premium on
openness rather than security. Any filters applied are intended to deny access
to sensitive information not intended for public viewing, such as financial
data. A closed information policy, by default, blocks access to everything;
filters are put in place to allow access only to approved addresses and/or
protocols. A closed information policy is used when security and network
integrity are more important than ease of access. If your network is connected
to the Internet, a closed information policy will make your system less
vulnerable to attack.
you will permit to enter or exit the network and who should have access to
that information. This “information policy” can be divided into two broad
groups: open and closed. An open information policy, by default, allows
access to everything; filters are put in place to block access only to a small
number of sensitive addresses and/or protocols. This type of policy is
typically used in a trusted network situation that places a premium on
openness rather than security. Any filters applied are intended to deny access
to sensitive information not intended for public viewing, such as financial
data. A closed information policy, by default, blocks access to everything;
filters are put in place to allow access only to approved addresses and/or
protocols. A closed information policy is used when security and network
integrity are more important than ease of access. If your network is connected
to the Internet, a closed information policy will make your system less
vulnerable to attack.
Filtering Interface
You may apply IP Filtering to any interface that carries IP traffic. Rule sets
can be defined for both inbound and outbound traffic through each interface.
The block diagram below shows where IP Filtering is performed on the IAD.
can be defined for both inbound and outbound traffic through each interface.
The block diagram below shows where IP Filtering is performed on the IAD.