Zhone 2004 ユーザーガイド
C-4
2 0 0 0 - A 2 - G B 2 2 - 0 0
accessible from the Internet. When the Alias entry is configured, the
following information must be entered:
following information must be entered:
•
Local IP Address
− the local IP address as seen from the LAN.
•
Internet IP Address
− the IP address of the device as seen from the Internet.
When configuring a NAT Alias entry, the alias’s Internet IP address must also
be configured on the WAN port. This must be configured with an IP mask of
255.255.255.255 if the alias’s Internet IP address is on the same subnet as the
IAD’s WAN IP address. If the alias’s Internet IP address is on a subnet
different from the IAD’s WAN IP address, the proper subnet mask should be
used. Refer to “Configure Port IP Address” on page 4-16 for further
information.
be configured on the WAN port. This must be configured with an IP mask of
255.255.255.255 if the alias’s Internet IP address is on the same subnet as the
IAD’s WAN IP address. If the alias’s Internet IP address is on a subnet
different from the IAD’s WAN IP address, the proper subnet mask should be
used. Refer to “Configure Port IP Address” on page 4-16 for further
information.
IP Filtering
IP Filtering controls IP traffic traveling through an interface by selectively
passing or discarding IP packets based on criteria expressed in the form of a
“filter.” A filter is simply as set of rules that determine whether a packet
should be passed or discarded as it crosses an interface. An interface is any
port that carries IP traffic. On the IAD, it can be on of the following: Ethernet
port, PPP connection, or ATM PVC. IP filtering can selectively pass or
discard IP packets based on one or more of the following properties:
passing or discarding IP packets based on criteria expressed in the form of a
“filter.” A filter is simply as set of rules that determine whether a packet
should be passed or discarded as it crosses an interface. An interface is any
port that carries IP traffic. On the IAD, it can be on of the following: Ethernet
port, PPP connection, or ATM PVC. IP filtering can selectively pass or
discard IP packets based on one or more of the following properties:
•
Protocol (IP, ICMP, TCP, and UDP)
•
Protocol flags (for TCP and ICMP only)
•
Source and/or Destination IP address
•
Source and/or Destination port number
Information Policy
Before you define a filtering rule set, you must determine what information
you will permit to enter or exit the network and who should have access to
that information. This “information policy” can be divided into two broad
groups: open and closed. An open information policy, by default, allows
access to everything; filters are put in place to block access only to a small
number of sensitive addresses and/or protocols. This type of policy is
typically used in a trusted network situation that places a premium on
openness rather than security. Any filters applied are intended to deny access
to sensitive information not intended for public viewing, such as financial
data. A closed information policy, by default, blocks access to everything;
filters are put in place to allow access only to approved addresses and/or
protocols. A closed information policy is used when security and network
integrity are more important than ease of access. If your network is connected
to the Internet, a closed information policy will make your system less
vulnerable to attack.
you will permit to enter or exit the network and who should have access to
that information. This “information policy” can be divided into two broad
groups: open and closed. An open information policy, by default, allows
access to everything; filters are put in place to block access only to a small
number of sensitive addresses and/or protocols. This type of policy is
typically used in a trusted network situation that places a premium on
openness rather than security. Any filters applied are intended to deny access
to sensitive information not intended for public viewing, such as financial
data. A closed information policy, by default, blocks access to everything;
filters are put in place to allow access only to approved addresses and/or
protocols. A closed information policy is used when security and network
integrity are more important than ease of access. If your network is connected
to the Internet, a closed information policy will make your system less
vulnerable to attack.