Nortel 4134 Guia Do Utilizador
22
Firewall and NAT Fundamentals
to go from the trusted to untrusted network based on a rule match, the
stateful firewall creates a network connection, which is uniquely identified
by certain elements of the packet. Based on the application type (and the
corresponding protocol), the appropriate inbound policy is dynamically
created. When a return packet is received, the packet is allowed as long as
the state of the network connection allows reception of this packet.
stateful firewall creates a network connection, which is uniquely identified
by certain elements of the packet. Based on the application type (and the
corresponding protocol), the appropriate inbound policy is dynamically
created. When a return packet is received, the packet is allowed as long as
the state of the network connection allows reception of this packet.
The inbound policy is a temporary policy that expires upon the expiry of the
network connection. Since the inbound policy does not keep ports open
indefinitely, network vulnerability is drastically reduced in comparison to a
packet filter.
network connection. Since the inbound policy does not keep ports open
indefinitely, network vulnerability is drastically reduced in comparison to a
packet filter.
Stateful inspection elements
Typically, a stateful firewall connection is identified by the following five
basic elements:
basic elements:
•
Source Address
•
Destination Address
•
Source Port
•
Destination Port
•
Protocol
Additional elements can also be included in the firewall connection for some
special protocols.
special protocols.
Virtual firewall zones
Most firewalls apply rules to single interfaces, but with the SR4134, this is
not the case. Instead, the SR4134 firewall places interfaces into rule sets
called virtual firewalls or zones. The advantage of configuring common rule
sets is that you can perform the most complex task (editing rules) once, and
apply this configuration across multiple interfaces. You no longer need to
repeat policy definitions on multiple interfaces. Once a policy is defined
for a zone, you can place any number of interfaces into that zone. As a
result, the SR4134 can accommodate complex policy configurations with
less duplication of rule entry.
not the case. Instead, the SR4134 firewall places interfaces into rule sets
called virtual firewalls or zones. The advantage of configuring common rule
sets is that you can perform the most complex task (editing rules) once, and
apply this configuration across multiple interfaces. You no longer need to
repeat policy definitions on multiple interfaces. Once a policy is defined
for a zone, you can place any number of interfaces into that zone. As a
result, the SR4134 can accommodate complex policy configurations with
less duplication of rule entry.
The SR4134 provides a default zone, the internet, that is the only available
untrusted zone. You must therefore add all untrusted interfaces to the
internet zone. You cannot create a second untrusted zone.
untrusted zone. You must therefore add all untrusted interfaces to the
internet zone. You cannot create a second untrusted zone.
The SR4134 does not trust inbound connections on interfaces that are in
the untrusted internet zone. These connections are blocked by default. Only
interfaces from within a trusted zone are trusted to start new connections.
the untrusted internet zone. These connections are blocked by default. Only
interfaces from within a trusted zone are trusted to start new connections.
Nortel Secure Router 4134
Security — Configuration and Management
NN47263-600
01.02
Standard
10.0
3 August 2007
Copyright © 2007, Nortel Networks
.