User Guide for Netopia PN Series

Security
Design guidelines
Careful thought should go into designing a new filter set. You should consider the following guidelines:

- Be sure the filter set’s overall purpose is clear from the beginning. A vague purpose can lead to a faulty set, and that can actually make your network less secure.
- Be sure each individual filter’s purpose is clear.
- Determine how filter priority will affect the set’s actions. Test the set (on paper) by determining how the filters would respond to a number of different hypothetical packets.
- Consider the combined effect of the filters. If every filter in a set fails to match on a particular packet, the packet is:
  - passed if all the filters are configured to discard (not forward).
  - discarded if all the filters are configured to pass (forward).
  - discarded if the set contains a combination of pass and discard filters.
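
The "on paper" test and the no-match rule above can be rehearsed in a few lines of Python. This is an added example, not code from the Netopia guide or firmware. It assumes that the first matching filter in priority order decides the packet's fate, and the Packet and Filter fields, the string-prefix source match and the sample sets are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:                     # hypothetical packet: only the fields matched here
    src: str
    proto: str
    dport: int

@dataclass(frozen=True)
class Filter:
    forward: bool                 # True = pass (forward), False = discard
    src_prefix: str = ""          # "" matches any source (plain string prefix, an assumption)
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (p.src.startswith(self.src_prefix)
                and self.proto in (None, p.proto)
                and self.dport in (None, p.dport))

def default_forward(filters) -> bool:
    """Fate of a packet that no filter matched, per the three cases in the list above."""
    # Passed only when every filter discards; discarded for all-pass and mixed sets.
    return all(not f.forward for f in filters)

def evaluate(filters, p: Packet):
    """Return (forwarded, reason). Assumes the first match in priority order decides."""
    for i, f in enumerate(filters, start=1):
        if f.matches(p):
            return f.forward, f"filter {i}"
    return default_forward(filters), "no match"

# Constructed filter sets and hypothetical packets for the paper test.
BLOCK_TELNET = [Filter(forward=False, proto="tcp", dport=23)]
ALLOW_WEB = [Filter(forward=True, proto="tcp", dport=80)]
MIXED = [Filter(forward=True, proto="tcp", dport=80),
         Filter(forward=False, src_prefix="10.")]
PACKETS = [Packet("192.0.2.7", "tcp", 23), Packet("192.0.2.7", "udp", 53),
           Packet("10.1.1.1", "tcp", 80)]

def paper_test(filters):
    return [evaluate(filters, p) for p in PACKETS]

if __name__ == "__main__":
    for name, fs in [("block-telnet", BLOCK_TELNET), ("allow-web", ALLOW_WEB), ("mixed", MIXED)]:
        for p, (fwd, why) in zip(PACKETS, paper_test(fs)):
            print(f"{name:13} {p} -> {'pass' if fwd else 'discard'} ({why})")
```

In the mixed set the third packet is forwarded by filter 1 even though filter 2 would discard its source, which is the priority effect the guidelines ask you to check before deploying a set.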
Disadvantages of filters
Although using filter sets can greatly enhance network security, there are disadvantages:

- Filters are complex. Combining them in filter sets introduces subtle interactions, increasing the likelihood of implementation errors.
- Enabling a large number of filters can have a negative impact on performance. Processing of packets will take longer if they have to go through many checkpoints.