Administrator’s Handbook
Parts of a filter
A filter consists of criteria based on packet attributes. A typical filter can match a packet on any one of the following attributes:
◆ The source IP address (where the packet was sent from)
◆ The destination IP address (where the packet is going)
◆ The type of higher-layer Internet protocol the packet is carrying, such as TCP or UDP
Other filter attributes
Each filter also has three further attributes that are not matching criteria but control how it is applied:
◆ The filter’s order (i.e., priority) in the filterset
◆ Whether the filter is currently active
◆ Whether the filter is set to forward packets or to block (discard) packets
Design guidelines
Careful thought must go into designing a new filterset. You should consider the following guidelines:
◆ Be sure the filterset’s overall purpose is clear from the beginning. A vague purpose can lead to a faulty set, and that can actually make your network less secure.
◆ Be sure each individual filter’s purpose is clear.
◆ Determine how filter priority will affect the set’s actions. Filters are checked in priority order, so the first filter that matches decides the packet’s fate. Test the set (on paper) by working out how the filters would respond to a number of different hypothetical packets.
◆ Consider the combined effect of the filters. If no filter in the set matches a particular packet, the packet is:
• Forwarded if all the filters are configured to discard (not forward)
• Discarded if all the filters are configured to forward
• Discarded if the set contains a combination of forward and discard filters
An approach to using filters
The ultimate goal of network security is to prevent unauthorized access to the network without compromising
authorized access. Using filtersets is part of reaching that goal.
Each filterset you design will be based on one of the following approaches:
◆ That which is not expressly prohibited is permitted.
◆ That which is not expressly permitted is prohibited.
It is strongly recommended that you take the latter, and safer, approach to all of your filterset designs.
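The following is an added example, not code from the handbook or its vendor. It is a small tabletop evaluator for doing the "test the set on paper" exercise from the design guidelines, and it also shows why the recommended "not expressly permitted is prohibited" approach falls out of the no-match rule: a filterset built only from forward filters discards everything else. The matching fields (source, destination, higher-layer protocol), the priority/active/action attributes and the no-match rule are the ones the page describes; the class and function names, the sample addresses and filtersets, the convention that a lower priority number is evaluated first, and the choice to ignore inactive filters when computing the no-match default are assumptions made for the example.

```python
"""Tabletop evaluator for a packet filterset (added example, not the handbook's code).

Assumptions not stated on the page: lower priority number is checked first,
and inactive filters are ignored both for matching and when computing the
default action for unmatched packets.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src: str    # source IP address
    dst: str    # destination IP address
    proto: str  # higher-layer protocol carried, e.g. "tcp" or "udp"


@dataclass
class Filter:
    priority: int                 # order in the set; lower is evaluated first (assumption)
    action: str                   # "forward" or "discard"
    src: Optional[str] = None     # CIDR prefix, or None for "any source"
    dst: Optional[str] = None     # CIDR prefix, or None for "any destination"
    proto: Optional[str] = None   # "tcp"/"udp"/..., or None for "any protocol"
    active: bool = True

    def matches(self, pkt: Packet) -> bool:
        """True only when every criterion the filter specifies matches the packet."""
        if self.src is not None and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != pkt.proto.lower():
            return False
        return True


def default_action(filterset: List[Filter]) -> str:
    """Fate of a packet that no filter matched, following the handbook's rule:
    forwarded only if every (active) filter discards; discarded if every filter
    forwards or the set mixes both.  An empty or all-inactive set discards."""
    actions = {f.action for f in filterset if f.active}
    return "forward" if actions == {"discard"} else "discard"


def evaluate(filterset: List[Filter], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Walk the set in priority order; the first active matching filter decides.
    Returns (action, priority of the deciding filter) or (default, None)."""
    for f in sorted(filterset, key=lambda f: f.priority):
        if f.active and f.matches(pkt):
            return f.action, f.priority
    return default_action(filterset), None


def tabletop(filterset: List[Filter], packets: List[Packet]) -> List[Tuple[str, Optional[int]]]:
    """Run a list of hypothetical packets through a set, one result per packet."""
    return [evaluate(filterset, p) for p in packets]


# Constructed sets for the exercise (addresses are documentation/private ranges).

# "Not expressly permitted is prohibited": every filter forwards, so the
# no-match default is discard.  Only the two listed flows get through.
PERMIT_ONLY = [
    Filter(1, "forward", src="192.168.1.0/24", dst="10.0.0.5/32", proto="tcp"),
    Filter(2, "forward", dst="10.0.0.53/32", proto="udp"),
]

# Mixed set: one host is blocked ahead of a broad allow.  Priority decides.
MIXED = [
    Filter(1, "discard", src="192.168.1.99/32"),
    Filter(2, "forward", src="192.168.1.0/24"),
]

# Same two filters with priorities swapped: the broad allow now wins, and the
# host-specific discard can never fire.
MIXED_SWAPPED = [
    Filter(2, "discard", src="192.168.1.99/32"),
    Filter(1, "forward", src="192.168.1.0/24"),
]

# "Not expressly prohibited is permitted": every active filter discards, so
# anything unmatched is forwarded.  The inactive filter plays no part.
DENY_LIST = [
    Filter(1, "discard", src="203.0.113.0/24"),
    Filter(2, "discard", proto="udp", active=False),
]


if __name__ == "__main__":
    probes = [
        Packet("192.168.1.10", "10.0.0.5", "tcp"),
        Packet("192.168.1.10", "10.0.0.5", "udp"),
        Packet("192.168.1.99", "10.0.0.5", "tcp"),
        Packet("198.51.100.1", "10.0.0.5", "udp"),
    ]
    for name, fs in [("PERMIT_ONLY", PERMIT_ONLY), ("MIXED", MIXED),
                     ("MIXED_SWAPPED", MIXED_SWAPPED), ("DENY_LIST", DENY_LIST)]:
        print(name, tabletop(fs, probes))
```

Walking `PERMIT_ONLY` with a UDP packet to 10.0.0.5 shows the recommended stance in action: nothing matches, every filter is a forward filter, so the packet is discarded. Comparing `MIXED` with `MIXED_SWAPPED` on a packet from 192.168.1.99 shows the priority pitfall the guidelines warn about: the same two filters give opposite answers depending on their order, and in the swapped set the host-specific discard is dead.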