Adit 3000 (Rel. 1.6) and MSR Card (Rel 2.0) GUI 4-37
Security
Firewall Implementation
The Adit provides very powerful NAT and firewall capabilities. This section provides some of the
underlying implementation details so that users who are familiar with the low-level action of firewalls
will know what behaviors to expect from the Adit. Users who do not need this level of detail can skip
this section.
Network Connection Configuration
The Network Connection setup screens contain three configuration items for each IP interface that
influence the NAT and firewall behavior of the Adit. These include the Network Type, Routing Mode,
and Internet Connection Firewall settings, described below.
Network Type
Normally the user does not need to change the network type from the default setting applied when
the network connection is created. The effects of each setting are as follows:
LAN
A network connection designated as type LAN is used for private LAN hosts. This is usually
the local network containing hosts that are directly managed by the local administrator. From
the firewall perspective, hosts on the LAN connections are considered inherently trusted, unless
designated otherwise by the administrator. When NAPT routing mode is enabled on other
WAN network connections, hosts that are in the directly connected subnets of any LAN
network connection will have NAPT applied against sessions that are initiated from the LAN
network toward the WAN network.
WAN
A network connection designated as type WAN is used for the interface that provides a path to
the Internet. From the firewall perspective, hosts on the WAN interfaces are considered
inherently untrusted, unless designated otherwise by the administrator. WAN interfaces are
typically secured by enabling the Internet Connection Firewall and often using NAPT routing
mode if connected to the Internet.
DMZ
A network connection designated as type DMZ is used for an interface that contains servers that
provide public access. Packets between a DMZ network interface and a WAN network interface
are passed by default, unless explicitly blocked by user configured rules (see the processing
sequence tables in Firewall Processing Sequence on page 4-39). This designation, with its
inherent insecurity, should not typically be needed by most users. There are other ways to
expose servers to the public hosts that are more secure and better suited to mixing both servers
and private hosts on the same interface.