Security 13-11

Filtering example #2

Suppose a filter is configured to block all incoming IP packets with the source IP address of 200.233.14.0, regardless of the type of connection or its destination. The filter would look like this:

+---+----------------+--------------+-------+----------+--------+-----+-----+
| # | Source IP Addr | Dest IP Addr | Proto | Src.Port | D.Port | On? | Fwd |
+---+----------------+--------------+-------+----------+--------+-----+-----+
| 1 | 200.233.14.0   | 0.0.0.0      | 0     |          |        | Yes | No  |
+---+----------------+--------------+-------+----------+--------+-----+-----+

This filter blocks any packets coming from a remote network with the IP network address 200.233.14.0. The 0 at the end of the address signifies any host on the class C IP network 200.233.14.0. If, for example, the filter is applied to a packet with the source IP address 200.233.14.5, it will block it.

In this case, the mask, which does not appear in the table, must be set to 255.255.255.0. This way, all packets with a source address of 200.233.14.x are matched, no matter what the final address byte is. Check the mask first when a filter appears not to fire: with a mask of 255.255.255.255 the same row matches only the single address 200.233.14.0, and a packet from 200.233.14.5 would not be blocked.

Note: The protocol attribute for this filter is 0 by default. This tells the filter to ignore the IP protocol or type of IP packet.

Design guidelines

Careful thought must go into designing a new filter set. You should consider the following guidelines:

Be sure the filter set’s overall purpose is clear from the beginning. A vague purpose can lead to a faulty set, and that can actually make your network less secure.

Be sure each individual filter’s purpose is clear.

Determine how filter priority will affect the set’s actions. Test the set (on paper) by determining how the filters would respond to a number of different hypothetical packets.

Consider the combined effect of the filters. If every filter in a set fails to match on a particular packet, the packet is:

Passed if all the filters are configured to discard (not forward)

Discarded if all the filters are configured to pass (forward)

Discarded if the set contains a combination of pass and discard filters
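The following is an added worked example, not code from the Farallon manual or the R9100 firmware: a small Python model of the filter semantics described in Filtering example #2 (address plus mask, protocol 0 meaning any) and in the combined-effect rule above, so the "test on paper" can be run over constructed packets. Two things are assumptions rather than statements on this page: filters are tried in table order and the first match decides (the ordering the guideline calls filter priority), and a set with no filters at all blocks nothing. The 192.0.2.x, 198.51.100.x and 203.0.113.x addresses in the mixed set are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Constructed packet: only the header fields a filter inspects."""
    src: str
    dst: str
    proto: int = 0      # IP protocol number (1 = ICMP, 6 = TCP, 17 = UDP)
    sport: int = 0      # 0 = protocol carries no port
    dport: int = 0


@dataclass(frozen=True)
class Filter:
    """One row of the filter table, plus the masks the page says are set separately."""
    number: int
    src_addr: str
    src_mask: str
    dst_addr: str
    dst_mask: str
    proto: int = 0                 # 0 = ignore the IP protocol (the page's default)
    sport: Optional[int] = None    # None = any source port
    dport: Optional[int] = None    # None = any destination port
    on: bool = True                # "On?" column
    forward: bool = False          # "Fwd" column: True = pass, False = discard

    @staticmethod
    def _masked_match(addr: str, mask: str, candidate: str) -> bool:
        a = int(ipaddress.IPv4Address(addr))
        m = int(ipaddress.IPv4Address(mask))
        c = int(ipaddress.IPv4Address(candidate))
        return (c & m) == (a & m)   # mask 0.0.0.0 matches anything, 255.255.255.255 one host

    def matches(self, p: Packet) -> bool:
        if not self.on:
            return False
        if not self._masked_match(self.src_addr, self.src_mask, p.src):
            return False
        if not self._masked_match(self.dst_addr, self.dst_mask, p.dst):
            return False
        if self.proto != 0 and p.proto != self.proto:
            return False
        if self.sport is not None and p.sport != self.sport:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        return True


def unmatched_default(filters: List[Filter]) -> bool:
    """Fate of a packet no filter matched, per the combined-effect rule above."""
    actions = {f.forward for f in filters}
    if not actions:         # assumption: an empty set blocks nothing
        return True
    if actions == {False}:  # every filter discards -> unmatched packet is passed
        return True
    return False            # all pass, or a mixture -> unmatched packet is discarded


def evaluate(filters: List[Filter], p: Packet) -> Tuple[bool, Optional[int]]:
    """Return (forwarded?, number of the deciding filter, or None if none matched).

    Assumption: filters are tried in table order and the first match decides.
    """
    for f in sorted(filters, key=lambda f: f.number):
        if f.matches(p):
            return f.forward, f.number
    return unmatched_default(filters), None


# Filtering example #2 from the page: discard everything from 200.233.14.x.
EXAMPLE_2 = [Filter(1, "200.233.14.0", "255.255.255.0", "0.0.0.0", "0.0.0.0")]

# Same row with a host mask: only 200.233.14.0 itself matches, .5 slips through.
EXAMPLE_2_HOST_MASK = [Filter(1, "200.233.14.0", "255.255.255.255", "0.0.0.0", "0.0.0.0")]

# Constructed mixed set: pass TCP/25 to one mail host, discard the 203.0.113.x network.
MIXED = [
    Filter(1, "0.0.0.0", "0.0.0.0", "192.0.2.25", "255.255.255.255", proto=6, dport=25, forward=True),
    Filter(2, "203.0.113.0", "255.255.255.0", "0.0.0.0", "0.0.0.0", forward=False),
]
# The same two filters with their priorities swapped.
MIXED_REORDERED = [
    Filter(1, "203.0.113.0", "255.255.255.0", "0.0.0.0", "0.0.0.0", forward=False),
    Filter(2, "0.0.0.0", "0.0.0.0", "192.0.2.25", "255.255.255.255", proto=6, dport=25, forward=True),
]


def paper_test() -> dict:
    """The guidelines' test on paper, run over constructed packets."""
    web = Packet("200.233.14.5", "192.0.2.10", proto=6, sport=1234, dport=80)
    smtp_from_blocked_net = Packet("203.0.113.9", "192.0.2.25", proto=6, sport=40000, dport=25)
    return {
        "ex2_inside_net": evaluate(EXAMPLE_2, web),                                   # (False, 1)
        "ex2_other_net": evaluate(EXAMPLE_2, Packet("200.233.15.5", "192.0.2.10", 6, 1234, 80)),  # (True, None)
        "host_mask_misses_dot5": evaluate(EXAMPLE_2_HOST_MASK, web),                  # (True, None)
        "mixed_order_leaks": evaluate(MIXED, smtp_from_blocked_net),                  # (True, 1)
        "mixed_reordered_blocks": evaluate(MIXED_REORDERED, smtp_from_blocked_net),   # (False, 1)
        "mixed_unmatched": evaluate(MIXED, Packet("198.51.100.7", "192.0.2.25", 6, 40000, 80)),  # (False, None)
    }
```

The two mixed sets make the priority point concrete: with the pass filter first, mail from the network the second filter is meant to discard is forwarded anyway, and only swapping the numbers gives the intended result. The unmatched case in the mixed set is discarded, so any traffic the set was not written for fails closed; in the single-filter set from example #2 the opposite holds, and anything not from 200.233.14.x passes.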

Disadvantages of filters

Although using filter sets can greatly enhance network security, there are disadvantages:

Filters are complex. Combining them in filter sets introduces subtle interactions, increasing the likelihood of implementation errors.

Enabling a large number of filters can have a negative impact on performance. Processing of packets will take longer if they have to go through many checkpoints.

Too much reliance on packet filters can cause too little reliance on other security methods. Filter sets are not a substitute for password protection, effective safeguarding of passwords, caller ID, the “must match”

Source: Farallon Communications R9100 manual, Security chapter, page 13-11 (Filtering example #2, Design guidelines, Disadvantages of filters).
