Motorola 6161252-00-01 Design guidelines, Disadvantages of filters, An approach to using filters

Models: Enterprise Series Routers 6161252-00-01


10-26 Administrator’s Handbook

In this case, the mask, which does not appear in the table, must be set to 255.255.255.0. This way, all packets with a source address of 200.233.14.x will be matched correctly, no matter what the final address byte is.

Note: The protocol attribute for this filter is 0 by default. This tells the filter to ignore the IP protocol or type of IP packet.

Design guidelines

Careful thought must go into designing a new filter set. You should consider the following guidelines:

Be sure the filter set’s overall purpose is clear from the beginning. A vague purpose can lead to a faulty set, and that can actually make your network less secure.

Be sure each individual filter’s purpose is clear.

Determine how filter priority will affect the set’s actions. Test the set (on paper) by determining how the filters would respond to a number of different hypothetical packets.

Consider the combined effect of the filters. If every filter in a set fails to match on a particular packet, the packet is:

Forwarded if all the filters are configured to discard (not forward)

Discarded if all the filters are configured to forward

Discarded if the set contains a combination of forward and discard filters

Disadvantages of filters

Although using filter sets can greatly enhance network security, there are disadvantages:

Filters are complex. Combining them in filter sets introduces subtle interactions, increasing the likelihood of implementation errors.

Enabling a large number of filters can have a negative impact on performance. Processing of packets will take longer if they have to go through many checkpoints.

Too much reliance on packet filters can cause too little reliance on other security methods. Filter sets are not a substitute for password protection, effective safeguarding of passwords, caller ID, the “must match” option in the answer profile, PAP or CHAP in connection profiles, callback, and general awareness of how your network may be vulnerable.

An approach to using filters

The ultimate goal of network security is to prevent unauthorized access to the network without compromising authorized access. Using filter sets is part of reaching that goal.

Each filter set you design will be based on one of the following approaches:

That which is not expressly prohibited is permitted.

That which is not expressly permitted is prohibited.
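The handbook's advice to test a filter set "on paper" against hypothetical packets, the combined-effect rule for packets that match no filter, and the two approaches above can all be exercised in a small model. The following is an added example written for this page; it is not the router's firmware or any Motorola code. It assumes a filter is described by a source address, a source mask, a protocol number (0 meaning "ignore protocol", as the handbook states), and a forward/discard action, and that filters are tried in priority order with the first match winning; the filter definitions and packets are constructed for illustration.

```python
"""Added example (not from the handbook): a minimal model of how a
priority-ordered filter set decides a packet's fate, including the
handbook's rule for packets that match no filter at all."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple


def _ip(addr: str) -> int:
    """Dotted-quad IPv4 address -> 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


@dataclass(frozen=True)
class Filter:
    name: str
    forward: bool              # True = forward matching packets, False = discard them
    src_addr: str = "0.0.0.0"  # address compared after masking
    src_mask: str = "0.0.0.0"  # 0.0.0.0 = any source address
    protocol: int = 0          # 0 = ignore the IP protocol (handbook default)

    def matches(self, src: str, protocol: int) -> bool:
        """Match when the masked source addresses agree and the protocol
        is either ignored (0) or equal to the packet's protocol."""
        mask = _ip(self.src_mask)
        if (_ip(src) & mask) != (_ip(self.src_addr) & mask):
            return False
        return self.protocol == 0 or self.protocol == protocol


def evaluate(filter_set: List[Filter], src: str, protocol: int) -> Tuple[bool, str]:
    """Return (forwarded?, reason). Filters are tried in priority order and
    the first match decides. With no match, the handbook's combined-effect
    rule applies: forwarded only if every filter in the set is a discard
    filter, otherwise discarded."""
    if not filter_set:
        # Assumption for this model: no filters means nothing is filtered.
        return True, "no filters applied"
    for f in filter_set:
        if f.matches(src, protocol):
            return f.forward, f.name
    if all(not f.forward for f in filter_set):
        return True, "no match: every filter discards, so forwarded"
    return False, "no match: set contains a forward filter, so discarded"


def paper_test(filter_set: List[Filter],
               packets: List[Tuple[str, int]]) -> Dict[str, Tuple[bool, str]]:
    """The handbook's 'test the set on paper': run hypothetical packets
    (source address, IP protocol number) through the set."""
    return {f"{src}/{proto}": evaluate(filter_set, src, proto)
            for src, proto in packets}


# Constructed filters. The first two use the 200.233.14.x example from the
# handbook: one with the mask the text prescribes, one with a mask that is
# too narrow and therefore only matches the exact address 200.233.14.0.
BLOCK_200_233_14 = Filter("discard-200.233.14.x", forward=False,
                          src_addr="200.233.14.0", src_mask="255.255.255.0")
WRONG_MASK = Filter("discard-wrong-mask", forward=False,
                    src_addr="200.233.14.0", src_mask="255.255.255.255")
ALLOW_TCP_FROM_LAN = Filter("forward-lan-tcp", forward=True,
                            src_addr="10.0.0.0", src_mask="255.0.0.0",
                            protocol=6)  # 6 = TCP

if __name__ == "__main__":
    packets = [("200.233.14.99", 17), ("200.233.15.1", 6),
               ("10.1.2.3", 6), ("10.1.2.3", 17)]
    for name, fs in [("discard-only set", [BLOCK_200_233_14]),
                     ("wrong-mask set", [WRONG_MASK]),
                     ("mixed set", [ALLOW_TCP_FROM_LAN, BLOCK_200_233_14])]:
        print(name)
        for pkt, (fwd, why) in paper_test(fs, packets).items():
            print(f"  {pkt:20} {'forward' if fwd else 'discard':8} ({why})")
```

Running the script shows the three points the handbook makes. With the correct mask, every 200.233.14.x source is discarded; with the too-narrow mask, 200.233.14.99 matches nothing and, because the set contains only discard filters, is forwarded, which is the "faulty set that makes the network less secure" the design guidelines warn about. A set built only from discard filters behaves as "that which is not expressly prohibited is permitted"; as soon as a forward filter is present, unmatched packets are discarded and the set behaves as "that which is not expressly permitted is prohibited".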
