8-70 User’s Reference Guide

Filtering example #2

Suppose a filter is configured to block all incoming IP packets with the source IP address of 200.233.14.0, regardless of the type of connection or its destination. The filter would look like this:

+-#---Source IP Addr---Dest IP Addr-----Proto-Src.Port-D.Port--On?-Fwd-+
+----------------------------------------------------------------------+
| 1   200.233.14.0     0.0.0.0          ANY   --       --      Yes No  |
+----------------------------------------------------------------------+

This filter blocks any packets coming from a remote network with the IP network address 200.233.14.0. The 0 at the end of the address signifies any host on the class C IP network 200.233.14.0. If, for example, the filter is applied to a packet with the source IP address 200.233.14.5, it will block it.

In this case, the mask, which does not appear in the table, must be set to 255.255.255.0. This way, all packets with a source address of 200.233.14.x will be matched correctly, no matter what the final address byte is.

Note: The protocol attribute for this filter is 0 by default. This tells the filter to ignore the IP protocol or type of IP packet.

Design guidelines

Careful thought must go into designing a new filter set. You should consider the following guidelines:

• Be sure the filter set’s overall purpose is clear from the beginning. A vague purpose can lead to a faulty set, and that can actually make your network less secure.

• Be sure each individual filter’s purpose is clear.

• Determine how filter priority will affect the set’s actions. Test the set (on paper) by determining how the filters would respond to a number of different hypothetical packets.

• Consider the combined effect of the filters. If every filter in a set fails to match on a particular packet, the packet is:

    • Passed if all the filters are configured to discard (not forward)

    • Discarded if all the filters are configured to pass (forward)

    • Discarded if the set contains a combination of pass and discard filters
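The "on paper" test described above can also be run as a small simulation. The following is an added example, not code from the Netopia guide or firmware: it models filter 1 from Filtering example #2 with its 255.255.255.0 mask and the no-match rules listed above. It assumes that filters are checked in order, that the first matching filter decides, and that only enabled filters count toward the no-match rule. The Filter class, the second and third filters, and the sample packets are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Filter:
    src: str              # Source IP Addr column
    src_mask: str         # mask (not shown in the table) applied before comparing
    forward: bool         # Fwd column: True = pass, False = discard
    proto: int = 0        # 0 = ANY, ignore the IP protocol
    enabled: bool = True  # On? column

    def matches(self, pkt_src: str, pkt_proto: int) -> bool:
        mask = int(ipaddress.IPv4Address(self.src_mask))
        want = int(ipaddress.IPv4Address(self.src)) & mask
        got = int(ipaddress.IPv4Address(pkt_src)) & mask
        return got == want and self.proto in (0, pkt_proto)

def default_forward(filters):
    """Fate of a packet that no filter matches, per the guidelines above."""
    actions = {f.forward for f in filters if f.enabled}  # assumption: enabled only
    # Passed only when every filter discards; discarded in the other two cases.
    return actions == {False}

def evaluate(filters, pkt_src, pkt_proto):
    """Return True if the packet is forwarded, False if it is discarded."""
    for f in filters:  # assumption: first matching filter decides
        if f.enabled and f.matches(pkt_src, pkt_proto):
            return f.forward
    return default_forward(filters)

# Filter 1 from the example, with the mask set to 255.255.255.0.
BLOCK_NET = Filter("200.233.14.0", "255.255.255.0", forward=False)
# Constructed variant: same filter with a mistaken host mask.
BLOCK_HOST = Filter("200.233.14.0", "255.255.255.255", forward=False)
# Constructed pass filter for a hypothetical trusted network.
PASS_TRUSTED = Filter("192.0.2.0", "255.255.255.0", forward=True)

# Constructed hypothetical packets: (source address, IP protocol number).
PACKETS = [("200.233.14.5", 6), ("200.233.15.5", 17), ("192.0.2.9", 6)]

def paper_test(filters, packets=PACKETS):
    """Map each packet's source address to True (passed) or False (discarded)."""
    return {src: evaluate(filters, src, proto) for src, proto in packets}
```

With the host mask, 200.233.14.5 no longer matches and is passed by the no-match rule. Adding a single pass filter to the set changes the fate of every unmatched packet from passed to discarded.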

Disadvantages of filters

Although using filter sets can greatly enhance network security, there are disadvantages:

• Filters are complex. Combining them in filter sets introduces subtle interactions, increasing the likelihood of implementation errors.

• Enabling a large number of filters can have a negative impact on performance. Processing of packets will take longer if they have to go through many checkpoints.

• Too much reliance on packet filters can cause too little reliance on other security methods. Filter sets are not a substitute for password protection, effective safeguarding of passwords, caller ID, the “must match” option in the answer profile, PAP or CHAP in connection profiles, callback, and general awareness of how


D7100 SDSL, D3232 IDSL, D3100-I IDSL, D7171 SDSL specifications

Netopia offers a range of advanced digital subscriber line (DSL) modems that cater to various connectivity needs. Among these, the D7171 SDSL, D3100-I IDSL, D3232 IDSL, and D7100 SDSL models stand out for their robust features and technologies designed to enhance the user experience.

The Netopia D7171 SDSL modem is engineered for symmetrical digital subscriber line (SDSL) services, delivering equal upload and download speeds. It supports high-speed data transfers over standard copper lines, enabling businesses to maintain consistent performance for applications such as video conferencing and large file transfers. Key features of the D7171 include enhanced security protocols, a built-in firewall to protect against unauthorized access, and multiple interface options for flexible connectivity.

Moving to the D3100-I IDSL, this model caters to users who require a reliable internet connection over a longer distance than traditional DSL can provide. The IDSL technology enables it to function effectively in areas where standard DSL is unavailable or unreliable. It provides a lower bandwidth solution yet is valuable in reaching remote locations. This modem is particularly recognized for its ease of installation and robust performance, featuring built-in diagnostics that help troubleshoot potential connection issues.

In the same family, the D3232 IDSL offers similar advantages but with a focus on higher capacity and scalability. It is designed for small to medium enterprises that require greater bandwidth for multiple users or devices. This modem also supports both voice and data transmission, making it an attractive option for unified communications. The D3232 comes equipped with advanced networking features, including Quality of Service (QoS) capabilities to prioritize bandwidth for critical applications.

Lastly, the D7100 SDSL modem is distinguished by its versatility and high-performance output. Supporting SDSL standards, it is perfect for businesses that need reliable, symmetrical speeds. This model is characterized by its extensive range of connectivity options, including Ethernet ports and support for various network protocols, ensuring seamless integration into existing network infrastructures. Additionally, it boasts excellent reliability, making it a favored choice for mission-critical applications.

In summary, Netopia's DSL modems, including the D7171 SDSL, D3100-I IDSL, D3232 IDSL, and D7100 SDSL, provide scalable and reliable internet connectivity solutions tailored to meet diverse business needs. With cutting-edge technology and a suite of features designed for performance, these models are well-suited to enhance productivity and support modern communications.