Design guidelines, Disadvantages of filters – Netopia Router PN Series User Manual

Security
Design guidelines
Careful thought should go into designing a new filter set. You should
consider the following guidelines:
■ Be sure the filter set’s overall purpose is clear from the beginning. A vague purpose can lead to a faulty set, and that can actually make your network less secure.
■ Be sure each individual filter’s purpose is clear.
■ Determine how filter priority will affect the set’s actions. Test the set (on paper) by determining how the filters would respond to a number of different hypothetical packets.
■ Consider the combined effect of the filters. If every filter in a set fails to match on a particular packet, the packet is:
    ■ passed if all the filters are configured to discard (not forward).
    ■ discarded if all the filters are configured to pass (forward).
    ■ discarded if the set contains a combination of pass and discard filters.
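The paper test and the no-match rules above, as an added example (not from the Netopia manual or firmware): a small Python model that runs hypothetical packets through a filter set and reports where the outcome differs from the intent. It assumes list order is priority and that the first matching filter decides; the field names, filter names and addresses are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int

@dataclass(frozen=True)
class Filter:
    name: str
    forward: bool                 # True = pass (forward), False = discard
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None   # None = any protocol
    dport: Optional[int] = None   # None = any destination port
    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in (None, p.proto)
                and self.dport in (None, p.dport))

def evaluate(filters, p):
    """Return (forwarded, deciding filter name or 'no match')."""
    if not filters:
        raise ValueError("empty filter set is not covered by the guidelines")
    for f in filters:  # assumption: list order is priority, first match decides
        if f.matches(p):
            return f.forward, f.name
    # No-match rule from the guidelines: passed only if every filter discards.
    return all(not f.forward for f in filters), "no match"

def paper_test(filters, cases):
    """Return (packet, intended, actual) for every case that goes wrong."""
    results = [(p, want, evaluate(filters, p)) for p, want in cases]
    return [r for r in results if r[2][0] != r[1]]
# Constructed sample data (documentation addresses, hypothetical filters).
discard_only = [Filter("no-telnet", False, proto="tcp", dport=23)]
mixed = discard_only + [Filter("allow-web", True, dst="192.0.2.10/32", proto="tcp", dport=80)]
CASES = [  # (hypothetical packet, intended outcome: True = forwarded)
    (Packet("198.51.100.7", "192.0.2.10", "tcp", 23), False),
    (Packet("198.51.100.7", "192.0.2.10", "tcp", 80), True),
    (Packet("198.51.100.7", "192.0.2.53", "udp", 53), True),
]
if __name__ == "__main__":
    for name, fs in (("discard_only", discard_only), ("mixed", mixed)):
        print(name, paper_test(fs, CASES))
```

With the constructed data, `discard_only` passes the paper test, while adding the single pass filter in `mixed` turns the set into a combination, so the unmatched DNS packet is now discarded.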
Disadvantages of filters
Although using filter sets can greatly enhance network security,
there are disadvantages:
■ Filters are complex. Combining them in filter sets introduces subtle interactions, increasing the likelihood of implementation errors.
■ Enabling a large number of filters can have a negative impact on performance. Processing of packets will take longer if they have to go through many checkpoints.