Filtering tutorial, General filtering terms, Basic ip packet components – Netopia D3232 IDSL User Manual
Security 8-71
your network may be vulnerable.
An approach to using filters
The ultimate goal of network security is to prevent unauthorized access to the network without compromising
authorized access. Using filter sets is part of reaching that goal.
Each filter set you design will be based on one of the following approaches:
■ “That which is not expressly permitted is prohibited.”
■ “That which is not expressly prohibited is permitted.”
The first rule is far more secure, and is the best approach to filter design. It is far easier (and more secure) to
allow in or out only certain services and deny anything else. If the other rule is used, you would have to figure
out everything that you want to disallow, now and in the future.
Filtering tutorial
General filtering terms
Filter rule: A filter set is comprised of individual filter rules.
Filter set: A grouping of individual filter rules.
Firewall: A component or set of components that restrict access between a protected network and the Internet,
or between two networks.
Host: A workstation on the network.
Packet: Unit of communication on the Internet.
Packet filter: Packet filters allow or deny packets based on source or destination IP addresses, TCP or UDP
ports, or the TCP ACK bit.
Port: A number that defines a particular type of service.
Basic IP packet components
All IP packets contain the same basic header information, as follows:
Source IP Address: 163.176.132.18
Destination IP Address: 163.176.4.27
Source Port: 2541
Destination Port: 80
Protocol: TCP
ACK Bit: Yes
DATA: User Data
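The two design approaches described under "An approach to using filters" and the header fields listed above can be tied together with a small rule evaluator: each rule matches on exactly those fields, rules are checked in order, and the filter set's default decides any packet no rule matches. The Python below is an added example written for this page, not the Netopia router's own filter implementation. The protected-network prefix 163.176.0.0/16, the role of 163.176.4.27 as a web server, the outside address 198.51.100.7 and the rule contents are constructed for illustration; only the first sample packet is the one shown in the manual.

```python
"""Toy packet filter modelled on the header fields a packet filter inspects.

Constructed example (not Netopia code). A Rule matches on source/destination
IP, source/destination port, protocol and the TCP ACK bit; a FilterSet tries
its rules in order and falls back to a default action when none matches.
That default is where "not expressly permitted is prohibited" (default deny)
and "not expressly prohibited is permitted" (default permit) differ.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: str        # "TCP", "UDP", ...
    ack: bool = False    # TCP ACK bit; always False for non-TCP here


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    src: str = "0.0.0.0/0"           # CIDR or single address; /0 is a wildcard
    dst: str = "0.0.0.0/0"
    protocol: Optional[str] = None   # None matches any protocol
    src_port: Optional[int] = None   # None matches any port
    dst_port: Optional[int] = None
    ack: Optional[bool] = None       # None: ACK bit is not examined

    def matches(self, p: Packet) -> bool:
        """True when every field the rule specifies agrees with the packet."""
        if ip_address(p.src_ip) not in ip_network(self.src):
            return False
        if ip_address(p.dst_ip) not in ip_network(self.dst):
            return False
        if self.protocol is not None and p.protocol != self.protocol:
            return False
        if self.src_port is not None and p.src_port != self.src_port:
            return False
        if self.dst_port is not None and p.dst_port != self.dst_port:
            return False
        if self.ack is not None and p.ack != self.ack:
            return False
        return True


@dataclass
class FilterSet:
    rules: List[Rule] = field(default_factory=list)
    default: str = "deny"   # action when no rule matches

    def decide(self, p: Packet) -> str:
        """First matching rule wins; otherwise the set's default applies."""
        for r in self.rules:
            if r.matches(p):
                return r.action
        return self.default


# Constructed sample topology (assumed, not from the manual).
LAN = "163.176.0.0/16"
WEB_SERVER = "163.176.4.27"

# Approach 1: permit only the services you intend to offer, deny the rest.
# A TCP packet with the ACK bit set is part of an existing conversation; a
# packet opening a new connection has it clear, so matching on ACK lets
# replies to connections opened from inside return without admitting new
# inbound connections.
DEFAULT_DENY = FilterSet(
    rules=[
        Rule("permit", dst=WEB_SERVER, protocol="TCP", dst_port=80),
        Rule("permit", dst=LAN, protocol="TCP", ack=True),
    ],
    default="deny",
)

# Approach 2: enumerate what to forbid (here only telnet) and permit the rest.
DEFAULT_PERMIT = FilterSet(
    rules=[Rule("deny", dst=LAN, protocol="TCP", dst_port=23)],
    default="permit",
)

# Constructed inbound packets; the first reproduces the manual's sample header.
SAMPLES = {
    "manual_example": Packet("163.176.132.18", WEB_SERVER, 2541, 80, "TCP", ack=True),
    "new_conn_ssh": Packet("198.51.100.7", "163.176.4.30", 40000, 22, "TCP", ack=False),
    "established_reply": Packet("198.51.100.7", "163.176.4.30", 443, 51000, "TCP", ack=True),
    "telnet": Packet("198.51.100.7", "163.176.4.30", 40001, 23, "TCP", ack=False),
}


def evaluate(filter_set: FilterSet) -> dict:
    """Decision for every sample packet under the given filter set."""
    return {name: filter_set.decide(p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for label, fs in (("default deny", DEFAULT_DENY), ("default permit", DEFAULT_PERMIT)):
        print(label)
        for name, verdict in evaluate(fs).items():
            print(f"  {name:18s} -> {verdict}")
```

Running it shows the point the manual makes: under the default-deny set the unplanned inbound connection to port 22 is dropped while the web request and the established reply get through; under the default-permit set that same connection is admitted because nobody wrote a rule against it, which is exactly the "everything you want to disallow, now and in the future" problem.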