IP Rule Set Evaluation, Simplified cOS Core Traffic Flow – Amer Networks E5Web GUI User Manual
Page 194

As stated above, when cOS Core is started for the first time, the default IP rules drop all traffic so
at least one IP rule must be added to allow traffic to flow. In fact, two cOS Core components need
to be present:
• A route must exist in a cOS Core routing table which specifies on which interface packets should leave in order to reach their destination. A second route must also exist that indicates the source of the traffic is found on the interface where the packets enter.
• An IP rule in a cOS Core IP rule set which specifies the security policy that allows the packets from the source interface and network bound for the destination network to leave the Clavister Security Gateway on the interface decided by the route. If the IP rule used is an Allow rule then this is bi-directional by default.
The ordering of these steps is important. The route lookup occurs first to determine the exiting
interface and then cOS Core looks for an IP rule that allows the traffic to leave on that interface. If
a rule does not exist then the traffic is dropped.
Figure 3.5. Simplified cOS Core Traffic Flow
This description of traffic flow is an extremely simplified version of the full flow description found
in Section 1.3, “cOS Core State Engine Packet Flow”.
For example, before the route lookup is done, cOS Core first checks that traffic from the source
network should, in fact, be arriving on the interface where it was received. This is done by cOS
Core performing a reverse route lookup which means that the routing tables are searched for a
route that indicates the network should be found on that interface.
This second route should logically exist, since a bi-directional connection must have a pair of
routes associated with it, one for each direction.
3.6.2. IP Rule Set Evaluation
When a new connection, such as a TCP/IP connection, is being established through the Clavister
Security Gateway, the IP rule set is scanned from top to bottom until a rule that matches the
parameters of the new connection is found. The first matching rule's Action is then performed.
If the action allows it, the establishment of the new connection will go ahead. A new entry or
state representing the new connection will then be added to the cOS Core internal state table
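The sequence described above (reverse route lookup, route lookup to pick the exiting interface, then a top-to-bottom first-match scan of the IP rule set, with an Allow rule recorded in both directions and an implicit default drop) as a small Python model. This is an added example, not Clavister's code; the routing table, rule set, interface names and addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

def net(s):
    return ipaddress.ip_network(s)

@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network   # network reachable via this route
    interface: str                   # interface on which that network is found

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "Allow" or "Drop"
    src_if: str
    src_net: ipaddress.IPv4Network
    dst_if: str
    dst_net: ipaddress.IPv4Network

# Constructed sample routing table and IP rule set (not taken from the manual).
ROUTES = [Route(net("192.168.1.0/24"), "lan"), Route(net("0.0.0.0/0"), "wan")]
RULES = [Rule("lan_to_wan", "Allow", "lan", net("192.168.1.0/24"), "wan", net("0.0.0.0/0"))]

def route_lookup(routes, ip):
    """Longest-prefix match: return the Route whose network contains ip, or None."""
    matches = [r for r in routes if ip in r.network]
    return max(matches, key=lambda r: r.network.prefixlen, default=None)

def evaluate(routes, rules, in_if, src, dst, state_table):
    """Return (action, reason) for a new connection arriving on interface in_if."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # 1. Reverse route lookup: the source network must be routed via the receiving interface.
    rev = route_lookup(routes, src)
    if rev is None or rev.interface != in_if:
        return ("Drop", "reverse route lookup failed")
    # 2. Forward route lookup decides the exiting interface.
    fwd = route_lookup(routes, dst)
    if fwd is None:
        return ("Drop", "no route to destination")
    # 3. Scan the rule set top to bottom; the first matching rule's action is performed.
    for rule in rules:
        if (rule.src_if == in_if and src in rule.src_net
                and rule.dst_if == fwd.interface and dst in rule.dst_net):
            if rule.action == "Allow":
                # An Allow rule is bi-directional: record both directions in the state table.
                state_table.add((src, dst))
                state_table.add((dst, src))
            return (rule.action, rule.name)
    # 4. No rule matched: the default rule drops the traffic.
    return ("Drop", "default drop")
```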
Chapter 3: Fundamentals