1.2. NetDefendOS Architecture
1.2.1. State-based Architecture
The NetDefendOS architecture is centered around the concept of state-based connections.
Traditional IP routers or switches commonly inspect all packets and then perform forwarding
decisions based on information found in the packet headers. With this approach, packets are
forwarded without any sense of context which eliminates any possibility to detect and analyze
complex protocols and enforce corresponding security policies.
Stateful Inspection
NetDefendOS employs a technique called stateful inspection which means that it inspects and
forwards traffic on a per-connection basis. NetDefendOS detects when a new connection is being
established, and keeps a small piece of information or state in its state table for the lifetime of that
connection. By doing this, NetDefendOS is able to understand the context of the network traffic,
which enables it to perform in-depth traffic scanning, apply bandwidth management and much
more.
The stateful inspection approach additionally provides high throughput performance with the added
advantage of a design that is highly scalable. The NetDefendOS subsystem that implements stateful
inspection will sometimes be referred to in documentation as the NetDefendOS state-engine.
1.2.2. NetDefendOS Building Blocks
The basic building blocks in NetDefendOS are interfaces, logical objects and various types of rules
(or rule sets).
Interfaces
Interfaces are the doorways through which network traffic enters or leaves the hardware;. Without
interfaces, a NetDefendOS system has no means for receiving or sending traffic.
The following types of interface are supported in NetDefendOS:
•
Physical interfaces - These correspond to the actual physical Ethernet ports.
•
Sub-interfaces - These include VLAN and PPPoE interfaces.
•
Tunnel interfaces - Used for receiving and sending traffic through VPN tunnels.
Interface Symmetry
The NetDefendOS interface design is symmetric, meaning that the interfaces of the device are not
fixed as being on the "insecure outside" or "secure inside" of a network topology. The notion of
what is inside and outside is totally for the administrator to define.
Logical Objects
Logical objects can be seen as pre-defined building blocks for use by the rule sets. The address
book, for instance, contains named objects representing host and network addresses.
Another example of logical objects are services which represent specific protocol and port
combinations. Also important are the Application Layer Gateway (ALG) objects which are used to
define additional parameters on specific protocols such as HTTP, FTP, SMTP and H.323.
1.2. NetDefendOS Architecture
Chapter 1. NetDefendOS Overview
17
Summary of Contents for DFL-210 - NetDefend - Security Appliance
Page 24: ...1 3 NetDefendOS State Engine Packet Flow Chapter 1 NetDefendOS Overview 24...
Page 69: ...2 6 4 Restore to Factory Defaults Chapter 2 Management and Maintenance 69...
Page 121: ...3 9 DNS Chapter 3 Fundamentals 121...
Page 181: ...4 7 5 Advanced Settings for Transparent Mode Chapter 4 Routing 181...
Page 192: ...5 5 IP Pools Chapter 5 DHCP Services 192...
Page 282: ...6 7 Blacklisting Hosts and Networks Chapter 6 Security Mechanisms 282...
Page 300: ...mechanism 7 3 7 SAT and FwdFast Rules Chapter 7 Address Translation 300...
Page 301: ...7 3 7 SAT and FwdFast Rules Chapter 7 Address Translation 301...
Page 318: ...8 3 Customizing HTML Pages Chapter 8 User Authentication 318...
Page 322: ...ALG 9 1 5 The TLS Alternative for VPN Chapter 9 VPN 322...
Page 377: ...Management Interface Failure with VPN Chapter 9 VPN 377...
Page 408: ...10 4 6 SLB_SAT Rules Chapter 10 Traffic Management 408...
Page 419: ...11 5 HA Advanced Settings Chapter 11 High Availability 419...
Page 426: ...12 3 5 Limitations Chapter 12 ZoneDefense 426...
Page 449: ...13 9 Miscellaneous Settings Chapter 13 Advanced Settings 449...