Configuring Filtering Rules for a WM-AD
Summit WM20 User Guide, Software Release 4.2
Filtering Rules for an Exception Filter
The exception filter provides a set of rules aimed at restricting the type of traffic that is delivered to the
controller. By default, your system is shipped with a set of restrictive filtering rules that help control
access through the interfaces to only absolutely necessary services.
When management is allowed on an interface, an additional set of rules is added to the shipped
filter rules to provide access to the system's management configuration framework (SSH, HTTPS,
SNMPAgent). Most of this functionality is handled behind the scenes by the system, rolling and
un-rolling canned filters as the system's topology and defined access privileges for an interface change.
NOTE
An interface for which Allow Management is enabled can be reached by any other interface. By default,
Allow Management is disabled and shipped interface filters will only permit the interface to be visible
directly from its own subnet.
The visible exception filter definitions, both in physical ports and WM-AD definitions, allow
administrators to define a set of rules to be prepended to the system's dynamically updated exception
filter protection rules. Rule evaluation is performed top to bottom, until an exact match is determined.
Therefore, these user-defined rules are evaluated before the system's own generated rules. As such, these
user-defined rules may inadvertently create security lapses in the system's protection mechanism or
create a scenario that filters out packets that are required by the system.
NOTE
Use exception filters only if absolutely necessary. It is recommended to avoid defining general allow all or deny all
rule definitions since those definitions can easily be too liberal or too restrictive to all types of traffic.
The exception rules are evaluated in the context of referring to the specific controller's interface. The
destination address for the filter rule definition is typically defined as the interface's own IP address.
The port number for the filter definition corresponds to the target (destination) port number for the
applicable service running on the controller's management plane.
The exception filter on a WM-AD applies only to the destination portion of the packet. Traffic to a
specified IP address and IP port is either allowed or denied. Adding exception filtering rules allows
network administrators to either tighten or relax the built-in filtering that automatically drops packets
not specifically allowed by filtering rule definitions. The exception filtering rules can deny access in the
event of a DoS attack, or can allow certain types of management traffic that would otherwise be denied.
Typically, Allow Management is enabled.
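The rule ordering described above, modelled as an added example (not code from the user guide or the controller): user-defined rules are prepended to a stand-in system rule set and evaluated first-match on destination IP and port, then audited for rules that reverse a system rule or act as a general allow. The address 192.0.2.10, the ports 22/443/161 and all function names are assumptions made for illustration.

```python
import ipaddress
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    action: str           # "allow" or "deny"
    dest: str             # destination IP or CIDR (the filter matches destination only)
    port: Optional[int]   # destination port; None means any port
    origin: str           # "user" (prepended) or "system" (generated)

def matches(rule, dst_ip, dst_port):
    in_net = ipaddress.ip_address(dst_ip) in ipaddress.ip_network(rule.dest)
    return in_net and rule.port in (None, dst_port)

def evaluate(rules, dst_ip, dst_port):
    """Top to bottom, first match wins; unmatched packets are dropped."""
    for rule in rules:
        if matches(rule, dst_ip, dst_port):
            return rule.action, rule.origin
    return "deny", "default"

def overridden(user_rules, system_rules):
    """(user, system) pairs where a user rule fully covers a system rule
    and reverses its verdict. Partial overlaps are not reported."""
    findings = []
    for s in system_rules:
        s_net = ipaddress.ip_network(s.dest)
        for u in user_rules:
            if s_net.subnet_of(ipaddress.ip_network(u.dest)) and u.port in (None, s.port):
                if u.action != s.action:
                    findings.append((u, s))
                break  # the first covering user rule decides
    return findings

def general_allows(user_rules):
    """User allow rules that are any-port or wider than one host."""
    return [u for u in user_rules if u.action == "allow" and
            (u.port is None or ipaddress.ip_network(u.dest).num_addresses > 1)]

# Constructed sample data: documentation-range address, stand-in system rules.
IFACE = "192.0.2.10"
SYSTEM = [Rule("allow", IFACE, p, "system") for p in (22, 443, 161)]
DENY_ALL = [Rule("deny", "0.0.0.0/0", None, "user")]
ALLOW_ALL = [Rule("allow", "0.0.0.0/0", None, "user")]
NARROW = [Rule("deny", IFACE, 161, "user")]

if __name__ == "__main__":
    for name, user in (("deny-all", DENY_ALL), ("allow-all", ALLOW_ALL), ("narrow", NARROW)):
        print(name, evaluate(user + SYSTEM, IFACE, 443), evaluate(user + SYSTEM, IFACE, 23),
              len(overridden(user, SYSTEM)), len(general_allows(user)))
```

A prepended deny-all reverses every system allow rule, while a prepended allow-all reverses none of them but admits traffic the default drop would have discarded, which is why the audit checks both conditions.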
To define filtering rules for an exception filter:
1 From the main menu, click WM-AD Configuration. The WM-AD Configuration screen is displayed.
2 In the left pane WM Access Domains list, click the WM-AD you want to define filter ID values for. The Topology tab is displayed.
3 Click the Filtering tab.
4 From the Filter ID drop-down list, select Exception.