network such as the Internet. The two networks being connected together communicate with a
common protocol which is tunneled using GRE through the intervening network. Examples of GRE
usage are:
• Traversing network equipment that blocks a particular protocol.
• Tunneling IPv6 traffic across an IPv4 network.
• Where a UDP data stream is to be multicast and it is necessary to transit through a network
device which does not support multicasting. GRE allows tunneling through the network device.
GRE Security and Performance
A GRE tunnel does not use any encryption for the communication and is therefore not, in itself,
secure: plain GRE neither hides the tunneled payload nor authenticates the remote endpoint. Any
security must come from the protocol being tunneled. The advantage of GRE's lack of encryption is
the high performance which is achievable because of the low traffic processing overhead. The lack
of encryption can be acceptable in some circumstances if the tunneling is done across an internal
network that is not public.
Setting Up GRE
Like other tunnels in NetDefendOS such as an IPsec tunnel, a GRE Tunnel is treated as a logical
interface by NetDefendOS, with the same filtering, traffic shaping and configuration capabilities as
a standard interface. The GRE options are:
• IP Address - This is the IP address of the sending interface. This is optional and can be left
blank. If it is left blank then the sending IP address will default to the local host address of
127.0.0.1.
• Remote Network - The remote network which the GRE tunnel will connect with.
• Remote Endpoint - This is the IP address of the remote device which the tunnel will connect
with.
• Use Session Key - A unique number can optionally be specified for the tunnel. This allows more
than one GRE tunnel to run between the same two endpoints. The Session Key value is used to
distinguish between them. It is an identifier carried in clear in the GRE header, not a secret,
and it provides no authentication of the remote endpoint.
• Additional Encapsulation Checksum - The GRE protocol allows for an additional checksum
over and above the IPv4 checksum. This provides an extra check of data integrity against
transmission errors; it is not a protection against deliberate modification, since anyone who
can alter the packet can recompute the checksum.
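The following is an added example, not NetDefendOS code and not from the original page. It builds and parses the GRE header defined in RFC 2784 (checksum flag) and RFC 2890 (key flag) so that the three points above can be seen in the bytes: the tunneled payload travels unencrypted, the optional checksum is an ordinary Internet checksum over the GRE header and payload, and a key lets several tunnels share the same pair of endpoints. The interface names in TUNNELS and the assumption that a tunnel is looked up by its key alone are illustrative choices made for this example.

```python
import struct
from typing import Optional, Tuple

# GRE flag bits in the first 16-bit word of the header (RFC 2784 / RFC 2890).
GRE_FLAG_CHECKSUM = 0x8000  # C bit: 16-bit checksum + 16-bit reserved word follow
GRE_FLAG_KEY = 0x2000       # K bit: 32-bit key field follows
PROTO_IPV4 = 0x0800         # Ethertype of the encapsulated protocol

# Hypothetical mapping of Session Key -> local tunnel interface name, used to
# show how two tunnels between the same endpoints are told apart.
TUNNELS = {100: "gre_branch_a", 200: "gre_branch_b"}


def internet_checksum(data: bytes) -> int:
    """Ones'-complement sum of 16-bit words, as used by IPv4 and GRE."""
    if len(data) % 2:
        data += b"\x00"  # pad odd-length data with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def gre_encapsulate(payload: bytes, proto: int = PROTO_IPV4,
                    key: Optional[int] = None, checksum: bool = False) -> bytes:
    """Prepend a GRE header to payload; the payload itself is left as-is."""
    flags = 0
    if checksum:
        flags |= GRE_FLAG_CHECKSUM
    if key is not None:
        flags |= GRE_FLAG_KEY
    header = struct.pack("!HH", flags, proto)
    if checksum:
        header += struct.pack("!HH", 0, 0)  # checksum placeholder, reserved1
    if key is not None:
        header += struct.pack("!I", key)
    if checksum:
        # Checksum covers the whole GRE header (checksum field zero) and payload.
        csum = internet_checksum(header + payload)
        header = header[:4] + struct.pack("!H", csum) + header[6:]
    return header + payload


def gre_decapsulate(packet: bytes) -> Tuple[int, Optional[int], bytes]:
    """Return (protocol, key or None, payload); raise ValueError on a bad checksum."""
    if len(packet) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", packet[:4])
    offset = 4
    key = None
    if flags & GRE_FLAG_CHECKSUM:
        # Summing the packet including its checksum field yields 0 when intact.
        if internet_checksum(packet) != 0:
            raise ValueError("bad GRE checksum")
        offset += 4
    if flags & GRE_FLAG_KEY:
        key = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    return proto, key, packet[offset:]


def tunnel_for_packet(packet: bytes) -> Optional[str]:
    """Demultiplex an incoming GRE packet to a tunnel interface by its key."""
    _proto, key, _payload = gre_decapsulate(packet)
    return TUNNELS.get(key)


if __name__ == "__main__":
    # Constructed sample payload; a real packet would carry an inner IP datagram.
    inner = b"hello from branch A"
    pkt = gre_encapsulate(inner, key=100, checksum=True)
    print("GRE packet:", pkt.hex())
    print("payload readable on the wire:", inner in pkt)      # True: no encryption
    print("delivered to:", tunnel_for_packet(pkt))            # gre_branch_a
    damaged = pkt[:-1] + bytes([pkt[-1] ^ 0xFF])
    try:
        gre_decapsulate(damaged)
    except ValueError as exc:
        print("damaged packet rejected:", exc)
```

Run the file directly to see the encapsulated bytes; the tunneled text is visible in the hex dump, which is the concrete form of the statement that GRE itself provides no confidentiality. The checksum catches the flipped byte, but an attacker who alters the packet simply recomputes it, so the check is only a defence against accidental corruption.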
The Advanced settings for a GRE interface are:
• Automatically add route for remote network - This option would normally be checked in
order that the routing table is automatically updated. The alternative is to manually create the
required route.
• Address to use as source IP - It is possible to specify a particular IP address as the source
interface IP for the tunnel.
GRE and the IP Rule Set
An established GRE tunnel does not automatically mean that all traffic coming from or to that GRE
tunnel is trusted. On the contrary, network traffic coming from the GRE tunnel will be transferred to
the NetDefendOS IP rule set for evaluation. The source interface of the network traffic will be the
name of the associated GRE Tunnel, so rules should match on that interface name rather than on the
physical interface the encapsulated packets arrived on. The same is true for traffic in the opposite
direction, that is, going into a GRE tunnel. Furthermore, a route has to be defined so NetDefendOS
knows what IP addresses should be accepted and sent through the tunnel.
3.3.5. GRE Tunnels
Chapter 3. Fundamentals
90