3.6. IP Rules
3.6.1. Security Policies
Before examining IP rule sets in detail, we will first look at the generic concept of security polices
to which IP rule sets belong.
Security Policy Characteristics
NetDefendOS security policies are configured by the administrator to regulate the way in which
traffic can flow through the NetDefend Firewall. Such policies are described by the contents of
different NetDefendOS rule sets. These rule sets share a uniform means of specifying filtering
criteria which determine the type of traffic to which they will apply. The possible filtering criteria
consist of the following:
Source Interface
An Interface or Interface Group where the packet is received at
the NetDefend Firewall. This could also be a VPN tunnel.
Source Network
The network that contains the source IP address of the packet.
This might be a NetDefendOS IP object which could define a
single IP address or range of addresses.
Destination Interface
An Interface or an Interface Group from which the packet
would leave the NetDefend Firewall. This could also be a VPN
tunnel.
Destination Network
The network to which the destination IP address of the packet
belongs. This might be a NetDefendOS IP object which could
define a single IP address or range of addresses.
Service
The protocol type to which the packet belongs. Service objects
define a protocol/port type. Examples are HTTP and ICMP.
Service objects also define any ALG which is to be applied to the
traffic
NetDefendOS provides a large number of predefined service
objects but administrator defined custom services can also be
created. Existing service objects can also be collected together
into service groups.
See Section 3.3, “Services” for more information about this topic.
The NetDefendOS Security Policy Rule Sets
The principle NetDefendOS rule sets that define NetDefendOS security policies, and which use the
same filtering parameters described above (networks/interfaces/service), include:
•
IP Rules
These determine which traffic is permitted to pass through the NetDefend Firewall as well as
determining if the traffic is subject to address translation. The network filter for these rules can
be IPv4 or IPv6 addresses (but not both in a single rule). They are described further later in this
section.
•
Pipe Rules
These determine which traffic triggers traffic shaping to take place and are described in
Section 10.1, “Traffic Shaping”.
3.6. IP Rules
Chapter 3. Fundamentals
137
Содержание NetDefend DFL-1660
Страница 28: ...1 3 NetDefendOS State Engine Packet Flow Chapter 1 NetDefendOS Overview 28 ...
Страница 88: ...2 6 3 Restore to Factory Defaults Chapter 2 Management and Maintenance 88 ...
Страница 166: ...3 10 DNS Chapter 3 Fundamentals 166 ...
Страница 254: ...4 7 5 Advanced Settings for Transparent Mode Chapter 4 Routing 254 ...
Страница 268: ...5 4 IP Pools Chapter 5 DHCP Services 268 ...
Страница 368: ...6 7 Blacklisting Hosts and Networks Chapter 6 Security Mechanisms 368 ...
Страница 390: ...7 4 7 SAT and FwdFast Rules Chapter 7 Address Translation 390 ...
Страница 414: ...8 3 Customizing Authentication HTML Pages Chapter 8 User Authentication 414 ...
Страница 490: ...9 8 6 Specific Symptoms Chapter 9 VPN 490 ...
Страница 528: ...10 4 6 Setting Up SLB_SAT Rules Chapter 10 Traffic Management 528 ...
Страница 544: ...11 7 HA Advanced Settings Chapter 11 High Availability 544 ...
Страница 551: ...12 3 5 Limitations Chapter 12 ZoneDefense 551 ...
Страница 574: ...Default 512 13 9 Miscellaneous Settings Chapter 13 Advanced Settings 574 ...
Страница 575: ...13 9 Miscellaneous Settings Chapter 13 Advanced Settings 575 ...