NetDefendOS Rule Sets
Finally, rules which are defined by the administrator in the various rule sets are used for actually
implementing NetDefendOS security policies. The most fundamental set of rules are the IP Rules,
which are used to define the layer 3 IP filtering policy as well as carrying out address translation and
server load balancing. The Traffic Shaping Rules define the policy for bandwidth management, the
IDP Rules control the behavior of the intrusion prevention engine and so on.
1.2.3. Basic Packet Flow
This section outlines the basic flow in the state-engine for packets received and forwarded by
NetDefendOS. The following description is simplified and might not be fully applicable in all
scenarios, however, the basic principles will be valid for all NetDefendOS deployments.
1.
An Ethernet frame is received on one of the Ethernet interfaces in the system. Basic Ethernet
frame validation is performed and the packet is dropped if the frame is invalid.
2.
The packet is associated with a Source Interface. The source interface is determined as follows:
•
If the Ethernet frame contains a VLAN ID (Virtual LAN identifier), the system checks for a
configured VLAN interface with a corresponding VLAN ID. If one is found, that VLAN
interface becomes the source interface for the packet. If no matching interface is found, the
packet is dropped and the event is logged.
•
If the Ethernet frame contains a PPP payload, the system checks for a matching PPPoE
interface. If one is found, that interface becomes the source interface for the packet. If no
matching interface is found, the packet is dropped and the event is logged.
•
If none the above is true, the receiving Ethernet interface becomes the source interface for
the packet.
3.
The IP datagram within the packet is passed on to the NetDefendOS Consistency Checker. The
consistency checker performs a number of sanity checks on the packet, including validation of
checksums, protocol flags, packet length and so on. If the consistency checks fail, the packet
gets dropped and the event is logged.
4.
NetDefendOS now tries to lookup an existing connection by matching parameters from the
incoming packet. A number of parameters are used in the match attempt, including the source
interface, source and destination IP addresses and IP protocol.
If a match cannot be found, a connection establishment process starts which includes steps
from here to 9 below. If a match is found, the forwarding process continues at step 10 below.
5.
The Access Rules are evaluated to find out if the source IP address of the new connection is
allowed on the received interface. If no Access Rule matches then a reverse route lookup will
be done in the routing tables.
In other words, by default, an interface will only accept source IP addresses that belong to
networks routed over that interface. A reverse lookup means that we look in the routing tables
to confirm that there is a route with this network as the destination on the same interface.
If the Access Rule lookup or the reverse route lookup determine that the source IP is invalid,
then the packet is dropped and the event is logged.
6.
A route lookup is being made using the appropriate routing table. The destination interface for
the connection has now been determined.
7.
The IP rules are now searched for a rule that matches the packet. The following parameters are
part of the matching process:
1.2.3. Basic Packet Flow
Chapter 1. NetDefendOS Overview
21
Содержание NetDefend DFL-1660
Страница 28: ...1 3 NetDefendOS State Engine Packet Flow Chapter 1 NetDefendOS Overview 28 ...
Страница 88: ...2 6 3 Restore to Factory Defaults Chapter 2 Management and Maintenance 88 ...
Страница 166: ...3 10 DNS Chapter 3 Fundamentals 166 ...
Страница 254: ...4 7 5 Advanced Settings for Transparent Mode Chapter 4 Routing 254 ...
Страница 268: ...5 4 IP Pools Chapter 5 DHCP Services 268 ...
Страница 368: ...6 7 Blacklisting Hosts and Networks Chapter 6 Security Mechanisms 368 ...
Страница 390: ...7 4 7 SAT and FwdFast Rules Chapter 7 Address Translation 390 ...
Страница 414: ...8 3 Customizing Authentication HTML Pages Chapter 8 User Authentication 414 ...
Страница 490: ...9 8 6 Specific Symptoms Chapter 9 VPN 490 ...
Страница 528: ...10 4 6 Setting Up SLB_SAT Rules Chapter 10 Traffic Management 528 ...
Страница 544: ...11 7 HA Advanced Settings Chapter 11 High Availability 544 ...
Страница 551: ...12 3 5 Limitations Chapter 12 ZoneDefense 551 ...
Страница 574: ...Default 512 13 9 Miscellaneous Settings Chapter 13 Advanced Settings 574 ...
Страница 575: ...13 9 Miscellaneous Settings Chapter 13 Advanced Settings 575 ...