Security 13-21
Firewall design rules
There are two basic rules to firewall design:
■ “What is not explicitly allowed is denied.”
and
■ “What is not explicitly denied is allowed.”
The first rule is far more secure, and is the best approach to firewall design. It is far easier (and more secure)
to allow in or out only certain services and deny everything else. If the other rule is used, you would have to figure
out everything that you want to disallow, now and in the future.
Firewall Logic
Firewall design is a test of logic, and filter rule ordering is critical. A packet is forwarded through the series of
filter rules in order; as soon as the packet matches a rule, the action of that rule is taken. The packet is not forwarded
through the remainder of the filter rules.
For example, if you had the following filter set...
Allow WWW access;
Allow FTP access;
Allow SMTP access;
Deny all other packets.
and a packet goes through these rules destined for FTP, the packet would pass through the first rule (WWW) without matching,
go through the second rule (FTP), and match this rule; the packet is allowed through.
For another example, if you had this filter set...
Allow WWW access;
Allow FTP access;
Deny FTP access;
Deny all other packets.
and a packet goes through these rules destined for FTP, the packet would pass through the first filter rule
(WWW) without matching, match the second rule (FTP), and the packet is allowed through. Even though the next rule is to deny all
FTP traffic, the FTP packet will never reach this rule, so the deny rule never takes effect.
Binary representation
It is easiest when doing filtering to convert the IP address and mask in question to binary. This will allow you to
perform the logical AND of the address and the mask to determine whether a packet matches a filter rule.
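The two points above, first-match rule ordering and the address/mask AND test, as an added Python example that is not part of the Netopia guide. The rule sets, service names and the 192.0.2.0/24 subnet are constructed for illustration; the shadowing check is a simplified one that only considers earlier any-address rules.

```python
# Added example (not from the Netopia guide): first-match packet filtering with
# binary address/mask comparison. Rules and packets below are constructed.
import ipaddress

def to_binary(ip: str) -> str:
    """Render a dotted-quad IPv4 address as 32 bits, dotted per octet for readability."""
    return ".".join(f"{int(octet):08b}" for octet in ip.split("."))

def matches(ip: str, network: str, mask: str) -> bool:
    """A packet address matches a rule when (address AND mask) == (network AND mask)."""
    addr = int(ipaddress.IPv4Address(ip))
    net = int(ipaddress.IPv4Address(network))
    m = int(ipaddress.IPv4Address(mask))
    return (addr & m) == (net & m)

# A rule is (action, service, network, mask); network=None means "any address".
def first_match(rules, dest_ip: str, service: str) -> str:
    """Walk the rules in order; the first matching rule decides and the rest are never seen."""
    for action, rule_service, network, mask in rules:
        service_ok = rule_service in ("ANY", service)
        addr_ok = network is None or matches(dest_ip, network, mask)
        if service_ok and addr_ok:
            return action
    return "DENY"  # "what is not explicitly allowed is denied"

def shadowed(rules) -> list:
    """Indices of rules that can never fire because an earlier any-address rule
    already covers their service (simplified check, constructed for this example)."""
    out = []
    for i, (_, svc, _, _) in enumerate(rules):
        if any(net is None and earlier_svc in ("ANY", svc)
               for _, earlier_svc, net, _ in rules[:i]):
            out.append(i)
    return out

# The second filter set from the text: deny-FTP sits below allow-FTP and is unreachable.
SHADOWED_RULES = [
    ("ALLOW", "WWW", None, None),
    ("ALLOW", "FTP", None, None),
    ("DENY", "FTP", None, None),
    ("DENY", "ANY", None, None),
]

# Same intent with the order corrected: the specific deny comes before the broad allow.
CORRECTED_RULES = [
    ("ALLOW", "WWW", None, None),
    ("DENY", "FTP", "192.0.2.0", "255.255.255.0"),  # constructed subnet
    ("ALLOW", "FTP", None, None),
    ("DENY", "ANY", None, None),
]
```

Running `first_match(SHADOWED_RULES, "192.0.2.10", "FTP")` returns ALLOW while `shadowed(SHADOWED_RULES)` reports index 2, showing why the deny rule in the text never takes effect.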
UDP Port    Service
69          TFTP
387         AURP