These rules determine the routing table to be used by traffic and are described in Section 4.3,
“Policy-based Routing”.
•
Authentication Rules
These determine which traffic triggers authentication to take place (source net/interface only)
and are described in Chapter 8, User Authentication.
IP Rules and the Default main IP Rule Set
IP rule sets are the most important of these security policy rule sets. They determine the critical
packet filtering function of NetDefendOS, regulating what is allowed or not allowed to pass through
the NetDefend Firewall, and if necessary, how address translations like NAT are applied. By
default, one NetDefendOS IP rule set always exist and this has the name main.
There are two possible approaches to how traffic traversing the NetDefend Firewall could be dealt
with:
•
Everything is denied unless specifically permitted.
•
Or everything is permitted unless specifically denied.
To provide the best security, the first of these approaches is adopted by NetDefendOS. This means
that when first installed and started, the NetDefendOS has no IP rules defined in the main IP rule set
and all traffic is therefore dropped. In order to permit any traffic to traverse the NetDefend Firewall
(as well as allowing NetDefendOS to respond to ICMP Ping requests), some IP rules must be
defined by the administrator.
Each IP rule that is added by the administrator will define the following basic filtering criteria:
•
From what interface to what interface traffic flows.
•
From what network to what network the traffic flows.
•
What kind of protocol is affected (the service).
•
What action the rule will take when a match on the filter triggers.
Specifying Any Interface or Network
When specifying the filtering criteria in any of the policy rule sets, there are several useful
predefined configuration objects that can be used:
•
For a Source or Destination Network, the all-nets option is equivalent to the IP address 0.0.0.0/0
which will mean that any IP address is acceptable.
•
For Source or Destination Interface, the any option can be used so that NetDefendOS will not
care about the interface which the traffic is going to or coming from.
•
The Destination Interface can be specified as core. This means that traffic, such as an ICMP
Ping, is destined for the NetDefend Firewall itself and NetDefendOS will respond to it.
New connections that are initiated by NetDefendOS itself do not need an explicit IP rule as they
are allowed by default. For this reason, the interface core is not used as the source interface.
Such connections include those needed to connect to the external databases needed for such
features as IDP.
•
The Service can be specified as all_services which includes all possible protocols.
3.5.1. Security Policies
Chapter 3. Fundamentals
122
Summary of Contents for NetDefend DFL-260E
Page 27: ...1 3 NetDefendOS State Engine Packet Flow Chapter 1 NetDefendOS Overview 27...
Page 79: ...2 7 3 Restore to Factory Defaults Chapter 2 Management and Maintenance 79...
Page 146: ...3 9 DNS Chapter 3 Fundamentals 146...
Page 227: ...4 7 5 Advanced Settings for Transparent Mode Chapter 4 Routing 227...
Page 241: ...5 4 IP Pools Chapter 5 DHCP Services 241...
Page 339: ...6 7 Blacklisting Hosts and Networks Chapter 6 Security Mechanisms 339...
Page 360: ...7 4 7 SAT and FwdFast Rules Chapter 7 Address Translation 360...
Page 382: ...8 3 Customizing HTML Pages Chapter 8 User Authentication 382...
Page 386: ...The TLS ALG 9 1 5 The TLS Alternative for VPN Chapter 9 VPN 386...
Page 439: ...Figure 9 3 PPTP Client Usage 9 5 4 PPTP L2TP Clients Chapter 9 VPN 439...
Page 450: ...9 7 6 Specific Symptoms Chapter 9 VPN 450...
Page 488: ...10 4 6 Setting Up SLB_SAT Rules Chapter 10 Traffic Management 488...
Page 503: ...11 6 HA Advanced Settings Chapter 11 High Availability 503...
Page 510: ...12 3 5 Limitations Chapter 12 ZoneDefense 510...
Page 533: ...13 9 Miscellaneous Settings Chapter 13 Advanced Settings 533...