switch which imposes no controls on traffic passing between those networks. Caution should
therefore be exercised before using this feature.
All Traffic Must have Two Associated Routes
Something that is not intuitive when trying to understand routing in NetDefendOS is the fact that all
traffic must have two routes associated with it. Not only must a route be defined for the destination
network of a connection but also for the source network.
The route that defines the source network simply says that the source network is found on a
particular interface. When a new connection is opened, NetDefendOS performs a check known as a
reverse route lookup which looks for this route. The source network route is not used to perform
routing but instead as a check that the source network should be found on the interface where it
arrived. If this check fails, NetDefendOS generates a Default Access Rule error log message.
Even traffic destined for Core (NetDefendOS itself), such as ICMP ping requests must follow this
rule of having two routes associated with it. In this case, the interface of one of the routes is
specified as Core.
4.2.2. Static Routing
This section describes how routing is implemented in NetDefendOS, and how to configure static
routing.
NetDefendOS supports multiple routing tables. A default table called main is predefined and is
always present in NetDefendOS. However, additional and completely separate routing tables can be
defined by the administrator to provide alternate routing.
These user-defined extra routing toubles can be used to implement Policy Based Routing which
means the administrator can set up rules in the IP rule set that decide which of the routing tables will
handle certain types of traffic. (see Section 4.3, “Policy-based Routing”).
The Route Lookup Mechanism
The NetDefendOS route lookup mechanism has some slight differences to how some other router
products work. In many routers, where the IP packets are forwarded without context (in other words,
the forwarding is stateless), the routing table is scanned for each and every IP packet received by the
router. In NetDefendOS, packets are forwarded with state-awareness, so the route lookup process is
tightly integrated into the NetDefendOS stateful inspection mechanism.
When an IP packet is received on any of the interfaces, the connection table is consulted to see if
there is an already open connection for which the received packet belongs. If an existing connection
is found, the connection table entry includes information on where to route the packet so there is no
need for lookups in the routing table. This is far more efficient than traditional routing table
lookups, and is one reason for the high forwarding performance of NetDefendOS.
If an established connection cannot be found, then the routing table is consulted. It is important to
understand that the route lookup is performed before any of the various policy rules get evaluated
(for example, IP rules). Consequently, the destination interface is known at the time NetDefendOS
decides if the connection should be allowed or dropped. This design allows for a more fine-grained
control in security policies.
NetDefendOS Route Notation
NetDefendOS uses a slightly different way of describing routes compared to most other systems but
this way is easier to understand, making errors less likely.
Many other products do not use the specific interface in the routing table, but specify the IP address
of the interface instead. The routing table below is from a Microsoft Windows XP workstation:
4.2.2. Static Routing
Chapter 4. Routing
152
Summary of Contents for NetDefend DFL-260E
Page 27: ...1 3 NetDefendOS State Engine Packet Flow Chapter 1 NetDefendOS Overview 27...
Page 79: ...2 7 3 Restore to Factory Defaults Chapter 2 Management and Maintenance 79...
Page 146: ...3 9 DNS Chapter 3 Fundamentals 146...
Page 227: ...4 7 5 Advanced Settings for Transparent Mode Chapter 4 Routing 227...
Page 241: ...5 4 IP Pools Chapter 5 DHCP Services 241...
Page 339: ...6 7 Blacklisting Hosts and Networks Chapter 6 Security Mechanisms 339...
Page 360: ...7 4 7 SAT and FwdFast Rules Chapter 7 Address Translation 360...
Page 382: ...8 3 Customizing HTML Pages Chapter 8 User Authentication 382...
Page 386: ...The TLS ALG 9 1 5 The TLS Alternative for VPN Chapter 9 VPN 386...
Page 439: ...Figure 9 3 PPTP Client Usage 9 5 4 PPTP L2TP Clients Chapter 9 VPN 439...
Page 450: ...9 7 6 Specific Symptoms Chapter 9 VPN 450...
Page 488: ...10 4 6 Setting Up SLB_SAT Rules Chapter 10 Traffic Management 488...
Page 503: ...11 6 HA Advanced Settings Chapter 11 High Availability 503...
Page 510: ...12 3 5 Limitations Chapter 12 ZoneDefense 510...
Page 533: ...13 9 Miscellaneous Settings Chapter 13 Advanced Settings 533...