Design guidelines, An approach to using filters – Netopia 2200 User Manual

Page 163


Firewall Tutorial

Design guidelines

Careful thought must go into designing a new filter set. You should consider the following
guidelines:

Be sure the filter set’s overall purpose is clear from the beginning. A vague purpose can
lead to a faulty set, and that can actually make your network less secure.

Be sure each individual filter’s purpose is clear.

Determine how filter priority will affect the set’s actions. Test the set (on paper) by
determining how the filters would respond to a number of different hypothetical packets.

Consider the combined effect of the filters. If every filter in a set fails to match a
particular packet, the packet is:

Forwarded if all the filters are configured to discard (not forward)

Discarded if all the filters are configured to forward

Discarded if the set contains a combination of forward and discard filters

In other words, a set built only from forward filters has an implicit discard, and a set
built only from discard filters has an implicit forward. Keep this implicit action in mind
when you test the set on paper: every packet that matches no filter receives it.

An approach to using filters

The ultimate goal of network security is to prevent unauthorized access to the network
without compromising authorized access. Using filter sets is part of reaching that goal.

Each filter set you design will be based on one of the following approaches:

That which is not expressly prohibited is permitted.

That which is not expressly permitted is prohibited.

It is strongly recommended that you take the latter, and safer, approach to all of your filter
set designs. In terms of the rule above, that means building the set from forward filters for
the traffic you intend to allow and letting everything else fall through to the set’s implicit
discard.
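The following is an added example, not code from the Netopia manual, that carries out the paper test described under the design guidelines: it models a filter set, evaluates hypothetical packets against it, and shows both the three unmatched-packet defaults and the two design approaches above. The first-match-by-priority rule and the five-field filter (action, protocol, source, destination, destination port) are assumptions made for the example; the manual only states the outcome for packets that no filter matches. The addresses and packets are constructed sample data.

```python
"""Paper test of a filter set. Added illustration, not Netopia code.

Assumed model (an assumption, not stated in the manual): filters are checked in
priority order and the first filter whose fields all match the packet decides
whether it is forwarded or discarded. Only when no filter matches does the
manual's default rule apply:
    all filters discard -> forward
    all filters forward -> discard
    mixed               -> discard
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                   # "tcp", "udp" or "icmp"
    src: str                     # source IP address
    dst: str                     # destination IP address
    dport: Optional[int] = None  # destination port, None for icmp


@dataclass(frozen=True)
class Filter:
    action: str                  # "forward" or "discard"
    proto: Optional[str] = None  # None matches any protocol
    src: Optional[str] = None    # source network in CIDR form, None matches any
    dst: Optional[str] = None    # destination network in CIDR form, None matches any
    dport: Optional[int] = None  # destination port, None matches any

    def matches(self, pkt: Packet) -> bool:
        """True when every field the filter specifies agrees with the packet."""
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.src is not None and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def default_action(filters):
    """Action for a packet no filter matched, per the manual's three cases."""
    actions = {f.action for f in filters}
    if actions == {"discard"}:
        return "forward"   # all-discard set: unmatched traffic is forwarded
    return "discard"       # all-forward or mixed set: unmatched traffic is discarded


def evaluate(filters, pkt):
    """Return (action, number of the matching filter, or None for the set default)."""
    for number, flt in enumerate(filters, start=1):
        if flt.matches(pkt):
            return flt.action, number
    return default_action(filters), None


# Constructed sample sets; addresses come from the RFC 5737 documentation ranges.
# "Not expressly permitted is prohibited": forward filters only, so anything that
# is not web traffic to the server falls through to the implicit discard.
WEB_SERVER_SET = [
    Filter("forward", proto="tcp", dst="192.0.2.10/32", dport=80),
    Filter("forward", proto="tcp", dst="192.0.2.10/32", dport=443),
]

# "Not expressly prohibited is permitted": discard filters only, so anything that
# is not telnet or RDP falls through to the implicit forward.
PERMISSIVE_SET = [
    Filter("discard", proto="tcp", dport=23),
    Filter("discard", proto="tcp", dport=3389),
]

# Priority pitfall: the broad forward filter sits above the telnet discard, so
# the discard can never match. Reversing the order fixes it.
MIXED_WRONG_ORDER = [
    Filter("forward", proto="tcp", dst="192.0.2.0/24"),
    Filter("discard", proto="tcp", dst="192.0.2.10/32", dport=23),
]
MIXED_RIGHT_ORDER = list(reversed(MIXED_WRONG_ORDER))

# Hypothetical packets for the paper test (constructed).
PACKETS = {
    "https to server": Packet("tcp", "203.0.113.5", "192.0.2.10", 443),
    "telnet to server": Packet("tcp", "203.0.113.5", "192.0.2.10", 23),
    "ssh to server": Packet("tcp", "203.0.113.5", "192.0.2.10", 22),
    "ping to server": Packet("icmp", "203.0.113.5", "192.0.2.10"),
}


def paper_test(filters):
    """Evaluate every hypothetical packet against a set; returns {name: action}."""
    return {name: evaluate(filters, pkt)[0] for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for name, flt_set in [("web server", WEB_SERVER_SET), ("permissive", PERMISSIVE_SET),
                          ("mixed, wrong order", MIXED_WRONG_ORDER),
                          ("mixed, right order", MIXED_RIGHT_ORDER)]:
        print(f"{name}: {paper_test(flt_set)}")
```

Running the paper test shows the point of the recommendation: the forward-only web server set discards telnet, ssh and ping without anyone having written a filter for them, while the discard-only set lets ssh and ping through for the same reason. The mixed set illustrates the priority guideline: with the broad forward filter first, the telnet discard is dead and telnet reaches the server.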
