Semi-private zone firewall templates, Ping, dns – Avaya 3.7 User Manual


Issue 4 May 2005


Semi-private zone firewall templates

A semi-private network interface connects to a network whose equipment can be made
physically secure, but whose transmission medium is vulnerable to attack (for example, a wireless
network used within a corporation's Private network infrastructure).

Because wireless connections cannot be easily controlled, a strict firewall policy should be
enforced on the semi-private interface, limiting access from the semi-private zone to VPN
traffic. Clear (non-VPN) traffic to the Private and Management zones is not allowed. Common
services to the DMZ are allowed, and clear traffic to the Public zone is allowed.

The semi-private high security rules are enforced for both incoming and outgoing packets as
follows.

Incoming traffic to the semi-private zone allowed includes:

- VPN traffic. The VPN tunnel endpoints can be a semi-private IP or a Public IP.
- Ping and DNS
- ICMP unreachable packets

The following clear traffic is allowed:

- The source is semi-private and the destination is the DMZ servers, for the following common
  services: PING, FTP control, Passive Data FTP, SSH, Telnet, HTTP, HTTPS, POP3, IMAP,
  SMTP, and NNTP.
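As an added illustration (not Avaya code or configuration), the following Python model expresses the semi-private high security policy above as an ordered, first-match rule set and evaluates sample packets against it; zone and service labels such as "semi-private", "ike", "esp" and "icmp-unreachable" are constructed for the model, and direction is expressed through source/destination zone pairs rather than an interface In/Out flag.

```python
from dataclasses import dataclass
from typing import Optional, FrozenSet, Tuple

# Service labels are constructed for this model; DMZ_COMMON is the list of
# common services the policy permits from semi-private to the DMZ servers.
DMZ_COMMON = frozenset({"ping", "ftp-control", "ftp-passive-data", "ssh", "telnet",
                        "http", "https", "pop3", "imap", "smtp", "nntp"})
VPN = frozenset({"ike", "esp"})   # assumed labels for VPN tunnel traffic
ANY = None                        # None in a rule field means "Any"

@dataclass(frozen=True)
class Packet:
    src_zone: str   # "semi-private", "dmz", "private", "management" or "public"
    dst_zone: str
    service: str    # constructed service label, e.g. "https"

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                   # "permit" or "deny"
    src: Optional[str] = ANY
    dst: Optional[str] = ANY
    services: Optional[FrozenSet[str]] = ANY

    def matches(self, p: Packet) -> bool:
        return (self.src in (ANY, p.src_zone)
                and self.dst in (ANY, p.dst_zone)
                and (self.services is ANY or p.service in self.services))

# First-match order mirrors the policy text: VPN first (either endpoint), then the
# inbound exceptions, then the clear-traffic denies, then the permitted clear traffic.
SEMI_PRIVATE_HIGH = (
    Rule("SemiPrivateVPN", "permit", services=VPN),
    Rule("InSemiPrivatePingDns", "permit", dst="semi-private", services=frozenset({"ping", "dns"})),
    Rule("InSemiPrivateIcmpUnreach", "permit", dst="semi-private", services=frozenset({"icmp-unreachable"})),
    Rule("SemiPrivateDenyClearToPrivate", "deny", src="semi-private", dst="private"),
    Rule("SemiPrivateDenyClearToMgmt", "deny", src="semi-private", dst="management"),
    Rule("SemiPrivateToDmzCommon", "permit", src="semi-private", dst="dmz", services=DMZ_COMMON),
    Rule("SemiPrivateToPublicClear", "permit", src="semi-private", dst="public"),
)

def evaluate(p: Packet, rules=SEMI_PRIVATE_HIGH) -> Tuple[str, str]:
    """Return (action, rule_name) of the first matching rule; unmatched traffic is denied."""
    for r in rules:
        if r.matches(p):
            return r.action, r.name
    return "deny", "ImplicitDeny"

if __name__ == "__main__":
    for pkt in (Packet("semi-private", "private", "https"),  # clear to Private: denied
                Packet("semi-private", "private", "esp"),    # same path inside the VPN: permitted
                Packet("semi-private", "dmz", "https"),      # common DMZ service: permitted
                Packet("semi-private", "dmz", "rdp")):       # not a listed service: implicit deny
        print(pkt, "->", evaluate(pkt))
```

The second and first sample packets show why rule order matters: the same semi-private to Private path is denied in the clear but permitted inside the VPN tunnel.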

Table 36: Private low security firewall rules

| Rule Name                 | Action | Source | Destination   | Service | Direction | Zone    | Keep State | Description                                          |
|---------------------------|--------|--------|---------------|---------|-----------|---------|------------|------------------------------------------------------|
| InBoundPrivateDenyAccess  | Deny   | Any    | ManagementNet | Any     | In        | Private | No         | Traffic to ManagementNet is denied.                  |
| InBoundPrivatePermitAll   | Permit | Any    | Any           | Any     | In        | Private | Yes        | Permit WI/VMGR and VPN, clear traffic to PUBLIC      |
| OutBoundPrivateDenyAccess | Deny   | DMZNet | Any           | Any     | Out       | Private | No         | Deny traffic from DMZNet and SemiPrivateNet          |
| OutBoundPrivateDenyAll    | Permit | Any    | Any           | Any     | Out       | Private | Yes        | Permit incoming VPN                                  |
