D-Link DFL-210-WCF-12 Product Manual - Page 237
Chapter 6. Security Mechanisms

This chapter describes NetDefendOS security features.

• Access Rules, page 237
• ALGs, page 240
• Web Content Filtering, page 292
• Anti-Virus Scanning, page 309
• Intrusion Detection and Prevention, page 315
• Denial-of-Service Attack Prevention, page 326
• Blacklisting Hosts and Networks, page 331

6.1. Access Rules

6.1.1. Overview

One of the principal functions of NetDefendOS is to allow only authorized connections access to protected data resources. Access control is primarily addressed by the NetDefendOS IP rule set in which a range of protected LAN addresses are treated as trusted hosts, and traffic flow from untrusted sources is restricted from entering trusted areas.

Before a new connection is checked against the IP rule set, NetDefendOS checks the connection source against a set of Access Rules. Access Rules can be used to specify what traffic source is expected on a given interface and also to automatically drop traffic originating from specific sources. Access Rules provide an efficient and targeted initial filter of new connection attempts.

The Default Access Rule

Even if the administrator does not explicitly specify any custom Access Rules, an access rule known as the Default Access Rule is always in place.

This default rule is not really a true rule but operates by checking the validity of incoming traffic by performing a reverse lookup in the NetDefendOS routing tables. This lookup validates that the incoming traffic is coming from a source that the routing tables indicate is accessible via the interface on which the traffic arrived. If this reverse lookup fails then the connection is dropped and a Default Access Rule log message will be generated.

When troubleshooting dropped connections, the administrator should look out for Default Access Rule messages in the logs. The solution to the problem is to create a route for the interface where the connection arrives so that the route's destination network is the same as or contains the incoming connection's source IP.

Custom Access Rules are Optional

For most configurations the Default Access Rule is sufficient and the administrator does not need to explicitly specify other rules. The default rule can, for instance, protect against IP spoofing, which is described in the next section. If Access Rules are explicitly specified, then the Default Access Rule is still applied if a new connection does not match any of the custom Access Rules.

The recommendation is to initially configure NetDefendOS without any custom Access Rules and add them if there is a requirement for stricter checking on new connections.
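
The checks described above, modelled as an added Python example (not D-Link code and not part of the manual): custom Access Rules are consulted first, and the Default Access Rule's reverse route lookup applies when none match. The interface names, addresses, rule action names and the longest-prefix-match route selection are assumptions made for illustration.

```python
import ipaddress

# Constructed sample routing table: (destination network, interface).
ROUTES = [("192.168.1.0/24", "lan"), ("10.0.0.0/8", "dmz"), ("0.0.0.0/0", "wan")]

# Constructed custom Access Rules: (interface, source network, action).
# The action names "accept" and "drop" are illustrative assumptions.
CUSTOM_RULES = [("wan", "203.0.113.0/24", "drop")]


def reverse_lookup(src, routes):
    """Return the interface of the most specific route containing src, or None.

    Assumption: longest-prefix match decides; route metrics are ignored.
    """
    addr = ipaddress.ip_address(src)
    best = None
    for net, iface in routes:
        network = ipaddress.ip_network(net)
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, iface)
    return best[1] if best else None


def check_new_connection(src, iface, routes=ROUTES, rules=CUSTOM_RULES):
    """Return (verdict, deciding rule) for a new connection arriving on iface."""
    addr = ipaddress.ip_address(src)
    for rule_iface, net, action in rules:  # custom rules are consulted first
        if rule_iface == iface and addr in ipaddress.ip_network(net):
            return action, "custom access rule"
    # No custom rule matched, so the default rule's reverse lookup still applies.
    if reverse_lookup(src, routes) == iface:
        return "accept", "default access rule"
    return "drop", "default access rule"


if __name__ == "__main__":
    cases = [("192.168.1.20", "lan"),   # genuine LAN host
             ("192.168.1.20", "wan"),   # LAN address claimed from the WAN side
             ("203.0.113.9", "wan"),    # source covered by the custom drop rule
             ("172.16.5.9", "dmz")]     # no dmz route contains this source
    for src, iface in cases:
        print(src, iface, check_new_connection(src, iface))
    # Troubleshooting fix from the text: add a route on the arrival interface
    # whose destination network contains the source address.
    fixed = ROUTES + [("172.16.0.0/16", "dmz")]
    print("after adding route:", check_new_connection("172.16.5.9", "dmz", routes=fixed))
```

The second case shows why the reverse lookup counters spoofing: a LAN source address arriving on the WAN interface resolves to the LAN route and is dropped.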