D-Link DFL-260E User Manual for DFL-260E - Page 20
1.2. NetDefendOS Architecture

1.2.1. State-based Architecture

The NetDefendOS architecture is centered around the concept of state-based connections. Traditional IP routers or switches commonly inspect each packet in isolation and make forwarding decisions based only on information found in the packet headers. With this approach, packets are forwarded without any sense of context, which makes it impossible to detect and analyze complex protocols or to enforce the corresponding security policies.

Stateful Inspection

NetDefendOS employs a technique called stateful inspection, which means that it inspects and forwards traffic on a per-connection basis. NetDefendOS detects when a new connection is being established and keeps a small piece of information, or state, in its state table for the lifetime of that connection. Subsequent packets belonging to the connection, including its return traffic, are matched against this state. By doing this, NetDefendOS is able to understand the context of the network traffic, which enables it to perform in-depth traffic scanning, apply bandwidth management and a variety of other functions. The stateful inspection approach also provides high throughput and a design that scales well.

The NetDefendOS subsystem that implements stateful inspection is sometimes referred to in the documentation as the NetDefendOS state-engine.

1.2.2. NetDefendOS Building Blocks

The basic building blocks in NetDefendOS are interfaces, logical objects and various types of rules (or rule sets).

Interfaces

Interfaces are the doorways through which network traffic enters or leaves the NetDefend Firewall. Without interfaces, a NetDefendOS system has no means of receiving or sending traffic. The following types of interface are supported in NetDefendOS:

• Physical interfaces - These correspond to the actual physical Ethernet interfaces.

• Sub-interfaces - These include VLAN and PPPoE interfaces.

• Tunnel interfaces - Used for receiving and sending traffic through VPN tunnels.

Interface Symmetry

The NetDefendOS interface design is symmetric, meaning that the interfaces of the device are not fixed as being on the "insecure outside" or "secure inside" of a network topology. The notion of what is inside and outside is entirely for the administrator to define.

Logical Objects

Logical objects can be seen as predefined building blocks for use by the rule sets. The address book, for instance, contains named objects representing host and network addresses. Another example of logical objects are services, which represent specific protocol and port combinations. Also important are the Application Layer Gateway (ALG) objects, which are used to define additional parameters for specific protocols such as HTTP, FTP, SMTP and H.323.
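The following is an added example, not code from the D-Link manual or from NetDefendOS itself. It is a minimal Python model of the state engine described in 1.2.1 and of the building blocks listed in 1.2.2: rules are composed from named address-book and service objects and bound to administrator-named interfaces, the rule set is evaluated only for the first packet of a connection, and a state-table entry keyed on the connection's 5-tuple then carries the rest of the connection in both directions. The interface names, addresses, rules and packets are constructed sample data; the decision strings, the simplified routing table and the requirement that a new TCP connection begin with a SYN are assumptions of this example, not a description of NetDefendOS internals.

```python
"""Toy stateful inspection engine (illustration only, not NetDefendOS code).

Logical objects (address book, services) -> rules bound to interfaces ->
state table consulted before the rule set for every packet.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Logical objects: named addresses and services (constructed sample data).
ADDRESS_BOOK = {
    "lan_net": ip_network("192.168.1.0/24"),
    "web_srv": ip_network("203.0.113.10/32"),
    "all_nets": ip_network("0.0.0.0/0"),
}
SERVICES = {              # name -> (protocol, destination port); None = any port
    "http": ("tcp", 80),
    "dns": ("udp", 53),
    "all_services": ("any", None),
}

# Interfaces are symmetric: "lan" and "wan" are just administrator-chosen names.
# Simplified routing table used to pick the egress interface (assumption).
ROUTES = [
    (ip_network("192.168.1.0/24"), "lan"),
    (ip_network("0.0.0.0/0"), "wan"),
]


def route(dst: str) -> str:
    """Longest-prefix match of the destination against ROUTES."""
    addr = ip_address(dst)
    matches = [(net, iface) for net, iface in ROUTES if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


@dataclass(frozen=True)
class Packet:
    iface: str            # interface the packet arrived on
    proto: str            # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False     # TCP only: True for the connection-opening segment


@dataclass
class Rule:
    name: str
    action: str           # "allow" or "drop"
    src_if: str
    src_net: str          # address-book name
    dst_if: str
    dst_net: str          # address-book name
    service: str          # service name


def rule_matches(rule: Rule, pkt: Packet, dst_if: str) -> bool:
    proto, port = SERVICES[rule.service]
    return (rule.src_if == pkt.iface
            and rule.dst_if == dst_if
            and ip_address(pkt.src) in ADDRESS_BOOK[rule.src_net]
            and ip_address(pkt.dst) in ADDRESS_BOOK[rule.dst_net]
            and proto in ("any", pkt.proto)
            and port in (None, pkt.dport))


class StateEngine:
    def __init__(self, rules):
        self.rules = rules
        self.state = {}           # 5-tuple of the opening packet -> packets seen
        self.rule_evaluations = 0  # how often the rule set was consulted

    def process(self, pkt: Packet) -> str:
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # 1. Existing connection (either direction): forward on state, no rule lookup.
        for k in (key, reverse):
            if k in self.state:
                self.state[k] += 1
                return "FORWARD_STATE"
        # 2. A TCP segment that is not a SYN and has no state is out of context.
        if pkt.proto == "tcp" and not pkt.syn:
            return "DROP_STATE_VIOLATION"
        # 3. New connection: first matching rule decides; default is drop.
        self.rule_evaluations += 1
        dst_if = route(pkt.dst)
        for rule in self.rules:
            if rule_matches(rule, pkt, dst_if):
                if rule.action == "allow":
                    self.state[key] = 1
                    return "ALLOW_NEW"
                return "DROP_RULE"
        return "DROP_NO_RULE"


RULES = [
    Rule("lan_to_web", "allow", "lan", "lan_net", "wan", "web_srv", "http"),
    Rule("lan_dns", "allow", "lan", "lan_net", "wan", "all_nets", "dns"),
]


def demo():
    """Run a constructed packet sequence; return (decisions, engine)."""
    eng = StateEngine(RULES)
    packets = [
        Packet("lan", "tcp", "192.168.1.5", "203.0.113.10", 40000, 80, syn=True),
        Packet("wan", "tcp", "203.0.113.10", "192.168.1.5", 80, 40000),   # reply
        Packet("lan", "tcp", "192.168.1.5", "203.0.113.10", 40000, 80),   # follow-up
        Packet("wan", "tcp", "198.51.100.7", "192.168.1.5", 1234, 22, syn=True),
        Packet("lan", "tcp", "192.168.1.5", "203.0.113.10", 40002, 80),   # ACK, no SYN
        Packet("lan", "udp", "192.168.1.5", "198.51.100.53", 5353, 53),
        Packet("wan", "udp", "198.51.100.53", "192.168.1.5", 53, 5353),  # DNS reply
    ]
    return [eng.process(p) for p in packets], eng


if __name__ == "__main__":
    decisions, eng = demo()
    for d in decisions:
        print(d)
    print("rule evaluations:", eng.rule_evaluations, "connections:", len(eng.state))
```

Three things in the run illustrate the text. No rule permits traffic from "wan" to "lan", yet the HTTP and DNS replies are forwarded because they match an existing state entry; the rule set is consulted three times for seven packets, once per new connection; and the TCP segment that arrives without a SYN and without state is dropped before any rule is examined, even though a SYN from the same host to the same service would have been allowed. The "lan" and "wan" names carry no built-in inside/outside meaning; only the rules give them one.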