Filter
Top Products
156 Chapter 10 Firewalls
N0115790
• Restrict use of certain protocols, such as Telnet, to authorized users on the
LAN.
These custom rules work by evaluating the network traffic source IP address,
destination IP address, IP protocol type, and comparing these to rules set by the
administrator.
Below is a brief technical description of how these connections are tracked.
Connections can either be defined by the upper protocols (for instance, TCP), or
by the BCM50a Integrated Router itself (as with the virtual connections created
for UDP and ICMP).
TCP security
The BCM50a Integrated Router uses state information embedded in TCP packets.
The first packet of any new connection has its SYN flag set and its ACK flag
cleared; these are initiation packets. All packets that do not have this flag structure
are called subsequent packets, since they represent data that occurs later in the
TCP stream.
If an initiation packet originates on the WAN, someone is trying to make a
connection from the Internet into the LAN. Except in a few special cases, (see
“Upper layer protocols” on page 157), these packets are dropped and logged.
If an initiation packet originates on the LAN, someone is trying to make a
connection from the LAN to the Internet. Assuming that this is an acceptable part
of the security policy (as is the case with the default policy), the connection is
allowed. A cache entry is added, which includes connection information such as
IP addresses, TCP ports, and sequence numbers.
Note: The ability to define firewall rules is a very powerful tool. Using
custom rules, it is possible to disable all firewall protection or block all
access to the Internet. Use extreme caution when creating or deleting
firewall rules. Test changes after creating them to make sure they work
correctly.