Security 7-15
Design guidelines
Careful thought should go into designing a new filter set. You should
consider the following guidelines:
■ Be sure the filter set’s overall purpose is clear from the
beginning. A vague purpose can lead to a faulty set, and that
can actually make your network less secure.
■ Be sure each individual filter’s purpose is clear.
■ Determine how filter priority will affect the set’s actions. Test
the set (on paper) by determining how the filters would respond
to a number of different hypothetical packets.
■ Consider the combined effect of the filters. If every filter in a
set fails to match on a particular packet, the packet is:
■ passed if all the filters are configured to discard (not forward).
■ discarded if all the filters are configured to pass (forward).
■ discarded if the set contains a combination of pass and
discard filters.
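The following is an added example, not code from the manual or the router's own software. It turns the "test the set on paper" guideline and the no-match rule above into a small simulator: filters are checked in list order (assumed here to model priority, highest first), the first match decides the packet's fate, and when nothing matches the disposition follows the three cases stated above. The filter names, match fields and sample packets are constructed for illustration.

```python
"""Paper-test a filter set using the no-match rule stated in this section."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

PASS, DISCARD = "pass", "discard"


@dataclass(frozen=True)
class Packet:
    # A hypothetical packet, reduced to the fields the filters inspect.
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Filter:
    # One filter: match criteria (None = wildcard) plus a pass/discard action.
    # The field set is an assumption for this example, not the router's syntax.
    name: str
    action: str
    src: Optional[str] = None  # CIDR prefix, e.g. "10.0.0.0/8"
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.src and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dst and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.proto and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


def no_match_default(filters: List[Filter]) -> str:
    """Disposition when no filter matches, as the manual states it."""
    actions = {f.action for f in filters}
    if actions == {DISCARD}:
        return PASS      # all filters discard -> unmatched packet is passed
    return DISCARD       # all pass, or a mix of pass/discard -> discarded


def evaluate(filters: List[Filter], pkt: Packet) -> Tuple[str, str]:
    """Check filters in priority (list) order; the first match wins."""
    for f in filters:
        if f.matches(pkt):
            return f.action, f.name
    return no_match_default(filters), "(no match)"


def paper_test(filters: List[Filter], packets: List[Packet]) -> List[Tuple[str, str]]:
    """Run a set of hypothetical packets through the set, one result per packet."""
    return [evaluate(filters, p) for p in packets]


# Constructed sample filter sets.
DISCARD_ONLY = [Filter("block-telnet", DISCARD, proto="tcp", dport=23)]
PASS_ONLY = [Filter("allow-web", PASS, proto="tcp", dport=80)]
MIXED = DISCARD_ONLY + PASS_ONLY

# Constructed hypothetical packets for the paper test.
TELNET = Packet("10.1.1.5", "192.0.2.10", "tcp", 23)
WEB = Packet("10.1.1.5", "192.0.2.10", "tcp", 80)
DNS = Packet("10.1.1.5", "192.0.2.53", "udp", 53)

if __name__ == "__main__":
    for label, fs in (("discard-only", DISCARD_ONLY), ("pass-only", PASS_ONLY), ("mixed", MIXED)):
        for pkt, (verdict, why) in zip((TELNET, WEB, DNS), paper_test(fs, [TELNET, WEB, DNS])):
            print(f"{label:12} {pkt.proto}/{pkt.dport}: {verdict} via {why}")
```

Running the three sets against the same DNS packet shows the interaction the guidelines warn about: the discard-only set passes unmatched DNS traffic, but adding a single pass filter (allow-web) changes the set to mixed, and the same DNS packet is now discarded without any filter having matched it. Checking each hypothetical packet against the whole set, not just the filter you added, is what the "test on paper" step is for.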
Disadvantages of filters
Although using filter sets can greatly enhance network security,
there are disadvantages:
■ Filters are complex. Combining them in filter sets introduces
subtle interactions, increasing the likelihood of implementation
errors.
■ Enabling a large number of filters can have a negative impact
on performance. Processing of packets will take longer if they
have to go through many checkpoints.