Packet Firewalling - THOMSON Speedtouch 600 Series Orientation Manual

4.3 Packet Firewalling

E-SIT-CTC-20030306-0004 v2.0

Introduction

A firewall is a security gateway that controls access between a private LAN domain, often referred to as an Intranet (even if it consists of a single computer), and the public Internet. It secures the entry points to the network in such a way that only authorized traffic is allowed through. Therefore, to effectively control the flow of data, firewall protection should be placed at each point where the network connects to the WAN. At least one such point, and most probably the most important connection point to the WAN, is the SpeedTouch™610.

SpeedTouch™610 packet firewall

The SpeedTouch™610 packet firewall is a set of related programs that protects the resources of your local network from users on other networks. Basically, a firewall examines each network packet to determine whether or not to forward it towards its destination. In most cases firewalls work closely together with a forwarding or proxy server that makes network requests on behalf of your local network users. In the case of the SpeedTouch™610 firewall, the SpeedTouch™610 DSL router acts as both the network gateway and the proxy server that contacts the outside world via the DSL line.

How the packet firewall works

The SpeedTouch™610 is in fact a packet firewall: inside and outside nodes are visible to each other at the IP layer, but the firewall filters out, i.e. blocks the passage of, certain packets based on their header information.

The packets are intercepted at certain Packet Interception Points (PIPs), called hooks, in the SpeedTouch™610 IP router. At these points they are matched against a chain, which comprises a hierarchical set of rules (at least one). These rules determine the type of control applied to the packets.

Incoming and outgoing traffic is validated by comparing certain values in the packets with the configured firewall parameters. The parameters in a rule (see the CLI command ":firewall rule help create" for a full parameter description) can be divided according to the protocol layer to which they belong: a first group validates traffic at the interface level, a second group at the IP level, and a third group at the protocol level.

SpeedTouch™610 hooks and PIP flows

The following hooks are defined in the SpeedTouch™610:

Input
The point through which all incoming traffic passes, i.e. at this point it can be determined whether a packet is allowed to reach the SpeedTouch™610 IP router or the local IP host.

Sink
The point through which all traffic destined for the SpeedTouch™610 IP router itself passes, i.e. at this point it can be determined whether a packet is allowed to address the local IP host.

Forward
The point through which all traffic to be forwarded through the SpeedTouch™610 passes, i.e. at this point it can be determined whether a packet is allowed to be handled (i.e. routed) by the local IP host.
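The following Python model of the hook-and-chain processing described above is an added example and is not SpeedTouch firmware or CLI code. It assumes first-match semantics within a chain, a default of drop when no rule in a chain matches, and that a packet accepted at the input hook then goes to the sink hook if addressed to the router itself or to the forward hook otherwise; the chains, addresses and packets are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional
@dataclass
class Packet:
    iface: str                  # interface the packet arrived on: "lan" or "wan"
    src: str
    dst: str
    proto: str                  # "tcp", "udp", "icmp"
    dport: Optional[int] = None

@dataclass
class Rule:
    action: str                      # "accept" or "drop"
    iface: Optional[str] = None      # interface-level parameter
    src: Optional[str] = None        # IP-level parameters (CIDR notation)
    dst: Optional[str] = None
    proto: Optional[str] = None      # protocol-level parameters
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        """A rule matches only if every parameter it sets agrees with the packet."""
        return ((self.iface is None or self.iface == p.iface)
                and (self.src is None or ip_address(p.src) in ip_network(self.src))
                and (self.dst is None or ip_address(p.dst) in ip_network(self.dst))
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))

ROUTER_ADDRS = {"192.168.1.254"}   # constructed: the router's own LAN address

def run_chain(chain: list, p: Packet, default: str = "drop") -> str:
    """Walk the chain top-down; the first matching rule decides (assumed semantics)."""
    for rule in chain:
        if rule.matches(p):
            return rule.action
    return default            # assumed: an unmatched packet is dropped

def process(hooks: dict, p: Packet) -> str:
    """Dispatch one packet through the input, sink and forward hooks."""
    if run_chain(hooks["input"], p) == "drop":     # every packet enters at input
        return "drop@input"
    hook = "sink" if p.dst in ROUTER_ADDRS else "forward"   # local host or routed
    return f"{run_chain(hooks[hook], p)}@{hook}"

# Constructed chains: anti-spoofing at input, router web UI from the LAN only at sink, LAN-originated traffic only at forward.
HOOKS = {
    "input":   [Rule("drop", iface="wan", src="192.168.1.0/24"), Rule("accept")],
    "sink":    [Rule("accept", iface="lan", proto="tcp", dport=80)],
    "forward": [Rule("accept", iface="lan")],
}
```

Calling process(HOOKS, packet) returns the verdict and the hook at which it was reached, e.g. "drop@input" for a WAN packet carrying a LAN source address.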
4 SpeedTouch™610 Advanced Concepts
65