Security Mechanisms; Access Rules; Overview - D-Link DFL-1660 User Manual

Chapter 6. Security Mechanisms
This chapter describes NetDefendOS security features.
• Access Rules, page 269
• ALGs, page 272
• Web Content Filtering, page 325
• Anti-Virus Scanning, page 343
• Intrusion Detection and Prevention, page 349
• Denial-of-Service Attack Prevention, page 361
• Blacklisting Hosts and Networks, page 366

6.1. Access Rules

6.1.1. Overview

One of the principal functions of NetDefendOS is to allow only authorized connections access to
protected data resources. Access control is primarily addressed by the NetDefendOS IP rule set in
which a range of protected LAN addresses are treated as trusted hosts, and traffic flow from
untrusted sources is restricted from entering trusted areas.
Before a new connection is checked against the IP rule set, NetDefendOS checks the connection
source against a set of Access Rules. Access Rules can be used to specify what traffic source is
expected on a given interface and also to automatically drop traffic originating from specific
sources. AccessRules provide an efficient and targeted initial filter of new connection attempts.
The Default Access Rule
Even if the administrator does not explicitly specify any custom Access Rules, an access rule is
always in place which is known as the Default Access Rule.
This default rule is not really a true rule but operates by checking the validity of incoming traffic by
performing a reverse lookup in the NetDefendOS routing tables. This lookup validates that the
incoming traffic is coming from a source that the routing tables indicate is accessible via the
interface on which the traffic arrived. If this reverse lookup fails then the connection is dropped and
a Default Access Rule log message will be generated.
When troubleshooting dropped connections, the administrator should look out for Default Access
Rule messages in the logs. The solution to the problem is to create a route for the interface where the
connection arrives so that the route's destination network is the same as or contains the incoming
connection's source IP.
Custom Access Rules are Optional
For most configurations the Default Access Rule is sufficient and the administrator does not need to
explicitly specify other rules. The default rule can, for instance, protect against IP spoofing, which is
described in the next section. If Access Rules are explicitly specified, then the Default Access Rule
is still applied if a new connection does not match any of the custom Access Rules.
The recommendation is to initially configure NetDefendOS without any custom Access Rules and
269