The Ip Rule-Set; Overview; Rule Evaluation - D-Link NetDefend DFL-210 User Manual

Network security firewall ver. 1.05

3.5. The IP Rule-Set

3.5.1. Overview

Security policies designed by the administrator regulate the way in which network applications are protected against abuse and inappropriate use. NetDefendOS provides an array of mechanisms and logical constructs to help with the building of such policies for attack prevention, privacy protection, identification, and access control.

The IP Rule-set is at the heart of creating NetDefendOS security policies. The IP Rule-set determines the essential filtering functions of NetDefendOS, regulating what is allowed or not allowed to pass through the D-Link Firewall, and how address translation, bandwidth management and traffic shaping are applied to the traffic flow.

Once logical constructs such as Application Layer Gateways are created, they won't have any effect on traffic flow until they are used somewhere in the IP Rule-set. Understanding how to define the IP Rule-set is crucial to understanding how to create overall security policies. A good understanding is also important since ambiguous or faulty IP rules can lead to breaches in security.

There are two essential stances which describe the underlying philosophy of the IP Rule-set and NetDefendOS security policies in general:

Everything is denied unless specifically permitted
Everything is permitted unless specifically denied

In order to provide the highest possible security, Drop is the default policy of the IP Rule-set (everything is denied). The default of dropping packets can be achieved without an explicit IP rule that does this. For logging purposes however, it is recommended that the IP Rule-set has a DropAll rule with logging enabled placed as the last rule in the rule-set.

3.5.2. Rule Evaluation

When a new TCP/IP connection is being established through the D-Link Firewall, the list of IP rules is evaluated from top to bottom until a rule that matches the parameters of that new connection is found. Those parameters include, amongst others, the source IP address and the destination IP address plus the source interface and the destination interface. The rule's Action is then carried out by NetDefendOS.

If the action is Allow then the establishment of the new connection will be permitted. Furthermore, an entry or "state" representing that new connection is added to NetDefendOS's internal "state table", which allows monitoring of opened and active connections passing through the firewall. If, instead, the action is Drop, the new connection will be refused.

The First Matching Principle

If several rules match the connection's parameters, the first matching rule in the scan from top to bottom of the list is the rule that decides what will happen with the connection (the exception to this being SAT rules). Because of this, a broad rule placed above a more specific one will shadow it, so rule order is as important as rule content.

After initial rule evaluation of the opening connection, subsequent packets belonging to a connection will not need to be evaluated individually against the rule-set. Instead, a highly efficient algorithm searches the state table for each packet to determine if it belongs to an established connection. This approach is known as "stateful inspection" and is applied not only to stateful protocols such as TCP connections, but also, by means of "pseudo-connections", to stateless protocols such as UDP and ICMP. This approach means that evaluation against the IP rule-set is only done in the initial opening phase of a connection. The size of the IP rule-set consequently has negligible effect on overall performance.
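As an added illustration that is not part of the D-Link manual, the following Python model shows the evaluation behaviour described above: first match from top to bottom, an implicit Drop when no rule matches, a logging DropAll as the last rule, and a state table that is consulted before the rule-set for every later packet (including UDP/ICMP pseudo-connections). The rule fields, interface names and addresses are constructed for the example, not taken from NetDefendOS.

```python
# Added example: a minimal model of NetDefendOS-style IP Rule-set evaluation.
# Rule fields, interface names and addresses below are constructed, not real config.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    name: str
    action: str       # "Allow" or "Drop"
    src_if: str       # source interface, "any" matches all
    dst_if: str       # destination interface, "any" matches all
    src_net: str      # source network in CIDR notation
    dst_net: str      # destination network in CIDR notation
    service: str      # e.g. "tcp/80", "udp/53", or "all"
    log: bool = False

    def matches(self, conn):
        src_if, dst_if, src_ip, dst_ip, service = conn
        return (self.src_if in (src_if, "any") and self.dst_if in (dst_if, "any")
                and ip_address(src_ip) in ip_network(self.src_net)
                and ip_address(dst_ip) in ip_network(self.dst_net)
                and self.service in (service, "all"))

class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.state_table = set()   # opened connections, including UDP/ICMP pseudo-connections
        self.log = []              # entries written by rules that have logging enabled

    def evaluate(self, conn):
        """Rule-set scan for a NEW connection: the first matching rule decides."""
        for rule in self.rules:
            if rule.matches(conn):
                if rule.log:
                    self.log.append(f"{rule.name}: {rule.action} {conn}")
                return rule.action
        return "Drop"              # implicit default policy: nothing matched

    def packet(self, conn):
        """Per-packet path: state table first; the rule-set only sees the opening packet."""
        if conn in self.state_table:
            return "Allow (state table)"
        action = self.evaluate(conn)
        if action == "Allow":
            self.state_table.add(conn)
        return action

def example_ruleset():
    """Constructed rule-set: allow LAN web browsing, log-and-drop everything else."""
    return Firewall([
        Rule("allow_http", "Allow", "lan", "wan", "192.168.1.0/24", "0.0.0.0/0", "tcp/80"),
        Rule("drop_all", "Drop", "any", "any", "0.0.0.0/0", "0.0.0.0/0", "all", log=True),
    ])
```

Swapping the two rules in `example_ruleset()` makes `drop_all` shadow `allow_http`, which is the ordering mistake the First Matching Principle warns about.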
Chapter 3. Fundamentals
