Netdefendos Architecture; State-Based Architecture; Netdefendos Building Blocks; Basic Packet Flow - D-Link NetDefend DFL-210 User Manual

Network security firewall ver. 1.05
1.2. NetDefendOS Architecture

1.2.1. State-based Architecture

The NetDefendOS architecture is centered around the concept of state-based connections. Traditional IP routers or switches commonly inspect all packets and then make forwarding decisions based on information found in the packet headers. With this approach, packets are forwarded without any sense of context, which eliminates any possibility of detecting and analyzing complex protocols and enforcing corresponding security policies.

A NetDefendOS device, on the contrary, inspects and forwards traffic on a per-connection basis. In other words, NetDefendOS is able to detect when a new connection is being established, and then keeps a small piece of information, a "state", for the entire lifetime of that connection. By doing this, NetDefendOS is able to understand the context of the network traffic, which enables the device to perform in-depth traffic scanning, apply bandwidth management and much more. In addition, this approach provides high throughput performance with the added advantage of a design that is highly scalable.

1.2.2. NetDefendOS Building Blocks

The basic building blocks in NetDefendOS are interfaces, logical objects and various types of rules (or rule-sets).

Interfaces are the doorways for network traffic passing through, to or from the system. Without interfaces, a NetDefendOS system has no means of receiving or sending traffic. Several types of interfaces are supported: Physical Interfaces, Physical Sub-Interfaces and Tunnel Interfaces. Physical interfaces correspond to actual physical Ethernet ports; physical sub-interfaces include VLAN and PPPoE interfaces, while tunnel interfaces are used for receiving and sending traffic in VPN tunnels. The NetDefendOS interface design is symmetric, meaning that the interfaces of the device are not fixed as being on the "insecure outside" or "secure inside" of a network topology. The notion of what is inside and outside is entirely for the administrator to define.

Logical objects can be seen as pre-defined building blocks for use by the rule-sets. The address book, for instance, contains named objects representing host and network addresses. Another example of logical objects are services, representing specific protocol and port combinations. Other important objects are the Application Layer Gateway (ALG) objects, used for defining additional parameters on specific protocols such as HTTP, FTP, SMTP and H.323.

Finally, the various rule-sets are used for actually implementing the policies in the system. The most fundamental rule-set is the IP Rules, which is used to define the layer 3 IP filtering policy as well as to carry out address translation and server load balancing. The Traffic Shaping Rules define the policy for bandwidth management, the IPS Rules control the behavior of the intrusion prevention engine, and so forth.

1.2.3. Basic Packet Flow

This section outlines the basic flow for packets received and forwarded by a NetDefendOS device. Please note that this description is simplified to ease understanding and might not be fully applicable in all scenarios. The basic principle, however, is still valid in all applications.

1. An Ethernet frame is received on one of the Ethernet interfaces in the system. Basic Ethernet frame validation is performed and the packet is dropped if the frame is invalid.

2. The packet is associated with a Source Interface. The source interface is determined as follows: if the Ethernet frame contains a VLAN ID (Virtual LAN identifier), the system checks for a configured VLAN interface with a corresponding VLAN ID. If one is found, that VLAN interface becomes the source interface for the packet. If no matching interface is found, the packet is dropped and the event is logged.
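The two steps above, worked through as an added example (not code from the manual or from NetDefendOS itself): a small simulator validates a raw Ethernet frame, then picks the source interface by matching the 802.1Q VLAN ID against the configured VLAN interfaces, dropping and logging the frame when none matches. The frame length bounds, interface names and test frames are assumptions constructed for the example.

```python
import struct
from typing import Optional

ETHERTYPE_VLAN = 0x8100
# Assumed validation bounds: 60..1522 bytes, excluding the 4-byte FCS
MIN_FRAME, MAX_FRAME = 60, 1522


class PacketFlow:
    """Steps 1 and 2 of the basic packet flow: validate the frame, then
    associate it with a source interface (physical port or VLAN interface)."""

    def __init__(self, physical: dict, vlans: dict):
        self.physical = physical  # port number -> physical interface name
        self.vlans = vlans        # VLAN ID -> configured VLAN interface name
        self.events = []          # log of dropped frames

    def receive(self, port: int, frame: bytes) -> Optional[str]:
        # Step 1: basic Ethernet frame validation; invalid frames are dropped
        if not MIN_FRAME <= len(frame) <= MAX_FRAME:
            return self._drop(port, "invalid frame length %d" % len(frame))
        (ethertype,) = struct.unpack("!H", frame[12:14])
        # Step 2: tagged frame -> look for a VLAN interface with that VLAN ID
        if ethertype == ETHERTYPE_VLAN:
            (tci,) = struct.unpack("!H", frame[14:16])
            vlan_id = tci & 0x0FFF  # VID is the low 12 bits of the tag
            iface = self.vlans.get(vlan_id)
            if iface is None:  # no matching VLAN interface: drop and log
                return self._drop(port, "no VLAN interface for VLAN ID %d" % vlan_id)
            return iface
        # Untagged frame: the physical interface of the receiving port
        return self.physical.get(port)

    def _drop(self, port: int, reason: str) -> None:
        self.events.append("drop on port %d: %s" % (port, reason))


def build_frame(vlan_id: Optional[int] = None, payload_len: int = 46) -> bytes:
    """Constructed test frame: dst MAC, src MAC, optional 802.1Q tag, IPv4 ethertype, payload."""
    hdr = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    if vlan_id is not None:
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, vlan_id)  # PCP/DEI bits zero
    hdr += struct.pack("!H", 0x0800)
    return hdr + bytes(payload_len)
```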
Chapter 1. Product Overview