D-Link NetDefend DFL-210 User Manual page 17

Network security firewall ver. 1.05
1.2.3. Basic Packet Flow
If the Ethernet frame contains a PPP payload, the system checks for a matching PPPoE interface. If one is found, that interface becomes the source interface for the packet. If no matching interface is found, the packet is dropped and the event is logged.
If none of the above is true, the receiving Ethernet interface becomes the source interface for the packet.
3. The IP datagram within the packet is passed on to the NetDefendOS Consistency Checker. The consistency checker performs a number of sanity checks on the packet, including validation of checksums, protocol flags, packet length and so forth. If the consistency checks fail, the packet is dropped and the event is logged.
4. NetDefendOS now tries to look up an existing connection by matching parameters from the incoming packet. A number of parameters are used in the match attempt, including the source interface, source and destination IP addresses, IP protocol and so forth.
If a match cannot be found, a connection establishment process starts which includes steps 5 to 10 below. If a match is found, the forwarding process continues at step 11 below.
5. The source interface is examined to find out if the interface is a member of a specific routing table. Also, the Virtual Routing Rules are evaluated to determine the correct routing table for the connection.
6. The Access rules are evaluated to find out if the source IP address of the new connection is allowed on the receiving interface. If no access rule matches, a reverse route lookup is done. In other words, by default, an interface will only accept source IP addresses that belong to networks routed over that interface. If the access rules or the reverse route lookup determine that the source IP is invalid, the packet is dropped and the event is logged.
7. A route lookup is made using the appropriate routing table. The destination interface for the connection has now been determined.
8. The IP rules are now searched for a rule that matches the packet. Basically, the following parameters are part of the matching process: source and destination interfaces, source and destination network, IP protocol (TCP, UDP, ICMP etc.), TCP/UDP ports or ICMP types, and schedule (time-of-day).
If a match cannot be found, the packet is dropped.
If a rule is found that matches the new connection, the Action parameter of the rule decides what NetDefendOS should do with the connection. If the action is Drop, the packet is dropped and the event is logged according to the log settings for the rule.
If the action is Allow, the packet is allowed through the system. A corresponding state is added to the connection table for matching subsequent packets belonging to the same connection. In addition, the Service object which matched the IP protocol and ports might have contained a reference to an Application Layer Gateway (ALG) object. This information is recorded in the state so that NetDefendOS will know that application layer processing has to be performed on the connection.
Finally, the opening of the new connection is logged according to the log settings of the rule.
Note
There are actually a number of additional actions available such as address translation and server load balancing. The basic concept of dropping and allowing traffic is still the same.
9. The Intrusion Detection and Prevention (IDP) Rules are now evaluated in a similar way to the IP rules. If a match is found, the IDP data is recorded with the state. By doing this, NetDefendOS will know that IDP scanning is supposed to be conducted on all packets belonging to this
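The flow in steps 3 to 8 above, as an added example that is not from the D-Link manual and not NetDefendOS code: a small Python model of a stateful firewall's new-connection path. The routing table, the IP rule set (including a Drop rule and a schedule expressed as an hour window), the interface names and the choice of interface plus 5-tuple as the connection-table key are all assumptions made for illustration; step 5 (routing-table selection), ALGs and step 9 (IDP) are not modeled.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    in_iface: str  # receiving interface, i.e. the source interface chosen in step 2
    src: str
    dst: str
    proto: str     # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0


# Constructed routing table (assumption): network -> destination interface.
ROUTES = [
    (ipaddress.ip_network("192.168.1.0/24"), "lan"),
    (ipaddress.ip_network("0.0.0.0/0"), "wan"),
]

# Constructed IP rules (assumption), evaluated top-down, first match wins:
# (name, action, src_iface, dst_iface, src_net, proto, dst_ports, (from_hour, to_hour))
IP_RULES = [
    ("block_smb", "drop", "lan", "wan", "192.168.1.0/24", "tcp", {445}, (0, 24)),
    ("lan_web", "allow", "lan", "wan", "192.168.1.0/24", "tcp", {80, 443}, (0, 24)),
    ("lan_dns", "allow", "lan", "wan", "192.168.1.0/24", "udp", {53}, (0, 24)),
    ("lan_ssh_office_hours", "allow", "lan", "wan", "192.168.1.0/24", "tcp", {22}, (8, 18)),
]

CONNECTIONS = {}  # connection table (step 4): (iface, proto, src, sport, dst, dport) -> rule name
LOG = []          # (event, detail, packet)


def route_lookup(ip):
    """Step 7: longest-prefix route lookup, returns the outgoing interface."""
    addr = ipaddress.ip_address(ip)
    matches = [(net.prefixlen, iface) for net, iface in ROUTES if addr in net]
    return max(matches)[1] if matches else None


def consistency_ok(pkt):
    """Step 3, simplified: reject header values that cannot be valid before any lookup."""
    try:
        ipaddress.ip_address(pkt.src)
        ipaddress.ip_address(pkt.dst)
    except ValueError:
        return False
    return (pkt.proto in ("tcp", "udp", "icmp")
            and 0 <= pkt.sport <= 65535 and 0 <= pkt.dport <= 65535)


def reverse_route_ok(pkt):
    """Step 6 default: the source address must be routed over the interface it arrived on."""
    return route_lookup(pkt.src) == pkt.in_iface


def match_rule(pkt, dst_iface, hour):
    """Step 8: first rule whose interfaces, source network, protocol, port and schedule match."""
    src = ipaddress.ip_address(pkt.src)
    for name, action, si, di, snet, proto, dports, (h0, h1) in IP_RULES:
        if (si == pkt.in_iface and di == dst_iface and src in ipaddress.ip_network(snet)
                and proto == pkt.proto and (not dports or pkt.dport in dports)
                and h0 <= hour < h1):
            return name, action
    return None


def process(pkt, hour=12):
    """Run one packet through steps 3 to 8; returns (verdict, reason)."""
    def drop(reason):
        LOG.append(("drop", reason, pkt))
        return "drop", reason

    if not consistency_ok(pkt):
        return drop("consistency check failed")
    key = (pkt.in_iface, pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
    if key in CONNECTIONS:  # step 4: packet belongs to an open connection, no rule lookup
        return "allow", "state:" + CONNECTIONS[key]
    if not reverse_route_ok(pkt):  # step 6: anti-spoofing
        return drop("source IP not routed over receiving interface")
    dst_iface = route_lookup(pkt.dst)  # step 7
    rule = match_rule(pkt, dst_iface, hour)  # step 8
    if rule is None:
        return drop("no matching IP rule")
    name, action = rule
    if action != "allow":
        return drop("rule " + name)
    # Allowed: record state for both directions so the reply, arriving on the
    # destination interface, is matched in step 4 instead of needing its own rule.
    CONNECTIONS[key] = name
    CONNECTIONS[(dst_iface, pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)] = name
    LOG.append(("open", name, pkt))
    return "allow", "rule:" + name


if __name__ == "__main__":
    for p in (Packet("wan", "192.168.1.20", "203.0.113.10", "tcp", 40000, 80),   # spoofed source
              Packet("lan", "192.168.1.20", "203.0.113.10", "tcp", 40000, 80),   # LAN client to web
              Packet("wan", "203.0.113.10", "192.168.1.20", "tcp", 80, 40000)):  # the reply
        print(p.in_iface, p.src, "->", p.dst, process(p))
```

Two points the model makes visible: a packet arriving on wan with a LAN source address is dropped by the reverse route lookup of step 6 before any IP rule is consulted, and the reply to an allowed connection is accepted in step 4 by the stored state, so the rule set only needs to describe the initiating direction. Because step 4 runs before step 6, the reply entry is keyed on the interface the reply is expected to arrive on; without that, a spoofed packet on the wrong interface could ride an existing state entry.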
Chapter 1. Product Overview