Nortel Contivity 251 User Manual page 135
9.5.2 Stateful Inspection and the Contivity 251
Additional rules may be defined to extend or override the default rules. For
example, a rule may be created which will:
i. Block all traffic of a certain type, such as IRC (Internet Relay Chat),
from the LAN to the Internet.
ii. Allow certain types of traffic from the Internet to specific hosts on the
LAN.
iii. Allow access to a Web server to everyone but competitors.
iv. Restrict use of certain protocols, such as Telnet, to authorized users on
the LAN.
These custom rules work by evaluating the network traffic's Source IP address,
Destination IP address, and IP protocol type, and comparing these to rules set by
the administrator.
The ability to define firewall rules is a very powerful tool. Using custom
rules, it is possible to disable all firewall protection or block all access to
the Internet. Use extreme caution when creating or deleting firewall
rules. Test changes after creating them to make sure they work correctly.
Below is a brief technical description of how these connections are tracked.
Connections may either be defined by the upper protocols (for instance, TCP), or
by the Contivity 251 itself (as with the "virtual connections" created for UDP and
ICMP).
9.5.3 TCP Security
The Contivity 251 uses state information embedded in TCP packets. The first
packet of any new connection has its SYN flag set and its ACK flag cleared; these
are "initiation" packets. All packets that do not have this flag structure are called
"subsequent" packets, since they represent data that occurs later in the TCP stream.
If an initiation packet originates on the WAN, this means that someone is trying to
make a connection from the Internet into the LAN. Except in a few special cases
(see "Upper Layer Protocols" shown next), these packets are dropped and logged.
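The following is an added illustration of the behaviour described in 9.5.2 and 9.5.3, written as a small Python model; it is not Nortel code and does not reflect how the Contivity 251 firmware is implemented. It assumes a constructed LAN prefix of 192.0.2.0/24 (everything else counts as WAN), administrator rules matched top-down with the first match winning, and constructed packet addresses in 203.0.113.0/24. It shows the four example rule types from the list above, the SYN-set/ACK-clear test that separates "initiation" from "subsequent" packets, and the "virtual connections" that let UDP replies back in only when a LAN host sent the request.

```python
from dataclasses import dataclass
from typing import Optional
import ipaddress

LAN = ipaddress.ip_network("192.0.2.0/24")   # constructed LAN prefix (assumption)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str               # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    syn: bool = False        # TCP flags; unused for udp/icmp
    ack: bool = False

    def is_initiation(self) -> bool:
        # 9.5.3: the first packet of a TCP connection has SYN set and ACK cleared
        return self.proto == "tcp" and self.syn and not self.ack

    def from_wan(self) -> bool:
        return ipaddress.ip_address(self.src) not in LAN


@dataclass(frozen=True)
class Rule:
    """Administrator rule keyed on source, destination, protocol (9.5.2).
    Destination port is an extra field assumed here for the examples."""
    action: str                       # "allow" or "block"
    src: str = "any"                  # CIDR or "any"
    dst: str = "any"
    proto: str = "any"
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        def in_net(addr: str, net: str) -> bool:
            return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)
        return (in_net(p.src, self.src) and in_net(p.dst, self.dst)
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport))


class StatefulFirewall:
    def __init__(self, rules):
        self.rules = list(rules)      # evaluated top-down, first match wins (assumption)
        self.table = set()            # tracked connections as 5-tuples
        self.log = []                 # dropped packets are logged, as the manual states

    @staticmethod
    def key(p: Packet):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def reverse(p: Packet):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def _drop(self, p: Packet, why: str) -> str:
        self.log.append(f"DROP {p.proto} {p.src}:{p.sport}->{p.dst}:{p.dport} ({why})")
        return "drop"

    def process(self, p: Packet) -> str:
        # "Subsequent" TCP packets are accepted only for a connection already tracked
        if p.proto == "tcp" and not p.is_initiation():
            if self.key(p) in self.table or self.reverse(p) in self.table:
                return "allow"
            return self._drop(p, "subsequent packet with no tracked connection")
        # UDP/ICMP replies ride the "virtual connection" their outbound request created
        if p.proto in ("udp", "icmp") and self.reverse(p) in self.table:
            return "allow"
        # A new connection attempt: the administrator's custom rules are consulted first
        for rule in self.rules:
            if rule.matches(p):
                if rule.action == "block":
                    return self._drop(p, "blocked by rule")
                self.table.add(self.key(p))
                return "allow"
        # Default policy: an initiation from the WAN is dropped and logged;
        # traffic leaving the LAN opens a tracked connection
        if p.from_wan():
            return self._drop(p, "unsolicited connection from WAN")
        self.table.add(self.key(p))
        return "allow"


def demo():
    """Run constructed traffic through the four example rule types from 9.5.2."""
    fw = StatefulFirewall([
        Rule("block", src="192.0.2.0/24", proto="tcp", dport=6667),   # i.  no IRC out of the LAN
        Rule("allow", dst="192.0.2.10/32", proto="tcp", dport=80),    # ii. Web server reachable from Internet
        Rule("allow", src="192.0.2.5/32", proto="tcp", dport=23),     # iv. Telnet only from the admin host
        Rule("block", proto="tcp", dport=23),                         #     ...and blocked for everyone else
    ])
    packets = {   # constructed sample traffic
        "irc_out":         Packet("192.0.2.20", "203.0.113.9", "tcp", 40000, 6667, syn=True),
        "web_in":          Packet("203.0.113.7", "192.0.2.10", "tcp", 51000, 80, syn=True),
        "web_in_ack":      Packet("203.0.113.7", "192.0.2.10", "tcp", 51000, 80, ack=True),
        "ssh_in":          Packet("203.0.113.7", "192.0.2.10", "tcp", 51001, 22, syn=True),
        "stray_ack":       Packet("203.0.113.8", "192.0.2.20", "tcp", 443, 40001, ack=True),
        "telnet_admin":    Packet("192.0.2.5", "203.0.113.9", "tcp", 40002, 23, syn=True),
        "telnet_user":     Packet("192.0.2.20", "203.0.113.9", "tcp", 40003, 23, syn=True),
        "dns_out":         Packet("192.0.2.20", "203.0.113.53", "udp", 40004, 53),
        "dns_reply":       Packet("203.0.113.53", "192.0.2.20", "udp", 53, 40004),
        "udp_unsolicited": Packet("203.0.113.53", "192.0.2.20", "udp", 53, 40005),
    }
    return {name: fw.process(p) for name, p in packets.items()}, fw.log
```

Note that rule order matters with first-match evaluation: the Telnet "allow" for the admin host must precede the general Telnet "block", and a rule placed above the defaults can open the LAN far wider than intended, which is the reason the manual advises testing every rule change.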
Contivity 251 VPN Switch User's Guide
Firewalls
9-11