Filtering Rules For An Exception Filter - Extreme Networks Summit WM User Manual


WM Access Domain Services configuration

Filtering rules for an exception filter

The exception filter provides a set of rules aimed at restricting the type of traffic that is delivered to the
controller. By default, your system is shipped with a set of restrictive filtering rules that help control
access through the interfaces to only absolutely necessary services.
When Allow Management is enabled on an interface, an additional set of rules is added to the shipped
filter rules that permits access to the system's management configuration framework (SSH, HTTPS,
SNMP agent). Most of this is handled behind the scenes by the system, which rolls and un-rolls canned
filters as the system's topology and the defined access privileges for an interface change.
NOTE
An interface for which Allow Management is enabled can be reached from any other interface. By default, Allow
Management is disabled, and the shipped interface filters only permit the interface to be reached directly from its own
subnet.
The visible exception filter definitions, both in physical port and WM-AD definitions, allow
administrators to define a set of rules that is prepended to the system's dynamically updated exception
filter protection rules. Rule evaluation is performed top to bottom and stops at the first matching rule.
Therefore, these user-defined rules are evaluated before the system's own generated rules. As such,
user-defined rules may inadvertently open security gaps in the system's protection mechanism or
filter out packets that the system itself requires.
NOTE
Use exception filters only if absolutely necessary. It is recommended to avoid defining general allow all or deny all
rule definitions since those definitions can easily be too liberal or too restrictive to all types of traffic.
The exception rules are evaluated in the context of referring to the specific controller's interface. The
destination address for the filter rule definition is typically defined as the interface's own IP address.
The port number for the filter definition corresponds to the target (destination) port number for the
applicable service running on the controller's management plane.
The exception filter on a WM-AD applies only to the destination portion of the packet. Traffic to a
specified IP address and IP port is either allowed or denied. Adding exception filtering rules allows
network administrators to either tighten or relax the built-in filtering, which automatically drops packets
not specifically allowed by a filtering rule definition. Exception filtering rules can deny access in the
event of a DoS attack, or can allow certain types of management traffic that would otherwise be denied.
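The ordering behaviour described above (user rules prepended, first match wins, implicit deny at the end) is what makes a careless "allow all" or "deny all" exception rule dangerous. The following toy model is an added example written for this page, not code from Extreme Networks or the Summit WM controller. The interface address 10.0.0.1/24, the stand-in for the shipped rule set, the source-subnet handling used to mimic the Allow Management behaviour, the rule and packet fields, and all sample traffic are assumptions constructed for illustration; the real controller's rule format is not shown on this page.

```python
"""Toy model of first-match exception-filter evaluation with user rules
prepended to system-generated rules. Added example, not Extreme Networks code.
Interface address, rule format, shipped rule set and packets are all assumed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    dst: str               # destination host/network in CIDR, or "any"
    port: Optional[int]    # destination port, or None for any port
    src: str = "any"       # source network; only the assumed system rules use it
    note: str = ""


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int


IFACE_IP = "10.0.0.1"       # assumed controller interface address
IFACE_NET = "10.0.0.0/24"   # assumed subnet of that interface


def _in_net(net: str, ip: str) -> bool:
    return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (_in_net(rule.src, pkt.src_ip)
            and _in_net(rule.dst, pkt.dst_ip)
            and (rule.port is None or rule.port == pkt.dst_port))


def system_rules(allow_management: bool) -> List[Rule]:
    """Assumed stand-in for the shipped rules: management services to the
    interface address, from anywhere if Allow Management is on, otherwise
    only from the interface's own subnet; everything else dropped."""
    src = "any" if allow_management else IFACE_NET
    host = IFACE_IP + "/32"
    return [
        Rule("allow", host, 22, src, "SSH"),
        Rule("allow", host, 443, src, "HTTPS"),
        Rule("allow", host, 161, src, "SNMP agent"),
        Rule("deny", "any", None, "any", "system default deny"),
    ]


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[Rule]]:
    """Top to bottom, first match wins; implicit deny if nothing matches."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule
    return "deny", None


def decide(user_rules: List[Rule], pkt: Packet, allow_management: bool = True) -> str:
    """User-defined exception rules are prepended to the system rules."""
    action, _ = evaluate(list(user_rules) + system_rules(allow_management), pkt)
    return action


# Constructed sample traffic and user rules (user rules match destination only, as on a WM-AD).
SSH_REMOTE = Packet("192.168.5.7", IFACE_IP, 22)
SSH_LOCAL = Packet("10.0.0.50", IFACE_IP, 22)
TELNET = Packet("192.168.5.7", IFACE_IP, 23)
SNMP_FLOOD = Packet("198.51.100.9", IFACE_IP, 161)

ALLOW_ALL = Rule("allow", "any", None, note="too liberal: exposes every port")
DENY_ALL = Rule("deny", "any", None, note="too restrictive: locks out management")
DROP_SNMP = Rule("deny", IFACE_IP + "/32", 161, note="scoped: SNMP to this interface only")

if __name__ == "__main__":
    cases = [
        ("no user rules, telnet", [], TELNET, True),
        ("allow-all prepended, telnet", [ALLOW_ALL], TELNET, True),
        ("deny-all prepended, SSH", [DENY_ALL], SSH_REMOTE, True),
        ("drop SNMP during flood", [DROP_SNMP], SNMP_FLOOD, True),
        ("drop SNMP, SSH still works", [DROP_SNMP], SSH_REMOTE, True),
        ("mgmt off, SSH from remote", [], SSH_REMOTE, False),
        ("mgmt off, SSH from own subnet", [], SSH_LOCAL, False),
    ]
    for name, rules, pkt, mgmt in cases:
        print(f"{name:32s} -> {decide(rules, pkt, mgmt)}")
```

The two broad rules show the failure modes the note warns about: a prepended allow-all reaches telnet on the interface before the system's default deny can drop it, and a prepended deny-all swallows the SSH session that the Allow Management rules were supposed to admit. The scoped rule, keyed to the interface's own address and a single port, is the shape of rule the page recommends: it drops SNMP during a flood while leaving SSH and HTTPS untouched.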
Typically, Allow Management is enabled
To define filtering rules for an exception filter:
1 From the main menu, click WM Access Domain Configuration. The WM Access Domain
Configuration page is displayed.
2 In the left pane WM Access Domains list, click the WM-AD you want to define filter ID values for.
The Topology tab is displayed.
3 Click the Filtering tab.
182
Summit WM User Guide, Software Version 5.3
