Security Mechanisms; Access Rules; Overview; Ip Spoofing - D-Link NetDefend DFL-210 User Manual

Chapter 6. Security Mechanisms
This chapter describes NetDefendOS security features.
• Access Rules, page 204
• ALGs, page 207
• Web Content Filtering, page 255
• Anti-Virus Scanning, page 272
• Intrusion Detection and Prevention, page 278
• Denial-of-Service Attack Prevention, page 289
• Blacklisting Hosts and Networks, page 294

6.1. Access Rules

6.1.1. Overview

One of the principal functions of NetDefendOS is to allow only authorized connections access to
protected data resources. Access control is primarily addressed by the NetDefendOS IP rule set in
which a range of protected LAN addresses are treated as trusted hosts, and traffic flow from
untrusted sources is restricted from entering trusted areas.
Before a new connection is checked against the IP rule set, NetDefendOS checks the connection
source against a set of Access Rules. Access Rules can specify what traffic source is expected on a
given interface and also to automatically drop traffic originating from specific sources. AccessRules
can provide an efficient and targeted initial filter of new connection attempts.
The Default Access Rule
Even if the administrator does not explicitly specify any Access Rules, a basic access rule is always
in place which is known as the Default Access Rule. This default rule always checks incoming
traffic by performing a reverse lookup in the routing tables. This lookup validates that the incoming
traffic is coming from a source that the routing tables indicate is accessible via the interface on
which the traffic arrived. If this reverse lookup fails then the connection is dropped and a "Default
Access Rule" log message will be generated.
For most configurations the Default Access Rule is sufficient and the administrator does not need to
explicitly specify other rules. The default rule can, for instance, protect against IP spoofing, which is
described in the next section. If Access Rules are explicitly specified, then the Default Access Rule
is still applied if a new connection does not match any of the specified rules.

6.1.2. IP Spoofing

Traffic that pretends it comes from a trusted host can be sent by an attacker to try and get past a
firewall's security mechanisms. Such an attack is commonly known as Spoofing.
IP spoofing is one of the most common spoofing attacks. Trusted IP addresses are used to bypass
filtering. The header of an IP packet indicating the source address of the packet is modified by the
attacker to be a local host address. The firewall will believe the packet came from a trusted source.
Although the packet source cannot be responded to correctly, there is the potential for unnecessary
network congestion to be created and potentially a Denial of Service (DoS) condition could occur.
Even if the firewall is able to detect a DoS condition, it is hard to trace or stop because of its nature.
204