Security Mechanisms; Access Rules; Introduction; Ip Spoofing - D-Link NetDefend DFL-210 User Manual

Network security firewall

Chapter 6. Security Mechanisms
This chapter describes NetDefendOS security features.
• Access Rules, page 135
• Application Layer Gateways, page 138
• Web Content Filtering, page 169
• Anti-Virus Scanning, page 183
• Intrusion Detection and Prevention, page 188
• Denial-Of-Service (DoS) Attacks, page 198
• Blacklisting Hosts and Networks, page 202

6.1. Access Rules

6.1.1. Introduction

One of the principal functions of NetDefendOS is to allow only authorized connections access to
protected data resources. Access control is primarily addressed by the NetDefendOS IP rule set, in
which a range of protected LAN addresses are treated as trusted hosts, and traffic flow from
untrusted sources is restricted from entering trusted areas.
Before a new connection is checked against the IP rule set, NetDefendOS checks the connection
source against a set of Access Rules. Access Rules can specify which traffic source is expected on a
given interface and can also automatically drop traffic originating from specific sources. Access Rules
can provide an efficient and targeted initial filter of new connection attempts.
The Default Access Rule
Even if the administrator doesn't explicitly specify any Access Rules, a basic access rule is always in
place which is known as the Default Access Rule. This default rule always checks incoming traffic
by performing a reverse lookup in the routing tables. This lookup validates that the incoming traffic
is coming from a source that the routing tables indicate is accessible via the interface on which the
traffic arrived. If this reverse lookup fails then the connection is dropped and a "Default Access
Rule" log message will be generated.
For most configurations the Default Access Rule is sufficient and the administrator does not need to
explicitly specify other rules. The default rule can, for instance, protect against IP spoofing, which is
described in the next section. If Access Rules are explicitly specified, then the Default Access Rule
is still applied if a new connection doesn't match any of the specified rules.

6.1.2. IP spoofing

Traffic that pretends it comes from a trusted host can be sent by an attacker to try to get past a
firewall's security mechanisms. Such an attack is commonly known as Spoofing.
IP spoofing is one of the most common spoofing attacks. Trusted IP addresses are used to bypass
filtering. The header of an IP packet indicating the source address of the packet is modified by the
attacker to be a local host address. The firewall will believe the packet came from a trusted source.
Although the packet source cannot be responded to correctly, there is the potential for unnecessary
network congestion to be created and potentially a Denial of Service (DoS) condition could occur.
Even if the firewall is able to detect a DoS condition, it is hard to trace or stop it because of its
nature.
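The following is an added example, not code from the D-Link manual or from NetDefendOS, that models the evaluation order described in 6.1.1 and shows how the reverse route lookup of the Default Access Rule stops the spoofing case from 6.1.2: a packet carrying a local (trusted) source address that arrives on the outside interface. The interface names, the routing table, the explicit rule, and the sample connections are all constructed for the illustration; the "accept"/"drop" action names and the log message wording are assumptions and are not the product's own.

```python
"""Model of the 6.1 access check: explicit Access Rules are consulted first
(first match wins); if none match, the Default Access Rule does a reverse
lookup of the source address in the routing table and drops the connection
when the route back to the source does not use the ingress interface.
All interface names, routes, rules and packets below are constructed data."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    interface: str


@dataclass(frozen=True)
class AccessRule:
    interface: str                   # interface the rule applies to
    network: ipaddress.IPv4Network   # source addresses the rule matches
    action: str                      # "accept" or "drop" (assumed names)


# Constructed routing table: two inside networks plus a default route via "wan".
ROUTES: List[Route] = [
    Route(ipaddress.ip_network("192.168.1.0/24"), "lan"),
    Route(ipaddress.ip_network("10.10.0.0/16"), "dmz"),
    Route(ipaddress.ip_network("0.0.0.0/0"), "wan"),
]

# Constructed explicit rule: drop anything from 198.51.100.0/24 arriving on "wan".
RULES: List[AccessRule] = [
    AccessRule("wan", ipaddress.ip_network("198.51.100.0/24"), "drop"),
]


def lookup_interface(routes: List[Route], address: str) -> Optional[str]:
    """Longest-prefix match: the interface through which `address` is reachable."""
    addr = ipaddress.ip_address(address)
    best: Optional[Route] = None
    for r in routes:
        if addr in r.network and (best is None or r.network.prefixlen > best.network.prefixlen):
            best = r
    return best.interface if best else None


def default_access_rule(routes: List[Route], ingress: str, source: str) -> Tuple[str, str]:
    """Reverse lookup: the source must be routable back out through the ingress interface."""
    expected = lookup_interface(routes, source)
    if expected == ingress:
        return "accept", "Default Access Rule: reverse lookup matched"
    # A failed reverse lookup is the event the manual says produces a
    # "Default Access Rule" log message; the exact wording here is assumed.
    return "drop", (f"Default Access Rule: source {source} arrived on {ingress} "
                    f"but the routing table reaches it via {expected}")


def check_connection(rules: List[AccessRule], routes: List[Route],
                     ingress: str, source: str) -> Tuple[str, str]:
    """Explicit Access Rules first; fall through to the Default Access Rule."""
    addr = ipaddress.ip_address(source)
    for rule in rules:
        if rule.interface == ingress and addr in rule.network:
            return rule.action, f"Access Rule {rule.interface}/{rule.network}: {rule.action}"
    return default_access_rule(routes, ingress, source)


# Constructed new-connection attempts: (ingress interface, claimed source address).
SAMPLE_CONNECTIONS = [
    ("lan", "192.168.1.20"),   # legitimate inside host
    ("wan", "192.168.1.20"),   # inside address claimed from outside: spoofed
    ("wan", "203.0.113.5"),    # ordinary outside source reached via the default route
    ("wan", "198.51.100.9"),   # matches the explicit drop rule
    ("dmz", "10.10.3.4"),      # legitimate DMZ host
]

if __name__ == "__main__":
    for ingress, src in SAMPLE_CONNECTIONS:
        verdict, reason = check_connection(RULES, ROUTES, ingress, src)
        print(f"{ingress:4} {src:15} -> {verdict:6} ({reason})")
```

The second sample connection is the 6.1.2 scenario: the source claims to be 192.168.1.20, but the routing table says that address lives behind "lan", so a packet carrying it on "wan" fails the reverse lookup and is dropped before the IP rule set is ever consulted. The explicit rule shows the other mechanism the section describes, dropping a named source on a given interface; everything that matches no explicit rule still passes through the default rule.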
135
