D-Link DFL-1660 User Manual page 19

1.2.3. Basic Packet Flow
• TCP/UDP ports
• ICMP types
• Point in time in reference to a predefined schedule
If a match cannot be found, the packet is dropped.
If a rule is found that matches the new connection, the Action parameter of the rule decides
what NetDefendOS should do with the connection. If the action is Drop, the packet is dropped
and the event is logged according to the log settings for the rule.
If the action is Allow, the packet is allowed through the system. A corresponding state will be
added to the connection table for matching subsequent packets belonging to the same
connection. In addition, the Service object which matched the IP protocol and ports might have
contained a reference to an Application Layer Gateway (ALG) object. This information is
recorded in the state so that NetDefendOS will know that application layer processing will have
to be performed on the connection.
Finally, the opening of the new connection will be logged according to the log settings of the
rule.
8. The Intrusion Detection and Prevention (IDP) Rules are now evaluated in a similar way to the
IP rules. If a match is found, the IDP data is recorded with the state. By doing this,
NetDefendOS will know that IDP scanning is supposed to be conducted on all packets
belonging to this connection.
9. The Traffic Shaping and the Threshold Limit rule sets are now searched. If a match is found,
the corresponding information is recorded with the state. This will enable proper traffic
management on the connection.
10. From the information in the state, NetDefendOS now knows what to do with the incoming
packet:
• If ALG information is present or if IDP scanning is to be performed, the payload of the
packet is taken care of by the TCP Pseudo-Reassembly subsystem, which in turn makes use
of the different Application Layer Gateways, layer 7 scanning engines and so on, to further
analyze or transform the traffic.
• If the contents of the packet is encapsulated (such as with IPsec, PPTP/L2TP or some other
type of tunneled protocol), then the interface lists are checked for a matching interface. If
one is found, the packet is decapsulated and the payload (the plaintext) is sent into
NetDefendOS again, now with source interface being the matched tunnel interface. In other
words, the process continues at step 3 above.
• If traffic management information is present, the packet might get queued or otherwise be
subjected to actions related to traffic management.
11. Eventually, the packet will be forwarded out on the destination interface according to the state.
If the destination interface is a tunnel interface or a physical sub-interface, additional
processing such as encryption or encapsulation might occur.
The next section provides a set of diagrams illustrating the flow of packets through NetDefendOS.
Note: Additional actions
There are actually a number of additional actions available such as address
translation and server load balancing. The basic concept of dropping and
allowing traffic is still the same.
19
Chapter 1. NetDefendOS Overview