Access Control Lists; Denial Of Service - Avaya G250 Technical White Paper

Access Control Lists / Denial of Service (DOS) Protection

1. Access Control Lists

The G250/G350 supports Access Control Lists (ACLs), which provide
fine-grained control over ingress/egress protocols. In addition, the following
capabilities exist:
The ability to restrict:
— ip-fragments-in — applies to incoming packets that contain IP fragments
— ip-fragments-out — applies to outgoing packets that contain IP fragments
— ip-options-in — applies to incoming packets that contain IP options
— ip-options-out — applies to outgoing packets that contain IP options
You can configure policy rules to match packets based on one or more of the
following for ingress and egress:
• Source IP address, or a range of addresses
• Destination IP address, or a range of addresses
• IP protocol, such as TCP, UDP, ICMP, IGMP
• Source TCP or UDP port or a range of ports
• Destination TCP or UDP port or a range of ports
• ICMP type and code
Use IP wildcards to specify a range of source or destination IP addresses.
The zero bits in the wildcard correspond to bits in the IP address that
remain fixed. The one bits in the wildcard correspond to bits in the IP
address that can vary. Note that this is the opposite of how bits are used in
a subnet mask.
For access control lists, you can require the packet to be part of an
established TCP session. If the packet is a request for a new TCP session,
the packet does not match the rule. You can also specify whether an
access control list accepts packets that have an IP option field.
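
The wildcard and established-session matching described above, as an added Python example; it is not from the Avaya white paper and does not use G250/G350 configuration syntax. The `Rule` model, the packet dictionaries and the addresses are constructed, and treating "established" as "ACK or RST flag set" is an assumption borrowed from common router ACL implementations.

```python
import ipaddress
from dataclasses import dataclass

ALL_ONES = 0xFFFFFFFF

def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(ip: str, base: str, wildcard: str) -> bool:
    """True if ip equals base on every bit where the wildcard bit is 0."""
    fixed_bits = ~to_int(wildcard) & ALL_ONES  # zero bits in wildcard stay fixed
    return (to_int(ip) & fixed_bits) == (to_int(base) & fixed_bits)

def wildcard_from_netmask(netmask: str) -> str:
    """A wildcard is the bitwise inverse of the equivalent subnet mask."""
    return str(ipaddress.IPv4Address(~to_int(netmask) & ALL_ONES))

@dataclass
class Rule:  # hypothetical rule model, not the gateway's own syntax
    src: str
    src_wildcard: str
    dst: str
    dst_wildcard: str
    protocol: str
    dst_ports: range
    established: bool = False

    def matches(self, pkt: dict) -> bool:
        if pkt["protocol"] != self.protocol:
            return False
        if not wildcard_match(pkt["src"], self.src, self.src_wildcard):
            return False
        if not wildcard_match(pkt["dst"], self.dst, self.dst_wildcard):
            return False
        if pkt["dst_port"] not in self.dst_ports:
            return False
        # Assumption: "established" means ACK or RST is set, so a bare SYN
        # (a request for a new TCP session) does not match the rule.
        if self.established and not ({"ACK", "RST"} & pkt["flags"]):
            return False
        return True

# Constructed sample rule and packets
RULE = Rule("10.1.0.0", "0.0.255.255", "192.168.5.10", "0.0.0.0",
            "tcp", range(1024, 65536), established=True)
REPLY = {"src": "10.1.7.9", "dst": "192.168.5.10", "protocol": "tcp",
         "dst_port": 40000, "flags": {"ACK"}}
NEW_SESSION = dict(REPLY, flags={"SYN"})   # same packet, but opening a session
OUTSIDE = dict(REPLY, src="10.2.7.9")      # differs in a fixed (zero) wildcard bit
```

A wildcard does not have to be contiguous: `0.0.254.0` fixes only the lowest bit of the third octet, which a subnet mask cannot express.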
GPW/AMK
Avaya G350 Media Gateway Security Features Overview
©2005 Avaya Inc. All Rights Reserved. Avaya and the Avaya logo are trademarks of Avaya Inc. and
may be registered in certain jurisdictions. All trademarks identified by ® and ™ are registered
trademarks or trademarks respectively, of Avaya Inc. All other registered trademarks or trademarks
are property of their respective owners.
