3Com Switch 8800 Family IPsec Module Configuration and Command reference Guide

20 CHAPTER 3: NETWORK SECURITY CONFIGURATION
Packet filter: Such a firewall filters each packet according to items defined by
the user. For example, it compares the source and destination addresses of each
packet with the defined rules for a match. A packet filter neither considers the
state of sessions nor analyzes the data. If the user specifies that packets
carrying port number 21 or a port number no less than 1024 are permitted, all
packets matching that condition will be able to pass through the firewall. If the
configured rules are properly set for the actual applications, many packets that
pose a potential threat to security can be filtered at this layer.
Network Address Translation (NAT): Also called address proxy, NAT makes it
possible for a private network to access an external network. The NAT
mechanism substitutes an external network address and port of the security
gateway for the IP address and port of a host on the private network, and vice
versa. In other words, it performs the conversion between <Private address + Port
number> and <Public address + Port number>. The private address discussed
here refers to an internal network or host address, and a public address refers to
a globally unique IP address on the Internet. The Internet Assigned Numbers
Authority (IANA) has provisioned that the following IP address ranges are
reserved for private addresses:
10.0.0.0 to 10.255.255.255
172.16.0.0 to 172.31.255.255
192.168.0.0 to 192.168.255.255
In other words, the addresses in these three ranges are used inside an
organization or company rather than assigned on the Internet. A company can
select a proper internal network address range, taking into consideration the
number of internal hosts and networks expected in the near future. The internal
network addresses of different companies can be the same. However, chaos is
very likely to result if a company selects a segment outside the three ranges
given above as its internal network address. NAT allows internal hosts to access
Internet resources while keeping their "privacy".
Packet Filter Function
Normally, a packet filter filters IP packets. For the packets that the security
gateway will forward, the filter first obtains the header information of each
packet, including the upper-layer protocol carried by IP, the source and
destination addresses of the packet, and the source and destination ports. Then
it compares them with the preset rules to determine whether the packet should be
forwarded or discarded.
Figure 1-2 illustrates the elements selected by a packet filter for decision making
(on IP packets), given that the upper layer carried by IP is TCP/UDP.
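The following is an added illustration, not code from the 3Com manual or the switch itself: a minimal stateless packet filter that inspects exactly the header fields listed above (protocol, source/destination address, source/destination port), applies an ordered first-match rule list with default deny, and reproduces the example rule set from this chapter (permit port 21 or any port of 1024 and above). The addresses and packets are constructed placeholders; the final packet shows the caveat that, because no session state is kept, any packet to a high port passes whether or not it belongs to an established connection.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Header fields a stateless packet filter inspects (cf. Figure 1-2):
# upper-layer protocol, source/destination address, source/destination port.
@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str                        # "permit" or "deny"
    proto: Optional[str] = None        # None matches any protocol
    src: str = "0.0.0.0/0"             # source prefix
    dst: str = "0.0.0.0/0"             # destination prefix
    dports: Tuple[int, int] = (1, 65535)  # inclusive destination port range

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or self.proto == pkt.proto)
                and ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.dports[0] <= pkt.dport <= self.dports[1])

def filter_packet(rules, pkt: Packet) -> str:
    """First matching rule wins; a packet matching no rule is discarded."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"

# Constructed rule set mirroring the text: destination port 21, or any
# destination port no less than 1024, is permitted; everything else is dropped.
RULES = [
    Rule("permit", proto="tcp", dports=(21, 21)),
    Rule("permit", dports=(1024, 65535)),
]

# Constructed sample packets using placeholder addresses from private ranges.
FTP_CTRL  = Packet("tcp", "192.168.1.10", "10.0.0.5", 40000, 21)
SSH       = Packet("tcp", "192.168.1.10", "10.0.0.5", 40001, 22)
HIGH_PORT = Packet("tcp", "192.168.1.10", "10.0.0.5", 40002, 6667)

if __name__ == "__main__":
    for p in (FTP_CTRL, SSH, HIGH_PORT):
        print(p.proto, p.dst, p.dport, "->", filter_packet(RULES, p))
```

The high-port packet is permitted purely on its header values, which is why the text notes that a packet filter considers neither session state nor payload.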