Product specifications
Efficient Networks® Router family
Technical Reference Guide
Chapter 5: System Security
Page 5-23
Authentication Levels
The router also uses security levels, as follows:
Remote authentication protocol: Each remote router entered in the remote router database has a minimum security level that must be negotiated before the remote router gains access to the local router.
System authentication protocol: A system-wide control is available for overriding the minimum security level in the entire remote router database.
IP Filtering
IP filtering is a type of firewall used to control network traffic. IP filtering provides the
ability to specifically protect some services on the LAN while providing external
access to other services. It is a highly flexible means by which to control exactly which
network traffic will be allowed into or out of your LAN and which traffic should be
denied. It will protect against Denial of Service attacks and log suspicious activities
and can also be used to keep certain users on the LAN from accessing the Internet.
IP filtering can be used in conjunction with NAT, so you don't have to change an
existing configuration to add more security.
The process involves filtering packets received by an interface and deciding whether
to forward or to discard them. Filtering is performed for each interface; since a router
can support multiple PVCs over the same DSL line, there are actually virtual
interfaces separate from physical interfaces. One virtual WAN interface might go to
the Internet and another virtual interface might go to a Corporate LAN, but both of
these are carried over the same physical WAN interface. So, in addition to applying a
single filter on a physical interface, filters should be created for each virtual interface.
Filters and Interfaces
When IP filtering is used, the router examines information for each IP packet, such as
the source and destination addresses, ports, and protocols, and then screens (filters)
the packets based on this information. If the packet matches the conditions of a filter,
the router acts as directed by the filter, that is, it accepts, drops or rejects the packet.
As mentioned above, filters operate at the interface level. Each interface can have up
to four lists of filters associated with it: Input filters, Receive filters, Transmit filters, and
Output filters. Figure 5-3 illustrates the filtering process.
Input Filters
When a packet arrives at an interface, the router compares the packet to the list of
input filters. The first filter that matches the packet determines whether the packet is
accepted, dropped, or rejected. If no filter matches the packet, the packet is accepted.
If the packet is accepted, the next step is Network Address Translation, if NAT is
enabled for the input interface. For more information on Network Address Translation,
see Network Address Translation (NAT) on page 4-17.
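The first-match evaluation of an interface's input filter list described above, as an added example (not code from this guide or the router's firmware), using a simplified rule model whose field names are assumptions; it shows why a list without a final catch-all filter accepts every unmatched packet.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Simplified model of one interface's input-filter list (constructed for
# illustration; field names are assumptions, not the router's own syntax).
ACTIONS = {"accept", "drop", "reject"}

@dataclass
class Filter:
    action: str                  # accept | drop | reject
    proto: Optional[str] = None  # "tcp", "udp", "icmp" or None for any
    src: Optional[str] = None    # source CIDR, None for any
    dst: Optional[str] = None    # destination CIDR, None for any
    dport: Optional[int] = None  # destination port, None for any

    def __post_init__(self):
        if self.action not in ACTIONS:
            raise ValueError(f"unknown action {self.action!r}")

    def matches(self, pkt: dict) -> bool:
        if self.proto and pkt["proto"] != self.proto:
            return False
        if self.src and ip_address(pkt["src"]) not in ip_network(self.src):
            return False
        if self.dst and ip_address(pkt["dst"]) not in ip_network(self.dst):
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        return True

def apply_input_filters(filters: list, pkt: dict) -> str:
    """The first matching filter decides; no match means accept (the guide's default)."""
    for f in filters:
        if f.matches(pkt):
            return f.action
    return "accept"

# Constructed input-filter list for the Internet-facing virtual WAN interface:
# allow HTTP to one LAN host, then drop everything else arriving from the WAN.
WAN_INPUT = [
    Filter("accept", proto="tcp", dst="192.0.2.10/32", dport=80),
    Filter("drop"),  # catch-all: without it, unmatched traffic is accepted
]

if __name__ == "__main__":
    web = {"proto": "tcp", "src": "198.51.100.7", "dst": "192.0.2.10", "dport": 80}
    ssh = {"proto": "tcp", "src": "198.51.100.7", "dst": "192.0.2.10", "dport": 22}
    print(apply_input_filters(WAN_INPUT, web))       # accept
    print(apply_input_filters(WAN_INPUT, ssh))       # drop
    print(apply_input_filters(WAN_INPUT[:-1], ssh))  # accept (no catch-all)
```

Because each virtual interface carries its own lists, the same evaluation runs separately for the Internet-facing and the corporate-facing interface on one DSL line.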