
Wave Global Administrator Guide
Chapter 30: Understanding Wave Data Networking
Packet filtering (page 30-12)
To allow communication between the DMZ and the Internet, only two kinds of packet should be permitted across the WAN connection:
Packets sent from a DMZ address out to the public Internet
Packets sent to a DMZ address in from the public Internet
The following filters can be put in place on the WAN connection(s), with the filter mode set to “drop all except listed below.” The IP addresses in the following table are those of the sample network illustrated in the diagram in “Packet filtering” on page 30-10; substitute the addresses of your own DMZ as appropriate.
DMZ network filters (drop all except those listed below)
Direction   Filter type           IP network address   Subnet mask
Input       Destination network   222.222.222.0        255.255.255.0
Output      Source network        222.222.222.0        255.255.255.0
These entries match on network address only. The Input entry accepts any packet from the Internet addressed to a DMZ host regardless of its source, so by itself it does not reject an inbound packet that forges a DMZ source address; the Output entry likewise accepts anything sourced from a DMZ address, whatever its destination.
Private networks
A private network (often referred to as an intranet) typically uses the unregistered IP address ranges allocated by RFC 1918 (sometimes called private addresses). These ranges are used by a large number of networks worldwide, on the understanding that the addresses will never be transmitted on any public network. If a company then wishes to connect to the public Internet, a network proxy or Network Address Translator (NAT) converts between the private and public address sets. This is done for security, and because it avoids obtaining public, registered IP addresses and so simplifies administration of the company's network. In such an environment, care should be taken that there is no direct communication between the two networks.
In a simple environment, routing information is not exchanged between the ISP and the private network, so the private network must have a default route (0.0.0.0 / 0.0.0.0) directed at the ISP. A side effect is that any traffic not terminated internally (such as traffic destined for a subnet that has just gone down) is routed to the ISP.
Generally, the public Internet will not route the private IP addresses, and such packets are eventually discarded by one of the ISP's routers. This alone prevents normal communication between the two networks, but it is not a security control: the packets still leave the site, and nothing in this arrangement stops inbound packets that carry RFC 1918 addresses. Add explicit filters on the WAN connection that drop packets with an RFC 1918 source or destination address in either direction, so that private addresses never cross the link.
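The following simulation is an added example and is not Wave code; it models the “drop all except listed” WAN filter described above, using the two entries of the DMZ table, and then shows the private-network case from the next section. The evaluation order (first matching entry decides, no match means drop), the “drop” action, and the anti-spoof and RFC 1918 (bogon) entries are assumptions added here; the page's own table contains only accept entries. Addresses other than the sample DMZ 222.222.222.0/24 are constructed from documentation ranges.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List

# Constructed sample addresses: 222.222.222.0/24 is the page's sample DMZ;
# 198.51.100.0/24 and 203.0.113.0/24 (documentation ranges) stand in for Internet hosts.
ANY = ipaddress.IPv4Network("0.0.0.0/0")
RFC1918 = [ipaddress.IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Rule:
    direction: str                  # "input": arriving from the WAN; "output": leaving toward the WAN
    filter_type: str                # "source" or "destination": which packet address is compared
    network: ipaddress.IPv4Network
    action: str = "accept"          # the page's table only lists accepts; "drop" is an assumed extension


@dataclass(frozen=True)
class Packet:
    direction: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address


def net(address: str, mask: str) -> ipaddress.IPv4Network:
    """Build a network from the 'IP network address' / 'Subnet mask' columns of the table."""
    return ipaddress.IPv4Network((address, mask))


def packet(direction: str, src: str, dst: str) -> Packet:
    return Packet(direction, ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst))


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction != pkt.direction:
        return False
    addr = pkt.src if rule.filter_type == "source" else pkt.dst
    return addr in rule.network


def decide(rules: Iterable[Rule], pkt: Packet) -> str:
    """First matching rule wins; a packet matching no rule is dropped ("drop all except listed")."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "drop"


DMZ = net("222.222.222.0", "255.255.255.0")

# Exactly the two entries of the page's "DMZ network filters" table.
DMZ_RULES: List[Rule] = [
    Rule("input", "destination", DMZ),
    Rule("output", "source", DMZ),
]

# Assumed additions (not in the page's table): drop inbound packets that claim a
# DMZ source address (they can only be spoofed) and drop RFC 1918 addresses in
# either direction so private addresses never cross the WAN link.
ANTI_SPOOF: List[Rule] = [Rule("input", "source", DMZ, "drop")]
BOGON_RULES: List[Rule] = [
    Rule(direction, filter_type, n, "drop")
    for n in RFC1918
    for direction in ("input", "output")
    for filter_type in ("source", "destination")
]
DMZ_HARDENED = ANTI_SPOOF + BOGON_RULES + DMZ_RULES

# The "simple environment" of the private-network section: a default route to the
# ISP and no WAN filtering, modelled here as accept-everything in both directions.
PERMIT_ALL: List[Rule] = [Rule("input", "destination", ANY), Rule("output", "source", ANY)]
PRIVATE_FILTERED = BOGON_RULES + PERMIT_ALL

# Constructed test packets.
INBOUND_TO_DMZ = packet("input", "198.51.100.7", "222.222.222.10")
OUTBOUND_FROM_DMZ = packet("output", "222.222.222.10", "198.51.100.7")
INBOUND_TO_OTHER = packet("input", "198.51.100.7", "203.0.113.5")
SPOOFED_DMZ_SOURCE = packet("input", "222.222.222.99", "222.222.222.10")
PRIVATE_LEAK = packet("output", "192.168.1.5", "198.51.100.7")


if __name__ == "__main__":
    for name, rules in (("table", DMZ_RULES), ("hardened", DMZ_HARDENED)):
        for pkt in (INBOUND_TO_DMZ, OUTBOUND_FROM_DMZ, INBOUND_TO_OTHER, SPOOFED_DMZ_SOURCE):
            print(f"{name:9} {pkt.direction:6} {pkt.src} -> {pkt.dst}: {decide(rules, pkt)}")
    print("unfiltered private leak:", decide(PERMIT_ALL, PRIVATE_LEAK))
    print("filtered private leak:  ", decide(PRIVATE_FILTERED, PRIVATE_LEAK))
```

Running it shows the table alone accepting the spoofed packet (it is addressed to the DMZ, so the Input entry matches) and the unfiltered private network forwarding a 192.168.1.5-sourced packet toward the ISP; the assumed anti-spoof and RFC 1918 entries drop both at the edge instead of relying on the ISP to discard them.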
Release 2.0
September 2010