

Defining Static Filters


This chapter contains:
Introduction to Ascend filters
Overview of filter profiles
Filtering inbound and outbound packets
Sample filters

Introduction to Ascend filters

A packet filter contains rules that specify what the MAX does when it encounters different types of packets. When you specify a packet filter in a RADIUS user profile, the MAX monitors the data stream associated with that profile and takes a specified action when packet contents match the filter rules. Each filter specification either forwards or drops packets. You can apply a filter to inbound packets, outbound packets, or both. In addition, you can specify that the MAX forward or drop those packets that match the rules, or all packets except those that match the rules.

You can set up three types of packet filters on a per-user basis: generic filters, IP filters, and IPX filters. Each type is described later in this chapter.

How packet filters work

You can specify several filters in a RADIUS user profile. Filter entries apply on a first-match basis, so the order in which you specify them is significant. When you define a filter in a RADIUS user profile, it applies to data the user sends or receives. If you change a filter, or a filter reference in a RADIUS user profile, the change does not take effect until a call uses that profile.

A match occurs at the first successful comparison between a filter and the packet being examined. When a comparison succeeds, the filtering process stops and the MAX applies the forward or drop action to the packet.

If no comparison succeeds, the packet does not match the filter, and the MAX drops it. When no filter is in use, the MAX forwards all packets; once you apply a filter to a connection, this default is reversed. For security purposes, the MAX does not automatically forward non-matching packets: a packet passes only if a rule explicitly allows it.

In a generic filter, all settings work together to specify a location in a packet and a number that the MAX compares to the value in that location. In an IP filter, the MAX makes a set of distinct tests in order for each filter entry. If any test fails, the entry does not match and the packet goes on to the next entry. If all tests pass, the entry matches, the filtering process stops, and the MAX applies the entry's forward or drop action to the packet. The IP filter tests proceed in the following order:

  1. Compare the source address specified by the filter to the source address of the packet. If they are not equal, the comparison fails.

  2. Compare the destination address specified by the filter to the destination address in the packet. If they are not equal, the comparison fails.

  3. If the protocol specified by the filter is zero (which matches any protocol), the comparison succeeds. If it is non-zero and not equal to the protocol field in the packet, the comparison fails.

  4. Compare the packet's source port with the Src Port # value, using the comparison that Src Port Cmp specifies. If that test fails, the comparison fails.

  5. Compare the packet's destination port with the Dst Port # value, using the comparison that Dst Port Cmp specifies. If that test fails, the comparison fails.

  6. If the filter specifies TCP Estab=Yes, the comparison succeeds only if the packet belongs to a TCP session that is already established.

Packets can pass through more than one filter. If both a data filter and a call filter apply to an interface, the MAX applies the data filter first. For complete information about how filters work, see the chapter on using filters in the MAX ISP and Telecommuting Configuration Guide.

You can also set up filters on the MAX or define firewalls in SAM, and then specify those filters or firewalls in a RADIUS user profile. When the connection is made the RADIUS user profile determines which filters are used for the connection. For more information, see the MAX RADIUS Configuration Guide, or your SAM documentation.


Note: This chapter describes how to set up and use data filters only. For information on how to configure call filters, see the MAX ISP and Telecommuting Configuration Guide. For information about IPX SAP filters, which affect which NetWare services the MAX adds to its service table, see the MAX ISP and Telecommuting Configuration Guide.

Data filters for dropping or forwarding certain packets

A data filter defines which packets the MAX can transmit on a connection. Many sites use data filters for security purposes, but you can apply data filters to any purpose that requires the MAX to drop or forward only specific packets. For example, you can use data filters to drop packets addressed to particular hosts or to prevent broadcasts from going across the WAN. You can also use data filters to allow users to access only specific devices across the WAN.

When you apply a data filter, its forward or drop action affects the actual data stream by preventing certain packets from reaching the Ethernet from the WAN, or vice versa (Figure 4-1).

Figure 4-1. Data filters can drop or forward certain packets

Data filters do not affect the idle timer, and a data filter applied to a RADIUS user profile does not affect the answering process.

Overview of filter profiles

Figure 4-2 shows how filters are organized and the terminology used to describe each part of a filter.

Figure 4-2. Filter terminology

Filtering inbound and outbound packets

To set up filters, you must complete the following tasks:

The sections that follow describe how to perform each task.

Specifying and activating an input or output filter

To begin setting up filters for inbound and outbound packets, follow these steps:

  1. Open the Filters menu.

  2. Open a Filter profile.

  3. For the Name parameter, specify a descriptive name for the profile. For example,

  4. Open the Input Filters or Output Filters submenu.

    When you select Input Filters, the following menu appears:

    You can specify up to 12 input filters and 12 output filters in a Filter profile. The MAX applies these filters in the order in which they appear; a filter must be activated for the MAX to apply it. Input filters cause the MAX to examine incoming packets. Output filters cause the MAX to examine outgoing packets.

    If the MAX applies the filter as a data filter on Ethernet, it affects packets from the Ethernet into the MAX or from the MAX out to the Ethernet. If the MAX applies a data filter on a WAN interface defined in a Connection profile, the filter affects packets from that WAN interface into the MAX or from the MAX out to that interface.

    Once a Filter profile is applied, a packet that matches none of the filters defined for its direction is dropped, as described in Introduction to Ascend filters, so include an entry that explicitly forwards whatever you intend to let through. A direction with no filters defined keeps the default of forwarding everything: if you define only input filters, all outgoing packets are forwarded, and if you define only output filters, all incoming packets are forwarded.

  5. Select an In filter or an Out filter to configure.

    When you open an "In filter," a menu like this one appears:

    For example, when you open an Out filter, the following menu appears:

  6. To activate the filter, set Valid=Yes.

    To be able to apply the filter, you must activate it.

  7. Define the filter type: Generic, IP, or IPX.

Defining generic filter conditions

If the Type=Generic, you can define generic filter conditions. Table 4-1 shows the parameters you can set.

Table 4-1. Generic filter conditions

Location:
  Ethernet>Filters>Any Filter profile>Input filters>01 to 12>Generic
  Ethernet>Filters>Any Filter profile>Output filters>01 to 12>Generic

Parameters with sample values:
  Forward=No
  Offset=14
  Length=8
  Mask=ffffffffffffffff
  Value=aaaa0300000080f3
  Compare=Equals
  More=No

In this sample, the 8 bytes at Offset=14 (immediately after the 14-byte Ethernet header) are the 802.2 LLC/SNAP header. The value aa aa 03 00 00 00 80 f3 identifies a frame carrying AppleTalk ARP (protocol type 80f3), so Forward=No drops AppleTalk ARP frames. Note that Mask and Value must each be exactly Length bytes, that is, 16 hexadecimal digits here.

To specify generic filter conditions, follow these steps:

  1. Set the Forward parameter.

    The Forward setting determines which packets the MAX transmits and receives.

    When you set Forward=Yes, the MAX forwards a packet if it meets the filter definition. When you set Forward=No, the MAX drops a packet it if meets the filter definition.

  2. Set the Length, Offset, Mask, and Value parameters.

    The Offset parameter specifies the position, counted in bytes from the start of the packet, at which the comparison starts; the Length parameter specifies how many bytes from that position the MAX compares. Bytes before the Offset, and bytes beyond Offset plus Length, are ignored. In other words, the Offset parameter hides the left-most bytes of data, while the Length parameter hides the right-most bytes of data.

    The Mask value consists of the same number of bytes as the Length parameter. A mask hides the bits that correspond to binary zeroes in the mask; for example, if Mask=ffff0000 in hexadecimal format, the MAX uses only the first 16 bits of the 32-bit field in the comparison, because each f is 1111 in binary. The MAX applies the Mask to the packet bytes with a logical AND before comparing them to the setting of the Value parameter.

  3. Set the Compare parameter.

    This parameter specifies how the MAX compares a packet's contents to the Value specified in the filter. After applying the Offset, Mask, and Length values to reach the appropriate location in a packet, the MAX compares the contents of that location to the Value parameter.

  4. Set the More parameter.

    This parameter specifies whether the current filter is linked to the one immediately following it. If More=Yes, the MAX can examine multiple non-contiguous bytes within a packet by "marrying" the current filter to the next one. The MAX applies the next filter before deciding whether to forward or drop the packet, and the match occurs only if both sets of non-contiguous bytes contain the specified values. If More=No, the MAX decides whether to forward or drop the packet on the basis of the present filter alone.
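To make the interaction of Offset, Length, Mask, Value, Compare and More concrete, the following evaluator is an added example written for this page; it is not Ascend firmware or code from the original manual. It models one In or Out filter list with the first-match and drop-by-default rules the chapter describes, using the Table 4-1 entry (which drops 802.2/SNAP frames carrying AppleTalk ARP, type 80f3), the same test split across two married entries over non-contiguous bytes, and a catch-all entry that forwards everything else. The frames are constructed, not captures; the rule that the first entry of a married group supplies the Forward action is an assumption of this example.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class GenericFilter:
    """One Type=Generic entry of an Input or Output filter list."""
    forward: bool            # Forward=Yes (True) or Forward=No (False)
    offset: int              # Offset: byte position where the comparison starts
    length: int              # Length: number of bytes compared
    mask: str                # Mask: hex string of Length bytes, ANDed with the packet bytes
    value: str               # Value: hex string of Length bytes to compare against
    compare: str = "Equals"  # Compare=Equals or NotEquals
    more: bool = False       # More=Yes marries this entry to the next one


def entry_matches(f: GenericFilter, frame: bytes) -> bool:
    """Apply Offset, Length, Mask, Value and Compare of one entry to a frame."""
    mask, wanted = bytes.fromhex(f.mask), bytes.fromhex(f.value)
    if len(mask) != f.length or len(wanted) != f.length:
        raise ValueError("Mask and Value must each be exactly Length bytes")
    window = frame[f.offset:f.offset + f.length]
    if len(window) < f.length:
        return False  # assumption: a frame too short to hold the field never matches
    equal = (bytes(b & m for b, m in zip(window, mask))
             == bytes(v & m for v, m in zip(wanted, mask)))
    return equal if f.compare == "Equals" else not equal


def run_generic_filters(entries: List[GenericFilter], frame: bytes) -> bool:
    """Evaluate a filter list on a first-match basis; True means forward, False drop.

    Entries with More=Yes form a group with the following entry, and the group
    matches only if every member matches. Assumption: the Forward setting of the
    group's first entry decides the action. If nothing matches, the frame is
    dropped, because applying a filter reverses the forward-by-default rule.
    """
    i = 0
    while i < len(entries):
        first = i
        matched = True
        while True:
            matched = matched and entry_matches(entries[i], frame)
            if not entries[i].more or i + 1 == len(entries):
                break
            i += 1
        if matched:
            return entries[first].forward
        i += 1
    return False


# Constructed frames (not captures): 6-byte destination MAC, 6-byte source MAC,
# 2-byte length/type field, so the payload starts at Offset=14.
MAC_HDR = bytes.fromhex("ffffffffffff" "00c0b1a2b3c4")
AARP_FRAME = MAC_HDR + bytes.fromhex("0024") + bytes.fromhex("aaaa0300000080f3") + bytes(28)
SNAP_IP_FRAME = MAC_HDR + bytes.fromhex("0024") + bytes.fromhex("aaaa030000000800") + bytes(28)
IP_FRAME = MAC_HDR + bytes.fromhex("0800") + bytes.fromhex("45000054") + bytes(32)

# The Table 4-1 entry: drop frames whose 8-byte LLC/SNAP header says AppleTalk ARP.
DROP_AARP = GenericFilter(forward=False, offset=14, length=8,
                          mask="ffffffffffffffff", value="aaaa0300000080f3")
# The same test as two married entries over non-contiguous bytes: the LLC/SNAP
# prefix at offset 14 and the protocol type at offset 20; OUI bytes 17 to 19 are skipped.
DROP_AARP_LINKED = [
    GenericFilter(forward=False, offset=14, length=3, mask="ffffff", value="aaaa03", more=True),
    GenericFilter(forward=False, offset=20, length=2, mask="ffff", value="80f3"),
]
# Catch-all that forwards everything else: with Mask=00 every byte compares equal.
FORWARD_REST = GenericFilter(forward=True, offset=0, length=1, mask="00", value="00")


def decisions(entries: List[GenericFilter]) -> dict:
    """Run one filter list over the three sample frames; True = forward, False = drop."""
    return {"aarp": run_generic_filters(entries, AARP_FRAME),
            "snap_ip": run_generic_filters(entries, SNAP_IP_FRAME),
            "ip": run_generic_filters(entries, IP_FRAME)}


if __name__ == "__main__":
    print("drop entry only:    ", decisions([DROP_AARP]))  # everything dropped
    print("drop + catch-all:   ", decisions([DROP_AARP, FORWARD_REST]))
    print("married + catch-all:", decisions(DROP_AARP_LINKED + [FORWARD_REST]))
```

The first run shows the caveat from the chapter: a list containing only the drop entry drops the IP frames too, because nothing explicitly forwards them. The second and third runs forward the SNAP-encapsulated IP frame even though its first three bytes match the married prefix entry, since the married group only matches when both entries match.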

Defining IP filter conditions

If Type=IP, you can define filter conditions relevant only to TCP, IP, and UDP data packets, including bridged packets.

An IP filter can examine source address, destination address, and IP protocol type and port. Table 4-2 shows the filter conditions you can specify in an IP filter.

Table 4-2. IP filter conditions

Location:
  Ethernet>Filters>Any Filter profile>Input filters>01 to 12>Ip
  Ethernet>Filters>Any Filter profile>Output filters>01 to 12>Ip

Parameters with sample values:
  Forward=Yes
  Src Mask=255.255.255.192
  Src Adrs=192.100.40.128
  Dst Mask=0.0.0.0
  Dst Adrs=0.0.0.0
  Protocol=0
  Src Port Cmp=None
  Src Port #=N/A
  Dst Port Cmp=None
  Dst Port #=N/A
  TCP Estab=N/A

To specify IP filter conditions, follow these steps:

  1. Set the Forward parameter.

    The Forward setting determines which packets the MAX transmits and receives.

    When you set Forward=Yes, the MAX forwards a packet if it meets the filter definition. When you set Forward=No, the MAX drops a packet it if meets the filter definition.

  2. Set the Src Adrs parameter.

    This parameter specifies the address to which the MAX compares a packet's source address. Enter the address in dotted decimal format. The null address (0.0.0.0) is the default. If you accept the default, the MAX does not use the source address as a filtering criterion.

  3. Set the Src Mask parameter.

    This parameter specifies the bits the MAX should mask when comparing a packet's source address to the value of the Src Adrs parameter. A mask hides the part of a number that appears behind each binary 0 (zero) in the mask; the MAX uses only the part of a number that appears behind each binary 1 for comparison. The MAX applies the mask to the address using a logical AND after both mask and address are translated into binary format.

    The value 0 (zero) hides all bits, because the decimal value 0 is the binary value 00000000; the value 255 does not mask any bits, because the decimal value 255 is the binary value 11111111. The null address (0.0.0.0) is the default; this setting indicates that the MAX masks all bits.

    To specify a single source address, set Src Mask=255.255.255.255 and set Src Adrs to the IP address that the MAX uses for comparison.

  4. Set the Dst Adrs parameter.

    This parameter specifies the address to which the MAX compares a packet's destination address. Enter the address in dotted decimal format. The null address (0.0.0.0) is the default. If you accept the default, the MAX does not use the destination address as a filtering criterion.

  5. Set the Dst Mask parameter.

    This parameter specifies the bits the MAX should mask when comparing a packet's destination address to the value of the Dst Adrs parameter.

  6. Set the Protocol parameter.

    This parameter identifies a specific IP protocol number; for example, 6 specifies a TCP packet, 17 a UDP packet, and 1 an ICMP packet. Protocol numbers are not limited to these. For a complete list, see the Protocol Numbers section in RFC 1700, Assigned Numbers, by Reynolds, J. and Postel, J., October 1994.

  7. Set the Src Port # parameter.

    This parameter specifies the port number to which the MAX compares the packet's source port number. The Src Port Cmp criterion determines how the MAX carries out the comparison.

    You can enter a number between 0 and 65535. The default setting is 0 (zero). If you accept the default, the MAX does not use the source port number as a filtering criterion.

  8. Set the Src Port Cmp parameter

    This parameter specifies the type of comparison the MAX makes when using the Src Port # parameter. You can specify one of these settings:

    This parameter works only for TCP and UDP packets. You must set Src Port Cmp=None if the Protocol parameter is not set to 6 (TCP) or 17 (UDP).

  9. Set the Dst Port # parameter.

    This parameter specifies the port number to which the MAX compares the packet's destination port number. The Dst Port Cmp criterion determines how the MAX carries out the comparison.

    You can enter a number between 0 and 65535. The default setting is 0 (zero). If you accept the default, the MAX does not use the destination port number as a filtering criterion.

  10. Set the Dst Port Cmp parameter.

    This parameter specifies the type of comparison the MAX makes when using the Dst Port # parameter. You can specify any of the settings available for Src Port Cmp (as described in step 8).

    The Dst Port Cmp parameter works only for TCP and UDP packets. You must set Dst Port Cmp=None if the Protocol parameter is not set to 6 (TCP) or 17 (UDP).

  11. Set the TCP Estab parameter.

    This parameter specifies whether the filter should match only established TCP connections. You can specify one of these settings:

    No is the default.

    The TCP Estab parameter does not apply if the Protocol field is set to any value other than 6 (TCP).

Defining IPX filter conditions

If Type=IPX, you can define filter conditions relevant to IPX packets and bridged packets.

An IPX filter can examine network address, node address, and socket number. Table 4-3 shows the filter conditions you can specify in an IPX filter.

Table 4-3. IPX filter conditions

Location:
  Ethernet>Filters>Any Filter profile>Input filters>01 to 12>Ipx
  Ethernet>Filters>Any Filter profile>Output filters>01 to 12>Ipx

Parameters with sample values:
  Forward=Yes
  Src Network Adrs=aaaa1234
  Dst Network Adrs=bc34aa56
  Src Node Adrs=111111111111
  Dst Node Adrs=000000000000
  Src Socket #=0451
  Src Socket Cmp=Eql
  Dst Socket #=N/A
  Dst Socket Cmp=None

To specify IPX filter conditions, follow any or all of these steps:

  1. Set the Forward parameter.

    Determines which packets the MAX transmits and receives.

    When you set Forward=Yes, the MAX forwards a packet if it meets the filter definition. When you set Forward=No, the MAX drops a packet it if meets the filter definition.

  2. Set Src Network Adrs.

    Specifies the address to which the MAX compares a packet's source network address. Enter the 4-byte address in hexadecimal format. The null address (00000000) is the default. If you accept the default, the MAX does not use the source network address as a filtering criterion.

  3. Set Dst Network Adrs.

    Specifies the address to which the MAX compares a packet's destination network address. Enter the 4-byte address in hexadecimal format. The null address (00000000) is the default. If you accept the default, the MAX does not use the destination network address as a filtering criterion.

  4. Set Src Node Adrs.

    Specifies the node address to which the MAX compares a packet's source node address. Enter the address in hexadecimal. The null address (000000000000) is the default. If you accept the default, the MAX does not use the source node address as a filtering criterion.

  5. Set Dst Node Adrs.

    Specifies the node address to which the MAX compares a packet's destination node address. Enter the 6-byte address in hexadecimal. The null address (000000000000) is the default. If you accept the default, the MAX does not use the destination node address as a filtering criterion.

  6. Set the Src Socket # parameter.

    This parameter identifies a specific IPX socket. For example, 0451 is the socket used for NetWare file services.

  7. Set the Src Socket Cmp parameter.

    This parameter specifies the type of comparison the MAX makes when using the Src Socket # parameter.

  8. Set the Dst Socket # parameter.

    This parameter identifies a specific IPX socket. For example, 0451 is the socket used for NetWare file services.

  9. Set the Dst Socket Cmp parameter.

    This parameter specifies the type of comparison the MAX makes when using the Dst Socket # parameter.

Specifying a data filter in a profile

Using the Data Filter parameter, you can specify a data filter in an Answer profile, a Connection profile, or an Ethernet profile. Keep this information in mind:

Specifying a data filter for the WAN interface

To define which packets can cross the WAN interface, follow these steps:

  1. Open a Connection profile (under Ethernet > Connections) or the Ethernet > Answer menu.

  2. Open the Session Options menu.

  3. Using the Data Filter parameter, specify a data filter.

    When you set Data Filter to 0 (zero), the MAX forwards all data packets.

    The MAX applies a call filter after applying a data filter; only those packets that the data filter forwards can reach the call filter. If IPX client bridging is in use (Handle IPX=Client), set the Data Filter parameter to 0 (zero).

  4. Close the Connection profile or Answer profile, saving your changes.

A filter applied to a Connection or Answer profile takes effect only when the connection goes from an offline state to a call-placed state.

Specifying a data filter for the local Ethernet interface

To define which packets can cross the local Ethernet interface, follow these steps:

  1. Open the Ethernet > Mod Config > Ether Options menu.

  2. Using the Filter parameter, specify a data filter.

    When you set Filter to 0 (zero), the MAX forwards all data packets.

    The MAX applies a call filter after applying a data filter; only those packets that the data filter forwards can reach the call filter. If IPX client bridging is in use (Handle IPX=Client), set the Filter parameter to 0 (zero).

  3. Save your changes.

A filter applied to the Ethernet interface takes effect immediately. If you change the Filter profile definition, the new filters apply as soon as you save the Filter profile.

Sample filters

This section provides step-by-step examples of creating Filter profiles and defining IP filters for network security purposes.

A sample IP filter to prevent address spoofing

IP address spoofing is a technique in which outside users pretend to be from the local network in order to obtain unauthorized access. This section shows how to define an IP data filter whose purpose is to prevent spoofing of local IP addresses. You can also use Password profiles to prevent IP address spoofing; for details, see Using Name/Password profiles to prevent IP address spoofing.

In this example, the filter first defines input filters that drop packets whose source address is on the local IP network or the loopback address (127.0.0.0). In effect, these filters say: "If you see an inbound packet with one of these source addresses, drop the packet." The third input filter defines every other source address (0.0.0.0) and specifies "Forward everything else to the local network."

The data filter then defines an output filter that specifies: "If an outbound packet has a source address on the local network, forward it; otherwise, drop it." The MAX drops all outbound packets with a non-local source address.

This example assumes a local IP network address of 192.100.50.128, with a subnet mask of 255.255.255.192. Of course, you use your own local IP address and netmask when defining a Filter profile.

To define an IP data filter to prevent address spoofing, follow these steps:

  1. Select an unnamed Filter profile in the Filters menu, and press Enter.

    For example, select 50-404.

  2. Assign a name to the Filter profile.

    For example:

  3. Open the Input Filters submenu

  4. Open In filter 01.

  5. Set Valid=Yes and Type=IP.

  6. Open the IP submenu and specify the following conditions:

    The Src Mask parameter specifies the local netmask, and the Src Adrs parameter specifies the local IP address. If an incoming packet has a local source address, the MAX does not forward it onto the Ethernet.

  7. Close In filter 01, and then open In filter 02.

  8. Set Valid=Yes and Type=IP.

  9. Open the IP submenu and specify the following conditions:

    These conditions specify the loopback address in the Src Mask and Src Adrs fields. If an incoming packet has this address, the MAX does not forward it onto the Ethernet.

  10. Close In filter 02, and then open In filter 03.

  11. Set Valid=Yes and Type=IP.

  12. Open the IP submenu and specify the following conditions:

    These conditions specify every other source address (Src Adrs=0.0.0.0 with Src Mask=0.0.0.0) and Forward=Yes. If an incoming packet has any non-local source address, the MAX forwards it onto the Ethernet. Without this third entry, every inbound packet that matched neither of the drop entries would be dropped as well.

  13. Close In filter 03, and then return to the top level of the "no spoofing" Filter profile.

  14. Open the Output Filters submenu, and select Out filter 01.

  15. Set Valid=Yes and Type=IP.

  16. Open the IP submenu and specify the following conditions:

    The Src Mask parameter specifies the local netmask, and the Src Adrs parameter specifies the local IP address. If an outgoing packet has a local source address, the MAX forwards it; because no other output filter is defined, all other outgoing packets are dropped.

  17. Close the Filter profile.
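The following evaluator is an added example for this page, not Ascend code. It implements the ordered source, destination, protocol, port and TCP Estab tests described in How packet filters work, the first-match rule across a filter list, the drop-by-default behaviour once a filter is applied, and the configuration checks on Src/Dst Port Cmp and TCP Estab from Defining IP filter conditions, then replays the "no spoofing" Filter profile defined above. The packets are constructed; the loopback netmask 255.0.0.0, the keyword spellings Eql/Neq/Less/Gtr for the Port Cmp settings, and the meaning of "established" (a TCP packet past the opening SYN) are assumptions, not taken from the page.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List


@dataclass
class Packet:
    """Fields of one IP packet that the filter tests look at (constructed input)."""
    src: str
    dst: str
    protocol: int = 6           # 6 = TCP, 17 = UDP, 1 = ICMP
    src_port: int = 0
    dst_port: int = 0
    established: bool = False   # assumption: True once the TCP handshake is past the SYN


@dataclass
class IpFilter:
    """One Type=IP entry. Defaults mirror the menu defaults: 0.0.0.0 means
    'not a criterion', Protocol=0 matches any protocol, Port Cmp=None."""
    forward: bool
    src_adrs: str = "0.0.0.0"
    src_mask: str = "0.0.0.0"
    dst_adrs: str = "0.0.0.0"
    dst_mask: str = "0.0.0.0"
    protocol: int = 0
    src_port_cmp: str = "None"  # None, Eql, Neq, Less, Gtr (assumed spellings)
    src_port: int = 0
    dst_port_cmp: str = "None"
    dst_port: int = 0
    tcp_estab: bool = False


def validate(f: IpFilter) -> None:
    """Reject combinations the chapter says are invalid before they are applied."""
    if (f.src_port_cmp != "None" or f.dst_port_cmp != "None") and f.protocol not in (6, 17):
        raise ValueError("port comparisons require Protocol=6 (TCP) or 17 (UDP)")
    if f.tcp_estab and f.protocol != 6:
        raise ValueError("TCP Estab=Yes requires Protocol=6 (TCP)")


def masked_equal(packet_addr: str, filter_addr: str, mask: str) -> bool:
    """Logical AND of the mask with both addresses; Mask=0.0.0.0 hides every bit."""
    m = int(IPv4Address(mask))
    return int(IPv4Address(packet_addr)) & m == int(IPv4Address(filter_addr)) & m


def port_test(cmp: str, packet_port: int, filter_port: int) -> bool:
    tests = {"None": lambda: True,
             "Eql": lambda: packet_port == filter_port,
             "Neq": lambda: packet_port != filter_port,
             "Less": lambda: packet_port < filter_port,
             "Gtr": lambda: packet_port > filter_port}
    return tests[cmp]()


def entry_matches(f: IpFilter, p: Packet) -> bool:
    """Tests 1 to 6 in the documented order; the first failing test fails the entry."""
    if not masked_equal(p.src, f.src_adrs, f.src_mask):
        return False
    if not masked_equal(p.dst, f.dst_adrs, f.dst_mask):
        return False
    if f.protocol != 0 and f.protocol != p.protocol:
        return False
    if not port_test(f.src_port_cmp, p.src_port, f.src_port):
        return False
    if not port_test(f.dst_port_cmp, p.dst_port, f.dst_port):
        return False
    if f.tcp_estab and not (p.protocol == 6 and p.established):
        return False
    return True


def run_ip_filters(entries: List[IpFilter], p: Packet) -> bool:
    """First match wins and its Forward setting decides; no match means drop."""
    for f in entries:
        validate(f)
        if entry_matches(f, p):
            return f.forward
    return False


# The "no spoofing" profile from the example above: local network 192.100.50.128
# with netmask 255.255.255.192. The loopback mask 255.0.0.0 is an assumption;
# the chapter gives only the address 127.0.0.0.
LOCAL_ADRS, LOCAL_MASK = "192.100.50.128", "255.255.255.192"
NO_SPOOF_IN = [
    IpFilter(forward=False, src_adrs=LOCAL_ADRS, src_mask=LOCAL_MASK),    # In filter 01
    IpFilter(forward=False, src_adrs="127.0.0.0", src_mask="255.0.0.0"),  # In filter 02
    IpFilter(forward=True),                                               # In filter 03: everything else
]
NO_SPOOF_OUT = [
    IpFilter(forward=True, src_adrs=LOCAL_ADRS, src_mask=LOCAL_MASK),     # Out filter 01; rest dropped
]

# Constructed packets: a WAN packet forged with a local source address, a legitimate
# reply from an Internet web server, and an outbound packet from a non-local host.
SPOOFED = Packet(src="192.100.50.130", dst="192.100.50.140", dst_port=23)
LEGIT_REPLY = Packet(src="10.20.30.40", dst="192.100.50.140", src_port=80, dst_port=1025, established=True)
LEAKING = Packet(src="10.0.0.7", dst="10.20.30.40")

if __name__ == "__main__":
    print("spoofed inbound:  ", run_ip_filters(NO_SPOOF_IN, SPOOFED))       # False (dropped)
    print("legit inbound:    ", run_ip_filters(NO_SPOOF_IN, LEGIT_REPLY))   # True
    print("leaking outbound: ", run_ip_filters(NO_SPOOF_OUT, LEAKING))      # False
```

Reversing the order of NO_SPOOF_IN puts the "forward everything else" entry first, and the spoofed packet is then forwarded before the drop entries are ever consulted; this is the first-match property the chapter warns about. The validate step mirrors the rule that Src Port Cmp, Dst Port Cmp and TCP Estab are only meaningful with Protocol=6 or 17.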

A sample IP filter for more complex security issues

This section illustrates some of the issues you may need to consider when writing your own IP filters. The sample filter presented here does not address the fine points of network security. You may want to use this sample filter as a starting point and augment it to address your security requirements.

In this example, the local network supports a Web server and the administrator needs to carry out these tasks:

However, many local IP hosts need to dial out to the Internet and use IP-based applications such as Telnet or FTP; therefore, their response packets need to be directed appropriately to the originating host. In this example, the Web server's IP address is 192.9.250.5.

The sample data filter appears in Connection profiles. Each input filter is defined in this way:




techpubs@eng.ascend.com

Copyright © 1998, Ascend Communications, Inc. All rights reserved.