Rules

Despite theoretical issues surrounding packet filtering, the primary point of failure for modern firewall systems is misconfiguration, especially by inexperienced administrative staff. WinRoute makes configuration of filters simple, yet flexible enough that even novice network administrators can implement a secure configuration with a little knowledge of TCP/IP and a few mouse clicks, as illustrated in the following screen capture.

[Screen capture: packetfilter]

Filter rules may be applied on a per-interface basis to all of the following entities:

Filters can also be set for both incoming and outgoing traffic.

These capabilities allow granular tailoring of access rules to the security needs of almost any organization. For example, a group of Web developers could be granted access to specific external resources such as anonymous FTP staging servers, or a specified list of internal addresses can be designated accessible to external partner networks for drop-off of electronic files. The inbound/outbound configuration allows protection from malicious "inside-out" attacks such as Back Orifice (BO) or distributed denial of service (DDoS) servlets that attempt to communicate over unreliable protocols back out through the firewall with external attackers.

Rules can Permit, Drop, or Deny the specified traffic. The "Drop" action gives away the least information about the firewall to potential attackers, as it does not send an ICMP Administrative Prohibited Filter or a TCP Reset/Acknowledge response to a TCP SYN packet (the first step in the standard three-way TCP handshake sequence).

Rules may be prioritized to act in a specific, user-defined order upon incoming or outgoing packets. The most popular use of this capability is to add so-called "cleanup rules" to filter lists that block all traffic not specifically allowed by previous rules that have higher priority in the list (for an example of a clean-up rule, see the Sample Basic packet Filter Rule sets, later in this document).
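
The first-match ordering and cleanup rules described above, modelled as an added Python example (it is not WinRoute's own code or configuration format). The Rule fields, function names, addresses and the reply labels used for Deny are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional
@dataclass
class Rule:
    direction: str         # "in" or "out" on the interface
    proto: str             # "tcp", "udp" or "any"
    src: str               # source network, CIDR
    dst: str               # destination network, CIDR
    dport: Optional[int]   # None matches any port
    action: str            # "permit", "drop" or "deny"

ANY = "0.0.0.0/0"

def matches(rule, pkt):
    return (rule.direction == pkt["direction"]
            and rule.proto in ("any", pkt["proto"])
            and ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(rule.dst)
            and rule.dport in (None, pkt["dport"]))

def evaluate(rules, pkt):
    """First matching rule wins; returns (action, index) or (None, None)."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, i
    return None, None

def response_sent(action, proto):
    """Reply the sender sees: only deny answers; drop stays silent."""
    if action != "deny":
        return None
    return "tcp-rst-ack" if proto == "tcp" else "icmp-admin-prohibited"

def missing_cleanup(rules):
    """Directions whose final rule is not a catch-all drop/deny."""
    last = {r.direction: r for r in rules}  # later rules overwrite earlier ones
    def is_cleanup(r):
        return (r.proto == "any" and r.dport is None and r.src == ANY
                and r.dst == ANY and r.action in ("drop", "deny"))
    return sorted(d for d in ("in", "out") if d not in last or not is_cleanup(last[d]))

# Constructed rule set: inbound HTTP, outbound FTP for developers, then cleanup rules.
RULES = [
    Rule("in", "tcp", ANY, "192.0.2.10/32", 80, "permit"),
    Rule("out", "tcp", "10.0.0.0/24", "198.51.100.5/32", 21, "permit"),
    Rule("in", "any", ANY, ANY, None, "drop"),
    Rule("out", "any", ANY, ANY, None, "drop"),
]
```

Calling `missing_cleanup` on a rule list before deploying it flags any direction where unmatched traffic would fall through without an explicit block.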

See also

Firewall - Packet Filtering

Architecture

Protocols

Anti-Spoofing

Sample Basic Packet Filter Rule Sets

Sample basic rules for incoming HTTP and FTP connections