ADTRAN Stub Routing Specifications Page 191
Command Reference Guide Global Configuration Mode Command Set
61950860L1-35D © 2003 ADTRAN, Inc. 191
Functional Notes
This command enables firewall processing for all interfaces with a configured policy class. Firewall processing consists of the following functions:
1. Attack Protection: Detects and discards traffic that matches profiles of known networking exploits or attacks.
2. Session Initiation Control: Allows only sessions that match traffic patterns permitted by access-control policies to be initiated through the router.
3. Ongoing Session Monitoring and Processing: Each session that has been allowed through the router is monitored for any irregularities that match patterns of known attacks or exploits. This traffic will be dropped. Also, if NAT is configured, the firewall modifies all traffic associated with the session according to the translation rules defined in NAT access-policies. Finally, if sessions are inactive for a user-specified amount of time, the session will be closed by the firewall.
4. Application Specific Processing: Certain applications need special handling to work correctly in the presence of a firewall. ADTRAN OS uses ALGs (application-level gateways) for these applications.
The ADTRAN OS includes several security features to provide controlled access to your network. The following features are available when security is enabled (using the ip firewall command):
1. Stateful Inspection Firewall
The ADTRAN OS (and your unit) act as an application-level gateway and employ a stateful inspection firewall that protects an organization's network from common cyber attacks including TCP SYN flooding, IP spoofing, ICMP redirect, land attacks, ping-of-death, and IP reassembly problems. In addition, further security is added with use of Network Address Translation (NAT) and Port Address Translation (PAT) capability.
2. Access Policies (ACPs)
ADTRAN OS access control policies are used to allow, discard, or manipulate (using NAT) data for each physical interface. Each ACP consists of a selector (access list) and an action (allow, discard, NAT). When packets are received on an interface, the configured ACPs are applied to determine whether the data will be processed or discarded.
3. Access Lists (ACLs)
Access control lists are used as packet selectors by ACPs; by themselves they do nothing. ACLs are composed of an ordered list of entries. Each entry contains two parts: an action (permit or deny) and a packet pattern. A permit ACL is used to permit packets (meeting the specified pattern) to enter the router system. A deny ACL is used to block entry to the network for specified criteria. The ADTRAN OS provides two types of ACLs: standard and extended. Standard ACLs allow source IP address packet patterns only. Extended ACLs may specify patterns using most fields in the IP header and the TCP or UDP header.
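To make the selector/action split concrete, here is an added Python model (not ADTRAN code and not from this manual) of how an ordered ACL selects packets and an ACP maps that selection to allow, discard or NAT. The first-match rule, the treatment of a deny entry as "not selected", and the implicit discard when no ACP rule selects a packet are assumptions of this model; all addresses are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

@dataclass
class Entry:
    """One ACL entry: an action plus a packet pattern. A standard ACL entry
    uses only src; an extended entry may also match proto, dst and dport."""
    action: str                    # "permit" or "deny"
    src: str                       # source network, e.g. "10.1.0.0/16"
    proto: str = "any"             # "tcp", "udp", "icmp" or "any"
    dst: str = "0.0.0.0/0"         # destination network
    dport: Optional[int] = None    # destination port, None = any
    def matches(self, pkt: dict) -> bool:
        if ip_address(pkt["src"]) not in ip_network(self.src):
            return False
        if self.proto != "any" and pkt["proto"] != self.proto:
            return False
        if ip_address(pkt["dst"]) not in ip_network(self.dst):
            return False
        return self.dport is None or pkt.get("dport") == self.dport

@dataclass
class ACL:
    """Ordered selector. First matching entry decides: permit selects the
    packet, deny leaves it unselected. No match = not selected (assumed)."""
    entries: List[Entry]
    def selects(self, pkt: dict) -> bool:
        for e in self.entries:
            if e.matches(pkt):
                return e.action == "permit"
        return False

@dataclass
class ACP:
    """Ordered (ACL, action) pairs; the first ACL that selects the packet
    supplies the action. Unselected packets are discarded (assumption)."""
    rules: List[Tuple[ACL, str]]
    def decide(self, pkt: dict) -> str:
        for acl, action in self.rules:
            if acl.selects(pkt):
                return action
        return "discard"

# Constructed sample policy for a public-facing interface (hypothetical).
BAD_HOST = ACL([Entry("permit", "198.51.100.7/32")])          # standard ACL
WEB_IN = ACL([Entry("deny", "198.51.100.0/24"),                # extended ACL
              Entry("permit", "0.0.0.0/0", "tcp", "192.0.2.10/32", 80)])
PUBLIC = ACP([(BAD_HOST, "discard"), (WEB_IN, "allow")])
```

Note that the deny entry in WEB_IN does not discard anything on its own: it only stops that ACL from selecting the packet, and the ACP then decides what happens.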
Usage Examples
The following example enables the ADTRAN OS security features:
(config)#ip firewall