Firewall Tutorial
Design guidelines
Careful thought must go into designing a new filter set. You should consider the following guidelines:
• Be sure the filter set’s overall purpose is clear from the beginning. A vague purpose can
lead to a faulty set, and that can actually make your network less secure.
• Be sure each individual filter’s purpose is clear.
• Determine how filter priority will affect the set’s actions. Test the set (on paper) by determining how the filters would respond to a number of different hypothetical packets, including packets you did not design the set for.
• Consider the combined effect of the filters. If every filter in a set fails to match on a particular packet, the packet is:
• Forwarded if all the filters are configured to discard (not forward)
• Discarded if all the filters are configured to forward
• Discarded if the set contains a combination of forward and discard filters
An approach to using filters
The ultimate goal of network security is to prevent unauthorized access to the network without compromising authorized access. Using filter sets is part of reaching that goal.
Each filter set you design will be based on one of the following approaches:
• That which is not expressly prohibited is permitted.
• That which is not expressly permitted is prohibited.
It is strongly recommended that you take the latter, and safer, approach to all of your filter set designs. A set that only prohibits what its author thought of silently permits everything else, including services added to the network after the set was written.
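The following is an added example, not code from the tutorial or from any router's firmware, that turns the "test the set on paper" guideline and the two design approaches into a small simulator. It assumes first-match semantics in priority order (highest priority first), which the tutorial implies but does not spell out, and applies the stated no-match rule: forwarded only if every filter is a discard filter, otherwise discarded. The filter fields, filter names, addresses and hypothetical packets are all constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """A hypothetical packet for testing a filter set on paper (constructed)."""
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Filter:
    """One filter: match criteria plus the action taken when it matches.
    Any criterion left at its default matches every packet (assumed field set)."""
    name: str
    action: str                # "forward" or "discard"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def default_action(filters: List[Filter]) -> str:
    """Action for a packet that matches no filter, per the tutorial's rule:
    all filters discard -> forward; all forward, or a mix -> discard.
    An empty set is treated as discard (assumption, not stated on the page)."""
    actions = {f.action for f in filters}
    return "forward" if actions == {"discard"} else "discard"


def evaluate(filters: List[Filter], pkt: Packet) -> Tuple[str, str]:
    """Filters are listed in priority order (index 0 = highest); the first
    match decides. Returns (action, name of the deciding filter or 'default')."""
    for f in filters:
        if f.matches(pkt):
            return f.action, f.name
    return default_action(filters), "default"


def paper_test(filters: List[Filter], packets: Dict[str, Packet]) -> Dict[str, Tuple[str, str]]:
    """Run every hypothetical packet through the set and record the outcome."""
    return {name: evaluate(filters, pkt) for name, pkt in packets.items()}


# "Not expressly prohibited is permitted": only discard filters, so the
# no-match rule forwards everything the author did not think to block.
PERMISSIVE = [
    Filter("block-telnet", "discard", proto="tcp", dport=23),
    Filter("block-netbios", "discard", proto="tcp", dport=139),
]

# "Not expressly permitted is prohibited": a short list of forward filters
# followed by a catch-all discard. The catch-all states the intent explicitly
# instead of relying on the no-match rule, which is easy to misjudge.
RESTRICTIVE = [
    Filter("allow-web", "forward", dst="192.0.2.10/32", proto="tcp", dport=80),
    Filter("allow-dns", "forward", dst="192.0.2.53/32", proto="udp", dport=53),
    Filter("deny-all", "discard"),
]

# Constructed hypothetical packets; "ssh" is the case neither author planned for.
PACKETS = {
    "web": Packet("198.51.100.7", "192.0.2.10", "tcp", 80),
    "telnet": Packet("198.51.100.7", "192.0.2.10", "tcp", 23),
    "ssh": Packet("198.51.100.7", "192.0.2.10", "tcp", 22),
    "dns": Packet("198.51.100.7", "192.0.2.53", "udp", 53),
}

if __name__ == "__main__":
    for label, fs in (("permissive", PERMISSIVE), ("restrictive", RESTRICTIVE)):
        print(f"{label} set (no-match action: {default_action(fs)})")
        for name, (action, by) in paper_test(fs, PACKETS).items():
            print(f"  {name:6} -> {action:7} ({by})")
```

The unplanned "ssh" packet is the point of the paper test: the permissive set forwards it by default, while the restrictive set discards it. Note also that dropping the `deny-all` filter from the restrictive set would not change its result under the stated rule (an all-forward set discards on no match), but the moment one discard filter is added to a permissive set, it becomes a mixed set and its no-match action flips from forward to discard; that is exactly the kind of combined effect the guidelines ask you to check.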