HP 9000 Networking: Installing and Administering PPP, Chapter 5: Security Techniques

Static Packet Filtering

We recommend that you establish a security policy before you write a packet filter. A security policy is a statement based on a thorough analysis of access needs, vulnerabilities, and real or perceived threats to your assets. You must identify the types of network traffic associated with these issues before you can create a packet filter that supports your security policy.

The Foundations of Security Policies

In general, all security policies are based on one of two opposing strategies. Both types of policies are supported by PPP filters.

The first strategy permits a few specific services and blocks everything else. If you follow this philosophy, a service will be unavailable if you commit an error of omission. This is a fail-safe, or closed, policy.

The second strategy blocks only specific services and permits everything else. If you begin from this premise, an error of omission may leave you unintentionally vulnerable when a fragile service is not blocked.

If you need aid in developing security policies, or would like more general information about network security and packet filtering, you should begin by reading two books, Firewalls and Internet Security by Bill Cheswick and Steve Bellovin and Building Internet Firewalls by Brent Chapman and Elizabeth Zwicky.

Filter File Rulesets

When pppd starts, the software checks for a filter file. If one is present, it is parsed and installed. The default filter filename for pppd is Filter. If you want to give the file a different name, specify the new name as the argument for the pppd 'filter' option. Only add the filter option if you want to change the name of the filter file.

A filter file contains rulesets for filtering packets. Each ruleset begins with one of the following:

  • an IP address

  • a hostname

  • the special keyword 'default'.

You may write a specific ruleset for each connecting host; otherwise, the default ruleset is used. The pppd parser searches for a ruleset that matches the IP address or hostname of the remote PPP/SLIP host, called the peer. This usually corresponds to the IP address placed on the right-hand side of the colon on the pppd command line.

Ruleset Design

Rulesets are designed on a per-connecting-host basis rather than a per-interface basis. This provides support for devices acting as PPP or SLIP routing hubs. A hub workstation allows multiple hosts to establish IP connections and may support multiple hosts establishing connections at different times on the same interface.

If a hub supports different classes of users, PPP filters allow you to define different access policies for each group. A single hub workstation may support all of the following PPP/SLIP connections, each defined by a different ruleset:

  • a connection to the home of a developer who is allowed to access multiple hosts and proprietary data

  • connections for members of a traveling sales team who only require electronic mail access

  • connections to customers seeking support who may only access the anonymous FTP host

Default rulesets are permitted. They simplify configuration when a single machine supports multiple similar hosts or connections that can be controlled by the same security policy.

Ruleset Order

The order in which rulesets appear is important. Default rulesets should appear early in the file because, after they are parsed, the parser continues searching for more matching rulesets. However, when the address or hostname in a ruleset matches, the packet is processed and the parser stops its search.

When a match is found and the 'non-default' ruleset is processed, individual filters replace any default filters "remembered" from earlier in the file. This means that packet filtering may behave differently if the "default" rule appears early or late in the file.
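The search order described in this section, together with the fail-safe and permissive strategies from "The Foundations of Security Policies" above, modelled in Python as an added example. This is not HP's pppd code and does not use the Filter file syntax (which this chapter does not show); the filter names 'pass' and 'log', the service names, and the hostnames and addresses are constructed for the illustration.

```python
"""Model of how pppd chooses and applies a filter-file ruleset.

Added illustration, not HP's pppd code: rulesets are Python objects and the
filter names ("pass", "log") are hypothetical. Only the selection semantics
follow the chapter: rulesets are searched in file order, a 'default' ruleset
is remembered and the search continues, and the first ruleset whose address
or hostname matches the peer has its individual filters replace the
remembered default filters, after which the search stops.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Filter:
    """One filter in a ruleset.

    closed=True  : fail-safe policy, permit only the listed services.
    closed=False : permissive policy, block only the listed services.
    """
    closed: bool
    services: frozenset

    def permits(self, service: str) -> bool:
        if self.closed:
            return service in self.services
        return service not in self.services


@dataclass
class Ruleset:
    selector: str        # an IP address, a hostname, or the keyword 'default'
    filters: dict        # filter name -> Filter


def select_filters(filter_file: list, peer: str) -> dict:
    """Return the effective filters for `peer` (IP address or hostname)."""
    remembered = {}                                # default filters seen so far
    for ruleset in filter_file:
        if ruleset.selector == "default":
            remembered = dict(ruleset.filters)     # remember, keep searching
            continue
        if ruleset.selector == peer:
            effective = dict(remembered)
            effective.update(ruleset.filters)      # specific filters replace default ones
            return effective                       # match found: stop searching
    return remembered                              # no match: default applies, if any


# --- constructed sample filter file, mirroring the hub scenario in the chapter ---
DEFAULT = Ruleset("default", {
    "pass": Filter(closed=True, services=frozenset({"smtp", "pop3"})),  # mail only
    "log": Filter(closed=False, services=frozenset()),                   # log everything
})
DEVELOPER = Ruleset("dev-home.example.com", {
    # closed policy: "nfs" was forgotten, so it is simply unavailable
    "pass": Filter(closed=True, services=frozenset({"smtp", "pop3", "ssh"})),
})
SUPPORT_CUSTOMER = Ruleset("192.0.2.45", {
    # open policy: "finger" was forgotten, so it is unintentionally exposed
    "pass": Filter(closed=False, services=frozenset({"telnet", "ssh", "nfs", "smtp"})),
})

DEFAULT_EARLY = [DEFAULT, DEVELOPER, SUPPORT_CUSTOMER]   # default remembered, then merged
DEFAULT_LATE = [DEVELOPER, SUPPORT_CUSTOMER, DEFAULT]    # search stops before default is seen


def is_permitted(filter_file: list, peer: str, filter_name: str, service: str) -> bool:
    """Evaluate one service against one filter for a peer; a missing filter blocks (assumption)."""
    flt = select_filters(filter_file, peer).get(filter_name)
    return flt is not None and flt.permits(service)


if __name__ == "__main__":
    for name, ff in (("default early", DEFAULT_EARLY), ("default late", DEFAULT_LATE)):
        print(name, "-> developer filters:", sorted(select_filters(ff, "dev-home.example.com")))
    print("developer nfs:", is_permitted(DEFAULT_EARLY, "dev-home.example.com", "pass", "nfs"))
    print("customer finger:", is_permitted(DEFAULT_EARLY, "192.0.2.45", "pass", "finger"))
```

With the default ruleset early in the file the developer's connection inherits the default 'log' filter and overrides only 'pass'; with the default late, the parser stops at the developer's ruleset and the 'log' filter is never applied. The two 'pass' filters show the two strategies: the omitted service is merely unavailable under the closed policy, but reachable under the open one.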

© 1997 Hewlett-Packard Development Company, L.P.