In this picture the local floor connection is shown as a concentrator. The actual technology is irrelevant, however. It could be a hub, or a switch, or even a piece of 10Base2 cable connected to the fiber pairs by
means of transceivers.
3.5.1.3 Filtering
There are three reasons why you might want to implement filtering on a router:
• Security
• Clean up for ill-behaved applications
• Policy-based routing
If you really want hard security on an IP network, you should probably be looking at a proper firewall rather than a router. But, in many cases, you just want a little security. In an IPX network, a router may be the only practical option for implementing security precautions.
You can do several different types of security-based filtering on a router:
• Filtering based on source or destination IP address
• Filtering based on UDP or TCP port number
• Filtering based on who started the session
• Filtering based on full IPX address or the external network number
The decision about which combination of these different filters to use depends on what you're trying to accomplish. So, I want to look at some different examples and see how different filter rules might apply.
3.5.1.3.1 Filtering for security
It is fairly common, particularly in financial companies, to have an external information vendor such as a news or stock quote service. The vendor's service involves putting a box on the client's internal LAN to allow them to access real-time information. The security problem is obvious: the external vendor theoretically has full access to the client LAN. Since financial companies usually have strict rules about access to their internal networks, they need to provide a mechanism that allows the information vendor's box to see only the genuine application data that it is supposed to see.
Assume that the vendor's special application server is hidden on a special segment behind a router. Now what sorts of filters can be implemented on this router?
The first type of filter, based on source or destination address, is probably not going to be useful here. There could be many internal users of this service, and you don't want to have to rewrite your filter rules every time somebody new wants access. It doesn't do any good to filter based on the address of the server because that's the only device on the special segment anyway.
The second type of filter, based on TCP or UDP port number, on the other hand, should be quite useful here. Since the application probably uses a designated port number or perhaps a range, this could be a
good way to identify the application packets.
The third type of filter is only useful if the application is TCP-based. If it is UDP-based, then the router cannot discern a session, so it can't tell who started the conversation. If it is TCP-based, and if the application starts with the user logging in (which is common), then this filter will help you to prevent the vendor's box from being used to initiate an attack on the client LAN.
What you really want is to combine the second and third filter types. You can do this on a Cisco router just by adding the established keyword to an access list entry for the required TCP port number.
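As an added illustration (not from the book), the following Python model shows what the combined port-plus-established filter actually decides when applied inbound on the vendor segment. The application port, the vendor box address and the internal address range are constructed placeholders.

```python
# Added example (not from the book): a minimal model of a Cisco-style extended
# access list applied inbound on the vendor-segment interface. The "established"
# keyword is stateless: it matches TCP packets that carry the ACK or RST flag,
# i.e. replies to a session that somebody else opened, but never a bare SYN.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

APP_PORT = 5000                       # assumed application port (placeholder)
VENDOR_BOX = "192.0.2.10"             # constructed address of the vendor's box
INTERNAL = ip_network("10.0.0.0/8")   # constructed internal LAN range


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                        # "tcp" or "udp"
    sport: int
    dport: int
    flags: frozenset = frozenset()    # TCP flags, e.g. {"SYN"} or {"ACK"}


def established(pkt: Packet) -> bool:
    """IOS 'established' semantics: TCP packet with the ACK or RST bit set."""
    return pkt.proto == "tcp" and bool(pkt.flags & {"ACK", "RST"})


def vendor_in_acl(pkt: Packet) -> str:
    """Inbound filter on the vendor segment: permit only return traffic of the
    application, sourced from the vendor box on its port, towards internal clients."""
    # permit tcp host VENDOR_BOX eq APP_PORT <INTERNAL> established
    if (pkt.proto == "tcp" and pkt.src == VENDOR_BOX and pkt.sport == APP_PORT
            and ip_address(pkt.dst) in INTERNAL and established(pkt)):
        return "permit"
    return "deny"   # implicit "deny ip any any" at the end of every IOS access list


SAMPLES = {   # constructed packets as seen inbound on the vendor segment
    "reply to client session": Packet(VENDOR_BOX, "10.1.2.3", "tcp", APP_PORT, 40000, frozenset({"ACK"})),
    "vendor box opens session": Packet(VENDOR_BOX, "10.1.2.3", "tcp", APP_PORT, 40000, frozenset({"SYN"})),
    "vendor box tries telnet": Packet(VENDOR_BOX, "10.1.2.3", "tcp", 40001, 23, frozenset({"SYN"})),
    "udp from vendor box": Packet(VENDOR_BOX, "10.1.2.3", "udp", APP_PORT, 40000),
}


def decisions() -> dict:
    """Verdict of the access list for each sample packet."""
    return {name: vendor_in_acl(p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in decisions().items():
        print(f"{verdict:6s} {name}")
```

Because established looks only at the flag bits and keeps no session state, a packet forged with the ACK bit set still matches; that limitation is why the text points to a proper firewall when you need hard security.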
The other example concerns the IPX filter. It's fairly common to have a special Novell server for sensitive data like personnel and payroll records, or other secret information. The payroll server makes a good example. The company might have this server on the Human Resources segment and use standard Novell authentication systems to ensure that only authorized people can see secret files.
But the organization may be concerned that these measures are not sufficient to prevent people from trying to give themselves a special pay bonus. To help prevent this, you can keep this server on a special segment and configure the router to disallow any access from off-segment. The trouble is that members of the Human Resources staff still need to get to the other corporate Novell servers. The CEO or other high-ranking corporate officials might need access to the Human Resources server. So you can build a special filter that allows only the CEO's full IPX address (which includes the workstation's MAC address) to connect to the full IPX network number (including internal and external network numbers) of the server. Then you can allow all other internal network numbers to leave the segment.
Consult your router vendor's documentation for information about constructing IPX filters.
3.5.1.3.2 Filtering for application control