The other example concerns the IPX filter. It's fairly common to have a special Novell server for sensitive data like personnel and payroll records, or other secret information. The payroll server makes a good example. The company might have this server on the Human Resources segment and use standard Novell authentication to ensure that only authorized people can see secret files. But the organization may be concerned that these measures are not sufficient to prevent people from trying to give themselves a special pay bonus. To help prevent this, you can keep this server on a special segment and configure the router to disallow any access from off-segment. The trouble is that members of the Human Resources staff still need to get to the other corporate Novell servers, and the CEO or other high-ranking corporate officials might need access to the Human Resources server. So you can build a special filter that allows only the CEO's full IPX address (which includes the workstation's MAC address) to connect to the server's full IPX network numbers (both its internal and external network numbers). Then you can allow all other internal network numbers to leave the segment. Consult your router vendor's documentation for information about constructing IPX filters.
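As an added illustration (not from the book, and not any vendor's filter syntax), the following Python models the policy above as two first-match IPX filter lists: one applied to traffic entering the HR segment, one to traffic leaving it. The network numbers, the server's and the CEO's node (MAC) addresses, and the rule format are all assumed for the example.

```python
"""Hypothetical IPX filter evaluator (added example, not the book's code).

IPX addresses are written NETWORK.NODE, e.g. "B7.0000.0c55.1234": a 32-bit
network number in hex and the 48-bit node, which is the workstation's MAC
address. A Novell server has an external network number (the wire it sits on)
and an internal network number (the server itself). All numbers below are
constructed for illustration.
"""
from dataclasses import dataclass

HR_NET = "A1"                       # external net of the HR segment (assumed)
HR_SERVER = "A1.0000.1b22.3344"     # HR server's external address (assumed)
HR_SERVER_INTERNAL = "A1A1"         # HR server's internal network number (assumed)
CEO = "B7.0000.0c55.1234"           # CEO workstation: net B7, node = its MAC (assumed)


@dataclass(frozen=True)
class Rule:
    action: str   # "permit" or "deny"
    src: str      # "NET.NODE", "NET" (any node on that net) or "any"
    dst: str      # same forms as src


def parse_addr(addr):
    """Split "NET.NODE" into (net, node); a missing node or "any" means any."""
    if addr == "any":
        return "any", "any"
    net, _, node = addr.partition(".")
    return net.upper(), (node.lower() or "any")


def addr_matches(pattern, net, node):
    pnet, pnode = parse_addr(pattern)
    return (pnet == "any" or pnet == net) and (pnode == "any" or pnode == node)


def evaluate(rules, src, dst, default="deny"):
    """First-match evaluation with an implicit deny, as router ACLs usually behave."""
    snet, snode = parse_addr(src)
    dnet, dnode = parse_addr(dst)
    for r in rules:
        if addr_matches(r.src, snet, snode) and addr_matches(r.dst, dnet, dnode):
            return r.action
    return default


# Filter on traffic entering the HR segment from elsewhere: only the CEO's full
# address may reach the server (either of its network numbers); everyone else
# is denied access to the server but may still reach the HR workstations on
# that wire, which is how replies from the other corporate servers arrive.
INBOUND = [
    Rule("permit", CEO, HR_SERVER),
    Rule("permit", CEO, HR_SERVER_INTERNAL),
    Rule("deny", "any", HR_SERVER),
    Rule("deny", "any", HR_SERVER_INTERNAL),
    Rule("permit", "any", HR_NET),
]

# Filter on traffic leaving the HR segment: any HR host may reach the other
# internal network numbers.
OUTBOUND = [
    Rule("permit", HR_NET, "any"),
]


if __name__ == "__main__":
    for src, dst in [(CEO, HR_SERVER_INTERNAL), ("B7.0000.0c55.9999", HR_SERVER_INTERNAL),
                     ("C3.0000.0c77.0001", "A1.0000.0c11.2222")]:
        print(f"{src} -> {dst}: {evaluate(INBOUND, src, dst)}")
```

Two details matter in practice. The deny rules are keyed on the server's full external address and its internal network number rather than on the whole HR network number, because replies from the other corporate servers to HR workstations arrive on that same wire and must still get through. And the single exception is keyed on a MAC address that the client itself presents, so this filter is a complement to the server's own authentication, not a replacement for it.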

3.5.1.3.2 Filtering for application control

Some applications do not behave in a friendly manner on a large network. An application might try to do any number of unfriendly things. For example, it might try to register with a server on the Internet. Or it might send out SNMP packets to try to figure out the topology of the network. Sometimes a server tries to probe the client to see what other applications or protocols it supports. From there, the list branches out to the truly bizarre forms of bad behavior that I'd rather not list for fear of giving somebody ideas. The trouble with most of these forms of bad behavior is that, if you have several hundred workstations all connecting simultaneously, they can cause a lot of irrelevant chatter on your network. If you don't have the spare capacity, this chatter can be dangerous. The SNMP example is particularly bad because a number of applications seem to think that they should have the right to poll every router on the network. In general, you don't want your servers to know or care what the underlying network structure looks like. It can actually become a dangerous problem because SNMP queries on network gear often use excessive CPU and memory resources on the devices. If several servers try to gather the same information at the same time, it can seriously hamper network performance. I have seen this problem cripple the core of a mission-critical network during the start-of-day peak. If you suspect that you have a problem like this, you need to use a protocol analyzer to get a good picture of what the unwanted information looks like. You also need to prove experimentally that this information is really unwanted; some applications may just work in mysterious ways. Once you have established what the unwanted data looks like and where it's coming from, you can start to filter it out. Usually, it's best to put the filters close to the offending server (hopefully it's the server and not the client that is to blame) to help contain the unwanted traffic.
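As an added example (not from the book), here is the analyzer-to-filter step in Python: it reads tcpdump-style summary lines, constructed here rather than captured, and lists every source that sweeps more than a handful of distinct devices with SNMP requests, skipping the known management stations. The addresses, the management-station list and the threshold are assumptions made for the example.

```python
"""Added example: find which servers are sweeping the network gear with SNMP.

Parses tcpdump-style summary lines (constructed below, not a real capture) and
reports every source that sends SNMP requests (UDP/161) to more than a given
number of distinct devices, ignoring the known management stations. The
result names whose segment the filter belongs on. Addresses are made up.
"""
import re
from collections import defaultdict

# Constructed to resemble `tcpdump -nn` output; no real hosts are involved.
CAPTURE = """\
09:00:01.001 IP 10.20.5.11.45211 > 10.0.0.1.161: GetNextRequest(30) .1.3.6.1.2.1.4.22.1.2
09:00:01.002 IP 10.20.5.11.45211 > 10.0.0.2.161: GetNextRequest(30) .1.3.6.1.2.1.4.22.1.2
09:00:01.003 IP 10.20.5.11.45211 > 10.0.0.3.161: GetNextRequest(30) .1.3.6.1.2.1.4.22.1.2
09:00:01.004 IP 10.20.5.11.45211 > 10.0.0.4.161: GetNextRequest(30) .1.3.6.1.2.1.4.22.1.2
09:00:01.005 IP 10.0.0.1.161 > 10.20.5.11.45211: GetResponse(44) .1.3.6.1.2.1.4.22.1.2.1.10.0.0.9=1
09:00:01.010 IP 10.20.5.12.52000 > 10.0.0.1.161: GetRequest(28) .1.3.6.1.2.1.1.3.0
09:00:01.020 IP 10.0.100.5.40000 > 10.0.0.1.161: GetRequest(28) .1.3.6.1.2.1.2.2.1.10.1
09:00:01.021 IP 10.0.100.5.40000 > 10.0.0.2.161: GetRequest(28) .1.3.6.1.2.1.2.2.1.10.1
09:00:01.022 IP 10.0.100.5.40000 > 10.0.0.3.161: GetRequest(28) .1.3.6.1.2.1.2.2.1.10.1
09:00:01.030 IP 10.20.5.13.33000 > 10.20.7.8.80: Flags [S], seq 1, win 64240
"""

MANAGEMENT_STATIONS = frozenset({"10.0.100.5"})   # assumed legitimate pollers

# timestamp, "IP", src.sport, ">", dst.dport, ":", first token of the payload
LINE = re.compile(
    r"^\S+ IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<pdu>\w+)"
)


def snmp_requests(text):
    """Yield (src, dst) for each SNMP request PDU sent to UDP/161."""
    for line in text.splitlines():
        m = LINE.match(line)
        if not m or m["dport"] != "161":
            continue                     # not SNMP to an agent
        if not m["pdu"].endswith("Request"):
            continue                     # responses and traps are not polling
        yield m["src"], m["dst"]


def poll_map(text, ignore=frozenset()):
    """Map each source (except those in `ignore`) to the devices it polls."""
    targets = defaultdict(set)
    for src, dst in snmp_requests(text):
        if src not in ignore:
            targets[src].add(dst)
    return {src: sorted(t) for src, t in targets.items()}


def offenders(text, threshold=2, ignore=MANAGEMENT_STATIONS):
    """(source, devices polled) for sources polling more than `threshold`
    distinct devices, worst first. The filter goes on that source's segment."""
    hits = [(src, t) for src, t in poll_map(text, ignore).items() if len(t) > threshold]
    return sorted(hits, key=lambda e: -len(e[1]))


if __name__ == "__main__":
    for src, devices in offenders(CAPTURE):
        print(f"{src} polls {len(devices)} devices: {', '.join(devices)}")
```

The output names the source, which is what you need to decide where the filter goes: on the offending server's segment, so the polling is stopped before it spreads across the core. Run it on a capture taken during the start-of-day peak, and check each listed source against what that application is actually supposed to do before filtering, since the caveat above still applies.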

3.5.1.3.3 Policy-based routing