From: lars@spectrum.CMC.COM (Lars Poulsen)
Subject: Re: CMC Rockwell Nethopper Packet Filtering?
Message-Id: <1993Jun12.065234.4235@spectrum.CMC.COM>
Organization: CMC Network Systems (Rockwell DCD), Santa Barbara, CA, USA
References: <9306110011.AA05001@norman.li.Cubic.COM>
Date: Sat, 12 Jun 93 06:52:34 GMT

In article <9306110011.AA05001@norman.li.Cubic.COM> mischler@Cubic.COM (Dave Mischler) writes:
>Could someone familiar with the Nethopper describe its packet filtering
>in detail?  Can it log denied and/or permitted packet information?

Hello Dave,

I am one of the NetHopper developers. The NetHopper's IP filters allow
you to specify any or all of:
	source IP address
	source port
	destination IP address
	destination port
	IP protocol
	interface
	direction (in or out)
	type (allow/deny/allow-but-don't-dial-for-this)

Each filter is named, and entries can be added before or after a
previously specified filter. Evaluation of each packet continues
until it hits a filter and is allowed or denied, or until the end
of the list, where there is an implied
	source any dest any protocol any allow.

(I.e. the default is to allow unknown, but it is trivial to change this
to deny anything unknown.)

For each filter, it is settable whether a denied packet returns an ICMP
error.

We do not currently trigger SYSLOG messages for denied packets (we were
concerned about this turning into a denial-of-service), but we do maintain
a count of hits in each filter. The filters are accessible as an
enterprise MIB group under SNMP.

The main things that we *don't* do that have been mentioned by others
here on the list are:
	- no logging of denied packets (see above)
	- no RANGE of port numbers
	- no ESTABLISHED keyword (we don't interpret TCP protocol)
	- no arbitrary offset/mask/pattern

The NetHopper is currently positioned as a low-cost way to interconnect
remote IP LANs to the backbone over dial-up V.32bis lines. Our customers
have found the security features adequate for this environment.

I don't think it would surprise anyone if we came out with a
leased-56kbps line version of the unit, and we feel that these filters
would be adequate to protect the average small to medium sized site
(25-500 nodes) from the "reasonably believable threat".

If and when we implement IPX routing, we plan to include similar
filtering capability for IPX routing and SAP advertisements.

I will be happy to answer additional questions from this list.
-- 
/ Lars Poulsen, SMTS Software Engineer	Internet E-mail: lars@CMC.COM
  CMC Network Products / Rockwell Int'l	Telephone: +1-805-968-4262	
  Santa Barbara, CA 93117-3083		TeleFAX:   +1-805-968-8256
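The filter model described in the post above (named filters, ordered
insertion before or after an existing name, first-match evaluation, a
per-filter ICMP-on-deny switch, per-filter hit counters, and an implied
trailing "source any dest any protocol any allow" that can be overridden
by appending a deny-everything filter) is easy to misread, so here it is
as an added Python illustration. This is not NetHopper code and does not
reproduce its configuration syntax; the field names, the "allow-nodial"
spelling for the allow-but-don't-dial type, the interface names and all
addresses and packets are assumptions constructed for the example. As in
the post, there are no port ranges and no ESTABLISHED keyword, so a
return flow has to be allowed by its own filter.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Hypothetical model of the NetHopper-style filter list; illustration only.
ANY = None  # wildcard for any filter field


@dataclass
class Filter:
    name: str
    action: str                        # "allow", "deny" or "allow-nodial" (assumed spelling)
    src: Optional[str] = ANY           # address or CIDR prefix
    sport: Optional[int] = ANY         # single port only: the post says no ranges
    dst: Optional[str] = ANY
    dport: Optional[int] = ANY
    proto: Optional[str] = ANY         # "tcp", "udp", "icmp", ...
    iface: Optional[str] = ANY
    direction: Optional[str] = ANY     # "in" or "out"
    icmp_reply: bool = False           # per-filter: send ICMP error on deny
    hits: int = 0                      # per-filter hit counter (exposed via SNMP in the post)

    def matches(self, pkt: Dict) -> bool:
        def addr_ok(pattern: Optional[str], addr: str) -> bool:
            if pattern is ANY:
                return True
            return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)

        return (addr_ok(self.src, pkt["src"])
                and addr_ok(self.dst, pkt["dst"])
                and (self.sport is ANY or self.sport == pkt.get("sport"))
                and (self.dport is ANY or self.dport == pkt.get("dport"))
                and (self.proto is ANY or self.proto == pkt["proto"])
                and (self.iface is ANY or self.iface == pkt["iface"])
                and (self.direction is ANY or self.direction == pkt["direction"]))


class FilterList:
    def __init__(self) -> None:
        self.filters: List[Filter] = []

    def add(self, f: Filter, before: Optional[str] = None, after: Optional[str] = None) -> None:
        """Append, or insert relative to an already named filter."""
        names = [x.name for x in self.filters]
        if before is not None:
            self.filters.insert(names.index(before), f)
        elif after is not None:
            self.filters.insert(names.index(after) + 1, f)
        else:
            self.filters.append(f)

    def evaluate(self, pkt: Dict) -> Tuple[str, str, bool]:
        """First matching filter decides; returns (action, filter name, send ICMP error).
        Falling off the end hits the implied 'source any dest any protocol any allow'."""
        for f in self.filters:
            if f.matches(pkt):
                f.hits += 1
                return f.action, f.name, (f.action == "deny" and f.icmp_reply)
        return "allow", "<implied-default>", False


def build_site_filters(default_deny: bool = False) -> FilterList:
    """Constructed example list for a small site behind a dial-up router."""
    fl = FilterList()
    fl.add(Filter("smtp-in", "allow", dst="192.0.2.10", dport=25, proto="tcp",
                  iface="wan0", direction="in"))
    fl.add(Filter("telnet-in", "deny", dport=23, proto="tcp",
                  iface="wan0", direction="in", icmp_reply=True))
    # Inserted BEFORE the deny so management telnet wins on first match.
    fl.add(Filter("mgmt-telnet", "allow", src="198.51.100.0/24", dport=23, proto="tcp",
                  iface="wan0", direction="in"), before="telnet-in")
    # Allowed, but must not bring the dial-up line up on its own.
    fl.add(Filter("ntp-nodial", "allow-nodial", dport=123, proto="udp",
                  iface="wan0", direction="out"))
    if default_deny:
        # Trivial way to turn the implied allow-unknown into deny-unknown.
        fl.add(Filter("default-deny", "deny"))
    return fl


# Constructed sample packets (not captured traffic).
PKT_SMTP = dict(src="203.0.113.5", sport=40000, dst="192.0.2.10", dport=25,
                proto="tcp", iface="wan0", direction="in")
PKT_TELNET_MGMT = dict(src="198.51.100.7", sport=40001, dst="192.0.2.1", dport=23,
                       proto="tcp", iface="wan0", direction="in")
PKT_TELNET = dict(src="203.0.113.5", sport=40002, dst="192.0.2.1", dport=23,
                  proto="tcp", iface="wan0", direction="in")
PKT_NTP = dict(src="192.0.2.1", sport=123, dst="203.0.113.9", dport=123,
               proto="udp", iface="wan0", direction="out")
PKT_HTTP = dict(src="203.0.113.5", sport=40003, dst="192.0.2.20", dport=80,
                proto="tcp", iface="wan0", direction="in")


if __name__ == "__main__":
    for default_deny in (False, True):
        fl = build_site_filters(default_deny)
        print(f"default_deny={default_deny}")
        for pkt in (PKT_SMTP, PKT_TELNET_MGMT, PKT_TELNET, PKT_NTP, PKT_HTTP):
            print("  ", pkt["dport"], "->", fl.evaluate(pkt))
        print("   hits:", {f.name: f.hits for f in fl.filters})
```

Running it shows the two things worth checking in any first-match list:
that the order of "mgmt-telnet" and "telnet-in" decides who gets telnet,
and that an unmatched packet (the HTTP one) is allowed until an explicit
deny-everything filter is placed last.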

