Establishing an explicit "deny-all" strategy

To achieve the highest degree of security and control over data traffic, we recommend that you initially block all data transfers through the firewall and then selectively enable only those functions and communication paths that are actually required. This also protects against Trojan horses or e-mail viruses that actively open an outgoing connection on certain ports: without a matching allow rule, that outgoing connection is blocked just like an unsolicited incoming one.

The "deny-all" rule is by far the most important rule for the protection of your LAN. With this rule the firewall acts in accordance with the following principle: "Anything not explicitly allowed is forbidden." This is the only strategy with which the administrator can be really sure that no possibility of access has been overseen—only those points of access that have been explicitly allowed are available.

We recommend that you set the deny-all rule before connecting the LAN to the Internet via the device. You can then use the logging table (which can be opened from LANmonitor) to see which connections the firewall has blocked, and add "allow" rules one by one on the basis of that information.

Some typical applications are shown below. The first table is the basic rule set; each further table shows the allow rule(s) added for one application, with DENY_ALL remaining the last, most general rule.

Note: The filters described here are easily set up with the Firewall Wizard. If necessary, they can be further refined with LANconfig, for example.
Basic rule set for Internet access from the local network:

Rule name             Source         Destination                                Action    Service (target port)
ALLOW_HTTP            Local network  All stations                               Transmit  HTTP, HTTPS
ALLOW_FTP             Local network  All stations                               Transmit  FTP
ALLOW_EMAIL           Local network  All stations                               Transmit  MAIL, NEWS
ALLOW_DNS_FORWARDING  Local network  Router IP address (option: Local network)  Transmit  DNS
DENY_ALL              All stations   All stations                               Reject    ANY

VPN dial-in from a remote site:

Rule name             Source            Destination    Action    Service
ALLOW_VPN_DIAL_IN     Remote site name  Local network  Transmit  ANY

VPN client connecting to a VPN server:

Rule name             Source      Destination  Action    Service (target port)
ALLOW_VPN             VPN client  VPN server   Transmit  IPSEC, PPTP

Dial-in from a remote site:

Rule name             Source            Destination    Action    Service
ALLOW_DIAL_IN         Remote site name  Local network  Transmit  ANY

Coupling of two LANs:

Rule name             Source  Destination  Action    Service
ALLOW_LAN1_TO_LAN2    LAN1    LAN2         Transmit  ANY
ALLOW_LAN2_TO_LAN1    LAN2    LAN1         Transmit  ANY

Web server reachable from all stations:

Rule name             Source  Destination  Action    Service (target port)
ALLOW_WEBSERVER       ANY     Web server   Transmit  HTTP, HTTPS

Ping from the local network:

Rule name             Source         Destination   Action    Service
ALLOW_PING            Local network  All stations  Transmit  ICMP

These rules can now be refined as required, for example by specifying minimum and maximum bandwidths for server access, or by the granular restriction to certain services, stations or remote sites.

Important: When the filter list is built, the device sorts the firewall rules automatically by their level of detail: specific rules are processed first, general ones (such as deny-all) last. For complex rule sets, check the resulting filter list as described in the following section.
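The following model illustrates both points made on this page, the deny-all principle and the ordering of rules by level of detail. It is an added example written for this page, not LANCOM code, and it does not reproduce the device's actual sorting algorithm: the specificity score (prefix length plus a bonus for naming a service) is an assumed heuristic, and the addresses, the service table and the sample connections are constructed. The rule set is deliberately entered with DENY_ALL first to show what happens when a general rule is evaluated before the specific ones.

```python
"""Model of an explicit "deny-all" firewall rule set with specificity ordering.

Added example, not LANCOM code. Addresses, the service table and the sample
connections are constructed; the specificity score is an assumed heuristic,
not the device's own sorting algorithm.
"""
from dataclasses import dataclass
from typing import Optional
import ipaddress

ANY = "ANY"

# Service name -> (protocol, destination port); None means "any port".
SERVICES = {
    "HTTP": ("tcp", 80), "HTTPS": ("tcp", 443), "FTP": ("tcp", 21),
    "MAIL": ("tcp", 25), "NEWS": ("tcp", 119), "DNS": ("udp", 53),
    "ICMP": ("icmp", None),
}


@dataclass(frozen=True)
class Connection:
    src: str                # source IP address
    dst: str                # destination IP address
    proto: str              # "tcp", "udp" or "icmp"
    dport: Optional[int]    # destination port, None for ICMP


@dataclass(frozen=True)
class Rule:
    name: str
    src: str            # CIDR network or ANY
    dst: str            # CIDR network or ANY
    action: str         # "TRANSMIT" (allow) or "REJECT"
    services: tuple     # names from SERVICES, or (ANY,)

    def specificity(self) -> int:
        """Higher = more specific (assumed heuristic): a /32 host beats a /24
        LAN beats ANY, and naming a service beats ANY. DENY_ALL scores 0."""
        score = 0
        for net in (self.src, self.dst):
            if net != ANY:
                score += ipaddress.ip_network(net).prefixlen + 1
        if ANY not in self.services:
            score += 1
        return score

    def matches(self, conn: Connection) -> bool:
        if not _in_net(conn.src, self.src) or not _in_net(conn.dst, self.dst):
            return False
        if ANY in self.services:
            return True
        for svc in self.services:
            proto, port = SERVICES[svc]
            if conn.proto == proto and (port is None or conn.dport == port):
                return True
        return False


def _in_net(addr: str, net: str) -> bool:
    return net == ANY or ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def order_rules(rules):
    """Specific rules first, general ones (deny-all) last; stable for ties."""
    return sorted(rules, key=Rule.specificity, reverse=True)


def evaluate(rules, conn):
    """The first matching rule in list order decides. With no matching rule
    the connection is still rejected: anything not allowed is forbidden."""
    for rule in rules:
        if rule.matches(conn):
            return rule.action, rule.name
    return "REJECT", "<implicit deny-all>"


def blocked(rules, conns):
    """Equivalent of the logging table: blocked connections and the rule that
    blocked them, the input for adding further allow rules."""
    out = []
    for conn in conns:
        action, name = evaluate(rules, conn)
        if action == "REJECT":
            out.append((conn, name))
    return out


# Constructed rule set mirroring the basic table above; DENY_ALL entered first.
LAN, ROUTER, WEBSERVER = "192.168.1.0/24", "192.168.1.1/32", "192.168.1.10/32"
RULES = [
    Rule("DENY_ALL", ANY, ANY, "REJECT", (ANY,)),
    Rule("ALLOW_HTTP", LAN, ANY, "TRANSMIT", ("HTTP", "HTTPS")),
    Rule("ALLOW_DNS_FORWARDING", LAN, ROUTER, "TRANSMIT", ("DNS",)),
    Rule("ALLOW_WEBSERVER", ANY, WEBSERVER, "TRANSMIT", ("HTTP", "HTTPS")),
]

# Constructed sample traffic.
CONNS = [
    Connection("192.168.1.50", "203.0.113.7", "tcp", 443),   # browsing
    Connection("192.168.1.50", "192.168.1.1", "udp", 53),    # DNS to router
    Connection("192.168.1.50", "203.0.113.7", "tcp", 6667),  # malware calling home
    Connection("198.51.100.9", "192.168.1.10", "tcp", 80),   # visitor to web server
    Connection("198.51.100.9", "192.168.1.50", "tcp", 445),  # inbound SMB probe
]

if __name__ == "__main__":
    ordered = order_rules(RULES)
    print("processing order:", [r.name for r in ordered])
    for c in CONNS:
        print(c, "->", evaluate(ordered, c))
    print("same traffic, DENY_ALL first:", evaluate(RULES, CONNS[0]))
```

Run stand-alone, the script shows that with the sorted list the two outgoing Trojan-style and inbound SMB connections are the only ones rejected (exactly what the logging table would show), while with DENY_ALL evaluated first even the permitted HTTPS connection is rejected. The wrapper in LANconfig avoids that by sorting for you; the model makes the dependency on order visible.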

www.lancom-systems.com

LANCOM Systems GmbH | A Rohde & Schwarz Company | Adenauerstr. 20/B2 | 52146 Wuerselen | Germany | E‑Mail info@lancom.de
