Comparison of Routing Policies and Firewall Filters


Although routing policies and firewall filters share a common architecture, several differences exist. The fundamental difference between the two is their purpose; because of this, their implementation details and, consequently, their configuration methods differ considerably. Table 8.1 compares the implementation details for routing policies and firewall filters, highlighting the similarities and differences between the two kinds of policy.

Table 8.1. Policy Implementation Details

The table is presented row by row: each element of the policy architecture is followed by its routing policy implementation and its firewall filter implementation.

Control points

Routing policy: Control routing information that is placed in the routing table with an import routing policy and advertised from the routing table with an export routing policy.

Firewall filter: Control packets that are accepted on a router interface with an input firewall filter and that are forwarded from an interface with an output firewall filter.

Configuration tasks (define the policy, then apply it)

Routing policy:

  • Define a policy that contains terms, match conditions, and actions.

  • Apply one or more import or export policies to a routing protocol. You can also apply a policy expression, which combines multiple import or export policies with Boolean logical operators.

  • You can also apply one or more export policies to the forwarding table.

Firewall filter:

  • Define a filter that contains terms, match conditions, and actions.

  • Apply one input or one output firewall filter to a physical interface or physical interface group to filter data packets received by or forwarded to that interface (on routers with an Internet Processor II ASIC only).

  • You can also apply one input or one output firewall filter to the router's loopback interface, which is the interface to the Routing Engine (on all routers). Doing this allows you to filter local packets received by or forwarded from the Routing Engine.

Terms

Routing policy: Configure as many terms as desired in a policy. Define a name for each term. Terms are evaluated in the order in which you specify them in the policy. Evaluation of a policy ends after a route matches the criteria in a term and the defined or default action of accept or reject is taken; the route is not evaluated against subsequent terms in the same policy or against subsequent policies.

Firewall filter: Configure as many terms as desired in a firewall filter. Define a name for each term. Terms are evaluated in the order in which you specify them in the filter. Evaluation of a firewall filter ends after a packet matches the criteria in a term and the defined or default action is taken; the packet is not evaluated against subsequent terms in the filter.

Match conditions

Routing policy: Specify zero or more criteria that a route must match. You can specify criteria based on the source, destination, or properties of a route. You can also specify the following match conditions, which require additional configuration:

  • Autonomous system (AS) path expression: a combination of AS numbers and regular expression operators.

  • Community: a group of destinations that share a common property.

  • Prefix list: a named list of prefixes.

  • Route list: a list of destination prefixes.

  • Subroutine: a routing policy that is called repeatedly from other routing policies.

Firewall filter: Specify zero or more criteria that a packet must match. The criteria are fields in the packet's header, grouped into the following categories:

  • Numeric values, such as port and protocol numbers.

  • Prefix values, such as IP source and destination prefixes.

  • Bit-field values, that is, whether particular bits in a field are or are not set, such as IP options, TCP flags, and IP fragmentation fields. You can combine these fields using Boolean logical operators.

Actions

Routing policy: Specify zero or one action to take if a route matches all criteria. You can specify the following actions:

  • Accept: accept the route into the routing table and propagate it. After this action is taken, the evaluation of subsequent terms and policies ends.

  • Reject: do not accept the route into the routing table, and do not propagate it. After this action is taken, the evaluation of subsequent terms and policies ends.

In addition to the actions described above, you can also specify zero or more of the following types of action:

  • Next term: evaluate the next term in the routing policy.

  • Next policy: evaluate the next routing policy.

  • Actions that manipulate the characteristics associated with a route as the routing protocol places it in the routing table or advertises it from the routing table.

  • Trace: log route matches.

Firewall filter: Specify zero or one action to take if a packet matches all criteria. (Juniper Networks recommends that you always explicitly configure an action.) You can specify the following actions:

  • Accept: accept the packet.

  • Discard: discard the packet silently, without sending an ICMP message.

  • Reject: discard the packet and send an ICMP destination unreachable message.

  • Routing instance: specify a routing table to which the packet is forwarded.

In addition to zero or one of the actions described above, you can also specify zero or more of the following action modifiers:

  • Count: add the packet to a count total.

  • Forwarding class: set the packet forwarding class to a specified value from 0 through 3.

  • IPSec security association: used with the source and destination address match conditions, specify an IP Security (IPSec) security association (SA) for the packet.

  • Log: store the header information of the packet on the Routing Engine.

  • Loss priority: set the packet loss priority (PLP) bit to a specified value, 0 or 1.

  • Policer: apply rate-limiting procedures to the traffic.

  • Sample: sample the packet traffic.

  • Syslog: log an alert for the packet.
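The routing policy side of the match-condition and action rows above, as an added configuration example that is not from the field guide: a BGP import policy that uses a route list, a prefix list and an AS path expression as match conditions, manipulates route attributes with next term, and terminates with explicit accept or reject, plus an export policy keyed on a community. Every name, AS number and address is constructed (RFC 5737 documentation prefixes and private-use AS numbers), so adapt them before use.

```junos
policy-options {
    /* Named prefix list of the customer's registered aggregates (constructed).
       "from prefix-list" matches these prefixes exactly, not longer ones. */
    prefix-list CUSTOMER-PREFIXES {
        192.0.2.0/24;
        198.51.100.0/24;
    }
    /* AS path regular expression: paths whose origin (rightmost) AS is 64500 */
    as-path ORIGIN-AS64500 ".* 64500";
    /* Community used to mark accepted customer routes for later export decisions */
    community CUSTOMER-ROUTES members 65000:200;

    /* Import policy: terms are evaluated top to bottom; the first accept or
       reject ends evaluation of this policy for the route. */
    policy-statement FROM-CUSTOMER {
        /* Route list (route-filter) matches: never accept these from anyone */
        term reject-bogons {
            from {
                route-filter 0.0.0.0/8 orlonger;
                route-filter 10.0.0.0/8 orlonger;
                route-filter 127.0.0.0/8 orlonger;
                route-filter 169.254.0.0/16 orlonger;
            }
            then reject;
        }
        term reject-too-specific {
            from {
                route-filter 0.0.0.0/0 prefix-length-range /25-/32;
            }
            then reject;
        }
        /* Attribute manipulation without a terminating action: "next term"
           keeps the route moving, so it still has to pass accept-registered. */
        term prefer-customer-originated {
            from as-path ORIGIN-AS64500;
            then {
                local-preference 200;
                next term;
            }
        }
        term accept-registered {
            from {
                prefix-list CUSTOMER-PREFIXES;
            }
            then {
                community add CUSTOMER-ROUTES;
                accept;
            }
        }
        /* Explicit final reject. Without it an unmatched route falls through to
           the BGP default import policy, which accepts every route the peer sends. */
        term final {
            then reject;
        }
    }

    /* Export policy for peers: only routes carrying the customer community go out */
    policy-statement TO-PEERS {
        term customer-routes {
            from community CUSTOMER-ROUTES;
            then accept;
        }
        term final {
            then reject;
        }
    }
}
protocols {
    bgp {
        /* Import control point: policy applied as the routes enter the routing table */
        group CUSTOMERS {
            type external;
            peer-as 64500;
            import FROM-CUSTOMER;
            neighbor 203.0.113.2;
        }
        /* Export control point: policy applied as routes leave the routing table */
        group PEERS {
            type external;
            peer-as 64501;
            export TO-PEERS;
            neighbor 203.0.113.6;
        }
    }
}
```

The `final` terms are the security-relevant detail: a routing policy that matches nothing hands the route to the protocol's default policy, and for BGP that default is to accept. A filter-style policy that only lists what to reject therefore still lets every other prefix in; list what to accept and reject the rest.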

Default policies and actions

Routing policy: If an incoming or outgoing route arrives and no policy related to the route is explicitly configured, the action specified by the default policy for the associated routing protocol is taken.

The following default actions exist for routing policies:

  • If a policy does not specify a match condition, all routes evaluated against the policy match.

  • If a match occurs but the policy does not specify an accept, reject, next term, or next policy action, one of the following occurs:

    • The next term, if present, is evaluated.

    • If no other terms are present, the next policy is evaluated.

    • If no other policies are present, the action specified by the default policy is taken.

  • If a match does not occur with a term in a policy and subsequent terms in the same policy exist, the next term is evaluated.

  • If a match does not occur with any term in a policy and subsequent policies exist, the next policy is evaluated.

  • If a match does not occur by the end of a policy and no other policies exist, the accept or reject action specified by the default policy is taken.

Firewall filter: If an incoming or outgoing packet arrives on an interface and no firewall filter is configured for the interface, the default policy is taken (the packet is accepted).

The following default actions exist for firewall filters:

  • If a firewall filter does not specify a match condition, all packets are considered to match.

  • If a match occurs but the firewall filter does not specify an action, the packet is accepted.

  • If a match occurs, the defined or default action is taken, and the evaluation ends. Subsequent terms in the firewall filter are not evaluated.

  • If a match does not occur with a term in a firewall filter and subsequent terms in the same filter exist, the next term is evaluated.

  • If a match does not occur by the end of a firewall filter, the packet is discarded.
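The firewall filter side of the configuration, match-condition, action and default-action rows, as an added example that is not from the field guide: an input filter on the loopback interface that protects the Routing Engine, using numeric (protocol, port), prefix (source address) and bit-field (fragment, TCP flag) match conditions, the accept and discard actions, and the count, log, syslog and policer modifiers. The final term makes the filter's implicit discard explicit so it shows up in counters. Addresses, names and the policer rate are constructed (RFC 5737 documentation prefixes) and must be adapted to the deployment.

```junos
firewall {
    /* Rate limit for management traffic that reaches the Routing Engine */
    policer MGMT-LIMIT {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 100k;
        }
        then discard;
    }
    /* Terms are evaluated top to bottom; the first matching term's action ends
       evaluation, so the permissive terms come first and the catch-all last. */
    filter PROTECT-RE {
        /* Prefix and numeric matches: BGP only from the configured peers */
        term bgp-from-peers {
            from {
                source-address {
                    203.0.113.2/32;
                    203.0.113.6/32;
                }
                protocol tcp;
                port bgp;
            }
            then accept;
        }
        /* Bit-field match: non-initial fragments carry no TCP/UDP header, so the
           port-based terms below could not classify them; count and drop them. */
        term drop-fragments {
            from {
                is-fragment;
            }
            then {
                count re-fragments;
                discard;
            }
        }
        /* SSH from the management hosts only, rate-limited by the policer */
        term ssh-from-mgmt {
            from {
                source-address {
                    192.0.2.0/28;
                }
                protocol tcp;
                destination-port ssh;
            }
            then {
                policer MGMT-LIMIT;
                accept;
            }
        }
        /* Bit-field match with Boolean operators: new SSH connections (SYN without
           ACK) from anywhere else are discarded silently, counted and logged */
        term ssh-from-elsewhere {
            from {
                protocol tcp;
                destination-port ssh;
                tcp-flags "(syn & !ack)";
            }
            then {
                count re-ssh-rejected;
                syslog;
                discard;
            }
        }
        /* ICMP needed for path MTU discovery and basic reachability tests */
        term icmp {
            from {
                protocol icmp;
                icmp-type [ echo-request echo-reply unreachable time-exceeded ];
            }
            then accept;
        }
        /* The filter would discard everything unmatched anyway (implicit discard);
           an explicit final term makes that visible in counters and the log. */
        term default-discard {
            then {
                count re-discards;
                log;
                discard;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                /* Input filter on lo0 filters packets destined to the Routing Engine */
                filter {
                    input PROTECT-RE;
                }
                address 203.0.113.1/32;
            }
        }
    }
}
```

Anything the Routing Engine needs that the filter does not list (OSPF, NTP, DNS, SNMP and so on) is dropped by the final term, so the allow list must be complete before the filter is applied. Commit a loopback filter with `commit confirmed` so that a term that cuts off your own session is rolled back automatically, and use `show firewall filter PROTECT-RE` to read the counters when checking what the filter is discarding.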



Juniper Networks Field Guide and Reference
ISBN: 0321122445
Year: 2002
Pages: 185