New in this release

• Dynamic NAT
• Port Restricted Cone NAT

For information on firewall and NAT fundamentals, see "Firewall and NAT Fundamentals" (page 21). For configuration information, see "Firewall and NAT configuration" (page 79).

Packet filter

With the SR4134, the packet filter feature provides stateless, interface-based packet filtering as an alternative to the stateful firewall. It also provides IPv6 packet filter functionality to complement the IPv4-only stateful firewall.

The SR4134 packet filter examines each packet on the interface to determine whether to permit or drop the packet, based on the criteria specified within user-configured access lists. This control can restrict network traffic and restrict network use for certain users or devices.

The SR4134 supports three packet filter types: IPv4, IPv6, and MAC. WAN and chassis Ethernet interfaces support only IPv4 and IPv6 packet filters. The Module Ethernet interfaces support IPv4, IPv6, and MAC packet filters in a slightly different implementation.

For information on packet filter fundamentals, see "Packet filter fundamentals" (page 37). For configuration information, see "Packet filter configuration" (page 107).

IPsec VPN

IPsec can protect packets between hosts, between security gateways (for example, routers or firewalls), or between hosts and security gateways.

The IPsec-based virtual private network (VPN) operates in the network layer. Based on the policy defined, it secures individual IP packets, so it is transparent to higher-layer applications.

The SR4134 supports two basic types of VPN, each with an associated set of business requirements:

• Site-to-Site VPN
• Remote access VPN

For information on IPsec VPN fundamentals, see "IPsec VPN fundamentals" (page 43). For configuration information, see "IPsec VPN configuration" (page 117).

Nortel Secure Router 4134
Security — Configuration and Management
NN47263-600 01.02 Standard
10.0 3 August 2007
Copyright © 2007, Nortel Networks.