Application Notes 253

“filter.” A filter is simply a set of rules that determine whether a packet should be passed or discarded as it crosses an interface. An interface is any port that carries IP traffic. On the IAD, it can be one of the following: Ethernet port, PPP connection, ATM PVC, or FR DLCI. IP filtering can selectively pass or discard IP packets based on one or more of the following properties:

• Protocol (IP, ICMP, TCP, and UDP)
• Protocol flags (for TCP and ICMP only)
• Source and/or destination IP address
• Source and/or destination port number

Information Policy

Before you define a filtering rule set, you must determine what information you will permit to enter or exit the network and who should have access to that information. This “information policy” can be divided into two broad groups: open and closed. An open information policy, by default, allows access to everything; filters are put in place to block access only to a small number of sensitive addresses and/or protocols. This type of policy is typically used in a trusted network situation that places a premium on openness rather than security. Any filters applied are intended to deny access to sensitive information not intended for public viewing, such as financial data. A closed information policy, by default, blocks access to everything; filters are put in place to allow access only to approved addresses and/or protocols. A closed information policy is used when security and network integrity are more important than ease of access. If your network is connected to the Internet, a closed information policy will make your system less vulnerable to attack.

Filtering Interface

You may apply IP filtering to any interface that carries IP traffic. Rule sets can be defined for both inbound and outbound traffic through each interface. The block diagram below shows where IP filtering is performed on the IAD.
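The following is an added example, not part of this application note and not the IAD's own configuration syntax: a small first-match packet filter in Python that evaluates rules on exactly the properties listed above (protocol, TCP/ICMP flags, source/destination address, source/destination port) and shows how the same matching engine yields a closed policy (default discard, as on an Internet-facing interface) or an open policy (default pass, as on a trusted internal interface) purely by changing the default action. The first-match semantics, the use of "ip" as an any-protocol wildcard, the addresses (RFC 5737 documentation ranges) and the sample packets are all constructed assumptions for illustration.

```python
"""Toy first-match IP packet filter illustrating the rule properties and the
open/closed information policies described in the note. Constructed example:
not the IAD's configuration syntax or its exact matching semantics."""
from dataclasses import dataclass, field
import ipaddress
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str                           # "icmp", "tcp" or "udp"
    src: str                             # source IPv4 address
    dst: str                             # destination IPv4 address
    sport: Optional[int] = None          # source port (TCP/UDP only)
    dport: Optional[int] = None          # destination port (TCP/UDP only)
    flags: FrozenSet[str] = frozenset()  # TCP flags, e.g. {"SYN"}, or an ICMP type name


@dataclass(frozen=True)
class Rule:
    action: str                          # "pass" or "discard"
    proto: str = "ip"                    # "ip" matches any IP protocol (assumption)
    src: Optional[str] = None            # CIDR prefix, None = any source
    dst: Optional[str] = None            # CIDR prefix, None = any destination
    sport: Optional[int] = None          # None = any source port
    dport: Optional[int] = None          # None = any destination port
    flags: Optional[FrozenSet[str]] = None  # flags that must all be set (TCP/ICMP only)

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.src is not None and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst is not None and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.sport is not None and pkt.sport != self.sport:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.flags is not None:
            # Flag matching is only meaningful for TCP and ICMP, as the note states.
            if pkt.proto not in ("tcp", "icmp") or not self.flags <= pkt.flags:
                return False
        return True


@dataclass
class RuleSet:
    default: str                         # "pass" = open policy, "discard" = closed policy
    rules: List[Rule] = field(default_factory=list)

    def evaluate(self, pkt: Packet) -> str:
        # The first matching rule decides; otherwise the policy default applies (assumption).
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return self.default


# Closed policy for the inbound side of an Internet-facing interface: permit only
# new TCP connections to the mail server, DNS replies to the resolver, and ICMP
# echo replies. Everything else is discarded by default. Addresses are constructed.
def closed_inbound_ruleset() -> RuleSet:
    return RuleSet("discard", [
        Rule("pass", proto="tcp", dst="192.0.2.10/32", dport=25, flags=frozenset({"SYN"})),
        Rule("pass", proto="tcp", flags=frozenset({"ACK"})),  # return traffic of existing sessions
        Rule("pass", proto="udp", dst="192.0.2.20/32", sport=53),
        Rule("pass", proto="icmp", flags=frozenset({"echo-reply"})),
    ])


# Open policy for a trusted internal interface: everything passes unless it is
# bound for the finance subnet, which only the admin host may reach.
def open_internal_ruleset() -> RuleSet:
    return RuleSet("pass", [
        Rule("pass", src="192.0.2.100/32", dst="198.51.100.0/24"),
        Rule("discard", dst="198.51.100.0/24"),
    ])


def demo() -> dict:
    """Run constructed sample packets through both rule sets and return the verdicts."""
    inbound = closed_inbound_ruleset()
    internal = open_internal_ruleset()
    smtp_syn = Packet("tcp", "203.0.113.5", "192.0.2.10", 40000, 25, frozenset({"SYN"}))
    telnet_syn = Packet("tcp", "203.0.113.5", "192.0.2.10", 40001, 23, frozenset({"SYN"}))
    dns_reply = Packet("udp", "203.0.113.53", "192.0.2.20", 53, 33000)
    finance_from_user = Packet("tcp", "192.0.2.50", "198.51.100.7", 50000, 445, frozenset({"SYN"}))
    finance_from_admin = Packet("tcp", "192.0.2.100", "198.51.100.7", 50001, 445, frozenset({"SYN"}))
    return {
        "smtp_syn": inbound.evaluate(smtp_syn),              # pass: explicitly approved
        "telnet_syn": inbound.evaluate(telnet_syn),          # discard: no rule, closed default
        "dns_reply": inbound.evaluate(dns_reply),            # pass: reply to the resolver
        "finance_from_user": internal.evaluate(finance_from_user),    # discard: sensitive subnet
        "finance_from_admin": internal.evaluate(finance_from_admin),  # pass: earlier rule wins
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20s} -> {verdict}")
```

The two rule sets differ only in their default action and in which side of the decision the explicit rules cover: the closed set enumerates what is allowed and relies on the default to discard the rest, while the open set enumerates the few sensitive destinations to block. Rule order matters in a first-match engine, which is why the admin exception precedes the subnet-wide discard.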