Many firewall computers (particularly in enterprise environments) have multiple network interfaces, and route traffic between more than one network.
The firewall includes a feature which allows any network interface to be designated as a 'secure' (or 'trusted') interface. By default, all network interfaces which are not specifically designated as secure are 'non-secure'.
Note: These designations have no actual effect beyond allowing certain interfaces to be classified separately for the purpose of applying different rules to them.
Using secure interfaces
The general theory is that a secure interface is connected to a secure or trusted network, and can therefore afford to be less paranoid about the traffic it allows through. However, the manner in which secure interfaces are to be treated is entirely up to the firewall administrator.
The sole purpose of separating network interfaces into secure and non-secure categories is to allow different filter rules to be specified for each. This is done using the interface rule parameter.
For example, on a multi-homed web server, you may wish to allow HTTP traffic on the secure interface while blocking it on the non-secure interface. This could be done with the following rules:
deny 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 all any 0 eq 80 non-secure local both
permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 all any 0 eq 80 secure local both
It should be noted that since the purpose of the 'secure' designation is to allow rules to distinguish between multiple network interfaces, it is only useful on a system with more than one interface.
Defining secure interfaces
To designate an interface as secure, you enter the IP address assigned to
that interface as a line in the file
%ETC%\fwsecad.cnf
where %ETC% is the directory indicated by the environment variable ETC. This file does not exist by default, and must be created if no secure interfaces were previously defined.
Note: If the file fwsecad.cnf (above) does not exist, the CFGFILT command will display the following warning message when run with the '-d' parameter:
ICA1841e: Access error on file %ETC%\fwsecad.cnf: -1. Defaulting to no secure interface.
where %ETC% will be replaced by the name of the directory indicated by the environment variable ETC.
This message simply means that all interfaces will default to the 'non-secure' category. This should be acceptable for most configurations.
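The following is an added example, not code from the firewall documentation: a small Python model of how the secure/non-secure classification from fwsecad.cnf and the two HTTP rules above combine to decide a packet's fate. The field layout of a rule line (action, source address/mask, destination address/mask, protocol, source port operator/value, destination port operator/value, interface class, routing, direction) and first-match rule ordering are assumptions inferred from the example; the fwsecad.cnf contents are constructed.

```python
import ipaddress

# Constructed contents of %ETC%\fwsecad.cnf: one IP address per line; each listed
# address designates that interface as 'secure'. A missing file is an empty set.
FWSECAD_CNF = "10.1.1.1\n"

# The two rules quoted above, one per line. Field layout is an assumption:
# action src dst-addr/mask ... protocol src-port-op/value dst-port-op/value interface routing direction
RULES = """\
deny 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 all any 0 eq 80 non-secure local both
permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 all any 0 eq 80 secure local both
"""

def secure_interfaces(cnf_text):
    """Addresses listed in fwsecad.cnf; blank lines are ignored."""
    return {line.strip() for line in cnf_text.splitlines() if line.strip()}

def interface_class(iface_ip, secure):
    """Any interface not listed in fwsecad.cnf defaults to 'non-secure'."""
    return "secure" if iface_ip in secure else "non-secure"

def addr_match(addr, net, mask):
    """A 0.0.0.0 mask matches any address; otherwise compare the masked bits."""
    a, n, m = (int(ipaddress.IPv4Address(x)) for x in (addr, net, mask))
    return (a & m) == (n & m)

def port_match(op, value, port):
    """Only the two port operators used on this page ('any', 'eq') are modelled."""
    if op == "any":
        return True
    if op == "eq":
        return port == int(value)
    raise ValueError(f"unsupported port operator {op!r}")

def first_matching_action(rules_text, secure, pkt):
    """Action of the first matching rule (first-match order assumed) or None if none applies."""
    iface_cls = interface_class(pkt["iface"], secure)
    for line in rules_text.splitlines():
        f = line.split()
        if len(f) < 13:
            continue  # blank or malformed rule line
        action, sa, sm, da, dm, proto, sop, sp, dop, dp, iface = f[:11]
        if iface != iface_cls or (proto != "all" and proto != pkt["proto"]):
            continue  # rule is for the other interface class or another protocol
        if (addr_match(pkt["src"], sa, sm) and addr_match(pkt["dst"], da, dm)
                and port_match(sop, sp, pkt["sport"]) and port_match(dop, dp, pkt["dport"])):
            return action
    return None
```

Passing an empty set for the secure interfaces reproduces the behaviour after the ICA1841e warning: every interface is non-secure, so HTTP is denied everywhere.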