Multiple Filters Are Applied Successively
In both passive and active modes, the NBA uses filters to check every IP packet it sees. The filters define which communications are captured, blocked, or sent to a policy engine for processing.
The NBA supports two kinds of filter, network filters and application filters, each with its own set of actions.
Network filter actions
- Ignore: Packets are exempted from further NBA processing and permitted to continue.
- Prohibit: Packets are blocked.
- Analyze: Packets are passed from a network filter to an application filter.
- Decrypt: SSL session packets are decoded and then passed to an application filter. Matching packets that do not need decryption are also passed to an application filter.
Application filter actions
- Ignore: Packets are exempted from further NBA processing and permitted to continue.
- Prohibit: Packets are blocked.
- Analyze: Packets are passed from an application filter to a policy engine.
- Monitor: Packets are passed to a policy engine but cannot be blocked, even if the policy engine requests that they are blocked as a result of processing.
How Are Filters Applied?
Data packets are filtered as they pass through the NBA. The filters are defined in nbapolicy.xml. In the example below, one network filter and two application filters are active. The network and application filters successively narrow down the communications that must be sent to a policy engine for processing, which is the slowest part of the process.
Network filters are always applied first, followed by application filters. For best performance, configure the network filters to decrypt and/or analyze the smallest amount of network data possible for the application filters. In turn, configure the application filters to analyze or monitor the smallest amount of network data for reassembly into files and emails that are sent to a policy engine.
The following steps show how the NBA applies filters to data packets.
- A network filter checks data packets for their protocol (TCP or UDP). In this example, the filter action is set to analyze TCP packets. Any UDP packets are ignored and permitted to continue through the NBA without further intervention.
- When the NBA detects any TCP packets, it analyzes them to identify the application protocol.
- The NBA then applies the appropriate application filter to the packets.
- In this example, an application filter for SMTP data sent from specific IP addresses is set to 'ignore'. These packets are permitted to continue.
- At the same time, an application filter for all other protocols is set to 'analyze'. These non-SMTP packets are passed to a policy engine for processing. In this example, the 'monitor' and 'prohibit' actions for application filters are not used.
- The policy engine, after analyzing the non-SMTP communication, either blocks it or allows it to continue.
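The following simulation walks the filter actions listed above and the example chain (TCP analyzed, UDP ignored, SMTP from trusted addresses ignored, everything else analyzed) through a simplified model of the NBA pipeline. It is an added example, not CA's code: the page does not show the nbapolicy.xml schema or the NBA packet model, so the Packet and Filter classes, the first-match ordering, the default of "ignore" when no filter matches, the stand-in policy engine and the 192.0.2.x addresses are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

# Added example: a simplified model of the NBA filter chain described on this page.
# Assumption: the real nbapolicy.xml schema and packet model are not on the page,
# so the classes below are constructed for illustration only.

@dataclass
class Packet:
    proto: str            # transport protocol: "TCP" or "UDP"
    src_ip: str
    app_proto: str        # application protocol as identified by the NBA, e.g. "SMTP", "HTTP"
    payload: str = ""
    encrypted: bool = False

@dataclass
class Filter:
    name: str
    match: Callable[[Packet], bool]
    action: str           # network: ignore|prohibit|analyze|decrypt; application: ignore|prohibit|analyze|monitor

@dataclass
class Result:
    decision: str                         # "allowed" or "blocked"
    stage: str                            # which stage produced the decision
    policy_verdict: Optional[str] = None  # what the policy engine asked for, if it was consulted

def first_match(filters: List[Filter], pkt: Packet) -> Optional[Filter]:
    """Assumption: filters are evaluated in order and the first matching filter wins."""
    for f in filters:
        if f.match(pkt):
            return f
    return None

def sample_policy_engine(pkt: Packet) -> str:
    """Stand-in policy engine (constructed): asks to block any payload carrying a marker string."""
    return "block" if "CONFIDENTIAL" in pkt.payload else "allow"

def process(pkt: Packet, network_filters: List[Filter], application_filters: List[Filter],
            policy: Callable[[Packet], str] = sample_policy_engine) -> Result:
    # Stage 1: network filters are always applied first.
    nf = first_match(network_filters, pkt)
    if nf is None or nf.action == "ignore":
        return Result("allowed", f"network:{nf.name if nf else 'default'}")
    if nf.action == "prohibit":
        return Result("blocked", f"network:{nf.name}")
    if nf.action == "decrypt" and pkt.encrypted:
        pkt.encrypted = False  # SSL session decoded before application filtering
    # "analyze", and "decrypt" for packets that needed no decryption, both hand the packet on.

    # Stage 2: application filters narrow down what reaches the policy engine.
    af = first_match(application_filters, pkt)
    if af is None or af.action == "ignore":
        return Result("allowed", f"application:{af.name if af else 'default'}")
    if af.action == "prohibit":
        return Result("blocked", f"application:{af.name}")

    # Stage 3: only analyzed or monitored traffic reaches the (slow) policy engine.
    verdict = policy(pkt)
    if af.action == "monitor":
        # Monitor: the policy engine sees the traffic, but its block request is not enforced.
        return Result("allowed", f"policy:{af.name}", verdict)
    return Result("blocked" if verdict == "block" else "allowed", f"policy:{af.name}", verdict)

# Configuration mirroring the page's example (addresses are constructed).
EXEMPT_SMTP_SOURCES = {"192.0.2.10"}

NETWORK_FILTERS = [
    Filter("tcp", lambda p: p.proto == "TCP", "analyze"),
    Filter("udp", lambda p: p.proto == "UDP", "ignore"),
]
APPLICATION_FILTERS = [
    Filter("trusted-smtp", lambda p: p.app_proto == "SMTP" and p.src_ip in EXEMPT_SMTP_SOURCES, "ignore"),
    Filter("everything-else", lambda p: True, "analyze"),
]

def run_page_example() -> dict:
    """Run four constructed packets through the example chain and return each Result."""
    packets = {
        "udp": Packet("UDP", "192.0.2.10", "DNS"),
        "trusted_smtp": Packet("TCP", "192.0.2.10", "SMTP", "CONFIDENTIAL report"),
        "http_leak": Packet("TCP", "192.0.2.20", "HTTP", "CONFIDENTIAL report"),
        "http_ok": Packet("TCP", "192.0.2.20", "HTTP", "hello"),
    }
    return {name: process(p, NETWORK_FILTERS, APPLICATION_FILTERS) for name, p in packets.items()}

if __name__ == "__main__":
    for name, r in run_page_example().items():
        extra = f" (policy said {r.policy_verdict})" if r.policy_verdict else ""
        print(f"{name:13s} {r.decision:8s} decided at {r.stage}{extra}")
```

The trace shows the performance point made above: the UDP packet and the trusted SMTP packet never reach the policy engine, so only the two HTTP packets incur the slow stage. Swapping the last application filter's action to "monitor" makes the policy engine's block request visible in `policy_verdict` while the decision stays "allowed", which is the behaviour to expect when using monitor mode to trial a policy before enforcing it.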
Copyright © 2014 CA.
All rights reserved.