Chapter 18: Access Rules

18.1. Overview

One of the principal functions of cOS Stream is to allow only authorized connections access to protected data resources. Access control is primarily addressed by the main IP rule set in which a range of protected LAN addresses are treated as trusted hosts, and traffic flow from untrusted sources is restricted from entering trusted areas.

Before a new connection is checked against the main IP rule set, cOS Stream checks the connection source against the set of AccessRule objects. An AccessRule object can be used to specify what traffic source is expected on a given interface and also to automatically drop traffic originating from specific sources. Access rules provide an efficient and targeted initial filter for new connection attempts.

The Default Access Rule

Even if the administrator does not explicitly specify any custom access rules, one predefined access rule is always applied by cOS Stream and this is known as the Default Access Rule.

This default access rule is not a rule in the usual sense. It checks the validity of incoming traffic by performing a reverse lookup in the firewall's routing tables: the lookup validates that the incoming traffic originates from a source that the routing tables indicate is reachable via the interface on which the traffic arrives. If this reverse lookup fails then the connection is dropped and a Disallowed by Access Rule log message is generated.

When troubleshooting dropped connections, the administrator should look out for Disallowed by Access Rule messages in the logs. If there is a problem with the default access rule unexpectedly dropping traffic then one solution is to create a route for the interface where the connection arrives so that the route's destination network is the same as or contains the incoming connection's source IP.

Custom Access Rules are Optional

For most configurations, the default access rule is sufficient and the administrator does not need to explicitly specify other access rules. The default rule can, for instance, protect against IP spoofing, which is described in the next section. If access rules are explicitly specified, then the default access rule is still applied if a new flow does not match any of the custom access rules.

The recommendation is to initially configure cOS Stream without any custom access rules and add them if there is a requirement for stricter checking on new flows.

IP Spoofing

Traffic that pretends to come from a trusted host can be sent by an attacker to try to get past a firewall's security mechanisms. Such an attack is commonly known as Spoofing.

IP spoofing is one of the most common types of spoofing attacks. Trusted IP addresses are used to bypass filtering. The header of an IP packet indicating the source address of the packet is modified by the attacker to be a local host address. The firewall will believe the packet came from a trusted source. Although the packet source cannot be responded to correctly, there is the potential for unnecessary network congestion to be created and potentially a Denial of Service (DoS) condition could occur. Even if the firewall is able to detect a DoS condition, it is hard to trace or stop because of its nature.

VPNs provide one means of avoiding spoofing. Where a VPN is not an appropriate solution, access rules can provide an anti-spoofing capability by adding an extra filter for source address verification. An access rule can verify that packets arriving at a given interface do not have a source address which is associated with the network of another interface. In other words:

  • Any incoming traffic with a source IP address belonging to a local trusted host is NOT allowed.

  • Any outgoing traffic with a source IP address belonging to an outside untrusted network is NOT allowed.

The first point above prevents an outsider from using a local host's address as its source address. The second point prevents any local host from launching the spoof.
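The following model, added here as an illustration and not cOS Stream code, shows both mechanisms described in this chapter: custom access rules are evaluated first, and a new connection that matches none of them falls through to the Default Access Rule, which is a reverse lookup of the source address in the routing table (Disallowed by Access Rule is logged when that lookup points at a different interface). The rule action names Expect and Drop, the interface names lan, dmz and wan, the address ranges and the AccessRule/Route/Firewall classes are all assumptions made for this example. The example also walks through the troubleshooting step described earlier: a source on a second subnet behind a router on dmz is dropped by the default rule until a route for that subnet is added on the arrival interface.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Route:
    interface: str
    network: ipaddress.IPv4Network


@dataclass
class AccessRule:
    """A custom access rule. The action names "Expect" and "Drop" are
    assumed for this illustration, not taken from the product's schema."""
    interface: str
    network: ipaddress.IPv4Network
    action: str  # "Expect": accept a matching source; "Drop": reject it


@dataclass
class Firewall:
    routes: List[Route] = field(default_factory=list)
    access_rules: List[AccessRule] = field(default_factory=list)
    log: List[str] = field(default_factory=list)

    def add_route(self, interface: str, cidr: str) -> None:
        self.routes.append(Route(interface, ipaddress.IPv4Network(cidr)))

    def reverse_lookup(self, src: ipaddress.IPv4Address) -> Optional[Route]:
        """Longest-prefix match: which route (and so which interface) would be
        used to reach src? The Default Access Rule runs this lookup on the
        packet's source address instead of its destination."""
        best = None
        for route in self.routes:
            if src in route.network and (
                best is None or route.network.prefixlen > best.network.prefixlen
            ):
                best = route
        return best

    def check_new_connection(self, interface: str, src_ip: str) -> Tuple[str, str]:
        """Return (verdict, reason) for a new connection arriving on
        `interface` with source address `src_ip`."""
        src = ipaddress.IPv4Address(src_ip)

        # 1. Custom access rules, first match wins.
        for rule in self.access_rules:
            if rule.interface == interface and src in rule.network:
                verdict = "accept" if rule.action == "Expect" else "drop"
                return verdict, f"AccessRule {rule.action} on {rule.interface} for {rule.network}"

        # 2. Default Access Rule: the source must be routable back out of
        #    the interface the connection arrived on.
        route = self.reverse_lookup(src)
        if route is not None and route.interface == interface:
            return "accept", f"default access rule (route {route.network} via {route.interface})"

        # Reverse lookup failed: drop the connection and log it.
        self.log.append(f"Disallowed by Access Rule: src={src} iface={interface}")
        return "drop", "Disallowed by Access Rule"


def build_example_firewall() -> Firewall:
    """Constructed example: three interfaces plus the two anti-spoofing
    rules from the chapter. Addresses are private/documentation ranges."""
    fw = Firewall()
    fw.add_route("lan", "192.168.1.0/24")   # trusted hosts
    fw.add_route("dmz", "10.0.5.0/24")
    fw.add_route("wan", "0.0.0.0/0")        # default route to the outside
    lan_net = ipaddress.IPv4Network("192.168.1.0/24")
    dmz_net = ipaddress.IPv4Network("10.0.5.0/24")
    fw.access_rules = [
        # Incoming traffic claiming a local trusted source is NOT allowed.
        AccessRule("wan", lan_net, "Drop"),
        AccessRule("wan", dmz_net, "Drop"),
        # Outgoing traffic on lan must carry a lan source address ...
        AccessRule("lan", lan_net, "Expect"),
        # ... anything else on lan is a local host using an outside address.
        AccessRule("lan", ipaddress.IPv4Network("0.0.0.0/0"), "Drop"),
    ]
    return fw


if __name__ == "__main__":
    fw = build_example_firewall()
    for iface, src in [("wan", "192.168.1.77"), ("wan", "203.0.113.9"),
                       ("lan", "203.0.113.9"), ("dmz", "172.16.9.4")]:
        print(iface, src, fw.check_new_connection(iface, src))
    # Troubleshooting step from the chapter: add a route on the arrival
    # interface whose network contains the source, and the default rule
    # stops dropping the connection.
    fw.add_route("dmz", "172.16.9.0/24")
    print("dmz", "172.16.9.4", fw.check_new_connection("dmz", "172.16.9.4"))
    print(fw.log)
```

The dmz interface has no custom rules, so connections arriving there are judged by the default rule alone, which is the behaviour the chapter describes for flows that match no custom access rule. Note that even without the explicit Drop rules on wan, a packet from the outside carrying a 192.168.1.x source would fail the default reverse lookup, because the routing table says that network lives behind lan; the custom rules make the intent explicit and produce a distinct log reason.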