
AppleTalk Device Hiding Filters

AppleTalk device hiding filters restrict the advertisement of services on a router's internetwork by filtering out packets that advertise those services. These filters both prevent users from finding the network addresses of services and provide a level of network security.

In AppleTalk, the Name Binding Protocol (NBP) lets users access services such as file servers and printers. Specifically, it allows a user or application to specify search parameters such as the network entity name and service type, and a zone in which the search should be done. The search is represented in an NBP lookup request sent to the appropriate zone where the service might be. Services matching the search parameters reply directly to the requesting user or application with the AppleTalk address of the service. Once the user or application has received the NBP reply, the user or application can use the AppleTalk address to communicate with the service.

When AppleTalk device hiding filters are enabled on a router, the router drops the NBP replies for specified services. (That is, it does not deliver the replies to the client machine or application that requested them.) Thus, the services are hidden from that part of the network.

A common use of NBP is the Macintosh Chooser application. The user or application issues an NBP lookup, specifying a zone and service type of interest. The lookup is sent to the appropriate zone. All devices or services of the specified type in the zone respond with an NBP reply. The Chooser displays the list of available devices, based on the NBP replies it receives. Using the AppleTalk address supplied in each NBP reply, the user or application can then communicate with the device or service.

If filtering for that device or service location is enabled, the router drops the NBP reply so that a user or application cannot get the network address of these services. Without the NBP reply, the application cannot know about the existence of the device.

NOTE:  Device hiding filters provide a low level of security, but they do have limitations. Because filtering is enabled on a router, if the client machine requesting the address is on the same network as the service, the NBP reply goes directly to the client and the router has no opportunity to filter it out. Additionally, if a client machine knows the address of a specific service, it does not need the NBP reply to access the service.
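A simplified model of the filtering and its same-network limitation, added here as an example and not taken from the router's software. It assumes a single router joining the networks and a hypothetical rule shape of (name, type, zone) with "=" as a wildcard; the sample services are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Service:
    name: str     # NBP object name
    type: str     # NBP service type
    zone: str
    network: int  # AppleTalk network number the service is attached to

@dataclass(frozen=True)
class HideRule:   # hypothetical rule shape; "=" matches any value
    name: str
    type: str
    zone: str

    def matches(self, svc: Service) -> bool:
        pairs = ((self.name, svc.name), (self.type, svc.type), (self.zone, svc.zone))
        # NBP compares names without regard to case
        return all(r == "=" or r.lower() == v.lower() for r, v in pairs)

def visible_services(client_network, lookup_type, lookup_zone, services, rules):
    """Names of services whose NBP replies reach a client on client_network."""
    seen = []
    for svc in services:
        if svc.zone.lower() != lookup_zone.lower():
            continue
        if svc.type.lower() != lookup_type.lower():
            continue
        # Only replies that cross the router can be filtered by it.
        crosses_router = svc.network != client_network
        if crosses_router and any(rule.matches(svc) for rule in rules):
            continue  # router drops the NBP reply; the service stays hidden
        seen.append(svc.name)
    return seen

# Constructed sample data
SERVICES = [
    Service("Payroll LW", "LaserWriter", "Finance", 200),
    Service("HR Files", "AFPServer", "Finance", 200),
    Service("Lobby LW", "LaserWriter", "Finance", 100),
]
RULES = [HideRule("=", "LaserWriter", "Finance")]

if __name__ == "__main__":
    for net in (100, 200):
        print(net, visible_services(net, "LaserWriter", "Finance", SERVICES, RULES))
```

A client on network 200 still sees Payroll LW because that reply never crosses the router, and a client that already holds a service's AppleTalk address is unaffected by any rule.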

You can configure AURP routers to filter service information traveling through an IP tunnel. If a filter is enabled on the tunnel, all networks accessible through the tunnel are affected by service information filters configured for the AURP router.


