17.10 - Applying a Mask to a Filter - Advanced SQL Engine - Teradata Database

Teradata Vantage™ - Advanced SQL Engine Security Administration

Product
Advanced SQL Engine
Teradata Database
Release Number
17.10
Release Date
July 2021
Content Type
Administration
Security
Publication ID
B035-1100-171K
Language
English (United States)

When an IP filter encounters an incoming IP address during a logon, it uses the following process to determine whether or not the IP address is allowed access to Teradata Vantage.

The example process is based on a typical allow element in a restrictive filter. If the filter also contains a deny element, it continues evaluation of the incoming IP until it also applies the deny parameters, which represent exceptions to the allow.
  1. Convert the specified IP in the primary element, for example, the allow element IP 141.206.35.0 in a restrictive filter, to a binary string:
    10001101.11001110.00100011.00000000
  2. Convert the primary element mask, for example 255.255.255.0, to a binary string.
  3. AND the binary string representing the allow element IP with the mask, to obtain the allow result (shown in bold):
    10001101.11001110.00100011.00000000
    11111111.11111111.11111111.00000000
    ___________________________________
     10001101.11001110.00100011.00000000
  4. Examine the incoming IP address and convert it to binary format. For example, convert the incoming IP address 141.206.35.62 to the following binary string:
    10001101.11001110.00100011.00111110
  5. AND the binary incoming IP address with the allow element mask to obtain the incoming IP result (shown in bold):
    10001101.11001110.00100011.00111110
    11111111.11111111.11111111.00000000
    ___________________________________
     10001101.11001110.00100011.00000000
  6. Compare the binary incoming IP result with the allow element IP result (for this example, they are equal).

    A filter has an effect on an incoming logon only if both of the following are true:

    • The incoming IP result matches the allow result.
    • The username in the logon appears in the appliesto element of the filter.
The filter continues to test the incoming IP address against the secondary parameters, in this case, the deny portion of the filter. If the secondary testing denies the logon, it fails, even if the primary testing allows the logon.