16.10 - Applying a Mask to a Filter - Teradata Database

Teradata Database Security Administration

prodname: Teradata Database
vrm_release: 16.10
created_date: June 2017
category: Administration, Security
featnum: B035-1100-161K

When an IP filter encounters an incoming IP address during a logon, it uses the following process to determine whether or not the IP address is allowed access to Teradata Database.

The example process is based on a typical allow element in a restrictive filter. If the filter also contains a deny element, the filter goes on to evaluate the incoming IP address against the deny parameters, which represent exceptions to the allow.
  1. Convert the specified IP in the primary element, for example, the allow element IP 141.206.35.0 in a restrictive filter, to a binary string:
    10001101.11001110.00100011.00000000
  2. Convert the primary element mask, for example 255.255.255.0, to a binary string.
  3. AND the binary string representing the allow element IP with the mask, to obtain the allow result (the line below the rule):
    10001101.11001110.00100011.00000000
    11111111.11111111.11111111.00000000
    ___________________________________
    10001101.11001110.00100011.00000000
  4. Examine the incoming IP address and convert it to binary format. For example, convert the incoming IP address 141.206.35.62 to the following binary string:
    10001101.11001110.00100011.00111110
  5. AND the binary incoming IP address with the allow element mask to obtain the incoming IP result (the line below the rule):
    10001101.11001110.00100011.00111110
    11111111.11111111.11111111.00000000
    ___________________________________
    10001101.11001110.00100011.00000000
  6. Compare the binary incoming IP result with the allow element IP result (for this example, they are equal).

    A filter has an effect on an incoming logon only if both of the following are true:

    • The incoming IP result matches the allow result.
    • The username in the logon appears in the appliesto element of the filter.

The filter continues to test the incoming IP address against the secondary parameters, in this case, the deny portion of the filter. If the secondary testing denies the logon, the logon fails, even if the primary testing allows it.
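
The following Python sketch is an added example, not Teradata code. It carries out steps 1 through 6 and the deny exception on the page's allow element (141.206.35.0 with mask 255.255.255.0). The dictionary layout, the user name `user1`, the deny element 141.206.35.64/255.255.255.192 and the function names are assumptions made for illustration.

```python
import ipaddress

def masked(ip: str, mask: str) -> int:
    """Steps 1-5: convert a dotted-quad IP and mask to integers and AND them.
    ipaddress raises ValueError on a malformed address."""
    return int(ipaddress.IPv4Address(ip)) & int(ipaddress.IPv4Address(mask))

def as_bits(value: int) -> str:
    """Render a 32-bit value in the dotted binary form used on this page."""
    return ".".join(f"{(value >> shift) & 0xFF:08b}" for shift in (24, 16, 8, 0))

def element_matches(element: dict, incoming_ip: str) -> bool:
    """Step 6: the masked incoming IP must equal the masked element IP."""
    mask = element["mask"]
    return masked(incoming_ip, mask) == masked(element["ip"], mask)

def evaluate(filt: dict, username: str, incoming_ip: str) -> str:
    """Return 'no effect', 'allowed' or 'denied' for one logon attempt."""
    # The filter has an effect only if the user is listed in appliesto
    # and the incoming IP result matches the allow result.
    if username not in filt["appliesto"]:
        return "no effect"
    if not element_matches(filt["allow"], incoming_ip):
        return "no effect"
    # Secondary testing: a deny match is an exception to the allow and wins.
    for deny in filt.get("deny", []):
        if element_matches(deny, incoming_ip):
            return "denied"
    return "allowed"

# Constructed sample filter (hypothetical layout, not Teradata's filter syntax).
SAMPLE_FILTER = {
    "appliesto": {"user1"},                                         # assumed user
    "allow": {"ip": "141.206.35.0", "mask": "255.255.255.0"},       # from the page
    "deny": [{"ip": "141.206.35.64", "mask": "255.255.255.192"}],   # assumed
}

if __name__ == "__main__":
    for ip in ("141.206.35.62", "141.206.35.70", "141.206.36.62"):
        result = as_bits(masked(ip, SAMPLE_FILTER["allow"]["mask"]))
        print(ip, result, evaluate(SAMPLE_FILTER, "user1", ip))
```

Because both sides are masked before the comparison, an allow element written with host bits set (for example 141.206.35.5 with the same mask) matches exactly the same addresses as 141.206.35.0.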