How IP addresses work

Each inspection engine monitors traffic between one or more client and server IP addresses.

In an inspection engine definition, IP addresses are defined by using an IP address and a mask. The IP address is a single location, and the mask is a wildcard mechanism by which you define a range of IP addresses.

IP addresses have the format: n.n.n.n, where each n is an eight-bit number (called an octet) in the range 0-255.

For example, an IP address for your PC might be: 192.168.1.3. This address is used in the examples. Since these addresses are binary numbers, the last octet (3) can be represented as: 00000011.

The mask is specified in the same format as the IP address: n.n.n.n. A zero in any bit position of the mask serves as a wildcard. Thus, the mask 255.255.255.240 combined with the IP address 192.168.1.3 matches all values from 0-15 in the last octet, since the value 240 in binary is 11110000. But it matches only the value 192.168.1 in the first three octets, since 255 is all 1s in binary (in other words, no wildcards apply for the first three octets).

Because specifying binary masks can be confusing, IP addresses are grouped in a hierarchical fashion, with all the addresses in one category (for example, desktop computers) grouped in one of the last two octets. Therefore, in practice, the numbers you see most often in masks are either 255 (no wildcard) or 0 (all).

Thus, a mask 255.255.255.255 (which has no zero bits) identifies only the single address that is specified by the IP address (192.168.1.3 in the example).

Alternatively, the mask 255.255.255.0 combined with the same IP address matches all IP addresses beginning with 192.168.1.

Important: Guardium® does not allow the IP address 0.0.0.0, which is sometimes used to indicate all IP addresses. To select all IP addresses when you use an IP address/mask combination, use any nonzero IP address followed by a mask that contains all zeros (for example: 1.1.1.1/0.0.0.0). However, 0.0.0.0/0.0.0.0 is a valid combination.
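The following Python sketch is an added example, not Guardium code: it applies the bitwise matching described above (a zero mask bit is a wildcard) and the 0.0.0.0 rule, so you can check which addresses an IP address/mask pair covers before you use it. The function names are hypothetical.

```python
import ipaddress

def to_int(dotted):
    """Parse n.n.n.n into a 32-bit integer (ValueError on bad input)."""
    return int(ipaddress.IPv4Address(dotted))

def validate_pair(ip, mask):
    """Reject IP 0.0.0.0 unless the mask is also 0.0.0.0 (rule from the page)."""
    ip_i, mask_i = to_int(ip), to_int(mask)
    if ip_i == 0 and mask_i != 0:
        raise ValueError("0.0.0.0 is only accepted with mask 0.0.0.0")
    return ip_i, mask_i

def matches(ip, mask, candidate):
    """True if candidate equals ip on every bit where the mask bit is 1."""
    ip_i, mask_i = validate_pair(ip, mask)
    return (to_int(candidate) & mask_i) == (ip_i & mask_i)

def matched_range(ip, mask):
    """Return (lowest, highest, count) of the addresses the pair matches.

    The set is one contiguous block only when all zero bits of the mask
    are trailing; count is correct for any mask.
    """
    ip_i, mask_i = validate_pair(ip, mask)
    wild = ~mask_i & 0xFFFFFFFF          # 1 where the mask has a wildcard
    low = ip_i & mask_i
    high = low | wild
    count = 2 ** bin(wild).count("1")
    return str(ipaddress.IPv4Address(low)), str(ipaddress.IPv4Address(high)), count

if __name__ == "__main__":
    # Constructed sample pairs, taken from the addresses used in the text.
    for ip, mask in [("192.168.1.3", "255.255.255.255"),
                     ("192.168.1.3", "255.255.255.240"),
                     ("192.168.1.3", "255.255.255.0"),
                     ("1.1.1.1", "0.0.0.0")]:
        print(ip, mask, matched_range(ip, mask))
```

Note that 192.168.1.3 with mask 255.255.255.240 covers 192.168.1.0 through 192.168.1.15, not a range that starts at .3, because the masked-out bits of the IP address are ignored.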