Packet Filtering - JohnRouda.com
Posted: 11/30/2011
Chapter 6

Packet Filtering



Objectives

After reading this chapter and completing the exercises, you will be able to:

- Describe packets and packet filtering
- Explain the approaches to packet filtering
- Recommend specific filtering rules

Understanding Packets and Packet Filtering

1. A packet filter acts like a ticket-taker in a multiplex movie theatre. The ticket-taker’s task is to admit only those with valid tickets—that is, tickets for a particular film, on a particular day, at a particular time. Similarly, a packet filter reviews the packet header before sending it on its way to a specific location within the network.

Packet-Filtering Devices

1. The following hardware devices and software programs perform packet filtering:

- Routers
- Operating systems
- Software firewalls

Anatomy of a Packet

1. TCP/IP provides for the transmission of data in small, manageable chunks called packets. Note that each packet carries the following IP header information:

- Version
- Internet header length
- Type of service
- Total length
- Identification
- Flags
- Fragment offset
- Time to Live (TTL)
- Protocol
- Header checksum
- Source address
- Destination address
- Options
- Data

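The header fields listed above can be pulled out of a raw packet with a few lines of code. The following Python example is added here and is not part of the original chapter: it unpacks a constructed 20-byte IPv4 header, verifies the RFC 791 header checksum, names the Protocol field value, and reports whether the Flags and Fragment offset fields mark the packet as a fragment. The build_ipv4_header helper exists only to construct sample input for the demonstration.

```python
import struct
from dataclasses import dataclass

# Values of the IP header's Protocol field (IANA assigned numbers).
PROTOCOL_NAMES = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP"}


@dataclass
class IPv4Header:
    version: int
    ihl: int               # Internet header length, in 32-bit words
    tos: int               # Type of service
    total_length: int
    identification: int
    flags: int             # 3 bits: reserved, DF (don't fragment), MF (more fragments)
    fragment_offset: int   # in 8-byte units
    ttl: int
    protocol: int
    checksum: int
    src: str
    dst: str
    options: bytes
    checksum_ok: bool

    @property
    def protocol_name(self) -> str:
        return PROTOCOL_NAMES.get(self.protocol, str(self.protocol))

    @property
    def is_fragment(self) -> bool:
        # Either the More Fragments bit is set or this piece starts after offset 0.
        return bool(self.flags & 0x1) or self.fragment_offset != 0


def ip_checksum(data: bytes) -> int:
    """RFC 791 header checksum: one's-complement of the one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_header(raw: bytes) -> IPv4Header:
    """Parse the fixed 20-byte header plus any options; reject malformed input early."""
    if len(raw) < 20:
        raise ValueError("too short for an IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4:
        raise ValueError(f"not IPv4 (version={version})")
    if ihl < 5 or len(raw) < ihl * 4:
        raise ValueError("bad IHL or truncated header")
    header = raw[: ihl * 4]
    return IPv4Header(
        version=version, ihl=ihl, tos=tos, total_length=total_len, identification=ident,
        flags=flags_frag >> 13, fragment_offset=flags_frag & 0x1FFF, ttl=ttl, protocol=proto,
        checksum=csum, src=".".join(map(str, src)), dst=".".join(map(str, dst)),
        options=header[20:],
        # A header whose checksum is intact sums (with the checksum field included) to zero.
        checksum_ok=ip_checksum(header) == 0,
    )


def build_ipv4_header(src, dst, protocol, payload_len=0, ttl=64, ident=0x1234, flags=0, frag_off=0):
    """Constructed sample header with a correct checksum (demo input only, no options)."""
    def to_bytes(addr):
        return bytes(int(x) for x in addr.split("."))
    without_csum = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                               (flags << 13) | frag_off, ttl, protocol, 0, to_bytes(src), to_bytes(dst))
    csum = ip_checksum(without_csum)
    return without_csum[:10] + struct.pack("!H", csum) + without_csum[12:]


if __name__ == "__main__":
    sample = build_ipv4_header("203.0.113.5", "192.168.0.1", 6, payload_len=20)
    hdr = parse_ipv4_header(sample)
    print(hdr.src, "->", hdr.dst, hdr.protocol_name, "ttl", hdr.ttl, "checksum ok:", hdr.checksum_ok)
```

A filter that trusts the Protocol, source and destination fields should first confirm the header checksum and the IHL bounds, otherwise a damaged or deliberately malformed header can steer a later rule comparison.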





Packet-Filtering Rules

1. Packet filtering is the procedure by which packet headers are inspected by a router or firewall to make a decision on whether to let the packet pass. The packet-filtering device evaluates the information in the header and compares it to the rules that have been set up.

2. Norton Internet Security 2002’s built-in firewall has an easy way to identify computers on the local network: it puts them in a list of machines in a trusted zone. Note that other firewall programs require you to set up rules yourself. Typically, you start with a protocol such as ICMP, UDP, or HTTP. Your first rule may well be to block all traffic that uses that protocol on all ports. In subsequent rules, you identify the types of communication you want to permit, based on time of day, port, IP address, or other criteria.

Quick Quiz

1. True or False: Dropping all packets that use the IP header source routing feature is a common rule for packet filtering.

Answer: True

2. _____ is an 8-bit value that identifies the maximum time a packet can remain in the system before it is dropped.

Answer: Time to Live (TTL)

3. A packet-filtering device evaluates the information in the _____ of a packet and compares that information to the rules that have been set up.

Answer: header

Packet-Filtering Methods

1. The sections that follow explore different approaches to filtering packets based on selected header contents.

Stateless Packet Filtering

1. Stateless packet filtering does not pay attention to the state of the connection when making decisions about blocking or allowing packets. However, stateless packet filters are useful for completely blocking traffic from a subnet or other network.

2. Some of the most common criteria that a stateless filter can be configured to use are IP header information, the TCP or UDP port number being used, the ICMP message type, fragmentation flags, TCP flags such as ACK and SYN, and suspect inbound IP addresses (an external packet that contains an internal address).

Filtering on IP Header Criteria

1. A stateless filter looks at each packet’s header individually. It compares the header data against its rule base and acts on each packet as soon as a rule is found that matches the specifics of that packet. For instance, if the filter has a rule stating that all connections from outside the network are to be blocked and it receives a request from an external host, it drops the packet(s) associated with that request. Or, if it has a rule that all incoming HTTP traffic needs to be routed to the public Web server at IP address 192.168.100.2, it sends any HTTP packets to 192.168.100.2.

Protocol  Transport Protocol  Source IP    Source Port  Destination IP  Destination Port  Action
HTTP      TCP                 Any          Any          192.168.0.1     80                Allow
HTTPS     TCP                 Any          Any          192.168.0.1     443               Allow
Telnet    TCP                 10.0.0.1/24  Any          192.168.0.5     223               Allow


2. Packets can also be filtered based on the IP protocol ID field in the header. The filter can use this field to allow or deny traffic attempting to connect to a particular service, including the following:

- TCP (Protocol number 6)
- UDP (Protocol number 17)
- IGMP (Protocol number 2)
- ICMP (Protocol number 1)

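Taken together, the rule table and the protocol-number list describe a first-fit, stateless rule base. The Python below is an added example, not code from the chapter: it encodes the table above as data, appends a Deny rule keyed only on the IP protocol number, and evaluates constructed packets in rule order, falling through to an implicit deny when nothing matches. The leading "Block one host" rule for 10.0.0.13 is an assumption added to show that rule order decides the outcome for a host that a later rule would otherwise allow.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Values of the IP header's Protocol field.
ICMP, IGMP, TCP, UDP = 1, 2, 6, 17


@dataclass(frozen=True)
class Packet:
    """The header fields a stateless filter inspects (constructed, not parsed from the wire)."""
    protocol: int
    src: str
    dst: str
    sport: Optional[int] = None   # None for protocols without ports (ICMP, IGMP)
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                     # "Allow" or "Deny"
    protocol: Optional[int] = None  # None = any protocol number
    src: Optional[str] = None       # CIDR prefix; None = Any
    sport: Optional[int] = None     # None = Any
    dst: Optional[str] = None
    dport: Optional[int] = None

    @staticmethod
    def _in_net(addr: str, net: Optional[str]) -> bool:
        if net is None:
            return True
        # strict=False accepts host-style notation such as 10.0.0.1/24, as written in the table.
        return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)

    def matches(self, pkt: Packet) -> bool:
        if self.protocol is not None and pkt.protocol != self.protocol:
            return False
        if self.sport is not None and pkt.sport != self.sport:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return self._in_net(pkt.src, self.src) and self._in_net(pkt.dst, self.dst)


# The chapter's table, in order, bracketed by two illustrative rules (assumptions).
RULE_BASE: List[Rule] = [
    Rule("Block one host", "Deny", protocol=TCP, src="10.0.0.13/32"),            # assumed
    Rule("HTTP", "Allow", protocol=TCP, dst="192.168.0.1", dport=80),
    Rule("HTTPS", "Allow", protocol=TCP, dst="192.168.0.1", dport=443),
    Rule("Telnet", "Allow", protocol=TCP, src="10.0.0.1/24", dst="192.168.0.5", dport=223),
    Rule("No IGMP", "Deny", protocol=IGMP),                                       # protocol-ID rule
]


def filter_packet(pkt: Packet, rules: List[Rule] = RULE_BASE) -> Tuple[str, str]:
    """First-fit evaluation: the first matching rule decides; a packet matching nothing is denied."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "Deny", "implicit default"


if __name__ == "__main__":
    for pkt in (Packet(TCP, "203.0.113.5", "192.168.0.1", 51000, 80),
                Packet(TCP, "10.0.0.13", "192.168.0.5", 51000, 223),
                Packet(UDP, "203.0.113.5", "192.168.0.1", 5353, 53)):
        print(pkt, "->", filter_packet(pkt))
```

Because evaluation stops at the first match, a narrow Deny placed above a broad Allow is honoured, while the same Deny placed below it would never be reached; reordering rules is therefore a behavioural change, not a cosmetic one.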



Filtering by TCP or UDP Port Number

1. Filtering by TCP or UDP port number is commonly called port filtering or protocol filtering. Using TCP or UDP port numbers can help you filter a wide variety of information, including SMTP and POP e-mail messages, NetBIOS sessions, DNS requests, and Network News Transfer Protocol (NNTP) newsgroup sessions. For instance, you can block everything but TCP Port 80 for Web, TCP Port 25 for e-mail, and TCP Port 21 for FTP.

Filtering by ICMP Message Type

1. Internet Control Message Protocol (ICMP) is a general management protocol for TCP/IP, helping networked systems and administrators diagnose various communication problems and communicate certain status information. From a security standpoint, ICMP packets have a downside: they may be used in some situations by attackers to crash computers on your network. Because ICMP has no authentication method to verify the recipient of a packet, attackers may attempt to engineer man-in-the-middle attacks, in which they redirect network traffic using the ICMP Redirect message.

ICMP Message Codes

ICMP Type  Name                         Possible Cause
0          Echo reply                   Normal response to a ping
3          Destination Unreachable      Destination unreachable
3 code 6   Destination network unknown  Destination network unknown
3 code 7   Destination host unknown     Destination host unknown
4          Source quench                Router receiving too much traffic
5          Redirect                     Faster route located
8          Echo request                 Normal ping request
11         Time exceeded                Too many hops to destination
12         Parameter problem            There is a problem with a parameter

Filtering by Fragmentation Flags

1. Fragmentation of IP packets isn’t bad in theory. Fragmentation was originally developed as a means of enabling large packets to pass through early routers that had frame size limitations. Routers were able to divide packets into multiple fragments and send them along the network, where receiving routers would reassemble them in the correct order and pass them to their destination.

Filtering by ACK Flag

1. A single bit of information in a TCP packet—the ACK bit or ACK flag—indicates whether a packet is requesting a connection or whether a connection has already been established. Packets requesting a connection have the ACK bit set to 0; those that are part of an ongoing connection have the ACK bit set to 1. An attacker can insert a false ACK bit of 1 into a packet to fool a host into thinking a connection is ongoing. You should configure the firewall to allow packets with the ACK bit set to 1 to access only the ports you specify and only in the direction you want.

Filtering Suspicious Inbound Packets

1. If a packet arrives at the firewall from the external network but carries a source IP address that belongs to the internal network, the firewall should send an alert message. In Figure 6-6, Tiny Personal Firewall has encountered a request from an external host to access the protected host’s SQL server.

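The alert described above can be produced from a firewall's own log. The Python below is an added example, not part of the chapter: it reads constructed log lines in a netfilter-style key=value layout (the format, interface names and addresses are assumptions for the demo), and raises an alert for every packet that entered on the external interface while claiming a source address from the internal network or another prefix that can never legitimately arrive from outside.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Assumptions for the demo: eth0 faces the Internet; these prefixes must never appear as the
# *source* of a packet arriving on it (our 192.168.0.0/24 plus RFC 1918 space and loopback).
EXTERNAL_IFACES = {"eth0"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("192.168.0.0/24", "10.0.0.0/8", "172.16.0.0/12", "127.0.0.0/8")]

# Constructed log lines (not real firewall output). Line 2 spoofs an internal address toward
# an internal SQL server port; line 4 spoofs loopback; line 3 is normal outbound DNS on eth1.
SAMPLE_LOG = """\
2011-11-30T10:00:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.0.1 PROTO=TCP SPT=51514 DPT=80
2011-11-30T10:00:02 fw kernel: IN=eth0 OUT= SRC=192.168.0.77 DST=192.168.0.20 PROTO=TCP SPT=1234 DPT=1433
2011-11-30T10:00:03 fw kernel: IN=eth1 OUT= SRC=192.168.0.15 DST=198.51.100.8 PROTO=UDP SPT=53411 DPT=53
2011-11-30T10:00:04 fw kernel: IN=eth0 OUT= SRC=127.0.0.1 DST=192.168.0.1 PROTO=ICMP TYPE=8
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) .*?IN=(?P<iface>\S*) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+)(?: .*?DPT=(?P<dpt>\d+))?"
)


def parse_line(line: str) -> Optional[Dict]:
    """Extract timestamp, ingress interface, addresses, protocol and (if present) destination port."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dpt"] = int(rec["dpt"]) if rec["dpt"] else None
    return rec


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def suspicious_inbound(lines: List[str]) -> List[Dict]:
    """Alert on packets that entered on an external interface yet claim an internal source."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["iface"] not in EXTERNAL_IFACES:
            continue  # unparsable, or arrived on a trusted interface
        if is_internal(rec["src"]):
            alerts.append({**rec, "reason": "internal/reserved source address on external interface"})
    return alerts


if __name__ == "__main__":
    for alert in suspicious_inbound(SAMPLE_LOG.splitlines()):
        print(alert["ts"], alert["src"], "->", alert["dst"], alert["proto"], alert["dpt"], alert["reason"])
```

The check is keyed on the ingress interface rather than on the address alone: the same 192.168.0.x source is legitimate on the internal interface (line 3) and suspicious on the external one (line 2).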



Stateful Packet Filtering

1. A stateful filter can do everything a stateless filter can, but with one significant addition: the ability to maintain a record of the state of a connection. By “remembering” which packets are part of an active connection and which are not, the stateful filter can make “intelligent” decisions to allow traffic that is a true reply to an established connection and to deny traffic that represents “crafted” packets containing false information.

2. In addition to a rule base, a stateful filter has a state table, which is a list of current connections. The packet filter compares the packet with the state table as well as the rule base. Entries that match criteria in both the state table and rule base are allowed to pass; all others are dropped.

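The difference between the ACK-flag rule of the stateless section and the state table described here is easiest to see side by side. The Python below is an added example, not code from the chapter: a minimal stateful TCP filter keeps a state table keyed on the connection 4-tuple, admits new connections (ACK=0) only when the rule base permits that direction and port, and admits other packets only when they belong to a tracked connection. A stateless ACK=1 rule is included for contrast. The port sets, addresses and flag sequences are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# TCP flag bits from the TCP header's flags field.
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10

ConnKey = Tuple[str, int, str, int]   # (initiator ip, port, responder ip, port)


@dataclass(frozen=True)
class TcpPacket:
    """Constructed TCP/IP header fields; inbound=True means it arrived from the external network."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    inbound: bool


def stateless_ack_rule(pkt: TcpPacket, client_ports: range = range(1024, 65536)) -> str:
    """The stateless rule 'allow ACK=1 only inbound, only to client ports'. It cannot distinguish a
    genuine reply from a crafted packet that merely carries ACK=1."""
    if pkt.inbound and pkt.flags & ACK and pkt.dport in client_ports:
        return "allow"
    return "drop"


class StatefulFilter:
    def __init__(self, outbound_ports: Set[int], inbound_ports: Set[int]):
        self.outbound_ports = outbound_ports   # rule base: services internal hosts may open
        self.inbound_ports = inbound_ports     # rule base: services exposed to external hosts
        self.state: Dict[ConnKey, str] = {}    # the state table: connection -> state

    def _lookup(self, pkt: TcpPacket) -> Optional[ConnKey]:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.state:
            return fwd
        if rev in self.state:
            return rev
        return None

    def process(self, pkt: TcpPacket) -> str:
        key = self._lookup(pkt)
        if key is not None:
            # Belongs to a tracked connection: a true reply. Track handshake and teardown.
            if pkt.flags & (FIN | RST):
                del self.state[key]          # real filters age entries out; simplified here
            elif pkt.flags & SYN and pkt.flags & ACK:
                self.state[key] = "ESTABLISHED"
            return "allow"
        if pkt.flags & SYN and not pkt.flags & ACK:
            # New connection request (ACK=0): consult the rule base for this direction.
            permitted = self.inbound_ports if pkt.inbound else self.outbound_ports
            if pkt.dport in permitted:
                self.state[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = "SYN_SENT"
                return "allow"
            return "drop"
        # ACK=1 (or any other flags) with no state table entry: crafted or stale, drop it.
        return "drop"


if __name__ == "__main__":
    fw = StatefulFilter(outbound_ports={80, 443}, inbound_ports=set())
    fw.process(TcpPacket("192.168.0.10", 40000, "203.0.113.5", 80, SYN, inbound=False))
    fw.process(TcpPacket("203.0.113.5", 80, "192.168.0.10", 40000, SYN | ACK, inbound=True))
    crafted = TcpPacket("203.0.113.99", 80, "192.168.0.10", 40001, ACK, inbound=True)
    print("stateless:", stateless_ack_rule(crafted), "stateful:", fw.process(crafted))
```

The crafted inbound packet passes the stateless rule (ACK=1, client port) but is dropped by the stateful filter because no outbound request ever created a state table entry for it.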

Filtering Based on Packet Contents

1. Some stateful firewalls are able to examine the contents of packets as well as the headers for signs that they are legitimate. Such content filtering is sometimes called stateful inspection. For example, active FTP might use a variety of different ports that are determined on the fly as a session is initiated. A stateless or stateful packet filter that supports active FTP must allow all traffic coming from TCP Port 20 as well as outbound traffic coming from ports above 1023. However, a stateful inspection looks at the data part of the FTP command packets and can determine which ports are to be used for the session; instead of opening all possible FTP ports, the packet filter opens ports as needed. After the session is done, the ports are closed again.

Quick Quiz

1. True or False: Stateless packet filtering is a more secure approach than stateful packet filtering.

Answer: False

2. The technique by which a hacker inserts a false source IP address in the packet header is called _____.

Answer: IP spoofing

3. Because ICMP packets have no authentication method to verify the recipient of a packet, hackers can attempt _____ attacks, in which they impersonate the intended recipient.

Answer: man-in-the-middle

4. Packets requesting a connection have the ACK bit set to _____.

Answer: 0 (zero)

5. A stateful filter has a list of current connections, called the _____.

Answer: state table

6. Filtering based on packet contents is also referred to as _____ inspection.

Answer: stateful

Setting Specific Packet-Filter Rules

1. The trick in coming up with packet filter rules is to account for all possible ports that a type of communication might use or for all variations within a particular protocol (for instance, passive and active FTP or standard HTTP and secure HTTP). Some of this comes by trial and error. For instance, an employee complains that he or she can’t communicate with someone using MSN Messenger, and you adjust the packet filter’s rule base accordingly (after consulting the security policy, of course).

Best Practices for Firewall Rules

1. In practice, configuring firewall rule sets can be something of a nightmare. Logic errors in the preparation of the rules can cause unintended behavior, such as allowing access instead of denying it, specifying the wrong port or service type, or causing the network to misroute traffic. These and myriad other mistakes can turn a device designed to protect communications into a choke point. For example, a novice firewall administrator might improperly configure a virus-screening e-mail gateway (think of it as a type of e-mail firewall), thus blocking all incoming e-mail instead of only e-mail that contains malicious code. Each firewall rule must be carefully crafted, placed into the list in the proper sequence, debugged, and tested. The proper rule sequence ensures that the most resource-intensive actions are performed after the most restrictive ones, thereby reducing the number of packets that undergo intense scrutiny.

Rules That Cover Multiple Variations

1. Packet-filter rules must account for all possible ports that a type of communication might use or for all variations within a particular protocol (for instance, passive and active FTP or standard HTTP and secure HTTP). This is a tricky process; rules are often created and modified as a result of trial and error. For example, an employee complains that he or she can’t communicate with someone using MSN Messenger, and you adjust the packet filter’s rule base accordingly (after consulting the security policy, of course).

Rules for ICMP Packets

1. The most common command that uses ICMP is Packet Internet Groper (commonly called ping). The command determines whether a host is reachable on the network. To prevent hackers from using the ping command to identify some of your resources, you need to establish specific ICMP rules that cover common ICMP messages. The following table provides some rules that enable you to send and receive the ICMP packets you need while blocking those that open your internal hosts to intruders.

Rule  Protocol       Transport Protocol  Source IP       Destination IP  ICMP Message             Action
1     ICMP Inbound   ICMP                Any             Any             Source Quench            Allow
2     ICMP Outbound  ICMP                192.168.2.1/24  Any             Echo Request             Allow
3     ICMP Inbound   ICMP                Any             192.168.2.1/24  Echo Reply               Allow
4     ICMP Inbound   ICMP                Any             192.168.2.1/24  Destination Unreachable  Allow
5     ICMP Inbound   ICMP                Any             192.168.2.1/24  Service Unavailable      Allow
6     ICMP Inbound   ICMP                Any             192.168.2.1/24  Time To Live (TTL)       Allow
7     ICMP Inbound   ICMP                Any             192.168.2.1/24  Echo Request             Drop
8     ICMP Inbound   ICMP                Any             192.168.2.1/24  Redirect                 Drop
9     ICMP Outbound  ICMP                192.168.2.1/24  Any             Echo Reply               Drop
10    ICMP Outbound  ICMP                192.168.2.1/24  Any             TTL Exceeded             Drop
11    ICMP Block     ICMP                Any             Any             All                      Drop

Rules That Enable Web Access

1. The first priority of employees in a protected network is (not surprisingly) to be able to surf the Web and exchange e-mail messages. The rules for accessing the Web need to cover both standard HTTP traffic on TCP Port 80 and Secure HTTP (HTTPS) traffic on TCP Port 443.

Rules That Enable DNS

1. To connect to Web sites, the employees in our sample organization need to be able to resolve the fully qualified domain names (FQDNs) they enter, such as course.com, to their corresponding IP addresses using the Domain Name System (DNS). Internal users connect to external hosts using a DNS server located in the DMZ of the security perimeter. DNS uses either UDP Port 53 or TCP Port 53 for connection attempts. In addition, you need to set up rules that enable external clients to access computers in your own network using the same TCP and UDP ports.

Rules That Enable FTP

1. FTP transactions can be either of the active or the passive variety. The rules you set up for FTP need to support two separate connections: TCP Port 21, which is the FTP Control port, and TCP Port 20, which is the FTP Data port.

Rules That Enable E-Mail

1. E-mail service is one of the most essential forms of communication in both personal and office environments. Yet setting up firewall rules that permit the filtering of e-mail messages is not trivial. One reason is the variety of e-mail protocols that might be used:

- Post Office Protocol version 3 (POP3) and Internet Message Access Protocol version 4 (IMAP4) for inbound mail transport
- Simple Mail Transfer Protocol (SMTP) for outbound mail transport
- Lightweight Directory Access Protocol (LDAP) for looking up e-mail addresses
- HyperText Transport Protocol (HTTP) for Web-based mail service

Quick Quiz

1. The rules for accessing the Web need to cover both standard HTTP traffic on TCP Port 80 as well as Secure HTTP (HTTPS) traffic on TCP Port _____.

Answer: 443

2. DNS uses either TCP Port 53 or _____ Port 53 for connection attempts.

Answer: UDP

3. True or False: The rules you set up for FTP need to support three separate connections.

Answer: False

4. If some clients in your network support active FTP, you can’t specify a particular port because the client can establish a connection with the FTP server at any port above _____.

Answer: 1023

Class Discussion Topics

1. Discuss stateless and stateful packet filtering. What are the pros and cons of each approach?

2. Discuss how a hacker might use IP spoofing to gain access to a company’s network.

3. Discuss the relevance of filtering based on packet contents rather than the packet header.

Additional Case Projects

1. Ask students to come up with a table of rules for an Internet-accessible Web server assuming the “first fit” approach.

2. Ask students to come up with a table of packet-filter rules for a Web-based mail service.

Further Readings or Resources

1. For information on stateful inspection, see: www.webopedia.com/TERM/S/stateful_inspection.html.

2. For an article on IPSec Packet Filtering, see: www.windowswebsolutions.com/Articles/Index.cfm?ArticleID=25935.
