Download Firewalls 24seven
Transcript
This chapter discusses "pure" packet filtering: packet filtering when not combined with proxy or Network Address Translation functions. Pure packet filters are still in use all over the place, so this discussion remains very current. How Stateless Packet Filters Work Packet filters are border routers that increase security by determining whether or not to forward a packet based on information contained in the header of every individual packet. Filters can theoretically be configured to determine this based on any part of the protocol header, but most filters can be configured only to filter on the most useful data fields: •Protocol type •IP address •TCP/UDP port •Fragment number •Source routing information The following sections detail each of these fields. Protocol Filtering Protocol filtering filters packets based on the content of the IP protocol field. The protocol field can be used to discriminate against entire suites of services, such as: •UDP •TCP •ICMP •IGMP For example, if you have a single-purpose server serving a TCP-based service like HTTP, you could filter out all UDP services. Unfortunately, the protocol field is so general (only four common protocols are available to filter on) that most servers and routers will have to leave all of them open. IP Address Filtering IP address filtering allows you to limit connections to (or from) specific hosts and networks based on their IP address. Most filters allow you to either deny access to all hosts except an accepted list or allow access to all hosts except a denied list. Specific denial of certain hosts is almost worthless, since you'd have to keep track of every hacker that had ever attacked your network and assume that they have no way to gain information from a different IP address, which they always will. Relying on specific denial is not a strong security policy. Specific acceptance of certain host addresses provides particularly strong security, however; it is the strongest form of security that a stateless packet filter can provide. By denying access to all hosts except a list of known IP addresses, you can ensure that your routers can only be reached by the IP addresses of machines or networks you know about. This list could be other networks in your organization, the networks of your customers, or the networks of work-at-home users. By denying access to all other IP addresses, you make it nearly impossible for a hacker to exploit your network. To hack into your network, a hacker would have to have access to your list of allowed IP addresses. It is possible for hackers to use source-routing, (explained in detail in the next section), to "spoof" IP addresses. Source routing would allow a hacker to put an allowed address into a packet and then capture the return by specifying that responses are routed back to his computer. For this reason, packet filters should always be configured to drop source routed packets.