Download Firewalls 24seven

Transcript
This chapter discusses "pure" packet filtering: packet filtering when not combined with proxy or
Network Address Translation functions. Pure packet filters are still in use all over the place, so this
discussion remains very current.
How Stateless Packet Filters Work
Packet filters are border routers that increase security by determining whether or not to forward a
packet based on information contained in the header of every individual packet. Filters can
theoretically be configured to determine this based on any part of the protocol header, but most
filters can be configured only to filter on the most useful data fields:
•Protocol type
•IP address
•TCP/UDP port
•Fragment number
•Source routing information
The following sections detail each of these fields.
Protocol Filtering
Protocol filtering filters packets based on the content of the IP protocol field. The protocol field can
be used to discriminate against entire suites of services, such as:
•UDP
•TCP
•ICMP
•IGMP
For example, if you have a single-purpose server serving a TCP-based service like HTTP, you
could filter out all UDP services. Unfortunately, the protocol field is so general (only four common
protocols are available to filter on) that most servers and routers will have to leave all of them open.
IP Address Filtering
IP address filtering allows you to limit connections to (or from) specific hosts and networks based
on their IP address. Most filters allow you to either deny access to all hosts except an accepted list
or allow access to all hosts except a denied list.
Specific denial of certain hosts is almost worthless, since you'd have to keep track of every hacker
that had ever attacked your network and assume that they have no way to gain information from a
different IP address, which they always will. Relying on specific denial is not a strong security
policy.
Specific acceptance of certain host addresses provides particularly strong security, however; it is
the strongest form of security that a stateless packet filter can provide. By denying access to all
hosts except a list of known IP addresses, you can ensure that your routers can only be reached by
the IP addresses of machines or networks you know about. This list could be other networks in your
organization, the networks of your customers, or the networks of work-at-home users. By denying
access to all other IP addresses, you make it nearly impossible for a hacker to exploit your network.
To hack into your network, a hacker would have to have access to your list of allowed IP
addresses.
It is possible for hackers to use source-routing, (explained in detail in the next section), to "spoof" IP
addresses. Source routing would allow a hacker to put an allowed address into a packet and then
capture the return by specifying that responses are routed back to his computer. For this reason,
packet filters should always be configured to drop source routed packets.