Internet Security for Your LAN
As in the real world, attacks and threats on the Internet don't just occur randomly; they happen in predictable ways. We suggest that you use the layered network protocol stack model to analyze Internet security. Figure 1 shows what we mean. Different levels in the seven-layer model are vulnerable to attack in different ways, all of which can be dangerous if successful. Most of the attacks you'll hear about in the media occur at the application layer, going after Web servers and browsers and the information that they have access to, but application-layer attacks on open file shares are also common.
Figure 1: Security vulnerabilities against the seven-layer model
It's ridiculous to think that an array of defenses against many specific threats is worthwhile because, like the Maginot Line, the defense fails the first time that an unanticipated threat shows up. The same insight that lets you understand attacks in terms of how they operate against the seven-layer model, however, also lets you deploy defenses against entire classes of threats at once. Two main approaches have proven extremely valuable:
Packet filters: You can examine traffic at the network layer, looking at the source and destination addresses. The filter can disallow traffic to or from specific addresses or address ranges and can disallow traffic with suspect address patterns.
Firewalls: You can also examine traffic as high as the application layer, checking ports in message addresses or even checking the internal content of specific application messages. Traffic that fails any of those tests can be rejected.
The next three sections teach you the different ways to implement both packet filters and firewalls.
TCP/IP addresses are composed of both a machine address and, within the machine, a port number identifying the program that handles the message. The combined address/port information is present for both the sender and the receiver in every TCP/IP message, with the exception of broadcasts and some of the messages exchanged while a TCP/IP address is being assigned via the DHCP protocol.
Packet filters, operating at a more primitive level than firewalls, tend to look at the TCP/IP addresses but not the port numbers or the internal content of messages. Nevertheless, packet filters offer good security tools to help protect your network.
Packet filters generally operate using a top-to-bottom list of rules. For example, a typical rule set might be the following:
Permit all outgoing traffic.
Deny new incoming connections.
Accept everything else.
This is a somewhat secure setup because (subject to some attacks) it rejects unsolicited connection attempts from the Internet to your computers. It explicitly protects against unauthorized access to shared drives and files because it blocks incoming traffic using TCP. A filter using this pattern does have one significant impact on users: It breaks the normal operation between FTP clients and servers, which requires the server to initiate a connection when starting a transfer. Essentially all FTP software today supports the PASV mode, which is a workaround designed just for this problem. By setting the client to request PASV mode exchanges with the server, you cause all connections to be initiated by the client so that you can use this filter.
The common application of a filter such as this is to deploy it in a router connecting your computer to the Internet (see Figure 2). By placing the filter between the LAN and the Internet, you're guaranteed that all Internet traffic goes through the filter.
Figure 2: Packet filter deployment
If your packet filter software is capable enough to examine the subnet of the source address based on which physical port delivers the message to the router, you can set up rules to avoid spoofed TCP/IP addresses, as described in the text in Figure 2. The idea behind spoofing is for messages from the Internet to appear to have originated from your LAN; the spoofing filter prevents this by rejecting messages coming on a port with impossible source addresses. The antispoofing filter is an important part of protecting machines on your network on which you've installed filters to limit particular services to machines on your subnet. For instance, suppose that you've installed software on a Linux machine to act as a Windows network file server. You can configure Linux to reject all network traffic originating outside your subnet, preventing computers on the Internet from seeing the file server. If an attacker could pretend to be on your LAN, that safeguard would be bypassed. Defeat that attack with the antispoofing filter.
Packet filters are good, but they aren't bulletproof. They generally don't protect against attacks using the UDP protocol; because there's no formal connection opening with UDP as there is with TCP, the filter can't reject the opening message. Packet filters also might not protect against lower-level attacks, such as intentionally malformed ping messages, often called the "Ping of Death." Technically, the messages involved are Internet Control Message Protocol (ICMP) echo requests, but the common term is ping.
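The three-rule filter above, the antispoofing rule tied to the physical port, and the UDP limitation can all be seen in one small rule evaluator. This is an added illustration, not code from the original text; the LAN subnet, the "lan"/"wan" port names and the sample packets are constructed for the example, and "new incoming connection" is modelled as a TCP SYN without ACK arriving on the Internet side.

```python
import ipaddress
from dataclasses import dataclass

LAN = ipaddress.ip_network("192.168.1.0/24")   # constructed LAN subnet behind the router

@dataclass
class Packet:
    iface: str          # router port the packet arrived on: "lan" or "wan"
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    syn: bool = False   # TCP flags: a SYN without ACK opens a new connection
    ack: bool = False

def antispoof(p):
    # Reject Internet-side packets that claim a source address inside the LAN
    if p.iface == "wan" and ipaddress.ip_address(p.src) in LAN:
        return "deny"

def permit_outgoing(p):
    # Rule 1: permit all outgoing traffic
    if p.iface == "lan":
        return "permit"

def deny_new_incoming(p):
    # Rule 2: only a TCP connection opening is refused; UDP has no opening message to catch
    if p.iface == "wan" and p.proto == "tcp" and p.syn and not p.ack:
        return "deny"

RULES = [antispoof, permit_outgoing, deny_new_incoming]

def filter_packet(p, rules=RULES):
    # Top-to-bottom evaluation: the first rule that gives a verdict wins
    for rule in rules:
        verdict = rule(p)
        if verdict:
            return verdict
    return "permit"   # Rule 3: accept everything else

SAMPLES = {   # constructed sample traffic, using the documentation address ranges
    "lan_browser_to_web": Packet("lan", "tcp", "192.168.1.10", "203.0.113.5", 80, syn=True),
    "web_server_reply": Packet("wan", "tcp", "203.0.113.5", "192.168.1.10", 49152, syn=True, ack=True),
    "internet_probe_smb": Packet("wan", "tcp", "198.51.100.7", "192.168.1.20", 445, syn=True),
    "active_ftp_data": Packet("wan", "tcp", "203.0.113.9", "192.168.1.10", 49153, syn=True),
    "spoofed_lan_source": Packet("wan", "udp", "192.168.1.1", "192.168.1.20", 137),
    "unsolicited_udp": Packet("wan", "udp", "198.51.100.7", "192.168.1.20", 137),
}
```

Running the samples through filter_packet shows the file-share probe, the active-mode FTP data connection and the spoofed packet all denied, while the unsolicited UDP datagram is let through, which is exactly the gap described above.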