Inside Network Perimeter Security: Packet Filtering
- TCP/IP Primer: How Packet Filtering Works
- TCP and UDP Ports
- TCP's Three-way Handshake
- The Cisco Router as a Packet Filter
- An Alternative Packet Filter: IPChains
- The Cisco ACL
- Effective Uses of Packet-Filtering Devices
- Egress Filtering
- Tracking Rejected Traffic
- Problems with Packet Filters
- Dynamic Packet Filtering and the Reflexive Access List
Packet filtering is one of the oldest and most widely available means to control access to networks. The concept is simple: Determine whether a packet is allowed to enter or exit the network by comparing some basic identifying pieces of information located in the packet's header. Packet-filtering technology can be found in operating systems, software and hardware firewalls, and as a security feature of most routers.
The goal of this chapter is to explore the highlights and weaknesses of packet-filtering technology and how to implement this technology successfully. We discuss the basics of TCP/IP and how it applies to packet filtering, along with the rules of how to implement packet filters using Cisco router access lists. We explore uses for rules that filter on source address, such as the allowance and prohibition of traffic from given hosts and ingress and egress filters. We also cover filters that examine destination addresses and make decisions based on port numbers and their uses for improved control of traffic flow. We examine the problems of the packet filter, including its weaknesses to spoofing, fragmentation, control of return traffic, and the problems with poking an always-open hole in your defense. Finally, we explore the power of dynamic packet filters and the ways they can help correct many of the downfalls of static packet filtering.
TCP/IP Primer: How Packet Filtering Works
Before we go into the details of packet filtering, it is necessary to understand the construct and technologies behind the TCP/IP protocol and its associated packets.
When systems on a network communicate, they need to speak the same language, or protocol. One such protocol suite is TCP/IP, the primary communications language of the Internet. To facilitate such communications, the information you send needs to be broken down into manageable pieces called packets. Packet headers are small segments of information that are stuck at the beginning of a packet to identify it.
The IP portion of TCP/IP stands for Internet Protocol. It is responsible for identifying the packets (by their IP address) and for guiding them to their destination. IP packets are directed, or routed, by the values located in their packet headers. These identifiers hold information about where the packets came from (source address), where they are going (destination address), as well as other information describing the type of service the packet might support, among other things.
When an IP packet arrives at a router, the router checks its destination to see whether it knows how to get to the place where the packet wants to go. If it does, it passes the packet to the appropriate network segment. The fact that a router passes any packet whose destination it is aware of is called implicit permit. Unless further security measures are added, all traffic is allowed in as well as out. For this reason, a method is required to control the information entering and exiting the interfaces of the router.