Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Computer Networks

Chapter 6

advertisement 
Chapter 6
Packet Filtering
Objectives
After reading this chapter and completing the exercises, you will be able to:
 Describe packets and packet filtering
 Explain the approaches to packet filtering
 Recommend specific filtering rules
Understanding Packets and Packet Filtering
1.
A packet filter acts like a ticket-taker in a multiplex movie theatre. The ticket-taker’s task is to admit only
those with valid tickets—that is, tickets for a particular film, on a particular day, at a particular time.
Similarly, a packet filter reviews the packet header before sending it on its way to a specific location
within the network.
Packet-Filtering Devices
1.
The following hardware devices and software programs perform packet filtering:
a. Routers
b. Operating systems
c. Software firewalls
Anatomy of a Packet
1.
TCP/IP provides for the transmission of data in small, manageable chunks called packets. Note that each
packet contains the following header information:
IP Packet Header Information
 Version
 Internet header length
 Type of service
 Total length
 Identification
 Flags
 Fragment offset
 Time to Live (TTL)
 Protocol
 Header checksum
 Source address
 Destination address
 Options
 Data
Packet-Filtering Rules
1.
Packet filtering is the procedure by which packet headers are inspected by a router or firewall to make a
decision on whether to let the packet pass. The packet-filtering device evaluates the information in the
header and compares it to the rules that have been set up.
2.
Norton Internet Security 2002’s built-in firewall has an easy way to identify computers on the local
network: it puts them in a list of machines in a trusted zone. Note that other firewall programs require you
to set up rules yourself. Typically, you start with a protocol such as ICMP, UDP, or HTTP. Your first rule
may well be to block all traffic that uses that protocol on all ports. In subsequent rules, you identify types of
communications you want to permit, based on time of day, port, IP address, or other criteria.
1
Packet-Filtering Methods
1.
The sections that follow explore different approaches to filtering packets based on selected header contents.
Stateless Packet Filtering
1.
Stateless packet filtering does not pay attention to the state of the connection when making decisions about
blocking or allowing packets. However, stateless packet filters are useful for completely blocking traffic
from a subnet or other network.
2.
Some of the most common criteria that a stateless filter can be configured to use are IP header information,
the TCP or UDP port number being used, the ICMP message type, fragmentation flags such as ACK and
SYN, and suspect inbound IP addresses (an external packet that contains an internal address).
Filtering on IP Header Criteria
1.
A stateless filter looks at each packet’s header individually. It compares the header data against its rule
base and forwards each packet as a rule is found to match the specifics of that packet. For instance, if the
filter has a rule stating that all connections from outside the network are to be blocked and it receives a
request from an external host, it drops the packet(s) associated with that request. Or, if it has a rule that all
incoming HTTP traffic needs to be routed to the public Web server at IP address 192.168.100.2, it sends
any HTTP packets to 192.168.100.2.
Protocol
HTTP
HTTPS
Telnet
2.
Transport
Protocol
TCP
TCP
TCP
Source IP
Source Port
Any
Any
10.0.0.1/24
Any
Any
Any
Destination
IP
192.168.0.1
192.168.0.1
192.168.0.5
Destination
Port
80
443
223
Action
Allow
Allow
Allow
Packets can also be filtered based on the IP protocol ID field in the header. The filter can use the data to
allow or deny traffic attempting to connect to a particular service, including the following:
 TCP (Protocol number 6)
 UDP (Protocol number 17)
 IGMP (Protocol number 2)
 CMP (Protocol number 1)
Filtering by TCP or UDP Port Number
1.
Filtering by TCP or UDP port number is commonly called port filtering or protocol filtering. Using TCP or
UDP port numbers can help you filter a wide variety of information, including SMTP and POP e-mail
messages, NetBIOS sessions, DNS requests, and Network News Transfer Protocol (NNTP) newsgroup
sessions. For instance, you can block everything but TCP Port 80 for Web, TCP Port 25 for e-mail, and
TCP Port 21 for FTP.
Filtering by ICMP Message Type
1.
Internet Control Message Protocol (ICMP) is a general management protocol for TCP/IP, helping
networked systems and administrators diagnose various communication problems and communicate certain
status information. From a security standpoint, ICMP packets have a downside: they may be used in some
situations by attackers to crash computers on your network. Because ICMP packets cannot be verified as to
the recipient of a packet, attackers may attempt to engineer man-in-the-middle attacks, in which they
redirect network traffic using the ICMP Redirect message.
2
ICMP Message Codes
ICMP Type
Name
Possible Cause
0
Echo reply
Normal response to a ping
3
Destination Unreachable
Destination unreachable
3 code 6
Destination network unknown
Destination network unknown
3 code 7
Destination host unknown
Destination host unknown
4
Source quench
Router receiving too much traffic
5
Redirect
Faster route located
8
Echo request
Normal ping request
11
Time exceeded
Too many hops to destination
12
Parameter problem
There is a problem with a parameter
Filtering by Fragmentation Flags
1.
Fragmentation of IP packets isn’t bad in theory. Fragmentation was originally developed as a means of
enabling large packets to pass through early routers that had frame size limitations. Routers were able to
divide packets into multiple fragments and send them along the network, where receiving routers would
reassemble them in the correct order and pass them to their destination.
Filtering by ACK Flag
1.
A single bit of information in a TCP packet—the ACK bit or ACK flag—indicates whether a packet is
requesting a connection or whether a connection has already been established. Packets requesting a
connection have the ACK bit set to 0; those that are part of an ongoing connection have the ACK bit set to
1. An attacker can insert a false ACK bit of 1 into a packet to fool a host into thinking a connection is
ongoing. You should configure the firewall to allow packets with the ACK bit set to 1 to access only the
ports you specify and only in the direction you want.
Filtering Suspicious Inbound Packets
1.
If a packet arrives at the firewall from the external network but containing an IP address that is inside the
network, the firewall should send an alert message. In Figure 6-6, Tiny Personal Firewall has encountered a
request from an external host to access the protected host’s SQL server.
Stateful Packet Filtering
1.
A stateful filter can do everything a stateless filter can but with one significant addition: the ability to
maintain a record of the state of a connection. By “remembering” which packets are part of an active
connection and which are not, the stateful filter can make “intelligent” decisions to allow traffic that is a
true reply to an established connection and to deny traffic that represents “crafted” packets that contain
false information.
2.
In addition to a rule base, a stateful filter has a state table, which is a list of current connections. The packet
filter compares the packet with the state table as well as the rule base. Entries that match criteria in both the
state table and rule base are allowed to pass; all others are dropped.
Filtering Based on Packet Contents
1.
Some stateful firewalls are able to examine the contents of packets as well as the headers for signs that they
are legitimate. Such content filtering is sometimes called stateful inspection. For example, active FTP
might use a variety of different ports that are determined on the fly as a session is initiated. A stateless or
stateful packet filter that supports active FTP must allow all traffic coming from TCP Port 20 as well as
outbound traffic coming from ports above 1023. However, a stateful inspection looks at the data part of the
FTP command packets and can determine which ports are to be used for the session; instead of opening all
possible FTP ports, the packet filter opens ports as needed. After the session is done, the ports are again
closed.
3
Setting Specific Packet-Filter Rules
1.
The trick in coming up with packet filter rules is to account for all possible ports that a type of
communication might use or for all variations within a particular protocol (for instance, passive and active
FTP or standard HTTP and secure HTTP). Some of this comes by trial and error. For instance, an employee
complains that he or she can’t communicate with someone using MSN Messenger, and you adjust the
packet filter’s rule base accordingly (after consulting the security policy, of course).
Best Practices for Firewall Rules
1.
In practice, configuring firewall rule sets can be something of a nightmare. Logic errors in the preparation
of the rules can cause unintended behavior, such as allowing access instead of denying it, specifying the
wrong port or service type, or causing the network to misroute traffic. These and myriad other mistakes can
turn a device designed to protect communications into a choke point. For example, a novice firewall
administrator might improperly configure a virus-screening e-mail gateway (think of it as a type of e-mail
firewall), thus blocking all incoming e-mail instead of only e-mail that contains malicious code. Each
firewall rule must be carefully crafted, placed into the list in the proper sequence, debugged, and tested.
The proper rule sequence ensures that the most resource-intensive actions are performed after the most
restrictive ones, thereby reducing the number of packets that undergo intense scrutiny.
Rules That Cover Multiple Variations
1.
Packet-filter rules must account for all possible ports that a type of communication might use or for all
variations within a particular protocol (for instance, passive and active FTP or standard HTTP and secure
HTTP). This is a tricky process; rules are often created and modified as a result of trial and error; for
example, an employee complains that he or she can’t communicate with someone using MSN Messenger,
and you adjust the packet filter’s rule base accordingly (after consulting the security policy, of course).
Rules for ICMP Packets
1.
The most common command to use ICMP is Packet Internet Groper (commonly called ping). The
command determines if a host is unreachable on the network. To prevent hackers from using the ping
command to identify some of your resources, you need to establish specific ICMP commands that cover
common ICMP messages. The following table provides some rules that enable you to send and receive the
ICMP packets you need while blocking those that open your internal hosts to intruders.
Rule Protocol
Transport
Source IP
Destination
ICMP
Action
Protocol
IP
Message
1
ICMP
ICMP
Any
Any
Source
Allow
Inbound
Quench
2
ICMP
ICMP
192.168.2.1/24 Any
Echo
Allow
Outbound
Request
3
ICMP
ICMP
Any
192.168.2.1/24 Echo Reply Allow
Inbound
4
ICMP
ICMP
Any
192.168.2.1/24 Destination
Allow
Inbound
Unreachable
5
ICMP
ICMP
Any
192.168.2.1/24 Service
Allow
Inbound
Unavailable
6
ICMP
ICMP
Any
192.168.2.1/24 Time To
Allow
Inbound
Live (TTL)
7
ICMP
ICMP
Any
192.168.2.1/24 Echo
Drop
Inbound
Request
8
ICMP
ICMP
Any
192.168.2.1/24 Redirect
Drop
Inbound
9
ICMP
ICMP
192.168.2.1/24 Any
Echo Reply Drop
Outbound
10
ICMP
ICMP
192.168.2.1/24 Any
TTL
Drop
Outbound
Exceeded
11
ICMP Block ICMP
Any
Any
All
Drop
4
Rules That Enable Web Access
1.
The first priority of employees in a protected network is (not surprisingly) to be able to surf the Web and
exchange e-mail messages. The rules for accessing the Web need to cover both standard HTTP traffic on
TCP Port 80 as well as Secure HTTP (HTTPS) traffic on TCP Port 443.
Rules That Enable DNS
1.
To connect to Web sites, the employees in our sample organization need to be able to resolve the fully
qualified domain names (FQDNs) they enter, such as course.com, to their corresponding IP addresses using
the Domain Name System (DNS). Internal users connect to external hosts using a DNS server located in
the DMZ of the security perimeter. DNS uses either UDP Port 53 or TCP Port 53 for connection attempts.
In addition, you need to set up rules that enable external clients to access computers in your own network
using the same TCP and UDP ports.
Rules That Enable FTP
1.
FTP transactions can either be of the active or passive variety. The rules you set up for FTP need to support
two separate connections: TCP Port 21, which is the FTP Control port, and TCP 20, which is the FTP Data
port.
Rules That Enable E-Mail
1.
E-mail service is one of the most essential forms of communication in both personal and office
environments. Yet, setting up firewall rules that permit the filtering of e-mail messages is not trivial. One
reason is the variety of e-mail protocols that might be used:
 Post Office Protocol version 3 (POP3) and Internet E-mail Access Protocol version 4
(IMAP4) for inbound mail transport
 Simple Mail Transfer Protocol (SMTP) for outbound mail transport
 Lightweight Directory Access Protocol (LDAP) for looking up e-mail addresses
 HyperText Transport Protocol (HTTP) for Web-based mail service
5
Related documents
Chapter-2
Chapter-2
CIS 617 - NETWORKS & COMMUNICATION
CIS 617 - NETWORKS & COMMUNICATION
View File
View File
Learn TCP/IP Quiz
Learn TCP/IP Quiz
第一讲 - 信息工程学院
第一讲 - 信息工程学院
CSCI4911 SPECIAL TOPICS: COMPUTER SECURITY FINAL EXAM
CSCI4911 SPECIAL TOPICS: COMPUTER SECURITY FINAL EXAM
Optimizing the Extraction of Flow Features through
Optimizing the Extraction of Flow Features through
Download
advertisement