Instructor: Prof. Michael P. HarrisChapter 4

ITSC 2401 – Firewalls and Network SecurityPacket Filtering

Chapter 4

Packet Filtering

LECTURE NOTES

Understanding Packets and Packet Filtering

Some common rules for packet filtering include:

  1. Drop all inbound connections; allow only outbound connections on Ports 80 (HTTP), 25 (SMTP), and 21 (FTP).
  2. Eliminate packets bound for all ports that should not be available to the Internet.
  3. Filter out any ICMP redirect or echo (ping) messages.
  4. Drop all packets that use the IP header source routingfeature.

Devices That Perform Packet Filtering

The following hardware devices and software programs perform packet filtering:

Packet Filtering: /
  • Routers
  • Operating systems
  • Software firewalls

A Quick Tutorial on Packet Filtering

Packet filtering is the procedure by which packet headers are inspected by a router or firewall to make a decision on whether to let the packet pass. The packet-filtering device evaluates the information in the header and compares it to the rules that have been set up.

Anatomy of a Packet

TCP/IP provides for the transmission of datain small, manageable chunks called packets. Note that each packet contains the following header information:

IP Packet Header Information: /
  • Version
  • Internet Header Length
  • Type of Service
  • Total Length
  • Identification
  • Flags
  • Fragment Offset
  • Time to Live (TTL)
  • Protocol
  • Header Checksum
  • Source Address
  • Destination Address
  • Options
  • Data

The Use of Rules

Norton Internet Security 2002’s built-in firewall has an easy way to identify computers on the local network: it puts them in a list of machines in a trusted zone. Note that other firewall programs require you to set up rules yourself. Typically, you start with a protocol such as ICMP, UDP, or HTTP. Your first rule may well be to block all traffic that uses that protocol on all ports. In subsequent rules, you identify types of communications you want to permit, based on time of day, port, IP address, or other criteria.

Approaches to Packet Filtering

The sections that follow explore different approaches to filtering packets based on selected header contents.

Stateless Packet Filtering

  1. A stateless filter looks at each packet’s header individually. It compares the header data against its rule base and forwards only those packets that match a rule. For instance, if the filter has been assigned a rule stating that all connections from outside the network are to be blocked and it receives a request from an external host, it drops the packet(s) associated with that request.
  1. A stateless filter has no means of remembering the packets that preceded it. Some years ago, when packet filters first appeared, this was an adequate level of security. It is now inadequate, because hackers can do IP spoofing and insert false information into a packet header.
  1. The following table shows some filtering rules that combine IP addresses and port numbers to control how hosts gain access to an internal network:

Protocol / Transport Protocol / Source IP / SourcePort / Destination IP / DestinationPort / Action
HTTP / TCP / Any / Any / 192.168.0.1 / 80 / Allow
HTTPS / TCP / Any / Any / 192.168.0.1 / 443 / Allow
Telnet / TCP / 10.0.0.1/24 / Any / 192.168.0.5 / 223 / Allow

Stateful Packet Filtering

  1. A stateful filter can do everything a stateless filter can but with one significant addition: the ability to maintain a record of the state of a connection. By “remembering” which packets are part of an active connection and which are not, the stateful filter can make “intelligent” decisions to allow traffic that is a true reply to an established connection and to deny traffic that represents “crafted” packets that contain false information.
  1. In addition to a rule base, a stateful filter has a state table, which is a list of current connections. The packet filter compares the packet with the state table as well as the rule base. Entries that match criteria in both the state table and rule base are allowed to pass; all others are dropped.

Filtering Based on Packet Contents

Some stateful firewalls are able to examine the contents of packets as well as the headers for signs that they are legitimate. Such content filtering is sometimes called stateful inspection. For example, active FTP might use a variety of different ports that are determined on the fly as a session is initiated. A stateless or stateful packet filter that supports active FTP must allow all traffic coming from TCP Port 20 as well as outbound traffic coming from ports above 1023. However, a stateful inspection looks at the data part of the FTP command packets and can determine which ports are to be used for this session - instead of opening all possible FTP ports, the packet filter opens ports as needed. After the session is done, the ports are again closed.

Setting Specific Packet Filter Rules

The trick in coming up with packet filter rules is to account for all possible ports that a type of communication might use or for all variations within a particular protocol (for instance, passive and active FTP, or standard HTTP and secure HTTP). Some of this comes by trial and error. For instance, an employee complains that he or she can’t communicate with someone using MSN Messenger, and you adjust the packet filter’s rule base accordingly (after consulting the security policy, of course).

Packet Filter Rules That Block Ping Packets

The most common command to use ICMP is Packet Internet Groper (commonly called ping). The command determines if a host is unreachable on the network. To prevent hackers from using the ping command to identify some of your resources, you need to establish specific ICMP commands that cover common ICMP messages. The following table provides some rules that enable you to send and receive the ICMP packets you need while blocking those that open your internal hosts to intruders.

Rule / Protocol / Transport Protocol / Source IP / Destination IP / ICMP Message / Action
1 / ICMP Inbound / ICMP / Any / Any / Source Quench / Allow
2 / ICMP Outbound / ICMP / 192.168.2.1/24 / Any / Echo Request / Allow
3 / ICMP Inbound / ICMP / Any / 192.168.2.1/24 / Echo Reply / Allow
4 / ICMP Inbound / ICMP / Any / 192.168.2.1/24 / Destination Unreachable / Allow
5 / ICMP Inbound / ICMP / Any / 192.168.2.1/24 / Service Unavailable / Allow
6 / ICMP Inbound / ICMP / Any / 192.168.2.1/24 / Time To Live (TTL) / Allow
7 / ICMP Inbound / ICMP / Any / 192.168.2.1/24 / Echo Request / Drop
8 / ICMP Inbound / ICMP / Any / 192.168.2.1/24 / Redirect / Drop
9 / ICMP Outbound / ICMP / 192.168.2.1/24 / Any / Echo Reply / Drop
10 / ICMP Outbound / ICMP / 192.168.2.1/24 / Any / TTL Exceeded / Drop
11 / ICMP Block / ICMP / Any / Any / All / Drop

Packet Filter Rules That Enable Web Access

The first priority of employees in a protected network is (not surprisingly) to be able to surf the Web and exchange e-mail messages. The rules for accessing the Web need to cover both standard HTTP traffic on TCP Port 80 as well as Secure HTTP (HTTPS) traffic on TCP Port 443.

Packet Filter Rules That Enable DNS

To connect to Web sites, the employees in our sample organization need to be able to resolve the fully qualified domain names (FQDNs) they enter, such as course.com, to their corresponding IP addresses using the Domain Name System (DNS). Internal users connect to external hosts using a DNS server located in the DMZ of the security perimeter. DNS uses either UDP Port 53 or TCP Port 53 for connection attempts. In addition, you need to set up rules that enable external clients to access computers in your own network using the same TCP and UDP ports.

Packet Filter Rules That Enable FTP

FTP transactions can either be of the active or passive variety. The rules you set up for FTP need to support two separate connections: TCP Port 21, which is the FTP Control port, and TCP 20, which is the FTP Data port.

Packet Filter Rules That Enable E-Mail

E-mail service is one of the most essential forms of communication in both personal and office environments. Yet, setting up firewall rules that permit the filtering of e-mail messages is not trivial. One reason is the variety of e-mail protocols that might be used:

  1. Post Office Protocol version 3 (POP3) and Internet E-mail Access Protocol version 4 (IMAP4) for inbound mail transport
  2. Simple Mail Transfer Protocol (SMTP) for outbound mail transport
  3. Lightweight Directory Access Protocol (LDAP) for looking up e-mail addresses
  4. HyperText Transport Protocol (HTTP) for Web-based mail service

Class Discussion Topics

  1. Discuss stateless and stateful packet filtering. What are the pros and cons of each approach?
  2. Discuss how a hacker might use IP spoofing to gain access to a company’s network.
  3. Discuss the relevance of filtering based on packet contents rather than the packet header.

Additional Case Projects

  1. Come up with a table of rules for an Internet-accessible Web server assuming the “first fit” approach.
  2. Ask students to come up with a table of packet filter rules for a web-based mail service.

Further Readings or Resources

  1. For information on stateful inspection, see:
  2. For an article on IPSec Packet Filtering, see:

1

Greg Holden, Guide To Firewalls and Network SecurityPage 1

Thompson/Course Technology ©2004 ISBN: 0-619-13039-3