Packet Filters


A packet filter provides the most basic functions of a firewall and can be implemented with a simple router. Indeed, packet-filtering routers were the first type of firewall created to help keep a network safe from intruders. A packet filter examines every network packet that passes through it, and either forwards or drops the packet, according to a set of rules established by the firewall administrator. Just about every router being manufactured today allows you to restrict traffic flowing inward or outward based on the contents of the TCP/IP packet header information.

A packet filter can be configured to block traffic by creating filters for the following:

  • IP addresses: This includes both source and destination addresses. You can specify individual addresses or ranges of addresses.

  • Protocols: Typical protocols include UDP (User Datagram Protocol) and TCP (Transmission Control Protocol).

  • Port numbers: Port numbers are used to identify connections between applications, such as FTP or Telnet. You usually can specify a range of port numbers, or use filters that allow you to say "greater than" or "less than" a port number.

  • Direction: Filtering can be done based on whether the network packet is coming into your network from the Internet or being sent out by a user on your network to the Internet.

Note

As indicated, firewalls stand between your network and the Internet. However, in a large corporate network, firewalls are also typically deployed between different networks that exist within the same company. For example, you might place a firewall between the network used by the payroll department and the network that handles manufacturing computers for your company. Think of a firewall as a locked door, which can be used to keep out those who do not belong. Although usernames and passwords provide a general sort of security within your network, it's probably a good idea to isolate network segments that contain sensitive information from the rest of your network. Usernames and passwords are easily compromised. A properly configured firewall is not.


Filtering on IP Addresses

Chapter 24, "Overview of the TCP/IP Protocol Suite," discusses the information found in the Internet Protocol (IP) packet header. To briefly review, the IP protocol is used by other higher-level protocols (such as TCP and UDP) to provide a connectionless best-effort data-delivery service. To do so, the IP datagram encapsulates the TCP or other protocol segment (which carries the port numbers) by adding source and destination addresses and other header information before sending the datagram farther down the protocol stack, where it is eventually transmitted on the wire bit-by-bit by the physical components of the network.

Routers can be configured easily to examine the contents of the IP header and drop packets that don't match a set of rules that the network or firewall administrator configures on the router. Perhaps the most obvious example is to filter out packets arriving from the Internet that have a source address that falls within the same network address range used on the internal network. Because such a packet, if it were indeed valid, would have to originate inside the network, it shouldn't be coming in from the outside! It is easy to forge IP packets so that the source address, as well as other header information, can be set to anything a hacker desires. A lot of programs are freely available on the Internet to do this.

When a packet with a forged internal source address is sent into your network, it's more likely that the destination server or workstation in your network will accept it as a valid packet, thinking it's coming from a user on the local network, and the packet will be processed as usual. Using this method, it's easy to get packets into your network and actually have them delivered, when they should not be.

This is only one example of a good reason to filter packets based on the IP addressing information in the packet header. Because addresses can be forged, and because it's not practical to list all the millions of addresses that are allocated to computers on the Internet and pick and choose, you need to be cautious when using this kind of specific filtering. For example, suppose your network becomes the subject of a denial-of-service attack. You can use a network analyzer to discover the source addresses of the packets, and quickly insert a rule in the router (or firewall product) database that drops all packets that come from the network from which those packets are coming.

Network analyzers are discussed in Chapter 49, "Network Testing and Analysis Tools."


Filtering Based on Protocols

In the IP packet, a field is used to indicate the type of protocol the packet is carrying data for. For example, if the IP packet is carrying TCP data, the protocol field in the IP header is 6. If it's carrying an ICMP (Internet Control Message Protocol) message, the protocol number is 1. The capability to filter out certain protocols is useful because many of the protocols in use on the Internet were created many years ago when security was not as much of an issue as it is in today's commercial Internet.

Take ICMP, for example. The Ping utility makes use of ICMP packets to determine whether another host is reachable. An ICMP ECHO REQUEST packet is sent to the address of the host computer in question. If it receives the packet, the destination computer sends back an ICMP ECHO REPLY packet. Sounds simple and safe, doesn't it? Well, it is simple, but not necessarily safe. Inside your network, Ping can be a useful tool for quickly determining that somewhere along the network path something is wrong and a computer is not reachable, whether the destination you are pinging is inside your network or on the Internet.

However, just as you wouldn't give out your credit-card number to a stranger, it's not a good idea to give out any information about your network, especially the addresses of the computers on the network, to an outsider. And, that's exactly what the ping command can do. It's easy to write a program that sits back and cycles through a range of IP addresses, sending out ICMP ECHO REQUEST packets and looking to see what replies come back. This saves a malicious hacker time because he now knows that an IP address is in use and can proceed to further try to intrude and compromise the system. Because automated tools are available for continuing the hacker's probe, it's imperative that you keep your network address information secret.

If you've ever received those boring telemarketing calls during the early evening hours, you can understand how this works. The telemarketers just cycle through phone numbers until they get someone to pick up the phone and answer. Allowing ICMP ECHO REPLY packets to respond to requests from outside your network is the equivalent of picking up the phone. Although you can hang up on a telemarketing call, after a hacker has your network address, she can always try back later when you're not around and use a wide variety of tools to probe your system to determine what is needed to get inside.

For this reason, it's usually a good idea to block incoming ICMP ECHO REQUEST packets. You probably don't want to block outgoing packets of the same sort, because they serve a useful purpose. You can allow users inside your network to Ping other servers on the Internet. For example, suppose you want to place an order with a business that has a website, yet it doesn't pop up in your browser when you try to get to its home page. You can use Ping to determine whether the business's computer is on the Net and functioning, and then from there start your troubleshooting efforts to find out why you can't bring up the business's Web page. If you Ping the site and get no response, you can be sure that either it's down or somewhere along the network path a router or another device is not letting traffic get through.

The same goes for you if you offer a service on the Internet. However, in such a case, you should make sure that your Web servers are highly secured and located on a network segment that can limit the damage should these servers be compromised. This network segment is called a demilitarized zone (DMZ), and you'll learn more about that later in this chapter.

Another utility that uses ICMP is Tracert. This command probes the network path and returns a list of all the routers and other intermediary devices it passes through to get to a destination address. Again, this is a useful tool when used properly, but you should block this sort of packet at your firewall. Do you want outsiders to know the addresses of routers and other devices on your network? After an outsider has the address and knows that a computer is online using that address, it's easy to use one of the many hacker tools available on the Internet to begin breaking into the computer.

You can learn more about using the Tracert and Ping commands in Chapter 27, "Troubleshooting Tools for TCP/IP Networks."


Filtering Based on Port Numbers

The TCP and UDP protocols use port numbers in their header information to identify applications. Although filtering based on IP addresses blocks all network traffic from a particular source, you can use filtering rules that block only specific ports. Thus, you might allow customers to interact with Web servers inside your network using the ports set aside for WWW activity (port 80, for typical WWW traffic) but block other ports, such as port 23, which is used for Telnet functions.

As another example, you might want to allow some users to use Telnet (port 23) or FTP (ports 20 and 21) to connect to servers outside the corporate network while denying this capability to others. You can do this by setting up rules in the packet filter and specifying both a host source address and a port number. Ports are a two-way path. You can block incoming connections, outgoing connections, or both for each port.

Packet filtering is an integral component of most every firewall and has several advantages:

  • Usually inexpensive: If you use a router to connect to external sources, you already have the hardware; you just need to configure it.

  • Fast: It does only minimal processing on the header information and does not make decisions based on multiple packets.

  • Flexible: It is easy, although some would say cumbersome, to configure as many address inclusions or exclusions as you like.

However, there are also several disadvantages to using a packet filter firewall:

  • Packet filters perform no authentication: A packet is a packet no matter "who" the sender is. The address is the only thing that counts. This is important because IP addresses, ports, and any other part of the packet can be forged using simple tools available on the Internet.

  • Most system administrators don't take advantage of a router's auditing features: You will most likely not even know that attempts were made to break in to the network; if the router does provide some kind of statistical information, you won't be able to determine where the attack came from. If you turn on logging for every packet that comes through your router, you'll experience a tremendous slowdown in network response time through the router. Selectively logging events is a better option, but then again you might miss important events. Small SOHO routers do not provide logging, so keep that in mind if you use one.

  • Packet filters operate at the network level: They are not very effective at stopping sophisticated attacks that are directed at higher-level protocols, such as TCP.

  • Internal network information is not kept from outside prying eyes: Using ordinary utilities, such as Tracert and Ping, mischievous persons can gain knowledge about your network unless you specifically block the protocol used by these utilities (ICMP).

Note

Although a typical packet filter is fast, more advanced devices offer additional services that can be compute-intensive. Extensive logging is one example. The capability to detect a large number of bad packets coming into the network in a short time can also be useful. Using this technique, packet filters can block access to subsequent packets from the same source. This can be useful during a denial-of-service attack.


If you had the choice, which of the following would you choose:

  • Allow everything, but deny specific addresses.

  • Deny everything, but allow selected known good addresses.

If it's not obvious that the second choice is the best, you need to stop and think about this again.

A good approach for configuring the rules to use on a packet filter is to first deny all traffic. Then, selectively enable only those addresses or services that are essential to your business. If you try to do this in reverse (allowing all traffic and then denying specific items), there's no way you can create a set of rules that covers all possible sources of mischief. You might leave out something that didn't seem important at the time you did the configuration, or a new twist on an old technology might creep up and surprise you later.
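As an added illustration (not code from the book), here is a small Python packet filter that applies rules drawn from this section: the anti-spoofing check from "Filtering on IP Addresses", the inbound ICMP ECHO REQUEST block, the port 80 and port 23 rules with a per-host Telnet exception, and the deny-everything default just described. The addresses, the Packet class and the rule layout are assumptions made for the example.

```python
# Added example (not from the book): a minimal stateless packet filter that
# tests the header fields the chapter names (direction, IP addresses, protocol,
# port), applies the first matching rule and denies anything that matches none.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
ICMP, TCP, ECHO_REQUEST = 1, 6, 8      # protocol numbers from the chapter; ICMP type for Ping
# Constructed addresses for the example (RFC 5737 documentation ranges).
INTERNAL = ip_network("192.0.2.0/24")       # the internal network
WEB_SERVER = ip_network("192.0.2.10/32")    # public Web server inside it
ADMIN_HOST = ip_network("192.0.2.5/32")     # the one host allowed to Telnet out

@dataclass
class Packet:
    direction: str   # "in" = arriving from the Internet, "out" = leaving
    src: str
    dst: str
    proto: int       # value of the IP header's protocol field
    dport: int = 0   # TCP/UDP destination port; for ICMP the type is stored here (simplification)

# Rule: (action, direction, src_net, dst_net, proto, dport); None matches anything.
RULES = [
    ("deny",   "in",  INTERNAL,   None,       None, None),          # anti-spoofing
    ("deny",   "in",  None,       None,       ICMP, ECHO_REQUEST),  # no inbound Ping
    ("permit", "out", None,       None,       ICMP, ECHO_REQUEST),  # users may Ping out
    ("permit", "in",  None,       WEB_SERVER, TCP,  80),            # customers reach the Web server
    ("permit", "out", ADMIN_HOST, None,       TCP,  23),            # Telnet out, one host only
]

def filter_packet(p: Packet) -> str:
    """Return 'permit' or 'deny' for one packet; the first matching rule wins."""
    for action, direction, src, dst, proto, dport in RULES:
        if direction is not None and direction != p.direction: continue
        if src is not None and ip_address(p.src) not in src: continue
        if dst is not None and ip_address(p.dst) not in dst: continue
        if proto is not None and proto != p.proto: continue
        if dport is not None and dport != p.dport: continue
        return action
    return "deny"   # default: deny everything not explicitly allowed

SAMPLES = {   # constructed traffic, not captured data
    "spoofed_src": Packet("in", "192.0.2.77", "192.0.2.10", TCP, 80),
    "ping_in":     Packet("in", "198.51.100.9", "192.0.2.10", ICMP, ECHO_REQUEST),
    "ping_out":    Packet("out", "192.0.2.20", "198.51.100.9", ICMP, ECHO_REQUEST),
    "web_in":      Packet("in", "198.51.100.9", "192.0.2.10", TCP, 80),
    "telnet_in":   Packet("in", "198.51.100.9", "192.0.2.10", TCP, 23),
    "telnet_out":  Packet("out", "192.0.2.5", "203.0.113.4", TCP, 23),
    "telnet_out_other": Packet("out", "192.0.2.20", "203.0.113.4", TCP, 23),
}
def run_samples() -> dict:
    return {name: filter_packet(p) for name, p in SAMPLES.items()}
```

Because the filter is stateless, the Web rule admits the customer's request but says nothing about the server's reply; a real deployment also needs a rule for that return traffic (outbound TCP from port 80), which this example deliberately leaves out.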




Upgrading and Repairing Networks (5th Edition)
ISBN: 078973530X
Year: 2006
Pages: 411
