A packet filter provides the most basic functions of a firewall and can be implemented with a simple router. Indeed, packet-filtering routers were the first type of firewall created to help keep a network safe from intruders. A packet filter examines every network packet that passes through it, and either forwards or drops the packet, according to a set of rules established by the firewall administrator. Just about every router being manufactured today allows you to restrict traffic flowing inward or outward based on the contents of the TCP/IP packet header information. A packet filter can be configured to block traffic by creating filters for the following:
Note: As indicated, firewalls stand between your network and the Internet. However, in a large corporate network, firewalls are also typically deployed between different networks that exist within the same company. For example, you might place a firewall between the network used by the payroll department and the network that handles manufacturing computers for your company. Think of a firewall as a locked door, which can be used to keep out those who do not belong. Although usernames and passwords provide a general sort of security within your network, it's probably a good idea to isolate network segments that contain sensitive information from the rest of your network. Usernames and passwords are easily compromised. A properly configured firewall is not.

Filtering on IP Addresses

Chapter 24, "Overview of the TCP/IP Protocol Suite," discusses the information found in the Internet Protocol (IP) packet header. To briefly review, the IP protocol is used by other higher-level protocols (such as TCP and UDP) to provide a connectionless best-effort data-delivery service. To do so, the IP datagram encapsulates the TCP or other protocol segment by adding source and destination addresses, port numbers, and other header information before sending the datagram farther down the protocol stack, where it is eventually transmitted on the wire bit-by-bit by the physical components of the network. Routers can be configured easily to examine the contents of the IP header and drop packets that don't match a set of rules that the network or firewall administrator configures on the router. Perhaps the most obvious example is to filter out packets arriving from the Internet that have a source address that falls within the same network address range used on the internal network. Because such a packet, if it were indeed valid, would have to originate inside the network, it shouldn't be coming in from the outside!
It is easy to forge IP packets so that the source address, as well as other header information, is set to anything a hacker desires; many programs that do this are freely available on the Internet. When a packet with a forged internal source address is sent into your network, the destination server or workstation is more likely to accept it as a valid packet, thinking it comes from a user on the local network, and to process it as usual. Using this method, it's easy to get packets into your network and actually have them delivered when they should not be. This is only one example of a good reason to filter packets based on the IP addressing information in the packet header. Because addresses can be forged, and because it's not practical to list the millions of addresses allocated to computers on the Internet and pick and choose among them, you need to be cautious when using this kind of specific filtering. For example, suppose your network becomes the target of a denial-of-service attack. You can use a network analyzer to discover the source addresses of the packets and quickly insert a rule in the router (or firewall product) database that drops all packets coming from the network those addresses belong to.
Filtering Based on Protocols

In the IP packet, a field indicates the protocol whose data the packet is carrying. For example, if the IP packet is carrying TCP data, the protocol field in the IP header is 6. If it's carrying an ICMP (Internet Control Message Protocol) message, the protocol number is 1. The capability to filter out certain protocols is useful because many of the protocols in use on the Internet were created many years ago, when security was not as much of an issue as it is in today's commercial Internet. Take ICMP, for example. The Ping utility uses ICMP packets to determine whether another host is reachable. An ICMP ECHO REQUEST packet is sent to the address of the host in question; if it receives the packet, the destination computer sends back an ICMP ECHO REPLY packet. Sounds simple and safe, doesn't it? Well, it is simple, but not necessarily safe. Inside your network, Ping is a useful tool for quickly determining that something is wrong somewhere along the network path and a computer is not reachable, whether the destination you are pinging is inside your network or on the Internet. However, just as you wouldn't give out your credit-card number to a stranger, it's not a good idea to give out any information about your network, especially the addresses of the computers on it, to an outsider. And that's exactly what the ping command can do. It's easy to write a program that cycles through a range of IP addresses, sending out ICMP ECHO REQUEST packets and looking to see what replies come back. This saves a malicious hacker time, because he now knows that an IP address is in use and can proceed to try to intrude on and compromise the system. Because automated tools are available for continuing the hacker's probe, it's imperative that you keep your network address information secret.
If you've ever received those boring telemarketing calls during the early evening hours, you can understand how this works. The telemarketers just cycle through phone numbers until someone picks up the phone and answers. Allowing ICMP ECHO REPLY packets to respond to requests from outside your network is the equivalent of picking up the phone. Although you can hang up on a telemarketing call, after a hacker has your network address, she can always try back later when you're not around and use a wide variety of tools to probe your system to determine what is needed to get inside. For this reason, it's usually a good idea to block incoming ICMP ECHO REQUEST packets. You probably don't want to block outgoing packets of the same sort, because they serve a useful purpose: you can allow users inside your network to Ping other servers on the Internet. For example, suppose you want to place an order with a business that has a website, yet its home page doesn't come up in your browser. You can use Ping to determine whether the business's computer is on the Net and functioning, and then start your troubleshooting efforts from there to find out why you can't bring up the business's Web page. If you Ping the site and get no response, you can be sure that either it's down or somewhere along the network path a router or another device is not letting traffic through. The same goes for you if you offer a service on the Internet. However, in such a case, you should make sure that your Web servers are highly secured and located on a network segment that limits the damage should these servers be compromised. This network segment is called a demilitarized zone (DMZ), and you'll learn more about it later in this chapter. Another utility that uses ICMP is Tracert. This command probes the network path and returns a list of all the routers and other intermediary devices it passes through to reach a destination address.
Again, this is a useful tool when used properly, but you should block this sort of packet at your firewall. Do you want outsiders to know the addresses of routers and other devices on your network? After an outsider has the address and knows that a computer is online using that address, it's easy to use one of the many hacker tools available on the Internet to begin breaking into the computer.
Filtering Based on Port Numbers

The TCP and UDP protocols use port numbers in their header information to identify applications. Although filtering based on IP addresses blocks all network traffic from a particular source, you can use filtering rules that block only specific ports. Thus, you might allow customers to interact with Web servers inside your network using the ports set aside for WWW activity (port 80, for typical WWW traffic) but block other ports, such as port 23, which is used for Telnet. As another example, you might want to allow some users to use Telnet (port 23) or FTP (ports 20 and 21) to connect to servers outside the corporate network while denying this capability to others. You can do this by setting up rules in the packet filter that specify both a host source address and a port number. Ports are a two-way path: you can block incoming connections, outgoing connections, or both for each port. Packet filtering is an integral component of almost every firewall and has several advantages:
However, there are also several disadvantages to using a packet filter firewall:
Note: Although a typical packet filter is fast, more advanced devices offer additional services that can be compute-intensive. Extensive logging is one example. The capability to detect a large number of bad packets coming into the network in a short time can also be useful: using this technique, a packet filter can then block the subsequent packets. This can be useful during a denial-of-service attack. If you had the choice, which of the following would you choose:
If it's not obvious that the second choice is the best, you need to stop and think about this again. A good approach for configuring the rules on a packet filter is to first deny all traffic. Then, selectively enable only those addresses or services that are essential to your business. If you try to do this in reverse (allowing all traffic and then denying specific items), there's no way you can create a set of rules that covers all possible sources of mischief. You might leave out something that didn't seem important at the time you did the configuration, or a new twist on an old technology might creep up and surprise you later.
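To tie the address, protocol and port rules above to the deny-all-first approach, here is an added Python example (not code from the book) that decodes the IPv4 header fields a packet filter inspects and runs an inbound packet through an ordered rule list: the anti-spoofing check on the source address, blocking inbound ICMP ECHO REQUEST, permitting only TCP port 80 from outside, and dropping everything else. The internal range 192.168.10.0/24, the outside address 203.0.113.9 and the sample packets are constructed assumptions for the example.

```python
import ipaddress
import struct

# Assumed internal address range for this example (not from the book)
INTERNAL_NET = ipaddress.ip_network("192.168.10.0/24")
IP_FMT = "!BBHHHBBH4s4s"  # 20-byte IPv4 header without options

def parse_ipv4(pkt: bytes) -> dict:
    """Pull out the fields a packet filter looks at: protocol, addresses, ports, ICMP type."""
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack(IP_FMT, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4            # header length in bytes
    info = {"proto": proto,
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst)}
    l4 = pkt[ihl:]
    if proto in (6, 17):                  # TCP or UDP: ports are the first two 16-bit fields
        info["sport"], info["dport"] = struct.unpack("!HH", l4[:4])
    elif proto == 1:                      # ICMP: first byte is the type (8 = ECHO REQUEST)
        info["icmp_type"] = l4[0]
    return info

def filter_inbound(pkt: bytes) -> str:
    """Ordered rules for a packet arriving from the Internet; anything unmatched is dropped."""
    p = parse_ipv4(pkt)
    if p["src"] in INTERNAL_NET:          # anti-spoofing: inside addresses never arrive from outside
        return "DROP spoofed-source"
    if p["proto"] == 1 and p.get("icmp_type") == 8:
        return "DROP icmp-echo-request"   # keep outsiders from enumerating live hosts
    if p["proto"] == 6 and p.get("dport") == 80:
        return "ACCEPT http"              # customers may reach the web server
    return "DROP default"                 # Telnet (23), FTP (20/21) and everything else

def build_ipv4(src: str, dst: str, proto: int, l4: bytes) -> bytes:
    """Constructed sample packet: minimal IPv4 header, checksum left at zero."""
    hdr = struct.pack(IP_FMT, 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr + l4

def tcp_syn(sport: int, dport: int) -> bytes:
    """Constructed 20-byte TCP header with only the SYN flag set."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 0xFFFF, 0, 0)

def icmp_echo_request() -> bytes:
    """Constructed ICMP ECHO REQUEST header: type 8, code 0, id 1, seq 1."""
    return struct.pack("!BBHHH", 8, 0, 0, 1, 1)

if __name__ == "__main__":
    print(filter_inbound(build_ipv4("203.0.113.9", "192.168.10.1", 6, tcp_syn(40000, 80))))
```

A real router evaluates its rule list in the same top-down order, so putting the deny-by-default rule last and the spoofing check first is what makes the allow rules safe.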