3.2 Static packet filtering

Generally speaking, a router is a dedicated internetworking device that runs a specialized operating system (e.g., Cisco IOS) to transfer packets between two or more physically separated network segments. [5] It operates at the network layer of the OSI reference model, or the Internet layer of the Internet model. As such, it routes IP packets by consulting tables that indicate the best path the IP packet should take to reach its destination. More accurately, a router receives an IP packet on one network interface and forwards it on another network interface, possibly in the direction of the destination IP address that is included in the IP header. If the router knows on which interface to forward the packet, it does so. Otherwise, it is not able to route the packet. In this case, the router usually returns the packet using an ICMP destination unreachable message to the source IP address.

Because every IP packet contains a source and a destination IP address, packets originating from or destined to a particular host or network segment can be selectively filtered by a packet-filtering device. Also, transport layer protocols such as TCP or UDP add a source and destination port number to each segment or datagram as part of their header information. These port numbers indicate which processes on each host will finally receive the data encapsulated within the IP packet. This information can also be used to selectively filter IP packets. In the late 1980s and early 1990s, several scientific papers and articles were published that described how to use packet filters to provide access control services for corporate intranets [9–13]. Some of these papers actually described the use of packet filtering in early firewall configurations at AT&T [10] and Digital Equipment Corporation (DEC) [11]. [6]

Today, most commercial router products (e.g., Cisco routers) provide the capability to screen IP packets and filter them in accordance with a set of packet filter rules. Such routers are sometimes also called screening routers. In general, screening routers can provide an efficient mechanism to control the type of network traffic that can enter or leave a particular network segment. By controlling the type of network traffic that can enter or leave a network segment, they can also control the types of services that may exist. Services that could compromise the security of the network segment can be effectively and efficiently restricted.

As mentioned above, IP packets are usually filtered based on information that is found in packet headers:

  • Protocol numbers;

  • Source and destination IP addresses;

  • Source and destination port numbers;

  • TCP connection flags;

  • Some other options.

Note that routers do not normally look at (TCP or UDP) port numbers when making routing decisions, but they do for filtering purposes, since the source and destination port numbers allow selective filtering based on the service being used. For example, a Telnet server usually listens at port 23, whereas an SMTP server usually listens at port 25. Selective filtering by port numbers also takes advantage of how ports are assigned. Although a Telnet server uses port 23 most of the time, a Telnet client port number is not fixed, but assigned dynamically. In a UNIX or Linux environment, for example, the client port is assigned a number greater than 1,023. Also note that screening routers can filter on any of the TCP connection flags, but that the SYN and ACK flags are the most frequently used flags for packet filtering (this is because these two flags collectively determine whether a TCP connection is established inbound or outbound). For example, all TCP segments except the first one (i.e., the TCP connection request message) carry an ACK flag.

Unfortunately, not all screening routers are able to filter IP packets based on all header fields mentioned earlier. For example, some screening routers are not able to consider the source port of an IP packet. This can make packet-filtering rules more complex and can even open up holes in the entire packet filtering scheme. There is, for example, such a problem if a site wishes to allow both inbound and outbound SMTP traffic for e-mail. Remember that in the case of a client establishing an SMTP connection to a server, the client's source port number would be randomly chosen at or above 1,024, and the destination port number would be 25, the port at which an SMTP server conventionally resides. Consequently, the SMTP server would return IP packets with a source port number of 25 and a destination port number equal to the port number randomly chosen by the client. In this scenario, a packet filter must be configured to allow destination and source port numbers greater than 1,023 to pass through in either direction. If the router is able to filter on the source port, it can block incoming SMTP traffic with a destination port greater than 1,023 and a source port other than 25. Without this ability, however, the router cannot consider the source port and must therefore permit incoming SMTP traffic with a destination port greater than 1,023 and an arbitrary source port number. Consequently, legitimate but malicious users could conceivably make use of this situation and run servers at ports greater than 1,023 to circumvent the service access policy enforced by the packet filter. For example, a Telnet server that normally listens at port 23 could be told to listen at port 7,777 instead. Users on the Internet could then use a normal Telnet client to connect to this internal server even if the packet filter blocks destination port 23.

In addition to the header information itemized above, some packet-filtering devices also allow the administrator to specify packet-filtering rules based on which network interface an IP packet actually entered and on which interface the packet is destined to leave. Being able to specify filters on both inbound and outbound interfaces allows an administrator significant control over where the packet filter appears in the overall scheme and is very convenient for useful filtering on screening routers with more than two network interfaces. Unfortunately, for efficiency reasons, not all screening routers can filter on both inbound and outbound interfaces, and many routers implement packet filtering only on the outbound interface. Note that for outgoing IP packets, the filter rules can be applied when the router consults its routing tables to determine the interface to send the packet out on. At this point, however, the router no longer knows on which interface the packet entered; it has lost some important information.

Screening routers filter IP packets according to a set of packet filter rules. More accurately, when an IP packet arrives at a network interface of a filtering device, the packet headers are parsed. Each packet-filtering rule is applied to the packet in the order in which the packet-filtering rules are stored. If a rule blocks the transmission or reception of a packet, the packet is not allowed. If a rule allows the transmission or reception of a packet, the packet is allowed to proceed. If a packet does not satisfy any rule, it is either allowed or blocked depending on the firewall's default rule. In general, it is good practice to have a rule that will block IP packets that don't match any other rules.
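As an added example (not the author's code), the following Python model implements the first-match, default-block rule evaluation described above and applies it to the SMTP case from the previous paragraph: one constructed rule set for a router that can filter on the source port and the ACK flag, and one for a router that cannot consider the source port. The `Packet`/`Rule` classes, port ranges and sample packets are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    direction: str       # "in" (from the Internet) or "out" (to the Internet)
    src_port: int
    dst_port: int
    ack: bool = False    # TCP ACK flag; clear only on the connection request

@dataclass(frozen=True)
class Rule:
    action: str                       # "allow" or "block"
    direction: str                    # "in" or "out"
    src_port: Optional[range] = None  # None = any port
    dst_port: Optional[range] = None
    ack: Optional[bool] = None        # None = don't care

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction
                and (self.src_port is None or p.src_port in self.src_port)
                and (self.dst_port is None or p.dst_port in self.dst_port)
                and (self.ack is None or self.ack == p.ack))

def filter_packet(rules: list[Rule], p: Packet, default: str = "block") -> str:
    # Rules are tried in stored order; the first match decides, and a packet
    # that matches no rule falls through to the default rule (block).
    for r in rules:
        if r.matches(p):
            return r.action
    return default

SMTP, HIGH = range(25, 26), range(1024, 65536)

# Router that can filter on the source port: inbound high-port packets are
# admitted only as replies from a remote SMTP server (source 25, ACK set).
SRC_PORT_AWARE = [
    Rule("allow", "out", src_port=HIGH, dst_port=SMTP),            # our client -> remote server
    Rule("allow", "in", src_port=SMTP, dst_port=HIGH, ack=True),   # remote server's replies
    Rule("allow", "in", dst_port=SMTP),                            # inbound mail to our server
    Rule("allow", "out", src_port=SMTP, dst_port=HIGH, ack=True),  # our server's replies
]
# Router that cannot consider the source port: the reply rule must admit any
# inbound packet to a port > 1023, which is the hole the text describes.
SRC_PORT_BLIND = [
    Rule("allow", "out", dst_port=SMTP),
    Rule("allow", "in", dst_port=HIGH),
    Rule("allow", "in", dst_port=SMTP),
    Rule("allow", "out", dst_port=HIGH),
]
# Constructed sample packets: a legitimate SMTP reply, and a connection
# request to a Telnet server that has been moved to port 7777.
SMTP_REPLY = Packet("in", src_port=25, dst_port=40000, ack=True)
ROGUE_TELNET = Packet("in", src_port=50000, dst_port=7777)
```

Running both rule sets over the two sample packets shows that the SMTP reply passes either way, while the connection request to port 7777 is blocked only by the source-port-aware rule set; the ACK condition additionally stops a fresh connection request that merely spoofs source port 25.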

Packet filters are stateless, meaning that each IP packet must be examined in isolation from what has happened in the past (and what will happen in the future), forcing the filter to make a decision to permit or deny each packet individually based upon the packet-filtering rules. Routers are generally optimized to shuffle IP packets quickly. The packet filters of a screening router take time and can defeat the overall optimization efforts. In fact, packet filtering is a slow operation that may considerably reduce routing throughput. Logging of IP packets also occurs without regard to past history, and enabling logging results in another hit on performance. More often than not, packet filtering and logging are not enabled in routers primarily to achieve better throughput and performance. If enabled and used, packet filtering and logging are typically installed at the interface between different administrative domains.

[5] Despite the fact that most routers in use today are able to route multiple protocols, we mainly focus on IP routing in this book. This is because IP is by far the most dominant network layer protocol used in the Internet.

[6] The DEC firewall was designed and implemented by Marcus J. Ranum. The same firewall was also used to secure the Web site of the White House at http://www.whitehouse.gov.

Security Technologies for the World Wide Web, Second Edition
ISBN: 1580533485
Year: 2003
Pages: 142
Authors: Rolf Oppliger