Chapter 2. Packet Filtering


Packet filtering is one of the oldest and most widely available means to control access to networks. The concept is simple: Determine whether a packet is allowed to enter or exit the network by comparing some basic identifying pieces of information located in the packet's header. Packet-filtering technology can be found in operating systems, software and hardware firewalls, and as a security feature of most routers.

The goal of this chapter is to explore the strengths and weaknesses of packet-filtering technology and how to implement it successfully. We discuss the basics of TCP/IP and how they apply to packet filtering, along with the rules for implementing packet filters using Cisco router access lists. We explore uses for rules that filter on source address, such as allowing or prohibiting traffic from given hosts and building ingress and egress filters. We also cover filters that examine destination addresses and make decisions based on port numbers, and their uses for improved control of traffic flow. We examine the problems of the packet filter, including its weakness to spoofing and fragmentation, its difficulty controlling return traffic, and the problems with poking an always-open hole in your defense. Finally, we explore the power of dynamic packet filters and the ways they can help correct many of the shortcomings of static packet filtering.
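The following is an added example, not code from the book: a small Python model of the first-match, implicit-deny semantics of a router access list, applied to constructed packet headers. The addresses (192.0.2.0/24 as the inside network, 203.0.113.7 as an outside host) and the rule set are assumptions chosen to show an ingress anti-spoofing rule, a destination-port rule, and the "return traffic" rule that leaves a static hole open to high ports.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Rule:
    action: str                        # "permit" or "deny"
    proto: str                         # "ip" (any protocol), "tcp" or "udp"
    src: str                           # CIDR network or "any"
    dst: str                           # CIDR network or "any"
    dport: Optional[Tuple[str, int]] = None   # e.g. ("eq", 25) or ("gt", 1023)

def _match_net(net: str, addr: str) -> bool:
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def _match_port(spec: Optional[Tuple[str, int]], port: int) -> bool:
    if spec is None:
        return True
    op, value = spec
    return {"eq": port == value, "gt": port > value, "lt": port < value}[op]

def evaluate(acl, pkt: dict) -> str:
    """Walk the list top to bottom; the first matching rule decides.
    If nothing matches, the packet is dropped (implicit deny)."""
    for r in acl:
        if r.proto != "ip" and r.proto != pkt["proto"]:
            continue
        if not _match_net(r.src, pkt["src"]) or not _match_net(r.dst, pkt["dst"]):
            continue
        if r.proto != "ip" and not _match_port(r.dport, pkt.get("dport", 0)):
            continue
        return r.action
    return "deny"

# Constructed inbound ACL (applied to packets entering from the outside).
INBOUND_ACL = [
    # Ingress filter: a packet arriving from outside must not claim an inside source.
    Rule("deny", "ip", "192.0.2.0/24", "any"),
    # Destination address + port: only SMTP to the mail server.
    Rule("permit", "tcp", "any", "192.0.2.10/32", ("eq", 25)),
    # Static rule meant for return traffic to client ephemeral ports; it also admits
    # unsolicited connections to any inside high port (the always-open hole).
    Rule("permit", "tcp", "any", "192.0.2.0/24", ("gt", 1023)),
]

def decide_inbound(src: str, dst: str, proto: str = "tcp", dport: int = 0) -> str:
    return evaluate(INBOUND_ACL, {"src": src, "dst": dst, "proto": proto, "dport": dport})
```

Comparing `decide_inbound("203.0.113.7", "192.0.2.20", dport=40000)` with `decide_inbound("203.0.113.7", "192.0.2.20", dport=8080)` shows that the static return-traffic rule cannot tell a reply from a new inbound connection, which is the gap dynamic packet filtering closes.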



    Inside Network Perimeter Security (2nd Edition)
    ISBN: 0672327376
    Year: 2005
    Pages: 230
