Chapter 8: Packet Filtering


In this chapter, we elaborate on packet filtering as one of the core technologies employed by many firewall configurations. More specifically, we introduce the technology in Section 8.1, discuss packet filter rules in Section 8.2, overview some packet filtering products in Section 8.3, address stateful inspection (also known as dynamic packet filtering) in Section 8.4, and draw some conclusions in Section 8.5. In this chapter it should become clear that packet filtering is useful but not sufficient to provide appropriate access control services for corporate intranets.

8.1 INTRODUCTION

A router is an internetworking device that usually runs a specialized operating system (e.g., Cisco IOS) to transfer packets between two or more physically separated network segments.[1] It operates at the network layer in the OSI-RM, or the Internet layer in the Internet model, respectively. As such, it routes IP packets by consulting tables that indicate the best path the IP packet should take to reach its final destination. More accurately, a router receives an IP packet on one network interface and forwards it on another network interface, ideally in the direction of the destination IP address that is included in the IP header. If the router knows on which interface to forward the packet, it does so. Otherwise, it is not able to route the packet. In this case, the router usually discards the packet and returns an ICMP destination unreachable message to the source IP address.

Because every IP packet contains a source and a destination IP address, packets originating from or destined to a particular host or network segment can be selectively filtered by a packet-filtering device. Also, transport layer protocols such as TCP or UDP add a source and destination port number to each segment or datagram as part of the header information. These port numbers indicate which processes on each host finally will receive the data encapsulated within the IP packet. This information can also be used to selectively filter IP packets. In the late 1980s and early 1990s, several scientific papers and articles were published that describe how to use packet filters to provide basic access control services for corporate intranets [1–5]. Some of these papers describe the use of packet filtering in early firewall configurations at AT&T [2] and Digital Equipment Corporation (DEC) [3].[2]

Today, most commercial router products also provide the capability to screen IP packets and filter them in accordance with a set of packet filter rules that implement a specific service access policy. For example, routers from Cisco Systems use a fairly simple syntax to define packet-filtering rules [6-8]. Each network interface on a Cisco router can be assigned an access group, which is basically an integer number that references the interface. Packet-filtering commands for that interface are then expressed in access lists[3] that are associated with access groups. The router, in turn, matches each IP packet routed to a particular network interface against the access lists associated with the access group of that particular interface.

We said in Chapter 7 that routers that provide packet-filtering capabilities are sometimes also called screening routers. In general, screening routers provide an efficient mechanism to control the type of network traffic that can exist (i.e., enter and/or leave) on a particular network segment. By controlling the type of network traffic that can exist on a network segment, they can also control the types of services that may exist there. Services that could compromise the security of the network segment can thus be effectively and efficiently restricted.

Remember that a packet filter or a screening router is a multiported internetworking device that applies a set of rules to each incoming IP packet to decide whether it will be forwarded or discarded. As such, the packet filter or screening router has several ports or network interfaces. Each port may connect the packet filter to a network segment, and the network segments are classified as either internal or external: internal network segments belong to the intranet, whereas external network segments typically belong to the Internet. Consequently, it is up to the packet filter to intercept and control data traffic between internal and external network segments.

Upon receiving an IP packet, the packet filter parses the header of the packet and applies the corresponding packet filter rules to determine whether the packet should be forwarded toward its destination IP address or dropped and discarded.[4] We mentioned in Chapter 7 that IP packets are filtered based on information that is usually found in packet headers:

  • Protocol numbers;

  • Source and destination IP addresses;

  • Source and destination port numbers;

  • TCP connection flags;

  • Some other options.

Note that routers do not normally look at (TCP or UDP) port numbers when making routing decisions, but they do so for filtering purposes: knowing the source and destination port numbers allows selective filtering based on the service being used. For example, a Telnet server usually listens at port 23, and an SMTP server usually listens at port 25. Selective filtering by port numbers also takes advantage of how ports are assigned. Although a Telnet server uses port 23 most of the time, a Telnet client's port number is not fixed but assigned dynamically. In a UNIX or Linux environment, for example, the client port is assigned a number greater than 1,023. Also note that screening routers can filter on any of the TCP connection flags summarized in Table 2.5, but that the SYN and ACK flags are the ones most frequently used for packet filtering, because these two flags collectively indicate whether a TCP connection is being established inbound or outbound. For example, all TCP segments except the first one (i.e., the TCP connection request message) carry an ACK flag.

Unfortunately, not all screening routers are able to filter IP packets based on all header fields mentioned earlier. For example, some screening routers are not able to consider the source port of an IP packet. This can make packet-filtering rules more complex and can even open up holes in the entire packet filtering scheme. There is, for example, such a problem if a site wishes to allow both inbound and outbound SMTP traffic for e-mail. Remember that in the case of a client establishing an SMTP connection to a server, the client's source port number would be randomly chosen at or above 1,024, and the destination port number would be 25, the port at which an SMTP server conventionally resides. Consequently, the SMTP server would return IP packets with a source port number of 25 and a destination port number equal to the port number randomly chosen by the client. In this scenario, a packet filter must be configured to allow destination and source port numbers greater than 1,023 to pass through in either direction. If the router is able to filter on the source port, it can block incoming SMTP traffic with a destination port greater than 1,023 and a source port other than 25. Without this ability, however, the router cannot consider the source port and must therefore permit incoming SMTP traffic with a destination port greater than 1,023 and an arbitrary source port number. Consequently, legitimate but malicious users could conceivably make use of this situation and run servers at ports greater than 1,023 to circumvent the service access policy enforced by the packet filter. For example, a Telnet server that normally listens at port 23 could be told to listen at port 7,777 instead. Users on the Internet could then use a normal Telnet client to connect to this internal server even if the packet filter blocks destination port 23.

In addition to the header information itemized, some packet-filtering devices also allow the administrator to specify packet-filtering rules based on which network interface an IP packet actually entered and on which interface the packet is destined to leave. Being able to specify filters on both inbound and outbound interfaces allows an administrator significant control over where the packet filter appears in the overall scheme and is very convenient for useful filtering on screening routers with more than two network interfaces. As described later, this ability has turned out to be very useful, and essential to protect against sequence number guessing and IP spoofing attacks. Unfortunately, not all screening routers can actually filter on both inbound and outbound interfaces, and many routers implement packet filtering only on the outbound interface for efficiency reasons. Note that for outgoing IP packets, the filter rules can be applied when the router consults its routing tables to determine the interface to send the packet out on. At this point, however, the router no longer knows on which interface the packet entered; it has lost some important information.

Screening routers filter IP packets according to specific packet filter rules. More accurately, when an IP packet arrives at a network interface of a filtering device, the packet headers are parsed. As described earlier, most packet filters examine the fields in only the IP and the TCP or UDP headers. Each packet-filtering rule is applied to the packet in the order in which the packet-filtering rules are stored. If a rule blocks the transmission or reception of a packet, the packet is not allowed. If a rule allows the transmission or reception of a packet, the packet is allowed to proceed. If a packet does not satisfy any rule, it is either allowed or blocked depending on the stance of the firewall. In general, it is good practice to block the IP packet in this case.
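The following small stateless filter is an added example written for this chapter (it is not code from the book or from any router vendor) and ties together three points made above: rules are tried in stored order with the first match deciding and unmatched packets falling back to the firewall's stance, a rule can be tied to the interface a packet arrived on (the anti-spoofing use), and a router that cannot match on the source port must open every high destination port to admit SMTP replies. Interface names, the TEST-NET addresses, the stance parameter and the rule syntax are assumptions of the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Packet:                 # the header fields a stateless filter looks at
    iface: str                # interface the packet arrived on
    proto: str
    src: str
    dst: str
    sport: int
    dport: int

@dataclass
class Rule:
    action: str               # "permit" or "deny"
    iface: str = "*"
    proto: str = "*"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    sport: tuple = (0, 65535)
    dport: tuple = (0, 65535)

    def matches(self, p):
        return (self.iface in ("*", p.iface) and self.proto in ("*", p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.sport[0] <= p.sport <= self.sport[1]
                and self.dport[0] <= p.dport <= self.dport[1])

def filter_packet(rules, p, stance="deny"):
    """Apply rules in stored order; the first match decides, else the stance."""
    for r in rules:
        if r.matches(p):
            return r.action
    return stance

INTERNAL, MAIL, HIGH = "192.0.2.0/24", "192.0.2.25/32", (1024, 65535)  # constructed
# Interface-aware anti-spoofing rule: internal sources never arrive on "ext".
ANTI_SPOOF = Rule("deny", iface="ext", src=INTERNAL)
INBOUND_SMTP = Rule("permit", "ext", "tcp", dst=MAIL, dport=(25, 25))
# Router that cannot filter on the source port: every high destination port is open.
NO_SRC_PORT = [ANTI_SPOOF, INBOUND_SMTP, Rule("permit", "ext", "tcp", dst=INTERNAL, dport=HIGH)]
# Router that can: only replies coming from port 25 reach a client's high port.
WITH_SRC_PORT = [ANTI_SPOOF, INBOUND_SMTP,
                 Rule("permit", "ext", "tcp", dst=INTERNAL, sport=(25, 25), dport=HIGH)]

# Constructed packets: a legitimate SMTP reply, a connection to a server placed at port 7777, and a packet with a spoofed internal source.
SMTP_REPLY = Packet("ext", "tcp", "198.51.100.7", "192.0.2.10", 25, 40000)
ROGUE_7777 = Packet("ext", "tcp", "198.51.100.7", "192.0.2.10", 51000, 7777)
SPOOFED = Packet("ext", "tcp", "192.0.2.5", "192.0.2.10", 25, 40000)
```

Running `filter_packet` over the three packets with both rule sets shows that the source-port-blind set lets the port 7777 connection through while the other set, with the same anti-spoofing rule in front, denies it and still admits the genuine SMTP reply.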

We mentioned previously that packet filters are stateless, meaning that each IP packet must be examined isolated from what has happened in the past, forcing the filter to make a decision to permit or deny each packet individually based upon the packet-filtering rules. Routers are generally optimized to shuffle IP packets quickly. The packet filters of a screening router take time and can defeat the overall optimization efforts. In fact, packet filtering is a slow operation that may considerably reduce routing throughput. Logging of IP packets also occurs without regard to past history, and enabling logging results in another hit on performance. More often than not, packet filtering and logging are not enabled in routers primarily to achieve better throughput and performance. If enabled and used, packet filtering and logging are typically installed at the edge of an administrative domain.

[1]Despite the fact that most routers in use today are able to route multiple protocols, we mainly focus on IP routing in this book. This is because IP is by far the most dominant network layer protocol used in the Internet.

[2]The DEC firewall was designed and implemented by Marcus J. Ranum. The same firewall was also used to secure the Web site of the White House at http://www.whitehouse.gov.

[3]More accurately, Cisco routers provide support for two types of access lists: standard access lists and extended access lists. We refer to [6–8] and the relevant product documentation for more information on this topic.

[4]Some packet-filtering implementations with only rudimentary capabilities do not actually parse the headers of IP packets, but instead require the administrator to specify byte ranges within the header to examine and the patterns for which to look in those ranges [4]. This is almost useless, as it requires the administrator to have a very detailed understanding of the structure of an IP packet. Also, it is totally unworkable for packets using IP option fields, which cause the location of the beginning of the transport layer protocol headers, such as TCP or UDP headers, to vary. This variation, in turn, makes it very difficult to find and examine the TCP or UDP port number fields.




Internet and Intranet Security
ISBN: 1580531660
Year: 2002
Pages: 144
