Brought to you by EarthWeb


Packet Filtering Gateways

A packet filtering gateway is a system that protects the network by examining the source, destination, and service type of each packet contending for entry onto the protected network. By comparing the packet to a list of rules, the gateway makes a decision to allow the traffic to pass or drop the traffic, preventing a connection (see Exhibit 8-3-3).


Exhibit 8-3-3.  Packet Filter Gateway

Packet filtering gateways may be implemented by either setting options in a router connecting the protected LAN to the nontrusted networks or by configuring a bastion host to act as a router. The router-based implementation is the most common way of setting up a packet filtering gateway, because a router is usually needed to make the physical connection between the trusted and nontrusted networks.

Implementation Steps

Designing and implementing a packet filter is a multistep process.

Establishing Security Policies. First, the network manager must decide on a set of security policies for the installation. Examples of security policies are:

  Outbound Internet access from the organization’s hosts will not be restricted.
  Inbound SMTP mail sessions are allowed to connect to the mail server only.
  Inbound hypertext transfer protocol (HTTP) connections to the World Wide Web (WWW) are allowed to the organization’s WWW server only.
  Inbound DNS (Domain Name System) connections are allowed to the DNS server only.
  Everything else will be blocked.

Writing the Packet Filter Description. As the second step, these security policies must be translated into a metalanguage description expressed in terms of protocol, port, and source and destination address. The security policies noted previously could be written out as shown in Exhibit 8-3-4.


Exhibit 8-3-4.  Packet Filter Description

In Exhibit 8-3-4, the second and third lines of the packet filter description allow inbound packets that have the TCP ACK flag set or that are destined for nonprivileged ports (i.e., port numbers 1024 and above) to pass into the protected network. These packets are the responses from outside Internet hosts to internal clients that requested a service: the ACK flag is set on every segment of an established TCP connection except the initial SYN, and a client normally receives its replies on a port above 1023. Two caveats apply. The ACK test does nothing for UDP, which has no flags, so UDP replies are admitted only by the port-number line; and the port-number line admits new connections as well as replies, so any internal service that listens above 1023 (an X Window server on TCP port 6000, for example) becomes reachable from outside unless a more specific deny line precedes it. The last two lines of the filter description ensure that any Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) packet that does not fit within the criteria defined for packet acceptance is blocked.

The next step in designing the packet filter is to translate the meta language description into the filter language of the router that will be doing the filtering.

Testing and Revising the Packet Filters. Finally, the packet filter must be tested to ensure that it allows authorized users to connect to authorized services while preventing unauthorized access. Once a packet filter is in place, any time a new public service is added to the protected network, the filter must be revised to allow authorized connections.

The order in which the packet filtering statements are specified is important. Each packet is compared against the filters in sequence until it either matches a rule that admits it or is rejected by one; improper placement of filters causes unexpected and unwanted results. The final two lines in Exhibit 8-3-4’s sample filter description are the fail-safe mechanism that prevents unknown and unwanted packets from entering the network. These lines are the key to the “allow nothing except …” strategy, and their placement at the end of the list is vital to the success of the firewall: placed any earlier, they would also discard the packets that the permit lines after them were meant to admit.
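The policy list, the filter description and the ordering rule above, worked through as an added example. This is Python written for this page, not code from the chapter or from any router vendor: it encodes the inbound policies as an ordered rule table, evaluates constructed packets against it with first-match semantics, and then shows what happens when the fail-safe deny lines are placed first and what the nonprivileged-port line admits beyond reply traffic. The server addresses, the internal host, the outside host and the packets are all assumptions constructed for the example.

```python
"""Toy first-match packet-filter evaluator.

Added example, not code from the chapter.  It encodes the chapter's
inbound policy as an ordered rule table, evaluates constructed packets
against it, and checks two things before such a filter is deployed:
that rule order decides the outcome, and that the "allow anything to a
nonprivileged port" line also admits fresh connections to any internal
service listening above 1023.  Addresses are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY = None  # wildcard in a rule field


@dataclass(frozen=True)
class Packet:
    proto: str         # "tcp" or "udp"
    src: str
    dst: str
    dport: int
    ack: bool = False  # TCP ACK flag; UDP has no such flag


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    proto: Optional[str] = ANY
    dst: Optional[str] = ANY
    dport: Optional[int] = ANY      # exact destination port
    min_dport: Optional[int] = ANY  # destination port >= this value
    ack: Optional[bool] = ANY       # True: only packets with ACK set

    def matches(self, p: Packet) -> bool:
        return ((self.proto is ANY or p.proto == self.proto)
                and (self.dst is ANY or p.dst == self.dst)
                and (self.dport is ANY or p.dport == self.dport)
                and (self.min_dport is ANY or p.dport >= self.min_dport)
                and (self.ack is ANY or p.ack == self.ack))


def decide(rules: List[Rule], p: Packet) -> Tuple[int, str]:
    """Compare the packet against the rules top to bottom; the first
    match decides.  Returns (index of deciding rule, action).  Index -1
    means nothing matched; we treat that as deny, but the chapter's
    filter ends with explicit deny lines so the result never depends
    on a router's implicit default."""
    for i, r in enumerate(rules):
        if r.matches(p):
            return i, r.action
    return -1, "deny"


# Constructed addresses for the public servers in the policy list.
MAIL_SERVER, WEB_SERVER, DNS_SERVER = "192.0.2.25", "192.0.2.80", "192.0.2.53"
INTERNAL_HOST, OUTSIDE_HOST = "192.0.2.140", "198.51.100.7"

# The inbound filter description in an order consistent with the text:
# the mail permit, the two "reply traffic" permits as lines two and
# three, the remaining server permits, then the two fail-safe denies.
INBOUND_FILTER: List[Rule] = [
    Rule("allow", "tcp", MAIL_SERVER, dport=25),
    Rule("allow", "tcp", ack=True),    # replies to internal TCP clients
    Rule("allow", min_dport=1024),     # replies to any nonprivileged port
    Rule("allow", "tcp", WEB_SERVER, dport=80),
    Rule("allow", "udp", DNS_SERVER, dport=53),
    Rule("allow", "tcp", DNS_SERVER, dport=53),
    Rule("deny", "tcp"),
    Rule("deny", "udp"),
]

# The same lines with the fail-safe denies mistakenly placed first:
# every packet meets a deny before it can reach a permit.
MISORDERED_FILTER: List[Rule] = INBOUND_FILTER[-2:] + INBOUND_FILTER[:-2]


def check(rules: List[Rule]) -> Dict[str, str]:
    """Run the scenarios a filter test plan should cover and report the
    action taken for each (constructed packets)."""
    cases = {
        "smtp_to_mail_server": Packet("tcp", OUTSIDE_HOST, MAIL_SERVER, 25),
        "smtp_to_other_host": Packet("tcp", OUTSIDE_HOST, INTERNAL_HOST, 25),
        "telnet_to_internal_host": Packet("tcp", OUTSIDE_HOST, INTERNAL_HOST, 23),
        "http_reply_to_client": Packet("tcp", OUTSIDE_HOST, INTERNAL_HOST, 40212, ack=True),
        "dns_reply_to_resolver": Packet("udp", OUTSIDE_HOST, INTERNAL_HOST, 34567),
        # A fresh SYN (no ACK) to an X11 display on an internal workstation:
        # admitted by the nonprivileged-port line, not by any policy.
        "new_conn_to_internal_x11": Packet("tcp", OUTSIDE_HOST, INTERNAL_HOST, 6000),
    }
    return {name: decide(rules, pkt)[1] for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, verdict in check(INBOUND_FILTER).items():
        print(f"{name:26s} {verdict}")
    print("misordered:", check(MISORDERED_FILTER))
```

Running it shows the intended permits and denies for the five policies, but also that the X11 connection attempt is admitted by the third line, which is the kind of result the testing step is meant to surface; the misordered table denies everything, including the mail session the first policy requires.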

Assessing the Pros and Cons

Advantages of the packet filtering approach include:

  Low startup costs. Because the packet filter can reside on the router that connects the protected network to the outside world, there is no extra hardware requirement. Most routers include the software needed to filter packets as a standard feature.
  Little impact on the users of the network. Unlike some of the other solutions (discussed later in this chapter), packet filters do not require users to use special versions of client programs (e.g., WWW, FTP, Telnet) written to work through a network firewall.

The packet filtering approach also has its disadvantages. For example:

  A high level of knowledge is required to configure and maintain the filter. Because filters work at the packet level, maintenance staff must be familiar with the TCP/IP protocol suite and the multitude of services and packet types they may encounter.
  Errors in the filter may produce major repercussions. A typographical error or mistaken assumption can easily leave security holes in the firewall. Packet filtering languages in most routers are extremely cryptic, so it is easy to make an error while entering the definition.
  New Internet-based services mean more maintenance. For example, the popular RealAudio streaming audio protocol used by many World Wide Web sites sends packets to its client software using TCP port 7070. Many sites’ firewalls are not configured to allow this traffic “out of the box,” requiring the network manager to change the filter rules manually to do so. As new applications of the Internet become popular, firewall rule sets (and thus maintenance) will become more complex.

Packet filtering gateways may provide sufficient protection for sites that are running their applications on operating systems such as Novell NetWare and Microsoft Windows NTAS, which are less accessible to network hackers than UNIX-based operating systems. UNIX-based network managers should view packet filters as one tool in their protective arsenal.


Copyright (c) 1996-1999 EarthWeb, Inc.. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of EarthWeb is prohibited. Please read our privacy policy for details.