Packet Filtering Gateways

A packet filtering gateway is a system that protects the network by examining the source, destination, and service type of each packet contending for entry onto the protected network. By comparing the packet to a list of rules, the gateway makes a decision to allow the traffic to pass or drop the traffic, preventing a connection (see Exhibit 8-3-3).
Packet filtering gateways may be implemented by either setting options in a router connecting the protected LAN to the nontrusted networks or by configuring a bastion host to act as a router. The router-based implementation is the most common way of setting up a packet filtering gateway, because a router is usually needed to make the physical connection between the trusted and nontrusted networks.

Implementation Steps

Designing and implementing a packet filter is a multistep process.

Establishing Security Policies. First, the network manager must decide on a set of security policies for the installation. Examples of security policies are:
Writing the Packet Filter Description. As the second step, these security policies must be translated into meta language based on packet types and source and destination addresses. The security policies noted previously could be written out as shown in Exhibit 8-3-4.
In Exhibit 8-3-4, the second and third lines of the packet filter description ensure that inbound packets that have the ACK flag set or that are destined for nonprivileged ports (e.g., numbers 1024 and above) are allowed to pass into the protected system. These packets are the responses from outside Internet hosts to internal clients requesting services. The last two lines of the filter description ensure that any Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) packet that does not fit within the criteria defined for packet acceptance is blocked.

The next step in designing the packet filter is to translate the meta language description into the filter language of the router that will be doing the filtering.

Testing and Revising the Packet Filters. Finally, the packet filter must be tested to ensure that it allows authorized users to connect to authorized services while preventing unauthorized access. Once a packet filter is in place, any time a new public service is added to the protected network, the filter must be revised to allow authorized connections.

The order in which the packet filtering statements are specified is important. Each packet falls through the filters until it has either satisfied all of the criteria for admittance or is kicked out by a filter. Improper placement of filters causes unexpected and unwanted results. The final two lines in Exhibit 8-3-4's sample filter description are the fail-safe mechanism that prevents unknown and unwanted packets from entering the network. These lines are the key to the "allow nothing except" strategy. Their placement is vital to the success of the firewall.

Assessing the Pros and Cons

Advantages of the packet filtering approach include:
The packet filtering approach also has its disadvantages. For example:
Packet filtering gateways may provide sufficient protection for sites that are running their applications on operating systems such as Novell NetWare and Microsoft Windows NTAS, which are less accessible to network hackers than UNIX-based operating systems. UNIX-based network managers should view packet filters as one tool in their protective arsenal.
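To make the first-match, fall-through evaluation and the role of the fail-safe lines concrete, here is a small rule evaluator written as an added example (it is not from the book or from any router's filter language). It models the inbound ACK, nonprivileged-port and deny-all lines the text describes; the exhibit's first line is not reproduced on the page, so the outbound "allow" is an assumption, and the packets are constructed samples.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    """Fields the filter inspects (constructed model, not a real parser)."""
    direction: str     # "in" (toward the protected LAN) or "out"
    proto: str         # "tcp" or "udp"
    dport: int         # destination port
    ack: bool = False  # TCP ACK flag set

@dataclass(frozen=True)
class Rule:
    """One line of the filter description; None means 'match any'."""
    action: str                     # "allow" or "deny"
    direction: Optional[str] = None
    proto: Optional[str] = None
    min_dport: int = 0              # matches only if dport >= min_dport
    ack: Optional[bool] = None

    def matches(self, p: Packet) -> bool:
        return ((self.direction is None or self.direction == p.direction)
                and (self.proto is None or self.proto == p.proto)
                and p.dport >= self.min_dport
                and (self.ack is None or self.ack == p.ack))

def evaluate(rules: List[Rule], p: Packet) -> str:
    """First match wins: the packet falls through the list until a rule
    claims it. A packet that matches no line at all is dropped."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"

# Rule set modelled on the lines the text describes; the exhibit's first line
# is not on the page, so the outbound allow is an assumption.
POLICY = [
    Rule("allow", direction="out"),                        # assumed line 1
    Rule("allow", direction="in", proto="tcp", ack=True),  # replies to clients
    Rule("allow", direction="in", min_dport=1024),         # nonprivileged ports
    Rule("deny", proto="tcp"),                             # fail-safe lines
    Rule("deny", proto="udp"),
]
# The same lines with the fail-safe rules misplaced ahead of the allows.
MISORDERED = POLICY[3:] + POLICY[:3]

# Constructed sample packets.
REPLY = Packet("in", "tcp", dport=40000, ack=True)  # server reply to an internal client
TELNET_SYN = Packet("in", "tcp", dport=23)          # new inbound connection attempt
```

With the fail-safe lines moved to the top, `evaluate(MISORDERED, REPLY)` drops the legitimate reply, which is the misplacement the text warns about; note also that the third line, as the text describes it, passes any fresh inbound connection to a port at or above 1024, one reason the book treats packet filters as a single tool rather than a complete defense.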
Use of this site is subject to certain Terms & Conditions. Copyright (c) 1996-1999 EarthWeb, Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of EarthWeb is prohibited.