The Power of Packet Filtering

Without a firewall of some sort, an organization's network is wide open to access by anyone connected to the same public network. Packet filtering is one of the most common methods of building a TCP/IP firewall. This technique lets you control the movement of IP packets according to the packet contents.

Packet filtering filters IP packets based on a set of rules you define at a router or other packet-forwarding device, such as a Windows NT server. You can key packet-filtering rules to a combination of host address, protocol, application, direction of connection, and message type. The specifics of implementing packet-filtering rules depend on your particular equipment and vendor.

To understand packet-filtering operation, you need to understand the relationship between the TCP/IP protocol layers. You also need to know how packet filtering relates specifically to various TCP/IP protocols and have some guidelines for filtering IP packets.

The TCP/IP Protocol Stack
Figure 1, page 84, shows the three layers of the TCP/IP protocol stack involved in packet filtering. The entire TCP/IP stack comprises four layers.

The network access protocols define the network infrastructure over which TCP/IP communication occurs. Protocols in the Network Access layer include all deployed network topologies and technologies, including dedicated and dial-up point-to-point links, asymmetric digital subscriber line (ADSL), asynchronous transfer mode (ATM), frame relay, and all LANs. Figure 1 doesn't include the Network Access layer because the layer is irrelevant to the discussion of packet filtering.

The Internet layer is roughly equivalent to the Open System Interconnection (OSI) Network layer and is responsible primarily for routing. IP is the protocol for device-to-device communication, such as host-to-router and router-to-router. Packet-filtering rules typically apply to IP and the protocols carried in IP datagrams.

The Transport layer is roughly equivalent to the OSI Transport layer and is responsible for host-to-host communications. The communications protocols for this layer are TCP and UDP, which provide a connection-oriented (virtual circuit) and connectionless (datagram) service, respectively. An IP packet carries a TCP segment or UDP datagram. (As Figure 1 shows and we discuss later, some non-Transport layer protocols also place their data directly into an IP packet.)

The Application layer defines the higher-layer user application protocols, such as HTTP for the Web and SMTP and POP for email. Each application protocol is associated with one or both of the Transport layer protocols.

Packet Filtering and IP
All TCP/IP packet filtering starts with an IP packet. Three IP packet fields are crucial to filtering. The source address is the 32-bit IP address of the host that sent the packet and generated the information in it. The destination address is the 32-bit IP address of the intended destination host expected to receive the packet and the information the packet carries. The Protocol Identifier (PID) is the identifier of the protocol information the IP packet carries. You can base packet filtering on any or all of these fields. Using the source or destination address, for example, you can block all packets from an address or set of addresses, and you can route to a set of addresses those packets you let enter.

Of interest is the PID field. An IP packet carries data directly for many protocols, including

• Internet Control Message Protocol (ICMP)—an essential part of IP that carries IP-related error and informational messages (PID=1)
• TCP—connection-oriented, reliable host-to-host communication (PID=6)
• UDP—connectionless, unreliable host-to-host communication (PID=17)
• Generic Routing Encapsulation (GRE)—an encapsulation protocol commonly used in VPNs (PID=47)
• IP Encapsulating Security Payload (ESP)—part of the IP Security (IPSec) protocol suite that provides data encryption and authentication of data origin (PID=50)
• IP Authentication Header (AH)—part of IPSec that authenticates the origin of the packet's data (PID=51)
• Open Shortest Path First (OSPF)—the primary routing protocol for internal IP network routing (PID=89)

The Internet Assigned Numbers Authority (IANA) maintains a list of all protocol numbers at http://www.isi.edu/in-notes/iana/assignments/protocol-numbers.

You need to know which protocols you need to filter at your site and which your packet-filtering device supports. Some packet filters allow filtering based only on higher-layer protocols already known to the filter's software; others let you specify the PID and thus filter based on new or unknown protocols.

   Previous  [1]  2  Next