Introduction
A packet-filtering firewall examines each packet that crosses the firewall and
tests it against a set of rules that you set up. If the packet passes the test, it is
allowed through. If it does not, it is discarded, either dropped silently or rejected
with an error response, depending on how the rule is written.
Packet filters are the least expensive type of firewall. As a result, packet-filtering
firewalls are very common. However, packet filtering has a number of flaws that
knowledgeable hackers can exploit. As a result, packet filtering by itself doesn’t make
for a fully effective firewall.
Packet filters work by inspecting the source and destination IP addresses in the IP
header and the source and destination port numbers in the TCP or UDP header of each
packet. Port numbers identify the service for which a packet is intended: the
well-known port for HTTP is 80, so an incoming packet headed for an HTTP server will
normally carry 80 as its destination port.
Background
One of the biggest weaknesses of packet filtering is that a stateless packet filter
trusts the packet header to tell the truth about where the packet came from and where
it is going. Attackers exploit this weakness with IP spoofing: they write a forged
source IP address into the packets they send to your network, so that a rule which
permits traffic from that address lets the forged packets through. Ingress filtering
(dropping packets that arrive on the external interface with a source address from
your own internal range) catches the crudest cases, but a filter cannot tell a
genuine external address from a spoofed one.
Packet filters are very efficient. They delay each inbound and outbound packet
only briefly while they read the source and destination addresses and ports from its
headers; the filter then applies its rules and either forwards or discards the
packet. In contrast, other firewall techniques, such as application proxies that must
reassemble and parse the data stream, have a more noticeable performance overhead.
Packet filters are almost completely transparent to users. The only time a user
will be aware that a packet-filtering firewall is in use is when the firewall
discards packets. Other firewall techniques, such as application proxies, may require
clients and/or servers to be specially configured to work with the firewall.
Packet filters are inexpensive. Most routers include built-in packet filtering.
When a packet filter restricts access to a resource based on the source IP address,
it cannot verify whether the packets really originate from that device or from a host
or router spoofing the source address. A transparent proxy illustrates this problem
well. A transparent proxy frequently runs on a masquerading or NAT host that is
connected to the Internet. This machine intercepts outbound connections for a
particular protocol (e.g. HTTP) and impersonates the real server to the client. The
client may have a packet filter limiting outbound connections to a single IP and port
pair, but because the proxy answers using the real server's address and port, the
client's filter sees nothing unusual and the transparent proxy still operates on the
outbound connection.
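The following is an added example, not code from the original document. It implements a toy stateless packet filter of the kind described above (rules matched against the source and destination address and port fields in the headers), then shows how a source-address rule is defeated by a spoofed source address, and what an ingress anti-spoofing check does and does not catch. The interface names, addresses, rule set and sample packets are all constructed for the demonstration.

```python
# Added example (not code from the original page): a toy stateless packet
# filter that decides on IP/port header fields alone. It shows why a rule
# keyed on the source address can be defeated by IP spoofing, and what an
# ingress anti-spoofing check can and cannot catch. Interface names,
# addresses, rules and packets are all constructed for the demonstration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on: "wan" or "lan" (assumed names)
    src: str     # source IP address exactly as written in the IP header
    dst: str     # destination IP address
    proto: str   # "tcp" or "udp"
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str = "0.0.0.0/0"       # source network (default: any)
    dst: str = "0.0.0.0/0"       # destination network (default: any)
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        # Only header fields are consulted: the filter has no way of knowing
        # whether p.src is genuine.
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


# Constructed policy: the web server 192.168.1.10 is public on port 80, but its
# SSH port is reachable only from the internal LAN and from one trusted admin host.
INTERNAL_NET = ip_network("192.168.1.0/24")
RULES = [
    Rule("allow", dst="192.168.1.10/32", proto="tcp", dport=80),
    Rule("allow", src="192.168.1.0/24", dst="192.168.1.10/32", proto="tcp", dport=22),
    Rule("allow", src="198.51.100.7/32", dst="192.168.1.10/32", proto="tcp", dport=22),
    Rule("deny"),  # default deny
]


def filter_packet(rules: List[Rule], p: Packet) -> str:
    """Plain packet filtering: the first matching rule decides."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


def ingress_check(p: Packet) -> Optional[str]:
    """Anti-spoofing ingress filter: a packet arriving from the Internet can
    never legitimately carry one of our own internal source addresses."""
    if p.iface == "wan" and ip_address(p.src) in INTERNAL_NET:
        return "deny"
    return None  # no opinion; fall through to the rule set


def decide(rules: List[Rule], p: Packet) -> str:
    """Ingress check first, then the ordinary rule set."""
    return ingress_check(p) or filter_packet(rules, p)


# Constructed traffic arriving on the external interface.
WEB_FROM_INTERNET = Packet("wan", "203.0.113.5", "192.168.1.10", "tcp", 80)
SSH_FROM_INTERNET = Packet("wan", "203.0.113.5", "192.168.1.10", "tcp", 22)
SSH_SPOOFED_LAN = Packet("wan", "192.168.1.20", "192.168.1.10", "tcp", 22)   # forged LAN source
SSH_SPOOFED_ADMIN = Packet("wan", "198.51.100.7", "192.168.1.10", "tcp", 22)  # forged admin source

if __name__ == "__main__":
    for name, p in [("web from Internet", WEB_FROM_INTERNET),
                    ("ssh from Internet", SSH_FROM_INTERNET),
                    ("ssh, spoofed LAN src", SSH_SPOOFED_LAN),
                    ("ssh, spoofed admin src", SSH_SPOOFED_ADMIN)]:
        print(f"{name:24} rules only: {filter_packet(RULES, p):5}  "
              f"with ingress check: {decide(RULES, p)}")
```

The rule set alone admits both spoofed SSH packets. The ingress check catches the one that forges an internal address, because no genuine packet with that source can arrive on the external interface, but it cannot help with the packet that forges the external admin host's address: a header field is all the filter has. (For TCP the spoofer does not receive the replies, which limits what it can do with the connection, but the filter itself still lets the packets through.)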
A packet filter makes no effort to validate the contents of a data stream, so data
passed through a packet filter may be bogus, invalid or otherwise incorrect. The packet
filter only verifies that the network layer datagrams are correctly addressed and
well-formed. Many security devices, including firewalls, therefore include support for
application-aware proxies, which can validate the data stream for the protocol they
understand. Proxies are often integrated with packet filters to give a firewall that
works at both the network layer and the application layer.
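To make the difference concrete, here is an added example (not code from the original document) contrasting the two checks for traffic to the HTTP port. The packet-level verdict looks only at the destination port; the application-aware check parses the payload as an HTTP/1.x request and rejects anything that is not one. The allowed-method list and the sample payloads are constructed for the demonstration.

```python
# Added example (not code from the original page). A packet filter admits any
# bytes addressed to port 80; an application-aware proxy parses the payload
# as HTTP/1.x and rejects what is not a well-formed request. The method policy
# and sample payloads are constructed for the demonstration.
import re
from typing import Tuple

# HTTP/1.x request line: METHOD SP request-target SP HTTP/1.x
REQUEST_LINE = re.compile(rb"([A-Z]{3,10}) (\*|/[\x21-\x7e]*) HTTP/1\.[01]")
# Header field: token ":" OWS printable-value (no CR or LF inside a value)
HEADER = re.compile(rb"([!#$%&'*+.^_`|~0-9A-Za-z-]+):[ \t]*([\x20-\x7e\t]*)")
ALLOWED_METHODS = {b"GET", b"HEAD", b"POST"}  # assumed proxy policy


def packet_filter_verdict(dport: int) -> str:
    """All a layer-3/4 filter can do: is the destination port permitted?"""
    return "allow" if dport == 80 else "deny"


def proxy_verdict(payload: bytes) -> Tuple[bool, str]:
    """Application-aware check on the bytes the packet filter waved through."""
    head, sep, _body = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    m = REQUEST_LINE.fullmatch(lines[0])
    if not m:
        return False, "not an HTTP/1.x request line"
    if m.group(1) not in ALLOWED_METHODS:
        return False, "method not permitted"
    if not sep:
        return False, "incomplete header block"
    names = set()
    for line in lines[1:]:
        h = HEADER.fullmatch(line)
        if not h:
            return False, "malformed header"  # catches bare CR/LF in values
        names.add(h.group(1).lower())
    if b"host" not in names:
        return False, "missing Host header"
    return True, "ok"


# Constructed payloads, all sent to destination port 80.
GOOD_REQUEST = (b"GET /index.html HTTP/1.1\r\n"
                b"Host: www.example.com\r\n"
                b"User-Agent: demo\r\n\r\n")
SSH_BANNER = b"SSH-2.0-OpenSSH_9.3\r\n"             # a non-HTTP protocol on port 80
TRACE_REQUEST = b"TRACE / HTTP/1.1\r\nHost: x\r\n\r\n"
INJECTED_HEADER = b"GET / HTTP/1.1\r\nHost: x\r\nX-Bad: a\rb\r\n\r\n"
NO_HOST = b"GET / HTTP/1.1\r\nUser-Agent: demo\r\n\r\n"

if __name__ == "__main__":
    for name, payload in [("good request", GOOD_REQUEST), ("ssh banner", SSH_BANNER),
                          ("TRACE", TRACE_REQUEST), ("injected header", INJECTED_HEADER),
                          ("no Host", NO_HOST)]:
        ok, why = proxy_verdict(payload)
        print(f"{name:16} packet filter: {packet_filter_verdict(80)}  "
              f"proxy: {'allow' if ok else 'reject'} ({why})")
```

Every one of these payloads gets the same "allow" from the port-based check; only the proxy, which understands the protocol, can tell a real request from an SSH banner, a disallowed method or a malformed header. That is the layering the paragraph above describes.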
Proposed solution/changes
Recommendation
When you need to allow remote access from outside to a service on your network,
place that service in a DMZ (Demilitarized Zone): a separate network segment between
the Internet and the internal network, so that the exposed host can be reached from
outside without being given direct access to internal hosts. Many software and home
firewalls offer a simpler "DMZ host" option, which designates one host behind the
gateway as the DMZ and forwards all unsolicited inbound traffic to it. That host is
then fully exposed, so it should run only the intended service and must not be trusted
by the internal network.