
EC-Council Certified Network Security Administrator

Module XIII: Packet Filtering and Proxy Server
Module Objective

This module will familiarize you with the following concepts:

• Understanding Packet Filtering
• Configuring and Types of Filtering
• Rules for Filtering
• Pros and Cons of Filtering and Flags Used
• Understanding the Proxy Server
• The Authentication Process and Firewalls in the Proxy Server
• Understanding the Security and Benefits of the Proxy Server

Copyright © by EC-Council
EC-Council All Rights reserved. Reproduction is strictly prohibited
Module Flow

• Understanding Packet Filtering
• Configuring and Types of Filtering
• Pros and Cons of Filtering and Flags Used
• Understanding the Proxy Server
• The Authentication Process and Firewalls in the Proxy Server
• Understanding the Security and Benefits of the Proxy Server

Application Layer Gateway

An application layer gateway is also called a proxy server.

It operates at the application layer (layer 7) of the OSI network model.

An application layer gateway provides firewall protection.

It controls network access by establishing proxy services.

It inspects the content of the packet header to decide whether to grant or deny access.

Figure: Application Layer Gateway

Network Address Translation

NAT conceals the TCP/IP information of hosts in the network.

It functions as a network layer proxy, making requests on behalf of all internal hosts on the network.

It converts the IP addresses of internal hosts to the IP address of the firewall.

The NAT-equipped firewall receives the request and replaces the genuine (internal) IP address with its own.

Network Address Translation (cont’d)

Figure: Network Address Translation. A private network of hosts 11.0.0.1 through 11.0.0.6 sits behind a router (11.0.0.2) and a firewall whose public address is 24.44.8.0. When host 11.0.0.3 sends a request, the server on the Internet sees the request as coming from 24.44.8.0, not from 11.0.0.3.
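The translation the figure describes, as an added example that is not part of the EC-Council module: a minimal source-NAT table of the kind a NAT-equipped firewall keeps. Outbound packets get the firewall's address and a fresh public port; replies are mapped back only if a matching entry exists, so unsolicited inbound packets are dropped. The addresses are sample values taken from the figure (private 11.0.0.x hosts, firewall 24.44.8.0); the packet dictionaries and the `Nat` class are assumptions of this example.

```python
from dataclasses import dataclass, field

FIREWALL_IP = "24.44.8.0"   # public address of the firewall, as in the figure


@dataclass
class Nat:
    """Source NAT: hide internal (ip, port) pairs behind one public address."""
    public_ip: str
    next_port: int = 40000                       # first translated port handed out
    outbound: dict = field(default_factory=dict)  # (int_ip, int_port) -> public port
    inbound: dict = field(default_factory=dict)   # public port -> (int_ip, int_port)

    def translate_outbound(self, pkt: dict) -> dict:
        """Rewrite the source of an internal host's packet to the firewall's address."""
        key = (pkt["src_ip"], pkt["src_port"])
        if key not in self.outbound:             # first packet of this flow: allocate a port
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[port] = key
        out = dict(pkt)
        out["src_ip"] = self.public_ip
        out["src_port"] = self.outbound[key]
        return out

    def translate_inbound(self, pkt: dict):
        """Map a reply back to the internal host; return None when nothing asked for it."""
        key = self.inbound.get(pkt["dst_port"])
        if key is None or pkt["dst_ip"] != self.public_ip:
            return None                          # unsolicited: no internal host opened this flow
        back = dict(pkt)
        back["dst_ip"], back["dst_port"] = key
        return back


if __name__ == "__main__":
    nat = Nat(FIREWALL_IP)
    # constructed packet: host 11.0.0.3 (from the figure) talking to a web server
    request = {"src_ip": "11.0.0.3", "src_port": 1087,
               "dst_ip": "203.0.113.10", "dst_port": 80}
    print(nat.translate_outbound(request))
```

Because the inbound table is consulted before anything is forwarded, the NAT device doubles as a coarse inbound filter: the server only ever sees 24.44.8.0, and a packet addressed to a public port that no internal host opened has nowhere to go.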


Packet Filtering

Packet filters monitor the data packets entering the network.

A packet filter checks the packet header, conceals it with a new header, and then sends the packet to its intended location in the network.

Some typical packet filter rules:

• Outbound connections on HTTP, SMTP, and FTP are accepted
• Internet-related traffic can be accessed
• Alert when an attacker tries to find open ports
• Data packets that carry the IP source routing option in the header must be discarded

Approaches to Packet Filtering

Stateless (static) Packet Filtering

• Reviews packet header contents and decides whether to allow or discard the packets
• Can block traffic from a subnet or other specified traffic

Stateful Packet Filtering (Stateful Inspection)

• Maintains connection status while performing all the functions of stateless packet filtering
Packet Sequencing

Data is transmitted in small packets, each with a unique sequence number.

This is called packet sequencing.

TCP/IP rearranges the packets back into the original file format before passing the data on.

The packets also carry a timestamp so that they can be fully identified.

If the packets are not reordered into the proper sequence, the entire message is discarded or is of no use.

Packet Prioritization

Packet prioritization is a widely used technique for packet conditioning.

Specific information or a marking is placed on the packet which specifies:
• Priority of the packet
• Resources used by it
• Memory
• Share of bandwidth with respect to its priority

When congestion occurs, the priority of the packets is used to decide which packet is to be dropped.
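The drop decision described above, as an added example that is not part of the EC-Council module: a bounded output queue that, when full (congestion), discards the lowest-priority packet, whether that is the newcomer or one already waiting. The queue class, its capacity and the priority numbers are assumptions of this example; a larger number means a more important packet.

```python
from itertools import count


class PriorityQueue:
    """Bounded queue that drops the lowest-priority packet under congestion.

    Entries are kept sorted as (-priority, arrival_seq, packet), so the head of
    the list is the most important, oldest packet and the tail is the least
    important, newest one: the natural victim when the queue overflows.
    """

    def __init__(self, capacity):
        self.capacity = capacity
        self._q = []
        self._seq = count()       # arrival order, to keep FIFO within one priority
        self.dropped = []         # record of discarded packets (for accounting)

    def enqueue(self, packet, priority):
        """Queue the packet; return False if congestion forced a drop."""
        self._q.append((-priority, next(self._seq), packet))
        self._q.sort()
        if len(self._q) > self.capacity:
            victim = self._q.pop()[2]   # lowest priority, latest arrival
            self.dropped.append(victim)
            return False
        return True

    def drain(self):
        """Transmit everything in priority order (highest first)."""
        out = [entry[2] for entry in self._q]
        self._q.clear()
        return out


if __name__ == "__main__":
    q = PriorityQueue(capacity=3)
    # constructed traffic: (packet label, priority marking)
    for pkt, prio in [("a", 1), ("b", 3), ("c", 2), ("d", 3), ("e", 2)]:
        q.enqueue(pkt, prio)
    print("sent:", q.drain(), "dropped:", q.dropped)
```

With capacity 3, packet "d" (priority 3) pushes out "a" (priority 1), and "e" (priority 2) is itself dropped because "c" holds the same priority but arrived earlier.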
EC-Council All Rights reserved. Reproduction is strictly prohibited
Packet Fragmentation

The working of fragmentation: the datagram is split into smaller packets for transmission, and these are reassembled at the receiving host.

Fragmentation of packets is necessary because beneath the IP protocol various physical and logical protocols, each with its own maximum frame size, carry the packets across the network.

The exception to this rule is when the Internet datagram is marked ‘don’t fragment’.

Any Internet datagram that has the ‘don’t fragment’ bit set is never fragmented; if it cannot be delivered intact, it is discarded.

Packet Fragmentation (cont’d)

Figure: Packet Fragmentation


Analyzing Packet Fragmentation

Using fragmentation, an attacker can manage to get past the firewall.

Attackers break into networks because of the way fragments are reassembled, not because of fragmentation itself.

The fragmented packets share the same header portion, but the fragment fields (offset and more-fragments bit) differ in each.
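Fragmentation, the ‘don’t fragment’ rule, and the reassembly problem from the two slides above, as one added example that is not part of the EC-Council module. The `fragment` function splits a payload into IP-style fragments (offset in 8-byte units, more-fragments flag) and refuses to split a datagram marked don't-fragment; the `Reassembler` rebuilds a datagram only once every byte is accounted for and rejects any fragment that overlaps one already received, since a legitimate sender never produces overlapping fragments and a firewall that silently accepts them is reassembling something it never inspected. The `Fragment` record and the MTU values are assumptions of this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    ident: int      # Identification field shared by all fragments of one datagram
    offset: int     # Fragment Offset, in 8-byte units
    mf: bool        # More Fragments flag
    df: bool        # Don't Fragment flag
    data: bytes


def fragment(ident, payload, mtu, df=False):
    """Split payload so each fragment's data fits the MTU.

    Returns None when the datagram is marked don't-fragment and does not fit:
    the datagram is discarded rather than split.
    """
    if len(payload) <= mtu:
        return [Fragment(ident, 0, False, df, payload)]
    if df:
        return None
    step = mtu - mtu % 8            # every fragment but the last carries a multiple of 8 bytes
    frags = []
    for start in range(0, len(payload), step):
        chunk = payload[start:start + step]
        more = start + step < len(payload)
        frags.append(Fragment(ident, start // 8, more, False, chunk))
    return frags


class Reassembler:
    """Collect fragments per identification and rebuild the datagram.

    Overlapping fragments are rejected outright: the sender's own fragments
    never overlap, and accepting them would let a later fragment rewrite data
    an earlier one already carried past an inspection point.
    """

    def __init__(self):
        self.buffers = {}   # ident -> {start_byte: data}
        self.total = {}     # ident -> datagram length, known once the MF=0 fragment arrives

    def add(self, frag):
        """Return the reassembled payload when complete, else None; raise on overlap."""
        buf = self.buffers.setdefault(frag.ident, {})
        start = frag.offset * 8
        end = start + len(frag.data)
        for s, d in buf.items():
            if start < s + len(d) and s < end:
                raise ValueError(f"overlapping fragment id={frag.ident} bytes {start}-{end}")
        buf[start] = frag.data
        if not frag.mf:
            self.total[frag.ident] = end
        if frag.ident in self.total:
            covered = sum(len(d) for d in buf.values())
            if covered == self.total[frag.ident]:      # no gaps (overlaps were refused)
                data = b"".join(buf[k] for k in sorted(buf))
                del self.buffers[frag.ident], self.total[frag.ident]
                return data
        return None


if __name__ == "__main__":
    payload = b"A" * 20 + b"B" * 20 + b"C" * 10     # constructed 50-byte datagram
    frags = fragment(1, payload, mtu=20)
    print([(f.offset, f.mf, len(f.data)) for f in frags])
    r = Reassembler()
    print([r.add(f) is not None for f in reversed(frags)])   # completes on the last one
```

A real reassembler also ages out incomplete buffers, so that a flood of fragments that never complete cannot exhaust memory; that timer is omitted here to keep the overlap check in focus.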

Signature Analysis

Signature analysis is based on the simple concept of string matching, which is also known as pattern matching.

The incoming packets are matched byte by byte.

The signature can also contain a key phrase or the trigger of a command which is associated with an attack.

If the data matches the string, an alert is generated; otherwise the data is checked against the next signature on the list.

Signature analysis concentrates on specific attacks against known or identified weak points.
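The byte-by-byte matching described above, as an added example that is not part of the EC-Council module. `match_bytes` spells out the comparison (`bytes.find` would do the same), `inspect` walks the signature list and stops at the first hit, and `StreamInspector` keeps the tail of the previous segment so that a pattern split across two packets is still caught, which a filter that examines each packet in isolation would miss. The signature list is constructed for illustration and is not a real IDS rule set.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: bytes


# Constructed sample signatures: byte strings associated with common probes.
SIGNATURES = [
    Signature("directory-traversal", b"../.."),
    Signature("shell-path-probe", b"/bin/sh"),
    Signature("sql-tautology-probe", b"' OR 1=1--"),
]


def match_bytes(payload: bytes, pattern: bytes) -> int:
    """Byte-by-byte search; return the offset of the first match or -1."""
    n, m = len(payload), len(pattern)
    for i in range(n - m + 1):
        j = 0
        while j < m and payload[i + j] == pattern[j]:
            j += 1
        if j == m:
            return i
    return -1


def inspect(payload: bytes, signatures=SIGNATURES):
    """Check signatures in list order; alert on the first match, else None."""
    for sig in signatures:
        off = match_bytes(payload, sig.pattern)
        if off != -1:
            return {"alert": sig.name, "offset": off}
    return None


class StreamInspector:
    """Per-connection matcher that remembers the last (longest pattern - 1)
    bytes of the previous segment, so a split pattern is still matched."""

    def __init__(self, signatures=SIGNATURES):
        self.signatures = signatures
        self.keep = max(len(s.pattern) for s in signatures) - 1
        self.carry = b""

    def feed(self, segment: bytes):
        data = self.carry + segment
        hit = inspect(data, self.signatures)
        self.carry = data[-self.keep:] if self.keep else b""
        return hit


if __name__ == "__main__":
    # constructed request payloads
    print(inspect(b"GET /index.html HTTP/1.0"))
    print(inspect(b"GET /../../etc/passwd HTTP/1.0"))
    s = StreamInspector()
    print(s.feed(b"GET /.."), s.feed(b"/../etc/passwd HTTP/1.0"))
```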
Stateful Packet Filtering

Stateful packet filtering comes in two forms: generic and checkpoint.

Flags in stateful packet filtering specify whether the session is starting or closing.

It maintains records of the state of each connection.

It also maintains a state table that lists the current connections.

It consults the state table and the rule base when a packet is encountered.

It permits packets based on previously accepted packets.

Stateful Packet Filtering (cont’d)

Figure: Stateful Packet Filtering. The steps shown in the figure:

1. Host attempts to connect to www.course.com
2. Router checks the state table and sees that no connection exists; a state entry is created and the request is passed to the rule base
3. A rule that internal hosts may access TCP/80 exists; packets are allowed to pass through
4. Packets are received by the course.com Web server; a SYN/ACK reply is sent to the firewall
5. Reply packets are received; the state table entry is referenced
6. Packets are allowed to pass

State table entry shown in the figure:
Source IP: www.course.com
Source port: 70
Destination IP: 10.0.0.6
Destination port: 1087
Transport: TCP
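The six steps above, as an added example that is not part of the EC-Council module: a small stateful filter whose state table is consulted before the rule base, so the returning SYN/ACK is allowed because of the outbound SYN that preceded it and not because of any rule, while an unsolicited SYN/ACK with no table entry is refused. The rule base, the internal address range (taken from the figure's 10.0.0.6) and the `Packet` record are assumptions of this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    flags: frozenset      # TCP flag names, e.g. {"SYN"}; empty for non-TCP


INTERNAL_PREFIX = "10.0.0."   # assumption: internal hosts live in 10.0.0.0/24

# Rule base: internal hosts may open TCP connections to port 80 (step 3 of the figure).
RULES = [{"direction": "out", "proto": "TCP", "dst_port": 80, "action": "allow"}]


class StatefulFilter:
    def __init__(self, rules=RULES):
        self.rules = rules
        # state table: (src_ip, src_port, dst_ip, dst_port, proto) of accepted connections
        self.table = set()

    def _direction(self, pkt):
        return "out" if pkt.src_ip.startswith(INTERNAL_PREFIX) else "in"

    def _rule_allows(self, pkt):
        d = self._direction(pkt)
        return any(r["direction"] == d and r["proto"] == pkt.proto
                   and r["dst_port"] == pkt.dst_port and r["action"] == "allow"
                   for r in self.rules)

    def check(self, pkt):
        fwd = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        rev = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
        # 1. state table first: packets of a known connection pass in either direction
        if fwd in self.table or rev in self.table:
            if "RST" in pkt.flags:                # session closing: drop the entry
                self.table.discard(fwd)
                self.table.discard(rev)
            return "allow"
        # 2. no state: only a connection-opening SYN may consult the rule base
        if pkt.proto == "TCP" and pkt.flags == frozenset({"SYN"}) and self._rule_allows(pkt):
            self.table.add(fwd)                   # state entry created (step 2)
            return "allow"
        return "deny"


if __name__ == "__main__":
    fw = StatefulFilter()
    # constructed exchange modelled on the figure (server address is a sample value)
    syn = Packet("10.0.0.6", 1087, "203.0.113.5", 80, "TCP", frozenset({"SYN"}))
    synack = Packet("203.0.113.5", 80, "10.0.0.6", 1087, "TCP", frozenset({"SYN", "ACK"}))
    print(fw.check(syn), fw.check(synack), fw.table)
```

A production filter also removes entries after the FIN exchange and on idle timeout; here only RST clears an entry, to keep the table logic short.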
Stateless Packet Filtering

Stateless packet filtering decides, packet by packet, whether to permit or block the data transfer.

It can totally block the transfer of data packets from a subnet to other networks.

Stateless packet filtering is configured on the basis of:
• IP header information.
• The TCP/UDP port number in use.
• The ICMP message type.
• TCP control flags such as ACK and SYN, and fragmentation flags.
• Filtering of suspicious inbound packets.
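The rule criteria above, together with the sample rules from the earlier Packet Filtering slide (outbound HTTP/SMTP/FTP accepted, source-routed datagrams discarded), as an added example that is not part of the EC-Council module. Each rule is a predicate over header fields; the first match wins and anything unmatched is denied. The internal subnet, the packet record and the interface labels are assumptions of this example. The inbound "ACK set" rule shows the limit of stateless filtering: with no state table, it has to trust the flag bits in the packet itself.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Pkt:
    src: str
    dst: str
    proto: str                    # "TCP", "UDP" or "ICMP"
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()  # TCP flag names
    icmp_type: int = -1
    source_route: bool = False    # IP source routing option present in the header
    iface: str = "ext"            # "ext": arrived from the Internet; "int": from the LAN


INTERNAL = ipaddress.ip_network("192.0.2.0/24")   # assumption: the protected subnet


def rule(match, action):
    return (match, action)


RULES = [
    # suspicious inbound: source-routed datagrams are discarded outright
    rule(lambda p: p.source_route, "deny"),
    # spoofing: a packet from the Internet that claims an internal source address
    rule(lambda p: p.iface == "ext" and ipaddress.ip_address(p.src) in INTERNAL, "deny"),
    # ICMP message type: block inbound echo requests (type 8), allow the rest
    rule(lambda p: p.proto == "ICMP" and p.iface == "ext" and p.icmp_type == 8, "deny"),
    rule(lambda p: p.proto == "ICMP", "allow"),
    # outbound HTTP, SMTP and FTP connections from the LAN are accepted
    rule(lambda p: p.iface == "int" and p.proto == "TCP" and p.dport in (80, 25, 21), "allow"),
    # replies to those services: inbound TCP from the service port with ACK set
    rule(lambda p: p.iface == "ext" and p.proto == "TCP" and "ACK" in p.flags
         and p.sport in (80, 25, 21), "allow"),
    # inbound connection attempts (SYN without ACK) are denied
    rule(lambda p: p.iface == "ext" and p.proto == "TCP" and "SYN" in p.flags
         and "ACK" not in p.flags, "deny"),
]


def filter_packet(p, rules=RULES):
    """First matching rule decides; no match means deny (default deny)."""
    for match, action in rules:
        if match(p):
            return action
    return "deny"


if __name__ == "__main__":
    # constructed packets: an outbound web request and its reply
    out = Pkt("192.0.2.10", "203.0.113.1", "TCP", 1025, 80, frozenset({"SYN"}), iface="int")
    back = Pkt("203.0.113.1", "192.0.2.10", "TCP", 80, 1025, frozenset({"SYN", "ACK"}))
    print(filter_packet(out), filter_packet(back))
```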

Dynamic Packet Filtering

Dynamic packet filtering is done using information from the current packet as well as from previous packets.

Filtering in a dynamic packet filter is based on:

• The IP addresses and ports allowed by the administrator at the network and transport layers.
• The connection state, determined by examining the prior packets tracked in the firewall.
• The contents of the application layer.

Advantages of Filtering

Advantages of filtering:

• Packet filters are ready to install.
• One screening router can help protect an entire network.
• Simple packet filtering is efficient.
• Packet filtering is widely available.
• Packet filtering operates at the level of the network routers and is therefore transparent to the end user.
• Implementing a packet filter security system is less complicated than other network security measures.

Disadvantages of Filtering

Disadvantages of packet filtering:

• Data is exposed and susceptible to compromise, as packet filtering forces direct network-to-network connections.
• Packet filters cannot cope with large, complicated rule sets.
• Packet filter rules, once configured, are hard to test.
• If the packet filters have bugs in them, they may allow packets that were previously denied.

Transmission Control Protocol (TCP)

TCP is a connection-oriented, end-to-end reliable protocol.

It is designed to fit into a layered hierarchy of protocols that support multi-network applications.

TCP provides reliable inter-process communication between pairs of processes in host computers.

There are six different flags used in the TCP header:
• URG
• ACK
• PSH
• RST
• SYN
• FIN
Transmission Control Protocol (cont’d)

Figure: TCP Header Format


TCP: URG Flag

URG is the urgent flag, which goes with the urgent pointer field; it identifies the incoming segment as urgent.

The urgent pointer is mostly used during a stream of data transfer.

If data processing halts because of a transmission error, an abort signal is sent with URG set, and it is processed first.

If the URG flag is set to ‘1’, the remote machine does not wait for the other segments; the abort is processed first.

TCP: ACK Flag

ACK is the acknowledgement flag, which serves as a receipt for the successful delivery of a packet.

If the flow of packets is traced, there are many cases where the acknowledgement follows the send or receive signal.

When a packet is received, the workstation sets the ACK flag bit to ‘1’ and sends it back to the sender.

There are some cases where the sender wants only one acknowledgement for several packets sent.

This process is called windowing.

TCP: PSH Flag

PSH is the PUSH flag of TCP.

Whenever a host sends data, that data is temporarily queued in the TCP buffer.

The segments should be of a certain size so that the data transfer is as efficient as possible.

Small segments are not sent separately; they are combined to form a larger one, without wasting bandwidth and time.

The PUSH flag is set on the last segment of the file so that the buffered data is delivered at once and deadlocks are prevented.
TCP: RST Flag

RST is the reset flag, used when a packet arrives at a host to establish a connection and there is no service ready to answer.

The host rejects or discards that packet and sends a reply with the RST flag set, which indicates that the remote host has reset the connection.

This reset behaviour is used by hackers to scan for open ports.

TCP: SYN Flag

SYN is the synchronization flag, used to synchronize the two hosts before the data transfer.

The three-way handshake requires the SYN flag to be sent first.

Before the connection is established, the SYN flag is sent to the remote host, which sends it back together with the ACK flag, and then the connection is established.

Figure: Three-way Handshake


TCP: FIN Flag

The FIN (finished) flag comes with the last packet and helps in tearing down the connection.

A host can still receive data after the connection has been closed from one side.

After the connection is closed from both sides, the buffer held for the connection is also released.

The flow of data in TCP is bidirectional, which is why this procedure is followed.

User Datagram Protocol (UDP)

UDP works at the transport layer of the OSI model.

It offers a limited amount of service and is an alternative to TCP.

UDP is unreliable because it lacks the error detection and correction (acknowledgement and retransmission) that TCP provides.

The UDP header consists of four fields, each 2 bytes long:
• Source port
• Destination port
• UDP length
• UDP checksum
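The six TCP flags from the preceding slides and the four UDP header fields above, as one added example that is not part of the EC-Council module: the fixed 20-byte TCP header and the 8-byte UDP header are packed and unpacked with `struct`, and `classify` labels a segment the way a filter reads its flag bits (SYN alone opens, SYN/ACK accepts, RST resets, FIN tears down). The builder functions and sample field values are assumptions of this example; the field layout follows the standard TCP and UDP header formats.

```python
import struct

# Flag bits in the 6-bit control field of the TCP header
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
TCP_FMT = "!HHIIBBHHH"   # ports, seq, ack, data offset/reserved, flags, window, checksum, urgent
UDP_FMT = "!HHHH"        # source port, destination port, length, checksum


def build_tcp_header(sport, dport, seq, ack, flags, window=65535, urg=0):
    """Pack a 20-byte TCP header (no options; checksum left zero)."""
    bits = 0
    for name in flags:
        bits |= TCP_FLAGS[name]
    data_offset = 5 << 4          # 5 x 32-bit words, in the high nibble
    return struct.pack(TCP_FMT, sport, dport, seq, ack, data_offset, bits, window, 0, urg)


def parse_tcp_header(raw: bytes) -> dict:
    """Decode the fixed part of a TCP header into named fields."""
    if len(raw) < 20:
        raise ValueError("short TCP header")
    sport, dport, seq, ack, off_res, bits, window, csum, urg = struct.unpack(TCP_FMT, raw[:20])
    return {
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
        "header_len": (off_res >> 4) * 4,
        "flags": {name for name, bit in TCP_FLAGS.items() if bits & bit},
        "window": window, "checksum": csum, "urgent_pointer": urg,
    }


def build_udp_header(sport, dport, payload: bytes):
    """Pack a UDP header in front of payload; length covers header plus data."""
    return struct.pack(UDP_FMT, sport, dport, 8 + len(payload), 0) + payload


def parse_udp_header(raw: bytes) -> dict:
    if len(raw) < 8:
        raise ValueError("short UDP header")
    sport, dport, length, csum = struct.unpack(UDP_FMT, raw[:8])
    return {"src_port": sport, "dst_port": dport, "length": length,
            "checksum": csum, "payload": raw[8:length]}


def classify(flags) -> str:
    """What the segment is doing, read from its flag bits as a filter would."""
    if flags == {"SYN"}:
        return "connection request"
    if flags == {"SYN", "ACK"}:
        return "connection accepted"
    if "RST" in flags:
        return "reset"
    if "FIN" in flags:
        return "teardown"
    if "ACK" in flags:
        return "established"
    return "unusual"   # combinations no normal stack sends; worth logging


if __name__ == "__main__":
    # constructed sample: opening SYN from port 1087 to a web server
    hdr = build_tcp_header(1087, 80, seq=1000, ack=0, flags={"SYN"})
    print(parse_tcp_header(hdr), classify(parse_tcp_header(hdr)["flags"]))
    print(parse_udp_header(build_udp_header(53, 33000, b"abcd")))
```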

Proxy Server

The proxy server works as a shield: it protects and hides the computer from the outside network.

The proxy sends and receives the encapsulated packets on behalf of specific applications.

For a group of users, performance can be increased by using proxy servers.

The proxy server can also be used for filtering requests.

Restrictions can also be applied per user, for example to block a website.

Proxy Server (cont’d)

Figure: Proxy Server


Role of Proxy Server

An internal host requests a web site.

The request enters the proxy server, which examines the header and packet content against the rule base.

The proxy server reconstructs the data packet with a different source IP address.

The proxy server transmits the packet to the target address, concealing the actual end user who made the request.

When a data packet is returned, it is again sent to the proxy server to be checked against the rule base.

The returned packet is reconstructed by the proxy server and sent to the source computer.
Transparent Proxies

A transparent proxy is a proxy that the client system connects through without being aware of it.

The transparent proxy works on port 80.

With a transparent proxy, all the web clients have to be configured manually.

Transparent proxies have some disadvantages: for example, it is not possible to automatically detect FTP or HTTPS connections.

Most networks have routers which connect the internal LAN to the Internet.

Non-transparent Proxy

A “non-transparent proxy” is a proxy that modifies the request or response.

It provides some added service to the user agent:

• Group annotation services
• Media type transformation
• Protocol reduction
• Anonymity filtering

A non-transparent proxy deployment is one in which the client is made aware of the proxy’s existence.

The entire requested URL, including the host name, is sent to the proxy.
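The difference between the two deployments, and the request filtering from the Role of Proxy Server slide, as one added example that is not part of the EC-Council module. A non-transparent (proxy-aware) client sends the whole URL in the request line, so the proxy reads the target host from it; an intercepted (transparent) client sends only a path, so the proxy has to recover the host from the Host header, which only works for plaintext HTTP, matching the slide's note that HTTPS cannot be detected automatically. The rule base, the user names and the log format are assumptions of this example.

```python
from urllib.parse import urlsplit

# Constructed rule base: sites blocked for everyone, and extra blocks per user.
BLOCKED_HOSTS = {"blocked.example"}
PER_USER_BLOCKS = {"intern": {"social.example"}}


def parse_request(raw: bytes) -> dict:
    """Parse an HTTP/1.x request and work out which host it is for."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if target.startswith("http://") or target.startswith("https://"):
        # non-transparent: the client knows about the proxy and sends the full URL
        u = urlsplit(target)
        host = u.hostname
        port = u.port or (443 if u.scheme == "https" else 80)
        path, mode = u.path or "/", "non-transparent"
    else:
        # transparent: only a path arrives; the host must come from the Host header
        host_hdr = headers.get("host")
        if not host_hdr:
            raise ValueError("intercepted request without a Host header")
        host, _, port_str = host_hdr.partition(":")
        port = int(port_str) if port_str else 80
        path, mode = target, "transparent"
    return {"method": method, "version": version, "host": host, "port": port,
            "path": path, "mode": mode, "headers": headers}


def decide(req: dict, user: str) -> str:
    """Apply the rule base: global blocklist first, then per-user restrictions."""
    if req["host"] in BLOCKED_HOSTS or req["host"] in PER_USER_BLOCKS.get(user, set()):
        return "deny"
    return "allow"


def log_line(req: dict, user: str, decision: str, client_ip: str) -> str:
    """One elaborate log entry per request: who asked for what, and the verdict."""
    return (f'{client_ip} {user} {req["method"]} {req["mode"]} '
            f'{req["host"]}:{req["port"]}{req["path"]} {decision}')


if __name__ == "__main__":
    # constructed requests: one proxy-aware, one intercepted
    aware = b"GET http://www.example.com/index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    intercepted = b"GET /index.html HTTP/1.1\r\nHost: blocked.example\r\n\r\n"
    for raw in (aware, intercepted):
        req = parse_request(raw)
        print(log_line(req, "alice", decide(req, "alice"), "10.0.0.6"))
```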
SOCKS Proxy

SOCKS is an IETF (Internet Engineering Task Force) standard.

It is a proxy system which supports proxy-aware applications.

The SOCKS package includes the following components:

• A SOCKS server for the specified operating system
• A client program such as FTP, telnet, or an Internet browser
• A client library for SOCKS

The SOCKS proxy server does not allow external network components to collect information about the client which generated the request.

Authentication Process

Authentication is the process of identifying users and providing network services based on their identity.

Types of authentication:

• Basic authentication: the server matches the username-password pair supplied by the client
• Challenge-response authentication: the firewall generates a random code or number, termed a challenge, which the client must answer
• Centralized authentication service: it handles the three practices:
  • Authentication
  • Authorization
  • Auditing
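The first two authentication types above, as an added example that is not part of the EC-Council module. `basic_auth` decodes the `user:password` pair a client sends and compares it against a stored password hash; `ChallengeResponse` issues a random challenge and accepts only an answer keyed on that challenge, and each challenge is consumed once, so a captured answer cannot be replayed. The credential store, salt and iteration count are constructed for illustration and are assumptions of this example.

```python
import base64
import hashlib
import hmac
import secrets

_SALT = b"constructed-salt"      # a real store uses a random salt per user
_ITERATIONS = 50_000


def _derive(password: str) -> bytes:
    """Password -> stored verifier (PBKDF2-SHA256); plaintext is never kept."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)


# Constructed credential store: username -> verifier
USERS = {"alice": _derive("correct horse")}


def make_basic_header(user: str, password: str) -> str:
    """What a client sends: 'Basic ' + base64('user:password')."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def basic_auth(header_value: str):
    """Basic authentication: return the user name if the pair matches, else None."""
    scheme, _, b64 = header_value.partition(" ")
    if scheme != "Basic":
        return None
    try:
        user, _, password = base64.b64decode(b64).decode().partition(":")
    except Exception:
        return None
    stored = USERS.get(user)
    if stored is not None and hmac.compare_digest(stored, _derive(password)):
        return user
    return None


class ChallengeResponse:
    """The firewall side: hand out a random challenge, check the keyed answer."""

    def __init__(self):
        self.pending = {}   # user -> outstanding challenge

    def challenge(self, user: str) -> bytes:
        c = secrets.token_bytes(16)
        self.pending[user] = c
        return c

    def verify(self, user: str, response: bytes) -> bool:
        c = self.pending.pop(user, None)        # one-time: a second use of the answer fails
        if c is None or user not in USERS:
            return False
        expected = hmac.new(USERS[user], c, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_answer(user: str, password: str, challenge: bytes) -> bytes:
    """The client side: answer = HMAC(verifier derived from the password, challenge)."""
    return hmac.new(_derive(password), challenge, hashlib.sha256).digest()


if __name__ == "__main__":
    print(basic_auth(make_basic_header("alice", "correct horse")))
    fw = ChallengeResponse()
    c = fw.challenge("alice")
    print(fw.verify("alice", client_answer("alice", "correct horse", c)))
```

Basic authentication sends the reusable pair itself, so it only makes sense over an encrypted channel; challenge-response sends nothing a listener could reuse, which is why firewalls that authenticate users on the wire prefer it.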

Application Proxy Firewall

An application proxy is software that can be installed on any operating system.

It accepts authorized information and inspects the data for vulnerabilities.

An application proxy operates as a substitute for the host.

It accepts the requests made and forwards them to the corresponding locations.

Application Proxy Firewall (cont’d)

Figure: Application Proxy on a Dual-Homed Host. A dual-homed host running the application proxy gateway has two interfaces, 190.32.24.1 and 180.34.23.1: one faces the router on the Internet side and the other faces the LAN gateway on the internal side.
Security and Access Control

To prevent unauthorized IP packets from entering the network, disable IP forwarding.

To disable IP forwarding:

• Step 1: Click Start, point to Settings, and then click Control Panel.
• Step 2: Double-click Network.
• Step 3: On the Protocols tab, click TCP/IP Protocol, and then click Properties.
• Step 4: On the Routing tab, click to clear the Enable IP Forwarding check box, and then click OK.

Reverse Proxies

Routing, DNS, or network address translation at the firewall redirects web content requests from unknown (external) clients to the reverse proxy.

The reverse proxy checks its cache to process the request and sends the content to the unknown client.

Another security layer can be created for the network's data by placing the reverse proxy in the demilitarized zone.

How Proxy Servers Differ From Packet Filtering

A proxy server scans the complete data part of the IP packets and creates elaborate log file listings.

It restructures packets with new source IP information, which protects internal users from outsiders.

A server on the Internet and an internal host are never directly connected to one another.

It is more vital to network communications.

Summary

The application layer gateway ensures firewall protection.

Packet filters monitor the data packets entering the network.

The fragmented packets have the same header portion, but the fragment fields (offset and more-fragments bit) differ in each.

Signature analysis is based on the simple concept of string matching, which is also known as pattern matching.

Stateful packet filtering comes in two forms: generic and checkpoint.
