Malware and Intrusion

Detection

Chapter Five
Packet Filtering
 Overview
• Describe packets and packet filtering
• Explain the approaches to packet filtering
• Configure specific filtering rules based on business
needs

Guide to Firewalls and VPNs, 3rd Edition 2

 Introduction
• Packets
– Discrete blocks of data
– Basic unit of data handled by a network
• Network traffic is broken down into packets for
network transmission
– Then reassembled into its original form at its
destination
• Packet filter
– Hardware or software that blocks or allows
transmission of information packets based on criteria

Guide to Firewalls and VPNs, 3rd Edition 3

 Understanding Packets and Packet
Filtering
• Packet filter
– Acts like a doorman in a very popular night club
– Reviews the packet header before sending it on its
way to a specific location within the network

Guide to Firewalls and VPNs, 3rd Edition 4

 Packet-Filtering Devices
• Routers:
– Most common packet filters
• Operating systems
– Built-in utilities can filter packets on the TCP/IP stack
of the server software
• Software firewalls
– Most enterprise-level programs filter packets
• Firewall appliances
– Standalone hardware and software devices that
have self-contained components
Guide to Firewalls and VPNs, 3rd Edition 5
 Anatomy of a Packet
• Part of Transport Control Protocol/Internet Protocol
(TCP/IP)
• Provides for the transmission of data in small,
manageable chunks
• Start as messages developed by the higher-level
protocols
– Format it into usable data sets
• Lower-networking protocols take packets and
break them into frames
– Coded as electronic pulses on the media
Guide to Firewalls and VPNs, 3rd Edition 6
 Anatomy of a Packet (cont’d.)
• Each packet consists of two parts:
– Header
• Contains information that is normally only read by
computers
– Data
• Part that end users actually see

Guide to Firewalls and VPNs, 3rd Edition 7

 Figure 5-1 Firewall View of Packet Data
@ Cengage Learning 2012

Guide to Firewalls and VPNs, 3rd Edition 8

 Anatomy of a Packet (cont’d.)
• Header of an IP packet
– https://www.youtube.com/watch?v=Ti4q9o3NBNw
– Version: identifies the version of IP that was used to
generate the packet
– Internet Header Length: describes the length of the
header in 32-bit words
– Type of Service: indicates which of four service
options is used to transmit the packet:
• Minimize delay, maximize throughput, maximize
reliability, and minimize cost

Guide to Firewalls and VPNs, 3rd Edition 9

 Anatomy of a Packet (cont’d.)
– Total Length: 16-bit field gives the total length of the
packet
– Identification: 16-bit value aids in the division of the
data stream into packets of
– Information Flags: 3-bit value tells whether this
packet is a fragment
– Fragment Offset: If the data received is a fragment,
indicates where the fragment belongs in the
sequence of fragments
• So that packet can be reassembled

Guide to Firewalls and VPNs, 3rd Edition 10

 Anatomy of a Packet (cont’d.)
– Time to Live (TTL): 8-bit value identifies the
maximum time the packet can remain in the system
before it is dropped
– Protocol: identifies the IP protocol that was used in
the data portion of the packet
– Header Checksum: summing up of all the 16-bit
values in the packet header in a single value
– Source IP Address: address of the computer or
device that sent the IP packet

Guide to Firewalls and VPNs, 3rd Edition 11

 Anatomy of a Packet (cont’d.)
– Destination IP Address: address of the computer or
device that is to receive the IP packet
– Options: can contain a security field, as well as
several source routing fields
– Data: part that the end user actually sees
– Trailer or footer: contains data that indicates the end
of the packet (optional)

Guide to Firewalls and VPNs, 3rd Edition 12

 Technical Details
The Binary Connection
• Actual packets sent and received across the
Internet are encoded into binary
– Just 1s and 0s
• Example:
– Time to Live (TTL): 8-bit value
– In binary, packet’s life can be between 00000001
and 11111111
• Between 1 and 255 hops (also referred to as device
transfers)

Guide to Firewalls and VPNs, 3rd Edition 13

 Technical Details
The Binary Connection (cont’d.)

Guide to Firewalls and VPNs, 3rd Edition 14

 Packet-Filtering Rules
• “Allow” rules
– Packet is allowed to pass
• “Deny” rules
– Packet is dropped
• Packet filters only examine packet headers

Guide to Firewalls and VPNs, 3rd Edition 15

 Packet-Filtering Rules (cont’d.)
• Common rules for packet filtering:
– Drop all inbound connections except connection
requests for configured servers
– Eliminate packets bound for all ports that should not
be available to the Internet
– Filter out any ICMP redirect or echo (ping) messages
– Drop all packets that use the IP header source
routing feature

Guide to Firewalls and VPNs, 3rd Edition 16

 Packet-Filtering Rules (cont’d.)
• Small-scale, software-only personal firewall
– Should set up an access list that includes all of the
computers in your local network by name or IP
address so communications can flow between them
• Easy way to identify computers on the local
network
– Put them in a list of machines in a trusted zone
• Block all the traffic that uses protocol on all ports
– Add specific ports or programs that enable only the
functionality that is needed

Guide to Firewalls and VPNs, 3rd Edition 17

 Figure 5-3 Trust Rules
@ Cengage Learning 2012

Guide to Firewalls and VPNs, 3rd Edition 18

 Figure 5-4 Adding Rules
@ Cengage Learning 2012
Guide to Firewalls and VPNs, 3rd Edition 19
 Packet-Filtering Methods
• Stateless packet filtering
– Reviews packet header content
– Allow or drop the packets based on whether a
connection has actually been established between
an external host and an internal one
• Stateful packet filtering
– Maintains a record of the state of a connection and
can thus make informed decisions
• Packet filtering
– Based on the contents of the data part of a packet
and the header
Guide to Firewalls and VPNs, 3rd Edition 20
 Stateless Packet Filtering
• Stateless packet filters
– Useful for completely blocking traffic from a subnet
or other network
• Filtering on IP header criteria
– Compares the header data against its rule base and
forwards each packet as a rule is found to match
– Acknowledgement (ACK) flag
• Indicates destination computer has received the
packets that were previously sent
• Can be used to determine connection status

Guide to Firewalls and VPNs, 3rd Edition 21

 Figure 5-5 TCP Flags
@ Cengage Learning 2012

Guide to Firewalls and VPNs, 3rd Edition 22

 Stateless Packet Filtering (cont’d.)
• Source IP address
– First IP header criteria you can filter on
– Allow only certain source IP addresses to access
your resources
• Destination IP address
– Enable external hosts to connect to your public
servers in the DMZ, but not to hosts in the internal
LAN
• Protocol
– Specify which protocols are available

Guide to Firewalls and VPNs, 3rd Edition 23

 Stateless Packet Filtering (cont’d.)

Table 5-1 Filtering by Destination IP and Port Number

Guide to Firewalls and VPNs, 3rd Edition 24

 Stateless Packet Filtering (cont’d.)
• IP protocol ID field
– Internet Group Management Protocol (IGMP)
enables a computer to identify its multicast
• Options
– Rarely used
• Filtering by TCP or UDP port number
– Called port filtering or protocol filtering
– Helps filter a wide variety of information

Guide to Firewalls and VPNs, 3rd Edition 25

 Stateless Packet Filtering (cont’d.)
• Filtering by ICMP message type
– Internet Control Message Protocol (ICMP)
• General management protocol for TCP/IP
• Used to diagnose various communication problems
and communicate certain status information
– A firewall/packet filter must be able to determine,
based on message type, whether an ICMP packet
should be allowed to pass
– Common ICMP message types are shown in Table
5-2

Guide to Firewalls and VPNs, 3rd Edition 26

 Stateless Packet Filtering (cont’d.)

Table 5-2 ICMP Message Types

Guide to Firewalls and VPNs, 3rd Edition 27

 Stateless Packet Filtering (cont’d.)
• Filtering by fragmentation flags
– TCP or UDP port number appears only in fragments
numbered 0
– Should have the firewall reassemble fragmented
packets before making the admit/drop decision
• Filtering by ACK flag
– Configure the firewall to allow packets with the ACK
bit set to 1 to access
• Only the ports you specify
• Only in the direction you want

Guide to Firewalls and VPNs, 3rd Edition 28

 Stateless Packet Filtering (cont’d.)
• Filtering suspicious inbound packets
– If a packet arrives at the firewall from the external
network but contains an IP address that is inside the
network
• Firewall should send an alert message
– Most firewalls customize rules to work with all ports
or all protocols

Guide to Firewalls and VPNs, 3rd Edition 29

 Stateless Packet Filtering (cont’d.)

Figure 5-6 Firewall Alert

@ Cengage Learning 2012

Guide to Firewalls and VPNs, 3rd Edition 30

 Stateful Packet Filtering
• Stateful filter
– Can do everything a stateless filter can
– Also has ability to maintain a record of the state of a
connection
• Powerful enterprise firewalls do stateful packet
filtering
• State table
– List of current connections

Guide to Firewalls and VPNs, 3rd Edition 31

 Figure 5-8 Stateful Packet Filtering
@ Cengage Learning 2012

Guide to Firewalls and VPNs, 3rd Edition 32

 Stateful Packet Filtering (cont’d.)
• Stateful packet filtering limitations
– Inspects only header information and doesn’t verify
the packet data
– Filter might let in traffic that is bound for the well-
known port but block traffic bound for other ports

Guide to Firewalls and VPNs, 3rd Edition 33

 Filtering Based on Packet Content
• Some traffic uses packets that are difficult to filter
reliably for various reasons
• Stateful inspection
– Examine both the contents of packets and the
headers for signs that they are legitimate
• Proxy gateway
– Looks at the data within a packet and decides which
application should handle it
• Specialty firewall
– Looks at the body of e-mail messages or Web pages
for profanities or other content identified as offensive
Guide to Firewalls and VPNs, 3rd Edition 34
 Setting Specific Packet Filter Rules
• Establish packet-filter rules that control traffic to
various resources
• Block potentially harmful packets
• Pass packets that contain legitimate traffic

Guide to Firewalls and VPNs, 3rd Edition 35

 Best Practices for Firewall Rules
• Firewall device is never accessible directly from the
public network
• Simple Mail Transport Protocol (SMTP) data
– Allowed to pass through the firewall, but all of it is
routed to a well-configured SMTP gateway
• All Internet Control Message Protocol (ICMP) data
denied
• Telnet access to all internal servers from the public
networks is blocked

Guide to Firewalls and VPNs, 3rd Edition 36

 Best Practices for Firewall Rules
(cont’d.)
• HTTP traffic
– Prevented from reaching the internal networks via
the implementation of some form of proxy access or
DMZ architecture
• Test all firewall rules before they are placed into
production use

Guide to Firewalls and VPNs, 3rd Edition 37

 Rules That Cover Multiple Variations
• Packet-filter rules
– Account for all possible ports that a type of
communication might use or for all variations within a
particular protocol
– Created and modified as a result of trial and error
• Figure 5-9
– Typical LAN that is protected by a firewall and two
routers
– Rules allow Web, FTP, e-mail, and other services
while blocking potentially harmful packets from
getting to the internal LAN
Guide to Firewalls and VPNs, 3rd Edition 38
 Rules That Cover Multiple Variations
(cont’d.)

Figure 5-9 Sample Network

@ Cengage Learning 2012

Guide to Firewalls and VPNs, 3rd Edition 39

 Rules for ICMP Packets
• ICMP packets
– Easily forged
– Used to redirect other communications
• Packet Internet Groper (commonly called ping)
– Determines if a host is unreachable on the network
• Establish specific ICMP commands
• Table 5-3
– Rules to send and receive needed ICMP packets
– While blocking those that open internal hosts to
intruders
Guide to Firewalls and VPNs, 3rd Edition 40
 Rules for ICMP Packets (cont’d.)

Table 5-3 ICMP Packet Filter Rules

Guide to Firewalls and VPNs, 3rd Edition 41

 Rules for ICMP Packets
Rule 1 (Source Quench): Lets external hosts tell your internal hosts if
the network is saturated.

Rule 2(Echo Request): Gives your computers the ability to ping external
computers.

Rule 3(Echo Reply): Enables your computers to receive ping replies

from external hosts.

Rule 4(Destination Unreachable): Lets your hosts receive packets

stating that an external resource is unreachable.

Rule 5(Service Unavailable): Lets your hosts receive packets stating

that an external resource is unavailable.

Rule 6(Time to Live Exceeded): Lets your hosts know that an exterior
resource is too many hops away.
Guide to Firewalls and VPNs, 3rd Edition 42
 Rules for ICMP Packets
Rule 7(Echo Request): Blocks ping packets that might be used to locate
internal hosts.

Rule 8(Redirect): Prevent attackers or others from changing your

routing tables, which are data stored in the router about network routes
that this device uses or knows about that it keeps handy for ready
reference as it makes routing decisions.

Rule 9(Echo Reply): Prevents attackers from receiving replies to ping

requests.

Rule 10(Time to Live Exceeded): Prevent attackers from determining

the number of hops inside your network.

Rule 11(ICMP Block): After setting your rules, drops all other ICMP
packets for extra security.

Guide to Firewalls and VPNs, 3rd Edition 43

 Rules That Enable Web Access
• Cover
– Standard HTTP traffic on TCP Port 80
– Secure HTTP (HTTPS) traffic on TCP Port 443
• Table 5-4
– Rules for Internet-accessible Web server in test
network

Guide to Firewalls and VPNs, 3rd Edition 44

 Rules That Enable Web Access
(cont’d.)

Table 5-4 HTTP Access Rules

Guide to Firewalls and VPNs, 3rd Edition 45

 Rules That Enable DNS
• Employees need to be able to resolve the fully
qualified domain names (FQDNs)
• Domain Name System (DNS)
– Uses either UDP Port 53 or TCP Port 53 for
connection attempts
• Table 5-5
– Rules that enable external clients to access
computers in own network using the same TCP and
UDP ports

Guide to Firewalls and VPNs, 3rd Edition 46

 Rules That Enable DNS (cont’d.)

Table 5-5 Rules That Enable DNS Resolution

Guide to Firewalls and VPNs, 3rd Edition 47

 Technical Details
DNS
• Domain Name System (DNS)
– Structure for organizing Internet names associated
with IP addresses
– Facilitates easy remembrance of site locations for
HTTP, FTP, and other services
• Works through a set of servers
– Root servers store the base address
• Provides the IP address of the primary name server
for the organization registered with that domain name
– Name servers also know the location of any specific
devices associated with the tertiary name service
Guide to Firewalls and VPNs, 3rd Edition 48
 Rules That Enable FTP
• FTP transactions
– Either active or passive.
– Support two separate connections:
• TCP Port 21: FTP control port
• TCP 20: FTP data port.
– Client can establish a connection with the FTP
server at any port above 1023
• Table 5-6
– Specify the IP address of your FTP server

Guide to Firewalls and VPNs, 3rd Edition 49

 Rules That Enable FTP (cont’d.)

Table 5-6 Rules to Enable Active and Passive FTP

Guide to Firewalls and VPNs, 3rd Edition 50

 Rules That Enable E-Mail
• Setting up firewall rules that filter e-mail messages
can be difficult
– Large variety of e-mail protocols used
• Table 5-7
– Configuration only uses POP3 and SMTP for
inbound and outbound e-mail, respectively
• Assess:
– Whether your organization needs to accept incoming
e-mail messages at all
– Whether users can access external mail services

Guide to Firewalls and VPNs, 3rd Edition 51

 Rules That Enable E-Mail (cont’d.)

Table 5-7 POP3 and SMTP E-mail Rules

Guide to Firewalls and VPNs, 3rd Edition 52

 Summary
• Packets
– Basic unit of data handled by a network
• Packet filtering
– Can be done by a variety of hardware devices and
software programs: routers, operating systems, or
software firewalls
• Packet-filtering devices
– Evaluate information in packet headers and compare
it to one or more sets of rules that have been
established to conform to network usage policy

Guide to Firewalls and VPNs, 3rd Edition 53

 Summary (cont’d.)
• Stateless packet filtering
– Simplest packet-filtering method
– Reviews packet header content and makes
decisions on whether to allow or drop the packets
• Stateful packet filtering
– More sophisticated and secure method
– Maintains a record of the state of a connection

Guide to Firewalls and VPNs, 3rd Edition 54