
Instructor: Prof. Michael P. Harris

ITSC 2401 – Firewalls and Network Security

Chapter 4: Packet Filtering

LECTURE NOTES



Understanding Packets and Packet Filtering


Some common rules for packet filtering include:


    1. Drop all inbound connections; allow only outbound connections on Ports 80 (HTTP), 25 (SMTP), and 21 (FTP).

    2. Eliminate packets bound for all ports that should not be available to the Internet.

    3. Filter out any ICMP redirect or echo (ping) messages.

    4. Drop all packets that use the IP header source routing feature.





Devices That Perform Packet Filtering


The following hardware devices and software programs perform packet filtering:


Packet Filtering:


  • Routers

  • Operating systems

  • Software firewalls





A Quick Tutorial on Packet Filtering


Packet filtering is the procedure by which packet headers are inspected by a router or firewall to make a decision on whether to let the packet pass. The packet-filtering device evaluates the information in the header and compares it to the rules that have been set up.


Anatomy of a Packet


TCP/IP provides for the transmission of data in small, manageable chunks called packets. Note that each packet contains the following header information:


IP Packet Header Information:


  • Version

  • Internet Header Length

  • Type of Service

  • Total Length

  • Identification

  • Flags

  • Fragment Offset

  • Time to Live (TTL)

  • Protocol

  • Header Checksum

  • Source Address

  • Destination Address

  • Options

  • Data




The Use of Rules


Norton Internet Security 2002’s built-in firewall has an easy way to identify computers on the local network: it puts them in a list of machines in a trusted zone. Note that other firewall programs require you to set up rules yourself. Typically, you start with a protocol such as ICMP, UDP, or HTTP. Your first rule may well be to block all traffic that uses that protocol on all ports. In subsequent rules, you identify types of communications you want to permit, based on time of day, port, IP address, or other criteria.


Approaches to Packet Filtering


The sections that follow explore different approaches to filtering packets based on selected header contents.


Stateless Packet Filtering


  1. A stateless filter looks at each packet’s header individually. It compares the header data against its rule base and forwards only those packets that match a rule. For instance, if the filter has been assigned a rule stating that all connections from outside the network are to be blocked and it receives a request from an external host, it drops the packet(s) associated with that request.


  2. A stateless filter has no means of remembering the packets that preceded the one it is examining. Some years ago, when packet filters first appeared, this was an adequate level of security. It is now inadequate, because hackers can do IP spoofing and insert false information into a packet header.


  3. The following table shows some filtering rules that combine IP addresses and port numbers to control how hosts gain access to an internal network:


Protocol  Transport Protocol  Source IP    Source Port  Destination IP  Destination Port  Action
HTTP      TCP                 Any          Any          192.168.0.1     80                Allow
HTTPS     TCP                 Any          Any          192.168.0.1     443               Allow
Telnet    TCP                 10.0.0.1/24  Any          192.168.0.5     223               Allow



Stateful Packet Filtering


  1. A stateful filter can do everything a stateless filter can but with one significant addition: the ability to maintain a record of the state of a connection. By “remembering” which packets are part of an active connection and which are not, the stateful filter can make “intelligent” decisions to allow traffic that is a true reply to an established connection and to deny traffic that represents “crafted” packets that contain false information.


  2. In addition to a rule base, a stateful filter has a state table, which is a list of current connections. The packet filter compares the packet with the state table as well as the rule base. Entries that match criteria in both the state table and rule base are allowed to pass; all others are dropped.
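The stateless rule table above and the stateful filter just described, side by side in a small added example (not code from the textbook). The rule base keeps the chapter's column layout; the rows marked CONSTRUCTED, the internal client 192.168.0.50 and the outside host 203.0.113.10 are assumptions made for the demonstration.

```python
import ipaddress

# Rule base in the chapter's table layout (protocol, source IP, source port,
# destination IP, destination port, action), evaluated first-fit, default drop.
# Row 1 is the chapter's HTTP rule; the rows marked CONSTRUCTED let inside
# clients browse out, and the last one is the "reply" rule a stateless filter
# needs because it cannot remember which outbound connections exist.
BASE_RULES = [
    ("tcp", "Any", "Any", "192.168.0.1", 80, "allow"),        # HTTP to the web server
    ("tcp", "192.168.0.0/24", "Any", "Any", 80, "allow"),     # CONSTRUCTED: outbound web
]
STATELESS_RULES = BASE_RULES + [
    ("tcp", "Any", 80, "192.168.0.0/24", "Any", "allow"),     # CONSTRUCTED: replies from port 80
]

def _match(field, value):
    """A rule field is 'Any', an exact value, or a CIDR prefix the value must fall in."""
    if field == "Any" or field == value:
        return True
    return isinstance(field, str) and "/" in field and \
        ipaddress.ip_address(value) in ipaddress.ip_network(field, strict=False)

def lookup(rules, pkt):
    """Header-only, first-fit lookup with no memory of earlier packets."""
    for proto, sip, sport, dip, dport, action in rules:
        if (pkt["proto"] == proto and _match(sip, pkt["src_ip"]) and _match(sport, pkt["src_port"])
                and _match(dip, pkt["dst_ip"]) and _match(dport, pkt["dst_port"])):
            return action
    return "drop"

class StatefulFilter:
    """Rule base plus a state table of connections already admitted."""
    def __init__(self):
        self.state = set()   # (src_ip, src_port, dst_ip, dst_port) of admitted connections

    def decide(self, pkt):
        fwd = (pkt["src_ip"], pkt["src_port"], pkt["dst_ip"], pkt["dst_port"])
        rev = (pkt["dst_ip"], pkt["dst_port"], pkt["src_ip"], pkt["src_port"])
        if rev in self.state:                       # genuine reply to a recorded connection
            return "allow"
        if pkt["syn"] and lookup(BASE_RULES, pkt) == "allow":   # new connection permitted by a rule
            self.state.add(fwd)
            return "allow"
        return "drop"

def demo():
    """Constructed traffic: a real web session, then a crafted 'reply' aimed at SSH."""
    sf = StatefulFilter()
    out = dict(proto="tcp", src_ip="192.168.0.50", src_port=40000, dst_ip="203.0.113.10", dst_port=80, syn=True)
    back = dict(proto="tcp", src_ip="203.0.113.10", src_port=80, dst_ip="192.168.0.50", dst_port=40000, syn=False)
    crafted = dict(back, dst_port=22, syn=True)  # source port 80 forged to look like a reply
    return {name: (lookup(STATELESS_RULES, p), sf.decide(p)) for name, p in
            [("out", out), ("reply", back), ("crafted", crafted)]}
```

`demo()` returns, per packet, the stateless and the stateful verdict: the forged packet passes the stateless filter because its header fits the reply rule, while the stateful filter drops it because no matching connection is in the state table.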


Filtering Based on Packet Contents


Some stateful firewalls are able to examine the contents of packets as well as the headers for signs that they are legitimate. Such content filtering is sometimes called stateful inspection. For example, active FTP might use a variety of different ports that are determined on the fly as a session is initiated. A stateless or stateful packet filter that supports active FTP must allow all traffic coming from TCP Port 20 as well as outbound traffic coming from ports above 1023. However, a stateful inspection looks at the data part of the FTP command packets and can determine which ports are to be used for this session; instead of opening all possible FTP ports, the packet filter opens ports as needed. After the session is done, the ports are again closed.
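An added example (not the textbook's code) of the active-FTP stateful inspection just described: the filter reads the client's PORT command on the control channel, opens a pinhole for only that data connection, and closes it when the session ends. The session ids, the client 192.168.0.50 and the server 203.0.113.10 are assumptions; control traffic on TCP port 21 is assumed to be allowed by an ordinary rule.

```python
import re

# Stateful inspection of the FTP control channel: learn the data port from the
# client's PORT command, open a pinhole for that one server:20 -> client:port
# connection, and remove it again when the control session ends.
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?\n?$")

def parse_port(line):
    """'PORT h1,h2,h3,h4,p1,p2' -> (ip, port) with port = p1*256 + p2, else None."""
    m = PORT_RE.match(line)
    if not m:
        return None
    n = [int(x) for x in m.groups()]
    if max(n) > 255:
        return None
    return ".".join(map(str, n[:4])), n[4] * 256 + n[5]

class FtpInspector:
    def __init__(self):
        # (server_ip, client_ip, client_port) -> id of the control session that opened it
        self.pinholes = {}

    def control_payload(self, session, line):
        """Inspect one client->server control line; open a pinhole for a valid PORT."""
        parsed = parse_port(line)
        if parsed is None:
            return False
        ip, port = parsed
        # Honour only ephemeral ports on the host that sent the command: a PORT
        # naming some other address would make the server connect to a third party.
        if ip != session["client_ip"] or port <= 1023:
            return False
        self.pinholes[(session["server_ip"], ip, port)] = session["id"]
        return True

    def allow_data(self, src_ip, src_port, dst_ip, dst_port):
        """Active-mode data connection: from the server's port 20 to an announced port only."""
        return src_port == 20 and (src_ip, dst_ip, dst_port) in self.pinholes

    def close_session(self, sid):
        """Control session finished: drop every pinhole it opened."""
        self.pinholes = {k: v for k, v in self.pinholes.items() if v != sid}

def ftp_demo():
    """Constructed session: PORT opens 192.168.0.50:50000, nothing else, and it closes after."""
    insp = FtpInspector()
    sess = {"id": 1, "client_ip": "192.168.0.50", "server_ip": "203.0.113.10"}
    opened = insp.control_payload(sess, "PORT 192,168,0,50,195,80\r\n")   # 195*256 + 80 = 50000
    announced = insp.allow_data("203.0.113.10", 20, "192.168.0.50", 50000)
    other = insp.allow_data("203.0.113.10", 20, "192.168.0.50", 50001)
    insp.close_session(1)
    after_close = insp.allow_data("203.0.113.10", 20, "192.168.0.50", 50000)
    return opened, announced, other, after_close
```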


Setting Specific Packet Filter Rules


The trick in coming up with packet filter rules is to account for all possible ports that a type of communication might use or for all variations within a particular protocol (for instance, passive and active FTP, or standard HTTP and secure HTTP). Some of this comes by trial and error. For instance, an employee complains that he or she can’t communicate with someone using MSN Messenger, and you adjust the packet filter’s rule base accordingly (after consulting the security policy, of course).



Packet Filter Rules That Block Ping Packets


The most common command that uses ICMP is Packet Internet Groper (commonly called ping). The command determines whether a host is reachable on the network. To prevent hackers from using the ping command to identify some of your resources, you need to establish specific ICMP rules that cover common ICMP messages. The following table provides some rules that enable you to send and receive the ICMP packets you need while blocking those that open your internal hosts to intruders.


Rule  Protocol       Transport Protocol  Source IP       Destination IP  ICMP Message             Action
1     ICMP Inbound   ICMP                Any             Any             Source Quench            Allow
2     ICMP Outbound  ICMP                192.168.2.1/24  Any             Echo Request             Allow
3     ICMP Inbound   ICMP                Any             192.168.2.1/24  Echo Reply               Allow
4     ICMP Inbound   ICMP                Any             192.168.2.1/24  Destination Unreachable  Allow
5     ICMP Inbound   ICMP                Any             192.168.2.1/24  Service Unavailable      Allow
6     ICMP Inbound   ICMP                Any             192.168.2.1/24  Time To Live (TTL)       Allow
7     ICMP Inbound   ICMP                Any             192.168.2.1/24  Echo Request             Drop
8     ICMP Inbound   ICMP                Any             192.168.2.1/24  Redirect                 Drop
9     ICMP Outbound  ICMP                192.168.2.1/24  Any             Echo Reply               Drop
10    ICMP Outbound  ICMP                192.168.2.1/24  Any             TTL Exceeded             Drop
11    ICMP Block     ICMP                Any             Any             All                      Drop



Packet Filter Rules That Enable Web Access


The first priority of employees in a protected network is (not surprisingly) to be able to surf the Web and exchange e-mail messages. The rules for accessing the Web need to cover both standard HTTP traffic on TCP Port 80 as well as Secure HTTP (HTTPS) traffic on TCP Port 443.


Packet Filter Rules That Enable DNS


To connect to Web sites, the employees in our sample organization need to be able to resolve the fully qualified domain names (FQDNs) they enter, such as course.com, to their corresponding IP addresses using the Domain Name System (DNS). Internal users connect to external hosts using a DNS server located in the DMZ of the security perimeter. DNS uses either UDP Port 53 or TCP Port 53 for connection attempts. In addition, you need to set up rules that enable external clients to access computers in your own network using the same TCP and UDP ports.


Packet Filter Rules That Enable FTP


FTP transactions can be either of the active or the passive variety. The rules you set up for FTP need to support two separate connections: TCP Port 21, which is the FTP Control port, and TCP Port 20, which is the FTP Data port.


Packet Filter Rules That Enable E-Mail

E-mail service is one of the most essential forms of communication in both personal and office environments. Yet, setting up firewall rules that permit the filtering of e-mail messages is not trivial. One reason is the variety of e-mail protocols that might be used:


    1. Post Office Protocol version 3 (POP3) and Internet Message Access Protocol version 4 (IMAP4) for inbound mail transport

    2. Simple Mail Transfer Protocol (SMTP) for outbound mail transport

    3. Lightweight Directory Access Protocol (LDAP) for looking up e-mail addresses

    4. Hypertext Transfer Protocol (HTTP) for Web-based mail service



Class Discussion Topics


  1. Discuss stateless and stateful packet filtering. What are the pros and cons of each approach?

  2. Discuss how a hacker might use IP spoofing to gain access to a company’s network.

  3. Discuss the relevance of filtering based on packet contents rather than the packet header.


Additional Case Projects


  1. Come up with a table of rules for an Internet-accessible Web server assuming the “first fit” approach.

  2. Ask students to come up with a table of packet filter rules for a web-based mail service.

Further Readings or Resources


  1. For information on stateful inspection, see: http://www.webopedia.com/TERM/S/stateful_inspection.html

  2. For an article on IPSec Packet Filtering, see: http://www.windowswebsolutions.com/Articles/Index.cfm?ArticleID=25935


Greg Holden, Guide To Firewalls and Network Security Page 5

Thompson/Course Technology ©2004 ISBN: 0-619-13039-3


