The Power of Packet Filtering

[January 2000]
The Power of Packet Filtering
By: Rik J. Dayvie , Gary C. Kessler , Craig T. Martin
Feature
InstantDoc #7735
From the January 2000 edition of Windows IT Pro

Guidelines to securing your server

Without a firewall of some sort, an organization's network is wide open to access by anyone connected to the same public network. Packet filtering is one of the most common methods of building a TCP/IP firewall. This technique lets you control the movement of IP packets according to the packet contents.

Packet filtering filters IP packets based on a set of rules you define at a router or other packet-forwarding device, such as a Windows NT server. You can key packet-filtering rules to a combination of host address, protocol, application, direction of connection, and message type. The specifics of implementing packet-filtering rules depend on your particular equipment and vendor.

To understand packet-filtering operation, you need to understand the relationship between the TCP/IP protocol layers. You also need to know how packet filtering relates specifically to various TCP/IP protocols and have some guidelines for filtering IP packets.

The TCP/IP Protocol Stack
Figure 1, page 84, shows the three layers of the TCP/IP protocol stack involved in packet filtering. The entire TCP/IP stack comprises four layers.

The network access protocols define the network infrastructure over which TCP/IP communication occurs. Protocols in the Network Access layer include all deployed network topologies and technologies, including dedicated and dial-up point-to-point links, asymmetric digital subscriber line (ADSL), asynchronous transfer mode (ATM), frame relay, and all LANs. Figure 1 doesn't include the Network Access layer because the layer is irrelevant to the discussion of packet filtering.

The Internet layer is roughly equivalent to the Open System Interconnection (OSI) Network layer and is responsible primarily for routing. IP is the protocol for device-to-device communication, such as host-to-router and router-to-router. Packet-filtering rules typically apply to IP and the protocols carried in IP datagrams.

The Transport layer is roughly equivalent to the OSI Transport layer and is responsible for host-to-host communications. The communications protocols for this layer are TCP and UDP, which provide a connection-oriented (virtual circuit) and connectionless (datagram) service, respectively. An IP packet carries a TCP segment or UDP datagram. (As Figure 1 shows and we discuss later, some non-Transport layer protocols also place their data directly into an IP packet.)

The Application layer defines the higher-layer user application protocols, such as HTTP for the Web and SMTP and POP for email. Each application protocol is associated with one or both of the Transport layer protocols.

Packet Filtering and IP
All TCP/IP packet filtering starts with an IP packet. Three IP packet fields are crucial to filtering. The source address is the 32-bit IP address of the host that sent the packet and generated the information in it. The destination address is the 32-bit IP address of the intended destination host expected to receive the packet and the information the packet carries. The Protocol Identifier (PID) is the identifier of the protocol information the IP packet carries. You can base packet filtering on any or all of these fields. Using the source or destination address, for example, you can block all packets from an address or set of addresses, and you can route to a set of addresses those packets you let enter.

Of interest is the PID field. An IP packet carries data directly for many protocols, including

Internet Control Message Protocol (ICMP)—an essential part of IP that carries IP-related error and informational messages (PID=1)
TCP—connection-oriented, reliable host-to-host communication (PID=6)
UDP—connectionless, unreliable host-to-host communication (PID=17)
Generic Routing Encapsulation (GRE)—an encapsulation protocol commonly used in VPNs (PID=47)
IP Encapsulating Security Payload (ESP)—part of the IP Security (IPSec) protocol suite that provides data encryption and authentication of data origin (PID=50)
IP Authentication Header (AH)—part of IPSec that authenticates the origin of the packet's data (PID=51)
Open Shortest Path First (OSPF)—the primary routing protocol for internal IP network routing (PID=89)

The Internet Assigned Numbers Authority (IANA) maintains a list of all protocol numbers at http://www.isi.edu/in-notes/iana/assignments/protocol-numbers.

You need to know which protocols you need to filter at your site and which your packet-filtering device supports. Some packet filters allow filtering based only on higher-layer protocols already known to the filter's software; others let you specify the PID and thus filter based on new or unknown protocols.

Prev. page [1] 2 next page

ADS BY GOOGLE

SQL JOB OPENINGSSPONSORED LINKS

SQL Management Made Easy with DBLaunch 4.0!: Wish you could migrate multiple SQL databases with the same time and effort it takes for one? Now you can with DBLaunch. Download a free trial today!

Order Your SharePoint Fundamentals CD!: Learn how to uncover rich information management capabilities with this free SharePoint CD.

FEATURED LINKS

Empower Your Processes with PowerShell 201: Paul Robichaux delves deep into PowerShell how-tos in 3 informative lessons, each followed by live Q&A—all on your own computer! Register today!

SQL Connections, March 22-25, 2009 – Orlando, FL: The first 800 paid attendees receive SQL Server 2008 Standard Edition w/one CAL. Register by January 12 and receive a free night at the JW Marriott (with 3-night stay). For details (203) 268-3204 or 800-438-6720.

Join Today: VIP Monthly Pass: Get online access to ALL of the resources in the Windows IT Pro and SQL Server Magazine network! With your order, you'll also receive a full digital copy of the latest issue of SQL Server Magazine.

	SQL Server Magazine Register Subscribe FAQ for Windows WinInfoNews
	Contact Us / Customer Service Editorial Calendar Media Kit Affiliates / Licensing Technology Resource Directory
	Windows IT Pro Office & SharePoint Pro Windows Dev Pro IT Library Connected Home Windows Excavator SuperSite IT Job Hound ITTV

	Copyright © 2009 Penton Media, Inc. All rights reserved. Terms and Use Privacy Statement Reprints and Licensing

SQL Server Magazine

Search

Related Events

Related Resources

SQL JOB OPENINGSSPONSORED LINKS

SQL Management Made Easy with DBLaunch 4.0!

Order Your SharePoint Fundamentals CD!

FEATURED LINKS

Empower Your Processes with PowerShell 201

SQL Connections, March 22-25, 2009 – Orlando, FL

Join Today: VIP Monthly Pass