Technical Library
25 Oct 2000
Packet Filtering
What is Packet Filtering?

A routing device without packet filtering looks at a packet's destination address and decides whether the packet has to be forwarded through the router or stays on the interface it arrived on. This is the basic principle routing works under. When you add packet filtering, you add another level of analysis for each packet. The first step is still examination of the destination address. Then, if the router has determined that it has to forward the packet, it applies its filter "rules". Filter rules are your security policy implemented as a list of approved and disapproved services. For instance, you can restrict packets destined for particular machines, specific types of packets, or even packets leaving your LAN for the outside world. Packet filtering can be very sweeping or specific down to individual machines and ports. For instance, say you are running a web server on machine X. You want users on the Internet to have access to your web pages, but you don't want them trying to telnet into machines on your LAN. Packet filtering gives you this type of selective access.

Why Use Packet Filtering?

Packet filtering is most commonly used as a first line of defense against attacks from machines outside your LAN. Since most routing devices have built-in filtering capabilities, packet filtering has become a common and inexpensive security measure. Although packet filtering is flexible and powerful, it by no means guarantees the security of your LAN and internal data.

How Powerful is Packet Filtering?

Packet filtering lets you explicitly restrict or allow packets by machine, by port, or by machine and port. For instance, you can restrict all packets destined for port 80 (WWW) on every machine on your LAN except machines X and Y. The downfall of packet filtering is its lack of flexibility. Standard packet filtering allows or restricts packets to a location or from a location, based only on the addresses and ports carried in the packet headers.
There is no "sometimes" or "only from this person". If you disallow telnet from the outside world into a particular machine, you've done just that: no machine on the other side of the router can telnet into the machine named in your filter. This sort of filtering is known as Static Filtering. Dynamic Filtering is more flexible, since it lets you restrict packets to certain users. For instance, you could stop all incoming telnet packets except those from users X, Y and Z. This is accomplished by a security system which challenges the incoming user to provide a passkey before the router will pass that user's packets into your LAN. This type of packet filtering is not covered in this document.

How to Configure Packet Filters

There are three basic steps to packet filtering:
Step 1. Decide what to permit and what to restrict.

As a first step, you must decide, on a conceptual level, which services are approved and which are restricted. For example, do all the machines on your LAN accept mail from the Internet, or is mail handled by one central machine (i.e., an SMTP gateway)? The best security policy is to restrict all packets except those expressly permitted. To simplify the procedure, we have three examples of filtering policies with the configuration for your router. Please refer to the primary page for these.

Step 2. Formally define rules.

Now that you have a conceptual security policy, you need to formally define it in a way that allows easy translation into vendor syntax. A good template to work under is the following:
There are a few technical notes to remember:
Step 3. Translate into vendor specific syntax.

Take a look at our Automated Filter Builder to convert your security profile to the syntax for your router.
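Worked example, added here and not part of the original page: the three steps applied to the web-server scenario described under "What is Packet Filtering?", in Python. It writes the conceptual policy as a formal rule table (Step 2), evaluates sample packets against it with the default-deny behaviour recommended in Step 1, and renders the table into one vendor's syntax (Step 3). The addresses (LAN 192.0.2.0/24, web server X at 192.0.2.10, SMTP gateway at 192.0.2.25) are assumed values from the documentation range, the rule template is my own, and the vendor syntax produced is Cisco IOS extended access-list syntax, chosen only as an illustration; the page's Automated Filter Builder targets its own router and is not used here.

```python
"""Static packet filtering: formal rules, default-deny evaluation, and a
rendering into vendor syntax. Example code, not from the original page."""
from dataclasses import dataclass
import ipaddress
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp", "icmp", or "ip" meaning any protocol
    src: str               # source network in CIDR form; "0.0.0.0/0" is any
    dst: str               # destination network in CIDR form
    dport: Optional[int]   # destination port; None means any port
    note: str = ""         # the conceptual policy line this rule implements


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def matches(rule: Rule, pkt: Packet) -> bool:
    """Static filtering consults header fields only: protocol, addresses,
    destination port. No payload, no user identity, no session state."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins. A packet that matches nothing is denied,
    which is the "restrict everything except what is expressly permitted"
    policy from Step 1."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


# Step 2: the formal rule table for packets arriving from the Internet.
# Assumed addresses: LAN 192.0.2.0/24, web server X = .10, SMTP gateway = .25.
INBOUND: List[Rule] = [
    Rule("permit", "tcp", "0.0.0.0/0", "192.0.2.10/32", 80, "WWW to machine X"),
    Rule("permit", "tcp", "0.0.0.0/0", "192.0.2.25/32", 25, "mail only to the SMTP gateway"),
    Rule("deny", "ip", "0.0.0.0/0", "0.0.0.0/0", None, "explicit catch-all, no telnet etc."),
]


def ios_address(cidr: str) -> str:
    """Render a CIDR network the way a Cisco IOS extended ACL writes it:
    'any', 'host A.B.C.D', or 'network wildcard-mask'."""
    net = ipaddress.ip_network(cidr)
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == net.max_prefixlen:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"


def to_ios_acl(rules: List[Rule], number: int = 101) -> List[str]:
    """Step 3: translate the formal rules into vendor syntax (Cisco IOS
    numbered extended ACL here, purely as an illustration)."""
    lines = []
    for rule in rules:
        port = f" eq {rule.dport}" if rule.dport is not None else ""
        lines.append(
            f"access-list {number} {rule.action} {rule.proto} "
            f"{ios_address(rule.src)} {ios_address(rule.dst)}{port}"
        )
    return lines


if __name__ == "__main__":
    # Constructed sample packets from an Internet host 203.0.113.5.
    samples = [
        Packet("tcp", "203.0.113.5", "192.0.2.10", 80),   # web to X: permit
        Packet("tcp", "203.0.113.5", "192.0.2.10", 23),   # telnet to X: deny
        Packet("tcp", "203.0.113.5", "192.0.2.11", 80),   # web to another LAN host: deny
        Packet("tcp", "203.0.113.5", "192.0.2.25", 25),   # mail to gateway: permit
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(INBOUND, pkt))
    print("\n".join(to_ios_acl(INBOUND)))
```

Because the filter is stateless, the inbound table above also drops replies to connections that LAN machines open outward (a browser on the LAN receives packets from port 80 of arbitrary Internet hosts). A real deployment needs a matching outbound table and an inbound permit for that return traffic, on routers that support it restricted to TCP segments with the ACK flag set so that it cannot be used to open new connections into the LAN.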