Packet Filtering has gained its importance as a tool to improve network security with the increasing number of IP router products. It is a useful tool for the security-conscious network administrator, but its effective use demands a deep understanding of its capabilities and weaknesses, and of the peculiar behavior of the particular protocols where filters are being applied to. This report explains the usage of IP packet filtering as a measure of network security, briefly contrasts IP packet filtering to alternative network security approaches such as circuit-level firewalls, describes what packet filters might examine in each packet, and describes how the characteristics of common application protocols relate to those of packet filtering. The Report identifies and examines problems common to many current packet filtering implementations, shows how these problems can easily excavate the network administrator's intents and lead to a false sense of security, and proposes solutions to these problems.
REASONS FOR THE INTERNET TO BE INSECURE:
Internet is a network of interconnected network with a boundary. Because of this fact, the organizational network becomes accessible and vulnerable from any computer in the world. As companies become internet business, new threats arise from person who no longer requires physical access to a company's computer assets. The increasing complexity of networks, and the need to make them more open due to the growing emphasis on and attractiveness of the Internet as a medium for business transactions, mean that networks are becoming more and more exposed to attacks, both from without and from within.
Types of Attacks
The following list gives the general classes of attack along with some common or well-known examples and specific solutions to these problems:
Attacks originating from outside your home or office computer/network.
Denial of Service (DOS)
The purpose of this type of attack is not to gain control over your computer, rather it is to prevent anyone from making use of one or more of the services that the attacked computer provides. Some examples include:
SYN Attack -- A "SYN" packet is used to initiate a connection between computers using the TCP protocol, it is part of a three way handshake used by TCP to set up a connection. In this attack, repeated "SYN" packets are sent to the computer under attack, the attacked computer sends its response handshake packet, and waits for the final handshake packet from the attacking computer (which never sends it). Each of these incomplete connection attempts ties up one network port on the computer until it times out, if enough are sent before the timeout occurs, the system runs out of ports and/or other resources at which point no one else can connect.
Process Table Overflow -- Most computers have some kind of limit on the total number of processes that can be active at one time, in many cases if this limit is ever reached, the system will crash or at least become virtually unusable. One way to do this is to simply establish as many connections as possible to as many different system services as possible. Many standard services will create a new process for each connection, quickly using up all space in the process table.
Network/Server Overload -- No matter how fast your connection to the internet is, someone else has a faster one, and if they make requests faster than your server or internet connection can handle them, your site will become virtually unusable to everyone else. Even if the person attacking you doesn't have a faster link, they can use other computers that they have compromised to launch multiple attacks which, when combined, exceed the capabilities of your server.
Ping of Death -- This one should be fixed in any computer operating system which has been updated in the last couple of years, but it is a classic example of how easy it can be to knock a system off-line. In this attack, a person simply sends a 64k+ byte "ping" packet to the target system. This would overflow the receive buffer and crash the network link if not the entire computer.
On the bright side, for these kinds of attack your data is not in any danger of being stolen or corrupted and in some cases the simplest course if you are not running an E-commerce or other high availability site, may be to just ignore the problem until you get enough attacks to be irritating.
The reasons for this type of attack are virtually unlimited; it can be anything from just proving they can break into your system, to revenge.
Standard accounts and password scans -- This type of attack simply attempts to log-in using any available login service (telnet, ssh, rsh, etc.) by using common account names (root, games, mail, etc.) or the names of users discovered by looking at internet discussion groups, company websites and other sources. Armed with a potential list of account names, the attacker will use a list of common passwords or simply words from the dictionary in an automated attempt to log-in to the system. A more serious attacker dedicated to breaking into your computer specifically, will research people with accounts on the system and apply birth dates, namesof children and other personal information in order to find a working account and password. This type of attack is also a common internal attack, but is even more likely to succeed since personal information is even more readily available to those on the inside.
Known bugs, common bugs and security holes -- In this type of attack, the attacker looks for bugs or system security holes in your computer which can be used to gain access. Once they have one of these bugs or holes, it is used to break into the computer.
Computer viruses -- Many people today only think of computer viruses and worms as an irritation which may delete files on their hard disk or display silly messages, unfortunately, many of them are very discrete and instead gather information to send out to their originator so that they can better attack your network, or even just install a program to give their originator direct access to your network.
If you have a large network shared by many people, an internal attack should be a major concern, since most networks are least protected against this. Small or single user networks generally do not give this any consideration at all, but itcould be a big mistake to do so. Once your firewall is breached by an outside attack, the next stage of the attack is in fact an internal attack! There are far too many different kinds of internal attacks to list them all here, but some of the more common general approaches include:
- Password cracking
- Temp file
- Buffer Overflow
What is a Firewall?
A firewall is a tool to implement security policy for controlling traffic between two or more networks. It performs several security functions. Primarily, a firewall monitors, inspects and controls inbound/outbound network traffic. The firewall implements user-defined security policies to determine whether to permit or deny particular network traffic. The security policies define the characteristics of acceptable and unacceptable network traffic based on packet criteria at the IP level and above. Typically, network traffic that represents hostile intrusion attempts, denial of service attacks and/or unauthorized attempts to read, modify or delete information is proactively denied by the firewall. A firewall examines all the traffic routed between the two networks to see if it meets certain criteria. If it does, it is routed between the networks, otherwise it is stopped. A firewall filters both inbound and outbound traffic. It can also manage public access to private networked resources such as host applications. It can be used to log all attempts to enter the private network and trigger alarms when hostile or unauthorized entry is attempted.
Firewalls can filter packets based on their source and destination addresses and port numbers. This is known as address filtering. Firewalls can also filter specific types of network traffic. This is also known as protocol filtering because the decision to forward or reject traffic is dependent upon the protocol used, for example HTTP, ftp or telnet. Firewalls can also filter traffic by packet attribute or state.
How does a firewall work?
There are two access denial methodologies used by firewalls. A firewall may allow all traffic through unless it meets certain criteria, or it may deny all traffic unless it meets certain criteria. The type of criteria used to determine whether traffic should be allowed through varies from one type of firewall to another. Firewalls may be concerned with the type of traffic, or with source or destination addresses and ports. They may also use complex rule bases that analyze the application data to determine if the traffic should be allowed through. How a firewall determines what traffic to let through depends on which network layer it operates at.
Types of Firewall
Firewalls can be classified into 4 types:
- Packet Filter
- Circuit - Level Gateway
- Application Gateway
- Stateful multilayer inspection
Packet filtering firewalls are the most basic type of firewall. Packet filtering firewalls work at the lowest level of the protocol stack possible. This is the layer 3, the network layer in the OSI and TCPIP/ model. It receives packets and decides their fate based upon a set of rules that are usually in the form of access control lists. The possibilities are to be forwarded on to their destination (pass/accept), denied passage (drop/block), or dropped with a return message to the sender informing him of the packet's transgression (reject).
The filtering capabilities vary from vendor to vendor, but some of the more common items packets filters can act upon are:
- Source address
- Destination address
- Source and destination port number
- Protocol type (e.g., TCP, UDP, ICMP, DECnet, IPX)
- The network interface through which the packet enters
- The direction of traffic (inbound or outbound)
- Source routing
- Connection state (e.g., SYN, SYN/ACK,FIN)
A circuit-level firewall is a second generation firewall that validates TCP and UDP sessions before opening a connection. Once a handshake has taken place, it passes everything through until the session is ended. Circuit-level firewalls operate at the session layer of the OSI model, the transport layer of TCP/IP model.
Operating at the transport layer means a circuit-level firewall actually establishes a virtual circuit between the client and the host on a session-by-session basis. To validate and create a session, the circuit-level firewall examines each connection setup to ensure it follows a legitimate handshake for the transport layer being used, typically TCP. No data packets are forwarded to until the handshake is complete. The firewall maintains a table of valid connections, which includes session state and sequencing information, and let's network packets containing data pass through when the network packet information matches an entry in the virtual circuit table. When a connection is terminated, its table entry is removed and that virtual circuit between the two peers is closed.
In summary, circuit-level firewalls have the following advantages:
- Circuit-level firewalls have good performance once the initial connections are established because they relay packets between hosts with little evaluation.
- There is no direct connection between an application client and an application server.
- By virtue of its inherent NAT capabilities, circuit-level gateways shield internal IP addresses from external users.
- Since circuit-level gateways are extremely generic relaying packets between application client and application server, they offer a high degree of flexibility. As new Internet services are added, circuit-level firewalls automatically support them.
Packet filtering firewalls represent one extreme of firewall technology; application-level firewalls represent the other. So extreme are the views about which one is better that religious wars would have broken out in previous times. Now all we get are flame wars on the Internet. Whereas packet filtering firewalls apply general purpose rules to mitigate all the kinds of traffic in the world, application-level firewalls run special purpose code in the context of a process that handles only one kind of traffic. Application-level firewalls are so-called because they operate at the application layer of the protocol stack. An application-level firewall runs a proxy server application acting as an intermediary between two systems. Consequently, application-level firewalls are sometimes referred to as proxy server firewalls. An internal client sends a request to the server running on the application-level firewall to connect to an external service such as FTP, or HTTP. The proxy server evaluates the request and decides to permit or deny the request based on a set of rules that apply to the individual network service. Proxy servers understand the protocol of the service they are evaluating. Thus, they only allow packets through complying with the protocol for that service. They also enable additional benefits: detailed audit records or session information, user authentication, URL filtering, and caching.
To summarize, application-level firewalls have the following advantages:
- There is no direct connection between internal client and external server.
- Proxy servers know the service protocol and only allow packets through complying with the protocol for that service, e.g., SMTP, HTTP, and telnet.
- Application-level firewalls can screen data streams for potential threats, e.g., send mail attacks, Java, ActiveX, or other things riding on top of HTTP.
- The proxy servers can process and manipulate the data in a packet.
- Application-level firewalls inherently implement NAT thus shielding internal IP addresses from the external world.
- An application-level firewall's operation is transparent to the internal user. It appears as if clients are accessing the Internet directly.
- Client programs do not need to be modified to use application-level firewalls.
- Reverse proxy servers can redirect external requests to internal servers.
- Proxy servers can implement features such as HTTP object caching, URL filtering, and user authentication.
- Application-level firewalls are good at generating audit records. This allows administrators to closely monitor the firewall for violations of security policy.
Stateful Multilayer Inspection:
Stateful multilayer inspection firewalls combine the aspects of the other three types of firewalls. They filter packets at the network layer, determine whether session packets are legitimate and evaluate contents of packets at the application layer. They allow direct connection between client and host, alleviating the problem caused by the lack of transparency of application level gateways. They rely on algorithms to recognize and process application layer data instead of running application specific proxies. Stateful multilayer inspection firewalls offer a high level of security, good performance and transparency to end users. They are expensive however, and due to their complexity are potentially less secure than simpler types of firewalls if not administered by highly competent personnel. The principle motivation for stateful inspection is a compromise between performance and security. As a routing "add-on," stateful inspection provides much better performance than proxies. It also provides an increase in the level of firewall function than simple packet filtering. Like proxies, much more complex access control criteria can be specified and like packet filtering, stateful inspection depends on a high quality (i.e., correct) underlying routing implementation. What makes a stateful firewall "stateful" is not that it can filter packets, or that it can validate packet data, but that it maintains a communication history for each connection. Each vendor has their own implementation, their own "best" way of managing and filtering traffic. What's ultimately best is what provides the greatest level of security for the assets it's designed to protect, and those are as unique and individual as each of these vendor's products.
PROBLEMS WITH CURRENT PACKET FILTERING FIREWALLS AND THEIR SOLUTIONS
Packet filtering firewalls are the most basic type of firewall. Packet filtering firewalls work at the lowest level of the protocol stack possible. In the OSI model, this is the layer 3, the network layer in both the OSI and TCPIP/ model. It receives packets and decides their fate based upon a set of rules that are usually in the form of access control lists. The possibilities are to be forwarded on to their destination (pass/accept), denied passage (drop/block), or dropped with a return message to the sender informing him of the packet's transgression (reject).
For example, the security policy says, "accept inbound email (this is SMTP on TCP port 25) from everybody but bigspammers.org." The firewall administrator would write up two rules. The first would drop any connection from bigspammers.org to the firewall. The second rule would pass from anybody on TCP port 25 to the firewall. The rules are applied in top-down order. Rules are usually ordered from most restrictive to least restrictive. If they were reversed, the rule dropping packets from big-spammers.org would not be reached because the less restrictive rule matched first and the packet was passed.
To solve the problems of security and scarcity of IP addresses, Network Address Translation (NAT) was invented and subsequently integrated into packet filtering firewalls. In 1994, Kjeld Borch Egevang of Cray Communications drafted RFC 1631, "The IP Network Address Translator (NAT)".
NAT allows an Intranet to use addresses that are different from what the Internet sees. NAT functions very much like a Private Branch Exchange (PBX) in a telephone system. A company telephone system may have several hundreds of telephone extensions within the company. Each telephone has its own internal "extension" number it uses to call others in the company. When it calls someone outside the company, the outside sees the number of the "trunk" line the PBX system uses and not the extension number of the user's telephone. The actual connection between the outside trunk and the inside user is maintained temporarily by the telephone system. NAT allows insiders to get out without allowing outsiders to get in. NAT rewrites the IP headers of internal packets going out making it appear as if the packets originated from firewall. Reply packets coming back are translated and forwarded to the appropriate internal machine. With NAT, inside machines are allowed to connect to the outside world but outside machines cannot. In fact, outside machines cannot find the internal machines because they are aware of only one IP address, the firewall. The ability to attack internal machines is greatly reduced using by employing NAT.
NAT solves the problem of the scarcity of IP addresses. The administrator of an internal network can choose reserved IP addresses, e.g., 10.x.x.x range or 192.168.x.x range. These addresses do not have to be registered with an authority and be used however the administrator wants. Thus, a site with few or one Internet IP address can have hundreds of computers each with their own IP address without denying any of its users Internet access.
Packet filtering firewalls also offer Port-level NAT or PAT for added security. CGI scripts and Java applets that access a database server, or some other type of server, are becoming more common as businesses do more e-commerce. This presents a security problem because the script/applet must be outside the firewall where is can be accessed from the Internet but the database containing sensitive customer data is behind thefirewall where it cannot be attacked. Enter PAT to the rescue. On the firewall, IP packets coming into a specific port number are re-written and forwarded to the internal server providing the requested service. The reply packets from the server are re-written to make it appear as if they originated on the firewall. Thus, PAT can be used to secure internal servers for external access.
Early packet filtering firewalls had these advantages:
- Low overhead and high throughput
- Good traffic management
As the Internet evolved, it became apparent packet filtering firewalls had several disadvantages:
- Direct connections by external clients to internal hosts
- Packet filtering rules become unmanageable in complex environments
- Vulnerable to attacks such as IP Spoofing, i.e., impersonating another system by using its IP address
- No user authentication
To combat these and other disadvantages, two advances in packet filtering firewalls came about, dynamic packet filtering and stateful inspection.
In the early packet filtering firewalls, connections were "static", i.e., direct connections were open from internal hosts to external systems. This opened many doors through which desirable traffic flowed and opened the possibility of internal systems being prey to a range of attacks. Because host security is often lax, these types of attacks were frequent and successful.
Dynamic packet filtering techniques were developed to address this issue. Dynamic packet filters open and close apertures in the firewall based on header information in the packet. Once a series of packets has passed through the aperture to its destination, the firewall closes the aperture.
Stateful inspection in a packet filtering firewall analyzes the network traffic that traverses it. A packet filtering firewall with stateful inspection has the ability to peer inside a packet to allow certain types of commands within an application while disallowing others. For example, a stateful packet filtering firewall can allow the FTP "GET" command while disallowing the "PUT" command. Stateless protocols can be made more secure with stateful inspection. UDP protocol-based applications (DNS, RPC, NFS) are difficult to filter with static packet filtering because there is no concept of request and response, hence the term "stateless". With static packet filtering, the choice is either to disallow all UDP-based traffic or open the communication channels and expose internal systems to security risks. Stateful inspection secures UDP-based traffic by creating a virtual connection on top of the UDP communications. Each UDP packet request packet permitted to cross the firewall is recorded in the state table. UDP packets traveling in the opposite direction are verified against the ones awaiting a response in state table. A packet that is a genuine response to a request packet is passed on and all others are dropped. If a response does not arrive in a specified period of time, the connection is timed out. Thus, even UDP applications can be secured.
How Packet Filtering Works?
What do packet filters base their decisions on
Current IP packet filtering implementations all operate in the same basic fashion; they parse the headers of a packet and then apply rules from a simple rule base to determine whether to route or drop the packet. Generally, the header fields that are available to the filter are packet type (TCP, UDP, etc.), source IP address, destination IP address, and destination TCP/UDP port. For some reason, the source TCP/UDP port is often not one of the available fields; this is a significant deficiency. In addition to the information contained in the headers, many filtering implementations also allow the administrator to specify rules based on which router interface the packet is destined to go out on, and some allow rules based on which interface the packet came in on. Being able to specify filters on both inbound and outbound interfaces allows you significant control over where the router appears in the filtering scheme (whether it is "inside" or "outside" your packet filtering "fence"), and is very convenient (if not essential) for useful filtering on routers with more than two interfaces. If certain packets can be dropped using inbound filters on a given interface, those packets don't have to be mentioned in the outbound filters on all the other interfaces; this simplifies the filtering specifications. Further, some filters that an administrator would like to be able to implement require knowledge of which interface a packet came in on; for instance, the administrator may wish to drop all packets coming inbound from the external interface that claim to be from an internal host, in order to guard against attacks from the outside world that use faked internal source addresses. Some routers with very rudimentary packet filtering capabilities don't parse the headers, but instead require the administrator to specify byte ranges within the header to examine, and the patterns to look for in those ranges. This is almost useless, because it requires the administrator to have a very detailed understanding of the structure of an IP packet. It is totally unworkable for packets using IP option fields within the IP header, which cause the location of the beginning of the higher-level TCP or UDP headers to vary; this variation makes it very difficult for the administrator to find and examine the TCP or UDP port information.
How packet filtering rules are specified
Generally, the filtering rules are expressed as a table of conditions and actions that are applied in a certain order until a decision to route or drop the packet is reached. When a particular packet meets all the conditions specified in a given row of the table, the action specified in that row (whether to route or drop the packet) is carried out; in some filtering implementations the action can also indicate whether or not to notify the sender that the packet has been dropped (through an ICMP message), and whether or not to log the packet and the action taken on it. Some systems apply the rules in the sequence specified by the administrator until they find a rule that applies which determines whether to drop or route the packet. Others enforce a particular order of rule application based on the criteria in the rules, such as source and destination address, regardless of the order in which the rules were specified by the administrator. Some, for instance, apply filtering rules in the same order as routing table entries; that is, they apply rules referring to more specific addresses (such as rules pertaining to specific hosts) before rules with less specific addresses (such as rules pertaining to whole subnets and networks). The more complex the way in which the router reorders rules, the more difficult it is for the administrator to understand the rules and their application; routers which apply rules in the order specified by the administrator, without reordering the rules, are easier for an administrator to understand and configure, and therefore more likely to yield correct and complete filter sets.
A packet filtering example
For example, consider this scenario. The network administrator of a company with Class B network 123.45 wishes to disallow access from the Internet to his network in general (18.104.22.168/16). The administrator has a special subnet in his network (22.214.171.124/24) that is used in a collaborative project with a local university which has class B network 135.79; he wishes to permit access to the special subnet (126.96.36.199/24) from all subnets of the university (188.8.131.52/16). Finally, he wishes to deny access (except to the subnet that is open to the whole university) from a specific subnet (184.108.40.206/24) at the university, because the subnet is known to be insecure and a haven for crackers.
For simplicity, we will consider only packets flowing from the university to the corporation; symmetric rules (reversing the SrcAddr and DstAddr in each of the rules below) would need to be added to deal with packets from the corporation to the university. Rule C is the "default" rule, which specifies what happens if none of the other rules apply.
Rule SrcAddr DstAddr Action
- 220.127.116.11/16 18.104.22.168/24 Permit
- 22.214.171.124/24 126.96.36.199/16 Deny
- 0.0.0.0/0 0.0.0.0/0 Deny
Consider these "sample" packets, their desired treatment under the policy outlined above, and their treatment depending on whether the rules above are applied in order "ABC" or "BAC".
Packet SrcAddr DstAddr Desired Action ABC action BAC action
- 188.8.131.52 184.108.40.206 Deny Deny (B) Deny (B)
- 220.127.116.11 18.104.22.168 Permit Permit (A) Deny (B)
- 22.214.171.124 126.96.36.199 Permit Permit (A) Permit (A)
- 188.8.131.52 184.108.40.206 Deny Deny (C) Deny (C)
A router that applies the rules in the order ABC will achieve the desired results: packets from the "hacker haven" subnet at the university to the company network in general (such as packet 1 above) will be denied (by rule B), packets from the university "hacker haven" subnet at the university to the company's collaboration subnet (such as packet 2 above) will be permitted (by rule A), packets from the university's general network to the company's "open" subnet (such as packet 3 above) will be permitted (by rule A), and packets from the university's general network to the company's general network (such as packet 4 above) will be denied (by rule C).
If, however, the router reorders the rules by sorting them into order by number of significant bits in the source address then number of significant bits in the destination address, the same set of rules will be applied in the order BAC. If the rules are applied in the order BAC, packet 2 will be denied, when we want it to be permitted.
In summary, packet filtering firewalls have the following advantages:
- They offer good performance.
- Network Address Translation and Port-level Address Translation shield internal addresses from external users.
- Packet filter firewalls do not require client code modifications.
- Dynamic packet filtering enhances security by closing communication apertures when not in use.
- Stateful inspection provides security by analyzing packet contents and securing stateless protocols.
Packet filtering firewalls have the following disadvantages:
- Packet filters do not have capabilities such as HTTP caching, URL filtering or authentication.
- Packet filters have little or no audit event generating or alerting mechanisms.
- Because of the complexity of supporting most non-trivial network services, it can be difficult to test rule sets.
- Packet filtering firewalls with stateful inspection cannot immediately accommodate new services because either a vendor or administrator must supply the rules to interpret the new service.
Firewalls based on Packet Filters are one of the most powerful and widely used techniques which are used in networking security. Net defender firewall is based on this technique since it is able to provide a control to an end user on the traffic on his machine therefore it complies with basic definition of the firewall. The user has the facility to allow only certain packets while denying others. He can use the facility of denying all the traffic and can also allow all the traffic to his computer. As a consequence, the firewall is largely transparent to trusted users and therefore retains the sense of ``openness'' critical in a research environment .This transparency and perceived openness actually increasesecurity by eliminating the temptation for users to bypass our security mechanisms.