www.ecommerce-guide.com/news/trends/article.php/253601


E-Commerce Security Technologies - Part One
By Mark Merkow, CCP, CISSP
December 2, 1999

Stateful Inspection Packet Filtering
Stateful Inspection Filtering is a more complex packet-filtering technology that filters traffic on more than just source, destination, port number, and protocol type. Stateful Inspection keeps track of the state of the current connection to help ensure that only desired traffic passes through. This allows the creation of one-way rules (for example, inside to outside).

Packet-filtering routers yield a permit or deny decision for each packet they receive. The router examines each IP datagram to determine whether it matches one of its packet-filtering rules. The filtering rules are based on packet header information that's made available to the IP forwarding process. This information consists of:

  • IP source address
  • IP destination address
  • Encapsulated protocol (TCP, UDP, ICMP, or VPN IP Tunnel)
  • TCP/UDP source port
  • TCP/UDP destination port
  • ICMP message type
  • Incoming interface of the packet
  • Outgoing interface of the packet

If a match is found and the rule permits the exchange, the packet is forwarded using the information in the network routing table. If a match is found and the rule denies the packet, the packet is discarded. If there are no matching rules, a user-configurable default parameter determines whether the packet is forwarded or discarded.

Service-Dependent Filtering
Packet-filtering rules establish when a router will permit or deny traffic based on a specific service, since most service listeners reside on well-known TCP/UDP port numbers. For example, services such as a Telnet server listen for remote connections on TCP port 23, and an SMTP server listens for incoming connections on TCP port 25. To block all incoming Telnet connections, the router simply discards all packets that contain a TCP destination port value equal to 23. To restrict incoming Telnet connections to a limited number of internal hosts, the router must deny all packets that contain a TCP destination port value equal to 23 and that do not contain the destination IP address of one of the permitted hosts. Your policies spell out these rules.

One set of typical filtering rules may include:

  • Permit incoming Telnet sessions only to a specific list of internal hosts
  • Permit incoming FTP sessions only to specific internal hosts
  • Permit all outbound Telnet sessions
  • Permit all outbound FTP sessions
  • Deny all incoming traffic from specific external networks
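As an added example (not code from the article), the first-match rule evaluation described above, applied to the Telnet-restriction policy: the header fields, the rule table, the host and network addresses (documentation ranges) and the interface names are all constructed here.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Packet:
    """Constructed header fields, following the list of fields a packet filter sees."""
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "icmp"
    dport: int      # TCP/UDP destination port
    iface_in: str   # interface the packet arrived on: "outside" or "inside"

@dataclass
class Rule:
    """A filtering rule; a field left as None matches any value."""
    action: str                      # "permit" or "deny"
    iface_in: "str | None" = None
    proto: "str | None" = None
    dport: "int | None" = None
    dst_net: "str | None" = None     # CIDR, e.g. "192.0.2.10/32"
    src_net: "str | None" = None

    def matches(self, p: Packet) -> bool:
        return ((self.iface_in is None or self.iface_in == p.iface_in)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport)
                and (self.dst_net is None or ip_address(p.dst) in ip_network(self.dst_net))
                and (self.src_net is None or ip_address(p.src) in ip_network(self.src_net)))

def filter_packet(rules: list, p: Packet, default: str = "deny") -> str:
    """First matching rule decides; with no match the configured default applies."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return default

# Hypothetical rule set for the policy in the article: incoming Telnet (TCP/23) only to
# 192.0.2.10, all outbound Telnet and FTP, and nothing at all from 198.51.100.0/24.
# Order matters under first-match semantics: the network-wide deny has to come first.
RULES = [
    Rule("deny", iface_in="outside", src_net="198.51.100.0/24"),
    Rule("permit", iface_in="outside", proto="tcp", dport=23, dst_net="192.0.2.10/32"),
    Rule("deny", iface_in="outside", proto="tcp", dport=23),
    Rule("permit", iface_in="inside", proto="tcp", dport=23),
    Rule("permit", iface_in="inside", proto="tcp", dport=21),
]
```

A packet no rule matches (for example inbound TCP/80) falls through to the default, so the choice of default policy decides whether an untested service is reachable.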

Service-Independent Filtering
Certain types of attacks are difficult to identify using basic packet header information because these attacks are service independent. Routers may be configured to protect against these types of attacks, but they're more difficult to specify because filtering rules require additional information that's only available by carefully examining the routing table, inspecting for specific IP options, checking for a special fragment offset, etc. Some examples of these types of attacks include:

  • Source IP Address Spoofing Attacks: For this type of attack, an intruder transmits packets from the outside that pretend to originate from an internal host. These packets falsely contain the source IP address of an inside system. The attacker hopes that the use of a spoofed source IP address will allow penetration of systems that employ simple source address security, where packets from specific trusted internal hosts are accepted and packets from other hosts are discarded. Source spoofing attacks can be defeated by discarding each packet with an inside source IP address if the packet arrives on one of the router's outside interfaces.

  • Source Routing Attacks: In a source routing attack, the source station specifies the route that a packet should take as it crosses the Internet. This type of attack is designed to bypass security measures and cause the packet to follow an unexpected path to its destination. A source routing attack can be defeated by simply discarding all packets that contain the source route option.

  • Tiny Fragment Attacks: For this type of attack, the intruder uses the IP fragmentation feature to create extremely small fragments and force the TCP header information into a separate packet fragment. Tiny fragment attacks are designed to circumvent user-defined filtering rules; the hacker hopes that a filtering router will examine only the first fragment and allow all other fragments to pass. A tiny fragment attack can be defeated by discarding all packets where the protocol type is TCP and the IP Fragment Offset is equal to 1.
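The three service-independent checks above, as an added example that is not the article's code: the internal address range, the interface name and the option names ("lsrr" and "ssrr" for the loose and strict source-route IP options) are assumptions, and every packet is constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical internal address space and the name of the router's outside interface.
INSIDE_NETS = [ip_network("192.0.2.0/24")]
OUTSIDE_IFACES = {"outside"}

@dataclass
class Packet:
    """Constructed header fields needed for the service-independent checks."""
    src: str
    proto: str             # "tcp", "udp" or "icmp"
    iface_in: str          # interface the packet arrived on
    frag_offset: int = 0   # IP Fragment Offset field (units of 8 bytes); 0 = first fragment
    options: tuple = ()    # IP option names present; "lsrr"/"ssrr" are the source-route options

def is_spoofed_source(p: Packet) -> bool:
    """An inside source address arriving on an outside interface cannot be genuine."""
    return p.iface_in in OUTSIDE_IFACES and any(ip_address(p.src) in net for net in INSIDE_NETS)

def is_source_routed(p: Packet) -> bool:
    """Loose or strict source-route option present: the sender dictates the path."""
    return bool({"lsrr", "ssrr"} & set(p.options))

def is_tiny_fragment(p: Packet) -> bool:
    """TCP with fragment offset 1: the transport header was split, so the port is not visible."""
    return p.proto == "tcp" and p.frag_offset == 1

def discard_reasons(p: Packet) -> list:
    """All reasons to discard the packet; an empty list means it passes these checks."""
    checks = [
        (is_spoofed_source, "spoofed inside source on outside interface"),
        (is_source_routed, "source route option present"),
        (is_tiny_fragment, "tiny TCP fragment (offset 1)"),
    ]
    return [reason for check, reason in checks if check(p)]
```

These checks run before the service-dependent rule table, since a packet that fails any of them should be dropped regardless of which service it claims to address.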

Benefits of Packet-Filtering Routers
A number of Internet firewall systems are deployed using only a packet-filtering router. Other than the time spent planning the filters and configuring the router, there is little or no cost to implement packet filtering, since the feature is included as part of standard router software releases. Since Internet access is generally provided over a WAN interface, there is little impact on router performance if traffic loads are moderate and few filters are defined. Finally, packet-filtering routers are generally transparent to users and applications, eliminating the need for specialized user training or specific software on each connected host system.

Limitations of Packet-Filtering Routers
Defining packet filters can be a complex task because network administrators need to have a detailed understanding of the various Internet services, packet header formats, and the specific values they expect to find in each field. If complex filtering requirements must be supported, the filtering rule set can become large and complicated, making it harder to manage and comprehend. Finally, there are few testing facilities to verify the correctness of the filtering rules after they are configured on the router. This can potentially leave a site open to untested vulnerabilities.

Any packet that passes directly through a router could potentially be used to launch a data-driven attack. Data-driven attacks occur when seemingly harmless data is forwarded by the router to an internal host. The data may contain hidden instructions that cause the host to modify access control and security-related files, making it easier for the intruder to gain access to the system.

Generally, the packet throughput of a router decreases as the number of filters increases. Routers are optimized to extract the destination IP address from each packet, make a relatively simple routing table lookup, and then forward the packet to the proper interface for transmission. If filtering is enabled, the router must not only make a forwarding decision for each packet, but also apply all of the filter rules to each packet. This can consume CPU cycles and impact the performance of a system.

IP packet filters may not be able to provide enough control over traffic. A packet-filtering router can permit or deny a particular service, but it is not capable of understanding the context/data of a particular service. For example, a network administrator may need to filter traffic at the application layer in order to limit access to a subset of the available FTP or Telnet commands, or to block the import of mail or newsgroups concerning specific topics. This type of control is best performed at a higher layer by application-level gateways and proxy services, often called firewalls. We'll continue the series next time with the topic of firewalls.
